Posted by: psilva | October 18, 2016

Your SSL Secrets Uncovered

Get Started with SSL Orchestrator

SSL and its brethren TLS is becoming more prevalent to secure IP communications on the internet. It’s not just financial, health care or other sensitive sites, even search engines routinely use the encryption protocol. This can be good or bad. Good, in that all communications are scrambled from prying eyes but potentially hazardous if attackers are hiding malware inside encrypted traffic. If the traffic is encrypted and simply passed through, inspection engines are unable to intercept that traffic for a closer look like they can with clear text communications. The entire ‘defense-in-depth’ strategy with IPS systems and NGFWs lose effectiveness.

F5 BIG-IP can solve these SSL/TSL challenges with an advanced threat protection system that enables organizations to decrypt encrypted traffic within the enterprise boundaries, send to an inspection engine, and gain visibility into outbound encrypted communications to identify and block zero-day exploits. In this case, only the interesting traffic is decrypted for inspection, not all of the wire traffic, thereby conserving processing resources of the inspecting device. You can dynamically chain services based on a context-based policy to efficiently deploy security.

This solution is supported across the existing F5 BIG-IP v12 family of products with F5 SSL Orchestrator and is integrated with such solutions like FireEye NX, Cisco ASA FirePOWER and Symantec DLP.

Here I’ll show you how to complete the initial setup.

A few things to know prior – from a licensing perspective, The F5 SSL visibility solution can be deployed using either the BIG-IP system or the purpose built SSL Orchestrator platform. Both have same SSL intercept capabilities with different licensing requirements.

To deploy using BIG-IP, you’ll need BIG-IP LTM for SSL offload, traffic steering, and load balancing and the SSL forward proxy for outbound SSL visibility. Optionally, you can also consider the URL filtering subscription to enforce corporate web use policies and/or the IP Intelligence subscription for reputation based web blocking. For the purpose built solution, all you’ll need is the F5 Security SSL Orchestrator hardware appliance.

The initial setup addresses URL filtering, SSL bypass, and the F5 iApps template.

URL filtering allows you to select specific URL categories that should bypass SSL decryption. Normally this is done for concerns over user privacy or for categories that contain items (such as software update tools) that may rely on specific SSL certificates to be presented as part of a verification process.

Before configuring URL filtering, we recommend updating the URL database. This must be performed from the BIG-IP system command line. Make sure you can reach on port 80 via the BIG-IP system and from the BIG-IP LTM command line, type the following commands:

modify sys url-db download-schedule urldb download-now false modify sys url-db download-schedule urldb download-now true

To list all the supported URL categories by the BIG-IP system, run the following command:

tmsh list sys url-db url-category | grep url-category

Next, you’ll want to configure data groups for SSL bypass. You can choose to exempt SSL offloading based on various parameters like source IP address, destination IP address, subnet, hostname, protocol, URL category, IP intelligence category, and IP geolocation. This is achieved by configuring the SSL bypass in the iApps template calling the data groups in the TCP service chain classifier rules. A data group is a simple group of related elements, represented as key value pairs. The following example provides configuration steps for creating a URL category data group to bypass HTTPS traffic of financial websites.



For the BIG-IP system deployment, download the latest release of the iApps template and import to the BIG-IP system.

Extract (unzip) the template (or any newer version available) and follow the steps to import to the BIG-IP web configuration utility.


From there, you’ll configure your unique inspection engine along with simply following the BIG-IP admin UI with the iApp questionnaire. You’ll need to select and/or fill in different values in the wizard to enable the SSL orchestration functionality. We have deployment guides for the detailed specifics and from there, you’ll be able to send your now unencrypted traffic to your inspection engine for a more secure network.



Posted by: psilva | October 12, 2016

Lightboard Lessons: BIG-IP in Hybrid Environments

A hybrid infrastructure allows organizations to distribute their applications when it makes sense and provide global fault tolerance to the system overall. Depending on how an organization’s disaster recovery infrastructure is designed, this can be an active site, a hot-standby, some leased hosting space, a cloud provider or some other contained compute location. As soon as that server, application, or even location starts to have trouble, organizations can seamlessly maneuver around the issue and continue to deliver their applications.

Driven by applications and workloads, a hybrid environment is a technology strategy to integrate the mix of on premise and off-premise data compute resources. In this Lightboard Lesson, I explain how BIG-IP can help facilitate hybrid infrastructures.




Posted by: psilva | October 11, 2016

F5 Access for Your Chromebook

My 5th grader has a Chromebook for school. She loves it and it allows her access to school applications and educational tools where she can complete her assignments and check her grades. But if 5th grade is a tiny dot in your rear-view and you’re looking to deploy Chromebooks in the enterprise, BIG-IP v12 can secure and encrypt ChromeOS device access to enterprise networks and applications. With network access, Chromebook users can run applications such as RDP, SSH, Citrix, VMware View, and other enterprise applications on their Chrome OS devices.

From an employee’s perspective, it is very easy to get the SSLVPN configured. Log on to a Chromebook, open Chrome Web Store, search for ‘F5 Access’ and press the +ADD TO CHROME button. Add app when the dialogue box pops and F5 Access will appear in your ‘All Apps’ window.

f5 access

Next, when launched, you’ll need to accept the license agreement and then add a server from the Configuration tab:

add server

Next, give it a unique name, enter the BIG-IP APM server URL and optionally add your username and password. Your password will not be cached unless that’s allowed by the BIG-IP APM Access Policy. You can also select a client certificate if required. Once configured, it’ll appear in the list. You can also have multiple server configurations if needed:

added server

To connect, click the bottom tray bar and select the tile that says, ‘VPN Disconnected.’

f5access tile

And select the server configured when setting up the app. Depending on the configuration, you’ll either get the native login window or the WebTop version:

f5access login

Once connected, there won’t be any indication in the tray but if you click it, you’ll see the connection status in the same VPN area as above and it’ll show ‘connected’ within the F5 Access app:

f5access connected

As you can see in the above image, you can also check Statistics and Diagnostics if those are of interest. To end the connection, click the tray again, select the VPN tile and click Disconnect.

For administrators, it’s as simple as adding a ‘ChromeOS’ branch off the ClientOS VPE action:

f5access clientos

Then add a Connectivity Profile to BIG-IP:

f5access connectivity profile

In addition to generic session variables, client session variables are also available. Check out the release notes and BIG-IP Access Policy Manager and F5 Access for Chrome OS v1.0.0 manual for more info.



stanislas1Stanislas Piron is a Security Engineer for ExITeam. 16 years ago, Stanislas started out with Firewalls, email and Web content security. His first F5 deployment was with LTM and Link Controller 10 years ago and he is DevCentral’s Featured Member for October!

He started to focus on F5 products as pre-sales engineer for a IT security distributor in charge of F5 development. 4 years ago, he joined Exiteam, a small company of two security engineers helping resellers audit, design and deploy security solutions for their customers. To provide real expertise, they both focus their skills on a small set of products. He works with F5 products about 80% of his time.

DevCentral got an opportunity to chat with Stanislas about his work, life and if European organizations have unique security requirements.

DevCentral: You’ve been an active contributor to the DevCentral community and wondered what keeps you involved?

Stanislas Piron: When I started working with F5 products, I created my DevCentral account to search piece of iRules and write my own iRules according to customer’s needs.

As the needs grew, I had some unanswered questions. Searching DevCentral, I found another approaches to solving issues, helping me to solve my own challenges. Each time I find a better way to solve my problems, I try to share my code.

I often read question and try to solve them thinking, “This can solve an issue of a customer I didn’t think about before”

DevCentral is a place where every time you help someone, you learn something.

DC: Tell us a little about the areas of BIG-IP expertise you have.

SP: My favorite BIG-IP product is APM (LTM+APM mode), which covers almost everything about authentication. It’s also the product we must configure as simple as possible if we do not want the customer to have headaches reading the access policy.

I often deploy BIG-IP with multiple modules including LTM, APM, AFM, GTM and ASM to offer high datacenter security.

Most of my deployments use the local traffic policies for standard admin tasks, iRules for application compatibility, and the tcl codes in APM to assign variable boxes.

DC: You are a Security Engineer with Exiteam, a security consulting practice. Can you explain how DevCentral helps with your daily challenges? Where does BIG-IP fit in the services you offer or within your own infrastructure?

exiteam logoSP: iRules is a great tool to solve problems BIG-IP is not addressing, but iRules is nothing without the developer’s community. DevCentral experts share experience not only about tcl coding but protocol knowledge, iRule events orders, and working iRules. And on the other side, some IT admins ask about new needs that I may answer for the next customer.

Each time I have a new challenge, I first search on DevCentral to see if someone already solved it. If not, I’ll create my own iRule.

DC: I understand you are in France and wondered, what are some of the unique information security challenges for European organizations?

SP: Information security challenges are not unique for European organizations as security risks are the same for all countries.

DC: Describe one of your biggest challenges and how DevCentral helped in that situation.

SP: With Microsoft Forefront TMG End of sale, most of my customers migrated to F5 products.

One of my customers, a SAAS provider, with almost exclusively Microsoft products (TMG, Exchange, Sharepoint, etc.) and with more than 20K concurrent users was evaluating how to migrate to BIG-IP LTM, ASM, APM and AFM.

During POC (and then deployment) we worked to get the same behavior with APM as TMG with SharePoint about office editing documents. I found some question on DevCentral with parts of an answer, but not the full answer. I wrote an iRule optimized for such a deployment (20K users) answering all the customer needs and shared it. Some DevCentral experts, who had the same needs, commented on it to make it simpler, generic and optimized.

DC: Lastly, if you weren’t an IT admin – what would be your dream job? Or better, when you were a kid – what did you want to be when you grew up?

SP I don’t remember what I wanted to be when I was child and IT is not a dream job if you don’t evolve. What I expect in my job is to not do the same job as the day before, and I think I found it. Every day, I meet new customers, I have new challenges and I learn something increasing my knowledge.

DC: Thanks Stanislas and congratulations! You can find Stanislas on LinkedIn and also check out his DevCentral contributions.


Posted by: psilva | September 28, 2016

Lightboard Lessons: Secure & Optimize VDI

Virtualization continues to impact the enterprise and how IT delivers services to meet business needs. Desktop Virtualization (VDI) offers employees anywhere, anytime, flexible access to their desktops whether they are at home, on the road, in the office or on a mobile device. In this edition of Lightboard Lessons, I show how BIG-IP can secure, optimize and consolidate your VMware Horizon View environment, providing a secure front end access layer for VMware’s VDI infrastructure.



Posted by: psilva | September 27, 2016

Lock Down Your Login

Posted by: psilva | September 21, 2016

Lightboard Lessons: DNS Scalability & Security

The Domain Name Service (DNS) is one of the most important components in networking infrastructure, enabling users and services to access applications by translating URLs (names) into IP addresses (numbers). Because every icon and URL and all embedded content on a website requires a DNS lookup, loading complex sites necessitates hundreds of DNS queries.

DNS lookups has exploded in recent years with mobile, IoT and the applications to support the growth. It is also a vulnerable target. In my first Lightboard Lesson, I show you how to scale, secure and consolidate your DNS infrastructure.



Posted by: psilva | September 20, 2016

Don’t Take the Impostor’s Bait

detect_phishing_introPhishing has been around since the dawn of the internet. The term was first used in an AOL Usenet group back in 1996 but it wasn’t until 2003 when many baited hooks and lures started dropping. Popular transaction destinations like PayPal and eBay were some of the early victims of these spoofed sites asking customers to update their personal and credit card information. By 2004, it was a full-fledged ‘get rich quick scheme’ with many financial institutions – and their customers – as targets.

Oxford Dictionary defines Phishing as, ‘The fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.’

You’ve seen it, the almost perfect looking email with actual logos, images and links to a reputable company only to have it go to a slick looking replica complete with a login form. If you aren’t paying attention and do enter your credentials, you’ve just given a crook access to your money.

The Anti-Phishing Working Group (APWG) reports a 250 percent jump in the number of detected phishing websites between October 2015 and March 2016. More than in any other three-month span since it began tracking back in 2004. That’s around 230,000 unique phishing campaigns a month. And as recent as last week, American Express users were hit with a phishing email offering anti-phishing protection. Go figure. If you clicked the link, you were taken to a bogus Amex login page which asks for all the important stuff: SSN, DoB, mother’s maiden, AMEX number plus security code and a few other vitals.

When complete, you’ll be redirected to the authentic site so you think you’ve been there all along. That’s how they work their magic. A very similar domain URL and all the bells of the original, including the real customer service 800 number.

You can combat it however.

F5’s WebSafe Web Fraud Protection can secure your organization (and your customers) against the evolving online fraud and you do not need any special client to detect it. WebSafe inserts an obfuscated JavaScript code which can detect malware like bait, mandatory words or if the fake was loaded from a different domain. It can validate source integrity like comparing fields for multiple users and detect threats like automatic transactions. Alerts are sent to an on premise dashboard and can also be forwarded to F5’s Security Operations Center (SOC).

If you are configuring malware protection for the login and transaction pages for a financial application, it’s as simple as adding an Anti-Fraud profile to your VIP.

First, you create an anti-fraud profile:

anti fraud

Then indicate which URL should be watched and the action:

anti fraud url

Then enable Phishing detection:

anti fraud pshishing

And when a phishing attach occurs, both the domain and the username of the victim get reported to the dashboard :


The code that’s inserted is a little piece of JavaScript added to your website to detect the malicious activity. No action is needed on the part of the user since everything is handled within BIG-IP.

anti fraud code added

This tiny piece of code will dramatically reduce fraud loss and retain the most important asset in business—customer confidence.

Don’t get fooled by a faker.



Posted by: psilva | September 13, 2016

750th Blog Spectacular – Lessons of the LightBoard

IMG_3526I recently built out a LightBoard Studio for my home office so I can start contributing to the awesome LightBoard Lessons on DevCentral. These are short, informative videos explaining various technologies and often, how to implement on a BIG-IP system. Instead of writing on a whiteboard and looking over your shoulder into the camera as you explain something, Lightboards allow you to draw on and look through the crystal clear glass (into the camera) while discussing technical concepts. A transparent whiteboard. The LEDs that surround the glass accompanied with neon markers make the images pop. It’s pretty darn cool.

So the story goes, a college professor was looking for a better way to deliver lessons to his students both on campus and online without a chalkboard. He called it the Learning Glass and now there are Lightboards all over the world, especially in universities. Incidentally, there is cool video of Picasso painting on glass from 1949.

He had the right idea.

IMG_3525You may have read or watched Jason & John’s Lightboard Lessons: Behind the Scenes and I wanted to report on my own experiences. First, I followed Jason’s bill of materials (except the camera) and it provides most everything you need to get started. I initially thought about a 3’ x 5’ pane of glass due to my smaller venue but couldn’t find an appropriate frame for that size. Well, to be clear, there may have been one but it was way outside my budget. I looked at various saw horses, ladder frames and other apparatus thinking I could ‘make’ something that could properly hold the glass in place. No dice.

So I decided to go a little larger with the 4’ x 6’ size since there is a frame specifically built for this purpose. Rahm is correct about ordering the frame first since you’ll need to carefully measure the mounting holes so the glass can be drilled perfectly. It also takes a few weeks to order and have the glass delivered – at least in my area. This was fine since it allowed me to set up the other equipment like the lights, back drop and camera location. In addition, make sure you have the delivery folks help you place it on the frame…depending on the size, this is not a pick up and install yourself deal. The glass is large, heavy and certainly needs a few people to carry and properly align with the holes.

IMG_3524Once the glass is installed (and cleaned) you can wrap the LEDs around the edge. There are a couple ways to go with this step. You could use large binder clips to hold the lights at the edge or, like Jason, I got 3/8” shower u-channels to go around the glass and hold the lights in place. Instead of silicon to hold the u-channel, I used clamp clips to hold the outer metal. This allows me to easily change and adjust the LEDs if needed.

The Expo Neon markers do make a greasy mess and I’ve got the same Sprayway glass cleaner. I also got one of those magic erasers to help clean and old hotel room keys work well on dried ink. It’s not that difficult to have a clean slate but any smudges will certainly appear if it’s not sparkle-city.

This week I’ll be moving around the lights and doing some test shots for audio and visual screen tests and look forward to publishing my first LightBoard Lesson very soon. Shooting for next week if all tests go well. I’m excited.

It’s always been a dream of mine to have a home studio. Some guys want a man-cave, some want a game room, others a high end home theatre or a rack of computer equipment. Me? A studio.

And for my 750th DevCentral article I wanted to say: Thanks Gang!!


JoshJosh Becigneul is the ADC Engineer for Secure-24 and DevCentral’s Featured Member for September!

Josh has been working in the IT industry in various positions for a little over 10 years. He’s moved through various disciplines including MS server administration, Linux, Networking, and now has been working primarily with F5 BIG-IPs. For the past 3 years he has focused on F5’s products and growing a team of engineers to manage them. Secure-24 delivers managed IT operations, application hosting and managed cloud services to enterprises worldwide.

DevCentral got an opportunity to talk with Josh about his work, life and the importance of being F5 Certified.

DevCentral: You’ve been an active contributor to the DevCentral community and wondered what keeps you involved?

Josh Becigneul: DevCentral has helped me greatly over the years as I’ve worked with F5 products, so I feel like it’s worth some of my time to spend both reading posts and helping others in the community. When I started off it helped to be able to explain a need and have someone create a basic iRule, or point me towards documentation explaining something. Now that my skills have grown, I want to pay it forward.

DC: Tell us a little about the areas of BIG-IP expertise you have.

JB: I started off on just BIG-IP LTM but over the years have grown into managing APM, GTM, ASM, and sometimes a mix of each. I’ve worked with 1500’s, 1600s, 3600’s, 3900’s and VIPRION. As well as Enterprise Manager and now BIG-IQ too.

DC: You are an ADC Engineer with Secure-24, an application hosting and cloud services organization. Can you explain how DevCentral helps with your daily challenges? Where does BIG-IP fit in the services you offer or within your own infrastructure?

secure24sJB: At Secure-24, BIG-IP has grown into an essential product for many portions of our organization, along with many of our customers utilizing its services to deliver their applications. We’ve got a large number of LTM customers, APM customers and we’ve been growing into ASM. GTM provides advanced DNS services for many of our customers around the globe. Most deployments using BIG-IP are custom tailored to suit the needs of the particular customer. These can vary from basic load balancing to advanced content steering, or small deployments of a few virtual services to large ones comprised of hundreds.

With the variety of F5 products in use, having a resource like DevCentral is invaluable to our team. From being able to ask my peers questions about things, or utilizing the codeshare and wiki to learn more about iRules and iControl, I couldn’t imagine it not being available.

DC: Describe one of your biggest BIG-IP challenges and how DevCentral helped in that situation.

JB: One of the most useful things iRules allow us to do is virtual hosting; running many services behind a virtual service. Coupling this with APM allowed us to greatly simplify remote access for us and our customers. For several customers, we used APM to migrate them away from MS Forefront.

DC: I understand you are an F5 Certified Professional. Can you tell us about that and why you feel it is beneficial?

JB: Yes, I first became F5 Certified in 2015 with my 201 Certified BIG-IP Administrator, and followed that up at 2016’s F5 Agility conference by obtaining my 304 APM Specialist. I feel it is beneficial because it helps to reinforce what I’ve learned over the years, and (hopefully) lets my customers feel like they are in good hands. (DC: Josh also recently passed the 302 GTM Exam!)

DC: Lastly, if you weren’t an IT admin – what would be your dream job? Or better, when you were a kid – what did you want to be when you grew up?

JB: I’d probably be a roadie, and tour the world doing lights and sound for a huge band!

DC: Thanks Josh and get us backstage passes! Check out all of Josh’s DevCentral contributions, connect on LinkedIn and follow both Josh @vsnine and @secure_24.

And if you’d like to nominate someone to be the DevCentral Featured Member, please send your suggestions to the DevCentral Team!

Older Posts »