lab1.rst


Lab: Protecting AWS Hosted Web Application with F5 Distributed Cloud WAF

Lab 1 will focus on the deployment and security of an existing AWS hosted application using F5 Distributed Cloud Platform and Services. This lab will be deployed in a SaaS only configuration with no on-premises (public or private cloud) elements. All configurations will be made via the F5 Distributed Cloud Console and within the F5 Distributed Cloud Global Network services architecture.

The protected application is an AWS hosted application running on Amazon Elastic Kubernetes Service (EKS) https://aws.amazon.com/eks/. This managed container service lets us run and scale Kubernetes-based applications wherever EKS runs.

aws001

For the tasks that follow, you should have already noted your individual namespace. If you did not note it, return to the Introduction section of this lab, follow the instructions provided and note your namespace accordingly. The Delegated Domain and the F5 Distributed Cloud Tenant are listed below for your convenience as they are the same for all lab attendees.

Following the tasks in the prior Introduction Section, you should now be able to access the F5 Distributed Cloud Console, having set your Work Domain Roles and Skill levels. If you have not done so already, please login to your tenant for this lab and proceed to Task 1.

Task 1: Configure Load Balancer and Origin Pool

The following steps will allow you to deploy and advertise a globally available application. These steps will define an application, register its DNS and assign a target as an origin.

  1. Following the Introduction section instructions, you should now be in the Load
    Balancers configuration window. If for some reason you are not in the Load
    Balancers window, use the Select Service in the left-hand navigation, and click
    Load Balancers as shown in the Introduction section, Task 2, Step 9.

  2. In the left-hand navigation expand Manage and click Load Balancers > HTTP Load
    Balancers.

  3. In the resulting screen click the Add HTTP Load Balancer in the graphic as shown.

Note

You have defaulted to your specific namespace as that is the only namespace to which you
have administrative access.

lab001

lab002

  4. Using the left-hand navigation and in the sections as shown, enter the following
    data. Where <namespace> appears, use the name of your assigned namespace.

    • Metadata: Name: <namespace>-lb
    • Basic Configuration: List of Domains: <namespace>.lab-sec.f5demos.com
    • Basic Configuration: Select Type of Load Balancer: HTTP
    • Basic Configuration: Automatically Manage DNS Records: (Check the checkbox)
    • Basic Configuration: HTTP Port: 80

    This lab deliberately uses unencrypted HTTP on port 80. A production deployment would
    select HTTPS and terminate TLS on the load balancer so that the WAF still inspects the
    decrypted request.
lab003
  5. In the current window's left-hand navigation, click Default Origin Servers. Next,
    click Add Item within the Origin Pools section of Default Origin Servers.

lab004
  6. In the resulting window, use the drop down as shown and click Create new Origin Pool.
lab005
  7. In the resulting window, enter <namespace>-pool in the Name field and click
    Add Item under Basic Configuration: Origin Servers.

lab006
  8. In the resulting window, Public DNS Name of Origin Server should be selected for
    Select Type of Origin Server.

  9. For DNS Name enter the following hostname:
    demo-app.amer.myedgedemo.com and then click Add Item.

Note

This targets the AWS hosted EKS cluster where our containerized application is running.
While we are targeting the public DNS name, another design option is to target the EKS
resources by Kubernetes service name using a Mesh node deployed within the EKS cluster,
which keeps the origin off the public Internet.

lab007
  10. After returning to the prior window, make sure Port: under Basic Configuration
    is configured for 80.

  11. Leave all other values as shown while scrolling to the bottom and click Continue.

  12. After returning to the next window and confirming the content, click Add Item.

lab008

lab009

lab010

Task 2: Configure WAF Policy on the Load Balancer

The following steps will guide you through adding a Web Application Firewall (WAF) Policy. These steps will demonstrate various aspects of the configuration.

  1. Continuing in the Security Configuration section of the HTTP Load Balancer form,
    click on the Select Web Application Firewall (WAF Config) dropdown and select
    App Firewall.

lab012

lab013

  2. In the resulting App Firewall drop down select Create new App Firewall.

Note

The "shared/base-appfw" policy lives in the "shared" namespace and can be applied to
multiple Load Balancer configurations across namespaces, reducing policy sprawl. The
trade-off is that a change to a shared policy affects every Load Balancer that references
it, so such changes need the same review as a change to any shared control.

lab014
  3. In the resulting window's Metadata section enter <namespace>-appfw for the
    Name.

  4. Under Enforcement Mode, change the mode to Blocking.

  5. In the Detection Settings section, click the Security Policy dropdown.

  6. Select Custom from the dropdown menu. Additional configurations will become available.

lab015

lab016

  7. In the expanded configuration, use the dropdown for Signature Selection by Accuracy
    and select High, Medium, and Low. Including Low-accuracy signatures maximizes
    detection for the lab but also raises the false-positive rate; Task 3 shows how a
    false positive is handled with an exclusion rule rather than by weakening the policy.

  8. Leaving all other values as default, scroll to the bottom and click Continue.

lab017

lab018

  9. In the resulting HTTP Load Balancer window, scroll to the Advanced Configuration
    section and note the Where to Advertise the VIP setting.

Note

The above selection controls how and where the application is advertised. The "Advertise On
Internet" setting means that this application will be advertised globally using the F5
Distributed Cloud Global Network utilizing Anycast.

  10. Click Save and Exit at the bottom of the HTTP Load Balancer configuration screen.
lab019
  11. In the HTTP Load Balancers window, note the application hostname under the
    Domains column (this was entered in Task 1, Step 4).

  12. Click the Action dots, and then in the subsequent menu click Manage Configuration.

lab020
  13. Click DNS Information in the left-hand navigation.

Note

The target of the CNAME record is listed under "Host Name". It is also listed on the
"HTTP Load Balancers" screen for each Load Balancer. The associated "Tenant IP" is also
shown. The "Tenant IP" is uniquely assigned to each F5 Distributed Cloud Tenant.

lab021
  14. Click JSON in the horizontal navigation at the top of the screen.

Note

The JSON payload (or YAML format, from the dropdown) provides the entire Load Balancer
configuration for backup or subsequent CI/CD automation operations.

  15. Click Documentation in the horizontal navigation at the top of the screen.

Note

The Documentation screen provides details on the F5 Distributed Cloud Console API.
All operations in the F5 Distributed Cloud Platform are API-first. This includes all GUI
actions and their associated audit logging.

  16. Click Cancel and Exit to return to the HTTP Load Balancers screen.
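Pulling the same JSON from the API for backup, as an added example that is not part of the lab. The API path (api/config/namespaces/<ns>/http_loadbalancers/<name> on the tenant's console host), the "Authorization: APIToken" header format, the environment variable names XC_TENANT, XC_NS, XC_LB_NAME and XC_API_TOKEN, and the spec.waf_exclusion_rules field names are all assumptions made here; confirm them against the Documentation tab before relying on the script.

```shell
#!/bin/sh
# Added example, not part of the lab: back up an HTTP Load Balancer's
# configuration through the F5 Distributed Cloud API, i.e. the same JSON the
# Console shows on the JSON tab. Assumed (not stated on the page): the API
# path, the "APIToken" authorization header, the XC_* variable names and the
# spec.waf_exclusion_rules field names used by list_exclusions.

# Build the object URL from tenant host, namespace and load balancer name.
lb_config_url() {
  printf 'https://%s.console.ves.volterra.io/api/config/namespaces/%s/http_loadbalancers/%s\n' \
    "$1" "$2" "$3"
}

# Sanity-check names before they are placed in a URL path: object names are
# lower-case DNS-label style (letters, digits, hyphens), so anything else
# (path separators, dots, upper case) is rejected instead of being sent.
valid_name() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9]([a-z0-9-]*[a-z0-9])?$'
}

# Fetch the config to a timestamped file and print the file name.
# -f makes curl fail on 4xx/5xx so a bad token never yields an "empty backup".
backup_lb() {
  tenant="$1"; ns="$2"; name="$3"
  valid_name "$ns" && valid_name "$name" || { echo "bad namespace or name" >&2; return 2; }
  out="${name}-$(date -u +%Y%m%dT%H%M%SZ).json"
  curl -sf -H "Authorization: APIToken ${XC_API_TOKEN}" \
       -H 'Accept: application/json' \
       "$(lb_config_url "$tenant" "$ns" "$name")" -o "$out" || return 1
  echo "$out"
}

# List exclusion rules (name and expiry) from a saved backup; needs jq.
# Field names are assumed to match what the JSON tab shows in Task 4.
list_exclusions() {
  jq -r '.spec.waf_exclusion_rules[]? | "\(.metadata.name)\t\(.expiration_timestamp // "never")"' "$1"
}

# Only talk to the API when the placeholders have been filled in.
if [ -n "${XC_TENANT:-}" ] && [ -n "${XC_API_TOKEN:-}" ]; then
  backup_lb "$XC_TENANT" "${XC_NS:?set XC_NS}" "${XC_LB_NAME:?set XC_LB_NAME}"
fi
```

Run it as `XC_TENANT=<tenant> XC_NS=<namespace> XC_LB_NAME=<namespace>-lb XC_API_TOKEN=<token> sh backup_lb.sh`; the token should be a short-lived API token with read-only access to that namespace, and the resulting JSON should be stored like any other configuration secret since it reveals the origin hostnames and WAF exclusions.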

lab022

lab023

Task 3: Testing the WAF Policy & Reviewing Event Data

You will now perform basic testing of the Web Application Firewall (WAF) Policy. You will also review the generated event data to make additional configuration changes.

  1. Open another tab in your browser (Chrome shown) and navigate to the newly configured
    Load Balancer, http://<namespace>.lab-sec.f5demos.com, to confirm it is functional.

  2. Using some of the sample attacks below, append the URI path and variables to your
    application URL to generate security event data.

    • /?cmd=cat%20/etc/passwd
    • /product?code=echo%20shell_exec(%27/sbin/ifconfig%20eth0%27);
    • /product?id=4%20OR%201=1
    • /../../../../etc/shadow
    • /cart?search=aaa'><script>prompt('Please+enter+your+password');</script>

  3. In the resulting block screens, note the URL and the Support ID (copy and paste
    them to a notepad or note resource). The Support ID is the only identifier the block
    page gives a user, and it is what you will use to find the matching event later.
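The same five requests sent from the command line rather than a browser, as an added example that is not part of the lab. A browser collapses the ../ segments of the fourth payload before sending it, whereas curl with --path-as-is sends them verbatim, so the two clients can produce different events. Assumptions not stated on the page: the block page body contains the words "support ID is:" followed by the numeric ID (true of the custom page in Task 4, assumed for the default page), and LB_HOST is a placeholder for your <namespace>.lab-sec.f5demos.com.

```shell
#!/bin/sh
# Added example, not part of the lab: replay the Task 3 sample attacks with
# curl and record the HTTP status plus the Support ID from each block page.
# Assumed (not stated on the page): the block page contains "support ID is:"
# followed by digits, and LB_HOST is <namespace>.lab-sec.f5demos.com.
LB_HOST="${LB_HOST:-}"

# The five payloads exactly as listed in Task 3, one per line.
attacks() {
  printf '%s\n' \
    '/?cmd=cat%20/etc/passwd' \
    '/product?code=echo%20shell_exec(%27/sbin/ifconfig%20eth0%27);' \
    '/product?id=4%20OR%201=1' \
    '/../../../../etc/shadow' \
    "/cart?search=aaa'><script>prompt('Please+enter+your+password');</script>"
}

# Pull the numeric Support ID out of a block-page body read from stdin.
# Prints nothing when the body is not a block page (the app answered instead).
extract_support_id() {
  tr -d '\n' | grep -oiE 'support id is:[^0-9]*[0-9]+' | grep -oE '[0-9]+$' | head -n 1
}

# Send one request and print "<status> <support-id-or-dash> <path>".
probe() {
  path="$1"
  body="$(mktemp)"
  # --path-as-is keeps the ../ traversal segments that a browser would collapse;
  # --globoff stops curl treating [] and {} in a payload as glob patterns.
  status="$(curl -s --globoff --path-as-is -o "$body" -w '%{http_code}' \
            "http://${LB_HOST}${path}")"
  sid="$(extract_support_id < "$body")"
  rm -f "$body"
  printf '%s %s %s\n' "$status" "${sid:--}" "$path"
}

# Replay every payload; the printed Support IDs are what you filter on later.
run_all() {
  attacks | while IFS= read -r p; do probe "$p"; done
}

# Only send traffic when a target host has been supplied.
if [ -n "$LB_HOST" ]; then
  run_all
fi
```

Run it as `LB_HOST=<namespace>.lab-sec.f5demos.com sh replay.sh`; a line ending in "-" means the request was not blocked and reached the application, which is exactly what you should see after the exclusion rule in the later steps is applied to one of the payloads.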

lab024

lab025

lab026

  4. Returning to the F5 Distributed Cloud Console, use the left-hand navigation to expand
    Virtual Hosts > HTTP Load Balancers and then click on the Performance Monitoring
    link provided for your respective load balancer.

Note

As you have not run many requests, summary analytics may not be available in the
dashboard view yet.

lab027
  5. From the Dashboard view, using the horizontal navigation, click Requests.

  6. Change the viewable time period from 5 minutes (default) to 1 hour by selecting the
    dropdown shown, clicking Last 1 hour and then clicking Apply.

Note

Security Event data may take 15-20 seconds to populate in the Console. Force a refresh
using the Refresh icon next to the Time Period selection from step 6.

lab028
  7. Expand one of the requests and note on the Information link that summary request
    details are available, as is per-request duration timing. Note that you can also use the
    horizontal, clickable response code filters to quickly filter requests.

  8. Click on the JSON link to get more data about the request.

lab029

lab030

  9. Use the Monitoring dropdown near your Load Balancer name at the top of the screen
    to select Security Monitoring.

lab031
  10. From the Dashboard view, using the horizontal navigation, click Security Events.

  11. Expand your latest security event as shown.

Note

If you lost your 1 hour filter, re-apply it using Task 3, Step 6.

lab032

lab033

  12. Note the summary detail provided on the Information link and identify the Request ID,
    which is the same value as the Support ID (and filterable) shown on the Security Event
    block page.

  13. Scroll to the bottom of the information screen to see the specific signatures detected
    and the actions taken during the security event.

Note

Similar to a Request, Security Events also have additional detail in JSON format.

  14. Next, click on the Add Filter link just under the Security Events title near the
    top of the Security Events window.

lab034

lab035

  15. Type req in the open dialogue window and select req_id from the dropdown.

  16. Next, select In from the Select Operator dropdown.

  17. Finally, select/assign a value that matches one of the Support IDs you recorded in
    Task 3, Step 3 as shown. You can also optionally just paste the Support ID in the
    value field and click Apply.

lab036

lab037

lab038

  18. You should now be filtered to a single Security Event, as shown with your selected
    filter. You can expand and review the request as desired using the arrow icon.

  19. Under the Actions column, click on the three Action dots (scroll to the right).

lab039
  20. Select Create WAF Exclusion rule from the dropdown that appears.

Note

Adding the requestor to "Blocked or Trusted Clients" is also available from this menu.

  21. In the subsequent Simple WAF Exclusion Rule window, review the settings (which are
    editable) by scrolling through the window. The values have been auto-populated from
    the selected event, so the exclusion is scoped to that event's domain, path, parameter
    and signature rather than to the whole policy.

  22. In the Expiration Timestamp field enter a timestamp 10 minutes from now at which
    the exclusion should expire (helpful when testing/validating). The format should be as
    shown, YYYY-MM-DD HH:MM:SS (2022-05-30 01:21:00).

  23. Click Apply when complete.

lab040

lab041

lab042

  24. Click Apply on the WAF Exclusion Rules summary screen.

  25. Click on Security Configuration in the left-hand navigation and note the added
    WAF Exclusion Rules configuration.

  26. Scroll to the bottom of the HTTP Load Balancer configuration window and click the
    Save and Exit button.

Note

Rerunning the attack you just excluded, you will note that it is no longer blocked. The
other sample attacks are still blocked, because the exclusion matches only the path,
parameter and signature taken from the selected event, and it stops matching once the
expiration timestamp passes.

lab043

lab044

lab045

Task 4: Understanding Exclusions and Customizing WAF Policy

In this task you will come to understand how exclusions are applied. You will also further customize the WAF policy just built.

  1. In the HTTP Load Balancers window (Manage > Load Balancers > HTTP Load Balancers)
    click on the three action dots in the Actions column, then Manage Configuration
    from the dropdown menu.

  2. Click on the JSON tab in the horizontal navigation as shown and scroll to find the
    waf_exclusion_rule section. Observe that the exclusion rule is associated with the
    Load Balancer configuration and not the WAF Policy.

Note

Keeping exclusions on the Load Balancer allows one WAF policy to be reused across many
applications, with per-application tuning carried on each Load Balancer, and reduces the
need for application-specific WAF policies.

  3. Click on Cancel and Exit to return to the prior window.

lab046

lab047

  4. In the left-hand navigation menu, expand the Security section and click the App
    Firewall link.

  5. On your App Firewall policy <namespace>-appfw, click the three dots in the Actions
    column and then click Manage Configuration.

  6. Click Edit Configuration in the top right corner.

lab048

lab049

lab050

  7. Use the left-hand navigation and click on Advanced Configuration.

  8. Toggle the Show Advanced Fields button to on.

  9. Click the dropdown on Blocking Response Page and select Custom from the dropdown.

lab051

lab052

  10. In the Blocking Response Page Body replace the existing text with the text provided
    below.

  11. Click Save and Exit when completed.

  12. You can rerun an attack from Task 3, Step 2 to see the new custom block page.

lab053

lab054

lab055

Sample Blocking Response Page to be copied. It intentionally reveals only a Support ID (the {{request_id}} placeholder, filled in per request), so a user can report a false positive without the page disclosing which signature fired or how the request was inspected:

<html style="margin: 0;"><head><title>Rejected Request</title>
<style>body { font-family: Source Sans Pro, sans-serif; }</style></head>
<body style="margin : 0;">
<div style="background-color: #046b99; height: 40px; width: 100%;"></div>
<div style="min-height: 100px; background-color: white; text-align: center;"></div>
<div style="background-color: #fdb81e; height: 5px; width: 100%;"></div>
<div id="main-content" style="width: 100%; ">
<table width="100%"><tr><td style="text-align: center;">
<div style="margin-left: 50px;">
<div style="margin-bottom: 35px;"><br/>
<span style="font-size: 40pt; color: #046b99;">Rejected Request</span>
</div><div style="font-size: 14pt;">
<p>The requested URL was rejected. Please consult with your administrator.</p>
<p>Your Support ID is: <span style="color:red; font-weight:bold">{{request_id}}</span></p>
<p><a href="javascript:history.back()">[Go Back]</a></p>
</div></div></td></tr></table></div>
<div style="background-color: #222222; position: fixed; bottom: 0px; height: 40px; width: 100%; text-align: center;"></div>
</body></html>

End of Lab 1: This concludes Lab 1, feel free to review and test the configuration.

A brief presentation will be shared prior to the beginning of Lab 2.

labend