
BIG-IP Data Center Firewall Configuration Guide

Version 11.1

Table of Contents

Legal Notices .... 5
Acknowledgments .... 7

Chapter 1: Introduction to the BIG-IP Data Center Firewall .... 11
    Overview .... 12
    Features and benefits .... 12
    BIG-IP data center firewall packet handling .... 12

Chapter 2: Prerequisites for System Configuration .... 15
    List of prerequisite tasks .... 16

Chapter 3: Securing BIG-IP Administrative Access .... 17
    Overview .... 18
    Configuring security settings for administrative login .... 18
    Configuring a password policy for administrative users .... 18
    Creating a BIG-IP system user account .... 19
    Configuring a security level for a self IP address .... 19

Chapter 4: Logging .... 21
    Overview .... 22
    Logging server and profile setup .... 22
        Specifying Syslog servers .... 22
        Creating a pool of servers for high-speed logging .... 22
        Configuring a profile for high-speed logging .... 23

Chapter 5: Access Control Lists .... 29
    Overview .... 30
    Packet filter configuration .... 30
        Enabling packet filtering on the BIG-IP system .... 30
        Creating a packet filter rule to allow traffic .... 31
        Creating a packet filter rule to deny traffic .... 31
    Application-specific access control using iRules .... 32

Chapter 6: Traffic Listeners .... 33
    Overview .... 34
    Virtual server configuration .... 34
        Creating a Services profile within LTM .... 34
        Creating a load balancing pool .... 35
        Creating an iRule .... 36
        Host virtual servers .... 36
        Network virtual servers .... 38
    Configuring a SNAT .... 39

Chapter 7: Advanced Security .... 41
    Overview .... 42
    Distributed Denial of Service protection .... 42
        Configuring adaptive reaping .... 42
    SYN flood protection .... 42
        Adjusting the SYN Check threshold .... 43
    ICMP packet handling .... 43
        Limiting ICMP responses .... 43
        Limiting ICMP unreachable packets .... 43
    IPsec protocol configuration .... 44
        Creating an IKE peer .... 44
        Creating a bidirectional IPsec policy .... 45
        Creating a bidirectional IPsec traffic selector .... 46

Chapter 8: Dynamic Attack Mitigation .... 47
    Overview .... 48
    Server resource cloaking .... 48
    Protection from Apache Killer attacks .... 48

Chapter 9: Additional Attack Prevention using BIG-IP PSM and BIG-IP ASM .... 49
    Overview .... 50
    What is BIG-IP Protocol Security Module? .... 50
        Applying protocol security to an LTM profile .... 50
    Advanced Layer 7 protection using BIG-IP Application Security Manager .... 51

Legal Notices

Publication Date
This document was published on March 9, 2012.

Publication Number
MAN-0395-00

Copyright
Copyright 2012, F5 Networks, Inc. All rights reserved.
F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5 assumes no responsibility for the use of this information, nor any infringement of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent, copyright, or other intellectual property right of F5 except as specifically described by applicable user licenses. F5 reserves the right to change specifications at any time without notice.

Trademarks
3DNS, Access Policy Manager, Acopia, Acopia Networks, Advanced Client Authentication, Advanced Routing, APM, Application Security Manager, ARX, AskF5, ASM, BIG-IP, Cloud Extender, CloudFucious, CMP, Data Manager, DevCentral, DevCentral [DESIGN], DNS Express, DSC, DSI, Edge Client, Edge Gateway, Edge Portal, EM, Enterprise Manager, F5, F5 [DESIGN], F5 Management Pack, F5 Networks, F5 World, Fast Application Proxy, Fast Cache, FirePass, Global Traffic Manager, GTM, IBR, Intelligent Browser Referencing, Intelligent Compression, IPv6 Gateway, iApps, iControl, iHealth, iQuery, iRules, iRules OnDemand, iSession, IT agility. Your way., L7 Rate Shaping, LC, Link Controller, Local Traffic Manager, LTM, Message Security Module, MSM, Netcelera, OneConnect, Packet Velocity, Protocol Security Module, PSM, Real Traffic Policy Builder, ScaleN, SSL Acceleration, StrongBox, SuperVIP, SYN Check, TCP Express, TDR, TMOS, Traffic Management Operating System, TrafficShield, Transparent Data Reduction, VIPRION, vCMP, WA, WAN Optimization Manager, WANJet, WebAccelerator, WOM, and ZoneRunner, are trademarks or service marks of F5 Networks, Inc., in the U.S. and other countries, and may not be used without F5's express written consent. All other product and company names herein may be trademarks of their respective owners.

Export Regulation Notice
This product may include cryptographic software. Under the Export Administration Act, the United States government may consider it a criminal offense to export this product from the United States.

RF Interference Warning
This is a Class A product. In a domestic environment this product may cause radio interference, in which case the user may be required to take adequate measures.

FCC Compliance
This equipment has been tested and found to comply with the limits for a Class A digital device pursuant to Part 15 of FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This unit generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user, at his own expense, will be required to take whatever measures may be required to correct the interference. Any modifications to this device, unless expressly approved by the manufacturer, can void the user's authority to operate this equipment under part 15 of the FCC rules.

Canadian Regulatory Compliance
This Class A digital apparatus complies with Canadian ICES-003.

Standards Compliance
This product conforms to the IEC, European Union, ANSI/UL and Canadian CSA standards applicable to Information Technology products at the time of manufacture.

Acknowledgments

This product includes software developed by Bill Paul.
This product includes software developed by Jonathan Stone.
This product includes software developed by Manuel Bouyer.
This product includes software developed by Paul Richards.
This product includes software developed by the NetBSD Foundation, Inc. and its contributors.
This product includes software developed by the Politecnico di Torino, and its contributors.
This product includes software developed by the Swedish Institute of Computer Science and its contributors.
This product includes software developed by the University of California, Berkeley and its contributors.
This product includes software developed by the Computer Systems Engineering Group at the Lawrence Berkeley Laboratory.
This product includes software developed by Christopher G. Demetriou for the NetBSD Project.
This product includes software developed by Adam Glass.
This product includes software developed by Christian E. Hopps.
This product includes software developed by Dean Huxley.
This product includes software developed by John Kohl.
This product includes software developed by Paul Kranenburg.
This product includes software developed by Terrence R. Lambert.
This product includes software developed by Philip A. Nelson.
This product includes software developed by Herb Peyerl.
This product includes software developed by Jochen Pohl for the NetBSD Project.
This product includes software developed by Chris Provenzano.
This product includes software developed by Theo de Raadt.
This product includes software developed by David Muir Sharnoff.
This product includes software developed by SigmaSoft, Th. Lockert.
This product includes software developed for the NetBSD Project by Jason R. Thorpe.
This product includes software developed by Jason R. Thorpe for And Communications, http://www.and.com.
This product includes software developed for the NetBSD Project by Frank Van der Linden.
This product includes software developed for the NetBSD Project by John M. Vinopal.
This product includes software developed by Christos Zoulas.
This product includes software developed by the University of Vermont and State Agricultural College and Garrett A. Wollman.
This product includes software developed by Balazs Scheidler (bazsi@balabit.hu), which is protected under the GNU Public License.
This product includes software developed by Niels Mueller (nisse@lysator.liu.se), which is protected under the GNU Public License.
In the following statement, "This software" refers to the Mitsumi CD-ROM driver: This software was developed by Holger Veit and Brian Moore for use with 386BSD and similar operating systems. "Similar operating systems" includes mainly non-profit oriented systems for research and education, including but not restricted to NetBSD, FreeBSD, Mach (by CMU).
This product includes software developed by the Apache Group for use in the Apache HTTP server project (http://www.apache.org/).
This product includes software licensed from Richard H. Porter under the GNU Library General Public License (1998, Red Hat Software), www.gnu.org/copyleft/lgpl.html.
This product includes the standard version of Perl software licensed under the Perl Artistic License (1997, 1998 Tom Christiansen and Nathan Torkington). All rights reserved. You may find the most current standard version of Perl at http://www.perl.com.
This product includes software developed by Jared Minch.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).
This product contains software based on oprofile, which is protected under the GNU Public License.
This product includes RRDtool software developed by Tobi Oetiker (http://www.rrdtool.com/index.html) and licensed under the GNU General Public License.
This product contains software licensed from Dr. Brian Gladman under the GNU General Public License (GPL).
This product includes software developed by the Apache Software Foundation (http://www.apache.org/).
This product includes Hypersonic SQL.
This product contains software developed by the Regents of the University of California, Sun Microsystems, Inc., Scriptics Corporation, and others.
This product includes software developed by the Internet Software Consortium.
This product includes software developed by Nominum, Inc. (http://www.nominum.com).
This product contains software developed by Broadcom Corporation, which is protected under the GNU Public License.
This product contains software developed by MaxMind LLC, and is protected under the GNU Lesser General Public License, as published by the Free Software Foundation.

This product includes software developed by the Computer Systems Engineering Group at Lawrence Berkeley Laboratory. Copyright 1990-1994 Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment: This product includes software developed by the Computer Systems Engineering Group at Lawrence Berkeley Laboratory.
4. Neither the name of the University nor of the Laboratory may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This product includes software developed by Sony Computer Science Laboratories Inc. Copyright 1997-2003 Sony Computer Science Laboratories Inc. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY SONY CSL AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL SONY CSL OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Chapter 1: Introduction to the BIG-IP Data Center Firewall

Topics:
    Overview
    Features and benefits
    BIG-IP data center firewall packet handling

Overview

The BIG-IP system offers native, high-performance firewall services that protect the entire network infrastructure, and operates as a purpose-built, high-performance application delivery controller (ADC) designed to protect data centers. In many cases, the BIG-IP system can replace an existing firewall while also offering scale, performance, and persistence. The BIG-IP system provides a unified view of Layer 3 through Layer 7, as well as integration with Security Information and Event Management (SIEM) vendors.

Features and benefits

The BIG-IP system includes these firewall features:

Protocol security
    The BIG-IP system natively decodes IPv4, IPv6, TCP, HTTP, SIP, DNS, SMTP, FTP, Diameter, and RADIUS. Organizations can control almost every element of the protocols they deploy. An integrated architecture enables organizations to combine traditional firewall Layers 3 and 4 with application Layers 5 through 7.

DDoS prevention capabilities
    DDoS mitigations: the BIG-IP system protects UDP, TCP, SIP, DNS, HTTP, SSL, and other network attack targets while delivering uninterrupted service for legitimate connections.

SSL termination
    You can offload computationally-intensive SSL functions to the BIG-IP system, and gain visibility into potentially harmful encrypted payloads.

Dynamic threat mitigation
    iRules provide a flexible way to enforce protocol functions on both standard, and emerging or custom, protocols. With iRules, organizations can create a zero-day dynamic security context to react to vulnerabilities for which an associated patch has not yet been released.

Resource cloaking and content security
    You can prevent leaks of error codes and sensitive content.

BIG-IP data center firewall packet handling

A BIG-IP data center firewall includes three basic mechanisms for controlling packet flow: packet filters, traffic listeners, and iRules assigned to virtual servers.

Figure 1: Basic packet flow through a BIG-IP data center firewall

To effectively configure a BIG-IP system as a data center firewall, you must decide how you want the BIG-IP system to process any network traffic that the system receives. A BIG-IP system evaluates and acts on network traffic using the following order of operations.

Packet filters
    The BIG-IP system evaluates network traffic against any packet filters that you have configured, in the explicit order you define. Once a packet is accepted by a filter, it is not evaluated against additional filters, but is processed by any SNATs, virtual servers, or iRules that apply. If a packet is discarded or rejected, the BIG-IP system does not perform any further evaluation of that packet.

Traffic listeners
    When you create local traffic objects (such as virtual servers, NATs, and SNATs) that process network traffic on the BIG-IP system, the BIG-IP system creates the appropriate listeners for the objects that you define. A local traffic object with a destination listener processes requests matching a destination host or network IP address defined on the BIG-IP system. A local traffic object with a source listener processes requests originating from a host or group of hosts defined on the BIG-IP system. When more than one listener could match, the most specific one wins: for example, a virtual server with a destination address and netmask of 192.0.0.0/8:any takes precedence over a virtual server with a destination address and netmask of 0.0.0.0/0:80. If the traffic does not match a virtual server and there is a SNAT in place, processing follows a specific order. For example, a SNAT with an origin address of 10.10.64.0/24 takes precedence over a SNAT with an origin of default. Additionally, a SNAT with an origin address of 10.10.64.2 takes precedence over a NAT with an origin address of 10.10.64.2.

Virtual server-specific ACL using iRules
    Any iRules associated with the matched virtual server are processed. iRules are event-driven, so the order of events ultimately controls the order in which code blocks are processed. Additionally, you can use priority statements within iRules to assign execution order for like events. Lastly, for like events of identical priority, iRules are triggered in the order in which they are assigned to the virtual server.

For each of these BIG-IP features, consult the BIG-IP product documentation and other online resources, such as F5 Networks' DevCentral Wiki, for complete details.
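The three stages above, written out as tmsh commands so the ordering rules can be seen in one place. This is an added example, not configuration from the guide: the object names, the VLAN name `external`, and the addresses (RFC 5737 documentation ranges and a private pool) are made up; the packet-filter expressions use the tcpdump-style syntax the Packet Filters screen accepts; and the `net packet-filter` and `net packet-filter-global` property names are from memory of the v11 tmsh schema, so confirm them with `tmsh help net packet-filter-global` before pasting into a production system.

```tmsh
# Stage 1: packet filters, evaluated in ascending 'order'. The first rule that
# matches decides, so the accept rule must sort before the catch-all discard.
# Both are scoped to the client-facing VLAN so that server-side traffic on
# internal VLANs is never subject to the catch-all.
create net packet-filter pf_allow_web order 10 action accept vlan external rule "( dst net 192.0.2.0/24 ) and ( tcp dst port 80 )"
create net packet-filter pf_deny_rest order 20 action discard vlan external rule "( ip )"
# Turn filtering on, and make a packet that matches no rule a discard as well,
# so the filter set is default-deny rather than default-accept.
modify net packet-filter-global filter enabled unhandled-packet-action discard

# Stage 2: listeners. Of the virtual servers a packet could match, the most
# specific destination wins; this is the same rule that puts 192.0.0.0/8:any
# ahead of 0.0.0.0/0:80 in the text. A packet to 192.0.2.10:80 therefore
# reaches vs_web_host, and only other hosts in the /24 fall through to vs_web_any.
create ltm pool web_pool members add { 10.0.0.11:80 10.0.0.12:80 } monitor http
create ltm virtual vs_web_host destination 192.0.2.10:80 profiles add { tcp http } pool web_pool
create ltm virtual vs_web_any destination 0.0.0.0:80 mask any profiles add { tcp http } pool web_pool

# Stage 3: iRules on the matched virtual server. Both rules handle the same
# event; the explicit priority (lower runs first) orders them. Rules with
# equal priority would run in the order they are listed on the virtual server.
create ltm rule deny_bogon_source {
    when CLIENT_ACCEPTED priority 100 {
        # 198.51.100.0/24 stands in for a source range that must never reach this listener
        if { [IP::addr [IP::client_addr] equals 198.51.100.0/24] } {
            reject
        }
    }
}
create ltm rule log_accepted_client {
    when CLIENT_ACCEPTED priority 500 {
        log local0. "accept [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port] on [virtual name]"
    }
}
modify ltm virtual vs_web_host rules { deny_bogon_source log_accepted_client }
save sys config
```

A practical check after applying this: a connection from 198.51.100.7 to 192.0.2.10:80 passes the packet filter (it is destined for the allowed network and port), is claimed by vs_web_host rather than vs_web_any, and is then rejected by the priority-100 iRule before the logging rule runs, which is exactly the filter, listener, iRule sequence the chapter describes.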

Chapter 2: Prerequisites for System Configuration

Topics:
    List of prerequisite tasks

List of prerequisite tasks

Before you begin configuring a BIG-IP system as a data center firewall, ensure that you have:

- Assigned a management IP address to the BIG-IP system
- Assigned a host name to the BIG-IP system
- Specified passwords for the admin and root accounts
- Created the necessary VLANs and associated self IP addresses
- Configured the redundancy settings for Sync-Failover device group management (ConfigSync, failover, and mirroring addresses, as well as the default traffic groups)
- Configured the DNS and NTP servers

Also, if you intend to use BIG-IP Protocol Security Module and BIG-IP Application Security Manager on the BIG-IP data center firewall, verify that these modules are licensed and provisioned on the system. Once you have met these prerequisites, the BIG-IP system is ready to be configured as a data center firewall.

Chapter 3: Securing BIG-IP Administrative Access

Topics:
    Overview
    Configuring security settings for administrative login
    Configuring a password policy for administrative users
    Creating a BIG-IP system user account
    Configuring a security level for a self IP address

Overview

There are several tasks that you can perform to control BIG-IP administrative access to the BIG-IP Configuration utility or to tmsh. This access control includes not only settings such as the number of failed login attempts allowed per user and the maximum amount of allowed idle login time, but also settings to specify user roles, administrative partition access, and console access.

Configuring security settings for administrative login

Use this procedure to define the maximum number of concurrent users allowed, the maximum duration that the Configuration utility can be idle before automatic user logout, and a security message that you want the system to display on the BIG-IP Configuration utility login screen.

1. On the Main tab, click System > Preferences.
2. From the System Settings list, select Advanced. Additional settings appear on the screen.
3. In the field labeled Maximum HTTP Connections To Configuration Utility, retain or revise the default value.
4. In the field labeled Idle Time Before Automatic Logout, revise the default value. F5 Networks recommends a value of 120 seconds.
5. For the setting labeled Show The Security Banner On The Login Screen, verify that the box is checked. This ensures that the security message you specify displays on the login screen of the BIG-IP Configuration utility.
6. In the field labeled Security Banner Text To Show On The Login Screen, revise the default security message. A good security message is one that provides legal protection to the organization, such as a message stating that unauthorized access is forbidden. The login screen of the BIG-IP Configuration utility displays the text that you specify in this field.
7. Click Update.

After you have performed these steps, administrative access to the BIG-IP Configuration utility is more secure.

Configuring a password policy for administrative users

Use this procedure to require BIG-IP system users to create strong passwords and to specify the maximum number of BIG-IP Configuration utility login failures that the system allows before the user is denied access.

1. On the Main tab, click System > Users.
2. On the menu bar, click Authentication.
3. From the Secure Password Enforcement list, select Enabled. Additional settings appear on the screen.
4. For the Minimum Length and Required Characters settings, configure the default values according to your organization's internal security requirements.
5. In the Maximum Login Failures field, specify a number. If a user fails to log in the specified number of times, that user is locked out of the system. Set the value high enough to tolerate ordinary typing mistakes: a very low threshold lets a short run of bad attempts, whether accidental or deliberate, lock administrators out of their own system. F5 Networks therefore recommends a value that allows for a reasonable number of login failures before user lockout.
6. Click Update.

Creating a BIG-IP system user account

Use this procedure to create a user account for a BIG-IP system administrative user. When creating the account, you can specify a user role, the partitions to which the user has access, and the type of console access. Give each account the least-privileged role, the fewest partitions, and the lowest level of console access that its duties require.

1. On the Main tab, click System > Users.
2. Click Create. The New User properties screen opens.
3. To grant an access level other than No Access, use the Role list to select a user role.
4. From the Partition Access list, select a partition name. You can select a single partition name, or All.
5. From the Terminal Access list, select a level of console access.
6. Click Finished.

The BIG-IP system includes a new user account for administrative access.

Configuring a security level for a self IP address

You can specify the protocols and services from which a self IP address can accept traffic. Having fewer active protocols enhances the security level of the self IP address and its associated VLANs.

1. On the Main tab, click Network > Self IPs. The Self IPs screen opens.
2. In the Name column, click a self IP address associated with a VLAN on the public network. This displays the properties of that self IP address.
3. From the Port Lockdown list, select a level of security for the self IP address. Port lockdown governs only connections made to the BIG-IP system itself on that self IP address; traffic passing through the system to virtual servers is not affected. Selecting Allow None therefore blocks administrative traffic only, for this self IP address: specifically, a user is blocked from accessing the BIG-IP system through the BIG-IP Configuration utility or SSH.
4. Click Update.

The BIG-IP system now controls the level of access that administrative users have to the BIG-IP Configuration utility and through SSH.
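The four procedures of this chapter as tmsh commands, for a hardening script or a change record. This is an added example, not from the guide: the user name, the password placeholder, the self IP addresses and the chosen values are illustrative, and the option names are the v11 tmsh counterparts of the screens named above (the `list` commands at the end show what was actually set, so a mismatch is visible before `save sys config`).

```tmsh
# Configuring security settings for administrative login (System > Preferences)
modify sys httpd max-clients 10
modify sys httpd auth-pam-idle-timeout 120
modify sys global-settings gui-security-banner enabled gui-security-banner-text "Authorized use only. Activity on this system is monitored and logged."

# Configuring a password policy for administrative users (System > Users > Authentication).
# Six failures before lockout: enough for typing mistakes, small enough to blunt guessing.
modify auth password-policy policy-enforcement enabled minimum-length 12 required-uppercase 1 required-lowercase 1 required-numeric 1 required-special 1 max-login-failures 6

# Creating a BIG-IP system user account with the least privilege that fits the job:
# the read-only Auditor role, a single partition, and no shell at all. Use 'shell tmsh'
# if the user needs the CLI; 'shell bash' (Advanced shell) is root-equivalent on the
# appliance and belongs only to full administrators.
create auth user soc-auditor password "Replace-This-Example-Password-1!" partition-access add { Common { role auditor } } shell none

# Configuring a security level for a self IP address (Network > Self IPs > Port Lockdown):
# Allow None on the public-facing self IP, only the admin ports on an internal one.
# Leave the self IP used for ConfigSync and mirroring at Allow Default, or HA breaks.
modify net self 203.0.113.10 allow-service none
modify net self 10.0.0.10 allow-service replace-all-with { tcp:443 tcp:22 }

# Check the result before saving
list sys httpd max-clients auth-pam-idle-timeout
list sys global-settings gui-security-banner gui-security-banner-text
list auth password-policy
list auth user soc-auditor
list net self allow-service
save sys config
```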

Chapter 4: Logging

Topics:
    Overview
    Logging server and profile setup

Overview

There are a number of logging features you can implement as part of a BIG-IP system firewall configuration.

Logging server and profile setup

When configuring the BIG-IP system as a data center firewall, you might want to implement high-speed logging and define a group of remote Syslog servers. You can do this by creating a pool of servers, creating a custom request logging profile that determines log content and references the log server pool, and then assigning the profile to each virtual server that you create to process application traffic.

Specifying Syslog servers

Use this task to log messages to one or more remote Syslog servers.

1. From the Main tab, click System > Logs.
2. From the Configuration menu, choose Remote Logging.
3. In the Remote IP field, type the IP address of the remote server to which the BIG-IP system will send the log messages.
4. In the Remote Port field, retain the default port number or type a different port number.
5. Optionally, in the Local IP field, type the IP address of the local BIG-IP system that is sending the log messages.
6. Click Add.
7. Repeat steps 3 through 6 for each remote logging server to which you want the BIG-IP system to send log messages.
8. Click Update.

The remote Syslog servers are defined on the BIG-IP system.

Creating a pool of servers for high-speed logging

For the LTM firewall configuration, you can create a pool of remote servers for high-speed logging.

1. On the Main tab, click Local Traffic > Pools. The Pool List screen opens.
2. Click Create. The New Pool screen opens.
3. In the Name field, type a unique name for the pool.
4. For the Health Monitors setting, in the Available list, select a monitor type, and click << to move the monitor to the Active list. Tip: Hold the Shift or Ctrl key to select more than one monitor at a time.
5. From the Load Balancing Method list, select how the system distributes traffic to members of this pool. The default is Round Robin.
6. For the Priority Group Activation setting, select the way to handle priority groups:
   - Retain the default option, Disabled, to disable priority groups.
   - Select Less than, and type the minimum number of members in the Available Members field that must remain available in each priority group in order for traffic to remain confined to that group.
7. Using the New Members setting, add the IP address for each logging server that you want to include in the pool:
   a) Type an IP address in the Address field, or select a node address from the Node List.
   b) Type a service number in the Service Port field, or select a service name from the list.
   c) You may type a priority number in the Priority field.
   d) Click Add.
8. Click Finished.

The new pool containing the remote Syslog servers appears in the Pools list. After creating the pool, you must create a request logging profile and specify this pool name within the profile. This eliminates the need for you to assign this pool to a virtual server.

Configuring a profile for high-speed logging


You must have already created a pool that includes logging servers as pool members.
Many sites perform traffic analysis against the log files that their web servers generate. With a Request Logging profile, you can specify the data and the format for HTTP requests and responses that you want to include in a log file. If you prefer, you can tailor the information that appears in the logs so that the logs work seamlessly with whatever analysis tools you use for your origin web servers' HTTP log files. You can use a request logging profile to log specific data, and then use that information for analysis and troubleshooting.
1. On the Main tab, click Local Traffic > Profiles > Other > Request Logging. The Request Logging profile list screen opens.
2. Click Create. The New Request Logging Profile screen opens.
3. From the Parent Profile list, select a profile from which the new profile inherits properties.
4. Select the Custom check box for the Request Settings area. The settings in the Request Settings area become available for configuring.
5. In the Request Settings area, from the Request Logging list, select Enabled.
6. In the Template field, type the request logging parameters for the entries that you want to include in the log file.
7. From the HSL Protocol list, select a high-speed logging protocol.
8. From the Pool Name list, select the pool that includes the logging server as a pool member.
9. (Optional) You can also configure the error response settings.
   a) From the Respond On Error list, select Enabled.
   b) In the Error Response field, type the error response strings that you want to include in the log file. These strings must be well-formed for the protocol serving the strings.
   c) Select the Close On Error check box to drop the request and close the connection if logging fails.
10. (Optional) You can also configure the logging request errors settings.
   a) From the Log Logging Errors list, select Enabled.
   b) In the Error Template field, type the request logging parameters for the entries that you want to include in the log file.
   c) From the HSL Error Protocol list, select a high-speed logging error protocol.
   d) From the Error Pool Name list, select a pool that includes the node for the error logging server as a pool member.
11. Click Update.
This configures a request logging profile to log specified data for HTTP requests.

Request logging parameters
This table lists all available parameters from which you can create a custom logging profile. These are used to specify entries for the Template and Error Template settings. For each parameter, the system writes to the log the information described in the right column.

Table 1: Request logging parameters
Parameter               Log file entry description
BIGIP_BLADE_ID          An entry for the slot number of the blade that handled the request.
BIGIP_CACHED            An entry of Cached status: true, if the response came from BIG-IP cache, or Cached status: false, if the response came from the server.
BIGIP_HOSTNAME          An entry for the configured host name of the unit or chassis.
CLIENT_IP               An entry for the IP address of a client, for example, 192.168.74.164.
CLIENT_PORT             An entry for the port of a client, for example, 80.
DATE_D                  A two-character entry for the day of the month, ranging from " 1" (note the leading space) through 31.
DATE_DAY                An entry that spells out the name of the day.
DATE_DD                 A two-digit entry for the day of the month, ranging from 01 through 31.
DATE_DY                 A three-letter entry for the day, for example, Mon.
DATE_HTTP               A date and time entry in an HTTP format, for example, Tue, 5 Apr 2011 02:15:31 GMT.
DATE_MM                 A two-digit month entry, ranging from 01 through 12.
DATE_MON                A three-letter abbreviation for a month entry, for example, APR.
DATE_MONTH              An entry that spells out the name of the month.
DATE_NCSA               A date and time entry in an NCSA format, for example, dd/mm/yy:hh:mm:ss ZNE.
DATE_YY                 A two-digit year entry, ranging from 00 through 99.
DATE_YYYY               A four-digit year entry.
HTTP_CLASS              The name of the httpclass profile that matched the request, or an empty entry if a profile name is not associated with the request.
HTTP_KEEPALIVE          A flag summarizing the HTTP 1.1 keep-alive status for the request: a Y if the HTTP 1.1 keep-alive header was sent, or an empty entry if not.
HTTP_METHOD             An entry that defines the HTTP method, for example, GET, PUT, HEAD, POST, DELETE, TRACE, or CONNECT.
HTTP_PATH               An entry that defines the HTTP path.
HTTP_QUERY              The text following the first ? in the URI.
HTTP_REQUEST            The complete text of the request, for example, $METHOD $URI $VERSION.
HTTP_STATCODE           The numerical response status code, that is, the status response code excluding subsequent text.
HTTP_STATUS             The complete status response, that is, the number appended with any subsequent text.
HTTP_URI                An entry for the URI of the request.
HTTP_VERSION            An entry that defines the HTTP version.
NCSA_COMBINED           An NCSA Combined formatted log string, for example, $NCSA_COMMON $Referer ${User-agent} $Cookie.
NCSA_COMMON             An NCSA Common formatted log string, for example, $CLIENT_IP - $DATE_NCSA $HTTP_REQUEST $HTTP_STATCODE $RESPONSE_SIZE.
RESPONSE_MSECS          The elapsed time in milliseconds (ms) between receiving the request and sending the response.
RESPONSE_SIZE           An entry for the size of the response in bytes.
RESPONSE_USECS          The elapsed time in microseconds (µs) between receiving the request and sending the response.
SERVER_IP               An entry for the IP address of a server, for example, 10.10.0.1.
SERVER_PORT             An entry for the port of a server, for example, 80.
SNAT_IP                 An entry for the self IP address of the BIG-IP-originated connection to the server when SNAT is enabled, or an entry for the client IP address when SNAT is not enabled.
SNAT_PORT               An entry for the port of the BIG-IP-originated connection to the server when SNAT is enabled, or an entry for the client port when SNAT is not enabled.
TIME_AMPM               A twelve-hour request-time qualifier, for example, AM or PM.
TIME_H12                A compact twelve-hour time entry for request-time hours, ranging from 1 through 12.
TIME_HRS                A twelve-hour time entry for hours, for example, 12 AM.
TIME_HH12               A twelve-hour entry for request-time hours, ranging from 01 through 12.
TIME_HMS                An entry for a compact request time of H:M:S, for example, 12:10:49.
TIME_HH24               A twenty-four-hour entry for request-time hours, ranging from 00 through 23.
TIME_MM                 A two-digit entry for minutes, ranging from 00 through 59.
TIME_MSECS              An entry for the request-time fraction in milliseconds (ms).
TIME_OFFSET             An entry for the time zone, offset in hours from GMT, for example, -11.
TIME_SS                 A two-digit entry for seconds, ranging from 00 through 59.
TIME_UNIX               A UNIX time entry for the number of seconds since the UNIX epoch, that is, 00:00:00 UTC, January 1st, 1970.
TIME_USECS              An entry for the request-time fraction in microseconds (µs).
TIME_ZONE               An entry for the current Olson database or tz database three-character time zone, for example, PDT.
VIRTUAL_IP              An entry for the IP address of a virtual server, for example, 192.168.10.1.
VIRTUAL_NAME            An entry for the name of a virtual server.
VIRTUAL_POOL_NAME       An entry for the name of the pool containing the responding server.
VIRTUAL_PORT            An entry for the port of a virtual server, for example, 80.
VIRTUAL_SNATPOOL_NAME   The name of the Secure Network Address Translation pool associated with the virtual server.
NULL                    Undelineated strings return the value of the respective header.

Standard log formats
Log headers appear in the lines at the top of a log file. You can use log headers to identify the type and order of the information written to each line in the log file. Some log analysis software also uses log headers to determine how to parse a log file. There are three common conventions for log headers, shown here.

Convention                        Description
No header line                    Apache web servers use this option. By default, Apache web servers write access logs in a format that is identical to the NCSA Common format.
NCSA Common or Combined headers   Netscape servers, and their descendants (such as the iPlanet Enterprise Server), write a log header line that is unique to this family of servers. These servers generally use either the NCSA Common or Combined log format, and the log header lines are composed of keywords. For example: #format=%Ses->client.ip% %Req->vars.auth-user% [%SYSDATE%] ....
W3C headers                       Most Microsoft Internet Information Services (IIS) web servers write log files in the extended log file format, which is defined by a W3C working draft.

The logging information that is commonly used by origin web servers consists of the following conventions:
• NCSA Common (no log header)
• NCSA Common (Netscape log header)
• NCSA Combined (no log header)
• NCSA Combined (Netscape log header)
• W3C Extended

NCSA Common log format example
This is the NCSA Common log format syntax:
host rfc931 username [date:time UTC_offset] "method URI?query_parameters protocol" status bytes
Here is an example that uses this syntax:
125.125.125.2 - - [03/Apr/2011:23:44:03 -0600] "GET /apps/example.jsp?sessionID=34h76 HTTP/1.1" 200 3045
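As an added example (not code from this guide or from F5), the following Python renders a Request Logging Template built from the Table 1 parameters into an NCSA Common line, and parses such lines back the way a log-analysis tool consuming the high-speed logging output would. The template string, the sample request values, the NCSA_COMMON_TEMPLATE name and the treatment of a parameter with no value as an empty entry are assumptions of the example, not documented BIG-IP behaviour.

```python
import re
from datetime import datetime

# Constructed sample request, keyed by the Table 1 parameter names. The values
# are made up for this example; they do not come from a real BIG-IP system.
SAMPLE_REQUEST = {
    "CLIENT_IP": "192.168.74.164",
    "CLIENT_PORT": "51234",
    "DATE_NCSA": "05/Apr/2011:02:15:31 +0000",
    "HTTP_REQUEST": "GET /apps/example.jsp?sessionID=34h76 HTTP/1.1",
    "HTTP_STATCODE": "200",
    "RESPONSE_SIZE": "3045",
    "VIRTUAL_NAME": "/Common/web_vs",
    "HTTP_KEEPALIVE": "Y",
}

# A Template string built from Table 1 parameters. The bracket and quote
# placement around $DATE_NCSA and $HTTP_REQUEST is an assumption chosen so the
# rendered line matches the NCSA Common syntax shown in the text.
NCSA_COMMON_TEMPLATE = (
    '$CLIENT_IP - - [$DATE_NCSA] "$HTTP_REQUEST" $HTTP_STATCODE $RESPONSE_SIZE'
)

# $NAME or ${NAME} tokens; the braced form allows names with a hyphen,
# such as ${User-agent} in the NCSA_COMBINED description.
TOKEN = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_-]*)\}|\$([A-Za-z_][A-Za-z0-9_]*)")


def render_template(template, values):
    """Expand template tokens from a dict of parameter values.

    A parameter with no value renders as an empty entry (assumption, modelled
    on the "empty entry" wording used for HTTP_CLASS and HTTP_KEEPALIVE).
    """
    def substitute(match):
        name = match.group(1) or match.group(2)
        return str(values.get(name, ""))
    return TOKEN.sub(substitute, template)


# NCSA Common: host rfc931 username [date:time UTC_offset] "request" status bytes
NCSA_COMMON = re.compile(
    r'^(?P<host>\S+) (?P<rfc931>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<protocol>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)


def parse_ncsa_common(line):
    """Parse one NCSA Common line into a dict, or return None if malformed."""
    match = NCSA_COMMON.match(line)
    if not match:
        return None
    rec = match.groupdict()
    # HTTP_PATH / HTTP_QUERY split: the query is the text after the first '?'
    rec["path"], _, rec["query"] = rec["uri"].partition("?")
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def status_summary(lines):
    """Count parsed lines per status class (2xx, 4xx, ...) plus malformed lines."""
    counts = {"malformed": 0}
    for line in lines:
        rec = parse_ncsa_common(line)
        if rec is None:
            counts["malformed"] += 1
            continue
        key = f"{rec['status'] // 100}xx"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    rendered = render_template(NCSA_COMMON_TEMPLATE, SAMPLE_REQUEST)
    print(rendered)
    print(parse_ncsa_common(rendered))
```

Anything the regular expression rejects is counted as malformed rather than silently skipped; on a logging pipeline that is the signal that a template was changed or that a line was truncated in transit.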

Chapter 5: Access Control Lists
Topics:
• Overview
• Packet filter configuration
• Application-specific access control using iRules

Overview
You can implement two kinds of access control on the BIG-IP system: packet filters and iRules.

Packet filter configuration


Packet filters enhance network security by specifying whether a BIG-IP system interface should accept or reject certain packets based on criteria that you specify. Packet filters enforce an access policy on incoming traffic. They apply to incoming traffic only.
Packet filtering is global and takes precedence over virtual server access control. However, filtering typically works best when you configure both packet filters and virtual server access control on the system. While packet filters allow or deny traffic based solely on the source of the traffic, regardless of destination, virtual servers can filter traffic destined for a particular IP address. When the traffic reaches the virtual server address, the BIG-IP system uses the assigned iRule to allow or deny the traffic based on some criteria specified in the iRule.
You implement packet filtering by creating packet filter rules. The primary purpose of a packet filter rule is to define the criteria that you want the BIG-IP system to use when filtering packets. Examples of criteria that you can specify in a packet filter rule are:
• The source IP address of a packet
• The destination IP address of a packet
• The destination port of a packet
You specify the criteria for applying packet filter rules within an expression. When creating a packet filter rule, you can instruct the BIG-IP system to build an expression for you, in which case you need only choose the criteria from predefined lists, or you can write your own expression text, using the syntax of the tcpdump utility.
You can also configure global packet filtering that applies to all packet filter rules that you create, such as specifying a specific MAC address or IP address to accept or reject.
Note: Packet filters generate additional log messages.

Enabling packet filtering on the BIG-IP system


Before creating a packet filtering rule, you must enable packet filtering.
1. On the Main tab, click Network > Packet Filters. The Packet Filters screen opens.
2. From the Packet Filtering list, select Enabled.
3. From the Unhandled Packet Action list, select Accept.
4. Click Update.
Packet filtering is enabled.


Creating a packet filter rule to allow traffic


When implementing this firewall configuration, you must create a packet filter rule that specifies an IP address for the type of traffic that the BIG-IP system accepts. In the example below, the packet filter is created to allow traffic from a specific network, on VLAN external.
1. On the Main tab, click Network > Packet Filters. The Packet Filters screen opens.
2. Click Rules.
3. Click Create.
4. In the Name field, type a name for the rule.
5. From the Order list, select First.
6. From the Action list, select Accept.
7. If rate shaping is enabled, then from the Rate Class list, select a rate class.
8. From the VLAN / Tunnel list, select external.
9. From the Logging list, select Enabled.
10. From the Filter Expression Method list, select Enter Expression Text. This displays the Filter Expression box.
11. In the Filter Expression field, type an expression. For example:
    ( src net 10.133.96.0/24 )
12. Click Finished.
The BIG-IP system now has a packet filter rule that accepts inbound traffic from network 10.133.96.0/24 on VLAN external.

Creating a packet filter rule to deny traffic


When implementing packet filtering, you can create a packet filter rule that rejects all traffic on VLAN external, except for any traffic to which another packet filter rule is applied. In the example below, the packet filter is created to deny all traffic except for that on VLAN external, and except that from a particular network specified in a separate packet filter rule.
1. On the Main tab, click Network > Packet Filters. The Packet Filters screen opens.
2. Click Rules.
3. Click Create.
4. In the Name field, type a name for the rule.
5. From the Order list, select Last.
6. From the Action list, select Reject.
7. From the VLAN / Tunnel list, select external.
8. From the Logging list, select Enabled.
9. From the Filter Expression Method list, select Enter Expression Text. This displays the Filter Expression box.
10. Click Finished.
You now have a packet filter rule that denies all traffic except traffic to which another packet filter rule applies.


Application-specific access control using iRules


You can create an iRule to assign to a specific virtual server, to protect the network resources for which the virtual server processes traffic. A common use of an iRule that you assign to a virtual server is to deny traffic destined for one or more specified IP addresses. For example, when the following iRule is assigned to a virtual server, any traffic passing through that virtual server that shows a source IP address of 4.4.4.4 is discarded.
    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::client_addr] equals 4.4.4.4] } {
            discard
        } else {
            log local0. "Allowed Traffic"
        }
    }
You can assign an iRule to a virtual server either when you create the virtual server or by modifying the properties of an existing virtual server. You can find more examples of iRules on the F5 Networks DevCentral web site, located at http://devcentral.f5.com.

Chapter 6: Traffic Listeners
Topics:
• Overview
• Virtual server configuration
• Configuring a SNAT

Overview
Part of configuring the BIG-IP system to be a data center firewall is to create virtual servers and SNATs. For some virtual servers, you can create iRules that filter traffic based on specific user-defined criteria.

Virtual server configuration


To complete the deployment of a BIG-IP data center firewall, you must set up your virtual server configuration. A virtual server is an IP address and port specification on the BIG-IP system. The BIG-IP system listens for traffic destined for that virtual server, and then directs that traffic either to a specific host for load balancing or to an entire network.
A virtual server provides a level of security, similar to an access control list (ACL), because its destination address includes a port specification, causing the virtual server to accept only traffic destined for that port. When you create a virtual server, you can optionally assign an iRule that functions as another layer of security, filtering out specific unwanted traffic or allowing specific traffic destined for that virtual server. The virtual server emulates a traditional ACL, while the iRule customizes the virtual server even further by filtering out or allowing individual source IP addresses and ports that you specify.

Example 1
This example shows an ACL that you can logically implement using a host virtual server with an assigned iRule. In this example, the virtual server has a destination host address of 204.170.25.11:80, with an iRule specifying that only traffic originating from the network 204.170.0.0/24 is allowed:
    allow src 204.170.0.0/24 port 80 dst 204.170.25.11 port 80
    deny all
In this case, only traffic originating from network 204.107.0.0/24 port 80 and destined for host 204.170.25.11:80 is accepted and load balanced, according to the virtual server configuration. The virtual server denies all other traffic.

Example 2
This example shows an ACL that you can logically implement using a network virtual server with an assigned iRule. In this example, the virtual server has a destination network address of 204.170.25.0:80, with an iRule specifying that only traffic originating from the network 204.170.0.0/24 is allowed:
    allow src 204.170.0.0/24 port 80 dst 204.170.25.0 port 80
    deny all
In this case, only traffic originating from network 204.107.0.0/24 port 80 and destined for network 204.170.25.0:80 is accepted and forwarded to that network. The virtual server denies all other traffic.
You can find additional examples of how to create a comprehensive iRule for these scenarios on the F5 Networks DevCentral web site http://www.devcentral.f5.com.
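The ordered, first-match evaluation that both the packet filter rules of the previous chapter (the Order First accept rule for 10.133.96.0/24 on VLAN external, the Order Last reject rule on that VLAN, and the Unhandled Packet Action of Accept) and the ACLs in Example 1 rely on can be modelled in a few lines. The following Python is an added example, not code from this guide or from F5: the Rule class, the packet and evaluate helpers, the rule names and the test addresses are constructed for illustration, and the model does not reproduce tcpdump expression syntax.

```python
import ipaddress


class Rule:
    """One ordered ACL entry. A field left as None matches anything."""

    def __init__(self, action, name, src=None, src_port=None,
                 dst=None, dst_port=None, vlan=None):
        self.action = action        # "accept" or "reject"
        self.name = name            # constructed label, used for auditing hits
        self.src = ipaddress.ip_network(src, strict=False) if src else None
        self.dst = ipaddress.ip_network(dst, strict=False) if dst else None
        self.src_port = src_port
        self.dst_port = dst_port
        self.vlan = vlan

    def matches(self, pkt):
        # An address of the other IP family is never inside the network, so an
        # IPv4-only allow rule does not accidentally admit IPv6 traffic.
        return all((
            self.vlan is None or pkt["vlan"] == self.vlan,
            self.src is None or ipaddress.ip_address(pkt["src"]) in self.src,
            self.dst is None or ipaddress.ip_address(pkt["dst"]) in self.dst,
            self.src_port is None or pkt["src_port"] == self.src_port,
            self.dst_port is None or pkt["dst_port"] == self.dst_port,
        ))


def evaluate(rules, pkt, unhandled_action="accept"):
    """First matching rule wins; a packet matching no rule gets the
    Unhandled Packet Action (Accept in the enabling procedure)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return unhandled_action, "unhandled"


def packet(src, dst, vlan, src_port=0, dst_port=0):
    """Build the minimal packet view the rules look at."""
    return {"src": src, "dst": dst, "vlan": vlan,
            "src_port": src_port, "dst_port": dst_port}


# The two packet filter rules from the procedures in the previous chapter,
# in the order the Order First / Order Last settings give them.
PACKET_FILTER_RULES = [
    Rule("accept", "allow_branch_net", src="10.133.96.0/24", vlan="external"),
    Rule("reject", "deny_rest_external", vlan="external"),
]

# Example 1 as ordered entries: allow src 204.170.0.0/24 port 80 to
# 204.170.25.11 port 80, then deny all.
HOST_VS_ACL = [
    Rule("accept", "allow_app", src="204.170.0.0/24", src_port=80,
         dst="204.170.25.11/32", dst_port=80),
    Rule("reject", "deny_all"),
]


if __name__ == "__main__":
    print(evaluate(PACKET_FILTER_RULES, packet("10.133.96.7", "203.0.113.10", "external")))
    print(evaluate(HOST_VS_ACL, packet("204.170.0.9", "204.170.25.11", "external", 80, 80)))
```

Two points the model makes visible: traffic on a VLAN the rules never name falls through to the Unhandled Packet Action, so that setting is part of the policy, not a detail; and swapping the order of the two packet filter rules silently turns the allow rule into dead code, which is why the procedures set Order to First and Last explicitly.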

Creating a Services profile within LTM


One of the Layer 7 tasks that you perform to configure BIG-IP Local Traffic Manager as a data center firewall is to create one or more custom application-layer profiles. You create a unique profile for each type of application traffic, and then assign the profile to a virtual server that specifies that particular service. For example, if the BIG-IP data center firewall must handle HTTP traffic, you can create a custom HTTP profile and then assign that profile to a virtual server that listens for traffic on port 80 on the BIG-IP system.
This particular procedure creates an HTTP profile. You can use a variation of this task to create other profiles as well, such as an FTP or SMTP profile.
Important: You can create as many profiles as you need.
1. On the Main tab, click Local Traffic > Profiles > Services > HTTP. The HTTP profile list screen opens.
2. Click Create. The New HTTP Profile screen opens.
3. In the Name field, type a name for the profile. Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character.
4. From the Parent Profile list, retain http.
5. Select the Custom check box. The fields in the Settings area become available for revision.
6. Adjust all settings as required. You can use the default values or change them to suit your needs.
7. Click Finished.
A custom BIG-IP LTM profile now appears in the relevant profile list in the BIG-IP Configuration utility.
After creating this profile, you must assign the profile to a virtual server.

Creating a load balancing pool


You can create a load balancing pool (a logical set of devices, such as web servers, that you group together to receive and process traffic) to efficiently distribute the load on your server resources.
Note: You must create the pool before you create the corresponding virtual server.
1. On the Main tab, click Local Traffic > Pools. The Pool List screen opens.
2. Click Create. The New Pool screen opens.
3. In the Name field, type a unique name for the pool.
4. For the Health Monitors setting, in the Available list, select a monitor type, and click << to move the monitor to the Active list.
   Tip: Hold the Shift or Ctrl key to select more than one monitor at a time.
5. From the Load Balancing Method list, select how the system distributes traffic to members of this pool. The default is Round Robin.
6. For the Priority Group Activation setting, select the way to handle priority groups:
   • Retain the default option, Disabled, to disable priority groups.
   • Select Less than, and type the minimum number of members in the Available Members field that must remain available in each priority group in order for traffic to remain confined to that group.
7. Using the New Members setting, add each resource that you want to include in the pool:
   a) Either type an IP address in the Address field, or select a node address from the Node List.
   b) Type a port number in the Service Port field, or select a service name from the list.
   c) To specify a priority group, type a priority number in the Priority field.
   d) Click Add.
8. Click Finished.
The load balancing pool appears in the Pools list.

Creating an iRule
Use this procedure to create an iRule.
1. On the Main tab, click Local Traffic > iRules.
2. Click Create. The New iRule screen opens.
3. In the Name field, type a 1- to 31-character name, such as virtual_acl_irule.
4. In the Definition field, type the syntax for the iRule, using Tool Command Language (Tcl) syntax. For complete and detailed information on iRules syntax, see the F5 Networks DevCentral web site http://devcentral.f5.com.
5. Click Finished.

Host virtual servers


A host virtual server listens for traffic destined for a specific site, such as an Internet web site or an FTP site, and then directs that traffic to content servers that are members of a pool. A host virtual server provides a level of security, similar to an access control list (ACL), because its destination address includes a port specification, causing the virtual server to accept only traffic destined for that port.

Creating a host virtual server
Use this task to create a standard, host type of virtual server for application traffic. A host type of virtual server listens for traffic destined for the specified destination IP address and service. You must create a separate virtual server for each destination IP address/service combination. For example, if you want the BIG-IP firewall device to handle HTTP, SMTP, and FTP traffic, and you want to use the virtual address 204.170.25.11, you create three separate virtual servers: 204.170.25.11:80, 204.170.25.11:25, and 204.170.25.11:21 on the BIG-IP data center firewall.
1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen displays a list of existing virtual servers.
2. Click the Create button. The New Virtual Server screen opens.
3. In the Name field, type a unique name for the virtual server.
4. For the Destination setting, in the Address field, type the host IP address that you want to use for the virtual server. This is the IP address on the BIG-IP system to which inbound application traffic is destined.
5. In the Service Port field, type a port number or select a service name from the Service Port list.
6. Assign any LTM traffic profiles as needed.
7. From the Configuration list, select Advanced.
8. From the Request Logging Profile list, select the custom request logging profile that you created earlier.
9. Locate the Resources area of the screen.
10. For the iRules setting, from the Available list, select the name of the iRule that you want to assign, and using the Move button, move the name into the Enabled list. This step is optional.
11. From the Default Pool list, select the name of the pool that you created previously.
12. Click Finished.
The BIG-IP system now listens for traffic destined for the specified destination IP address and service, and applies all assigned profiles and any load balancing pool. Also, all log messages pertaining to the application traffic are logged to the pool of remote logging servers specified in the assigned Request Logging profile.

Example 1: Host virtual server configurations
This example shows the BIG-IP data center firewall also functioning as an application delivery controller (ADC). In the illustration shown, the BIG-IP system contains two host virtual servers (FTP VIP and App VIP) to perform application delivery controller (ADC) functions, while still providing security. Specifically, the two virtual servers perform these functions:
• Load balancing traffic to FTP resources
• Load balancing traffic to internal ADCs that handle specific applications. (The illustration shows one internal ADC named App ADC.)

The benefit of the first function is that you do not need to position the BIG-IP data center firewall between two ADCs before sending traffic to the internal resources. This simplifies the management of the environment. The second function illustrates the same benefit but also shows that the BIG-IP system can load balance the request to an internal ADC that is handling the more specialized tasks required for an application, such as web acceleration, compression, caching, or web optimization.

Figure 2: Host virtual server configurations


Network virtual servers


A network virtual server listens for traffic destined for a specific network and simply forwards that traffic to that network. A network virtual server provides a level of security because its destination network address includes a port specification, causing the virtual server to accept only traffic destined for that port on the specified network.

Creating a network virtual server
Use this task to create a standard, network type of virtual server for application traffic. A network type of virtual server listens for traffic destined for a specific network. The BIG-IP system then forwards the traffic to that network, to the host specified in the system's routing configuration.
1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen displays a list of existing virtual servers.
2. Click the Create button. The New Virtual Server screen opens.
3. In the Name field, type a unique name for the virtual server.
4. For the Destination setting, in the Address field, type the network IP address that you want to use for the virtual server. This is the network for which inbound application traffic is destined.
5. In the Service Port field, type a port number or select a service name from the Service Port list.
6. From the Configuration list, select Advanced.
7. From the Request Logging Profile list, select the custom request logging profile that you created earlier.
8. Locate the Resources area of the screen.
9. For the iRules setting, from the Available list, select the name of the iRule that you want to assign, and using the Move button, move the name into the Enabled list. This step is optional.
10. Click Finished.
Now the BIG-IP system listens for traffic destined for the specified destination IP address and service, and applies all assigned profiles and iRules.

Example 2: Network virtual server configurations
This example shows the BIG-IP data center firewall configured with a network virtual server. This configuration is generally used when you do not want the BIG-IP data center firewall to perform address translation on incoming requests; instead, the packets are simply forwarded to publicly-accessible resources while still providing security. As shown, an ADC provides traditional application delivery functionality along with possibly more specialized functionality behind the BIG-IP data center firewall. The illustration also shows a DNS server located behind the BIG-IP data center firewall, but with a publicly-accessible address. This could be a direct DNS server, or even a GTM system providing global DNS services to an infrastructure.


Figure 3: Network virtual server configurations

Adding a static route
On the BIG-IP data center firewall, use this task to create a static route to a BIG-IP device on another network.
1. On the Main tab, click Network > Routes.
2. Click Add. The New Route screen opens.
3. In the Name field, type a unique name for the route.
4. In the Destination field, type the destination IP address in the route. This address can represent either a host or a network. Also, if you are using route domains and the relevant route domain is the partition default route domain, you do not need to append a route domain ID to this address.
5. In the Netmask field, type the network mask for the destination IP address.
6. From the Resource list, select Use Gateway. The gateway represents a next-hop or last-hop address in the route.
7. For the Gateway Address setting, select IP Address and type an IP address.
8. At the bottom of the screen, click Finished.
Now, packets targeted for the destination address specified in the route can reach that destination.

Configuring a SNAT
To protect IP addresses on the private network from being exposed to nodes on a public network, you can define a SNAT. A SNAT changes the source IP address on a packet to a SNAT external address located on the BIG-IP system.
1. On the Main tab, click Local Traffic > SNATs. The SNAT List screen displays a list of existing SNATs.
2. Click Create.
3. Name the new SNAT.
4. In the Translation field, type the IP address that you want to use as a translation IP address.
5. From the Origin list, select Address List.
6. For each client to which you want to assign a translation address, do the following:
   a) Select Host.
   b) Type a client IP address in the Address field.
   c) Click Add.
7. From the VLAN Traffic list, select Enabled on.
8. For the VLAN List setting, in the Available field, select an external VLAN, and using the Move button, move the VLAN name to the Selected field.
9. Click Finished.

Chapter 7: Advanced Security
Topics:
• Overview
• Distributed Denial of Service protection
• SYN flood protection
• ICMP packet handling
• IPsec protocol configuration

Overview
You can protect network resources from snooping clients or various Denial of Service (DoS) attacks.

Distributed Denial of Service protection


You can perform certain configuration tasks to prevent Distributed Denial of Service (DDoS) attacks on the BIG-IP system.

Configuring adaptive reaping


This procedure configures adaptive reaping. The adaptive connection reaper closes idle connections when memory usage on the BIG-IP system increases. This feature allows the BIG-IP system to aggressively reap connections when the system memory utilization reaches the low-water mark, and to stop establishing new connections when the system memory utilization reaches the high-water mark percentage.
If the BIG-IP platform includes an LCD panel, an adaptive reaping event causes the BIG-IP system to display the following message on the LCD panel:
Blocking DoS attack
Caution: The adaptive reaper settings do not apply to SSL connections. However, you can set TCP and UDP connection timeouts that reap idle SSL connections.
1. On the Main tab, click System > Configuration. The General screen opens.
2. From the Local Traffic menu, choose General.
3. In the Properties area of the screen, set the Reaper High-water Mark property to 95.
4. Set the Reaper Low-water Mark property to 85.
5. Click Update.
When aggressive mode is activated on the BIG-IP system, the event is marked in the /var/log/ltm file with messages similar to these examples:
tmm tmm[PID]: 011e0002:4: sweeper_update: aggressive mode activated. (117504/138240 pages)
tmm tmm[PID]: 011e0002:4: sweeper_update: aggressive mode deactivated. (117503/138240 pages)
Important: Setting both of the adaptive reaper values to 100 disables this feature.

SYN flood protection


A SYN flood is a type of Denial of Service attack in which an attacker sends a succession of SYN requests to a system with the intent of consuming available resources, thereby rendering the system unresponsive. To prevent flooding on the BIG-IP system and to preserve memory, you can adjust the SYN Check threshold.

Adjusting the SYN Check threshold


You can configure the SYN Check feature to prevent the BIG-IP SYN queue from becoming full during a SYN flood attack. The SYN Check Activation Threshold setting indicates the number of new or untrusted TCP connections that can be established before the BIG-IP activates the SYN Cookies authentication method for subsequent TCP connections.
1. On the Main tab, click System > Configuration.
2. From the Local Traffic menu, choose General.
3. In the SYN Check Activation Threshold field, type the number of connections that you want to define for the threshold.
4. Click Update.
If SYN flooding occurs, the BIG-IP system now protects the BIG-IP SYN queue from becoming full.

ICMP packet handling


One way to reduce the effect of Denial of Service attacks is to configure the way that the BIG-IP system handles ICMP packets.

Limiting ICMP responses


The TM.MaxICMPRate bigdb key can reduce the effects of a denial of service attack by allowing you to limit the number of responses that the BIG-IP system sends for ICMP errors and ICMP unreachable events. The TM.MaxICMPRate bigdb key specifies a general rate limit applied to ICMP errors coming from servers back through the BIG-IP system to the clients. Each ICMP event must be associated with an established connection flow. For example, if a virtual server connection generates ICMP unreachable responses from the pool member, the BIG-IP system passes the ICMP responses back to the clients until the rate of ICMP messages reaches the value specified by the TM.MaxICMPRate bigdb key. Once the rate reaches this value, the BIG-IP system drops the excess ICMP responses rather than forwarding them.

At the tmsh prompt, type the following command, replacing <value> with the rate you want:

    tmsh modify sys db tm.maxicmprate value <value>

To confirm the setting, type: tmsh list sys db tm.maxicmprate

The default value for the TM.MaxICMPRate bigdb key is 100 (messages per second). The minimum value allowed is 1 and the maximum value allowed is 1000.

Limiting ICMP unreachable packets


The TM.MaxRejectRate bigdb key can reduce the effects of a Denial of Service attack by allowing you to limit the number of ICMP unreachable packets that the BIG-IP system sends in response to incoming client-side or server-side packets that cannot be matched with existing connections to traffic management listener IP addresses, such as virtual servers or SNATs.

At the tmsh prompt, type the following command, replacing <value> with the rate you want:

    tmsh modify sys db tm.maxrejectrate value <value>

To confirm the setting, type: tmsh list sys db tm.maxrejectrate

The default value for the TM.MaxRejectRate bigdb key is 250 packets per second. The minimum value allowed is 1 and the maximum value allowed is 1000. When the TM.MaxRejectRate threshold has been exceeded, the BIG-IP system limits ICMP unreachable responses to unmatched packets to the configured rate, dropping the excess, and logs a message to the /var/log/ltm file that appears similar to the following example (the observed rate followed by the cap in force):

    tmm tmm[1609]: 011e0001:4: Limiting icmp unreach response from 299 to 250 packets/sec
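The two log messages quoted in this chapter, the sweeper_update lines under adaptive reaping and the Limiting icmp unreach response line above, are what an operator actually sees when these mitigations fire. The following Python is an added example, not part of this guide or of F5's software: it parses log lines in those formats, works out the memory utilization behind a sweeper event and classifies it against the configured reaper water marks, and extracts the observed versus permitted ICMP rate. The sample lines, hostname, process IDs and timestamps are constructed; the syslog prefix layout is an assumption, and reaper_mode() encodes only the threshold behaviour the text above describes.

```python
"""Parse BIG-IP /var/log/ltm lines for two DoS-mitigation events described in
this chapter: adaptive reaper (sweeper_update) mode changes and TM.MaxRejectRate
ICMP unreachable rate limiting.

Added example, not F5 code. The lines in SAMPLE_LOG are constructed to follow
the message formats quoted in the guide; the syslog prefix (timestamp, host,
level) is an assumption about the surrounding layout.
"""
import re
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Union

SWEEPER_RE = re.compile(
    r"sweeper_update: aggressive mode (?P<state>activated|deactivated)\. "
    r"\((?P<used>\d+)/(?P<total>\d+) pages\)"
)
ICMP_LIMIT_RE = re.compile(
    r"Limiting icmp unreach response from (?P<observed>\d+) to (?P<limit>\d+) packets/sec"
)


@dataclass
class ReaperEvent:
    state: str          # "activated" or "deactivated"
    used_pages: int
    total_pages: int

    @property
    def utilization_pct(self) -> float:
        """Memory utilization implied by the (used/total pages) figure."""
        return round(100.0 * self.used_pages / self.total_pages, 1)


@dataclass
class IcmpLimitEvent:
    observed_pps: int   # rate the system saw
    limit_pps: int      # TM.MaxRejectRate in force


Event = Union[ReaperEvent, IcmpLimitEvent]


def parse_ltm_line(line: str) -> Optional[Event]:
    """Return a structured event for a recognised line, else None."""
    m = SWEEPER_RE.search(line)
    if m:
        return ReaperEvent(m["state"], int(m["used"]), int(m["total"]))
    m = ICMP_LIMIT_RE.search(line)
    if m:
        return IcmpLimitEvent(int(m["observed"]), int(m["limit"]))
    return None


def reaper_mode(utilization_pct: float, low_water: int, high_water: int) -> str:
    """Classify utilization against the reaper water marks as the guide describes
    them: both marks at 100 disables the feature; at or above the low-water mark
    idle connections are reaped aggressively; at or above the high-water mark the
    system also stops establishing new connections."""
    if low_water == 100 and high_water == 100:
        return "disabled"
    if utilization_pct >= high_water:
        return "blocking-new-connections"
    if utilization_pct >= low_water:
        return "aggressive"
    return "normal"


def summarize(lines: List[str], low_water: int = 85, high_water: int = 95) -> Dict[str, Any]:
    """Count the events in a log extract and report the peak utilization seen."""
    summary: Dict[str, Any] = {"reaper_activations": 0, "icmp_limit_events": 0,
                               "unparsed": 0, "peak_utilization_pct": 0.0,
                               "peak_mode": "normal"}
    for line in lines:
        ev = parse_ltm_line(line)
        if isinstance(ev, ReaperEvent):
            if ev.state == "activated":
                summary["reaper_activations"] += 1
            if ev.utilization_pct > summary["peak_utilization_pct"]:
                summary["peak_utilization_pct"] = ev.utilization_pct
                summary["peak_mode"] = reaper_mode(ev.utilization_pct, low_water, high_water)
        elif isinstance(ev, IcmpLimitEvent):
            summary["icmp_limit_events"] += 1
        else:
            summary["unparsed"] += 1
    return summary


# Constructed sample extract (not captured from a real system).
SAMPLE_LOG = [
    "Jan 10 12:00:01 bigip1 notice tmm[1609]: 011e0002:4: sweeper_update: aggressive mode activated. (117504/138240 pages)",
    "Jan 10 12:00:09 bigip1 notice tmm[1609]: 011e0002:4: sweeper_update: aggressive mode deactivated. (117503/138240 pages)",
    "Jan 10 12:01:30 bigip1 warning tmm[1609]: 011e0001:4: Limiting icmp unreach response from 299 to 250 packets/sec",
    "Jan 10 12:01:31 bigip1 info mcpd[5321]: 01070417:6: AUDIT - unrelated line kept to show non-matching input",
]

if __name__ == "__main__":
    for sample in SAMPLE_LOG:
        print(parse_ltm_line(sample))
    print(summarize(SAMPLE_LOG))
```

Note that 117504/138240 pages is exactly 85.0%, which is the low-water mark this chapter has you set; the parser makes that relationship visible instead of leaving it as two raw page counts in the log.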

IPsec protocol configuration


You can configure the IPsec and IKE protocols when you want to use a protocol other than SSL to secure traffic that traverses a wide area network (WAN), from one BIG-IP system to another. More specifically, you configure the IKE protocol to establish a secure channel during Phase 1 negotiation. You also configure the IPsec protocol for Tunnel mode and dynamic security negotiation, using a custom IPsec policy.

Note: Depending on your network topology, use of this feature is optional.

Creating an IKE peer


Use this procedure to create an IKE peer object on the BIG-IP system. The IKE peer object identifies, to the system you are configuring, the other BIG-IP system with which it communicates during Phase 1 negotiations. The IKE peer object also specifies the algorithms and credentials to be used for Phase 1 negotiation. Creating an IKE peer is a required step in the process of establishing a secure channel between the two systems.

Important: Perform this task on each BIG-IP system.

1. On the Main tab, click Network > IPsec > IKE Peers.
2. Click the Create button. The New IKE Peer screen opens.
3. In the Name field, type a unique name for the IKE peer.
4. In the Description field, type a brief description of the IKE peer.
5. In the Remote Address field, type the IP address of the BIG-IP system that is remote to the system you are configuring. This address must match the value of the Tunnel Remote Address setting in the relevant IPsec policy.
6. For the State setting, retain the default value, Enabled.
7. For the IKE Phase 1 Algorithms area, retain the default values.
8. For the IKE Phase 1 Credentials area, select one of the following:

   Option                                   Description
   The default values                       The default authentication method is RSA signature.
                                            Important: If you have your own certificate file, key file, and certificate authority (CA), it is recommended for security purposes that you specify these files, using the Certificate, Key, and Trusted Certificate Authorities settings.
   The authentication method Preshared Key  This allows you to type a preshared key for use as the authentication method.

9. For the Common Settings area, retain all default values.
10. Click Finished. The page refreshes and displays the new IKE peer in the list.

You now have IKE peers defined for establishing a secure channel.

Creating a bidirectional IPsec policy


Use this procedure to create a custom IPsec policy. You create a custom IPsec policy when you want to use a policy other than the default IPsec policy (default-ipsec-policy or default-ipsec-policy-isession). A typical reason for creating a custom IPsec policy is to configure IPsec to operate in Tunnel rather than Transport mode.

Important: Perform this task on each BIG-IP system.

1. On the Main tab, click Network > IPsec > IPsec Policies.
2. Click the Create button. The New Policy screen opens.
3. In the Name field, type a unique name for the policy.
4. In the Description field, type a brief description of the policy.
5. From the Mode list, select Tunnel. The screen refreshes to show the Tunnel Local Address and Tunnel Remote Address settings.
6. In the Tunnel Local Address field, type the local IP address of the system you are configuring. Sample tunnel local addresses for BIG-IP A and BIG-IP B are as follows:

   System Name   Tunnel Local Address
   BIG-IP A      2.2.2.2
   BIG-IP B      3.3.3.3

7. In the Tunnel Remote Address field, type the IP address that is remote to the system you are configuring. Sample tunnel remote addresses for BIG-IP A and BIG-IP B are as follows:

   System Name   Tunnel Remote Address
   BIG-IP A      3.3.3.3
   BIG-IP B      2.2.2.2

8. For the Authentication Algorithm setting, retain the default value, AES-GCM128.
9. For the Encryption Algorithm setting, retain the default value, AES-GCM128.
10. For the Perfect Forward Secrecy setting, retain the default value, MODP1024.
11. For the Lifetime setting, retain the default value, 1440. This is the length of time, in minutes, before the current security association expires.
12. Click Finished. The screen refreshes and displays the new IPsec policy in the list.

You now have an IPsec policy for each IPsec traffic selector.

Creating a bidirectional IPsec traffic selector


Use this procedure to create an IPsec traffic selector that references a custom IPsec policy. The traffic selector you create filters traffic based on the IP addresses and port numbers that you specify, as well as the custom IPsec policy you assign.

1. On the Main tab, click Network > IPsec > Traffic Selectors.
2. Click Create. The New Traffic Selector screen opens.
3. In the Name field, type a unique name for the traffic selector.
4. In the Description field, type a brief description of the traffic selector.
5. For the Order setting, retain the default value (First).
6. From the Configuration list, select Advanced.
7. For the Source IP Address setting, click Host or Network, and in the Address field, type an IP address. This IP address should be the host or network address from which the application traffic originates. Sample source IP addresses for BIG-IP A and BIG-IP B are as follows:

   System Name   Source IP Address
   BIG-IP A      1.1.1.0/24
   BIG-IP B      4.4.4.0/24

8. From the Source Port list, select a source port, or retain the default value * All Ports.
9. For the Destination IP Address setting, click Host or Network, and in the Address field, type an IP address. This IP address should be the final host or network address to which the application traffic is destined. Sample destination IP addresses for BIG-IP A and BIG-IP B are as follows:

   System Name   Destination IP Address
   BIG-IP A      4.4.4.0/24
   BIG-IP B      1.1.1.0/24

10. From the Destination Port list, select a destination port, or retain the default value * All Ports.
11. From the Protocol list, select a protocol name. You can select * All Protocols, TCP, UDP, ICMP, or Other. If you select Other, you must type a protocol name.
12. From the Direction list, select Both.
13. From the Action list, select Protect. The IPsec Policy Name setting appears.
14. From the IPsec Policy Name list, select the name of the IPsec policy that you previously created.
15. Click Finished. The screen refreshes and displays the new IPsec traffic selector in the list.

You now have an IPsec traffic selector on each BIG-IP system.

Chapter 8: Dynamic Attack Mitigation

Topics:
- Overview
- Server resource cloaking
- Protection from Apache Killer attacks

Overview
The BIG-IP data center firewall can provide dynamic attack mitigation through the use of iRules. You can find detailed examples on the F5 Networks DevCentral web site, located at http://devcentral.f5.com.

Server resource cloaking


Server resource cloaking is one way to hide server-specific information from snooping clients. For example, you can write an iRule such as the following to clean web server signatures. This prevents unwanted information from being transmitted to hackers attempting to fingerprint the application and servers that run on a web site.

    when HTTP_RESPONSE {
        #
        # Remove all but the given headers (an allow list, not a block list:
        # Server, X-Powered-By and anything else not named here is dropped).
        #
        HTTP::header sanitize "ETag" "Content-Type" "Connection"
    }

Protection from Apache Killer attacks


You can create iRules to prevent various DDoS attacks from succeeding on the network. The following shows an example of an iRule that guards against an Apache Killer attack (CVE-2011-3192, in which a Range header carrying a large number of byte ranges exhausts memory on a vulnerable Apache httpd server). The regular expression matches when the Range value contains at least 40 commas, that is, 41 or more ranges; the request is then logged and the Range header is removed so the server returns a normal full response.

    when HTTP_REQUEST {
        if { [HTTP::header exists "Range"] and ([HTTP::header "Range"] matches_regex {(,.*?){40,}}) } {
            log local0. "## Range attack CVE-2011-3192 detected from [IP::client_addr] on Host [HTTP::host]. [llength [split [HTTP::header "Range"] ","]] ranges requested."
            HTTP::header remove Range
            return
        }
    }
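The following Python renders the two iRule checks in this chapter (the Range-header test above and the header allow list under server resource cloaking) so their logic can be exercised against constructed requests offline. It is an added example, not F5 or DevCentral code, and it is not how a BIG-IP runs iRules. Two things in it are assumptions: the set of headers that HTTP::header sanitize keeps regardless of the allow list is not stated in the guide, so ALWAYS_KEPT_RESPONSE_HEADERS is a guess for the example; and the sample requests and server response are constructed. The check deliberately counts commas instead of using the iRule's (,.*?){40,} pattern: the two are equivalent, but in Python's backtracking re engine that pattern can backtrack heavily on a near-miss value with, say, 30 commas, while count() is linear.

```python
"""The two iRule checks in this chapter rendered in Python so they can be run
against constructed requests offline. Added example, not F5 or DevCentral code.

  range_header_is_attack()    - the CVE-2011-3192 ("Apache Killer") test
  count_ranges()              - the figure the iRule logs (llength of the split)
  sanitize_response_headers() - the allow-list behaviour of HTTP::header sanitize
"""
from typing import Dict, Iterable, List, Tuple

# The iRule's {(,.*?){40,}} matches 40 or more commas, i.e. 41 or more byte
# ranges; a header with exactly 40 ranges is not matched. Counting commas is
# the same test without the backtracking cost of that pattern in Python's re.
APACHE_KILLER_MIN_COMMAS = 40

# HTTP::header sanitize keeps the headers you name plus a few a response cannot
# do without. Which ones is not stated in the guide; this set is an assumption.
ALWAYS_KEPT_RESPONSE_HEADERS = {"content-length", "transfer-encoding"}


def count_ranges(range_value: str) -> int:
    """Number of comma-separated ranges, e.g. 'bytes=0-,5-1,10-' -> 3."""
    return len(range_value.split(","))


def range_header_is_attack(request_headers: Dict[str, str]) -> bool:
    value = request_headers.get("Range")
    return value is not None and value.count(",") >= APACHE_KILLER_MIN_COMMAS


def handle_request(request_headers: Dict[str, str],
                   client_addr: str = "192.0.2.10") -> Tuple[Dict[str, str], List[str]]:
    """Mirror the HTTP_REQUEST iRule: on a match, log the event and strip Range
    so the back-end server returns a normal full response instead.
    Returns (headers forwarded to the server, log lines emitted)."""
    headers = dict(request_headers)
    log: List[str] = []
    if range_header_is_attack(headers):
        log.append(f"## Range attack CVE-2011-3192 detected from {client_addr} on Host "
                   f"{headers.get('Host', '')}. {count_ranges(headers['Range'])} ranges requested.")
        del headers["Range"]
    return headers, log


def sanitize_response_headers(response_headers: Dict[str, str],
                              keep: Iterable[str]) -> Dict[str, str]:
    """Mirror HTTP::header sanitize: drop every header not named in keep
    (case-insensitive), apart from the always-kept set above."""
    allow = {h.lower() for h in keep} | ALWAYS_KEPT_RESPONSE_HEADERS
    return {k: v for k, v in response_headers.items() if k.lower() in allow}


def build_range_header(n_ranges: int) -> str:
    """Constructed attack-style value: 'bytes=0-,1-,2-,...' with n_ranges ranges."""
    return "bytes=" + ",".join(f"{i}-" for i in range(n_ranges))


if __name__ == "__main__":
    # Constructed requests: a normal resumable download and an attack.
    normal = {"Host": "www.example.com", "Range": "bytes=1000-"}
    attack = {"Host": "www.example.com", "Range": build_range_header(1300)}
    print(handle_request(normal))
    print(handle_request(attack)[1])
    # Constructed response from a fingerprintable server, then cloaked.
    response = {"Server": "Apache/2.2.19 (Unix)", "X-Powered-By": "PHP/5.3.6",
                "ETag": '"3f80f-1b6-3e1cb03b"', "Content-Type": "text/html",
                "Content-Length": "438", "Connection": "close"}
    print(sanitize_response_headers(response, ["ETag", "Content-Type", "Connection"]))
```

The single-range request passes through untouched, which is the property to verify before deploying any Range filter: legitimate resumable downloads and media players use one or a handful of ranges, so a threshold in the tens does not affect them.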

Chapter 9: Additional Attack Prevention using BIG-IP PSM and BIG-IP ASM

Topics:
- Overview
- What is BIG-IP Protocol Security Module?
- Advanced Layer 7 protection using BIG-IP Application Security Manager

Overview
You can configure additional features to prevent attacks, using the BIG-IP Protocol Security Module (PSM) and BIG-IP Application Security Manager (ASM) modules.

What is BIG-IP Protocol Security Module?


One of the modules that you can configure to enhance the BIG-IP system's firewall capability is the BIG-IP Protocol Security Module (PSM). PSM offers these benefits:

- Provides advanced protocol security and ensures compliance for common internet protocols.
- Protects your web servers, FTP and SMTP servers, masks sensitive data, and blocks spam.
- Performs security checks and validation for the HTTP, HTTPS, FTP, and SMTP protocols.
- Automatically creates HTTP, FTP, and SMTP profiles within PSM when you enable the Protocol Security setting on LTM HTTP, FTP, and SMTP profiles. This ensures that when you create LTM profiles for those traffic types, you take advantage of PSM security benefits.

Applying protocol security to an LTM profile


Before performing this procedure, verify that you have installed and provisioned BIG-IP Protocol Security Module (PSM) on the BIG-IP system.

Use this procedure to apply protocol security to an existing BIG-IP Local Traffic Manager (LTM) profile.

Note: This procedure shows how to enable protocol security on an HTTP profile. You can do this for FTP and SMTP profiles as well.

1. On the Main tab, click Local Traffic > Profiles > Services > HTTP. The HTTP profile list screen opens.
2. In the Name column, click the name of the profile you want to modify. The properties screen for the selected profile opens.
3. Select the Custom check box for the Settings area. The settings become available for editing.
4. Scroll down to the Protocol Security setting, and select the check box.
5. Click Update. A corresponding profile appears in PSM.

After creating these profiles, you must assign them to a virtual server.

Advanced Layer 7 protection using BIG-IP Application Security Manager


If you have BIG-IP Application Security Manager (ASM) licensed and provisioned on the system, you can configure ASM to protect against typical Denial of Service (DoS) attacks and Brute Force attacks. For more information, see the white paper titled Intelligent Layer 7 DoS and Brute Force Protection for Web Applications on the F5 Networks web site http://www.f5.com.


Index

A
access control
    configuring 19
    for BIG-IP users 19
    on per-virtual server basis 32
    with packet filters and virtual servers 12
access control types 30
access policies 30
ACLs
    examples 34
adaptive connection reaping
    configuring 42
admin account 16
administrative access
    controlling 18, 19
administrative partitions
    access to 19
Apache Killer attacks 48
application fingerprinting 48
attack mitigation
    and iRules 48

B
BIG-IP ASM 50, 51
BIG-IP Configuration utility
    controlling access to 18
BIG-IP PSM 50
Brute Force attacks 51

C
certificates, See x509 certificates.
clients
    hiding information from 48
cloaking 48
concurrent connections
    for BIG-IP Configuration utility 18
connection reaping
    configuring 42
connection thresholds 43

D
data center protection 12
DDoS attacks
    preventing 42
Denial of Service attacks
    preventing 51
    reducing effects of 42, 43, 48
destination IP addresses
    for traffic selectors 46
DNS servers 16

E
expressions
    for packet filtering 30

F
filter ordering 12
fingerprinting 48
firewall features 12
firewalls
    and logging 22
firewall services 12

H
health monitors
    assigning to pools 35
high-speed logging
    and firewalls 22
    and server pools 22
high-water mark thresholds 42
host names 16
host virtual servers 34, 36
HTTP profiles
    creating 34
HTTP requests and responses
    logging 23

I
ICMP error responses
    limiting 43
ICMP packet handling 43
ICMP unreachable packets
    limiting 43
idle timeout
    for BIG-IP Configuration utility 18
IKE Phase 1
    configuring 44
internet protocols
    compliance for 50
IPsec IKE peers
    creating 44
IPsec policies
    creating 45
IPsec protocol suite
    described 44
IPsec traffic selectors
    creating 46
iRules
    creating 36
    for access control 32, 34
    for Apache Killer attacks 48
    for dynamic attack mitigation 48
    for signature cleaning 48
    for virtual servers 12

L
listeners
    for packet handling 12
log content
    determining 22
log data
    analyzing 23
logging
    and pools 22
login failures 18
log servers 22
low-water mark thresholds 42
LTM profiles
    creating 50

M
management IP addresses 16
memory utilization
    and connection thresholds 42
monitors
    assigning to pools 35

N
network infrastructure
    protecting 12
network virtual servers 34, 38
NTP servers 16

O
order of packet evaluation 12

P
packet evaluation 12
packet filtering
    enabling 30
packet filter rules
    about 30
    creating 31
packet filters
    about 30
packet rejection 30
parameters
    for request logging 24
partitions
    access to 19
password policies 18
passwords
    for root and admin 16
performance monitors
    assigning to pools 35
Phase 1 negotiation
    and IKE protocol 44
pools
    creating 35
    for high-speed logging 22
port lockdown 19
profiles
    and PSM 50
    creating for HTTP 34
protocol security 50

R
redundancy settings 16
remote logging 22
remote servers
    for high-speed logging 22
request logging
    code elements 24
request logging profile
    and standard log formats 26
    for NCSA Common 27
Request Logging profiles 23
resource cloaking 48
root account 16

S
secure channels
    establishing 44
security banner 18
security checks
    performing with PSM 50
security settings
    for BIG-IP users 18
self IP addresses
    and VLANs 19
    as prerequisite 16
    creating 19
sensitive data
    masking with PSM 50
server fingerprinting 48
server resource cloaking 48
servers
    for high-speed logging 22
SIEM vendors 12
SNAT precedence 12
SNATs
    configuring client 39
source ports
    and traffic selectors 46
spam
    blocking with PSM 50
SSL protocol
    alternative to 44
static routes
    adding 39
SYN Check threshold
    activating 43
Syslog servers
    remote logging to 22
system prerequisites 16

T
traffic listeners
    for packet handling 12
traffic selectors
    creating 46

U
user access
    controlling 19
user lockout 18
user roles
    for system access 19

V
virtual servers
    and access control 12
    assigning iRules to 32
    creating 36, 38
    examples 37, 38
    examples of 34
VLANs
    and self IP addresses 19
    as prerequisite 16

W
WAN traversal
    using IPsec 44
web sites
    and fingerprinting 48

X
x509 certificates
    and IKE peers 44
