iRules LX – AFM/APM Dynamic Firewall Rules

One of the iRules LX projects I’ve been working on is the ability to dynamically open firewall rules based upon a user’s APM Access Session.  In this example the user is external trying to access internal server resources but is blocked by AFM’s default firewall policies.  The user then logs into an APM policy and upon successful login AFM allows that external user access to internal resources.  See the video below for a demo:

iRules do not have direct access to control plane settings.  So prior to TMOS 12.1 this wasn’t easily doable without some serious iRule foo around sideband connections. However, with the introduction of iRules LX we can leverage Node.js to help us interact with the control plane via API calls.

So how does it work?

You still leverate iRules in iRules LX but a new set of commands allow you to pass data from TMM (data plane) to Node.js (control plane) and process that data via javascript – more information in the Getting Started With iRules LX series on DevCentral.

So what does this look like?

Your iRules do not change much except for the addition of the ILX commands:

  • ILX::init – invokes the specified node methods
  • ILX::call – establishes a communication path from an iRules to the node process
  • ILX::notify  – sends a message to the specified node method but does not wait for a response

As an example I’ve included the  iRule used in the AFM/APM dynamic firewall rule project below:

Notice the ILX::init on line 7 – this is configured with the iRules LX plugin name and the iRules LX extension inside our workspace.

irules_lx_workspace

What about Node.js

Next, you provide the Node.js methods your iRule calls in the index.js file

Not too hard and it offers a world of possibilities with the inclusion of NPM modules.

Where’s the rest of the code?

For a complete view of the iRules LX code please visit the Github repository.

iRules LX – 5 Tips to Get You Started

iRules LX is now GA with the release of TMOS 12.1.  I’ve been using iRules LX over the past two weeks working on some cool projects I hope to share in the near future.  In the meantime I wanted to provide some tips I’ve picked up while learning Node.JS and iRules LX.

1 – NPM makes life easier

Wow… I was speechless when I first heard that iRules LX would have native access to NPM.  I’ve seen some pretty cool internal projects that leverage publically available NPM tool sets and now you have the power of NPM inside TMOS.  So what does this mean… well for all you APM fans out that you can now read/write to SQL!  NPM allows you to quickly create applications and features without having to write everything from scratch.  This opens up a new world of possibilities for F5’s advance modules like APM and AFM.  More to come on this in the near future.

2 – Learn Node.js or make friends with a developer

There are probably more Node.js developers in your city than there are TCL developers in your state.. and probably your surrounding states.  So I was happy to hear F5 was opening up our development capabilities to a wider audience.  If you’re new to Node.JS I highly recommend Code School or if your organization has a membership to Safari Books  they have some great resources as well.

I’m also a big fan of test driven development. Mocha and Chai are great tools and supper easy to learn.  The benefit of TDD is you always know your code works.  If any update breaks something, the TDD process will find it.I also like developing the Node.js code on my laptop so TDD helps me verify that my java libraries work before I upload them to the BIG-IP for integration with iRules.

3 – DevCentral

Eric Flores over on DevCentral publish a great 5 part Getting Started with iRules LX series.  Between this and the Node.js video tutorial in the Safari Books online library I was ready to go.  DevCentral is also a great place to ask question and get assistance.  With over 250,000+ members it’s definitely a site you should familiarize yourself with.

4 – {}; or {}

Okay, so I’ve written some Node.js code and I’m finishing my iRules code to glue the processes together and when I hit the “Reload from Workspace” button I get a slew of iRule error…. guess what I did wrong 🙂  Can’t write JavaScript in iRules

Syntax issues bit me several times as I moved between iRules and JavaScript so be sure you keep an eye on this.  Some of the most common issues:

Accessing a variable in iRules requires a $, in JavaScript it does not
JavaScript uses a semicolon (;) at the end of a statement, iRules does not

5 – Callback hell

One of the hardest things for me to wrap my head around while learning Node.js is the concept of synchronous vs asynchronous processes.  I’ve always been use to writing code in a synchronous way so it stumped me why my functions would not return a value or my debug statements were always empty.

An easy way to think about it:

if you’re reading/writing to a filesystem or a web server then use an asynchronous process
if you’re reading/writing to a local function, say generating a secret key for Google Authenticator, then use a synchronous process
Also, in your Mocha test framework you’ll need to use the break() function for any process that are synchronous.

I hope these tips help you has your dive into iRules LX.  I’ve definitely enjoyed working with iRules LX over the past two weeks and I’ll share my projects with you once they’re publically available.

The Burden of Federated Authentication

Authentication vs Authorization
Authentication vs Authorization

If you’ve ever had the pleasure to hear me rant on web access management then you know I like to stress the difference between authentication and authorization.  Authentication is the process of verifying a user’s identity while authorization is the process of determining the level of access the user possesses for any given application and/or resource; one does not imply the other. So why bring up a topic that has been discussed to death in many forums around the Internet? Federated authentication…

In my years as a developer and sys admin it was common place to either write or include a publicly available authentication framework and based upon group membership allow or disallow access to certain application functionality. These frameworks made it easy to quickly deploy applications without the need to “recreate the wheel” over and over again. However, what we gained in deployment speed we lost in code maintenance and software patching over time.  This ultimately lead to security issues, such as phishing attacks, because the end-user had:

  1. too many usernames/passwords
  2. too many application login points

Ultimately the user could no longer, well didn’t care to, keep track of these and resorted to less secure mechanisms for storing passwords as well as entering their extensive list of passwords on any site that resembled one of our applications.

So in early 2005 we started to use Shibboleth and Jasig Central Authentication Services (CAS) for federated authentication and single sing-on. Shibboleth and CAS addressed my issues by:

  1. reducing the number of username/password combinations as well as login entry points to 1
  2. allowed non-employees access to our websites without the need to maintain their identity in our authentication database – commonly know as federated authentication

While the paradigm of federated authentication caught on in higher education over a decade ago enterprise environments were slow to adopt until now. With the explosion of Software-as-a-Service offerings, such as Salesforce and Office 365, enterprises are quickly deploying federated authentication services with little to no understanding of what the snake oil, or IAM, vendor has sold them.

Too often, I sit in meetings regarding issues a customer is having with their IAM solution because of two issues:

  1. Customer did not understand the difference between authentication and authorization
  2. IAM vendor promised that multi-factor authentication capabilities would integration easily with <insert other vendor>.

So lets take a look at these issues.

Federated authentication protocols, like SAML, have made it easier for users to consume and/or modify data inside web applications without the need to maintain a local persona of that user. Now from an application perspective this feature might have marginal gain but from a security perspective it allows you to eliminate a substantial amount of risk. The concern I stress to my customers is that while federated authentication reduces the risk of managing and maintaining that user’s persona it does not alleviate the risk of unauthorized access. This is because authentication in a federated world does not imply authorization.

So what are the challenges of this in a federated application? Lets assume we have a user Alice accessing App1. First, App1 has the responsibility of consuming Alice’s authentication assertion, sent by the SAML IdP, as well as authorizing that Alice has access to the application. From a security point of view this can be very dangerous.

  • What if Alice’s credentials were stollen and the malicious actor now has access to sensitive information.
  • What if App1 has not been patched in several years, which never happens in the real world, and is vulnerable to authentication and/or authorization attacks.

Ideally we want to remove the initial authorization functionality from the web application like we have done for authentication. This can be achieved by leveraging a web access management solution that also operates as an authentication proxy. So what is web access management (WAM)? It’s a proxy that controls access to web applications based upon contextual authentication and provides a least privilege model for authorization.

So back to our concern:

  • What if Alice’s credentials are compromised?
    • The WAM can look at the full content of Alice’s connection and request to App1.  If the WAM notices something out of the ordinary, say Alice normally access App1 from within the USA but this request is coming from China, then the WAM could request that the IdP perform multi-factor authentication.
  • What if App1 may have known vulnerabilities and exploits?
    • The WAM only allows authenticated and authorized users access to App1 so we can reduce our threat vectors; typical in this use case we would combine a web authentication management and web application firewall together to fully alleviate this risk.

Okay, so if your still reading then what is my point – that with the growing adoption of federated authentication in enterprises we are relying too heavily upon identity providers to secure access to our applications. Only a handful of Identity vendors on the market provide both authentication and web access management capabilities. The vendors that do not posses WAM functionality leave the authorization to the application, which in our current security landscape can be a risky bet.

Now, unless you’ve been under a rock for the past 5 years you know I’m a big advocate of F5’s Access Policy Manager. APM is the tool I use over and over again to help my customers resolve their federated authentication burdens. Oh, and did I mention APM works with every major MFA vendor on the market! So you can easily add 2nd factor authentication to services such as Office 365 – even free solutions like Google Authenticator.

Clustered Multi-processing (CMP) versus Traditional Shared Memory Architecture

Over on DevCentral Robert Haynes has posted a great article outlining the advantages of F5’s clustered multiprocessing (CMP) architecture versus traditional shared memory architecture.

F5 clustered multiprocessing architecture
F5 clustered multiprocessing architecture

So why does this matter?  Because attacks today are designed to stress the performance of security devices and bring them to their knees.  If your architecture is designed correctly then it can utilize all of the available CPU and memory for your critical applications and not waste it on antiquated OS design issues.