
Securing Web Applications with F5® BIG-IP® Application Security Manager and VMware® vCloud® Air™

Deployment Guide


Securing Web Applications

Migrating application workloads to the public cloud is an essential consideration for many enterprises. The barriers to greater adoption of public clouds have frequently stemmed from lack of enterprise-ready software and network security components, or an immature cloud platform. Threats to applications such as cross-site scripting, brute force attacks, and DDoS attacks can expose an enterprise to outages, data theft, and even lost customers. Ensuring that applications are available and secure in public cloud infrastructures will speed adoption. The benefits of cloud deployments are obvious; however, enterprise-ready application delivery components are essential to ensure successful deployments. This guide provides an overview of the setup and deployment of BIG-IP Local Traffic Manager (LTM) and BIG-IP Application Security Manager (ASM) running in front of a vulnerable web application. In this guide, we deploy an application in order to demonstrate the most common Layer 7 exploits and then illustrate how BIG-IP ASM protects against these vulnerabilities. Providing robust web application security is a necessary complement to deploying robust production-ready application workloads in vCloud Air, whether for test and development or for new application deployments.


Application Setup

Application                                  Version   Description
-------------------------------------------  --------  ------------------------------------------------------------------------
DVWA                                         1.8       Application designed specifically to show the most common web application exploits
BIG-IP Local Traffic Manager (LTM)           11.5.1    Core BIG-IP LTM functionality
BIG-IP Application Security Manager (ASM)    11.5.1    Web application firewall
Microsoft Windows                            2012      Web server
XAMPP                                        1.0.8     Apache web server and MySQL database
vCloud Air                                   N/A       IaaS platform

Deploy F5 BIG-IP LTM and BIG-IP ASM in vCloud Air

Follow these steps to download and set up BIG-IP Virtual Edition and deploy it in vCloud Air.

1. Open a web browser, navigate to https://downloads.f5.com, and then click on BIG-IP v11.x/Virtual Edition.

2. From the dropdown menu, choose version 11.5.1, and then click on Virtual-Edition. Follow the download instructions.

3. Once the BIG-IP Virtual Edition is downloaded, upload it into the vCloud Air My Catalog.

4. In vCloud Air, click on Add Virtual Machine, select your resources, and choose the My Catalog tab.

Figure 1: Deploy BIG-IP 11.5.1.XX


5. Provide a name for your BIG-IP and ensure a public IP address is assigned to your primary management interface.

6. Set up NAT and firewall rules in vCloud Air to provide access to the management IP address.

7. After the BIG-IP is deployed, navigate to https://bigippublicipaddress and use the default username Admin and the default password Admin to log in.

8. License your BIG-IP using the automatic method.

9. In the Module provisioning section, select BIG-IP LTM and BIG-IP ASM and set license provisioning to Nominal.

Figure 2: Provision ASM and LTM Modules on BIG-IP

For additional details on deploying BIG-IP VE, please go to https://support.f5.com.

Provision Internal and External VLANs on the BIG-IP

After you complete the initial BIG-IP system setup, you'll need to provision the networking and VLANs. In this example, we will create an Internal and an External VLAN and select interfaces 1.1 and 1.2 for the VLANs respectively. The BIG-IP system's full proxy architecture mandates that the network virtual servers reside on the External VLAN; communication to the application server will reside on the Internal VLAN.

Figure 3: Create VLANs on the BIG-IP System


Assign Self-IP Addresses

Once you have created the VLANs, you will need to create at least one self-IP address for each VLAN. A self-IP address is an IP address on the BIG-IP system that you associate with a VLAN so it can access hosts in that VLAN. By virtue of its netmask, a self-IP address represents an address space, that is, a range of IP addresses spanning the hosts in the VLAN, rather than a single host address. (You can associate self-IP addresses not only with VLANs, but also with VLAN groups.)

Self-IP addresses serve two purposes. First, when sending a message to a destination server, the BIG-IP system uses the self-IP addresses to determine the specific VLAN in which the destination server resides. For example, if VLAN Internal has a self-IP address of 10.10.10.100, with a netmask of 255.255.255.0, and the destination server's IP address is 10.10.10.20 (with a netmask of 255.255.255.255), the BIG-IP system recognizes that the server's IP address falls within the range of VLAN Internal's self-IP address and therefore sends the message to that VLAN. More specifically, the BIG-IP system sends the message to the interface that you assigned to that VLAN. If more than one interface is assigned to the VLAN, the BIG-IP system takes additional steps to determine the correct interface, such as checking the Layer 2 forwarding table. Second, a self-IP address can serve as the default route for each destination server in the corresponding VLAN. In this case, the self-IP address of a VLAN appears as the destination IP address in the packet header when the server sends a response to the BIG-IP system.

Figure 4: Create Self IP Addresses
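The VLAN-selection rule described above, as an added example that is not part of this guide or of F5's software: a small Python model of how a self-IP's netmask defines the address space used to pick the VLAN for a destination, using the guide's Internal self-IP 10.10.10.100 / 255.255.255.0 and destination 10.10.10.20 (the External self-IP 192.0.2.10 is an assumed value).

```python
"""Added example, not from the guide or F5: model of how a self-IP's netmask
defines the address space that decides which VLAN a destination belongs to."""
import ipaddress

# Constructed self-IP table. VLAN Internal uses the guide's 10.10.10.100 /
# 255.255.255.0; the External entry is an assumed value for the example.
SELF_IPS = {
    "Internal": ("10.10.10.100", "255.255.255.0"),
    "External": ("192.0.2.10", "255.255.255.0"),
}


def self_ip_network(address: str, netmask: str) -> ipaddress.IPv4Network:
    """The range a self-IP represents by virtue of its netmask (not a single host)."""
    return ipaddress.ip_network(f"{address}/{netmask}", strict=False)


def select_vlan(destination: str, self_ips=SELF_IPS):
    """Return the VLAN whose self-IP address space contains destination.
    With overlapping ranges the most specific (longest prefix) wins; None
    means no VLAN holds a self-IP covering the destination."""
    dst = ipaddress.ip_address(destination)
    best = None
    for vlan, (addr, mask) in self_ips.items():
        net = self_ip_network(addr, mask)
        if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (vlan, net)
    return best[0] if best else None


if __name__ == "__main__":
    # The guide's example: 10.10.10.20 falls inside VLAN Internal's range.
    print(select_vlan("10.10.10.20"))
```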

Deploy Microsoft Windows Server in vCloud Air

Log on to the vCloud console by navigating to https://vchs.vmware.com. From the Virtual Machines tab, click on Add Virtual Machine. You will be prompted to select your data center and resources, and then choose a Windows server. For our example, we chose a Windows 2012 R2 64-bit server (see Fig. 5). We deployed a single interface on this Windows device, in this case on the non-routable internal network, and we chose 10.4.4.x for our network. This correlates to the Internal network which we configured on the BIG-IP system. After you have configured this device and assigned the network interface, the Windows server will boot and assign a default password. You will be prompted to change your password immediately at login; once logged in, you will provide a unique password for the Admin account. Once the Windows server is deployed, navigate to the network settings and change the default gateway to the self-IP for the Internal VLAN on the BIG-IP system.


Figure 5: Deploy Windows 2012 R2 Standard

Install XAMPP Web Server and MySQL DB

XAMPP is an Apache Web Server, PHP, and MySQL DB package that can be downloaded free of charge. In this exercise, we downloaded XAMPP from https://www.apachefriends.org/index.html. We selected the Windows version 1.8.3 (PHP 5.5.15) and installed this product on our Windows 2012 server. Once you have downloaded XAMPP, run the installer and accept the default settings, launch the XAMPP application, and start the MySQL and Apache Web Server (see Fig. 6). After the XAMPP engine is started, open a browser and navigate to http://127.0.0.1, the loopback address of the local machine, in order to validate proper installation.

Figure 6: XAMPP Server Control


Install the DVWA Application

The DVWA application is designed for security professionals as an aid for testing. It is specifically constructed to be highly vulnerable to many layer 4-7 attack vectors such as cross-site scripting, SQL injection, and brute force attacks. As such, it is an ideal web application to demonstrate the ability of BIG-IP ASM to protect even the most attack-prone web applications against attack.

To deploy DVWA, you must first download the DVWA web application from http://www.dvwa.co.uk/. Once the application is downloaded, extract the files. Remove all existing files contained in the c:\xampp\htdocs directory, and then copy the DVWA directory into c:\xampp\htdocs.

Figure 7: Copy DVWA to root of c:\xampp\htdocs

Once you have copied the DVWA directory to the c:\xampp\htdocs directory on the Windows server, navigate to http://127.0.0.1, which is the default loopback address. Log in with the username: admin and the password: password. In the left-hand sidebar, click Setup, then Create/Reset Database. This will deploy the initial configuration of the DVWA application.

Figure 8: DVWA initial configuration and database setup


Configure BIG-IP ASM Security Policy on the BIG-IP System

Once you have configured the BIG-IP LTM with its associated VIPs and NAT rules, you will now configure a BIG-IP ASM security policy and associate it with the BIG-IP LTM Virtual Server. Use the automatic policy builder to create a security policy for dvwa_virtual.

1. In the Navigation pane of the BIG-IP Configuration utility, open the Security > Application Security > Security Policies > Active Policies page, and then click Create.

2. Leave Existing Virtual Server selected, and then click Next.

Figure 9: Application Security Policy

On the Configure Local Traffic Settings page:

1. In the protocol list, select HTTPS.

2. For the HTTPS Virtual Server, leave bigip_webserver_vs selected, and then click Next.

3. Leave Create a policy automatically (recommended) selected, and then click Next.

4. From the Security Policy Language list, select Auto Detect, and then click Next.

On the Configure Attack Signatures page:

1. From the Available Systems list, move the following to the Assigned Systems list:

   Operating Systems > Windows
   Web Servers > Apache and Apache Tomcat
   Languages, Frameworks and Applications > PHP
   Database Servers > MySQL

2. Leave Signature Staging enabled, and then click Next.

On the Configure Automatic Policy Building page:

1. From the Policy Type list, select Comprehensive.

2. Slide the Policy Builder learning speed control to Fast.

3. From the Trusted IP Addresses list box, leave Address List selected.

4. In the IP Address box, type xxx.xxx.xxx.xxx or your trusted IP addresses.

5. In the Netmask box, type 255.255.255.0, and then click Add.

6. Click Next, and then click Finish.


Once you have created your security policy, you will need to associate it with your virtual server.

1. From the Configuration utility's welcome page, navigate to Local Traffic > Virtual Servers.

2. Double click on the virtual server bigip_webserver_vs, then click on the Resources tab at the top of the window (see Fig. 10).

Figure 10: Resources for Virtual Server bigip_webserver_vs

3. Under Policies, click Manage.

4. In the dialog box that opens, associate the security policy with your virtual server.

Figure 11: Add Security Policy to bigip_webserver_vs

Create Trusted Learning Suggestions for Automatic Policy Building

In this section, you will verify the functionality of BIG-IP ASM in combination with BIG-IP LTM. As a web application firewall (WAF), BIG-IP ASM pre-stages potential illegal web exploits and enables the WAF administrator to fine tune the blocking of these prospective exploits. This prevents potential false positives and ensures that the application can continue to perform as expected. In the first section, we will navigate to the DVWA server and perform activities such as cross-site scripting and engage in insecure activities such as entering social security numbers. We will then return to the BIG-IP system and fine tune these policies to block these prohibited behaviors.

1. Open a Web browser to access the DVWA virtual server and attempt various well-known attacks against the website to determine its current security state.

2. Open a new tab and go to https://IPaddressofdemo. Log into DVWA, entering the username: admin and the password: password.

3. On the navigation menu, click Command Execution.

At this point, you can enter a hostname or IP address, which will be sent to the Web server. The Web server will then ping the hostname or IP address and display the results.


Password Retrieval

Try to retrieve the password list by typing cat /etc/passwd, and then click Submit.

Nothing is returned, demonstrating that you are not able to use the cat command to retrieve the password list. Now, specify an IP address by typing xxx.xxx.xxx.xxx; cat /etc/passwd, and then click Submit.

By preceding the cat command with an IP address, you are able to expose the contents of the passwd file on this Web server. This is not the intended use of this field, and it is a target for hackers to exploit.

SQL Injection

The SQL Injection feature in DVWA is designed to display various types of database information. In the following examples, we'll demonstrate how easy it is to extract information (such as ID, first name, and surname of a user) from the database using SQL commands. To reproduce the results of each example, begin by following these steps:

1. From the DVWA Navigation menu, click SQL Injection.

2. Type 1, and then click Submit.

In the User ID field, type %' or 1='1, and then click Submit.

This displays all of the users in the database.

In the User ID field, type %' or 1=1 union select null, database () #, and then click Submit.

This displays the database name (dvwa).

In the User ID field, type %' or 1=1 union select null, table_name from information_schema.tables #, and then click Submit.

Every record after “Bob Smith” displays the name of a table from this database server.

In the User ID field, type %' or 1=1 union select null, concat ( 0x0a, user_id, 0x0a, first_name, 0x0a, last_name, 0x0a, user, 0x0a, password) from users #, and then click Submit.

Every record after “Bob Smith” displays the user ID, first name, last name, user name, and password (in a hash format) of a different user in the users table.

As you can see from each example above, the database, without protection, is highly vulnerable.

Fine Tune the Security Policy

In this section, we will return to the BIG-IP system to fine tune the security policy to block prospective exploits. The potentially illegal behavior was set to Staging first, and we will now block the insecure application exploits.

1. In the Configuration utility, open the Security > Application Security > Policy Building > Status (Automatic) page. The policy builder now begins to analyze the traffic.

Figure 12: Policy builder traffic analysis

2. In the Details section, click File Types, and then Staging.


Figure 13: Choose the Staging option

3. At the bottom of the page that's displayed, for the css, js, no_ext, php, and png entries, click the corresponding Enforce button. This removes these five file types from staging.

4. In the Details section, select Parameters, and then Staging. Multiple parameters are currently in staging.

5. Open the Settings page.

6. In the Automatic Policy Building Settings section, clear the Real Traffic Policy Builder checkbox, and then click Save.

Block Insecure Application Exploits

1. Open the Security > Application Security > File Types > Allowed File Types page.

2. Select the * checkbox, then click Delete, and then click OK.

Figure 14: Delete the * file type

3. Open the Security > Application Security > Parameters > Parameters List page.

4. Select the * checkbox, then click Delete, and then click OK.

5. Select the id, ip, and mtxMessage checkboxes, and then click Enforce. This removes these parameters from staging.

6. View the Security > Application Security > URLs > Allowed URLs page.

7. Delete the HTTP and HTTPS wildcard (*) entries.

Change Attack Signatures

1. Open the Security > Application Security > Attack Signatures > Attack Signatures Configuration page.


2. From the Available Signature Sets list, select Command Execution Signatures, Cross Site Scripting Signatures, and SQL Injection Signatures, and then click <<.

3. Clear the Signature Staging checkbox, and then click Save.

Figure 15: Configure attack signatures
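To make the staging-versus-enforcement behaviour of the policy concrete, here is an added example that is not F5's code and not part of this guide: a toy Python model of a security policy with the three signature sets the guide assigns, a per-set Staging flag, and an explicit allowed-file-type list with the * wildcard deleted. The signature patterns, the 203.0.113.10 virtual server address and the sample requests are constructed for the example.

```python
"""Added example (not F5's code): a toy model of the security-policy concepts
the guide configures in the ASM GUI. A signature set in Staging records a
match but lets the request through (a learning suggestion); an enforced set
blocks on a match. The allowed-file-type list is explicit because the '*'
wildcard was deleted. Patterns here are constructed and far simpler than
real ASM attack signatures."""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlsplit

# Constructed, deliberately small patterns named after the signature sets the
# guide assigns (Command Execution, Cross Site Scripting, SQL Injection).
SIGNATURES = {
    "Command Execution Signatures": re.compile(r"[;&|`]\s*(cat|ls|id|whoami)\b", re.I),
    "SQL Injection Signatures": re.compile(r"'\s*or\s+\S+\s*=\s*\S+|\bunion\s+select\b", re.I),
    "Cross Site Scripting Signatures": re.compile(r"<\s*script\b|\bon\w+\s*=", re.I),
}


@dataclass
class Policy:
    allowed_file_types: set                                # explicit list, no '*'
    staged_signatures: set = field(default_factory=set)    # sets still in Staging


def request_file_type(path: str) -> str:
    """Map a URL path to an ASM-style file type: the extension, or 'no_ext'."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else "no_ext"


def evaluate(policy: Policy, method: str, url: str, body: str = "") -> dict:
    """Return {'verdict': 'allow'|'block', 'violations': [...]} for one request.
    A staged signature match is recorded but does not block; an enforced
    match blocks, as does a file type missing from the allowed list."""
    parts = urlsplit(url)
    violations, blocking = [], []
    ftype = request_file_type(parts.path)
    if ftype not in policy.allowed_file_types:
        violations.append(f"Illegal file type: {ftype}")
        blocking.append(violations[-1])
    # Query-string parameters, plus form-encoded body parameters for POST.
    params = parse_qsl(parts.query, keep_blank_values=True)
    if method.upper() == "POST":
        params += parse_qsl(body, keep_blank_values=True)
    for name, value in params:
        for set_name, pattern in SIGNATURES.items():
            if pattern.search(value):
                v = f"Attack signature detected ({set_name}) in parameter '{name}'"
                violations.append(v)
                if set_name not in policy.staged_signatures:
                    blocking.append(v)
    return {"verdict": "block" if blocking else "allow", "violations": violations}


if __name__ == "__main__":
    # Constructed request: the guide's first SQL Injection payload, URL-encoded
    # as a browser would send it, against an assumed virtual server address.
    sqli = "http://203.0.113.10/dvwa/vulnerabilities/sqli/?id=%25%27+or+1%3D%271&Submit=Submit"
    staged = Policy({"php", "css", "js", "png", "no_ext"}, set(SIGNATURES))
    enforced = Policy({"php", "css", "js", "png", "no_ext"})
    print("staging:", evaluate(staged, "GET", sqli)["verdict"])
    print("enforced:", evaluate(enforced, "GET", sqli)["verdict"])
```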

Enable Data Guard

1. Open the Security > Application Security > Data Guard page.

2. Select the Data Guard, Credit Card Numbers, U.S. Social Security Numbers, and Mask Data checkboxes, and then click Save. This will mask credit card and social security numbers.

Figure 16: Set data guard for credit card and social security numbers

Adjust Blocking Settings and Apply the Policy

1. Open the Security > Application Security > Blocking > Settings page.

2. In the Negative Security Violations section, clear the Block checkbox for Data Guard, and then click Save. This ensures that credit card numbers and social security numbers will be masked, but the pages that display these masked values will not be blocked by BIG-IP ASM.

3. Click Apply Policy, and then click OK.

Figure 17: Blocking settings for Data Guard

Now that you have fine-tuned your security policy, open a browser and navigate back to the DVWA site. From the Navigation menu, choose XSS Stored, and then enter a number sequence that appears like a social security number. Click Sign Guestbook, and you will see that the number you entered has been masked. This prevents data leakage and ensures that personal information is not compromised.
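The masking behaviour verified above, as an added example that is not F5's code and not part of this guide: a Python response filter modelled on the Data Guard settings just configured (Credit Card Numbers and U.S. Social Security Numbers, Mask Data on, Block off), so matching values are replaced with * while the page is still delivered. The guestbook text it runs over is constructed.

```python
"""Added example (not F5's code): a response filter modelled on the guide's
Data Guard settings. Card numbers that pass the Luhn check and SSNs in an
issuable range are masked; everything else in the page is left as is."""
import re

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# Card candidates: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject never-issued SSN ranges so ordinary numbers are not masked."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; a digit run that fails it is not treated as a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def data_guard(body: str) -> tuple:
    """Return (masked_body, number_of_masked_values). The body is always
    returned, matching Block cleared for Data Guard with Mask Data enabled."""
    hits = []

    def ssn_repl(m):
        if not is_valid_ssn(*m.groups()):
            return m.group(0)
        hits.append("ssn")
        return "***-**-****"

    def card_repl(m):
        raw = m.group(0)
        if not luhn_ok(re.sub(r"\D", "", raw)):
            return raw
        hits.append("card")
        return re.sub(r"\d", "*", raw)   # keep separators, hide every digit

    body = SSN_RE.sub(ssn_repl, body)
    body = CARD_RE.sub(card_repl, body)
    return body, len(hits)


# Constructed guestbook entry, as a visitor to the DVWA XSS Stored page might post.
SAMPLE_PAGE = ("Name: Bob Smith  Message: my SSN is 123-45-6789 and my card is "
               "4111 1111 1111 1111; ticket 000-00-0000, order 1234567890123")

if __name__ == "__main__":
    masked, count = data_guard(SAMPLE_PAGE)
    print(count, "values masked")
    print(masked)
```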


Conclusion

As VMware continues to include a broader portfolio of solutions in its vCloud Air public cloud offering, enterprises are going to transition from test and development to enterprise-ready application deployments. Performance, availability, and security of these applications are crucial to ensuring new application deployments, as well as migration and expansion of existing application workloads. With the addition of the BIG-IP LTM and BIG-IP ASM modules in vCloud Air, enterprise customers now have the ability to deploy new application workloads, maintain a robust disaster recovery and business continuity strategy, and secure their web applications in vCloud Air.

Learn More

F5 on the vCloud Air Solution Exchange
F5 and VMware Technology Alliance


VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com Copyright © 2015 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.
