
F5 PARTNER BOOT CAMP

USING F5 SECURITY SOLUTIONS

Participant and Hands-on Exercise Guide

Document version 12.1.F; updated 11/13/2017


©2017 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in
certain other countries. Other F5 trademarks are identified at f5.com.

Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or
affiliation, express or implied, claimed by F5.

These training materials and documentation are F5 Confidential Information and are subject to the F5 Networks Reseller Agreement. You
may not share these training materials and documentation with any third party without the express written permission of F5.
Table of Contents

Application Security Manager Advanced ..................................................................................................... 5


Lesson 1.1: Automatic Policy Building, Learning vs Staging, and Trusted vs Untrusted Requests ......... 5
Exercise 1.1 – Use the Automatic Policy Builder ...................................................................................... 7
Lesson 1.2: Brute Force and Web Scraping Protection .......................................................................... 16
Exercise 1.2 – Use Brute Force and Web Scraping Protection ............................................................... 17
Lesson 1.3: Layer 7 DoS Protection ........................................................................................................ 21
Exercise 1.3 – Using Layer 7 DDoS Protection........................................................................................ 22

F5 BIG-IQ for Network and Web Application Firewall Management ......................................................... 29


Lesson 2.1: BIG-IQ Overview .................................................................................................................. 29
Exercise 2.1 – Using BIG-IQ to Manage BIG-IP Systems ......................................................................... 31
Lesson 2.2: BIG-IQ for AFM and ASM ..................................................................................................... 34
Exercise 2.2 – Using BIG-IQ to Manage Network and Web Application Firewalls ................................ 35

F5 WebSafe ................................................................................................................................................. 43
Lesson 3.1: Fraud Overview ................................................................................................................... 43
Exercise 3.1 – Examine the Dangers of Malware ................................................................................... 44
Lesson 3.2: Malware Detection .............................................................................................................. 47
Exercise 3.2 – Use Malware Detection ................................................................................................... 48
Lesson 3.3: Phishing Detection............................................................................................................... 53
Exercise 3.3 – Use Phishing Detection ................................................................................................... 54
Lesson 3.4: Application Layer Encryption............................................................................................... 57
Exercise 3.4 – Use Application Layer Encryption ................................................................................... 58

DDoS Hybrid Defender (DHD)..................................................................................................................... 61


Lesson 4.1: DHD Overview and Volumetric Attack Mitigation .............................................................. 61
Exercise 4.1 – Examine Volumetric Attack Mitigation ........................................................................... 62
Lesson 4.2: Behavioral DoS Detection and DHD Reporting................................................................... 69
Exercise 4.2 – Using Layer 7 Behavioral DoS Protection ........................................................................ 71

SSL Orchestrator (SSL-O) ............................................................................................................................ 73


Lesson 5: SSL Orchestrator Instructor Presentation .............................................................................. 73
Exercise 5 – Configure a Transparent Outbound Proxy ......................................................................... 74
Application Security Manager Advanced


Lesson 1.1: Automatic Policy Building, Learning vs Staging, and Trusted vs Untrusted Requests

Participant Guide – Partner Boot Camp; Advanced Application Security, v12.1.F Page | 5
Exercise 1.1 – Use the Automatic Policy Builder


• Estimated completion time: 50 minutes

Task 1 – Access the Ravello Lab Environment


Use a web browser to access your lab environment in Ravello, and then use RDP to access the Windows desktop
in your environment.

• Use a browser to access http://IP_address with the IP address supplied by your instructor, and log in
  using the username and password supplied by your instructor.
• For the Advanced ASM blueprint click View.
• Copy the IP address of the Windows 7 External VM, and then use RDP to access the IP address.
• Log into the Windows workstation as external_user / P@ssw0rd!
• If necessary, update the Windows time:
  o Select the clock and click Change date and time settings…
  o Select the Internet Time tab, and then click Change settings…
  o Select time.windows.com, and then click Update now.

Task 2 – Create a Security Policy using Untrusted Requests


Create an application security policy using untrusted requests from the Internet, then visit the DVWA web
application and view the details in the BIG-IP ASM Traffic Learning page.

• Open Chrome and click the BIGIP_A bookmark, and then log into the BIG-IP system.
• Open the Virtual Server List page and click dvwa_virtual, and then open the Resources page.
  This virtual server sends requests to dvwa_pool. It’s also using the random_ip_irule. This iRule uses
  the X-Forwarded-For header to assign each incoming request to a random IP address.
• Open the Security > Application Security > Security Policies > Active Policies page and click Create.
• Leave Existing Virtual Server selected and click Next.
• Leave HTTP and dvwa_virtual selected and click Next.
• Leave Create a policy automatically (recommended) selected and click Next.
• On the Configure Security Policy Properties page:
  o For Security Policy Name enter lorax_security_policy.
  o From the Security Policy Language list, select Unicode (utf-8), and then click Next.
• Leave the default attack signature settings and click Next.
• On the Configure Automatic Policy Building page leave the default settings and click Next, and then
  click Finish.
• Once the security policy has finished loading, from the Security Policy Properties list select Advanced.

• Select the Trust XFF Header checkbox, and then click Save.
  This option uses the iRule that changes incoming IP addresses using the X-Forwarded-For header.
• Click Apply Policy and then OK.
• Open a new tab and click the DVWA bookmark, and then log in as admin / password.
• Near the bottom of the page click to view the user policy, and then click the link to return to
  the main DVWA page.
• On the navigation menu, click Instructions, then Setup, then SQL Injection, and then close the tab.
• In the Configuration Utility, open the Application Security > Policy Building > Traffic Learning page.
  There are several traffic learning suggestions.
• Note the learning score for the different Illegal file type suggestions.
  With a learning score of 5%, ASM needs more traffic for these suggestions.
• Near the bottom of the page click to view the user policy, and then click the link to return to
  the main DVWA page.
• On the navigation menu, click Brute Force, then Command Execution, then XSS stored, and then close
  the tab.
• In the Configuration Utility, refresh the Traffic Learning page.
  The learning scores for the Illegal file type entries haven’t increased. With untrusted requests it takes
  many requests over time to modify the learning score for suggestions.

→NOTE: It’s possible that the learning score may have increased to 10% if you waited too long
between the first and second requests to the DVWA page.

• Click the Illegal file type suggestion for php, and then in the middle pane click
  the [HTTP] /login.php request.
• Select the IP / session drop-down arrow.
  Presently there is only one sample request from a random IP address.
• Use Chrome to open an incognito window and click the DVWA bookmark, and then log in
  as admin / password.


Task 3 – Use Trusted Requests for Building the Security Policy


Change lorax_security_policy to learn from trusted requests.

• Open the Virtual Server List page and click dvwa_virtual, and then open the Resources page.
• For iRules click Manage, then move random_ip_irule back to the Available list, and then click Finished.
  This will ensure that all new (trusted) requests come from 10.1.10.199 only.
• Open the Application Security > Policy Building > Learning and Blocking Settings page.
  Note that the current Learning Speed is Medium, which was configured in the wizard.
• From the list on the right side of the page select Advanced.
• Expand File Types.
  This security policy is configured to learn all new file types. These settings are configured because you
  selected the Fundamental policy type.
• Expand URLs.
  URL learning is not included in the Fundamental policy type.
• Expand Parameters.
  Parameter entities are set to Selective learning.
• From the Policy Type list select Comprehensive, and then click OK.
• From the Learning Speed list select Fast.
• Examine the URLs and Parameters sections.
  With Comprehensive policy building, learning is enabled for URLs and parameters.
• Expand Trusted IP Addresses.
• Enter an IP Address of 10.1.10.0 and a Netmask of 255.255.255.0, and then click Add.
  This ensures that the policy will be built using trusted traffic.
• Click Save, then click Apply Policy and then OK.
• Open an incognito (Chrome) window and click the DVWA bookmark, and then log in
  as admin / password.

• Near the bottom of the page click to view the user policy, and then click the link to return to
  the main DVWA page.
• On the navigation menu, click Instructions, Setup, Brute Force, Command Execution, SQL Injection,
  Upload, XSS reflected, XSS stored, DVWA Security, About, Logout, and then close the page.
• In the Configuration Utility, open the Traffic Learning page.
  Notice there are no suggestions for illegal file type, illegal parameter, or illegal URL. That’s because
  we used a trusted IP address. Therefore, each file type, parameter, and URL you visited was
  automatically added to the security policy.
• Notice the status at the top of the screen.
  From just a few requests, several entities have been added to the security policy because we were
  making the requests from a trusted IP address.
• Open the Security > Application Security > Allowed File Types page.
  Several file types have been added to the security policy, and most if not all are still in staging.
• Open the Application Security > URLs > Allowed URLs page.
  Over 30 URLs have been added to the security policy. All of them are still in staging and most are
  waiting for additional traffic. Some have learning suggestions available.
• Open the Application Security > Parameters > Parameters List page.
  Several parameters have been added to the security policy. All of them are still in staging and most
  are waiting for additional traffic. Some have learning suggestions available. Most have the parameter
  value type of Ignore value.
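Added example (not F5 code): a small Python model of the two policy-building paths this exercise walks through, resolving the client address from X-Forwarded-For when the header is trusted, checking it against the trusted network (10.1.10.0/24), and either adding an entity to the policy in staging or only accumulating a learning suggestion. The 5%-per-source scoring rule and the 203.0.113.x client addresses are assumptions, not ASM's real scoring.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


def client_address(src_ip: str, xff: Optional[str], trust_xff: bool):
    """Pick the address the request is attributed to.

    With Trust XFF Header set, the first X-Forwarded-For entry wins (this is
    what lets random_ip_irule make one workstation look like many clients);
    otherwise the TCP source address is used.
    """
    if trust_xff and xff:
        return ipaddress.ip_address(xff.split(",")[0].strip())
    return ipaddress.ip_address(src_ip)


@dataclass
class Suggestion:
    entity: str
    sources: Set[ipaddress.IPv4Address] = field(default_factory=set)

    @property
    def learning_score(self) -> int:
        # Assumption: stand-in scoring of 5% per distinct source, which matches
        # the 5% seen for a single sampled request in the lab. ASM's real
        # scoring also depends on time and request volume.
        return min(100, 5 * len(self.sources))


@dataclass
class PolicyBuilder:
    trust_xff: bool = False
    trusted_nets: List[ipaddress.IPv4Network] = field(default_factory=list)
    policy: Dict[str, dict] = field(default_factory=dict)        # entity -> settings
    suggestions: Dict[str, Suggestion] = field(default_factory=dict)

    def add_trusted(self, cidr: str) -> None:
        self.trusted_nets.append(ipaddress.ip_network(cidr))

    def is_trusted(self, addr) -> bool:
        return any(addr in net for net in self.trusted_nets)

    def observe(self, entity: str, src_ip: str, xff: Optional[str] = None) -> str:
        """Process one request that references an entity (file type, URL, parameter)."""
        if entity in self.policy:
            return "already in policy"
        addr = client_address(src_ip, xff, self.trust_xff)
        if self.is_trusted(addr):
            # Trusted source: the entity goes straight into the policy, still
            # in staging so it is learned rather than enforced.
            self.policy[entity] = {"staging": True}
            self.suggestions.pop(entity, None)
            return "added to policy (staging)"
        # Untrusted source: only a learning suggestion, which needs more
        # distinct traffic before it is worth accepting.
        sugg = self.suggestions.setdefault(entity, Suggestion(entity))
        sugg.sources.add(addr)
        return f"suggestion {sugg.learning_score}%"


def lab_walkthrough() -> List[str]:
    """Replay the two phases of the exercise with constructed client addresses."""
    builder = PolicyBuilder(trust_xff=True)
    results = []
    # Phase 1: random_ip_irule rewrites XFF, so every request looks untrusted.
    for fake_client in ("203.0.113.7", "203.0.113.7", "203.0.113.8"):
        results.append(builder.observe("php", "10.1.10.199", fake_client))
    # Phase 2: iRule removed and 10.1.10.0/24 added as a trusted network.
    builder.trust_xff = False
    builder.add_trusted("10.1.10.0/24")
    results.append(builder.observe("php", "10.1.10.199"))
    results.append(builder.observe("php", "10.1.10.199"))
    return results


if __name__ == "__main__":
    for line in lab_walkthrough():
        print(line)
```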

Task 4 – Adjust the Learning Speed


Use the Learning and Blocking Settings page to adjust the learning speed for trusted and untrusted requests to
simulate more traffic over time.

• Open the Security > Application Security > Policy Building > Learning and Blocking Settings page.
• Expand the Loosen Policy section and update the values as follows:

• Expand the Tighten Policy (stabilize) section and update the values as follows:
• Expand the Track Site Changes section and update the values as follows:
• Click Save, then click Apply Policy and then OK.
• Open an incognito (Chrome) window and click the DVWA bookmark, and then log in
  as admin / password.

→NOTE: During this process it’s possible that you may get a blocking page. If that happens, ASM needs
to add the new suggestion to the policy. Wait about 15 seconds and try the step again.

• Near the bottom of the page click to view the user policy, and then click the link to return to
  the main DVWA page.
• Click Instructions, then click the Copying link, and then click the PHPIDS License link.
• Click SQL Injection and type 4 into the field, and then click Submit.
• Type 5 into the field, and then click Submit.
• Click XSS reflected and type the following in the field, and then click Submit.
  Advanced F5 security training students!
• Type your first and last name into the field, and then click Submit.
• Click DVWA Security, then from the list select medium, and then click Submit.
• Click About, then click Setup, then click Create / Reset Database, then click Logout, and then close the
  page.
• Open the Application Security > Allowed File Types page.
  Some file types are now enforced, and the wildcard entry (*) has been deleted.
• Open the Application Security > URLs > Allowed URLs page.
  The wildcard entries have been deleted, and several URLs have learning suggestions available.

• Open the Application Security > Parameters > Parameters List page.
  The wildcard entry has been deleted, and several parameters have learning suggestions available.

→NOTE: If you do not see the id and/or name parameter, you will need to use a new incognito
(Chrome) window and repeat the steps above one more time. Once you’ve done that, in
the Configuration Utility refresh the Parameters List page and ensure both the id and
name parameters are in the list.

• Open a new private window in Firefox.
• Open the iMacros pane.
• In the iMacros pane select ASM_learning.iim and click Play (Loop). Once the macro has completed, close
  Firefox.
  This iMacro makes large requests into the name parameter with several keyboard characters.

→NOTE: It’s possible you will get a blocking page. This may result because the name parameter isn’t yet
configured correctly. If that happens close the browser and start with a new private window in
Firefox.

• Repeat several times:
  o Wait at least 20 seconds, then open a new private window in Firefox. (This ensures the requests will
    come from a new session.)
  o In the iMacros pane select ASM_learning.iim and click Play (Loop).
  o Once the macro has completed, close Firefox.
• In the Configuration Utility open the Application Security > Parameters > Parameters List page.
• Click name and examine the Perform Staging value.
  The Perform Staging checkbox should be cleared (enforced). If not, see the note below.
• Examine the Maximum Length value.
  The Maximum Length value should be 500. If not, see the note below.

• Open the Value Meta Characters page.
  There should be 9 allowed meta characters. If not, see the note below.

→NOTE: DO NOT MOVE FORWARD if the name parameter:
* is still in staging (not yet enforced). NOTE: It is very possible that the name parameter will come
  out of staging, but then return to staging. Continue until it is out of staging again.
* isn’t configured with a Maximum Length value of 500, and/or
* does not have 9 allowed meta characters.

If all three of these conditions are not met simultaneously, repeat the process of using a new
private window in Firefox and running a loop of the iMacro. After each macro, check the values
above for the name parameter.

• Once all three of the above conditions are met, open the Application Security > Policy Building >
  Learning and Blocking Settings page.
• From the Learning Mode list select Manual, then click Save, and then click Apply Policy and then OK.
  You are disabling automatic policy building.
• Open a new incognito (Chrome) window and click the DVWA bookmark, and then log in
  as admin / password.
• Click XSS reflected and copy and paste the following in the field, and then click Submit. (NOTE: Use the
  copy and paste guide on the Windows desktop.)
  This is a very cute Rocket Ship projection alarm clock. It is attractive sitting on my dresser. The Rocket Ship reminds me of the rockets in TV and movies and books from the 50's. Rocket alarm clock projects the time and four different NASA images on the ceiling or wall. There are four NASA space images to choose from: man on the Moon, earth, Moon and space shuttle. The top of the clock rotates and pivots allowing the time and image to project anywhere in the room. Images project up to 30 inches in diameter. Powered by 3 C batteries (not Included) or Included AC adaptor. Children will love having this rocket ship alarm clock in their bedroom. Alarm button on/off is on the side.
  What should be a valid user request is blocked by ASM. This is known as a false positive.
• In the Configuration Utility, open the Event Logs > Application > Requests page.
• Click the blocked /vulnerabilities/xss_r/ entry to view the request in a new window.
  The request was blocked for two reasons: Illegal parameter value length and Illegal meta character
  in value.
• Click Illegal parameter value length.
  The current expected length is 500 characters, but the request was 686 characters.
• For the Illegal parameter value length violation click the Learn button. (NOTE: Move the View Full
  Request Information window to the side so you can view the Configuration Utility.)
  You are navigated to the Traffic Learning page with the suggestion to increase the maximum length
  value for the name parameter to 1000. Now that you’re no longer in automatic mode, all changes
  must be made manually.
• Click Accept Suggestion, and then click Accept suggestion.

• In the View Full Request Information window, click Illegal meta character in value.
  The request contained two meta characters that weren’t previously added to the allowed list.
• For the Illegal meta character in value violation click the Learn button, and then close
  the View Full Request Information window.
• Select the different Illegal meta character in value suggestions and view the Matched Meta Character
  values.
  The most recent request included a hyphen (‘) and a colon (:).
• Select all the Illegal meta character in value checkboxes, then click Accept Suggestions, and then
  click Accept suggestions.
• Click Apply Policy and then OK.
• Reload the blocked page.
  The long entry with special meta characters is now allowed.

Task 5 – Examine Parameter Enforcement


Identify the behavioral difference between parameter staging and enforcement.

• In the DVWA application on the XSS reflected page, copy and paste the following in the field, and then
  click Submit. (NOTE: Use the copy and paste guide on the Windows desktop.)
  <script>alert("Your system is infected! Call 999-888-7777 for help.")</script>
  The cross-site scripting attempt is blocked by BIG-IP ASM.
• Click the DVWA bookmark, then click SQL Injection, then in the User ID field copy and paste the
  following and then click Submit: (NOTE: Use the copy and paste guide on the Windows desktop.)
  %' or 1='1
  This parameter is still vulnerable to SQL injection attacks.
• Right-click inside the field and select Inspect, and then examine the parameter name value.
  The name of this parameter is id.
• In the Configuration Utility, open the Parameters List page and examine the id parameter.

Question:
Why did the name parameter block a signature violation, but the id parameter didn’t?

______________________________________________________________________

• Click the id link.
• Clear the Perform Staging checkbox.
• If Parameter Value Type is still listed as Ignore Value, change the setting to User-input value and change
  the Maximum Length value to 25, and then click Update.

• Return to the Parameters List page.
  Both the id parameter and the name parameter are now enforced.
• Click Apply Policy and then OK.
• Reload the DVWA page with the SQL injection results.
  The SQL Injection attempt is now blocked by ASM.
• Close the blocked page.
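Added example (not F5 code): a Python model of the parameter checks seen in Tasks 4 and 5, covering maximum value length, the allowed meta character list, the Ignore value type, and how staging turns a violation into a learning suggestion while enforcement turns it into a block. The nine allowed meta characters are a constructed set, and attack signatures are not modelled, so the enforced id parameter is caught here by its illegal meta characters rather than by a signature.

```python
import string
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Assumption: a "meta character" here is any ASCII punctuation character;
# ASM keeps its own meta character tables.
META_CHARS: Set[str] = set(string.punctuation)

Violation = Tuple[str, str]   # (violation name, detail)


@dataclass
class ParameterPolicy:
    name: str
    max_length: int
    allowed_meta: Set[str] = field(default_factory=set)
    staging: bool = True               # True: learn only; False: enforced
    value_type: str = "user-input"     # "ignore" models the Ignore value type

    def violations(self, value: str) -> List[Violation]:
        found: List[Violation] = []
        if len(value) > self.max_length:
            found.append(("Illegal parameter value length",
                          f"expected {self.max_length}, got {len(value)}"))
        illegal = sorted({c for c in value if c in META_CHARS} - self.allowed_meta)
        if illegal:
            found.append(("Illegal meta character in value", "".join(illegal)))
        return found


def evaluate(policy: ParameterPolicy, value: str) -> Tuple[str, List[Violation]]:
    """Return (action, violations); action is allow, learn or block."""
    if policy.value_type == "ignore":
        return "allow", []           # Ignore value: the value is never inspected
    found = policy.violations(value)
    if not found:
        return "allow", []
    if policy.staging:
        return "learn", found        # staging: suggestions only, request passes
    return "block", found            # enforced: request is blocked


def accept_suggestions(policy: ParameterPolicy, found: List[Violation],
                       new_max_length: int) -> None:
    """Apply the learning suggestions by hand, as the lab does once the
    Learning Mode is set to Manual."""
    for kind, detail in found:
        if kind == "Illegal parameter value length":
            policy.max_length = new_max_length
        elif kind == "Illegal meta character in value":
            policy.allowed_meta |= set(detail)


def name_policy() -> ParameterPolicy:
    # The nine characters the policy builder learned are not listed in the
    # guide; this constructed set makes the review text below trip only on
    # the apostrophe and the colon, as observed in the lab.
    return ParameterPolicy("name", max_length=500, staging=False,
                           allowed_meta=set(".,()/!?-&"))


# The review text pasted into the XSS reflected page in Task 4.
ROCKET_SHIP_REVIEW = (
    "This is a very cute Rocket Ship projection alarm clock. It is attractive "
    "sitting on my dresser. The Rocket Ship reminds me of the rockets in TV "
    "and movies and books from the 50's. Rocket alarm clock projects the time "
    "and four different NASA images on the ceiling or wall. There are four "
    "NASA space images to choose from: man on the Moon, earth, Moon and space "
    "shuttle. The top of the clock rotates and pivots allowing the time and "
    "image to project anywhere in the room. Images project up to 30 inches in "
    "diameter. Powered by 3 C batteries (not Included) or Included AC adaptor. "
    "Children will love having this rocket ship alarm clock in their bedroom. "
    "Alarm button on/off is on the side."
)


if __name__ == "__main__":
    pol = name_policy()
    action, found = evaluate(pol, ROCKET_SHIP_REVIEW)
    print(action, found)                     # block, two violations
    accept_suggestions(pol, found, 1000)     # the suggestion raised length to 1000
    print(evaluate(pol, ROCKET_SHIP_REVIEW)) # allow
    id_pol = ParameterPolicy("id", max_length=25, value_type="ignore")
    print(evaluate(id_pol, "%' or 1='1"))    # allow: value never inspected
```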


Lesson 1.2: Brute Force and Web Scraping Protection

Exercise 1.2 – Use Brute Force and Web Scraping Protection

• Estimated completion time: 40 minutes

Task 1 – Use iMacros to Run a Brute Force Attack


Use iMacros for Mozilla Firefox to launch a brute force attack against the web site.

• Open Firefox and the iMacros pane, then select ASM_bruteforce.iim, and then on the Play tab click Play.
  This is a simple example of a brute force attack against this web site. The attacker is using a macro to
  attempt access to this website using a variety of username and password combinations. Notice that
  eventually the attacker successfully finds valid credentials. Also notice that after a successful login the
  page contains the text My Account.
• On the Hackazon My Account page click Profile.
  The hacker now has access to this user’s account.
• In the Hackazon page click Logout, then click Sign In / Sign Up and attempt to log in using your first
  name as the username and your last name as the password.
  Notice the URL we are on is /user/login, and also notice the error message includes the word
  incorrect.
• Close Firefox.

Task 2 – Add Brute Force Protection to a Security Policy


Update an existing ASM security policy to identify and then block brute force attacks.

• In the Configuration Utility, open the Virtual Server List page and click target_virtual, and then open the
  Security > Policies page.
  Application security is Enabled using a policy named brute_webscraping_policy. This is the virtual
  server you were accessing in task 1.
• Open the Application Security > Policy > Policy Properties page, and from the Current edited policy list
  select brute_webscraping_policy (blocking).
  This policy was created before we started this exercise. This policy currently doesn’t include brute
  force protection.

• Open the Event Logs > Application > Requests page and select All requests, and then scroll through the
  entries in the log file.
  There were several legal requests caused by the brute force attack against the /user/login page.
• Click Clear All and then OK to delete all the log file entries.
• Open the Allowed URLs page.
  These URLs were added from normal user traffic when the policy was built.
• In the URL Contains field type login, and then click Go.
  The /user/login URL is the login page we used to submit the login request.
• Click /user/login, and then open the URL Parameters page.
  These are the parameters used on the /user/login page. We need both the login page URL and the
  username and password parameter values when creating a login page for brute force protection.
• Open the Application Security > Sessions and Logins > Login Pages List page and click Create.
• For Login URL select Explicit > HTTPS, and then start typing /user/login, and then select /user/login
  once it displays.
• Configure the login page using the following information, and then click Create.
  Authentication Type: HTML Form
  Username Parameter Value: username
  Password Parameter Value: password
  A string that should appear in the response: My Account
  A string that should NOT appear in the response: incorrect
• Open the Application Security > Anomaly Detection > Brute Force Attack Prevention page and
  click Create.
• For Login Page select [HTTPS]/user/login.
• Examine the settings in the Session-based Brute Force Protection section.
  After 5 failed login attempts, a blocked user will be unable to attempt another login for 600 seconds.
• Click Create, then click Apply Policy and then OK.
• Open a new private window in Firefox, then in the iMacros pane select ASM_bruteforce.iim, and then
  click Play.
  After a few attack attempts, the user is blocked.
• Click Stop and then click Play again. Continue to click Stop and Play several times, and then close Firefox.
• In the Configuration Utility, open the Event Logs > Application > Requests page.
  There are now several blocked requests for the /user/login page.
• Select the most recent blocked request.
  The violation is Brute Force: Maximum login attempts are exceeded.
• Click Brute Force: Maximum login attempts are exceeded.
  There are details on the username that was attempted and the number of bad login attempts.
• Close the log windows.
• Click Clear All and then OK to delete all the log file entries.
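Added example (not F5 code): a Python model of the login page definition and the session-based brute force settings configured in this task, showing how a login is judged by the strings that should and should not appear in the response, why a session is blocked after 5 failures for 600 seconds, and why a new private window (a new session) starts with a clean counter. The Hackazon response bodies and the one-attempt-per-second timing are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class LoginPage:
    """The login page definition created in this task."""
    url: str = "/user/login"
    username_param: str = "username"
    password_param: str = "password"
    must_appear: str = "My Account"     # a string that should appear in the response
    must_not_appear: str = "incorrect"  # a string that should NOT appear in the response

    def login_succeeded(self, response_body: str) -> bool:
        return (self.must_appear in response_body
                and self.must_not_appear not in response_body)


@dataclass
class SessionBruteForceGuard:
    """Session-based brute force protection: 5 failures, then a 600 second block."""
    page: LoginPage
    max_failed: int = 5
    block_seconds: int = 600
    failures: Dict[str, int] = field(default_factory=dict)
    blocked_until: Dict[str, float] = field(default_factory=dict)

    def check(self, session: str, now: float) -> str:
        """Decide before forwarding a login request: 'allow' or 'block'."""
        until = self.blocked_until.get(session)
        if until is not None:
            if now < until:
                return "block"   # Brute Force: Maximum login attempts are exceeded
            # The block has expired: forget this session's history.
            del self.blocked_until[session]
            self.failures.pop(session, None)
        return "allow"

    def record(self, session: str, url: str, response_body: str, now: float) -> None:
        """Update the failure counter from the server's response to a login."""
        if url != self.page.url:
            return
        if self.page.login_succeeded(response_body):
            self.failures.pop(session, None)
            return
        self.failures[session] = self.failures.get(session, 0) + 1
        if self.failures[session] >= self.max_failed:
            self.blocked_until[session] = now + self.block_seconds


def replay(guard: SessionBruteForceGuard, session: str, attempts: List[bool],
           start: float = 0.0) -> List[str]:
    """Replay one login attempt per second for a session (like the macro);
    each entry of attempts says whether the guessed credentials were right.
    The response bodies are constructed stand-ins for the Hackazon pages."""
    decisions = []
    for i, correct in enumerate(attempts):
        now = start + i
        decision = guard.check(session, now)
        if decision == "allow":
            body = ("<h1>My Account</h1>" if correct
                    else "Username or password is incorrect")
            guard.record(session, guard.page.url, body, now)
        decisions.append(decision)
    return decisions


if __name__ == "__main__":
    guard = SessionBruteForceGuard(LoginPage())
    print(replay(guard, "macro-session", [False] * 8))   # five allowed, then blocked
```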

Task 3 – Run a Web Scraping Attack and then Add Web Scraping Protection
Use iMacros for Mozilla Firefox to launch a web scraping attack against the web site, and then update a security
policy to identify and then block web scraping attacks.

• Open a new private window in Firefox, then in the iMacros pane select ASM_webscraping.iim, and then
  click Play (Loop).
  This is a simple example of a web scraping attack. Notice that as the macro runs it scrapes multiple
  product category pages.
• Wait for the iMacro to complete before moving on.
• In the Configuration Utility, on the Event Logs > Application > Requests page select All requests.
  There are many legal requests caused by the web scraping attack.
• Click Clear All and then OK to delete all the log file entries.
• Open the Application Security > Anomaly Detection > Web Scraping page.
• For Bot Detection, select Alarm and Block.
• In the Bot Detection section, edit the settings as follows.
• Click Save, then click Apply Policy and then OK.

• In Firefox click Play (Loop).
  After identifying that a web scraping attack is occurring, ASM begins to block requests.
• Use Firefox to open a new private window, select ASM_webscraping.iim, and click Play (Loop).
• Continue to click Play (Loop) in each Firefox window a few more times, and then close both Firefox
  windows.
• In the Configuration Utility, open the Event Logs > Application > Requests page.
  There are several blocked requests.
• Select any of the blocked requests to view the information in the new window.
  o Under Violations, select Web scraping detected.
  o Under General Details, select Web Scraping.
• Close the log windows.
• Open the Event Logs > Application > Web Scraping Statistics page.
  This page displays details about web scraping attacks that ASM detected and blocked.

Task 4 – View the Security Charts


View the security charts to identify that brute force and web scraping attacks were detected and blocked.

• In the Configuration Utility, open the Security > Reporting > Application > Charts page.

→NOTE: It will take several minutes for all of the transaction data to load.

• Change the Time Period to Last Hour and the Chart type to Stacked.
• In the Details section click /Common/brute_webscraping_policy, then click <Unassigned>, and then
  click /Common/target_virtual.
• In the Details section click Blocked.
  These are the blocked requests that were identified as brute force and web scraping attacks.
• In the View By list, select URLs.
  This is the URL that ASM blocked from brute force and web scraping attacks.
• Click Export, and then click Export again.
• Open the downloaded PDF.
  At any time, we can export the report data. The export will include the exact current contents
  displayed on the reports page.


Lesson 1.3: Layer 7 DoS Protection


Exercise 1.3 – Using Layer 7 DDoS Protection


• Estimated completion time: 45 minutes.

Task 1 – Use Tools to Simulate Layer 7 DoS Attacks


Use several attack tools to simulate layer 7 DoS attacks.

• In the Configuration Utility, open the Learning and Blocking Settings page.
• From the Current edited policy list select lorax_security_policy (blocking).
• Expand Attack Signatures, and clear the Learn, Alarm, and Block checkboxes.
• Click Save, and then click Apply Policy and OK.
We're removing the security policy's attack signature protection so we can focus on ASM's DoS protection.
• Open the Event Logs > Application > Requests page and click Clear All and then OK.
• From the desktop, open OWASP ZAP. (NOTE: This program takes several minutes to load. Continue forward while the program opens.)
• Open XAMPP Control Panel and click Shell.
• Copy and paste the following command into the shell window. (NOTE: Use the copy and paste guide on the Windows desktop.)
ab -n 100 -c 50 "http://dvwa.f5demo.com/"
Apache Bench sends 100 requests to the DVWA site and displays the results in milliseconds.
• In the Configuration Utility, on the Event Logs > Application > Requests page select All Requests.
All 100 requests were considered legal by the ASM security policy and were sent to the web server to be processed.
• In the Shell window, copy and paste the following command. (NOTE: Use the copy and paste guide on the Windows desktop.)
ab -n 200 -c 50 "http://dvwa.f5demo.com/images/login_logo.png"
• In the Configuration Utility, on the Event Logs > Application > Requests page click Go.
An additional 200 requests for the login_logo.png file were considered legal by the ASM security policy and were sent to the web server to be processed. If there were thousands of bots in a botnet sending this request, it could overwhelm the web server.
• Click Clear All and then OK.
• Open a command prompt and copy and paste the following: (NOTE: Use the copy and paste guide on the Windows desktop.)
curl -A "stringsample" http://dvwa.f5demo.com/login.php
cURL is a command line tool for getting or sending files using URL syntax; the -A option sets the request's User-Agent header, here to stringsample. The cURL result is the HTML web code for the DVWA login page.
• Resubmit the previous command 15 more times (use the ↑ key on the keyboard).
• In the command prompt, copy and paste the following command and resubmit it 15 times: (NOTE: Use the copy and paste guide on the Windows desktop.)
curl http://dvwa.f5demo.com/login.php

• In the Configuration Utility, on the Application > Requests page select All Requests.
These requests were considered legal and sent to the web server for processing.
• Click Clear All and then OK.
• In the command prompt move to the following location and then issue the command.
cd c:\phantomjs\bin
phantomjs.exe L7DDOS.js
Each time Damn Vulnerable Web App (DVWA) - Login displays, it indicates a successful request for the DVWA Login page. Wait until the C:\phantomjs\bin prompt displays, which identifies that the attack is over.
• In the Configuration Utility, on the Application > Requests page select All Requests.
Because of the attack, over 600 requests were considered legal by the ASM security policy and sent to the web server for processing. Notice that none of these requests have a violation rating.
• Click Clear All and then OK.
• In OWASP ZAP, in the URL to attack field, enter http://dvwa.f5demo.com, and then click Attack.
• Monitor the attack progress.
• Wait for the attack to complete before moving on.
• In the Configuration Utility, on the Application > Requests page select All Requests.
Hundreds of requests were considered legal and sent to the web servers for processing. Some requests have a violation rating due to the malicious nature of the requests.
• Click Clear All and then OK.
• Open LOIC.
• Configure the attack using the following information, and then click IMMA CHARGIN MAH LAZER.
    URL              dvwa.f5demo.com (Click Lock on)
    TCP/UDP message  GET /\r\n
    Method           HTTP
    Threads          1
    Wait for reply   Disabled (unchecked)
• Let the attack run until the Requested value goes over 1000, and then click Stop flooding.
• In the Configuration Utility, on the Application > Requests page select All Requests.
In just a few seconds over 1000 requests were considered legal by the ASM security policy and sent to the web servers for processing.
• Click Clear All and then OK.


Task 2 – Enable Layer 7 Bot Signature Protection


Create a new DoS profile with layer 7 bot signature protection and attach it to an existing virtual.

• Navigate to Security > DoS Protection and right-click on DoS Profiles, and then select Open Link in New Tab.
• On the DoS Profiles page click Create.
• Name the new profile lorax_dos_profile.
• Click General Settings, then click Disabled and then select the Enabled checkbox.
• Click TPS-based Detection, then for Operation Mode click Blocking, and then change the setting to Off.
• Click Heavy URL Protection, then for Heavy URL Protection click Enabled, and then clear the Enabled checkbox.
• Click Bot Signatures, then for Bot Signature Check click Disabled and then select the Enabled checkbox, and then click Finished.
• Navigate to Virtual Servers and right-click on Virtual Server List, and then select Open Link in New Tab.
• On the Virtual Server List page click dvwa_virtual, and then open the Security > Policies page.
• From the DoS Protection Profile list select Enabled, then select lorax_dos_profile, and then click Update.
• Open the Security > Reporting > DoS > Application > Transaction Outcome page, and then click Open Real-Time Charts.
• Resize the real-time chart window by making it wider.

→NOTE: You will keep the real-time chart window open through the rest of this exercise.

• In the Shell window, copy and paste the following command. (NOTE: Use the copy and paste guide on the Windows desktop.)
ab -n 200 -c 50 "http://dvwa.f5demo.com/instructions.php"
Apache Bench failed to submit the 200 requests to the web server.
• Resubmit the same command 10 more times.
• In the Application > Requests tab select All Requests.
None of the most recent requests were processed by the security policy, as they were blocked by ASM's layer 7 DoS protection first.
• View the recent activity in the real-time chart.
All the recent requests fall under the DoS Blocked category, which means they were blocked by ASM's layer 7 DoS protection before being processed by the security policy.


Task 3 – Create a New Bot Category and Bot Signature


Create a new bot signature category, and then add a new bot signature into the new category.

• In the third Configuration Utility tab, open the Security > Options > DoS Protection > Bot Signature Categories List page and click Create.
• For Category Name type Lorax DoS Signatures, and then click Create.
• Open the Security > Options > DoS Protection > Bot Signatures List page and click Create.
• Create a new bot signature using the following information, and then click Create.
    Name        .lorax_stringsample
    Category    Lorax DoS Signatures
    Rule: Type  Advanced Edit Mode
    Rule: Text  headercontent: "stringsample"; useragentonly;
    Risk        Medium
The rule matches requests whose User-Agent header contains stringsample, the value that the earlier curl -A command set.
• In the DoS Profiles tab click lorax_dos_profile, and then click Bot Signatures.
• For Bot Signature Categories click Edit.
• In the Malicious Categories section, from the Lorax DoS Signatures list, select Block, and then click Update.
• In the command prompt resubmit the following command:
curl -A "stringsample" http://dvwa.f5demo.com/login.php
You now receive an Empty reply from server error message.
• Quickly resubmit the previous command 30 more times (use the ↑ key on the keyboard).
• In the Application > Requests tab click Go.
None of the most recent requests were processed by the security policy, as they were blocked by ASM's layer 7 DoS protection.
• View the recent activity in the real-time chart. (NOTE: It will be a small amount of new data.)
The new requests fall under the DoS Blocked category.
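The bot signature created in this task is a small matching rule, and it helps to see its two keywords evaluated against real request headers. The following Python evaluator is an added example, not code from the guide or from F5's signature engine: it understands only the two keywords the lab uses (headercontent and useragentonly), the header dicts are constructed sample requests, and the "report" default for a category with no chosen action is an assumption.

```python
"""Evaluator for a bot-signature rule of the kind built in Task 3.

Added illustration, not F5's engine. Only the two rule keywords on the page,
"headercontent" and "useragentonly", are understood. It reproduces the lab's
observable behaviour: a request whose User-Agent contains "stringsample" is
blocked once the category action is Block, while browser traffic and requests
carrying the string in some other header are left alone.
"""
import re
from dataclasses import dataclass

# One clause of the rule text: a keyword, optionally followed by ': "value"'.
CLAUSE_RE = re.compile(r'(\w+)\s*(?::\s*"((?:[^"\\]|\\.)*)")?')


@dataclass(frozen=True)
class BotSignature:
    name: str
    category: str
    header_content: str      # substring the rule looks for
    user_agent_only: bool    # True: inspect only the User-Agent header


def parse_rule(name: str, category: str, rule_text: str) -> BotSignature:
    """Parse rule text such as 'headercontent: "stringsample"; useragentonly;'."""
    header_content = None
    user_agent_only = False
    for clause in rule_text.split(";"):
        clause = clause.strip()
        if not clause:
            continue
        m = CLAUSE_RE.fullmatch(clause)
        if m is None:
            raise ValueError(f"cannot parse clause {clause!r}")
        keyword, value = m.group(1).lower(), m.group(2)
        if keyword == "headercontent":
            if value is None:
                raise ValueError("headercontent needs a quoted value")
            header_content = value
        elif keyword == "useragentonly":
            user_agent_only = True
        else:
            raise ValueError(f"unsupported keyword {keyword!r} (only the lab's two are handled)")
    if header_content is None:
        raise ValueError("rule has no headercontent clause")
    return BotSignature(name, category, header_content, user_agent_only)


def signature_matches(sig: BotSignature, headers: dict) -> bool:
    """True when the request headers trip the signature.

    Header names compare case-insensitively; values are searched for the
    literal substring (the lab rule carries no case-folding flag).
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    if sig.user_agent_only:
        candidates = [lowered.get("user-agent", "")]
    else:
        candidates = list(lowered.values())
    return any(sig.header_content in value for value in candidates)


def classify(sig: BotSignature, category_actions: dict, headers: dict) -> str:
    """Map a request to 'block', 'report' or 'pass'.

    category_actions mirrors the per-category choice made under Bot Signature
    Categories, e.g. {"Lorax DoS Signatures": "block"}. An unmatched request
    passes; a matched category with no recorded choice is assumed to report.
    """
    if not signature_matches(sig, headers):
        return "pass"
    return category_actions.get(sig.category, "report")


# Constructed sample requests (header dicts), not captured traffic.
CURL_REQUEST = {"Host": "dvwa.f5demo.com", "User-Agent": "stringsample", "Accept": "*/*"}
BROWSER_REQUEST = {"Host": "dvwa.f5demo.com",
                   "User-Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/62.0 Safari/537.36"}
OTHER_HEADER_REQUEST = {"Host": "dvwa.f5demo.com", "User-Agent": "curl/7.55.1", "X-Trace": "stringsample"}

LAB_SIGNATURE = parse_rule(".lorax_stringsample", "Lorax DoS Signatures",
                           'headercontent: "stringsample"; useragentonly;')
LAB_ACTIONS = {"Lorax DoS Signatures": "block"}

if __name__ == "__main__":
    for label, req in [("curl -A stringsample", CURL_REQUEST),
                       ("browser", BROWSER_REQUEST),
                       ("string in another header", OTHER_HEADER_REQUEST)]:
        print(f"{label:28s} -> {classify(LAB_SIGNATURE, LAB_ACTIONS, req)}")
```

The third sample request shows what useragentonly buys you: without it, the same string in any header would match, which is usually wider than a signature author intends.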

Task 4 – Enable Proactive Bot Defense Protection


Add proactive bot defense protection to the DoS profile.

• In the DoS Profiles tab, click lorax_dos_profile.
• Click Proactive Bot Defense, then click Off, then change Operational Mode to Always.
• For Grace Period click the Edit link, then change the value to 3 seconds, and then click Update.
• In the command prompt resubmit the following command:
curl http://dvwa.f5demo.com/login.php
The curl command fails because it didn't pass the JavaScript challenge.
• Quickly resubmit the previous command 30 more times (use the ↑ key on the keyboard).
• In the command prompt resubmit the following command:
phantomjs.exe L7DDOS.js
• Wait about 30 seconds before moving on.
• Open a new Chrome window and click the DVWA bookmark.
Notice that it takes a couple of seconds for the page to begin loading. This is caused by the browser taking and passing the JavaScript challenge.
• Close the Chrome window.
• In the Application > Requests tab click Go.
Only the requests generated from the Chrome browser were legal. All of the rest were blocked by Layer 7 DoS protection.
• Click Clear All and then OK.
• Examine the recent activity in the real-time chart.
Most of the recent attack traffic falls under the Proactive Mitigation category. The requests from the Chrome window fall under the Passthrough category.
• Open a new incognito (Chrome) window and click the Chrome UA Spoofer button, and then select Internet Explorer 9.
• Click the DVWA bookmark.
You are presented with a CAPTCHA challenge.
• Enter the CAPTCHA challenge and click submit to view the DVWA login page, and then close Chrome.
• Open a new incognito (Chrome) window and click the Chrome UA Spoofer button and select Internet Explorer 6, and then click the DVWA bookmark.
You now receive a The connection was reset error page.
• Use Ctrl+F5 several times to reload the page.
• Click the Chrome UA Spoofer button and then select Chrome > Default.
The DVWA page displays.
• Close the Chrome window.
• View the recent activity in the real-time chart. (NOTE: It will be a small amount of new data.)
Some requests fall under CAPTCHA Mitigation, some fall under BIG-IP Response.


Task 5 – Client-Side TPS-Based Detection


Update the DoS profile by adding TPS-based detection.

• In the DoS Profiles tab, click lorax_dos_profile.
• Click TPS-based Detection, then click Off, then change Operational Mode to Blocking.
• Update the following values for the By Source IP section:
    TPS increased by               5%
    and reach at least             4
    OR TPS reached                 4
    Client Side Integrity Defense  Enabled (selected)
    CAPTCHA Challenge              Disabled (cleared)
    Request Blocking               Block All
• Update the following values for the By URL section, and then click Update.
    TPS increased by               5%
    and reach at least             4
    OR TPS reached                 4
    Client Side Integrity Defense  Enabled (selected)
    CAPTCHA Challenge              Disabled (cleared)
    Request Blocking               Enabled

• In the OWASP ZAP tool, click Attack. If the scan begins to run, let it run for about 10 seconds, then click Stop, and then click Attack again.
• Click Attack multiple times and examine the recent activity in the real-time chart.
• In LOIC, click IMMA CHARGIN MAH LAZER and let the attack run for 10 seconds and then click Stop Flooding.
• Open a new Chrome window and click the DVWA bookmark.
You are unable to access the web application due to the client-side integrity defense.
• Reload the page multiple times.
• In LOIC, click IMMA CHARGIN MAH LAZER and let the attack run for 10 seconds and then click Stop Flooding. Wait five seconds and then repeat this twice.
• In the command prompt resubmit the following command three times:
phantomjs.exe L7DDOS.js
• In the Shell window, copy and paste the following command and resubmit it five times. (NOTE: Use the copy and paste guide on the Windows desktop.)
ab -n 1000 -c 50 "http://dvwa.f5demo.com/images/login_logo.png"
• Examine the recent activity in the real-time chart.

• In the Application > Requests tab select All Requests.
Only the few requests from Chrome in the previous task were processed by the ASM security policy. The rest of the thousands of attack requests were blocked by ASM's layer 7 DoS protection.
• Open the Reporting > DoS > Application > Transaction Outcomes page.

NOTE: The log data can take up to five minutes to display.

• Place your mouse over the red flag and view the details.
• At the bottom of the screen, from the Drilldown to list select Transaction Outcomes.
This table shows how many requests of each transaction type were valid, mitigated, blocked, or incomplete.
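The By Source IP and By URL thresholds configured in this task are easier to reason about when the two conditions are replayed over a request stream. The following Python detector is an added example, not the guide's or F5's code: it implements "TPS increased by 5% and reach at least 4" OR "TPS reached 4" per source IP and per URL over one-second windows. The log lines are constructed, their minimal format ("<ip> [<epoch-second>] <method> <url>") is not BIG-IP's, and using the mean TPS of an entity's earlier seconds as the "increased by" baseline is an assumption. It also goes beyond the lab values: a second settings instance shows when the relative-increase branch, rather than the absolute one, is what trips detection.

```python
"""TPS-based detection as configured in Task 5, replayed over constructed log lines.

Added example, not F5 code. Implements the page's two conditions
("TPS increased by 5% and reach at least 4" OR "TPS reached 4") per source IP
and per URL over one-second windows. Assumptions: the baseline for the
"increased by" test is the mean TPS of that entity over all earlier seconds,
and the log format is a minimal constructed one, not BIG-IP's.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

LOG_RE = re.compile(r"^(?P<ip>\d+\.\d+\.\d+\.\d+) \[(?P<ts>\d+)\] (?P<method>[A-Z]+) (?P<url>\S+)$")


@dataclass(frozen=True)
class TpsSettings:
    increase_pct: float = 5.0   # "TPS increased by 5%"
    min_tps: int = 4            # "and reach at least 4"
    reached_tps: int = 4        # "OR TPS reached 4"


def parse_line(line: str):
    """Return (second, ip, url) from one constructed log line."""
    m = LOG_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    return int(m["ts"]), m["ip"], m["url"]


def per_second_counts(lines, key: str):
    """Bucket requests into {second: Counter(entity -> count)}; key is 'ip' or 'url'."""
    field = {"ip": 1, "url": 2}[key]
    buckets = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        buckets[rec[0]][rec[field]] += 1
    return buckets


def tripped(tps: int, earlier: list, s: TpsSettings):
    """Return a reason string if this one-second window trips detection, else None."""
    if tps >= s.reached_tps:
        return f"TPS reached {s.reached_tps}"
    if earlier and tps >= s.min_tps:
        baseline = sum(earlier) / len(earlier)
        if baseline > 0 and tps >= baseline * (1 + s.increase_pct / 100.0):
            return f"TPS increased by >= {s.increase_pct:g}% over baseline {baseline:.2f}"
    return None


def detect(lines, key: str, settings: TpsSettings = TpsSettings()):
    """Return [(second, entity, tps, reason)] for every window that trips detection.

    An entity seen earlier but absent from the current second counts as 0 TPS
    for that second, so idle time lowers its baseline as well.
    """
    buckets = per_second_counts(lines, key)
    history = defaultdict(list)   # entity -> TPS of each earlier second
    alerts = []
    for second in sorted(buckets):
        counts = buckets[second]
        for entity in sorted(set(history) | set(counts)):
            tps = counts.get(entity, 0)
            reason = tripped(tps, history[entity], settings)
            if reason:
                alerts.append((second, entity, tps, reason))
            history[entity].append(tps)
    return alerts


# Constructed sample traffic: two regular clients, one client bursting at a
# static file (as Apache Bench does in the lab), then a mild rise from a regular client.
SAMPLE_LOG = [
    "10.1.10.50 [100] GET /login.php",
    "10.1.10.51 [100] GET /index.php",
    "10.1.10.50 [101] GET /login.php",
    "10.1.10.51 [101] GET /images/login_logo.png",
    "10.1.10.50 [102] GET /login.php",
    *["10.1.10.99 [102] GET /images/login_logo.png"] * 5,
    *["10.1.10.50 [103] GET /login.php"] * 3,
]

if __name__ == "__main__":
    for key in ("ip", "url"):
        print(f"By {key} with the lab settings:")
        for alert in detect(SAMPLE_LOG, key):
            print("   ", alert)
    print("By ip with 'reach at least 2' and 'TPS reached 10':")
    for alert in detect(SAMPLE_LOG, "ip", TpsSettings(5.0, 2, 10)):
        print("   ", alert)
```

With the lab's values the two conditions share the number 4, so the absolute "TPS reached 4" branch always fires first and the relative-increase branch never decides anything; it only matters when "reach at least" is set below "TPS reached", as the second settings instance shows. What happens to a tripped source or URL afterwards (the Client Side Integrity Defense challenge, then request blocking) is the mitigation side of the profile and is not modelled here.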

F5 BIG-IQ for Network and Web Application Firewall Management

Lesson 2.1: BIG-IQ Overview


Exercise 2.1 – Using BIG-IQ to Manage BIG-IP Systems


• Estimated completion time: 40 minutes

Task 1 – Access the Ravello Lab Environment


Use a web browser to access your lab environment in Ravello, and then use RDP to access the Windows desktop
in your environment.

• Use a browser to access http://IP_address with the IP address supplied by your instructor, and log in using the username and password supplied by your instructor.
• For the BIG-IQ blueprint click View.
• Copy the IP address of the Windows 7 External VM, and then use RDP to access the IP address.
• Log into the Windows workstation as external_user / P@ssw0rd!
• If necessary, update the Windows time:
    o Select the clock and click Change date and time settings…
    o Select the Internet Time tab, and then click Change settings…
    o Select time.windows.com, and then click Update now.

Task 2 – Add the BIG-IP System and then Examine BIG-IQ ADC Options
Add a BIG-IP managed object, and then view and edit ADC options.

On bigiq.f5demo.com
• Open Chrome and click the BIGIQ bookmark and then log into the BIG-IQ system.
• In the BIG-IQ Configuration Utility, click the main BIG-IQ menu.
The default admin user has access to all BIG-IQ management tasks.
• Notice on the Users page that three custom user accounts have been created.
• Log out of the BIG-IQ system as admin, then log back in as adc_admin / password, and then select the main BIG-IQ menu.
This user only has access to the Access, ADC, Change Management, Device Management, System Management, and Audit Logging menus.
• From the main BIG-IQ menu select Device Management, and then click Add Device.

• Configure settings using the following information, and then click Add.
    IP Address  10.1.1.245
    User Name   admin
    Password    admin
• In the Add Device – 10.1.1.245 window select Local Traffic Manager (LTM), and then click Discover.
• Once the device has been discovered, under Services click Complete import tasks.
• For Local Traffic (LTM) click Import.
• Once the import has completed, return to the BIG-IP Devices page.
BIG-IQ now manages this device, including its LTM objects.
• From the main BIG-IQ menu select ADC, and then on the Virtual Servers page click dvwa_virtual_36.
• From the HTTP Profile list select http, and then click Save.
• Select Pools, and then click lorax_pool_46.
• For Health Monitors move gateway_icmp to the Enabled list.
• In the Resources section click New Member.
• Add a new pool member for 10.1.20.14: * All Ports, and then click Save, and then for the pool click Save.

Task 3 – Deploy Changes to the BIG-IP System


Deploy the changes you made to the BIG-IP system objects back to bigipA.f5demo.com.

On bigipA.f5demo.com
• Open a new tab and click the BIGIP_A bookmark and then log into the BIG-IP system.
• Notice the message at the top of the page.
• Open the Pool List page.
Notice the status of lorax_pool_46 is unknown. Also notice that this pool currently has three members. The new pool member hasn't been deployed to this BIG-IP system.
• Open the Virtual Server List page and click dvwa_virtual_36.
This virtual server isn't yet configured with an HTTP profile.

On bigiq.f5demo.com
• From the main BIG-IQ menu select Change Management.
• From the left menu open the Evaluate & Deploy > Local Traffic & Network page, and then under Evaluate and Deploy – Local Traffic & Network click Create.
• For Name enter bigipA_deploy1.
• For Target move bigipA.f5demo.com to the Selected list, and then click Create.
• Once the Status reads Evaluation complete, click the link under Differences.
This is the list of all ADC objects that will be added, changed, or removed on the target BIG-IP system.
• Click Cancel, then with the bigipA_deploy1 checkbox selected, click Deploy, and then click Deploy again.
• Wait for the Status to read Deployment complete before moving to the next step.

On bigipA.f5demo.com
• Refresh the dvwa_virtual_36 properties page.
This virtual server is now configured with an HTTP profile.
• Open the Pool List page.
Notice the status of lorax_pool_46 is now available, and it now has four pool members.

Lesson 2.2: BIG-IQ for AFM and ASM


Exercise 2.2 – Using BIG-IQ to Manage Network and Web Application Firewalls

• Estimated completion time: 45 minutes

Task 1 – Add Network Firewall Management to the Existing BIG-IP System


Using a network firewall admin account, import network firewall objects to BIG-IQ, and then update objects and
deploy them back to the BIG-IP system.

On bigiq.f5demo.com
• Log out of the BIG-IQ system as adc_admin, and then log back in as nf_admin / password.
• From the main BIG-IQ menu select Device Management and click bigipA.f5demo.com, and then click Services.
• For Advanced Firewall (AFM) click Discover, and then once it's discovered click Import.

Update shared security objects

• From the main BIG-IQ menu select Network Security, and then open the Shared Security page.
On the left menu are all BIG-IP system objects that can be used by both BIG-IP AFM and BIG-IP ASM. You can access these pages because of the Network Security Manager role.
• From the left menu click Logging Profiles and then click lorax_log_profile.
• Click the Network Firewall tab, then for Always Log Region select the Enabled checkbox, and then click Save & Close.

View and update the network security policy editor

• Open the Network Security > Policy Editor page.
The Devices page displays the BIG-IP firewalls that are being managed by this BIG-IQ system.
• From the left menu click Rule Lists and click app_services.
• Right-click your mouse over the reject_all rule, and then select Add rule before.

• Click into the default rule name, then configure the new rule using the following information, and then click Save & Close.
    Name                accept_telnet
    Port > Destination  Select Port from the list, type 23, and click the + button to add the entry
    Protocol            tcp
    Log                 selected
• From the left menu click Rule Schedules and click ssh_schedule.
• Select the checkboxes for Monday and Friday, and then click Save & Close.

Deploy changes to the BIG-IP system

On bigipA.f5demo.com
• Open the Security > Event Logs > Logging Profiles page and click lorax_log_profile.
Note that the log profile doesn't include the Always Log Region option.
• Open the Network Firewall > Schedules page and click ssh_schedule.
This schedule is currently set to 8AM and 6PM, Tuesday through Thursday.
• Open the Network Firewall > Active Rules page.
Note that the app_services rule list doesn't contain a rule named accept_telnet.

On bigiq.f5demo.com
• From the main BIG-IQ menu select Change Management.
• From the left menu open the Evaluate & Deploy > Network Security page, and then under Deployments (NOT under Evaluate and Deploy) click Create.
• For Name enter bigipA_deploy2.
• For Target select the Device option, then move bigipA.f5demo.com to the Selected list, then for Method select the Deploy immediately option, and then click Create and then Deploy.
• Wait for the Status to read Deployment complete before moving to the next step.

On bigipA.f5demo.com
• Refresh the Active Rules page.
The app_services rule list now includes accept_telnet.
• Open the Event Logs > Logging Profiles page and click lorax_log_profile.
The Always Log Region option is now Enabled.
• Open the Network Firewall > Schedules page and click ssh_schedule.
The checkboxes for Monday and Friday are now selected.


Task 2 – Use BIG-IQ to Manage a Second Network Firewall


Add bigipB.f5demo.com as a managed network firewall.

On bigiq.f5demo.com
• Log out of the BIG-IQ system as nf_admin, and then log back in as admin.
• From the main BIG-IQ menu select Device Management, and then click Add Device.
• Configure settings using the following information, and then click Add.
    IP Address  10.1.1.246
    User Name   admin
    Password    admin
• In the Add Device – 10.1.1.246 window select Local Traffic Manager (LTM), Application Security Manager (ASM), and Advanced Firewall Manager (AFM), and then click Discover.
You're including ASM in preparation for the last task of this exercise.
• Once the device has been discovered click Complete import tasks.
• For Local Traffic (LTM) click Import, then in the Differences for bigipA.f5demo.com dialog box, click Continue and then Resolve.
• For Advanced Firewall (AFM) click Import.
• For Application Security (ASM) click Import.

Add shared security and network policy objects to bigipB.f5demo.com

• Log out of the BIG-IQ system as admin, and then log back in as nf_admin / password.
• Open the Network Security > Shared Security page.
We can now see the virtual servers from bigipB.f5demo.com.
• Click lorax_virtual_45, then for Log Profiles move lorax_log_profile to the Selected list, and then click Save & Close.
• Open the Network Security > Policy Editor page and from the left menu click Devices.
There are now two devices.
• Expand Contexts, and then click Global.
• For bigipB.f5demo.com, click the global link.
• At the bottom of the page, for the bigip_global_policy row, use the grabber hand to drag and drop the policy up to the Enforced Firewall Policy section, and then click Save & Close.

• From the left menu click Virtual Server, and then click lorax_virtual_45.
• At the bottom of the page, click and drag lorax_fw_policy up to the Enforced Policy section, and then click Save & Close.

On bigipB.f5demo.com
• Open a new tab and click the BIGIP_B bookmark and then log into the BIG-IP system.
• Open the Event Logs > Logging Profiles page.
This virtual server isn't configured with a customized logging profile.
• Open the Active Rules page.
This BIG-IP AFM system has no rules applied to it.

On bigiq.f5demo.com
• From the main BIG-IQ menu select Change Management.
• From the left menu open the Evaluate & Deploy > Network Security page, and then under Deployments click Create.
• For Name enter bigipB_deploy1.
• For Target select the Device option, then move bigipB.f5demo.com to the Selected list, then for Method select the Deploy immediately option, and then click Create and then Deploy.
• Wait for the Status to read Deployment complete before moving to the next step.

On bigipB.f5demo.com
• Refresh the Active Rules page.
The bigip_global_policy has been deployed to the global context and lorax_fw_policy has been deployed to the lorax_virtual_45 context.
• Click lorax_virtual_45, and then open the Security > Policies page.
This virtual server is now sending log data to lorax_log_profile.

Task 3 – View and Update ASM Options


Import ASM objects, and then use BIG-IQ to update and deploy changes to a firewall group.

On bigiq.f5demo.com
• Log out of the BIG-IQ system as nf_admin, and then log back in as waf_admin / password.
• From the main BIG-IQ menu select Device Management and click bigipA.f5demo.com, and then click Services.
• For Application Security (ASM) click Discover, and then once it's discovered click Import.

Update shared security objects

• From the main BIG-IQ menu select Web Application Security, and then open the Shared Security page.
• From the left menu click DoS Profiles and then click Create.
• Configure settings using the following information.
    Name                  lorax_L7dos_profile
    Application Security  Enabled
• Select the Application Security tab, then configure settings using the following information, and then click Save & Close.
    General Settings > Geolocation Blacklist  Syrian Arab Republic (Click Add)
    Bot Signatures > Bot Signature Check      Enabled
• From the left menu click Virtual Servers and then click dvwa_virtual_35.
• From the DoS Profile list select lorax_L7dos_profile, and then click Save & Close.
• Click dvwa_virtual_36, then from the DoS Profile list select lorax_L7dos_profile, then from the Log Profiles list move Log all requests to the Selected list, and then click Save & Close.

Update the web application security policy

• Open the Web Application Security > Policy Editor page, and on the Policies page click lorax_security_policy.
• From the left menu click File Types, and then click Edit.
• Select the html checkbox, and then click Delete and then OK.
• Click Add > Allowed File Type.
• For File type enter pdf, and then click Save.
• From the left menu click Blocking Settings, and then click Edit.
• For Enforcement Mode select the Blocking option, and then click Save.
• Click the Back button, then from the left menu click Virtual Servers, and then click dvwa_virtual_36.
• At the bottom of the page, for the lorax_security_policy row, use the grabber hand to drag and drop the policy up to the Attached Policy section, and then click Save & Close.


Task 4 – Deploy Policy Settings to a Firewall Group


Use a BIG-IQ device group to deploy AFM and ASM updates to both BIG-IP systems.

On bigipA.f5demo.com
 Open the Virtual Server List page and click dvwa_virtual_36, and then open the Security > Policies page.
This virtual server isn’t configured with any application security firewall policies, dos protection
profiles, or log profiles.

On bigipB.f5demo.com
 Open the Virtual Server List page and click dvwa_virtual_35, and then open the Security > Policies page.
This virtual server is configured with an application security policy named lorax_security_policy. It is
also configured for logging using Log all requests. There is no DoS profile configured.
 Open the Allowed File Types page.
There are several file types added to lorax_security_policy including html files. Note that the pdf file
type is not on this list.
 Open the Learning and Blocking Settings page.
This security policy is currently in transparent mode.

On bigiq.f5demo.com
 From the main BIG-IQ menu select Device Management, and then on the left menu click Device Groups,
and then click West Coast Firewalls.
This group was created prior to the beginning of the exercise.
 At the bottom of the page add both bigipA.f5demo.com and bigipB.f5demo.com, and then click Save.
 From the main BIG-IQ menu select Change Management.
 From the left menu open the Evaluate & Deploy > Web Application Security page, and then under
Deployments click Create.
 For Name enter firewall_group_deploy1.
 For Target leave the Group option selected and select West Coast Firewalls, ensure that both
BIG-IP systems are in the Selected list, select the Deploy immediately option, and then click Create and
then Deploy.
 Wait for the Status to read Deployment complete before moving to the next step. (NOTE: This may take
up to five minutes; this is a good time to take a quick break.)

On bigipA.f5demo.com
 Refresh the Security > Policies page.
This virtual server is now protected with lorax_security_policy, is using the lorax_l7dos_profile
DoS profile, and is using the Log all requests log profile.

On bigipB.f5demo.com
 Refresh the Learning and Blocking Settings page.
This security policy is now in blocking mode.
 Open the Allowed File Types page.
The html file type is no longer on the file type white list while the pdf file type is.
 Open the Security > DoS Protection > DoS Profiles page.

The lorax_L7dos_profile is now on this BIG-IP system and it’s attached to dvwa_virtual_35.

IF TIME PERMITS – View the BIG-IQ Audit Log


View the BIG-IQ audit log, and then sort and filter the list of log entries.

On bigiq.f5demo.com
 Log out as waf_admin and log back in as admin.
 From the main BIG-IQ menu select Audit Logging.
Notice there are separate audit logs for the different BIG-IQ functions.
 Select the Network Firewall Security audit log.
 In the filter box, type 8443 and then click the search icon.

 In the Changes column click View.


You can identify specific tasks performed by BIG-IQ administrators.
 Select the Web Application Security audit log, then in the filter box, type waf_admin and then click the
search icon.
You can identify all tasks performed by a specific BIG-IQ administrator.


F5 WebSafe
Lesson 3.1: Fraud Overview



Exercise 3.1 – Examine the Dangers of Malware


• Estimated completion time: 20 minutes

Task 1 – Access the Ravello Lab Environment


Use a web browser to access your lab environment in Ravello, and then use RDP to access the Windows desktop
in your environment.

 Use a browser to access http://IP_address with the IP address supplied by your instructor, and log in
using the username and password supplied by your instructor.
 For the WebSafe blueprint click View.
 Copy the IP address of the Windows 7 External VM, and then use RDP to access the IP address.
 Log into the Windows workstation as external_user / P@ssw0rd!
 If necessary, update the Windows time:
o Select the clock and click Change date and time settings…
o Select the Internet Time tab, and then click Change settings…
o Select time.windows.com, and then click Update now.

Task 2 – Use Chrome to Inspect and Modify a Web Page


Use the Chrome developer tools to examine the document object model for a web page, and then use the
Elements tab to make changes to the web page.

 Open Chrome and press the Ctrl+Shift+I keys, and then click the Bank bookmark.
This opens the Chrome developer tools.
 Examine the Elements tab.

This is the top level of the document object model tree. This element contains two child nodes,
<head> and <body>, and the <body> node contains two <div class=…> child nodes.
 Expand the second <div> node, and then expand its child <div> node.
 Mouse-over the second child <div> node and examine the web page.
This element represents the Demo Bank heading and the text below it.
 Expand the second child <div> node, then mouse over the <h2> element and the <p> element, and then
examine the web page.

 Expand the <h2> node, and then examine the text under the <b> … </b> line.
 Right-click on “– Secure Online” and select Edit text.

 Edit the element from – Secure Online to – Very Insecure Online, then press the Enter key.
 Examine the change to the web page.
You’ve just made a simple change to the web page within the browser after it was sent from the
web server.
 Copy the following text: (NOTE: Use the copy and paste guide on the Windows desktop.)
<form method="POST">
<div class="form-group">
Username: <input type="text" placeholder="" name="username" class="form-control">
</div>
<div class="form-group">
Password: <input type="password" placeholder="" name="password" class="form-control">
</div>
<div class="form-group">
ATM Pin: <input type="text" placeholder="" name="pin" class="form-control">
</div>
<input type="submit" class="btn btn-success" style="float:right" value="Login">
</form>

 In the web page, right click inside the Username field and select Inspect.
 Right-click the <form method="POST"> line, and then select Edit as HTML.

 Select and delete all the text between the <form> opening tag and the </form> closing tag, then paste
the text that you copied to your clipboard earlier, then click outside of the <form> editing area and examine
the web page.

 Enter the following credentials but do not click Login.


Username: your first name
Password: abcDEF123&*(
PIN: your last name
 Open the Console tab, and in the console, type (or copy and paste) the following and press Enter:
document.forms[0]

 Place your mouse over the form element.


This is the form where the user credential fields are displayed.

 In the console, type (or copy and paste) each of the following and press Enter:
document.forms[0].username.value
document.forms[0].password.value
document.forms[0].pin.value
These values haven’t yet been submitted and are therefore available in cleartext for form grabbing.
 In the console, type (or copy and paste) each of the following and press Enter:
document.forms[0].username.value = "bob"
document.forms[0].pin.value = "smith"

 Examine the web page form.


Malware can manipulate the parameter values before they are submitted.

Task 3 – Configure BIG-IQ for Logging


Open the BIG-IQ management node and add a BIG-IQ logging node, which will be used for collecting WebSafe
alerts.

 In Chrome open a new tab and click the BIGIQ_Mgmt bookmark, and then log into the BIG-IQ system.
 From the left menu open the BIG-IQ Logging > Logging Nodes page and click Add Node.
 Use the following information, and then click Add.
IP Address 10.1.20.248
User name admin
Password admin
Transport Address 10.1.20.248
Transport Port 9300
It takes a couple of minutes to discover the logging node.
 Once the logging node has been discovered, click bigipqlogging.f5demo.com, and then open the
Services page.
 For Fraud Protection Service, click Activate.
 Open a new tab and click the BIGIP_A bookmark, and then log into the BIG-IP system.
 Open the Pool List page and ensure that the bigiq_logging_pool displays as online.


Lesson 3.2: Malware Detection



Exercise 3.2 – Use Malware Detection


• Estimated completion time: 40 minutes

Task 1 – Create a WebSafe Anti-Fraud Profile


Create an anti-fraud profile on the BIG-IP system, then add the profile to the virtual server.

 In the BIG-IP Configuration Utility, open the Security > Fraud Protection Service > Anti-Fraud Profiles
page, and then click the icon to the right of Create.

 Clear the Phishing Detection and Application Layer Encryption checkboxes, and then click Create.
 Use the following information, and then click Create.
Profile Name banking_fraud_profile
Alert Identifier D1 (you need to first click the checkbox to the right of the field)
Alert Pool bigiq_logging_pool (same note as above)
Log Publisher bigiq_logging_publisher (same note as above)

 Open the Virtual Server List page and click bank_virtual, and then open the Security > Policies page.
 From the Anti-Fraud Profile list select Enabled.
 From the Profile list box, select banking_fraud_profile, and then click Update.
 Open a new tab and press the F12 key, then click the Bank bookmark, and then examine the files on
the Network tab.
There are five files returned from the web server to build this web page.
 In the BIG-IP Configuration Utility, open the Anti-Fraud Profiles page and click banking_fraud_profile.
 Expand the left menu by clicking the > icon.

 In the left panel click URL List, and then click Add.
 For URL Path leave Explicit selected, and type /login.php.
 Expand the left panel and open the Malware Detection page.
 Leave the Malware Detection and Generic Malware Detection checkboxes selected and clear all other
configuration checkboxes, and then click Create.
Note that nearly all malware detection options are enabled by default.
 In the banking tab click the Bank bookmark and examine the Network tab.
There is now a script file and several xhr files.

 Click the Bank bookmark again and examine the Network tab.
Most of the xhr object files are no longer requested, however the script is still added to the page.
 Log in as bobsmith / P@ssw0rd1, and then examine the Network tab.
The /Home.php page does not include the script. Malware detection is enabled for specific URLs and
has only been enabled for the /Login.php page.
 In the BIG-IP Configuration Utility, click the link with the text “Anti-Fraud Profile”.

 Add a new URL configuration using the following information, and then click Create.
URL Path Wildcard: /*
Malware Detection Only Malware Detection and Generic Malware Detection
checkboxes selected
Automatic Transactions Clear the Automatic Transactions checkbox

 In the banking tab reload the /Home.php page, and then examine the Network tab.
The script is now inserted into this page.
 Click Transactions, and then examine the Network tab.
By using the wildcard URL, all pages in the web site now include generic malware detection.
 Click Logout.

Task 2 – View WebSafe Alerts


Add detection for external URL injection for the /Login.php page, and then view triggered alerts.

 In the BIG-IQ Configuration Utility, from the main BIG-IQ menu select Fraud Protection Service, and then
on the left panel open the Malware Alerts section.

No alerts have been generated yet.


 In the BIG-IP Configuration Utility, click the Anti-Fraud Profile link, and then click /login.php.
 Open the Malware Detection page, then select the External URL Injection Detection checkbox, and then
click Save.
 In the banking tab click the Bank bookmark, then click the Demo Tools bookmark and
click Insert Malicious Script.
 For the Malicious domain field, copy and paste http://www.hackingsite.com/inject.js, and then
click OK. (NOTE: Use the copy and paste guide on the Windows desktop.)
 Log in as bobsmith / P@ssw0rd1, and then click Logout.
 In the BIG-IQ Configuration Utility reload the page, then open the Malware Alerts > External Scripts
page, and then expand the hackingsite.com alert.
An external script has been reported with the alert type of External Sources. There are also additional
alerts caused by the Demo Tools bookmark, which also makes calls to scripts from external sources.
 Examine the User Name column.
The user name is presently Unknown.
 Expand the alert section for ajax.googleapis.com and select the alert checkbox, and then click Remove
and then Delete Selected.
 Repeat the step above for the alert for s3-eu-west-1.amazonaws.com.
 In the banking tab, to discover the parameter name that needs to be sent to the alert server, right-click
inside the Username field and select Inspect.

The parameter name is “username”.


 In the BIG-IP Configuration Utility, click the Anti-Fraud Profile link, and then from the left menu select
the global Malware Detection option.

 For Allow URLs from these external domains, add both ajax.googleapis.com
and s3-eu-west-1.amazonaws.com, and then click Save. (NOTE: Use the copy and paste guide on the
Windows desktop.)

 From the left menu select URL List, and then click /login.php.
 From the left panel open the Login Page Properties page, and then select the URL is Login Page
checkbox.
 For Expected HTTP response status code, in the Specify field enter 302.

 From the left panel open the Parameters page.


 Create a new parameter named username, and then click Add.

 Select the Identify as Username and Send in Alerts checkboxes, and then click Save.

 In the banking tab click the Bank bookmark, then click the Demo Tools bookmark and
click Insert Malicious Script.
 For the Malicious domain field, copy and paste http://www.worsesite.com/malware.js, and then
click OK. (NOTE: Use the copy and paste guide on the Windows desktop.)
 Log in as bobsmith / P@ssw0rd1, and then click Logout.
 In the BIG-IQ Configuration Utility reload the page, and then expand the worsesite.com alert.
The user name information (bobsmith) is now being sent to the alert server. (NOTE: If the User Name
is still displaying as Unknown, wait about 30 seconds and reload the page again.)
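The allow-list logic behind the External Sources alerts in this task, written out as an added example (this is not WebSafe code; the page origin, the allowed-domain list and the script URLs are constructed to match the lab):

```javascript
// Added illustration of the Task 2 allow-list check; this is not WebSafe code.
// Given the protected page's origin and the profile's "Allow URLs from these
// external domains" list, decide which script sources would raise an
// "External Sources" alert. Origin, domain list and script URLs are constructed.

const PAGE_ORIGIN = "https://bank.vlab.f5demo.com";
const ALLOWED_EXTERNAL_DOMAINS = ["ajax.googleapis.com", "s3-eu-west-1.amazonaws.com"];

// True when host is an allowed domain or a subdomain of one (case-insensitive).
// A suffix match without the leading dot would let "notajax.googleapis.com" through.
function isAllowedDomain(host, allowed) {
  const h = host.toLowerCase();
  return allowed.some((d) => h === d.toLowerCase() || h.endsWith("." + d.toLowerCase()));
}

// Classify one script src relative to the page origin. Relative paths resolve to
// the page's own host; protocol-relative "//host/x.js" forms resolve to that host.
function classifyScript(src, pageOrigin = PAGE_ORIGIN, allowed = ALLOWED_EXTERNAL_DOMAINS) {
  const url = new URL(src, pageOrigin);
  const origin = new URL(pageOrigin);
  if (url.host === origin.host) return { src, host: url.host, verdict: "same-origin" };
  if (isAllowedDomain(url.hostname, allowed)) return { src, host: url.host, verdict: "allowed-external" };
  return { src, host: url.host, verdict: "alert", alertType: "External Sources" };
}

// Evaluate every script on a page; return one alert per offending host, the way the
// lab's alert list groups entries by domain, with every src seen for that host.
function externalSourceAlerts(scriptSrcs, pageOrigin = PAGE_ORIGIN, allowed = ALLOWED_EXTERNAL_DOMAINS) {
  const byHost = new Map();
  for (const src of scriptSrcs) {
    const c = classifyScript(src, pageOrigin, allowed);
    if (c.verdict !== "alert") continue;
    if (!byHost.has(c.host)) byHost.set(c.host, { host: c.host, alertType: c.alertType, sources: [] });
    byHost.get(c.host).sources.push(c.src);
  }
  return [...byHost.values()];
}

// Constructed sample: the scripts the login page carries after the lab's
// "Insert Malicious Script" step, alongside the two legitimately used CDNs.
const SAMPLE_SCRIPTS = [
  "/js/demobank.js",
  "https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js",
  "//s3-eu-west-1.amazonaws.com/demo-assets/demo-tools.js",
  "http://www.hackingsite.com/inject.js",
  "http://www.hackingsite.com/tracker.js",
];

console.log(externalSourceAlerts(SAMPLE_SCRIPTS));
// → one alert: host www.hackingsite.com with both inject.js and tracker.js as sources
```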

Task 3 – Check for Malware JavaScript Signatures


Configure the anti-fraud profile with known malware signatures.

 In the BIG-IQ Configuration Utility, open the Configuration > Alert Transform Rules page, and then
click Add.
 Create a new alert using the following information, and then click Save & Close and then OK. (NOTE: Use
the copy and paste guide on the Windows desktop.)
Transform Rule Name tatang.Trojan
Find tatangakatanga
Where Move all to the Selected list
When Move all to the Selected list
Accounts All Accounts
Alert Severity 90
Alert Status Open

→NOTE: We’re adding this alert now because it will take a few minutes before the tatang.Trojan
alert will display in the alerts page.

 In the BIG-IP Configuration Utility, click the Anti-Fraud Profile link, and then open the
global Malware Detection page.
 For the Search for malicious words in the HTML or JavaScript code field, add both system and trojan as
two separate entries to the global forbidden list, and then click Save.
 Open the URL List page and click /login.php.
 Open the Malware Detection page, then select the Malware JavaScript Signatures checkbox, and then
click Save.
Notice the two words you added are in the Globally Forbidden Words list.
 In the banking tab click the Bank bookmark and log in as bobsmith / P@ssw0rd1, and then click Logout.
 In the BIG-IQ Configuration Utility reload the page, then open the Malware Alerts > Targeted Malware
page, and then expand the alert.
A Symbols Found alert was issued.
 Click Symbols Found and view the Alert Details.
The alert was issued due to the forbidden word system.
 Click Remove and then OK, and then click Refresh to ensure the alert has been removed.
 Examine the Demo Bank login page.
The word system does in fact appear on this web page and shouldn’t trigger an alert.

 In the BIG-IP Configuration Utility, click system, and then click << to move this signature to
the Ignore these Globally Forbidden Words list, and then click Save.

 In the banking tab click the Bank bookmark and log in as bobsmith / P@ssw0rd1, and then click Logout.
 In the BIG-IQ Configuration Utility reload the page, then open the Malware Alerts > Targeted Malware
page, and then expand the alert.
No new alerts were generated.
 In the BIG-IP Configuration Utility, click the Anti-Fraud Profile link, and then open the
global Malware Detection page.
 Add tatangakatanga to the global forbidden word list, and then click Save. (NOTE: Use the copy and paste
guide on the Windows desktop.)
 In the banking tab click the Bank bookmark, then click the Demo Tools bookmark and
click Imitate Trojan.
This imitates a Trojan for tatangakatanga.

 Log in as bobsmith / P@ssw0rd1, and then click Logout.


 In the BIG-IQ Configuration Utility reload the page, and then open the Malware Alerts >
Targeted Malware page.
A tatang.Trojan alert was issued. Notice that the severity level is higher than other alerts.
In addition, a Symbols Found alert was issued, due to the word trojan that occurred when you
clicked Imitate Trojan.

→NOTE: If the tatang.Trojan alert doesn’t display, it hasn’t yet been synchronized to the
BIG-IP logging node. Wait a few more minutes and try to imitate the trojan again using a
new incognito (Chrome) window.
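The forbidden-word check from this task, with the ignore list and the tatang.Trojan transform rule, written out as an added example (this is not WebSafe code; the default severity, the snippet width and the sample page are constructed):

```javascript
// Added illustration of the Task 3 forbidden-word check; this is not WebSafe code.
// Scan page content for the Globally Forbidden Words, skip the ones on the ignore
// list, and let an alert transform rule (Find -> name, severity, status) rename
// and re-score a match. The default severity and the sample page are constructed.

const GLOBAL_FORBIDDEN_WORDS = ["system", "trojan", "tatangakatanga"];
const IGNORED_FORBIDDEN_WORDS = ["system"];   // "system" legitimately appears on the login page
const DEFAULT_SEVERITY = 50;                  // assumed value for an untransformed alert

// Transform rule as entered on BIG-IQ in the lab.
const TRANSFORM_RULES = [
  { name: "tatang.Trojan", find: "tatangakatanga", severity: 90, status: "Open" },
];

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// One "Symbols Found" alert per forbidden word present in the content (case-insensitive),
// with a short snippet around the first match for the Alert Details view.
function scanForbiddenWords(content, forbidden = GLOBAL_FORBIDDEN_WORDS, ignored = IGNORED_FORBIDDEN_WORDS) {
  const ignore = new Set(ignored.map((w) => w.toLowerCase()));
  const alerts = [];
  for (const word of forbidden) {
    if (ignore.has(word.toLowerCase())) continue;
    const m = new RegExp(escapeRegExp(word), "i").exec(content);
    if (!m) continue;
    alerts.push({
      type: "Symbols Found",
      word,
      severity: DEFAULT_SEVERITY,
      status: "Open",
      snippet: content.slice(Math.max(0, m.index - 20), m.index + word.length + 20),
    });
  }
  return alerts;
}

// An alert whose matched word contains a rule's Find string takes that rule's
// name, severity and status; other alerts pass through unchanged.
function applyTransformRules(alerts, rules = TRANSFORM_RULES) {
  return alerts.map((a) => {
    const rule = rules.find((r) => a.word.toLowerCase().includes(r.find.toLowerCase()));
    return rule ? { ...a, type: rule.name, severity: rule.severity, status: rule.status } : a;
  });
}

// opts.forbidden / opts.ignored / opts.rules override the lab defaults when given.
function evaluatePage(content, opts = {}) {
  return applyTransformRules(scanForbiddenWords(content, opts.forbidden, opts.ignored), opts.rules);
}

// Constructed sample: the login page after the lab's "Imitate Trojan" step.
const SAMPLE_PAGE = `<html><body>
<h2>Demo Bank</h2>
<p>Enter your system credentials to continue.</p>
<script>/* imitated trojan */ var tatangakatanga = function () { return 1; };</script>
</body></html>`;

console.log(evaluatePage(SAMPLE_PAGE));
// → a tatang.Trojan alert (severity 90) and a Symbols Found alert for "trojan"; "system" is ignored
```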


Lesson 3.3: Phishing Detection



Exercise 3.3 – Use Phishing Detection


• Estimated completion time: 30 minutes

Task 1 – Enable Phishing Detection


Add phishing detection to the /demobank/Login.php page.

 In the BIG-IP Configuration Utility, open the Anti-Fraud Profiles page and click banking_fraud_profile.
 Open the URL List page and click /login.php.
 From the left menu open the Phishing Detection page.

 Select the Phishing Detection checkbox, and then click Save.

Task 2 – Detect Phishing of a Web Site


Save a copy of the Demo Bank site to a web server, and then open it to generate a phishing alert.

 In the banking tab click the Bank bookmark. Notice that URL is https://bank.vlab.f5demo.com.
 Right-click inside the page and select Save as.
 Navigate to the desktop and select the Phishing directory.
 Name the file login.html, ensure that Webpage, Complete is selected and click Save, and then close the
banking tab.
 Open WinSCP.
 Change the File protocol to SCP, for Host name type 10.1.1.252, and log in as root / default.
This is a web server that’s been hijacked by a phishing hacker.
 In the left panel for the Windows workstation, navigate to the desktop and open the Phishing directory.
 In the right panel for the web server, navigate to var/www/dvwa.
 Select both login.html and login_files and copy them to the dvwa directory.
 Open a new incognito (Chrome) window and access https://bank.vlab.f5demos.com/login.html.

→NOTE: Ensure you are using f5demos instead of f5demo.

 Log in as bobsmith / P@ssw0rd1, and then close Chrome.

→NOTE: Your login will fail; you are simply sending your credentials in the request.

 In the BIG-IQ Configuration Utility reload the page, then open the Phishing Alerts > Phishing page, and
then expand the banking.vlab.f5demo.com alert.
A Copied Pages alert was generated, and in addition a Phishing Users alert was generated for user
bobsmith.
 Click Copied Pages and view the Domain and the Additional Info.
The fake domain name is bank.vlab.f5demos.com and the original page is
https://bank.vlab.f5demo.com/login.php.

Task 3 – Use JavaScript Removal Detection


Examine what happens when the hacker removes the script data from the copied page.

 In WinSCP, in the dvwa directory, right-click login.html and select Edit.


 Click on the find (binoculars) button and type <script and click Find Next several times to locate all scripts
in the page.
There are three script entries added by WebSafe.
 Select and delete everything from the first <script type="text/javascript" src=…> tag to its closing
</script> tag.

 Select and delete everything from the next <script type="text/javascript"> tag to its closing </script> tag
(right before the <style> tag near the end of the same line).

 Select and delete everything from the final <script type="text/javascript"> tag to its closing </script> tag
(right before the <img home= > tag).
 When you’re done, your code should resemble the following:

 Save and close the login.html file, and then close WinSCP.
 Open a new incognito (Chrome) window and access https://bank.vlab.f5demos.com/login.html and log
in as bobsmith / P@ssw0rd1, and then close Chrome.
Notice the page still displays as expected.
 In the BIG-IQ Configuration Utility reload the page, then open the Phishing Alerts > Advanced Phishing
page, and then expand the banking.vlab.f5demo.com alert.
Although the hacker removed the JavaScript, a CSS Check alert and an Image Check alert were issued.
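One generic way a copied page can still be reported after its JavaScript has been stripped, added here as an illustration; it is an assumption about mechanism, not a description of how WebSafe performs its CSS Check and Image Check. It assumes the saved page keeps absolute links to the real site's stylesheet and a small beacon image, so the victim's browser fetches them with a Referer naming the phishing host; the host names, asset paths and log lines are constructed:

```javascript
// Added illustration, not WebSafe's implementation: detect a copied login page from
// the web server's own access log. Assumption: the copy still references the real
// site's stylesheet and beacon image by absolute URL, so each victim's browser
// requests them with a Referer on the phishing domain. Log lines are constructed
// in combined log format; hosts and asset paths are examples.

const LEGITIMATE_HOSTS = new Set(["bank.vlab.f5demo.com"]);

// Asset path -> alert type, mirroring the CSS Check and Image Check alerts.
const WATCHED_ASSETS = {
  "/css/demobank.css": "CSS Check",
  "/images/beacon.png": "Image Check",
};

// client ident user [time] "method path proto" status bytes "referer" "agent"
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]+" (\d{3}) \S+ "([^"]*)" "[^"]*"$/;

function parseLogLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { client: m[1], time: m[2], method: m[3], path: m[4], status: m[5], referer: m[6] };
}

// Host part of a Referer value, or null for "-", empty or unparseable values.
function refererHost(referer) {
  if (!referer || referer === "-") return null;
  try { return new URL(referer).hostname.toLowerCase(); } catch (e) { return null; }
}

// One alert per (phishing host, alert type), counting how many victims' browsers hit it.
function detectCopiedPages(lines, legitimate = LEGITIMATE_HOSTS, watched = WATCHED_ASSETS) {
  const alerts = new Map();
  for (const line of lines) {
    const req = parseLogLine(line);
    if (!req || req.method !== "GET") continue;
    const type = watched[req.path.split("?")[0]];
    if (!type) continue;                       // not a watched asset
    const host = refererHost(req.referer);
    if (!host || legitimate.has(host)) continue; // direct fetch, or embedded in our own pages
    const key = host + "|" + type;
    if (!alerts.has(key)) {
      alerts.set(key, { type, domain: host, asset: req.path, phishingPage: req.referer, firstSeen: req.time, hits: 0 });
    }
    alerts.get(key).hits += 1;
  }
  return [...alerts.values()];
}

// Constructed sample: a legitimate visit, then two victims loading the copy on f5demos.com.
const SAMPLE_LOG = [
  '10.1.10.50 - - [13/Nov/2017:10:04:01 -0800] "GET /login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '10.1.10.50 - - [13/Nov/2017:10:04:01 -0800] "GET /css/demobank.css HTTP/1.1" 200 812 "https://bank.vlab.f5demo.com/login.php" "Mozilla/5.0"',
  '10.1.10.50 - - [13/Nov/2017:10:04:02 -0800] "GET /images/beacon.png HTTP/1.1" 200 43 "https://bank.vlab.f5demo.com/login.php" "Mozilla/5.0"',
  '10.1.10.77 - - [13/Nov/2017:10:09:15 -0800] "GET /css/demobank.css HTTP/1.1" 200 812 "https://bank.vlab.f5demos.com/login.html" "Mozilla/5.0"',
  '10.1.10.77 - - [13/Nov/2017:10:09:15 -0800] "GET /images/beacon.png HTTP/1.1" 200 43 "https://bank.vlab.f5demos.com/login.html" "Mozilla/5.0"',
  '10.1.10.91 - - [13/Nov/2017:10:09:40 -0800] "GET /images/beacon.png HTTP/1.1" 200 43 "https://bank.vlab.f5demos.com/login.html" "Mozilla/5.0"',
];

console.log(detectCopiedPages(SAMPLE_LOG));
// → CSS Check (1 hit) and Image Check (2 hits), both for domain bank.vlab.f5demos.com
```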


Lesson 3.4: Application Layer Encryption



Exercise 3.4 – Use Application Layer Encryption


• Estimated completion time: 30 minutes

Task 1 – Enable Application Layer Encryption


Add application layer encryption to the /Login.php page.

 Open a new Firefox window and press the F12 key, and then click the Bank bookmark, and then log in as
bobsmith / P@ssw0rd1.
 In the inspection window on the Network tab, click Login.php, and then view the Params tab.

Both the username and the password are in cleartext. They are both currently vulnerable to a hacker
or a malware script.
 In the BIG-IP Configuration Utility, open the Anti-Fraud Profiles page and click banking_fraud_profile.
 Open the URL List page and click /login.php.
 From the left menu open the Application Layer Encryption page.
 Select the Application Layer Encryption checkbox.
 Leave the Identify Stolen Credentials and Hide Password Revealer Icon checkboxes selected and clear
all other configuration checkboxes.
 Open the Parameters page, and for the username parameter select the Encrypt checkbox.
 Create a new parameter named password, and then click Add.
 Select the Encrypt checkbox, and then click Save.

 In the Firefox banking page click Logout, and enter the credentials bobsmith / P@ssw0rd1 but do not
click Login.
 In the inspection window open the Console tab, and in the console type the following and press Enter:
document.forms[0].password.value;
The password parameter value is still in cleartext prior to submitting the form.
 Click Login, then in the inspection window open the Network tab and click Login.php, and then view the
Params tab.
Both the username and password parameter values are now encrypted after submitting the form.
 In the BIG-IP Configuration Utility, for the password parameter select the Substitute Value checkbox,
and then click Save.
 In the banking tab click Logout and click the Bank bookmark, and then enter the credentials
bobsmith / P@ssw0rd1 but do not click Login.

 Open the Console tab and repeat the following (press the ↑ key on your keyboard):
document.forms[0].password.value;
The password value has now been masked prior to the user submitting the web form.
If the hacker thinks that this user’s password is A@aaa1aa1, they may attempt to log in as the victim.
 Change the password BY TYPING A@aaa1aa1 and click Login.
 In the BIG-IQ Configuration Utility reload the page, then open the Suspicious Logins > Stolen Credentials
page, and then expand the alert.
A Stolen Credentials alert was issued.

Task 2 – Use Real-Time Encryption


Configure the anti-fraud profile so that passwords are encrypted in real-time as they are typed.

 In the Firefox banking page right-click inside the Password field and select Inspect Element.
 While you examine the Elements tab, for the Password type P@ssw0rd1.
Encryption is not taking place in real-time, making it vulnerable to malware that grabs passwords as
they’re typed.
 In the BIG-IP Configuration Utility, open the Application Layer Encryption page and select
the Real-Time Encryption checkbox, and then click Save.
 In the Firefox banking tab click the Bank bookmark.
 While you examine the Elements tab, for the Password type P@ssw0rd1.

The encryption for the password field is taking place in real-time, as you type.

Task 3 – Use Keylogger Protection


Configure the anti-fraud profile to protect against browser-based keylogging by enabling fake strokes.

 Click the Bank bookmark, then click the Demo Tools bookmark, and from the Demo Tools
click Start Keylogger, and then click on the Password field.
 In the Password type P@ssw0rd1 and examine the top of the Demo Tools window.

A keylogging program can capture the characters of the user’s password as they’re typed.
 In the BIG-IP Configuration Utility, select the Keylogger Protection checkbox, and then click Save.
 In the Firefox banking tab click the Bank bookmark, then click the Demo Tools bookmark, then
click Start Keylogger, and then click on the Password field.
 In the Password field begin typing P@ssw0rd1.
 Examine the top of the Demo Tools window.
Although the keystrokes are being logged as you type, additional characters are being generated,
which will render the keylogging file useless.

Task 4 – Enable HTML Field Obfuscation and Decoy Inputs


Configure the anti-fraud profile to enable HTML field obfuscation and decoy input fields for the login page.

 Right-click inside the Username field and select Inspect Element, and then examine the name value for
this input parameter.

You can view the name for this parameter: username. You can also view the name of the password
parameter. This makes it easy for the fraudsters to craft targeted injections and create mass attacks.
 Right-click the <form method="POST"> line, and then select Edit as HTML.
 Notice that there are three input values within the form tags.

The code within the form is static HTML. There are three parameters, the username and password
fields and the submit button. This static HTML code makes it very easy for malware to manipulate the
page and extract values typed by the victim.
 In the BIG-IP Configuration Utility, select the HTML Field Obfuscation checkbox, and then select
the Add Decoy Inputs checkbox.
 Open the Parameters page, then for both the username and password parameters, select the Obfuscate
checkbox, and then click Save.
 In the Firefox banking tab click the Bank bookmark, and then right-click inside the Username field and
select Inspect Element.
 Examine the name value for this input parameter.

The name of the username parameter is now obfuscated. In addition, the obfuscated value changes
every few seconds.
 Right-click the <form method="POST"> line, and then select Edit as HTML.
WebSafe adds decoy input fields in the HTML source code.
 Click outside of the form edit panel and examine the contents of the <form method="POST"> element.
WebSafe adds and removes decoy input fields in the HTML source code dynamically, making it
virtually impossible for a fraudster to manipulate the form and/or steal data from it.
 Log in as bobsmith / P@ssw0rd1.
The successful login shows that the HTML obfuscation works transparently and does not affect the
user experience.


DDoS Hybrid Defender (DHD)


Lesson 4.1: DHD Overview and Volumetric Attack Mitigation


Exercise 4.1 – Examine Volumetric Attack Mitigation


• Estimated completion time: 40 minutes

Task 1 – Access the Ravello Lab Environment


Use a web browser to access your lab environment in Ravello, and then use RDP to access the Windows desktop
in your environment.

 Use a browser to access http://IP_address with the IP address supplied by your instructor, and log in
using the username and password supplied by your instructor.
 For the DHD blueprint click View.
 Copy the IP address of the Windows 7 External VM, and then use RDP to access the IP address.
 Log into the Windows workstation as external_user / P@ssw0rd1.
 If necessary, update the Windows time:
o Select the clock and click Change date and time settings…
o Select the Internet Time tab, and then click Change settings…
o Click Update now.

Task 2 – Start the Baseline Traffic Generation


Begin populating the baseline of typical, expected traffic in preparation for the behavioral-based DoS protection
exercise.

 Open putty and connect to GoodClient, and then log in as ubuntu with no password.

 To start the layer 7 baseline, at the CLI type the following:
sudo bash
cd ~/scripts
./generate_clean_traffic.sh

 Open a second putty session for GoodClient.


 To start the network baseline, at the CLI type the following:
sudo bash
cd ~/scripts
./baseline_l4.sh

 Minimize both putty windows, as you will leave these scripts running throughout the remainder of the
DHD exercises.


Task 3 – View Basic Network Attack Mitigation


Examine how DHD protects against volumetric attacks using defined vector thresholds and rate limits.

 Open Chrome and click the BIGIP_A bookmark, and then log into the BIG-IP system.
 Open the DoS Protection > Quick Configuration page.
 In the Protected Objects section click ServerNet.
This protected object is for the entire 10.1.20.0/24 network.
 At the bottom of the page expand IPv4, and then examine the threshold and rate limit settings.
Three of the vectors, ICMP Fragment, ICMPv4 Flood, and IP Fragment Flood, have customized
threshold and rate limit values.

 Expand TCP, and then examine the threshold and rate limit settings.
 Navigate to Security > DoS Protection, right-click DoS Overview, and then
select Open Link in New Tab.
There is no data on this page now.
 Open the Security > Event Logs > DoS > Network > Events page in a new tab.
There is no data on this page now.
 Open the Statistics > DoS Visibility page in a new tab.
 Open putty and connect to Attacker, and then log in as ubuntu with no password.
 To launch the multi-vector attack, at the CLI type the following:
sudo bash
cd ~/scripts
./multivector.sh

 Open a second putty session for Attacker and repeat the commands above.
 In the DoS Overview tab refresh the page and continue to refresh the page.
You will see attacks mitigated by the ServerNet protected object.

 Let the attack run for another 60 seconds, and then in the two Attacker putty sessions, type Ctrl + C until
you’re at the CLI, and then type the following:
killall -9 hping3

 Close one of the Attacker putty sessions.


 In the DoS Overview tab refresh the page and continue to refresh the page.
The attacks should change from Dropped to Detected, and then they should leave the page after DHD
identifies that the attack has ended.
 In the DoS > Network > Events tab reload the page.
 Click Custom Search, and then drag one of the TCP SYN flood attack types to the Custom Search field.

 Drag one of the Drop actions to the Custom Search field, and then click Search.
You can view very specific event logging.
 Close the DoS > Network > Events tab.
 View the DoS Visibility tab.

→NOTE: It can take up to five minutes for the report data to display.

 Use the slider to shorten the time frame to about 20 minutes.

 Mouse over the different attacks to view the attack IDs and the mitigation type.

 View the statistics in the Attacks section.


 Note how many ICMPv4 flood requests were blocked due to DHD volumetric attack mitigation.


Task 4 – View Bad Actor Detection


Examine how DHD identifies a bad actor and then begins blocking requests from the bad actor.

 In the DoS Protection > Quick Configuration tab, on the ServerNet protected object page, expand UDP,
and then click UDP Flood.
This vector identifies bad actors and adds their addresses to the denial_of_service blacklist.

 Refresh the DoS Protection > DoS Overview page.


There is no longer data on this page as the attack has ended.
 Open the Security > Event Logs > Network > IP Intelligence page in a new tab.
No IP addresses have yet been blacklisted.
 In the Attacker putty session, type the following, and when prompted, type 1:
./udp_flood.sh

 In the DoS Overview tab reload the page.


Note the number of blocked requests in the Bad Actor column.

→NOTE: The UDP flood attack is very short-lived. You may need to launch it again if the attack
ends and you haven’t finished viewing the various reports.

 In the Attacker putty session, type Ctrl+C to stop the attack and then type the following:
killall -9 hping3

 In the IP Intelligence tab refresh the page.


Several IP addresses have been added to the denial_of_service blacklist and all requests from these
IP addresses are being dropped.

 Close the IP Intelligence tab.


 In the DoS Visibility tab click Refresh.
 View the statistics in the Attacks section and note the values in the # IPs column.

Task 5 – Configure Auto-Thresholding for Specific Vectors


Configure the auto-threshold option for a virtual server protected object, and then view the threshold values
after launching an attack.

 Open putty and connect to BIGIP_A, and at the CLI type the following:
cd ~/scripts
./autothreshold-reset.sh

 On the DoS Overview page, from the Filter Type list select Virtual Server (DoS protected), and then
select Server5.
Note that all Threshold Mode values are Manual.
 Open the Security > Event Logs > DoS > Network > Auto Threshold page in a new tab.
 On the Quick Configuration tab, return to the Quick Configuration page and click Server5.
This is a virtual server protected object for 10.1.20.15.
 Expand IPv4, and then click ICMPv4 Flood.
 On the right side of the page select the Auto-Threshold Configuration option.
 Repeat the steps above for TCP PSH Flood, TCP RST Flood, TCP SYN ACK Flood, and TCP SYN Flood, and
then click Update.
 On the Network > Auto Threshold page refresh the page.
DHD begins updating the detection thresholds. With auto-thresholding, DHD adjusts the detection
thresholds based on observed traffic patterns. However, mitigation rate limits are always dynamic
based on detected system or protected object stress.
 In the Attacker putty session, type the following:
./autot_flood.sh

 On the Network > Auto Threshold tab reload the page.


Rate limits are being automatically set and adjusted to mitigate the flood attack.
 Reload the page a couple more times to see the threshold values continue to change.
 Close the Auto Threshold tab.
 In the DoS Overview tab refresh the page.
The ICMPv4 Flood attack is being mitigated and the rate limit thresholds for each of the auto-
threshold vectors have been adjusted based on stress, including vectors that are not detecting or
blocking an attack.
 Close the DoS Overview tab.
 In the Attacker putty session, type Ctrl+C to stop the attack and then type the following:
killall -9 hping3

 In the second Good Traffic putty session running the network baseline traffic (to 10.1.20.14) type Ctrl+C
and then close the putty session.
 In the DoS Visibility tab click Refresh.
 View the new attack details.


Task 6 – Prepare for Next Exercise


 In the BIG-IP putty session copy and paste the following: (NOTE: Use the copy and paste guide on the
Windows desktop.)
admd -s vs./Common/Auction.info -s vs./Common/Auction.sig.health
Use this output to confirm that DHD has accumulated enough learning data. The output consists of
comma-separated values (the .sig.health signature has 4) that show the learning progress:

The first value displays the health of the protected object (0.454825). A healthy system will show a
value around .45. If the value is consistently .5, no learning is occurring.
The next two values display whether DHD has detected an attack (the first) and/or mitigated an attack
(the second). 1 equals “yes” and 0 equals “no”.
The last four values are as follows:
▪ Value #1: baseline-learning_confidence in % (How confident the system is in the baseline
learning).
• This should be between 80 - 90%.
▪ Value #2: learned_bins_count (the number of learned bins).
• This should be > 0.
▪ Value #3: good_table_size (the number of learned requests).
• This should be > 4000.
▪ Value #4: good_table_confidence (how confident, as a percentage, the system is in the good
table; it must be 100% for behavioral signatures).
• This must be 100.
 Open a new putty session and connect to BIGIP_A, and at the CLI type the following:
cd ~/scripts
./l7bdos-reset.sh
This will reset the learning score values and remove any existing signatures. We are doing this now as
it will take at least 5 – 10 minutes for the learning score values to return to the levels needed to
complete the next exercise.
 Close the second BIG-IP putty session.
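The readiness criteria above (and the check repeated in Task 1 of Exercise 4.2) expressed as code that can be run against polled admd output. This is an added example, not part of the guide or of F5's tooling: the "signature:values" line layout and the sample polls are constructed assumptions; the thresholds are the ones the guide gives.

```python
"""Readiness check for DHD layer 7 behavioral DoS learning, driven by admd output.

Added example, not F5 code. The line format '<signature>:<comma-separated values>'
is an ASSUMPTION modelled on the guide's description (health, detected, mitigated
in the .info signature; the four learning values in the .sig.health signature).
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

MIN_LEARNING_CONFIDENCE = 80.0        # percent; the guide wants 80-90%
MIN_GOOD_TABLE_SIZE = 4000            # learned requests
REQUIRED_GOOD_TABLE_CONFIDENCE = 100.0
IDLE_HEALTH = 0.5                     # a constant .5 means no learning is occurring


@dataclass
class AdmdSnapshot:
    health: float
    attack_detected: bool
    attack_mitigated: bool
    learning_confidence: float
    learned_bins: int
    good_table_size: int
    good_table_confidence: float


def parse_admd(output: str, vs_name: str = "vs./Common/Auction") -> AdmdSnapshot:
    """Parse one poll of `admd -s <vs>.info -s <vs>.sig.health` (assumed format)."""
    fields: Dict[str, List[str]] = {}
    for line in output.splitlines():
        sig, sep, rest = line.strip().partition(":")
        if sep:
            fields[sig] = [v.strip() for v in rest.split(",")]
    info = fields[f"{vs_name}.info"]
    sig_health = fields[f"{vs_name}.sig.health"]
    if len(info) < 3 or len(sig_health) < 4:
        raise ValueError("unexpected admd field count")
    return AdmdSnapshot(
        health=float(info[0]),
        attack_detected=info[1] == "1",
        attack_mitigated=info[2] == "1",
        learning_confidence=float(sig_health[0]),
        learned_bins=int(sig_health[1]),
        good_table_size=int(sig_health[2]),
        good_table_confidence=float(sig_health[3]),
    )


def readiness(samples: List[AdmdSnapshot]) -> Tuple[bool, List[str]]:
    """Apply the guide's criteria to a series of polls; returns (ready, reasons)."""
    reasons: List[str] = []
    latest = samples[-1]
    if all(abs(s.health - IDLE_HEALTH) < 1e-6 for s in samples):
        reasons.append("health stuck at .5: no learning is occurring")
    if latest.learning_confidence <= MIN_LEARNING_CONFIDENCE:
        reasons.append(f"learning confidence {latest.learning_confidence:.1f}% not above 80%")
    if latest.learned_bins <= 0:
        reasons.append("no learned bins")
    if latest.good_table_size <= MIN_GOOD_TABLE_SIZE:
        reasons.append(f"good table size {latest.good_table_size} not above {MIN_GOOD_TABLE_SIZE}")
    if latest.good_table_confidence != REQUIRED_GOOD_TABLE_CONFIDENCE:
        reasons.append(f"good table confidence {latest.good_table_confidence:.0f}% is not 100%")
    return (not reasons, reasons)


def check(polls: List[str]) -> Tuple[bool, List[str]]:
    """Raw admd polls in, (ready, reasons) out."""
    return readiness([parse_admd(p) for p in polls])


# Constructed sample polls (not captured from a real system).
READY_POLLS = [
    "vs./Common/Auction.info:0.454825,0,0\nvs./Common/Auction.sig.health:86.5,3,4512,100",
    "vs./Common/Auction.info:0.461200,0,0\nvs./Common/Auction.sig.health:87.1,3,4640,100",
]
STUCK_POLLS = [
    "vs./Common/Auction.info:0.500000,0,0\nvs./Common/Auction.sig.health:12.0,0,150,40",
    "vs./Common/Auction.info:0.500000,0,0\nvs./Common/Auction.sig.health:12.0,0,150,40",
]

if __name__ == "__main__":
    for label, polls in (("ready", READY_POLLS), ("stuck", STUCK_POLLS)):
        ok, why = check(polls)
        print(f"{label}: {'ready' if ok else 'not ready: ' + '; '.join(why)}")
```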


Lesson 4.2: Behavioral DoS Detection and DHD Reporting



Exercise 4.2 – Using Layer 7 Behavioral DoS Protection


• Estimated completion time: 30 minutes

Task 1 – Verify the Baseline Traffic Generation


Verify that the baseline of typical, expected traffic is ready for the behavioral-based DoS protection exercise.

 In the BIG-IP putty session, view the admd output.

 Before moving on, ensure that the admd output displays a learning confidence value greater than 80%
and a good table size value greater than 3000.
 Open the Security > DoS Protection > Behavioral Signatures page in a new tab.
There are no dynamically generated signatures now.
 Open the Security > Event Logs > DoS > Application Events page.

Task 2 – Generate a Dynamic Signature


Once you have established a baseline, launch an attack and view how DHD creates a dynamic signature and then
begins dropping requests that match the signature.

 In the Attacker putty session, type the following, and when prompted, type 1:
./http_flood.sh

 On the external Windows desktop examine the admd output.


The server health value goes over 1 and rapidly climbs. You will also see that the attack is detected
and mitigation begins.

Continuing to watch, you will see the server health start to return toward baseline and after a short
period, a behavioral signature is generated.

 Open a second putty session for Attacker A and repeat the attack commands above.
 Examine the admd output.
The health value remains around .45 as the attack is being mitigated by the dynamic signature.

 In the Behavioral Signatures tab reload the page.

 Select the Signature Alias.

Note you can use Wireshark filters for more visibility.


 On the Application Events page reload the page.

 Click the Attack ID link.


This opens the DoS Visibility page.
 Mouse over the new attack to view the attack IDs and the mitigation type.
The new attack was mitigated by the DHD L7 behavioral DoS protection.


SSL Orchestrator (SSL-O)


Lesson 5: SSL Orchestrator Instructor Presentation



Exercise 5 – Configure a Transparent Outbound Proxy


• Estimated completion time: 30 minutes

Task 1 – Access the Ravello Lab Environment


Use a web browser to access your lab environment in Ravello, and then use RDP to access the Windows desktop
in your environment.

 Use a browser to access http://IP_address with the IP address supplied by your instructor, and log in
using the username and password supplied by your instructor.
 For the SSLO blueprint click View.
 Copy the IP address of the Windows 7 External VM, and then use RDP to access the IP address.
 Log into the Windows workstation as student / P@ssw0rd!.
 In Chrome, access and log into the BIG-IP system at https://10.10.0.100.
 Manually adjust the Windows time to match the time on the BIG-IP system.

Task 2 – View Logging on the Inline Services Images


View the log files on both the FireEye and the Palo Alto systems.

 In Ravello open the Console for Layer 2 Security (FireEye) and log in as student / agility.
 At the CLI type or copy and paste the following: (NOTE: Use the copy and paste guide on the Windows
desktop.)
tail -f /var/log/suricata/http.log

 Press the Enter key several times to move the existing log files up.
 Repeat the steps above for the Layer 3 Security (Palo Alto) and the Passive (SourceFire) images.

Task 3 – Configure a Transparent SSL Outbound Proxy


Use the BIG-IP SSL Orchestrator configuration to create an SSL transparent outbound proxy.

 On the Windows desktop, use Internet Explorer and attempt to access www.vmware.com.
 Use a new tab to access www.google.com.
The internal user currently has no outbound access to the Internet.
 In the Configuration Utility, open the SSL Orchestrator > Configuration page.
The general properties contain all the inbound and outbound networking and certificate signing
options.

 Configure the general properties using the following information. For other options use the default
settings.
Application Service Name outbound_proxy
SSL Forward Proxy CA certificate subca.f5demo.com.crt
SSL Forward Proxy CA private key subca.f5demo.com.key
Should connections to servers with expired certificates be allowed? No, forbid connections to servers with expired certificates
Should connections to servers with untrusted certificates be allowed? No, forbid connections to servers with untrusted certificates
Which VLANs /Common/client-vlan
SNAT client IP addresses Yes, SNAT (replace) client addresses
Specific gateway Yes, send outbound traffic / internet traffic via specific gateways
IPv4 outbound gateway address Ratio: 1, IPv4 gateway: 10.40.0.1
What kind of statistics Usage counters and remote-domain+cipher records

 Click Save, and then click Deploy.


 Once the application has deployed, refresh both the www.vmware.com and www.google.com tabs.
The internal user now has outbound internet access to both http and https sites.
 In the www.google.com window, view the lock icon and then click View certificates.

The BIG-IP SSL Orchestrator acted as the trusted CA for this request.
 Click OK, then click the Malware Test bookmark and attempt to download the http version of eicar.com.
 When prompted, click Cancel.
 Attempt to download the https version of eicar.com.
 When prompted, click Cancel.
Traffic isn’t being routed through the ICAP service.
 View the log files on the three external services tabs.
No traffic is currently being routed through the receive only or the inline services.


Task 4 – Add Receive Only, ICAP, and Inline Services


Update the SSL-O service by adding additional security service checks to all outbound traffic.

 In the Configuration Utility, click Undeploy, and then open the Receive Only Services page.
A receive-only service is a device that traffic does not pass through; only a copy of the traffic is
sent to it.
 Click Add, then configure the receive only service using the following, and then click Finished.
(NOTE: Use the copy and paste guide on the Windows desktop.)
Name ids
MAC Address 2c:c2:60:6e:cf:a2
IP Address 10.90.0.5
VLAN /Common/tap-vlan
Interface 1.6

 Open the ICAP Services page.


An ICAP device performs data loss prevention (DLP) functions and possibly malware detection using
the ICAP protocol.
 Click Add, then configure the ICAP service using the information, and then click Finished.
Name icap
ICAP Devices > IP: Port 10.30.0.5, 1344 (Click Add)
Request (and Response) Icap://${SERVER_IP}:${SERVER_PORT}/squidclamav
Preview Max Length (bytes) 1048576

 Open the Inline Services page.


An inline device is one in which traffic flows through it, generally with separate inbound and
outbound interfaces.
 Click Add, then configure a layer 2 inline service using the information, and then click Finished.
Name fireeye
Service Type Layer 2
Interfaces 1, 1.2, blank, 1.3.blank (Click Add)
Translate Port for HTTP Traffic Yes to Port 8080

 Click Add, then configure a layer 3 inline service using the information, and then click Finished.
Name paloalto
Service Type Layer 3
From BIG-IP > Interface 1.4
To BIG-IP > Interface 1.5
Available Devices 198.19.1.64 (Click Add)
Translate Port for HTTP Traffic Yes to Port 8443

 Click Save, and then click Deploy.


 Once the application has deployed, reload the Malware Test page and attempt to download both the
http and the https version of eicar.com.
The attempted malware download was caught by the ICAP service.
 View the log files on the three external services tabs. NOTE: You may need to click into each log file and
press the Enter key.
Traffic was directed to all external systems in cleartext.
 In the three log files press the Enter key several times to move the log files up.

Task 5 – Create Service Chains


Create specific service chains that will be used for specific traffic flows.

 In the Configuration Utility, click Undeploy, then open the Policies page, and in the Service Chains
section click Add.
 Configure the service chain using the information, and then click Finished.
Name paloalto
Type / Name Inline Service / paloalto (Click Add)

 Configure another service chain using the information, and then click Finished.
Name fireeye
Type / Name Inline Service / fireeye (Click Add)

 Configure another service chain using the information, and then click Finished.
Name receive-only and icap
Type / Name Receive Only / ids (Click Add)
ICAP / icap (Click Add)


Task 6 – Create Service Chain Classifiers


Create specific service chain classifiers for different traffic flows and then test the results.

 In the TCP Service Chain Classifiers section click Add.


 Configure the service chain classifier using the information, and then click Finished.
Name internal_users to paloalto
Phase Normal
Protocol All
Source IP Address: 10.20.0.0/24 (Click Add)
Destination Address: IP Address: 0.0.0.0/0 (Click Add)
Service Chain paloalto

 Click Save, and then click Deploy.


 Use Internet Explorer to access https://www.wikipedia.org.
 View the log files on the three external services tabs.
Traffic for www.wikipedia.org was only routed through the Palo Alto service.
 Press the Enter key several times to move the log files up.
 In the Configuration Utility, click Undeploy.
 To avoid competing classifiers, select the internal_users to paloalto checkbox and click Delete.
 Configure a new service chain classifier using the information, and then click Finished.
Name education_sites
Phase Normal
Protocol All
Source IP Address: 0.0.0.0/0 (Click Add)
Destination URLF: Category: Education (Click Add)
Service Chain fireeye

 Configure another service chain classifier using the information, and then click Finished.
Name financial_sites
Phase Pre Handshake
Protocol All
Source IP Address: 0.0.0.0/0 (Click Add)
Destination URLF: Category: Business and Economy (Click Add)
Service Chain Bypass

 Configure another service chain classifier using the information, and then click Finished.
Name facebook
Phase Normal
Protocol All
Source IP Address: 0.0.0.0/0 (Click Add)
Destination URLF: Category: Social Web - Facebook (Click Add)
Service Chain paloalto

 Configure another service chain classifier using the information, and then click Finished.
Name youtube
Phase Pre Handshake
Protocol All
Source IP Address: 0.0.0.0/0 (Click Add)
Destination URLF: Category: Social Web - YouTube (Click Add)
Service Chain Reject

 Click Save, and then click Deploy.


 Reload the https://www.wikipedia.org page, and then view the three log files.
Traffic for www.wikipedia.org was only routed through the FireEye service.
 Press the Enter key several times to move the log files up.
 Edit the URL to https://www.bankofamerica.com.
 View the lock icon and then click View certificates.
The trusted CA is now Symantec, as this request was bypassed by the SSL Orchestrator.
 View the three log files.
Traffic was routed through all three security devices; however, it was not decrypted.
 Press the Enter key several times to move the log files up.
 Edit the URL to https://www.google.com, and then view the certificate details.
As this request wasn’t for a financial web site, it was still intercepted by the SSL Orchestrator.
 View the three log files.
This request didn’t match any of the traffic chain classifiers, therefore it was directed through all
configured security devices.
 Press the Enter key several times to move the log files up.
 Edit the URL to https://www.facebook.com, and then view the three log files.
Although each log file has data (caused by links on the web page), the bulk of the traffic for this page
was routed through the Palo Alto system.
 Edit the URL to https://www.youtube.com.
The request is rejected.
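A simplified model of the classifier evaluation tested above, added here as an example and not SSL Orchestrator's own code. It replays the Task 6 classifier table against the test sites and reproduces the outcomes the guide observes; the evaluation order (Pre Handshake rules before Normal rules, first match wins), the constructed host-to-category mapping standing in for the URL filtering lookup, and the client and server addresses are assumptions.

```python
"""Model of the SSL Orchestrator service chain classifiers built in Task 6.

Added example, not SSL-O code. Evaluation order and the host-to-category
mapping are ASSUMPTIONS; the URLF categories, service names, service chains
and the default for unmatched traffic are taken from the guide.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Security devices configured in Task 4 (receive-only ids, ICAP, two inline services).
ALL_DEVICES = ["ids", "icap", "fireeye", "paloalto"]

# Service chains created in Task 5.
SERVICE_CHAINS = {
    "paloalto": ["paloalto"],
    "fireeye": ["fireeye"],
    "receive-only and icap": ["ids", "icap"],
}

# Constructed host-to-URLF-category mapping standing in for the URL filtering lookup.
URL_CATEGORIES = {
    "www.wikipedia.org": "Education",
    "www.bankofamerica.com": "Business and Economy",
    "www.facebook.com": "Social Web - Facebook",
    "www.youtube.com": "Social Web - YouTube",
}


@dataclass
class Classifier:
    name: str
    phase: str                           # "Pre Handshake" or "Normal"
    source: str = "0.0.0.0/0"            # source IP address match (CIDR)
    dest_cidr: Optional[str] = None      # destination IP address match, if any
    dest_category: Optional[str] = None  # destination URLF category, if any
    action: str = ""                     # service chain name, "Bypass" or "Reject"


@dataclass
class Decision:
    rule: Optional[str]     # matching classifier, None for the default
    intercept: bool         # True when SSL-O decrypts (acts as the trusted CA)
    services: List[str]     # devices that see the flow
    rejected: bool = False


def matches(rule: Classifier, src_ip: str, dst_ip: str, category: str) -> bool:
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule.source):
        return False
    if rule.dest_cidr and ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(rule.dest_cidr):
        return False
    return rule.dest_category is None or rule.dest_category == category


def classify(rules: List[Classifier], src_ip: str, dst_ip: str, host: str) -> Decision:
    category = URL_CATEGORIES.get(host, "Uncategorized")
    ordered = ([r for r in rules if r.phase == "Pre Handshake"]
               + [r for r in rules if r.phase == "Normal"])
    for rule in ordered:
        if not matches(rule, src_ip, dst_ip, category):
            continue
        if rule.action == "Reject":
            return Decision(rule.name, False, [], rejected=True)
        if rule.action == "Bypass":
            # Guide: bypassed traffic still reaches all devices but stays encrypted.
            return Decision(rule.name, False, list(ALL_DEVICES))
        return Decision(rule.name, True, list(SERVICE_CHAINS[rule.action]))
    # Guide: traffic matching no classifier is intercepted and sent to every device.
    return Decision(None, True, list(ALL_DEVICES))


# The first classifier from Task 6, later deleted to avoid competing classifiers.
FIRST_RULE = [Classifier("internal_users to paloalto", "Normal", source="10.20.0.0/24",
                         dest_cidr="0.0.0.0/0", action="paloalto")]

# The four classifiers that replace it.
TASK6_RULES = [
    Classifier("education_sites", "Normal", dest_category="Education", action="fireeye"),
    Classifier("financial_sites", "Pre Handshake", dest_category="Business and Economy", action="Bypass"),
    Classifier("facebook", "Normal", dest_category="Social Web - Facebook", action="paloalto"),
    Classifier("youtube", "Pre Handshake", dest_category="Social Web - YouTube", action="Reject"),
]

if __name__ == "__main__":
    # Constructed client in the guide's 10.20.0.0/24 range and a TEST-NET server address.
    for host in list(URL_CATEGORIES) + ["www.google.com"]:
        d = classify(TASK6_RULES, "10.20.0.50", "203.0.113.10", host)
        print(f"{host:24} rule={d.rule!s:16} intercept={d.intercept} services={d.services}")
```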


Task 7 – View SSL Orchestrator Analytics


View the analytics reports that come with SSL Orchestrator.

 In the Configuration Utility, open the SSL Orchestrator > Analytics page.

→NOTE: It can take up to five minutes for the report data to display.

 Change the time list to Last day.


 On the right side of the screen, expand the widget column to the right.

 Expand the Servers widget.


 Scroll through the list and select www.wikipedia.org.
This modifies the charts on the left side of the page.
 Expand the Actions widget.
Requests for this server were intercepted.
 Right-click on www.wikipedia.org and select Add Comparison Chart.
This adds a new chart to the left side of the page.
