Class 3: [Day-1] CE - Secure and Protect Web Apps with WAAP =========================================================== Objective: ~~~~~~~~~~ **Secure and Protect Application and API with WAAP** .. NOTE:: Continiously protect and secure application and API with F5XC Web Application and API Protection 1. Arcadia Financial 2. Hipster Retail 3. Bank of XC For the purpose of the lab, below are the high level tasks 1. Create a common App firewall policy in Shared namespace and consumed by all apps 2. Create HTTP LB and apply common App Firewall policy 3. Advertise HTTP LB (with HTTPS - domain ce.local) on CE 4. Test and validate protected application. **Use the following wildcard certificate for all apps** ce.local certificate :: -----BEGIN CERTIFICATE----- MIIEjzCCAvegAwIBAgIUZCQYY1TGLNEKbtZU3N/MsY++n1EwDQYJKoZIhvcNAQEN BQAwdjELMAkGA1UEBhMCQVUxETAPBgNVBAgMCFZpY3RvcmlhMRIwEAYDVQQHDAlN ZWxib3VybmUxEjAQBgNVBAoMCUZPT0JaIExBQjELMAkGA1UECwwCSVQxHzAdBgNV BAMMFkZPT0JaIEludGVybWVkaWF0ZSBDQTEwHhcNMjMwMjI4MjMwNTAyWhcNMjQw MjI4MjMwNTAyWjBjMQswCQYDVQQGEwJBVTERMA8GA1UECAwIVmljdG9yaWExEjAQ BgNVBAcMCU1lbGJvdXJuZTELMAkGA1UECgwCRjUxCzAJBgNVBAsMAlNFMRMwEQYD VQQDDAoqLmNlLmxvY2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA 4VQJE9ECBS9wfcN9Xf9sMjW9gXl0g8YqI5nWKJiokPPv0Gk/2GJmGX1G+Ryc/H5+ TNcnY86gU1zmd9DnpHrBee8z9bFj9XNrvTXi+vqnfTTXOQlyBTyQMccB/PygHM1m trQwOvJhZmp1iQsViFfMLuwH+kDKz+5PLVYFHf+QRMTOa1KEiCaVVm5anaHWe9Xx HnnBn8QgqZr0s2ADZIeirUHN4ALEKs38NOmzorkzWRjFo6VwMGxI6oLhV4zqmJgD 4DzDgQ0HZ7UERK0Ry4P6iqHbrcFmcNahRqn+ME8YBRDjajNmcVo24Kubh6mLZ4dK ZF2Vu3zUxLCyY0URAMoB8wIDAQABo4GnMIGkMB8GA1UdIwQYMBaAFMhcSKot1kWA /Dhm1yrMSduZul88MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgTwMBMGA1UdJQQMMAoG CCsGAQUFBwMBMFQGA1UdEQRNMEuCDHdlYi5jZS5sb2NhbIIIY2UubG9jYWyCEGFy Y2FkaWEuY2UubG9jYWyCEGhpcHN0ZXIuY2UubG9jYWyCDWJveGMuY2UubG9jYWww DQYJKoZIhvcNAQENBQADggGBAF39ruyqVgog32u+VOTN9Y4snuOTk0BbbZC68fC3 5T3zStuoisdcXg5UGYtZW0xYvU9s8gNy0YLt93j829yNAIOAhAtTxbTftw58shy9 uDa/u7+dMsM9l2mnDVVF4e8a19LgAj8ji/H8NxaT6nnZN25H6QVwVpzEeripgKrP mirKLD85lctXU/3wbWt7adTMQbX7DseIZPmGsXGvwtmjhSFF96xkcA7ddj0B6QW0 w+MG+GNnYk0GBACONForUTVF/I1Ccf8IaaZLtuLJNysPweGclStcbiancYJ4T7fo QoaUq7UHav1p1725jz2vEKtWU3W1x9MfZfd4Jso6oHIQEDIbXM+E13fP1OdEF/k8 rOrV/sPrM0xcYsRoRkRc13vtVbtK8dk6B+vSSZIWFZXK9zi7G1WKSR9c+6XEF2Sa oInovuXSYaAf10HvJYRqYSfBriitRK7hDNY0SAAzb8LIXhTF/wXXYRLJVRctqJbk m7fk7fEsJY3X/EQx3rCuS1TILQ== -----END CERTIFICATE----- ce.local private key :: -----BEGIN PRIVATE KEY----- MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDhVAkT0QIFL3B9 w31d/2wyNb2BeXSDxiojmdYomKiQ8+/QaT/YYmYZfUb5HJz8fn5M1ydjzqBTXOZ3 0OekesF57zP1sWP1c2u9NeL6+qd9NNc5CXIFPJAxxwH8/KAczWa2tDA68mFmanWJ CxWIV8wu7Af6QMrP7k8tVgUd/5BExM5rUoSIJpVWblqdodZ71fEeecGfxCCpmvSz YANkh6KtQc3gAsQqzfw06bOiuTNZGMWjpXAwbEjqguFXjOqYmAPgPMOBDQdntQRE rRHLg/qKodutwWZw1qFGqf4wTxgFEONqM2ZxWjbgq5uHqYtnh0pkXZW7fNTEsLJj RREAygHzAgMBAAECggEAUrgh+PdisXqf5lts26QYGTqnTi/DOVj3QUiJWS/pugUD RdRNjudYqgTWmD8L1pmtThIyMK67Jr9VEClN0JEME/JfddPgaUwtAjIVGKQJ9qn+ VL8F76wzF0MClNg9AzXYfjwZ9Jnkbc+pRF0gU4Q/vf4CU7mTes/2myMYD9IxKT0S XNsGKlszsmE0afd0xJDpBhf5MQ+OrunqBXxyRF5KhCrwL15syKvCb+L1qNBGcSat cGKxw8megemFle6WCt0l+tU6wASlfgtifZyqC6N0zg9U7hFZjuiJoTee2mhBL77N XxdKyUSsooMLPREwyz48ZVnP+i9EdCDzTBwTkHd4sQKBgQDyZ7/2EBKwtntad7qi NxjzdOqoeyjzBGn+YNAIKp+S5q3IZwGUIjHfUqTfmudjq4jMeSLwMPa+KQIdXb/2 sRCFTmaYumG/FqZDqe+Y4VidrHVHweh+u7UgRJ2HzwtJOdZB5R0Wq10/pyO3dQVJ lp7dXaFMAh2F1+JW5zOPyMn/KQKBgQDt9xu71gz/WPpjJUFlXROWcwl7eLjYxYV6 /qgzp6AfU8XeT/UsQVbXix5udWriBIaoFa9TrM9rVCvkO6RppcIdWPizMgRWjpJb 70RFGlVoyla5mFZsreI4F1krSiGaVg5NJEtFTsyFQJQIzXwBakI0JYQqnH3JXHPg Z720Hf6HuwKBgQDwiKDDwuk47qpyd9H7Ox8IHaDn8+YLVvryTxC+ucTEWSBidkvr uQ6x4mj19NjcXw8MjrtribqdsUWG7EsauFKDZOuLa46otgnfpJW6pwlu0/1AahqQ /yPY1B1Y8MrrK3f+xSFbKEoMaoaXeYf4oHwdftYZ/RNch37x6tOQPpaqGQKBgQDV NnNC+abro221J8xQZfUG+EumtaPplhDjAwjyP17Ysta3Oi0SWfjVZ3D8x3fcyvFb 6RIOhufR4rjw5f+KKVqjsPQkmswIQfYhKWCiCdY87g6GfFfzSFlIqKLchq9U+YYW 2E4Y62GUgyggOvzAx9RJpNOm2lBZ+txYVJtEpxtHwQKBgHK9wOB0vBOLtXBvpCDW YHCBpZWYHrJHU4GptCCd7/PoEzflGmNndCKdZl9hnX+xkuAbVHEOYRURCx9a7Hto Cj0jNX6aaPuzvqD4PmckvZ59YSjJqgNt7ydup2GaiBOVnOXE+shJ1j0xc+/wFjQJ EowYbc/E/qDLN2dChYqtC998 -----END PRIVATE KEY----- App Firewall Policy ~~~~~~~~~~~~~~~~~~~ Follow the following instruction to create a shared app firewall rules. This app firewall reside on Shared namespace and will be visible to other namespaces. This allow SecOps to define App Firewall and DevOps consume from their individual namespace. .. image:: ./_static/class3-01.png .. image:: ./_static/class3-02.png .. image:: ./_static/class3-03.png .. image:: ./_static/class3-04.png App#1 - Arcadia Financial Apps [Internal] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Create App Protection ~~~~~~~~~~~~~~~~~~~~~ +-----------------------------------+-----------------------------------------------+ | Arcadia Financial | Value | +===================================+===============================================+ | Protected FQDN | https://arcadia.ce.local | +-----------------------------------+-----------------------------------------------+ | Type of Origin Server | IP address of Origin Server on given Sites | +-----------------------------------+-----------------------------------------------+ | Origin Server | 10.1.20.21 | +-----------------------------------+-----------------------------------------------+ | Origin Server Port | 80 | +-----------------------------------+-----------------------------------------------+ | Origin Server Network on the Site | Inside | +-----------------------------------+-----------------------------------------------+ | VIP Advertisement | Custom | +-----------------------------------+-----------------------------------------------+ | Where to advertise | Outside on CE site | +-----------------------------------+-----------------------------------------------+ .. image:: ./_static/class3-05.png Add new HTTP LB .. image:: ./_static/class3-06.png .. image:: ./_static/class3-07.png Create custom TLS certificate .. image:: ./_static/class3-08.png .. image:: ./_static/class3-09.png .. image:: ./_static/class3-10.png Add Origin Pool. Where the HTTP LB should send traffic to. .. image:: ./_static/class3-11.png .. image:: ./_static/class3-12.png The Web server or Origin server resides inside network (10.1.10.21) of the CE. .. image:: ./_static/class3-13.png .. image:: ./_static/class3-14.png Create Health Check. It is a good practice to always create appropriate health check. This to ensure HTTP LB constant know the health of the application. .. image:: ./_static/class3-15.png .. image:: ./_static/class3-16.png .. image:: ./_static/class3-17.png .. image:: ./_static/class3-18.png Attach WAF policy to HTTP LB .. image:: ./_static/class3-19.png Enable API Discovery, API Traffic Learning, DDoS Protection and DDoS Auto-Mitigation .. image:: ./_static/class3-20.png Configure where this HTTP LB listen on - "listerner". For CE deployment, select **Custom** .. image:: ./_static/class3-21.png Specify HTTP Listerner listen on Outside Network in reference to the CE site. .. image:: ./_static/class3-22.png .. image:: ./_static/class3-23.png .. image:: ./_static/class3-24.png HTTP LB for arcadia-lb created with valid certificate. .. image:: ./_static/class3-25.png Validate App Protection ~~~~~~~~~~~~~~~~~~~~~~~ Attack from Client browser .. image:: ./_static/class3-26.png +----------------+---------------+ | **Username** | olivia | +----------------+---------------+ | **Password** | ilovef5 | +----------------+---------------+ .. image:: ./_static/class3-27.png .. image:: ./_static/class3-28.png Try to access Web Server /etc/passwd file .. image:: ./_static/class3-29.png Triger blocking by CE WAAP. Match an attack signature. Attack mitigated. .. image:: ./_static/class3-30.png Validate detection and mitigation from F5XC Console .. image:: ./_static/class3-31.png .. image:: ./_static/class3-32.png .. image:: ./_static/class3-33.png App#2 - Hipster Retails Apps [Public Internet] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Create App Protection ~~~~~~~~~~~~~~~~~~~~~ +-----------------------------------+--------------------------------------+ | Hipster Retail | Value | +===================================+======================================+ | Protected FQDN | https://hipster.ce.local | +-----------------------------------+--------------------------------------+ | Type of Origin Server | Public DNS Name of Origin Server | +-----------------------------------+--------------------------------------+ | Origin Pool | https://hipster.edgecnf.com | +-----------------------------------+--------------------------------------+ | Origin Server Port | 443 | +-----------------------------------+--------------------------------------+ | Origin Pool TLS | Enable | +-----------------------------------+--------------------------------------+ | VIP Advertisement | Custom | +-----------------------------------+--------------------------------------+ | Where to advertise | Outside on CE site | +-----------------------------------+--------------------------------------+ Create HTTP LB and add custom certificte. .. image:: ./_static/class3-34.png .. image:: ./_static/class3-35.png Add Origin Pool. Origin pool reside on Internet. .. image:: ./_static/class3-36.png .. image:: ./_static/class3-37.png Due to orgin pool runing on HTTPS, enable TLS so that when CE connect to origin server, it invoke a secure connection. .. image:: ./_static/class3-38.png .. image:: ./_static/class3-39.png Enable and select Shared app firewall. .. image:: ./_static/class3-40.png Advertise the listener on CE outside interface. Hence, select **Custom** .. image:: ./_static/class3-41.png .. image:: ./_static/class3-42.png HTTP LB for hipster-lb created .. image:: ./_static/class3-43.png Validate App Protection ~~~~~~~~~~~~~~~~~~~~~~~ .. image:: ./_static/class3-44.png Select and item and Add item to cart. Inject SQL Injection attack vector ( **' OR 1=1#** ) to street address field. .. image:: ./_static/class3-45.png Attack blocked and mitigated by CE WAAP. .. image:: ./_static/class3-46.png Validate detection and mitigation from F5XC Console .. image:: ./_static/class3-47.png .. image:: ./_static/class3-48.png App#3 - Bank of XC [ Public Internet] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .. warning:: No instruction given for this task. You should be familiar to secure any Apps and API. Leverage your understand to execute this task. Leverage the following provided information. +-----------------------------------+--------------------------------------+ | Bank of XC | Value | +===================================+======================================+ | Protected FQDN | https://boxc.ce.local | +-----------------------------------+--------------------------------------+ | Type of Origin Server | Public DNS Name of Origin Server | +-----------------------------------+--------------------------------------+ | Origin Pool | https://pay.edgecnf.com | +-----------------------------------+--------------------------------------+ | Origin Server Port | 443 | +-----------------------------------+--------------------------------------+ | Origin Pool TLS | Enable | +-----------------------------------+--------------------------------------+ | VIP Advertisement | Custom | +-----------------------------------+--------------------------------------+ | Where to advertise | Outside on CE site | +-----------------------------------+--------------------------------------+ Suggested sample attack vector - /?page=test|/bin/cat%20/etc/passwd - ' OR 1=1# --> SQL injection - --> Cross Site Scripting .. toctree:: :maxdepth: 1 :glob: