EXERCISE 8.3 – CONFIGURING SECURE WEB GATEWAY
Required virtual images: BIGIP_SWG_v11.5.1, LAMP_3.4.
Estimated completion time: 45 minutes
TASK 1 – Configure BIG-IP APM Logging
Create a log settings configuration for Secure Web Gateway, and then add the log settings configuration to the explicit_policy access profile.
In the VMware library, power on the BIGIP_SWG_v11.5.1 and LAMP_3.4 images.
Access and log in to BIGIP_A_v11.5.1.
Verify that you have restored using bc_8.2_swg_explicit_proxy_v11.5.1 (there should be two virtual servers).
Open the System > Logs > Configurations > Log Publishers page, and then click Create.
Create a log publisher using the following information, and then click Finished.
Name: proxy_log_publisher
Destinations: local-db
Open the Access Policy > Event Logs > Log Settings page, and then click Create.
Create a log setting using the following information, and then click OK.
Name: proxy_log_settings
General Information: Log for Secure Web Gateway: Selected
Open the Access Policy > Access Profiles > Access Profiles List page, and then click explicit_policy.
Open the Logs page.
From the Available list, click proxy_log_settings, then click <<, and then click Update.
TASK 2 – Configure a URL Filter
Configure a URL filter that blocks access to gambling Web sites and Facebook.
Open the Access Policy > Secure Web Gateway > URL Filters page, and then click Create.
Name the URL filter lorax_filter, and then click Finished.
In the Associated Categories section, select the Gambling, Security, and Social Web - Facebook checkboxes, and then click Block.
Expand the Social Web - Facebook option to view the sub-categories.
Expand the Miscellaneous category, then select the Uncategorized checkbox, and then click Block.
This ensures that sites that are not categorized will be blocked by Secure Web Gateway.
TASK 3 – Create a Scheme
Create a scheme that uses the URL filter for work hours, and then add the scheme to the transparent_policy access policy.
Open the Access Policy > Secure Web Gateway > Schemes page, and then click Create.
Name the scheme lorax_scheme, and then click Finished.
In the Associated Schedules section, click Add.
Create a scheme schedule using the following information, and then click Finished.
Name: lorax_filter
Time Range: 08:00 to 17:00
Add a new item in the following location:
Click the Assignment tab, then select the SWG Scheme Assign option, and then click Add Item.
Click Add/Delete.
Select the /Common/lorax_scheme option, and then click Save.
Click Apply Access Policy.
TASK 4 – Test the SWG URL Filter and Scheme
Use the LAMP_3.4 image to test access to unauthorized Web sites.
In the VMware library, on the LAMP_3.4 desktop, use Firefox to access http://www.wikipedia.org.
Enter your login credentials (your first and last name).
Edit the URL to http://www.casino.com.
Click the link to return to the previous page.
Edit the URL to http://www.onlinegambling.com.
On your host PC, open a command prompt, and then type:
ping www.onlinegambling.com
The user has found that the IP address for a gambling site is 209.44.109.189, and is going to try to get around the proxy by using the IP address instead of the host name.
In the VMware library, on the LAMP_3.4 desktop, use Firefox to access http://209.44.109.189.
BIG-IP Secure Web Gateway blocks access to Web sites accessed either by a hostname or an IP address.
Edit the URL to https://www.facebook.com.
Click Download, and then click the eicar.com file.
The malware request was blocked by BIG-IP SWG.
Edit the URL to http://www.monster.com, and then click Jobs > Browse Jobs.
Edit the URL to http://jokes.com.
Under Joke Categories, click Work Jokes, and note the URL.
Lorax Industries has decided they want to block users from job searching during work hours. They also have found that several employees are spending a lot of work time viewing and sharing inappropriate jokes from this Web site.
Close Firefox.
In the Configuration Utility, open the Access Policy > Manage Sessions page, and then select and kill any active sessions.
Open the Access Policy > Secure Web Gateway > URL Categories page, and then click Create.
Create a URL category using the following information, and then click Finished.
Name: Jokes Web sites
Associated URLs: http://jokes.com, http://jokes.cc.com, http://www.jokesfind.com (click Add after each URL)
Prefix Match: Yes (selected)
The prefix match option ensures that any Web page that begins with each URL will be considered a match.
Expand the Custom Categories option to view the new category.
Open the Access Policy > Secure Web Gateway > URL Filters page, and then click lorax_filter.
In the Associated Categories section, expand the Custom Categories option, and then select the
Edit the URL to http://www.indeed.com.
Edit the URL to http://www.careerbuilder.com.
Edit the URL to http://www.yahoo.com, and then click Jobs.
Edit the URL to http://jokes.com.
Edit the URL to http://jokes.com/funny-work-jokes.
Edit the URL to http://www.jokesfind.com.
Close Firefox.
In the Configuration Utility, open the Access Policy > Manage Sessions page, and then select and kill any active sessions.
TASK 5 – Enable Secure Proxy Access for Unauthenticated Users
Enable proxy access for non-authenticated users, and apply the most secure URL filter for these users.
Open the Access Policy > Secure Web Gateway > URL Filters page, and then click Create.
Name the URL filter high_security_filter, and then click Finished.
In the Associated Categories section, select ALL category checkboxes EXCEPT for Business and Economy, Education, and Information Technology, and then click Block.
Expand Education, then select the Cultural Institutions and the Educational Institutions checkboxes, and then click Block.
Open the Access Policy > Secure Web Gateway > Schemes page, and then click Create.
Name the scheme unauthorized_users_scheme.
From the Default URL Filter list box, select high_security_filter, and then click Finished.
For this scheme we won’t use a schedule. We’ll apply this filter at all times.
In the Visual Policy Editor, add a new item in the following location:
Click Add/Delete.
Select the /Common/unauthorized_users_scheme option, and then click Save.
Change the SWG Scheme Assign(1) fallback branch ending to Allow.
We now allow access for both authenticated and non-authenticated users. Both sets of users have an SWG scheme; however, the scheme for non-authenticated users is much more stringent than the scheme for authenticated users.
Click Apply Access Policy, and then close the Visual Policy Editor.
In the VMware library, on the LAMP_3.4 desktop, use Firefox to access http://www.wikipedia.org.
Leave the login credentials empty and click Logon.
NOTE: If you entered your own login credentials, you must close Firefox, and then delete the active session. This task requires that you do not enter login credentials.
Edit the URL to https://www.f5.com.
Because www.f5.com is categorized as Information Technology, the user has access to this Web site.
Edit the URL to http://www.cnn.com.
Edit the URL to http://www.expedia.com.
Edit the URL to http://www.whitehouse.gov.
Edit the URL to http://www.amazon.com.
Edit the URL to http://law.hardvard.edu.
The user doesn’t have access to educational institution Web sites.
Edit the URL to http://www.metmuseum.org.
The user doesn’t have access to cultural Web sites.
Edit the URL to http://www.youtube.com.
Edit the URL to http://www.twitter.com.
Close Firefox.
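The decisions that Tasks 2 through 5 verify by hand can be reasoned about offline. The following Python model is an added example, not F5 code and not the lab's own material: it models the category lookup, the custom category with Prefix Match (modelled here as a literal string prefix; an assumption about how the lab describes it), the work-hours schedule of lorax_scheme, and the schedule-less unauthorized_users_scheme. The host-to-category table, the category list, the sub-category parents, and the inclusion of Job Search in lorax_filter (implied by the Task 6 log query) are constructed assumptions, not the SWG database.

```python
"""Offline model of the URL filtering exercised in Tasks 2-5 (added example)."""
from datetime import time
from urllib.parse import urlsplit

# Constructed stand-in for the SWG category database: hostname -> category.
KNOWN_HOSTS = {
    "www.wikipedia.org": "Reference Materials",
    "www.casino.com": "Gambling",
    "www.onlinegambling.com": "Gambling",
    "209.44.109.189": "Gambling",          # the address the user found with ping
    "www.facebook.com": "Social Web - Facebook",
    "www.monster.com": "Job Search",
    "www.f5.com": "Information Technology",
    "www.cnn.com": "News and Media",
    "www.metmuseum.org": "Cultural Institutions",
}
# Sub-category -> parent category (constructed subset of the taxonomy).
PARENT = {"Cultural Institutions": "Education", "Educational Institutions": "Education"}
TOP_LEVEL = {"Business and Economy", "Education", "Gambling", "Information Technology",
             "Job Search", "News and Media", "Reference Materials", "Security",
             "Social Web - Facebook", "Uncategorized"}

# Custom category from Task 4, Prefix Match selected.
CUSTOM = {"Jokes Web sites": ("http://jokes.com", "http://jokes.cc.com", "http://www.jokesfind.com")}


def categorize(url):
    """Custom categories first, by literal string prefix (assumption: Prefix
    Match modelled as str.startswith), then the host lookup. The host is
    whatever the client asked for, so an IP literal is looked up like a name.
    Unknown hosts are 'Uncategorized'."""
    for name, prefixes in CUSTOM.items():
        if url.startswith(prefixes):
            return name
    return KNOWN_HOSTS.get(urlsplit(url).hostname or "", "Uncategorized")


def blocked_by(filter_blocked, category):
    """A category is blocked if it or its parent category is in the filter."""
    return category in filter_blocked or PARENT.get(category) in filter_blocked


# lorax_filter: Tasks 2 and 4 (Job Search assumed from the Task 6 log query).
LORAX_FILTER = frozenset({"Gambling", "Security", "Social Web - Facebook",
                          "Uncategorized", "Job Search", "Jokes Web sites"})
# high_security_filter (Task 5): everything except three categories, then two
# Education sub-categories blocked again.
HIGH_SECURITY_FILTER = frozenset(
    (TOP_LEVEL - {"Business and Economy", "Education", "Information Technology"})
    | {"Cultural Institutions", "Educational Institutions"})

WORK_HOURS = (time(8, 0), time(17, 0))   # lorax_scheme schedule from Task 3


def decide(url, now, authenticated):
    """Return (action, category) for one request.

    Authenticated sessions get lorax_scheme: lorax_filter inside WORK_HOURS,
    otherwise the scheme's default URL filter, which the lab leaves unset
    (modelled here as allow-all; assumption). Unauthenticated sessions get
    unauthorized_users_scheme, whose default filter applies at all times.
    """
    category = categorize(url)
    if authenticated:
        start, end = WORK_HOURS
        active = LORAX_FILTER if start <= now <= end else frozenset()
    else:
        active = HIGH_SECURITY_FILTER
    return ("Block" if blocked_by(active, category) else "Allow"), category
```

Two edge cases are worth checking against the real platform before relying on the model: a literal prefix of `http://jokes.com` also matches `http://jokes.com.example/` (over-match), and it does not match `https://jokes.com` (under-match); in the lab the second case is still blocked only because Uncategorized is blocked in Task 2.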
TASK 6 – View Secure Web Gateway Logging and Reports
View the information contained within the Secure Web Gateway log file, and then view the Secure Web Gateway reports.
In the Configuration Utility, open the Access Policy > Event Logs > Secure Web Gateway page.
This log displays all blocked and allowed requests through BIG-IP SWG.
Enter the following criteria, and then click OK.
User Name: your first name
URL Category: Job_Search
Action: Block
You can view all blocked requests for a specific user to a specific URL category.
Open the Access Policy > Secure Web Gateway > Overview page.
This page has several built-in widgets to display allowed and blocked requests by both URL category and user.
Open the Access Policy > Secure Web Gateway > Reports > All Requests page.
In the Details section, click Allowed.
From the View By list box, select Categories.
You can see where your internal users are spending the majority of their Internet browsing time.
Open the Access Policy > Secure Web Gateway > Reports > Blocked Requests page.
From the View By list box, select URLs.
You can see the URLs that have been blocked by Secure Web Gateway.
From the View By list box, select Categories.
Click Expand Advanced Filters.
From the Categories list box, select Custom.
Click Add, and then select the Jokes Web Sites and Uncategorized check boxes, and then click Done.
Click Update.
You can see how many times specific URL categories were blocked.
From the Categories list box, select All, and then click Update.
Click Collapse Advanced Filters.
From the View By list box, select Users.
In the Details section, click your first name.
From the View By list box, select URLs.
You can see the blocked URLs that were requested by a specific user.
Create an archive file bc_8.3_swg_url_filtering_v11.5.1.
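The log query and the View By reports above are filter-and-count operations over request events. The following Python is an added example, not F5 code: it parses a handful of constructed key=value log lines (the real Secure Web Gateway log format and field names are not reproduced) and reproduces the Task 6 views: a per-user, per-category, per-action query, and blocked requests viewed by category, user or URL.

```python
"""Filter and aggregate SWG-style request events as in Task 6 (added example)."""
from collections import Counter
import re

# Constructed sample events, not real SWG output. The last line is an
# unauthenticated session (empty user), as produced in Task 5.
SAMPLE_LOG = """\
2014-06-02T09:05:11 user=anne url=http://www.wikipedia.org category=Reference_Materials action=Allow
2014-06-02T09:06:40 user=anne url=http://www.casino.com category=Gambling action=Block
2014-06-02T09:07:02 user=anne url=http://209.44.109.189 category=Gambling action=Block
2014-06-02T09:10:15 user=anne url=http://www.monster.com category=Job_Search action=Block
2014-06-02T09:11:30 user=anne url=http://jokes.com/funny-work-jokes category=Jokes_Web_sites action=Block
2014-06-02T09:15:00 user=bob url=http://www.indeed.com category=Job_Search action=Block
2014-06-02T09:16:21 user=bob url=http://www.f5.com category=Information_Technology action=Allow
2014-06-02T09:20:45 user= url=http://www.cnn.com category=News_and_Media action=Block
"""

FIELD = re.compile(r"(\w+)=(\S*)")   # key=value tokens; values contain no spaces


def parse(text):
    """Turn each non-empty line into a dict; the leading timestamp becomes 'time'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        ev = {"time": ts}
        ev.update(FIELD.findall(rest))
        events.append(ev)
    return events


def select(events, **criteria):
    """Keep events whose fields equal every criterion, e.g. the Task 6 query
    select(events, user='anne', category='Job_Search', action='Block')."""
    return [ev for ev in events if all(ev.get(k) == v for k, v in criteria.items())]


def view_by(events, field):
    """Counts per value of *field*, like the report's View By list box."""
    return Counter(ev.get(field, "") for ev in events)


if __name__ == "__main__":
    blocked = select(parse(SAMPLE_LOG), action="Block")
    for field in ("category", "user", "url"):
        print(field, dict(view_by(blocked, field)))
```

The empty-user bucket in the user view is the one to watch in practice: it is the unauthenticated path enabled in Task 5, and a rising count there can mean users are deliberately skipping the logon to get the other scheme.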
TASK 7 – Reset the LAMP_3.4 VMware Image
In the VMware library, power off the LAMP_3.4 image.
Right-click LAMP_3.4 in the Library panel and select Snapshot > LAMP_3.4_Clean, and then click Yes.
APPENDICES
APPENDIX A – EXERCISE QUESTION AND ANSWER KEY
Exercise 2.1 – Configuring Device and Traffic Groups
Task 5 – Verify the Traffic Group
Q: What is the current device?
A: bigipA.f5demo.com
Q: What is the next active device?
A: bigipB.f5demo.com
Q: How many failover objects are there?
A: 2 (10.128.10.20 and 10.128.10.30)
Q: Which BIG-IP system forwarded this client request (view the Client IP address)?
A: 10.128.20.241 (bigipA2)
Task 6 – Test Failover
Q: Which BIG-IP system forwarded this client request?
A: 10.128.20.240 (bigipA1)
Q: Which BIG-IP are you accessing?
A: bigipB.f5demo.com
Q: Which BIG-IP are you accessing?
A: bigipA.f5demo.com
Task 7 – Create an Active/Active Pair
Q: How many failover objects does this BIG-IP manage?
A: 0
Q: How many failover objects does this BIG-IP now manage?
A: 1
Q: Which BIG-IP system forwarded this client request?
A: 10.128.20.241 (bigipA2)
Q: Which BIG-IP system forwarded this client request?
A: 10.128.20.240 (bigipA1)
Exercise 2.2 – Using Policies to Manage Traffic
Task 3 – Verify Policy Enforcement
Q: Did this request generate a log entry?
A: No
Q: Was this request redirected to HTTPS?
A: No
Q: Did this request generate a log entry?
A: Yes
Q: Was this request redirected to HTTPS?
A: Yes
Task 5 – Update the Virtual Server and Test the Policy
Q: Did the index.php page come from either node 1 or node 2?
A: Yes
Q: Did all of the images come from either node 4 or node 5?
A: Yes
Exercise 2.3 – Using an HTML Content Profile
Task 1 – Examine the Current HTML Meta Tags
Q: Are there description and/or keyword meta tags?
A: No
Q: Is there a no-cache meta tag present?
A: Yes
Task 5 – View HTML Content Rewrite
Exercise 3.2 – Creating Servers
Task 1 – Prepare to Add BIG-IP Server Objects
Q: For which devices does GTM have a trusted certificate?
A: bigipB.f5demo.com, bigipA.f5demo.com, localhost.localdomain.
Exercise 3.4 – Creating Pools and Wide IPs
Task 3 – Create Wide IPs
Q: At this point, what will happen to requests directed to secure.wip.f5se.com?
A: Since there are no topology records it will fall back to Round Robin.
Q: What needs to be created to utilize the Topology load balancing method?
A: Topology records
Task 5 – Verify the Wide IP Name Resolution
Q: Which IP address were you routed to?
A: 10.128.10.20
Q: Which IP address were you routed to on subsequent requests?
A: The same IP address (10.128.10.20)
Q: Why is GTM resolving these requests to a single pool member when there are two pool members available?
A: We used the Global Availability load balancing method, which always selects the first available pool or pool member in the list, and continues to use that pool or pool member as long as it’s available.
Q: Which IP address were you routed to?
A: 10.128.10.99
Q: Which IP address were you routed to?
A: 10.128.10.20
Q: Is GTM routing requests as it should for this wide IP?
A: Yes, it’s using the same pool member as long as it’s available, and if not it moves to the next pool member in the list.
Q: Which IP address(es) were you routed to?
A: 10.128.20.10, 10.128.20.150, 10.128.20.51, 10.128.20.20, 10.128.20.52
Q: Is GTM routing requests as it should for this wide IP?
A: Yes, it’s using simple round robin for all three pools and their corresponding pool members.
Q: Which IP address(es) were you routed to?
A: 10.128.20.10, 10.128.20.30
Q: Why were you only routed to these IP addresses?
A: My workstation IP address is 10.128.10.1, which falls into the topology record for the lampserver_https_pool which contains these two pool members.
Q: Which IP address was returned by the dig command?
A: 10.128.20.52, 10.128.20.53
Exercise 3.5 – Creating the DNS Express Zone List
Task 3 – Test DNS Express
Q: Is GTM successfully resolving host names?
A: Yes
Q: Besides configuring the BIG-IP, what else would need modification to allow DNS Express to work?
A: The named.conf of the name server needs to be modified to allow zone transfers to the GTM listener IP.
Q: How can you monitor traffic that is hitting the DNS listener?
A: tcpdump -i <external vlan name> -s0 -X host <ip address of listener> and port 53
Exercise 4.1 – Viewing AFM Log Details
Task 6 – Create and View Log Entries
Q: Can you access the HTTP version of the Web site?
A: Yes
Q: Can you access the HTTPS version of the Web site?
A: Yes
Task 7 – Change the AFM Mode
Q: Were you able to access the Web page?
A: No
Q: If no, how long did it take to get an error page?
A: About one second
Q: Were you able to access the self IP address?
A: No
Q: Were you able to access the Web page?
A: No
Q: If no, how long did it take to get an error page?
A: Several seconds
Exercise 4.2 – Creating AFM Rules
Task 2 – Add the Rule List to a Virtual Server
Q: Are there any other rules applied to this virtual?
A: Yes
Q: If so, what are they?
A: Default Accept
Task 3 – Create and View Log Entries
Q: Did the HTTPS request pass through the BIG-IP system?
A: No
Q: Did the SSH request pass through the BIG-IP system?
A: No
Q: Did the FTP request pass through the BIG-IP system?
A: No
Q: Did the HTTP request from 10.128.20.252 pass through the BIG-IP system?
A: Yes
Q: Why wasn’t the request from 10.128.20.252 rejected?
A: The reject 10.128.20.0 rule is listed after the allow_http rule, so the request matches the accept rule first and is never evaluated against the reject rule.
Q: Were you able to access the Web page?
A: No
Task 9 – Create Global Rules
Q: Were you able to ping the external self IP address?
A: No
Q: Were you able to ping the external self IP address?
A: No
Q: Did you receive a “destination net unreachable” message?
A: Yes
Q: Were you able to ping the external self IP address?
A: No
Q: Did you receive a “destination net unreachable” message?
A: No
Exercise 4.3 – Configuring DoS Protection
Task 4 – View DoS Reports
Q: Which IP addresses launched DoS attacks?
A: 10.20.30.40, 15.25.35.45, 10.128.20.253, and 10.128.10.20
Q: How could a DoS attack come from the same IP address as the virtual server?
A: It was a spoofed IP address configured in the DoS attack.
Exercise 5.2 – Creating a Security Policy
Task 1 – Create a Security Policy using Rapid Deployment
Q: Why are these values displaying?
A: DataGuard is enabled in the Rapid Deployment Policy (RDP).
Q: Are requests for .php pages Legal, Illegal, or Blocked?
A: Legal
Q: Are requests for .txt pages Legal, Illegal, or Blocked?
A: Legal
Q: Why aren’t requests for .txt pages being blocked through ASM?
A: ASM isn’t configured to block .txt pages.
Q: What caused this illegal entry?
A: DataGuard detected a credit card number pattern.
Task 3 – View the PCI Compliance Report
Q: Which requirements are compliant?
A: Protect stored cardholder data
Encrypt transmission of cardholder data across open, public networks
Assign a unique ID to each person with computer access
Track and monitor all access to network resources and cardholder data
Q: Why is this entry not yet in compliance?
A: We’re still using the default password for the root and admin usernames.
Exercise 5.3 – Updating a Security Policy
Task 1 – Configure a Security Policy to Learn About File Types
Q: Why can’t you enable the Block option?
A: The security policy is in transparent mode.
Q: Why are these options already configured?
A: They were configured by the Rapid Deployment security policy
Task 4 – Fine Tune the Security Policy
Q: Which URL is currently vulnerable for SQL injection?
A: /vulnerabilities/sqli/
Q: Why is there an entry for no_ext?
Q: Were you able to access these confidential files?
A: Yes
Q: Why is BIG-IP ASM still allowing access to these file types?
A: The security policy is in transparent mode.
Q: Are requests for .txt files Legal, Illegal, or Blocked?
A: Illegal.
Q: Are requests for .css and .exe files Legal, Illegal, or Blocked?
A: Illegal
Q: What do you need to configure in BIG-IP ASM to block access to these file types?
A: We need to place the security policy in blocking mode.
Task 5 – Modify the Security Policy’s Enforcement Mode
Q: Is the page displaying correctly?
A: No
Q: Why or why not?
A: The Web application isn’t allowing access to the CSS (cascading style sheet) file.
Q: Can you access txt files?
A: No
Q: What is the support ID for this request?
A: Answers will vary
Q: Can you access exe files?
A: No
Q: Are requests for .txt files Legal, Illegal, or Blocked?
A: Blocked
Q: Are requests for .css files Legal, Illegal, or Blocked?
A: Blocked
Exercise 5.4 – Using Automatic Policy Building
Task 6 – Use the Event Log to Determine Required Updates
Q: Which parameter caused the blocked violation?
A: mtxMessage
Q: What needs to be updated for this parameter?
A: The exclamation point needs to be added as an allowed meta character.
Q: What caused the blocked violation?
A: Illegal URL, Forceful Browsing
Q: What needs to be added to the policy to allow access to this page?
A: /vulnerabilities/upload/ needs to be added to the Allowed URLs list.
Task 9 – View the Security Charts
Q: Which URL had the most violation alerts?
A: /vulnerabilities/xss_s/
Q: How many hacking attempts did BIG-IP ASM block?
A: Answers will vary
Exercise 6.2 – Enabling Basic SSL VPN Network Access
Task 2 – Test Network Access
Q: Who issued this certificate?
A: localhost.localdomain
Q: Did you connect successfully?
A: Yes