f5 remediation module suwitcha musijaral. 2 f5 api interface ● icontrol ▸ api (perl support),...
TRANSCRIPT
F5 Remediation ModuleSuwitcha Musijaral
2
F5 API interface
● iControl▸ API (perl support), more flexible, more work
● Command line▸ ssh and issue cli command (bigpipe command)
● iRule with Session Table▸ Create virtual server to add record to session table▸ Add iRule to protected server▸ Easy to create and suitable for FW type action
3
Control VIP iRule
when HTTP_REQUEST { if { [URI::query [HTTP::uri] "action"] equals "blacklist" } { set blockingIP [URI::query [HTTP::uri] "sip"] set IPtimeout [URI::query [HTTP::uri] "timeout"] table add -subtable "blacklist" $blockingIP 1 $IPtimeout HTTP::respond 200 content "$blockingIP added to blacklist for $IPtimeout seconds" return } HTTP::respond 200 content "You need to include an ?action query"}
4
iRule for protected Server
when CLIENT_ACCEPTED { set srcip [IP::remote_addr] if { [table lookup -subtable "blacklist" $srcip] != "" } { drop log local0. "Block IP on black list" return }}
5
POC Environment
Virtual BIG-IP
VMNET Mgmt192.168.133.0
VMNET2192.168.10.0
VMNET4192.168.111.0
Virtual Sensor
Virtual DC
Target MachineLAMP
Attacker
6
Screen Shot on F5
7
Control Server
8
Protected Server
9
F5 Remediation Module
10
Compliance Event
11
Remediation Status
12
Result – Connection Reset
13
Status on BIG-IP