Ingress - Arcadia

Exercise 1: NGINX Configuration

  • Get the IC's pod name

kubectl get pods -n external-ingress-controller

output:

NAME                                              READY   STATUS    RESTARTS   AGE
nap-external-ingress-controller-7576b65b4-ps4ck   1/1     Running   0          8d

  • Log into the IC's container

kubectl exec --namespace external-ingress-controller -it nap-external-ingress-controller-7576b65b4-ps4ck bash

Package

  • See installed App Protect software

apt list --installed | grep protect

output:

app-protect-attack-signatures/now 2021.04.29-1~buster amd64 [installed,local]
app-protect-compiler/now 6.3.6-1~buster amd64 [installed,local]
app-protect-engine/now 6.3.6-1~buster amd64 [installed,local]
...

Capture The Flag

2.1 What is the name of the Threat Campaigns package?

2.2 How many attack signature updates were released in April? | Tip: On the jumphost, run yum list --showduplicates {{ package name }}

Directive

  • Show App Protect directives in Arcadia configuration

grep protect /etc/nginx/conf.d/lab1-arcadia-arcadia-ingress-external-master.conf

output:

app_protect_enable on;
app_protect_policy_file /etc/nginx/waf/nac-policies/external-ingress-controller_generic-security-level-low;
app_protect_security_log_enable on;
app_protect_security_log /etc/nginx/waf/nac-logconfs/external-ingress-controller_naplogformat syslog:server=10.1.0.10:5144;

Annotation

  • On Jumphost, show App Protect annotations in Arcadia ingress resource

kubectl describe ingress -n lab1-arcadia arcadia-ingress-external-master | grep protect

output:

Annotations:  appprotect.f5.com/app-protect-enable: True
              appprotect.f5.com/app-protect-policy: external-ingress-controller/generic-security-level-low
              appprotect.f5.com/app-protect-security-log: external-ingress-controller/naplogformat
              appprotect.f5.com/app-protect-security-log-destination: syslog:server=10.1.0.10:5144
              appprotect.f5.com/app-protect-security-log-enable: True

Exercise 2: Security Policy

APPolicy

  • Show App Protect policy resource

kubectl describe appolicy -n external-ingress-controller generic-security-level-low | grep -A 100 Spec

output:

Spec:
  Policy:
    Application Language:  utf-8
    Blocking - Settings:
      Violations:
        Alarm:         true
        Block:         true
        Name:          VIOL_HTTP_RESPONSE_STATUS
    Enforcement Mode:  blocking
    Name:              generic-security-level-low
    Signatures:
      Enabled:       false
      Signature Id:  200000128
    Template:
      Name:  POLICY_TEMPLATE_NGINX_BASE

Declarative policy

cat /etc/nginx/waf/nac-policies/external-ingress-controller_generic-security-level-low

output:

{
  "policy": {
    "applicationLanguage": "utf-8",
    "blocking-settings": {
      "violations": [
        {
          "alarm": true,
          "block": true,
          "name": "VIOL_HTTP_RESPONSE_STATUS"
        }
      ]
    },
    "enforcementMode": "blocking",
    "name": "generic-security-level-low",
    "signatures": [
      {
        "enabled": false,
        "signatureId": 200000128
      }
    ],
    "template": {
      "name": "POLICY_TEMPLATE_NGINX_BASE"
    }
  }
}

Capture The Flag

2.3 Which request types are logged by App Protect for the Arcadia application? | Tip: App Protect Logs

Exercise 3: Monitoring

Support ID

  • To test that the site is protected, on the Jumphost, append a script tag to the URL in the curl statement:

curl -k -s "https://arcadia1.f5app.dev/?a=<script>"

output:

<html><head><title>Request Rejected</title></head><body>The requested URL was rejected.
Please consult with your administrator.<br><br>
Your support ID is: 4096465330496922252
<br><br><a href='javascript:history.back();'>[Go Back]</a></body></html>
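Correlating a blocked request with its log entry starts from the support ID printed in the block page. The following Python helper is an added example, not part of the lab or of F5's tooling: it recognises the "Request Rejected" page in the curl output above, extracts the support ID, and builds the filter used in the Analytics step. The block page text is constructed from the output shown above; the KQL string returned by kibana_filter is my assumed equivalent of the dashboard's "support_id is ..." filter.

```python
import re
import sys
from typing import Optional

# Constructed sample: the App Protect block page returned by the curl command
# above (the support ID value is the one shown in the lab output).
BLOCK_PAGE = (
    "<html><head><title>Request Rejected</title></head><body>"
    "The requested URL was rejected. Please consult with your administrator.<br><br>"
    "Your support ID is: 4096465330496922252"
    "<br><br><a href='javascript:history.back();'>[Go Back]</a></body></html>"
)

# The support ID is a decimal number following this fixed phrase.
SUPPORT_ID_RE = re.compile(r"Your support ID is:\s*(\d+)")


def is_blocked(body: str) -> bool:
    """True when the response body is the App Protect 'Request Rejected' page."""
    return "<title>Request Rejected</title>" in body


def extract_support_id(body: str) -> Optional[str]:
    """Return the support ID from a block page, or None when the request was not blocked."""
    if not is_blocked(body):
        return None
    match = SUPPORT_ID_RE.search(body)
    return match.group(1) if match else None


def kibana_filter(support_id: str) -> str:
    """Assumed KQL form of the dashboard filter 'support_id is <id>' used in the next step."""
    return f'support_id : "{support_id}"'


if __name__ == "__main__":
    # Usage: curl -k -s "https://arcadia1.f5app.dev/?a=<script>" | python3 support_id.py
    sid = extract_support_id(sys.stdin.read())
    print(kibana_filter(sid) if sid else "request was not blocked")
```

Piping the curl output through the script prints the filter to paste into Kibana; a non-blocked response (the application's own HTML) yields no support ID, which is itself the check used again in Exercise 4.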

Analytics

  • Connect to Kibana https://kibana{{site_ID}}.f5app.dev >> Dashboard >> Overview

  • Add a filter vs_name is *arcadia1.f5app.dev*

  • Add another filter support_id is {{support_ID}}, replacing {{support_ID}} with the support ID of the previously blocked request

  • Review log


Capture The Flag

3.1 What is the policy name?

3.2 What is the client_class for curl?

3.3 Which violations are raised?

3.4 Which attack signatures are detected?

Exercise 4: Modifications

By default, App Protect minimizes false positives:
  • requests declared as threats are blocked when their Violation Rating is 4 or 5.

  • if the violation rating is 4-5 the request is blocked using the VIOL_RATING_THREAT violation.

  • other requests with a lower violation rating are not blocked, except for some specific violations described here.

The App Developers consider the matched signatures to be a false positive and have added their security policy modifications here.

Now, a new security policy for Arcadia must be applied to allow this request.

APPolicy - Manifest

  • On the Jumphost, create a manifest of an App Protect Policy reusing the current policy and referencing the modifications set by AppDev

vi lab3-arcadia_appolicy.yaml

input:

apiVersion: appprotect.f5.com/v1beta1
kind: APPolicy
metadata:
  name: arcadia
  namespace: external-ingress-controller
  labels:
    app: arcadia
    policy-version: 1.0.0
spec:
  policy:
    applicationLanguage: utf-8
    blocking-settings:
      violations:
      - alarm: true
        block: true
        name: VIOL_HTTP_RESPONSE_STATUS
    enforcementMode: blocking
    name: arcadia
    signatures:
    - enabled: false
      signatureId: 200000128
    template:
      name: POLICY_TEMPLATE_NGINX_BASE
  modificationsReference:
      link: https://raw.githubusercontent.com/nergalex/f5-nap-policies/master/policy/modifications/arcadia.f5app.dev.json

APPolicy - APPLY

  • Apply manifest APPolicy

kubectl apply -f lab3-arcadia_appolicy.yaml

output:

appolicy.appprotect.f5.com/arcadia created

APPolicy - CHECK

  • Check apply status

kubectl describe appolicy -n external-ingress-controller arcadia

output:

Events:
  Type    Reason          Age   From                      Message
  ----    ------          ----  ----                      -------
  Normal  AddedOrUpdated  36s   nginx-ingress-controller  AppProtectPolicy external-ingress-controller/arcadia was added or updated

Ingress - Manifest

  • Create a manifest reusing the current Arcadia ingress resource and referencing the newly created APPolicy

vi lab3-arcadia_ingress.yaml

input:

Note

Replace {{ site_ID }} in the manifest file; it appears in the security log destination, the TLS host and the rule host below.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: "arcadia-ingress-external-master"
  namespace: "lab1-arcadia"
  labels:
    app: "arcadia"
    policy_target: external
  annotations:
    nginx.org/mergeable-ingress-type: "master"
    nginx.org/server-snippets: |
      proxy_ignore_headers X-Accel-Expires Expires Cache-Control;
      proxy_cache_valid any 30s;
    ingress.kubernetes.io/ssl-redirect: "true"
    appprotect.f5.com/app-protect-policy: "external-ingress-controller/arcadia"
    appprotect.f5.com/app-protect-enable: "True"
    appprotect.f5.com/app-protect-security-log-enable: "True"
    appprotect.f5.com/app-protect-security-log: "external-ingress-controller/naplogformat"
    appprotect.f5.com/app-protect-security-log-destination: "syslog:server=10.{{ site_ID }}.0.10:5144"
spec:
  ingressClassName: "nginx-external"
  tls:
  - hosts:
    - "arcadia{{ site_ID }}.f5app.dev"
    secretName: "arcadia-secret-tls"
  rules:
  - host: "arcadia{{ site_ID }}.f5app.dev"

Ingress - APPLY

  • Apply manifest Ingress

kubectl apply -f lab3-arcadia_ingress.yaml

output:

ingress.networking.k8s.io/arcadia-ingress-external-master configured

Ingress - CHECK

  • Check apply status

kubectl describe ingress -n lab1-arcadia arcadia-ingress-external-master

output:

Events:
  Type    Reason          Age                   From                      Message
  ----    ------          ----                  ----                      -------
  Normal  AddedOrUpdated  45s (x20 over 7d23h)  nginx-ingress-controller  Configuration for lab1-arcadia/arcadia-ingress-external-master was added or update

  • Check that the request is no longer blocked by the WAF

curl -k -s "https://arcadia1.f5app.dev/?a=<script>"

Exercise 5: Anti Automation

Anti Automation provides basic bot protection by detecting bot signatures and clients that falsely claim to be browsers or search engines. The bot-defense section in the policy is enabled by default.

The default actions for bot classes are:

  • detect for trusted-bot

  • alarm for untrusted-bot

  • block for malicious-bot

Now the core policy is updated by SecOps to block the untrusted-bot class.

APPolicy - Manifest

  • On the Jumphost, create a new manifest of the App Protect Policy using the new core policy and still referencing the modifications set by AppDev

vi lab3-arcadia_appolicy_bot.yaml

input:

apiVersion: appprotect.f5.com/v1beta1
kind: APPolicy
metadata:
  name: arcadia
  namespace: external-ingress-controller
  labels:
    app: arcadia
    policy-version: 1.1.0
spec:
  policy:
    name: arcadia
    enforcementMode: blocking
    applicationLanguage: utf-8
    template:
      name: POLICY_TEMPLATE_NGINX_BASE
    server-technologies:
      - serverTechnologyName: Unix/Linux
      - serverTechnologyName: Nginx
      - serverTechnologyName: "Apache/NCSA HTTP Server"
      - serverTechnologyName: PHP
      - serverTechnologyName: JavaScript
      - serverTechnologyName: PostgreSQL
    bot-defense:
      settings:
        isEnabled: true
      mitigations:
        classes:
        - name: trusted-bot
          action: alarm
        - name: untrusted-bot
          action: block
        - name: malicious-bot
          action: block
  modificationsReference:
      link: https://raw.githubusercontent.com/nergalex/f5-nap-policies/master/policy/modifications/arcadia.f5app.dev.json
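Before applying a policy like the one above, a SecOps reviewer usually wants to see the effective bot-defense actions, including the classes that fall back to the defaults listed at the start of this exercise, and any signatures the policy disables. The following Python example is added here and is neither the lab's nor F5's code: it loads the declarative JSON form of the policy (the same fields as the manifest above, constructed inline) and reports those settings. The review rules in audit (enforcementMode must be blocking, untrusted-bot and malicious-bot must block) are my assumed expectations for this exercise, not App Protect rules.

```python
import json

# Default actions per bot class as stated in this exercise; used when a class
# is not listed explicitly under bot-defense.mitigations.classes.
DEFAULT_BOT_ACTIONS = {
    "trusted-bot": "detect",
    "untrusted-bot": "alarm",
    "malicious-bot": "block",
}

# Constructed sample: declarative JSON equivalent of the Exercise 5 APPolicy spec.
POLICY_JSON = """
{
  "policy": {
    "name": "arcadia",
    "enforcementMode": "blocking",
    "applicationLanguage": "utf-8",
    "template": {"name": "POLICY_TEMPLATE_NGINX_BASE"},
    "bot-defense": {
      "settings": {"isEnabled": true},
      "mitigations": {
        "classes": [
          {"name": "trusted-bot", "action": "alarm"},
          {"name": "untrusted-bot", "action": "block"},
          {"name": "malicious-bot", "action": "block"}
        ]
      }
    },
    "signatures": [{"enabled": false, "signatureId": 200000128}]
  }
}
"""


def load_policy(text: str) -> dict:
    """Parse a declarative App Protect policy document."""
    return json.loads(text)


def effective_bot_actions(policy: dict) -> dict:
    """Action per bot class: the explicit policy entry, else the documented default."""
    actions = dict(DEFAULT_BOT_ACTIONS)
    bot = policy["policy"].get("bot-defense", {})
    # bot-defense is enabled by default; an explicit isEnabled: false switches all mitigation off.
    if not bot.get("settings", {}).get("isEnabled", True):
        return {cls: "none" for cls in actions}
    for entry in bot.get("mitigations", {}).get("classes", []):
        actions[entry["name"]] = entry["action"]
    return actions


def disabled_signatures(policy: dict) -> list:
    """Signature IDs the policy turns off (each one is a deliberate coverage gap)."""
    return sorted(
        s["signatureId"]
        for s in policy["policy"].get("signatures", [])
        if not s.get("enabled", True)
    )


def audit(policy: dict) -> list:
    """Findings to review before applying the policy (rules are assumptions for this lab)."""
    findings = []
    spec = policy["policy"]
    mode = spec.get("enforcementMode")
    if mode != "blocking":
        findings.append(f"enforcementMode is {mode!r}, not 'blocking'")
    actions = effective_bot_actions(policy)
    for cls in ("untrusted-bot", "malicious-bot"):
        if actions.get(cls) != "block":
            findings.append(f"{cls} action is {actions.get(cls)!r}, expected 'block'")
    for sid in disabled_signatures(policy):
        findings.append(f"signature {sid} is disabled")
    return findings


if __name__ == "__main__":
    # Usage: cat /etc/nginx/waf/nac-policies/external-ingress-controller_arcadia | python3 audit_policy.py
    import sys
    pol = load_policy(sys.stdin.read() or POLICY_JSON)
    print("bot actions:", effective_bot_actions(pol))
    for finding in audit(pol) or ["no findings"]:
        print("-", finding)
```

Run against the policy file on the IC after the apply step to confirm that untrusted-bot is now blocked; for the Exercise 4 policy, which has no bot-defense section, the same script reports the documented defaults and flags that untrusted-bot only alarms.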

APPolicy - APPLY

  • Apply the new Arcadia APPolicy

kubectl apply -f lab3-arcadia_appolicy_bot.yaml

output:

appolicy.appprotect.f5.com/arcadia configured

App Protect - configuration

  • On the IC, see the configured WAF policies

grep -A 8 arcadia /opt/app_protect/config/config_set.json

output:

"/etc/nginx/waf/nac-policies/external-ingress-controller_arcadia": {
"import_filename": "/etc/nginx/waf/nac-policies/external-ingress-controller_arcadia",
"src_config_line": 79,
"vs_info": {
  "49-arcadia1.f5app.dev:12-/": {
    "vs_name": "49-arcadia1.f5app.dev:12-/",
    "logging": {
      "dest_ip": "10.1.0.10",
      "dest_port": "5144",
      "dest_filename": "",
      "$ref": "/etc/nginx/waf/nac-logconfs/external-ingress-controller_naplogformat",
      "src_config_line": 81
    }
  }
(...)

App Protect - declarative policy

  • See the content of Arcadia's WAF policy

cat /etc/nginx/waf/nac-policies/external-ingress-controller_arcadia

App Protect - compilation status

  • See the WAF compilation output

cat /var/log/app_protect/compile_error_msg.json

output:

{
  "completed_successfully": true,
  "user_signatures_packages": [],
  "threat_campaigns_package": {
    "revision_datetime": "2021-05-04T21:03:00Z",
    "version": "2021.05.04"
  },
  "attack_signatures_package": {
    "revision_datetime": "2021-04-29T10:41:04Z",
    "version": "2021.04.29"
  }
}
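Two things are worth confirming from this file: that the compile completed, and that the attack signature set compiled into the policy is the one installed in the container (Exercise 1). The Python example below is added here, not taken from the lab or from F5: it parses the apt list output from Exercise 1 and the compile status JSON above, and flags a failed compile or a version mismatch. Both inputs are constructed copies of the outputs shown on this page.

```python
import json
import re

# Constructed sample: the `apt list --installed | grep protect` output from Exercise 1.
APT_LIST_OUTPUT = """\
app-protect-attack-signatures/now 2021.04.29-1~buster amd64 [installed,local]
app-protect-compiler/now 6.3.6-1~buster amd64 [installed,local]
app-protect-engine/now 6.3.6-1~buster amd64 [installed,local]
"""

# Constructed sample: /var/log/app_protect/compile_error_msg.json as shown above.
COMPILE_STATUS_JSON = """
{
  "completed_successfully": true,
  "user_signatures_packages": [],
  "threat_campaigns_package": {"revision_datetime": "2021-05-04T21:03:00Z", "version": "2021.05.04"},
  "attack_signatures_package": {"revision_datetime": "2021-04-29T10:41:04Z", "version": "2021.04.29"}
}
"""

# "<package>/<origin> <upstream>-<debian revision> <arch> [...]": keep the upstream version only.
APT_LINE_RE = re.compile(r"^(?P<pkg>[^/\s]+)/\S+\s+(?P<ver>[^-\s]+)")


def installed_versions(apt_output: str) -> dict:
    """Map package name -> upstream version from `apt list --installed` output."""
    versions = {}
    for line in apt_output.splitlines():
        match = APT_LINE_RE.match(line)
        if match:
            versions[match.group("pkg")] = match.group("ver")
    return versions


def check_compile_status(status_text: str, apt_output: str) -> list:
    """Problems worth flagging: failed compile, or compiled signatures not matching the installed package."""
    status = json.loads(status_text)
    problems = []
    if not status.get("completed_successfully"):
        problems.append("policy compilation did not complete successfully")
    compiled = status.get("attack_signatures_package", {}).get("version")
    installed = installed_versions(apt_output).get("app-protect-attack-signatures")
    if compiled != installed:
        problems.append(f"attack signatures: compiled {compiled!r} vs installed {installed!r}")
    return problems


if __name__ == "__main__":
    # Runs on the sample data; on the IC, feed the real file and apt output instead.
    for problem in check_compile_status(COMPILE_STATUS_JSON, APT_LIST_OUTPUT) or ["compile status OK"]:
        print(problem)
```

A mismatch after a signature package update usually means the policy has not been recompiled yet, so the WAF is still enforcing the older signature set.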

CHECK

  • Test again with curl

curl -k -s "https://arcadia{{site_ID}}.f5app.dev/?a=<script>"

  • Test again with your web browser https://arcadia{{site_ID}}.f5app.dev/?a=<script>

  • Review the log generated by curl using the support ID in Kibana https://kibana{{site_ID}}.f5app.dev


Capture The Flag

5.1 What is the violation rating?

5.2 What are the violations?

Exercise 6: Checks of the trusted bot’s authenticity

NAP's search engine signatures such as googlebot fall under the trusted-bot class, but App Protect also performs additional checks of the trusted bot's authenticity, for example a reverse DNS lookup of the client address.

  • Try to impersonate the search engine googlebot

curl -k --user-agent "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" https://arcadia{{site_ID}}.f5app.dev

  • Review the log generated by curl using the support ID in Kibana https://kibana{{site_ID}}.f5app.dev


Capture The Flag

6.1 What is the bot anomaly?

6.2 What is the client class?