Ingress - Arcadia
Ingress - Arcadia¶
Exercise 1: NGINX Configuration¶
Get a IC’s POD name
kubectl get pods -n external-ingress-controller
output:
NAME READY STATUS RESTARTS AGE
nap-external-ingress-controller-7576b65b4-ps4ck 1/1 Running 0 8d
Log into IC’s container
kubectl exec --namespace external-ingress-controller -it nap-external-ingress-controller-7576b65b4-ps4ck bash
Package¶
See installed App Protect software
apt list --installed | grep protect
output:
app-protect-attack-signatures/now 2021.04.29-1~buster amd64 [installed,local]
app-protect-compiler/now 6.3.6-1~buster amd64 [installed,local]
app-protect-engine/now 6.3.6-1~buster amd64 [installed,local]
...
Capture The Flag
2.1 What is the name of Threat Campaigns package?
2.2 How many signature attack update were released in April? | Tip: On jumphost
yum list --showduplicates {{ package name }}
Directive¶
Show App Protect directives in Arcadia configuration
grep protect /etc/nginx/conf.d/lab1-arcadia-arcadia-ingress-external-master.conf
output:
app_protect_enable on;
app_protect_policy_file /etc/nginx/waf/nac-policies/external-ingress-controller_generic-security-level-low;
app_protect_security_log_enable on;
app_protect_security_log /etc/nginx/waf/nac-logconfs/external-ingress-controller_naplogformat syslog:server=10.1.0.10:5144;
Annotation¶
On Jumphost, show App Protect annotations in Arcadia ingress resource
kubectl describe ingress -n lab1-arcadia arcadia-ingress-external-master | grep protect
output:
Annotations: appprotect.f5.com/app-protect-enable: True
appprotect.f5.com/app-protect-policy: external-ingress-controller/generic-security-level-low
appprotect.f5.com/app-protect-security-log: external-ingress-controller/naplogformat
appprotect.f5.com/app-protect-security-log-destination: syslog:server=10.1.0.10:5144
appprotect.f5.com/app-protect-security-log-enable: True
Exercise 2: Security Policy¶
APPolicy¶
Show App Protect policy resource
kubectl describe appolicy -n external-ingress-controller generic-security-level-low | grep -A 100 Spec
output:
Spec:
Policy:
Application Language: utf-8
Blocking - Settings:
Violations:
Alarm: true
Block: true
Name: VIOL_HTTP_RESPONSE_STATUS
Enforcement Mode: blocking
Name: generic-security-level-low
Signatures:
Enabled: false
Signature Id: 200000128
Template:
Name: POLICY_TEMPLATE_NGINX_BASE
Declarative policy¶
On IC, show App Protect declarative policy
cat /etc/nginx/waf/nac-policies/external-ingress-controller_generic-security-level-low
output:
{
"policy": {
"applicationLanguage": "utf-8",
"blocking-settings": {
"violations": [
{
"alarm": true,
"block": true,
"name": "VIOL_HTTP_RESPONSE_STATUS"
}
]
},
"enforcementMode": "blocking",
"name": "generic-security-level-low",
"signatures": [
{
"enabled": false,
"signatureId": 200000128
}
],
"template": {
"name": "POLICY_TEMPLATE_NGINX_BASE"
}
}
}
Capture The Flag
2.3 Which request type are logged by App Protect for Arcadia application? | Tip: App Protect Logs
Exercise 3: Monitoring¶
Support ID¶
To test that the site is protected, on Jumphost, append a script to the end of the curl statement:
curl -k -s "https://arcadia1.f5app.dev/?a=<script>"
output:
<html><head><title>Request Rejected</title></head><body>The requested URL was rejected.
Please consult with your administrator.<br><br>
Your support ID is: 4096465330496922252
<br><br><a href='javascript:history.back();'>[Go Back]</a></body></html>
Analytics¶
Connect to Kibana
https://kibana{{site_ID}}.f5app.dev>> Dashboard >> OverviewAdd a filter
vs_name is *arcadia1.f5app.dev*
Add another filter
support_id is {{support_ID}}and replace {{support_ID}} by previous blocked requestReview log
Capture The Flag
3.1 What is the policy name?
3.2 What is the client_class for curl?
3.3 Which violations are raised?
3.4 Which attack signatures are detected?
Exercise 4: Modifications¶
- By default, App Protect minimize false positives :
block requests that are declared as threats their Violation Rating is 4 or 5.
if the violation rating is 4-5 the request is blocked using the VIOL_RATING_THREAT violation.
other requests which have a lower violation rating are not blocked, except for some specific violations described here .
App Developers assume that matched signatures are a False Positive. They added modifications of security policy here.
Now, a new security policy for Arcadia must be applied to allow this request.
APPolicy - Manifest¶
On Jumphost, create a manifest of App Protect Policy reusing the current policy and referencing modifications set by AppDev
vi lab3-arcadia_appolicy.yaml
input:
1apiVersion: appprotect.f5.com/v1beta1
2kind: APPolicy
3metadata:
4 name: arcadia
5 namespace: external-ingress-controller
6 labels:
7 app: arcadia
8 policy-version: 1.0.0
9spec:
10 policy:
11 applicationLanguage: utf-8
12 blocking-settings:
13 violations:
14 - alarm: true
15 block: true
16 name: VIOL_HTTP_RESPONSE_STATUS
17 enforcementMode: blocking
18 name: arcadia
19 signatures:
20 - enabled: false
21 signatureId: 200000128
22 template:
23 name: POLICY_TEMPLATE_NGINX_BASE
24 modificationsReference:
25 link: https://raw.githubusercontent.com/nergalex/f5-nap-policies/master/policy/modifications/arcadia.f5app.dev.json
APPolicy - APPLY¶
Apply manifest APPolicy
kubectl apply -f lab3-arcadia_appolicy.yaml
output:
appolicy.appprotect.f5.com/arcadia created
APPolicy - CHECK¶
Check apply status
kubectl describe appolicy -n external-ingress-controller arcadia
output:
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal AddedOrUpdated 36s nginx-ingress-controller AppProtectPolicy external-ingress-controller/arcadia was added or updated
Ingress - Manifest¶
Create a manifest reusing current Arcadia’s ingress resource and reference newly created APPolicy
vi lab3-arcadia_ingress.yaml
input:
Note
Replace {{ site_ID }} in Manifest file, see highlighted lines below
1apiVersion: networking.k8s.io/v1
2kind: Ingress
3metadata:
4 name: "arcadia-ingress-external-master"
5 namespace: "lab1-arcadia"
6 labels:
7 app: "arcadia"
8 policy_target: external
9 annotations:
10 nginx.org/mergeable-ingress-type: "master"
11 nginx.org/server-snippets: |
12 proxy_ignore_headers X-Accel-Expires Expires Cache-Control;
13 proxy_cache_valid any 30s;
14 ingress.kubernetes.io/ssl-redirect: "true"
15 appprotect.f5.com/app-protect-policy: "external-ingress-controller/arcadia"
16 appprotect.f5.com/app-protect-enable: "True"
17 appprotect.f5.com/app-protect-security-log-enable: "True"
18 appprotect.f5.com/app-protect-security-log: "external-ingress-controller/naplogformat"
19 appprotect.f5.com/app-protect-security-log-destination: "syslog:server=10.{{ site_ID }}.0.10:5144"
20spec:
21 ingressClassName: "nginx-external"
22 tls:
23 - hosts:
24 - "arcadia{{ site_ID }}.f5app.dev"
25 secretName: "arcadia-secret-tls"
26 rules:
27 - host: "arcadia{{ site_ID }}.f5app.dev"
Ingress - APPLY¶
Apply manifest Ingress
kubectl apply -f lab3-arcadia_ingress.yaml
output:
ingress.networking.k8s.io/arcadia-ingress-external-master configured
Ingress - CHECK¶
Check apply status
kubectl describe ingress -n lab1-arcadia arcadia-ingress-external-master
output:
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal AddedOrUpdated 45s (x20 over 7d23h) nginx-ingress-controller Configuration for lab1-arcadia/arcadia-ingress-external-master was added or update
Check that request is not block by WAF
curl -k -s "https://arcadia1.f5app.dev/?a=<script>"
Exercise 5: Anti Automation¶
Anti Automation provides basic bot protection by detecting bot signatures and clients that falsely claim to be browsers or search engines. The bot-defense section in the policy is enabled by default.
The default actions for bot classes are:
detect for trusted-bot
alarm for untrusted-bot
block for malicious-bot
Now, core policy is updated by SecOps to block untrusted-bot class.
APPolicy - Manifest¶
On Jumphost, create a new manifest of App Protect Policy using new core policy and still referencing modifications set by AppDev
vi lab3-arcadia_appolicy_bot.yaml
input:
1apiVersion: appprotect.f5.com/v1beta1
2kind: APPolicy
3metadata:
4 name: arcadia
5 namespace: external-ingress-controller
6 labels:
7 app: arcadia
8 policy-version: 1.1.0
9spec:
10 policy:
11 name: arcadia
12 enforcementMode: blocking
13 applicationLanguage: utf-8
14 template:
15 name: POLICY_TEMPLATE_NGINX_BASE
16 server-technologies:
17 - serverTechnologyName: Unix/Linux
18 - serverTechnologyName: Nginx
19 - serverTechnologyName: "Apache/NCSA HTTP Server"
20 - serverTechnologyName: PHP
21 - serverTechnologyName: JavaScript
22 - serverTechnologyName: PostgreSQL
23 bot-defense:
24 settings:
25 isEnabled: true
26 mitigations:
27 classes:
28 - name: trusted-bot
29 action: alarm
30 - name: untrusted-bot
31 action: block
32 - name: malicious-bot
33 action: block
34 modificationsReference:
35 link: https://raw.githubusercontent.com/nergalex/f5-nap-policies/master/policy/modifications/arcadia.f5app.dev.json
APPolicy - APPLY¶
Apply new Arcadia’s APPolicy
kubectl apply -f lab3-arcadia_appolicy_bot.yaml
output:
appolicy.appprotect.f5.com/arcadia configured
App Protect - configuration¶
On IC, see configured WAF policies
grep -A 8 arcadia /opt/app_protect/config/config_set.json
output:
"/etc/nginx/waf/nac-policies/external-ingress-controller_arcadia": {
"import_filename": "/etc/nginx/waf/nac-policies/external-ingress-controller_arcadia",
"src_config_line": 79,
"vs_info": {
"49-arcadia1.f5app.dev:12-/": {
"vs_name": "49-arcadia1.f5app.dev:12-/",
"logging": {
"dest_ip": "10.1.0.10",
"dest_port": "5144",
"dest_filename": "",
"$ref": "/etc/nginx/waf/nac-logconfs/external-ingress-controller_naplogformat",
"src_config_line": 81
}
}
(...)
App Protect - declarative policy¶
See content of Arcadia’s WAF policy
cat /etc/nginx/waf/nac-policies/external-ingress-controller_arcadia
App Protect - compilation status¶
See WAF compilation output
cat /var/log/app_protect/compile_error_msg.json
output:
{
"completed_successfully": true,
"user_signatures_packages": [],
"threat_campaigns_package": {
"revision_datetime": "2021-05-04T21:03:00Z",
"version": "2021.05.04"
},
"attack_signatures_package": {
"revision_datetime": "2021-04-29T10:41:04Z",
"version": "2021.04.29"
}
}
CHECK¶
Test again with curl
curl -k -s "https://arcadia{{site_ID}}.f5app.dev/?a=<script>"
Test again with your web browser
https://arcadia{{site_ID}}.f5app.dev/?a=<script>Review log generated by curl using support ID in Kibana
https://kibana{{site_ID}}.f5app.dev
Capture The Flag
5.1 What is the violation rating?
5.2 What are the violations?
Exercise 6: Checks of the trusted bot’s authenticity¶
NAP’s Search engine signatures such as googlebot are under the trusted_bots class,
but App Protect performs additional checks of the trusted bot’s authenticity
as reverse DNS for example.
Try to impersonated the search engine googlebot
curl -k --user-agent "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" https://arcadia{{site_ID}}.f5app.dev
Review log generated by curl using support ID in Kibana
https://kibana{{site_ID}}.f5app.dev
Capture The Flag
6.1 What is the bot anomaly?
6.2 What is the client class?