F5 BIG-IP Platform Security

As application and network attacks evolve to become more complex and harder to defend against, ensuring data security has become one of the most pressing issues for organizations of all sizes. High-profile leaks and breaches can damage an organization’s reputation and have a dramatic impact on its business.

Since the inception of the F5 BIG-IP platform, security has been a primary factor in all design and architecture decisions. Each subsequent release or new product has included more secure default settings, incorporated more security related features, and undergone more rigorous security testing, assurance, and certification efforts. As security threats increase, best practices are continually applied to new and acquired products to ensure that networks, applications, and data remain secure. Today, F5 products function as strategic points of control to manage an organization's critical information flow, while also improving the delivery of web-based applications through both performance and security enhancements.

When evaluating its overall security posture, an organization must consider two structural factors: a secure software development lifecycle and the inherent security features within its Application Delivery Network. By delivering on both fronts, F5 provides leadership and products to meet today’s new security challenges, helping organizations protect identities, applications, and sensitive data—all while minimizing application downtime and maximizing end-user productivity.

While there are many factors in a truly secure system, the foundation lies upon the two pillars of design and coding. The F5 Secure Software Development Lifecycle (SDLC) helps ensure that all products are built to the highest security standards and rigorously tested before release.

Sound security starts early in the product development process. Before writing a single line of code, the F5 Product Development team goes through a comprehensive threat modeling assessment. Architects evaluate each new feature to determine what vulnerabilities it might create or introduce to the system.

A vulnerability that takes one hour to fix at the design phase can take ten hours to fix in the coding phase and one thousand hours to fix after the product is shipped—so it's critical to catch vulnerabilities early in the process. Typical discussions during a threat model assessment include defining and reviewing the security boundaries, limiting the threat surface, and best practices for design and implementation of security-related functions.

After designs are completed, coding begins. All F5 development staff have been thoroughly trained in the process of writing secure code. But when it comes to software and network exploits, even the smallest mistake can have huge ramifications. F5 developers conduct regular code reviews with the security team, and also use static code-analysis tools to identify common problems. Code standards and best practices help developers avoid common security pitfalls.

Time- and labor-intensive security testing is a huge undertaking for any organization. At F5, security and development teams collaborate to help ensure a high level of security for each piece of software released into the marketplace.

Internal security teams conduct penetration testing by acting as attackers trying to compromise the BIG-IP platform. In addition, F5 performs fuzz testing on all programs. Fuzz testing evaluates how programs handle malformed inputs, such as a longer or shorter network packet or an input with incorrect data. Most will be handled well, but others might cause an exception, and still others could expose a serious vulnerability. Penetration testing and fuzz testing make F5 devices as secure as possible against denial of service (DoS) attacks, as well as code-based attacks.

In addition, through relationships with academic intuitions, F5 continually increases its knowledge base to cover multiple types of errors, such as:

• Buffer overflows and stack-smashing attacks that exploit insecure string manipulation logic.
• The incorrect use of dynamic memory management functions.
• Integer-related problems, including integer overflows, sign errors, and truncation errors.
• Introducing format-string vulnerabilities.
• I/O vulnerabilities, including race conditions.

F5 employs a sophisticated third-party scanning application, which analyzes nightly source code for a number of critical flaws. At compile time, the code scanning application looks for security bugs and defects, “build breaker” bugs, crashing bugs such as memory leaks and corruption, and unpredictable application behavior introduced by new code. Source code scanning can also find non-fatal flaws such as data integrity issues and performance bottlenecks.

For years, F5 has also partnered with third-party firms for additional testing of multiple types:

• Black-box testing: application and platform testing without knowledge of the product beyond what an attacker would have access to from public documents.
• Grey-box testing: application and platform testing with partial information such as internal design or access to the documentation of internal data structures as well as the algorithms used. Gray-box testers require both high-level and detailed documents describing the applications.
• White-box testing (also known as clear box testing, glass box testing, transparent box testing, or structural testing): testing of the internal structures or workings of an application, as opposed to its functionality. White-box testing requires advanced knowledge of the system as well as programming skills.

Security testing tools evolve over time and new products are introduced. F5 works closely with multiple vendor partners to include new protocols, expand test coverage, and update tools based on evolving threat models and newly discovered exploits. Once BIG-IP software passes multiple tests, F5 then uses it in its own product environment to ensure it's truly ready for release.

Despite threat models, secure coding, training, and testing of many types, vulnerabilities do occur. When a vulnerability is recognized in production, timely response is critical.

The F5 vulnerability response policy is updated regularly to reflect customer requirements and industry practices. By focusing on responding to security incidents—whether they are discovered internally, by third-party testing, or reported by a customer—F5 tracks and reports on vulnerabilities at least weekly to ensure correct prioritization and timely response.

Working closely with security researchers and other professionals such as National Vulnerability Database, MITRE CVE, CERT Coordination Center, Redhat, OpenSSL, and ISC allows F5 to responsibly disclose vulnerabilities and provide mitigations, patches, and protection from exploits. In the last year, F5 has provided over 350 Security Advisories—ranging from articles that educate on surfacing threats (e.g., script injections, Trojans) to protecting against malware and DDoS attacks—to the public to ensure that the latest security information is available.

Purpose-built to provide heightened and hardened security, the BIG-IP platform offers several key features that enable organizations to strengthen their security postures:

• Appliance Mode
• Secure Vault
• Security Enhanced Linux (SELinux)
• Security certifications
• DoS protection

The BIG-IP platform and F5 TMOS are designed so that hardware and software work together to protect enterprise applications and data, while optimizing application delivery throughout the network.

Originally designed for businesses in industries with sensitive data, such as healthcare and financial services, Appliance Mode is today used by enterprises in all fields. By turning on Appliance Mode, organizations can realize greater control over their networks and applications by enforcing the following restrictions:

• Remove access to the bash shell.
• Limit administrative access to the configuration utility and the TMSH. Administrators can use these hierarchical command-line utilities to easily manage and configure the BIG-IP system, and to view statistics and performance data.
• Disable the root login to prevent the root user from logging into the device by any means, including the serial console.
• Tighten the root account home directory (/root) file permissions for numerous files and directories. By default, new files are only user readable and writeable and all directories are better secured.
• Prevent the Always-On Management (AOM) subsystem, which provides lights-out management for the BIG-IP system, from accessing the host. The AOM will only be able to reset the host using a hardware reset command.

One thing to note is that once Appliance Mode has been enabled, it cannot be disabled; rather, organizations must obtain a new license and perform a clean installation of the software. Administrators can verify that a device is running in Appliance Mode from the License screen in the Configuration utility of the BIG-IP GUI.

SSL private keys are among the highest-value assets within a network, and many organizations have strict requirements that the keys be secure above and beyond simple file system protection. The Secure Vault feature—available on all F5 hardware appliances—protects SSL private keys with a master key stored in a hardware lock, so that even if the SSL private key file were recovered from a compromised backup server or malware infection, it could not be used by the attacker.

Each BIG-IP device comes with a unique unit key and a shared master key, which are both AES 256 symmetric keys. The unique unit key is stored in a custom-built hardware EEPROM on each physical appliance. This unit key encrypts the master key, which in turn encrypts SSL private keys, decrypts SSL key files, and synchronizes certificates between BIG-IP devices. Master keys follow the configuration in a high-availability (HA) configuration, so all units would share the same master key but still have their own unit key. The master key gets synchronized using the secure channel established by the Certificate Manager. The master-key-encrypted passphrases cannot be used on systems other than the units for which the master key was generated.

Secure Vault support can also be used by vCMP (Virtual Clustered Multiprocessing) guests. vCMP enables multiple instances of BIG-IP software to run on one device with each guest having their own unit key and master key. The guest unit key is generated and stored at the host, thus enforcing the hardware support, and it is protected by the host master key, which is in turn protected by the host unit key in hardware.

Used both in F5 development processes and customer production environments, Security Enhanced Linux (SELinux) streamlines the volume of software charged with security policy enforcement and allows separate enforcement of security decisions from the security policy itself. For example, a SELinux profile can instruct the TMOS kernel to disallow a specific process from ever executing the bash shell, thus securing the system from vulnerabilities such as Shellshock, which can allow an attacker to gain control over a web server or router.

SELinux also heightens security by providing mandatory access control (MAC) to complement the Linux discretionary access control (DAC) system. MAC consists of user, role, and domain labels on subjects, resource labels for objects, and relations between subjects and objects defined by policy. SELinux controls confine access by user programs and system servers to files and network resources. Limiting privilege to the minimum required to work reduces or eliminates the ability of these programs and daemons to cause harm from unknown vulnerabilities such as buffer overflows or misconfigurations. Because it operates independently of the Linux (discretionary) control mechanisms, MAC has no concept of a root super-user, and thus does not share the well-known shortcomings of the traditional Linux DAC system.

Federal and financial sector industry (FSI) organizations are subject to additional regulations that require security certifications such as Common Criteria and FIPS 140-2. These, and other U.S. and worldwide security certifications assure that the certified product meets standards in areas that include authentication, auditing, cryptography, management, and secure communications. Certifications standards and requirements change and evolve as the security world does; for that reason, most certifications are specific to a given product release.

Keeping current with security changes, best practices, and evolving standards, F5 participates in the International Cryptographic Modules Conference (ICMC) and the International Common Criteria conferences (ICCC) to provide organizations with robust security as well as streamlined compliance. The National Institute of Standards and Technology (NIST) Cryptographic Module Validation Program (CMVP) drives the F5 roadmap for cryptography.

Many F5 products have been certified by Common Criteria, a worldwide assurance certification used by government agencies and companies across the globe. Twenty-six countries are signatories to a Mutual Recognition Agreement, which effectively ensures that once a product is certified, it can be marketed as certified in any or all of the signatory countries.

Developed by the NIST, Federal Information Processing Standards (FIPS) are used by United States government agencies and government contractors in non-military computer systems. FIPS 140 series are U.S. government computer security standards that define requirements for cryptography modules, including both hardware and software components, for use by departments and agencies of the United States federal government.

FIPS 140-2-compliant F5 products use FIPS 140-2-certified hardware security modules (HSMs) to meet the compliance requirement. An HSM is a secure physical device designed to generate, store, and protect digital, high-value cryptographic keys. It is a secure crypto-processor that often comes in the form of a plug-in card (or other hardware) with tamper protection built in. The BIG-IP system includes a FIPS cryptographic/SSL accelerator—an HSM option specifically designed for processing SSL traffic in environments that require FIPS 140-1 Level 2–compliant solutions.

F5 BIG-IP devices are FIPS 140-2 Level 2–compliant. This security rating indicates that once sensitive data is imported into the HSM, the platform incorporates cryptographic techniques to ensure the data is not extractable in a plain-text format. BIG-IP devices also provide tamper-evident coatings or seals to deter physical tampering. The BIG-IP platform’s unique key management framework enables a highly scalable secure infrastructure that can handle higher traffic levels and to which organizations can easily add new services.

Additionally the FIPS cryptographic/SSL accelerator uses smart cards to authenticate administrators, grant access rights, and share administrative responsibilities to provide a flexible and secure means for enforcing key management security.

A DoS attack is an attempt to make a machine or network resource unavailable to its intended users, so as to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet. A distributed denial-of-service (DDoS) comes from an attack source with more than one—often thousands of—unique IP addresses.

F5 architects have developed multiple strategies to prevent and mitigate DoS attacks. Development teams have released features and submitted patents for techniques to protect enterprise data and provide security for the fundamental elements of an application (network, DNS, SSL, and HTTP). Software features deliver a wide range of protection, such as rate limiting various types of requests, determining if there are too many packets or who initiated the request, providing heuristics, and preventing spoofing.

Leveraging the intrinsic security capabilities of intelligent traffic management and application delivery, the BIG-IP platform protects and ensures availability of an organization's network and application infrastructure under even the most demanding conditions.

While attacks on networks, applications, and data continue to increase, organizations relying upon the BIG-IP platform can be confident in the security of their systems to protect their most valuable assets.

F5 ensures the security of the BIG-IP platform through its rigorous Secure Software Development Lifecycle process, which has been designed to discover and fix vulnerabilities before product release. In addition, the BIG-IP platform has several key security features—such as Appliance Mode, Secure Vault, SELinux, security certifications, and DoS protection—that help ensure the integrity of critical applications and enterprise data.

The volume and complexity of security threats will certainly continue to evolve. At the same time, F5 will continue to design purpose-built security solutions to help organizations prevent, mitigate, and respond to attacks—while defending their reputations and protecting their business.