WHITE PAPER

Modern Workloads on Dell EMC VxRail

Bringing Availability & Security Services to an Infrastructure-as-a-Service Environment

Whitepaper Overview

Dell EMC VxRail provides a proven virtualized environment for enterprises that want to consolidate workloads on a high-performance platform. As more workloads, including web-facing microservice applications, migrate onto the platform, infrastructure managers need to look beyond Infrastructure-as-a-Service. To support the growing list of workloads, they’ll need to look into services that ensure performance, security and availability for uninterrupted business operations. Taking an ecosystem perspective, our whitepaper focuses on F5 network application services that provide availability and security to web-facing workloads on VxRail. These application services use F5 software that seamlessly integrates into the VxRail VMware environment, making it easy to provision, configure and support F5 services via VxRail vCenter.

In the VxRail environment, infrastructure managers can consolidate applications from legacy and cloud platforms to create a single, integrated environment that is layered on top of the infrastructure for optimal operation. These capabilities could be offered as an integrated “as-a-service” environment to internal stakeholders, ensuring performance and cost efficiency, and enabling seamless extension to the public cloud via VMware Cloud.

Key topics outlined within the whitepaper:

  • Section 1: Deploying F5® Advanced Web Application Firewall™ services within VxRail
  • Section 2: Customizing the security policy
  • Section 3: Configuring high availability support for workloads and applications
  • Section 4: Keeping web-facing assets safe and secure
  • Section 5: Future ready: Leveraging vCenter for application service visibility & capacity planning
  • Section 6: Summary

Section 1 – Deploying F5 Advanced Web Application Firewall services within VxRail

This section focuses on using the vCenter management interface to provision and deploy F5 Advanced Web Application Firewall (Advanced WAF) software onto VxRail. For this example, we have created two web servers hosting a sample workload and have deployed Advanced WAF in front of the servers. The example was designed with the objective of optimizing and protecting the web-facing workload residing within the web servers.

Figure 1: A screenshot of the VxRail vCenter

Start by creating an Advanced WAF template within VxRail vCenter, as shown in Figure 1. The Advanced WAF template should be listed in the template folder in VxRail-Datacenter. The template stores the image of the Advanced WAF; the template can be used to launch the application service in the future, allowing for easy service creation.

Figure 2: Setting up the Advanced WAF service using the vCenter interface.

Click on the Advanced WAF template as indicated in Figure 2. From this menu you can launch a new VM, then prepare the services to be used, referring to the steps outlined in screenshots below as needed. We have included individual screenshots of each step to simplify the deployment process.

To ensure a smooth deployment, be sure to follow these guidelines:

  • Create a unique name for your Advanced WAF VM (we named it F5-AWAF-A here).
  • Select the location of the VM (we selected VxRail Datacenter as the default location).
  • Select the destination compute cluster (we named it F5 Resource Pool within the cluster).
  • Select the storage (we picked VxRail-Virtual-SAN-DataStore).

When you have finished the configuration process, you should see Advanced WAF deployed on the VxRail cluster with the IP Address specified in the summary page, including pre-assigned compute resources and storage. See Figure 3 for an example of a successfully configured deployment.

Figure 3: A summary page showing the Advanced WAF service deployed on VxRail

A step-by-step visual guide for deploying Advanced WAF on VxRail

Figure 4: When deploying Advanced WAF security services, you can choose to use a pre-defined service template. Doing this will make the deployment faster and more consistent.
Figure 5: You can select your preferred Advanced WAF template from the service deployment menu.
Figure 6: Be sure to set the location of the service VM to VxRail Datacenter.
Figure 7: Confirm F5 as the VM compute source under VxRail Datacenter.
Figure 8: Set the storage option to VxRail-SAN-Datastore.
Figure 9: Confirm that all settings are correct before clicking Finish.
Figure 10: Check the Summary tab for an overview of the Advanced WAF settings.

Section 2 – Customizing the security policy

Once the Advanced WAF software has been deployed, we can define the security policy used to screen incoming traffic before it is passed to the web servers. Advanced WAF lets users craft their own granular security policies, and also includes extensive libraries of threat intelligence and signatures. These libraries are updated frequently with the most timely security information, which enables users to create workload-centric security profiles backed by the latest threat intelligence. Users may also choose to enable “listening” mode, which uses machine learning to establish an environment-specific baseline security policy, thereby reducing unnecessary alerts triggered by false positives.

Figure 11: Within the F5 Console, users can apply granular, customized security policies for different workloads that Advanced WAF is tasked to protect.
Figure 12: Users can access policy templates to guide the design of a security policy that is best suited to their environment. These templates make use of Learn, Alarm, or Block modes.

To create a customized security policy, access the Application Security option from the Security menu. From this menu, users can click the Security Policies option, and choose the Policy Customization Page. From the Policy Customization page, users can create security policies for individual workloads.

Security policies can be designed to accommodate many different types of enforcement. For example:

  • File type enforcement blocks all file types that are commonly used during attacks, such as .exe, .bak, and .pl.
  • Specific URL enforcement creates restrictions based on URLs, for example, GET /index.php HTTP/1.1.
  • Parameter enforcement only allows specific parameters in the URL, for example: username=admin&password=P@sswOrd!&Login=Login.

Advanced WAF includes a machine learning-enabled baseline learning module. When activated, this module monitors incoming traffic over a period of time (usually 3-6 weeks), then uses the accumulated data to establish a baseline traffic rhythm and identify a set of anomalies to cross-check against the threat signature database. If any threats are identified, they will immediately be blocked or forwarded to the administrator for further action.

As shown in Figure 12, it is possible to define a granular course of action to take when a security incident occurs. For example:

  • When learning mode is turned on, incident records will be captured for future reference and benchmarking.
  • With alarm mode enabled, all identified incidents will trigger an alert to the administrator.
  • With block mode enabled, incoming threats will be automatically blocked without the need for administrator intervention.
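To make the three enforcement types and the three modes above concrete, here is a small positive-security policy engine written for this whitepaper as an added example; it is not F5 code and does not reproduce how Advanced WAF implements its policies. It checks each request line against a file-type denylist (.exe, .bak, .pl), a URL allowlist and a parameter allowlist, and then acts according to the configured mode: learn mode extends the baseline from observed traffic (a denied file type is never learned), alarm mode only reports, and block mode rejects. The request lines and the allowlists are constructed sample data.

```python
"""Added example (not F5 code): a minimal positive-security policy engine that
mirrors the file-type, URL and parameter enforcement types and the Learn, Alarm
and Block modes described in Section 2. All requests are constructed samples."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qs
import posixpath

# File types the page names as commonly used during attacks.
BLOCKED_EXTENSIONS = {".exe", ".bak", ".pl"}


@dataclass
class Policy:
    mode: str                                           # "learn", "alarm" or "block"
    allowed_urls: set = field(default_factory=set)      # entries like ("GET", "/index.php")
    allowed_params: set = field(default_factory=set)    # entries like "username"


@dataclass
class Decision:
    action: str          # "pass", "learned", "alarm" or "blocked"
    violations: list     # human-readable reasons, empty when the request passed


def _violations(policy, method, target):
    """Collect every policy violation in one request; an empty list means compliant."""
    parts = urlsplit(target)
    path = parts.path or "/"
    found = []
    ext = posixpath.splitext(path)[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        found.append(f"file type {ext} not allowed")
    if (method, path) not in policy.allowed_urls:
        found.append(f"URL {method} {path} not in allowlist")
    for name in parse_qs(parts.query, keep_blank_values=True):
        if name not in policy.allowed_params:
            found.append(f"parameter {name!r} not in allowlist")
    return found


def evaluate(policy, request_line):
    """Apply the policy to one request line such as 'GET /index.php HTTP/1.1'."""
    method, target, _version = request_line.split(" ", 2)
    violations = _violations(policy, method, target)
    if not violations:
        return Decision("pass", [])
    if policy.mode == "learn":
        # Learn mode records the incident and widens the baseline, but a denied
        # file type is never added to the baseline.
        parts = urlsplit(target)
        path = parts.path or "/"
        if posixpath.splitext(path)[1].lower() not in BLOCKED_EXTENSIONS:
            policy.allowed_urls.add((method, path))
            policy.allowed_params.update(parse_qs(parts.query, keep_blank_values=True))
        return Decision("learned", violations)
    if policy.mode == "alarm":
        return Decision("alarm", violations)      # report, but let the request through
    return Decision("blocked", violations)        # block mode: reject without operator action


# Constructed sample traffic: two compliant requests followed by three violations.
SAMPLE_REQUESTS = [
    "GET /index.php HTTP/1.1",
    "GET /index.php?username=admin&password=secret&Login=Login HTTP/1.1",
    "GET /index.php?username=admin&debug=1 HTTP/1.1",      # unknown parameter
    "GET /backup.bak HTTP/1.1",                            # denied file type, unknown URL
    "POST /admin.php HTTP/1.1",                            # unknown URL
]


def run(mode):
    """Evaluate the sample traffic under one mode and return the list of actions."""
    policy = Policy(mode=mode,
                    allowed_urls={("GET", "/index.php")},
                    allowed_params={"username", "password", "Login"})
    return [evaluate(policy, line).action for line in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for mode in ("learn", "alarm", "block"):
        print(mode, run(mode))
```

Running the same traffic in all three modes shows the operational trade-off the page describes: learn mode silently grows the allowlists (so a learning window that includes attack traffic would learn the attacker's parameters, which is why learned entities need review before switching to block mode), alarm mode produces the alerts an administrator must triage, and block mode enforces without intervention.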

Section 3 – Configuring high availability support for workloads and applications

BIG-IP High Availability is provided by TMOS, so the resiliency methodology and its supporting features are consistent across all product modules.

The figures below will walk you through the steps necessary to configure your system for high availability. These steps include:

  • Setting internal network configurations (for example, VLAN information)
  • Setting external network configurations
  • Choosing your High Availability Network Configuration
  • Reviewing and confirming configuration details

Figure 13: Configure network-level failover for basic high availability.
Figure 14: Configure VLAN information within the internal network settings.
Figure 15: Configure the external network settings.
Figure 16: Finalize the high availability VLAN configuration.

Section 4 – Keeping web-facing assets safe and secure

In this section, we use two security features, user credential protection and SQL injection blocking, to illustrate how to implement protection for web-facing workloads. In lieu of a step-by-step guide, we created a demo that shows how these security features block intrusions and threats automatically, keeping the workloads and back-end infrastructure safe.

Figure 17: A view of the Advanced WAF Service Demo on User Credential Protection as we name the service “Anti-Fraud” and configure it within the Advanced WAF Security Section.

User Credential Protection

Data Safe allows user credentials and parameter names (for example, ID and password) to be encrypted and obfuscated at the application layer in real time. No coding changes or adjustments to the application source code are required to implement this security service.

For web-facing assets or applications with HTTP/HTTPS traffic, data encryption with SSL is the first step toward protecting the data against potential exposure to an unlawful third party. However, SSL encryption during transfer is not enough to ensure data security. Credential theft could also occur at the client level; for example, end users may have compromised their web browsers by clicking on harmful files or accessing malware-infested sites.

The Data Safe feature can be enabled via the Security section on the Advanced WAF console. Select Data Protection, then proceed to Data Safe profiles:

  • Create a new profile
  • Set the profile name to Anti-Fraud
  • Enable application layer encryption inside the Anti-Fraud profile
  • Enable other criteria to protect user credentials

With Data Safe enabled, you can set the criteria to encrypt ID and password at the client level for web-facing assets or services. This reduces the risk of a security breach due to malware-infected browsers. Applications that are protected by Data Safe present web pages via Advanced WAF. ID and password characters are encrypted as they are entered by the user. Even if a browser is compromised, the malware will only be able to extract the encrypted data, which cannot be decrypted without the private key, rather than the actual password (See the illustration below for more details). In addition to client-side web-layer credential protection, Advanced WAF can be upgraded to include mobile-layer protection for workloads from mobile applications.

Figure 18: Choose security options in the Application Layer Encryption menu to set a security policy appropriate for your needs.

Solution Demo: Comparing service with and without Advanced WAF

Part A: User credential protection

Figure 19: The above illustration shows the results of a query to the password.value field. With no protection, a compromised client could expose user credentials to a hacker. With Data Safe enabled, the user credentials are encrypted as they are entered, reducing the risk that credentials are compromised.

Part B: On SQL injection

SQL injection always ranks highly on the OWASP Top 10 Threats list. Hackers look for vulnerabilities within application code to find opportunities to extract essential data from the back-end database. The first step to reducing the risk of compromise by SQL injection is to promote coding best practices to ensure “safe-n-secure” coding. You can also apply an extra layer of protection within your infrastructure. Advanced WAF incorporates extensive threat intelligence and includes a library of threat signatures, which can be deployed to safeguard the web-facing workloads from SQL injection.

To enable protection against SQL injection, access the Attack Signatures section from the Application Security menu, and use SQL as the filter keyword. You’ll see a list of SQL injection-related signatures within the threat signature database. At the time this demo was completed, there were 563 related signatures available to protect against SQL-related attacks. Select all the relevant threat signatures and add them to your application security policy.

Figure 20: This shows the extensive library of SQL injection threat signatures. The library is updated frequently to reflect the latest threat intelligence.

To illustrate the difference, the following figures show the results with and without SQL injection blocking.

Figure 21: Without SQL injection protection, execution of the query command returns user ID data stored within the system.

With protection, the query is blocked, and an error message like this one is returned instead.

With SQL injection protection activated, injected SQL queries are blocked before they reach the database. The would-be hacker receives an error message instead.
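Part B describes two layers of defence: the coding practice that removes the vulnerability, and a signature-based filter in front of the application that blocks known attack patterns. The following code, written for this whitepaper as an added example and not F5 code, shows both layers side by side against an in-memory SQLite database. The users table, the sample input, the three regular-expression signatures and the handle_request function are all constructed for the demo; they are not Advanced WAF's signature set or API.

```python
"""Added example (not F5 code): a concatenated query next to its parameterized
form, plus a tiny signature filter standing in for the WAF layer. The database,
rows and signatures are constructed for this demonstration."""
import re
import sqlite3


def make_db():
    """Build a throwaway in-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "hash1"), ("bob", "hash2")])
    return conn


def lookup_unsafe(conn, username):
    """Vulnerable: the user-controlled value is spliced into the SQL text."""
    sql = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened: the driver binds the value, so quotes inside it remain data."""
    return conn.execute("SELECT id, username FROM users WHERE username = ?",
                        (username,)).fetchall()


# Three hand-written SQL-injection signatures (constructed; the real signature
# library on the page holds hundreds of far more specific patterns).
SQLI_SIGNATURES = [
    re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I),       # quote followed by a tautology
    re.compile(r"(--|/\*)"),                                  # SQL comment to truncate the query
    re.compile(r";\s*(drop|delete|update|insert)\b", re.I),   # stacked statement
]


def waf_filter(value):
    """Return the pattern of the first matching signature, or None if the value looks clean."""
    for sig in SQLI_SIGNATURES:
        if sig.search(value):
            return sig.pattern
    return None


def handle_request(conn, username, use_parameterized=True, waf_enabled=True):
    """Model one request: ('blocked', None) if the WAF layer rejects it, else ('ok', rows)."""
    if waf_enabled and waf_filter(username) is not None:
        return ("blocked", None)
    rows = lookup_safe(conn, username) if use_parameterized else lookup_unsafe(conn, username)
    return ("ok", rows)


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"    # constructed tautology input for the demo
    print("unsafe, no WAF :", handle_request(db, probe, use_parameterized=False, waf_enabled=False))
    print("safe, no WAF   :", handle_request(db, probe, use_parameterized=True, waf_enabled=False))
    print("unsafe with WAF:", handle_request(db, probe, use_parameterized=False, waf_enabled=True))
    print("normal user    :", handle_request(db, "bob"))
```

The concatenated query returns every row for the tautology input, which is the Figure 21 outcome; the parameterized query returns nothing because the quote characters are bound as data; and the filter layer stops the request before either query runs, which is the blocked outcome. Two points follow for practice: the signature layer is the backstop, not the fix, since a pattern the signatures miss still reaches the unsafe query; and broad patterns such as the comment rule will match some legitimate input, which is the false-positive problem the page's learning mode is meant to tune out.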

Section 5 – Future ready: Leveraging vCenter for application service visibility and capacity planning

VxRail offers a scalable, easy-to-manage environment that enables users to easily deploy, test, and integrate F5 services. In this section, we focus on the usage details of Advanced WAF, demonstrating how to access a full report of its current state (for example, CPU and memory utilization), and showing how this information can be used to plan for future expansion. Our goal is to ensure F5 software is built to support the ‘as-a-service’ model of VxRail.

Figure 22: The Advanced WAF Service Utilization Dashboard for easy capacity planning

As outlined in Figure 22, within VxRail vCenter, we can have granular visibility of the Advanced WAF Virtual Appliance usage level. From here, users can access details of the Advanced WAF VM, including:

  • Overview info about Advanced WAF (IP Address, DNS name, CPU usage, etc.)
  • Configuration (including VM settings)

For this Advanced WAF demo, we’ve created 2 web servers (LAMP Server 1 and LAMP Server 2) that are used to illustrate usage scenarios in which Advanced WAF optimizes and protects web-facing assets residing within VxRail.

F5 Advanced WAF resource usage overview on VxRail

The figures below show the resources allocated to our services, giving readers insight into the resources used for the demo. This allows infrastructure managers to estimate the capacity needed to scale up these services for a production environment. This information may be particularly useful if these tools will be used in a scalable as-a-service environment.

Figure 23: A summary of resource utilization by Advanced WAF (CPU, Memory, Storage)
Figure 24: A view of F5 Service resource utilization that compares currently utilized resources to total available resources. This provides a simple view of future capacity to scale.
Figure 25: Details of the two open source Ubuntu web servers deployed for this demonstration

Section 6 – Summary

In this whitepaper, we have shown how to set up the F5 Advanced Web Application Firewall (Advanced WAF) within the VxRail environment. We walked through a step-by-step deployment guide, illustrating Advanced WAF security features using before and after comparisons.

This document demonstrates how to deploy third party software on the VxRail environment by setting it up as a service that infrastructure managers can integrate and offer in a service-rich environment. We showed how to configure Advanced WAF in the VxRail environment to provide application security services for web-facing microservices-based applications.  

VxRail is a high performance, scalable, easy-to-manage platform that can be used by infrastructure managers to drive business operations. Deploying third party services that ensure a good user experience is critical to business success. F5 Advanced WAF provides seamless support within the VxRail environment that can be extended to the VMware Cloud.


Published August 03, 2020
