Securing Web Applications with F5 BIG-IP Application Security Manager and VMware vCloud Air
DEPLOYMENT GUIDE
VMWARE VCLOUD AIR AND F5 BIG-IP ASM | 1
Securing Web Applications
Migrating application workloads to the public cloud is an essential consideration for many enterprises. The barriers to greater adoption of public clouds have frequently stemmed from lack of enterprise-ready software and network security components, or an immature cloud platform. Threats to applications such as cross-site scripting, brute force attacks, and DDoS attacks can expose an enterprise to outages, data theft, and even lost customers. Ensuring that applications are available and secure in public cloud infrastructures will speed adoption. The benefits of cloud deployments are obvious; however, enterprise-ready application delivery components are essential to ensure successful deployments. This guide provides an overview of the setup and deployment of BIG-IP Local Traffic Manager (LTM) and BIG-IP Application Security Manager (ASM) running in front of a vulnerable web application. In this guide, we deploy an application in order to demonstrate the most common Layer 7 exploits and then illustrate how BIG-IP ASM protects against these vulnerabilities. Providing robust web application security is a necessary complement to deploying robust production-ready application workloads in vCloud Air, whether for test and development or for new application deployments.
Application | Version | Description
DVWA | 1.8 | DVWA is an application designed specifically to show the most common web application exploits
BIG-IP Local Traffic Manager (LTM) | 11.5.1 | Core BIG-IP LTM Functionality
BIG-IP Application Security Manager (ASM) | 11.5.1 | Web Application Firewall
Microsoft Windows | 2012 | Web Server
Xampp | 1.0.8 | Apache Web Server and MySQL Database
vCloud Air | N/A | IaaS Platform
Deploy F5 BIG-IP LTM and BIG-IP ASM in vCloud Air
Follow these steps to download and set up BIG-IP Virtual Edition and deploy it in vCloud Air.
1. Open a web browser, navigate to https://downloads.f5.com, and then click on BIG-IP
2. From the dropdown menu, choose version 11.5.1, and then click on Virtual-Edition.
Follow the download instructions.
3. Once the BIG-IP Virtual Edition is downloaded, upload it into the vCloud Air My Catalog.
4. In vCloud Air, click on Add Virtual Machine, select your resources, and choose the My
Figure 1: Deploy BIG-IP 11.5.1.XX
5. Provide a name for your BIG-IP and ensure a public IP address is assigned to your
primary management interface.
6. Set up NAT and firewall rules in vCloud Air to provide access to the management IP
7. After the BIG-IP is deployed, navigate to https://bigippublicipaddress and use the default
username Admin and the default password Admin to log in.
8. License your BIG-IP using the automatic method.
9. In the Module provisioning section, select BIG-IP LTM and BIG-IP ASM and set license
provisioning to Nominal.
Figure 2: Provision ASM and LTM Modules on BIG-IP
For additional details on deploying BIG-IP VE, please go to https://support.f5.com.
Provision Internal and External VLANs on the BIG-IP
After you complete the initial BIG-IP system setup, you'll need to provision the networking and VLANs. In this example, we will create an Internal and an External VLAN and select interfaces 1.1 and 1.2 for the VLANs, respectively. The BIG-IP system's full proxy architecture mandates that the network virtual servers reside on the External VLAN; communication to the application server will reside on the Internal VLAN.
Figure 3: Create VLANs on the BIG-IP System
Assign Self-IP Addresses
Once you have created the VLANs, you will need to create at least one self-IP address for each VLAN. A self-IP address is an IP address on the BIG-IP system that you associate with a VLAN so it can access hosts in that VLAN. By virtue of its netmask, a self-IP address represents an address space, that is, a range of IP addresses spanning the hosts in the VLAN, rather than a single host address. (You can associate self-IP addresses not only with VLANs, but also with VLAN groups.)
Self-IP addresses serve two purposes. First, when sending a message to a destination server, the BIG-IP system uses the self-IP addresses to determine the specific VLAN in which the destination server resides. For example, if VLAN Internal has a self-IP address of 10.10.10.100, with a netmask of 255.255.255.0, and the destination server's IP address is 10.10.10.20 (with a netmask of 255.255.255.255), the BIG-IP system recognizes that the server's IP address falls within the range of VLAN Internal's self-IP address and therefore sends the message to that VLAN. More specifically, the BIG-IP system sends the message to the interface that you assigned to that VLAN. If more than one interface is assigned to the VLAN, the BIG-IP system takes additional steps to determine the correct interface, such as checking the Layer 2 forwarding table.
Second, a self-IP address can serve as the default route for each destination server in the corresponding VLAN. In this case, the self-IP address of a VLAN appears as the destination IP address in the packet header when the server sends a response to the BIG-IP system.
Figure 4: Create Self IP Addresses
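Added example (not part of the original guide, and not F5 code): the two roles of a self-IP address described above, VLAN selection and default gateway, modeled in Python with the 10.10.10.100 / 255.255.255.0 example from the text. The External entry, the function names, and the longest-prefix tie-break are assumptions made for illustration.

```python
import ipaddress

# Constructed sample table. "Internal" uses the address and netmask from the
# text; the "External" entry is an assumed value from a documentation range.
SELF_IPS = {
    "Internal": ("10.10.10.100", "255.255.255.0"),
    "External": ("192.0.2.10", "255.255.255.0"),
}


def address_spaces(self_ips):
    """Map each VLAN to the interface object (address + network) of its self-IP."""
    return {vlan: ipaddress.ip_interface(f"{addr}/{mask}")
            for vlan, (addr, mask) in self_ips.items()}


def vlan_for_destination(dest, self_ips):
    """Return the VLAN whose self-IP address space contains dest, else None.

    Preferring the longest prefix when several VLANs match is an assumption
    of this sketch, not documented BIG-IP behaviour.
    """
    dest_ip = ipaddress.ip_address(dest)
    hits = [(iface.network.prefixlen, vlan)
            for vlan, iface in address_spaces(self_ips).items()
            if dest_ip in iface.network]
    return max(hits)[1] if hits else None


def check_server(server_ip, gateway, self_ips):
    """List problems with a server's address and default gateway, assuming the
    guide's setup where the gateway is the self-IP of the server's VLAN."""
    vlan = vlan_for_destination(server_ip, self_ips)
    if vlan is None:
        return [f"{server_ip}: no self-IP address space covers this server"]
    self_ip = address_spaces(self_ips)[vlan].ip
    if ipaddress.ip_address(gateway) != self_ip:
        return [f"{server_ip}: gateway {gateway} is not the {vlan} self-IP {self_ip}"]
    return []


if __name__ == "__main__":
    print(vlan_for_destination("10.10.10.20", SELF_IPS))
    print(check_server("10.10.10.20", "10.10.10.1", SELF_IPS))
    print(check_server("10.4.4.20", "10.10.10.100", SELF_IPS))
```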
Deploy Microsoft Windows Server in vCloud Air
Log on to the vCloud console by navigating to https://vchs.vmware.com. From the Virtual Machines tab, click on Add Virtual Machine. You will be prompted to select your data center and resources, and then choose a Windows server. For our example, we chose Windows 2012 Server 64bit R2 (see Fig. 5). We deployed a single interface on this Windows device, in this case on the non-routable internal network, and we chose 10.4.4.x for our network. This corresponds to the internal network that we configured on the BIG-IP system. After you have configured this device and assigned the network interface, the Windows server will boot and assign a default password. You will be prompted to immediately change your password at login. Once logged in, you will provide a unique password for the Admin account. Once the Windows server is deployed, navigate to the network settings and change the default gateway to the self-IP for the Internal VLAN on the BIG-IP system.
Figure 5: Deploy Windows 2012 R2 Standard
Install Xampp Web Server and MySQL DB
Xampp is an Apache Web Server, PHP, and MySQL DB application that can be downloaded free of charge. In this exercise, we downloaded the Xampp product from https://www.apachefriends.org/index.html. We selected the Windows version 1.8.3 (PHP 5.5.15) and installed this product on our Windows 2012 server. Once you have downloaded the Xampp product, run the installer and accept the default settings, launch the Xampp application, and start the MySQL and Apache Web Server (see Fig. 6). After the Xampp engine is started, open a browser and navigate to http://127.0.0.1, the loopback address of the local machine, in order to validate proper installation.
Figure 6: XAMPP Server Control
Install the DVWA Application
The DVWA application is designed for security professionals as an aid for testing. It is specifically constructed to be highly vulnerable to many layer 4-7 attack vectors such as cross-site scripting, SQL injection, and brute force attacks. As such, it is an ideal web application to demonstrate the ability of BIG-IP ASM to protect even the most attack-prone web applications against attack.
To deploy DVWA, you must first download the DVWA web application from http://www.dvwa.co.uk/. Once the application is downloaded, extract the files and copy the DVWA directory into the c:\xampp\htdocs directory. Remove all existing files contained in this directory and paste the DVWA directory to c:\xampp\htdocs.
Figure 7: Copy DVWA to root of c:\xampp\htdocs
Once you have copied the DVWA directory to the c:\xampp\htdocs directory on the Windows server, navigate to http://127.0.0.1, which is the default loopback address. Log in with the username: admin and the password: password. In the left-hand sidebar, click Setup, then Create/Reset Database. This will deploy the initial configuration of the DVWA application.
Figure 8: DVWA initial configuration and database setup
Configure BIG-IP ASM Security Policy on the BIG-IP System
Once you have configured BIG-IP LTM with its associated VIPs and NAT rules, configure a BIG-IP ASM security policy and associate it with the BIG-IP LTM virtual server. Use the automatic policy builder to create a security policy for dvwa_virtual.
1. In the Navigation pane of the BIG-IP Configuration utility, open the Security > Application
Security > Security Policies > Active Polici