Identity-Aware decisions with JA4+

Introduction

JA4+ is a suite of network fingerprinting methods. The fingerprints are both human and machine readable, which makes threat hunting and analysis more effective. Use cases include scanning for threat actors, malware detection, session hijacking prevention, compliance automation, location tracking, DDoS detection, grouping of threat actors, reverse shell detection, and many more.

Full Name       Short Name    Description
JA4             JA4           TLS Client Fingerprinting
JA4Server       JA4S          TLS Server response / Session Fingerprinting
JA4HTTP         JA4H          HTTP Client Fingerprinting
JA4Latency      JA4L          Latency measurement / Light distance
JA4X509         JA4X          X509 TLS Certificate Fingerprinting
JA4SSH          JA4SSH        SSH Traffic Fingerprinting
JA4TCP          JA4T          Passive TCP Client Fingerprinting
JA4TCPServer    JA4TS         Passive TCP Server Response Fingerprinting
JA4TCPScan      JA4TScan      Active TCP Server Fingerprinting


Identity-enhanced JA4+  

F5 BIG-IP Access Policy Manager (APM) and F5 BIG-IP Next Access can integrate with other F5 BIG-IP modules and with external systems, which makes it possible to bring JA4+ fingerprints into identity-based decisions. In this article we cover three JA4+ fingerprints: JA4, JA4L and JA4H.

We use two main integration points:

Policy event trigger

    1. Building on the DevCentral repository by Joe Martin, https://github.com/f5devcentral/f5-ja4, which shows how to calculate JA4 fingerprints with F5 BIG-IP iRules, the Access policy flow is used to trigger those iRules and obtain the required JA4 fingerprints.
    2. The iRules are extended with an additional ACCESS_POLICY_AGENT_EVENT event handler, and an iRule event trigger is added to the Access policies to fire it.

JA4 iRule

    when ACCESS_POLICY_AGENT_EVENT {
        # Fired by the iRule event trigger in the Access policy; $ja4 holds the
        # fingerprint computed earlier in the JA4 iRule from the repository
        if { [ACCESS::policy agent_id] eq "JA4FP" } {
            ACCESS::session data set session.custom.JA4 $ja4
        }
    }

JA4L iRule

    when ACCESS_POLICY_AGENT_EVENT {
        if { [ACCESS::policy agent_id] eq "JA4FPL" } {
            # Store the complete JA4L value and each of its three
            # underscore-separated fields as separate session variables
            ACCESS::session data set session.custom.JA4l $ja4l
            ACCESS::session data set session.custom.JA4la [getfield $ja4l "_" 1]
            ACCESS::session data set session.custom.JA4lb [getfield $ja4l "_" 2]
            ACCESS::session data set session.custom.JA4lc [getfield $ja4l "_" 3]
        }
    }

JA4H iRule

    when ACCESS_ACL_ALLOWED {
        # ACCESS_ACL_ALLOWED fires per allowed HTTP request once the session
        # exists, so the HTTP client fingerprint ($ja4h_fp, computed in the
        # JA4H iRule from the repository) is stored in the session here
        ACCESS::session data set session.custom.JA4h $ja4h_fp
    }


HTTP Connector, sideband calls

  1. Initiate a sideband call to a JA4 fingerprint database and check the fingerprints obtained by the iRules above against it.
  2. This database can hold allowed or blocked fingerprints (malicious browsers, clients, and others).

This covers not only security use cases but also network and performance use cases, for example:

  • Network performance: use JA4L to measure the delay from the client to the VPN endpoint and from the VPN endpoint to the backend server, and based on that delay direct the user to a better VPN endpoint for the specific service.
  • Security: match the calculated fingerprints (JA4, JA4H, others) against the JA4 database to block malicious clients and browsers.
  • Security: match the calculated fingerprints (JA4, JA4H, others) against the JA4 database to allow only specific machines or browsers to access the service.
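The decision logic such a fingerprint database would apply when the HTTP Connector queries it, as an added Python example that is not part of the original article or the f5-ja4 repository. The database contents, fingerprint values and VPN endpoint names are constructed for illustration; the JA4 layout check follows the public JA4 format, and the JA4L handling assumes the first underscore-separated field (session.custom.JA4la in the iRule above) is the client latency in microseconds.

```python
import re
from typing import Optional

# JA4 TLS client fingerprint layout: <a>_<b>_<c>, where a = protocol (t/q),
# TLS version, SNI flag (d/i), cipher count, extension count, ALPN chars,
# and b, c = 12-hex-char truncated SHA-256 of ciphers / extensions.
JA4_RE = re.compile(r"^[tq][0-9a-z]{2}[di]\d{4}[0-9a-z]{2}_[0-9a-f]{12}_[0-9a-f]{12}$")

# Constructed database standing in for what the HTTP Connector would query;
# every value below is made up. JA4H entries are looked up as opaque strings.
FINGERPRINT_DB = {
    "blocked": {"t12i0302h1_0badbadbad00_deadbeefcafe", "ja4h-constructed-blocked-0001"},
    "allowed": {"t13d1717h2_a110e4a110e4_c0ffee000001"},
}
# Constructed VPN endpoints, each with the highest JA4L client latency
# (microseconds) for which it is still the preferred choice.
VPN_ENDPOINTS = [("vpn-edge-1", 20_000), ("vpn-edge-2", 60_000)]


def is_valid_ja4(fp: str) -> bool:
    """Reject malformed values before they reach the database lookup."""
    return JA4_RE.fullmatch(fp) is not None


def fingerprint_decision(ja4: str, ja4h: Optional[str] = None) -> str:
    """Return 'invalid', 'block', 'allow' or 'default' for a session.

    Block is checked first so an allow-listed JA4 cannot rescue a blocked JA4H.
    """
    if not is_valid_ja4(ja4):
        return "invalid"
    observed = {ja4} | ({ja4h} if ja4h else set())
    if observed & FINGERPRINT_DB["blocked"]:
        return "block"
    if observed & FINGERPRINT_DB["allowed"]:
        return "allow"
    return "default"


def pick_vpn_endpoint(ja4l: str) -> str:
    """Pick an endpoint from the JA4L latency field (assumed: first field, in
    microseconds); the remaining underscore-separated fields are ignored."""
    latency_us = int(ja4l.split("_")[0])
    for name, max_latency_us in VPN_ENDPOINTS:
        if latency_us <= max_latency_us:
            return name
    return VPN_ENDPOINTS[-1][0]
```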

Conclusion

JA4+ provides lightweight insight into passing traffic: not only the traffic that reaches the device, but also the history of the path each packet traversed. Enhancing that visibility with the identity piece from F5 Access solutions allows granular control over traffic, not only from a security perspective but also from a performance and optimization point of view.

Published Jun 07, 2024
Version 1.0