F5Access | MacOS Sonoma
I upgraded my MacOS to Sonoma (the latest version of MacOS) and now F5 Access does not open. When I try to open the application, nothing happens. The icon in the up menu bar does not appear. Is anyone passing through the same situation? Thanks!

2.4K Views, 3 likes, 50 Comments

GhostStripe, Sec Clearance bill, JR EAST, Vulnrichment, and Solar Storm
This week Koichi is back as editor for another round-up of the news. This time I chose these security news items: GhostStripe; the Security Clearance bill and RISS; a suspected attack on Japan Railway (JR) East; Vulnrichment; and Solar Storm.

GhostStripe, a new attack method against Self-Driving Cars (SDC)

A group of researchers from a university in Singapore announced that they have demonstrated a new attack method against SDCs, which they call GhostStripe. It is an adversarial attack against the AI used in self-driving systems. An SDC takes pictures, and its AI recognizes the surroundings from those images. Intentionally manipulating the image so that the SDC's AI misrecognizes it is an adversarial example attack, which I discussed before. For example, ShapeShifter is an attack method in which intentional manipulation of the image of a traffic sign ordering a stop makes the SDC recognize the wrong instruction and not stop. GhostStripe uses LEDs to project colored lines that the human eye cannot distinguish but that the CMOS rolling digital shutter reacts to. AI security was discussed in a previous article, and we expect to see more research on such attacks in the future.

Source: GhostStripe attack haunts self-driving cars by making them ignore road signs

Security Clearance bill and RISS

On May 9, the Japanese House of Councilors' Cabinet Committee voted unanimously in favor of a bill to create a "Security Clearance" system. This would limit access to information critical to economic security to those whose credibility has been verified by the government, including employees of private companies. Until now, by contrast, access to such security assets did not require any particular background check, and there was no penalty for information leakage. Under this system, access to such information will be granted only to people recognized as having no risk of causing leaks.
By the way, Japan has a national cybersecurity certification, the Registered Information Security Specialist (RISS), which certifies the ability to protect systems against cyber attacks (however, it is debatable whether the qualification really proves actual skills). I do not know what is required to pass the clearance, but such a certification may be one of the requirements.

Source: Japan's parliament enacts new economic security clearance bill

Suspected attack on Japan Railway (JR) East

SUICA is the most popular prepaid rechargeable contactless smart card and electronic money system in Japan and is mostly used as a fare card on train lines (JR East). On 5/10, JR East announced that SUICA, especially the "Mobile SUICA" smartphone IC ticket application, had stopped running because of a "system failure". From around 5:30pm on the same day, it had been difficult to connect to services that require network interaction, such as logging into the application and recharging money, and it took 5 hours to "became almost stable," according to a company spokesperson. JR believes that the cause of the system failure is a cyber attack and is consulting with the Metropolitan Police Department. If this is a cyber attack incident, it

Source: JR East hit by system disruption, cyberattack suspected

Vulnrichment

The US Cybersecurity and Infrastructure Agency (CISA) has announced the creation of “Vulnrichment,” a project to provide additional information on CVSS/CVE to fill the gaps left by the NVD’s recent slowdown. The current vulnerability assessment score is CVSS, but it does not take into account the vulnerability response policy or the environment within the system where the vulnerability exists. This is where the Stakeholder-Specific Vulnerability Categorization (SSVC) evaluation criteria are introduced, to assess the urgency of responding to the vulnerability. According to the article, CISA has enriched 1,300 CVEs so far. They have a public repository of the project.
Source: CISA starts CVE “vulnrichment” program

Solar Storm

On May 11–12, one of the largest flares ever generated on the sun caused a Solar Storm (magnetic storm) on Earth. As a result, northern lights/auroras were observed around the world. In the end, no large-scale communication problems were confirmed, but NICT urged people to be vigilant until around the 16th, as GPS (satellite-based positioning systems) and some wireless communications may be affected. NOAA detected another solar flare on the 16th, but this time there was no magnetic storm.

Source: https://nict.go.jp/publicity/topics/2024/05/10-1.html

5 Views, 0 likes, 0 Comments

iRule interpretation assistance
Hi Dev Central. I need some assistance interpreting the following iRule, especially the first line. My interpretation is that if the HTTP path contains any of the following: /, /index.jsp, /startpage, /sap/admin, /sap/admin* AND the client IP address is NOT in the All-Internal_dg Data Group List, then the request is REJECTED. Is this correct? What is bothering me is the very first line with the "/". This would mean that any path would be rejected if the request isn't coming from an IP in the All-Internal_dg Data Group List, right? I ask because this service is still accessible from IPs that are not in the All-Internal_dg Data Group List. So I am wondering how some paths are still working for clients that are not in the All-Internal_dg Data Group. Thanks for any help you can lend.

    when HTTP_REQUEST {
        # Enclosing event is not shown in the post; HTTP_REQUEST is assumed from the trailing brace
        switch -glob [HTTP::path] {
            "/" {
                # log 10.x.x.58 local0. "In root client ip is [IP::client_addr]"
                if { not [matchclass [IP::client_addr] equals All-Internal_dg] } {
                    reject
                }
                HTTP::redirect https://[getfield [HTTP::host] ":" 1 ]/startPage
            }
            "/index.jsp" {
                # log 10..x.x.58 local0. "In index.jsp client ip is [IP::client_addr]"
                if { not [matchclass [IP::client_addr] equals All-Internal_dg] } {
                    reject
                }
                HTTP::redirect https://[getfield [HTTP::host] ":" 1 ]/startPage
            }
            "/startpage" {
                # log 10.x.x.58 local0. "In startpage client ip is [IP::client_addr]"
                if { not [matchclass [IP::client_addr] equals All-Internal_dg] } {
                    reject
                }
            }
            "/sap/admin" {
                # log 10..x.x.58 local0. "In sap admin client ip is [IP::client_addr]"
                if { not [matchclass [IP::client_addr] equals All-Internal_dg] } {
                    reject
                }
                HTTP::redirect https://[getfield [HTTP::host] ":" 1 ]/sap/admin/public/default.html
            }
            "/sap/admin*" {
                # log 10..x.x.58 local0. "Deep in sap admin client ip is [IP::client_addr]"
                if { not [matchclass [IP::client_addr] equals All-Internal_dg] } {
                    reject
                }
            }
            default {
                # log 10..x.x.58 local0. "Something hit the default switch client ip is [IP::client_addr]"
            }
        }
    }

Solved, 43 Views, 0 likes, 6 Comments

F5 Access Guard Deprecated: ZTA APM
Since F5 Access Guard is deprecated and not supported on Win 11, newer browsers, and some versions of MacOS, what is the replacement for posture checking when implementing a ZeroTrust architecture using APM as an identity-aware proxy? One major point of ZT is to do continuous posture checking of a client and the requests they are making--each and every one utilizing a per-request policy. Without this component, it seems like APM is not a great candidate for use. What are others doing when using APM within their ZT network? Are they using 3rd-party solutions with an HTTP connector to evaluate the client/request for each and every request?

33 Views, 0 likes, 1 Comment

ASM Bot Defense JS and CSP
Our company has issued a requirement for all applications to enable CSP (Content Security Policy). The problem is one of the first applications to enable this has Bot Defense enabled. Part of PBD is to inject a JavaScript inline, which causes an issue with the page not loading per the CSP policy. We opened a support case and F5 level II and the ENE say they can't find a way to make these compatible and this is beyond the scope of Support, i.e. engage Professional Services. I'm a long-time F5 user and so this was frustrating, to say the least.

Part of our CSP is our scripts have a nonce key generated. PBD script is not being delivered from our server (it's directly injected into the response), and it does not contain our nonce key. This means that the CSP will tell the browser to NOT allow the execution of that script, thereby breaking the application.

Part of the CSP Rules:
- The browser should accept any JS that is delivered as a file from 'self', which means it's delivered from our web server with a relative path
- The browser should accept any JS that is delivered to the browser with our nonce key (value in the header)
- All other JS should be ignored by the browser!

So, the only question that we really had for F5 is how do we make PBD JS work with a CSP? The CSP is set up in a basic way and is not customized to our application at all. It seems we either need to have this JS delivered by a file (not directly injected) or the F5 will need to pick up our nonce key and add it to that injection. Has anyone come across this and what methods did you employ to resolve it, i.e. iRule or Traffic policy to set the nonce key on the JS, which is not super ideal?
Depending on when ASM/PBD fire, something similar to the following:

    when HTTP_RESPONSE {
        # Check if the response header contains a CSP
        if {[HTTP::header exists "Content-Security-Policy"]} {
            # Get the CSP header value
            set csp [HTTP::header value "Content-Security-Policy"]
            # Check if the CSP contains a nonce and get its value ('nonce-<value>')
            if {[regexp {'nonce-([^']+)'} $csp -> nonce]} {
                # Buffer the response body so it can be inspected in HTTP_RESPONSE_DATA
                if {[HTTP::header exists "Content-Length"]} {
                    HTTP::collect [HTTP::header value "Content-Length"]
                }
            }
        }
    }
    when HTTP_RESPONSE_DATA {
        # Check if the response body contains a script tag
        set start [string first "<script" [HTTP::payload]]
        if {$start != -1} {
            # Add the nonce to the script tag (arguments are offset, length, replacement)
            HTTP::payload replace $start 7 "<script nonce=\"$nonce\""
        }
        HTTP::release
    }

843 Views, 0 likes, 3 Comments

Mitigating Application Threats with BIG-IP Next WAF
Overview of BIG-IP Next

In today's modern world, where the digital landscape is continuously evolving and security threats are becoming more sophisticated, the need for a robust and adaptive security solution is essential. BIG-IP Next is a next-generation solution which is setting a new standard for safeguarding your digital assets, protecting your applications, and empowering enterprises with the highest security efficacy. BIG-IP Next is the modernized solution optimized to simplify operations, enhance performance, and strengthen security.

As per the official website, BIG-IP Next simplifies day-to-day ADC operations and accelerates application time-to-market through automation so that you can focus more on getting your apps online. BIG-IP Next’s modern, highly scalable software architecture is designed for maximum resiliency to support vast, dynamic application portfolios and their most complex traffic management and security policies, ensuring that applications are always available to end users. BIG-IP Next also provides deep insights into your application health, network performance, traffic patterns, and security threats to improve business decision-making.

For a quick overview of BIG-IP Next and how the next-generation attributes can help you with your existing or new deployments, check out the video below.

Here are some of the key capabilities that you can check out to learn how you can mitigate app threats and security complexity with BIG-IP Next WAF:

1. Deploy HTTPS application with WAF Protection

The first step in protecting your applications is onboarding your application in a BIG-IP Next instance and creating a WAF security policy as per application requirements. The final step is creating load balancers and applying the above-created WAF policies. Next, users can monitor the application traffic by navigating to their respective security dashboards and take necessary steps as per security insights. For more details, see this video.

2. Create and Manage Security Policies

Sometimes creating security policies can be a time-consuming job, and BIG-IP Next has made it user-friendly to create and manage security policies from a centralized UI. Users can create, delete or update their existing policies in fewer steps and can apply them directly to the applications, thereby decreasing the application delivery time to market. You can check out the video below for more details.

3. Create Security Policies using Templates

One more advantage of BIG-IP Next is the support for creating security policies using templates, and it’s just a one-click action using 'F5 BIG-IP Next’. Users can make use of default templates and protect their applications with zero effort, for example by using the Violation Rating Template. For more information, check the video below.

4. Security Policy Migration

Going through existing BIG-IP security policies and then creating the same ones in the BIG-IP Next solution can be time-consuming. This is made easy so that users can migrate their security policy from 'F5 Advanced WAF' to 'F5 BIG-IP Next WAF' in a simple manner. With fewer steps, you can have your entire WAF security posture up without going through the rough step of creating them from scratch. Please refer to the video below for more insights.

5. Signatures and Threat Campaigns Update

Regular update of attack signatures and threat campaigns is a vital step in safeguarding your applications against the latest attacks. This process is super easy using ‘F5 BIG-IP Next’ so that applications can mitigate them without the need for downtime. For the step-by-step procedure to update signatures and threat campaigns, please check the video below.

You can also check out the demo link below for detailed insights into how BIG-IP Next WAF enables the migration of apps and policies between BIG-IP TMOS and BIG-IP Next. The demo also shows how to deploy new web applications with WAF security policies included within BIG-IP Next Central Manager, and finally how to analyze and respond to security incidents within the Next WAF dashboard.

Reference links
- What is BIG-IP Next? | DevCentral
- Getting Started with BIG-IP Next: Fundamentals | DevCentral
- https://www.f5.com/products/big-ip-services/big-ip-next

74 Views, 0 likes, 0 Comments

CWE-20: Improper Input Validation
Good afternoon, We've recently had a Burp Suite scan done on our F5 pair. This was the result: The application may be vulnerable to DOM-based DOM data manipulation. Data is read from window.location.search and passed to the 'setAttribute()' function of a DOM element. The results page from the scan included the requests and responses to and from the F5s, so I believe this is not a false positive. I am wondering if there is a fix for this through an update? Currently, we're running "BIG-IP v15.1.10.3 (Build 0.0.12)"

45 Views, 0 likes, 2 Comments

Sampling for F5 AFM DDOS Event Logs
I would like to know about sampling for F5 AFM DDOS Event Logs. The screen capture below shows Attack Started and Attack Sampled Drop. Could you please let me know about sampling for these event logs? Example: 100 of attack in that time. Thank you very much

30 Views, 0 likes, 1 Comment

BIG-IP Next
Dears, I need to develop BIG-IP next, anyone can guide me, please? I tried to install BIG-IP next and Central Manager inside EVE-eg but it is not found. Can I install it in EVE? I need to start with BIG-IP LTM and ASM, there is a guide for all installation steps and all labs step by step. Thanks

35 Views, 0 likes, 2 Comments