Web App Security & Performance

Objective

This guide provides instructions on how to secure your web application and enhance its performance using F5® Distributed Cloud Console and F5 Distributed Cloud Mesh.

The steps to secure your web application and enhance its performance are:

Figure: Web Application Security and Performance Steps

The following image shows the topology of the example for the use case provided in this document:

Figure: Web Application Security Sample Topology

Using the instructions provided in this guide, you can configure F5 Distributed Cloud Services to handle the domain ownership (which includes the creation of needed DNS resource records) of a new subdomain, create an HTTPS Load Balancer with automatic SSL certificate for the VIP, secure the domain with features such as javascript challenge and a web application firewall (WAF), and monitor the security and performance of your new subdomain. This example use case presents securing an application hosted on a public website. The HTTPS Load Balancer creates a Virtual IP (VIP) across your Application Delivery Network (ADN). All the VIPs instantiated on the ADN are automatically enabled with the DDoS protection.

Note: Additional performance and origin access via private tunnels or native K8s/Consul integration can be achieved by installing a Mesh node closest to the origin server. For more information, see the Secure Kubernetes Gateway quick start guide.

Prerequisites

F5 Distributed Cloud Console SaaS account.

Note: If you do not have an account, see Create an Account.
Amazon Web Services (AWS) account.

Note: This is required to deploy a Distributed Cloud site.
F5 Distributed Cloud vesctl utility.

Note: See vesctl for more information.
Docker.

Configuration

The use case provided in this guide demonstrates enabling a domain for an application hosted on a public website and secures it using a Distributed Cloud javascript challenge and WAF. The following actions outline the activities in domain setup and securing the web app:

The domain for the application is delegated to F5 Distributed Cloud Services for handling the queries towards the subdomain for the application and management of the SSL certificates for the subdomain.
A HTTP load balancer is created for the subdomain with automatic certificate management. As part of this step, an origin pool is created with the origin server as the public website. This use case demonstrates securing the cloud.f5.com website.
The load balancer is secured with the javascript challenge and WAF for its ingress traffic.

Step 1: Create Primary Zone

Note: Previous versions of this quick start instructed you to delegate your domain to the F5 Distributed Cloud Platform. The Delegate Domain capability has since been deprecated. Now you will configure your domain to use F5 Distributed Cloud DNS instead.

Log into Console and perform the following:

Step 1.1: Navigate to zone management and start adding a zone.

Click DNS Management service on the Console home page.

Figure: Navigate to DNS Management

Select DNS Management option in the primary navigation menu located on the left side of the page.
Click Add Zone.

Figure: Add Zone

Enter domain or subdomain name in the Domain Name field in the metadata section.
Optionally, set labels and add a description for your zone.

Step 1.2: Start configuring primary zone.

Select Primary DNS Configuration for the Zone Type field in the DNS Zone Configuration section. Click Edit Configuration under the Primary DNS Configuration field. Do the following in the zone configuration form:

In the SOA Record Parameters section, the Use Default Parameters is populated by default. To customize this, select SOA Record Parameters option, click View Configuration, and set the SOA parameters such as refresh interval, retry interval, TTL, etc.

Figure: SOA Custom Configuration

Step 1.3: Configure resource record sets for the default group.

Go to Resource Record Sets section and click Add Item. The resource record sets configuration form opens.
Enter a value for the Time to live field.
Select a record type for the Record Set field, enter a name for your record name in the Record Name field, and set the fields as per your record type selection. Refer to the following table for the record type and field mapping:

Record Type	Fields	Notes
A	List of IPv4 Addresses	Enter IPv4 addresses.
AAAA	List of IPv6 Addresses	Enter IPv6 addresses.
ALIAS	Domain	Enter alias domain name.
CAA	Tags and Value	Enter a tag and its value.
CNAME	Domain	Enter domain name.
MX	Domain and Priority	Enter domain and priority in the `MX Record Value` section.
NS	List of Name servers	Enter the FQDN for the name servers.
PTR	List of Name servers	Enter the FQDN for the name servers.
SRV	Priority, Weight, Port, Target	Click `Add Item` in the `SRV Value` section and set the parameters.
TXT	List of Text	Add the TXT record.
DNS Load Balancer	DNS Load Balancer Records	Add the DNS Load Balancer record.
NAPTR	Naming Authority Pointer	Enter regex based domain names used in URIs.
DS	Delegation signer	Enter the signer to identify DNSSEC signing key of a delegated zone.
CDS	Child DS	Enter Child copy of DS record, for transfer to parent.
EUI48	MAC address (EUI-48)	Add uniquely identified MAC address as per the EUI-48 specification.
EUI64	MAC address (EUI-64)	Add uniquely identified MAC address as per the EUI-48 specification.
AFS	AFS record	Enter the AFS record.
DNSKEY	DNS Key	Enter the type, protocol, algorithm, and public key.
CDNSKEY	Child DNS Key	Enter the type, protocol, algorithm, and public key.
LOC	Location information	Enter geographical details such as latitude, longitude, hemispheres, etc.
SSHFP	SSH Key Fingerprint	Enter the fingerprint algorithm, type, and hexadecimal hash result of the ssh key.
TLSA	TLS Certificate Association	Enter the usage, selector, matching type, and association data.
CERT	Public Key Certificate	Enter the type, key tag, algorithm, and certificate.

Note: Use the Add item button available in each record type configuration to add more than one record for that record. See DNS Load Balancer for instructions on how to configure DNS load balancer for your zone.

Figure: Resource Record Set

Click Add Item to add the resource record set to the list of resource record sets. Use the Add Item button to add more than one resource record step.

Step 1.4: Configure specific resource record sets group.

This step configures specific groups for resource record sets. A resource record sets group allows grouping of DNS records to make it easier to manage them. For example, you can group DNS records that belong to the same application.

Enable Show Advanced Fields in the Resource Record Sets section.
Click Add Item in the appeared Additional Resource Record Sets section. This opens new resource record sets form.
Enter a Name in the metadata section.
Click Add Item in the Resource Record Sets section. This opens the resource record sets configuration form.
Configure the records in the same way as mentioned in previous step.
Click Add Item to add the resource record set to the group. Use the Add Item button to add more than one resource record set.
Click Add Item in the Resource Record Sets form to add the group to the Additional Resource Record Sets section. Use the Add Item button to add more than one group.

Step 1.5: Optionally, enable DNSSEC and load balancer management.

In the DNSSEC Mode section, select Enable for the DNSSEC Mode field if you want to use DNS security extensions (DNSSEC) to authenticate DNS response data.

Note: DNSSEC Mode is disabled by default.

Check the Allow HTTP Load Balancer Managed Records. This is only optional for a legacy delegated domain.

Note: Allow HTTP Load Balancer Managed Records is unchecked by default, which might have made sense for a delegated domain. However, Distributed Cloud Services has deprecated the Delegated Domain capability, which means that new domains will need to be setup as a Primary DNS zone corresponding to your HTTP Load Balancer (which is what you created in these steps), and you must check the Allow HTTP Load Balancer Managed Records checkbox for the HTTP Load Balancer to work properly.

Step 1.6: Complete creating the primary zone.

Click Apply in the primary zone configuration form.

Figure: Primary Zone Configuration

Click Save and Exit in the main zone configuration form to complete creating the primary zone.

Note: In case you enabled the DNSSEC, the system generates a DS record and displays it in the DNSSEC DS Record column. Click on the displayed value, click Copy DS Record on the displayed window, add the DS record to your parent zone. After primary zone is created, you can use the dig ds <domain name> command to verify that the DS record digest is displayed in the output. This indicates that DNSSEC is functional.

Step 2: Load Balancer

The HTTP load balancer is created with the domain name for which, the DNS and certificate management is delegated to Distributed Cloud Services. As part of load balancer creation, an origin pool is created with the origin server as the public website.

The following video shows the load balancer creation workflow:

Perform the following steps for creating load balancers to enhance the application performance:

Step 2.1: Obtain the public certificate for the origin server.

This example demonstrates securing the public website cloud.f5.com. You can obtain the public certificate using more than one method. This example shows how to obtain using Firefox browser.

Open https://cloud.f5.com website in browser.
Select the padlock symbol on the URL bar and then select the arrow button next to the Connection Secure option.

Figure: View Connection Information of Public Site

Select More Information to display the security options.

Figure: View Security Information of Public Site

Select the View Certificate button in the displayed security options.

Figure: View Certificate Information of Public Site

Switch to the Entrust Root Certification Authority - G2 tab and scroll down to the Miscellaneous section. Select PEM (Cert) and Ok in the confirmation box to download the certificate.

Figure: Download Certificate of Public Site

Step 2.2: Create a namespace.

Log into the Console and select the Administration service.
Navigate to Personal Management and select My Namespaces. Select Add namespace.

Figure: Manage Namespaces

Set a name, optionally add users, and select Save. This example creates waap namespace.

Figure: Create Namespace

Step 2.3: Create origin pool.

Select the Web App & API Protection service.
Change to your new application namespace and navigate to Manage > Load Balancers > Origin Pools.
Select Add Origin Pool.
Enter a name for your origin pool in the metadata section.

Figure: New Origin Pool

In the Origin Servers section, select Add Item.
- Select Public DNS Name of Origin Server for the Type of Origin Server field.
- Enter the public DNS name of your origin server in the DNS Name field. This example configures cloud.f5.com as the DNS name.
- Select Apply to save the origin server selection.

Figure: Origin Pool Basic Configuration

In the Origin server Port section, enter 443 for the Port field.
Scroll down to the TLS section, and select Enable.
Select SNI Value in the SNI Selection field and enter the SNI. This example sets cloud.f5.com as the SNI Value.
Select High for the TLS Security Level field.
Select Use Custom CA List for the Origin Server Verification field.
Select Base64(binary) option for the Trusted CAs field.
Switch to command terminal and encrypt the downloaded public certificate of the website using Base64. Copy the output.

cat author-www-f5-com.pem | base64

Copied!

Go back to Console and enter the copied Base64 string in the Trusted CAs field.

Figure: Origin Pool TLS Configuration

Note: Configuring the public certificate enables Distributed Cloud Services to establish connection to the origin server.

Select Save and Exit.

Step 2.4: Create HTTP load balancer.

Navigate to Manage > Load Balancers > HTTP Load Balancers. Select Add HTTP Load Balancer.
Enter a name and your domain in the Name and Domains fields respectively. This will create an A name entry, cloudf5-vip, which will resolve to an IP address that is pointed to a VIP that is hosted on F5 ADN.
Select HTTPS with Automatic Certificate in the Load Balancer Type field. This will create an SSL certificate for this domain and sign it with a public Certificate Authority (CA).

Figure: HTTP Load balancer creation

Since this use case attempts to provide a proxy to an existing public site, it is required to enable automatic host-rewriting. Therefore, route configuration is required. Scroll down to the Routes section and select Configure.

Figure: Route Configuration Section

Select Add Item, select ANY for the HTTP Method, select Regex for the Path Match field, and enter (.*?) (all routes) in the Regex field.

Note: The option Simple Route is applied by default for the Select Type of Route field.

Select Add Item for the Origin Pools section. Select the origin pool created in the previous step for the Origin Pool field and select Apply.

Figure: Route Origin Pool Configuration

Select Apply at the bottom of the Routes configuration form to add the route to the load balancer configuration and return to the load balancer configuration form.

Figure: Route Origin Pool Configuration

Note: Ensure that the Automatic Host Rewrite option is selected by default for the Host Rewrite field. This ensures that the requests coming to the domain you configured are redirected to the public DNS name of the origin server.

Select Apply to apply this list to the load balancer.
Scroll to the bottom and select Save and Exit to complete the load balancer.

The load balancer object gets displayed on the screen. The fields DNS Info and TLS Info with values VIRTUAL_HOST_READY and Certificate Valid indicate that the virtual host certificate is successfully validated and ready for use. You can verify this by entering the load balancer domain into a browser.

Figure: HTTP Load Balancer Created

Note: Select Refresh on the load balancers display list screen to display the latest status.

Step 3: Secure App

Securing the application includes applying javascript challenge for the requests towards the load balancer domain and configuring a WAF for the load balancer.

Note: Javascript challenge enforces the users to send requests through the browser preventing automated attacks.

The following video shows the workflow of securing the app:

Perform the following enable a javascript challenge and apply a WAF to the load balancer:

Step 3.1: Enable WAF.

In the Web App & API Protection service, select the same namespace as your load balancer.
Navigate to Manage > Load Balancers > HTTP Load Balancers.
Select ...>Manage Configuration for your load balancer to view its configuration. Next select Edit Configuration in the upper right corner to edit its configuration.
Scroll down to the Web Application Firewall section.
Select Enable for the Web Application Firewall (WAF) field, and then use the Enable pull-down menu to select the Add Item button.

Figure: HTTP Load Balancer Security Configuration

Step 3.2: Configure App Firewall.

Enter a name for the firewall.
Select Blocking for the Enforcement Mode field.
Leave the Protection Settings at their defaults and select Continue to save the WAF and return to the HTTP Load Balancer form.

Figure: WAF for HTTP Load Balancer

Step 3.3: Configure API Discovery, DDoS Detection, and Malicious User Detection.

Optionally select Enable in the API Discovery drop-down menu of the API Protection section.
In the DoS Protection section, select Default for the L7 DDoS Auto Mitigation field, and then Default for the Slow DDos Mitigation field.

Figure: DDoS Detection for HTTP Load Balancer Security

Scroll down to the Common Security Controls section and select Enable for the Malicious User Detection and Challenges field and then Default for the Malicious User Mitigation Settings field.

Note: This quickstart uses default malicious user detection settings. You can customize those settings by creating an app type and applying it to this load balancer with a label (in the metadata section). For more information, see Malicious Users.

Scroll down and select Save and Exit to save these security settings.

Step 4: Performance and Security Monitoring

This step shows how to see the performance and security monitoring available.

Note: Monitoring is based on site traffic, so in order to have meaningful information, either wait for some user traffic or create traffic by visiting the website and interacting with it in a browser.

Step 4.1: View the overall performance.

In the Web App & API Protection service, select the same namespace as your load balancer.
Select Overview > Dashboards > Performance Dashboard. This provides an overall performance view of the entire namespace, including Health, Active Alerts, Active Configuration, Traffic Overview, and Throughput graphs. Below these is a list of Load Balancers.

Figure: HTTP Load Balancer WAF Monitoring

Step 4.2: View the performance dashboard for your load balancer.

Select the name of the load balancer you want to monitor in load balancers list. This will show the performance dashboard for that specific load balancer.

Figure: HTTP Load Balancer Performance Dashboard

Step 4.3: View the app's requests.

Select the Requests tab. Each request shown represents a call to our website.
Select a request to get more information specific to that request.
Select Forensics to see the Forensics panel allowing you to filter the requests chart by various metrics, like country and soure ip.

Figure: HTTP Load Balancer Performance Requests

Step 4.4: View the overall security.

Select Overview > Dashboards > Security Dashboard. This provides an overall security view of the entire namespace, including Threat intelligence, Bot Traffics, API Classification, DDoS Attack Activity, Security Events, Top Attack Sources, Top Attacked Paths, Events by Country, and Active Configuration. Below these is a list of Load Balancers.

Figure: HTTP Load Balancer Security Dashboard

Step 4.5: View security dashboard for your load balancer.

Select the name of the load balancer you want to monitor in the load balancers list. This will show the security dashboard for that specific load balancer.

Figure: Security Dashboard for specific HTTP Load Balancer

Step 4.6: View the app's blocked requests.

Select the Security Analytics tab to see all security events, shown in a bar chart and below in a table. The chart shows time-based counts for the different types of events. The table shows event summary information across the columns.
The Actions column provides options to either block the requesting client and/or add the client to the list of trusted clients (depending on the type of event).
Select > at the left side of a row to see the specifics of the request and the violations that were triggered by the attack.
To see only blocked requests, use the Add Filter option and select Action, In, Select Block, followed by Apply.

Figure: HTTP Load Balancer Blocked Requests

Note: For more information on analyzing security, see the security section of the Monitor HTTP Load Balancer document.