Nicholas Zurfluh


Thursday, September 09, 2004 #

Here are the details of the protocols.

Protocol rollover: How the server discovers the best protocol to initiate the stream.

Windows 2000 explanation of MMS with a client-side firewall.

As it turns out, Vannevar Bush didn't coin the phrase hypertext, although he lays out the concepts of the web in his column “As We May Think” for the Atlantic Monthly. Clearly a brilliant visionary, he even considers the problems we now face with I/O devices and logical abstraction.

Of note, it seems that Vannevar was a logical positivist; it is interesting to see the dilemma that has resulted in a now post-modern world that, in large part, is sceptical in regards to truth. The presuppositions of this article assume that facts would be the overriding drive behind the choices of one's logical progression.

Here are the requirements:

Deny access to any HTTP request that either contains /portal/console in the URI or carries one of the variables deemed suspicious, unless the client's source address is in the internal address space.

***UNTESTED***

rule server_lock_down {
  if (http_uri matches_regex "/portal/console" and not one of internal_network_class) {
    redirect to "http://%h"
  }
  else if (http_content contains one of bad_variable_class and not one of internal_network_class) {
    redirect to "http://%h"
  }
  else {
    use pool x
  }
}

The traditional approach to site security:

Allow all traffic, then identify unauthorized requests and stop them. This would be a deductive method.

The deductive method would compare HTTP requests against a class of unauthorized values. A negative result would consider the request safe and use pool X. A positive match would identify an unauthorized request, which would be discarded. Since we cannot exhaustively anticipate all future vulnerabilities, this method will never be comprehensive.

A comprehensive solution would include an inductive method.

The inductive method would work as follows: all authorized HTTP requests use pool X, while unauthorized HTTP requests are parsed further by deductive means and/or changed into an authorized request, or discarded altogether.

An inductive method would also require much less overhead than the deductive method. Rules require parsing of packets, and when we are trying to keep latency at a minimum, the less data to parse the better. You can think of it like an ACL: with ACLs, you give your allowances first and your denials last. This ensures that the traffic is processed quickly.

The bad news is that it would be nearly impossible to create such a rule with Big-IP 4.5.9; anticipating all authorized values would be too difficult. The good news is that F5 acquired Traffic Shield to do just this. It employs application-layer security that goes beyond packet-by-packet analysis and is session aware. It does far more than I could hope to accomplish with Big-IP 4.5.9.
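The two methods contrasted above, and the untested server_lock_down rule from the previous post, as an added example in Python (not code from the original post and not BIG-IP rule syntax). The post names the classes internal_network_class and bad_variable_class without listing their members, so the networks, suspicious variables and allow-list below are constructed placeholders, and %h in the rule's redirect is assumed to expand to the request's Host header (the same %h/%u convention the https_only rule on this page uses). The deductive function is the deny-list rule as written; the inductive function lets known-good requests through without further parsing and hands everything else to the deductive check, which bounces known-bad requests and discards the rest.

```python
import ipaddress
import re

# Constructed policy values (assumptions, not from the original post): the post
# names internal_network_class and bad_variable_class but does not list members.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]
BAD_VARIABLES = ("debug=true", "admin_override=")
CONSOLE_RE = re.compile(r"/portal/console")

# Constructed allow-list for the inductive method: paths external clients are
# known to need. The post gives no such list; this one is illustrative.
ALLOWED_PATHS = {"/", "/index.html", "/login"}


def is_internal(src_ip: str) -> bool:
    """True when the client address falls inside internal_network_class."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False  # an unparsable address is never trusted as internal
    return any(addr in net for net in INTERNAL_NETWORKS)


def redirect_response(host: str) -> str:
    """Render the rule's 'redirect to "http://%h"' action; %h assumed = Host header."""
    return f"HTTP/1.0 302 Found\r\nLocation: http://{host}/\r\nConnection: close\r\n\r\n"


def deductive_decision(src_ip: str, host: str, uri: str, body: str):
    """Deny-list (the post's 'deductive' method): every request reaches pool x
    unless it is external and matches a known-bad pattern."""
    if not is_internal(src_ip):
        if CONSOLE_RE.search(uri):
            return ("redirect", redirect_response(host))
        if any(var in body for var in BAD_VARIABLES):
            return ("redirect", redirect_response(host))
    return ("pool", "x")


def inductive_decision(src_ip: str, host: str, uri: str, body: str):
    """Allow-list (the post's 'inductive' method): known-good requests go to
    pool x with no further parsing; anything else is parsed by the deductive
    check, which bounces known-bad requests and discards the unknown rest."""
    if is_internal(src_ip):
        return ("pool", "x")
    path = uri.split("?", 1)[0]  # the allow-list is on the path, not the query
    if path in ALLOWED_PATHS:
        return ("pool", "x")
    verdict = deductive_decision(src_ip, host, uri, body)
    if verdict[0] == "redirect":
        return verdict
    return ("discard", "")


if __name__ == "__main__":
    # Constructed sample requests showing where the two methods diverge.
    samples = [
        ("203.0.113.7", "www.example.com", "/portal/console/login", ""),
        ("203.0.113.7", "www.example.com", "/reports", "debug=true&x=1"),
        ("203.0.113.7", "www.example.com", "/reports", ""),
        ("10.1.2.3", "www.example.com", "/portal/console/login", ""),
    ]
    for method in (deductive_decision, inductive_decision):
        for sample in samples:
            print(method.__name__, sample[2], "->", method(*sample)[0])
```

The third sample is the point of the post: an external request for an unlisted path passes the deny-list untouched but is discarded by the allow-list. Note that both functions trust the source address as the load balancer sees it; if traffic arrives through another proxy, the internal-network check must be applied to the real client address, not the proxy's.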

Procedure for Windows 2000/2003:

Install Loopback Adapter:

Start / Settings / Control Panel / Add/Remove Hardware

Add/Troubleshoot a device / Next

No, select from list / Next

Network adapters / Next

From the Manufacturers box select Microsoft.

From the Network Adapters box select Microsoft Loopback Adapter / Next

Finish

Configuration for the Loopback interface:

IP address: VIP

Subnet mask: 255.255.255.0  *host mask 255.255.255.255 is not allowed in Windows*

Gateway: no value

Click “Advanced”

Set the “Interface metric” to 254

To correct the subnet mask, this change must be made in the registry:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces

Locate the subnet mask value for the loopback interface and change it from 255.255.255.0 to 255.255.255.255

Solaris:

ifconfig lo0:1 plumb

ifconfig lo0:1 VIP netmask 255.255.255.255 up

BSD or Mac OS X:

ifconfig lo0 alias VIP netmask 255.255.255.255 -arp up

What criteria constitute a meaningful ECV (extended content verification)?

Would this be a page match for an authenticated user session?

If a simple content match on the home page is our goal, it would require that we authenticate through Siteminder or bypass it. Given my understanding of Siteminder, a script that authenticates a user would require an extended application verification script. This approach would exceed our ECV requirements.

An alternative would be to unprotect a page (if there is such an ability), have Big-IP issue a GET request, and bypass the authentication. This would not tell us whether the Siteminder elements are working, and there could be a scenario where Big-IP can retrieve a page while a user cannot authenticate.

What if a Siteminder referral response is good enough to consider a service available?

This can be done with an HTTP/1.1 request:

GET /index.html HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Host: www.yoursite.com
Connection: close

The receive string could be:

http://smntlm.yoursite.com/siteminderagent/ntlm/creds.ntc?CHALLENGE=&TARGET=$SM$http
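The referral-based health check proposed above, as an added example in Python (not the post's own code and not BIG-IP's ECV implementation). It sends the post's HTTP/1.1 probe and evaluates the reply two ways: the plain receive-string match the post proposes, and a stricter variant that also requires a 3xx status with the Siteminder URL in the Location header. The three responses are constructed for the example; the receive string is taken exactly as the post gives it, so the sample Location header ends where that string ends.

```python
import socket

# The post's receive string, used verbatim (it ends where the post's text ends).
RECEIVE_STRING = b"http://smntlm.yoursite.com/siteminderagent/ntlm/creds.ntc?CHALLENGE=&TARGET=$SM$http"

# The post's probe request, byte for byte.
ECV_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"Accept-Language: en-us\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)\r\n"
    b"Host: www.yoursite.com\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)

# Constructed sample responses (not captured from a real site).
REFERRAL_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n" + b"Location: " + RECEIVE_STRING + b"\r\n"
    + b"Connection: close\r\n\r\n"
)
OK_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nConnection: close\r\n\r\n"
    b"<html><body>Welcome</body></html>"
)
# An error page whose body happens to echo the agent URL: a plain substring
# match would call this healthy, the stricter check would not.
ERROR_RESPONSE = (
    b"HTTP/1.1 503 Service Unavailable\r\nContent-Type: text/plain\r\n\r\n"
    b"agent unreachable: " + RECEIVE_STRING
)


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status_code, headers, body).
    Header names are lower-cased bytes; a malformed status line raises ValueError."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError("malformed status line")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, body


def ecv_passes(raw: bytes, receive_string: bytes = RECEIVE_STRING) -> bool:
    """The post's proposal: the receive string anywhere in the response."""
    return receive_string in raw


def siteminder_referral_ok(raw: bytes, receive_string: bytes = RECEIVE_STRING) -> bool:
    """Stricter: a redirect status whose Location header starts with the agent URL."""
    try:
        status, headers, _ = parse_response(raw)
    except ValueError:
        return False
    return 300 <= status < 400 and headers.get(b"location", b"").startswith(receive_string)


def fetch(host: str, port: int = 80, request: bytes = ECV_REQUEST, timeout: float = 5.0) -> bytes:
    """Send the probe and read until the server closes (the request says Connection: close)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    for name, raw in (("referral", REFERRAL_RESPONSE), ("ok", OK_RESPONSE), ("error", ERROR_RESPONSE)):
        print(name, "substring:", ecv_passes(raw), "strict:", siteminder_referral_ok(raw))
```

To probe a live system, feed the result of fetch("www.yoursite.com") to either check. The third sample is the caveat to a bare receive string: an error page can contain the expected text, so a monitor that only looks for the substring keeps a broken member in the pool.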

The purpose of the iRule is to identify the destination port of an incoming HTTP request and respond to the client with:

HTTP/1.0 302 Found
Location: https://www.sitename.com/index.htm
Connection: close

Here is the rule:

rule https_only {
  if (server_port equals 80) {
    redirect to "https://%h/%u"
  }
  else {
    discard
  }
}

So far my testing has only substantiated the RFCs that define LDAP communications. Since the client first authenticates and only then makes its request operations, it would be impossible for Big-IP to identify the request without some theoretical LDAP proxy capability. Such an LDAP proxy would need to authenticate the user locally and then identify the nature of each request, upon which Big-IP would authenticate against the actual LDAP servers themselves and forward the client's request operation.

A possible alternative would be to use Sun System Directory Proxy Server to proxy the communications: once the Sun proxy determines that there is a write request operation, it would refer the client to a VS on Big-IP that balances load between one or more master LDAP servers.

Update: Vignette does not support LDAP referrals.

F5 official: LDAP v.2 rules will not work.

This must be revisited with Big-IP version 9 to see if the new authentication/authorization module could provide a fix for applications that use LDAP v.2 requests.

Bad news: the LDAP browser opens a connection to the server prior to sending commands. This nails up a TCP connection, and at that point all load-balancing decisions are over; any intervention by Big-IP will break the IP session. If the Vignette servers work similarly, then a rule will not work. As a side note, the LDAP browser reveals a potential security weakness, given that there is an apparent long-lived TCP connection.

I must consult RFCs 1777 and 2251.

The issue is that Vignette makes LDAP v.2 requests that are load balanced to a Master and a Consumer, both Sun Java System Directory Server 5.2. I must parse the transactions to identify “read” and “write” requests. Read requests may be sent to either server, while write requests must be sent only to the Master LDAP server.

Read requests, directed to the Master or Consumer LDAP server:

  • SearchRequest
  • CompareRequest

Write requests, forwarded to the Master LDAP server only:

  • ModifyRequest
  • AddRequest
  • DelRequest
  • ModifyDNRequest

Operations common to both Master and Consumer LDAP servers:

  • BindRequest
  • UnbindRequest
  • AbandonRequest
  • ExtendedRequest
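The read/write classification above, applied per message, as an added example in Python (not the post's code, and not anything from F5, Sun or Vignette). It decodes just enough of the BER-encoded LDAPMessage to find the messageID and the protocolOp's APPLICATION tag, then maps the tag to the post's three routing classes. This is the per-message decision that the earlier posts conclude Big-IP 4.5.9 cannot make, because the client's TCP connection is already pinned to one server before the first operation arrives; a session-aware proxy of the kind the posts propose would run exactly this check on each request. The four sample messages are hand-encoded for the example; the tag numbers come from the LDAPMessage definition in RFCs 1777 and 2251.

```python
# APPLICATION tag numbers of the request choices in LDAPMessage.protocolOp
# (RFC 1777 for v2, RFC 2251 for v3; the request tags are the same in both).
REQUEST_TAGS = {
    0: "BindRequest", 2: "UnbindRequest", 3: "SearchRequest", 6: "ModifyRequest",
    8: "AddRequest", 10: "DelRequest", 12: "ModifyDNRequest", 14: "CompareRequest",
    16: "AbandonRequest", 23: "ExtendedRequest",
}

# The post's routing classes.
ROUTING = {
    "SearchRequest": "read", "CompareRequest": "read",
    "ModifyRequest": "write", "AddRequest": "write",
    "DelRequest": "write", "ModifyDNRequest": "write",
    "BindRequest": "common", "UnbindRequest": "common",
    "AbandonRequest": "common", "ExtendedRequest": "common",
}

# Hand-encoded sample messages (constructed for this example).
BIND = bytes.fromhex("30 0c 02 01 01 60 07 02 01 02 04 00 80 00")       # id 1, simple bind
SEARCH = bytes.fromhex(                                                   # id 2, (objectClass=*)
    "30 25 02 01 02 63 20"
    "04 00 0a 01 02 0a 01 00 02 01 00 02 01 00 01 01 00"
    "87 0b 6f 62 6a 65 63 74 43 6c 61 73 73"
    "30 00"
)
DEL = bytes.fromhex("30 0e 02 01 03 4a 09 63 6e 3d 61 2c 64 63 3d 62")  # id 3, delete cn=a,dc=b
UNBIND = bytes.fromhex("30 05 02 01 04 42 00")                          # id 4, unbind


def _read_length(buf: bytes, pos: int):
    """Decode a BER length at buf[pos]; returns (length, position after it)."""
    if pos >= len(buf):
        raise ValueError("truncated length")
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("indefinite, oversized or truncated length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_ldap_message(buf: bytes):
    """Return (message_id, operation, routing_class) for one LDAPMessage.
    Raises ValueError on anything that is not a complete, well-formed request."""
    if not buf or buf[0] != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    total, pos = _read_length(buf, 1)
    end = pos + total
    if end > len(buf):
        raise ValueError("truncated LDAPMessage")
    if buf[pos] != 0x02:
        raise ValueError("messageID must be an INTEGER")
    id_len, pos = _read_length(buf, pos + 1)
    message_id = int.from_bytes(buf[pos:pos + id_len], "big", signed=True)
    pos += id_len
    if pos >= end:
        raise ValueError("missing protocolOp")
    tag = buf[pos]
    if tag & 0xC0 != 0x40 or tag & 0x1F == 0x1F:
        raise ValueError("protocolOp must carry a short-form APPLICATION tag")
    op = REQUEST_TAGS.get(tag & 0x1F)
    if op is None:
        raise ValueError(f"tag {tag & 0x1F} is not a request operation")
    return message_id, op, ROUTING[op]


def is_valid_ldap_request(buf: bytes) -> bool:
    """Convenience wrapper: True when classify_ldap_message accepts the bytes."""
    try:
        classify_ldap_message(buf)
        return True
    except ValueError:
        return False


def choose_pool(routing_class: str) -> str:
    """Map the post's routing classes to the server set that may receive the request."""
    return {"read": "master-or-consumer", "write": "master-only",
            "common": "current-server"}[routing_class]


if __name__ == "__main__":
    for raw in (BIND, SEARCH, DEL, UNBIND):
        msg_id, op, cls = classify_ldap_message(raw)
        print(f"id={msg_id} {op:16} {cls:6} -> {choose_pool(cls)}")
```

The parser stops at the protocolOp tag on purpose: a router only needs to know which operation is being requested, and every byte it does not parse is latency it does not add. The truncation checks matter because an LDAP message can span TCP segments, so a proxy must buffer to the declared length before classifying.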

The capabilities of this new release are impressive. The flash demo is a bit cheesy...

http://www.f5.com/f5products/v9intro/index.html#

Selective Content Encryption/Compression

XML gateway: parser, encryption, authentication and authorization 

Resource cloaking: “BIG-IP device can remove sensitive information about servers contained in Error codes, Source code comments on Web pages, and Server Headers that contain important information about servers and applications”  (Wow!)

This is all too exciting, I'm going to have to increase my hourly rate.  To justify even greater levels of compensation, I will require a fancy new title. hmmm...

Application Traffic Management Consultant

Application Network Whore

IT Budget Gouger
