F5 networks

A Clean up routine for bigip.conf

Nicholas Zurfluh — Wed, 21 Feb 2007 20:37:00 GMT

Here is a neat trick I stumbled across while doing some Stream Editing. Here is a command that will remove all tabs and spaces before a new line. sed -e 's/[]*$//' -e '/^$/ d' (This command is yet untested) This should reduce those extra characters from causing the b load command to fail.

In case I forget again...

Nicholas Zurfluh — Wed, 28 Jun 2006 22:24:00 GMT

OpenSSL is a usefull tool for trouble shooting issues with BIG-IP.

The sytax for creating a client connection is as follows:

openssl s_client -connect hostname:port

Correct the time with Big-IP ver. 4.5.9x

Nicholas Zurfluh — Mon, 01 Nov 2004 19:07:00 GMT

Simple technique to correct the date/time of a Big-IP. F5 will tell you to take your unit into single user mode, this is not neccessary. I have discovered that you can update the time of an standby unit in multiuser mode.

You can update the clock in multiuser mode with ntpdate.

Syntax: ntpdate -b (time server IP/FQDN)

Manual page for ntpdate: http://www.eecis.udel.edu/~mills/ntp/html/ntpdate.html

enable SNMP queries in Big-IP ver. 4.5.9

Nicholas Zurfluh — Wed, 29 Sep 2004 20:13:00 GMT

If you put a 32 bit host mask (255.255.255.255) in your SNMP client allow list (hosts.allow) Big-IP will not respond. You must remove the host mask and leave an empty value unless your client is a network address

example: 192.168.1.0 255.255.255.0.

Changing time in Big-IP 4.5.9 and BSD

Nicholas Zurfluh — Wed, 29 Sep 2004 19:39:00 GMT

Normally with BSD you are required to go into single user mode prior to changing the time. I have discovered that you can use ntpdate to correct the time in multi-user mode (A.K.A. init level 2).

The origins of the Web

Nicholas Zurfluh — Thu, 09 Sep 2004 23:16:00 GMT

As it turns out Vannevar Bush didn't coin the phrase hypertext although he lays out the concepts of the web in his collumn “As We May Think“ for the Atlantic Monthly. Clearly a brilliant visionary, he even considers the problems we now face with i/o devices and logical abstraction.

Of note, it seems that Vannevar was a logical positivist, it is intersting to see the dillema that has resulted in a now post modern world that, in large part, is sceptical in regards to truth. The pressuppositions of this article assume that facts would be the overriding drive behind the choices of ones logical progression.

iRule that limits portal console access

Nicholas Zurfluh — Thu, 09 Sep 2004 23:11:00 GMT

Here are the requirements:

Exclude access, to either HTTP requests that contain /portal/console in the URI or from among deemed suspicious variables, from all client requests other than those who's source address is from internal address space.

***UNTESTED***

rule server_lock_down {

if (http_uri matches_regex "/portal/console" and not one of internal_network_class) {
    redirect to "http://%h"
  }
   else if (http_content contains one of bad_variable_class and not one of internal_network_class) {
     redirect to "http://%h"
   }
    else {
      use pool x
     }

}

Using F5 iRules to augment server security

Nicholas Zurfluh — Thu, 09 Sep 2004 23:00:00 GMT

The traditional aproach to site security.

Allow all traffic then identify an unauthorized requests and stop them This would be a deductive method.

The deductive method would compare http requests against a class of unauthorized values. A negative result would consider the request safe and use pool X. A positive match would identify an unauthorized request and be discarded. Since we cannot exhaustively anticipate all future vulnerabilities this method will never be comprehensive.

A comprehensive solution would include an inductive method.

The inductive method would work as such; all authorized http requests use pool X while unauthorized http requests are parsed further by deductive means and/or changed into an authorized request, or discarded altogether.

Also an inductive method would require much less overhead than the deductive method. Rules require parsing of packets, when we are trying to keep latency at a minimum the less data to parse the better. You can think of it like an ACL. With ACLs, you give your allowances first and your denials last. This ensures that the traffic is processed quickly.

The bad news is it would be nearly impossible to create such a rule with Big-IP 4.5.9. Anticipating all authorized values would be to difficult. The good news is F5 aquired Traffic Shield to do just this. It employs an application layer security that works beyond a packet by packet analasys but is session aware. It does far more than I could hope to accomplish with Big-IP 4.5.9.

Server configuration for n-Path routing, DSR, Switch Back

Nicholas Zurfluh — Thu, 09 Sep 2004 22:55:00 GMT

Proceedure for Windows 2000/3:

Install Loopback Adapter:

Start/Settings/Control Panel/Add Remove Hardware

Add Troubleshoot a device/ Next

No, from list/ Next

Network adapters/ Next

from manufacturers box select Microsoft.

from network adapters box select Microsoft Loopback adapter/ Next

Finish

Configuration for the Loopback interface:

ip address: VIP

Subnet mask: 255.255.255.0 *host mask 255.255.255.255 is not allowed in Windows*

gateway: no value

click “Advanced”

add to the “Interface metric” 254

to correct the subnet mask, this change must be made to the registry:

HKEY_LOCAL_MACHINES\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces

locate and replace the subnet mask value for the loopback interface from 255.255.255.0 to 255.255.255.255

Solaris:

ifconfig lo0:1 plumb

ifconfig lo0:1 VIP netmask 255.255.255.255 up

BSD or Mac OS X:
ifconfig lo0 aliase VIP netmask 255.255.255.255 -arp up

Big-IP ver. 4.5.9 ECV of Siteminder protected sites

Nicholas Zurfluh — Thu, 09 Sep 2004 22:53:00 GMT

What are the criteria that constitutes meaningful ECV.

Would this be a page match for an authenticated user session?

If a simple content match on the home page is our goal it would require that we authenticate through Siteminder or thwart it. Given, my understanding of Siteminder a script that authenticates a user would require an extended application verification script. This aproach would exceed our ECV requirements.

An alternative would be unprotect a page (if there is such an ability) have Big-IP issue a get request and thwart the authentication. This would not tell us if the Siteminder elements are working and there could be a scenario where Big-IP can retreive a page that a user cannot authenticate.

What if a Siteminder referal response is good enough to consider a service available?

This can be done with a http v.1.1 request:

GET /index.html HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Host: www.yoursite.com Connection: close

The recieve string could be:

http://smntlm.yoursite.com/siteminderagent/ntlm/creds.ntc?CHALLENGE=&TARGET=$SM$http