Orchestrated Infrastructure Security - Change at the Speed of Business - UDF Lab
Introduction
The latest UDF Blueprint can be found here.
The UDF Blueprint differs from the Verified Design article. The topology in the UDF Blueprint is Layer 3 Inbound because Layer 2 is not supported in UDF. The High Availability (HA) configuration, BIG-IQ Centralized Management and the AFM/IPS Service have been removed because of the UDF environment itself and its resource constraints. The services themselves are still deployed in Layer 2, which is unchanged between the UDF lab and this article.
The following DevCentral article series has helpful configuration information:
Differences between the article and UDF Lab will be addressed here.
This UDF lab follows the original article's high-level sections:
· Create a new topology to perform testing
· Monitor server statistics, change the weight ratio, and check server stats again (follow the procedure in the previous article)
· Remove a single Advanced WAF device from the service (follow the procedure in the previous article)
· Perform maintenance on the Advanced WAF device (follow the procedure in the previous article)
· Add the Advanced WAF device to the new topology
· Test functionality with a single client
· Add Advanced WAF device back to the original topology
· Test functionality again
· Repeat to perform maintenance on the other Advanced WAF device
Important Details
All VLANs and Self IPs have been created.
SSL Orchestrator: bigip-ssl-orchestrator.com
Self IPs
Inside-vlan 10.1.10.100
Outside-vlan 10.1.20.100
Management: 10.1.1.4
L2 VLANs for Advanced WAF Services
Egress1 – 1.3
Ingress1 – 1.4
Egress2 – 1.5
Ingress2 – 1.6
Advanced WAF is preconfigured with the 5 Application Servers (virtual servers):
10.1.10.90
10.1.10.91
10.1.10.92
10.1.10.93
10.1.10.94
Advanced WAF1
L2 VLANs
Ingress
Egress
Management 10.1.1.7
Advanced WAF2
L2 VLANs
Ingress
Egress
Management 10.1.1.8
The username and password for the F5 devices are admin/admin
Ubuntu clients: student/agility
Outside – Desktop
This desktop simulates an external user accessing the web application.
10.1.20.65
TEST – Client
This desktop is external, but is only used for testing. After performing maintenance on an SSL Orchestrator service, this is where you test it to make sure it’s working properly.
10.1.20.99
Application Webservers
These are the webservers that are being protected by SSL Orchestrator and Advanced WAF.
10.1.10.90
10.1.10.91
10.1.10.92
10.1.10.93
10.1.10.94
Create a new Topology to perform testing
Follow the procedure in the previous article, but create an Inbound L3 Topology instead. When you create the interception rule, be sure to set the Source to 10.1.20.99, as this is the test client for the UDF lab. The Ingress Network should be set to the outside-vlan.
When you get to the egress settings, set Manage SNAT Settings to Auto Map.
Monitor server statistics – change the weight ratio – check server stats again (Follow the procedure in the previous article)
Remove a single Advanced WAF device from the Production Service (Follow the procedure in the previous article)
Perform maintenance on the Advanced WAF device (Follow the procedure in the previous article)
Add the Advanced WAF device to the new topology
Follow the procedure in the previous article. Create a new Generic Inline Layer 2 service. The network configuration should look like this:
When you get to the security policy, add a Client IP Subnet Match for 10.1.20.99/32 as this is the external client where we will perform testing. Set the SSL Proxy Action to Intercept. Select the "testing" Service Chain.
Test functionality with a single client
Use the TEST - Client in UDF to test the Advanced WAF service post-maintenance.
Hit Enter to get to the login screen. Log in as student. The password is "agility".
The TEST – Client desktop will load. Click Activities to access the Firefox browser. Note that a console is also available should you wish to use it.
Note that all application web servers are already bookmarked. Click one of them. You will get a security warning. Click Advanced.
Click View Certificate.
You should see the default certificate that comes with the BIG-IP.
When you see the default certificate, you know that your connection is not being routed through the Production-Topology.
Click Accept the Risk and Continue.
The web page should load.
Add the Advanced WAF device back to the original topology
First you need to remove the TESTING-SERVICE from the service chain. It should look like the image below.
Then you can delete the Service.
Now you can add the Advanced WAF device back to the AdvancedWAF Service.
Test functionality again
You can use the Outside - Desktop to test functionality and make sure the Advanced WAF Services are working properly.
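The two browser checks above (the default BIG-IP certificate on the TEST - Client, then normal operation from the Outside - Desktop) can also be run from a terminal on either Ubuntu client. The script below is an added example and is not part of the original lab guide or of F5's own tooling. It assumes openssl is installed on the Ubuntu clients, that the five application web servers listen on TCP 443, and that the BIG-IP default certificate is the self-signed one whose subject CN is localhost.localdomain (verify this against your own device). It also assumes, as the guide implies, that the Production-Topology presents a different certificate than the default one.

```shell
#!/bin/sh
# Added example (not from the original lab guide): report which certificate
# each application web server presents to the client running this script.
# Assumptions: openssl is installed on the Ubuntu client; the servers listen
# on TCP 443; the BIG-IP default certificate has CN=localhost.localdomain.

# The five application web servers listed in the lab guide.
APP_SERVERS="10.1.10.90 10.1.10.91 10.1.10.92 10.1.10.93 10.1.10.94"

# Print the subject line of the certificate presented by HOST:443.
# -servername sets SNI so the server can pick the right certificate.
cert_subject_of() {
    host="$1"
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject 2>/dev/null
}

# Return 0 when SUBJECT looks like the BIG-IP default certificate, 1 otherwise.
# Loose match on the CN, so both "CN = x" (OpenSSL 1.1+) and "/CN=x" (older)
# output styles are accepted. The CN value is an assumption; adjust if needed.
is_bigip_default_cert() {
    case "$1" in
        *CN*=*localhost.localdomain*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_path EXPECT_DEFAULT ("yes" or "no") connects to every application
# server, prints one line per server, and returns 1 if any server presents
# something other than what the path under test is expected to show:
#   TESTING-TOPOLOGY (TEST - Client, 10.1.20.99): default cert expected
#   Production-Topology (Outside - Desktop, 10.1.20.65): default cert NOT expected
check_path() {
    expect_default="$1"
    status=0
    for host in $APP_SERVERS; do
        subject=$(cert_subject_of "$host") || subject=""
        if [ -z "$subject" ]; then
            echo "$host: no certificate (connection failed)"
            status=1
            continue
        fi
        if is_bigip_default_cert "$subject"; then seen="yes"; else seen="no"; fi
        if [ "$seen" = "$expect_default" ]; then
            echo "$host: OK (default cert presented: $seen)"
        else
            echo "$host: MISMATCH (default cert presented: $seen, expected: $expect_default)"
            status=1
        fi
    done
    return $status
}

# Usage: sh check_path.sh testing      (run on TEST - Client)
#        sh check_path.sh production   (run on Outside - Desktop)
case "${1:-}" in
    testing)    check_path yes ;;
    production) check_path no ;;
esac
```

Run it with the argument `testing` on the TEST - Client after adding the device to the new topology; every server should report the default certificate. Run it with `production` on the Outside - Desktop after the device is back in the AdvancedWAF Service; a MISMATCH line there means traffic for that server is not being handled by the Production-Topology as expected.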
Repeat to perform maintenance on the other Advanced WAF device
The TESTING-TOPOLOGY was not deleted so you can re-use it for the other Advanced WAF device. The TESTING-CHAIN is empty, so make sure you add the Service to it after it's created.
Conclusion
You're done! Hopefully you were able to follow along despite the differences between the original article and the UDF Lab.