F5 Federal Security Hardening & Remediation...F5 BIG-IP Advanced Firewall Manager (AFM) 11.x STIG...

F5 Federal Security Hardening & Remediation
Michael Coleman, Senior Federal Systems Engineer, 2018

Transcript of the slide deck (21 pages).

Page 1: F5 Federal Security Hardening & Remediation (title slide)

Page 2: (no text extracted from this slide)

Page 3: F5 Security Certifications & Compliance

• (NIST) FIPS 140-2
• NIST SP 800-53r4
• DNSSEC
• USGv6 (IPv6)
• NIAP CC EAL2+ & EAL4+
• JITC PKE Certification
• DISA UC-APL (TN#1312201): IA Tool
• US Army IA-APL
• ICSA Certifications:
  • WAF, Network Firewall, IPsec, SSL/TLS VPN
• C&A (RMF) Current ATO
• F5 Device STIG/SRG
• DISA
• NMCI
• JWICS
• SOCOM & CENTCOM
• ARMY
• USMC
• NAVY
• AF

https://f5.com/about-us/compliance-and-certifications

Page 4: F5 Device Hardening Topics

• F5 "Appliance Mode"
• National Institute of Standards and Technology [NIST] SP 800-53r4
• DoD Instruction 8500 (Certification and Accreditation): DITSCAP, DIACAP, Risk Management Framework [RMF]
• Security Technical Implementation Guide [STIG] / Security Requirements Guide [SRG]
• Defense Information Systems Agency Unified Capabilities Certification Office Approved Products List Certification [DISA UCCO APL]: Military Unique Deployment
• Traffic Management Operating System [TMOS] hardening
• Secure Sockets Layer [SSL] / Transport Layer Security [TLS] & Federal Information Processing Standard [FIPS] 140-2
• National Information Assurance Partnership [NIAP] Common Criteria [CC] EAL4+
• Common Vulnerabilities and Exposures [CVE] scanning, remediation, false positives

Page 5: F5 Appliance Mode (App Mode Lite)

[Figure: supported platforms: VIPRION platform, BIG-IP platform, BIG-IP Virtual Edition]

Appliance Mode is a zero-dollar license option which, when applied, provides additional BIG-IP device security by removing access to the advanced shell (bash) and to the root account. tmsh becomes the default shell once it is applied.

Appliance Mode has two options:

• Licensed – permanent (forever); it cannot be switched off afterwards.
• Enabled – configurable; it can be turned on and off by the administrator.

Page 6: Disable / Rename Default Admin Accounts

• Root is covered automatically by Appliance Mode / App Mode Lite. It can also be disabled explicitly [SOL15632]:

  # tmsh modify sys db systemauth.disablerootlogin value true
  # tmsh save sys config

• Admin is used for the GUI, but can be disabled or renamed (recreated under a new name) using the following guidance [SOL14943]:

  • Create a new Admin user first, via the GUI (otherwise you lock yourself out of the device).
  • Remove the default admin, via the CLI:

  # userdel admin

Page 7: NIST Special Publication 800-53 Revision 4

• F5 iApp [Wizard]:

• https://www.f5.com/pdf/deployment-guides/nist-sp-800-53-r4-dg.pdf

Page 8: DoD 8500: Risk Management Framework, SRG & STIG

• Network / Perimeter / Wireless - Network Infrastructure (Other Network Devices)
• http://iase.disa.mil/stigs/net_perimeter/network-infrastructure/Pages/other.aspx

Download                                                 Date       Size    Format
F5 BIG-IP Access Policy Manager (APM) 11.x STIG          6/11/2015  91 KB   ZIP
F5 BIG-IP Advanced Firewall Manager (AFM) 11.x STIG      6/11/2015  241 KB  ZIP
F5 BIG-IP Application Security Manager (ASM) 11.x STIG   6/11/2015  245 KB  ZIP
F5 BIG-IP Device Management 11.x STIG                    6/11/2015  266 KB  ZIP
F5 BIG-IP Local Traffic Manager (LTM) 11.x STIG          6/11/2015  268 KB  ZIP
F5 BIG-IP STIG Overview, Version 1                       6/11/2015  91 KB   ZIP
F5 BIG-IP STIGs, Version 1 memo                          6/11/2015  68 KB   PDF

Page 9: STIG iApp – Network Device Other (~Obsolete)

This iApp pre-dates the FINAL F5 STIG / SRG release of July 2015, but accounts for the majority of STIG items in Network Device Other, EXCLUDING the following:

1. NET0700 – disables bash and root, but breaks the rest of the iApp once it is enabled. A workaround is being troubleshot; the option is present but the proc is disabled.
2. NET1647 – adds the "Protocol 2" string as an include to sshd. The tmsh command to set the sshd include does not allow multiple values (the other value needed is "MaxAuthTries 3").
3. NET0440 – some of the required commands are only available in 11.6; the option needs to be adjusted for version (remove it for < 11.6).
4. NET1640 – sets up MCP logging.
5. NET0992 – sets up ACLs for the management interface.
6. NET0340 – sets up the DoD banner.
7. NET0386 – sets up log-quota-size alerts (the script still needs to be integrated).

Page 10: But, there is a STIG / SRG Script available!

• https://github.com/Mikej81/PowerSRG
• Disclaimer: This is not written, nor supported, by F5. It is an open-source project created by an F5 employee attempting to help customers streamline their STIG / SRG and hardening configurations.

Page 11: DISA UCCO APL IO Certification – Military Unique Deployment Guide [MUDG] v1.2

• This document pre-dates the FINAL F5 STIG / SRG release of July 2015. New versions will be in development, but will most likely focus on TMOS v12.1 release features.
• Contact the DISA UCCO FSO for a copy, or email your F5 account team to get the most recent release.
• The current version of the document only accounts for 11.6 and does NOT include remediations for the new STIGs / SRGs released in July 2015. YET.

Page 12: TMOS Hardening – At a Glance

• F5 has identified the following security recommendations:
  • Develop a system access policy.
  • Develop user and password management.
  • Monitor policy for login failures.
  • Monitor for indications of DoS/DDoS attacks.
  • Join the DevCentral Security Compliance Forum.
  • Join the security mailing list.

Page 13: TMOS Hardening - Architecture

• The switch module connects to the PVA (Packet Velocity ASIC, F5's custom-engineered ASIC).
• The PVA is directly connected to the switch module; traffic it handles never goes any further into the system.
• Traffic NOT handled by the PVA is passed to the next layer, the Traffic Management Microkernel [TMM].

The F5 TMOS Operations Guide is available now:
https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/f5-tmos-operations-guide.html

Page 14: TMOS Hardening

• Port Lockdown "Allow None" on self IPs – please stop using self IPs for management.
• Packet filtering
• Disable non-required services (but don't)
• Management web (httpd) ACLs
• Management SSH (sshd) ACLs
• Secure NTP
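The account items on page 6 (root login disabled, default admin removed) and the management-plane items on this page (self-IP port lockdown, httpd and sshd ACLs) can be checked offline against saved tmsh output. The following is an added example written for this transcript; it is not F5 code and not part of the deck. The two configuration samples are constructed for the demo (their stanza layout follows the format tmsh prints), and the check logic, function names and finding texts are this example's own reading of the two pages' items:

```python
"""Offline hardening audit of BIG-IP tmsh configuration text.

Added example, not F5 code. Both configs below are constructed; on a real
unit, feed it the text of
  tmsh list sys db systemauth.disablerootlogin auth user net self sys httpd sys sshd
(same format as bigip.conf).
"""
import re

# Constructed sample: a unit with none of the hardening applied.
WEAK_CONFIG = """\
sys db systemauth.disablerootlogin {
    value "false"
}
auth user admin {
    partition-access {
        all-partitions {
            role admin
        }
    }
}
net self internal-self {
    address 10.0.1.5/24
    allow-service {
        default
    }
    vlan internal
}
sys httpd {
    allow { all }
}
sys sshd {
    allow { all }
}
"""

# Constructed sample: root login disabled, default admin replaced, self IP
# locked down to Allow None, management ACLs restricted to one subnet.
HARDENED_CONFIG = """\
sys db systemauth.disablerootlogin {
    value "true"
}
auth user secadmin {
    shell tmsh
}
net self internal-self {
    address 10.0.1.5/24
    allow-service none
}
sys httpd {
    allow { 10.0.10.0/24 }
}
sys sshd {
    allow { 10.0.10.0/24 }
    include "MaxAuthTries 3"
}
"""


def parse_stanzas(text):
    """Split multi-line tmsh output into {header: body} at brace depth 0."""
    stanzas, depth, header, body = {}, 0, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if depth == 0:
            if line.endswith("{"):  # e.g. 'net self internal-self {'
                header, body, depth = line[:-1].strip(), [], 1
            continue
        depth += line.count("{") - line.count("}")
        if depth == 0:
            stanzas[header] = "\n".join(body)
        else:
            body.append(line)
    return stanzas


def audit_config(text):
    """Return a list of findings; an empty list means every check passed."""
    s = parse_stanzas(text)
    findings = []
    if 'value "true"' not in s.get("sys db systemauth.disablerootlogin", ""):
        findings.append("root login not disabled (systemauth.disablerootlogin != true)")
    if "auth user admin" in s:
        findings.append("default 'admin' account still present")
    for header, body in s.items():
        if header.startswith("net self "):
            name = header.split(" ", 2)[2]
            if not re.search(r"^allow-service none$", body, re.M):
                findings.append(f"self IP {name}: port lockdown is not Allow None")
    for svc in ("sys httpd", "sys sshd"):
        m = re.search(r"allow \{([^}]*)\}", s.get(svc, ""))
        if not m or "all" in m.group(1).split():
            findings.append(f"{svc}: management ACL is missing or allows all sources")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_config(cfg) or ['no findings']}")
```

Save the tmsh listing to a file on the unit, pass its text to audit_config(), and treat every returned line as an open item. The parser expects the multi-line form tmsh prints by default, not the one-line form of `tmsh list ... one-line`.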

Page 15: FIPS 140-2 Compliance

Level 1
• Evaluated crypto algorithms and/or random number generators
• No physical security requirements; can be software only

Level 2 (L1+)
• Physical enclosures with pick-resistant locks or tamper-evident stickers
• Enclosures "opaque in the visible spectrum"

Level 3 (L2+)
• Automatic deletion (zeroization) of keys when tampering is detected

Level 4 (L3+)
• Kevlar jacketing and EMP-like deletion
• Hermetically sealed enclosure

Page 16: FIPS 140-2 – Key Storage

• The FIPS Administration Manual contains detailed instructions for initializing the FIPS HSM for each platform / version:
• https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-platform-fips-administration.pdf
• Keep the security domain name and password in a secure location. You need the domain name and password when you initialize the internal HSM on the peer unit. This information is also required when replacing a unit (for RMA or other reasons).
• Initialization example (the -f flag forces initialization and destroys any keys already in the HSM, so back up first):

  # tmsh
  # run util fips-util info
  # run util fips-util -f init
  # restart sys service all

Page 17: FIPS 140-2 - Ciphers

• FIPS 140-2 applies not only to key storage but also to using FIPS-compliant ciphers. For a list of the ciphers the on-box OpenSSL knows under the FIPS alias, run the following from the CLI (what the data plane will actually negotiate for a given cipher string is reported by tmm --clientciphers '<string>'):

  # openssl ciphers -v 'FIPS'

• A shortened list (no SSLv3 suites) follows. Note that the FIPS alias still admits anonymous suites (ADH, Au=None, no server authentication at all) and static (EC)DH suites without forward secrecy; exclude those when building a profile, as the cipher strings on the next page do.
• From Local Traffic > Profiles > SSL > Client, set the view of a profile to Advanced, and change the Ciphers box to one of the ciphers listed.

ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD

ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD

ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384

ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384

DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD

DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD

DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256

DHE-DSS-AES256-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(256) Mac=SHA256

ADH-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=None Enc=AESGCM(256) Mac=AEAD

ADH-AES256-SHA256 TLSv1.2 Kx=DH Au=None Enc=AES(256) Mac=SHA256

ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD

ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD

ECDH-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA384

ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA384

AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD

AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256

ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD

ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD

ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256

ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256

DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(128) Mac=AEAD

DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD

DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256

DHE-DSS-AES128-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(128) Mac=SHA256

ADH-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=None Enc=AESGCM(128) Mac=AEAD

ADH-AES128-SHA256 TLSv1.2 Kx=DH Au=None Enc=AES(128) Mac=SHA256

ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD

ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD

ECDH-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128) Mac=SHA256

ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128) Mac=SHA256

AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD

AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256

Page 18: PKI (SSL / TLS): A+ SSL Labs score

• NATIVE:ECDHE+AES:ECDHE+3DES:ECDHE+RSA:!SSLv3:!TLSv1:!EXPORT:!DH:!ADH:!LOW:!MD5:!RC4:RSA+AES:RSA+3DES:@STRENGTH
• !LOW:!SSLv3:!MD5:!RC4-SHA:!EXPORT:!DHE:ECDHE+AES-GCM:DHE+AES-GCM:ECDHE+AES:ECDHE-RSA-DES-CBC3-SHA:DHE+AES:AES-GCM+RSA:RSA+AES:RSA+3DES:@SPEED
• In 11.6: HSTS via an iRule
• In 12.0: DEFAULT cipher string & HSTS enabled in the HTTP profile
• Verify the configured ClientSSL ciphers from the outside:

  nmap --script ssl-enum-ciphers -p 443 <virtual server, e.g. www.domain.com>

• Make sure clients support the selected ciphers...
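To turn the `openssl ciphers -v 'FIPS'` listing on the previous page into a reviewed cipher string for the ClientSSL profile, here is an added example written for this transcript (not F5 code, not from the deck). It parses the listing and applies the same exclusions the strings above express (`!ADH`, no static (EC)DH, AEAD preferred). The SAMPLE lines are copied from that listing; the policy rules, finding texts and function names are this example's own, and it generalizes to any `openssl ciphers -v` output:

```python
"""Audit `openssl ciphers -v` output for suites a hardened ClientSSL profile
should not carry. Added example, not F5 code. SAMPLE is copied from the
`openssl ciphers -v 'FIPS'` listing above; the policy rules (anonymous, DSS,
static key exchange, non-AEAD) are this example's own."""
import re
import subprocess

SAMPLE = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD
ADH-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=None Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_cipher_line(line):
    """'NAME PROTO Kx=.. Au=.. Enc=.. Mac=..' -> dict of those fields."""
    name, proto, rest = line.split(None, 2)
    c = dict(FIELD.findall(rest))
    c.update(name=name, proto=proto)
    return c


def issues(c):
    """Policy checks for one parsed suite; an empty list means acceptable."""
    out = []
    if c["Au"] == "None":
        out.append("anonymous: no server authentication, trivially MITM-able")
    if c["Au"] == "DSS":
        out.append("DSS: needs a DSA server certificate; drop unless you have one")
    # RSA key transport or static (EC)DH (Kx=ECDH/RSA, DH/RSA ...): a leaked
    # private key decrypts every previously captured session.
    if c["Kx"] == "RSA" or "/" in c["Kx"]:
        out.append("no forward secrecy (static key exchange)")
    if c["Mac"] != "AEAD":
        out.append("CBC suite, not AEAD: prefer GCM")
    return out


def audit_ciphers(text):
    """Map suite name -> list of policy issues for every listed suite."""
    result = {}
    for line in text.splitlines():
        if line.strip():
            c = parse_cipher_line(line)
            result[c["name"]] = issues(c)
    return result


def allowed(text):
    """Suites with no issues, in the order OpenSSL listed them."""
    return [name for name, probs in audit_ciphers(text).items() if not probs]


def cipher_string(text):
    """Explicit colon-separated list suitable for a ClientSSL Ciphers box."""
    return ":".join(allowed(text))


if __name__ == "__main__":
    try:  # On a BIG-IP or any host with openssl, audit the real FIPS list.
        text = subprocess.run(["openssl", "ciphers", "-v", "FIPS"],
                              capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE
    for name, probs in audit_ciphers(text).items():
        print(f"{name:32} {'OK' if not probs else '; '.join(probs)}")
    print("cipher string:", cipher_string(text))
```

The output of cipher_string() can be pasted into the Ciphers box as an explicit list; a subsequent nmap --script ssl-enum-ciphers run against the virtual server should then show only those suites, and any suite the scan reports that is absent from the list is a profile that was not applied.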

Page 19: Common Criteria – EAL4+

• The ccmode command is a command script used during the configuration of a Common-Criteria-evaluation-compliant system to make a subset of the required configuration changes easily.
• This command has no facility for "undoing" the changes it makes. Instead, the administrator must reverse or revise all of the individual commands, reset the DB variables to their defaults, save the new configuration, and restart the BIG-IP. Take a UCS archive (tmsh save sys ucs) before running it so that a known-good configuration can be restored.
• From the BIG-IP:

  # tmsh
  # ccmode

Page 20: Common Vulnerabilities and Exposures [CVE] Scanning, Remediation, False Positives

• Google: site:f5.com [CVE-ID]
  • e.g. site:f5.com CVE-2015-1793
• Open a case and identify the CVE.
• Reach out to your account team.
• Many scanner hits against BIG-IP are version-banner matches on bundled components (e.g. OpenSSL) for which F5 backports the fix; the F5 security advisory for the CVE lists the affected and fixed TMOS versions and is the evidence to attach when disputing a false positive.

Page 21: (end of deck)