Many of us first discovered F5 because of their flagship LTM and GTM products, but more recently F5's firewall offerings have been making waves, namely their Web Application Firewall (WAF), a.k.a. the Application Security Manager (ASM). Now, when you tell people you work with F5, more often than not they say "oh yeah, the WAF company!" This isn't by accident: because the BIG-IP is the best in the industry at terminating SSL / TLS, it is easy to see unencrypted traffic and apply security policies to it, whether WAF rules with the ASM or identity and access rules with the APM.
While this is certainly progress, what most people don't realize is that every module in the BIG-IP family is security focused and offers some type of firewall functionality. Even the base LTM is a traditional IP and port based firewall, ICSA certified, and has been since 2011. In this article, I'll break down all the different ways F5 is a firewall, which together make it the most advanced and complete firewall on the market today.
Local Traffic Manager (LTM)
LTM is the core module included in the base "Good" licensing tier F5 offers. Like all of F5's products, LTM runs on on-premises hardware as well as in all the popular clouds like AWS, Azure, and Google Cloud. Enterprises use LTM's full-proxy functionality to give their application teams complete control, with the ability to tune client-side and server-side connections independently. From terminating and offloading SSL / TLS traffic and simplifying certificate management, to load balancing traffic based on performance across monstrous server farms, LTM is the most complete load balancer on the market. What you may not realize is that LTM is also an IP and port based firewall. There are only so many entry points into the F5, and unless you open them explicitly, there is no way for traffic to enter or exit the device. Let's evaluate all the ways traffic can enter and exit the F5 BIG-IP LTM module:
- Management Interface – This is how you administer the F5. It is a physical Ethernet port on the F5 BIG-IP hardware devices, and a logical interface you assign to a NIC on the Virtual Edition devices. By default, the management interface listens on port 22 for SSH and port 443 for HTTPS web access. This interface typically carries an RFC 1918 private address and should never be exposed on the Internet. Authentication can be local or against a directory service like LDAP / AD.
- Self-IPs – These are logical interfaces you assign for data the BIG-IP pushes. Typically your virtual IPs live on the subnets the Self-IPs are part of. You can think of them as your next-hop interface and/or your exit interface. The LTM interface gives you a "port lockdown" setting that allows you to accept or deny traffic on different ports. This is one of the most misunderstood settings on the F5 LTM. In particular, folks think they need to allow specific IPs and ports in the port lockdown settings for traffic to flow through their Self-IPs; this is not true. The port lockdown setting controls which connections are allowed to terminate on the individual Self-IP itself. This is only useful in a few scenarios: connecting to the Self-IP as a management interface (a big no-no), iQuery traffic, HA / sync traffic, and IPsec termination endpoints. If you don't have any of those going on, then you should always set your port lockdown setting to "allow-none".
- Virtual Servers – "VIPs" – These are the containers for all the configuration elements the F5 BIG-IP offers. All the other modules like the ASM, APM, and AFM fit inside virtual servers and are typically configured as a "Profile", other than the GTM/DNS, which has its own containers known as "Wide-IPs" or "WIPs". A virtual server is comprised of an IP and port, so the virtual IP address is constrained to the allowed ports from the get-go: traffic can only pass through a virtual server for what you tell it to allow. For example, if you create a VIP that listens on 126.96.36.199 port 80, it will only accept traffic to 126.96.36.199 port 80.
- NATs & SNATs – This is one of the most vulnerable spots on the F5 BIG-IP LTM if not used properly. Though NATs/SNATs can be constrained by source via an origin IP list, you can't restrict ports. Once you configure a NAT or a SNAT, you allow ALL traffic through for those particular IPs. So how do you safely use NATs and SNATs? Once you configure them on your BIG-IPs, you will have to use the global packet filters or the AFM to lock down traffic. NATs and SNATs are one of the biggest reasons folks start to use the AFM module, since the AFM gives users more granular control over IP and port based traffic than global packet filtering, which is just that: it applies to all traffic through the box (other than the management interface). I know, you have questions here, and I have answers in the AFM section below. Note: If you want to know more about how address translation works on the F5 BIG-IP, read my popular article on the topic here – F5 Address translation.
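To make the four entry points above concrete, here is an added example (my own illustration for this article, not an F5 tool and not part of the original configuration guidance) that parses a hand-constructed approximation of `tmsh list` output and reports what each object exposes: Self-IPs whose port lockdown is anything other than allow-none, virtual servers with the single IP:port they listen on, and NATs/SNATs, which pass every port for their addresses. The object names, addresses and the snapshot text itself are constructed for the example; the parser is a simplified brace-matching reader, not TMOS's own configuration parser.

```python
# Added illustration, not an F5 tool: parse a tmsh-style config snapshot and report what
# each LTM entry point exposes. SAMPLE_CONFIG is a hand-constructed approximation of
# `tmsh list` output; object names and addresses are made up for the example.
SAMPLE_CONFIG = """\
net self /Common/internal_self {
    address 10.1.10.5/24
    allow-service none
}
net self /Common/external_self {
    address 203.0.113.5/24
    allow-service {
        tcp:22
        tcp:443
    }
}
net self /Common/ha_self {
    address 10.1.30.5/24
    allow-service {
        tcp:4353
        udp:1026
    }
}
ltm virtual /Common/web_vs {
    destination /Common/203.0.113.10:80
    ip-protocol tcp
}
ltm snat /Common/outbound_snat {
    origins {
        10.1.10.0/24 { }
    }
    translation /Common/203.0.113.20
}
ltm nat /Common/server_nat {
    originating-address 10.1.10.50
    translation-address 203.0.113.30
}
"""

# Services on a self IP that mean it is being used as a management interface (the
# article's "big no-no"): SSH and HTTPS, the ports the management interface listens on.
MGMT_SERVICES = {"tcp:22", "tcp:443"}


def strip_partition(value):
    """'/Common/web_vs' -> 'web_vs'; values without a partition prefix pass through."""
    return value.rsplit("/", 1)[-1] if value.startswith("/") else value


def parse_tmsh(text):
    """Parse brace-delimited tmsh output into (kind, name, attrs) tuples. Nested blocks
    become dicts; bare tokens in a block (e.g. allow-service entries) become key -> True."""
    objects, stack = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{ }"):                  # empty block, e.g. "10.1.10.0/24 { }"
            stack[-1][line[:-3].strip()] = {}
        elif line.endswith("{"):
            head, block = line[:-1].split(), {}
            if stack:                               # nested block such as "origins {"
                stack[-1][head[0]] = block
            else:                                   # top-level object: "net self /Common/x {"
                objects.append((" ".join(head[:-1]), strip_partition(head[-1]), block))
            stack.append(block)
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip() if value else True
    return objects


def audit(objects):
    """One finding per entry point: (severity, object name, message)."""
    findings = []
    for kind, name, attrs in objects:
        if kind == "net self":
            svc = attrs.get("allow-service", "none")
            if svc == "none":
                continue                            # allow-none: nothing can terminate here
            services = sorted(svc) if isinstance(svc, dict) else [svc]
            wide_open = svc in ("all", "default") or MGMT_SERVICES & set(services)
            findings.append(("HIGH" if wide_open else "MEDIUM", name,
                             f"self IP {attrs['address']} accepts {', '.join(services)}; "
                             "use allow-none unless this is HA/sync, iQuery or IPsec"))
        elif kind == "ltm virtual":
            dest = strip_partition(attrs["destination"])
            findings.append(("INFO", name, f"listens only on {dest} {attrs.get('ip-protocol', 'any')}"))
        elif kind == "ltm snat":
            origins = ", ".join(attrs.get("origins", {})) or "any source"
            findings.append(("HIGH", name, f"SNAT {strip_partition(attrs['translation'])} passes "
                             f"all ports for {origins}; constrain with packet filters or AFM"))
        elif kind == "ltm nat":
            findings.append(("HIGH", name, f"NAT {attrs['translation-address']} <-> "
                             f"{attrs['originating-address']} passes all ports; constrain with packet filters or AFM"))
    return findings


if __name__ == "__main__":
    for severity, name, message in audit(parse_tmsh(SAMPLE_CONFIG)):
        print(f"[{severity}] {name}: {message}")
```

Run against a real box you would replace `SAMPLE_CONFIG` with the saved output of `tmsh list net self`, `tmsh list ltm virtual`, `tmsh list ltm snat` and `tmsh list ltm nat`. The report deliberately treats every NAT and SNAT as HIGH regardless of its origin list, because an origin list narrows sources but, as noted above, never narrows ports.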
Global Traffic Manager (GTM), now branded as BIG-IP DNS
A lot of products translate names to IP addresses, but nobody does intelligent name resolution better than F5. Working closely with the other modules, GTM is the de facto standard when it comes to disaster recovery and active/active application availability. On-premises, in the cloud, or in a hybrid architecture, GTM can ingest the health of an application that lives across the globe and resolve your customers to the best location for them, all using the same URL for that application. Again, a lot of folks don't realize there is quite a bit of security built into this monster of a DNS platform. What kind of security features does GTM offer, you ask? Let's take a look at a few of the most popular ones:
- DNSSEC – Ensures the integrity of data returned by domain name lookups by incorporating a chain of trust into the DNS hierarchy. The GTM makes it easy to take advantage of DNSSEC and streamlines the key signing process.
- Mitigating DNS attacks with iRules – protect against amplification attacks, DNS flood attacks, and malformed DNS packets, just to name a few.
- DNS Express (high-speed DNS caching) – the ability to handle large volumetric DDoS attacks with a higher requests-per-second (RPS) threshold.
Advanced Firewall Manager (AFM)
AFM is F5's answer to the limitations of the global packet filtering that comes with the LTM module, including its lack of logging control. In short, the AFM gives you the ability to control IP and port based firewalling more granularly, and in more places, than the global packet filters could ever give you, all while giving you detailed logs of exactly what is being blocked.
In contrast to global packet filtering, which is applied, you guessed it, globally 😉, the AFM gives you different "contexts" you can apply rules to, including globally. The firewall contexts available on the AFM are listed below in the order they process traffic:
- Route Domain
- Virtual Server
- Management Interface
Hold on a second, I thought you said virtual servers are secure and only process traffic for what you tell them to? Yes, that's true, but virtual servers have other functions beyond the traditional VIP you may be familiar with. For example, there are times when you will want to allow your BIG-IPs to route (think in-line traffic with the F5 as your gateway). There are some filters you can apply at the virtual server itself to limit source addresses, and destination addresses and ports, but the AFM allows you to use address and port lists and gives you more granular control over your firewalling.
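As an added illustration of the context ordering above (example code I wrote for this article, not F5's implementation), the following simplified model walks a packet through Global, Route Domain and Virtual Server rule sets in that order, with the Global context placed ahead of the list above since rules can be applied there too. It assumes first-match evaluation within a context, that a plain "accept" hands the packet on to the next context while "accept-decisively" ends evaluation, that drop/reject end evaluation, and that a context with no matching rule simply falls through; the management context is left out of the model, and the rule names, policies and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Contexts in processing order for this simplified model (assumption: Global first,
# then the article's Route Domain and Virtual Server; the management port is omitted).
CONTEXT_ORDER = ["global", "route-domain", "virtual-server"]


@dataclass
class Rule:
    name: str
    action: str                  # accept | accept-decisively | drop | reject
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None  # None matches any port (and protocols without ports)

    def matches(self, pkt):
        """True when every field the rule specifies covers the packet."""
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt["proto"])
                and self.dport in (None, pkt["dport"]))


# Constructed policy: a web VIP on 203.0.113.10:80, a SNAT address 203.0.113.20 that
# must not accept anything inbound, and a monitoring subnet whose ICMP probes are
# accepted decisively so later contexts never see them.
POLICIES = {
    "global": [
        Rule("monitor-probes", "accept-decisively", src="10.1.50.0/24", proto="icmp"),
    ],
    "route-domain": [
        Rule("allow-web", "accept", dst="203.0.113.10/32", proto="tcp", dport=80),
        Rule("snat-lockdown", "drop", dst="203.0.113.20/32"),
    ],
    "virtual-server": [
        Rule("web-blocklist", "drop", src="198.51.100.0/24", proto="tcp", dport=80),
    ],
}


def evaluate(pkt, policies):
    """Return (final_action, context, rule_name) for a packet under the model above."""
    for ctx in CONTEXT_ORDER:
        for rule in policies.get(ctx, []):
            if not rule.matches(pkt):
                continue
            if rule.action == "accept":
                break                                 # accepted here; next context still gets a say
            return rule.action, ctx, rule.name        # accept-decisively, drop, reject are final
        # no match in this context (or a plain accept): fall through to the next one
    return "accept", "none", None                     # every context let it through


if __name__ == "__main__":
    samples = [
        {"src": "198.51.100.7", "dst": "203.0.113.10", "proto": "tcp", "dport": 80},
        {"src": "203.0.113.99", "dst": "203.0.113.10", "proto": "tcp", "dport": 80},
        {"src": "203.0.113.99", "dst": "203.0.113.20", "proto": "tcp", "dport": 443},
        {"src": "10.1.50.8", "dst": "203.0.113.20", "proto": "icmp", "dport": None},
    ]
    for pkt in samples:
        print(pkt["src"], "->", f"{pkt['dst']}:{pkt['dport']}", evaluate(pkt, POLICIES))
```

The third sample packet is the SNAT case from the LTM section: the SNAT address passes every port, so the route-domain rule is what actually closes it, and the fourth shows why "accept-decisively" deserves care, since it skips that same rule for the monitoring subnet.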
Application Security Manager (ASM)
This is F5's Web Application Firewall (WAF). If you understand how traditional firewalls block and allow traffic by means of IPs and ports, you can think of the F5 ASM as filtering and protecting everything after the slash "/" in your URL, specifically the contents of requests to your web application, including the URIs and posted parameters. Web applications that are not static and allow user input are at high risk for vulnerabilities. F5's ASM is at the forefront of web threats, constantly releasing updates in the form of attack signatures to block known malicious traffic. F5 is now a leader in Gartner's Magic Quadrant for Web Application Firewalls, beating out longtime king of the mountain Imperva. Taking it a step further, ASM also adds protocol security features for DNS, HTTP, FTP, SSH, and SMTP. There are also hordes of DoS mitigation features the ASM provides, like proactive bot defense, TPS-based detection, behavioral and stress-based detection, performance acceleration, geolocation, and more.
If all that wasn't enough, F5 has released an extension to the ASM module called the Advanced WAF, or AWAF for short. Some of the biggest advantages of F5's AWAF are unlimited behavioral DoS (BADoS) protection (the base ASM is limited to 2 virtual servers), DataSafe, and guided configurations. I'll have an article out soon covering more on AWAF.
Application Policy Manager (APM)
Easily secure and control access to any application from any device. The APM consolidates application access and allows employees and contractors to reach a limited set of applications based on their directory service memberships. From SSO, SAML, and basic NTLM auth to more advanced auth methods like Kerberos and complicated multi-factor setups, F5's APM provides enterprise-grade Identity & Access Management (IAM) and acts like an IAM firewall for your apps. It can even integrate with mobile device management (MDM) platforms like AirWatch, which can act as a firewall for your organization's mobile devices.
I hope you enjoyed this F5 firewall overview; while it covers a lot, it's definitely not exhaustive! The F5 BIG-IP is a firewall in so many different ways! Please post your comments, questions, or the creative ways you use the F5 BIG-IP firewall features below!