From 31d80fe1b7099101928622341570f367dc5c9a46 Mon Sep 17 00:00:00 2001 From: stockerts Date: Wed, 17 Jan 2024 11:12:48 -0800 Subject: [PATCH 1/8] Class 2 | Corrected format of intro and images. --- docs/class2/close.rst | 4 ++-- docs/class2/intro.rst | 15 +++++++++++---- docs/class2/lab1.rst | 20 +++++++------------- docs/class2/lab2.rst | 9 +++++++++ docs/class2/lab3.rst | 3 ++- 5 files changed, 31 insertions(+), 20 deletions(-) diff --git a/docs/class2/close.rst b/docs/class2/close.rst index ffc6f886..9b7f17c9 100644 --- a/docs/class2/close.rst +++ b/docs/class2/close.rst @@ -2,7 +2,7 @@ Conclusion ========== Thank you for your participation in the F5 Distributed Cloud Lab. -This Lab Guide has highlighted how attendees can leverage F5 Distributed +This Lab Guide has highlighted how attendees can leverage F5 Distributed Cloud security to protect hosted applications and resources. Appendix @@ -30,7 +30,7 @@ Appendix * **Terraform:** https://registry.terraform.io/providers/volterraedge/volterra/latest +----------------------------------------------------------------------------------------------+ -| F5 Networks, Inc. \| f5.com | +| F5 Networks, Inc. /| f5.com | +----------------------------------------------------------------------------------------------+ +----------------------------------------------------------------------------------------------+ diff --git a/docs/class2/intro.rst b/docs/class2/intro.rst index ab38fb5a..bc0fe9c7 100644 --- a/docs/class2/intro.rst +++ b/docs/class2/intro.rst 
@@ -23,14 +23,15 @@ Cloud Services will be configured as a SaaS Edge delivery and security service tier to a publicly hosted web application. The key elements lab attendees will interact with are as follows: -- F5 Distributed Cloud Console -- F5 Distributed Cloud Global Network / Application Delivery Network (ADN) -- Publicly hosted application (Public Cloud) +* F5 Distributed Cloud Console +* F5 Distributed Cloud Global Network / Application Delivery Network (ADN) +* Publicly hosted application (Public Cloud) |intro001| + Task 2: F5 Distributed Cloud Console Login -========================================== +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The following will guide you through the initial Lab environment access within the F5 Distributed Cloud Console. You should have received an email with an @@ -67,8 +68,11 @@ proceed to the first step below to access the F5 Distributed Cloud Lab Tenant. appear. |intro002| + |intro003| + |intro004| + |intro005| @@ -84,6 +88,7 @@ proceed to the first step below to access the F5 Distributed Cloud Lab Tenant. operations. As **some menus will be locked and not visible.* |intro006| + |intro007| #. Namespaces, which provide an environment for isolating configured @@ -109,6 +114,7 @@ proceed to the first step below to access the F5 Distributed Cloud Lab Tenant. available.* |intro008| + |intro009| **Beginning of Lab:** You are now ready to begin the lab, Enjoy! Ask question @@ -116,6 +122,7 @@ as needed. |labbgn| + .. |intro001| image:: _static/intro-001.png :width: 800px .. |intro002| image:: _static/intro-002.png diff --git a/docs/class2/lab1.rst b/docs/class2/lab1.rst index 5280e04f..d5837777 100644 --- a/docs/class2/lab1.rst +++ b/docs/class2/lab1.rst @@ -30,6 +30,7 @@ tenant for this lab and proceed to Task 1. **Expected Lab Time: 25 minutes** + Task 1: Configure Load Balancer and Origin Pool ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
@@ -50,6 +51,7 @@ assign a target as an origin. as shown. |lab001| + |lab002| .. note:: @@ -70,7 +72,6 @@ assign a target as an origin. |lab003| - #. In the current window's left-hand navigation, click **Origins**. In the adjacent **Origins** section, under **Origin Pools**, click **Add Item**. @@ -106,7 +107,9 @@ assign a target as an origin. **Apply**. |lab008| + |lab009| + |lab010| Task 2: Configure WAF Policy on the Load Balancer @@ -143,6 +146,7 @@ configuration. become available |lab013| + |lab014| @@ -205,8 +209,6 @@ configuration. |lab020| - - #. Click **Documentation** in the horizontal navigation at the top of the screen. @@ -228,7 +230,6 @@ You will now perform basic testing of the Web Application Firewall (WAF) Policy. You will also review the generated event data to make additional configuration changes. - #. Open another tab in your browser (Chrome shown), navigate to the newly configured Load @@ -247,7 +248,9 @@ configuration changes. (copy and paste to a notepad or note resource). |lab022| + |lab023| + |lab024| #. Returning to the F5 Distributed Cloud Console, use the left-hand menu to @@ -261,7 +264,6 @@ configuration changes. *As you have not run many requests, summary analytics may not be available in the dashboard view yet.* - #. Scroll to the bottom and select your load balancer. |lab026| @@ -278,14 +280,11 @@ configuration changes. *Security Event data may take 15-20 seconds to populate in the Console. Please force a* *refresh using the Refresh icon next to the Time Period selection in step 6.* - #. Expand one of the requests and note the **Information** tab link. This summarizes request details and provides request duration timing. |lab028| - - #. Click on the **JSON** link to get more data about the request. #. Click **Add Filter** as shown to see how you can filter by key identifiers. 
@@ -319,7 +318,6 @@ configuration changes. *Individual forensic categories can be changed using the noted pencil icon to surface additional top data details.* - #. Using the left-hand navigation, click **Dashboards** and then select **Security Dashboard**. @@ -365,8 +363,6 @@ configuration changes. |lab039| - - #. Type **req** in the open dialogue window and select **req_id** from the dropdown. @@ -382,8 +378,6 @@ configuration changes. |lab042| - - #. You should now be filtered to a single "Security Event", as shown with your selected filter. You can expand and review the request as desired using the **arrow** icon. diff --git a/docs/class2/lab2.rst b/docs/class2/lab2.rst index cb095c41..31ce517d 100644 --- a/docs/class2/lab2.rst +++ b/docs/class2/lab2.rst @@ -94,6 +94,7 @@ Cloud Console. This HTTP request will not show up in the Security Analytics however you will find it in Request logging. + Task 2: Enabling F5 Distributed Cloud Bot Defense ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -116,6 +117,7 @@ and understand its implementation. - **Token:** **password** |lab010| + |lab011| #. In the Developer window, find the **POST** to **auth.php**. **You can also @@ -125,6 +127,7 @@ and understand its implementation. that you only see limited form POST data (identity, token, & submit). |lab012| + |lab013| .. warning:: *Make sure to logoff using the menu on the right of the web @@ -165,6 +168,7 @@ and understand its implementation. #. Click **Edit Configuration** in the top right-hand corner. |lab014| + |lab015| #. Click **Bot Protection** in the left-hand navigation. @@ -182,7 +186,9 @@ and understand its implementation. #. In the new **App Endpoint Type** window, click **Add Item**. |lab017| + |lab018| + |lab019| #. In the **Application Endpoint** input the following values in the fields 
@@ -198,6 +204,7 @@ and understand its implementation. #. Scroll to the bottom and click **Apply**. |lab020| + |lab021| #. Click **Apply** on the **App Endpoint Type** window. @@ -206,6 +213,7 @@ and understand its implementation. section of the **Protected App Endpoints** window, then click **Apply**. |lab022| + |lab023| #. Observe that the **Bot Defense Policy** is now configured. @@ -214,6 +222,7 @@ and understand its implementation. bottom on the **HTTP Load Balancer** screen, and click **Save and Exit**. |lab024| + |lab025| #. Repeat Task 2 Steps 1-6. Note you many need to close your browser and clear diff --git a/docs/class2/lab3.rst b/docs/class2/lab3.rst index 8298de42..1c1766f5 100644 --- a/docs/class2/lab3.rst +++ b/docs/class2/lab3.rst @@ -33,7 +33,7 @@ malicious user mitigation and actions. |lab003| #. Click the dropdown for **User Identification Policy** and select - **Add Item**. + **Add Item**. |lab004| @@ -166,6 +166,7 @@ select **Enable**. bottom of the window and click the **Save and Exit** button. |lab023| + |lab024| **End of Lab 3:** This concludes Lab 3, feel free to review and test the From 72efa0c54f32d7e108136dc10f0d5dc5f2de28ad Mon Sep 17 00:00:00 2001 From: stockerts Date: Wed, 17 Jan 2024 12:52:18 -0800 Subject: [PATCH 2/8] Added code type --- docs/class2/lab2.rst | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/docs/class2/lab2.rst b/docs/class2/lab2.rst index 31ce517d..813361f7 100644 --- a/docs/class2/lab2.rst +++ b/docs/class2/lab2.rst 
@@ -89,7 +89,9 @@ Cloud Console. user-agent, you will skip signature-based bot detection. For example, if you run the following command: - ``curl http://.lab-sec.f5demos.com --user-agent 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2.1 Safari/605.1.15'`` + .. code:: BASH + curl http://.lab-sec.f5demos.com + --user-agent 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2.1 Safari/605.1.15' This HTTP request will not show up in the Security Analytics however you will find it in Request logging. @@ -138,10 +140,12 @@ and understand its implementation. Let’s explore how an attacker could perform credential stuffing attacks by using the curl command: - ``curl -v 'http://.lab-sec.f5demos.com/auth.php' - -H 'Content-Type: application/x-www-form-urlencoded' - --user-agent 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2.1 Safari/605.1.15' - --data-raw 'identity=user%40f5.com&token=password&submit=Submit'`` + .. code:: BASH + + curl -v 'http://.lab-sec.f5demos.com/auth.php' + -H 'Content-Type: application/x-www-form-urlencoded' + --user-agent 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2.1 Safari/605.1.15' + --data-raw 'identity=user%40f5.com&token=password&submit=Submit' For this application, a successful logon will have a 302 response to the location ./data.php?page=data 
@@ -240,10 +244,12 @@ and understand its implementation. requests and its ability to perform credential stuffing attacks. Let’s find out. Re-run our previously successful logon attempt: - ``curl -v 'http://.lab-sec.f5demos.com/auth.php' - -H 'Content-Type: application/x-www-form-urlencoded' - --user-agent 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2.1 Safari/605.1.15' - --data-raw 'identity=user%40f5.com&token=password&submit=Submit'`` + .. code:: BASH + + curl -v 'http://.lab-sec.f5demos.com/auth.php' + -H 'Content-Type: application/x-www-form-urlencoded' + --user-agent 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2.1 Safari/605.1.15' + --data-raw 'identity=user%40f5.com&token=password&submit=Submit' As you can see, instead of signaling to a potential attacker that they have a good or bad password, we have prevented the would-be attacker from From af08c4f83bec8bc78acfeddb5744051ff85f514c Mon Sep 17 00:00:00 2001 From: stockerts Date: Wed, 17 Jan 2024 12:55:41 -0800 Subject: [PATCH 3/8] Update to curl command --- docs/class2/lab2.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/class2/lab2.rst b/docs/class2/lab2.rst index 813361f7..9ed0178b 100644 --- a/docs/class2/lab2.rst +++ b/docs/class2/lab2.rst @@ -90,7 +90,7 @@ Cloud Console. run the following command: .. code:: BASH - curl http://.lab-sec.f5demos.com + curl 'http://.lab-sec.f5demos.com' --user-agent 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2.1 Safari/605.1.15' This HTTP request will not show up in the Security Analytics however you From d1a1944eb3920a196d39174472c804cefc3fad73 Mon Sep 17 00:00:00 2001 From: stockerts Date: Wed, 17 Jan 2024 12:58:34 -0800 Subject: [PATCH 4/8] Another change to curl --- docs/class2/lab2.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/class2/lab2.rst b/docs/class2/lab2.rst index 9ed0178b..78a0933a 100644 --- a/docs/class2/lab2.rst +++ b/docs/class2/lab2.rst @@ -90,7 +90,7 @@ Cloud Console. run the following command: .. code:: BASH - curl 'http://.lab-sec.f5demos.com' + curl -v 'http://.lab-sec.f5demos.com' --user-agent 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2.1 Safari/605.1.15' This HTTP request will not show up in the Security Analytics however you From 8d08e69c57728e9f2d69d14c216f5e0f8ff798f2 Mon Sep 17 00:00:00 2001 From: stockerts Date: Wed, 17 Jan 2024 13:00:12 -0800 Subject: [PATCH 5/8] curl update 3 --- docs/class2/lab2.rst | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/class2/lab2.rst b/docs/class2/lab2.rst index 78a0933a..c86fb014 100644 --- a/docs/class2/lab2.rst +++ b/docs/class2/lab2.rst @@ -90,8 +90,7 @@ Cloud Console. run the following command: .. code:: BASH - curl -v 'http://.lab-sec.f5demos.com' - --user-agent 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2.1 Safari/605.1.15' + curl -v 'http://.lab-sec.f5demos.com' --user-agent 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2.1 Safari/605.1.15' This HTTP request will not show up in the Security Analytics however you will find it in Request logging. From 7c015ba71c4c2df93f9f9dda13a078e433376a5a Mon Sep 17 00:00:00 2001 From: stockerts Date: Wed, 17 Jan 2024 13:02:17 -0800 Subject: [PATCH 6/8] Task 1 update, format --- docs/class2/lab2.rst | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/class2/lab2.rst b/docs/class2/lab2.rst index c86fb014..f546109e 100644 --- a/docs/class2/lab2.rst +++ b/docs/class2/lab2.rst 
@@ -79,7 +79,7 @@ Cloud Console. |lab009| -#. **Optional Advanced Topic** + **Task 1: Optional Advanced Topic** Signature based Bot detection can be easily bypassed. By simply presenting a less suspicious user-agent string, a threat actor can easily bypass the @@ -90,7 +90,8 @@ Cloud Console. run the following command: .. code:: BASH - curl -v 'http://.lab-sec.f5demos.com' --user-agent 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2.1 Safari/605.1.15' + curl 'http://.lab-sec.f5demos.com' + --user-agent 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2.1 Safari/605.1.15' This HTTP request will not show up in the Security Analytics however you will find it in Request logging. From 7e25ebd85d1d72187b51e84f6c079b906753b3ad Mon Sep 17 00:00:00 2001 From: stockerts Date: Wed, 17 Jan 2024 13:05:28 -0800 Subject: [PATCH 7/8] Lab2 format update --- docs/class2/lab2.rst | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/docs/class2/lab2.rst b/docs/class2/lab2.rst index f546109e..c738f96b 100644 --- a/docs/class2/lab2.rst +++ b/docs/class2/lab2.rst @@ -10,7 +10,8 @@ protect the previously configured application from advanced Bot threats. **Expected Lab Time: 25 minutes** Task 1: Reviewing Signature-based Bot protection ------------------------------------------------- +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + In this task you will review the Bot signature configuration and view logged security events. This lab will begin back in the F5 Distributed Cloud Console. 
@@ -90,9 +91,17 @@ Cloud Console. run the following command: .. code:: BASH + curl 'http://.lab-sec.f5demos.com' --user-agent 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2.1 Safari/605.1.15' + .. code:: BASH + + curl -v 'http://.lab-sec.f5demos.com/auth.php' + -H 'Content-Type: application/x-www-form-urlencoded' + --user-agent 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2.1 Safari/605.1.15' + --data-raw 'identity=user%40f5.com&token=password&submit=Submit' + This HTTP request will not show up in the Security Analytics however you will find it in Request logging. From 56077b3bce009193348c083d10b02508a89cd8a7 Mon Sep 17 00:00:00 2001 From: stockerts Date: Wed, 17 Jan 2024 13:06:56 -0800 Subject: [PATCH 8/8] Final curl correction, last works! --- docs/class2/lab2.rst | 7 ------- 1 file changed, 7 deletions(-) diff --git a/docs/class2/lab2.rst b/docs/class2/lab2.rst index c738f96b..94184460 100644 --- a/docs/class2/lab2.rst +++ b/docs/class2/lab2.rst @@ -95,13 +95,6 @@ Cloud Console. curl 'http://.lab-sec.f5demos.com' --user-agent 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2.1 Safari/605.1.15' - .. code:: BASH - - curl -v 'http://.lab-sec.f5demos.com/auth.php' - -H 'Content-Type: application/x-www-form-urlencoded' - --user-agent 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2.1 Safari/605.1.15' - --data-raw 'identity=user%40f5.com&token=password&submit=Submit' - This HTTP request will not show up in the Security Analytics however you will find it in Request logging.
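
Review bot: In PATCH 1/8, docs/class2/close.rst, hunk @@ -30,7 +30,7 @@, the footer cell changes `\|` to `/|`, which reads as a typo rather than a format correction. The backslash is the reStructuredText escape for a literal pipe; a forward slash escapes nothing, so the cell will render with a stray "/" in front of the pipe. Suggest keeping the `\|` form in the `F5 Networks, Inc.` row.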
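
Review bot: In PATCH 1/8, docs/class2/intro.rst, hunk @@ -84,6 +88,7 @@, the context line `As **some menus will be locked and not visible.*` opens with `**` and closes with a single `*`, so the inline markup is unbalanced. Since this commit is the format pass over intro.rst, it would be worth fixing here by using the same marker on both sides.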
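
Review bot: In PATCH 2/8, docs/class2/lab2.rst, hunk @@ -89,7 +89,9 @@, there is no blank line between `.. code:: BASH` and the `curl` line, unlike the other two hunks in this patch. reStructuredText needs a blank line between the directive line and its content; without it the curl lines are read as part of the directive line rather than as the code body. Suggest adding an empty `+` line after the directive (PATCH 7/8 ends up doing this, so it can be folded in here).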
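
Review bot: In PATCH 2/8, docs/class2/lab2.rst, hunk @@ -138,10 +140,12 @@ (and the identical block in @@ -240,10 +244,12 @@), the curl command is spread over four lines with no trailing backslash on any of them. Inside the old inline literal that was harmless, but in a code block attendees will copy it as shown, and the shell will run `curl -v 'http://.lab-sec.f5demos.com/auth.php'` on its own and then try to execute `-H`, `--user-agent` and `--data-raw` as separate commands, so the login POST the lab text describes (302 to ./data.php?page=data) is never sent. Suggest ending each continued line with a space and a backslash, or keeping the command on one line.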
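
Review bot: In PATCH 6/8, docs/class2/lab2.rst, hunk @@ -90,7 +90,8 @@, the single-line command from PATCH 5/8 is split again into `curl 'http://.lab-sec.f5demos.com'` and a separate `--user-agent ...` line with no backslash continuation, and the `-v` added in PATCH 4/8 is dropped without a reason in the commit message. As written, a pasted command sends the request with curl's default user-agent, which is the opposite of what the paragraph about skipping signature-based bot detection is demonstrating. Suggest keeping the one-line form or adding the continuation, and stating whether `-v` is wanted.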
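
Review bot: In PATCH 7/8, docs/class2/lab2.rst, hunk @@ -90,9 +91,17 @@, a second code block with the `auth.php` login POST is added to Task 1, between the user-agent example and the sentence "This HTTP request will not show up in the Security Analytics", which makes "This HTTP request" point at the wrong command. The block duplicates the one already in Task 2 and is removed again in PATCH 8/8, so it looks like an accidental paste. Suggest dropping it from this commit and squashing PATCH 3/8 through 8/8 into one change, so the history holds a single, final version of the Task 1 curl example.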