1 | | -Enable API discovery for BIG-IP |
2 | | -=============================== |
| 1 | +API Discovery outcomes |
| 2 | +====================== |
3 | 3 |
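Review bot: the title change from "Enable API discovery for BIG-IP" to "API Discovery outcomes" means this file's entire BIG-IP onboarding lab (CE registration, the BIG-IP Service Discovery, enabling API Discovery on the Virtual Server) is being replaced rather than revised, and the old text carried lab credentials and placeholders (`$$smsv2Token$$`, `$$smsv2SiteName$$`) that other pages may still reference; if that content moved to another file, name it in the commit so the lab index and cross-links can be checked, otherwise confirm the removal is intentional.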
4 | | -In the previous lab, we learnt how F5 Distributed Cloud can discover API Endpoints when those endpoints are exposed on F5 Distributed Cloud infrastructure. |
5 | | -But many modern applications (API firt) reside on-premises behind BIG-IP. In order to offer the same level of services, F5 deployed the on-premises API Discovery for BIG-IP. |
| 4 | +.. note:: The "traffic discovery" scheduler runs on a random interval within a two hours time window and therefore it can take up to 2 hours (maximum) to see all results in the Dashboard for the "API Discovery outcomes" lab section. You can also continue with the next lab "Advanced Protection - "JWT validation and access control" (module 3) and continue here later. |
6 | 5 |
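Review bot: in the added note beginning `.. note:: The "traffic discovery" scheduler`, "a two hours time window" should read "a two-hour window", and "up to 2 hours (maximum)" says the same thing twice; suggest: "runs at a random point within a two-hour window, so it can take up to two hours for all results to appear in the Dashboard". The quotes around the next lab's title are also unbalanced (`"Advanced Protection - "JWT validation and access control"` opens two and closes one).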
7 | | -In this lab, you will learn how to ``onboard`` a BIG-IP into F5XC, in order to enable the API Discovery feature on this BIG-IP. |
| 6 | +.. note:: The "code base repo discovery" is done once a day |
8 | 7 |
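Review bot: the added note `The "code base repo discovery" is done once a day` lacks a terminal period, and the name does not match the `Code Analysis` label this same file uses later for the Discovery Source column (and "Code Base" in the note under the code-base table); use one term, for example: `The code-base (repository) discovery, shown as "Code Analysis" in the Discovery Source column, runs once a day.`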
9 | | -Key take aways before jumping into the lab: |
| 8 | +Endpoint Discovery |
| 9 | +------------------ |
10 | 10 |
11 | | -* Out of Band Discovery |
12 | | -* CE required on BIG-IP Network |
13 | | -* CE collects and anonymises logs from BIG-IP |
14 | | -* F5XC runs API Discovery engine in F5XC infrastructure |
15 | | -* Outcomes |
| 11 | +* Goto Web App & API Protection > Overview > Security > Dashboard |
| 12 | +* Click on your Application Load Balancer |
| 13 | +* Click on ``API Endpoints`` to see the endpoints in the the "Table" view. |
16 | 14 |
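Review bot: typo "the the" in the bullet `Click on ``API Endpoints`` to see the endpoints in the the "Table" view.`; also "Goto" in the first bullet should be "Go to".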
17 | | - * Inventory |
18 | | - * Security Insights risks |
19 | | - * Compliance |
20 | | - * Authentication state |
21 | | - * Sensitive Data |
22 | | - |
23 | | -.. image:: ../pictures/cbip-apid-archi.png |
| 15 | +.. image:: ../pictures/api-endpoints-table.png |
24 | 16 | :align: left |
| 17 | + :scale: 50% |
25 | 18 |
| 19 | +Understand the API Discovery elements |
| 20 | +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
26 | 21 |
27 | | -Deploy and register Customer Edge (CE) |
28 | | --------------------------------------- |
29 | | - |
30 | | -The CE (Customer Edge) is not yet registered. But it is already deployed in your UDF environment. |
31 | | -The CE is deployed with 2 NICs |
| 22 | +API Category |
| 23 | +************ |
32 | 24 |
33 | | -* NIC Outside in charge of IPSEC tunnels between CE and RE |
34 | | -* NIC Inside in charge of configuring BIG-IP and collect logs from BIG-IP |
| 25 | +On the top left corner, there are 3 important elements: |
35 | 26 |
36 | | -.. note:: In a nutshell, F5XC will configure the BIG-IP to collect request logs from the Virtual Server, and send those logs to the CE. Then the CE will anonymize the logs and send them to the F5XC infrastructure to render the API Discovery endpoints and insights. |
| 27 | +* **Inventory** : Endpoints known from the OpenAPI Spec file |
37 | 28 |
38 | | -Register the CE |
39 | | -^^^^^^^^^^^^^^^ |
| 29 | + * In our lab, there are 3 endpoints know (adjectives, animals, locations) |
40 | 30 |
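Review bot: "know" should be "known" in `In our lab, there are 3 endpoints know (adjectives, animals, locations)`; since the later steps refer to the endpoints by path (`/colors`, `/animals`, `/api/locations`), writing them in the same path form here would let the reader match them against the Table view.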
41 | | -In UDF environment, connect to the Customer Edge (CE) UI with credentials below |
| 31 | +* **Discovered** : Endpoints that the XC platform has discovered/learned from live traffic (known and unknown endpoints) |
| 32 | +* **Shadow** : Endpoints that have been ``Discovered`` but are **NOT PART** of the ``Inventory`` |
42 | 33 |
43 | | -* Creds : ``admin`` / ``Volterra123`` |
44 | | -* Click on ``Configure Now`` button |
| 34 | +You can filter on ``Shadow`` only to show the ``/colors`` endpoint as a Shadow API. |
45 | 35 |
46 | | -.. image:: ../pictures/configure-ce.png |
| 36 | +.. image:: ../pictures/shadow.png |
47 | 37 | :align: left |
| 38 | + :scale: 50% |
48 | 39 |
49 | | -* Token (copy paste using the copy button below) |
50 | | - |
51 | | -.. code-block:: none |
52 | | -
53 | | - $$smsv2Token$$ |
54 | | -
55 | | -* Cluster Name: ``$$smsv2SiteName$$`` |
56 | | -* Hostmane: ``master0`` |
57 | 40 |
58 | | -* Click ``Save Configuration`` |
| 41 | +Discovery Source and Schema Status |
| 42 | +********************************** |
59 | 43 |
60 | | -Wait 15min to see the CE registered in the F5 Distributed Cloud Console. |
| 44 | +The ``Discovery Source`` tells you from which source each EndPoint has been discovered |
61 | 45 |
| 46 | +* Traffic: discovered thanks to traffic passing through XC (real traffic) |
| 47 | +* Code Analysis: discovered by scanning the source code into the repositories |
62 | 48 |
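Review bot: in the Code Analysis bullet, "scanning the source code into the repositories" should read "scanning the source code in the repositories"; in the Traffic bullet, "(real traffic)" repeats "live traffic" from the Discovered definition above and can be dropped.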
63 | | -Check Registration on the F5 Distributed Cloud Console |
64 | | -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 49 | +The ``Schema status`` tells you if this Endpoint is part of the OpenAPI specification file |
65 | 50 |
66 | | -In F5 Distributed Cloud Console |
67 | | - |
68 | | -* Go to Multi-Cloud Network Connect > Overview > Infrastructure > Sites |
69 | | -* Search for your site $$smsv2SiteName$$ |
70 | | -* Click on it |
71 | | -* Refresh the page till upgrades are finished and every flag is green |
72 | | - |
73 | | -.. image:: ../pictures/site-view.png |
| 51 | +.. image:: ../pictures/code-base-table.png |
74 | 52 | :align: left |
| 53 | + :scale: 50% |
75 | 54 |
| 55 | +.. note:: These 2 columns are very important. First of all, this shows if the Endpoint is part of the source code. Then, it shows if this Endpoint is exposed (traffic) and also part of the OpenAPI specification file. The best outcome is when an Endpoint is part of Code Base and Traffic discovery and also in OpenAPI Spec file. |
76 | 56 |
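Review bot: the note states only the best case (present in Code Base, Traffic and the OpenAPI spec); adding the inverse would tie these two columns back to the Shadow definition given earlier, for example: "An endpoint seen in Traffic but absent from both Code Analysis and the OpenAPI spec is the Shadow API case and deserves the first look." Also "These 2 columns" reads better as "These two columns".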
77 | | -.. note:: Your CE is up and running and ready to connect to the BIG-IP in order to collect logs. |
78 | 57 |
| 58 | +Go deeper into the discovery |
| 59 | +^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
79 | 60 |
80 | | -Onboard on-premises BIG-IP |
81 | | --------------------------- |
| 61 | +* Click on the ``/colors`` shadow API endpoint. A pop-up will appear on the right side of the screen. |
| 62 | +* You can see on the top right corner, 2 actions |
82 | 63 |
83 | | -The BIG-IP is already up and running into your lab environment. Each student has his own BIG-IP. |
| 64 | + * **API Protection rule** : if you want to block this endpoint. Let's say SecOps have this power to block unknown endpoints. |
84 | 65 |
85 | | -Go to Multi-Cloud App Connect tile > Manage > Service Discovery, and create a new Service Discovery type BIG-IP |
86 | | - |
87 | | -.. image:: ../pictures/add-service-discovery.png |
88 | | - :align: left |
| 66 | + * **Rate Limiting** : if you want to Rate Limit this endpoint because SecOps don't have the full power and don't want to break the app. |
89 | 67 |
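Review bot: the Rate Limiting bullet's justification, "because SecOps don't have the full power and don't want to break the app", is informal and unclear about the actual trade-off; suggest: "when blocking the endpoint outright is not acceptable because it might break the application, rate limiting contains the exposure while the endpoint is investigated." The companion line "Let's say SecOps have this power to block unknown endpoints" in the previous bullet could be tightened the same way.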
| 68 | +* Click on the ``Discovered`` tab and navigate into the sub-menus. You will see all the details discovered by the platform. |
90 | 69 |
91 | | -Configure the service discovery so it can find the BIG-IP |
92 | | - |
93 | | -* Name: ``cbip-apid`` |
94 | | -* Select your CE named ``$$smsv2SiteName$$`` under ``Reference`` |
95 | | -* Select ``Site Local Inside Network`` under ``Network Type`` <- This is the interface on the BIG-IP Self-IP (but we could have used the mgmt interface) |
96 | | -* Click ``Add Item`` under ``Classic BIG-IP Clusters`` |
97 | | - |
98 | | -.. image:: ../pictures/create-service-discovery.png |
| 70 | +.. image:: ../pictures/discovered.png |
99 | 71 | :align: left |
| 72 | + :scale: 50% |
100 | 73 |
101 | | -* Give a name to the BIG-IP such as ``bigip1`` |
102 | | -* Configure with the BIG-IP settings |
103 | | - |
104 | | - * Management IP: ``10.1.20.8`` <- Self-IP address |
105 | | - * Management Port: ``443`` |
106 | | - * Admin username: ``admin`` |
107 | | - * Admin password: |
108 | | - |
109 | | - * Select ``Clear Secret`` instead of ``Blindfold`` |
110 | | - * Secret is: ``admin`` |
111 | | - |
112 | | -* Apply |
113 | 74 |
114 | | -Your configuration should look like this |
| 75 | +Sensitive Data Discovery |
| 76 | +------------------------ |
115 | 77 |
116 | | -.. image:: ../pictures/cbip-config.png |
117 | | - :align: left |
| 78 | +* Click on the ``/animals`` API endpoint. A pop-up will appear on the right side of the screen. |
118 | 79 |
119 | | -After few minutes (up to 2min), you can click on Refresh button, you should see ``1 services``. This service is the BIG-IP Virtual Server |
| 80 | + .. image:: ../pictures/pii-1.png |
| 81 | + :align: left |
| 82 | + :scale: 50% |
120 | 83 |
121 | | -.. image:: ../pictures/vs-services.png |
122 | | - :align: left |
| 84 | +* Click on the ``Discovered`` tab to show discovered sensitive data for requests and responses. |
123 | 85 |
124 | | -.. note:: At this stage, the BIG-IP is onboarded in F5 Distributed Cloud and API Discovery can be enabled on this BIG-IP (from the F5XC Console) so that the BIG-IP sends traffic logs to F5XC. |
| 86 | + .. image:: ../pictures/pii-2.png |
| 87 | + :align: left |
| 88 | + :scale: 50% |
125 | 89 |
| 90 | +.. warning:: Dataguard can obfuscate sensitive PII data in the response but currently not for custom created PII configurations. This feature is in the roadmap. OWASP Top 10 does not require to ``hide`` sensitive data. |
126 | 91 |
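Review bot: the closing sentence of the warning, `OWASP Top 10 does not require to ``hide`` sensitive data`, is ambiguous and, read literally, at odds with the OWASP API Security Top 10 (2023), whose API3 Broken Object Property Level Authorization item (it absorbed the earlier Excessive Data Exposure category) is precisely about APIs returning sensitive properties the client should not receive; either name the specific OWASP item meant and what it does or does not ask for, or drop the sentence. Two smaller points: F5 documentation spells the feature "Data Guard", and "This feature is in the roadmap" will go stale in a lab guide, so date it or remove it.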
127 | | -Enable API Discovery on BIG-IP Virtual Server |
128 | | ---------------------------------------------- |
129 | 92 |
130 | | -Click on the ``1 Services`` blue link to be redirected to the Multi-Cloud App Connect ``discovered services`` page where we will enable the different features on the BIG-IP. If you are lost, you can access this page as well by Multi-Cloud App Connect tile > Overview > Discovered Services |
131 | | -You can see now the BIG-IP Virtual Server |
| 93 | +Click on the ``Graph`` tab to show the API endpoints in a different view. |
132 | 94 |
133 | | -.. image:: ../pictures/mcn-vs.png |
| 95 | +.. image:: ../pictures/octopus.png |
134 | 96 | :align: left |
| 97 | + :scale: 50% |
135 | 98 |
136 | | -Click on ``Actions dots`` and ``Enable Visibility in All workspaces``` |
| 99 | + |
| 100 | +Authentication Discovery |
| 101 | +------------------------ |
137 | 102 |
138 | | -.. image:: ../pictures/enable-visibility.png |
139 | | - :align: left |
| 103 | +* Click on an endpoint with an ``Authenticated`` state, like **/api/locations** |
140 | 104 |
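Review bot: the endpoint is written `/api/locations` here, while the other endpoints in this section are `/colors` and `/animals` (no `/api` prefix) and the inventory list earlier says just `locations`; confirm which path the lab application actually exposes and use that one form throughout, otherwise readers will search the Table view for a path that is not there.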
141 | | -.. note:: At this moment, F5XC will configure the BIG-IP with some extra settings in order to send logs traffic to the CE. If you connect to the BIG-IP TMUI, you can see one new Virtual Server. This VS collects logs and security insights. |
| 105 | + .. image:: ../pictures/authenticated-endpoint.png |
| 106 | + :align: left |
| 107 | + :scale: 50% |
142 | 108 |
143 | | - .. image:: ../pictures/bigip-tmui.png |
144 | | - :align: left |
| 109 | +* Click on ``Discovered`` tab and check the Authentication details |
145 | 110 |
| 111 | + .. image:: ../pictures/auth-discovery-new.png |
| 112 | + :align: left |
| 113 | + :scale: 50% |
146 | 114 |
147 | | -In the F5XC Console, you can see that the VS has a new option called ``Manage in WAAP``. Click on it. |
| 115 | +* Notice that the auth information collected from the OpenAPI Spec file differs from the discovered auth information. If both don't match, a "Security Posture" is raised. |
148 | 116 |
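Review bot: `a "Security Posture" is raised` is vague about what the reader will actually see; since the "Security Posture" tab is only introduced later under "AI/ML Security Posture", say "a Security Posture finding is raised (see the Security Posture tab below)" so the reader knows where to look for the mismatch.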
149 | | -.. image:: ../pictures/manage-in-waap.png |
150 | | - :align: left |
151 | | - |
152 | | -You will be redirected to the WAAP menu but in a new section dedicated to BIG-IP Virtual Servers. Click on ``Enable`` under ``API Discovery`` |
153 | | - |
154 | | -.. image:: ../pictures/vs-waap.png |
155 | | - :align: left |
156 | | - |
157 | | -Configure the Virtual Server similar to what you did in the previous lab for the F5XC HTTP Load Balancer. We will reuse the same profiles |
158 | | - |
159 | | -* Select your API Definition |
160 | | -* Enable API Discovery |
161 | | -* Select your Custom Sensitive Date Detection Policy |
162 | | - |
163 | | -.. image:: ../pictures/cbip-config-apid.png |
164 | | - :align: left |
| 117 | + .. image:: ../pictures/basic-auth.png |
| 118 | + :align: left |
| 119 | + :scale: 50% |
165 | 120 |
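Review bot: the image `../pictures/basic-auth.png` is added indented like the bullet-attached screenshots above, but there is no bullet or sentence saying what it shows; the preceding bullet ends with the spec-versus-discovered mismatch, so either add a short line stating what the screenshot illustrates or move the image directly under the bullet it belongs to.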
166 | | -.. note:: You are done. Now, let's wait 2 hours so that F5XC can handle logs sent by CE. There is a traffic generator already running in your lab environment to populate BIG-IP logs. |
| 121 | +AI/ML Security Posture |
| 122 | +---------------------- |
167 | 123 |
168 | | -Check API Endpoints discovered on BIG-IP VS |
169 | | -------------------------------------------- |
| 124 | +* Click on an endpoint with the highest ``Risk Score`` |
| 125 | +* And click on the ``Security Posture`` tab |
| 126 | +* Review the recommandations done by the AI/ML engine |
170 | 127 |
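Review bot: "recommandations" should be "recommendations" in `Review the recommandations done by the AI/ML engine` (and "made by" reads better than "done by"); `Click on an endpoint with the highest ``Risk Score``` should be "the endpoint with the highest Risk Score", since only one can be highest.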
171 | | -Let's see if discovery is done. |
172 | | -Click on the Virtual Server |
173 | | - |
174 | | -.. image:: ../pictures/click-vs.png |
175 | | - :align: left |
176 | | - |
177 | | -And then click on API Endpoints. You can see all the API Discovery Outcomes |
178 | | - |
179 | | - * Inventory |
180 | | - * Security Insights risks |
181 | | - * Compliance |
182 | | - * Authentication state |
183 | | - * Sensitive Data |
184 | | - |
185 | | -.. image:: ../pictures/cbip-outcomes.png |
| 128 | +.. image:: ../pictures/security-posture.png |
186 | 129 | :align: left |
187 | | - |
188 | | - |
189 | | -.. note:: As you can see, you are able to get all API Discovery added values for an on-premises BIG-IP without having to use a cloud HTTP LB. The traffic remains private in the datacenter on the BIG-IP and only anonymized logs are sent to the cloud to generate the API Discovery outcomes. |
190 | | - |
| 130 | + :scale: 50% |
| 131 | + |
| 132 | +* Click on the ``Evidence`` link to get more details about the logs who generated this security posture. |
| 133 | + |
| 134 | +.. note:: Congratulation, your application is now protected by a modern engine enforcing (validating) what is provided by the developers, but also providing visibility for unkown traffic. |
| 135 | + |
| 136 | +Compliance |
| 137 | +---------- |
| 138 | + |
| 139 | +The last information provided by F5XC is the ``compliance``. In lab ``Enable API traffic discovery`` we created 2 custom Sensitive Data (called Data Type) |
| 140 | + |
| 141 | +* The ``French Social Security Number`` |
| 142 | +* The ``French Phone Number`` |
| 143 | + |
| 144 | +To each, we assigned a compliance ``GDPR``. But the F5XC platform has +400 data types into its database. Each data type has one or more compliance assigned. |
| 145 | +For instance, the ``payment-details`` data type is defined as below. You can find it into API Management > Data Types |
| 146 | + |
| 147 | +.. code-block:: json |
| 148 | + :emphasize-lines: 24, 25 |
| 149 | +
| 150 | + "get_spec": { |
| 151 | + "rules": [ |
| 152 | + { |
| 153 | + "key_pattern": { |
| 154 | + "exact_values": { |
| 155 | + "exact_values": [ |
| 156 | + "payment_method", |
| 157 | + "pay_method", |
| 158 | + "payment_type", |
| 159 | + "payment_option", |
| 160 | + "payment_mode", |
| 161 | + "payType", |
| 162 | + "payment_source", |
| 163 | + "pay_method_type", |
| 164 | + "payment_service", |
| 165 | + "payment_system" |
| 166 | + ] |
| 167 | + } |
| 168 | + } |
| 169 | + } |
| 170 | + ], |
| 171 | + "is_sensitive_data": true, |
| 172 | + "is_pii": false, |
| 173 | + "compliances": [ |
| 174 | + "PCI_DSS" |
| 175 | + ], |
| 176 | +
| 177 | +This data type has the PCI-DSS compliance assigned. It means, if such pattern is seen in the request or in the response for an API Endpoint, F5XC dashboard will categorize this endpoint as PCI-DSS compliance. |
| 178 | +
| 179 | +.. note:: This compliance is an ``information`` not an ``enforcement``. It shows to SecOps, for each Endpoint, the compliance to apply based on the sensitive datas detected. In our exmaple, the company must rely to PCI-DSS in order to be compliant as a sensitive data belonging to PCI-DSS has been discovered. |
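Review bot: the `.. code-block:: json` is an unclosed excerpt (the object opened by `"get_spec": {` is never closed and the block ends on `],`), so either close the braces or say in the lead-in sentence that this is an excerpt of the data type definition; the `:emphasize-lines: 24, 25` option does land on `"compliances": [` and `"PCI_DSS"`, so the highlighting is right. Typos in the surrounding prose: "Congratulation" to "Congratulations", "unkown" to "unknown", "logs who generated" to "logs that generated", "datas" to "data", "exmaple" to "example", "must rely to PCI-DSS" to "must comply with PCI DSS", and "categorize this endpoint as PCI-DSS compliance" to "flag this endpoint as falling under PCI DSS". The caveat that compliance is information rather than enforcement is worth keeping.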