In our last post, we presented the BIG-IP APM product and some of its functionality. Since it is perhaps one of the most complex products F5 offers and can be used in many ways, this post covers some of its most common use cases.
BIG-IP APM as authentication proxy
BIG-IP APM is in fact an authentication proxy, and because of its proxy architecture it separates client-side authentication from server-side authentication. This separation enables identity transformation and translation between authentication methods. Say a client on the internal network is accessing the organization's SharePoint, also on the internal network, through APM. This is easily done with NTLM or Kerberos. But when the client is on an external network and tries to reach the same SharePoint, the system can require an additional authentication method, such as client certificates or smart cards, and can also run additional checks on the client computer using APM's predefined client-side checks. This shows how APM and its SSO functionality adapt automatically to various factors: who the user is, where the user is located, and when and how the user is trying to access the application behind APM.
Many companies still run legacy applications which, from the user's perspective, still use old authentication methods. APM allows different authentication methods on the client side and the server side. There is a whole list of methods that can be used on either side, and we covered them in our last post. This lets you introduce new authentication mechanisms without changing the application itself. For example, the client side can use web form authentication while the user's credentials are sent to the server using HTTP Basic authentication. In this case APM does not authenticate the user itself; it only takes the user's credentials and passes them to the web server, which then performs the authentication.
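The form-to-Basic translation described above, as an added illustration in plain Python (not F5 code and not an APM configuration): the proxy side parses the login form and builds the header the legacy backend expects, while the backend, holding a constructed user store, is the only party that checks the password.

```python
# Added example (not F5 code): an authentication proxy that accepts a web-form
# login on the client side and forwards the same identity to a backend that only
# understands HTTP Basic. The backend, not the proxy, validates the password.
import base64
from urllib.parse import parse_qs

# Constructed backend user store; a real backend would consult its own directory.
BACKEND_USERS = {"alice": "s3cret"}


def form_to_basic_headers(form_body: str) -> dict:
    """Client side: parse an application/x-www-form-urlencoded login POST and
    build the Authorization header the legacy backend expects."""
    fields = parse_qs(form_body, strict_parsing=True)
    username = fields["username"][0]
    password = fields["password"][0]
    # RFC 7617: base64(user-id ":" password). Basic is only safe to the backend
    # when that hop is itself protected by TLS.
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


def backend_basic_auth(headers: dict) -> int:
    """Server side: a legacy application that validates HTTP Basic itself.
    Returns the HTTP status it would answer with."""
    value = headers.get("Authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme != "Basic" or not token:
        return 401
    try:
        user, _, pwd = base64.b64decode(token, validate=True).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return 400
    return 200 if BACKEND_USERS.get(user) == pwd else 401


def proxy_login(form_body: str) -> int:
    """The proxy never checks the password; it only translates the method."""
    try:
        headers = form_to_basic_headers(form_body)
    except (KeyError, ValueError):
        return 400  # malformed or incomplete form
    return backend_basic_auth(headers)
```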
Single Sign-On access to multiple applications
IT departments nowadays have a simple goal: make sure users can access multiple internal applications with one set of login credentials. That "simple" goal becomes anything but simple once you realize that new and legacy applications do not use the same authentication methods. Legacy applications usually rely on older methods, such as header insertion or Kerberos Constrained Delegation, which newer applications don't always support.
Say we want to use SAML as the authentication method, but the legacy application, of course, does not support it. In that case we use APM as an authentication proxy that takes the user's SAML token and translates it into something the backend application understands. So, with Single Sign-On, users can use the same set of login credentials for all applications, legacy or new.
APM Web Access Management
APM web access management is a reverse proxy portal that provides access to various web resources, through the APM system, to web applications behind virtual servers. It provides authenticated access to applications through a web browser, without tunnels or other special client resources. This configuration usually includes the LTM module, which can then be used to optimize traffic delivery to the client and to offload or terminate SSL/TLS.
After authentication, the client is shown a Webtop containing links to all the resources the client is allowed to access, as shown in the picture below.
In another example, IT administrators are asked to add authentication to an application that previously did not ask users to authenticate. The user types their credentials into a web form, APM authenticates the user and then allows access to the application. With APM, the administrator does not need to reconfigure servers or change application code; this is how APM simplifies adding new security measures to the network and application environment.
Support for SAML
Many organizations have lately been adding SAML support to their application environments, whether cloud or internal. The problem is adding SAML to backend servers: SAML is easy to use on the client side, but not always easy to implement and use on the server side. This is a very good situation for APM's proxy architecture and its ability to use different authentication methods on the client and server side. If you want to avoid reconfiguring backend servers, you can use APM as a SAML SP or SAML IdP, which enables identity federation and SSO inside the enterprise environment.
When SAML is the authentication method, the IdP creates an assertion to prove the user's identity. In this case APM does not have the user's password, so authentication methods such as HTTP Basic and HTTP Form cannot be used on the server side. But APM can translate the SAML assertion into a token, and then a method such as Kerberos Constrained Delegation can be used to authenticate the user to the server. This approach scales very well, since the majority of servers support Kerberos authentication and there is no need to create a separate SSO configuration for every application.
Securing O365 identity
Using APM it is possible to secure access to O365 applications and to add a whole set of additional checks that raise the security level of the system:
- Multifactor authentication
- Endpoint checks
- Checks based on the user's geographic location
- Checks based on the type of network the user is on
The problem with O365 and similar cloud applications is how and where to store user information. Because of this, most organizations choose a federated identity model so they can keep control over their users' information. In the case of O365, SAML is used to authenticate users against existing Active Directory services. One way to achieve this is with ADFS and ADFS proxy servers, but it is also possible, and easier, to achieve it with APM and LTM.
Using APM instead of ADFS proxy servers, an IT administrator gets high availability and can enable pre-authentication for the ADFS servers, which in turn raises the security of the system as a whole. With the various checks APM provides, users accessing the applications can be checked further, or advanced authentication methods such as client certificates or multifactor authentication can be used.
More details can be found in our post about O365.
BIG-IP APM support for OAuth 2.0
TMOS v13 introduced OAuth 2.0 support. OAuth 2.0 is an authorization framework that allows a service limited access to a user's account at another service, such as Facebook, Google or Salesforce. APM can now be positioned as an OAuth client, an OAuth resource server or an OAuth authorization server, depending on the required implementation.
If APM is positioned as an OAuth authorization server, it can issue authorization codes, access tokens and refresh tokens, and it can perform token introspection. If APM is positioned as an OAuth resource server, users can log in to the application with external OAuth accounts to reach the resources the system protects. The external OAuth account can be a user's social network account, such as Facebook or Google, or an enterprise account such as F5 APM or Ping Identity. In this case APM becomes a client application of an external OAuth authorization server such as Google.
Use social accounts to gain access to internal applications
Take an internal application whose access is controlled through APM. When a user tries to access the application they get, for example, the screen shown in the picture below, and then choose which type of authentication to use.
Google and Facebook are becoming ever more popular authentication methods where an organization wants to authenticate users and allow information sharing between Google or Facebook and its own application systems. In this case the internal application sits behind the F5 system and its operation depends on sharing information with those external services.
Back to the picture above: if the user chooses Facebook, for example, APM redirects the user to the Facebook login page, where the user enters their credentials. After Facebook authenticates the user, it sends the key information, such as name, e-mail or other parameters, back to APM.
What happened? APM accepted the OAuth token sent by Facebook and extracted the needed information from the OAuth scope. It then passed that information to the backend application, which, now knowing the user's identity, can decide which resources the user may access.
Social network login helps an organization implement authentication for its application, but it also improves the end-user experience through quick, convenient access, and it lets the organization collect important information about its users.
One of APM's functions is providing remote access to corporate networks and their applications. Connections can be initiated through a browser or with a dedicated client application, which is available for most operating systems today: Windows, macOS, Linux, iOS and Android. User access can be limited with access lists or with one of the client-side checks APM provides. APM supports both split tunneling and full tunnels; the APM Network Access client changes the routing table on the client device to match the configuration defined on APM.
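To make the resource-server role from the OAuth section and the social-login flow above concrete, here is an added Python illustration (not F5 code and not an APM configuration) of what the proxy does with a token once the authorization server has described it through RFC 7662 token introspection: it checks that the token is active, unexpired and carries the scope the resource needs, then passes only the user's identity to the backend. The introspection response and the X-Auth-* header names are constructed for the example.

```python
# Added example (not F5 code): what a resource server does with the OAuth 2.0
# token it receives for a request, modelled on RFC 7662 token introspection.
# The introspection response below is constructed; a real one comes from the
# authorization server's introspection endpoint.
from typing import Tuple

# Constructed introspection response for a token issued with two scopes.
INTROSPECTION = {
    "active": True,
    "scope": "openid email",
    "sub": "10203040",          # stable user id at the authorization server
    "email": "alice@example.org",
    "exp": 1_700_000_600,       # seconds since the epoch
    "client_id": "internal-app",
}


def authorize(introspection: dict, required_scope: str, now: int) -> Tuple[bool, str]:
    """Decide whether the token grants access to a resource needing required_scope.
    Returns (allowed, reason) so the reason can be logged on denial."""
    if not introspection.get("active"):
        return False, "token inactive or revoked"
    exp = introspection.get("exp")
    if exp is not None and now >= exp:
        return False, "token expired"
    granted = set(introspection.get("scope", "").split())
    if required_scope not in granted:
        return False, f"scope {required_scope!r} not granted"
    return True, "ok"


def backend_headers(introspection: dict) -> dict:
    """Header insertion toward a backend that trusts the proxy: pass identity,
    never the bearer token itself, so the backend cannot replay it.
    The X-Auth-* names are hypothetical."""
    return {
        "X-Auth-Subject": introspection["sub"],
        "X-Auth-Email": introspection.get("email", ""),
        "X-Auth-Scopes": introspection.get("scope", ""),
    }


def handle_request(introspection: dict, required_scope: str, now: int) -> dict:
    """Combine the check and the header insertion into one proxy decision."""
    allowed, reason = authorize(introspection, required_scope, now)
    if not allowed:
        return {"status": 401, "reason": reason}
    return {"status": 200, "headers": backend_headers(introspection)}
```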
Use APM to protect user login form
The client browser is probably the most vulnerable part of any online communication. Attackers constantly try to exploit browser vulnerabilities to get at login information and other sensitive user data.
For example, take an application that uses APM to deliver its login form to users. Although the page carrying the login form is protected with TLS, an attacker can position themselves inside the browser and carry out a Man-in-the-Middle or Man-in-the-Browser attack. With these attacks the attacker can read what the user types into the browser while it is still in plain text, as shown in the following picture.
To avoid this situation, APM can be integrated with the WebSafe Application Layer Encryption solution. The F5 configuration lets you choose exactly which type of protection is used and which parameters are protected. WebSafe encrypts every user keystroke in real time. Additionally, the HTML code is changed dynamically and sensitive parameter names are renamed, so the attacker cannot get at the sensitive user information. More information about WebSafe can be found in our post about the F5 anti-fraud solution.
These are just some of the most common examples of APM deployments in different kinds of environments. For any questions or help, feel free to contact us.