Addressing Security Loopholes of Third Party Browser Plug ins UPDATED FEBRUARY 2017


Jay Kelley, 2015-22-12

February 2017 Update

Endpoint inspection and network access support with Chrome browser, Firefox, and Edge Browser is now available for BIG-IP v13. Release notes with details are available here: https://support.f5.com/kb/en-us/products/bigip_apm/releasenotes/related/relnote-helper-apps-13-0-0.html

January 2017 Update

As the popularity of browser-based security attacks and vulnerabilities continues to increase, scrutiny is turning to third-party browser plug-ins as an attack vector. Java and Flash have both been successful targets, as have certain malicious third-party plug-ins. As a result, browser vendors are eager to close loopholes that allow control of page content and computer operation outside of the browser context. The long-standing F5 client technique of using browser plug-ins to provide VPN, application tunnel, and endpoint security checks relies on exactly these functions.

To mitigate these concerns, F5 will soon end the use of browser plug-ins. This will support running endpoint security checks and connectivity operations such as SSL VPN and app tunnels on client PCs using new versions of popular web browsers (Google Chrome, Firefox, and Microsoft Edge Browser), in addition to Microsoft Internet Explorer and Apple Safari. F5's plan is to use components, installed by end users, that run outside of the browser process, thereby eliminating the security concerns of browser plug-ins. These client components will register a URI scheme and can be called from the browser when users launch a VPN or app tunnel from BIG-IP APM web portals, or when endpoint security checks (firewall, antivirus, and OS patch and registry checks) run. Additionally, a plug-in-less technique will be used to launch native Microsoft Remote Desktop apps or desktops on the user's device without the traditional ActiveX plug-in.

This solution will not require the browser's NPAPI support. Although end users will be required to download and install components that run outside of the browser process, F5's most important goal is to keep the user experience as close as possible to the current browser-initiated experience on currently supported browsers. Alternatively, the client components may be installed by Microsoft's SCCM or other automatic software installation systems for end user populations with limited rights on their PCs. With this plan, F5 will also be able to support 64-bit versions of the browsers specified above.

In the meantime, you can use the instructions below to detect unsupported browsers and guide the user to a supported browser with a remediation message.

Handling new Firefox and Chrome browsers in BIG-IP APM

Client browsers can be detected by the User-Agent header transmitted with HTTP requests. APM automatically creates a session variable during Access Session creation that contains this value. It is a simple matter to handle this in an appropriate way.

1. Launch the Visual Policy Editor: Access Policy => Access Profiles => (your access policy) => Edit. The VPE will launch in a new browser tab.
2. Click the + icon to add a new Policy Item. Choose General Purpose => Empty and click Add Item. The new Policy Item will appear.

3. Name the Policy Item appropriately (in this example, "Browser Info" was chosen).
4. Select the Branch Rules tab and click Add Branch Rule.
5. Name the branch rule "Firefox 43".
6. Click Advanced.
7. Insert the TCL code:
   expr { [mcget "session.user.agent"] contains "Firefox/43" }
8. Repeat the last three steps, this time for Firefox 44.
9. Your new Policy Item should look something like this:
10. Click Save to save the changes to the Policy Item.

Now we need to add a user-friendly error message.

11. Near the top of the VPE screen, click Edit Endings.
12. Click Add Ending.
13. Name the ending "Unsupported Firefox".
14. Click the + near Customization.

15. Change the text to something appropriate for your users. This is a sample:
16. Because the user should close the browser and use a different one, it does not make sense to display a Restart Session link, so we simply hide it using the HTML <!-- and --> comment tags in the New session text and New session link areas.
17. Click the Deny endings attached to the Firefox 43 and Firefox 44 branches, and change them to the new Unsupported Firefox ending.
18. Review your Access Policy. The new section should appear similar to this (note that this policy is empty; your normal policy should be attached to the fallback branch).

19. Test this with Firefox 43 or 44. You should see an error page similar to this:

If you need to detect additional browsers and are not sure of the user agent, simply add a Message Box Policy Item to the beginning of the policy to log your browser's User-Agent string, like this:

When a browser activates this Policy Item, the User-Agent will be displayed. We hope this is helpful.

Update January 2017

Currently the latest Firefox version is release 50. Releases 50 and 51 include the NPAPI plugin support that is required by F5 endpoint inspection and VPN access. Firefox release 52 will not allow the use of the F5 plugin by default. This means that endpoint inspection and VPN will not function with the Firefox browser for BIG-IP APM end users. F5 is planning to release BIG-IP version 13.0, which includes the new lite endpoint check and VPN clients that support a seamless end user experience with Firefox, Microsoft Edge Browser, and Chrome Browser. Based on current release schedules from F5 and Mozilla, the BIG-IP v13.0 release may not be available before Firefox 52 is released. If your end users require endpoint inspection or VPN launch capability with the Firefox browser, we recommend installing Firefox ESR. This version will include plugin capability until early 2018.

Firefox 51:     F5 plugin allowed.
Firefox 52:     F5 plugin not allowed by default. F5 plugin can be enabled via a configuration parameter in Firefox.*
Firefox 53:     F5 plugin not allowed. F5 plugin will not be enabled even with the configuration parameter used in Firefox 52.
Firefox ESR 52: F5 plugin allowed by default until Q2 Calendar Year 2018.

*Firefox 52 Note: The configuration parameter is called plugin.load_flash_only, and it should be set to false. After this configuration parameter is created and set, the user needs to quit Firefox and delete the pluginreg.dat file under the profiles folder. Please see https://bugzilla.mozilla.org/show_bug.cgi?id=1269807 for more details. Note that this is preliminary information about a non-F5 product and is subject to change.
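As an added example (not code from the article or from F5), the following is a version-aware form of the branch-rule test from step 7 above, written so it can be exercised in a plain tclsh. Instead of a bare substring match on "Firefox/43" it anchors on the dotted version token and compares the major version numerically, so one rule covers Firefox 43, 44 and every release from 52 upward, which is the situation the January 2017 table describes. It assumes a stub mcget proc standing in for APM's session-variable accessor (only the expr body belongs in the VPE branch rule) and that the branch-rule sandbox accepts standard Tcl regexp match variables; the sample User-Agent strings are constructed. Two caveats a practitioner should keep in mind: Firefox ESR 52 reports the same "Firefox/52.0" token as release 52, so a User-Agent check cannot distinguish the two, and the User-Agent is supplied by the client, so this rule is a usability aid for steering users to a remediation message rather than an enforcement control.

```tcl
# Added example, not code from the article or from F5: a version-aware form
# of the article's branch rule  expr { [mcget "session.user.agent"] contains "Firefox/43" }
# It anchors on the dotted version token and compares the major version numerically.

# Assumption: stub standing in for APM's mcget, which returns the string value
# of a session variable. Only the expr {...} body of unsupported_firefox goes
# into the VPE branch rule; this stub and the loop below exist so the logic can
# be run and checked in a plain tclsh.
set ::sample_ua ""
proc mcget {name} {
    if {$name eq "session.user.agent"} {
        return $::sample_ua
    }
    return ""
}

# Returns 1 for a Firefox release the article says cannot run the F5 plug-in
# (43, 44, or 52 and later), 0 for anything else. The trailing "\." keeps a
# substring such as "Firefox/430" from matching. Firefox ESR 52 sends
# "Firefox/52.0" exactly like release 52, so it is flagged as well; the
# User-Agent alone cannot separate the two.
proc unsupported_firefox {} {
    expr {
        [regexp {Firefox/(\d+)\.} [mcget "session.user.agent"] -> major]
        && ($major == 43 || $major == 44 || $major >= 52)
    }
}

# Constructed sample User-Agent strings (not captured from real clients).
foreach ua [list \
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:43.0) Gecko/20100101 Firefox/43.0" \
    "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0" \
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0" \
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36" \
] {
    set ::sample_ua $ua
    puts "[unsupported_firefox]  $ua"
}
```

To use this in the VPE, paste only the expr block into the Advanced branch-rule field and drop the stub and the loop; the && operator short-circuits, so $major is read only after regexp has set it. If you want ESR 52 users to pass, they need a separate exception (for example a different access profile), because no User-Agent rule can single them out.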

Refer to the information about Firefox ESR: https://www.mozilla.org/en-us/firefox/organizations/

Information from Mozilla on future NPAPI support: https://blog.mozilla.org/futurereleases/

F5 Networks, Inc. 401 Elliot Avenue West, Seattle, WA 98119 888-882-4447 f5.com
F5 Networks, Inc. Corporate Headquarters info@f5.com
F5 Networks Asia-Pacific apacinfo@f5.com
F5 Networks Ltd. Europe/Middle-East/Africa emeainfo@f5.com
F5 Networks Japan K.K. f5j-info@f5.com

2017 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5. CS04-00015 0113