2014 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in
certain other countries. Other F5 trademarks are identified at f5.com.
Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or
affiliation, express or implied, claimed by F5.
These training materials and documentation are F5 Confidential Information and are subject to the F5 Networks Reseller Agreement. You
may not share these training materials and documentation with any third party without the express written permission of F5.
The F5 vLab (virtual lab environment) is an F5-community supported tool. Please DO NOT contact F5 Support for assistance with the vLab.
For help with the setup of the vLab or running a demonstration, you should contact your F5 Channel Account Manager (CAM).
TABLE OF CONTENTS
Table of Contents
Introduction
Using BIG-IP Fraud Protection Service (FPS)
Exercise 1 Creating a WebSafe Anti-Fraud Profile
Exercise 2 Configuring Phishing Detection
Exercise 3 Configuring Application Layer Encryption
Exercise 4 Configuring Automatic Transaction Detection
INTRODUCTION
Welcome to the Using F5 FPS Exercise Guide.
This guide provides hands-on experience with F5 BIG-IP Fraud Protection Service (FPS).
You can use these exercises and the virtual environment (vLab), which includes VMware Workstation or
VMware Fusion and BIG-IP Virtual Edition (VE), as a learning tool or to give customer demonstrations.
Note: this guide is written for the following product and vLab versions:
TMOS architecture v11.6.0
VMware Workstation 10.0.0 or VMware Fusion 6.0.3
Virtual images:
BIGIP 11.6.0.0.0.401.ALL-scsi-ova
LAMP 3.4
Alert_Server
Windows 7 Image
Click Wire Transfer.
Enter the following information, and then click Submit.
Payee Name: demopayee
Routing Number: 111111
Account Number: 222222
Amount: 100
Click on Logout to end your banking session.
In Google Chrome, right-click in the bookmark bar and select Add Page.
Name the new page Demo Tools, then in the URL field paste the text from your clipboard, and then
click Save.
Click the Demo Tools bookmark.
Close Google Chrome.
alert_pool
Health Monitor: tcp
Members:
Address: 10.128.10.202
Service Port: 80
NOTE: Ensure that the health monitor marks the pool available before moving on.
Open the System > Logs > Configuration > Log Destinations page, and then click Create.
Create a log destination using the following information, and then click Finished.
WWFE vLab Guides Using BIG-IP Fraud Protection Service (FPS)
fps_log_destination
Type
Pool Name: alert_pool
Open the System > Logs > Configuration > Log Publishers page, and then click Create.
Create a log publisher using the following information, and then click Finished.
Name: fps_log_publisher
Destination: fps_log_destination
lorax_antifraud_profile
Yes (selected)
Alert Path: /rstats/
Alert Identifier: LRX
Alert Pool: alert_pool
Log Publisher: fps_log_publisher
No (cleared)
Open the Virtual Server List page, and then click demobank_virtual.
Open the Security > Policies page.
From the Anti-Fraud Profile list box, select Enabled.
From the Profile list box, select lorax_antifraud_profile, and then click Update.
Create a new archive file named fpsfund_03_configued_v11.6.0.
Use the following information for the URL Configuration section:
URL Path: /DemoBank/Login.jsp
Malware Detection: No (cleared)
Phishing Detection: Yes (Enabled)
No (cleared)
No (cleared)
Configure using the following information, and then click Create.
Web page copy detection: Yes (Enabled)
Yes (Enabled)
CSS Protection: No (Cleared)
Using Google Chrome, open a new incognito window, select Inspect element, click the Network tab,
and then click the F5 WebSafe Demo Site bookmark.
Examine the Network tab and locate the bsrmu.gif file.
The presence of this file indicates that phishing detection has been enabled for this page.
The parameter name is username.
To determine the HTTP method used for this parameter, click the Network tab.
Click Preserve log.
Log in using the following credentials, and then view the Network tab.
Username: demouser
Password: P@ssw0rd1
The HTTP method is POST.
Click on Logout to end your banking session.
Close Google Chrome.
In the Configuration Utility, click /DemoBank/Login.jsp.
Open the Parameters page.
Add a new parameter using the following information, and then click Add.
Parameter Name: username
Identify as Username: Yes (Enabled)
Send in Alerts: Yes (Enabled)
Method: POST
Click Finished.
phishing_pool
Members:
Address: 10.128.20.18
Service Port: 80
Create a new virtual server using the following information, and then click Finished.
Name: phishing_virtual
Destination Address: 10.128.10.47:80
Auto Map
Default Pool: phishing_pool
Using Google Chrome, open a new incognito window, select Inspect element, click the Network tab,
and then access http://demobank.f5dem0.com/Demo.html.
NOTE: Ensure you are using a zero at the end of f5dem0, not the letter o.
In the Alerts Dashboard, refresh the page, and then examine the Phishing > Copied Pages section.
A js_vtrack : Phishing detected alert was issued for f5dem0.com.
Yes (Enabled)
Yes (Enabled)
CSS Protection: Yes (Enabled)
Using Google Chrome, open a new incognito window, select Inspect element, click the
Network tab, and then browse to the demo bank application:
http://demobank.f5demo.com/DemoBank/Login.jsp
Examine the Network tab, and click the style.css object.
Click the Preview tab.
When this link is called it generates an alert.
Go to Edit > Find, then in the Find field type <script (NOTE: include a space at the end of the word so
you only find opening script tags).
Save and close the Demo.html file.
On your local computer, using Google Chrome, open a new incognito window, select Inspect element,
click the Network tab, and then access http://demobank.f5dem0.com/Demo.html.
Examine the Network tab and click the style.css object, and then click the Preview tab.
Because the obfuscated JavaScript code was removed, the style.css was referenced, which resulted in
a call to the /rstats directory on the virtual server, which generates an alert.
Click the ?id=L1&c=ss object, and then click the Headers tab.
This is the result of the style.css file being referenced, which is an alert sent with two
parameters: id and c.
Close Google Chrome.
In the Alerts Dashboard, refresh the page, and then examine the Phishing > Copied Pages section.
A vtrack : Css phishing alert was issued.
Select the alert and view the Query details.
Open the Phishing Detection page.
Select the Referrer Checks checkbox.
Add *.png to the list of referrer header values, and then click Finished.
On your local computer, reload the http://demobank.f5dem0.com/Demo.html page.
Close Google Chrome.
In the Alerts Dashboard, refresh the page, and then examine the Phishing > Copied Pages section.
There is now one Phishing Referrer alert for the page1_img1.jpg image.
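The idea behind the referrer check can be reproduced offline. The following Python sketch is an added example, not F5's implementation and not part of the original lab: it scans access-log lines and flags watched resources that were requested with a Referer host other than the legitimate site. The combined log format, the names referrer_alerts and split_url, the logo.png path and the sample lines are assumptions made for the illustration.

```python
import re
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Assumed for this sketch: "combined" access-log format, the lab's legitimate
# host name, and a watch list containing the *.png pattern from the step above.
LEGIT_HOSTS = {"demobank.f5demo.com"}
WATCHED_PATTERNS = ["*.png"]
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def split_url(value):
    """urlsplit() that returns None instead of raising on malformed input."""
    try:
        return urlsplit(value)
    except ValueError:
        return None

def referrer_alerts(lines, legit_hosts=LEGIT_HOSTS, patterns=WATCHED_PATTERNS):
    """Flag watched resources requested by a page served from a foreign host."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None:
            continue  # not a combined-format request line
        target, referer = split_url(m["target"]), split_url(m["referer"])
        if target is None or not any(fnmatchcase(target.path.lower(), p) for p in patterns):
            continue  # resource is not on the watch list
        host = referer.hostname if referer is not None else None
        # A missing Referer (direct load, stripped by policy) is not evidence of a copy.
        # Compare whole host names: a substring test would accept look-alike hosts.
        if host is not None and host not in legit_hosts:
            alerts.append({"client": m["client"], "path": target.path, "referer_host": host})
    return alerts

# Constructed sample lines (not captured from the lab); logo.png is a made-up path.
def _line(client, target, referer):
    return (f'{client} - - [12/Mar/2015:10:01:02 +0000] "GET {target} HTTP/1.1" '
            f'200 2048 "{referer}" "Mozilla/5.0"')

PNG = "/DemoBank/images/logo.png"
SAMPLE_LOG = [
    _line("10.128.10.21", "/DemoBank/Login.jsp", "-"),
    _line("10.128.10.21", PNG, "http://demobank.f5demo.com/DemoBank/Login.jsp"),
    _line("10.128.10.22", PNG + "?v=2", "http://DEMOBANK.F5DEMO.COM:80/DemoBank/Login.jsp"),
    _line("10.128.10.23", PNG, "-"),
    _line("10.128.10.24", PNG, "http://demobank.f5dem0.com/Demo.html"),
    _line("10.128.10.25", PNG, "http://demobank.f5demo.com.login.example/Demo.html"),
    "not an access-log line",
]
```

Only the last two well-formed requests are flagged: the copy on f5dem0.com and a host that merely begins with the legitimate name.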
Both the username and the password are in cleartext. They are both currently vulnerable to a hacker
or a malware script.
Click on Logout to end your banking session.
Close Google Chrome.
Use a web browser to access and log in to BIGIP_FPS_v11.6.0.
In the Configuration Utility, open the Security > Fraud Protection Service > Anti-Fraud Profiles page,
then click lorax_antifraud_profile, and then click /DemoBank/Login.jsp.
In the URL Configuration section, clear the Phishing Detection checkbox.
Select the Application Layer Encryption checkbox.
Open the Application Layer Encryption page.
Configure using the following information:
Identify Stolen Credentials: Yes (Enabled)
Yes (Enabled)
Fake Strokes: No (Cleared)
No (Cleared)
password
Encrypt: Yes (Enabled)
Method: POST
Click Finished.
Repeat the above steps to create similar Application Layer Encryption protection for /DemoBank/login. This
is needed because the /DemoBank/Login.jsp page posts the user-provided credentials to
/DemoBank/login.
Using Google Chrome, open a new incognito window, select Inspect element, and then click
the F5 WebSafe Demo Site bookmark.
Type the following login credentials, but do not click LOGIN.
Username: demouser
Password: P@ssw0rd1
Open the Console tab.
In the console, type the following:
document.forms[0].password.value;
Question:
Is the password value encrypted prior to submitting the form? ________________
Click LOGIN.
Open the Network tab, then click Login.jsp, and then open the Headers tab.
Examine the Form Data section.
Question:
Is the password value encrypted after submitting the form? ________________
Click on Logout to end your banking session and close Chrome.
password
Encrypt: Yes (Enabled)
Substitute Value: Yes (Enabled)
Method: POST
Click Finished.
Repeat the above steps for the /DemoBank/login URL.
Using Google Chrome, open a new incognito window, select Inspect element, and then click
the F5 WebSafe Demo Site bookmark.
Type the following login credentials, but do not click Login.
Username: Your first name
Password: P@ssw0rd1
Open the Console tab.
In the console, type the following:
document.forms[0].password.value;
Question:
Is the password value encrypted prior to submitting the form? ________________
Open the Demo Tools, and then click Steal Password.
Click your mouse on the Password field.
The password values have been substituted.
The encryption for the password field is taking place in real-time, as you type.
/DemoBank/wiretransfer.do
Malware Detection: No (cleared)
Phishing Detection: No (cleared)
No (cleared)
Yes (Enabled)
No (cleared)
No (cleared)
accountnumber
Identify as username: No (cleared)
Yes (Enabled)
Send in alerts: Yes (Enabled)
Method: POST
Add another new parameter using the following information, and then click Add.
Parameter Name: amount
Identify as username: No (cleared)
Yes (Enabled)
Send in alerts: Yes (Enabled)
Method: POST
Click Create.
Repeat the above steps to add protection for /DemoBank/wiretransfer.jsp page.
Click Accept and Install.
After the add-on has downloaded, click Restart now.
Demo payee
Routing Number: 111111
Account Number: 222222
Amount: 150
Click Start Tamper.
In Firefox, click Submit.
Modify the following information, then click into the Submit field, and then click OK.
accountnumber: 555666
amount: 15000