F5

Netacea F5 Plugin

The integration with F5 load balancers relies on the iRules LX module.

‘iRules’ are the general expression for scripting in the F5 environment. Generally, this will be for expressing how requests should be load-balanced through the F5 with some lightweight security tools. Code blocks are separated into phases of the request and scripts can be written in an entirely F5-specific language. Documentation for iRules can be found here.

‘iRules LX’ describes an extension to iRules added in to allow less-bespoke scripting languages to be used (i.e. JavaScript). An entire node process runs parallel to the F5 Integration on the server and functions can be called via Remote Procedural Calls (RPC). Documentation can be found here.

The implementation of an F5 integration consists of three main deliverables. We have implemented general modules for interfacing with the Netacea platform, an F5-specific wrapper for serving the RPC through ILXServer (F5-provided module), and an iRule that handles the request-handling logic and calling to the remote methods.

Request Flow

When a visitor first hits a site protected by Netacea/F5, the Plugin will query the Netacea Protector API service. If the visitor is known to be malicious, the plugin will perform the appropriate mitigation action.

A cookie containing information about the validity of a user is placed on the client’s device for further identification and checked periodically for validity. The plugin will stream log data on the visitor and session to the Netacea Monitor Ingest service where Netacea’s Detection Engine will perform further analysis to confirm if they are a good actor. This action is done asynchronously so adds no latency to the request. If at any point the visitor’s activity becomes malicious the Netacea Protector API service will be updated and the plugin will perform the appropriate mitigation.

The diagram below and supporting notes explain how traffic flows in this implementation (at a high level).

1. The visitor requests the site protected by Netacea/F5.

2. The Netacea F5 plugin will query the Netacea Protector API service to check if the visitor is known to be malicious or safe.

3. A copy of the web request is sent as log data for analysis using our collective threat intelligence, machine learning, and behavioral analysis to determine if the request is safe.

4. Analysis results are published for the Netacea F5 plugin to read and determine what mitigation strategy should be used for this traffic.

5. If the requests are benign, they are passed to the origin as normal.

6. If the requests require mitigation to take place, the appropriate action is taken and served to the client.