Extended logging to Splunk servers beyond Syslog & Analytic Profiles & iRules.
What has been configured to date:
All syslog traffic is being sent to Splunk destination hosts. The Splunk hosts are external, so the log traffic has to traverse the WAN to its eventual destination.
AVR has been provisioned and a Splunk TCP analytics profile has been created (the traffic is HTTPS). The VIPs also have SNAT configured.
Detailed requirements from the network security (Cyberfusion) and performance management groups are below.
Task:
- Enable & configure detailed VIP connection event logging that includes Timestamp, F5 Host servicing the connection, Source IP, Initial Destination Port/Protocol, Destination IP, Final Destination Port/Protocol &, if URL filters are being used, URL request logging should be enabled & configured. This is a minimum requirement.
Purpose:
- The Cyber Fusion Center analysts require end-to-end visibility into network connection events in order to appropriately track potential threats and potentially malicious activity, and to assist in attack path validation during Cyber events & Cyber incident investigations. Because a good majority of our web-based traffic utilizes F5 VIPs to front-end infrastructure, it is nearly impossible to determine the actual source of traffic when investigating Cyber events & Cyber incidents on victim infrastructure. The source IP that gets logged in the majority of host logs is the IP of the F5 load balancer. In turn, the Cyber Fusion Center analysts do not have the connection logs from the F5 load balancers available in order to track the activity back to the original source.
End State:
- All UTC F5 load balancers have detailed VIP connection event logging & URL request logging (where utilized) enabled and configured. All logs are being sent to the xxx Splunk infrastructure for central visibility.
In a nutshell the Cyberfusion group wants to see ALL traffic.
My suggestion to implement network taps, a port aggregator and a NetFlow collection host has been shot down. The Cyberfusion group wants to see if the F5s are able to perform and satisfy all the requirements listed above.
Any suggestions would be appreciated.
I personally do not believe that the F5s should be part of Cyberfusion's security suite relative to the detailed information that is being requested to be sent externally.
Thanks,
et
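As an added example (not part of the original post, and not a configuration the poster described having in place), the following iRule shows how a BIG-IP can emit the fields the Cyber Fusion Center listed using High-Speed Logging (HSL) to a Splunk TCP input: the original client IP and port, the VIP the client hit (initial destination), the SNAT address and port the back-end host will see as its "source", the pool member actually chosen (final destination), the BIG-IP hostname, a timestamp, and one line per HTTP request for URL logging. Assumed names are the HSL pool `splunk_hsl_pool` and attachment to the HTTPS virtual servers behind a client-ssl profile; `[info hostname]` is assumed to return the BIG-IP hostname.

```tcl
# Added example iRule: per-connection and per-request logging to Splunk over HSL.
# Assumptions (not from the original post): a pool named "splunk_hsl_pool" points at
# the Splunk TCP input, and the rule is attached to an HTTPS virtual server with a
# client-ssl profile so HTTP_REQUEST sees the decrypted request line.

when RULE_INIT {
    # Pool of Splunk TCP receivers; created separately, e.g. with tmsh.
    set static::splunk_pool "splunk_hsl_pool"
}

when CLIENT_ACCEPTED {
    # One HSL handle per client connection. TCP transport so records are not
    # silently dropped the way UDP records can be across a WAN.
    set hsl [HSL::open -proto TCP -pool $static::splunk_pool]

    # Client-side tuple: the real source and the VIP (initial destination).
    set client_ip   [IP::client_addr]
    set client_port [TCP::client_port]
    set vip_ip      [IP::local_addr]
    set vip_port    [TCP::local_port]
    set vs_name     [virtual name]
    set conn_ts     [clock format [clock seconds] -gmt 1 -format "%Y-%m-%dT%H:%M:%SZ"]
    # Assumed to return the BIG-IP hostname; the analysts want the F5 that handled it.
    set f5_host     [info hostname]
}

when SERVER_CONNECTED {
    # Server-side tuple. IP::local_addr here is the SNAT address that the back-end
    # host logs as its "source"; IP::server_addr is the pool member (final destination).
    # This single record is what lets an analyst map "F5 IP:port seen on the victim"
    # back to the originating client IP:port.
    set snat_ip   [IP::local_addr]
    set snat_port [TCP::local_port]
    set node_ip   [IP::server_addr]
    set node_port [TCP::server_port]

    HSL::send $hsl "ts=$conn_ts f5_host=$f5_host event=connect vs=$vs_name proto=tcp src=$client_ip:$client_port vip=$vip_ip:$vip_port snat=$snat_ip:$snat_port dst=$node_ip:$node_port\n"
}

when HTTP_REQUEST {
    # URL request logging: one line per request, keyed to the same client tuple so
    # Splunk can join it to the connect record above.
    set req_ts [clock format [clock seconds] -gmt 1 -format "%Y-%m-%dT%H:%M:%SZ"]
    HSL::send $hsl "ts=$req_ts f5_host=$f5_host event=http vs=$vs_name src=$client_ip:$client_port method=[HTTP::method] host=[HTTP::host] uri=[HTTP::uri]\n"
}
```

The receiver pool would be created before attaching the rule, for example `tmsh create ltm pool splunk_hsl_pool members add { 192.0.2.10:9514 }` (placeholder address and port). Two caveats a practitioner should weigh against the poster's concern about sending this detail externally: HSL itself carries no TLS, so if the pool members are the remote Splunk hosts the URL and connection records cross the WAN in cleartext unless a local forwarder or encrypted transport sits in between; and if OneConnect is enabled, a server-side connection can be reused across client connections, so the SERVER_CONNECTED record fires only on a new back-end connection and the src-to-snat mapping must then be taken from the HTTP_REQUEST records instead.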