F5 BIG-IP Zero Trust Access

By F5 DevCentral Community


Key Concepts

  • Client Posture Check: A security mechanism that verifies the state of a client device (e.g., firewall status) before granting access.
  • Active Directory (AD) Authentication: A centralized authentication service used to verify user credentials.
  • Multi-Factor Authentication (MFA): An additional layer of security requiring a second form of verification (in this case, via a RADIUS server).
  • Single Sign-On (SSO): A session and user authentication service that permits a user to use one set of login credentials to access multiple applications.
  • FQDN (Fully Qualified Domain Name): The complete domain name for a specific computer or host on the internet.
  • RADIUS (Remote Authentication Dial-In User Service): A networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management.

1. Configuration Overview

The video demonstrates the step-by-step configuration of a secure application access gateway. The process involves defining client posture requirements, setting up authentication protocols, and configuring application-specific access rules.

2. Step-by-Step Configuration Process

A. Client Posture and Virtual Server Setup

  • Posture Check: Enabled to ensure the client device meets security standards. Specifically, the configuration mandates that the Windows Firewall must be enabled for domain-managed devices.
  • Virtual Server: Configured for destination 10.110 on port 443. It utilizes an acme.com wildcard certificate and a specific server SSL profile to secure the connection.

B. Authentication Framework

  • Active Directory (AD): Added as an AAA server. The configuration requires specifying "member of" as the query property to identify user group memberships.
  • Multi-Factor Authentication (MFA): Implemented using a custom RADIUS server. A "RADIUS pool" is created, requiring an IP address and a shared secret key for secure communication.

C. SSO and Application Definition

  • SSO Profile: A "basic single sign-on" profile is created to streamline user access.
  • Application Setup: The application is defined with the FQDN basic.acme.com. A server pool is created, and the protocol is set to HTTPS.

D. Contextual Access Rules

  • Rule Definition: A rule is created to link the resource, device posture, and SSO profile.
  • Group Filtering: Access is restricted to the "Sales Engineering" group.
  • Step-Up Authentication: An "additional check" is enabled, triggering the custom RADIUS-based MFA when a user attempts to access the resource.

E. Remediation and Deployment

  • Remediation Page: Configured to point to a host where users can download necessary updates or software if they fail the posture check.
  • Deployment: After a final review of all settings, the configuration is deployed to the production environment.

3. Real-World Application and Troubleshooting

The video provides a practical demonstration of how these security layers interact:

  • Scenario: A user attempts to access basic.acme.com.
  • Initial Failure: The user is blocked because their local Windows Firewall was disabled, failing the "Client Posture Check."
  • Resolution: Once the firewall is enabled, the user successfully proceeds to the MFA prompt.
  • Success: After validating the MFA request, the user is granted access to the application.
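The scenario above as a small decision model. This is an added example, not F5 configuration or code from the video. It assumes the AD group query returns distinguished names, that checks run in the order posture, AD, group, MFA, and it uses a placeholder remediation URL; the names `Request`, `group_cn` and `evaluate` are hypothetical.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

REQUIRED_GROUP = "Sales Engineering"            # group named on the page
APP_FQDN = "basic.acme.com"                     # application FQDN from the page
REMEDIATION_URL = "https://remediation.example.invalid/"  # placeholder host


@dataclass
class Request:
    firewall_enabled: bool                      # posture result for a domain-managed client
    ad_authenticated: bool
    member_of: List[str] = field(default_factory=list)  # group DNs from the AD query
    mfa_passed: Optional[bool] = None           # None: RADIUS challenge not yet answered


def group_cn(dn: str) -> Optional[str]:
    """Leading CN of a DN, honoring backslash-escaped characters (not hex escapes)."""
    rdn, i = [], 0
    while i < len(dn) and dn[i] != ",":
        if dn[i] == "\\" and i + 1 < len(dn):
            i += 1                              # keep the escaped character literally
        rdn.append(dn[i])
        i += 1
    key, _, value = "".join(rdn).partition("=")
    return value.strip() if key.strip().upper() == "CN" else None


def evaluate(req: Request) -> Tuple[str, str]:
    """Return (decision, detail); the check order is an assumption of this sketch."""
    if not req.firewall_enabled:
        return ("remediate", REMEDIATION_URL)
    if not req.ad_authenticated:
        return ("deny", "AD authentication failed")
    # Compare whole CN values: substring matching on the DN would also accept
    # an OU or a longer group name that merely contains the required text.
    groups = {cn.casefold() for cn in map(group_cn, req.member_of) if cn}
    if REQUIRED_GROUP.casefold() not in groups:
        return ("deny", "not in required group")
    if req.mfa_passed is None:
        return ("step_up", "RADIUS MFA challenge")
    return ("allow", APP_FQDN) if req.mfa_passed else ("deny", "MFA failed")
```
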

4. Synthesis and Conclusion

The configuration process highlights a "Zero Trust" approach to network security. By combining Client Posture Checks (verifying device health), Active Directory (verifying identity), and RADIUS-based MFA (adding a secondary security layer), the system ensures that only authorized users on compliant devices can access sensitive applications. The inclusion of a remediation page ensures that users are guided on how to fix compliance issues, minimizing help-desk overhead while maintaining a robust security posture.
