Forum Discussion

Nick_T_68319
Aug 31, 2010

Cookie encryption

I have a lot of web sites using the F5 default cookie for the primary persistence method. When using this cookie, it names the cookie BIGipServerPOOLNAME. This is cool, but now I have a request to encrypt all the persistence cookies. Is there a way to encrypt all these cookies easily? Do I need to create a custom cookie persistence for EVERY site and then list them ALL in the http profile to be encrypted?

10 Replies

  • Here's a good wiki on encrypting cookies:

    http://devcentral.f5.com/wiki/default.aspx/iRules/EncryptingCookies.html

    I'm not sure what kind of wildcard capabilities exist within the actual HTTP profile. Obviously with an iRule, you could use something like "if cookie starts_with BIGip, encrypt, yada yada."
  • I agree 100% with the statements regarding ways of encrypting these cookies.

    I've been putting this off hoping that F5 would eventually realize that it needed to be addressed. At this point, however, our auditors are hounding us to get this corrected. The 'plain text' persistence cookies are providing too much 'private' information and they need to be encrypted.

    The auditors aren't hitting us on the name of the cookie.. yet.. but, yeah, that might happen too. I think that can be changed but might have some other side-effects, if I remember correctly.

    So the option seems to be either a zippy iRule that will do a wild card, or lots and lots of custom profiles. The latter is error prone. The former creates tons of unnecessary overhead.

    Suggested solution:

    1. System setting to encrypt all persistence cookies.
    2. VIP setting to encrypt all persistence cookies.
    2.a. VIP setting to encrypt all cookies.
    3. HTTP profile allow wildcard entries for the list of cookies to encrypt.

    Do 3 if nothing else can be done. I don't see that there has been anything done in this area, but could be wrong. The cookies in the HTTP profile must be explicitly named.. all of them. For a VIP that works with a dozen resource pools, this list becomes quite long, and gee, all of them begin with BIGipServer. Dah... Help!?

  • Hi Brad,

    I have a feature request in to add a checkbox on the cookie persistence profiles to support encryption that way. I think that would be the most elegant option.

    There's also a request for supporting wildcards in the HTTP profile's cookies to encrypt field: BZ227249. You could expand on that to include all cookies that the HTTP profile sees in responses.

    You could open a case with F5 Support and ask to have your case attached to these RFEs. This will raise the visibility of the requests.

    Aaron
  • Either option would be cool, a wildcard or a checkbox. Hopefully this will get added sometime in v11 maybe :D
  • Hoolio - have you heard back about the feature requests?

    If not I'll tack on my support - we are getting pinged for this every pen-test we do. What's the ID for the first request?

    Cheers.
  • If you mean this one, it has not yet been implemented.

    BZ 227249 - [RFE] - Support cookie encryption for dynamic cookie names in HTTP profile (Formerly CR 73147)
  • Posted By nitass on 07/12/2012 02:35 AM

        If you mean this one, it has not yet been implemented.

        BZ 227249 - [RFE] - Support cookie encryption for dynamic cookie names in HTTP profile (Formerly CR 73147)

    Hmm I like how that sounds!

  • Here's an example iRule which encrypts cookies using a pattern for the name(s):

    https://devcentral.f5.com/wiki/iRules.Encrypt-HTTP-cookies-with-dynamic-names.ashx

    Please do open a case with F5 Support though to request this:

        There's also a request for supporting wildcards in the HTTP profile's cookies to encrypt field: BZ227249.
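The wildcard iRule that the first reply sketches ("if cookie starts_with BIGip, encrypt") and the last reply links to, written out here as an added example. It is not code from this thread or from the linked DevCentral wiki pages. The `static::` variable names and the passphrase value are placeholders chosen for this example; the iRule commands used (`HTTP::cookie names`, `HTTP::cookie encrypt`, `HTTP::cookie decrypt`, `HTTP::cookie remove`) are standard BIG-IP LTM commands. It matches every cookie whose name starts with the default persistence prefix, so a virtual server fronting a dozen pools needs only this one rule instead of a dozen explicit entries in the HTTP profile.

```tcl
# Added example, not the thread's or F5's own code.
# Encrypt every BIGipServer* persistence cookie on the way to the client and
# decrypt it on the way back in, so the cookie-persistence profile can still
# read the pool member the cookie encodes.

when RULE_INIT {
    # Constructed placeholder passphrase: replace with a long random secret
    # that is identical on every device in the sync group.
    set static::persist_cookie_key "REPLACE-WITH-A-LONG-RANDOM-PASSPHRASE"
    # Name prefix BIG-IP gives default cookie-persistence cookies
    set static::persist_cookie_prefix "BIGipServer"
}

when HTTP_REQUEST {
    # The client is returning cookies. Decrypt each persistence cookie before
    # the persistence lookup runs. A cookie that fails to decrypt (stale
    # plaintext cookie from before the rule, or a tampered value) is removed
    # so the load balancer makes a fresh decision instead of trusting it.
    foreach name [HTTP::cookie names] {
        if { $name starts_with $static::persist_cookie_prefix } {
            if { [catch { HTTP::cookie decrypt $name $static::persist_cookie_key 128 }] } {
                log local0. "Removing undecryptable persistence cookie $name from [IP::client_addr]"
                HTTP::cookie remove $name
            }
        }
    }
}

when HTTP_RESPONSE {
    # Encrypt every persistence cookie in the Set-Cookie headers, whichever
    # pool the virtual server selected, before the response reaches the client.
    foreach name [HTTP::cookie names] {
        if { $name starts_with $static::persist_cookie_prefix } {
            HTTP::cookie encrypt $name $static::persist_cookie_key 128
        }
    }
}
```

Attach the rule to every virtual server that uses default cookie persistence. Two limits worth keeping in mind, both raised in the thread: encryption hides the pool member address encoded in the cookie value, but the cookie name still carries the pool name, and a custom persistence profile that renames the cookie needs the prefix check extended to match it.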