Forum Discussion

ptate_72056
Jan 23, 2009

Persistence cookies and security

Hi Everyone,

We've recently had a security audit reveal that the BigIP persistence cookie contains the IP address and the port of the node the user connected to.

I can see why this is required from a BigIP point of view, but is there any way of securing this information, bar not using cookie-based persistence?

Many thanks in advance,

Phill

3 Replies

  • Hi Phil,

    As the client should never need to read or modify this cookie, you can encrypt the cookie value using the 9.4+ HTTP profile option 'Encrypt Cookies'. Enter the name of the cookie and a passphrase to use. Make sure to create a custom HTTP profile rather than modifying the default HTTP profile, so this option will only be used on the specific VIP(s) you want it for.

    If you're on an older version of LTM, you could use an iRule to encrypt the cookie value using 'HTTP::cookie encrypt|decrypt' in HTTP_RESPONSE and HTTP_REQUEST, respectively.

    Aaron
  • Hi hoolio,

    We have made use of a config example from the F5 site (shown below).

    Just to confirm 100%, does the encrypted cookie prevent the end user from reading the contents of it? I.e. is the IP address of the back end server disguised? Or is the cookie simply encrypted in transit to prevent anyone other than the genuine client and server from reading the data?

    Thanks

        when CLIENT_ACCEPTED {
            set cookiename "OurCookie"
            set encryption_passphrase "OurPassphrase"
        }

        when HTTP_RESPONSE {
            if { [HTTP::cookie exists $cookiename] } {
                HTTP::cookie encrypt $cookiename $encryption_passphrase
            }
        }

        when HTTP_REQUEST {
            if { [HTTP::cookie exists $cookiename] } {
                set decrypted [HTTP::cookie decrypt $cookiename $encryption_passphrase]
                if { ($decrypted eq "") } {
                    # Cookie wasn't encrypted, delete it
                    HTTP::cookie remove $cookiename
                }
            }
        }
  • Deb_Allen_18
    Historic F5 Account
    The cookie data is encrypted and decrypted by the LTM only using the specified key. The client, since it does not have the key, cannot decrypt the cookie, so any data within it is not readable by the client.
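The following is an added example, not part of this thread and not F5 code: it models the encrypt-in-HTTP_RESPONSE / decrypt-in-HTTP_REQUEST flow from Aaron's reply and the posted iRule, and the point in the last answer that a client without the passphrase sees only an opaque value. It does not reproduce the LTM's actual cookie cipher; the HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, the PBKDF2 parameters, the function names `encrypt_cookie`, `decrypt_cookie` and `process_request`, and the sample plaintext are all assumptions made for the example. Only the cookie name and passphrase are taken from the posted iRule. `decrypt_cookie` returns an empty string for a value that was not produced with the passphrase, which is the condition the iRule's `$decrypted eq ""` branch handles by removing the cookie.

```python
"""Model of the persistence-cookie encrypt/decrypt flow (constructed example)."""
import base64
import hashlib
import hmac
import os

COOKIE_NAME = "OurCookie"        # cookie name from the posted iRule
PASSPHRASE = "OurPassphrase"     # passphrase from the posted iRule
PBKDF2_ITERATIONS = 200_000      # assumption for this example, not an LTM setting
NONCE_LEN, TAG_LEN = 12, 32


def _derive_keys(passphrase: str):
    """Derive separate encryption and MAC keys from the passphrase (fixed salt
    so both directions of the flow derive the same keys; illustrative only)."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), b"cookie-demo-salt",
                             PBKDF2_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF keystream (stdlib stand-in for a block cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_cookie(value: str, passphrase: str = PASSPHRASE) -> str:
    """HTTP_RESPONSE side: replace the plaintext value with an opaque, cookie-safe token.
    Random nonce, XOR with keystream, then an HMAC tag over nonce||ciphertext."""
    enc_key, mac_key = _derive_keys(passphrase)
    nonce = os.urandom(NONCE_LEN)
    plain = value.encode()
    cipher = bytes(a ^ b for a, b in zip(plain, _keystream(enc_key, nonce, len(plain))))
    tag = hmac.new(mac_key, nonce + cipher, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + cipher + tag).decode().rstrip("=")


def decrypt_cookie(token: str, passphrase: str = PASSPHRASE) -> str:
    """HTTP_REQUEST side. Returns "" if the value was not produced with this passphrase
    (plain/unencrypted, tampered, or wrong key), mirroring the empty result the iRule checks."""
    enc_key, mac_key = _derive_keys(passphrase)
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:          # binascii.Error is a ValueError subclass
        return ""
    if len(raw) < NONCE_LEN + TAG_LEN:
        return ""
    nonce, cipher, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + cipher, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time tag check
        return ""
    plain = bytes(a ^ b for a, b in zip(cipher, _keystream(enc_key, nonce, len(cipher))))
    try:
        return plain.decode()
    except UnicodeDecodeError:
        return ""


def process_request(cookies: dict) -> dict:
    """The HTTP_REQUEST handler from the thread: keep the persistence cookie only if it
    decrypts; otherwise drop it, as 'HTTP::cookie remove' does in the iRule."""
    cookies = dict(cookies)
    if COOKIE_NAME in cookies:
        decrypted = decrypt_cookie(cookies[COOKIE_NAME])
        if decrypted == "":
            del cookies[COOKIE_NAME]
        else:
            cookies[COOKIE_NAME] = decrypted
    return cookies


if __name__ == "__main__":
    # Constructed sample plaintext; not the real persistence-cookie encoding.
    token = encrypt_cookie("pool-member-A")
    print("client sees:", token)
    print("LTM recovers:", process_request({COOKIE_NAME: token}))
    print("plaintext cookie from client is dropped:",
          process_request({COOKIE_NAME: "pool-member-A"}))
```

The two properties the second poster asked about both hold in the model: the value the browser stores is unreadable without the passphrase (not merely protected in transit), and a client that sends back an unencrypted or altered value gets it discarded rather than honoured.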