Day1 Application traffic flow
By F5 Trainer
Summary
## Key takeaways
- **DNS Resolution Sequence**: First check the hosts file at C:\Windows\System32\drivers\etc, then the DNS cache via ipconfig /displaydns, then query the DNS server on port 53 if there is no local entry. [06:34], [09:17]
- **Packet Formation Layers**: Layer 3 adds source IP 10.1.1.1 and destination IP 100.1.1.1; layer 2 adds MAC addresses, obtained via an ARP request to the default gateway 192.168.2.1. [10:41], [16:19]
- **Tools for Component Inspection**: Use Wireshark for packet captures, and Fiddler or the browser developer tools Network tab to see requested components such as images from external domains. [19:25], [21:33]
- **URL Structure Breakdown**: Protocol identifier such as HTTP, hostname web.f5.com, path /kb/en-us/, request object search.html, query string product=ASM. [28:29], [30:06]
- **HTTP Request Components**: Request line with GET method, /admin.php?category=orders, HTTP/1.1; headers such as Host and Accept-Encoding: gzip, deflate; a POST carries parameters in the message body. [33:23], [35:06]
- **Key HTTP Status Codes**: 200 success, 404 not found for a missing test.html, 403 forbidden for admin.php access, 407 proxy authentication required. [42:05], [45:33]
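The resolution order in the first takeaway (hosts file, then local DNS cache, then a query to the DNS server) as a runnable model. This is an added example, not code from the course or from F5: the hosts-file contents, the cache clock and the zone data are all constructed, and the `query_server` function stands in for the real query on port 53. It also follows a CNAME to its A record, the chain that ipconfig /displaydns shows.

```python
"""Client-side name resolution order: hosts file -> DNS cache -> DNS server.
Added example; every input below is constructed for illustration."""
import time
from typing import Callable, Optional, Tuple

# Constructed contents in the format of C:\Windows\System32\drivers\etc\hosts.
# Shipped entries are commented out with '#', exactly as the trainer notes;
# the last line is the kind of entry pushed out during a DNS outage.
HOSTS_FILE = """
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
#       102.54.94.97     rhino.acme.com          # source server
#	127.0.0.1       localhost
10.1.1.100    app.com  www.app.com   # pinned while DNS is broken
"""


def parse_hosts(text: str) -> dict:
    """Map each hostname to its IP. Anything after '#' is a comment, so the
    commented-out sample entries are ignored; one IP may carry several names."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            table[name.lower()] = ip
    return table


class DnsCache:
    """Mirror of what ipconfig /displaydns lists: name -> (type, data, expiry).
    The clock is injectable so TTL expiry can be exercised deterministically."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._entries = {}

    def put(self, name: str, rtype: str, data: str, ttl: int) -> None:
        self._entries[name.lower()] = (rtype, data, self._now() + ttl)

    def get(self, name: str) -> Optional[Tuple[str, str]]:
        entry = self._entries.get(name.lower())
        if entry is None:
            return None
        rtype, data, expires = entry
        if self._now() >= expires:          # TTL ran out: behave like a miss
            del self._entries[name.lower()]
            return None
        return rtype, data


# Constructed zone data standing in for the authoritative answer from the
# DNS server reached on UDP/TCP port 53 (hypothetical names).
SERVER_ZONE = {
    "abc.com": ("CNAME", "edge.abc.com", 300),
    "edge.abc.com": ("A", "100.1.1.1", 60),
}


def query_server(name: str) -> Optional[Tuple[str, str, int]]:
    """Stand-in for the network query; returns (type, data, ttl) or None."""
    return SERVER_ZONE.get(name.lower())


def resolve(name: str, hosts: dict, cache: DnsCache, server, max_chain: int = 8):
    """Return (ip, source); source names the step that produced the final A
    record: 'hosts', 'cache' or 'server'. CNAMEs are followed up to max_chain."""
    name = name.lower()
    if name in hosts:                       # step 1: hosts file wins outright
        return hosts[name], "hosts"
    for _ in range(max_chain):
        cached = cache.get(name)            # step 2: local DNS cache
        if cached:
            rtype, data = cached
            source = "cache"
        else:                               # step 3: ask the DNS server
            answer = server(name)
            if answer is None:
                return None, "nxdomain"
            rtype, data, ttl = answer
            cache.put(name, rtype, data, ttl)
            source = "server"
        if rtype == "A":
            return data, source
        name = data.lower()                 # CNAME: resolve the target next
    return None, "cname-loop"


if __name__ == "__main__":
    hosts = parse_hosts(HOSTS_FILE)
    cache = DnsCache()
    for host in ("app.com", "abc.com", "abc.com", "nosuch.example"):
        print(host, "->", resolve(host, hosts, cache, query_server))
```

Running it twice for abc.com shows the second answer coming from the cache; after the A record's 60-second TTL passes, only the edge name is refetched because the CNAME's 300-second TTL is still valid.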
Topics Covered
- DNS Resolves Domains Before IP Routing
- Host File Overrides DNS Locally
- Multiple Tools Reveal Web Components
- HTTP URL Parses to Protocol and Query
- Status Codes Signal Web Vulnerabilities
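The URL breakdown, HTTP request components and status-code series listed in the takeaways, as an added example that is not from the course or from F5: each piece the trainer names (protocol identifier, hostname, path, request object, query string, request line, headers, message body, status line) is turned into an inspectable value using only the Python standard library. The two raw requests are constructed from the values on the page; `mysite.com` and the form POST are assumptions.

```python
"""Take apart a URL and raw HTTP request/response text into the components a
WAF inspects. Added example; the sample messages are constructed."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qs


def breakdown_url(url: str) -> dict:
    """Split a URL into the terms used in the course."""
    parts = urlsplit(url)
    path = parts.path or "/"
    directory, _, request_object = path.rpartition("/")
    return {
        "protocol_identifier": parts.scheme,
        # everything after "scheme://" is what the trainer calls the resource name
        "resource_name": url[len(parts.scheme) + 3:] if parts.scheme else url,
        "hostname": parts.hostname,
        "path": directory + "/",
        "request_object": request_object,
        "query_string": parts.query,
        # parse_qs keeps repeated parameters as lists: product=ASM -> ["ASM"]
        "parameters": parse_qs(parts.query, keep_blank_values=True),
    }


@dataclass
class HttpRequest:
    method: str
    target: str
    version: str
    headers: dict = field(default_factory=dict)   # header names lower-cased
    body: bytes = b""
    parameters: dict = field(default_factory=dict)


def parse_request(raw: bytes) -> HttpRequest:
    """Parse the request line, the headers and, for a form POST, the body
    parameters. Query-string and body parameters end up in one dict."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Content-Length bounds the body; anything past it is not this message
    body = body[:int(headers.get("content-length", len(body)))]
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if method == "POST" and headers.get("content-type", "").startswith(
            "application/x-www-form-urlencoded"):
        params.update(parse_qs(body.decode("iso-8859-1"), keep_blank_values=True))
    return HttpRequest(method, target, version, headers, body, params)


STATUS_SERIES = {1: "informational", 2: "success", 3: "redirection",
                 4: "client-side error", 5: "server-side error"}


def parse_status_line(line: str) -> tuple:
    """'HTTP/1.1 403 Forbidden' -> ('HTTP/1.1', 403, 'Forbidden', 'client-side error')"""
    parts = line.split(" ", 2)
    version, code = parts[0], int(parts[1])
    reason = parts[2] if len(parts) > 2 else ""
    return version, code, reason, STATUS_SERIES.get(code // 100, "unknown")


# Constructed messages built from the values discussed in the course.
GET_REQUEST = (b"GET /admin.php?category=orders HTTP/1.1\r\n"
               b"Host: mysite.com\r\n"
               b"Connection: keep-alive\r\n"
               b"Accept-Encoding: gzip, deflate\r\n\r\n")
POST_REQUEST = (b"POST /kb/en-us/search.html HTTP/1.1\r\n"
                b"Host: web.f5.com\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n"
                b"Content-Length: 11\r\n\r\n"
                b"product=ASM")

if __name__ == "__main__":
    print(breakdown_url("http://web.f5.com/kb/en-us/search.html?product=ASM"))
    for raw in (GET_REQUEST, POST_REQUEST):
        print(parse_request(raw))
    for status in ("HTTP/1.1 200 OK", "HTTP/1.1 404 Not Found",
                   "HTTP/1.1 407 Proxy Authentication Required"):
        print(parse_status_line(status))
```

The point of merging query-string and body parameters into one dict is that, from the server's (and the WAF's) point of view, `category=orders` in the request line and `product=ASM` in a POST body are the same kind of user-controlled input and get the same inspection.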
Full Transcript
This conference will now be recorded. So in this course we'll be discussing one of the product solutions of F5 which is called ASM. ASM stands for Application Security Manager. It is nothing but a web application firewall which helps us in protecting against application-level attacks. So in today's world it is very important that all your applications which are deployed in your environment are protected from the various attackers who are existing on the Internet. So this product is basically one of the F5 solutions which works as a WAF to protect your applications.

So before we start with ASM, we will start the course by understanding how a normal application traffic flow works when you try to access something on the internet or from your local machine: what all processes are basically involved in the backend for the application to load completely. Then we'll understand how to build the F5 box, so initial configuration: what are the various methods, what steps we need to follow to build our F5 device. Once we're done with this we'll start with the basics of traffic processing objects on F5, and after this we'll start on application components. In between, while we are discussing the application traffic flow, we'll also have a touch of the HTTP protocol and how various components work there. After this we'll be discussing the web application vulnerabilities. Once we are done with this, then we will actually get into all the various features which are involved inside the product, so what exactly each feature does; we'll discuss all those in detail, and along with this I'll also be performing labs and I'll show you how you can mitigate any specific vulnerability. So this was a brief of the course, so let's get started.

Application traffic flow. Let's say this is your client machine, and in here you are trying to access app.com; this is your application name. Basically on the internet, for ease of use for the users, any application is represented by a name, because it is always difficult to remember the IP address of various applications. It is very easy for a user to remember facebook.com instead of remembering that facebook.com relies on 101.1.10.1, and on a single day facebook might be using a single service provider which is using this IP address; on the other day it might change its service provider and let's say the IP gets changed to this, so again we have to remember this new IP address. So it is quite similar to how nowadays we rely on the phonebook on the mobile; the mobile is very important for us to get the whole database with the name and mobile number. So similar to this, in the networking world we have a big database which is being handled by a protocol called DNS, domain name system, or service you can call it. This DNS protocol basically works on port 53; every protocol has its standard port, and DNS works on port 53. Now the first thing which comes into the picture is the DNS protocol, which will map your domain name to an IP address. On the internet, any communication that happens will be happening from your IP address.
So let's say this client system is trying to communicate to the IP address of app.com. So in here the client first has only its own IP address, the source IP address. Now the next thing is it needs to find out the IP address corresponding to this app.com. To find this out, the first step which is involved is the check of the host file. So there is a file on your local system itself which has an entry saying that this domain name app.com is on, let's say, 10.1.1.100, is relying on this IP address. The location of this host file is C:\Windows\System32\drivers\etc. Let me show you an example of this host file. So this is my location, C:\Windows\System32\drivers\etc; on this I just do a right click, open with notepad. So this is an example of the host file, which will have entries like what is the IP address and what domain name is corresponding to that IP address. So usually you will find that any entry present in here will be present with the hash value; so when it is hashed it is something like it is commented. You basically use this host file in situations wherein you have issues with your DNS environment, so you don't want clients to get affected if there is a problem with the DNS; so you can just create one entry in this host file, push it to all local machines, so that this domain name gets resolved to the IP address that you mentioned here.

Now after this check of the hosts entry, check the next: let's assume there is no entry in the host file. This first check is the host file; next is your DNS cache. So on your local system also there is a cache which is being maintained by the system, so this cache is looked in for an entry for app.com, to see if there are any DNS entries with respect to this app.com. If there is no entry in the DNS cache, the next part which is checked is a DNS query goes to your DNS server. On the response that we get from the DNS server, then the client will try to communicate to that destination IP address. So for example, let's say my IP address is 10.1.1.1 and the IP address that we get for this destination is 100.1.1.1. So now this is how my packet is being formed at different layers: at layer 3 now I know my source IP and destination IP address, then this packet is basically handed over to my lower layer.

So now this DNS cache that we are talking about, how can we check this DNS cache on my local device? Let me show you. So on your command prompt you type ipconfig /displaydns and press enter; you will get records for various URLs that you would have accessed a while ago. So the entries would be something like this: the name, what is the TTL of this record, and where it has to go. So this name is pointing to this CNAME record, and then this CNAME basically has an A record which gives me this IP address. So now my client system knows that I have to send the traffic to this IP address.

Once I know the IP address, then what I will try to do is I'll check my routing table on my local appliance and see, for sending any packets to this network, what is the route which is mentioned, or, if this destination IP address is not in my network, what is the default gateway that I need to send the packet to. So to find this out I would use a command, route print, on my Windows system. So you will see the default gateway of my network, which for any destination, any network mask, is configured as this IP address. So now I know that my IP is 10.1.1.1, app.com is let's say 100.1.1.1, and my default gateway is 192.168.2.1 according to my network. So now my packet is being formed with 10.1.1.1 and 192.168.2.1. Now this packet is being handed over to layer 2, so after that in layer 2 basically a MAC address is added as a header. So now I know my source MAC address, say for assumption I'll type this, and I don't know the destination MAC address where the packet has to be transferred. So this is where a protocol called ARP comes into the picture. ARP will translate this IP address to the MAC address. So, sorry, in here this will not be the destination; the destination will be this IP, because my application app.com is corresponding to this IP address, but after I check the routing table, in order for me to reach out to this network I have to send the packet to this one. So your source system will initiate something called an ARP request asking who has this IP address; so when my default gateway or the router receives the ARP request, it sends back a response saying that this IP address is at, let's say, this MAC address. So now my packet which is being formed at layer 2 will be something like this. Now this packet is then handed over to the physical layer to be transmitted in bits and bytes. So this is how the communication of the packets will get established between the client and my server. So in order to fetch any website, first a TCP three-way handshake will get initiated between the client and the server, and then the actual web application requests or components will be fetched from the server.

Now whenever we talk about web applications, right, there are various components. You just type app.com, so corresponding to this, whenever you type this domain name there will be multiple objects. So nowadays most of the websites that you find will be either, you know, static or dynamic. So when I say static, static means the components of this webpage remain constant; dynamic means it keeps on changing. So whenever I call an object, the object could be like a JPEG image file, a PDF file, or maybe an external link to a resource. So whenever you are dealing with the application traffic flow, right, these are various components which will be requested from your client machine and will be fetched from various servers. Now the question is how do you actually find out what these components are? So when I access this app.com, what are the various components within that application which are being requested from my system to the external server? In order to find that out, I have various tools which I can use. One is Wireshark; Wireshark is one of the open-source, one of the best tools to perform packet captures. And then we have another tool called Fiddler, or you can use HttpWatch, and at the end there is a default tool included in your browser itself which is called developer tools. So you can rely on any of these to find out what all components are being requested from your system.

So let me just show you Fiddler or the developer tools option. So let me open Chrome; in here I click on this icon, I go to More tools and then Developer tools, or there is a shortcut option available which you can use, Ctrl+Shift+I. Just click on developer tools and after this you go to the Network section. In here let's say I type a URL called abc.com. So as my website is being loaded, at the right-hand side you can see there are various components which are being requested at the back end; so unless all those objects are being fetched you will not find that my website is completely loaded. So now in order to see these various components you can even just click on one of these options and see the request headers, what is the response, to which server the request went, what is the remote IP address. So even though, see, I selected this object, I can see this is my domain name, but I tried accessing something else, right? I tried abc.com, and it is still fetching the request from a different domain name. That's basically because of how your application is designed by the developer. So if he has designed it in such a way that the application will be fetching the request, so for example in here you have a YouTube link or YouTube video link, you have an option for fb.com, so these are various objects embedded on your website and these objects have to be fetched from the external server of that domain. So maybe abc.com, wherever it resides, will tell the client that, hey boss, to fetch this object you need to go to that server; so then the client will initiate a connection to that server, send a request for that specific component, and that server will respond back with the object. So unless this client has all the objects, the complete page will not get loaded. Now guys, till this part everything is clear, right?

So similar to this you can also find the option in the Fiddler tool, wherein whatever you are requesting you can see the components here, what request is being sent from your system; you can see the components here. You can even, using these tools, modify the specific request; so for example if this is being sent as GET / some specific component, you can edit this and send a completely different request as well. You can use this as a hacking tool as well. And then we have another tool called Wireshark. In Wireshark, if you want to perform a packet capture you just click on start and then select what network interface you want to perform a packet capture on; so for example if let's say I'm connected through Wi-Fi, I'll just select that interface and click on start. The moment I click on start, see, in hardly one or two seconds, at the bottom you can see almost around 2000 packets were captured, so the packet capture is continuously running here. If I want to find out packets in my network belonging to a specific protocol, I can even do a filter here; let's say I just type dns, so I'll see, okay, from my system what DNS queries are being sent to the DNS server, or I can even do a filter with, let's say, http. So like this I can see various requests and what the response is; I can analyze various protocol packets, how the request flows.
Okay, so now that we are quite comfortable with the various application components, let's discuss a bit about the HTTP protocol. Whenever you open a browser and try to access a website, basically what you type, you just type like http://abc.com, or maybe f5.com, or http:// let's say sba.co.in. So in here this component is called your protocol identifier and this is nothing but your resource name. Let's assume that I have typed this big URL: http://web.f5.com/kb/en-us/search.html?product=ASM. So in this, this will be termed my protocol identifier and this complete segment will be termed my resource name, and then this resource name is again broken down into various components, wherein this will be called your hostname, and this will be your filename, or you can say the path where the file is located, and this search.html is your request object, and after the question mark whatever you find, right, that will be your query string. So it is very important that you understand these terminologies, what they are. So this is a parameter as well, which has a value of ASM.

So in here a very common example which I can give is whenever you open up a browser: you just type, say, let me just first open up Google, and in here I type f5. So if you see the request carefully, see here there is a parameter q which is equal to f5. So what I did is I just typed f5 on Google's website, and what has happened is this f5 is being sent as an input to the Google server, and then Google searched its complete database, found out what all references it has related to f5 as a keyword, and then it will send all those responses back to your system, and then you will be able to see the various references related to f5, so be it F5 Networks or maybe it could be anything, an F5 saloon. So wherever the Google server found a relation with respect to this term f5, it will give you all these entries back in your response.
Now let's discuss the HTTP packet request and response structure. The first component of this HTTP packet is your request line. This request line indicates the method token; so whenever we are dealing with HTTP there are various methods like GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, so what method is being used to fetch your resource. And then what is the requested URI, then what protocol version you are using; so with respect to HTTP there are different flavors like 0.9, 1.0, 1.1; nowadays most of the time you will find it as 1.1. So for example you will get the GET method, /admin.php?category=, let's say, orders, and after this you will find HTTP/1.1. This is the first line, which is called the request line. And the next component is the headers. The headers will have various information, for example Host: the host header will indicate what the website name is, so let's assume you try to access mysite.com. Do I need to keep the connection alive? Okay, Connection: keep-alive. What are the encoding methods that I can accept: Accept-Encoding, so for example it will have gzip, deflate. So basically in the request it is an indication of what the capabilities are, what is the language that it will... hello Vinita, Theodore, hello guys, you can hear me right? Yeah, yeah. Okay. So, um, the headers component will basically indicate what are the capabilities of the client or how it wants to communicate to the server. And after this you'll have the message body; the message body will have the parameters which are sent via the POST method. So this is how your HTTP request structure looks.

Similar to this we have an HTTP response structure as well. So in this structure the first component is your status line. The status line will indicate the protocol version and what the status code is; an example would be like HTTP/1.1 and it will say 200 OK. And then the headers field; this again will have various content, for example it could be specifying Date, the Server details, let's say Apache, what is the Content-Encoding. So in the previous page when we saw the details about Accept-Encoding, which provided the various ways in which the client is ready to accept the encoding of the data, this Content-Encoding will show which one the server has chosen; so for example it will choose this one, so then the client knows in what format the data which is being sent by the server is encoded. It could have the Content-Length; if there is any cookie which is being sent, so Set-Cookie. So like this various headers can be present, and then your message body. This message body is the actual response payload; it could have HTML files, images, scripts, video.

Now the same thing if you want to find out on the screen here: if I just use one of the components I can see these are my response headers, these are my request headers. So like this I can find out the various header components within my HTTP protocol. And even in the packet capture as well, if you just click on one of the requests, in here in Wireshark you have a tab which will show you the data on how the packet looks from layer 2 to layer 7. So if you click on or expand the layer 7 protocol you will find the various details: what method is being used, Connection: keep-alive, Accept-Encoding, and then the response which is coming back from the server.

So always remember, whenever you are dealing with HTTP, right, the way that the server responds back will be with five different series of codes. The 100 series just means that it is informational, 200 indicates success, 300 basically indicates redirection, 400s client-side error, 500s server-side error. So most of the time the codes that you will find in these series will be 200, 302, 404, 403, 503. 200 is what you need to look at for the connection to be successful; it has to deliver the response code as 200. And then there are various HTTP request methods like GET, POST, PUT, DELETE, CONNECT. The reason why I am taking you through all this is that these are the various application components and this is what you'll be dealing with when you'll be working on the WAF product. So you have to see on which component the attack is being performed, what is the response payload, what is the request payload. Do you have any doubts till this point of time?

Ah yes, Vinita: I just want to know if we are required to know only those many codes and not in detail the codes for HTTP?

The codes that I have shown on the previous page, yes, those are the most generic codes which you'll find when you are trying to troubleshoot any application issues. So it is not mandatory that it is limited only to those; it is how your application behaves in your network. So for example, like 404, okay, I'll give you an example for 404: you are trying to access a website and you just say http://abc.com/test.html. This request goes to the web server, okay, and the web server is trying to find this specific page or request object on the web server, but it does not have it, so in response the web server will respond back with a status code of 404, which means that the request is not found; so telling the client that, boss, I don't know what you are trying to request. Or maybe this user, as a hacker, is trying to access the admin.php page; he knows that the backend is using the PHP language and he is trying to get to the admin page of the website. So the server will respond back with 403, which means that, hey boss, wait a second, you are not allowed to access this page; why should a user who's sitting on the internet have access to this admin page? So it will just respond back with code 403. And again, for some reason let's say you have a proxy sitting in between, so this is a client, the client sends a request to the proxy, and on the proxy you have implemented a way of authentication, so it might send you a 407, it's asking for authentication. So these are different ways in which, you know, as you get along, you troubleshoot, you'll find various responses from the application, so you should at least have a basic understanding of what this response represents. So when you are getting a 403 from a web server it means that you are not allowed to access that. One of the common examples which I can give you of a 403 is: let's assume the client is trying to access the application app.com, okay, and this app.com has one of the components, or maybe a video, on its webpage which has to be loaded from the YouTube server, okay, but in your environment YouTube is blocked, right? So the client will come to you with an issue saying that this webpage for some reason is not loading properly. So at that point of time you would have to investigate the application component; so you might not know how this application is designed, so you would have to take the help of developer tools or maybe Fiddler or Wireshark and see what component is being requested in here, and with respect to that what is the response code. So in here if I just open the developer tools, I can see the status code; like this you would have to see what component is failing in here. So that is the reason; these basic things you should be aware of. Okay, okay.

So I think we are running out of time today; we'll stop it here, we'll continue from tomorrow. So okay, thank you very much, thanks.