69 Cards in this Set


web access management

Provides the ability to access web applications through a web browser without the use of tunnels or specific resources

APM web access management eliminates the need for content rewriting, allowing access to the configured local traffic pool after the user passes through the access policy checks.

What does Web Access Management eliminate the need for?

Re-writing, as it allows access to the configured local traffic pool after the user passes through the access policy checks.

What resources do you need to support Web Access Management?

1. Pool of web application servers
2. An access profile
3. Access policy
4. A virtual server

Most notable thing Web Access Management is lacking in regard to session management?

A logout mechanism

Web Access Management session timeout options:

1. The Windows Cache and Session Control access policy item - terminates the user session when it detects that the browser window has closed.
2. Maximum Session Timeout access profile setting - provides an absolute limit for the duration of the access policy connection, regardless of user activity.
3. Inactivity Timeout access profile setting - terminates the session after there is no traffic flow for a specified number of seconds.

What profile type do you choose when creating a Web Access Management access profile?

LTM-APM

Which pool will take precedence: One that is defined on a virtual server, or one that is defined in Access Policy?

Access Policy

You can apply ACLs from Active Directory, RADIUS, or LDAP servers using what?

Dynamic ACL action from an Access Policy

What is a Dynamic ACL

One that is created on and stored in an LDAP, RADIUS, or Active Directory server. A Dynamic ACL action dynamically creates ACLs based on attributes from the AAA server. Because a dynamic ACL is associated with a user directory, this action can assign ACLs specifically per the user session.

What is 'Hosted Content'

Hosted content is any type of file you would like to serve from Access Policy Manager® (APM®) to access policy users. Hosted content can include executable files, scripts, text, HTML, CSS files, and image files. You can serve hosted content from a webtop link, or from a portal access link.

Permissions for Hosted Content

1. Policy - users who have completed an AP
2. Public
3. Session

Access Profile

The profile you select in a BIG-IP LTM virtual server definition to establish a secure connection to a resource, such as an application or a webtop. Access profiles can be configured to provide access control and security features to a local traffic virtual server hosting web applications.

An Access Profile contains what? (6)

• Access session settings.
• Access policy timeout and concurrent user settings.
• Accepted and default language settings.
• Single sign-on (SSO) information and cookie parameter settings.
• Customization settings.
• The access policy for the profile.

Access Policy

An access policy is an object where you define criteria for granting access to various servers, applications, and other resources on your network.

An access policy allows you to perform what 4 basic tasks?

• Collect information about the client system.
• Use authentication to verify client security against external authentication servers.
• Retrieve a user’s rights and attributes.
• Grant access to resources.

What 3 types of Web Tops can you configure?

1. Network Access Webtop
2. Portal Access Webtop
3. Full Webtop

What cookie is set with /my.policy redirect?

MRHSession cookie

APM Supports these client side authentication methods (8)

• NTLM
• Kerberos
• SAML
• Client certificate
• RSA SecurID
• One-time passcode
• HTTP Basic
• HTTP Form

APM validates client side authentication with these industry standard mechanisms (6)

• Active Directory authentication and query
• LDAP and LDAPS authentication and query
• RADIUS
• TACACS
• OCSP and CRLDP (for client certificates)
• Local User Database authentication

APM Supports these server side authentication methods (5)

• NTLM
• Kerberos
• HTTP Basic
• HTTP Form
• SAML

What is Network Access?

Full OSI layer 2 remote access VPN connectivity to internal network resources.

Which two things have the ability to change the client's routing table based on the network access resource configuration?

1. Network Access Client
2. BIG-IP Edge Client

How can network access handle DNS requests?

The Windows network access client, including BIG-IP Edge Client, has a flexible proxy DNS service. The DNS service can forward client DNS requests to BIG-IP APM for processing. BIG-IP APM can then answer the requests directly or forward them to the local DNS server.

What components are required with APM Network Access?

• A connectivity profile.
• A network access lease pool to assign to connecting clients.
• A network access resource to configure network access properties.
• A full webtop or network access webtop to present the network access resource to the client.
• An access policy that assigns the webtop and network access resource.

What two transport types are there for APM network access?

1. TLS (TCP)
2. DTLS (UDP)

What are Per-Application VPNs

A per-application (per-app) VPN makes sure that specific mobile applications and their data remain secure and protected, and only data relevant from the application is sent to the internal network. With the per-app VPN capabilities of the BIG-IP APM, combined with a mobile device management (MDM) solution, enterprise organizations can be sure only authenticated and authorized mobile users are able to access and send data to the organization from approved mobile applications or mobile containers.

What is an 'Application Tunnel'

An application tunnel (app tunnel) provides secure, application-level TCP/IP connections from the client to the internal network.

Do 'Application Tunnels' require administrative privileges to install client modules?

No

Benefits of 'Application Tunnels'

App tunnels have lower overhead in connection establishment, lower client module complexity, and faster application connections when compared to network access. Unlike network access, app tunnels allow simultaneous creation of multiple connections from a client, even to different BIG-IP APM endpoints.

An 'Application Tunnel' is comprised of the following components (4)

• A connectivity profile.
• A full webtop.
• An application tunnel resource.
• An access policy that assigns a webtop and an application tunnel resource.

What is 'Web Access Management'

BIG-IP APM can be integrated with BIG-IP LTM to provide authenticated access to web applications through a web browser without the use of tunnels or specific resources.

Also called LTM+APM or LTM-APM.

What components are required for Web Access Management?

• An access policy configured with an authentication agent.
• A pool of resources.
• An LTM virtual server.

What is 'Portal Access'

Portal access is the HTTP reverse proxy feature for BIG-IP APM. It allows for any number of internal hosts to be accessed remotely. A rewrite process is implemented to retrieve content on the user’s behalf. Web content including HTML, Java, JavaScript, CSS, and Flash is rewritten so that the client’s web browser only retrieves content from the enterprise web application via the BIG-IP APM virtual server.

What can be one downside of LTM-APM NOT re-writing page content?

LTM-APM does not rewrite the page content, so if links or other functionality reside on a different internal host, additional BIG-IP APM-protected virtual servers must be configured to support each. Additionally, the BIG-IP APM session cookie may be shared between any number of other host names in the same domain.

What components are required for Portal Access?

• A rewrite profile.
• A server SSL profile, when using internal pages protected by HTTPS.
• A portal access webtop or full webtop.
• A connectivity profile.
• An access policy that assigns a webtop and portal resource.

After successful completion of the access policy, Portal Access clients access a special URL in the following format:

https://apm/f5-w-$$/path.

What type of web apps are not supported by re-write and thus Portal Access?

Web apps that contain JavaScript errors or which rely on XML stylesheets are not supported.

Reverse proxy technology is not formally standardized and new features in JavaScript libraries develop rapidly. Therefore, compatibility problems do occur in a small number of web apps. F5 continually works to improve portal access and encourages users to report issues to F5 support.

What is Exchange Proxy?

Exchange proxy is the F5 BIG-IP APM solution to provide secure remote access for all Microsoft Exchange services. These include:

• ActiveSync
• Autodiscover
• Exchange Web Services
• Offline Address Book
• Outlook Anywhere
• Outlook Web Access

What type of authentication functionality does Exchange Proxy provide?

It uses NTLM, and is provided in such a way that it can be used simultaneously with multiple client-side authentication types (HTTP Basic, HTTP NTLM, and more) and authentication for mobile devices, depending on the capability and protocol used.

What components are required for Exchange Proxy? (6)

• An NTLM machine account.
• An NTLM authentication configuration.
• An Exchange profile.
• A Kerberos SSO profile.
• Support for HTTP Basic for Autodiscover/ActiveSync.
• An access profile with an Exchange profile assigned.

What is a 'WebTop'?

A webtop is a BIG-IP APM customizable landing page. At the end of successful access policy execution and the final client POST to complete the access policy, the client can be redirected to a BIG-IP APM webtop.

What 3 types of webtops are there?

1. Network Access - Contains JavaScript and browser plugins to launch network access on supported browsers or the BIG-IP Edge Client.
2. Portal Access - Contains a 302 redirect to the portal access encoded URL.
3. Full Webtop - Contains a complex set of JavaScript, XML, and HTML to present a menu to end users. Assigned resources are presented to the user as icons. A full webtop also allows the launching of network access from a browser and the BIG-IP Edge Client.

What are 'Access Control Lists'?

Access control lists (ACLs) are used to restrict user access to specified internal hosts, ports and/or URIs. For an ACL to have an effect on traffic, it must be assigned to a user session. ACLs are applied to all access methods by default.

What are ACEs

Access Control Entries - what make up ACLs.

Can work on Layer 4, Layer 7, or both.

If there are no ACLs assigned to a session, what is the default behavior?

Allow

Where do ACLs log entries (when configured for logging) get logged to?

/var/log/pktfilter

What is a dynamic ACL?

A dynamic ACL is an ACL that is created on and stored in an LDAP, RADIUS, or Active Directory server. A dynamic ACL action dynamically creates ACLs based on attributes from the AAA server. Because a dynamic ACL is associated with a user directory, you can use it to assign ACLs specifically per the user session. BIG-IP APM supports dynamic ACLs in an F5 ACL format, and in a subset of the Cisco ACL format.

What is the Big-IP Edge client?

BIG-IP Edge Client is a native platform-specific application for desktop operating systems that provides network access and endpoint inspection. It can also launch third-party applications configured in the access policy on BIG-IP APM. BIG-IP Edge Client cannot provide portal access.

What is Session ID rotation?

All BIG-IP APM client sessions are tracked using a unique, proprietary session ID. During the course of an access policy evaluation, the session ID is randomly rotated to prevent session hijacking and fixation attempts.

F5 APM uses secure cookies. What is this?

To make sure that the client browser will not send session cookies in an unencrypted request, the Secure cookie option (enabled by default) adds the secure attribute to the session cookie:

Set-Cookie: MRHSession=d896020385383db9ece7ac6d41f45923; path=/; secure

F5 APM and 'Persistent cookies'

Persistent cookies can be used with the web access management/LTM-APM access profile type to store the cookies locally on the client hard disk. When the session is first established, BIG-IP APM session cookies are not marked as persistent. After the user successfully authenticates with BIG-IP APM and the access policy completes successfully, the cookies will be marked as persistent in the next response to the client.

Options to prevent Brute Force Attacks?

1. Minimum Authentication Failure Delay / Maximum Authentication Failure Delay
2. CAPTCHA
3. Local User DB provides an account lockout option

Option to prevent Dos/DDoS Attacks?

Max In Progress Sessions Per Client IP restricts the number of in-progress access policies for a given client IP address. In-progress access policies are client sessions which are still being evaluated by BIG-IP APM to determine whether the client will be granted or denied access to the protected resources.

All in-memory sensitive data, such as user credentials, SSO credentials, and securely stored session variables, are 128-bit AES encrypted. BIG-IP APM uses a per-user master key, which comes from where?

BIG-IP APM session cookie

The cookie is only valid for that single user session. The key is not stored in memory, and the session variables are only stored in memory as long as the session is valid. Once the session is terminated, the data is removed and the key is destroyed.

What is 'Full Tunneling'?

Full tunneling provides Windows, Macintosh, Linux, and Windows Mobile users with access to the complete set of IP-based applications, network resources, and intranet files available, as if they were working at their desktop in the office.

What is 'Split Tunneling'?

Split tunneling provides control over exactly what traffic is sent over the network access connection to the internal network and what is not. This feature provides better client application performance by allowing connections to the public Internet to go directly to the destination, rather than being routed down the tunnel and then out to the public Internet.

What does APM provide to mitigate DNS hijacking?

BIG-IP APM provides Windows DNS Relay Proxy, which can be configured to allow hostnames for internal domain names to be intercepted and relayed over the VPN tunnel for correct resolution.

How does APM handle failover and user sessions?

BIG-IP APM does not support the use of connection flow mirroring. BIG-IP APM HA mirroring configurations synchronize BIG-IP APM session data (such as session variables and session state). In the case of a failover event, the client session state is maintained and the user will not be required to re-establish the session.

Typical APM failover behavior (5)

• Active BIG-IP APM session is maintained.
• TCP and PPP connections are reset.
• Disconnected clients automatically renegotiate their network connection.
• User sessions are maintained, including session state information.
• Client applications re-establish their connection when the tunneled protocol supports automatic reconnect (such as VPN and RDP protocols).

What 4 things can be included in APM management tasks to maintain the health of the system?

1. Tracking the number of concurrent user sessions.
2. Monitoring the authentication server pool to make sure that valid servers are used to authenticate and authorize users.
3. Maintaining and reviewing log files to track usage patterns and other information.
4. Preventing disk partitions from filling up, which can degrade performance of the BIG-IP system.

2 Points for license usage:

1. For every user session with BIG-IP APM, an access license is consumed.
2. If the user is allowed access to a remote access resource, such as network access (VPN), portal access (HTTP tunneling) or application access (AppTunnels), a concurrent user (CCU) license is also consumed.

What is 'High Speed Logging'?

Some administrators may want to log additional data such as when an access session is started or completed. Because excessive logging on the BIG-IP APM system can impair performance, the high-speed logging (HSL) feature can be used to send logs to a remote logging server. HSL utilizes TMM for faster processing and bypasses the local syslog-ng instance altogether. This can yield a performance gain over normal logging by orders of magnitude.

Implementing HSL requires the use of what?

iRules

Linux session view command?

sessiondump

APM supports these AAA servers:

• RADIUS (authentication and accounting)
• Active Directory (authentication and query)
• LDAP (authentication and query)
• CRLDP
• OCSP Responder
• TACACS+ (authentication and accounting)
• SecurID
• Kerberos
• HTTP

APM supports which AAA servers for high availability?

RADIUS, Active Directory, LDAP, CRLDP, and TACACS+

AAA Server HA typical configuration includes:

- An APM AAA server configuration object that specifies a pool of external AAA servers.
- An access policy that includes a logon item to obtain credentials and an authentication item that uses the credentials to authenticate against one of the servers in the pool.

When an AAA server supports high availability, you can configure a pool for it in the AAA configuration itself. An AAA server does not load balance over a pool that is attached to a virtual server.

What is RSA SecurID?

RSA SecurID is a two-factor authentication mechanism based on a one-time passcode (OTP) that is generated by using a token code provided by a software or hardware authenticator. Both BIG-IP Edge Client for Windows and OS X systems support the RSA SecurID feature. A token is a one-time authentication code generated every 60 seconds by an authenticator (hardware or software) assigned to the user.

What are the permissions for hosted content?

1. Policy - File only available to users who have completed an access policy with Allow
2. Public - File available to anyone with the associated access profile
3. Session - Available only to users with an active access policy session