Introduction

This article will review some of the more technical aspects of F5 Distributed Cloud AIP. F5 Distributed Cloud AIP is a platform-independent intrusion detection system (IDS) designed to provide users with a unique view into various integrated server security functions. It monitors both Linux and Windows servers as well as Kubernetes or other container-based server infrastructures to observe behaviors and detect malicious, uncommon, and risky activity.

It is advantageous in many situations where Alert Logic may not be a good fit.

What is F5 Distributed Cloud AIP?

F5 Distributed Cloud AIP is a real-time, agent-based IDS for modern Linux and Windows Servers. The F5 Distributed Cloud AIP agent is designed to send event data for the user, process, network, and file behaviors to the F5 Distributed Cloud AIP Platform. Within the F5 Distributed Cloud AIP Platform, events are reviewed, processed, and compared against Rule Sets comprised of security detections that trigger alerts for review. The F5 Distributed Cloud AIP Security Operations Center (SOC), which operates 24/7/365, will triage high severity alerts, investigate the alerts, and then escalate to Liquid Web Support, who actively addresses the issue. Should proactive mitigation steps need to be taken on the server, we immediately notify the client to ensure a solution is provided while keeping the client informed of its progress.

F5 Distributed Cloud AIP operates via a monitoring agent installed by Liquid Web. F5 Distributed Cloud AIP actively monitors the following concerns:

  • User logins/login attempts.
  • Suspicious commands.
  • Network connections.
  • File access and modification.
  • Privilege escalations.
  • New processes and kernel modules.

It is deployed for clients who want to bolster server security, gain visibility into suspect processes, and add real-time security monitoring, including those who need an IDS for HIPAA or PCI compliance.

Systems Integration

F5 Distributed Cloud AIP can be installed on the following Liquid Web server platforms:

Requirements

F5 Distributed Cloud AIP can be installed on the following operating systems.

Note:
Full system requirements can be reviewed on the F5 Distributed Cloud AIP website.

Rulesets

Typically, F5 Distributed Cloud AIP security rules are broken down into three tiers. These tiers define the severity of the issue and the appropriate effort that is taken in response.

SEV 1 - Critical

A severity level one notification indicates a possible root-level server compromise, for example a process executed from /tmp, /dev/shm, or another location commonly used in root compromises. These alerts result in an immediate investigation, and if warranted, an administrator opens a ticket with the client immediately.

SEV 2 - Suspicious

A severity level two notification indicates questionable processes running as the root user, for example a service on the server spawning a shell, a new user being created, or another form of user privilege escalation. These alerts are logged, and we may open a ticket with the client depending on the level of activity or any active suppression.

SEV 3 - Logged

A severity level three notification indicates that a suspect command-line tool (such as wget or netstat) has been downloaded or used, a user has logged in from a LAN, or unusual GNU Compiler Collection (GCC) activity has been seen. These alerts are logged for potential use during forensic analysis, but a ticket is not created for this activity type.

Additionally, if a security issue is found to be a false positive, it is whitelisted globally to prevent further false positives. Our version of F5 Distributed Cloud AIP does not include on-demand vulnerability scanning. However, because F5 Distributed Cloud AIP performs in real-time and continuously monitors your server, it immediately flags suspicious activity. A manual investigation is promptly started when a threat is detected, and appropriate remediation steps begin immediately. Clients are continually updated throughout the process. If desired, clients can purchase on-demand vulnerability and malware scans separately.
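As an added example (this is not the product's own rule logic, which the page does not publish), the following Python classifies a set of constructed host events into the three tiers described above, maps each tier to the response described for it, and applies a global suppression of a known false positive so that repeats are no longer alerted. The event field names, the directory list, the shell and service names, and the tool list are assumptions chosen for illustration.

```python
import ipaddress
import os

# Constructed sample events, not real agent telemetry; field names are assumptions.
SAMPLE_EVENTS = [
    {"type": "exec", "user": "root", "exe": "/tmp/.x/kworker", "parent": "cron"},
    {"type": "exec", "user": "root", "exe": "/bin/sh", "parent": "nginx"},
    {"type": "exec", "user": "root", "exe": "/usr/sbin/useradd", "parent": "bash"},
    {"type": "exec", "user": "deploy", "exe": "/usr/bin/sudo", "parent": "bash"},
    {"type": "exec", "user": "deploy", "exe": "/usr/bin/wget", "parent": "bash"},
    {"type": "login", "user": "admin", "src_ip": "10.0.0.15"},
    {"type": "login", "user": "admin", "src_ip": "198.51.100.7"},
    {"type": "exec", "user": "deploy", "exe": "/usr/bin/netstat", "parent": "bash"},
    {"type": "exec", "user": "www-data", "exe": "/usr/sbin/nginx", "parent": "systemd"},
]

# Tier criteria paraphrased from the text above; the concrete lists are assumptions.
SEV1_DIRS = ("/tmp", "/dev/shm")
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh", "/usr/bin/bash"}
SERVICE_PARENTS = {"nginx", "httpd", "apache2", "php-fpm", "mysqld", "postgres"}
SEV3_TOOLS = {"wget", "netstat", "gcc", "cc"}
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

RESPONSE = {
    1: "investigate immediately; open ticket with client",
    2: "review; ticket depends on activity level and suppression",
    3: "log for forensic use; no ticket",
}


def classify(ev):
    """Return (severity, rule_name) for a flagged event, or None if it is benign."""
    if ev["type"] == "exec":
        exe = ev["exe"]
        name = os.path.basename(exe)
        if any(exe.startswith(d + "/") for d in SEV1_DIRS):
            return 1, "exec_from_tmp"            # SEV 1: execution from /tmp or /dev/shm
        if ev["user"] == "root" and exe in SHELLS and ev.get("parent") in SERVICE_PARENTS:
            return 2, "service_spawned_shell"     # SEV 2: a service running a shell as root
        if name in {"useradd", "adduser"}:
            return 2, "user_created"              # SEV 2: new user account
        if name in {"sudo", "su"} and ev["user"] != "root":
            return 2, "privilege_escalation"      # SEV 2: privilege escalation attempt
        if name in SEV3_TOOLS:
            return 3, "suspect_tool"              # SEV 3: wget/netstat/gcc usage
    elif ev["type"] == "login":
        ip = ipaddress.ip_address(ev["src_ip"])
        if any(ip in net for net in LAN_NETS):
            return 3, "login_from_lan"            # SEV 3: login from a private (LAN) address
    return None


def triage(events, suppressions=frozenset()):
    """Classify each event and drop globally suppressed false positives.

    suppressions is a set of (rule_name, key) pairs where key is the exe path for
    exec events or the source IP for login events.
    """
    alerts = []
    for ev in events:
        hit = classify(ev)
        if hit is None:
            continue
        sev, rule = hit
        key = ev.get("exe") or ev.get("src_ip")
        if (rule, key) in suppressions:
            continue
        alerts.append({"sev": sev, "rule": rule, "response": RESPONSE[sev], "event": ev})
    return alerts


if __name__ == "__main__":
    # After an analyst marks netstat usage as a false positive, it is suppressed globally.
    allowlist = {("suspect_tool", "/usr/bin/netstat")}
    for a in triage(SAMPLE_EVENTS, allowlist):
        print(f"SEV {a['sev']} {a['rule']:<22} {a['response']}")
```

The suppression key is deliberately narrow (rule plus exe path or source address) so that allowlisting one noisy tool does not silence the same rule for a different binary.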

Verification

Agent Process

A client can verify that the F5 Distributed Cloud AIP agent is running using the following command in the terminal.

[root@host ~]# tsagent status
 UP F5 Distributed Cloud AIP Agent Daemon
 UP F5 Distributed Cloud AIP Backend Connection
 UP F5 Distributed Cloud AIP Heartbeat Service
 UP F5 Distributed Cloud AIP Login Collector
 UP F5 Distributed Cloud AIP Audit Collection
 UP F5 Distributed Cloud AIP Log Scan Service
 UP F5 Distributed Cloud AIP Vulnerability Scanner
 UP F5 Distributed Cloud AIP File Integrity Monitor

Confirmation Check

To verify the last time the agent completed a check-in, we can use the F5 Distributed Cloud AIP command-line tool and run the following command.

[root@host ~]# tsagent info
LastBackendConnection: 2021-03-05T21:09:37Z
ClientConfig:
ID: 5f735f85c137554511ca3a51-19beebd0-6fd2-11eb-9997-a11e888adf040001020304050607
Key: 5f735f85c137554511ca3a51-19beebd0-6fd2-11eb-9997-a11e888adf04
Protocol: ALv2
Backend: wss://cssensors.threatstack.com

Process Manipulation

If the agent needs to be started, stopped, or restarted, we can again use the F5 Distributed Cloud AIP command-line tool. Running any of the following commands will accomplish this task.

[root@host ~]# tsagent stop
[root@host ~]# tsagent start
[root@host ~]# tsagent restart
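The two checks above (every component reporting UP, and a recent LastBackendConnection) are what a practitioner would want to automate rather than eyeball. The following Python is an added example, not a Liquid Web or F5 tool: it parses the text format shown in the `tsagent status` and `tsagent info` output above, reports any component that is not UP, and flags a check-in older than a chosen threshold. When run on a server it calls the real `tsagent` commands; offline it falls back to constructed sample output modelled on the page. The 15-minute staleness threshold and the DOWN state in the degraded sample are assumptions.

```python
import re
import subprocess
from datetime import datetime, timezone

# Constructed sample output modelled on the tsagent examples on this page (not captured).
SAMPLE_STATUS_OK = """\
 UP F5 Distributed Cloud AIP Agent Daemon
 UP F5 Distributed Cloud AIP Backend Connection
 UP F5 Distributed Cloud AIP Heartbeat Service
 UP F5 Distributed Cloud AIP File Integrity Monitor
"""
SAMPLE_STATUS_DEGRADED = """\
 UP F5 Distributed Cloud AIP Agent Daemon
 DOWN F5 Distributed Cloud AIP Backend Connection
 UP F5 Distributed Cloud AIP Heartbeat Service
 UP F5 Distributed Cloud AIP File Integrity Monitor
"""
SAMPLE_INFO = "LastBackendConnection: 2021-03-05T21:09:37Z\nClientConfig:\nProtocol: ALv2\n"

STATUS_LINE = re.compile(r"^\s*(UP|DOWN)\s+(.+?)\s*$")
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # format of the timestamp shown in the page's tsagent info output


def parse_ts(s):
    """Parse the UTC timestamp format used by LastBackendConnection."""
    return datetime.strptime(s.strip(), TS_FORMAT).replace(tzinfo=timezone.utc)


def parse_status(text):
    """Map each component name in `tsagent status` output to its state (UP/DOWN)."""
    services = {}
    for line in text.splitlines():
        m = STATUS_LINE.match(line)
        if m:
            services[m.group(2)] = m.group(1)
    return services


def down_services(text):
    """Names of components whose state is anything other than UP."""
    return sorted(name for name, state in parse_status(text).items() if state != "UP")


def last_checkin(info_text):
    """Extract LastBackendConnection from `tsagent info` output, or None if absent."""
    for line in info_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "LastBackendConnection":
            return parse_ts(value)
    return None


def checkin_is_stale(info_text, now=None, max_age_seconds=900):
    """True if the agent has not checked in within max_age_seconds (default 15 min, an assumption)."""
    ts = last_checkin(info_text)
    if ts is None:
        return True
    now_dt = parse_ts(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    return (now_dt - ts).total_seconds() > max_age_seconds


def health_report(status_text, info_text, now=None, max_age_seconds=900):
    """Return a list of problems; an empty list means the agent looks healthy."""
    problems = [f"component not UP: {name}" for name in down_services(status_text)]
    if checkin_is_stale(info_text, now, max_age_seconds):
        problems.append(f"backend check-in older than {max_age_seconds} seconds")
    return problems


def tsagent(*args):
    """Run the real tsagent CLI and return its stdout."""
    return subprocess.run(["tsagent", *args], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    try:
        status, info = tsagent("status"), tsagent("info")
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("tsagent not available; evaluating the constructed sample output instead")
        status, info = SAMPLE_STATUS_DEGRADED, SAMPLE_INFO
    for problem in health_report(status, info):
        print("PROBLEM:", problem)
```

Any non-empty report is a reason to run `tsagent restart` and, if the backend connection stays down, to check outbound access to the wss backend shown in `tsagent info`.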

F5 Distributed Cloud AIP Advantages

F5 Distributed Cloud AIP offers multiple benefits to small and medium-sized businesses.

  • Real-time detection from intrusion attempts on a server.
  • Robust security that provides proactive, reactive, and interactive based responses to immediate server threats.
  • Escalated analysis to Liquid Web from its dedicated Security Operations Center.
  • Cost-conscious consumers are provided a genuinely competitive price point while receiving protection comparable to higher-priced alternatives.
  • Intangible cost savings are realized via reduced timeframes spent investigating false positives, increased vigilance without the additional time investment, and it prevents costly business interruptions.
  • Peace of mind in knowing that a fully managed product is hard at work protecting you all day, every day.

F5 Distributed Cloud AIP Disadvantages

Despite all the advantages that F5 Distributed Cloud AIP offers, a few drawbacks may deter some clients from choosing this product.

  • Server Agent Requirement: An agent must be installed on every server, which may be troublesome for clients with a larger clustered footprint, as an agent only encompasses one server at a time.
  • Additional Processes Increase Load: While the addition of a single agent process should not significantly impact server load, owners of heavily utilized servers must be aware of all resource usage. The agent runs continuously and interacts with an external source to provide data for the service.
  • No Automated Mitigation: While F5 Distributed Cloud AIP actively monitors and logs current server events, it does not take proactive actions on any events besides reporting. A further remediation step is required to address any severe or critical issues seen. This being stated, the response times for said incidents are excellent.

Conclusion

Overall, F5 Distributed Cloud AIP provides significant benefits to clients for a small price. The uninterrupted protection it offers in monitoring, reporting, and subsequent action taken by Liquid Web support provides round-the-clock peace of mind to every security-conscious business owner.

F5 Distributed Cloud AIP is enhanced by its modest initial price point for high-level functionality. Its continuous active delivery of intrusion detection included with the system keeps your server safe from malicious actors who use various attack vectors to gain access. Overall, F5 Distributed Cloud AIP is a superb service that every security-conscious client needs.

If you have any questions about the information presented in this article, reach out to one of our Most Helpful Humans in Hosting via phone at 800.580.4985, support ticket, or LiveChat 24 hours a day, 7 days a week, 365 days per year.
