07-21-2014 11:05 AM
Hi All
I am hoping someone can help with the following on the Cisco ACE (this is the ACE20).
A scan of our environment has revealed a vulnerability in the application hosted on ACE Load Balancer due to ACE inserting a predictable cookie for sticky http sessions.
The cookie type used is cookie insert browser-expire. I believe this is expected, as the cookie value is derived from a combination of the serverfarm name, rserver name, and rserver port.
Is there any way to change this so the cookie is not predictable?
Thanks Craig
07-21-2014 11:18 AM
Hi Craig,
I was wrong. You can actually define the string of your choice. Please have a look below:
http://www.cisco.com/c/en/us/td/docs/interfaces_modules/services_modules/ace/vA4_2_0/configuration/slb/guide/slbcfggd/rsfarms.html#wpxref94060
From the above link:
You can enter a cookie string value of a real server that you want to use for HTTP cookie insertion by using the cookie-string value command in server farm real server configuration mode. You can configure one cookie string for each real server. Valid entries are text strings with a maximum of 32 alphanumeric characters. You can include spaces and special characters in a cookie string value provided that the spaces and special characters are included in double quotes (for example, "test cookie string"). If you use quotes in a cookie string, the specified cookie-string value appears in double quotes in the running-configuration file.
Use cookie insertion when you want to use a session cookie for persistence if the server is not currently setting the appropriate cookie. With this feature enabled, the ACE inserts the cookie in the Set-Cookie header of the response from the server to the client.
Regards,
Kanwal
Note: Please mark answers if they are helpful.
07-21-2014 11:43 AM
Hi Kanwal
Thank you for the response, I take it this command was introduced in A4. I have checked the configuration guide on the latest software for the ACE20 and I have not been able to see this setting.
Regards Craig
07-21-2014 12:10 PM
Hi Craig,
I don't see it either. It seems that it was never added to ACE20, only for the appliance and ACE30. With ACE end of life, I don't see that it would be introduced either.
Regards,
Kanwal
Note: Please mark answers if they are helpful.
07-21-2014 12:29 PM
Hi Craig,
I confirmed it and you don't have this option in ACE20. Do you think you can try and configure a static cookie? But you have a limitation of 4095 static cookies only.
sticky http-cookie ACE COOKIE1
  cookie insert
  serverfarm Cookie-Sticky-Farm
  1 static cookie-value "PC1" rserver PC1-1
  2 static cookie-value "PC11" rserver PC2-1
Regards,
Kanwal
07-22-2014 12:49 AM
Hi Kanwal
Thanks for the response. I take it this will be a predictable cookie as the value is static.
Regards Craig
07-22-2014 09:58 AM
Hi Craig,
You can define anything there, like "2 static cookie-value Test rserver PC2-1", and that will not make it predictable since it is not being generated by ACE depending upon standard parameters like rserver name etc.
Regards,
Kanwal
Note: Please mark answers if they are helpful.
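As an added example (not from the thread and not Cisco's own tooling), the script below generates the static cookie-value lines Kanwal describes, drawing each value from a CSPRNG instead of from the serverfarm/rserver name and port, and enforcing the 32-character and 4095-entry limits quoted in the thread. The cookie name "ACE", sticky group "COOKIE1" and the numbered line form follow Kanwal's post; the function and rserver names are assumptions.

```python
import secrets
import string

# Limits quoted in the thread: 32 alphanumeric characters per cookie value,
# at most 4095 static cookie entries per sticky group.
MAX_COOKIE_LEN = 32
MAX_STATIC_ENTRIES = 4095
ALPHABET = string.ascii_letters + string.digits


def random_cookie_value(length=MAX_COOKIE_LEN):
    """Return a cookie value from a CSPRNG, unrelated to rserver name or port."""
    if not 1 <= length <= MAX_COOKIE_LEN:
        raise ValueError("ACE cookie strings are 1..32 alphanumeric characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def validate_cookie_value(value):
    """True if the value fits ACE's documented 32-char alphanumeric limit."""
    return 1 <= len(value) <= MAX_COOKIE_LEN and all(c in ALPHABET for c in value)


def build_static_cookie_config(cookie_name, sticky_group, serverfarm, rservers,
                               length=MAX_COOKIE_LEN):
    """Build a 'sticky http-cookie' block with one unique random value per rserver.

    Returns (config_lines, mapping); mapping is {rserver: cookie_value} so the
    operator can record which opaque value maps to which backend.
    """
    if len(rservers) > MAX_STATIC_ENTRIES:
        raise ValueError(f"ACE allows at most {MAX_STATIC_ENTRIES} static cookies")
    if len(set(rservers)) != len(rservers):
        raise ValueError("duplicate rserver names")
    mapping, used = {}, set()
    for rs in rservers:
        value = random_cookie_value(length)
        while value in used:          # collision is negligible; keep uniqueness strict
            value = random_cookie_value(length)
        used.add(value)
        mapping[rs] = value
    lines = [f"sticky http-cookie {cookie_name} {sticky_group}",
             "  cookie insert",
             f"  serverfarm {serverfarm}"]
    for idx, rs in enumerate(rservers, start=1):
        lines.append(f'  {idx} static cookie-value "{mapping[rs]}" rserver {rs}')
    return lines, mapping


if __name__ == "__main__":
    cfg, _ = build_static_cookie_config("ACE", "COOKIE1", "Cookie-Sticky-Farm",
                                        ["PC1-1", "PC2-1"])  # constructed sample
    print("\n".join(cfg))
```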
07-21-2014 11:23 AM
Hi Craig,
So you can do something like this in the serverfarm.
switch/Admin(config)# do sh running-config serverfarm XXX
Generating configuration....
serverfarm host XXX
  rserver xxx1
    cookie-string "test123"
    inservice
Now, ACE shall use the above string for cookie insertion and it will point to rserver xxx1. You should have a different string for each rserver under the serverfarm.
Hope this helps!
Regards,
Kanwal
Note: Please mark answers if they are helpful.
07-21-2014 11:33 AM