
16 July 2018

A2 level in French language



Last summer, I wrote about passing the A1 level in French because I had started learning a new language, French, at the Official School of Languages and I passed the A1 level exam. Those were my beginnings in French, although I had already studied some French at high school. As a result, my wish for this year 2018 was to keep studying French, and I've just successfully passed the A2 level in French. I feel happy to be able to move on to the next level, B1, because it means I'm improving my French language skills.


I got 9.5 in the listening skill, which is very good. I mean, it's amazing! I think I got it because I've done a lot of listening exercises, almost five listening exercises a week since I started the course. They are online at apprendre.tv5monde.com. Besides, I've listened to France Info radio live from time to time. While I'm working, while I'm taking a shower or while I'm in the gym, I can listen to the radio in French. All of this has been enough to get a good mark in the listening skill.

The speaking skill is the most difficult skill from my point of view because students have to speak about a topic for a few minutes but don't have a lot of time to think about it. Therefore, students have to improvise and work out what they want to say. I got 8 in the speaking skill, which is also very good. I've been speaking alone in my house with Vaughan Bonjour! and I've also been speaking with schoolmates in French, which has allowed me to improve my speaking skill. In addition, I think the video selfie in French, my talk about the mathematician, physicist and French philosopher Sophie Germain, and the talk about La région Île de France have helped me to get this good mark.

I think the reading skill is the easiest skill because, although you don't understand the whole document, you can work out what you are reading from the context. I really love reading. Therefore, I've read three books in French during this course. I still read books for beginners, which means I read books with basic vocabulary and simple grammatical sentences, but I hope to pick up more and more vocabulary and complex grammatical sentences in the coming years in order to read more interesting books.

Finally, I have to admit that the writing skill is not easy. Although I usually write in this blog, writing is not easy even for me because you have to think about what you are going to write as well as how you are going to organise the text: how many paragraphs you are going to write, what verb tense you are going to use for the story, the letter, the email or whatever. There are many things you have to think about and decide before writing the first letter. However, I got 9 in the writing skill, which is also a very good mark.

To sum up, I've been studying for the whole course and I've finished with very good marks. Thanks to the teacher, thanks to the schoolmates and thanks to my supporters.

Regards my friends and keep studying!!

9 July 2018

F5 ASM - Denial of Service (DoS) Mitigation



From time to time, I talk about DoS attack techniques and methods with workmates and customers, and when we speak about it, most of them think about DDoS attacks where a botnet floods the targeted server with excessive bandwidth consumption. However, we shouldn't forget that an attacker can also make services unavailable just by requesting heavy URLs. Therefore, it's not necessary to have lots of resources, nor a botnet, to make services unavailable, because it can also be accomplished with a simple DoS attack.

Mainly, there are three DoS attack categories: volumetric attacks, computational attacks and application attacks. Firstly, volumetric attacks, like UDP flood attacks or amplification DDoS attacks, are the best-known DoS attacks. Secondly, computational attacks, like SYN flood attacks, are less well known than volumetric attacks; here attackers want to exhaust resources such as firewall session tables. Finally, application attacks, like HTTP flood attacks, are easy to execute with DoS attack tools such as LOIC or slowloris. However, these last attacks are little known by companies, and most of them don't even know how to mitigate them nor which mitigation tools are on the market.

DoS Attacks Categories

When we are mitigating DoS attacks, it's important to have a good classification between malicious traffic and legitimate traffic because the mitigation process could also block legitimate users when DoS mitigation tools are not well configured. In addition, DoS attacks are increasingly sophisticated and targeted, and they are also delivered in SSL traffic against servers and applications. As a result, behavioural analytics, ultra-fast automated detection and comprehensive protection are required for a good mitigation strategy.

F5 BIG-IP WAF is also able to detect and block DoS attacks. We can watch in the next video how I configure a DoS profile to detect and block attacks based on TPS (Transactions Per Second). When the iMacros bot requests two transactions per second, the DoS profile blocks its requests and the DoS attack is stopped. In addition, the video shows how to block DoS attacks with a CAPTCHA challenge, to find out whether a bot or a human being is behind the requests to the web server. Last but not least, DoS reporting is very important to know what's going on and what happened to the services.
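The TPS-based detection, the CAPTCHA challenge and the per-client reporting described above, written out as a small Python model. This is an added example and not F5 code or configuration: the threshold (2 transactions per window), the one-second window, the client addresses and the traffic timeline are all constructed for the demonstration, and the challenge is modelled as a state the client must clear rather than a real CAPTCHA page.

```python
from collections import defaultdict, deque

# Constructed thresholds (this example's own, not F5 defaults): a client that
# reaches TPS_THRESHOLD requests within any WINDOW_SECONDS window is treated as
# a DoS source and is challenged; it gets no application content until it passes.
TPS_THRESHOLD = 2
WINDOW_SECONDS = 1.0


class TpsDosProfile:
    """Per-client transactions-per-second tracking with a CAPTCHA-style challenge."""

    def __init__(self, tps_threshold=TPS_THRESHOLD, window=WINDOW_SECONDS):
        self.tps_threshold = tps_threshold
        self.window = window
        self.timestamps = defaultdict(deque)  # client -> recent request times
        self.challenged = set()               # clients that must solve a challenge
        self.events = []                      # (time, client, action) for reporting

    def _prune(self, client, now):
        """Drop request timestamps that have left the sliding window."""
        q = self.timestamps[client]
        while q and now - q[0] >= self.window:
            q.popleft()

    def handle_request(self, client, now):
        """Return 'allow' or 'challenge' for one transaction at time `now`."""
        if client in self.challenged:
            # A challenged client is served the CAPTCHA page again, not the application.
            self.events.append((now, client, "challenge"))
            return "challenge"
        self._prune(client, now)
        q = self.timestamps[client]
        q.append(now)
        if len(q) >= self.tps_threshold:
            # Rate reached: stop serving the application and present a challenge
            # that a script cannot answer but a human can.
            self.challenged.add(client)
            self.events.append((now, client, "challenge"))
            return "challenge"
        self.events.append((now, client, "allow"))
        return "allow"

    def solve_challenge(self, client, now, answered_correctly):
        """Called when the client submits the CAPTCHA answer; True if it is released."""
        if answered_correctly and client in self.challenged:
            self.challenged.discard(client)
            self.timestamps[client].clear()  # fresh window after a human passed
            self.events.append((now, client, "challenge-passed"))
            return True
        return False

    def report(self):
        """Count actions per client, the kind of summary a DoS report shows."""
        summary = defaultdict(lambda: defaultdict(int))
        for _, client, action in self.events:
            summary[client][action] += 1
        return {c: dict(a) for c, a in summary.items()}


def simulate():
    """Constructed traffic: a human at 1 request/s and a bot at 5 requests/s."""
    profile = TpsDosProfile()
    results = {"human": [], "bot": []}
    for i in range(5):
        results["human"].append(profile.handle_request("203.0.113.10", i * 1.0))
    for i in range(5):
        results["bot"].append(profile.handle_request("198.51.100.7", i * 0.2))
    # The bot cannot answer the CAPTCHA, so it stays challenged.
    released = profile.solve_challenge("198.51.100.7", 2.0, answered_correctly=False)
    return profile, results, released


if __name__ == "__main__":
    prof, outcome, _ = simulate()
    print(outcome)
    print(prof.report())
```

The human client never accumulates two requests inside one window and is always served; the bot reaches the threshold on its second request and is challenged from then on. The report is what lets you see, per client, how many requests were served versus challenged, which is the visibility the post asks for.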

  
Regards my friends and don’t forget to protect your services.

2 July 2018

F5 BIG-IP ASM Certified Technology Specialist



As you will have realised, I'm writing a lot about load balancers lately. In fact, I've written 10 posts about F5 BIG-IP since April. This is due to the fact that my F5 Certified BIG-IP Administrator (F5-CA) certification is going to expire soon. Therefore, I was thinking about how to renew this certification and what was the best option for my job, my skills and my knowledge. Finally, I chose to study for the 303 – BIG-IP ASM Specialist v2 exam for the recertification process because I had already worked with Web Application Firewalls.

Two years ago, I studied for 101 - Application Delivery Fundamentals and 201 - TMOS Administration. I passed the exams with scores of 86 and 73 respectively. This is the entry-level certification for F5 BIG-IP. Once I got the F5-CA certification, I could register for the F5 Certified Technology Specialist (F5-CTS) certification, where I could choose between LTM, DNS, ASM or APM. However, if I wanted to pass the F5 Certified Solution Expert (F5-CSE), first I would have to achieve all CTS levels.

F5 Certification Program

I think the exam 303 – ASM Specialist is the best option for my recertification because I've already worked with Web Application Firewalls. In fact, I've had to talk about the ASM module and show its features in marketing campaigns, as well as delivering training courses and deploying demo appliances and appliances for production environments. In addition, I've also worked with other manufacturers' products such as AWS WAF or Fortinet FortiWeb. For this reason, my knowledge about WAFs is not limited to F5.

What have I been studying for the exam? First, I took the Getting Started with BIG-IP ASM course from F5 University. Next, I was lucky enough to take a training course in ASM and I've done all the labs twice. I've also read the book I got from the training course as well as the BIG-IP ASM Operation Guide. Finally, I've read the OWASP Top 10 carefully to know and understand the most critical security risks to web applications.

Although BIG-IP v13.1 has already been released, the BIG-IP ASM exam is still based on the old version 12.1, which is nice for people who have already worked with ASM but undesirable for newbies who are learning about ASM for the first time, because there have been some changes in the new version and, probably, they are going to deploy, configure and manage the latest version, v13.1, in the future. It's also important to highlight that the passing score is 57%, which is the lowest passing score to get an F5-CTS. This is great!!

Exam descriptions and study materials
 
If you want to take the plunge into this certification, I would recommend you to read the next posts:
Regards my friends and keep studying!!

25 June 2018

F5 BIG-IP ASM - Brute Force and Web Scraping



Today, I want to write about two mitigation mechanisms that, I think, are not used enough in enterprises. First, brute force attacks can be stopped easily with the free tool fail2ban, but we can also use WAF appliances to block this kind of attack. On the other hand, web scraping attacks can also be stopped easily with WAF appliances, but most IT engineers don't know it and, therefore, their web sites are not protected from competitors. These are two attacks that we can mitigate with F5 BIG-IP ASM.

Brute force attacks are attempts to discover credentials in order to break into services such as web services, file services or mail services. For example, malicious users and bots may be interested in getting into secure areas and, as a result, they'll need to discover legitimate credentials. How does F5 ASM protect web sites against brute force attacks? We have to define a login page, for instance user_login.php, and, thereafter, we have to apply brute force protection to the security policy so that it knows what to do when a brute force attack is detected. We can watch the configuration in the next video:


Web scraping attacks are sophisticated attacks whose aim is to obtain large amounts of data from web sites, extracting proprietary data directly out of the HTML: price tracking, directory listings to get leads and marketing information, image searches, financial information, etc. How does F5 ASM protect companies against web scraping attacks? We have to enable Bot Detection and, thereafter, configure the interval and period times used to detect bots. For example, if a client loads 30 different pages in 30 seconds, that is unusual and the client will be classified as a bot. We can watch the configuration in the next video:
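Both mechanisms from this post, brute force protection on a login page and bot detection by distinct pages per interval, as one added Python example (not F5 code; the videos show the ASM configuration, this shows the logic). The login URL user_login.php and the "30 different pages in 30 seconds" rule come from the post; the failed-login limit of 5 per minute, the usernames, the client addresses and the traffic are constructed for the demonstration.

```python
from collections import defaultdict, deque

LOGIN_URL = "/user_login.php"   # login page named in the post
MAX_FAILED_LOGINS = 5           # constructed threshold (per username and per source address)
FAIL_WINDOW = 60.0              # seconds, constructed
SCRAPE_PAGES = 30               # "30 different pages in 30 seconds", from the post
SCRAPE_WINDOW = 30.0


class BruteForceGuard:
    """Counts failed logins on the login URL per username and per source address."""

    def __init__(self, limit=MAX_FAILED_LOGINS, window=FAIL_WINDOW):
        self.limit, self.window = limit, window
        self.failures = defaultdict(deque)  # ("user", name) / ("src", ip) -> failure times

    def _count(self, key, now):
        q = self.failures[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q)

    def check(self, src, username, url, login_ok, now):
        """Return 'allow' or 'block'. Only the login URL is subject to brute force protection."""
        if url != LOGIN_URL:
            return "allow"
        if not login_ok:
            self.failures[("user", username)].append(now)
            self.failures[("src", src)].append(now)
        hit = (self._count(("user", username), now) >= self.limit
               or self._count(("src", src), now) >= self.limit)
        return "block" if hit else "allow"


class ScrapingGuard:
    """Flags a client that loads too many distinct pages within the detection window."""

    def __init__(self, pages=SCRAPE_PAGES, window=SCRAPE_WINDOW):
        self.pages, self.window = pages, window
        self.seen = defaultdict(deque)  # src -> (timestamp, url) in arrival order

    def check(self, src, url, now):
        """Return 'bot' once the distinct-page count in the window reaches the limit."""
        q = self.seen[src]
        q.append((now, url))
        while q and now - q[0][0] > self.window:
            q.popleft()
        distinct = {u for _, u in q}
        return "bot" if len(distinct) >= self.pages else "allow"


def run_constructed_traffic():
    """Constructed traffic: a password-guessing client, a browsing human and a scraper."""
    bf = BruteForceGuard()
    sc = ScrapingGuard()
    # seven consecutive failed logins for the same account from one address
    guesses = [bf.check("198.51.100.7", "alice", LOGIN_URL, False, t) for t in range(7)]
    # a human bouncing between two pages for 40 seconds: few distinct pages
    human = [sc.check("203.0.113.10", "/page1.html" if t % 2 else "/page2.html", t * 1.0)
             for t in range(40)]
    # a scraper fetching a new catalog page every half second
    scraper = [sc.check("198.51.100.9", f"/catalog/item{t}.html", t * 0.5) for t in range(40)]
    return guesses, human, scraper


if __name__ == "__main__":
    g, h, s = run_constructed_traffic()
    print(g, h.count("bot"), s.index("bot"))
```

Counting distinct URLs rather than raw requests is what separates scraping detection from plain rate limiting: the human reloading two pages forty times is never flagged, while the scraper is flagged on its thirtieth distinct page. Counting login failures by both username and source address catches a single client guessing one account as well as one account being targeted from many clients.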


However, there are times when we may also want to deny access by country because we are detecting too many attacks coming from a specific origin country. Carefully, if we don't have customers or potential customers in that country, we can deny traffic from the “malicious” country. In addition, we'll also be able to deny traffic from Anonymous Proxies. How does F5 ASM protect web applications by geolocation? It is easy. We define disallowed locations and allowed locations in the security policy. That's all! We can watch the configuration in the next video:


Regards my friends and drop me a line with the first thing you are thinking.

18 June 2018

WAF - Login Enforcement & Session Tracking



Associating usernames and sessions with application violations provides in-depth blocking and visibility, which is useful for understanding attacks and for forensics. In addition, if we are able to identify devices for every visitor across multiple IPs and sessions, we'll increase precision in blocking malicious activities. Therefore, these techniques help us to identify and block suspicious clients and headless browsers as well as mitigate client-side malware.

The first video this week is about Login URL Enforcement, which is a mechanism for preventing forceful browsing to restricted parts of the web application. By defining a required URL (i.e. the login page), the user must pass through it in order to access a certain target URL. This mechanism uses ASM cookies, which are session cookies, to keep information about the prerequisite URL that was accessed successfully. We'll watch how to create a Login Page and how to configure Login Enforcement in the next video.


The second video is about Session Awareness and how to configure violation detection actions. In fact, we'll configure ASM to log all requests from the session when the threshold is triggered. However, session awareness can also mitigate session hijacking attacks, which occur when an attacker is able to steal session information from an authenticated user. Session hijacking prevention is based on fingerprinting, where client identification is based on screen resolution, time and time zone data, browser attributes such as platform, version, installed plugins, etc. Therefore, we'll watch in the next video how to enable session awareness and how to log all requests once a violation is detected.
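Login enforcement and session awareness from the two videos, combined into one added Python model (not F5 code): a session cookie records whether the prerequisite login URL was passed successfully, target URLs are blocked without it, and once a session reaches the violation threshold every request from that session is logged. The login URL, the protected URL prefix, the redirect status that counts as a successful login, the threshold of 3 and the request sequence are all constructed assumptions; a hijacking fingerprint is not modelled.

```python
import secrets

REQUIRED_URL = "/login.php"        # constructed prerequisite (login) URL
PROTECTED_PREFIX = "/account/"     # constructed target URLs that need the prerequisite
LOGIN_SUCCESS_STATUS = 302         # constructed: the app redirects after a good login
VIOLATION_THRESHOLD = 3            # constructed: log every request once a session hits this


class SessionTracker:
    """Login enforcement plus session awareness keyed on a WAF-issued session cookie."""

    def __init__(self):
        self.sessions = {}  # cookie -> {"passed_login", "violations", "username"}
        self.log = []       # (cookie, username, url, verdict) kept for forensics

    def new_session(self):
        """Issue a random session cookie (stands in for the ASM session cookie)."""
        cookie = secrets.token_hex(8)
        self.sessions[cookie] = {"passed_login": False, "violations": 0, "username": None}
        return cookie

    def handle(self, cookie, url, username=None, response_status=200, other_violation=False):
        """Evaluate one request. `other_violation` marks a violation raised by another
        policy check (e.g. an attack signature) so that it counts against the session."""
        s = self.sessions.get(cookie)
        if s is None:
            return "drop"  # unknown or forged session cookie
        violation = other_violation
        verdict = "allow"
        if url == REQUIRED_URL and response_status == LOGIN_SUCCESS_STATUS:
            # prerequisite URL accessed successfully: remember it in the session
            s["passed_login"] = True
            s["username"] = username
        elif url.startswith(PROTECTED_PREFIX) and not s["passed_login"]:
            # forceful browsing: target URL requested without passing the login page
            violation = True
        if violation:
            s["violations"] += 1
            verdict = "block"
        # session awareness: violations are always logged; after the threshold,
        # every request from this session is logged, allowed or not
        if violation or s["violations"] >= VIOLATION_THRESHOLD:
            self.log.append((cookie, s["username"], url, verdict))
        return verdict


def simulate():
    """Constructed sequence: one session skips the login page, one uses it properly."""
    t = SessionTracker()
    attacker = t.new_session()
    user = t.new_session()
    r = [
        t.handle(attacker, "/account/orders"),                              # no login: block (1)
        t.handle(user, REQUIRED_URL, username="bob", response_status=302),  # login ok
        t.handle(user, "/account/orders"),                                  # prerequisite met
        t.handle(attacker, "/search", other_violation=True),                # block (2)
        t.handle(attacker, "/index.html", other_violation=True),            # block (3)
        t.handle(attacker, "/index.html"),                                  # allowed, but logged
        t.handle("0000000000000000", "/index.html"),                        # forged cookie
    ]
    return t, r


if __name__ == "__main__":
    tracker, verdicts = simulate()
    print(verdicts)
    for entry in tracker.log:
        print(entry)
```

The log shows the value of tying violations to a session rather than to single requests: the last allowed request from the offending session is still recorded, because the session had already crossed the threshold, while the legitimate user's traffic generates no log entries at all.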


Regards my friends and drop me a line if you configure Login Enforcement and Session Tracking in your security policy.

11 June 2018

F5 BIG-IP ASM - Parameter Tampering Attacks



Cookie tampering attacks, HTTP header tampering attacks or parameter tampering attacks can't be blocked by traditional firewalls. Instead, we should deploy a Web Application Firewall (WAF) where we can configure a Positive Security Policy that allows specific file types, URLs and parameters. If we configure a security policy which is Learning with Add All Entities, we'll have granular protection of entities and much more security protection, but the maintenance effort will be high. It's up to you what level of protection you need.

I would like to show how we can configure a policy for Protecting Static Parameters. It's important to highlight that security engineers will have to work along with developers to understand the web application logic, because it will be necessary to know the number of parameters, the type of parameters and their values as well. We can watch in the next video that the “payment” parameter is static and has four static values; then, when the “payment” value is not one of the configured values, the request is blocked.


I would also like to show how we can configure a policy for Protecting Dynamic Parameters. It's similar to protecting static parameters, but dynamic means we don't know the value in advance. Therefore, we have to define dynamic parameter extraction properties, which depend on how the web application handles parameter name/value pairs. For instance, we can configure extractions that search in links, search in response bodies, search entire forms, search within forms or even search in XML files. We can watch in the next video that the “nick” parameter is dynamic and is extracted from “index.php” by searching the entire form.
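Static and dynamic parameter protection as one added Python example (not F5 code; the videos show the ASM configuration). The "payment" static parameter with four values and the "nick" dynamic parameter extracted from the entire form of index.php follow the post; the four payment values, the form HTML, the session identifiers and the tampered requests are constructed, and the "entire form" extraction is implemented with Python's own html.parser.

```python
from collections import defaultdict
from html.parser import HTMLParser

# Constructed policy modelled on the post: "payment" is a static parameter with four
# allowed values; "nick" is dynamic and its allowed values are extracted from the
# entire form that index.php returns to the client.
STATIC_PARAMS = {"payment": {"visa", "mastercard", "paypal", "transfer"}}
DYNAMIC_PARAMS = {"nick": {"extract_from_url": "/index.php", "search_in": "entire form"}}


class FormValueExtractor(HTMLParser):
    """Collects name -> values from <input> and <select>/<option> tags in a form."""

    def __init__(self):
        super().__init__()
        self.values = defaultdict(set)
        self._select = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and "name" in a and "value" in a:
            self.values[a["name"]].add(a["value"])
        elif tag == "select":
            self._select = a.get("name")
        elif tag == "option" and self._select and "value" in a:
            self.values[self._select].add(a["value"])

    def handle_endtag(self, tag):
        if tag == "select":
            self._select = None


class ParameterPolicy:
    """Static parameters are checked against fixed values; dynamic parameters against
    the values the application itself offered to that session."""

    def __init__(self):
        self.dynamic_allowed = defaultdict(lambda: defaultdict(set))  # session -> param -> values

    def learn_from_response(self, session, url, html):
        """Dynamic parameter extraction, run on responses before they reach the client."""
        ex = FormValueExtractor()
        ex.feed(html)
        for name, spec in DYNAMIC_PARAMS.items():
            if spec["extract_from_url"] == url:
                self.dynamic_allowed[session][name] |= ex.values.get(name, set())

    def check_request(self, session, params):
        """Return a list of (parameter, value, violation); empty means the request passes."""
        violations = []
        for name, value in params.items():
            if name in STATIC_PARAMS and value not in STATIC_PARAMS[name]:
                violations.append((name, value, "Illegal static parameter value"))
            elif name in DYNAMIC_PARAMS and value not in self.dynamic_allowed[session][name]:
                violations.append((name, value, "Illegal dynamic parameter value"))
        return violations


# Constructed response body from index.php
INDEX_HTML = """<html><body><form action="/profile.php" method="post">
<input type="hidden" name="nick" value="alice">
<select name="payment"><option value="visa">Visa</option><option value="paypal">PayPal</option></select>
<input type="submit" value="Go"></form></body></html>"""


def demo():
    policy = ParameterPolicy()
    sess = "sess-1"  # constructed session identifier
    policy.learn_from_response(sess, "/index.php", INDEX_HTML)
    ok = policy.check_request(sess, {"payment": "visa", "nick": "alice"})
    tampered = policy.check_request(sess, {"payment": "free", "nick": "admin"})
    # another session never received a form offering "alice", so the value is illegal there
    other = policy.check_request("sess-2", {"nick": "alice"})
    return ok, tampered, other


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The dynamic case is the interesting one: the WAF does not need to know in advance which nicknames exist, it only needs to watch what the application put into the form and refuse anything the client submits that was never offered to that session.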


Regards my friends and drop me a line if you want to configure advanced parameter handling in your security policy.

4 June 2018

La région Île de France



Good evening. Here is my presentation. I am going to talk about the historic and tourist routes in the Île de France region. I chose this topic because I really like hiking. I love walking in the forests and I also love visiting gardens and castles.

So, we are going to look at four routes: the historic route of writers' houses, the Normandie-Vexin route, the François 1er route, and the Impressionists' trail. Here, we can see the Île de France region in the north of France.

The historic route of writers' houses

The first route is called the historic route of writers' houses, where thirteen famous writers wrote books. We will also see large houses and pleasant castles. The route starts in Paris and ends in Rouen. We will hike alongside the river Seine, where there are beautiful landscapes that are very peaceful.

For example, Elsa lived here with her husband, who is called Aragon. Elsa was a woman of Russian origin, with Jewish parents, who wrote more than 25 books. Maurice lived here, in this castle where he wrote romantic poems.

The Normandie-Vexin route

The second route is called the Normandie-Vexin route, which is similar to the historic route of writers' houses because it starts in Paris and ends in Rouen. The river Seine is also alongside the route. It is a very long route of about 200 km where we can visit gardens and castles from the 15th century.

For example, on the Normandie-Vexin route we can see the gardens and the house of Claude Monet, where he painted his pictures. Here, there is a bridge in his garden with lots of flowers. In the photo on the right, we can see a 15th-century castle. It is called the château de Gaillon, which was used as a summer residence and later as a prison. Today, it is used as a historic monument.

The François 1er route

The third route is called François 1er, where King François 1er had residences near Paris and in wildlife reserves, where he lived close to Paris, in the calm of the forest.

For example, to the south-east, the royal château de Fontainebleau, which was François I's favourite residence. To the south-west, the château de Rambouillet, where François I died, and today the summer residence of the Presidents of the Republic.

The Impressionists' trail

The last route is the Impressionists' trail, where we can see paintings near Paris and on the Île de la Jatte.

For example, Monet painted at La Grande Jatte and Van Gogh painted La Seine avec le pont de la Grande Jatte. These paintings are in the museum, but we can also see a replica on the Île de la Jatte.

Thank you very much!!

28 May 2018

F5 ASM – Cookie and HTTP Header Tampering



Many web applications set cookies for user tracking, shopping cart functionality, and other reasons related to the user experience. These cookies have to be secured because, if they are not properly protected, a malicious hacker could steal or modify cookies for unauthorized access or unrequested purchases. Today, Web Application Firewalls (WAF) help us to secure cookies by adding cookie attributes such as the Secure attribute, the HttpOnly attribute, the Domain and Path attributes, the Expires and Max-Age attributes, etc. WAFs are also able to sign cookies, which is useful to protect web applications from attacks like Cookie Tampering or HTTP Request Header Tampering.

Next, we can watch a video where there is a web application vulnerable to Cookie Tampering. First, I have modified the cookie and sent it to the web application successfully. Afterwards, I have protected the web application from Cookie Tampering attacks with F5 BIG-IP ASM. Finally, cookie tampering attacks are unsuccessful because ASM blocks modified cookies that have been enforced and signed by the WAF security policy. Therefore, it is a good idea to know which cookies web applications use, in order to enforce those which should not be modified on the client side.


Next, there is another video where the web application is also vulnerable to HTTP Request Header Tampering. First, I have modified the Referer HTTP header to take advantage of the Shellshock vulnerability, which is not blocked. Afterwards, I have enforced the attack signatures “bash Shellshock execution attempt” and “/bin execution attempt”. Finally, HTTP Request Header Tampering attacks are unsuccessful because ASM detects the malicious strings used to exploit the Shellshock vulnerability in the Referer HTTP header. Therefore, it is a good idea to enforce attack signatures in the WAF security policy.
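The two protections shown in the videos, cookie signing against Cookie Tampering and attack signatures against HTTP Request Header Tampering, as one added Python example (not F5 code). The WAF signs the enforced cookies with an HMAC on the way out and verifies them on the way in, then scans the request headers against signatures. The secret key, the cookie names, the signature-cookie name WAFSIG, the two regular expressions standing in for the named ASM signatures and the test header value are all constructed; the real ASM signature definitions are not reproduced.

```python
import base64
import hashlib
import hmac
import re

SECRET = b"constructed-waf-secret"          # WAF-side key; never sent to the client
ENFORCED_COOKIES = ("role", "session")      # cookies the policy enforces (constructed names)
SIG_COOKIE = "WAFSIG"                       # constructed name for the signature cookie

# Two constructed signatures standing in for the ones named in the post; the real
# ASM signature definitions are not reproduced here.
ATTACK_SIGNATURES = {
    "bash Shellshock execution attempt": re.compile(r"\(\)\s*\{"),
    "/bin execution attempt": re.compile(r"/bin/(?:ba)?sh\b"),
}
HEADERS_TO_INSPECT = ("Referer", "User-Agent", "X-Forwarded-For")


def sign_cookies(cookies):
    """Return the cookies plus an HMAC signature over the enforced ones (set on the response)."""
    canon = "&".join(f"{k}={cookies[k]}" for k in ENFORCED_COOKIES if k in cookies)
    mac = hmac.new(SECRET, canon.encode(), hashlib.sha256).digest()
    out = {k: v for k, v in cookies.items() if k != SIG_COOKIE}
    out[SIG_COOKIE] = base64.urlsafe_b64encode(mac).decode().rstrip("=")
    return out


def verify_cookies(cookies):
    """True only if the enforced cookies still match the signature issued earlier."""
    presented = cookies.get(SIG_COOKIE)
    if presented is None:
        return False
    expected = sign_cookies(cookies)[SIG_COOKIE]
    return hmac.compare_digest(presented, expected)


def scan_headers(headers):
    """Return (header, signature name) for every attack signature that matches."""
    hits = []
    for h in HEADERS_TO_INSPECT:
        value = headers.get(h, "")
        for name, pattern in ATTACK_SIGNATURES.items():
            if pattern.search(value):
                hits.append((h, name))
    return hits


def waf_decision(cookies, headers):
    """Check cookie integrity first, then the request headers against signatures."""
    if not verify_cookies(cookies):
        return "block: cookie tampering"
    hits = scan_headers(headers)
    if hits:
        return "block: " + "; ".join(f"{h} matched '{n}'" for h, n in hits)
    return "allow"


def demo():
    issued = sign_cookies({"session": "abc123", "role": "user"})  # as set by the WAF
    legit = waf_decision(issued, {"Referer": "https://shop.example/cart"})
    tampered = dict(issued)
    tampered["role"] = "admin"                                     # client-side edit
    tamper_result = waf_decision(tampered, {"Referer": "https://shop.example/cart"})
    # constructed header value that matches both signatures (detection test input only)
    header_result = waf_decision(issued, {"Referer": "() { :; }; /bin/sh -c constructed-test"})
    return legit, tamper_result, header_result


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Because the signature covers the enforced cookies together, changing any one of them on the client invalidates the whole set, and the client cannot forge a new signature without the WAF-side key. Which cookies to enforce is exactly the question the post raises: anything the application treats as authoritative state should be in that list.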


To sum up, we can use a WAF to protect web applications from Cookie Tampering and HTTP Request Header Tampering, which are attacks that are difficult to block with a traditional network firewall. In this post, we have seen that a manual security policy with Selective Learning for cookies and with Attack Signatures enforced in the WAF security policy is the best configuration to block sophisticated attacks which want to take advantage of cookies and other HTTP headers to get into web applications.

Regards my friends. Keep reading and keep studying!!

21 May 2018

F5 BIG-IP ASM – Positive Security Policy



I wrote about Policy Tuning and Violations last week, where I created a Negative Security Policy, named Rapid Deployment Policy (RDP), to protect web applications from attacks. This kind of policy is useful to protect web applications from known attacks. However, this week I want to write about Positive Security Policy, where I'm going to create a security policy manually to customize and accept which file types, URLs and parameters will be used by my web application. This kind of policy is more difficult and complex to configure than a Negative Security Policy, but it is able to defeat sophisticated and complex threats better.

When we configure a security policy manually, we can choose Never (Wildcard Only), Selective or Add All Entities for file types, URLs and parameters. For instance, if we choose Add All Entities, we'll have a comprehensive whitelist policy that includes ALL of the website entities. Add All Entities will form a large set of security policy entities, which produces a granular object-level configuration and a high security level. However, it may take more time to maintain such a policy.


On the other hand, the Never (Wildcard Only) option is the easiest security policy to manage because many application objects will share the same security settings, driven from the global or wildcard level. In addition, when false positives occur, the system will suggest relaxing the settings of the wildcard entity. Therefore, it may result in overall relaxed application security. From my point of view, this is a good option for URL entities because most applications usually have lots of URLs, which are difficult to manage from a security policy.


The third learning option is Selective, which offers intermediate protection between Never (Wildcard Only) and Add All Entities. With this option, when false positives occur, the system will add, or suggest adding, an explicit entity with relaxed settings that avoid the false positive. In other words, Selective mode is suitable for applications containing entities which use similar or identical attributes. However, if some of the entities need special handling, the policy can be expanded to include exceptional explicit entities just for those outliers. Therefore, this option serves as a good balance between security, policy size and ease of maintenance.


To sum up, if we want a comprehensive security policy to defeat sophisticated and complex threats, we'll have to configure a positive security policy, along with a negative security policy as well, choosing the Add All Entities, Selective or Never (Wildcard Only) option for file types, URLs and parameters. However, we always have to take into account that the Add All Entities mode is time-consuming but offers highly granular protection of entities, while the Never (Wildcard Only) mode is easy to manage but offers low protection of entities.
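The security trade-off between the three learning options, shown for the parameters entity type in an added Python example. This is the example's own simplified model of wildcard versus explicit entities, not F5's internal representation or its learning algorithm: the parameter names, the maximum-length settings, the choice of "id" as the Selective-mode outlier and the request being evaluated are all constructed. The same request is evaluated under each mode so the difference in what gets caught is visible.

```python
MODES = ("Never (Wildcard Only)", "Selective", "Add All Entities")


def make_policy(mode):
    """Constructed parameter policies, one per learning mode (this example's own
    simplified model of the three options, not F5's internal representation).
    Each setting is a maximum value length. '*' is the wildcard entity."""
    wildcard = {"*": {"max_length": 1000}}  # relaxed settings shared by every parameter
    explicit_all = {
        "id": {"max_length": 10},
        "lang": {"max_length": 2},
        "user": {"max_length": 32},
        "pass": {"max_length": 64},
    }
    if mode == "Never (Wildcard Only)":
        # every parameter inherits the wildcard settings
        return {"explicit": {}, "wildcard": wildcard}
    if mode == "Selective":
        # only the outlier that needed special handling becomes an explicit entity
        return {"explicit": {"id": explicit_all["id"]}, "wildcard": wildcard}
    if mode == "Add All Entities":
        # every observed parameter is explicit and the wildcard is gone, so an
        # unknown parameter is itself a violation
        return {"explicit": explicit_all, "wildcard": {}}
    raise ValueError(f"unknown learning mode: {mode}")


def check_parameters(policy, params):
    """Return (parameter, violation) pairs for one request's parameters."""
    violations = []
    for name, value in params.items():
        settings = policy["explicit"].get(name) or policy["wildcard"].get("*")
        if settings is None:
            violations.append((name, "Illegal parameter"))
        elif len(value) > settings["max_length"]:
            violations.append((name, "Illegal parameter value length"))
    return violations


def compare_modes(params):
    """Evaluate the same request under all three modes."""
    return {mode: check_parameters(make_policy(mode), params) for mode in MODES}


# Constructed request: an oversized "id", a normal "lang" and a parameter the
# application never documented
REQUEST_PARAMS = {"id": "9" * 50, "lang": "en", "debug": "1"}

if __name__ == "__main__":
    for mode, v in compare_modes(REQUEST_PARAMS).items():
        print(f"{mode:24s} -> {v}")
```

Under Never (Wildcard Only) the oversized value and the undocumented parameter both pass, because everything inherits the relaxed wildcard settings. Selective catches the oversized "id" because that one entity was made explicit, and Add All Entities additionally rejects "debug", which is exactly the granular protection that costs maintenance time every time the application legitimately adds a parameter.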


Regards my friends. Keep reading and keep studying!!

14 May 2018

F5 BIG-IP ASM – Policy Tuning and Violations



Web Application Firewalls (WAF) should be configured properly to understand the web application logic because, if a WAF is not well configured, intruders will be able to get access to applications. This is the main reason why developers should take part in WAF deployment projects. However, developers sometimes want to add lots of security code into applications or, even worse, they don't want to know anything about security. From my point of view, developers should take part in WAF deployment projects but security should be managed by security engineers. I mean, developers should improve applications with new features and enhancements while security engineers should protect applications.

Organizations don't take advantage of many security tools, like antivirus, network firewalls, Web Application Firewalls (WAF), Security Information and Event Management (SIEM) systems, Network Access Control (NAC) systems or vulnerability assessment tools, because these tools are time-consuming, companies don't have security staff and IT engineers never have enough time to configure these tools properly. Therefore, security tool tuning, such as firewall policy tuning, is most of the time difficult to accomplish.

When I talk about Policy Tuning and Violations, for instance for a WAF deployment, I'm talking about choosing the right learning mode, defining learning suggestions, defining the Learn, Alarm and Block settings or defining the Enforcement Readiness Period. Next, we can watch how I create a negative security policy based on the Rapid Deployment Policy (RDP), accept learning suggestions for false positives and block XSS attacks. A negative security policy configuration like this should be the first phase in a WAF deployment.
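The tuning knobs named above, Learn/Alarm/Block flags per violation, learning suggestions for false positives and the Enforcement Readiness Period, as an added Python model (not F5 code; the video shows the ASM configuration). The violation names, the 7-day readiness period, the signature and file-type identifiers and the dates are constructed. One simplification is labelled in the code: a staged entity here leaves staging automatically when the period elapses, whereas in practice the administrator decides to enforce it once it is ready.

```python
from datetime import date, timedelta

ENFORCEMENT_READINESS_DAYS = 7  # constructed value; the product default is not asserted here

# Learn / Alarm / Block flags per violation, as set on a blocking-mode policy (constructed)
VIOLATION_SETTINGS = {
    "Attack signature detected": {"learn": True, "alarm": True, "block": True},
    "Illegal file type": {"learn": True, "alarm": True, "block": False},
}


class PolicyTuner:
    """Models learning suggestions, Learn/Alarm/Block settings and a staging period."""

    def __init__(self, enforcement_mode="blocking", readiness_days=ENFORCEMENT_READINESS_DAYS):
        self.enforcement_mode = enforcement_mode  # "transparent" or "blocking"
        self.readiness = timedelta(days=readiness_days)
        self.staging = {}        # entity or signature -> date it entered staging
        self.exceptions = set()  # (violation, entity) pairs accepted as false positives
        self.suggestions = []    # learning suggestions awaiting a decision
        self.alarms = []         # what the event log would show

    def stage(self, entity, added_on):
        """Put a new signature or entity into staging on the given date."""
        self.staging[entity] = added_on

    def in_staging(self, entity, today):
        """Simplification for this example: an entity leaves staging automatically once
        the readiness period has elapsed; in practice the administrator enforces it."""
        added = self.staging.get(entity)
        return added is not None and today - added < self.readiness

    def handle_violation(self, violation, entity, today):
        """Return 'block' or 'pass' and record learning suggestions and alarms."""
        if (violation, entity) in self.exceptions:
            return "pass"  # accepted false positive: no alarm, no suggestion
        s = VIOLATION_SETTINGS[violation]
        if s["learn"]:
            self.suggestions.append((violation, entity))
        if s["alarm"]:
            self.alarms.append((violation, entity, today))
        if self.enforcement_mode != "blocking" or not s["block"] or self.in_staging(entity, today):
            return "pass"  # transparent mode, block flag off, or still in staging
        return "block"

    def accept_suggestion(self, violation, entity):
        """Accept a suggestion for a false positive so the pair stops raising the violation."""
        self.exceptions.add((violation, entity))
        self.suggestions = [x for x in self.suggestions if x != (violation, entity)]


def simulate():
    """Constructed timeline: a new XSS signature in staging, then enforced; a false positive."""
    t = PolicyTuner()
    t.stage("sig:xss-constructed", date(2018, 5, 1))
    r = [
        t.handle_violation("Attack signature detected", "sig:xss-constructed", date(2018, 5, 3)),
        t.handle_violation("Attack signature detected", "sig:xss-constructed", date(2018, 5, 10)),
        t.handle_violation("Illegal file type", "ftype:json", date(2018, 5, 10)),
    ]
    t.accept_suggestion("Illegal file type", "ftype:json")
    r.append(t.handle_violation("Illegal file type", "ftype:json", date(2018, 5, 11)))
    return t, r


if __name__ == "__main__":
    tuner, verdicts = simulate()
    print(verdicts)
    print(tuner.suggestions, tuner.alarms)
```

The staging period is what keeps a freshly added signature from blocking legitimate traffic on day one: during the readiness period it only learns and alarms, so false positives surface as suggestions the administrator can accept before the signature ever blocks anything.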


Once we are protecting web applications with a negative security policy, we should take the plunge into a positive security policy. This will be more difficult because we need the developers' participation. That means developers have to know which entities are used by the applications. For instance, we have to know about file types, URL redirections, cookies, static and dynamic parameters, etc. Therefore, a negative security policy along with a positive security policy will be real protection for your web services.

Regards my friends. Drop a line with the first thing you are thinking.

7 May 2018

WAF vs IPS



Organizations are wondering whether an IDS/IPS is enough to protect their services or whether it's much better to deploy a Web Application Firewall (WAF) solution. They are always wondering whether, by deploying a WAF solution, they'll be able to save money because the IDS/IPS infrastructure will no longer be necessary. However, attacks occur at different layers, so web application protection is not enough against network attacks. For instance, malicious intruders may start with DoS attacks and later launch a layer 7 attack like SQLi or XSS. Therefore, we should provide security at all layers. Otherwise, organizations have a closed gate with no fence around it.

IDS were developed in the mid-80s by the U.S. Air Force because they needed behavioural analysis to increase computer security awareness. First, they only analysed system logs to detect anomalies and attacks. Next, they started analysing network traffic as well. In the 90s, IDS evolved into IPS, which were also able to find and stop attacks in real time. Snort was one of the first open source IDS/IPS available. Today, most NGFWs have a built-in IDS/IPS based on attack signatures, which is able to intercept files and network activity to prevent malicious attacks.

As web applications began to be published to the Internet, secure internet gateways and network firewalls became more widely used in the late 90s, because web applications were designed without thinking about security and most of them had serious vulnerabilities. WAFs have greatly matured since then. Today, WAFs can understand the web application logic and block everything which does not match the application logic. Therefore, WAFs can block malicious attacks by matching traffic against attack signatures (negative security), but WAFs can also block malicious traffic that does not match the application logic (positive security).

IPS don't understand the underlying applications, so they don't know about entities like parameters, URLs, file types, cookies or redirections. However, WAFs can protect entities to block sophisticated attacks like web scraping, SQLi, XSS, CSRF, etc. For instance, an IPS can analyse HTTP traffic to look for the most common web application vulnerabilities, but a WAF can also analyse HTTP traffic to look at parameter values, parameter sizes, cookie signatures, etc.

The best security protection involves both an IPS and a WAF. Although some commercial WAFs like F5 BIG-IP WAF or Imperva WAF have IPS features, it's much better to deploy both separately for comprehensive protection, because the IPS is going to protect the most commonly used Internet protocols, such as DNS, SMTP, SSH, Telnet and FTP, while the WAF is going to protect applications against web-based threats.

WAF solutions are mainly designed to prevent attacks against web applications, while IPS are purely designed to inspect network traffic. Therefore, both may block known and common attacks. However, if we want to protect companies from sophisticated attacks, we'll have to deploy IPS and WAFs, as well as IDS. This is a best practice of layered defences. Nevertheless, if your company has neither, the WAF would provide the best application protection overall.

Regards my friends. Let me know what you are wondering!!

30 April 2018

What’s new in BIG-IP version 13.1



I like to know about technology trends to take advantage of new features and enhancements because, if we don't keep studying, we won't know how to deal with new technology requirements. If we don't read about and study new features and enhancements, we'll be out of the market. This is the reason why I've written about what's new in FortiOS 5.6 and what's new in FortiOS 6.0. In addition, I like testing technologies and architectures such as Multipath TCP, Data Center Load Balancing, Web Application Firewalls (WAF), etc. Today, I would like to write about the new BIG-IP version 13.1.

The best-known module is LTM or Local Traffic Manager, which is useful for traffic load balancing. BIG-IP version 13.1 has included new features like a test button for monitors, iRule execution tracing for debugging, TCPDUMP remote output, configuration load independent of licensing, etc. For instance, we can check monitors before assigning them to nodes or pools, we can find out which iRules are time-consuming and we can also mirror traffic to a remote analysis tool.

Test Button for Monitors

Another interesting module is ASM or Application Security Manager, which is useful to defeat sophisticated and complex threats and protect web applications. BIG-IP version 13.1 has also included new features in this module, like simplified attack signature creation, removal of inactive file types, a passive deployment policy template, brute force mitigation improvements, etc. For instance, we can now write attack signatures easily, we can accept suggestions to remove inactive entities, we can apply a fully transparent policy without interfering with traffic and we can also improve brute force mitigation by username, IP address and device ID.

Passive Policy Deployment Template
 
F5 BIG-IP ASM has different kinds of security policy templates which can be used to protect Virtual Servers. For instance, if we want to apply a negative security policy where attack signatures detect and block known attacks and where we don't want to configure entities such as file types, parameters, URLs, cookies, redirections, etc. manually, we can configure a Rapid Deployment Policy, which makes this task easy to accomplish.


F5 BIG-IP APM or Access Policy Manager is another useful module, which can be used to unify application access securely. BIG-IP version 13.1 has included many improvements like Microsoft Office forms-based authentication, Citrix StoreFront, Microsoft Intune, a Microsoft Active Directory Federation Services proxy, a native application tunnel for macOS and Linux, Edge client updates without a BIG-IP upgrade, privileged OPSWAT checks, a SAML attribute consuming service, etc.

Microsoft Active Directory Federation Services Proxy Support
 
As we can see, there are many new features and enhancements in BIG-IP version 13.1. Therefore, it is up to us to test these new features and enjoy the new version.

Regards my friends; new version, new features, go ahead.

23 April 2018

F5 BIG-IP WAF



There are lots of web application vulnerabilities which traditional firewalls and network firewalls aren't able to detect and block. For instance, traditional firewalls aren't able to detect bots, web scraping attacks or cookie manipulation attacks. Therefore, if we want to detect and block layer 7 vulnerabilities, like those highlighted by the OWASP Top 10, we'll need to deploy a Web Application Firewall, which can protect web applications from advanced attacks such as forceful browsing attacks, field manipulation attacks, command injection attacks, etc. I've already written about AWS Shield & AWS WAF but, this time, I want to write about F5 BIG-IP ASM.

ASM or Application Security Manager is a powerful WAF that protects web applications from known and unknown threats, defends against bots and virtually patches application vulnerabilities. It is a WAF which is able to detect and mitigate layer 7 attacks such as DoS/DDoS, brute force, SQLi, XSS, remote file inclusion, cookie poisoning, session hijacking, etc., and it is also able to associate usernames with application violations, automatically correlate multiple attacks, prevent loss of sensitive data and identify suspicious clients.

F5 BIG-IP WAF Architecture

From my point of view, F5 WAF is the best solution to protect applications because we can immediately apply a firewall policy to web applications to block known attacks. This firewall policy, called Rapid Deployment Policy, is based on the negative security model, where attack signatures detect and block known attacks. However, we can also customize firewall policies with a positive security model, which we should apply for better protection. In addition, I think F5 WAF is the best solution, as the Gartner Magic Quadrant says, along with Imperva WAF and Akamai WAF.

Magic Quadrant for Web Application Firewalls

If you are used to configuring network firewalls, you know about IPv4/IPv6 firewalling policies where we allow traffic by TCP/IP. This is easy if you know about networking. However, a WAF works with file types, URLs, parameters, cookies, redirections, etc. instead of IP addresses and TCP/UDP ports. Therefore, WAF administrators should know about security and development to configure and customize WAF policies. In addition, an F5 WAF administrator should know about the BIG-IP learning process as well as the different types of policies, such as Fundamental Policy, Comprehensive Policy, Passive Deployment Policy, etc.

F5 BIG-IP ASM
 
As you can see, a multidisciplinary team is needed to deploy and configure a WAF, where the security team is going to be talking with the development team day in, day out, asking for file types and parameters. However, we can get a good security baseline from the beginning thanks to attack signatures, but if we want better protection, we'll need to spend time customizing policies.

Security vs Time
 
Maybe you are wondering how to start configuring F5 WAF. First, we should apply a negative security policy to block attacks by signature while the learning process analyses file types, parameters, URLs, etc. Once we know which file types, URLs and parameters the web application uses, we can apply a positive security policy for better protection.

Regards my friend and remember, drop me a line with the first thing you are thinking!!
