F5 BIG-IP WAF


There are lots of web application vulnerabilities that traditional firewalls and network firewalls aren’t able to detect and block. For instance, traditional firewalls aren’t able to detect bots, web scraping attacks or cookie manipulation attacks. Therefore, if we want to detect and block layer 7 vulnerabilities, like those highlighted by the OWASP Top 10, we’ll need to deploy a Web Application Firewall, which can protect web applications from advanced attacks such as forceful browsing, field manipulation, command injection, etc. I’ve already written about AWS Shield & AWS WAF but, this time, I want to write about F5 BIG-IP ASM.

ASM, or Application Security Manager, is a powerful WAF that protects web applications from known and unknown threats, defends against bots and virtually patches application vulnerabilities. It is able to detect and mitigate layer 7 attacks such as DoS/DDoS, brute force, SQLi, XSS, remote file inclusion, cookie poisoning, session hijacking, etc. It is also able to associate usernames with application violations, automatically correlate multiple attacks, prevent loss of sensitive data and identify suspicious clients.

F5 BIG-IP WAF Architecture

From my point of view, F5 WAF is the best solution to protect applications because we can immediately apply a firewall policy to web applications to block known attacks. This firewall policy, called Rapid Deployment Policy, is based on a negative security model, where attack signatures detect and block known attacks. However, we can also customize firewall policies with a positive security model, which we should apply for better protection. In addition, I think F5 WAF is the best solution, as the Gartner Magic Quadrant says, along with Imperva WAF and Akamai WAF.

Magic Quadrant for Web Application Firewalls
If you are used to configuring network firewalls, you know about IPv4/IPv6 firewalling policies where we allow traffic by TCP/IP. This is easy if you know about networking. However, a WAF works with file types, URLs, parameters, cookies, redirections, etc. instead of IP addresses and TCP/UDP ports. Therefore, WAF administrators should know about security and development to configure and customize WAF policies. In addition, F5 WAF administrators should know about the learning process of the BIG-IP as well as the different types of policies such as Fundamental Policy, Comprehensive Policy, Passive Deployment Policy, etc.

F5 BIG-IP ASM
 
As you can see, a multidisciplinary team is needed for deploying and configuring a WAF, where the security team is going to be talking with the development team day in, day out, asking for file types and parameters. However, we can get a good security baseline from the beginning thanks to attack signatures, but if we want better protection, we’ll need to spend time customizing policies.

Security vs Time
 
Maybe you are wondering how to start configuring F5 WAF. First, we should apply a negative security policy for blocking signature attacks while the learning process analyses file types, parameters, URLs, etc. Once we know which file types, URLs and parameters the web application uses, we can apply a positive security policy for better protection.
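The two-phase approach described above, as an added example (a simplified Python model, not F5 ASM code or configuration): toy signatures screen requests while the allowed file types, URLs and parameters are learned, and the learned allow-list is then enforced. The signatures, sample requests and violation names are constructed for illustration.

```python
import re
from posixpath import splitext
from urllib.parse import parse_qsl, urlsplit

# Negative model: toy signatures (constructed), matched against parameter values only.
SIGNATURES = {"xss": re.compile(r"<\s*script", re.I),
              "sqli": re.compile(r"\bunion\b.+\bselect\b", re.I)}
# Constructed traffic seen during the learning phase; the last request is hostile.
LEARNING_TRAFFIC = ["/index.php", "/search.php?q=firewall", "/product.php?id=42",
                    "/search.php?q=<script>alert(1)</script>"]

def parse(url):
    """Split a request URL into (path, file type, decoded parameters)."""
    parts = urlsplit(url)
    ext = splitext(parts.path)[1].lstrip(".").lower() or "no_ext"
    return parts.path, ext, parse_qsl(parts.query, keep_blank_values=True)

def signature_violations(url):
    """Negative model: names of the signatures that a parameter value matches."""
    values = [value for _, value in parse(url)[2]]
    return sorted(n for n, rx in SIGNATURES.items() if any(rx.search(v) for v in values))

def learn(urls):
    """Learning phase: record the entities used by traffic that passed the signatures."""
    policy = {"file_types": set(), "urls": set(), "params": {}}
    for url in urls:
        if signature_violations(url):
            continue  # never learn from a request that tripped a signature
        path, ext, params = parse(url)
        policy["file_types"].add(ext)
        policy["urls"].add(path)
        policy["params"].setdefault(path, set()).update(k for k, _ in params)
    return policy

def positive_violations(policy, url):
    """Positive model: anything that was not learned is a violation."""
    path, ext, params = parse(url)
    found = []
    if ext not in policy["file_types"]:
        found.append("illegal_file_type")
    if path not in policy["urls"]:
        found.append("illegal_url")
    allowed = policy["params"].get(path, set())
    return found + [f"illegal_parameter:{k}" for k, _ in params if k not in allowed]

if __name__ == "__main__":
    learned = learn(LEARNING_TRAFFIC)
    for request in ("/backup.sql", "/product.php?id=42&price=1", "/search.php?q=waf"):
        print(request, signature_violations(request), positive_violations(learned, request))
```

The first two test requests match no signature, so only the learned positive policy flags them.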

Regards my friend and remember, drop me a line with the first thing you are thinking!!

Comments

  1. Hello David,

    How will a packet be evaluated if BIG-IP has both the ASM and AFM modules enabled? I mean, let's say a packet hits the F5, then AFM -- ASM -- LTM (VS) and the real server?

    Many Thanks,

    Brijesh Patel

  2. Hello Brijesh,

    Check the following URL, which will be useful for your question.

    https://devcentral.f5.com/s/articles/packet-tracing-in-big-ip-afm-25952

    Packet tester is an interesting tool.

    Thanks, best regards.
    David.
