F5 WAF – High Protection

I’ve already written about Good Protection and Elevated Protection for the last two weeks where I’ve written about lots of useful security features to protect web services. Features such as Attack Signatures and Protocol Compliance are examples of Good Protection, and features such as Bot Protection and CSRF Protection are examples of Elevated Protection. These features are enough for most companies. We are going to block 80% of attacks with these security features. However, there are still 20% of attacks which can be very dangerous for some companies. Therefore, these companies require High Protection. More security features and more sophisticated.

Disallowed File Types is a best practice for Elevated Protection, but if we want to improve and protect better the web services, we’ll also have to create an Allowed URL List. This is going to be a whitelist of allowed URL which will never be blocked. For instance, we should configure /login.jsp as an explicit URL allowed and /products/* as a string pattern allowed. All other URL will be deny. In addition, the User Session Tracking help us to improve the security policy. This security feature is able to track all application traffic during a user session, allowing us to perform user validation and gather insights about users.

Allowed URL List

If you are working with passwords, account numbers, credit card numbers, social security numbers, or other valuable personal data, you’ll be interested in DataSafe. This is a security feature that protects data before users send it from their browser. If you have Advanced WAF, you have the DataSafe feature. On the other hand, sensitive web applications sometimes also obtain and store browser fingerprinting data when you log in to detect Session Hijacking Attacks. However, the BIG-IP ASM system can also protect common web applications against hijacking and other attacks.

Credential Theft Using Malware (DataSafe)
Brute Force Attack Protection is also a High Protection feature. Most security devices are able to lock an account when there are unsuccessful authentication attempts repeatedly. Hackers attempt to guess users’ account again and again. Another version of this attack is called “credential stuffing”. Hackers make only one attempt to log in to users’ accounts because they obtain the credentials from a compromised application. The BIG-IP ASM system are able to detect these attacks based on failed login attempts, user device IDs or user IP addresses.

Brute Force Protection Configuration
Finally, there are some applications which need to be bypassed, for instance, for testing a new version, penetration testing or using automated scanning tools to identify and resolve vulnerabilities. Therefore, Blocking Mode Override is also an useful security feature. We are going to configure an unique hostname in the host header which will be allowed to bypass Blocking and be handled by Transparent enforcement mode. However, we have to maintain secrecy or ensure regular rotation of this hostname to keep blocking malicious traffic.

Blocking Mode Override
Regards! I hope these security features fit your needs.