TRANSCRIPT
How much WAF do you need?
Security Goals / Application Profile / Operational Capacity

Why do you want a WAF?
• Compliance
• Security Best Practice
• Response to Actual Threats
What kind of Applications do you need to protect?
• Critical vs Non Critical
• Legacy vs Custom
• DevOps or not
Who will manage the WAF?
• How many people
• How much time
Security Goals
• Check Box
• Compliance
• Top10 OWASP mitigation
• Recurrent Audits
• Specific Protection (L7 DDoS, Scraping)
• Visibility on Web Attacks
• Safely expose API
• Business owner: identify risks and constraints
© 2018 F5 Networks
Application Profile
• How Many Applications
• Same or Different Applications
• Legacy Applications / Agile
• Custom / Well-Known Applications
Operational Capacity
• Who will manage the WAF policy?
• How Many People
• Network / Security / Dev People
• Amount of Time Available
• ASM provides Server Technology Detection (v13.0+)
• Understand what you are trying to protect and why
Gidon Leizer
Product Manager ASM
“The Best Web Application Firewall you may have is the one you can Manage.”
• Policy Tuning
• Pen tests
• Performance Tests
• Final Policy Tuning
• Pen Tests
• What types of WAF protections?
• Cookies
• Brute Force
• DDOS
• Web Scraping
• Bot Defense
[Diagram: Devices, Internet, Data Center, Apps, with ASM in the traffic path]
• https://support.f5.com/csp/article/K9970
• Subscribe to F5 Labs threat intelligence: https://f5.com/labs
• The term blacklisting is used because signatures are checked against parameters (negative security = blacklisting)
• Ensure Parameters are checked by attack signatures
• Keep attack signatures up to date
• Proactive Bot Defense and Bot signatures are relatively benign
• With the exception of Proactive requiring JS, which mobile clients do not support
• Can greatly reduce alarms and false positives
• https://support.f5.com/csp/article/K29359407
ASM 12.0+                       Limit Request Size   Limit Query String Size   Specify Storage Format
CSV                             YES                  YES                       YES
Key-Value Pair                  YES                  YES                       NO
Common Event Format (ArcSight)  YES                  NO                        NO
BIGIQ                           YES                  YES                       NO
• https://support.f5.com/csp/article/K29418033
• Other requests cause a violation
• https://support.f5.com/csp/article/K07359270
• OWASP Top 10 2017: https://devcentral.f5.com/articles/big-ip-asm-and-the-owasp-top-10-2017-28911
• ASM Operations Guide: https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/f5-asm-operations-guide.html