•

•

How much WAF do you need?

Security

Goals

Application

Profile

Operational

Capacity

Why do you want a WAF ?

Compliance

Security Best Practice

Response to Actual Threats

What kind of Applications do you need to protect ?

Critical vs Non Critical

Legacy vs Custom

DevOps or not

Who will manage the WAF ?

How many people

How much time

Security

Goals

• Check Box

• Compliance

• Top10 OWASP mitigation

• Recurrent Audits

• Specific Protection (L7 DDoS, Scraping)

• Visibility on Web Attacks

• Safely expose API

• Business owner – identify risks and

constrains

© 2018 F5 Networks

Security Goals

Application

Profile

• How Many Applications

• Same or Different Applications

• Legacy Applications / Agile

• Custom / Well-Known Applications

Application Profile

Operational

Capacity

• Who will manage the WAF policy?

• How Many People

• Network / Security / Dev People

• Amount of Time Available

Operational Capacity

••

•

•

•

•

• ASM provides Server Technology Detection (v13.0+)

• Understand what you are trying to protect and why

•

•

•

•

•

Gidon Leizer

Product Manager ASM

“The Best Web Application Firewall you may have is the one you can Manage.”

•

•

•

•

• Policy Tuning

• Pen tests

• Performance Tests

• Final Policy Tuning

• Pen Tests

•

•

•

• What types of WAF protections?

• Cookies

• Brute Force

• DDOS

• Web Scraping

• Bot Defense

Apps

Internet

Devices

Data Center

ASM ASM

•

••

•

•

•

•

•

•

•

•

•

•

•

• https://support.f5.com/csp/article/K7825

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•• https://support.f5.com/csp/article/K9970

• Subscribe to F5 labs threat intelligence• https://f5.com/labs

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

© F5 Networks, Inc 26

© F5 Networks, Inc 27

•

•

•

•

•

•

•

•

•

•

•

•

••

•

•

•

•

•

•

•

•

•

•

•

•

•

•

• The term blacklisting is used because signatures are checked against parameters (negative security = blacklisting)

• Ensure Parameters are checked by attack signatures

• Keep attack signatures up to date

•

•

•

•

•

•

•

•

••

•

•

•

• Proactive Bot Defense and Bot signatures are relatively benign

• With the exception of Proactive requiring JS, which mobile clients do not support

• Can greatly reduce alarms and false positives

•

•

•

•• https://support.f5.com/csp/article/K00736342

•

•

• https://support.f5.com/csp/article/K15405450

•

••

•

•

••

•

•

•

• https://support.f5.com/csp/article/K29359407

•

•

•

•

•

•

•

•

•

•

•

•

ASM 12.0+ Limit Request

Size

Limit Query

String Size

Specify Storage

Format

CSV YES YES YES

Key-Value Pair YES YES NO

Common Event Format (ArcSight) YES NO NO

BIGIQ YES YES NO

•

• https://support.f5.com/csp/article/K11930

•

•

• https://support.f5.com/csp/article/K04211103

•

•

•

•

•

• https://support.f5.com/csp/article/K57420543

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

• https://support.f5.com/csp/article/K29418033

•

•

•

•

•

• https://support.f5.com/csp/article/K02212345

•

•

•

•

•

•

• https://support.f5.com/csp/article/K40120684

•

•

•

•

•

••

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•••

•

•

•

•

••

•

•

•

•

•

•

•

•

•

••

•

•

•

•

•

••

•

•

• Other requests cause a violation

•

•

•• https://support.f5.com/csp/article/K07359270

• OWASP Top 10 2017• https://devcentral.f5.com/articles/big-ip-asm-and-the-owasp-top-10-2017-28911

• ASM Operations Guide• https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/f5-asm-operations-

guide.html

PROTECTION