Forum Discussion

THE_BLUE's avatar
THE_BLUE
Icon for Cirrostratus rankCirrostratus
Sep 18, 2023

API security

I have API which can be accessed through internet. I have restrict the  access with IP address ( iRule/data group). Also, I have applied client authentication using certificate to be installed on client side ( iRule).

Is there any other layer I should add? To increase the security ? because the API is critical.

  •  Hi THE_BLUE,

    instead of iRules & datagroup you could use address lists. But this is just personal flavor (read more here).
    Client cert auth is good. Cert management might be cumbersome. 
    Maybe look at Rate Limiting, check out API Protection with APM. Old but gold video https://www.youtube.com/watch?v=UVcUAjtyYaY 
    And final hint - apply a WAF policy. Use ASM Signatures to protect your technologie stack from known vulnerabilities. Apply signatures for Server Technologies, like NGINX, JavaScript, etc.

    KR,
    Daniel

  • I do everything you do, but i also ask the client using the api to put in or amend a http header with a pre-shared key.
    user-agent or something like that. 
    If you have apm, you could potentially get apm to do the api auth for you but you'd then need to get apm to auth lower for you as well but might protect your api servers a little more.

  • Hi THE_BLUE, just to add a comment, if LTM is what you have to work with these techniques mentioned by PSFletchTheTek and Daniel_Wolf are solid.

    As you review your architecture and plan for the future, you'd be far better served for critical services like this with a focused API gateway, with something like NGINX or F5 Distributed Cloud API Security, the latter which is pretty close to any easy button. It's worth a look to see where the specific features can benefit you. 

  •  Hi THE_BLUE,

    instead of iRules & datagroup you could use address lists. But this is just personal flavor (read more here).
    Client cert auth is good. Cert management might be cumbersome. 
    Maybe look at Rate Limiting, check out API Protection with APM. Old but gold video https://www.youtube.com/watch?v=UVcUAjtyYaY 
    And final hint - apply a WAF policy. Use ASM Signatures to protect your technologie stack from known vulnerabilities. Apply signatures for Server Technologies, like NGINX, JavaScript, etc.

    KR,
    Daniel

  • I do everything you do, but i also ask the client using the api to put in or amend a http header with a pre-shared key.
    user-agent or something like that. 
    If you have apm, you could potentially get apm to do the api auth for you but you'd then need to get apm to auth lower for you as well but might protect your api servers a little more.

  • Hi THE_BLUE, just to add a comment, if LTM is what you have to work with these techniques mentioned by PSFletchTheTek and Daniel_Wolf are solid.

    As you review your architecture and plan for the future, you'd be far better served for critical services like this with a focused API gateway, with something like NGINX or F5 Distributed Cloud API Security, the latter which is pretty close to any easy button. It's worth a look to see where the specific features can benefit you.