For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

emcd_145429's avatar
emcd_145429
Icon for Nimbostratus rankNimbostratus
Feb 25, 2014

ASM deployment time estimate

hi there, I'm looking to understand what kind of timeframe would you expect a new ASM deployment to take. I'm asking as we have vendor quoting us to implement a new installation of F5 boxes (cluster of 2 plus one for DR) with ASM for use with one new application. I'm looking to understand the typical timeframes you'd expect the work to be done in as a guide. any guidance would be useful.

 

ASM Advanced WAF
deployment
security

6 Replies

  • Vitaliy_Savrans's avatar
    Vitaliy_Savrans
    Icon for Nacreous rankNacreous
    Feb 26, 2014

    Hi, timeframe of ASM deployment depends on different things. Such as: how many File types, urls,parameters, cookies and Signatures will be for the appl., how you will plan to analize security violations on entries and fixed it. As for me, minimun timeframe is 2 weeks.

     

  • emcd_145429's avatar
    emcd_145429
    Icon for Nimbostratus rankNimbostratus
    Feb 26, 2014

    thanks Vitaliy, we are talking about a portal workflow applications, 2 to 3 URL's at most, I've been quoted 8 weeks but it seems very excessive and I would have expected 2 to 3 weeks given the rapid deployment and out of the box configs for web applications on ASM

     

    • jstauffacher_11's avatar
      jstauffacher_11
      Icon for Cirrus rankCirrus
      Mar 06, 2014
      It really depends on the depth of the application, the availability of your application developers ( or their willingness to divulge information ), and the depth you want your policy to go. When working with clients, the people managing the F5 and the developers creating the applications are usually pretty far apart -- in the sense of what they believe the application to be doing, or how it is accessed. So a good scoping call with your development team, and the partner should be able to narrow down that time frame a bit. Though 8 weeks does not sound unreasonable - if the application is sufficiently complex. There is not too much "out of the box" with ASM.
  • boneyard's avatar
    boneyard
    Icon for MVP rankMVP
    Mar 04, 2014

    2-3 weeks for first would be possible i guess, but i would expect some after care in the weeks after. good chance there will be some issue, certainly with websites that see certain traffic only in specific times during the week / month / ...

     

  • Colin_Keltie's avatar
    Colin_Keltie
    Icon for Nimbostratus rankNimbostratus
    Mar 10, 2014

    If someone were to ask me if i could deploy an ASM policy in 2-3 weeks that I would have confidence would be tuned to actually protect the app correctly and not kill it for the users, I'd probably guess that it would be an insufficient timeframe. Even for a greenfield app and straight OOB ASM config. If it's a live app with existing users and you want to introduce ASM protection - 2 to 3 weeks is insufficient. I would have tended to estimate towards 8 weeks as a minimum. And if it turned into 2 to 3 years I'd be disappointed but not surprised.

     

    (referring to Enterprise Class Corporate Transactional Apps)

     

    Note, these comments are general. Just getting an ASM policy "working" takes minutes.