Difference between Rest API security protection and API Security ASM template ?

Question

Hi,I have to protect some Rest API with ASM.I saw that there are 2 different API protection features :1) Create an ASM policy with the API security template where you just import the swagger file.2) Use the guided configuration tool and create an API security protection. I can see that this also add some APM features to manage authenticationWhat is the difference between the 2 ?I do not need to manage authentication at F5 level,&nbsp; which one should I use ?&nbsp;

daniel_wolf · Answer

Hi&nbsp;DocteurBGP,the APM Policy canimport an Open API Spec fileverify that the API call is made to an allowed API endpoint.verify that clients makes only unauthenticated API calls and verify JWT access tokensdo Rate LimitingThe AWAF Policy canimport an Open API Spec file and validate that the API request conforms to the spec fileprotect against Web Application ThreatsTo my surprise the AWAF Policy can&nbsp;import an Open API Spec file but does not build a list of allowed URLs (methods / endpoints) from it.KRDaniel

nut2889 · Answer

Hi DocteurBGP,Referring to your question. This is my opinion below:1) Swagger file import to F5 ASM / AWAFGenerally the Swagger file will help to security team to reduce the time and false postivie to understand your API service has been protected by WAF/API security solution. I will call this is a "Positive Security Model".Reference from&nbsp;Introduction to Application Security Manager (f5.com)"&nbsp;Positive security features indicate which traffic has a known degree of trust, such as which file types, URLs, parameters, or IP address ranges can access the web server."Then the F5 ASM / AWAF will not touch any authentication method in your API services.2) API security protectionReference from&nbsp;Configure API security protection using the F5 BIG-IP Guided ConfigurationSeems to F5 APM will interact with session-based level of API since authentication until request/response the data.3) I do not need to manage authentication at F5 level,&nbsp; which one should I use ?Normally base on the many criteria within your solution or organization. Below is based on my experience:The WAF operation team mostly not understand how your API service working, how your API authentication working.&nbsp; I'm try to say you should move API authentication management to API gateway level. But our WAF will help them to secure the API services.Hope it helpfull.&nbsp;

Forum Discussion

Difference between Rest API security protection and API Security ASM template ?

Recent Discussions

Surah Yaseen in F5’s products

R2600 device and tenant/partition configuration

FQDN resolve in non default domain name.

Inquiry About PayByPlate Integration with F5

APM - Capture Login sharepoint

Related Content

Mitigating OWASP API Security Top 10 risks using F5 NGINX App Protect

F5 Hybrid Security Architectures: Part 3 F5 XC API Protection and NGINX Ingress

Beyond REST: Protecting GraphQL

L7 DoS Protection with NGINX App Protect DoS

F5 CES protects the security of K8s egress traffic with the idea of fusion