Forum Discussion
How to do API Protection with 3scale API Manager?
- Apr 14, 2023
Hi Cypher ,
The approach I would take to a scenario like this is to include responses in your Policy Builder (if you have that set for the policy).
This will mean that you have a way of 'tracking' the URIs that are sent in the responses.
At a very basic level, API discovery technologies will have a API schema (which in your case you don't), and then monitor the responses sent back from the origin servers. The drift between these is the 'shadow APIs'. This is not all of the mechanisms in API discovery, but just giving you some ideas on how you can implement a similar type of control with AWAF.
By the way your comment about APIs being onboarded and offboarded is a concern, this is the very thing that needs to have a level of control - at least to a transparent/logging level. In most not all scenarios, you should not be creating too many Hostname or differfent URI endpoints in production regularly, as it may be the services that host those URIs that can change daily, etc. But if you are in a situation where the URI endpoints and Hostnames terminating on the API gateway change quite frequently, then definitely having a policy that tracks responses is a good measure as a start.
Also, to point out, that the gateway vendor should not matter in this scenario as at a foundational level you are in front of something that speaks HTTP, URIs, JSON, etc.
Hi Cypher is there a particular deployment type for protection you were looking into for API protection? BIG-IP Advanced WAF? NGINX App Protect? Distributed Cloud WAAP?
Let's take for example if you wanted to use BIG-IP Advanced WAF, we have a guided configuration which takes you through a few steps from API definition (Swagger) through to enforcement. https://techdocs.f5.com/kb/en-us/products/big-ip_apm/releasenotes/product/relnote-guided-config-8-0.html#overviewasm
If you have an existing BIG-IP Advanced WAF, you should see this under the Guided Configuration option in Advanced WAF.
If you are looking at NGINX App Protect or Distributed Cloud WAAP, then they both have different scenarios for enforcement of API schemas as well.
- CypherApr 06, 2023Cirrus
Hi shsingh,
Thanks for your reply. Deployment type is indeed BIG-IP Advanced WAF. I am aware of the guided configuration, and that is the approach i want to take. The thing is, i can not obtain a swagger file from this 3scale API manager for the applications behind it. It is in itself a reverse proxy for api calls.. API calls get onboarded and offboarded frequently, and how would i manage this, while maintaining current ASM exclusions? I wonder how F5 sees the deployment https://www.f5.com/pdf/partners/red-hat-3scale-api-gateways.pdf. Is it just placing the F5 in between acting as reverse proxy + advanced WAF functionality, or is it possible to work with guided configurations and a swagger file. Maybe i got off track because it said API protection (referring to advanced WAF and not guided configuration-api protection) in the design in the document.
I know these are very specific questions
- shsinghApr 14, 2023Employee
Hi Cypher ,
The approach I would take to a scenario like this is to include responses in your Policy Builder (if you have that set for the policy).
This will mean that you have a way of 'tracking' the URIs that are sent in the responses.
At a very basic level, API discovery technologies will have a API schema (which in your case you don't), and then monitor the responses sent back from the origin servers. The drift between these is the 'shadow APIs'. This is not all of the mechanisms in API discovery, but just giving you some ideas on how you can implement a similar type of control with AWAF.
By the way your comment about APIs being onboarded and offboarded is a concern, this is the very thing that needs to have a level of control - at least to a transparent/logging level. In most not all scenarios, you should not be creating too many Hostname or differfent URI endpoints in production regularly, as it may be the services that host those URIs that can change daily, etc. But if you are in a situation where the URI endpoints and Hostnames terminating on the API gateway change quite frequently, then definitely having a policy that tracks responses is a good measure as a start.
Also, to point out, that the gateway vendor should not matter in this scenario as at a foundational level you are in front of something that speaks HTTP, URIs, JSON, etc.
- CypherApr 19, 2023Cirrus
Hi shsingh
I will definitely look into the appoach 'learning from responses'. Tracking the URI's and see what we can do with it. It is not that it changes daily, and there is control over the onboarding process. In the current web landscape, i do see an uptick in the amount of API's.
Thanks for your valued response.
Kind regards
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com