Forum Discussion
- Pedro_HaoaRet. Employee
Hi,
AWS/Azure offers good integration with other AWS/Azure services but the major benefits are limited to AWS/Azure clients.
BIG-IP ASM offers some of the following advantages (from the security perspective):
- PCI Compliance
- Carrier-Grade Hardware Platform (On-Premise Option)
- Advanced L7 DoS and DDoS detection including: HASH DoS, Slowloris, floods, Keep dead, XML bomb
- Web scraping prevention
- Advanced automated attack defense and bot detection
- Advanced protections against threats including: Web injections, data leakage, session hijacking, HPP attacks, buffer overflows, shellshock
- Geolocation blocking
- IP Intelligence (IP reputation) services
- SSL termination with re-encryption
- Security incident and violation correlation
- Client-side certification support
- Client authentication LDAP, RADIUS
- Database security integration (Oracle)
- Response checking
- Violation risk scoring
- Web service encryption and decryption
- Device-ID detection and fingerprinting
- Live signature updates
- WebSocket traffic filtering
- IP shunning (layer 3 blacklisting in HW) with BIG-IP AFM
- Hannes_Rapp_162Nacreous
A pre-configured retail WAF solution typically has at least 85% of the configuration done for you. As the end-user, you will end up having a few drop-down menus here and there, all laid out in an elegant and very easy-to-use management dashboard. There's very little actual control over security. In simple terms, you end up surrendering some quality of your security in return for a lower price. You trust the 85% they have done for you. You can take it for granted that it's either too restrictive and bulky a policy, which ends up slowing your application due to a number of irrelevant security checks, or it's too loose, providing very little actual security benefit. And if you are not happy with that one-size-fits-all glove, you will pay for additional exceptions and extended control.
If the cost aspect should be ignored, then I'm not sure if I understand your question. There is not a single security benefit of having just one piece of protective glove for every application out there. A self-managed WAF with a fully 'customized for application' security policy wins all the time, every time, in every security aspect, or at minimum is on par in some aspects. I don't think this list would have much meaning, so best to disregard the security aspect and focus on others - manageability, cost (one-time product + on-going management) and do not forget the most important one - degradation of app performance. The last one in particular is something you should clarify before signing any contracts. The best WAF policy is the one that offers all the relevant-for-your-application protection with minimal degradation of app performance.
- Porter-Ed_33126Nimbostratus
Thanks, I appreciate your feedback and agree with all of your points.
I simply need to document the security features of AWS/Azure WAF vs. F5 WAF (to complete the paperwork), i.e.
Features:
1 - Live signature updates
AWS: Yes Azure: No F5: Yes
2 - WebSocket traffic filtering
AWS: Yes Azure: No F5: Yes
--
Thanks in advance.
- JGCumulonimbus
Well, as I see it, you can make up your own security rules/solutions when and where you need them, unlike in AWS, where you pay $ for each existing rule you choose to use. You have control with F5.