Forum Discussion

Cirrus

Mar 28, 2024

WAF for APM Oauth Authorization VS

Hi, We are testing the using of F5 as a OAuth Authorization Server and also a Resource Server. We have a WAF policy attached the VS representing of the Resource Server, which has an IIS server behi...

Daniel_Wolf
Mar 28, 2024
Hi Jonathan_c,

I had a lengthy discussion about this with fellow MVP Kai_Wilke and we came up with the following answer.
The F5 Authorization Server and the Resource Server should not be at risk, otherwise F5 would provide Attack Signatures or Threat Campaign signatures for APM Resources. F5 doesn't provide any ASM signatures for APM, which for me translates to - F5 is confident you don't need such. You'd rather have to install a BIG-IP upgrade to fix any security issues with APM.

The IIS Server might be at risk, and here it might make sense to use ASM.
But for this use case the chain of processing (APM before ASM) would be OK.

KR
Daniel

Jonathan_c

Cirrus

Mar 28, 2024

Hi Juergen,

Yeah, I know, forgot to mention that. If we'll add ASM we'll create a layered VS first.

But still the question is if it's even necessary? What's the best practice?

Our integrator told us he usually doesn't add ASM to in scenarios like this, but like I find it odd.

Daniel_Wolf
MVP
Mar 28, 2024
Hi Jonathan_c,

I had a lengthy discussion about this with fellow MVP Kai_Wilke and we came up with the following answer.
The F5 Authorization Server and the Resource Server should not be at risk, otherwise F5 would provide Attack Signatures or Threat Campaign signatures for APM Resources. F5 doesn't provide any ASM signatures for APM, which for me translates to - F5 is confident you don't need such. You'd rather have to install a BIG-IP upgrade to fix any security issues with APM.

The IIS Server might be at risk, and here it might make sense to use ASM.
But for this use case the chain of processing (APM before ASM) would be OK.

KR
Daniel
- Jonathan_c
  Cirrus
  Mar 31, 2024
  Hi Daniel,
  Thanks for sharing your insights.
  I'm wondering if there's any official F5 document on the subject?
  - Jonathan_c
    Cirrus
    Apr 07, 2024
    Hi Daniel_Wolf ,
    Do you have any official F5 document on that subject?

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

WAF for APM Oauth Authorization VS

Recent Discussions

F5 Health Monitor Receive String as JSON

Background Tasks

Which process is consuming higher CPU

SSL bridging without SSL proxy forward

Big-IP VE edition for MacBook M4 Chip

Related Content

Basic OAuth concept and OAuth with F5 solutions

APM as Oauth Authorization server

JWT authorization with NGINX Ingress Controller

Group based authorization + OAuth 2.0 client setup with APM

Implementing basic OAuth with F5 BIG-IP APM

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS