Forum Discussion

Jonathan_c's avatar
Jonathan_c
Icon for Cirrus rankCirrus
Mar 28, 2024

WAF for APM Oauth Authorization VS

Hi, We are testing the using of F5 as a OAuth Authorization Server and also a Resource Server. We have a WAF policy attached the VS representing of the Resource Server, which has an IIS server behi...
asm
ASM API
authorization server
oauth 2.0
waf
  • Daniel_Wolf's avatar
    Daniel_Wolf
    Mar 28, 2024

    Hi Jonathan_c,

    I had a lengthy discussion about this with fellow MVP Kai_Wilke and we came up with the following answer.
    The F5 Authorization Server and the Resource Server should not be at risk, otherwise F5 would provide Attack Signatures or Threat Campaign signatures for APM Resources. F5 doesn't provide any ASM signatures for APM, which for me translates to - F5 is confident you don't need such. You'd rather have to install a BIG-IP upgrade to fix any security issues with APM.

    The IIS Server might be at risk, and here it might make sense to use ASM.
    But for this use case the chain of processing (APM before ASM) would be OK.

    KR
    Daniel

Daniel_Wolf's avatar
Daniel_Wolf
Icon for MVP rankMVP

Hi Jonathan_c,

I had a lengthy discussion about this with fellow MVP Kai_Wilke and we came up with the following answer.
The F5 Authorization Server and the Resource Server should not be at risk, otherwise F5 would provide Attack Signatures or Threat Campaign signatures for APM Resources. F5 doesn't provide any ASM signatures for APM, which for me translates to - F5 is confident you don't need such. You'd rather have to install a BIG-IP upgrade to fix any security issues with APM.

The IIS Server might be at risk, and here it might make sense to use ASM.
But for this use case the chain of processing (APM before ASM) would be OK.

KR
Daniel

Jonathan_c's avatar
Jonathan_c
Icon for Cirrus rankCirrus
Mar 31, 2024

Hi Daniel,

Thanks for sharing your insights.

I'm wondering if there's any official F5 document on the subject?

  • Jonathan_c's avatar
    Jonathan_c
    Icon for Cirrus rankCirrus
    Apr 07, 2024

    Hi Daniel_Wolf ,

    Do you have any official F5 document on that subject?

    • Daniel_Wolf's avatar
      Daniel_Wolf
      Icon for MVP rankMVP
      Apr 07, 2024

      Hi Jonathan_c

      apologies, I missed this. No, there is no officical document. This is only my opinion.

      KR
      Daniel

    • LiefZimmerman's avatar
      LiefZimmerman
      Icon for Admin rankAdmin
      Oct 09, 2024

      Jonathan_c - this has been a few months. I wonder if you settled on anything here and then ALSO I wonder if we have an opportunity to take any learnings from your testing, or Daniel_Wolf / Kai_Wilke 's discussion that we should TURN INTO some official documentation?

      If we have an official knowledge gap that will help you or help the next member...I'd love to rectify that. 
      ICYMI Kendall_Brennei