Forum Discussion

Jonathan_c's avatar
Mar 28, 2024

WAF for APM Oauth Authorization VS

Hi,

We are testing the using of F5 as a OAuth Authorization Server and also a Resource Server.

We have a WAF policy attached the VS representing of the Resource Server, which has an IIS server behind it.

Since VS of the Auth Server will only utilize APM capabilities and won't actually have any application/web server behind it, I'm wondering if it's advised to add a WAF policy for this VS.

I was told it's not necessary but I find it odd, since attackers can still try to attack the F5 itself.

Any thoughts?

 

  • Hi Jonathan_c,

    I had a lengthy discussion about this with fellow MVP Kai_Wilke and we came up with the following answer.
    The F5 Authorization Server and the Resource Server should not be at risk, otherwise F5 would provide Attack Signatures or Threat Campaign signatures for APM Resources. F5 doesn't provide any ASM signatures for APM, which for me translates to - F5 is confident you don't need such. You'd rather have to install a BIG-IP upgrade to fix any security issues with APM.

    The IIS Server might be at risk, and here it might make sense to use ASM.
    But for this use case the chain of processing (APM before ASM) would be OK.

    KR
    Daniel

  • Hi Juergen,

    Yeah, I know, forgot to mention that. If we'll add ASM we'll create a layered VS first.

    But still the question is if it's even necessary? What's the best practice? 

    Our integrator told us he usually doesn't add ASM to in scenarios like this, but like I find it odd.

    • Daniel_Wolf's avatar
      Daniel_Wolf
      Icon for MVP rankMVP

      Hi Jonathan_c,

      I had a lengthy discussion about this with fellow MVP Kai_Wilke and we came up with the following answer.
      The F5 Authorization Server and the Resource Server should not be at risk, otherwise F5 would provide Attack Signatures or Threat Campaign signatures for APM Resources. F5 doesn't provide any ASM signatures for APM, which for me translates to - F5 is confident you don't need such. You'd rather have to install a BIG-IP upgrade to fix any security issues with APM.

      The IIS Server might be at risk, and here it might make sense to use ASM.
      But for this use case the chain of processing (APM before ASM) would be OK.

      KR
      Daniel

      • Jonathan_c's avatar
        Jonathan_c
        Icon for Cirrus rankCirrus

        Hi Daniel,

        Thanks for sharing your insights.

        I'm wondering if there's any official F5 document on the subject?

  • APM is processed before ASM. If you add an ASM Policy to an OAuth Authorization Server the ASM module will not trigger. You must create a layered VS setup to protect APM by ASM.

    Reference: https://community.f5.com/kb/communityarticles/knowledge-sharing-order-of-precedence-for-big-ip-modules-asm-ddos-protection-bot/298693