Forum Discussion

Kishore_Kumar_2
May 09, 2016

What are the prime differences between the following modules, APM / ASM / AFM - Need a clear explanation

Can someone please explain the practical differences between APM / ASM / AFM for me to choose according to their requirements in a network's infrastructure.


  • Hi,

    I think you may find information on the F5.com web site.

    • AFM is the Layer-4 firewall module.
    • ASM is the Web application firewall module (filters HTTP / HTTPS requests according to a security policy: attack signatures, brute force prevention, ...).
    • APM is the authentication and SSL VPN module.
  • DavisLi (Ret. Employee)

    AFM - Network firewall for Layer 3/4. It is application-centric because firewall rules are tied to your applications. When you decommission an application, you can also safely remove the firewall rules associated with the application. This makes your ACL more efficient and cleaner. Also, F5's firewall is proxy-based, unlike stateful inspection firewalls - whether to have proxy-based or SPI firewalls has been a heated debate since the 1990s. However, F5 was one of the first (if not the first?) to bring back the proxy-based firewall because of custom coding in their kernel and the custom hardware in their appliances. (Thus the price tags, and sad to say not many customers are willing to invest.)

    ASM - Web Application Firewall. Prevents web bots and web scraping, and service-chains with vulnerability scanners so ASM can recommend security policies to plug the gaps while you patch your servers. By using LTM to decrypt your traffic, ASM can also inspect encrypted traffic coming into your web servers to check for malformed HTTP requests, check for malicious IPs, or detect a threshold of HTTP GETs from a single source IP and then apply rate-limiting, etc.

    APM - Access management for remote users, LAN users, wireless connections, etc. You can remember it as an SSL VPN solution. There are some granular checks; for example, you can enforce that a user is using a company-issued laptop (certificates) before he can connect back into your data center from a cafe. Or, you can also launch a web desktop as a protected space to allow your employee/partner to access applications. You can also do cool stuff like ensuring a user is not using a jailbroken/rooted mobile device to access your data center.

    *Both AFM and ASM provide protection against low- to mid-level DDoS attacks because of a "DDoS chipset" meant to absorb the traffic. (This only applies to higher-end models like the 5000 series and above.) If you need volumetric DDoS protection, F5 has its own managed service called Silverline.

    Some personal sharing!
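The "threshold of HTTP GETs from a single source IP" check that the ASM description above mentions, re-created here as stand-alone detection logic over constructed web-server log lines. This is an added example, not F5 code or anything from the original post; the log format, the threshold of 5 GETs and the 10-second window are assumptions chosen for illustration.

```python
"""Sliding-window GET-rate detector per source IP (added example, not
F5/ASM code). Threshold, window and the log format are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample lines in Apache/NGINX "combined"-style format.
SAMPLE_LOG = """\
203.0.113.7 - - [09/May/2016:10:00:00 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.7 - - [09/May/2016:10:00:01 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.7 - - [09/May/2016:10:00:02 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.7 - - [09/May/2016:10:00:03 +0000] "GET /login HTTP/1.1" 200 512
198.51.100.2 - - [09/May/2016:10:00:03 +0000] "GET /index HTTP/1.1" 200 2048
203.0.113.7 - - [09/May/2016:10:00:04 +0000] "POST /login HTTP/1.1" 302 0
203.0.113.7 - - [09/May/2016:10:00:05 +0000] "GET /login HTTP/1.1" 200 512
198.51.100.2 - - [09/May/2016:10:00:30 +0000] "GET /about HTTP/1.1" 200 1024
"""

# Captures source IP, timestamp and HTTP method from a combined-format line.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) ')


def find_get_floods(log_text, threshold=5, window_seconds=10):
    """Return {source_ip: timestamp} for every source that sent at least
    `threshold` GETs inside any `window_seconds` sliding window; the
    timestamp is the request at which the threshold was first reached,
    i.e. the point where a rate-limiting action would be applied.
    Only GET requests count (POSTs and others are ignored), mirroring the
    per-source HTTP GET threshold check described above. The default
    numbers are assumptions for this example, not ASM defaults."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps of GETs still in window
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        ip = m.group("ip")
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # expire GETs older than the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts  # first crossing: rate-limit decision point
    return flagged
```

On the constructed sample, 203.0.113.7 reaches five GETs within ten seconds (the POST is not counted) while 198.51.100.2 stays well under the threshold.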