F5 TIC3.0 Capability Mappings

About

The information below lists how F5 products address TIC 3.0 capability requirements (Dec 2023/Version 3.1) from the context of how F5 can help the broader agency.

Important Note: Before reading this, please read each capability as defined in:

https://www.cisa.gov/sites/default/files/2023-12/CISA%20TIC%203.0%20Security%20Capabilities%20Catalog_508c.pdf

If a capability is not explicitly listed, it should be assumed the F5 product does not meet the requirement.

At its core, the security provided by TIC 3.0 is based on Zero Trust. If you would like to learn more about how F5 can help your agency meet its Zero Trust requirements, please contact your local account team for additional detail.

 

F5 Products Background

  • F5 BIG-IP is a reverse proxy with web application security and authentication capabilities. BIG-IP provides these capabilities for traditional applications.
  • F5 BIG-IP delivers applications securely, efficiently and at scale. BIG-IP Web Application Firewall protects applications from the ever-evolving security threat landscape. Specific BIG-IP software modules are matched to certain capabilities below where applicable.
  • F5 NGINX Plus is a reverse proxy with web application security and authentication capabilities in a containerized format. The typical use case for NGINX Plus is to provide these protections for modern containerized applications.
  • F5 Distributed Cloud is a SaaS offering that provides Application Delivery, WAAP, DNS, and DDoS protection to applications as an edge service.
  • F5 Distributed Cloud also offers a “Customer Edge” (CE) that provides many of these same capabilities on-prem or in a Cloud Service Provider.
  • F5 Distributed Cloud will be referred to as “F5 XC” below.

 

TIC 3.0 Capabilities

Universal Security Capabilities

Central Log Management with Analysis

  • BIG-IP
    • BIG-IP provides application security and telemetry logging enterprise-wide to a centralized log store.
  • NGINX Plus
    • NGINX Plus provides application security and telemetry logging enterprise-wide to a centralized log store.
  • F5 XC
    • F5 XC provides application security and telemetry logging enterprise-wide to a centralized log store.

Configuration Management

  • BIG-IP
    • BIG-IP configuration and capabilities can be fully automated and orchestrated.
  • NGINX Plus
    • NGINX Plus configuration and capabilities can be fully automated and orchestrated.
  • F5 XC
    • F5 XC configuration and capabilities can be fully automated and orchestrated.

Incident Response Planning and Incident Handling

  • BIG-IP
    • F5 BIG-IP provides the ability to detect, prevent and log application security events.
  • NGINX Plus
    • F5 NGINX Plus provides the ability to detect, prevent and log application security events in a containerized form factor.
  • F5 XC
    • F5 Distributed Cloud provides the ability to detect, prevent and log application security events.

Strong Authentication

  • BIG-IP
    • F5 BIG-IP supports requiring SAML, OIDC, Active Directory, and mTLS authentication before a client can access an application.
  • NGINX Plus
    • F5 NGINX Plus supports requiring OIDC and mTLS authentication before a client can access an application, in a containerized format.
  • F5 XC
    • N/A

Enterprise Threat Intelligence

  • BIG-IP
    • F5 provides threat intelligence feeds that help organizations detect whether they are a target of a threat campaign. This service can be leveraged by BIG-IP.
  • NGINX Plus
    • F5 provides threat intelligence feeds that help organizations detect whether they are a target of a threat campaign. This service can be leveraged by NGINX Plus.
  • F5 XC
    • F5 provides threat intelligence feeds that help organizations detect whether they are a target of a threat campaign. This service can be leveraged by F5 XC.

Dynamic Threat Discovery

  • BIG-IP
    • BIG-IP can learn HTTP traffic patterns and establish a baseline to protect applications.
  • NGINX Plus
    • N/A
  • F5 XC
    • N/A

Continuous Monitoring Reporting

  • BIG-IP
    • BIG-IP provides application security and telemetry logging, supplying vital application access, performance, and threat data for analysis.
  • NGINX Plus
    • NGINX Plus provides application security and telemetry logging, supplying vital application access, performance, and threat data for analysis.
  • F5 XC
    • F5 XC provides application security and telemetry logging, supplying vital application access, performance, and threat data for analysis.

 

Web PEP Capabilities

Break and Inspect

  • BIG-IP
    • F5 BIG-IP provides the ability to decrypt TLS traffic and send the decrypted traffic to any number of security devices, allowing the security devices.
  • NGINX Plus
    • N/A
  • F5 XC
    • N/A

Active Content Mitigation

  • BIG-IP
    • BIG-IP provides the ability to decrypt TLS traffic and send this traffic to a content filtering solution for further inspection. This allows the filtering solution to inspect previously encrypted traffic and remove any malicious content.
  • NGINX Plus
    • N/A
  • F5 XC
    • N/A

Certificate Denylisting

  • BIG-IP
    • F5 BIG-IP can enforce certificate revocation on clients (human or non-human) presenting certificates (mTLS/Smart Card/CAC/PIV) via OCSP or CRLs before granting access to the application. BIG-IP can also be configured to deny certificates based on a blacklist.
  • NGINX Plus
    • F5 BIG-IP can enforce certificate revocation on clients (human or non-human) presenting certificates (mTLS/Smart Card/CAC/PIV) via OCSP or CRLs before granting access to the application.
  • F5 XC
    • N/A

Content Filtering

  • BIG-IP
    • BIG-IP provides the ability to decrypt TLS traffic and send this traffic to a content filtering solution for further inspection. This allows the filtering solution to inspect previously encrypted traffic and remove any malicious content.
  • NGINX Plus
    • N/A
  • F5 XC
    • N/A

Authenticated Proxy

  • BIG-IP
    • F5 BIG-IP is a reverse proxy that provides the ability to require SAML, OIDC, Active Directory and mTLS authentication before a client can access an application.
  • NGINX Plus
    • F5 NGINX Plus is a reverse proxy that provides the ability to require OIDC and mTLS authentication before a client can access an application, in a containerized format.
  • F5 XC
    • N/A

Data Loss Prevention

  • BIG-IP
    • BIG-IP can detect and block sensitive data leaving an application. Data patterns that are deemed sensitive can be added. Additionally, BIG-IP provides the ability to decrypt TLS traffic and send this traffic to a DLP solution for further inspection, preventing sensitive data leakage.
  • NGINX Plus
    • NGINX Plus can detect and block sensitive data leaving an application. Data patterns that are deemed sensitive can be added.
  • F5 XC
    • F5 XC can detect and block sensitive data leaving an application. Data patterns that are deemed sensitive can be added.

Domain Resolution Filtering

  • BIG-IP
    • BIG-IP can report or block DNS over HTTPS originating from or destined for your agency.
  • NGINX Plus
    • N/A
  • F5 XC
    • N/A

Protocol Compliance Enforcement

  • BIG-IP
    • BIG-IP provides protocol compliance for both HTTP and DNS with the ability to report or reject traffic that is out of compliance.
  • NGINX Plus
    • NGINX Plus provides protocol compliance for HTTP with the ability to report or reject traffic that is out of compliance.
  • F5 XC
    • F5 XC provides protocol compliance for HTTP with the ability to report or reject traffic that is out of compliance.

Domain Category Filtering

  • BIG-IP
    • BIG-IP provides break and inspect capabilities for traffic egressing from the network. Categories may be configured to bypass break and inspect for domain categories (e.g., banking, medical, government). This is typically done so that PII data is not inspected.
  • NGINX Plus
    • N/A
  • F5 XC

Domain Reputation Filtering

  • BIG-IP
    • BIG-IP provides the ability to deny access to domains via a list or categories of domains enforced at the HTTP protocol layer. Domain filtering can also be provided via DNS using a list of domains or an integration with an RPZ provider such as Spamhaus or SURBL.
  • NGINX Plus
    • N/A
  • F5 XC
    • N/A

Bandwidth Control

Malicious Content Filtering

  • BIG-IP
    • BIG-IP provides the ability to decrypt TLS traffic and send this traffic to a content filtering solution for further inspection. This allows the filtering solution to inspect previously encrypted traffic and remove any malicious content.
  • NGINX Plus
    • N/A
  • F5 XC
    • N/A

Access Control

  • BIG-IP
    • F5 BIG-IP provides the ability to define policies to limit actions on protected web applications. This is achieved by limiting on a per user and per application basis the URLs and HTTP methods that a user is permitted to access.
  • NGINX Plus
    • F5 NGINX Plus provides the ability to define policies to limit actions on protected web applications. This is achieved by limiting on a per user and per application basis the URLs and HTTP methods that a user is permitted to access.
  • F5 XC
    • F5 XC provides the ability to define policies to limit actions on protected web applications. This is achieved by limiting on a per user and per application basis the URLs and HTTP methods that a user is permitted to access.

 

Resiliency PEP Security Capabilities

Distributed Denial of Service Protections

  • BIG-IP
    • BIG-IP provides protection against DOS attacks at layers 3-7 by providing the ability to learn traffic patterns and establish a baseline. BIG-IP Layer 3-4 capabilities provide protection against IP, UDP and TCP based attacks. Layer 7 capabilities provide protection against DNS, TLS and HTTP based DOS attacks.
  • NGINX Plus
    • NGINX Plus provides protection against HTTP based DOS attacks.
  • F5 XC
    • F5 XC provides protection against HTTP based DOS attacks.

Elastic Expansion

  • BIG-IP
    • F5 BIG-IP provides the ability to scale out applications by distributing the application traffic across as many instances as needed.
  • NGINX Plus
    • F5 NGINX Plus provides the ability to scale out applications by distributing the application traffic across as many instances as needed in a containerized environment.
  • F5 XC
    • F5 XC provides the ability to scale out applications by distributing the application traffic across as many instances as needed.

Regional Delivery

  • BIG-IP
    • N/A
  • NGINX Plus
    • N/A
  • F5 XC
    • F5 XC provides the ability, through a Regional Edge, to host containerized applications and their associated services through a secure, scalable fabric. Additionally, F5 XC’s Regional Edge provides the ability to scale, secure and deliver applications across a geographically dispersed set of environments.

 

Domain Name System PEP Security Capabilities

Domain Name Sinkholing

  • BIG-IP
    • BIG-IP provides Domain Name Sinkholing via DNS using a list of domains or an integration with an RPZ provider such as Spamhaus or SURBL.
  • NGINX Plus
    • N/A
  • F5 XC
    • N/A

Domain Name Verification for Agency Clients

  • BIG-IP
    • F5 BIG-IP can enforce that queries from agency clients utilize DNSSEC.
  • NGINX Plus
    • N/A
  • F5 XC
    • N/A

Domain Name Validation for Agency Domains

  • BIG-IP
    • F5 BIG-IP can enforce DNSSEC chain of trust for all agency domains.
  • NGINX Plus
    • N/A
  • F5 XC
    • N/A

 

Intrusion Detection PEP Security Capabilities

Intrusion Detection and Prevention Systems

  • BIG-IP
    • F5 BIG-IP provides Intrusion Detection capabilities that allow for the reporting and blocking of threats over a wide range of protocols.
  • NGINX Plus
    • N/A
  • F5 XC
    • N/A

 

Enterprise PEP Security Capabilities

Virtual Private Network

  • BIG-IP
    • F5 BIG-IP provides site-to-site IPSEC capabilities along with end user remote access SSL VPN.
  • NGINX Plus
    • N/A
  • F5 XC
    • N/A

Application Container

  • BIG-IP
    • N/A
  • NGINX Plus
    • F5 NGINX Plus provides load balancing, ingress services (for K8s), WAF, HTTP DOS protection and API Security for containerized services.
  • F5 XC
    • F5 XC provides the ability to host containerized services in F5 XC Regional Edge.

 

Services PEP Security Capabilities

Active Content Mitigation

  • BIG-IP
    • BIG-IP provides the ability to decrypt TLS traffic and send this traffic to a content filtering solution for further inspection. This allows the filtering solution to inspect previously encrypted traffic and remove any malicious content.
  • NGINX Plus
    • N/A
  • F5 XC
    • N/A

 

Data Loss Prevention

  • BIG-IP
    • BIG-IP can detect and block sensitive data leaving an application. Data patterns that are deemed sensitive can be added. Additionally, BIG-IP provides the ability to decrypt TLS traffic and send this traffic to a DLP solution for further inspection, preventing sensitive data leakage.
  • NGINX Plus
    • NGINX Plus can detect and block sensitive data leaving an application. Data patterns that are deemed sensitive can be added.
  • F5 XC
    • F5 XC can detect and block sensitive data leaving an application. Data patterns that are deemed sensitive can be added.

Protocol Compliance Enforcement

  • BIG-IP
    • F5 BIG-IP provides the ability to enforce protocol compliance for HTTP and DNS protocols.
  • NGINX Plus
    • F5 NGINX Plus provides the ability to enforce protocol compliance for the HTTP protocol.
  • F5 XC
    • F5 XC provides the ability to enforce protocol compliance for the HTTP protocol.

Malicious Content Filtering

  • BIG-IP
    • BIG-IP provides the ability to decrypt TLS traffic and send this traffic to a content filtering solution for further inspection. This allows the filtering solution to inspect previously encrypted traffic and remove any malicious content.
  • NGINX Plus
    • N/A
  • F5 XC
    • N/A

Access Control

  • BIG-IP
    • F5 BIG-IP provides the ability to define policies to limit actions on protected web applications. This is achieved by limiting on a per user and per application basis the URLs and HTTP methods that a user is permitted to access.
  • NGINX Plus
    • F5 NGINX Plus provides the ability to define policies to limit actions on protected web applications. This is achieved by limiting on a per user and per application basis the URLs and HTTP methods that a user is permitted to access.
  • F5 XC
    • F5 XC provides the ability to define policies to limit actions on protected web applications. This is achieved by limiting on a per user and per application basis the URLs and HTTP methods that a user is permitted to access.

 

Identity PEP Security Capabilities

Behavioral Baselining

  • BIG-IP
    • BIG-IP can learn HTTP traffic patterns and establish a baseline to protect applications.
  • NGINX Plus
    • N/A
  • F5 XC
    • N/A

Multi-factor Authentication

  • BIG-IP
    • F5 BIG-IP supports requiring SAML, OIDC, Active Directory, and mTLS authentication before a client can access an application.
  • NGINX Plus
    • F5 NGINX Plus supports requiring OIDC and mTLS authentication before a client can access an application, in a containerized format.
  • F5 XC
    • N/A

Continuous Authentication

  • BIG-IP
    • F5 BIG-IP provides the ability to authenticate users prior to accessing an application. After access to the application is granted, BIG-IP can enforce periodic requests for authentication to reverify the client’s identity in addition to their OS posture.
  • NGINX Plus
    • N/A
  • F5 XC
    • N/A
Updated Mar 05, 2024
Version 6.0
