Introduction to F5 BIG-IP Advanced Firewall Manager (AFM)
Table of Contents
- What is F5 BIG-IP Advanced Firewall Manager?
- Why is BIG-IP AFM important?
- Ensure services availability
- Protect with full proxy capabilities
- Inspect SSL sessions
- Automate security deployment
- Scale to meet network demand
- Consistent protection for containerized applications
- Flexible automation options for ease of integration into operations
- Actionable reporting and visibility
- Reduced Operational Complexity
What is F5 BIG-IP Advanced Firewall Manager?
F5 BIG-IP Advanced Firewall Manager (AFM) is a high-performance, full-proxy network security solution designed to protect networks and data centers against incoming threats that enter the network on the most widely deployed protocols. BIG-IP AFM runs on F5’s Application Delivery Controller (ADC) platform, giving service providers a scalable, subscriber-aware platform with the flexibility, performance, and control they need to stop aggressive distributed denial-of-service (DDoS) and protocol attacks before they overwhelm and damage services.
BIG-IP AFM’s unique application-centric design enables greater effectiveness in guarding against targeted network infrastructure-level attacks. It tracks the state of network sessions, maintains deep subscriber and application awareness, and uniquely mitigates attacks based on more granular details than traditional firewalls. With BIG-IP AFM, organizations can protect themselves from over 100 attack signatures, more hardware-based signatures than any other leading firewall vendor offers. It also has unsurpassed programmability, interoperability, and visibility into threat conditions.
Why is BIG-IP AFM important?
Ensure services availability
- Secure the network edge and core from DDoS and protocol threats with in-depth rules customization, and increased performance and scalability.
Protect with full proxy capabilities
- Inspect all incoming subscriber connections and server-to-client responses, and mitigate threats based on security and protocol parameters before forwarding them.
Inspect SSL sessions
- Decrypt SSL traffic to identify potentially hidden attacks—at high rates and with high throughput.
Automate security deployment
- Simplify configuration with security policies oriented around services and protocols and an efficient rules and policy GUI.
Scale to meet network demand
- Meet demands for higher bandwidth usage and concurrency rates with F5’s proven virtual software editions and hardware systems to flexibly ensure performance while under attack.
Consistent protection for containerized applications
- Protect container-based applications regardless of platform or location with attack detection and mitigation services.
Flexible automation options for ease of integration into operations
- Extensive integration with third-party and public cloud automation tools to speed BIG-IP AFM into production.
Actionable reporting and visibility
- Easily understand your security status with rich telemetry that can be customized into reports and charts to provide insight into all event types and enable effective forensic analysis.
Reduced Operational Complexity
- Single platform to consolidate and deliver Firewall, CGNAT, DNS, protocol protection and deep packet inspection to reduce operational complexity and costs.
How does BIG-IP AFM do this?
Network DDoS Protection
The full proxy architecture of BIG-IP AFM helps to ensure the application infrastructure is protected using advanced capabilities to mitigate DoS and DDoS attacks. The out-of-the-box functionality includes a comprehensive set of signatures that enable organizations to defend against, track, and report a breadth of well-known network DDoS attacks and methodologies.
IP Intelligence
BIG-IP AFM integrates with F5 IP Intelligence Services for stronger context-based security that strategically guards against evolving threats at the earliest point in the traffic flow. IP Intelligence Services minimizes the threat window and enhances BIG-IP AFM DDoS and network defense with up-to-date network threat intelligence for stronger, context-based security.
DNS Security
BIG-IP® DNS delivers an intelligent and scalable DNS infrastructure that gives mobile users faster access and service response. This makes it easy for service providers to optimize, monetize, and secure their DNS infrastructures. F5 DNS is a high-performance, carrier-grade DNS solution that acts as a caching, resolving local DNS (LDNS) server. It is a highly scalable authoritative DNS solution that can handle business growth and sudden demand spikes.
Carrier-Grade NAT
F5 BIG-IP Carrier-Grade NAT (CGNAT) has many tools that help service providers move to IPv6 successfully. It also helps them support and work with existing IPv4 devices and content.
Intrusion Prevention Security
BIG-IP AFM’s Intrusion Prevention System (IPS) delivers deep packet inspection and visibility for incoming network traffic. The IPS engine inspects Layer 5-7 traffic for security incidents, protocol and application violations, and exploits, and takes the appropriate preventive action. It checks traffic for adherence to 25+ protocol standards and matches it against hundreds of known attack signatures and exploits.
Protection for Container-based Apps
BIG-IP AFM Virtual Edition (VE) supports running in both public and private cloud environments and provides protection that readily secures container-based applications by off-loading the “North/South” decryption and encryption of traffic to and from container-based application environments.
Deep Visibility and Reporting
With advanced logging and intelligent threat reporting capabilities, BIG-IP AFM logs millions of records in real time, providing granular visibility into DDoS attacks for in-depth analysis of security events. BIG-IP AFM reports provide clear, concise, and actionable information highlighting attacks and trends with drill-down and page-view capabilities.
BIG-IP AFM Policy Rule Options
Contexts
A context defines the scope of a firewall rule; in other words, it is the category of object to which the rule applies. There are a total of six Contexts:
- Global
- Route Domain
- Virtual Server
- Self IP
- Management IP
- Global Drop
Actions
A rule takes one of four main actions, although not every action is available in every Context. The four actions are:
- Accept – The packet can pass the rule and is then passed onto the next Context for processing.
- Drop – The packet is silently dropped.
- Reject – The packet is rejected and a Reset (RST) is sent back to the client if TCP is used. Otherwise, an ICMP Unreachable is sent.
- Accept Decisively – The packet is permitted and no further Context processing is performed.
Each of the Contexts allows for the Actions of Accept, Drop or Reject. The Global and Route Domain Contexts also include the Accept Decisively Action.
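The following is an added example (not code from the page or from F5) that models the Contexts and Actions described above: rules are walked context by context, Accept hands the packet on, Accept Decisively ends processing with the packet permitted, Drop is silent, and Reject answers with a TCP RST or an ICMP unreachable. The context order, the rule-matching fields, the rule names and all addresses are constructed for illustration; the end-of-walk behaviour (no match anywhere falls to the Global Drop default) is a modelling assumption, not a statement of BIG-IP AFM's exact processing order. The check that only the Global and Route Domain contexts accept an Accept Decisively rule follows the sentence above.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Context names as the page lists them.
GLOBAL, ROUTE_DOMAIN, VIRTUAL_SERVER, SELF_IP, MANAGEMENT_IP, GLOBAL_DROP = (
    "Global", "Route Domain", "Virtual Server", "Self IP", "Management IP", "Global Drop")
ACCEPT, DROP, REJECT, ACCEPT_DECISIVELY = "accept", "drop", "reject", "accept-decisively"


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str  # "tcp", "udp" or "icmp"


@dataclass
class Rule:
    name: str
    action: str
    src: str = "0.0.0.0/0"       # CIDR; the default matches any source
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in (None, pkt.proto)
                and self.dport in (None, pkt.dport))


@dataclass
class Context:
    kind: str
    rules: List[Rule] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Per the page, only the Global and Route Domain contexts offer Accept Decisively.
        for r in self.rules:
            if r.action == ACCEPT_DECISIVELY and self.kind not in (GLOBAL, ROUTE_DOMAIN):
                raise ValueError(f"rule {r.name!r}: {ACCEPT_DECISIVELY} is not valid in the {self.kind} context")


@dataclass(frozen=True)
class Verdict:
    action: str
    context: str
    rule: str
    response: Optional[str]  # what, if anything, is sent back to the client


def client_response(action: str, pkt: Packet) -> Optional[str]:
    """Reject answers the client (RST for TCP, ICMP unreachable otherwise); Drop is silent."""
    if action == REJECT:
        return "TCP RST" if pkt.proto == "tcp" else "ICMP unreachable"
    return None


def evaluate(pkt: Packet, contexts: List[Context]) -> Verdict:
    """Walk the contexts in the given order; the first matching rule in each context decides.
    Accept hands the packet to the next context, Accept Decisively ends the walk with the
    packet permitted, Drop and Reject end it with the packet discarded.
    ASSUMPTION (modelling choice): a context with no matching rule is skipped, and a packet
    that no rule ever matched falls to the Global Drop default."""
    last_accept: Optional[Verdict] = None
    for ctx in contexts:
        rule = next((r for r in ctx.rules if r.matches(pkt)), None)
        if rule is None:
            continue
        if rule.action == ACCEPT:
            last_accept = Verdict(ACCEPT, ctx.kind, rule.name, None)
            continue
        return Verdict(rule.action, ctx.kind, rule.name, client_response(rule.action, pkt))
    return last_accept or Verdict(DROP, GLOBAL_DROP, "default", None)


def demo_contexts() -> List[Context]:
    """Constructed rule set; the names and addresses are made up for illustration."""
    return [
        Context(GLOBAL, [Rule("drop-private-src", DROP, src="192.168.0.0/16")]),
        Context(ROUTE_DOMAIN, [Rule("trusted-monitor", ACCEPT_DECISIVELY, src="203.0.113.10/32")]),
        Context(VIRTUAL_SERVER, [Rule("allow-https", ACCEPT, proto="tcp", dport=443),
                                 Rule("reject-rest", REJECT)]),
    ]


if __name__ == "__main__":
    for pkt in (Packet("198.51.100.7", "192.0.2.10", 443, "tcp"),
                Packet("198.51.100.7", "192.0.2.10", 22, "tcp"),
                Packet("198.51.100.7", "192.0.2.10", 53, "udp"),
                Packet("192.168.1.5", "192.0.2.10", 443, "tcp"),
                Packet("203.0.113.10", "192.0.2.10", 22, "tcp")):
        print(pkt, "->", evaluate(pkt, demo_contexts()))
```

Note how the Route Domain rule with Accept Decisively lets the monitoring host reach port 22 even though the Virtual Server context would have rejected it: an Accept Decisively higher in the order bypasses every later context, which is exactly why it is restricted to the Global and Route Domain contexts and deserves review when it appears in a policy.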
Processing Order
Network Firewall
The AFM's key feature is its ability to act as a network-based (stateful) firewall. To understand the various options available, we will describe the functions and key components within the AFM Network Firewall.
- Active Rules / Policies - To permit or deny traffic, either use Active Rules or Policies. The differences are shown below.
- Active Rules - Can be assigned across all Contexts.
- Policies - Can be assigned across all Contexts. However, Policies can also be assigned to a Virtual Server in Staging Mode only (i.e. the policy logs what it would have done without performing the action).
- Rule Lists - A Rule list, as the name suggests, is a collection of rules.
- IP Intelligence - IP Intelligence allows you to block traffic based on an IP block list. This list is retrieved either directly from F5 (an additional license is required) or you can use your own custom feed.
Protocol Security
Whereas the Network Firewall allows you to block (or permit) traffic at the transport layer (i.e. layer 4), Protocol Security allows you to block traffic based on certain conditions within the protocol itself.
Two protocols can be configured: DNS and HTTP. Protocol Security is configured by creating a Security Profile and assigning it to the Virtual Server. An HTTP Security Profile has extensive options under Protocol Checks and Request Checks.
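As an added illustration of what protocol-level checks on HTTP look like (example code, not the page's or F5's own implementation, and not a list of the checks an HTTP Security Profile actually offers), the following validator inspects the head of a raw HTTP/1.x request for the kind of conditions a protocol check would flag: a malformed request line, a method outside a constructed allow-list, malformed or oversized header lines, a missing Host header on HTTP/1.1, and conflicting message-length headers. The allow-list, the size limit and the sample requests are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(1\.[01])$")
HEADER_NAME = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")   # RFC 7230 token
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}  # constructed allow-list
MAX_HEADER_LINE = 4096  # constructed size limit


@dataclass
class CheckResult:
    violations: List[str] = field(default_factory=list)
    headers: Dict[str, List[str]] = field(default_factory=dict)

    @property
    def ok(self) -> bool:
        return not self.violations


def check_request(raw: bytes) -> CheckResult:
    """Run protocol checks over the head of a raw HTTP/1.x request (body is not inspected)."""
    res = CheckResult()
    head, terminator, _body = raw.partition(b"\r\n\r\n")
    if not terminator:
        res.violations.append("request head not terminated by CRLF CRLF")
    try:
        text = head.decode("ascii")
    except UnicodeDecodeError:
        res.violations.append("non-ASCII bytes in request head")
        return res
    lines = text.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        res.violations.append(f"malformed request line: {lines[0]!r}")
        return res
    method, _target, version = m.groups()
    if method not in ALLOWED_METHODS:
        res.violations.append(f"method not allowed: {method}")
    for line in lines[1:]:
        if len(line) > MAX_HEADER_LINE:
            res.violations.append("header line exceeds size limit")
            continue
        if "\r" in line or "\n" in line:
            res.violations.append("bare CR or LF inside header line")
            continue
        name, colon, value = line.partition(":")
        # A missing colon, a non-token name, or leading whitespace (obsolete folding) is malformed.
        if not colon or not HEADER_NAME.match(name):
            res.violations.append(f"malformed header line: {line!r}")
            continue
        res.headers.setdefault(name.lower(), []).append(value.strip())
    if version == "1.1" and "host" not in res.headers:
        res.violations.append("HTTP/1.1 request without Host header")
    lengths = res.headers.get("content-length", [])
    if len(lengths) > 1 or any(not v.isdigit() for v in lengths):
        res.violations.append("invalid or repeated Content-Length")
    if lengths and "transfer-encoding" in res.headers:
        # Two competing message-length signals are the classic source of request-smuggling ambiguity.
        res.violations.append("Content-Length and Transfer-Encoding both present")
    return res


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
        b"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n",
        b"GET / HTTP/1.1\r\n\r\n",
        b"TRACE / HTTP/1.0\r\n\r\n",
        b"GET /\r\n\r\n",
    ]
    for s in samples:
        r = check_request(s)
        print("OK  " if r.ok else "FAIL", s.split(b"\r\n")[0], r.violations)
```

In a deployment the equivalent profile would decide, per check, whether a violation is logged or blocked; the validator above only reports, which is the right first step when a profile is rolled out against live traffic.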
DoS Protection
DoS Protection can both alert on and block network-based attacks. Within DoS Protection there are two key components: Protection Profiles and Device Protection.
Protection Profiles
AFM DoS protection can be configured at the Device level, and more specific DoS profiles can be applied to Virtual Servers for granular policy management. Protected Objects, for example, are objects that have a DoS Profile associated with them (as opposed to Device DoS). Protection Profile thresholds can be configured for Network, DNS or SIP. Once a Protection Profile is configured, it can be assigned to a Virtual Server.
Device Protection
AFM, by default, blocks common network-based attacks such as ARP Floods, Fragmentation attacks, etc. Within AFM, each of these attacks has a set of thresholds that can be adjusted. These thresholds define the point at which AFM should either alert or block the attack.
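The example below is added here (it is not the page's or F5's code) to show how the two threshold levels described in the last two sections interact: device-wide thresholds per attack vector, plus a tighter Protection Profile assigned to one virtual server (the Protected Object). Packets are bucketed per second; a rate above the alert threshold only raises an alert, a rate above the block threshold is cut back to that value and the excess is counted as dropped. The vector names, threshold values, virtual-server names and traffic samples are constructed, and "cut back to the threshold" is an assumption about mitigation behaviour made for the model.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Threshold:
    alert_pps: int  # detection threshold: rates above it raise an alert only
    block_pps: int  # mitigation threshold: rates above it are cut back to this value


Vector = str
ObjectName = str

# Constructed device-level thresholds, keyed by attack vector name.
DEVICE_THRESHOLDS: Dict[Vector, Threshold] = {
    "tcp-syn-flood": Threshold(alert_pps=1000, block_pps=5000),
    "icmp-flood": Threshold(alert_pps=500, block_pps=2000),
}

# Constructed DoS Protection Profile (tighter than the device) assigned to one virtual server.
PROFILE_THRESHOLDS: Dict[ObjectName, Dict[Vector, Threshold]] = {
    "vs_web_443": {"tcp-syn-flood": Threshold(alert_pps=100, block_pps=500)},
}


def classify(pps: int, t: Threshold) -> str:
    """Map a per-second rate to the state the thresholds define."""
    if pps > t.block_pps:
        return "block"
    if pps > t.alert_pps:
        return "alert"
    return "ok"


def evaluate_dos(events: Iterable[Tuple[float, Vector, ObjectName]],
                 device: Dict[Vector, Threshold] = DEVICE_THRESHOLDS,
                 profiles: Dict[ObjectName, Dict[Vector, Threshold]] = PROFILE_THRESHOLDS):
    """events: (timestamp_seconds, vector, virtual_server). Returns a report of the state of
    every (second, vector) at device level and every (second, object, vector) that has a
    profile threshold, plus a Counter of packets dropped above the block thresholds."""
    device_counts: Counter = Counter()
    object_counts: Counter = Counter()
    for ts, vec, vs in events:
        sec = int(ts)
        device_counts[(sec, vec)] += 1
        object_counts[(sec, vs, vec)] += 1
    report = {"device": {}, "object": {}}
    dropped: Counter = Counter()
    for (sec, vec), n in sorted(device_counts.items()):
        state = classify(n, device[vec])
        report["device"][(sec, vec)] = (n, state)
        if state == "block":
            dropped[("device", vec)] += n - device[vec].block_pps
    for (sec, vs, vec), n in sorted(object_counts.items()):
        t = profiles.get(vs, {}).get(vec)
        if t is None:
            continue  # no profile for this object and vector: only the device thresholds apply
        state = classify(n, t)
        report["object"][(sec, vs, vec)] = (n, state)
        if state == "block":
            dropped[(vs, vec)] += n - t.block_pps
    return report, dropped


def constructed_events() -> List[Tuple[float, Vector, ObjectName]]:
    """Constructed traffic: a SYN rate ramping up against vs_web_443 over three seconds,
    plus moderate SYN and ICMP traffic to vs_dns_53, which has no profile."""
    ev = []
    for sec, n in ((0, 40), (1, 150), (2, 600)):
        ev += [(sec + i / n, "tcp-syn-flood", "vs_web_443") for i in range(n)]
    ev += [(2 + i / 300, "tcp-syn-flood", "vs_dns_53") for i in range(300)]
    ev += [(2 + i / 20, "icmp-flood", "vs_dns_53") for i in range(20)]
    return ev


if __name__ == "__main__":
    report, dropped = evaluate_dos(constructed_events())
    for level in ("device", "object"):
        for key, (n, state) in report[level].items():
            print(level, key, n, "pps", state)
    print("dropped:", dict(dropped))
```

In the constructed traffic the device-wide SYN rate in second 2 is 900 pps, below the device alert threshold, so Device Protection alone would stay quiet; the profile on vs_web_443 sees 600 pps against its own 500 pps block threshold and mitigates. That is the practical reason for assigning Protection Profiles to individual virtual servers rather than relying on device-level thresholds sized for the whole box.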
Logging
AFM can be configured to either log locally or to send logs to a remote log server. Logging has three main components:
- Log Filters/Profiles - Define what to log. Configured via 'System > Logs > Configuration > Log Filters'
- Log Publishers - A container for one or more of the 'Log Destinations' described below. Configured via 'System > Logs > Configuration > Log Publishers'
- Log Destinations - Define where to send the logs. Configured via 'System > Logs > Configuration > Log Destinations'
To configure logging, the Log Destination is assigned to the Log Publisher. The Log Publisher is then assigned to a Logging Filter/Profile. This Logging Profile can then be assigned to Contexts (i.e. Virtual Servers). Otherwise, simply turn the profile on or off from within a global rule.
Conclusion
BIG-IP AFM is a high-performance, full-proxy network security solution designed to protect networks and data centers against incoming threats that enter the network on the most widely deployed protocols. This product’s unique application-centric design enables greater effectiveness in guarding against targeted network infrastructure-level attacks. Additionally, with BIG-IP AFM, organizations receive protection from more than 100 attack signatures—more hardware-based signatures than any other leading firewall vendor—along with unsurpassed programmability, interoperability, and visibility into threat conditions.