Ridiculously Easy Bot Protection: How to Use BIG-IP APM to Streamline Bot Defense Implementation

 

 

Ever imagined how your Bot solution implementation would be with a standard entry page at your application side--a page that’s easily referred, with clear parameters, and structured customization options?

In this article, we are exploring using F5 BIG-IP Access Policy Manager (BIG-IP APM) along side F5 Distributed Cloud Bot Defense (XC Bot Defense).

 

Bot defense solutions' challenges

Implementing bot defense solutions presents several challenges, each with unique considerations:

  1. Evolving Bot Tactics: Bot tactics constantly evolve, demanding adaptive detection methods to avoid both false positives (blocking legitimate users) and false negatives (allowing malicious bots through). Effective solutions must be highly flexible and responsive to these changes.

  2. Multi-Environment Integration: Bot defenses need to be deployed across diverse environments, including web, mobile, and APIs, adding layers of complexity to integration. Ensuring seamless protection across these platforms is critical.

  3. Balancing Security and Performance: Security measures must be balanced with performance to avoid degrading the user experience. A well-calibrated bot defense should secure the application without causing noticeable slowdowns or other disruptions for legitimate users.

  4. Data Privacy Compliance: Bot solutions often require extensive data collection, so adherence to data privacy laws is essential. Ensuring that bot defense practices align with regulatory standards helps avoid legal complications and maintains user trust.

  5. Resource Demands: Integrating bot defense with existing security stacks can be resource-intensive, both in terms of cost and skilled personnel. Proper configuration, monitoring, and maintenance require dedicated resources to ensure long-term effectiveness and efficiency.

 

What F5 BIG-IP APM brings to the table? 

For teams working on bot defense solutions, several operational challenges can arise:

  1. Targeted Implementation Complexity: Identifying the correct application page for applying bot defense is often a complex process. Teams must ensure the solution targets the page containing the specific parameters they want to protect, which can be time-consuming and resource-intensive.

  2. Adaptation to Application Changes: Changes like upgrades or redesigns of the application page often require adjustments to bot defenses. These modifications can translate into significant resource commitments, as teams work to ensure the bot solution remains aligned with the new page structure.

BIG-IP APM simplifies this process by making it easier to identify and target the correct page, reducing the time and resources needed for implementation. This allows technical and business resources to focus on more strategic priorities, such as fine-tuning bot defenses, optimizing protection, and enhancing application performance.

 

Architecture and traffic flow

In this section, let's explore how F5 XC Bot Defense and BIG-IP APM works together, let's list the prerequisites, 

  • F5 XC account with access to Bot Defense. 
  • APM licensed and provisioned. 
  • F5 BIG-IP min. v16.x for native connector integration. 
  • BIG-IP Self IP rechability to Internet to communicate with F5 XC, mainly to reach this domin (ibd-web.fastcache.net).

Now, time to go quickly through our beloved TMM packet order. Due to the nature of BIG-IP APM Access events take precedence to the Bot enforcement, hence we will rely on simple iRule to apply Bot Defense on BIG-IP APM logon page. 

  • BIG-IP Bot Defense is responsible for inserting the JS and passing traffic from client to APM VS back and forth. 
  • BIG-IP APM responsible for logon page, MFA, API security or SSO integrations to manage client Access to the backend application. 

 

Solution Implementation 

Let's start now with our solution implementation, 

  • F5 Distributed Cloud Bot defense connector with BIG-IP was discussed in details in this Article
    F5 Distributed Cloud Bot Defense on BIG-IP 17.1
    • You will follow the steps mentioned in the article, with few changes mentioned below, 
      • API Hostname Web:  ibd-web.fastcache.net
      • For Per-session policies we use /my.policy as the target URL, while for Per-request and MFA implementation, you need to add /vdesk/*.
      •  Protection Pool - Web: Create pool with FQDN ibd-web.fastcache.net
    • Virtual server, Create LTM virtual server to listen to incoming traffic, perform SSL offloading, HTTP profile and attach Bot Defense connector profile. 
    • Forwarding iRule, attach forwarding irule to the Bot virtual server. 

      when CLIENT_ACCEPTED { 
      ## Forwarding to the APM Virtual Server 
      virtual Auth_VS
      }
      

       

  • BIG-IP APM Policies, In this step we are creating two options of our deployment, 
    • Per-Session policy, where BIG-IP presents Logon page to the user. 
    • Per-Request policy, which services in case initial logon is handled at remote IdP and APM handles Per-request, MFA authentication or API security. 


Now, it's time to run the traffic and observe the results,

  • From client browser, we can see the customer1.js inserted,

 

  • From F5 XC Dashboard, 

 

Conclusion

The primary goal of incorporating BIG-IP APM into the Bot Defense solution is to strike a balance between accelerating application development across web and mobile platforms while enforcing consistent organizational bot policies. By decoupling application login and authentication from the application itself, this approach enables a more streamlined, optimized, and secure bot defense implementation. It allows development teams to concentrate on application performance and feature enhancements, knowing that security measures are robustly managed and seamlessly integrated into the infrastructure.

Related Content

Published Nov 06, 2024
Version 1.0