The Easy Button for WAF
At F5, I often think of the old BASF slogan “We don’t make a lot of the products you buy, we make a lot of the products you buy better.” And so it is with BIG-IP and applications. F5 doesn’t make the applications you use, F5 makes the applications you use better. Faster. More available. More secure.
As a security solutions architect, I spend a lot of time thinking about how to use BIG-IP for that last bit: more secure applications. Application security comes in many forms, including TLS encryption to improve confidentiality and pre-authentication to manage access. However, I spend a lot of time thinking, talking, and writing about Web Application Firewall (WAF) and all that it touches. Whether it’s for PCI compliance, bot detection, or overall threat mitigation, many organizations are seeking ways to prevent breaches. Most breaches involving data loss involve an SQL-injection exploit, which can be easily obfuscated to evade an IPS or open-source WAF such as mod_security.
No one wants a fine for failing to meet PCI compliance. And no one wants to be the next victim of a breach that dumps passwords, credit card numbers, or other sensitive data. That is easier said than done: even if we have the budget to acquire a WAF such as BIG-IP Application Security Manager (ASM), we may not have a full-time engineer capable of operating and maintaining it. The WAF administrator must possess a unique set of skills spanning the network, application, and security disciplines to understand what is and is not an appropriate and effective policy. I’ve written about operational application security challenges before, and most recently declared that WAF as we know it is dead.
We don’t want to be breached. But we don’t have the budget for a WAF and the engineer to attach to it. The application development team doesn’t seem able to patch these vulnerabilities fast enough to keep our CSO’s hair from falling out from risk-related stress.
Where do we go to address this need for application security without the expertise to deploy and manage it?
To the cloud, of course!
You may have heard about F5’s acquisition of Defense.net and the re-launch of the DoS scrubbing service as F5 Silverline. If you haven’t heard, click this FAQ link and get caught up. I’ll wait.
Up to speed? OK, good. Silverline DDoS Protection mitigates those pesky L3/4 volumetric attacks threatening to flood all our ISP links. Silverline WAF is here to go “the last mile” and protect our applications from those nasty L7 attacks, like SQL injection and cross-site scripting (XSS), reigning champions of the OWASP Top Ten. Unlike other cloud-based WAF services you may have heard about, F5 Silverline WAF isn’t based on open source mod_security. It’s the first WAF-aaS based on BIG-IP ASM.
That last part is important for a few reasons:
- BIG-IP ASM isn’t prone to evasion techniques such as the 150 published by former mod_security developer Ivan Ristic at Black Hat in 2012.
- Silverline WAF can easily import any existing BIG-IP ASM policies, and offers obvious future cloud + on-premises integration potential.
- Silverline WAF has access to the full range of bot detection, L7 DoS, client fingerprinting, and other advanced capabilities available in BIG-IP ASM, but not found in open source WAF solutions.
- Silverline WAF isn’t dependent upon a third-party, open-source WAF. F5 controls the development and maintenance of the entire technology stack for Silverline WAF.
F5 Silverline WAF is a fully managed service, meaning that your team specifies the sites needing protection and the scope of protection required, and the Silverline SOC takes care of the rest. The tightrope balancing act between the application security budget, talent, and requirements suddenly becomes a whole lot easier. And just in case you were wondering: all F5 Silverline data centers are fully PCI-compliant.