The BIG-IP Application Security Manager Part 1: What is the ASM?

tl;dr - BIG-IP Application Security Manager (ASM) is a layer 7 web application firewall (WAF) available on F5's BIG-IP platforms.

Introduction

This article series was written a while back, but we are re-introducing it as a part of our Security Month on DevCentral.  I hope you enjoy all the features of this very powerful module on the BIG-IP!

This is the first of a 10-part series on the BIG-IP ASM. This module is a very powerful and effective tool for defending your applications and your peace of mind, but what is it really? And, how do you configure it correctly and efficiently? How can you take advantage of all the features it has to offer? Well, the purpose of this article series is to answer these fundamental questions. So, join me as we dive into this really cool technology called the BIG-IP ASM!

The Basics

  • The BIG-IP ASM is a Layer 7 ICSA-certified Web Application Firewall (WAF) that provides application security in traditional, virtual, and private cloud environments.
  • It is built on TMOS...the universal product platform shared by all F5 BIG-IP products.
  • It can run on any of the F5 Application Delivery Platforms...BIG-IP Virtual Edition, BIG-IP 2000 -> 11050, and all the VIPRION blades.
  • It protects your applications from a myriad of network attacks including the OWASP Top 10 most critical web application security risks
  • It is able to adapt to constantly-changing applications in very dynamic network environments
  • It can run standalone or integrated with other modules like BIG-IP LTM, BIG-IP DNS, BIG-IP APM, etc

Why A Layer 7 Firewall?

Traditional network firewalls (Layer 3-4) do a great job preventing outsiders from accessing internal networks. But, these firewalls offer little to no support in the protection of application layer traffic. As David Holmes points out in his article series on F5 firewalls, threat vectors today are being introduced at all layers of the network. For example, the Slowloris and HTTP Flood attacks are Layer 7 attacks...a traditional network firewall would never stop these attacks. But, nonetheless, your application would still go down if/when it gets hit by one of these. So, it's important to defend your network with more than just a traditional Layer 3-4 firewall. That's where the ASM comes in...

Some Key Features

The ASM comes pre-loaded with over 2,200 attack signatures. These signatures form the foundation for the intelligence used to allow or block network traffic. If these 2,200+ signatures don't quite do the job for you, never fear...you can also build your own user-defined signatures. And, as we all know, network threats are always changing so the ASM is configured to download updated attack signatures on a regular basis.

Also, the ASM offers several different policy building features. Policy building can be difficult and time consuming, especially for sites that have a large number of pages. For example, DevCentral has over 55,000 pages...who wants to hand-write the policy for that?!? No one has that kind of time. Instead, you can let the system automatically build your policy based on what it learns from your application traffic, you can manually build a policy based on what you know about your traffic, or you can use external security scanning tools (WhiteHat Sentinel, QualysGuard, IBM AppScan, Cenzic Hailstorm, etc) to build your policy. In addition, the ASM comes configured with pre-built policies for several popular applications (SharePoint, Exchange, Oracle Portal, Oracle Application, Lotus Domino, etc).

Did you know? The BIG-IP ASM was the first WAF to integrate with a scanner. WhiteHat approached all the WAFs and asked about the concept of building a security policy around known vulnerabilities in the apps. All the other WAFs said "no"...F5 said "of course!" and thus began the first WAF-scanner integration.

The ASM also utilizes Geolocation and IP address intelligence to allow for more sophisticated and targeted defense measures. You can allow/block users from specific locations around the world, and you can block IP addresses that have built a bad reputation on other sites around the Internet. If they were doing bad things on some other site, why let them access yours?

The ASM is also built for Payment Card Industry Data Security Standard (PCI DSS) compliance. In fact, you can generate a real-time PCI compliance report at the click of a button! The ASM also comes loaded with the DataGuard feature that automatically blocks sensitive data (Credit Card numbers, SSN, etc) from being displayed in a browser.

In addition to the PCI reports, you can generate on-demand charts and graphs that show just about every detail of traffic statistics that you need. The following screenshot is a representative sample of some real traffic that I pulled off a site that uses the ASM. Pretty powerful stuff!

I could go on for days here...and I know you probably want me to, but I'll wrap it up for this first article. I hope you can see the value of the ASM both as a technical solution in the defense of your network and also a critical asset in the long-term strategic vision of your company.

So, if you already have an ASM and want to know more about it or if you don't have one yet and want to see what you're missing, come on back for the next article where I will talk about the cool features of policy building. 

  1. What is the BIG-IP ASM?
  2. Policy Building
  3. The Importance of File Types, Parameters, and URLs
  4. Attack Signatures
  5. XML Security
  6. IP Address Intelligence and Whitelisting
  7. Geolocation
  8. Data Guard
  9. Username and Session Awareness Tracking
  10. Event Logging

 

Published Feb 02, 2017
Version 1.0
ASM Advanced WAF
dcsecurity17
devcentral basics
firewall
security
tech tip

Was this article helpful?

6 Comments

Sort By
  • Zeeshan_01_1331's avatar
    Zeeshan_01_1331
    Icon for Nimbostratus rankNimbostratus
    Sep 06, 2013
    Hi John,

     

     

    I have AFM license on Viprion2400 Platform , do i need an additional license for ASM ?

     

     

    Thanks

     

    Zeeshan
  • ltwagnon's avatar
    ltwagnon
    Ret. Employee
    Sep 06, 2013
    Zeeshan, this is a great question...thanks for asking!

     

     

    Yes, you will likely need a license for each module...AFM, ASM, LTM, etc. Even though you have the AFM (which is also a security module, but focused on a different layer), the ASM is still a separate license. You can work with your Sales Engineer to verify this, though. I'm not sure about the details of your specific configuration, but as a general rule, you will need to get a license for each module.

     

     

    Thanks again for the question!
  • DavisLi's avatar
    DavisLi
    Icon for Employee rankEmployee
    Apr 28, 2016
    Your posts are all good stuff! A question, please: I get confused on the many marketed features of BIG-IP on whether certain features are included in the TMOS regardless of appliance model/VE editions versus features that are only available when you choose to purchase a particular module license. Example: SSL Offloading is available and part of TMOS. URL Filtering is a module-based feature when we buy Secure Web Gateway. If IP Intelligence a module-based feature with ASM or are they part of TMOS? I understand IP intelligence or URL filtering is a subscription-based license. Question is, which features are native to TMOS and which are add-on to the modules we buy? Thanks!
  • ClemsonPaul_174's avatar
    ClemsonPaul_174
    Icon for Nimbostratus rankNimbostratus
    Sep 13, 2018

    Is the ASM different from AWAF? If so, does it require a separate license from the best-bundle like the IP Intelligence license?

     

  • tbyerly_229301's avatar
    tbyerly_229301
    Historic F5 Account
    Dec 31, 2018

    @ClemsonPaul Yes ASM and AWAF are different products. AWAF takes ASM up several levels. AWAF includes Threat Campaign Protection, Advanced Bot Detection, L7 & Behavioral DoS, Credential Stuffing Protection and several more enhancements. IP Intelligence is an add-on as before.

     

  • james_lee_31100's avatar
    james_lee_31100
    Icon for Nimbostratus rankNimbostratus
    Mar 18, 2019

    Interesting production, I have following questions, hope someone could help to answer 1) Whatif the traffic is legit, but it cause web servers for database servers overload? 2) How ASM knows it is bot attack? 3) Whatif the traffic is from CDN like Akamai, which client IP address is on HTTP header only.