Today I would like to open this post to talk about the use of AWAF to protect APM. I know some use cases for this integration, but I would like to receive some suggestions based on your experience and present an interesting guide for making different integrations.
What do you think? Do you have any ideas for a use case other than:
* Use ASM to protect against brute force attacks on the login page of the APM portal.
  For more information on this integration, follow this link: https://my.f5.com/manage/s/article/K54217479. It works really well and enables us to show a CAPTCHA to the customer, but keep in mind that we have to configure really low thresholds in the brute force protection because APM has its own limit of logins.
* Use APM+ASM to protect APIs.
* Apply Bot Defense in the ASM layer to protect APM.
* General attack signature protection in ASM in front of the APM portal.
I've also wondered this. I'm sure there is a very good reason to put APM in front of ASM/AWAF, but you do lose a level of protection or visibility on that APM webtop.
Could the process be swopped? AWAF then APM?
Or maybe an AWAF plug-in for APM which can feed information back to the APM module to give you both levels of protection?
I like this kind of approach, which maximizes the use of BIG-IP modules to have more features with less complexity. Here are my two cents on this:
Note: this is under the assumption that we are using layered VSs, so a VS for AWAF and another VS for APM.
- Yes, we can utilize AWAF in front of APM for a couple of cases: the one you mentioned, brute force, and there's also bot defense.
- Apply an attack-signature-based policy to protect against common attacks before they reach APM.
- Apply specific parameter/URL restrictions before the traffic gets handled at the APM VS.
Note: if there is no explicit need, I would recommend putting APM at the front, before AWAF, because the AWAF processing cost is higher, so it might be good to have APM first check the incoming session and then pass it to AWAF, so that AWAF doesn't inspect traffic unnecessarily (for example, failed logins).
> You can make use of AFM as well, especially since AFM hits before APM, which allows you to protect against DoS, have a restrictive policy for APM access and make use of IPS in AFM.