23-Feb-2023 02:19 - edited 23-Feb-2023 09:39
Today I would like to open this post to talk about the use of AWAF to protect APM. I know some use cases for this integration, but I would like to receive some suggestions based on your experience and present an interesting guide for making different integrations.
What do you think? Do you have any idea of a use case different from:
* Use ASM to protect against brute force attacks on the login page of the APM portal.
  For more information about this integration, follow this link: https://my.f5.com/manage/s/article/K54217479. It works really well and enables us to show a captcha to the customer, but keep in mind that we have to configure really low thresholds in the brute force protection because APM has its own limit of logins.
* Use APM+ASM to protect APIs.
* Apply Bot defense in the ASM layer to protect APM.
* General attack signature protection in front of the ASM for the APM portal.
You know that APM is processing the traffic before ASM?
You can circumvent this only if you build a layered VS setup: ingress VS with ASM, layered VS with APM.
Yes, I know; I commented about the protection of the APM portal with the brute force protection of the WAF. But thanks, I'm looking for new features that we can use with this integration and whether it is something relevant for customers.
I've also wondered this. I'm sure there is a very good reason to put APM in front of ASM/AWAF, but you do lose a level of protection or visibility on that APM webtop.
Could the process be swapped? AWAF then APM?
Or maybe an AWAF plug-in for APM which can feed information back to the APM module to give you both levels of protection?
Yes, we can modify the behavior to process the ASM module first with a Virtual Server Layer and execute protections that can be applied when the APM is executed first, such as brute force protection.
I like this kind of approach, which maximizes the use of BIG-IP modules to have more features with less complexity. Here are my two cents on this:
Note: this is under the assumption that we are using layered VS, so one VS for AWAF and another VS for APM.
- Yes, we can utilize AWAF in front of APM for a couple of cases: the one you mentioned, brute force, and there's also bot defense.
- Apply an attack-signature-based policy to protect against common attacks before they reach APM.
- Apply specific parameter/URL restrictions before it gets handled at the APM VS.
Note: if there is no explicit need, I would recommend putting APM at the front, before AWAF, because AWAF processing cost is higher, so it might be good to get APM to first check the incoming session and then pass it to AWAF, so that AWAF doesn't inspect traffic unnecessarily (for example, failed logins).
> You can make use of AFM as well, especially since AFM hits before APM; that allows you to protect against DoS, have a restrictive policy for APM access and make use of IPS in AFM.