Technical Forum
Ask questions. Discover Answers.
cancel
Showing results for 
Search instead for 
Did you mean: 

f5 BIG-IP working as IPS

Marcos_Gaspar_G
Nimbostratus
Nimbostratus

Hello all

 

I would like to know if somebody has ever tried to make a BIG-IP appliance as an IPS solution, in order to replace for example any of the Gartner IPS leaders' quadrant solutions... I would think we are not able to do so, but I think I heard somebody saying that we can... could you please help me with this doubt? Thanks in advance!!

 

2 REPLIES 2

samstep
MVP
MVP

ASM can be used as a Layer7-only IPS (HTTP-based intrusions on ports 80/443). It will not cover lower layers, protocols other than HTTP/HTTPS and things like protocol-tunneling etc

 

James_Affeld
F5 Employee
F5 Employee

AFM has an IPS now, Protocol Inspection. It provides protocol compliance checks that implement a positive security model (the traffic must match or it is alerted/dropped/rejected), and signatures that implement a negative security model (matching traffic generates alerts/is dropped or rejected). The signatures implement a subset of the Snort rules language syntax, but the matching engine is different. There's a subscription service available for updated signatures, and users can write their own custom signatures. Custom signatures are a pain due to some validation bugs, but they show a lot of promise.

 

As a drop-in replacement for an industry-leading IPS, it's probably not viable at this point. As an enhancement where there's already a BIG-IP, yeah it could completely avoid the need to add another device.