Introduction
Who needs WAF anyway?
The Death of WAF?
Advanced WAF
Why F5?
https://laurent22.github.io/so-injections/
13 major airlines: flight information, credit card and personal data exposed over 1.5 years
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
https://www.paloaltonetworks.com/content/dam/paloaltonetworkscom/en_us/assets/pdf/tech-briefs/paloaltonetworks-vs-waf.pdf
BIG-IP ASM extends protection to more than application vulnerabilities:
- Attack visibility & logging
- Data leak protection
- Automatic policy building (dynamic configuration)
- Stop bad users (device ID)
- Protect web/API from L7 attack
- Prevent bot attack (DDoS, VA tools, web scraping, brute force, etc.)
1 Automatic Policy Building
Learned policy entities:
- Server technologies
- URLs & file types: /images/banner.jpg, /login.php, /css/design.css, /app/app.php, /js/jquery.js
- Parameters: name={alphanumeric, len=16}; address={any char, len=100}; file={multipart/form-data, maxsize=10mb}; price={numeric, tampering protection=on, len=10}
- Cookies: Cookie: name=value; Cookie: JSESSIONID=1A5306372...; Cookie: price=399;total=1399
Requests outside the learned policy (rejected): .exe, /admin/wp-admin, /login.php?name=jerrick; ls /etc/
(+) security model: enforcing legitimate traffic only
2 Protect Web/API from Known Attack
Example payloads: /etc/passwd; OR 1=1 --; %2527%2BOR%2B1%253D1%2B%2523; OR 1=1 --;
Covered attack classes: OWASP Top 10, parser attacks, buffer overflows, zero-day attacks, CSRF, cross-site scripting, parameter tampering, evasion techniques, forceful browsing, information leakage, malformed headers, session hijacking, SQL injection, command injection, RFI, and many more
(-) security model: protecting against known attacks
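To make the positive (slide 1) and negative (slide 2) security models concrete, here is a small request inspector written for this page (not F5 code): it enforces the learned parameter policy from slide 1 and matches the slide 2 payloads with three illustrative signatures, after undoing nested URL encoding. The policy dict, the signatures and the expected_price argument (standing in for the server-issued value used by tampering protection) are this example's own assumptions.

```python
import re
from urllib.parse import unquote_plus

# Positive security model: the URL and parameter policy learned on slide 1
# (values copied from the slide; the dict layout is this example's own).
PARAM_POLICY = {
    "name":    {"pattern": re.compile(r"^[A-Za-z0-9]*$"), "max_len": 16},
    "address": {"pattern": None, "max_len": 100},
    "price":   {"pattern": re.compile(r"^[0-9]+$"), "max_len": 10, "tamper_protect": True},
}
ALLOWED_URLS = {"/images/banner.jpg", "/login.php", "/css/design.css",
                "/app/app.php", "/js/jquery.js"}

# Negative security model: three signatures constructed from the slide 2 payloads.
# They are illustrative only, not ASM's signature set.
SIGNATURES = [
    ("sql-injection",     re.compile(r"\bOR\s+1\s*=\s*1\b", re.I)),
    ("path-traversal",    re.compile(r"/etc/passwd")),
    ("command-injection", re.compile(r";\s*(ls|cat)\b")),
]

def fully_decode(value, max_rounds=3):
    """Undo nested URL encoding so the double-encoded %2527%2BOR... payload is
    inspected as "' OR 1=1 #" (the evasion-technique case the slide lists)."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(path, query, expected_price=None):
    """Return the list of violations for one GET request. expected_price is the
    value the WAF remembered for the tamper-protected 'price' parameter (assumed)."""
    violations = []
    if path not in ALLOWED_URLS:
        violations.append(f"url not in policy: {path}")
    for pair in filter(None, query.split("&")):
        key, _, raw = pair.partition("=")
        value = fully_decode(raw)
        for sig_name, rx in SIGNATURES:               # negative model first
            if rx.search(value):
                violations.append(f"{sig_name} in parameter {key}")
        rule = PARAM_POLICY.get(key)                  # then positive model
        if rule is None:
            violations.append(f"parameter not in policy: {key}")
            continue
        if len(value) > rule["max_len"]:
            violations.append(f"{key} too long ({len(value)} > {rule['max_len']})")
        if rule["pattern"] and not rule["pattern"].match(value):
            violations.append(f"{key} fails type check")
        if rule.get("tamper_protect") and expected_price is not None and value != expected_price:
            violations.append(f"{key} tampered ({value} != {expected_price})")
    return violations
```

The /etc/passwd case shows why both models are kept: address accepts any character under the positive policy, so only the signature catches it.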
3 Prevent Bot Attack
Incapsula Bot Traffic Report 2016:
- 48% of traffic generated by humans
- 23% of traffic generated by good bots like Bing, Google Bot
- 29% of traffic generated by bad bots like scanners, password guessing
3 Prevent Bot Attack
- Validate bot or human on initial site access
- Differentiate good bots and bad bots
- Scraping and brute-force protection
- Real-time challenge (JavaScript and CAPTCHA)
Traffic classes: Human, Good Bot, Bad Bot
4 Stop Bad Users
- Stop unique device/browser access (browser fingerprinting)
- Stop users/sessions that trigger violations (session tracking): persistent attacker, anonymous proxy, vulnerability scanner
- Stop users with bad IP reputation
- Stop users from a specific country/region (geolocation)
5 Mask Sensitive Data
Original: Cc=4012 8888 9999 1881
Masked:   Cc=#### #### #### ####
6 See Hostile Traffic
Diagram: Regular user -> Network Firewall (Allow TCP/80, TCP/443) -> Web server -> App server -> DB server
80/20 RULE
Cross-site scripting, information leakage and injection are responsible for 78% (roughly 80%) of all vulnerabilities
WHY F5?
F5 is the only vendor who uses the same product for cloud-based as on-premises, which enables simple policy sharing and improved security effectiveness.
- Virtual Edition: secures applications deployed in virtualized and IaaS environments
- Datacenter Appliance: protects business-critical applications in the datacenter
- WAF as a Service: immediately turn on new services or scale existing protections without capital investment and resource requirements
Gartner Magic Quadrant for WAF
F5 Networks positioned as a Leader in the 2017 Gartner Magic Quadrant for Web Application Firewalls*. F5 is highest in execution within the Leaders Quadrant.
* Gartner, Magic Quadrant for Web Application Firewalls, Jeremy D'Hoinne, Adam Hils, Claudio Neiva, 7 August 2017. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from F5 Networks. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Gartner Magic Quadrant for ADC+WAF?
Figure 1. Magic Quadrant for Application Delivery Controllers. Source: Gartner (August 2016)
Tzoori Tamam, F5 WAF Product Manager
DevCentral: https://devcentral.f5.com/
AskF5/Support: https://ask.f5.com/
iHealth: https://ihealth.f5.com/
University: https://university.f5.com/