Netprice, Ltd. (“netprice”) is an Internet-based retailer whose business model depends on the smooth functioning of numerous web servers grouped by function. The company used load balancers to control access to them, but the time had come to replace the aging OS they were running on, and the company had long wanted to deploy a web application firewall (WAF). In 2016, netprice chose an F5 solution as the much-needed WAF.
Netprice was founded in 1999 and runs a website, launched in 2000, that is marked by a unique group (collective) buying scheme with several characteristics that set it apart from most other ecommerce sites, including daily specials and a 30-day returns policy for customers who are dissatisfied with their purchases. Netprice now enjoys an aggregate 2.5-million strong customer base and is particularly popular among busy women in their 30s and 40s.
Netprice’s challenge was deploying a WAF with minimal service disruption, at a low cost, and with as little workload increase as possible.
“In building our web applications, we’ve always been mindful of secure coding, and we’ve never suffered any real damage from an attack targeting applications,” says Keisuke Takahashi, Manager of Technology Headquarters at netprice. “But enhancing security by blocking threats before they could even reach our applications was something we’d wanted to do for a long time,” he adds.
Takahashi and his team had been talking about deploying a WAF since 2009, but their deliberations never led to an actual deployment. Back then, WAFs were still uncommon and seemed too expensive.
Netprice had originally deployed F5 BIG-IP Local Traffic Manager (LTM) for load balancing in 2006. Discussion came to a head with the impending need to replace the F5 TMOS operating system used with BIG-IP LTM. Since the operating system was getting old, the time had come to move on to the latest iteration.
In December 2015, netprice decided to deploy a WAF when migrating their BIG-IP LTM installation to the new TMOS. After consulting with Tokyo Electron Devices (TED), a partner for many years, they decided to adopt BIG-IP Application Security Manager (ASM)—F5’s comprehensive WAF—to do the job.
Two factors made BIG-IP ASM their choice. The first was that the product eliminates any need for additional hardware. It runs on the same platform as BIG-IP LTM, so they only needed to enable BIG-IP ASM to reap its benefits. This also helped keep the deployment cost down. “A huge attraction of BIG-IP ASM was that we could install it after migrating BIG-IP LTM and without changing the network configuration at all,” says Takahashi.
The second factor was that BIG-IP ASM can be managed from the same console as BIG-IP LTM. In deploying BIG-IP ASM, netprice looked forward to minimizing the workload for running the system while enjoying all the advantages of having a WAF in place.
TED took on the task of replacing the old version of TMOS, which involved adjusting BIG-IP LTM’s settings and migrating the F5 iRules scripts. They were able to get the new system working exactly as the old one had without incident or disruption, and launched it in April 2016. Then in May, netprice’s IT personnel activated BIG-IP ASM and started running it in logging mode. With TED’s support, they tweaked the signature database several times to fine-tune it, and eventually switched BIG-IP ASM to blocking mode in June 2017.
“Since this was the first time we’d ever used a WAF, initially we were unsure about getting the settings right; but with TED’s help, deployment went smoothly,” says Takahashi. He adds that thanks to TED’s meticulous training—encompassing BIG-IP ASM functions and practical tips—netprice personnel have been able to run the system by themselves without incident. “WAF is a very sophisticated feature, and we were afraid we might not be up to the task of deploying it. But TED assuaged those fears, showing us how easily it could be done. They were essential in helping us reap the benefits of BIG-IP ASM’s full potential.”
To ensure that its web applications would be fully shielded from cyberattacks, netprice began by running BIG-IP ASM in logging mode to gather data on the attacks hitting its system, thus making them visible. A year later, the company switched the product to blocking mode to stop attacks before they reach the web applications. This has not only relieved the IT personnel of much of the worry of running the system, but also helped reduce the load on the company’s web servers.
One thing Takahashi learned running BIG-IP ASM in logging mode was just how frequently netprice’s systems are subject to assault. “Cyberattacks from outside far exceeded anything we’d imagined,” he says. “Several thousand attacks a day was routine, and there were days when we were hit by as many as 160,000. We were surprised by how few were from within Japan and how many were from overseas, headed up by China and the U.S.”
The most prominent among the attacks were SQL injection, cross-site scripting (XSS), and, most of all, exploits targeting OSS vulnerabilities in applications like WordPress.
Once BIG-IP ASM was switched to blocking mode, the load on netprice’s web servers dropped significantly: it now stops tens of thousands of attack-generated accesses that arrive daily. The size of the web server log files stabilized, too, whereas previously they would often suddenly balloon. Takahashi now knows that cyberattacks were the main cause.
“Before, whenever the web server logs would suddenly explode, we had to go through them with a fine-toothed comb to uncover the cause. But now that BIG-IP ASM logs cyberattacks and the web servers log other incidents, it’s much easier for us to sort issues out and pinpoint causes when faults occur.”
BIG-IP ASM also processes SSL at netprice. This means that, in addition to reducing the load on the company’s web servers, it also lightens the SSL certificate management load. And a concomitant reduction in the number of certificates helps keep costs down.
Takahashi and his team are looking for other ways to get the most out of their new WAF. Their BIG-IP ASM installation currently uses signature-based detection to sniff out threats, so they also have to tune it. They are therefore studying the product’s other detection methods to see whether they can use them to lighten that burden as well.