Today, enterprises are extending their businesses by using web-based and cloud-hosted applications, so having a robust and agile web application firewall (WAF) in place to protect them from security threats isn't a luxury—it's a necessity.
As these web- and cloud-based applications spread more rapidly, attacks become increasingly sophisticated and frequent, threatening enterprises' critical data and operations. This makes it far more difficult for administrators and security teams to keep up to date on the latest attacks and protection measures. At the same time, they must meet stringent compliance requirements for online commerce (e.g., Payment Card Industry Data Security Standard); protect business-critical web applications from common attacks such as SQL injection, DDoS attacks, and multifaceted zero-day attacks; and enable secured data sharing across traditional and cloud environments.
Enterprises can employ a combination of techniques to ensure accurate detection coverage that does not block legitimate traffic. Traditionally, the most widely used WAF configuration has been a negative security model, which allows all transactions except those that contain a threat/attack. Negative security utilizes signatures and rules designed to detect known threats and attacks. The signature rules database will be quite substantial, as attack knowledge has built up over the years. This is a great model for out-of-the-box protection, blocking commonly known threats including web injections, OWASP Top 10 threats, cross-site scripting (XSS), and more.
In recent years, positive security models have become more popular. This approach blocks all traffic, allowing only those transactions that are known to be valid and safe. The positive approach is based on strict content validation and statistical analysis, which can be more effective in preventing zero-day threats and vulnerability manipulation. To be truly effective, a positive security approach requires deep knowledge of the application and its expected uses.
Positive and negative models are both capable of achieving the delicate balance between "security" and "functionality." However, neither a positive nor negative security model alone can deliver the most economical solution in every situation or environment. When merged with business requirements, an integrated positive and negative approach can enable organizations to realize the greatest ROI from any security policy implementation.
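To make the two models concrete, here is an added illustration (not F5 code, and not how BIG-IP Advanced WAF implements its policies): a small evaluator that applies a negative model (a constructed subset of attack signatures), a positive model (a hypothetical per-parameter allowlist for one `/login` endpoint), or both, to constructed sample query strings. The signature patterns, parameter schema and sample requests are all assumptions made for this example.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Negative model: signatures for known attack patterns.
# Constructed, illustrative subset only; a real signature database is far larger.
SIGNATURES = {
    "sqli": re.compile(r"(?i)(union\s+select|or\s+1\s*=\s*1|--\s*$)"),
    "xss": re.compile(r"(?i)(<script|javascript:|onerror\s*=)"),
}

# Positive model: allowlist of parameters and value formats for one endpoint.
# Hypothetical schema for a /login form, constructed for this example.
ALLOWED_PARAMS = {
    "user": re.compile(r"^[A-Za-z0-9_.]{1,32}$"),
    "pass": re.compile(r"^.{8,64}$"),
}

def negative_check(query: str) -> list:
    """Names of signatures matching anywhere in the URL-decoded query string."""
    decoded = unquote_plus(query)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def positive_check(query: str) -> list:
    """Violations of the allowlist: unknown parameters or malformed values."""
    violations = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        rx = ALLOWED_PARAMS.get(name)
        if rx is None:
            violations.append(f"unknown parameter {name}")
            continue
        violations += [f"invalid value for {name}" for v in values if not rx.fullmatch(v)]
    return violations

def evaluate(query: str, mode: str = "integrated") -> dict:
    """Decide allow/block for a query under 'negative', 'positive' or 'integrated' mode."""
    reasons = []
    if mode in ("negative", "integrated"):
        reasons += [f"signature:{s}" for s in negative_check(query)]
    if mode in ("positive", "integrated"):
        reasons += [f"policy:{v}" for v in positive_check(query)]
    return {"decision": "block" if reasons else "allow", "reasons": reasons}

if __name__ == "__main__":
    # Constructed sample requests: clean login, an unexpected extra parameter
    # (only the positive model catches it), and a well-formed value carrying a
    # known pattern (only the negative model catches it).
    for q in ("user=alice&pass=correct-horse",
              "user=alice&pass=longenough&debug=1",
              "user=bob&pass=%3Cscript%3Ehello"):
        for mode in ("negative", "positive", "integrated"):
            print(mode, q, evaluate(q, mode))
```

The last two samples show why the page argues for combining the models: the unknown `debug` parameter passes every signature but fails the allowlist, while the `<script` value fits the loose password format but trips a signature.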
Making the appropriate decisions for a WAF deployment that best meets business objectives can be a challenge. The need for time and resources usually competes with the need for adequate know-how and confidence in using the selected product.
There are multiple steps a customer will need to undertake when planning and delivering a WAF service implementation project:
BIG-IP Advanced WAF offers a comprehensive set of functions: multiple deployment methods (including the real-traffic policy builder), manual learning, and advanced features such as vulnerability scanner integration, attack signatures, brute force prevention, geolocation enforcement, bot detection, DDoS mitigation, and more. Together these enable rapid fit-for-purpose configurations that can then scale and improve to address the evolving world of threats and meet the most demanding customer requirements.
F5 Professional Services created the Advanced WAF Launchpad service specifically for customers who have purchased, and sometimes even provisioned, the Advanced WAF BIG-IP module but have not yet deployed an effective WAF service (e.g., only a few policies, running in transparent mode only).
The Advanced WAF Launchpad service can provide the benefit of F5 Professional Services expertise and experience to help customers overcome specific use-case problems and engage in a successful Advanced WAF implementation project.
The service involves collaboration between a security expert from F5 Professional Services and the customer's security, infrastructure, network, and application management teams.
The two-fold objective of the service is to develop a fit-for-purpose Advanced WAF policy implementation strategy using F5 best practices, and to transfer know-how and expertise that can be directly put into practice by the customer.
The service is a two-day engagement during which the theory and practice of Advanced WAF functionalities, deployments, and management requirements are covered to ensure customers have the confidence and ability to implement effective Advanced WAF solutions for optimum application security.
The first day of the engagement starts with a working session that involves the security architects, designers, engineers, operations, and other stakeholders in charge of Advanced WAF security policy management. The F5 Consultant will drive data gathering and impartial analysis of the existing context and objectives, provide recommendations and best practices, and lead a thorough review to develop a high-level design and implementation strategy.
At the end of that first day, the F5 Consultant will prepare a report which will highlight findings and recommendations.
This step consists of creating a policy and applying it to a virtual server to cover one given web application. It can be performed at once or can be split into separate sub-tasks to suit the selected policy implementation strategy.
For example, implementing a policy on a customer testbed with the rapid deployment method may be performed in one session, whereas generating a policy with the Automatic Policy Builder (i.e., where "real" traffic is available to be inspected over an extended period) may be split into one sub-task to set up the basic policy and a later sub-task to tune the policy and transition it to blocking mode.
Live support from a skilled consultant with the relevant expertise and experience has very often proven to be the best solution to put a WAF service deployment project on the right track and help Advanced WAF owners make educated and efficient decisions.
For more information about the BIG-IP Advanced WAF Launchpad service, please contact F5 Professional Services.