Whitepaper

Advanced Web Application Firewall (WAF) Launchpad

Why do organizations need a WAF?

Today, enterprises are extending their businesses by using web-based and cloud-hosted applications, so having a robust and agile web application firewall (WAF) in place to protect them from security threats isn't a luxury—it's a necessity.

As these web- and cloud-based applications spread more rapidly, attacks become increasingly sophisticated and frequent, threatening enterprises' critical data and operations. This makes it far more difficult for administrators and security teams to keep up to date on the latest attacks and protection measures. At the same time, they must meet stringent compliance requirements for online commerce (e.g., Payment Card Industry Data Security Standard); protect business-critical web applications from common attacks such as SQL injection, DDoS attacks, and multifaceted zero-day attacks; and enable secured data sharing across traditional and cloud environments.

What does it take to deploy a WAF?

Enterprises can employ a combination of techniques to ensure accurate detection coverage that does not block legitimate traffic. Traditionally, the most widely used WAF configuration has been a negative security model, which allows all transactions except those that contain a threat/attack. Negative security utilizes signatures and rules designed to detect known threats and attacks. The signature rules database will be quite substantial, as attack knowledge has built up over the years. This is a great model for out-of-the-box protection, blocking commonly known threats including web injections, OWASP Top 10 threats, cross-site scripting (XSS), and more.

In recent years, positive security models have become more popular. This approach blocks all traffic, allowing only those transactions that are known to be valid and safe. The positive approach is based on strict content validation and statistical analysis, which can be more effective in preventing zero-day threats and vulnerability manipulation. To be truly effective, a positive security approach requires deep knowledge of the application and its expected uses.

Challenges
Multiple interlocked steps to undertake

Positive and negative models are both capable of achieving the delicate balance between "security" and "functionality." However, neither a positive nor negative security model alone can deliver the most economical solution in every situation or environment. When merged with business requirements, an integrated positive and negative approach can enable organizations to realize the greatest ROI from any security policy implementation.

Making the appropriate decisions for a WAF deployment that best meets business objectives can be a challenge. The need for time and resources usually competes with the need for adequate know-how and confidence in using the selected product.

There are multiple steps a customer will need to undertake when planning and delivering a WAF service implementation project:

  1. Build the “most appropriate” WAF strategy and get it approved by all internal stakeholders.
  2. Efficiently use the WAF product to implement the correct set of policies and parameters.
  3. Plan for the WAF service deployment, often over several hundreds of applications.
  4. Plan for the day-to-day service operations and lifecycle management in production.
Each step offers common challenges
  • Corporate and Business security requirements (or expectations) do not always take full consideration of technical, operational, and resource constraints. The temptation then is to try to meet a high-level objective by designing a very sophisticated strategy before making sure the organization has put everything required in place to make that objective achievable. A neutral assessment and analysis of the situation can be necessary to solve this issue in many cases.
  • The balance between application availability, required by business owners, and the level of protection required by the CISO team is not always easy to achieve. For example, business owners don't want their applications blocked due to false positive or WAF policies being too restrictive. Again here, an impartial and educated assessment and analysis of the situation can help organizations find the right balance and prepare mitigation plans to address possible impacts on production.
  • Attending software-vendor training or passing product certification is highly recommended, but it will never save the effort of practicing within the actual company context, objectives, and constraints.
  • One of the questions customers very often struggle with is how to go about securing a large number of applications. Quite often though, the volume itself is not the main problem, whereas the quality and completeness of information available for each application can indeed hinder a WAF project and should lead to further considerations of the design and implementation strategy. Experience with WAF implementations will be extremely helpful to discover relevant criteria and establish characterization and groupings of applications, and to adapt the overall WAF service design and implementation strategy.
  • Often, customers forget to include upfront considerations of later steps to ensure feasibility and supportability. That is probably the most frequently made mistake (i.e., designing and planning the solution without studying the implications of the selected design and implementation models when operating that solution on the long-term in a production environment). A common example is the underestimation of the resources required to maintain highly sophisticated WAF policies while the entire environment faces regular changes from all parts: threats, mitigations, application releases, etc.
The F5 Solution
F5 Professional Services customizes the solution for your environment

The comprehensive set of functions of BIG-IP Advanced WAF, such as multiple deployment methods (including real traffic policy builder); manual learning; and advanced features such as vulnerability scanner integration, attack signatures, brute force prevention, geolocation enforcement, bot detection, DDoS Mitigation, and more enable rapid fit-for-purpose configurations that can then scale and improve to address the evolving world of threats and meet the most demanding of customer requirements.

F5 Professional Services specifically created the Advanced WAF Launchpad service for customers who purchased and sometimes even provisioned the Advanced WAF BIG-IP module, but who have not deployed an effective WAF service yet (e.g., with few policies only in transparent mode).

The Advanced WAF Launchpad service can provide the benefit of F5 Professional Services expertise and experience to help customers overcome specific use-case problems and engage in a successful Advanced WAF implementation project.

Service scope

The service involves collaboration between a security expert from F5 Professional Services and the customer's security, infrastructure, network, and application management teams.

The two-fold objective of the service is to develop a fit-for-purpose Advanced WAF policy implementation strategy using F5 best practices, and to transfer know-how and expertise that can be directly put into practice by the customer.

Service delivery approach

The service is a two-day engagement during which the theory and practice of Advanced WAF functionalities, deployments, and management requirements are covered to ensure customers have the confidence and ability to implement effective Advanced WAF solutions for optimum application security.

Step 1: Advanced WAF design and deployment strategy

The first day of the engagement starts with a working session that involves the security architects, designers, engineers, operations, and other stakeholders in charge of Advanced WAF security policy management. The F5 Consultant will drive data gathering and impartial analysis of the existing context and objectives, provide recommendations and best practices, and conduct thorough reflections to develop a high-level design and implementation strategy.

At the end of that first day, the F5 Consultant will prepare a report which will highlight findings and recommendations.

Step 2: Policy creation and implementation

This step consists of creating a policy and applying it to a virtual server to cover one given web application. It can be performed at once or can be split into separate sub-tasks to suit the selected policy implementation strategy.

For example, a policy implementation into a customer testbed with the rapid deployment method may be performed in one session, whereas the generation of a policy using the Automatic Policy Builder (i.e., where "real" traffic is available to be inspected over an extended period) may be split into one sub-task to set up the basic policy, and another sub-task later to perform policy tuning and transition to blocking mode.

Conclusion

Live support from a skilled consultant with the relevant expertise and experience has very often proven to be the best solution to put a WAF service deployment project on the right track and help Advanced WAF owners make educated and efficient decisions.

For more information about the BIG-IP Advanced WAF Launchpad service, please contact F5 Professional Services.

Published March 21, 2018
  • Share to Facebook
  • Share to X
  • Share to Linkedin
  • Share to email
  • Share via AddThis

Connect with F5

F5 Labs

The latest in application threat intelligence.

Go to F5 Labs

DevCentral

The F5 community for discussion forums and expert articles.

Go to DevCentral

F5 Newsroom

News, F5 blogs, and more.

Go to the newsroom