F5 Advanced WAF - Softchoice · Why is F5 Advanced WAF deployed inline? F5 believes an inline, full...

FAQ F5 Advanced WAF

1

FAQ

F5 Advanced WAF

September 2018

FAQ F5 Advanced WAF

2

Contents

Packaging .......................................................................................................................................................... 5

Deployment Scenarios ...................................................................................................................................... 8

Use Cases .......................................................................................................................................................... 8

Positioning ...................................................................................................................................................... 10

Migration ........................................................................................................................................................ 12

Pricing ............................................................................................................................................................. 14

Resources ........................................................................................................................................................ 14

FAQ F5 Advanced WAF

US Headquarters: 401 Elliott Ave W, Seattle, WA 98119 | 888-882-4447

[email protected]

©2018 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries.

Other F5 trademarks are identified at f5.com. Any other products, services, or company names referenced herein may be trademarks of the respective owners

with no endorsement or affiliation, expressed or implied, claimed by F5. TMPL-CORE-215662710 | 03.18

Product Overview

What is F5 announcing? F5 is releasing a new product called Advanced WAF. Availability is targeted for Q2 FY18. The new offering will be

highlighted in the App Protection marketing campaign starting in April 2018.

Why is F5 releasing Advanced WAF? F5 is re-defining web application security to address the most prevalent threats customers are facing today:

• Automated attacks and bots that overwhelm existing security solutions

• Web attacks that steal credentials and gain unauthorized access across user accounts

• Application layer attacks that evade signature and reputation-based security solutions

• New attack surfaces and threats due to the rapid adoption of APIs

Advanced WAF provides a dedicated solution for application security that targets the security buyer with differentiated

capabilities.

What is a WAF? A WAF is an application-layer security solution that sits in-front of an application to protect against attacks or

vulnerabilities without having to change the application itself.

Web Application Firewalls (WAFs) protect applications from common attacks such as cross-site scripting (XSS) and

SQL injection. A WAF is different from a regular firewall in that a WAF is able to filter the content of specific web

applications while network firewalls provide port filtering and segmentation. WAF solutions are capable of preventing

attacks that network firewalls and intrusion detection systems can't, and they do not require modification of application

source code.

What is an Advanced WAF? The term "Advanced WAF" describes protection that goes beyond the traditional WAF functions by adding security

capabilities needed to defend against current threats.

F5 Advanced WAF introduces new capabilities that are unique in the WAF market:

• Bot detection beyond signatures and reputation to block evolving automated attacks

• Application layer encryption to protect against credential theft

• L7 DDoS detection using machine learning and behavioral analytics for high accuracy

FAQ F5 Advanced WAF


[email protected]




An advanced WAF has the following capabilities:

• Protection from Web Exploits and application vulnerabilities (CVEs)

• Bot protection

• Protection from credential attacks

• The ability to use real-time threat intelligence and reputation

• L7 DDoS mitigation based on machine learning and behavioral analytics

• API Security

Things to consider when evaluating an advanced WAF:

Bot Protection:

Detection goes beyond signatures and reputation to accurately detect malicious and benign bots using client behavioral

analysis, server performance monitoring, and escalating JavaScript/CAPTCHA challenges

Credential Attacks:

Protects against attacks that can steal credentials from the user’s browser (e.g. keyloggers), from data in transit (e.g.

MiTM), and/or from the server (e.g. vulnerabilities/data leakage)

Performance:

Scalable full proxy deployment with integrated TLS/SSL decryption and hardware acceleration

Flexible Deployment:

Available as a hardware appliance/chassis for the Data Center, and software for private/public Cloud.

What F5 products support Advanced WAF? Initially, Advanced WAF will be supported on the following BIG-IP platforms:

• iSeries i2x00, i4x00, i5x00, i7x00, i10x00, i11x00, i15x00

• BIG-IP 2000s/2200s, 4000s/4200v, 5050s/5250v, 705Xs/72XXv, 10XXXv/10X5Xs, 12250v

• VIPRION 2400 series

• VIPRION 4400 series

• BIG-IP Virtual Edition in Private Cloud: 25 Mbps, 200 Mbps, 1 Gbps

• High Performance VE (8 cores, 12 cores, 16 cores)

• BIG-IP Virtual Edition in Public Cloud marketplaces (Amazon, Azure)

Note: Support for the Google Cloud Platform is coming soon.

FAQ F5 Advanced WAF


[email protected]




Does Advanced WAF support FIPS? Advanced WAF can be added to FIPS certified BIG-IP platforms running Local Traffic Manager (LTM). Standalone

Advanced WAF on FIPS certified platforms is on the roadmap.

Is Advanced WAF certified by ICSA Labs? Advanced WAF can be added to ICSA-certified BIG-IP platforms running Local Traffic Manager (LTM).

Packaging

What version of BIG-IP supports Advanced WAF? Advanced WAF is supported beginning in BIG-IP version 13.1.0.2.

What is included in F5 Advanced WAF? F5 Advanced WAF includes all features found in ASM and adds additional capabilities:

FAQ F5 Advanced WAF


[email protected]




What is Base ADC? Base ADC refers to Application Delivery capabilities found in BIG-IP LTM such as SSL offload and load balancing.

What is L7 DDoS? L7 DDoS refers to comprehensive application layer DDoS mitigation capabilities found in Advanced WAF.

What is WAF? WAF refers to core ASM capabilities such as OWASP Top 10 protection.

What is API Security? API Security refers to a future add-on to Advanced WAF.

What is Anti-Bot (A.Bot)? Anti-Bot (A.Bot) refers to bot protection.

What is Anti-Bot Mobile SDK (A.Bot M)? Anti-Bot Mobile SDK (A.Bot M) refers to bot protection specific to mobile apps. The Anti-Bot Mobile SDK is available as

an add-on to Advanced WAF and ASM.

Mobile apps do not support JavaScript. JavaScript is a primary technique used to detect automated attacks and bots.

Mobile apps that do not support JavaScript cannot be protected by many traditional bot mitigation techniques.

Customers can eliminate the risk of automated attacks by establishing a Whitelist using the Mobile SDK.

Anti-Bot Mobile SDK uses a Whitelist to establish trust based on an embedded software package within the customer’s

application code, and corresponding cookie verification by Advanced WAF.

How is the Anti-Bot Mobile SDK Deployed? Traditionally, Software Development Kits (SDKs) require a developer to combine the mobile SDK and the customer’s

own mobile application code. F5, through a partnership with Appdome, removes SDK limitations that require manual

integration of SDKs to apps; enabling rapid integration and less deployment cycles. The components of the Anti-Bot

Mobile SDK include the SDK, Advanced WAF, and Appdome.

What is DataSafe? DataSafe refers to Application Layer Encryption, which allows Advanced WAF to protect credentials and sensitive fields

from compromise at the client/browser level.

FAQ F5 Advanced WAF


[email protected]




What is Behavioral DoS Unlimited? Behavioral DOS Unlimited refers to behavioral DoS (BDoS) support across all virtual servers.

What is Upstream Signaling? Upstream Signaling refers to the capability for an on-premise Advanced WAF solution to re-direct traffic to F5 Silverline

during an attack. This capability is available today through an iApp.

What is Credential Stuffing DB? Credential Stuffing Database; a future subscription service for Advanced WAF that leverages a threat feed of known

stolen credentials. The initial launch of Advanced WAF supports Early Access (EA) of the Credential Stuffing DB.

What is Threat Campaign? Threat Campaign refers to a future subscription service for Advanced WAF that includes unique signatures and

metadata to mitigate current malicious campaigns with high accuracy.

What is C. Device ID? Centralized Device ID; a future subscription service for Advanced WAF that leverages a central repository of Device

IDs.

When will Advanced WAF be available in Public Clouds? Advanced WAF is available today in the Amazon and Azure marketplaces. Support for the Google Cloud Platform is

coming soon.

When will Advanced WAF be available in F5 Silverline? Planning is underway to support Advanced WAF in F5 Silverline.

Can Advanced WAF be part of Enterprise Licensing Agreement (ELA)?

Yes. Advanced WAF is offered through the ELA program.

Is Application Layer Encryption (DataSafe) available for ASM? Yes, DataSafe is available as an add-on option for ASM.

Is Anti-Bot Mobile SDK (ABM) available for ASM? Yes, Anti-Bot Mobile SDK is available as an add-on for both Advanced WAF and ASM.

FAQ F5 Advanced WAF


[email protected]




Why would a customer purchase Advanced WAF instead of ASM? Advanced WAF has unlimited Behavioral DoS support, and is the platform for future security enhancements such as

Credential Stuffing DB, Threat Campaign, C. Device ID subscriptions, and automated signaling to F5 Silverline.

Deployment Scenarios

How is F5 Advanced WAF deployed? F5 Advanced WAF leverages the same inline full proxy architecture as existing BIG-IP solutions. Other deployment

scenarios such as L2 Transparent (non-proxy) are supported.

Why is F5 Advanced WAF deployed inline? F5 believes an inline, full proxy architecture is the most superior deployment model for detecting bad actors, decrypting

modern SSL/TLS, monitoring server behavior, and preventing data leakage. The superior architecture, performance,

and capabilities of F5 Advanced WAF sets it apart in the WAF market.

Can Advanced WAF run in the Cloud? Yes. Advanced WAF is supported on Virtual Edition for Private Clouds (ex. VMware), as well as in Public Cloud

marketplaces (Amazon, Azure). Support for the Google Cloud Platform is coming soon.

Use Cases

What are the target use cases for F5 Advanced WAF?

1) Advanced bot protection 2) Account Takeover 3) App-layer Denial of Service (L7 DDoS)

Why would a customer want advanced bot protection? Bots continue to evolve as attacks find methods to evade detection. Automation continues to grow in sophistication. As

evasion techniques mature, bots can emulate legitimate users and evade signature and reputation-based detection.

50%+ of all Internet traffic is attributed to bots, half of which can be malicious, such as vulnerability scanners, web

scrapers, DDoS tools, and tools from SPAM and user forums.

How does F5 protect against advanced bots? Behavior analytics in F5 Advanced WAF can detect threats that signature-based approaches miss or incorrectly block

FAQ F5 Advanced WAF


[email protected]




(false positives). F5 Advanced WAF also enables bot protection in cases where JavaScript cannot be used, for

example, with mobile apps.

Behavior analytics augments existing protection against bots: client transaction and server latency monitoring, resource-

intensive URL monitoring, proactive bot defense, and CAPTCHA challenges.

Why would a customer want to protect against Account Takeover? Account Takeover is a lucrative business for criminals, given many users share credentials across accounts. Account

Takeover is a type of attack where criminals pose as a legitimate user and gain access to a customer account to make

unauthorized transactions. These accounts contain valuable information such as financial data. This activity is less likely

to cause suspicion from security solutions, as the transaction appears legitimate.

Account Takeover typically involves two steps:

1) Theft of sensitive data (credential harvesting, data leakage) 2) Use of stolen credentials to gain unauthorized access (credential stuffing/brute force)

How does F5 protect against theft of sensitive data? F5 Advanced WAF uses app-layer encryption (DataSafe) to protect sensitive data and credentials. While customers

may use TLS/SSL to encrypt data in motion, encryption stops at the browser, and leaves sensitive data susceptible to

theft via malware or man-in-the-middle (MiTM) attacks. The extra layer of security provided by DataSafe can mitigate

generic keyloggers and credential capture tools at the browser level.

Using F5 Advanced WAF, customers encrypt data at the field-level without installing a client for the user or an agent on

the Web server. This ensures that, if malware such as a keylogger captures credentials or sensitive data, it cannot be

used.

How does F5 protect against unauthorized access from use of stolen credentials?

Advanced WAF prevents credentials from being compromised and protects against brute force hacking with previously

compromised credentials.

Hackers have used brute force to compromise user accounts. Traditionally, brute force mechanisms protect one

account from multiple login attempts with account lockout. However, account takeover has evolved to more

sophisticated methods, including distributed attacks, and re-use of known credentials through automated tools (i.e.

credential stuffing).

Over 4 billion user records were compromised in 2016 alone. These databases of stolen credentials are ticking time

bombs waiting for credential stuffing attacks, where hackers use automated tools to gain unauthorized access.

F5 Advanced WAF offers the most advanced and comprehensive brute force protection available, including distributed

brute force protection, CAPTCHA challenges, honeypots, and custom responses.

FAQ F5 Advanced WAF


[email protected]




Why would a customer want to protect against app-layer DDoS? Availability and uptime is a key principle to security. While many denial of service vendors focus on large-scale

volumetric attacks, application-layer attacks are happening without detection.

These application-layer attacks are low-and-slow and target resources other than bandwidth; for example, CPU and

memory, which can impact applications, APIs, firewalls, and other infrastructure. These attacks avoid network-level

detection, challenge traditional detection methods, and can be just as crippling as large-scale volumetric attacks.

Advanced WAF uses a variety of techniques and escalating challenges to mitigate app-layer DDoS, including behavioral

analysis, client fingerprinting, and server monitoring.

How does F5 protect against app-layer DDoS? F5 Advanced WAF improves operational efficiency with low-latency, low-touch mitigation, providing comprehensive

security without burdening staff or impacting user experience.

F5 Advanced WAF can improve detection accuracy by using real-time, observed application baselines rather than static

techniques such as signatures. F5 Advanced WAF baselines normal traffic, builds and enforces real-time DDoS

signatures for new app-layer (L7) attacks. Stress detection reduces false positives and ensures mitigation action only

occurs when an attack is impactful.

Advanced WAF can differentiate between benign and malicious bots, web scrapers, and brute force hacking attempts.

Does Advanced WAF help mitigate the OWASP Top 10? Yes. Advanced WAF protects against the OWASP Top 10, and goes beyond OWASP Top 10 protection to defend

against automated attacks, bots, account takeover, and app-layer (L7) DDoS.

Positioning

Who is the target customer for F5 Advanced WAF? Prospects looking for best-in-class Web security controls and existing LTM, ASM, and GBB customers looking to

expand Web security capabilities are targets for Advanced WAF.

F5 Advanced WAF targets the security buyer, who focuses on serious risks to the business. The security buyer needs

more than generic protection for safeguards, and is looking for best-in-class security controls for specific risks and

threats. Security buyers include CISO, Security Architects, Security Engineers. CISSP is a common certificate held by

security buyers.

In addition, Line of Business (LOB) owners responsible for application rollouts, such as Enterprise Architect and

DevOps Engineer, may be interested in Advanced WAF for comprehensive protection of critical applications.

Best (GBB) targets the NetOps buyer whose goal is to improve operational efficiency with consolidation. ASM remains

FAQ F5 Advanced WAF


[email protected]




in Best and remains a competitive differentiator against core ADC competitors. Advanced WAF is tailored for the

security buyer and introduces protection beyond the current WAF market. F5 Advanced WAF is the product for future

Web security add-ons and uses cases.

What are 3 reasons to upgrade to Advanced WAF?

1. Bot protection needs to go beyond reputation threat-feeds 2. Extend security to the data itself to protect against credential theft and data leakage 3. Accurate L7 DDoS detection requires machine learning for behavior analytics

How does F5 Advanced WAF compare to Imperva SecureSphere? F5 Advanced WAF has been packaged to position F5 to win with our strongest capabilities against Imperva.

App-layer Encryption

Imperva does not offer app-layer encryption, which is the best way to protect sensitive data and credentials from theft

through malware tampering and MiTM attacks.

Bot protection

SecureSphere is heavily reliant on signatures and reputation for bot protection. F5 supports signatures, reputation, client

behavioral analysis, server performance monitoring, escalating JavaScript/CAPTCHA challenges, and supports

scenarios where JavaScript injection is not possible (e.g. mobile apps).

L7 DDoS

Imperva is limited to threshold based detection, which is susceptible to false positives. Imperva lacks server

performance monitoring and automatic signature creation.

SSL decryption

Management of SSL on SecureShere is through modification of text files on the command line. Imperva recently added

support for modern cryptography (ECDHE/PFS), though this support will result in considerable performance

degradation.

When do I position Advanced WAF versus DDoS Hybrid Defender? App-layer (L7) DoS mitigation is a critical component of Web security. A two-tiered, defense-in-depth strategy is best for

defending against blended DoS. Customers should use F5 Advanced WAF for protecting application resources from

app-layer (L7) DDoS and F5 DHD for L3-7 DDoS protection at the network edge.

What do I sell between now and the release of Advanced WAF? ASM or Best, depending on the customer use case. In addition, DataSafe and Fraud Protection Services (FPS) can add

additional application security protection such as application layer encryption.

FAQ F5 Advanced WAF


[email protected]




What about customers who purchased ASM or Best within the last year?

F5 will have an internal program to migrate customers who recently purchased ASM and/or Best to Advanced WAF.

What happens to a customer’s support contract after migrating to Advanced WAF?

Advanced WAF is a perpetual license and has an associated support subscription component.

Migration

How do existing F5 customers take advantage of Advanced WAF?

The following table depicts several scenarios for positioning F5 Advanced WAF:

Customer Type What to Sell Available Add-ons

(At Launch) *

New Customer Advanced WAF • Anti-bot mobile SDK • IP Intelligence

ASM stand-alone / add-on Upgrade to Advanced WAF • Anti-bot mobile SDK • DataSafe • IP Intelligence

GBB (Best) Upgrade to Advanced WAF • Anti-bot mobile SDK • DataSafe • IP Intelligence

LTM LTM Add-on for Advanced WAF • Anti-bot mobile SDK • DataSafe • IP Intelligence

*DataSafe is included in Advanced WAF

FAQ F5 Advanced WAF


[email protected]




The following table depicts several scenarios for positioning F5 Advanced WAF:

Target Customer How to get Advanced WAF

Net New Buy Advanced WAF standalone or BIG-IP add-on

LTM Customers Advanced WAF add-on license SKU

ASM Customers Advanced WAF Upgrade SKU

Best Customers Advanced WAF Upgrade license SKU

Advanced WAF is available for prospects and existing customers on supported platforms:

• Net new customers can buy Advanced WAF standalone or as an add-on to a BIG-IP solution

• BIG-IP customers can acquire Advanced WAF through an add-on license SKU*

• ASM standalone customers can Upgrade to Advanced WAF with an upgrade license SKU

• Best customers can upgrade to Advanced WAF with an upgrade license SKU

Supported BIG-IP platforms include

• iSeries i2x00, i4x00, i5x00, i7x00, i10x00, i11x00, i15x00

• BIG-IP 2000s/2200s, 4000s/4200v, 5050s/5250v, 705Xs/72XXv, 10XXXv/10X5Xs, 12250v

• VIPRION 2400 and 4400 series

• BIG-IP Virtual Edition in Private Cloud: 25 Mbps, 200 Mbps, 1 Gbps

• High Performance VE (8 cores, 12 cores, 16 cores)

• BIG-IP Virtual Edition in Public Cloud marketplaces (Amazon, Azure)

Note: Once licensed for Advanced WAF, F5 customers can add the Anti-Bot Mobile SDK through an Add-on license

SKU.

Note: Support for the Google Cloud Platform is coming soon.

FAQ F5 Advanced WAF


[email protected]




Is ASM going away? ASM is a subset of Advanced WAF. No ASM features are not going away. ASM will continue to be offered in Good-

Better-Best and remains a key differentiator against core F5 ADC competitors.

Advanced WAF furthers F5 security differentiation. ASM stand-alone products and ASM add-ons will be replaced by the

new Advanced WAF offers.

Can my existing ASM customers upgrade to Advanced WAF? Yes. F5 will offer an upgrade path for existing ASM customer who will want to move to advanced WAF.

Can my existing GBB customers upgrade to Advanced WAF? Yes. F5 will offer an upgrade path for existing Best customers who will want to move to advanced WAF through an

Advanced WAF add-on license SKU. Advanced WAF provides protection beyond ASM and Best, including application

layer encryption, mobile bot defense, and behavioral DoS support for all services.

Pricing

How do customers purchase Advanced WAF? Please contact your preferred distributor for pricing

Resources

Where can I find additional Advanced WAF resources? • Visit Partner Central (https://partners.f5.com/Solutions/AdvancedWAF) for additional resources,

including: Partner Sales Play

• Quick Reference Guide

• Coming soon: eLearning, recorded demo, and recorded webinars

https://partners.f5.com/Solutions/AdvancedWAF

F5 Advanced WAF - Softchoice · Why is F5 Advanced WAF deployed inline? F5 believes an inline, full...

Documents

Transcript of F5 Advanced WAF - Softchoice · Why is F5 Advanced WAF deployed inline? F5 believes an inline, full...