WebApp Security in the Digital Age - Cisco · F5 Networks Positioned as a Leader in 2017 Gartner...


Transcript of WebApp Security in the Digital Age - Cisco · F5 Networks Positioned as a Leader in 2017 Gartner...

Page 1: WebApp Security in the Digital Age - Cisco · F5 Networks Positioned as a Leader in 2017 Gartner Magic Quadrant for Web Application Firewalls* This graphic was published by Gartner,
Page 2:

Page 3:

• Introduction

• Who needs WAF anyway?

• The Death of WAF?

• Advanced WAF

• Why F5?

Page 4:

https://laurent22.github.io/so-injections/

Page 5:


Page 6:

Page 7:

• 13 major airlines

• flight information

• credit card

• personal data

• 1.5 years

Page 8:

Page 9:

Page 10:

Page 11:

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Page 12:

Page 13:

Page 14:

https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/tech-briefs/paloaltonetworks-vs-waf.pdf

Page 15:

BIG-IP ASM extends protection to more than application vulnerabilities:

• Data Leak Protection

• Prevent Bot Attack (DDoS, VA tools, web scraping, brute force, etc.)

• Protect Web/API from L7 Attack

• Stop bad Users (Device ID)

• Attack Visibility & Logging

• Automatic Policy Building (dynamic configuration)

Page 16:

Automatic Policy Building (1)

URLs & File Types:
  /images/banner.jpg
  /login.php
  /css/design.css
  /app/app.php
  /js/jquery.js

Parameters:
  name={alphanumeric, len=16}
  address={any char, len=100}
  file={multipart/form-data, maxSize=10MB}
  price={numeric, tampering protection=on, len=10}

Cookies:
  Cookie: name=value
  Cookie: JSESSIONID=1A5306372...
  Cookie: price=399;total=1399

Server Technologies

Requests that fall outside the learned policy:
  .exe
  /admin/wp-admin
  /login.php?name=jerrick; ls /etc/

(+) security model: enforcing legitimate traffic only

Page 17:

Protect Web/API from Known Attack (2)

Signature examples:
  /etc/passwd
  ' OR 1=1 --;
  %2527%2BOR%2B1%253D1%2B%2523; (the same injection, double URL-encoded)

Attack classes covered: OWASP Top 10, buffer overflows, parser attacks, zero-day attacks, CSRF, parameter tampering, cross-site scripting, evasion techniques, forceful browsing, information leakage, malformed headers, RFI, session hijacking, SQL injection, command injection, many more …

(-) security model: protecting against known attacks
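The two models on these slides, a learned positive policy (URLs, parameter constraints, tampering-protected values) and known-attack signatures, as an added Python example that is not F5's code: the policy and signatures are hand-built from the slide's sample values, and `issued` stands in for the values the WAF remembers from the server's earlier response.

```python
import re
from urllib.parse import unquote
# Positive model: a policy "learned" from the slide's sample values (constructed, not an F5 export).
ALLOWED_URLS = {"/images/banner.jpg", "/login.php", "/css/design.css", "/app/app.php", "/js/jquery.js"}
PARAMS = {  # name -> (allowed characters, max length, tampering protection on?)
    "name": (r"[A-Za-z0-9]*", 16, False),
    "address": (r".*", 100, False),
    "price": (r"[0-9]*", 10, True),
}
SIGNATURES = [  # negative model: a few illustrative known-attack signatures (not F5's signature set)
    ("path traversal", re.compile(r"/etc/passwd")),
    ("sql injection", re.compile(r"'\s*or\s+1\s*=\s*1", re.I)),
    ("command injection", re.compile(r";\s*(ls|cat|rm)\b", re.I)),
]

def normalize(value: str) -> str:
    """Decode until stable, so a double-encoded evasion is inspected as the payload it hides."""
    for _ in range(3):
        decoded = unquote(value.replace("+", " "))
        if decoded == value:
            break
        value = decoded
    return value

def check_request(url: str, cookies: dict, issued: dict) -> list:
    """Return the violations for one request; `issued` holds the cookie/parameter values the
    server last sent to this client, which the WAF remembers in order to detect tampering."""
    violations = []
    path, _, query = url.partition("?")
    if path not in ALLOWED_URLS:                 # unknown URL or file type (.exe, /admin/wp-admin)
        violations.append(f"illegal url {path}")
    for pair in filter(None, query.split("&")):
        key, _, raw = pair.partition("=")
        value = normalize(raw)
        for attack, sig in SIGNATURES:           # negative model: match known attack signatures
            if sig.search(value):
                violations.append(f"{attack} in parameter {key}")
        rule = PARAMS.get(key)                   # positive model: only learned parameters/values pass
        if rule is None:
            violations.append(f"illegal parameter {key}")
            continue
        pattern, maxlen, protected = rule
        if len(value) > maxlen or not re.fullmatch(pattern, value):
            violations.append(f"illegal value for parameter {key}")
        if protected and key in issued and issued[key] != value:
            violations.append(f"parameter {key} tampered")
    for key, value in cookies.items():           # cookie tampering (e.g. price=399 after the server set 1399)
        if key in issued and issued[key] != value:
            violations.append(f"cookie {key} tampered")
    return violations
```

A request that trips a signature also fails the positive model, which is why a learned policy catches the command-injection value in the slide's `name` parameter even if no signature matched it.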

Page 18:

Prevent Bot Attack (3)

Incapsula Bot Traffic Report 2016:
  48% Humans: traffic generated by humans
  23% Good Bots: traffic generated by good bots like Bing, Google Bot…
  29% Bad Bots: traffic generated by bad bots like scanners, password guessing…

Page 19:

Prevent Bot Attack (3)

Diagram legend: Good Bot, Human, Bad Bot

• Validate bot or human on initial site access

• Differentiate good bots and bad bots

• Real time challenge (JS and CAPTCHA)

• Scraping and brute force protection

Page 20:

Stop Bad Users (4)

• Stop users from a specific country/region (geolocation)

• Stop users/sessions that trigger violations (session tracking)

• Stop users with bad IP reputation (persistent attacker, anonymous proxy, vulnerability scanner)

• Stop unique device/browser access (browser fingerprinting)

Page 21:

Stop Bad Users (4)

Page 22:

Mask Sensitive Data (5)

Cc=4012 8888 9999 1881 → Cc=#### #### #### ####

Page 23:

See Hostile Traffic (6)

Page 24:

See Hostile Traffic (6)

Page 25:

Page 26:

Page 27:

Diagram: Regular user → Network Firewall (Allow TCP/80, TCP/443) → Web server → App server → DB server

Page 28:

Page 29:

80/20 RULE (80%)

• Cross-Site Scripting

• Information Leakage

• Injection

Responsible for 78% of all vulnerabilities

Page 30:

Page 31:


Page 32:

WHY F5?

Page 33:

F5 is the only vendor who uses the same product for cloud-based as on-premises, which enables simple policy sharing and improved security effectiveness.

• Virtual Edition: secures applications deployed in virtualized and IaaS environments

• Datacenter Appliance: protects business critical applications in the datacenter

• WAF as a Service: immediately turn on new services or scale existing protections without capital investment and resource requirements

Page 34:

Gartner Magic Quadrant for WAF

F5 is highest in execution within the Leaders Quadrant.

F5 Networks Positioned as a Leader in 2017 Gartner Magic Quadrant for Web Application Firewalls*

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from F5 Networks. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

* Gartner, Magic Quadrant for Web Application Firewalls, Jeremy D'Hoinne, Adam Hils, Claudio Neiva, 7 August 2017

Page 35:

Gartner Magic Quadrant for ADC+WAF?

Figure 1. Magic Quadrant for Application Delivery Controllers

Source: Gartner (August 2016)

Page 36:

Tzoori Tamam

F5 WAF Product Manager

Page 37:

Page 38:

DevCentral https://devcentral.f5.com/

AskF5/Support https://ask.f5.com/

iHealth https://ihealth.f5.com/

University https://university.f5.com/

Page 39:

Page 40: