DATASHEET
What's Inside
2 Comprehensive Attack Protection
6 Built-in Compliance Capabilities
7 Policy Control
9 Integration for Agility and Adaptability
14 The BIG-IP ASM Architecture
15 BIG-IP ASM Platforms
15 Virtual Platform
15 Simplified Licensing
16 F5 Global Services
16 More Information
With the continued growth of web application traffic, an increasing amount of sensitive
data is exposed to potential theft, security vulnerabilities, and multi-layer attacks. Protect
your organization and its reputation by maintaining the confidentiality, availability, and
performance of the applications that are critical to your business.
F5 BIG-IP Application Security Manager (ASM) is the most flexible web application
firewall that secures web applications in traditional, virtual, and private cloud environments.
BIG-IP ASM provides unmatched protection that helps secure applications against
unknown vulnerabilities and enables compliance with key regulatory mandates, all on a
platform that consolidates application delivery with a data center firewall solution offering
network and application access control.
Key benefits
Ensure app security and availability
BIG-IP Application Security Manager
When policy is violated, BIG-IP ASM renders a unique blocking message for AJAX widgets,
protecting JSON payloads.
Advanced enforcement
BIG-IP ASM can secure any parameter from client-side manipulation and validate login
parameters and application flow to prevent forceful browsing and logical flaws.
HTTP parameter pollution (HPP) attacks are illegal requests whose URL is split up with
illegal parameters in order to bypass application security. BIG-IP ASM recognizes these
attacks and blocks the requests, providing granular attack protection.
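As an added illustration (not F5's code, and not how BIG-IP ASM is implemented), the following Python shows the kind of query-string check a WAF applies to catch parameter pollution and parameters the policy does not allow; the path-to-parameter policy and the URLs are constructed for the example.

```python
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Hypothetical per-URL policy (constructed for this example): the parameter
# names the application legitimately accepts at each path.
ALLOWED_PARAMS = {"/transfer": {"account", "amount"}}


def check_request(url, policy=ALLOWED_PARAMS):
    """Return a list of policy violations for the request URL (empty = clean).

    Two checks are applied, mirroring what a WAF does with the query string:
    1. HPP: the same parameter name appears more than once. Back-end stacks
       disagree on which copy wins (first, last, or concatenated), which is
       exactly what the attacker relies on, so any repeat is flagged.
    2. Illegal parameter: a name the policy does not list for this path.
    """
    parts = urlsplit(url)
    # keep_blank_values keeps "amount=" so a blanked-out copy still counts;
    # parse_qsl also percent-decodes names, so "%61mount" is seen as "amount".
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    counts = Counter(name for name, _ in pairs)
    violations = []
    for name, n in counts.items():
        if n > 1:
            values = [v for k, v in pairs if k == name]
            violations.append(f"HPP: '{name}' sent {n} times {values}")
    allowed = policy.get(parts.path)
    if allowed is not None:
        for name in counts:
            if name not in allowed:
                violations.append(f"illegal parameter '{name}' on {parts.path}")
    return violations


def decision(url, policy=ALLOWED_PARAMS):
    """Blocking verdict: 'block' on any violation, otherwise 'allow'."""
    return "block" if check_request(url, policy) else "allow"


if __name__ == "__main__":
    for u in (
        "https://bank.example/transfer?account=123&amount=10",
        "https://bank.example/transfer?account=123&amount=10&amount=9000",
        "https://bank.example/transfer?account=123&amount=10&debug=1",
    ):
        print(decision(u), check_request(u))
```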
Additionally, BIG-IP ASM protects against the OWASP Top Ten application security risks,
including layer 7 denial-of-service (DoS), SQL injection, cross-site scripting (XSS), brute force,
and zero-day web application attacks. Its unique protections enable mitigation of DoS-heavy
URL attacks, prevent execution of fraudulent transactions, and stop in-browser session
hijacking. Administrators can even more effectively detect attacks that fall below established
rate and volumetric limits and help determine the source of suspicious requests and
fraudulent fund transfers.
An attack expert system
As threats grow in number and complexity, the integrated and comprehensive attack expert
system in BIG-IP ASM provides an immediate, detailed description of the attack, as well as
enhanced visibility into the mitigation techniques used by BIG-IP ASM to detect and prevent
the attack.
The attack expert system bridges the gap between the network and the application team,
educating the administrator on application security.
The expert system in BIG-IP ASM provides detailed descriptions of detected attacks.
New signatures from new attacks are frequently required to ensure up-to-date protection.
BIG-IP ASM queries the F5 signature service on a daily basis and automatically downloads
and applies new signatures.
Geolocation-based blocking
With attacks increasing from varying global sources, BIG-IP ASM enables you to
block attacks based on geolocation: states, countries, or regions. BIG-IP ASM allows
administrators to easily select allowed or disallowed geolocations for strong policy
enforcement and attack protection. You can also enable geolocation protection against
anomalous traffic patterns that stem from specific countries or regions and enable traffic
throttling based on location. This location-based protection can also be applied to a
CAPTCHA challenge and to protect RAM cache and other resources from DoS attacks.
You can easily configure geolocation-based blocking by selecting states, countries, or regions for
enforcement.
Figure: HTTP/S traffic from Internet-connected devices passes through BIG-IP ASM on the BIG-IP platform before reaching the web app servers and data.
a DNS firewall, and access control security services that provide deep controls and threat
mitigation to enable dynamic data center protection.
PCI reporting in BIG-IP ASM specifies which industry requirements are being met, and, if needed,
provides information on the required steps enterprises must take in order to become compliant.
Geolocation reporting
Geolocation reporting informs you of the country where threats originate in addition to
attack type, violation, URL, IP address, severity, and more. You can also schedule reports
to be sent to a designated email address automatically for up-to-date reporting.
With attacks coming from around the world, geolocation reporting in BIG-IP ASM helps you identify
where threats originate to better block future attacks.
Policy Control
Websites are diverse, complex, and constantly changing, requiring policies with hundreds if
not thousands of clear and precise rules. BIG-IP ASM helps security teams manage these
changes while maintaining the delicate balance between ensuring the strictest security
controls possible and allowing legitimate user access.
Out-of-the-box protection
BIG-IP ASM is equipped with a set of pre-built application security policies that provide
out-of-the-box protection for common applications such as Microsoft Outlook Web Access,
Lotus Domino Mail Server, Oracle E-Business Financials, and Microsoft SharePoint.
In addition, BIG-IP ASM includes a rapid deployment policy that immediately secures any
customer application. The validated policies require zero configuration time and serve as a
starting point for more advanced policy creation, based on heuristic learning and specific
customer application security needs.
Staging
Staging functionality enables updated policies to be transparent for testing in a live
environment without reducing current protection levels. BIG-IP ASM makes it easy to
stage policies using attack signatures, file types, URLs, and other parameters, and to test
whether changes are needed before a policy is enforced. The policy can be redesigned
and retested until you are satisfied and the policy is ready for live implementation.
iRules Integration
The F5 iRules scripting language provides extensibility to solve unique application security
challenges. iRules enables administrators to develop scripts that extend the functionality of
firewall rules. Additionally, iRules lets administrators leverage functionality across the BIG-IP
infrastructure to provide a greater degree of flexibility in responding to threats that may be
unique to an organization. iRules violations can trigger a firewall rule violation that can be
automatically logged, blocked, and reported. Reports contain all the necessary information
to create intelligent rules. iRules integration provides greater granularity to firewall policies
to mitigate the most aggressive attacks.
Real-time traffic policy builder
At the heart of BIG-IP ASM is the dynamic policy builder engine, which is responsible for
automatic self-learning and creation of security policies. It automatically builds and manages
security policies around newly discovered vulnerabilities, deploying fast, agile business
processes without manual intervention.
According to the Web Application Security Consortium, 97 percent of websites have
vulnerabilities that put them at immediate risk of attack, and 64 percent of these
vulnerabilities are on the server side. As more applications move to the web, data
breaches from web applications are a real concern. Once a breach occurs, the Ponemon
Institute estimates the total average cost of a data breach is $145 per record
compromised.[1]
When traffic flows through BIG-IP ASM, the policy builder parses requests and responses,
providing the unique ability to inspect the bi-directional flow of full client and application
traffic, both data and protocol. By using the advanced statistics and heuristics engine,
the policy builder can filter out attacks and abnormal traffic. The policy builder can also run
in a mode in which it is made aware of site updates. By parsing responses and requests,
it can detect site changes and automatically update the policy accordingly, without any
user intervention.
iApps for pre-configured policies
F5 iApps provides application, security, network, systems, and operations personnel a
framework to unify, simplify, and control their Application Delivery Networks (ADNs) by
providing a contextual view and advanced statistics of the application services supporting
the business.
[1] Corporate data breach average costs rose to $3.5 million in 2013, Tim Wilson, Dark Reading.
iApps supports applications with BIG-IP ASM security using pre-configured policies for
easy-to-use and flexible templates for deployment of application services, thereby increasing
IT agility and efficiency.
Fast policy creation and helpful hints
When configuring and implementing application security policies in BIG-IP ASM, helpful
hints guide you to craft stronger policies, better protect applications, and deliver a stronger
response to the threat landscape. For example, a list of useful links are provided in the UI
as Quick Links to help you increase productivity and accuracy during security policy design.
In addition, a To Do list recommends tasks for improving BIG-IP ASM policies.
Centralized policy management and deployment
BIG-IQ Security provides administrators with a consolidated view of all BIG-IP ASM devices
and a simplified approach to deploying policies across BIG-IP ASM devices throughout the
firewall infrastructure. With a centralized view of BIG-IP ASM devices, administrators can
easily import firewall configurations, consistently apply firewall policies across multiple
devices, compare policies to identify rules overlap or conflict, and verify compliance with
corporate policy. This helps you reduce IT overhead, minimize configuration errors, and
ensure the overall effectiveness of each policy.
Application visibility and reporting
BIG-IP ASM monitors and reports the most requested URIs and every URI for server latency.
It gives visibility to slow server scripts and troubleshoots server code that causes latency.
BIG-IP ASM monitors the most accessed pages for a web application for the last hour,
last day, and last week. For these pages, it provides average TPS and average latency.
In addition, for every web application, BIG-IP ASM also provides a list of top accessing
source IP addresses, with TPS and throughput for every IP address. These monitoring
capabilities allow administrators visibility into how the application is being accessed and
how it is behaving.
actionable application assessment results and ensures protection while developers correct
vulnerable code. The service allows BIG-IP ASM administrators to import vulnerabilities from
WhiteHat, Cenzic, IBM, and QualysGuard application scanners. When combined with Cenzic
Hailstorm or WhiteHat Sentinel, BIG-IP ASM can detect and report recent website changes
to the scanner to ensure scanning of otherwise overlooked URLs and parameters and the
application of specific policies, enabling organizations to secure their applications right
after updates.
You can also easily layer a vulnerability-driven policy (received from F5 scanner integrations)
on top of a current policy such as rapid deployment or SharePoint policies for multi-deployment
policies. This provides assurance that, no matter how an administrator builds policies, the
additional vulnerability assessment scan allows BIG-IP ASM to layer the scan-driven policy on
top of the existing policy for layered attack protection.
Four scanner service integrations allow BIG-IP ASM administrators to import the
vulnerabilities to BIG-IP ASM for policy creation. Those services are:
Cenzic Hailstorm
WhiteHat Sentinel
IBM Rational AppScan
QualysGuard Web Application Scanning
For Cenzic Hailstorm and WhiteHat Sentinel, BIG-IP ASM includes an option to activate
three free trial scans, integrated into the user interface.
This BIG-IP ASM user interface indicates integration with Cenzic Hailstorm vulnerability assessment
and BIG-IP ASM mitigation.
The Cenzic Hailstorm or Cenzic Cloud service integration scanning for web application
vulnerabilities is manageable through the BIG-IP ASM UI for Cenzic customers or available
with three free scans upon Cenzic Cloud signup. Vulnerabilities are visible in the UI after
scanning and available for threat resolution.
Better protection with external IP Intelligence (optional)
Organizations delivering today's rich and complex Internet content to users without adequate
security incur significant risk. Clients are exposed to a variety of potentially malicious attacks
from rapidly changing IP addresses. Inbound and outbound botnet traffic such as DDoS and
malware activity can penetrate security layers and consume valuable processing power.
The F5 IP Intelligence service incorporates external, intelligent services to enhance
automated application delivery decisions with better IP intelligence and stronger,
context-based security. By identifying IP addresses and security categories associated with
malicious activity, the IP Intelligence service can incorporate dynamic lists of threatening IP
addresses into the BIG-IP platform, adding context and automation to blocking decisions.
You can set an alarm or a full block of IPs from a specific category while whitelisting
approved IP addresses.
The IP Intelligence service identifies IP addresses from a variety of threat categories,
including:
Botnets: Infected IPs controlled by bots
Denial of service: IPs known for DoS, DDoS, or SYN flood attacks
Windows exploits: IPs known for distributing exploits
Anonymous proxies: IPs used for anonymous services, including The Onion Router (Tor)
Web attacks: IPs used for SQL injection, cross-site request forgery, cross-site scripting,
and application infrastructure attacks
Reputation: Infected IPs
Phishing proxies: Phishing site hosts
Scanners: Probes, scans, and brute force IPs
Figure: IP Intelligence identifies bad reputation sources (attackers, phishing hosts, exploit honeypots, scanners, proxy farms, infected laptops) and identifies connections to threat IPs; the BIG-IP platform receives updates from the IP Intelligence database while serving legitimate and enterprise users.
Unlike intrusion prevention services (IPSs), the IP Intelligence service has a unique ability
to provide defensive services even when used behind a content delivery network (CDN) or
other proxies. The IP Intelligence service can evaluate the original real client IP address as
logged within the X-Forwarded-For (XFF) header to allow or block traffic from a CDN with
threatening IPs. Other solutions, such as IPSs or conventional firewall technology, examine
the source address of the packets (instead of the XFF header) and end up evaluating the
CDN's proxy address.
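An added Python example (not F5's code) of the XFF evaluation described above; the trusted CDN range and the reputation list are constructed. It also includes the check a practitioner wants alongside it: the header is only believed for hops appended by a trusted proxy, so a client connecting directly cannot spoof its way past the reputation lookup.

```python
import ipaddress

# Constructed values for this example: the CDN's egress range that we trust
# to append X-Forwarded-For, and a tiny stand-in for an IP reputation feed.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]
THREAT_IPS = {"198.51.100.7": "Scanners", "192.0.2.99": "Botnets"}


def client_ip(packet_src, xff_header, trusted=TRUSTED_PROXIES):
    """Recover the real client address behind a CDN.

    The connection's source address is appended as the right-most hop, then
    the chain is walked right to left, skipping addresses that belong to a
    trusted proxy. The first untrusted hop is the client. Entries further left
    were supplied by the client itself and are never believed, so a spoofed
    header on a direct connection cannot hide the true source.
    """
    chain = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    chain.append(packet_src)
    for hop in reversed(chain):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Malformed hop: stop trusting the header, use the TCP source.
            return packet_src
        if not any(addr in net for net in trusted):
            return str(addr)
    return chain[0]  # every hop was one of our own proxies


def xff_aware_decision(packet_src, xff_header, threats=THREAT_IPS):
    """IP-Intelligence-style verdict on the recovered client address."""
    ip = client_ip(packet_src, xff_header)
    return ("block", threats[ip]) if ip in threats else ("allow", None)


def source_only_decision(packet_src, threats=THREAT_IPS):
    """What a device that only inspects the packet source address sees."""
    if packet_src in threats:
        return ("block", threats[packet_src])
    return ("allow", None)


if __name__ == "__main__":
    # A scanner reaching the site through the CDN: CDN node 203.0.113.5
    # connects to us and records the scanner's address in XFF.
    print(xff_aware_decision("203.0.113.5", "198.51.100.7"))  # ('block', 'Scanners')
    print(source_only_decision("203.0.113.5"))                 # ('allow', None)
```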
Centralized reporting with Splunk
Splunk, a large-scale, high-speed indexing and search solution, provides numerous
different BIG-IP ASM-specific reports. These reports provide visibility into attack and
traffic trends, long-term data aggregation for forensics, acceleration of incident response,
and identification of unanticipated threats before exposure occurs.
Database reporting and security with Oracle
The integration between Oracle Database Firewall and BIG-IP ASM is an advanced solution
for web application and database security. This powerful solution shares common reporting
for web-based attempts to gain access to sensitive data, subvert the database, or execute
DoS attacks against the database. Malicious users can be isolated while reports and alerts
provide immediate detection and information on the type and threat of such attacks.
Integration with IBM InfoSphere Guardium database security
By combining the powerful security and reporting features in BIG-IP ASM with the
advanced database inspection functionality and reporting of IBM InfoSphere Guardium,
organizations can now gain an unparalleled real-time view into the operation of their websites.
This information allows administrators to take a variety of actions, such as preventing attacks,
enforcing controls, auditing access, and many other essential database tasks. For example,
using Guardium and BIG-IP ASM, an administrator can run a dashboard that shows in real
time which SQL statements are being generated by a front-end user.
Acceleration and application security
With BIG-IP ASM and BIG-IP Application Acceleration Manager running together
on BIG-IP Local Traffic Manager, you can secure applications while also accelerating
performance. This efficient, multi-solution platform adds security without sacrificing
performance. Attacks are filtered immediately and web applications are accelerated for
improved user experience. Since there is no need to introduce a new appliance to the
network, you get an all-in-one solution for maximum cost effectiveness.
Granular access control and application security
BIG-IP Access Policy Manager (APM) and BIG-IP ASM bring access control and application
security services layered together on your BIG-IP system. With BIG-IP APM, you
can provide context-aware, policy-based access to users while simplifying authentication,
authorization, and accounting (AAA) management for web applications.
BIG-IP APM is available as an add-on module to the BIG-IP ASM standalone appliance.
BIG-IP APM Lite (with 10 free user licenses) is included with any BIG-IP ASM standalone
purchase.
SSL offload
Policy staging
Caching
Compression
The ability to manipulate any application content on the fly, regardless of in- or outbound traffic
TCP/IP optimization
Advanced rate shaping and quality of service
IPv6 Gateway
IP/port filtering
VLAN support through a built-in switch
Resource provisioning
Route domains (virtualization)
Remote authentication
Security
Brute force
SQL injection
64-bit OS support
Session hijacking
Buffer overflows
Cookie manipulation
Various encoding attacks
Forceful browsing
Request smuggling
XML bombs/DoS
Web scraping
Reverse engineering
Code examination
SAP NetWeaver 7
Application tampering
Virtual Platform
BIG-IP LTM VE with BIG-IP ASM and BIG-IP ASM VE standalone can help you meet the
needs of your virtualized environment.
BIG-IP ASM VE
Hypervisors Supported:
VMware vSphere Hypervisor 4.0, 4.1, 5.0, and 5.1 and vCloud Director 1.5
Citrix XenServer 5.6 and 6.0
Microsoft Hyper-V for Windows Server 2008 R2 and 2012
KVM Linux Kernel 2.6.32 (RHEL 6.2/6.3, CentOS 6.2/6.3)
Simplified Licensing
Meeting your applications' needs in a dynamic environment has never been easier.
F5's Good, Better, Best provides you with the flexibility to provision advanced modules on
demand, at the best value.
Decide what solutions are right for your application's environment with F5's reference
architectures.
Provision the modules needed to run your applications with F5's Good, Better, Best
offerings.
Implement complete application flexibility with the ability to deploy your modules on a
virtual or physical platform.
F5 Global Services
F5 Global Services offers world-class support, training, and consulting to help you get the
most from your F5 investment. Whether it's providing fast answers to questions, training
internal teams, or handling entire implementations from design to deployment, F5 Global
Services can help ensure your applications are always secure, fast, and reliable. For more
information about F5 Global Services, contact consulting@f5.com or visit f5.com/services.
More Information
To learn more about BIG-IP ASM, visit f5.com to find these and other resources.
Datasheets
IP Intelligence
BIG-IP Application Acceleration Manager
Report
Gartner Web Application Firewall Magic Quadrant, 2014
White papers
Complying with PCI DSS
Protecting Against Application DDoS Attacks with BIG-IP ASM
Vulnerability Assessment with Application Security
Case study
Human Kinetics Boosts Website Performance, Security, and Innovation
Article
SC Magazine Review: BIG-IP Application Security Manager
F5 Networks
Asia-Pacific
apacinfo@f5.com
888-882-4447
F5 Networks Ltd.
Europe/Middle-East/Africa
emeainfo@f5.com
www.f5.com
F5 Networks
Japan K.K.
f5j-info@f5.com
© 2014 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com.
Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5.
DS-28204 0714