Advanced Web Application Firewall (WAF) Launchpad

White Paper

Why do organizations need a WAF?

Today, enterprises are extending their businesses by using web-based and cloud-hosted applications, so having a robust and agile web application firewall (WAF) in place to protect them from security threats isn't a luxury; it's a necessity. As these web- and cloud-based applications spread more rapidly, attacks become increasingly sophisticated and frequent, threatening enterprises' critical data and operations. This makes it far more difficult for administrators and security teams to keep up to date on the latest attacks and protection measures. At the same time, they must meet stringent compliance requirements for online commerce (e.g., Payment Card Industry Data Security Standard); protect business-critical web applications from common attacks such as SQL injection, DDoS attacks, and multifaceted zero-day attacks; and enable secured data sharing across traditional and cloud environments.

What does it take to deploy a WAF?

Enterprises can employ a combination of techniques to ensure accurate detection coverage that does not block legitimate traffic. Traditionally, the most widely used WAF configuration has been a negative security model, which allows all transactions except those that contain a threat or attack. Negative security utilizes signatures and rules designed to detect known threats and attacks. The signature rules database will be quite substantial, as attack knowledge has built up over the years. This is a great model for out-of-the-box protection, blocking commonly known threats including web injections, OWASP Top 10 threats, cross-site scripting (XSS), and more.

In recent years, positive security models have become more popular. This approach blocks all traffic, allowing only those transactions that are known to be valid and safe. The positive approach is based on strict content validation and statistical analysis, which can be more effective in preventing zero-day threats and vulnerability manipulation.
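The two models described above, side by side, as an added example that is not part of this white paper and is not F5 code: a toy request evaluator in Python with a deny-list of constructed attack signatures (negative model) and a per-endpoint allow-list of parameters (positive model). The endpoint profile, the signatures and the sample requests are all constructed for illustration. It shows the trade-off the text names: the allow-list blocks an unexpected parameter that no signature matches, but it also blocks a perfectly legitimate request to an endpoint nobody has profiled, which is why a positive policy has to be derived from knowledge of the application.

```python
"""Toy WAF request evaluator contrasting a negative (deny-list) and a
positive (allow-list) security model. Constructed example; not F5 code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Negative model: signatures for known attack patterns. This is a tiny,
# constructed subset; a real signature database holds thousands of rules.
SIGNATURES: Dict[str, "re.Pattern[str]"] = {
    "sqli_tautology": re.compile(r"'\s*or\s+['\d]", re.IGNORECASE),
    "sqli_comment": re.compile(r"(--|/\*|#)\s*$"),
    "xss_script_tag": re.compile(r"<\s*script", re.IGNORECASE),
}


@dataclass
class ParamRule:
    """Allowed shape of one request parameter (positive model)."""
    pattern: "re.Pattern[str]"
    max_len: int
    required: bool = False


# Positive model: per-endpoint allow-list. Anything not described here is
# rejected, so it must come from real knowledge of the application.
# Constructed for a hypothetical search endpoint.
PROFILES: Dict[Tuple[str, str], Dict[str, ParamRule]] = {
    ("GET", "/search"): {
        "q": ParamRule(re.compile(r"[\w\s'\-]+"), 64, required=True),
        "page": ParamRule(re.compile(r"\d{1,3}"), 3),
    },
}


@dataclass
class Request:
    method: str
    path: str
    params: Dict[str, str]


@dataclass
class Verdict:
    blocked: bool
    reasons: List[str] = field(default_factory=list)


def negative_check(req: Request) -> List[str]:
    """Deny-list: flag any parameter value matching a known-attack signature."""
    reasons = []
    for name, value in req.params.items():
        for sig_name, rx in SIGNATURES.items():
            if rx.search(value):
                reasons.append(f"signature {sig_name} matched in parameter {name!r}")
    return reasons


def positive_check(req: Request) -> List[str]:
    """Allow-list: accept only profiled endpoints, known parameters, and
    values that fit the declared shape and length."""
    profile = PROFILES.get((req.method, req.path))
    if profile is None:
        return [f"no profile for {req.method} {req.path}"]
    reasons = []
    for name, rule in profile.items():
        if rule.required and name not in req.params:
            reasons.append(f"required parameter {name!r} missing")
    for name, value in req.params.items():
        rule = profile.get(name)
        if rule is None:
            reasons.append(f"unexpected parameter {name!r}")
        elif len(value) > rule.max_len:
            reasons.append(f"parameter {name!r} longer than {rule.max_len}")
        elif not rule.pattern.fullmatch(value):
            reasons.append(f"parameter {name!r} does not fit allowed pattern")
    return reasons


def evaluate(req: Request, mode: str = "combined") -> Verdict:
    """mode is 'negative', 'positive' or 'combined' (both checks; any hit blocks)."""
    reasons: List[str] = []
    if mode in ("negative", "combined"):
        reasons += negative_check(req)
    if mode in ("positive", "combined"):
        reasons += positive_check(req)
    return Verdict(blocked=bool(reasons), reasons=reasons)


if __name__ == "__main__":
    samples = {  # constructed requests
        "legitimate": Request("GET", "/search", {"q": "O'Brien smith", "page": "2"}),
        "classic sqli": Request("GET", "/search", {"q": "' or '1'='1"}),
        "unexpected param": Request("GET", "/search", {"q": "widgets", "debug": "true"}),
        "unprofiled endpoint": Request("GET", "/about", {}),
    }
    for label, req in samples.items():
        for mode in ("negative", "positive"):
            v = evaluate(req, mode)
            print(f"{label:20} {mode:8} blocked={v.blocked} {v.reasons}")
```

Running it shows the pattern the text describes: the textbook injection is caught by both models, the request carrying an undocumented `debug` parameter passes every signature but fails the allow-list, and the request to `/about` is allowed by the negative model yet blocked by the positive one simply because no profile exists for it. That last case is the false positive that business owners complain about, and it is fixed by profiling the application, not by adding signatures.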
To be truly effective, a positive security approach requires deep knowledge of the application and its expected uses.

Challenges

Multiple interlocked steps to undertake

Positive and negative models are both capable of achieving the delicate balance between "security" and "functionality." However, neither a positive nor a negative security model alone can deliver the most economical solution in every situation or environment. When merged with business requirements, an integrated positive and negative approach can enable organizations to realize the greatest ROI from any security policy implementation. Making the appropriate decisions for a WAF deployment that best meets business objectives can be a challenge. The need for time and resources usually competes with the need for adequate know-how and confidence in using the selected product.

There are multiple steps a customer will need to undertake when planning and delivering a WAF service implementation project:

1. Build the most appropriate WAF strategy and get it approved by all internal stakeholders.
2. Efficiently use the WAF product to implement the correct set of policies and parameters.
3. Plan for the WAF service deployment, often over several hundreds of applications.
4. Plan for the day-to-day service operations and lifecycle management in production.

Each step offers common challenges

Corporate and business security requirements (or expectations) do not always take full consideration of technical, operational, and resource constraints. The temptation then is to try to meet a high-level objective by designing a very sophisticated strategy before making sure the organization has put everything required in place to make that objective achievable. In many cases a neutral assessment and analysis of the situation is necessary to solve this issue.

The balance between the application availability required by business owners and the level of protection required by the CISO team is not always easy to achieve. For example, business owners don't want their applications blocked due to false positives or WAF policies that are too restrictive. Here again, an impartial and educated assessment and analysis of the situation can help organizations find the right balance and prepare mitigation plans to address possible impacts on production.

Attending software-vendor training or passing product certification is highly recommended, but it will never save the effort of practicing within the actual company context, objectives, and constraints.

One of the questions customers very often struggle with is how to go about securing a large number of applications. Quite often, though, the volume itself is not the main problem; rather, the quality and completeness of the information available for each application can hinder a WAF project and should lead to further consideration of the design and implementation strategy. Experience with WAF implementations will be extremely helpful to discover relevant criteria, establish characterization and groupings of applications, and adapt the overall WAF service design and implementation strategy.

Often, customers forget to include upfront consideration of later steps to ensure feasibility and supportability. That is probably the most frequently made mistake (i.e., designing and planning the solution without studying the implications of the selected design and implementation models when operating that solution in the long term in a production environment). A common example is the underestimation of the resources required to maintain highly sophisticated WAF policies while the entire environment faces regular changes from all sides: threats, mitigations, application releases, etc.

The F5 Solution

F5 Professional Services customizes the solution for your environment

The comprehensive set of functions of BIG-IP Advanced WAF, such as multiple deployment methods (including real traffic policy builder), manual learning, and advanced features such as vulnerability scanner integration, attack signatures, brute force prevention, geolocation enforcement, bot detection, DDoS mitigation, and more, enable rapid fit-for-purpose configurations that can then scale and improve to address the evolving world of threats and meet the most demanding customer requirements.

F5 Professional Services specifically created the Advanced WAF Launchpad service for customers who purchased, and sometimes even provisioned, the Advanced WAF BIG-IP module, but who have not yet deployed an effective WAF service (e.g., with only a few policies in transparent mode). The Advanced WAF Launchpad service can provide the benefit of F5 Professional Services expertise and experience to help customers overcome specific use-case problems and engage in a successful Advanced WAF implementation project.

Service scope

The service involves collaboration between a security expert from F5 Professional Services and the customer's security, infrastructure, network, and application management teams. The two-fold objective of the service is to develop a fit-for-purpose Advanced WAF policy implementation strategy using F5 best practices, and to transfer know-how and expertise that can be directly put into practice by the customer.

Service delivery approach

The service is a two-day engagement during which the theory and practice of Advanced WAF functionalities, deployments, and management requirements are covered to ensure customers have the confidence and ability to implement effective Advanced WAF solutions for optimum application security.

Step 1: Advanced WAF design and deployment strategy

The first day of the engagement starts with a working session that involves the security architects, designers, engineers, operations, and other stakeholders in charge of Advanced WAF security policy management. The F5 Consultant will drive data gathering and impartial analysis of the existing context and objectives, provide recommendations and best practices, and conduct thorough reflections to develop a high-level design and implementation strategy. At the end of that first day, the F5 Consultant will prepare a report highlighting findings and recommendations.

Step 2: Policy creation and implementation

This step consists of creating a policy and applying it to a virtual server to cover one given web application. It can be performed at once or can be split into separate sub-tasks to suit the selected policy implementation strategy. For example, a policy implementation into a customer testbed with the rapid deployment method may be performed in one session, whereas the generation of a policy using the Automatic Policy Builder (i.e., where "real" traffic is available to be inspected over an extended period) may be split into one sub-task to set up the basic policy, and another sub-task later to perform policy tuning and transition to blocking mode.
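As an added illustration of the policy lifecycle that Step 2 describes (build a basic policy from observed traffic, run it in transparent mode, tune away false positives, then transition to blocking), here is a small Python simulation. It is not F5 code and does not model how BIG-IP's Automatic Policy Builder actually works; the staging traffic, the minimum-observation threshold and the length headroom factor are constructed assumptions chosen to make the phases visible.

```python
"""Simulated WAF policy lifecycle: learn parameters from observed traffic in
transparent mode, tune, then switch to blocking. Constructed example; it does
not model how BIG-IP's Automatic Policy Builder actually works."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Endpoint = Tuple[str, str]  # (method, path)


@dataclass
class LearnedProfile:
    param_counts: Dict[str, int] = field(default_factory=dict)  # sightings per parameter
    max_len: Dict[str, int] = field(default_factory=dict)       # longest value seen
    requests_seen: int = 0


@dataclass
class Policy:
    mode: str = "transparent"     # "transparent" only logs; "blocking" enforces
    min_observations: int = 5     # assumption: trust a parameter after this many sightings
    length_headroom: float = 2.0  # assumption: allow values up to 2x the longest seen
    profiles: Dict[Endpoint, LearnedProfile] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)


def learn(policy: Policy, method: str, path: str, params: Dict[str, str]) -> None:
    """Learning phase: record which parameters appear and how long they get."""
    prof = policy.profiles.setdefault((method, path), LearnedProfile())
    prof.requests_seen += 1
    for name, value in params.items():
        prof.param_counts[name] = prof.param_counts.get(name, 0) + 1
        prof.max_len[name] = max(prof.max_len.get(name, 0), len(value))


def violations(policy: Policy, method: str, path: str, params: Dict[str, str]) -> List[str]:
    """Compare a request against what learning established for its endpoint."""
    prof = policy.profiles.get((method, path))
    if prof is None:
        return [f"unlearned endpoint {method} {path}"]
    found = []
    for name, value in params.items():
        if prof.param_counts.get(name, 0) < policy.min_observations:
            found.append(f"parameter {name!r} not established during learning")
        elif len(value) > int(prof.max_len[name] * policy.length_headroom):
            found.append(f"parameter {name!r} exceeds learned length")
    return found


def enforce(policy: Policy, method: str, path: str, params: Dict[str, str]) -> str:
    """Returns 'allow', 'log' (transparent mode) or 'block' (blocking mode)."""
    found = violations(policy, method, path, params)
    if not found:
        return "allow"
    policy.log.extend(f"{method} {path}: {v}" for v in found)
    return "block" if policy.mode == "blocking" else "log"


def tune(policy: Policy, method: str, path: str, name: str, max_len: int) -> None:
    """Tuning step: an operator accepts a legitimate parameter that learning
    saw too rarely (a false positive), before transitioning to blocking."""
    prof = policy.profiles.setdefault((method, path), LearnedProfile())
    prof.param_counts[name] = policy.min_observations
    prof.max_len[name] = max(prof.max_len.get(name, 0), max_len)


# Constructed staging traffic: six ordinary logins and one with an optional flag.
SAMPLE_TRAFFIC = [("POST", "/login", {"user": "alice", "pass": "s3cret!"})] * 6 + [
    ("POST", "/login", {"user": "bob", "pass": "hunter2", "remember": "1"}),
]


def build_policy() -> Policy:
    """Basic policy: everything the staging traffic taught us, still transparent."""
    policy = Policy()
    for method, path, params in SAMPLE_TRAFFIC:
        learn(policy, method, path, params)
    return policy


if __name__ == "__main__":
    p = build_policy()
    ok = {"user": "carol", "pass": "pw"}
    rare = {"user": "carol", "pass": "pw", "remember": "1"}
    print(enforce(p, "POST", "/login", ok))    # allow
    print(enforce(p, "POST", "/login", rare))  # log: 'remember' seen only once
    p.mode = "blocking"
    print(enforce(p, "POST", "/login", rare))  # block: same request, now enforced
    tune(p, "POST", "/login", "remember", 1)
    print(enforce(p, "POST", "/login", rare))  # allow: operator accepted the parameter
```

The point of the simulation is the order of operations: the `remember` parameter is legitimate but appeared in only one of seven staging requests, so the learned policy treats it as suspicious. In transparent mode that only produces a log line; had the policy been switched to blocking before the tuning pass reviewed those log lines, real users would have been blocked. This is the resource cost the Challenges section warns about: every application release can introduce new parameters that the learned policy has never seen.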

Conclusion

Live support from a skilled consultant with the relevant expertise and experience has very often proven to be the best solution to put a WAF service deployment project on the right track and help Advanced WAF owners make educated and efficient decisions. For more information about the BIG-IP Advanced WAF Launchpad service, please contact F5 Professional Services.

F5 Networks, Inc. 401 Elliott Avenue West, Seattle, WA 98119 888-882-4447 f5.com
Americas info@f5.com
Asia-Pacific apacinfo@f5.com
Europe/Middle-East/Africa emeainfo@f5.com
Japan f5j-info@f5.com

2018 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5. 0113