WAF Management¶
WAF creates security policies that protect web applications from targeted application-layer attacks, such as buffer overflows, SQL injection, cross-site scripting, parameter tampering, cookie poisoning, and web scraping, by allowing only valid application transactions. Using a positive security model, WAF secures applications based on a combination of validated user sessions and user input, as well as validated application responses. WAF also includes built-in security policy templates that can quickly secure common applications.
WAF also protects applications using negative security by means of attack signatures. Attack signatures can detect and thwart attacks such as the latest known worms, SQL injections, cross-site scripting, and attacks that target commonly used databases, applications, and operating systems.
When to use application security¶
The decision about when to use WAF to protect an application can be made on a case-by-case basis by each application and security team. You can use WAF in many ways:
For securing existing web applications against vulnerabilities and known attack patterns, protecting sensitive data, and proactively identifying (and possibly blocking) attackers performing unauthorized activities.
To restrict access to a web application only from those locations identified on a whitelist or to prevent access from certain geolocations.
To help address external traffic vulnerability issues that it might not be cost effective to address at the application level.
As an interim solution while an application is being developed or modified to address vulnerability issues.
As a means to quickly respond to new threats. You can tune WAF to block new threats within a few hours of detection if needed.
These are just a few of the ways that WAF can be used to secure your web applications.
What is a security policy?¶
The core of WAF functionality centers around the security policy, which secures a web application server from malicious traffic, using both positive and negative security features. Positive security features indicate which traffic has a known degree of trust, such as which file types, URLs, parameters, or IP address ranges can access the web server. Negative security features provide the ability to detect and thwart known attack patterns, such as those defined in attack signatures. Security policies can also include protection against web scraping, cross-site request forgery, and multiple attacks from an IP address.
When a user sends a request to the web application server, the system examines the request to see if it meets the requirements of the security policy protecting the application. If the request complies with the security policy, the system forwards the request to the web application. If the request does not comply with the security policy, the system generates a violation (or violations), and then either forwards or blocks the request, depending on the enforcement mode of the security policy (transparent mode only reports violations; blocking mode can block) and the blocking settings on the violation.
The system can similarly check responses from the web server. Responses that comply with the security policy are sent to the client, but those that do not comply cause violations and may also be blocked.
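As an added illustration that is not F5's code and does not reproduce how the product actually orders its checks, the following Python models how one request is evaluated against a policy of the kind described above: positive checks for method, URL, file type and parameters; a negative check with attack signatures; and a final decision driven by the enforcement mode and the per-violation blocking settings. The policy contents, the sample requests, and the signature patterns are constructed for the example, and the VIOL_* names are assumptions patterned after F5's naming style rather than the product's actual violation catalogue.

```python
import re
from dataclasses import dataclass, replace
from urllib.parse import urlsplit, parse_qsl

# Constructed example: a toy model of a WAF security policy. It is not F5 code;
# the VIOL_* names are assumptions patterned after F5's naming style.


@dataclass(frozen=True)
class Policy:
    enforcement_mode: str          # "transparent" (report only) or "blocking"
    allowed_methods: frozenset     # positive model: accepted HTTP methods
    allowed_file_types: frozenset  # positive model: extensions the app serves
    allowed_urls: frozenset        # positive model: explicit paths
    parameters: dict               # positive model: name -> allowed value regex
    signatures: dict               # negative model: name -> attack regex
    blocking_settings: dict        # violation -> {"alarm": bool, "block": bool}


def with_mode(policy: Policy, mode: str) -> Policy:
    """Copy of the policy with a different enforcement mode."""
    return replace(policy, enforcement_mode=mode)


def file_type(path: str) -> str:
    """Extension of the requested object; '' for an extensionless path."""
    last = path.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[1].lower() if "." in last else ""


def evaluate(policy: Policy, method: str, url: str, body: str = ""):
    """Return (action, violations) for one request.

    action is "forward" or "block". Violations are collected in full even
    when the request is forwarded, since they still feed logging and learning.
    """
    parts = urlsplit(url)
    path, violations = parts.path, []

    if method.upper() not in policy.allowed_methods:
        violations.append("VIOL_METHOD")
    if path not in policy.allowed_urls:
        violations.append("VIOL_URL")
    if file_type(path) not in policy.allowed_file_types:
        violations.append("VIOL_FILETYPE")

    # Query-string and form-body parameters are checked the same way.
    params = parse_qsl(parts.query, keep_blank_values=True)
    if method.upper() == "POST":
        params += parse_qsl(body, keep_blank_values=True)
    for name, value in params:
        allowed = policy.parameters.get(name)
        if allowed is None:
            violations.append("VIOL_PARAMETER")
        elif not re.fullmatch(allowed, value):
            violations.append("VIOL_PARAMETER_VALUE")
        for sig_name, pattern in policy.signatures.items():
            if pattern.search(value):
                violations.append(f"VIOL_ATTACK_SIGNATURE:{sig_name}")

    if not violations:
        return "forward", []
    if policy.enforcement_mode != "blocking":
        return "forward", violations   # transparent: report, never block
    for v in violations:
        setting = policy.blocking_settings.get(v.split(":")[0], {})
        if setting.get("block"):
            return "block", violations
    return "forward", violations       # only alarm-level violations raised


# Constructed signatures; real signature sets are far larger and more precise.
SIGNATURES = {
    "sqli_tautology": re.compile(r"'\s*(or|and)\s+\S+\s*=\s*\S+", re.I),
    "xss_script_tag": re.compile(r"<\s*script\b", re.I),
    "path_traversal": re.compile(r"\.\./"),
}

POLICY = Policy(
    enforcement_mode="blocking",
    allowed_methods=frozenset({"GET", "POST"}),
    allowed_file_types=frozenset({"", "php", "css", "js", "png"}),
    allowed_urls=frozenset({"/", "/login.php", "/search.php"}),
    parameters={"user": r"[A-Za-z0-9_]{1,32}", "q": r"[^<>]{0,200}"},
    signatures=SIGNATURES,
    blocking_settings={
        "VIOL_METHOD": {"alarm": True, "block": True},
        "VIOL_URL": {"alarm": True, "block": True},
        "VIOL_FILETYPE": {"alarm": True, "block": True},
        "VIOL_PARAMETER": {"alarm": True, "block": False},  # learn, don't block
        "VIOL_PARAMETER_VALUE": {"alarm": True, "block": True},
        "VIOL_ATTACK_SIGNATURE": {"alarm": True, "block": True},
    },
)

# Constructed sample requests.
REQUESTS = [
    ("GET", "/login.php?user=alice", ""),
    ("GET", "/login.php?user=alice'%20OR%201=1--", ""),
    ("GET", "/backup/site.bak", ""),
    ("POST", "/login.php", "user=bob&debug=1"),
    ("DELETE", "/search.php?q=hello", ""),
]

if __name__ == "__main__":
    for mode in ("transparent", "blocking"):
        pol = with_mode(POLICY, mode)
        print(f"== enforcement mode: {mode}")
        for method, url, body in REQUESTS:
            action, viols = evaluate(pol, method, url, body)
            print(f"{action:8} {method:7} {url:40} {viols}")
```

Running the block prints the same five requests under both modes: in transparent mode every request is forwarded and only the violation list differs, while in blocking mode the SQL injection, the unknown `.bak` file type, and the `DELETE` method are blocked, but the unknown `debug` parameter is still forwarded because its blocking setting is alarm-only. That last case is the practical reason to review blocking settings per violation after switching a policy out of transparent mode.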
Types of attacks WAF protects against¶
WAF is a web application firewall that protects mission-critical enterprise Web infrastructure against application-layer attacks, and monitors the protected web applications. For example, WAF protects against web application attacks such as:
Malicious bot traffic
SQL injection attacks intended to expose confidential information or to corrupt content
Exploitation of application memory buffer overflows to stop services, get shell access, and propagate worms
Fraudulent transactions using cross-site request forgery (CSRF)
Unauthorized changes to server content
Attempts aimed at causing the web application to be unavailable or to respond slowly to legitimate users
Manipulation of cookies or hidden fields
Unknown threats, also known as zero-day threats
Access from unauthorized IP addresses or geolocations
The system can automatically develop a security policy to protect against these threats, and you can configure additional protections and customize how the system responds to them.
WAF Concepts¶
- Overview: WAF Policies
- Overview: WAF Event Management
- Overview: WAF Advanced Dashboard
- Overview: WAF Rating-Based Protection
- Overview: WAF Policy Builder
- Overview: Evasion Techniques
- Overview: Attack Signatures
- Overview: Live updates for policy signatures
- Overview: Blocking response pages
- Overview: Data Guard
- Overview: Brute force protection
- Overview: URLs
- Overview: Parameters
- Overview: Allowed Methods
- Overview: WAF Cookie Protection
- Overview: CSRF Protection Using Origin Validation
- Overview: Server-Side Request Forgery (SSRF)
- Overview: Layer 7 Denial-of-Service (DoS)
- Overview: Bot Protection
- Overview: Threat Campaigns
- Overview: IP Intelligence
- Overview: Controlling application use by geolocations
- Overview: Security Reports
Work with WAF on BIG-IP Next Central Manager¶
- How To: Create, Import, or Export a WAF Policy on BIG-IP Next Central Manager
- How To: Manage and edit a WAF policy on BIG-IP Next Central Manager
- API Use Cases: Manage and edit a WAF policy on BIG-IP Next Central Manager
- How To: Install Live Updates
- How To: Policy Builder learning suggestion and entity management
- How to: Policy actions from WAF Advanced Dashboard
- How To: Create and Manage WAF Event Logs on BIG-IP Next Central Manager
- How To: Override an attack signature on BIG-IP Next Central Manager
- How To: Define sensitive parameters on BIG-IP Next Central Manager
- How To: Customize blocking response pages on BIG-IP Next Central Manager
Work with WAF in BIG-IP Next Central Manager’s Policy Editor¶
- How To: Configure WAF Policy
- How to: Add a remote security log server
- How to: Enable file types
- How to: Configure Parameter Handling
- How to: Allow Parameter Meta-Characters
- How to: Define Sensitive Parameters
- Overview: Masking credit card numbers
- How to: Mask Credit Card Numbers
- Overview: User-defined HTTP Headers
- How to: Configure User Defined HTTP Header
- Overview: Differentiating between HTTP and HTTPS URLs
- How to: Differentiate between HTTP and HTTPS URLs
- How to: Configure multiple user-defined parameters, including empty and repeated
- How to: Limit user-defined parameter to a single context
- How To: Configure user-defined numeric parameter
- How to: Configure whether the user-defined parameter value is also a multiple of a specific number
- How to: Configure user-defined text and query parameters
- How to: Enable the illegal method violation
- How to: Set Enforcer Cookie Settings
- Overview: CSRF Configuration
- How to: Enable CSRF globally with no customization
- How to: Configure a custom CSRF URL wildcard and myurl
- How to: Define a custom CSRF URL and policy-wide host-name domain without subdomains
- Overview: User-Defined URLs
- How to: Configure wildcard/explicit URLs
- How to: Configure meta-characters in a user-defined URL
- How to: Disable one signature and enable another in a user-defined URL
- How to: Configure json/xml/form-data content types for a specific user-defined URL
- Overview: Login Pages for Secure Application Access
- How to: Configure login enforcement
- How to: Configure login with HTML form authentication
- How to: Configure login with AJAX or JSON request authentication
- How to: Add a login page with Windows NT LAN Manager (NTLM) authentication
- How to: Add a logout URL
- How to: Set disallowed geolocations
- How to: Configure SSRF protection
- Overview: User-Defined Signatures
- How to: Work with user-defined signatures
- Reference: IP Intelligence Categories
- How to: Set IP Intelligence
- How to: Configure Attack Signatures
- How to: Enable a specific attack signature
- How to: Exclude single signature in a set
- How to: Configure Layer 7 DoS protection
- How to: Configure Layer 7 DoS Remote Logging
- How to: Log Bot Defense traffic
- How to: Update the F5-provided Attack Signatures package
- How to: Create an AJAX custom blocking page
- How to: Create a custom redirect URL response page
- Overview: Server Technologies
- How to: Enable Server Technology Signature
- How to: Enable Data Guard Blocking
- How to: Enable Data Guard Masking
- How to: Activate a Brute Force alarm on login attempts from the same user
- How to: Activate Brute Force blocking of login attempts from the same IP
- How to: Enable blocking evasion technique
- How to: Add or Update Threat Campaigns
- How to: Modify Threat Campaign
- How to: Modify Bot Signature Enablement
- How to: Change Bot Anomaly Configuration
- How to: Add or update bot signatures
- Overview: Long Requests
- How to: Enable the shutdown flag
WAF References¶
- Reference: WAF Terminology
- Reference: WAF Policy Templates
- Reference: Web Application Event Logs
- Reference: L7 DoS Event Logs
- Reference: Attack Signatures
- Reference: Bot mitigation settings
- Reference: WAF Policy Builder
- Reference: File Types
- Reference: Parameters
- Reference: Authentication types
- Reference: Cookie Enforcement
- Reference: URL Enforcement
- Reference: Attack Signature Sets
- Reference: Violation Protection
- Reference: WAF Web Protection Dashboard
- Reference: WAF L7 DoS Dashboard
- How To: Manage WAF Security Reports
- WAF Feature Mapping between BIG-IP and BIG-IP Next
- Declarative WAF Policy Schema