Introducing The F5 Advanced WAF

Captions
Hey everybody, John Wagnon here with DevCentral. We're coming to you with another Lightboard Lesson video, and today we're gonna talk about the new F5 Advanced WAF, or the Advanced Web Application Firewall. If you have seen some of our previous videos, we did a series on the OWASP Top 10, talked about all the different security risks out there (the newest edition came out late 2017), and then we also did one on "What is a Web Application Firewall?" So if you haven't seen those, maybe check those out real quick. But I wanted to talk today about the specifics of the F5 Advanced WAF.

So just to give you a quick little overview here, sort of a quick recap if you will, on what a WAF is and maybe why you would need one. Let's say you have a client out there in the internet, and that client wants to access your awesome web application. So here's your web app over here, and before you're gonna let that client get to your web application, you want to put a web application firewall in line, so that any kind of request that comes in is going to have to pass through the checks, as it were, of the web application firewall. And then finally, if things are good, that will allow access back here to the web application. You may have several applications or several servers or whatever it is, but like I said, today we're going to talk about the new F5 Advanced WAF, so I'm going to put "Advanced Web Application Firewall."

All right, so pretty much all firewalls, or I'm sorry, all web application firewalls are gonna protect against things like the OWASP Top 10 security risks: injection attacks and deserialization and all those different cross-site scripting, CSRF, that kind of stuff. They're gonna protect against those, or the higher layer, like DoS attacks like Slowloris and things like that. So pretty much if you get a WAF it's gonna protect against those types of things, but the F5 Advanced WAF has some really cool new features that maybe were not present in previous versions of our web application firewall.

So the first one that I'll mention is, just like anything else that you would come to expect from F5 in terms of application delivery controller capability, our Advanced WAF gives you that. So I would just say the base ADC features are going to be there in our Advanced WAF. I'll put a little box around this thing to clarify. All right, so the load balancing, the SSL offloading, those types of things, you're going to find those capabilities in the Advanced WAF.

Another thing that you'll find is what we call Layer 7 DDoS support. Layer 7 DDoS uses things like signatures, of course, for the attacks that would come through at Layer 7. This is kind of an overview, or a comprehensive Layer 7 approach, for any kind of DDoS attack that happens at that layer. So this is a comprehensive set of protection at Layer 7, so that's DDoS mitigation type actions that are gonna happen here.

Another one that's kind of cool is API security, so I'll write this down: API security. API security is really important these days, man, everybody's got an API for everything these days, and APIs can be just as vulnerable as anything else to these attacks and security risks that are out there. So we do some very specific things on our Advanced WAF with respect to API security, whether it is format validation for API calls, maybe schema validation, protection at a parser level, HTTP method configuration. Those are just some things that you can configure on the Advanced WAF in order to keep your APIs themselves secure. So that's a really cool feature that we offer on our Advanced WAF.

Another one that I'll put is anti-bot mobile SDK. All right, so that's a big old long term there. The software development kit is the SDK. What this is, is imagine if you have a mobile client out here, so I'll just put "mobile user," and all of us have our mobile phones these days, and mobile devices. So let's say the mobile user wants to access your web application, and of course that access or that request is going to come through the Advanced WAF. One of the interesting things is that a lot of mobile apps that you would download don't support JavaScript, and so it's hard sometimes for a web application firewall to figure out, hey, is the mobile client acting as a bot to try to attack your web application? Because the app that it may be using to launch a bot attack doesn't support JavaScript, and one of the primary ways that we test to see if it is a human user versus a bot, or one of these automated attacks, is to inject JavaScript and do kind of a JavaScript check on it. So what we have done at F5 is we've teamed together with another company, where we have said, hey, we can give you this anti-bot mobile SDK, and through a series of checks and cookie validation and some other established trusts that we can put together, you can actually check to see if a mobile client or a mobile app is being used in a bot attack against your web application, and we can do that without the need for a JavaScript check and validation. So anyway, that's a really powerful thing where you can check to see if these mobile apps are being used against your web application in the form of a bot attack. So really powerful stuff, anti-bot mobile SDK.

Another one that we have is this thing called DataSafe. DataSafe is awesome. What it does is it actually injects JavaScript (speaking of JavaScript) back here on the client. So let's say you're a client, and for me, I'm accessing this web application, and maybe it's got a form field for username and password, let's just say for example. So if I go in there and say, hey, I'm username "John," password "password," whatever, then what this is going to do is the web application firewall is actually going to inject JavaScript back into my client browser, and some of those HTML form fields are going to be able to be obfuscated or even encrypted. In fact, we can even change the name of the field, and we can really start to mess around with what would be an attacker's vector against trying to get to some of my login information, or whatever it would be. So kind of along those same lines, what an attacker might do is load up some kind of malware on your client browser where, as I'm typing in my username and password, it's going to keystroke log that data. So as I'm typing in "John" and then "password," it's going to be logging that stuff. Well, with DataSafe, what our Advanced Web Application Firewall does is, again, it injects JavaScript back into the client (and by the way, you can configure this), but it injects it back into the client browser so that as I'm typing my username and my password, it obfuscates the actual data that I'm typing in. And then beyond that, you can even encrypt it, and like I said, you can change the form fields and those types of things, so that if the attacker does actually log those keystrokes, then they're not going to see "John" and "password," they're going to see some crazy jumbled letters and numbers and stuff. So it's a really powerful thing that, even if your client doesn't have the capability to say, hey, I've got this keystroke logger, we're gonna protect you nonetheless. So really, really powerful stuff, DataSafe.

Another one that I'll put, I'll just start writing some more up here: behavioral DoS. Behavioral, it should be a B, behavioral DoS. And the behavioral DoS support is actually now unlimited, so that's the key feature here. We've had behavioral DoS on some of our previous versions of our web application firewall, the Application Security Manager, but it was limited in how many virtual servers you could put that on. Now you can do behavioral DoS unlimited. So basically what this does is that it watches behavior from a client perspective, coming back to access your web application via the virtual servers and all that kind of stuff, and so it keeps track on, hey, this one client is not good, this other client is good, etc. It analyzes that behavior, and if it starts to see that there's a DoS attack happening from a certain client, then it's going to be able to shut that down. Again, you used to only be able to put that feature on a couple of different virtual servers at a time, but now you can do it unlimited if you have the Advanced Web Application Firewall. So that's a cool thing.

The next one I'm gonna put is upstream signaling. Okay, upstream signaling is really cool because what the Advanced WAF can do is, again, it can start to notice the behavior and analyze the behavior of different clients, or maybe there's a bot attack happening from a DDoS type attack perspective, and what this can do is it can start to signal and automatically route the traffic back to what we have called Silverline. Silverline is a service that offers all kinds of great DDoS mitigation and other security features that help keep your web application secure. So what upstream signaling can do is the Advanced Web Application Firewall is going to notice that crazy things are happening, and it's going to say, hey, we need to automatically route now to the Silverline service. All the traffic needs to go through Silverline and then back through to the web applications, because it knows that, hey, we're under attack right now, or that type of thing. So maybe, for example, you take advantage of the Silverline DDoS scrubbing capability, so if you're under an active DDoS attack, then all the traffic goes through Silverline and it scrubs it all and only lets the good stuff through. But this is an automatic thing that it can do for you, so upstream signaling is really cool.

The next one I'll put is credential stuffing, and that's not great penmanship, and then I'm going to put "DB." So we don't do credential stuffing, but we do have a credential stuffing database, and this is really, really cool. If you know anything about credential stuffing, we actually have a Lightboard on it, so get out there and check it out, but essentially what it is, is you have an attacker who may have attacked one web application on the internet, like Yahoo or whatever. Yahoo is a good one because it got attacked not too long ago and every single credential got stolen. So let's say that you as a user have your username and password that you use on Yahoo, but then you come over here to this web application and you use the exact same username and password. Well, what attackers do is they know that behavior, and so if they have stolen your credentials from Yahoo, they're gonna try to stuff those same credentials into this web application or many others, and then they're gonna try to get in that way. And the fact that you reuse your credentials over and over allows them to have success with that approach. So what this credential stuffing database is, is we have a threat intelligence stream that comes in that tells us, hey, these are all of the stolen credentials that are out there on the dark web and all the deep places that people don't like to talk about on the internet, but we know about these. So all of these credentials are the stolen, compromised credentials that could be used in a credential stuffing attack. So the credential stuffing database now resides here on the Advanced Web Application Firewall. So now imagine if you're a client accessing this web application, and our Advanced Web Application Firewall says, hey John, you are using the exact credentials that we already know about, that have been stolen and compromised and are out there for sale on the deep dark web, so you may want to change your username and password on this thing and you may want to stop using those credentials. So that's a really, really cool alert mechanism and tool that we have, where we can start to alert your users to say, hey, this is not good, you're using credentials that have been stolen, I should say. So that's really, really cool.

And then the last one that I'll put is proactive bot defense. All right, the cool kids say PBD: proactive bot defense. What this is essentially is, again, bot attacks are popular, they're extremely powerful, they're not a good thing, and we want to protect against those things. Effectively what proactive bot defense does is it starts to analyze the behavior of a client, and it says, hey, you are starting to act more and more like a bot, or more like a bot than we feel comfortable with, as it turns out, and so we are going to maybe rate limit you a little bit, or we are going to apply various signatures to you, or we're going to do certain things to you to keep you from really getting crazy in terms of the way that bots would act. And we try to get in front of that, so that before you ever have a chance (you being the potential bot out there) to really do harm or do damage to our web application, we're gonna shut you down. So again, the effect of proactive bot defense is we stay ahead of this, and we say, hey, we're gonna shut you down before you really get out of control.

So anyway, I know I've gone over several things here today, but these are several key features of the Advanced Web Application Firewall that F5 now has. So again, you could deploy a web application firewall and it could do the standard OWASP Top 10, the standard Layer 7 attacks, those types of things, or you could deploy the Advanced Web Application Firewall and get all of this stuff and really, really keep your web applications secure. These are some very powerful features. So I hope you've learned a couple of things here about the F5 Advanced WAF, and hey, if you like this video, you can click on the DC ball here and subscribe to our YouTube channel, and we will see you guys out there in the community.
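As an added illustration of the credential stuffing database idea described in the video (this is example code, not F5's implementation and not part of the video), the sketch below shows how an in-line WAF check could compare a submitted login against a feed of known-compromised credentials without ever storing plaintext passwords, warn the user on a match, and flag a source that keeps submitting compromised pairs. The feed contents and IP addresses are constructed sample data; the class and function names are assumptions.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass, field


def credential_fingerprint(username: str, password: str) -> str:
    """Hash the normalized username:password pair so neither the feed
    nor the WAF check ever holds the plaintext password."""
    normalized = f"{username.strip().lower()}:{password}"
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


# Constructed stand-in for the threat-intelligence feed of stolen credentials.
# A real feed would be delivered pre-hashed; these values are made up.
COMPROMISED_FEED = {
    credential_fingerprint("john", "password"),
    credential_fingerprint("alice@example.com", "Summer2017!"),
}


@dataclass
class CredentialStuffingCheck:
    """In-line check a WAF could run on login POSTs (hypothetical design)."""
    feed: set
    alert_threshold: int = 3          # compromised hits before a source is flagged
    hits_per_source: Counter = field(default_factory=Counter)

    def inspect_login(self, source_ip: str, username: str, password: str):
        """Return (verdict, reason).

        verdict is one of:
          'pass'         - pair not in the compromised feed
          'warn_user'    - pair is known-stolen; prompt the user to change it
          'block_source' - this source keeps submitting stolen pairs, which
                           looks like a credential stuffing run, not a user
        """
        if credential_fingerprint(username, password) not in self.feed:
            return "pass", "credentials not in compromised feed"
        self.hits_per_source[source_ip] += 1
        hits = self.hits_per_source[source_ip]
        if hits >= self.alert_threshold:
            return "block_source", f"{hits} compromised-credential attempts from {source_ip}"
        return "warn_user", "credentials match a known breach; prompt the user to change them"


if __name__ == "__main__":
    check = CredentialStuffingCheck(feed=COMPROMISED_FEED)
    print(check.inspect_login("10.0.0.1", "john", "password"))   # ('warn_user', ...)
    print(check.inspect_login("10.0.0.1", "john", "something-else"))  # ('pass', ...)
```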
Info
Channel: F5 DevCentral
Views: 31,885
Keywords: f5, devcentral, advanced, web, application, firewall, waf, security, owasp, top ten, ddos, api, bot, credential, stuffing, defense
Id: HBbDKBV4QW0
Length: 15min 56sec (956 seconds)
Published: Mon Apr 30 2018