In mid-2017, the names, addresses, birthdates, social security numbers, and driver's license numbers of about 140 million people were exposed in a data breach. That is about 40% of the population of the United States. They were all consumers of Equifax, one of the largest credit bureaus in the US. About 200,000 of those consumers also had their credit card data exposed. After this incident, Equifax spent over a billion dollars on upgrading its security, and the company is currently required to spend at least another billion to resolve consumer claims. How did a breach of such scale happen? It was revealed that the attackers exploited a vulnerability in the Apache Struts framework on the Equifax website: they gained access via a consumer complaint web portal using a widely known vulnerability that should have been patched.
We hear news of such data breaches every month. The number of data breaches has grown significantly over the past decade, and research has shown that web and application attacks are the largest cause of them.
A service might depend on several applications, and each of them must be configured and patched to its latest security update. Applications are not perfect: each has a vulnerability waiting to be discovered, and once one is discovered a patch may not be available immediately. So, what can you do? A wise solution is to deploy an F5 BIG-IP Web Application Firewall in the network infrastructure. The F5 web application firewall protects web, mobile and API-based applications from all application attacks, including the OWASP Top 10, Layer 7 DDoS, bots, and zero-day attacks through virtual patching. It supports negative (signature-based), positive (rule-based) and behavior-based security models. Deploying and maintaining an F5 AWAF could have easily prevented such a data breach.
F5 specializes in application services and application delivery networking, focusing on the delivery, security, performance and availability of web applications, including the availability of computing, storage and network resources. F5 offers various products to provide these services, such as BIG-IP, BIG-IQ and Silverline. BIG-IP can be a hardware or a virtual appliance running the F5 TMOS operating system, which includes modules such as Local Traffic Manager (LTM), Application Security Manager (ASM), Application Policy Manager (APM), Application Firewall Manager (AFM), Application Acceleration Manager (AAM), IP Intelligence (IPI), WebSafe and BIG-IP DNS. BIG-IQ is a framework for managing BIG-IP devices and application services, whereas Silverline is a cloud-based application service offering security services such as WAF and DDoS protection.
The F5 BIG-IP Web Application Firewall protects web applications by filtering, monitoring and blocking malicious HTTP/S traffic headed for the web application, and it prevents unauthorized data from leaving the application. It does so by following a set of policies that determine which traffic is malicious and which is safe. It operates in reverse proxy mode, masking the identity of the web application server and acting as an intermediary between the user and the application itself.
Because it can read the incoming and outgoing traffic, it compares requests with attack signatures to determine whether they are malicious. Attack signatures are rules and patterns that identify attacks against web applications. When F5 detects a matching pattern or signature, it can either alarm on or block the request, depending on the enforcement mode. BIG-IP ASM contains over 4,500 attack signatures, which can protect the web application from any attack it may encounter, and it also gives users and admins the ability to create their own signatures for their requirements. In addition, BIG-IP ASM uses geolocation and IP Intelligence to allow more sophisticated and targeted defensive measures. BIG-IP ASM also includes the Data Guard feature, which automatically blocks sensitive data such as credit card numbers and social security numbers from being displayed in a browser. Other features provided by BIG-IP ASM are Behavioral DoS (Layer 7 DoS), Bot Protection, API Protocol Security, Anti-Bot Mobile SDK, and Stolen Protection.
Attack signatures contain various known patterns that may cause harm to the application. These include signatures for identifying attacks related to various types of injection, cross-site scripting, XML external entities, insecure deserialization, etc.
In addition to attack signatures, the system can be configured to restrict illegal meta characters and illegal parameters (characters such as <, >, ' and " can be restricted). It also allows disallowing Document Type Definitions (DTDs), which can prevent XXE attacks.
BIG-IP ASM can be configured to allow or disallow HTTP/S URLs, and requests for certain file types can also be disallowed depending on requirements. BIG-IP ASM also provides cookie encryption, and it allows detection of session hijacking by tracking the device ID.
The BIG-IP ASM system can detect brute force attacks from a single source (source-based brute force protection) or from multiple sources (distributed brute force protection) and mitigate them by tracking the number of failed login attempts for a URL defined in the security policy and taking an action when an attack is detected. For source-based brute force protection, the system tracks the number of failed login attempts per source (username, device ID, and IP address) over a detection period. When the configured threshold for a source is exceeded, the system performs the configured enforcement action; if the thresholds for one or more sources are exceeded, the system applies the strictest configured enforcement action among the triggered sources. For distributed brute force protection, the system tracks the number of failed login attempts for the configured login page over a detection period. If credential stuffing attack detection is enabled, the system also tracks the number of login attempts that match the known leaked credentials dictionary. When the configured threshold for either or both is exceeded, the system applies the configured enforcement action until the attack stops or the maximum prevention duration has passed.
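To make the source-based, distributed and credential-stuffing tracking described above concrete, here is a small Python model added for this article (it is not F5's code): it keeps sliding-window failure counts per username, device ID and IP address, a total for the login URL, and a count of attempts matching a leaked-credential set, and returns the strictest action among the thresholds that are exceeded. The thresholds, the action names and their strictness ordering, and the leaked-credential set are assumed values for illustration.

```python
from collections import defaultdict, deque

# Enforcement actions from least to most strict (an ordering assumed for this example).
ACTIONS = ["alarm", "captcha", "drop"]

# Constructed leaked-credential dictionary standing in for a real breach list.
LEAKED_CREDENTIALS = {("alice", "Password1"), ("bob", "123456")}

class BruteForceDetector:
    """Counts failed logins per source (username, device ID, IP) and in total for the
    login URL over a sliding detection window; exceeding a threshold triggers its
    action, and the strictest triggered action wins."""

    def __init__(self, window, source_rules, distributed_rule, stuffing_rule):
        self.window = window              # detection period in seconds
        self.source_rules = source_rules  # {"username": (threshold, action), ...}
        self.distributed_rule = distributed_rule
        self.stuffing_rule = stuffing_rule
        self.events = defaultdict(deque)  # counter key -> timestamps of failures

    def _bump(self, key, now):
        q = self.events[key]
        q.append(now)
        while now - q[0] > self.window:   # expire failures outside the window
            q.popleft()
        return len(q)

    def failed_login(self, now, username, password, device_id, ip):
        """Record one failed login; return the enforcement action or None."""
        triggered = []
        for kind, value in (("username", username), ("device_id", device_id), ("ip", ip)):
            threshold, action = self.source_rules[kind]
            if self._bump((kind, value), now) >= threshold:
                triggered.append(action)
        threshold, action = self.distributed_rule
        if self._bump("login_url", now) >= threshold:
            triggered.append(action)
        if (username, password) in LEAKED_CREDENTIALS:   # credential stuffing
            threshold, action = self.stuffing_rule
            if self._bump("stuffing", now) >= threshold:
                triggered.append(action)
        return max(triggered, key=ACTIONS.index) if triggered else None

def new_detector():
    """Assumed policy: 5 failures per source per 60 s; 20 in total; 3 leaked-credential hits."""
    return BruteForceDetector(60, {"username": (5, "captcha"), "device_id": (5, "alarm"),
                                   "ip": (5, "drop")}, (20, "captcha"), (3, "drop"))
```

A distributed attack that spreads 20 failures over 20 different users, devices and IPs stays below every per-source limit but still trips the login-URL total.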
BIG-IP ASM provides security mechanisms to protect against sensitive data exposure using features such as Secure Vault and Data Guard. Data Guard helps by masking sensitive data such as credit card numbers.
BIG-IP ASM also allows granular security policies based on signature staging. Staging means that the system applies the attack signatures to the web application traffic but does not apply the blocking policy action to requests that trigger those signatures. Placing new and updated attack signatures in staging helps reduce false positive matches. When signatures match attack patterns during the staging period, the system generates learning suggestions. If the signature is a false positive, it can be disabled, after which the system will not apply that signature to the corresponding traffic; if the detection is legitimate, the corresponding attack signature can be enabled. In this way, ASM can be configured to follow the policies required by the application.
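The following Python model, added here to illustrate the signature matching and enforcement mode described earlier together with the staging workflow above (it is example code, not F5's), evaluates a request against a list of signatures: an enforced signature blocks only when the policy is in blocking mode, a staged signature only records a learning suggestion, and an admin review either enables the signature for enforcement or disables it as a false positive. The signature IDs, names and regexes are constructed for the example and are not real F5 signatures.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Signature:
    sig_id: int           # constructed IDs, not real F5 signature IDs
    name: str
    pattern: str          # regex applied to the decoded request
    staged: bool = False  # staged: matched and reported, but never blocked
    enabled: bool = True  # disabled after review as a false positive

@dataclass
class Policy:
    enforcement_mode: str  # "transparent" (alarm only) or "blocking"
    signatures: list
    learning_suggestions: list = field(default_factory=list)

    def evaluate(self, request):
        """Return ("pass" | "alarm" | "block", [ids of matching signatures])."""
        matched, enforce = [], False
        for sig in self.signatures:
            if sig.enabled and re.search(sig.pattern, request, re.IGNORECASE):
                matched.append(sig.sig_id)
                if sig.staged:
                    # Staging period: record a learning suggestion instead of enforcing.
                    self.learning_suggestions.append((sig.sig_id, request))
                else:
                    enforce = True
        if not matched:
            return "pass", matched
        if enforce and self.enforcement_mode == "blocking":
            return "block", matched
        return "alarm", matched

    def review_suggestion(self, sig_id, legitimate):
        """Admin decision on a staged match: a legitimate detection moves the
        signature out of staging so it is enforced; a false positive disables it."""
        for sig in self.signatures:
            if sig.sig_id == sig_id:
                sig.staged = False
                sig.enabled = legitimate

def demo_policy():
    """Blocking policy with one enforced and one newly added (staged) signature."""
    return Policy("blocking", [
        Signature(1, "XSS: script tag in parameter", r"<script"),
        Signature(2, "SQL: SELECT ... FROM in parameter", r"\bselect\b.*\bfrom\b", staged=True),
    ])
```

A legitimate search such as `GET /search?q=select+from+menu` trips the staged signature and only produces a learning suggestion; after the admin marks it a false positive, the same request passes.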
The cyber environment keeps changing, and protection and privacy of data are currently of the utmost priority. In that light, protection of data at the application level is undeniably essential, so deploying a Web Application Firewall is a simple and wise move. And with all the features that F5's BIG-IP solution provides, the choice gets easier.