Introduction to WAF
A web application is application software that runs on a web server, unlike desktop programs that run locally on the operating system (OS) of the device. A web application firewall (WAF) protects web applications from a range of application-layer vulnerabilities, including cross-site scripting (XSS), SQL injection, cookie poisoning, and others.
A WAF protects web applications by filtering, monitoring, and blocking malicious HTTP/S traffic travelling to the web application, and prevents unauthorized access to the application. A set of policies determines which traffic is malicious and which is safe. A WAF operates as a reverse proxy, which means it acts as an intermediary that shields the web application server from a potentially malicious client. WAFs come in the form of software, an appliance, or a service. Policies can be customized to meet the unique needs of a web application or set of web applications, and many WAFs require regular policy updates so that newly discovered vulnerabilities are addressed.
WAF over network firewall
It’s important to note that a WAF does not replace a network firewall; they are independent devices or functions that complement each other. A firewall, at its most basic level, is a device or appliance with a collection of rules that dictate who can talk to whom. A WAF, by contrast, is a layer 7 (application layer, in the OSI model) defense and is not designed to defend against all types of attacks. There are various types of WAF solutions available, but in this blog we will be discussing the F5 BIG-IP system.
F5 Big-IP
F5, Inc. is an American technology company specializing in application security, multi-cloud management, online fraud prevention, application delivery networking (ADN), application availability & performance, network security, and access & authorization.
BIG-IP software products are licensed modules that run on top of F5’s Traffic Management Operating System (TMOS). This custom, event-driven operating system is designed specifically to inspect network and application traffic and make real-time decisions based on the configuration that has been provided. The BIG-IP software can run on hardware or in virtualized environments. Before configuring and using the BIG-IP system, the system must be activated with a valid license.
Licensing Big-IP system
Before activating the license for the BIG-IP system, a base registration key (a 27-character string) should be obtained. The base registration key is pre-installed on new BIG-IP systems or can be requested by registering a free user account with F5. When you connect to the Configuration utility, the Licensing page opens and displays the registration key.
Figure 1: Entering the base registration key
After entering the base registration key, we obtain a dossier. The dossier is an encrypted list of key characteristics used to identify the platform.
Figure 2: Entering Dossier
Lastly, paste the license obtained and we are ready to go.
Figure 3: Entering license file
Configuring Network Adapters
After finishing the licensing part, the F5 interfaces need to be configured so that the system can communicate with the servers and the internet. F5 BIG-IP has four interfaces, which should be assigned to management, internal, external, and HA using network adapters. HA means High Availability; an HA deployment consists of two BIG-IP systems synchronized with the same configuration. The active system processes the traffic while the standby system remains dormant until required. The main purpose of HA is that the failure of any one of these components does not interrupt the operation of the system.
Management Interface
The TMM switch ports are the interfaces the BIG-IP system uses to send and receive load-balanced traffic, whereas the management interface is used for system management functions.
The management port on a BIG-IP system provides administrative access out-of-band of the application traffic, which makes it possible to restrict administrative access to an internal secure network.
self-IP
In the BIG-IP platform, the term “self IP” is associated with a VLAN on each device. Each BIG-IP has a self IP in a VLAN, which is the IP address defined on that interface. A self IP represents the range of IP addresses spanning the hosts in the VLAN, not only a single host address.
Node Configuration
A node is a logical object on the BIG-IP system that identifies the IP address of a physical resource on the network. A node can be created explicitly, or the BIG-IP system can be instructed to create one automatically when a pool member is added. Nodes are the basis for creating a load balancing pool: for any server that we want to be part of a load balancing pool, a node must be created, which means “designate that server as a node”. After designating the server as a node, it can be added as a pool member.
A primary feature of nodes is their association with health monitors. Like pool members, nodes can be associated with health monitors as a way to determine server status.
Pools
A pool is a logical set of devices, such as web servers, that you group together to receive and process traffic. Instead of sending client traffic to the destination IP address specified in the client request, the BIG-IP system sends the request to any of the nodes that are members of that pool.
Figure 5: Creating pool members
A health monitor for a pool member reports the status of a service running on the device, whereas a health monitor associated with a node reports the status of the device itself.
virtual IP address and service, such as 192.168.20.10:80. When clients on an external network send application traffic to a virtual server, the virtual server listens for that traffic and, through destination address translation, directs it according to the settings you configured on the virtual server. A primary purpose of a virtual server is to distribute traffic across a pool of servers that you specify in the virtual server configuration. When creating a virtual server, we specify the pool or pools that can be used as the destination for any traffic arriving at that virtual server. We also configure its general properties, profiles, SNATs, and any other resources we want to assign to it, such as iRules or session persistence types.
Let’s have a look at a standard virtual server.
Figure 7: Source address translation in Virtual server
A standard virtual server (also known as a load balancing virtual server) directs client traffic to a load balancing pool and is the most basic type of virtual server. When creating the virtual server, an existing default pool is first assigned to it; the virtual server then automatically directs traffic to that default pool.
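The objects described in the self IP, node, pool and virtual server sections above can also be built from the BIG-IP command line with tmsh instead of the Configuration utility. The following is an added example, not part of the original post or F5’s documentation; the object names (web1, web2, web_pool, vs_web), the VLAN interface numbers (1.1, 1.2) and the 10.10.10.0/24 and 192.168.20.0/24 addresses are assumptions, while 192.168.20.10:80 is the virtual address used in the text.

```tmsh
# Run inside the tmsh shell (or prefix each line with "tmsh" from bash).
# All names and addresses below are constructed for illustration.

# 1. VLANs and self IPs (one per VLAN). The external self IP uses
#    port lockdown "none" so the data-plane address exposes no
#    management services; the internal one keeps the default set.
create net vlan internal interfaces add { 1.1 }
create net vlan external interfaces add { 1.2 }
create net self 10.10.10.1     address 10.10.10.1/24    vlan internal allow-service default
create net self 192.168.20.2   address 192.168.20.2/24  vlan external allow-service none

# 2. Nodes: a node-level monitor (icmp) reports the status of the
#    server itself, independent of any service running on it.
create ltm node web1 address 10.10.10.11 monitor icmp
create ltm node web2 address 10.10.10.12 monitor icmp

# 3. Pool: the pool-member monitor (http) reports the status of the
#    web service on each member, not just the host.
create ltm pool web_pool \
    members add { 10.10.10.11:80 10.10.10.12:80 } \
    monitor http \
    load-balancing-mode round-robin

# 4. Standard virtual server: listens on the virtual IP and port,
#    performs destination address translation to the chosen pool
#    member, and uses SNAT automap so return traffic flows back
#    through the BIG-IP rather than straight to the client.
create ltm virtual vs_web \
    destination 192.168.20.10:80 \
    ip-protocol tcp \
    profiles add { tcp http } \
    pool web_pool \
    source-address-translation { type automap }

# 5. Checks: confirm every member is "up" before sending traffic,
#    and review the resulting virtual server definition.
show ltm pool web_pool members
list ltm virtual vs_web
save sys config
```

If a member shows as down in step 5, the pool-level http monitor is failing against that server even though the node-level icmp check may pass, which is exactly the service-versus-device distinction drawn above.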
Conclusion
This blog aims to give readers an overview of WAF and of the various components of the F5 WAF. The components mentioned above belong to the LTM (Local Traffic Manager) module. F5 has various other modules, such as DNS, APM, ASM, and AAM, each with its own features.
As we know, the rapid growth of internet users is making the world more vulnerable to attack. Cyberattacks not only disrupt normal operations but may also damage important IT assets and infrastructure in ways that can be impossible to recover from. A web application firewall (WAF) can protect against those attacks and secure web applications. Moreover, the F5 WAF can protect web applications from cyberattacks using modules such as ASM, which will be discussed in upcoming blogs.