Configuring BIG-IP Advanced WAF: Web Application Firewall

Deploying F5 Advanced WAF is a curriculum bundle intended for Application Security Administrators responsible for the deployment of F5 Advanced Web Application Firewall to secure web applications from common vulnerabilities and denial of service. Course topics cover the identification and mitigation of web application vulnerabilities on both the client and application sides of the threat spectrum. Subject areas include Advanced WAF fundamentals, mitigating vulnerabilities, defending against Bots and other automated attacks, and additional deployments. Skills are imparted through a combination of video presentations and lab demonstrations, with accompanying job aids that provide configuration examples. __Audience__

This course is intended for SecOps personnel responsible for the deployment, tuning, and day-to-day maintenance of F5 Adv. WAF. Participants will obtain a functional level of expertise with F5 Advanced WAF, including comprehensive security policy and profile configuration, client assessment, and appropriate mitigation types.

Advanced WAF: Fundamentals

Understanding Web Application Communication Elements

Understanding HTTP Request Headers and their Vulnerabilities

Understanding HTTP Response Headers and their Vulnerabilities

Understanding HTTP Response Status Codes

Differentiating HTTP from HTTS

Understanding Web Application Flow with F5 Advanced WAF

Understanding Today's Threat Landscape

Discover Web Application Vulnerabilities

Understanding Deployment Workflow and Configuration

Viewing and Interpreting Application Security Event Logs

Exploring the Rapid Deployment Policy Template

Using the Guided Configuration to Deploy an Application Security Policy

Managing an Application Security Policy After Deployment

Trigger and Review a Violation

Accept Requests and View Learning Suggestions

Handle Learning Suggestions

Manage Policy Enforcement Mode and Staging

Mitigating Vulnerabilities, Attacks, and Threats

Deploying and Managing F5-Supplied Attack Signatures

Creating User-Defined Attack Signatures

Deploying and Updating Threat Campaigns

Reporting and Logging Features

Understanding F5 Advanced WAF Administrative Logs

Managing Security Event Logging with Logging Profiles

Configuring a Remote Logging Profile for Application Security Events

Configuring Response Logging

Achieving PCI Compliance

Generate the PCI Compliance Report

Using the Login Enforcement Feature to Control Application Flow

Detecting and Mitigating Brute Force Attacks

Detecting and Mitigating Credential Stuffing Attacks

Using the Session Tracking Feature to Detect and Deter Bad Actors

Login Enforcement for Flow Control

Mitigating Brute Force Attacks

Mitigating Credential Stuffing

Reconnaissance with Session Tracking

Deploy Session Awareness and Log All Requests

Protecting Application Delivery on the Client with DataSafe

Securing a Login Page on the Client Using DataSafe

Protecting Against Sensitive Data Leakage with the Data Guard Feature

Protect against credit card number leakage using Data Guard

Defending against Bots and other Automated Attacks

Understanding L7 DoS Attacks Protections

Deploying TPS-Based DoS Protection

Deploying Stress-Based Protection

Deploying Behavioral DoS Protection

Deploying BaDoS Mitigation

Deploying TPS-based DoS Mitigation

Classifying Clients with the Bot Defense Profile

Configuring and Deploying a Bot Defense Profile

Protecting Against OWASP Automated Threats with Bot Defense Profile Microservices

Mitigate a Web Scraping Attack

Provide Login Protection

Provide Signup Protection

Deploy the Search Protection Microservice

Deploy the Shopping Cart Protection Microservice

Deploy the Checkout Protection Microservice

Deploy the Automated Form Submission Microservice

Deploy the Intellectual Property Harvesting Microservice

Deploy Custom Microservice Protection

Additional Deployment Options

Understanding Entities (URLs, File Types, Parameters, Cookies, and Redirection Domains)

Managing Entities through Policy Building and Traffic Learning

Learning with Never, Selective, and Always

Experiment with Learning and Enforcement

Learn Using the Compact Scheme

Securing Advanced WAF System Cookies

Protect Against Cookie Tampering

Secure HTTP Headers

Modify ASM Cookie Names

Secure Application Domain Cookies with Secure and HTTP-Only Attributes

Secure BIG-IP ASM Cookies with Secure and HTTP-Only Attributes

Protecting Web Application Parameters

Protect Static and Dynamic Parameters

Using Automatic Policy Building

Deploying an Application Security Policy Automatically

Creating and Deploying Layered Policies

Using iRules with an Application Security Policy

Deploy an iRule to Handle a Custom Violation

Log Violation Data and Send a Custom Response Page from an iRule

Implementing Geolocation Enforcement and IP Address Exceptions

Secure a Modern Single Page Application

Qualys Scan Integration

Manage Traffic with Layer 7 Local Traffic Policies

Learn to deploy and operate F5 Advanced WAF to protect web applications from the most critical security risks as described in the OWASP Top 10 list, from bots and other automated agents, and from Denial of Service (DoS) attacks operating at the HTTP layer of the web application delivery ecosystem. Through a combination of lecture, hands-on labs, and discussion, secure applications from the majority of common attacks by the end of the first day. Take technical deep dives into mitigating web scraping, account aggregation, account creation, ad fraud, CAPTCHA defeat, card cracking, carding, cashing out, credential stuffing, and other unwanted automated application abuse as described in the OWASP automated threats list.
Observe various vulnerability mitigations in real time by playing the role of an attacker in lab exercises. Gain context for securing applications, including analysis of HTTP and the elements of both modern and traditional web applications such as file types, parameters, URLs, and login pages. Learn to recognize client and server-side technologies such as JSON and AJAX, and learn to address vulnerabilities that might be present in common application development tools such as PHP, AngularJS, and others.
Review recommended practices for reporting, security event logging, and integration with third-party web application vulnerability scanners in detail. Follow prescribed step-by-step directions for activities initially, and gradually gain proficiency so that, by the end of class, little or no instruction is needed to complete simple to more complex configurations.
This course is intended for SecOps personnel responsible for the deployment, tuning, and day-to-day maintenance of F5 Adv. WAF. Participants will obtain a functional level of expertise with F5 Advanced WAF, including comprehensive security policy and profile configuration, client assessment, and appropriate mitigation types. Experience with LTM and prior WAF knowledge are not required.

Chapter 1: Introducing the BIG-IP System

Initially Setting Up the BIG-IP System

Archiving the BIG-IP Configuration

Leveraging F5 Support Resources and Tools

Chapter 2: Traffic Processing with BIG-IP

Identifying BIG-IP Traffic Processing Objects

Understanding Profiles

Overview of Local Traffic Policies

Visualizing the HTTP Request Flow

Chapter 3: Overview of Web Application Processing

Web Application Firewall: Layer 7 Protection

Layer 7 Security Checks

Overview of Web Communication Elements

Overview of the HTTP Request Structure

Examining HTTP Responses

How F5 Advanced WAF Parses File Types, URLs, and Parameters

Using the Fiddler HTTP Proxy

Chapter 4: Overview of Web Application Vulnerabilities

A Taxonomy of Attacks: The Threat Landscape

Common Exploits Against Web Applications

Chapter 5: Security Policy Deployments: Concepts and Terminology

Defining Learning

Comparing Positive and Negative Security Models

The Deployment Workflow

Assigning Policy to Virtual Server

Deployment Workflow: Using Advanced Settings

Configure Server Technologies

Defining Attack Signatures

Viewing Requests

Security Checks Offered by Rapid Deployment

Chapter 6: Policy Tuning and Violations

Post-Deployment Traffic Processing

How Violations are Categorized

Violation Rating: A Threat Scale

Defining Staging and Enforcement

Defining Enforcement Mode

Defining the Enforcement Readiness Period

Reviewing the Definition of Learning

Defining Learning Suggestions

Choosing Automatic or Manual Learning

Defining the Learn, Alarm and Block Settings

Interpreting the Enforcement Readiness Summary

Configuring the Blocking Response Page

Chapter 7: Using Attack Signatures and Threat Campaigns

Defining Attack Signatures

Attack Signature Basics

Creating User-Defined Attack Signatures

Defining Simple and Advanced Edit Modes

Defining Attack Signature Sets

Defining Attack Signature Pools

Understanding Attack Signatures and Staging

Updating Attack Signatures

Defining Threat Campaigns

Deploying Threat Campaigns

Chapter 8: Positive Security Policy Building

Defining and Learning Security Policy Components

Defining the Wildcard

Defining the Entity Lifecycle

Choosing the Learning Scheme

How to Learn: Never (Wildcard Only)

How to Learn: Always

How to Learn: Selective

Reviewing the Enforcement Readiness Period: Entities

Viewing Learning Suggestions and Staging Status

Defining the Learning Score

Defining Trusted and Untrusted IP Addresses

How to Learn: Compact

Chapter 9: Securing Cookies and other Header Topics

The Purpose of F5 Advanced WAF Cookies

Defining Allowed and Enforced Cookies

Securing HTTP headers

Chapter 10: Visual Reporting and Logging

Viewing Application Security Summary Data

Reporting: Build Your Own View

Reporting: Chart based on filters

Brute Force and Web Scraping Statistics

Viewing Resource Reports

PCI Compliance: PCI-DSS 3.0

Analyzing Requests

Local Logging Facilities and Destinations

Viewing Logs in the Configuration Utility

Defining the Logging Profile

Configuring Response Logging

Chapter 11: Lab Project 1 Chapter 12: Advanced Parameter Handling

Defining Parameter Types

Defining Static Parameters

Defining Dynamic Parameters

Defining Parameter Levels

Other Parameter Considerations

Chapter 13: Automatic Policy Building

Defining Templates Which Automate Learning

Defining Policy Loosening

Defining Policy Tightening

Defining Learning Speed: Traffic Sampling

Defining Track Site Changes

Chapter 14: Integrating with Web Application Vulnerability Scanners

Integrating Scanner Output

Importing Vulnerabilities

Resolving Vulnerabilities

Using the Generic XML Scanner XSD file

Chapter 15: Deploying Layered Policies

Defining a Parent Policy

Defining Inheritance

Parent Policy Deployment Use Cases

Chapter 16: Login Enforcement and Brute Force Mitigation

Defining Login Pages for Flow Control

Configuring Automatic Detection of Login Pages

Defining Brute Force Attacks

Brute Force Protection Configuration

Source-Based Brute Force Mitigations

Defining Credential Stuffing

Mitigating Credential Stuffing

Chapter 17: Reconnaissance with Session Tracking

Defining Session Tracking

Configuring Actions Upon Violation Detection

Chapter 18: Layer 7 Denial of Service Mitigation

Defining Denial of Service Attacks

Defining the DoS Protection Profile

Overview of TPS-based DoS Protection

Creating a DoS Logging Profile

Applying TPS Mitigations

Defining Behavioral and Stress-Based Detection

Chapter 19: Advanced Bot Defense

Classifying Clients with the Bot Defense Profile

Defining Bot Signatures

Defining F5 Fingerprinting

Defining Bot Defense Profile Templates

Defining Microservices protection

Chapter 20: Final Projects