A year ago the payment card industry began demanding that online merchants increase protection for Web sites that process credit cards, making the demand for Web application firewalls soar.
That’s one of the reasons F5 Networks has boosted the capabilities of its BIG-IP Application Security Manager. The company has just released version 10 of the software, which now includes protection from denial of service and brute force attacks. “Version 10 provides a lot of unification of services,” said Dorothy Pultz, F5’s director of product marketing.
It follows the release of v. 10 of the company’s Local Traffic Manager, an application delivery controller. The ASM runs either as a software module on the LTM or as a standalone product on one of F5’s BIG-IP application switches. The Application Security Manager analyzes the HTTP and HTTPS traffic on ports 80 and 443 that corporate firewalls normally do not block.
The latest version protects against Layer 7 denial of service attacks by setting server latency and transactions-per-second limits through a tab on the software’s menu. If those limits are exceeded, defensive policies, such as rate-limiting the offending client, take effect.
Similarly, there are two ways to counter brute force attacks. For session-based protection, network administrators can limit the number of logon attempts from the same client, then automatically re-enable the logon after a set number of seconds. For what F5 calls dynamic protection, automated action can be triggered when failed logins rise by a set percentage or by a set number per second.
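The two brute-force modes described above, as an added illustration (not code from the article or from F5): a per-client lockout that re-enables itself after a timer, and a dynamic check on how failed logins per second change. Class and parameter names, thresholds and the sample timestamps are all assumptions.

```python
from collections import defaultdict

class BruteForceGuard:
    """Illustrative monitor for the article's two brute-force modes (hypothetical names and parameters, not F5's)."""
    def __init__(self, max_failures=5, lockout_seconds=60,
                 rate_increase_pct=100.0, max_failures_per_sec=20):
        self.max_failures = max_failures            # per-client failures before lockout
        self.lockout_seconds = lockout_seconds      # delay before automatic re-enable
        self.rate_increase_pct = rate_increase_pct  # second-over-second rise that alerts
        self.max_failures_per_sec = max_failures_per_sec
        self.failures = defaultdict(int)            # client -> consecutive failed logins
        self.locked_until = {}                      # client -> unlock timestamp
        self.cur_sec, self.cur_count, self.prev_count = None, 0, 0

    def is_locked(self, client, now):
        """Session-based mode: a locked client is re-enabled once its timer expires."""
        until = self.locked_until.get(client)
        if until is None:
            return False
        if now < until:
            return True
        del self.locked_until[client]               # automatic re-enable
        self.failures[client] = 0
        return False

    def record(self, client, success, now):
        """Feed one login attempt (now in seconds); return the alerts it raised."""
        if self.is_locked(client, now):
            return ["rejected-locked:%s" % client]
        if success:
            self.failures[client] = 0
            return []
        alerts = []
        self.failures[client] += 1
        if self.failures[client] >= self.max_failures:
            self.locked_until[client] = now + self.lockout_seconds
            alerts.append("lockout:%s" % client)
        # Dynamic mode: count failed logins from all clients per one-second window.
        sec = int(now)
        if sec != self.cur_sec:
            adjacent = self.cur_sec is not None and sec == self.cur_sec + 1
            self.prev_count = self.cur_count if adjacent else 0
            self.cur_sec, self.cur_count = sec, 0
        self.cur_count += 1
        if self.cur_count == self.max_failures_per_sec:
            alerts.append("rate-absolute:%d/s" % self.cur_count)
        need = self.prev_count * (100 + self.rate_increase_pct) / 100.0
        if self.prev_count and self.cur_count - 1 < need <= self.cur_count:
            alerts.append("rate-increase:%d->%d" % (self.prev_count, self.cur_count))
        return alerts
```

Each alert fires once per window or per lockout, so the output can be forwarded to a SIEM without flooding it.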
To help administrators the ASM includes a large number of policy templates for common applications from Microsoft, Oracle and others.
Also new is protection against cross-site scripting and SQL injection attacks. As before, the ASM defends against parameter tampering, session hijacking, buffer overflows, cookie manipulation, various encoding attacks, forceful browsing and XML bombs.
F5 faces a lot of competition in this market, ranging from manufacturers that add security to application delivery controllers, such as Cisco Systems, Citrix, Radware and Foundry Networks, to standalone startups such as Breach Security and Imperva.
Jon Oltsik, a senior analyst at the Enterprise Strategy Group in Milford, Mass., noted F5’s approach continues a trend toward integrating security and application acceleration on the same platform. Until recently they’ve been separate, he said, meaning it could take four or more devices to accomplish these tasks. By consolidating appliances, IT managers save on power, space and training.
According to John Pescatore, vice-president of Internet research at Gartner, a number of studies have shown that the best defence against Web site attacks is to make sure online code has no mistakes. Unfortunately, he said, a number of studies have shown that the most common strategy Web site attackers use is to exploit well-known vulnerabilities. With organizations seemingly unable to avoid such vulnerabilities, that puts a premium on Web application firewalls as a second line of defence.
The biggest problem he sees today is the inability of Web firewalls to distinguish between humans coming to a Web site and automated attacks by bots. The ASM has some ability through scripts to detect denial of service attacks, he said, but it isn’t as finely controlled as he’d like.
The ASM v. 10 runs on F5’s BIG-IP 3600 and higher application switches, including, for the first time, the high-end Viprion hardware used by content and service providers. However, the denial of service and brute force capabilities aren’t available on Viprion.
Pricing depends on the module running on the appliance. For example, a BIG-IP 3600 (which has a 2Gbps throughput, a dual core CPU, 4 GB of memory, eight Gigabit Ethernet ports and software compression) with only the ASM costs US$23,995. If the Local Traffic Manager is added, the cost is US$46,990. The BIG-IP 6900 (which has 6Gbps throughput, two dual core CPUs, 8GB of memory, 16 GigE ports and hardware compression) with the ASM costs US$49,995. With the LTM added it costs US$71,990.