F5 Networks Configuring BIG-IP Advanced WAF: Web Application Firewall

In this 4 day course, students are provided with a functional understanding of how to deploy, tune, and operate F5 Advanced Web Application Firewall to protect their web applications from HTTP-based attacks. The course includes lectures, hands-on labs, and discussion about different F5 Advanced Web Application Firewall tools for detecting and mitigating threats from multiple attack vectors such as web scraping, Layer 7 Denial of Service, brute force, bots, code injection, and zero-day exploits.

Course Objectives

• Describe the role of the BIG-IP system as a full proxy device in an application delivery network
• Provision the F5 Advanced Web Application Firewall
• Define a web application firewall
• Describe how F5 Advanced Web Application Firewall protects a web application by securing file types, URLs, and parameters
• Deploy F5 Advanced Web Application Firewall using the Rapid Deployment template (and other templates) and define the security checks included in each
• Define learn, alarm, and block settings as they pertain to configuring F5 Advanced Web Application Firewall
• Define attack signatures and explain why attack signature staging is important
• Deploy Threat Campaigns to secure against CVE threats
• Contrast positive and negative security policy implementation and explain the benefits of each
• Configure security processing at the parameter level of a web application
• Deploy F5 Advanced Web Application Firewall using the Automatic Policy Builder
• Tune a policy manually or allow automatic policy building
• Integrate third-party application vulnerability scanner output into a security policy
• Configure login enforcement for flow control
• Mitigate credential stuffing
• Configure protection against brute force attacks
• Deploy Advanced Bot Defense against web scrapers, all known bots, and other automated agents
• Deploy DataSafe to secure client-side data

Course Topics

• Resource provisioning for F5 Advanced Web Application Firewall
• Traffic processing with BIG-IP Local Traffic Manager (LTM)
• Web application concepts
• Mitigating the OWASP Top 10 and other vulnerabilities
• Security policy deployment
• Security policy tuning
• Deploying Attack Signatures and Threat Campaigns
• Positive security building
• Securing cookies and other headers
• Reporting and logging
• Advanced parameter handling
• Using Automatic Policy Builder
• Integrating with web vulnerability scanners
• Login enforcement for flow control
• Brute force and credential stuffing mitigation
• Session tracking for client reconnaissance
• Using Parent and Child policies
• Layer 7 DoS protection
  • Transaction Per Second-based DoS protection
  • Layer 7 Behavioral DoS Protection
• Configuring Advanced Bot Defense
  • Web Scraping and other Microservice Protection
  • Working with Bot Signatures
• Using DataSafe to Secure the client side of the Document Object Model

Lesson 1 : Setting Up the BIG-IP System

• Introducing the BIG-IP System 
• Initially Setting Up the BIG-IP System 
• Archiving the BIG-IP System Configuration 
• Leveraging F5 Support Resources and Tools

Lesson 2 : Traffic Processing with BIG-IP

• Identifying BIG-IP Traffic Processing Objects 
• Overview of Network Packet Flow 
• Understanding Profiles 
• Overview of Local Traffic Policies 
• Visualizing the HTTP Request Flow

Lesson 3 : Web Application Concepts

• Overview of Web Application Request Processing 
• Web Application Firewall: Layer 7 Protection 
• F5 Advanced WAF Layer 7 Security Checks 
• Overview of Web Communication Elements 
• Overview of the HTTP Request Structure 
• Examining HTTP Responses 
• How F5 Advanced WAF Parses File Types, URLs, and Parameters 
• Using the Fiddler HTTP Proxy

Lesson 4 : Common Web Application Vulnerabilities

• A Taxonomy of Attacks: The Threat Landscape 
• What Elements of Application Delivery are Targeted? 
• Common Exploits Against Web Applications

Lesson 5 : Security Policy Deployment

• Defining Learning 
• Comparing Positive and Negative Security Models 
• The Deployment Workflow 
• Policy Type: How Will the Policy Be Applied 
• Policy Template: Determines the Level of Protection 
• Policy Templates: Automatic or Manual Policy Building 
• Assigning Policy to Virtual Server 
• Deployment Workflow: Using Advanced Settings 
• Selecting the Enforcement Mode 
• The Importance of Application Language 
• Configure Server Technologies 
• Verify Attack Signature Staging 
• Viewing Requests 
• Security Checks Offered by Rapid Deployment 
• Defining Attack Signatures 
• Using Data Guard to Check Responses

Lesson 6 : Policy Tuning and Violations

• Post-Deployment Traffic Processing 
• Defining Violations 
• Defining False Positives 
• How Violations are Categorized 
• Violation Rating: A Threat Scale 
• Defining Staging and Enforcement 
• Defining Enforcement Mode 
• Defining the Enforcement Readiness Period 
• Reviewing the Definition of Learning 
• Defining Learning Suggestions 
• Choosing Automatic or Manual Learning 
• Defining the Learn, Alarm and Block Settings 
• Interpreting the Enforcement Readiness Summary 
• Configuring the Blocking Response Page

Lesson 7 : Attack Signatures

• Defining Attack Signatures 
• Attack Signature Basics 
• Creating User-Defined Attack Signatures 
• Defining Simple and Advanced Edit Modes 
• Defining Attack Signature Sets 
• Defining Attack Signature Pools 
• Understanding Attack Signatures and Staging 
• Updating Attack Signatures

Lesson 8 : Positive Security Policy Building

• Defining and Learning Security Policy Components 
• Defining the Wildcard 
• Defining the Entity Lifecycle 
• Choosing the Learning Scheme 
• How to Learn: Never (Wildcard Only) 
• How to Learn: Always 
• How to Learn: Selective 
• Reviewing the Enforcement Readiness Period: Entities 
• Viewing Learning Suggestions and Staging Status 
• Violations Without Learning Suggestions 
• Defining the Learning Score 
• Defining Trusted and Untrusted IP Addresses 
• How to Learn: Compact

Lesson 9 : Cookies and Other Headers

• F5 Advanced WAF Cookies: What to Enforce 
• Defining Allowed and Enforced Cookies 
• Configuring Security Processing on HTTP headers

Lesson 10 : Reporting and Logging

• Overview: Big Picture Data 
• Reporting: Build Your Own View 
• Reporting: Chart based on filters 
• Brute Force and Web Scraping Statistics 
• Viewing F5 Advanced WAF Resource Reports 
• PCI Compliance: PCI-DSS 3.0 
• The Attack Expert System 
• Viewing Traffic Learning Graphs 
• Local Logging Facilities and Destinations 
• How to Enable Local Logging of Security Events 
• Viewing Logs in the Configuration Utility 
• Exporting Requests 
• Logging Profiles: Build What You Need 
• Configuring Response Logging

Lesson 11 : Lab Project 1

Lesson 12 : Advanced Parameter Handling

• Defining Parameter Types 
• Defining Static Parameters 
• Defining Dynamic Parameters 
• Defining Dynamic Parameter Extraction Properties 
• Defining Parameter Levels 
• Other Parameter Considerations

Lesson 13 : Policy Diff and Administration

• Comparing Security Policies with Policy Diff 
• Merging Security Policies 
• Restoring with Policy History 
• Examples of F5 Advanced WAF Deployment Types 
• ConfigSync and F5 Advanced WAF Security Data 
• ASMQKVIEW: Provide to F5 Support for Troubleshooting

Lesson 14 : Automatic Policy Building

• Overview of Automatic Policy Building 
• Defining Templates Which Automate Learning 
• Defining Policy Loosening 
• Defining Policy Tightening 
• Defining Learning Speed: Traffic Sampling 
• Defining Track Site Changes

Lesson 15 : Web Application Vulnerability Scanner Integration

• Integrating Scanner Output into F5 Advanced WAF 
• Will Scan be Used for a New or Existing Policy? 
• Importing Vulnerabilities 
• Resolving Vulnerabilities 
• Using the Generic XML Scanner XSD file

Lesson 16 : Layered Policies

• Defining a Parent Policy 
• Defining Inheritance 
• Parent Policy Deployment Use Cases

Lesson 17 : Login Enforcement, Brute Force Mitigation, and Session Tracking

• Defining Login Pages 
• Configuring Automatic Detection of Login Pages 
• Defining Session Tracking 
• What Are Brute Force Attacks? 
• Brute Force Protection Configuration 
• Defining Source-Based Protection 
• Source-Based Brute Force Mitigations 
• Defining Session Tracking 
• Configuring Actions Upon Violation Detection 
• Session Hijacking Mitigation Using Device ID

Lesson 18 : Web Scraping Mitigation and Geolocation Enforcement

• Defining Web Scraping 
• Mitigating Web Scraping 
• Defining Geolocation Enforcement 
• Configuring IP Address Exceptions

Lesson 19 : Layer 7 DoS Mitigation and Advanced Bot Protection

• Defining Denial of Service Attacks 
• The General Flow of DoS Protection 
• Defining the DoS Profile 
• Overview of TPS-based DoS Protection 
• Applying TPS mitigations 
• Create a DoS Logging Profile 
• Defining DoS Profile General Settings 
• Defining Bot Signatures 
• Defining Proactive Bot Defense 
• Defining Behavioral and Stress-Based Detection 
• Defining Behavioral DoS Mitigation

Lesson 20 : F5 Advanced WAF and iRules

• Common Uses for iRules 
• Identifying iRule Components 
• Triggering iRules with Events 
• Defining F5 Advanced WAF iRule Events 
• Defining F5 Advanced WAF iRule Commands 
• Using F5 Advanced WAF iRule Event Modes

Lesson 21 : Using Content Profiles

• Defining Asynchronous JavaScript and XML 
• Defining JavaScript Object Notation (JSON) 
• Defining Content Profiles 
• The Order of Operations for URL Classification

Lesson 22 : Review and Final Labs

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Administering BIG-IP; basic familiarity with HTTP, HTML and XML; basic web application and security concepts.

This course is intended for security and network administrators who will be responsible for the installation, deployment, tuning, and day-to-day maintenance of the F5 Advanced Web Application Firewall.