F5 bulks up Web application firewall

A year ago the payment card industry began demanding that online merchants increase protection for Web sites that process credit cards, making the demand for Web application firewalls soar.

That’s one of the reasons F5 Networks has boosted the capabilities of its BIG-IP Application Security Manager. The company has just released version 10 of the software, which now includes protection from denial of service and brute force attacks. “Version 10 provides a lot of unification of services,” said Dorothy Pultz, F5’s director of product marketing.

It follows the release of v. 10 of the company’s Local Traffic Manager, an application delivery controller. The ASM runs either as a software module on the LTM or as a standalone on one of F5’s BIG-IP application switches. The Application Security Manager analyzes traffic normally not blocked by corporate firewalls on ports 80 and 443.

The latest version protects against Layer 7 denial of service attacks by setting server latency and transactions-per-second limits through a tab on the software’s menu. If those limits are exceeded, defensive policies, such as limiting an offending client, kick in.

Similarly, there are two ways to meet brute force attacks. For session-based protection, network administrators can limit the number of logon attempts from the same client, then automatically re-enable the logon after a set number of seconds. For what F5 calls dynamic protection, automated action can be triggered after failed logins increase by a set percentage or by a set number per second.
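The two brute force modes described above can be sketched as follows. This is an added illustration, not F5 code or ASM configuration; the class names, thresholds, the baseline-rate parameter and the sample logon events are all assumptions made for the example.

```python
from collections import defaultdict, deque

class SessionLockout:
    """Session-based mode: cap failed logons per client, then re-enable."""
    def __init__(self, max_attempts=3, reenable_after=60):
        self.max_attempts, self.reenable_after = max_attempts, reenable_after
        self.failures = defaultdict(int)
        self.locked_until = {}

    def allowed(self, client, now):
        until = self.locked_until.get(client)
        if until is not None and now < until:
            return False
        if until is not None:            # lockout expired: re-enable the logon
            del self.locked_until[client]
            self.failures[client] = 0
        return True

    def record_failure(self, client, now):
        self.failures[client] += 1
        if self.failures[client] >= self.max_attempts:
            self.locked_until[client] = now + self.reenable_after

class DynamicDetector:
    """Dynamic mode: watch the site-wide failed-login rate, not one client."""
    def __init__(self, baseline_rate, pct_increase=400, max_rate=5.0, window=10):
        # Trip on whichever limit is hit first: percentage rise or absolute rate.
        self.threshold = min(max_rate, baseline_rate * (1 + pct_increase / 100))
        self.window, self.events = window, deque()

    def record_failure(self, now):
        self.events.append(now)
        while self.events[0] <= now - self.window:   # drop stale failures
            self.events.popleft()
        return len(self.events) / self.window >= self.threshold

def replay(events, lockout, detector):
    """Feed (time, client, success) logon events; return (refused, alarm_time)."""
    refused, alarm = [], None
    for now, client, ok in events:
        if not lockout.allowed(client, now):
            refused.append((now, client))
            continue
        if not ok:
            lockout.record_failure(client, now)
            if detector.record_failure(now) and alarm is None:
                alarm = now
    return refused, alarm

# Constructed sample: one client guessing, then a burst spread over 12 clients.
SAMPLE = ([(t, "10.0.0.5", False) for t in range(5)] + [(70, "10.0.0.5", True)]
          + [(100 + i // 4, f"10.0.1.{i}", False) for i in range(12)])
```

On the constructed sample, the per-client limit refuses the single guessing client but never sees the distributed burst, which only the site-wide rate check catches.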

To help administrators, the ASM includes a large number of policy templates for common applications from Microsoft, Oracle and others.

Also new is protection against cross-site scripting and SQL injection attacks. As before, the ASM defends against parameter tampering, session hijacking, buffer overflows, cookie manipulation, various encoding attacks, forceful browsing and XML bombs.

F5 faces a lot of competition in this market from manufacturers that add security to application delivery controllers such as Cisco Systems, Citrix, Radware and Foundry Networks, to standalone startups such as Breach Security and Imperva.

Jon Oltsik, a senior analyst at the Enterprise Strategy Group in Milford, Mass., noted F5’s approach continues a trend toward integrating security and application acceleration on the same platform. Until recently they’ve been separate, he said, meaning it could take four or more devices to accomplish these tasks. By consolidating appliances, IT managers save on power, space and training.

According to John Pescatore, vice-president of Internet research at Gartner, a number of studies have shown that the best defence against Web site attacks is to make sure online code has no mistakes. Unfortunately, he said, a number of studies have shown that the most common strategy Web site attackers use is to exploit well-known vulnerabilities. With organizations seemingly unable to avoid such vulnerabilities, that puts a premium on Web application firewalls as a second line of defence.

The biggest problem he sees today is the inability of Web firewalls to distinguish between humans coming to a Web site and automated attacks by bots. The ASM has some ability through scripts to detect denial of service attacks, he said, but it isn’t as finely controlled as he’d like.

The ASM v. 10 runs on F5’s BIG-IP 3600 and up application switches, including, for the first time, the high-end Viprion hardware used by content and service providers. However, the denial of service and brute force capabilities aren’t available on Viprion.

Pricing depends on the module running on the appliance. For example, a BIG-IP 3600 (which has a 2Gbps throughput, a dual core CPU, 4 GB of memory, eight Gigabit Ethernet ports and software compression) with only the ASM costs US$23,995. If the Local Traffic Manager is added, the cost is US$46,990. The BIG-IP 6900 (which has 6Gbps throughput, two dual core CPUs, 8GB of memory, 16 GigE ports and hardware compression) with the ASM costs US$49,995. With the LTM added it costs US$71,990.


Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
