Evolution of WAF Stop Worrying About Vulnerabilities

Upload: brian-a-mchenry

Post on 07-Jan-2017


Page 1: Evolution of WAF - Stop Worrying About Vulnerabilities

Evolution of WAF

Stop Worrying About Vulnerabilities

Page 2:

Who is this guy?

• Brian A. McHenry, Sr. Security Solutions Architect, F5 Networks
• 9 years at F5, focused on application security solutions
• Regular contributor on DevCentral.f5.com & InformationSecurityBuzz.com
• Follow me on Twitter @bamchenry

Page 3:

In the Beginning…

• There were Application Layer Gateways (ALG)

Samples anyone?

Page 4:

Then There Was IPS

Page 5:

And NGFW

Page 6:

Change the Way We Deploy WAF

Traditional WAF
• Signatures (OWASP Top 10)
• DAST Integration
• Site Learning
• File/URL/Parameter/Header/Cookie Enforcement
• Protocol Enforcement
• Login Enforcement / Session Tracking
• Data Leak Prevention
• Flow Enforcement

Advanced WAF
• Bot Detection
• Web Scraping Prevention
• Brute Force Mitigation
• L7 DDoS Protection
• Heavy URL Detection & Protection
• Captcha Challenges
• CSRF Token Injection
• Client Fingerprinting

Page 7:

Why Is Bot Detection So Valuable?

Typical Web Traffic (chart: Humans / Good Bots / Bad Bots; source: https://www.incapsula.com/blog/bot-traffic-report-2015.html)

• Roughly 50% of traffic is human
• About 20% is good bots
• Remaining 30% is malicious bots

How do we differentiate?
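The slide leaves the question open. As an added example (not from the presentation or from F5), the Python below sorts the clients in a set of constructed web-server log lines into the three buckets from the chart, using the kinds of signals an advanced WAF's bot detection combines: a well-known crawler user agent, request rate, repeated login failures, and an empty or non-browser user agent. The log lines, IP addresses, thresholds and the known-crawler token list are all constructed for illustration; a production deployment would also verify self-declared crawlers (for example by reverse DNS) rather than trusting the user-agent string.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Combined Log Format with user agent, e.g.
# 203.0.113.10 - - [10/Oct/2016:13:55:00 +0000] "GET /page0 HTTP/1.1" 200 512 "-" "Mozilla/5.0 ..."
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumption: user-agent tokens of crawlers we treat as "good bots" for this demo.
KNOWN_GOOD_BOT_TOKENS = ("Googlebot", "bingbot")


def make_line(ip, ts, method, path, status, ua):
    """Build one constructed log line (sample data, not captured traffic)."""
    return (f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')


def build_sample_log():
    """Four constructed clients: a browser user, a crawler, a credential
    brute-forcer, and a client sending no user agent at all."""
    t0 = datetime(2016, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    lines = []
    browser = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/54.0 Safari/537.36"
    for i in range(5):  # 5 page views spread over 48 seconds
        lines.append(make_line("203.0.113.10", t0 + timedelta(seconds=12 * i), "GET", f"/page{i}", 200, browser))
    crawler = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    for i in range(3):  # 3 slow fetches from a self-declared crawler
        lines.append(make_line("198.51.100.7", t0 + timedelta(seconds=20 * i), "GET", f"/article/{i}", 200, crawler))
    for i in range(40):  # 40 failed logins in about 20 seconds from a script
        lines.append(make_line("192.0.2.99", t0 + timedelta(milliseconds=500 * i), "POST", "/login", 401, "python-requests/2.18.4"))
    lines.append(make_line("192.0.2.5", t0, "GET", "/", 200, ""))  # empty user agent
    return "\n".join(lines)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
        rec["status"] = int(rec["status"])
        records.append(rec)
    return records


def classify_clients(records, rate_per_minute=30, login_failures=5):
    """Label each client IP as 'human', 'good-bot' or 'bad-bot'.
    Thresholds are assumptions chosen for the constructed sample."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    verdicts = {}
    for ip, reqs in by_ip.items():
        uas = {r["ua"] for r in reqs}
        span = (max(r["ts"] for r in reqs) - min(r["ts"] for r in reqs)).total_seconds()
        rate = len(reqs) * 60.0 / max(span, 1.0)  # requests per minute over the observed window
        failed_logins = sum(1 for r in reqs if r["path"] == "/login" and r["status"] == 401)
        looks_like_browser = any(ua.startswith("Mozilla/") for ua in uas)
        if any(tok in ua for ua in uas for tok in KNOWN_GOOD_BOT_TOKENS):
            verdicts[ip] = "good-bot"  # self-declared crawler; verify out of band in production
        elif "" in uas or not looks_like_browser or rate > rate_per_minute or failed_logins >= login_failures:
            verdicts[ip] = "bad-bot"
        else:
            verdicts[ip] = "human"
    return verdicts


def traffic_share(records, verdicts):
    """Count requests per label, the per-request view the slide's chart uses."""
    return dict(Counter(verdicts[r["ip"]] for r in records))


if __name__ == "__main__":
    recs = parse_log(build_sample_log())
    labels = classify_clients(recs)
    for ip, label in sorted(labels.items()):
        print(f"{ip:15} {label}")
    print(traffic_share(recs, labels))
```

Each signal on its own is weak (a user agent is trivially spoofable, and a busy human can exceed a naive rate threshold), which is why the slide's "client fingerprinting" and "captcha challenges" exist: they add evidence the client cannot supply simply by editing a header.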

Page 8:

Deep Thoughts

• Eliminating 30% of web traffic has serious impact
  – Capacity and performance improvements are measurable
  – Budget is always more available than for a security project

• Bot detection requires less per-application customization
  – Increases operational scale for application security

• Reduces threat model by eliminating most opportunistic attackers
  – Focus other defenses on vectors for directed attackers

Page 9:

Thank you!

@bamchenry