F5 is announcing the End of Sale (EoS) for BIG-IP ASM, effective April 1, 2021.
Advanced WAF (AWAF), which enables customers to benefit from an expanded feature set, replaces the BIG-IP ASM.
F5® has quietly grown into the leader of web application firewalls with their Application Security Manager™ (ASM®) module and their Advanced Web Application Firewall (AWAF). AWAF extends F5’s WAF with new features to combat fraudulent credential stuffing & bot mitigation, along with a whole slew of other new features. While the other “top dogs” were sleeping, F5 was diligently pouring resources into a more intelligent, easier to use, and feature-rich WAF.
However, as is the case with all innovation in technology, there is some confusion around new names and concepts. A lot of you out there are asking what is the difference between ASM and AWAF? I hope to add some clarity in this article and define the exact differences between F5’s base WAF a.k.a. ASM, and the Advanced WAF a.k.a. AWAF.
Note, both the ASM and AWAF come with some limited Local Traffic Manager™ (LTM®) functionality necessary for them to do their job – let’s set the stage by covering those first.
Differences Between the LTM, ASM, and AWAF (Advanced WAF) – Application Delivery Features
It’s important to understand that AWAF includes all the features of the base ASM in addition to more powerful functionality. You can buy AWAF or ASM individually, and if you already own ASM you can add AWAF to it – i.e. ASM + AWAF. Either way, I would always recommend buying WAF with LTM – as you lose some very important functionality around traffic delivery if you purchase F5’s ASM or AWAF solo – the feature comparison of LTM vs. AWAF vs. ASM is found below and outlines the functionality you’ll lose without LTM. Some of the more notable functionalities you’ll lose without LTM are support for UDP (think DNS) and more advanced load balancing methods and monitors. Essentially if you’re looking to use your BIG-IPs for anything more than just a WAF and web traffic, you really need to have LTM.
Features & Feature objects | Standalone Advanced WAF | Standalone BIG-IP ASM | With BIG-IP LTM module |
---|---|---|---|
Profiles | |||
Client LDAP | ✔ | ✔ | ✔ |
DHCPv4 | ✔ | ✔ | ✔ |
DHCPv6 | ✔ | ✔ | ✔ |
Diameter | ✔ | ✔ | ✔ |
DNS | ✔ | ✔ | ✔ |
FIX | ✔ | ✔ | ✔ |
FTP | ✔ | ✔ | ✔ |
GTP | ✔ | ✔ | ✔ |
HTTP/2 | ✔ | ✔ | ✔ |
HTTP Compression | ✔ | ✔ | ✔ |
ICAP1 | ✔ | ✔ | ✔ |
IPsecALG | ✔ | ✔ | |
iSession | ✔ | ✔ | ✔ |
Netflow | ✔ | ✔ | ✔ |
PPTP | ✔ | ✔ | ✔ |
Radius | ✔ | ✔ | ✔ |
Radius Adapt | ✔ | ✔ | ✔ |
Request Adapt | ✔ | ✔ | ✔ |
Response Adapt | ✔ | ✔ | ✔ |
Rewrite | ✔ | ✔ | ✔ |
RTSP | ✔ | ||
Server LDAP | ✔ | ✔ | ✔ |
SIP | ✔ | ||
SMTP | ✔ | ✔ | ✔ |
SMTPS | ✔ | ✔ | ✔ |
Socks | ✔ | ✔ | ✔ |
Web Acceleration | ✔ | ✔ | ✔ |
Websocket | ✔ | ✔ | ✔ |
XML | ✔ | ✔ | ✔ |
Protocol profiles | |||
Any IP | ✔ | ✔ | ✔ |
FastHTTP | ✔ | ✔ | ✔ |
FastL4 | ✔ | ✔ | ✔ |
SCTP | ✔ | ||
TCP | ✔ | ✔ | ✔ |
UDP | ✔ | ||
Health monitors | |||
Diameter | ✔ | ||
DNS | ✔ | ||
External | ✔ | ||
FirePass | ✔ | ✔ | ✔ |
FTP | ✔ | ✔ | ✔ |
Gateway | ✔ | ✔ | ✔ |
HTTP | ✔ | ✔ | ✔ |
HTTPS | ✔ | ✔ | ✔ |
ICMP | ✔ | ✔ | ✔ |
IMAP | ✔ | ||
Inband | ✔ | ||
LDAP | ✔ | ||
Module Score | ✔ | ||
MSSQL | ✔ | ||
MQTT | ✔ | ||
MySQL | ✔ | ||
NNTP | ✔ | ||
POP3 | ✔ | ||
Oracle | ✔ | ||
PostgreSQL | ✔ | ||
Radius | ✔ | ||
Radius Account | ✔ | ||
Real Server | ✔ | ||
RPC | ✔ | ||
SASP | ✔ | ||
Scripted | ✔ | ||
SIP | ✔ | ||
SMB | ✔ | ||
SMTP | ✔ | ||
SNMP DCA | ✔ | ||
SNMP DCA Base | ✔ | ||
SOAP | ✔ | ✔ | ✔ |
TCP | ✔ | ✔ | ✔ |
TCP Echo | ✔ | ✔ | ✔ |
UDP | ✔ | ✔ | ✔ |
Virtual Location | ✔ | ||
WAP | ✔ | ||
WMI | ✔ | ||
Load balancing methods | |||
Dynamic Ration (member) | ✔ | ||
Dynamic Ration (node) | ✔ | ||
Fastest (application) | ✔ | ||
Fastest (node) | ✔ | ||
Least Connections (member) | ✔ | ✔ | |
Least Connections (node) | ✔ | ✔ | |
Least Sessions | ✔ | ||
Observed (member) | ✔ | ||
Observed (node) | ✔ | ||
Predictive (member) | ✔ | ||
Predictive (node) | ✔ | ||
Ratio (member) | ✔ | ✔ | ✔ |
Ratio (node) | ✔ | ✔ | ✔ |
Ratio (session) | ✔ | ||
Ratio Least Connections (member) | ✔ | ✔ | |
Ratio Least Connections (node) | ✔ | ✔ | |
Round Robin | ✔ | ✔ | ✔ |
Weighted Least Connections (member) | ✔ | ✔ | |
Weighted Least Connections (node) | ✔ | ✔ | |
Pool members | |||
Max pool members | Unlimited | 3 | Unlimited |
Profiles persistence | |||
Cookie | ✔ | ✔ | |
Destination | ✔ | ✔ | |
Host | ✔ | ✔ | |
Source Address | ✔ | ✔ | |
Hash | ✔ | ||
MSRDP | ✔ | ||
SIP | ✔ | ||
SSL | ✔ | ||
Universal | ✔ | ||
Profiles SSL | |||
Client SSL | ✔ | ✔ | ✔ |
Server SSL | ✔ | ✔ | ✔ |
iRules event types | |||
HTTP_REQUEST Event | ✔ | ✔ | ✔2 |
1 The ICAP feature for LTM and Advanced WAF/ASM is functioned differently and licensed independently. License for LTM module is required to enable LTM ICAP feature on a standalone Advanced WAF/ASM system. For information about LTM ICAP, refer to K15819: Overview of the internal virtual server. For information about ASM ICAP, refer to K70941653: Configuring BIG-IP ASM antivirus protection.
2 For a complete list of BIG-IP LTM available iRules event types, refer to the Master List of iRule Events page on F5 Cloud Docs.
Feature Differences Between ASM & AWAF –
a.k.a. F5’s WAF vs. AWAF
Advance WAF has a number of features that make it “Advanced” vs. the traditional ASM. Remember, the features included in standalone ASM, add-on ASM, and ASM from the “Best” bundle are the same and also come with AWAF.
What’s included in AWAF:
- Base ADC – All the application delivery capabilities found in BIG-IP LTM, including as SSL offload and, of course, load balancing.
- L7 DDos – DDoS mitigation capabilities at the application layer; prevention of both client-side and server-side attacks and protecting access to essential web app features.
- BIG-IP ASM – All the features of the base WAF aka ASM module.
- Attack Signatures – Updates and protection from web exploits and application vulnerabilities (CVEs).
- Anti-Bot Defense – Proactive Bot Defense including Client Fingerprinting; preventing session hijacking, web scraping, brute force login attempts, and other bot attacks.
- ** Ability to purchase Anti-Bot Mobile™ SDK – Easily extend Anti-Bot Security to any mobile app. Appdome makes it super easy to integrate a slew of features with any mobile app including:
- Mobile bot protection
- Device identification
- Behavioral analysis
- Jailbroken – rooted detection
- Emulator detection
- Data Safe – Allows you to encrypt data entered into a webform, so if a computer is already infected with malware, the stolen password(s) will be unreadable.
- Behavioral DoS Unlimited/ BaDoS – Contrary to legacy DoS & DDoS (which is usually layer 2 and layer 3 based) AWAF BDoS & DoS is Web Transaction Per Second based around Layer 7 – think URLs, device-IDs, etc… anything detectable in layer 7. It can detect botnet attacks, parameters, URI lengths, content-types, anything in HTTP headers. The moral of the story here is that it has WAY more data than the current layer 2 & 3 detection methods commonly based around IP addresses.
- Note: You can still use BDoS with ASM without AWAF, but ASM limits BDoS to two Virtual Servers / VIPs.
- Credential Stuffing DB – Protect against hackers using password lists stolen from big password breaches.
- Note: This is early access starting in version 13.1x ASM, but it’s not ready for production unless you purchase AWAF + Threat Campaigns – which will give you real time updates to the Cred stuffing database. Otherwise you’ll be depending on a stale database and that’s no bueno 😉
- Upstream Signaling – An on-premise Advanced WAF solution hybrid with F5 Silverline. Available within a subscription model.
- ** Ability to purchase Threat Campaign Subscriptions – Threat campaigns allow you to do more with less resources. F5’s Security Research Team (SRT) discovers attacks with honeypots – performs their analysis and creates attack signatures you can use with your security policies. There’s a very low possibility for false positives as the signatures have been developed by SRT directly.
- OWASP Compliance Dashboard – This dashboard displays a list of your WAF policies and their related OWASP Top 10 compliance scores. It gives you a nice visual representation of each policy and to what extent it covers the OWASP top 10 web risks. What’s really nice is it also tells you the remediation changes you need to make to meet those OWASP compliance standards.
- Guided Config – Walk through complex configurations for OWASP top 10, API Protection, BDoS/DOS – and more on the horizon!
Additionally, there are some built-in features you get by using Appdome’s fusion like anti-reversing, obfuscation, tamper protection, checksum validation, and app integrity scans.
Summary
I hope this article gave you a clear view of what is included in AWAF today vs. ASM or LTM. As you can see, there are some key differences between the base ASM and the more fully-featured AWAF, which makes AWAF a must-have if your enterprise is serious about security.
The cost savings from the unlimited BDoS/DOS features alone can justify an upgrade to AWAF. I’ve seen organizations cut their bandwidth by more than 50% by turning on BDoS for their external facing VIPs. This has a waterfall effect of savings – from bandwidth usage, data costs associated with metered services like Splunk, longer shelf life on software that is usage-based and smaller footprints for hardware.
Questions? Comments? Have some feedback or Web Security war stories? Post them below!
Esteban says
Have worked with F5 platforms for many years and am happy to hear of ongoing successful product advancements and people from F5. Thanks for this research information sharing.