F5® has quietly grown into the leader of web application firewalls with their Application Security Manager™ (ASM®) module and their Advanced Web Application Firewall (AWAF). AWAF extends F5’s WAF with new features to combat fraudulent credential stuffing & bot mitigation, along with a whole slew of other new features. While the other “top dogs” were sleeping, F5 was diligently pouring resources into a more intelligent, easier to use, and feature-rich WAF.
However, as is the case with all innovation in technology, there is some confusion around new names and concepts. A lot of you are asking: what is the difference between ASM and AWAF? I hope to add some clarity in this article and define the exact differences between F5’s base WAF, a.k.a. ASM, and the Advanced WAF, a.k.a. AWAF.
Note, both the ASM and AWAF come with some limited Local Traffic Manager™ (LTM®) functionality necessary for them to do their job – let’s set the stage by covering those first.
Differences Between the LTM, ASM, and AWAF (Advanced WAF) – Application Delivery Features
It’s important to understand that AWAF includes all the features of the base ASM in addition to more powerful functionality. You can buy AWAF or ASM individually, and if you already own ASM you can add AWAF to it – i.e. ASM + AWAF. Either way, I would always recommend buying WAF with LTM – as you lose some very important functionality around traffic delivery if you purchase F5’s ASM or AWAF solo – the feature comparison of LTM vs. AWAF vs. ASM is found below and outlines the functionality you’ll lose without LTM. Some of the more notable functionalities you’ll lose without LTM are support for UDP (think DNS) and more advanced load balancing methods and monitors. Essentially if you’re looking to use your BIG-IPs for anything more than just a WAF and web traffic, you really need to have LTM.
| Configuration Object | LTM (Local Traffic Manager License) | AWAF (Advanced Web Application Firewall License) | ASM (Application Security Manager License) |
|---|---|---|---|
| Service Profiles | HTTP, HTTP Compression, Web Acceleration, FTP, TFTP, DNS, RTSP, ICAP, Request Adapt, Response Adapt, Diameter, DHCPv4, DHCPv6, Radius, SIP, SMTPS, Client LDAP, Server LDAP, Session, Rewrite, XML, HTTP/2, SOCKS, FIX, GTP, Websocket, PPTP, IPsecALG, Netflow | HTTP, HTTP Compression, Web Acceleration, FTP, TFTP, DNS, ICAP, Request Adapt, Response Adapt, Diameter, DHCPv4, DHCPv6, Radius, SMTP, SMTPS, Client LDAP, Server LDAP, iSession, Rewrite, XML, HTTP/2, SOCKS, FIX, GTP, Websocket, PPTP, IPsecALG, Netflow | HTTP, HTTP Compression, Web Acceleration, FTP, TFTP, DNS, ICAP, Request Adapt, Response Adapt, Diameter, DHCPv4, DHCPv6, Radius, SMTP, SMTPS, Client LDAP, Server LDAP, iSession, Rewrite, XML, HTTP/2, SOCKS, FIX, GTP, Websocket, PPTP, Netflow |
| Persistence Profiles | Cookie, Destination Address, Hash, Host, MSRDP, SIP, Source Address, SSL, Universal | Cookie, Destination Address, Host, Source Address | None |
| Protocol Profiles | FastL4, FastHTTP, TCP, UDP, SCTP, Any IP | FastL4, FastHTTP, TCP, Any IP | FastL4, FastHTTP, TCP, Any IP |
| Authentication Profiles | Profiles, Configuration, CRLDP Servers, OCSP Responders | Profiles, Configuration | Profiles, Configuration |
| Pool members | Unlimited | Unlimited | Max 3 |
| Load Balancing Method | Round Robin, Ratio (member), Least Connections (member), Observed (member), Predictive (member), Ratio (node), Least Connections (node), Fastest (node), Observed (node), Predictive (node), Dynamic Ratio (node), Fastest (application), Least Sessions, Dynamic Ratio (member), Weighted Least Connections (member), Weighted Least Connections (node), Ratio (session), Ratio Least Connections (member), Ratio Least Connections (node) | Round Robin, Ratio (member), Least Connections (member), Ratio (node), Least Connections (node), Weighted Least Connections (member), Weighted Least Connections (node), Ratio Least Connections (member), Ratio Least Connections (node) | Round Robin, Ratio (member), Ratio (node) |
| Monitors | Diameter, DNS, External, FirePass, FTP, Gateway ICMP, HTTP, HTTPS, ICMP, IMAP, Inband, LDAP, Module Score, MSSQL, MQTT, MySQL, NNTP, Oracle, POP3, PostgreSQL, RADIUS, RADIUS Account, Real Server, RPC, SASP, Scripted, SIP, SMB, SMTP, SNMP DCA, SNMP DCA Base, SOAP, TCP, TCP Echo, TCP Half Open, UDP, Virtual Location, WAP, WMI | FirePass, FTP, Gateway ICMP, HTTP, HTTPS, ICMP, SOAP, TCP, TCP Half Open, UDP | FirePass, FTP, Gateway ICMP, HTTP, HTTPS, ICMP, SOAP, TCP, TCP Half Open, UDP |
Feature Differences Between ASM & AWAF – a.k.a. F5’s WAF vs. AWAF
Advanced WAF has a number of features that make it “Advanced” compared to the traditional ASM. Remember, the features included in standalone ASM, add-on ASM, and ASM from the “Best” bundle are the same, and all of them also come with AWAF.
What’s included in AWAF:
- ASM — All the features of the base WAF, a.k.a. the ASM module.
- Unlimited Behavioral DoS / BaDoS — Unlike legacy DoS & DDoS detection (which is usually layer 2 and layer 3 based), AWAF’s BDoS and DoS protection measures web transactions per second at layer 7 – think URLs, device IDs, etc… anything detectable at layer 7. It can key its detection on botnet behavior, parameters, URI lengths, content types, anything in the HTTP headers. The moral of the story here is that it has WAY more data to work with than the current layer 2 & 3 detection methods, which are commonly based around IP addresses.
  - Note: You can still use BDoS with ASM without AWAF, but ASM limits BDoS to two Virtual Servers / VIPs.
- DataSafe — Allows you to encrypt data entered into a web form, so if the computer is already infected with malware, the stolen password(s) will be unreadable.
- Guided Config — Walks you through complex configurations for the OWASP Top 10, API Protection, BDoS/DoS – and more on the horizon!
- OWASP Compliance Dashboard — This dashboard displays a list of your WAF policies and their related OWASP Top 10 compliance scores. It gives you a nice visual representation of each policy and of the extent to which it covers the OWASP Top 10 web risks. What’s really nice is that it also tells you the remediation changes you need to make to meet those OWASP compliance standards.
- Credential Stuffing DB — Protects against attackers using password lists stolen in big password breaches.
  - Note: This is early access starting in version 13.1x ASM, but it’s not ready for production unless you purchase AWAF + Threat Campaigns – which will give you real-time updates to the credential stuffing database. Otherwise you’ll be depending on a stale database, and that’s no bueno 😉
- Ability to purchase Threat Campaign Subscriptions — Threat campaigns allow you to do more with fewer resources. F5’s Security Research Team (SRT) discovers attacks with honeypots, performs the analysis and creates attack signatures you can use in your security policies. The probability of false positives is very low, as the signatures have been developed by SRT directly.
- Ability to purchase Anti-Bot Mobile™ SDK — Easily extends Anti-Bot Security to any mobile app. Appdome makes it super easy to integrate a slew of features into any mobile app, including:
  - Mobile bot protection
  - Device identification
  - Behavioral analysis
  - Jailbroken / rooted detection
  - Emulator detection

Additionally, there are some built-in features you get by using Appdome’s Fusion, like anti-reversing, obfuscation, tamper protection, checksum validation and app integrity scans.
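To make the layer 7 versus IP-based point from the BDoS item above concrete, here is an added toy illustration (my own code, not F5’s BDoS implementation): a behavioural, transactions-per-second check keyed on URL and device ID sits beside a classic per-IP rate check, and a distributed bot that stays under the per-IP threshold shows up only in the layer 7 view. All traffic is constructed and the record fields are assumptions.

```python
"""Added illustration, not F5 code: layer 7 transactions-per-second (TPS)
baselining keyed on URL / device ID versus a per-source-IP rate check."""
from collections import Counter

WINDOW = 10  # seconds covered by each observation window


def make_window(bot_ips):
    """Constructed 10 s window: one normal user browsing /home and /login,
    plus `bot_ips` sources that each send ONE /login request per second
    while sharing a single device fingerprint.
    Record layout (assumed): (second, src_ip, url, device_id)."""
    events = []
    for sec in range(WINDOW):
        events.append((sec, "203.0.113.5", "/home" if sec % 2 else "/login", f"dev-user-{sec}"))
        for b in range(bot_ips):
            events.append((sec, f"198.51.100.{b}", "/login", "dev-BOT-1"))
    return events


QUIET = make_window(0)    # learning period: no bot traffic
ATTACK = make_window(10)  # ten low-rate sources hiding behind one device ID


def ip_rate_alerts(events, threshold_rps):
    """Legacy-style check: flag any single source IP above threshold_rps.
    Each bot source sends 1 req/s, so a threshold of 5 req/s sees nothing."""
    per_ip = Counter(e[1] for e in events)
    return sorted(ip for ip, n in per_ip.items() if n / WINDOW > threshold_rps)


def l7_tps(events, key):
    """Transactions per second grouped by a layer 7 attribute selector
    (e.g. lambda e: e[2] for URL, lambda e: e[3] for device ID)."""
    return {k: n / WINDOW for k, n in Counter(key(e) for e in events).items()}


def behavioural_alerts(baseline_events, live_events, key, ratio=5, floor=1.0):
    """Flag layer 7 keys whose live TPS exceeds `ratio` times the TPS learned
    in the baseline window; keys never seen in the baseline are compared
    against `floor` TPS so a brand-new key cannot slip through at 0 * ratio."""
    base = l7_tps(baseline_events, key)
    live = l7_tps(live_events, key)
    return sorted(k for k, tps in live.items() if tps > max(ratio * base.get(k, 0.0), floor))


if __name__ == "__main__":
    print("per-IP alerts:", ip_rate_alerts(ATTACK, 5))                          # []
    print("URL alerts:", behavioural_alerts(QUIET, ATTACK, lambda e: e[2]))     # ['/login']
    print("device alerts:", behavioural_alerts(QUIET, ATTACK, lambda e: e[3]))  # ['dev-BOT-1']
```

The same 110 requests are read three ways: per IP every source sits at 1 req/s and nothing fires, while the URL view sees /login jump from 0.5 to 10.5 TPS and the device view sees a single fingerprint at 10 TPS that never appeared in the baseline.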
I hope this article gave you a clear view of what is included in AWAF today vs. ASM or LTM. As you can see, there are some key differences between the base ASM and the more fully-featured AWAF, which makes AWAF a must-have if your enterprise is serious about security.
The cost savings from the unlimited BDoS/DoS features alone can justify an upgrade to AWAF. I’ve seen organizations cut their bandwidth by more than 50% by turning on BDoS for their external-facing VIPs. This has a waterfall effect on savings – from bandwidth usage and data costs associated with metered services like Splunk, to a longer shelf life for usage-based software licenses and smaller hardware footprints.
Questions? Comments? Have some feedback or Web Security war stories? Post them below!