BIG-IP Application Security Manager
Strengths: Powerful policy engine and robust feature set
Weaknesses: Fragmented documentation
Verdict: Great for larger enterprises, but the product might be overkill for a smaller business. However, we do recommend it.
Although primarily known for top-shelf networking products, F5 Networks' offering in the application security space is no afterthought. Available as a standalone appliance or module for one of its network products, the BIG-IP Application Security Manager (ASM) functions as a firewall, protecting web applications and services with a powerful policy engine.
The initial setup was reasonably straightforward. The product we received for review was bundled with the BIG-IP Local Traffic Manager, which complicated the network setup only slightly.
After defining our interfaces and assigning IP addresses and VLANs, we were ready to define our first policy. Policy creation was deceptively simple. The ASM offers a wizard for creating policies and came packaged with a number of predefined templates for several of the more popular web application packages, including Microsoft Outlook Web Access, SAP NetWeaver, PeopleSoft and others. We needed only to specify the public and private IPs of the application, enable the appropriate template and apply the policy.
The core of the ASM is the application firewall. Providing extremely granular rule options, the tool allows administrators to control HTTP responses at a parameter level - each parameter can be checked for length, attack signatures and more. It offers a good bit of data leak protection, too, as it can scan HTTP responses for defined bits of data, blocking or masking that data as appropriate. The product also provides protection against denial-of-service attacks.
The ASM's Policy Builder option is a strong feature. Designed to run on live production traffic, this system listens to normal traffic and builds a custom policy around what it sees, applying the appropriate signatures automatically.
Customers of WhiteHat Sentinel or Cenzic can take advantage of the ASM's virtual patching feature, which allows them to import their vulnerability assessment reports and have mitigation rules automatically created.
If power and flexibility are the ASM's strengths, documentation is its weakness. While we can't disparage the accuracy and volume of the documentation, our issue is with its presentation. The vast majority of the documentation is on F5's website as HTML or PDF documents. However, the sheer volume can make it challenging to find the document with the information for which one is looking, especially considering how fragmented it is. It has clearly been organised with a bent toward answering specific questions instead of offering general help. This is great for existing users, but makes getting started a little more difficult than it should be. We would have preferred a solid start-to-finish blocking guide. Unfortunately, we were forced to pick our way through a number of different PDFs and HTML documents, slowly assembling our own installation manual.
However, we couldn't come up with any question that F5 didn't have a documented answer for, either in its manuals or the AskF5 knowledgebase, so it is nothing if not thorough and we certainly appreciated that.
The base cost of the ASM hardware and licensing is c£9,454. Support costs start at 12 per cent of the retail price of the product, and all F5 solutions come with a one-year hardware warranty.
We were impressed with this product and would recommend it.