NGINX App Protect
FINALLY THE WAF FOR NGINX
Luboš Klokner
Sr. Solutions Engineer | F5
June 19, 2020
©2019 F5
(Diagram: F5 service modules sitting between users, customers and attackers on one side and VDI / web apps on the other.)
FW
• Network ACL
• IP Intelligence
• IP lists
• DDoS protection
• Full proxy
DNS
• Business continuity
• GSLB
• DNS security / services
• DNS firewall
WAF
• L7 firewall
• Positive and negative policy
• API security
• Bot detection
• Brute-force protection
• Credential stuffing
• Client fingerprinting
• L7 DDoS mitigation
UAC
• Remote access
• Pre-authentication
• Multi-factor / SSO / federation
• Endpoint inspection
• API gateway
ADC
• Full proxy
• TLS/SSL offload
• Application awareness
• Traffic enhancements
Acceleration
• TCP optimization
• Caching / compression
• End-user experience
• HTTP/2
Client Protection
• Encryption
• Phishing
• Malware
• Automated transactions
Platforms: BIG-IP VE, VIPRION (High Performance Services Fabric), Cloud Services
Positioning
(Chart, axes App to Infrastructure and Code / Micro-Services / Cloud, personas Dev, DevOps, SecOps, Architect, NetOps, Super-NetOps: NGINX App Protect sits toward the App / Code / DevOps end, ASM/Advanced WAF toward the Infrastructure / NetOps end.)
Solution Description
• Stand-alone premium WAF
• Annual subscription licensing
• Dynamic module: a lightweight software package installed on top of NGINX Plus
• Platform agnostic
• Leverages F5's core WAF technology
NGINX App Protect: Customer Value
✔ High performance
✔ Protection beyond signatures
✔ Trusted signatures from F5
✔ Simple CI/CD integration
✔ Designed for modern infrastructures
✔ Rapid feedback loop for security remediation
✔ Unified F5 declarative interface
✔ Security statistics via syslog
✔ Backed by F5 Support
Three themes: Secure, Manage, CI/CD friendly
NGINX App Protect Performance
• ModSecurity configuration: OWASP Core Rule Set 3.x with all rules enabled
• NGINX App Protect configuration: OWASP Top 10 attack signatures enabled, evasion-technique checks, Data Guard, disallowed file types, HTTP protocol compliance
In F5's benchmark, NGINX App Protect, running the more comprehensive of the two policies, showed no added latency and delivered far higher throughput and requests per second than ModSecurity. Note that the two policies are not rule-for-rule equivalent, so this compares the products as configured above rather than identical rule sets.
NGINX App Protect Default Security Policy
• Attack signatures covering the OWASP Top 10 and known CVEs
• Meta-character checks
• HTTP protocol compliance
• Evasion-technique detection
• Disallowed file types (bin, cgi, cmd, com, dll, exe, msi, sys, shtm, shtml, stm and more)
• Enforcement based on a high risk score (Violation Rating)
• Cookie integrity check
• JSON and XML well-formedness checks
• Sensitive parameters (values masked in logs) and Data Guard (masking of sensitive data such as credit card and social security numbers in responses)
nginx.conf (screenshot in the original slide; text not recoverable)
Default policy and default logging profile (log_default)
See https://docs.nginx.com/nginx-app-protect/configuration/
Deployment Options
Consider Two Different WAF User Profiles
NetOps/SecOps:
• Centralized operations team
• Set of stable applications
• Top concern: governance, stability and predictability
DevSecOps/DevOps:
• Democratized, distributed teams
• Multiple applications, many under active development
• Top concern: time to market, speed to innovate
(Diagram: WAF insertion points in a customer's Kubernetes environment, from the NetOps / Operations side to the DevOps / Applications side: Edge, Ingress Controller, per-service proxy, per-pod proxy.)
Standard App Protect NGINX-proxy deployment
Available now (released May 15, 2020)
• Stand-alone premium WAF module for NGINX Plus
• Configured with NGINX directives plus an App Protect policy file and the signature database
• Dynamic module installed on top of NGINX Plus; consists of the connector module, the pipe agent and the bd agent (the enforcement engine)
• Limited platforms at release (Debian, CentOS), others to follow
(Diagram: customer code behind an NGINX Plus proxy running App Protect.)
WAF Deployment at the Edge
DEPLOY WAF POLICIES OUTSIDE KUBERNETES, ON A LOCAL BIG-IP OR A CLOUD-BASED WAF
Available now
NetOps/SecOps-centric approach
• The prime use case for an edge load balancer, i.e. outside Kubernetes
• NetOps/SecOps expose F5 application services to their App/DevOps colleagues for automated consumption
• Can also be delivered with F5 Advanced WAF (AWAF)
Appropriate for a NetOps/SecOps-managed WAF
WAF Deployment on the Ingress Controller
DEPLOY WAF POLICIES ON THE INGRESS CONTROLLER, CONFIGURED THROUGH THE KUBERNETES API
Available June 2020
Kubernetes SecOps/DevSecOps-centric approach
Appropriate when WAF policies are directed by NetOps or DevOps teams. Policies are defined as Kubernetes resources and attached to services through the Kubernetes API.
NGINX Ingress Controller RBAC allows:
• Admin users to enforce policies per listener
• DevOps users to select a policy per Ingress resource
F5 Container Ingress Services (CIS) can scale the NGINX Ingress Controller and add other application services (LB, DNS, DDoS, IAM).
Appropriate for Kubernetes-native SecOps or DevSecOps
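The per-Ingress policy selection described above, written out as the Kubernetes resources the NGINX Plus Ingress Controller with App Protect consumes. This is an added example, not material from the deck or from NGINX's own documentation: an APPolicy that starts from the default policy of the earlier slide and tightens it, an APLogConf that logs only illegal requests, and an Ingress that attaches both by annotation. The CRD group appprotect.f5.com/v1beta1, the annotation names and the policy keys are those of the Ingress Controller's App Protect integration; the namespace, resource names, host, backend Service "arcadia" and the syslog address are assumptions, and the Ingress uses networking.k8s.io/v1, so a current Kubernetes (1.19+) and Ingress Controller release is assumed rather than the June 2020 one.

```yaml
# Added example (not from the deck). Assumptions: appprotect.f5.com CRDs are
# installed, a Service "arcadia" on port 80 exists in namespace "arcadia",
# Kubernetes 1.19+ and a syslog collector at syslog.logging.svc.cluster.local:514.
# All names and the host are invented for illustration.
---
apiVersion: appprotect.f5.com/v1beta1
kind: APPolicy
metadata:
  name: arcadia-blocking
  namespace: arcadia
spec:
  policy:
    name: arcadia_blocking
    template:
      name: POLICY_TEMPLATE_NGINX_BASE   # the default policy from the earlier slide as baseline
    applicationLanguage: utf-8
    enforcementMode: blocking            # "transparent" alarms only; use it while tuning
    blocking-settings:
      violations:
      - name: VIOL_FILETYPE
        alarm: true
        block: true
      - name: VIOL_DATA_GUARD
        alarm: true
        block: false                     # alarm and mask; block: true would block the response
    filetypes:
    - name: php                          # added to the default disallowed list
      allowed: false
    data-guard:
      enabled: true
      maskData: true
      creditCardNumbers: true
      usSocialSecurityNumbers: true
      enforcementMode: ignore-urls-in-list
      enforcementUrls: []                # empty list = apply to every URL
---
apiVersion: appprotect.f5.com/v1beta1
kind: APLogConf
metadata:
  name: log-illegal
  namespace: arcadia
spec:
  filter:
    request_type: illegal                # only requests that raised a violation
  content:
    format: default
    max_request_size: any
    max_message_size: 5k
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: arcadia
  namespace: arcadia
  annotations:
    # The DevOps team selects the policy here; cluster admins decide which
    # APPolicy objects exist and, through RBAC, who may create or edit them.
    appprotect.f5.com/app-protect-enable: "True"
    appprotect.f5.com/app-protect-policy: "arcadia/arcadia-blocking"
    appprotect.f5.com/app-protect-security-log-enable: "True"
    appprotect.f5.com/app-protect-security-log: "arcadia/log-illegal"
    appprotect.f5.com/app-protect-security-log-destination: "syslog:server=syslog.logging.svc.cluster.local:514"
spec:
  ingressClassName: nginx
  rules:
  - host: arcadia.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: arcadia
            port:
              number: 80
```

Apply with kubectl and confirm the controller accepted the policy before testing a blocked request, for example a GET for /index.php, which should be rejected with a support ID and appear at the syslog destination. The separation the slide describes rests on Kubernetes RBAC: grant application teams create/update on Ingress objects only, and keep create/update on APPolicy and APLogConf with the security team, otherwise a team can weaken its own WAF by editing the referenced policy.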
WAF Deployment within Kubernetes, for a Specific Pod
DEPLOY WAF POLICIES FOR A SPECIFIC POD/INSTANCE BY EMBEDDING NGINX PLUS WITHIN THE POD
Available now
App-owner-centric approach
Appropriate when the application owner has full control of the WAF for their application. The WAF is implemented as an embedded proxy in each application pod.
• Implemented, tested and deployed through the CI/CD pipeline
• WAF updates require redeployment of the application pods
Suitable for services that require very close control and testing of the WAF configuration.
Appropriate when the app owner has full control over WAF policies
Good use case: a large legacy application that has been packaged as a container and has vulnerabilities.
Differentiators
NGINX App Protect vs. ModSecurity: NGINX App Protect has…
o No security expertise required to implement
o No need for customers to write their own signatures
o Better performance (up to 20x)
o gRPC support
o Response-based security support (extremely difficult to achieve in ModSecurity)
o A positive security model (ModSecurity offers attack signatures only)
o Rich logging available out of the box
o Easy Splunk and ArcSight integration via syslog
o A Kibana dashboard
o Easy signature updates and rollback
Demo: Arcadia Finance
(Screenshots: the Arcadia Finance sample application, its API schema, and the application with NGINX App Protect enabled.)
Nginx app protect-for-meetup-v1.0-202006_lk
