Adaptive Apps: Replicate & deploy WAF application security policies across F5's security portfolio

Introduction

Adaptive applications utilize an architectural approach that facilitates rapid and often fully-automated responses to changing conditions—for example, new cyberattacks, updates to security posture, application performance degradations, or conditions across one or more infrastructure environments.

Unlike the current state of many apps today that are labor-intensive to secure, deploy, and manage, adaptive apps are enabled by the collection and analysis of live application performance and security telemetry, service management policies, advanced analytic techniques such as machine learning, and automation toolchains.

This example seeks to demonstrate value in two key components of F5's Adaptive Apps vision: helping our customers more rapidly detect and neutralize application security threats and helping to speed deployments of new applications.

In today's interconnected digital landscape, the ability to share application security policies seamlessly across data centers, public clouds, and Software-as-a-Service (SaaS) environments is of paramount importance. As organizations increasingly rely on a hybrid IT infrastructure, where applications and data are distributed across various cloud providers and security platforms, maintaining consistent and robust security measures becomes a challenging task.

Using a consistent & centralized security policy architecture provides the following key benefits:

Reduced Infrastructure Complexity: Modern businesses often employ a combination of on-premises data centers, public cloud services, and SaaS applications. Managing separate security policies for each platform introduces complexity, making it challenging to ensure consistent protection and adherence to security standards.
Consistent Protection: A unified security policy approach guarantees consistent protection for applications and data, regardless of their location. This reduces the risk of security loopholes and ensures a standardized level of security across the entire infrastructure.
Improved Threat Response Efficiency: By sharing application security policies, organizations can respond more efficiently to emerging threats. A centralized approach allows for quicker updates and patches to be applied universally, strengthening the defense against new vulnerabilities.
Regulatory Compliance: Many industries have strict compliance requirements for data protection. Sharing security policies helps organizations meet these regulatory demands across all environments, avoiding compliance issues and potential penalties.
Streamlined Management: Centralizing security policies simplifies the management process. IT teams can focus on maintaining a single set of policies, reducing complexity, and ensuring a more effective and consistent security posture.
Cost-Effective Solutions: Investing in separate security solutions for each platform can be expensive. Sharing policies allows businesses to optimize security expenditure and resource allocation, achieving cost-effectiveness without compromising on protection.
Enhanced Collaboration: A shared security policy fosters collaboration among teams working with different environments. This creates a unified security culture, promoting information sharing and best practices for overall improvement.
Improved Business Agility: A unified security policy approach facilitates smoother transitions between different platforms and environments, supporting the organization's growth and scalability.

By having a consistent security policy framework, businesses can ensure that critical security policies, access controls, and threat prevention strategies are applied uniformly across all their resources. This approach not only streamlines the security management process but also helps fortify the overall defense against cyber threats, safeguard sensitive data, and maintain compliance with industry regulations. Ultimately, the need for sharing application security policies across diverse environments is fundamental in building a resilient and secure digital ecosystem.

In the spirit of enabling a unified security policy framework, this example shows the following two key use cases:

Replicating and deploying an F5 BIG-IP Advanced WAF (AWAF) security policy to F5 Distributed Cloud WAAP (F5 XC WAAP)
Replicating and deploying an F5 NGINX App Protect (NAP) security policy to F5 XC WAAP

Specifically, we show how to use F5's Policy Supervisor and Policy Supervisor Conversion Utility to import, convert, replicate, and deploy WAF policies across the F5 security proxy portfolio. Here we will show how the Policy Supervisor tool provides flexibility in offering both automated and manual ways to replicate and deploy your WAF policies across the F5 portfolio. Regardless of the use case, the steps are the same, enabling a consistent and simple methodology.

We'll show the following 2 use cases:

1. Manual BIG-IP AWAF to F5 XC WAAP policy replication & deployment:

Private BIG-IP AWAF deployment with security policy blocking specific attacks
Manual conversion of this BIG-IP AWAF policy to F5 XC WAAP policy using the Policy Supervisor Conversion Utility
F5 XC WAAP environment without application security policy
Manual deployment of converted BIG-IP AWAF security policy into F5 XC WAAP environment showing enablement of equivalent attack blocking

2. Automated NGINX NAP to F5 XC WAAP policy replication & deployment:

Private NGINX NAP deployment with security policy blocking specific attacks
Automated conversion of this NGINX NAP policy to F5 XC WAAP policy using the Policy Supervisor tool
F5 XC WAAP environment without application security policy
Automated deployment of converted NGINX NAP security policy into F5 XC WAAP environment showing enablement of equivalent attack blocking

Note there are additional resources available from F5's Technical Marketing team to help you better understand the capabilities of the F5 Policy Supervisor. For a more detailed look at the F5 Policy Supervisor, be sure to review the following additional excellent resources:

F5 Technical Marketing: "Minimizing Security Complexity: Managing Distributed WAF Policies"
- DevCentral article: https://community.f5.com/t5/technical-articles/minimizing-security-complexity-managing-distributed-waf-policies/ta-p/321168
- YouTube demo video:

Use Case

Simple, easy way to replicate & deploy WAF application security policies across F5's BIG-IP AWAF, NGINX NAP, and F5 XC WAAP security portfolio.

While the Policy Supervisor supports all of the possible security policy replication & migration paths shown on the left below, this example is focused on demonstrating the two specific paths shown on the right below.

Solution Architecture

Problem Statement

Customers find it challenging, complex, and time-consuming to replicate & deploy application security policies across their WAF deployments which span the F5 portfolio (including BIG-IP, NAP, and F5XC WAAP) within on-prem, cloud, and edge environments.

Customer Outcome

By enforcing consistent WAAP security policies across multiple clouds and SaaS environments, organizations can establish a robust and standardized security posture, ensuring comprehensive protection, simplified management, and adherence to compliance requirements.

The Guide

Please refer to https://github.com/f5devcentral/adaptiveapps for detailed instructions and artifacts for deploying this example use case.

Demo Video

Watch the demo video:

Updated Sep 20, 2023

Version 3.0