F5 Enterprise Solutions - Application Security
Our integrated security suite, backed by 24/7 access to our security experts, protects all your apps against constantly evolving threats.
Apps are the gateway to your data.
Protecting your data starts by thinking app security first.
Today, apps are your business. With this app-centric environment come new risks—86 percent of data breaches now occur at the app level. Protecting your data, and your business, requires integrated security solutions to defend critical areas of risk.
Understanding the Threat Landscape
Data is the currency among cybercriminals
The data that drives your business includes strategies, finances, and your customers' most sensitive information. So, it’s crucial to ensure only the right people get access to the right data while also keeping the app protected.
Over 70 percent of today’s Internet traffic is encrypted and analysts predict it will continue to rise. This growth is creating a dangerous blind spot because many traditional, network-focused security appliances can’t effectively decrypt traffic. And hackers readily exploit this blind spot to hide malware and other threats.
By fortifying security strategies with solutions and services focused specifically on the application, you can better secure access to applications and protect the ones that expose sensitive data, no matter where they live.
Our solutions can secure any infrastructure, from traditional data centers to cloud environments. This helps make sure users can securely access data on any device, in any environment, at any time.
F5 secures applications and the data behind them—because that’s where today’s attacks happen.
Manage risk everywhere, including the cloud
Traditional network-based security solutions focus on network protection and are blind to application context.
Our ability to eliminate blind spots provides necessary visibility and inspection for application traffic, so you can make decisions based on the potential risk to the application and take necessary action. Also, F5 security solutions are delivered where businesses need them—as standalone hardware, virtual appliances, and in the cloud.
Only with visibility into the weaknesses attackers are exploiting—within user identities and applications themselves—will enterprises like yours be able to protect their data.
The New Approach
As the perimeter dissolves, application protection, visibility, and application access become critical to protecting data.
- Application Protection
- SSL/TLS Visibility and Control
- Application Access
- Web Application Firewall (WAF)
Keep business applications up and running, despite attacks
Ensure your business-critical applications are protected against a variety of network and application-level attacks. Drive business agility without compromising security—extend security controls and policies from the data center to the cloud with a range of security solutions.
Many attack vectors, one objective
DDoS attacks range from pranksters having fun to targeted acts of retaliation, protest, theft and extortion. Depending on their skills, attackers may use readily available DDoS tools or launch more sophisticated attacks. Ultimately, all DDoS attacks have one objective—to disrupt service availability and have a significant impact on businesses.
Suddenly, your applications aren’t available and you can’t do business with customers.
There are four main types of attacks, although they’re most often combined:
- Volumetric—flood-based attacks that can be at layer 3, 4, or 7.
- Asymmetric—invoke timeouts or session-state changes.
- Computational—consume CPU and memory.
- Vulnerability-based—exploit application software vulnerabilities.
The most damaging DDoS attacks mix volumetric attacks with targeted, application-specific attacks.
DDoS demands vigilance
Combined or “mixed” DDoS attacks are becoming more difficult to defend against and are often an indicator of more advanced, persistent threats to come. How quickly you can discover and stop these threats is key to ensuring service continuity and limiting damage.
Consider application layer attacks
Layer 7 attacks are much more common now. Criminals are increasingly using low-and-slow attacks that target layer 7 computing power and I/O to disable web application servers. These attacks avoid network-level detection and challenge traditional detection methods.
In 2011, you’d see layer 7 attacks infrequently—maybe in 10 percent of DDoS campaigns. Today, the F5 Security Operations Center (SOC) sees layer 7 attacks all the time.
F5 is your best choice for DDoS defense.
F5 provides seamless, flexible, and easy-to-deploy solutions that enable a fast response, no matter what type of DDoS attack you’re under:
- Defends against the full spectrum of DDoS attacks with multi-layered, hybrid defense that combines cloud scrubbing and an on-premises appliance.
- Supports flexible deployment options with inline and out-of-band mode to make sure your applications remain available.
- Detects and mitigates targeted multi-vector, bursty DDoS with sub-second attack detection and instant mitigation in inline mode.
- Seamlessly integrates on-premises and native cloud-based attacks, signaling F5 Silverline cloud-based scrubbing.
Choose an application-aware solution.
F5 offers the most comprehensive layer 3 through layer 7 DDoS mitigation, combining on-premises and cloud DDoS scrubbing to mitigate network, application, and volumetric attacks.
Find the DDoS solution that’s right for your business
Do you want to use the cloud to make sure that all traffic coming into your data center is clean?
Do you want to put DDoS protection in front of your current systems?
Do you want to add DDoS protection to your existing BIG-IP system?
SSL/TLS Visibility and Control:
See what’s hidden in encrypted traffic
Gain critical visibility into the traffic on your network that many traditional defenses are unable to examine, making your security stack more effective and simplifying management. Prevent data loss and ensure compliance with deeper intelligence and visibility into all data connection points (inbound and outbound traffic). Understand and mitigate attacks at every level, through layer 7.
SSL really is everywhere
SSL/TLS enables businesses to communicate securely with customers and partners. More and more organizations are protecting not just their business services, but all communication from email and social media to streaming video—including outbound—with SSL/TLS.
The challenge is that SSL/TLS can also function as a tunnel that attackers use to hide malware from security devices. And while your next-gen firewall watches users, your IDS/IPS knows thousands of vulnerabilities, and your sandbox can find zero-days, they don’t see into encrypted SSL/TLS traffic.
Enterprise security solutions must gain visibility into this encrypted traffic to make sure it doesn’t bring malware into the network. Enter: SSL/TLS decryption.
Decrypt malware without the typical drawbacks
Traditional security gateways, network firewalls, and intrusion prevention system (IPS) appliances have SSL decryption capabilities, but most organizations don’t have the right architecture in place to enable it holistically. And because SSL/TLS changes over time, your architecture would have to be maintained and upgraded to stay ahead of new threats.
With F5 as the strategic point of control in your network, you’ll get unique levels of visibility into encrypted traffic minus the pitfalls of competing firewall decryption solutions. Here are a few things that set us apart:
- Flexible deployment modes that easily integrate into even the most complex architectures, centralize SSL/TLS decryption and encryption, and deliver the latest encryption technologies across your security infrastructure—without costly architecture upgrades.
- Industry-leading decryption and re-encryption allow you to offload the overhead of decryption, so your security devices can perform at their best.
- Dynamic security service chaining (including anti-virus/malware products, intrusion detection systems [IDS], IPSs, next-generation firewalls, and data loss prevention [DLP]) matches the URL with policies that determine whether encrypted traffic should be allowed to pass or be decrypted and sent through a security device or service.
- Full cipher support ensures that every device in the security stack has full traffic visibility.
- Two-way SSL/TLS encryption/decryption with HTTP/2 and TLS 1.2 with forward secrecy to your internet users.
F5 security solutions manage SSL to give you better performance and effectiveness across your security stack. And because F5’s high-performance SSL/TLS stack has been custom-built over 15 years, F5 customers aren’t typically vulnerable to OpenSSL flaws like Heartbleed.
Find the SSL solution that’s right for you
Want a dedicated decryption solution that also provides intelligent routing and visibility for your security stack?
Identity Federation and Remote Access:
Enable mobile work styles without introducing risk
Security policies follow authorized users wherever they are located. Enable employees to access their applications securely while helping ensure that malware and attacks can’t make their way across connections. Build a contextual, dynamic, risk-based approach to application access that improves end-user experience without compromising security.
F5 offers security policies that scale
Application vulnerabilities are responsible for over 70 percent of data breaches. [1] F5 has been focused on application access management and protection for over 20 years.
Our remote access and identity federation solutions let you customize the security policies that follow your apps, providing centralized and secure authentication and access control for users—no matter where they are or what device they’re using. Our contextual, dynamic, and risk-based approach to application access improves the user experience and scales without limits. And the policies and controls you create stay consistent wherever your apps are deployed.
Make sure people are who they say they are
Users no longer distinguish between remote access and on-premises access. They expect to connect from anywhere, on any device, whether they’re in the office, at home, at a hotel, on a flight, or at their local coffee shop. It’s up to network and security teams to ensure people can get their work done, without putting the business or its data at risk.
Fragmented identities and decentralized apps introduce significant risk due to the challenges of enforcing security policies across Software as a Service (SaaS), cloud, and on-premises applications.
With hybrid cloud environments becoming the norm, it’s important to make sure that "outside" apps have the same secure authentication as those inside your data center. Our solutions let you consolidate authentication to eliminate the risks that come with identity sprawl, and can integrate a variety of multi-factor authentication (MFA) options.
Single sign-on helps
Single sign-on (SSO) requires authentication, and it’s token-based; each user is identified by a token, not a password.
Using the Security Assertion Markup Language (SAML) standard, our application access solutions can serve as a SAML identity provider (IdP) for SaaS apps and a service provider for apps in the public cloud or on-premises. Regardless of where your applications live, your users' credentials remain safe and secure in one place because a trusted token is passed to applications when a user signs in.
F5 handles authentication for all your apps. Your users can sign in once and securely access the applications they use all the time, like Microsoft Office or Office 365, Microsoft Exchange, SharePoint, Salesforce, and others—over all networks and from all devices, while integrating with numerous MDM/MAM vendors.
They’re trying to connect to what from where?
As organizations deliver more and more sensitive data through applications, they introduce ever-increasing risk. Today’s users are everywhere, frequently outside the corporate network, working on a variety of devices, relying on apps located anywhere—from private data centers to the public cloud.
Our solutions give you up-to-the-minute access control and let you create and manage custom access policies, regardless of the location of the user or the app. By analyzing all devices both before and after access is granted, you can avoid the exposure to risks associated with remote or consumer device endpoints. You can assign access privileges and security policies that ensure the right people have access to the right data—from the right places and on the right devices.
Make sure you can control remote access and identity federation without adding the complexity that costly point solutions can introduce into your network. F5's application access solutions:
- Simplify the integration of authentication tools by creating an identity bridge, a trusted chain of user identity between two entities—networks, clouds, applications, etc.—via industry standards like SAML.
- Make the cumbersome duplication and insertion of identity directories unnecessary.
- Keep identity and access under the control of your enterprise, with authentication happening between the enterprise, cloud, and SaaS providers.
- Centralize enterprise control of instant user authentication and termination.
- Offer the most scalable remote access and identity federation solution in the industry, delivering over 5x the scale available from Citrix and Pulse Secure and 10x the scale of many other vendors.
- Provide fast, secure access with numerous authentication methods, including a variety of multi-factor authentication (MFA) options.
Find the remote access and identity federation management solution that’s right for you
[1] Based on aggregated data from IT Business Edge, Krebs on Security, Security Week, and CSO Online.
Web Application Firewall (WAF):
Securing apps requires the right WAF solution
The right WAF in front of your applications can quickly stop application threats and mitigate vulnerabilities. As a key part of your total application security strategy, F5 WAF solutions can safeguard your data, enable compliance, and provide ongoing protection against evolving application threats. Our WAFs offer a range of defenses, so they can be tailored to the level of protection different apps require.
- Comprehensive Application Protection
Proactive bot defense, identity management, real-time threat protection, client-side threat defense, layer 7 DoS protection, and compliance enforcement and reporting.
- Proactive Bot Defense for Web and Mobile Apps
Extends bot protection across every app—web or mobile—with the ability to identify bots that bypass standard detection methods.
- Protection from Credential Theft
Protects against brute-force attacks that use stolen credentials. Also includes field-level encryption capabilities that safeguard user credentials before they can be stolen by man-in-the-middle attacks.
- Layer 7 DoS Behavioral Analysis
Mitigations that learn and adapt to your unique application layer user-interaction patterns to enable dynamic defenses based on changing conditions.
- Intelligent, Adaptable, and Programmable Defenses
Dynamic traffic-pattern learning and behavioral analysis enable real-time identification and response to new application attacks with minimal admin intervention.
- Compliance and Beyond
Meet compliance requirements for regulatory standards like FFIEC, HIPAA, and PCI-DSS today and in the future via pre-configured security profiles. Also get the tools you need to respond to evolving application threats and attack vectors.
- Virtual Patching
Virtual patching through signature detection of vulnerability exploit attempts. Integration with third-party dynamic application security testing (DAST) tools for automated virtual patching.
- Context-Aware Risk Management
Geolocation and IP intelligence enable context-aware policies that facilitate identifying and blocking or limiting known malicious hosts and regions.
- Protocol Enforcement
Enforce strict adherence to RFC standards. Filter and block unused protocol features.
- Client-Side Integrity Defense
Identifies and limits or blocks suspicious clients and headless browsers, and mitigates client-side malware.
- Scale and Performance Even Under Attack
Ensures app availability and performance even when under attack.
- Protection Against OWASP Top 10 Threats
Whether deployed in data centers or hybrid cloud environments, defends critical apps with comprehensive protection from today’s biggest security concerns, the OWASP top 10 vulnerabilities.
Find the WAF deployment that’s right for your business
Consistent, portable WAF policies follow your apps no matter where they are deployed—on-premises or across cloud providers.
High-performance hardware solutions to protect your applications.
Full-featured WAF you can deploy on any leading hypervisor or select cloud providers.
Cloud-based, fully managed solutions. We maintain your WAF.
Cloud-based solutions that we host, but that you update and manage yourself.