F5 Networks BIG-IP Application Security Manager
Strengths: Powerful policy engine and robust feature set.
Weaknesses: Fragmented documentation.
Verdict: Great for larger enterprises, but the product might be overkill for a smaller business. For all of that, we make this our Recommended product
Although they're primarily known for top-shelf networking products, F5 Networks' offering in the application security space is no afterthought. Available as a standalone appliance or module for one of its network products, the BIG-IP Application Security Manager (ASM) functions as an application firewall, protecting web applications and services with a powerful policy engine.
The initial setup was reasonably straightforward. The product we received for review was bundled with the BIG-IP Local Traffic Manager, which complicated the network setup only slightly. After defining our interfaces and assigning IP address and VLANs, we were ready to define our first policy. Policy creation was deceptively simple. The ASM offers a wizard for creating polices and came packaged with a number of predefined templates for several of the more popular web application packages, including Microsoft Outlook Web Access, SAP NetWeaver, PeopleSoft and others. We needed only to specify the public and private IPs of the application, enable the appropriate template and apply the policy.
The core of the ASM is the application firewall. Providing extremely granular rule options, the tool allows administrators to control HTTP responses at a parameter level - each parameter can be checked for length, attack signatures and more. It offers a good bit of data leakage protection, too, as it can scan HTTP responses for defined bits of data, blocking or masking that data as appropriate. It also provides protection against denial-of-service attacks. The ASM's Policy Builder option is a strong feature. Designed to run on live production traffic, this system listens to normal traffic and builds a custom policy around what it sees, applying the appropriate signatures automatically. Customers of WhiteHat Sentinel or Cenzic are able to take advantage of the ASM's virtual patching feature, which allows them to import their vulnerability assessment reports and have mitigation rules automatically created.
If power and flexibility are the ASM's strengths, documentation is its weakness. While we can't disparage the accuracy and volume of the documentation, our issue is with its presentation. The vast majority of the documentation is up on F5's website as HTML or PDF documents. That in and of itself is fine. However, the sheer volume can make it challenging to find the document with the information for which one is looking, especially considering how fragmented it is. It has clearly been organized with a bend toward answering specific questions instead of offering general help. This is great for existing users, but makes getting started a little more difficult than it should be. We would have preferred a solid start-to-finish blocking guide. Unfortunately, we were forced to pick our way through a number of different PDFs and HTML documents, slowly assembling our own installation manual. That being said, we couldn't come up with any question that F5 didn't have a documented answer for either in its manuals or the AskF5 knowledge base, so they are nothing if not thorough and we appreciated that.
The base cost of the ASM hardware and licensing is $14,995. Support costs start at 12 percent of the retail price of the product. All F5 solutions come with a one-year hardware warranty.