Forum Discussion

fahimfarookme's avatar
Icon for Nimbostratus rankNimbostratus
Apr 28, 2024

Enterprise Security best practices with F5 WAF

When it comes to responsibilities of each layer in an enterprise (i.e. DMZ/ WAF, application, SoR etc), and provided F5 Advanced WAF is deployed on the DMZ, should other layers assume primary responsibility of mitigations supported out-of-the-box by F5 WAF.

i.e. Provided that F5 WAF supports bot defense, should the the layer below (application layer) as well be hardened to defend against bots by implementing features like fingerprinting, validating remote IPs based on HTTP headers etc? 

Certain defense mechanisms - specifically in the case of bot defense, go beyond the expertise of typical application development and having application developers to harden their apps against bots will just add overhead IMO, however one can still argue it's agains defense in depth.

What's the best practice and guideline F5 provides?  

2 Replies

  • if all user access to the app goes through bot defense in dmz f5 awaf, then no need to put the filter again in server zone.

    in my personal opinion, bigip/waf is application-layer oriented device, not network layer oriented device.
    it behaves more like application servers, so it's more properly installed in the server zone.

    and btw, bigip device supports vlan, vxlan, and vrf-like segmented routing via route domain features.
    so actually 1 device can covers all zones if you set proper vlan/vxlan/vrf configurations.
    some people might "persuade" buyers to buy separate devices for each zone though 🙂


    • fahimfarookme's avatar
      Icon for Nimbostratus rankNimbostratus

      Thanks for your response.

      In our case F5 WAF is in the DMZ and the applications are in the private subnets behind DMZ.