F5® Distributed Cloud Mesh’s Application Security is an integrated application security and AI inference engine in the data-plane providing the capability to perform intrusion and anomaly detection based on models that are computed and distributed from our SaaS-based service. The solution uses a combination of algorithmic, signature-based, reputation database, and machine learning techniques to identify application and API level attacks and provide a holistic next-generation application firewall. The machine learning engine automatically determines all the API endpoints that are being accessed for any virtual service and that can be used to define policies for application micro-segmentation. F5 Distributed Cloud also provides the capability of managed PKI identities to applications that can be used for application to application and developer to application authentication and policy-based authorization. It is “out-of-the-box” ready and accessible when F5 Distributed Cloud Node or Cluster is deployed.
If you are interested in further details of how the features described in this guide work, read more below in Concepts.
Introduction to Mesh Application Security
With all Node or Cluster deployments, you have the ability to leverage additional F5 Distributed Cloud Mesh and F5® Distributed Cloud App Stack services as a simple add-on. This section discusses specifically the Mesh Application Security features.
Mesh Application Security Features
Web Application Firewalls (WAF)
- Simplified App Firewall creation with default detection settings to limit the risk of false positives. Mesh also supports various violation detections, enabling of threat campaigns, and bot protection. As part of WAF configuration, one can also customize the blocking response page, define allowed response status codes, and mask sensitive parameters in request logs. Beyond configuration, the WAF runs in one of two modes: monitoring or blocking. Monitoring mode identifies threats and generates security events, while blocking mode generates security events and also blocks the threats.
Application DoS & BOT Detection
- Denial of service attacks can be detected on applications and APIs using alerts from the rules-based WAF as well as anomaly alerts from our behavioral analysis. These alerts can be used to generate service policies at the application level as well as the network level. Since applications are always protected by distributed proxies and the Mesh global infrastructure, any network-level DoS attack affects only the data-plane. The data-plane is built to withstand various resource-exhaustion attacks (for example, SYN floods against the flow table, fragmentation-buffer exhaustion, or NAT-pool exhaustion). In addition, the data-plane provides fast ACLs to protect against application-level attacks from clients or bots.
Application Anomaly Detection
- If a tenant configures application security, a behavior firewall is enabled. Machine learning is done centrally in our control plane using inputs from the logs and metrics of all distributed proxies for that tenant. AI models are then created to baseline different types of requests. This model is then used for inference in the proxy's request path to flag requests that deviate from the learned baseline. Request behavior is characterized by metrics such as request size, response size, and request-to-response latency.
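The following is an added illustration of the per-request inference described above; it is example code written for this page, not F5's model or engine. It assumes the three metrics the text names (request size, response size, request-to-response latency), a constructed training sample, and a robust z-score (median and median absolute deviation) as the scoring rule, which is an assumption of the example rather than the product's algorithm.

```python
"""Per-request behavioral anomaly scoring (added illustration, not F5 code).

Learns, per API endpoint, a baseline of request size, response size and
request-to-response latency from a constructed training sample, then scores
new requests with a robust z-score (median / MAD) so a few outliers in the
training data do not inflate the baseline.
"""
import statistics
from collections import defaultdict

FEATURES = ("request_bytes", "response_bytes", "latency_ms")

# Constructed training sample: (endpoint, request_bytes, response_bytes, latency_ms).
TRAINING = [
    ("GET /api/users/{id}", 200, 1400, 30),
    ("GET /api/users/{id}", 210, 1450, 32),
    ("GET /api/users/{id}", 205, 1420, 31),
    ("GET /api/users/{id}", 215, 1480, 35),
    ("GET /api/users/{id}", 220, 1500, 33),
    ("GET /api/users/{id}", 198, 1390, 29),
    ("GET /api/users/{id}", 212, 1460, 34),
    ("GET /api/users/{id}", 208, 1440, 32),
    ("GET /api/users/{id}", 203, 1410, 30),
    ("GET /api/users/{id}", 217, 1490, 36),
    ("POST /api/login", 320, 180, 120),
    ("POST /api/login", 330, 182, 115),
    ("POST /api/login", 315, 178, 125),
    ("POST /api/login", 325, 180, 118),
    ("POST /api/login", 335, 181, 122),
]


def learn_baseline(samples):
    """Return {endpoint: {feature: (median, mad)}} learned from samples."""
    values = defaultdict(lambda: defaultdict(list))
    for endpoint, *obs in samples:
        for name, value in zip(FEATURES, obs):
            values[endpoint][name].append(value)
    model = {}
    for endpoint, feats in values.items():
        model[endpoint] = {}
        for name, xs in feats.items():
            med = statistics.median(xs)
            # A MAD of 0 (constant feature) would make any deviation infinite; floor it at 1.
            mad = statistics.median(abs(x - med) for x in xs) or 1.0
            model[endpoint][name] = (med, mad)
    return model


def score_request(model, endpoint, request_bytes, response_bytes, latency_ms, threshold=3.5):
    """Return (is_anomalous, {feature: robust_z}) for one observed request.

    0.6745 rescales the MAD so the score is comparable with a standard
    deviation on normally distributed data; 3.5 is the usual cut-off.
    """
    if endpoint not in model:
        # Unseen endpoint: nothing to compare against yet (that is an endpoint-discovery problem).
        return False, {}
    observed = dict(zip(FEATURES, (request_bytes, response_bytes, latency_ms)))
    z = {name: 0.6745 * (observed[name] - med) / mad
         for name, (med, mad) in model[endpoint].items()}
    return any(abs(v) > threshold for v in z.values()), z


if __name__ == "__main__":
    model = learn_baseline(TRAINING)
    print(score_request(model, "GET /api/users/{id}", 210, 1450, 32))    # typical request
    print(score_request(model, "GET /api/users/{id}", 210, 250000, 32))  # oversized response
    print(score_request(model, "GET /api/users/{id}", 210, 1450, 900))   # latency spike
```

The per-endpoint split matters: a 250 KB response may be normal for a report download and wildly abnormal for a user-profile lookup, so one global baseline would either miss the second case or flood the first with false positives. Unseen endpoints return no score here; in practice they are the input to endpoint discovery rather than to this scorer.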
Time-series Anomaly Detection
- Time-series metrics for request rate, errors, latency, and throughput are used to detect anomalies using statistical algorithms.
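As an added example of a statistical time-series detector of the kind described above (written for this page; it is not F5's algorithm and the product's actual statistics are not documented here), the following tracks a per-minute request-rate series with an exponentially weighted moving average and variance and flags points that deviate by more than k standard deviations. The series, the smoothing factor, the threshold and the "freeze baseline on anomaly" behaviour are all assumptions of the example.

```python
"""Time-series anomaly detection on a per-minute request-rate series (added
illustration, not F5 code). Uses an exponentially weighted moving average and
variance as the baseline and flags points whose deviation exceeds k standard
deviations. Baseline updates are frozen on flagged points so that an attack
burst does not become the new normal.
"""
import math

# Constructed series: requests per minute for one virtual host, with a burst at index 19.
REQUEST_RATE = [100, 103, 98, 101, 99, 102, 100, 97, 104, 100,
                101, 99, 100, 102, 98, 100, 101, 99, 100, 900, 100, 101]


def ewma_anomalies(series, alpha=0.3, k=5.0, warmup=5, min_sd=1.0, freeze_on_anomaly=True):
    """Return [(index, value, z_score)] for points more than k sigma from the EWMA baseline.

    alpha   - weight of the newest sample in the running mean/variance
    warmup  - number of leading samples used only to seed the baseline
    min_sd  - floor on the standard deviation so a flat series does not make
              every small change look infinitely anomalous
    """
    if not series:
        return []
    mean, var = float(series[0]), 0.0
    flagged = []
    for i in range(1, len(series)):
        x = series[i]
        dev = x - mean
        sd = max(math.sqrt(var), min_sd)
        z = dev / sd
        if i >= warmup and abs(z) > k:
            flagged.append((i, x, round(z, 1)))
            if freeze_on_anomaly:
                continue  # do not let the anomalous sample pollute the baseline
        # Standard EWMA mean and exponentially weighted variance update.
        var = (1 - alpha) * (var + alpha * dev * dev)
        mean += alpha * dev
    return flagged


if __name__ == "__main__":
    for index, value, z in ewma_anomalies(REQUEST_RATE):
        print(f"minute {index}: {value} req/min, z={z}")
```

The same function applies unchanged to an error-count or latency series. Freezing the baseline on flagged points is a trade-off: it keeps a burst from masking itself (without it, the inflated variance after minute 19 would hide a second burst a few minutes later) but a legitimate, sustained shift in traffic will keep being flagged until the baseline is re-seeded, which is why production detectors pair this with a separate change-point or seasonality model.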
API Endpoint Markup, Behavioral Analysis & Anomalies
- Business markup uses client/server logs and metrics from the VirtualHost to provide API endpoint markup. This includes identifying and tokenizing the dynamic components in the URLs that make up the web application being accessed. Behavioral analysis then generates per-endpoint behavior models, allowing per-request anomaly detection.
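The tokenization step above, as an added worked example (written for this page, not F5's markup engine). Pass 1 replaces segments that are recognisably dynamic (numeric ids, UUIDs, long hex tokens) with tokens; pass 2 goes beyond the text's description and collapses any path position whose value varies widely under the same parent, which catches dynamic segments such as team names that no regex recognises. The log format, the regexes, the `{id}`/`{uuid}`/`{hex}`/`{var}` token names and the cardinality threshold are all assumptions of the example.

```python
"""API endpoint discovery by tokenizing dynamic URL components (added
illustration, not F5 code). Pass 1 is regex-based; pass 2 is a cardinality
heuristic that is an assumption of this example, not the product's algorithm.
"""
import re
from collections import Counter, defaultdict

# Checked in order: most specific pattern first.
DYNAMIC_PATTERNS = [
    ("{uuid}", re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)),
    ("{hex}", re.compile(r"^[0-9a-f]{16,}$", re.I)),
    ("{id}", re.compile(r"^\d+$")),
]

# Constructed access log lines in the form "METHOD PATH STATUS".
ACCESS_LOG = """\
GET /api/users/1042/profile 200
GET /api/users/77/profile 200
POST /api/orders 201
GET /api/orders/5f3a2c1e-9b7d-4e2a-8c3d-1a2b3c4d5e6f 200
GET /api/orders/0c9d8e7f-6a5b-4c3d-9e8f-7a6b5c4d3e2f/items?page=2 200
GET /api/teams/alpha 200
GET /api/teams/beta 200
GET /api/teams/gamma 200
GET /api/teams/delta 200
GET /api/teams/epsilon 200
GET /api/teams/zeta 200
GET /static/app.js 200
"""


def tokenize_path(path):
    """Pass 1: drop the query string and replace recognisably dynamic segments."""
    segments = [s for s in path.split("?", 1)[0].split("/") if s]
    out = []
    for seg in segments:
        for token, rx in DYNAMIC_PATTERNS:
            if rx.match(seg):
                out.append(token)
                break
        else:
            out.append(seg)
    return "/" + "/".join(out)


def collapse_high_cardinality(requests, max_distinct=5):
    """Pass 2: a segment position with more than max_distinct distinct values
    under the same (method, prefix) is treated as dynamic and becomes {var}."""
    split = [(m, tuple(t.strip("/").split("/"))) for m, t in requests]
    children = defaultdict(set)  # (method, prefix) -> set of values seen at the next position
    for method, segs in split:
        for i, seg in enumerate(segs):
            children[(method, segs[:i])].add(seg)
    result = []
    for method, segs in split:
        out = []
        for i, seg in enumerate(segs):
            dynamic = not seg.startswith("{") and len(children[(method, segs[:i])]) > max_distinct
            out.append("{var}" if dynamic else seg)
        result.append((method, "/" + "/".join(out)))
    return result


def discover_endpoints(log_text):
    """Return a Counter of (method, endpoint_template) observed in the log."""
    requests = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        method, path, _status = line.split()
        requests.append((method, tokenize_path(path)))
    return Counter(collapse_high_cardinality(requests))


if __name__ == "__main__":
    for (method, template), count in sorted(discover_endpoints(ACCESS_LOG).items()):
        print(f"{count:3d}  {method} {template}")
```

The endpoint templates this produces are the keys the per-request baseline is learned against; without tokenization every user id would look like a distinct, never-before-seen endpoint. The cardinality threshold is the knob to watch: too low and static resources with many siblings (say, a directory of images) get merged into one endpoint, too high and dynamic segments stay unmerged.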
The following concepts are used for Mesh Application Security features. Click on each one to learn more: