I would also add that the reason to have WAFs is it's faster to adjust firewalls than rewrite an application. If your application has a security flaw, adjusting the firewall to "cover" that "weak spot" so to speak is much easier than fundamentally changing the architecture of your app. As humans we strive for perfection, that's why we have secure code standards and such. But the chase for perfection is without end and the app ultimately needs to be deployed, to perform its function, so it's much more productive to design safe apps to the best of your abilities while being efficient and use WAFs as a frontline defense.
can we just take a moment to appreciate the crazy vizual. You're writing on a glass board (or so it appears) while looking at the cam and it's legibal as we see it in the direct your write which should be mirror reflected. It should look backwards... Great job Cam crew, good job John.
I like this. Being non-tech, i was grappling with the concept. The visual presentation here and the back-to-basics kind of instruction are exactly what i need. THANK YOU👍
I would have liked to see a couple of details about how it works out. Show code/details on how a specific attack is blocked. I see the WAF as being valuable to quickly block off things that are learned until the application can be changed. That seems to go against what I see in the field though, since those who use a WAF often lack the commitment to go fix the core problem in the app later. That is surprising on the one hand, but not when leadership tendencies are considered.
I was about to figure it myself then I saw the t-shirt chest label, fooled myself and said "nah, he must be really writing backwards". So, that's backwards, too? If so, nice touch!
thats great, but how can we know over the network before log activity, whether the user is going to to do un-authorize or authorize activity in the web application
Hi Fawad, thanks for the question. When a user requests a web application, you don't immediately know if they are trying to do something good or bad. This is where the Web Application Firewall comes in and inspects each request and ensures it is a safe request (based on all the signatures of the WAF and the protection capabilities it has), and then only allows the request through if it passes the security checks of the WAF. If the WAF finds something unsafe in the request, then it blocks the request from accessing your web application. It does this for every single request, so even if a user gets logs in properly and then (once they are in) starts to do some bad stuff, the WAF will block as soon as the bad stuff starts happening. I hope this helps...thanks!
Hi, i got two small questions: First how is a WAF setup? Is there a physical instance ahead of the web apps within my network? seconly how does the detection work, is it able to work with complex machine learning models or is the detection of for example XSS signature based? Other than that great video, thanks :)
WAF can be set up in many different configurations. Most common, historically, is to have an appliance in front of applications. The WAF can be a proxy, itself, or scaled horizontally in front of the app being defended. With modern attacks, most customers are shifting to a multi-layered WAF approach, with Distributed Cloud WAAP taking out signature based attacks before a packet even reaches the data center. Inside the data center, AWAF profiles the applications on a per-uri basis, right down to which unicode characters are allowed! It understands what the expected request and response time are for every element on every uri in your app. Some customers also employ NGINX+ w/ Application Protection to proxy in small environments or even to profile East-West inside an application environment that exists underneath the traditional load balancer / WAF or cloud WAF that is northbound in flow. Great question! Thanks for watching!
Generally it does need to terminate and decrypt the traffic to inspect the data. However, if an organization want to send encrypted traffic direct to the server, a WAF can pass that through if configured to do so. Does that answer your question?
@@devcentral yes, it does. The F5 WAF has built-in stuff to decrypt the traffic before evaluating the data or it requires a separate tool like F5 SSLO?
This is good, but you compared a legacy firewall to a WAF, but what about a Next-gen firewall? Next-Gen firewall does Layer 7/Deep packet inspection, so why would I need a WAF if I had a Next-Gen for example? What does the WAF inspect that the Next-Gen doesn't, especially when both can inspect HTTPs? Thank you!
signatures and constraint. Some NGFW have embeded WAF software, but the differences between that WAF and "the real WAF" is the real WAF can do SSL-offload, and it have much deeper settings on signature (i think that focus on 10 OWASP)
Arent most of the firewalls today like Fortigate and Palo Alto claim to be Application level firewall? My question is why the need of WAF separately? do they cost less than standard vm version of layer 1-7 layer firewalls? i have seen in a enterprise network that Fortigate is deployed at Azure acting as a hub and they also have WAF in azure separately.
Great Video, easy to understand. Question, if you only have Web Apps in the cloud, no infrastructure, would deploying a Firewall in front of the WAF be of any use or would this add complexity and new costs?
Well, a WAF generally focuses on http(s) (80/443) traffic so there ight be instances where you'd want a Network Firewall (layer 3 - tcp/udp) to protect that traffic. Some WAFs have network security features and much depends on your infrastructure and where the WAF resides within the network. I know that's not a definitive answer but like with many infrastructure questions, it depends. :-)
Great explanation, but the WAF features you mentioned can also be handled by an NGFW (upto layer 7) as opposed traditional network firewalls (layer3-4). I was hoping you throw a light on the real difference between an NGFW and a WAF.
As I understand NGFW is a package comprising of WAF and IPS/IDS capabilities on a traditional firewall. It is a cost effective solution for SME. At the same time they are prone to single point of failure, having all those features in a single box. For large enterprises, they use separate devices to protect their infrastructure, insuring different layers fo security,
How would you integrate a waf with a typical n/w firewall?? What would be the typical packet flow in that case between the clients and the web app servers?
Here's a good lightboard lesson on the "life of a packet" through the BIG-IP. it doesn't explicitly cover everything you asked, but it can provide additional perspective. and, the answer from Blood Sausage is a good one as well!! ruclips.net/video/qCLEw5xIZ7s/видео.html
El tema es que los firewalls tradicionales ya no se utilizan y fueron reemplazados por los NGFW que trabajan en la capa de aplicaciones... ¿como compararías un WAF vs NGFW?.. Saludos!
Thanks for the comment! It's true that firewalls have come a long way in recent days/years. This video is showing the difference between a WAF and some of the older network firewalls. It's important to have the security functionality discussed in the video, so if a newer firewall can get it done, that's great!
I would also add that the reason to have WAFs is it's faster to adjust firewalls than rewrite an application. If your application has a security flaw, adjusting the firewall to "cover" that "weak spot" so to speak is much easier than fundamentally changing the architecture of your app. As humans we strive for perfection, that's why we have secure code standards and such. But the chase for perfection is without end and the app ultimately needs to be deployed, to perform its function, so it's much more productive to design safe apps to the best of your abilities while being efficient and use WAFs as a frontline defense.
Love this comment.
can we just take a moment to appreciate the crazy vizual. You're writing on a glass board (or so it appears) while looking at the cam and it's legibal as we see it in the direct your write which should be mirror reflected. It should look backwards... Great job Cam crew, good job John.
Thanks for the comment and here's the Behind the Scenes for our Lightboards: ruclips.net/video/U7E_L4wCPTc/видео.html
@@devcentral 👌 Awesome!... I thought John was in boxers for a second... 😆🤣
I like this. Being non-tech, i was grappling with the concept. The visual presentation here and the back-to-basics kind of instruction are exactly what i need. THANK YOU👍
glad you enjoyed it!
AGREED!!!
Great presenter. very simply to follow and easy to listen to.
Glad you lied it and thanks for the comment!
You are a great speaker man.
Appreciate the comment!
I concur with Trevor you present very well and helps "owning the content"✨👍
Sometimes network forensics and security can seem like Romulan..
glad you enjoyed it!
Lovely... Thankyou very much.. Due to your excellent presentation will start my journey to security from today
I'm glad you enjoyed the video!
I would have liked to see a couple of details about how it works out. Show code/details on how a specific attack is blocked.
I see the WAF as being valuable to quickly block off things that are learned until the application can be changed. That seems to go against what I see in the field though, since those who use a WAF often lack the commitment to go fix the core problem in the app later. That is surprising on the one hand, but not when leadership tendencies are considered.
Well explained, thank you!
glad you enjoyed it!
Great explanation! Thank you
Quick question, in general, can WAFs protect against LDAP injections as well?
Hi and thanks for the comment!. The primary defense against LDAP injection is proper input validation and a (competent) WAF should be able to do that.
Great explanation!!! Thank you for your effort.
very simple and to the point video
Glad you enjoyed it!
I am happy about finding this awesome tutorial, thanks a lot
Glad you enjoyed it!
it would be nice if there were subtitles!
agree with u!!!
We'll see what we can do about that and appreciate the comment.
😂😂😂😂😂😂 0:31
😂😂😂😂😂😂 0:36
😂😂😂😂😂😂 0:45 😅
How is he writing backwards? It's hard to stay focused because it's too cool
Thanks for the note! You can see how we do these here: ruclips.net/video/U7E_L4wCPTc/видео.html
Lol, ya there's some video showing how its all done, but don't watch it cause it's so awesome without! lol ;)
i agree, i'm in awe....
I was about to figure it myself then I saw the t-shirt chest label, fooled myself and said "nah, he must be really writing backwards". So, that's backwards, too? If so, nice touch!
It's even cooler that they printed a flipped logo on his polo shirt.
Good content and clear explanation, liked and subscribed, keep them bringing
glad you enjoyed it!
thats great, but how can we know over the network before log activity, whether the user is going to to do un-authorize or authorize activity in the web application
Hi Fawad, thanks for the question. When a user requests a web application, you don't immediately know if they are trying to do something good or bad. This is where the Web Application Firewall comes in and inspects each request and ensures it is a safe request (based on all the signatures of the WAF and the protection capabilities it has), and then only allows the request through if it passes the security checks of the WAF. If the WAF finds something unsafe in the request, then it blocks the request from accessing your web application. It does this for every single request, so even if a user gets logs in properly and then (once they are in) starts to do some bad stuff, the WAF will block as soon as the bad stuff starts happening. I hope this helps...thanks!
F5 DevCentral thank you great insight
Thank you very much for this video.
...and, thank you for the comment! Glad you enjoyed the video!
Great explanation !
Glad you liked it! And, thanks for the comment!
Just want to know is this support for web site security , block sql injection and other attacks
Yes, a WAF (if properly configured) can mitigate those types of attacks.
@@devcentral can you suggest any service for hostgater cpannel
❤😂😂🎉😢😮😅😊
Hi, i got two small questions: First how is a WAF setup? Is there a physical instance ahead of the web apps within my network?
seconly how does the detection work, is it able to work with complex machine learning models or is the detection of for example XSS signature based?
Other than that great video, thanks :)
WAF can be set up in many different configurations. Most common, historically, is to have an appliance in front of applications. The WAF can be a proxy, itself, or scaled horizontally in front of the app being defended. With modern attacks, most customers are shifting to a multi-layered WAF approach, with Distributed Cloud WAAP taking out signature based attacks before a packet even reaches the data center. Inside the data center, AWAF profiles the applications on a per-uri basis, right down to which unicode characters are allowed! It understands what the expected request and response time are for every element on every uri in your app. Some customers also employ NGINX+ w/ Application Protection to proxy in small environments or even to profile East-West inside an application environment that exists underneath the traditional load balancer / WAF or cloud WAF that is northbound in flow.
Great question! Thanks for watching!
Backward writing understood but did you design the tshirt with mirror images as well?
Hi. We had shirts made with the logos reversed. :-)
Awesome explanation! Keep up the great work.
glad you enjoyed it!
Amazing explanation!Thanks.
glad you enjoyed it!
This is so amazing! What a great resource :)
glad you enjoy the videos!
Hi John. Great video. What about the behavior of a WAF with HTTPS? Does it work properly without SSL inspection or does it need an open traffic? Tnks.
Generally it does need to terminate and decrypt the traffic to inspect the data. However, if an organization want to send encrypted traffic direct to the server, a WAF can pass that through if configured to do so. Does that answer your question?
@@devcentral yes, it does. The F5 WAF has built-in stuff to decrypt the traffic before evaluating the data or it requires a separate tool like F5 SSLO?
@@wramarante The WAF can decrypt. SSL Orchestrator can too depending on your infrastructure.
Really good explanation. Thanks a lot
glad you enjoyed it!
When he's talking about layers 3 and 4, is he referencing the OSI model?
Yes he is. thanks for the comment!!
@@devcentral Thanks for the quick reply!
man just started writing mirror alphabets.... he's in different league 🔥
this is how we do the Lightboard Lessons: ruclips.net/video/U7E_L4wCPTc/видео.html
@@TopTechTalent damn!!
Love your videos guys! Would basic WAF theory like this still be relevant in 2022? I know a lot of knowledge in IT Security changes day by day!
We think so but WAFs are moving more toward WAAP - Web Application & API Protection. So, still protecting websites plus, API calls. Hope that helps!
Oh WAAP sounds interesting! Look forward to your lightboard lesson on that one day!
thank you !! you're a great teacher :)
Thanks Trevor...glad you enjoyed the video!
This is good, but you compared a legacy firewall to a WAF, but what about a Next-gen firewall?
Next-Gen firewall does Layer 7/Deep packet inspection, so why would I need a WAF if I had a Next-Gen for example? What does the WAF inspect that the Next-Gen doesn't, especially when both can inspect HTTPs? Thank you!
signatures and constraint. Some NGFW have embeded WAF software, but the differences between that WAF and "the real WAF" is the real WAF can do SSL-offload, and it have much deeper settings on signature (i think that focus on 10 OWASP)
awesome explanation!!!
Glad you enjoyed it!
Super video.Thank you.
glad you enjoyed it!
Arent most of the firewalls today like Fortigate and Palo Alto claim to be Application level firewall? My question is why the need of WAF separately? do they cost less than standard vm version of layer 1-7 layer firewalls? i have seen in a enterprise network that Fortigate is deployed at Azure acting as a hub and they also have WAF in azure separately.
Are you left handed??
Do you write in lateral inverted style??
Is your T-shirt having an inverted text ??
We made a video to explain it all :) ruclips.net/video/U7E_L4wCPTc/видео.html
Ahh!! The Tshirt has inverted text
Great Video, easy to understand. Question, if you only have Web Apps in the cloud, no infrastructure, would deploying a Firewall in front of the WAF be of any use or would this add complexity and new costs?
Well, a WAF generally focuses on http(s) (80/443) traffic so there ight be instances where you'd want a Network Firewall (layer 3 - tcp/udp) to protect that traffic. Some WAFs have network security features and much depends on your infrastructure and where the WAF resides within the network. I know that's not a definitive answer but like with many infrastructure questions, it depends. :-)
Great video !!!! Clear explain thank you
I'm glad you enjoyed it!
"ack el" that's the first time I have heard ACL pronounced like that :D
writing backwards?
camera is facing a mirror
Great video - but I have a question. Is he writing backwards? Or is the video just reversed? It's magic!
Thanks for the comment! One we get often. ;-) Here's how we produce these: ruclips.net/video/U7E_L4wCPTc/видео.html
@@devcentral thanks! I guessed right! Its really effective!
Isn't this supposed to be handled in the l7 reverse proxy ?
Awesome explanation
glad you enjoyed it!
Hi
Do you have plans to produce a Lightboard for 'Advanced WAF' in the near future?
yes we do! stay tuned...it's coming out in the next couple of weeks
Here's the Advanced WAF Lightboard: ruclips.net/video/HBbDKBV4QW0/видео.html
Great explanation, but the WAF features you mentioned can also be handled by an NGFW (upto layer 7) as opposed traditional network firewalls (layer3-4). I was hoping you throw a light on the real difference between an NGFW and a WAF.
As I understand NGFW is a package comprising of WAF and IPS/IDS capabilities on a traditional firewall. It is a cost effective solution for SME. At the same time they are prone to single point of failure, having all those features in a single box. For large enterprises, they use separate devices to protect their infrastructure, insuring different layers fo security,
How would you integrate a waf with a typical n/w firewall??
What would be the typical packet flow in that case between the clients and the web app servers?
Here's a good lightboard lesson on the "life of a packet" through the BIG-IP. it doesn't explicitly cover everything you asked, but it can provide additional perspective. and, the answer from Blood Sausage is a good one as well!!
ruclips.net/video/qCLEw5xIZ7s/видео.html
Tamir Zuhair
What are you using for writing like this?
You can see how we do this: ruclips.net/video/U7E_L4wCPTc/видео.html
I hope I will get judgement about this..tnk u very much..
El tema es que los firewalls tradicionales ya no se utilizan y fueron reemplazados por los NGFW que trabajan en la capa de aplicaciones... ¿como compararías un WAF vs NGFW?.. Saludos!
My certificate is been used by one company and made server so how could u help me regarding this
Are there hardware WAF’s you can buy of is this something you have to download or program in?
F5's WAF is available in many difference packages, you can reference here: www.f5.com/products/security/advanced-waf.
inverted writing technique?
Behind the Scenes: ruclips.net/video/U7E_L4wCPTc/видео.html
Great...thanks a lot..😊😊
glad you enjoyed it!
You comparing WAF VS very old firewall !
You should compared with NG firewalls.
Thanks for the comment! It's true that firewalls have come a long way in recent days/years. This video is showing the difference between a WAF and some of the older network firewalls. It's important to have the security functionality discussed in the video, so if a newer firewall can get it done, that's great!
thank you
Glad you enjoyed the video!
I like his reversed logo shirt
he is writing with his right hand actually
Highness of your writing skills.....lefty smoothly write
Qgm group LLC,is made server using my ISO, finger print,headscan, so what security is given by the government, or security Buro
thanks
We appreciate the comment!
Well Explained
Gud work
Dude is Davinci writing with left hand backwards
thanks for the comment and this is how we produce these: ruclips.net/video/U7E_L4wCPTc/видео.html
não entendi nada
firewall takes care only layer3-4, that is in stone age.
733 Libbie Lane
Shirt blends it with background and arms appear independent of body. Makes hard to focus.
you are SO cute.
i bet you'd like to flood some of his ports with http requests but i am sure he's employing an intrusion prevention system
i want this chinese vision
Kuphal Tunnel
This video is filled with filler, and technical jargon. I bet 90% of viewers still don't understand what a WAF does.
Gislason Harbors
FLE HOUSE HAS FOUND ITS NEW HOST.
Nina Orchard
Hammes Extension
Kuhic Knolls
Dickens Run
579 Telly View
4441 Turcotte Lock
Gaylord Ways
0939 Hayes Shores
Yang milih allah like 800 ya yang milih dajal abaikan saja
Great explanation ! Thank you ...
glad you enjoyed it!
Very well explained... thank you!