Applies To:

Show Versions Show Versions

Manual Chapter: Introducing the BIG-IP Protocol Security
Manual Chapter
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

F5 Networks BIG-IP® system is a port-based, multilayer switch that supports virtual local area network (VLAN) technology. Because hosts within a VLAN can communicate at the data-link layer (Layer 2), a BIG-IP system reduces the need for routers and IP routing on the network. This in turn reduces equipment costs and boosts overall network performance. At the same time, the BIG-IP systems multilayer capabilities enable the system to process traffic at other OSI layers. The BIG-IP system can perform IP routing at Layer 3, as well as manage and secure TCP, UDP, and other application traffic at Layers 4 through 7. The following software modules provide comprehensive traffic management and security for all traffic types. The modules are fully integrated to provide efficient solutions to meet any network, traffic management, and security needs.
BIG-IP Protocol Security Module
The Protocol Security Module provides an additional layer of network security for your application-layer local traffic. The Protocol Security Module inspects FTP, HTTP and SMTP traffic for common network vulnerabilities, and protocol compliance. Full compatibility and integration with F5 Networks TMOS architecture simplifies deployment with BIG-IP Local Traffic Manager.
BIG-IP Local Traffic Manager
The BIG-IP system includes local traffic management features that help you make the most of network resources such as web servers. Using the powerful Configuration utility, you can customize the way that the BIG-IP system processes specific types of protocol and application traffic. By using features such as virtual servers, server pools, profiles, and iRulesTM, you ensure that traffic passing through the BIG-IP system is processed quickly and efficiently, while meeting all of your security needs. For more information, see the Configuration Guide for BIG-IP® Local Traffic Management.
BIG-IP Application Security Manager
The Application Security Manager provides web application protection from application-layer attacks. The Application Security Manager protects Web applications from both generalized and targeted application layer attacks, including buffer overflow, SQL injection, cross-site scripting, and parameter tampering. Application Security Manager also integrates all of the functionality of the Protocol Security Module, for an additional layer of security. For more information, refer to the Configuration Guide for BIG-IP® Application Security Management.
Integrated platform guaranteeing the delivery of secure application traffic
Built on F5 Networks award-winning TMOS architecture, the BIG-IP Protocol Security Module is fully integrated with the BIG-IP Local Traffic Manager.
Integrated, simplified management
The browser-based Configuration utility provides network device configuration, centralized defense configuration management, and easy-to-read reports.
Application-layer security for common network protocols
The Protocol Security Module provides security checks and validation for the HTTP, FTP, and SMTP protocols.
Fully-supported upgrade path to BIG-IP Application Security Manager for HTTP application security
For customers who want more application-level security for HTTP and HTTPS web applications, a built-in migration tool fully upgrades the Protocol Security Module configuration to the BIG-IP Application Security Manager configuration. If you are interested in purchasing the upgrade, please contact your sales representative.
The Configuration Guide for the BIG-IP® Protocol Security Module contains configuration information for setting up security profiles and associating them with local traffic virtual servers, setting up remote logging, and security and traffic statistics.
FTP security profile
The FTP security profile defines the type of security checks that the Protocol Security Module performs on FTP traffic. For information on working with the FTP security profile, see Chapter 2, Configuring Security for FTP Traffic.
HTTP security profile
The HTTP security profile defines the type of security checks that the Protocol Security Module performs on HTTP traffic. For information on working with the HTTP security profile, see Chapter 3, Configuring Security for HTTP Traffic.
SMTP security profile
The SMTP security profile defines the type of security checks that the Protocol Security Module performs on SMTP traffic. For information on working with the SMTP security profile, see Chapter 4, Configuring Security for SMTP Traffic.
Remote logging configuration
By default, the Protocol Security Module retains logging information in memory instead of writing to disk. For users who want to retain a higher volume of log data, the system provides a remote logging configuration. For information on setting up remote logging, see Configuring remote logging.
Violation statistics and traffic reports
The Protocol Security Module provides violation data and traffic reports, on a per security profile basis, for the traffic that the module inspects. For information on the violations and traffic statistics for the security profiles, see the relevant chapter for that security profile.
Important: For detailed information on configuring the local traffic objects, refer to the Configuration Guide for BIG-IP® Local Traffic Management, which is available in the AskF5SM Knowledge Base,
The Configuration utility is the browser-based graphical user interface for the BIG-IP system. In the Configuration utility, the Main tab provides access to the Protocol Security Module configuration objects, as well as the network, system, and local traffic configuration objects. The Help tab contains context-sensitive online help for each screen.
Figure 1.1 shows the Welcome screen of the Configuration utility.
The identification and messages area
The identification and messages area of the Configuration utility is the screen region that is above the navigation pane, the menu bar, and the body. In this area, you find the system identification, including the host name, and management IP address. This area is also where certain system messages display, for example Activation Successful, which appears after a successful licensing process.
The navigation pane
The navigation pane, on the left side of the screen, contains the Main tab, the Help tab, and, the Search tab. The Main tab provides links to the major configuration objects. The Help tab provides context-sensitive help for each screen in the Configuration utility. The Search tab provides a quick way to locate local traffic objects.
The menu bar
The menu bar, which is below the identification and messages area, and above the body, provides links to the additional configuration objects within each major object.
The body
The body is the screen area where the configuration settings display.
In the Advanced Firewall section of the navigation pane, the first time you click an object with the link icon (), the Configuration utility opens a second browser session that contains only Protocol Security Module configuration objects. To differentiate between the two instances, next to the F5 logo in the identification and messages area, you see either BIG-IP® or Application Security. In this document, we refer to the navigation pane of the BIG-IP Configuration utility as simply the navigation pane. We refer to the navigation pane for the Application Security Configuration utility as the Application Security navigation pane.
Microsoft® Internet Explorer, version 5.0, 5.5, and 6.0
Note: For the most current list of the supported browsers for the Configuration utility, refer to the current release note on the AskF5SM Knowledge Base web site,
To help you easily identify and understand certain types of information, this documentation uses the following stylistic conventions.
All examples in this documentation use only private IP addresses. When you set up the configurations we describe, you must use IP addresses suitable to your own network in place of our sample IP addresses.
When we first define a new term, the term is shown in bold italic text. For example, a security profile is a BIG-IP configuration tool that contains settings specific to securing network traffic.
We refer to all products in the BIG-IP product family as BIG-IP systems. We refer to the software modules by their name, for example, we refer to the Local Traffic Manager module as simply the Local Traffic Manager. If configuration information relates to a specific hardware platform, we note the platform.
We apply bold text to a variety of items to help you easily pick them out of a block of text. These items include web addresses, IP addresses, utility names, most controls in the Configuration utility, and portions of commands, such as variables and keywords. For example, click the Apply Policy button to make the security policy active.
We use italic text to denote a reference to another document or section of a document. We use bold, italic text to denote a reference to a book title. For example, you can find information about local traffic virtual servers in the Configuring Virtual Servers chapter, in the Configuration Guide for BIG-IP® Local Traffic Management.
We show actual, complete commands in bold Courier text. Note that we do not include the corresponding screen prompt, unless the command is shown in a figure that depicts an entire command line screen. Table 1.1 explains additional special conventions used in command line syntax.
Online help for Protocol Security Module components
The Configuration utility has online help for each screen. The online help contains descriptions of each control and setting on the screen. Click the Help tab in the left navigation pane to view the online help for a screen.
Welcome screen in the Configuration utility
The Welcome screen in the Configuration utility contains links to many useful web sites and resources, including the AskF5SM Knowledge Base, the F5 Solution Center, the F5 DevCentral web site, plug-ins, SNMP MIBs, and SSH clients.
F5 Networks Technical Support web site
The F5 Networks Technical Support web site,, provides the latest documentation for the product, including:
Configuration Guide for BIG-IP® Local Traffic Management
The AskF5SM Knowledge Base
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

Was this resource helpful in solving your issue?

NOTE: Please do not provide personal information.

Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)