
BIG-IP

v9 Series

Datasheet
Application Security Manager

BIG-IP Application Security Manager™

Delivering Next Generation Application Security

The BIG-IP Application Security Manager (ASM) delivers the industry's
foremost comprehensive application delivery security solution with the
option to deliver both application delivery and security together in one
single platform.

The ASM provides application layer protection from both targeted and
generalized application attacks to ensure that applications are always
available and performing optimally.

BIG-IP 8800

BIG-IP 6800

Physical Specifications

8800 Series
8400 Series
6800 Series
6400 Series

Processor: Dual CPU, Dual Core (4 Processors)
Processor: Dual CPU
Processor: Dual CPU
Processor: Dual CPU

Base Memory: 2 GB
Base Memory: 2 GB
Base Memory: 2 GB
Base Memory: 4 GB

ASIC: Packet Velocity ASIC 10
ASIC: Packet Velocity ASIC 2
ASIC: Packet Velocity ASIC 2
ASIC: Packet Velocity ASIC 10

Gigabit Ethernet CU Ports: 12 (Copper or Fiber)
Gigabit CU Ports: 16
Gigabit CU Ports: 16

10-Gigabit Fiber Ports: 2 (XFP pluggable optics)
Gigabit Fiber Ports (SFPGBIC Mini): 4 (2 standard, 2 optional)
Gigabit Fiber Ports (SFPGBIC Mini): 4 (2 standard, 2 optional)

Included SSL TPS/Max TPS/Bulk Crypto: 100/22,000/2.5 Gbps
Included SSL TPS/Max TPS/Bulk Crypto: 100/20,000/2 Gbps
Included SSL TPS/Max TPS/Bulk Crypto: 100/15,000/2 Gbps

Traffic Throughput: 10 Gbps
Traffic Throughput: 4 Gbps
Traffic Throughput: 2 Gbps

Available Hardware Option: Hardware Compression* (2 Gbps); FIPS Processing** (7,000 TPS and 1.5 Gbps SSL Throughput)
Available Hardware Option: Hardware Compression* (2 Gbps); FIPS Processing** (7,000 TPS and 1.5 Gbps SSL Throughput)
Available Hardware Option: Hardware Compression* (2 Gbps); FIPS Processing** (7,000 TPS and 1 Gbps SSL Throughput)

Input Voltage: 90-240VAC +/- 10%; 36-72VDC (optional); 90-132 9A; 180-264 4A
Input Voltage: 90-240VAC +/- 10%; 90-132 9A; 180-264 4A
Input Voltage: 90-240VAC +/- 10%; 36-72VDC (optional); 90-132 9A; 180-264 4A

Gigabit Ethernet CU Ports: 12 (Copper or Fiber)
10-Gigabit Fiber Ports: 2 (XFP pluggable optics)
Included SSL TPS/Max TPS/Bulk Crypto: 100/48,000/6 Gbps
Traffic Throughput: 10 Gbps L4; 8 Gbps L7
Hardware Compression: 6 Gbps
Input Voltage: 90-240VAC +/- 10%; 90-132 9A; 180-264 4A

Key Benefits:

Advanced Security: The ASM provides protection for
emerging technologies. It can inspect and protect XML,
JavaScript, Flash, and FTP, and protect against evasion
attacks.

Guaranteed Delivery: The ICSA-certified BIG-IP
Application Security Module identifies, isolates,
and blocks sophisticated attacks without impacting
legitimate application transactions.

Groundbreaking Performance and Scalability: The
ASM is the fastest web application firewall on the market,
with up to 9x improvement in performance. With a
new level of integration with TMOS, the ASM delivers
application delivery optimizations such as compression,
cache, and TCP optimizations.

Zero Day Defense: Unlike traditional signature
inspection methods, the ASM uses a bi-directional
heuristic security model to protect against entire
classes of HTTP and HTTPS-based threats (both known
and unknown) rather than just guarding against a
limited list of known attacks. This solution works in live
production, dynamic environments.

F5 Networks, Inc.
Corporate Headquarters
401 Elliott Avenue West
Seattle, WA 98119
(206) 272-5555 Voice
(888) 88BIGIP Toll-free
(206) 272-5556 Fax
www.f5.com
info@f5.com

F5 Networks
Asia-Pacific
+65-6533-6103 Voice
+65-6533-6106 Fax
info.asia@f5.com

F5 Networks Ltd.
Europe/Middle-East/Africa
+44 (0) 1932 582 000 Voice
+44 (0) 1932 582 001 Fax
emeainfo@f5.com

F5 Networks
Japan K.K.
+81-3-5114-3200 Voice
+81-3-5114-3201 Fax
info@f5networks.co.jp

Part No. DS-BIG-IP_ASM 1007

Granular Control: With the ASM, signature and pattern
inspection can optionally be deployed on an as-needed
basis to augment firewalls and IPS system defenses,
guarding against network protocol attacks that are
beyond the boundaries of those systems. The powerful
adaptive learning and tuning mechanism reduces the
administrative overhead of policy definitions.

© 2007 F5 Networks, Inc. All rights reserved. F5, F5 Networks, the F5 logo, BIG-IP, FirePass, and iControl are trademarks or registered trademarks of F5 Networks, Inc. in the U.S. and in certain other countries.

Detailed Statistics and Forensic Information: The
ASM can record a wealth of application transaction
and event information in its logs, which are invaluable
for analyzing application behavior and recognizing/
preventing illegitimate user behavior.

Plug and Protect: The ASM on the BIG-IP's TMOS
architecture is easily nested in a company's web
infrastructure. Once installed, the module's automated
learning mechanism quickly and accurately builds
security policies tailored to the unique requirements of
the applications it protects, dramatically reducing policy
management and manual configuration duties.

Together, you get a complete, robust solution that reduces box clutter,
lowers maintenance and management costs, and provides a new level of
proactive application protection while ensuring exceptional application
performance.

Comprehensive and Integrated Application Delivery Security

With the increase in application traffic moving to the web, more and more
sensitive customer data is exposed to new threats that most current security
systems cannot prevent. The BIG-IP Application Security Manager significantly
reduces the risk of loss or damage to data, intellectual property, and web
applications, protecting an organization's brand equity and reputation while
offering additional benefits.

Proactive Protection Against Identity Theft
The ASM ensures the industry's most comprehensive protection of identity
information (credit card numbers, bank accounts, etc.) by controlling access
to this information as part of every HTTP request/response.

Payment Card Industry Data Security Standard (PCI DSS)
Achieve PCI DSS compliance through an integrated Application Delivery and
Security Solution. The ASM provides a flexible and less expensive alternative
to annual code reviews.

Lower Application Development Cost
Without adequate protection around their applications, developers are
forced to scour their applications for security holes, and hard-code plugs
for them. Application scanners can detect some of these holes, but rigorous
code review and rewriting is always necessary. With the ASM, developers
can focus on the rapid deployment of new applications and functionality,
knowing that their code is sitting behind a powerful security perimeter.

Reduce Remediation Costs
In addition to the costs of attacks themselves, companies incur extensive
costs associated with responding to the attack and repairing the damage.
This response is not limited to the IT department; it can also involve public
relations, brand image, litigation, and even regulatory costs. The ASM stops
attacks before they can do any type of harm.

Easily Quantified Return on Investment
Combining web application security with the BIG-IP application traffic
management system gives you the tools to shorten deployment time, simplify
infrastructure design, and reduce overall costs related to security enforcement,
attack damage, and damage response.

The Performance and Flexibility of TMOS

At the heart of ASM is the TMOS, an intelligent, modular, and
scalable foundation for quickly adapting to future business
challenges and streamlining management duties. TMOS
enhances every function riding on top of ASM, delivering
insight, flexibility, and control while empowering you to
intelligently protect your web applications.
• Eliminates the trade-off between operational efficiency and holistic security
• Helps reduce box clutter
• Enables the deployment of strong yet economically viable security postures
• Delivers pre-configured, tested application policies for industry-standard applications including Microsoft SharePoint, OWA, Oracle, and SAP
• Delivers a centralized, bi-directional security model that adapts to changing threats
• Offers a seamless upgrade path for today and tomorrow

TMOS Fast Application Proxy
TMOS allows BIG-IP to serve as a full proxy for traffic passing
through it to and from the servers in the data center. This
capability enables BIG-IP to understand the content of
applications and make decisions based on complex rules
associated with a specific application. It can also intelligently
alter the content as needed to provide increased security and
deliver functions that would otherwise require a change in the
application itself.

Comprehensive Protection Against External Threats
The BIG-IP Application Security Manager enhances BIG-IP's robust
application traffic management through secure
application layer filtering, resulting in best-in-class security
technology on a powerful traffic management platform. The
result is a complete, flexible, easy to manage web application
security solution.

The Application Security Manager provides:

Bi-directional heuristic security protection against targeted attacks:
• Adaptive Learning and Tuning engine
• Pre-configured and tested industry standard security policies
• Manipulation of invalidated input
• Broken access control (Forceful Browsing)
• Buffer overflow
• Cross-site scripting
• SQL/OS injection
• Cookie poisoning
• HTTP request smuggling

Selective signature recognition attack filters protect globally against:
• Automated denial of service attacks
• Known worms and vulnerabilities
• Requests for restricted object and file types
• Other known exploits

Cloaking:
• Prevent OS and web server fingerprinting
• Conceal any HTTP error messages from users
• Remove application error messages from pages sent to users
• Prevent leakage of server code

Additional network security services:
• SSL accelerator
• IP/Port filtering
• Reverse proxy
• Key management and failover handling
• SSL termination and re-encryption to web servers

Advanced Security Functionality:
• XML firewall
• FTP security
• Evasion attack protection

Universal Inspection Engine

The TMOS incorporates a new version of F5's Universal
Inspection Engine to provide unprecedented control over how
to handle application traffic in real time within the application
transaction or flow. BIG-IP is the key control point for addressing
and solving diverse application delivery issues at network
speeds.

Input Manipulation/Parameter Tampering
In today's world, web applications solicit input from users and
base future decisions on that input. Until the input leaves the
user's machine, it is susceptible to manipulation either by the
user or by any malicious code on the client. If that input is not
validated before the application consumes it, the application
may be vulnerable along any point of the decision tree. The
ASM protects against these types of attacks by validating all
accessible and hidden parameter data against known user state
and application flow information.

Broken Access Control/Deep Linking (Forceful Browsing)

Although publicly available, not every part of a web application
is meant to be accessible by the general public. URL browsing
attacks, such as modifying path and directory names within the
URL, or opening up private areas to crawlers (Google Hacking),
are very common attacks against an application's architecture.
Users who are familiar with the application can often guess or
detect where to forcefully point their browser, or even modify
clear access rights within a cookie to grant access to known
forbidden locations.
The ASM can protect against these breaches based on its
comprehensive understanding of the user interaction with the
web application and a firm understanding of the user context
and state during a browsing session.

Zero Day Defense
Utilizing a positive security model, ASM allows only known,
acceptable traffic through rather than simply analyzing and
blocking known attack signatures. Devices relying on a known
list of signature attacks cannot defend against targeted attacks
involving a malicious user seeking vulnerabilities unique to
a particular application. The BIG-IP and Application Security
Module's purpose-built hardware and patent-pending software
detect and mitigate patternless exploits in real time, adding
accurate, complementary protection to existing firewalls and IDS
devices, which cannot efficiently address HTTP and HTTPS-borne
threats.

Cloaking/Reverse Proxy
The ASM hides your web infrastructure so that hackers can't
tell which servers you're running on your network. It strips out
identifying OS and web server information (such as version
strings, messages, signatures, and fingerprinting) from message
headers, conceals any HTTP error messages from users, and
removes application error messages from pages sent to users
while checking to ensure no server code or private HTML
comments leak out onto public web pages. Working as a reverse
proxy, the ASM provides SSL acceleration, termination, and
re-encryption to web servers, SSL key management, load balancing,
and failover handling.
