configuration guide for big-ip application security manager 11.4.1

Configuration Guide for BIG-IP ® Application Security Manager version 11.4 MAN-0283-07

Upload: valentin-tobi

Post on 02-Oct-2015


  • Configuration Guide for BIG-IP Application Security Manager

    version 11.4

    MAN-0283-07

  • Product Version: This manual applies to product version 11.4 of the BIG-IP Application Security Manager.

    Publication Date: This manual was published on May 15, 2013.

    Legal Notices

    Copyright: Copyright 2013, F5 Networks, Inc. All rights reserved. F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5 assumes no responsibility for the use of this information, nor any infringement of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent, copyright, or other intellectual property right of F5 except as specifically described by applicable user licenses. F5 reserves the right to change specifications at any time without notice.

    Trademarks: Access Policy Manager, Acceleration Manager, Advanced Client Authentication, Advanced Routing, APM, Application Security Manager, ARX, AskF5, ASM, BIG-IP, BIG-IQ, Cloud Extender, CloudFucious, Cloud Manager, Clustered Multiprocessing, CMP, COHESION, Data Manager, DevCentral, DevCentral [DESIGN], DNS Express, DSC, DSI, Edge Client, Edge Gateway, Edge Portal, ELEVATE, EM, Enterprise Manager, ENGAGE, F5, F5 [DESIGN], F5 Management Pack, F5 Networks, F5 World, Fast Application Proxy, Fast Cache, FirePass, Global Traffic Manager, GTM, GUARDIAN, IBR, Intelligent Browser Referencing, Intelligent Compression, IPv6 Gateway, iApps, iControl, iHealth, iQuery, iRules, iRules OnDemand, iSession, IT agility. Your way., L7 Rate Shaping, LC, Link Controller, Local Traffic Manager, LTM, Message Security Module, MSM, OneConnect, OpenBloX, OpenBloX [DESIGN], Packet Velocity, Policy Enforcement Manager, PEM, Protocol Security Manager, PSM, Real Traffic Policy Builder, Rosetta Diameter Gateway, ScaleN, Signaling Delivery Controller, SDC, SSL Acceleration, StrongBox, SuperVIP, SYN Check, TCP Express, TDR, TMOS, Traffic Management Operating System, Traffix Diameter Load Balancer, Traffix Systems, Traffix Systems (DESIGN), Transparent Data Reduction, UNITY, VAULT, VIPRION, vCMP, virtual Clustered Multiprocessing, WA, WAN Optimization Inc., in the U.S. and other countries, and may not be used without F5's express written consent.

    All other product and company names herein may be trademarks of their respective owners.

    Patents: This product may be protected by U.S. Patent 6,311,278. This list is believed to be current as of May 15, 2013.

    Export Regulation Notice: This product may include cryptographic software. Under the Export Administration Act, the United States government may consider it a criminal offense to export this product from the United States.

    RF Interference Warning: This is a Class A product. In a domestic environment this product may cause radio interference, in which case the user may be required to take adequate measures.

    FCC Compliance: This equipment has been tested and found to comply with the limits for a Class A digital device pursuant to Part 15 of FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This unit generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user, at his own expense, will be required to take whatever measures may be required to correct the interference. Any modifications to this device, unless expressly approved by the manufacturer, can void the user's authority to operate this equipment under part 15 of the FCC rules.

    Canadian Regulatory Compliance: This Class A digital apparatus complies with Canadian ICES-003.

    Standards Compliance: This product conforms to the IEC, European Union, ANSI/UL and Canadian CSA standards applicable to Information Technology products at the time of manufacture.

    Acknowledgments:
    This product includes software developed by Bill Paul.
    This product includes software developed by Jonathan Stone.
    This product includes software developed by Manuel Bouyer.
    This product includes software developed by Paul Richards.
    This product includes software developed by the NetBSD Foundation, Inc. and its contributors.
    This product includes software developed by the Politecnico di Torino, and its contributors.
    This product includes software developed by the Swedish Institute of Computer Science and its contributors.
    This product includes software developed by the University of California, Berkeley and its contributors.
    This product includes software developed by the Computer Systems Engineering Group at the Lawrence Berkeley Laboratory.
    This product includes software developed by Christopher G. Demetriou for the NetBSD Project.
    This product includes software developed by Adam Glass.
    This product includes software developed by Christian E. Hopps.
    This product includes software developed by Dean Huxley.
    This product includes software developed by John Kohl.
    This product includes software developed by Paul Kranenburg.
    This product includes software developed by Terrence R. Lambert.
    This product includes software developed by Philip A. Nelson.
    This product includes software developed by Herb Peyerl.
    This product includes software developed by Jochen Pohl for the NetBSD Project.
    This product includes software developed by Chris Provenzano.
    This product includes software developed by Theo de Raadt.
    This product includes software developed by David Muir Sharnoff.
    This product includes software developed by SigmaSoft, Th. Lockert.
    This product includes software developed for the NetBSD Project by Jason R. Thorpe.
    This product includes software developed by Jason R. Thorpe for And Communications, http://www.and.com.
    This product includes software developed for the NetBSD Project by Frank Van der Linden.
    This product includes software developed for the NetBSD Project by John M. Vinopal.
    This product includes software developed by Christos Zoulas.
    This product includes software developed by the University of Vermont and State Agricultural College and Garrett A. Wollman.
    In the following statement, "This software" refers to the Mitsumi CD-ROM driver: This software was developed by Holger Veit and Brian Moore for use with "386BSD" and similar operating systems. "Similar operating systems" includes mainly non-profit oriented systems for research and education, including but not restricted to "NetBSD," "FreeBSD," "Mach" (by CMU).

    This product includes software developed by the Apache Group for use in the Apache HTTP server project (http://www.apache.org/).

    This product includes software licensed from Richard H. Porter under the GNU Library General Public License (© 1998, Red Hat Software), www.gnu.org/copyleft/lgpl.html.
    This product includes the standard version of Perl software licensed under the Perl Artistic License (© 1997, 1998 Tom Christiansen and Nathan Torkington). All rights reserved. You may find the most current standard version of Perl at http://www.perl.com.
    This product includes software developed by Jared Minch.
    This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
    This product includes cryptographic software written by Eric Young ([email protected]).
    This product contains software based on oprofile, which is protected under the GNU Public License.
    This product includes RRDtool software developed by Tobi Oetiker (http://www.rrdtool.com/index.html) and licensed under the GNU General Public License.
    This product contains software licensed from Dr. Brian Gladman under the GNU General Public License (GPL).
    This product includes software developed by the Apache Software Foundation (http://www.apache.org).
    This product includes Hypersonic SQL.
    This product contains software developed by the Regents of the University of California, Sun Microsystems, Inc., Scriptics Corporation, and others.
    This product includes software developed by the Internet Software Consortium.
    This product includes software developed by Nominum, Inc. (http://www.nominum.com).
    This product contains software developed by Broadcom Corporation, which is protected under the GNU General Public License.
    This product includes the Zend Engine, freely available at http://www.zend.com.
    This product contains software developed by NuSphere Corporation, which is protected under the GNU Lesser General Public License.
    This product contains software developed by Erik Arvidsson and Emil A Eklund.
    This product contains software developed by Aditus Consulting.
    This product contains software developed by Dynarch.com, which is protected under the GNU Lesser General Public License, version 2.1 or above.
    This product contains software developed by MaxMind LLC, and is protected under the GNU Lesser General Public License, as published by the Free Software Foundation.
    This product contains software developed by InfoSoft Global (P) Limited.
    This product includes software written by Steffen Beyer and licensed under the Perl Artistic License and the GPL.
    This product includes software written by Makamaka Hannyaharamitu © 2007-2008.


  • Table of Contents


    1 Introducing the Application Security Manager

    Overview of the BIG-IP Application Security Manager ..... 1-1
    Summary of the Application Security Manager features ..... 1-1
    Configuration guide summary ..... 1-2
    Getting started with the user interface ..... 1-3
    Finding help and technical support resources ..... 1-4

    2 Building a Security Policy Automatically

    Overview of automatic policy building ..... 2-1
    Configuring general policy building settings ..... 2-2
    Changing the policy type ..... 2-2
    Configuring explicit entities learning ..... 2-5
    Adjusting the parameter level ..... 2-6
    Configuring automatic policy building ..... 2-7
    Configuring automatic policy building settings ..... 2-7
    Configuring advanced automatic policy building settings ..... 2-9
    Modifying security policy elements ..... 2-9
    Modifying automatic policy building rules ..... 2-11
    Modifying the list of trusted IP addresses ..... 2-16
    Modifying automatic policy building options ..... 2-18
    Restoring default values for automatic policy building ..... 2-22
    Viewing the automatic policy building status ..... 2-23
    Stopping and starting automatic policy building ..... 2-26
    Using automatic policy building with device management ..... 2-27
    Viewing automatic policy building logs ..... 2-27

    3 Manually Configuring Security Policies

    Understanding security policies ..... 3-1
    Creating security policies ..... 3-1
    Editing an existing security policy ..... 3-2
    Configuring security policy properties ..... 3-3
    Changing the security policy description ..... 3-3
    Configuring the enforcement mode ..... 3-3
    Configuring the enforcement readiness period ..... 3-6
    Enabling or disabling staging for attack signatures ..... 3-7
    Viewing whether a security policy is case-sensitive ..... 3-7
    Differentiating between HTTP and HTTPS URLs ..... 3-8
    Configuring the maximum HTTP header length ..... 3-9
    Configuring the maximum cookie header length ..... 3-9
    Configuring the allowed response status codes ..... 3-10
    Configuring dynamic session IDs in URLs ..... 3-11
    Activating iRule events ..... 3-12
    Configuring trusted XFF headers ..... 3-13
    Handling path parameters ..... 3-14
    Validating HTTP protocol compliance ..... 3-15
    Configuring HTTP protocol compliance validation ..... 3-16
    Adding file types ..... 3-17
    Creating allowed file types ..... 3-18
    Modifying file types ..... 3-20
    Removing file types ..... 3-20
    Disallowing specific file types ..... 3-21
    Configuring URLs ..... 3-22
    Creating an explicit URL ..... 3-25
    Removing a URL ..... 3-27
    Viewing or modifying the properties of a URL ..... 3-27
    Specifying URLs not allowed by the security policy ..... 3-28
    Enforcing requests for URLs based on header content ..... 3-29
    Working with the URL character set ..... 3-31
    Configuring flows ..... 3-32
    Adding a flow to a URL ..... 3-32
    Viewing the entire application flow ..... 3-33
    Viewing the flow to a URL ..... 3-33
    Configuring a dynamic flow from a URL ..... 3-34
    Creating login pages ..... 3-35
    Protecting sensitive data ..... 3-38
    Response headers that Data Guard inspects ..... 3-38
    Disabling Data Guard ..... 3-40
    Adding multiple host names ..... 3-41
    Configuring allowed methods ..... 3-42
    Configuring security policy blocking ..... 3-43
    Configuring policy blocking ..... 3-44
    Configuring blocking properties for evasion techniques ..... 3-46
    Configuring blocking properties for HTTP protocol compliance ..... 3-46
    Configuring blocking properties for web services security ..... 3-47
    Configuring the response pages ..... 3-48
    Protecting against CSRF ..... 3-53

    4 Working with Wildcard Entities

    Overview of wildcard entities ..... 4-1
    Understanding wildcard syntax ..... 4-1
    Understanding staging and explicit learning for wildcard entities ..... 4-2
    Understanding security policy enforcement for wildcard entities ..... 4-6
    Configuring wildcard file types ..... 4-6
    Creating wildcard file types ..... 4-6
    Modifying wildcard file types ..... 4-8
    Deleting wildcard file types ..... 4-8
    Sorting wildcard file types ..... 4-9
    Configuring wildcard URLs ..... 4-10
    Creating wildcard URLs ..... 4-10
    Modifying wildcard URLs ..... 4-12
    Deleting wildcard URLs ..... 4-12
    Sorting wildcard URLs ..... 4-13
    Configuring wildcard parameters ..... 4-14
    Creating wildcard parameters ..... 4-14
    Modifying wildcard parameters ..... 4-17
    Deleting wildcard parameters ..... 4-17
    Ordering wildcard parameters ..... 4-18

    5 Working with Parameters

    Understanding parameters ..... 5-1
    Understanding how the system processes parameters ..... 5-1
    Working with global parameters ..... 5-2
    Creating a global parameter ..... 5-2
    Editing the properties of a global parameter ..... 5-4
    Deleting a global parameter ..... 5-4
    Working with URL parameters ..... 5-5
    Creating a URL parameter ..... 5-5
    Editing the properties of a URL parameter ..... 5-7
    Deleting a URL parameter ..... 5-7
    Working with flow parameters ..... 5-8
    Creating a flow parameter ..... 5-8
    Editing the properties of a flow parameter ..... 5-10
    Deleting a flow parameter ..... 5-11
    Configuring parameter characteristics ..... 5-12
    Understanding parameter value types ..... 5-12
    Configuring static parameters ..... 5-13
    Configuring parameter characteristics for user-input parameters ..... 5-13
    Creating parameters without defined values ..... 5-20
    Allowing multiple occurrences of a parameter in a request ..... 5-21
    Limiting the maximum number of parameters in a request ..... 5-22
    Making a flow parameter mandatory ..... 5-22
    Configuring XML parameters ..... 5-23
    Configuring JSON parameters ..... 5-24
    Working with dynamic parameters and extractions ..... 5-25
    Configuring dynamic content value parameters ..... 5-25
    Viewing the list of extractions ..... 5-28
    Configuring parameter characteristics for dynamic parameter names ..... 5-28
    Working with the parameter character sets ..... 5-30
    Viewing and modifying the default parameter value character set ..... 5-30
    Viewing and modifying the default parameter name character set ..... 5-31
    Configuring sensitive parameters ..... 5-32
    Configuring navigation parameters ..... 5-33

    6 Working with Attack Signatures

    Overview of attack signatures ..... 6-1
    Understanding the global attack signatures pool ..... 6-1
    Overview of attack signature sets ..... 6-2
    Understanding how the system uses attack signatures ..... 6-2
    Types of attacks that attack signatures detect ..... 6-3
    Managing the attack signatures pool ..... 6-6
    Working with the attack signatures pool filter ..... 6-6
    Viewing attack signature details ..... 6-8
    Updating the system-supplied attack signatures ..... 6-10
    Important considerations when updating attack signatures ..... 6-10
    Configuring automatic updates for attack signatures ..... 6-11
    Configuring manual updates for attack signatures ..... 6-12
    Viewing information about the most recent update ..... 6-13
    Receiving email notification of attack signature updates ..... 6-13
    Working with attack signature sets ..... 6-14
    Viewing system-supplied signature sets ..... 6-14
    Creating an attack signature set ..... 6-15
    Editing user-defined attack signature sets ..... 6-17
    Deleting a user-defined attack signature set ..... 6-18
    Assigning attack signature sets to a security policy ..... 6-18
    Viewing the attack signature sets for a specific security policy ..... 6-19
    Viewing all attack signatures for a security policy ..... 6-19
    Disabling an attack signature in a security policy ..... 6-20
    Configuring attack signatures for a security policy ..... 6-20
    Modifying the blocking policy for attack signature sets ..... 6-22
    Understanding attack signature staging ..... 6-23
    Managing signatures that generate learning suggestions ..... 6-23
    Enabling or disabling signatures in staging ..... 6-24
    Enforcing all attack signatures ..... 6-25
    Managing user-defined attack signatures ..... 6-25
    Creating a user-defined attack signature ..... 6-26
    Modifying a user-defined attack signature ..... 6-27
    Deleting a user-defined attack signature ..... 6-27
    Importing user-defined attack signatures ..... 6-28
    Exporting user-defined attack signatures ..... 6-29

    7 Protecting XML Applications

    Getting started with XML security ..... 7-1
    Configuring security for SOAP web services ..... 7-3
    Implementing web services security ..... 7-5
    Uploading certificates ..... 7-7
    Enabling encryption, decryption, signing, and verification of SOAP messages ..... 7-8
    Managing SOAP methods ..... 7-14
    Configuring security for XML content ..... 7-15
    Responding to blocked XML requests ..... 7-17
    Fine-tuning XML defense configuration ..... 7-17
    Specifying attack signatures for content profiles ..... 7-21
    Specifying meta characters for content profiles ..... 7-22
    Masking sensitive XML data ..... 7-23
    Associating an XML profile with a URL ..... 7-24
    Associating an XML profile with a parameter ..... 7-25
    Modifying XML security profiles ..... 7-26
    Editing an XML profile ..... 7-26
    Deleting an XML profile ..... 7-27

    8 Refining the Security Policy Using Learning

    Overview of the learning process ..... 8-1
    Working with learning suggestions ..... 8-2
    Specifying explicit entities learning ..... 8-4
    Viewing all requests that trigger a specific learning suggestion ..... 8-4
    Viewing the details of a specific request ..... 8-5
    Viewing all requests for a specific security policy ..... 8-6
    Accepting or clearing learning suggestions ..... 8-7
    Accepting a learning suggestion ..... 8-7
    Clearing a learning suggestion ..... 8-8
    Using the Enforcement Readiness summary ..... 8-9
    Understanding staging ..... 8-9
    Reviewing staging status ..... 8-10
    Adding new entities to the security policy from staging ..... 8-10
    Understanding learnable and unlearnable violations ..... 8-12
    Learnable violations ..... 8-12
    Unlearnable violations ..... 8-14
    Disabling violations ..... 8-15
    Clearing violations ..... 8-16
    Viewing ignored entities ..... 8-16
    Removing items from the ignored entities list ..... 8-18
    Adding and deleting IP addresses exceptions ..... 8-19

    9Configuring General System Options

    Overview of general system options ..........................................................................................9-1Configuring interface and system preferences .........................................................................9-2Configuring external anti-virus protection ...............................................................................9-3Creating user accounts for security policy editing ..................................................................9-6Logging web application data ........................................................................................................9-7

    Response logging content headers ....................................................................................9-7Creating logging profiles .......................................................................................................9-8Associating a logging profile with a security policy ..................................................... 9-11ArcSight log message format ............................................................................................ 9-11Configuring the storage filter ........................................................................................... 9-12

    Setting event severity levels for security policy violations ................................................. 9-13Viewing the application security logs ....................................................................................... 9-14Validating regular expressions ................................................................................................... 9-15Configuring an SMTP mail server ............................................................................................. 9-16

    10Displaying Reports and Monitoring ASM

    Overview of the reporting tools .............................................................................................. 10-1Displaying an application security overview .......................................................................... 10-2Displaying a security policy summary and action items ...................................................... 10-3Reviewing details about requests ............................................................................................. 10-4

    Exporting requests .............................................................................................................. 10-5Clearing requests ................................................................................................................ 10-6

    Viewing event correlation .......................................................................................................... 10-7Event correlation criteria .................................................................................................. 10-7Viewing correlated events ................................................................................................ 10-8Setting up filters for event correlation .......................................................................... 10-9Clearing event correlation .............................................................................................. 10-10

    Viewing charts ............................................................................................................................. 10-11Interpreting graphical charts .......................................................................................... 10-12Scheduling and sending graphical charts using email ................................................. 10-13

    Viewing anomaly statistics ........................................................................................................ 10-14Viewing L7 DoS Attacks reports ................................................................................... 10-14Viewing Brute Force Attack reports ............................................................................ 10-15Viewing web scraping statistics ...................................................................................... 10-15

    Viewing session tracking status ............................................................................................... 10-17Viewing PCI Compliance reports ........................................................................................... 10-18Monitoring CPU usage .............................................................................................................. 10-19

    ASecurity Policy Violations

    Introducing security policy violations ........................................................................................A-1Viewing descriptions of violations ..............................................................................................A-1RFC violations .................................................................................................................................A-2Access violations ............................................................................................................................A-4Configuration Guide for BIG-IP Application Security Manager xi

    Length violations ............................................................................................................................A-6Input violations ...............................................................................................................................A-7Cookie violations .........................................................................................................................A-10

  • Table of Contents

    Negative security violations .......................................................................................................A-11Determining the type of attack detected by an attack signature ............................A-12

    Filtering requests by attack type ..............................................................................................A-12

    BWorking with the Application-Ready Security Policies

    Understanding application-ready security policies ................................................................. B-1Using the Deployment wizard to implement application-ready security policies .. B-1

    Using the Rapid Deployment security policies ........................................................................ B-2Overview of the Rapid Deployment security policy features .................................... B-2Creating a security policy using rapid deployment ....................................................... B-2Creating a security policy using rapid deployment with Policy Builder enabled .... B-3

    Using the ActiveSync security policies ...................................................................................... B-4Overview of the ActiveSync security policy features ................................................... B-4Configuring the system to secure the ActiveSync application ................................... B-4

    Using the Lotus Domino 6.5 security policies ........................................................................ B-5Overview of the Lotus Domino 6.5 security policy features ..................................... B-5Configuring the system to protect the Lotus Domino 6.5 application .................... B-5

    Using the OWA Exchange security policies ............................................................................ B-6Overview of the OWA Exchange security policy features ......................................... B-6Configuring the system to secure the OWA application ............................................ B-6

    Using the Oracle 10g Portal security policies ......................................................................... B-7Overview of the Oracle 10g Portal security policy features ...................................... B-7Configuring the system to protect the Oracle 10g Portal application ..................... B-7

    Using the Oracle Applications 11i security policies ............................................................... B-8Overview of the Oracle Applications 11i security policy features ........................... B-8Configuring the system to protect the Oracle Applications 11i application .......... B-8

    Using the PeopleSoft Portal 9 security policies ...................................................................... B-9Overview of the PeopleSoft Portal 9 security policy features ................................... B-9Configuring the system to protect the PeopleSoft Portal 9 application .................. B-9

    Using the SAP NetWeaver security policies ......................................................................... B-10Overview of the SAP NetWeaver security policy features ...................................... B-10Configuring the system to protect the SAP NetWeaver application ..................... B-10

    Using the SharePoint security policies .................................................................................... B-11Overview of the SharePoint security policy features ................................................. B-11Configuring the system to secure the SharePoint application ................................. B-11

    Managing large file uploads when using the application-ready security policies ............ B-12

    CSyntax for Creating User-Defined Attack Signatures

    Writing rules for user-defined attack signatures ....................................................................C-1Understanding the rule options .........................................................................................C-1

    Overview of rule option scopes .................................................................................................C-3Scope modifiers for the pcre and re2 rule options ......................................................C-4A note about normalization ...............................................................................................C-4

    Syntax for attack signature rules ................................................................................................C-5Using the content rule option ...........................................................................................C-5Using the uricontent rule option ......................................................................................C-5Using the headercontent rule option ...............................................................................C-6Using the valuecontent rule option ..................................................................................C-6Using the pcre and re2 rule options ................................................................................C-7xii

    Using the reference rule option ........................................................................................C-8Using the nocase modifier ..................................................................................................C-9Using the offset modifier .....................................................................................................C-9

  • Table of Contents

    Using the depth modifier ................................................................................................. C-10Using the distance modifier ............................................................................................. C-11Using the within modifier ................................................................................................. C-12Using the objonly modifier .............................................................................................. C-13Using the norm modifier .................................................................................................. C-13Using character escaping .................................................................................................. C-13Syntax considerations for parameter attack signatures ............................................ C-14Syntax considerations for response attack signatures .............................................. C-14Combining rule options .................................................................................................... C-15Rule combination example .............................................................................................. C-15Using the not character .................................................................................................... C-16

    DSystem Variables for Advanced Configuration

    Overview of system variables .....................................................................................................D-1WhiteHat Sentinel system variables .................................................................................D-5

    Viewing system variables ..............................................................................................................D-7Restoring the default settings for system variables ................................................................D-8

    Glossary

    IndexConfiguration Guide for BIG-IP Application Security Manager xiii

  • Table of Contentsxiv

1 Introducing the Application Security Manager

Overview of the BIG-IP Application Security Manager

    Getting started with the user interface

    Finding help and technical support resources

Overview of the BIG-IP Application Security Manager

The BIG-IP Application Security Manager protects mission-critical enterprise Web infrastructure against application-layer attacks, and monitors the protected web applications. The Application Security Manager can prevent a variety of web application attacks, such as:

- Manipulation of cookies or hidden fields
- SQL injection attacks intended to expose confidential information or to corrupt content
- Malicious exploitations of the application memory buffer to stop services, to get shell access, and to propagate worms
- Unauthorized user access to authenticated accounts using cross-site request forgery (CSRF)
- Unauthorized changes to server content using HTTP DELETE and PUT methods
- Attempts aimed at causing the web application to be unavailable or to respond slowly to legitimate users
- Layer 7 denial-of-service, brute force, and web scraping attacks
- Unknown threats, also known as zero-day threats

    The system can automatically develop a security policy to protect against security threats, and you can configure additional protections and customize the system response to threats.

Summary of the Application Security Manager features

The Application Security Manager includes the following features.

Integrated platform guaranteeing the delivery of secure application traffic
Built on F5 Networks TMOS architecture, the ICSA-certified, positive-security Application Security Manager is fully integrated with the BIG-IP Local Traffic Manager.

Automated security policy building
Application Security Manager uses an auto-adaptive approach to application delivery security, where the security policy is automatically built and updated based on observed traffic patterns. A Deployment wizard helps you create a security policy for your environment. Then the automated policy building feature, called the Real Traffic Policy Builder, examines requests and responses, and populates the security policy with legitimate security policy elements, based on what it finds in the traffic.

Positive security model
The Application Security Manager creates a robust positive security policy to completely protect web applications from targeted web application layer threats, such as buffer overflows, SQL injection, cross-site scripting, parameter tampering, cookie poisoning, and others, by allowing only valid application transactions. The positive security model is based on a combination of valid user session context and valid user input, as well as a valid application response.

Protection using Attack Signatures
The Attack Signatures in the Application Security Manager provide protection from generalized and known application attacks such as worms, SQL injection, cross-site scripting, and requests for restricted files and URLs. The Attack Signatures Update feature provides current, up-to-date signatures, so that your applications are protected from new attacks and threats.

Integrated, simplified management
The browser-based user interface provides network device configuration, centralized security policy management, and easy-to-read audit reports.

Configurable security levels
The Application Security Manager offers varying levels of security, from general protection of web site elements such as file types and character sets, to tailored, highly granular, application-specific security policies. This flexibility provides enterprises the ability to choose the level of security they need, and reduce management costs based on the amount of protection and risks acceptable in their business environment.

Role-based administration
The BIG-IP system supports role-based administration, which you can use to restrict access to various components of the product. For example, users with the Application Security Editor role can audit and maintain application security policies on a specific partition, but they have no access to general BIG-IP system administration.

Configuration guide summary

To use this guide, you must have installed the BIG-IP system, and have licensed and provisioned Application Security Manager. This guide focuses on configuring the application security components, including:

- Security policies
- Real Traffic Policy Builder
- Content profiles
- Monitoring, statistics, and logging

For additional information about using Application Security Manager, refer to BIG-IP Application Security Manager: Implementations. It explains many features not covered in this guide. If you are using automatic security policy building, Application Security Manager directs you through the steps required to create these components. For those who require custom configuration of these components, this guide also contains information on how to manually create virtual servers, pools, and security policies to enforce application security. For overview information about local traffic objects including virtual servers, pools, and profiles, refer to the BIG-IP Local Traffic Manager: Concepts. For details on configuring local traffic objects, refer to BIG-IP Local Traffic Manager: Implementations.

When you provision Application Security Manager, the Protocol Security Manager is also included on the system and available for use (without needing to be provisioned separately). For information on working with protocol security objects, refer to the Configuration Guide for BIG-IP Protocol Security Manager.

Getting started with the user interface

You log in and use the user interface to configure the Application Security Manager. The browser-based graphical user interface for the BIG-IP system is also called the Configuration utility. When you log into the BIG-IP system, the user interface provides the following components:

Identification and messages area
The identification and messages area is the screen region that is above the navigation pane, the menu bar, and the body. In this area, you find the system identification, including the host name and management IP address. This area is also where certain system messages display, for example, Activation Successful, which appears after a successful licensing process.

Navigation pane
The navigation pane, on the left side of the screen, contains the Main tab, the Help tab, and the About tab. The Main tab provides links to the major configuration objects. The Help tab provides context-sensitive help for each screen. The About tab provides overview information about the BIG-IP system.

Menu bar
The menu bar, which is below the identification and messages area, and above the body on many screens, provides links to additional screens.

Body
The body is the screen area where the configuration settings display, and where the user configures the system.

Finding help and technical support resources

You can find additional technical documentation and product information using the following resources:

Online help for Application Security components
Application Security Manager provides online help for each screen. The online help contains descriptions of each control and setting on the screen. Click the Help tab in the left navigation pane to view the online help.

About tab in the navigation pane
The About tab in the navigation pane contains links to many useful web sites and resources, including the AskF5 Knowledge Base, the F5 Solution Center, the F5 DevCentral web site, plug-ins, SNMP MIBs, and SSH clients.

F5 Networks Technical Support web site
The F5 Networks Technical Support web site and knowledge base, http://support.f5.com, provides the latest documentation for the product, including:

- Release notes for the Application Security Manager
- BIG-IP Application Security Manager: Getting Started Guide
- BIG-IP Application Security Manager: Implementations
- BIG-IP TMOS: Implementations
- BIG-IP Local Traffic Manager: Implementations
- BIG-IP Device Service Clustering: Administration

2 Building a Security Policy Automatically

    Overview of automatic policy building

    Configuring general policy building settings

    Configuring automatic policy building

    Viewing the automatic policy building status

    Stopping and starting automatic policy building

    Viewing automatic policy building logs

Overview of automatic policy building

Application Security Manager automates the process of creating a security policy to protect a web application. The system must be set up in a networking environment, and be capable of handling traffic to the application. This section provides an overview of setting up automatic policy building. The BIG-IP Application Security Manager: Getting Started Guide describes in detail how to use the Deployment wizard. For details about maintaining security policies, refer to BIG-IP Application Security Manager: Implementations.

These are the primary steps involved in automatic policy building:

1. Create the security policy.
   From the Active Security Policies list, click Create. Using the Deployment wizard, create a virtual server, pool, and then select the option Create a policy automatically.

2. Let the system automatically add entities to the security policy.
   When the Deployment wizard finishes, the system starts the Real Traffic Policy Builder, the automated policy building tool. The Policy Builder examines requests and responses from different sessions and different IP addresses, over a period of time. It then populates the security policy with legitimate security policy elements (file types, URLs, parameters, and so on), and puts them in staging. The Policy Builder ensures that the policy does not cause false positives.

3. Let the system stabilize the security policy.
   The security policy stabilizes after the system analyzes sufficient traffic, from different sessions and different IP addresses, over a period of time. Policy elements are moved out of staging and enforced as they meet the rule threshold values for stabilization. After that, traffic that violates the security policy generates security violations.

4. Let the system track site changes and update the policy.
   If the web application changes and causes violations for enough different users and IP addresses, over a period of time, the Policy Builder makes the necessary adjustments to the security policy. After sufficient time passes, Policy Builder once again stabilizes the security policy.

5. Review the automatic policy building status.
   On the Policy Building Status (Automatic) screen, you can review the current status of the security policy, see the policy elements that were added, and view details about the elements. If you want more control, you can enforce parts of the security policy from the status screen. The system logs all changes that you or the Policy Builder make to the security policy.

You use the Policy Building Settings screen to configure and monitor automatic policy building. The features and settings discussed in this chapter relate directly to the different settings in various areas of the screen.
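The staging-and-stabilization cycle described in the steps above, as an added illustration that is not part of this guide and not F5's own implementation: a toy Python policy builder learns methods, file types, URLs and URL lengths from constructed sample traffic, holds each entity in staging until hypothetical thresholds of distinct source IPs and sessions are met, and then reports requests outside the enforced positive policy as violations. The thresholds, the length slack factor and the log line format are assumptions made for the example.

```python
# Added example (not F5 code): a toy model of automatic policy building.
# Entities seen in legitimate traffic sit in staging until enough distinct
# source IPs and sessions have used them, then become enforced. Requests
# outside the enforced positive policy produce violations. The thresholds,
# the slack factor and the log format are all hypothetical.
from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import urlsplit

MIN_DISTINCT_IPS = 3        # hypothetical stabilization threshold
MIN_DISTINCT_SESSIONS = 3   # hypothetical stabilization threshold
LENGTH_SLACK = 1.25         # hypothetical headroom over the longest URL seen

LABELS = {"method": "Illegal method", "filetype": "Illegal file type",
          "url": "Illegal URL"}


@dataclass
class EntityStats:
    """Evidence gathered for one entity while it is in staging."""
    ips: set = field(default_factory=set)
    sessions: set = field(default_factory=set)

    def stable(self):
        return (len(self.ips) >= MIN_DISTINCT_IPS
                and len(self.sessions) >= MIN_DISTINCT_SESSIONS)


def file_type_of(path):
    """File extension of a request path, or 'no_ext' when it has none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else "no_ext"


def entities_of(method, url):
    """The policy entities one request touches: method, file type and URL."""
    path = urlsplit(url).path
    return [("method", method.upper()),
            ("filetype", file_type_of(path)),
            ("url", path)]


class PolicyBuilder:
    def __init__(self):
        self.staging = defaultdict(EntityStats)   # entity -> evidence
        self.max_url_len = defaultdict(int)       # file type -> longest URL

    def observe(self, ip, session, method, url):
        """Learn from one request that is assumed to be legitimate."""
        for entity in entities_of(method, url):
            self.staging[entity].ips.add(ip)
            self.staging[entity].sessions.add(session)
        ftype = file_type_of(urlsplit(url).path)
        self.max_url_len[ftype] = max(self.max_url_len[ftype], len(url))

    def enforced(self):
        """Entities that met the thresholds and left staging."""
        return {e for e, s in self.staging.items() if s.stable()}

    def check(self, method, url):
        """Violations raised for one request by the enforced policy."""
        enforced = self.enforced()
        violations = [f"{LABELS[kind]}: {value}"
                      for kind, value in entities_of(method, url)
                      if (kind, value) not in enforced]
        ftype = file_type_of(urlsplit(url).path)
        if ("filetype", ftype) in enforced:
            limit = int(self.max_url_len[ftype] * LENGTH_SLACK)
            if len(url) > limit:
                violations.append(f"Illegal URL length: {len(url)} > {limit}")
        return violations


def parse_line(line):
    """Constructed log format: '<ip> sess=<id> <METHOD> <url>'."""
    ip, sess, method, url = line.split()
    return ip, sess.split("=", 1)[1], method, url


def build_policy(lines):
    builder = PolicyBuilder()
    for line in lines:
        builder.observe(*parse_line(line))
    return builder


# Constructed sample traffic: three sessions from three IPs use the public
# pages; a single session from one IP touches /admin.php once, so that URL
# stays in staging while the php file type itself becomes enforced.
SAMPLE_TRAFFIC = [
    f"10.0.0.{n} sess=s{n} {req}"
    for n in (1, 2, 3)
    for req in ("GET /index.html", "GET /login.php", "POST /login.php")
] + ["10.0.0.9 sess=s9 GET /admin.php"]

if __name__ == "__main__":
    policy = build_policy(SAMPLE_TRAFFIC)
    for method, url in [("GET", "/index.html"), ("PUT", "/index.html"),
                        ("GET", "/admin.php"), ("GET", "/backup.zip"),
                        ("GET", "/index.html?page=99")]:
        print(method, url, "->", policy.check(method, url) or "allowed")
```

A request to an entity still in staging (here /admin.php) is reported because only enforced entities form the positive policy; in the real product, staged entities are tracked on the Enforcement Readiness summary before they are enforced.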

Configuring general policy building settings

General policy building settings determine how the security policy is built for both automatic policy building and manual policy building. The settings define the type of policy to create, and what level of Learning suggestions to provide (explicit entities learning and parameter level).

Changing the policy type

The policy type determines which security policy elements are included in the security policy. When you create a security policy, you can select one of the following policy types:

- Fundamental provides security at a level that is appropriate for most organizations, creating a robust security policy, which is highly maintainable and quick to configure. This is the default setting.
- Enhanced provides extra customization, creating a security policy with more granularity.
- Comprehensive provides the highest level of customization, creating a security policy with more granularity, but it may take longer to configure.
- Custom provides the level of security that you specify when you adjust settings such as which security policy elements are included in the security policy. The policy type changes to Custom if you change any of the default settings for a policy type.

    To change the policy type

1. On the Main tab, expand Security, point to Application Security, Policy Building, and click Settings. The Settings screen opens.

    2. In the editing context area, ensure that the Current edited policy is the one that you want to update.

    3. In the General Policy Building Settings, for Policy Type, select a different type. The selected security policy elements and options change depending on the policy type you choose.

    4. Click Save to save your changes.

    5. To put the security policy changes into effect immediately, click the Apply Policy button in the editing context area.

Table 2.1 lists each of the security policy elements listed in the Automatic Policy Building configuration, describes what the Policy Builder does when each element is enabled, and shows which policy type enables the element.

Table 2.1 Security policy elements for each policy type

Security Policy Element | What the System Does (When Enabled) | Policy Type (Fundamental / Enhanced / Complete)
HTTP Protocol Compliance | Creates the security policy with validation checks that ensure HTTP requests are formatted properly. | X X X
Evasion Techniques Detected | Creates the security policy so it detects evasion techniques and performs normalization processes on URI and parameter input. | X X X
File Type Lengths | Creates the security policy with length limitations per file type, based on legitimate web application traffic. | X X X
Attack Signatures | Creates the security policy so it enables or disables attack signatures. Applies to signatures that can be set in the policy, parameters, content profiles, and cookies. | X X X
URL Meta Characters | Creates the security policy with allowed meta characters for wildcard URLs, based on legitimate traffic. | X X
Parameter Name Meta Characters | Creates the security policy with allowed meta characters for parameter names for wildcard parameters. | X
Parameters-URL Level | Adds parameters at the URL level, only for specific URLs. | X
Value Meta Characters | Creates the security policy with allowed meta-characters for parameter values, and content profiles, based on legitimate web application traffic. Applies to parameters and content profiles. | X
Allowed Methods | Creates the security policy with allowed methods based on legitimate traffic. | X X
Request length exceeds defined buffer size | Creates the security policy and enables the Request length exceeds defined buffer size violation. | X X X
Header Length | Creates the security policy and enforces header length limitations based on legitimate web application traffic. | X X X
Cookie Length | Creates the security policy and limits cookie lengths based on legitimate web application traffic. | X X X
Failed to convert character | Creates the security policy to enforce that the characters comply with the configured language encoding of the web application's security policy. | X X X
Content Profiles (selected if JSON/XML payload detection is enabled when configuring automatic policy building using the Deployment wizard) | Creates the security policy so that it validates XML and JSON request data for URLs or parameters. If traffic includes legitimate XML or JSON data, the Policy Builder edits existing XML or JSON profiles according to the data it detects. You can use this option only after selecting Add All Entities or Selective in the Explicit Entities Learning setting for URLs or parameters. | X X
Content Profiles - Automatically detect advanced protocols (selected if JSON/XML payload detection is enabled when configuring automatic policy building using the Deployment wizard) | Allows the system to add XML or JSON profiles as needed to the security policy, and configures their attributes according to the data the Policy Builder detects in legitimate XML or JSON data in URLs or parameters in the policy. |
Host Names | Allows the system to add domain names used in the web application to the security policy's list of host names. This allows the system to distinguish between internal and external links and forms. | X X X
CSRF URLs | Verifies URLs against Cross-Site Request Forgery (CSRF) based on legitimate web application traffic. If Policy Builder detects an excessive rate of violations on a CSRF-protected URL, the system treats the violation as a false positive and removes the URL from the list of CSRF-protected URLs. To enforce CSRF URLs, you must enable at least one of the Learn/Alarm/Block check boxes of the CSRF attack detected violation. |

    Note that Table 2.1 lists only the violations and checks that are relevant to automatic security policy building. The Application Security Manager includes many other security features that are not part of automatic policy building, such as response scrubbing using Data Guard, described in Chapter 3, and anomaly detection, described in Chapter 6.

    Configuring explicit entities learning

    You can adjust the explicit entities learning settings for file types, URLs, parameters, and cookies. Explicit learning settings specify when Policy Builder adds, or suggests you add, explicit entities to the security policy. Note that if you change the Policy Type, the system also changes the explicit entities learning settings.

    To configure explicit entities learning

    1. On the Main tab, expand Security, point to Application Security, Policy Building, and click Settings. The Settings screen opens.

    2. In the editing context area, ensure that the Current edited policy is the one that you want to update.

    3. In the General Policy Building Settings area, for the Explicit Entities Learning setting, select how to learn each type of entity (file types, URLs, parameters, and cookies):

    Never (wildcard only): Specifies that when false positives occur the system suggests relaxing the settings of the wildcard. This option results in a security policy that is easy to manage, but is not as strict. If Policy Builder is running, it does not add explicit entities that match a wildcard to the security policy. The wildcard entity remains in the security policy. The Policy Builder changes the attributes of any matched wildcard. If not running, Policy Builder suggests changing the attributes of matched wildcard entities, but does not suggest you add explicit entities that match the wildcard entity.

    Selective: Applies only to the * wildcard. When false positives occur, adds an explicit entity with relaxed settings. This option serves as a good balance between security, policy size, and ease of maintenance. If Policy Builder is running, it adds explicit entities that do not match the attributes of the * wildcard, and does not remove the * wildcard. If Policy Builder is not running, the system suggests adding explicit entities that match the * wildcard.

    Add All Entities: Creates a comprehensive whitelist policy that includes all web site entities. This option results in a large, more granular configuration with stricter security. If Policy Builder is running, it adds explicit entities that match a wildcard to the security policy. When the security policy is stable, the * wildcard is removed. If Policy Builder is not running, the system suggests adding explicit entities that match the wildcard.

    4. Click Save to save your changes.

    5. To put the security policy changes into effect immediately, click the Apply Policy button in the editing context area.

    Adjusting the parameter level

    You can adjust how the system determines what parameters to add (automatic policy building) or suggests you add (manual policy building). The parameter levels are Global and URL. Global specifies that learning suggestions are based on the properties of entities that already exist in the security policy. URL specifies that learning suggestions are based on real traffic. In most cases, you do not need to change the default values of these settings.

    To adjust the parameter level

    1. On the Main tab, expand Security, point to Application Security, Policy Building, and click Settings. The Settings screen opens.

    2. In the editing context area, ensure that the Current edited policy is the one that you want to update.

    3. In the General Policy Building Settings area, for the Parameter Level setting, select the level of parameter to add:

    Global: Adds parameters at the global level for all URLs in the security policy. Default value for Fundamental and Enhanced policy types.

    URL: Adds parameters at the URL level, only for specific URLs. Default value for Comprehensive policy type.

    4. Click Save to save your changes.

    5. To put the security policy changes into effect immediately, click the Apply Policy button in the editing context area.

    Configuring automatic policy building

    Application Security Manager completely configures the automated policy building settings according to the selections you make when using the Deployment wizard. You can review the settings, and change many of them later if needed.

    There are two levels of automated policy building settings: basic and advanced. The basic settings are sufficient for most installations, and require less work. The advanced level allows you to view and change all of the configuration settings if you want further control over security policy details. However, in most cases, you do not need to change the default values of these settings.

    Configuring automatic policy building settings

    Figure 2.1 shows the basic automatic policy building settings on the Settings screen.

    Figure 2.1 Automatic Policy Building Settings (basic)

    To configure basic automatic policy building settings

    1. On the Main tab, expand Security, point to Application Security, Policy Building, and click Settings. The Settings screen opens.

    2. In the editing context area, ensure that the Current edited policy is the one that you want to update.

    3. In the General Policy Building Settings area, for Policy Type, select the type of security policy:

    Fundamental: Provides granularity sufficient for most organizations creating a generalized security policy that is fast to create and easy to maintain. This is the default setting.

    Enhanced: Provides additional granularity and security features suited for customers with higher (and, typically, specific) security needs. This policy type takes longer to implement.

    Comprehensive: Provides the most granular definitions, includes most security features, and is suited for advanced users or customers with extreme security needs. This policy type typically takes even longer to deploy and requires more maintenance.

    4. Leave the Explicit Entities Learning and Parameter Level settings at their default values.

    5. In the Automatic Policy Building Settings area, for Real Traffic Policy Builder, select the Enabled check box. The screen refreshes and displays more options.

    6. For Rules, move the slider to change the thresholds of the rules for the security policy:

    Fast: Builds a security policy using lower threshold values for the rules so they are likely to meet the thresholds more quickly; for example, this setting is useful for smaller web sites with less traffic. Selecting this value may create a less accurate security policy.

    Medium: Builds a security policy based on greater threshold values for the rules. This is the default setting and is recommended for most sites.

    Slow: Builds a security policy using even higher thresholds for the rules and takes longer to meet them; for example, this value is useful for large web sites with lots of traffic. Selecting this value may result in fewer false positives and create a more accurate security policy.

    Changing these settings also changes the chance of adding false entities to the policy.

    7. If you changed any of the settings, click Save.

    8. To put the security policy changes into effect immediately, click the Apply Policy button in the editing context area.

    When traffic is flowing to the application, the system examines requests and responses and begins to build the security policy.

    This is all you are required to configure unless you want to examine the advanced configuration options. Skip to Viewing the automatic policy building status, on page 2-23, for what to do next.

    Configuring advanced automatic policy building settings

    If you want to review or change the configuration details of the Policy Builder, you can use the advanced automated policy building settings. However, in most cases, you do not need to change the default values of these settings.

    To configure advanced policy building settings

    If you are already on the Settings screen, start with step 4.

    1. On the Main tab, expand Security, point to Application Security, Policy Building, and click Settings. The Settings screen opens.

    2. In the editing context area, ensure that the Current edited policy is the one that you want to update.

    3. In the Automatic Policy Building Settings area, for Real Traffic Policy Builder, select the Enabled check box if it is not already selected. The screen refreshes and displays more options.

    4. Next to Automatic Policy Building Settings, select Advanced. The screen displays the advanced configuration details of the Policy Builder.

    5. Review the settings and modify them as needed. Refer to the online help or the following procedures for more information:

    For details about security policy elements, see Modifying security policy elements, on page 2-9.

    For details about rules, trusted IP addresses, and options, see Modifying the list of trusted IP addresses, on page 2-16.

    6. If you change any of the settings, click Save.

    7. To put the security policy changes into effect immediately, click the Apply Policy button in the editing context area.

    Modifying security policy elements

    Security policy elements, such as file types, URLs, evasion technique violations, and so on, form the basis of the security policy that the automatic policy building process is creating. The selected security policy elements are the ones that the Policy Builder configures into the security policy based on legitimate web application traffic. Figure 2.2 shows the security policy elements for a comprehensive security policy.

    Figure 2.2 Security policy elements

    Each policy type enables a different granularity of policy elements. Refer to Table 2.1, on page 2-3, for a list of policy elements, descriptions of each, and which policy elements are included in each policy type. You can select the policy elements to include in the security policy, in which case, the system changes the Policy Type setting to Custom.

    To modify automatic policy building elements

    1. On the Main tab, expand Security, point to Application Security, Policy Building, and click Settings. The Settings screen opens.

    2. In the editing context area, ensure that the Current edited policy is the one that you want to update.

    3. In the Automatic Policy Building Settings, for Real Traffic Policy Builder, select the Enabled check box if it is not already selected. The screen refreshes and displays more options.

    4. To display all configuration options, next to Automatically Build Policy, select Advanced.

    5. In the Policy Type setting, for Include the following Security Policy Elements, select the security policy entities (or violations) that you want the Policy Builder to automatically configure when building the security policy. For details on the policy elements, see Table 2.1, on page 2-3. When you change the policy elements that are included in the security policy, the Policy Type changes to Custom.

    6. Click Save to save your changes.

    7. To put the security policy changes into effect immediately, click the Apply Policy button in the editing context area.

    Modifying automatic policy building rules

    During automatic policy building, the Policy Builder builds security policies in three stages. These stages each have separate sets of settings in the Rules area of the Settings screen. Rules in each stage determine when an element in the security policy moves from one stage to the next. Some of the rules have different values depending on whether the traffic comes from a trusted or untrusted source. The system generally considers trusted traffic and the policy elements it contains legitimate, and adds them to the policy more quickly than those in untrusted traffic.

    You can adjust the values for the rules by changing the Policy Builder learning speed. Slow learning speed causes the system to create the policy by looking at more traffic, so the values in the rules are higher. Fast learning speed causes the system to build the policy from fewer requests, and the values you see in the rules are lower.

    Accept as Legitimate (Loosen)

    During this stage, the Policy Builder identifies legitimate application usage based on repeated behavior from sufficient different user sessions and IP addresses, over a period of time. The system updates the security policy accordingly. Based on wildcard matches, Policy Builder adds the legitimate policy entities (putting most into staging to learn their properties), and disables violations that are probably false positives. For example, when the Policy Builder sees the same file type, URL, parameter, or cookie from enough different user sessions and IP addresses over time, then it adds the entity to the security policy.

    Stabilize (Tighten)

    During this stage, the Policy Builder refines the security policy elements until the number of security policy changes stabilizes. For example, the Policy Builder enforces an entity type after it records a sufficient number of unique requests and sessions, for different IP addresses, over a sufficient length of time since the last time an explicit file type, URL, or parameter was added to the security policy. Similarly, the Policy Builder enforces the entity's attributes (takes them out of staging) after it records a sufficient number of unique requests and sessions from different IP addresses, over a sufficient length of time for a particular file type, URL, parameter, or cookie. When the traffic to the application no longer includes new elements and the Policy Builder has enforced the policy elements, the security policy is considered stable and its progress reaches 100%.

    Track Site Changes

    This setting determines whether the Policy Builder may make changes to the security policy after it is stable. If the setting is enabled and the Policy Builder discovers changes to the web application, it logs the change (Site change detected) and temporarily loosens the security policy to make the necessary adjustments. When the Policy Builder stabilizes the added elements, it retightens the security policy.

    Although it is not recommended, you can disable the Track Site Changes option. If you do, when the security policy progress reaches 100% stability, the system disables automatic policy building. The security policy is not updated unless you manually change it, or restart automatic policy building by re-enabling the Track Site Changes option.

    Figure 2.3 shows the Rules area of the Settings screen with the learning speed set to Slow. Advanced users can view and change the conditions under which the Policy Builder modifies the security policy during any of the three stages. Changing the values in any of the rules (to values not matching any of the default values) also changes the learning speed and chances of adding false entities settings to Custom (instead of Slow, Medium, and Fast).

    Figure 2.3 Rules area of the Settings screen

    Note

    F5 recommends that only advanced users change the automatic policy building rule settings. Use the default values in most cases.

    To modify automatic policy building rules

    1. On the Main tab, expand Security, point to Application Security, Policy Building, and click Settings. The Settings screen opens.

    2. In the editing context area, ensure that the Current edited policy is the one that you want to update.

    3. To display all configuration options, next to Automatic Policy Building Settings, select Advanced.

    4. In the Rules area, for Policy Builder learning speed, move the slider to change the thresholds of the rules for the security policy:

    Fast: Builds a security policy using lower threshold values for the rules so they are likely to meet the thresholds more quickly; for example, this setting is useful for smaller web sites with less traffic. Selecting this value may create a less accurate security policy.

    Medium: Builds a security policy based on greater threshold values for the rules. This is the default setting and is recommended for most sites.

    Slow: Builds a security policy using even higher thresholds for the rules and takes longer to meet them; for example, this value is useful for large web sites with lots of traffic. Selecting this value may result in fewer false positives and create a more accurate security policy.

    Changing these settings also changes the chance of adding false entities to the policy (the slider on the right).

    Note: F5 recommends that you use the learning speed slider to adjust the rules values, and skip to step 8.

    5. For the Accept as Legitimate (Loosen) rules, adjust the number of different sessions, different IP addresses, and the time spread after which the Policy Builder accepts and learns a security policy change from traffic. In this stage of security policy building, the Policy Builder adds entities, configures attributes (such as lengths and meta characters), places entities in staging, and disables violations.

    6. For the Stabilize (Tighten) rules, adjust the number of requests, the number of different sessions, different IP addresses, and the time spread before the Policy Builder stabilizes the security policy elements. Stabilizing a security policy element may mean tightening it by deleting wildcard entities, removing entities from staging, and enforcing violations that did not occur.

    7. For the Track Site Changes rules:

    a) The Enable Track Site Changes check box is selected by default. This box must remain selected if you want the Policy Builder to quickly loosen the security policy if changes to the web application cause violations.

    b) Select which traffic you want the Policy Builder to use to loosen the security policy:

    From Trusted and Untrusted Traffic: Specifies that the Policy Builder loosens the security policy based on all traffic. This is the default option.

    Only from Trusted Traffic: Specifies that the Policy Builder loosens the security policy based on traffic from trusted sources defined in the Trusted IP Addresses area on this screen.

    c) For untrusted and trusted traffic, adjust the number of different sessions and different IP addresses for which the system detects violations, over a period of time, after which the Policy Builder updates the security policy. In this stage of security policy building, the Policy Builder adds wildcard entities, places entities in staging, and disables violations.

    8. Click Save to save your changes.

    9. To put the security policy changes into effect immediately, click the Apply Policy button in the editing context area.

    Modifying the list of trusted IP addresses

    You can create a list of trusted IP addresses that the Policy Builder considers safe in the Trusted IP addresses area of the Settings screen. Figure 2.4 shows the trusted IP addresses area.

    Figure 2.4 Trusted IP address list

    The Policy Builder processes traffic from trusted clients differently than traffic from untrusted clients. For clients with trusted IP addresses, the rules are configured so that the Policy Builder requires less traffic (by default, only 1 user session) to update the security policy with entity or other changes. It takes more traffic from untrusted clients to change the security policy (given the default values). Figure 2.5 shows the default Accept as Legitimate (Loosen) area of the Settings screen, configured for a fundamental security policy set to medium strictness. You can see that different values apply to trusted and untrusted traffic.

    Figure 2.5 Accept as Legitimate policy building rules for trusted and untrusted traffic

    Refer to Modifying the list of trusted IP addresses, on page 2-16, to learn more about how the rules affect the security policy.
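    The staged rules described above (Accept as Legitimate, Stabilize, Track Site Changes) and the lighter thresholds for trusted clients, as an added Python model that is not part of this guide and is not ASM code; the threshold values, client addresses, session names and element names are constructed for the example and are not the product's defaults.

```python
# Model of the Policy Builder's staged rules, written for this page (not F5
# code). An element is accepted as legitimate once enough different sessions
# and IP addresses have used it over a time spread, and enforced after a
# second set of thresholds; trusted traffic needs less evidence. All
# threshold values are constructed for the example, not the product's defaults.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    sessions: int  # distinct user sessions that must have used the element
    ips: int       # distinct client IP addresses
    spread: int    # seconds between first and last observation

# Trusted clients need only one session, as the guide says of the defaults.
LOOSEN = {"trusted": Rule(1, 1, 0), "untrusted": Rule(5, 3, 600)}
TIGHTEN = {"trusted": Rule(1, 1, 0), "untrusted": Rule(20, 10, 3600)}

@dataclass
class Counters:
    sessions: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    first: int = 0
    last: int = 0

    def add(self, ts, session, ip):
        if not self.sessions:
            self.first = ts
        self.sessions.add(session)
        self.ips.add(ip)
        self.last = ts

    def meets(self, rule):
        return (len(self.sessions) >= rule.sessions and len(self.ips) >= rule.ips
                and self.last - self.first >= rule.spread)

def fresh_counters():
    return {"trusted": Counters(), "untrusted": Counters()}

@dataclass
class Element:
    stage: str = "new"  # new -> staging (accepted, attributes learned) -> enforced
    seen: dict = field(default_factory=fresh_counters)

class PolicyBuilder:
    def __init__(self, trusted_ips):
        self.trusted_ips = set(trusted_ips)
        self.elements = {}
        self.log = []

    def stable(self):
        """Stable (progress 100%) when every known element is enforced."""
        return bool(self.elements) and all(
            e.stage == "enforced" for e in self.elements.values())

    def observe(self, ts, session, ip, name):
        """Feed one request that used policy element `name` (URL, file type, ...)."""
        if name not in self.elements and self.stable():
            # Track Site Changes: log the change and loosen by learning the element.
            self.log.append(f"{ts}: Site change detected ({name})")
        el = self.elements.setdefault(name, Element())
        cls = "trusted" if ip in self.trusted_ips else "untrusted"
        el.seen[cls].add(ts, session, ip)
        if el.stage == "new" and el.seen[cls].meets(LOOSEN[cls]):
            el.stage = "staging"
            el.seen = fresh_counters()  # the Stabilize stage counts afresh
            self.log.append(f"{ts}: {name} accepted as legitimate, in staging ({cls})")
        elif el.stage == "staging" and el.seen[cls].meets(TIGHTEN[cls]):
            el.stage = "enforced"
            self.log.append(f"{ts}: {name} taken out of staging and enforced ({cls})")
        return el.stage

def demo():
    """Constructed traffic: untrusted sessions meet Loosen; trusted ones go further."""
    pb = PolicyBuilder(trusted_ips={"10.0.0.5"})
    ips = ["198.51.100.1", "198.51.100.2", "198.51.100.3"]
    for i in range(5):  # five sessions, three addresses, ten minutes
        pb.observe(ts=i * 150, session=f"s{i}", ip=ips[i % 3], name="/login.php")
    pb.observe(ts=0, session="admin", ip="10.0.0.5", name="/admin.php")
    pb.observe(ts=5, session="admin", ip="10.0.0.5", name="/admin.php")
    return pb
```

    Raising the untrusted thresholds plays the role of the Slow learning speed: the same traffic leaves /login.php unaccepted, which is why a lower false-entity rate costs more observed requests.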

    To modify the list of trusted IP addresses

    1. On the Main tab, expand Security, point to Application Security, Policy Building, and click Settings. The Settings screen opens.

    2. In the editing context area, ensure that the Current edited policy is the one that you want to update.

    3. To display all configuration options, next to Automatically Build Policy, select Advanced.

    4. In the Trusted IP Addresses area, for IP Addresses, specify which IP addresses to consider safe:

    To trust all IP addresses (for internal or test environments), select All.

    To add specific IP addresses or networks, select Address List, type the IP address and netmask, then click Add. The IP address or network range is added to the list. Add as many trusted IP addresses as needed.

    To delete IP addresses or networks, select the IP address in the list, then click Delete.

    5. Click Save to save your changes.

    6. To put the security policy changes into effect immediately, click the Apply Policy button in the editing context area.

    Modifying automatic policy building options

    When you create a security policy automatically, the Application Security Manager sets the automatic policy building options on the Settings screen (Advanced setting options). These options determine what type of entities the Policy Builder adds to the security policy. You can change the values of the settings in the Options area, shown in Figure 2.6, on page 2-19. Refer to the online help for details about all of the settings.

    The security policy learns from responses, by default, meaning that it adds elements found in trusted IP addresses or in responses that are legal and fully enforced. If the web application contains dynamic parameters, you can configure the Policy Builder to identify them. Dynamic parameters are parameters whose sets of accepted values can change, and usually depend on the user session. For more information on dynamic parameters, refer to Working with dynamic parameters and extractions, on page 5-25.

    The options also let you simplify your security policy by collapsing similar specific entities into one global entity. After a specified number of occurrences (10 by default), the system can combine:

    URL-level user-input value parameters into one global user-input value parameter

    User-input parameters (alphanumeric only) with similar names into one general name (replacing param1, param2, and param3 with param*)

    Cookies with similar names, replacing them with a wildcard cookie that matches all of the similarly named cookies. For example, cookie1 and cookie2 are replaced with cookie*

    Parameter-specific signature exceptions into a policy-level signature exception

    Content profiles, where each content profile contains one parameter/URL, replacing them with one content profile containing all parameters/URLs; (the Policy Builder collapses content profiles once, and then uses the collapsed co
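    The first three collapsing options above, as an added Python model that is not part of this guide and is not ASM code; it assumes that "occurrences" counts distinct entities in a family, uses the default of 10 from this guide, and works on constructed parameter, cookie and URL names.

```python
# Model of the "collapse similar entities" options, written for this page (not
# F5 code). Assumption: an occurrence is one distinct entity of a family, so a
# family of ten names (param1..param10) is collapsed at the default of 10.
import re

COLLAPSE_THRESHOLD = 10  # the guide's default occurrence count

# Alphanumeric-only names split into an alphabetic stem and a numeric suffix,
# which is what makes param1, param2, ... one family.
NAME_RE = re.compile(r"^([A-Za-z]+)(\d+)$")

def collapse_similar_names(names, threshold=COLLAPSE_THRESHOLD):
    """Replace families of similarly named parameters or cookies (param1,
    param2, ...) that reach `threshold` members with one wildcard (param*).
    Names outside a large enough family are kept; first-seen order is kept."""
    families = {}
    for name in names:
        m = NAME_RE.match(name)
        if m:
            families.setdefault(m.group(1), set()).add(name)
    collapsed = {stem for stem, members in families.items()
                 if len(members) >= threshold}
    result, emitted = [], set()
    for name in names:
        m = NAME_RE.match(name)
        if m and m.group(1) in collapsed:
            wildcard = m.group(1) + "*"
            if wildcard not in emitted:  # one wildcard entity per family
                emitted.add(wildcard)
                result.append(wildcard)
        else:
            result.append(name)
    return result

def collapse_url_level_parameters(url_params, threshold=COLLAPSE_THRESHOLD):
    """url_params: (url, parameter) pairs defined at URL level. A parameter
    name present on at least `threshold` distinct URLs becomes one global
    parameter; the rest stay URL-level. Returns (global_names, remaining)."""
    urls_by_param = {}
    for url, param in url_params:
        urls_by_param.setdefault(param, set()).add(url)
    promoted = {p for p, urls in urls_by_param.items() if len(urls) >= threshold}
    remaining = [(u, p) for u, p in url_params if p not in promoted]
    return sorted(promoted), remaining

def demo():
    """Constructed entities: ten numbered parameters, two cookies, one 'id'
    parameter on ten URLs. Only the families of ten collapse."""
    params = [f"param{i}" for i in range(1, 11)] + ["user", "cookie1", "cookie2"]
    url_params = [(f"/page{i}.php", "id") for i in range(10)] + [("/a.php", "q")]
    return collapse_similar_names(params), collapse_url_level_parameters(url_params)
```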