big-ip application security manager getting started guide

BIG-IP® Application Security Manager™:

Getting Started Guide

version 10.2

MAN-0285-02

Product VersionThis manual applies to product version 10.2 of the BIG-IP® Application Security Manager™.

Publication DateThis manual was published on May 3, 2010.

Legal Notices

CopyrightCopyright © 2010, F5 Networks, Inc. All rights reserved.

F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5 assumes no responsibility for the use of this information, nor any infringement of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent, copyright, or other intellectual property right of F5 except as specifically described by applicable user licenses. F5 reserves the right to change specifications at any time without notice.

TrademarksF5, F5 Networks, the F5 logo, BIG-IP, 3-DNS, Access Policy Manager, APM, Acopia, Acopia Networks, Application Accelerator, Ask F5, Application Security Manager, ASM, ARX, Data Guard, Edge Client, Edge Gateway, Enterprise Manager, EM, FirePass, FreedomFabric, Global Traffic Manager, GTM, iControl, Intelligent Browser Referencing, Internet Control Architecture, IP Application Switch, iRules, Link Controller, LC, Local Traffic Manager, LTM, Message Security Module, MSM, NetCelera, OneConnect, Packet Velocity, Protocol Security Module, PSM, Real Traffic Policy Builder, SSL Accelerator, SYN Check, Traffic Management Operating System, TMOS, TrafficShield, Transparent Data Reduction, uRoam, VIPRION, WANJet, WAN Optimization Module, WOM, WebAccelerator, WA, and ZoneRunner, are trademarks or service marks of F5 Networks, Inc., in the U.S. and other countries, and may not be used without F5's express written consent.

All other product and company names herein may be trademarks of their respective owners.

PatentsThis product protected by U.S. Patent 6,311,278. Other patents pending.

Export Regulation NoticeThis product may include cryptographic software. Under the Export Administration Act, the United States government may consider it a criminal offense to export this product from the United States.

RF Interference WarningThis is a Class A product. In a domestic environment this product may cause radio interference, in which case the user may be required to take adequate measures.

FCC ComplianceThis equipment has been tested and found to comply with the limits for a Class A digital device pursuant to Part 15 of FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This unit generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user, at his own expense, will be required to take whatever measures may be required to correct the interference.

Any modifications to this device, unless expressly approved by the manufacturer, can void the user's authority to operate this equipment under part 15 of the FCC rules.

BIG-IP® Application Security Manager™: Getting Started Guide i

Canadian Regulatory ComplianceThis class A digital apparatus complies with Canadian I CES-003.

Standards ComplianceThis product conforms to the IEC, European Union, ANSI/UL and Canadian CSA standards applicable to Information Technology products at the time of manufacture.

AcknowledgmentsThis product includes software developed by Bill Paul.

This product includes software developed by Jonathan Stone.

This product includes software developed by Manuel Bouyer.

This product includes software developed by Paul Richards.

This product includes software developed by the NetBSD Foundation, Inc. and its contributors.

This product includes software developed by the Politecnico di Torino, and its contributors.

This product includes software developed by the Swedish Institute of Computer Science and its contributors.

This product includes software developed by the University of California, Berkeley and its contributors.

This product includes software developed by the Computer Systems Engineering Group at the Lawrence Berkeley Laboratory.

This product includes software developed by Christopher G. Demetriou for the NetBSD Project.

This product includes software developed by Adam Glass.

This product includes software developed by Christian E. Hopps.

This product includes software developed by Dean Huxley.

This product includes software developed by John Kohl.

This product includes software developed by Paul Kranenburg.

This product includes software developed by Terrence R. Lambert.

This product includes software developed by Philip A. Nelson.

This product includes software developed by Herb Peyerl.

This product includes software developed by Jochen Pohl for the NetBSD Project.

This product includes software developed by Chris Provenzano.

This product includes software developed by Theo de Raadt.

This product includes software developed by David Muir Sharnoff.

This product includes software developed by SigmaSoft, Th. Lockert.

This product includes software developed for the NetBSD Project by Jason R. Thorpe.

This product includes software developed by Jason R. Thorpe for And Communications, http://www.and.com.

This product includes software developed for the NetBSD Project by Frank Van der Linden.

This product includes software developed for the NetBSD Project by John M. Vinopal.

This product includes software developed by Christos Zoulas.

This product includes software developed by the University of Vermont and State Agricultural College and Garrett A. Wollman.

In the following statement, "This software" refers to the Mitsumi CD-ROM driver: This software was developed by Holger Veit and Brian Moore for use with "386BSD" and similar operating systems. "Similar operating systems" includes mainly non-profit oriented systems for research and education, including but not restricted to "NetBSD," "FreeBSD," "Mach" (by CMU).

This product includes software developed by the Apache Group for use in the Apache HTTP server project (http://www.apache.org/).

This product includes software licensed from Richard H. Porter under the GNU Library General Public License (© 1998, Red Hat Software), www.gnu.org/copyleft/lgpl.html.

This product includes the standard version of Perl software licensed under the Perl Artistic License (© 1997, 1998 Tom Christiansen and Nathan Torkington). All rights reserved. You may find the most current standard version of Perl at http://www.perl.com.

This product includes software developed by Jared Minch.

ii

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).

This product includes cryptographic software written by Eric Young ([email protected]).

This product contains software based on oprofile, which is protected under the GNU Public License.

This product includes RRDtool software developed by Tobi Oetiker (http://www.rrdtool.com/index.html) and licensed under the GNU General Public License.

This product contains software licensed from Dr. Brian Gladman under the GNU General Public License (GPL).

This product includes software developed by the Apache Software Foundation (http://www.apache.org).

This product includes Hypersonic SQL.

This product contains software developed by the Regents of the University of California, Sun Microsystems, Inc., Scriptics Corporation, and others.

This product includes software developed by the Internet Software Consortium.

This product includes software developed by Nominum, Inc. (http://www.nominum.com).

This product contains software developed by Broadcom Corporation, which is protected under the GNU General Public License.

This product includes the Zend Engine, freely available at http://www.zend.com.

This product contains software developed by NuSphere Corporation, which is protected under the GNU Lesser General Public License.

This product contains software developed by Erik Arvidsson and Emil A Eklund.

This product contains software developed by Aditus Consulting.

This product contains software developed by Dynarch.com, which is protected under the GNU Lesser General Public License, version 2.1 or above.

This product contains software developed by MaxMind LLC, and is protected under the GNU Lesser General Public License, as published by the Free Software Foundation.

This product contains software developed by InfoSoft Global (P) Limited.

This product includes software written by Steffen Beyer and licensed under the Perl Artistic License and the GPL.

This product includes software written by Makamaka Hannyaharamitu © 2007-2008.

BIG-IP® Application Security Manager™: Getting Started Guide iii

Table of Contents

Table of Contents

1Getting Started with BIG-IP Application Security Manager

Getting started with creating a security policy ........................................................................1-1Creating a security policy for a production site .............................................................1-1Creating a security policy for a QA lab or test site ......................................................1-1Creating a security policy for a web service or XML application ..............................1-2Creating a security policy from a template ......................................................................1-2

Getting started with the user interface .....................................................................................1-3Overview of components of the Configuration utility ..................................................1-4Browser support ....................................................................................................................1-4

Finding help and technical support ..............................................................................................1-5Exploring related documentation .......................................................................................1-5

2Performing Basic Configuration Tasks

Getting started with basic configuration tasks .........................................................................2-1Configuring a VLAN .......................................................................................................................2-3Configuring a self IP address ........................................................................................................2-4Defining a local traffic pool ...........................................................................................................2-5Defining an application security class .........................................................................................2-6Creating a virtual server ................................................................................................................2-7Optional network configuration tasks .......................................................................................2-8

3Creating a Security Policy Automatically

Overview of creating a security policy with the Real Traffic Policy Builder .....................3-1Designing security to meet your requirements ..............................................................3-1

Creating a security policy ..............................................................................................................3-3Fine-tuning the security policy .....................................................................................................3-5Reviewing security policy status ..................................................................................................3-5Updating attack signatures automatically ..................................................................................3-9Adding more security protection ............................................................................................. 3-10

4Creating a Security Policy for Web Services

Overview of creating a security policy for web services .......................................................4-1Designing XML security for your application ..................................................................4-1

Creating a web service security policy ......................................................................................4-2Creating an XML profile ................................................................................................................4-3

Creating a basic XML profile ...............................................................................................4-4Creating an XML profile with WSDL validation .............................................................4-5Creating an XML profile with XML schema validation .................................................4-7Associating an XML profile with a URL or parameter ..................................................4-8

Developing the security policy using traffic ..............................................................................4-9Fine-tuning the security policy .................................................................................................. 4-10Enforcing the security policy ..................................................................................................... 4-12Customizing the blocking response page ............................................................................... 4-13

BIG-IP® Application Security Manager™: Getting Started Guide vii

Table of Contents

5Creating a Security Policy Using Rapid Deployment

Overview of Rapid Deployment ..................................................................................................5-1Creating a Rapid Deployment security policy ..........................................................................5-2Fine-tuning the rapid deployment policy ...................................................................................5-3Enforcing the security policy ........................................................................................................5-4

6Deploying an Application-Ready Security Policy

Overview of application-ready security templates ..................................................................6-1Creating an application-ready security policy ..........................................................................6-2Fine-tuning the application-ready security policy ....................................................................6-3Enforcing the security policy ........................................................................................................6-4

ADeployment Scenario Settings

Settings for Production Site deployment ..................................................................................A-1Policy Builder settings ..........................................................................................................A-2

Settings for QA Lab deployment ................................................................................................A-4Settings for Web Services deployment .....................................................................................A-5Settings for Rapid Deployment ...................................................................................................A-6

Glossary

Index

viii

1

Getting Started with BIG-IP Application Security Manager

• Getting started with creating a security policy

• Getting started with the user interface

• Finding help and technical support


Getting started with creating a security policyYou can use the BIG-IP® Application Security Manager™ to develop a security policy that protects your web application server. Using the Deployment wizard, your organization can quickly create a security policy that meets the majority of web application security requirements as outlined in PCI DSS v1.1 section 6, FISMA, HIPAA, and others.

The Deployment wizard takes you through the steps required for creating and deploying security policies for several different scenarios. Before you start using the Deployment wizard, review the following descriptions of each deployment scenario, to help you decide which one is most appropriate for your organization.

Creating a security policy for a production siteWhen you want to develop a security policy for a web application by examining live traffic in a production environment, you can use the Production Site deployment scenario. The system builds the security policy based on statistical analysis of the traffic and the intended behavior of the application. In this environment, the application users could come from many different sources, and the traffic is considered to be untrusted.

Use Production Site deployment for:

• Automatic policy building, where Application Security Manager builds the security policy by a statistical analysis of the traffic

• Actual application traffic, where the traffic used to develop the security policy is from typical clients (untrusted)

To run the Deployment wizard using the Production Site deployment scenario, refer to Chapter 3, Creating a Security Policy Automatically.

Creating a security policy for a QA lab or test siteYou can use the QA Lab deployment scenario to develop a security policy for an environment where the traffic is generally considered safe, such as internal corporate traffic or traffic in a QA lab. In this environment, you generally know who the application users are, and trust that their traffic is not detrimental or malicious.

Use QA Lab deployment for:

• Automatic policy building, where Application Security Manager builds the security policy based on the traffic

• Trusted traffic, where the traffic used to develop the security policy is considered safe

To run the Deployment wizard using the QA Lab deployment scenario, refer to Chapter 3, Creating a Security Policy Automatically.

BIG-IP® Application Security Manager™: Getting Started Guide 1 - 1

Chapter 1

Creating a security policy for a web service or XML applicationIf you want to develop a security policy for a web service or XML application, use the Web Services deployment scenario. The system provides learning suggestions, but some manual intervention is required for creating security policies.

Use Web Services deployment when you want to protect either of the following types of applications:

• Web services or XML applications

• Applications that use a WSDL or XML schema document

To run the Deployment wizard using the Web Services deployment scenario, refer to Chapter 4, Creating a Security Policy for Web Services.

Creating a security policy from a templateIf you want to work with a preconfigured security policy, use the Manual Deployment scenario. The security policy created is usable as is, and you can optionally add security features to enhance it. When using the Manual Deployment scenario, you can select one of the following options:

◆ Rapid Deployment You want to deploy quickly a preconfigured security policy that provides application security protection against known vulnerabilities.

Refer to Chapter 5, Creating a Security Policy Using Rapid Deployment, for more information.

◆ Application-Ready Security PolicyYou want to use a preconfigured security policy for one of the following enterprise applications:

• Microsoft® ActiveSync® 1.0 or 2.0

• Lotus® Domino® 6.5

• Microsoft® Outlook Web Access® Exchange (2003 and 2007)

• Microsoft® Outlook Web Access® Exchange (2003 and 2007) with ActiveSync®

• Microsoft® SharePoint (2003 and 2007)

• SAP® NetWeaver® 7

• Oracle® 10g

• Oracle® Applications 11i

• PeopleSoft® Portal 9

• WhiteHat Sentinel Baseline

Refer to Chapter 6, Deploying an Application-Ready Security Policy, for more information.

1 - 2


Getting started with the user interfaceThe browser-based graphical user interface for the BIG-IP system is called the Configuration utility. You log on and use the Configuration utility to set up the system and configure the Application Security Manager.

Figure 1.1 shows the Welcome screen.

Figure 1.1 Welcome screen


Chapter 1

Overview of components of the Configuration utilityThe Configuration utility contains the following components:

◆ The identification and messages areaThe identification and messages area of the Configuration utility is the screen region that is above the navigation pane, the menu bar, and the body. In this area, you find the system identification, including the host name, and management IP address. This area is also where certain system messages display, for example Activation Successful, which appears after a successful licensing process.

◆ The navigation paneThe navigation pane, on the left side of the screen, contains the Main tab, the Help tab, and the About tab. The Main tab provides links to the major configuration objects. The Help tab provides context-sensitive help for each screen in the Configuration utility. The About tab provides overview information about the BIG-IP system.

◆ The menu barThe menu bar, which is above the body, provides links to additional screens.

◆ The bodyThe body is the screen area where the configuration settings display, and where the user configures the system.

Browser supportThe Application Security Manager works with a majority of the commonly available web browsers, for example, Microsoft® Internet Explorer® and Mozilla® Firefox®. For the most current list of the supported browsers, refer to the current release note on the Ask F5SM Knowledge Base web site, https://support.f5.com.

1 - 4


Finding help and technical supportYou can find additional technical documentation and product information using the following resources.

◆ Online helpApplication Security Manager provides online help for each screen. The online help contains descriptions of each control and setting on the screen. Click the Help tab in the navigation pane to view the online help.

◆ Welcome screen The Welcome screen contains links to many useful web sites and resources, including the Ask F5SM Knowledge Base, the F5 Solution Center, the F5 DevCentral web site, plug-ins, SNMP MIBs, and SSH clients. The screen is shown previously in Figure 1.1, on page 1-3.

◆ F5 Technical Support web siteThe F5 Technical Support web site, https://support.f5.com, provides the latest documentation for the product. To access this site, you need to register at https://support.f5.com.

Exploring related documentation

Important

This guide is written with the assumption that you have installed the BIG-IP system, and have licensed and provisioned the Application Security Manager on the system. Refer to the product documentation (described following) if you need more information on these tasks.

In addition to this guide, you can refer to several other documents for details about the BIG-IP system and Application Security Manager. The complete documentation set is available on the F5 Technical Support web site, https://support.f5.com.

The following guides are particularly useful for configuring Application Security Manager:

◆ Configuration Guide for BIG-IP® Application Security Manager™This guide explains how to fine-tune security policies to include additional security, such as anomaly detection, CSRF protection, sensitive data masking, and antivirus protection through an ICAP server. It also describes security reporting tools.

◆ BIG-IP® Systems: Getting Started GuideThis guide describes all the setup tasks you must complete to install, license, provision, and configure initial settings for any BIG-IP system.

◆ TMOS® Management Guide for BIG-IP® SystemsThis guide contains information you need to configure and maintain the network and system-related components of the BIG-IP system, such as configuring VLANs, assigning self IP addresses, creating administrative user accounts, and maintaining high availability.


Chapter 1

◆ Configuration Guide for BIG-IP® Local Traffic Manager™This guide contains information you need for configuring the BIG-IP system to manage local network traffic, such as creating virtual servers and load balancing pools, configuring application and protocol profiles, implementing health monitors, and setting up remote authentication.

◆ Platform GuidesThe platform guides include information about the BIG-IP system hardware.

1 - 6

2

Performing Basic Configuration Tasks

• Getting started with basic configuration tasks

• Configuring a VLAN

• Configuring a self IP address

• Defining a local traffic pool

• Defining an application security class

• Creating a virtual server

• Optional network configuration tasks


Getting started with basic configuration tasksYou must complete several essential network configuration tasks before you can run the Application Security Manager™ Deployment wizard to create a security policy. This chapter describes the minimum tasks that must be completed.

For detailed information about the network management and system management options that are available on a BIG-IP® system, refer to the TMOS® Management Guide for BIG-IP® Systems. For detailed information about the local traffic configuration options, refer to the Configuration Guide for BIG-IP® Local Traffic Manager™.

Important

Each network topology is unique. When defining network settings for the deployment scenarios, you must make any necessary configuration adjustments to address the specific requirements of your network.

The basic network configuration tasks you must complete are:

◆ Define a VLAN.A VLAN is a group of one or more hosts on a local area network (LAN) that operate in the same IP address space. See Configuring a VLAN, on page 2-3, for more information.

◆ Define a self IP address.A self IP address is an IP address that you associate with a VLAN, to access hosts in that VLAN. See Configuring a self IP address, on page 2-4, for more information.

◆ Define a local traffic pool.The local traffic pool contains the web server or application server resources that host the web application that you want to protect with a security policy. You create the local traffic pool, and then associate the pool with an application security class. See Defining a local traffic pool, on page 2-5, for more information.

◆ Define an application security class.Application security classes filter HTTP requests to determine which traffic the Application Security Manager inspects. When you define an application security class, the system automatically creates a corresponding web application and a default security policy in the Application Security Manager configuration. See Defining an application security class, on page 2-6, for more information.

◆ Create a virtual server that uses the application security class as a resource.The local traffic virtual server load balances the network resources that host the web application you are securing. You configure the virtual server, and then associate the application security class with it. See Creating a virtual server, on page 2-7, for more information.


Chapter 2

◆ Optional network configuration optionsThe BIG-IP system has several additional configuration options available, to help you further customize the network and system setup. See Optional network configuration tasks, on page 2-8, for more information.

Important

The tasks described in this chapter begin after you have installed the BIG-IP system, activated the license, and configured the appropriate network settings for the BIG-IP system itself, for example, the management port. If you have not yet completed these activities, refer to the BIG-IP® Systems: Getting Started Guide and the TMOS® Management Guide for BIG-IP® Systems for additional information.

2 - 2


Configuring a VLANThe first task in configuring the local traffic network is to create a VLAN. A VLAN (virtual local area network) is a logical subset of hosts on a local area network (LAN) that operate in the same IP address space. For BIG-IP systems, you create a VLAN, and then associate physical interfaces with that VLAN. In this way, any host that sends traffic to a BIG-IP system interface is logically a member of the VLAN or VLANs to which that interface belongs.

To configure a VLAN

1. On the Main tab of the navigation pane, expand Network, and then click VLANs.The VLAN List screen opens.

2. Click the Create button.The New VLAN screen opens.

3. In the Name box, type a unique name for the VLAN.

4. For the Interfaces setting, click an interface number or trunk name in the Available box, and use a Move button (<< or >>) to move the interface number to the Untagged box. Repeat this step as necessary.

5. Click Finished.The screen refreshes, and displays the new VLAN in the VLAN list.

Tip

For detailed information about working with VLANs on BIG-IP systems, see the Configuring VLANS and VLAN Groups chapter in the TMOS® Management Guide for BIG-IP® Systems.


Chapter 2

Configuring a self IP addressOnce you have created a VLAN, you can configure a self IP address. A self IP address is an IP address that you associate with a VLAN, to access hosts in that VLAN.

To configure a self IP address

1. On the Main tab of the navigation pane, expand Network, and then click Self IPs.The Self IP List screen opens.

2. Click the Create button.The Self IPs screen opens.

3. In the IP Address box, type the self IP address that you want to assign to a VLAN.

4. In the Netmask box, type a netmask.

5. For the VLAN setting, select the name of the VLAN to which you want to assign the self IP address.

6. Click Finished.The screen refreshes, and displays the new self IP address in the list.

Tip

For detailed information about self IP addresses, see the Configuring Self IP Addresses chapter in the TMOS® Management Guide for BIG-IP® Systems.

2 - 4


Defining a local traffic poolThe next configuration task is to define a local traffic pool. The local traffic pool contains the resources, for example, application servers and database servers, that host the actual web application content that you want to protect with the Application Security Manager.

The following procedure outlines basic pool configuration. For detailed information on configuring pools, refer to the Configuration Guide for BIG-IP® Local Traffic Manager™.

To define a local traffic pool

1. On the Main tab of the navigation pane, expand Local Traffic, and then click Pools.The Pool List screen opens.

2. Click the Create button.The New Pool screen opens.

3. In the Configuration area, in the Name box, type a name for the pool.

4. In the Resources area, for the New Members setting, in the Address box type the IP address for the web server or application server that hosts the web application.

5. In the Service Port box, type the service port number (for example, type 80 for the HTTP service), or select a service name from the list.

6. Click the Add button to add the resource to the New Members list.

7. Click the Finished button.The screen refreshes and the system displays the new pool in the list.


Chapter 2

Defining an application security classThe next task is to configure an application security class. The application security class filters the incoming HTTP traffic, and forwards traffic that matches the filters to the Application Security Manager for security inspection.

When you configure an application security class, the system automatically creates a default web application in the Application Security Manager configuration. For more information on application security classes, see the Working with Application Security Classes chapter in the Configuration Guide for BIG-IP® Application Security Manager™.

To create an application security class

1. On the Main tab of the navigation pane, expand Application Security, and then click Classes.The HTTP Class Profiles screen opens.

2. Click the Create button.The New HTTP Class Profile screen opens.

3. In the General Properties area, in the Name box, type a name for the application security class.

Tip: This name is also used for the web application so you may want to use a name that relates to the application name.

4. In the Configuration area, leave all of the settings at the defaults.

5. In the Actions area, check the Custom check box located at the right of the Send To setting and select Pool.The screen refreshes, and you see additional settings.

6. For the Pool setting, select the local traffic pool that you created.

7. Click Finished.The system adds the class, the default web application, and the corresponding security policy to the configuration, and displays the HTTP Class Profiles screen.

Note

Although you can create an application security class from the Local Traffic section on the Main tab, F5 Networks strongly recommends that you follow the steps above, beginning from Application Security instead because this method enables the Application Security setting by default. The setting is not enabled by default when you initiate the class creation from the Local Traffic section. If the Application Security setting is not enabled, you effectively turn off application security for the associated web application.

2 - 6


Creating a virtual serverThe next task is to define a virtual server on the local area network. A virtual server is a traffic-management object that is represented by an IP address and a service. When a virtual server receives a request, it distributes that request to the appropriate back-end resources. That distribution includes applying the application security class to incoming HTTP traffic.

The following procedure outlines the basic virtual server configuration. For detailed information on virtual servers, and other local traffic components, refer to the Configuration Guide for BIG-IP® Local Traffic Manager™.

Important

For virtual servers that load balance resources for a web application that is protected by the Application Security Manager, you must configure an HTTP profile in addition to the application security class. Refer to steps 6 and 7 in the following procedure.

Tip

If you are creating an SSL virtual server, refer to the Managing SSL Traffic chapter of the Configuration Guide for BIG-IP® Local Traffic Manager™.

To create a virtual server

1. On the Main tab of the navigation pane, expand Local Traffic, and then click Virtual Servers.The Virtual Server List screen opens.

2. Click the Create button.The New Virtual Server screen opens.

3. In the Name box, type a name for the virtual server.

4. In the Destination option, select Host, and type an IP address.

5. In the Service Port box, type 80 or select HTTP from the list.

6. Above the Configuration area, select Advanced.The screen refreshes, and displays additional configuration options.

7. In the Configuration area, for the HTTP Profile setting, select http. Note that this step is required.

8. For the SNAT Pool setting, select Auto Map.

9. In the Resources area, for the HTTP Class Profiles setting, from the Available list, select the application security class that you created, and click the Move button (<<) to add the class to the Enabled list.

10. Click Finished.The system updates the configuration, and the Virtual Server list screen opens, where you can see your newly created virtual server.


Chapter 2

Optional network configuration tasksMany other network configuration options are available on the BIG-IP system. Depending on your network environment, you may need to configure the following additional networking features of the BIG-IP system:

• DNS

• NTP

• Routes

• Packet filters

• Spanning tree

• Trunks

• ARP

• Redundant system

Refer to the TMOS® Management Guide for BIG-IP® Systems for detailed information on configuring these and other options.

2 - 8

3

Creating a Security Policy Automatically

• Overview of creating a security policy with the Real Traffic Policy Builder

• Creating a security policy

• Fine-tuning the security policy

• Reviewing security policy status

• Updating attack signatures automatically

• Adding more security protection


Overview of creating a security policy with the Real Traffic Policy Builder

You can use the Application Security Manager™ to automatically build a security policy that is tailored to your environment. The automatic policy building tool is called the Real Traffic Policy Builder™. The Real Traffic Policy Builder (referred to as the Policy Builder) creates a security policy based on settings that you configure using the Deployment wizard, and the characteristics of the traffic going to and from the web application that the system is protecting.

You can use the procedure described in this chapter to create a security policy for either a production site exposed to untrusted traffic or a QA site where traffic is trusted.

Important

The procedures in this deployment start after you have configured the network settings that are appropriate for your environment. Refer to Chapter 2, Performing Basic Configuration Tasks, if you have not yet configured network connectivity.

Designing security to meet your requirementsBefore you get started, consider your answers to the following questions so that you can design a security policy to meet your needs:

◆ Will you initially deploy the security policy you are developing in a production environment or a trusted QA environment?Some companies develop a security policy in a test lab within the corporate network before putting it into production. The QA Lab scenario develops the policy faster because the traffic is trusted. The Production Site scenario develops a security policy with exposure to untrusted Internet traffic; how long it takes depends on the amount of type of traffic on the application web site.

◆ Do you want to create a security policy for a web service that uses XML? If so, refer to Chapter 4, Creating a Security Policy for Web Services.

◆ What features of the web application require protection? What type of security policy do you want the system to create?You can select a security policy type, that is, fundamental, enhanced, or complete. A fundamental policy type protects fewer application entities, enhanced protects additional entities, and the complete policy type protects even more entities. The Deployment wizard, shown in Figure 3.1, on page 3-2, describes what is included in each of the policy types.

◆ How strict do you want to make the rules for building a security policy?You can set the strictness of the rules. A security policy built with loose rules requires less traffic to determine the policy settings, whereas a policy built with strict rules requires a larger traffic sample to determine the policy settings.


Chapter 3

Figure 3.1 shows the configure Automatic Policy Building screen of the Deployment wizard, where you configure how you want the Policy Builder to develop the security policy.

Figure 3.1 Configure automatic policy building screen showing policy types

The policy type you choose depends on how strict you want the security policy to be. It is useful to understand basically how the application works, and generally how many people use it on a typical day. This information is useful when determining whether to set the rules to Loose or Tight. Setting the rules to Loose causes the system to build and enforce the security policy with fewer requests. If many users access the application daily, you can use the Tight setting, thus developing the security policy from more requests.

Once you have an idea about the type of security policy you want to develop, you can get started.

3 - 2


Creating a security policyApplication Security Manager can automatically create a tailored security policy for your web application in either a production or QA environment. You use the Deployment wizard to guide you through the tasks required to start automatic security policy creation. For example, Figure 3.2 shows a web application, called webapp, ready to start the Deployment wizard.

Figure 3.2 Configure Security Policy link starts the Deployment wizard

You can create a security policy only if you have already configured the basic local traffic settings, as described in Chapter 2, Performing Basic Configuration Tasks.

To create a security policy

1. On the Main tab of the navigation pane, expand Application Security and click Web Applications.The Web Applications screen opens.

2. Locate the web application you want to protect and click the Configure Security Policy link next to it.The Deployment wizard opens the Select Deployment Scenario screen.

Tip: The application name matches the class name created in Defining an application security class, on page 2-6.

3. On the Select Deployment Scenario screen, for Deployment Scenario, click the appropriate option:

• Production Site (Untrusted Traffic)Select this option if the system is in a production area.

• QA Lab (Trusted Traffic)Select this option if the system is in a test area within the corporate network, where the application is used only as intended (no malicious requests).

• Web Services (XML + WSDL/User Schema)Select this option for web services or XML applications, and refer to Chapter 4, Creating a Security Policy for Web Services.

• Manual DeploymentSelect this option to use the rapid deployment policy or one of the preconfigured baseline security templates. For rapid deployment, see Chapter 5, Creating a Security Policy Using Rapid Deployment; for security policy templates, see Chapter 6, Deploying an Application-Ready Security Policy.


Chapter 3

4. Click Next.The Configure Web Application Properties screen opens.

5. For Application Language, use one of the following options:

• Leave the setting at the default value, Auto detect.When Policy Builder starts, it determines the language encoding based on application data.

• From the list, select a specific language encoding.

6. Click Next.The Configure Attack Signatures screen opens.

7. For the Systems setting, from the Available Systems list, select the systems that apply to your web application and move them into the Assigned Systems list.

8. Click Next.The Configure Automatic Policy Building screen opens.

9. For Policy Type, select one of the following options to determine the security features to include in the policy:

• Fundamental (the default policy type)

• Enhanced

• Complete

The screen lists what security features are included in each type.

10. For Rules, move the slider to change the strictness of the rules:

• Loose builds a security policy quickly based on a smaller request sample; for example, useful for web sites with less traffic.

• Middle builds a security policy based on a medium number of requests. This is the default setting, and the one to use if you are not sure about the amount of traffic on the application web site.

• Tight builds a security policy based on a large request sample; for example, useful for web sites with lots of traffic.

11. For Trusted IP Addresses, specify which IP addresses to consider safe:

• All specifies that the policy trusts all IP addresses. This is the default setting for the QA deployment scenario.

• Address List specifies that you will add networks to consider safe. Type the IP address and netmask, then click Add. This is the default setting for the Production Site scenario.

12. Click Next to start checking for traffic. When the system detects traffic going to the web application, the Policy Builder starts and automatically begins creating the security policy. The Automatic Policy Building Status screen opens where you can view the current state of the security policy.

3 - 4


Fine-tuning the security policyWhen you finish running the Deployment wizard, you have created a basic security policy to protect your web application. The Policy Builder starts examining the application traffic and fine-tunes the security policy using the guidelines you configured.

The Policy Builder continues running and building the security policy in the following order:

• Adds policy elements that meet the criteria for being legitimate

• Configures attack signatures in the security policy

• Stabilizes the security policy when sufficient sessions over a period of time include the same elements

• Includes new elements if the site changes

For a summary of the default settings used when creating security policies, refer to Appendix A, Deployment Scenario Settings.

Reviewing security policy statusThe Policy Builder automatically discovers and populates the security policy with the policy elements (such as file types, URLs, parameters, and cookies). As the Policy Builder runs, you see status messages in the identification and messages area of the screen. The Policy Builder adds to the security policy, and you can monitor the general progress.

You can monitor the general progress of the Policy Builder, see what policy elements the system has learned, and view the details of the security policy on the Automatic Policy Building Status screen.

Figure 3.3, on page 3-6, shows an example of the Automatic Policy Building Status screen for a web application called class1, with these characteristics:

• It was created using the Production site deployment scenario.

• The traffic is untrusted.

• The Policy Builder has added 4 file types, 9 URLs, 3 parameters, and 1 cookie based on the application traffic.

• The security policy is about 25% complete.

• The system is tracking site changes.


Chapter 3

Figure 3.3 Automatic policy building status showing security policy summary

To review automatic policy building status

1. On the Main tab of the navigation pane, expand Application Security, point to Automatic Policy Building, and click Status. The Automatic Policy Building Status screen opens.

2. In the editing context area near the top of the screen, verify that the edited security policy is the one whose status you want to review.

3 - 6


3. Review the messages in the identification and messages area to learn about what is currently happening on the system. For example, messages say when the Policy Builder is enabled, when the security policy was last updated, and the number of elements that were added.

4. Review the status of the security policy:

• For State, the status says one of the following:

• Enabled means the system is configured correctly, and the Policy Builder is processing traffic.

• Detecting Language means the system is still detecting the language of the web application. The Policy Builder is enabled, but it does not add elements to the security policy until the language is set. Note that the system can determine the language only after it receives application traffic.

• Disabled means the system may not be detecting traffic. Check your network configuration. For basic configuration details, see Chapter 2, Performing Basic Configuration Tasks.

• General Progress shows a progress bar that indicates the stability level of the security policy. The progress bar reaches 100% when the policy is stable, no new policy elements need to be added, and time and traffic thresholds have been reached.

5. In the Policy Elements Learned table, review the number of elements that the Policy Builder has analyzed and added to the security policy.

6. Optionally, in the Details tree view, click any item to learn more about that security policy element, what the system has seen so far, and what it will take to accept the element as legitimate.

For example, Figure 3.4, on page 3-8, shows the file types that the Policy Builder has learned and put in staging.


Chapter 3

Figure 3.4 Details about the file types in staging

When enough traffic from unique sessions occurs over a period of time, the system starts to enforce the file types and other elements in the security policy. When enforced as part of a stable policy, the files types and other elements are removed from the staging list.

Figure 3.5, on page 3-9, shows a security policy that has stabilized, and the progress bar has reached 100%. This means that the security policy is not causing false positives, it is not changing, and it is stable.

3 - 8


Figure 3.5 Example of stabilized security policy

If the application web site changes and the system identifies the changes as legitimate, the system adds the new elements to the security policy and puts them in staging. The system enforces the elements in the security policy when sufficient traffic and instances of the elements have occurred and do not cause violations.

Updating attack signatures automaticallyAttack signatures are rules or patterns that identify attacks or classes of attacks that could pose a threat to your web application. The Application Security Manager includes an extensive set of attack signatures. Because new application threats are constantly being developed, F5 Networks provides attack signature updates to protect applications from the new threats. You can configure the system so that it automatically updates the attack signatures when updates become available.

To schedule automatic attack signature updates

1. On the Main tab of the navigation pane, expand Application Security, point to Options, Attack Signatures, and then click Attack Signatures Update.The Attack Signatures Update screen opens.

2. For Update Mode, click Scheduled.

3. For the Update Interval, specify how often you want the system to check for updates (daily, weekly, or monthly).

4. If you want the system to update all active security policies, leave the Auto Apply Policy After Update box checked.

5. Click the Save Settings button.


Chapter 3

The chapter called Working with Attack Signatures in the Configuration Guide for BIG-IP® Application Security Manager™ provides more information about attack signatures. For details about allowing signature file updates through a firewall or an HTTPS proxy, refer to Solution 8217, Updating the BIG-IP ASM attack signatures, on the F5 technical support web site (https://support.f5.com).

Adding more security protectionThe Application Security Manager provides additional security protections that you can configure, such as:

• Anomaly detection

• CSRF protection

• Sensitive data masking

• Antivirus protection through an ICAP server

For details about these and other security features that you can add to the security policy, refer to the Configuration Guide for BIG-IP® Application Security Manager™.

3 - 10

4

Creating a Security Policy for Web Services

• Overview of creating a security policy for web services

• Creating a web service security policy

• Creating an XML profile

• Developing the security policy using traffic

• Fine-tuning the security policy

• Enforcing the security policy

• Customizing the blocking response page


Overview of creating a security policy for web services

The Application Security Manager™ can create a security policy to verify XML format, and validate XML document integrity against a WSDL or XSD file. The security policy can also handle encryption and decryption for web services.

The Web Services deployment scenario in the Deployment wizard leads you through the steps required to create a security policy to protect web services or XML transactions.

Important


Designing XML security for your applicationBefore you get started, you need to understand a bit about the application you are developing a security policy for. For example, you need to know the answers to the following questions:

◆ Does the web application use a WSDL or XML schema (XSD) file to validate the XML documents?Some web services use a WSDL or XML schema document to validate whether the incoming traffic complies with XML language rules. If the application uses a WSDL or XSD file, you need a copy of the file.

◆ Does the application use a URL or parameter to point to the XML documents that you want to protect?You will need to know the URL or parameter that the application uses.


Chapter 4

Creating a web service security policyApplication Security Manager can create a security policy tailored to protect a web services application. You use the Deployment wizard to guide you through the tasks required for initiating automatic security policy creation.

For example, Figure 4.1 shows the webapp web application ready to start the Deployment wizard.

Figure 4.1 Configure Security Policy link starts the Deployment wizard

You can create a security policy only if you have already configured the basic local traffic settings, as described in Chapter 2, Performing Basic Configuration Tasks.

To create a security policy for a web service


2. Locate the XML web application you want to protect and click the Configure Security Policy link next to it. The Deployment wizard opens the Select Deployment Scenario screen.


3. For Deployment Scenario, select Web Services (XML + WSDL/User Schema) and click Next.The Configure Web Application Properties screen opens.

4. For the Application Language setting, select the language encoding to determine the character set for URLs, parameter names, and parameter values in the web application.



Tip: It is best to apply only the attack signatures for the systems that are in your environment, not all of them.

The system adds the attack signatures for the systems you selected.

4 - 2


7. Click Next.The Create New XML Profile screen opens and displays the message: The initial configuration of the web application is complete. You can now create a new XML profile.

Continue with the next task, Creating an XML profile, following.

Creating an XML profileThe next task in this deployment is to create and configure an XML profile to define the XML properties that you want the security policy to enforce. You can create a basic XML profile, one with WSDL validation, or one with XML schema file validation. Note that the steps in this part of the Deployment wizard differ depending on which type of XML profile you are creating.

• To create a basic XML profile, see Creating a basic XML profile, following.

• To create an XML profile that validates XML against a WSDL document, see Creating an XML profile with WSDL validation, on page 4-5.

• To create an XML profile that validates XML against an XML schema file, see Creating an XML profile with XML schema validation, on page 4-7.

Note

For detailed information on working with XML profiles and web services encryption, refer to the Protecting XML Applications chapter in the Configuration Guide for BIG-IP® Application Security Manager™.


Chapter 4

Creating a basic XML profileAfter you finish creating a security policy for a web services application, the Deployment wizard takes you to where you can create an XML profile. The XML profile provides defense configuration, which defines formatting and attack pattern checks for XML data. The default defense configuration level is high, which is the strictest defense level.

Before you can complete this task, you must have created a security policy using the Web Services deployment scenario, as described in Creating a web service security policy, on page 4-2.

To create a basic XML profile

1. If you are on the Create New XML screen, skip to step 2. If not, in the navigation pane, expand Application Security, and next to

XML Profiles, click the (Create) icon.The Create New XML Profile screen opens.

2. On the Create New XML Profile screen, for Profile Name, type a unique name for the XML profile.

3. Click Create.The Associate XML Profile screen opens.

4. For the Associate XML Profile setting, specify whether the XML profile is associated with a URL or a parameter:

• URL validates XML data found in requests to this URL.

• Parameter validates XML data in a parameter; also select the parameter level:

• Global Parameter specifies that this is a global parameter that has no association with URLs.

• URL Parameter specifies that this parameter is associated with a specific URL, a protocol (HTTP or HTTPS), and a target URL path.

5. Click Next, and proceed to the next task.

• If you selected URL in step 3, the New URL screen opens. Refer to To create a new URL, on page 4-8, to continue with the wizard.

• If you selected Global Parameter in step 3, the Add Parameter screen opens. Refer to To create a new global parameter, on page 4-8 to continue with the wizard.

• If you selected URL Parameter in step 3, the New URL screen opens. Refer to To create a new URL parameter, on page 4-8, to continue with the wizard.

4 - 4


Creating an XML profile with WSDL validation When you create an XML profile that validates the configuration based on the contents of a WSDL document, the system populates the security policy with the URLs and methods in the WSDL document. The resulting security policy then enforces the allowed (or disallowed) methods for the Web services application.

You can also enable encryption and decryption of web services. For details on how to configure encryption, refer to Implementing web services security, in Chapter 12 of the Configuration Guide for BIG-IP® Application Security Manager™.

To create an XML profile with WSDL validation

1. On the Create New XML Profile screen, in the Create Profile area, in the Profile Name box, type a unique name for the XML profile.

2. In the Validation Configuration area, for the File option of the Configuration Files setting, click Browse and navigate to the WSDL document.

3. Click Upload.The screen displays the uploaded files.

4. For the Follow Schema Links setting, clear the check box if you do not want the system to retrieve referenced links that are in the WSDL document. By default, this setting is enabled.

5. To permit SOAP messages to contain attachments, check the Allow Attachments in SOAP Messages box.

6. If you do not want the system to validate SOAPAction headers, click to clear the Validate SOAPAction Header check box. By default, this setting is enabled.

7. In the Valid SOAP Methods setting, for any method that you do not want the system to permit, clear the Enabled check box. By default, all methods are enabled.

8. Click Create.In most cases, the system automatically associates a URL or parameter with the application based on a WSDL file, and displays the new XML profile on the XML Profiles screen. Continue with Developing the security policy using traffic, on page 4-9.

9. If a URL was not automatically associated, the Associate XML Profile screen opens where you can associate a URL or parameter with the profile.

a) For Associate XML Profile, select URL or Parameter.

b) If you select Parameter, also select the parameter level (either Global Parameter or URL Parameter).


Chapter 4

10. Click Next, and proceed to the next task.

• If you selected URL in step 9, the New URL screen opens. Refer to To create a new URL, on page 4-8, to continue with the wizard.

• If you selected Global Parameter in step 9, the Add Parameter screen opens. Refer to To create a new global parameter, on page 4-8, to continue with the wizard.

• If you selected URL Parameter in step 9, the New URL screen opens. Refer to To create a new URL parameter, on page 4-8, to continue with the wizard.

4 - 6


Creating an XML profile with XML schema validationYou can create an XML profile that validates XML transactions based on an XML schema file (*.xsd).

To create an XML profile with XML schema validation

1. On the XML Profiles screen, in the Create Profile area, in the Profile Name box, type a unique name for the XML profile.

2. For the File setting, click Browse and navigate to the XML schema file.

3. Click Upload.The screen displays the uploaded files.

4. For the Follow Schema Links setting, clear the check box if you do not want the system to retrieve referenced links that are in the XML schema file. By default, this setting is enabled.

5. To permit SOAP messages to contain attachments, check the Allow Attachments in SOAP Messages box.

6. Click Create.The Associate XML Profile screen opens.

7. For the Associate XML Profile setting, specify whether the XML profile is associated with a URL or a parameter:

• URL validates XML data found in requests to this URL.

• Parameter validates XML data in a parameter; also select the parameter level:

• Global Parameter specifies that this is a global parameter that has no association with URLs.

• URL Parameter specifies that this parameter is associated with a specific URL, a protocol (HTTP or HTTPS), and a target URL path.

8. Click Next.The response (next step) is dependent on your previous choice:

• If you select URL in step 7, the New URL screen opens. Refer to To create a new URL, on page 4-8, to continue with the wizard.

• If you select Global Parameter in step 7, the Add Parameter screen opens. Refer to To create a new global parameter, on page 4-8, to continue with the wizard.

• If you select URL Parameter in step 7, the New URL screen opens. Refer to To create a new URL parameter, on page 4-8, to continue with the wizard.


Chapter 4

Associating an XML profile with a URL or parameterThe Deployment wizard guides you to one of the following tasks, based on which type of URL or parameter you decided to associate with the XML profile. Depending on your choice, the system takes you to a screen where you can create the URL, global parameter, or URL parameter that contains the XML document that the application uses.

To create a new URL

1. On the New Allowed URL screen, for the URL setting, type the explicit URL or wildcard URL that represents the web application.

2. Click Next.The URL List screen opens. Refer to Developing the security policy using traffic, on page 4-9, to continue with the Deployment wizard.

To create a new global parameter

1. On the Add Parameter screen, for the Parameter Name setting, type the name of the parameter.

2. Click Create.The Parameters List screen opens. Refer to Developing the security policy using traffic, on page 4-9, to continue with the Deployment wizard.

To create a new URL parameter

1. On the New Allowed URL screen, for the URL setting, type the explicit URL or a wildcard URL.

2. Click Next.The Add Parameter screen opens.

3. For the Parameter Name setting, type a name for the parameter.

4. Click Create.The URL Parameters screen opens. Refer to Developing the security policy using traffic, on page 4-9, to continue with the Deployment wizard.

Tip

See the Configuration Guide for BIG-IP® Application Security Manager™ for detailed information on configuring URLs and parameters.

4 - 8


Developing the security policy using trafficOnce you have created a security policy with an XML profile, traffic must be going to the web application in order for the system to provide learning suggestions concerning additions to the security policy. For example, you can have users or testers browse the web application. The Deployment wizard verifies that the application servers are receiving traffic, and processes the traffic to gather the information needed to create the security policy. The system provides status messages in the identification and messages area near the top of the screen to let you know what is happening.

To develop the security policy using traffic

1. In the navigation pane, expand Application Security and click Policy.

2. In the identification and messages area of the screen, you see messages describing the status. Table 4.1 lists examples of the messages you may see, and provides suggested actions.

Status Message Recommended Action

Checking to see if ASM is detecting traffic If you see this message, the Application Security Manager is parsing and analyzing received requests. Allow the system several minutes to analyze requests.

The ASM did not detect any traffic If you see this message, you need to verify the networking configuration (check the VLAN, self IP address, pool, HTTP class, and virtual server). See Chapter 2, Performing Basic Configuration Tasks.

The ASM detected traffic successfully.Waiting for a minimum of 10000 requests and at least one hour from running the wizard.The ASM detected n requests during x minutes and y seconds.

If you see these messages, the Application Security Manager has detected traffic and will sample requests until it processes at least 10,000 requests, and at least one hour has passed since you started the Deployment wizard.

Processing XML violations for at least one hour

After successfully detecting traffic and sampling requests, the Application Security Manager processes XML violations for at least one hour. Based on what it finds in the traffic sample and the violations, Application Security Manager automatically adjusts security policy settings to match the traffic and eliminate false positives. You need to wait until the system samples requests for at least one hour.

The system did not detect any new XML violations over the last hour

For at least an hour, none of the traffic going to or from the application has included XML violations. When you see the message, you can continue with the next task, Fine-tuning the security policy.

Table 4.1 Status messages and suggested actions


Chapter 4

Fine-tuning the security policyWhen analyzing the traffic to and from the XML application, the Application Security Manager generates learning suggestions or ways to fine-tune the security policy to better suit the traffic. The Deployment wizard notifies you, in the identification and messages area of the screen, when the security policy is stable and no XML violations have occurred for at least one hour. You see messages and a link, as shown in Figure 4.2.

.

Figure 4.2 Link to Traffic Learning screen to fine-tune the security policy

The Traffic Learning link takes you to the Traffic Learning screen where you can evaluate each suggestion individually, and decide whether to add it to the policy.

To fine-tune the security policy

1. In the identification and messages area of the screen, click the Traffic Learning link.

Tip: If you do not see the message, in the navigation pane, you can also click Manual Policy Building.

The Traffic Learning screen opens, and lists violations that the system has found against the security policy based on real traffic.

2. In the Traffic Learning area, click each violation hyperlink sequentially, and view the information provided. The screen shows the instances of the violation and the resulting learning suggestions.

3. For each violation, review the specific learning suggestions and decide whether you want to accept or clear the suggestion:

• Accept: Select a learning suggestion, click Accept, and then click Apply Policy.The system updates the security policy to allow the element.

• Clear: Select a learning suggestion, click Clear.The system removes the learning suggestion and continues to generate suggestions for that violation.

• Cancel: Click Cancel to return to the Traffic Learning screen.

4 - 10


4. On the Traffic Learning screen, review the violations and consider whether you want to permit any of them (for example, if a violation is causing false positives). Select the violations you want to allow and click Disable Violation, then OK.The system clears the Learn, Alarm, and Block settings for those violations.

5. To put the security policy into effect immediately, click Apply Policy, then OK.

Note

For more information on the learning process and learning suggestions, refer to the Refining the Security Policy Using Learning chapter in the Configuration Guide for BIG-IP® Application Security Manager™.


Chapter 4

Enforcing the security policyWhen you finish dealing with the learning suggestions for the security policy, and the violations that you see are legitimate (not false positives), you can begin to enforce the security policy. To enforce the security policy, you change the enforcement mode from transparent to blocking.

When the enforcement mode is set to blocking and the violations you want to enforce are set to block, the security policy no longer allows requests that cause these violations to reach the back-end resources. Instead, the security policy blocks the request, and sends the blocking response page to the client.

For more information on the blocking policy, the enforcement mode, and how the system processes requests that trigger violations, refer to the Manually Configuring Security Policies chapter of the Configuration Guide for BIG-IP® Application Security Manager™.

To enforce blocking on the security policy

1. On the Main tab of the navigation pane, expand Application Security, point to Policy, then click Blocking.The Policy Blocking Settings screen opens.

2. For the Enforcement Mode setting, select Blocking.The system activates the Block flags for all the violations. A default set of violations is already set to block.

3. Check or clear the Block check boxes for the violations, as required (or use the default settings).

4. Click the Save button.

5. In the editing context area, click the Apply Policy button to immediately put the changes into effect.

Tip

The Blocking icon (hand) above the editing context area indicates that the security policy is in blocking mode. Click the Blocking icon to see a list of the violations for which the system will block traffic.

4 - 12


Customizing the blocking response pageYou can configure the page that displays on the client screen when a request is blocked. If your XML application does not parse HTML, you may want to use the SOAP Fault blocking response page instead, which is formatted using XML. For more information on the blocking response pages, refer to Configuring the response pages in the Configuration Guide for BIG-IP® Application Security Manager™.

To customize the blocking response page

1. On the Main tab of the navigation pane, expand Application Security, point to Policy, and click Response Page.The Response Page screen opens.

2. In the editing context area, ensure that the edited security policy is the one that you just created.

3. In the Blocking Response Page area, click Edit. The Blocking Response Page Properties screen opens.

4. For the Response Type setting, select SOAP Fault.

5. Click the Save button.The system saves the changes, and opens the Blocking Response Page screen.

6. In the editing context area, click the Apply Policy button to put the changes you have made into effect.

Note

For a summary of the default settings for this security policy, refer to Settings for Web Services deployment, on page A-5.


Chapter 4

4 - 14

5

Creating a Security Policy Using Rapid Deployment

• Overview of Rapid Deployment

• Creating a Rapid Deployment security policy

• Fine-tuning the rapid deployment policy



Overview of Rapid DeploymentThe Rapid Deployment security policy provides security features that minimize the number of false positive alarms and reduce the complexity and length of the deployment period. By default, the Rapid Deployment security policy includes the following security checks:

• Performs HTTP compliance checks

• Stops information leakage

• Prevents illegal methods

• Checks response codes

• Enforces cookie RFC compliance

• Applies attack signatures to requests and responses

With the Rapid Deployment security policy, your organization can quickly create a security policy that meets the majority of web application security requirements. It is a set policy that does not change unless you configure additional security features. For additional information about the Rapid Deployment security policy, see the Working with the Application-Ready Security Policies appendix, in the Configuration Guide for BIG-IP® Application Security Manager™.

Important



Chapter 5

Creating a Rapid Deployment security policyYou can use rapid deployment to create a security policy quickly. The Deployment wizard takes you through the steps required for rapid deployment.

To use rapid deployment


2. Locate the web application you want to protect and click the Configure Security Policy link next to it. The Deployment wizard opens with the Select Deployment Scenario screen.

3. For Deployment Scenario, select Manual Deployment and click Next.The Configure Security Policy Properties screen opens.

4. For Application Language, specify the language encoding of the application.

5. From the Application-Ready Security Policy list, select the appropriate policy:

• For HTTP traffic, select Rapid Deployment security policy (http).

• For HTTPS traffic, select Rapid Deployment security policy (https).



Tip: It is best to apply only the attack signatures for the systems in your environment, not all of them.

8. Click Next.The Policy Configuration Summary screen opens.

9. Review the settings for the new security policy. To change any of the settings, click Back to return to the appropriate screen.

10. If you are satisfied with the security policy configuration, click Finish.The system creates the security policy. For a summary of the default settings for this security policy, refer to Settings for Rapid Deployment, on page A-6.

5 - 2


Fine-tuning the rapid deployment policyOnce you have created a security policy, traffic must be going to the web application for the system to provide learning suggestions concerning additions to the security policy. For example, you can have users or testers browse the web application. When analyzing the traffic to and from the application, the Application Security Manager generates learning suggestions or ways to fine-tune the security policy to better suit the traffic.

When you first create a rapid deployment security policy, it operates in transparent mode (meaning that it does not block traffic). When the system receives a request that violates the security policy, the system logs the violation event, but does not block the request.

To fine-tune the rapid deployment security policy

1. In the navigation pane, expand Application Security and click Manual Policy Building.The Traffic Learning screen opens, and lists violations that the system has found against the security policy based on real traffic.









Chapter 5





1. On the Main tab of the navigation pane, expand Application Security, point to Policy, Blocking, then click Settings.The Blocking Policy screen opens.





5 - 4

6

Deploying an Application-Ready Security Policy

• Overview of application-ready security templates

• Creating an application-ready security policy

• Fine-tuning the application-ready security policy



Overview of application-ready security templatesThe Application Security Manager™ provides application-ready security policies, which are baseline templates for the following enterprise applications:

• Microsoft® ActiveSync® 1.0, 2.0

• Lotus® Domino® 6.5

• Microsoft® Outlook Web Access® Exchange 2003

• Microsoft® Outlook Web Access® Exchange 2007

• Oracle® Portal 10g

• Oracle® Applications 11i

• PeopleSoft® Portal Solutions 9

• SAP® NetWeaver® 7

• Microsoft® SharePoint® 2003

• Microsoft® SharePoint® 2007

• WhiteHat Sentinel Baseline

Important



Chapter 6

Creating an application-ready security policyThe Deployment wizard takes you through the steps required to create an application-ready security policy for one of the supported enterprise applications.

To create a security policy from an application template


2. Locate the web application you want to protect and click the Configure Security Policy link next to it. The Deployment wizard opens the Select Deployment Scenario screen.


3. For Deployment Scenario, select Manual Deployment and click Next.The Configure Security Policy Properties screen opens.

4. For Application Language, specify the language encoding of the application.

5. For the Application-Ready Security Policy setting, select the HTTP or HTTPS security policy template for your enterprise application.

6. For Staging-Tightening Period, type the number of days you want to test the security policy and provide learning suggestions before enforcing it. The default value is 7 days.

7. Click Next.The Policy Configuration Summary screen opens.

8. If you are satisfied with the security policy configuration, click Finish.The system creates the security policy for the enterprise application. For details about the default settings, refer to Appendix B, Working with the Application-Ready Security Policies, in the Configuration Guide for BIG-IP® Application Security Manager™.

6 - 2


Fine-tuning the application-ready security policyOnce you have created a security policy, traffic must be going to the web application for the system to provide learning suggestions concerning additions to the security policy. For example, you can have users or testers browse the web application. When analyzing the traffic to and from the application, the Application Security Manager generates learning suggestions or ways to fine-tune the security policy to better suit the traffic.

When you first create an application-ready security policy, it operates in transparent mode (meaning that it does not block traffic). When the system receives a request that violates the security policy, the system logs the violation event, but does not block the request.

To fine-tune the rapid deployment security policy

1. In the navigation pane, expand Application Security and click Manual Policy Building.The Traffic Learning screen opens, and lists violations that the system has found against the security policy based on real traffic.









Chapter 6





1. On the Main tab of the navigation pane, expand Application Security, point to Policy, Blocking, then click Settings.The Policy Blocking Settings screen opens.





6 - 4

A

Deployment Scenario Settings

• Settings for Production Site deployment

• Settings for QA Lab deployment

• Settings for Web Services deployment

• Settings for Rapid Deployment


Settings for Production Site deploymentThe security policy that is created when you use the Production Site deployment scenario, has the following default settings:

• The enforcement mode is set to Blocking.

• The wildcard match all (*) entities are added for file types, URLs, parameters, and cookies.

• Signature staging is enabled.

• Tightening is enabled for file types.

• The Staging-Tightening Period is set to 7 days.

• The Policy Blocking Settings screen has the Learn, Alarm, and Block flags enabled for the following violations:

• Evasion technique detected (subviolations not enabled)

• HTTP protocol compliance failed (subviolations not enabled)

• Illegal file type

• Illegal meta character in parameter name

• Illegal meta character in URL

• Illegal URL

• Illegal POST data length

• Illegal query string length

• Illegal request length

• Illegal URL length

• Illegal dynamic parameter value

• Illegal meta character in parameter value

• Illegal parameter

• Illegal parameter value length

• Modified domain cookie(s)

• The Policy Blocking Settings screen has the Learn flag enabled for the following violations:

• Illegal method

• Request length exceeds defined buffer size

• The Policy Attack Signature Sets screen has the Learn, Alarm, and Block flags enabled for the assigned signature sets.

• The system is logging illegal requests.

Here are some of the characteristics of the security policy you created:

• The security policy starts out loose, then adds policy elements based on the application traffic, which is all untrusted. (The application traffic in a QA Lab deployment is all trusted, and this is the only difference between the Production Site and QA Lab deployments.)

BIG-IP® Application Security Manager™: Getting Started Guide A - 1

Appendix A

• The enforcement mode is set to Blocking, but nothing is blocked until the Policy Builder sees sufficient traffic, adds elements to the security policy, and enforces the elements.

• Attack signatures are held in staging for 7 days: the system checks, but does not block traffic during the staging period. The system tracks incidents that occur for each attack signature, and provides learning suggestions.

• The Policy Builder enforces elements in the security policy when it has processed sufficient traffic and sessions over a period of time long enough to determine the legitimacy of the file types, URLs, parameters, cookies, methods, and so on.

• The policy building process has stabilized, but the Policy Builder continues running. If the web site for the application changes, the Policy Builder adds policy elements or loosens the security policy, puts the added elements in staging, and enforces the new elements when traffic and time thresholds are met.

Policy Builder settingsWhen you use the Production Site deployment scenario, the Policy Builder starts automatically and uses the following settings:

• Policy Builder treats all IP addresses as untrusted, except those you specified as trusted when using the Deployment wizard.

• The Enable Track Site Changes option is enabled (checked).

• The Collapse to Global option is set to 10.

• The security policy elements that are automatically added to the policy depend on the policy type you selected, as shown in Table A.1.

A - 2


Security Policy Elementautomatically added to the security policy

When you select this policy type

Fundamental Enhanced Complete

HTTP Protocol Compliance X X X

Evasion Techniques Detected X X X

File Types X X X

Lengths X X X

Attack Signatures X X X

URLs X

Meta characters X

Parameters X X

Value Lengths X X

Value Meta Characters X

Name Meta Characters X

Allowed Modified Cookies X X

Allowed Methods X X

Request Length Exceeds Predefined Buffer Size violation X X X

Parameter Level Global URL

Dynamic Parameters Using statistics 10 unique

values sets

Table A.1 Security policy elements for each policy type


Appendix A

Settings for QA Lab deploymentThe security policy created when you use the QA Lab deployment scenario has the same default settings as the Production Site deployment, with the following exception:

• All application traffic is considered to be trusted.

For details on the default settings, refer to Settings for Production Site deployment, on page A-1.

A - 4


Settings for Web Services deploymentThe security policy created when you use the Web Services deployment scenario has the following default settings:

• The enforcement mode is set to Transparent.


• The wildcard match all (*) entities are added for file types, URLs, and parameters.



• The selected attack signature sets are enabled.

• The Policy Blocking Settings screen has the following violations enabled:

• Cookie not RFC-compliant

• Evasion technique detected (subviolations not enabled)

• HTTP protocol compliance failed (subviolations not enabled)

• Illegal file type

• Illegal meta character in parameter name

• Illegal meta character in URL

• Illegal URL

• Illegal POST data length

• Illegal query string length

• Illegal request length

• Illegal URL length

• Illegal attachment in SOAP message

• Illegal dynamic parameter value

• Illegal parameter

• Illegal parameter value length

• Malformed XML data

• SOAP method not allowed

• Web Services Security failure (subviolations are all disabled)

• XML data does not comply with format settings

• XML data does not comply with schema or WSDL document

• Modified ASM cookie

• Modified domain cookie(s)

• The Policy Blocking Settings screen has the Learn flag enabled for the following violations:

• Illegal method



Appendix A

Settings for Rapid DeploymentThe security policy created when you use the Rapid Deployment security policy template has the following default settings:

• The enforcement mode is set to Transparent.

• All file types are allowed.



• The wildcard match all (*) entities are added for file types, URLs, parameters, and cookies.


• The signature sets you selected are enabled.

• The Policy Blocking Settings screen has the following violations enabled:

• Cookie not RFC-compliant

• Evasion technique detected (all subviolations enabled)

• HTTP protocol compliance failed (selected subviolations enabled)

• Mandatory HTTP header is missing

• Illegal HTTP status in response

• Illegal method


• Failed to convert character

• Modified ASM cookie

• The Policy Blocking Settings screen has the Learn and Alarm flags enabled for the Information leakage detected violation.

A - 6

Glossary

Glossary

active security policy

The active security policy is the security policy whose criteria are determining the legitimacy of incoming requests for the web application. A web application can have only one active policy at a time.

application-ready security policy

An application-ready security policy is a security policy template that is preconfigured with the appropriate settings for specific enterprise applications.

application security class

An application security class is the logical bridge, or link, between the local traffic components and the application security components of a BIG-IP system. You use the application security class to specify to which incoming HTTP traffic the system applies application security.

attack signature

An attack signature is a rule or pattern that the system compares with traffic to identify attacks on a web application and its components. See also attack signature set.

attack signature set

An attack signature set is a group of individual attack signatures. Rather than apply individual attack signatures to a security policy, you apply one or more attack signature sets. See also attack signature.

blocking actions

The blocking actions specify what happens when a request does not comply with the active security policy. The blocking actions include the Learn flag, the Alarm flag, and the Block flag. When enabled, the Policy Enforcer processes the requests according to the flags. See also blocking mode, blocking policy.

blocking mode

A security policy is in blocking mode when the enforcement mode is blocking, and one or more Block flags are enabled. In blocking mode, when a request triggers a violation, rather than forwarding the request to the corresponding web application, the Application Security Manager returns the blocking response page, which includes a Support ID, to the client. See also enforcement mode, Support ID, transparent mode.

blocking policy

The blocking policy specifies how the Policy Enforcer processes a request (or response) that does not comply with the active security policy. The blocking policy is made up of the enforcement mode and the blocking actions (Learn, Alarm, and Block flags). See also blocking mode, blocking actions.

BIG-IP® Application Security Manager™: Getting Started Guide Glossary - 1

Glossary

blocking response page

The blocking response page is the default response page that the Policy Enforcer returns to a client when the client request, or the web server response, is blocked by the security policy.

character set

A character set is a collection of alphanumeric and meta characters for a language.

deployment scenarios

When you use the Deployment wizard, deployment scenarios represent several typical environments that specify how to build the security policy.

Deployment wizard

The Deployment wizard automates the fundamental tasks required to initially build and deploy a security policy.

enforcement mode

The enforcement mode determines what actions the Policy Enforcer takes when a request or response triggers a security policy violation. See also blocking mode, transparent mode.

entity

An entity is one of the many components of a web application. File types, URLs, flows, parameters, headers, methods, and character sets are all examples of entities.

file type

A file type is the file type extension that represents the URLs in a web application. For example, JSP, ASP, GIF, and PNG are file types.

headers

See HTTP headers.

HTTP (HyperText Transfer Protocol)

HyperText Transfer Protocol (HTTP) is the protocol used by the World Wide Web. HTTP defines how messages are formatted and transmitted, and how a web browser requests data and how a web server responds.

HTTP class

See application security class.

HTTP headers

In an HTTP request, the HTTP headers specify the behavior and characteristics of the request.

Glossary - 2

Glossary

HTTP method

In an HTTP request, the HTTP method (or simply, method) indicates the action that the client would like the server to perform for the requested resource. The most common methods are GET and POST.

learning process

The learning process is the process of making a security policy more accurate by verifying how the security policy complies with traffic requests. If the learning process finds discrepancies between the security policy and the traffic requests, it translates the discrepancies into a learning suggestion for modifying the security policy.

learning suggestion

When a request triggers a violation, and the Learn flag is enabled for that violation, the Learning Manager generates a learning suggestion. The learning suggestion contains information about what in the request caused the violation. Not all violations generate learning suggestions.

method

See HTTP method.

safe traffic

See trusted traffic.

Secure Sockets Layer (SSL)

See SSL (Secure Sockets Layer).

security policy

In the Application Security Manager, the security policy is a set of rules that enables the Application Security Manager to understand whether a request for a web application is valid.

security policy violation

A security policy violation occurs when some aspect of a request or response does not comply with the security policy for a web application. See also security policy, web application.

session ID

A session ID is a string of data that identifies a user to a web server. This string can be contained in a cookie or in the URL. A session ID can track a user’s session as he uses the web site.


Glossary

SSL (Secure Sockets Layer)

Secure Sockets Layer (SSL) is a standard protocol designed to provide an encrypted connection between two systems such as a web server and web browser. SSL uses two keys, a public key known to everyone, and a private key known to the recipient of the message.

staging

Staging is a state during which the system applies the security policy to the web application traffic, but does not block traffic (even if traffic causes a violation that is supposed to be blocked). The system provides staging suggestions when requests match an attack signature or violate the security policy.

staging period

The staging period is the amount of time web application entities and attack signatures remain in staging before the system suggests that you enforce them.

Support ID

The Support ID identifies a request that triggers a security policy violation. When the enforcement mode is blocking, the system sends the blocking response page, which includes the Support ID, to the offending client. See also blocking mode, blocking response page, enforcement mode.

template

See application-ready security policy.

tightening

Tightening is the process by which a security policy discovers the explicit file types, URLs, or parameters that match wildcard entities. See also wildcard entity.

transparent mode

When the enforcement mode for a security policy is transparent, the Policy Enforcer forwards all requests to the web application, even if a request triggers a security policy violation. See also blocking mode, enforcement mode.

trusted traffic

Trusted traffic is traffic generated by a controlled group of users, those who are known not to be potential attackers. Example sources of trusted traffic are internal test groups or employees, or traffic generated by users on an internal LAN.

Glossary - 4

Glossary

URI (Universal Resource Identifier)

The Universal Resource Identifier (URI) specifies the name of a web URL in a request. For example, in this web address http://www.siterequest.com/index.html, the URI is /index.html.

URL (Universal Resource Locator)

A Universal Resource Locator (URL) is the standard method for specifying the location of an object on the Internet.

violation

See security policy violation.

web application

A web application is an application delivered to users from a web server to a web client, such as a web browser, over a network. See also web service.

web service

A web service is a self-contained, self-describing, modular web application that can be published, located, and invoked across the Web. See also web application.

wildcard entity

A wildcard entity is a web application entity in the security policy that contains one or more shell-style wildcard characters in its name. You can use wildcard entities to represent file types, URLs, and parameters. See also entity, file type, URL (Universal Resource Locator).


Glossary

Glossary - 6

Index

Aapplication language

defining for automatic policy building 3-4defining for web services 4-2

application securityusing automatic policy building 3-3using rapid deployment 5-1using templates 6-1using web services deployment scenario 4-2

application security classescreating 2-6defining 2-1

application serversand local traffic pool 2-5verifying received traffic 4-9

application templates 1-2, 6-1application-ready security policies

creating 6-2described 1-2fine-tuning 6-3

Application-Ready Security Policy setting 6-2attack signatures, updating 3-9Automatic Policy Building Status screen 3-5

Bbasic configuration tasks

configuring a self IP address 2-4creating a pool 2-5creating a virtual server 2-7creating a VLAN 2-3creating an application security class 2-6performing optional network 2-8summary 2-1

BIG-IP systeminstalling 2-2licensing 1-5, 2-2upgrading 1-5

Blocking icon 4-12blocking mode

indicating 4-12setting 4-12, 5-4, 6-4

blocking response page, customizing for XML 4-13browsers, supported 1-4

Ccompliance, security 1-1Configuration utility 1-3, 1-4

Ddeployment scenario settings

for production site A-1for QA Lab A-4for Rapid Deployment A-6for Web Services A-5

deployment scenariosand Manual Deployment 1-2and production site 1-1and QA Lab 1-1and Web Services 1-2descriptions 1-1selecting 3-3

Deployment wizardcreating application-ready security policy 6-2creating production site security policy 3-3creating QA security policy 3-3creating web services security policy 4-2using Rapid Deployment 5-2

design considerations 3-1documentation set 1-5

Eenforcement mode

setting 4-12, 5-4, 6-4enterprise applications

using preconfigured security policies 1-2, 6-1

FFISMA compliance 1-1

Gglobal parameters, creating 4-8

Hhand icon

See Blocking icon.Help tab 1-4help, online 1-5HIPAA compliance 1-1HTTP class

See application security classes.HTTP profiles, configuring 2-7

Llearning suggestions

and Policy Builder 4-10processing 4-10

links, following schema 4-5local traffic pools

defining 2-1, 2-5

MMain tab, about 1-4Manual Deployment scenario

understanding 1-2menu bar 1-4

BIG-IP® Application Security Manager™: Getting Started Guide Index - 1

Index

Nnetwork configuration tasks

and additional options 2-2creating a local traffic pool 2-5creating a virtual server 2-7creating a VLAN 2-3creating an application security class 2-6performing optional 2-8summarized 2-1

Oonline help 1-5

Pparameters

creating global 4-8creating URL 4-8

PCI compliance 1-1Policy Builder

reviewing policy status 3-5Policy Builder default settings

in production site deployment A-2policy type 3-2policy types 3-1pools

See local traffic pools.product documentation, finding 1-5production site deployment scenario

and default settings A-1creating a security policy 3-1understanding 1-1

profile, creating XML 4-3

QQA Lab deployment scenario

and default settings A-4creating a security policy 3-1

RRapid Deployment security policy

and default settings A-6deploying 5-1

rule strictness 3-1rules slider 3-4

Sschema file validation, configuring 4-7security

and production site default settings A-1and QA lab default settings A-4and Rapid Deployment default settings A-6and web services default A-5

security policyand design considerations 3-1creating application-ready 6-1creating automatically 3-1creating web services 4-2fine-tuning application-ready 6-3fine-tuning automatic creation 3-5fine-tuning web services 4-10stabilizing 3-8using Rapid Deployment 5-1

self IP address, defining 2-1, 2-4SOAP Fault, blocking response page 4-13SOAP messages 4-5, 4-7SOAPAction header 4-5status messages 3-5system messages, viewing 1-4

TTechnical Support web site 1-5templates, creating security policy from 6-2traffic

verifying 4-9transparent mode

setting 4-12, 5-4, 6-4trusted IP addresses 3-4

UURL parameters

creating 4-8URLs

creating 4-8user interface, introducing 1-3

Vverification messages

for application server traffic 4-9virtual LANs

See VLANs.virtual servers

creating 2-7defined 2-7

VLANscreating 2-3defined 2-1

Wweb applications

and hosted content 2-5creating default 2-6

Web Services deployment scenarioand default settings A-5overview 4-1understanding 1-2

Index - 2

Index

web services security policycreating 4-2developing using traffic 4-9fine-tuning 4-10

Welcome screen 1-3, 1-5WSDL documents

importing to XML profile 4-5

XXML profiles

associating URLs or parameters 4-8creating basic 4-4creating for security policy 4-3creating with schema validation 4-7importing WSDL documents 4-5

XML security policy, creating 4-2XML transactions

and Web Services deployment scenario 4-1XSD files, validating 4-7

BIG-IP® Application Security Manager™: Getting Started Guide Index - 3

big-ip application security manager getting started guide

Documents