Manual Chapter : Using Rapid Deployment to Create a Security Policy

Applies To:

BIG-IP ASM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

Overview: Rapid deployment

The Rapid Deployment security policy provides security features that minimize the number of false positive alarms and reduce the complexity and length of the deployment period. By default, the Rapid Deployment security policy includes the following security checks:
  • Performs HTTP compliance checks
  • Checks for mandatory HTTP headers
  • Stops information leakage
  • Prevents illegal HTTP methods from being used in a request
  • Checks response codes
  • Enforces cookie RFC compliance
  • Applies attack signatures to requests (and responses, if applying signatures to responses)
  • Detects evasion techniques
  • Prevents access from disallowed geolocations
  • Prevents access from disallowed users, sessions, and IP addresses
  • Checks whether request length exceeds defined buffer size
  • Detects disallowed file upload content
  • Checks for characters that failed to convert
  • Looks for requests with modified ASM cookies
With the Rapid Deployment security policy, your organization can quickly create a security policy that meets the majority of web application security requirements.

Task summary

Creating a security policy using rapid deployment

Before you can create a security policy using ASM, you need to complete the basic BIG-IP system configuration tasks including creating a VLAN, a self IP address, and other tasks, according to the needs of your networking environment.
You can use rapid deployment to create a security policy quickly. The Deployment wizard takes you through the steps required for rapid deployment.
  1. On the Main tab, click Security > Application Security > Security Policies > Policies List.
    The Policies List screen opens.
  2. Click Create New Policy.
    You only see this button when no policy is selected.
  3. In the Policy Name field, type a name for the policy.
  4. Leave Policy Type set to Security.
  5. For Policy Template, select Rapid Deployment Policy.
  6. For Virtual Server, click Configure new virtual server to specify where to direct application requests.
    1. For What type of protocol does your application use?, select HTTP, HTTPS, or both.
    2. In the Virtual Server Name field, type a unique name.
    3. In the HTTP/HTTPS Virtual Server Destination field, type the address in IPv4 (10.0.0.1) or IPv6 (2001:ed8:77b5:2:10:10:100:42/64) format, and specify the service port.
      If you want multiple IP addresses to be directed here, use the Network setting.
    4. In the HTTP/HTTPS Pool Member setting, specify the addresses of the back-end application servers.
    5. If you have chosen the HTTPS protocol, in the SSL Profile (Client) field, select clientssl to enable the HTTP/2 Profile (Client) field.
    6. If you have chosen the HTTPS protocol, in the SSL Profile (Server) field, select serverssl to enable the HTTP/2 Profile (Server) field.
    7. From the Logging Profile list, select a profile such as Log illegal requests to determine which events are logged on the system.
  7. In the upper right corner, click Advanced.
    You can use default values for the Advanced settings, but it's a good idea to take a look at them.
    • Leave Learning Mode set to Manual and Enforcement Mode set to Transparent.
    • If you know the Application Language, select it or use Unicode (utf-8).
    • To add specific protections (enforcing additional attack signatures) to the policy, select the server technologies that apply to the back-end application servers.
  8. Click Create Policy to create the security policy.
The system creates a simple security policy that protects against known security problems, such as evasion attacks, data leakage, and buffer overflow attacks. The rapid deployment security policy operates in transparent mode (meaning that it does not block traffic unless you changed the enforcement mode and enforce the policy). If the system receives a request that violates the security policy, the system logs the violation event, but does not block the request. Suggestions for changes to the policy are added to the Traffic Learning screen.

Reviewing learning suggestions

Before you can see learning suggestions on the system, it needs to have had some traffic sent to it.
After you create a security policy and begin sending traffic to the application, the system provides learning suggestions concerning additions to the security policy based on the traffic it sees. For example, you can have users or testers browse the web application. By analyzing the traffic to and from the application, Application Security Manager generates learning suggestions or ways to fine-tune the security policy to better suit the traffic and secure the application.
This task is primarily for building a security policy manually. If you are using the automatic learning mode, this task applies to resolving suggestions that require manual intervention, or for speeding up the enforcement of policy elements.
  1. On the Main tab, click Security > Application Security > Policy Building > Traffic Learning.
    The Traffic Learning screen opens, and lists suggestions based on traffic patterns and violations that the system has detected.
  2. Take a look at the Traffic Learning screen to get familiar with it.
    With no suggestions selected, the right pane displays sections that facilitate the reviewer's decision-making process. These include graphical charts that summarize policy activity, a summary of top violations in Reduce Potential False-positive Alerts, an enforcement readiness summary, and a summary of suggestions to add a new entity or delete an obsolete entity.
  3. To change the order in which the suggestions are listed, or refine what is included in the list, use the filters at the top of the column. Click the search icon to see basic and advanced filters.
  4. Review the learning suggestions as follows.
    1. Select a learning suggestion.
      Information is displayed about the action the system will take if you accept the suggestion, and what caused the suggestion.
    2. Select a suggestion to learn more about what caused it by looking at the action, the number of samples it is based on, the violations caused and their violation ratings, and, if available, by examining samples of the requests that caused the suggestion.
    3. Select a request to view data about the request on the right, including any violations it generated, the contents of the request itself, and the response (if any).
      By examining the requests that caused a suggestion, you can determine whether it should be accepted.
    4. To add comments about the suggestion and the cause, click the Add Comment icon to the right of the suggestion commands, and type the comments.
  5. Decide how to respond to the suggestion. You can start with the suggestions that have the highest learning scores, or those which you know to be valid for the application. These are the options.
    Option               What happens
    Accept Suggestion    The system modifies the policy by taking the suggested action, such as adding an entity that is legitimate. If the entity that triggered the suggestion can be placed in staging (file types, URLs, parameters, cookies, or redirection domains), clicking Accept Suggestion displays a second option, Accept suggestion and enable staging on Matched <<entity>>. Click this option to accept the suggestion and place the matched entity in staging.
    Delete Suggestion    The system removes the learning suggestion, but the suggestion reoccurs if new requests cause it. The learning score of the suggestion starts over from zero in that case.
    Ignore Suggestion    The system does not change the policy and stops showing this suggestion on the Traffic Learning screen now and in the future. You can view ignored suggestions by filtering by status ignored.
    If you are working in automatic learning mode, when the learning score reaches 100%, the system can accept most of the suggestions if you selected the Learning Mode Auto-apply Policy, or you can accept suggestions manually at any time. If you are using manual learning, when the learning score reaches 100% (or before that, if you know the suggestions are valid), you need to accept the suggestions manually.
    If you know that a suggestion is valid, you can accept it at any time, even before the learning score reaches 100%. The ones that reach 100% have met all the conditions, so they are probably legitimate entities.
  6. To put the security policy changes into effect immediately, click Apply Policy.
By default, a security policy is put into an enforcement readiness period for seven days. During that time, you can examine learning suggestions and adjust the security policy, making sure that users can access the application. The security policy then includes elements unique to your web application.
It is a good idea to periodically review the learning suggestions on the Traffic Learning screen to determine whether the violations are legitimate and caused by an attack, or if they are false positives that indicate a need to update the security policy. Typically, a wide recurrence of violations at some place in the policy (with a low violation rating and a high learning score) indicates that they might be false positives, and hence the policy should be changed so that they will not be triggered anymore. If the violations seem to indicate true attacks (for example, they have a high violation rating), the policy should stay as is, and you can review the violations that it triggered.

Enforcing a security policy

You only need to enforce a security policy if it was created manually (not using automatic learning), and if it is operating in transparent mode. Traffic should be moving through Application Security Manager, allowing users to access the web application for which you set up the security policy.
When you enforce a security policy, the system blocks requests that cause violations that are set to block.
  1. On the Main tab, click Security > Application Security > Policy Building > Learning and Blocking Settings.
    The Learning and Blocking Settings screen opens.
  2. In the Current edited security policy list near the top of the screen, verify that the security policy shown is the one you want to work on.
  3. For the Enforcement Mode setting, select Blocking.
  4. To see the Policy Building Settings, in the upper right corner, click Advanced.
  5. Review each of the Policy Building Settings so you understand how the security policy handles requests that cause the associated violations, and adjust if necessary. You need to expand most of the settings to see the violations.
    To the right of Policy Building Settings, click Blocking Settings to see and adjust all of the violations at once.
    Option    What happens when selected
    Learn     The system generates learning suggestions for requests that trigger the violation (except that no learning suggestions are generated for requests that return HTTP responses with 400 or 404 status codes).
    Alarm     The system marks requests that trigger the violation as illegal. The system also records illegal requests in the Charts screen, the system log (/var/log/asm), and possibly in local or remote logs (depending on the settings of the logging profile).
    Block     The system blocks requests that trigger the violation when (1) the security policy is in the blocking enforcement mode, (2) a violation occurs, and (3) the entity is enforced. The system sends the blocking response page (containing a Support ID to identify the request) to the client.
  6. Click Save to save your settings.
  7. To put the security policy changes into effect immediately, click Apply Policy.
When the enforcement mode is set to blocking, the security policy no longer allows requests that cause violations set to block to reach the back-end resources. Instead, the security policy blocks the request, and sends the blocking response page to the client.
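The way the Learn, Alarm, and Block flags in step 5 combine with the Enforcement Mode and with entity staging is the usual reason a request is unexpectedly logged but not blocked (the policy is still transparent, or the matched entity is still in staging). The following Python model is an added example written for this chapter; it is not BIG-IP code or F5's implementation. The violation name, the entity names, and the sample requests are constructed, and the three blocking conditions and the 400/404 exception follow the Blocking Settings table above.

```python
"""Decision model for ASM Blocking Settings.

Added illustration (not BIG-IP code) of how the Learn, Alarm and Block flags
on a violation combine with the policy Enforcement Mode and with entity
staging, as described in the Blocking Settings table. Violation names, entity
names and the sample requests below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Per the table: no learning suggestion is generated for a request whose
# response carried one of these status codes, even when Learn is selected.
NO_LEARN_STATUSES = {400, 404}


@dataclass
class ViolationSetting:
    """The three check boxes shown for each violation on the Blocking Settings screen."""
    learn: bool = False
    alarm: bool = False
    block: bool = False


@dataclass
class Policy:
    enforcement_mode: str                               # "transparent" or "blocking"
    blocking_settings: Dict[str, ViolationSetting]
    staged_entities: Set[str] = field(default_factory=set)  # entities not yet enforced


@dataclass
class Request:
    entity: str                                   # URL, parameter, etc. that the violation matched
    violations: List[str]                         # violation names the request triggered
    response_status: Optional[int] = None         # status of the back-end response, if one was seen


@dataclass
class Outcome:
    learn: List[str]      # violations for which a learning suggestion is generated
    illegal: bool         # request marked illegal (Alarm) and logged
    blocked: bool         # blocking response page sent instead of the back-end response


def evaluate(policy: Policy, request: Request) -> Outcome:
    """Apply the Learn/Alarm/Block semantics from the Blocking Settings table."""
    if policy.enforcement_mode not in ("transparent", "blocking"):
        raise ValueError(f"unknown enforcement mode: {policy.enforcement_mode}")

    learn: List[str] = []
    illegal = False
    blocked = False
    for name in request.violations:
        setting = policy.blocking_settings.get(name)
        if setting is None:
            continue  # violation with no flags selected: nothing happens

        # Learn: a suggestion is generated unless the response was a 400 or 404.
        if setting.learn and request.response_status not in NO_LEARN_STATUSES:
            learn.append(name)

        # Alarm: the request is marked illegal and recorded (Charts, /var/log/asm, logging profile).
        if setting.alarm:
            illegal = True

        # Block: all three conditions from the table must hold:
        # (1) blocking mode, (2) the violation occurred (it is in the list), (3) entity enforced.
        if (setting.block
                and policy.enforcement_mode == "blocking"
                and request.entity not in policy.staged_entities):
            blocked = True

    return Outcome(learn=learn, illegal=illegal, blocked=blocked)


# Constructed sample policy: one violation with all three flags selected,
# once in transparent mode and once in blocking mode with /upload still staged.
SETTINGS = {"Illegal file type": ViolationSetting(learn=True, alarm=True, block=True)}
TRANSPARENT = Policy("transparent", SETTINGS)
BLOCKING = Policy("blocking", SETTINGS, staged_entities={"/upload"})

# Constructed sample requests.
ENFORCED_HIT = Request("/admin", ["Illegal file type"], response_status=200)
STAGED_HIT = Request("/upload", ["Illegal file type"], response_status=200)
NOT_FOUND_HIT = Request("/admin", ["Illegal file type"], response_status=404)
CLEAN = Request("/index.html", [], response_status=200)


if __name__ == "__main__":
    for label, policy, req in [("transparent/enforced", TRANSPARENT, ENFORCED_HIT),
                               ("transparent/404 response", TRANSPARENT, NOT_FOUND_HIT),
                               ("blocking/enforced", BLOCKING, ENFORCED_HIT),
                               ("blocking/staged", BLOCKING, STAGED_HIT),
                               ("blocking/no violation", BLOCKING, CLEAN)]:
        print(f"{label:26} -> {evaluate(policy, req)}")
```

Running the script prints one outcome per scenario: in transparent mode the request is marked illegal and produces a suggestion but is never blocked; in blocking mode the same request is blocked only when its entity is enforced, while the staged /upload request is logged and learned from but passed through, matching the seven-day enforcement readiness behaviour described earlier.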