Manual Chapter : Configuring Security Policy Blocking

Applies To:

Show Versions Show Versions

BIG-IP ASM

  • 16.0.1, 16.0.0, 15.1.0, 15.0.1, 15.0.0
Manual Chapter

Configuring Security Policy Blocking

About security policy blocking

You can configure how Application Security Manager handles requests that violate the security policy in several ways.
Method
Description
Blocking actions
Blocking actions for each of the security policy violations, along with the enforcement mode, determine the action that will be taken when the violation occurs. If a violation set to alarm or block occurs on an entity that is in staging, it is not enforced.
Evasion techniques
Sophisticated hackers have figured out coding methods that normal attack signatures do not detect. These methods are known as
evasion techniques
. You can choose which evasion techniques you want Application Security Manager to identify, and configure blocking actions that occur if any of the selected techniques is detected.
HTTP Protocol Compliance
The system performs validation checks on HTTP requests to ensure that the requests are formatted properly. You can configure which validation checks are enforced by the security policy.
Web Services Security
You can configure which web services security errors must occur for the system to learn, log, or block requests that trigger the errors.
Response pages
When the enforcement mode of the security policy is blocking, and a request (or response) triggers a violation for which the Block action is enabled, the system returns the response page to the client. If you configure login pages, you can also configure a response page for blocked access.

Changing security policy enforcement

Security policies can be in one of two enforcement modes: transparent or blocking. The
enforcement mode
specifies whether the system simply logs or blocks a request that triggers a security policy violation. You can manually change the enforcement mode for a security policy depending on how you want the system to handle traffic that causes violations.
  1. On the Main tab, click
    Security
    Application Security
    Policy Building
    Learning and Blocking Settings
    .
    The Learning and Blocking Settings screen opens.
  2. In the
    Current edited security policy
    list near the top of the screen, verify that the security policy shown is the one you want to work on.
  3. For the
    Enforcement Mode
    setting, specify how to treat traffic that causes violations.
    • To block traffic that causes violations (that are set to block), select
      Blocking
      .
    • To stop allow traffic even if it causes violations so you can review the violations, select
      Transparent
      .
  4. Click
    Save
    to save your settings.
  5. To put the security policy changes into effect immediately, click
    Apply Policy
    .
When the enforcement mode is set to
transparent
, traffic is not blocked even if a violation is triggered. The system typically logs the violation event (if the Learn flag is set on the violation). You can use this mode along with an enforcement readiness period when you first put a security policy into effect to make sure that no false positives occur that would stop legitimate traffic.
When the enforcement mode is set to
blocking
, traffic is blocked if it causes a violation (that is configured for blocking), and the enforcement readiness period is over. You can use this mode when you are ready to enforce a security policy.

Configuring blocking actions for violations

You can configure the Learn, Alarm, and Block flags, or
blocking actions
, for each violation. The blocking actions (along with the enforcement mode) determine how the system processes requests that trigger the corresponding violation.
  1. On the Main tab, click
    Security
    Application Security
    Policy Building
    Learning and Blocking Settings
    .
    The Learning and Blocking Settings screen opens.
  2. In the
    Current edited security policy
    list near the top of the screen, verify that the security policy shown is the one you want to work on.
  3. Adjust the
    Enforcement Mode
    setting if needed.
    • To block traffic that causes violations, select
      Blocking
      .
    • To allow traffic even if it causes violations (allowing you to make sure that legitimate traffic would not be blocked), select
      Transparent
      .
    You can only configure the Block flag on violations if the enforcement mode is set to
    Blocking
    .
  4. From the list, select
    Advanced
    .
  5. Review each of the Policy Building Settings so you understand how the security policy handles requests that cause the associated violations, and adjust if necessary. You need to expand most of the settings to see the violations.
    To the right of Policy Building Settings, click
    Blocking Settings
    to see and adjust all of the violations at once.
    Option
    What happens when selected
    Learn
    The system generates learning suggestions for requests that trigger the violation (except learning suggestions are not generated for requests that return HTTP responses with 400 or 404 status codes).
    Alarm
    When selected, the system marks requests that trigger the violation as illegal. The system also records illegal requests in the Charts screen, the system log (
    /var/log/asm
    ), and possibly in local or remote logs (depending on the settings of the logging profile).
    Block
    The system blocks requests that trigger the violation when (1) the security policy is in the blocking enforcement mode, (2) a violation occurs, and (3) the entity is enforced. The system sends the blocking response page (containing a Support ID to identify the request) to the client.
  6. Expand the violations that are links to display more granular details or subviolations for which you can enable blocking properties.
    You can enable or disable blocking subviolations for HTTP protocol compliance, evasion techniques, and web services security.
  7. Click
    Save
    to save your settings.
  8. To put the security policy changes into effect immediately, click
    Apply Policy
    .
Entities in staging, attack signatures in staging, and wildcards set to add all entities do not cause violations, and consequently are not blocked. But if the enforcement mode is blocking and violations are set to Block, traffic causing those violations is blocked. If violations are set to Alarm, the system logs the violations. For violations set to Learn, the system generates learning suggestions if the violation occurs.
You can now configure the response that the system sends when a request is blocked.

Configuring HTTP protocol compliance validation

The first security checks that Application Security Manager performs are those for RFC compliance with the HTTP protocol. The system validates HTTP requests to ensure that the requests are formatted properly. For each security policy, you can configure which HTTP protocol checks the system performs, and specify what happens if requests are not compliant.
  1. On the Main tab, click
    Security
    Application Security
    Policy Building
    Learning and Blocking Settings
    .
    The Learning and Blocking Settings screen opens.
  2. In the Policy Building Settings area, for the
    HTTP protocol compliance failed
    violation, set the blocking settings as needed.
    Select this Option
    When You Want to
    Learn
    Generate learning suggestions for requests that trigger the violation.
    Alarm
    Record requests that trigger the violation in ASM Charts, the system log (
    /var/log/asm
    ), and possibly in local or remote logs (depending on the logging profile settings).
    Block
    Block requests that trigger the violation (the enforcement mode must be set to
    Blocking
    ).
  3. Expand the
    HTTP protocol compliance failed
    setting.
    The HTTP subviolations are displayed.
  4. Select or clear the HTTP protocol checks, as required.
    For an explanation of any individual HTTP validation, click it.
  5. Click
    Save
    to save your settings.
  6. To put the security policy changes into effect immediately, click
    Apply Policy
    .
If the
HTTP protocol compliance failed
violation is set to
Learn
,
Alarm
, or
Block
, the system performs the protocol compliance checks. If the
Enforcement Mode
is set to
Blocking
and the violation is set to block, the system blocks requests that are not compliant with the selected HTTP protocol validations.
If a request is too long and causes the
Request length exceeds defined buffer size
violation, the system stops validating protocol compliance for that request.

Configuring blocking actions for evasion techniques

For every HTTP request, Application Security Manager examines the request for evasion techniques, which are coding methods that attackers use to avoid detection by attack signatures and intrusion prevention systems. You can enable or disable the blocking properties of specific evasion techniques in the
Evasion technique detected
violation.
  1. On the Main tab, click
    Security
    Application Security
    Policy Building
    Learning and Blocking Settings
    .
    The Learning and Blocking Settings screen opens.
  2. In the
    Current edited security policy
    list near the top of the screen, verify that the security policy shown is the one you want to work on.
  3. Adjust the
    Enforcement Mode
    setting if needed.
    • To block traffic that causes violations, select
      Blocking
      .
    • To allow traffic even if it causes violations (allowing you to make sure that legitimate traffic would not be blocked), select
      Transparent
      .
    You can only configure the Block flag on violations if the enforcement mode is set to
    Blocking
    .
  4. Review the
    Evasion technique detected
    violation and adjust the
    Learn
    ,
    Alarm
    , and
    Block
    flags as required.
  5. Expand the
    Evasion technique detected
    setting.
    The evasion technique subviolations are displayed.
  6. Enable or disable the evasion technique subviolations, as required.
    For an explanation of an individual subviolation, click it.
  7. Click
    Save
    to save your settings.
  8. To put the security policy changes into effect immediately, click
    Apply Policy
    .
If a request uses any of the selected evasion techniques, the system reacts according to how you configured the blocking settings for the
Evasion technique detected
violation. If the
Enforcement Mode
is set to
Blocking
and the violation is set to block, the system blocks requests that use selected evasion techniques.

Configuring blocking actions for web services security

It only makes sense to select learning and blocking settings for web services security errors if you previously created a security policy to protect a web application that uses XML formatting or employs web services. The security policy must have an XML profile (with web services security enabled) associated with it.
You can select which web services security errors must occur for the system to learn, log, or block requests that trigger the errors. These errors are subviolations of the parent violation,
Web Services Security failure
.
  1. On the Main tab, click
    Security
    Application Security
    Policy Building
    Learning and Blocking Settings
    .
    The Learning and Blocking Settings screen opens.
  2. In the
    Current edited security policy
    list near the top of the screen, verify that the security policy shown is the one you want to work on.
  3. Adjust the
    Enforcement Mode
    setting if needed.
    • To block traffic that causes violations, select
      Blocking
      .
    • To allow traffic even if it causes violations (allowing you to make sure that legitimate traffic would not be blocked), select
      Transparent
      .
    You can only configure the Block flag on violations if the enforcement mode is set to
    Blocking
    .
  4. From the list, select
    Advanced
    .
  5. Expand the
    Content Profiles
    setting.
    The content profile violations and
    Web Services Security failure
    subviolations are displayed.
  6. Review the
    Web Services Security failure
    setting and adjust the
    Learn
    ,
    Alarm
    , and
    Block
    flags as required.
  7. For Web Services Security failure subviolations, enable or disable the web services subviolations, as required for your application.
    For an explanation of any individual subviolation, click it.
    The selected subviolations are the ones that will cause the
    Web Services Security failure
    violation to occur.
  8. Click
    Save
    to save your settings.
  9. To put the security policy changes into effect immediately, click
    Apply Policy
    .
If a request causes one of the enabled errors to occur, web services security stops parsing the document. How the system reacts depends on how you configured the blocking settings for the
Web Services Security failure
violation:
  • If configured to Learn or Alarm when the violation occurs, the system does not encrypt or decrypt the SOAP message, and sends the original document to the web service.
  • If configured to Block when the violation occurs, the system blocks the traffic and prevents the document from reaching its intended destination. The system sends a blocking response page. If the XML profile associated with the policy is configured to use an XML blocking response page, it uses the XML response. Otherwise, it uses the default response page.
  • If a web services security violation occurs on an entity in staging, for example, a URL in staging associated with an XML profile, the violation (set to alarm or block) is not enforced.