Manual Chapter: Protecting Sensitive Data with Data Guard

Applies To:

BIG-IP ASM

  • 16.0.1, 16.0.0, 15.1.0, 15.0.1, 15.0.0

Protecting Sensitive Data with Data Guard

About protecting sensitive data with Data Guard

In some web applications, a response may contain sensitive user information, such as credit card numbers or U.S. Social Security numbers. The Data Guard feature can prevent responses from exposing sensitive information by masking the data (this is also known as response scrubbing). Data Guard scans text in responses looking for the types of sensitive information that you specify.

When you mask the data, the system replaces the sensitive data with asterisks (****). F5 Networks recommends that you enable this setting, especially when the security policy enforcement mode is transparent: in that mode the system does not block the response, so without masking, sensitive data could be exposed to the client.

Using Data Guard, you can configure custom patterns using PCRE regular expressions to protect other forms of sensitive information, and indicate exception patterns not to consider sensitive. You can also specify which URLs you want the system to examine for sensitive data.

The system can also examine the content of responses for specific types of files that you do not want to be returned to users, such as Microsoft Office documents, PDFs, ELF binary files, Mach object files, or Windows portable executables. File content checking causes the system to examine responses for the file content types you select. You can configure the system to block sensitive file content (according to the blocking setting of the DataGuard: Information Leakage Detected violation).

Response headers that Data Guard inspects

Data Guard examines responses that have the following content-type headers:
  • "text/..."
  • "application/x-shockwave-flash"
  • "application/sgml"
  • "application/x-javascript"
  • "application/xml"
  • "application/x-asp"
  • "application/x-aspx"
  • "application/xhtml+xml"
You can configure one additional user-defined response content-type using the system variable user_defined_accum_type. If response logging is enabled, these responses can also be logged.

Protecting sensitive data

You can configure the system to protect sensitive data. If a web server response contains a credit card number, a U.S. Social Security number, or text that matches a custom pattern, the system responds based on the enforcement mode setting.
  1. On the Main tab, click Security > Application Security > Data Guard.
    The Data Guard screen opens.
  2. In the Current edited security policy list near the top of the screen, verify that the security policy shown is the one you want to work on.
  3. Select the Data Guard check box.
  4. If you want the system to consider credit card numbers as sensitive data, select the Credit Card Numbers check box.
    By default, the last 4 digits of a credit card number are exposed to allow legitimate parties to recognize and differentiate the number, such as on invoices. To change this, select a different number from the drop-down list.
  5. If you want the system to consider U.S. Social Security numbers (in the form nnn-nn-nnnn, where n is a digit) as sensitive data, select the U.S. Social Security Numbers check box.
    By default, the last 4 digits of a U.S. Social Security number are exposed to allow legitimate parties to recognize and differentiate the number, such as on forms. To change this, select a different number from the drop-down list.
  6. To specify additional sensitive data patterns that occur in the application:
    1. Select the Custom Patterns check box.
    2. In the New Pattern field, type a PCRE regular expression to specify the sensitive data pattern, then click Add. For example, 999-\d\d-\d\d\d\d (in PCRE, \d matches a single digit).
      You can validate the regular expression using the tool at Security > Options > Application Security > RegExp Validator.
    3. Add as many custom patterns as needed for the application.
  7. To specify data patterns not to consider sensitive:
    1. Select the Exception Patterns check box.
    2. In the New Pattern field, type a PCRE regular expression to specify the pattern that the system should not treat as sensitive, then click Add.
    3. Add as many exception patterns as needed for the application.
  8. If, in responses that are not blocked, you want the system to replace the sensitive data with asterisks (****), select the Mask Data check box.
    This setting is not relevant if blocking is enabled for the violation, because the system blocks responses containing sensitive data.
  9. To review responses for specific file content (for example, to determine whether someone is trying to download a sensitive type of document):
    1. For the File Content Detection setting, select the Check File Content check box.
      The screen displays a list of available file types.
    2. Move the file types you want the system to consider sensitive from the Available list into the Members list.
  10. To specify which URLs to examine for sensitive data, use the Enforcement Mode setting:
    • To inspect all URLs, use the default value of Ignore URLs in list, and do not add any URLs to the list.
    • To inspect all but a few specific URLs, use the default value of Ignore URLs in list, and add the exceptions to the list.
    • To inspect only specific URLs, select Enforce URLs in list, and add the URLs to check to the list.
    When adding URLs, you can type either explicit (/index.html) or wildcard (*xyz.html) URLs.
  11. Click Save to save your settings.
When the system detects sensitive information in a response, it generates the Data Guard: Information leakage detected violation (if the violation is set to alarm or block). If the security policy enforcement mode is set to blocking and the violation is set to block, the system does not send the response to the client.
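The following Python script is an added example; it is not F5 code and not part of this manual. It emulates the Data Guard decisions this chapter describes so that a policy author can reason about a configuration offline: the response content-type filter (with a stand-in for the user_defined_accum_type variable), the URL Enforcement Mode (Ignore URLs in list versus Enforce URLs in list, with wildcard entries), built-in credit card and U.S. Social Security number detection with the last 4 digits exposed, custom PCRE patterns (using the chapter's 999-\d\d-\d\d\d\d example, masked in full), exception patterns, and Mask Data. The credit card regular expression, the digit-by-digit masking, the glob interpretation of wildcard URLs and the precedence applied when two patterns overlap are constructed assumptions about how to emulate the feature, not documented ASM behavior; the sample response body is constructed.

```python
# Added example, not F5 code: a small emulation of the Data Guard behaviour
# described in this chapter. The credit card regex, the digit-by-digit masking,
# glob matching of wildcard URLs and the overlap precedence are constructed
# approximations; all sample data is constructed.
import re
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Iterable, List, Optional, Tuple

# Content types the chapter lists as inspected; "text/..." is a prefix match.
INSPECTED_EXACT = {
    "application/x-shockwave-flash", "application/sgml", "application/x-javascript",
    "application/xml", "application/x-asp", "application/x-aspx", "application/xhtml+xml",
}


def is_inspected_content_type(content_type: str, user_defined: Optional[str] = None) -> bool:
    """Content-Type check; `user_defined` stands in for the user_defined_accum_type variable."""
    media = content_type.split(";", 1)[0].strip().lower()
    return media.startswith("text/") or media in INSPECTED_EXACT or media == user_defined


def url_is_examined(url: str, mode: str, url_list: Iterable[str]) -> bool:
    """URL Enforcement Mode: "ignore" inspects every URL except those listed,
    "enforce" inspects only those listed. Wildcards such as *xyz.html use glob matching (assumption)."""
    listed = any(fnmatch(url, pattern) for pattern in url_list)
    return not listed if mode == "ignore" else listed


SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")             # nnn-nn-nnnn, as in the chapter
CREDIT_CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")  # 13-16 digits, optional separators (constructed)


def mask(text: str, expose_last: int) -> str:
    """Replace digits with '*', keeping the trailing `expose_last` digits and any separators."""
    total = sum(ch.isdigit() for ch in text)
    seen, out = 0, []
    for ch in text:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > total - expose_last else "*")
        else:
            out.append(ch)
    return "".join(out)


@dataclass
class DataGuard:
    credit_cards: bool = True
    cc_expose_last: int = 4
    ssn: bool = True
    ssn_expose_last: int = 4
    custom_patterns: List[str] = field(default_factory=list)     # masked in full
    exception_patterns: List[str] = field(default_factory=list)  # never masked
    mask_data: bool = True
    url_mode: str = "ignore"   # "ignore" = Ignore URLs in list, "enforce" = Enforce URLs in list
    url_list: List[str] = field(default_factory=list)

    def scrub(self, url: str, content_type: str, body: str) -> Tuple[str, bool]:
        """Return (body to send, violation detected). With mask_data off the body comes back
        unchanged but flagged; whether to block on the flag is the policy's decision, not this function's."""
        if not (is_inspected_content_type(content_type) and url_is_examined(url, self.url_mode, self.url_list)):
            return body, False
        exceptions = [m.span() for p in self.exception_patterns for m in re.finditer(p, body)]
        findings: List[Tuple[int, int, int]] = []  # (start, end, digits to expose)
        if self.credit_cards:
            findings += [(m.start(), m.end(), self.cc_expose_last) for m in CREDIT_CARD_RE.finditer(body)]
        if self.ssn:
            findings += [(m.start(), m.end(), self.ssn_expose_last) for m in SSN_RE.finditer(body)]
        for p in self.custom_patterns:
            findings += [(m.start(), m.end(), 0) for m in re.finditer(p, body)]
        # Drop anything an exception pattern covers, then resolve overlaps: earliest match first,
        # and on a tie the stricter finding (fewer exposed digits) wins.
        findings = [f for f in findings if not any(s <= f[0] and f[1] <= e for s, e in exceptions)]
        chosen: List[Tuple[int, int, int]] = []
        for f in sorted(findings, key=lambda f: (f[0], f[2])):
            if not any(f[0] < e and s < f[1] for s, e, _ in chosen):
                chosen.append(f)
        if not chosen:
            return body, False
        if not self.mask_data:
            return body, True
        out = body
        for start, end, expose in sorted(chosen, reverse=True):  # right to left keeps offsets valid
            out = out[:start] + mask(out[start:end], expose) + out[end:]
        return out, True


SAMPLE_BODY = (  # constructed response body
    "<p>Card: 4111 1111 1111 1111</p><p>SSN: 123-45-6789</p>"
    "<p>Employee ID: 999-12-3456</p><p>Test SSN: 000-00-0000</p>"
)


def demo() -> Tuple[str, bool]:
    guard = DataGuard(custom_patterns=[r"999-\d\d-\d\d\d\d"],  # the chapter's example pattern
                      exception_patterns=[r"000-00-0000"],
                      url_mode="ignore", url_list=["/health"])
    return guard.scrub("/account.html", "text/html; charset=utf-8", SAMPLE_BODY)


if __name__ == "__main__":
    print(demo())
```

Run it directly to see the scrubbed body: the card and SSN keep their last 4 digits, the custom-pattern match is masked in full, and the value covered by the exception pattern is left alone. The returned flag stands for the Data Guard: Information leakage detected violation; a policy in blocking mode with the violation set to block would withhold the response instead of sending the masked body.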