Manual Chapter : Creating Parent and Child Security Policies

Applies To:

Show Versions Show Versions

BIG-IP ASM

  • 15.1.0, 15.0.1, 15.0.0, 14.1.2, 14.1.0
Manual Chapter

Creating Parent and Child Security Policies

Overview: Creating parent and child security policies

You can use Application Security Manager (ASM) to create two layers of security policies: parent policies and child policies. Parent policies include mandatory policy elements, and child policies inherit those attributes from the parent. When the parent policy is updated, its child policies are automatically updated.
Parent policies let you
  • Create and maintain common elements and settings
  • Impose mandatory elements on child policies
  • Push a change to multiple child policies
You can specify which parts of the security policy must be inherited, which are optional, and which are not inherited. This way, you can keep child policies in sync with the changes in the global mandatory policies and still allow the child policies to address their own unique requirements. The inheritance follows the sections of the policy in the Learning and Blocking Settings: each part can be inherited or not inherited from the parent.

Creating a parent security policy

Parent security policies include features that you want to apply to multiple child security policies that can inherit those features.
  1. On the Main tab, click
    Security
    Application Security
    Security Policies
    Policies List
    .
    The Policies List screen opens.
  2. Click
    Create New Policy
    .
    You only see this button when no policy is selected.
  3. In the
    Policy Name
    field, type a name for the policy.
  4. For
    Policy Type
    , select
    Parent
    .
  5. For
    Policy Template
    , select the template that you want to use for the parent policy, for example, select
    Fundamental
    to create a robust yet compact security policy that is appropriate for most applications.
    To create a stricter policy that enforces many violations, select
    Comprehensive
    instead.
  6. In the upper right corner, click
    Advanced
    .
  7. To use automatic policy building for this policy and child policies, leave the
    Learning Mode
    set to
    Automatic
    .
  8. For
    Application Language
    , leave the default of
    Unicode (utf-8)
    unless all child policies will use a specific language that you can select.
    You cannot change this setting after you have created the security policy.
  9. To enable specific protections that will apply to this policy and its child policies, for
    Server Technologies
    , select as many of the technologies as are relevant to the back-end servers.
    The system adds attack signatures specific to the selected technologies.
  10. For
    Trusted IP Addresses
    , select which IP addresses to consider safe by all child policies.
    All
    Specifies that the policy trusts all IP addresses. This option is recommended only for traffic in a corporate lab or preproduction environment where all of the traffic is trusted. The policy is created faster when you select this option.
    Address List
    Specifies networks to consider safe. Fill in the
    IP Address
    and
    Netmask
    fields, then click
    Add
    . This option is typically used in a production environment where traffic could come from untrusted sources. The IP Address can be either an IPv4 or an IPv6 address.
    If you leave the trusted IP address list empty, the system treats all traffic as untrusted. In general, it takes more untrusted traffic, from different IP addresses, over a longer period of time to build a security policy.
  11. For the
    Policy Builder Learning Speed
    setting, select how fast to generate suggestions for the policy.
    Option
    Description
    Slow
    Use if your application supports a large number of requests from many sessions; for example, useful for web sites with lots of traffic. Policy Builder requires a large amount of unique traffic samples to make decisions in Automatic Learning Mode, or to reach a high learning score. This option creates the most accurate security policy, but it takes Policy Builder longer to collect the statistics.
    Medium
    Use if your application supports a medium number of requests, or if you are not sure about the amount of traffic on the application web site. This is the default setting.
    Fast
    Use if your application supports a small number of requests from a small number of sessions; for example, useful for web sites with less traffic. Policy Builder requires fewer unique traffic samples to make decisions in Automatic Learning Mode, or to reach a high learning score. However, choosing this option may present a greater chance of adding false entities to the security policy.
    Based on the option you select, the system sets greater or lesser values for the number of different user sessions, different IP addresses, and length of time before it adds suggestions to the security policy and if you are using automatic learning, enforces the elements.
  12. For the
    Signature Staging
    setting, verify that the default option
    Enabled
    is selected.
    New and updated attack signatures remain in staging for 7 days, and are recorded but not enforced (according to the learn, alarm, and block flags in the attack signatures configuration) during that time.
  13. For the
    Enforcement Readiness Period
    , retain the default setting of
    7
    days.
    This is how long entities remain in staging. During this period, you can test the security policy entities for false positives before enforcing them.
    During the enforcement readiness period, the security policy provides learning suggestions when it processes requests that do not meet the security policy; but the security policy does not alert or block that traffic, even if those requests trigger violations. You can review new entities and decide which are legitimate and include them in the security policy.
  14. If the application is not case-sensitive, disable the
    Policy is Case Sensitive
    check box. Otherwise, leave it selected.
    You cannot change this setting after you have created the security policy.
  15. If you do not want the security policy to distinguish between HTTP/WebSocket and HTTPS/WebSocket Secure URLs, for
    Differentiate between HTTP/WS and HTTPS/WSS URLs
    select
    Disabled
    .
  16. Click
    Create Policy
    to create the security policy.
    The system creates the parent security policy and displays the inheritance settings for each section of the policy (as on the Learning and Blocking Settings screen).
  17. For each of the
    Inheritance Settings
    , decide whether you want inheritance to child policies to be
    Mandatory
    (child inherits the settings),
    Optional
    (the child can decide), or
    None
    (no inheritance for this feature). When done, click
    Save Changes
    .
You have created a security policy that you can use as a parent policy for multiple child policies. The child policies inherit the settings from this parent policy, and you can change only a subset of the settings in the child policy. Future changes made to the parent policy are passed down to the child policies.

Configuring parent policy settings

After you create a parent security policy, you can review and adjust the policy settings to be sure they include the correct details that you want to use for child policies. Although this task is not required and the default values may suit your needs, it gets you familiar with the settings in the policy. This is the same process to follow if later you need to make changes to the parent policy and how it works.
  1. On the Main tab, click
    Security
    Application Security
    Policy Building
    Learning and Blocking Settings
    .
    The Learning and Blocking Settings screen opens.
  2. In the
    Current edited security policy
    list near the top of the screen, verify that the policy shown is the parent security policy you want to work on.
  3. On the right side of the Learning and Blocking Settings screen, select
    Advanced
    .
    The screen displays the advanced configuration details for the parent security policy.
  4. For each of the settings, on the right you can see whether the setting has
    Mandatory Inheritance
    ,
    Optional Inheritance
    , or
    No Inheritance
    .
  5. Expand each of the settings and review the default values for each of the areas. Adjust the values, if necessary. If you change any of the values, click
    Save
    , then
    Apply Policy
    .
    Descriptions of the settings are included in the online Help on the Help tab.
  6. On the Main tab, click
    Security
    Application Security
    Security Policies
    Policies List
    .
    The Policies List screen opens.
  7. In the Policies List, select the parent policy you previously created.
    The policy summary is displayed on the right.
  8. Click
    Inheritance Settings
    .
  9. Review the
    Inheritance Settings
    , and make sure that inheritance is set properly for child policies to be
    Mandatory
    (child inherits the settings),
    Optional
    (the child can decide), or
    None
    (no inheritance for this feature). When done, click
    Save Changes
    .
You have configured the security policy settings of the parent policy that you can use when creating child security policies. If you already have created child policies, when you save the changes to the parent policy, the changes are automatically made to the child policies.

Creating a child security policy

Child security policies inherit settings from a parent security policy.
  1. On the Main tab, click
    Security
    Application Security
    Security Policies
    Policies List
    .
    The Policies List screen opens.
  2. Click
    Create New Policy
    .
    You only see this button when no policy is selected.
  3. In the
    Policy Name
    field, type a name for the policy.
  4. For
    Policy Type
    , select
    Security
    .
  5. For
    Policy Template
    , select the template to use for the child policy, for example, select
    Fundamental
    to create a robust security policy that is appropriate for most applications.
    To create a strict security policy that enforces many violations, select
    Comprehensive
    instead.
  6. From the
    Parent Policy
    list, select the parent security policy to use for this policy.
  7. For
    Virtual Server
    , select an existing virtual server, click
    Configure new virtual server
    to specify where to direct application requests, or leave it set to
    None
    for now.
    • Existing virtual servers are only listed if they have an HTTP profile, and are not associated with a local traffic policy.
    • To create a new virtual server, specify the protocol, virtual server name, virtual server destination IP address/network and port (IPv4 or IPv6), pool member address and port (address of the back-end application server), and logging profile.
    • If you select
      None
      , you will have to manually associate the security policy with a virtual server with an HTTP profile at a later time to activate the policy. (On the Security tab of the virtual server, set
      Application Security Policy
      to
      Enabled
      , then select the policy.)
  8. In the upper right corner, click
    Advanced
    .
    You can use default values for the Advanced settings but it's a good idea to take a look at them.
    • If you selected
      Fundamental
      or
      Comprehensive
      for the
      Policy Template
      ,
      Learning Mode
      is set to
      Automatic
      and
      Enforcement Mode
      is set to
      Blocking
      .
      If you need to change these values, set application language to a value other than
      Auto detect
      .
    • If you know the
      Application Language
      , select it or use
      Unicode (utf-8)
      .
    • To add specific protections (enforcing additional attack signatures) to the policy, for
      Server Technologies
      , select the technologies that apply to the back-end application servers.
    • You can configure trusted IP addresses that you want the security policy to consider safe.
  9. Click
    Create Policy
    to create the security policy.
  10. Click
    Inheritance Settings
    to see which parts of the policy are inherited from the parent and which can be declined or accepted.
    By default, all settings with optional inheritance are accepted.
  11. You can adjust option settings from
    Accepted
    to
    Decline
    . When done, click
    Save Changes
    .
ASM creates a child security policy that uses the mandatory settings specified in the parent policy. As a result, some of the Learning and Blocking Settings are unavailable in the child policy, and you can only change them in the parent policy.
The security policy immediately starts protecting your application. The enforcement mode of the security policy is set to Blocking. Traffic that is considered to be an attack such as traffic that is not compliant with HTTP protocol, has malformed payloads, uses evasion techniques, performs web scraping, contains sensitive information or illegal values is blocked. Other potential violations are reported but not blocked.
This is a good point at which send some traffic to test that you can access the application being protected by the child security policy and check that traffic is being processed correctly by the BIG-IP system. Send the traffic to the virtual server destination address.
If the parent is changed, the child policy is automatically updated with the latest inherited (or accepted) settings.

Reviewing learning suggestions for parent and child policies

Before you can see learning suggestions on the system, the application protected by a child policy needs to have had some traffic sent to it.
After you create parent and child policies and begin sending traffic to the application protected by the child policy, the system provides learning suggestions concerning additions to the policies based on the traffic it sees. For example, you can have users or testers browse the web application. By analyzing the traffic to and from the application, Application Security Manager generates learning suggestions or ways to fine-tune the parent and child policies to better suit the traffic and secure the application.
Suggestions related to settings that are inherited appear locked in the child policy and can only be accepted in the parent policy.
This task is primarily for building a security policy manually. If you are using the automatic learning mode, this task applies to resolving suggestions that require manual intervention, or for speeding up the enforcement of policy elements.
  1. On the Main tab, click
    Security
    Application Security
    Policy Building
    Traffic Learning
    .
    The Traffic Learning screen opens, and lists suggestions based on traffic patterns and violations that the system has detected.
  2. Take a look at the Traffic Learning screen to get familiar with it.
    With no suggestions selected, graphical charts summarize policy activity and you see an enforcement readiness summary on the bottom right.
    Learning suggestions in the parent policy include a number on the right that shows how many of the child policies included that suggestion. A link lets you review the suggestion in the child policy.
  3. Review the learning suggestions as follows.
    1. Select a learning suggestion.
      Information is displayed about the action the system will take if you accept the suggestion, and what caused the suggestion.
    2. You can learn more about the suggestion by looking at the action, the number of samples it is based on, the violations caused and their violation ratings, and if available, by examining samples of the requests that caused the suggestion.
    3. With a request selected on the left, you can view data about the request on the right, including any violations it generated, the contents of the request itself, and the response (if any). Note that some requests may contain violations related to different suggestions.
      By examining the requests that caused a suggestion, you can determine whether it should be accepted.
    4. To add comments about the suggestion and the cause, click the Add Comment icon Add Comment icon to the right of the suggestion commands, and type the comments.
  4. Decide how to respond to the suggestions. You can start with the suggestions that have the highest learning scores, or those which you know to be valid for the application. These are the options.
    Option
    What happens
    Accept Suggestion
    The system modifies the policy by taking the suggested action, such as adding an entity that is legitimate.
    For suggestions concerning inherited settings, this option only appears in the parent policy.
    Suggestions about adding file types, URLs, parameters, cookies, or redirection domains can only be accepted in child policies.
    Delete Suggestion
    The system removes the learning suggestion, but the suggestion reoccurs if new requests cause it. The learning score of the suggestion starts over from zero in that case.
    Ignore Suggestion
    The system does not change the policy and stops showing this suggestion on the Traffic Learning screen now and in the future. You can view ignored suggestions by filtering by Status
    Ignored
    .
    If you are working in automatic learning mode, when the learning score reaches 100%, the system accepts most of the suggestions, or you can accept suggestions manually at any time. If you are using manual learning, when the learning score reaches 100% (or before that if you know the suggestions are valid), you need to accept the suggestions manually.
    If you know that a suggestion is valid, you can accept it at any time even before the learning score reaches 100%. The ones that reach 100% have met all the conditions so that they are probably legitimate entities.
  5. To put the security policy changes into effect immediately, click
    Apply Policy
    .