Manual Chapter : Fine-tuning Advanced XML Security Policy Settings

Applies To:

Show Versions Show Versions

BIG-IP ASM

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0
Manual Chapter

Fine-tuning Advanced XML Security Policy Settings

Fine-tuning XML defense configuration

Before you can perform this task, you must have created a security policy for an application that uses web services or XML, and created and associated an XML profile with the policy.
The defense configuration in an XML profile provides formatting and attack pattern checks for the XML data. The defense configuration complements the validation configuration to provide comprehensive security for XML data and web services applications. If your XML application has special requirements, you can adjust the defense configuration settings. This is an advanced task that is not required when creating a security policy for an XML application.
  1. On the Main tab, click
    Security
    Application Security
    Content Profiles
    XML Profiles
    .
    The XML Profiles screen opens.
  2. Click the name of the XML profile for which you want to modify the advanced defense configuration settings.
    The XML Profile Properties screen opens.
  3. On the XML Firewall Configuration tab, from the
    Defense Configuration
    list, select
    Advanced
    .
    The screen displays additional defense configuration settings.
  4. For the
    Defense Level
    setting, select the protection level you want for the application.
    The defense level determines the granularity of the security inspection for the XML application. You can choose
    High
    ,
    Medium
    , or
    Low
    and let the system determine the defense level settings. Or you can set the level, then adjust any of the settings to create a
    Custom
    defense level.
  5. Adjust the defense configuration settings as required by your application and traffic.
  6. Optionally, modify the attack signatures, meta characters, or sensitive data for this XML profile on the appropriate tabs.
  7. Click
    Update
    to update the XML profile.
  8. To put the security policy changes into effect immediately, click
    Apply Policy
    .
A trade-off occurs between ease of configuration and defense level. The higher the defense level, the more you may need to refine the security policy. For example, if you use the default defense level of
High
, the XML security is optimal; however, when you initially apply the security policy, the system may generate false-positives for some XML violations. However, a
Low
defense level may not protect the application as strictly but may cause fewer false positives.
The system checks requests that contain XML data to be sure that the data complies with the various document limits defined in the defense configuration of the security policy's XML profile. The system generally examines the message for compliance to boundaries such as the message's size, maximum depth, and maximum number of children. When the system detects a problem in an XML document, it causes the
XML data does not comply with format settings
violation, if the violation is set to Alarm or Block.

Advanced XML defense configuration settings

This table describes the defense configuration settings. The
Defense Level
setting in an XML profile determines the default values for the setting, or you can adjust them. A value of
Any
indicates unlimited; that is, up to the boundaries of an integer type.
Setting
Description
Default Values
Defense Level
Specifies the level of protection that the system applies to XML documents, applications, and services. If you change any of the default settings, the system automatically changes the defense level to
Custom
.
High, Medium, Low
Allow DTDs
Specifies, when enabled, that the XML document can contain Document Type Definitions (DTDs).
High: Disabled, Medium: Enabled, Low: Enabled
Allow External References
Specifies, when enabled, that the XML document is allowed to list external references using operators, such as schemaLocation and SYSTEM.
High: Disabled, Medium: Disabled, Low: Enabled
Tolerate Leading White Space
Specifies, when enabled, that leading white spaces at the beginning of an XML document are acceptable.
High: Disabled, Medium: Disabled, Low: Enabled
Tolerate Close Tag Shorthand
Specifies, when enabled, that the close tag format </>, which is used in the XML encoding for Microsoft Office Outlook Web Access, is acceptable.
High: Disabled, Medium: Disabled, Low: Enabled
Tolerate Numeric Names
Specifies, when enabled, that the entity and namespace names can start with an integer (0-9). Note that this is a compatibility option for use with Microsoft Office Outlook Web Access.
High: Disabled, Medium: Disabled, Low: Enabled
Allow Processing Instructions
Specifies, when enabled, that the system allows processing instructions in the XML request. If you upload a WSDL file that references valid SOAP methods, this setting is inactive.
High: Enabled, Medium: Enabled, Low: Enabled
Allow CDATA
Specifies, when enabled, that the system permits the existence of character data (CDATA) sections in the XML document part of a request.
High: Disabled, Medium: Enabled, Low: Enabled
Maximum Document Size
Specifies, in bytes, the largest acceptable document size.
High: 1024000, Medium: 10240000, Low: Any
Maximum Elements
Specifies the maximum number of elements that can be in a single document.
High: 65536, Medium: 512000, Low: Any
Maximum Name Length
Specifies, in bytes, the maximum acceptable length for element and attribute names.
High: 256, Medium: 1024, Low: Any
Maximum Attribute Value Length
Specifies, in bytes, the maximum acceptable length for attribute values.
High: 1024, Medium: 4096, Low: Any
Maximum Document Depth
Specifies the maximum depth of nested elements.
High: 32, Medium: 128, Low: Any
Maximum Children Per Element
Specifies the maximum acceptable number of child elements for each parent element.
High: 1024, Medium: 4096, Low: Any
Maximum Attributes Per Element
Specifies the maximum number of attributes for each element.
High: 16, Medium: 64, Low: Any
Maximum NS Declarations
Specifies the maximum number of namespace declarations allowed in a single document.
High: 64, Medium: 256, Low: Any
Maximum Namespace Length
Specifies the largest allowed size, in bytes, for a namespace prefix in the XML part of a request.
High: 256, Medium: 1024, Low: Any

Masking sensitive XML data

Before you can perform this task, you must have created a security policy, and created and associated an XML profile with the policy.
You can mask sensitive XML data so that it does not appear in the interface or logs. You set this up in the XML profile of a security policy.
  1. On the Main tab, click
    Security
    Application Security
    Content Profiles
    XML Profiles
    .
    The XML Profiles screen opens.
  2. Click the name of the XML profile for which you want to mask sensitive data.
    The XML Profile Properties screen opens.
  3. Click the Value Masking tab.
    The screen displays Value Masking settings.
  4. For
    Namespace
    , select one of the options:
    Option
    Use
    Any Namespace
    When the sensitive data can appear in an element or attribute in any namespace.
    Custom
    When the sensitive data appears in an element or attribute in a particular namespace. Type the namespace prefix that can contain sensitive data.
    No Namespace
    When no namespace in the XML document has an element or attribute with a value that contains sensitive data.
  5. For
    Name
    :
    1. Select
      Element
      or
      Attribute
      to indicate whether the sensitive data appears as a value of either an XML element or an attribute.
    2. In the field, type the XML element or attribute whose value can contain sensitive data. Entries in this field are case-sensitive.
  6. Click
    Add
    to add the information you entered in the
    Namespace
    and
    Name
    fields to the Sensitive Data table and the XML profile.
  7. Click
    Update
    to update the XML profile.
  8. To put the security policy changes into effect immediately, click
    Apply Policy
    .
The system checks requests that contain XML data and if they contain sensitive data, that data is masked in logs and in request content shown in the Application Security Manager.

Overriding meta characters based on content

Before you can perform this task, you must have previously created a JSON, XML, Google Web Toolkit (GWT), or Plain Text content profile.
You can have the system check for allowed or disallowed meta characters based on the content of a request as defined in content profiles (XML, JSON, GWT, or Plain Text). In addition, you can override the security policy settings so that the system avoids checking for meta characters in particular content.
  1. On the Main tab, point to
    Security
    Application Security
    Content Profiles
    and click a content profile type (
    XML
    ,
    JSON
    ,
    GWT
    , or
    Plain Text
    ).
  2. In the profiles list, click the name of the content profile for which you want to override meta character checks.
    The profile properties screen opens.
  3. Click the Meta Characters tab (for XML) or Value Meta Characters (for JSON, plain text, or GWT).
  4. Select the appropriate check box:
    • For JSON, plain text, or GWT profiles, select the
      Check characters
      check box to have the system check for meta characters in JSON data.
    • For XML profiles, select
      Check element value characters
      to check meta characters in XML elements, and select
      Check attribute value characters
      to check meta characters in XML attributes.
  5. In the
    Global Security Policy Settings
    list, review the meta characters that are assigned to the security policy, and which are allowed or disallowed in the content profile.
  6. From the
    Global Security Policy Settings
    list, move any meta characters that you want to override for this content profile into the
    Overridden Security Policy Settings
    list.
  7. Set the meta character to
    Allow
    or
    Disallow
    in the overridden settings list (the opposite from the global setting).
  8. Click
    Update
    to update the content profile.
  9. To put the security policy changes into effect immediately, click
    Apply Policy
    .
If the content matches that defined in the content profile, meta characters are allowed or disallowed according to the overriden meta character settings in the content profile.

Managing SOAP methods

Before you can perform this task, you must have created a security policy, and created and associated an XML profile with the policy.You must have already uploaded a WSDL document in the XML profile.
When using a WSDL document in the XML profile, the system includes the relevant SOAP methods in the validation configuration. You can enable or disable the SOAP methods, as needed.
  1. On the Main tab, click
    Security
    Application Security
    Content Profiles
    XML Profiles
    .
    The XML Profiles screen opens.
  2. Click the name of the XML profile for which you want to enable or disable one or more SOAP methods.
    The XML Profile Properties screen opens.
  3. On the XML Fireweall Configuration tab, in the Validation Configuration area, the
    Valid SOAP Methods
    table lists the SOAP methods used by the WSDL file you uploaded previously. Select or clear the
    Enabled
    check box for each method that you want to enable (allow) or disable (not allow).
  4. Click
    Update
    to update the XML profile.
  5. To put the security policy changes into effect immediately, click
    Apply Policy
    .
The XML profile is updated if you changed which SOAP methods are allowed by the security policy. If you disable a SOAP method, and a request contains that method, the system issues the
SOAP method not allowed violation
, and blocks the request if the enforcement mode is set to blocking.