Manual Chapter :
Fine-tuning Advanced XML Security Policy Settings
Applies To:
Show VersionsBIG-IP ASM
- 17.1.2, 17.1.1, 17.1.0, 17.0.0
Fine-tuning Advanced XML Security Policy Settings
Fine-tuning XML defense configuration
Before you can perform this task, you
must have created a security policy for an application that uses web services or XML,
and created and associated an XML profile with the policy.
The defense configuration in an XML profile provides formatting and attack pattern
checks for the XML data. The defense configuration complements the validation
configuration to provide comprehensive security for XML data and web services
applications. If your XML application has special requirements, you can adjust the
defense configuration settings. This is an advanced task that is not required when
creating a security policy for an XML application.
- On the Main tab, click.The XML Profiles screen opens.
- Click the name of the XML profile for which you want to modify the advanced defense configuration settings.The XML Profile Properties screen opens.
- On the XML Firewall Configuration tab, from theDefense Configurationlist, selectAdvanced.The screen displays additional defense configuration settings.
- For theDefense Levelsetting, select the protection level you want for the application.The defense level determines the granularity of the security inspection for the XML application. You can chooseHigh,Medium, orLowand let the system determine the defense level settings. Or you can set the level, then adjust any of the settings to create aCustomdefense level.
- Adjust the defense configuration settings as required by your application and traffic.
- Optionally, modify the attack signatures, meta characters, or sensitive data for this XML profile on the appropriate tabs.
- ClickUpdateto update the XML profile.
- To put the security policy changes into effect immediately, clickApply Policy.
A trade-off occurs between ease of configuration and defense level. The higher the
defense level, the more you may need to refine the security policy. For example, if you
use the default defense level of
High
, the XML security is
optimal; however, when you initially apply the security policy, the system may generate
false-positives for some XML violations. However, a Low
defense
level may not protect the application as strictly but may cause fewer false
positives.The system checks requests that contain XML data to be sure that the
data complies with the various document limits defined in the defense configuration
of the security policy's XML profile. The system generally examines the message for
compliance to boundaries such as the message's size, maximum depth, and maximum
number of children. When the system detects a problem in an XML document, it causes
the
XML data does not comply with format settings
violation, if the
violation is set to Alarm or Block.Advanced XML defense configuration settings
This table describes the defense configuration settings. The
Defense
Level
setting in an XML profile determines the default values for the setting, or
you can adjust them. A value of Any
indicates unlimited; that is, up to
the boundaries of an integer type.Setting |
Description |
Default Values |
---|---|---|
Defense Level |
Specifies the level of protection that the system applies to XML documents,
applications, and services. If you change any of the default settings, the system
automatically changes the defense level to Custom . |
High, Medium, Low |
Allow DTDs |
Specifies, when enabled, that the XML document can contain Document Type
Definitions (DTDs). |
High: Disabled, Medium: Enabled, Low: Enabled |
Allow External References |
Specifies, when enabled, that the XML document is allowed to list external
references using operators, such as schemaLocation and SYSTEM. |
High: Disabled, Medium: Disabled, Low: Enabled |
Tolerate Leading White Space |
Specifies, when enabled, that leading white spaces at the beginning of an XML
document are acceptable. |
High: Disabled, Medium: Disabled, Low: Enabled |
Tolerate Close Tag Shorthand |
Specifies, when enabled, that the close tag format </>, which is used in the
XML encoding for Microsoft Office Outlook Web Access, is acceptable. |
High: Disabled, Medium: Disabled, Low: Enabled |
Tolerate Numeric Names |
Specifies, when enabled, that the entity and namespace names can start with an
integer (0-9). Note that this is a compatibility option for use with Microsoft Office
Outlook Web Access. |
High: Disabled, Medium: Disabled, Low: Enabled |
Allow Processing Instructions |
Specifies, when enabled, that the system allows processing instructions in the
XML request. If you upload a WSDL file that references valid SOAP methods, this
setting is inactive. |
High: Enabled, Medium: Enabled, Low: Enabled |
Allow CDATA |
Specifies, when enabled, that the system permits the existence of character data
(CDATA) sections in the XML document part of a request. |
High: Disabled, Medium: Enabled, Low: Enabled |
Maximum Document Size |
Specifies, in bytes, the largest acceptable document size. |
High: 1024000, Medium: 10240000, Low: Any |
Maximum Elements |
Specifies the maximum number of elements that can be in a single document. |
High: 65536, Medium: 512000, Low: Any |
Maximum Name Length |
Specifies, in bytes, the maximum acceptable length for element and attribute
names. |
High: 256, Medium: 1024, Low: Any |
Maximum Attribute Value Length |
Specifies, in bytes, the maximum acceptable length for attribute values. |
High: 1024, Medium: 4096, Low: Any |
Maximum Document Depth |
Specifies the maximum depth of nested elements. |
High: 32, Medium: 128, Low: Any |
Maximum Children Per Element |
Specifies the maximum acceptable number of child elements for each parent
element. |
High: 1024, Medium: 4096, Low: Any |
Maximum Attributes Per Element |
Specifies the maximum number of attributes for each element. |
High: 16, Medium: 64, Low: Any |
Maximum NS Declarations |
Specifies the maximum number of namespace declarations allowed in a single
document. |
High: 64, Medium: 256, Low: Any |
Maximum Namespace Length |
Specifies the largest allowed size, in bytes, for a namespace prefix in the XML
part of a request. |
High: 256, Medium: 1024, Low: Any |
Masking sensitive XML data
Before you can perform this task, you
must have created a security policy, and created and associated an XML profile with the
policy.
You can mask sensitive XML data so that it does not appear in the interface or
logs. You set this up in the XML profile of a security policy.
- On the Main tab, click.The XML Profiles screen opens.
- Click the name of the XML profile for which you want to mask sensitive data.The XML Profile Properties screen opens.
- Click the Value Masking tab.The screen displays Value Masking settings.
- ForNamespace, select one of the options:OptionUseAny NamespaceWhen the sensitive data can appear in an element or attribute in any namespace.CustomWhen the sensitive data appears in an element or attribute in a particular namespace. Type the namespace prefix that can contain sensitive data.No NamespaceWhen no namespace in the XML document has an element or attribute with a value that contains sensitive data.
- ForName:
- SelectElementorAttributeto indicate whether the sensitive data appears as a value of either an XML element or an attribute.
- In the field, type the XML element or attribute whose value can contain sensitive data. Entries in this field are case-sensitive.
- ClickAddto add the information you entered in theNamespaceandNamefields to the Sensitive Data table and the XML profile.
- ClickUpdateto update the XML profile.
- To put the security policy changes into effect immediately, clickApply Policy.
The system checks requests that contain XML data and if they contain sensitive data,
that data is masked in logs and in request content shown in the Application Security Manager.
Overriding meta characters based on content
Before you can perform this task, you must have previously created a JSON, XML,
Google Web Toolkit (GWT), or Plain Text content profile.
You can have the system check for allowed or disallowed meta characters based on
the content of a request as defined in content profiles (XML, JSON, GWT, or Plain Text).
In addition, you can override the security policy settings so that the system avoids
checking for meta characters in particular content.
- On the Main tab, point toand click a content profile type (XML,JSON,GWT, orPlain Text).
- In the profiles list, click the name of the content profile for which you want to override meta character checks.The profile properties screen opens.
- Click the Meta Characters tab (for XML) or Value Meta Characters (for JSON, plain text, or GWT).
- Select the appropriate check box:
- For JSON, plain text, or GWT profiles, select theCheck characterscheck box to have the system check for meta characters in JSON data.
- For XML profiles, selectCheck element value charactersto check meta characters in XML elements, and selectCheck attribute value charactersto check meta characters in XML attributes.
- In theGlobal Security Policy Settingslist, review the meta characters that are assigned to the security policy, and which are allowed or disallowed in the content profile.
- From theGlobal Security Policy Settingslist, move any meta characters that you want to override for this content profile into theOverridden Security Policy Settingslist.
- Set the meta character toAlloworDisallowin the overridden settings list (the opposite from the global setting).
- ClickUpdateto update the content profile.
- To put the security policy changes into effect immediately, clickApply Policy.
If the content matches that defined in the content profile, meta characters are
allowed or disallowed according to the overriden meta character settings in the content
profile.
Managing SOAP methods
Before you can perform this task, you
must have created a security policy, and created and associated an XML profile with the
policy.You must have already uploaded a WSDL document in the XML profile.
When using a WSDL document in the XML profile, the system includes the relevant
SOAP methods in the validation configuration. You can enable or disable the SOAP
methods, as needed.
- On the Main tab, click.The XML Profiles screen opens.
- Click the name of the XML profile for which you want to enable or disable one or more SOAP methods.The XML Profile Properties screen opens.
- On the XML Fireweall Configuration tab, in the Validation Configuration area, theValid SOAP Methodstable lists the SOAP methods used by the WSDL file you uploaded previously. Select or clear theEnabledcheck box for each method that you want to enable (allow) or disable (not allow).
- ClickUpdateto update the XML profile.
- To put the security policy changes into effect immediately, clickApply Policy.
The XML profile is updated if you changed which SOAP methods are allowed by the
security policy. If you disable a SOAP method, and a request contains that method, the
system issues the
SOAP method not allowed violation
, and blocks the
request if the enforcement mode is set to blocking.