Manual Chapter : Protecting Sensitive Data with Data Guard

Applies To:

BIG-IP ASM

  • 17.5.1, 17.5.0

Protecting Sensitive Data with Data Guard

About protecting sensitive data with Data Guard

In some web applications, a response may contain sensitive user information, such as credit card numbers or U.S. Social Security numbers. The Data Guard feature can prevent responses from exposing sensitive information by masking the data (this is also known as response scrubbing). Data Guard scans text in responses looking for the types of sensitive information that you specify.
When you mask the data, the system replaces the sensitive data with asterisks (****). F5 Networks recommends that you enable this setting especially when the security policy enforcement mode is transparent. Otherwise, when the system returns a response, sensitive data could be exposed to the client.
Using Data Guard, you can configure custom patterns using PCRE regular expressions to protect other forms of sensitive information, and indicate exception patterns not to consider sensitive. You can also specify which URLs you want the system to examine for sensitive data.
The system can also examine the content of responses for specific types of files that you do not want to be returned to users, such as Microsoft Office documents, PDFs, ELF binary files, Mach object files, or Windows portable executables. File content checking causes the system to examine responses for the file content types you select. You can configure the system to block sensitive file content (according to the blocking setting of the DataGuard: Information Leakage Detected violation).

Response headers that Data Guard inspects

Data Guard examines responses that have the following content-type headers:
  • "text/..."
  • "application/x-shockwave-flash"
  • "application/sgml"
  • "application/x-javascript"
  • "application/xml"
  • "application/x-asp"
  • "application/x-aspx"
  • "application/xhtml+xml"
You can configure one additional user-defined response content-type using the system variable user_defined_accum_type. If response logging is enabled, these responses can also be logged.

Protecting sensitive data

You can configure the system to protect sensitive data. If a web server response contains a credit card number, U.S. Social Security number, or sensitive data that matches a pattern, then the system responds based on the enforcement mode setting.
In addition to fully masking matched sensitive data with asterisks (****), you can configure how many characters should remain visible at the start and end of each matched string (partial masking).
This option is available for:
  • Preset data types (such as credit card and U.S. Social Security numbers)
  • Custom patterns defined using regular expressions
  1. On the Main tab, click Security > Application Security > Security Policies. Select the existing policy and click Advanced Protection > Data Guard.
     The Data Guard screen opens.
  2. Toggle ON/OFF to activate Data Guard for the selected policy.
  3. To hide sensitive data, enable Mask Sensitive Data. If disabled, the system sends the response, including the sensitive information, to the user.
     • Mask Sensitive Data is functional only if at least one sensitive data type is enabled (Credit Card Numbers, U.S. Social Security Numbers, Custom Patterns).
     • This setting is not relevant if blocking is enabled for the violation, because the system blocks responses containing sensitive data.
  4. Select Detect for Credit Card Numbers if you want the system to consider credit card numbers as sensitive data. If set to Ignore, the system does not consider credit card numbers as sensitive data.
     By default, the last 4 digits of a credit card number are exposed to allow legitimate parties to recognize and differentiate the number, such as on invoices. To change this, select a different number from the drop-down box.
  5. Select Detect for U.S. Social Security Numbers if you want the system to consider U.S. Social Security numbers (in the form nnn-nn-nnnn, where n is an integer) as sensitive data. If set to Ignore, the system does not consider U.S. Social Security numbers as sensitive data.
     By default, the last 4 digits of a U.S. Social Security number are exposed to allow legitimate parties to recognize and differentiate the number, such as on forms. To change this, select a different number from the drop-down box.
  6. Click Detect for Custom Patterns to specify additional sensitive data patterns that occur in the application:
     1. You can expose the required characters by entering the number of first and last characters to be exposed:
        • Enter a number in Expose in first characters
        • Enter a number in Expose in last characters
     2. In the New Pattern field, type a PCRE regular expression to specify the sensitive data pattern, then click Add. For example, 999-[\d][\d]-[\d][\d][\d][\d] (PCRE uses a backslash, not a forward slash, for the digit class \d).
        You can validate the regular expression using the tool at Security > Options > Application Security > RegExp Validator.
     3. Add as many custom patterns as needed for the application.
  7. Click Detect for Custom Patterns to specify data patterns not to consider sensitive:
     1. In the New Pattern field, type a PCRE regular expression to specify the pattern that should not be considered sensitive, then click Add.
        Add as many patterns as needed for the application.
     2. If you want to delete any patterns, click Remove.
  8. Click Check for File Content Detection to review responses for specific file content (for example, to determine whether someone is trying to download a sensitive type of document). Select the different file formats from the file list as required.
  9. For Data Guard Protection Enforcement, specify which URLs to examine for sensitive data:
     • To inspect all URLs, use the default value of Ignore URLs in list, and do not add any URLs to the list.
     • To inspect all but a few specific URLs, use the default value of Ignore URLs in list, and add the exceptions to the list.
     • To inspect only specific URLs, select Enforce URLs in list, and add the URLs to check to the list.
     When adding URLs, you can type either explicit (/index.html) or wildcard (*xyz.html) URLs.
  10. Click Save to save your settings.
When the system detects sensitive information in a response, it generates the Data Guard: Information leakage detected violation (if the violation is set to alarm or block). If the security policy enforcement mode is set to blocking and the violation is set to block, the system does not send the response to the client.
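The response-scrubbing behaviour this chapter describes (the inspected content-type list, preset and custom PCRE patterns, partial masking with exposed first/last characters, exception patterns, and the Ignore/Enforce URL list), modelled in Python as an added example. This is not F5's implementation: the card regex, per-character masking, and treating an exception pattern as a full match on the detected token are assumptions of the model.

```python
import re
from fnmatch import fnmatchcase

# Constructed model of Data Guard response scrubbing (not F5 code).
# Content types the chapter lists as inspected; "text/..." is a prefix.
INSPECTED_TYPES = ("text/", "application/x-shockwave-flash", "application/sgml",
                   "application/x-javascript", "application/xml", "application/x-asp",
                   "application/x-aspx", "application/xhtml+xml")
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")              # preset: nnn-nn-nnnn
CARD = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")        # assumed: simplified 16-digit card, no checksum
CUSTOM = re.compile(r"999-[\d][\d]-[\d][\d][\d][\d]")  # the chapter's example custom pattern

def mask(token, expose_first=0, expose_last=4):
    """Replace the hidden middle of a match with asterisks; defaults expose the last 4."""
    if expose_first + expose_last >= len(token):
        return token
    hidden = len(token) - expose_first - expose_last
    return token[:expose_first] + "*" * hidden + token[len(token) - expose_last:]

def url_is_inspected(url, url_list, mode="ignore"):
    """'ignore': inspect every URL except those listed; 'enforce': only those listed.
    Entries may be explicit (/index.html) or wildcard (*xyz.html)."""
    listed = any(fnmatchcase(url, pat) for pat in url_list)
    return not listed if mode == "ignore" else listed

def scrub(url, content_type, body, url_list=(), mode="ignore",
          expose_first=0, expose_last=4, exceptions=()):
    """Return (scrubbed body, number of masked matches) for one response."""
    if not content_type.startswith(INSPECTED_TYPES) or not url_is_inspected(url, url_list, mode):
        return body, 0
    excepted = [re.compile(e) for e in exceptions]
    count = 0

    def replace(m):
        nonlocal count
        token = m.group(0)
        if any(x.fullmatch(token) for x in excepted):  # exception pattern: leave as is
            return token
        count += 1
        return mask(token, expose_first, expose_last)

    for pattern in (SSN, CUSTOM, CARD):
        body = pattern.sub(replace, body)
    return body, count
```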