Manual Chapter: Protecting Sensitive Data with Data Guard

Applies To:

BIG-IP ASM

  • 17.5.1
  • 17.5.0

Protecting Sensitive Data with Data Guard

In some web applications, a response may contain sensitive user information, such as credit card numbers or U.S. Social Security numbers. The Data Guard feature can prevent responses from exposing sensitive information by masking the data (this is also known as response scrubbing). Data Guard scans text in responses looking for the types of sensitive information that you specify.

Note: When you mask the data, the system replaces the sensitive data with asterisks (****). F5 Networks recommends that you enable this setting especially when the security policy enforcement mode is transparent. Otherwise, when the system returns a response, sensitive data could be exposed to the client.

Using Data Guard, you can configure custom patterns using PCRE regular expressions to protect other forms of sensitive information, and indicate exception patterns not to consider sensitive. You can also specify which URLs you want the system to examine for sensitive data.

The system can also examine the content of responses for specific types of files that you do not want to be returned to users, such as Microsoft Office documents, PDFs, ELF binary files, Mach object files, or Windows portable executables. File content checking causes the system to examine responses for the file content types you select. You can configure the system to block sensitive file content (according to the blocking setting of the DataGuard: Information Leakage Detected violation).

Data Guard examines responses that have the following content-type headers:

  • “text/…”
  • “application/x-shockwave-flash”
  • “application/sgml”
  • “application/x-javascript”
  • “application/xml”
  • “application/x-asp”
  • “application/x-aspx”
  • “application/xhtml+xml”

You can configure one additional user-defined response content-type using the system variable user_defined_accum_type. If response logging is enabled, these responses can also be logged.

You can configure the system to protect sensitive data. If a web server response contains a credit card number, U.S. Social Security number, or sensitive data that matches a pattern, then the system responds based on the enforcement mode setting.

Note:

In addition to fully masking matched sensitive data with asterisks (****), you can configure how many characters should remain visible at the start and end of each matched string (partial masking).

This option is available for:

  • Preset data types (such as credit card and U.S. Social Security numbers)
  • Custom patterns defined using regular expressions

  1. On the Main tab, click Security > Application Security > Security Policies. Select the existing policy and click Advanced Protection > Data Guard.

    The Data Guard screen opens.

  2. Toggle ON/OFF to activate Data Guard for the selected policy.

  3. To hide sensitive data, enable Mask Sensitive Data. If disabled, then the system sends the response, including the sensitive information, to the user.

    Note:

    • Mask Sensitive Data will be functional only if at least one sensitive data type is enabled (Credit Card Numbers, U.S. Social Security Numbers, Custom Patterns).
    • This setting is not relevant if blocking is enabled for the violation, because the system blocks responses containing sensitive data.
  4. Select Detect for Credit Card Numbers if you want the system to consider credit card numbers as sensitive data. If set to Ignore, the system does not consider credit card numbers as sensitive data.

    By default, the last 4 digits of a credit card number remain visible so that legitimate parties can recognize and differentiate the number, such as on invoices. To change this, select a different number from the drop-down box.

  5. Select Detect for U.S. Social Security Numbers if you want the system to consider U.S. Social Security numbers (in the form nnn-nn-nnnn, where n is a digit) as sensitive data. If set to Ignore, the system does not consider U.S. Social Security numbers as sensitive data.

    By default, the last 4 digits of a U.S. Social Security number remain visible so that legitimate parties can recognize and differentiate the number, such as on forms. To change this, select a different number from the drop-down box.

  6. Click Detect for Custom Patterns to specify additional sensitive data patterns that occur in the application:

    1. To leave part of each matched string visible, enter the number of leading and trailing characters to expose:

      • Enter a number in Expose in first characters
      • Enter a number in Expose in last characters
    2. In the New Pattern field, type a PCRE regular expression that specifies the sensitive data pattern, then click Add. For example, 999-[\d][\d]-[\d][\d][\d][\d].

      Tip: You can validate the regular expression using the tool at Security > Options > Application Security > RegExp Validator.

    3. Add as many custom patterns as needed for the application.

  7. Click Detect for Custom Patterns to specify exception patterns, that is, data patterns not to consider sensitive:

    1. In the New Pattern field, type a PCRE regular expression that specifies the pattern to exclude, then click Add.

      Note: Add as many custom patterns as needed for the application.

    2. To delete a pattern, click Remove.

  8. Click Check for File Content Detection to examine responses for specific file content (for example, to determine whether someone is trying to download a sensitive type of document). Select the file formats to detect from the file list as required.

  9. For Data Guard Protection Enforcement, specify which URLs to examine for sensitive data:

    • To inspect all URLs, use the default value of Ignore URLs in list, and do not add any URLs to the list.
    • To inspect all but a few specific URLs, use the default value of Ignore URLs in list, and add the exceptions to the list.
    • To inspect only specific URLs, select Enforce URLs in list, and add the URLs to check to the list. When adding URLs, you can type either explicit (/index.html) or wildcard (*xyz.html) URLs.

  10. Click Save to save your settings.

When the system detects sensitive information in a response, it generates the Data Guard: Information leakage detected violation (if the violation is set to alarm or block). If the security policy enforcement mode is set to blocking and the violation is set to block, the system does not send the response to the client.
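The following script is an added example and is not F5 code; it models the decisions this chapter describes (content-type scope, the Ignore/Enforce URL list, preset and custom patterns, exception patterns, partial masking, and the transparent/blocking outcome) so that the interaction between the settings can be tried on a constructed response. The regular expressions for credit card and Social Security numbers, the Luhn check, the wildcard matching rule for URL list entries, and the policy dictionary layout are all assumptions made for illustration, not the product's documented detectors or configuration format.

```python
import re
from fnmatch import fnmatchcase

# Response content types the chapter says Data Guard examines; one more can be
# added via the user_defined_accum_type variable (passed here as user_defined).
SCANNED_CONTENT_TYPES = {
    "application/x-shockwave-flash", "application/sgml", "application/x-javascript",
    "application/xml", "application/x-asp", "application/x-aspx", "application/xhtml+xml",
}

# Constructed detectors for the two preset data types. Assumption: the product's own
# detectors are not documented here; these are plausible stand-ins. The card detector
# accepts 13-16 digits with optional single spaces/dashes and requires a valid Luhn sum.
PRESET_DETECTORS = {
    "credit_card": re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

def luhn_ok(number):
    """Luhn checksum over the digits of `number` (separators ignored)."""
    total = 0
    for i, ch in enumerate(reversed(re.sub(r"\D", "", number))):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def content_type_is_scanned(content_type, user_defined=None):
    """True if a response with this Content-Type header is examined at all."""
    ct = content_type.split(";")[0].strip().lower()
    return ct.startswith("text/") or ct in SCANNED_CONTENT_TYPES or ct == user_defined

def url_in_scope(url, mode, url_list):
    """'ignore': scan every URL except listed ones; 'enforce': scan only listed ones.
    Assumption: explicit entries match exactly, '*' entries match as shell wildcards."""
    listed = any(fnmatchcase(url, entry) for entry in url_list)
    return listed if mode == "enforce" else not listed

def mask(value, expose_first=0, expose_last=0):
    """Partial masking: keep the first/last characters, asterisk everything in between
    (separators included, a simplification). Fully mask if nothing would be hidden."""
    if expose_first + expose_last >= len(value):
        return "*" * len(value)
    hidden = len(value) - expose_first - expose_last
    return value[:expose_first] + "*" * hidden + value[len(value) - expose_last:]

def scrub(body, policy):
    """Return (scrubbed_body, [detector names]). Matches that overlap an exception
    pattern are left untouched; overlapping sensitive matches are masked once."""
    exceptions = [m.span() for p in policy["exceptions"] for m in re.finditer(p, body)]
    candidates = []
    for name, regex in PRESET_DETECTORS.items():
        if policy[name]["detect"]:
            for m in regex.finditer(body):
                if name != "credit_card" or luhn_ok(m.group()):
                    candidates.append((m.start(), m.end(), name))
    for p in policy["custom"]["patterns"]:
        candidates.extend((m.start(), m.end(), "custom") for m in re.finditer(p, body))
    out, pos, findings = [], 0, []
    for start, end, name in sorted(candidates):
        if start < pos or any(start < xe and xs < end for xs, xe in exceptions):
            continue
        cfg = policy[name]
        out += [body[pos:start],
                mask(body[start:end], cfg.get("expose_first", 0), cfg.get("expose_last", 0))]
        findings.append(name)
        pos = end
    out.append(body[pos:])
    return "".join(out), findings

def handle_response(url, content_type, body, policy):
    """Apply the enforcement rules from the chapter: block only when both the policy
    mode and the violation are set to block; otherwise mask (if enabled) or pass."""
    if not (content_type_is_scanned(content_type, policy.get("user_defined"))
            and url_in_scope(url, policy["url_mode"], policy["urls"])):
        return {"action": "pass", "body": body, "violation": False}
    scrubbed, findings = scrub(body, policy)
    if not findings:
        return {"action": "pass", "body": body, "violation": False}
    if policy["enforcement_mode"] == "blocking" and policy["violation_blocks"]:
        return {"action": "block", "body": None, "violation": True}
    if policy["mask_sensitive_data"]:
        return {"action": "mask", "body": scrubbed, "violation": True}
    # Transparent mode with masking off: the violation is raised but the data reaches the client.
    return {"action": "pass", "body": body, "violation": True}

# Constructed policy mirroring the screen's defaults (last 4 digits of presets exposed).
POLICY = {
    "enforcement_mode": "transparent", "violation_blocks": False, "mask_sensitive_data": True,
    "credit_card": {"detect": True, "expose_last": 4},
    "ssn": {"detect": True, "expose_last": 4},
    "custom": {"patterns": [r"ACCT-\d{6}"], "expose_first": 0, "expose_last": 0},
    "exceptions": [r"\b000-00-0000\b"],      # a sample SSN the application legitimately shows
    "url_mode": "ignore", "urls": ["/public/*"],
}

# Constructed response body, not captured from any real application.
SAMPLE_BODY = ("<p>Card 4111 1111 1111 1111, SSN 123-45-6789, sample SSN 000-00-0000, "
               "account ACCT-123456, order 1234-5678</p>")

if __name__ == "__main__":
    print(handle_response("/account.html", "text/html; charset=utf-8", SAMPLE_BODY, POLICY))
```

Running the script with the constructed policy masks the card to `***************1111`, the Social Security number to `*******6789`, and the custom account number entirely, while the excepted sample SSN and the 8-digit order number are left alone. Switching `enforcement_mode` to `blocking` together with `violation_blocks` drops the response instead, and turning `mask_sensitive_data` off in transparent mode shows why the chapter's note recommends masking: the violation is still raised, but the unmasked body is what the client receives.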