Manual Chapter : Overview: Web Application Security in BIG-IQ
Applies To:Show Versions
BIG-IQ Centralized Management
Overview: Web Application Security in BIG-IQ
Managing Web Application Security
You can manage and fine-tune your application security policy, whether it was imported from managed BIG-IP devices, or created directly on BIG-IQ's Web Application Security. Using centralized management, manage all of your enterprise's policies, regardless of their deployment across your enterprise's BIG-IP devices.
Importing Web Application Security policies
Web Application Security imports BIG-IP Application Security Manager™ (ASM) application security policies from discovered BIG-IP devices, and lists them on the Web Application Security policy editor Policies screen. Each security policy is assigned a unique identifier that it carries across the enterprise. This ensures that each policy is shown only once in the Policies screen ( ), no matter how many devices it is protecting. In the Web Application Security repository, policies are in XML format.
Policy compatibility with managed BIG-IP systems
ASM policies on managed BIG-IP systems must be compatible with your current version of BIG-IQ. Policies that are imported from, or exported to, a BIG-IP system that does not have proper version support, may result in unexpected policy behavior. This can include failed policy imports/exports and missing parameters.
For more information about BIG-IP version support on your current BIG-IQ system, see K34133507.
About subcollections in policiesIn BIG-IP,
Subcollectionsare groups of like objects you can configure to your policy. In BIG-IQ, all Web Application Security subcollections are available for management and configuration within the policy itself. Not all subcollections are visible in the Web Application Security policy editor. Generally, you can import and deploy most subcollections from BIG-IP device, however, management in using the BIG-IQ interface is not yet supported.
You cannot manage wildcard ordering for subcollections using the BIG-IQ Centralized Management user interface.
Import application security policies
Before you import a security policy from another system, make sure that the attack signatures and user-defined signatures are the same on both systems. Ensure that you have access to the exported policy file.
Imported policies, that share the same name as an existing policy, will overwrite the existing policy. You must change the name if you do not wish to overwrite your existing policy.
You can use Web Application Security to import security policies that were previously exported.
- Navigate to the Policies screen: click.
- On the Policies screen, click theImportbutton.
- On the Import Policy screen, select the security policy file by clickingChoose File..., and navigating to the file location.You can also drag and drop a file to theDrop Policy File Herefield.If the .xml file is designated as a child policy,Retain the Inheritance SettingsandParent Policiesfields appear. If the parent policy is not configured, you cannot import the policy.
- Select a policy name for the imported policy (optional).
- For child policies with a parent policy:
- Select a parent policy, select policy from theParent Policiesfield (required).By default, the parent policy in the imported file is selected. If the parent policy is not configured, you must select an option. If you selectNone, the child status of the imported policy is removed.
- To import the policy with the optional inheritance settings from the original parent policy, selectEnabledforRetain the Inheritance Settings.By default this option is disabled, which means the imported policy will accept all optional inheritance settings from the selected parent policy. If enabled, the imported policy will retain the optional inheritance settings in the .xml file, regardless of the selected parent policy.
After you have imported the policy, the system lists it in the Policies screen. The uploaded policy will have the same name as the .xml file, unless you provided a new policy name.
If you replaced an existing policy, the imported security policy completely overwrites the existing security policy. In addition, the imported policy is configured to the virtual server and local traffic policy that was associated with the overwritten policy.
Policy structure and inheritance
You can use Web Application Security to create and manage two layers of security policies: parent policies and child policies. Parent policies include mandatory policy elements, and child policies inherit those attributes from the parent. When the parent policy is updated, the associated child policies are automatically updated.
With parent policies you can:
- Create and maintain common elements and settings.
- Impose mandatory elements on child policies.
- Push a change to multiple child policies.
You can specify which parts of the security policy must be inherited, which are optional, and which are not inherited. This allows you to keep child policies synchronized with the changes in the global mandatory policies and still allow the child policies to address their own unique requirements.
You establish the parent and child policy relationship as follows:
- Identify the current policy as a parent policy.On the General Properties screen for the policy, set thePolicy TypetoParent Policy. Navigate to , then click the policy to edit, and click
- Set a policy to be the child policy of the parent policy.On the Inheritance Settings screen for the policy, select the parent policy for a child policy by selecting the parent policy name in theParent Policysetting. Navigate to , then click the policy to become a child policy and click .
- ClickSaveto save this policy as a child policy and display the inheritance properties.
- Continue to use the Inheritance Settings screen to accept or decline what is to be inherited from the parent policy.
By default, the
Parent Policyfield is set to
None, and there is no layered policy use (no child or parent policies).
Refer to the
BIG-IP Application Security Manager: Getting Startedguide for additional information on using parent and child layered policies.
Determining access permissions for child and parent policies
When adding or modifying the role type permissions associated with a Web Application Security policy, you need to be aware of whether the policy is a standalone policy without inheritance, a parent policy, or a child policy. You define access to policies using the New Role Type properties screen.
- ClickAdd. The New Role Type properties screen opens.
- Select Web Application Security (ASM) as the service. Those object types are displayed.
- SelectPolicies: Web Application Securityas the object type, and clickAdd Selected.
- To define access to standalone policies that do not use inheritance, select from the permissions without the Child or Parent prefix: Read, Add, Edit, or Delete.
- To define access to only child policies, select permissions with the Child prefix: Child Create, Child Delete, or Child Edit.
- To define access to only parent policies, select permissions with the Parent prefix: Parent Create, Parent Delete, or Parent Edit.
If you assign general permissions (Read, Add, Edit, or Delete) to a child or parent policy, you are assigning access to both parent and child policies. For example, assigning the Delete permission to a role allows that role to delete standalone policies, parent policies, and child policies. But, assigning the Child Delete permission to a role allows that role to delete only child policies, and not parent or standalone policies.
Regardless of the type of policy, you should always allow users Read access to the policy.
Create new Web Application Security policies
You can use BIG-IQ Web Application Security to add new application security policies for later deployment over your managed BIG-IP devices. The following is a basic overview for policy creation using BIG-IQ. For full policy configuration details see
Configuring Web Application Security policies.
- Go to.
- In the Policies screen, clickAddto display a screen for creating a new policy.The newly-created policy contains only the editable configuration (the configuration deployed to the BIG-IP device). Hidden values ca be views on the managed BIG-IP device, which acquires the configuration default values.
- Specify the following required information for the new Web Application Security policy:
- Type theName(required) of the security policy.
- Specify thePartitionto which the security policy belongs.Only users with access to a partition can view the objects that it contains. If the security policy resides in theCommonpartition, all users can access it.
- ForPolicy type, select whether you want to designate this as aParent PolicyorSecurity Policy(default). SeePolicy structure and Inheritancefor more information.
- ForPolicy Templateselect a template that suits your system's needs.The default template isRapid Deployment Policy, which meets the protection requirements for most applications. For more information about policy templates and their affected settings, seeGeneric Policy Templates.Once you save this policy, you cannot change this setting. You can, however, manually change template settings throughout the policy.
- ForApplication Language, you can change the template's default coding language, which determines how the security policy processes the character sets.The default language encoding determines the default character sets for URLs, parameter names, and parameter values.Once you save this policy, you cannot change this setting.
- to change the template'sEnforcement Mode, specify whether the protection is blocking is active (Blocking) or inactive (Transparent) for the security policy.You can enable or disable blocking for individual violations in the subsequent tables of settings and properties. Iftransparentappears, blocking is disabled for the security policy. This disables blocking for all options, and the check boxes to enable blocking are unavailable.
- When you are finished editing the properties, clickSave.This makes the remaining policy objects available for editing.
- In the Policy objects list on the left, click the next object to edit, and then click theEditbutton.For theAttack Signatures Listobject only, click theAttack Signatures Listobject, then in the Name column, click the signature name you want to edit, then clickEdit.
- ClickSaveto save the modifications to each policy object before moving to another one.
- ClickSavewhen you are finished editing.
The newly-created policy is added to the list of application security policies, and the new policy object exists in the working configuration of the BIG-IQ system. At this point, you can add it to any virtual server object in Web Application Security.
Ensure that your policy configuration includes features that support the BIG-IP device version over which it is deployed.
Export application security policies
You can use Web Application Security to export security policies. You can use the exported security policy as backup, or you can import it onto another system.
- Navigate to the Policies screen: click.
- Select the check box to the left of the security policy you want to export.TheExportbutton becomes active.
- Click theExportbutton to show a list, and select the BIG-IP version to use when exporting this security policy.
The policy is exported.
You can use the exported security policy as a backup, or you can import it onto another system. Note that the exported security policy includes any user-defined signature sets that are in the policy, but not the user-defined signatures themselves.
Removing security policies
BIG-IQ Web Application Security provides a way to remove ASM™ application security policies from the BIG-IQ database.
- Log in to BIG-IQ Security with Administrator, Security Manager, or Web Application Security Manager credentials.
- Navigate to the Policies screen: click.
- Select the check box to the left of the security policy you want to remove.TheRemovebutton becomes active.
- Click theRemovebutton.
- In the Remove Policies dialog box, confirm the removal by clickingRemove.
The application security policy is removed from the BIG-IQ system, and can be managed locally.