Manual Chapter : Overview: Web Application Security in BIG-IQ

Applies To:


BIG-IQ Centralized Management

  • 8.3.0, 8.2.0, 8.1.0

Managing Web Application Security

You can manage and fine-tune application security policies whether they were imported from managed BIG-IP devices or created directly in BIG-IQ Web Application Security. With centralized management you maintain all of your enterprise's policies in one place, regardless of which BIG-IP devices they are deployed to.
Web Application Security imports BIG-IP Application Security Manager (ASM) application security policies from discovered BIG-IP devices, or from exported XML files stored locally. Once imported, policies are listed on the Web Application Security Policies screen (Configuration > SECURITY > Web Application Security > Policies). Each security policy is assigned a unique identifier that it carries across the enterprise, so a policy appears only once on the Policies screen no matter how many devices it protects. In the Web Application Security repository, policies are stored in XML format.
For application-level Denial of Service (DoS) attack protection, configuration, and management, see Managing DDoS Attacks using BIG-IQ on support.f5.com.

Importing Web Application Security policies from BIG-IP

When you discover a BIG-IP device and import its services into BIG-IQ, all of its application security policies are imported as well. For more information about discovering or re-discovering devices, see Managing BIG-IP devices from BIG-IQ on support.f5.com.

Policy compatibility with managed BIG-IP systems

ASM policies on managed BIG-IP systems must be compatible with your current version of BIG-IQ. Importing a policy from, or exporting a policy to, a BIG-IP system whose version is not supported can result in unexpected policy behavior, including failed imports or exports and missing parameters.
For the BIG-IP versions supported by your current BIG-IQ system, see K34133507.

About subcollections in policies

In BIG-IP, subcollections are groups of like objects that you configure within a policy. In BIG-IQ, subcollections are managed and configured within the policy itself, but not all of them are visible in the Web Application Security policy editor: most subcollections can be imported from a BIG-IP device and deployed back to it, while managing some of them through the BIG-IQ interface is not yet supported.
You cannot manage wildcard ordering for subcollections using the BIG-IQ Centralized Management user interface.

Import application security policies from locally saved file

Before you import a security policy from another system, make sure that the attack signatures and user-defined signatures are the same on both systems, and that you have access to the exported policy file.
An imported policy that has the same name as an existing policy overwrites the existing policy. Give the import a different name if you do not want the existing policy to be overwritten.
You can use Web Application Security to import security policies that were previously exported and saved locally in XML format, or to replace an existing policy of the same name.
  1. Go to the Policies screen: Configuration > SECURITY > Web Application Security > Policies.
  2. On the Policies screen, click the Import button.
  3. Import a security policy file by clicking Choose File... and navigating to the file location, or drag and drop a file directly onto the Drop Policy File Here area.
    If the .xml file is designated as a child policy, the Retain the Inheritance Settings and Parent Policies fields appear. If the parent policy is not configured on BIG-IQ, you cannot import the policy.
  4. For child policies with a parent policy:
    1. Select a parent policy from the Parent Policies field (required).
      By default, the parent policy named in the imported file is selected. If that parent policy is not configured, you must select another option. If you select None, the imported policy loses its child status.
    2. To import the policy with the optional inheritance settings recorded in the file, set Retain the Inheritance Settings to Enabled.
      By default this option is disabled, which means the imported policy accepts all optional inheritance settings from the selected parent policy. If enabled, the imported policy retains the optional inheritance settings in the .xml file, regardless of the selected parent policy.
  5. Enter a policy name for the imported policy (optional).
  6. Click Import.
After you have imported the policy, the system lists it on the Policies screen. The imported policy has the same name as the .xml file unless you provided a new policy name.
If you replaced an existing policy, the imported security policy completely overwrites it, and the imported policy is attached to the virtual server and local traffic policy that were associated with the overwritten policy.

Export application security policies

You can use Web Application Security to export security policies, either as a backup or to import them onto another system.
  1. Navigate to the Policies screen: click Configuration > SECURITY > Web Application Security > Policies.
  2. Select the check box to the left of the security policy you want to export.
    The Export button becomes active.
  3. Click the Export button to show a list, and select the BIG-IP version to use when exporting this security policy.
The policy is exported.
Note that the exported security policy includes any user-defined signature sets that are in the policy, but not the user-defined signatures themselves. The system you import it onto must already have those signatures, as stated in the import preconditions above.
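The import preconditions above (matching signatures on both systems, same-name overwrite, a parent that must already exist) and the export caveat about user-defined signatures are worth checking before you click Import. The following Python script is an added example, not BIG-IQ or F5 code: it reads an exported policy file and reports what would be overwritten, what would block the import, and which signature sets the target lacks. The XML element and attribute names it looks for, the sample file, and the target inventory are constructed assumptions for illustration; compare them with a real export from your own version.

```python
"""Pre-import checks for an exported ASM policy XML file.

Added illustration, not BIG-IQ's own code. The element and attribute
names it looks for (<policy name=...>, <inheritance>/<parent_policy
name=...>, <signature_set name=...>) are assumptions made for the
example; check them against a real export from your BIG-IP/BIG-IQ version.
"""
import xml.etree.ElementTree as ET

# Constructed sample export, not a real policy file.
SAMPLE_POLICY_XML = """<?xml version="1.0" encoding="utf-8"?>
<policy name="/Common/shop_child" bigip_version="16.1.0">
  <inheritance>
    <parent_policy name="/Common/corp_parent"/>
  </inheritance>
  <attack_signatures>
    <signature_set name="Generic Detection Signatures" block="true"/>
    <signature_set name="shop_custom_set" block="true"/>
  </attack_signatures>
</policy>
"""

# Constructed view of what the target BIG-IQ already has.
TARGET_INVENTORY = {
    "policies": {"/Common/shop_child", "/Common/other"},
    "parent_policies": set(),                      # corp_parent is not configured
    "signature_sets": {"Generic Detection Signatures"},
}


def parse_policy(xml_text):
    """Pull the facts the import dialog cares about out of the export."""
    # For files from an untrusted source, parse with defusedxml instead.
    root = ET.fromstring(xml_text)
    if root.tag != "policy":
        raise ValueError("root element is not <policy>")
    parent = root.find("./inheritance/parent_policy")
    return {
        "name": root.get("name"),
        "parent": parent.get("name") if parent is not None else None,
        "signature_sets": sorted(
            {e.get("name") for e in root.iter("signature_set") if e.get("name")}
        ),
    }


def preimport_report(xml_text, inventory, new_name=None):
    """Return (parsed policy, findings); each finding is (severity, message).

    'block' findings are imports BIG-IQ rejects (parent not configured);
    'warn' findings are silent overwrites or signature sets the target lacks.
    """
    info = parse_policy(xml_text)
    target_name = new_name or info["name"]      # the optional new name wins
    findings = []
    if target_name in inventory["policies"]:
        findings.append(("warn", f"'{target_name}' already exists and would be overwritten"))
    if info["parent"] is not None and info["parent"] not in inventory["parent_policies"]:
        findings.append(("block", f"parent policy '{info['parent']}' is not configured; import would fail"))
    for name in info["signature_sets"]:
        if name not in inventory["signature_sets"]:
            findings.append(("warn", f"signature set '{name}' is missing on the target; "
                                     "user-defined signatures do not travel with the export"))
    return info, findings


if __name__ == "__main__":
    info, findings = preimport_report(SAMPLE_POLICY_XML, TARGET_INVENTORY)
    print(f"policy {info['name']} (parent: {info['parent']})")
    for severity, message in findings:
        print(f"[{severity}] {message}")
```

Passing `new_name` models the optional policy name in step 5 of the import procedure: renaming avoids the overwrite finding but does nothing about a missing parent or missing signature sets.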

Policy structure and inheritance

You can use Web Application Security to create and manage two layers of security policies: parent policies and child policies. Parent policies include mandatory policy elements, and child policies inherit those attributes from the parent. When the parent policy is updated, the associated child policies are updated automatically.
With parent policies you can:
  • Create and maintain common elements and settings.
  • Impose mandatory elements on child policies.
  • Push a change to multiple child policies.
You can specify which parts of the security policy must be inherited, which are optional, and which are not inherited. This keeps child policies synchronized with changes to the mandatory parts of the parent policy while still allowing each child policy to address its own requirements.
You establish the parent and child policy relationship as follows:
  1. Identify the current policy as a parent policy.
    Navigate to Configuration > SECURITY > Web Application Security > Policies, click the policy to edit, and click POLICY PROPERTIES > General Properties. On the General Properties screen, set the Policy Type to Parent Policy.
  2. Set a policy to be the child policy of the parent policy.
    Navigate to Configuration > SECURITY > Web Application Security > Policies, click the policy that is to become a child policy, and click POLICY PROPERTIES > Inheritance Settings. On the Inheritance Settings screen, select the parent policy name in the Parent Policy setting.
  3. Click Save to save this policy as a child policy and display the inheritance properties.
  4. Continue to use the Inheritance Settings screen to accept or decline what is to be inherited from the parent policy.
By default, the Parent Policy field is set to None, and no layered policies (child or parent) are in use.
Refer to the BIG-IP Application Security Manager: Getting Started guide for additional information on using parent and child layered policies.
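To make the inheritance rules above concrete, here is an added Python model, not BIG-IQ's implementation, of how a child's effective settings are resolved from a parent whose sections are mandatory, optional, or not inherited, and of how the Parent Policies and Retain the Inheritance Settings choices in the import procedure earlier in this chapter change that result. Section names, values, and the data shapes are constructed for the example.

```python
"""Model of parent/child policy inheritance as this chapter describes it.

Added illustration only, not BIG-IQ code. Section names, values and
data shapes are constructed for the example.
"""
MANDATORY, OPTIONAL, NOT_INHERITED = "mandatory", "optional", "not_inherited"

# Constructed parent: its settings plus, per section, how children inherit it.
CORP_PARENT = {
    "name": "/Common/corp_parent",
    "settings": {
        "enforcement_mode": "blocking",
        "signature_sets": ["Generic Detection Signatures", "SQL Injection Signatures"],
        "allowed_methods": ["GET", "POST"],
        "max_url_length": 2048,
    },
    "inheritance": {
        "enforcement_mode": MANDATORY,      # child cannot weaken this
        "signature_sets": MANDATORY,
        "allowed_methods": OPTIONAL,        # child may accept or decline
        "max_url_length": NOT_INHERITED,    # child always uses its own value
    },
}

# Constructed child: its own settings plus which optional sections it accepts
# (the accept/decline choices made on the Inheritance Settings screen).
SHOP_CHILD = {
    "name": "/Common/shop_child",
    "parent": "/Common/corp_parent",
    "settings": {
        "enforcement_mode": "transparent",  # overridden: parent makes it mandatory
        "allowed_methods": ["GET", "POST", "PUT"],
        "max_url_length": 8192,
    },
    "accept_optional": {"allowed_methods": False},
}


def effective_settings(parent, child):
    """Resolve what is actually deployed for the child."""
    result = dict(child["settings"])
    if child.get("parent") != parent["name"]:
        return result                       # standalone policy: nothing inherited
    accepted = child.get("accept_optional", {})
    for section, mode in parent["inheritance"].items():
        if mode == MANDATORY:
            result[section] = parent["settings"][section]
        elif mode == OPTIONAL and accepted.get(section, True):
            result[section] = parent["settings"][section]
        # NOT_INHERITED: the child keeps whatever it has for that section
    return result


def import_child(file_policy, selected_parent, retain_inheritance_settings):
    """Apply the import dialog's choices to a policy file designated as a child."""
    policy = dict(file_policy)              # shallow copy; the file is untouched
    if selected_parent is None:
        # Selecting None removes child status: the policy becomes standalone.
        policy.pop("parent", None)
        policy["accept_optional"] = {}
        return policy
    policy["parent"] = selected_parent["name"]
    if not retain_inheritance_settings:
        # Default (disabled): accept every optional section of the selected parent.
        policy["accept_optional"] = {
            s: True for s, m in selected_parent["inheritance"].items() if m == OPTIONAL
        }
    # Enabled: keep the accept/decline choices recorded in the file.
    return policy


if __name__ == "__main__":
    print("as configured:", effective_settings(CORP_PARENT, SHOP_CHILD))
    reimported = import_child(SHOP_CHILD, CORP_PARENT, retain_inheritance_settings=False)
    print("re-imported with Retain disabled:", effective_settings(CORP_PARENT, reimported))
```

The point the model makes visible: re-importing a child with Retain the Inheritance Settings left disabled silently re-accepts every optional section, so a method list the child had deliberately declined reverts to the parent's. A mandatory section such as the enforcement mode is applied regardless of what the child file says, which is what makes parent policies a useful place to pin settings that individual teams must not weaken.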

Establish a parent and child policy relationship

Configure policies with a parent or child status, and establish the parent-child relationship so that child policies inherit attributes from the parent.
You can only create a parent policy from a new policy, because the Policy Type cannot be changed once the policy has been saved.
  1. Go to Configuration > SECURITY > Web Application Security > Policies.
  2. Select the name of the policy you want to designate as a parent policy.
    The screen displays the policy's General Properties.
    1. For a parent policy, select Parent Policy. With this option selected you can configure inheritance settings for child policies.
    2. For a child or unaffiliated policy, select Security Policy.
  3. From the menu on the left, click Inheritance Settings.
  4. From the Parent Policy field, select the name of a parent policy.
  5. Click Save & Close.
You have now established the policy's inheritance status and the child policy relationship. Child policies automatically receive the inheritance settings provided by the parent policy.
Modify the default parent policy inheritance settings and policy configuration as required.

Determining access permissions for child and parent policies

When adding or modifying the role type permissions associated with a Web Application Security policy, you need to be aware of whether the policy is a standalone policy without inheritance, a parent policy, or a child policy. You define access to policies on the New Role Type properties screen.
  1. Click System > ROLE MANAGEMENT > Custom Role Types.
  2. Click Add. The New Role Type properties screen opens.
  3. Select Web Application Security (ASM) as the service. The object types for that service are displayed.
  4. Select Policies: Web Application Security as the object type, and click Add Selected.
  • To define access to standalone policies that do not use inheritance, select from the permissions without the Child or Parent prefix: Read, Add, Edit, or Delete.
  • To define access to only child policies, select permissions with the Child prefix: Child Create, Child Delete, or Child Edit.
  • To define access to only parent policies, select permissions with the Parent prefix: Parent Create, Parent Delete, or Parent Edit.
The general permissions (Read, Add, Edit, or Delete) apply to standalone, parent, and child policies alike. For example, assigning the Delete permission to a role allows that role to delete standalone policies, parent policies, and child policies, whereas assigning the Child Delete permission allows the role to delete only child policies, not parent or standalone policies. To keep roles to least privilege, use the prefixed permissions for roles that only need to work on child or parent policies.
Regardless of the type of policy, you should always allow users Read access to the policy.
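Because an unprefixed permission reaches all three policy types while a prefixed one reaches only its own type, it is easy to grant more than intended. The following Python snippet is an added example, not BIG-IQ code: it evaluates whether a role may act on a given policy type under the rules above, flags write permissions granted without Read, and derives the narrowest permission set for a list of needs. The role contents are constructed.

```python
"""Permission resolution for Web Application Security policies, as described above.

Added illustration, not BIG-IQ code. Permission names are the ones listed in
this section; the roles and needs used below are constructed.
"""
STANDALONE, PARENT, CHILD = "standalone", "parent", "child"
GENERAL = {"Read", "Add", "Edit", "Delete"}
PREFIXED = {"Parent Create", "Parent Edit", "Parent Delete",
            "Child Create", "Child Edit", "Child Delete"}
WRITE_ACTIONS = ("Add", "Edit", "Delete")


def _prefixed(policy_type, action):
    """'child' + 'Add' -> 'Child Create'; the prefixed form of Add is Create."""
    return f"{policy_type.capitalize()} {'Create' if action == 'Add' else action}"


def is_allowed(role_permissions, policy_type, action):
    """True if the role may perform action (Read/Add/Edit/Delete) on policy_type."""
    unknown = set(role_permissions) - GENERAL - PREFIXED
    if unknown:
        raise ValueError(f"unknown permissions: {sorted(unknown)}")
    if action in role_permissions:          # general permission covers every type
        return True
    if policy_type == STANDALONE:           # only general permissions reach standalone
        return False
    return _prefixed(policy_type, action) in role_permissions


def role_lint(role_permissions):
    """Flag a role that can write policies it cannot read."""
    issues = []
    if "Read" not in role_permissions and any(
        p in role_permissions for p in (set(WRITE_ACTIONS) | PREFIXED)
    ):
        issues.append("write permission granted without Read")
    return issues


def least_privilege_role(needs):
    """Smallest permission set covering (policy_type, action) pairs, Read included."""
    perms = {"Read"}
    for policy_type, action in needs:
        if action == "Read":
            continue
        perms.add(action if policy_type == STANDALONE else _prefixed(policy_type, action))
    # A general permission already implies both prefixed forms of the same action.
    for action in WRITE_ACTIONS:
        if action in perms:
            perms -= {_prefixed(PARENT, action), _prefixed(CHILD, action)}
    return perms


if __name__ == "__main__":
    child_editor = {"Read", "Child Edit", "Child Create"}
    for ptype in (STANDALONE, PARENT, CHILD):
        print(ptype, "edit:", is_allowed(child_editor, ptype, "Edit"))
    print(least_privilege_role([(STANDALONE, "Edit"), (CHILD, "Edit")]))
```

The second derived role shows the trap: once a team needs to edit standalone policies, the general Edit permission is unavoidable and it brings parent and child editing with it, so parent policies are better protected by keeping standalone editing out of that role altogether.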

Create new Web Application Security policies

You can use BIG-IQ Web Application Security to add new application security policies for later deployment to your managed BIG-IP devices. The following is a basic overview of policy creation using BIG-IQ. For full policy configuration details, see Editing Web Application Security policies.
  1. Go to Configuration > SECURITY > Web Application Security > Policies.
  2. On the Policies screen, click Add to display a screen for creating a new policy.
    The newly created policy contains only the editable configuration (the configuration deployed to the BIG-IP device). Hidden values can be viewed on the managed BIG-IP device, which supplies the configuration default values.
  3. Specify the following required information for the new Web Application Security policy:
    1. Type the Name (required) of the security policy.
    2. Specify the Partition to which the security policy belongs.
      Only users with access to a partition can view the objects that it contains. If the security policy resides in the Common partition, all users can access it.
    3. For Policy type, select whether you want to designate this as a Parent Policy or a Security Policy (default). See Policy structure and inheritance for more information.
      Once you save this policy, you cannot change this setting.
    4. For Policy Template, select a template that suits your system's needs.
      The default template is Rapid Deployment Policy, which meets the protection requirements for most applications. For more information about policy templates and the settings they affect, see Generic Policy Templates.
      Once you save this policy, you cannot change this setting. You can, however, manually change template settings throughout the policy.
  4. For Application Language, you can change the template's default language encoding, which determines how the security policy processes character sets.
    The language encoding determines the default character sets for URLs, parameter names, and parameter values.
    Once you save this policy, you cannot change this setting.
  5. To change the template's Enforcement Mode, specify whether blocking is active (Blocking) or inactive (Transparent) for the security policy.
    You can enable or disable blocking for individual violations in the subsequent tables of settings and properties. If the mode is Transparent, blocking is disabled for the whole security policy: no option blocks, and the check boxes that enable blocking are unavailable.
  6. When you are finished editing the properties, click Save.
    This makes the remaining policy objects available for editing.
  7. In the Policy objects list on the left, click the next object to edit, and then click the Edit button.
    For the Attack Signatures List object only, click the Attack Signatures List object, then in the Name column click the signature name you want to edit, then click Edit.
  8. Click Save to save the modifications to each policy object before moving to another one.
  9. Click Save & Close when you are finished editing.
The newly created policy is added to the list of application security policies, and the new policy object exists in the working configuration of the BIG-IQ system. At this point, you can attach it to any virtual server object in Web Application Security.
Ensure that your policy configuration uses only features supported by the BIG-IP version of the device to which it is deployed.
Once you have completed the mandatory settings, you can fine-tune the policy to meet your protection needs. See Editing Web Application Security Policies for more information.

Removing security policies

BIG-IQ Web Application Security provides a way to remove ASM application security policies from the BIG-IQ database.
  1. Log in to BIG-IQ with Administrator, Security Manager, or Web Application Security Manager credentials.
  2. Navigate to the Policies screen: click Configuration > SECURITY > Web Application Security > Policies.
  3. Select the check box to the left of the security policy you want to remove.
    The Remove button becomes active.
  4. Click the Remove button.
  5. In the Remove Policies dialog box, confirm the removal by clicking Remove.
The application security policy is removed from the BIG-IQ database only. It remains on the BIG-IP devices it was deployed to, where it can be managed locally, and it is no longer centrally managed until the device is re-discovered and the policy imported again.