Manual Chapter : Creating Parent and Child Security Policies

Applies To:

BIG-IP ASM

  • 13.0.1, 13.0.0

Overview: Creating parent and child security policies

You can use Application Security Manager™ (ASM) to create two layers of security policies: parent policies and child policies. Parent policies include mandatory policy elements, and child policies inherit those attributes from the parent. When the parent policy is updated, its child policies are automatically updated.

Parent policies let you

  • Create and maintain common elements and settings
  • Impose mandatory elements on child policies
  • Push a change to multiple child policies

You can specify which parts of the security policy must be inherited, which are optional, and which are not inherited. This way, you can keep child policies in sync with the changes in the global mandatory policies and still allow the child policies to address their own unique requirements. The inheritance follows the sections of the policy in the Learning and Blocking Settings: each part can be inherited or not inherited from the parent.

Creating a parent security policy

Parent security policies include features that you want to apply to multiple child security policies that can inherit those features.
  1. On the Main tab, click Security > Application Security > Security Policies > Policies List .
    The Policies List screen opens.
  2. Click Create New Policy.
    You only see this button when no policy is selected.
  3. In the Policy Name field, type a name for the policy.
  4. For Policy Type, select Parent.
  5. For Policy Template, select the template that you want to use for the parent policy, for example, select Fundamental to create a robust yet compact security policy that is appropriate for most applications.
    To create a stricter policy that enforces many violations, select Comprehensive instead.
  6. In the upper right corner, click Advanced.
  7. To use automatic policy building for this policy and child policies, leave the Learning Mode set to Automatic.
  8. For Application Language, leave the default of Unicode (utf-8) unless all child policies will use a specific language that you can select.
    Important: You cannot change this setting after you have created the security policy.
  9. To enable specific protections that will apply to this policy and its child policies, for Server Technologies, select as many of the technologies as are relevant to the back-end servers.
    The system adds attack signatures specific to the selected technologies.
  10. For Trusted IP Addresses, select which IP addresses to consider safe by all child policies.
    • All: Specifies that the policy trusts all IP addresses. This option is recommended only for traffic in a corporate lab or preproduction environment where all of the traffic is trusted. The policy is created faster when you select this option.
    • Address List: Specifies networks to consider safe. Fill in the IP Address and Netmask fields, then click Add. This option is typically used in a production environment where traffic could come from untrusted sources. The IP Address can be either an IPv4 or an IPv6 address.
    If you leave the trusted IP address list empty, the system treats all traffic as untrusted. In general, it takes more untrusted traffic, from different IP addresses, over a longer period of time to build a security policy.
  11. For the Policy Builder Learning Speed setting, select how fast to generate suggestions for the policy.
    • Slow: Use if your application supports a large number of requests from many sessions; for example, useful for web sites with lots of traffic. Policy Builder requires a large amount of unique traffic samples to make decisions in Automatic Learning Mode, or to reach a high learning score. This option creates the most accurate security policy, but it takes Policy Builder longer to collect the statistics.
    • Medium: Use if your application supports a medium number of requests, or if you are not sure about the amount of traffic on the application web site. This is the default setting.
    • Fast: Use if your application supports a small number of requests from a small number of sessions; for example, useful for web sites with less traffic. Policy Builder requires fewer unique traffic samples to make decisions in Automatic Learning Mode, or to reach a high learning score. However, choosing this option may present a greater chance of adding false entities to the security policy.
    Based on the option you select, the system sets greater or lesser values for the number of different user sessions, the number of different IP addresses, and the length of time before it adds suggestions to the security policy and, if you are using automatic learning, enforces the elements.
  12. For the Signature Staging setting, verify that the default option Enabled is selected.
    New and updated attack signatures remain in staging for 7 days, and are recorded but not enforced (according to the learn, alarm, and block flags in the attack signatures configuration) during that time.
  13. For the Enforcement Readiness Period, retain the default setting of 7 days.
    This is how long entities remain in staging. During this period, you can test the security policy entities for false positives before enforcing them.
    During the enforcement readiness period, the security policy provides learning suggestions when it processes requests that do not meet the security policy, but it does not alert on or block that traffic, even if those requests trigger violations. You can review new entities and decide which are legitimate and include them in the security policy.
  14. If the application is not case-sensitive, disable the Policy is Case Sensitive check box. Otherwise, leave it selected.
    Important: You cannot change this setting after you have created the security policy.
  15. If you do not want the security policy to distinguish between HTTP/WebSocket and HTTPS/WebSocket Secure URLs, for Differentiate between HTTP/WS and HTTPS/WSS URLs, select Disabled.
  16. Click Create Policy to create the security policy.
    The system creates the parent security policy and displays the inheritance settings for each section of the policy (as on the Learning and Blocking Settings screen).
  17. For each of the Inheritance Settings, decide whether you want inheritance to child policies to be Mandatory (child inherits the settings), Optional (the child can decide), or None (no inheritance for this feature). When done, click Save Changes.
You have created a security policy that you can use as a parent policy for multiple child policies. The child policies inherit the settings from this parent policy, and you can change only a subset of the settings in the child policy. Future changes made to the parent policy are passed down to the child policies.

Configuring parent policy settings

After you create a parent security policy, you can review and adjust the policy settings to be sure they include the correct details that you want to use for child policies. Although this task is not required and the default values may suit your needs, it gets you familiar with the settings in the policy. This is the same process to follow if later you need to make changes to the parent policy and how it works.
  1. On the Main tab, click Security > Application Security > Policy Building > Learning and Blocking Settings .
    The Learning and Blocking Settings screen opens.
  2. In the Current edited security policy list near the top of the screen, verify that the policy shown is the parent security policy you want to work on.
  3. On the right side of the Learning and Blocking Settings screen, select Advanced.
    The screen displays the advanced configuration details for the parent security policy.
  4. For each of the settings, on the right you can see whether the setting has Mandatory Inheritance, Optional Inheritance, or No Inheritance.
  5. Expand each of the settings and review the default values for each of the areas. Adjust the values, if necessary. If you change any of the values, click Save, then Apply Policy.
    Tip: Descriptions of the settings are included in the online Help on the Help tab.
  6. On the Main tab, click Security > Application Security > Security Policies > Policies List .
    The Policies List screen opens.
  7. In the Policies List, select the parent policy you previously created.
    The policy summary is displayed on the right.
  8. Click Inheritance Settings.
  9. Review the Inheritance Settings, and make sure that inheritance is set properly for child policies to be Mandatory (child inherits the settings), Optional (the child can decide), or None (no inheritance for this feature). When done, click Save Changes.
You have configured the security policy settings of the parent policy that you can use when creating child security policies. If you already have created child policies, when you save the changes to the parent policy, the changes are automatically made to the child policies.

Creating a child security policy

Child security policies inherit settings from a parent security policy.
  1. On the Main tab, click Security > Application Security > Security Policies > Policies List .
    The Policies List screen opens.
  2. Click Create New Policy.
    You only see this button when no policy is selected.
  3. In the Policy Name field, type a name for the policy.
  4. For Policy Type, select Security.
  5. For Policy Template, select the template to use for the child policy, for example, select Fundamental to create a robust security policy that is appropriate for most applications.
    To create a strict security policy that enforces many violations, select Comprehensive instead.
  6. From the Parent Policy list, select the parent security policy to use for this policy.
  7. For Virtual Server, select an existing virtual server, click Configure new virtual server to specify where to direct application requests, or leave it set to None for now.
    • Existing virtual servers are only listed if they have an HTTP profile, and are not associated with a local traffic policy.
    • To create a new virtual server, specify the protocol, virtual server name, virtual server destination IP address/network and port (IPv4 or IPv6), pool member address and port (address of the back-end application server), and logging profile.
    • If you select None, you will have to manually associate the security policy with a virtual server with an HTTP profile at a later time to activate the policy. (On the Security tab of the virtual server, set Application Security Policy to Enabled, then select the policy.)
  8. In the upper right corner, click Advanced.
    You can use default values for the Advanced settings but it's a good idea to take a look at them.
    • If you selected Fundamental or Comprehensive for the Policy Template, Learning Mode is set to Automatic and Enforcement Mode is set to Blocking.
      Tip: If you need to change these values, set application language to a value other than Auto detect.
    • If you know the Application Language, select it or use Unicode (utf-8).
    • To add specific protections (enforcing additional attack signatures) to the policy, for Server Technologies, select the technologies that apply to the back-end application servers.
    • You can configure trusted IP addresses that you want the security policy to consider safe.
  9. Click Create Policy to create the security policy.
  10. Click Inheritance Settings to see which parts of the policy are inherited from the parent and which can be declined or accepted.
    By default, all settings with optional inheritance are accepted.
  11. You can adjust optional settings from Accepted to Decline. When done, click Save Changes.
ASM™ creates a child security policy that uses the mandatory settings specified in the parent policy. As a result, some of the Learning and Blocking Settings are unavailable in the child policy, and you can only change them in the parent policy.

The security policy immediately starts protecting your application. The enforcement mode of the security policy is set to Blocking. Traffic that is considered to be an attack, such as traffic that is not compliant with the HTTP protocol, has malformed payloads, uses evasion techniques, performs web scraping, or contains sensitive information or illegal values, is blocked. Other potential violations are reported but not blocked.

Tip: This is a good point at which to send some traffic to test that you can access the application being protected by the child security policy and to check that traffic is being processed correctly by the BIG-IP® system. Send the traffic to the virtual server destination address.

If the parent is changed, the child policy is automatically updated with the latest inherited (or accepted) settings.
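The inheritance rules this chapter describes (Mandatory, Optional with Accept/Decline, None, and parent changes pushed down to children), as an added illustrative model; this is not F5's implementation, the section names are taken from the chapter, and the setting values and the accept/decline API are assumptions:

```python
"""Model of parent/child policy inheritance as this chapter describes it.
Added example, not F5's code: three inheritance modes, the child's
Accept/Decline choice for optional sections, and parent changes pushed down."""
from dataclasses import dataclass, field
from enum import Enum


class Inheritance(Enum):
    MANDATORY = "mandatory"  # child always inherits; locked in the child
    OPTIONAL = "optional"    # child accepts (default) or declines
    NONE = "none"            # child keeps its own value


@dataclass
class ParentPolicy:
    settings: dict     # section name -> configured value
    inheritance: dict  # section name -> Inheritance mode


@dataclass
class ChildPolicy:
    own_settings: dict                          # the child's local values
    declined: set = field(default_factory=set)  # optional sections set to Decline


def is_inherited(parent: ParentPolicy, child: ChildPolicy, section: str) -> bool:
    """True when the child must track the parent for this section."""
    mode = parent.inheritance[section]
    return mode is Inheritance.MANDATORY or (
        mode is Inheritance.OPTIONAL and section not in child.declined)


def effective_settings(parent: ParentPolicy, child: ChildPolicy) -> dict:
    """Resolve the values the child policy actually enforces right now."""
    return {s: parent.settings[s] if is_inherited(parent, child, s)
            else child.own_settings[s] for s in parent.inheritance}


def set_child_setting(parent, child, section, value) -> None:
    """Edit a child value; inherited sections are unavailable in the child."""
    if is_inherited(parent, child, section):
        raise PermissionError(f"{section!r} can only be changed in the parent")
    child.own_settings[section] = value


def build_example():
    """Constructed sample policies (section names from the chapter, values made up)."""
    parent = ParentPolicy(
        settings={"Attack Signatures": "staging", "File Types": "learn", "Cookies": "off"},
        inheritance={"Attack Signatures": Inheritance.MANDATORY,
                     "File Types": Inheritance.OPTIONAL, "Cookies": Inheritance.NONE})
    child = ChildPolicy(own_settings={"Attack Signatures": "off",
                                      "File Types": "block", "Cookies": "learn"})
    return parent, child
```

Declining an optional section or editing a parent value and then calling effective_settings again shows which child values change and which stay locked.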

Reviewing learning suggestions for parent and child policies

Before you can see learning suggestions on the system, the application protected by a child policy needs to have had some traffic sent to it.

After you create parent and child policies and begin sending traffic to the application protected by the child policy, the system provides learning suggestions concerning additions to the policies based on the traffic it sees. For example, you can have users or testers browse the web application. By analyzing the traffic to and from the application, Application Security Manager™ generates learning suggestions or ways to fine-tune the parent and child policies to better suit the traffic and secure the application.

Suggestions related to settings that are inherited appear locked in the child policy and can only be accepted in the parent policy.

Note: This task is primarily for building a security policy manually. If you are using the automatic learning mode, this task applies to resolving suggestions that require manual intervention, or for speeding up the enforcement of policy elements.
  1. On the Main tab, click Security > Application Security > Policy Building > Traffic Learning .
    The Traffic Learning screen opens, and lists suggestions based on traffic patterns and violations that the system has detected.
  2. Take a look at the Traffic Learning screen to get familiar with it.
    With no suggestions selected, graphical charts summarize policy activity and you see an enforcement readiness summary on the bottom right.
    Learning suggestions in the parent policy include a number on the right that shows how many of the child policies included that suggestion. A link lets you review the suggestion in the child policy.
  3. Review the learning suggestions as follows.
    1. Select a learning suggestion.
      Information is displayed about the action the system will take if you accept the suggestion, and what caused the suggestion.
    2. You can learn more about the suggestion by looking at the action, the number of samples it is based on, the violations caused and their violation ratings, and if available, by examining samples of the requests that caused the suggestion.
    3. With a request selected on the left, you can view data about the request on the right, including any violations it generated, the contents of the request itself, and the response (if any). Note that some requests may contain violations related to different suggestions.
      By examining the requests that caused a suggestion, you can determine whether it should be accepted.
    4. To add comments about the suggestion and the cause, click the Add Comment icon to the right of the suggestion commands, and type the comments.
  4. Decide how to respond to the suggestions. You can start with the suggestions that have the highest learning scores, or those which you know to be valid for the application. These are the options.
    • Accept Suggestion: The system modifies the policy by taking the suggested action, such as adding an entity that is legitimate.
      Note: For suggestions concerning inherited settings, this option only appears in the parent policy. Suggestions about adding file types, URLs, parameters, cookies, or redirection domains can only be accepted in child policies.
    • Delete Suggestion: The system removes the learning suggestion, but the suggestion reoccurs if new requests cause it. The learning score of the suggestion starts over from zero in that case.
    • Ignore Suggestion: The system does not change the policy and stops showing this suggestion on the Traffic Learning screen now and in the future. You can view ignored suggestions by filtering by Status Ignored.
    Note: If you are working in automatic learning mode, when the learning score reaches 100%, the system accepts most of the suggestions, or you can accept suggestions manually at any time. If you are using manual learning, when the learning score reaches 100% (or before that if you know the suggestions are valid), you need to accept the suggestions manually.

    If you know that a suggestion is valid, you can accept it at any time even before the learning score reaches 100%. The ones that reach 100% have met all the conditions so that they are probably legitimate entities.

  5. To put the security policy changes into effect immediately, click Apply Policy.