Applies To:
Show VersionsBIG-IP ASM
- 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
Types of security policies
You can create several types of security policies. It is a good idea to understand your options before you begin.
Security policy type | Description |
---|---|
Automatic security policy | Create a security policy for a web application by having the system examine traffic and create the policy based on statistical analysis of the traffic and the intended behavior of the application. The system stabilizes and enforces the security policy when it processes sufficient traffic over a period of time. You have the option of modifying the policy manually, as well, to speed up policy creation. |
Manual security policy | Use rapid deployment or an application-ready security policy (pre-configured template) to develop a security policy so you can develop a policy manually. The system creates a basic security policy that you can review and fine-tune. When the security policy includes all the protections that you need, and does not produce any false positives, you can enforce the security policy. |
Security policy integrated with vulnerability assessment tool | Create a security policy based on integrating the output from a vulnerability assessment tool, such as WhiteHat Sentinel, IBM® AppScan®, Trustwave® App Scanner (Cenzic), Qualys®, Quotium Seeker®, HP WebInspect, or a generic scanner if using another tool. Based on the results from an imported vulnerability report, Application Security Manager™ creates a policy that automatically mitigates the vulnerabilities on your web site. You can also review and fine-tune the policy. When the security policy includes all the protections that you need and does not produce any false positives, you can enforce the security policy. |
Parent security policy | Create a security policy that can form the basis of other related security policies. This is useful if you have several similar applications for which you want to create security policies. Selected settings in the parent policy are inherited by child policies that you create. By adjusting the parent policy, the child policies are changed as well. |
Child security policy | Create a security policy that is based on a parent security policy. When you create a child policy, the values for the settings are inherited from the parent. You can edit some of the settings and others can only be changed in the parent policy. |
Template security policy | Use a template to populate the attributes of a new policy. The template is only used when creating the policy - a security policy is always created based on a user-defined or system-supplied template. Unlike parent policies, the templates do not affect the policy after it is created. If you modify a template, policies created from them in the past are not affected. |
Preparing to create a security policy
Before you create and deploy a security policy, you should have an understanding of the application you are trying to protect and why you are trying to protect it. By defining your security problem, you will have an easier time creating and enforcing your security policy.
Some of the questions you might consider before you start are:
- How strict a policy do you want to create? Fundamental or comprehensive?
- How many applications do you want ASM to protect? If protecting multiple applications, how similar are they?
- Do you want to develop one policy for multiple applications, or are the applications different enough that you want to create separate policies for them?
- Are there a basic set of features that you want to control from a parent policy? Multiple policies can inherit settings from a parent policy.
- How much traffic and what types of traffic do the applications handle? HTTP, HTTPS, or both?
- Do the applications have lots of parameters and URLs associated with them? Or are they simple?
A strict, application-specific security policy can potentially take more time and effort to maintain, especially in light of application changes. A generic policy requires less maintenance, even when applied to multiple applications. Some situations will require more extensive tuning of the security policy while in other cases a simple policy will provide effective protection from attacks.
Overview: Creating a simple security policy
You can use the Application Security Manager™ (ASM) to help you build a security policy that is tailored to your environment. ASM can build a policy automatically, or you can do it manually. The policy building tool is called the Real Traffic Policy Builder® (referred to simply as the Policy Builder). The Policy Builder adds suggestions for strengthening a security policy based on settings that you configure, and the characteristics of the traffic going to and from the web application that the system is protecting. If using automatic learning, the system implements the learning suggestions and automatically builds the policy when sufficient traffic and time has passed. If using manual learning, you can review the suggestions and develop the policy adding the policy elements and features you want.
Here we take you through the steps of creating a simple security policy to introduce you to ASM.
Task summary
Creating a simple security policy
The system examines the traffic to the web application making suggestions for more specifically building the security policy. The Policy Builder selectively learns new entities like file types, parameters, and cookies used in requests to the application. When ASM processes sufficient traffic, it automatically adds the entities to the security policy, and enforces them.
The system applies a basic set of attack signatures to the security policy and puts them in staging (by default, for 7 days). If you specified server technologies, additional attack signatures are included. ASM reports common attacks discovered by comparison to the signatures but does not block these attacks until the staging period is over and they are enforced. That gives you a chance to be sure that these are actual attacks and not legitimate requests.
How the security policy is built
When you create a security policy, you have a basic security policy that immediately starts to protect your web application. The Real Traffic Policy Builder® starts examining the application traffic, and fine-tunes the security policy using the guidelines you configured.
The Policy Builder builds the security policy as follows:
- Adds policy elements and updates their attributes when ASM sees enough traffic from various users
- Examines application content and creates XML or JSON profiles as needed (if the policy includes JSON/XML payload detection)
- Configures attack signatures in the security policy
- Stabilizes the security policy when sufficient sessions over a period of time include the same elements
- Includes new elements if the site changes
The Policy Builder automatically discovers and populates the security policy with the policy elements (such as file types, URLs, parameters, and cookies). On the Traffic Learning screen, you can monitor general policy building progress, review learning suggestions and deal with those you must handle manually, and see the number of elements that have been included in the policy.
Automatic policy building characteristics
If you create a security policy with the Learning Mode set to Automatic, the Real Traffic Policy Builder® does automatic policy building. This is how it works:
- The security policy starts out loose, allowing most traffic, then the Policy Builder adds policy elements based on evaluating the traffic.
- By examining the traffic, the Policy Builder makes learning suggestions that you can review on the Traffic Learning screen to see the suggested additions to the security policy. You can select and examine each suggestion if you want to learn more about it. If using automatic policy building, you can still change the policy manually, or leave it up to the system to make the changes.
- The system sets the enforcement mode of the security policy to Blocking. Traffic with obvious violations is blocked right away.
- The system holds attack signatures in staging for 7 days (by default, you can adjust the length of staging): the system checks, but does not block traffic during the staging period. If a request causes an attack signature violation, the system disables the attack signature for the particular element (parameter, JSON or XML profile, or security policy). After the staging period is over, the Policy Builder removes attack signatures from staging if enough traffic from different sessions and different IP addresses was processed. The security policy enforces the enabled signatures and blocks traffic that causes a signature violation.
- The system enforces elements in the security policy when it has processed sufficient traffic and sessions over enough time, from different IP addresses, to determine the legitimacy of the file types, URLs, parameters, cookies, methods, and so on.
- After a while, the security policy stabilizes.
- If the web site for the application changes, the Policy Builder initially loosens the security policy then adds policy elements to the security policy, updates the attributes of policy elements, puts the added elements in staging, and enforces the new elements when traffic and time thresholds are met.
This is generally how the system automatically builds security policies. You can always control the way the security policy works by making changes manually and configuring additional layers of security based on the unique needs of your environment. Also, you have the option of changing the learning mode to Manual.
Reviewing learning suggestions
After you create a security policy and begin sending traffic to the application, the system provides learning suggestions concerning additions to the security policy based on the traffic it sees. For example, you can have users or testers browse the web application. By analyzing the traffic to and from the application, Application Security Manager™ generates learning suggestions or ways to fine-tune the security policy to better suit the traffic and secure the application.
Learning suggestions you must handle manually
Some learning suggestions must be resolved manually even if you are using the Automatic Learning Mode to create a security policy. Suggestions typically require manual intervention if they may have a large impact on the policy or involve changing an attribute that was manually and deliberately set in the policy, such as a disallowed geolocation or a session ID in a URL. In these cases, the system does not change the policy unless you accept the suggestion manually.
You can easily see the suggestions that you need to resolve manually because they are marked with an icon on the Traffic Learning screen as shown in the figure. You can also use the advanced filter to view the suggestions the have Learning Mode set to Manual, and this would list the suggestions you need to resolve.
Suggestions that must be resolved manually
If you are using the Manual Learning Mode, you must resolve all of the suggestions manually.
Reviewing outstanding security policy tasks
About additional application security protections
The Application Security Manager™ provides additional security protections for a security policy. Some of these protections are automatically enabled depending on the type of security policy you create.
Feature | Description and Location |
---|---|
DoS attack prevention | Prevents Denial of Service (DoS) attacks based on latency and/or transaction rates (also using behavioral analysis, geolocation, CAPTCHA challenge, heavy URL detection, proactive web scraping detection, and blacklisting). Click | . You create a DoS profile with Application Security enabled to configure Layer 7 DoS protection.
Brute force prevention | Stops attempts to break in to secured areas of a web application by trying exhaustive, systematic, login combinations. Click | .
IP Intelligence | Logs and blocks attacks from IP addresses that are in the IP Intelligence Database and are considered to have a bad reputation. Click | .
Web scraping detection | Mitigates web scraping (web data extraction) on web sites by attempting to determine whether a web client source is human. Click | .
Geolocation enforcement | Lets you specify countries from which users can and cannot access the web application. To set geolocation restrictions, click | .
CSRF protection | Prevents cross-site request forgery (CSRF) where a user is forced to perform unwanted actions on a web application where the user is currently authenticated. Click | .
Sensitive data masking | Protects sensitive data in responses such as a credit card number, U.S. Social Security number, or custom pattern. Click Mask Credit Card Numbers in Request Log option in the policy properties. | . Create sensitive parameters if needed (they are also masked); click . As an additional protection, set the
Anti-virus protection | Configures the system as an Internet Content Adaptation Protocol (ICAP) client so that an external ICAP server can inspect HTTP file uploads for viruses before releasing the content to the web server. To set up the ICAP server, click | .