Applies To:
Show VersionsBIG-IP ASM
- 13.0.0
About security policy blocking
You can configure how Application Security Manager™ handles requests that violate the security policy in several ways.
Method | Description |
---|---|
Blocking actions | Blocking actions for each of the security policy violations, along with the enforcement mode, determine the action that will be taken when the violation occurs. If a violation set to alarm or block occurs on an entity that is in staging, it is not enforced. |
Evasion techniques | Sophisticated hackers have figured out coding methods that normal attack signatures do not detect. These methods are known as evasion techniques. You can choose which evasion techniques you want Application Security Manager to identify, and configure blocking actions that occur if any of the selected techniques is detected. |
HTTP Protocol Compliance | The system performs validation checks on HTTP requests to ensure that the requests are formatted properly. You can configure which validation checks are enforced by the security policy. |
Web Services Security | You can configure which web services security errors must occur for the system to learn, log, or block requests that trigger the errors. |
Response pages | When the enforcement mode of the security policy is blocking, and a request (or response) triggers a violation for which the Block action is enabled, the system returns the response page to the client. If you configure login pages, you can also configure a response page for blocked access. |
Changing security policy enforcement
When the enforcement mode is set to transparent, traffic is not blocked even if a violation is triggered. The system typically logs the violation event (if the Learn flag is set on the violation). You can use this mode along with an enforcement readiness period when you first put a security policy into effect to make sure that no false positives occur that would stop legitimate traffic.
When the enforcement mode is set to blocking, traffic is blocked if it causes a violation (that is configured for blocking), and the enforcement readiness period is over. You can use this mode when you are ready to enforce a security policy.
Configuring blocking actions for violations
Configuring HTTP protocol compliance validation
If the HTTP protocol compliance failed violation is set to Learn, Alarm, or Block, the system performs the protocol compliance checks. If the Enforcement Mode is set to Blocking and the violation is set to block, the system blocks requests that are not compliant with the selected HTTP protocol validations.
If a request is too long and causes the Request length exceeds defined buffer size violation, the system stops validating protocol compliance for that request.
Configuring blocking actions for evasion techniques
Configuring blocking actions for web services security
- If configured to Learn or Alarm when the violation occurs, the system does not encrypt or decrypt the SOAP message, and sends the original document to the web service.
- If configured to Block when the violation occurs, the system blocks the traffic and prevents the document from reaching its intended destination. The system sends a blocking response page. If the XML profile associated with the policy is configured to use an XML blocking response page, it uses the XML response. Otherwise, it uses the default response page.
- If a web services security violation occurs on an entity in staging, for example, a URL in staging associated with an XML profile, the violation (set to alarm or block) is not enforced.