Manual Chapter : Protecting Sensitive Data with Data Guard

Applies To:

BIG-IP ASM

  • 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

About protecting sensitive data with Data Guard

In some web applications, a response may contain sensitive user information, such as credit card numbers or social security numbers (U.S. only). The Data Guard feature can prevent responses from exposing sensitive information by masking the data (this is also known as response scrubbing). Data Guard scans text in responses looking for the types of sensitive information that you specify.

Note: When you mask the data, the system replaces the sensitive data with asterisks (****). F5 Networks recommends that you enable this setting especially when the security policy enforcement mode is transparent. Otherwise, when the system returns a response, sensitive data could be exposed to the client.

Using Data Guard, you can configure custom patterns using PCRE regular expressions to protect other forms of sensitive information, and indicate exception patterns not to consider sensitive. You can also specify which URLs you want the system to examine for sensitive data.

The system can also examine the content of responses for specific types of files that you do not want to be returned to users, such as Microsoft Office documents, PDFs, ELF binary files, Mach object files, or Windows portable executables. File content checking causes the system to examine responses for the file content types you select. You can configure the system to block sensitive file content (according to the blocking setting of the Data Guard: Information leakage detected violation).

Response headers that Data Guard inspects

Data Guard examines responses that have the following content-type headers:

  • "text/..."
  • "application/x-shockwave-flash"
  • "application/sgml"
  • "application/x-javascript"
  • "application/xml"
  • "application/x-asp"
  • "application/x-aspx"
  • "application/xhtml+xml"

You can configure one additional user-defined response content-type using the system variable user_defined_accum_type. If response logging is enabled, these responses can also be logged.

Protecting sensitive data

You can configure the system to protect sensitive data. If a web server response contains a credit card number, a U.S. Social Security number, or data that matches a custom pattern, then the system responds based on the enforcement mode setting.
  1. On the Main tab, click Security > Application Security > Data Guard.
    The Data Guard screen opens.
  2. In the Current edited security policy list near the top of the screen, verify that the security policy shown is the one you want to work on.
  3. Select the Data Guard check box.
  4. If you want the system to consider credit card numbers as sensitive data, select the Credit Card Numbers check box.
  5. If you want the system to consider U.S. social security numbers (in the form nnn-nn-nnnn, where n is an integer) as sensitive data, select the U.S. Social Security Numbers check box.
  6. To specify additional sensitive data patterns that occur in the application:
    1. Select the Custom Patterns check box.
    2. In the New Pattern field, type a PCRE regular expression to specify the sensitive data pattern, then click Add. For example, 999-\d\d-\d\d\d\d matches values of the form 999-nn-nnnn.
      Tip: You can validate the regular expression using the tool at Security > Options > Application Security > RegExp Validator.
    3. Add as many custom patterns as needed for the application.
  7. To specify data patterns not to consider sensitive:
    1. Select the Exception Patterns check box.
    2. In the New Pattern field, type a PCRE regular expression that matches data the system should not treat as sensitive, then click Add.
    3. Add as many exception patterns as needed for the application.
  8. If, in responses (when not blocked), you want the system to replace the sensitive data with asterisks (****), select the Mask Data check box.
    This setting is not relevant if blocking is enabled for the violation, because the system blocks responses containing sensitive data.
  9. To review responses for specific file content (for example, to determine whether someone is trying to download a sensitive type of document):
    1. For the File Content Detection setting, select the Check File Content check box.
      The screen displays a list of available file types.
    2. Move the file types you want the system to consider sensitive from the Available list into the Members list.
  10. To specify which URLs to examine for sensitive data, use the Enforcement Mode setting:
    • To inspect all URLs, use the default value of Ignore URLs in list, and do not add any URLs to the list.
    • To inspect all but a few specific URLs, use the default value of Ignore URLs in list, and add the exceptions to the list.
    • To inspect only specific URLs, select Enforce URLs in list, and add the URLs to check to the list.
    When adding URLs, you can type either explicit (/index.html) or wildcard (*xyz.html) URLs.
  11. Click Save to save your settings.
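As an added illustration (not F5's own code, which this chapter does not show), the following Python models the decision flow of steps 4 through 10 together with the inspected content-type list above: a response is scanned only if its Content-Type is in the inspected list and its URL passes the Enforcement Mode check; matches of the built-in nnn-nn-nnnn form and of custom PCRE patterns are masked with asterisks unless an exception pattern covers them; and a blocking policy withholds the response instead. The function names and the sample body are constructed for the example, and Python's re module stands in for PCRE.

```python
import re
from fnmatch import fnmatchcase

# Content types the chapter lists as inspected; "text/" is a prefix, the rest exact.
INSPECTED_TYPES = ("text/", "application/x-shockwave-flash", "application/sgml",
                   "application/x-javascript", "application/xml", "application/x-asp",
                   "application/x-aspx", "application/xhtml+xml")
SSN_PATTERN = r"\b\d{3}-\d{2}-\d{4}\b"  # built-in U.S. SSN form nnn-nn-nnnn

def content_type_inspected(content_type, user_defined_accum_type=None):
    """True if the response Content-Type is one Data Guard scans."""
    ct = content_type.split(";")[0].strip().lower()
    if user_defined_accum_type and ct == user_defined_accum_type.lower():
        return True
    return any(ct.startswith(t) if t.endswith("/") else ct == t for t in INSPECTED_TYPES)

def url_inspected(url, url_list=(), mode="ignore"):
    """mode='ignore': scan all URLs except those listed; 'enforce': scan only listed."""
    listed = any(fnmatchcase(url, pat) for pat in url_list)  # explicit or *xyz.html style
    return not listed if mode == "ignore" else listed

def scrub(body, patterns, exceptions=()):
    """Replace each match of a sensitive pattern with '****' unless an exception covers it."""
    exc = [re.compile(e) for e in exceptions]
    hits = 0
    def repl(m):
        nonlocal hits
        if any(e.fullmatch(m.group(0)) for e in exc):
            return m.group(0)  # exception pattern: leave the text untouched
        hits += 1
        return "****"
    for p in patterns:
        body = re.sub(p, repl, body)
    return body, hits

def data_guard(headers, body, url, patterns, exceptions=(), url_list=(),
               url_mode="ignore", blocking=False, mask=True):
    """Return (action, body sent to the client, match count); action is pass/mask/block."""
    if not content_type_inspected(headers.get("Content-Type", "")) \
            or not url_inspected(url, url_list, url_mode):
        return "pass", body, 0
    scrubbed, hits = scrub(body, patterns, exceptions)
    if hits == 0:
        return "pass", body, 0
    if blocking:  # violation set to block and the policy in blocking mode
        return "block", "", hits
    return ("mask", scrubbed, hits) if mask else ("pass", body, hits)

# Constructed sample response body for a stand-alone run (not real data).
SAMPLE_BODY = "Account 123-45-6789 on file; test id 999-12-3456; sample 999-00-0000."
```

Calling data_guard with SAMPLE_BODY, a text/html Content-Type, the patterns [SSN_PATTERN, r"999-\d\d-\d\d\d\d"] and the exception r"999-00-0000" masks the first two numbers and leaves the excepted one in place.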

When the system detects sensitive information in a response, it generates the Data Guard: Information leakage detected violation (if the violation is set to alarm or block). If the security policy enforcement mode is set to blocking and the violation is set to block, the system does not send the response to the client.