Applies To:
Show VersionsBIG-IQ Centralized Management
- 6.0.0
F5 DataSafe Overview
F5® DataSafe™ protects web sites from Trojan attacks by encrypting data at the application layer on the client-side. Encryption is performed on the client-side using a public key generated by the BIG-IP® system and provided uniquely per session. When the encrypted information is received by the BIG-IP system, it is decrypted using a private key that is kept on the server-side. Users can view alerts on potential encryption attacks in the Data Protection log in the BIG-IP system or in a remote Syslog Server if you choose to configure one for receiving alerts.
- Configure a virtual server for the DataSafe profile.
- Create an initial DataSafe profile.
- Associate that profile with the virtual server.
Create a web application server node
Create a web application pool
Create a log publisher
You create a log publisher to specify where the BIG-IP system sends alert messages.
Create a custom HTTP profile
Create a virtual server
Configure general properties for an F5 DataSafe profile
Define URLs in the profile
Set a URL to be a login page
Configure a post-login URL
Associate an F5 DataSafe profile with a virtual server
General Configuration Options for F5 DataSafe Profiles and URLs
Configure advanced general settings on an F5 DataSafe profile
Enable an iRule to handle logins and alerts
iRule events
iRules® can subscribe to the ANTIFRAUD_ALERT event and the ANTIFRAUD_LOGIN event in F5® DataSafe™.
iRule event | Description |
---|---|
ANTIFRAUD_ALERT | Occurs when alerts are sent to the BIG-IP® system. |
ANTIFRAUD_LOGIN | Occurs when a user successfully logs in to the profile. Or if login validation is not configured, this event can occur if just the user name is identified. |
iRule Examples
The following example shows how an iRule uses the ANTIFRAUD_ALERT event to log all available information about an alert that was sent by the BIG-IP system to the location /var/log/ltm.
when ANTIFRAUD_ALERT{ log local0. "=========Anti-Fraud Alert=========" log local0. "Alert Identifier: [ANTIFRAUD::alert_id]" log local0. "Alert Type: [ANTIFRAUD::alert_type]" log local0. "Alert Component: [ANTIFRAUD::alert_component]" log local0. "Alert Details: [ANTIFRAUD::alert_details]" log local0. "Alert GUID: [ANTIFRAUD::alert_guid]" log local0. "Alert Device ID: [ANTIFRAUD::alert_device_id]" log local0. "Alert License ID: [ANTIFRAUD::alert_license_id]" log local0. "Alert Score: [ANTIFRAUD::alert_score]" log local0. "Alert Username: [ANTIFRAUD::alert_username]" log local0. "Alert HTTP Referrer: [ANTIFRAUD::alert_http_referrer]" log local0. "Alert Additional Info: [ANTIFRAUD::alert_additional_info]" }
The following example shows how an iRule uses the ANTIFRAUD_ALERT event to disable a specific alert according to its type.
when ANTIFRAUD_ALERT{ if {[ANTIFRAUD::alert_type] eq "components_validation"}{ log local0. "Alert Type is components validation" ANTIFRAUD::disable_alert log local0. "Disabled Alert" } }
The following example shows how an iRule uses the ANTIFRAUD_LOGIN event with its commands.
when ANTIFRAUD_LOGIN{ log local0. "=========Anti-Fraud Login=========" # read mode log local0. "Username: [ANTIFRAUD::username]" log local0. "GUID: [ANTIFRAUD::guid]" # write mode ANTIFRAUD::username "other_user" }
Values for iRule commands
The following values can be used in iRule commands:Value | Description |
---|---|
alert_id | For example, d4. |
alert_type | The type of alert. |
alert_component | An error type that is determined according to the alert_type. |
alert_details | Additional information regarding the alert. |
alert_device_id | Persistent browser identifier. |
alert_license_id | crc32 of the license id in hex. |
alert_transaction_data | Key-value list of all parameters marked to be attached. |
alert_username | When this command is used without any additional arguments, this is the name of
the user who triggered the alert. It is possible to use additional arguments to override the current user name (write mode), as shown in the ANTIFRAUD_LOGIN example above. |
alert_http_referrer | The URL of the site that was visited just before the Alert URL was visited. |
alert_additional_info | Shows additional information about the alert, such as the parameter values too long error message. |
disable_alert | Disables the current alert. |
Clone a profile
- In the General Properties screen of a cloned profile, some of the settings have an override check box. If this check box is not checked, then any changes made in the original profile will be copied to the cloned profile. If it is checked, then changes in the original profile are not copied to the cloned profile.
Clone a URL
Encrypting Data on the Application Level
Overview: Encrypting data on the application level
Application Layer Encryption protects against credential theft from man-in-the-middle (MITM) and MITM browser attacks, verifies whether a user is trying to use a fabricated password, validates the client-side password, and encrypts credentials in real-time upon submission. F5® DataSafe™ allows you to configure data encryption on the application level, so that sensitive data entered by a user on the client-side is protected against attempted fraud attacks that occur in the web application.