Applies To: BIG-IQ Centralized Management 5.0.0
About security policies in BIG-IQ Web Application Security
BIG-IQ® Web Application Security imports ASM™ application security policies from discovered BIG-IP® devices, and lists them on the Web Application Security policy editor Policies screen. Each security policy is assigned a unique identifier that it carries across the enterprise. This ensures that each policy is shown only once in the Policies screen, no matter how many devices it is attached to. In the BIG-IQ Web Application Security repository, policies are in XML format.
About subcollections in policies
Subcollections are groups of like objects related to the Web Application Security policy. Not all subcollections are visible in the Web Application Security policy editor; other subcollections can be imported and deployed without being displayed. Generally, you can import subcollections from a BIG-IP® device and then deploy them without editing. Note that you cannot manage wildcard ordering for subcollections using the BIG-IQ user interface.
The following are the supported versions of the BIG-IQ system and the BIG-IP device for each subcollection. Refer to the release notes for BIG-IQ® Centralized Management for detailed information on BIG-IP device and BIG-IQ system support, such as the minimum TMOS version supported for this release.
Subcollection | Discovery and Deployment Support | Edit Support using BIG-IQ GUI | Minimum BIG-IP Device Version Support | Comments |
---|---|---|---|---|
Policy and properties | Yes | Yes | Any | |
Character Sets | Yes | Yes | Any | The BIG-IQ user interface can be used to edit parameter names and parameter values. |
Data Guard | Yes | Yes | Any | |
File Types | Yes | Yes | Any | |
IP Address Exceptions | Yes | Yes | Any | |
Parameters | Yes | Yes | Any | |
Extractions | Yes | Yes | 11.6.0 | |
Response Pages | Yes | Yes | Any | |
Signatures | Yes | Yes | Any | |
Signature Sets and attack signature configuration | Yes | Yes | Any | No support for manual sets. |
Blocking settings - violations | Yes | Yes | Any | No support for user defined violations. |
Blocking settings - evasions | Yes | Yes | Any | |
Blocking settings - http protocol compliance | Yes | Yes | Any | |
Blocking settings - web services securities | Yes | Yes | Any | |
Policy Builder | Yes | No | Any | |
Allowed methods | Yes | Yes | Any | |
Headers | Yes | Yes | Any | |
Cookies | Yes | No | Any | |
Host names | Yes | No | Any | |
Geolocation enforcement | Yes | No | 11.6.0 | |
IP Intelligence | Yes | No | 11.6.0 | |
Redirection protection | Yes | No | 11.6.0 | |
Sensitive parameters | Yes | No | Any | |
Web scraping | Yes | No | 12.0.0 | |
CSRF protection | Yes | No | 11.6.0 | |
JSON Profiles | Yes | No | 11.6.0 | |
XML Profiles | Yes | No | 11.6.0 | |
GWT Profiles | Yes | No | 11.6.0 | |
URLs | Yes | No | Any | |
Login Pages | Yes | No | 11.6.0 | |
Login Enforcement | Yes | No | 11.6.0 | |
Brute Force Attack Preventions | Yes | No | 11.6.0 | |
Session Tracking Configuration | Yes | No | 11.6.0 | Only configuration is supported, there is no support for online tracking data. |
Editing security policies
Editing properties settings
Properties settings
These properties are the general configuration options and settings that determine the overall behavior and functionality of the security policy.
Property | Description |
---|---|
Name | Unique name of the security policy. The Name field is editable only on policy creation. |
Partition | Partition to which the security policy belongs. Only users with access to a partition can view the objects that it contains. If the policy resides in the Common partition, all users can access it. |
Description | Optional description of the security policy. Type in any helpful details about the policy. Note: This field is limited to 255 characters. |
Full Path | Full path to which the security policy belongs. |
Application Language | A Language encoding for the web application, which determines how the security policy processes the character sets. The default language encoding determines the default character sets for URLs, parameter names, and parameter values. |
Security is case sensitive | If enabled, the security policy treats file types, URLs, and parameters as case-sensitive. When this setting is disabled (not checked), the system stores these policy elements in lowercase in the policy configuration. |
Learning Mode | Select one of the options. |
Enforcement Mode | Specifies how the system processes a request that triggers a security policy violation. If Transparent, specifies that when the system receives a request that violates a policy parameter, the system logs the violation event, but does not block the request. If Blocking, specifies that when the system receives a request that violates a policy parameter, the system logs the violation event, blocks the request, and responds to the request by sending the Blocking Response page and Support ID information to the client. |
Enforcement Readiness Period | Use the control to indicate the number of days in the period. The default is 7 days. Both security policy entities and attack signatures remain in staging mode for this period before the system suggests you enforce them. The system does not enforce policy entities and attack signatures in staging. Staging allows you to test the policy entities and the attack signatures for false positives without enforcing them. |
Mask Credit Card Numbers in Request Log | If enabled, credit card numbers are masked in the request log. If disabled (cleared), credit card numbers are not masked. |
Maximum HTTP Header Length | Maximum length of an HTTP header name and value that the system processes. The default setting is 8192 bytes. The system calculates and enforces the HTTP header length based on the sum of the length of the HTTP header name and value. To specify a value for length, type a different value in the field. To specify that any length is acceptable, clear the field. An empty field (a value of any) indicates that there are no restrictions on the HTTP header length up to 8192 bytes. |
Maximum Cookie Header Length | Maximum length of a cookie header name and value that the system processes. The default setting is 8192 bytes. The system calculates and enforces a cookie header length based on the sum of the length of the cookie header name and value. To specify a value for length, type a different value in the field. To specify that any length is acceptable, clear the field. An empty field (a value of any) indicates that there are no restrictions on the cookie header length up to 8192 bytes. |
Allowed Response Status Code | Specifies which requests the security policy permits, based on the HTTP response status codes they return. Click the gear icon to add or delete response codes. |
Dynamic Session ID in URL | Specifies how the security policy processes URLs that use dynamic sessions. Click the gear icon to change the setting or create a custom pattern. |
Trigger ASM iRule Events | When enabled, Web Application Security activates ASM™ iRule events; when disabled (the default), it does not. Leave this option disabled if you either have not written any ASM iRules® or have written iRules that are not ASM iRules; iRule events that are not ASM events are triggered by the Local Traffic Manager™. Enable this option if you have written iRules that process ASM iRule events and assigned them to a specific virtual server. |
Trust XFF Header | When set to No (the default), the system does not trust an XFF (X-Forwarded-For) header in the request. Leave this option disabled if the header may be spoofed or crafted by a malicious client. With this setting disabled, if Web Application Security is deployed behind an internal proxy, the system uses the internal proxy’s IP address instead of the client’s IP address. If Web Application Security is deployed behind an internal or other trusted proxy, you can click the gear icon to change the setting and specify that the system trusts an XFF header in the request: select the Trust XFF Headers check box and add a required custom header name (a-z, A-Z, no whitespace allowed). The system then uses the IP address that initiated the connection to the proxy instead of the internal proxy’s IP address. Because the client address then comes from a request header, the trusted proxy must overwrite or strip any XFF value the client supplies; otherwise a client can choose the address that IP address exceptions and geolocation enforcement see. |
Handle Path Parameters | Specifies how the system handles path parameters that are attached to path segments in URIs. |
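The Trust XFF Header row above hinges on one question: which address does the policy treat as the client once a proxy sits in front of the WAF? The following is an added example, not BIG-IQ or BIG-IP code. The proxy range (10.0.0.0/8), the constructed header chains and the resolution rule (walk the chain from the right and stop at the first hop that is not a trusted proxy) are assumptions chosen to illustrate the setting; they are not a description of how ASM itself parses the header.

```python
"""Which address is "the client" when a proxy sits in front of the WAF?

Added example, not BIG-IQ or BIG-IP code. The proxy range, the header chains
and the resolution rule (walk the chain from the right and stop at the first
hop that is not a trusted proxy) are assumptions chosen to illustrate the
Trust XFF Header setting; they do not describe how ASM parses XFF.
"""
import ipaddress
from typing import Optional

# Constructed: the internal proxy tier between clients and the WAF.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted_proxy(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr: str, xff: Optional[str], trust_xff: bool) -> str:
    """Return the address the policy should treat as the client.

    trust_xff=False (the page's default): the TCP peer is the client. Behind
    a proxy that is the proxy's address, so IP exceptions and geolocation act
    on the proxy, never on a value the client can choose.

    trust_xff=True: the peer and every XFF hop are examined from right to
    left; trusted proxies are skipped and the first other address is the
    client. Anything further left was appended by that hop and is not
    trusted. A malformed hop raises ValueError; a resolver should reject the
    request in that case rather than guess.
    """
    if not trust_xff or not xff:
        return peer_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in hops:
        ipaddress.ip_address(hop)  # ValueError on garbage
    for addr in reversed(hops + [peer_addr]):
        if not is_trusted_proxy(addr):
            return addr
    return peer_addr  # every hop is an internal proxy


if __name__ == "__main__":
    # Proxy appends the real client (198.51.100.7) after a spoofed value.
    print(client_ip("10.1.2.3", "203.0.113.5, 198.51.100.7", True))
    # Proxy forwards the client-supplied header untouched: the spoof wins.
    print(client_ip("10.1.2.3", "203.0.113.5", True))
```

The two calls in the `__main__` block are the whole argument for the caveat: when the proxy appends the address it actually saw, the right-to-left walk lands on 198.51.100.7 no matter what the client put in the header; when the proxy passes the header through unchanged, the only hop is client-supplied and 203.0.113.5 becomes the address the policy acts on.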
Editing blocking settings
Blocking settings
Blocking Setting | Description |
---|---|
Enforcement Mode | Specifies whether blocking is active or inactive for the security policy. |
General Features | |
HTTP protocol compliance failed | When the check box is cleared, the system does not enforce this sub-violation. |
Attack Signatures | The system examines HTTP messages for known attacks by comparing them against known attack patterns. Click the Edit Settings link to edit the properties of that signature set. |
Evasion technique detected | When the check box is cleared, the system does not enforce this sub-violation. |
File Types | When enabled, the system checks that the requested file type is configured as a valid file type or not configured as an invalid file type. |
URLs | |
Parameters | |
Sessions and Logins | |
Cookies | |
Content Profiles | |
Web Services Security Failure | |
CSRF Protection | Cross-site request forgery (CSRF) is an attack that forces a user to execute unwanted actions on a web application in which the user is currently authenticated. When enabled, this setting specifies that you want the system to protect the web application against CSRF attacks. Click the arrow icon to view and edit the security policy’s CSRF protection configuration. |
IP Addresses / Geolocations | |
Headers | |
Redirection Protection | |
Data Guard | Specifies which information the system considers sensitive, including credit card numbers, U.S. Social Security numbers, custom patterns, and file content. |
Editing response page settings
You can view and edit the default response page, the login page response, the XML response page, and the AJAX response page.
Response page settings specify the content of the response that the system sends to the user when the security policy blocks a client request. You can also configure a redirect URL so that the system redirects the client to another location instead of displaying a response page. Edit the response pages for each policy object individually.
Editing Data Guard settings
Editing Headers and Methods settings
- Allowed methods. All security policies accept the standard HTTP methods (GET, HEAD, and POST) by default. If your web application uses HTTP methods other than these, add them to the security policy. You can also specify which methods other web applications may use when requesting a URL from another domain.
- HTTP headers. You can specify a list of request headers that other web applications hosted in different domains may use when requesting this URL.
Editing IP address settings
IP address exceptions change how the security policy treats traffic from the listed addresses. You can configure:
- Never blocking or logging traffic sent from configured IP address exceptions.
- Not generating Learning Suggestions for traffic sent from configured IP address exceptions.
- Always allowing traffic sent from configured IP address exceptions.
Exceptions match the client address the policy sees. When Trust XFF Header is enabled in the policy properties, that is the address taken from the XFF header rather than the proxy’s address, so an exception is only as reliable as the proxy that sets the header.
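The properties table (Enforcement Mode, the header length limits, Trust XFF Header), the Allowed methods list and the IP address exceptions above are the settings a reviewer checks first on an imported policy, and the page notes that policies are stored in the BIG-IQ repository as XML. The following is an added example, not BIG-IQ or BIG-IP code: it audits a constructed, simplified policy document for those weak settings and shows the corrected form beside it. The element and attribute names in the sample (`policy/@enforcement_mode`, `general/trust_xff`, `methods/method`, `ip_exceptions/ip`) are assumptions made for illustration, not the ASM export schema; a real export has to be parsed with the names it actually uses.

```python
"""Audit the security-relevant settings of an exported policy.

Added example, not BIG-IQ or BIG-IP code. The element and attribute names in
the sample XML are a constructed, simplified layout for illustration, not the
ASM export schema. Use defusedxml instead of the stdlib parser for files you
did not export yourself.
"""
import ipaddress
import xml.etree.ElementTree as ET
from typing import List

DEFAULT_METHODS = {"GET", "HEAD", "POST"}  # the defaults the page lists
BROAD_PREFIX = 24  # an exception wider than /24 deserves a second look

# Constructed: a policy still in transparent mode with several weak settings.
WEAK_POLICY_XML = """\
<policy name="shop_web" enforcement_mode="transparent">
  <general>
    <trust_xff>true</trust_xff>
    <max_http_header_length/>
    <max_cookie_header_length>8192</max_cookie_header_length>
  </general>
  <methods>
    <method name="GET"/><method name="HEAD"/><method name="POST"/><method name="TRACE"/>
  </methods>
  <ip_exceptions>
    <ip address="10.20.0.0" mask="255.255.0.0" never_log="true" never_block="true"/>
    <ip address="0.0.0.0" mask="0.0.0.0" never_block="true"/>
    <ip address="192.0.2.44" mask="255.255.255.255" never_log="true"/>
  </ip_exceptions>
</policy>
"""

# Constructed: the same policy after the findings below were addressed.
HARDENED_POLICY_XML = """\
<policy name="shop_web" enforcement_mode="blocking">
  <general>
    <trust_xff>false</trust_xff>
    <max_http_header_length>8192</max_http_header_length>
    <max_cookie_header_length>8192</max_cookie_header_length>
  </general>
  <methods>
    <method name="GET"/><method name="HEAD"/><method name="POST"/>
  </methods>
  <ip_exceptions>
    <ip address="192.0.2.44" mask="255.255.255.255" never_log="true"/>
  </ip_exceptions>
</policy>
"""


def _text(node: ET.Element, path: str) -> str:
    child = node.find(path)
    return (child.text or "").strip() if child is not None else ""


def audit_policy(xml_text: str) -> List[str]:
    """Return one finding code per weak setting; an empty list means clean."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []

    # Transparent mode logs violations but never blocks them.
    if root.get("enforcement_mode", "").lower() != "blocking":
        findings.append("ENFORCEMENT_TRANSPARENT")

    # With XFF trusted, the client address comes from a request header.
    if _text(root, "general/trust_xff").lower() == "true":
        findings.append("TRUST_XFF_ENABLED")

    # An empty length field means "any": no policy-side limit at all.
    for tag in ("max_http_header_length", "max_cookie_header_length"):
        if not _text(root, "general/" + tag):
            findings.append(tag.upper() + "_ANY")

    # Methods beyond GET/HEAD/POST need a reason (TRACE rarely has one).
    allowed = {m.get("name", "").upper() for m in root.findall("methods/method")}
    for extra in sorted(allowed - DEFAULT_METHODS):
        findings.append("EXTRA_METHOD_" + extra)

    # Exceptions that disable blocking or logging for a wide address range
    # are blind spots; 0.0.0.0/0 with never_block turns the policy off.
    for ex in root.findall("ip_exceptions/ip"):
        net = ipaddress.ip_network(ex.get("address") + "/" + ex.get("mask"), strict=False)
        flags = [k for k in ("never_block", "never_log") if ex.get(k, "false").lower() == "true"]
        if flags and net.prefixlen < BROAD_PREFIX:
            findings.append("BROAD_IP_EXCEPTION_%s_%s" % (net, "+".join(flags)))
    return findings


if __name__ == "__main__":
    for code in audit_policy(WEAK_POLICY_XML):
        print(code)
    print("hardened:", audit_policy(HARDENED_POLICY_XML))
```

The `/16` exception with both never-block and never-log is the finding to take most seriously: traffic from that range is neither blocked nor recorded, so nothing in the request log will show an attacker who reaches the application through it.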
Adding file types settings
Editing parameters settings
The GUI lists the configured parameters in a table of 5 columns: check box, Name, Value Type, Level, Staging. The name of the parameter is a link for entering the detail and/or edit mode for the parameter. A default parameter exists for all policies: * (asterisk). It is a pure wildcard with a value type of user-input, a level of global, and staging enabled.
Use the filter to search the column values of the parameter (Name, Value Type, Level, Staging).
- Define a parameter’s characteristics and add them to the policy by clicking Edit. The policy is placed under administrative lock and the fields become editable. To unlock, click Unlock.
- Create a new parameter by first clicking Edit and then Add.
- Delete a parameter by clicking Edit to enter edit mode, selecting
the check box of the parameter, clicking Delete, and clicking
Yes to confirm.
From the parameters list, you can select a single parameter directly by clicking it, or select multiple parameters using the selection check boxes. Once selected, you can delete them by clicking Delete and confirming.
Editing extractions settings
As with the other policy subcollections, the GUI for extractions displays the Edit button (unless the policy is already locked for edit). Click Edit to lock the policy; the system then displays the Add, Delete, and Unlock buttons. Note that the Delete button is disabled until you select at least one extraction.
Use the filter to search the column values of the extraction.
To create an extraction configuration, click Edit. The policy is placed under administrative lock and the fields become editable. Then click Add. The system displays the Extraction Configuration screen with the default values filled in. For details, consult the following steps.
Editing character sets settings
Editing attack signatures settings
Viewing attack signatures lists
Customizing attack signatures lists
- Log in to BIG-IQ Security with Administrator, Security Manager, or Web Application Security Manager credentials.
- Navigate to the Attack Signatures screen: in the Web Application Security policy editor, select a policy name, and from the Policy objects list, select Attack Signatures Lists.
- Type search text in the filter text field and press Enter.
- For finer control over the filtering options, click Advanced Filter and specify the appropriate settings.
Option | Description |
---|---|
Containing String | Specify whether the screen displays signatures based on a string found in the signature name. The default empty field indicates that the screen displays all signatures. Type part of the signature name in the field to view signature names that contain a specific string. This search is not case-sensitive. |
Signature Type | Specify what type of signatures the system displays: All (the default), Request (signatures configured to inspect the client request), or Response (signatures configured to inspect the server response). |
Risk | Specify the risk level: Low (the attack may assist the user in gathering knowledge to perpetrate further attacks, but does not cause direct damage or reveal highly sensitive data), Medium (the attack may reveal sensitive data or cause moderate damage), or High (the attack may cause a full system compromise, denial of service, and the like). |
Enabled | Specify whether the screen displays signatures based on their Enabled setting. This filter specifies only whether the signatures displayed are enabled or disabled for the entire security policy, without regard to parameter-specific settings: All (the default), No (disabled signatures), or Yes (enabled signatures). |
Signature ID | Specify whether the screen displays signatures based on their ID number. (The system automatically provides the signature ID, which cannot be changed.) The default empty field indicates that the screen displays all signatures. Type the signature ID in the field to view signatures with a specific signature ID. |
User Defined | Specify whether the screen displays signatures based on who created them: All (the default), No (system-defined signatures), or Yes (user-defined signatures). |
Accuracy | Specify the accuracy level: Low (a high likelihood of false positives), Medium (some likelihood of false positives), or High (a low likelihood of false positives). |
In Staging | Specify whether the screen displays signatures based on each signature’s Perform Staging setting, that is, whether the signatures displayed are in staging or not. This option is available only if signature staging is enabled in the security policy: All (the default), No (signatures currently not in staging), or Yes (signatures currently in staging). |
- When you have finished making your selections, click Apply Filter.
- When you are finished, click Save to save the modifications and unlock the policy.
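The In Staging filter above and the Enforcement Readiness Period property earlier on this page describe the same workflow: a signature stays in staging for the readiness period, its matches are logged but not blocked, and only then does the system suggest enforcing it. The following is an added example, not BIG-IQ or BIG-IP code, of what that decision looks like when taken from the log. The signature records, the log line format and the decision rule (ready once staged for the full period with no matches; review if it matched anything, because those matches are candidate false positives; wait otherwise) are assumptions made for illustration; the page does not describe the product's own suggestion logic beyond the readiness period itself.

```python
"""Enforcement-readiness check for staged attack signatures.

Added example, not BIG-IQ or BIG-IP code. The record layout, the log line
format and the decision rule are assumptions made for illustration.
"""
from datetime import date
from typing import Dict, List, Optional

READINESS_PERIOD_DAYS = 7  # the page's default Enforcement Readiness Period

# Constructed: signatures as they might appear in the policy's signature
# list. 'staged_since' is the day staging began; None means already enforced.
SIGNATURES: List[dict] = [
    {"id": 200000001, "name": "SQL-INJ expressions", "staged_since": date(2016, 5, 10)},
    {"id": 200000007, "name": "XSS script tag", "staged_since": date(2016, 5, 10)},
    {"id": 200000017, "name": "Path traversal", "staged_since": date(2016, 5, 21)},
    {"id": 200000042, "name": "Command execution", "staged_since": None},
]

# Constructed: request log lines recorded for staged signature matches.
STAGING_LOG = """\
2016-05-18 signature_id=200000001 url=/search
2016-05-19 signature_id=200000001 url=/search
2016-05-21 signature_id=200000017 url=/api/upload
2016-05-01 signature_id=200000007 url=/old
"""


def staging_hits(log: str, since_by_id: Dict[int, date]) -> Dict[int, int]:
    """Count matches per staged signature, ignoring lines that predate staging."""
    hits = {sid: 0 for sid in since_by_id}
    for line in log.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        when = date.fromisoformat(fields[0])
        kv = dict(f.split("=", 1) for f in fields[1:])
        sid = int(kv["signature_id"])
        since = since_by_id.get(sid)
        if since is not None and when >= since:
            hits[sid] += 1
    return hits


def readiness(signatures: List[dict], log: str, today: date,
              period_days: int = READINESS_PERIOD_DAYS) -> Dict[int, str]:
    """Classify each signature as enforced, wait, enforce (ready) or review."""
    since_by_id = {s["id"]: s["staged_since"]
                   for s in signatures if s["staged_since"] is not None}
    hits = staging_hits(log, since_by_id)
    result: Dict[int, str] = {}
    for s in signatures:
        since: Optional[date] = s["staged_since"]
        if since is None:
            result[s["id"]] = "enforced"
        elif (today - since).days < period_days:
            result[s["id"]] = "wait"       # period not over yet
        elif hits[s["id"]] == 0:
            result[s["id"]] = "enforce"    # clean run: safe to enforce
        else:
            result[s["id"]] = "review"     # matched traffic: check for false positives
    return result


if __name__ == "__main__":
    for sid, status in readiness(SIGNATURES, STAGING_LOG, date(2016, 5, 25)).items():
        print(sid, status)
```

Signature 200000001 is the interesting case: it has been staged longer than the period, but it matched two requests to /search while staged, so enforcing it on the period alone would start blocking that traffic. Those two log lines are exactly what the staging period exists to surface.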
Adding security policies
Importing security policies
If you replaced an existing policy, the imported security policy completely overwrites the existing security policy. Also, the imported policy is then associated with the virtual server and local traffic policy that was previously associated with the policy you replaced. The replaced policy is automatically archived with the inactive security policies.