Manual Chapter: Working with the Application-Ready Security Policies

The Application Security Manager provides application-ready security policies that are preconfigured to address the security needs of specific enterprise applications. System-provided application security templates create working security policies that can immediately increase the security of an application.
In addition, you can develop security policy templates that are tailored to your environment and that appear in the list of application-ready security policies. User-defined system templates are created from existing security policies or uploaded from template files.
When you select an application-ready security policy, the system automatically populates the security policy with the entities and optimizations that are specific to the application. Application-ready security policies are available for web applications that use either the HTTP or the HTTPS protocol.
The Deployment wizard offers a quick and automated method for deploying a security policy for well-known enterprise applications. From the Deployment wizard, you select the manual deployment scenario, then choose the application-ready security policy for the application you want to protect. For more information on working with the Deployment wizard, refer to the BIG-IP® Application Security Manager: Getting Started Guide.
When you use one of the application-ready security policies, the system builds the security policy in Transparent mode. This enables you to review and fine-tune the security policy before it is enforced. After you see that the security policy does not produce any false positives, you can place the security policy in Blocking mode.
You also have the option of starting automated policy building, and having the Real Traffic Policy Builder® add to the security policy based on examining the traffic. If you do, the security policy remains in Transparent mode until you set it to blocking. Refer to Stopping and starting automatic policy building for details on how to start the Policy Builder. For information on how to change the enforcement mode to blocking, see Configuring the enforcement mode.
The Rapid Deployment security policy is configured with a general set of security checks to minimize or eliminate false positives and to reduce the complexity and length of the initial evaluation deployment period. By default, the Rapid Deployment security policy is in a globally transparent mode. You can enable blocking either globally or for individual security checks, as necessary. The Rapid Deployment security policy enables organizations to meet the majority of web application security requirements as outlined in PCI DSS v1.2 section 6, FISMA, HIPAA, and others.
When you use the Rapid Deployment security policy to create your security policy, the Application Security Manager automatically configures the following security optimizations:
Protection against data leakage in responses, for US Social Security Numbers, credit card numbers, and custom patterns
Select Create a policy manually or use templates.
From the Application-Ready Security Policy list, select Rapid Deployment security policy or Rapid Deployment security policy with Policy Builder enabled.
The security policy is initially created in transparent mode. To enforce the security policy, you need to check the policy blocking settings and set the enforcement mode to blocking.
If you create a security policy using the option Rapid Deployment Security Policy with Policy Builder Enabled, the security policy also enables the Real Traffic Policy Builder®, the automated policy building tool. The Policy Builder examines requests and responses from different sessions and different IP addresses, over a period of time. It then populates the security policy with legitimate security policy elements (file types, URLs, parameters, and so on), and puts them in staging. The Policy Builder ensures that the policy does not cause false positives.
The security policy is initially created in transparent mode. To enforce the security policy, you need to check the policy blocking settings and set the enforcement mode to blocking.
The ActiveSync application-ready security policies protect servers running Microsoft® ActiveSync® software, versions 1.0 or 2.0. Templates are available for both the HTTP and the HTTPS protocols.
ActiveSync is Microsoft's protocol for synchronizing mobile devices with the corporate Microsoft Exchange Server. Windows Mobile and iPhone® devices use ActiveSync to synchronize email, contacts, and calendar data.
When you use an ActiveSync security policy to create your security policy, the Application Security Manager automatically configures the optimal security policy to protect the ActiveSync application. It also configures attack signatures to detect application-specific attack patterns.
If you are using the ActiveSync security policy, you must perform the following tasks to create the security policy with the template:
Select Create a policy manually or use templates.
From the Application-Ready Security Policy list, select the ActiveSync v1.0 v2.0 (http or https) security policy.
Note: If you are using OWA Exchange 2003 or 2007 with ActiveSync, select the OWA Exchange 2003/2007 with ActiveSync security policy.
The Lotus Domino 6.5 application-ready security policies protect servers running Lotus® Domino® software version 6.5.4. The templates are available for both the HTTP and the HTTPS protocols.
When you use a Lotus Domino 6.5 security policy to create your security policy, the Application Security Manager automatically configures the following optimizations to protect the Lotus Domino 6.5 application:
The illegal session ID in URL mechanism removes session ID information to prevent false-positive alarms for the Illegal URL violation.
If you are using the Lotus Domino 6.5 security policy, you must perform the following tasks to create the security policy with the template:
Select Create a policy manually or use templates.
From the Application-Ready Security Policy list, select the Lotus Domino 6.5 (http or https) security policy.
The OWA Exchange 2003, 2007, 2010 application-ready security policies protect servers running Microsoft® Outlook® Web Access (OWA) software with Microsoft® Exchange Server software. The templates are available for both the HTTP and the HTTPS protocols.
When you use an OWA Exchange security policy to create your security policy, the Application Security Manager automatically configures the following optimizations to protect the Outlook Web Access application:
Attack signatures detect application-specific attack patterns, including a customized signature that detects attack patterns in Microsoft Internet Explorer® requests.
If you are using an OWA Exchange security policy, perform the following tasks to create the security policy with the template:
Select Create a policy manually or use templates.
From the Application-Ready Security Policy list, select the OWA Exchange 2003, 2007, or 2010 (http or https) security policy.
Note: If you are using OWA Exchange 2003 or 2007 with ActiveSync, select the OWA Exchange 2003 or 2007 with ActiveSync security policy.
The Oracle 10g Portal application-ready security policies protect servers running the Oracle® Applications 10g database software. The templates are available for both the HTTP and the HTTPS protocols.
When you use the Oracle 10g Portal security policy to create your security policy, the Application Security Manager automatically configures the following optimizations to protect the Oracle database application:
If you are using the Oracle 10g Portal security policy, you must perform the following tasks to create the security policy with the template:
Select Create a policy manually or use templates.
From the Application-Ready Security Policy list, select the Oracle 10g Portal (http or https) security policy.
The Oracle Applications 11i application-ready security policies protect servers running the Oracle® Applications 11i database software. The templates are available for both the HTTP and the HTTPS protocols.
When you use the Oracle Applications 11i security policy to create your security policy, the Application Security Manager automatically configures the following optimizations to protect the Oracle database application:
If you are using the Oracle Applications 11i security policy, you must perform the following tasks to create the security policy with the template:
Select Create a policy manually or use templates.
From the Application-Ready Security Policy list, select the Oracle Applications 11i (http or https) security policy.
The PeopleSoft Portal 9 application-ready security policies protect servers running the PeopleSoft Portal 9 database software. The templates are available for both the HTTP and the HTTPS protocols.
When you use the PeopleSoft Portal 9 security policy to create your security policy, the Application Security Manager automatically configures the following optimizations to protect the database application:
If you are using the PeopleSoft Portal 9 security policy, you must perform the following tasks to create the security policy with the template:
Select Create a policy manually or use templates.
From the Application-Ready Security Policy list, select the PeopleSoft Portal 9 (http or https) security policy.
The SAP NetWeaver application-ready security policies protect servers running the SAP NetWeaver® 7 software. The templates are available for both the HTTP and the HTTPS protocols.
When you use an SAP NetWeaver security policy to create your security policy, the Application Security Manager automatically configures the following optimizations to protect the SAP NetWeaver application:
If you are using the SAP NetWeaver security policy, you must perform the following tasks to create the security policy with the template:
Select Create a policy manually or use templates.
From the Application-Ready Security Policy list, select the SAP NetWeaver 7 (http or https) security policy.
The SharePoint application-ready security policies protect servers running Microsoft® SharePoint® 2003, 2007, or 2010 software. The templates are available for both the HTTP and the HTTPS protocols.
When you use a SharePoint security policy to create your security policy, the Application Security Manager automatically configures the following optimizations to protect the SharePoint application:
The illegal session ID in URL mechanism removes session ID information to prevent false-positive alarms for the Illegal URL violation (SharePoint 2003 only).
If you are using the SharePoint 2003, 2007, or 2010 security policy, perform the following tasks to create the security policy with the template:
Select Create a policy manually or use templates.
From the Application-Ready Security Policy list, select the SharePoint 2003, 2007, or 2010 (http or https) security policy.
Managing large file uploads when using the application-ready security policies
Web applications protected by the application-ready security policies frequently receive large file uploads (files larger than 10 MB). As a result, you may encounter clients that are blocked because of the large file uploads and should not be. You can resolve this issue by disabling the Block flag for the security policy violation Request length exceeds defined buffer size. When the blocking action is disabled for this violation, the Security Enforcer inspects the headers in the associated request but ignores the file upload itself.
1. On the Main tab, expand Security, point to Application Security, and click Blocking.
The Blocking: Settings screen opens.
3. In the Configuration area, ensure that the Enforcement Mode setting has the Blocking option enabled.
Note: You can change the Block flags only when the enforcement mode is Blocking.
4. In the Access Violations area, locate the Request length exceeds defined buffer size violation, and in the Block column, clear the Block check box.
5. Click the Save button to save any changes you may have made on this screen.
6. To put the security policy changes into effect immediately, click the Apply Policy button in the editing context area.
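The effect of this procedure can be modelled in a few lines. The following Python sketch is an added example, not F5 code and not the Security Enforcer's implementation: it models how the enforcement mode and a per-violation Block flag combine, and what remains inspected once the flag is cleared. Assumptions: the 10 MB buffer value, the `Policy`, `Verdict` and `evaluate` names, the `Header check failed` stand-in violation, and the constructed marker string are all hypothetical.

```python
from dataclasses import dataclass, field

BUFFER_SIZE = 10 * 1024 * 1024   # assumption: 10 MB, from the page's "larger than 10 MB"
OVERSIZE = "Request length exceeds defined buffer size"
HEADER_CHECK = "Header check failed"          # hypothetical stand-in violation
MARKER = "constructed-bad-pattern"            # constructed stand-in for a signature

@dataclass
class Policy:
    enforcement_mode: str = "transparent"     # "transparent" or "blocking"
    block_flags: dict = field(
        default_factory=lambda: {OVERSIZE: True, HEADER_CHECK: True})

    def set_block_flag(self, violation, enabled):
        # Block flags can be changed only when the enforcement mode is Blocking.
        if self.enforcement_mode != "blocking":
            raise ValueError("enforcement mode must be Blocking")
        self.block_flags[violation] = enabled

@dataclass
class Verdict:
    blocked: bool
    violations: list        # everything detected, whether or not it blocks
    body_inspected: bool

def evaluate(policy, headers, body_length):
    """Decide what happens to one request under the modelled policy."""
    violations = []
    # Headers are inspected for every request, oversized or not.
    if any(MARKER in value for value in headers.values()):
        violations.append(HEADER_CHECK)
    oversize = body_length > BUFFER_SIZE
    if oversize:
        violations.append(OVERSIZE)
    # A violation blocks only in Blocking mode and only if its Block flag is set.
    blocked = policy.enforcement_mode == "blocking" and any(
        policy.block_flags.get(v, False) for v in violations)
    # An oversized body does not fit the buffer, so it is not examined.
    return Verdict(blocked, violations, body_inspected=not oversize)

def demo():
    policy = Policy(enforcement_mode="blocking")
    upload = {"Content-Type": "multipart/form-data"}      # constructed request
    before = evaluate(policy, upload, 12 * 1024 * 1024)
    policy.set_block_flag(OVERSIZE, False)                # the step in the procedure
    after = evaluate(policy, upload, 12 * 1024 * 1024)
    tainted = evaluate(policy, {"X-Note": MARKER}, 12 * 1024 * 1024)
    return before, after, tainted
```

In this model the cleared flag lets the 12 MB upload through while the violation is still recorded, and a header-level finding on the same request still blocks; `body_inspected` stays false for the oversized upload, which is the trade-off the paragraph above describes.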