Manual Chapter: Performing Essential Configuration Tasks
This chapter describes the essential configuration tasks that are required to create a security policy for a web application on the Application Security Manager.
Note: You can optionally perform the networking configuration tasks as part of creating a security policy using the Deployment wizard.
Define a local traffic pool.
The local traffic pool contains the web server or application server resources that host the web application that you want to protect with a security policy. You create the local traffic pool, and later associate the pool with a virtual server. See Defining a local traffic pool, for more information.
Define an HTTP class.
When you define an HTTP class (with application security enabled), the system automatically creates a corresponding security policy in the Application Security Manager. See Defining an HTTP class, for more information.
Define a local traffic virtual server that uses the HTTP class as a resource.
The local traffic virtual server load balances the network resources that host the web application you are securing. The HTTP class links the security policy to the web application traffic through the virtual server. You can configure the virtual server, and then associate the HTTP class with the virtual server. See Defining a local traffic virtual server, for more information.
Run the Deployment wizard.
Using the Deployment wizard, you can create a security policy based on one of several typical deployment scenarios. See Running the Deployment wizard, for more information.
Review outstanding configuration tasks.
By using the Overview Summary screen, you can see a list of outstanding tasks (such as whether a signature update is available), policy building status, and links to tasks recommended for each security policy.
Periodically review the security policy details.
To ensure that the security policy is providing adequate application security, review the requests, charts, and statistics. See Maintaining and monitoring the security policy, for more information.
This chapter describes the general tasks that you perform to configure a security policy for a web application hosted on a local traffic virtual server. The chapter does not address specific deployments or environments. For additional implementations that address the needs of a particular environment, refer to the BIG-IP® Application Security Manager: Getting Started Guide, which is available in the AskF5 Knowledge Base, http://support.f5.com.
Important: The tasks described in this chapter begin after you have installed the BIG-IP system, and have licensed and provisioned the Application Security Manager. If you have not yet completed these activities, refer to the release notes for additional information.
The first manual configuration task is to define a local traffic pool. The local traffic pool contains the resources that host the web application content that you want to protect with the security policy.
1. On the Main tab, expand Local Traffic, and then click Pools.
   The Pool List screen opens.
2. Click the Create button.
   The New Pool screen opens.
3. In the Name field, type a name for the pool.
4. In the Resources area, for the New Members setting, specify the servers that are to be members of the pool:
   a) In the Address field, type the IP address for the web server or application server that hosts the web application.
   b) In the Service Port field, type the service port number (for example, type 80 for the HTTP service), or select a service name from the list.
   c) Click the Add button to add the resource to the New Members list.
5. Click the Finished button.
   The screen refreshes and the system displays the new pool in the pools list.
The second manual configuration task is to configure an HTTP class. On the Application Security Manager, you use an HTTP class to specify the traffic where the system applies application security before the virtual server forwards the traffic to the web application.
When you manually create an HTTP class, the system automatically creates a default security policy in the Application Security Manager. For more information on HTTP classes, see Chapter 3, Working with HTTP Classes.
1. On the Main tab, expand Local Traffic, point to Profiles, Protocol, then click HTTP Class.
   The HTTP Class screen opens.
2. Click the Create button.
   The New HTTP Class Profile screen opens.
3. In the Name field, type a name for the HTTP class.
4. Select the Custom check box to enable the configuration settings.
5. For Application Security, select Enabled.
7. Click Finished.
   The system adds the class and a security policy (which is unconfigured at this point), and displays the HTTP Class screen.
The next essential configuration task is to define a virtual server on the local area network. The virtual server processes the incoming traffic, which includes applying the HTTP class to incoming HTTP traffic.
Note: If you have a standalone Application Security Manager system, you can optionally create a virtual server as part of creating a security policy using the Deployment wizard.
1. On the Main tab, expand Local Traffic, and then click Virtual Servers.
   The Virtual Server List screen opens.
2. Click the Create button.
   The New Virtual Server screen opens.
3. In the Name field, type a name for the virtual server.
4. For the Destination setting, select Host, and type an IP address.
5. In the Service Port field, type 80. Alternatively, you can select http from the list.
6. In the Configuration area, from the HTTP Profile list, select http.
7. For the Source Address Translation setting, select Auto Map.
   Note: If internal traffic uses a different VLAN from external traffic, you can leave this set to None.
8. In the Resources area, for the HTTP Class Profiles setting, from the Available list, select the HTTP class that you created, and move it into the Enabled list.
9. From the Default Pool list, select the pool that contains the resources you want to secure.
10. Click Finished.
    The Virtual Server List screen opens, where you can see the newly created virtual server.
Note: For virtual servers that load balance resources for a web application that is protected by the Application Security Manager, you must configure an HTTP profile in addition to the HTTP class.
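The pool, HTTP class, and virtual server configured above depend on one another: the virtual server needs an HTTP profile, an enabled HTTP class with Application Security turned on, and a default pool that has members. The following consistency check is an added example, not part of the F5 manual; the inventory layout and every object name and address in it are assumptions constructed for illustration.

```python
# Constructed inventory. The dict layout is an assumption of this example,
# not a BIG-IP export format; all names and addresses are made up.
INVENTORY = {
    "pools": {"app_pool": {"members": ["10.0.0.10:80"]},
              "empty_pool": {"members": []}},
    "http_classes": {"app_class": {"application_security": True},
                     "plain_class": {"application_security": False}},
    "virtual_servers": {
        "vs_ok": {"http_profile": "http", "http_classes": ["app_class"],
                  "default_pool": "app_pool"},
        "vs_no_profile": {"http_profile": None, "http_classes": ["app_class"],
                          "default_pool": "app_pool"},
        "vs_unprotected": {"http_profile": "http", "http_classes": ["plain_class"],
                           "default_pool": "empty_pool"},
    },
}


def audit(inventory):
    """Return {virtual_server_name: [findings]} for the three linked objects."""
    pools = inventory.get("pools", {})
    classes = inventory.get("http_classes", {})
    report = {}
    for name, vs in inventory.get("virtual_servers", {}).items():
        findings = []
        # An HTTP profile is required in addition to the HTTP class.
        if not vs.get("http_profile"):
            findings.append("no HTTP profile selected")
        # The HTTP class is what links the security policy to the traffic.
        enabled = vs.get("http_classes") or []
        unknown = [c for c in enabled if c not in classes]
        if unknown:
            findings.append("unknown HTTP class: " + ", ".join(unknown))
        if not any(classes.get(c, {}).get("application_security") for c in enabled):
            findings.append("no HTTP class with Application Security enabled")
        # The default pool must exist and hold the servers being secured.
        pool = pools.get(vs.get("default_pool"))
        if pool is None:
            findings.append("default pool missing or undefined")
        elif not pool.get("members"):
            findings.append("default pool has no members")
        report[name] = findings
    return report


if __name__ == "__main__":
    for vs_name, problems in audit(INVENTORY).items():
        print(vs_name, "OK" if not problems else "; ".join(problems))
```

A virtual server with an empty findings list has all three links in place; any finding means traffic either fails to reach the application or reaches it without a security policy attached.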
After you have completed the phase one tasks, which set up the local area network, you are ready for the phase two tasks. The phase two tasks include configuring the security policy, and monitoring the security policy.
You build a security policy for a web application using the Deployment wizard. The Deployment wizard automates the fundamental tasks required to initially build and deploy a security policy. The Deployment wizard provides several deployment scenarios, which represent several typical environments that use application security, to guide you through the configuration process.
1. On the Main tab, expand Security, point to Application Security and click Security Policies.
   The Active Policies screen opens.
2. Click Create.
   The Deployment wizard opens.
3. For Local Traffic Deployment Scenario, select the appropriate option:
   Existing Virtual Server
      Select this option if you already created a virtual server. (You will have fewer steps to complete.)
   New Virtual Server
      Select this if you want to create a new virtual server.
4. Click Next.
HTTP
If you select HTTP, you are only required to specify one existing virtual server.
HTTPS
If you select HTTPS, you are only required to specify one existing virtual server.
HTTP and HTTPS
If you select HTTP and HTTPS, you are required to specify two existing virtual servers. Both servers are associated with the security policy.
6. For Virtual Server Name, type the name of the virtual server to create, or if using an existing one, select it from the HTTP Virtual Server list.
7. For HTTP(S) Virtual Server Destination, specify the virtual server or servers.
   a) Select Host to specify a single IP address, or Network for a range of IP addresses.
   b) In the Address field, type the IP address for the web server or application server that hosts the web application, or select an existing node from the list.
   c) In the Service Port field, type the service port number (for example, type 80 for the HTTP service), or select a service name from the list.
8. If using the HTTPS protocol, select an SSL profile for either the client or server.
   An SSL Profile for the client is used between the BIG-IP and the user browser, while an SSL Profile for the server is used between the BIG-IP and the server.
9. For the HTTP(S) Pool Member setting, specify the IP address of the back-end server and the port on which the back-end web application is listening.
   a) Select the option that indicates whether you are creating a new node or using an existing one from the node list.
   b) In the Address field, type the external IP address of the back-end server.
   c) If specifying a network address, for Mask, type the mask that represents the range.
   d) In the Service Port field, type the service port number (for example, type 80 for the HTTP service), or select a service name from the list.
10. Click Next.
    The Select Deployment Scenario screen opens.
11. For the Deployment Scenario setting, select the appropriate option:
    Create a policy automatically
       Select this option if you want the system to build a security policy by examining production or QA traffic.
    Create a policy manually or use templates
       Select this option for rapid deployment or to create a security policy from a security policy template.
    Create a policy for XML and web services manually
       Select this option to protect a web service or XML application.
       Important: If you choose the Create a policy for XML and web services manually scenario, make sure that you assign either the /Common/Log all requests logging profile, or a different logging profile that logs all requests, to the virtual server in order to deploy the policy successfully.
    Create a policy using third party vulnerability assessment tool output
       Select this option to build a security policy automatically based on the vulnerabilities found by a tool like WhiteHat Sentinel, IBM AppScan, Cenzic Hailstorm, or QualysGuard.
12. Follow through the screens of the wizard. The options differ slightly depending on the option you choose.
    The Description area of each wizard screen provides additional information about the screen. The online help describes each of the options on the screen.
For more information about running the Deployment wizard for a specific deployment scenario, refer to the BIG-IP® Application Security Manager: Getting Started Guide, which is available on the AskF5 web site, http://support.f5.com.
The Application Security Manager provides many reporting and monitoring tools, so that you can view and analyze the violations that the system detects in the traffic passing through the web application. By actively using the reporting and monitoring tools, you can make sure that your web applications are fully protected.
1. On the Main tab, expand Security and click Reporting.
   The Application Charts screen opens.