You can use the Application Security Manager™ to automatically build a security policy that is tailored to your environment. The automatic policy building tool is called the Real Traffic Policy Builder®. The Real Traffic Policy Builder (referred to simply as the Policy Builder) creates a security policy based on settings that you configure using the Deployment wizard, and the characteristics of the traffic going to and from the web application that the system is protecting.
The Deployment wizard provides several different scenarios for creating and deploying security policies. Before you start creating a security policy, review the descriptions of each deployment scenario, to help you decide which one is most appropriate for your organization.
| Deployment scenario | Description |
|---|---|
| Create a policy automatically (recommended) | Develops a security policy for a web application by examining traffic. In this scenario, the Real Traffic Policy Builder® automatically creates the security policy based on statistical analysis of the traffic and the intended behavior of the application. The system stabilizes and enforces the security policy when it processes sufficient traffic over a period of time. |
| Create a policy manually or use templates (advanced) | Uses rapid deployment or an application-ready security policy (pre-configured template) to develop a security policy, or lets you develop a policy manually. The system creates a basic security policy that you can review and fine-tune. When the security policy includes all the protections that you need and does not produce any false positives, you can enforce the security policy. |
| Create a policy for XML and web services manually | Develops a security policy to protect web services or XML applications, such as those that use a WSDL or XML schema document. The system creates the security policy based on your configurations, and provides additional learning suggestions that you can review and fine-tune. When the security policy includes all the protections that you need and does not produce any false positives, you can enforce the Important: This type of policy requires that you either assign the /Common/Log all requests logging profile, or a different logging profile that logs all requests to the virtual server, in order to successfully deploy the policy. |
| Create a policy using third party vulnerability assessment tool output | Creates a security policy by integrating the output from a vulnerability assessment tool, such as WhiteHat Sentinel, IBM® Rational® AppScan®, Cenzic® Hailstorm®, QualysGuard®, or Generic Scanner. Based on the results from an imported vulnerability report, Application Security Manager automatically mitigates the vulnerabilities on your web site. You can also review and fine-tune the policy. When the security policy includes all the protections that you need and does not produce any false positives, you can enforce the security policy. |
| Policy type | Description |
|---|---|
| Fundamental | Creates a security policy that enforces HTTP request protocol compliance, evasion techniques, explicit file types (including length checks), explicit global parameters (if learn explicit entities is enabled), attack signatures, the violation Request Length Exceeds Defined Buffer Size, and host names. |
| Enhanced | Creates a security policy with all the elements of the Fundamental policy type; also adds explicit URLs (if learn explicit entities is enabled) and global parameters (including length checks), checks meta characters in URLs, cookies, and allowed methods, and applies the JSON or XML content profiles (if configured). |
| Comprehensive | Creates a security policy with all the elements of the Fundamental policy type; also checks for meta characters in URLs and parameters, adds explicit URL parameters with length checks (more specific than global parameters), dynamic parameters, cookies, and allowed methods, and applies the JSON or XML content profiles (if configured). |
| Option | Description |
|---|---|
| Fast/High | Use for a small number of requests from a small number of sessions; for example, useful for web sites with less traffic. However, there is a greater chance of adding false entities to the security policy. |
| Medium | Use for a medium number of requests, or if you are not sure about the amount of traffic on the application web site. This is the default setting. |
| Slow/Low | Use for a large number of requests from many sessions; for example, useful for web sites with lots of traffic. This option creates the most accurate security policy, but takes the Policy Builder longer to collect the statistics. |
| Option | Description |
|---|---|
| All | Specifies that the policy trusts all IP addresses. For example, if the traffic is in a corporate lab or pre-production environment where all of the traffic is trusted, the policy is created faster. |
| Address List | Specifies the networks to consider safe. Enter data into the IP Address and Netmask fields, then click Add. This option is typically used in a production environment where traffic could come from untrusted sources. The IP address can be either an IPv4 or an IPv6 address. |
When you finish running the Deployment wizard, you have created a basic security policy to protect your web application. The Real Traffic Policy Builder® starts examining the application traffic, and fine-tunes the security policy using the guidelines you configured.
The Policy Builder builds the security policy as follows:
The Policy Builder automatically discovers and populates the security policy with the policy elements (such as file types, URLs, parameters, and cookies). As the Policy Builder runs, you see status messages in the identification and messages area at the top of the screen. You can monitor general policy building progress, and see the number of elements that are included in the policy.
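To make the learning behaviour described above concrete, here is a toy policy builder written as an added example for this page; it is not F5 code and does not reproduce the product's internals. It extracts file types, URLs and parameter names from constructed request lines and accepts an entity into the policy only after it has been seen from enough distinct sessions. The per-speed thresholds and the lower threshold for trusted networks are assumptions chosen to illustrate why the Fast setting can admit false entities while Slow is more accurate, and why an all-trusted lab environment builds the policy faster.

```python
"""Toy automatic policy builder (illustration only, not the product's logic).

Entities (file types, URLs, parameter names) are learned from request lines and
added to the policy once they have been presented by enough distinct sessions.
"""
import ipaddress
import posixpath
from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlsplit

# Hypothetical thresholds: distinct sessions required before an entity is
# accepted. The real product's numbers are not given on the page.
SESSION_THRESHOLDS = {"fast": 1, "medium": 3, "slow": 10}
TRUSTED_THRESHOLD = 1  # assumption: a trusted source is believed immediately


@dataclass
class PolicyBuilder:
    speed: str = "medium"
    trusted_networks: list = field(default_factory=list)  # ip_network objects
    # (kind, value) -> set of session ids that presented that entity
    _seen: dict = field(default_factory=lambda: defaultdict(set))
    policy: dict = field(default_factory=lambda: {
        "file_types": set(), "urls": set(), "parameters": set()})

    def is_trusted(self, src_ip: str) -> bool:
        """True if src_ip (IPv4 or IPv6) falls inside any trusted network."""
        addr = ipaddress.ip_address(src_ip)
        return any(addr in net for net in self.trusted_networks)

    def observe(self, session_id: str, src_ip: str, request_line: str) -> None:
        """Record one request and promote entities that reached the threshold."""
        _method, target, _version = request_line.split(" ", 2)
        parts = urlsplit(target)
        ext = posixpath.splitext(parts.path)[1].lstrip(".") or "no_ext"
        entities = [("file_types", ext), ("urls", parts.path)]
        for name, _value in parse_qsl(parts.query, keep_blank_values=True):
            entities.append(("parameters", name))

        threshold = (TRUSTED_THRESHOLD if self.is_trusted(src_ip)
                     else SESSION_THRESHOLDS[self.speed])
        for kind, value in entities:
            sessions = self._seen[(kind, value)]
            sessions.add(session_id)
            if len(sessions) >= threshold:
                self.policy[kind].add(value)


# Constructed sample traffic: (session id, source IP, request line)
SAMPLE_REQUESTS = [
    ("s1", "203.0.113.10", "GET /index.php HTTP/1.1"),
    ("s2", "203.0.113.11", "GET /index.php HTTP/1.1"),
    ("s3", "203.0.113.12", "GET /index.php?lang=en HTTP/1.1"),
    ("s5", "2001:db8::7", "GET /index.php HTTP/1.1"),
    # seen from a single untrusted session only: a probe, not app behaviour
    ("s1", "203.0.113.10", "GET /admin/debug.jsp?cmd=1 HTTP/1.1"),
    # from the (assumed) trusted lab network
    ("s4", "10.0.0.5", "POST /login.php?redirect=/home HTTP/1.1"),
]


def build_policy(speed: str, trusted_cidrs) -> dict:
    """Run the toy builder over SAMPLE_REQUESTS and return the learned policy."""
    builder = PolicyBuilder(
        speed=speed,
        trusted_networks=[ipaddress.ip_network(c) for c in trusted_cidrs])
    for session_id, src_ip, line in SAMPLE_REQUESTS:
        builder.observe(session_id, src_ip, line)
    return builder.policy


if __name__ == "__main__":
    for speed in ("fast", "medium", "slow"):
        print(speed, build_policy(speed, ["10.0.0.0/8"]))
```

Run it and compare the three speeds: at Medium the `/index.php` URL and the `php` file type are learned from several sessions, `/login.php` and `redirect` are learned at once because they came from the trusted 10.0.0.0/8 range, while the single-session `/admin/debug.jsp` probe and its `cmd` parameter stay out of the policy; at Fast every entity, including the probe, is admitted.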
When you create a security policy using automatic policy building, it has the following characteristics:
| Status | Description |
|---|---|
| Enabled | The system is configured to automatically build a security policy, and the Policy Builder is processing traffic. |
| Disabled | The system is not processing traffic. Check the automatic policy building configuration. |
| Detecting Language | The system is still configuring the language after analyzing responses to identify the language of the web application. The Policy Builder is enabled, but it cannot add elements to the security policy until the language is set. |
The Application Security Manager™ provides additional security protections that you can manually configure for a security policy.
| Feature | Description |
|---|---|
| Brute force attack prevention | Protects the system against illegal login attempts where an attacker tries to log in to a URL numerous times, running many combinations of user names and passwords, until the intruder successfully logs in. |
| Web scraping detection | Mitigates web scraping (web data extraction) on web sites by attempting to determine whether a web client source is human. |
| CSRF protection | Prevents cross-site request forgery (CSRF), where a user is forced to perform unwanted actions on a web application where the user is currently authenticated. |
| Sensitive data masking (Data Guard) | Protects sensitive data in responses, such as a credit card number, U.S. Social Security number, or custom pattern. |
| Anti-virus protection through an ICAP server | Configures the system as an Internet Content Adaptation Protocol (ICAP) client so that an external ICAP server can inspect HTTP file uploads for viruses before releasing the content to the web server. |
| Geographic access restrictions | Prevents access to the protected application from specified countries. |
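The Data Guard row above describes masking of credit card numbers, U.S. Social Security numbers and custom patterns in responses. The following is an added example of how such response masking can be implemented; it is not F5's Data Guard code, and the regular expressions, the Luhn pre-check used to avoid masking ordinary long numeric identifiers, and the `ACCT-` custom pattern are all assumptions made for the illustration.

```python
"""Response-body masking in the style of Data Guard (illustration only).

Credit card candidates are 13-19 digits with optional space/dash separators;
a Luhn check reduces false positives on order numbers and similar identifiers.
"""
import re

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_cards(text: str) -> str:
    """Replace every digit of Luhn-valid card numbers with '*'."""
    def repl(match: "re.Match") -> str:
        raw = match.group(0)
        if not luhn_ok(re.sub(r"\D", "", raw)):
            return raw          # not a card number: leave the identifier alone
        return re.sub(r"\d", "*", raw)
    return CARD_RE.sub(repl, text)


def mask_ssn(text: str) -> str:
    """Replace U.S. SSNs (NNN-NN-NNNN) with a fixed mask."""
    return SSN_RE.sub("***-**-****", text)


def mask_custom(text: str, patterns) -> str:
    """Mask each match of the caller's custom regexes with same-length '*'."""
    for pattern in patterns:
        text = re.compile(pattern).sub(lambda m: "*" * len(m.group(0)), text)
    return text


def data_guard(text: str, custom_patterns=()) -> str:
    """Apply card, SSN and custom-pattern masking to a response body."""
    return mask_custom(mask_ssn(mask_cards(text)), custom_patterns)


# Constructed sample response body: a real-format test card number, an SSN,
# a 16-digit order number that is not a card, and a hypothetical account id.
SAMPLE_BODY = ("Card 4111 1111 1111 1111 on file for SSN 123-45-6789; "
               "order 1234567890123456 linked to ACCT-123456.")

if __name__ == "__main__":
    print(data_guard(SAMPLE_BODY, custom_patterns=[r"ACCT-\d{6}"]))
```

The order number survives because it fails the Luhn check, which is exactly the kind of false-positive control you want before a masking feature touches production responses; a custom pattern, on the other hand, is masked wherever it matches, so keep such patterns as specific as the data allows.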