Manual Chapter: Using Vulnerability Assessment Tools for a Security Policy

Overview: Vulnerability assessment policy building

Application Security Manager™ (ASM) integrates with services, such as IBM® Rational® AppScan®, Cenzic® Hailstorm®, and QualysGuard®, as well as WhiteHat Sentinel, that perform vulnerability assessments of web applications. Vulnerability assessment services identify, classify, and report potential security holes or weaknesses in the code of your web site.

You can use the vulnerability assessment deployment scenario to create a baseline security policy that is integrated with a vulnerability assessment tool. By using vulnerability assessment tool output, the system suggests updates to the security policy that can protect against the vulnerabilities that the tool found. You can choose which of the vulnerabilities you want the security policy to handle, retest to be sure that the security policy protects against the vulnerabilities, then enforce the security policy when you are ready.

If you have an existing security policy that was created using a different deployment scenario, you can also incorporate use of a vulnerability assessment tool with that policy.

Creating a security policy using vulnerability assessment tool output

To integrate vulnerability assessment tool output with Application Security Manager™ (ASM), you need recent scanner output for the web application that you want to protect, in the form of an XML file.

Before you can create a security policy using ASM™, you need to complete the basic BIG-IP® system configuration tasks including creating a VLAN, a self IP address, and other tasks, according to the needs of your networking environment.

Vulnerability assessment tools scan web applications to identify security threats. You can use the resulting scanner output to create a baseline security policy.
  1. On the Main tab, click Security > Application Security > Security Policies > Active Policies. The Active Policies screen opens.
  2. Click the Create button. The Deployment Wizard opens to the Select Local Traffic Deployment Scenario screen.
  3. For the Local Traffic Deployment Scenario setting, specify a virtual server to use for the security policy.
    • Select Existing Virtual Server and click Next to use an existing virtual server (as long as it does not have an HTTP Class profile associated with it).
    • Select New Virtual Server and click Next to create a new virtual server and pool with basic configuration settings.
    The virtual server represents the web application you want to protect. The system automatically creates an HTTP class profile and a security policy with the same name as the virtual server. The Configure Local Traffic Settings screen opens.
  4. Configure the new or existing virtual server, and click Next. The Select Deployment Scenario screen opens.
  5. For Deployment Scenario, select Create a policy using third-party vulnerability assessment tool output and click Next.
  6. From the Application Language list, select the language encoding of the application, leave the other settings at their default values, and click Next.
    Important: You cannot change this setting after you select the language encoding and have finished running the Deployment Wizard.
    The Vulnerability Assessments Settings screen opens.
  7. From the Vulnerability Assessment Tool list, select the vulnerability assessment tool that you use to scan your web application for problems.
  8. For the Configure exceptions for the scanner IP Address setting, specify any IP addresses that you want the security policy to allow, and how to deal with them.
    1. Type the IP address and netmask of the scanner.
    2. Select the appropriate check boxes for learning suggestions, logging, and blocking traffic from this IP address.
  9. Click Next. The Security Policy Configuration Summary screen opens.
  10. Review the settings for the security policy. When you are satisfied with the security policy configuration, click Finish. The system creates the security policy and opens the Import Vulnerabilities screen specific to the vulnerability assessment tool you are using.
  11. In the Import previously saved vulnerabilities file field, type the name of the XML file output from the vulnerability assessment tool, or browse to the file. If using the Cenzic vulnerability assessment tool, additional settings allow you to connect to an existing Cenzic Cloud account, create a trial account, and request a new scan. Refer to the online help for details about the settings.
  12. Click Import. The system imports the vulnerabilities file to the Application Security Manager.
The system creates a baseline security policy for your web application but does not yet protect against the vulnerabilities or enforce the policy.
Review and resolve vulnerabilities on the Vulnerabilities screen, so that the security policy protects against them.

Adding vulnerability assessment to an existing security policy

To integrate vulnerability assessment tool output with a security policy, you need recent scanner output for the web application you want to protect, in the form of an XML file.
You can integrate a vulnerability assessment tool into an existing security policy, to incorporate the assessment results into the policy.
  1. On the Main tab, click Security > Application Security > Vulnerability Assessments > Settings. The Vulnerability Assessments Settings screen opens.
  2. From the Vulnerability Assessment Tool list, select the vulnerability assessment tool that you want to use to scan your web application for problems.
    Important: You cannot change the vulnerability assessment tool for a security policy after you import vulnerabilities.
  3. Click Save.
  4. On the menu bar, click Import Vulnerabilities. The Import Vulnerabilities screen opens.
  5. In the Import previously saved vulnerabilities file field, type the name of the XML file output from the vulnerability assessment tool, or browse to the file. If using the Cenzic vulnerability assessment tool, additional settings allow you to connect to an existing Cenzic Cloud account, create a trial account, and request a new scan. Refer to the online help for details about the settings.
  6. Click Import. The system imports the vulnerabilities file to the Application Security Manager.
  7. In the editing context area, click Apply Policy to immediately put the changes into effect.
The system associates the vulnerability assessment tool with the security policy, and imports the vulnerabilities.
Review and resolve vulnerabilities on the Vulnerabilities screen, so that the security policy protects against them.

Resolving vulnerabilities

Before you can resolve vulnerabilities for a security policy, the security policy must be associated with a vulnerability assessment tool, and have the vulnerabilities file imported to it.
When you resolve vulnerabilities detected by third-party scanners, Application Security Manager™ (ASM™) configures the security policy to protect against them.
  1. On the Main tab, click Security > Application Security > Vulnerability Assessments. The Vulnerabilities screen opens.
  2. In the Current edited policy list, verify that the edited security policy is the one you want to work on.
  3. In the Vulnerabilities Found and Verified area, review the vulnerabilities that the assessment tool has detected and verified.
    Tip: Click a row in the table to display details about the vulnerability.
  4. For the vulnerabilities that are shown as Resolvable, select the vulnerabilities you want the system to resolve (or ignore), and click the appropriate button.
    Resolve and Stage: Updates the security policy to protect against the vulnerability and puts parameters in staging. Entities in staging do not cause violations, which allows you to fine-tune their settings without causing false positives.
    Resolve: Updates the security policy to protect against the vulnerability.
    Ignore: Changes the ASM Status of the selected vulnerability from Pending to Ignore. If you later decide to protect against this vulnerability, select it and click Cancel Ignore.
    BIG-IP® ASM reviews the prerequisites and then displays a list of the changes it will make to fix the vulnerability.
  5. If you agree with the changes, click Resolve. ASM modifies the security policy to protect against the vulnerabilities that you chose to Resolve and ignores the rest. In the Vulnerabilities list, the ASM Status column for the vulnerability changes to Mitigated, if appropriate.
  6. Click Apply Policy to save the changes to the security policy. The system updates the security policy to prevent the handled vulnerabilities from reoccurring.
  7. If using WhiteHat Sentinel, select all of the vulnerabilities you dealt with and click Retest to have the WhiteHat Sentinel service verify whether the vulnerability still exists.
The security policy for your web application protects against the vulnerabilities that the vulnerability assessment tool discovered and which you resolved.
You can also review vulnerabilities that ASM cannot resolve automatically, and update the security policy manually to protect against them.

Fine-tuning a security policy

After you create a security policy, the system provides learning suggestions concerning additions to the security policy based on the traffic that is accessing the application. For example, you can have users or testers browse the web application. By analyzing the traffic to and from the application, Application Security Manager™ generates learning suggestions or ways to fine-tune the security policy to better suit the traffic and secure the application.

Note: If you are using the Policy Builder to add elements to the security policy, you can skip this task.
  1. On the Main tab, click Security > Application Security > Policy Building > Manual Traffic Learning. The Manual Traffic Learning screen opens, and lists violations and learning suggestions that the system has found based on real traffic.
  2. In the Traffic Learning area, click each violation to review the details of its learning suggestions. By default, a security policy is put into an enforcement readiness period for seven days. During this time, you can examine learning suggestions and adjust the security policy without blocking traffic.
  3. Decide how to handle the learning suggestions.
    Clear: Select a learning suggestion, and click Clear. The system removes the learning suggestion and continues to generate suggestions for that violation.
    Clear All: To remove all existing learning suggestions from the list, regardless of whether you have selected any of them, click Clear All.
    Cancel: Click Cancel to return to the Manual Traffic Learning screen.
  4. On the Manual Traffic Learning screen, review the violations and consider whether you want to permit any of them (for example, if a violation is causing false positives). Select any violations you do not want the security policy to trigger, and click Disable Violation. A popup screen opens, and you can verify that you want to disable the violations or cancel the action.
  5. To activate the updated security policy, at the top right of the screen, click Apply Policy, and then click OK to confirm.
  6. To view outstanding tasks for the security policy, on the Main tab, click Security > Overview > Application > Tasks. The Tasks screen opens.
  7. Examine the summary screen for information about recommended tasks that you need to complete.
    1. Review the Tasks to do area, which lists system tasks and security policy tasks that should be completed.
    2. Click the links in the Tasks to do area to go to the screen where you can perform the recommended action.
    3. In the Quick Links area, click any of the links to gain access to common configuration and reporting screens.
The security policy now includes elements unique to your web application.
Periodically review the learning suggestions on the Manual Traffic Learning screen to determine whether the violations are legitimate, or if they are false positives that indicate a need to update the security policy.

Enforcing a security policy

To perform enforcement tasks, the security policy must be operating in transparent mode, and created manually. Traffic should be moving through Application Security Manager™, allowing users to access the web application for which you set up the security policy.
When you enforce a security policy, the system blocks requests that cause violations that are set to block.
  1. On the Main tab, click Security > Application Security > Blocking > Settings. The Settings screen opens.
  2. In the Current edited policy list, verify that the edited security policy is the one you want to work on.
  3. For each violation, review the settings so you understand how the security policy handles requests that cause the violation.
    Learn: If selected, the system generates learning suggestions for requests that trigger the violation.
    Alarm: If selected, the system records requests that trigger the violation in the Charts screen, the system log (/var/log/asm), and possibly in local or remote logs (depending on the settings of the logging profile).
    Block: If selected (and the enforcement mode is set to Blocking), the system blocks requests that trigger the violation.
  4. For the Enforcement Mode setting, select Blocking.
  5. Click Save.
  6. In the editing context area, click the Current edited policy link. The Properties screen opens.
  7. To change the number of days the security policy remains in staging, change the value in the Enforcement Readiness Period field. The security policy does not block traffic during the enforcement readiness period even if violations occur. If you want to immediately block traffic that causes violations, set the value of this field to 0. For details, see the online help.
  8. Click Save.
  9. In the editing context area, click Apply Policy to immediately put the changes into effect.
  10. For a quick summary of system activity, look at the Overview screen (Security > Overview > Summary).
After the enforcement readiness period is over and the enforcement mode is set to Blocking, the security policy no longer lets requests that cause violations set to Block reach the back-end resources. Instead, the security policy blocks the request and sends the blocking response page to the client.
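The following Python model is an added illustration, not BIG-IP ASM code, of how the settings described in this chapter combine for a single request: the scanner IP exception from step 8 of the Deployment Wizard, parameters placed in staging by Resolve and Stage, the per-violation Learn/Alarm/Block flags, the Enforcement Mode, and the Enforcement Readiness Period. The class and field names, and the simplification that a staged entity raises no violation at all, are assumptions made for the demonstration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Per-violation flags from the Blocking > Settings screen (Learn / Alarm / Block).
@dataclass(frozen=True)
class ViolationFlags:
    learn: bool = True
    alarm: bool = True
    block: bool = False

# Scanner IP exception from the Deployment Wizard: the scanner's network plus the
# three check boxes (learning, logging, blocking). Field names are assumptions.
@dataclass(frozen=True)
class ScannerException:
    network: str
    learn: bool = False   # generate learning suggestions for this scanner's traffic?
    log: bool = False     # log (alarm on) its requests?
    block: bool = False   # allow blocking its requests?

@dataclass
class Policy:
    enforcement_mode: str = "transparent"      # "transparent" or "blocking"
    readiness_period_days: int = 7             # Enforcement Readiness Period field
    policy_age_days: int = 0                   # days since the policy was created
    staged_entities: frozenset = frozenset()   # parameters put in staging by Resolve and Stage
    violations: dict = field(default_factory=dict)   # violation name -> ViolationFlags
    scanner_exceptions: tuple = ()

def decide(policy: Policy, client_ip: str, violation: str,
           entity: Optional[str] = None) -> frozenset:
    """Return the actions ASM takes for one request, modelled as {'learn','alarm','block'}."""
    # Entities in staging do not cause violations, so nothing is raised.
    if entity is not None and entity in policy.staged_entities:
        return frozenset()
    flags = policy.violations.get(violation, ViolationFlags())
    actions = set()
    if flags.learn:
        actions.add("learn")
    if flags.alarm:
        actions.add("alarm")
    # Blocking needs the Block flag, Blocking mode, and an expired readiness period
    # (a period of 0 days means block immediately).
    if (flags.block and policy.enforcement_mode == "blocking"
            and policy.policy_age_days >= policy.readiness_period_days):
        actions.add("block")
    # A matching scanner exception then masks off whatever its check boxes disallow.
    addr = ip_address(client_ip)
    for exc in policy.scanner_exceptions:
        if addr in ip_network(exc.network, strict=False):
            allowed = {"learn": exc.learn, "alarm": exc.log, "block": exc.block}
            actions = {a for a in actions if allowed[a]}
    return frozenset(actions)
```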