Manual Chapter: Creating a Security Policy for XML Applications

Overview: Creating a security policy for web services

Use the Application Security Manager™ to create a security policy for a web application that uses XML formatting or web services. The security policy can verify XML format, and validate XML document integrity against a WSDL or XSD file. The security policy can also handle encryption and decryption for web services.

The Deployment wizard guides you through the steps required to create a security policy to protect web services or XML transactions.

Considerations for developing XML security

Before you get started, you need to understand a bit about the application you are developing a security policy for. For example, you need to know the answers to the following questions:

  • Does the web application use a WSDL or XML schema (XSD) file to validate the XML documents? Some web services use a WSDL or XML schema document to validate whether the incoming traffic complies with XML language rules. If the application uses a WSDL or XSD file, you need a copy of the file.
  • Does the application use a URL or parameter to point to the server that you want to protect? You need to know the URLs or parameters that the application uses.
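As an added worked example (not F5 code and not part of this manual), the following Python script answers the two questions above from a WSDL file: it lists the operations, SOAPActions and endpoint URL paths the WSDL declares, and checks that the file is declared as UTF-8 (the upload prerequisite stated later in this chapter). The WSDL, service name, hostname and SOAPActions are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# WSDL 1.1 and SOAP binding namespaces used by findall() below.
NS = {
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",
    "soap": "http://schemas.xmlsoap.org/wsdl/soap/",
}

# Constructed sample WSDL for a fictitious order service (not a real service).
SAMPLE_WSDL = b"""<?xml version="1.0" encoding="UTF-8"?>
<definitions name="OrderService"
    targetNamespace="http://example.invalid/orders"
    xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:tns="http://example.invalid/orders">
  <portType name="OrderPortType">
    <operation name="CreateOrder"/>
    <operation name="GetOrderStatus"/>
  </portType>
  <binding name="OrderBinding" type="tns:OrderPortType">
    <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="CreateOrder">
      <soap:operation soapAction="urn:orders:CreateOrder"/>
    </operation>
    <operation name="GetOrderStatus">
      <soap:operation soapAction="urn:orders:GetOrderStatus"/>
    </operation>
  </binding>
  <service name="OrderService">
    <port name="OrderPort" binding="tns:OrderBinding">
      <soap:address location="https://orders.example.invalid/ws/orders"/>
    </port>
  </service>
</definitions>
"""


def declared_encoding(wsdl_bytes):
    """Return the encoding named in the XML declaration (XML defaults to UTF-8)."""
    head = wsdl_bytes[:256].decode("ascii", "replace")
    match = re.search(r'encoding=["\']([^"\']+)["\']', head)
    return match.group(1).upper() if match else "UTF-8"


def inventory_wsdl(wsdl_bytes):
    """Summarise operations, SOAPActions and endpoint URLs declared in a WSDL 1.1 file."""
    if declared_encoding(wsdl_bytes) != "UTF-8":
        raise ValueError("WSDL must use UTF-8 character encoding")
    root = ET.fromstring(wsdl_bytes)
    operations = sorted(
        op.get("name") for op in root.findall("wsdl:portType/wsdl:operation", NS)
    )
    actions = {}
    for op in root.findall("wsdl:binding/wsdl:operation", NS):
        soap_op = op.find("soap:operation", NS)
        actions[op.get("name")] = soap_op.get("soapAction") if soap_op is not None else None
    endpoints = []
    for addr in root.findall("wsdl:service/wsdl:port/soap:address", NS):
        url = urlparse(addr.get("location"))
        # Scheme and path are what an allowed-URL entity in the policy distinguishes.
        endpoints.append({"scheme": url.scheme, "host": url.hostname, "path": url.path})
    return {"operations": operations, "soap_actions": actions, "endpoints": endpoints}
```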

Creating a security policy for web services

Before you can create a security policy using ASM™, you need to complete the basic BIG-IP® system configuration tasks including creating a VLAN, a self IP address, and other tasks according to the needs of your networking environment.
Application Security Manager™ can help create a security policy that is tailored to protect a web services application. The Deployment Wizard guides you through the tasks required.
  1. On the Main tab, click Security > Application Security > Security Policies > Active Policies. The Active Policies screen opens.
  2. Click the Create button. The Deployment Wizard opens to the Select Local Traffic Deployment Scenario screen.
  3. For the Local Traffic Deployment Scenario setting, specify a virtual server to use for the security policy.
    • Select Existing Virtual Server and click Next to use an existing virtual server (as long as it does not have an HTTP Class profile associated with it).
    • Select New Virtual Server and click Next to create a new virtual server and pool with basic configuration settings.
    The virtual server represents the web application you want to protect. The system automatically creates an HTTP class profile and a security policy with the same name as the virtual server. The Configure Local Traffic Settings screen opens.
  4. Configure the new or existing virtual server, and click Next. The Select Deployment Scenario screen opens.
  5. For Deployment Scenario, click Create a policy for XML and web services manually and click Next. The Configure Security Policy Properties screen opens.
  6. From the Application Language list, select the language encoding of the application, then click Next.
    Important: You cannot change this setting after you have created the security policy.
  7. If the application is not case-sensitive, clear the Security Policy is case sensitive check box. Otherwise, leave it selected.
    Important: You cannot change this setting after you have created the security policy.
  8. If you do not want the system to distinguish URLs by protocol, clear the Differentiate between HTTP and HTTPS URLs check box.
  9. Click Next. The Configure Attack Signatures screen opens.
  10. To configure attack signatures, move the systems used by your web application from the Available Systems list into the Assigned Systems list. The system adds the attack signatures needed to protect the selected systems.
  11. Retain the default value of Enabled for the Signature Staging setting. New and updated attack signatures remain in staging for seven days.
  12. Click Next. The Security Policy Configuration Summary screen opens.
  13. Review the settings for the security policy. When you are satisfied with the security policy configuration, click Finish. The system creates the security policy, and the Create New XML Profile screen opens and displays the message: The initial configuration of the web application is complete. You can now create a new XML profile.
The Deployment Wizard creates the security policy. You can now configure the security policy for XML validation.
If your application has no WSDL or XML schema validation, create a basic XML profile. If the application uses a WSDL file, create an XML profile with WSDL validation. If the application uses an XML schema file, create an XML profile with XML schema validation.

Creating a basic XML profile

Before you can complete this task, you must have created a security policy using the Deployment wizard option, Create a policy for XML and web services manually.
If your web service includes XML data (without WSDL or schema validation), follow these steps to create a basic XML profile that defines the formatting and attack pattern checks for the security policy. You associate the XML profile with a URL or parameter.
  1. If you are on the Create New XML Profile screen, skip to step 2. If not, at the top of the screen, click the Create new XML profile link. The Create New XML Profile screen opens.
  2. For Profile Name, type a unique name.
  3. Select the Use XML Blocking Response Page check box to send an XML response page when the security policy blocks a request that contains XML content that does not comply with this XML profile.
  4. To allow SOAP messages to have attachments, select the Allow Attachments in SOAP Messages check box.
  5. In the Defense Configuration area, for Defense Level, select High (the default value), Medium, or Low to specify the level of protection the security policy provides for XML applications and services. The system determines the defense configuration settings. You can review the settings by selecting Advanced next to Defense Configuration.
  6. Click Create. The Associate XML Profile screen opens.
  7. For the Associate XML Profile setting, specify whether to associate the XML profile with a URL or a parameter:
    Option       Description
    URL          Validates XML data found in requests to this URL.
    Parameter    Validates XML data in a parameter. You also select the parameter level:
                 Global Parameter specifies that this is a global parameter that has no association with URLs.
                 URL Parameter specifies that this parameter is associated with a specific URL, a protocol (HTTP or HTTPS), and a target URL path.


  8. Click Next. The New Allowed URL or Add Parameter screen opens, depending on which entity you choose to associate with the XML profile.
  9. Create the URL or parameter to associate with the XML profile. Your steps depend on which option you selected.
    Option             Description
    URL                Type the explicit URL or wildcard URL that represents the web application, and click Next.
    Global Parameter   Type the name of the parameter, and click Create.
    URL Parameter      Type the explicit URL or wildcard URL that represents the web application, and click Next. Then type the name of the parameter, and click Create.

    The system creates the URL or parameter and displays the list of entities.
The system automatically associates the XML profile with the URL, global parameter, or URL parameter.
Next, you can review the status of the security policy you created.

Creating an XML profile with WSDL validation

Before you can complete this task, you must have created a security policy using the Deployment wizard option, Create a policy for XML and web services manually. Ensure that you have the WSDL file you want to use for validation. The WSDL file must comply with W3C XML schema specifications and use UTF-8 character encoding.
Follow these steps to include a WSDL document in an XML profile. The resulting security policy can then enforce the allowed (or disallowed) methods and URLs.
  1. If you are on the Create New XML Profile screen, skip to step 2. If not, at the top of the screen, click the Create new XML profile link. The Create New XML Profile screen opens.
  2. For Profile Name, type a unique name.
  3. Select the Use XML Blocking Response Page check box to send an XML response page when the security policy blocks a request that contains XML content that does not comply with this XML profile.
  4. In the Validation Configuration area, for the File option of the Configuration Files setting, click Browse and navigate to the WSDL document.
  5. Click Upload. The screen lists the uploaded file.
  6. If the imported file references another URL (and the setting is available), for Import URL, type the URL.
  7. To allow SOAP messages to have attachments, select the Allow Attachments in SOAP Messages check box.
  8. In the Defense Configuration area, for Defense Level, select High (the default value), Medium, or Low to specify the level of protection the security policy provides for XML applications and services. The system determines the defense configuration settings. You can review the settings by selecting Advanced next to Defense Configuration.
  9. Click Create. In most cases, the system automatically associates a URL or parameter with the application based on the WSDL file. If the XML Profiles screen opens, you are done creating the profile. Otherwise, the Associate XML Profile screen opens, and you can continue with the next step.
  10. For the Associate XML Profile setting, specify whether to associate the XML profile with a URL or a parameter:
    Option       Description
    URL          Validates XML data found in requests to this URL.
    Parameter    Validates XML data in a parameter. You also select the parameter level:
                 Global Parameter specifies that this is a global parameter that has no association with URLs.
                 URL Parameter specifies that this parameter is associated with a specific URL, a protocol (HTTP or HTTPS), and a target URL path.


  11. Click Next. The New Allowed URL or Add Parameter screen opens, depending on which entity you choose to associate with the XML profile.
  12. Create the URL or parameter to associate with the XML profile. Your steps depend on which option you selected.
    Option             Description
    URL                Type the explicit URL or wildcard URL that represents the web application, and click Next.
    Global Parameter   Type the name of the parameter, and click Create.
    URL Parameter      Type the explicit URL or wildcard URL that represents the web application, and click Next. Then type the name of the parameter, and click Create.

    The system creates the URL or parameter and displays the list of entities.
The security policy includes the XML profile with WSDL validation.
Next, you can review the status of the security policy you created.

Creating an XML profile with XML schema validation

Before you can complete this task, you must have created a security policy using the option Create a policy for XML and web services manually. You need to have the XML schema file you want to use for validation, and it must comply with W3C XML schema specifications and use UTF-8 character encoding.
Follow these steps to incorporate the schema file into the XML profile.
  1. If you are on the Create New XML Profile screen, skip to step 2. If not, at the top of the screen, click the Create new XML profile link. The Create New XML Profile screen opens.
  2. For Profile Name, type a unique name.
  3. Select the Use XML Blocking Response Page check box to send an XML response page when the security policy blocks a request that contains XML content that does not comply with this XML profile.
  4. In the Validation Configuration area, for the Configuration Files setting File option, click Browse to navigate to the XML schema file (.xsd), then click Upload.
  5. If the imported file references another URL (and the setting is available), for Import URL, type the URL.
  6. To allow SOAP messages to have attachments, select the Allow Attachments in SOAP Messages check box.
  7. In the Defense Configuration area, for Defense Level, select High (the default value), Medium, or Low to specify the level of protection the security policy provides for XML applications and services. The system determines the defense configuration settings. You can review the settings by selecting Advanced next to Defense Configuration.
  8. Click Create. The Associate XML Profile screen opens.
  9. For the Associate XML Profile setting, specify whether to associate the XML profile with a URL or a parameter:
    Option       Description
    URL          Validates XML data found in requests to this URL.
    Parameter    Validates XML data in a parameter. You also select the parameter level:
                 Global Parameter specifies that this is a global parameter that has no association with URLs.
                 URL Parameter specifies that this parameter is associated with a specific URL, a protocol (HTTP or HTTPS), and a target URL path.


  10. Click Next. The New Allowed URL or Add Parameter screen opens, depending on which entity you choose to associate with the XML profile.
  11. Create the URL or parameter to associate with the XML profile. Your steps depend on which option you selected.
    Option             Description
    URL                Type the explicit URL or wildcard URL that represents the web application, and click Next.
    Global Parameter   Type the name of the parameter, and click Create.
    URL Parameter      Type the explicit URL or wildcard URL that represents the web application, and click Next. Then type the name of the parameter, and click Create.

    The system creates the URL or parameter and displays the list of entities.
The security policy includes the XML profile with XML schema validation.
Next, you can review the status of the security policy you created.

Reviewing the status of an XML security policy

Before you can complete this task, you must create a security policy using the option Create a policy for XML and web services manually, and traffic must be flowing to the application through the BIG-IP® system.
You can monitor the general progress of the XML security policy created using the Deployment Wizard. The system processes the traffic to gather information needed to create the security policy, and displays messages about its progress.
  1. On the Main tab, click Security > Application Security > Security Policies > Active Policies. The Active Policies screen opens.
  2. Click the security policy name. The Properties screen opens.
  3. Review the messages in the identification and messages area to learn about the security policy status.
    Status message:
      The initial configuration of the security policy is complete. Checking to see if ASM is detecting traffic.
    Description:
      The Application Security Manager™ is parsing and analyzing received requests. Allow the system several minutes to analyze requests.

    Status message:
      The ASM did not detect any traffic.
    Description:
      Verify the networking configuration (check the VLAN, self IP address, pool, HTTP class, and virtual server).

    Status message:
      ASM detected traffic successfully. Waiting for a minimum of 10000 requests and at least one hour from running the wizard for the name security policy. The ASM detected n requests during x hours and y minutes.
    Description:
      Application Security Manager detected traffic and will sample requests until it processes at least 10,000 requests, and at least one hour has passed since you started the Deployment wizard.

    Status message:
      Processing XML violations for at least one hour for the name security policy. The ASM found n new XML violations during xx minutes and yy seconds.
    Description:
      After successfully detecting traffic and sampling requests, the Application Security Manager processes XML violations. Based on what it finds in the traffic sample and the violations, Application Security Manager automatically adjusts security policy settings to match the traffic and eliminate false positives. The system samples requests for at least one hour.

    Status message:
      The system did not detect any new XML violations over the last hour for the name security policy. You can now go to the Traffic Learning page to fine-tune the security policy.
    Description:
      For at least an hour, none of the traffic going to or from the application has caused XML violations. When you see this message, you can fine-tune the security policy.

    Status message:
      Timed out while waiting for sufficient number of requests for the security policy. Checking XML violations status.
    Description:
      The system processed insufficient traffic to finish building the security policy. Check to be sure that traffic can access the web application.

Fine-tuning an XML security policy

Before you can complete this task, you must have created a security policy using the web services deployment scenario, and have seen the message:

The system did not detect any new XML violations over the last hour

When no XML violations have occurred for at least an hour, the security policy includes learning suggestions based on the traffic. You can evaluate each suggestion and decide whether to add it to the security policy.
  1. In the identification and messages area of the screen, click the Traffic Learning link.
    Tip: If you do not see the link, click Security > Application Security > Policy Building > Manual Traffic Learning.
    The Traffic Learning screen opens, and lists violations that the system has found based on real traffic.
  2. In the Traffic Learning area, click on each violation to review the details of the learning suggestions. By default, a security policy is put into an enforcement readiness period for seven days. During this time, you can examine learning suggestions and adjust the security policy without blocking traffic.
  3. On the Manual Traffic Learning screen, review the violations and consider whether you want to permit any of them (for example, if a violation is causing false positives). Select any violations you do not want the security policy to trigger, and click Disable Violation. A popup screen opens, and you can verify that you want to disable the violations or cancel the action.
  4. To activate the updated security policy, at the top right of the screen, click Apply Policy, and then click OK to confirm.
The security policy includes elements unique to your web service or XML application but it is not blocking the requests that cause violations.

Enforcing a security policy

To perform enforcement tasks, the security policy must be operating in transparent mode, and created manually. Traffic should be moving through Application Security Manager™, allowing users to access the web application for which you set up the security policy.
When you enforce a security policy, the system blocks requests that cause violations that are set to block.
  1. On the Main tab, click Security > Application Security > Blocking > Settings. The Settings screen opens.
  2. In the Current edited policy list, verify that the edited security policy is the one you want to work on.
  3. For each violation, review the settings so you understand how the security policy handles requests that cause the violation.
    Option   Description
    Learn    If selected, the system generates learning suggestions for requests that trigger the violation.
    Alarm    If selected, the system records requests that trigger the violation in the Charts screen, the system log (/var/log/asm), and possibly in local or remote logs (depending on the settings of the logging profile).
    Block    If selected (and the enforcement mode is set to Blocking), the system blocks requests that trigger the violation.
  4. For the Enforcement Mode setting, select Blocking.
  5. Click Save.
  6. In the editing context area, click the Current edited policy link. The Properties screen opens.
  7. To change the number of days the security policy remains in staging, change the value in the Enforcement Readiness Period field. The security policy does not block traffic during the enforcement readiness period even if violations occur. If you want to immediately block traffic that causes violations, set the value of this field to 0. For details, see the online help.
  8. Click Save.
  9. In the editing context area, click Apply Policy to immediately put the changes into effect.
  10. For a quick summary of system activity, look at the Overview screen (Security > Overview > Summary).
After the enforcement readiness period is over and the enforcement mode is set to Blocking, the security policy no longer allows requests that cause violations set to block to reach the back-end resources. Instead, the security policy blocks the request and sends the blocking response page to the client.
