The Deployment wizard provides several different scenarios for creating and deploying security policies. Before you start creating a security policy, review the descriptions of each deployment scenario to help you decide which one is most appropriate for your organization.
| Deployment scenario | Description |
|---|---|
| Create a security policy automatically (recommended) | Develops a security policy for a web application by examining traffic. In this scenario, the Real Traffic Policy Builder® automatically creates the security policy based on statistical analysis of the traffic and the intended behavior of the application. The system stabilizes and enforces the security policy when it processes sufficient traffic over a period of time. You also have the option of modifying the policy manually to speed up policy creation. |
| Create a security policy manually or use templates (advanced) | Uses rapid deployment or an application-ready security policy (pre-configured template) to develop a security policy, or lets you develop a policy manually. The system creates a basic security policy that you can review and fine-tune. When the security policy includes all the protections that you need and does not produce any false positives, you can enforce the security policy. |
| Create a security policy for XML and web services manually | Develops a security policy to protect web services or XML applications, such as those that use a WSDL or XML schema document. The system creates the security policy based on your configuration and provides additional learning suggestions that you can review and fine-tune. When the security policy includes all the protections that you need and does not produce any false positives, you can enforce the security policy. |
| Create a security policy using third party vulnerability assessment tool output | Creates a security policy by integrating the output from a vulnerability assessment tool, such as WhiteHat Sentinel, IBM® AppScan®, Cenzic® Hailstorm®, Qualys, Quotium Seeker, HP WebInspect, or a generic scanner if you use another tool. Based on the results from an imported vulnerability report, Application Security Manager™ creates a policy that automatically mitigates the vulnerabilities on your web site. You can also review and fine-tune the policy. When the security policy includes all the protections that you need and does not produce any false positives, you can enforce the security policy. |
You can use the Application Security Manager™ to help you build a security policy that is tailored to your environment. The automatic policy building tool is called the Real Traffic Policy Builder®. The Real Traffic Policy Builder (referred to simply as the Policy Builder) adds suggestions for creating a security policy based on the settings that you configure using the Deployment wizard and on the characteristics of the traffic going to and from the web application that the system is protecting. If you use automatic learning, the system implements the learning suggestions and automatically builds the policy once sufficient traffic and time have passed. If you use manual learning, you review the suggestions and develop the policy yourself by adding the policy elements and features you want.
| Policy type | Description |
|---|---|
| Fundamental | Creates a security policy enforcing HTTP protocol compliance, evasion techniques, explicit file types (including length checks), explicit parameters in selective mode at the global level, attack signatures, the violation Request Length Exceeds Defined Buffer Size, host names, header lengths, cookie lengths, the violation Failed to Convert Character, and learning of explicit redirection domains. |
| Enhanced | Creates a security policy with all the elements of the Fundamental policy type; also checks for explicit URLs in selective mode plus meta characters, explicit parameter length checks in selective mode at the global level, methods, explicit cookies, and content profiles. If you track user login sessions or use brute force protection, this is the recommended policy type. |
| Comprehensive | Creates a security policy with all the elements of the Enhanced policy type; also checks for explicit URLs and meta characters, explicit parameters and lengths at the URL level, parameter meta characters, and dynamic parameters. |
| Learning speed | Description |
|---|---|
| Fast | Use if your application supports a small number of requests from a small number of sessions; for example, this is useful for web sites with less traffic. Policy Builder requires fewer unique traffic samples to make decisions in Automatic Learning Mode, or to reach a high learning score. However, choosing this option presents a greater chance of adding false entities to the security policy. |
| Medium | Use if your application supports a medium number of requests, or if you are not sure about the amount of traffic on the application web site. This is the default setting. |
| Slow | Use if your application supports a large number of requests from many sessions; for example, this is useful for web sites with lots of traffic. Policy Builder requires a large number of unique traffic samples to make decisions in Automatic Learning Mode, or to reach a high learning score. This option creates the most accurate security policy, but it takes Policy Builder longer to collect the statistics. |
| Trusted IP addresses | Description |
|---|---|
| All | Specifies that the policy trusts all IP addresses. This option is recommended for traffic in a corporate lab or preproduction environment where all of the traffic is trusted. The policy is created faster when you select this option. |
| Address List | Specifies networks to consider safe. Fill in the IP Address and Netmask fields, then click Add. This option is typically used in a production environment where traffic could come from untrusted sources. The IP Address can be either an IPv4 or an IPv6 address. |
When you finish running the Deployment wizard, you have created a basic security policy to protect your web application. The Real Traffic Policy Builder® starts examining the application traffic, and fine-tunes the security policy using the guidelines you configured.
The Policy Builder builds the security policy as follows:
The Policy Builder automatically discovers and populates the security policy with the policy elements (such as file types, URLs, parameters, and cookies). On the Policy Building screens, you can monitor general policy building progress, review learning suggestions and deal with those you must handle manually, and see the number of elements that have been included in the policy.
If you create a security policy with the Learning Mode set to Automatic, the Real Traffic Policy Builder® does automatic policy building. This is how it works:
This process describes what happens during automatic policy building. You can always control the way the security policy works by making changes manually and by configuring additional layers of security based on the unique needs of your environment.
After you create a security policy, the system provides learning suggestions concerning additions to the security policy based on the traffic that is accessing the application. For example, you can have users or testers browse the web application. By analyzing the traffic to and from the application, Application Security Manager™ generates learning suggestions or ways to fine-tune the security policy to better suit the traffic and secure the application.
| Action | Description |
|---|---|
| Accept Suggestion | The system modifies the policy by taking the suggested action, such as adding an entity that is legitimate. If the entity that triggered the suggestion can be placed in staging (file types, URLs, parameters, cookies, or redirection domains), clicking Accept Suggestion displays a second option, Accept suggestion and enable staging on Matched <<entity>>. Click this option to accept the suggestion and place the matched entity in staging. |
| Delete Suggestion | The system removes the learning suggestion, but the suggestion reoccurs if new requests cause it. In that case, the learning score of the suggestion starts over from zero. |
| Ignore Suggestion | The system does not change the policy and stops showing this suggestion on the Traffic Learning screen now and in the future. You can view ignored suggestions by filtering by the status Ignored. |
| Leave the suggestion | You can read the suggestions and wait to handle them until more traffic has passed through, or until you get more information. The suggestion remains in the list and no changes are made to the policy. |
If you know that a suggestion is valid, you can accept it at any time, even before the learning score reaches 100%. Suggestions that reach 100% have met all the conditions, so they are probably legitimate entities.
Some learning suggestions must be resolved manually even if you are using the Automatic Learning Mode to create a security policy. Suggestions typically require manual intervention if they involve changing an attribute that was manually and deliberately set in the policy, such as a disallowed geolocation or a session ID in a URL. The system does not change the policy unless you accept the suggestion manually.
You can easily see the suggestions that you need to resolve manually because they are marked with an icon on the Traffic Learning screen, as shown in the figure. You can also use the advanced filter to view the suggestions that have Learning Mode set to Manual; this lists the suggestions you need to resolve.
Figure: Suggestions that must be resolved manually
If you are using the Manual Learning Mode, you must resolve all of the suggestions manually.
The Application Security Manager™ provides additional security protections that you can manually configure for a security policy.
| Feature | Description and Location |
|---|---|
| DoS attack prevention | Prevents Denial of Service (DoS) attacks based on latency and/or transaction rates (also using geolocation, CAPTCHA challenge, heavy URL detection, proactive web scraping detection, and blacklisting). You need to create a DoS profile with Application Security enabled to configure Layer 7 DoS protection. |
| IP Address Intelligence | Logs and blocks attacks from IP addresses that are in the IP Address Intelligence Database and are considered to have a bad reputation. |
| Web scraping detection | Mitigates web scraping (web data extraction) on web sites by attempting to determine whether a web client source is human. |
| CSRF protection | Prevents cross-site request forgery (CSRF), where a user is forced to perform unwanted actions on a web application to which the user is currently authenticated. |
| Sensitive data masking | Protects sensitive data in responses, such as a credit card number, U.S. Social Security number, or custom pattern. Create sensitive parameters if needed (they are also masked). As an additional protection, set the Mask Credit Card Numbers in Request Log option in the policy properties. |
| Anti-virus protection through an ICAP server | Configures the system as an Internet Content Adaptation Protocol (ICAP) client so that an external ICAP server can inspect HTTP file uploads for viruses before releasing the content to the web server. Set up the ICAP server, then set the blocking settings (alarm and/or block) of the Virus Detected violation. Also check that the values of the system variables icap_uri and virus_header_name correspond to the ICAP server. |