Manual Chapter: Tracking Application Security Sessions with APM

Overview: Tracking application security sessions using APM

You can track sessions using login pages configured from within Application Security Manager™ (ASM™), or have the security policy retrieve user names from Access Policy Manager® (APM™). This implementation describes how to set up session tracking for a security policy that uses APM to verify user credentials. You can then set up session awareness from within ASM to identify the user, session, or IP address that instigated an attack.

If you configure session tracking, you can view the user and session information in the application security charts.

Prerequisites for setting up session tracking with APM

In order to set up session tracking from within Application Security Manager™ (ASM™) so that the security policy retrieves user names from Access Policy Manager® (APM™), you need to perform these basic system configuration tasks according to the needs of your networking configuration:

  • Run the setup utility and create a management IP address.
  • License and provision ASM, APM, and Local Traffic Manager™ (LTM™).
  • Configure a DNS address (System > Configuration > Device > DNS).
  • Configure an NTP server (System > Configuration > Device > NTP).
  • Restart ASM (at the command line, type tmsh restart /sys service asm).

If you need more information about basic networking configuration on the BIG-IP® system, refer to the BIG-IP documentation.

Task summary

Use the following tasks to set up application security session tracking with APM authentication integrated.

Creating a VLAN

VLANs represent a collection of hosts that can share network resources, regardless of their physical location on the network.
  1. On the Main tab, click Network > VLANs. The VLAN List screen opens.
  2. Click Create. The New VLAN screen opens.
  3. In the Name field, type a unique name for the VLAN.
  4. For the Interfaces setting, click an interface number from the Available list, and use the Move button to add the selected interface to the Untagged list. Repeat this step as necessary.
  5. Click Finished. The screen refreshes, and displays the new VLAN in the list.

Creating a self IP address for a VLAN

Ensure that you have at least one VLAN configured before you create a self IP address.
Self IP addresses enable the BIG-IP® system, and other devices on the network, to route application traffic through the associated VLAN.
  1. On the Main tab, click Network > Self IPs. The Self IPs screen opens.
  2. Click Create. The New Self IP screen opens.
  3. In the Name field, type a unique name for the self IP.
  4. In the IP Address field, type an IP address. This IP address should represent the address space of the VLAN that you specify with the VLAN/Tunnel setting. The system accepts IP addresses in both the IPv4 and IPv6 formats.
  5. In the Netmask field, type the network mask for the specified IP address.
  6. From the VLAN/Tunnel list, select the VLAN to associate with this self IP address. If creating a self IP address for an address space:
    • On the internal network, select the VLAN that is associated with an internal interface or trunk.
    • On the external network, select the VLAN that is associated with an external interface or trunk.
  7. Use the default values for all remaining settings.
  8. Click Finished. The screen refreshes, and displays the new self IP address in the list.
The BIG-IP system can now send and receive TCP/IP traffic through the specified VLAN.

Creating a local traffic pool for application security

You can use a local traffic pool with the Application Security Manager™ system to forward traffic to the appropriate resources.
Note: You can optionally create a pool as part of creating a security policy using the Deployment wizard.
  1. On the Main tab, click Local Traffic > Pools. The Pool List screen opens.
  2. Click Create. The New Pool screen opens.
  3. In the Name field, type a unique name for the pool.
  4. In the Resources area, for the New Members setting, add to the pool the application servers that host the web application:
    1. Type an IP address in the Address field.
    2. In the Service Port field, type a port number (for example, type 80 for the HTTP service), or select a service name from the list.
    3. Click Add.
  5. Click Finished.
The BIG-IP® system configuration now includes a local traffic pool containing the resources that you want to protect using Application Security Manager™.

Creating an HTTP class

HTTP classes, also called application security classes, can specify which incoming HTTP traffic to route to the Application Security Manager™ for security inspection.
Note: Creating an HTTP class is optional. When you create a security policy using the Deployment wizard, the system automatically creates an HTTP class with application security enabled.
  1. On the Main tab, click Local Traffic > Profiles > Protocol > HTTP Class.
  2. Click Create. The New HTTP Class Profile screen opens.
  3. In the Name field, type a name for the HTTP class.
    Tip: This name is also the name of the security policy in Application Security Manager.
  4. From the Application Security list, select Enabled.
  5. Retain the default values for the other settings.
  6. Click Finished.
The system adds the HTTP class profile, and also creates a security policy with the same name as the class in the Application Security Manager.

Creating a virtual server to manage HTTPS traffic

You can create a virtual server to manage HTTPS traffic.
  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen displays a list of existing virtual servers.
  2. Click the Create button. The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. For the Destination setting, select Host and in the Address field, type the IP address for the virtual server.
  5. In the Service Port field, type 443 or select HTTPS from the list.
  6. From the Configuration list, select Advanced.
  7. From the HTTP Profile list, select http.
  8. For the SSL Profile (Client) setting, from the Available list, select clientssl, and using the Move button, move the name to the Selected list.
  9. Optional: From the SSL Profile (Server) list, select serverssl.
    Note: Without a server SSL profile, the virtual server decrypts client traffic and forwards plain HTTP to the pool members (SSL offload). Selecting serverssl re-encrypts the connection between the HTTPS virtual server and pool members that expect HTTPS.
  10. From the SNAT Pool list, select Auto Map.
  11. In the Resources area, for the HTTP Class Profiles setting, move the application security class that you created into the Enabled list.
  12. From the Default Pool list, select the pool that is configured for application security.
  13. Click Finished.
The HTTPS virtual server appears in the Virtual Server List screen.

Creating a security policy automatically

Before you can create a security policy, you must perform the minimal system configuration tasks including defining a VLAN, a self IP address, and other tasks required according to the needs of your networking environment.
Application Security Manager™ can automatically create a security policy that is tailored to secure your web application.
  1. On the Main tab, click Application Security > Security Policies. The Active Policies screen opens.
  2. Click the Create button. The Deployment wizard opens to the Select Local Traffic Deployment Scenario screen.
  3. For the Local Traffic Deployment Scenario setting, specify a virtual server to use for the security policy.
    • Select Existing Virtual Server and click Next to use an existing virtual server (as long as it does not have an HTTP Class profile associated with it).
    • Select New Virtual Server and click Next to create a new virtual server and pool with basic configuration settings.
    The virtual server represents the web application you want to protect. The system automatically creates an HTTP Class with the same name as the virtual server. The Configure Local Traffic Settings screen opens.
  4. Configure the new or existing virtual server, and click Next. The Select Deployment Scenario screen opens.
  5. For Deployment Scenario, select Create a policy automatically and click Next. The Configure Security Policy Properties screen opens.
  6. From the Application Language list, select the language encoding of the application, or select Auto detect and let the system detect the language.
    Important: You cannot change this setting after you have created the security policy.
  7. If the application is not case-sensitive, clear the Security Policy is case sensitive check box. Otherwise, leave it selected.
    Important: You cannot change this setting after you have created the security policy.
  8. Click Next. The Configure Attack Signatures screen opens.
  9. To configure attack signatures, move the systems used by your web application from the Available Systems list into the Assigned Systems list. The system adds the attack signatures needed to protect the selected systems.
  10. For the Signature Staging setting, verify that the default option Enabled is selected.
    Note: Because the Real Traffic Policy Builder® begins building the security policy in Blocking mode, keep signature staging enabled so that new and updated signatures are evaluated and logged before they are allowed to block; this keeps signature false positives from blocking legitimate traffic while the policy is still being built.
    New and updated attack signatures remain in staging for 7 days, and are not enforced (according to the learn, alarm, and block flags) during that time.
  11. Click Next. The Configure Automatic Policy Building screen opens.
  12. For Policy Type, select an option to determine the security features to include in the policy.
    • Fundamental: Creates a security policy enforcing HTTP request protocol compliance, evasion techniques, allowed file types (including length checks), attack signatures, the violation Request Length Exceeds Defined Buffer Size, and host names.
    • Enhanced: Creates a security policy with all the elements of the Fundamental policy type; also adds checks for global parameters (including length checks), cookies, and allowed methods to the security policy.
    • Comprehensive: Creates a security policy with all the elements of the Enhanced policy type; also checks for allowed URLs, meta characters on URLs, meta characters on parameters, URL parameters (instead of global parameters), and dynamic parameters.
    A bulleted list on the screen describes which security features are included in each type.
  13. For Rules, move the slider to set the Policy Builder learning speed.
    • Fast: Use for a small number of requests from a small number of sessions; for example, useful for web sites with less traffic. However, there is a greater chance of adding false entities to the security policy.
    • Medium: Use for a medium number of requests, or if you are not sure about the amount of traffic on the application web site. This is the default setting.
    • Slow: Use for a large number of requests from many sessions; for example, useful for web sites with lots of traffic. This option creates the most accurate security policy, but takes Policy Builder longer to collect the statistics.
    Based on the option you select, the system sets greater or lesser values for the number of different user sessions, different IP addresses, and length of time before it adds and enforces elements in the security policy.
  14. For Trusted IP Addresses, select which IP addresses to consider safe:
    • All: Specifies that the policy trusts all IP addresses. For example, if the traffic is in a corporate lab or preproduction environment where all of the traffic is trusted; the policy is created faster.
    • Address List: Specifies networks to consider safe. Fill in the IP Address and Netmask fields, then click Add. This option is typically used in a production environment where traffic could come from untrusted sources. The IP Address can be either an IPv4 or an IPv6 address.
    If you leave the trusted IP address list empty, the system treats all traffic as untrusted. In general, it takes more untrusted traffic, from different IP addresses, over a longer period of time to build a security policy.
  15. If you want the security policy to automatically detect JSON and XML protocols, select the JSON/XML payload detection check box. This option is available only for the Enhanced and Comprehensive policy types, because content profiles are attached to the parameters that the Fundamental type does not track. If requests contain legitimate XML or JSON data, the Policy Builder creates content profiles in the security policy according to the data it detects.
  16. If you want to display a response page when an AJAX request does not meet the security policy, select the AJAX blocking response behavior check box.
  17. Click Next. The Security Policy Configuration Summary opens where you can review the settings to be sure they are correct.
  18. Click Finish to create the security policy. The Automatic Policy Building Status screen opens where you can view the current state of the security policy.
The Policy Builder starts and automatically begins building the security policy by examining the traffic to the web application. The system sets the enforcement mode of the security policy to Blocking, but it does not block requests until the Policy Builder processes sufficient traffic, adds elements to the security policy, and enforces the elements.
Tip: This is a good point at which to test that you can access the application being protected by the security policy.

Creating an access profile

You create an access profile to provide the access policy configuration for a virtual server that establishes a secured session.
  1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
  2. Click Create. The New Profile screen opens.
  3. Type a name for the access profile.
  4. To configure timeout and session settings, select the Custom check box.
  5. In the Inactivity Timeout field, type the number of seconds that should pass before the access policy times out. Type 0 to set no timeout. If there is no activity (defined by the Session Update Threshold and Session Update Window settings in the Network Access configuration) between the client and server within the specified threshold time, the system closes the current session.
  6. In the Access Policy Timeout field, type the number of seconds that should pass before the access profile times out because of inactivity. Type 0 to set no timeout. You must select the associated Custom check box before you can configure this setting.
  7. In the Maximum Session Timeout field, type the maximum number of seconds the session can exist. Type 0 to set no timeout. You must select the associated Custom check box before you can configure this setting.
  8. In the Max Concurrent Users field, type the maximum number of users that can use this access profile at the same time. Type 0 to set no maximum. You must select the associated Custom check box before you can configure this setting.
  9. In the Max Sessions Per User field, type the maximum number of concurrent sessions that one user can start. Type 0 to set no maximum. You must select the associated Custom check box before you can configure this setting.
  10. In the Max In Progress Sessions Per Client IP field, type the maximum number of concurrent sessions that one client IP address can support. Type 0 to set no maximum. You must select the associated Custom check box before you can configure this setting.
  11. Select the Restrict to Single Client IP check box to restrict the current session to a single IP address. This setting associates the session ID with the IP address. You must select the associated Custom check box before you can configure this setting. With this setting enabled, upon a request to the session, if the IP address has changed, the request is redirected to a logout page, the session ID is deleted, and a log entry is written to indicate that a session hijacking attempt was detected. If such a redirect is not possible, the request is denied and the same events occur.
  12. To configure logout URIs, in the Configurations area, type each logout URI in the URI field, and then click Add.
  13. In the Logout URI Timeout field, type the delay in seconds before logout occurs for the customized logout URIs defined in the Logout URI Include list.
  14. In the SSO across Authentication Domains area, use the Domain Mode setting to select whether users log in to a single domain or multiple domains.
  15. If you selected Multiple Domains, then in the Primary Authentication URI field, type the primary URI for authentication.
  16. If the policy requires a secure cookie, in the Cookie Options area select the Secure check box to add the secure keyword to the session cookie. Clear this check box only if you are configuring an LTM access scenario where you are using an HTTPS virtual server to authenticate the user and then sending the user to an existing HTTP virtual server to use applications; with Secure cleared, the browser also sends the session cookie over plain HTTP.
  17. If the access policy requires a persistent cookie, in the Cookie Options area select the Persistent check box. This sets cookies if the session does not have a webtop. When the session is first established, session cookies are not marked as persistent, but when the first response is sent to the client after the access policy completes successfully, the cookies are marked persistent. Persistent cookies are updated for the expiration timeout every 60 seconds. The timeout is equal to session inactivity timeout. If the session inactivity timeout is overwritten in the access policy, the overwritten value will be used to set the persistent cookie expiration.
  18. From the SSO Configuration list, select the SSO configuration.
  19. In the Domain Cookie field, specify a domain cookie, if required.
  20. In the Language Settings area, add and remove accepted languages, and set the default language. A browser uses the highest priority accepted language. If no browser language matches the accepted languages list, the browser uses the default language.
  21. Click Finished.
The access profile appears in the Access Profiles List.
To provide functionality with an access profile, you must configure the access policy. The default access policy for a profile denies all traffic and contains no actions. Click Edit in the Access Policy column to edit the access policy.
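The Inactivity Timeout, Maximum Session Timeout, Max Sessions Per User and Restrict to Single Client IP settings interact in ways that are easier to see in code. The following is an added example written for this chapter, not APM's implementation: a small session store that applies those four settings the way the steps above describe them (0 disables a limit; an IP change on a bound session deletes the session and logs a hijacking attempt, after which the caller redirects to logout or denies). The session IDs, user names, IP addresses, timings and the result strings are constructed for the example.

```python
"""Toy model of APM access-profile session limits (added example, not F5 code)."""
import logging

log = logging.getLogger("apm-session-model")


class AccessSessionStore:
    """Applies Inactivity Timeout, Maximum Session Timeout, Max Sessions Per
    User and Restrict to Single Client IP as described in the access profile
    steps. A value of 0 disables a limit, as in the profile. Behaviour is a
    reading of the chapter, not APM's implementation."""

    def __init__(self, inactivity_timeout=900, max_session_timeout=604800,
                 max_sessions_per_user=0, restrict_single_ip=True):
        self.inactivity_timeout = inactivity_timeout
        self.max_session_timeout = max_session_timeout
        self.max_sessions_per_user = max_sessions_per_user
        self.restrict_single_ip = restrict_single_ip
        self.sessions = {}  # session_id -> {user, ip, created, last_seen}

    def _sessions_for(self, user):
        return [s for s in self.sessions.values() if s["user"] == user]

    def create(self, session_id, user, client_ip, now):
        """Establish a session after the access policy allowed the user.
        Returns False when the user already holds Max Sessions Per User."""
        if (self.max_sessions_per_user and
                len(self._sessions_for(user)) >= self.max_sessions_per_user):
            return False
        self.sessions[session_id] = {"user": user, "ip": client_ip,
                                     "created": now, "last_seen": now}
        return True

    def request(self, session_id, client_ip, now):
        """Validate a request that carries a session cookie. Returns 'allow'
        or the reason the session was torn down (result names are assumed)."""
        s = self.sessions.get(session_id)
        if s is None:
            return "unknown"
        # Maximum Session Timeout: absolute lifetime, regardless of activity
        if self.max_session_timeout and now - s["created"] >= self.max_session_timeout:
            del self.sessions[session_id]
            return "max-timeout"
        # Inactivity Timeout: measured from the last request seen on the session
        if self.inactivity_timeout and now - s["last_seen"] >= self.inactivity_timeout:
            del self.sessions[session_id]
            return "inactivity-timeout"
        # Restrict to Single Client IP: the session ID is bound to the first IP;
        # a different IP deletes the session and is logged as a hijacking attempt.
        # The caller then redirects to the logout page, or denies the request.
        if self.restrict_single_ip and client_ip != s["ip"]:
            del self.sessions[session_id]
            log.warning("session hijacking attempt detected: session=%s bound=%s seen=%s",
                        session_id, s["ip"], client_ip)
            return "hijack"
        s["last_seen"] = now
        return "allow"


def demo():
    """Constructed timeline exercising each limit; returns the decisions."""
    store = AccessSessionStore(inactivity_timeout=300, max_session_timeout=3600,
                               max_sessions_per_user=1, restrict_single_ip=True)
    results = [
        store.create("sid-1", "alice", "203.0.113.5", now=0),    # True
        store.create("sid-2", "alice", "203.0.113.5", now=1),    # False: 1 per user
        store.request("sid-1", "203.0.113.5", now=100),          # allow
        store.request("sid-1", "198.51.100.9", now=200),         # hijack: IP changed
        store.request("sid-1", "203.0.113.5", now=201),          # unknown: deleted
        store.create("sid-3", "alice", "203.0.113.5", now=300),  # True: slot freed
        store.request("sid-3", "203.0.113.5", now=700),          # inactivity-timeout
        store.create("sid-4", "bob", "192.0.2.8", now=1000),     # True
    ]
    for t in range(1000, 4600, 250):          # keep bob's session active
        store.request("sid-4", "192.0.2.8", now=t)
    results.append(store.request("sid-4", "192.0.2.8", now=4600))  # max-timeout
    return results


if __name__ == "__main__":
    print(demo())
```

Note that the keep-alive loop keeps bob's session inside the inactivity window, yet the session still ends at the Maximum Session Timeout; only the inactivity timer is reset by traffic.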

Configuring an access policy

You configure an access policy to provide authentication, endpoint checks, and resources for an access profile.
  1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
  2. Click the name of the access profile whose policy you want to edit.
  3. On the menu bar, click Access Policy.
  4. For the Visual Policy Editor setting, click the Edit access policy for Profile policy_name link. The visual policy editor opens the access policy in a separate window or tab.
  5. Click the [+] sign anywhere in your access policy to add a new policy action item. An Add Item window opens, listing Predefined Actions that are grouped by General Purpose, Authentication, and so on.
  6. From the General Purpose area, select Logon Page and click the Add Item button. The Logon Page Agent popup screen opens.
  7. Click Save. The Access Policy screen reopens.
  8. On the rule branch, click the plus sign (+) between Logon Page and Deny.
  9. Set up the appropriate authentication and client-side checks required for application access at your company, and click Add Item.
  10. Change the Successful rule branch from Deny to Allow and click the Save button.
  11. If needed, configure further actions on the successful and fallback rule branches of this access policy item, and save the changes.
  12. At the top of the screen, click the Apply Access Policy link to apply and activate your changes to this access policy.
  13. Click the Close button to close the visual policy editor.

Adding the access profile to the virtual server

Before you can perform this task, you need to create an access profile using Access Policy Manager™.
You associate the access profile with the virtual server created for the web application that Application Security Manager™ is protecting.
  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen displays a list of existing virtual servers.
  2. Click the name of the virtual server that manages the network resources for the web application you are securing.
  3. In the Access Policy area, from the Access Profile list, select the access profile.
  4. Click Update.
Your access policy is now associated with the virtual server.

Setting up ASM session tracking with APM

You can use session tracking to track, enforce, and report on user sessions and IP addresses. To perform tracking, you enable session awareness and indicate how to associate the application user name with the session.
  1. On the Main tab, click Application Security > Sessions and Logins > Session Tracking. The Session Tracking screen opens.
  2. For Session Awareness, select the Enabled check box.
  3. From the Application Username list, select Use APM Usernames and Session ID.
  4. For Track Violations and Perform Actions, select the Enabled check box.
  5. In the Violation Detection Period field, type the number of seconds that indicates the sliding time period to count violations for violation thresholds. The default is 900 seconds.
  6. If you want the system to block all activity for a user, session, or IP address when the number of violations exceeds the threshold, specify one or more of the following settings on the Block All tab.
    Note: For the system to block requests, the security policy Enforcement Mode must be set to blocking (see Policy > Blocking > Settings) and some violations must be set to block.
    • Blocked URLs: Specify which URLs to block after the number of violations exceeds the enabled thresholds. To block all URLs, select Block all URLs. To block authenticated URLs protected by login pages, select Block Authenticated URLs.
    • Username Threshold: Select Enable and specify the number of violations allowed before the system starts to block this user's activity.
    • Session Threshold: Select Enable and specify the number of violations allowed before the system starts to block activity for this HTTP session.
    • IP Address Threshold: Select Enable and specify the number of violations allowed before the system starts to block the activity of this IP address.
    • Block All Period: Specify how long to block users, sessions, or IP addresses if the number of violations exceeds the threshold. To block the user, session, or IP address indefinitely, click Infinite. Otherwise, click User-defined and type the number of seconds to block the traffic. The default is 600 seconds.
  7. If you want the system to log activity when the number of user, session, or IP address violations exceeds the threshold during the violation detection period, specify one or more of the following settings on the Log All Requests tab.
    • Username Threshold: Select Enable and specify the number of violations allowed before the system starts logging this user's activity for the log all requests period.
    • Session Threshold: Select Enable and specify the number of violations allowed before the system starts logging activity for this HTTP session for the log all requests period.
    • IP Address Threshold: Select Enable and specify the number of violations allowed before the system starts logging the activity of this IP address for the log all requests period.
    • Log All Requests Period: Specify how long the system should log all requests when any of the enabled thresholds is reached. Type the number of seconds in the field.
  8. If you want more tolerant blocking for selected violations, such as those prone to false positives, specify one or more of the following settings on the Delay Blocking tab.
    Note: For the system to block requests, the security policy Enforcement Mode must be set to blocking (see Policy > Blocking > Settings) and the specified violations must be set to block.
    • Username Threshold: Select Enable and specify the number of violations a user must cause before the system begins blocking this user for the delay blocking period.
    • Session Threshold: Select Enable and specify the number of violations users must cause (during the violation detection period) before the system begins blocking this HTTP session for the delay blocking period.
    • IP Address Threshold: Select Enable and specify the number of violations allowed before the system begins blocking this IP address for the delay blocking period.
    • Delay Blocking Period: Type the number of seconds that the system should block the user, session, or IP address when any of the enabled thresholds is reached.
    • Associated Violations: Move the violations for which you want delay blocking from the Available list into the Selected list. If the selected violations occur, the system does not block traffic until one of the enabled thresholds is reached. At that point, the system blocks traffic causing those violations for the user, session, or IP address, but allows other transactions to pass.
  9. Click Save.
After you set up session tracking, if the number of violations for a user, session, or IP address exceeds any enabled threshold during the violation detection period, the system starts the configured actions for block all, log all requests, and delay blocking.
Test that you can log in to the web application through the Access Policy Manager™ logon page. You can also test that the security policy works by generating violations and reviewing the application security logs.
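The threshold semantics in steps 5 through 8 (a sliding Violation Detection Period, per-user, per-session and per-IP thresholds, and the three actions with their own periods) are easier to reason about with a model in front of you. The following is an added example written for this chapter, not F5 code: it counts violations per entity within the detection period, raises Block All, Log All Requests and Delay Blocking flags when a threshold is exceeded, lets Associated Violations pass until a delay flag is up, and honours the note that nothing is blocked unless the policy is in Blocking mode. The violation names, users, IP addresses and timings are constructed, and the choice that a newly raised Block All flag takes effect from the next request onward is an assumption.

```python
"""Toy model of ASM session-tracking thresholds (added example, not F5 code)."""
from collections import defaultdict, deque

SCOPES = ("user", "session", "ip")                 # entities ASM can track
ACTIONS = ("block_all", "log_all", "delay_block")  # the three tabs on the screen


class SessionTracker:
    """Counts violations per user/session/IP inside a sliding Violation
    Detection Period and raises per-entity flags once a threshold is exceeded.
    Semantics are a reading of the chapter above, not ASM internals."""

    def __init__(self, detection_period=900, thresholds=None, periods=None,
                 delay_violations=(), blocking_violations=(),
                 enforcement_blocking=True):
        self.detection_period = detection_period
        # thresholds: {action: {scope: violations_allowed}}; missing scope = disabled
        self.thresholds = thresholds or {}
        # periods: {action: seconds}; None for block_all means "Infinite"
        self.periods = {"block_all": 600, "log_all": 600, "delay_block": 600}
        self.periods.update(periods or {})
        self.delay_violations = set(delay_violations)        # Associated Violations
        self.blocking_violations = set(blocking_violations)  # violations with Block set
        self.enforcement_blocking = enforcement_blocking     # policy Enforcement Mode
        self.windows = defaultdict(deque)  # (scope, entity) -> violation timestamps
        self.flags = {}                    # (action, scope, entity) -> expiry or None

    def _active(self, action, key, now):
        """True if the flag is set and unexpired; expired flags are released."""
        flag = (action,) + key
        if flag not in self.flags:
            return False
        expiry = self.flags[flag]
        if expiry is None or now < expiry:   # None = Infinite
            return True
        del self.flags[flag]
        return False

    def process(self, now, user, session, ip, violation=None):
        """Evaluate one request; return (blocked, logged, flags_raised_now)."""
        keys = [("user", user), ("session", session), ("ip", ip)]
        # evaluate every flag (list, so no short-circuit) to release expired ones
        state = {a: any([self._active(a, k, now) for k in keys]) for a in ACTIONS}
        raised = []
        if state["block_all"] and self.enforcement_blocking:
            return True, state["log_all"], raised   # Block All: every request dropped
        if violation is None:
            return False, state["log_all"], raised
        for key in keys:
            win = self.windows[key]
            win.append(now)
            while win and win[0] <= now - self.detection_period:   # slide the window
                win.popleft()
            for action in ACTIONS:
                allowed = self.thresholds.get(action, {}).get(key[0])
                flag = (action,) + key
                if allowed is not None and len(win) > allowed and flag not in self.flags:
                    period = self.periods[action]
                    self.flags[flag] = None if period is None else now + period
                    raised.append(flag)   # assumption: Block All applies from next request
        # Delay Blocking: an associated violation is tolerated until a delay flag is up
        tolerated = (violation in self.delay_violations and
                     not any([self._active("delay_block", k, now) for k in keys]))
        blocked = (self.enforcement_blocking and
                   violation in self.blocking_violations and not tolerated)
        logged = state["log_all"] or any([self._active("log_all", k, now) for k in keys])
        return blocked, logged, raised


# Constructed sample traffic: (time_s, user, session, ip, violation or None).
# Violation names are illustrative, not ASM's internal identifiers.
SAMPLE = [
    (0,    "alice", "s1", "203.0.113.5", "Attack signature detected"),
    (10,   "alice", "s1", "203.0.113.5", "Illegal parameter"),      # tolerated (delay)
    (20,   "alice", "s1", "203.0.113.5", "Illegal parameter"),      # session delay flag up
    (30,   "alice", "s1", "203.0.113.5", "Illegal file type"),      # 4th violation: Block All
    (40,   "alice", "s1", "203.0.113.5", None),                     # clean, still blocked
    (700,  "alice", "s1", "203.0.113.5", None),                     # 600 s Block All lapsed
    (800,  "alice", "s1", "203.0.113.5", "Illegal parameter"),      # 900 s window still full
    (1000, "bob",   "s2", "198.51.100.7", "Illegal parameter"),     # other user: tolerated
]


def demo():
    """Run SAMPLE through a tracker configured like the screen above."""
    tracker = SessionTracker(
        detection_period=900,
        thresholds={"block_all": {"user": 3}, "log_all": {"ip": 1},
                    "delay_block": {"session": 2}},
        periods={"block_all": 600, "log_all": 300, "delay_block": 600},
        delay_violations={"Illegal parameter"},
        blocking_violations={"Attack signature detected", "Illegal parameter"},
    )
    return [tracker.process(*record) for record in SAMPLE]


if __name__ == "__main__":
    for record, (blocked, logged, raised) in zip(SAMPLE, demo()):
        print(record[0], record[1], "blocked" if blocked else "passed",
              "logged" if logged else "", raised)
```

The request at 800 seconds is the point worth noticing: the Block All period has lapsed, but the four earlier violations are still inside the 900 second detection window, so a single new violation pushes the count back over the threshold and the user is blocked again. Setting the Violation Detection Period shorter than the Block All Period avoids that carry-over; leaving it longer makes repeat offenders re-block on their first new violation.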

Monitoring user and session information

To monitor user and session information, you first need to set up session tracking for the security policy.
You can use the reporting tools in Application Security Manager™ to monitor user and session details, especially when you need to investigate suspicious activity that is occurring with certain users, sessions, or IP addresses.
  1. On the Main tab, click Application Security > Reporting. The Requests screen opens and shows all illegal requests that have occurred for this security policy.
  2. In the Requests List, click anywhere on a request. The screen displays details about the request including any violations associated with the request and other details, such as the source IP address, user name, and session ID.
  3. In the General Details area, next to the Username, Source IP Address, or Session ID, click the Show Session Awareness details link. The screen displays the session awareness action flags that you can set.
  4. Update the settings for your selections, as appropriate.
    • Log All Requests: When set to Enabled, the system immediately begins to log activity for the user, session, or IP address and continues for the log all requests period (600 seconds by default).
    • Delay Blocking: When set to Enabled, the system is immediately more tolerant of blocking the selected violations (configured using Policy > Session Awareness). The delay lasts for the delay blocking period (600 seconds by default).
    • Block All: When set to Enabled, the system blocks all activity for this user, session, or IP address until further notice.
  5. On the menu bar, click Session Tracking Status. You can see the list of action flags that you previously set. You can also add or release action flags from the Session Awareness screen.
  6. To see a graphical view of the violations, from the Charts menu, choose Charts. The Charts screen opens where you can view pie charts and bar charts.
  7. In the Charts area, next to View by, click the viewing criteria for the report you want to see. For example, you can view information about illegal requests by user name, session ID, or IP address. Then you can filter the Requests list by the top violator and examine request details for the user, session, or IP address.
  8. Examine the charts and review the data you need. Click Export to create a PDF of any charts you want to save.
After you set up session tracking, you can monitor the specific requests that cause violations by examining each request and reviewing graphical charts. From the Requests list, you can also set up logging, delay blocking, or block all requests for a specific user, session, or IP address.