Manual Chapter : Configuring Application Security Session Tracking

Applies To:


BIG-IP ASM

  • 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1

Overview: Tracking application security sessions using login pages

You can track sessions using login pages configured from within Application Security Manager™ (ASM™), or have the policy retrieve the user names from Access Policy Manager® (APM®). This implementation describes how to set up session tracking for a security policy using login pages. The advantage of using session tracking is that you can identify the user, session, or IP address that instigated an attack.

When creating login pages for the application, you define the URLs, parameters, and validation criteria required for users to log in to the application. User and session information is included in the system logs so you can track a particular session or user. The system can log activity, or block a user or session if either generates too many violations.

If you configure session awareness, you can view the user and session information in the application security charts.

Task Summary

Creating login pages

In your security policy, you can create a login page to specify a login URL that presents a site that users must pass through to gain access to the web application. The login URL commonly leads to the login page of the web application.
  1. On the Main tab, click Security > Application Security > Sessions and Logins .
    The Login Pages List screen opens.
  2. In the Current edited policy list near the top of the screen, verify that the edited security policy is the one you want to work on.
  3. Click Create.
    The New Login Page screen opens.
  4. For the Login URL setting, specify a URL that users must pass through to get to the application.
    1. From the list, select the type of URL: Explicit or Wildcard.
    2. Select either HTTP or HTTPS based on the type of traffic the web application accepts.
    3. Type an explicit URL or wildcard expression in the field.
      When you click in the field, the system lists URLs that it has seen, and you can select a URL from the list. Or, you can type explicit URLs in the format /login, and wildcard URLs without the slash, such as *.php.
  5. From the Authentication Type list, select the method the web server uses to authenticate the credentials that users submit through the login URL.
    None: The web server does not authenticate users trying to access the web application through the login URL. This is the default setting.
    HTML Form: The web application uses a form to collect and authenticate user credentials. If you use this option, you also need to type the user name and password parameter names as they are written in the code of the HTML form.
    HTTP Basic Authentication: The user name and password are transmitted in Base64 and stored on the server in plain text.
    HTTP Digest Authentication: The web server performs the authentication; user names and passwords are not transmitted over the network, nor are they stored in plain text.
    NTLM: Microsoft LAN Manager authentication (also called Integrated Windows Authentication) does not transmit credentials in plain text, but requires a continuous TCP connection between the server and client.
  6. In the Access Validation area, define at least one validation criterion for the login page response.
    If you define more than one validation criterion, the response must meet all of the criteria before the system allows the user to access the application login URL.
    Note: The system checks the access validation criteria on the response of the login URL only if the response has one of the following content-types: text/html, text/xml, application/sgml, application/xml, application/html, application/xhtml, application/x-asp, and application/x-aspx.
  7. Click Create to add the login page to the security policy.
    The new login page is added to the login pages list.
  8. Add as many login pages as needed for your web application.
  9. In the editing context area, click Apply Policy to put the changes into effect.
The security policy now has one or more login pages associated with it.
You can now configure how the login pages are enforced, including the authentication URLs, logout URLs, and whether or not the login pages have time limits.

Enforcing login pages

Login enforcement settings prevent forceful browsing attacks where attackers gain access to restricted parts of the web application by supplying a URL directly. You can use login enforcement to force users to pass through one URL (known as the login URL) before being allowed to display a different URL (known as the target URL) where they can access restricted pages and resources. Login enforcement settings specify how the security policy enforces login pages including the expiration time, authenticated URLs, and logout URLs. You can also use authenticated URLs to enforce idle time-outs on applications that are missing this functionality.
  1. On the Main tab, click Security > Application Security > Sessions and Logins > Login Enforcement .
    The Login Enforcement screen opens.
  2. If you want the login URL to be valid for a limited time, set Expiration Time to Enabled, and type a value, in seconds.
  3. For the Authenticated URLs setting, specify the target URLs that users can access only by way of the login URL:
    1. In the Authenticated URLs field, type the target URL name in the format /private.php (wildcards are allowed).
    2. Click Add to add the URL to the list of authenticated URLs.
    3. Repeat to add as many authenticated URLs as needed.
  4. Optionally, use the Logout URLs setting to specify the URLs used to log out of the web application:
    1. In the Logout URLs field, type the URL in the format /logout.html (explicit URLs only).
    2. Click Add.
    3. Repeat to add as many logout URLs as needed.
  5. Click Save to save your settings.
  6. To put the security policy changes into effect immediately, click Apply Policy.
If you specify authenticated URLs and a user tries to bypass them, the system issues the Login URL bypassed violation. If a user session is idle and exceeds the expiration time, the system now issues the Login URL expired violation, and the user can no longer reach the authenticated URLs. For both login violations, if the enforcement mode is blocking, the system now sends the Login Page Response to the client (see Application Security > Blocking > Response Pages ).
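To make the login-page and login-enforcement rules above concrete, here is an added Python model of the behaviour this chapter describes. It is illustration code written for this page, not F5's implementation or any ASM API. It assumes a constructed form of access-validation criterion (every listed string must appear in the login response body), treats a login response whose content type is not in the list from the note above as not validated and therefore not a login, and resets a session's idle timer on any request the session makes; the session ids, URLs and timestamps are made up.

```python
import fnmatch
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Content types on which ASM evaluates access-validation criteria (list taken from the chapter).
VALIDATED_CONTENT_TYPES = {
    "text/html", "text/xml", "application/sgml", "application/xml",
    "application/html", "application/xhtml", "application/x-asp", "application/x-aspx",
}


def url_matches(pattern: str, path: str) -> bool:
    """Explicit URLs (/login) match exactly; wildcard URLs (*.php, /account/*) use glob matching."""
    return fnmatch.fnmatchcase(path, pattern)


@dataclass
class LoginPage:
    url: str
    # Constructed stand-in for the access-validation criteria: every string listed
    # here must appear in the login response body (all criteria must hold).
    required_strings: List[str]


@dataclass
class LoginEnforcer:
    login_pages: List[LoginPage]
    authenticated_urls: List[str]               # explicit or wildcard, e.g. /private.php
    logout_urls: List[str]                      # explicit only
    expiration_seconds: Optional[int] = None    # None models "Expiration Time: Disabled"
    _last_seen: Dict[str, float] = field(default_factory=dict)  # session id -> last activity

    def on_login_response(self, session_id: str, path: str, content_type: str,
                          body: str, now: float) -> bool:
        """Evaluate the response of a login URL. True when the session is now logged in."""
        page = next((p for p in self.login_pages if url_matches(p.url, path)), None)
        if page is None:
            return False
        media_type = content_type.split(";")[0].strip().lower()
        if media_type not in VALIDATED_CONTENT_TYPES:
            return False  # assumption: a response that is never validated does not log the session in
        if not all(s in body for s in page.required_strings):
            return False  # at least one criterion failed
        self._last_seen[session_id] = now
        return True

    def on_request(self, session_id: str, path: str, now: float) -> Optional[str]:
        """Return the login violation this request raises, or None if it is allowed."""
        if any(url_matches(u, path) for u in self.logout_urls):
            self._last_seen.pop(session_id, None)      # logout ends the session
            return None
        logged_in = session_id in self._last_seen
        expired = (logged_in and self.expiration_seconds is not None
                   and now - self._last_seen[session_id] > self.expiration_seconds)
        if expired:
            del self._last_seen[session_id]            # idle too long: the session is gone
        if any(url_matches(u, path) for u in self.authenticated_urls):
            if expired:
                return "Login URL expired"
            if not logged_in:
                return "Login URL bypassed"
        if logged_in and not expired:
            self._last_seen[session_id] = now          # assumption: any request resets the idle timer
        return None


def demo() -> Dict[str, object]:
    """Constructed walk-through: session ids, bodies and timestamps are made up."""
    enf = LoginEnforcer(
        login_pages=[LoginPage("/login", ["Welcome"])],
        authenticated_urls=["/private.php", "/account/*"],
        logout_urls=["/logout.html"],
        expiration_seconds=600,
    )
    r = {}
    r["bypass"] = enf.on_request("s1", "/private.php", now=0)          # never logged in
    r["bad_login"] = enf.on_login_response("s1", "/login", "text/html", "Invalid password", now=5)
    r["good_login"] = enf.on_login_response("s1", "/login", "text/html; charset=utf-8",
                                            "<h1>Welcome alice</h1>", now=10)
    r["allowed"] = enf.on_request("s1", "/private.php", now=20)
    r["json_login"] = enf.on_login_response("s2", "/login", "application/json",
                                            '{"msg": "Welcome"}', now=20)  # content type not validated
    r["expired"] = enf.on_request("s1", "/account/settings", now=700)  # idle 680 s > 600 s
    r["after_expiry"] = enf.on_request("s1", "/private.php", now=701)
    enf.on_login_response("s1", "/login", "text/html", "Welcome", now=710)
    r["logout"] = enf.on_request("s1", "/logout.html", now=720)
    r["after_logout"] = enf.on_request("s1", "/private.php", now=730)
    return r
```

Running `demo()` shows the two violations named above in order: the first request to a protected URL raises Login URL bypassed, a validated login clears it, and an idle gap longer than the expiration time raises Login URL expired on the next protected request, after which the session must log in again.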

Setting up session tracking

You can use session tracking to track, enforce, and report on user sessions and IP addresses. To perform tracking, you enable session awareness and indicate how to associate the application user name with the session. You can also determine whether to track violations and perform logging or blocking actions based on the number of violations per user, session, and IP address.
  1. On the Main tab, click Security > Application Security > Sessions and Logins > Session Tracking .
    The Session Tracking screen opens.
  2. In the Session Tracking Configuration area, for Session Awareness, select the Enabled check box.
  3. Use the Application Username setting to specify the login pages for the application:
    1. From the list, select Use Login Pages.
    2. Move the login pages for the application from the Available list to the Selected list.
      If the login page is not listed, click Add to create it.
  4. In the Violation Detection Actions area, select the Track Violations and Perform Actions check box.
  5. In the Violation Detection Period field, type the number of seconds that indicates the sliding time period to count violations for violation thresholds.
    The default is 900 seconds.
  6. If you want the system to block all activity for a user, session, or IP address when the number of violations exceeds the threshold, specify one or more of the following settings on the Block All tab.
    Note: For the system to block requests, the security policy Enforcement Mode must be set to blocking (see Security > Application Security > Blocking > Settings ) and some violations must be set to block.
    Blocked URLs: Specify which URLs to block after the number of violations exceeds the enabled thresholds. To block all URLs, select Block all URLs. To block authenticated URLs protected by login pages, select Block Authenticated URLs.
    Username Threshold: Select Enable and specify the number of violations allowed before the system starts to block this user's activity.
    Session Threshold: Select Enable and specify the number of violations allowed before the system starts to block activity for this HTTP session.
    IP Address Threshold: Select Enable and specify the number of violations allowed before the system starts to block the activity of this IP address.
    Block All Period: Specify how long to block users, sessions, or IP addresses if the number of violations exceeds the threshold. To block the user, session, or IP address indefinitely, click Infinite. Otherwise, click User-defined and type the number of seconds to block the traffic. The default is 600 seconds.
  7. If you want the system to log activity when the number of user, session, or IP address violations exceeds the threshold during the violation detection period, specify one or more of the following settings on the Log All Requests tab.
    Username Threshold: Select Enable and specify the number of violations allowed before the system starts logging this user's activity for the log all requests period.
    Session Threshold: Select Enable and specify the number of violations allowed before the system starts logging activity for this HTTP session for the log all requests period.
    IP Address Threshold: Select Enable and specify the number of violations allowed before the system starts logging the activity of this IP address for the log all requests period.
    Log All Requests Period: Specify how long the system should log all requests when any of the enabled thresholds is reached. Type the number of seconds in the field.
  8. If you want more tolerant blocking for selected violations, such as those prone to false positives, specify one or more of the following settings on the Delay Blocking tab.
    Note: For the system to block requests, the security policy Enforcement Mode must be set to blocking (see Security > Application Security > Blocking > Settings ) and the specified violations must be set to block.
    Username Threshold: Select Enable and specify the number of violations a user must cause before the system begins blocking this user for the delay blocking period.
    Session Threshold: Select Enable and specify the number of violations an HTTP session must cause (during the violation detection period) before the system begins blocking that session for the delay blocking period.
    IP Address Threshold: Select Enable and specify the number of violations allowed before the system begins blocking this IP address for the delay blocking period.
    Delay Blocking Period: Type the number of seconds that the system should block the user, session, or IP address when any of the enabled thresholds is reached.
    Associated Violations: Move the violations for which you want delay blocking from the Available list into the Selected list. If the selected violations occur, the system does not block traffic until one of the enabled thresholds is reached. At that point, the system blocks traffic causing those violations for the user, session, or IP address, but allows other transactions to pass.
  9. Click Save to save your settings.
After you set up session tracking, if the number of violations for a user, session, or IP address exceeds any enabled threshold during the detection period, the system starts the configured action (block all, log all requests, or delay blocking).

Monitoring user and session information

To monitor user and session information, you first need to set up session tracking for the security policy.
You can use the reporting tools in Application Security Manager™ to monitor user and session details, especially when you need to investigate suspicious activity that is occurring with certain users, sessions, or IP addresses.
  1. On the Main tab, click Security > Reporting > Application > Session Tracking Status .
    The Session Tracking Status screen opens and shows the users, sessions, and IP addresses that the system is currently tracking for this security policy.
  2. From the Action list, select the action by which to filter the data.
    All: Specifies that the screen displays all entries. This is the default value.
    Block All: Specifies that the screen displays sessions whose requests the system blocks after the configured threshold was reached.
    Log All Requests: Specifies that the screen displays sessions whose requests the system logs after the configured threshold was reached.
    Delay Blocking: Specifies that the screen displays sessions whose requests the system delayed blocking until the configured threshold was reached.
  3. From the Scope list, specify the scope (username, session, or IP address) by which to filter the data.
    All: Specifies that the screen displays all entries. This is the default value.
    Username: Specifies that the screen displays usernames whose illegal requests exceeded the security policy's threshold values.
    Session: Specifies that the screen displays the identification numbers of illegal sessions that exceeded the security policy's threshold values.
    IP Address: Specifies that the screen displays IP addresses from which illegal requests exceeded the security policy's threshold values.
  4. If you want to filter the information by value, in the Value field, type the username, session identification number, IP address, or string. If empty, the screen displays all entries.
  5. When you finish specifying the filter details, click Go.
    The Session Tracking Status list now shows the information specified in the Filter setting.
After you set up session tracking, you can monitor the specific requests that cause violations by examining each request and reviewing graphical charts.

Tracking specific user and session information

To monitor user and session information, you first need to set up session tracking for the security policy.
You can configure Application Security Manager™ to log, block, or delay blocking requests from a specific username, session, or source IP address.
  1. On the Main tab, click Security > Reporting > Application > Session Tracking Status .
    The Session Tracking Status screen opens and shows the users, sessions, and IP addresses that the system is currently tracking for this security policy.
  2. Next to the Session Tracking Status list, click Add.
    The Add Session to Tracking screen opens.
  3. From the Action list, select the action that the system will take if it detects the specified username, session, or IP address.
    Block All: Specifies that the system blocks all requests from the specified username, session, or IP address for the configured period of time.
    Log All Requests: Specifies that the system logs all requests from the specified username, session, or IP address for the configured period of time.
    Delay Blocking: Specifies that the system delays blocking the associated violations from the specified username, session, or IP address until the threshold is reached; they are then blocked for the configured period of time.
  4. From the Scope list, specify whether the system is tracking a specific Username (the default value), Session, or IP Address.
  5. In the Value field, type the unique username, session identification number, or IP address that you want to track, based on what you selected in the Scope option.
  6. Click Add.
    The system adds the entry to the Session Tracking list and immediately begins to enforce it.
If the system detects the specified username, session, or IP address, it takes the action you configured for it.
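The following added Python model ties together the two mechanisms described in this chapter: the automatic thresholds from "Setting up session tracking" (a sliding violation detection period, per-username, per-session and per-IP thresholds for Block All, Log All Requests and Delay Blocking with their periods, and the Associated Violations list) and the manual entries from "Tracking specific user and session information", which start the same actions immediately. It is illustration code written for this page, not F5's implementation or API. It assumes Block All is configured with Block all URLs, that the policy is already in blocking mode (so a violation that is not on the Associated Violations list is blocked on its own), and that a violation counts once toward each of the three scopes; the usernames, session ids, IP addresses, violation names and timestamps are constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Optional, Set, Tuple

SCOPES = ("username", "session", "ip")
ACTIONS = ("block_all", "log_all", "delay_blocking")


@dataclass
class ActionConfig:
    """Thresholds from one tab (Block All, Log All Requests, or Delay Blocking)."""
    username: Optional[int] = None   # violations allowed before the action starts; None = not enabled
    session: Optional[int] = None
    ip: Optional[int] = None
    period: Optional[int] = 600      # how long the action lasts, in seconds; None = Infinite


@dataclass
class SessionTracker:
    detection_period: int = 900      # sliding window for counting violations (default 900 s)
    block_all: ActionConfig = field(default_factory=ActionConfig)
    log_all: ActionConfig = field(default_factory=ActionConfig)
    delay_blocking: ActionConfig = field(default_factory=ActionConfig)
    delayed_violations: Set[str] = field(default_factory=set)   # the "Associated Violations" list
    # (scope, value) -> timestamps of violations inside the detection window
    _window: Dict[Tuple[str, str], Deque[float]] = field(default_factory=lambda: defaultdict(deque))
    # (action, scope, value) -> time the action ends, or None for Infinite
    _active: Dict[Tuple[str, str, str], Optional[float]] = field(default_factory=dict)

    def add_tracking_entry(self, action: str, scope: str, value: str, now: float) -> None:
        """Start an action for one username, session id, or IP address right away, as the
        manual 'Add Session to Tracking' screen does; exceeded thresholds call this too."""
        period = getattr(self, action).period
        self._active[(action, scope, value)] = None if period is None else now + period

    def _actions_in_effect(self, ids: Dict[str, str], now: float) -> Set[str]:
        found = set()
        for key, ends_at in list(self._active.items()):
            action, scope, value = key
            if ends_at is not None and now >= ends_at:
                del self._active[key]                  # period elapsed
            elif ids.get(scope) == value:
                found.add(action)
        return found

    def handle(self, violation: Optional[str], ids: Dict[str, str], now: float) -> Set[str]:
        """Process one request (violation name or None). Returns {'block'}, {'log'}, both, or empty."""
        if violation is not None:
            for scope in SCOPES:
                value = ids.get(scope)
                if value is None:
                    continue                           # e.g. no username before login
                window = self._window[(scope, value)]
                window.append(now)
                while window and now - window[0] >= self.detection_period:
                    window.popleft()                   # slide the window forward
                for action in ACTIONS:
                    allowed = getattr(getattr(self, action), scope)
                    if (allowed is not None and len(window) > allowed
                            and (action, scope, value) not in self._active):
                        self.add_tracking_entry(action, scope, value, now)
        active = self._actions_in_effect(ids, now)
        outcome: Set[str] = set()
        if "block_all" in active:
            outcome.add("block")                       # assumption: Block all URLs is selected
        if "log_all" in active:
            outcome.add("log")
        if violation is not None:
            if violation in self.delayed_violations:
                if "delay_blocking" in active:
                    outcome.add("block")               # tolerated until the threshold, then blocked
            else:
                outcome.add("block")                   # assumption: policy is in blocking mode
        return outcome


def demo() -> Dict[str, Set[str]]:
    """Constructed request sequence from one user/session/IP; all ids and timestamps are made up."""
    t = SessionTracker(
        block_all=ActionConfig(ip=3, period=600),
        log_all=ActionConfig(session=2, period=300),
        delay_blocking=ActionConfig(username=2, period=120),
        delayed_violations={"Illegal parameter value length"},
    )
    ids = {"username": "alice", "session": "sess-1", "ip": "198.51.100.7"}
    dv = "Illegal parameter value length"
    r = {}
    r["delayed_1"] = t.handle(dv, ids, 0)          # 1 violation: tolerated
    r["delayed_2"] = t.handle(dv, ids, 10)         # 2 violations: still within every threshold
    r["delayed_3"] = t.handle(dv, ids, 20)         # user > 2 -> delay blocking; session > 2 -> log all
    r["clean"] = t.handle(None, ids, 30)           # logged but not blocked
    r["other_violation"] = t.handle("Attack signature detected", ids, 40)  # ip > 3 -> block all
    r["clean_blocked"] = t.handle(None, ids, 50)   # block all now applies to every request
    r["expired"] = t.handle(None, ids, 1000)       # all three periods have elapsed
    t.add_tracking_entry("block_all", "ip", "203.0.113.5", now=1000)     # manual entry
    r["manual"] = t.handle(None, {"session": "sess-9", "ip": "203.0.113.5"}, 1001)
    return r
```

The sequence in `demo()` shows why the three tabs are configured separately: the first two occurrences of the associated violation pass untouched, the third starts delay blocking for the user and Log All Requests for the session, and only after a fourth violation does the IP threshold start Block All, which then applies to clean requests as well until its period ends. A manual entry skips the counting and starts the action at once.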