Manual Chapter: Working with the Security Policy Templates

The security policy templates contain pre-defined configurations to address the security needs of specific web applications. When you select a security policy template, the system automatically populates the security policy with entities and optimizations that are specific to the corresponding web application. For all of the security policy templates, you have the option of creating a security policy for either the HTTP protocol or the HTTPS protocol. Note that for some of the applications, there are additional configuration steps, besides simply specifying the security policy template.
Application Security Manager includes security policy templates for the Microsoft® Outlook® Web Access, Microsoft® SharePoint®, Lotus® Domino®, Oracle® database applications, and the SAP NetWeaver® platform. Application Security Manager also includes a generic security policy template for rapid deployment. Using this template is the quickest way to implement application security with the Application Security Manager.
For new, unconfigured web applications, you can use the Deployment Wizard to implement the security policy templates instead of following the manual tasks outlined in this appendix. For details, refer to the BIG-IP® Application Security Manager: Implementations guide, which is available on the AskF5℠ web site, https://support.f5.com.
Another option for implementing the security policy templates is to use the Security Policy Setup Wizard. To use this wizard, you create a web application, and set the web application language. You then create a new security policy for the web application, and use the Security Policy Setup Wizard to configure the security policy. When you use this wizard, you specify a security policy template and the attack signature sets for the security policy, and you also control the settings for the Policy Builder. For more information, refer to Chapter 6, Working with the Security Policy Setup Wizard.
This chapter describes the system-supplied optimizations and the configuration process for manually implementing the security policy templates.
The Rapid Deployment security policy template is configured with a reduced set of security checks to minimize or eliminate the number of false positives and the complexity and length of the initial evaluation deployment period. By default, the Rapid Deployment security policy template is in a globally-transparent mode. You can enable blocking either globally or for individual security checks, as necessary. The Rapid Deployment security policy template enables organizations to meet the majority of web application security requirements as outlined in PCI DSS v1.1 section 6, FISMA, HIPAA, and others.
When you use the Rapid Deployment security policy template to create your security policy, the Application Security Manager automatically configures the following security optimizations:
Protection against data leakage in responses, for US Social Security Numbers, credit card numbers, and custom patterns
If you are using the Rapid Deployment security policy template, there are several tasks you perform before you create the actual security policy with the template. The tasks are:
Create a new security policy, and select the Rapid Deployment security policy template.
The local traffic pool contains the application server resources for the application. For detailed information on configuring pools, refer to the Configuration Guide for BIG-IP® Local Traffic Management.
1.
On the Main tab of the navigation pane, expand Local Traffic, and then click Pools.
The Pools list screen opens.
2.
Click the Create button.
The New Pool screen opens.
3.
In the Configuration area, in the Name box, type a name for the pool.
4.
In the Resources area, for the New Members setting, in the Address box, type the IP address for the application server that hosts the application.
5.
In the Service Port box, type 80 for HTTP or 443 for HTTPS.
6.
Click the Add button to add the resource to the New Members list.
7.
Click the Finished button.
The screen refreshes and the system displays the new pool in the pools list.
When you create an application security class, the system automatically creates a web application and default security policy in the application security configuration. For more information on application security classes, refer to Chapter 3, Working with Application Security Classes.
1.
On the Main tab of the Application Security navigation pane, click Classes.
The HTTP Class Profiles list screen opens.
2.
Click the Create button.
The New HTTP Class Profile screen opens.
3.
In the General Properties area, in the Name box, type a name for the application security class.
5.
In the Actions area, for the Send To setting, select Pool.
The screen refreshes, and you see additional settings.
6.
For the Pool setting, select the local traffic pool that you created.
7.
Click Finished.
The system adds the class, the default web application, and the corresponding security policy to the configuration, and displays the HTTP Class Profiles list screen.
The local traffic virtual server processes incoming requests for the application. When traffic matches the application security class, the virtual server forwards the traffic to the Application Security Manager for inspection. For more information on local traffic virtual servers, refer to the Configuration Guide for BIG-IP® Local Traffic Management.
1.
On the Main tab of the navigation pane, expand Local Traffic, and then click Virtual Servers.
The Virtual Servers list screen opens.
2.
Click the Create button.
The New Virtual Server screen opens.
3.
In the Name box, type a name for the virtual server.
4.
In the Destination option, select Host, and type an IP address.
5.
In the Service Port box, type 80 (for HTTP) or 443 (for HTTPS). Alternately, you can select HTTP or HTTPS from the list.
6.
In the Configuration section, from the HTTP Profile list, select http.
7.
In the Resources section, for the HTTP Class Profiles setting, from the Available list, select the application security class that you created, and click the Move button (<<) to add the class to the Enabled list.
8.
Click Finished.
The system updates the configuration, and the Virtual Server list screen opens, where you can see your newly created virtual server.
Important: For virtual servers that load balance resources for a web application that is protected by the Application Security Manager, you must configure an HTTP profile in addition to the application security class. Refer to steps 6 and 7 in the previous procedure.
The web application properties determine the general characteristics of the web application in the context of the application security configuration. For detailed information about web applications, refer to Chapter 4, Working with Web Applications.
1.
On the Main tab of the Application Security navigation pane, click Web Applications.
The Web Applications screen opens.
2.
In the Name column, click the web application name that matches the application security class that you created.
The Web Application Properties screen opens.
3.
For the Application Language setting, select the language encoding that matches that of the application you are protecting.
4.
Click the Update button.
The system saves the changes that you have made.
With Application Security Manager, you can create a custom attack signature set that is based on the systems that support the web application. After you create the custom attack signature set, and create the new security policy, you assign the set to the security policy.
1.
2.
3.
Above the Attack Signature Sets list, click Create.
The Create Signature Set screen opens.
4.
In the Create Signature Set area, in the Name box, type a unique name for the signature set.
7.
Next, use the Move button (<<) to add any systems that apply to your configuration from the Available Systems list to the Assigned Systems list.
8.
Click Create.
The screen refreshes, and you see the new signature set in the Signatures Set list.
1.
On the Main tab of the Application Security navigation pane, click Policies List.
The Security Policies screen opens.
2.
Above the Security Policies area, click the Create button.
The New Policy screen opens.
3.
For the Security Policy Name setting, type a unique name for the security policy.
4.
For the Web Application setting, select the web application that corresponds to the application security class that you created.
5.
For the Security Policy Template setting, select Rapid Deployment security policy.
6.
Optionally, in the Security Policy Description box, type a description of the new security policy.
7.
Leave the Enforcement Mode setting at the default, Transparent.
8.
Click the Create button.
The system updates the configuration, and the screen refreshes to display the Security Policy Properties screen.
The final step, before you make the new security policy the active security policy, is to assign the custom attack signature set to the new security policy.
1.
On the Main tab of the Application Security navigation pane, click Attack Signatures.
The Attack Signature Sets Assignment screen opens.
3.
In the Attack Signature Sets Assignment area, in the Available Signature Sets list, click the custom signature set that you created, and use the Move button (<<) to add the signature set to the Assigned Signature Sets list.
4.
Click the Update button to save the changes.
5.
To put the security policy into effect, click the Apply Policy button in the editing context area.
A confirmation popup screen opens.
6.
Click OK.
The system makes the new security policy the active security policy.
Tip: Once you have run traffic through the web application for a while, you can transition the security policy to blocking mode. See Working with the blocking configuration for more information.
The OWA Exchange 2003 security policy templates protect servers running Microsoft® Outlook® Web Access (OWA) software. The templates apply to servers running Microsoft® Exchange Server 2003 software. The templates are available for both the HTTP and the HTTPS protocols.
Important: If you are creating a security policy for servers running Microsoft Exchange Server 2007 software, then you need to use the OWA Exchange 2007 security policy template instead of this template. Refer to Using the OWA Exchange 2007 security policy template for more information.
When you use an OWA Exchange 2003 security policy template to create your security policy, the Application Security Manager automatically configures the following optimizations to protect the Outlook Web Access application:
Attack signatures detect application-specific attack patterns, including a customized factory signature that detects attack patterns in Microsoft Internet Explorer® requests.
If you are using an OWA Exchange 2003 security policy template, there are several tasks you perform before you create the actual security policy with the template. The tasks are:
Configure the web application settings, including setting the web application language, and defining a custom pattern for dynamic sessions in URLs.
Create a new security policy using an OWA Exchange 2003 security policy template.
The local traffic pool contains the application server resources for the OWA application. For detailed information on configuring pools, refer to the Configuration Guide for BIG-IP® Local Traffic Management.
1.
On the Main tab of the navigation pane, expand Local Traffic, and then click Pools.
The Pools list screen opens.
2.
Click the Create button.
The New Pool screen opens.
3.
In the Configuration area, in the Name box, type a name for the pool.
4.
In the Resources area, for the New Members setting, in the Address box, type the IP address for the application server that hosts the OWA application.
5.
In the Service Port box, type 80 (for HTTP) or 443 (for HTTPS). Alternately, you can select HTTP or HTTPS from the list.
6.
Click the Add button to add the resource to the New Members list.
7.
Click the Finished button.
The screen refreshes and the system displays the new pool in the pools list.
When you create an application security class for the OWA application, the system automatically creates a web application and default security policy in the application security configuration. For more information on application security classes, refer to Chapter 3, Working with Application Security Classes.
1.
On the Main tab of the Application Security navigation pane, click Classes.
The HTTP Class Profiles list screen opens.
2.
Click the Create button.
The New HTTP Class Profile screen opens.
3.
In the General Properties area, in the Name box, type a name for the application security class.
5.
In the Actions area, for the Send To setting, select Pool.
The screen refreshes, and you see additional settings.
6.
For the Pool setting, select the local traffic pool that you created.
7.
Click Finished.
The system adds the class, the default web application, and the corresponding security policy to the configuration, and displays the HTTP Class Profiles list screen.
The local traffic virtual server processes incoming requests for the application. When traffic matches the application security class, the virtual server forwards the traffic to the Application Security Manager for inspection. For more information on local traffic virtual servers, refer to the Configuration Guide for BIG-IP® Local Traffic Management.
1.
On the Main tab of the navigation pane, expand Local Traffic, and then click Virtual Servers.
The Virtual Servers list screen opens.
2.
Click the Create button.
The New Virtual Server screen opens.
3.
In the Name box, type a name for the virtual server.
4.
In the Destination option, select Host, and type an IP address.
5.
In the Service Port box, type 80 (for HTTP) or 443 (for HTTPS). Alternately, you can select HTTP or HTTPS from the list.
6.
In the Configuration section, for the HTTP Profile setting, select http.
7.
For the SSL Profile (Client) setting, select clientssl.
8.
For the SSL Profile (Server) setting, select serverssl.
9.
In the Resources section, for the HTTP Class Profiles setting, from the Available list, select the application security class that you created, and click the Move button (<<) to add the class to the Enabled list.
10.
Click Finished.
The system updates the configuration, and the Virtual Server list screen opens, where you can see your newly created virtual server.
Important: For virtual servers that load balance resources for a web application that is protected by the Application Security Manager, you must configure an HTTP profile in addition to the application security class. Refer to step 6 in the previous procedure.
The web application properties determine the general characteristics of the web application, in the context of the application security configuration. For detailed information about web applications, refer to Chapter 4, Working with Web Applications.
1.
On the Main tab of the Application Security navigation pane, click Web Applications.
The Web Applications screen opens.
2.
In the Name column, click the web application name that matches the application security class that you created.
The Web Application Properties screen opens.
3.
For the Application Language setting, select Unicode (utf-8).
4.
For the Dynamic Sessions in URL setting, select Custom pattern, and then in the Value box, type the following regular expression:
5.
Optionally, in the Description box, type a description for the regular expression.
6.
Click the Update button.
The system saves the changes that you have made.
1.
On the Main tab of the Application Security navigation pane, click Policies List.
The Security Policies screen opens.
2.
Above the Security Policies area, click the Create button.
The New Policy screen opens.
3.
For the Security Policy Name setting, type a unique name for the security policy.
4.
For the Web Application setting, select the web application that corresponds to the application security class that you created for the OWA application.
5.
For the Security Policy Template setting, select OWA Exchange 2003 (http) or OWA Exchange 2003 (https).
6.
Optionally, in the Security Policy Description box, type a description of the new security policy.
7.
Leave the Enforcement Mode setting at the default, Transparent.
8.
Click the Create button.
The system updates the configuration, and the screen refreshes to display the Security Policy Properties screen.
9.
To put the security policy into effect, click the Apply Policy button in the editing context area.
A confirmation popup screen opens.
10.
Click OK.
The system applies the updated security policy.
Tip: Once you have run traffic through the web application for a while, you can transition the security policy to blocking mode. See Working with the blocking configuration for more information.
The OWA Exchange 2007 security policy templates protect servers running Microsoft® Outlook® Web Access (OWA) software. The templates apply to servers running Microsoft® Exchange Server 2007 software. The templates are available for both the HTTP and the HTTPS protocols.
Important: If you are creating a security policy for servers running Microsoft Exchange Server 2003 software, then you need to use the OWA Exchange 2003 template instead of this template. Refer to Using the OWA Exchange 2003 security policy template for more information.
When you use an OWA Exchange 2007 security policy template to create your security policy, the Application Security Manager automatically configures the following optimizations to protect the Outlook Web Access application:
Attack signatures detect application-specific attack patterns, including a customized factory signature that detects attack patterns in Internet Explorer requests.
If you are using an OWA Exchange 2007 security policy template, there are several tasks you perform before you create the actual security policy with the template. The tasks are:
Create a new security policy, and select the OWA Exchange 2007 security policy template.
The local traffic pool contains the application server resources for the OWA application. For detailed information on configuring pools, refer to the Configuration Guide for BIG-IP® Local Traffic Management.
1.
On the Main tab of the navigation pane, expand Local Traffic, and then click Pools.
The Pools list screen opens.
2.
Click the Create button.
The New Pool screen opens.
3.
In the Configuration area, in the Name box, type a name for the pool.
4.
In the Resources area, for the New Members setting, in the Address box, type the IP address for the application server that hosts the OWA application.
5.
In the Service Port box, type 80 (for HTTP) or 443 (for HTTPS). Alternately, you can select HTTP or HTTPS from the list.
6.
Click the Add button to add the resource to the New Members list.
7.
Click the Finished button.
The screen refreshes and the system displays the new pool in the pools list.
When you create an application security class for the OWA application, the system automatically creates a web application and default security policy in the application security configuration. For more information on application security classes, refer to Chapter 3, Working with Application Security Classes.
1.
On the Main tab of the Application Security navigation pane, click Classes.
The HTTP Class Profiles list screen opens.
2.
Click the Create button.
The New HTTP Class Profile screen opens.
3.
In the General Properties area, in the Name box, type a name for the application security class.
5.
In the Actions area, for the Send To setting, select Pool.
The screen refreshes, and you see additional settings.
6.
For the Pool setting, select the local traffic pool that you created.
7.
Click Finished.
The system adds the class, the default web application, and the corresponding security policy to the configuration, and displays the HTTP Class Profiles list screen.
The local traffic virtual server processes incoming requests for the application. When traffic matches the application security class, the virtual server forwards the traffic to the Application Security Manager for inspection. For more information on local traffic virtual servers, refer to the Configuration Guide for BIG-IP® Local Traffic Management.
1.
On the Main tab of the navigation pane, expand Local Traffic, and then click Virtual Servers.
The Virtual Servers list screen opens.
2.
Click the Create button.
The New Virtual Server screen opens.
3.
In the Name box, type a name for the virtual server.
4.
In the Destination option, select Host, and type an IP address.
5.
In the Service Port box, type 80 (for HTTP) or 443 (for HTTPS). Alternately, you can select HTTP or HTTPS from the list.
6.
In the Configuration section, for the HTTP Profile setting, select http.
7.
For the SSL Profile (Client) setting, select clientssl.
8.
For the SSL Profile (Server) setting, select serverssl.
9.
In the Resources section, for the HTTP Class Profiles setting, from the Available list, select the application security class that you created, and click the Move button (<<) to add the class to the Enabled list.
10.
Click Finished.
The system updates the configuration, and the Virtual Server list screen opens, where you can see your newly created virtual server.
Important: For virtual servers that load balance resources for a web application that is protected by the Application Security Manager, you must configure an HTTP profile in addition to the application security class. Refer to step 6 in the previous procedure.
The web application language specifies the language encoding of the application. Setting the web application language determines the default character set that the security policy enforces. For detailed information about web applications, refer to Chapter 4, Working with Web Applications.
1.
On the Main tab of the Application Security navigation pane, click Web Applications.
The Web Applications screen opens.
2.
In the Name column, click the web application name that matches the application security class that you created.
The Web Application Properties screen opens.
3.
For the Application Language setting, select Unicode (utf-8).
4.
Click the Update button.
The system saves the changes that you have made.
1.
On the Main tab of the Application Security navigation pane, click Policies List.
The Security Policies screen opens.
2.
Above the Security Policies area, click the Create button.
The New Policy screen opens.
3.
For the Security Policy Name setting, type a unique name for the security policy.
4.
For the Web Application setting, select the web application that corresponds to the application security class that you created for the OWA application.
5.
For the Security Policy Template setting, select OWA Exchange 2007 (http) or OWA Exchange 2007 (https).
6.
Optionally, in the Security Policy Description box, type a description of the new security policy.
7.
Leave the Enforcement Mode setting at the default, Transparent.
8.
Click the Create button.
The system updates the configuration, and the screen refreshes to display the Security Policy Properties screen.
9.
To put the security policy into effect, click the Apply Policy button in the editing context area.
A confirmation popup screen opens.
10.
Click OK.
The system applies the updated security policy.
When you apply the OWA Exchange 2007 security policy template, the system automatically populates the security policy with several objects. To make the security policy more effective, you need to replace the generic domain name (exchange2007.local) in a few of the objects with a domain name that is appropriate for your application and environment.
2.
In the editing context area, ensure that the listed security policy is the one you created using the OWA Exchange 2007 security policy template.
a)
In the Objects List area, click an object name.
The Object Properties screen opens.
b)
On the Object Properties screen, in the Object Name setting, replace exchange2007.local with a domain name that is appropriate for your application.
d)
Click Update.
The screen refreshes, and displays the Objects List screen.
5.
To put the updated security policy into effect, click the Apply Policy button in the editing context area.
A confirmation popup screen opens.
6.
Click OK.
The system applies the updated security policy.
Tip: Once you have run traffic through the web application for a while, you can transition the security policy to blocking mode. See Working with the blocking configuration for more information.
The SharePoint 2007 security policy templates protect servers running Microsoft® SharePoint® 2007 software. The templates are available for both the HTTP and the HTTPS protocols.
When you use a SharePoint 2007 security policy template to create your security policy, the Application Security Manager automatically configures the following optimizations to protect the SharePoint application:
Attack signatures detect application-specific attack patterns, including a customized factory signature that detects attack patterns in Microsoft® Internet Explorer requests.
If you are using the SharePoint 2007 security policy template, there are several tasks you perform before you create the actual security policy with the template. The tasks are:
Create a new security policy, and select the SharePoint 2007 security policy template.
The local traffic pool contains the application server resources for the SharePoint application. For detailed information on configuring pools, refer to the Configuration Guide for BIG-IP® Local Traffic Management.
1.
On the Main tab of the navigation pane, expand Local Traffic, and then click Pools.
The Pools list screen opens.
2.
Click the Create button.
The New Pool screen opens.
3.
In the Configuration area, in the Name box, type a name for the pool.
4.
In the Resources area, for the New Members setting, in the Address box, type the IP address for the application server that hosts the SharePoint application.
5.
In the Service Port box, type 80 (for HTTP) or 443 (for HTTPS). Alternately, you can select HTTP or HTTPS from the list.
6.
Click the Add button to add the resource to the New Members list.
7.
Click the Finished button.
The screen refreshes and the system displays the new pool in the pools list.
When you create an application security class for the SharePoint application, the system automatically creates a web application and default security policy in the application security configuration. For more information on application security classes, refer to Chapter 3, Working with Application Security Classes.
1.
On the Main tab of the Application Security navigation pane, click Classes.
The HTTP Class Profiles list screen opens.
2.
Click the Create button.
The New HTTP Class Profile screen opens.
3.
In the General Properties area, in the Name box, type a name for the application security class.
5.
In the Actions area, for the Send To setting, select Pool.
The screen refreshes, and you see additional settings.
6.
For the Pool setting, select the local traffic pool that you created.
7.
Click Finished.
The system adds the class, the default web application, and the corresponding security policy to the configuration, and displays the HTTP Class Profiles list screen.
The local traffic virtual server processes incoming requests for the application. When traffic matches the application security class, the virtual server forwards the traffic to the Application Security Manager for inspection. For more information on local traffic virtual servers, refer to the Configuration Guide for BIG-IP® Local Traffic Management.
1.
On the Main tab of the navigation pane, expand Local Traffic, and then click Virtual Servers.
The Virtual Servers list screen opens.
2.
Click the Create button.
The New Virtual Server screen opens.
3.
In the Name box, type a name for the virtual server.
4.
In the Destination option, select Host, and type an IP address.
5.
In the Service Port box, type 80 (for HTTP) or 443 (for HTTPS). Alternately, you can select HTTP or HTTPS from the list.
6.
In the Configuration section, for the HTTP Profile setting, select http.
7.
For the SSL Profile (Client) setting, select clientssl.
8.
For the SSL Profile (Server) setting, select serverssl.
9.
In the Resources section, for the HTTP Class Profiles setting, from the Available list, select the application security class that you created, and click the Move button (<<) to add the class to the Enabled list.
10.
Click Finished.
The system updates the configuration, and the Virtual Server list screen opens, where you can see your newly created virtual server.
Important: For virtual servers that load balance resources for a web application that is protected by the Application Security Manager, you must configure an HTTP profile in addition to the application security class. Refer to step 6 in the previous procedure.
The web application language specifies the language encoding of the application. Setting the web application language determines the default character set that the security policy enforces. For detailed information about web applications, refer to Chapter 4, Working with Web Applications.
1.
On the Main tab of the Application Security navigation pane, click Web Applications.
The Web Applications screen opens.
2.
In the Name column, click the web application name that matches the application security class that you created.
The Web Application Properties screen opens.
3.
For the Application Language setting, select Unicode (utf-8).
4.
Click the Update button.
The system saves the changes that you have made.
1.
On the Main tab of the Application Security navigation pane, click Policies List.
The Security Policies screen opens.
2.
Above the Security Policies area, click the Create button.
The New Policy screen opens.
3.
For the Security Policy Name setting, type a unique name for the security policy.
4.
For the Web Application setting, select the web application that corresponds to the application security class that you created for the SharePoint application.
5.
For the Security Policy Template setting, select SharePoint 2007.
6.
Optionally, in the Security Policy Description box, type a description of the new security policy.
7.
Leave the Enforcement Mode setting at the default, Transparent.
8.
Click the Create button.
The system updates the configuration, and the screen refreshes to display the Security Policy Properties screen.
9.
To put the security policy into effect, click the Apply Policy button in the editing context area.
A confirmation popup screen opens.
10.
Click OK.
The system applies the updated security policy.
Tip: Once you have run traffic through the web application for a while, you can transition the security policy to blocking mode. See Working with the blocking configuration for more information.
The Lotus Domino 6.5 security policy templates protect servers running Lotus® Domino® software version 6.5.4. The templates are available for both the HTTP and the HTTPS protocols.
When you use a Lotus Domino 6.5 security policy template to create your security policy, the Application Security Manager automatically configures the following optimizations to protect the Lotus Domino 6.5 application:
The illegal session ID in URL mechanism removes session ID information to prevent false positive alarms for the Non-existent object violation.
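Why removing a dynamic session ID from the URL avoids the Non-existent object false positive, and what a custom pattern for dynamic sessions in URLs has to match, shown as an added example (not F5 code and not part of this manual). The session pattern, the object list, the tokens and the request URLs are all constructed for illustration; they are not the patterns that ship with any template.

```python
import re
from urllib.parse import urlsplit

# Constructed session pattern (an assumption, not the template's regex): the
# token travels as its own path segment, /sid-<24 lowercase alphanumerics>/.
SESSION_SEGMENT = re.compile(r"/sid-([a-z0-9]{24})(?=/)")

# Constructed list of objects (URLs) that the security policy knows about.
POLICY_OBJECTS = {"/mail/inbox.nsf", "/mail/compose.nsf", "/names.nsf"}

# Constructed session tokens for two users.
TOKEN_A = "k3j2h4g5f6d7s8a9q1w2e3r4"
TOKEN_B = "z9x8c7v6b5n4m3l2k1j0h9g8"

# Constructed request URLs, labelled with what each one exercises.
SAMPLE_REQUESTS = [
    "/mail/inbox.nsf",                               # no session in URL
    f"/mail/sid-{TOKEN_A}/inbox.nsf?view=unread",    # valid token, known object
    f"/mail/sid-{TOKEN_B}/compose.nsf",              # second user, known object
    "/mail/sid-short/inbox.nsf",                     # malformed token
    f"/mail/sid-{TOKEN_A}/admin.nsf",                # valid token, unknown object
    f"/mail/sid-{TOKEN_A}/sid-{TOKEN_B}/inbox.nsf",  # two session segments
]


def strip_session(path):
    """Remove the first session segment; return (clean_path, token or None)."""
    match = SESSION_SEGMENT.search(path)
    if match is None:
        return path, None
    return path[:match.start()] + path[match.end():], match.group(1)


def check_url(url, custom_pattern=True):
    """Return the violation name for this URL, or None for a known object."""
    path = urlsplit(url).path
    if custom_pattern:
        # Only one segment is removed, so a URL carrying extra session-like
        # segments still fails the object lookup instead of being normalized.
        path, _token = strip_session(path)
    return None if path in POLICY_OBJECTS else "Non-existent object"


def flagged(urls, custom_pattern=True):
    """Return the URLs that raise a violation under the given setting."""
    return [u for u in urls if check_url(u, custom_pattern) is not None]


if __name__ == "__main__":
    before = flagged(SAMPLE_REQUESTS, custom_pattern=False)
    after = flagged(SAMPLE_REQUESTS, custom_pattern=True)
    print(f"violations without session pattern: {len(before)}")
    print(f"violations with session pattern:    {len(after)}")
    for url in after:
        print("still flagged:", url)
```

Without the pattern, every URL that carries a session segment is flagged, because each user's token produces a path the policy has never seen. With it, only the malformed token, the unknown object and the doubled segment remain.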
If you are using the Lotus Domino 6.5 security policy template, there are several tasks you perform before you create the actual security policy with the template. The tasks are:
Configure the web application settings, including setting the web application language, and defining a custom pattern for dynamic sessions in URLs.
Create a new security policy, and select the Lotus Domino 6.5 security policy template.
The local traffic pool contains the application server resources for the Lotus Domino 6.5 application. For detailed information on configuring pools, refer to the Configuration Guide for BIG-IP® Local Traffic Management.
1. On the Main tab of the navigation pane, expand Local Traffic, and then click Pools.
The Pools list screen opens.
2. Click the Create button.
The New Pool screen opens.
3. In the Configuration area, in the Name box, type a name for the pool.
4. In the Resources area, for the New Members setting, in the Address box, type the IP address for the application server that hosts the Lotus Domino 6.5 application.
5. In the Service Port box, type 80 (for HTTP) or 443 (for HTTPS). Alternately, you can select HTTP or HTTPS from the list.
6. Click the Add button to add the resource to the New Members list.
7. Click the Finished button.
The screen refreshes and the system displays the new pool in the pools list.
When you create an application security class for the Lotus Domino 6.5 application, the system automatically creates a web application and default security policy in the application security configuration. For more information on application security classes, refer to Chapter 3, Working with Application Security Classes.
1. On the Main tab of the Application Security navigation pane, click Classes.
The HTTP Class Profiles list screen opens.
2. Click the Create button.
The New HTTP Class Profile screen opens.
3. In the General Properties area, in the Name box, type a name for the application security class.
5. In the Actions area, for the Send To setting, select Pool.
The screen refreshes, and you see additional settings.
6. For the Pool setting, select the local traffic pool that you created.
7. Click Finished.
The system adds the class, the default web application, and the corresponding security policy to the configuration, and displays the HTTP Class Profiles list screen.
The local traffic virtual server processes incoming requests for the application. When traffic matches the application security class, the virtual server forwards the traffic to the Application Security Manager for inspection. For more information on local traffic virtual servers, refer to the Configuration Guide for BIG-IP® Local Traffic Management.
1. On the Main tab of the navigation pane, expand Local Traffic, and then click Virtual Servers.
The Virtual Servers list screen opens.
2. Click the Create button.
The New Virtual Server screen opens.
3. In the Name box, type a name for the virtual server.
4. In the Destination option, select Host, and type an IP address.
5. In the Service Port box, type 80 (for HTTP) or 443 (for HTTPS). Alternately, you can select HTTP or HTTPS from the list.
6. In the Configuration section, from the HTTP Profile list, select http.
7. In the Resources section, for the HTTP Class Profiles setting, from the Available list, select the application security class that you created, and click the Move button (<<) to add the class to the Enabled list.
8. Click Finished.
The system updates the configuration, and the Virtual Server list screen opens, where you can see your newly created virtual server.
Important: For virtual servers that load balance resources for a web application that is protected by the Application Security Manager, you must configure an HTTP profile in addition to the application security class. Refer to steps 6 and 7 in the previous procedure.
The web application properties determine the general characteristics of the web application in the context of the application security configuration. For detailed information about web applications, refer to Chapter 4, Working with Web Applications.
1. On the Main tab of the Application Security navigation pane, click Web Applications.
The Web Applications screen opens.
2. In the Name column, click the web application name that matches the application security class that you created.
The Web Application Properties screen opens.
3. For the Application Language setting, select Western European (ISO-8859-1).
4. For the Dynamic Sessions in URL setting, select Custom pattern, and then in the Value box, type the following regular expression:
5. Optionally, in the Description box, type a description for the regular expression.
6. Click the Update button.
The system saves the changes that you have made.
1. On the Main tab of the Application Security navigation pane, click Policies List.
The Security Policies screen opens.
2. Above the Security Policies area, click the Create button.
The New Policy screen opens.
3. For the Security Policy Name setting, type a unique name for the security policy.
4. For the Web Application setting, select the web application that corresponds to the application security class that you created for the Lotus Domino 6.5 application.
5. For the Security Policy Template setting, select Lotus Domino 6.5.
6. Optionally, in the Security Policy Description box, type a description of the new security policy.
7. Leave the Enforcement Mode setting at the default, Transparent.
8. Click the Create button.
The system updates the configuration, and the screen refreshes to display the Security Policy Properties screen.
9. To put the security policy into effect, click the Apply Policy button in the editing context area.
A confirmation popup screen opens.
10. Click OK.
The system applies the updated security policy.
Tip: Once you have run traffic through the web application for a while, you can transition the security policy to blocking mode. See Working with the blocking configuration for more information.
The Oracle Applications 11i security policy templates protect servers running the Oracle® Applications 11i database software. The templates are available for both the HTTP and the HTTPS protocols.
When you use the Oracle Applications 11i security policy template to create your security policy, the Application Security Manager automatically configures the following optimizations to protect the Oracle database application:
If you are using the Oracle Applications 11i security policy template, there are several tasks you perform before you create the actual security policy with the template. The tasks are:
Create a new security policy, and select the Oracle Applications 11i security policy template.
The local traffic pool contains the application server resources for the Oracle Applications 11i application. For detailed information on configuring pools, refer to the Configuration Guide for BIG-IP® Local Traffic Management.
1. On the Main tab of the navigation pane, expand Local Traffic, and then click Pools.
The Pools list screen opens.
2. Click the Create button.
The New Pool screen opens.
3. In the Configuration area, in the Name box, type a name for the pool.
4. In the Resources area, for the New Members setting, in the Address box, type the IP address for the application server that hosts the Oracle Applications 11i application.
5. In the Service Port box, type 8000.
6. Click the Add button to add the resource to the New Members list.
7. Click the Finished button.
The screen refreshes and the system displays the new pool in the pools list.
When you create an application security class for the Oracle Applications 11i application, the system automatically creates a web application and default security policy in the application security configuration. For more information on application security classes, refer to Chapter 3, Working with Application Security Classes.
1. On the Main tab of the Application Security navigation pane, click Classes.
The HTTP Class Profiles list screen opens.
2. Click the Create button.
The New HTTP Class Profile screen opens.
3. In the General Properties area, in the Name box, type a name for the application security class.
5. In the Actions area, for the Send To setting, select Pool.
The screen refreshes, and you see additional settings.
6. For the Pool setting, select the local traffic pool that you created.
7. Click Finished.
The system adds the class, the default web application, and the corresponding security policy to the configuration, and displays the HTTP Class Profiles list screen.
The local traffic virtual server processes incoming requests for the application. When traffic matches the application security class, the virtual server forwards the traffic to the Application Security Manager for inspection. For more information on local traffic virtual servers, refer to the Configuration Guide for BIG-IP® Local Traffic Management.
1. On the Main tab of the navigation pane, expand Local Traffic, and then click Virtual Servers.
The Virtual Servers list screen opens.
2. Click the Create button.
The New Virtual Server screen opens.
3. In the Name box, type a name for the virtual server.
4. In the Destination option, select Host, and type an IP address.
5. In the Service Port box, type 80 (for HTTP) or 443 (for HTTPS). Alternately, you can select HTTP or HTTPS from the list.
6. In the Configuration section, from the HTTP Profile list, select http.
7. In the Resources section, for the HTTP Class Profiles setting, from the Available list, select the application security class that you created, and click the Move button (<<) to add the class to the Enabled list.
8. Click Finished.
The system updates the configuration, and the Virtual Server list screen opens, where you can see your newly created virtual server.
Important: For virtual servers that load balance resources for a web application that is protected by the Application Security Manager, you must configure an HTTP profile in addition to the application security class. Refer to steps 6 and 7 in the previous procedure.
The web application language specifies the language encoding of the application. Setting the web application language determines the default character set that the security policy enforces. For detailed information about web applications, refer to Chapter 4, Working with Web Applications.
1. On the Main tab of the Application Security navigation pane, click Web Applications.
The Web Applications screen opens.
2. In the Name column, click the web application name that matches the application security class that you created.
The Web Application Properties screen opens.
3. For the Application Language setting, select Unicode (utf-8).
4. Click the Update button.
The system saves the changes that you have made.
Now you can create a security policy for the web application that uses the Oracle Applications 11i security policy template.
1. On the Main tab of the Application Security navigation pane, click Policies List.
The Security Policies screen opens.
2. Above the Security Policies area, click the Create button.
The New Policy screen opens.
3. For the Security Policy Name setting, type a unique name for the security policy.
4. For the Web Application setting, select the web application that corresponds to the application security class that you created for the Oracle application.
5. For the Security Policy Template setting, select Oracle Applications 11i.
6. Optionally, in the Security Policy Description box, type a description of the new security policy.
7. Leave the Enforcement Mode setting at the default, Transparent.
8. Click the Create button.
The system updates the configuration, and the screen refreshes to display the Security Policy Properties screen.
9. To put the security policy into effect, click the Apply Policy button in the editing context area.
A confirmation popup screen opens.
10. Click OK.
The system applies the updated security policy.
Tip: Once you have run traffic through the web application for a while, you can transition the security policy to blocking mode. See Working with the blocking configuration for more information.
The SAP NetWeaver security policy templates protect servers running the SAP NetWeaver® software. The templates are available for both the HTTP and the HTTPS protocols.
When you use an SAP NetWeaver security policy template to create your security policy, the Application Security Manager automatically configures the following optimizations to protect the SAP NetWeaver application:
If you are using an SAP NetWeaver security policy template, there are several tasks you perform before you create the actual security policy with the template. The tasks are:
Create a new security policy, and select an SAP NetWeaver security policy template.
The local traffic pool contains the application server resources for the SAP NetWeaver application. For detailed information on configuring pools, refer to the Configuration Guide for BIG-IP® Local Traffic Management.
1. On the Main tab of the navigation pane, expand Local Traffic, and then click Pools.
The Pools list screen opens.
2. Click the Create button.
The New Pool screen opens.
3. In the Configuration area, in the Name box, type a name for the pool.
4. In the Resources area, for the New Members setting, in the Address box, type the IP address for the application server that hosts the SAP NetWeaver application.
5. In the Service Port box, type 80. Alternately, you can select HTTP from the list.
6. Click the Add button to add the resource to the New Members list.
7. Click the Finished button.
The screen refreshes and the system displays the new pool in the pools list.
When you create an application security class for the SAP NetWeaver application, the system automatically creates a web application and default security policy in the application security configuration. For more information on application security classes, refer to Chapter 3, Working with Application Security Classes.
1. On the Main tab of the Application Security navigation pane, click Classes.
The HTTP Class Profiles list screen opens.
2. Click the Create button.
The New HTTP Class Profile screen opens.
3. In the General Properties area, in the Name box, type a name for the application security class.
5. In the Actions area, for the Send To setting, select Pool.
The screen refreshes, and you see additional settings.
6. For the Pool setting, select the local traffic pool that you created.
7. Click Finished.
The system adds the class, the default web application, and the corresponding security policy to the configuration, and displays the HTTP Class Profiles list screen.
The local traffic virtual server processes incoming requests for the application. When traffic matches the application security class, the virtual server forwards the traffic to the Application Security Manager for inspection. For more information on local traffic virtual servers, refer to the Configuration Guide for BIG-IP® Local Traffic Management.
1. On the Main tab of the navigation pane, expand Local Traffic, and then click Virtual Servers.
The Virtual Servers list screen opens.
2. Click the Create button.
The New Virtual Server screen opens.
3. In the Name box, type a name for the virtual server.
4. In the Destination option, select Host, and type an IP address.
5. In the Service Port box, type 80 (for HTTP) or 443 (for HTTPS). Alternately, you can select HTTP or HTTPS from the list.
6. In the Configuration section, from the HTTP Profile list, select http.
7. In the Resources section, for the HTTP Class Profiles setting, from the Available list, select the application security class that you created, and click the Move button (<<) to add the class to the Enabled list.
8. Click Finished.
The system updates the configuration, and the Virtual Server list screen opens, where you can see your newly created virtual server.
Important: For virtual servers that load balance resources for a web application that is protected by the Application Security Manager, you must configure an HTTP profile in addition to the application security class. Refer to steps 6 and 7 in the previous procedure.
The web application language specifies the language encoding of the application. Setting the web application language determines the default character set that the security policy enforces. For detailed information about web applications, refer to Chapter 4, Working with Web Applications.
1. On the Main tab of the Application Security navigation pane, click Web Applications.
The Web Applications screen opens.
2. In the Name column, click the web application name that matches the application security class that you created.
The Web Application Properties screen opens.
3. For the Application Language setting, select Unicode (utf-8).
4. Click the Update button.
The system saves the changes that you have made.
1. On the Main tab of the Application Security navigation pane, click Policies List.
The Security Policies screen opens.
2. Above the Security Policies area, click the Create button.
The New Policy screen opens.
3. For the Security Policy Name setting, type a unique name for the security policy.
4. For the Web Application setting, select the web application that corresponds to the application security class that you created for the SAP NetWeaver application.
5. For the Security Policy Template setting, select SAP NetWeaver (http) or SAP NetWeaver (https).
6. Optionally, in the Security Policy Description box, type a description of the new security policy.
7. Leave the Enforcement Mode setting at the default, Transparent.
8. Click the Create button.
The system updates the configuration, and the screen refreshes to display the Security Policy Properties screen.
9. To put the security policy into effect, click the Apply Policy button in the editing context area.
A confirmation popup screen opens.
10. Click OK.
The system applies the updated security policy.
Tip: Once you have run traffic through the web application for a while, you can transition the security policy to blocking mode. See Working with the blocking configuration for more information.
Web applications that are protected by a security policy built from one of the security policy templates frequently receive large file uploads (files larger than 10 MB). As a result, you may encounter clients that are blocked because of a large file upload when they should not be. You can resolve this issue by disabling the Block flag for the security policy violation Request length exceeds defined buffer size. When the blocking action for this violation is disabled, the Policy Enforcer inspects the headers in the associated request, but ignores the file upload itself.
1. On the Main tab of the Application Security navigation pane, click Policy.
The Security Policy Properties screen opens.
2. From the Blocking menu, choose Settings.
The Blocking Policy screen opens.
4. In the Configuration area, for the Enforcement Mode setting, select Blocking. (This step is necessary only if the enforcement mode is currently Transparent.)
Note: You can change the Block flags only when the enforcement mode is Blocking.
5. In the Access Violations area, locate the Request length exceeds defined buffer size violation.
7. In the Configuration area, for the Enforcement Mode setting, select Transparent. (This step is necessary only if you changed the enforcement mode in step 4, and do not want the enforcement mode to be Blocking.)
8. Click the Save button to save any changes you may have made on this screen.
9. To put the security policy changes into effect immediately, click the Apply Policy button in the editing context area.
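The effect of the Block flag described above, as an added example that is not part of the original manual and is not F5 code: a simplified model of how one request is handled with the flag enabled and disabled. The names `Policy`, `Decision`, `evaluate`, and `compare_block_flag`, the `ATTACK-MARKER` signature, and the 10 MB default buffer size are assumptions made for illustration.

```python
from dataclasses import dataclass, field

OVERSIZE = "Request length exceeds defined buffer size"
SIGNATURE = b"ATTACK-MARKER"  # constructed stand-in for any attack signature match


@dataclass
class Policy:
    enforcement_mode: str = "Transparent"  # "Transparent" or "Blocking"
    block_oversize: bool = True            # Block flag for the OVERSIZE violation
    buffer_size: int = 10 * 1024 * 1024    # assumed limit; the manual only says "larger than 10 MB"


@dataclass
class Decision:
    blocked: bool
    violations: list = field(default_factory=list)
    body_inspected: bool = True


def evaluate(policy: Policy, headers: dict, body: bytes) -> Decision:
    """Model one request passing through the policy (hypothetical logic)."""
    violations, wants_block = [], False

    # Headers are inspected whatever the size of the body.
    if any(SIGNATURE in value.encode() for value in headers.values()):
        violations.append("Attack signature detected (header)")
        wants_block = True

    if len(body) > policy.buffer_size:
        # Assumption: the violation is still recorded when its Block flag is off.
        violations.append(OVERSIZE)
        wants_block = wants_block or policy.block_oversize
        body_inspected = False  # the upload itself is ignored
    else:
        body_inspected = True
        if SIGNATURE in body:
            violations.append("Attack signature detected (body)")
            wants_block = True

    # Transparent mode records violations but never blocks.
    blocked = wants_block and policy.enforcement_mode == "Blocking"
    return Decision(blocked, violations, body_inspected)


def compare_block_flag(body: bytes, headers: dict, buffer_size: int) -> dict:
    """Evaluate the same request with the Block flag enabled and disabled."""
    results = {}
    for flag in (True, False):
        policy = Policy("Blocking", block_oversize=flag, buffer_size=buffer_size)
        results[flag] = evaluate(policy, headers, body)
    return results


if __name__ == "__main__":
    upload = b"A" * 2048 + SIGNATURE  # constructed upload, oversized for a 1 KB buffer
    for flag, d in compare_block_flag(upload, {"Host": "app.example"}, 1024).items():
        print(f"Block flag={flag}: blocked={d.blocked} "
              f"body_inspected={d.body_inspected} violations={d.violations}")
```

With the flag disabled, the oversized upload passes and its content is not inspected, while a signature match in the headers of the same request still blocks it.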