Manual Chapter: Refining the Security Policy Using Learning
Once you have created a security policy with the Policy Builder, you can use the learning suggestions generated by the Learning Manager to fine-tune the security policy, and to eliminate false positive alarms. When you send client traffic through the Application Security Manager, you can use the Learning data to recognize the expected behavior of the traffic sent to the protected web application. You examine the requests that cause learning suggestions, and then use those learning suggestions to refine the security policy. You can also use the new entities (that is, entities that match a wildcard entity) to tighten the security policy. The resulting security policy does not prevent legal requests sent by legitimate users from accessing the protected web application.
Learning Manager
The Learning Manager parses the security policy violations that the Policy Enforcer generates, and generates learning suggestions based on those policy violations. As visitors move through the web application, the Learning Manager captures requests that contradict the current security policy settings, and records the learning suggestions on the Traffic Learning screen.
Traffic Learning screen
The Traffic Learning screen displays the learning suggestions that the Learning Manager generates. The learning suggestions are categorized by violation type, and can represent actual threats or false positives. Note that the learning suggestions are based on the currently active security policy: when you accept a learning suggestion, you are updating that security policy. On the Traffic Learning screen, the system also displays violations for which the system does not generate learning suggestions. These violations are related to RFC compliance or system resources, and do not update the security policy.
New Entities screen
When you configure wildcard entities, and you enable tightening for those entities, the system lists the entity types it finds on the New Entities screen. For each entity type, you can review the new entities, and decide whether to add them to the security policy.
Ignored Entities screen
The Ignored Entities screen lists the object types, objects, and flows that you have instructed the Learning Manager to disregard, that is, to stop generating learning suggestions for. Typically, the ignored entities are items that you do not want to be a part of the security policy.
The Learning Manager generates learning suggestions when the Learn flag is enabled for the violations on the Blocking Policy screen. (See Configuring the blocking actions, for more information.) When the system receives a request that triggers a violation, the Learning Manager then updates the Traffic Learning screen with learning suggestions based on the violating request information. From this screen, you can review the learning suggestions to determine whether the request triggered a legitimate security policy violation, or the violation represents a need to update the security policy.
The Traffic Learning screen also displays violations for which the system does not generate learning suggestions. Typically these violations are related to RFC compliance and system resources, rather than to security policy entities. The system displays these violations along with the learning suggestions to ease the security policy management tasks.
1.
2. In the editing context area, ensure that the current edited security policy is the one for which you want to review the learning suggestions.
3. In the View by box, select how you want the system to display the triggered violations.
4. In the Traffic Learning area, click a violation type hyperlink to view the specific elements in the request that triggered the security policy violation and the corresponding learning suggestion.
The screen refreshes, and the system displays the violation details screen.
Note: In learning suggestions and on the View Full Request Information screen, the Application Security Manager displays and processes non-printable characters, that is, control characters, in the same manner as it displays and processes other characters. For example, the system displays the space character as 0x20.
You can review all of the requests that trigger a specific learning suggestion by examining the occurrences of that learning suggestion.
1.
2. In the editing context area, ensure that the current edited security policy is the one for which you want to review the learning suggestions.
3. In the Traffic Learning area, click a violation type hyperlink to view either the request or the specific elements in the request that triggered the security policy violation and the corresponding learning suggestion.
The screen refreshes, and the system displays the requests or request elements that caused the learning suggestions.
4. In the Occurrences column, if available, click the number.
The requests list screen opens, and displays all of the requests that contained an item that triggered the learning suggestion.
Before you process a learning suggestion, it is very helpful to examine the details of the request that caused the learning suggestion. The View Full Request Information screen contains some or all of the following information:
Figure 12.1 shows an example of the View Full Request Information screen.
1.
2. In the editing context area, ensure that the current edited security policy is the one for which you want to review the learning suggestions.
3. In the Traffic Learning section, click a violation type hyperlink to view either the request or the specific elements in the request that triggered the security policy violation and the corresponding learning suggestion.
The screen refreshes, and the system displays the request or request elements that caused the learning suggestions.
4. In the Occurrences column, if available, click the number.
The Requests List screen opens, and displays all of the requests that contained an item that triggered the learning suggestion.
5. On the Requests List screen, in the Object column, click a requested object.
The View Full Request Information screen opens, where you can review the details of the request that triggered one or more learning suggestions.
If you want to review all of the requests for a web application that trigger learning violations, you can do so on the Requests screen.
2. In the editing context area, ensure that the web application and security policy are those for which you want to review requests.
3. Use the Filter option to display the requests that you are interested in reviewing. See the online help for descriptions of the filter settings.
The Learning Manager generates learning suggestions throughout the life of the security policy. When you are refining a new security policy, a majority of the learning suggestions are actually parameters and parameter values, or some other component of the application, that are missing from the security policy. When the Policy Enforcer detects violations for an existing policy, however, the violations may be related to a real attack, and therefore warrant more careful inspection before you accept the corresponding learning suggestions, and update the security policy. In both cases, you should carefully review the request for which the learning suggestion was generated.
Once you have reviewed the learning suggestions (violations) that the Learning Manager records on the Traffic Learning screen, you must decide what to do with them in regard to the security policy. You can do one of three things with a learning suggestion: accept it, clear it, or reject it.
When you accept a learning suggestion, the system updates the current edited security policy to accept the request entity that triggered the violation.
Important: There are some violations for which you cannot accept the learning suggestion, and consequently update the security policy. See Working with violations that require user interpretation, for more information.
1.
3. Click a violation type hyperlink.
The learning suggestions properties screen opens. Note that the screens vary depending on the violation.
4. Select a learning suggestion, and then click Accept.
The system updates the security policy with the element in the request that caused the learning suggestion.
When you clear a learning suggestion, the system deletes the learning suggestion, and does not update the security policy. The Learning Manager continues to generate learning suggestions for future instances of the violation.
1.
3. Click a violation type hyperlink.
The violation properties screen opens.
4. Select a learning suggestion, and then click Clear.
A Confirm Delete popup screen opens.
5. Click OK.
The system deletes the learning suggestion.
When you reject a learning suggestion, the system deletes the learning suggestion, and updates the ignored entities list for the security policy. The Learning Manager does not report future instances of the violation. You can reject learning suggestions for the following violation types: illegal object type, non-existent object, illegal object, and illegal flow to object. These violations typically represent object types or web objects that are not part of the security policy, but for which the Learning Manager repeatedly generates learning suggestions.
1.
3. Click a violation type hyperlink.
The violation properties screen opens. The information on these screens varies depending on the violation type.
4. Select a learning suggestion, and then click Clear.
A Confirm Delete popup screen opens.
5. Check the Reject items from learning? box, and then click OK.
The system deletes the learning suggestion, and updates the ignored entities list for the web application.
6. To put the security policy changes into effect immediately, click the Apply Policy button in the editing context area.
A confirmation popup screen opens.
7. Click OK.
The system applies the updated security policy.
For a few violations, the learning suggestions do not represent an update to the security policy. Instead, the violations are indicative of an issue that requires user interpretation. The violations that require user interpretation are:
For these violations, we recommend that you review the violations, and determine whether they represent legitimate violations or false positives. You can disable these violations if they are not applicable to your web application, which turns off the blocking policy so that you are no longer notified of requests that trigger the violation. Alternatively, you can clear the learning suggestions, and the Learning Manager continues to issue learning suggestions for the requests.
Important: The Learning Manager does not generate learning suggestions for requests that cause non-existent object violations if the web server sends an HTTP response with status codes in the 4XX or 5XX range.
If you do not want the system to display the violations that require user interpretation, you can disable the violation. When you disable a violation, the Policy Enforcer disables all of the blocking actions (the Learn, Alarm, and Block flags) for the violation. The system then ignores future instances of the violation, and passes the requests on to the web application resources.
1. On the Main tab of the Application Security navigation pane, click Violations.
The Traffic Learning screen opens.
3. In the Traffic Learning area, next to the violation name, check the Select box, and then click the Disable button.
A confirmation popup screen opens.
4. Click OK.
The screen refreshes, and you no longer see the violation.
5. To put the security policy changes into effect immediately, click the Apply Policy button in the editing context area.
A confirmation popup screen opens.
6. Click OK.
The system applies the updated security policy.
When you clear a violation, the system deletes the violation, but does not update the security policy. The Policy Enforcer continues to generate alarms for future instances of the violation, and the Learning Manager continues to generate learning suggestions.
1. On the Main tab of the Application Security navigation pane, click Violations.
The Traffic Learning screen opens.
3. Click a violation type hyperlink.
The violation properties screen opens.
4. Select a violation, and then click Clear.
A Confirm Delete popup screen opens.
5. Click OK.
The system deletes the learning suggestion.
When you reject a learning suggestion for an object, an object type, or a flow, the Application Security Manager adds the rejected item to the ignored entities list. When the system receives subsequent requests for those rejected items, the system no longer generates learning suggestions related to the rejected items. The system does, however, continue to log the requests.
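The accept, clear and reject semantics described above, the ignored entities list, and the rule that no non-existent object suggestion is generated after a 4XX/5XX response, modelled in Python as an added example (not F5 code): the Policy class, the (violation, entity) shape of a suggestion, the Learn flag lookup and the "no_ext" label are assumptions.

```python
from dataclasses import dataclass, field
# Violation types the chapter lists as rejectable (rejecting sends the item to the ignored entities list).
REJECTABLE = {"illegal object type", "non-existent object", "illegal object", "illegal flow to object"}

@dataclass
class Policy:
    """Hypothetical model of one edited security policy (constructed, not an ASM export)."""
    object_types: set = field(default_factory=set)   # explicit object types, e.g. {"html"}
    objects: set = field(default_factory=set)        # explicit objects, e.g. {"/index.html"}
    learn: dict = field(default_factory=dict)        # violation name -> Learn flag (Blocking Policy screen)
    ignored: set = field(default_factory=set)        # (violation, entity) pairs that were rejected
    suggestions: list = field(default_factory=list)  # pending (violation, entity) learning suggestions

def enforce(policy, path):
    """Model of the Policy Enforcer: the violations one request path raises."""
    name = path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1] if "." in name else "no_ext"  # "no_ext" label is an assumption
    violations = []
    if ext not in policy.object_types:
        violations.append(("illegal object type", ext))
    if path not in policy.objects:
        violations.append(("non-existent object", path))
    return violations

def learn(policy, path, response_status):
    """Model of the Learning Manager: turn violations into Traffic Learning suggestions."""
    for suggestion in enforce(policy, path):
        violation = suggestion[0]
        if not policy.learn.get(violation, False):
            continue  # Learn flag off on the Blocking Policy screen: no suggestion
        if suggestion in policy.ignored:
            continue  # rejected earlier: the request is still logged, but no suggestion
        if violation == "non-existent object" and response_status >= 400:
            continue  # per the chapter: no suggestion when the server answered 4XX/5XX
        if suggestion not in policy.suggestions:
            policy.suggestions.append(suggestion)
    return list(policy.suggestions)

def accept(policy, suggestion):
    """Accept: make the entity legal in the edited policy, then drop the suggestion."""
    violation, entity = suggestion
    policy.suggestions.remove(suggestion)
    {"illegal object type": policy.object_types, "non-existent object": policy.objects}[violation].add(entity)

def clear(policy, suggestion):
    """Clear: delete the suggestion only; the next matching request generates it again."""
    policy.suggestions.remove(suggestion)

def reject(policy, suggestion):
    """Reject: delete the suggestion and add the item to the ignored entities list."""
    if suggestion[0] not in REJECTABLE:
        raise ValueError(f"{suggestion[0]} can only be accepted or cleared, not rejected")
    policy.suggestions.remove(suggestion)
    policy.ignored.add(suggestion)
```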
1. On the Main tab of the Application Security navigation pane, click Violations.
The Traffic Learning screen opens.
2. In the editing context area, ensure that the current edited security policy is the one for which you want to review ignored entities.
3. On the menu bar, click Ignored Entities.
The Ignored Entities screen opens, where you can review the ignored entities for the web application.
If you want the system to start generating learning suggestions again for items that you have added to the ignored entities list, remove those items from the list.
1. On the Main tab of the Application Security navigation pane, click Violations.
The Traffic Learning screen opens.
2. In the editing context area, ensure that the current edited security policy is the one for which you want to review ignored entities.
3. On the menu bar, click Ignored Entities.
The Ignored Entities screen opens.
4. In the list that contains the item you want to remove, check the Select box (in the far left column) next to the item, and then click the Clear button below the list.
5. To put the security policy changes into effect immediately, click the Apply Policy button in the editing context area.
When you build the security policy with wildcard entities and have enabled tightening for those entities, the system displays the explicit entities that match them on the New Entities screens as it finds them in traffic. From the New Entities screens, you can decide whether to add the found explicit entities to the security policy. For additional information on wildcard entities, see Chapter 8, Working with Wildcard Entities.
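A small Python model of the New Entities screens described above, added here as an example and not F5 code: the POLICY dictionary with its per-wildcard tightening flag, the longest-pattern-first matching rule, the URL splitting into object type, object and parameters, and the "no_ext" label are assumptions.

```python
import fnmatch
from urllib.parse import parse_qsl, urlsplit

# Constructed policy state (not an ASM export): per entity type, the explicit entities and
# the wildcard entities, each mapped to whether tightening is enabled for it.
POLICY = {
    "Object Types": {"explicit": {"html"}, "wildcards": {"*": True}},
    "Objects": {"explicit": {"/index.html"},
                "wildcards": {"/account/*": True, "/static/*": False}},
    "Parameters": {"explicit": {"sort"}, "wildcards": {"*": True}},
}

def entities_in_request(url):
    """Split a request URL into the entities ASM tracks: object type, object, parameters."""
    parts = urlsplit(url)
    name = parts.path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1] if "." in name else "no_ext"  # "no_ext" label is an assumption
    params = [p for p, _ in parse_qsl(parts.query, keep_blank_values=True)]
    return {"Object Types": [ext], "Objects": [parts.path], "Parameters": params}

def matching_wildcard(name, wildcards):
    """Return the wildcard entity an explicit name matches, most specific (longest) first."""
    for pattern in sorted(wildcards, key=len, reverse=True):  # ordering rule is an assumption
        if fnmatch.fnmatchcase(name, pattern):
            return pattern
    return None

def find_new_entities(policy, urls):
    """Model of the New Entities screens: explicit names seen in traffic that matched a
    wildcard with tightening enabled and are not yet explicit entities in the policy."""
    found = {etype: [] for etype in policy}
    for url in urls:
        for etype, names in entities_in_request(url).items():
            explicit, wildcards = policy[etype]["explicit"], policy[etype]["wildcards"]
            for name in names:
                if name in explicit:
                    continue  # already an explicit entity: nothing to tighten
                pattern = matching_wildcard(name, wildcards)
                if pattern is None or not wildcards[pattern]:
                    continue  # no wildcard matched (a violation, not a new entity) or tightening is off
                if (name, pattern) not in found[etype]:
                    found[etype].append((name, pattern))
    return found

def accept_new_entity(policy, etype, name):
    """Clicking Accept on a New <Type> screen adds the explicit entity to the policy, so the
    screen no longer lists it after it refreshes."""
    policy[etype]["explicit"].add(name)
```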
On the New Object Types screen, you can review the explicit object type entities and the wildcard entities that they matched. You can also accept the new explicit object type to add it to the security policy.
1.
2. On the menu bar, click New Entities.
The New Entities screen opens.
4. In the New Entities area, in the Entity Type column, click Object Types. (Note that the entity type name becomes a hyperlink only when there are new entities.)
The New Object Types screen opens.
5. In the Select column, check the Select box next to the explicit object type that you want to add to the security policy, and then click the Accept button.
The screen refreshes, and displays only those object types that you have not yet added to the security policy.
6. To put the security policy changes into effect immediately, click the Apply Policy button in the editing context area.
On the New Objects screen, you can review the explicit object entities and the wildcard entities that they matched. You can also accept the new explicit object to add it to the security policy.
1.
2. On the menu bar, click New Entities.
The New Entities screen opens.
4. In the New Entities area, in the Entity Type column, click Objects. (Note that the entity type name becomes a hyperlink only when there are new entities.)
The New Objects screen opens.
5. In the Select column, check the Select box next to the explicit object that you want to add to the security policy, and then click the Accept button.
The screen refreshes, and displays only those objects that you have not yet added to the security policy.
6. To put the security policy changes into effect immediately, click the Apply Policy button in the editing context area.
On the New Parameters screen, you can review the explicit parameter entities and the wildcard entities that they matched. You can also accept the new explicit parameter to add it to the security policy.
1.
2. On the menu bar, click New Entities.
The New Entities screen opens.
4. In the New Entities area, in the Entity Type column, click Parameters. (Note that the entity type name becomes a hyperlink only when there are new entities.)
The New Parameters screen opens.
5. In the Select column, check the Select box next to the explicit parameter that you want to add to the security policy, and then click the Accept button.
The screen refreshes, and displays only those parameters that you have not yet added to the security policy.
6. To put the security policy changes into effect immediately, click the Apply Policy button in the editing context area.