Manual Chapter: Introducing the Application Security Manager
The BIG-IP® Application Security Manager protects mission-critical enterprise Web infrastructure against application-layer attacks, and monitors the protected web applications. The Application Security Manager can prevent a variety of web application attacks, such as:
Malicious exploitations of the application memory buffer to stop services, to get shell access, and to propagate worms
Integrated platform guaranteeing the delivery of secure application traffic
Built on F5 Networks TMOS® architecture, the ICSA-certified, positive-security Application Security Manager is fully integrated with the BIG-IP Local Traffic Manager.
Full support in the iControl SDK
The iControl SDK includes full support for the application security functionality.
Attack Signature protection
The Attack Signatures in the Application Security Manager offer protection from generalized and known application attacks such as known worms, vulnerabilities, and requests for restricted files and URLs. The Attack Signatures Update feature provides current, up-to-date signatures, so that your applications are always protected from new attacks and threats.
Positive security model
The Application Security Manager creates a robust positive security policy to completely protect web applications from targeted web application layer threats, such as buffer overflows, SQL injection, cross-site scripting, parameter tampering, cookie poisoning, and others, by allowing only valid application transactions. The positive security model is based on a combination of valid user session context and valid user input, as well as a valid application response.
Integrated, simplified management
The browser-based Configuration utility provides network device configuration, centralized visual security policy management, and easy-to-read audit reports. Additional tools provide a highly automated and visual security policy building mechanism, based on a proprietary Policy Builder that automatically builds a map of all the valid application transactions and drastically simplifies the security policy management.
Role-based administration
The BIG-IP system supports role-based administration, which you can use to restrict access to various components of the product. For example, users with the Application Security Policy Editor role can audit and maintain application security policies but have no access to the network or general system administration.
Configurable security levels
The Application Security Manager offers varying levels of security, from general protection of web site elements such as file types and character sets, to tailored, highly granular, application-specific security policies. This flexibility provides enterprises the ability to choose the level of security they need, and reduce management costs based on the level of protection and risks acceptable to their business environment.
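A conceptual sketch of the positive security model and the general-to-granular security levels described above, added here as an illustration. It is not F5 code or the Application Security Manager policy format; the policy contents, signature patterns, violation labels, and function names are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Negative model: constructed sample patterns (not F5 attack signatures).
SIGNATURES = [re.compile(p, re.I)
              for p in (r"<script\b", r"\bunion\s+select\b", r"\.\./")]

# Positive model: a hypothetical policy that lists only what the application
# accepts. "file_types" is the general level; per-URL parameter rules
# (allowed character set, maximum length) are the granular level.
POLICY = {
    "file_types": {"php", "gif", "png", "jpg"},
    "urls": {
        "/register.php": {
            "username": (re.compile(r"[A-Za-z0-9_]+"), 32),
            "age": (re.compile(r"[0-9]+"), 3),
        },
        "/img/logo.gif": {},
    },
}

def signature_violations(request_uri):
    """Return the patterns of known-bad signatures found in the request."""
    return [s.pattern for s in SIGNATURES if s.search(request_uri)]

def policy_violations(request_uri, policy=POLICY):
    """Return every way the request falls outside the allowed transactions."""
    parts = urlsplit(request_uri)
    path = parts.path
    ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
    violations = []
    if ext not in policy["file_types"]:
        violations.append(f"illegal file type: {ext or '(none)'}")
    params = policy["urls"].get(path)
    if params is None:
        violations.append(f"illegal URL: {path}")
        return violations
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        rule = params.get(name)
        if rule is None:
            violations.append(f"illegal parameter: {name}")
            continue
        charset, max_len = rule
        if len(value) > max_len:
            violations.append(f"illegal length: {name}")
        if not charset.fullmatch(value):
            violations.append(f"illegal characters: {name}")
    return violations
```

A tampered request such as `/register.php?username=alice&role=admin` matches none of the sample signatures, yet the positive policy rejects it because `role` is not a parameter the application defines.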
This configuration guide also contains information on configuring a local traffic virtual server to use an application security class to protect the web application resources. The application security class is the bridge between the local traffic components and the application security components.
Important: For detailed information on configuring the local traffic objects, refer to the Configuration Guide for BIG-IP® Local Traffic Manager. For information on the protocol security objects, refer to the Configuration Guide for BIG-IP® Protocol Security Module. Both of these guides are available in the Ask F5℠ Knowledge Base.
The browser-based graphical user interface for the BIG-IP system is called the Configuration utility. You log on and use the Configuration utility to set up the system and configure the Application Security Manager.
Figure 1.1 shows the Welcome screen of the Configuration utility.
The identification and messages area
The identification and messages area of the Configuration utility is the screen region that is above the navigation pane, the menu bar, and the body. In this area, you find the system identification, including the host name and management IP address. This area is also where certain system messages display, for example Activation Successful, which appears after a successful licensing process.
The navigation pane
The navigation pane, on the left side of the screen, contains the Main tab, the Help tab, and the About tab. The Main tab provides links to the major configuration objects. The Help tab provides context-sensitive help for each screen in the Configuration utility. The About tab provides overview information about the BIG-IP system.
The menu bar
The menu bar, which is below the identification and messages area, and above the body, provides links to additional screens.
The body
The body is the screen area where the configuration settings display, and where the user configures the system.
When you click most options in the Application Security section of the navigation pane, the Configuration utility opens a second screen for application security.
This document refers to the navigation pane of the BIG-IP Configuration utility as simply the navigation pane. This document refers to the navigation pane for the Application Security Configuration utility as the Application Security navigation pane.
In the Configuration utility for Application Security, blue URLs indicate non-referrer URLs, while gold URLs indicate referrer URLs. Referrers are web pages that can request other URLs. For example, an HTML page can request a GIF, JPG, or PNG image file. The HTML page is the referrer, and the GIF, JPG, and PNG files are non-referrers.
Note: The Application Security Manager system's Referrer is similar to the HTTP Referer header. F5 Networks recommends that you configure referrers for complex objects, such as HTML pages, but not for embedded objects, such as GIF files.
Figure 1.2 illustrates a referrer URL (/register.php) and several non-referrer URLs.
For a list of the supported browsers for the Configuration utility, refer to the current release notes on the Ask F5℠ Knowledge Base web site.
Online help for Application Security components
The Configuration utility has online help for each screen. The online help contains descriptions of each control and setting on the screen. Click the Help tab in the left navigation pane to view the online help.
Welcome screen in the Configuration utility
The Welcome screen in the Configuration utility contains links to many useful web sites and resources, including the Ask F5℠ Knowledge Base, the F5 Solution Center, the F5 DevCentral web site, plug-ins, SNMP MIBs, and SSH clients.
F5 Networks Technical Support web site
The F5 Networks Technical Support web site provides the latest documentation for the product, including:
BIG-IP® Application Security Manager: Getting Started Guide
Configuration Guide for BIG-IP® Local Traffic Manager
Configuration Guide for BIG-IP® Protocol Security Module
BIG-IP® Systems: Getting Started Guide
TMOS® Management Guide for BIG-IP® Systems
Ask F5℠ Knowledge Base