Manual Chapter: Refining the Security Policy Using Learning
You can use the learning process resources to help while building a security policy. When you send client traffic through the Application Security Manager, the Learning data lists the requests and responses that did not comply with the current security policy and therefore triggered a violation. A violation can be triggered either by a false positive (typically seen while a policy is being built) or by an actual attack on the site.
The system generates learning suggestions for requests that cause violations and do not pass the security policy checks. You examine the requests that caused the learning suggestions, and then use the suggestions to refine the security policy. In some cases, a learning suggestion recommends relaxing the security policy in response to traffic that was actually an attack. When dealing with learning suggestions, make sure to relax the policy only where false positives occurred, and not where a real attack caused the violation.
Learning Manager
The Learning Manager examines the security policy violations that the Security Enforcer identifies, and generates learning suggestions based on those policy violations. As visitors move through the web application, the Learning Manager captures requests that contradict the current security policy settings, and records the learning suggestions on the Traffic Learning screen.
Traffic Learning screen
The Traffic Learning screen displays the learning suggestions that the Learning Manager generates. The learning suggestions are categorized by violation type, and can represent actual threats or false-positives. It is important to note that the learning suggestions are based on the currently active security policy. When you accept a learning suggestion, you are updating the currently active security policy.
Staging-Tightening screen
The Staging-Tightening screen displays a summary of security policy entities in staging or with tightening enabled, that may have learning suggestions, and may be ready to be enforced. For file types, parameters, and URLs, you can review the entities, and decide whether to add them to the security policy.
Ignored Entities screen
The Ignored Entities screen lists the file types, URLs, and flows that you have instructed the Learning Manager to disregard, that is, to stop generating learning suggestions for. Typically, the ignored entities are items that you do not want to be a part of the security policy.
View Full Request Information screen
On the Reporting Requests screen, click a Requested URL in the Requests List to display the View Full Request Information screen, which lists any violations and details associated with the request. You can review this information, and then if you want to accept the learning suggestion, click the Learn button to update the active security policy.
The Learning Manager generates learning suggestions when the Learn flag is enabled for the violations on the Blocking Policy screen. (See Configuring the blocking actions for how to set the flag.) When the system receives a request that triggers a violation, the Learning Manager then updates the Traffic Learning screen with learning suggestions based on the violating request information (see Figure 14.1 for an example screen). From this screen, you can review the learning suggestions to determine whether the request triggered a legitimate security policy violation, or whether the violation indicates a need to update the security policy.
Making decisions about which learning suggestions to use requires some general understanding of application security and specific knowledge of the protected application (for example, recognizing valid traffic). Often, you should consider accepting a learning suggestion when you see that it has occurred multiple times, from many different source IP addresses. Repeated learning suggestions typically indicate valid traffic behavior that requires relaxing the security policy.
The Traffic Learning screen also displays violations for which the system does not generate learning suggestions. Typically, these violations are related to RFC compliance and system resources, rather than to security policy entities. The system displays these violations along with the learning suggestions to ease the security policy management tasks.
1. In the Application Security navigation pane, click Manual.
   The Traffic Learning screen opens.
2. In the editing context area, ensure that the current edited security policy is the one for which you want to review the learning suggestions.
3. In the View by box, select how you want the system to display the triggered violations.
4. In the Traffic Learning area, click a violation hyperlink to view the specific elements in the request that triggered the security policy violation and the corresponding learning suggestion.
   The screen refreshes, and the system displays the violation details screen.
Note: In learning suggestions and on the View Full Request Information screen, the Application Security Manager displays and processes non-printable characters, that is, control characters, in the same manner as it displays and processes other characters. For example, the system displays the space character as 0x20.
Before you process a learning suggestion, it is very helpful to examine the details of the request that caused the learning suggestion. You can review all of the requests that trigger a specific learning suggestion by examining the occurrences of that learning suggestion.
1. In the Application Security navigation pane, click Manual.
   The Traffic Learning screen opens.
2. In the editing context area, ensure that the current edited security policy is the one for which you want to review the learning suggestions.
3. In the Traffic Learning area, click a violation hyperlink to view either the Requests List for unlearnable violations, or the specific elements in the request that triggered the security policy violation and the corresponding learning suggestion.
4. In the Occurrences column, click the number.
   The requests list screen opens, and displays all of the requests that triggered the learning suggestion.
1. In the Application Security navigation pane, click Manual.
   The Traffic Learning screen opens.
2. In the editing context area, ensure that the current edited security policy is the one for which you want to review the learning suggestions.
3. In the Traffic Learning section, click a violation hyperlink to view either the request or the specific elements in the request that triggered the security policy violation and the corresponding learning suggestion.
   The screen refreshes, and the system displays the request or request elements that caused the learning suggestions.
4. In the Occurrences column, if available, click the number.
   The Requests List screen opens, and displays all of the requests that contained an item that triggered the learning suggestion.
   Note: Some violations have no Occurrences number.
5. In the Requests List area, in the URL column, click a URL link.
   The View Full Request Information screen opens, where you can review the request that triggered the learning suggestion.
   Figure 14.2 shows an example of the View Full Request Information screen. It shows the violations associated with the request, and details about the request.
6. For each violation with a Learn button, click the Learn button to open the violations learning screen, where you can accept or clear the system's learning suggestions to the security policy one value at a time.
8. If you are sure that the request is trusted, click Accept.
   The system then directs you to the Automatic Policy Building Status screen, where you can see the status of the Policy Builder.
   Tip: The system does not display the Accept button when the Policy Builder is already running or if the request is legal.
9. To remove learning suggestions without changing the security policy, select the ones to remove, and then click the Clear button.
If you want to review all of the requests for a web application that trigger learning suggestions, you can do so on the Requests screen.
1. In the Application Security navigation pane, click Reporting.
   The Requests screen opens.
2. In the editing context area, ensure that the web application and security policy are those for which you want to review requests.
3. In the Filter list, select Custom.
4. For the Web Applications setting, select the name of the web application for which you want to see requests.
5. Click the Go button.
   The screen refreshes, and in the Requests list area, you see the requests for the selected web application only.
The Learning Manager generates learning suggestions throughout the life of the security policy. When the system detects violations of a security policy, the violations may be related to a real attack, and may therefore warrant more careful inspection before being accepted into the security policy.
You can review learning suggestions (violations) on the Traffic Learning screen, and accept or clear each suggestion, as described in the following procedures. You can also view learning suggestions from the Staging-Tightening Summary screen, as described in Working with entities in staging or with tightening enabled.
By default, learning suggestions are presented for the active policy. When you accept a learning suggestion, the system updates the current edited security policy to accept the request entity that triggered the violation. It is possible to accept learning suggestions for a policy that is not active, however, so care must be taken to select the policy for which you want to accept learning suggestions.
1. In the Application Security navigation pane, click Manual.
   The Traffic Learning screen opens.
3. Click a violation hyperlink.
   The learning suggestions properties screen opens. Note that the screens vary depending on the violation.
4. Select one or more learning suggestions, and then click Accept.
   The system updates the security policy with the element in the request that caused the learning suggestion.
   Tip: To accept all of the suggestions on the screen, click Accept All.
When you clear a learning suggestion, the system deletes the learning suggestion, and does not update the security policy. The Learning Manager continues to generate learning suggestions for future instances of the violation.
1. In the Application Security navigation pane, click Manual.
   The Traffic Learning screen opens.
3. Click a violation hyperlink.
   The violation properties screen opens.
4. Select one or more learning suggestions, and then click Clear.
   A Confirm Delete popup screen opens.
   Tip: To clear all of the suggestions on the screen, click Clear All.
5. Click OK.
   The system deletes the learning suggestion.
You use the Staging-Tightening summary (shown in Figure 14.3) to review file types, URLs, and parameters that are in staging or with tightening enabled, and you can delve into the details to see if you want to add these entities to the security policy. You can add selected entities to the security policy, or you can enforce all of the entities that are ready to be enforced.
You can click the numbers in the columns to display details about the entities that are in staging or with tightening enabled. For example, Figure 14.4 shows the learning suggestions that are displayed when you click the number link in the Have Suggestions column of the file types entity.
When you look at the learning suggestions, you can clear them or go back to the staging-tightening summary and enforce the entities.
You can perform tightening on wildcard entities (file types, URLs, and parameters) to learn explicit entities. When you enable tightening for a wildcard entity, and the system receives a request that contains an entity that matches the wildcard entity, the system generates a learning suggestion for the found entity. You can then review the new entities, and decide which are legitimate entities for the web application.
Tightening allows you to develop a more specific policy that is more accurate and in alignment with the traffic. Such a policy can provide better security, but requires more tuning to make sure all the specific entities that you add are accurately configured.
If the Policy Builder is active, and the traffic source is trusted (either by definition or because of heuristic decisions), the Policy Builder automatically adds the new specific entity to the security policy.
When you create a security policy using the Deployment wizard, the system automatically creates wildcards for file types and parameters and enables tightening on selected entities (depending on the scenario you select). As traffic is sent to the web application, the system learns the explicit properties of the files, URLs, and parameters and displays the Staging-Tightening screen where you can decide which ones to add to the policy.
Tip: Use tightening on wildcard entities to build the security policy with explicit entities of this type, adding entities using the Enforce and Enforce Ready buttons. When you disable wildcard tightening for an entity, the system automatically places the entity into staging. For additional information on wildcard entities, see Chapter 10, Working with Wildcard Entities.
When an entity is in staging, the system does not block any requests for this entity. Instead, it posts learning suggestions for staged entities on the Learning screens.
Tip: Use staging on wildcard entities to build the security policy without specifying explicit entities of this type.
Staging is also useful when a site update occurs for a web application. Without staging, you might need to change the blocking policy enforcement mode for the entire web site to transparent to discover any new URLs or parameters in the updated web application. With staging, you can add any new URLs or parameters to the security policy and place only the new entities in staging, allowing the system to generate learning alerts for them.
If a file type, URL, or parameter is in staging or has tightening enabled, the system displays a light bulb icon in the Staging or Tightening column of the file types, URLs, or parameters list. For example, Figure 14.5 shows the Allowed File Types List with three file types in staging.
Yellow indicates that learning suggestions are available. Move the cursor over the light bulb icon to see whether the staging period is over.
Orange indicates that no learning suggestions are available and the staging period is over. This entity is ready to be taken out of staging, and be enforced.
Move the cursor over the light bulb to see when the entity was placed in staging and the last time the properties of this entity were changed (the Last staging event time date and time). Figure 14.6 shows an example of the information that you can view.
After you create a security policy and traffic is sent to the web application, you can review the entities that are in staging or with tightening enabled and add the entities to the security policy. When the staging or tightening period is over and no learning suggestions have been added for seven days, the file type, URL, or parameter is considered ready to be enforced. You can enforce the entities one at a time or, if they are ready to be enforced, you can enforce them all at once.
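The two rules of thumb in this chapter, accepting a suggestion only after it recurs from many different source IPs and treating a staged entity as ready to enforce once its period is over and no suggestion has been added for seven days, as a worked triage example added here. This is not F5 code: the numeric thresholds, the record layout and the sample records are constructed assumptions standing in for what the Traffic Learning and Staging-Tightening screens show.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed thresholds (assumptions, not ASM settings): the chapter says a
# suggestion seen many times from many source IPs usually means legitimate
# traffic, but gives no numbers. QUIET_PERIOD is the chapter's seven days.
MIN_OCCURRENCES = 20
MIN_DISTINCT_SOURCES = 5
QUIET_PERIOD = timedelta(days=7)

@dataclass
class Suggestion:
    violation: str
    entity: str
    occurrences: int
    source_ips: frozenset

def triage_suggestion(s: Suggestion) -> str:
    """Rule of thumb for one suggestion on the Traffic Learning screen."""
    if s.occurrences >= MIN_OCCURRENCES and len(s.source_ips) >= MIN_DISTINCT_SOURCES:
        return "candidate-accept"  # broad, repeated traffic: likely a false positive
    if s.occurrences >= MIN_OCCURRENCES:
        return "inspect-request"   # same volume from few clients: check the full request first
    return "wait"                  # too little data to justify relaxing the policy

@dataclass
class StagedEntity:
    name: str
    staging_started: datetime
    staging_period: timedelta
    last_suggestion: Optional[datetime]  # None if no suggestion was ever raised

def enforcement_state(e: StagedEntity, now: datetime) -> str:
    """Staging-Tightening readiness: period over and no suggestion for seven days."""
    period_over = now - e.staging_started >= e.staging_period
    quiet = now - (e.last_suggestion or e.staging_started) >= QUIET_PERIOD
    if period_over and quiet:
        return "ready-to-enforce"
    if e.last_suggestion is not None:
        return "review-suggestions"
    return "still-staging"

# Constructed sample records standing in for what the screens show.
NOW = datetime(2024, 3, 15)
SUGGESTIONS = [
    Suggestion("Illegal file type", ".woff", 340, frozenset(f"198.51.100.{i}" for i in range(1, 41))),
    Suggestion("Attack signature detected", "/login.php", 55, frozenset({"203.0.113.9"})),
    Suggestion("Illegal parameter", "debug", 3, frozenset({"203.0.113.20", "203.0.113.21"})),
]
ENTITIES = [
    StagedEntity("*.jpg", NOW - timedelta(days=30), timedelta(days=7), NOW - timedelta(days=20)),
    StagedEntity("/api/*", NOW - timedelta(days=10), timedelta(days=7), NOW - timedelta(days=1)),
    StagedEntity("sessionid", NOW - timedelta(days=3), timedelta(days=7), None),
]

def triage_all():
    """Return (suggestion verdicts, entity states), each keyed by name."""
    return ({f"{s.violation} {s.entity}": triage_suggestion(s) for s in SUGGESTIONS},
            {e.name: enforcement_state(e, NOW) for e in ENTITIES})

if __name__ == "__main__":
    for table in triage_all():
        for name, verdict in table.items():
            print(f"{name:40} {verdict}")
```

A verdict of candidate-accept still means opening the View Full Request Information screen before clicking Accept; the script only orders the queue, it does not decide for you.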
1. On the Application Security navigation pane, point to Manual and click Staging-Tightening Summary.
   The Staging-Tightening Summary screen opens.
3. In the Staging-Tightening Summary, check to see if a number appears in the In Staging-Tightening column.
   A number greater than zero indicates that entities of that type are in staging or with tightening.
4. Click the number in the In Staging-Tightening column.
   The allowed file types, URLs, or parameters list opens showing the entities that you can enforce.
6. Click Enforce.
The system takes the following actions:
To enforce all file types, URLs, and parameters that are ready to be enforced
1. On the Application Security navigation pane, point to Manual and click Staging-Tightening Summary.
   The Staging-Tightening Summary screen opens.
4. Click the Enforce Ready button.
The system takes the following actions:
For a few violations, the learning suggestions do not represent an update to the security policy. Instead, the violations require user interpretation. The Policy Builder cannot resolve these violations, and displays them on the Automatic Policy Building Status screen.
For these violations, F5 Networks recommends that you review the violations and determine whether they represent legitimate violations or false positives. You can disable these violations if they are not applicable to your web application, which turns off the blocking policy so that you are no longer notified of requests that trigger the violation. Alternatively, you can clear the learning suggestions, and Application Security Manager continues to issue learning suggestions for the requests.
Important: Application Security Manager does not generate learning suggestions for requests if the web server sends an HTTP response that includes status codes in the 400-599 range.
If you do not want the system to display the violations that require user interpretation, you can disable the violation. When you disable a violation, you can select whether to disable all or some of the blocking actions (the Learn, Alarm, and Block flags) for the violation. The system then ignores future instances of the violation, and passes the requests on to the web application resources.
Warning: Disabling violations or signature sets can have severe consequences. Be sure that you understand the ramifications of the disabling action before completing it.
1. In the Application Security navigation pane, click Manual.
   The Traffic Learning screen opens.
4. Click the Disable Violation button.
   A confirmation popup screen opens.
5. Click OK.
   The screen refreshes, and you no longer see the violation.
6. To put the security policy changes into effect immediately, click the Apply Policy button in the editing context area.
   A confirmation popup screen opens.
7. Click OK.
   The system applies the updated security policy.
When you clear a violation, the system deletes the violation, but does not update the security policy. The Security Enforcer continues to generate alarms for future instances of the violation, and the Learning Manager continues to generate learning suggestions relative to the violation.
1. In the Application Security navigation pane, click Manual.
   The Traffic Learning screen opens.
3. In the View by box, select whether to view by Violations, Parameters, URLs, or File Types.
4. In the list, check the box next to a violation, and then click Clear.
   A Confirm Delete popup screen opens.
5. Click OK.
   The system deletes the learning suggestion.
When you reject a learning suggestion for a URL, a file type, or a flow, the Application Security Manager adds the rejected item to the ignored entities list. When the system receives subsequent requests for those rejected items, the system no longer generates learning suggestions related to the rejected items. The system does, however, continue to log the requests.
1. In the Application Security navigation pane, click Manual.
   The Traffic Learning screen opens.
2. In the editing context area, ensure that the current edited security policy is the one for which you want to review ignored entities.
3. On the menu bar, click Ignored Entities.
   The Ignored Entities screen opens showing the number of ignored entities for file types, URLs, and parameters. If ignored entities exist for an entity type, that type becomes a link that you can click to view a list of all entities logged within that category.
If you want the system to start generating learning suggestions for items that were previously added to the ignored entities list, you can remove those items from the list.
1. In the Application Security navigation pane, click Manual.
   The Traffic Learning screen opens.
2. In the editing context area, ensure that the current edited security policy is the one for which you want to review ignored entities.
3. On the menu bar, click Ignored Entities.
   The Ignored Entities screen opens.
4. Check the Select box (far left) for the entity type whose ignored entities you want to remove, and click the Clear button.
5. To put the security policy changes into effect immediately, click the Apply Policy button in the editing context area.