Manual Chapter: Creating a Security Policy for a Production Environment

In this implementation, we describe the process for automatically building a security policy, with the Policy Builder, for traffic through a production web site or web application. The Policy Builder is an automated tool that builds the security policy based on settings that you configure using the Deployment Wizard. For this implementation, the Deployment Wizard guides you through the following tasks:
Verifying that the application servers are receiving traffic and that Application Security Manager is logging the traffic
Important: This implementation assumes that you have already configured the network settings that are appropriate for your environment. Refer to Chapter 2, Reviewing Basic Configuration Tasks, if you have not yet configured network connectivity.
Once you have completed the network configuration, you are ready to start the Deployment Wizard. The Deployment Wizard automates several essential configuration tasks, to expedite the initial configuration of a security policy.
When you start the Deployment Wizard, you select a deployment scenario. Each deployment scenario includes preset configuration options. The configuration options are tailored to address the needs of the environment or application for which you are creating a security policy.
Note: If you have not yet configured the basic local traffic settings, refer to Chapter 2, Reviewing Basic Configuration Tasks, and perform those tasks. Once you have completed the tasks outlined in that chapter, you can proceed with this implementation.
1. On the Main tab of the navigation pane, in the Application Security section, click Web Applications.
The Web Applications screen opens in a new browser session.
2. In the Name column, click the web application name that matches the application security class name.
The Select Deployment Scenario screen opens.
3. For the Deployment Scenario setting, select Production Site (Untrusted Traffic).
4. Click the Next button.
The Configure Web Application Properties screen opens.
In this step of the wizard, you specify the language encoding for the web application. Specifying the application language determines the default character set that the security policy enforces. For additional information on web application configuration, see the Working with Web Applications chapter in the Configuration Guide for BIG-IP® Application Security Management.
1. On the Configure Web Application Properties screen, for the Application Language setting, select one of the following options:
Leave the setting at the default value, Auto detect.
When the Policy Builder starts, it determines the language encoding based on application data.
2. Click Next.
The Configure Attack Signatures screen opens.
Attack signatures represent known attack patterns. In this step of the wizard, you create an attack signatures set based on the systems that are in your environment. The Application Security Manager assigns the selected sets to the security policy, and applies those signatures to the requests for the associated web application. There is also a set of generic attack signatures that is automatically assigned to the security policy.
In this step, you also configure whether the system activates signature staging. When attack signature staging is enabled, the system keeps track of how many times an attack signature detects an attack pattern, but does not activate blocking for that signature until the staging time has passed.
1. On the Configure Attack Signatures screen, for the Systems setting, from the Available Systems list, select (by clicking) the systems that apply to your web application.
Tip: Hold the Ctrl key to select more than one system in the list.
3. If you do not want the system to keep the signatures in the staging state, clear the Enable Signatures Staging check box. Otherwise, leave the box checked, which is the default setting.
4. For the Staging Period setting, specify the length of time for which the signatures are in the staging state. The default is 7 days. Note that this setting is not applicable if you have cleared the Enable Signatures Staging setting.
5. Click Next.
The Configure Trusted IP Addresses screen opens.
Note: For more information on attack signatures and signature staging, refer to the Working with Attack Signatures chapter in the Configuration Guide for BIG-IP® Application Security Management.
In this step of the Deployment Wizard, you configure trusted IP addresses. Trusted IP addresses represent known clients or users, for example, an internal test team. When you configure trusted IP addresses in the Deployment Wizard, the Policy Builder instantly updates the security policy with any new or updated entities that the trusted traffic may generate.
For more information on trusted IP addresses, heuristics, and the Policy Builder in general, refer to the Building a Security Policy Automatically with the Policy Builder chapter in the Configuration Guide for BIG-IP® Application Security Management.
1. On the Configure Trusted IP Addresses screen, for the Trusted IP Addresses setting, select Address List.
4. When finished, click Next.
The Web Application Properties screen opens, and the Deployment Wizard verifies that the system is receiving traffic.
1. On the Configure Trusted IP Addresses screen, for the Trusted IP Addresses setting, select Address Range.
2. In the From box, type an IP address that represents the beginning of the IP address range.
3. In the To box, type an IP address that represents the end of the IP address range.
4. Click Next.
The Web Application Properties screen opens, and the Deployment Wizard verifies that the system is receiving traffic.
Before the Deployment Wizard starts the Policy Builder, the wizard verifies that the application servers are receiving traffic. In the messages and information area of the screen (near the top), you see a notification that the system is checking to see if Application Security Manager is logging requests. The Deployment Wizard moves to the next phase only after it has successfully logged at least one request.
The ASM logging failed.
If you see this message, then you need to review the networking configuration.
ASM logging started successfully.
If you see this message, then the Deployment Wizard starts the Policy Builder.
Checking to see if ASM is logging requests.
If you see this message, the Application Security Manager may still be parsing and analyzing received requests. Allow the system several minutes to analyze requests.
After the Deployment Wizard has successfully tested the logging mechanism, the wizard automatically starts the Policy Builder. The Policy Builder is an automated tool that discovers and populates the security policy with the web application entities. As the Policy Builder runs, you see status messages or a progress bar in the messages and information area of the screen. The status messages include information on the number of parsed requests, and the number of found file types, URLs, and parameters. Figure 3.1 shows an example of the status messages in the Policy Builder.
The Policy Builder runs until it determines that the new security policy is stable, that is, has little to no change. Depending on your web application, and the typical traffic flow, this process may take from a few hours up to several days. Once the Policy Builder determines that the security policy is stable, you finalize the security policy, and exit the Deployment Wizard.
Note: For more information on the Policy Builder, see the Building a Security Policy Automatically with the Policy Builder chapter of the Configuration Guide for BIG-IP® Application Security Management.
The Deployment Wizard notifies you, in the messages and information area of the screen, when the Policy Builder has finished building the new security policy, and determines that the security policy is at a stable point. This point occurs when there are few or no new learning suggestions for a period of time. Once the security policy is stable, you can finalize the security policy and finish the deployment process. You can also finalize the deployment at any time by clicking the Skip button in the messages and information area.
Important: Finalizing the deployment by clicking the Skip button does not stop the Policy Builder. For information on stopping the Policy Builder, refer to the Stopping the Policy Builder section of the Building a Security Policy Automatically with the Policy Builder chapter, in the Configuration Guide for BIG-IP® Application Security Management.
When you finalize the Deployment Wizard, the Policy Builder takes a series of actions that are based on your selection in the finalization step. The possible actions are:
Clears the wildcard match all (*) entities from the file types and parameters list.
Retains the wildcard match all (*) entity in the URLs list.
Retains the wildcard match all (*) entity in the file types, URLs, and parameters lists.
Clears the wildcard match all (*) entities from the file types and parameters list.
Retains the wildcard match all (*) entity in the URLs list.
1. In the Finish the Deployment area, for the Actions setting, select the action that you want the Deployment Wizard to take.
2. For the Enable Signature Staging setting, clear the check box if you do not want the system to put detected attack signature patterns in a staging period. Otherwise, leave the box checked, which is the default setting.
3. For the Stop Policy Builder setting, check the box if you want the Policy Builder to stop processing requests.
4. Click Finish.
The Deployment Wizard performs the action you specified, and exits. The wizard also takes the following actions:
Changes the web application logging profile from Log all requests to Log illegal requests.
Performs the Apply Policy action.
If there are learning suggestions that the Policy Builder could not resolve, you evaluate each individually, and decide which course of action you want to take.
You can accept the learning suggestion, which updates the security policy with the suggested entity. Click the Apply Policy button to put the updated security policy into effect.
You can disable the learning suggestion, which clears the learning suggestion, and disables the Learn, Alarm, and Block flags on the Blocking Policy screen. The Learning Manager no longer generates the disabled learning suggestion, once you click the Apply Policy button to put the updated security policy into effect.
You can clear the learning suggestion. The Learning Manager continues to generate learning suggestions for the violation.
For more information on the learning process and learning suggestions, refer to the Refining the Security Policy Using Learning chapter in the Configuration Guide for BIG-IP® Application Security Management.
Once you have a stable security policy, and the violations that you see represent legitimate security policy violations (that is, they are requests that are not safe or that you would not allow for your application), you can transition the enforcement mode from transparent to blocking. When the enforcement mode is blocking, and in the blocking policy you enable the Block flag for a violation, the Security Enforcer no longer allows offending requests to reach the back-end resources. Instead, the Security Enforcer blocks the request, and sends the blocking response page to the client. The blocking response page includes a Support ID, which identifies the violating request in the Application Security Manager logs.
You do not have to enable blocking for all applicable violations. Instead, you can phase in blocking by enabling the Block flag only for selected violations. For example, you can change the enforcement mode to blocking, and disable all the Block flags for all of the violations. As the system processes requests, you can examine any new violations that occur. At this point, you can either update the security policy, or if the violation is not application traffic that you want to allow, enable the Block flag for that violation. The next time a similar request comes in, the system blocks the request.
For more information on the blocking policy, the enforcement mode, and how the system processes requests that trigger violations, refer to the Working with the Security Policy chapter of the Configuration Guide for BIG-IP® Application Security Management.
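The two behaviours that matter most when moving a policy into production, signature staging (described in the attack signatures step above) and the transparent-versus-blocking enforcement mode with per-violation Block flags (described in the preceding paragraphs), can be modelled in a few lines. The following Python is an added illustration and is not code from F5 or from the BIG-IP ASM product; the Policy, Signature, Decision, evaluate and demo names, the violation strings and the SIG-EXAMPLE-1 signature are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional
import secrets

# Constructed model of the enforcement behaviour this chapter describes.
# Added illustration only: not F5 code, and every name below (Policy,
# Signature, Decision, evaluate, demo) is an assumption made for the example.

SIGNATURE_VIOLATION = "Attack signature detected"


@dataclass
class Signature:
    """One attack signature and its staging state."""
    name: str
    staged_since: Optional[datetime] = None  # None: enforced; else staging start
    hits: int = 0                            # matches counted, staged or not


@dataclass
class Policy:
    enforcement_mode: str                    # "transparent" or "blocking"
    block_flags: dict                        # violation name -> Block flag set?
    staging_period: timedelta = timedelta(days=7)  # wizard default: 7 days
    signatures: dict = field(default_factory=dict)


@dataclass
class Decision:
    action: str                              # "allow" or "block"
    violations: list                         # what the request is logged with
    support_id: Optional[str] = None         # present only on a blocking page


def in_staging(sig: Signature, policy: Policy, now: datetime) -> bool:
    """A staged signature stays staged until the staging period has elapsed."""
    return sig.staged_since is not None and now < sig.staged_since + policy.staging_period


def evaluate(policy: Policy, violations: list, matched_signatures: list,
             now: datetime) -> Decision:
    """Decide allow/block for one request from its violations and signature matches."""
    logged = list(violations)
    enforceable = [v for v in violations if policy.block_flags.get(v, False)]
    for name in matched_signatures:
        sig = policy.signatures[name]
        sig.hits += 1                        # staging still keeps a hit count
        if in_staging(sig, policy, now):
            # Staged: counted and logged, but never a reason to block.
            logged.append(f"{SIGNATURE_VIOLATION} (staged: {name})")
            continue
        logged.append(f"{SIGNATURE_VIOLATION} ({name})")
        if policy.block_flags.get(SIGNATURE_VIOLATION, False):
            enforceable.append(SIGNATURE_VIOLATION)
    if policy.enforcement_mode == "blocking" and enforceable:
        # Blocking mode plus an enabled Block flag: the request is stopped and the
        # blocking page carries a Support ID that ties it back to the request log.
        return Decision("block", logged, support_id=str(secrets.randbits(64)))
    # Transparent mode, or only violations whose Block flag is off: log and forward.
    return Decision("allow", logged)


def demo() -> dict:
    """Constructed scenarios: one request under successive policy states."""
    t0 = datetime(2024, 1, 1)

    def make_policy(mode: str) -> Policy:
        return Policy(
            enforcement_mode=mode,
            block_flags={"Illegal file type": True,
                         "Illegal parameter": False,
                         SIGNATURE_VIOLATION: True},
            signatures={"SIG-EXAMPLE-1": Signature("SIG-EXAMPLE-1", staged_since=t0)},
        )

    return {
        # Transparent mode: the violation is logged, the request still goes through.
        "transparent": evaluate(make_policy("transparent"), ["Illegal file type"], [], t0),
        # Blocking mode with the Block flag set for this violation.
        "blocking_flagged": evaluate(make_policy("blocking"), ["Illegal file type"], [], t0),
        # Blocking mode, but this violation's Block flag was left cleared (phased rollout).
        "blocking_unflagged": evaluate(make_policy("blocking"), ["Illegal parameter"], [], t0),
        # Signature match on day 1 of the 7-day staging period: logged, not blocked.
        "staged_signature": evaluate(make_policy("blocking"), [], ["SIG-EXAMPLE-1"],
                                     t0 + timedelta(days=1)),
        # Same match after staging has elapsed: the signature is now enforced.
        "enforced_signature": evaluate(make_policy("blocking"), [], ["SIG-EXAMPLE-1"],
                                       t0 + timedelta(days=8)),
    }


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label:20s} {decision.action:5s} {decision.violations}")
```

Running the module prints one line per scenario. The "blocking_unflagged" case is the phased rollout the text recommends: the enforcement mode is already Blocking, yet a violation whose Block flag is still cleared is only logged, so it can be reviewed before its flag is enabled.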
1. On the Main tab of the Application Security navigation pane, click Policy.
The Security Policy Properties screen opens.
2. From the Blocking menu, choose Settings.
The Blocking Policy screen opens.
3. In the Configuration area, for the Enforcement Mode setting, select Blocking.
The system activates the Block flag for all of the violations.
5. Click the Save button.
6. In the editing context area, click the Apply Policy button to immediately put the changes into effect.
Tip: The Hand icon above the editing context area indicates that the security policy is in blocking mode. Click the Hand icon to see a list of the violations that have the Block flag enabled.