Manual Chapter: Creating a Security Policy for a Production Environment

You can use the Application Security Manager Policy Builder to automatically build a security policy that protects a production system exposed to untrusted Internet traffic. The Policy Builder is an automated tool that creates a security policy based on settings that you configure using the Deployment wizard.
Verifying that the application servers are receiving traffic and that Application Security Manager is logging the traffic
Important: The procedures in this deployment start after you have configured the network settings that are appropriate for your environment. Refer to Chapter 2, Performing Basic Configuration Tasks, if you have not yet configured network connectivity.
The Deployment wizard guides you through the tasks required for creating a security policy. When you start the Deployment wizard, you select a deployment scenario. Each deployment scenario includes preset configuration options. The configuration options are tailored to address the needs of the environment or application for which you are creating a security policy. In this case, you are designing a security policy to protect untrusted traffic in a production site.
1. On the Main tab of the navigation pane, expand Application Security and click Web Applications.
   The Web Applications screen opens in a new browser session.
2. In the Name column, click the web application that matches the application security class name that you created in Defining an application security class.
   The Select Deployment Scenario screen opens.
3. For Deployment Scenario, use the default value, Production Site (Untrusted Traffic).
4. Click the Next button.
   The Configure Web Application Properties screen opens.
In this step of the wizard, you specify the language encoding for the web application. Specifying the application language determines the default character set that the security policy enforces. For additional information on web application configuration, see the Working with Web Applications chapter in the Configuration Guide for BIG-IP® Application Security Manager.
1. On the Configure Web Application Properties screen, for the Application Language setting, select one of the following options:
   - Leave the setting at the default value, Auto detect. When the Policy Builder starts, it determines the language encoding based on application data.
2. Click Next.
   The Configure Attack Signatures screen opens.
Attack signatures represent known attack patterns that the system can check for. In this step of the wizard, you create an attack signature set for the security policy. By default, a set of generic attack signatures is included in every policy. You can add attack signatures depending on the systems in your networking configuration.
This step also puts the attack signatures in staging. Staging means that the system applies the attack signatures to the web application traffic, but does not block traffic during the staging period (even if traffic matches a signature that is supposed to be blocked). The system tracks the number of incidents that occur for each attack signature and provides learning suggestions.
At the end of the staging period (seven days, by default), you can review the attack signatures on the Traffic Learning screen (Application Security >> Manual >> Traffic Learning). You can click Enforce Signatures to remove from staging all signatures that were not hit during the staging period, and start enforcing them. Only signatures that had hits are left on the screen, and you can investigate them to see if they are false positives or if they indicate actual attacks.
1. On the Configure Attack Signatures screen, for the Systems setting, from the Available Systems list, select the systems that apply to your web application.
   Tip: Hold the Ctrl key to select more than one system in the list.
3. Click Next.
   The Configure Trusted IP Addresses screen opens.
Note: For more information on attack signatures and signature staging, refer to the Working with Attack Signatures chapter in the Configuration Guide for BIG-IP® Application Security Manager.
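To make the end-of-staging decision concrete, the following is an added Python simulation (not F5 code and not an ASM API) of the Enforce Signatures review: it counts signature hits that fall inside the seven-day staging window and separates signatures that can be enforced from those that still need a false-positive check. The log line format, signature ids, URLs and dates are all constructed.

```python
from collections import Counter
from datetime import datetime, timedelta

STAGING_PERIOD = timedelta(days=7)  # ASM default staging period

# Constructed sample records, "<timestamp> <signature id> <url>" per line.
# Illustrative values only, not real BIG-IP log output or real signature ids.
STAGING_HITS = """\
2024-03-02T10:15:00 200000098 /search.php
2024-03-02T11:02:30 200000098 /search.php
2024-03-05T09:40:12 200001475 /login
2024-03-09T14:00:00 200003099 /admin
"""

# Signatures the wizard placed in staging (constructed ids).
STAGED_SIGNATURES = {200000098, 200001475, 200003099, 200004112, 200005001}


def hits_in_staging(log_text, staging_start):
    """Count matches per signature that fell inside the staging window."""
    end = staging_start + STAGING_PERIOD
    counts = Counter()
    for line in log_text.splitlines():
        ts, sig_id, _url = line.split()
        when = datetime.fromisoformat(ts)
        if staging_start <= when < end:
            counts[int(sig_id)] += 1
    return counts


def review_staging(log_text, staged, staging_start_iso):
    """Mirror the Enforce Signatures action: signatures with no hits leave
    staging and are enforced; signatures with hits stay listed for a manual
    false-positive check. Returns (enforce, review)."""
    counts = hits_in_staging(log_text, datetime.fromisoformat(staging_start_iso))
    enforce = sorted(s for s in staged if counts[s] == 0)
    review = {s: counts[s] for s in sorted(staged) if counts[s] > 0}
    return enforce, review


if __name__ == "__main__":
    enforce, review = review_staging(STAGING_HITS, STAGED_SIGNATURES, "2024-03-01")
    print("enforce now:", enforce)   # the 03-09 hit falls after the window and is not counted here
    print("review for false positives:", review)
```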
In this step of the Deployment wizard, you configure trusted IP addresses. Trusted IP addresses represent known clients or users, for example, an internal test team. When you add trusted IP addresses in the Deployment wizard, the Policy Builder instantly updates the security policy with any new or updated entities that the trusted traffic may generate.
For more information on trusted IP addresses, heuristics, and the Policy Builder in general, refer to the Building a Security Policy Automatically with the Policy Builder chapter in the Configuration Guide for BIG-IP® Application Security Manager.
1. On the Configure Trusted IP Addresses screen, for the Trusted IP Addresses setting, select Address List.
4. When finished, click Next.
   The Web Application Properties screen opens, and a message states The initial configuration of the web application is complete.
1. On the Configure Trusted IP Addresses screen, for the Trusted IP Addresses setting, select Address Range.
2. In the From box, type an IP address that represents the beginning of the IP address range.
3. In the To box, type an IP address that represents the end of the IP address range.
4. Click Next.
   The Web Application Properties screen opens, and a message states The initial configuration of the web application is complete.
Before the Deployment wizard starts the Policy Builder, the wizard verifies that the application servers are receiving traffic. In the messages and information area of the screen (near the top), you see a notification that the system is checking to see if Application Security Manager is detecting traffic. The Deployment wizard moves to the next phase only after it has successfully detected at least one request.
1. Open a new browser session to the web application using the IP address of the virtual server that you set up on the BIG-IP system.
   Checking to see if ASM is detecting traffic: If you see this message, the Application Security Manager may still be parsing and analyzing received requests. Allow the system several minutes to analyze requests.
   The ASM did not detect any traffic: If you see this message, you need to review the networking configuration (check the VLAN, self IP address, pool, HTTP class, and virtual server). See Chapter 2, Performing Basic Configuration Tasks.
   The Policy Builder is running: If you see this message, the system has started the Policy Builder.
After the system detects traffic, the Deployment wizard automatically starts the Policy Builder. The Policy Builder is an automated tool that discovers and populates the security policy with the web application entities. As the Policy Builder runs, you see status messages or a progress bar in the messages and information area of the screen. The status messages include information on the number of parsed requests, and the number of found file types, URLs, and parameters. Figure 4.1 shows an example of the status messages in the Policy Builder.
The Policy Builder runs until it determines that the new security policy is stable, that is, has little to no change. Depending on your web application, and the typical traffic flow, this process may take from a few hours up to several days. Once the Policy Builder determines that the security policy is stable, you finalize the security policy, and exit the Deployment wizard.
Note: For more information on the Policy Builder, see the Building a Security Policy Automatically with the Policy Builder chapter of the Configuration Guide for BIG-IP® Application Security Manager.
The Deployment wizard notifies you, in the messages and information area of the screen, when the Policy Builder has finished building the new security policy, and determines that the security policy is at a stable point. This point occurs when few or no new learning suggestions occur for a period of time. When the security policy is stable, you can fine-tune the security policy by checking for false positives and finish the deployment process. You can also finalize the deployment at any time by clicking the Skip button in the messages and information area.
Important: Finalizing the deployment by clicking the Skip button does not stop the Policy Builder. For information on stopping the Policy Builder, refer to the Stopping the Policy Builder section of the Building a Security Policy Automatically with the Policy Builder chapter, in the Configuration Guide for BIG-IP® Application Security Manager.
When you finalize the Deployment wizard, the Policy Builder takes a series of actions that are based on your selection in the finalization step. The possible choices are:
Go to the Traffic Learning page to fine-tune the security policy.
When you select this choice, the system performs the following actions:
   - Removes the wildcard match all (*) entities from the file types and parameters lists.
   - Retains the wildcard match all (*) entity in the URLs list.
Exit the Deployment Wizard without fine-tuning the security policy. Learning suggestions are kept.
When you select this choice, the system performs the following action:
   - Retains the wildcard match all (*) entity in the file types, URLs, and parameters lists.
Exit the Deployment Wizard without fine-tuning the security policy. Learning suggestions are deleted.
When you select this choice, the system performs the following actions:
   - Removes the wildcard match all (*) entities from the file types and parameters lists.
   - Retains the wildcard match all (*) entity in the URLs list.
Note: If you do not fine-tune the security policy and switch to blocking mode, users could be blocked if they trigger certain violations.
1. In the Finish the Deployment area, for the Actions setting, select the action that you want the Deployment wizard to take.
2. For the Enable Signature Staging setting, clear the check box if you do not want the system to put detected attack signature patterns in a staging period. Otherwise, leave the box checked, which is the default setting.
3. For the Stop Policy Builder setting, check the box if you want the Policy Builder to stop processing requests.
4. Click Finish.
   The Deployment wizard performs the action you specified, and exits. The wizard also takes the following actions:
   - Changes the web application logging profile from Log all requests to Log illegal requests.
   - Performs the Apply Policy action.
When the new security policy is applied to the production traffic, the Application Security Manager may start generating learning suggestions or ways to fine-tune the security policy to better suit the traffic. You can evaluate each suggestion individually, and decide whether to add it to the policy.
1. On the Application Security navigation pane, click Manual.
   The Traffic Learning screen opens.
2. In the Traffic Learning section, click a violation hyperlink.
   The screen shows the instances of that violation and resulting learning suggestions.
   - Accept: Select a learning suggestion, click Accept, and then click Apply Policy. The system updates the security policy to allow the element.
     Tip: For violations that generate many learning suggestions that you want to accept, consider disabling the violation (step 4).
   - Clear: Select a learning suggestion, and click Clear. The system removes the learning suggestion but continues to generate suggestions for that violation.
   - Cancel: To return to the Traffic Learning screen, click Cancel.
4. On the Traffic Learning screen, review the violations and consider whether you want to allow any of them. Select the violations you want to allow and click Disable Violation, then OK.
   The system clears the Learn, Alarm, and Block settings for those violations.
5. Click Apply Policy, then OK.
Note: For more information on the learning process and learning suggestions, refer to the Refining the Security Policy Using Learning chapter in the Configuration Guide for BIG-IP® Application Security Manager.
Once you have a stable security policy, and the violations that you see represent legitimate security policy violations (that is, they are requests that are not safe or that you would not allow for your application), you can transition the enforcement mode from transparent to blocking. When the enforcement mode is blocking, and in the blocking policy you enable the Block flag for a violation, the Security Enforcer no longer allows offending requests to reach the back-end resources. Instead, the Security Enforcer blocks the request, and sends the blocking response page to the client. The blocking response page includes a Support ID, which identifies the violating request in the Application Security Manager logs.
You do not have to enable blocking for all applicable violations. Instead, you can phase in blocking by enabling the Block flag only for selected violations. For example, you can change the enforcement mode to blocking, and disable all the Block flags for all of the violations. As the system processes requests, you can examine any new violations that occur. You can then either update the security policy, or if the violation is not application traffic that you want to allow, enable the Block flag for that violation. The next time a similar request comes in, the system blocks the request.
For more information on the blocking policy, the enforcement mode, and how the system processes requests that trigger violations, refer to the Manually Configuring Security Policies chapter of the Configuration Guide for BIG-IP® Application Security Manager.
1. On the Main tab of the Application Security navigation pane, click Policy.
   The Security Policy Properties screen opens.
2. From the Blocking menu, choose Settings.
   The Blocking Policy screen opens.
3. In the Configuration area, for the Enforcement Mode setting, select Blocking.
   The system activates the Block flags (unavailable when the mode is set to Transparent). Figure 4.3 shows enforcement set to blocking.
4. Select or clear the Block check boxes, as required, for the violations.
5. Click the Save button.
6. In the editing context area, click the Apply Policy button to immediately put the changes into effect.
   Tip: The Blocking icon (hand) above the editing context area indicates that the security policy is in blocking mode. Click the Blocking icon to see a list of the violations for which the system will block traffic.
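The following is an added Python model (not F5 code and not an F5 API) of how the enforcement mode and the per-violation Block flags combine, walking through the phased transition described above: transparent mode never blocks, blocking mode with all Block flags cleared still only logs, and enabling Block for a single violation starts blocking requests that trigger it. The violation names, the Support ID format and the request ids are illustrative.

```python
from dataclasses import dataclass, field

# Constructed model of an ASM blocking policy (not F5 code or an F5 API):
# each violation carries Learn / Alarm / Block flags, and Block is honoured
# only while the enforcement mode is "blocking".
@dataclass
class ViolationFlags:
    learn: bool = True
    alarm: bool = True
    block: bool = False


@dataclass
class BlockingPolicy:
    enforcement_mode: str = "transparent"   # "transparent" or "blocking"
    violations: dict = field(default_factory=dict)

    def flags(self, name):
        return self.violations.setdefault(name, ViolationFlags())

    def set_block(self, name, enabled):
        self.flags(name).block = enabled


def enforce_request(policy, triggered, request_id):
    """Decide what the Security Enforcer does with one request that raised the
    given violations. Returns (action, support_id, alarmed_violations); the
    support id format is a constructed placeholder."""
    alarmed = [v for v in triggered if policy.flags(v).alarm]
    if policy.enforcement_mode == "blocking":
        if any(policy.flags(v).block for v in triggered):
            # Client gets the blocking response page; the Support ID ties it to the ASM log entry.
            return "block", f"SUPPORT-{request_id:06d}", alarmed
    # Transparent mode, or no Block flag set: request reaches the back end, violation is only logged.
    return "allow", None, alarmed


def phased_rollout():
    """The phased approach described above, for one request that triggers
    two violations (illustrative violation names)."""
    policy = BlockingPolicy()
    request = ["Illegal file type", "Attack signature detected"]
    steps = [("transparent", enforce_request(policy, request, 1)[0])]
    policy.enforcement_mode = "blocking"                  # switch mode, all Block flags still clear
    steps.append(("blocking, no Block flags", enforce_request(policy, request, 2)[0]))
    policy.set_block("Attack signature detected", True)   # enable Block for one violation only
    steps.append(("blocking, Block on signature", enforce_request(policy, request, 3)[0]))
    return steps
```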