Manual Chapter: Creating a Security Policy for XML Transactions

The Application Security Manager can create a security policy that enforces correct use of XML and the definitions in the WSDL or schema for site traffic. The Web Services deployment scenario describes how to create a security policy to protect web services or XML transactions. An XML-transaction security policy checks XML traffic to verify that it is valid and well-formed and, depending on your settings, can validate XML-document integrity against a specified WSDL or XSD file.
You create this security policy by using the Deployment wizard. The Deployment wizard guides you through the following tasks:
Verifying that the application servers are receiving traffic and that Application Security Manager is logging the traffic
Important: The procedures in this deployment start after you have configured the network settings that are appropriate for your environment. Refer to Chapter 2, Performing Basic Configuration Tasks, if you have not yet configured network connectivity.
The Deployment wizard guides you through the tasks required for creating a security policy. When you start the Deployment wizard, you select a deployment scenario. Each deployment scenario includes preset configuration options. The configuration options are tailored to address the needs of the environment or application for which you are creating a security policy. In this case, you are designing a security policy to protect a web service.
1. On the Main tab of the navigation pane, expand Application Security and click Web Applications.
   The Web Applications screen opens in a new browser session.
2. In the Name column, click the web application name that matches the application security class name that you created in "Defining an application security class".
   The Select Deployment Scenario screen opens.
3. For Deployment Scenario, select Web Services (XML + WSDL / User Schema).
4. Click the Next button.
   The Configure Web Application Properties screen opens.
In this step, you specify the web application language, which is the language encoding. The web application language determines the character set that the security policy enforces. For additional information on configuring web application properties, see the Working with Web Applications chapter in the Configuration Guide for BIG-IP® Application Security Manager.
1. On the Configure Web Application Properties screen, for the Application Language setting, select a specific language from the list.
2. Click Next.
   The Configure Attack Signatures screen opens.
Attack signatures represent known attack patterns that the system can check for. In this step of the wizard, you create an attack signature set for the security policy. By default, a set of generic attack signatures is included in every policy. You can add attack signatures depending on the systems in your networking configuration.
This step also puts the attack signatures in staging. Staging means that the system applies the attack signatures to the web application traffic, but does not block traffic during the staging period (even if traffic matches a signature that is supposed to be blocked). The system tracks the number of incidents that occur for each attack signature and provides learning suggestions.
At the end of the staging period (seven days, by default), you can review the attack signatures on the Traffic Learning screen (Application Security >> Manual >> Traffic Learning). You can click Enforce Signatures to remove from staging all signatures that were not hit during the staging period, and start enforcing them. Only signatures that had hits are left on the screen, and you can investigate them to see if they are false positives or if they indicate actual attacks.
1. On the Configure Attack Signatures screen, for the Systems setting, from the Available Systems list, select the systems that apply to your web application.
   Tip: Hold the Ctrl key to select more than one system in the list.
3. Click Next.
   The Create New XML Profile screen opens and displays the message "The initial configuration of the web application is complete. You can now create a new XML profile."
Note: For more information on attack signatures and signature staging, refer to the Working with Attack Signatures chapter in the Configuration Guide for BIG-IP® Application Security Manager.
The next task in this deployment is to create and configure an XML profile to define the XML data that needs to be protected. You can create a basic XML profile, one with WSDL validation for web services, or one with schema file validation. Note that the steps in this part of the Deployment wizard differ depending on which type of XML profile you are creating.
Note: For detailed information on working with XML profiles and web services encryption, refer to the Protecting XML Applications chapter in the Configuration Guide for BIG-IP® Application Security Manager.
You can create a basic XML profile for defense configuration. The defense configuration provides formatting and attack pattern checks for XML data. The default defense configuration level is high, which is the strictest defense level.
1. On the Create New XML Profile screen, for Profile Name, type a unique name for the XML profile.
2. Click Create.
   The Associate XML Profile screen opens.
3. For the Associate XML Profile setting, select either URL or Parameter. If you select Parameter, also select the parameter level (either Global Parameter or URL Parameter).
4. Click Next, and proceed to the next task.
   - If you selected URL in step 3, the New URL screen opens. Refer to "To create a new URL" to continue with the wizard.
   - If you selected Global Parameter in step 3, the New Parameter screen opens. Refer to "To create a new global parameter" to continue with the wizard.
   - If you selected URL Parameter in step 3, the New URL screen opens. Refer to "To create a new URL parameter" to continue with the wizard.
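The defense configuration described above applies formatting and attack pattern checks to XML data before any WSDL or schema validation takes place. The following is an added example, not F5 code, that approximates that kind of check with the standard-library expat parser: it rejects malformed documents, documents that carry a DTD, and documents that exceed nesting, element, attribute, or name-length limits. The limits, the names of the violation kinds, and the sample bodies are all constructed for illustration and do not correspond to the product's own settings.

```python
# Added example (not F5 code): an approximation of the formatting and attack
# pattern checks an XML defense configuration applies to a request body, built on
# the standard-library expat parser. The limits and the set of checks are
# assumptions chosen for illustration.
import xml.parsers.expat

# Assumed limits; a strict defense level would use small values like these.
LIMITS = {
    "max_depth": 8,         # maximum element nesting depth
    "max_elements": 200,    # maximum number of elements in one document
    "max_attributes": 10,   # maximum attributes on a single element
    "max_name_length": 64,  # maximum element or attribute name length
}


def check_xml_defense(body: bytes, limits: dict = LIMITS) -> list:
    """Return the kinds of violation found in an XML body, in order of first
    occurrence. An empty list means the document passed every check."""
    found = []
    state = {"depth": 0, "elements": 0}

    def add(kind):
        if kind not in found:
            found.append(kind)

    def start_element(name, attrs):
        state["depth"] += 1
        state["elements"] += 1
        if state["depth"] > limits["max_depth"]:
            add("depth")
        if state["elements"] > limits["max_elements"]:
            add("element_count")
        if len(attrs) > limits["max_attributes"]:
            add("attribute_count")
        if any(len(n) > limits["max_name_length"] for n in (name, *attrs)):
            add("name_length")

    def end_element(name):
        state["depth"] -= 1

    def start_doctype(doctype_name, system_id, public_id, has_internal_subset):
        # Any DTD in a request body is treated as a violation: entity-expansion
        # and external-entity payloads depend on one being accepted.
        add("doctype")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.StartDoctypeDeclHandler = start_doctype
    try:
        parser.Parse(body, True)
    except xml.parsers.expat.ExpatError:
        add("malformed")
    return found


# Constructed sample bodies.
CLEAN_SOAP = (
    b'<?xml version="1.0"?>'
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<soap:Body><GetQuote><symbol>ABC</symbol></GetQuote></soap:Body>'
    b'</soap:Envelope>'
)
DEEP_NESTING = b"<a>" * 12 + b"x" + b"</a>" * 12
WITH_DTD = b'<!DOCTYPE foo [<!ENTITY e "text">]><foo>&e;</foo>'
MALFORMED = b"<a><b></a>"

if __name__ == "__main__":
    for label, body in [("clean", CLEAN_SOAP), ("deep", DEEP_NESTING),
                        ("dtd", WITH_DTD), ("malformed", MALFORMED)]:
        print(label, check_xml_defense(body) or "ok")
```

The checks run as the document is parsed, so an oversized or deeply nested body is flagged without first being loaded into a tree; the returned list of violation kinds is what a policy would then map to Learn, Alarm, or Block settings.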
When you create an XML profile that validates the configuration based on the contents of a WSDL document, the system populates the security policy with the URLs and methods in the WSDL document. The resulting security policy then enforces the allowed (or disallowed) methods for the Web services application.
1. On the Create New XML Profile screen, in the Create Profile area, in the Profile Name box, type a unique name for the XML profile.
2. In the Validation Configuration area, for the File option of the Configuration Files setting, click Browse and navigate to the WSDL document.
3. Click Upload.
   The screen displays the uploaded files.
4. For the Follow Schema Links setting, clear the check box if you do not want the system to retrieve referenced links that are in the WSDL document. By default, this setting is enabled.
5. To permit SOAP messages to contain attachments, select the Allow Attachments in SOAP Messages check box.
6. For the Validate SOAPAction Header setting, clear the check box if you do not want the system to validate the SOAPAction header. By default, this setting is enabled.
7. Click Create.
   In most cases, the system automatically associates a URL or parameter with the application based on the WSDL file, and displays the new XML profile on the XML Profiles screen. Continue with "Verifying that the application servers are receiving traffic".
8. If a URL was not automatically associated, the Associate XML Profile screen opens, where you can associate a URL or parameter with the profile.
   a) For Associate XML Profile, select URL or Parameter. If you select Parameter, also select the parameter level (either Global Parameter or URL Parameter).
   b) Click Next, and proceed to the next task.
      - If you selected URL in step 8a, the New URL screen opens. Refer to "To create a new URL" to continue with the wizard.
      - If you selected Global Parameter in step 8a, the New Parameter screen opens. Refer to "To create a new global parameter" to continue with the wizard.
      - If you selected URL Parameter in step 8a, the New URL screen opens. Refer to "To create a new URL parameter" to continue with the wizard.
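A WSDL-based XML profile turns the WSDL document into an allow-list of service URLs and operations, and the Validate SOAPAction Header setting ties each request's SOAPAction header to one of those operations. The following is an added example, not F5 code, that shows that derivation on a constructed WSDL 1.1 document using only the standard library: it collects the soap:address location paths and the soapAction values from the bindings, then checks a request's method, path, and SOAPAction header against them. The WSDL, the request samples, and the violation names are constructed; wsdl:import and schema links are not followed, which is what clearing Follow Schema Links amounts to.

```python
# Added example (not F5 code): derive an allow-list of URLs and SOAPAction values
# from a WSDL document and check requests against it, which is the kind of
# enforcement a WSDL-based XML profile performs. The WSDL and the requests are
# constructed; wsdl:import and schema links are not followed.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
SOAP_BIND_NS = "http://schemas.xmlsoap.org/wsdl/soap/"

# Constructed WSDL for a fictional quote service.
SAMPLE_WSDL = b"""<?xml version="1.0"?>
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
             xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
             xmlns:tns="urn:example:quotes" targetNamespace="urn:example:quotes">
  <binding name="QuoteBinding" type="tns:QuotePortType">
    <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="GetQuote">
      <soap:operation soapAction="urn:example:quotes:GetQuote"/>
    </operation>
    <operation name="ListSymbols">
      <soap:operation soapAction="urn:example:quotes:ListSymbols"/>
    </operation>
  </binding>
  <service name="QuoteService">
    <port name="QuotePort" binding="tns:QuoteBinding">
      <soap:address location="http://quotes.example.com/ws/quote"/>
    </port>
  </service>
</definitions>"""


def policy_from_wsdl(wsdl: bytes) -> dict:
    """Extract the allowed request paths and SOAPAction values from a WSDL 1.1 document."""
    root = ET.fromstring(wsdl)
    paths = set()
    for address in root.iter(f"{{{SOAP_BIND_NS}}}address"):
        paths.add(urlparse(address.get("location", "")).path)
    actions = {}
    # Only binding operations carry a soap:operation child; portType operations are skipped.
    for op in root.iter(f"{{{WSDL_NS}}}operation"):
        soap_op = op.find(f"{{{SOAP_BIND_NS}}}operation")
        if soap_op is not None and soap_op.get("soapAction") is not None:
            actions[soap_op.get("soapAction")] = op.get("name")
    return {"paths": paths, "actions": actions}


def check_request(policy: dict, method: str, path: str, headers: dict,
                  validate_soapaction: bool = True) -> list:
    """Return the violations for one request; an empty list means it is allowed."""
    violations = []
    if method.upper() != "POST":
        violations.append("illegal_method")
    if path not in policy["paths"]:
        violations.append("illegal_url")
    if validate_soapaction:
        lowered = {k.lower(): v for k, v in headers.items()}
        # SOAP 1.1 clients usually send the value in double quotes.
        action = lowered.get("soapaction", "").strip().strip('"')
        if action not in policy["actions"]:
            violations.append("illegal_soapaction")
    return violations


if __name__ == "__main__":
    policy = policy_from_wsdl(SAMPLE_WSDL)
    print(policy)
    print(check_request(policy, "POST", "/ws/quote",
                        {"SOAPAction": '"urn:example:quotes:GetQuote"'}))
    print(check_request(policy, "POST", "/ws/quote",
                        {"SOAPAction": "urn:example:quotes:DeleteAll"}))
```

Anything not declared in the WSDL, whether a different path or an operation name the service never advertised, comes back as a violation, which is what "enforces the allowed (or disallowed) methods" means in practice.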
1. On the XML Profiles screen, in the Create Profile area, in the Profile Name box, type a unique name for the XML profile.
2. For the File setting, click Browse and navigate to the schema file.
3. Click Upload.
   The screen displays the uploaded files.
4. For the Follow Schema Links setting, clear the check box if you do not want the system to retrieve referenced links that are in the schema file. By default, this setting is enabled.
5. Click Create.
   The Associate XML Profile screen opens.
6. For the Associate XML Profile setting, select either URL or Parameter. If you select Parameter, also select the parameter level (either Global Parameter or URL Parameter).
7. Click Next.
   The next screen depends on your choice in step 6:
   - If you selected URL in step 6, the New URL screen opens. Refer to "To create a new URL" to continue with the wizard.
   - If you selected Global Parameter in step 6, the New Parameter screen opens. Refer to "To create a new global parameter" to continue with the wizard.
   - If you selected URL Parameter in step 6, the New URL screen opens. Refer to "To create a new URL parameter" to continue with the wizard.
The Deployment wizard guides you to one of the following tasks, based on which type of URL or parameter you decided to associate the XML profile with. Depending on your choice, you next create the URL, global parameter, or URL parameter that the application uses.
To create a new URL
1. On the New Allowed URL screen, for the URL setting, type the explicit URL or wildcard URL that represents the web application.
2. Click Next.
   The URL List screen opens. Refer to "Verifying that the application servers are receiving traffic" to continue with the Deployment wizard.
To create a new global parameter
1. On the New Parameter screen, for the Parameter Name setting, type the name of the parameter.
2. Click Create.
   The Parameters List screen opens. Refer to "Verifying that the application servers are receiving traffic" to continue with the Deployment wizard.
To create a new URL parameter
1. On the New Allowed URL screen, for the URL setting, type the explicit URL or a wildcard URL.
2. Click Next.
   The New Parameter screen opens.
3. On the New Parameter screen, for the Parameter Name setting, type a name for the parameter.
4. Click Create.
   The URL Parameters screen opens. Refer to "Verifying that the application servers are receiving traffic" to continue with the Deployment wizard.
Tip: See the Configuration Guide for BIG-IP® Application Security Manager for detailed information on configuring URLs and parameters.
Verifying that the application servers are receiving traffic
Before the Deployment wizard starts updating the security policy, the wizard verifies that the application servers are receiving traffic. In the messages and information area of the screen (near the top), you see a notification that the system is checking to see if Application Security Manager is detecting traffic.
- Checking to see if ASM is detecting traffic
  If you see this message, the Application Security Manager may still be parsing and analyzing received requests. Allow the system several minutes to analyze requests.
- The ASM did not detect any traffic
  If you see this message, you need to review the networking configuration (check the VLAN, self IP address, pool, HTTP class, and virtual server). See Chapter 2, Performing Basic Configuration Tasks.
- The ASM detected traffic successfully.
  Waiting for a minimum of 10000 requests and at least one hour from running the wizard.
  The ASM detected n requests during x minutes and y seconds.
  If you see these messages, the Application Security Manager has detected traffic and will sample requests until it has processed at least 10,000 requests and at least one hour has passed since you started the Deployment wizard.
- Checking for XML violations
  After successfully detecting traffic and sampling requests, the Application Security Manager processes XML violations for at least one hour. Based on what it finds in the traffic sample and the violations, Application Security Manager automatically adjusts security policy settings to match the traffic and eliminate false positives.
The Deployment wizard notifies you, in the messages and information area of the screen, when you can finalize the deployment of the XML security policy. After the Application Security Manager determines that the security policy is at a stable point, you see messages and a link, as shown in Figure 6.1.
Click the Finalize the deployment link.
The Finish the Deployment screen opens where you have three choices for exiting the Deployment wizard.
When you finalize the Deployment wizard, the system takes a series of actions that are based on your selection in the finalization step. The possible choices are:
- Exit the Deployment Wizard without fine-tuning the security policy. Learning suggestions are kept.
  When you select this action, the system:
- Exit the Deployment Wizard without fine-tuning the security policy. Learning suggestions are deleted.
  When you select this action, the system:
  - Removes all learning suggestions, even those that the system discovered and did not add to the security policy.
1. On the Finish the Deployment screen, for the Actions setting, select the action that you want the Deployment wizard to take.
2. For the Enable Signature Staging setting, clear the check box if you do not want to configure a staging period for signatures (during which attack patterns are detected but not blocked). Otherwise, leave the box checked, which is the default setting.
   Tip: F5 Networks recommends that you leave the box checked. New signatures that you receive through the live update service are placed in staging before they are enforced.
3. Click Finish.
   The Deployment wizard performs the action you specified. The wizard also changes the web application logging profile from Log all requests to Log illegal requests.
When the new security policy is applied to the web services traffic, the Application Security Manager may start generating learning suggestions or ways to fine-tune the security policy to better suit the traffic. After finalizing the Deployment wizard, you can evaluate each suggestion individually, and decide whether to add it to the policy.
1. On the Application Security navigation pane, click Manual.
   The Traffic Learning screen opens.
2. In the Traffic Learning section, click a violation hyperlink.
   The screen shows the instances of that violation and the resulting learning suggestions.
   Tip: For violations that generate many learning suggestions that you want to accept, consider disabling the violation (step 4).
   - Accept: Select a learning suggestion, click Accept, and then click Apply Policy.
     The system updates the security policy to allow the element.
   - Clear: Select a learning suggestion and click Clear.
     The system removes the learning suggestion and continues to generate suggestions for that violation.
   - Cancel: To return to the Traffic Learning screen, click Cancel.
4. On the Traffic Learning screen, review the violations and consider whether you want to allow any of them. Select the violations you want to allow and click Disable Violation, then OK.
   The system clears the Learn, Alarm, and Block settings for those violations.
5. Click Apply Policy, then OK.
Note: For more information on the learning process and learning suggestions, refer to the Refining the Security Policy Using Learning chapter in the Configuration Guide for BIG-IP® Application Security Manager.
Once you have a stable security policy, and the violations that you see represent legitimate security policy violations (that is, they are requests that are not safe or that you would not allow for your application), you can transition the enforcement mode from transparent to blocking. When the enforcement mode is blocking, and in the blocking policy you enable the Block flag for a violation, the Security Enforcer no longer allows offending requests to reach the back-end resources. Instead, the Security Enforcer blocks the request, and sends the blocking response page to the client. The blocking response page includes a Support ID, which identifies the violating request in the Application Security Manager logs.
You do not have to enable blocking for all applicable violations. Instead, you can phase in blocking by enabling the Block flag only for selected violations. For example, you can change the enforcement mode to blocking, and disable all the Block flags for all of the violations. As the system processes requests, you can examine any new violations that occur. You can then either update the security policy, or if the violation is not application traffic that you want to allow, enable the Block flag for that violation. The next time a similar request comes in, the system blocks the request.
For more information on the blocking policy, the enforcement mode, and how the system processes requests that trigger violations, refer to the Manually Configuring Security Policies chapter of the Configuration Guide for BIG-IP® Application Security Manager.
1. On the Main tab of the Application Security navigation pane, click Policy.
   The Security Policy Properties screen opens.
2. From the Blocking menu, choose Settings.
   The Blocking Policy screen opens.
3. In the Configuration area, for the Enforcement Mode setting, select Blocking.
   The system activates the Block flags (which are unavailable when the mode is set to Transparent).
4. Select or clear the Block check boxes, as required, for the violations.
5. Click the Save button.
6. In the editing context area, click the Apply Policy button to immediately put the changes into effect.
Tip: The Blocking icon (hand) above the editing context area indicates that the security policy is in blocking mode. Click the Blocking icon to see a list of the violations for which the system will block traffic.
The Application Security Manager provides several blocking response pages. If your XML application does not parse HTML, you may want to use the SOAP Fault blocking response page, which is formatted using XML. For more information on the blocking response pages, refer to the Configuring the response pages section of the Manually Configuring Security Policies chapter, in the Configuration Guide for BIG-IP® Application Security Manager.
1. On the Main tab of the Application Security navigation pane, click Policy.
   The Security Policy Properties screen opens.
3. From the Blocking menu, choose Response Page.
   The Blocking Response Page screen opens.
4. In the Blocking Response Page area, click Edit.
   The Blocking Response Page Properties screen opens.
5. For the Response Type setting, select SOAP Fault.
6. Click the Save button.
   The system saves the changes, and opens the Blocking Response Page screen.
7. In the editing context area, click the Apply Policy button to put the changes you have made into effect.
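The two ideas that the blocking section and the response page section rely on are that a request is blocked only when the enforcement mode is Blocking and a matching violation has its Block flag set, and that a blocked XML client receives a SOAP Fault whose Support ID points at the log record rather than at any policy detail. The following is an added example, not F5 code, that models both in the standard library: an Enforcer that records every decision with a Support ID and returns a SOAP 1.1 Fault only when the policy says to block. The violation names, fault text, and the Support ID format are constructed for illustration.

```python
# Added example (not F5 code): a model of the enforcement-mode and Block-flag
# decision, returning a SOAP Fault that carries a Support ID when a request is
# blocked. Violation names, the fault text and the Support ID format are
# constructed for illustration.
import secrets
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
ET.register_namespace("soap", SOAP_ENV)


def soap_fault(support_id: str) -> bytes:
    """Build an XML blocking response (a SOAP 1.1 Fault) that reveals only a Support ID."""
    envelope = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    body = ET.SubElement(envelope, f"{{{SOAP_ENV}}}Body")
    fault = ET.SubElement(body, f"{{{SOAP_ENV}}}Fault")
    ET.SubElement(fault, "faultcode").text = "soap:Client"
    ET.SubElement(fault, "faultstring").text = "The request was rejected by the security policy."
    detail = ET.SubElement(fault, "detail")
    ET.SubElement(detail, "supportId").text = support_id
    return ET.tostring(envelope, encoding="utf-8", xml_declaration=True)


def support_id_from_fault(fault_xml: bytes) -> str:
    """Read the Support ID back out of a fault, the value an operator uses to find the log entry."""
    node = ET.fromstring(fault_xml).find(f".//{{{SOAP_ENV}}}Fault/detail/supportId")
    return node.text if node is not None else ""


class Enforcer:
    """Applies a blocking policy: a request is blocked only when the enforcement
    mode is blocking AND at least one of its violations has the Block flag set.
    In transparent mode, or when no matching flag is set, the request is only logged."""

    def __init__(self, enforcement_mode: str = "transparent", block_flags: dict = None):
        assert enforcement_mode in ("transparent", "blocking")
        self.enforcement_mode = enforcement_mode
        self.block_flags = dict(block_flags or {})   # violation name -> Block flag
        self.log = []  # (support_id, violations, action): the record the Support ID points to

    def enforce(self, violations: list):
        support_id = str(secrets.randbelow(10 ** 20)).zfill(20)  # constructed format
        blockable = [v for v in violations if self.block_flags.get(v, False)]
        if self.enforcement_mode == "blocking" and blockable:
            self.log.append((support_id, list(violations), "blocked"))
            return "blocked", support_id, soap_fault(support_id)
        action = "alarm" if violations else "passed"
        self.log.append((support_id, list(violations), action))
        return action, support_id, None


if __name__ == "__main__":
    # Phase 1: blocking mode with every flag off still lets traffic through.
    phase1 = Enforcer("blocking", {"illegal_soapaction": False})
    print(phase1.enforce(["illegal_soapaction"])[0])
    # Phase 2: the flag is enabled for one violation after review.
    phase2 = Enforcer("blocking", {"illegal_soapaction": True})
    action, sid, fault = phase2.enforce(["illegal_soapaction"])
    print(action, sid)
    print(fault.decode())
```

Phasing in blocking is then a matter of flipping individual flags in the Enforcer's table while the log, keyed by Support ID, keeps a record of what each decision was based on.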