Manual Chapter: Creating a Security Policy Automatically

Overview: Automatic policy building

You can use the Application Security Manager™ to automatically build a security policy that is tailored to your environment. The automatic policy building tool is called the Real Traffic Policy Builder®. The Real Traffic Policy Builder (referred to simply as the Policy Builder) creates a security policy based on settings that you configure using the Deployment wizard, and the characteristics of the traffic going to and from the web application that the system is protecting.

Deployment scenarios when creating security policies

The Deployment wizard provides several different scenarios for creating and deploying security policies. Before you start creating a security policy, review the descriptions of each deployment scenario, to help you decide which one is most appropriate for your organization.

Deployment scenarios and their descriptions:

  • Create a policy automatically (recommended): Develops a security policy for a web application by examining traffic. In this scenario, the Policy Builder automatically creates the security policy based on statistical analysis of the traffic and the intended behavior of the application. The system stabilizes and enforces the security policy when it processes sufficient traffic over a period of time.
  • Create a policy manually or use templates: Uses rapid deployment or an application-ready security policy (preconfigured template) to develop a security policy, or lets you develop a policy manually. The system creates a basic security policy that you can review and fine-tune. When the security policy includes all the protections that you need and does not produce any false positives, you can enforce the security policy.
  • Create a policy for XML and web services manually: Develops a security policy to protect web services or XML applications, such as those that use a WSDL or XML schema document. The system creates the security policy based on your configurations, and provides additional learning suggestions that you can review and fine-tune. When the security policy includes all the protections that you need and does not produce any false positives, you can enforce the security policy.
  • Create a policy using third party vulnerability assessment tool output: Creates a security policy based on integrating the output from a vulnerability assessment tool, such as WhiteHat Sentinel. Based on the results from an imported vulnerability report, Application Security Manager automatically mitigates the vulnerabilities on your web site. You can also review and fine-tune the policy. When the security policy includes all the protections that you need and does not produce any false positives, you can enforce the security policy.

Figure: Configure Security Policy link

To create a security policy, you use the Deployment wizard. Click Application Security > Web Applications to show the web applications list. Web applications are created automatically when you create an application security class of the same name. The Configure Security Policy link for the web application is what starts the Deployment wizard.

This figure shows the web applications list with a web application called jsonmanual, ready to begin creating a security policy.

Creating a security policy automatically

Before you can create a security policy, you must have performed the basic system configuration tasks including defining a VLAN, a self IP address, a local traffic pool, an application security class, and a virtual server, according to the needs of your networking environment.
Application Security Manager™ can automatically create a security policy that is tailored to secure your web application in either a production or QA environment. The Deployment wizard guides you through the tasks required to start automatic security policy creation.
  1. On the Main tab, click Application Security > Web Applications.
  2. Locate the web application you want to protect, and click the Configure Security Policy link next to it.
    Tip: If you do not see the web application, first create an application security class.
    The Deployment wizard opens the Select Deployment Scenario screen.
  3. For Deployment Scenario, select Create a policy automatically and click Next. The Configure Web Application Properties screen opens.
  4. From the Application Language list, select the language encoding of the application.
    Important: You cannot change this setting after you have created the security policy.
  5. If the web application is not case-sensitive, clear the Security Policy is case sensitive check box. Otherwise, leave it checked.
    Important: You cannot change this setting after you have created the security policy.
  6. Click Next. The Configure Attack Signatures screen opens.
  7. To configure attack signatures, move the systems used by your web application from the Available Systems list into the Assigned Systems list. The system adds the attack signatures needed to protect the selected systems.
  8. Click Next. The Configure Automatic Policy Building screen opens.
  9. If you want the security policy to automatically detect JSON and XML protocols, select Enable JSON/XML payload detection. If requests contain legitimate XML or JSON data, the Policy Builder creates content profiles in the security policy according to the data it detects.
  10. For Policy Type, select an option to determine the security features to include in the policy (the description of each option lists the security features it includes):
    Fundamental: Creates a security policy that enforces HTTP request protocol compliance, checks for evasion techniques, allowed file types (including length checks), attack signatures, the Request Length Exceeds Predefined Buffer Size violation, and host names.
    Enhanced: Creates a security policy with all the elements of the Fundamental policy type, and adds checks for allowed URLs, meta characters on URLs, global parameters (including length checks), cookies, and allowed methods.
    Comprehensive: Creates a security policy with all the elements of the Enhanced policy type, and adds checks for meta characters on parameters, URL parameters (instead of global parameters), and dynamic parameters.
  11. For Rules, move the slider to change the strictness of the rules.
    Note: If you select a tighter setting, the rules are more strict and it takes Policy Builder more time to collect the statistics needed to build the policy.
    Loose: Use for a smaller request sample; for example, useful for web sites with less traffic.
    Middle: Use for a medium number of requests. This is the default setting, and the one to use if you are not sure about the amount of traffic on the application web site.
    Tight: Use for a large request sample; for example, useful for web sites with lots of traffic.
  12. For Trusted IP Addresses, indicate which IP addresses to consider safe:
    All: Specifies that the policy trusts all IP addresses, for example, if the traffic is in a corporate lab or preproduction environment where all of the traffic is trusted. The policy is created faster.
    Address List: Specifies networks to consider safe. Type the IP Address and Netmask, then click Add. This option is typically used in a production environment where traffic could come from untrusted sources.
  13. Click Next to create the security policy. The Automatic Policy Building Status screen opens where you can view the current state of the security policy.
The Policy Builder starts and automatically begins building the security policy based on the traffic to the web application.

How the security policy is built

When you finish running the Deployment wizard, you have created a basic security policy to protect your web application. The Policy Builder starts examining the application traffic, and fine-tunes the security policy using the guidelines you configured.

The Policy Builder builds the security policy as follows:

  • Adds policy elements once ASM sees enough traffic from various users
  • Examines application content and creates XML or JSON profiles if needed
  • Configures attack signatures in the security policy
  • Stabilizes the security policy when sufficient sessions over a period of time include the same elements
  • Includes new elements if the site changes

The Policy Builder automatically discovers and populates the security policy with the policy elements (such as file types, URLs, parameters, and cookies). As the Policy Builder runs, you see status messages in the identification and messages area at the top of the screen. You can monitor general policy building progress, and see the number of elements that are included in the policy.

Automatic policy building characteristics

When you create a security policy using automatic policy building, it has the following characteristics:

  • The security policy starts out loose, allowing traffic, then the Policy Builder adds policy elements based on evaluating the traffic.
  • The system sets the enforcement mode of the security policy to Blocking, but does not block requests until the Policy Builder sees sufficient traffic, adds elements to the security policy, and enforces the elements.
  • The system holds attack signatures in staging for 7 days (by default): during the staging period the system checks the signatures but does not block traffic. If a parameter causes an attack signature violation during staging, the system adds the parameter to the security policy. After the staging period is over, the security policy enforces the signatures that did not trigger during staging and blocks traffic that causes a signature violation.
  • The system enforces elements in the security policy when it has processed sufficient traffic and sessions over enough time to determine the legitimacy of the file types, URLs, parameters, cookies, methods, and so on.
  • The security policy stabilizes.
  • If the web site for the application changes, the Policy Builder adds policy elements to the security policy, puts the added elements in staging, and enforces the new elements when traffic and time thresholds are met.
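The staging and enforcement behaviour described in this section, modelled as an added illustration (this is not F5 code; the session and time thresholds behind the Loose/Middle/Tight slider, and the sample traffic, are assumed because the chapter gives no values):

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed thresholds behind the Loose/Middle/Tight slider (the chapter gives no
# values): enforce once this many unique sessions used the element over this span.
RULES = {
    "loose":  {"sessions": 2,  "span": timedelta(hours=1)},
    "middle": {"sessions": 5,  "span": timedelta(hours=6)},
    "tight":  {"sessions": 20, "span": timedelta(days=1)},
}

@dataclass
class Element:                      # one learned file type, URL, parameter or cookie
    sessions: set = field(default_factory=set)
    first_seen: datetime = None     # set when the element is first observed
    enforced: bool = False          # False means the element is still in staging

class PolicyBuilder:
    def __init__(self, rules="middle"):
        self.cfg = RULES[rules]
        self.elements = defaultdict(Element)   # keyed by (kind, name)

    def observe(self, when, session_id, kind, name):
        # Record that a session used an element; leave staging when both
        # the unique-session and the elapsed-time thresholds are met.
        e = self.elements[(kind, name)]
        e.sessions.add(session_id)
        e.first_seen = e.first_seen or when
        if (len(e.sessions) >= self.cfg["sessions"]
                and when - e.first_seen >= self.cfg["span"]):
            e.enforced = True

    def report(self):
        return {"enforced": [k for k in sorted(self.elements) if self.elements[k].enforced],
                "staged": [k for k in sorted(self.elements) if not self.elements[k].enforced]}

# Constructed traffic: (minutes after START, session id, element kind, element name)
START = datetime(2024, 1, 1, 9, 0)
TRAFFIC = [
    (0, "s1", "file_type", "php"), (60, "s2", "file_type", "php"), (120, "s3", "file_type", "php"),
    (240, "s4", "file_type", "php"), (400, "s5", "file_type", "php"),
    (0, "s1", "url", "/admin/export"), (60, "s2", "url", "/admin/export"),
]

def simulate(rules="middle"):
    pb = PolicyBuilder(rules)   # replay TRAFFIC under one slider setting
    for minutes, sid, kind, name in TRAFFIC:
        pb.observe(START + timedelta(minutes=minutes), sid, kind, name)
    return pb.report()
```

Under the Middle setting the php file type, used by five sessions over more than six hours, leaves staging, while the URL seen by only two sessions stays staged; Tight enforces nothing on this little traffic, which is the slower-stabilisation trade-off the Note on the Rules slider describes.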

Reviewing security policy status

You can monitor the general progress of the Real Traffic Policy Builder®, see what policy elements the system has learned, and view additional details on the Automatic Policy Building Status screen.
  1. On the Main tab, click Application Security > Policy Building > Automatic > Status. The Automatic Policy Building Status screen opens.
  2. In the editing context area near the top of the screen, verify that the edited security policy is the one you want to work on.
  3. Review any messages in the identification and messages area to learn what is currently happening on the system. For example, messages say when the Policy Builder is enabled, when the security policy was last updated, and the number of elements that were added.
  4. Review the status of the Real Traffic Policy Builder.
    Enabled: The system is configured to automatically build a security policy, and the Policy Builder is processing traffic.
    Disabled: The system is not processing traffic. Check the automatic policy building configuration.
    Detecting Language: The system is still configuring the language after analyzing responses to identify the language of the web application. The Policy Builder is enabled, but it cannot add elements to the security policy until the language is set.
  5. Examine the General Progress of the security policy. A progress bar indicates the stability level of the security policy. The progress bar reaches 100% when the policy is stable, no new policy elements need to be added, and time and traffic thresholds have been reached.
  6. In the Policy Elements Learned table, review the number of elements that the Policy Builder has analyzed and added to the security policy.
  7. Optionally, in the Details tree view, click the expand button for any item to learn more about that security policy element, what the system has seen so far, and what it will take to stabilize an element.
When enough traffic from unique sessions occurs over a period of time, the system starts to enforce the file types and other elements in the security policy. When enforced as part of a stable policy, the file types and other elements are removed from the staging list.

Figure: Stabilized security policy

This figure shows a security policy that has stabilized, and the progress bar has reached 100%. This means that the security policy is not causing false positives, and it is stable. You can display the screen shown in the figure by clicking Application Security > Policy Building > Automatic > Status on the Main tab of the system.

Additional application security protections

The Application Security Manager™ provides additional security protections that you can manually add to a security policy.

Features, with their descriptions and locations:

  • DoS attack prevention: Prevents Denial of Service (DoS) attacks based on latency and transaction rates. Click Application Security > Anomaly Detection > DOS Attack Prevention.
  • Brute force attack prevention: Protects the system against illegal login attempts where a hacker tries to log in to a URL numerous times, running many combinations of user names and passwords, until the intruder successfully logs in. Click Application Security > Anomaly Detection > Brute Force Attack Prevention.
  • IP Enforcement: Prevents attacks performed by specific IP addresses using a violation threshold. Click Application Security > Anomaly Detection > IP Enforcer.
  • Web scraping detection: Mitigates web scraping (web data extraction) on web sites by attempting to determine whether a web client source is human. Click Application Security > Anomaly Detection > Web Scraping.
  • CSRF protection: Prevents cross-site request forgery (CSRF) where a user is forced to perform unwanted actions on a web application where the user is currently authenticated. Click Application Security > CSRF Protection.
  • Sensitive data masking (Data Guard): Protects sensitive data in responses such as a credit card number, U.S. Social Security number, or custom pattern. Click Application Security > Data Guard.
  • Antivirus protection through an ICAP server: Configures the system as an Internet Content Adaptation Protocol (ICAP) client so that an external ICAP server can inspect HTTP file uploads for viruses before releasing the content to the web server. To set up the ICAP server, click Application Security > Options > Anti-Virus Protection. To configure antivirus protection on the security policy, click Application Security > Policy > Anti-Virus Protection.