Manual Chapter: Automatically Creating Security Policies for AJAX Applications

Application security for applications that use AJAX

Application Security Manager™ can protect AJAX applications including those that use JSON or XML for data transfer between the client and the server. If the AJAX application uses XML for data transfer, the security policy requires that an XML profile be associated with a URL or parameter. If the AJAX application uses JSON for data transfer, the security policy requires that a JSON profile be associated with a URL or parameter. If the AJAX application uses HTTP for data transfer, no profile is needed.

You can also set up AJAX blocking response behavior for applications so that if a violation occurs during AJAX-generated traffic, the system displays a message or redirects the application user to another location.

Overview: Creating a security policy for applications that use AJAX

AJAX (Asynchronous JavaScript and XML) applications send requests to the server, and the server returns responses to the client formatted as XML or JavaScript Object Notation (JSON). You can create a security policy automatically for applications that use AJAX.

Task Summary

Automatically creating a security policy for an AJAX application

You can create a security policy only if you have performed the basic system configuration tasks including defining a VLAN, a self IP address, a local traffic pool, an application security class, and a virtual server, according to the needs of your networking environment.
Application Security Manager™ can automatically create a security policy that is tailored to secure an AJAX web application that uses JSON, XML, or HTTP parameters for data transfer. The Deployment wizard guides you through the tasks required to start automatic security policy creation.
  1. On the Main tab, click Application Security > Web Applications.
  2. Locate the web application you want to protect, and click the Configure Security Policy link next to it.
    Tip: If you do not see the web application, first create an application security class.
    The Deployment wizard opens the Select Deployment Scenario screen.
  3. For Deployment Scenario, select Create a policy automatically and click Next. The Configure Web Application Properties screen opens.
  4. From the Application Language list, select the language encoding of the application.
    Important: You cannot change this setting after you have created the security policy.
  5. Click Next. The Configure Attack Signatures screen opens.
  6. To configure attack signatures, move the systems used by your web application from the Available Systems list into the Assigned Systems list. The system adds the attack signatures needed to protect the selected systems.
  7. Click Next. The Configure Automatic Policy Building screen opens.
  8. Select Enable JSON/XML payload detection. The security policy includes content profile checks and can automatically detect advanced protocols (including JSON and XML).
  9. For blocking behavior to work properly with AJAX applications, select Enable Ajax blocking response behavior. If a violation occurs or if a user attempts to access the application without logging in, the system displays a popup message.
  10. For Policy Type, select an option to determine other security features to include in the policy:
    • Fundamental
    • Enhanced
    • Comprehensive
    Check boxes in the Security Policy Elements area of the screen show which security features are included when you select each type.
  11. For Rules, move the slider to change the strictness of the rules:
    • Loose: A smaller request sample; for example, useful for web sites with less traffic.
    • Middle: A medium number of requests. This is the default setting, and the one to use if you are not sure about the amount of traffic on the application web site.
    • Tight: A large request sample; for example, useful for web sites with lots of traffic.
  12. For Trusted IP Addresses, indicate which IP addresses to consider safe:
    • All: Specifies that the policy trusts traffic from all IP addresses. Recommended only for internal or test environments.
    • Address List: Specifies a list of networks to consider safe. To add a network, type the IP Address and Netmask, then click Add.
  13. Click Next to create the security policy. The Automatic Policy Building Status screen opens where you can view the current state of the security policy.
Policy Builder starts and automatically begins building the security policy. If the web application uses JSON or XML for data transfer, the system creates the appropriate default profile and associates it with a URL or parameter.
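The payload detection described in step 8 and in the paragraph above decides whether a request body is JSON, XML, or plain HTTP parameters and, for JSON or XML, which content profile checks apply. The following Python model is an added illustration of that decision and of one typical profile check (nesting depth); it is not Application Security Manager code, and the sample requests and the MAX_DEPTH limit are constructed for the example.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample requests: (Content-Type header value, request body).
SAMPLE_REQUESTS = {
    "json_ok": ("application/json", '{"user": "alice", "items": [1, 2, 3]}'),
    "json_deep": ("application/json", "[" * 12 + "]" * 12),
    "json_bad": ("application/json", '{"user": "alice", '),
    "xml_ok": ("text/xml; charset=utf-8", "<order><id>42</id></order>"),
    "form": ("application/x-www-form-urlencoded", "user=alice&action=view"),
}

# Hypothetical profile limit, standing in for a content profile's nesting limit.
MAX_DEPTH = 8


def detect_payload_type(content_type: str, body: str) -> str:
    """Classify a body as 'json', 'xml', or 'http' (plain parameters: no profile needed)."""
    media_type = content_type.split(";")[0].strip().lower()
    stripped = body.lstrip()
    if media_type.endswith("json") or stripped[:1] in ("{", "["):
        return "json"
    if media_type.endswith("xml") or stripped.startswith("<"):
        return "xml"
    return "http"


def json_depth(obj, depth: int = 1) -> int:
    """Maximum nesting depth of a parsed JSON value (scalars count as depth 1)."""
    if isinstance(obj, dict):
        return max((json_depth(v, depth + 1) for v in obj.values()), default=depth)
    if isinstance(obj, list):
        return max((json_depth(v, depth + 1) for v in obj), default=depth)
    return depth


def xml_depth(elem, depth: int = 1) -> int:
    """Maximum element nesting depth of a parsed XML tree."""
    return max((xml_depth(child, depth + 1) for child in elem), default=depth)


def check_request(content_type: str, body: str):
    """Return (payload_type, violation); violation is None when the profile checks pass."""
    payload_type = detect_payload_type(content_type, body)
    try:
        if payload_type == "json":
            depth = json_depth(json.loads(body))
        elif payload_type == "xml":
            depth = xml_depth(ET.fromstring(body))
        else:
            return payload_type, None  # HTTP parameters: no content profile applies
    except (ValueError, ET.ParseError) as exc:
        return payload_type, f"malformed {payload_type}: {exc}"
    if depth > MAX_DEPTH:
        return payload_type, f"{payload_type} nesting depth {depth} exceeds {MAX_DEPTH}"
    return payload_type, None
```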

The next steps for reviewing policy building status and adding other security protections are the same as for any automatic policy building.

Reviewing security policy status

You can monitor the general progress of the Real Traffic Policy Builder®, see what policy elements the system has learned, and view additional details on the Automatic Policy Building Status screen.
  1. On the Main tab, click Application Security > Policy Building > Automatic > Status. The Automatic Policy Building Status screen opens.
  2. In the editing context area near the top of the screen, verify that the edited security policy is the one you want to work on.
  3. Review any messages in the identification and messages area to learn what is currently happening on the system. For example, messages say when the Policy Builder is enabled, when the security policy was last updated, and the number of elements that were added.
  4. Review the status of the Real Traffic Policy Builder:
    • Enabled: The system is configured to automatically build a security policy, and the Policy Builder is processing traffic.
    • Disabled: The system is not processing traffic. Check the automatic policy building configuration.
    • Detecting Language: The system is still configuring the language after analyzing responses to identify the language of the web application. The Policy Builder is enabled, but it cannot add elements to the security policy until the language is set.
  5. Examine the General Progress of the security policy. A progress bar indicates the stability level of the security policy. The progress bar reaches 100% when the policy is stable, no new policy elements need to be added, and time and traffic thresholds have been reached.
  6. In the Policy Elements Learned table, review the number of elements that the Policy Builder has analyzed and added to the security policy.
  7. Optionally, in the Details tree view, click the expand button for any item to learn more about that security policy element, what the system has seen so far, and what it will take to stabilize an element.
When enough traffic from unique sessions occurs over a period of time, the system starts to enforce the file types and other elements in the security policy. When enforced as part of a stable policy, the file types and other elements are removed from the staging list.

Implementation results

The Real Traffic Policy Builder® creates a security policy that can protect applications that use AJAX with JSON or XML for data transfer between the client and the server. The system examines the traffic and creates an appropriate profile. If the application uses XML, the security policy includes one or more XML profiles associated with URLs or parameters. If the application uses JSON, the security policy includes one or more JSON profiles associated with URLs or parameters.
