Manual Chapter: Implementing a Security Policy for a Production Web Site or Application
In this implementation, we describe the process for automatically building a security policy that is based on untrusted traffic through a web site or web application. Untrusted traffic is traffic that can come from any source, and may or may not be malicious.
Important: This implementation assumes that you have already configured the network settings that are appropriate for your environment. Refer to Chapter 2, Reviewing Network Configuration Tasks, if you have not yet configured network connectivity.
After you configure the basic network properties, you configure the web application properties in the application security configuration. The web application properties include selecting the web application language and a traffic logging profile. For additional information on web applications, see the Working with Web Applications chapter, in the Configuration Guide for BIG-IP® Application Security Management.
1.
On the Main tab of the navigation pane, expand Application Security and click Web Applications.
The Web Applications screen opens.
2.
Click the Set Language link.
The Web Application Properties screen opens.
3.
Choose an application language encoding. For details, see Configuring the web application language, in the Working with Web Applications chapter of the Configuration Guide for BIG-IP® Application Security Management.
4.
Click Update.
The Web Application Properties screen opens.
5.
From the Logging Profile list, select Log all requests.
This is a system-supplied profile that specifies that the system logs all requests locally.
Note: Use the Log all requests logging profile during the deployment period only.
6.
If the web application includes session information in its URLs, then you can enable the Dynamic Sessions in URL setting. See Chapter 6, Extracting Dynamic Session Information from URLs, for more information.
Note: We recommend that you configure the Dynamic Sessions in URL setting before running the Policy Builder. Otherwise, the Policy Builder treats each object with session information as a unique object.
7.
Click Update.
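The note about Dynamic Sessions in URL is easier to see with data. The following is an added example written for this page, not F5 code: it models how a URL-learning pass sees requests with and without session information stripped. The sample URLs are constructed, and the session-carrying names (a `;jsessionid=` path segment and a `sid` query parameter) are assumptions about a hypothetical application.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample requests, as a learning tool would see them. The session
# identifiers and application paths are made up for this example.
SAMPLE_URLS = [
    "/app/account.jsp;jsessionid=1A2B3C",
    "/app/account.jsp;jsessionid=9Z8Y7X",
    "/app/search?q=shoes&sid=abc123",
    "/app/search?q=boots&sid=def456",
    "/app/static/logo.png",
]

# Where this hypothetical application carries session state (an assumption):
# a ";jsessionid=" path segment and a "sid" query parameter.
SESSION_PATH_RE = re.compile(r";jsessionid=[^/?#]*", re.IGNORECASE)
SESSION_QUERY_PARAMS = {"sid", "jsessionid", "phpsessid"}


def normalize_url(url: str) -> str:
    """Strip dynamic session information so that requests for the same
    application object collapse to a single object and the session token
    is not learned as a parameter."""
    parts = urlsplit(url)
    path = SESSION_PATH_RE.sub("", parts.path)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k.lower() not in SESSION_QUERY_PARAMS]
    return urlunsplit((parts.scheme, parts.netloc, path, urlencode(query), ""))


def discovered_entities(urls, dynamic_sessions: bool) -> dict:
    """Objects (paths) and parameter names a learning pass would add to the policy.

    With dynamic_sessions=False every distinct session token produces a new
    object and the token itself is learned as a parameter, which is the
    behaviour the note warns about."""
    objects, parameters = set(), set()
    for url in urls:
        if dynamic_sessions:
            url = normalize_url(url)
        parts = urlsplit(url)
        objects.add(parts.path)
        parameters.update(k for k, _ in parse_qsl(parts.query, keep_blank_values=True))
    return {"objects": objects, "parameters": parameters}


if __name__ == "__main__":
    for flag in (False, True):
        found = discovered_entities(SAMPLE_URLS, dynamic_sessions=flag)
        print(f"dynamic sessions={flag}: {len(found['objects'])} objects, "
              f"parameters={sorted(found['parameters'])}")
```

Run as-is, the five sample requests become four objects and two parameters without session handling, but three objects and one parameter with it; on a real site with thousands of sessions the difference is the policy filling up with one object per visitor.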
The Application Security Manager ships with an extensive database of attack signatures. F5 Networks provides updates for the database as part of a valid service contract. To ensure that you have the most current attack signatures on your system, you need to obtain any available updates. For more information on attack signatures and updating the database, refer to the Working with Attack Signatures chapter, in the Configuration Guide for BIG-IP® Application Security Management, which is available in the AskF5 Knowledge Base, http://support.f5.com.
1.
On the Main tab of the Application Security navigation pane, expand Application Security, and then click Options.
The Attack Signatures screen opens.
2.
From the Attack Signatures menu, choose Attack Signatures Update.
The Attack Signatures Update screen opens.
3.
Download the latest attack signature file. For details, see Updating the system-supplied attack signatures, in the Working with Attack Signatures chapter of the Configuration Guide for BIG-IP® Application Security Management.
Now that you have configured the basic network and web application settings, we recommend that you verify that the application servers are receiving traffic.
1.
On the Main tab of the navigation pane, expand Application Security, and then click Web Applications.
The Application Security Configuration utility opens in a new browser session.
2.
On the Main tab of the Application Security navigation pane, click Requests.
The Requests List screen opens, where you should see several requests listed.
The next task in configuring a security policy for a production environment is to configure the Security Policy Setup Wizard to run the Policy Builder. The Policy Builder is an automated tool that discovers and populates the security policy with the web application entities. For more information on using the wizard, see the Working with the Security Policy Setup Wizard chapter of the Configuration Guide for BIG-IP® Application Security Management. For more information on using the Policy Builder, see the Building a Security Policy with the Policy Builder chapter of the Configuration Guide for BIG-IP® Application Security Management.
1.
On the Main tab of the Application Security navigation pane, click the Create New Security Policy icon (+) next to Policy.
The New Policy screen opens.
2.
Click the Run Policy Wizard button.
The Configure Security Policy Properties screen opens.
3.
In the Security Policy Name box, type the security policy name.
4.
Click Next.
The Configure Attack Signatures screen opens.
5.
In the Available Systems list, select the systems you want the security policy to protect, according to your infrastructure.
7.
Click Next.
The Select Configuration Mode screen opens.
8.
Set the Configuration Mode to Build security policy automatically.
This specifies that the system builds the security policy by running the Policy Builder.
9.
Click Next.
The Configure Policy Builder screen opens.
10.
If you have any traffic from trusted IP addresses, in the Trusted IPs setting, configure trusted IP addresses.
11.
Click Next.
The Policy Configuration Summary screen opens.
12.
Click Finish.
The Policy Builder Status screen opens.
The Policy Builder automatically runs, and builds the security policy based on the traffic through the web site or application. Note that the Policy Builder automatically performs the Apply Policy action at specific intervals.
Once the Policy Builder is running, you can configure any of the following additional options to further customize the security policy for your web site or application. The additional configuration options are:
When the Policy Enforcer blocks a request, the system returns the blocking response page to the offending client. There is a default blocking response page, or you can customize the page as needed. For additional information on using the blocking response page, refer to Configuring the response pages, in the Working With the Security Policy chapter of the Configuration Guide for BIG-IP® Application Security Management.
If the web application includes parameters that contain sensitive information, such as passwords, or user account numbers, you can configure them as sensitive parameters. For more information, see Configuring sensitive parameters, in the Working With the Security Policy chapter of the Configuration Guide for BIG-IP® Application Security Management.
For web applications that have login and logout screens, you can configure the valid access points for those screens, which prevents forceful browsing of the web application. For more information, see Configuring flow access to prevent forceful browsing, in the Working With the Security Policy chapter of the Configuration Guide for BIG-IP® Application Security Management.
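Sensitive parameters matter most in combination with the Log all requests profile enabled earlier in this chapter: a logged request that still contains a password is itself a leak. The following is an added example, not F5 code, showing the masking a request logger should apply. The request is constructed, and the list of sensitive parameter names is an assumption for the example.

```python
from urllib.parse import unquote_plus

# Parameter names treated as sensitive. The names are assumptions for this example.
SENSITIVE_PARAMS = {"password", "passwd", "account_number", "ssn"}
MASK = "******"

# Constructed login request; the host, path and credentials are made up.
SAMPLE_REQUEST = (
    "POST /login.php?redirect=%2Faccount HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 45\r\n"
    "\r\n"
    "username=alice&password=Hunter2%21&remember=1"
)


def mask_query(query: str) -> str:
    """Replace the value of every sensitive parameter in a URL-encoded string.

    Pairs are rewritten in place rather than decoded and re-encoded, so the
    values of non-sensitive parameters are logged exactly as received."""
    out = []
    for pair in query.split("&"):
        name, eq, value = pair.partition("=")
        if eq and unquote_plus(name).lower() in SENSITIVE_PARAMS:
            value = MASK
        out.append(name + eq + value)
    return "&".join(out)


def mask_request(raw: str) -> str:
    """Mask sensitive values in the request-target query string and, for a
    form-encoded body, in the body, before the request is written to a log.

    Assumes an HTTP/1.x request line. The masked body may no longer match
    Content-Length; that is fine for a log record, which is never replayed."""
    head, sep, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    path, qmark, query = target.partition("?")
    lines[0] = f"{method} {path}{qmark}{mask_query(query)} {version}"
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    if body and headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        body = mask_query(body)
    return "\r\n".join(lines) + sep + body


if __name__ == "__main__":
    print(mask_request(SAMPLE_REQUEST))
```

The same masking should be applied wherever the request is persisted: local request logs, remote syslog, and the violation details shown in the request list.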
Once you have started running the Policy Builder, you can review learning suggestions not handled by the Policy Builder. Note that you need only review the learning suggestions that are listed in Table 3.1. The Policy Builder automatically processes all other learning suggestions.
Important: As you review the learning suggestions, you may see some learning suggestions for entities that the Policy Builder has already processed. We recommend that you periodically clear all learning suggestions to remove the ones for entities that have been added to the security policy.
1.
2.
If the system displays any of the violations listed in Table 3.1, following, click the violation link, and either accept or clear the learning suggestions according to the guidelines that are documented in the listed solution. Solutions are available in the AskF5 Knowledge Base, https://support.f5.com.
After you review the learning suggestions not handled by the Policy Builder, you review requests that triggered attack signatures in staging. For detailed information about working with attack signatures, see the Working with Attack Signatures chapter in the Configuration Guide for BIG-IP® Application Security Management.
1.
2.
Click the Attack signature staging link.
The Attack Signature Staging screen opens.
Note: The Attack signature staging link appears after the staging period has completed, or if the system detects an occurrence of a staged attack signature.
3.
If you do not see the Attack signature staging link on the Traffic Learning screen, skip this task, and go directly to Reviewing, testing, and refining the security policy. Otherwise, proceed to step 4.
4.
In the Recent Incidents column, click a number link for the attack signature for which you want to review matching requests.
The Requests List popup screen opens.
5.
Click an object link.
The View Full Request Information pop-up screen opens.
6.
Examine the request that caused the violation. Based on how many requests the attack signature has matched and how long it has been in staging, decide whether you want to lengthen the staging period.
8.
If the signature applies to parameters, click the arrow adjacent to the signature name to view the parameters that matched the signature.
9.
Decide how you want the Policy Enforcer to manage the attack signature as it applies to the parameters that the Policy Builder discovered. Note that once you select an action, the system removes the attack signature from staging.
Select Disable if you do not want the Policy Enforcer to enforce this attack signature for any future requests or parameters.
Select Disable on parameters if you do not want the Policy Enforcer to enforce the attack signature on the parameters that it matched. The system continues to enforce this attack signature on all other parameters, however.
Select Enable if you want the Policy Enforcer to start enforcing this attack signature.
If you cannot determine the appropriate action yet, leave the attack signature as is, in staging. The system does not block similar requests, and you may have more information regarding them in the future.
Important: The Policy Builder automatically enables a staged attack signature once the staging period (7 days by default) has elapsed, provided that the signature matched no requests during staging and the system processed at least 10,000 requests in that time.
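To make the staging rules above concrete, the following is an added example, not F5 code. It models the automatic enablement rule in the Important note (staging period elapsed, no matching requests, at least 10,000 requests processed) and maps a reviewer's finding onto the Enable, Disable on parameters and leave-in-staging choices. The signature names, dates and match counts are constructed, and the policy model is an assumption of the example rather than the product's own data model.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum

STAGING_PERIOD = timedelta(days=7)      # default staging period stated in the chapter
MIN_REQUESTS_FOR_AUTO_ENABLE = 10_000   # "at least 10,000 requests"


@dataclass
class StagedSignature:
    name: str
    staged_since: date
    matched_parameters: dict  # parameter name -> number of staged matches seen


class Decision(Enum):
    STAY_STAGED = "leave in staging"
    AUTO_ENABLE = "enabled automatically after staging"
    NEEDS_REVIEW = "matched requests; review before enabling"


def policy_builder_auto_enable(sig: StagedSignature, today: date, total_requests: int) -> Decision:
    """Automatic behaviour described in the chapter: a staged signature is
    enabled only if it matched nothing, the staging period has elapsed and
    enough traffic has been processed. Anything that matched is left for a reviewer."""
    if sum(sig.matched_parameters.values()) > 0:
        return Decision.NEEDS_REVIEW
    if today - sig.staged_since >= STAGING_PERIOD and total_requests >= MIN_REQUESTS_FOR_AUTO_ENABLE:
        return Decision.AUTO_ENABLE
    return Decision.STAY_STAGED


def suggested_action(sig: StagedSignature, false_positive_params: set) -> str:
    """Map a reviewer's finding onto the actions the chapter offers.

    false_positive_params is the reviewer's own list of parameters where the
    matches were confirmed legitimate (for example a free-text comment field).
    If every match landed on such a parameter, the signature can be disabled on
    those parameters and still enforced everywhere else. If any match is still
    unexplained, the safe choice is to leave it in staging: nothing is blocked
    while more requests are gathered."""
    matched = set(sig.matched_parameters)
    if not matched:
        return "Enable"
    if matched <= false_positive_params:
        return "Disable on parameters"
    return "Leave in staging"


# Constructed review set: a signature that matched nothing, one that matched
# only a free-text field, and one with an unexplained match on a search parameter.
TODAY = date(2010, 1, 10)
SIGS = [
    StagedSignature("sig-sql-tautology", date(2010, 1, 1), {}),
    StagedSignature("sig-xss-script-tag", date(2010, 1, 5), {"comment": 12}),
    StagedSignature("sig-cmd-injection", date(2010, 1, 1), {"q": 3, "comment": 1}),
]

if __name__ == "__main__":
    for sig in SIGS:
        auto = policy_builder_auto_enable(sig, TODAY, total_requests=25_000)
        print(f"{sig.name}: {auto.value}; reviewer action: {suggested_action(sig, {'comment'})}")
```

The Disable choice (turning the signature off entirely) is deliberately not modelled: it is appropriate only when the signature targets a system that is not part of the protected stack, which is a decision about the Available Systems selection in the wizard rather than about matched parameters.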
The final tasks in this implementation are to review, test, and refine the security policy to verify that it is protecting your web site in the way you intended.
1.
Verify that the Policy Builder is updating the security policy.
For example, on the Main tab of the Application Security navigation pane, click Parameters, and check the security policy's user-input parameters.
When you are confident that the Policy Builder has discovered the entities that make up the web application, you stop the Policy Builder, remove any match all (*) wildcard entities, and clear any remaining learning suggestions. You perform these tasks to prepare the security policy for the transition into the Blocking enforcement mode.
1.
On the Main tab of the Application Security navigation pane, click Policy.
The Security Policy Properties screen opens.
2.
From the Policy Builder menu, choose Status.
The Policy Builder Status screen opens.
3.
When the Policy Builder status graphs are close to zero (which means the Policy Builder is no longer discovering new or updated entities), click Stop to stop the Policy Builder.
Note: Depending on the traffic volume through your web site or web application, reaching the close-to-zero point may take anywhere from several hours to several days.
Tip: For each of the entities (object types, objects, and parameters), use the Filter option on the corresponding list screen to filter the lists so that they display only the match all (*) wildcard entities. For more information on wildcard entities, see the Working with Wildcard Entities chapter of the Configuration Guide for BIG-IP® Application Security Management.
1.
On the Main tab of the Application Security navigation pane, click Object Types.
The Object Types List screen opens.
2.
In the Object Types List area, in the Select column (far left), check the box next to the match all (*) wildcard object type, and then click the Delete button.
A confirmation popup screen opens.
3.
Click OK.
The screen refreshes.
6.
In the Objects List area, in the Select column (far left), check the box next to the match all (*) wildcard object, and then click the Delete button.
A confirmation popup screen opens.
7.
Click OK.
The screen refreshes.
9.
10.
In the Parameters List area, in the Select column (far left), check the box next to the match all (*) wildcard parameter, and then click the Delete button.
A confirmation popup screen opens.
11.
Click OK.
The screen refreshes.
Tip: For more information on working with learning suggestions, see the Refining the Security Policy Using Learning chapter of the Configuration Guide for BIG-IP Application Security Management.
1.
2.
In the Traffic Learning area, check the Select all violations check box.
3.
Click the Clear button to clear the selected learning suggestions.
4.
In the editing context area, click the Apply Policy button to put these policy changes into effect.
5.
Wait for more traffic. Review any new learning suggestions to verify that you do not have any false positives, that is, learning suggestions for legitimate entities.
Important: You may need to repeat this process a few times to refine the security policy to the point where you no longer receive false positives.
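Taken together, the steps in this section form a checklist to run before switching to Blocking: the Policy Builder is stopped, no match all (*) wildcard entities remain, suggestions for entities already in the policy are cleared, and the rest have been reviewed. The following is an added example, not F5 code, that runs that checklist over a constructed snapshot of a policy. The entity names are made up, and the snapshot structure is an assumption of the example, not the product's data model.

```python
from dataclasses import dataclass, field

MATCH_ALL = "*"


@dataclass
class PolicySnapshot:
    policy_builder_running: bool
    object_types: set
    objects: set
    parameters: set
    # (violation, entity) pairs awaiting review on the Traffic Learning screen
    learning_suggestions: list = field(default_factory=list)


def remaining_wildcards(snap: PolicySnapshot) -> list:
    """Entity kinds that still contain the match all (*) wildcard."""
    kinds = {"object types": snap.object_types, "objects": snap.objects, "parameters": snap.parameters}
    return [kind for kind, entities in kinds.items() if MATCH_ALL in entities]


def split_suggestions(snap: PolicySnapshot):
    """Separate suggestions for entities already in the policy (safe to clear)
    from those that still need a human decision (possible false positives)."""
    known = snap.object_types | snap.objects | snap.parameters
    stale = [s for s in snap.learning_suggestions if s[1] in known]
    pending = [s for s in snap.learning_suggestions if s[1] not in known]
    return stale, pending


def blocking_readiness(snap: PolicySnapshot) -> list:
    """Problems to resolve before Enforcement Mode is set to Blocking."""
    problems = []
    if snap.policy_builder_running:
        problems.append("Policy Builder is still running; stop it first")
    for kind in remaining_wildcards(snap):
        problems.append(f"match all (*) wildcard still present in {kind}")
    stale, pending = split_suggestions(snap)
    if stale:
        problems.append(f"{len(stale)} learning suggestion(s) for entities already in the policy; clear them")
    if pending:
        problems.append(f"{len(pending)} learning suggestion(s) still need review: {pending}")
    return problems


# Constructed snapshot taken while the Policy Builder is still running.
BEFORE = PolicySnapshot(
    policy_builder_running=True,
    object_types={"*", "php", "html", "png"},
    objects={"*", "/index.html", "/login.php", "/account.php"},
    parameters={"*", "username", "password", "q"},
    learning_suggestions=[("Illegal parameter", "username"), ("Illegal object", "/admin.php")],
)

# The same policy after the steps in this section have been carried out.
AFTER = PolicySnapshot(
    policy_builder_running=False,
    object_types={"php", "html", "png"},
    objects={"/index.html", "/login.php", "/account.php"},
    parameters={"username", "password", "q"},
)

if __name__ == "__main__":
    for label, snap in (("before", BEFORE), ("after", AFTER)):
        print(label, blocking_readiness(snap) or ["ready for Blocking"])
```

The pending suggestion for /admin.php in the snapshot is the interesting case: it is either a legitimate object the Policy Builder did not see enough traffic for (accept it) or a forceful-browsing attempt against an object the application does not expose (clear it and let Blocking reject it).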
Tip: For more information on the enforcement mode, see the Working with the blocking configuration section of the Working with the Security Policy chapter in the Configuration Guide for BIG-IP® Application Security Management.
1.
On the Main tab of the Application Security navigation pane, click Policy.
The Security Policy Properties screen opens.
2.
In the Configuration area, for the Enforcement Mode setting, select Blocking.
3.
Click Save.
The system saves any changes you have made.
4.
In the editing context area, click Apply Policy.
The system activates the security policy.
5.
In the Configuration area, for the Web Application setting, click the web application name.
The Web Application Properties screen opens.
6.
In the Web Application Properties area, for the Logging Profile setting, select Log illegal requests.
This system-supplied profile specifies that the system logs illegal requests locally.
7.
Click Update.
The system saves any changes you may have made.