Manual Chapter: Creating a Security Policy Using a Test Environment

In this implementation, we describe a process for automatically building a security policy based on trusted traffic. All traffic should come from trusted IP addresses and should be legal. No attacks should be sent.
Important: This implementation assumes that you have already configured the network settings that are appropriate for your environment. Refer to Chapter 2, Reviewing Network Configuration Tasks, if you have not yet configured network connectivity.
After you configure the basic network properties, you configure the web application properties in the application security configuration. The web application properties include selecting the web application language and a traffic logging profile. For additional information on web applications, see the Working with Web Applications chapter, in the Configuration Guide for BIG-IP® Application Security Management.
Important: If you have not yet configured the basic local traffic settings, refer to Chapter 2, Reviewing Network Configuration Tasks, and perform those tasks. Once you have completed the tasks outlined in that chapter, you can proceed with this implementation.
1. On the Main tab of the navigation pane, expand Application Security and click Web Applications.
   The Web Applications screen opens.
2. Click the Set Language link.
   The Web Application Properties screen opens.
3. Choose an application language encoding.
   For details, see Configuring the web application language, in the Working with Web Applications chapter of the Configuration Guide for BIG-IP® Application Security Management.
4. Click Update.
   The Web Application Properties screen opens.
5. From the Logging Profile list, select Log all requests. This is a system-supplied profile that specifies that the system logs all requests locally.
   Note: Use the Log all requests logging profile during the deployment period only.
6. If the web application includes session information in its URLs, then you can enable the Dynamic Sessions in URL setting. See Chapter 6, Extracting Dynamic Session Information from URLs, for more information.
   Note: We recommend that you configure the Dynamic Session in URL setting before running the Policy Builder. Otherwise, the Policy Builder treats each object with session information as a unique object.
7. Click Update.
The Application Security Manager ships with an extensive database of attack signatures. F5 Networks provides updates for the database as part of a valid service contract. To ensure that you have the most current attack signatures on your system, you need to obtain any available updates. For more information on attack signatures and updating the database, refer to the Working with Attack Signatures chapter, in the Configuration Guide for BIG-IP® Application Security Management, which is available in the AskF5 Knowledge Base, http://support.f5.com.
1. On the Main tab of the Application Security navigation pane, expand Application Security, and then click Options.
   The Attack Signatures screen opens.
2. From the Attack Signatures menu, choose Attack Signatures Update.
   The Attack Signatures Update screen opens.
3. Download the latest attack signature file. For details, see Updating the system-supplied attack signatures, in the Working with Attack Signatures chapter of the Configuration Guide for BIG-IP® Application Security Management.
Now that you have configured the basic network and web application settings, we recommend that you verify that the application servers are receiving traffic.
4. On the Main tab of the navigation pane, expand Application Security, and then click Web Applications.
   The Application Security Configuration utility opens in a new browser session.
5. On the Main tab of the Application Security navigation pane, click Requests.
   The Requests List screen opens, where you should see several requests listed.
The next task in configuring a security policy for testing is to configure the Security Policy Setup Wizard to run the Policy Builder. For building this security policy, you configure the Policy Builder to use traffic from trusted sources. Trusted traffic is traffic that is known to be from legitimate sources, for example, a quality assurance team, or an employee group. For more information on using the wizard, see the Working with the Security Policy Setup Wizard chapter, in the Configuration Guide for BIG-IP® Application Security Management. For more information on using the Policy Builder, see the Building a Security Policy with the Policy Builder chapter, in the Configuration Guide for BIG-IP® Application Security Management.
1. On the Main tab of the Application Security navigation pane, click the Create New Security Policy icon (+) next to Policy.
   The New Policy screen opens.
2. Click the Run Policy Wizard button.
   The Configure Security Policy Properties screen opens.
3. In the Security Policy Name box, type the security policy name.
4. Click Next.
   The Configure Attack Signatures screen opens.
5. In the Available Systems list, select the systems you want the security policy to protect, according to your infrastructure.
6. Click the Move button (<<) to transfer the selected systems from the Available Systems list to the Assigned Systems list.
7. Click Next.
   The Select Configuration Mode screen opens.
8. Set the Configuration Mode to Build security policy automatically.
   This specifies that the system builds the security policy by running the Policy Builder.
9. Click Next.
   The Configure Policy Builder screen opens.
10. For the Security Template setting, select Basic.
Tip: To configure all IP addresses as trusted, select Address Range, and type 0.0.0.0 in the From box, and 255.255.255.255 in the To box.
12. Click Next.
   The Policy Configuration Summary screen opens, where you can review the settings you specified.
13. Click Finish.
   The system starts the Policy Builder, and the Policy Builder Status screen opens.
15. Browse the web application with enough traffic until you are sure that you reasonably cover the web site. As you browse the web application the Policy Builder updates the security policy, and automatically performs the Apply Policy action at specific intervals.
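The Tip above trusts every IPv4 address, so the Policy Builder learns from any client that can reach the application. The following added example (not part of the F5 manual) checks a From/To range against the subnets your trusted testers actually use before you type it into the wizard; the function name and the QA subnets are assumptions made up for illustration.

```python
import ipaddress

def audit_trusted_range(first, last, expected_sources):
    """Compare a From/To trusted range with the subnets that test
    traffic is expected to come from (hypothetical helper)."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("From address is higher than To address")
    total = hi - lo + 1
    # Merge overlapping/adjacent expected subnets so nothing is counted twice.
    expected = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(n) for n in expected_sources))
    covered = 0
    missing = []
    for net in expected:
        n_lo, n_hi = int(net.network_address), int(net.broadcast_address)
        # Size of the intersection between the range and this subnet.
        overlap = min(hi, n_hi) - max(lo, n_lo) + 1
        covered += max(overlap, 0)
        # The subnet is only fully trusted if it lies entirely in the range.
        if n_lo < lo or n_hi > hi:
            missing.append(str(net))
    blocks = [str(b) for b in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))]
    return {
        "cidr_blocks": blocks,                  # range expressed as CIDR
        "trusted_addresses": total,             # how many sources are trusted
        "outside_expected": total - covered,    # trusted but not a known tester
        "expected_not_fully_trusted": missing,  # testers the range leaves out
        "trusts_all_ipv4": blocks == ["0.0.0.0/0"],
    }

# Constructed sample values: subnets of a QA team (not from the manual).
QA_SUBNETS = ["10.20.30.0/24", "192.168.50.0/28"]

if __name__ == "__main__":
    for rng in [("0.0.0.0", "255.255.255.255"), ("10.20.30.0", "10.20.30.255")]:
        print(rng, audit_trusted_range(*rng, QA_SUBNETS))
```

A non-zero `outside_expected` value means the Policy Builder will also accept traffic from sources other than your testers as the baseline for legal requests.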
Once the Policy Builder is running, you can configure any of the following additional options to further customize the security policy for your web site or application. The additional configuration options are:
When the Policy Enforcer blocks a request, the system returns the blocking response page to the offending client. There is a default blocking response page, or you can customize the page as needed. For additional information on using the blocking response page, refer to Configuring the response pages, in the Working With the Security Policy chapter of the Configuration Guide for BIG-IP® Application Security Management.
If the web application includes parameters that contain sensitive information, such as passwords, or user account numbers, you can configure them as sensitive parameters. For more information, see Configuring sensitive parameters, in the Working With the Security Policy chapter of the Configuration Guide for BIG-IP® Application Security Management.
For web applications that have login and logout screens, you can configure the valid access points for those screens, which prevents forceful browsing of the web application. For more information, see Configuring flow access to prevent forceful browsing, in the Working With the Security Policy chapter of the Configuration Guide for BIG-IP® Application Security Management.
Once you have started running the Policy Builder, you should review the learning suggestions that the Policy Builder cannot process automatically. For these learning suggestions, you manually update the security policy, as required for your web site or application.
Important: As you review the learning suggestions, you may see some learning suggestions for entities that the Policy Builder has already processed. We recommend that you periodically clear all learning suggestions to remove the ones for entities that have been added to the security policy.
1.
2. If the system displays any of the violations listed in Table 4.1, following, click the violation link, and either accept or clear the learning suggestions according to the guidelines that are documented in the listed solution. Solutions are available in the AskF5℠ Knowledge Base, http://support.f5.com.
After you review the learning suggestions not handled by the Policy Builder, you review requests that triggered attack signatures in staging. Because the traffic source for this security policy is from trusted IP addresses, the Policy Builder should automatically disable any attack signatures that the traffic triggers. For detailed information about working with attack signatures, see the Working with Attack Signatures chapter in the Configuration Guide for BIG-IP® Application Security Management.
1.
2. Click the Attack signature staging link.
   The Attack Signature Staging screen opens.
   Note: The Attack signature staging link appears after the staging period has completed, or if the system detects an occurrence of a staged attack signature.
3. If you do not see the Attack signature staging link on the Traffic Learning screen, skip this task, and go directly to Reviewing, testing, and refining the security policy. Otherwise, proceed to step 4.
4. In the Attack Signature Staging area, in the Action column, verify that the Policy Builder automatically disabled all of the attack signatures.
   Important: The Policy Builder enables attack signatures after the staging period (the default is 7 days) if the attack signatures do not match requests, and if the system processes at least 10K of requests.
The final tasks in this implementation are to review, test, and refine the security policy to verify that it is protecting your web site in the way you intended.
1. Verify that the Policy Builder is updating the security policy.
   For example, on the Main tab of the Application Security navigation pane, click Parameters, and check the security policy's user-input parameters.
As your trusted clients browse the web application, the Policy Builder discovers new and updated entities, and periodically activates the security policy it is building. When you are confident that the Policy Builder has found all the new and updated entities, you stop the Policy Builder, clear any learning suggestions, and set the security policy to Blocking. At this point, you can deploy the security policy in a production environment, if applicable.
1. On the Main tab of the Application Security navigation pane, click Policy.
   The Security Policy Properties screen opens.
2. From the Policy Builder menu, choose Status.
   The Policy Builder Status screen opens.
Tip: For more information on working with learning suggestions, see the Refining the Security Policy Using Learning chapter of the Configuration Guide for BIG-IP Application Security Management.
1.
2. In the Traffic Learning area, check the Select all violations check box.
3. Click the Clear button to clear the selected learning suggestions.
4. In the editing context area, click the Apply Policy button to put these policy changes into effect.
5. From a different browser session, browse the web application, and then return to the browser session for the Application Security Manager.
6.
7. Review the new learning suggestions, if any, to verify that you do not have any false positives, that is, learning suggestions for legitimate entities.
Important: You may need to repeat this process a few times to refine the security policy to the point where you no longer receive false positives.
Tip: For more information on the enforcement mode, see the Working with the blocking configuration section of the Working with the Security Policy chapter in the Configuration Guide for BIG-IP Application Security Management.
1. On the Main tab of the Application Security navigation pane, click Policy.
   The Security Policy Properties screen opens.
2. In the Configuration area, for the Enforcement Mode setting, select Blocking.
3. Click Save.
   The system saves any changes you have made.
4. In the editing context area, click Apply Policy.
   The system activates the security policy.
5. In the Configuration area, for the Web Application setting, click the web application name.
   The Web Application Properties screen opens.
6. In the Web Application Properties area, for the Logging Profile setting, select Log illegal requests.
   This system-supplied profile specifies that the system logs illegal requests locally.
7. Click Update.
   The system saves any changes you may have made.
