Manual Chapter: Creating a Security Policy for Web Services

This implementation describes how to create a security policy to protect Web services traffic. Web services, also known as application services, allow web-based applications from different sources to communicate with each other, because all communication is in XML over standard Internet protocols. Web services allow organizations to exchange data without intimate knowledge of each other's IT systems behind the firewall.
After you configure the basic network properties for the system, you configure the web application properties in the application security configuration. The web application properties include the web application language and a traffic logging profile. For additional information on the web application properties, see the Working with Web Applications chapter of the Configuration Guide for BIG-IP® Application Security Management, which is available in the AskF5 Knowledge Base, http://support.f5.com.
Important: If you have not yet configured the basic local traffic settings, refer to Chapter 2, Reviewing Network Configuration Tasks, and perform those tasks. Once you have completed the tasks outlined in that chapter, you can proceed with this implementation.
1. On the Main tab of the navigation pane, expand Application Security and click Web Applications.
A new browser session opens the Application Security Configuration utility on the Web Applications screen.
2. In the Web Application Properties area, for the Application Language setting, select the language encoding that is most similar to the one defined in the application's XML schema file or WSDL document.
3. For the Logging Profile setting, select Log illegal requests.
This system-supplied profile specifies that the system logs illegal requests locally.
4. Click Update.
The Application Security Manager ships with an extensive database of attack signatures. F5 Networks provides updates for the database as part of a valid service contract. To ensure that you have the most current attack signatures on your system, you need to obtain any available updates. For more information on attack signatures and updating the database, refer to the Working with Attack Signatures chapter, in the Configuration Guide for BIG-IP® Application Security Management, which is available in the AskF5 Knowledge Base, http://support.f5.com.
1. On the Main tab of the Application Security navigation pane, expand Application Security, and then click Options.
The Attack Signatures screen opens.
2. From the Attack Signatures menu, choose Attack Signatures Update.
The Attack Signatures Update screen opens.
3. Download the latest attack signature file. For details, see Updating the system-supplied attack signatures, in the Working with Attack Signatures chapter of the Configuration Guide for BIG-IP® Application Security Management.
The next task in configuring the security policy for web services is to manually create a new security policy, and then configure some of the security policy properties. The properties you configure in this task are the security policy name and the maximum cookie header length.
1. On the Main tab of the Application Security navigation pane, next to Policy, click the Create New Security Policy icon (+).
The New Policy screen opens.
2. Above the Configuration area, select Advanced.
The screen refreshes, and displays additional configuration options.
3. In the Security Policy Name box, type a unique name for the security policy.
4. For the Maximum Cookie Header Length setting, type 1.
A limit this small causes the system to flag any request whose cookie header is longer than one byte, which in practice is any request that carries a cookie; web services clients normally send none.
5. Click Create.
The screen refreshes, and you see the new security policy in the list.
Tip: For more information on creating security policies, refer to the Working with the Security Policy chapter of the Configuration Guide for BIG-IP® Application Security Management.
Once you have created the new security policy, you disassociate the default attack signature sets from the security policy. This step is necessary because the default sets apply to HTTP traffic, not to XML traffic. The XML profile you create later contains attack signatures that apply to XML traffic. See Creating and configuring an XML profile, for more information on the XML profile.
1. On the Main tab of the Application Security navigation pane, click Attack Signatures.
The Attack Signature Sets Assignment screen opens.
2. In the Attack Signature Sets Assignment area, check the Select All box to the left of the Signature Set Name column.
The system checks the Select box next to all signature sets in the list.
3. Click the Move button (>>) to remove the attack signature sets from the Assigned Signature Sets list, and move them to the Available Signature Sets list.
4. Click Update.
The blocking settings determine the actions that the system takes when the Policy Enforcer detects a security policy violation. For detailed information on the blocking policy settings, refer to the Configuring the blocking settings section of the Working with the Security Policy chapter, in the Configuration Guide for BIG-IP® Application Security Management.
1. On the Main tab of the Application Security navigation pane, click Policy.
The Security Policy Properties screen opens.
2. From the Blocking menu, choose Settings.
The Blocking Policy screen opens.
3. On the Blocking Policy screen, in the Configuration area, for the Select All setting, check the Learn box and the Alarm box.
The system checks the Learn and Alarm flags for all of the listed violations. Leaving the Block flag clear at this stage means that the system logs violations and generates learning suggestions without rejecting any traffic; enable Block only after you have reviewed the learning results and confirmed that legitimate requests do not trigger violations.
4. Click the Save button.
The Application Security Manager provides several blocking response pages. For XML applications, you can use the SOAP Fault blocking response page, which is formatted using XML. For more information on the blocking response pages, refer to the Configuring the response pages section of the Working with the Security Policy chapter, in the Configuration Guide for BIG-IP® Application Security Management.
1. On the Main tab of the Application Security navigation pane, click Policy.
The Security Policy Properties screen opens.
2. From the Blocking menu, choose Response Page.
The Blocking Response Page screen opens.
3. In the Blocking Response Page area, click Edit.
The Blocking Response Page Properties screen opens.
4. For the Response Type setting, select SOAP Fault.
5. Click the Save button.
The system saves the changes, and opens the Blocking Response Page screen.
6. In the editing context area, click the Apply Policy button to put the changes you have made into effect.
The next task in this implementation is to create and configure an XML profile. For detailed information on working with XML profiles, refer to the Protecting XML-Based Applications chapter of the Configuration Guide for BIG-IP® Application Security Management.
1. On the Main tab of the Application Security navigation pane, click the Create New XML Profile icon (+) next to XML Profiles.
The Create New XML Profile screen opens.
2. In the editing context area, ensure that the edited security policy is the one for which you want to create the XML profile.
3. In the Create Profile area, in the Profile Name box, type a unique name for the XML profile.
4. Optionally, in the Description box, type any relevant information about the new profile. Note that the Description box has a 255-character limit.
5. In the Validation Configuration area, for the Configuration Files setting, select which type of WSDL document you are going to upload:
User-defined WSDL Document: Specifies a self-contained WSDL file, that is, one that does not contain a schema reference.
Referenced User-defined WSDL Document: Specifies a WSDL document that contains a schema reference.
Note: If the system has Internet connectivity and a DNS server configured, select User-defined WSDL Document even if the WSDL document contains an import reference; the system can then retrieve the referenced documents itself. If the system does not have Internet connectivity, search the main WSDL document for the word import and download each referenced document.
6. Click Browse to search for the WSDL document to upload.
7. If, for the Configuration Files setting, you selected Referenced User-defined WSDL Document, in the Import URL box, type the URL that is defined in the location directive in the WSDL document.
Important: When a WSDL document references another validation file, you first import the referenced file, and then upload the WSDL document. This allows the system to create a mapping between the files.
8. Click Upload.
The screen refreshes, and for the Configuration Files setting, you see the uploaded files listed.
9. Perform the upload process for every imported schema that is listed in the WSDL document or in other referenced schema files.
Note: Review SOL3624 to set up the system with Internet connectivity, which avoids uploading the documents referenced by a WSDL import by hand. Solutions are available in the AskF5 Knowledge Base, http://support.f5.com.
10. In the Defense Configuration area, for the Applications setting, select any relevant application templates from the Available Applications list.
11. Click the Move button (<<) to move the application templates to the Selected Applications list.
The system updates the profile settings according to the application templates that you selected.
12. Click the Create button.
The screen refreshes, and displays the new XML profile on the XML Profiles screen.
13. In the editing context area, click the Apply Policy button to put the security policy into effect.
14. On the navigation pane, click Object Types.
The Object Types List screen opens.
15. On the navigation pane, click Objects.
The Objects List screen opens.
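The upload steps above require every schema a WSDL imports to be on the system before the WSDL itself, and, without Internet connectivity, require you to find those imports by hand. The following script is an added example, not part of the F5 manual or product: it walks a WSDL and its schemas on local disk, follows wsdl:import, xsd:import and xsd:include references, and prints the files in the order to upload them (referenced files first), reporting any http(s) references it cannot resolve offline so you can download them before uploading. The sample WSDL and schema documents it writes to a temporary directory are constructed for the example; the example.com URL in them is a placeholder.

```python
"""List the documents a WSDL depends on, in the order to upload them.

Added example, not part of the F5 manual or product. It follows wsdl:import,
xsd:import and xsd:include references from local files only (nothing is
fetched from the network) and lists each file after everything it references,
which is the order the XML profile needs: referenced schemas first, then the
WSDL that imports them. Absolute http(s) references are reported separately so
you can download them by hand. The sample documents below are constructed.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
XSD_NS = "http://www.w3.org/2001/XMLSchema"

# Constructed sample tree: service.wsdl -> types.xsd -> common.xsd, plus one
# remote schema reference (placeholder URL) that cannot be resolved offline.
SAMPLE_FILES = {
    "service.wsdl": """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema" targetNamespace="urn:example:svc">
  <types>
    <xsd:schema targetNamespace="urn:example:svc">
      <xsd:import namespace="urn:example:types" schemaLocation="types.xsd"/>
      <xsd:import namespace="urn:example:ext"
                  schemaLocation="http://example.com/ext.xsd"/>
    </xsd:schema>
  </types>
</definitions>""",
    "types.xsd": """<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  targetNamespace="urn:example:types">
  <xsd:include schemaLocation="common.xsd"/>
  <xsd:element name="Order" type="xsd:string"/>
</xsd:schema>""",
    "common.xsd": """<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  targetNamespace="urn:example:types">
  <xsd:simpleType name="Id"><xsd:restriction base="xsd:string"/></xsd:simpleType>
</xsd:schema>""",
}


def find_references(xml_text):
    """Return the location of every import/include in one WSDL or XSD document.

    wsdl:import carries 'location'; xsd:import and xsd:include carry
    'schemaLocation'. An xsd:import with no schemaLocation only names a
    namespace, so there is nothing to upload for it and it is skipped.
    ElementTree does not fetch external entities, but entity-expansion attacks
    still apply, so use defusedxml for documents you do not control.
    """
    root = ET.fromstring(xml_text)
    refs = []
    for el in root.iter():
        if el.tag == "{%s}import" % WSDL_NS:
            loc = el.get("location")
        elif el.tag in ("{%s}import" % XSD_NS, "{%s}include" % XSD_NS):
            loc = el.get("schemaLocation")
        else:
            continue
        if loc:
            refs.append(loc)
    return refs


def upload_order(path, visited=None, order=None, remote=None):
    """Depth-first, post-order walk from a WSDL: each file is appended after
    the files it references. The visited set makes cycles and schemas shared
    by several documents safe. Returns (ordered local paths, remote URLs)."""
    if visited is None:
        visited, order, remote = set(), [], []
    path = os.path.normpath(path)
    if path in visited:
        return order, remote
    visited.add(path)
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    base = os.path.dirname(path)
    for ref in find_references(text):
        if ref.startswith(("http://", "https://")):
            if ref not in remote:      # fetch by hand, then upload before its importer
                remote.append(ref)
            continue
        upload_order(os.path.join(base, ref), visited, order, remote)
    order.append(path)
    return order, remote


def write_sample_tree(directory):
    """Write the constructed sample documents and return the WSDL path."""
    for name, text in SAMPLE_FILES.items():
        with open(os.path.join(directory, name), "w", encoding="utf-8") as fh:
            fh.write(text)
    return os.path.join(directory, "service.wsdl")


def demo():
    """Walk the sample tree; returns (file basenames in upload order, remote URLs)."""
    with tempfile.TemporaryDirectory() as tmp:
        order, remote = upload_order(write_sample_tree(tmp))
    return [os.path.basename(p) for p in order], remote


if __name__ == "__main__":
    import sys
    order, remote = upload_order(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for url in remote:
        print("Download by hand and upload before its importer:", url)
    print("Upload in this order:")
    for item in order:
        print("  ", item)
```

Run it with the path to your own WSDL as the only argument; with no argument it walks the constructed sample and lists common.xsd, then types.xsd, then service.wsdl, with the remote ext.xsd reported for manual download.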
The final task in this implementation is to review, test, and refine the security policy to verify that it is protecting your web services application in the way you intended.
1. On the navigation pane, click Learning.
The Traffic Learning screen opens.
2. On the navigation pane, click Policy.
The Security Policy Properties screen opens.
3. Click Save.
4. In the editing context area, click the Apply Policy button to put the updated security policy into effect.
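Testing the policy means sending the web service both legitimate requests and requests that should be illegal, then checking whether each came back as a normal SOAP reply or as the SOAP Fault blocking response page configured earlier. The following client is an added example, not part of the F5 manual or product. classify() tells a SOAP 1.1 or 1.2 Fault from an ordinary SOAP reply or a non-SOAP body, and send_probe() posts a request with or without a Cookie header, the header the Maximum Cookie Header Length setting in this chapter is meant to catch. The host, port, path, SOAPAction value and operation body are placeholders you must replace, and the fault document used for the offline demo is constructed in the SOAP 1.1 fault shape; it is not the product's own response page text.

```python
"""Send probe requests to a web services virtual server and classify the reply.

Added example, not part of the F5 manual or product. classify() recognises a
SOAP Fault (what the SOAP Fault blocking response page returns for a rejected
request) in SOAP 1.1 or 1.2 form; send_probe() posts a request to a host, port
and path you supply. Those values, the SOAPAction header, the cookie value and
the operation body are placeholders. SAMPLE_FAULT is constructed for the demo.
"""
import http.client
import xml.etree.ElementTree as ET

SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP12 = "http://www.w3.org/2003/05/soap-envelope"

# Constructed SOAP 1.1 fault, the shape a rejected request gets back.
SAMPLE_FAULT = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <soap:Fault>
      <faultcode>soap:Client</faultcode>
      <faultstring>The requested URL was rejected.</faultstring>
    </soap:Fault>
  </soap:Body>
</soap:Envelope>"""


def classify(body):
    """Return ("fault", code, reason) for a SOAP Fault, ("ok", None, None) for
    any other SOAP envelope, and ("not-soap", None, None) for anything else,
    including an HTML block page or a body that is not well-formed XML."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ("not-soap", None, None)
    for ns in (SOAP11, SOAP12):
        fault = root.find(".//{%s}Fault" % ns)
        if fault is None:
            continue
        if ns == SOAP11:   # SOAP 1.1 fault children are unqualified elements
            code = fault.findtext("faultcode")
            reason = fault.findtext("faultstring")
        else:              # SOAP 1.2 nests Code/Value and Reason/Text in the envelope namespace
            code = fault.findtext("{%s}Code/{%s}Value" % (ns, ns))
            reason = fault.findtext("{%s}Reason/{%s}Text" % (ns, ns))
        return ("fault", code, reason)
    if root.tag in ("{%s}Envelope" % SOAP11, "{%s}Envelope" % SOAP12):
        return ("ok", None, None)
    return ("not-soap", None, None)


def build_request(body_xml, with_cookie=False):
    """Wrap an operation element in a SOAP 1.1 envelope and build the headers.
    with_cookie adds a Cookie header, which web services clients normally never
    send and which the Maximum Cookie Header Length setting of 1 should flag."""
    envelope = ('<soap:Envelope xmlns:soap="%s"><soap:Body>%s</soap:Body>'
                "</soap:Envelope>" % (SOAP11, body_xml))
    headers = {"Content-Type": "text/xml; charset=utf-8", "SOAPAction": '""'}
    if with_cookie:
        headers["Cookie"] = "JSESSIONID=probe"   # placeholder cookie value
    return envelope, headers


def send_probe(host, path, body_xml, with_cookie=False, port=80, timeout=10):
    """POST one request and return (HTTP status, classify() result). Needs network."""
    envelope, headers = build_request(body_xml, with_cookie)
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("POST", path, body=envelope.encode("utf-8"), headers=headers)
        resp = conn.getresponse()
        return resp.status, classify(resp.read().decode("utf-8", "replace"))
    finally:
        conn.close()


if __name__ == "__main__":
    # Placeholders: point these at your own virtual server and operation.
    HOST, PATH = "ws.example.com", "/services/OrderService"
    OP = '<GetOrder xmlns="urn:example:svc"><Id>42</Id></GetOrder>'
    print("constructed fault classifies as:", classify(SAMPLE_FAULT))
    for cookie in (False, True):
        try:
            print("cookie=%s ->" % cookie, send_probe(HOST, PATH, OP, with_cookie=cookie))
        except OSError as exc:
            print("cookie=%s -> no connection (%s)" % (cookie, exc))
```

While the blocking policy has only Learn and Alarm set, the probe with a cookie comes back as a normal reply and the violation appears in the logs and learning screens rather than as a fault; once Block is enabled for the relevant violations, the same probe should classify as a fault while the plain probe still classifies as ok.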