Manual Chapter: Creating a Security Policy Using a Test Environment

In this implementation, we describe the process for automatically building a security policy that is based on trusted traffic in a quality assurance or test environment. You create this security policy by using the Deployment Wizard. The Deployment Wizard guides you through the following tasks:
Verifying that the application servers are receiving traffic and that Application Security Manager is logging the traffic
Important: This implementation assumes that you have already configured the network settings that are appropriate for your environment. Refer to Chapter 2, Reviewing Network Configuration Tasks, if you have not yet configured network connectivity.
Once you have completed the network configuration and updated the system-supplied attack signatures, you are ready to start the Deployment Wizard. The Deployment Wizard automates several essential configuration tasks, to expedite the initial configuration of a security policy.
When you start the Deployment Wizard, you select a deployment scenario. Each deployment scenario includes preset configuration options. The configuration options are tailored to address the needs of the environment or application for which you are creating a security policy. For this implementation, which uses the QA lab deployment scenario, the default security policy uses these settings:
Adds wildcard match all (*) entities for object types, objects, and parameters.
Important: You can run the Deployment Wizard only for new, unconfigured web applications, so do not set the language encoding for a new web application if you want to use the Deployment Wizard.
Note: If you have not yet configured the basic local traffic settings, refer to Chapter 2, Reviewing Network Configuration Tasks, and perform those tasks. Once you have completed the tasks outlined in that chapter, you can proceed with this implementation.
1. On the Main tab of the navigation pane, expand Application Security and click Web Applications.
   The Web Applications screen opens.
2. Click the Set Language link.
   The Web Application Properties screen opens.
3. In the Deployment Wizard area, click the Run Deployment Wizard button.
   The ASM Deployment Wizard starts.
4.
5. Click the Next button.
   The Web Application Properties screen opens.
The web application properties include selecting the web application language and, optionally, configuring a URL for dynamic session IDs. For additional information on web application configuration, see the Working with Web Applications chapter in the Configuration Guide for BIG-IP® Application Security Management.
1. On the Web Application Properties screen, for the Application Language setting, select one of the following options:
   Leave the setting at the default value, Auto detect.
   The Deployment Wizard determines the language encoding based on application data.
2. If the web application includes session information in its URLs, then you can enable the Dynamic Sessions in URL setting. See Chapter 6, Extracting Dynamic Session Information from URLs, for more information.
3. Click Next.
   The screen refreshes, and displays the active security policy and the logging profile.
Before the Deployment Wizard starts the Policy Builder, the wizard verifies that the application servers are receiving traffic. In the messages and information area of the screen (near the top), you see a notification that the system is checking to see if Application Security Manager is logging requests. The Deployment Wizard moves to the next phase only after it has successfully logged one request.
Message: The ASM logging failed.
If you see this message, then you need to review the networking configuration.
Message: ASM logging started successfully.
If you see this message, then the Deployment Wizard starts the Policy Builder.
After the Deployment Wizard has successfully tested the logging mechanism, the wizard automatically starts the Policy Builder. The Policy Builder is an automated tool that discovers and populates the security policy with the web application entities. As the Policy Builder runs, you see status messages in the messages and information area of the screen. The status messages include information on the number of parsed requests, and the number of found object types, objects, and parameters.
The deployment scenario that you select when you first start the Deployment Wizard determines the Policy Builder settings. For this implementation, the Policy Builder uses the following settings:
The Traffic Source option is set to Live Traffic.
The Continuous Mode option is set to Run continuously.
The Track Site Changes option is set to On.
The Security Template option is set to Basic.
The Policy Builder runs until it no longer discovers new entities. Depending on your web application, and the typical traffic flow, this process may take from a few hours up to several days. Once the Policy Builder has finished running, you finalize the security policy, and exit the Deployment Wizard.
Note: For more information on the Policy Builder, see the Building a Security Policy with the Policy Builder chapter of the Configuration Guide for BIG-IP® Application Security Management.
The Deployment Wizard notifies you in the messages and information area of the screen when the Policy Builder has finished building the new security policy. At this point you can finalize the security policy, and finish the deployment process.
2. Click Finish.
The Deployment Wizard performs the action you specified, and exits. The wizard also takes the following actions:
Clears the wildcard match all (*) entities from the object types, objects, and parameters lists (if required)
Changes the web application logging profile from Log all requests to Log illegal requests
Performs the Apply Policy action
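The two phases described above, learning entities from trusted QA traffic while wildcard (*) entities accept everything, then clearing the wildcards on Finish so that only learned entities are legal, can be illustrated with a small model. The following is an added example written for this page; it is not F5's Policy Builder or Policy Enforcer code, and it assumes a simplified mapping (object type = file extension of the request path, object = the path itself, parameter = query-string name) and uses constructed request lines rather than real ASM logs.

```python
"""Toy positive-security-policy builder (added example, not F5 code).

Mimics the chapter's flow: during learning, wildcard (*) entities accept
any request while entities seen in trusted traffic are recorded; on finish
the wildcards are cleared and unseen entities become violations.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qs
import posixpath


@dataclass
class Policy:
    # Assumed simplification: object types are file extensions, objects are
    # URL paths, parameters are query-string names. "*" is the wildcard entity.
    object_types: set = field(default_factory=lambda: {"*"})
    objects: set = field(default_factory=lambda: {"*"})
    parameters: set = field(default_factory=lambda: {"*"})
    learning: bool = True


def _entities(request_line):
    """Split a request line such as 'GET /a.php?x=1 HTTP/1.1' into entities."""
    _method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    ext = posixpath.splitext(parts.path)[1].lstrip(".") or "no_ext"
    params = set(parse_qs(parts.query, keep_blank_values=True))
    return ext, parts.path, params


def learn(policy, request_lines):
    """Learning phase: record every entity observed in trusted traffic."""
    for line in request_lines:
        ext, path, params = _entities(line)
        policy.object_types.add(ext)
        policy.objects.add(path)
        policy.parameters.update(params)
    return policy


def finish(policy):
    """Finish: clear the wildcard entities and switch to enforcement."""
    for entity_set in (policy.object_types, policy.objects, policy.parameters):
        entity_set.discard("*")
    policy.learning = False
    return policy


def evaluate(policy, request_line):
    """Return the list of violations for a request; an empty list is legal."""
    ext, path, params = _entities(request_line)
    violations = []
    if "*" not in policy.object_types and ext not in policy.object_types:
        violations.append(f"illegal object type: {ext}")
    if "*" not in policy.objects and path not in policy.objects:
        violations.append(f"illegal object: {path}")
    unknown = params - policy.parameters
    if "*" not in policy.parameters and unknown:
        violations.append(f"illegal parameters: {sorted(unknown)}")
    return violations


# Constructed sample of trusted QA traffic (not real logs).
TRUSTED_QA_TRAFFIC = [
    "GET /index.html HTTP/1.1",
    "GET /login.php?user=alice HTTP/1.1",
    "POST /login.php?user=alice&next=/home HTTP/1.1",
    "GET /images/logo.png HTTP/1.1",
]

if __name__ == "__main__":
    pol = learn(Policy(), TRUSTED_QA_TRAFFIC)
    print("learned objects:", sorted(pol.objects))
    # While learning, the wildcard still makes an unseen request legal.
    print("learning:", evaluate(pol, "GET /admin/backup.bak HTTP/1.1"))
    finish(pol)
    # After Finish, the same request violates object type and object.
    print("enforcing:", evaluate(pol, "GET /admin/backup.bak HTTP/1.1"))
```

The model shows why the wizard clears the wildcards only at Finish: if they were removed while the Policy Builder was still discovering entities, every not-yet-learned request would be reported as illegal, which is also why the chapter recommends letting the builder run until it no longer finds new entities.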
You can configure any of the following additional options to further customize the security policy for your web site or application.
Custom blocking response page
When the Policy Enforcer blocks a request, the system returns the blocking response page to the offending client. You can use the default blocking response page, or you can customize the page as needed. For additional information, refer to Configuring the response pages, in the Working With the Security Policy chapter of the Configuration Guide for BIG-IP® Application Security Management.
Sensitive parameters
If the web application includes parameters that contain sensitive information, such as passwords or user account numbers, you can configure them as sensitive parameters. For more information, see Configuring sensitive parameters, in the Working With the Security Policy chapter of the Configuration Guide for BIG-IP® Application Security Management.
Flow access to prevent forceful browsing
For web applications that have login and logout screens, you can configure the valid access points for those screens, which prevents forceful browsing of the web application. For more information, see Configuring flow access to prevent forceful browsing, in the Working With the Security Policy chapter of the Configuration Guide for BIG-IP® Application Security Management.
