Introducing the Application Security Module
Introducing the BIG-IP system
F5 Networks' BIG-IP® system is a port-based, multilayer switch that supports virtual local area network (VLAN) technology. Because hosts within a VLAN can communicate at the data-link layer (Layer 2), a BIG-IP system reduces the need for routers and IP routing on the network. This in turn reduces equipment costs and boosts overall network performance. At the same time, the BIG-IP system's multilayer capabilities enable the system to process traffic at other OSI layers. The BIG-IP system can perform IP routing at Layer 3, as well as manage and secure TCP, UDP, and other application traffic at Layers 4 through 7. The following software modules provide comprehensive traffic management and security for all traffic types. The modules are fully integrated to provide efficient solutions to meet any network, traffic management, and security needs.
- BIG-IP Local Traffic Manager
The BIG-IP system includes local traffic management features that help you make the most of network resources such as web servers. Using the powerful Configuration utility, you can customize the way that the BIG-IP system processes specific types of protocol and application traffic. By using features such as virtual servers, server pools, profiles, and iRules™, you ensure that traffic passing through the BIG-IP system is processed quickly and efficiently, while meeting all of your security needs. For more information, see the Configuration Guide for Local Traffic Management.
- BIG-IP Application Security Module
The Application Security Module provides web application protection from application-layer attacks. The Application Security Module protects Web applications from both generalized and targeted application layer attacks including buffer overflow, SQL injection, cross-site scripting, and parameter tampering.
Overview of the BIG-IP Application Security Module
The BIG-IP® Application Security Module is designed to protect mission-critical enterprise Web infrastructure against application layer attacks, and to monitor the protected web applications. The Application Security Module can prevent a variety of web application attacks, such as:
- Manipulation of cookies or hidden fields.
- Insertions of SQL commands or HTTP structures into user input fields in order to expose confidential information or to deface content.
- Malicious exploitations of the application memory buffer to stop services, to get shell access and to propagate worms.
- Unauthorized changes to server content using HTTP Delete and Put commands.
- Attempts aimed at causing the web application to be unavailable or to respond slowly to legitimate users.
- Forceful browsing.
- Unknown threats, also known as zero-day threats.
Summary of the Application Security Module features
The Application Security Module includes the following features.
- Integrated platform guaranteeing the delivery of secure application traffic
Built on F5 Networks' award-winning TMOS architecture, the ICSA-certified, positive security Application Security Module is fully integrated with the BIG-IP Local Traffic Manager.
- Attack Filters
The Attack Filters in the Application Security Module offer protection from generalized and known application attacks such as known worms, vulnerabilities, and requests for restricted files and objects.
- Positive Security Model
The Application Security Module creates a robust positive security policy to completely protect web applications from targeted web application layer threats, such as buffer overflows, SQL injection, cross-site scripting, cookie poisoning, and others, by allowing only valid application transactions. The positive security model is based on a combination of valid user session context and valid user input, as well as a valid application response.
- Integrated, simplified management
The browser-based Configuration utility provides network device configuration, centralized visual security policy management, and easy to read audit reports. Additional tools provide a highly automated and visual security policy building mechanism, based on a proprietary Crawler tool that automatically builds a map of all the valid application transactions and drastically simplifies the policy management.
- Role-based administration
The BIG-IP system supports role-based administration. Application owners can audit and maintain application policies, while network security personnel maintain the device.
- Configurable security levels
The module offers varying levels of security from basic intrusion protection services (IPS), to customizable, granular, application security policy enforcement. This flexibility provides enterprises the ability to choose the level of security they need, and reduce management costs based on the level of protection and risks acceptable to their business environment.
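The positive security model described above admits only transactions the policy explicitly permits: a known URL, an allowed method on that URL, and parameters whose names and formats are on the allowlist. The following is an added illustration of that model, not F5 code and not the module's policy format; it assumes a small hand-written policy (in the product the Crawler builds the equivalent map) and constructed sample requests. Each of the request types the module is described as catching (forceful browsing, parameter tampering, an injected value in a numeric field, an HTTP DELETE against static content) is rejected without any attack signature, purely because it is not on the allowlist.

```python
"""Toy positive-security (allowlist) request check.

Added example, not part of the F5 documentation or product. The policy
structure and the check_request() function are hypothetical; they only
illustrate the positive model, in which anything not explicitly allowed
is a violation.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Hypothetical policy: per-URL allowed methods and per-parameter formats.
# Patterns are matched with re.fullmatch, so the whole value must conform.
POLICY = {
    "/login": {
        "methods": {"POST"},
        "params": {
            "user": r"[A-Za-z0-9_.@-]{1,64}",
            "pass": r".{1,128}",
        },
    },
    "/product": {
        "methods": {"GET"},
        "params": {"id": r"[0-9]{1,8}"},
    },
    "/logo.png": {"methods": {"GET"}, "params": {}},  # static object, GET only
}


@dataclass
class Request:
    """Minimal parsed HTTP request: method, path, and query/form parameters."""
    method: str
    path: str
    params: Dict[str, str] = field(default_factory=dict)


def check_request(req: Request, policy=POLICY) -> Tuple[bool, List[str]]:
    """Return (allowed, violations) for one request under the allowlist policy.

    The decision is positive: a request is allowed only if its URL, method and
    every parameter match the policy. Unknown URLs, unknown parameters and
    values outside the declared format are all reported as violations.
    """
    violations: List[str] = []
    rule = policy.get(req.path)
    if rule is None:
        # No entry for the URL at all: the client is browsing outside the map.
        return False, ["unknown URL (forceful browsing)"]
    if req.method not in rule["methods"]:
        violations.append(f"method {req.method} not allowed on {req.path}")
    for name, value in req.params.items():
        pattern = rule["params"].get(name)
        if pattern is None:
            # Parameter the application never defined: tampering or probing.
            violations.append(f"unexpected parameter {name!r}")
            continue
        if re.fullmatch(pattern, value) is None:
            # Value outside the declared format, e.g. text in a numeric field.
            violations.append(f"parameter {name!r} fails format check")
    return (not violations), violations


# Constructed sample traffic: one valid transaction and four policy violations.
SAMPLE_REQUESTS = [
    Request("POST", "/login", {"user": "alice", "pass": "s3cret"}),
    Request("GET", "/product", {"id": "1 OR 1=1"}),
    Request("DELETE", "/logo.png"),
    Request("GET", "/admin"),
    Request("POST", "/login", {"user": "alice", "pass": "x", "role": "admin"}),
]


def evaluate_samples() -> List[Tuple[str, bool, List[str]]]:
    """Run every constructed sample through the policy and collect the verdicts."""
    return [(f"{r.method} {r.path}", *check_request(r)) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for label, ok, why in evaluate_samples():
        print(f"{'ALLOW' if ok else 'BLOCK':5} {label:22} {'; '.join(why)}")
```

The point of the example is that the fourth request (a DELETE on an image) and the last one (an extra `role` parameter) are blocked even though no signature describes them; a negative, signature-only filter would need a rule for each. Missing required parameters and response validation, which the module's model also covers, are deliberately left out of this toy check.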
Introducing application security for the BIG-IP Local Traffic Manager
The Application Security Module is the front-line defense for web application resources managed by the BIG-IP Local Traffic Manager. When you configure a security policy using the Application Security Module, and then configure one or more local traffic virtual servers to use that policy, you exponentially reduce the possibility of your web application and resources becoming victims of application-layer attacks. The Application Security Module is fully integrated with the Local Traffic Manager, providing easy configuration and management of your web application security throughout the life of the application.
Highlights of this configuration guide
The Configuration Guide for the BIG-IP® Application Security Module contains configuration information for all of the components of the module, including:
- Application Security Classes
- Web applications
- Security policies
- Monitoring tools
- Statistics and logging options
The Configuration Guide also contains information on configuring a local traffic virtual server to use an application security class to protect the web application resources. The application security class is the bridge between the Application Security Module and the Local Traffic Manager.
For detailed information on configuring the Local Traffic Manager objects, refer to the Configuration Guide for Local Traffic Management, which is available on the Technical Support web site, http://tech.f5.com.
Using the Configuration utility
The Configuration utility is the browser-based graphical user interface for the BIG-IP system. The Configuration utility provides access to the Application Security Module configuration objects, as well as the network, system, and local traffic configuration objects. Figure 1.1 displays the Welcome screen of the Configuration utility.
Figure 1.1 Welcome screen in the Configuration utility
All users need to use the web-based Configuration utility to license the system for the first time.
Browser support for the Configuration utility
You can use any of the following web browsers to access the Configuration utility.
- Microsoft® Internet Explorer™, versions 5.0, 5.5, and 6.0
- Netscape® Navigator™, version 7.1
- Mozilla™, Firefox™, Camino™, and other browsers using the same engine as Netscape Navigator 7.1
For the most current list of the supported browsers for the Configuration utility, refer to the current release note at http://tech.f5.com.
Identifying referrer objects in the Configuration utility
In the Configuration utility, green URLs indicate non-referrer objects, while gold URLs indicate referrer objects. Referrers are web pages that can request other objects. For example, an HTML page can request a GIF, JPG, or PNG image file. The HTML page is a referrer, and the GIF, JPG, and PNG files are non-referrers.
Stylistic conventions in this document
To help you easily identify and understand certain types of information, this documentation uses the following stylistic conventions.
Using the solution examples
All examples in this documentation use only private IP addresses. When you set up the solutions we describe, you must use IP addresses suitable to your own network in place of our sample IP addresses.
Identifying new terms
When we first define a new term, the term is shown in bold italic text. For example, a referrer is a web page that calls other web objects, such as image files.
Identifying references to products
We refer to all products in the BIG-IP product family as BIG-IP systems. We refer to the software modules by their name, for example, we refer to the Local Traffic Manager module as simply the Local Traffic Manager. If configuration information relates to a specific hardware platform, we note the platform.
Identifying references to objects, names, and commands
We apply bold text to a variety of items to help you easily pick them out of a block of text. These items include web addresses, IP addresses, utility names, most controls in the Configuration utility, and portions of commands, such as variables and keywords. For example, the nslookup command requires that you include at least one <ip_address> variable.
Identifying references to other documents
We use italic text to denote a reference to another document. In references where we provide the name of a book as well as a specific chapter or section in the book, we show the book name in bold, italic text, and the chapter/section name in italic text to help quickly differentiate the two. For example, you can find information about local traffic virtual servers in the Configuration Guide for Local Traffic Management, Chapter 2, Configuring Virtual Servers.
Identifying command syntax
We show actual, complete commands in bold Courier text. Note that we do not include the corresponding screen prompt, unless the command is shown in a figure that depicts an entire command line screen. Table 1.1 explains additional special conventions used in command line syntax.
Table 1.1 Command line conventions used in this manual

The table lists each special item as it appears in text, together with its meaning. Only the descriptions survive in this copy; the items themselves are not shown.
- Continue to the next line without typing a line break.
- You enter text for the enclosed item. For example, if the command has <your name>, type in your name.
- Separates parts of a command.
- Syntax inside the brackets is optional.
- Indicates that you can type a series of items.
Finding help and technical support resources
You can find additional technical documentation and product information using the following resources:
- Online help for Application Security Module components
The Configuration utility has online help for each screen. The online help contains descriptions of each control and setting on the screen. Click the Help tab in the left navigation pane to view the online help for a screen.
- Welcome screen in the Configuration utility
The Welcome screen in the Configuration utility contains links to many useful web sites and resources, including the F5 Networks Technical Support web site, the F5 Solution Center, the F5 DevCentral web site, plug-ins, SNMP MIBs, the Policy Browser, and SSH clients.
- F5 Networks Technical Support web site
The F5 Networks Technical Support web site, http://tech.f5.com, provides the latest documentation for the product, including:
- Release notes for the Application Security Module and the Local Traffic Manager, current and past
- Configuration Guide for Local Traffic Management
- Installation, Licensing, and Upgrades for BIG-IP Systems
- BIG-IP Network and System Management Guide
- Platform Guide: 1500, 3400, 6400, and 6800
- Technical notes
- Answers to frequently asked questions
- The AskF5 natural language question and answer engine
To access this site, you need to register at http://tech.f5.com.