Manual Chapter: Configuration Guide for the BIG-IP® Application Security Module: Refining the Security Policy with Learning Tools


4 Refining the Security Policy with Learning Tools


Overview of the Learning tools

The Learning tools help you fine tune the security policies for a web application to recognize typical requests for the web application. When you start sending traffic through the Application Security Module, you can use the Learning tools to refine the security policy to recognize the expected behavior of traffic sent to the protected web application. You can then update the security policy based on this data. The result is that the security policy does not prevent legal requests from legitimate users from accessing the protected web application.

The Learning tools are as follows:

  • Policy Enforcer
    The Policy Enforcer applies the active security policy to each request for the web application. If the request complies with the security policy, the Policy Enforcer forwards the request on to the web application. If the request does not comply with the security policy, the Policy Enforcer generates a violation (or violations), and then either forwards the request or blocks the request, depending on the blocking mode of the policy.
  • Learning Manager
    The Learning Manager parses the security policy violations that the Policy Enforcer generates, and generates learning suggestions based on those policy violations. As visitors move through the web application, the Learning Manager captures requests that contradict the current policy settings, and records the learning suggestions on the Traffic Learning screen.
  • Traffic Learning screen
    The Traffic Learning screen displays learning suggestions that the Learning Manager generates. The learning suggestions are categorized by violation type. It is important to note that the learning suggestions are based on the currently-active security policy.
  • Crawler Learning screen
    You can configure the Crawler tool to run in Learning mode. The Crawler Learning screen displays the learning suggestions that the Crawler tool generates when you configure the Crawler tool in Learning mode. For information on using the Crawler tool in Learning mode, refer to Running the Crawler tool in Learning mode.
  • Auto-Accept tool
    The Auto-Accept tool automatically updates the security policy with any policy violations that it finds within a specific request. You can use the Auto-Accept tool to quickly and efficiently build a new security policy.
  • Forensics screen
    The request Forensics screen lists the incoming requests. From this screen, you can view the entire contents of the actual request. By default, this screen displays only requests for which the Policy Enforcer has detected one or more security policy violations. However, you can use the Filter option to display the requests based on the criteria of your choice.
  • Ignored Items screen
    The Ignored Items screen lists the object types, objects, and flows that you have instructed the Learning Manager to ignore, that is, to stop generating learning suggestions for. Typically, the ignored items are items that you do not want to be a part of the security policy.

Configuring the Learning accept mode

For each web application, the Learning process has three accept modes: for all security policies, for the active security policy, or for a specific security policy. The Learning accept mode determines how the system applies any changes, which are a result of the learning suggestions recorded by the Learning Manager, to the security policies.

For example, say that the Learning Manager records a learning suggestion for an illegal object type violation for a *.gif file, and you have selected the Learning accept mode, All Security Policies. When you accept the learning suggestion, the system updates all of the security policies for the web application to accept *.gif files, and the Learning Manager no longer records illegal object type violations for *.gif files, regardless of which security policy is active for the web application.

To configure the Learning accept mode

  1. On the Main tab in the navigation pane, expand Application Security, and then click Web Applications.
    The Web Applications list screen opens.
  2. Click a web application name.
    The Web Applications properties screen opens.
  3. In the Web Application Properties section, in the Accept Learning For list, select the Learning accept mode for this web application.
  4. Click Update.
    The system saves any changes you have made.

Important

The Learning Manager generates learning suggestions based on the traffic through the current active security policy, but can potentially update all of the security policies for the web application, based on the setting you configure for the Learning accept mode.

Working with the learning suggestions generated by the Learning Manager

When the Policy Enforcer finds a violation of the security policy in a request from a client, it logs the violation in the policy violations log. The Learning Manager generates learning suggestions by parsing this policy violations log. The Learning Manager then updates both the Traffic Learning screen and the Forensics screen with the violating request information. From these screens, you can review the learning suggestions and violating requests to determine whether you need to update the security policy.

To view the learning suggestions generated from real traffic

  1. On the Main tab of the navigation pane, expand Application Security, and then click Web Applications.
    The Web Applications list screen opens.
  2. Click a web application name.
    The Web Application properties screen opens.
  3. On the menu bar, click Traffic Learning.
    The Traffic Learning screen opens, where you can review the current learning suggestions, and the number of occurrences for each violation category.

Figure 4.1 displays an example of the Traffic Learning screen, where there are learning suggestions for these violation types: Illegal object type, Non existent object, Length errors, Illegal meta character in header value, and Illegal meta character in parameter name.

Figure 4.1 Example of the Traffic Learning screen

Viewing a specific learning suggestion

On the Traffic Learning screen, the violation types become hyperlinks when the Learning Manager generates a learning suggestion.

To view the details of a learning suggestion

  1. On the Main tab of the navigation pane, expand Application Security, and then click Web Applications.
    The Web Applications list screen opens.
  2. Click a web application name.
    The Web Application properties screen opens.
  3. On the menu bar, click Traffic Learning.
    The Traffic Learning screen opens.
  4. In the Traffic Learning section, click a violation type hyperlink to view the specific elements in the request that triggered the policy violation and the corresponding learning suggestion.
    The screen refreshes, and the system displays the specific violations that caused the learning suggestions.

Figure 4.2 displays the policy violations that triggered the illegal object type learning suggestions in the sample web application.

Figure 4.2 Example of illegal object type learning suggestions

Viewing the requests that trigger learning suggestions

You can review the requests that trigger the learning suggestions by examining the occurrences of each learning suggestion. For example, in Figure 4.2, if you click the number of occurrences next to the object type gif, a screen similar to that shown in Figure 4.3 opens.

Figure 4.3 Example of requests that triggered an illegal object type learning suggestion

To view all of the requests that triggered a learning suggestion

  1. On the Main tab of the navigation pane, expand Application Security, and then click Web Applications.
    The Web Applications list screen opens.
  2. Click a web application name.
    The Web Application Properties screen opens.
  3. On the menu bar, click Traffic Learning.
    The Traffic Learning screen opens.
  4. In the Traffic Learning section, click a violation type hyperlink to view the specific elements in the request that triggered the policy violation and the corresponding learning suggestion.
    The screen refreshes, and the system displays the request elements that caused the learning suggestions.
  5. In the Occurrences column, click the number.
    The requests list screen opens, and displays all of the requests that contained an item that triggered the learning suggestion.

Viewing the details of a specific request

Before you process a learning suggestion, it is very helpful to examine the details of the request that caused the learning suggestion. You can view the details of a specific request by clicking the requested object in the Object column on the Requests screen, as shown in Figure 4.3.

To view a specific request that triggered a learning suggestion

  1. On the Main tab of the navigation pane, expand Application Security, and then click Web Applications.
    The Web Applications list screen opens.
  2. Click a web application name.
    The Web Application properties screen opens.
  3. On the menu bar, click Traffic Learning.
    The Traffic Learning screen opens.
  4. In the Traffic Learning section, click a violation type hyperlink to view the specific elements in the request that triggered the policy violation and the corresponding learning suggestion.
    The screen refreshes, and the system displays the request elements that caused the learning suggestions.
  5. In the Occurrences column, click the number.
    The requests list screen opens, and displays all of the requests that contained an item that triggered the learning suggestion.
  6. In the Object column, click a request.
    The request details screen opens, where you can review the details of the request that triggered a learning suggestion, as shown in the example in Figure 4.4.


Figure 4.4 Example of a request that triggered a learning suggestion

Processing the learning suggestions generated by the Learning Manager

The Learning Manager generates learning suggestions throughout the life of the security policy. When you are refining a new security policy, a majority of the learning suggestions are actually web objects, or some other component of the application, that are missing from the security policy. However, when the Policy Enforcer detects violations for an existing policy, the violations may be related to a real attack, and therefore warrant more careful inspection before you accept the corresponding learning suggestions, and update the security policy. In both cases, you should carefully review the request for which the learning suggestion was generated.

Once you have reviewed the learning suggestions (violations) that the Learning Manager records on the Traffic Learning screen, you must decide what to do with them in regard to the security policy. You can do one of three things with the recommendation: accept it, clear it, or reject it.

Accepting a learning suggestion

When you accept a learning suggestion, the system updates one or more of the web application's security policies to accept the request component that triggered the violation. The system determines which security policies to update based on the Learning accept mode that you configured for the web application. For more information on setting the Learning accept mode, see Configuring the Learning accept mode.

To accept a learning suggestion

  1. On the Main tab of the navigation pane, expand Application Security, and then click Web Applications.
    The Web Applications list screen opens.
  2. Click a web application name.
    The Web Application properties screen opens.
  3. On the menu bar, click Traffic Learning.
    The Traffic Learning screen opens.
  4. Click a violation type hyperlink.
    The learning suggestions properties screen opens.
  5. Select a learning suggestion, and then click Accept.
    The system updates the security policy with the element in the request that caused the learning suggestion.

Clearing a learning suggestion

When you clear a learning suggestion, the system deletes the learning suggestion, and does not update the security policy. The Learning Manager continues to generate learning suggestions for future instances of the violation.

To clear a learning suggestion

  1. On the Main tab of the navigation pane, expand Application Security, and then click Web Applications.
    The Web Applications list screen opens.
  2. Click a web application name.
    The Web Application properties screen opens.
  3. On the menu bar, click Traffic Learning.
    The Traffic Learning screen opens.
  4. Click a violation type hyperlink.
    The violation properties screen opens.
  5. Select a learning suggestion, and then click Clear.
    A Confirm Delete popup screen opens.
  6. Click OK.
    The system deletes the learning suggestion. The Learning Manager continues to report this policy violation as a learning suggestion.

Tip

For a description of the possible violation types that the Learning Manager can report, refer to Understanding security policy violations.

Rejecting a learning suggestion

When you reject a learning suggestion, the system deletes the learning suggestion, and updates the ignored items list for the security policy. The Learning Manager does not report future instances of the violation. You can reject learning suggestions for the following violation types: illegal object, non-existent object, and illegal flow to object.

To reject a learning suggestion

  1. On the Main tab of the navigation pane, expand Application Security, and then click Web Applications.
    The Web Applications list screen opens.
  2. Click a web application name.
    The Web Application properties screen opens.
  3. On the menu bar, click Traffic Learning.
    The Traffic Learning screen opens.
  4. Click a violation type hyperlink.
    The violation properties screen opens. The information on these screens varies depending on the violation type.
  5. Select a learning suggestion, and then click Clear.
    A Confirm Delete popup screen opens.
  6. Check the Reject items from learning? box, and then click OK.
    The system deletes the learning suggestion, and updates the Ignored Items list for the web application. The Learning Manager no longer generates learning suggestions for this policy violation.

Additional considerations when processing learning suggestions

When you are processing the learning suggestions, we recommend that you process them in the following order. By doing so, you build the security policy in a logical fashion, first adding the object types, and then expanding the information about those object types. As you refine the security policy, the learning suggestions for each violation category should diminish.

  • Illegal object types
  • Length errors
  • Illegal objects
  • Illegal flows
  • Illegal query string or POST data
  • Illegal parameters
  • Illegal parameter values

Important

Use these guidelines only when you are processing learning suggestions generated either from known, safe traffic, or from the Crawler learning process. When you are processing learning suggestions from real client traffic, each must be considered a potential threat.

Important

The Learning Manager does not generate learning suggestions for requests that cause non-existent object violations if the web server sends an HTTP 404 response. This situation exists only if you are using an APC security policy in transparent mode.

Working with learning suggestions generated by the Crawler tool

When you are configuring a security policy with a high-security (APC) security level, you can use the Crawler tool to populate the security policy. You can run the Crawler tool in regular mode or Learning mode. In regular mode, the Crawler tool automatically updates the security policy with any web application components that it finds. In Learning mode, the Crawler tool records all of the web application objects that it finds on the Crawler Learning screen. One of the advantages of running the Crawler tool in Learning mode is that you can review all of the web objects that it finds, in a central location (the Crawler Learning screen), before you update the security policy. For more information on running the Crawler tool in Learning mode, see Running the Crawler tool in Learning mode.

You process the learning suggestions generated by the Crawler tool in the same manner as learning suggestions generated by the Learning Manager. Refer to Processing the learning suggestions generated by the Learning Manager for additional information.

To view learning suggestions generated by the Crawler tool

  1. On the Main tab of the navigation pane, expand Application Security, and then click Web Applications.
    The Web Applications list screen opens.
  2. Click a web application name.
    The Web Application properties screen opens.
  3. On the menu bar, click Crawler Learning.
    The Crawler Learning screen opens.
  4. Click a violation type hyperlink.
    The learning suggestions properties screen opens. The information on these screens varies depending on the violation type.

Overview of the Auto-Accept tool

The Auto-Accept tool facilitates the policy-building process, and complements the Learning Manager. You can configure the Auto-Accept tool to automatically update a security policy with certain types of information, which helps ease the setup and maintenance of a security policy. As you run safe traffic through the web application, the Auto-Accept tool updates the security policy with the components and elements that you specify in the Auto-Accept properties.

Important

We recommend that you use the Auto-Accept tool only with safe traffic, that is, traffic from a known, trusted source.

Important considerations regarding the Auto-Accept tool

You must use the Auto-Accept tool with ultimate care due to its immediate and comprehensive impact on the security policy. When you run the Auto-Accept tool, it automatically and instantly updates the security policy. As such, we recommend that you become familiar with the limitations of the tool before you use it to help build a security policy.

Configuration limitations of the Auto-Accept tool

The Auto-Accept tool has the following limitations.

  • The Auto-Accept tool does not automatically update a security policy with sensitive parameters, or illegal parameter data types.
  • The Auto-Accept tool works only with learning suggestions generated by the Learning Manager. The Auto-Accept tool does not accept violations generated by running the Crawler tool.
  • The Auto-Accept tool does not automatically update APC security policies with the names of modified domain cookies. All of these violations must be handled on an individual basis.
  • The Auto-Accept tool works only for security policies that use the simple flow mode.
  • The Auto-Accept tool cannot determine whether a certain request contains form-filling parameters, since the Auto-Accept tool does not get the response which precedes the request that it is supposed to auto-accept. As a result, the Auto-Accept tool has no way of knowing that the parameters and their values that appear in a given request are for a form that should be filled.

Configuring the Auto-Accept tool settings

You configure the Auto-Accept settings per security policy.

To configure the Auto-Accept tool settings

  1. On the Main tab in the navigation pane, expand Application Security, and then click Web Applications.
    The Web Applications list screen opens.
  2. Click a web application name.
    The Web Applications properties screen opens.
  3. In the Policies List, in the Policy Name column, click the security policy name.
    The Policy Properties screen opens.
  4. In the Build Tools section, click the Settings button for the Auto-Accept option.
    The Auto-Accept Properties screen opens, where you can configure the settings for the Auto-Accept tool.
  5. Click Update to save any changes you may have made. Alternately, click Restore Defaults to return the settings to their original configuration.

Table 4.1 lists the Auto-Accept properties and a description of their usage.

Table 4.1 Auto-Accept settings and descriptions

  • Request Source IP
    Specifies the IP addresses from whose requests the Auto-Accept tool distills security policy updates. We recommend that you specify only IP addresses from known, trusted sources.
  • Request Time Range
    Specifies a length of time during which the Auto-Accept tool updates the security policy with the components and elements it discovers in requests.
  • Request Object
    Specifies the objects in the request from which the Auto-Accept tool updates the components and elements of the security policy.

Note

If you configure one or more of the Auto-Accept settings, the Auto-Accept tool distills the security policy updates only from those requests which meet all of the specified criteria.
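The following is an added example, not part of this manual and not ASM code, that models the learning workflow this chapter describes: how accepting, clearing and rejecting a suggestion (see Processing the learning suggestions generated by the Learning Manager) differ in their effect on the policy and the Ignored Items list, and how the Auto-Accept criteria in Table 4.1 are combined so that only requests meeting all of them update the policy. The request records, field names and the policy model are constructed for illustration; it assumes a request that matches every configured criterion causes the violation it carries to be accepted.

```python
from dataclasses import dataclass, field

# Constructed sample of violating requests, with the fields the chapter says the
# Forensics screen records (time, source IP, requested object) plus the violation
# the Policy Enforcer raised. Times are ISO-8601 strings so they compare textually.
SAMPLE_REQUESTS = [
    {"time": "2024-01-10T09:00:00", "src": "10.0.0.5", "object": "/img/logo.gif",
     "violation": "Illegal object type", "element": "gif"},
    {"time": "2024-01-10T09:01:00", "src": "10.0.0.5", "object": "/img/bg.gif",
     "violation": "Illegal object type", "element": "gif"},
    {"time": "2024-01-10T09:02:00", "src": "203.0.113.9", "object": "/etc/passwd",
     "violation": "Non existent object", "element": "/etc/passwd"},
    {"time": "2024-01-11T15:00:00", "src": "10.0.0.5", "object": "/app/run.exe",
     "violation": "Illegal object type", "element": "exe"},
]


@dataclass
class SecurityPolicy:
    # Hypothetical minimal policy: the object types it allows, plus the items
    # the Learning Manager has been told to ignore (the Ignored Items list).
    allowed_object_types: set = field(default_factory=lambda: {"html", "jsp"})
    ignored_items: set = field(default_factory=set)


@dataclass
class LearningManager:
    policy: SecurityPolicy
    # (violation type, element) -> the requests that triggered it
    suggestions: dict = field(default_factory=dict)

    def ingest(self, requests):
        """Turn violating requests into learning suggestions. Elements already in
        the policy raise no violation; ignored items produce no suggestion."""
        for r in requests:
            key = (r["violation"], r["element"])
            if r["violation"] == "Illegal object type" and \
                    r["element"] in self.policy.allowed_object_types:
                continue
            if key in self.policy.ignored_items:
                continue
            self.suggestions.setdefault(key, []).append(r)

    def occurrences(self):
        """Occurrence count per suggestion, as shown on the Traffic Learning screen."""
        return {k: len(v) for k, v in self.suggestions.items()}

    def accept(self, key):
        """Accept: update the policy with the element, then drop the suggestion."""
        violation, element = key
        if violation == "Illegal object type":
            self.policy.allowed_object_types.add(element)
        del self.suggestions[key]

    def clear(self, key):
        """Clear: delete the suggestion only; future instances are reported again."""
        del self.suggestions[key]

    def reject(self, key):
        """Reject: delete the suggestion and add the item to the Ignored Items list."""
        self.policy.ignored_items.add(key)
        del self.suggestions[key]

    def auto_accept(self, src_ips=None, time_range=None, objects=None):
        """Accept a suggestion when one of its requests meets ALL configured criteria
        (Request Source IP, Request Time Range, Request Object); unset criteria match."""
        def matches(r):
            if src_ips and r["src"] not in src_ips:
                return False
            if time_range and not (time_range[0] <= r["time"] <= time_range[1]):
                return False
            if objects and r["object"] not in objects:
                return False
            return True
        accepted = [k for k, reqs in self.suggestions.items() if any(map(matches, reqs))]
        for key in accepted:
            self.accept(key)
        return accepted
```

Running the same traffic through again after each decision shows the difference: an accepted type and a rejected item stay silent, while a cleared suggestion comes back.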

Running the Auto-Accept tool

Once you have configured the settings for the Auto-Accept tool, you can then run the tool. The Auto-Accept tool automatically updates the security policy wherever the security policy does not map to the web application.

Tip

We recommend that you run the Auto-Accept tool only after the web application has received traffic from a known, trusted source.

To run the Auto-Accept tool

  1. On the Main tab in the navigation pane, expand Application Security, and then click Web Applications.
    The Web Applications list screen opens.
  2. Click a web application name.
    The Web Applications properties screen opens.
  3. In the Policies List, in the Policy Name column, click the security policy name.
    The Policy Properties screen opens.
  4. In the Build Tools section, click the Start button next to the Auto-Accept option.
    A popup screen opens, where you confirm that you want to run the Auto-Accept tool.
  5. Click the Run Auto-Accept button.
    The Auto-Accept Status popup screen opens, where you can observe the progress of the Auto-Accept tool.

Overview of the Forensics screen

For each web application, the Application Security Module records the requested objects on the Forensics screen. The Forensics screen provides the following information about a request: the status of the request, the time of the request, the type of request, the requested object itself, the server response, and the IP address for the source of the request.

To view the Forensics screen for a web application

  1. On the Main tab of the navigation pane, expand Application Security, and then click Web Applications.
    The Web Applications list screen opens.
  2. Click a web application name.
    The Web Application properties screen opens.
  3. On the menu bar, click Forensics.
    The Forensics screen opens.
  4. In the Requested Object column, click an object to view the details of the request.

Figure 4.5 shows an example of the Forensics screen.

Figure 4.5 Example of the Forensics screen

Overview of the Ignored Items screen

When you reject a learning suggestion for an object, an object type, or a flow, the Application Security Module adds the rejected item to the Ignored Items list. When the system receives subsequent requests for those rejected items, the system simply ignores that portion of the request.

To view the Ignored Items screen

  1. On the Main tab of the navigation pane, expand Application Security, and then click Web Applications.
    The Web Applications list screen opens.
  2. Click a web application name.
    The Web Application properties screen opens.
  3. On the menu bar, click Ignored Items.
    The Ignored Items screen opens, where you can review the ignored items for the web application.

Figure 4.6 shows an example of the Ignored Items screen.

Figure 4.6 Example of the Ignored Items screen
