Manual Chapter: Configuration Guide for BIG-IP® Application Security Management: 2 - Essential Configuration Tasks


2 Essential Configuration Tasks


Overview of the essential configuration tasks

This chapter is your guide to the essential configuration tasks you must complete to initially create and refine a standard security policy for a web application on the Application Security Manager. Implementing a security policy for a web application has two phases that correspond to the security policy modes: transparent and blocking. In phase one, the security policy operates in transparent mode to learn about the web application and the traffic that the web application processes. In phase two, you gradually activate the blocking mode to actively prevent illegal access to the web application.

The phase one configuration tasks are:

  • Define a local traffic pool.
    The local traffic pool contains the web server or application server resources that host the web application that you want to protect with a security policy. You create the local traffic pool, and then associate the pool with the application security class. See Defining a local traffic pool, for more information.
  • Define an application security class.
    When you define an application security class, the system automatically creates a corresponding web application and a default security policy in the Application Security Manager. See Defining an application security class, for more information.
  • Define a local traffic virtual server that uses the application security class as a resource.
    The local traffic virtual server load balances the network resources that host the web application you are securing. The application security class is the bridge that links the security policy to the web application traffic through the virtual server. You configure the virtual server, and then associate the application security class with the virtual server. See Defining a local traffic virtual server, for more information.
  • Set the language encoding for the web application.
    When you first create a web application in the application security configuration, you must configure the language encoding. See Configuring the web application language, for more information.
  • Evaluate the required security level for the web application.
    The type of security policy you configure depends on the required security level for the web application. Before you start configuring the security policy, you must assess the level of security that is appropriate for the web application, based on business requirements and available resources. See Determining the required security level for the web application, for more information.
  • Set the security policy to active.
    The active security policy is the security policy that the Policy Enforcer applies to incoming requests. See Setting the active policy for the web application, for more information.
  • Fine-tune the security policy using the Learning process.
    See Refining the security policy using the Learning process, for more information.

The phase two configuration tasks are:

  • Gradually activate blocking mode for the security policy to start protecting the web application.
    Once you are confident that the Learning process is reporting only legitimate security policy violations, you can transition the security policy from transparent mode to blocking mode. In blocking mode, the Policy Enforcer blocks requests that do not comply with the security policy, and forwards requests that do comply to the web application. We recommend that you enable blocking gradually, so that you can fine-tune the security policy as needed. See Activating blocking mode on the security policy, for more information.
  • Periodically review the security policy settings.
    To ensure that the security policy is providing adequate application security, review the forensics, monitoring, and statistics information on a regular basis. See Maintaining and monitoring the security policy, for more information.

This chapter describes, in detail, the tasks that you perform to configure a standard security policy for a web application hosted on a local traffic virtual server.

Important

The tasks described in this chapter begin after you have installed the BIG-IP system, activated the license, and configured the appropriate network settings. If you have not yet completed these activities, refer to the Installation, Licensing, and Upgrades for BIG-IP Systems guide, and the BIG-IP Network and System Management Guide for additional information. Both of these guides are available at http://tech.f5.com.

Defining a local traffic pool

The first configuration task is to define a local traffic pool. The local traffic pool contains the resources that host the actual web application content that you want to protect with the security policy.

Important

The following procedure outlines only the basic pool configuration. For detailed information on configuring pools, refer to the Configuration Guide for BIG-IP® Local Traffic Management, which is available on the AskF5 Technical Support web site, http://tech.f5.com.

To define a local traffic pool

  1. On the Main tab of the navigation pane, expand Local Traffic, and then click Pools.
    The Pools list screen opens.
  2. Click the Create button.
    The New Pool screen opens.
  3. In the Configuration area, in the Name box, type a name for the pool.
  4. In the Resources area, for the New Members setting, in the Address box, type the IP address for the web server or application server that hosts the web application.
  5. In the Service Port box, type the service port number (for example, type 80 for the HTTP service), or select a service name from the list.
  6. Click the Add button to add the resource to the New Members list.
  7. Click the Finished button.
    The screen refreshes and the system displays the new pool in the pools list.

Defining an application security class

The second task is to configure an application security class. An application security class is the logical bridge, or link, between the local traffic components and the application security components. You use the application security class to specify to which incoming HTTP traffic the system applies application security before the virtual server forwards the traffic to the web application. When you configure an application security class, the system automatically creates a default web application and a corresponding security policy on the Application Security Manager. See Chapter 3, Working With Application Security Classes, for more information on application security classes.

To create an application security class

  1. On the Main tab of the navigation pane, expand Application Security, and then click Classes.
    The HTTP Class Profiles list screen opens.
  2. Click the Create button.
    The New HTTP Class Profile screen opens.
  3. In the General Properties area, in the Name box, type a name for the application security class.
  4. In the Configuration area, leave all of the settings at the defaults.
  5. In the Actions area, for the Send To setting, select Pool.
    The screen refreshes, and you see additional settings.
  6. For the Pool setting, select the local traffic pool that you created.
  7. Click Finished.
    The system adds the class, the default web application, and the corresponding security policy to the configuration, and displays the HTTP Class Profiles list screen.

Note

In the Configuration utility, the application security class and the HTTP Class Profile are different labels for the same object. The difference between the two objects is that, for the application security class, the Application Security setting is enabled by default. If you disable the Application Security setting on an application security class, you effectively turn off application security for the associated web application.

Defining a local traffic virtual server

The next configuration step is to define a virtual server on the local area network. The virtual server processes the incoming traffic, which includes applying the application security class to incoming HTTP traffic.

Important

The following procedure outlines only the basic virtual server configuration. For detailed information on virtual servers, and other local traffic components, refer to the Configuration Guide for BIG-IP® Local Traffic Management, which is available on the AskF5 Technical Support web site, http://tech.f5.com.

To configure a virtual server

  1. On the Main tab of the navigation pane, expand Local Traffic, and then click Virtual Servers.
    The Virtual Servers list screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name box, type a name for the virtual server.
  4. In the Destination option, select Host, and type an IP address.
  5. In the Service Port box, type 80. Alternatively, you can select HTTP from the list.
  6. In the Configuration section, from the HTTP Profile list, select http.
  7. In the Resources section, for the HTTP Class Profiles setting, from the Available list, select the application security class that you created, and click the Move button (<<) to add the class to the Enabled list.
  8. Click Finished.
    The system updates the configuration, and the Virtual Server list screen opens, where you can see your newly created virtual server.

Important

For virtual servers that load balance resources for a web application that is protected by the Application Security Manager, you must configure an HTTP profile in addition to the application security class. Refer to steps 6 and 7 in the previous procedure.

Configuring the web application language

When you created the application security class, the Application Security Manager automatically created a default web application within the application security configuration. Before you can configure the corresponding security policy, you configure the language encoding for the web application. For more information on web applications and web application properties, see Chapter 4, Working With Web Applications.

To configure the web application properties

  1. On the Main tab of the navigation pane, expand Application Security, and then click Web Applications.
    The Web Application Groups screen opens.
  2. In the Name column, click a web application name.
    The Web Application Properties screen opens.
  3. For the Application Language setting, select the language encoding in which the web application is written.
  4. Leave the remaining settings at the default values.
  5. Click Update.
    The screen refreshes, and you see the web application properties and the security policies list for the web application.

Important

You set the language encoding the first time you open the Web Application Properties screen. You cannot change the language encoding once you set it.

Determining the required security level for the web application

Before you start configuring the security policy itself, you need to determine the security level that you want the security policy to enforce. This decision is based on several factors: the complexity of the web application, how often you update the web application, the business and site requirements for protecting the web application, and the resources available to maintain the security policy. All of these factors affect not only how long it takes to get the Application Security Manager configured initially, but also the amount of time it takes to maintain the system over time.

Important

We recommend that you configure a standard security policy first, to protect the web application against the most common known threats, and to familiarize yourself with the functionality of the Application Security Manager. This chapter describes the tasks to configure a standard security policy.

Understanding the security levels

By default, the Application Security Manager provides three security levels for security policies: standard, enhanced standard, and high security (APC). The security levels affect the granularity of the security policy, which in turn affects the manageability of the security policy. In addition to the default security levels, you can customize the security levels to meet the security requirements for your web application. For additional information on security levels, refer to Configuring the security level.

  • Standard
    The standard security level protects the general objects that make up the web application, based on the built-in security logic of the Application Security Manager. The standard security level applies a security policy that uses a more generic set of rules, and requires less setup and maintenance time than an enhanced standard or APC security policy.
  • Enhanced standard
    An enhanced standard level of security is based on the protection offered by a standard security policy, and uses a more granular level of security to protect a small subset of objects in the application.
  • High security (APC)
    The high security (APC) security level provides a more granular level of security for the web application. The APC security level can protect individual parameters within the application, their associated objects, and also any flows to or from the object. The APC security level requires a longer setup time, as the security policy configuration is more closely tied to specific, individual objects and parameters in the application.

Understanding positive security logic

The Application Security Manager operates on the principle of positive security logic. Positive security logic means that, when the security policy is in blocking mode, the security policy permits only known, legitimate traffic through to the web application. Compare this to negative security logic, which means that the web application is subjected to all traffic, except that which is known to be a threat because it matches the built-in negative logic criteria. By using positive security logic in addition to negative security logic, the Application Security Manager protects the web application against both known and unknown threats (also known as zero-day threats).

The biggest advantage of deploying web application security based on positive security logic is that it blocks all access to the web application except for legitimate, known traffic. There may be times, however, when the system blocks a request that is actually legitimate, in other words, generates a false positive alarm. False positive alarms may occur when the web application changes, or when the security policy does not yet account for the entire web application. When this happens, you must adjust the security policy settings accordingly, so that the security policy does not block that type of request. This is an iterative process, and may take several days or weeks.

The goal of testing and fine-tuning the security policy with trustworthy traffic is to eliminate the false positive alarms. Once you have accomplished this goal, you can gradually enable blocking mode for the security policy, and be confident that the right clients are able to access the web application, and the web application is protected from the myriad known and unknown threats.

Setting the active policy for the web application

Once you have configured the basic security policy, you set the security policy to active for the web application. The active security policy is the security policy that the Policy Enforcer applies to incoming requests. If some aspect of the request does not comply with the active security policy, the Policy Enforcer generates an alarm, and the Learning Manager generates a learning suggestion. See Configuring the active security policy and Setting the active policy for a web application for additional information.

To set the active policy for a web application

  1. On the Main tab of the navigation pane, expand Application Security, and then click Web Applications.
    The Web Applications list screen opens.
  2. Click a web application name.
    The Web Application Properties screen opens.
  3. In the Web Application Properties area, from the Active Security Policy list, select the security policy that you have been configuring.
  4. Click Update.
    The screen refreshes, and in the Security Policies List area, you see the Active icon next to the newly active security policy.

Important

The Application Security Manager requires you to set the active policy every time you change a property of a security policy. When a security policy has been changed in any way, you see the Modified icon next to the security policy name, in the Security Policies List.

Refining the security policy using the Learning process

The Learning process evaluates incoming requests for the web application, and if a request contains an entity that does not comply with the security policy, the Learning Manager generates a learning suggestion. You can then examine the learning suggestion to determine whether the entity that caused the learning suggestion should be part of the security policy. For more information on the Learning process, and learning suggestions, see Chapter 8, Refining the Security Policy Using Learning.

When all of the learning suggestions generated by the Learning Manager represent invalid requests, for example, requests for non-existent information, or automated scripting attacks, you are ready to transition the security policy into blocking mode. You can also use the data in the Statistics section of the Configuration utility to help you decide whether the security policy is ready to be put into blocking mode. These reports provide data on all violations, not just the violations that trigger learning suggestions. For more information on the Statistics reports, see Chapter 9, Working with the Statistics and Monitoring Tools.

Security policies can be as restrictive as you need, based on the potential threats and network traffic that the web application processes. For additional details and information about working with security policies, refer to Chapter 5, Working With the Security Policy.

Activating blocking mode on the security policy

You can activate blocking mode gradually, using the Blocking Policy screen. For example, you can enable the Block flag for only the Illegal HTTP format violation, so that the Application Security Manager blocks any request that does not comply with the HTTP protocol standards. When you gradually activate blocking, you can continue to refine the security policy. Once you have activated blocking for the relevant security policy violations, you can consider that any alarms that the Policy Enforcer reports are for potentially harmful traffic.

To activate blocking mode for a security policy

  1. On the Main tab of the navigation pane, expand Application Security, and then click Web Applications.
    The Web Applications list screen opens.
  2. Click a web application name.
    The Web Application Properties screen opens.
  3. In the Security Policies List area, click the name of the security policy for which you want to activate blocking.
    The Policy Properties screen opens.
  4. In the Policy Properties area, for the Security Level setting, click the Edit button.
    The Blocking Policy screen opens.
  5. Clear the Disable Blocking check box.
  6. In the remaining sections of the screen, clear or check the Block and Alarm check boxes as needed.
  7. Click Save.
    The system updates the security policy with any changes you made.
  8. To put the security policy changes into effect immediately, click the Apply Policy button near the top of the screen.
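The positive security logic described under Understanding positive security logic, the learning suggestions of the Refining section, and the gradual move from transparent to blocking mode in the procedure above, modelled as an added example (illustrative Python written for this page; not F5's code and not how the Application Security Manager is implemented): a policy is an allowlist of known file types, URLs and parameters, every violation raises an alarm, unknown entities produce learning suggestions, and a request is blocked only when Disable Blocking is cleared and the Block flag is set for a violation it raised. The names Policy, enforce, phased_rollout, the violation strings and the request lines are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Violation names mirror the chapter's wording; they are assumptions for this model.
ILLEGAL_HTTP_FORMAT = "Illegal HTTP format"
ILLEGAL_FILE_TYPE = "Illegal file type"
ILLEGAL_URL = "Illegal URL"
ILLEGAL_PARAMETER = "Illegal parameter"
ENTITY_VIOLATIONS = {ILLEGAL_FILE_TYPE, ILLEGAL_URL, ILLEGAL_PARAMETER}
# Minimal request-line grammar; anything else counts as an Illegal HTTP format.
REQUEST_LINE = re.compile(r"^(GET|POST) (/[^ ?]*)(?:\?([^ ]*))? HTTP/1\.[01]$")


@dataclass
class Policy:
    """Positive-security allowlist plus the per-violation Block flags."""
    file_types: set = field(default_factory=set)
    urls: set = field(default_factory=set)
    parameters: dict = field(default_factory=dict)    # url -> set of parameter names
    disable_blocking: bool = True                     # transparent mode while True
    block_flags: dict = field(default_factory=dict)   # violation -> Block flag set?
    alarms: list = field(default_factory=list)
    learning_suggestions: list = field(default_factory=list)


def violations_for(policy, request_line):
    """List the violations one (constructed) request line raises against the policy."""
    m = REQUEST_LINE.match(request_line)
    if not m:
        return [ILLEGAL_HTTP_FORMAT]
    path, query = m.group(2), m.group(3) or ""
    leaf = path.rsplit("/", 1)[-1]
    ext = leaf.rsplit(".", 1)[-1] if "." in leaf else "no_ext"
    found = []
    if ext not in policy.file_types:
        found.append(ILLEGAL_FILE_TYPE)
    if path not in policy.urls:
        found.append(ILLEGAL_URL)
    elif {p.split("=", 1)[0] for p in query.split("&") if p} - policy.parameters.get(path, set()):
        found.append(ILLEGAL_PARAMETER)
    return found


def enforce(policy, request_line):
    """Policy Enforcer: each violation raises an alarm (plus a learning suggestion for an
    unknown entity); block only in blocking mode and only if a Block flag is set for it."""
    found = violations_for(policy, request_line)
    for v in found:
        policy.alarms.append((v, request_line))
        if v in ENTITY_VIOLATIONS:
            policy.learning_suggestions.append((v, request_line))
    blocked = not policy.disable_blocking and any(policy.block_flags.get(v) for v in found)
    return ("block" if blocked else "forward"), found


def phased_rollout():
    """Phase one in transparent mode, then phase two blocking only Illegal HTTP format."""
    pol = Policy(file_types={"html", "no_ext"}, urls={"/index.html", "/login"},
                 parameters={"/login": {"user", "pass"}})
    a1, _ = enforce(pol, "GET /help.html HTTP/1.1")   # unknown URL: suggestion only
    pol.urls.add("/help.html")                         # operator accepts the suggestion
    pol.disable_blocking = False                       # clear "Disable Blocking"
    pol.block_flags[ILLEGAL_HTTP_FORMAT] = True        # set Block for one violation only
    a2, _ = enforce(pol, "GET /help.html HTTP/1.1")              # now complies
    a3, _ = enforce(pol, "GET /login?user=a&debug=1 HTTP/1.1")   # alarm, not blocked
    a4, _ = enforce(pol, "GARBAGE /login")                       # blocked
    return a1, a2, a3, a4, len(pol.learning_suggestions)
```

The unknown parameter in phase two is still only alarmed and suggested, which is the state the chapter describes: alarms that remain after the relevant Block flags are set are the ones worth treating as potentially harmful traffic.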

Tip


The Security Reports screen, in Statistics, is a very good resource when you are deciding whether a security policy is ready to put into blocking mode. This screen displays how many instances of a violation have occurred.

Maintaining and monitoring the security policy

The Application Security Manager provides many reporting and monitoring tools, so that you can view and analyze the violations that the system detects in the traffic through the web application. By actively using the monitoring tools, you can be assured that your web applications are fully protected.

To view the monitoring tools

  1. On the Main tab of the navigation pane, expand Application Security, and then click Statistics.
    The Events Monitoring screen opens.
  2. On the menu bar, select the statistics type that you want to view.
  3. On each screen, you can use the Filter option to customize and refine the reports.

For additional information and details about the monitoring tools, refer to Chapter 9, Working with the Statistics and Monitoring Tools.
