Manual Chapter: Working with the Application-Ready Security Policies

The Application Security Manager™ provides application-ready security policies that are preconfigured to address the security needs of specific enterprise applications. Application security templates create working security policies that can immediately increase the security of an application.
When you select an application-ready security policy, the system automatically populates the security policy with the entities and optimizations that are specific to the application. Application-ready security policies are available to create policies for web applications that use either the HTTP or the HTTPS protocol.
The Deployment wizard offers a quick and automated method for deploying a security policy for well-known enterprise applications. From the Deployment wizard, you select the manual deployment scenario, then choose the application-ready security policy for the application you want to protect. For more information on working with the Deployment wizard, refer to the BIG-IP® Application Security Manager™: Getting Started Guide.
When you use one of the application-ready security policies, the system builds the security policy in Transparent mode to allow you to review and fine-tune the security policy before it is enforced. After you see that the security policy does not produce any false positives, you can place the security policy in Blocking mode.
You also have the option of starting automated policy building, and having the Policy Builder add to the security policy based on examining the traffic. If you do, the security policy remains in Transparent mode until you set it to blocking. Refer to Stopping and starting automatic policy building for details on how to start the Policy Builder. For information on how to change the enforcement mode to blocking, see Configuring the enforcement mode.
The Rapid Deployment security policy is configured with a general set of security checks to minimize or eliminate false positives, and to reduce the complexity and length of the initial evaluation deployment period. By default, the Rapid Deployment security policy is in a globally transparent mode. You can enable blocking either globally or for individual security checks, as necessary. The Rapid Deployment security policy enables organizations to meet the majority of web application security requirements as outlined in PCI DSS v1.2 section 6, FISMA, HIPAA, and others.
When you use the Rapid Deployment security policy to create your security policy, the Application Security Manager automatically configures the following security optimizations:
Protection against data leakage in responses, for US Social Security Numbers, credit card numbers, and custom patterns
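The response-side data leakage check listed above, illustrated as an added Python example (not F5 code, and not how the Application Security Manager implements the check): it scans a constructed response body for US Social Security Number patterns, Luhn-valid credit card numbers and a caller-supplied custom pattern, then masks what it finds. The sample body, the account-number pattern and the helper names are assumptions made for the example.

```python
import re

# Constructed sample response body (not from the manual); all values are fake test data.
SAMPLE_RESPONSE = (
    "Customer record\n"
    "SSN: 078-05-1120\n"            # matches the SSN pattern
    "Card: 4111 1111 1111 1111\n"   # Luhn-valid test card number
    "Other: 4111 1111 1111 1112\n"  # card-shaped digit run that fails Luhn
    "Account: ACC-0042\n"           # custom pattern supplied by the caller
)

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_leaks(body: str, custom_patterns=()):
    """Return (kind, matched_text) for each sensitive value found in a response body."""
    hits = []
    for m in SSN_RE.finditer(body):
        hits.append(("ssn", m.group()))
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):     # only report checksum-valid card numbers
            hits.append(("credit_card", m.group()))
    for name, pattern in custom_patterns:   # e.g. ("account_id", r"ACC-\d{4}")
        for m in re.finditer(pattern, body):
            hits.append((name, m.group()))
    return hits


def mask_leaks(body: str, custom_patterns=()):
    """Replace each detected value with asterisks, keeping its last four characters."""
    for _, text in find_leaks(body, custom_patterns):
        body = body.replace(text, "*" * (len(text) - 4) + text[-4:])
    return body
```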
The ActiveSync application-ready security policies protect servers running Microsoft® ActiveSync® software, versions 1.0 or 2.0. Templates are available for both the HTTP and the HTTPS protocols.
ActiveSync is Microsoft's protocol for synchronizing mobile devices with the corporate Microsoft Exchange Server. Windows Mobile and iPhone® devices use ActiveSync to synchronize email, contacts, and calendar data.
When you use an ActiveSync security policy to create your security policy, the Application Security Manager automatically configures the optimal security policy to protect the ActiveSync application. It also configures attack signatures to detect application-specific attack patterns.
If you are using the ActiveSync security policy, you must perform the following tasks to create the security policy with the template:
Select the ActiveSync v1.0 v2.0 (http or https) security policy.
Note: If you are using OWA Exchange 2003 or 2007 with ActiveSync, select the OWA Exchange 2003/2007 with ActiveSync security policy.
The OWA Exchange 2003 application-ready security policies protect servers running Microsoft® Outlook® Web Access (OWA) software with Microsoft® Exchange Server 2003 software. The templates are available for both the HTTP and the HTTPS protocols.
Note: If you are creating a security policy for servers running Microsoft Exchange Server 2007 software, you should use the OWA Exchange 2007 security policy instead of this template. Refer to Using the OWA Exchange 2007 security policy, for more information.
When you use an OWA Exchange 2003 security policy to create your security policy, the Application Security Manager automatically configures the following optimizations to protect the Outlook Web Access application:
Attack signatures detect application-specific attack patterns, including a customized signature that detects attack patterns in Microsoft Internet Explorer® requests.
If you are using an OWA Exchange 2003 security policy, you must perform the following tasks to create the security policy with the template:
Select the OWA Exchange 2003 (http or https) security policy.
Note: If you are using OWA Exchange 2003 with ActiveSync, select the OWA Exchange 2003 with ActiveSync security policy.
The OWA Exchange 2007 application-ready security policies protect servers running Microsoft® Outlook® Web Access (OWA) software with Microsoft® Exchange Server 2007 software. Templates are available for both the HTTP and the HTTPS protocols.
Note: If you are creating a security policy for servers running Microsoft Exchange Server 2003 software, then you should use the OWA Exchange 2003 template instead of this template. Refer to Using the OWA Exchange 2003 security policy, for more information.
When you use an OWA Exchange 2007 security policy to create your security policy, the Application Security Manager automatically configures the following optimizations to protect the Outlook Web Access application:
Attack signatures detect application-specific attack patterns, including a customized factory signature that detects attack patterns in Internet Explorer requests.
If you are using an OWA Exchange 2007 security policy, you must perform the following tasks to create the security policy with the template:
Select the OWA Exchange 2007 (http or https) security policy.
Note: If using OWA Exchange 2007 with ActiveSync, select the OWA Exchange 2007 with ActiveSync security policy.
The SharePoint 2003 application-ready security policies protect servers running Microsoft® SharePoint® 2003 software. The templates are available for both the HTTP and the HTTPS protocols.
When you use a SharePoint 2003 security policy to create your security policy, the Application Security Manager automatically configures the following optimizations to protect the SharePoint application:
The illegal session ID in URL mechanism removes session ID information to prevent false-positive alarms for the Illegal URL violation.
If you are using the SharePoint 2003 security policy, you must perform the following tasks to create the security policy with the template:
Select the SharePoint 2003 (http or https) security policy.
The SharePoint 2007 application-ready security policies protect servers running Microsoft® SharePoint® 2007 software. The templates are available for both the HTTP and the HTTPS protocols.
When you use a SharePoint 2007 security policy to create your security policy, the Application Security Manager automatically configures the following optimizations to protect the SharePoint application:
If you are using the SharePoint 2007 security policy, you must perform the following tasks to create the security policy with the template:
Select the SharePoint 2007 (http or https) security policy.
The Lotus Domino 6.5 application-ready security policies protect servers running Lotus® Domino® software version 6.5.4. The templates are available for both the HTTP and the HTTPS protocols.
When you use a Lotus Domino 6.5 security policy to create your security policy, the Application Security Manager automatically configures the following optimizations to protect the Lotus Domino 6.5 application:
The illegal session ID in URL mechanism removes session ID information to prevent false-positive alarms for the Illegal URL violation.
If you are using the Lotus Domino 6.5 security policy, you must perform the following tasks to create the security policy with the template:
Select the Lotus Domino 6.5 (http or https) security policy.
The Oracle Applications 10g application-ready security policies protect servers running the Oracle® Applications 10g database software. The templates are available for both the HTTP and the HTTPS protocols.
When you use the Oracle Applications 10g security policy to create your security policy, the Application Security Manager automatically configures the following optimizations to protect the Oracle database application:
If you are using the Oracle Applications 10g security policy, you must perform the following tasks to create the security policy with the template:
Select the Oracle Applications 10g (http or https) security policy.
The Oracle Applications 11i application-ready security policies protect servers running the Oracle® Applications 11i database software. The templates are available for both the HTTP and the HTTPS protocols.
When you use the Oracle Applications 11i security policy to create your security policy, the Application Security Manager automatically configures the following optimizations to protect the Oracle database application:
If you are using the Oracle Applications 11i security policy, you must perform the following tasks to create the security policy with the template:
Select the Oracle Applications 11i (http or https) security policy.
The PeopleSoft Portal 9 application-ready security policies protect servers running the PeopleSoft Portal 9 database software. The templates are available for both the HTTP and the HTTPS protocols.
When you use the PeopleSoft Portal 9 security policy to create your security policy, the Application Security Manager automatically configures the following optimizations to protect the database application:
If you are using the PeopleSoft Portal 9 security policy, you must perform the following tasks to create the security policy with the template:
Select the PeopleSoft Portal 9 (http or https) security policy.
The SAP NetWeaver application-ready security policies protect servers running the SAP NetWeaver® 7 software. The templates are available for both the HTTP and the HTTPS protocols.
When you use an SAP NetWeaver security policy to create your security policy, the Application Security Manager automatically configures the following optimizations to protect the SAP NetWeaver application:
If you are using the SAP NetWeaver security policy, you must perform the following tasks to create the security policy with the template:
Select the SAP NetWeaver 7 (http or https) security policy.
You can select the WhiteHat Sentinel Baseline application-ready security policy if you are deploying with the WhiteHat Sentinel Scanner software. WhiteHat Sentinel, integrated with Application Security Manager, provides scanning technology that identifies, manages, and remediates website vulnerabilities.
When you use the WhiteHat Sentinel Baseline security policy to create your security policy, the Application Security Manager automatically configures a baseline security policy to work with WhiteHat Sentinel. Through integration with Application Security Manager, the WhiteHat Sentinel service can configure security policy rules to protect against vulnerabilities discovered in a web application.
With the WhiteHat Sentinel Baseline security policy, you can protect applications against cross-site scripting, SQL injection, predictable resource location, command injection, XPath injection, path traversal, and HTTP response splitting.
If you are using the WhiteHat Sentinel Baseline security policy, you must perform the following tasks to create the security policy:
Select the WhiteHat Sentinel Baseline security policy.
In the WhiteHat Sentinel user interface, review the vulnerabilities on the Details screen and update the Application Security Manager security policy to mitigate the found vulnerabilities.
If you have an existing security policy protecting a web application, a WhiteHat-baseline security policy is created automatically when you select that web application in the firewall area of the WhiteHat Sentinel user interface. F5 Networks recommends that you use the WhiteHat-baseline security policy to protect the application.
Managing large file uploads when using the application-ready security policies
The web applications for which you can use one of the application-ready security policies to configure a security policy frequently receive large file uploads (files larger than 10 MB). As a result, clients that should not be blocked may be blocked because of these large uploads. You can resolve this issue by disabling the Block flag for the security policy violation Request length exceeds defined buffer size. When blocking is disabled for this violation, the Security Enforcer still inspects the headers of the associated request but ignores the file upload itself.
1. In the navigation pane, expand Application Security and click Policy. The Policy Properties screen opens.
2. From the Blocking menu, choose Settings. The Blocking Policy screen opens.
4. In the Configuration area, ensure that the Enforcement Mode setting has the Blocking option enabled.
Note: You can change the Block flags only when the enforcement mode is Blocking.
5. In the Access Violations area, locate the Request length exceeds defined buffer size violation, and in the Block column, clear the Block check box.
6. Click the Save button to save any changes you may have made on this screen.
7. To put the security policy changes into effect immediately, click the Apply Policy button in the editing context area.