Manual Chapter: Building a Security Policy Automatically

Application Security Manager™ automates the process of creating a security policy to protect a web application. The system must be set up in a networking environment, and be capable of handling traffic to the application.
Set up the security policy
First, you use the Deployment wizard to perform initial configuration of a security policy for a web application. Either the Production Site or the QA Lab deployment will initiate automated policy building. You select a policy type to determine which elements to include in the security policy and how to set the rule thresholds. The BIG-IP® Application Security Manager™: Getting Started Guide describes in detail how to use the Deployment wizard.
Let the system automatically add entities to the security policy
When the Deployment wizard finishes and traffic is flowing to the application, the system starts the Real Traffic Policy Builder™, the automated policy building tool. The Policy Builder examines requests and responses, populates the security policy with legitimate security policy elements (file types, URLs, parameters, and so on), and puts them in staging if traffic (requests and responses) has the same policy elements, from many sources, over a period of time. If many users encounter the same violations, the violations are likely to be false positives, and the Policy Builder disables the relevant violations or attack signatures.
Let the system stabilize the security policy
The security policy stabilizes after the system analyzes sufficient traffic, from different sessions, over a period of time. Policy elements are moved out of staging and enforced as they meet the rule thresholds for stabilization.
Let the system track site changes and update the policy
If the web application changes, the Policy Builder makes the necessary adjustments, and puts the new element in staging. Once stability is reached again, the Policy Builder once again takes elements out of staging and stabilizes the security policy.
Review the automatic policy building status
On the Automatic Policy Building Status screen, you can review the current status of the security policy, see the policy elements that were added, and view details about the elements and violations listed. If you want more control, you can enforce parts of the security policy from the status screen. The system logs all changes that you or the Policy Builder make to the security policy.
You use the Automatic Policy Building Configuration screen to configure and monitor automatic policy building. The features and settings discussed in this chapter relate directly to the different settings in various areas of the screen.
Application Security Manager completely configures the automated policy building settings according to the selections you make when using the Deployment wizard. Configuring these settings may not be necessary in your environment. You can review the settings, and change them if needed.
There are two levels of automated policy building settings: basic and advanced. The basic settings are sufficient for most installations, and require less work. The advanced level allows you to view and change all of the configuration settings if you need further control over security policy details.
Figure 5.1 shows an Automatic Policy Building Configuration screen with the basic settings.
1.
In the navigation pane, expand Application Security and click Automatic Policy Building.
The Automatic Policy Building Configuration screen opens.
2.
In the editing context area, ensure that the edited web application and security policy are those that you want to update.
3.
For Automatically Build Policy, check the Enabled box if it is not already checked.
The screen refreshes and displays more options.
4.
For Policy Type, select the type of security policy you want to create:
Fundamental provides granularity sufficient for most organizations creating a generalized security policy that is easy to maintain. This policy type includes HTTP protocol compliance, evasion techniques, file types and lengths, attack signatures, and the request length exceeds predefined buffer size violation. This is the default setting.
Enhanced provides additional granularity and security features suited for customers with higher (and, typically, specific) security needs. This policy type includes all elements in the Fundamental policy type, and also includes parameters and lengths (global level), cookies, and methods.
Complete provides the most granular definitions, includes all security features, and is suited for advanced users or customers with extreme security needs. This policy type includes all elements in the Enhanced policy type, and adds URLs and meta characters, parameters (meta characters and URLs), and dynamic parameters (using statistics). This security policy typically takes longer to deploy.
5.
For Rules, move the slider to change the thresholds of the rules for the security policy:
Loose
Builds a security policy using lower threshold values for the rules so they are likely to meet the thresholds more quickly; for example, this setting is useful for smaller web sites with less traffic. Selecting this value may result in more false positives or create a less accurate security policy.
Middle
Builds a security policy using higher threshold values for the rules. This is the default setting and is recommended for most sites.
Tight
Builds a security policy using even higher thresholds for the rules, so it takes longer to meet them; for example, this setting is useful for large web sites with lots of traffic. Selecting this value may produce fewer false positives and create a more accurate security policy.
6.
If you changed any of the settings, click Save.
When traffic is flowing to the application, the system examines requests and responses and begins to build the security policy. This is all you are required to configure unless you want to examine the advanced configuration options. Skip to Viewing the automatic policy building status, for what to do next.
If you want to review the configuration details of the Policy Builder, you can use the advanced automated policy building settings.
Figure 5.2 shows the Automatic Policy Building Configuration screen with the advanced settings.
1.
In the navigation pane, expand Application Security and click Automatic Policy Building.
The Automatic Policy Building Configuration screen opens.
2.
In the editing context area, ensure that the edited web application and security policy are those that you want to update.
3.
For Automatically Build Policy, check the Enabled box if it is not already checked.
The screen refreshes and displays more options.
4.
To display all configuration options, above the Automatically Build Policy area, select Advanced.
The screen displays the advanced configuration details of the Policy Builder.
5.
Review the settings and modify them as needed. Refer to the online help or the following procedures for more information:
The policy type determines which security policy elements are included in the security policy. When you create a security policy, you can select one of the following policy types:
Fundamental provides security at a level that is appropriate for most organizations, creating a robust security policy, which is highly maintainable and quick to configure. This is the default setting. This policy type includes HTTP protocol compliance, evasion techniques, file types and lengths, attack signatures, and the request length exceeds predefined buffer size violation.
Enhanced provides extra customization, creating a security policy with more granularity. This policy type includes all elements in the Fundamental policy type, and adds parameters and lengths (global level), cookies, and methods.
Complete provides an even higher level of customization, creating a security policy with more granularity, but may take longer to configure. This policy type includes all elements in the Enhanced policy type, and adds URLs and meta characters, parameters (meta characters and URLs), and dynamic parameters (using statistics).
Custom provides the level of security that you specify when you adjust which security policy elements are included in the security policy. The policy type changes to Custom if you change the values from one of the built-in types.
You can change the policy type on the Automatic Policy Building Configuration screen if you want to include a different set of security policy elements in the security policy.
1.
In the navigation pane, expand Application Security and click Automatic Policy Building.
The Automatic Policy Building Configuration screen opens.
2.
In the editing context area, ensure that the edited web application and security policy are those that you want to update.
3.
For Automatically Build Policy, check the Enabled box if it is not already checked.
The screen refreshes and displays more options.
4.
For Policy Type, select a different type.
The selected security policy elements and options change depending on the policy type you choose.
5.
Click Save to save your changes.
Table 5.1 lists each of the security policy elements listed in the Automatic Policy Building configuration, describes what the Policy Builder does when each element is enabled, and shows which policy type enables the element.
Table 5.1 Security policy elements in automatic policy building (the policy types that enable each element are shown in parentheses)
HTTP Protocol Compliance (Fundamental, Enhanced, Complete)
Configures the security policy to enable or disable validation checks that ensure HTTP requests are formatted properly.
Evasion Techniques (Fundamental, Enhanced, Complete)
Configures the security policy to detect evasion techniques and perform normalization processes on URI and parameter input.
File Types (Fundamental, Enhanced, Complete)
Configures the security policy to add the explicit file types used by the application.
File Types > Lengths (Fundamental, Enhanced, Complete)
Constructs the security policy to configure length limitations per file type, based on legitimate web application traffic.
If you select Lengths but not File Types, the Policy Builder sets the lengths based on the wildcard (*) file type.
Attack Signatures (Fundamental, Enhanced, Complete)
Configures the security policy to enable or disable attack signatures.
URLs (Complete)
Configures the security policy to add allowed URLs, based on legitimate traffic.
URLs > Meta Characters (Complete)
Configures the security policy to add allowed meta characters for wildcard URLs, based on legitimate traffic.
If you select Meta Characters but not URLs, the Policy Builder configures the meta characters based on the wildcard (*) URLs for both HTTP and HTTPS.
Parameters (Enhanced, Complete)
Constructs the security policy to add allowed parameters, based on legitimate traffic.
Parameters > Value Lengths (Enhanced, Complete)
Constructs the security policy to limit every parameter's length, based on legitimate traffic.
If you select Value Lengths but not Parameters, the Policy Builder adds a parameter (*) wildcard to the security policy and defines its length properties.
Parameters > Value Meta Characters (Complete)
Constructs the security policy to add allowed meta characters in parameter values.
If you select Value Meta Characters but not Parameters, the Policy Builder adds a parameter (*) wildcard to the security policy and defines allowed meta characters in parameter values.
Parameters > Name Meta Characters (Complete)
Constructs the security policy to add allowed meta characters in parameter names for wildcard parameters.
If you select Name Meta Characters but not Parameters, the Policy Builder adds a parameter (*) wildcard to the security policy and defines allowed meta characters in parameter names.
Cookies (Enhanced, Complete)
Constructs the security policy to add allowed cookies, based on legitimate traffic.
Methods (Enhanced, Complete)
Constructs the security policy to add allowed methods, based on legitimate traffic.
Request Length Exceeds Predefined Buffer Size violation (Fundamental, Enhanced, Complete)
Constructs the security policy to enable or disable the Request length exceeds predefined buffer size violation.
Note that the list in Table 5.1 includes only the violations and checks that are relevant for automatic security policy building. The Application Security Manager includes many other security features that are not part of automatic policy building, such as response scrubbing using Data Guard™, described in Chapter 6, and anomaly detection, described in Chapter 7.
Security policy elements, such as file types, URLs, evasion technique violations, and so on, form the basis of the security policy that the automatic policy building process is creating. The selected security policy elements are the ones that the Policy Builder configures into the security policy based on legitimate web application traffic.
Each policy type enables a different granularity of policy elements. Refer to Table 5.1, for a list of policy elements, descriptions of each, and which policy elements are included in each policy type. For example, Figure 5.3 shows the security policy elements that are selected when you select the Fundamental policy type on the Automatic Policy Building Configuration screen.
For file types, URLs, and parameters, if you check the boxes under the element but not the element itself, the system adds a wildcard for the main element and learns the properties you selected.
1.
In the navigation pane, expand Application Security and click Automatic Policy Building.
The Automatic Policy Building Configuration screen opens.
2.
In the editing context area, ensure that the edited web application and security policy are those that you want to update.
3.
For Automatically Build Policy, check the Enabled box if it is not already checked.
The screen refreshes and displays more options.
4.
To display all configuration options, next to Automatically Build Policy, select Advanced.
5.
For Include the following Security Policy Elements, select the security policy entities (or violation) that you want the Policy Builder to automatically configure when building the security policy.
Note: For file types, URLs, and parameters, you can check the boxes under the element but not the element itself to add a wildcard. For details on the policy elements, see Table 5.1.
6.
Click Save to save your changes.
The Application Security Manager sets the automatic policy building options. These options determine what type of entities the Policy Builder adds to the security policy. You can change the values of the options.
If the web application contains dynamic parameters, you can configure the Policy Builder to identify them. Dynamic parameters are parameters whose sets of accepted values can change, and usually depend on the user session. For more information on dynamic parameters, refer to Working with dynamic parameters and extractions.
The options also let you simplify your security policy by collapsing similar specific entities into one global entity. After a specified number of occurrences (10 by default), the system can combine:
Figure 5.4 shows the Options area of the Automatic Policy Building screen.
1.
In the navigation pane, expand Application Security and click Automatic Policy Building.
The Automatic Policy Building Configuration screen opens.
2.
In the editing context area, ensure that the edited web application and security policy are those that you want to update.
3.
To display all configuration options, next to Automatically Build Policy, select Advanced.
4.
In the Options area, for Parameter Level, select how to add parameters to the security policy:
Tip: Both options are available only when both Parameters and URLs are selected in the security policy elements.
5.
Specify whether you want the Policy Builder to add dynamic parameters to the security policy, and if so, where to get them from:
If you do not want to include dynamic parameters, make sure both of the dynamic parameters check boxes are cleared, and skip to step 7.
To extract dynamic parameters from file types, make sure both the File Types and Parameters policy elements are already selected in the Security Policy Elements area.
To extract dynamic parameters from URLs, make sure the URLs and Parameters policy elements are selected. Selecting File Types, Parameters, and URLs also extracts dynamic parameters from URLs.
6.
To configure the conditions under which the Policy Builder adds dynamic parameters to the security policy, for Dynamic Parameters, perform the following tasks, as needed:
To add all hidden form input parameters from the application as dynamic parameters, check the All Hidden Fields box.
To identify dynamic parameters from statistics on the values observed in traffic:
a) Check the Using statistics box. This box is checked by default.
b) Type the number of unique value sets that must be seen for a parameter for the system to consider it a dynamic content value. The default value is 10.
To specify the number of days the parameter must remain unstable before it changes into a user-input parameter, type a number in the box. The default value is 7 days.
Note: This number must be greater than the number of days specified in the Stabilize (Tighten) rule, or dynamic parameters will not have enough time to stabilize. For details, see Modifying automatic policy building rules.
7.
To simplify your security policy by combining common specific settings into a more global setting, for Collapse to Global, type the number of occurrences after which settings are combined.
8.
For Learn from traffic with the following HTTP Response Status Codes, type the response codes you want to add (for example, add specific codes like 304 or a class of codes like 3xx).
The Policy Builder extracts information from traffic based on transactions that return only those HTTP response status codes.
Tip: Normally, the Policy Builder learns only from legitimate traffic, so you should add response codes that are returned under normal usage conditions for your application.
Examples of entries:
1xx: all informational responses (the request was received; continuing to process it).
2xx: all successful responses (the request was received, understood, accepted, and processed successfully).
Specific codes, such as 100, 306, 400, or 404.
Refer to the Hypertext Transfer Protocol -- HTTP/1.1 specification (RFC 2616) for the definitions of the status codes.
9.
For Maximum Security Policy Elements, if needed, adjust the maximum number of elements that can be added to the security policy:
File Types (the default value is 250)
URLs (the default value is 10000)
Parameters (the default value is 10000)
Allowed Modified Cookies (the default value is 100)
If the Policy Builder reaches the limit, it stops adding that type of security policy element. If this happens, you may need to intervene:
If the web site requires more than the maximum number of elements, you must increase the limits.
If the site includes a dynamic element that the Policy Builder cannot learn (such as dynamic sessions in URL or dynamically generated parameter names), either configure the security policy to include the element (for example, dynamic sessions in URL), or clear the element type. The Policy Builder should not be configured to learn that element type in such an environment.
10.
For File Types for which wildcard URLs will be configured, add the file types for which the Policy Builder adds a wildcard URL instead of adding an explicit URL. Common file types are included by default.
Tip: This setting is usually used for static content, such as images, for which a granular policy including every URL is not needed. For example, the Policy Builder adds the wildcard *.[Jj][Pp][Gg] instead of image1.jpg, image2.jpg, and image3.jpg.
11.
Click Save to save your changes.
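The following Python sketch is an added illustration (not F5 code) of how the Options settings described in this procedure filter what one transaction contributes: the response status code list (specific codes or classes such as 3xx), the case-insensitive wildcard URL added for static file types, the maximum element limits, and the Using statistics rule for dynamic parameters. All setting values, the sample URLs, the parameter names and the "no_ext" label for extension-less requests are constructed for the example rather than taken from the product.

```python
"""Sketch of the learning filters in the Options area: response status code
list, wildcard URLs for static file types, maximum element limits, and the
statistics-based dynamic parameter rule. Sample settings are assumptions."""
import re
from fnmatch import fnmatchcase
from urllib.parse import parse_qsl, urlsplit

LEARN_CODES = ["1xx", "2xx", "304"]              # specific codes or classes
WILDCARD_FILE_TYPES = {"jpg", "gif", "png", "css", "js"}
MAX_ELEMENTS = {"file_types": 250, "urls": 10000, "parameters": 10000}
DYNAMIC_VALUE_SETS = 10                          # 'Using statistics' default


def status_code_learnable(code, learn_codes=LEARN_CODES):
    """True if a response code is in the learn list: '304' is exact, '3xx'
    covers every 3nn code. Transactions outside the list are not learned from."""
    for entry in learn_codes:
        entry = entry.strip().lower()
        if re.fullmatch(r"[1-5]xx", entry) and code // 100 == int(entry[0]):
            return True
        if entry.isdigit() and int(entry) == code:
            return True
    return False


def wildcard_url_for_file_type(file_type):
    """Case-insensitive wildcard URL for a static type: 'jpg' -> '*.[Jj][Pp][Gg]'."""
    return "*." + "".join(f"[{c.upper()}{c.lower()}]" if c.isalpha() else c
                          for c in file_type)


def file_type_of(path):
    """Extension of the last path segment, lowercased ('' when there is none)."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def dynamic_days_consistent(dynamic_unstable_days, stabilize_days):
    """The note in step 6: the unstable period must exceed the Stabilize rule's days."""
    return dynamic_unstable_days > stabilize_days


class LearningSketch:
    def __init__(self, max_elements=None, dynamic_value_sets=DYNAMIC_VALUE_SETS):
        self.max_elements = dict(max_elements or MAX_ELEMENTS)
        self.dynamic_value_sets = dynamic_value_sets
        self.file_types, self.urls, self.parameters = set(), set(), set()
        self.limit_reached = set()     # element kinds the builder stopped adding
        self.value_sets = {}           # parameter name -> distinct value sets seen

    def _add(self, kind, store, value):
        if value in store:
            return "known"
        if len(store) >= self.max_elements[kind]:
            self.limit_reached.add(kind)      # builder stops adding this kind
            return "limit"
        store.add(value)
        return "added"

    def learn(self, url, status):
        """Elements one transaction contributes, as (kind, element, result) tuples."""
        if not status_code_learnable(status):
            return [("skipped", str(status), "status not in learn list")]
        parts = urlsplit(url)
        ext = file_type_of(parts.path)
        ft = ext or "no_ext"           # constructed label for extension-less requests
        out = [("file_types", ft, self._add("file_types", self.file_types, ft))]
        # Static content collapses into one wildcard URL per file type.
        url_elem = (wildcard_url_for_file_type(ext) if ext in WILDCARD_FILE_TYPES
                    else parts.path)
        out.append(("urls", url_elem, self._add("urls", self.urls, url_elem)))
        for name, _ in parse_qsl(parts.query, keep_blank_values=True):
            out.append(("parameters", name,
                        self._add("parameters", self.parameters, name)))
        return out

    def url_allowed(self, path):
        """Enforced check: an explicit URL or a wildcard URL must match."""
        return path in self.urls or any(
            fnmatchcase(path, w) for w in self.urls if w.startswith("*"))

    def observe_value_set(self, name, values):
        """'Using statistics': record the set of values the application offered
        for a parameter (e.g. one response's select list). Returns True once the
        number of distinct value sets reaches the threshold, i.e. the parameter
        is treated as dynamic content."""
        self.value_sets.setdefault(name, set()).add(frozenset(values))
        return len(self.value_sets[name]) >= self.dynamic_value_sets
```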
During automatic policy building, the Policy Builder builds security policies in three stages. These stages correspond to the three settings in the Rules area of the Automatic Policy Building Configuration screen. Rules in each stage determine when an element in the security policy moves from one stage to the next. The rules have different values depending on whether the traffic comes from a trusted or untrusted source.
Accept as Legitimate (Loosen)
During this stage, the Policy Builder identifies legitimate application usage based on seeing repeated behavior from sufficient traffic, over a period of time. The system updates the security policy accordingly. Based on wildcard matches, Policy Builder adds the legitimate policy entities (putting most into staging to learn their properties), and disables violations that are probably false positives.
For example, when the Policy Builder sees the same file type, URL, parameter, or cookie from enough different user sessions over time, then it adds the entity to the security policy.
Stabilize (Tighten)
During this stage, the Policy Builder tightens the security policy elements when the rate of security policy changes stabilizes. For example, the Policy Builder enforces an entity type after it records a sufficient number of unique requests and sessions, over a sufficient length of time since the last time an explicit file type, URL, or parameter was added to the security policy.
Similarly, the Policy Builder enforces the entity's attributes (takes them out of staging) after it records a sufficient number of unique requests and sessions, over a sufficient length of time for a particular file type, URL, or parameter since the last time the entity's attributes or settings were updated.
When the traffic to the application no longer includes new elements that need to be added to the security policy and the Policy Builder has enforced the policy elements, the security policy is considered stable and its progress reaches 100%.
Track Site Changes
If a request causes a violation, the Policy Builder looks for changes to the web site. If the Policy Builder discovers changes, it logs the change (Site change detected) and temporarily loosens the security policy to make the necessary adjustments. When the Policy Builder stabilizes the added elements, it retightens the security policy.
Although it is not recommended, you can disable the Track Site Changes option. If you do, when the security policy progress reaches 100% stability, the system disables automatic policy building. The security policy is not updated unless you manually change it, or restart automatic policy building by re-enabling the Track Site Changes option.
Figure 5.5 shows the Rules area of the Automatic Policy Building Configuration screen.
Advanced users can view and change the conditions under which the Policy Builder modifies the security policy during any of the three stages. Changing the values in any of the rules (to values not matching any of the built-in levels) also changes the Rules slider to say Custom (instead of Loose, Middle, or Tight).
Note: We recommend that only advanced users change the automatic policy building rule settings. F5 advises using the default values in most cases.
1.
In the navigation pane, expand Application Security and click Automatic Policy Building.
The Automatic Policy Building Configuration screen opens.
2.
In the editing context area, ensure that the edited web application and security policy are those that you want to update.
3.
To display all configuration options, next to Automatically Build Policy, select Advanced.
4.
For Rules, move the slider to change the thresholds of the rules for the security policy:
Loose
Builds a security policy quickly based on fewer requests; for example, useful for smaller web sites with less traffic.
Middle
Builds a security policy based on a medium number of requests. This is the default setting.
Tight
Builds a security policy based on a large number of requests; for example, useful for large web sites with lots of traffic.
5.
For the Accept as Legitimate (Loosen) rule, adjust the number of sessions, and the amount of time that must pass for the Policy Builder to accept and learn a security policy change from traffic.
In this stage of security policy building, the Policy Builder adds entities, configures attributes (such as lengths and meta characters), places entities in staging mode, and disables violations.
6.
For the Stabilize (Tighten) rule, adjust the number of requests, the number of sessions, and the amount of time that must pass for the Policy Builder to stabilize the security policy elements.
Stabilizing a security policy element may mean tightening it by deleting wildcard entities, removing entities from staging, and enforcing violations that did not occur.
7.
For the Track Site Changes rule:
a)
The Enable Track Site Changes check box is selected by default. This box must remain checked if you want the Policy Builder to quickly loosen the security policy if changes to the web application cause violations.
b)
Adjust the number of sessions, and the amount of time that must pass for the Policy Builder to update the security policy.
In this stage of security policy building, the Policy Builder adds wildcard entities, places entities in staging mode, and disables violations.
8.
Click Save to save your changes.
You can configure a set of trusted IP addresses for clients that the Policy Builder considers safe in the Trusted IP addresses area of the Automatic Policy Building Configuration screen.
The Policy Builder processes traffic from trusted clients differently than traffic from untrusted clients. For clients with trusted IP addresses, the rules are configured so that the Policy Builder requires less traffic (by default, only 1 user session) to update the security policy with entity or other changes. It takes more traffic from untrusted clients to change the security policy (given the default values).
Figure 5.6 shows the default Accept as Legitimate (Loosen) area of the Automatic Policy Building Configuration screen, configured for a fundamental security policy set to medium strictness. You can see that different values apply to trusted and untrusted traffic.
Refer to Modifying automatic policy building rules, to learn more about how the rules affect the security policy.
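The three stages described above, together with the trusted/untrusted distinction, can be modelled as a small state machine; the Python below is an added illustration, not F5 code. Its threshold values (sessions, requests, hours since the last change), the trusted network and the sample client addresses and sessions are made up for the example and are not the product's defaults; an entity passes a stage as soon as either source class meets its own thresholds.

```python
"""Toy model of the Accept as Legitimate, Stabilize and Track Site Changes
stages with separate thresholds for trusted and untrusted sources (time in hours)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    sessions: int    # distinct user sessions that must be seen
    requests: int    # requests that must be seen
    hours: float     # time that must pass since the entity's last change

# Assumed values: trusted clients need only 1 session (the text's default);
# the untrusted numbers are illustrative and far below a real configuration.
ACCEPT = {"trusted": Rule(1, 1, 0.0), "untrusted": Rule(3, 3, 1.0)}
STABILIZE = {"trusted": Rule(1, 1, 0.0), "untrusted": Rule(5, 10, 2.0)}
TRACK_CHANGES = {"trusted": Rule(1, 1, 0.0), "untrusted": Rule(3, 3, 0.5)}


def is_trusted(client_ip, trusted_networks):
    """Trusted IP Addresses area: address/netmask entries."""
    ip = ip_address(client_ip)
    return any(ip in ip_network(net, strict=False) for net in trusted_networks)


@dataclass
class Counters:
    sessions: set = field(default_factory=set)
    requests: int = 0
    since: float = 0.0     # hour of the entity's last change

    def reset(self, t):
        self.sessions, self.requests, self.since = set(), 0, t

    def meets(self, rule, t):
        return (len(self.sessions) >= rule.sessions and self.requests >= rule.requests
                and t - self.since >= rule.hours)


@dataclass
class Entity:
    name: str
    state: str = "learning"      # learning -> staging -> enforced
    counts: dict = field(default_factory=lambda: {"trusted": Counters(), "untrusted": Counters()})
    log: list = field(default_factory=list)


class PolicyBuilderModel:
    def __init__(self, trusted_networks, track_site_changes=True):
        self.trusted_networks = list(trusted_networks)
        self.track_site_changes = track_site_changes
        self.entities = {}

    def _count(self, e, session, client_ip):
        src = "trusted" if is_trusted(client_ip, self.trusted_networks) else "untrusted"
        e.counts[src].sessions.add(session)
        e.counts[src].requests += 1

    def _rule_met(self, e, rules, t):
        # Either source class reaching its own thresholds is enough.
        return any(c.meets(rules[src], t) for src, c in e.counts.items())

    def _transition(self, e, state, t, msg):
        e.state = state
        for c in e.counts.values():
            c.reset(t)               # counting restarts at the last change
        e.log.append(f"{t:.1f}h {msg}")

    def observe(self, name, session, client_ip, t):
        """A legitimate request referencing entity `name` at hour t; returns its state."""
        e = self.entities.get(name)
        if e is None:
            e = self.entities[name] = Entity(name)
            self._transition(e, "learning", t, f"first seen {name}")
        if e.state == "enforced":
            return e.state
        self._count(e, session, client_ip)
        if e.state == "learning" and self._rule_met(e, ACCEPT, t):
            self._transition(e, "staging", t, f"added {name} to the policy (staging)")
        elif e.state == "staging" and self._rule_met(e, STABILIZE, t):
            self._transition(e, "enforced", t, f"enforced {name}")
        return e.state

    def update_attribute(self, name, t):
        """An attribute update (e.g. a new learned length) restarts the Stabilize clock."""
        e = self.entities[name]
        if e.state == "staging":
            self._transition(e, "staging", t, f"attributes of {name} updated")

    def violation(self, name, session, client_ip, t):
        """Track Site Changes: enough violating sessions on an enforced entity loosen it again."""
        e = self.entities[name]
        if e.state != "enforced" or not self.track_site_changes:
            return e.state
        self._count(e, session, client_ip)
        if self._rule_met(e, TRACK_CHANGES, t):
            self._transition(e, "staging", t, f"Site change detected: {name}")
        return e.state

    def progress(self):
        """Percentage of entities enforced; 100 means the policy is considered stable."""
        done = sum(e.state == "enforced" for e in self.entities.values())
        return round(100 * done / max(len(self.entities), 1))
```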
1.
In the navigation pane, expand Application Security and click Automatic Policy Building.
The Automatic Policy Building Configuration screen opens.
2.
In the editing context area, ensure that the edited web application and security policy are those that you want to update.
3.
To display all configuration options, next to Automatically Build Policy, select Advanced.
4.
In the Trusted IP Addresses area, for IP Addresses, specify which IP addresses to consider safe:
To add specific IP addresses or networks, select Address List, type the IP address and netmask, then click Add.
The IP address or network range is added to the list. Add as many trusted IP addresses as needed.
5.
Click Save to save your changes.
If you change the configuration settings and decide that you want to return them to the system default values, you can change the policy type or use the Restore Defaults button.
1.
In the navigation pane, expand Application Security and click Automatic Policy Building.
The Automatic Policy Building Configuration screen opens.
2.
In the editing context area, ensure that the edited web application and security policy are those that you want to update.
3.
To display all configuration options, next to Automatically Build Policy, select Advanced.
4.
For Policy Type, select the type of policy for which you want the default values.
The screen refreshes and displays the default values for the policy type you selected.
5.
Click Save to save the default configuration.
You can also click the Restore Defaults button at the bottom of the Automatic Policy Building Configuration screen. If you do, the system refreshes and displays the default values for the Fundamental policy type.
You can review the current state of the security policy by looking at the Automatic Policy Building Status screen. A progress bar shows approximately how close the security policy is to becoming stable. You can see a summary of the number of file types, URLs, parameters, and cookies that were added to the security policy.
If you want to understand more about what is happening in the security policy, you can use the Status screen to delve into the details of each policy element. You can override the automatic policy building process and change the security policy before sufficient traffic, sessions, or time has passed.
1.
In the navigation pane, expand Application Security, point to Automatic Policy Building, then click Status.
The Automatic Policy Building Status screen opens.
2.
In the editing context area, ensure that the edited web application and security policy are those for which you want to view the status.
3.
To view the number of policy elements that are in the current security policy, review the Policy Elements Learned area. Click the number in the Elements column to examine the specific elements for any entity type.
4.
In the Details area, click the expand buttons to show details about the security policy elements. You can make changes to the security policy, if you want, as follows:
In the details for HTTP Protocol Compliance, Evasion Techniques Detected, and Request Length Exceeds Predefined Buffer Size, click Enable to enforce a check or violation immediately, overriding the rules for adding them.
In the stability details for File Types, URLs, Parameters, Allowed Cookies, and Methods, click Enforce to enforce the entity by deleting the entity wildcard (*) from the security policy.
In the learning details for File Types, URLs, Parameters, Allowed Cookies, and Methods, click Accept to immediately add specific entities to the security policy, even though they have not met the rules to be accepted as legitimate.
In the Staging details for File Types, URLs, and Parameters, click Enforce to remove a specific entity from staging, and start enforcing its setting or attributes.
In the Signature stability details for Attack Signatures, click Enforce to remove all signatures from staging and enforce them.
In the learning details for Attack Signatures, you can see the list of signatures that the system detected, and which may be false positives. Click Disable to remove a signature from staging and disable it.
Figure 5.7 shows the Automatic Policy Building Status screen for a security policy that is still adding policy elements, and is about 25% stabilized. The security policy was developed for trusted traffic, and includes 7 file types, 25 URLs, 32 parameters, and 2 cookies.
When you use automatic policy building, the Policy Builder can update the security policy as needed, for example, if changes occur on the application web site. You can stop automatic policy building at any time, such as when the security policy stabilizes, and you think the web application will not change for a while.
For security policies that were created using one of the manual methods or imported from an earlier release, you can start automatic policy building, allowing the Policy Builder to add various web site entities to the security policy in order to enhance it.
1.
In the navigation pane, expand Application Security and click Automatic Policy Building.
The Automatic Policy Building Configuration screen opens.
2.
In the editing context area, ensure that the edited web application and security policy are those for which you want to stop automatic policy building.
3.
For Automatically Build Policy, clear the Enabled check box.
The screen refreshes and shows fewer options.
4.
Click Save to save the change.
5.
On the menu bar, click Status.
The automatic policy building State displays Disabled, and the system stops the Policy Builder. The security policy remains the same unless you change the configuration manually. Refer to Chapter 6, Manually Configuring Security Policies.
1.
In the navigation pane, expand Application Security and click Automatic Policy Building.
The Automatic Policy Building Configuration screen opens.
2.
In the editing context area, ensure that the edited web application and security policy are those that you want to update.
3.
For Automatically Build Policy, check the Enabled check box.
The screen refreshes and shows more options.
4.
Click Save to save the change.
5.
From the menu bar, click Status.
The automatic policy building State displays Enabled, and the Policy Builder restarts the automatic policy building process based on traffic and configuration settings. Refer to Configuring automatic policy building, if you want to adjust the settings.
The Application Security Manager creates a log file, called the policy log, for every security policy on the system. This policy log is useful to review changes, or understand when and why the security policy was changed. The automatic policy building policy log includes an entry for each event or action that the Policy Builder makes to the policy.
The system also maintains a second policy log that shows all changes that the Policy Builder or a user made to the security policy. Refer to Reviewing a log of all security policy changes, for how to display it.
1.
In the navigation pane, expand Application Security, point to Automatic Policy Building, then click Log.
The Automatic Policy Building Log screen opens.
2.
In the editing context area, ensure that the edited web application and security policy are those you are interested in.
3.
In the Filter area, adjust the filter settings, as needed.
4.
Click the Go button.
The screen refreshes, and displays the policy log for the web application and security policy that you selected. Figure 5.8 shows a portion of a sample automatic policy building policy log.
5.
In the Description column, click the magnifying glass icon to view details about an element that was added to the security policy. For example, see the details for the *.[Pp][Dd][Ff] URL in Figure 5.8.
Tip: To display a policy log that shows additional information, such as including manual as well as automatic changes, navigate to the Policy >> Policy Log screen. For details, see Reviewing a log of all security policy changes.