Manual Chapter: Creating a Security Policy Automatically

Overview of creating a security policy with the Real Traffic Policy Builder
You can use the Application Security ManagerTM to automatically build a security policy that is tailored to your environment. The automatic policy building tool is called the Real Traffic Policy BuilderTM. The Real Traffic Policy Builder (referred to as the Policy Builder) creates a security policy based on settings that you configure using the Deployment wizard, and the characteristics of the traffic going to and from the web application that the system is protecting.
You can use the procedure described in this chapter to create a security policy for either a production site exposed to untrusted traffic or a QA site where traffic is trusted.
Important: The procedures in this deployment start after you have configured the network settings that are appropriate for your environment. Refer to Chapter 2, Performing Basic Configuration Tasks, if you have not yet configured network connectivity.
Before you get started, consider your answers to the following questions so that you can design a security policy to meet your needs:
Will you initially deploy the security policy you are developing in a production environment or a trusted QA environment?
Some companies develop a security policy in a test lab within the corporate network before putting it into production. The QA Lab scenario develops the policy faster because the traffic is trusted. The Production Site scenario develops a security policy with exposure to untrusted Internet traffic; how long it takes depends on the amount and type of traffic on the application web site.
What features of the web application require protection? What type of security policy do you want the system to create?
You can select a security policy type, that is, fundamental, enhanced, or complete. A fundamental policy type protects fewer application entities, enhanced protects additional entities, and the complete policy type protects even more entities. The Deployment wizard, shown in Figure 3.1, describes what is included in each of the policy types.
How strict do you want to make the rules for building a security policy?
You can set the strictness of the rules. A security policy built with loose rules requires less traffic to determine the policy settings, whereas a policy built with strict rules requires a larger traffic sample to determine the policy settings.
Figure 3.1 shows the Configure Automatic Policy Building screen of the Deployment wizard, where you configure how you want the Policy Builder to develop the security policy.
The policy type you choose depends on how strict you want the security policy to be. It is useful to understand basically how the application works, and generally how many people use it on a typical day. This information is useful when determining whether to set the rules to Loose or Tight. Setting the rules to Loose causes the system to build and enforce the security policy with fewer requests. If many users access the application daily, you can use the Tight setting, thus developing the security policy from more requests.
Application Security Manager can automatically create a tailored security policy for your web application in either a production or QA environment. You use the Deployment wizard to guide you through the tasks required to start automatic security policy creation. For example, Figure 3.2 shows a web application, called webapp, ready to start the Deployment wizard.
1. On the Main tab of the navigation pane, expand Application Security and click Web Applications.
The Web Applications screen opens.
2. Locate the web application you want to protect and click the Configure Security Policy link next to it.
The Deployment wizard opens the Select Deployment Scenario screen.
Tip: The application name matches the class name created in Defining an application security class.
3. On the Select Deployment Scenario screen, for Deployment Scenario, click the appropriate option:
Production Site (Untrusted Traffic)
Select this option if the system is in a production area.
QA Lab (Trusted Traffic)
Select this option if the system is in a test area within the corporate network, where the application is used only as intended (no malicious requests).
Web Services (XML + WSDL/User Schema)
Select this option for web services or XML applications, and refer to Chapter 4, Creating a Security Policy for Web Services.
Manual Deployment
Select this option to use the rapid deployment policy or one of the preconfigured baseline security templates. For rapid deployment, see Chapter 5, Creating a Security Policy Using Rapid Deployment; for security policy templates, see Chapter 6, Deploying an Application-Ready Security Policy.
4. Click Next.
The Configure Web Application Properties screen opens.
5. For Application Language, use one of the following options:
Leave the setting at the default value, Auto detect.
When Policy Builder starts, it determines the language encoding based on application data.
6. Click Next.
The Configure Attack Signatures screen opens.
7. For the Systems setting, from the Available Systems list, select the systems that apply to your web application and move them into the Assigned Systems list.
8. Click Next.
The Configure Automatic Policy Building screen opens.
9. For Policy Type, select one of the following options to determine the security features to include in the policy:
Fundamental (the default policy type)
10. For Rules, move the slider to change the strictness of the rules:
Loose builds a security policy quickly based on a smaller request sample; this is useful, for example, for web sites with less traffic.
Middle builds a security policy based on a medium number of requests. This is the default setting, and the one to use if you are not sure about the amount of traffic on the application web site.
Tight builds a security policy based on a large request sample; this is useful, for example, for web sites with lots of traffic.
11. For Trusted IP Addresses, specify which IP addresses to consider safe:
All specifies that the policy trusts all IP addresses. This is the default setting for the QA deployment scenario.
Address List specifies that you will add networks to consider safe. Type the IP address and netmask, then click Add. This is the default setting for the Production Site scenario.
12. Click Next to start checking for traffic.
When the system detects traffic going to the web application, the Policy Builder starts and automatically begins creating the security policy. The Automatic Policy Building Status screen opens where you can view the current state of the security policy.
When you finish running the Deployment wizard, you have created a basic security policy to protect your web application. The Policy Builder starts examining the application traffic and fine-tunes the security policy using the guidelines you configured.
The Policy Builder automatically discovers and populates the security policy with the policy elements (such as file types, URLs, parameters, and cookies). As the Policy Builder runs, you see status messages in the identification and messages area of the screen. The Policy Builder adds to the security policy, and you can monitor the general progress.
You can monitor the general progress of the Policy Builder, see what policy elements the system has learned, and view the details of the security policy on the Automatic Policy Building Status screen.
Figure 3.3 shows an example of the Automatic Policy Building Status screen for a web application called class1, with these characteristics:
1. On the Main tab of the navigation pane, expand Application Security, point to Automatic Policy Building, and click Status.
The Automatic Policy Building Status screen opens.
2. In the editing context area near the top of the screen, verify that the edited security policy is the one whose status you want to review.
3. Review the messages in the identification and messages area to learn about what is currently happening on the system. For example, messages say when the Policy Builder is enabled, when the security policy was last updated, and the number of elements that were added.
4. For State, the status says one of the following:
Enabled means the system is configured correctly, and the Policy Builder is processing traffic.
Detecting Language means the system is still detecting the language of the web application. The Policy Builder is enabled, but it does not add elements to the security policy until the language is set. Note that the system can determine the language only after it receives application traffic.
Disabled means the system may not be detecting traffic. Check your network configuration. For basic configuration details, see Chapter 2, Performing Basic Configuration Tasks.
General Progress shows a progress bar that indicates the stability level of the security policy. The progress bar reaches 100% when the policy is stable, no new policy elements need to be added, and time and traffic thresholds have been reached.
5. In the Policy Elements Learned table, review the number of elements that the Policy Builder has analyzed and added to the security policy.
6. Optionally, in the Details tree view, click any item to learn more about that security policy element, what the system has seen so far, and what it will take to accept the element as legitimate.
For example, Figure 3.4 shows the file types that the Policy Builder has learned and put in staging.
When enough traffic from unique sessions occurs over a period of time, the system starts to enforce the file types and other elements in the security policy. When enforced as part of a stable policy, the file types and other elements are removed from the staging list.
Figure 3.5 shows a security policy that has stabilized, and the progress bar has reached 100%. This means that the security policy is not causing false positives, it is not changing, and it is stable.
If the application web site changes and the system identifies the changes as legitimate, the system adds the new elements to the security policy and puts them in staging. The system enforces the elements in the security policy when sufficient traffic and instances of the elements have occurred and do not cause violations.
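The staging and enforcement cycle described above, modelled as an added example that is not F5's code: file types are learned from requests, held in staging per unique session, and enforced once enough sessions have presented them without violations. The per-Rules session thresholds, the trusted/untrusted split, and the `Request`, `PolicyBuilder` and `build` names are assumptions, and the time thresholds the page mentions are left out.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumed (trusted, untrusted) unique-session counts per Rules setting before a
# file type leaves staging; the page gives no numbers and time is ignored here.
THRESHOLDS = {"loose": (1, 3), "middle": (2, 6), "tight": (3, 12)}

@dataclass
class Request:
    src_ip: str
    session_id: str
    path: str
    violation: bool = False  # a violating request never counts toward learning
@dataclass
class PolicyBuilder:
    rules: str = "middle"
    trusted_networks: list = field(default_factory=list)  # CIDRs; empty = "All"
    staging: dict = field(default_factory=dict)  # file type -> sessions seen
    enforced: set = field(default_factory=set)
    def is_trusted(self, src_ip):
        if not self.trusted_networks:
            return True
        ip = ipaddress.ip_address(src_ip)
        return any(ip in ipaddress.ip_network(n) for n in self.trusted_networks)
    def learn(self, req):
        name = req.path.rsplit("/", 1)[-1]
        ftype = name.rsplit(".", 1)[-1] if "." in name else "no_ext"
        if ftype in self.enforced or req.violation:
            return
        seen = self.staging.setdefault(ftype, {"trusted": set(), "untrusted": set()})
        seen["trusted" if self.is_trusted(req.src_ip) else "untrusted"].add(req.session_id)
        need_t, need_u = THRESHOLDS[self.rules]
        if len(seen["trusted"]) >= need_t or len(seen["untrusted"]) >= need_u:
            self.enforced.add(ftype)  # enough unique sessions: enforce and unstage
            del self.staging[ftype]
    def progress(self):  # 100% once nothing is left in staging
        total = len(self.enforced) + len(self.staging)
        return 100 * len(self.enforced) // total if total else 0

# Constructed sample traffic: three corporate sessions and one Internet session
# that also requests a file type which triggers a violation.
SAMPLE = [Request("10.1.1.5", "s1", "/index.php"), Request("10.1.1.6", "s2", "/index.php"),
          Request("10.1.1.7", "s3", "/app.css"), Request("203.0.113.9", "s4", "/index.php"),
          Request("203.0.113.9", "s4", "/backup.zip", violation=True)]

def build(rules, trusted_networks=()):
    pb = PolicyBuilder(rules=rules, trusted_networks=list(trusted_networks))
    for req in SAMPLE:
        pb.learn(req)
    return pb
```

Running `build` with "loose", "middle" and "tight" against the same sample shows why a Tight policy needs far more traffic before its progress bar reaches 100%.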
Attack signatures are rules or patterns that identify attacks or classes of attacks that could pose a threat to your web application. The Application Security Manager includes an extensive set of attack signatures. Because new application threats are constantly being developed, F5 Networks provides attack signature updates to protect applications from the new threats. You can configure the system so that it automatically updates the attack signatures when updates become available.
1. On the Main tab of the navigation pane, expand Application Security, point to Options, Attack Signatures, and then click Attack Signatures Update.
The Attack Signatures Update screen opens.
2. For Update Mode, click Scheduled.
3. For the Update Interval, specify how often you want the system to check for updates (daily, weekly, or monthly).
4. If you want the system to update all active security policies, leave the Auto Apply Policy After Update box checked.
5. Click the Save Settings button.
The chapter called Working with Attack Signatures in the Configuration Guide for BIG-IP® Application Security ManagerTM provides more information about attack signatures. For details about allowing signature file updates through a firewall or an HTTPS proxy, refer to Solution 8217, Updating the BIG-IP ASM attack signatures, on the F5 technical support web site (https://support.f5.com).
For details about these and other security features that you can add to the security policy, refer to the Configuration Guide for BIG-IP® Application Security ManagerTM.