Manual Chapter: Fine-tuning HTTP Security Profiles

Overview: Increasing HTTP traffic security

The HTTP security profile consists of many different security checks for the various components of HTTP traffic. This implementation shows you how to fine-tune your HTTP security profile as required by your environment. The custom checks are described under the assumption that you have already created a custom HTTP security profile; they have no other prerequisite and can be configured in any order. You need to configure only the custom checks that you are interested in.

You can achieve a greater level of security when you configure Protocol Security Manager™ to perform the following checks:

  • HTTP Protocol Checks that are related to RFC compliance and actions to take resulting from a violation
  • Request Checks, such as length, allowable HTTP request methods, inclusion or exclusion of file types, and custom headers that must occur in every request
  • Blocking Page configuration which describes the page to display in the event of a blocked request when a violation is encountered

About RFC compliance and validation checks

When Protocol Security Manager™ receives an HTTP request from a client, the first validation check that the system performs is to ensure that it is RFC protocol compliant. If the request passes the compliance checks, the system applies the security profile to the request. So that your system fully validates RFC compliance, keep the following HTTP Protocol Checks enabled (they are enabled by default):

  • Several Content-Length headers: This security check fails when the incoming request contains more than one content-length header.
  • Null in request: This security check fails when the incoming request contains a null character.
  • Unparsable request content: This security check fails when the Protocol Security Manager is unable to parse the incoming request.

Modifying HTTP protocol compliance checks

F5 Networks® recommends that you retain the default properties for the HTTP protocol security checks. This task allows you to take additional precautions such as enabling the Block flag for the HTTP Protocol Checks setting, even if you enable only the Alarm flag for the other security checks. When you do this, the system blocks all requests that are not compliant with HTTP protocol standards, and performs additional security checks only on valid HTTP traffic.
  1. On the Main tab, click Security > Protocol Security > Security Profiles > HTTP. The Security Profiles: HTTP screen opens.
  2. In the HTTP Security Profiles area, in the Profile Name column, click the name of the security profile that you are modifying. The HTTP Profile Properties screen opens.
  3. On the HTTP Protocol Checks tab, for the HTTP Protocol Checks setting, select the check boxes for the protocol checks that you want the system to validate.
  4. Select Alarm or Block to indicate how you want the system to respond to a triggered violation. The default setting is Alarm.
    • Alarm: The system logs any requests that trigger the violation.
    • Block: The system blocks any requests that trigger the violation.
    • Alarm and Block: The system both logs and blocks any requests that trigger the violation.
  5. Click Update to retain changes.
The BIG-IP® system is now enabled for compliance checks on all valid HTTP traffic.

About evasion techniques checks

Protocol Security Manager™ can examine HTTP requests for methods of application attack that are designed to avoid detection. When found, these coding methods, called evasion techniques, trigger the Evasion technique detected violation. Protocol Security Manager can detect evasion techniques, such as these:

  • Directory traversal, for example, a/b/../c turns into a/c
  • Multiple decoding passes
  • Multiple backslash characters in a URI, for example, \\servername
  • Bare byte decoding (higher than ASCII-127) in a URI
  • Apache whitespace characters (0x09, 0x0b, or 0x0c)
  • Bad unescape

By default, the system logs requests that contain evasion techniques. You can also block requests that contain evasion techniques.
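To make the listed techniques concrete, here is an added detector (example code, not F5 code or the Protocol Security Manager implementation) that flags each of them in a raw request URI; the technique labels and the sample URIs are constructed for the example.

```python
import re
from urllib.parse import unquote

# Apache whitespace characters named above: 0x09, 0x0b, 0x0c
APACHE_WS = {"\t", "\x0b", "\x0c"}
VALID_PCT = re.compile(r"%[0-9A-Fa-f]{2}")


def normalize_path(path):
    """Resolve '.' and '..' segments the way a server would: a/b/../c -> /a/c."""
    out = []
    for seg in path.split("/"):
        if seg == "..":
            if out:
                out.pop()
        elif seg not in ("", "."):
            out.append(seg)
    return "/" + "/".join(out)


def detect_evasions(raw_uri):
    """Return the set of evasion technique labels found in a raw (undecoded) URI."""
    found = set()
    # Bad unescape: a '%' that is not followed by two hex digits
    if "%" in VALID_PCT.sub("", raw_uri):
        found.add("bad unescape")
    # Bare bytes above ASCII-127 sent without percent-encoding
    if any(ord(c) > 127 for c in raw_uri):
        found.add("bare byte")
    if any(c in APACHE_WS for c in raw_uri):
        found.add("apache whitespace")
    # Multiple backslash characters, e.g. \\servername
    if "\\\\" in raw_uri:
        found.add("multiple backslashes")
    # Multiple decoding passes: a second decode still changes the string
    once = unquote(raw_uri)
    twice = unquote(once)
    if twice != once:
        found.add("multiple decoding")
    # Directory traversal: a '..' segment survives in the fully decoded path
    path = twice.split("?", 1)[0]
    if ".." in path.split("/"):
        found.add("directory traversal")
    return found
```

A real proxy applies these checks after its own decoding and normalization; the order used here (decode, then inspect the decoded path) mirrors that so a double-encoded traversal is caught as both techniques.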

Configuring HTTP protocol evasion techniques blocking policy

Protocol Security Manager™ enables you to detect, log, alarm, and block evasion techniques detected in HTTP traffic.
  1. On the Main tab, click Security > Protocol Security > Security Profiles > HTTP. The Security Profiles: HTTP screen opens.
  2. In the HTTP Security Profiles area, in the Profile Name column, click the name of the security profile that you are modifying. The HTTP Profile Properties screen opens.
  3. On the HTTP Protocol Checks tab, for the Evasion Techniques Checks setting, select or clear the Alarm or Block check boxes, as required.
    • Alarm: The system logs any requests that trigger the violation. This is the default setting.
    • Block: The system blocks any requests that trigger the violation.
    • Alarm and Block: The system both logs and blocks any requests that trigger the violation.
  4. Click Update to retain changes.

About the types of HTTP request checks

Protocol Security Manager™ can perform several types of checks on HTTP requests to ensure that the requests are well-formed and protocol-compliant.

Length checks
Specify valid maximum lengths for request components to help prevent buffer overflow attacks.
Method checks
Specify which HTTP methods the system allows in requests.
File type checks
Specify which file types users can or cannot access.
Mandatory headers
Specify custom headers that must occur in every request.
Null in request
This security check fails when the incoming request contains a null character.
Unparsable request content
This security check fails when the system is unable to parse the incoming request.
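As an added, simplified illustration (example code, not F5 code or the actual Protocol Security Manager logic), the following applies the RFC compliance checks and the request checks listed above to a raw request under a constructed profile. The default methods and the 10,000,000-byte request buffer size come from this chapter; the length limits, the disallowed file types, the X-App-Token header and which checks are set to Block are assumptions.

```python
from urllib.parse import urlsplit

# Constructed profile. Allowed methods and the 10,000,000-byte request
# buffer are the chapter's defaults; every other value is an assumption.
PROFILE = {
    "methods": {"GET", "HEAD", "POST"},
    "max_url": 1024, "max_query": 512, "max_post": 4096, "max_request": 10_000_000,
    "disallowed_types": {"bak", "ini"},          # a "Define Disallowed" list
    "mandatory_headers": {"x-app-token"},        # hypothetical custom header
    "block": {"rfc", "method", "mandatory header"},  # checks set to Block; rest Alarm
}


def check_request(raw, profile=PROFILE):
    """Return (violations, action); action is 'pass', 'alarm' or 'block'."""
    v = []
    if b"\x00" in raw:
        v.append(("rfc", "Null in request"))
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        v.append(("rfc", "Unparsable request content"))
        return v, "block" if "rfc" in profile["block"] else "alarm"
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    if len(headers.get(b"content-length", [])) > 1:
        v.append(("rfc", "Several Content-Length headers"))
    method = parts[0].decode(errors="replace")
    url = urlsplit(parts[1].decode(errors="replace"))
    if method not in profile["methods"]:
        v.append(("method", "Illegal method " + method))
    if len(url.path) > profile["max_url"] or len(url.query) > profile["max_query"]:
        v.append(("length", "URL or query string too long"))
    if len(body) > profile["max_post"] or len(raw) > profile["max_request"]:
        v.append(("length", "POST data or request too long"))
    last = url.path.rsplit("/", 1)[-1]          # file name part of the path
    ext = last.rsplit(".", 1)[-1] if "." in last else ""
    if ext in profile["disallowed_types"]:
        v.append(("file type", "Disallowed file type " + ext))
    for h in profile["mandatory_headers"]:
        if h.encode() not in headers:
            v.append(("mandatory header", "Mandatory HTTP header is missing"))
    if not v:
        return v, "pass"
    return v, "block" if any(c in profile["block"] for c, _ in v) else "alarm"
```

Note that a request is blocked as soon as any violated check is set to Block, which is why the chapter suggests blocking protocol violations even when other checks only alarm.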

Configuring length checks for HTTP traffic

With Protocol Security Manager™ you can specify valid maximum lengths for request components in HTTP security profiles to prevent buffer overflow attacks. You can set maximum lengths for URLs, query strings, POST data, and the entire request.
  1. On the Main tab, click Security > Protocol Security > Security Profiles > HTTP. The Security Profiles: HTTP screen opens.
  2. In the Profile Name column, click the name of the security profile for which you want to configure length checking. The Profile Properties screen opens.
  3. Click the Request Checks tab.
  4. For each option of the Length Checks setting, specify Any to allow any length or click Length and specify the maximum length you want to allow.
  5. Select Alarm or Block, to indicate how you want the system to respond to a triggered violation. The default setting is Alarm.
    • Alarm: The system logs any requests that trigger the violation.
    • Block: The system blocks any requests that trigger the violation.
    • Alarm and Block: The system both logs and blocks any requests that trigger the violation.
  6. For the Request Length Exceeds Defined Buffer Size setting, select or clear Alarm and Block, as needed.
    • Alarm: The system logs any requests that are longer than allowed by the long_request_buffer_size internal parameter (the default is 10,000,000 bytes).
    • Block: The system blocks any requests that are longer than allowed by the long_request_buffer_size internal parameter (the default is 10,000,000 bytes).
    • Alarm and Block: The system both logs and blocks any requests that trigger the violation.
  7. Click Update to retain changes.

Specifying which HTTP methods to allow

The Protocol Security Manager™ accepts certain HTTP methods by default. The default allowed methods are GET, HEAD, and POST. The system treats any incoming HTTP request that includes an HTTP method other than the allowed methods as a violating request. Later, you can decide how to handle each violation.
  1. On the Main tab, click Security > Protocol Security > Security Profiles > HTTP. The Security Profiles: HTTP screen opens.
  2. In the Profile Name column, click the name of the security profile for which you want to modify allowable HTTP methods. The Profile Properties screen opens.
  3. Click the Request Checks tab.
  4. For the Methods setting, specify which HTTP methods to allow: The default allowed methods are GET, HEAD, and POST.
    • From the Available list, select the methods you want to allow in a request and move them to the Allowed list.
    • To add a new method to the Available list: type the name in the Method field, click Add to add it to the list, and move it to the Allowed list.
  5. Select Alarm or Block, to indicate how you want the system to respond to a triggered violation. The default setting is Alarm.
    • Alarm: The system logs any requests that trigger the violation.
    • Block: The system blocks any requests that trigger the violation.
    • Alarm and Block: The system both logs and blocks any requests that trigger the violation.
  6. Click Update to retain changes.

Including or excluding files by type in HTTP security profiles

By default, the HTTP security profile permits all file types in a request. For tighter security, you can create a list that specifies either all file types you want to allow, or a list specifying all the file types you do not want allowed.
  1. On the Main tab, click Security > Protocol Security > Security Profiles > HTTP. The Security Profiles: HTTP screen opens.
  2. In the Profile Name column, click the name of the security profile you want to update. The Profile Properties screen opens.
  3. Click the Request Checks tab.
  4. For the File Types setting, specify whether you want to create a list of allowed or disallowed file types, and which files you want in the list.
    • To create a list of file types that are permitted in requests, select Define Allowed.
    • To create a list of file types not permitted, select Define Disallowed.
    • Select file types from the Available list, and move them to the Allowed or Disallowed list.
    • To add a new file type, type the name in the File Type field, click Add to add it to the Available list, and then move it to the Allowed or Disallowed list.
    Important: If the profile is case-sensitive, the file types are case-sensitive. For example, jsp and JSP will be treated as separate file types.
  5. Select Alarm or Block, to indicate how you want the system to respond to a triggered violation. The default setting is Alarm.
    • Alarm: The system logs any requests that trigger the violation.
    • Block: The system blocks any requests that trigger the violation.
    • Alarm and Block: The system both logs and blocks any requests that trigger the violation.
The page you configured is displayed every time one of the security checks set to Block has been violated.

Configuring a mandatory header for an HTTP security profile

When the BIG-IP® system is managing an application that uses custom headers that must occur in every request, you can specify mandatory HTTP headers in the security profile. The Protocol Security Manager™ verifies that all requests contain those headers. If a request does not contain the mandatory header, the system issues the Mandatory HTTP header is missing violation, and takes the action that you configure: Alarm, Block, or both.
  1. On the Main tab, click Security > Protocol Security > Security Profiles > HTTP. The Security Profiles: HTTP screen opens.
  2. In the Profile Name column, click the name of the security profile for which you want to configure a Mandatory Header alarm. The Profile Properties screen opens.
  3. Click the Request Checks tab.
  4. For the Mandatory Headers setting, specify the header that must be in the request:
    1. In the Header field, type the name of the mandatory header, and click the Add button to add it to the Available list.
    2. Move the new mandatory header from the Available list to the Mandatory list.
    3. Select or clear the Alarm or Block check boxes as required.
    • Alarm: The system logs any requests that trigger the Mandatory HTTP header is missing violation. This is the default setting.
    • Block: The system blocks any requests that trigger the Mandatory HTTP header is missing violation.
    • Alarm and Block: The system both logs and blocks any requests that trigger the Mandatory HTTP header is missing violation.
  5. Click Update to retain changes.
All HTTP requests are checked for the mandatory headers you have selected.

Configuring the blocking response page for HTTP security profiles

If your security profile is set up to block requests that violate one or more of the security checks, the Protocol Security Manager™ displays a page, called the blocking response page, on the client's screen. The default blocking response page states that the request was rejected, and provides a support ID. You can also configure the system to redirect the client to a specific web site instead of displaying the blocking response page.
  1. On the Main tab, click Security > Protocol Security > Security Profiles > HTTP. The Security Profiles: HTTP screen opens.
  2. In the Profile Name column, click the name of the security profile for which you want to configure a blocking page. The Profile Properties screen opens.
  3. Click the Blocking Page tab.
  4. For the Response Type setting, select one of the options:
    • Default Response: Specifies that the system returns the system-supplied blocking response page. Though you cannot edit the HTML code on the default blocking page, you can copy it into a custom response and edit it.
    • Custom Response: Specifies that the system returns a response page that you design or upload.
    • Redirect URL: Specifies that the system redirects the client to the specified URL.
    • SOAP Fault: Specifies that the system displays a blocking page in standard SOAP fault message format. Though you cannot edit the SOAP fault code, you can copy it into a custom response and edit it.
    The settings on the screen change depending on the selection that you make for the Response Type setting.
  5. If you selected the Custom Response option, you can either create a new response or upload an HTML file.
    • To create a custom response, make the changes you want to the default responses for the Response Header and Response Body settings using HTTP syntax for the content, and click Upload.
    • To upload an HTML file for the response body, navigate to an existing HTML response page, and click Upload.
  6. If you selected Redirect URL, type the full path of the web page to which the system should redirect the client in the Redirect URL field.
  7. Click Update to retain changes.
The system displays the response page when a violation occurs on any of the security checks set to Block.