Manual Chapter: Configuring Security for HTTP Traffic
When you configure the HTTP security profile, the BIG-IP® Protocol Security Module provides the following security checks for HTTP traffic:
For the HTTP security profile, you can also configure either a blocking response page or a redirection. If the system detects a violation according to the security profile settings, and you have enabled the Block flag for the violation, then instead of forwarding the request, the Protocol Security Module either sends the blocking response page or redirects the client.
There are two methods for configuring security for HTTP traffic: use the default system configuration, or create new configuration objects as required by your environment. For information on using the default system configuration, refer to Configuring HTTP security using the default system configuration. For information on creating new configuration objects, refer to Configuring HTTP security using new configuration objects.
Configuring HTTP security using the default system configuration
The easiest method for initiating HTTP protocol security for your HTTP virtual server traffic is to use the system default settings. You do this by enabling protocol security for the system-supplied HTTP service profile, and then associating that service profile with either a new or existing virtual server.
When you enable the Protocol Security setting for the system-supplied HTTP profile, the system automatically associates the default HTTP security profile (in the Protocol Security Module configuration) with this service profile.
1.
On the Main tab of the navigation pane, expand Local Traffic, and then click Profiles.
The HTTP Profiles screen opens.
2.
In the Name column, click http.
The Properties screen for the system-supplied HTTP profile opens.
3.
Check the Protocol Security check box to enable HTTP security checks.
4.
Click the Update button to save any changes you have made.
Once you have enabled protocol security, you can associate the HTTP service profile either with an existing virtual server or with a new virtual server. Refer to Configuring an HTTP virtual server, for more information.
Configuring HTTP security using new configuration objects
If the default system configuration does not meet the requirements of your environment, you can create additional objects for HTTP security and traffic management, as required.
HTTP service profiles optimize HTTP traffic in the LAN. The HTTP service profile uses the HTTP security profile to detect potential security risks specific to the protocol.
Note: For more information about service profiles in general, refer to the Understanding Profiles chapter in the Configuration Guide for BIG-IP® Local Traffic Management. For information specific to the HTTP service profile, refer to Configuring HTTP standard profile settings, in the Managing Application Layer Traffic chapter in the same guide.
1.
On the Main tab of the navigation pane, expand Local Traffic and click Profiles.
The HTTP Profiles screen opens.
2.
Above the list area, click the Create button.
The New HTTP Profile screen opens.
3.
In the General Properties area, for the Name setting, type a unique name for the profile.
4.
For the Parent Profile setting, select the existing HTTP protocol from which you want the new profile to inherit settings. The default setting is http.
5.
Above the Settings area, check the Custom check box.
The system activates the editing mode for the individual settings.
6.
Check the Protocol Security check box to enable the HTTP security profile that you created.
8.
Click Finished.
The screen refreshes and displays the new HTTP service profile in the list.
The HTTP security profile specifies the security checks that are applicable to the HTTP service, and enforced by the Security Enforcer. In the security profile, you also specify whether the Protocol Security Module logs violations to a remote logging server. For more information, refer to Configuring remote logging.
1.
On the Main tab of the navigation pane, expand the Protocol Security section and click Security Profiles.
The HTTP Security Profiles screen opens in a new browser session.
2.
Above the HTTP Security Profiles area, click the Create button.
The New Security Profile screen opens.
3.
In the Profile Properties area, in the Profile Name box, type a unique name for the profile.
4.
For the Remote Logging setting, check the box to enable remote logging for this security profile.
5.
In the Defense Configuration area, you can modify the blocking policy settings for the security profile. If you do not check either Alarm or Block for a violation, the system does not perform the corresponding security check.
Check Alarm if you want the system to log any requests that trigger the security profile violation.
Check Block if you want the system to block requests that trigger the security profile violation.
Check both Alarm and Block if you want the system to perform both actions.
Note: For information on the specific security profile components, refer to Configuring the components of HTTP security profiles.
6.
7.
Click Create.
The screen refreshes, and you see the new security profile in the list.
Configuring the components of HTTP security profiles
The HTTP security profile consists of many different security checks for the various components of HTTP traffic. You can either use the default settings for the security checks, or you can modify the security checks as required by your environment.
The first security checks that Protocol Security Module performs are those related to RFC compliance for the HTTP protocol. If a request passes the compliance checks, then the system applies the security profile to the remainder of the request. You can also configure whether the system generates alarms, or blocks requests, for requests that trigger the HTTP protocol compliance failed violation.
When Protocol Security Module receives a request from a client, the first aspect of the request that the system validates is HTTP protocol compliance. If the request does not comply with the following subset of HTTP protocol validations, the Security Enforcer cannot continue enforcing the security profile, and may pass the request on to the application resources even though it is not a valid request. There are several HTTP protocol validations that may cause this situation:
Unparsable request content
This security check fails when the Protocol Security Module is unable to parse the incoming request.
Null in request
This security check fails when the incoming request contains a null character.
Several Content-Length headers
This security check fails when the incoming request contains more than one Content-Length header.
We recommend that you retain the default properties for the HTTP protocol security checks. As an additional precaution, you may want to enable the Block flag for this security check, even if you enable only the Alarm flag for the other security checks. When you do this, the Security Enforcer blocks all requests that are not compliant with the HTTP protocol standards, and performs the additional security checks only on valid HTTP traffic.
You can review and modify the validation options for HTTP protocol compliance on the HTTP Protocol Compliance tab of the HTTP security profile defense configuration.
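As an added illustration of the three compliance checks listed above and of the Alarm/Block semantics of the Defense Configuration (if neither box is checked the check is not performed), the following Python models the checks on a raw request and applies a policy to the result. This is example code, not F5's implementation; the violation names follow the text, while the request-line pattern, the sample requests and the returned dictionary are assumptions.

```python
"""HTTP protocol compliance checks (unparsable request, null in request,
several Content-Length headers) plus the Alarm/Block semantics of the
Defense Configuration. Added illustration, not F5 code."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Request-line shape this model accepts (assumption; the product's parser
# is not documented on this page).
REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/\d\.\d$")


@dataclass
class ViolationPolicy:
    """Mirrors the Alarm and Block check boxes for one violation.
    Neither flag set means the check is not performed at all."""
    alarm: bool = False
    block: bool = False


def compliance_violations(raw: bytes) -> list:
    """Return the names of the compliance checks a raw request fails."""
    found = []
    if b"\x00" in raw:
        found.append("Null in request")
    head, sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if not sep or not REQUEST_LINE.match(lines[0]):
        found.append("Unparsable request content")
        return found                       # nothing further can be parsed
    content_lengths = 0
    for line in lines[1:]:
        name, colon, _value = line.partition(b":")
        if not colon:                      # a header line without a colon
            found.append("Unparsable request content")
            return found
        if name.strip().lower() == b"content-length":
            content_lengths += 1
    if content_lengths > 1:
        found.append("Several Content-Length headers")
    return found


def enforce(raw: bytes, policy: ViolationPolicy) -> dict:
    """Apply the 'HTTP protocol compliance failed' policy to one request."""
    active = policy.alarm or policy.block
    violations = compliance_violations(raw) if active else []
    blocked = bool(violations) and policy.block
    return {
        "violations": violations,
        "logged": violations if policy.alarm else [],
        "blocked": blocked,
        "forwarded": not blocked,          # alarm-only traffic still reaches the pool
    }


# Constructed sample requests
GOOD = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
DOUBLE_CL = (b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
             b"Content-Length: 4\r\nContent-Length: 40\r\n\r\nabcd")
NULL_REQ = b"GET /a\x00.jsp HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
GARBAGE = b"THIS IS NOT HTTP\r\n\r\n"

if __name__ == "__main__":
    recommended = ViolationPolicy(alarm=True, block=True)   # Block on compliance, as advised above
    for label, raw in (("good", GOOD), ("double-cl", DOUBLE_CL),
                       ("null", NULL_REQ), ("garbage", GARBAGE)):
        print(label, enforce(raw, recommended))
```

With Alarm only, a non-compliant request is logged but still forwarded, which is the situation the text warns about; enabling Block for this check stops it before the remaining checks run.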
1.
On the Main tab of the Protocol Security navigation pane, click Security Profiles.
The HTTP Security Profiles screen opens.
2.
In the HTTP Security Profiles area, in the Profile Name column, click the name of the security profile that you created.
The Profile Properties screen opens.
3.
In the Defense Configuration area, on the HTTP Protocol Checks tab, for the HTTP Protocol Checks setting, make any adjustments that are required. For an explanation of the individual security checks, refer to the online help.
4.
Click Update to retain any changes you may have made.
For every HTTP request that the Protocol Security Module receives, the Security Enforcer first runs a pre-processor over the request. The pre-processor detects encoding methods that application attacks use to avoid detection; these methods are known as evasion techniques. Any evasion technique found triggers the Evasion technique detected violation. The evasion techniques that the Security Enforcer detects are:
In the HTTP security profile configuration, you can enable or disable the blocking policy for evasion techniques checks, but you cannot disable the evasion techniques detection. The system analyzes every request for evasion techniques, regardless of whether you have enabled the Alarm or Block actions for evasion techniques.
1.
On the Main tab of the Protocol Security navigation pane, click Security Profiles.
The HTTP Security Profiles screen opens.
2.
In the HTTP Security Profiles area, in the Profile Name column, click the name of the security profile that you created.
The Profile Properties screen opens.
3.
In the Defense Configuration area, on the HTTP Protocol Checks tab, for the Evasion Techniques Checks setting, check or clear the Alarm or Block check boxes as required.
Check Alarm if you want the system to log any requests that trigger the Evasion technique detected violation.
Check Block if you want the system to block any requests that trigger the Evasion technique detected violation.
Check both Alarm and Block if you want the system to perform both actions.
4.
Click Update to retain any changes you may have made.
In the HTTP security profile, by specifying valid maximum lengths for request components, the Security Enforcer can help prevent buffer overflow attacks. You can configure maximum lengths for URIs, query strings, POST data, and the entire request.
1.
On the Main tab of the Protocol Security navigation pane, click Security Profiles.
The HTTP Security Profiles screen opens.
2.
In the HTTP Security Profiles area, in the Profile Name column, click the name of the security profile that you created.
The Profile Properties screen opens.
4.
On the Lengths tab, for the Length Checks setting, make any adjustments to the length options as required.
5.
Check or clear the Alarm or Block check boxes as required.
Check Alarm if you want the system to log any requests that trigger length violations.
Check Block if you want the system to block any requests that trigger length violations.
Check both Alarm and Block if you want the system to perform both actions.
6.
Click Update to retain any changes you may have made.
The Protocol Security Module accepts certain HTTP methods by default. The default methods are GET, POST, and HEAD. The system treats any incoming HTTP request that uses an HTTP method other than the allowed methods as a violating request, that is, a request that does not comply with the security checks. If your application uses HTTP methods other than the default allowed methods, you can use the methods security check to manage them.
1.
On the Main tab of the Protocol Security navigation pane, click Security Profiles.
The HTTP Security Profiles screen opens.
2.
In the HTTP Security Profiles area, in the Profile Name column, click the name of the security profile that you created.
The Profile Properties screen opens.
4.
On the Methods tab, for the Methods setting, you can perform the following actions:
Select a method from the Available list, and add it to the Allowed list.
Type the name of a method in the Method box, and click the Add button to add it to the Available list. You can then move the new method to the Allowed list, by using the Move [<<] button. Use this option if the method you want to allow is not in the system-supplied list.
5.
Check or clear the Alarm or Block check boxes as required.
Check Alarm if you want the system to log any requests that trigger the Illegal method violation.
Check Block if you want the system to block any requests that trigger the Illegal method violation.
Check both Alarm and Block if you want the system to perform both actions.
6.
Click Update to retain any changes you may have made.
By default, the HTTP security profile permits all file types. For tighter security, you can create either an allowed file types list or a disallowed file types list. Note that you cannot create both an allowed file types list and a disallowed file types list.
When you create an allowed file types list, the Security Enforcer permits only requests whose file type matches one of those in the list to access the back-end resources. The system alarms, or blocks (if configured), for all other file types. You create the allowed file types list by selecting from the available file types list. You can also add custom file types to the available list.
Important: The file types lists are case-sensitive. For example, the Security Enforcer treats jsp and JSP as separate file types.
1.
On the Main tab of the Protocol Security navigation pane, click Security Profiles.
The HTTP Security Profiles screen opens.
2.
In the HTTP Security Profiles area, in the Profile Name column, click the name of the security profile that you created.
The Profile Properties screen opens.
4.
On the File Types tab, for the File Types setting, select Define Allowed from the list.
Select a file type from the Available list, and add it to the Allowed list.
Type a file type in the File type box, and click the Add button to add it to the Available list. You can then move the new file type to the Allowed list, by using the Move [<<] button. Use this option if the file type you want to allow is not in the system-supplied list.
6.
Check or clear the Alarm or Block check boxes as required.
Check Alarm if you want the system to log any requests that trigger the Illegal file type violation.
Check Block if you want the system to block any requests that trigger the Illegal file type violation.
Check both Alarm and Block if you want the system to perform both actions.
7.
Click Update to retain any changes you may have made.
If you create a disallowed file types list, the Security Enforcer permits all requests, except for those whose file type matches one of those in the list. The system alarms, or blocks (if configured) for the file types that match the disallowed file types list.
Important: The file types lists are case-sensitive. For example, the Security Enforcer treats jsp and JSP as separate file types.
1.
On the Main tab of the Protocol Security navigation pane, click Security Profiles.
The HTTP Security Profiles screen opens.
2.
In the HTTP Security Profiles area, in the Profile Name column, click the name of the security profile that you created.
The Profile Properties screen opens.
4.
On the File Types tab, for the File Types setting, select Define Disallowed from the list.
Select a file type from the Available list, and add it to the Disallowed list.
Type a file type in the File type box, and click the Add button to add it to the Available list. You can then move the new file type to the Disallowed list, by using the Move [<<] button. Use this option if the file type you want to disallow is not in the system-supplied list.
6.
Check or clear the Alarm or Block check boxes as required.
Check Alarm if you want the system to log any requests that trigger the Illegal file type violation.
Check Block if you want the system to block any requests that trigger the Illegal file type violation.
Check both Alarm and Block if you want the system to perform both actions.
7.
Click Update to retain any changes you may have made.
If your application uses custom headers that must occur in every request, you can use the mandatory headers option to include them in the security profile. If you specify mandatory headers in the security profile, then the Security Enforcer verifies that requests contain those headers. If a request does not contain the mandatory header, the system issues the Mandatory HTTP header is missing violation, and takes the action that you configure: alarm, block, or both.
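The request-side checks from the Lengths, Methods, File Types and Mandatory Headers sections all inspect the same parsed request, so they are modelled together here in one Python example (added for illustration; not F5 code). The Request and HttpSecurityProfile structures, the default length limits, the length-violation names and the treatment of requests without a file extension are assumptions; the default methods GET, POST and HEAD, the case-sensitive file types, the rule that an allowed list and a disallowed list cannot coexist, and the Illegal method, Illegal file type and Mandatory HTTP header is missing violation names come from the chapter.

```python
"""Request-side checks: lengths, allowed methods, allowed/disallowed file
types and mandatory headers. Added illustration, not F5 code."""
from __future__ import annotations
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Request:
    method: str
    uri: str                 # request-target as sent, e.g. /a/b.jsp?x=1
    headers: dict            # header names lower-cased by the caller
    body: bytes = b""


@dataclass
class HttpSecurityProfile:
    allowed_methods: set = field(default_factory=lambda: {"GET", "POST", "HEAD"})
    max_uri_length: int = 2048            # assumed defaults for the Lengths tab
    max_query_length: int = 1024
    max_post_data_length: int = 65536
    max_request_length: int = 131072
    file_types_mode: str = "none"         # "none", "allowed" or "disallowed"; never both
    file_types: set = field(default_factory=set)   # compared case-sensitively
    mandatory_headers: set = field(default_factory=set)


def file_type_of(uri: str) -> str:
    """Extension of the request path with case preserved ('' if none)."""
    name = urlsplit(uri).path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1] if "." in name else ""


def check_request(req: Request, profile: HttpSecurityProfile) -> list:
    """Return the violations a request triggers, in the order checked."""
    if profile.file_types_mode not in ("none", "allowed", "disallowed"):
        raise ValueError("file types list must be allowed OR disallowed, not both")
    found = []
    parts = urlsplit(req.uri)
    # +4 per header approximates ': ' and CRLF on the wire (assumption)
    header_bytes = sum(len(k) + len(v) + 4 for k, v in req.headers.items())
    total = len(req.method) + len(req.uri) + header_bytes + len(req.body)
    # Lengths tab: URI, query string, POST data and the whole request
    if len(parts.path) > profile.max_uri_length:
        found.append("Length violation: URI")
    if len(parts.query) > profile.max_query_length:
        found.append("Length violation: query string")
    if req.method == "POST" and len(req.body) > profile.max_post_data_length:
        found.append("Length violation: POST data")
    if total > profile.max_request_length:
        found.append("Length violation: request")
    # Methods tab
    if req.method not in profile.allowed_methods:
        found.append("Illegal method")
    # File Types tab (requests without an extension are not checked: assumption)
    ext = file_type_of(req.uri)
    if ext and profile.file_types_mode == "allowed" and ext not in profile.file_types:
        found.append("Illegal file type")
    if ext and profile.file_types_mode == "disallowed" and ext in profile.file_types:
        found.append("Illegal file type")
    # Mandatory Headers setting; header names are case-insensitive in HTTP
    for name in profile.mandatory_headers:
        if name.lower() not in req.headers:
            found.append("Mandatory HTTP header is missing")
    return found


# Constructed profile and sample requests
PROFILE = HttpSecurityProfile(
    file_types_mode="allowed", file_types={"html", "jsp", "css", "js"},
    mandatory_headers={"X-App-Token"}, max_query_length=64)

SAMPLE = [
    Request("GET", "/catalog/list.jsp?page=2",
            {"host": "shop.example.com", "x-app-token": "abc"}),
    Request("GET", "/catalog/list.JSP",                     # JSP is not jsp
            {"host": "shop.example.com", "x-app-token": "abc"}),
    Request("DELETE", "/catalog/item.jsp",
            {"host": "shop.example.com", "x-app-token": "abc"}),
    Request("GET", "/search.jsp?q=" + "A" * 100,            # long query, no token
            {"host": "shop.example.com"}),
]

if __name__ == "__main__":
    for req in SAMPLE:
        print(req.method, req.uri[:40], check_request(req, PROFILE))
```

The second sample shows the case-sensitivity caveat from the Important note: with jsp in the allowed list, a request for list.JSP is an Illegal file type. Switching the same profile to a disallowed list inverts the logic without any change to the checking code.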
1.
On the Main tab of the Protocol Security navigation pane, click Security Profiles.
The HTTP Security Profiles screen opens.
2.
In the HTTP Security Profiles area, in the Profile Name column, click the name of the security profile that you created.
The Profile Properties screen opens.
4.
For the Mandatory Headers setting, in the Headers box, type the name of the mandatory header, and click the Add button to add it to the Available list.
5.
Move the new mandatory header from the Available list to the Mandatory list, by using the Move [<<] button.
6.
Check or clear the Alarm or Block check boxes as required.
Check Alarm if you want the system to log any requests that trigger the Mandatory HTTP header is missing violation.
Check Block if you want the system to block any requests that trigger the Mandatory HTTP header is missing violation.
Check both Alarm and Block if you want the system to perform both actions.
7.
Click Update to retain any changes you may have made.
The HTTP security profile uses response checks to discover common weaknesses in server responses, for example a response that contains sensitive user data or one that carries an unexpected response code. The Data Guard response check detects sensitive user information in the server response. The allowed response codes list specifies which HTTP response codes are acceptable in the server response.
Depending on the application, a response may contain sensitive user information, such as credit card numbers, or social security numbers (U.S. only). You can configure the Data Guard feature to prevent responses from exposing this sensitive information. This process is known as response scrubbing. In addition to protecting credit card numbers and social security numbers, you can configure custom patterns, by using PCRE-compliant regular expressions, to match other types of sensitive information.
When the system detects sensitive information in a response, and you have enabled the Data Guard feature, the system generates the Information leakage detected violation. Additionally, if you have enabled the Block action, the system does not send the response to the client.
Important: When you enable the Mask Data option in the server response, the system replaces sensitive data with asterisk characters (****). We recommend that you enable this setting if you enable only the Alarm action for the Data Guard feature. Otherwise, when the system returns the response, the sensitive data is exposed to the client.
1.
On the Main tab of the Protocol Security navigation pane, click Security Profiles.
The HTTP Security Profiles screen opens.
2.
In the HTTP Security Profiles area, in the Profile Name column, click the name of the security profile that you created.
The Profile Properties screen opens.
4.
For the Data Guard setting, check the sensitive data that you want the system to identify in responses. The online help describes the options.
5.
Check the Mask data box if you want the system to replace the sensitive data in the response with asterisk characters.
6.
Check or clear the Alarm or Block check boxes as required.
Check Alarm if you want the system to log any requests that trigger the Information leakage detected violation.
Check Block if you want the system to block any requests that trigger the Information leakage detected violation.
Check both Alarm and Block if you want the system to perform both actions.
7.
Click Update to retain any changes you may have made.
For the HTTP security profile, the allowed response codes list determines which response codes are acceptable in a server response; the check applies only to response codes in the 4XX and 5XX ranges. A response whose code is in the 4XX or 5XX range and appears in the list is returned to the client as-is. A response whose code is in the 4XX or 5XX range but does not appear in the list triggers the Illegal HTTP status in response violation and, if blocking is enabled for this violation, is blocked.
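Both response checks, Data Guard (response scrubbing with the Mask Data option) and the allowed response codes list, modelled in Python as an added example; this is not F5 code. The built-in credit card and SSN patterns, the Luhn filter, the policy field names and the sample response are assumptions; the default allowed codes 400, 401, 404, 407, 417 and 503, the asterisk masking, the PCRE-style custom patterns and the violation names come from the text.

```python
"""Response checks: Data Guard (response scrubbing) and allowed response
codes. Added illustration, not F5 code; patterns and field names are
assumptions, defaults and violation names are from the chapter."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Built-in sensitive data patterns (assumed). Custom patterns are written
# in PCRE syntax; Python's re module accepts the same basic constructs.
CREDIT_CARD = re.compile(r"\b(?:\d[ -]?){15}\d\b")      # 16 digits, optional separators
US_SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used here to drop 16-digit numbers that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class ResponsePolicy:
    data_guard: bool = True
    mask_data: bool = True                 # the Mask Data option
    custom_patterns: list = field(default_factory=list)
    data_guard_alarm: bool = True
    data_guard_block: bool = False
    allowed_response_codes: set = field(default_factory=lambda: {400, 401, 404, 407, 417, 503})
    status_alarm: bool = True
    status_block: bool = False


def find_sensitive(body: str, policy: ResponsePolicy) -> list:
    """Return sorted (start, end) spans of sensitive data in the body."""
    spans = [m.span() for m in CREDIT_CARD.finditer(body)
             if luhn_ok(re.sub(r"\D", "", m.group()))]
    spans += [m.span() for m in US_SSN.finditer(body)]
    for pattern in policy.custom_patterns:
        spans += [m.span() for m in re.finditer(pattern, body)]
    return sorted(spans)


def mask(body: str, spans: list) -> str:
    """Replace every span with asterisks; overlapping spans are masked once."""
    out, pos = [], 0
    for start, end in spans:
        if start < pos:
            continue
        out.append(body[pos:start])
        out.append("*" * (end - start))
        pos = end
    out.append(body[pos:])
    return "".join(out)


def check_response(status: int, body: str, policy: ResponsePolicy) -> dict:
    """Apply both response checks; 'body' is what the client would receive
    (None when the response is blocked)."""
    violations, blocked, send_body = [], False, body
    if policy.data_guard and (policy.data_guard_alarm or policy.data_guard_block):
        spans = find_sensitive(body, policy)
        if spans:
            violations.append("Information leakage detected")
            blocked = blocked or policy.data_guard_block
            if policy.mask_data:
                send_body = mask(body, spans)
    # Only 4XX and 5XX codes are compared against the allowed list
    if (400 <= status <= 599 and status not in policy.allowed_response_codes
            and (policy.status_alarm or policy.status_block)):
        violations.append("Illegal HTTP status in response")
        blocked = blocked or policy.status_block
    return {"violations": violations, "blocked": blocked,
            "body": None if blocked else send_body}


# Constructed sample: a confirmation page that leaks a card number, an SSN
# and an internal reference matched by a custom pattern.
SAMPLE_BODY = ("Order 1187 confirmed. Card 4111 1111 1111 1111, "
               "SSN 123-45-6789, ref ACME-0042.")
POLICY = ResponsePolicy(custom_patterns=[r"ACME-\d{4}"])

if __name__ == "__main__":
    print(check_response(200, SAMPLE_BODY, POLICY))
    print(check_response(500, "Internal error", POLICY))
```

A run with mask_data=False and Alarm only returns the body unchanged, which is exactly the exposure the Important note above warns about; a 4XX or 5XX status outside the allowed list raises its own violation, while a 302 is never compared against the list.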
1.
On the Main tab of the Protocol Security navigation pane, click Security Profiles.
The HTTP Security Profiles screen opens.
2.
In the HTTP Security Profiles area, in the Profile Name column, click the name of the security profile that you created.
The Profile Properties screen opens.
4.
For the Allowed Response Codes setting, in the New Response Code box, type a response code and click the Add button to add the response code to the list. By default, the Allowed Response Codes list contains these response codes: 400, 401, 404, 407, 417, 503.
5.
Check or clear the Alarm or Block check boxes as required.
Check Alarm if you want the system to log any requests that trigger the Illegal HTTP status in response violation.
Check Block if you want the system to block any requests that trigger the Illegal HTTP status in response violation.
Check both Alarm and Block if you want the system to perform both actions.
6.
Click Save to save any changes you may have made to the security policy properties.
The Protocol Security Module has a default response page that it returns to the client when the client request, or the web server response, is blocked by the security profile. This page is the blocking response page.
1.
On the Main tab of the Protocol Security navigation pane, click Security Profiles.
The HTTP Security Profiles screen opens.
2.
In the HTTP Security Profiles area, in the Profile Name column, click the name of the security profile that you created.
The Profile Properties screen opens.
4.
For the Response Type setting, select one of the following options:
Default Response: Specifies that the system returns the system-supplied blocking response page. Note that you cannot edit HTML code on the default response page.
Custom Response: Specifies that the system returns a user-defined response page.
Redirect URL: Specifies that the system returns a redirect URL to the client.
Note: The settings on the screen change depending on the selection that you make for the Response Type setting.
5.
If you selected the Custom Response option in step 4, you can either modify the default text, or upload an HTML file.
a)
For the Response Header setting, click the Paste Default Response Header button, and make any changes as required. Note that you should use standard HTML syntax for this setting and the Response HTML Code setting.
b)
For the Response HTML Code setting, click the Paste Default Response HTML Code button, and make any changes as required.
a)
For the Upload HTML File setting, either type a path to an HTML response page in the box, or click Browse and navigate to an HTML response page.
b)
Click Upload when you are finished.
6.
If you selected the Redirect URL option in step 4, then in the Redirect URL box, type the URL to which the system redirects the client. The URL that you configure should be for a page that is not within the web application itself.
7.
Click Update to save changes you may have made.
Modifying associations between HTTP service profiles and HTTP security profiles
When you enable the Protocol Security setting on the HTTP service profile, the system automatically assigns the first-listed HTTP security profile to the service profile. If you have more than one security profile configured, you can change the associations on the Profile Assignment screen in the Protocol Security Module. On the Profile Assignment screen, you can review the current associations, including the HTTP service profile, the virtual server that uses the service profile, and the HTTP security profile.
1.
On the Main tab of the Protocol Security navigation pane, click Profile Assignment.
The Profile Assignment screen opens.
2.
From the Profile Assignment menu, choose HTTP.
The Profile Assignment screen opens.
3.
In the HTTP Security Profiles Assignment area, in the Assigned Security Profile column, for each service profile select the HTTP security profile that you want the service profile to use.
4.
Click Save to retain any changes you may have made.
Note: If you have not yet created a virtual server that uses the HTTP service profile, you do not see any virtual servers in the Virtual Servers column.
Configuring an HTTP virtual server
You configure a local traffic virtual server and a default pool for the HTTP servers, and associate the HTTP service profile that you created. This automatically associates the HTTP security profile with the virtual server. The result is that when the virtual server receives HTTP traffic, the HTTP security profile in the Protocol Security Module scans the HTTP traffic for security vulnerabilities, and then the local traffic virtual server load balances any traffic that passes the scan.
Note: For detailed information about local traffic virtual servers, refer to the Configuring Virtual Servers chapter in the Configuration Guide for BIG-IP® Local Traffic Management, which is available from the AskF5 web site, https://support.f5.com.
1.
On the Main tab of the navigation pane, expand Local Traffic, and then click Virtual Servers.
The Virtual Servers screen opens.
2.
Above the list, click the Create button.
The New Virtual Server screen opens.
3.
In the General Properties area, for the Name setting, type a unique name for the virtual server.
4.
For the Destination setting, select the type, and type an address, or an address and mask, as appropriate for your network.
5.
For the Service Port setting, type either 80 (for HTTP) or 443 (for HTTPS) in the box. Alternately, select HTTP or HTTPS from the list.
6.
Above the Configuration area, select Advanced.
The screen refreshes, and displays additional configuration options.
7.
For the HTTP Profile setting, select the profile that you created with protocol security enabled.
8.
For the SNAT Pool setting, if your network configuration requires address translation, select Auto Map.
9.
In the Resources area, for the Default Pool setting, click the Create (+) button.
The New Pool screen opens.
10.
On the New Pool screen, in the Configuration area, for the Name setting, type a unique name for the pool.
11.
On the New Pool screen, in the Resources area, for the New Members setting, you can add members to the pool by typing the IP addresses and ports, or by selecting addresses from a list.
Select New Address to type the address and port of any HTTP servers that you want to add to the configuration. (Note that the system automatically adds them as nodes, too.)
Select Node List to select addresses from a list of servers that already exist in the local traffic configuration.
12.
On the New Pool screen, for the Service Port setting, select HTTP from the list.
13.
Click the Add button to add each node or address to the New Members list.
14.
Click Finished.
The screen refreshes, and returns you to the New Virtual Server screen. The new pool should be listed in the Default Pool setting.
15.
Click Finished on the New Virtual Server screen.
The screen refreshes, and you see the new virtual server in the list.
The system is now ready to scan HTTP traffic for vulnerabilities common to that protocol. See Reviewing violations statistics for HTTP security profiles, for information on reviewing the HTTP security attacks that the system detects.
Reviewing violations statistics for HTTP security profiles
The Protocol Security Module provides statistics and other information about requests that trigger HTTP security violations. If you have enabled the Alarm flag for a violation, and an incoming request triggers a violation, the Protocol Security Module logs the request, which you can review from the Statistics screen of the Protocol Security Module. If you have enabled the Block flag for any of the HTTP security violations, the Protocol Security Module blocks the request and sends the blocking response page, which includes the Support ID, to the offending client.
1.
2.
If the system has detected a violation, then the violation name becomes a hyperlink. Click the link to see details about the offending requests.
3.
Optionally, use the Search by Support ID (HTTP) setting to find a violation by the Support ID.