Chapter 11: Working with Application Security Manager Policies and Attack Signatures
Starting with BIG-IP® Application Security Manager (ASM) version 10.0.1, Enterprise Manager helps you to easily manage security policies and ASM attack signature files among multiple devices. Once web applications are installed and initial configuration is completed on each Application Security Manager device, you can stage changesets to deploy new security policies or make modifications to existing security policies. You can deploy the changeset immediately, or at a designated time in the future.
Important: Distributed security policies include ASM attack signature set definitions, and not the ASM attack signatures themselves. For the security policies to work properly, the ASM attack signatures (including custom signatures) must be the same on all systems to which you are deploying the security policies. For information about installing and completing the initial configuration of Application Security Manager web applications, refer to the Configuration Guide for BIG-IP® Application Security Manager.
Note: When staging and deploying changesets, Enterprise Manager interprets the instance data based on metadata embedded in the configuration. Binary configuration data that is not editable is therefore not displayed.
Staging and deploying security policies to your Application Security Manager devices using the Stage Security Policy Changeset wizard involves three main procedures.
1. On the Main tab, expand Enterprise Management, and click Tasks.
   The Task List screen opens.
2. Click the New Task button.
   The New Task screen opens.
3. In the Application Security section, select Stage a Security Policy Changeset.
4. Click the Next button.
   The Stage Security Policy Changeset wizard opens.
Continue working through the wizard screens, as described in the following pages, to stage a security policy for selected devices.
On the Step 1 screen of the Stage Security Policy Changeset wizard, you select a security policy and the devices on which to deploy the security policy.
1. From the Source Device List list, select a device list.
   The Source Device list changes to show only the devices in the device list you selected.
2. From the Source Device list, select the source device that contains the security policy you want to deploy.
   The Security Policy list changes to show only the policies available on the source device you selected.
3. From the Security Policy list, select the security policy that you want to deploy.
   The security policy names correspond to the security policy names on the Application Security Manager system you selected.
4. From the Target Device List list, select an option.
   The Compatible Devices table changes to display the devices in accordance with the option you selected.
5. In the Target Device Filter section, select the option that determines which compatible devices are displayed:
   Compatible Devices in Standby Mode or Offline Mode displays only compatible devices currently in Standby or Offline mode.
   Compatible with Security Policy displays all devices compatible with the security policy that you selected in the Security Policy list.
   Incompatible with Security Policy displays only Application Security Manager devices that are not compatible with the selected security policy.
6. In the Compatible Devices in Standby or Offline Mode table, select the check box next to each device that you want to update.
7. Click Next to move to Step 2 of 2, the screen where you select security policy changesets and verify security policy settings.
On the Step 2 screen of the Stage Security Policy Changeset wizard, you can create a staged changeset and confirm security policy settings.
1. In the Changeset Description field, type a new description for the staged changeset.
2. From the Create Archive(s) list, select one of the following options for archiving information about the device:
   Create archive for each device before deploying prompts the system to create a configuration archive of the target device before deployment.
   Do not create archive prompts the system not to create a configuration archive of the target device before deployment.
3. From the Archive Options list, specify whether to include private keys in the archive, if applicable.
4. In the Policy Settings table, for Policy Name, type a name for the security policy on the target system.
5. For Policy Description, type a description for the security policy on the target system.
6. For Apply Policy?, indicate whether you want to apply the security policy on the target system upon deployment.
7. For Webapp name, select a web application from the list to associate with the deployed security policy on the target device.
8. To use the settings you specified in steps 4 through 7 for all other target devices, click the Copy to All button; the settings are copied wherever they apply.
9. Click Deploy Staged Changeset Now to deploy the staged changeset you configured, or click Save Staged Changes to save the staged changeset and deploy it at a later time.
   The Staged Changesets table opens. When you deploy the security policy, the system stores it in the Common partition of the target device.
Note: When you upgrade an Application Security Manager device, the device detects any invalid ASM attack signature file. The Enterprise Manager system then displays a message indicating that the signature file is out of date. To clear this message and finalize the upgrade, you can update the ASM attack signature file. For information about how to update ASM attack signatures, see Viewing installation task progress.
In addition to managing the installation of software and hotfix upgrades, Enterprise Manager can assist you in managing ASM attack signatures for the BIG-IP Application Security Manager.
ASM attack signatures are the foundation of the Application Security Manager system's negative security logic. ASM attack signatures are rules or patterns that identify attacks, or classes of attacks, on a web application and its components. For more information about how to use ASM attack signatures with an Application Security Manager system, see the Configuration Guide for BIG-IP® Application Security Manager.
With Enterprise Manager, you can import system-supplied ASM attack signatures into the image repository and deploy them to as many managed devices as you require. Additionally, you can use Enterprise Manager to check for updated system-supplied ASM attack signatures and import them into the image list automatically. Once you obtain the signature updates, you can deploy them to your managed BIG-IP Application Security Manager devices.
Important: For the security policies to work properly, the ASM attack signatures (including custom signatures) must be the same on all systems to which you are deploying the security policies.
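The requirement above is easy to overlook when policies are pushed to many devices: a deployed policy carries only the signature set definitions, so a target with an older system signature file or a missing custom signature will silently enforce a different set of signatures. The following script is an added example, not code from this manual or from Enterprise Manager; it models the pre-deployment consistency check over constructed per-device inventories. The record fields (system_revision, custom_signatures) and device names are assumptions for the example, not the ASM data model.

```python
"""Added example, not code from the F5 manual or from Enterprise Manager.

The chapter states that a deployed security policy carries only attack
signature *set* definitions, so the signatures themselves (system-supplied
file plus any custom signatures) must be identical on every target device.
This script models that pre-deployment check over constructed inventories;
the record fields and device names are assumptions, not the ASM data model.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class SignatureInventory:
    """What a device has installed (constructed shape, not an F5 structure)."""
    system_revision: str               # revision of the system-supplied signature file
    custom_signatures: FrozenSet[str]  # names of user-defined signatures on the device


def compare_inventories(source: str, inventories: Dict[str, SignatureInventory]) -> List[str]:
    """Return findings for every target whose signatures differ from the source device.

    An empty list means every target matches the source, so the policy's
    signature sets resolve to the same signatures everywhere.
    """
    base = inventories[source]
    findings: List[str] = []
    for device, inv in sorted(inventories.items()):
        if device == source:
            continue
        if inv.system_revision != base.system_revision:
            findings.append(
                f"{device}: system signature revision {inv.system_revision} "
                f"differs from source revision {base.system_revision}"
            )
        missing = sorted(base.custom_signatures - inv.custom_signatures)
        if missing:
            findings.append(f"{device}: missing custom signatures {missing}")
        extra = sorted(inv.custom_signatures - base.custom_signatures)
        if extra:
            findings.append(f"{device}: has custom signatures not on source {extra}")
    return findings


def safe_to_deploy(source: str, inventories: Dict[str, SignatureInventory]) -> bool:
    """True only when no target deviates from the source device."""
    return not compare_inventories(source, inventories)


# Constructed sample inventories: asm-02 matches the source, asm-03 is behind
# on the system file and lacks one custom signature.
SAMPLE_INVENTORIES = {
    "asm-01": SignatureInventory("R2024-03", frozenset({"cust_sqli_001", "cust_xss_007"})),
    "asm-02": SignatureInventory("R2024-03", frozenset({"cust_sqli_001", "cust_xss_007"})),
    "asm-03": SignatureInventory("R2024-01", frozenset({"cust_sqli_001"})),
}

if __name__ == "__main__":
    for line in compare_inventories("asm-01", SAMPLE_INVENTORIES):
        print(line)
    print("safe to deploy:", safe_to_deploy("asm-01", SAMPLE_INVENTORIES))
```

Running the script reports two findings for asm-03 (older system revision, missing cust_xss_007) and no findings for asm-02; a deployment should proceed only when the findings list is empty, which in practice means updating the signature file on the lagging device first, as described later in this chapter.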
As new threats are discovered, F5 regularly updates Application Security Manager ASM attack signature files. You can configure Enterprise Manager to automatically check for, and download, newly updated ASM attack signature definitions for images stored in the image repository. This feature helps you avoid performing unnecessary and potentially frequent manual checks for updated ASM attack signature files.
If you do not want to automatically update signature images, you can configure an alert to notify you that updates are available, so that you can check for, and download these updates manually. See Updating ASM attack signature images manually, for instructions about manually updating ASM attack signature images.
Important: Enterprise Manager checks for updated ASM attack signature files from downloads.f5.com. For the system to communicate with the F5 servers, you must configure the Enterprise Manager system settings to use your network DNS server.
If updated signatures are available for any ASM attack signature in the software repository, you can schedule automatic update downloads. Then, after you download the updates, you can start an Application Security Manager ASM attack signature installation task to upgrade managed BIG-IP Application Security Manager systems. See Installing attack signatures to one or more devices, for more information.
1. On the Main tab, expand Enterprise Management, and click Tasks.
   The Task List screen opens.
2. On the menu bar, click Schedules and select Attack Signature Updates.
3. From the Check for Updates list, select an update option for the ASM attack signature images.
   Never: Enterprise Manager does not automatically check for updated ASM attack signature images.
   Daily: The system checks for updated signatures once each day.
   Weekly: The system checks for updated signatures once a week.
   Monthly: The system checks for updated signatures once a month.
   Based on your selection, the table changes to display additional options for Day of the Week, Day of the Month, and Start Time.
4. Depending on the frequency you selected, specify the day of the week, day of the month, and time of day at which you want Enterprise Manager to check for updates for ASM attack signature images in the repository.
5. If you want Enterprise Manager to download new images to the repository as soon as it finds them, select the Automatically Download New Updates check box.
6. Click Save Changes.
If you choose not to automatically download updated ASM attack signature images, you can configure the system to trigger an alert when it finds new Application Security Manager signature updates. This alert is enabled by default, but you must specify the action you want the system to take if the alert is triggered. See Creating alerts for Enterprise Manager, for instructions.
If you receive an alert to check for updates, or if you want to periodically check for updates, you can update all ASM attack signatures stored in the image repository from the ASM attack signatures list screen.
1. On the Main tab, expand Enterprise Management, click Repository, and select ASM Attack Signature List.
2. Above the list, click the Check for New Signatures button.
   The Check for New Signatures screen opens and displays the status of the check for new signatures task.
The screen refreshes at regular intervals as the system checks for available updates for the signature files listed in the Available ASM Attack Signatures section. After the task completes, the system indicates whether an update is available for the signature files in the repository.
Before you manually download ASM attack signature images, you must have previously checked for updated attack signatures.
1. On the Main tab, expand Enterprise Management, click Repository, and select ASM Attack Signature List.
2. Above the list, click the Import button.
   The Import ASM Attack Signature File screen opens.
3. Click the Browse button to browse to the location of the ASM attack signature file.
4. Click the Import button.
   An import status indicator appears, displaying information about the packages as they are downloaded to the image repository.
The screen refreshes at regular intervals until the system updates all of the ASM attack signature files you selected on the previous screen. At any time, you can click Exit to Task List to open the Task List screen.
Note: You can also use the import image procedure to update attack signature images. See Managing ASM attack signatures for Application Security Manager, for information about adding attack signature images to the image repository.
Because you want to regularly update attack signatures on Application Security Manager systems in the network, it is important to have a simple method of deploying signatures to many devices at once. You can use the ASM Attack Signature Installation wizard to create an Application Security Manager attack signature installation task. An ASM attack signature installation task is a series of jobs that you configure to install, to one or more managed devices, an Application Security Manager attack signature stored in the Enterprise Manager image repository. Each job consists of one individual signature update per device.
1. On the Main tab, expand Enterprise Management, and click Tasks.
   The Task List screen opens, displaying all running and completed tasks.
2. Click the New Task button.
   The New Task screen opens.
3. For the Application Security setting, select Install Attack Signature.
4. Click the Next button.
   The Install ASM Attack Signature wizard opens.
Continue working through the wizard screens, as described in the following pages, to install attack signatures on selected devices.
Important: If the attack signature that you want to install is not available in the signature list, you may need to download the attack signature image, or import it to the image repository. See Downloading and managing software images.
1. From the Product Version list, select the product version associated with the signature that you are planning to install.
   The attack signatures table changes to display signatures compatible with the software version you selected.
2.
3. Click the Next button.
You can select the target devices for the ASM attack signature installation on the Step 2 screen of the ASM Attack Signature Installation wizard.
1. From the Device List, specify the types of devices displayed.
2. From the Device Filter list, further narrow the managed devices displayed.
   Compatible Devices In Standby Mode: displays all managed devices in Standby mode on which you can install the selected ASM attack signatures.
   Compatible with Attack Signature: displays all managed devices on which you can install the selected attack signature.
3. In the Compatible Devices table, select the check box next to each device on which you want to install the ASM attack signature.
4. Click the Next button to move to the Step 3 of 4 screen.
You can set error handling options for the ASM attack signature installation task on the Step 3 screen of the ASM Attack Signature Installation wizard.
1. From the Device Error Behavior list, select the action you want the system to take if an error occurs during installation.
   Continue task on remaining devices: The system continues installing the ASM attack signature on the selected devices on which no error was encountered, until the task is finished.
   Cancel task on remaining devices: The system immediately stops the task if an error occurs, and does not install the ASM attack signature on any devices still pending.
2. Click the Next button to move to the Step 4 of 4 screen.
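The two Device Error Behavior options differ only in what happens to the jobs that have not yet run when one device fails. The script below is an added example, not code from this manual or from Enterprise Manager; it models an installation task as the chapter describes it (one job per target device, run in sequence) and shows the resulting job statuses under each behavior. The installer callback, device names and status vocabulary are constructed for the example and are not Enterprise Manager's own.

```python
"""Added example, not code from the F5 manual or from Enterprise Manager.

Models an attack signature installation task as the chapter describes it:
one job per target device, run in sequence, with the Device Error Behavior
choice deciding what happens to the jobs still pending after a failure.
The installer callback, device names and status names are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List


class ErrorBehavior(Enum):
    CONTINUE = "Continue task on remaining devices"
    CANCEL = "Cancel task on remaining devices"


@dataclass
class Job:
    device: str
    status: str = "pending"   # pending -> finished | failed | cancelled
    detail: str = ""


def run_installation_task(devices: List[str], install: Callable[[str], None],
                          behavior: ErrorBehavior) -> List[Job]:
    """Run one job per device; on failure apply the chosen error behavior."""
    jobs = [Job(device) for device in devices]
    task_cancelled = False
    for job in jobs:
        if task_cancelled:
            job.status = "cancelled"   # never attempted: the task was stopped earlier
            continue
        try:
            install(job.device)
            job.status = "finished"
        except Exception as exc:       # any installer error counts as a device error
            job.status = "failed"
            job.detail = str(exc)
            if behavior is ErrorBehavior.CANCEL:
                task_cancelled = True  # remaining jobs are skipped, not installed
    return jobs


def status_summary(jobs: List[Job]) -> Dict[str, str]:
    """Map each device to its final job status."""
    return {job.device: job.status for job in jobs}


def fake_install(device: str) -> None:
    """Constructed installer: asm-03 rejects the file, every other device accepts it."""
    if device == "asm-03":
        raise RuntimeError("signature file incompatible with installed version")


SAMPLE_DEVICES = ["asm-01", "asm-03", "asm-05"]   # constructed device names

if __name__ == "__main__":
    for behavior in ErrorBehavior:
        jobs = run_installation_task(SAMPLE_DEVICES, fake_install, behavior)
        print(f"{behavior.value}: {status_summary(jobs)}")
```

With the constructed failure on asm-03, the Continue behavior still installs on asm-05, while the Cancel behavior leaves asm-05 untouched; the cancelled device keeps its old signature file and should be picked up by a follow-up task once the error on asm-03 is understood.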
You can review task settings, change the task name for the ASM attack signature installation task, and initiate the task in Step 4 of the ASM Attack Signature Installation wizard.
1. To change the task name, in the Task Name field, type a new name.
   This name appears in the task list while the task is running, and after the task finishes.
3. To make changes, click the Back button, and navigate to the screen that contains the options you want to change.
4. To start the installation task, click the Start Task button.
   The Task Properties screen opens, displaying details relevant to the task that you configured.