Manual Chapter : Using Rapid Deployment

Applies To:

BIG-IP ASM

  • 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1

Overview: Rapid deployment

The Rapid Deployment security policy provides security features that minimize the number of false positive alarms and reduce the complexity and length of the deployment period. By default, the Rapid Deployment security policy includes the following security checks:

  • Performs HTTP compliance checks
  • Checks for mandatory HTTP headers
  • Stops information leakage
  • Prevents illegal HTTP methods from being used in a request
  • Checks response codes
  • Enforces cookie RFC compliance
  • Applies attack signatures to requests (and responses, if applying signatures to responses)
  • Detects evasion techniques
  • Prevents access from disallowed geolocations
  • Prevents access from disallowed users, sessions, and IP addresses
  • Checks whether request length exceeds defined buffer size
  • Detects disallowed file upload content
  • Checks for characters that failed to convert
  • Looks for requests with modified ASM cookies

With the Rapid Deployment security policy, your organization can quickly create a security policy that meets the majority of web application security requirements.
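The checks listed above are the inspections the policy runs on each request (and, for some, each response) before it reaches the application. The following added example, written for this page in Python and not F5 or ASM code, implements a simplified version of the request-side checks over constructed sample requests: legal methods, mandatory headers, request length against a buffer size, RFC 6265 cookie syntax, characters that fail to convert in the application language, two evasion techniques (null bytes and double URL encoding), and attack signatures. The method list, header list, buffer size, signatures and sample requests are all assumptions chosen for the demo; ASM's own signature set and defaults are not reproduced, and the response-side checks (information leakage, response codes, signatures on responses) are left out.

```python
import re
from urllib.parse import unquote

# Constructed policy settings for the demo (assumptions, not ASM defaults).
ALLOWED_METHODS = {"GET", "POST", "HEAD"}   # "illegal HTTP methods" check
MANDATORY_HEADERS = ("host",)               # "mandatory HTTP headers" check
MAX_REQUEST_LENGTH = 4096                   # "request length exceeds buffer size" check
APP_LANGUAGE = "utf-8"                      # application language chosen in the wizard

# Constructed attack signatures, applied to the normalized request line and body.
SIGNATURES = {
    "demo_sqli": re.compile(r"(?i)\bunion\b.+\bselect\b"),
    "demo_xss": re.compile(r"(?i)<script\b"),
    "demo_traversal": re.compile(r"\.\./"),
}

# RFC 6265 cookie-pair grammar: token "=" cookie-value, value optionally DQUOTE-wrapped.
COOKIE_OCTET = r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]"
COOKIE_PAIR = re.compile(
    r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+=(\"" + COOKIE_OCTET + r"*\"|" + COOKIE_OCTET + r"*)$"
)


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body).

    Returns None when the request line or a header line is malformed; the
    caller reports that as an HTTP compliance violation.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            return None
        key = name.strip().lower().decode("ascii", "replace")
        headers.setdefault(key, []).append(value.strip())
    return parts[0].decode("ascii", "replace"), parts[1], headers, body


def check_request(raw):
    """Return the names of the checks a request fails (an empty list means clean)."""
    violations = []
    if len(raw) > MAX_REQUEST_LENGTH:
        violations.append("request_length_exceeds_buffer")
    parsed = parse_request(raw)
    if parsed is None:
        violations.append("http_compliance")
        return violations
    method, target, headers, body = parsed

    if method not in ALLOWED_METHODS:
        violations.append("illegal_method")
    for name in MANDATORY_HEADERS:
        if name not in headers:
            violations.append("missing_mandatory_header:" + name)

    # Cookie RFC compliance: every cookie-pair must match the RFC 6265 grammar.
    for header_value in headers.get("cookie", []):
        if any(not COOKIE_PAIR.match(pair.strip().decode("latin-1"))
               for pair in header_value.split(b";")):
            violations.append("cookie_not_rfc_compliant")
            break

    # Characters that failed to convert: the request must decode in the application language.
    try:
        target_text = unquote(target.decode("ascii"), encoding=APP_LANGUAGE, errors="strict")
        body_text = body.decode(APP_LANGUAGE)
    except UnicodeDecodeError:
        violations.append("failed_to_convert_character")
        target_text = unquote(target.decode("latin-1"), errors="replace")
        body_text = body.decode(APP_LANGUAGE, "replace")

    # Evasion techniques: null bytes, and URL encoding that survives one decode pass
    # (double encoding), which is how "%252e%252e/" hides a traversal from a naive match.
    normalized_target = unquote(target_text)
    if "\x00" in target_text or "\x00" in body_text:
        violations.append("evasion:null_in_request")
    if normalized_target != target_text:
        violations.append("evasion:multiple_decoding")

    # Attack signatures run over the normalized request line and the body.
    haystack = normalized_target + "\n" + body_text
    for sig_name, pattern in SIGNATURES.items():
        if pattern.search(haystack):
            violations.append("attack_signature:" + sig_name)
    return violations


# Constructed sample requests (not captured traffic).
CLEAN = (b"GET /index.html?id=42 HTTP/1.1\r\nHost: app.example\r\n"
         b"Cookie: session=abc123; theme=dark\r\n\r\n")
SQLI = (b"GET /search?q=1%27%20UNION%20SELECT%20password%20FROM%20users HTTP/1.1\r\n"
        b"Host: app.example\r\n\r\n")
DOUBLE_ENCODED = b"GET /files?name=%252e%252e/etc/passwd HTTP/1.1\r\nHost: app.example\r\n\r\n"
BAD_COOKIE = b"GET / HTTP/1.1\r\nHost: app.example\r\nCookie: session=a b\r\n\r\n"
PUT_NO_HOST = b"PUT /upload HTTP/1.1\r\nContent-Length: 0\r\n\r\n"
BAD_UTF8 = b"POST /form HTTP/1.1\r\nHost: app.example\r\n\r\nname=\xff\xfe"
OVERSIZED = b"GET /?x=" + b"A" * 5000 + b" HTTP/1.1\r\nHost: app.example\r\n\r\n"
MALFORMED = b"GET /\r\nHost: app.example\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("clean", CLEAN), ("sqli", SQLI), ("double-encoded", DOUBLE_ENCODED),
                       ("bad cookie", BAD_COOKIE), ("put/no host", PUT_NO_HOST),
                       ("bad utf-8", BAD_UTF8), ("oversized", OVERSIZED), ("malformed", MALFORMED)]:
        print(label, check_request(req))
```

The double-encoded request is the instructive case: a single decode pass leaves "%2e%2e/" in place, so the traversal signature alone would miss it, while the "multiple decoding" evasion check flags the request regardless of what the signature sees. Every other sample trips exactly one of the listed checks, which is what you want when reviewing false positives one violation at a time.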

Task summary

Creating a security policy using rapid deployment

Before you can create a security policy using ASM, you need to complete the basic BIG-IP system configuration tasks including creating a VLAN, a self IP address, and other tasks, according to the needs of your networking environment.

You can use rapid deployment to create a security policy quickly. The Deployment wizard takes you through the steps required for rapid deployment.
  1. On the Main tab, click Security > Application Security > Security Policies. The Active Policies screen opens.
  2. Click the Create button. The Deployment wizard opens to the Select Local Traffic Deployment Scenario screen.
  3. For the Local Traffic Deployment Scenario setting, specify a virtual server to use for the security policy.
    • To secure an existing virtual server that has no security policy associated with it, select Existing Virtual Server and click Next.
    • To create a new virtual server and pool with basic configuration settings, select New Virtual Server and click Next.
    • To create an active but unused security policy, select Do not associate with Virtual Server and click Next. No traffic will go through this security policy until you associate it with a virtual server. The Policy Builder cannot begin automatically creating a policy until traffic is going to ASM through the virtual server.
    The virtual server represents the web application you want to protect. The Configure Local Traffic Settings screen opens if you are adding a virtual server. Otherwise, the Select Deployment Scenario screen opens.
  4. If adding a virtual server, configure the new or existing virtual server, and click Next.
    • If creating a new virtual server, specify the protocol, name, virtual server destination address and port, and pool member IP address and port.
    • If using an existing virtual server, it must have an HTTP profile and cannot be associated with a local traffic policy.
    • If you selected Do not associate with Virtual Server, you will have to manually associate the security policy with a virtual server at a later time. On the policy properties screen, you need to specify a name for the security policy.
    The name of the virtual server becomes the name of the security policy. The Select Deployment Scenario screen opens.
  5. For Deployment Scenario, select Create a policy manually or use templates and click Next. The Configure Security Policy Properties screen opens.
  6. From the Application Language list, select the language encoding of the application.
    Important: You cannot change this setting after you have created the security policy.
  7. From the Application-Ready Security Policy list, select Rapid Deployment security policy. Some systems may include the option Rapid Deployment security policy with Policy Builder enabled. This option starts the Policy Builder which can add elements to the policy based on examining application traffic, put them in staging, and enforce them when ready.
  8. For the Enforcement Readiness Period, retain the default setting of 7 days. During this period, you can test the security policy entities for false positives before enforcing them. During the enforcement readiness period, the security policy provides learning suggestions when it processes requests that do not meet the security policy; but the security policy does not alert or block that traffic, even if those requests trigger violations. You can review new entities and decide which are legitimate and include them in the security policy.
  9. Click Next. The Configure Attack Signatures screen opens.
  10. To configure attack signatures, move the systems used by your web application from the Available Systems list into the Assigned Systems list. The system adds the attack signatures needed to protect the selected systems.
  11. Retain the default value of Enabled for the Signature Staging setting. New and updated attack signatures remain in staging for seven days. During that time the learn, alarm, and block flags selected for their signature sets are not enforced; the system only generates alerts for traffic that matches a staged signature, so you can check each signature against legitimate application traffic before it is allowed to block. At the end of the staging period, the system automatically enforces the signatures that did not receive any hits; signatures that did match traffic remain in staging for you to review.
  12. If using the Rapid Deployment security policy (without Policy Builder), you can select Enabled for the Apply Signatures to Responses setting to have the system use the signatures to inspect responses.
  13. Click Next. The Security Policy Configuration Summary screen opens.
  14. Review the settings for the security policy. When you are satisfied with the security policy configuration, click Finish. The system creates the security policy and opens the Properties screen.
The system creates a simple security policy that protects against known vulnerabilities, such as evasion attacks, data leakage, and buffer overflow attacks. The rapid deployment security policy operates in transparent mode (meaning that it does not block traffic unless you changed the enforcement mode). If the system receives a request that violates the security policy, the system logs the violation event, but does not block the request.

Fine-tuning a security policy

After you create a security policy, the system provides learning suggestions concerning additions to the security policy based on the traffic that is accessing the application. For example, you can have users or testers browse the web application. By analyzing the traffic to and from the application, Application Security Manager generates learning suggestions or ways to fine-tune the security policy to better suit the traffic and secure the application.

Note: If you are using the Policy Builder to add elements to the security policy, you can skip this task. This task is primarily for building a security policy manually.
  1. On the Main tab, click Security > Application Security > Policy Building > Manual Traffic Learning. The Manual Traffic Learning screen opens, and lists violations that the system has detected.
  2. In the Traffic Learning area, click each violation hyperlink, then review and handle learning suggestions:
    Option Description
    Accept Select a learning suggestion, click Accept, and then click Apply Policy. The system updates the security policy to allow the file type, URL, parameter, or other element.
    Clear Select a learning suggestion, and click Clear. The system removes the learning suggestion and continues to generate suggestions for that violation.
    Cancel Click Cancel to return to the Manual Traffic Learning screen.
    By default, a security policy is put into a staging-tightening period for seven days. During this time, you can examine learning suggestions and adjust the security policy without blocking traffic.
  3. To find out more about a violation and its occurrences, click the violation hyperlink, and then click the number in the Occurrences column. The Requests List popup screen opens, where you can see the requests that caused the violation, including a violation rating for each request. (Ratings are from 1 to 5, where 5 is the most severe.)
  4. To decide whether the request is an attack or a false positive, look at the violation rating.
    1. Click Violation Rating on the Request List screen.
    2. Look at the bar chart that displays the violation rating and number of occurrences.
    3. If the violation rating is 1 or 2, it is most likely a false positive and you can close the Requests List, select the violation, and click Accept. This accepts the learning suggestion to the security policy. What this means depends on the violation. It could be to allow a parameter or URL that looks suspicious but is allowed on your web site, it might mean to unselect certain security failures, or it might mean to disable an attack signature.
    4. If the violation rating is 4 or 5, it is most likely an attack and you can close the Requests List, select the violation, and click Clear. You probably do not want to change the policy to accept a suggestion that would allow an attack, so you would clear the suggestion without changing the policy.
    5. If the violation rating is 3, the request needs further investigation. You can go back to the Requests List and click the request to examine it more closely.
  5. On the Manual Traffic Learning screen, review the violations and consider whether you want to permit any of them (for example, if a violation is causing false positives). Select any violations you do not want the system to trigger, and click Disable Violation. A popup screen opens, and you can verify that you want to disable the violations or cancel the action.
  6. To put the security policy changes into effect immediately, click Apply Policy.
  7. On the Main tab, click Security > Overview > Application > Action Items. The Action Items screen opens.
  8. Examine the Action Items screen for information about recommended actions that you need to complete.
    1. Review the Suggested Action Items area, which lists system tasks and security policy tasks that should be completed.
    2. Click the links in the Suggested Action Items area to go to the screen where you can perform the recommended action.
    3. In the Quick Links area, click any of the links to gain access to common configuration and reporting screens.
The security policy now includes elements unique to your web application.
It is a good idea to periodically review the learning suggestions on the Manual Traffic Learning screen to determine whether the violations are legitimate, or if they are false positives that indicate a need to update the security policy.

Enforcing a security policy

You only need to enforce a security policy if it was created manually (not using the automatic policy builder), and it is operating in transparent mode. Traffic should be moving through Application Security Manager, allowing users to access the web application for which you set up the security policy.
When you enforce a security policy, the system blocks requests that cause violations that are set to block.
  1. On the Main tab, click Security > Application Security > Blocking. The Settings screen opens.
  2. In the Current edited policy list near the top of the screen, verify that the edited security policy is the one you want to work on.
  3. For the Enforcement Mode setting, select Blocking.
  4. For each violation, review the settings so you understand how the security policy handles requests that cause the violation, and adjust if necessary.
    Option Description
    Learn If selected, the system generates learning suggestions for requests that trigger the violation.
    Alarm If selected, the system records requests that trigger the violation in the Charts screen, the system log (/var/log/asm), and possibly in local or remote logs (depending on the settings of the logging profile).
    Block If selected (and the enforcement mode is set to Blocking), the system blocks requests that trigger the violation.
    Tip: Click the information icon preceding a violation for a description of it.
  5. Click Save to save your settings.
  6. On the Main tab, click Security > Application Security > Security Policies. The Active Policies screen opens.
  7. Click the name of the security policy you want to work on. The Properties screen opens.
  8. To change the number of days the security policy remains in staging, change the value in the Enforcement Readiness Period field. The security policy does not block traffic during the Enforcement Readiness Period even if violations occur.
  9. If you want to block traffic that causes violations, you need to enforce violations. One way to do this is:
    1. Set the Enforcement Readiness Period to 0.
    2. Click Save.
    3. On the Main tab, click Security > Application Security > Policy Building > Enforcement Readiness.
    4. Click Enforce Ready.
  10. To put the security policy changes into effect immediately, click Apply Policy.
  11. For a quick summary of system activity, look at the Overview screen (Security > Overview > Application). The Summary screen displays statistical information about Application Security traffic.
After the enforcement readiness period is over and the enforcement mode is set to blocking, the security policy no longer allows requests that cause violations set to block to reach the back-end resources. Instead, the security policy blocks the request, and sends the blocking response page to the client.
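The settings in this chapter interact, and the closing paragraph states the combined result: a request is blocked only when the enforcement mode is Blocking, the violation's Block flag is set, the enforcement readiness period has ended, and (for an attack signature match) the signature is out of staging. The following added example, written for this page in Python and not F5 code or any ASM API, models that decision and replays the timeline of the wizard's steps 8 and 11 and steps 3, 8 and 9 above on constructed dates. The violation names, signature identifiers and dates are hypothetical. The model keeps the Learn and Alarm flags independent of staging and only gates Block, so it describes the blocking decision, not the staging event log.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

STAGING_DAYS = 7  # signature staging period from the wizard (step 11)


@dataclass
class ViolationSettings:
    """Learn / Alarm / Block flags from the Blocking > Settings screen."""
    learn: bool = True
    alarm: bool = True
    block: bool = True


@dataclass
class Signature:
    staged_on: date        # day a new or updated signature entered staging
    hits: int = 0          # matches seen while staged
    enforced: bool = False


@dataclass
class Policy:
    created_on: date
    enforcement_mode: str = "transparent"   # wizard default; "blocking" after enforcing
    readiness_period_days: int = 7          # Enforcement Readiness Period
    violations: dict = field(default_factory=dict)   # name -> ViolationSettings
    signatures: dict = field(default_factory=dict)   # id -> Signature

    def in_readiness_period(self, today):
        return today < self.created_on + timedelta(days=self.readiness_period_days)

    def expire_signature_staging(self, today):
        """Automatic end of staging: a signature staged for STAGING_DAYS with no hits is
        enforced; one that matched traffic stays in staging for the operator to review."""
        newly_enforced = []
        for sig_id, sig in self.signatures.items():
            due = today >= sig.staged_on + timedelta(days=STAGING_DAYS)
            if not sig.enforced and due and sig.hits == 0:
                sig.enforced = True
                newly_enforced.append(sig_id)
        return newly_enforced

    def handle(self, today, violation, signature_id=None):
        """Actions for one request that raised `violation` (via `signature_id` if it was
        an attack-signature match). Block requires all four conditions at once."""
        settings = self.violations[violation]
        actions = set()
        if settings.learn:
            actions.add("learn")   # suggestion appears on Manual Traffic Learning
        if settings.alarm:
            actions.add("alarm")   # request logged (/var/log/asm, logging profile)
        staged = False
        if signature_id is not None:
            sig = self.signatures[signature_id]
            sig.hits += 1
            staged = not sig.enforced
        if (settings.block and self.enforcement_mode == "blocking"
                and not self.in_readiness_period(today) and not staged):
            actions.add("block")   # blocking response page returned; back end not reached
        return actions


def walkthrough():
    """Replay the chapter's timeline on constructed dates; returns the observed actions."""
    day0 = date(2014, 1, 1)
    policy = Policy(created_on=day0)
    policy.violations["attack_signature_detected"] = ViolationSettings()
    policy.violations["http_protocol_compliance"] = ViolationSettings()
    policy.violations["illegal_method"] = ViolationSettings(block=False)  # operator cleared Block
    policy.signatures["sig_demo_sqli"] = Signature(staged_on=day0)
    policy.signatures["sig_demo_xss"] = Signature(staged_on=day0)
    seen = {}

    def d(n):
        return day0 + timedelta(days=n)

    # Day 2, transparent mode: a staged signature matches. Learn and alarm only.
    seen["day2_transparent"] = policy.handle(d(2), "attack_signature_detected", "sig_demo_sqli")
    # Day 5: Enforcement Mode switched to Blocking, but the 7-day readiness period is not over.
    policy.enforcement_mode = "blocking"
    seen["day5_blocking_in_readiness"] = policy.handle(d(5), "http_protocol_compliance")
    # Day 6: Enforcement Readiness Period set to 0 (step 9). Blocking starts immediately.
    policy.readiness_period_days = 0
    seen["day6_readiness_zero"] = policy.handle(d(6), "http_protocol_compliance")
    # Day 8: staging expires. Only the signature with zero hits is enforced automatically.
    seen["auto_enforced"] = policy.expire_signature_staging(d(8))
    # Day 10: a still-staged signature only alerts, an enforced one blocks, Block flag off never blocks.
    seen["day10_staged_signature"] = policy.handle(d(10), "attack_signature_detected", "sig_demo_sqli")
    seen["day10_enforced_signature"] = policy.handle(d(10), "attack_signature_detected", "sig_demo_xss")
    seen["day10_block_flag_off"] = policy.handle(d(10), "illegal_method")
    return seen


if __name__ == "__main__":
    for step, result in walkthrough().items():
        print(step, sorted(result))
```

The day-5 and day-10 results are the ones worth internalizing: switching the Enforcement Mode to Blocking does nothing visible while the readiness period is still running, and a signature that matched traffic during staging keeps alerting rather than blocking until someone reviews and enforces it. If a policy is "in blocking mode" but attacks are still reaching the application, those two states are the first things to check.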