Manual Chapter : Fine-tuning Advanced XML Security Policy Settings

Applies To: BIG-IP ASM 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

Fine-tuning XML defense configuration

Before you can perform this task, you must have created a security policy for an application that uses web services or XML, and created and associated an XML profile with the policy.
The defense configuration in an XML profile provides formatting and attack pattern checks for the XML data. The defense configuration complements the validation configuration to provide comprehensive security for XML data and web services applications. If your XML application has special requirements, you can adjust the defense configuration settings. This is an advanced task that is not required when creating a security policy for an XML application.
  1. On the Main tab, click Security > Application Security > Content Profiles > XML Profiles.
    The XML Profiles screen opens.
  2. Click the name of the XML profile for which you want to modify the advanced defense configuration settings.
    The XML Profile Properties screen opens.
  3. On the XML Firewall Configuration tab, from the Defense Configuration list, select Advanced.
    The screen displays additional defense configuration settings.
  4. For the Defense Level setting, select the protection level you want for the application.
    The defense level determines the granularity of the security inspection for the XML application. You can choose High, Medium, or Low and let the system determine the defense level settings. Or you can set the level, then adjust any of the settings to create a Custom defense level.
  5. Adjust the defense configuration settings as required by your application and traffic.
  6. Optionally, modify the attack signatures, meta characters, or sensitive data for this XML profile on the appropriate tabs.
  7. Click Update to update the XML profile.
  8. To put the security policy changes into effect immediately, click Apply Policy.
A trade-off exists between ease of configuration and defense level: the higher the defense level, the more you may need to refine the security policy. For example, with the default defense level of High, XML security is strongest, but when you first apply the security policy the system may generate false positives for some XML violations. A Low defense level protects the application less strictly but tends to cause fewer false positives.

The system checks requests that contain XML data to be sure that the data complies with the document limits defined in the defense configuration of the security policy's XML profile. The system examines the message against limits such as message size, maximum depth, and maximum number of children. When the system detects a problem in an XML document, it issues the XML data does not comply with format settings violation, if that violation is set to Alarm or Block.

Advanced XML defense configuration settings

This table describes the defense configuration settings. The Defense Level setting in an XML profile determines the default values for the setting, or you can adjust them. A value of Any indicates unlimited; that is, up to the boundaries of an integer type.

Defense Level
    Specifies the level of protection that the system applies to XML documents, applications, and services. If you change any of the default settings, the system automatically changes the defense level to Custom.
    Default values: High, Medium, Low
Allow DTDs
    Specifies, when enabled, that the XML document can contain Document Type Definitions (DTDs).
    Default values: High: Disabled, Medium: Enabled, Low: Enabled
Allow External References
    Specifies, when enabled, that the XML document is allowed to list external references using operators, such as schemaLocation and SYSTEM.
    Default values: High: Disabled, Medium: Disabled, Low: Enabled
Tolerate Leading White Space
    Specifies, when enabled, that leading white spaces at the beginning of an XML document are acceptable.
    Default values: High: Disabled, Medium: Disabled, Low: Enabled
Tolerate Close Tag Shorthand
    Specifies, when enabled, that the close tag format </>, which is used in the XML encoding for Microsoft Office Outlook Web Access, is acceptable.
    Default values: High: Disabled, Medium: Disabled, Low: Enabled
Tolerate Numeric Names
    Specifies, when enabled, that the entity and namespace names can start with an integer (0-9). Note that this is a compatibility option for use with Microsoft Office Outlook Web Access.
    Default values: High: Disabled, Medium: Disabled, Low: Enabled
Allow Processing Instructions
    Specifies, when enabled, that the system allows processing instructions in the XML request. If you upload a WSDL file that references valid SOAP methods, this setting is inactive.
    Default values: High: Enabled, Medium: Enabled, Low: Enabled
Allow CDATA
    Specifies, when enabled, that the system permits the existence of character data (CDATA) sections in the XML document part of a request.
    Default values: High: Disabled, Medium: Enabled, Low: Enabled
Maximum Document Size
    Specifies, in bytes, the largest acceptable document size.
    Default values: High: 1024000, Medium: 10240000, Low: Any
Maximum Elements
    Specifies the maximum number of elements that can be in a single document.
    Default values: High: 65536, Medium: 512000, Low: Any
Maximum Name Length
    Specifies, in bytes, the maximum acceptable length for element and attribute names.
    Default values: High: 256, Medium: 1024, Low: Any
Maximum Attribute Value Length
    Specifies, in bytes, the maximum acceptable length for attribute values.
    Default values: High: 1024, Medium: 4096, Low: Any
Maximum Document Depth
    Specifies the maximum depth of nested elements.
    Default values: High: 32, Medium: 128, Low: Any
Maximum Children Per Element
    Specifies the maximum acceptable number of child elements for each parent element.
    Default values: High: 1024, Medium: 4096, Low: Any
Maximum Attributes Per Element
    Specifies the maximum number of attributes for each element.
    Default values: High: 16, Medium: 64, Low: Any
Maximum NS Declarations
    Specifies the maximum number of namespace declarations allowed in a single document.
    Default values: High: 64, Medium: 256, Low: Any
Maximum Namespace Length
    Specifies the largest allowed size, in bytes, for a namespace prefix in the XML part of a request.
    Default values: High: 256, Medium: 1024, Low: Any
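To make the limits concrete, here is an added Python model (not F5 code) of how the High and Medium defaults apply to a request body: it walks the document with the standard expat parser and returns the names of the limits it breaks. The dictionary keys, the function name, the constructed sample request, and treating a document that is not well-formed as a format failure are assumptions; the external-reference, namespace and Outlook Web Access tolerance settings are not modeled.

```python
import xml.parsers.expat

# Default values for the High and Medium defense levels, taken from the settings list.
HIGH = dict(allow_dtds=False, allow_pi=True, allow_cdata=False, max_size=1024000,
            max_elements=65536, max_name_len=256, max_attr_value_len=1024,
            max_depth=32, max_children=1024, max_attrs=16)
MEDIUM = dict(HIGH, allow_dtds=True, allow_cdata=True, max_size=10240000,
              max_elements=512000, max_name_len=1024, max_attr_value_len=4096,
              max_depth=128, max_children=4096, max_attrs=64)

# Constructed sample SOAP request that complies with the High level.
SAMPLE = (b'<soap:Envelope xmlns:soap="urn:x"><soap:Body><Order id="7">'
          b'<Item>1</Item></Order></soap:Body></soap:Envelope>')

def check_xml_defense(doc: bytes, limits=HIGH):
    """Return the limits the document breaks; an empty list means it complies."""
    violations = []
    def flag(name):
        if name not in violations:
            violations.append(name)
    if len(doc) > limits["max_size"]:
        flag("max_size")
    # Current depth, running element count, and a stack of child counts (top = current parent).
    state = {"depth": 0, "elements": 0, "children": [0]}
    def start(name, attrs):
        state["elements"] += 1
        state["children"][-1] += 1
        state["depth"] += 1
        for key, value in (("max_elements", state["elements"]), ("max_depth", state["depth"]),
                           ("max_children", state["children"][-1]), ("max_attrs", len(attrs))):
            if value > limits[key]:
                flag(key)
        # Name and value lengths are counted in bytes, as the settings specify.
        if any(len(n.encode()) > limits["max_name_len"] for n in [name, *attrs]):
            flag("max_name_len")
        if any(len(v.encode()) > limits["max_attr_value_len"] for v in attrs.values()):
            flag("max_attr_value_len")
        state["children"].append(0)  # this element becomes the parent for what follows
    def end(name):
        state["depth"] -= 1
        state["children"].pop()
    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.StartDoctypeDeclHandler = lambda *a: None if limits["allow_dtds"] else flag("allow_dtds")
    parser.ProcessingInstructionHandler = lambda *a: None if limits["allow_pi"] else flag("allow_pi")
    parser.StartCdataSectionHandler = lambda *a: None if limits["allow_cdata"] else flag("allow_cdata")
    try:
        parser.Parse(doc, True)
    except xml.parsers.expat.ExpatError:
        flag("malformed")  # XML that is not well-formed fails the format check outright
    return violations
```

Running the same document against HIGH and MEDIUM shows why the text warns that a higher level produces more violations to refine.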

Masking sensitive XML data

Before you can perform this task, you must have created a security policy, and created and associated an XML profile with the policy.
You can mask sensitive XML data so that it does not appear in the interface or logs. You set this up in the XML profile of a security policy.
  1. On the Main tab, click Security > Application Security > Content Profiles > XML Profiles.
    The XML Profiles screen opens.
  2. Click the name of the XML profile for which you want to mask sensitive data.
    The XML Profile Properties screen opens.
  3. Click the Sensitive Data Configuration tab.
    The screen displays Sensitive Data Configuration settings.
  4. For Namespace, select one of the options:
    Any Namespace: When the sensitive data can appear in an element or attribute in any namespace.
    Custom: When the sensitive data appears in an element or attribute in a particular namespace. Type the namespace prefix that can contain sensitive data.
    No Namespace: When the sensitive data appears in an element or attribute that is not in any namespace.
  5. For Name:
    1. Select Element or Attribute to indicate whether the sensitive data appears as a value of either an XML element or an attribute.
    2. In the field, type the XML element or attribute whose value can contain sensitive data. Entries in this field are case-sensitive.
  6. Click Add to add the information you entered in the Namespace and Name fields to the Sensitive Data table and the XML profile.
  7. Click Update to update the XML profile.
  8. To put the security policy changes into effect immediately, click Apply Policy.
The system checks requests that contain XML data and if they contain sensitive data, that data is masked in logs and in request content shown in the Application Security Manager™.
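As an added illustration (not the product's code), the following Python function applies sensitive-data rules with the same namespace options as the tab above, Any Namespace, a custom prefix, or No Namespace, to an XML request before it is logged. The rule tuple layout, the mask string, and the constructed sample request are assumptions.

```python
import xml.dom.minidom as minidom

# Constructed sample request: a card number in a no-namespace element and an SSN attribute.
SAMPLE_REQUEST = ('<soap:Envelope xmlns:soap="urn:x"><soap:Body><Pay><cardNumber>'
                  '4111111111111111</cardNumber><Customer ssn="123-45-6789" name="A"/>'
                  '</Pay></soap:Body></soap:Envelope>')

def mask_sensitive(doc: str, rules, mask="****") -> str:
    """Apply sensitive-data rules to an XML document and return the masked XML.

    Each rule is (namespace, kind, name): namespace is "any", "none", or a custom
    prefix; kind is "element" or "attribute"; name is case-sensitive, as on the tab.
    """
    dom = minidom.parseString(doc)

    def ns_matches(rule_ns, prefix):
        if rule_ns == "any":
            return True
        if rule_ns == "none":
            return prefix is None      # element or attribute with no namespace prefix
        return prefix == rule_ns       # custom prefix entered on the tab

    for el in dom.getElementsByTagName("*"):
        for rule_ns, kind, name in rules:
            if kind == "element" and el.localName == name and ns_matches(rule_ns, el.prefix):
                # Replace the whole element content (text and children) with the mask.
                for child in list(el.childNodes):
                    el.removeChild(child)
                el.appendChild(dom.createTextNode(mask))
            elif kind == "attribute":
                for attr in list(el.attributes.values()):
                    if attr.localName == name and ns_matches(rule_ns, attr.prefix):
                        attr.value = mask
    return dom.documentElement.toxml()
```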

Overriding meta characters based on content

Before you can perform this task, you must have previously created a JSON, XML, Google Web Toolkit (GWT), or Plain Text content profile.
You can have the system check for allowed or disallowed meta characters based on the content of a request as defined in content profiles (XML, JSON, GWT, or Plain Text). In addition, you can override the security policy settings so that the system avoids checking for meta characters in particular content.
  1. On the Main tab, point to Security > Application Security > Content Profiles and click a content profile type (XML, JSON, GWT, or Plain Text).
  2. In the profiles list, click the name of the content profile for which you want to override meta character checks.
    The profile properties screen opens.
  3. Click the Meta Characters tab (for XML) or Value Meta Characters (for JSON, plain text, or GWT).
  4. Select the appropriate check box:
    • For JSON, plain text, or GWT profiles, select the Check characters check box to have the system check for meta characters in JSON data.
    • For XML profiles, select Check element value characters to check meta characters in XML elements, and select Check attribute value characters to check meta characters in XML attributes.
  5. In the Global Security Policy Settings list, review the meta characters that are assigned to the security policy, and which are allowed or disallowed in the content profile.
  6. From the Global Security Policy Settings list, move any meta characters that you want to override for this content profile into the Overridden Security Policy Settings list.
  7. Set the meta character to Allow or Disallow in the overridden settings list (the opposite from the global setting).
  8. Click Update to update the content profile.
  9. To put the security policy changes into effect immediately, click Apply Policy.
If the content matches that defined in the content profile, meta characters are allowed or disallowed according to the overridden meta character settings in the content profile.

Managing SOAP methods

Before you can perform this task, you must have created a security policy, and created and associated an XML profile with the policy. You must have already uploaded a WSDL document in the XML profile.
When using a WSDL document in the XML profile, the system includes the relevant SOAP methods in the validation configuration. You can enable or disable the SOAP methods, as needed.
  1. On the Main tab, click Security > Application Security > Content Profiles > XML Profiles.
    The XML Profiles screen opens.
  2. Click the name of the XML profile for which you want to enable or disable one or more SOAP methods.
    The XML Profile Properties screen opens.
  3. On the XML Firewall Configuration tab, in the Validation Configuration area, the Valid SOAP Methods table lists the SOAP methods used by the WSDL file you uploaded previously. Select or clear the Enabled check box for each method that you want to enable (allow) or disable (not allow).
  4. Click Update to update the XML profile.
  5. To put the security policy changes into effect immediately, click Apply Policy.
The XML profile is updated if you changed which SOAP methods are allowed by the security policy. If you disable a SOAP method, and a request contains that method, the system issues the SOAP method not allowed violation, and blocks the request if the enforcement mode is set to blocking.