Manual Chapter : Adding BIG-IP DataSafe to the BIG-IP System

Applies To:

Show Versions Show Versions

BIG-IP ASM

  • 14.0.1, 14.0.0
Manual Chapter

Adding BIG-IP DataSafe to the BIG-IP System

Overview: Adding BIG-IP DataSafe to the BIG-IP system

F5® Networks security provides BIG-IP® DataSafe™, which protects users from Trojan attacks by encrypting data at the application layer on the client-side. Encryption is performed on the client-side using a public key generated by the BIG-IP system and provided uniquely per session. When the encrypted information is received by the BIG-IP system, it is decrypted using a private key that is kept on the server side. Users can view alerts on potential encryption attacks in the Data Protection log in the BIG-IP system or in a remote Syslog Server if you choose to configure one for receiving alerts.

In order to use BIG-IP DataSafe in the BIG-IP system, you need to provision Fraud Protection Service (FPS) for BIG-IP DataSafe, create a BIG-IP DataSafe profile, create a virtual server, and associate the profile with that virtual server.

Note:
  • The DataSafe Main JavaScript protects web applications with the content type text/html. If your web application is based on a different content type, you cannot apply the DataSafe Main JavaScript protection on it.
  • In most cases, the virtual server that you will create for your profile will be an SSL virtual server.

Provisioning Fraud Protection Service for BIG-IP DataSafe using the Configuration utility

You must provision Fraud Protection Service (FPS) for BIG-IP DataSafe before performing any of the other tasks for adding BIG-IP DataSafe to the BIG-IP System. You can provision FPS either from the Configuration utility in the BIG-IP system, or from the TMSH TMOS Shell command line interface. The following steps explain how to provision FPS from the Configuration utility in the BIG-IP system.
  1. On the Main tab, click System > Resource Provisioning .
  2. Go to the Fraud Protection Service (FPS) row in the list of modules, and in the Provisioning column select the check box and select one of the options from the list:
    • Dedicated: Specifies that the system allocates all CPU, memory, and disk resources to one module. When you select this option, the system sets all other modules to None (Disabled).
    • Nominal: Specifies that, when first enabled, a module gets the least amount of resources required. Then, after all modules are enabled, the module gets additional resources from the portion of remaining resources.
    • Minimum: Specifies that when the module is enabled, it gets the least amount of resources required. No additional resources are ever allocated to the module.
  3. Click Submit.

Provisioning Fraud Protection Service for BIG-IP DataSafe using TMSH

You must provision Fraud Protection Service (FPS) for BIG-IP DataSafe before performing any of the other tasks for adding BIG-IP DataSafe to the BIG-IP System. You can provision FPS either from the Configuration utility in the BIG-IP system, or from the TMSH TMOS Shell command line interface. The following steps explain how to provision FPS from TMSH.
  1. Open TMSH (tmsh).
  2. View the current provisioning of the system by typing list sys provision in the command line.
    The system displays the provision configuration. In this example, the system has nominal provisioning for LTM® and the other modules are not provisioned.
                                  
    
    sys provision afm { }
    sys provision am { }
    sys provision apm { }
    sys provision asm { }
    sys provision avr { }
    sys provision dos { }
    sys provision fps { }
    sys provision gtm { }
    sys provision ilx { }
    sys provision lc { }
    sys provision ltm {
        level nominal
    }
    sys provision pem { }
    sys provision sslo { }
    sys provision swg { }
    sys provision urldb { }
    
                               
    
  3. Modify provisioning for the FPS module by typing modify sys provision fps <level_type> in the command line, where <level_type> is one of the following:
    • dedicated: Specifies that the system allocates all CPU, memory, and disk resources to one module. When you select this option, the system sets all other modules to None (Disabled).
    • nominal: Specifies that, when first enabled, a module gets the least amount of resources required. Then, after all modules are enabled, the module gets additional resources from the portion of remaining resources.
    • minimum: Specifies that when the module is enabled, it gets the least amount of resources required. No additional resources are ever allocated to the module.
    For example, to set FPS provisioning to nominal, type modify sys provision fps level nominal
    The system displays the provision configuration. In this example, the system now has nominal provisioning for FPS.
                                  
    
    sys provision afm { }
    sys provision am { }
    sys provision apm { }
    sys provision asm { }
    sys provision avr { }
    sys provision dos { }
    sys provision fps {
        level nominal
    }
    sys provision gtm { }
    sys provision ilx { }
    sys provision lc { }
    sys provision ltm {
        level nominal
    }
    sys provision pem { }
    sys provision sslo { }
    sys provision swg { }
    sys provision urldb { }
    
                               
    
  4. Save the changes to the stored configuration by typing save sys config in the command line.
  5. Verify the current provisioning of the system by typing list sys provision in the command line.

Creating a node for a remote syslog server

Before creating a node for a remote syslog server, you must first provision FPS for BIG-IP DataSafe.

Creating a node for a remote syslog server only necessary if you want alerts sent to a remote syslog server. If you don't want alerts sent to a remote syslog server, skip this section

Note: An alternate way to create a node is to create a pool member. When you create a pool member, the BIG-IP® system automatically creates the corresponding node. For example, if you create pool member 10.10.20.30:80, the system automatically creates a node with the address 10.10.20.30.
  1. On the Main tab, expand Local Traffic, and click Nodes.
    The Node List screen opens.
  2. Click the Create button.
    The New Node screen opens.
  3. In the Name field, type a descriptive label for the node.
    Names are case-sensitive.
  4. In the Address field, types the IP address of the remote Syslog server.
  5. Click Finished.
    The screen refreshes, and the new node appears in the node list.

Creating a pool for a remote syslog server

Before creating a pool for a remote syslog server, you should create a node for the remote syslog server.

Creating a pool for a remote syslog server only necessary if you want alerts sent to a remote syslog server. If you don't want alerts sent to a remote syslog server, skip this section.

  1. On the Main tab, click Local Traffic > Pools .
    The Pool List screen opens.
  2. Click Create.
    The New Pool screen opens.
  3. In the Name field, type a unique name for the pool.
  4. At the New Members setting, select Node List.
  5. In the Address field, select the IP address of the remote Syslog server.
  6. In the Service Port field, select HTTP or HTTPS from the list.
  7. Click Add.
  8. Click Finished.
The new pool appears in the Pools list.

Creating a web application server node

Before creating a web application server node, you must first provision FPS for BIG-IP DataSafe.

Local traffic pools use nodes as resources for load balancing. A node is an IP address that represents a server resource, which hosts applications.

Note:
  • If you plan to add your BIG-IP DataSafe profile to an existing virtual server (i.e., you are not going to create a new virtual server for your profile), you do not need to create a new web application node.
  • An alternate way to create a node is to create a pool member. When you create a pool member, the BIG-IP system automatically creates the corresponding node. For example, if you create pool member 10.10.20.30:80, the system automatically creates a node with the address 10.10.20.30.
  1. On the Main tab, expand Local Traffic, and click Nodes.
    The Node List screen opens.
  2. Click the Create button.
    The New Node screen opens.
  3. In the Name field, type a descriptive label for the node.
    Names are case-sensitive.
  4. In the Address field, type the IP address of the web application server.
  5. Click Finished.
    The screen refreshes, and the new node appears in the node list.

Creating a web application pool

Before creating a web application server pool, you must first create a web application server node.
You can create a pool of servers that you can group together to receive and process traffic.
Note:
  • If you plan to add your BIG-IP DataSafe profile to an existing virtual server (i.e., you are not going to create a new virtual server for your profile), you do not need to create a new web application pool.
  • Repeat the following steps for each desired pool.
  1. On the Main tab, click Local Traffic > Pools .
    The Pool List screen opens.
  2. Click Create.
    The New Pool screen opens.
  3. In the Name field, type a unique name for the web application pool.
  4. Using the New Members setting, add each resource that you want to include in the pool:
    1. Select Node List.
    2. For the Address option, select the IP address of the web application server.
    3. For the Service Port option, select HTTP or HTTPS from the list.
    4. Click Add.
  5. Click Finished.
The new pool appears in the Pools list.

Creating a remote high-speed log destination

Before creating a remote high-speed log destination, ensure that at least one pool of remote log servers exists on the BIG-IP system.
Create a log destination of the Remote High-Speed Log type if you want to have alerts sent to a remote syslog server. If you don't want alerts sent to a remote syslog server, skip this section.
  1. On the Main tab, click System > Logs > Configuration > Log Destinations .
    The Log Destinations screen opens.
  2. Click Create.
  3. In the Name field, type a unique, identifiable name for this destination.
  4. From the Type list, select Remote High-Speed Log.
  5. From the Pool Name list, select the remote syslog server pool that you defined previously.
  6. From the Protocol list, select the TCP protocol.
  7. Click Finished.

Creating a log publisher

Create a log publisher to specify where the BIG-IP system sends alert messages.
Note: If you want alerts sent to a remote syslog server, you need to create two log publishers, one for the local syslog server and one for the remote syslog server.
  1. On the Main tab, click System > Logs > Configuration > Log Publishers .
    The Log Publishers screen opens.
  2. Click Create.
  3. In the Name field, type a unique, identifiable name for this publisher.
  4. For the Destinations setting, select local-syslog from the Available list, and click << to move the destination to the Selected list.
  5. Click Finished.
    The list of Log Publishers appears, showing the Log Publisher you just created.
  6. If you want to have alerts sent to a remote syslog server, repeat steps 2-5, and at step 4 select the log destination that you created previously from the Available list.

Creating an initial BIG-IP DataSafe profile

Overview: Creating an initial profile

Typically, when you create your initial profile, you will want to:

  • Set general properties for the profile in the Profile Properties screen
  • Define URLs to be included in the profile
  • Set one of the URLs to be a login page
  • Configure a post-login URL (in certain situations)

Therefore, the instructions for creating an initial profile are presented according to these four stages.

Note: The DataSafe Main JavaScript protects web applications with the content type text/html. If your web application is based on a different content type, you cannot apply the DataSafe Main JavaScript protection on it.

Configuring general properties for a BIG-IP DataSafe profile

Configure general properties for a BIG-IP DataSafe profile to ensure proper encryption of data on your web site.
  1. On the Main tab, click Security > Data Protection > DataSafe Profiles .
    The DataSafe Profiles screen opens.
  2. Click Create.
    The Create New DataSafe Profile screen opens.
  3. Select the Customize All check box.
  4. In the Profile Name field, type a unique name for the profile.
  5. From the Parent Profile list, choose which parent profile you want to base your profile on.
    Note:
    • All undefined properties in the profile you are creating will be inherited from the parent profile. And any future changes to those properties in the parent profile will be automatically inherited by the profile you are creating.
    • URL properties are not inherited.
  6. If you previously created a Log Publisher for a remote Syslog server, select it from the Log Publisher list.
  7. From the Local Syslog Publisher list, select the Log Publisher that you previously created for the local Syslog server.
  8. If your web application is case-sensitive to URLs and SPA views, do the following:
    1. Click Advanced in the General Settings section.
      The Advanced settings appear.
    2. For the URLs are case sensitive setting, select the Enabled check box.
      Note:
      • You should enable this setting only if your web application is case-sensitive to URLs and SPA views.
      • This setting cannot be changed after initial creation of your profile and does not affect URL parameters in the profile.
  9. Click Create.
    The BIG-IP DataSafe profile has been created.
After creating your the profile, you should define the URLs that you want to include in your profile.

Defining URLs in the profile

Define URLs in your BIG-IP DataSafe profile to ensure proper protection of your web site.
  1. On the Main tab, click Security > Data Protection > DataSafe Profiles .
    The DataSafe Profiles screen opens.
  2. From the list of profiles, select the profile on which you want to define a URL.
    The DataSafe Profile Properties screen opens.
  3. In the DataSafe Configuration area, click URL List.
    The URL List opens.
  4. Click the Add URL button.
    The Create New URL screen opens.
  5. In the URL Path field, choose one of the following types for the URL path:
    • Explicit: Assign a specific URL path.
    • Wildcard: Assign a wildcard expression URL. Any URL that matches the wildcard expression is considered legal and will receive protection. For example, typing the wildcard expression /* specifies that any URL is allowed.
    Note: All URLs must start with a slash (/), for both Explicit and Wildcard types.
    1. If you chose Explicit, type the URL path.
    2. If you chose Wildcard, type the wildcard expression URL and if you want it to include a query string, select the Include Query String check box.
      The syntax for wildcard entities is based on shell-style wildcard characters. This following table lists the wildcard characters that you can use so that the entity name matches multiple objects.
      Wildcard character Matches
      * All characters
      ? Any single character
      [abcde] Exactly one of the characters listed
      [!abcde] Any character not listed
      [a-e] Exactly one character in the range
      [!a-e] Any character not in the range

      If a wildcard character is actually used as part of a real URL and you don't want it to be treated as a wildcard character, use \ and then the character to indicate that it should not be used as a wildcard character.

      Note: Regular expressions should not be used in Wildcard URLs.
  6. Click Advanced.
  7. If you want the BIG-IP DataSafe Main JavaScript to run on the web page of the URL, select the Enabled check box for Inject Main JavaScript (selected by default).
    When this setting is enabled, the BIG-IP DataSafe Main JavaScript also runs on all SPA views on this URL that are configured in the profile.
    Note:
    • The DataSafe Main JavaScript protects web applications with the content type text/html. If your web application is based on a different content type, you cannot apply the DataSafe Main JavaScript protection on it.
    • Inject Main JavaScript can be disabled for web pages that do not require fraud protection and only receive data from a protected page.
  8. If you want to change the default location where the BIG-IP DataSafe Main JavaScript is injected in the URL's web page, at Location of Main JavaScript Injection, do the following:
    • Select a position for the Main JavaScript (either before or after the tag you define).
    • In the Tag field, type the tag for determining where the Main JavaScript is placed.
    Note: The BIG-IP DataSafe Main JavaScript must be injected into the web page HTML before the CSS Element.
  9. If you want to change the default location of the Disabled JavaScript Detection Tag, at Location of Disabled JavaScript Detection Tag do the following:
    • Select a position for the Disabled JavaScript Detection Tag (either before or after the tag you define).
    • In the Tag field, type the tag for determining where the Disabled JavaScript Detection Tag is placed.
    The Disabled JavaScript Detection Tag detects if JavaScript has been disabled in your web browser.
  10. Leave the Additional function to be run before JavaScript load field blank unless instructed otherwise by F5®.
  11. Click Create to save your initial URL settings.

Setting a URL or SPA view to be a login page

Set a URL or Single Page Application (SPA) view in your profile to be a login page if you want to encrypt data on a login page in your web site.

  1. On the Main tab, click Security > Data Protection > DataSafe Profiles .
    The DataSafe Profiles screen opens.
  2. From the list of profiles, select the relevant profile.
    The DataSafe Profile Properties screen opens.
  3. In the DataSafe Configuration area, click URL List.
    The URL List opens.
  4. Click the URL or view that you want to set as the login page, or click Add URL (or Add View) if you want to create a new URL or view to be a login page.
  5. In the URL Configuration (or View Configuration) area, select Parameters.
  6. Click the Add button.
    The Parameter Settings screen opens.
  7. In the Parameter Name field, choose one of the following types for the parameter name:
    • Explicit: Assign a specific parameter name.
    • Wildcard: Assign a wildcard expression for the parameter name. Any parameter name that matches the wildcard expression is considered legal and receives protection. For example, typing the wildcard expression * specifies that any parameter name is allowed.
    1. If you chose Explicit, type the parameter name.
    2. If you chose Wildcard, type the wildcard expression.
      The syntax for wildcard entities is based on shell-style wildcard characters. This following table lists the wildcard characters that you can use so that the entity name matches multiple objects.
      Wildcard character Matches
      * All characters
      ? Any single character
      [abcde] Exactly one of the characters listed
      [!abcde] Any character not listed
      [a-e] Exactly one character in the range
      [!a-e] Any character not in the range

      If a wildcard character is actually used as part of a parameter name and you don't want it to be treated as a wildcard character, use \ and then the character to indicate that it should not be used as a wildcard character.

      Note: A regular expression should not be used as part of the wildcard expression for a parameter name.
  8. Select Identify as Username.
    Note: Only one parameter per URL can have the attribute Identify as Username.
  9. Click Create and then Back to URL (or Back to View).
  10. Under URL Configuration (or View Configuration) select Login Page Properties.
    Note: Configuring the Login Page Properties is not required but recommended because a login cannot be verified as successful unless at least one of the criteria in the Login Page Properties is configured.
  11. For the URL is Login Page setting, select the Yes check box.
    The Login Page Properties appear.
    Note: If URL is Login Page is enabled, you must configure at least one of the Login Page Properties. If you configure more than one Login Page Property, then all the criteria for all properties must be fulfilled for the BIG-IP system to consider the login successful.
  12. In the A string that should appear in the response body field, type a string that should appear in the successful response to the login URL.
  13. In the A string that should NOT appear in the response body field, type a string that should not appear in the successful response to the login URL.
  14. In the Expected HTTP response status code field, select Specify and type the HTTP response status code that the server must return to the user upon successful login, or select None.
    Note: If you select None, HTTP response code is not used to determine a successful login.
  15. In the Expected response header field, type a header name that the successful response to the login URL must match.
  16. In the Expected cookie name field, type a cookie name that the successful response to the login URL must include.
  17. Click Save.
    The Login Page and Parameter settings are saved.
If the form action in the HTTP request from the login page does not refer to the login page URL, you need to also configure a post-login URL.

Configuring a post-login URL

You need to configure a post-login URL only if the login page sends the login request to a URL that is different from the login URL. (For example, the login page URL is /login.jsp, but it sends the user name and password to /validate.jsp).
Configure a post-login URL to ensure that the BIG-IP® system can retrieve the user name and decrypt the password.
  1. On the Main tab, click Security > Data Protection > DataSafe Profiles .
    The DataSafe Profiles screen opens.
  2. From the list of profiles, select the relevant profile.
    The DataSafe Profile Properties screen opens.
  3. In the DataSafe Configuration area, click URL List.
    The URL List opens.
  4. Select the check box next to the login URL.
  5. Click the Clone button.
    The Clone URL pop-up screen opens.
  6. In the URL Path field, type the URL that is referred to in the form action of the HTTP request.
  7. Optional: In the Description field, type a description for the URL.
  8. Ensure that the Inject JavaScript setting is disabled.
  9. If the login URL contains SPA views and you want the post-login URL to inherit those views, select the Enabled check box by Views.
  10. Select the Enabled check box by Parameters.
  11. Click the Clone button in the Clone URL pop-up screen.
    Note: Once the new URL is created, there is no further dependency on the source URL and any future changes made to the source URL are not inherited by the new URL.
The BIG-IP system creates the post-login URL.

Creating a custom HTTP profile

This procedure should be performed only if SNAT or Auto Map is used for Source Address Translation in the virtual server.
An HTTP profile defines the way that you want the BIG-IP®system to manage HTTP traffic.
  1. On the Main tab, click Local Traffic > Profiles > Services > HTTP .
    The HTTP profile list screen opens.
  2. Click Create.
    The New HTTP Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. Select the Custom check box.
  5. In the Insert X-Forwarded-For field, select Enabled.
  6. Click Finished.
The custom HTTP profile now appears in the HTTP profile list screen.

Creating a virtual server

You can create a virtual server on the BIG-IP® system, where clients send application requests. The virtual server manages the network resources for the web application that you are securing with a security policy.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Destination Address/Mask field, type an address, as appropriate for your network.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix.
  5. In the Service Port field, type 80, or select HTTP from the list.
  6. From the HTTP Profile list:
    1. If you previously created an HTTP profile, then select the profile you created.
    2. Otherwise, select http.
  7. From the Source Address Translation list, select the appropriate translation.
  8. From the Default Pool list, select the pool that is configured for the application server.
  9. Click Finished.

Associating a profile with a virtual server

In order to complete the process of adding BIG-IP® DataSafe™ to a virtual server, you need to associate the profile with the virtual server.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. On the menu bar, from the Security menu, choose Policies.
  4. From the Anti-Fraud Profile list, select Enabled, and then from the Profile list, select the profile you created previously.
  5. Click Update to save the changes.