F5 (BIG-IP) WAF- Application Security Manager (ASM)


Introduction

Web applications receive many different types of requests, from anywhere and for any reason. Some requests are legitimate and are handled by the web application as intended. Other requests are malicious or illegitimate: they abuse the logic of your web application, consume bandwidth, or deplete resources on your application server.

ASM is an advanced web application firewall that protects Layer 7 applications and their data by defending against web-based attacks that bypass traditional network firewalls.

With ASM you have the flexibility to build either a negative or a positive security model.

A negative security model, also known as a blacklist model, allows everything and denies only what is explicitly disallowed. Its main advantage is that it can be deployed rapidly and does not produce many false positives. Its drawback is that it cannot prevent zero-day attacks, because it only recognizes attack patterns that are already known. Out of the box, F5 ASM works as a negative security model, enforcing attack signatures.

A positive security model, also known as a whitelist model, denies everything and allows only what is explicitly allowed. Network firewalls work this way, and so does the BIG-IP LTM itself, which only passes traffic that matches a configured virtual server. Its main advantage is that zero-day attacks can be prevented, since anything the policy has not explicitly learned is rejected. On F5 ASM, moving to a positive security model means tightening the security policy step by step: learning the application's file types, URLs and parameters and then enforcing them.

NetMinion Solutions reserves all rights and this material is having copy right policy. Contact us over info@netminion.net for any IT related courses or for any project fulfilment.

ASM Protection Ways

ASM protects against the OWASP Top 10 vulnerabilities and can help to meet PCI compliance. Additionally, ASM can mask details in HTTP responses, such as response codes, credit card numbers, and any other sensitive data identified by the administrator. If needed, ASM can also prevent clients from obtaining specific resources, such as documents, from a web server. All of this requires a BIG-IP system with ASM licensed and provisioned.

External traffic flows through a network firewall and then reaches the BIG-IP system, where a virtual server applies a security policy. A security policy is a collection of rules that determine which security checks are applied to every HTTP request.

In layman's terms, the security policy ASM applies is a set of rules, and it is attached to traffic through a local traffic policy. As an administrator you create a security policy and attach it to a virtual server; the system then automatically creates a local traffic policy. The local traffic policy forms the logical link between the local traffic components (the virtual server) and the application security policy.

Based on the security policy, ASM determines whether traffic is legitimate or illegitimate. Depending on the policy settings, the virtual server either forwards the request to the web server that hosts the web application or blocks it.

The first step in onboarding any application is to talk with the application owners and learn about the infrastructure of the network you are trying to protect. It will save you time and headaches in the long run. Make a checklist of information such as the application language, the framework it uses, the operating system, whether it uses WebSocket or plain HTTP/HTTPS, which parameters are used, the predefined file types, the URLs, and all the other items and entities of the application. ASM examines the traffic to ensure that it meets the requirements of the security policy. This is a life cycle: create the policy, then keep tuning it.

ASM Protection Types

Some of the most commonly used templates are Rapid Deployment, Fundamental, and Comprehensive. Templates for specific applications, such as OWA and SharePoint, are also available in F5.

The Rapid Deployment security policy provides security features that minimize the number of false-positive alarms and reduce the complexity and length of the deployment period. The system creates a simple security policy that protects against known security problems, such as evasion attacks, data leakage, and buffer overflow attacks. The Rapid Deployment security policy operates in transparent mode, meaning that it does not block traffic unless you change the enforcement mode to blocking and enforce the policy. If the system receives a request that violates the security policy, it logs the violation event but does not block the request. Suggestions for changes to the policy are added to the Traffic Learning screen.

The Fundamental template provides enhanced security during the policy-building process, as the policy actively blocks violations. It is recommended for intermediate users and may require more time to fine-tune.

The Comprehensive template is intended to provide maximum security, with all violations, features, and learning turned on. It is recommended for expert users.

ASM Protection Fine Tuning

One of the difficulties in configuring a security policy is differentiating between violations that are actual attacks and those that are not. Some violations are triggered by illegitimate activity; others are triggered by legitimate activity and reveal a flaw in the security policy. We call the latter false positives.

Through the process of learning, ASM helps eliminate false-positive violations and tune the security policy by parsing all HTTP requests, categorizing the elements of each request, and identifying them over time as potentially malicious or not.
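The onboarding flow described above (create a security policy from a template, attach it to a virtual server so that the system generates the local traffic policy, run in transparent mode while tuning, then switch to blocking) can be scripted against the BIG-IP iControl REST API. The following is an added example written for this page, not code from the original post or from F5. It assumes a lab BIG-IP at bigip.lab.example with admin credentials, an existing virtual server /Common/vs_webapp, and the REST endpoint and property names (/mgmt/tm/asm/policies, /mgmt/tm/asm/tasks/apply-policy, enforcementMode, learningMode, virtualServers, the POLICY_TEMPLATE_* identifiers) as they appear in TMOS 13 and later; confirm them against your version's API reference before use.

```python
import base64
import json
import ssl
import urllib.request

BIGIP_HOST = "bigip.lab.example"      # assumed lab hostname
BIGIP_USER = "admin"                  # assumed credentials
BIGIP_PASS = "changeme"
VIRTUAL_SERVER = "/Common/vs_webapp"  # assumed existing virtual server

# Template identifiers as the REST API names them; list yours with GET /mgmt/tm/asm/policy-templates.
TEMPLATES = {
    "rapid": "POLICY_TEMPLATE_RAPID_DEPLOYMENT",
    "fundamental": "POLICY_TEMPLATE_FUNDAMENTAL",
    "comprehensive": "POLICY_TEMPLATE_COMPREHENSIVE",
}


def policy_create_payload(name, template="rapid", enforcement="transparent",
                          learning="manual", virtual_server=VIRTUAL_SERVER):
    """Body for POST /mgmt/tm/asm/policies.

    Listing the virtual server in virtualServers is what makes BIG-IP generate the
    asm_auto_l7_policy__<vs> local traffic policy, the link between the virtual
    server and the security policy.
    """
    if enforcement not in ("transparent", "blocking"):
        raise ValueError("enforcement must be transparent or blocking")
    if learning not in ("manual", "automatic", "disabled"):
        raise ValueError("learning must be manual, automatic or disabled")
    return {
        "name": name,
        "partition": "Common",
        "applicationLanguage": "utf-8",
        "enforcementMode": enforcement,
        "learningMode": learning,
        "template": {"name": TEMPLATES[template]},
        "virtualServers": [virtual_server],
    }


def enforcement_patch_payload(mode):
    """Body for PATCH /mgmt/tm/asm/policies/<id>: transparent <-> blocking."""
    if mode not in ("transparent", "blocking"):
        raise ValueError("mode must be transparent or blocking")
    return {"enforcementMode": mode}


def apply_policy_payload(policy_id):
    """Body for POST /mgmt/tm/asm/tasks/apply-policy: edits reach the data plane only once applied."""
    return {"policyReference": {"link": f"https://localhost/mgmt/tm/asm/policies/{policy_id}"}}


class BigIpClient:
    """Minimal iControl REST client (HTTP basic auth, stdlib only)."""

    def __init__(self, host, user, password, verify_tls=True):
        self.base = f"https://{host}"
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}", "Content-Type": "application/json"}
        self.ctx = ssl.create_default_context()
        if not verify_tls:  # lab devices with self-signed certificates only
            self.ctx.check_hostname = False
            self.ctx.verify_mode = ssl.CERT_NONE

    def call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data, headers=self.headers, method=method)
        with urllib.request.urlopen(req, context=self.ctx, timeout=30) as resp:
            return json.loads(resp.read() or b"{}")


def onboard(client, name):
    """Day one: create the policy in transparent mode, attached to the virtual server, and apply it."""
    policy = client.call("POST", "/mgmt/tm/asm/policies", policy_create_payload(name))
    client.call("POST", "/mgmt/tm/asm/tasks/apply-policy", apply_policy_payload(policy["id"]))
    return policy["id"]


def go_blocking(client, policy_id):
    """After the enforcement readiness period and false-positive tuning: switch to blocking."""
    client.call("PATCH", f"/mgmt/tm/asm/policies/{policy_id}", enforcement_patch_payload("blocking"))
    client.call("POST", "/mgmt/tm/asm/tasks/apply-policy", apply_policy_payload(policy_id))


if __name__ == "__main__":
    client = BigIpClient(BIGIP_HOST, BIGIP_USER, BIGIP_PASS, verify_tls=False)
    policy_id = onboard(client, "webapp_asm_policy")
    print(f"policy {policy_id} created in transparent mode; tune it, then run go_blocking()")
```

The payload builders are pure functions, so what goes to the device can be reviewed (or diffed in version control) before anything is sent; the only network calls happen under the __main__ guard. Keep verify_tls=True outside a lab: disabling certificate checks toward the box that manages your WAF is its own security problem.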

Learning suggestions

ASM generates learning suggestions for requests that cause violations. The system also suggests adding legitimate entities, such as URLs, file types, or parameters, that often appear in requests. You can examine the requests that caused the learning suggestions and use them to refine the security policy; the suggestions contain recommendations to relax the policy.

When dealing with learning suggestions, make sure to relax the policy only where false positives occurred, and not where a real attack caused a violation. Use the violation ratings to help determine how likely it is that a request was caused by an attack.

Policy Mode

When building a security policy manually, the learning mode is set to Manual; when building a policy automatically, the learning mode is Automatic.

If the Policy Builder is in Automatic learning mode, it automatically takes the suggested action when the score (also known as the Learning Score) reaches 100 percent. (The score percentage is shown on the screen.) A suggestion reaches a score of 100% if it occurs often and the chance of the traffic being a real violation is low, and/or if the traffic that triggered the suggestion comes from a trusted IP address.

When you create a security policy, you specify an enforcement readiness period that acts as a staging period for entities and attack signatures (typically 7 days). While entities or attack signatures are in staging, the system does not enforce them; instead, it posts learning suggestions for the staged entities.

When the enforcement readiness period is over and no learning suggestions have been added for the duration of the staging period (the default is 7 days), the file type, URL, parameter, cookie, signature, or redirection domain is considered ready to be enforced. Particularly if you are using manual learning, you can look into the details to decide whether to enforce these entities in the security policy. From the Enforcement Readiness summary on the Traffic Learning screen, you can enforce selected entities, or enforce all the entities and signatures that are ready to be enforced. If you are using automatic learning, you can still enforce entities manually, but the Policy Builder enforces entities according to the learning and blocking settings, so you do not need to.
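To make the interplay between the negative and positive security models from the Introduction, staging, the enforcement readiness period, the learning score and the enforcement mode concrete, here is a small Python model of those rules, added for this page. It is not F5 code and it simplifies heavily: it models only file types (positive model) and regular-expression attack signatures (negative model), the learning score is a made-up scheme (10 points per hit, 50 for a trusted IP), there is no wildcard entity, and the request log in demo() is constructed for the example.

```python
import re
from collections import namedtuple
from dataclasses import dataclass

READINESS_DAYS = 7  # enforcement readiness period used in the text (default 7 days)
Request = namedtuple("Request", "day src_ip url query", defaults=("",))  # constructed traffic record


@dataclass
class Entity:
    """Policy entity (file type or signature): staged = learned but not yet enforced."""
    staged: bool = True
    last_suggestion_day: int = 0  # staging start; reset whenever a new suggestion appears

    def ready_to_enforce(self, day):
        return self.staged and day - self.last_suggestion_day >= READINESS_DAYS


class SecurityPolicy:
    def __init__(self, enforcement="transparent", learning="automatic", trusted_ips=()):
        if enforcement not in ("transparent", "blocking") or learning not in ("manual", "automatic"):
            raise ValueError("bad enforcement or learning mode")
        self.enforcement, self.learning, self.trusted_ips = enforcement, learning, set(trusted_ips)
        self.file_types = {}   # positive model: allowed name -> Entity; anything else is illegal
        self.signatures = {}   # negative model: name -> (compiled regex, Entity)
        self.suggestions = {}  # learning suggestion -> learning score

    def _suggest(self, key, req):
        # Simplified learning score (assumption): hits from trusted sources count far more.
        self.suggestions[key] = self.suggestions.get(key, 0) + (50 if req.src_ip in self.trusted_ips else 10)

    def accept_suggestion(self, key, day):
        """Apply a learning suggestion; in Manual mode the administrator calls this."""
        kind, name = key.split(":", 1)
        if kind == "add-file-type":
            self.file_types[name] = Entity(staged=True, last_suggestion_day=day)
        elif kind == "disable-signature":
            self.signatures.pop(name, None)
        self.suggestions.pop(key, None)

    def enforce_ready(self, day):
        """'Enforce Ready Entities' on the Traffic Learning screen: end staging where the period has passed."""
        for ent in list(self.file_types.values()) + [e for _, e in self.signatures.values()]:
            if ent.ready_to_enforce(day):
                ent.staged = False

    def _policy_builder(self, day):
        """Automatic learning accepts suggestions at score 100 and enforces ready entities by itself."""
        if self.learning == "automatic":
            for key, score in list(self.suggestions.items()):
                if score >= 100:
                    self.accept_suggestion(key, day)
            self.enforce_ready(day)

    def evaluate(self, req):
        """Return (outcome, violations); outcome is 'allowed', 'logged' or 'blocked'."""
        self._policy_builder(req.day)
        violations = []  # (description, enforced?) pairs
        # Positive model: the file type must be explicitly allowed.
        segment = req.url.rsplit("/", 1)[-1]
        ftype = segment.rsplit(".", 1)[1] if "." in segment else "no_ext"
        if ftype not in self.file_types:
            violations.append((f"Illegal file type: {ftype}", True))
            self._suggest(f"add-file-type:{ftype}", req)
        # Negative model: attack signatures; a staged signature logs and learns but never blocks.
        for name, (rx, ent) in self.signatures.items():
            if rx.search(req.query):
                violations.append((f"Attack signature detected: {name}", not ent.staged))
                if ent.staged:
                    self._suggest(f"disable-signature:{name}", req)
                    ent.last_suggestion_day = req.day  # a new suggestion restarts the readiness clock
        if not violations:
            return "allowed", []
        blocked = self.enforcement == "blocking" and any(enforced for _, enforced in violations)
        return ("blocked" if blocked else "logged"), violations  # transparent mode never blocks


def demo():
    """Constructed traffic log: tune in transparent mode, switch to blocking on day 5."""
    pol = SecurityPolicy(trusted_ips={"10.0.0.5"})
    pol.file_types["html"] = Entity(staged=False)  # already enforced
    pol.signatures["sqli"] = (re.compile(r"(?i)union\s+select|'\s*or\s+1=1"), Entity())  # staged since day 0
    log = [
        Request(1, "1.2.3.4", "/index.html"),                          # allowed
        Request(1, "1.2.3.4", "/api.php"),                             # illegal file type: logged, score 10
        Request(1, "10.0.0.5", "/api.php"),                            # trusted source: logged, score 60
        Request(2, "10.0.0.5", "/api.php"),                            # logged, score 110: php gets added (staged)
        Request(3, "1.2.3.4", "/api.php"),                             # allowed
        Request(3, "1.2.3.4", "/search.html", "q=' or 1=1"),           # staged signature: logged only
        Request(5, "1.2.3.4", "/search.html", "q=1 union select 1"),   # blocking mode, still staged: logged
        Request(5, "1.2.3.4", "/evil.exe"),                            # unknown file type: blocked
        Request(11, "1.2.3.4", "/search.html", "q=1 union select 1"),  # day-5 suggestion restarted the clock: logged
        Request(19, "1.2.3.4", "/search.html", "q=1 union select 1"),  # readiness period passed: blocked
    ]
    outcomes = []
    for r in log:
        pol.enforcement = "blocking" if r.day >= 5 else "transparent"  # tuning done on day 5
        outcomes.append(pol.evaluate(r)[0])
    return outcomes
```

Two things the walk-through makes visible that the prose only states: switching to blocking mode does not by itself block anything that is still in staging (the day-5 signature hit is only logged), and every new suggestion on a staged entity pushes its readiness date out, which is why the day-11 request is still logged and only the day-19 one is blocked.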

Congratulations! You now have an F5 BIG-IP ASM policy that will help protect your applications. In addition to this post, please check out our other blog posts on F5 BIG-IP's Application Security Manager.
