version 9.4
MAN-0225-01
Product Version
This manual applies to product version 9.4 of the BIG-IP Application Security Manager.
Publication Date
This manual was published on February 23, 2007.
Legal Notices
Copyright
Copyright 2005 - 2007, F5 Networks, Inc. All rights reserved.
F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5
assumes no responsibility for the use of this information, nor any infringement of patents or other rights of
third parties which may result from its use. No license is granted by implication or otherwise under any
patent, copyright, or other intellectual property right of F5 except as specifically described by applicable
user licenses. F5 reserves the right to change specifications at any time without notice.
Trademarks
F5, F5 Networks, the F5 logo, BIG-IP, 3-DNS, iControl, Internet Control Architecture, IP Application
Switch, iRules, OneConnect, Packet Velocity, SYN Check, Control Your World, ZoneRunner, uRoam,
FirePass, TrafficShield, Swan, WANJet, WebAccelerator, and TMOS are registered trademarks or
trademarks, and Ask F5 is a service mark, of F5 Networks, Inc. in the U.S. and certain other countries. All
other trademarks mentioned in this document are the property of their respective owners. F5 Networks'
trademarks may not be used in connection with any product or service except as permitted in writing by
F5.
Patents
This product is protected by U.S. Patent 6,311,278. Other patents pending.
RF Interference Warning
This is a Class A product. In a domestic environment this product may cause radio interference, in which
case the user may be required to take adequate measures.
FCC Compliance
This equipment has been tested and found to comply with the limits for a Class A digital device pursuant
to Part 15 of FCC rules. These limits are designed to provide reasonable protection against harmful
interference when the equipment is operated in a commercial environment. This unit generates, uses, and
can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual,
may cause harmful interference to radio communications. Operation of this equipment in a residential area
is likely to cause harmful interference, in which case the user, at his own expense, will be required to take
whatever measures may be required to correct the interference.
Any modifications to this device, unless expressly approved by the manufacturer, can void the user's
authority to operate this equipment under part 15 of the FCC rules.
Acknowledgments
This product includes software developed by Bill Paul.
This product includes software developed by Jonathan Stone.
This product includes software developed by Manuel Bouyer.
This product includes software developed by Paul Richards.
This product includes software developed by the NetBSD Foundation, Inc. and its contributors.
This product includes software developed by the Politecnico di Torino, and its contributors.
This product includes software developed by the Swedish Institute of Computer Science and its
contributors.
This product includes software developed by the University of California, Berkeley and its contributors.
This product includes software developed by the Computer Systems Engineering Group at the Lawrence
Berkeley Laboratory.
This product includes software developed by Christopher G. Demetriou for the NetBSD Project.
This product includes software developed by Adam Glass.
This product includes software developed by Christian E. Hopps.
This product includes software developed by Dean Huxley.
This product includes software developed by John Kohl.
This product includes software developed by Paul Kranenburg.
This product includes software developed by Terrence R. Lambert.
This product includes software developed by Philip A. Nelson.
This product includes software developed by Herb Peyerl.
This product includes software developed by Jochen Pohl for the NetBSD Project.
This product includes software developed by Chris Provenzano.
This product includes software developed by Theo de Raadt.
This product includes software developed by David Muir Sharnoff.
This product includes software developed by SigmaSoft, Th. Lockert.
This product includes software developed for the NetBSD Project by Jason R. Thorpe.
This product includes software developed by Jason R. Thorpe for And Communications,
http://www.and.com.
This product includes software developed for the NetBSD Project by Frank Van der Linden.
This product includes software developed for the NetBSD Project by John M. Vinopal.
This product includes software developed by Christos Zoulas.
This product includes software developed by the University of Vermont and State Agricultural College and
Garrett A. Wollman.
In the following statement, "This software" refers to the Mitsumi CD-ROM driver: This software was
developed by Holger Veit and Brian Moore for use with "386BSD" and similar operating systems.
"Similar operating systems" includes mainly non-profit oriented systems for research and education,
including but not restricted to "NetBSD," "FreeBSD," "Mach" (by CMU).
This product includes software developed by the Apache Group for use in the Apache HTTP server project
(http://www.apache.org/).
This product includes software licensed from Richard H. Porter under the GNU Library General Public
License (© 1998, Red Hat Software), www.gnu.org/copyleft/lgpl.html.
This product includes the standard version of Perl software licensed under the Perl Artistic License
(© 1997, 1998 Tom Christiansen and Nathan Torkington). All rights reserved. You may find the most current
standard version of Perl at http://www.perl.com.
This product includes software developed by Jared Minch.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit
(http://www.openssl.org/).
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).
This product contains software based on oprofile, which is protected under the GNU Public License.
This product includes RRDtool software developed by Tobi Oetiker (http://www.rrdtool.com/index.html)
and licensed under the GNU General Public License.
This product contains software licensed from Dr. Brian Gladman under the GNU General Public License
(GPL).
This product includes software developed by the Apache Software Foundation <http://www.apache.org/>.
This product includes Hypersonic SQL.
This product contains software developed by the Regents of the University of California, Sun
Microsystems, Inc., Scriptics Corporation, and others.
This product includes software developed by the Internet Software Consortium.
This product includes software developed by Nominum, Inc. (http://www.nominum.com).
This product contains software developed by Broadcom Corporation, which is protected under the GNU
General Public License.
This product includes the Zend Engine, freely available at http://www.zend.com.
This product contains software developed by NuSphere Corporation, which is protected under the GNU
Lesser General Public License.
This product contains software developed by Erik Arvidsson and Emil A Eklund.
This product contains software developed by Aditus Consulting.
This product contains software developed by Dynarch.com, which is protected under the GNU Lesser
General Public License, version 2.1 or above.
1
Introducing Application Security Management
Introducing the BIG-IP system .....................................................................................................1-1
Overview of the BIG-IP Application Security Manager ..........................................................1-2
Summary of the Application Security Manager features ...............................................1-2
Introducing application security for the BIG-IP Local Traffic Manager .....................1-3
Highlights of this configuration guide ................................................................................1-3
Using the Configuration utility .....................................................................................................1-5
Browser support for the Configuration utility ...............................................................1-6
Identifying referrer objects in the Configuration utility ................................................1-6
Stylistic conventions in this document .......................................................................................1-7
Using the solution examples ...............................................................................................1-7
Identifying new terms ............................................................................................................1-7
Identifying references to products .....................................................................................1-7
Identifying references to objects, names, and commands ............................................1-7
Identifying references to other documents .....................................................................1-7
Identifying command syntax ................................................................................................1-8
Finding help and technical support resources ..........................................................................1-9
2
Essential Configuration Tasks
Overview of the essential configuration tasks .........................................................................2-1
Defining a local traffic pool ...........................................................................................................2-3
Defining an application security class .........................................................................................2-4
Defining a local traffic virtual server ...........................................................................................2-5
Configuring the web application language .................................................................................2-6
Determining the required security level for the web application ........................................2-7
Understanding the security levels ......................................................................................2-7
Understanding positive security logic ...............................................................................2-8
Setting the active policy for the web application .....................................................................2-9
Refining the security policy using the Learning process ...................................................... 2-10
Activating blocking mode on the security policy .................................................................. 2-11
Maintaining and monitoring the security policy .................................................................... 2-12
3
Working With Application Security Classes
What is an application security class? ........................................................................................3-1
Understanding the difference between an application security class and an HTTP class profile ........3-1
Creating a basic application security class .......................................................................3-2
Understanding the traffic classifiers ............................................................................................3-3
How the system applies the traffic classifiers ..................................................................3-3
Using the Hosts traffic classifier .........................................................................................3-3
Using the URI Paths traffic classifier ..................................................................................3-4
Using the Headers traffic classifier ....................................................................................3-5
Using the Cookies traffic classifier .....................................................................................3-6
Understanding the actions for the application security class ................................................3-7
Using the Rewrite URI action .............................................................................................3-7
4
Working With Web Applications
What is a web application? ...........................................................................................................4-1
Viewing the configured web applications .........................................................................4-1
5
Working With the Security Policy
What is a security policy? .............................................................................................................5-1
Chapter overview ..................................................................................................................5-1
Working with the security policy properties ...........................................................................5-2
Working with the general policy properties ...................................................................5-3
Configuring the security policy name and description ..................................................5-3
Viewing the security policy's corresponding web application .....................................5-4
Configuring the security level .............................................................................................5-4
Configuring the blocking mode ..........................................................................................5-6
Configuring the maximum HTTP header length ............................................................5-7
Configuring the maximum cookie header length ...........................................................5-8
Configuring the flow mode ..................................................................................................5-9
Working with the negative regular expressions pool ................................................ 5-10
Overview of the Policy Builder ........................................................................................ 5-14
Working with the Blocking Response Page property ................................................ 5-14
Working with the Sensitive Parameters property ...................................................... 5-16
Working with the Allowed Modified Cookies property ........................................... 5-17
Working with the Allowed Methods property ............................................................ 5-18
Working with the Navigation Parameters property .................................................. 5-19
Working with the security policy entities .............................................................................. 5-20
Working with the Object Types entity ......................................................................... 5-20
Working with the Web Objects entity ......................................................................... 5-26
Working with the Parameters entity ............................................................................. 5-27
Working with the Flows entity ........................................................................................ 5-27
Working with the Character Sets entity ....................................................................... 5-30
Setting the active policy for a web application ...................................................................... 5-33
Determining when to set the active security policy ................................................... 5-33
Working with the Blocking Policy settings ............................................................................ 5-35
Configuring the Learn, Alarm, and Block flags ............................................................. 5-35
How the Policy Enforcer enforces security policies ............................................................ 5-37
Understanding security policy violations ................................................................................ 5-38
Overview of RFC violations ............................................................................................. 5-38
Overview of access violations .......................................................................................... 5-39
Overview of length violations .......................................................................................... 5-39
Overview of input violations ............................................................................................ 5-40
Overview of cookie violations ......................................................................................... 5-41
Overview of negative security violations ...................................................................... 5-42
Maintaining a security policy ...................................................................................................... 5-43
6
Building a Security Policy With the Policy Builder
Overview of the Policy Builder ....................................................................................................6-1
Configuring the general settings for the Policy Builder .........................................................6-2
Configuring a Policy Builder domain .................................................................................6-2
Configuring the Start Points general setting ....................................................................6-4
Configuring the Form Fillers general setting ...................................................................6-5
Configuring the Page Not Found Criteria general setting ...........................................6-6
Configuring the Properties general setting ......................................................................6-6
Configuring the Object Types Associations general settings ......................................6-7
Understanding the Policy Builder operation modes ............................................................ 6-10
Configuring and using the Real Traffic (Responses) operation mode .................... 6-10
Configuring and using the Real Traffic (Requests) operation mode ....................... 6-12
Configuring and using the Generated Traffic operation mode ................................ 6-14
Running the Policy Builder ......................................................................................................... 6-19
Viewing the status of the Policy Builder ................................................................................. 6-20
Stopping the Policy Builder ........................................................................................................ 6-21
Working with the Policy Builder log ....................................................................................... 6-22
7
Working With Parameters
Understanding parameters ...........................................................................................................7-1
Understanding how the Policy Enforcer processes parameters ..........................................7-2
Working with global parameters .................................................................................................7-3
Creating a global parameter ................................................................................................7-3
Editing the properties of a global parameter ...................................................................7-4
Deleting a global parameter ................................................................................................7-5
Working with web object parameters .......................................................................................7-6
Creating a web object parameter ......................................................................................7-6
Editing the properties of a web object parameter .........................................................7-7
Deleting a web object parameter ......................................................................................7-8
Working with flow parameters ...................................................................................................7-9
Creating a flow parameter ...................................................................................................7-9
Editing the properties of a flow parameter .................................................................. 7-10
Deleting a flow parameter ................................................................................................ 7-11
Configuring parameter characteristics .................................................................................... 7-13
Understanding parameter types ...................................................................................... 7-13
A note about configuring parameters ............................................................................ 7-14
Configuring parameter characteristics for static parameters ................................... 7-14
Configuring parameter characteristics for user-input parameters .......................... 7-15
Configuring the Allow Empty Value setting .................................................................. 7-20
Configuring the Is Mandatory Parameter setting ........................................................ 7-23
Working with dynamic parameters and extractions ........................................................... 7-25
Configuring dynamic content value parameters .......................................................... 7-25
8
Refining the Security Policy Using Learning
Overview of the Learning process ..............................................................................................8-1
Working with the learning suggestions generated by the Learning Manager ...................8-2
Viewing a specific learning suggestion ...............................................................................8-2
Viewing the requests that trigger learning suggestions .................................................8-3
Viewing the details of a specific request ...........................................................................8-3
Processing the learning suggestions generated by the Learning Manager .........................8-5
Accepting a learning suggestion ..........................................................................................8-5
Clearing a learning suggestion .............................................................................................8-6
Rejecting a learning suggestion ...........................................................................................8-6
Additional considerations when processing learning suggestions ..............................8-7
Overview of the Ignored Items screen ......................................................................................8-9
Removing items from the Ignored Items list ...................................................................8-9
9
Working with the Statistics and Monitoring Tools
Overview of the statistics and monitoring tools .....................................................................9-1
Working with the Events Monitoring report ...........................................................................9-1
Filtering the Monitoring list .................................................................................................9-2
Saving and restoring the events data .................................................................................9-2
Working with the Security reports ............................................................................................9-4
Viewing the Security reports ..............................................................................................9-4
Filtering the Security reports ..............................................................................................9-4
Working with the Attacks reports .............................................................................................9-6
Viewing the Attacks reports ...............................................................................................9-6
Filtering the Attacks reports ...............................................................................................9-6
Working with the Executive reports .........................................................................................9-8
Viewing the Executive reports ............................................................................................9-8
Working with the Forensics screen ...........................................................................................9-9
Filtering the Forensics list ....................................................................................................9-9
10
General System Options
Configuring a user account for policy editing only .............................................................. 10-1
Viewing the application security log files ................................................................................ 10-2
Working with the system-supplied regular expressions ..................................................... 10-3
Overview of the regular expressions pool ................................................................... 10-3
Creating a user-defined regular expression .................................................................. 10-3
Validating a user-defined regular expression ................................................................ 10-4
Overview of the default negative regular expressions pool for security policies 10-5
A
Internal Parameters for Advanced Configuration
Overview of internal parameters ...............................................................................................A-1
B
Upgrading from TrafficShield 3.2.X to BIG-IP Application Security Manager
C
Platform-Specific Hazardous Substance Levels, for China
4100 platform .................................................................................................................................C-1
Glossary
Index
1
Introducing Application Security Management
Important
For detailed information on configuring the local traffic objects, refer to the
Configuration Guide for BIG-IP Local Traffic Management, which is
available on the Ask F5 Technical Support web site, http://tech.f5.com.
Important
All users need to use the web-based Configuration utility to license the
system for the first time.
Note
For the most current list of the supported browsers for the Configuration
utility, refer to the current release note on the Ask F5 Technical Support
web site, http://tech.f5.com.
\      Continue to the next line without typing a line break.
< >    You enter text for the enclosed item. For example, if the command has <your name>, type in your name.
|      Separates parts of a command.
[ ]    Syntax inside the brackets is optional.
...    Indicates that you can type a series of items.
2
Essential Configuration Tasks
This chapter describes, in detail, the tasks that you perform to configure a
standard security policy for a web application hosted on a local traffic
virtual server.
Important
The tasks described in this chapter begin after you have installed the BIG-IP
system, activated the license, and configured the appropriate network
settings. If you have not yet completed these activities, refer to the
Installation, Licensing, and Upgrades for BIG-IP Systems guide, and the
BIG-IP Network and System Management Guide for additional
information. Both of these guides are available at http://tech.f5.com.
Important
The following procedure outlines only the basic pool configuration. For
detailed information on configuring pools, refer to the Configuration Guide
for BIG-IP Local Traffic Management, which is available on the Ask F5
Technical Support web site, http://tech.f5.com.
Note
In the Configuration utility, the application security class and the HTTP
Class Profile are different labels for the same object. The difference
between the two objects is that, for the application security class, the
Application Security setting is enabled by default. If you disable the
Application Security setting on an application security class, you effectively
turn off application security for the associated web application.
Important
The following procedure outlines only the basic virtual server configuration.
For detailed information on virtual servers, and other local traffic
components, refer to the Configuration Guide for BIG-IP Local Traffic
Management, which is available on the Ask F5 Technical Support web site,
http://tech.f5.com.
Important
For virtual servers that load balance resources for a web application that is
protected by the Application Security Manager, you must configure an
HTTP profile in addition to the application security class. Refer to steps 6
and 7 in the previous procedure.
Important
You set the language encoding the first time you open the Web Application
Properties screen. You cannot change the language encoding once you set
it.
Important
We recommend that you configure a standard security policy first, to protect
the web application against the most common known threats, and to
familiarize yourself with the functionality of the Application Security
Manager. This chapter describes the tasks to configure a standard security
policy.
Important
The Application Security Manager requires you to set the active policy every
time you change a property of a security policy. When a security policy has
been changed in any way, you see the Modified icon next to the security
policy name, in the Security Policies List.
Tip
The Security Reports screen, in Statistics, is a very good resource when you
are deciding whether a security policy is ready to put into blocking mode.
This screen displays how many instances of a violation have occurred.
For additional information and details about the monitoring tools, refer to
Chapter 9, Working with the Statistics and Monitoring Tools.
3
Working With Application Security Classes
Tip
We recommend that you create the application security classes from the
Application Security section on the Main tab of the navigation pane so that
the system automatically enables the application security options for you.
Tip
For additional information on the options on this screen, click the Help tab
in the navigation pane.
Tip
Simply configuring the valid host headers for the web application protects
you against most of the worms that spread by placing an IP address as the
value of the Host header.
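As an added illustration (not code from this guide or from F5), the following Python models the decision the Hosts traffic classifier makes: a request falls into the application security class only when its Host header names one of the configured valid hosts, so a Host header carrying a bare IP address (with or without a port, IPv4 or bracketed IPv6) never matches. The VALID_HOSTS list and all function names are assumptions for the example.

```python
"""Host-header classification modelled on the Hosts traffic classifier
described above. Added example; not part of the BIG-IP ASM product."""
import ipaddress
from typing import Optional, Tuple

# Constructed example: the valid host names configured for a web application.
VALID_HOSTS = {"www.example.com", "example.com"}


def parse_host_header(value: str) -> Tuple[str, Optional[int]]:
    """Split a Host header into (host, port); port is None when absent.
    Bracketed IPv6 literals such as "[::1]:8080" are handled explicitly."""
    value = value.strip()
    if value.startswith("["):
        end = value.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal")
        host, rest = value[1:end], value[end + 1:]
        if rest == "":
            return host, None
        if not rest.startswith(":") or not rest[1:].isdigit():
            raise ValueError("junk after IPv6 literal")
        return host, int(rest[1:])
    host, sep, port = value.rpartition(":")
    if not sep:
        return value, None
    if not port.isdigit():
        raise ValueError("bad port")
    return host, int(port)


def is_ip_literal(host: str) -> bool:
    """True when the host part is an IPv4 or IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_host(header: Optional[str], valid_hosts=VALID_HOSTS) -> dict:
    """Return the classifier decision for one request's Host header.
    'matched' is whether the request would enter the application security
    class; 'reason' explains the decision for logging."""
    if header is None or header.strip() == "":
        return {"matched": False, "reason": "missing Host header"}
    try:
        host, port = parse_host_header(header)
    except ValueError as exc:
        return {"matched": False, "reason": f"malformed Host header: {exc}"}
    # Host names are case-insensitive; a trailing dot is an absolute FQDN.
    host = host.lower().rstrip(".")
    if is_ip_literal(host):
        # This is the case the tip above refers to: worm traffic addressed
        # to the server by IP never names a configured host.
        return {"matched": False, "reason": "Host is an IP literal"}
    if host in valid_hosts:
        return {"matched": True, "reason": "host in configured list", "port": port}
    return {"matched": False, "reason": "host not configured"}


if __name__ == "__main__":
    # Constructed sample requests; only the first two reach the class.
    for hdr in ["www.example.com", "Example.COM:443", "10.0.0.1", "[::1]:8080", None]:
        print(repr(hdr), "->", classify_host(hdr))
```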
Tip
For information on the other options on this screen, click the Help tab in the
navigation pane.
Tip
For information on the other options on this screen, click the Help tab in the
navigation pane.
Note
If you want to classify traffic using the Cookie header, use the Cookies
traffic classifier instead of the Headers traffic classifier. See Using the
Cookies traffic classifier, on page 3-6, for more information.
8. Click Finished.
The system adds the new application security class, the
corresponding web application, and a default security policy to the
configuration, and displays the HTTP Class Profiles list screen.
Tip
For information on the other options on this screen, click the Help tab in the
navigation pane.
two applications are the same site, but on the server side they are different
applications. You can use the Rewrite URI action to transparently redirect
the client to the appropriate application.
You specify this setting as a Tcl expression. If you specify a static URI
instead of an expression, the system rewrites every incoming request to that
same static URI. For details on using Tcl expressions, and Tcl syntax, see the
F5 Networks Dev Central web site, http://devcentral.f5.com.
Note
The Rewrite URI action is applicable only if you are using the Hosts or URI
Paths traffic classifiers.
Tip
See the F5 Dev Central web site, http://devcentral.f5.com, for information
on Tcl expressions and syntax.
4 Working With Web Applications
Important
You must set the application language before you can see or work with any
of the other web application properties, or configure security policies for
the web application. Note that once you set the web application language,
you cannot change it.
Important
You can set the active security policy from most screens in the
Configuration utility, in addition to setting it from the Web Application
Properties screen, as described above. For more information on setting the
active security policy, see Setting the active policy for a web application, on
page 5-33.
Tip
If your web application receives a high volume of requests, you may want to
log only those requests that violate the active security policy so that the
system resources are not overburdened.
Important
The Dynamic Sessions in URL option applies only to security policies that
use the high security level. If you enable this setting and you use only a
standard security level, the Policy Enforcer ignores the dynamic session
setting.
Important
Using the Reconfigure button to clear the configuration information for a
web application is a permanent action, and cannot be undone. Use this
setting with caution.
The system disables the web application because a web application must
have a corresponding application security class.
Note
Note
While only one security policy can be active for a given web application,
you may have several security policies configured to meet various business
requirements for the web application.
5 Working With the Security Policy
Chapter overview
This chapter contains information about the following aspects of the security
policy.
Security policy properties
The security policy properties determine the overall characteristics and
behavior of the security policy. The security policy properties specify
how the security policy interacts with the security policy entities. The
security policy properties also specify how the security policy processes
and responds to security policy violations.
Security policy entities
The security policy entities compose the security policy. The security
policy entities can include web objects, object types, parameters, flows,
character sets, and regular expressions.
Managing the security policy
Security policies may need to be modified over time, as the protected
web application changes. In addition to the tools that you can use to build
and refine a security policy (the Policy Builder and the Learning
process), you can manually add, edit, or delete almost every entity in the
security policy.
The following sections of this chapter describe the security policy properties
in detail.
Important
Any time you make a change to a security policy, no matter how small, you
must apply the security policy to make it the active security policy. Once you
set the active security policy, the Policy Enforcer enforces any changes you
have made. To set the active policy, refer to Setting the active policy for a
web application, on page 5-33, for detailed information.
6. Click the Save button to save any changes you may have made.
7. To put the security policy changes into effect immediately, click the
Apply Policy button near the top of the screen.
SQL injection
Cross-site scripting
Cookie poisoning
Buffer overflow
Parameter tampering (lengths and meta characters)
Forceful browsing (file type enforcement)
Stealth commanding
Back-door and debug options
Third-party misconfiguration
Enhanced Standard
An enhanced standard level of security is based on the protection offered
by a standard security policy, but uses high security to protect a small
subset of objects in the application. For example, a security policy that
uses the enhanced standard security level might include flows or
user-input parameters, in addition to the object types, meta characters,
and negative regular expressions that are in a standard security policy.
An enhanced standard policy protects the web application with a
combination of positive and negative security logic.
High Security (APC)
An APC security policy protects against common, known attacks (like a
standard security policy does), and also protects individual parameters
within the application, their associated web objects, and any flows to or
from the objects. When you have fully configured an APC security
policy, and put it into blocking mode, it applies mostly positive security
logic. (See Understanding positive security logic, on page 2-8, for more
information.) The APC security level requires a longer setup time, as the
security policy configuration is more closely tied to specific entities in
the application.
Custom
Whenever you modify any of the default settings on the Blocking Policy
screen, and you save the modifications, the system saves the security
level as Custom. You can modify the default settings for any of the
system-supplied security levels (Standard, Enhanced Standard, or High
Security) to create a custom security level. Note that you can create only
one custom security policy.
4. In the Policy Properties area, for the Security Level setting, click
the Edit button.
The Blocking Policy screen opens.
5. Make any changes on this screen that are pertinent to your web
application.
6. Click Save to save any changes you may have made to the Blocking
Policy settings.
7. To put the security policy changes into effect immediately, click the
Apply Policy button near the top of the screen.
Note
On the Blocking Policy screen, the default settings change depending on the
security level of the security policy. For full details on working with the
Blocking Policy screen, refer to Working with the Blocking Policy settings,
on page 5-35.
6. To put the security policy changes into effect immediately, click the
Apply Policy button near the top of the screen.
Tip
You can specify whether a violation triggers a learning suggestion on the
Blocking Policy screen. See Configuring the Learn, Alarm, and Block
flags, on page 5-35, for more information.
You activate blocking mode at the point in time when you can reasonably
assume that the security policy is accurate; meaning, all resources are
present and all attribute values meet the requirements of legitimate real-life
traffic and, therefore, any further alarms should be considered suspicious.
Note that you can activate blocking mode, and enable the Block flags in
phases. For example, you can enable blocking for only the illegal HTTP
format and RFC violations first, and then slowly enable blocking for the
remaining applicable violations.
Note
We advise you not to activate blocking mode until the security policy has
generated no alarms for several days.
Note
We recommend that, for most web applications, you use the simple flow
mode. If you need the additional security of the advanced flow mode for a
particular aspect of your web application, we recommend that you define a
flow parameter. For additional information on flow parameters, see
Working with flow parameters, on page 7-9.
Important
Always maintain the same flow mode that was used to initially create a
specific policy. We do not recommend that you switch back and forth
between Simple and Advanced flow modes.
Tip
Click a regular expression name to view the syntax for the regular
expression.
Table 5.1 describes how the system applies the negative regular expressions
to each entity.
Parameter=Value Pairs: The parameter key and value pairs included in the
request, either in the query string or in the POST data.
Table 5.1 How the system applies negative regular expressions to entities
4. Above the Blocking Response Page area, click the Show button.
The Blocking Response Page popup screen opens, where you can
view the text as it appears to recipients.
6. Click OK.
The popup closes, and on the Policy Properties screen, you can see
the newly-created sensitive parameter in the Sensitive Parameters
list.
7. To put the security policy changes into effect immediately, click the
Apply Policy button near the top of the screen.
In addition to creating allowed cookies, you can also edit or delete existing
allowed cookies, as required by changes in the web application. Simply
check the box next to an existing allowed cookie, and click either the Edit
or Delete button below the Allowed Modified Cookies section.
In addition to creating allowed methods, you can also edit or delete existing
allowed methods, as required by changes in the web application. Simply
check the box next to an existing allowed method, and click either the Edit
or Delete button below the Allowed Methods section.
Important
Object types are case-sensitive. As a result, the security policy processes
JPG and jpg files as separate object types.
Table 5.2 describes the object type flags, and lists the applicable security
level.
Check objects: Applies to high security (APC). Specifies, when checked, that if
an incoming request contains an object of the corresponding object type, the
security policy validates the specific object against the Web Objects list for
the security policy. If the specific object is not in the Web Objects list, the
security policy logs a violation event, and if in blocking mode, blocks the
request.
Check flows: Applies to high security (APC). Specifies, when checked, that the
security policy validates the flows to web objects of the corresponding object
type.
Is Referrer: Applies to high security (APC). Specifies that the object type can
include references to other object types. For example, an HTML file may contain
references to image files. Therefore, the HTML file is a referrer.
Object Length: Applies to all security levels. Specifies the acceptable length,
in bytes, for an object of this object type, in the context of an HTTP request.
Request Length: Applies to all security levels. Specifies the maximum
acceptable length, in bytes, for the HTTP request that contains the object type.
Query String Length: Applies to all security levels. Specifies the maximum
acceptable length, in bytes, for the query string portion of a URL that
contains the object type.
POST Data Length: Applies to all security levels. Specifies the maximum
acceptable length, in bytes, for the POST data of an HTTP request that contains
the object type.
Check Response: Applies to all security levels. Specifies that the system
validate the web server response to the incoming HTTP request that contains
the object type.
You can build the list of object types entities in the security policy in three
ways:
You can run the Policy Builder. See Chapter 6, Building a Security
Policy With the Policy Builder, for more information.
You can accept an object type from a learning suggestion. See Accepting
a learning suggestion, on page 8-5.
You can manually add each object type, as explained in this section.
Note
When you run the Policy Builder to detect object types, the system
automatically creates a no_ext object type in the following cases: objects
with no file extension, and objects with file extensions longer than eight
characters.
Tip
You can validate a user-defined regular expression before you add it to the
Allowed objects RegExp list. See Validating a user-defined regular
expression, on page 10-4, for more information.
Tip
If the web object name is in gold letters, the web object is a referrer.
Referrers call other web objects within the web application.
the web application, by scanning the links and references within the objects.
The Learning process maps new and changed flows, once the Policy Builder
has initially mapped the web application. Note that you can also manually
add and edit the application flows, however, we recommend that you use the
automated tools to help you maintain the flows configuration.
Note
Application flows do not apply to security policies that use the standard
level of security.
Note
If the Flow Mode is simple, then the system treats all web objects as entry
points, and there is no flow information on the Flows screen for the web
object.
10. To put the security policy changes into effect immediately, click the
Apply Policy button near the top of the screen.
YG: The security policy allows the character or meta character wherever it
occurs. Applies to: header values, object paths, parameter names, parameter
values.
NG: The security policy never allows the meta character, and the Policy
Enforcer generates an Illegal meta character violation when it encounters the
meta character in a request. Applies to: header values, object paths, parameter
names, parameter values.
6. In the Actions area, in the Action column for each character, you
can either leave the action at the default setting, or you can modify
the action.
7. Click Save to save any changes you may have made.
8. To put the security policy changes into effect immediately, click the
Apply Policy button near the top of the screen.
Tip
To restore the default character set definitions, you can click the Restore
Defaults button at any time.
You can also set the active security policy from most of the screens
throughout the Application Security Manager. Simply click the Apply
Policy button that is near the top of most screens.
The Active icon next to a security policy name indicates the active
security policy. You may also see an A in square brackets [A] to indicate
the active security policy. Only one security policy can be the active
security policy.
The Modified icon next to a security policy name indicates that the
security policy has been modified. You may also see an M in square
brackets [M] to indicate a modified security policy.
You need to set the active security policy in the following cases:
Before opening the web application to any user traffic, either for testing
or for regular business.
Every time that you make a change in the security policy. If you do not
re-activate the security policy, the latest changes are not applied to the
web application.
Whenever you change the active security policy for a web application.
Note
The security level of the security policy determines the default settings on
the Blocking Policy screen (see Configuring the security level, on page 5-4,
for more information about the security level).
The system takes the following actions when the flags are enabled:
Learn flag
When the Learn flag is enabled for a violation, and a request triggers the
violation, the system generates learning suggestions, and logs the request
in the Forensic information. Note that there are some violations for
which the system cannot generate learning suggestions. These violations
have the Log Only notation next to the Learn flag.
Alarm flag
When the Alarm flag is enabled for a violation, and a request triggers the
violation, the system logs the request in the Forensic information, and
also logs a security event on the Statistics >> Events screen.
Block flag
When the Block flag is enabled for a violation and the security policy is
in blocking mode, the system performs the Alarm flag actions when a
request or response triggers the violation. Additionally, the system does
not forward the request to the application, and sends the blocking
response page (which contains a Support ID to identify the request) to the
offending client. If a response from the web application triggers a
violation for which blocking is enabled, the system sends the blocking
response page to the client instead of the response.
Note
When the Block flag is enabled, the system automatically enables the Alarm
flag, too.
Illegal HTTP format: The format of the incoming request does not comply with
the standards specified in the RFCs for HTTP. Note that the local traffic
parser may prevent certain poorly-formed requests from reaching the
Application Security Manager; in these cases, the system does not generate
this violation.
Non-RFC request: The request does not comply with the RFC for the HTTP
protocol.
Not RFC compliant cookie: The format of the Cookie header in the request does
not comply with the standards specified in the RFCs for HTTP.
Important
The Application Security Manager does not generate learning suggestions
for RFC violations. The system does, however, log requests that generate
RFC violations in the Forensics information for the web application.
Illegal entry point: The incoming request references an object that is not
defined as an entry point.
Illegal flow to object: The incoming request references a flow that is not
found in the security policy.
Illegal object type: The incoming request references an object type not found
in the security policy.
Illegal method: The incoming request uses an HTTP request method that is not
found in the security policy.
Non-existent object: The incoming request references an object that is not
found in the security policy.
Illegal cookie length: The incoming request includes a Cookie header that
exceeds the acceptable length as specified in the security policy.
Illegal header length: The incoming request includes an HTTP header that
exceeds the acceptable length as specified in the security policy.
Illegal object length: The incoming request references an object whose length
exceeds the acceptable length as specified in the security policy.
Illegal POST data length: The incoming request contains POST data whose length
exceeds the acceptable length as specified in the security policy.
Illegal query string length: The incoming request contains a query string
whose length exceeds the acceptable length as specified in the security policy.
Illegal request length: The incoming request length exceeds the acceptable
length as specified in the security policy.
Request length exceeds defined buffer size: The incoming request is larger
than the buffer of the Policy Enforcer parser.
Failure to convert character: The incoming request contains a character that
does not comply with the encoding of the web application (the character set of
the security policy), and the Policy Enforcer cannot convert the character to
the current encoding.
Forbidden Null in request: The incoming request contains a NULL character
(0x00).
Illegal dynamic parameter value: The incoming request contains a dynamic
parameter value that does not comply with the security policy.
Illegal empty parameter value: The incoming request contains a parameter whose
value is empty when it must contain a value.
Illegal meta character in parameter value (defined parameter): The incoming
request includes a defined parameter whose value contains a meta character
that is not allowed according to the parameter's definition.
Illegal number of mandatory parameters: The incoming request contains either
too few or too many mandatory parameters on a flow. Note that only flows can
contain mandatory parameters.
Illegal parameter: The incoming request contains a parameter that is not
defined in the security policy.
Illegal parameter data type: The incoming request contains a parameter whose
data type does not match the data type that is defined in the security policy.
The data types to which this violation applies are integer, email, and phone.
Illegal parameter numeric value: The incoming request contains a parameter
whose value is not in the range of decimal or integer values defined in the
security policy.
Illegal parameter value length: The incoming request contains a parameter
whose value length does not match the value length that is defined in the
security policy. Note that this violation is relevant only for user input
parameters.
Illegal Query-String or POST data: The incoming request contains a query
string or POST data that is not found in the security policy.
Illegal static parameter value: The incoming request contains a static
parameter whose value is not defined in the security policy.
Malicious parameter value: The incoming request includes a parameter whose
value contains a pattern that matches a negative regular expression (attack
pattern) in the security policy.
Null in multi-part parameter value: The incoming multi-part request has a
parameter value that contains a NULL character (0x00).
Parameter value doesn't comply with regular expression: The incoming request
contains an alphanumeric parameter value that does not match the expected
pattern specified by the regular-expression field for that parameter.
Value too long for pattern checks: The incoming request contains a parameter
value that is too long for the Policy Enforcer to apply regular expressions.
Expired timestamp: The time stamp in the HTTP cookie is old, which indicates
that a client session has expired.
Illegal session ID in URL: The incoming request contains a session ID value
that does not match the session ID value from a previous request from the same
client.
Modified ASM cookie: The incoming request contains an Application Security
Manager (ASM) cookie that has been modified or tampered with.
Modified domain cookie(s): The domain cookies in the HTTP request do not match
the original domain cookies, or are not defined as allowed modified domain
cookies in the security policy.
Wrong message key: The incoming request contains an ASM cookie that was
created in another session.
Illegal HTTP status in response: The server response contains an HTTP status
code that is not defined in the security policy.
Illegal meta character in header: The incoming request includes a header whose
value contains a meta character that is not defined in the security policy.
Note that if you accept the meta character that caused the violation, the
Application Security Manager updates the character set for header values to
include the meta character.
Illegal meta character in object: The incoming request includes an object that
contains a meta character that is not defined in the security policy.
Illegal meta character in parameter name: The incoming request includes a
parameter name that contains a meta character that is not defined in the
security policy.
Illegal meta character in parameter value (undefined parameter): The incoming
request includes a parameter that is not defined in the security policy, and
whose value contains a meta character that is not allowed, according to the
security policy character set.
Illegal pattern in header value: The incoming request includes a header whose
value contains a pattern that matches a negative regular expression (attack
pattern) in the security policy.
Illegal pattern in object: The incoming request includes an object that
contains a pattern that matches a negative regular expression (attack pattern)
in the security policy.
Illegal pattern in parameter=value pairs: The incoming request includes a
parameter and value which together contain a pattern that matches a negative
regular expression (attack pattern) in the security policy.
Illegal pattern in response: The HTTP response contains a pattern that matches
a negative regular expression (attack pattern) in the security policy.
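The Learn, Alarm and Block flag behaviour described earlier in this section,
the object type length limits of Table 5.2, the negative regular expressions
applied to parameter=value pairs (Table 5.1), the case-sensitive object types
and the no_ext rule, and the violation names listed in the tables above are
brought together in the following added example. It is not F5 code and does
not reproduce the Policy Enforcer; it is a toy enforcer written in Python for
this page. The policy contents (POLICY), the request bytes and the function
names find_violations, enforce and object_type_of are constructed for the
example.

```python
"""Added example, not F5 code: a toy Policy Enforcer that checks one raw HTTP
request against a small constructed policy, reports violations by the names
used in this chapter, and resolves the Learn, Alarm and Block flags."""
import re
from urllib.parse import parse_qsl

POLICY = {  # every entry here is constructed for the example
    "blocking_mode": True,
    "allowed_methods": {"GET", "POST"},
    # Object types are case-sensitive: "jpg" and "JPG" would be different types.
    "object_types": {
        "php": {"request_length": 4096, "query_string_length": 512, "post_data_length": 1024},
        "jpg": {"request_length": 2048, "query_string_length": 0, "post_data_length": 0},
    },
    "web_objects": {"/login.php": "php", "/logo.jpg": "jpg"},
    "parameters": {"user": {"max_len": 32}, "pass": {"max_len": 64}},
    "disallowed_meta_chars": set("<>'\""),  # NG characters in parameter values
    "attack_patterns": [r"(?i)union\s+select", r"(?i)<script", r"\.\./"],
    # (Learn, Alarm, Block) per violation; RFC violations are Log Only, no Learn
    "flags": {
        "Illegal HTTP format": (False, True, True),
        "Forbidden Null in request": (True, True, True),
        "Illegal method": (True, True, True),
        "Illegal object type": (True, True, False),
        "Non-existent object": (True, True, False),
        "Illegal request length": (True, True, True),
        "Illegal query string length": (True, True, True),
        "Illegal POST data length": (True, True, True),
        "Illegal parameter": (True, True, False),
        "Illegal parameter value length": (True, True, False),
        "Illegal meta character in parameter value (defined parameter)": (True, True, True),
        "Illegal pattern in parameter=value pairs": (True, True, True),
    },
}

def object_type_of(path):
    """Case-sensitive extension; none, or longer than eight characters, is no_ext."""
    name = path.rsplit("/", 1)[-1]
    if "." not in name:
        return "no_ext"
    ext = name.rsplit(".", 1)[1]
    return ext if 0 < len(ext) <= 8 else "no_ext"

def find_violations(raw, policy=POLICY):
    """raw is the bytes of one HTTP/1.1 request; returns violation names in order."""
    v = []
    if b"\x00" in raw:
        v.append("Forbidden Null in request")
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if len(parts) != 3:
        v.append("Illegal HTTP format")
        return v  # the request line cannot be parsed, so stop here
    method, target, _version = parts
    path, _, query = target.partition("?")
    if method not in policy["allowed_methods"]:
        v.append("Illegal method")
    limits = policy["object_types"].get(object_type_of(path))
    if limits is None:
        v.append("Illegal object type")
    else:
        if path not in policy["web_objects"]:
            v.append("Non-existent object")
        if len(raw) > limits["request_length"]:
            v.append("Illegal request length")
        if len(query) > limits["query_string_length"]:
            v.append("Illegal query string length")
        if len(body) > limits["post_data_length"]:
            v.append("Illegal POST data length")
    # Parameter checks run over parameter=value pairs from query string and POST data.
    pairs = parse_qsl(query, keep_blank_values=True)
    pairs += parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    for name, value in pairs:
        pdef = policy["parameters"].get(name)
        if pdef is None:
            v.append("Illegal parameter")
        else:
            if len(value) > pdef["max_len"]:
                v.append("Illegal parameter value length")
            if set(value) & policy["disallowed_meta_chars"]:
                v.append("Illegal meta character in parameter value (defined parameter)")
        if any(re.search(p, f"{name}={value}") for p in policy["attack_patterns"]):
            v.append("Illegal pattern in parameter=value pairs")
    return v

def enforce(raw, policy=POLICY):
    """Return (decision, learn, alarm): Block implies Alarm, and a Block flag
    only blocks when the policy is in blocking mode; otherwise it alarms only."""
    learn, alarm, block = [], [], False
    for name in find_violations(raw, policy):
        l_flag, a_flag, b_flag = policy["flags"].get(name, (False, False, False))
        if l_flag:
            learn.append(name)
        if a_flag or b_flag:
            alarm.append(name)
        if b_flag and policy["blocking_mode"]:
            block = True
    return ("block" if block else "forward", learn, alarm)
```

Running enforce on the same request with blocking_mode set to False shows the
transparent-mode behaviour described above: the violations are still alarmed
and learned, but the request is forwarded. The phased approach recommended
earlier (enable Block first for the RFC violations, then for the rest) is just
a matter of which entries in the flags table carry a True third value.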
Important
Remember that if you make any configuration changes in the security policy,
the changes do not take effect until you set the active policy. See Setting the
active policy for a web application, on page 5-33 for more information.
Note
When you copy a security policy, the system does not export the data from
the Policy Builder log. See Working with the Policy Builder log, on page
6-22, for information on the Policy Builder log.
Important
In the Security Policies List, the Active icon next to a security policy
indicates that this policy is active. The Modified icon indicates that the
security policy has been modified, and you must click the Set Active Policy
button to implement any changes in the security policy.
upgrade the system software, to create a backup copy, or to use the exported
security policy in a policy merge. (See Merging two security policies, on
page 5-45, for more information on merging policies.)
Note
When you export a security policy, the system does not export the data from
the Policy Builder log. See Working with the Policy Builder log, on page
6-22, for information on the Policy Builder log.
If you enable verbose logging for the merge, the Merge Report also contains
the following information:
Entities that are in the target security policy only
Entities in the target security policy whose values are different from
those in the merged security policy (If this occurs, the system does not
change the target security values.)
Once the merge is complete, you have the option of saving the Policy Merge
Report as a text file (*.txt), so that you can review the details of the merge,
and resolve any conflicts, or errors, that may have occurred.
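As an added example (not F5 code) of the merge semantics described above, the
following Python function merges a source security policy into a target
policy without ever overwriting a target value, and builds a report in which
the target-only entities and the value conflicts appear only when verbose
logging is requested. The two-level policy structure, the entity names in
TARGET and SOURCE, and the function names merge_policies and format_report are
constructed for the example.

```python
"""Added example, not F5 code: merge one security policy into another as the
Merge Report in this section describes. All policies and names are constructed."""

# Constructed policies: entity category -> entity name -> properties.
TARGET = {
    "object_types": {"php": {"request_length": 4096}, "jpg": {"request_length": 2048}},
    "methods": {"GET": {}, "POST": {}},
}
SOURCE = {
    "object_types": {"php": {"request_length": 8192}, "css": {"request_length": 1024}},
    "methods": {"GET": {}, "HEAD": {}},
}


def merge_policies(target, source, verbose=False):
    """Return (merged, report). Entities only in source are added; entities in
    both keep the target's values. With verbose=True the report also lists
    target-only entities and the value conflicts where the target was kept."""
    merged = {cat: {n: dict(p) for n, p in ents.items()} for cat, ents in target.items()}
    report = {"added": [], "unchanged": [], "target_only": [], "conflicts": []}
    for cat, ents in source.items():
        merged.setdefault(cat, {})
        for name, props in ents.items():
            key = f"{cat}/{name}"
            if name not in merged[cat]:
                merged[cat][name] = dict(props)
                report["added"].append(key)
            elif merged[cat][name] == props:
                report["unchanged"].append(key)
            elif verbose:  # target value differs and is kept; verbose logging records it
                report["conflicts"].append((key, merged[cat][name], props))
    if verbose:
        for cat, ents in target.items():
            report["target_only"] += [f"{cat}/{n}" for n in ents if n not in source.get(cat, {})]
    return merged, report


def format_report(report):
    """Render the report as the lines of a plain-text Policy Merge Report."""
    lines = []
    for section, items in report.items():
        lines.append(f"{section}: {len(items)}")
        for item in items:
            if isinstance(item, tuple):
                key, kept, ignored = item
                lines.append(f"  {key}: kept target {kept}, ignored source {ignored}")
            else:
                lines.append(f"  {item}")
    return lines
```

The target policy passed in is left untouched; the caller decides whether to
keep the merged copy, which mirrors reviewing the report before accepting the
merge.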
Important
The names of security policies must be unique within the Application
Security Manager. If a security policy with the same name as the imported
policy already exists in the Application Security Manager, the system renames
the imported security policy by appending a sequential number to its name.
Important
You cannot remove a security policy that is currently active. The active
policy for a web application has the Active icon next to the name in the
Security Policies List.
Tip
In the Security Policies List, on the Web Application Properties screen, the
security policy version number is in square brackets next to the security
policy name.
6 Building a Security Policy With the Policy Builder
Tip
The general settings for the Policy Builder apply to all of the Policy Builder
operation modes.
The following sections of this chapter describe the Policy Builder general
settings, and how to configure them.
Important
You must configure a Policy Builder domain if you plan to run the Policy
Builder in either the Real Traffic (Responses) operation mode, or the
Generated Traffic operation mode. For more information on the operation
modes, see Understanding the Policy Builder operation modes, on page
6-10.
The Policy Builder domain settings should match the client SSL and server
SSL settings for the local traffic virtual server with which the application
security class is associated. Otherwise the Policy Builder cannot gain direct
access to the web server that is hosting the web application. You can
configure the Policy Builder domain settings to use any combination of
HTTP and HTTPS. Table 6.1 shows the mapping.
Table 6.1 Mapping virtual server settings to Policy Builder domain settings
c) In the Port box, type the port for the HTTPS service, typically
443.
d) If the system should encrypt traffic from the web server, check
the Use Encryption box.
5. Click OK.
The system adds the new Policy Builder domain to the
configuration.
Important
You must configure a start point if you plan to run the Policy Builder in the
Generated Traffic operation mode. For more information on the operation
modes, see Understanding the Policy Builder operation modes, on page
6-10.
4. Click OK.
The system adds the new start point to the Policy Builder Generated
Traffic settings.
Tip
If your web application has more than one start point, we recommend that
you run the Policy Builder one or more times to scan the public access areas
of the web application, and then run the Policy Builder with the login
information configured, to scan the secure areas of the web application.
Tip
Sometimes the parameter names are not self-explanatory, and you may need
to consult with the web application programmer. If it is available to you,
you can also search the HTML source code for this information.
Tip
The Policy Builder always follows the redirect link, if one is configured. The
Policy Builder identifies the page behind the link, and avoids the link if the
identified page is included in the Page Not Found list.
Analyze JavaScript (default: enabled): Specifies whether the Policy Builder
analyzes or ignores JavaScript code. This is useful if the scripts contain
references to links that can be followed, or if they include form fields that
need to be filled.
Create back flows (default: enabled): Specifies whether the Policy Builder
creates back flows in the security policy for referrer objects. You can use
the back flow information to impose rules on navigating backwards, which
occurs when the visitor uses the Back button.
Create cache flows (default: enabled): Specifies whether the Policy Builder
creates flows in the security policy for objects that a web browser can cache,
for example, image files.
Table 6.2 The Properties options in the Policy Builder general settings
The default settings provided in the object type associations list cover the
most common file types and associations, and you can adapt them to your
needs by checking or clearing boxes. Table 6.3 provides a description of the
default file types and their corresponding file type associations.
Is Entry Point: Specifies whether all web objects of this type can be entry
points to the web application. If the security policy's flow mode is Simple,
the system considers all web objects to be entry points.
Is Referrer: Specifies whether objects of this type may contain references to
other files. For example, an HTML page that contains an HREF link, or a CGI
file that calls another file, is a referrer. Picture and sound files cannot be
referrers because these objects never contain links to other objects, and are
not web pages.
Don't Check Flow: Specifies whether the system ignores or validates the flows
to or from objects of this file type.
Don't Check Object: Specifies whether the system ignores or validates the
requests referring to files (objects) of this type.
Table 6.3 The object type associations in the Policy Builder general settings
With all three operation modes, the Policy Builder uses the collected
information to immediately populate the security policy. The resulting
security policy contains web objects, entry point flows, and parameters
within the entry point flows. You can review all of the additions and updates
to the security policy in the Policy Builder log. For more information, refer
to Working with the Policy Builder log, on page 6-22.
Configuring the filter options for the Real Traffic (Responses) operation mode
In addition to the general settings for the Policy Builder, you can apply
several filter options to the Real Traffic (Responses) operation mode. The
filter options determine from which responses the Policy Builder extracts
the web application information that it uses to build or update the security
policy. You can use any combination of filter options, or you can run the
Policy Builder with the default options for this operation mode. Table 6.4
provides a description of the filter options for this operation mode.
Request Source IP: Filters the responses by the source IP address of the client request.
Request Time Range: Filters the responses to those that occur within the specified time range.
Request Object: Filters the responses by a requested object within the web application.
Traffic: Filters the responses by traffic that generated learning suggestions and generated alerts.
HTTP Response Code: Filters the responses by the HTTP response code within the response.
Table 6.4 Filter options for the Real Traffic (Responses) operation mode
Running the Policy Builder in the Real Traffic (Responses) operation mode
Before you run the Policy Builder in the Real Traffic (Responses) operation
mode, you need to configure a Policy Builder domain (in the Policy Builder
general settings), if you have not already done so. See Configuring a Policy
Builder domain, on page 6-2, for more information. You must also turn on
traffic sampling. For more information, see Enabling traffic sampling for the
Policy Builder, on page 4-4.
Tip
When you run the Policy Builder in Real Traffic (Responses) mode, the
system generates a series of graphs on the Run Policy Builder screen. You
can use the graphs to help decide when to stop the Policy Builder, and start
using learning to refine the security policy. The graphs display the number
of new and updated web objects, parameters, and flows. When the updates
reach zero, the Policy Builder has added all of the entities that it can find.
Configuring the filter options for the Real Traffic (Requests) operation mode
The filter options determine from which requests the Policy Builder extracts
the web application information that it uses to build or update the security
policy. You can use any combination of filter options, or you can run the
Policy Builder with the default options for this operation mode. Table 6.5
provides a description of the filter options for this operation mode.
Request Source IP: Filters the requests by the source IP address of the client request.
Request Time Range: Filters the requests to those that occur within the specified time range.
Request Object: Filters the requests by a requested object within the web application.
Traffic: Filters the requests by traffic that generated learning suggestions and by traffic that generated alerts.
HTTP Response Code: Filters the requests by the HTTP response code within the response.
Table 6.5 Filter options for the Real Traffic (Requests) operation mode
Running the Policy Builder in the Real Traffic (Requests) operation mode
8. Click the Start button below the Policy Builder area to start the
Policy Builder.
The Run Policy Builder popup screen opens, where you can monitor
the status of the Policy Builder.
Note
In the Real Traffic (Requests) operation mode, the Policy Builder adds all
parameters as the User-Input parameter type.
Configuring the Logout Pages setting for the Generated Traffic operation mode
If the web application contains a page designed to log a visitor out of the
web application, you need to instruct the Generated Traffic operation mode
not to follow the logout link. Otherwise, when you run the Policy Builder in
Generated Traffic operation mode, it logs out of the web application before
it has fully scanned the application. For example, many web applications
have an Exit or Logout link right on the home page, which would cause the
Policy Builder to exit the application as soon as it enters. You can prevent
this behavior by using the Logout Pages setting to identify the logout points
that the Generated Traffic operation mode should avoid.
Configuring the Properties settings for the Generated Traffic operation mode
The Properties section provides additional ways to customize the Policy
Builder Generated Traffic operation mode. For example, you can adjust the
frequency at which the Generated Traffic operation mode probes the web
application.
Accept untrusted SSL certificates: Specifies whether the Policy Builder Generated Traffic operation mode accepts untrusted SSL certificates. Default: Enabled (checked).
Minimal delay between worm requests to web application (milliseconds): The Policy Builder Generated Traffic operation mode is a mechanism similar to a central unit sending out multiple simultaneous probes to the different areas of the web application in order to register web application components. Each probe exercises the web application by following links and filling in forms, similar to an actual user. This process increases the traffic to the web application. The Policy Builder Generated Traffic operation mode can send the probes in quick or slow succession. Quicker bursts create more traffic. A burst is measured in terms of the number of seconds to wait before sending the next probe. If your web application is active and currently serving visitors, consider increasing this value in order to slow down the Policy Builder. Default: 250.
Number of threads to be used by the policy builder: This parameter also relates to simultaneous probe activity. A smaller number of threads decreases the Policy Builder's bandwidth consumption, which keeps more bandwidth available for actual visitors. Default: 7.
Number of times the policy builder fetches requests with the same structure: For this property, specify the number of samples that are sufficient for the Policy Builder to scan when it discovers identical structures. Applications may contain many identical structures within objects, where only the parameter values differ. The following examples illustrate identical structures that differ only by the parameter values:
http://www.myapp.htm?par=111
http://www.myapp.htm?par=222
http://www.myapp.htm?par=333
http://www.myapp.com?par=222&meter=567
http://www.myapp.com?par=333&meter=123
To reduce the policy building time (and the accompanying traffic), you can instruct the Policy Builder to scan only a few (and not all) of such identical structures, assuming that all others behave in the same way. Default: 5.
Note: A higher value yields a more accurate security policy; however, it takes a longer amount of time for the Policy Builder to complete the process.
Maximum number of requests generated for each form by the form iterator: When the Policy Builder encounters a form, it processes it as many times as the number of pre-defined parameter values included in it. For example, a list containing ten objects causes the Policy Builder to process the form ten times. You can reduce crawling time and traffic, however, by instructing the Policy Builder to process only a few of the objects and not all of them. For this property, specify the number of samples you deem sufficient for the Policy Builder to process from the same form with different values. A higher value yields a more accurate policy with longer crawling times. Default: 1.
Emulate browser: If the web application works only with a particular Internet browser, select the relevant browser name from the list. The Policy Builder uses this property to select the User-Agent header data when it scans the web application. Default: Microsoft IE.
Table 6.6 Properties options for the Policy Builder Generated Traffic settings
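The "same structure" sampling described above can be illustrated in code. This is an added example, not F5's code or the Policy Builder's actual algorithm: it treats two URLs as the same structure when host, path and the set of parameter names match and only the values differ, and keeps at most N samples per structure. The URL list combines the five examples from the table with two constructed ones.

```python
"""Keep at most N sample requests per identical URL structure.

Added illustration (not F5 code): two URLs share a structure when the
host, path and the set of parameter *names* are equal; only the
parameter *values* differ. Crawling only N of each structure reduces
the traffic and time needed to build a policy, at some cost in accuracy.
"""
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit


def structure_key(url: str) -> tuple:
    """Return a key that ignores parameter values but keeps their names."""
    parts = urlsplit(url)
    names = tuple(sorted(
        name for name, _ in parse_qsl(parts.query, keep_blank_values=True)
    ))
    # Missing path (e.g. "http://www.myapp.htm?par=1") is treated as "/".
    return (parts.scheme, parts.netloc.lower(), parts.path or "/", names)


def sample_by_structure(urls, max_per_structure=5):
    """Return (kept, skipped): at most max_per_structure URLs per structure,
    preserving the order in which they were seen."""
    if max_per_structure < 1:
        raise ValueError("max_per_structure must be at least 1")
    seen = defaultdict(int)
    kept, skipped = [], []
    for url in urls:
        key = structure_key(url)
        if seen[key] < max_per_structure:
            seen[key] += 1
            kept.append(url)
        else:
            skipped.append(url)
    return kept, skipped


# The five URLs from Table 6.6 plus two constructed ones: a reordered
# query string (same structure) and a different path (new structure).
SAMPLE_URLS = [
    "http://www.myapp.htm?par=111",
    "http://www.myapp.htm?par=222",
    "http://www.myapp.htm?par=333",
    "http://www.myapp.com?par=222&meter=567",
    "http://www.myapp.com?par=333&meter=123",
    "http://www.myapp.com?meter=9&par=1",
    "http://www.myapp.com/other?par=1",
]

if __name__ == "__main__":
    kept, skipped = sample_by_structure(SAMPLE_URLS, max_per_structure=2)
    print("fetched:")
    for u in kept:
        print("  ", u)
    print("skipped as identical structure:")
    for u in skipped:
        print("  ", u)
```

Lowering max_per_structure trades crawl coverage for less generated traffic, which is the same trade-off the table's note describes.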
Configuring the HTTP Authentication settings for the Generated Traffic operation mode
If the web application uses HTTP authentication, then you can use the
HTTP Authentication settings to configure the login criteria. The Generated
Traffic operation mode accepts all RFC 2617 authentication formats, as well
as the Microsoft NTLM authentication format.
2. Click Save.
The system updates the HTTP authentication settings.
Note
Closing the Policy Builder Status popup screen does not stop the Policy
Builder when it is running. To stop the Policy Builder, refer to Stopping the
Policy Builder, on page 6-21.
7 Working With Parameters
Understanding parameters
Parameters are an integral entity in any web application. When you define
parameters in a security policy, you are tightening the security for the web
application. Application Security Manager evaluates defined parameters,
meta characters, query string lengths, and POST data lengths as part of a
positive security logic check. The system evaluates undefined parameters as
part of a negative security logic check. The Policy Enforcer verifies
parameters in the context of a security policy, not a web application. In other
words, any parameters that you configure in a security policy are enforced
only by that security policy.
You can define parameters as global parameters, web object parameters, and
flow parameters. For information on configuring global parameters, see
Working with global parameters, on page 7-3. For information on
configuring web object parameters, see Working with web object
parameters, on page 7-6. For information on configuring flow parameters,
see Working with flow parameters, on page 7-9.
There are several types of parameters that you can configure: static content,
dynamic content, dynamic name, and user-input. You can also configure
parameters for which the system does not check or verify the value. With the
exception of dynamic parameter names, you can configure a global, object,
or flow parameter as any parameter type. The dynamic parameter name type
is applicable only to flow parameters. Refer to Understanding parameter
types, on page 7-13 for more information.
If a parameter is defined more than once in the request context, the Policy
Enforcer applies only the more specific definition. For example, suppose the
parameter param_1 is defined as a static content global parameter, and also
defined as a user-input object parameter. When the Application Security
Manager receives a request for the parameter's object, the Policy Enforcer
generates any violations based on the object parameter definition, not the
global parameter definition.
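The precedence rule above, worked through in code. This is an added example, not F5's code or the Policy Enforcer's actual implementation: it models the three definition levels the chapter names (global, web object, flow), picks the most specific one visible in a request, and applies the page's param_1 scenario. The scope names, the "static"/"user-input" type labels and the sample object paths are constructed for illustration.

```python
"""Pick the most specific parameter definition in a request context.

Added illustration (not F5 code). Levels, from least to most specific:
global (applies everywhere), object (applies to one web object), flow
(applies to one flow). Only the winning definition is enforced.
"""
from dataclasses import dataclass
from typing import Optional

SPECIFICITY = {"global": 0, "object": 1, "flow": 2}


@dataclass(frozen=True)
class ParamDef:
    name: str
    scope: str                       # "global", "object" or "flow"
    param_type: str                  # constructed labels: "static" / "user-input"
    allowed_values: tuple = ()       # only meaningful for static content
    context: Optional[str] = None    # object path or flow id the def belongs to


def resolve(defs, name, obj, flow=None):
    """Return the most specific definition of `name` visible for this request,
    or None if the parameter is undefined in this context."""
    visible = [d for d in defs if d.name == name and (
        d.scope == "global"
        or (d.scope == "object" and d.context == obj)
        or (d.scope == "flow" and d.context == flow))]
    if not visible:
        return None
    return max(visible, key=lambda d: SPECIFICITY[d.scope])


def check_value(definition, value):
    """Return a violation label, or None when the value is acceptable.

    An undefined parameter falls to the negative (undefined) check the
    chapter mentions; a static definition allows only its listed values;
    a user-input definition accepts any value here (real checks such as
    length and meta characters are out of scope for this illustration).
    """
    if definition is None:
        return "undefined parameter"
    if definition.param_type == "static" and value not in definition.allowed_values:
        return "illegal static parameter value"
    return None


def evaluate_request(defs, query, obj, flow=None):
    """Map each submitted parameter name to its violation (None = clean)."""
    return {name: check_value(resolve(defs, name, obj, flow), value)
            for name, value in query.items()}


# Constructed policy: the page's scenario (param_1 static globally,
# user-input on one object) plus a flow-level parameter.
POLICY = [
    ParamDef("param_1", "global", "static", ("a", "b")),
    ParamDef("param_1", "object", "user-input", context="/search.php"),
    ParamDef("step", "flow", "static", ("2",), context="/login.php->/search.php"),
]

if __name__ == "__main__":
    # Same value, different objects: object definition wins on /search.php,
    # the global static definition applies everywhere else.
    print(evaluate_request(POLICY, {"param_1": "zzz"}, "/search.php"))
    print(evaluate_request(POLICY, {"param_1": "zzz"}, "/other.php"))
    print(evaluate_request(POLICY, {"step": "9"}, "/search.php",
                           flow="/login.php->/search.php"))
```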
Tip
If you want the Policy Enforcer to start enforcing this parameter, be sure to
make the security policy active. See Setting the active policy for a web
application, on page 5-33, for more information.
Important
The following task assumes that the web object for which you want to create
a parameter is already configured in the security policy. If this is not the
case, refer to Working with the Web Objects entity, on page 5-26, for
information on adding a web object to the configuration.
Note
The Policy Builder defines all parameters as flow parameters, that is,
parameters in the context of a flow.
Important
The following task assumes that the flow for which you want to create a
parameter is already configured in the security policy. If this is not the case,
refer to Working with the Flows entity, on page 5-27, for information on
adding a flow to the configuration.
6. In the Flows List, click the name of the flow to which you want to
add a parameter.
The Flow Properties screen opens.
7. Above the List of Flow Parameters area, click the Create button.
The Flow Parameter Properties screen opens.
8. In the Create New Parameter area, fill in the information as
required.
See the online help for information on the parameter name
settings.
See Understanding parameter types, on page 7-13, for
information on the parameter types options.
If the parameter is required in the context of the flow, check the
Is Mandatory Parameter setting. Note that only flows can have
mandatory parameters. (See Configuring the Is Mandatory
Parameter setting, on page 7-23, for more information.)
If the parameter is acceptable without a value, check the Allow
Empty Value setting. (See Configuring the Allow Empty Value
setting, on page 7-20, for more information.)
9. In the Parameter Characteristics area, fill in the information as
required. Note that the parameter type determines the applicable
parameter characteristics. See Configuring parameter
characteristics, on page 7-13, for more information.
10. Click the Create button to add the new parameter to the security
policy.
Tip
If you want the Policy Enforcer to start enforcing this parameter, be sure to
make the security policy active. See Setting the active policy for a web
application, on page 5-33, for more information.
7. In the List of Flow Parameters area, in the Select column (far left),
check the box next to the parameter that you want to remove from
the flow, and then click the Remove button.
The system displays a popup confirmation screen.
8. Click OK.
The system deletes the parameter.
Tip
You can configure any parameter as a user-input parameter if you want the
system to apply a broader verification to the parameter values.
Note
We recommend that you use the email data type only if the web application
has client-side data validation for the parameter.
Note
We recommend that you use the phone data type only if the web application
has client-side data validation for the parameter.
alert if a client request does not provide a value. The Allow Empty Value
setting is applicable to global parameters, web object parameters, and flow
parameters.
Configuring the Allow Empty Value setting for a web object parameter
You can configure the Allow Empty Value setting either from the Object
Properties screen of the associated web object, or from the Object Parameter
Properties screen. To change the Allow Empty Value setting from the
Object Parameter Properties screen, refer to Editing the properties of a web
object parameter, on page 7-7. Use the following procedure to change the
setting from the Object Properties screen of the associated web object.
7. In the List of Flow Parameters area, in the Select column (far left),
check the box next to the parameter for which you want to change
the Is Mandatory Parameter setting.
8. In the Is Mandatory Parameter column, check or clear the check box
as required for any parameters you selected in the previous step.
9. Click the Save button (below the List of Flow Parameters) to save
any changes you may have made.
Note
You should define the extractions for a DCV parameter before you apply the
security policy that includes the parameters. If you do not, when you apply
the security policy, the policy validator generates a warning that the
security policy contains dynamic parameters that do not have extractions
defined.
Object types: Use this setting when you want the system to extract dynamic parameters from files of a certain type. Note that the available object types are those that are already a part of the security policy.
Web objects: Use this setting when you want the system to extract dynamic parameters from specific web objects.
Regexp: Use this setting when you want the system to extract dynamic parameters that match a regular expression pattern. Note that this setting is available only when you select Advanced (above the Extract Items area).
All items: Use this setting when you want the system to extract dynamic parameters from all text-based objects and object types. Note that this setting is available only when you select Advanced (above the Extract Items area).
Search in links: Use this setting when you want the system to extract dynamic parameter values from links (href tags) within an object.
Search entire form: Use this setting when you want the system to extract dynamic parameter values from all areas of a form.
Search within form: Use this setting when you want the system to extract dynamic parameter values from a specific frame or parameter within a form.
Search in XML: Use this setting when you want the system to extract dynamic parameter values from within XML entities.
Search in response body: Use this setting when you want the system to extract dynamic parameter values from the body of a response.
Configuring an extraction
You can configure an extraction that creates a global DCV parameter. When
you create an extraction by using the Extractions screen, you have the option
of associating it with an existing DCV parameter, or creating a new
parameter (by typing a new name in Step 6 of the following task). If you
type a new name, the system automatically creates a new global DCV
parameter, because extractions must be associated with a DCV parameter.
They cannot exist independently.
To create an extraction
1. On the Main tab of the navigation pane, expand Application
Security and then click Web Applications.
The Web Application Groups screen opens.
2. In the Name column, click the name of the web application for
which you are creating an extraction.
The Web Application Properties screen opens.
3. In the Security Policies List area, in the Security Policy Name
column, click the name of the security policy that will enforce the
extraction.
The Policy Properties screen opens.
8 Refining the Security Policy Using Learning
Tip
For a description of the violation types, refer to Understanding security
policy violations, on page 5-38.
Tip
For more information on the Ignored Items list, see Overview of the
Ignored Items screen, on page 8-9.
As the learning suggestions diminish, you can turn on blocking for those
violations for which you receive no learning suggestions for several days.
The Learning Manager does not generate learning suggestions for all
possible violations. As such, we recommend that you review the violations
report, in the Forensics information, before you start enabling the blocking
mode, to ensure that those violations are not occurring. For more
information on enabling the blocking mode, see Configuring the blocking
mode, on page 5-6.
Important
Use these guidelines only when you are processing learning suggestions
generated from known, trustworthy traffic. When you are processing
learning suggestions from real client traffic, each learning suggestion or
violation must be considered a potential threat.
Important
The Learning Manager does not generate learning suggestions for requests
that cause non-existent object violations if the web server sends an HTTP
response with status codes in the 4XX or 5XX range.
9 Working with the Statistics and Monitoring Tools
Note
If, on the Blocking Policy screen, only Learn flags are enabled, the
Executive reports screen displays no data because the system does not issue
any alerts. See Working with the Blocking Policy settings, on page 5-35,
for more information.
4. Click Go.
The screen refreshes, and the Forensics list displays only those
events that match the specified time criteria.
10 General System Options
Note
If you are unfamiliar with regular expression syntax, you can find many
helpful books at technology book web sites.
Important
In general, we recommend that you use the system-supplied regular
expressions as is. If you are an advanced user, and you are familiar with
POSIX-compliant regular expressions, then you may want to create
user-defined regular expressions to add to the regular expressions pool.
Important
We strongly recommend that you use the RegExp Validator to validate the
syntax of any user-defined regular expressions.
You can modify the default pool's contents on a global level, or within the
context of a security policy. The following sections of this chapter explain
how to modify the default pool on a global level. To modify the regular
expressions within the context of a security policy, refer to Working with the
negative regular expressions pool, on page 5-10.
Important
Restoring the default settings for the default negative regular expression
pool does not update specific security policy pools with any regular
expressions that you may have removed. See Adding a negative regular
expression to the pool for a security policy, on page 5-11, for more
information.
A Internal Parameters for Advanced Configuration
Important
We recommend that you change the values for the internal parameters only
with the guidance of the technical support staff.
Table A.1 lists the internal parameters, their default value, and a description
of their purpose.
cookie_renewal_time_stamp (default: 300): Defines how often the bd utility renews the ASM cookie time. This internal parameter is tightly coupled with cookie_expiration_time_out (in seconds).
B Upgrading from TrafficShield 3.2.X to BIG-IP Application Security Manager
Introduction
This appendix describes, in detail, the standard process for upgrading a
TrafficShield Application Firewall version 3.2.X system to BIG-IP
Application Security Manager version 9.4. This upgrade completely
replaces the version 3.2.X software, and cannot be reversed.
The upgrade process involves the following tasks.
Prepare the system for the upgrade.
Back up the current 3.2.X configuration and export the configuration
file to a remote location.
Run the collect_ts_info.pl script on the 3.2.X system, and save the
resulting file to a remote location. The collect_ts_info.pl script
collects configuration information that you will need once you have
installed the version 9.4 software.
Install the BIG-IP Application Security Manager software.
License the version 9.4 software. You must obtain a new registration key
to license the software. To obtain the new registration keys, contact F5
Technical Support with the serial numbers from the units you are
upgrading.
Configure the local traffic, network, and system settings.
Configure the application security class and web application settings.
Import the saved security policies into the new configuration.
Important
Because each deployment of TrafficShield Application Firewall is unique,
this document covers the more general and common tasks related to the
upgrade process. You must evaluate your individual requirements to finalize
the upgrade.
Upgrade compatibility
You can apply the version 9.4 upgrade only to systems running
TrafficShield Application Firewall, version 3.2.0 or version 3.2.1, on the
4100 hardware platform. F5 Networks does not support this upgrade on any
other source or target versions.
Additional resources
In addition to this guide, the following technical publications and other
resources provide extensive information on the functionality of the BIG-IP
9.X systems:
BIG-IP Network and System Management Guide
Configuration Guide for BIG-IP Local Traffic Management
The Ask F5 Technical Support web site, http://tech.f5.com
The release notes for this release
Run the collect_ts_info.pl script on the 3.2.X system. This script collects
configuration information that you will need once you have installed the
version 9.4 software.
Tip
The system saves the exported configuration file using a default naming
convention, ts_config_mm-dd-yy_hh-mm.tsc, where mm-dd-yy_hh-mm
represents the date and time at which you first save the file. You can modify
the name before saving the file, as required.
Note
For details on installing the service pack on a version 3.2.X system, refer to
the readme file that is available from the location of the service pack.
Note
We recommend that you review the tasks associated with both installation
methods, and then decide which method best suits your needs.
Important
You must connect the PXE installation server to the same network to which
the management port on the BIG-IP unit is connected.
Note
If you are installing the software by directly connecting the PXE installation
server to the target 4100 system, you must use a cross-over cable to connect
to the management port (MGMT). If you are connecting the PXE
installation server by using a router or hub, then you can use a standard
Ethernet cable to connect to the MGMT port.
Once you have designated a host, you complete the following steps to
configure the host to be a PXE installation server.
Note: You may need to change the BIOS setting on the host so that
the host system tries to boot first from the CD-ROM drive, and then
from the local drive. Refer to the host systems documentation to
learn how to change the BIOS setting.
2. Press Enter to use VT100 terminal emulation, or type the name of
the terminal emulator you are using.
After you select the terminal type, the following screen opens:
Maintenance OS Options
Serve Provide network installation services
Install Install software onto hard disk
Reboot Reboot to your current system
Exit Exit to maintenance shell
3. Select the default, Serve, and then select OK (by pressing Enter).
The Network Install Setup screen opens, where you can review
important information about configuring a PXE installation server.
4. When you are finished reading the network installation information,
press Enter to continue with the setup.
The following prompt displays:
Use existing DHCP server on subnet [no]?
6. If your subnet consists only of the installation server and the target
4100 unit, or is otherwise a private subnet, you can use the default
IP addresses by simply pressing Enter after each prompt. If other
machines share the subnet, and there is a possibility of addressing
conflicts, substitute the appropriate unique IP addresses and ranges.
Note: When you enter the IP address of the server, you need to enter
only the last octet. When completing the lower and upper ranges for
the clients, enter number(s) that represent the range of IP addresses
from which the PXE server can assign IP addresses to the clients.
When you have finished entering the addresses, the system displays
a summary of the information, and asks you to confirm the
addresses.
Booting the target 4100 system from the PXE installation server
After you configure the PXE installation server, you are ready to perform
the network boot from the console of the target 4100 system on which you
wish to install the software.
Important
You must connect the PXE installation server either directly to the
management port on the 4100 unit, or to the network to which the
management interface is connected.
9. Press Enter to continue, or type the terminal type you are using. We
recommend that you use vt100.
10. A number of messages scroll by and then the BIG-IP installer script
starts. The installer script guides you through the numerous
installation options. When the installer script asks you which
software package to install, ensure that you select the LTM and
ASM version 9.4 package.
Tip: Use the arrow and Tab keys to navigate the installer script
options. Use the Enter key or highlighted letter key to select an
option from a menu, and use the spacebar to toggle select boxes on
or off.
11. After you have completed the prompts for the installer, review the
installation options you have selected.
12. To transfer the files from the PXE server and begin the installation,
press Enter.
The software takes several minutes to install. Once the installation is
complete, you see the following message on the console:
Press return to reboot the machine.
13. Press Enter, and wait for the target 4100 system to reboot.
You see a login prompt similar to this example when the system has
finished rebooting.
BIG-IP 9.4 Build 401.1
Kernel 2.4.21-9.4.0smp on an i686
bigip login:
Performing a CD installation
An alternate way to install the software is to use a USB CD-ROM that is
connected directly to the USB port on the 4100 unit.
Download the installation CD-ROM ISO image from F5 Networks and
burn an image CD, as described in Downloading the installation
CD-ROM ISO image from F5 Networks, on page B-5.
Boot the target 4100 system from the CD-ROM drive and install the
software.
9. Press Return (Enter), and wait for the target 4100 system to reboot.
You see a login prompt similar to this example when the system has
finished rebooting.
BIG-IP 9.4 Build 401.1
Kernel 2.4.21-9.4.0smp on an i686
bigip login:
Tip
You can also configure the MGMT address by using the LCD display on the
4100 unit. See the Installation, Licensing, and Upgrades for BIG-IP
Systems guide for more information on using the LCD.
3. After you run this utility and add an IP address, net mask, and
gateway to your management port, you can log in to the
Configuration utility (graphical user interface), and license the unit.
Important
You cannot use a 3.2.X registration key to license the newly-installed
version 9.4 software. Please contact Technical Support to obtain a new
registration key for the 9.4 software. For the most current information on
obtaining a new registration key, refer to the BIG-IP Application Security
Manager version 9.4 release notes, which are available at
http://tech.f5.com.
3. At the password prompt, type the default user name admin and the
default password admin, and click OK.
The Licensing screen of the Configuration utility opens.
4. To begin the licensing process, click the Activate button. Follow the
on-screen prompts to license the system. For additional information,
click the Help tab.
Important
Reboot the system once you have finished licensing the software.
Tip
For a mapping of the TrafficShield version 3.2.X settings to their BIG-IP
version 9.4 counterpart, refer to Converting 3.2.X network settings to
BIG-IP 9.4 network settings, on page B-15.
Self IP addresses
Self IP addresses are the IP addresses owned by the BIG-IP system that
you use to access devices in VLANs. For information on configuring self
IP addresses, see Chapter 8, Configuring Self IP Addresses, in the
BIG-IP Network and System Management Guide.
Important
The MGMT port address and the self IP addresses must not share the same
network.
3.2.X Network Setting | 9.4 Network Setting | For information on the version 9.4 setting, see
Service IP | Virtual Server destination address | Configuration Guide for BIG-IP Local Traffic Management, Chapter 2, Configuring Virtual Servers
IP to Web server | SNAT address or SNAT Automap (both SNAT types use self IP addresses) | Configuration Guide for BIG-IP Local Traffic Management, Chapter 13, Configuring SNATs and NATs
Server IP | Node address. Nodes become pool members in the local traffic configuration. | Configuration Guide for BIG-IP Local Traffic Management, Chapter 3, Configuring Nodes
Private IP | Primary failover address; used only for redundant systems. These are self IP addresses configured specifically for communications between the units in the redundant system. | BIG-IP Network and System Management Guide, Chapter 15, Setting Up a Redundant System
Alias IP | Floating IP address; relevant only to redundant systems. The floating IP address designation is used only on the self IP address that is shared between the units in a redundant system. | BIG-IP Network and System Management Guide, Chapter 15, Setting Up a Redundant System
Tip
Before you configure these local traffic objects, we recommend that you
review the relevant chapters in the Configuration Guide for BIG-IP Local
Traffic Management, which is available on the Ask F5 web site,
http://tech.f5.com.
To configure a node
1. On the Main tab of the navigation pane, expand Local Traffic, and
then click Nodes.
The Nodes List screen opens.
2. Click the Create button.
The New Node screen opens.
3. For the Address setting, type the IP address of the node.
4. Specify, retain, or change each of the other settings.
5. Click Finished.
The screen refreshes, and you see the newly-created node in the
Nodes List screen.
To configure a pool
1. On the Main tab of the navigation pane, expand Local Traffic, and
then click Pools.
The Pools screen opens.
2. Click the Create button.
The New Pool screen opens.
3. For the Name setting, type a name for the pool.
You now have a basic local traffic configuration. The last major task is to
create the application security configuration and associate it with the local
traffic configuration.
Note
In the Configuration utility, the application security class and the HTTP
Class profile are two labels for the same type of object. The only difference
is that, for an application security class, the Application Security setting
is enabled by default. If you disable the Application Security setting on an
application security class, you effectively turn off application security for
the associated web application.
Important
If you are importing more than one security policy for a web application, be
sure to set one of the security policies as the active security policy.
Note
When you import your 3.2.X security policies into the version 9.4
configuration, the system may generate request length violations due to
internal increases in the request size on the 9.4 platform. If you receive
request length violations on your imported security policies, you can resolve
the problem by increasing the maximum HTTP header length setting in the
security policy properties.
Important
We recommend that you take both the primary and standby units offline for
the duration of the upgrade and migration process.
Export and save the existing configuration from the TrafficShield 3.2.X
system. See Preparing the 3.2.X system for the upgrade, on page B-2, for
specific steps of this task. Note that this is an optional step for the
standby unit.
Perform the following tasks on the first unit of the redundant system.
Install the BIG-IP Application Security Manager software. See
Installing the BIG-IP version 9.4 software, on page B-5, for the
specific steps of this task.
Configure the IP address for the management interface. See
Configuring an IP address for the management interface, on page
B-11, for the specific steps of this task.
Activate the license. See Licensing the software using the
Configuration utility, on page B-12, for the specific steps of this task.
Specify the high availability settings. See Configuring the high
availability settings, on page B-23, for the specific steps of this task.
Specify the primary and (optional) secondary failover addresses. See
Configuring the failover addresses, on page B-23, for the specific
steps of this task.
Configure any VLANs and additional self IPs as required by the
networking aspect of the application security configuration. Refer to
the BIG-IP Network and System Management Guide, Chapter 7,
Configuring VLANs and VLAN Groups, and Chapter 8, Configuring
Self IP Addresses, for additional information on these features.
Configure the local traffic options. See Configuring the basic local
traffic settings, on page B-16, for additional information.
Create the application security configuration. See Creating the
application security configuration, on page B-18, and also Chapter 2,
Essential Configuration Tasks.
Perform the following tasks on the second unit of the redundant system.
Install the BIG-IP Application Security Manager software. See
Installing the BIG-IP version 9.4 software, on page B-5, for the
specific steps of this task.
Configure the IP address for the management interface. See
Configuring an IP address for the management interface, on page
B-11, for the specific steps of this task.
Activate the license. See Licensing the software using the
Configuration utility, on page B-12, for the specific steps of this task.
Specify the high availability settings. See Configuring the high
availability settings, on page B-23, for the specific steps of this task.
Specify the primary and (optional) secondary failover addresses. See
Configuring the failover addresses, on page B-23, for the specific
steps of this task.
Configure any VLANs and additional self IPs as required by the
networking aspect of the application security configuration. Refer to
the BIG-IP Network and System Management Guide, Chapter 7,
Configuring VLANs and VLAN Groups, and Chapter 8, Configuring
Self IP Addresses, for additional information on these features.
Connect the units by using the failover cable. See Connecting the
failover cable, on page B-24.
Synchronize the configuration from the first unit to the second unit. See
Synchronizing the configuration, on page B-24.
Note
The following tasks assume that you are configuring the high availability
settings as a part of running the Setup utility for the first time. For
additional information on running the Setup utility, refer to Installation,
Licensing, and Upgrades for BIG-IP Systems, Chapter 3, Licensing and
Configuring the BIG-IP System.
Important
The Application Security Manager does not recognize or use the secondary
failover addresses in the event of a failover, even if you configure them. We
recommend that you configure only the primary failover addresses.
Tip
For quick information about the redundancy settings, click the Help tab in
the navigation pane.
Units:
+-------------------+--------------+------------------+-----------------------+------+-------------+
| Unit id | Private IP | IP to WEB-Server | IP to WEB-Server mask | Role | Shield Active |
+-------------------+--------------+------------------+-----------------------+------+-------------+
| 00:00:00:00:00:00 | 172.30.40.50 | 172.30.40.51 | 255.255.255.0 | TSMS | YES |
+-------------------+--------------+------------------+-----------------------+------+-------------+
IP Alias:
Route table:
Permanent IPs:
+------+-------------------+-----------------+---------------+-----------+
| Role | Unit id | IP | Mask | Interface |
+------+-------------------+-----------------+---------------+-----------+
| TSMS | 00:00:00:00:00:00 | 192.168.10.103 | 255.255.255.0 | 0 |
+------+-------------------+-----------------+---------------+-----------+
Bcmconfig settings:
+--------------------------------------------------------------------------+
Unit Id | Interface 1.1 | Interface 1.2 |
+--------------------------------------------------------------------------+
00:00:00:00:00:00 | UP (Speed:100 FD) | Down |
+--------------------------------------------------------------------------+
Preparing web-application settings ...
Web-applications:
General settings:
+------------------+-------------------------------+--------------------------------+
| Log All Requests | Treat referrer headerinfo as HTTP | Use dynamic session in URL |
+------------------+-------------------------------+--------------------------------+
| NO | NO | NO |
+------------------+-------------------------------+--------------------------------+
HTTP settings:
+---------------+--------------+-----------------+
| Web Server IP | Service Port | Web Server Port |
+---------------+--------------+-----------------+
| 192.168.10.10 | 80 | 80 |
+---------------+--------------+-----------------+
HTTPS settings:
+---------------+--------------+-----------------+-----------------+---------+---------------------+
| Web Server IP | Service Port | Web Server Port | Keep SSL to Web | Key | Cert |
+---------------+--------------+-----------------+-----------------+---------+---------------------+
| 192.168.10.10 | 443 | 443 | YES | ssl_key.1 | ssl_certificate_inter.1 |
+---------------+--------------+-----------------+--------------+-----------+----------------------+
Policy List:
+-----------------------+
| Policy Name |
+-----------------------+
| my_webapp1_policy.com |
+-----------------------+
Users Settings:
+-----------+---------------+-----------------+--------+
| User Name | User Group | Web-Application | Active |
+-----------+---------------+-----------------+--------+
| user | Administrator | All | YES |
+-----------+---------------+-----------------+--------+
Aliases List:
Modifiers:
OK
Figure B.1 Example ts_conf.txt output file generated by the ts_collect_info.pl script
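The ts_conf.txt layout shown in Figure B.1 and the 3.2.X-to-9.4 mapping table earlier in this appendix, worked as an added Python example that is not part of this manual or of F5's ts_collect_info.pl script: it parses the dump's ASCII tables, applies the mapping table to the parsed values, and checks every masked address in the dump against the requirement that the MGMT port address and the self IP addresses not share a network. The sample text is constructed from the figure's example values, and treating the Web Server IP column as the 3.2.X Server IP is this example's assumption.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the layout of Figure B.1 (the figure's own example values, not a real configuration).
SAMPLE_TS_CONF = """\
Units:
+-------------------+--------------+------------------+-----------------------+------+---------------+
| Unit id           | Private IP   | IP to WEB-Server | IP to WEB-Server mask | Role | Shield Active |
+-------------------+--------------+------------------+-----------------------+------+---------------+
| 00:00:00:00:00:00 | 172.30.40.50 | 172.30.40.51     | 255.255.255.0         | TSMS | YES           |
+-------------------+--------------+------------------+-----------------------+------+---------------+
IP Alias:
Permanent IPs:
+------+-------------------+----------------+---------------+-----------+
| Role | Unit id           | IP             | Mask          | Interface |
+------+-------------------+----------------+---------------+-----------+
| TSMS | 00:00:00:00:00:00 | 192.168.10.103 | 255.255.255.0 | 0         |
+------+-------------------+----------------+---------------+-----------+
Preparing web-application settings ...
HTTP settings:
+---------------+--------------+-----------------+
| Web Server IP | Service Port | Web Server Port |
+---------------+--------------+-----------------+
| 192.168.10.10 | 80           | 80              |
+---------------+--------------+-----------------+
HTTPS settings:
+---------------+--------------+-----------------+-----------------+-----------+-------------------------+
| Web Server IP | Service Port | Web Server Port | Keep SSL to Web | Key       | Cert                    |
+---------------+--------------+-----------------+-----------------+-----------+-------------------------+
| 192.168.10.10 | 443          | 443             | YES             | ssl_key.1 | ssl_certificate_inter.1 |
+---------------+--------------+-----------------+-----------------+-----------+-------------------------+
"""

def parse_ts_conf(text):
    """Parse the ASCII tables of a ts_conf.txt dump into {section: [row, ...]}.
    A line ending in ':' names a section; within it the first '|' row is the
    table header and every later '|' row is a record keyed by that header."""
    sections = defaultdict(list)
    section = header = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("+"):
            continue                        # blank line or +---+ border
        if "|" not in line:
            if line.endswith(":"):          # section label, e.g. 'Units:'
                section, header = line[:-1], None
            continue                        # progress text such as 'Preparing ...'
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None:
            header = cells
        elif section is not None:
            sections[section].append(dict(zip(header, cells)))
    return dict(sections)

def map_to_v94(conf):
    """Apply the manual's mapping table: Web Server IP/Port -> node (assuming that
    column is the 3.2.X 'Server IP'), Service Port -> virtual server port,
    IP to WEB-Server -> SNAT address, Private IP -> primary failover address."""
    v94 = {"nodes": set(), "virtual_server_ports": set(),
           "snat_addresses": [], "primary_failover_addresses": []}
    for section in ("HTTP settings", "HTTPS settings"):
        for row in conf.get(section, []):
            v94["nodes"].add((row["Web Server IP"], int(row["Web Server Port"])))
            v94["virtual_server_ports"].add(int(row["Service Port"]))
    for row in conf.get("Units", []):
        v94["snat_addresses"].append(row["IP to WEB-Server"])
        v94["primary_failover_addresses"].append(row["Private IP"])
    return v94

def mgmt_conflicts(conf, mgmt_cidr):
    """Addresses from the dump (those carried with a mask) whose network overlaps
    the planned MGMT address; the manual requires the MGMT port address and the
    self IP addresses to be on different networks."""
    mgmt = ipaddress.ip_interface(mgmt_cidr).network
    candidates = [(r["IP to WEB-Server"], r["IP to WEB-Server mask"]) for r in conf.get("Units", [])]
    candidates += [(r["IP"], r["Mask"]) for r in conf.get("Permanent IPs", [])]
    conflicts = []
    for ip, mask in candidates:
        iface = ipaddress.ip_interface(f"{ip}/{mask}")   # dotted masks are accepted
        if iface.network.overlaps(mgmt):
            conflicts.append(str(iface))
    return conflicts
```

Call parse_ts_conf on the text of a real dump, then map_to_v94 and mgmt_conflicts with the MGMT address you intend to assign; a non-empty conflict list means the MGMT address must be moved to another network before the self IPs are created.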
C
Platform-Specific Hazardous Substance
Levels, for China
4100 platform
Platform-Specific Hazardous Substance Levels, for China
4100 platform
This table lists hazardous substances controlled by China, and shows how
the F5 Networks 4100 platform components conform to the standards.
C-2
Glossary
application flow
See flow.
blocking mode
A security policy is in blocking mode when one or more Block flags are
enabled. When a security policy is in blocking mode, and a request triggers
a violation, rather than forwarding the request to the corresponding web
application, the Application Security Manager returns the blocking response
page with a Support ID to the client.
buffer overflow
A buffer overflow occurs when an application attempts to store more data in
a temporary storage area than is allowed. When data in a buffer exceeds the
size of the buffer, adjacent buffers can overflow, corrupting the data already
stored there. In a buffer overflow attack, an attacker can incorporate
additional codes designed to trigger specific actions which could send new
instructions to the attacked system in order to damage the user's files,
change data, or disclose confidential information.
client-side scripting
Client-side scripting is a feature that exists on the client side (such as a web
browser) of a client-server system to extend the functionality of web pages
written in HyperText Markup Language (HTML). For example, JavaScript,
JScript, and VBScript are client-side scripting languages. See also Java
applets.
content spoofing
Content spoofing is an attack technique that attempts to trick a user into
thinking that false web site content is legitimate.
cookie
A cookie is a message sent to a Web browser by a Web server, that the
server can retrieve at a later time. The browser stores the message in a text
file. Cookies are usually used to track a user's actions when browsing a site.
See also cookie manipulation.
cookie manipulation
Cookie manipulation is the process of altering or modifying cookie values
on a client system's web browser in order to exploit security issues within a
web application. An attacker can manipulate cookie values on the client
system to fraudulently authenticate themselves to a web site. See also
cookie.
cross-site scripting
Cross-site scripting (XSS) is a type of exploit where information from one
context, where it is not trusted, can be inserted into another context, where it
is. For example, an attacker can insert malicious coding into a link that
appears trustworthy, but when a user follows the link, the embedded code is
submitted as a part of the client system's request, which could allow the
attacker access to the client system. See also client-side scripting.
Denial of Service
Denial of Service (DoS) is an attack technique on a network or web site that
is designed to render the network or site useless by flooding it with
excessive traffic. Processing the excess traffic can consume CPU cycles,
memory usage, traffic bandwidth, and disk space, causing the system to
become inaccessible to normal activity.
directory traversal
Directory traversal is an exploit that lets attackers access restricted
directories and execute commands in areas beyond the normal web server
directory. User access to web sites is typically restricted to the document
root directory, or CGI root directory.
dynamic parameter
A dynamic parameter is a parameter whose set of accepted values can
change, and usually depend on the user session. For example, within a
banking web application, the account number parameter is a dynamic
parameter, since each user has one or more unique account numbers. See
also static parameter.
dynamic value
See dynamic parameter.
entity
An entity is one of the many components of a web application. Web objects,
flows, parameters, and character sets are all examples of entities.
entry point
An entry point is a web page from which a user can access the
corresponding web application.
flow
Flow is the defined access path for a browser to get from one object to
another specific object within a web application. Flow is also known as
application flow.
flow parameter
Parameters that are defined within the context of an application flow are
known as flow parameters. See also global parameter, web object
parameter.
global parameter
Within the Application Security Manager configuration, global parameters
are defined parameters that are not associated with a specific web object or a
specific application flow. The Policy Enforcer validates global parameters
wherever they occur. See also flow parameter, web object parameter.
HTTP class
See application security class.
Java
Java is a programming language developed by Sun Microsystems. Java
programs can run on most computing platforms because runtime
environments exist for most common operating systems. See also
client-side scripting, JavaScript.
Java applets
Java applets are small Java applications that can be embedded in a web page
and run on a client system by a Java-compatible web browser. See also
client-side scripting, Java, JavaScript.
JavaScript
JavaScript is a scripting language that is used to create dynamic or
interactive web page content. See also client-side scripting, Java applets.
known directory
See predictable file location.
learning process
The learning process is the process of making a security policy more
accurate by verifying how the security policy complies with traffic requests.
If the learning process finds discrepancies between the security policy and
the traffic requests, it translates the discrepancies into a learning suggestion
for modifying the security policy.
learning suggestion
When a request triggers a violation, and the Learn flag is enabled for that
violation, the Learning Manager generates a learning suggestion. The
learning suggestion contains information about what in the request caused
the violation.
meta character
A meta character is a special character in a program or form field that can
control or give information about other characters. They may have special
meaning to programming languages, operating systems, or database queries.
null injection
Null injection is an attack technique that bypasses sanity checking filters by
adding null-byte characters to a URL. If a user-input string contains a null
character (\0), the web application on the site may stop processing the string
at the null insertion point. This is a form of meta character injection. See
also meta character injection, parameter tampering.
object
See web object.
OS commanding
OS commanding is an attack technique where an attacker runs operating
system commands by manipulating application input. See also form field
manipulation, parameter tampering.
parameter
See flow parameter, global parameter, web object parameter.
parameter tampering
Parameter tampering is an attack technique in which the attacker tries to
gain access to the web application by changing the parameter name and
value pairs in a URL. This exploit is also referred to as URL manipulation.
See also URL manipulation.
referrer
A referrer is a web page that can request other objects. For example, an
HTML page can request a GIF, JPG, or PNG file. The HTML page is a
referrer; the image files are not.
regular expression
A regular expression (regexp) is a sequence of characters that provides the
user with a powerful, flexible, and efficient text processing tool.
safe traffic
Safe traffic is traffic generated by a controlled group of users, those who are
known not to be potential attackers.
security policy
In the Application Security Manager, the security policy is a set of rules that
enables the Application Security Manager to understand whether a request is
valid for a web application.
session credential
A session credential is a string of data that identifies a user to a web server.
This string can be contained in a cookie or in the URL. See also session ID.
session fixation
Session fixation is a technique that an attacker can use to force a different
value to a user's session credential. See also session credential, session ID.
session hijacking
Session hijacking is the act of compromising a user's session. If an attacker
hijacks a user's session, the attacker may appear to be the legitimate user to
the web server. See also session credential, session ID.
session ID
A session ID is a string of data that identifies a user to a web server. This
string can be contained in a cookie or in the URL. A session ID can track a
user's session as the user browses the web site.
session manipulation
Session manipulation is an attack technique where an attacker alters a
session ID or session credential value in order to masquerade as a different
user. See also session credential, session hijacking, session ID.
SQL injection
SQL injection is an attack technique used on database-driven web sites
where an attacker runs unauthorized SQL commands by exploiting insecure
code on a system to bypass the firewall in front of the SQL database. See
also form field manipulation, parameter tampering.
static parameter
A static parameter is a parameter in a request whose values are chosen from
a known set of values, for example, the name of a country, a Yes/No form
field, and so on. See also dynamic parameter.
static value
See static parameter.
target frame
A target frame is the frame in a browser session to which the web object is
loaded.
transparent mode
A security policy is in transparent mode when blocking is disabled. When a
security policy is in transparent mode, the Application Security Manager
forwards all requests to the web application. See also blocking mode.
URL manipulation
URL manipulation describes the process of changing the parameter name
and value pairs of a web application. Also known as parameter tampering.
web application
A web application is an application delivered to users from a web server to a
web client, such as a web browser, over a network.
web object
A web object is an individual page within a web application. See also
referrer.
Index
J
JavaScript code
  analyzing 6-7

K
known attack patterns
  recognizing 5-10
known threats
  protecting web applications 2-8

L
language encoding
  and default character set 5-31
  for web applications 4-2
  support for double-byte 4-2
  support for single-byte 4-2
Learn flag
  and blocking mode 5-7
  enabling learning suggestions 8-2
Learn flag, about 5-36
learning
  and target security policy 4-5
Learning data
  refining a security policy 8-1
Learning Manager
  about 8-1
  processing learning suggestions 8-5
Learning process
  and configuring parameters 7-14
  and enabling blocking mode 5-7
  and length violations 5-39
  configuring flows 5-27
Learning process resources 8-1
learning suggestions
  accepting 8-5

M
Malicious parameter value 5-40
mandatory parameters
  and application flows 7-10
maximum cookie header length 5-8
maximum HTTP header length 5-7
Merge Report 5-45
merge security policy 5-45
meta characters
  for user-input parameters 7-15
Modified ASM cookie violation 5-41
Modified domain cookie(s) violation 5-41
Modified icon 5-33
monitoring tools
  about 2-12, 9-1

N
Navigation Parameters
  configuring 5-19
navigation parameters
  deleting 5-19
  editing 5-19
navigation parameters property 5-2
negative logic check 5-23
negative regular expressions
  system-supplied 10-3
negative regular expressions pool
  for security policy 5-10
  removing entries from 5-13
  viewing 5-10
negative security logic
  defined 2-8
negative security violations
  about 5-42
  types of 5-42
no_ext object type 5-21
  about 5-1
  applying negative regular expressions to 5-11
security policy management 10-1
security policy properties
  about 5-1
  and flow mode 5-9
  and maximum cookie header length 5-8
  and maximum HTTP header length 5-7
security policy versions 5-48
security policy violations
  and blocking mode 2-11
  detecting legitimate 8-2
  generating alarms 5-6
  tracking trends 9-1
  types 5-38
security reports
  about 9-1, 9-4
  filtering 9-4
  viewing 9-4
send to pool action
  in application security class 3-7
sensitive data, managing 5-16
sensitive parameters
  deleting 5-17
  editing 5-17
  in web applications 5-16
Sensitive Parameters property
  about 5-2
  configuring 5-16
  creating 5-16
server SSL settings
  and Policy Builder domains 6-3
session IDs
  and DCV parameters 7-13
simple flow mode
  and entry points 5-26
standard security level
  about 2-7, 5-4
  and object types 5-22
start point
  and Generated Traffic operation mode 6-4
  configuring for Policy Builder 6-4
  defined 6-4
static content value parameters
  See static parameters.
static parameters
  about 7-13
  See also dynamic parameters
statistics reports 9-1
stylistic conventions 1-7
support ID
  and blocking mode 5-6
system resource allocation
  for Policy Builder Generated Traffic operation mode 6-16

T
target security policy
  about 4-5
  and learning 4-5
TCL expressions
  using 3-3
Tcl expressions
  rewriting URIs 3-8
Technical Support web site 1-9
traffic classifier types 3-1
traffic classifiers
  applying 3-3
  for cookies 3-6
  for headers 3-5
  for hosts 3-3
  for URI paths 3-4
  in application security classes 3-1, 3-3
Traffic Learning screen
  and Learning process 8-1
  processing learning suggestions 8-5
traffic sampling
  and Policy Builder Continuous Mode 6-19
  enabling 4-4
  for Policy Builder 4-4
TrafficShield Application Firewall
  upgrade compatibility B-1
  upgrading to BIG-IP version 9.4 B-1
transparent mode
  and blocking 5-6
  configuring 5-35
  defined 2-1, 5-6

U
ungrouped web applications 4-7
unknown threats
  protecting web applications from 2-8
upgrading software
  and exporting security policies 5-45
URI paths traffic classifier 3-4
user activity
  and application security 10-2
  logging actions 10-2
user management 10-1
user roles
  about 10-1
  using Application Security Policy Editor role 10-1
user-defined regular expressions
  adding user-defined to security policy 5-11
  creating 10-3
  validating 10-4
user-input parameters
  about 7-13
  and alpha-numeric data type 7-15
  and binary data type 7-16
  and configuring parameter characteristics 7-15