Introduction
Web applications receive many different types of requests, from anywhere and for any reason. Some requests are legitimate and can be handled as the web application intended. Other requests might be malicious or illegitimate and abuse the logic of your web application, consume bandwidth, or deplete resources on your application server.
ASM is an advanced web application firewall that protects Layer 7 applications and their data by defending against web-based attacks which can bypass traditional network firewalls.
With ASM you get the flexibility to create either a negative or a positive security model.
A negative security model is also known as a blacklist model: it allows everything and denies only what is explicitly disallowed. The main advantages of implementing a negative security model in the network are that it can be deployed rapidly and that it does not generate many false positives. A negative security model cannot prevent zero-day attacks because of this behavior. F5 ASM initially works on a negative security model with attack signature enforcement.
A positive security model is also known as a whitelist model: it denies everything and allows only what is explicitly allowed. All firewalls, including F5 LTM, work on this model. The main advantage of implementing a positive security model in the network is that zero-day attacks can be prevented. For F5 ASM we need to tighten the security policy to step up to a positive security model.
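To make the difference concrete, here is a small Python model of the two approaches, added for this post and not F5 code: a blacklist of constructed signatures for the negative model, and a whitelist of learned file types, URLs and parameters for the positive model. The signature names, the login page and its parameters are all assumptions.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Constructed signatures for the negative (blacklist) model; hypothetical, not F5's set.
SIGNATURES = {
    "sql_union_select": re.compile(r"union\s+select", re.I),
}

@dataclass
class PositivePolicy:
    """Whitelist of learned entities; anything not listed is a violation."""
    file_types: set
    urls: set
    parameters: dict  # URL path -> set of allowed parameter names

def negative_model(request_url: str) -> list:
    """Blacklist: return the matching signature names (empty list = allowed)."""
    return [name for name, rx in SIGNATURES.items() if rx.search(request_url)]

def positive_model(policy: PositivePolicy, request_url: str) -> list:
    """Whitelist: return one violation per entity that is not explicitly allowed."""
    parts = urlsplit(request_url)
    last_segment = parts.path.rsplit("/", 1)[-1]
    file_type = last_segment.rsplit(".", 1)[-1] if "." in last_segment else "no_ext"
    violations = []
    if file_type not in policy.file_types:
        violations.append(f"Illegal file type: {file_type}")
    if parts.path not in policy.urls:
        violations.append(f"Illegal URL: {parts.path}")
    allowed = policy.parameters.get(parts.path, set())
    for name in parse_qs(parts.query, keep_blank_values=True):
        if name not in allowed:
            violations.append(f"Illegal parameter: {name}")
    return violations

def evaluate(policy: PositivePolicy, request_url: str) -> dict:
    """Decision of each model for one request: 'allow' or 'block'."""
    return {
        "negative": "block" if negative_model(request_url) else "allow",
        "positive": "block" if positive_model(policy, request_url) else "allow",
    }

# Constructed policy learned from legitimate traffic to a hypothetical login page.
LOGIN_POLICY = PositivePolicy(
    file_types={"php", "css"},
    urls={"/login.php", "/style.css"},
    parameters={"/login.php": {"user", "password"}},
)
```

An unknown parameter such as debug=1 passes the blacklist and is caught only by the whitelist, while a known injection pattern is caught by the signature and not by the entity whitelist; that is why ASM keeps attack signature enforcement on while the policy is tightened toward a positive model.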
ASM Protection Ways
ASM protects against the OWASP Top 10 vulnerabilities and can help to meet PCI compliance. Additionally, ASM can mask details in HTTP responses, such as response codes, credit card numbers, and any other sensitive data identified by the administrator. If needed, ASM can also prevent clients from obtaining specific resources, such as documents, from a web server. A BIG-IP system with ASM licensed and provisioned is required.
External traffic will flow through a network firewall and then make its way to the BIG-IP system where a virtual server will apply a security policy. A security policy is a collection of rules that determine what types of security checks will be applied to all HTTP requests.
In layman's terms, the security policy ASM applies is a set of rules which is controlled and defined using a local traffic policy. As an administrator, you create a security policy and attach it to a virtual server; the system in turn automatically creates a local traffic policy. The local traffic policy forms a logical link between the local traffic components and the application security policy.
Based on the security policy, ASM will determine whether the traffic is illegitimate or legitimate. Depending on the policy settings, our virtual server will either permit the request to reach the web server that hosts our web application or block the request.
The first step in onboarding any application is to talk with the application owners and learn about the infrastructure of the network you are trying to protect. It will save you time and headaches in the long run. Make a checklist to gather information such as the application language, the framework it uses, the OS it runs on, whether it uses WebSocket or HTTP/HTTPS, which parameters are used, predefined file types, URLs, and all other items and entities of the application. ASM examines the traffic to ensure that it meets the requirements of the security policy. It is a life cycle of creating the policy and then tuning it further.
ASM Protection Types
Some of the most commonly used templates are Rapid Deployment, Fundamental, and Comprehensive. Templates for specific applications, such as OWA and SharePoint, are also available in F5.
The Rapid Deployment security policy provides security features that minimize the number of false positive alarms and reduce the complexity and length of the deployment period. The system creates a simple security policy that protects against known security problems, such as evasion attacks, data leakage, and buffer overflow attacks.
The Rapid Deployment security policy operates in transparent mode (meaning that it does not block traffic unless you change the enforcement mode and enforce the policy). If the system receives a request that violates the security policy, the system logs the violation event but does not block the request. Suggestions for changes to the policy are added to the Traffic Learning screen.
The Fundamental template provides enhanced security during the policy building process as the policy actively blocks violations. The Fundamental template is recommended for intermediate users and may require more time to fine-tune.
The Comprehensive template is intended to provide maximum security, with all violations, features, and learning turned on. This template is recommended for expert users.
ASM Protection Fine Tuning
One of the difficulties in configuring a security policy is differentiating between violations which are actual attacks and those which are not. Some violations might be triggered by illegitimate activity; other violations might be triggered by legitimate activity and reveal a flaw in the security policy. We call these types of violations false positives.
Through the process of Learning, ASM helps eliminate false positive violations and helps to tune the security policy by parsing all HTTP requests, categorizing the elements of each request, and identifying them as potentially malicious or not over time.
Learning suggestions
ASM generates learning suggestions for requests that cause violations; the system also suggests adding legitimate entities such as URLs, file types, or parameters that often appear in requests. The requests that caused learning suggestions can be examined to refine the security policy, and the suggestions contain recommendations to relax the security policy.
When dealing with learning suggestions, make sure to relax the policy only where false positives occurred, and not in cases where a real attack caused a violation. You can use the violation ratings to help determine how likely it is that a request was caused by an attack.
Policy Mode
When building a security policy manually, the learning mode is set to Manual, and when building a policy automatically, the learning mode is Automatic.
If the Policy Builder is in Automatic learning mode, it automatically takes the suggested action when the score (also known as the Learning Score) reaches 100 percent. (The score percentage is indicated on the screen.) A suggestion reaches a score of 100% if that suggestion occurs frequently, if the chances of that traffic being a real violation are low, and/or if the traffic that triggered the suggestion comes from a trusted IP address.
When you are creating a security policy, you specify an enforcement readiness period that indicates a staging period for entities and attack signatures (typically 7 days). When entities or attack signatures are in staging, the system does not enforce them. Instead, the system posts learning suggestions for staged entities.
When the enforcement readiness period is over and no learning suggestions have been added for the duration of the staging period (the default is 7 days), the file type, URL, parameter, cookie, signature, or redirection domain is considered ready to be enforced. Particularly if you are using manual learning, you can delve into the details to decide whether you want to enforce these entities in the security policy. From the Enforcement Readiness summary on the Traffic Learning screen, you can enforce selected entities in the security policy, or you can enforce all of the entities and signatures that are ready to be enforced. If you are using automatic learning, you can still enforce entities manually, but the Policy Builder enforces entities according to the learning and blocking settings, so you do not need to enforce entities in the security policy yourself.
Congrats! You now have an F5 BIG-IP ASM policy that will certainly help protect your applications. In addition to this post, please check out our other blog posts on F5 BIG-IP's Application Security Manager.
Welcome to NetMinion Solutions, a leading education training institute/company to nurture minds and fostering a passion for learning. No matter if you are a beginner or a professional – our dedicated faculty and state-of-the-art facilities create an enriching environment where you can explore, innovate, and grow exponentially – academically and personally both.