
BIG-IP ASM Application Security Approach (Good)

Good protection

These security features constitute a high-level security policy, providing good protection from untargeted attacks, which you can deploy with minimal administrative effort, time, and risk of disruption to your application.

  • Attack signatures
    • Add attack signatures to a new or existing security policy.
    • Select the attack signatures you need using the accuracy, severity, and system information provided for each one.
    • Assess the impact of attack signatures on an application during an initial staging period.
    • Monitor and evaluate violations in production using reporting that includes the contexts in which violations occur, details about possible attack types, and a rating for each violation.
    • Administrative effort required
      • Enable attack signatures for a new or existing policy.
      • Review reporting during staging to monitor and evaluate any false positives on new policies.
      • Automatically update your system and existing policies with the most current attack signatures.
  • Transparent enforcement mode (the system logs and alarms on violations but does not block the request); use it for:
    • Testing the security features in new policies by monitoring reported security violations.
    • Deploying new versions of applications and monitoring reported security violations.
    • Detecting patterns of malicious activity, such as attacks originating from particular geographic locations or targeting particular areas of an application.
    • Improving your awareness of application layer attacks on security policies that warrant only base-level security.
    • Administrative effort required
      • Enable the Transparent enforcement mode and the Alarm setting for the desired violations.
      • Regularly monitor reporting to review policy violation data.
  • IP Intelligence
    • The IP Intelligence feature checks the source address of each request against a continuously updated reputation feed that categorizes addresses (for example, known scanners, botnet members, and anonymous proxies), so you can alarm on or block traffic from the categories that matter to you.
    • Administrative effort required
      • License the IP Intelligence feature on the BIG-IP system.
      • Enable the feature and the Alarm setting on IP intelligence categories of interest.
      • Ensure access to the data feed.
  • Geolocation
    • IP geolocation feature identifies the origin of traffic at the country-level using a database of IPv4 and IPv6 addresses.
    • You can block or allow access to an application based on the geographic origin of the traffic.
  • Protocol compliance
    • A common attack vector is confusing web servers, web applications, and security products using malicious content hidden in HTTP requests that web servers and simple HTTP proxies often fail to detect. Many HTTP servers and proxies don’t strictly enforce protocol conformance. Instead, they focus on successfully processing the request while ignoring HTTP request attributes that aren’t compliant.
    • BIG-IP ASM protocol compliance checks perform strict and detailed HTTP validation, which surpasses that of typical proxies—including the HTTP profile in the BIG-IP Local Traffic Manager (LTM) system—and detect, log, or block non-compliant and malicious traffic. If any of the 19 protocol enforcement checks trigger false positives with your application, you can easily remove them using Policy Builder.
    • Administrative effort required
      • After a representative sample of traffic passes through a newly deployed security policy, review protocol compliance learning suggestions for false positives.
      • When the system reports a high number of violations, remove checks that are causing false positives using Policy Builder.
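The kind of strict request validation the passage contrasts with a lenient proxy, as an added example that is not F5 code and does not reproduce ASM's own check names: the check names, the allowed-method list and the sample requests below are constructed for illustration. It parses a raw HTTP/1.1 request, reports each violated check by name, and lets an individual check be switched off, which is the "remove the check that causes false positives" step described above.

```python
import re

# Hypothetical check names; these are not ASM's own violation names.
ALL_CHECKS = frozenset({
    "bad_request_line", "bad_method", "bad_version", "missing_host",
    "bad_header_name", "ctl_in_header_value", "bad_content_length",
    "duplicate_content_length", "cl_and_te", "body_length_mismatch",
})
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"}
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")  # RFC 7230 token


def check_request(raw: bytes, enabled=ALL_CHECKS):
    """Return the list of protocol-compliance checks a raw request violates.

    Only checks named in `enabled` are reported, so a check that produces
    false positives for one application can be switched off without
    weakening the others."""
    violations = []

    def hit(name):
        if name in enabled and name not in violations:
            violations.append(name)

    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:                      # no header terminator at all
        hit("bad_request_line")
        return violations
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:              # exactly: METHOD SP TARGET SP VERSION
        hit("bad_request_line")
        return violations
    method, _target, version = (p.decode("latin-1") for p in parts)
    if method not in ALLOWED_METHODS:
        hit("bad_method")
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        hit("bad_version")

    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        name = name.decode("latin-1")
        value = value.decode("latin-1").strip()
        # "Content-Length : 5" (space before the colon) fails the token rule;
        # lenient servers accept it, which is a classic smuggling trick.
        if not colon or not TOKEN_RE.match(name):
            hit("bad_header_name")
            continue
        if any((ord(c) < 0x20 and c != "\t") or c == "\x7f" for c in value):
            hit("ctl_in_header_value")
        headers.append((name.lower(), value))

    names = {n for n, _ in headers}
    if version == "HTTP/1.1" and "host" not in names:
        hit("missing_host")
    lengths = [v for n, v in headers if n == "content-length"]
    if len(set(lengths)) > 1:        # two Content-Length values that disagree
        hit("duplicate_content_length")
    if lengths and "transfer-encoding" in names:
        hit("cl_and_te")             # CL and TE together: request smuggling
    if lengths and not all(v.isdigit() for v in lengths):
        hit("bad_content_length")
    elif lengths and "transfer-encoding" not in names and int(lengths[0]) != len(body):
        hit("body_length_mismatch")
    return violations


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    smuggle = (b"POST / HTTP/1.1\r\nHost: app.example\r\nContent-Length: 4\r\n"
               b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
    print(check_request(smuggle))
    print(check_request(smuggle, enabled=ALL_CHECKS - {"cl_and_te"}))
```

A proxy that only looks for a valid request line would forward the `smuggle` request unchanged; the strict checker flags the Content-Length/Transfer-Encoding conflict, and disabling that one check (the second call) is the analogue of relaxing a check that produces false positives, leaving every other check in force.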
  • Protection from evasion techniques
    • HTTP permits several character encoding schemes, and attackers often leverage these schemes to disguise an attack. However, most network security devices rely only on simple string matching and on the input validation that comes with the application. In the same way, attackers exploit common character sequences to bypass string matching, such as using ../ (or an encoded form of it) to navigate to a parent directory of interest.
    • To reduce the risk of false positives, most security devices skip checking for these evasion techniques, because the same sequences appear in legitimate requests and are not overtly illegal or non-compliant.
    • However, most applications need protection from evasion techniques. As with the HTTP protocol compliance checks, in the BIG-IP ASM system you can enable these checks, monitor reporting, and then disable any check that causes false positives, with little risk to application performance.
    • Administrative effort required
      • After a representative sample of application traffic passes through a new security policy, the system evaluates the HTTP requests against the evasion technique violations and, depending on the learning mode, either enables the checks automatically or suggests that the administrator enable them.
  • Protection from parameter exploits (denylisting)
    • When examining an HTTP request, parameter values are one of the most important components for careful review. At the heart of many vulnerabilities associated with parameters are some common misconceptions about them, including that:
      • Only the server sets parameters (false!)
      • They are limited to a subset of server-controlled values, such as choices in an HTML form (false!)
      • Client-side JavaScript evaluates and enforces parameters, such as text input from an HTML form (false!)
    • In fact, many exploits manipulate, modify, or embed malicious content in parameter values bound for web applications.
    • The BIG-IP ASM system offers multiple methods to protect against these threats, including denylisting.
      • In this approach, when the system parses parameters (both those in URIs and those in POST payloads), it validates the values against attack signatures and metacharacter policies to identify known exploit patterns.
      • Should you encounter a false positive, Policy Builder adds that value to your security policy so that it no longer raises a violation, slightly relaxing the default policy settings for that parameter.
    • Administrative effort required
      • Enable signature detection in your security policy.
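The denylisting flow just described, together with the evasion-technique normalization, signature staging and transparent enforcement mode discussed earlier on this page, as one added example that is not F5 code: the signature names, regular expressions, metacharacter set, enforcement semantics and sample requests are all constructed for illustration and do not reproduce ASM's own signature set, violation names or decision logic. Parameters are pulled from both the query string and a form-encoded body, each value is normalized before matching so that double encoding and backslash paths do not slip past a plain string match, and a hit only blocks when the policy is in blocking mode and the hit comes from an enforced (non-staged) signature or the metacharacter policy.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Hypothetical signature set: (name, regex run on the normalized value,
# in_staging).  A staged signature reports but never blocks.
SIGNATURES = [
    ("path_traversal", re.compile(r"(^|/)\.\./"), False),
    ("sqli_tautology", re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I), False),
    ("xss_script_tag", re.compile(r"<script\b", re.I), True),  # newly added, still staged
]
# Hypothetical metacharacter policy: shell metacharacters never allowed in a value.
DISALLOWED_METACHARS = frozenset(";`|$")


def normalize(value: str, max_rounds: int = 3) -> str:
    """Undo the evasions a plain string match misses: repeated percent-
    decoding (double encoding), backslash used as a path separator, and
    redundant /./ segments.  Decoding is bounded so hostile input cannot
    keep the loop busy."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = value.replace("\\", "/")
    while "/./" in value:
        value = value.replace("/./", "/")
    return value


def extract_params(target: str, body: str = ""):
    """Name/value pairs from the query string and a form-encoded POST body;
    parse_qsl performs the first round of percent-decoding."""
    pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    return pairs


def evaluate(target: str, body: str = "", mode: str = "blocking"):
    """Return (action, findings) for one request.

    action is "pass", "alarm" or "block".  Every hit is recorded; the request
    is blocked only in blocking mode and only when at least one hit comes from
    an enforced (non-staged) signature or the metacharacter policy.
    Transparent mode turns every would-be block into an alarm, which is what
    makes it safe to put a new policy in front of live traffic."""
    findings = []
    for name, raw in extract_params(target, body):
        value = normalize(raw)
        for sig, pattern, staged in SIGNATURES:
            if pattern.search(value):
                findings.append((name, sig, "staged" if staged else "enforced"))
        bad = "".join(sorted(DISALLOWED_METACHARS.intersection(value)))
        if bad:
            findings.append((name, "metachar:" + bad, "enforced"))
    if not findings:
        return "pass", findings
    enforced = any(state == "enforced" for _, _, state in findings)
    if mode == "blocking" and enforced:
        return "block", findings
    return "alarm", findings


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for target, mode in [
        ("/dl?file=..%252f..%252fetc%2fpasswd", "blocking"),  # double-encoded traversal
        ("/search?q=%27%20OR%201%3D1--", "blocking"),         # SQL tautology
        ("/c?msg=%3Cscript%3Ealert(1)", "blocking"),          # staged signature only
        ("/ping?host=8.8.8.8%3Bid", "blocking"),              # metacharacter policy
        ("/dl?file=..%252f..%252fetc%2fpasswd", "transparent"),
        ("/search?q=hello+world", "blocking"),
    ]:
        print(mode, target, evaluate(target, mode=mode))
```

The staged `xss_script_tag` signature is the staging period from the attack signatures section in miniature: it appears in the findings for the `<script>` request, but the action stays at `alarm` until the signature is taken out of staging. Run the same traversal request with `mode="transparent"` and it also only alarms, which is the reporting-only behaviour you rely on while evaluating a new policy against a representative traffic sample.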
  • Threat campaigns
    • When you have Advanced WAF, you can subscribe to Threat Campaigns, which is a feed that provides a set of data to evaluate whether incoming requests are malicious.
    • F5 developed and maintains Threat Campaigns using active research, honeypots, and other monitoring tools to understand how a cybercriminal or criminal organization has weaponized a vulnerability: how it is being used, the payload of the attack, where the attack originates, and other data elements, including specific headers and even the shell code of the attack.
    • F5 releases Threat Campaign updates as needed. F5 may post updates several times a week as it discovers new threats. You can schedule your system to download Threat Campaigns at the same time you download attack signature updates.
    • For example, consider CVE-2017-5638, a vulnerability in the Apache Struts 2 Jakarta Multipart parser. When an exploit attempt for this vulnerability arrives carrying its characteristic string and a few other data points, Threat Campaigns can definitively identify it as an attack rather than merely suspicious input.
    • Though Threat Campaigns is a powerful tool, it is complementary to attack signatures rather than a replacement for them. For example, the request log for a CVE-2017-5638 exploit attempt shows that it triggered both the Threat Campaign and any matching attack signatures.
    • Administrative effort required
      • Subscribe to the service.
      • The BIG-IP system checks for updates every eight hours. Choose how you would like to download updates:
        • Automatically (Real Time).
        • You select the days and times (Scheduled).
        • You install them manually (Disabled).
