You heard us talk about WAFs and ASM. So now it’s time to discuss how to create a basic F5 BIG-IP ASM Policy which is a security policy using F5’s Application Security Manager (ASM). With ASM you get the flexibility to both create a negative or positive security model. Negative security model means: I will block bad stuff. Positive security model means: I will only allow known good application traffic, everything else will be blocked.
Here is where I like to start — these instructions are for version 13:
1. Talk to the application owner.
The first step is to learn about the infrastructure of the application you are trying to protect. If this is your own application then obviously you can skip this step. However, if you are applying policies for someone else, get in contact with the developers and learn about their system. It will save you time and headaches in the long run. Google also has an awesome tool called Wappalyzer, a browser plug-in that detects which servers and frameworks a website is currently using. Once you have a basic understanding we can dive into creating a policy.
2. Create the new F5 BIG-IP ASM Policy
Go to Security > Application Security > Security Policies > Create New Policy
In the first field you will name the policy. Personally, I recommend naming the policy after the virtual server you will be applying it to. Select Policy Type as “Security”. In the top right, select Show Advanced Settings; the Basic view will not show all the fields we need.
For a basic application we will be selecting the Fundamental policy template first. This is a good initial policy because it is a basic template that we can add to, and it is an efficient and less confusing way to implement an ASM policy. Next, under Virtual Server specify “none” — we can apply it to the Virtual Server later manually. There is no need to do it now. In the Learning field we will most definitely want to select manual learning mode. Some people prefer automatic mode; in my opinion, the control you get is worth the extra time it takes. With automatic mode, once a learning suggestion has enough hits it is added to the policy without anyone reviewing it. Note: you must select an application language before this field can be changed. We will select Unicode (UTF-8).
After selecting a language, change the learning mode to manual. Next, select any server technologies that you are aware of, such as IIS, Linux, Tomcat, MySQL and so forth. I would also disable signature staging, as well as differentiating between HTTP and HTTPS.
Now that we have filled out our settings for this policy we will hit Create. We now have a very basic policy that we can apply to a virtual server and start tuning.
3. View Policy
Go to Security > Application Security > Policy Building > Learning and Blocking Settings
This is what you should see. This page is where we fine-tune the policy; the changes made here are what turn the basic template into a policy that actually fits the application.
It shows many details about your policy, including attack signatures, content profiles, parameters, sessions, cookies and more. You will be using this menu on a daily basis while tuning the policy, so you will quickly become familiar with it.
IMPORTANT: Make sure the policy is in transparent mode when it is applied. This lets you place the policy on a production server and monitor the attacks it would have blocked, without blocking anything, so you can confirm that no legitimate requests get blocked before you switch to blocking mode.
4. Apply Policy
Now that we have finally created our policy, we are ready to apply it. Go to Local Traffic > Virtual Servers and select our VIP. Go to the Security tab at the top and click Policies. Enable Application Security Policy and select our policy. Next, make sure Log Illegal Requests is enabled as well, and finally click Update.
5. Monitor Traffic
After we have allowed traffic to flow through the policy for a few days, we can start observing the event logs and begin tuning the policy.
Go to Security > Event Logs > Application > Requests
This is where we will see requests coming in and be able to tune the policy accordingly based on the traffic that we see.
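Before switching a policy to blocking, it is worth checking that the settings from steps 2 and 3 are really what you think they are. The following is an added example, not code from this post or from F5: it audits a policy, represented as the dict that iControl REST returns for a policy object, against the settings recommended above. The field names it reads are assumptions about that representation.

```python
"""Audit an ASM policy dict against the settings this post recommends.

Added example, not code from the post or from F5. The input mirrors the JSON
that iControl REST returns for GET /mgmt/tm/asm/policies/<id>; the field
names below are assumptions about that representation, so verify them against
your BIG-IP version before relying on the output.
"""

# Settings the post chooses for a first, monitor-only policy.
RECOMMENDED = {
    "enforcementMode": "transparent",   # monitor; never block on day one
    "applicationLanguage": "utf-8",     # must be set before learning mode
    "protocolIndependent": True,        # do not differentiate HTTP/HTTPS
    "learningMode": "manual",           # review every suggestion yourself
    "signatureStaging": False,          # post disables signature staging
}

def audit_policy(policy: dict) -> list:
    """Return findings as 'field: expected X, found Y'; empty means compliant."""
    builder = policy.get("policyBuilder", {})      # assumed nested object
    sigs = policy.get("signatureSettings", {})     # assumed nested object
    actual = {
        "enforcementMode": policy.get("enforcementMode"),
        "applicationLanguage": policy.get("applicationLanguage"),
        "protocolIndependent": policy.get("protocolIndependent"),
        "learningMode": builder.get("learningMode"),
        "signatureStaging": sigs.get("signatureStaging"),
    }
    findings = [
        f"{key}: expected {want!r}, found {actual[key]!r}"
        for key, want in RECOMMENDED.items()
        if actual[key] != want
    ]
    if not policy.get("serverTechnologies"):
        findings.append("serverTechnologies: none declared; add IIS, Tomcat, etc.")
    return findings

# Constructed sample: a new policy whose defaults were left untouched.
UNTUNED_POLICY = {
    "enforcementMode": "blocking",
    "applicationLanguage": "utf-8",
    "protocolIndependent": False,
    "policyBuilder": {"learningMode": "automatic"},
    "signatureSettings": {"signatureStaging": True},
    "serverTechnologies": [],
}

if __name__ == "__main__":
    print("\n".join(audit_policy(UNTUNED_POLICY)) or "policy matches")
```

Run it against the JSON you pull from the device before moving a policy out of transparent mode; an empty result means the policy matches the settings described in this post.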
Congrats! You now have an F5 BIG-IP ASM Policy that will help protect your applications, and you are taking security into your own hands instead of leaving it to chance. In addition to this post, please check out my blog post on how to analyze requests on F5 BIG-IP’s Application Security Manager.