Day 2

1. Security Model
2. Policy Types
3. Entities
4. Data Guard
5. Rapid Deployment Policy
6. IP Address Exception
7. Policy Properties
8. Policy Tuning Detailed
Security Models

• 1. Positive Security Model :- Learn and fix the entities and parameters of the application, and allow only what is defined in the policy.

• 2. Negative Security Model :- Define all suspicious things and block them; everything else is trusted traffic and is allowed.

• Best Practice :- Use both and try to bridge the gap between them.
Positive Security Model (diagram): Client -> Allowed File Types, Allowed URLs, Allowed Parameters, Allowed HTTP Response Codes -> Web-Server

Negative Security Model (diagram): Client -> Check RFC Compliance, Evasion Detection, Attack Signature Match, Data Guard / Info Leaks -> Web-Server

What is a Security Policy & Violations?

• Security Policy :- A set of definitions for classifying HTTP traffic as legitimate or illegitimate.

• Violation :- An event which breaks a rule established in the security policy.
Deployment of Security Policy

Basic Workflow (diagram): Policy Name -> Policy Type -> Policy Template -> Virtual Server

Advanced Policy Deployment Workflow (diagram): Choose Learning Mode -> Choose Enforcement Mode -> Choose Application Language -> Choose Server Technologies -> Choose Signature Staging -> Enforcement Readiness Period
• Learning Modes :- How ASM handles the policy building process

1. Automatic :- Automatically accepts learning suggestions once they reach 100%.

2. Manual :- Requires the administrator to accept every suggestion.

3. Disable :- ASM does not create any learning suggestions.

• Enforcement Mode :- Specifies how the system processes a request that triggers a security policy violation.

• 1. Transparent :- Learns traffic and generates alarms, but does not block any traffic.

• 2. Blocking :- Learns traffic, generates alarms and blocks traffic that matches violations.
Application Language

• Every web application has an encoding language (character set) which determines the characters the browser uses to display the text.
• Ways to determine the encoding method:
• 1. validator.w3.org
• 2. packet capture: in the response header “content-type:text/html; charset=utf-8”
• 3. view source in browser
• 4. ask the developer
• 5. curl -v <ip address>
Policy Types

Policy Types (diagram): Standalone Policy | Parent Policy -> Child Policy-1, Child Policy-2, Child Policy-3

Parent Policy Inheritance Settings
Policy Building Process

• Automatic :- Automatically learns the application components and entities and builds the security policy. Mostly used for large environments and with lengthy applications.

• Manual :- Requires manual intervention to learn and understand policy entities and components; the policy building process is manual.
Automatic Policy Building Templates

Automatic Policy Template (diagram): Fundamental Policy, Comprehensive Policy

Manual Policy Building Templates

Manual Policy Template (diagram): Rapid Deployment Policy, Application Ready Policy

Overview: Rapid Deployment
• The Rapid Deployment security policy provides security features that minimize the number of false positive alarms and reduce the complexity
and length of the deployment period. By default, the Rapid Deployment security policy includes the following security checks:
• Performs HTTP compliance checks
• Checks for mandatory HTTP headers
• Stops information leakage
• Prevents illegal HTTP methods from being used in a request
• Checks response codes
• Enforces cookie RFC compliance
• Applies attack signatures to requests (and responses, if applying signatures to responses)
• Evasion technique detected
• Access from disallowed Geolocation
• Access from disallowed User/Session/IP
• Request length exceeds defined buffer size
• Disallowed file upload content detected
• Failed to convert character
• Modified ASM™ cookie
Other Policy Templates

• Passive Deployment Policy :- In passive mode, ASM analyzes a copy of the traffic but does not modify it. It cannot enforce any actions, but can log events and display reports. This method is non-intrusive; the use case is customers evaluating our products with minimal risk, no performance impact, and a need for quick deployment. A policy based on the Passive Deployment Template is recommended in this scenario because it cannot impact traffic.

• API Security Policy :- The API protection you deploy with this solution is a basic generic policy and is set up in transparent mode. It starts out with a large set of signatures from the API Security template.
Auto L7 Policy

• When we apply an ASM policy to a virtual server, an asm_auto_l7_(VS-NAME) policy is automatically created to forward traffic to the ASM module.
• This can be checked under the VIP's Resources.
• The format is asm_auto_l7_(VIP-Name).
Data Guard
• In some web applications, a response may contain sensitive user information, such as credit card
numbers or social security numbers (U.S. only). The Data Guard feature can prevent responses
from exposing sensitive information by masking the data (this is also known as response
scrubbing).
• When you mask the data, the system replaces the sensitive data with asterisks (****)
• Using Data Guard, you can configure custom patterns using PCRE regular expressions to protect
other forms of sensitive information, and indicate exception patterns not to consider sensitive.
You can also specify which URLs you want the system to examine for sensitive data.
• The system can examine the content of responses for specific types of files that you do not want
to be returned to users, such as ELF binary files or Microsoft Word documents. File content
checking causes the system to examine responses for the file content types you select, and to
block sensitive file content (depending on the blocking modes), but it does not mask the sensitive
file content.
Response headers that Data Guard inspects
• Data Guard examines responses that have the following content-type headers:

• "text/..."
• "application/x-shockwave-flash"
• "application/sgml"
• "application/x-javascript"
• "application/xml"
• "application/x-asp"
• "application/x-aspx"
• "application/xhtml+xml"
• You can configure one additional user-defined response content-type using the system variable
user_defined_accum_type. If response logging is enabled, these responses can also be logged.
• When adding URLs, you can type either explicit (/index.html) or wildcard (*xyz.html) URLs.

• When the system detects sensitive information in a response, it generates the Data Guard: Information leakage detected violation (if the violation is set to alarm or block).

• If the security policy enforcement mode is set to blocking and the violation is set to block, the system does not send the response to the client.
Data Guard Custom Patterns

• To identify something in the data, write a custom regex as below to match a numeric value in the format xxx xxx xxx:

• [0-9][0-9][0-9] [0-9][0-9][0-9] [0-9][0-9][0-9]

• This matches a 9-digit numeric value with spaces between the groups.

• Go to the website, sell an item, and in the description put “123 345 567”.

• You can validate the regular expression using the tool at Security > Options > Application Security > RegExp Validator.
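The content-type gating, custom-pattern masking and blocking behaviour described in the Data Guard sections above, as an added Python model (not ASM's own code); the exception pattern and the sample response body are constructed for the example:

```python
import re
from typing import Optional, Tuple

# Content types Data Guard inspects, per the list above: any "text/..." plus these.
INSPECTED_TYPES = {
    "application/x-shockwave-flash", "application/sgml", "application/x-javascript",
    "application/xml", "application/x-asp", "application/x-aspx", "application/xhtml+xml",
}
# Custom pattern from the page: nine digits in groups of three separated by spaces.
CUSTOM_PATTERNS = [re.compile(r"[0-9][0-9][0-9] [0-9][0-9][0-9] [0-9][0-9][0-9]")]
# Hypothetical exception pattern (constructed): an order reference that reuses the same
# digit layout but is not sensitive, so it must stay readable.
EXCEPTION_PATTERNS = [re.compile(r"ORD-[0-9]{3} [0-9]{3} [0-9]{3}")]

def is_inspected(content_type: str) -> bool:
    """True if Data Guard would examine a response with this Content-Type header."""
    media = content_type.split(";", 1)[0].strip().lower()
    return media.startswith("text/") or media in INSPECTED_TYPES

def scrub(content_type: str, body: str, block: bool = False) -> Tuple[Optional[str], bool]:
    """Apply Data Guard to one response body; returns (body_to_send, violation).

    body_to_send is None when `block` is set (policy in blocking mode and the
    Information Leakage violation set to block), i.e. the response is withheld.
    """
    if not is_inspected(content_type):
        return body, False
    exempt = [m.span() for p in EXCEPTION_PATTERNS for m in p.finditer(body)]
    violation = False

    def mask(m):
        nonlocal violation
        s, e = m.span()
        if any(xs <= s and e <= xe for xs, xe in exempt):
            return m.group(0)            # inside an exception pattern: leave it
        violation = True
        return "*" * len(m.group(0))     # same length, so exception spans stay valid

    for pattern in CUSTOM_PATTERNS:
        body = pattern.sub(mask, body)
    if violation and block:
        return None, True
    return body, violation

if __name__ == "__main__":
    # Constructed response: the item description from the page's walkthrough
    html = "<p>Description: 123 345 567</p><p>Ref ORD-987 654 321</p>"
    print(scrub("text/html; charset=utf-8", html))
```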
Data Guard Options
Managing IP address Exceptions
• An IP address exception is an IP address that you want the system to
treat in a specific way for a security policy. For example, you can
specify IP addresses from which the system should always trust traffic,
IP addresses for which you do not want the system to generate
learning suggestions for the traffic, and IP addresses for which you
want to exclude information from the logs.
• You can use the IP address exception feature to create exceptions for
IP addresses of internal tools that your company uses, such as
penetration tools, manual or automatic scanners, or web scraping
tools. You can add an IP address exception, and instruct the system
how to handle traffic coming from that address.
Block this IP Address

• To never block traffic from this IP address, select Never block this IP Address.

• To always block traffic from this IP address, select Always block this IP.

• To block according to policy rules, select Policy Default.

IP Address Exceptions Options
Policy Properties

Violations

Violations (diagram): Entity Violations, Item Violations

Entity Violations

• Generated by matches on the following:

• File Types
• URL
• Redirect domain
• Parameters
• Cookies
• Headers

Item Violations

• Generated by matches on the following:

• HTTP Protocol Check
• Attack Signature
• Evasion Techniques
• Data Guard
Violation Rating : Threat Scale

Rating  Definition
0       Not Rated / No Violation
1       Most Likely a False Positive
2       Looks like a False Positive but Requires Examination
3       Requires Further Examination
4       Looks like a Threat but Requires Examination
5       Definitely a Threat

Legal and Illegal Requests (diagram): Legal Request, Illegal Request (Triggered Violations), Blocked Request
Staging and Enforcement Modes

• Staging :- Allows ASM to build a list of false positives without dropping any packets.

• Enforcement :- Enforcing the policy or settings.

1. Transparent Mode :- Allows traffic to pass through even if it matches violations.
2. Blocking Mode :- Drops all packets matching violations and generates alarms for them.
By Default: Fundamental / Comprehensive Policy.
Enforcement Readiness Period

• The time period during which ASM inspects traffic flowing through the ASM module for the entities of that policy which are in the readiness period.

• A change in a parameter value or setting resets the readiness period.

• Default is 7 days.

• Can be changed at any time.

Traffic Suggestions

• Accept Suggestion :- Accepts the suggestion and adds the suggested parameter to the policy.

• Ignore :- Ignores the current suggestion and does not show the same suggestion again under traffic learning.

• Delete :- Deletes the suggestion from the current list, but the same suggestion can appear again if there is a match.
Parameters Flags

• Learn :- ASM generates a learning suggestion on the traffic learning page if there is a match with the parameter.

• Alarm :- ASM generates an alarm and logs the request if there is a match with the parameter.

• Block :- ASM can block a request which matches the parameter if the policy is also set to blocking mode. The blocking page is displayed in the client browser.
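How the enforcement mode, the per-violation Learn/Alarm/Block flags and entity staging combine to decide whether a request ends up legal, illegal (alarmed only) or blocked, as an added Python model that is not ASM's own code; the violation names in the sample request are constructed:

```python
from dataclasses import dataclass
from typing import List

@dataclass
class Flags:
    """Per-violation Learn / Alarm / Block settings from the policy."""
    learn: bool
    alarm: bool
    block: bool

@dataclass
class Violation:
    name: str             # constructed violation name for the example
    entity_staged: bool   # True while the matched entity is still in staging
    flags: Flags

@dataclass
class Outcome:
    status: str               # "legal", "illegal" (alarmed only) or "blocked"
    suggestions: List[str]    # violations that produce a learning suggestion
    alarms: List[str]         # violations written to the event log

def process_request(enforcement_mode: str, violations: List[Violation]) -> Outcome:
    """Decide what ASM does with a request that triggered the given violations."""
    suggestions, alarms, blocked = [], [], False
    for v in violations:
        if v.flags.learn:
            suggestions.append(v.name)   # appears on the Traffic Learning page
        if v.flags.alarm:
            alarms.append(v.name)        # logged and alarmed in either mode
        # Dropped only when the policy is in Blocking mode, the violation's Block
        # flag is set, and the entity is out of staging (staging never drops packets)
        if v.flags.block and enforcement_mode == "blocking" and not v.entity_staged:
            blocked = True
    status = "blocked" if blocked else ("illegal" if alarms else "legal")
    return Outcome(status, suggestions, alarms)

if __name__ == "__main__":
    # Constructed request carrying one staged and one enforced violation
    sample = [
        Violation("Illegal parameter", entity_staged=True, flags=Flags(True, True, True)),
        Violation("Attack signature detected", entity_staged=False, flags=Flags(True, True, True)),
    ]
    print(process_request("transparent", sample).status)   # illegal: alarmed, not dropped
    print(process_request("blocking", sample).status)      # blocked
```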
Request Options at Event Logs Page

• From the Event Logs page we can accept a request without even reviewing it on the learning page. There are 3 options available with each request.

• 1. Delete Request :- Deletes the specific request from the event log page.
• 2. Export Request :- Exports the request details.
• 3. Accept Request :- Accepts the request, and whatever suggestion it has on the traffic learning page is accepted; the same can be seen on the enforcement readiness summary page.
