Hi Mike,
I agree that there isn't a perfect default set of checks to perform for any app. Here are some thoughts though on a baseline:
I'd skip:
Mandatory HTTP header is missing - only useful if the application requires a particular HTTP header but doesn't check to see that it's present. I've never seen such a requirement in an enterprise-level app.
Failed to convert character - Not generally an issue in typical ISO-8859-1 / UTF8 web apps.
I'd add:
Illegal HTTP status in response - block 5xx responses from getting back to the client (and for cosmetic reasons, if the app does not have a custom 404 page, block 404s as well)
Illegal meta character in parameter name - consider blocking:
  < or > (XSS and other scripting attacks)
  ' (SQL injection)
  % (percent/URL encoding)
  & ; (at least one of these three characters, to prevent use in combination for Unicode encoding)
Illegal meta character in header - see above
Illegal meta character in parameter value - see above
The metacharacter checks are the ones that take the longest to tune. But once you do, you end up with a very secure policy. The policy builder can help automate this process.
Aaron
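As an added illustration (not Aaron's code and not any vendor's policy engine), here is a small Python emulation of the checks the reply proposes: the "illegal HTTP status in response" rule and the metacharacter rules for parameter names, parameter values and headers, run over a few constructed sample requests. Parameters are read in raw, undecoded form so that a `%` is seen before URL decoding; the blocked character set and the sample requests are assumptions for this example.

```python
from urllib.parse import urlsplit

# Metacharacters the reply suggests blocking; in practice the set is tuned per app.
BLOCKED_META = "<>'%&;"


def illegal_status(code: int, has_custom_404: bool = False) -> bool:
    """True for responses the policy should keep from reaching the client."""
    if 500 <= code <= 599:
        return True
    return code == 404 and not has_custom_404


def raw_params(url: str):
    """Yield (name, value) pairs from the query string WITHOUT URL-decoding,
    so a '%' is inspected before it turns into something else."""
    query = urlsplit(url).query
    for pair in (query.split("&") if query else []):
        name, _, value = pair.partition("=")
        yield name, value


def meta_violations(url: str, headers: dict) -> list:
    """Return (location, field, char) tuples for each blocked metacharacter.

    Mirrors the three checks from the reply: parameter name, parameter value
    and header. Headers such as Referer legitimately carry ';' and '%', which
    is the kind of false positive the tuning phase has to resolve."""
    found = []
    for name, value in raw_params(url):
        found += [("parameter name", name, c) for c in BLOCKED_META if c in name]
        found += [("parameter value", name, c) for c in BLOCKED_META if c in value]
    for hname, hvalue in headers.items():
        found += [("header", hname, c) for c in BLOCKED_META if c in hvalue]
    return found


# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("/search?q=shoes&page=2", {"User-Agent": "Mozilla/5.0"}),
    ("/search?q=%3Cscript%3E", {"User-Agent": "Mozilla/5.0"}),
    ("/login?user=admin'--&pw=x", {"Referer": "http://example.test/a;b"}),
    ("/item?id<=5", {}),
]

if __name__ == "__main__":
    for url, hdrs in SAMPLES:
        print(url, meta_violations(url, hdrs) or "clean")
```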