Forum Discussion

Vijith_182946
Feb 26, 2016

Baseline security

Hi Techies, I am on top of an ongoing implementation project of F5 infrastructure that includes all the top modules. We are in the process of setting up a new service model mainly around WAF (ASM) for our client. This is a new service for us, and lots of things are planned to establish the service. We already have a Global Target Operating Model (TOM) and Incident process, etc., and I was also asked to prepare a Security Baseline for F5 ASM. Could you guys please guide me on how I can start on this? Are there any security baseline standards (maybe generic) from F5? I thought of starting with the OWASP Top 10 as a base and mapping this to the ASM configuration. Any thoughts on this, please?

 

Cheers Vijith

 

  • It's difficult to define "baseline standards" as every application is different and there are variances in security needs. In many cases, ASM implementations begin with a security policy based on the Rapid Deployment template, which will cover the OWASP Top 10, will provide HTTP RFC compliance, attack signatures, and evasion detection protection. As you get more comfortable with ASM and improve at interpreting and handling violations, you can develop a more comprehensive policy by layering on more protection for allowing only specific file types, URLs, and various types of parameter protection.
  • Hello Mate,

     

    As Eric already said, it is difficult to define a baseline without understanding the application. However, to start with a generic approach, cover OWASP 10.

     

    For the ASM implementations, select the suitable implementation method according to your requirements. ASM can create the policy automatically according to your traffic flow, but again that depends on your requirement.

     

    -Jinshu

     

  • Thanks Erik for the reply. We have policies that work well. But what I am looking for is more of a business-side minimum/baseline level of security configuration (settings) when creating policies, like the acceptable length of a URL being 2048. We have many applications (legacy) that use more than 2048, which is considered a risk. If an alert occurs and I go back to the application team with the recommended size of 2048, he is going to ask me, 'What are your baseline configuration settings?' or he will say, 'What's F5's recommendation?' (I know it's silly and hard to explain to these guys!). We need this documentation to convince the client/business that you cannot deviate from the standards. If there is a deviation, we will ask for an RAF (Risk Acceptance Form) to be approved by management so that this risk won't be kept on our (security guys') shoulders. Simply, I need to note down all the baseline configuration settings in a document and have it approved by the security and application owners.