For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Nik_67256's avatar
Nik_67256
Icon for Nimbostratus rankNimbostratus
Aug 07, 2012

Data Guard - End users perspective

  Hello All,     Im trying to understand data guard better fro man end user perspective. The queries are:-       1) What effect does checking the SSN checkbox and not checking mask ...
config
design
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Aug 08, 2012
Hi Nik,

 

 

1) What effect does checking the SSN checkbox and not checking mask checkbox have ?

 

 

No effect:

 

 

From the online help:

 

If the security policy’s enforcement mode is Transparent and the Mask Data check box is checked, the system encodes the sensitive data by returning asterisks to the client instead of the sensitive data. (The system also returns asterisks if the enforcement mode is Blocking, the Data Guard: Information leakage detected violation Block check box is cleared, and the Alarm check box is checked.)

 

If the security policy’s enforcement mode is Blocking, and the Block check box for the Data Guard: Information leakage detected violation is checked, the system blocks the response.

 

 

 

You can check SOL8363 for details on Data Guard:

 

 

 

sol8363: Using the Mask Data setting to encode sensitive data returned by the BIG-IP ASM

 

https://support.f5.com/kb/en-us/solutions/public/8000/300/sol8363.html

 

 

When the security policy is in Transparent mode and the Mask Data setting is selected, the BIG-IP ASM encodes sensitive data returned by the web server by returning asterisk ( * ) characters to the client instead of the sensitive data.

 

 

When the security policy is in Blocking mode and the Mask Data setting is selected, and Information leakage detected blocking is disabled, the BIG-IP ASM encodes sensitive data by returning asterisks to the client instead of the sensitive data.

 

 

 

2) Will checking the mask data as well completely mask (****) the SSN . If so how are legitimate end users who need to work with the SSN work

 

 

Yes. They couldn't. How do you want ASM to differentiate between legitimate end users and those that should not be able to retrieve content containing SSNs? If you can differentiate between legitimate and illegitimate users you could send them to separate ASM policies with the check disabled.

 

 

3) I believe if in transparent mode and mask data and SSN is enabled , then SSN gets displayed as "*****" - is this understanding correct ?

 

Yes, see 1)

 

 

4) I believe if in Block mode and mask data and SSN is enabled , then SSN gets Blocked ot the end user - is this understanding correct ?

 

Yes, see 1)

 

 

5) If we do need to allo SSN data to be displayed to some end users while mask SSN data data to others , how do we do it ?

 

See 2)

 

 

Aaron