mframpton_60606
Oct 31, 2008

Encrypted database?

Does anyone know if the backend database that stores the learned information is encrypted? We have sensitive information going through our ASM that needs to either be x'ed out or encrypted to keep with our PCI compliance. We noticed that this information was being logged as clear text. I found the option to x out via parameter name, however I cannot seem to find anything that tells me if the backend database is encrypted or also clear text.
TIA!
  • Bill_Beverley_7 (Historic F5 Account)
    Hi,

    Further to Aaron's post - for PCI compliance purposes I would suggest that you configure the ASM's "Sensitive Parameters" settings (Application Security -> Policy, Advanced Tab -> Sensitive Parameters).
    By assigning parameters as sensitive, their values will be replaced with *'s in the log files (local and/or remote) and in the MySQL database. My understanding of the PCI auditing process is that this would remove the requirement to encrypt the logs or the database columns, as they no longer contain cardholder details, but Aaron could probably give you a better steer on that than I.

    Rgds

    Bill
  • Ido_Breger_3805 (Historic F5 Account)
    Bill is correct: if you define the parameter that carries the encrypted information as "sensitive", ASM will not log its data anywhere, not in the log file and not in the internal learning database. This will solve your compliance issue.

    Cheers,

    Ido
  • Thanks for the responses!

    The problem that lies with the sensitive parameters option is that it requires that you know the parameter that uses that information. That's all well and good if your company has a firm grip on how those parameters are defined. Unfortunately our company at this time doesn't dictate what parameter names the application programmers can use, thus making it impossible for us (the network folks) to ever be 100% sure all values are getting caught. I was hoping there might be a more global way to filter, but I haven't found it yet. We may have to export the database and scan it somehow.
  • hoolio (Cirrostratus)
    I think it would be prohibitively expensive in terms of performance to do some kind of wildcard or regex match against all parameter values to mask potentially sensitive data in logs/database. But maybe it would still be a worthwhile enhancement request to make to F5.

    You can run asmqkview from the command line to dump the MySQL database to a text file (gzip compressed tar archive).

    tar xvfz /var/tmp/asm_snapshot.example.com.tar.gz *asm_mysql.dump

    You could search for credit card numbers or other sensitive data using regexes.

    Aaron
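A worked version of the dump scan Aaron suggests, added here as an example and not part of his post or of any F5 tool: it pulls 13 to 19 digit candidates out of each line of the extracted `asm_mysql.dump`, keeps only those that pass the Luhn check (which removes most order IDs and timestamps that a bare digit regex would flag), and reports them masked together with the preceding text so you can see which parameter name leaked. The sample dump text and the table name `sample_params` are constructed for the example; the real dump format is whatever asmqkview produces on your system.

```python
import re
import sys
from dataclasses import dataclass
from typing import List

# Constructed sample in MySQL-dump style; not real ASM data or schema.
SAMPLE_DUMP = """\
INSERT INTO `sample_params` VALUES (1,'cc_number','4111-1111-1111-1111');
INSERT INTO `sample_params` VALUES (2,'order_id','1234567890123456');
INSERT INTO `sample_params` VALUES (3,'card','5500 0000 0000 0004');
INSERT INTO `sample_params` VALUES (4,'pan','****************');
"""

# 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Hit:
    line_no: int   # line in the dump where the candidate was found
    masked: str    # first six and last four digits only
    context: str   # text preceding the match, usually the parameter name


def scan_dump(text: str) -> List[Hit]:
    """Find Luhn-valid card-number candidates in dump text, masked."""
    hits: List[Hit] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if not luhn_ok(digits):
                continue
            masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
            hits.append(Hit(line_no, masked, line[max(0, m.start() - 40):m.start()]))
    return hits


if __name__ == "__main__":
    src = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for h in scan_dump(src):
        print(f"line {h.line_no}: {h.masked}  <- ...{h.context}")
```

Run it as `python scan.py asm_mysql.dump`; with no argument it scans the constructed sample and reports lines 1 and 3 but not the non-Luhn order ID on line 2.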
  • I'm pretty sure there is an existing enhancement request open to add the ability to define sensitive parameters by wildcards (thus defining a single "*" would give you the functionality you're looking for), so I'd definitely suggest firing up a support case to at least have your voice added to that request.

    Aaron