F5 ASM deployment for production traffic in transparent mode.
Hi. First of all, do you think a 7-day enforcement period is enough for traffic learning? We usually go for at least 14 days to a month. You need a sufficient amount of traffic for ASM to learn the traffic behavior. Once we have enough traffic and violation events, perform the violation analysis one by one. You need to work with the apps team and challenge them about these violations; in many cases you need to remediate the false positives, and in other cases you need to challenge them. I think you should also decide on the positive and negative security models you are planning to go ahead with. We usually follow this order of violations:
1) RFC compliance
2) Length limits
3) Valid file types
4) Valid URLs
5) Valid parameters
6) Parameter compliance
7) Valid meta characters
8) HTTP method / headers
9) Attack signatures / virus
Hope this helps.
- newf5learner_13 (Nimbostratus), Feb 23, 2017
Thanks for the reply.
What are the negative security violations in the traffic learning?
Can I accept the suggestions the policy builder listed above? Can I consider the suggestions to be valid ones to be accepted into the policy, so that they will not be triggered as events any further?
- Amine_Kadimi (MVP), Feb 23, 2017
I'm not sure exporting an application security policy and reusing it for other VIPs will bring any advantage, as most applications don't share the same components and don't work similarly; each specific application will have its own URLs, parameters, cookies, and file types that the ASM will have to know. This is the positive approach. In the negative approach, each application will need its own set of attack signatures targeting the specific components of the application (OS, database, PHP, ASP...).
- newf5learner_13 (Nimbostratus), Feb 23, 2017
Thanks, Amine and Vijith.
I read an article where it was stated that F5 recommends creating a baseline policy for the environment which includes basic security requirements that are embedded into the policy components, and that such a policy can be considered a template which can be re-used. So I was thinking I could make a standard policy and try replicating it in transparent mode with an enforcement period of 7 days for all the other VIPs.
Could you please let me know what the negative security violations in the traffic learning are? Should we allow them or enforce them?
- Amine_Kadimi (MVP), Feb 23, 2017
Negative security is "Allow all except what I already know is an attack". Positive security is "Drop all except what I already know is not an attack".
For the former, you don't really need learning because ASM already knows the attacks that must trigger drops (signatures, HTTP compliance...). You may need to activate staging for the signatures, which may be considered a kind of learning.
For the latter, this is where the learning is really significant. The ASM needs to know what normal and legitimate traffic looks like in order to drop anything else.
Yes, you need to activate the negative security violations (such as attack signatures). Enforcing an attack signature is actually removing the staging from it.
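Putting that last point into practice, as an added example that is not from the thread and not F5's code: a small Python script that pulls a policy's signature settings over iControl REST, reports which signatures are still in staging, and (outside dry-run) enforces them by clearing performStaging, skipping any signature ids the apps team rejected as false positives, then applies the policy. The endpoint paths, the performStaging property and the $filter/$top/$skip query options are my assumptions about the ASM REST API and should be checked against your TMOS version; host, credentials, policy name and the false-positive ids are placeholders.

```python
"""Review and enforce staged attack signatures on a BIG-IP ASM policy.

Added example, not from the thread or from F5. Endpoints used (assumptions,
verify against your TMOS version):
  GET   /mgmt/tm/asm/policies?$filter=name eq '<name>'   -> policy id
  GET   /mgmt/tm/asm/policies/<id>/signatures            -> per-signature settings
  PATCH /mgmt/tm/asm/policies/<id>/signatures/<itemId>   {"performStaging": false}
  POST  /mgmt/tm/asm/tasks/apply-policy                  -> push the change live
"""
import base64
import json
import ssl
import urllib.parse
import urllib.request


def staging_summary(signature_items):
    """Split a policy's signature list into staged and enforced entries.

    ASM semantics as described in the thread: a staged signature only
    alarms/learns; enforcing it means turning performStaging off, after which
    its block setting really applies. Field names follow the REST
    representation (assumption): id, performStaging, block,
    signatureReference.{signatureId,name}.
    """
    staged, enforced = [], []
    for item in signature_items:
        ref = item.get("signatureReference", {})
        entry = {
            "itemId": item.get("id"),
            "signatureId": ref.get("signatureId"),
            "name": ref.get("name"),
            "block": bool(item.get("block", False)),
        }
        (staged if item.get("performStaging") else enforced).append(entry)
    return {"staged": staged, "enforced": enforced}


def choose_to_enforce(signature_items, skip_signature_ids=()):
    """Item ids of staged signatures to enforce, minus the signature ids the
    apps team flagged as false positives during review (those stay in staging
    until the signature, URL or parameter has been tuned)."""
    skip = set(skip_signature_ids)
    return [e["itemId"] for e in staging_summary(signature_items)["staged"]
            if e["signatureId"] not in skip]


class AsmClient:
    """Minimal iControl REST client (basic auth over HTTPS)."""

    def __init__(self, host, user, password, cafile=None):
        self.base = f"https://{host}/mgmt/tm/asm"
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}",
                        "Content-Type": "application/json"}
        # Trust the management cert properly (pass cafile) instead of
        # disabling verification; a default self-signed cert fails here.
        self.ctx = ssl.create_default_context(cafile=cafile)

    def _call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data,
                                     method=method, headers=self.headers)
        with urllib.request.urlopen(req, context=self.ctx, timeout=30) as resp:
            return json.load(resp)

    def policy_id(self, name):
        flt = urllib.parse.quote(f"name eq '{name}'")
        items = self._call("GET", f"/policies?$filter={flt}").get("items", [])
        if len(items) != 1:
            raise LookupError(f"expected one policy named {name!r}, got {len(items)}")
        return items[0]["id"]

    def signatures(self, pid, page=500):
        """Page through the (multi-thousand entry) signature collection with
        $top/$skip (assumption: the collection honours both)."""
        out, skip = [], 0
        while True:
            chunk = self._call("GET", f"/policies/{pid}/signatures?$top={page}&$skip={skip}")
            got = chunk.get("items", [])
            out.extend(got)
            if len(got) < page:
                return out
            skip += page

    def enforce(self, pid, item_id):
        return self._call("PATCH", f"/policies/{pid}/signatures/{item_id}",
                          {"performStaging": False})

    def apply_policy(self, pid):
        link = f"https://localhost/mgmt/tm/asm/policies/{pid}"
        return self._call("POST", "/tasks/apply-policy",
                          {"policyReference": {"link": link}})


if __name__ == "__main__":
    # Placeholders. DRY_RUN=True only reports and changes nothing.
    HOST, USER, PASSWORD, POLICY = "bigip.example.com", "admin", "secret", "my_app_policy"
    FALSE_POSITIVES = {200000001}   # placeholder signature ids the apps team rejected
    DRY_RUN = True
    asm = AsmClient(HOST, USER, PASSWORD)
    pid = asm.policy_id(POLICY)
    items = asm.signatures(pid)
    summary = staging_summary(items)
    print(f"{len(summary['staged'])} staged, {len(summary['enforced'])} enforced")
    for item_id in choose_to_enforce(items, FALSE_POSITIVES):
        print("would enforce" if DRY_RUN else "enforcing", item_id)
        if not DRY_RUN:
            asm.enforce(pid, item_id)
    if not DRY_RUN:
        asm.apply_policy(pid)   # edits sit in the policy until it is applied
```

Run it in dry-run first and walk the "would enforce" list with the apps team, exactly as the thread suggests; only after that review should DRY_RUN be switched off, and the policy must be applied for the staging change to take effect on traffic.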