Forum Discussion
How to know if server cloaking is enabled in ASM
Hi guys, could anyone help me with this?
-nat
2 Replies
- nathe
nat
It depends on what you really mean by "server cloaking". In its simplest form this would be preventing response headers from exposing backend server information, i.e. the application in use and its version. Is this what you mean?
If so, then ASM removes the Server response HTTP header by default, so this is one way to perform server cloaking. To check this is working, fire up your favourite HTTP inspection app (Fiddler, HttpWatch, HttpFox, browser developer tools, etc.) and check the response headers from a web app behind an ASM.
Hope this helps,
N
Hi Nathaneil,
"Server cloaking" is a technique/configuration that strips unnecessary HTTP headers from your HTTP responses that may otherwise help an attacker identify the underlying OS / web server version while mapping your network, and then launch tailored attacks right after.
Server cloaking is not supported by ASM and does require the use of iRules to remove those headers (HTTP::header) in transit.
You may read the following article to understand how it works. Make sure to also read the comments on this post, since they contain alternative approaches (e.g. via [HTTP::header sanitize] or the use of HTTP profile settings to cloak the responses as needed).
https://devcentral.f5.com/articles/security-irules-101-engage-cloak
Cheers, Kai
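As an added example (not code from the thread, from F5, or from the linked article), the Python below models both halves of the discussion: nathe's check of which response headers a client actually receives, and the two header-stripping strategies Kai points to, denylist removal (one header at a time, as an HTTP::header remove iRule does) versus allowlist sanitising (the HTTP::header sanitize approach). The list of fingerprinting headers, the set of framing headers the allowlist model keeps regardless, and the sample backend response are all assumptions constructed for this example; they are not F5 behaviour or captured traffic.

```python
"""Added example: inspect an HTTP response for server-fingerprinting headers,
then model denylist vs. allowlist cloaking. Not F5 code; the header sets and
the sample response below are constructed assumptions for illustration."""
from typing import Dict, List, Tuple

Headers = List[Tuple[str, str]]

# Assumption: response headers that commonly leak platform/version details.
FINGERPRINT_HEADERS = frozenset({
    "server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version",
    "x-generator", "via",
})

# Assumption for this model: an allowlist cloak keeps these even when not
# listed, because dropping them would break message framing or auth.
FRAMING_HEADERS = frozenset({
    "content-length", "content-type", "transfer-encoding", "connection",
    "set-cookie", "www-authenticate", "location",
})


def parse_response(raw: bytes) -> Tuple[str, Headers, bytes]:
    """Split a raw HTTP/1.x response into (status line, headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker in response")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def serialize_response(status: str, headers: Headers, body: bytes) -> bytes:
    """Rebuild the wire form; header order is preserved."""
    head = "\r\n".join([status] + [f"{n}: {v}" for n, v in headers])
    return head.encode("iso-8859-1") + b"\r\n\r\n" + body


def leaked_headers(raw: bytes) -> Dict[str, str]:
    """The check nathe describes: which fingerprint headers reached the client?"""
    _, headers, _ = parse_response(raw)
    return {n: v for n, v in headers if n.lower() in FINGERPRINT_HEADERS}


def cloak_denylist(raw: bytes, remove=FINGERPRINT_HEADERS) -> bytes:
    """Strip only the named headers; anything not enumerated passes through."""
    status, headers, body = parse_response(raw)
    kept = [(n, v) for n, v in headers if n.lower() not in remove]
    return serialize_response(status, kept, body)


def cloak_allowlist(raw: bytes, allow) -> bytes:
    """Keep only the listed headers plus the framing set; drop everything else."""
    status, headers, body = parse_response(raw)
    keep = {a.lower() for a in allow} | FRAMING_HEADERS
    kept = [(n, v) for n, v in headers if n.lower() in keep]
    return serialize_response(status, kept, body)


# Constructed sample of what an un-cloaked backend might return. Note the
# custom X-Debug-Token header that no denylist would know to remove.
BACKEND_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.29 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/7.2.24\r\n"
    b"X-Debug-Token: 5f3a9c\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Content-Length: 13\r\n"
    b"Cache-Control: no-store\r\n"
    b"\r\n"
    b"<html></html>"
)

if __name__ == "__main__":
    print("backend leaks:", leaked_headers(BACKEND_RESPONSE))
    print("denylist result:\n", cloak_denylist(BACKEND_RESPONSE).decode())
    print("allowlist result:\n",
          cloak_allowlist(BACKEND_RESPONSE, ["Cache-Control"]).decode())
```

To run the check against a real deployment, capture the response as received by the client (for example `curl -si https://app.example/ > resp.bin`, which keeps the CRLF line endings) and pass the bytes to `leaked_headers()`. Running the sample shows why the two strategies differ: the denylist removes Server and X-Powered-By but lets the unlisted X-Debug-Token through, while the allowlist keeps only Cache-Control plus the framing headers. In either case, stripping banner headers hides version strings only; error pages, cookie names, header ordering and TLS or TCP characteristics can still identify the platform, so treat cloaking as hygiene rather than a control.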
