Forum Discussion
daveu8282_20327
Feb 15, 2011
Policy creation: who's in the driver's seat?
We have ASM 10.1.0 in-house. We've not yet gotten around to putting it into use, but I've lately been asked to set up policies for some of our applications. I've taken a look at the Getting Started manual and the Configuration manual, but I'm still not sure where to begin. My main challenge is that all of my history in our IT organization has been on the systems side of things, especially OS (mostly Linux nowadays) and networking, but ASM configuration looks as though it's driven by the application. Since I am not acquainted with our applications beyond being able to log in to one or two of them, I'm not clear on how I'd proceed with the creation of an ASM app policy. Although I can click "Next/Next/Next/Finish" with the best of 'em, it seems to me that tailoring an ASM policy requires some level of understanding of the application, not just overall OS/networking/etc. knowledge.
My question is pretty basic: who drives ASM policy creation at your shop: the application owner, the overall application architect/guru, the systems guy, etc.? If you have a primary F5 ASM administrator, does he possess a strong knowledge of your applications, or does he work closely with application experts? What kind of ASM administration role (if any) do you give to app owners?
My goal: convince the powers that be that we're going to have to get applications people involved in ASM policy creation and/or get the app people to work with me to get me up to speed on the apps which they'd like me to secure for them.
Thanks for your input!
Dave U.
- hooleylist: Hi Dave,
- Mike_Maher: Well, I am pretty much the ASM administrator at my company, or rather it belongs to my team, which is defined basically as a Perimeter Security group. So we mostly deal with network security, but this landed with us years ago when it was TrafficShield. I took it on from someone who left about 2 years ago, and my background is mostly in network and systems security.

  Most of the time I set up the ASM and get the policy into learning mode in our test environment, and then take time with the developers/application owners to go over what was learned in the policy and what I should accept. The whole process, from test environment setup to production implementation, takes about a month on average. I am currently working to define and document a process for all of this so that I can hand it to basically anyone on my team to work on a project for a new application, as well as documentation for the developers on suggested testing procedure, how ASM works, what it blocks on, and why.

  The problem I see with just handing over policy management to application owners/developers is that, at least in my company, they are not very security-minded, and they just want to make it work and get it out there. Not to say they would purposely turn something off that they knew would create a security hole, but a lot of the time, if you are not dealing with security on a day-to-day basis, you don't necessarily think it all the way through, just like anything else.
- hooleylist: Your situation is pretty similar to the customers I was working with on ASM. I don't like the idea of app owners exclusively maintaining the policy. Management generally already places too much emphasis on functionality and new features over security. If there is no one outside them and the app owners to dictate security policy, you end up with very open, insecure implementations.
- Mike_Maher: Some will be specific to my company, but some of them should be fairly generic. I will post as much as I can.
- Christopher_Boo: Mike,
- Mike_Maher: Chris,