Forum Discussion

AndOs's avatar
AndOs
Icon for Cirrostratus rankCirrostratus
Dec 20, 2016

Security considerations for APM portal access

Security considerations for APM portal access

 

We are publishing an application through APM with a portal access for the first time.

 

With no ASM in front, are there any security aspects we should consider for the actual "portal delivery"?

 

We can't do much about the application being published, but perhaps there are settings we should adjust that's not set out of the box for a portal app?

 

We've already set ACLs as described in theese posts

 

https://devcentral.f5.com/questions/portal-access-security-problem-manipulation-with-hex-string-in-url-mangle-allows-access-to-any-internal-website-how-to-restrict

 

https://devcentral.f5.com/articles/apm-security-protecting-internal-resources-using-acls

 

Is there anything else we should set as a best practice?

 

Any advice appreciated!

 

Thanks

 

/Andreas

 

application delivery
BIG-IP Access Policy Manager (APM)
portal
security

3 Replies

Sort By
  • Lucas_Thompson_'s avatar
    Lucas_Thompson_
    Historic F5 Account
    Dec 20, 2016

    For security in Portal Access, we generally recommend against proxying the internet, so keep it to internal applications using the split settings in the rewrite profile, so that you're only rewriting your domain.

     

    So:

     

    Split, ACLs. Those are probably the two biggest concerns.

     

    • AndOs's avatar
      AndOs
      Icon for Cirrostratus rankCirrostratus
      Dec 22, 2016

      Thanks!

       

      Are URIs compared first against the rewrite and bypass list and then ACLs? Or how does the split setting in rewrite profile work together with ACLs?

       

    • Lucas_Thompson_'s avatar
      Lucas_Thompson_
      Historic F5 Account
      Dec 22, 2016

      Split settings are not relevant to ACLs except that any non-bypass content should be allowed by ACLs.

       

      ACLs control access once the user tries to request content, allow or deny.

       

      Split-settings control what rewrite tells the user about where the content is, either local or remote.