Security considerations for APM portal access
We are publishing an application through APM with a portal access for the first time.
With no ASM in front, are there any security aspects we should consider for the actual "portal delivery"?
We can't do much about the application being published, but perhaps there are settings we should adjust that aren't set out of the box for a portal app?
We've already set ACLs as described in these posts:
https://devcentral.f5.com/questions/portal-access-security-problem-manipulation-with-hex-string-in-url-mangle-allows-access-to-any-internal-website-how-to-restrict
https://devcentral.f5.com/articles/apm-security-protecting-internal-resources-using-acls
Is there anything else we should set as a best practice?
Any advice appreciated!
Thanks
/Andreas
- Lucas_Thompson_Historic F5 Account
For security in Portal Access, we generally recommend against proxying the internet, so keep it to internal applications using the split settings in the rewrite profile, so that you're only rewriting your domain.
So:
Split, ACLs. Those are probably the two biggest concerns.
- AndOsCirrostratus
Thanks!
Are URIs compared first against the rewrite and bypass list and then ACLs? Or how does the split setting in rewrite profile work together with ACLs?
- Lucas_Thompson_Historic F5 Account
Split settings are not relevant to ACLs except that any non-bypass content should be allowed by ACLs.
ACLs control access once the user tries to request content, allow or deny.
Split-settings control what rewrite tells the user about where the content is, either local or remote.