Forum Discussion

BlackBolt_22590
Mar 22, 2017

Some questions about ASM module from a beginner

Hello Everyone,

 

My company recently bought some ASM licences for our F5 BIG-IP and I'm in charge of defining the security policies, but I have no experience in it so far and a read-only account, so it's pretty hard to run some tests. That's why I have some questions for you:

1/ What's the difference between Transparent and Blocking in Enforcement mode, and what suits each of them best in the signature set (learn/alarm/block)?

2/ What does "signature staging" mean? What if I don't set a signature set, what does the policy block?

3/ What's the difference between Block in the policy (enforcement mode) and Block in the signature set options? Also, correct me if I'm wrong, but Learn allows me to use the "manual traffic learning" option to see which threats the policy has detected, and Alarm is a log system-like?

4/ What happens if I activate both Block options?

 

5/ Scenario that would be much like what I will do to deploy my policies:

I want to observe which threats are occurring and who is behind them on my VS already in production before deciding what to block. What would be the best configuration?

Transparent as "enforcement mode", "attack signatures configuration" in learn/alarm mode with an ERP of, let's say, 30 days, or something else?

After finishing my analysis, where can I see what has been signaled by the signatures, and where can I decide if I block them or not?

8/ What happens once the ERP is over? Do I have to change the enforcement mode once the analysis is over (Transparent -> Blocking, for example)? Will my policy keep checking if new threats are detected?

 

I know it's a lot of questions to answer, but I have no one else to turn to, so thank you very much in advance.

Regards,

 

  • Have a look at these links:

    https://devcentral.f5.com/articles/the-big-ip-application-security-manager-part-1-what-is-the-asm

    https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-getting-started-13-0-0.html

    https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-13-0-0.html

    They should answer your questions, and generate more questions. Anyway, post the questions you still have afterwards, and I will try to answer them.

    Also, you can install a virtual machine with F5, and play with ASM for free.

    https://f5.com/products/trials/product-trials

     

  • Hello all,

    So I finally was able to perform some tests in a lab on VMware Workstation with Hack-it-yourself PHP. I reproduced one attack to see the behavior of both policy construction modes (automatic and manual). Here is the scenario for both construction modes after creation:

    Manual:

    Signature staging: enabled
    Enforcement mode: Blocking
    Learn, Alarm, Block: all 3 checked
    ERP: 7 days

    Automatic:

    Signature staging: enabled
    Enforcement mode: Blocking
    Learn, Alarm, Block: all 3 checked
    Policy Builder: enabled
    ERP: 7 days
    Policy mode: Comprehensive

    When I uncheck "signature staging" on the manual policy, the script is blocked right away, but when I do it with the automatic policy, it doesn't block it and I can't figure out what prevents me from blocking it. My guess is the Policy Builder, but when I disable it, it still doesn't block my script request. So can someone explain to me the behaviour of an automatic policy, the Policy Builder and the policy mode? This is the kind of log I have with the automatic policy:

     

    https://puu.sh/vMtRL/0ba67eb302.png

     

    Also, where do you decide if this specific request is a false positive?

    If I understand it correctly, this is where you decide if a signature is a false positive (screenshot below), but where do you specify that a request, or a request coming from a specific IP, is safe?

     

    https://puu.sh/vMu3R/aa50bc2da4.png

     

    Another "strange" behaviour I have: as you can see, I have signature staging enabled and my policy in blocking mode. Isn't the security policy supposed to not block the traffic that triggered some signatures, and just report them, so that I decide afterwards if I block them or not? I'm asking because my policy still keeps blocking the traffic that triggers the signature:

     

    https://puu.sh/vMubP/996be50a7e.png

     

    • Leonardo_Souza

      Answering the first question, you have to enforce the entities learned by the Policy Builder. Answering the second question, you can decide what to do with the learning suggestions, including ignoring them. Answering the third question, in the IP address exceptions. Answering the last question, blocking mode in the policy is the general behavior; a signature can still be in staging or have been removed already from staging. That setting just says whether you stage signatures or not, but does not tell whether a signature is still in staging or not.
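
The interaction just described (policy enforcement mode, the Learn/Alarm/Block flags of the attack-signature violation, and per-signature staging) can be modelled in a few lines. The block below is an added illustration, not F5 code and not part of this thread; the signature names, regex stand-ins, request strings and dates are constructed, and the rules it encodes are the ASM behaviour as documented: a transparent policy never blocks, a blocking policy blocks a matched signature only when the Block flag is set and that signature is out of staging, and the end of the enforcement readiness period makes a signature ready to enforce but does not enforce it by itself.

```python
"""Toy model of how BIG-IP ASM decides whether a request that matches an attack
signature is blocked. Added illustration, not F5 code; the signatures, dates
and requests are constructed for the example."""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple


@dataclass
class Signature:
    name: str
    pattern: str                   # regex stand-in for the real signature logic
    staged_since: Optional[date]   # None means already enforced (not in staging)


@dataclass
class Policy:
    enforcement_mode: str          # "transparent" or "blocking"
    learn: bool                    # Learn flag of the attack-signature violation
    alarm: bool                    # Alarm flag
    block: bool                    # Block flag
    erp_days: int                  # enforcement readiness period in days


def ready_to_enforce(sig: Signature, policy: Policy, today: date) -> bool:
    """True once a staged signature has completed the enforcement readiness period."""
    return (sig.staged_since is not None
            and today - sig.staged_since >= timedelta(days=policy.erp_days))


def evaluate(policy: Policy, signatures: List[Signature],
             request: str) -> Tuple[List[str], Set[str]]:
    """Return matched signature names and the actions taken ("learn", "alarm", "block")."""
    matched = [s for s in signatures if re.search(s.pattern, request, re.IGNORECASE)]
    actions: Set[str] = set()
    if not matched:
        return [], actions
    # Learn and Alarm apply in either enforcement mode, staged or not
    if policy.learn:
        actions.add("learn")
    if policy.alarm:
        actions.add("alarm")
    # Blocking needs all three: blocking mode, the Block flag, and at least one
    # matched signature that is out of staging. A transparent policy never blocks,
    # and a request matching only staged signatures is reported, not blocked.
    if (policy.enforcement_mode == "blocking" and policy.block
            and any(s.staged_since is None for s in matched)):
        actions.add("block")
    return [s.name for s in matched], actions


def enforce_ready(policy: Policy, signatures: List[Signature], today: date) -> List[str]:
    """Take signatures whose ERP has elapsed out of staging. In ASM this is an
    explicit enforcement step (by the administrator, or by the Policy Builder in
    automatic mode); the ERP running out does not by itself enforce anything."""
    enforced = []
    for s in signatures:
        if ready_to_enforce(s, policy, today):
            s.staged_since = None
            enforced.append(s.name)
    return enforced


def make_lab() -> List[Signature]:
    # Constructed: one signature still in staging, one already enforced
    return [Signature("sqli_union_select", r"union\s+select", date(2017, 5, 8)),
            Signature("xss_script_tag", r"<script", None)]


def run_scenario() -> dict:
    """Walk through the cases discussed in the thread and collect the actions."""
    blocking = Policy("blocking", learn=True, alarm=True, block=True, erp_days=7)
    transparent = Policy("transparent", learn=True, alarm=True, block=True, erp_days=7)
    sqli = "/item.php?id=1 UNION SELECT 1,2,3"          # constructed request
    xss = "/search.php?q=<script>alert(1)</script>"     # constructed request
    sigs = make_lab()
    out = {
        "staged_sig_blocking_mode": evaluate(blocking, sigs, sqli)[1],
        "enforced_sig_blocking_mode": evaluate(blocking, sigs, xss)[1],
        "enforced_sig_transparent_mode": evaluate(transparent, sigs, xss)[1],
        "enforce_before_erp": enforce_ready(blocking, sigs, date(2017, 5, 10)),
        "enforce_after_erp": enforce_ready(blocking, sigs, date(2017, 5, 16)),
    }
    # Same staged signature, now enforced: the same request is blocked
    out["staged_sig_after_enforcement"] = evaluate(blocking, sigs, sqli)[1]
    return out


if __name__ == "__main__":
    for case, result in run_scenario().items():
        print(f"{case}: {sorted(result)}")
```

Running it reproduces the behaviour asked about above: with staging enabled and the policy in blocking mode, a request that only matches a signature still in staging is learned and alarmed but not blocked, while a request matching an already enforced signature is blocked, which is why a blocking policy can both "report only" and "block" at the same time depending on the signature.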

       

    • BlackBolt_22590

      Thanks Leonardo for your answer. One more thing (maybe the last :)), it's about resources and deployment. I have about 400 VS to protect with ASM, with some nodes and pools that are used multiple times. I am planning to deploy a policy per pool (if Pool A is used in VS 1, 2, 3 & 4, I'm going to deploy one policy for VS 1 to 4). Do you think the resources are enough to deploy this way, knowing I'll create about 20-30 policies?

      Regards,

       

    • Leonardo_Souza

      You can assign the same policy to more than one virtual server. The main reason people normally have one policy per virtual server is because a policy is basically a mapping of the application. If the applications are different, which requires a different virtual server per application, they should have a policy for each virtual server.

      That said, if they share the same application on the backend server, they could have the same policy, but in that case why do you have multiple virtual servers for the same application?

      About sizing, I can't tell you if you will break the box with that ASM configuration. There are many things to check for that, and as I think it will be difficult for you to calculate, I suggest that you add one policy at a time and check the resources for a couple of days. Don't forget that there is a lot of work that occurs initially to map the application, but afterwards it is just analyzing traffic and blocking things.