ASM Bypass v11.2.0: Muhahahahahahaha
ASM Bypass… what are you thinking, fool? I just spent all this time tuning my ASM, turning it into a lean, mean, securing machine… and now you want me to put in a bypass?? Initial response: WHY, oh why, do you do this to me? I'm just a poor security primate trying to make sure we don't get pwn'd by every script kiddie and 1337 out there on the net. It's hard enough to do that without my own co-workers trying to open more holes in the perimeter. I mean seriously, guys, think about it: the word bypass, it's just not good. Name a good bypass? Triple bypass: no thanks. Bypass the main reactor cooling system? Umm, no. Gastric bypass: well… ok… maybe. I have been eating one too many bananas lately….
Discussion: I'm a shocked monkey, but alright, tell me why you want to bypass my Security Masterpiece. What's that? You want to be able to hit the application directly with the security scanners, so we can find issues in the code itself and fix them there… oooh. I like that. You want to be able to test things directly on the application server before you blame every little failure on the WAF? oooh… That's good too. You've got a load tester that you want to point at the application, to see how it handles ramped-up connections? Marry me.
So, the security monkey being satisfied as to the sanity of the reasons… how do we do this safely? There are multiple ways to approach it now. In the past, THE way to do it was with a nice neat little iRule (10.0.1+):

    when HTTP_CLASS_SELECTED {
        ASM::enable
        if { [HTTP::uri] starts_with "/bypass" } {
            ASM::disable
        }
    }

(All it says: when an HTTP class is selected, turn on the ASM; if the URI starts with /bypass, turn the ASM off for that request.) Or:

    when HTTP_CLASS_SELECTED {
        ASM::enable
        if { [class match [IP::client_addr] equals asm_whitelist] } {
            ASM::disable
        }
    }

(Same thing, except keyed on an IP address whitelist held in a data group.) A nice blanket way to do it for anyone hitting /bypass or anyone on the IP whitelist. It sounds horrible, and the URI variant really is horrible anywhere the Internet can reach it, since anyone who learns the prefix can walk straight past the WAF; but it has a great application in the development environment. Imagine it this way: you have the ASM on in the dev environment, and the developers hit it for testing. When they don't want to hit it, they use the /bypass URI, and you expand your iRule to strip /bypass from the URI so that the application sees a standard request. Voila, ASM bypassed and testing continues.
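Putting the two pieces together, here is an added example (my own, not code from the original post or from F5) of the expanded dev-environment iRule: the IP whitelist is checked first, the URI form uses a "/bypass/" prefix and strips it before the request reaches the application, and each bypass is logged so you can see who used it. The data group name asm_whitelist and the /bypass prefix are carried over from the post; the log messages and the tightening to "/bypass/" (with the trailing slash, so a real page called /bypass-report is not matched and a bare /bypass never rewrites to an empty URI) are my assumptions.

```tcl
# Added example (not from the original post): combined ASM bypass iRule for a
# DEV virtual server only.  "asm_whitelist" is an address data group and
# "/bypass/" is the opt-out prefix; both names are assumptions.
when HTTP_CLASS_SELECTED {
    # Default for every request: the ASM policy stays on.
    ASM::enable

    # Case 1: trusted scanner / load-tester source addresses.
    if { [class match [IP::client_addr] equals asm_whitelist] } {
        ASM::disable
        log local0. "ASM bypass (whitelist) from [IP::client_addr] for [HTTP::uri]"
        return
    }

    # Case 2: developer opt-out via URI prefix.  Strip the 7-character
    # "/bypass" so the application sees a normal URI:
    #   /bypass/login?x=1  ->  /login?x=1
    if { [HTTP::uri] starts_with "/bypass/" } {
        ASM::disable
        HTTP::uri [string range [HTTP::uri] 7 end]
        log local0. "ASM bypass (uri) from [IP::client_addr], rewritten to [HTTP::uri]"
    }
}
```

Attach this only to the dev virtual server; the whitelist check runs first so a scanner on the trusted list never has to know the prefix, and the log lines give you an audit trail of every request that skipped the policy. The HTTP_CLASS_SELECTED / ASM::enable / ASM::disable form is the one the post shows for 10.0.1+ and later 11.x releases.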
11.2.0: NEW FEATURE OF AWESOMENESS! In 11.2.0, the ASM added a section under IP Addresses: the IP Address Exceptions list. It does just what it sounds like: it lets you add IP addresses that get varying degrees of security. Each entry has the following options:

- Netmask: want to cover a range rather than a single host? Do so here.
- Policy Builder trusted IP: all requests from this IP are considered safe AND data from it is used to build your policy. Tied to the Policy Builder.
- Ignore in Anomaly Detection: don't check this IP for DoS attacks, brute forcing, or web scraping. Why would you ever do this? Testing. I want to test my site and have a scraper troll through it. Add the IP here and it can hit the site as fast and as often as you want it to.
- Ignore in Learning Suggestions: don't learn from this traffic.
- Never block this IP address: this IP is completely trusted and should never be blocked. Limited use case: testing systems or a trusted source such as a dynamic web service. (Please be sure you have full control of what's going across.)
- Never log requests from this IP address: don't log at all. Illegal, legal, special, monkey: do not log any of the traffic from this IP.
- Ignore IP Address Intelligence: don't block this IP based on it being blacklisted by the IP Intelligence service.

One caveat worth stating: an entry with both "never block" and "never log" set is a source you neither stop nor see, so keep such entries to the exact test hosts (a single address, not a wide netmask) and remove them when the testing is done.
In the end, the next time someone comes to you and says "Security Bypass", hold off on beating them with the teaching Hammer, and hear out what they need. You might just make a new friend.
- John_Alam_45640 (Historic F5 Account): Cool article.
- jmanya_44531 (Nimbostratus): Outstanding article... Even funny...
- Ndlovumm (Cirrus): Great article, thank you sir.