BIG-IP Application Security Manager v11 (ASM)

Table of Contents

Module 1: Installation & Initial Access... 1-1
  BIG-IP ASM Overview... 1-1
  ASM Feature Set Summary... 1-2
  ASM Protection Summary... 1-3
  BIG-IP ASM Deployment Types... 1-6
  BIG-IP ASM Standalone... 1-6
  BIG-IP ASM in-line with BIG-IP LTM... 1-6
  Multiple BIG-IP ASM devices behind a BIG-IP LTM... 1-6
  BIG-IP ASM module on BIG-IP LTM... 1-6
  BIG-IP ASM Device Group... 1-7
  BIG-IP ASM Virtual Edition (VE)... 1-7
  Licensing and the Setup Utility... 1-8
  Configuration Process... 1-8
  Accessing the Web Configuration Utility... 1-14
  Command Line Access... 1-15
  Provisioning... 1-16
  Installation and Setup Labs... 1-18
  Lab Installation and Setup... 1-18
  Lab System Licensing... 1-20
  Lab Setup Utility... 1-22
  Lab Configuration Backup... 1-24

Module 2: Web Application Concepts... 2-1
  Anatomy of a Web Application... 2-1
  Secure Socket Layer... 2-3
  Server Hardening... 2-4
  Network Firewalls and Application Security... 2-4
  Web Application Firewalls... 2-4
  HTTP & HTML Web Page Components... 2-5
  HTTP Concepts Overview... 2-5
  HTTP Request Components... 2-5
  HTTP Methods... 2-6
  Uniform Resource Identifier... 2-7
  HTTP Version... 2-8
  HTTP Headers... 2-8
  HTTP Responses... 2-8
  Response Status Codes... 2-8
  HTML Concepts Overview... 2-9
  HTTP Header Overview... 2-10
  Public vs. Private... 2-10
  No-Cache and No-Store... 2-10
  HTML Concepts Overview... 2-10
  Expiration Indicators... 2-10
  Content Duration... 2-11
  Header Types... 2-11
  User Input Forms... 2-11
  Using Fiddler2... 2-12
  Lab Fiddler2... 2-15

Module 3: Web Application Vulnerabilities... 3-1
  Web Application Vulnerabilities Overview... 3-1
  Injection Attacks... 3-2
  Cross Site Scripting... 3-2
  Broken Authentication and Session Management... 3-3
  Insecure Direct Object References... 3-3
  Forceful Browsing... 3-3
  Cross Site Request Forgery... 3-4
  Hidden Field Manipulation... 3-5
  Cookie Poisoning... 3-7
  Unvalidated Redirects and Forwards... 3-8
  Risk Mitigation and ASM... 3-9
  Lab HTTP Vulnerabilities... 3-10

Module 4: Web Application Configuration... 4-1
  Pool Members and Pools... 4-1
  Nodes... 4-2
  Virtual Servers... 4-2
  Network Packet Flow... 4-3
  HTTP Classes... 4-4
  Application Security Class... 4-4
  HTTP Class Filters... 4-7
  Virtual Server Configuration... 4-11
  SSL Termination/Initiation... 4-13
  HTTP Request Flow... 4-15
  Lab Web Application Configuration... 4-16

Module 5: Security Policy Overview... 5-1
  Positive Security Model... 5-1
  Negative Security Model... 5-2
  Security Policy Properties... 5-2
  Security Policy Configuration... 5-3
  Security Policy Components... 5-3
  File Types... 5-3
  URLs... 5-5
  Parameters... 5-6
  Wildcard Entities... 5-8
  Violations and Traffic Learning... 5-10
  Tightening... 5-11
  Staging... 5-11
  Methods... 5-13
  Headers... 5-13
  Cookie Processing in ASM... 5-14
  Requests... 5-16
  Traffic Learning... 5-18
  Policy Blocking... 5-18
  Lab Security Policy... 5-21
  Attack Signatures... 5-24
  Attack Signature Pools and Sets... 5-26
  Lab Attack Signatures... 5-30

Module 6: Security Policy Building Tool... 6-1
  Deployment Wizard... 6-1
  Rapid Deployment Scenarios... 6-1
  Data Guard... 6-3
  Rapid Deployment Methodology... 6-4
  Lab Rapid Deployment... 6-5
  Lab Data Guard... 6-9
  Lab Attack Signatures... 6-11
  WhiteHat Sentinel... 6-13
  Lab WhiteHat Sentinel... 6-14

Module 7: Application-Ready Security Policy... 7-1
  Overview... 7-1
  Lab Application-Ready Security Policy... 7-9

Module 8: Configuration Lab Project 1... 8-1

Module 9: Reporting... 9-1
  Dashboard... 9-1
  Reporting Overview... 9-1
  Charts... 9-2
  PCI Compliance Reports... 9-4
  Lab Reporting... 9-5
  Logs... 9-6
  Logging Profiles... 9-8
  Lab Logging Messages Locally and Remotely... 9-14

Module 10: Administering ASM... 10-1
  ASM User Management... 10-1
  Lab Partitions and User Roles... 10-5
  Modifying Security Policies... 10-8
  Lab Modifying a Security Policy... 10-9
  ASM Synchronization... 10-11
  Device Groups... 10-11
  qkview... 10-12

Module 11: Traffic Learning... 11-1
  Learning Concepts Overview... 11-1
  Learning Process Resources... 11-2
  Length Learning... 11-3
  Pattern Learning... 11-4
  Meta-Character Learning... 11-4
  Violations... 11-5
  Lab Traffic Learning... 11-14

Module 12: Parameters... 12-1
  Parameter Overview... 12-1
  Parameter Types... 12-2
  User Input Parameter Value Types... 12-3
  Static Parameter Value Types... 12-5
  Dynamic Parameter Value Types... 12-6
  Extractions... 12-7
  XML Value Types... 12-10
  JSON Value Types... 12-11
  Parameter Character Sets... 12-12
  Parameter Levels... 12-13
  Global Parameters... 12-13
  URL Parameters... 12-14
  Flow Parameters... 12-14
  Parameter Logic... 12-15
  Lab Protecting Dynamic Parameters... 12-16
  Lab Protecting Static Parameters... 12-19

Module 13: Security Policy Builder... 13-1
  Policy Builder Introduction... 13-1
  Policy Builder Configuration... 13-2
  Policy Builder Policy Types... 13-5
  Policy Builder Rules... 13-6
  Lab Security Policy Builder... 13-7

Module 14: Advanced Topics... 14-1
  iRules... 14-1
  iRule Syntax... 14-2
  ASM iRule Events... 14-2
  ASM iRule Commands... 14-3
  Tcl Commands... 14-4
  iRule Configuration... 14-5
  Lab iRule Creation and Configuration... 14-6
  Login Pages... 14-8
  Lab Login Page Protection... 14-10
  Anomaly Detection... 14-12
  Denial of Service Attacks... 14-12
  Brute Force Attacks... 14-13
  IP Enforcer... 14-15
  Web Scraping... 14-15
  Lab Web Scraping... 14-17
  Anti-Virus Protection... 14-19
  Configurable ICAP Servers... 14-19
  Cross-Site Request Forgery Protection... 14-20

Module 15: XML and Web Services... 15-1
  XML Concepts... 15-1
  XML Profile... 15-1
  Web Services Protection... 15-2
  Validation Enforcement Configuration... 15-3
  Securing XML Content... 15-4
  XML Attack Signatures... 15-4
  Web Services Security... 15-5
  Defense Configuration... 15-6
  Defense Formatting Settings... 15-9
  Associating an XML Profile with a URL... 15-10
  Lab XML and Web Services... 15-12

Module 16: AJAX and JSON Concepts... 16-1
  AJAX Overview... 16-1
  JSON Overview... 16-2
  ASM Support of AJAX/JSON... 16-3
  JSON Profile... 16-3
  Associating a JSON Profile with a URL... 16-5
  Associating a JSON Profile with a Parameter... 16-6
  Lab JSON Parsing... 16-7

Module 17: Protocol Security Manager... 17-1
  Protocol Security Manager Overview... 17-1
  FTP Protection... 17-2
  Active Mode... 17-2
  Passive Mode... 17-3
  FTP Security Profile Configuration... 17-4
  SMTP Protection... 17-5
  SMTP Security Profile Configuration... 17-6
  HTTP Security Profile Overview... 17-8
  HTTP Security Profile Configuration... 17-9
  Protocol Security Manager Statistics... 17-13
  Configuring Protocol Security Manager... 17-17
  Lab Protocol Security Manager FTP... 17-18

Module 18: Configuration Lab Project 2... 18-1
  Review Questions... 18-1
  Configuration Lab Project 2... 18-3

Appendix A: Pre-installation Checklist... A-1
  Configuration Worksheet... A-4

Appendix B: New Features for ASM v11... B-1

Appendix C: Additional Topics... C-1
  Traffic Capturing using HttpWatch... C-1
  Lab HttpWatch... C-4
  Regular Expressions... C-6
  Writing Rules for User-Defined Attack... C-16

Appendix D: Configuration Lab Project 2 (Helpful Hints)... D-1

Appendix E: Protecting a Production Environment (Lab Project)... E-1

PowerPoint Slides Printout...