Forum Discussion

Nik_67256
Mar 06, 2012

Data Guard - Mask Data checkbox

Hello,

Wanted to confirm my understanding of Data Guard (for ease, one may answer with "Yes/No").

1) Does enabling "Masking Data" prevent the end users from viewing the cc/ssn data (i.e. encodes it so they will see *****)?

2) If I want none of my users to view the ssn/cc data (as there is a business justification/need), then do I always ensure that the "Mask data" checkbox is enabled?

3) If I want some of my users (still to be identified) to view the ssn/cc data (as there is a business justification/need), then do I do the following steps:

a) Initially ensure the mask data check box is switched off

b) Let the traffic policy builder learn what's legitimate and what's not (based on continuous traffic or one-off traffic) / or manually accept or clear learnings

c) Accept traffic as legitimate, and clear the illegitimate ones on the learning screen

d) Once I'm sure of the traffic, enable back the "Mask Data" - as it will now be applied to traffic identified as illegitimate only.

1 Reply

  • Hi Nik

    1) Does enabling "Masking Data" prevent the end users from viewing the cc/ssn data (i.e. encodes it so they will see *****)?

    ASM can either block the response or mask the data. Here's more detail from the online help:

    * If the security policy’s enforcement mode is Transparent and the Mask Data check box is checked, the system encodes the sensitive data by returning asterisks to the client instead of the sensitive data. (The system also returns asterisks if the enforcement mode is Blocking, the Data Guard: Information leakage detected violation Block check box is cleared, and the Alarm check box is checked.)

    * If the security policy’s enforcement mode is Blocking, and the Block check box for the Data Guard: Information leakage detected violation is checked, the system blocks the response.

    2) If I want none of my users to view the ssn/cc data (as there is a business justification/need), then do I always ensure that the "Mask data" checkbox is enabled?

    Yes, you'd want to either block the full response or mask the data.

    3) d) Once I'm sure of the traffic, enable back the "Mask Data" - as it will now be applied to traffic identified as illegitimate only.

    I don't think ASM masks or blocks responses with content that matches a data guard pattern based on other violations. If the response matches a pattern it will be masked or blocked, depending on the blocking settings for data guard.

    The default GUI-based config options for this don't allow you to make decisions on masking or blocking based on who the user is. If the application restricts access to specific URIs to allow only some users, you could define those URIs in the data guard list to not check.

    Aaron
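
A simplified Python model of the mask/block decision and URI exemption described in the reply above, added here as an illustration; it is not F5's code and not part of the original thread. The regexes, the Luhn filter, the `exempt_uris` parameter, requiring Mask Data in the Blocking-with-Alarm case, and passing through any combination the quoted help text does not cover are assumptions of this sketch.

```python
import re

# Constructed patterns for this sketch; not ASM's own detection rules.
CC_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_ok(candidate):
    """Luhn checksum, used to cut false positives on long digit runs."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_sensitive(body):
    """Return (start, end) spans of SSN-shaped and Luhn-valid card-shaped text."""
    spans = [m.span() for m in SSN_RE.finditer(body)]
    spans += [m.span() for m in CC_RE.finditer(body) if luhn_ok(m.group())]
    return sorted(spans)

def data_guard(uri, body, mode, mask_data, block, alarm, exempt_uris=()):
    """Return (action, body) where action is 'pass', 'mask' or 'block'."""
    spans = find_sensitive(body)
    # URIs on the "do not check" list, and clean responses, go out untouched.
    if uri in exempt_uris or not spans:
        return "pass", body
    # Blocking mode with the violation's Block box checked: drop the response.
    if mode == "blocking" and block:
        return "block", ""
    # Transparent + Mask Data, or Blocking with Block cleared and Alarm checked
    # (assumption: Mask Data must be checked in that case too).
    masks = mask_data and (mode == "transparent" or (mode == "blocking" and alarm))
    if not masks:
        return "pass", body  # combination not covered by the quoted help text
    out = list(body)
    for start, end in spans:
        out[start:end] = "*" * (end - start)  # same length, so offsets stay valid
    return "mask", "".join(out)
```

The decision depends only on the response content, the policy settings and the URI, never on who the user is, which is why per-user visibility has to be expressed through URI exemptions in this model.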