
marek1_119131
Mar 11, 2013

BIG-IP ASM security model

Hello!

I have been testing a trial of the virtual edition of BIG-IP ASM and I'm a little confused while configuring it. I made a policy manually and enabled attack signatures too. It is now using a positive security model - because it seems to be learning things - and a negative security model - because I enabled attack signatures. Am I right?

If the answer is yes, can it be tested using just the attack signature database, with learning disabled? I know it sounds crazy but I just would like to test it out that way too.

Thanks!


2 Replies

  • Yes... kind of... Personally I wouldn't say you are using either the positive or negative security model until you have refined your policy and have them in blocking, not learning, mode.

    I would say you are in policy building mode right now as you are not enforcing anything yet, but yes, essentially building a policy that tracks file types, URLs, parameters, parameter values and so on would be a positive security model, and the attack signatures, anomaly detection and such would be negative security.

    Or another way of thinking of it:

    Positive Security = White Listing

    Negative Security = Black Listing

    If you want to test just using Attack Signatures then go into your policy blocking settings (Application Security > Policy > Blocking > Settings) and turn off Learn, Alarm, and Block for all violations, except Attack Signatures.
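
An added illustration, not part of the thread and not F5 code: a toy Python model of the two approaches described in the reply above, with an allowlist of file types, URLs and parameters (positive) next to a pattern denylist (negative), and a per-violation Block flag standing in for the blocking settings. The violation labels, patterns and sample requests are all constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed positive-model policy (allowlist): what the application is known to use.
ALLOWED_FILE_TYPES = {"php", "html"}
ALLOWED_URLS = {"/index.php", "/search.php"}
ALLOWED_PARAMS = {"q", "page"}

# Constructed negative-model signatures (denylist): toy patterns, not a vendor signature set.
SIGNATURES = {
    "xss-script-tag": re.compile(r"<\s*script", re.I),
    "sqli-tautology": re.compile(r"'\s*or\s+1\s*=\s*1", re.I),
}

def violations(url):
    """Return the set of violation labels a request URL triggers."""
    parts = urlsplit(url)
    found = set()
    ext = parts.path.rsplit(".", 1)[-1] if "." in parts.path else ""
    if ext not in ALLOWED_FILE_TYPES:
        found.add("Illegal file type")
    if parts.path not in ALLOWED_URLS:
        found.add("Illegal URL")
    # parse_qsl percent-decodes values, so signatures see the decoded input.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name not in ALLOWED_PARAMS:
            found.add("Illegal parameter")
        if any(sig.search(value) for sig in SIGNATURES.values()):
            found.add("Attack signature detected")
    return found

def decide(url, blocking):
    """blocking maps a violation label to True when its Block flag is on."""
    hit = violations(url)
    enforced = {v for v in hit if blocking.get(v, False)}
    return ("block" if enforced else "pass", hit)

ALL = ["Illegal file type", "Illegal URL", "Illegal parameter",
       "Attack signature detected"]
BOTH_MODELS = {v: True for v in ALL}
# Everything switched off except attack signatures, as in the reply above.
SIGNATURES_ONLY = {v: v == "Attack signature detected" for v in ALL}

if __name__ == "__main__":
    for url in ("/index.php?q=shoes", "/admin.php?debug=1",
                "/search.php?q=%3Cscript%3Ealert(1)%3C/script%3E"):
        print(url, decide(url, BOTH_MODELS)[0], decide(url, SIGNATURES_ONLY)[0])
```

With only the signature check enforced, the unknown URL and parameter in the second sample request pass, which is the coverage a signatures-only test gives up.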