Forum Discussion

Gregory_Gerard_
Jun 08, 2008

Enforcing Content-Length and other preventive security measures

I've been challenged with an audit. I know the tool in question to be used and have read the docs and whitepapers (sorry, cannot reveal).

Things mentioned within them include:

1. XSS attacks -- I think we're okay on this one

2. HTTP-based attacks, mainly malformed HTTP requests in an effort to poison caching servers along the way:
   HTTP smuggling, response splitting, double Content-Length headers, and more.

I'm wondering if there are any canned protection measures I can employ in my LTM to mitigate these types of browser hijacks.

Some attacks apply to tiers and systems I have no control over (ISP cache servers for instance), but I'd like to do what I can to detect and drop connections and raise an alert when traffic looks "funny".

What are your recommendations and thoughts?

Is the F5 the place to do this or another box? If another box, box recommendations?

Obviously, code is being audited statically as well and appserver patches applied when possible, but I want to cover my bases.

Thanks!

2 Replies

  • You could potentially handle some HTTP protocol validation in an iRule, but you'd probably need to parse the raw TCP (as opposed to using HTTP::commands) as you're looking for invalid HTTP or corner cases in the use of the protocol. If it's an option for you, the Application Security Manager (ASM) would provide much better validation of HTTP and add a lot more flexibility and ease than you could ever get to with an iRule. You can check with an F5 salesperson to get more information on the functionality ASM offers. I think you'll find it meets or exceeds what you're trying to achieve.

    Aaron
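The kind of raw-request validation Aaron describes (looking at the bytes on the wire rather than at already-parsed HTTP:: values), shown as an added example that is not code from this thread and not an F5 iRule or ASM policy: a small Python inspector that parses an HTTP/1.x request and reports the framing anomalies the original post lists, namely duplicate Content-Length headers, Content-Length together with Transfer-Encoding, bare CR/LF inside a header line (the response-splitting / header-injection shape), malformed header names, and bytes left over after the declared body. The request samples, finding strings and function names are constructed for this example; an LTM deployment would carry the same decisions into an iRule or ASM, with the "drop and alert" action wired to the device's logging.

```python
"""Inspect raw HTTP/1.x requests for framing anomalies (constructed example)."""
import re

# RFC 7230 token characters: a header name that is not a pure token
# (for example "Content-Length " with a trailing space) is a classic way
# to make two parsers in the chain disagree about the message length.
TOKEN_RE = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")
DIGITS_RE = re.compile(rb"^[0-9]+$")


def parse_request(raw: bytes):
    """Split a raw request into (request_line, [(name, value), ...], body).

    Names are lower-cased but otherwise untouched; values keep their raw
    bytes so that the checks below can see embedded CR/LF.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no CRLFCRLF terminating the header block")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError("header line without a colon: %r" % line)
        headers.append((name.lower(), value.strip(b" \t")))
    return lines[0], headers, body


def inspect_request(raw: bytes) -> list:
    """Return a list of findings; an empty list means the framing looks sane."""
    findings = []
    try:
        _request_line, headers, body = parse_request(raw)
    except ValueError as exc:
        return ["malformed: %s" % exc]

    for name, value in headers:
        if not TOKEN_RE.match(name):
            findings.append("invalid header name: %r" % name)
        # A lone CR or LF that survived the CRLF split means the line
        # structure is ambiguous (bare-LF smuggling, header injection).
        if b"\r" in value or b"\n" in value:
            findings.append("bare CR/LF inside header %r" % name)

    cl_values = [v for n, v in headers if n == b"content-length"]
    te_values = [v for n, v in headers if n == b"transfer-encoding"]

    if len(cl_values) > 1:
        findings.append("duplicate Content-Length headers: %d" % len(cl_values))
    if cl_values and te_values:
        findings.append("Content-Length and Transfer-Encoding both present (CL.TE/TE.CL ambiguity)")

    declared = None
    for v in cl_values:
        if not DIGITS_RE.match(v):
            findings.append("non-numeric Content-Length: %r" % v)
        elif declared is None:
            declared = int(v)

    for v in te_values:
        if v.lower() != b"chunked":
            findings.append("unusual Transfer-Encoding: %r" % v)

    # With one numeric Content-Length and no Transfer-Encoding, the bytes we
    # actually hold should match the declaration; leftover bytes look like a
    # second request hidden behind the first.
    if declared is not None and not te_values and len(cl_values) == 1:
        if len(body) > declared:
            findings.append("%d trailing bytes after declared body" % (len(body) - declared))
        elif len(body) < declared:
            findings.append("body shorter than declared Content-Length")
    return findings


def should_drop(raw: bytes) -> bool:
    """Policy hook: any finding at all means reject the connection and alert."""
    return bool(inspect_request(raw))


# Constructed sample requests (not captured traffic).
CLEAN = b"POST /login HTTP/1.1\r\nHost: app.example\r\nContent-Length: 9\r\n\r\nuser=bob!"
DOUBLE_CL = b"POST / HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\nContent-Length: 8\r\n\r\nabcde"
CL_TE = b"POST / HTTP/1.1\r\nHost: app.example\r\nContent-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"
BARE_LF = b"GET / HTTP/1.1\r\nHost: app.example\nX-Forwarded-For: 10.0.0.1\r\n\r\n"
TRAILING = b"POST / HTTP/1.1\r\nHost: app.example\r\nContent-Length: 3\r\n\r\nabcXYZ"

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN), ("double-cl", DOUBLE_CL), ("cl-te", CL_TE),
                          ("bare-lf", BARE_LF), ("trailing", TRAILING)]:
        print(label, "DROP" if should_drop(sample) else "allow", inspect_request(sample))
```

The inspector deliberately treats any ambiguity as a finding rather than trying to resolve it the way a lenient server would: the point of a front-door check is that a request which two parsers could read differently should not reach either of them.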