Forum Discussion

erol_dogan_1164's avatar
erol_dogan_1164
Icon for Nimbostratus rankNimbostratus
Aug 27, 2013

ASM transparent bridge mode detect capabilities

I am evaluating a standalone ASM appliance. There a lot of web applications in my network which I don't know their IP addresses or host names (or even their existence). This is because my network is a university network in which instructors have privilidge to host their own web sites through the corporate firewall.

 

Does ASM have capability to detect those all websites and disclose/block their vulnerabilities?

 

I tried to use F5 appliance between Metro ethernet switch and firewall in order to let the appliance to detect the applications, I used transparent bridge mode. Unfortunately, I failed on my goal.

 

ASM Advanced WAF
deployment
design
security
transparent bridge

3 Replies

Sort By
  • Sam_Richman_263's avatar
    Sam_Richman_263
    Historic F5 Account
    Aug 27, 2013

    Unfortunately, the "discovery and detection of web applications" is not a function of ASM.

     

    In transparent bridge mode, an ASM BIG-IP device can secure application traffic, but to some extent, you will need to know something about those applications in order to protect them. The deployment strategy is for multiple ASM policies to be assigned to the forwarding virtual server, each specific to one of the applications being secure.

     

    You could create a network forwarding virtual server to intercept all inbound HTTP traffic and assign a single ASM policy to it, which would provide some level of protection, based on the attack signatures you choose, as well as protocol compliancy checks. This protection would be quite generic, of course, though would have some value.

     

    However, I would caution that this extremely general approach can potentially break your applications, since you are imposing restrictions on applications you do not understand, or even know about. Tread carefully with this idea.

     

    A more deliberate, albeit time consuming strategy would be to write an iRule to perform some reconnaissance on your network. Again, I am assuming the BIG-IP is able to see all inbound port 80 traffic. This iRule could log destination IPs, URIs, and other details which would give you a better idea of your environment.

     

    Armed with this information, you could begin to investigate the applications and query the owners for information about how to create ASM policies appropriate for the applications (server type, application architecture, etc..).

     

  • erol_dogan_1164's avatar
    erol_dogan_1164
    Icon for Nimbostratus rankNimbostratus
    Aug 27, 2013

    Sam, thanks for the quickest response.

     

    I am planning to use below irule since forwarding VS doesn't understand HTTP which means I can't use HTTP events. Do you think it is appropriate? On the other hand, my concern is this will log all traffic including non-web.

     

    Thanks

     

    when CLIENT_ACCEPTED {

     

    set vip [IP::local_addr]:[TCP::local_port] }

     

    when SERVER_CONNECTED {

     

    set client "[IP::client_addr]:[TCP::client_port]" set node "[IP::server_addr]:[TCP::server_port]" }

     

    when CLIENT_CLOSED {

     

    log connection info log local0.info "Client $client -> VIP: $vip -> Node: $node"

     

    }

     

    • Sam_Richman_263's avatar
      Sam_Richman_263
      Historic F5 Account
      Aug 28, 2013
      This is a good start, yes. You could also use an if statement to limit logging to connections destined for port 80 or 443 to log just web traffic. You may be able to get away with using an all addresses network virtual server of standard type with a pool comprised of your firewall or gateway. Just be sure to turn off address and port translation. You should then be able to assign an HTTP profile to this virtual server and use HTTP iRule events. I have not labbed out this particular configuration, so I am not sure it will work, but it might be worth a try. If you need to use the network forwarding virtual server, you could write a complex iRule to parse the TCP payload for HTTP content, but this would take some doing, and will cause some latency, I imagine.