Forum Discussion

Vincent_96223
Oct 21, 2013

Newbie ASM questions...

Greetings!

I've been using the LTM on F5 for a while now, but my company is getting ready to commit to the use of ASM on our public-facing servers. I am more of a network (L2/L3) kind of person, which is most probably why I understand the LTM a whole lot better than ASM. I have been to the ASM class, but I am having trouble connecting all the "logical" dots together. I hope someone can help me better understand the workings of ASM.

So, a few months ago, I created a VIP with 3 nodes load balanced in a defined pool. I created an HTTP Class profile and associated it with this VIP. F5 support helped me configure the class profile, and told me the policy would be in staging mode for 7 days. Little was explained to me about how and what the policy does, except that it learns the traffic pattern during the staging stage. Afraid that the policy might block legitimate traffic, I left the policy in transparent mode since it was staged.

My management wants to deploy ASM, but they want to make sure we are not blocking legitimate traffic. With the little experience I have with ASM, I do not have the confidence to assure them of that. Currently, I look at Traffic Learning under "Manual Policy Building". I see two types of violations: File type length error and Attack signature staging. Having discussed it with the developers, the length violations are false positives. Here are my questions:

-- If the violations are false positives, do I just check the box, select "disable violation" and apply the policy?
-- Or should I just increase the max length value and re-apply the policy?
-- Since the policy is past the 7-day staging mode, when I reapply the policy with the new changes, does it go back to staging again?

I know there is plenty of information out on the net, but I have not found a good source to help me get comfortable working with ASM. There are a couple of good introductions to ASM, like

https://devcentral.f5.com/articles/the-big-ip-application-security-manager-part-1-what-is-the-asm.UmV0UFO91X9

and

https://devcentral.f5.com/articles/the-big-ip-application-security-manager-part-2-policy-building.UmV0LVO91X9

but I have not found an article on how to work with ASM during staging mode, or how to work with the policy during blocking mode. I think there is only a handful of people with an in-depth understanding of the complex inner workings of ASM, and I have yet to find someone or a knowledge base to help me truly understand how to work with ASM. Can you? :)

Any help or direction is much appreciated...

Thank you.

Vincent

 

4 Replies

  • OK, so the point of staging mode is to allow the ASM and its administrator to see what sort of traffic will pass through it. After the 7 days it will make suggestions, and you will want to use those in conjunction with knowledge of the application behind the ASM to make the adjustments in the policy. Once you make an adjustment on a staged entity, yes, the staging period is restarted again to see if any other violations occur. The idea behind this is that after a while you should see no more suggestions. However, if you have this deployed in a full production environment you may still see some due to people poking at your application from the outside looking for soft spots to attack. So you do need to have some knowledge of the application itself to know what is legitimate traffic and what is not if you are not in a "trusted" test environment. Are you using Policy Builder, or is it just in transparent mode and you are doing all manual learning? Mike
  • The ASM can make suggestions at any time, not just during the staging-tightening period. The staging-tightening period is used to suggest to the administrator that policy elements are 'safe', that is, they have had no false positives during the staging-tightening period, and it is safe to enforce them.
  • If you are seeing learning suggestions that you believe are false positives, then the correct action to take is to "Accept, Apply, or Allow", depending on the violation, not "disable violation". Selecting "disable violation" will clear the Learn/Alarm/Block flags for a specific violation (that is, the type of violation, not the violation on a specific entity).

    To use your example, if you select "disable violation", the ASM will no longer check file entities for length violations, which is probably not what you want. Accepting the violation, on the other hand, will cause the policy to be altered such that the characteristic that triggered the violation is now allowed. Again, to look at your example, this means that the allowed lengths of the entities that the violations were recorded against will be increased. Accepting learning suggestions on attack signatures stops the ASM from comparing application traffic to the attack signature in question.

    Security policies may be in transparent or blocking mode; entities may have tightening or staging enabled, or may be enforced. Accepting a learning suggestion on a particular entity isn't going to affect the status of the policy, and isn't going to change the tightening or staging status of the entity. It will cause the staging-tightening timer to reset, but only for that element.
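
The scope difference the two replies above describe (Mike's point that adjusting a staged entity restarts its staging period, and the second reply's point that "disable violation" acts on a violation type while "accept" acts on one entity), as an added example that is not from the original thread or from F5. It is a toy model of a security policy, not ASM's real data model or iControl REST API; the file type names, the 100-byte URL limit, the 150-byte request and the 7-day timer are constructed for illustration. Real ASM policies are edited in the BIG-IP GUI or over iControl REST, not with this code.

```python
# Added example, not from the original thread or from F5: a toy model that
# contrasts "disable violation" (per violation type, policy-wide) with
# "accept learning suggestion" (per entity). All names, limits and the policy
# structure are assumptions for illustration only.
from dataclasses import dataclass, field
from typing import Dict

STAGING_PERIOD_DAYS = 7  # the 7-day staging period mentioned in the thread


@dataclass
class FileType:
    """An allowed file type entity with one illustrative length limit."""
    name: str
    max_url_length: int
    staged: bool = True                         # new entities start in staging
    staging_days_left: int = STAGING_PERIOD_DAYS


@dataclass
class ViolationFlags:
    """Learn/Alarm/Block flags for one violation *type*, not for one entity."""
    learn: bool = True
    alarm: bool = True
    block: bool = True


@dataclass
class Policy:
    mode: str = "transparent"                   # "transparent" or "blocking"
    file_types: Dict[str, FileType] = field(default_factory=dict)
    length_violation: ViolationFlags = field(default_factory=ViolationFlags)


def check_request(policy: Policy, ext: str, url_length: int) -> str:
    """Classify one request as "pass", "alarm" (reported only) or "block"."""
    ft = policy.file_types.get(ext)
    if ft is None or url_length <= ft.max_url_length:
        return "pass"
    flags = policy.length_violation
    if not (flags.alarm or flags.block):
        return "pass"   # violation disabled: no file type is length-checked at all
    if flags.block and policy.mode == "blocking" and not ft.staged:
        return "block"
    return "alarm"      # transparent mode or staged entity: report, never block


def disable_violation(policy: Policy) -> None:
    """The "disable violation" action: clears the flags for the whole violation type."""
    policy.length_violation = ViolationFlags(learn=False, alarm=False, block=False)


def accept_suggestion(policy: Policy, ext: str, observed_length: int) -> None:
    """The "accept" action: widens only this entity and restarts only its timer."""
    ft = policy.file_types[ext]
    ft.max_url_length = max(ft.max_url_length, observed_length)
    ft.staging_days_left = STAGING_PERIOD_DAYS   # other entities' timers are untouched


def build_policy() -> Policy:
    """Constructed sample: blocking mode, two enforced file types (past staging)."""
    p = Policy(mode="blocking")
    p.file_types["php"] = FileType("php", max_url_length=100, staged=False, staging_days_left=0)
    p.file_types["jpg"] = FileType("jpg", max_url_length=100, staged=False, staging_days_left=0)
    return p


def compare_actions() -> dict:
    """Run the same false positive (a 150-byte .php URL) through both actions."""
    a = build_policy()                # path A: accept the suggestion for php only
    accept_suggestion(a, "php", 150)
    b = build_policy()                # path B: disable the violation type instead
    disable_violation(b)
    return {
        "accept_php": check_request(a, "php", 150),
        "accept_jpg": check_request(a, "jpg", 150),
        "accept_php_days": a.file_types["php"].staging_days_left,
        "accept_jpg_days": a.file_types["jpg"].staging_days_left,
        "disable_php": check_request(b, "php", 150),
        "disable_jpg": check_request(b, "jpg", 150),
    }


if __name__ == "__main__":
    for key, value in compare_actions().items():
        print(f"{key}: {value}")
```

Running it shows that after "accept" only the .php entity admits the long URL and only its staging timer goes back to 7 days, while an over-length .jpg request is still blocked; after "disable violation" nothing is length-checked any more, for any file type, which is the outcome the reply warns against.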

     

  • Hi, I am working on fine-tuning a security policy. If I accept a learning suggestion for a signature, does this allow all traffic against the signature, or only the URL or payload which I accepted through the learning suggestion? Thank you.