Forum Discussion

Vincent_96223
Jun 14, 2014

General HowTo ASM guide...

Dear F5 ASM gurus,

First off, I want to apologize if I am asking a stupid question here, but I am at the point of desperation for someone to help me gain a basic understanding of ASM. I have LTM and ASM modules on my 3900s. I have no problem working with LTM and understand the logic of it. I can follow the instructions and materials written on LTM, but for the love of God, I just do NOT see the light at the end of the tunnel for ASM. I have been to the training class, and read the ASM information on F5 on how to configure an ASM policy. I know I have to configure the real IPs, nodes, pool and assign them to a VIP. Then I can create an ASM policy using the wizard and associate it to the VIP. After that, everything else is a blur.

I have recently upgraded from 10.2.4 to 11.4.1. I think there's improvement in terms of the flow of the configuration tabs in the later version. It makes a little bit more sense, but not enough to make me comfortable working with ASM. I hope I am not the only one feeling like an idiot when it comes to dealing with ASM. When I call support, it seems I can work with the engineer on LTM issues very easily. But when I call for ASM issues, the support has a tough time explaining or helping me understand the issue.

If anyone has any suggestions or good reading material to help me understand ASM, I'm all ears!

Thank you for your patience and understanding...

VT


2 Replies

  • Let's start with some concepts.

    POSITIVE security model is deny all, allow only what is known to be good.

    NEGATIVE security model is allow all, deny only what is known to be bad.

    ASM = NEGATIVE and POSITIVE models

    NEGATIVE security model is essentially a signature scanning engine with 2k+ signatures. Each signature is a known method of attacking an application by exploiting the underlying application or database, or circumventing application logic.

    POSITIVE security model is essentially ASM learning your application. Put it in the right learning mode and tell your app testing guys "What you don't test won't work. So make sure you test everything." ASM will then pick up all URLs, filetypes, parameters and the data flowing through them. It builds an application ruleset for whatever you are trying to secure.

    Then you refine what it has learnt into entry and exit points to provide page protection for those web pages that should only be accessed by authorised users. Pretty much everything except the main and login page. There are many other things as well, but that's the core of the positive model.

    With both together it is a great combined model because it protects against many zero-day threats by default. Security is top priority with ASM. There is a ton of L7 DoS protection, including load-based attack protection. Cookies and dynamic parameters can all be protected with digital signatures. ASM is very strong in this area and it's one of the reasons it's a leading WAF product.

    For clarification I have included a few URLs below to explain how ASM sees them...

    Learning mode

    This is how ASM sees requests as they come in...

    https://www.myasm.com/mojo/special.htm?myval=23&myname=24

    Site using https

    Application is www.myasm.com

    Valid URL is /mojo/special.htm

    Valid parameters are myval and myname

    Valid cookies may be sessionid

    Valid characters permitted in myval, myname are alphanumeric

    Site entry/exit points means only after these can you get to special.htm above.

    https://www.myasm.com/login.aspx (entry)

    https://www.myasm.com/logoff.aspx (exit)

    Session tracking

    Cookie: sessionid=randomstringrepresentinguser

    Administrator-defined session tracking

    So some defaults that are useful to know...

    Rapid deployment policies are pretty much just negative security logic; they are often used for compliance requirements.

    Every object defined can be in staging. Think of this as a pre-policy state for any object. Objects in staging cannot be used to block anything. ASM watches them to see if they need to be updated during the staging period based on application traffic and learning mode. If they do not need further modification, ASM will recommend you take them out of staging.

    I hope that helps in your understanding of ASM. And yes, 11.4.1 is a great deal better.

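    To make the two models in the reply above concrete, here is an added toy evaluator (example code written for this thread, not ASM's engine or any F5 code) that applies the "learned" positive policy for www.myasm.com together with a couple of constructed negative-model signatures. The entry-point rule is modelled as "a sessionid cookie must already exist", and the staging behaviour (objects in staging are learned but never block) is mirrored with a `staging` set; both of those modelling choices and the signature patterns are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed negative-model signatures: toy stand-ins for ASM's 2k+ attack signatures.
SIGNATURES = {
    "xss_script_tag": re.compile(r"(?i)<\s*script"),
    "sqli_union_select": re.compile(r"(?i)\bunion\s+select\b"),
}

# Positive model "learned" from the reply's example site (all values hypothetical).
POLICY = {
    "host": "www.myasm.com",
    "entry_points": {"/login.aspx"},
    # URL -> {parameter: allowed-character pattern}
    "urls": {
        "/login.aspx": {},
        "/logoff.aspx": {},
        "/mojo/special.htm": {"myval": r"^[A-Za-z0-9]+$", "myname": r"^[A-Za-z0-9]+$"},
    },
}

def evaluate(url, cookies, staging=frozenset()):
    """Return (action, findings): 'pass', 'learn' (staged object, never blocks) or 'block'."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    block, learn = [], []
    # Positive model: only what was learned is allowed.
    if parts.scheme != "https" or parts.hostname != POLICY["host"]:
        block.append("illegal scheme or host")
    allowed = POLICY["urls"].get(parts.path)
    if allowed is None:
        (learn if f"url:{parts.path}" in staging else block).append(f"illegal URL {parts.path}")
    else:
        # Entry-point rule modelled as "a session cookie must already exist" (assumption).
        if parts.path not in POLICY["entry_points"] and "sessionid" not in cookies:
            block.append("entry point bypassed: no sessionid cookie")
        for name, values in params.items():
            if name not in allowed:
                (learn if f"param:{name}" in staging else block).append(f"illegal parameter {name}")
            elif not all(re.match(allowed[name], v) for v in values):
                block.append(f"illegal character in {name}")
    # Negative model: signatures run over every value regardless of the positive policy.
    for name, values in params.items():
        for sig, rx in SIGNATURES.items():
            if any(rx.search(v) for v in values):
                block.append(f"signature {sig} in {name}")
    if block:
        return "block", block
    return ("learn", learn) if learn else ("pass", [])
```

    A parameter the policy never learned is reported as "learn" while it sits in staging and becomes "block" once taken out, which is the difference between the hourglass and an enforced object in the Enforcement Readiness view.
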

  • Kevin,

    Thanks for taking the time to explain how ASM works. I am able to understand your explanation very clearly. I have been a firewall administrator for many years, so I understand the concept of positive and negative security models. In my training class, the instructor describes ASM as a positive security model, but your description is much more accurate. The signature database is static (pattern matching), and as such depicts a negative security model.

    Do you know of any literature or examples on deploying a simple ASM policy? Here is what I do when I create a security policy. I go to Security --> Application Security --> Security Policies, click create and use the deployment wizard. I get information from my developers like the OS, web application type, database, scripts, etc. and match the resources in the deployment wizard.

    In version 11.4.1, it seems the wizard automatically puts the policy in "Blocking Mode", though according to the online manual, it does NOT really block anything until it has learnt enough traffic patterns. To give you an example, I created a new policy on Monday of last week. When I checked the general progress under Security --> Overview --> Application --> Action Items, the policy builder stayed at 5% progress for a couple of days.

    I did see the policy detected some events. In the policy building status page, I clicked on each item in the detail section. It states it had detected some traffic (e.g. 17/50), and "rule satisfied". I was trying to see what it was referencing, but could not get any details. I went ahead and clicked "enable" (I think!) or "accept". I can't really remember because the real traffic policy builder is now disabled, and it says the policy building process has stabilized. So in the six days since the policy was created, it went from 5% general progress to "stabilized" in an instant.

    So at this point, I am trying to figure out what I am supposed to do. Under Manual Traffic Learning, I see a couple of violations. When I click on the violations, it tells me how many times it has occurred, and when I click on the occurrences link, it tells me the source of the request and when it happened. But I don't see what triggered the event. I can check the violation to "accept" it. What does that do? Does it mean I have identified the violation as a false positive, and all such future occurrences are "acceptable", or does it look at other factors too (e.g. source IP)?

    Then there is additional information under Enforcement Readiness. I see a bunch of parameters not enforced. When I click on the , I see the parameters, and most have staging=yes with the hourglass (waiting for additional traffic samples). Again, I could check the box and click enforce, but I am not sure what exactly it tells the ASM policy to do. Does it tell ASM those are expected parameters?

    At this point, I had to go to the VIP and disable the security policy. I had a developer call stating one of the pages on the site was getting blocked. Going to Security --> Event Logs --> Application, I could see the matching page that was blocked. How do I tell the policy the request was legitimate and it should be allowed?

    I have not found a guideline on how to react to these types of responses. What I have described above is just a summary of the questions I have on enabling the ASM policy. Hopefully, you can give me a few more pointers to help me enable the policy.

    Thanks again Kevin!

    Vincent