
21 de mayo de 2018

F5 BIG-IP ASM – Positive Security Policy



I wrote about Policy Tuning and Violations last week, where I created a Negative Security Policy, named Rapid Deployment Policy (RDP), to protect web applications from attacks. This kind of policy is useful to protect web applications from known attacks. However, this week I want to write about Positive Security Policy, where I’m going to create a security policy manually to customize and accept which file types, URLs and parameters will be used by my web application. This kind of policy is more difficult and complex to configure than a Negative Security Policy, but it is able to defeat sophisticated and complex threats better than a Negative Security Policy.

When we configure a security policy manually, we can choose Never (Wildcard Only), Selective or Add All Entities as the learning mode for file types, URLs and parameters. For instance, if we choose Add All Entities, we’ll have a comprehensive whitelist policy that includes ALL of the website entities. Add All Entities will form a large set of security policy entities, which will produce a granular object-level configuration and a high security level. However, it may take more time to maintain such a policy.


On the other hand, the Never (Wildcard Only) option is the easiest security policy to manage because many application objects will share the same security settings, driven from the global or wildcard level. In addition, when false positives occur the system will suggest relaxing the settings of the wildcard entity, and because every object inherits from the wildcard, this may result in overall relaxed application security. From my point of view, this is a good option for URL entities because most applications usually have lots of URLs, which are difficult to manage individually in a security policy.


The third learning option is Selective, which offers intermediate protection between Never (Wildcard Only) and Add All Entities. With this option, when false positives occur, the system will add (or suggest adding) an explicit entity with relaxed settings that avoids the false positive, instead of relaxing the wildcard. In other words, Selective mode is suitable for applications containing entities which use similar or identical attributes. However, if some of the entities need special handling, the policy can be expanded to include exceptional explicit entities just for those outliers. Therefore, this option serves as a good balance between security, policy size and ease of maintenance.


To sum up, if we want a comprehensive security policy to defeat sophisticated and complex threats, we’ll have to configure a positive security policy, along with a negative security policy as well, choosing among the Add All Entities, Selective and Never (Wildcard Only) options for file types, URLs and parameters. However, we always have to take into account that the Add All Entities mode is time-consuming but offers highly granular protection of entities, while the Never (Wildcard Only) mode is easy to manage but offers low protection of entities.
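To make the difference between the three learning modes concrete, here is a small model of a positive (allow-list) parameter policy that I have added to this post. It is not F5 code: the entity attributes (`max_len`, `allow_meta`), the violation names, the metacharacter set and the request values are all constructed assumptions. The interesting part is `learn()`, which accepts a learning suggestion for a false positive and shows which entity gets relaxed in each mode, and `compare_modes()`, which shows the collateral effect on an unrelated parameter.

```python
"""Toy model of a positive (allow-list) security policy for request
parameters, showing what a false-positive learning suggestion relaxes
under Never (Wildcard Only), Selective and Add All Entities.
Added illustration, not F5 code: entity attributes, violation names,
the metacharacter set and the sample values are constructed assumptions."""
from dataclasses import dataclass, field, replace
from fnmatch import fnmatch

META = set("<>'\";()")  # constructed set of "metacharacters"


@dataclass
class Entity:
    pattern: str              # "*" is the wildcard entity, anything else is explicit
    max_len: int = 32         # accepted value length (constructed default)
    allow_meta: bool = False  # accept metacharacters in the value?


@dataclass
class ParameterPolicy:
    mode: str                 # "never" (wildcard only), "selective" or "add_all"
    entities: list = field(default_factory=lambda: [Entity("*")])

    def wildcard(self):
        return next((e for e in self.entities if e.pattern == "*"), None)

    def lookup(self, name):
        """Explicit entities take precedence over the wildcard entity."""
        for e in self.entities:
            if e.pattern != "*" and fnmatch(name, e.pattern):
                return e
        return self.wildcard()

    def add_all_entities(self, names):
        """Add All Entities: every parameter the application uses becomes explicit,
        initially copying the wildcard settings."""
        for n in names:
            if self.lookup(n) is self.wildcard():
                self.entities.insert(0, replace(self.wildcard(), pattern=n))

    def check(self, name, value):
        """Return the violation raised by a request parameter, or None if accepted."""
        ent = self.lookup(name)
        if ent is None:
            return "illegal parameter"
        if len(value) > ent.max_len:
            return "illegal parameter value length"
        if not ent.allow_meta and META & set(value):
            return "illegal meta character in value"
        return None

    def learn(self, name, value):
        """Accept a learning suggestion for a false positive on (name, value).
        Returns the pattern of the entity that was relaxed, or None."""
        viol = self.check(name, value)
        if viol is None:
            return None
        if self.mode == "never":
            target = self.wildcard()          # only the wildcard exists to relax
        else:
            target = self.lookup(name)
            if target is None or target.pattern == "*":
                # Selective: create an explicit outlier entity instead of touching "*"
                base = self.wildcard() or Entity("*")
                target = replace(base, pattern=name)
                self.entities.insert(0, target)
        if target is None:
            return None
        if viol == "illegal parameter value length":
            target.max_len = len(value)
        elif viol == "illegal meta character in value":
            target.allow_meta = True
        return target.pattern


def compare_modes():
    """Learn the same false positive (a long 'comment' value) under each mode and
    report whether the unrelated parameter 'id' is relaxed as a side effect."""
    long_comment = "x" * 80
    long_id = "9" * 80
    results = {}
    for mode in ("never", "selective", "add_all"):
        policy = ParameterPolicy(mode)
        if mode == "add_all":
            policy.add_all_entities(["id", "comment", "page"])  # constructed app parameters
        relaxed = policy.learn("comment", long_comment)
        results[mode] = {
            "relaxed_entity": relaxed,
            "comment_ok": policy.check("comment", long_comment) is None,
            "id_ok": policy.check("id", long_id) is None,   # True = collateral relaxation
            "entities": len(policy.entities),
        }
    return results


if __name__ == "__main__":
    for mode, r in compare_modes().items():
        print(mode, r)
```

Running it shows the trade-off the post describes: in `never` mode the suggestion relaxes `*`, so the long `id` value is now accepted too; in `selective` mode a single explicit `comment` entity is created and `id` stays protected; in `add_all` mode every parameter is already explicit, so the policy is larger but the relaxation is just as contained.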


Regards my friends. Keep reading and keep studying!!

14 de mayo de 2018

F5 BIG-IP ASM – Policy Tuning and Violations



Web Application Firewalls (WAF) should be configured properly to understand the web application’s logic, because if a WAF is not well configured, intruders will be able to get access to applications. This is the main reason why developers should take part in WAF deployment projects. However, developers sometimes want to add lots of security code into applications or, even worse, they don’t want to know anything about security. From my point of view, developers should take part in WAF deployment projects, but security should be managed by security engineers. I mean, developers should improve applications with new features and enhancements while security engineers should protect applications.

Organizations don’t take advantage of lots of security tools like antivirus, network firewalls, Web Application Firewalls (WAF), Security Information and Event Management (SIEM) systems, Network Access Control (NAC) systems or vulnerability assessment tools because these tools are time-consuming, companies don’t have security staff, and IT engineers never have enough time to configure these tools properly. Therefore, security tool tuning, such as firewall policy tuning, is most of the time difficult to accomplish.

When I talk about Policy Tuning and Violations, for instance for a WAF deployment, I’m talking about choosing the right learning mode, defining learning suggestions, defining the Learn, Alarm and Block settings, or defining the Enforcement Readiness Period. Next, we can watch how I create a negative security policy based on the Rapid Deployment Policy (RDP), accept learning suggestions for false positives, and block XSS attacks. A negative security policy configuration like this should be the first phase of a WAF deployment.


Once we are protecting web applications with a negative security policy, we should take the plunge to a positive security policy. This will be more difficult because we need the developers’ participation. That is, developers have to know which entities are used by the applications. For instance, we have to know about file types, URL redirections, cookies, static and dynamic parameters, etc. Therefore, a negative security policy along with a positive security policy will be real protection for your web services.
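Since the post lists the Learn, Alarm and Block settings and the Enforcement Readiness Period as the knobs of policy tuning, here is an added model of how those knobs combine into a per-request decision. It is not F5 code: the violation names, the 7-day readiness period, the two enforcement modes and the request lines are constructed assumptions. The point it makes is that an entity still inside its readiness period (staging) is learned and alarmed but never blocked, even when the violation itself has Block enabled and the policy is in blocking mode.

```python
"""Toy model of the Learn / Alarm / Block settings and the Enforcement
Readiness Period (staging) of a WAF policy.  Added illustration, not F5
code: violation names, the 7-day period, the enforcement modes and the
sample requests are constructed assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta

READINESS_PERIOD = timedelta(days=7)   # constructed enforcement readiness period


@dataclass
class ViolationSetting:
    learn: bool    # feed the learning suggestions
    alarm: bool    # log / report the request
    block: bool    # reject the request (only when the policy is in blocking mode)


@dataclass
class Policy:
    enforcement_mode: str   # "transparent" or "blocking"
    violations: dict        # violation name -> ViolationSetting
    staged_since: dict      # entity name -> date it entered staging


def in_staging(policy, entity, today):
    """An entity is staged until its enforcement readiness period has elapsed."""
    start = policy.staged_since.get(entity)
    return start is not None and today - start < READINESS_PERIOD


def enforcement_ready(policy, today):
    """Staged entities whose readiness period has elapsed and can be enforced."""
    return sorted(e for e in policy.staged_since if not in_staging(policy, e, today))


def decide(policy, violation, entity, today):
    """Return the sorted list of actions taken for one violation on one entity."""
    setting = policy.violations[violation]
    actions = []
    if setting.learn:
        actions.append("learn")
    if setting.alarm:
        actions.append("alarm")
    blocking = policy.enforcement_mode == "blocking"
    if setting.block and blocking and not in_staging(policy, entity, today):
        actions.append("block")
    return sorted(actions)


def run_sample(today=date(2018, 5, 14)):
    """Apply a constructed policy to a few constructed requests."""
    policy = Policy(
        enforcement_mode="blocking",
        violations={
            # constructed names; Block enabled only for the signature violation
            "attack signature detected": ViolationSetting(learn=True, alarm=True, block=True),
            "illegal file type": ViolationSetting(learn=True, alarm=True, block=False),
        },
        staged_since={
            "/new-feature": today - timedelta(days=2),    # still inside the period
            "/search": today - timedelta(days=30),        # period elapsed
        },
    )
    requests = [  # constructed: (entity, violation raised or None)
        ("/search", "attack signature detected"),
        ("/new-feature", "attack signature detected"),
        ("/search", "illegal file type"),
        ("/search", None),
    ]
    decisions = [
        (entity, viol, decide(policy, viol, entity, today) if viol else [])
        for entity, viol in requests
    ]
    return decisions, enforcement_ready(policy, today)


if __name__ == "__main__":
    decisions, ready = run_sample()
    for entity, viol, actions in decisions:
        print(f"{entity:14} {viol or '-':28} {actions}")
    print("ready to enforce:", ready)
```

In the sample, the same signature violation is blocked on `/search` (readiness period elapsed) but only learned and alarmed on `/new-feature` (still staged), and the file-type violation is never blocked because its Block flag is off; `enforcement_ready()` lists the staged entities that can now be moved to enforcement, which is the decision the readiness period exists to support.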

Regards my friends. Drop a line with the first thing you are thinking.