28 September 2020

F5 ASM ReCertified Technology Specialist

I don’t know if you have realised I’m writing a lot about F5 ASM lately. The aim of these last posts is to study for the recertification exam. I took the 303 – BIG-IP ASM Specialist exam last week, which I passed successfully. I'm glad to say I've learnt a lot studying for this exam. Today, I’m going to write an overview of all the things I have been reading, writing and testing about F5 ASM, such as labs, KB, YouTube videos and exams.

You will have already seen my last posts where I’ve written about some labs I’ve recorded. For instance, I wanted to know how Compact Mode works, and I recorded a video. I’ve also recorded labs about Bot Defense, Fundamental Security Policy and blocking some attacks such as XSS attack. In addition, I wrote about F5 Advanced WAF and BIG-IP ASM, which is a question most customers ask me.

You will have also read posts about Good Protection, Elevated Protection, High Protection and Maximum Protection. I think these are three interesting posts which help us to start small, but most of all, start. We should start with Good Protection, where a Rapid Deployment Policy with IP Intelligence and Threat Campaign are enough for a good security level. However, if you want to improve the security level, the maximum protection will help you with Data Guard, DAST integration and advanced security features.

Understanding how to build web application security policies with entities is also very important to pass the ASM specialist exam. Firstly, we have to know what an entity is. File types, URLs, Parameters, Cookies and Redirection domains are the entities we are going to protect. Finally, we are going to use a learning strategy to learn these entities. We can choose learning with Always (Add All Entities), Selective, Never (Wildcard Only) or the new learning setting of Compact Mode.

Reading the BIG-IP ASM operation guide is mandatory to pass the exam. There are 9 chapters that you should read. You will learn everything from the benefits of WAF protection to how to collect BIG-IP ASM data for troubleshooting. Although I had already read it two years ago, I’ve read it again to remember concepts and tips. In addition to knowing how ASM works, it’s also important to know how BIG-IP works. For instance, we should know how data and control plane tasks use separate logical cores when the BIG-IP system CPU uses the HTSplit feature.

Finally, what is also really useful are the YouTube videos of the F5 Networks WW Field Enablement channel, where there is a playlist with more than 40 videos about ASM and Advanced WAF. What’s more, you can take practice exams from Exam Studio, which contain the same number of items, time constraints, and difficulty, and simulate the proctored, production exam experience.

Thanks and luck!

21 September 2020

F5 ASM - Comprehensive Security Policy

The comprehensive security policy helps us to provide the maximum security, with all violations, features and learning suggestions, to a website. This is a security policy recommended for expert users because it requires deep knowledge of security and F5 ASM. In addition, a comprehensive security policy requires much more administrative effort than other security policies such as the fundamental security policy. Therefore, if you are a beginner, I would recommend the Fundamental Security Policy.

Overview of BIG-IP ASM security policy templates

I’ve recorded a video while I was testing with a comprehensive security policy. Firstly, I’ve adjusted the learning options for file types, URLs and parameters to the Always mode. This is the best way to learn all entities. Secondly, I’ve generated traffic and I’ve seen there were entities on the whitelists. Thirdly, I’ve adjusted the learning speed to stabilize the security policy. It was stabilized when most entities were no longer in Staging and wildcards were removed from the whitelists. Finally, I’ve configured the learning mode to Manual instead of Automatic. Therefore, once the security policy was stabilized and it was in manual learning mode, attacks were detected and blocked.

Thanks, have a nice day!

14 September 2020

F5 ASM – Compact Mode

I’ve already written about learning with Add All Entities, learning with Never (Wildcard Only) and learning with Selective in the F5 BIG-IP ASM – Positive Security Policy Building post two years ago. However, updates to Policy Builder in BIG-IP 13.0 include a new learning mode, which is the Compact mode. I would like to highlight how this new mode works: it sits between Never (Wildcard Only) mode and Selective mode in terms of maintenance effort and granular protection. Therefore, Compact mode is used to reduce policy complexity and simplify maintenance.

You can watch how Compact mode works in the video I’ve recorded. Firstly, I’ve created a fundamental security policy in which I’ve manually changed the learning of new parameters to Compact mode. In addition, I’ve added my IP address as a trusted IP address because this is the best way for the score to reach 100% in the learning process. Secondly, I’ve configured the wildcard parameter with a maximum length of 10 bytes. This is a requirement to trigger security violations and it’s the best option for learning suggestions. In fact, we can finally watch that a new parameter is learnt and there are no longer new learning suggestions for parameters.

Thanks, drop me a line with the first thing you are thinking!!

7 September 2020

F5 ASM – Bot Defense

I wrote about F5 BIG-IP ASM – Bot Protection two years ago when I was studying for the F5 BIG-IP ASM Certified Technology Specialist exam. It was great because I passed the exam. Today, I’m studying again for the recertification exam. Therefore, I’ve recorded two new videos about Bot Defense but, this time, with BIG-IP version 14.1.2. You can watch two videos: the first one is for blocking bot requests, and the second one is for whitelisting bot requests.

The first video is about blocking bot requests. Firstly, we can watch how to create a bot logging profile and a bot defense profile. Secondly, we run the curl tool against a web service, where we can see that the curl tool is identified as an Untrusted Bot, which is alarmed, and the Nikto vulnerability scanner is identified as a Malicious Bot, which is blocked. Thirdly, we have configured the CAPTCHA mitigation setting for malicious bots, where we can see there is a challenge when we run the curl tool with the Nikto user agent. Finally, we have configured the TCP Reset mitigation setting for Nikto.

The second video is about whitelisting bot requests. Firstly, we can watch how to create a bot logging profile and a bot defense profile. Secondly, we run the curl tool against a web service, where we can see that the curl tool is identified as an Untrusted Bot, which is alarmed. Thirdly, we have configured an exception for curl, where we can see that traffic is not alarmed. Finally, we have configured rate limiting for Unknown Bot, and we can see that even though we have whitelisted the curl bot, we can still ensure that it is rate-limited to prevent stress on the application.

Thanks, it’s your turn!
