Nokron
WAF F5
NokronGitLabELK stackWAF F5
WAF F5
NokronGitLabELK stackWAF F5
  • BIG-IP Application Security Manager
    • HTTP Protocol
      • Deep Dive to “HTTP Request” on ASM Module
      • ASM Example: Detecting a Malicious HTTP Request
    • Introduction to OWASP Top-10 Security Risks
    • Application Security Policy Templates in F5 ASM
      • Security Policy Levels
      • Explicit Entities Learning
      • Policy Modification
      • Gradual / Modular Blocking
      • Application Security Policy Lifecycle
      • Security Policy Enforcement Modes
      • Security Policy Violation Flags
      • How to Increase Learning Score / Deployment Speed
      • Comparison: Enforcement Mode, Learning Mode, and Violation Flags
    • Security Entities in Application Security Policy
      • Enforcement Readiness Summary
      • HTTP / HTTPS / WS / WSS URLs
      • Allowed Parameters in Security Policies
      • Allowed File Types in Security Policies
    • Tuning Security Policies: Analyzing and Categorizing Violations
      • Learning Suggestions in Security Policy Tuning
      • Policy Diff: Comparing and Auditing Security Policies
    • IP Address Exception Properties in ASM/AWAF
    • Cross-Site Request Forgery (CSRF) Protection in F5 ASM/AWAF
    • Sensitive Data Masking / Scrubbing (Data Guard) in F5 ASM/AWAF
    • Anti-virus Protection through an ICAP Server in F5 ASM/AWAF
    • Cookies in F5 ASM/AWAF Security
    • Session Tracking and Session Awareness in F5 ASM/AWAF
    • Evasion Technique Detection in F5 ASM/AWAF
    • Important Tips about Security Policy in F5 ASM/AWAF
    • L7 DDoS Attack Protection Configuration
    • TPS-based Attack Vectors and Stress-based Attack Vectors
    • Mitigation Techniques for DoS and Bot Protection
    • Important Tips about Events Logging
    • High-Speed Logging (HSL) Configuration
    • Web Threat Campaigns (v14.0+)
    • IP Intelligence (IPI) Subscription-Based License
    • Geo-IP Database Functionality
    • General Security Standards and WAF Support
    • ASM - Virtual Edition (VE) Tips
    • How to Bypass ASM Module
    • ASM Traffic Processing Daemon (bd)
    • ASM and AAM Integration
  • BIG-IP LTM Technology
    • Source IP Address and PORT Translation in BIG-IP
    • Packet Filters
    • Traffic / Service Profiles in BIG-IP
    • Virtual Servers and Their Behavior with Different Profiles in BIG-IP
      • Detailed Overview of Profiles in BIG-IP LTM
      • Optimizing for Mobile Clients in BIG-IP LTM
      • Connection Mirroring in BIG-IP LTM
      • AVR (Analytics) Profile in BIG-IP LTM
      • Health Monitoring in BIG-IP LTM
      • SSL Profile in BIG-IP LTM
      • Load-balancing Methods in BIG-IP LTM
      • Persistence Profile in BIG-IP
      • CMP vs. SMP in BIG-IP Systems
      • OneConnect Profile in BIG-IP
Powered by GitBook
On this page
  1. BIG-IP Application Security Manager

Anti-virus Protection through an ICAP Server in F5 ASM/AWAF

F5 ASM/AWAF can integrate with external ICAP servers (Internet Content Adaptation Protocol) to provide anti-virus protection by inspecting HTTP file uploads for viruses before releasing them to the web server. This feature helps ensure that potentially malicious files are detected and blocked early in the web application security process, preventing them from reaching the backend systems.

Key Features of Anti-virus Protection via ICAP:

  1. Integration with ICAP Servers: F5 ASM can be configured to work as an ICAP client. This setup allows the system to send files for virus scanning to an external ICAP server, where popular anti-virus solutions (like McAfee, Symantec, Kaspersky, or Trend Micro) can inspect them for malicious content.

  2. File Types Processed:

    • Multipart and Binary Data: F5 ASM only sends multipart content with binary data to the ICAP server for virus scanning.

    • Non-Binary/Non-Multipart Data: For other content types (e.g., plain text or JSON), Attack Signatures (rather than virus scanning) are applied for security inspection.

  3. ICAP Server Setup:

    • To configure the ICAP server, navigate to Security > Options > Application Security > Integrated Services > Anti-Virus Protection in the F5 ASM management interface.

    • F5 ASM can be configured to work with various popular anti-virus programs that support ICAP, such as:

      • McAfee

      • Symantec

      • Kaspersky

      • Trend Micro

  4. Guarantee Enforcement:

    • The "Guarantee Enforcement" setting ensures that virus checking is always performed, even under performance conditions where resources are limited. This is crucial for maintaining the integrity of the security checks.

  5. Blocking Settings (Virus Detected Violation):

    • F5 ASM allows you to configure what happens when a virus is detected in a file upload. You can choose to either block or alarm the violation.

    • Navigate to Security > Application Security > Learning and Blocking Settings > Policy General Features to set these options.

  6. System Variables for ICAP Configuration:

    • For integration with the ICAP server, system variables such as icap_uri (ICAP server address) and virus_header_name (header name indicating virus detection) must be set up.

    • Navigate to Security > Options > Application Security > Advanced Configuration > System Variables to configure these variables.

    • By default, the Virus_Header_Name is set to "X-Virus-Name" and "X-Infection-Found", which are typical for McAfee anti-virus programs, but this can be adjusted for other anti-virus solutions.

Steps to Set Up ICAP Server for Anti-virus Protection:

  1. Configure ICAP Server Integration:

    • Go to Security > Options > Application Security > Integrated Services > Anti-Virus Protection.

    • Set the ICAP server URI and configure the virus header name as required (e.g., "X-Virus-Name" for McAfee).

  2. Enable Guarantee Enforcement:

    • In the Anti-virus Protection settings, enable the "Guarantee Enforcement" option to ensure virus scanning is always performed.

  3. Configure Blocking or Alarm for Virus Detection:

    • Go to Security > Application Security > Learning and Blocking Settings > Policy General Features to set the actions for when a virus is detected in a file. You can select to either block the request or trigger an alarm.

  4. Set System Variables for ICAP:

    • Navigate to Security > Options > Application Security > Advanced Configuration > System Variables.

    • Set the icap_uri (ICAP server address) and the virus_header_name for virus detection (default: "X-Virus-Name").

Considerations:

  • Performance: Enabling the Guarantee Enforcement setting ensures that even during high load conditions, the anti-virus checks will still be enforced, but it may impact performance, so ensure that your system can handle this load.

  • Supported Anti-virus Solutions: F5 ASM supports integration with popular anti-virus programs (McAfee, Symantec, Kaspersky, and Trend Micro) that support the ICAP protocol. Verify compatibility with your ICAP server and configure it accordingly.

  • Blocking vs. Alarming: You can choose whether the system should block file uploads containing viruses or just raise an alarm. For higher security, blocking is recommended, but for monitoring purposes, alarming might be more appropriate.

PreviousSensitive Data Masking / Scrubbing (Data Guard) in F5 ASM/AWAFNextCookies in F5 ASM/AWAF Security

Last updated 3 months ago