Application Security Policy Templates in F5 ASM

F5 ASM provides several ways to create and configure security policies tailored to different application types, traffic patterns, and security needs. Here is a breakdown of the main approaches:

1. Create a Security Policy Automatically

  • Options: Fundamental, Enhanced, Comprehensive.

  • How It Works:

    • The Real Traffic Policy Builder automatically creates a security policy by analyzing live application traffic.

    • It evaluates:

      • Patterns in requests.

      • User behavior.

      • The structure and intended behavior of the application.

    • Timeframe: This process may take several days depending on:

      • The number of requests sent.

      • The complexity and size of the website.

  • Limitations:

    • This method offers limited ability to fine-tune the resulting policies.

    • It’s intended for quick deployment without requiring detailed manual intervention.


2. Create a Security Policy Manually

  • Methods:

    • Rapid Deployment Policy (RDP):

      • A simplified, manual setup method designed for faster implementation.

      • Focuses on immediate protection while allowing manual adjustments over time.

    • Pre-defined Templates:

      • Application-ready security policies tailored for specific platforms or applications (e.g., SharePoint, WordPress).

      • Templates are pre-configured with baseline rules and require less manual setup.

  • Advantages:

    • Provides granular control for administrators to fine-tune the policy to the application’s needs.

    • Ideal for experienced users who need precise configurations.


3. Create a Security Policy for API-Based Applications

  • Focus: Protection for APIs, including REST APIs and GraphQL.

  • How It Works:

    • The system uses predefined configurations to create a security policy tailored to API behavior.

    • Protects against common API-specific threats such as:

      • Injection attacks.

      • Parameter tampering.

      • Schema or query violations (e.g., in GraphQL).

    • Additional Features:

      • Offers learning suggestions to refine security policies further.

      • Supports protection for XML/Web Services by validating schema, content types, and behaviors.
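As an added illustration, not taken from the original page or from F5's own documentation, the following is a declarative WAF policy in JSON that combines two of the approaches above: it seeds the policy from a predefined template (here the API security template) and references an OpenAPI file so the system can validate requests against the API's schema, while enforcement is left in transparent mode so violations are logged and surfaced as learning suggestions before blocking is switched on. It assumes a BIG-IP release that accepts the declarative JSON policy format; the template name, the open-api-files and policy-builder keys, and the learning mode value are taken from that format and are assumptions here, and the hostname in the OpenAPI link is a constructed placeholder.

```json
{
  "policy": {
    "name": "api_policy_example",
    "description": "Constructed example: API-based policy seeded from a predefined template",
    "template": {
      "name": "POLICY_TEMPLATE_API_SECURITY"
    },
    "applicationLanguage": "utf-8",
    "enforcementMode": "transparent",
    "open-api-files": [
      {
        "link": "https://api.example.test/openapi.json"
      }
    ],
    "policy-builder": {
      "learningMode": "automatic"
    }
  }
}
```

Swapping the template name for a rapid deployment, fundamental or comprehensive template (and dropping open-api-files) gives the manual and automatic variants described in the earlier sections; the enforcementMode value is changed to blocking only after the learning suggestions produced in transparent mode have been reviewed, so that schema mismatches caused by an outdated OpenAPI file are caught as log entries rather than as blocked legitimate traffic.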


4. Create a Security Policy Using 3rd Party Vulnerability Assessment Tool Output

  • Purpose:

    • Integrates results from external vulnerability scanning tools to build a targeted security policy.

  • Supported Tools:

    • Examples include:

      • WhiteHat Sentinel

      • IBM Rational AppScan

      • Cenzic Hailstorm

      • QualysGuard

      • HP WebInspect

  • How It Works:

    • The vulnerability scanner identifies weaknesses in the application.

    • The output is imported into ASM, which automatically adjusts the security policy to mitigate identified risks.

  • Advantages:

    • Addresses known vulnerabilities effectively.

    • Ensures that policies are directly aligned with the specific risks present in the application.


Comparison of the Methods

Method                          | Automation Level | Fine-Tuning Options        | Use Case
--------------------------------|------------------|----------------------------|-----------------------------------------------
Automatic (Real Traffic Policy) | High             | Limited                    | Quick protection with minimal intervention.
Manual (RDP or Templates)       | Medium           | High                       | Granular control and tailored configurations.
API-Based Applications          | Medium           | High                       | API-specific threats and schema validation.
3rd Party Vulnerability Tool    | High             | Moderate (based on output) | Targeted mitigation of known vulnerabilities.
