Nokron
WAF F5
NokronGitLabELK stackWAF F5
WAF F5
NokronGitLabELK stackWAF F5
  • BIG-IP Application Security Manager
    • HTTP Protocol
      • Deep Dive to “HTTP Request” on ASM Module
      • ASM Example: Detecting a Malicious HTTP Request
    • Introduction to OWASP Top-10 Security Risks
    • Application Security Policy Templates in F5 ASM
      • Security Policy Levels
      • Explicit Entities Learning
      • Policy Modification
      • Gradual / Modular Blocking
      • Application Security Policy Lifecycle
      • Security Policy Enforcement Modes
      • Security Policy Violation Flags
      • How to Increase Learning Score / Deployment Speed
      • Comparison: Enforcement Mode, Learning Mode, and Violation Flags
    • Security Entities in Application Security Policy
      • Enforcement Readiness Summary
      • HTTP / HTTPS / WS / WSS URLs
      • Allowed Parameters in Security Policies
      • Allowed File Types in Security Policies
    • Tuning Security Policies: Analyzing and Categorizing Violations
      • Learning Suggestions in Security Policy Tuning
      • Policy Diff: Comparing and Auditing Security Policies
    • IP Address Exception Properties in ASM/AWAF
    • Cross-Site Request Forgery (CSRF) Protection in F5 ASM/AWAF
    • Sensitive Data Masking / Scrubbing (Data Guard) in F5 ASM/AWAF
    • Anti-virus Protection through an ICAP Server in F5 ASM/AWAF
    • Cookies in F5 ASM/AWAF Security
    • Session Tracking and Session Awareness in F5 ASM/AWAF
    • Evasion Technique Detection in F5 ASM/AWAF
    • Important Tips about Security Policy in F5 ASM/AWAF
    • L7 DDoS Attack Protection Configuration
    • TPS-based Attack Vectors and Stress-based Attack Vectors
    • Mitigation Techniques for DoS and Bot Protection
    • Important Tips about Events Logging
    • High-Speed Logging (HSL) Configuration
    • Web Threat Campaigns (v14.0+)
    • IP Intelligence (IPI) Subscription-Based License
    • Geo-IP Database Functionality
    • General Security Standards and WAF Support
    • ASM - Virtual Edition (VE) Tips
    • How to Bypass ASM Module
    • ASM Traffic Processing Daemon (bd)
    • ASM and AAM Integration
  • BIG-IP LTM Technology
    • Source IP Address and PORT Translation in BIG-IP
    • Packet Filters
    • Traffic / Service Profiles in BIG-IP
    • Virtual Servers and Their Behavior with Different Profiles in BIG-IP
      • Detailed Overview of Profiles in BIG-IP LTM
      • Optimizing for Mobile Clients in BIG-IP LTM
      • Connection Mirroring in BIG-IP LTM
      • AVR (Analytics) Profile in BIG-IP LTM
      • Health Monitoring in BIG-IP LTM
      • SSL Profile in BIG-IP LTM
      • Load-balancing Methods in BIG-IP LTM
      • Persistence Profile in BIG-IP
      • CMP vs. SMP in BIG-IP Systems
      • OneConnect Profile in BIG-IP
Powered by GitBook
On this page
  1. BIG-IP Application Security Manager
  2. Application Security Policy Templates in F5 ASM

Policy Modification

Loosen Policy

  • Purpose:

    • Starts with a stricter security posture and gradually reduces restrictions as legitimate traffic patterns are identified.

    • Focused on reducing false positives by adjusting policy rules to match observed legitimate traffic.

  • Key Characteristics:

    1. Automatic Legitimate Traffic Recognition:

      • Traffic is automatically declared legitimate once it reaches a predefined threshold of safe behavior.

    2. Reduction in Violation Triggers:

      • Focuses on minimizing violations by adapting the policy to real-world traffic.

    3. Disabling Attack Signatures:

      • Temporarily disables attack signatures for certain types of traffic to avoid unnecessary blocking.

    4. Limited Restrictions During Early Policy Building:

      • Entities are placed in staging, where violations and blocking are disabled to allow observation and analysis of traffic patterns.

    5. Gradual Relaxation:

      • The security posture is adjusted based on observed traffic behavior to ensure a balance between security and usability.

  • Use Case:

    • Applications with a well-defined set of behaviors where initial traffic can be used to fine-tune the policy.

    • Organizations concerned about false positives impacting application availability.

Tighten Policy

  • Purpose:

    • Starts with minimal security enforcement and builds up over time as traffic behavior is analyzed.

    • Focused on strengthening security by gradually enforcing strict rules and removing generic allowances.

  • Key Characteristics:

    1. Starts with a Blank List:

      • The policy begins without predefined restrictions, allowing all traffic initially.

    2. Incremental Enforcement:

      • Gradually enforces rules for entities like file types, parameters, and URLs based on observed legitimate traffic.

    3. Attack Signature Enforcement:

      • Attack signatures not triggered during the Enforcement Readiness Period (staging phase) are enforced.

    4. Removal of Wildcards:

      • Wildcards are deleted, and specific entities are defined and enforced to create a stricter policy.

    5. Policy Stability:

      • Once traffic no longer includes new elements, and existing rules have been enforced, the policy is considered STABLE.

  • Use Case:

    • New or dynamic applications where traffic patterns are initially unpredictable.

    • Organizations requiring a robust and gradual security posture improvement.

Comparison Table

Aspect

Loosen Policy

Tighten Policy

Starting Point

Fully-enforced list with strict rules

Blank list with no initial restrictions

Objective

Reduce false positives and ease restrictions

Gradually strengthen security and enforce rules

Approach

Gradual relaxation based on observed traffic

Incremental enforcement as traffic patterns stabilize

Attack Signatures

Disabled during initial policy building

Enforced after staging period if not triggered

Entity Handling

Entities placed in staging to analyze behavior

Wildcards replaced with enforced entities over time

Policy Stability

Declared when traffic behavior matches relaxed rules

Declared when no new elements are observed

Use Case

Apps with predictable, well-defined traffic patterns

Apps with dynamic or evolving traffic patterns

Best Practices

  1. Monitor Closely During Transition:

    • Whether loosening or tightening, regular monitoring ensures the policy evolves correctly without compromising security or usability.

  2. Balance Security and Usability:

    • Adjust the pace of modification to match the application's criticality and traffic complexity.

  3. Leverage Automatic Learning:

    • Use the Policy Builder for intelligent recommendations to minimize manual effort.

  4. Plan for Staging:

    • Use the staging period to gather traffic insights without enforcing violations immediately.

By carefully choosing between Loosening and Tightening, organizations can align their security posture with operational goals while maintaining robust protection.

PreviousExplicit Entities LearningNextGradual / Modular Blocking

Last updated 3 months ago