Security Policy Levels
The security policy levels in F5 ASM—Fundamental, Enhanced, and Comprehensive—offer progressively greater granularity and control over application security. These levels cater to organizations based on their security requirements, resources, and expertise. Here's a detailed breakdown:
1. Fundamental Policy
Overview: The default security policy setting that balances ease of use and adequate protection for most organizations.
Features:
Granularity: Provides sufficient granularity for typical use cases.
Ease of Maintenance: Designed to be simple to configure and maintain.
Core Protections:
HTTP Protocol Compliance: Ensures incoming requests adhere to HTTP standards.
Evasion Techniques: Detects and blocks attempts to bypass security measures (e.g., URL encoding attacks).
File Types and Lengths: Restricts access based on allowed file extensions and file sizes.
Attack Signatures: Detects known attack patterns using predefined or custom signatures.
Request Length Limit: Prevents excessively large requests, with a default buffer size of 10 MB.
Use Case:
Best suited for organizations looking for general, low-maintenance protection.
Works well for applications with relatively simple traffic patterns.
2. Enhanced Policy
(Available in older versions like BIG-IP ASM v13.0 and earlier)
Overview: Builds on the Fundamental policy by adding more granular controls for application-specific elements.
Features:
Includes all Fundamental features.
Adds protection for:
Parameters and Lengths:
Monitors and validates parameter values and lengths globally (not at individual parameter levels).
Cookies:
Detects cookie tampering and enforces cookie integrity.
HTTP Methods:
Controls which HTTP methods (e.g., GET, POST, DELETE) are allowed.
Use Case:
Suitable for organizations needing more specific controls without the complexity of the Comprehensive policy.
A step-up for applications requiring additional protections like cookie validation or method restrictions.
3. Comprehensive Policy
Overview: The most detailed and customizable security policy, offering advanced controls for organizations with strict security requirements.
Features:
Includes all Enhanced features.
Adds extensive granularity for advanced application protection:
URLs and Meta Characters:
Specifies and validates allowable URLs and character sets.
Parameters (Meta Characters):
Enforces specific parameter rules, including allowable characters.
Dynamic Parameters:
Learns and adapts to application-specific parameters using statistical analysis, providing more precise protection.
Deployment Considerations:
Requires careful planning and takes longer to deploy due to its complexity.
Needs expertise to configure and maintain.
Use Case:
Ideal for advanced users or environments with heightened security needs.
Best suited for applications handling sensitive data or facing persistent, sophisticated threats.
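How the three levels nest, modelled as an added Python example (not F5 code): each level's check function calls the level below it and appends its own violations, so Enhanced is Fundamental plus more, and Comprehensive is Enhanced plus more. The policy values, the HMAC cookie tag and the single evasion check (double URL encoding) are constructed stand-ins for what a real ASM policy configures or learns; dynamic parameter learning is not modelled.

```python
import hashlib, hmac, re
from urllib.parse import parse_qsl, urlsplit

# Constructed policy values for the demo; a real ASM policy configures or learns them per application.
MAX_REQUEST_BYTES = 10 * 1024 * 1024            # Fundamental: 10 MB default request buffer
ALLOWED_EXTENSIONS = {"", "html", "js", "css"}  # Fundamental: assumed allowed file types
ALLOWED_METHODS = {"GET", "POST"}               # Enhanced: assumed allowed HTTP methods
MAX_PARAM_LEN = 64                              # Enhanced: global parameter value length
COOKIE_KEY = b"constructed-demo-key"            # Enhanced: key for the cookie integrity tag
ALLOWED_URLS = {"/", "/login", "/search"}       # Comprehensive: assumed allowed URLs
META_CHARS = re.compile(r"[<>\"';]")            # Comprehensive: disallowed parameter meta characters

def sign_cookie(value):
    """Append an HMAC tag so that any change to the cookie value is detectable."""
    tag = hmac.new(COOKIE_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{value}.{tag}"

def fundamental(method, url, cookie_header="", body=b""):
    """Request length, file type and one evasion technique (double URL encoding)."""
    violations = []
    if len(body) > MAX_REQUEST_BYTES:
        violations.append("request_length")
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in ALLOWED_EXTENSIONS:
        violations.append("file_type")
    if re.search(r"%25[0-9a-f]{2}", url, re.IGNORECASE):
        violations.append("evasion")
    return violations

def enhanced(method, url, cookie_header="", body=b""):
    """Fundamental checks plus method allowlist, global parameter length and cookie integrity."""
    violations = fundamental(method, url, cookie_header, body)
    if method not in ALLOWED_METHODS:
        violations.append("http_method")
    if any(len(v) > MAX_PARAM_LEN for _, v in parse_qsl(urlsplit(url).query)):
        violations.append("parameter_length")
    for cookie in filter(None, (c.strip() for c in cookie_header.split(";"))):
        _, _, raw = cookie.partition("=")          # raw is "<value>.<tag>" when issued by us
        value, _, _ = raw.rpartition(".")
        if not hmac.compare_digest(sign_cookie(value).encode(), raw.encode()):
            violations.append("cookie_integrity")
    return violations

def comprehensive(method, url, cookie_header="", body=b""):
    """Enhanced checks plus URL allowlist and meta-character rules on parameter values."""
    violations = enhanced(method, url, cookie_header, body)
    parts = urlsplit(url)
    if parts.path not in ALLOWED_URLS:
        violations.append("url")
    if any(META_CHARS.search(v) for _, v in parse_qsl(parts.query)):
        violations.append("parameter_meta_char")
    return violations
```

Running the same request through all three functions shows which level would first flag it; a request that passes `comprehensive` also passes the two lower levels by construction.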
Comparison Table

Feature              | Fundamental                  | Enhanced     | Comprehensive
---------------------|------------------------------|--------------|---------------------------------------------
Ease of Use          | High                         | Moderate     | Low
Granularity          | Moderate                     | High         | Maximum
HTTP Compliance      | ✅                           | ✅           | ✅
Attack Signatures    | ✅                           | ✅           | ✅
File Types/Lengths   | ✅                           | ✅           | ✅
Request Lengths      | ✅ (10 MB default buffer)    | ✅           | ✅
Parameters           | ❌                           | Global-level | Full parameter and meta character controls
Cookies              | ❌                           | ✅           | ✅
HTTP Methods         | ❌                           | ✅           | ✅
URLs/Meta Characters | ❌                           | ❌           | ✅
Dynamic Parameters   | ❌                           | ❌           | ✅
Key Considerations for Choosing a Policy
Fundamental: For quick deployment and general protection with minimal maintenance.
Enhanced: For environments requiring intermediate customization, especially for parameters and cookies.
Comprehensive: For advanced environments needing the highest level of security and fine-grained control.
Each policy level can be tailored to meet the specific requirements of the application being protected, ensuring a balance between security, performance, and ease of maintenance.