Security Entities in Application Security Policy

In the context of application security policy management (especially with tools like F5 ASM/AWAF), the term Security Entities refers to the distinct elements that the system monitors and correlates to build a robust security policy. These entities typically represent key components of web application traffic, and their attributes are crucial in defining and enforcing security rules. Here's a breakdown of the primary entity types and their associated attributes:

1. HTTP / HTTPS URLs

Attributes:

  • URL Path: The specific route or endpoint in the web application.

  • Query Parameters: Any data passed in the URL query string.

  • Domain: The hostname or subdomain from which the URL originates.

  • HTTP Method: The type of HTTP request (GET, POST, PUT, DELETE).

  • Protocol: HTTP vs. HTTPS to determine if the connection is encrypted.

Role in Security:

  • URLs are fundamental in identifying the target resources of a request.

  • The policy builder monitors the URL paths for unusual patterns or behaviors (e.g., SQL injection, path traversal).

  • Ensuring HTTPS usage helps in preventing man-in-the-middle (MITM) attacks.


2. WS / WSS URLs (WebSocket / Secure WebSocket)

Attributes:

  • Protocol: Whether the connection is WS (WebSocket) or WSS (Secure WebSocket).

  • URL Path: Similar to HTTP/HTTPS URLs, the path in a WebSocket request can be tracked for malicious behavior.

  • Origin: The source from where the WebSocket request is made.

Role in Security:

  • WebSocket connections often require different handling from standard HTTP requests since they involve persistent connections.

  • Monitoring WebSocket traffic helps detect attacks such as data exfiltration, DoS attacks, or Cross-Site WebSocket Hijacking (CSWH).


3. Parameters

Attributes:

  • Name and Value: The specific parameters and their values passed in the URL (for GET requests) or in the body (for POST requests).

  • Type: Query parameters, form parameters, and headers.

  • Length/Size: The size of parameter data can be an indication of suspicious activity (e.g., buffer overflow attempts).

Role in Security:

  • Parameters are frequently targeted for injection attacks (SQL, XSS, etc.).

  • The policy builder can inspect parameter values for known attack patterns (e.g., scripts or SQL code embedded in the parameters).

  • Ensuring proper validation of parameter input is essential to prevent exploits.
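
The parameter checks described above, written as an added example in Python (not code from the page or from F5's products): a small positive-security model in which every accepted parameter is listed with its location, maximum length and value format, and anything else is a violation. The rule table, parameter names and limits are constructed for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qsl

# Constructed positive-security rules: every parameter the application
# legitimately accepts, with its location, maximum length and value format.
@dataclass(frozen=True)
class ParamRule:
    location: str    # "query" (URL query string) or "form" (POST body)
    max_len: int
    pattern: str     # regex the whole value must match

RULES = {
    ("query", "id"):      ParamRule("query", 10, r"[0-9]+"),
    ("form", "username"): ParamRule("form", 32, r"[A-Za-z0-9_.-]+"),
    ("form", "comment"):  ParamRule("form", 500, r"[^<>]*"),
}

def extract_params(method, url, body=""):
    """Yield (location, name, value) for query-string and, on POST, form parameters."""
    query = urlsplit(url).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        yield ("query", name, value)
    if method.upper() == "POST" and body:
        for name, value in parse_qsl(body, keep_blank_values=True):
            yield ("form", name, value)

def check_parameters(method, url, body=""):
    """Return a list of (parameter name, reason) violations; empty means the request conforms."""
    violations = []
    for location, name, value in extract_params(method, url, body):
        rule = RULES.get((location, name))
        if rule is None:
            # Under a positive model an unlisted parameter is itself a violation
            violations.append((name, f"unknown {location} parameter"))
        elif len(value) > rule.max_len:
            # Length is checked first: oversized input never reaches the regex
            violations.append((name, f"length {len(value)} exceeds {rule.max_len}"))
        elif not re.fullmatch(rule.pattern, value):
            violations.append((name, "value does not match allowed format"))
    return violations

if __name__ == "__main__":
    print(check_parameters("GET", "/item?id=42"))
    print(check_parameters("POST", "/comment",
                           "username=alice&comment=<script>x</script>&debug=1"))
```

The length check runs before the format check so that a very long value is rejected cheaply, and an unlisted parameter is reported rather than ignored, which is the behaviour a policy in blocking mode would have for an entity that was never learned.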


4. File Types

Attributes:

  • File Extension: The type of file being uploaded or downloaded (e.g., .exe, .jpg, .pdf).

  • Content-Type: The MIME type, which informs the system of the file’s structure.

  • File Size: Some files may be abnormally large and could be used for attacks like DoS (Denial of Service).

Role in Security:

  • File uploads are a common attack vector, especially when malicious files are uploaded to the server (e.g., executable files or scripts).

  • Monitoring file types helps detect attempts to upload harmful content, such as web shells, viruses, or malware.
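
The file-type attributes above (extension, Content-Type, size) combined into one upload check, as an added Python example that is not code from the page or from F5. It also verifies the file's leading bytes against the declared type and flags double extensions such as `shell.php.jpg`; the allowed types, the executable-extension list and the size limit are constructed for the example.

```python
import os

# Constructed policy: allowed extensions, the MIME types each may carry,
# and the leading bytes ("magic") a genuine file of that type starts with.
ALLOWED_TYPES = {
    "jpg": {"mime": {"image/jpeg"},      "magic": b"\xff\xd8\xff"},
    "png": {"mime": {"image/png"},       "magic": b"\x89PNG\r\n\x1a\n"},
    "pdf": {"mime": {"application/pdf"}, "magic": b"%PDF-"},
}
# Server-side executable types that must never appear anywhere in an upload name
SCRIPT_EXTENSIONS = {"php", "phtml", "jsp", "asp", "aspx", "exe", "sh"}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024

def check_upload(filename, content_type, data):
    """Return the policy violations for one upload (empty list = accepted)."""
    # Strip any path component, Windows-style separators included
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return ["no file extension"]
    exts = parts[1:]
    final = exts[-1]
    if final not in ALLOWED_TYPES:
        return [f"extension .{final} not allowed"]
    violations = []
    # 'name.php.jpg': the final extension is fine, but an inner one is executable
    for ext in exts[:-1]:
        if ext in SCRIPT_EXTENSIONS:
            violations.append(f"double extension includes executable type .{ext}")
    rule = ALLOWED_TYPES[final]
    # Ignore parameters such as '; charset=...' when comparing the MIME type
    mime = content_type.split(";")[0].strip().lower()
    if mime not in rule["mime"]:
        violations.append(f"Content-Type {mime} does not match .{final}")
    # The declared type is only trusted if the content actually looks like it
    if not data.startswith(rule["magic"]):
        violations.append("file header does not match declared type")
    if len(data) > MAX_UPLOAD_BYTES:
        violations.append(f"size {len(data)} exceeds {MAX_UPLOAD_BYTES} bytes")
    return violations

if __name__ == "__main__":
    print(check_upload("photo.jpg", "image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 16))
    print(check_upload("../shell.php.jpg", "image/jpeg", b"\xff\xd8\xff"))
```

The extension, Content-Type and header bytes are three independent claims about the same file; checking all three means a client cannot get a script accepted merely by renaming it or by setting an image MIME type on the request.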


5. Redirection Domains

Attributes:

  • Target Domain: The destination domain of a redirection URL.

  • Redirect Type: Whether it's a 301 (permanent) or 302 (temporary) redirect.

  • Redirect Chain: The number of hops or redirects before reaching the final destination.

Role in Security:

  • Attackers often use redirections to lead users to phishing sites or malicious content.

  • Monitoring redirection behavior helps in preventing unauthorized or malicious redirection to suspicious domains.

  • It's important to limit redirects to trusted domains only.
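
Limiting redirects to trusted domains, with the redirect type and chain length from the attributes above, as an added Python example (not code from the page or from F5). It evaluates a Location header value against a constructed domain allowlist and handles the forms that a naive prefix check misses: protocol-relative `//host`, userinfo before an `@`, backslashes, and non-HTTP schemes. The allowlist, hop limit and chain data are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allowlist of domains a redirect may point to, and a hop limit
TRUSTED_DOMAINS = {"app.example.com", "sso.example.com"}
MAX_HOPS = 3
REDIRECT_STATUSES = {301, 302, 303, 307, 308}

def redirect_target_allowed(location):
    """Evaluate one Location header value; returns (allowed, reason)."""
    # Browsers treat a backslash like a forward slash, so normalise before parsing
    parts = urlsplit(location.strip().replace("\\", "/"))
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False, f"disallowed scheme {parts.scheme!r}"
    if parts.scheme and not parts.netloc:
        # e.g. 'http:evil.example.net': clients disagree on how to resolve it, so reject
        return False, "absolute URL without a host"
    if not parts.netloc:
        return True, "relative redirect"
    # .hostname discards userinfo ('trusted@evil'), port and case
    host = parts.hostname or ""
    if host in TRUSTED_DOMAINS:
        return True, f"trusted host {host}"
    return False, f"untrusted host {host}"

def evaluate_chain(hops):
    """hops: constructed list of (status code, Location) pairs in the order followed."""
    if len(hops) > MAX_HOPS:
        return False, f"{len(hops)} hops exceeds limit of {MAX_HOPS}"
    for n, (status, location) in enumerate(hops, 1):
        if status not in REDIRECT_STATUSES:
            return False, f"hop {n}: status {status} is not a redirect"
        ok, reason = redirect_target_allowed(location)
        if not ok:
            return False, f"hop {n}: {reason}"
    return True, "chain ok"

if __name__ == "__main__":
    for loc in ("/account", "https://sso.example.com/login", "//evil.example.net/",
                "https://app.example.com@evil.example.net/"):
        print(loc, redirect_target_allowed(loc))
```

Exact-match on the parsed hostname is deliberate: a suffix or substring comparison would accept `app.example.com.evil.example.net`, and comparing the raw string would accept the userinfo form.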


6. Cookies

Attributes:

  • Name and Value: The name and content of the cookie.

  • Domain: The domain for which the cookie is valid.

  • Expiration: Cookies that expire too soon or remain valid for too long can be signs of improper configuration.

  • Secure/HttpOnly Flags: The Secure flag restricts a cookie to HTTPS connections and the HttpOnly flag keeps it out of reach of client-side JavaScript; a cookie missing these flags is exposed to interception on the wire and to theft by injected script.

Role in Security:

  • Cookies often store sensitive information such as session tokens or authentication credentials.

  • Monitoring cookies for issues like session fixation or session hijacking is essential.

  • Proper cookie flags (e.g., Secure, HttpOnly) and expiration policies help prevent many cookie-based attacks.
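
A check of the cookie attributes listed above (Secure, HttpOnly, domain, expiration) applied to Set-Cookie headers, as an added Python example that is not code from the page or from F5. The SameSite requirement, the application domain `example.com` and the seven-day lifetime limit are constructed policy values.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

MAX_LIFETIME_S = 7 * 24 * 3600          # constructed limit for session-bearing cookies
COOKIE_DOMAIN_SUFFIX = "example.com"    # constructed application domain

def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value}); attribute names lower-cased."""
    segments = [s.strip() for s in header.split(";")]
    name, _, value = segments[0].partition("=")
    attrs = {}
    for seg in segments[1:]:
        key, _, val = seg.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def cookie_lifetime(attrs, now):
    """Lifetime in seconds from Max-Age (takes precedence) or Expires; None for a session cookie."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"])
        except ValueError:
            return None
    if "expires" in attrs:
        try:
            return int((parsedate_to_datetime(attrs["expires"]) - now).total_seconds())
        except (TypeError, ValueError):
            return None     # unparseable or timezone-less date: treat as session cookie
    return None

def check_cookie(header, now=None):
    """Return the policy violations for one Set-Cookie header (empty list = compliant)."""
    now = now or datetime.now(timezone.utc)
    _name, _value, attrs = parse_set_cookie(header)
    violations = []
    if "secure" not in attrs:
        violations.append("missing Secure flag")
    if "httponly" not in attrs:
        violations.append("missing HttpOnly flag")
    if attrs.get("samesite", "").lower() not in ("strict", "lax"):
        violations.append("SameSite must be Strict or Lax")
    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain and domain != COOKIE_DOMAIN_SUFFIX and not domain.endswith("." + COOKIE_DOMAIN_SUFFIX):
        violations.append(f"Domain {domain} is outside the application's domain")
    lifetime = cookie_lifetime(attrs, now)
    if lifetime is not None and lifetime > MAX_LIFETIME_S:
        violations.append(f"lifetime {lifetime}s exceeds {MAX_LIFETIME_S}s")
    return violations

if __name__ == "__main__":
    print(check_cookie("session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=3600"))
    print(check_cookie("session=abc123; Path=/"))
```

Max-Age is evaluated before Expires because that is the precedence browsers apply, and a negative or zero lifetime is a deletion rather than a violation, so only lifetimes above the limit are reported.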


7. Attack Signatures

Attributes:

  • Signature Type: Type of attack being detected (SQL Injection, XSS, CSRF, etc.).

  • Severity: The criticality or risk associated with the attack signature.

  • Matched Pattern: The specific pattern or behavior that triggered the attack signature.

Role in Security:

  • Attack signatures are patterns in traffic that correspond to known attack vectors.

  • The policy builder uses predefined and custom attack signatures to block malicious attempts, such as injection attacks, DoS attacks, and more.

  • Signature-based detection is a crucial part of defending against automated attacks and vulnerability exploits.
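
The signature mechanism described above (signature type, severity, matched pattern) applied across the entities discussed earlier, as an added Python example that is not code from the page or from F5's signature set. Signatures are constructed for the example and are deliberately simple; the point is the structure: decode the input before matching, scan every entity of the request, record what matched where, and let severity drive the block-or-alarm decision.

```python
import re
from urllib.parse import unquote_plus

# Constructed signature set: (id, attack type, severity 1-5, regex applied to normalised text)
SIGNATURES = [
    ("SIG-1001", "SQL Injection",  5, r"'\s*(or|and)\s+\d+\s*=\s*\d+"),
    ("SIG-1002", "SQL Injection",  4, r"union\s+(all\s+)?select\b"),
    ("SIG-2001", "XSS",            4, r"<\s*script\b"),
    ("SIG-2002", "XSS",            3, r"\bon\w+\s*="),
    ("SIG-3001", "Path Traversal", 4, r"(\.\./|\.\.\\){2,}"),
]
COMPILED = [(sid, kind, sev, re.compile(pat, re.IGNORECASE)) for sid, kind, sev, pat in SIGNATURES]
BLOCK_SEVERITY = 4   # constructed enforcement threshold; lower-severity hits only alarm

def normalise(text):
    """Undo URL encoding (including double encoding) so a signature sees the decoded payload."""
    prev = None
    for _ in range(3):           # bounded: stops once decoding no longer changes the text
        if text == prev:
            break
        prev, text = text, unquote_plus(text)
    return text.lower()

def scan_request(request):
    """request: dict with 'url', 'params' (dict), 'headers' (dict), 'cookies' (dict).
    Returns a list of (signature id, attack type, severity, entity, matched text)."""
    fields = [("url", request.get("url", ""))]
    fields += [(f"param:{k}", v) for k, v in request.get("params", {}).items()]
    fields += [(f"header:{k}", v) for k, v in request.get("headers", {}).items()]
    fields += [(f"cookie:{k}", v) for k, v in request.get("cookies", {}).items()]
    hits = []
    for entity, raw in fields:
        text = normalise(raw)
        for sid, kind, sev, rx in COMPILED:
            m = rx.search(text)
            if m:
                hits.append((sid, kind, sev, entity, m.group(0)))
    return hits

def decide(hits):
    """'block' if any hit reaches the enforcement severity, 'alarm' for lower-severity hits, else 'allow'."""
    if not hits:
        return "allow"
    return "block" if max(h[2] for h in hits) >= BLOCK_SEVERITY else "alarm"

if __name__ == "__main__":
    # Constructed request: the id parameter carries a double URL-encoded value
    req = {"url": "/item", "params": {"id": "1%2527%20OR%201%3D1"},
           "headers": {"user-agent": "Mozilla/5.0"}, "cookies": {"pref": "dark"}}
    hits = scan_request(req)
    print(hits, decide(hits))
```

Recording the entity and the matched text alongside the signature id is what makes the alarm actionable for the person tuning the policy: it shows which parameter, header or cookie fired and on what, so a false positive can be handled with a targeted exception rather than by disabling the signature.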


Summary of Security Entities

Security entities and their attributes are the foundation of a web application’s security policy. These entities, monitored by the BIG-IP ASM/AWAF system, provide detailed insights into incoming requests, enabling the system to:

  • Detect malicious activity.

  • Create detailed, customized security policies.

  • Block or allow traffic based on predefined security rules.

By identifying patterns in each entity type, the system can efficiently protect against a wide range of attacks and improve overall security posture.
