Security Entities in Application Security Policy
In the context of application security policy management (especially with tools like F5 ASM/AWAF), the term Security Entities refers to the distinct elements that the system monitors and correlates to build a robust security policy. These entities typically represent key components of web application traffic, and their attributes are crucial in defining and enforcing security rules. Here's a breakdown of the primary entity types and their associated attributes:
1. HTTP / HTTPS URLs
Attributes:
URL Path: The specific route or endpoint in the web application.
Query Parameters: Any data passed in the URL query string.
Domain: The hostname or subdomain from which the URL originates.
HTTP Method: The type of HTTP request (GET, POST, PUT, DELETE).
Protocol: HTTP vs. HTTPS to determine if the connection is encrypted.
Role in Security:
URLs are fundamental in identifying the target resources of a request.
The policy builder monitors requested URL paths for unusual patterns or attack attempts (e.g., SQL injection, path traversal).
Enforcing HTTPS helps prevent man-in-the-middle (MITM) attacks on the traffic.
2. WS / WSS URLs (WebSocket / Secure WebSocket)
Attributes:
Protocol: Whether the connection is WS (WebSocket) or WSS (Secure WebSocket).
URL Path: Similar to HTTP/HTTPS URLs, the path in a WebSocket request can be tracked for malicious behavior.
Origin: The Origin header of the WebSocket handshake, identifying the site that initiated the connection.
Role in Security:
WebSocket connections require different handling from standard HTTP requests because they are persistent, bidirectional connections rather than single request/response exchanges.
Monitoring WebSocket traffic helps detect attacks such as data exfiltration, DoS attacks, or Cross-Site WebSocket Hijacking (CSWH).
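The Origin attribute above is the handshake field a policy checks to stop Cross-Site WebSocket Hijacking: a browser always sends it, so a handshake whose Origin is not on the application's allowlist can be refused before the persistent connection is ever established. The following is an added example (not code from the page or from F5) that normalizes the Origin value and compares it exactly against an allowlist; the allowed origins and header values are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist of origins permitted to open WebSocket connections
# (assumed values; a real deployment takes these from the application's policy).
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def normalize_origin(origin):
    """Return scheme://host[:port] with the default port stripped, or None if malformed."""
    parts = urlsplit(origin.strip().lower())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    default = {"http": 80, "https": 443}[parts.scheme]
    if port is None or port == default:
        return f"{parts.scheme}://{parts.hostname}"
    return f"{parts.scheme}://{parts.hostname}:{port}"


def evaluate_ws_handshake(headers, allowed=ALLOWED_ORIGINS):
    """Decide whether a WebSocket upgrade request may proceed.

    headers: dict of request header name -> value (matched case-insensitively).
    Returns (allowed, reason).
    """
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("upgrade", "").lower() != "websocket":
        return False, "not a WebSocket upgrade request"
    origin = h.get("origin")
    if origin is None:
        # Browsers always send Origin on a WebSocket handshake, so a missing
        # header means a non-browser client; treat it as untrusted here.
        return False, "missing Origin header"
    norm = normalize_origin(origin)
    if norm is None:
        return False, "malformed Origin header"
    allowed_norm = {normalize_origin(a) for a in allowed} - {None}
    if norm not in allowed_norm:
        # Exact comparison: a longer hostname that merely starts with an
        # allowed one (e.g. app.example.com.example.net) does not match.
        return False, f"origin {norm} not in allowlist"
    return True, "origin allowed"


if __name__ == "__main__":
    # Constructed handshake headers for a quick demonstration.
    sample = {"Upgrade": "websocket", "Connection": "Upgrade",
              "Origin": "https://app.example.com:443", "Sec-WebSocket-Version": "13"}
    print(evaluate_ws_handshake(sample))
```

Normalizing before comparing matters: "https://app.example.com:443" and "HTTPS://App.Example.com" are the same origin, while a string comparison would reject them and push operators toward looser prefix matching, which is exactly what an attacker's lookalike hostname exploits.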
3. Parameters
Attributes:
Name and Value: The specific parameters and their values passed in the URL (for GET requests) or in the body (for POST requests).
Type: Query parameters, form parameters, and headers.
Length/Size: The size of parameter data can be an indication of suspicious activity (e.g., buffer overflow attempts).
Role in Security:
Parameters are frequently targeted for injection attacks (SQL, XSS, etc.).
The policy builder can inspect parameter values for known attack patterns (e.g., scripts or SQL code embedded in the parameters).
Ensuring proper validation of parameter input is essential to prevent exploits.
4. File Types
Attributes:
File Extension: The type of file being uploaded or downloaded (e.g., .exe, .jpg, .pdf).
Content-Type: The MIME type declared by the client, which tells the system how the file's contents are structured.
File Size: Some files may be abnormally large and could be used for attacks like DoS (Denial of Service).
Role in Security:
File uploads are a common attack vector, especially when malicious files are uploaded to the server (e.g., executable files or scripts).
Monitoring file types helps detect attempts to upload harmful content, such as web shells, viruses, or malware.
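The three attributes above (extension, Content-Type, size) are all supplied by the client, so a useful file-type check compares them against each other and against the file's actual leading bytes rather than trusting any one of them. Below is an added example (not code from the page or from F5) of such a check; the allowed types, magic bytes and size cap are constructed policy values.

```python
import os

# Constructed upload policy (assumed values): permitted extensions, the Content-Type
# each must declare, the leading bytes a genuine file of that type starts with,
# and a size cap.
ALLOWED_FILE_TYPES = {
    ".jpg": {"content_type": "image/jpeg", "magic": b"\xff\xd8\xff"},
    ".png": {"content_type": "image/png", "magic": b"\x89PNG\r\n\x1a\n"},
    ".pdf": {"content_type": "application/pdf", "magic": b"%PDF-"},
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024


def check_upload(filename, content_type, data,
                 policy=ALLOWED_FILE_TYPES, max_bytes=MAX_UPLOAD_BYTES):
    """Return the list of policy violations for one uploaded file (empty list = accept)."""
    violations = []
    # Judge by the final extension only, so "report.pdf.exe" is rejected as .exe.
    ext = os.path.splitext(filename)[1].lower()
    rule = policy.get(ext)
    if rule is None:
        violations.append(f"extension {ext or '(none)'} not allowed")
        return violations
    # Strip parameters such as "; charset=utf-8" before comparing the MIME type.
    declared = content_type.split(";")[0].strip().lower()
    if declared != rule["content_type"]:
        violations.append(f"Content-Type {declared!r} does not match {ext}")
    # Checking the leading bytes catches a file that was merely renamed to an
    # allowed extension but contains something else entirely.
    if not data.startswith(rule["magic"]):
        violations.append(f"content does not look like a {ext} file")
    if len(data) > max_bytes:
        violations.append(f"size {len(data)} bytes exceeds limit of {max_bytes}")
    return violations
```

The function reports every mismatch it finds rather than stopping at the first one, which makes the violation list directly usable as an event's detail field when the upload is logged or blocked.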
5. Redirection Domains
Attributes:
Target Domain: The destination domain of a redirection URL.
Redirect Type: Whether it's a 301 (permanent) or 302 (temporary) redirect.
Redirect Chain: The number of hops or redirects before reaching the final destination.
Role in Security:
Attackers often use redirections to lead users to phishing sites or malicious content.
Monitoring redirection behavior helps prevent unauthorized or malicious redirection to suspicious domains.
It's important to limit redirects to trusted domains only.
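The three redirection attributes above map onto two concrete checks: resolve each Location value and confirm its target domain is trusted, and cap the number of hops in a chain. The following added example (not code from the page or from F5) implements both over a constructed, offline chain of responses; the trusted domains and hop limit are assumed policy values. Note that the Location value is resolved against the current URL before the domain check, so relative paths and scheme-relative forms such as "//host/path" are judged by the host they actually lead to.

```python
from urllib.parse import urljoin, urlsplit

# Constructed policy values (assumed): domains a redirect may point to, and the
# maximum number of hops a redirect chain may take before it is cut off.
TRUSTED_REDIRECT_DOMAINS = {"example.com", "login.example.com"}
MAX_REDIRECT_HOPS = 3
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def domain_is_trusted(host, trusted=TRUSTED_REDIRECT_DOMAINS):
    """True for an exact match or a subdomain of a trusted domain.

    Matching on a leading dot keeps "example.com.example.net" from passing.
    """
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in trusted)


def check_redirect_target(location, current_url, trusted=TRUSTED_REDIRECT_DOMAINS):
    """Classify one Location header value. Returns ("allow" | "block", resolved_url)."""
    resolved = urljoin(current_url, location.strip())
    parts = urlsplit(resolved)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "block", resolved
    if not domain_is_trusted(parts.hostname, trusted):
        return "block", resolved
    return "allow", resolved


def follow_redirect_chain(start_url, responses, max_hops=MAX_REDIRECT_HOPS,
                          trusted=TRUSTED_REDIRECT_DOMAINS):
    """Walk a chain of responses and return (verdict, hops_taken, visited_urls).

    responses: dict url -> (status_code, Location header or None); constructed
    here so the walk runs offline instead of making real requests.
    """
    url, hops, visited = start_url, 0, [start_url]
    while True:
        status, location = responses.get(url, (200, None))
        if status not in REDIRECT_STATUSES or not location:
            return "allow", hops, visited
        if hops >= max_hops:
            # Also terminates a redirect loop, which would otherwise never end.
            return "block:too-many-hops", hops, visited
        verdict, nxt = check_redirect_target(location, url, trusted)
        hops += 1
        visited.append(nxt)
        if verdict == "block":
            return "block:untrusted-domain", hops, visited
        url = nxt
```

The visited list is returned alongside the verdict so that a blocked chain can be logged in full; seeing the whole hop sequence is usually what tells an analyst whether a block was an open-redirect abuse or a misconfigured application.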
6. Cookies
Attributes:
Name and Value: The name and content of the cookie.
Domain: The domain for which the cookie is valid.
Expiration: Cookies that expire too soon or remain valid for too long can be signs of improper configuration.
Secure/HttpOnly Flags: Secure cookies (only sent over HTTPS) and HttpOnly cookies (not accessible via JavaScript) are more secure.
Role in Security:
Cookies often store sensitive information such as session tokens or authentication credentials.
Monitoring cookies for issues like session fixation or session hijacking is essential.
Proper cookie flags (e.g., Secure, HttpOnly) and expiration policies help prevent many cookie-based attacks.
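The cookie attributes listed above can be audited directly from the Set-Cookie headers a server emits. The following added example (not code from the page or from F5) parses one Set-Cookie value and reports missing Secure/HttpOnly/SameSite attributes, an over-broad Domain, and session cookies whose Max-Age or Expires exceeds a limit; the lifetime limit and the name fragments used to recognize session cookies are assumed values.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Assumed policy values: how long a session cookie may live, and name fragments
# that mark a cookie as carrying session or authentication state.
MAX_SESSION_LIFETIME = timedelta(hours=12)
SESSION_NAME_HINTS = ("session", "sess", "auth", "token", "sid")


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute keys are lower-cased; flag attributes (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_set_cookie(header, now=None, max_lifetime=MAX_SESSION_LIFETIME):
    """Return a list of findings for one Set-Cookie header (empty list = no issues)."""
    now = now or datetime.now(timezone.utc)
    name, _value, attrs = parse_set_cookie(header)
    findings = []
    is_session = any(hint in name.lower() for hint in SESSION_NAME_HINTS)

    if "secure" not in attrs:
        findings.append("missing Secure flag")
    if is_session and "httponly" not in attrs:
        findings.append("missing HttpOnly flag on a session cookie")
    samesite = str(attrs.get("samesite", "")).lower()
    if not samesite:
        findings.append("missing SameSite attribute")
    elif samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None requires Secure")
    if "domain" in attrs:
        # A Domain attribute makes the cookie available to every subdomain.
        findings.append(f"Domain={attrs['domain']} exposes the cookie to all subdomains")

    # Lifetime: Max-Age takes precedence over Expires; neither means a
    # browser-session cookie, which needs no lifetime check.
    lifetime = None
    if "max-age" in attrs:
        try:
            lifetime = timedelta(seconds=int(attrs["max-age"]))
        except (TypeError, ValueError):
            findings.append("unparseable Max-Age")
    elif "expires" in attrs:
        try:
            expires = parsedate_to_datetime(str(attrs["expires"]))
            if expires.tzinfo is None:
                expires = expires.replace(tzinfo=timezone.utc)
            lifetime = expires - now
        except (TypeError, ValueError):
            findings.append("unparseable Expires")
    if is_session and lifetime is not None and lifetime > max_lifetime:
        findings.append(f"session cookie lifetime {lifetime} exceeds {max_lifetime}")
    return findings
```

Passing now explicitly keeps the Expires check deterministic, which is what you want when the audit runs in a test suite or over captured responses rather than live traffic.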
7. Attack Signatures
Attributes:
Signature Type: Type of attack being detected (SQL Injection, XSS, CSRF, etc.).
Severity: The criticality or risk associated with the attack signature.
Matched Pattern: The specific pattern or behavior that triggered the attack signature.
Role in Security:
Attack signatures are patterns in traffic that correspond to known attack vectors.
The policy builder uses predefined and custom attack signatures to block malicious attempts, such as injection attacks, DoS attacks, and more.
Signature-based detection is a crucial part of defending against automated attacks and vulnerability exploits.
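Sections 3 (Parameters) and 7 (Attack Signatures) describe the same inspection point from two sides: per-parameter expectations (type, length) and pattern matching against a signature set. The added example below (not code from the page or from F5) runs both over the parameters of a request, after URL-decoding them, and turns the findings with their severities into an allow/block decision. The signature ids, patterns and parameter rules are constructed for illustration; a production signature set is far larger and far more carefully tuned against false positives.

```python
import re
from urllib.parse import parse_qsl

# Constructed, deliberately tiny signature set (assumed ids and patterns).
SIGNATURES = [
    {"id": "SIG-SQLI-001", "type": "SQL Injection", "severity": "high",
     "pattern": re.compile(r"(?i)\bunion\s+select\b|\bor\s+\d+\s*=\s*\d+")},
    {"id": "SIG-XSS-001", "type": "XSS", "severity": "high",
     "pattern": re.compile(r"(?i)<\s*script\b|javascript\s*:")},
    {"id": "SIG-TRAV-001", "type": "Path Traversal", "severity": "medium",
     "pattern": re.compile(r"\.\.[/\\]")},
]

# Per-parameter expectations learned or configured for the application (assumed);
# "*" applies to any parameter without its own entry.
PARAM_RULES = {
    "id": {"type": "integer", "max_len": 10},
    "q": {"type": "text", "max_len": 100},
    "*": {"type": "text", "max_len": 256},
}


def inspect_parameters(query_string, body="", rules=PARAM_RULES, signatures=SIGNATURES):
    """Check every query-string and body parameter; return a list of findings."""
    params = [("query", k, v) for k, v in parse_qsl(query_string, keep_blank_values=True)]
    params += [("body", k, v) for k, v in parse_qsl(body, keep_blank_values=True)]
    findings = []
    for location, name, value in params:
        rule = rules.get(name, rules["*"])
        # Length/size check: oversized values are suspicious even without a signature hit.
        if len(value) > rule["max_len"]:
            findings.append({"param": name, "location": location, "check": "length",
                             "severity": "low",
                             "detail": f"{len(value)} chars > {rule['max_len']}"})
        # Type check: a parameter expected to be an integer must be exactly that.
        if rule["type"] == "integer" and not re.fullmatch(r"-?\d+", value):
            findings.append({"param": name, "location": location, "check": "type",
                             "severity": "medium", "detail": "expected integer"})
        # Signature check: parse_qsl has already URL-decoded the value, so the
        # patterns run over what the application would actually receive.
        for sig in signatures:
            match = sig["pattern"].search(value)
            if match:
                findings.append({"param": name, "location": location, "check": "signature",
                                 "id": sig["id"], "type": sig["type"],
                                 "severity": sig["severity"], "matched": match.group(0)})
    return findings


def decide(findings, block_at=("high", "medium")):
    """Turn findings into an enforcement decision: block on medium/high, else allow."""
    return "block" if any(f["severity"] in block_at for f in findings) else "allow"
```

Recording the matched substring with each signature hit is what makes a block explainable afterwards: the event shows the parameter, where it came from (query or body) and exactly which text triggered the rule, which is the information needed to tune a noisy signature without disabling it.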
Summary of Security Entities
Security entities and their attributes are the foundation of a web application’s security policy. These entities, monitored by the BIG-IP ASM/AWAF system, provide detailed insights into incoming requests, enabling the system to:
Detect malicious activity.
Create detailed, customized security policies.
Block or allow traffic based on predefined security rules.
By identifying patterns in each entity type, the system can efficiently protect against a wide range of attacks and improve overall security posture.