Nokron
WAF F5
NokronGitLabELK stackWAF F5
WAF F5
NokronGitLabELK stackWAF F5
  • BIG-IP Application Security Manager
    • HTTP Protocol
      • Deep Dive to “HTTP Request” on ASM Module
      • ASM Example: Detecting a Malicious HTTP Request
    • Introduction to OWASP Top-10 Security Risks
    • Application Security Policy Templates in F5 ASM
      • Security Policy Levels
      • Explicit Entities Learning
      • Policy Modification
      • Gradual / Modular Blocking
      • Application Security Policy Lifecycle
      • Security Policy Enforcement Modes
      • Security Policy Violation Flags
      • How to Increase Learning Score / Deployment Speed
      • Comparison: Enforcement Mode, Learning Mode, and Violation Flags
    • Security Entities in Application Security Policy
      • Enforcement Readiness Summary
      • HTTP / HTTPS / WS / WSS URLs
      • Allowed Parameters in Security Policies
      • Allowed File Types in Security Policies
    • Tuning Security Policies: Analyzing and Categorizing Violations
      • Learning Suggestions in Security Policy Tuning
      • Policy Diff: Comparing and Auditing Security Policies
    • IP Address Exception Properties in ASM/AWAF
    • Cross-Site Request Forgery (CSRF) Protection in F5 ASM/AWAF
    • Sensitive Data Masking / Scrubbing (Data Guard) in F5 ASM/AWAF
    • Anti-virus Protection through an ICAP Server in F5 ASM/AWAF
    • Cookies in F5 ASM/AWAF Security
    • Session Tracking and Session Awareness in F5 ASM/AWAF
    • Evasion Technique Detection in F5 ASM/AWAF
    • Important Tips about Security Policy in F5 ASM/AWAF
    • L7 DDoS Attack Protection Configuration
    • TPS-based Attack Vectors and Stress-based Attack Vectors
    • Mitigation Techniques for DoS and Bot Protection
    • Important Tips about Events Logging
    • High-Speed Logging (HSL) Configuration
    • Web Threat Campaigns (v14.0+)
    • IP Intelligence (IPI) Subscription-Based License
    • Geo-IP Database Functionality
    • General Security Standards and WAF Support
    • ASM - Virtual Edition (VE) Tips
    • How to Bypass ASM Module
    • ASM Traffic Processing Daemon (bd)
    • ASM and AAM Integration
  • BIG-IP LTM Technology
    • Source IP Address and PORT Translation in BIG-IP
    • Packet Filters
    • Traffic / Service Profiles in BIG-IP
    • Virtual Servers and Their Behavior with Different Profiles in BIG-IP
      • Detailed Overview of Profiles in BIG-IP LTM
      • Optimizing for Mobile Clients in BIG-IP LTM
      • Connection Mirroring in BIG-IP LTM
      • AVR (Analytics) Profile in BIG-IP LTM
      • Health Monitoring in BIG-IP LTM
      • SSL Profile in BIG-IP LTM
      • Load-balancing Methods in BIG-IP LTM
      • Persistence Profile in BIG-IP
      • CMP vs. SMP in BIG-IP Systems
      • OneConnect Profile in BIG-IP
Powered by GitBook
On this page
  1. BIG-IP Application Security Manager

Sensitive Data Masking / Scrubbing (Data Guard) in F5 ASM/AWAF

Sensitive Data Masking (Data Guard) is a security feature that protects sensitive information from being exposed in web application responses. It focuses on masking or blocking specific patterns (e.g., credit card numbers, Social Security numbers, custom patterns) in responses sent to the client, preventing sensitive data leakage.

Key Features of Data Guard (Sensitive Data Masking):

  1. Protects Sensitive Data in Responses

    • Purpose: Data Guard identifies sensitive information in responses, such as:

      • Credit Card Numbers

      • Social Security Numbers (SSNs)

      • Custom-defined Patterns using PCRE (Perl-Compatible Regular Expression)

    • Example: A regular expression like 9999-[1-5][1-5]-000-[0-9][0-9][5-9][5-9] can be used to match a pattern like a U.S. SSN or a credit card number.

  2. Masking vs. Blocking Sensitive Data:

    • Masking: If you don't want to block responses but simply want to mask sensitive data with asterisks (****), enable the "Mask Data" checkbox. This option will replace the sensitive data in the response without blocking the entire response.

    • Blocking: If a pattern match for sensitive data is found, and the Violation Flag is set to "BLOCK", the system will not send the response containing the sensitive data to the client.

  3. Violation Detection:

    • When sensitive data is detected in a response, F5 ASM/AWAF generates a "Data Guard: Information Leakage Detected" violation. This helps administrators quickly identify where data leakage might be happening.

  4. Sensitive Parameters and Masking in Logs:

    • The Sensitive Parameters option ensures that the values of parameters are masked in logs, but this only applies to parameters in requests and not to responses.

    • Data Guard, on the other hand, masks sensitive data in responses or can block entire responses that contain the sensitive data.

Configuring Sensitive Data Masking / Scrubbing:

  1. Regular Expression Patterns:

    • To mask or block sensitive data, you need to define patterns using PCRE (Perl-Compatible Regular Expressions). You can specify a custom regex for things like:

      • Credit Card Numbers

      • Social Security Numbers

      • Other custom patterns as needed.

  2. Masking Data in Responses:

    • If you want to mask the sensitive data but not block the response, enable the "Mask Data" checkbox in the configuration. This will replace detected sensitive information with asterisks (****).

    • If the "Policy Enforcement Mode" is set to BLOCKING, and the Violation Flag is set to BLOCK, the system will not send the violated response (containing sensitive patterns) to the client.

  3. Sensitive Parameters Masking:

    • Sensitive Parameters can be used to mask values in logs, but this is not the same as Data Guard.

    • Data Guard focuses on response data, ensuring sensitive information does not leak to the client or users.

    • The following types of data are masked in the listed conditions:

      • Positional Parameters: Mask URL segments (available in BIG-IP ASM v14.0+).

      • Sensitive Parameters: Masked when using standard content types.

      • HTTP Headers: Masked (BIG-IP ASM v14.0+).

      • Cookie Values: Masked (BIG-IP ASM v14.0+).

      • JSON/ XML Profiles: Masked accordingly.

Conditions Where Data Masking Does Not Apply:

Data Guard will not mask sensitive data in certain conditions. These include:

  • Response Log Header and Body: Sensitive data will not be masked in response log headers and response bodies.

  • Antivirus over ICAP: This applies to antivirus integrations (e.g., AV-Integration).

  • Database Security: Data values may not be masked in database security scenarios (e.g., DBF-Integration).

  • Policy Builder: When reviewing sampled requests in local databases used for correlation, sensitive data may not be masked.

Summary of Sensitive Data Masking Options:

Option

Description

Mask Data

Replace sensitive data in responses with asterisks (****).

Block Response

Block the entire response containing sensitive data (if violation flag is set to BLOCK).

Violation Generation

Generates a violation (e.g., "Data Guard: Information Leakage Detected") when sensitive data is detected.

Sensitive Parameters

Masks values of sensitive parameters in logs but does not affect responses.

Regular Expressions (PCRE)

Use custom regular expressions to define the sensitive patterns (e.g., credit card numbers, SSNs).

By implementing Sensitive Data Masking in F5 ASM/AWAF, organizations can significantly reduce the risk of exposing sensitive information to unauthorized users, ensuring that data privacy and security are maintained at all levels of interaction with web applications.

PreviousCross-Site Request Forgery (CSRF) Protection in F5 ASM/AWAFNextAnti-virus Protection through an ICAP Server in F5 ASM/AWAF

Last updated 3 months ago