Nokron
WAF F5
NokronGitLabELK stackWAF F5
WAF F5
NokronGitLabELK stackWAF F5
  • BIG-IP Application Security Manager
    • HTTP Protocol
      • Deep Dive to “HTTP Request” on ASM Module
      • ASM Example: Detecting a Malicious HTTP Request
    • Introduction to OWASP Top-10 Security Risks
    • Application Security Policy Templates in F5 ASM
      • Security Policy Levels
      • Explicit Entities Learning
      • Policy Modification
      • Gradual / Modular Blocking
      • Application Security Policy Lifecycle
      • Security Policy Enforcement Modes
      • Security Policy Violation Flags
      • How to Increase Learning Score / Deployment Speed
      • Comparison: Enforcement Mode, Learning Mode, and Violation Flags
    • Security Entities in Application Security Policy
      • Enforcement Readiness Summary
      • HTTP / HTTPS / WS / WSS URLs
      • Allowed Parameters in Security Policies
      • Allowed File Types in Security Policies
    • Tuning Security Policies: Analyzing and Categorizing Violations
      • Learning Suggestions in Security Policy Tuning
      • Policy Diff: Comparing and Auditing Security Policies
    • IP Address Exception Properties in ASM/AWAF
    • Cross-Site Request Forgery (CSRF) Protection in F5 ASM/AWAF
    • Sensitive Data Masking / Scrubbing (Data Guard) in F5 ASM/AWAF
    • Anti-virus Protection through an ICAP Server in F5 ASM/AWAF
    • Cookies in F5 ASM/AWAF Security
    • Session Tracking and Session Awareness in F5 ASM/AWAF
    • Evasion Technique Detection in F5 ASM/AWAF
    • Important Tips about Security Policy in F5 ASM/AWAF
    • L7 DDoS Attack Protection Configuration
    • TPS-based Attack Vectors and Stress-based Attack Vectors
    • Mitigation Techniques for DoS and Bot Protection
    • Important Tips about Events Logging
    • High-Speed Logging (HSL) Configuration
    • Web Threat Campaigns (v14.0+)
    • IP Intelligence (IPI) Subscription-Based License
    • Geo-IP Database Functionality
    • General Security Standards and WAF Support
    • ASM - Virtual Edition (VE) Tips
    • How to Bypass ASM Module
    • ASM Traffic Processing Daemon (bd)
    • ASM and AAM Integration
  • BIG-IP LTM Technology
    • Source IP Address and PORT Translation in BIG-IP
    • Packet Filters
    • Traffic / Service Profiles in BIG-IP
    • Virtual Servers and Their Behavior with Different Profiles in BIG-IP
      • Detailed Overview of Profiles in BIG-IP LTM
      • Optimizing for Mobile Clients in BIG-IP LTM
      • Connection Mirroring in BIG-IP LTM
      • AVR (Analytics) Profile in BIG-IP LTM
      • Health Monitoring in BIG-IP LTM
      • SSL Profile in BIG-IP LTM
      • Load-balancing Methods in BIG-IP LTM
      • Persistence Profile in BIG-IP
      • CMP vs. SMP in BIG-IP Systems
      • OneConnect Profile in BIG-IP
Powered by GitBook
On this page
  1. BIG-IP Application Security Manager

Session Tracking and Session Awareness in F5 ASM/AWAF

F5 ASM/AWAF offers session tracking as part of its security suite, allowing the system to monitor and manage user sessions more effectively. Instead of relying solely on IP addresses (which can be unreliable due to the dynamic nature of IP assignments), session tracking identifies users based on their authenticated session. This is crucial in preventing attacks like session hijacking, brute-force logins, and maintaining the integrity of the user's interaction with the application.

Key Features of Session Tracking:

  1. Session Tracking Based on Authenticated Sessions:

    • Rather than using IP addresses, which can change or be masked, ASM/AWAF tracks users based on their authenticated session. This provides more reliable tracking of user activity and allows better management of potential threats, especially in environments where IP addresses can be dynamic or spoofed.

  2. Suspicious Session Detection and Management:

    • Suspicious sessions can be flagged and blocked temporarily or permanently based on defined thresholds for user behavior, such as exceeding a specific number of failed login attempts, high frequency of requests, or other anomaly patterns.

    • Actions upon violation can include:

      • Blocking the session entirely.

      • Logging requests from the suspicious session or IP address for further analysis.

    • Flexibility in how these violations are handled enables security teams to adjust enforcement actions based on the severity of the situation.

Enabling and Configuring Session Tracking:

To monitor and track user sessions, Session Awareness must be enabled in the security policy. This is done by navigating to:

  • Application Security > Sessions and Logins > Session Tracking

Once session tracking is enabled, several configurations can be made to manage how suspicious sessions are handled:

  1. Violation Detection Actions:

    • Block All: If thresholds are exceeded (such as too many failed login attempts or too many requests), all traffic from the violated session or user can be blocked.

    • Log All Requests: If you prefer not to block the traffic but need to monitor suspicious sessions, you can enable logging for all requests associated with that session or IP. This requires configuring a Logging Profile for the involved Virtual Server (VS).

    • Delay Blocking: This option allows you to introduce a delay before blocking the suspicious session. This can help in preventing false positives by giving more time to assess the situation.

Session Hijacking Protection:

Session hijacking occurs when an attacker steals an authenticated session (usually via a cookie) to impersonate a legitimate user. F5 ASM/AWAF mitigates this risk by using session fingerprinting.

  1. Session Fingerprinting:

    • How it works: ASM/AWAF collects information about the client’s environment (such as device type, browser settings, and IP address) using JavaScript. When a legitimate user accesses the application, a unique Device ID is assigned based on these environmental factors.

    • Session Continuity: On subsequent requests, the system checks the Device ID associated with the session. If the device (or the environment) changes unexpectedly (e.g., a new browser, device, or IP address), the session is flagged as potentially hijacked.

  2. Response Handling:

    • If an unexpected request (such as one from a different device or browser) is detected, the system may respond with JavaScript that includes a new Device ID, thereby breaking the potential hijacked session and forcing re-authentication or additional verification.

  3. Mitigation of Session Hijacking:

    • Cookie-based session tracking is crucial in protecting against hijacking, and by using fingerprinting techniques, F5 ASM/AWAF ensures that only the rightful user can continue their session, even if the session cookie is intercepted.

Best Practices for Session Management and Hijacking Protection:

  1. Enable Session Awareness: Ensure that session tracking is enabled and configured properly to detect any unusual or suspicious behavior within user sessions.

  2. Implement Violation Detection Actions: Define appropriate actions like blocking, logging, or delaying blocking based on the severity of session anomalies. Fine-tune the thresholds to minimize false positives while ensuring security.

  3. Monitor Session Patterns: Watch for patterns such as repeated failed login attempts or unusual access times that might indicate a session hijacking attempt.

  4. Session Fingerprinting: Use device fingerprinting to track legitimate users and detect anomalies that could signify session hijacking or bot attacks.

  5. Protect Cookies: Ensure cookies used for session management are set with HttpOnly, Secure, and SameSite flags to prevent them from being accessed or sent in unsafe scenarios.

  6. Re-authentication on Major Changes: Whenever there is a drastic change in session characteristics (e.g., IP address or device change), require re-authentication or additional verification steps to mitigate hijacking risks.

PreviousCookies in F5 ASM/AWAF SecurityNextEvasion Technique Detection in F5 ASM/AWAF

Last updated 3 months ago