Nokron
WAF F5
NokronGitLabELK stackWAF F5
WAF F5
NokronGitLabELK stackWAF F5
  • BIG-IP Application Security Manager
    • HTTP Protocol
      • Deep Dive to “HTTP Request” on ASM Module
      • ASM Example: Detecting a Malicious HTTP Request
    • Introduction to OWASP Top-10 Security Risks
    • Application Security Policy Templates in F5 ASM
      • Security Policy Levels
      • Explicit Entities Learning
      • Policy Modification
      • Gradual / Modular Blocking
      • Application Security Policy Lifecycle
      • Security Policy Enforcement Modes
      • Security Policy Violation Flags
      • How to Increase Learning Score / Deployment Speed
      • Comparison: Enforcement Mode, Learning Mode, and Violation Flags
    • Security Entities in Application Security Policy
      • Enforcement Readiness Summary
      • HTTP / HTTPS / WS / WSS URLs
      • Allowed Parameters in Security Policies
      • Allowed File Types in Security Policies
    • Tuning Security Policies: Analyzing and Categorizing Violations
      • Learning Suggestions in Security Policy Tuning
      • Policy Diff: Comparing and Auditing Security Policies
    • IP Address Exception Properties in ASM/AWAF
    • Cross-Site Request Forgery (CSRF) Protection in F5 ASM/AWAF
    • Sensitive Data Masking / Scrubbing (Data Guard) in F5 ASM/AWAF
    • Anti-virus Protection through an ICAP Server in F5 ASM/AWAF
    • Cookies in F5 ASM/AWAF Security
    • Session Tracking and Session Awareness in F5 ASM/AWAF
    • Evasion Technique Detection in F5 ASM/AWAF
    • Important Tips about Security Policy in F5 ASM/AWAF
    • L7 DDoS Attack Protection Configuration
    • TPS-based Attack Vectors and Stress-based Attack Vectors
    • Mitigation Techniques for DoS and Bot Protection
    • Important Tips about Events Logging
    • High-Speed Logging (HSL) Configuration
    • Web Threat Campaigns (v14.0+)
    • IP Intelligence (IPI) Subscription-Based License
    • Geo-IP Database Functionality
    • General Security Standards and WAF Support
    • ASM - Virtual Edition (VE) Tips
    • How to Bypass ASM Module
    • ASM Traffic Processing Daemon (bd)
    • ASM and AAM Integration
  • BIG-IP LTM Technology
    • Source IP Address and PORT Translation in BIG-IP
    • Packet Filters
    • Traffic / Service Profiles in BIG-IP
    • Virtual Servers and Their Behavior with Different Profiles in BIG-IP
      • Detailed Overview of Profiles in BIG-IP LTM
      • Optimizing for Mobile Clients in BIG-IP LTM
      • Connection Mirroring in BIG-IP LTM
      • AVR (Analytics) Profile in BIG-IP LTM
      • Health Monitoring in BIG-IP LTM
      • SSL Profile in BIG-IP LTM
      • Load-balancing Methods in BIG-IP LTM
      • Persistence Profile in BIG-IP
      • CMP vs. SMP in BIG-IP Systems
      • OneConnect Profile in BIG-IP
Powered by GitBook
On this page
  1. BIG-IP Application Security Manager

Tuning Security Policies: Analyzing and Categorizing Violations

When tuning security policies in an application firewall like BIG-IP ASM/AWAF, understanding and categorizing violations is crucial for creating a secure and effective security posture. These violations are indicative of different types of threats or misconfigurations in the application, and they help in refining the policy by indicating what should be allowed, denied, or further tuned.

Below is an analysis and categorization of various types of violations that can occur during the traffic inspection process:

1. RFC Violation

  • Definition: Violations in this category occur when the HTTP request format does not conform to the HTTP RFC (Request for Comments) standard.

  • Example: Missing or malformed headers, improper request syntax.

  • Action: Investigate whether the client application is sending requests that deviate from the standard or if this is an attempt to exploit non-standard behaviors.

2. Attack Signature Violation

  • Definition: This occurs when an attack pattern (often defined by regular expressions) is detected in the request. It typically involves malicious behavior like SQL injection, cross-site scripting (XSS), or other web-based attacks.

  • Example: An SQL injection attempt in a URL or POST request.

  • Action: Review and enforce stricter detection signatures, possibly applying more precise or updated attack signatures.

3. Evasion Violation

  • Definition: These violations occur when an attacker attempts to bypass the detection of attack signatures. Techniques like URL encoding, fragmented payloads, or other obfuscation methods may be used.

  • Example: A malicious script encoded in multiple forms to evade detection.

  • Action: Consider adjusting the level of inspection for evasive patterns, increasing depth or activating additional defenses like Multi-Phase Filtering.

4. File-Type Violation

  • Definition: Occurs when an unsupported or disallowed file type is attempted for upload or download.

  • Example: A user tries to upload a .php file when only .jpg and .pdf are allowed.

  • Action: Verify file type restrictions are properly enforced and that users are uploading files within acceptable formats.

5. URL Violation

  • Definition: This violation happens when requests are made to URLs that are not defined as allowed in the policy.

  • Example: A request is made to /admin when /admin is not allowed according to the policy.

  • Action: Review and tune the URL rules. Make sure only known and necessary URLs are allowed while others are blocked.

6. Parameter Violation

  • Definition: This violation occurs when parameters in the HTTP request are invalid or not part of the defined policy.

  • Example: A query string or POST body contains unexpected parameters.

  • Action: Define and enforce valid parameters for each URL or request. Restrict the use of unauthorized or unknown parameters.

7. Length Violation

  • Definition: Occurs when the length of the HTTP request (header, body, or total request size) exceeds or falls below the limits defined in the policy.

  • Example: A request with an overly long URL or request body size exceeding configured thresholds.

  • Action: Configure maximum and minimum length settings and monitor traffic that exceeds these limits.

8. Header Violation

  • Definition: Happens when there is a mismatch or misconfiguration in the HTTP request headers.

  • Example: A request missing required headers like User-Agent or with mismatched Content-Type.

  • Action: Ensure that headers are properly enforced and configured based on expected values for security purposes.

9. Cookie Violation

  • Definition: This violation occurs when there are differences in the pre-defined cookie names or values as specified in the security policy.

  • Example: A request attempts to access or modify a session cookie without proper validation.

  • Action: Ensure that cookies are set and validated consistently across the application, and apply additional protections like HTTPOnly or Secure flags.

10. Session Violation

  • Definition: Happens when there are access attempts from the same session within a time frame that violates the session policy (e.g., simultaneous requests from different IP addresses).

  • Example: A user logs in on one device and another request comes from a different IP address or location, which is flagged as a session violation.

  • Action: Enforce stricter session management policies to track and validate session continuity.

11. Login Violation

  • Definition: This violation occurs when there are too many failed login attempts in a short time span, suggesting a brute-force attack.

  • Example: A user attempts multiple logins with incorrect credentials within minutes.

  • Action: Enforce rate-limiting or CAPTCHA during login attempts and block accounts after a defined number of failed login attempts.

12. CSRF Violation (Cross-Site Request Forgery)

  • Definition: Detects attempts to trick an authenticated user into making unintended actions on a web application where the user is already authenticated.

  • Example: A malicious website sending a forged request to a web application with the user’s credentials.

  • Action: Ensure anti-CSRF tokens are in place and validated for all state-changing requests.

13. IP Address/Geo-location Violation

  • Definition: This occurs when a request comes from an untrusted IP address or a geo-location that is not allowed based on the security policy.

  • Example: A request from an IP address flagged for previous malicious activity or a country that is geo-blocked.

  • Action: Use geo-blocking or IP reputation-based blocking to limit access from risky regions or known bad IPs.

14. Redirection Protection Violation

  • Definition: Detects when an attacker tries to use a redirect to move users to a malicious or untrusted location.

  • Example: A redirect from a valid URL to a phishing site.

  • Action: Enforce strict rules to allow only predefined redirection URLs and block any unknown or risky redirections.

15. Bot Detection Violation

  • Definition: Identifies automated bot activity that lacks common human characteristics, such as the ability to render JavaScript, generate proper session cookies, or perform mouse movements.

  • Example: A bot attempting to scrape data or submit forms automatically without proper CAPTCHA validation.

  • Action: Use bot detection algorithms and employ CAPTCHA or JavaScript-based challenges to differentiate between bots and legitimate users.

16. Data Guard Violation

  • Definition: This occurs when sensitive or classified data (such as passwords, social security numbers, or credit card information) is attempted to be transferred in ways that violate the security policy (e.g., through an insecure channel or unencrypted).

  • Example: A credit card number transmitted over HTTP instead of HTTPS.

  • Action: Use data encryption and secure channels (such as HTTPS) and enforce rules around data classification.

Tuning Violations for Improved Security

  • Understand the Severity: Categorize violations by severity (e.g., false positives, high-risk, low-risk) to prioritize tuning efforts.

  • Review Logs and Reports: Continuously analyze violation logs to detect trends, anomalies, and areas where the policy might be overly strict or too lenient.

  • Refine Attack Signatures: Periodically update attack signatures and evasion techniques to stay ahead of new threats.

  • Enforce the Principle of Least Privilege: Only allow necessary access to resources based on validated, trusted entities and methods.

By categorizing and analyzing these violations, you can continuously improve and fine-tune your security policies, ensuring that the application remains protected against both known and emerging threats.

PreviousAllowed File Types in Security PoliciesNextLearning Suggestions in Security Policy Tuning

Last updated 3 months ago