Lior rotkovitch ASM WAF unified learning – building policy with asm v12

BIG IP ASM V12
BUILDING ASM POLICY WITH
NEW UNIFIED LEARNING
Lior Rotkovitch, NPI ASM
lior@f5.com
Global Services Tech Summit
Dec 2015, Seattle

© F5 Networks, Inc 2
About this session
• This session will describe :
• The ASM learning concepts and considerations for v12 - learning revisit
• Steps needed for build security policy for web application
• How to build a policy with trusted / untrusted traffic
• New unified learning pages and working flows
• Deal with violations – automatic / manual
• Policy builder decisions making
• Finally: What is a good policy ? When is the policy ready ? What to do next ?
• This session is not
• Complete guide for building policy
• Aimed to make you an expert

• Vlan’s, Self IP’s , License – ASM is provisioned
• Virtual server :
• HTTP Profile
• Web server :Hackazon – new , php auction
BIG IP – config check list
• Modern app
• AJAX
• Plugins – twitter, FB
• some bugs – 503 for users
• Hacking list – appendix 1
• Old app – F5 IP
• Lots of vulnerabilities
• Well define labs for parameter
tampering , SQLi
• Login works and can be demo

Have your own apps ?
Site Per Day
• Build a policy (various options)
• Move to blocking
• Surf the site and verify:
• No false positive
• Attacks are being blocked
• Add more features

Pre requisite for policy building
Log all request – ASM display all
requests in the request log
To start the deployment wizard click the
plus sign under security polices

Deployment wizard

Deployment wizard
1. Automatic
2. Manual + Templates
3. XML – WSDL
4. VA – scanners

Deployment wizard – encoding
Challenge : build a policy for app that has other encoding

Deployment wizard – encoding
Tip: verify before selecting, it can’t be change later on.
Policy builder can detect the encoding, but setting
encoding manual will do the job faster

Deployment wizard
Should I add more or keep minimum signatures only ?

RDP
Enlarge it ?

Deployment wizard
Un Trusted
Adding trusted IP below is what makes it
trusted environment learning vs un trusted

Traffic types – Trusted (QA) / Un Trusted (production)
Lior
Trusted Traffic – “clean” traffic, not attacks are expected
add to policy on first occurrence
Untrusted Traffic – unknown traffic :
add to policy only if thresholds reached
App Admin
Policy
users
We start with un trusted
for this session

Deployment wizard
Policy base config - done
We now need traffic !
i.e. show me the traffic !!

• Parse traffic – HTTP , AJAX, XSL
• Add the element to the policy
• Check if the requests comply to policy
• If yes – pass
• If no – block / report
• BD is not Policy builder !
• Policy builder collect the thresholds
• Informs BD to update policy – add / remove
Before traffic – let’s see how ASM understand the traffic…
Enter: ASM Parser

ASM Parser – Security Policy example
When in learning: if a request arrive and it
doesn’t exists it will be create (also for updates)
When in blocking : If requests arrive and doesn’t
comply to the policy it will be blocked

Let’s run traffic – Un Trusted
• To simulate ‘real traffic’ surf the site:
• Cover the entire site ( wget, curl, must
have valid UA , ideas ? )
• Including – logins , buying ,etc
• At lease few users – sessions or
• Few IP’s source (xff , any other ideas ?)
• Traffic include attack payloads
• Traffic include false positives payloads
Q: Why false positive is so important ?

Policy builder notifications – the old style
Do not exit – hotel California

Enter ! Unified learning - aka - Traffic Learning page
Let's review the new traffic learning screen as it relates to the unified learning and policy building process.

Traffic Learning page

Traffic Learning page – Sections
The left pane is populated with a list of
suggestions according to their violation.
Clicking on a suggestion will display the
requests that triggered the suggestion, and
additional information and options for
handling the suggestion.
Each suggestion has a score based on 0-
100 percent scale. When a suggestion
reaches 100 percent, it is accepted.

Traffic Learning example – attack signature
False positive or an Attack ?

Traffic Learning example – attack signature
“deal with attack signature”
Attack signature – master xp – but no MS in the backend – can be disable
(or keep it for alerting ?)
If there is MS in the backend and signature is triggered – FP disable it ?

Traffic Learning example – illegal file type
What is illegal here ? Nothing. It is not in the policy..

Traffic Learning example – illegal file type – Accepted
What about file types attributes ?

Traffic Learning example – illegal file type • What is woff file type ?
• Should I accept it ?
• Delete it ?
• Let PB handle it ?

Traffic Learning example – host name
Note: add valid host name (no illegal and illegal are on the learning page)

Traffic Learning example – host name

Now let’s examine this page in more details

Traffic Learning - learning suggestions sorting
Violation rating will sort the list
by the severity of the violation
rating that each request has
been assigned.
First or last occurrence will sort
by a sample request that
triggered the suggestion
Matched entity will sort by the
entity name that is suggested.
The default sorting method is by
Learning Score which indicates
the percentage of 100 on the
right for each suggestion.

Traffic Learning - basic filters
The Reason option allows filtering
suggestions that have:
1. Violations on them
2. “policy refining” which will show
policy elements that do not have
violations, but still include
suggestions, such as the
classification of a parameter or URL.

Traffic Learning -
Advanced Filter Matched wild card
name which allows
you to choose which
of the wildcards
should be shown.
Matched attack
signature to filter
according to the
attack signature
name.
Matched meta
character allows
searching for a
specific meta
character in one of
the suggestions.

Traffic Learning - Status filter Pending suggestions have not yet been accepted or ignored. They
are waiting for action.
The Accepted/Accepted and Staged state indicates that certain
entities involved in the suggestion may or may not be in staging.
For example, an attack signature might be triggered on a
parameter. It is possible to accept the suggestion for the attack
signature and also enable staging on the parameter itself. This is
the default option.
If you Ignore a suggestion, it will not appear on the traffic learning
screen again-even if the violation which triggered it happens again.
Accepted: Accepted suggestions result in addition of entities to
the policy. Entities that are added/edited are not placed in staging.
Accepted and Staged: These suggestions have also been accepted
and new entities are placed in staging.

Additional info actions: Accept – Delete – Ignore

Textarea is what ?
Parameter is ?
Why disable it ?

Traffic Learning - additional information

Traffic Learning - samples info

Traffic Learning - samples info
Violation rating

Traffic Learning - additional information
Clicking on the link with IP
address information
displays the source of the
IP or session, and
indicates if it is a trusted or
untrusted IP address.
Clicking on the violation in
the general data request
tab will highlight the
reason for the violation.
In this case we see an
attack signature with the
script tag inside a
parameter.
Clicking on the right side of
the page will show related
suggestions that are
available.

Icons meaning
Legal – request with no
violation/s
Illegal – request that
includes violation/s (pass)
Blocking – request that
contains violation which is
define in blocking mode
(blocked)

Traffic Learning - request details and violation marking

Traffic Learning - much more information

Questions about the new unified learning page ?

ASM Blocking settings
Unified blocking !

learning and blocking
settings page
General settings
Policy Building Process
Policy Building Settings

General Settings

learning and blocking
settings page
General settings

Policy Building Settings – One place for the entire system

Blocking settings

Blocking settings - example

Blocking settings - example Never (wildcard only): Never learn
any new file types and never
suggest the addition of a specific
file type to the policy.
Selective: Learn only files types
that had a violation in the request
based on different attributes from
what is specified in the attributes
for the file type wildcard.
Add all entities: Learning all file
types is required and ASM will
suggest the addition of explicit file
types to the policy.

Blocking Settings – attack signature example
Since the blocking settings are
now in one place, the learn flags
and the option to enable or
disable to attack signatures is
now under Attack Signatures in
the policy building settings.

Blocking Settings –
choose attack signature
Clicking on change will open a
window that allows you to add
signature sets to the policy.

Policy builder settings
General settings

Loosen Policy

The 3 rules:
1. Loosening
2. Tightening
3. Track site changes
At the basic concept it:
• Search ‘similar’ requests
• From different IP’s / session
• Over period of time
Policy builder learning thresholds

i.e. response code configuration is
indifferent to the “illegal HTTP status
in response” page violation
Learning from response

• Loosen Policy
• The Loosen Policy option defines the number of different IP addresses and
sessions from which requests must be seen before and element can be added
to the policy. This is the first rule that Automatic Policy Builder will apply before
adding entities (and attributes) to the policy.
• For example, if requests for a file type meet the thresholds for Untrusted and
Traffic, ASM might add the file type and its specific attributes to the
policy. Each time an entity is added, the security policy is loosened in order to
accommodate the entity.

• Tighten Policy (stabilize)
• This is the second rule that Automatic Policy Builder will use to remove
wildcard entities and enforcing violations which were not triggered. For
example, if 1,000 attack signatures were not triggered during the policy
building process, they are now candidates for enforcement because any future
violations are likely to be actual threats. By enforcing these attack signatures,
the security policy is tightened because the next violation can result in a
blocked request. Attack signatures are not the only elements which can be
tightened—file types, parameters, and other entities can also be tightened
through enforcement.

• Track Site Changes
• The track site changes option can adjust the security policy as changes in traffic
are seen due to changes in the application. For example, if numerous attack
signatures are triggered due to false positives, ASM can automatically move them
in and out of staging.

Policy builder learning process concept

How policy builder build the policy ?

• Target_IPs = 10
• Min_Time_Period = 30 min.
• Max_Time_Period = 72 hours
• Time_slot = 30 / 10 = 3 min.
9:00 9:03 9:06 9:09 9:12 9:15 9:18 9:21 9:24 9:27 9:30
1.1.1.1
3.3.3.3
7.7.7.7
2.2.2.2
8.8.8.8
1.1.1.1
7.7.7.7
3.3.3.3
1.1.1.1 2.2.2.2 7.7.7.7
2.2.2.2
1.1.1.1
1.1.1.1
7.7.7.7
8.8.8.8
8.8.8.8
5.5.5.5
8.8.8.8
7.7.7.7
7.7.7.7
4.4.4.4
4.4.4.4
6.6.6.6
7.7.7.7
8.8.8.8
5.5.5.5
6.6.6.6
3.3.3.3
4.4.4.4
3.3.3.3
4.4.4.4
9.9.9.9
9.9.9.9
Suggestion
created
Suggestion
accepted!0 25 50 75 100
Score
10.1.1.1 11.9.9.9
10.1.1.1
9.9.9.9
11.9.9.9
9.9.9.9
9:33 9:36

Example - Selective learning for parameters

Example – parameters level for policy types

Fundamental policy - Wild card parameter
No parameters are define – attack signature is matched to wild card
Less secure – we want to have most of the parameters in the policy and match signature on them

Fundamental policy - Wild card parameter + Selective
Can you explain ?
Q: Why do we see global parameter for just 2 parameters ?

Example – full list of global parameter

URL parameter

Parameter classification – example

Parameters are
classified and can be
the following types
Parameter classification – types
Ignore value: Specifies that the system does not check the parameter’s values.
Static content value: Specifies that the parameter has a static, or pre-defined, value.

http://domain.com/user_menu.php?nick=bill_bill
Dynamic content value: Specifies that the parameter’s content changes dynamically.

User-input value: Specifies that the
parameter’s data is provided by user-input. If
you select this option, you must also select
the data type in the Change Data Type To
setting.
PB does it for you !

Enforce readiness

Enforcement Readiness Suggestions
The Enforcement Readiness
Summary screen shows how
many entities of each type
are not enforced or have
suggestions for enforcement.
At any point, users can manually implement suggestions. A user can manually add an entity to a policy, use the Enforce
button to remove a wildcard from the policy, or wait for the Enforcement Readiness Period to elapse and click on Enforce
Ready.

Enforcement Readiness Suggestions
When you select
Enforce Ready, it
enforces those entities
that have not had any
suggestions for a
duration equal to or
longer then the staging
period, and switches
off staging for the
entity.

• Period of time for the system to learn - Populate the policy
• Also to prevent false positive (it is always tight security vs false positive )
• Request is passing to the app (even if it doesn’t comply to the policy or triggers
an attack signature )
• Default is 7 days
Note: any violation that is triggered (attack signature, or missing file type in the
policy) will be blocked when the system will switch to blocking
Staging – general concept

Question for you :
Policy building – what is a good policy ?

© F5 Networks, Inc 82CONFIDENTIAL
What else ? Maybe google ?
Google it: “evaluate my security policy”
The good policy criteria
Concepts:
• No false positive
• Mitigate the attack vector
• Manageable
• Sustainable
GUI criteria
• No more items in enforce readiness
• PB is showing the policy is ready !
• No more learning suggestions
• Customer don’t call to compline

Trusted IP concept – homework
&
Recommended application for policy
building

What about traffic – Trusted
• Click as much of the app as you can.
• Including – logins , buying ,etc
• Do not send attacks (<script> etc)
• Q: What will happen if you so send
attacks ?
• Homework Q: when you go to learning
suggestion with trusted traffic, can
you tell why you don’t see learning
suggestions ?

Hacking ! Fun time
• Hackazon: Known vulnerabilities (September 1, 2015)
• XSS - Not stored
• /wishlist/view/
• Add Wish List Button
• Name Field: <script>alert('hello')</script>
• OSCommand Execution (1)
• /account/documents
• append ?page=delivery.html;ls /etc or any other linux
command
/account/documents?page=delivery.html;ls /etc
account/documents?page=delivery.html;more%20/etc/pass
wd
result will be at the bottom of the page
OSCommand Execution (2)
The vulnerability also exists in account/help_articles:
/account/help_articles?page=/etc/passwd%00
Remote File Include – requires a user to be logged in.
Change the query value to a command
/account/help_articles?page=/etc/passwd%00

• Auction web site
• Login page – multiple SQL injections ( ‘ or ‘1’=‘1 )
• Create new auction - Multiple XSS (<script> variant + more advance JS script
to steal cookies )
Hacking ! Fun time

• restart / reboot,
• installing hotfix or failover
• every 24 hours - Dump stats such as IP’s, sessions, and sample support IDs to /var/asm
• When Policy Builder is loading it loads the stored data.
• Also in: qkview, asmrepro script
Configurable :
• /etc/ts/pabnagd/pabnagd.cfg
• persistence_save_interval_in_hours
Policy Builder statistics persist after reboots

Done,
questions ?
If none,
start all over
Follow me Lior Rotkovitch
Email me: Lior@f5.com

Lior rotkovitch ASM WAF unified learning – building policy with asm v12

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Lior rotkovitch ASM WAF unified learning – building policy with asm v12

Similar to Lior rotkovitch ASM WAF unified learning – building policy with asm v12 (20)

More from Lior Rotkovitch

More from Lior Rotkovitch (16)

Recently uploaded

Recently uploaded (20)

Lior rotkovitch ASM WAF unified learning – building policy with asm v12