BIG-IP Application Security
Manager (ASM)
F5 Partner Technical Boot Camp
Written for TMOS v13.0
• Lesson 1: Application Security Manager (ASM) Overview
• Lesson 2: File Type Enforcement / Using Attack Signatures
Anatomy of a Web Application
In the early days of the Internet… Today's web applications are much more sophisticated.
[Diagram: HTTP request and HTTP response flow through Web server, CGI/JavaScript, App server, Database server, Data]
2017 State of Application Security
• 30% of total reported breaches involved attacks against web applications
• 62% of total reported breaches featured hacking that exploits vulnerabilities
• 93% of web application attacks are financially motivated
• 32% of web application attacks exploited SQL injection errors
• 32% of tested websites were found to have at least one serious vulnerability
WhiteHat App Security Report 2017
SQL injection and cross-site scripting remain the most critical web application vulnerabilities (WhiteHat App Security Report 2017)
Common Application Security Measures
• Network firewalls are used at the datacenter perimeter
• SSL encryption is used to protect data in transit
• Application developers add security into the applications
• Server patching is routinely maintained
• Server hardening practices are applied
[Diagram: Web server, CGI/JavaScript, App server, Database server, Data; application developers]
Limitations with Common Application Security Measures
• Application attacks take place at layer 7
• Network firewalls only protect through layer 4
• Network firewalls are "blind" to SSL traffic
• SSL only protects confidentiality and integrity of data in transit
• SSL actually helps to ensure malicious requests make it to the web server
• Hardening, patching, and secure coding do not protect against zero-day attacks
[Diagram: OSI layers L1 through L7 alongside Web server, CGI/JavaScript, App server, Database server, Data; application developers]
Let’s review the benefit of a BIG-IP system
Application Attack Threats
• Application attacks can access sensitive user data
• Application attacks can expose confidential server files
• Application attacks can delete database data and entire databases
• Application attacks can take servers offline
• These attacks must be prevented from reaching the web application
[Diagram: a password travelling through Web server, CGI/JavaScript, App server, Database server, Data]
Using BIG-IP ASM to Protect Web Applications
• ASM verifies the HTTP request against a security policy
• ASM verifies the HTTP response against a security policy
• AFM + ASM: full layer 3 through layer 7 protection
Attacks and abuses addressed by ASM:
• Buffer overflow
• OWASP top 10
• Cross site scripting
• SQL Injection
• Cross site request forgery
• Layer 7 DoS
• Web scraping
• Parameter tampering
• Forceful browsing
• Geolocation enforcement
• Cookie poisoning
• Brute force attacks
• Botnet detection
• Proactive web bot identification
[Diagram: Web server, CGI/JavaScript, App server, Database server, Data]
ASM vs. Traditional Security Devices
Coverage compared across Network Firewall, IPS, and ASM:
• Known web worms
• Unknown web worms
• Known web vulnerabilities
• Unknown web vulnerabilities
• Illegal access to web server files
• Forceful browsing
• File/directory enumerations
• Buffer overflow
• Cross-site scripting
• SQL/OS injection
• Cookie poisoning
• Hidden-field manipulation
• Parameter tampering
• Layer 7 DoS attacks
• Brute force login attacks
• Application security and acceleration
Network Threats vs. Application Threats
NETWORK THREATS: the majority of security investment goes here
• Attack vectors: TCP SYN Flood, TCP Conn Flood, DNS Flood, HTTP GET Flood
APPLICATION THREATS: the majority of attacks are focused here
• Attack vectors: HTTP Slowloris, SQL Injection, Cross Site Scripting, DNS Cache Poison
What’s Driving Web Application Firewall Sales
• LONG history of high profile breaches and exploits
• Compliance requirements
  • PCI DSS
  • SOX
  • OWASP
© 2017 F5 Networks 14
F5 Networks Positioned as a Leader in 2017 Gartner Magic Quadrant for Web Application Firewalls*
F5 is highest in execution within the Leaders Quadrant.
* Gartner, Magic Quadrant for Web Application Firewalls, Jeremy D'Hoinne, Adam Hils, Claudio Neiva, 7 August 2017
This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon
request from F5 Networks. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors
with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact.
Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
OWASP Top 10: Which can be mitigated with BIG-IP ASM?
• 1: Injection
• 2: Broken Authentication and Session Management
• 3: Cross-Site Scripting (XSS)
• 4: Insecure Direct Object References
• 5: Security Misconfiguration
• 6: Sensitive Data Exposure
• 7: Missing Function Level Access Control
• 8: Cross-Site Request Forgery (CSRF)
• 9: Using Components with Known Vulnerabilities
• 10: Unvalidated Redirects and Forwards
Injection
SQL injection exploits a security vulnerability in a website's software. A SQL injection can retrieve database records, delete database records, or delete entire databases.
[Diagram: Web server, CGI/JavaScript, App server, Database server, Data]
Cross-Site Scripting (XSS)
• Accounts for roughly 84% of all security vulnerabilities
• Enables hackers to inject client-side script into requests
• Non-persistent: can expose web server files; can cause a server to go offline
• Persistent: insert script into the database
[Diagram: a password travelling through Web server, CGI/JavaScript, App server, Database server, Data]
Examine an HTTP Request
1. Request line
POST http://www.f5demo.com/index.php HTTP/1.1
• HTTP method, i.e. GET, HEAD, POST, PUT, and DELETE
• URI (universal resource identifier)
• HTTP version supported by the client's browser
2. Headers
Accept: text/html, application/xhtml+xml, */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US
Connection: Keep-Alive
Cookie: JSESSIONID=rhnjej8nodk1e1bvf8k64ato61; security=low
Host: www.vlab.f5demo.com
Referer: https://dvwa.vlab.f5demo.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
3. Body data (optional): parameters and values
username=bob&password=smith&login=Login
HTTP Request – Query String with Parameters and Values
GET https://www.bing.com/search?q=F5+networks HTTP/1.1
HTTP Request – POST Data with Parameters and Values
POST https://www.facebook.com/login.php
[email protected]&pass=*****************
ASM Checks RFC Compliance
POST /login.php HTTP/1.1
Host: dvwa.vlab.f5demo.com\r\n
Connection: keep-alive\r\n
Content-Length: 44\r\n
Cache-Control: max-age=0\r\n
Accept: text/html,application/xhtml+xml,application/xml;q=0.9\r\n
Origin: https://dvwa.vlab.f5demo.com\r\n
Upgrade-Insecure-Requests: 1\r\n
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36\r\n
Content-Type: application/x-www-form-urlencoded\r\n
Referer: https://dvwa.vlab.f5demo.com/login.php\r\n
Accept-Encoding: gzip, deflate\r\n
Accept-Language: en-US,en;q=0.8\r\n
username=admin&password=P@ssw0rd!&Login=Login
ASM Checks for Length Limits
POST /login.php HTTP/1.1
Host: dvwa.vlab.f5demo.com\r\n
Connection: keep-alive\r\n
Content-Length: 44\r\n
Cache-Control: max-age=0\r\n
Accept: text/html,application/xhtml+xml,application/xml;q=0.9\r\n
Origin: https://dvwa.vlab.f5demo.com\r\n
Upgrade-Insecure-Requests: 1\r\n
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36\r\n
Content-Type: application/x-www-form-urlencoded\r\n
Referer: https://dvwa.vlab.f5demo.com/login.php\r\n
Accept-Encoding: gzip, deflate\r\n
Accept-Language: en-US,en;q=0.8\r\n
username=admin&password=P@ssw0rd!&Login=Login
ASM Can Enforce Specific File Types
Any of these request lines, with the headers below:
GET /index.php HTTP/1.1
GET /dvwa/images/logo.png HTTP/1.1
GET /dvwa/js/dvwaPage.js HTTP/1.1
Host: dvwa.vlab.f5demo.com\r\n
Connection: keep-alive\r\n
Content-Length: 44\r\n
Cache-Control: max-age=0\r\n
Accept: text/html,application/xhtml+xml,application/xml;q=0.9\r\n
Origin: https://dvwa.vlab.f5demo.com\r\n
Upgrade-Insecure-Requests: 1\r\n
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36\r\n
Content-Type: application/x-www-form-urlencoded\r\n
Referer: https://dvwa.vlab.f5demo.com/login.php\r\n
Accept-Encoding: gzip, deflate\r\n
Accept-Language: en-US,en;q=0.8\r\n
ASM Can Enforce Specific URLs
Any of these request lines, with the headers below:
GET /login.php HTTP/1.1
GET /index.php HTTP/1.1
GET /instructions.php HTTP/1.1
GET /dvwa/sqli/sqlform.php HTTP/1.1
Host: dvwa.vlab.f5demo.com\r\n
Connection: keep-alive\r\n
Content-Length: 44\r\n
Cache-Control: max-age=0\r\n
Accept: text/html,application/xhtml+xml,application/xml;q=0.9\r\n
Origin: https://dvwa.vlab.f5demo.com\r\n
Upgrade-Insecure-Requests: 1\r\n
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36\r\n
Content-Type: application/x-www-form-urlencoded\r\n
Referer: https://dvwa.vlab.f5demo.com/login.php\r\n
Accept-Encoding: gzip, deflate\r\n
Accept-Language: en-US,en;q=0.8\r\n
ASM Can Allow Only Specific Parameters
POST /login.php HTTP/1.1
Host: dvwa.vlab.f5demo.com\r\n
Connection: keep-alive\r\n
Content-Length: 44\r\n
Cache-Control: max-age=0\r\n
Accept: text/html,application/xhtml+xml,application/xml;q=0.9\r\n
Origin: https://dvwa.vlab.f5demo.com\r\n
Upgrade-Insecure-Requests: 1\r\n
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36\r\n
Content-Type: application/x-www-form-urlencoded\r\n
Referer: https://dvwa.vlab.f5demo.com/login.php\r\n
Accept-Encoding: gzip, deflate\r\n
Accept-Language: en-US,en;q=0.8\r\n
username=admin&password=P@ssw0rd!&Login=Login
ASM Can Check Each Parameter for Specific Criteria
POST /login.php HTTP/1.1
Host: dvwa.vlab.f5demo.com\r\n
Connection: keep-alive\r\n
Content-Length: 44\r\n
Cache-Control: max-age=0\r\n
Accept: text/html,application/xhtml+xml,application/xml;q=0.9\r\n
Origin: https://dvwa.vlab.f5demo.com\r\n
Upgrade-Insecure-Requests: 1\r\n
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36\r\n
Content-Type: application/x-www-form-urlencoded\r\n
Referer: https://dvwa.vlab.f5demo.com/login.php\r\n
Accept-Encoding: gzip, deflate\r\n
Accept-Language: en-US,en;q=0.8\r\n
username=admin&password=P@ssw0rd!&Login=Login
ASM Can Scan For Attack Signatures
POST /login.php HTTP/1.1
Host: dvwa.vlab.f5demo.com\r\n
Connection: keep-alive\r\n
Content-Length: 44\r\n
Cache-Control: max-age=0\r\n
Accept: text/html,application/xhtml+xml,application/xml;q=0.9\r\n
Origin: https://dvwa.vlab.f5demo.com\r\n
Upgrade-Insecure-Requests: 1\r\n
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36\r\n
Content-Type: application/x-www-form-urlencoded\r\n
Referer: https://dvwa.vlab.f5demo.com/login.php\r\n
Accept-Encoding: gzip, deflate\r\n
Accept-Language: en-US,en;q=0.8\r\n
username=admin&password=P@ssw0rd!&Login=Login
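The seven request-side checks on the preceding slides (RFC compliance, length limits, allowed file types, allowed URLs, allowed parameters, per-parameter criteria, attack signatures), worked as one small policy engine over a raw request. This is an added example, not F5's implementation or the course's lab material: the policy values, the length limits, the two stand-in signatures and the two sample requests are all constructed, and the RFC check covers only a small subset of what ASM verifies.

```python
"""ASM-style positive-security checks over one raw HTTP request: RFC sanity,
length limits, allowed file types, allowed URLs, allowed parameters, per-
parameter criteria and attack-signature scanning. Added example, not F5 code;
policy values, limits, signatures and sample requests are all constructed."""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed policy. "no_ext" is ASM's name for a URL without an extension;
# a "*" entry in allowed_file_types would allow every type (the Rapid
# Deployment default). Criteria are (regex the value must match, max length).
POLICY = {
    "allowed_file_types": {"php", "png", "js", "css", "no_ext"},
    "allowed_urls": {"/login.php", "/index.php", "/instructions.php",
                     "/dvwa/sqli/sqlform.php"},
    "allowed_params": {"username", "password", "Login"},
    "param_criteria": {"username": (r"[A-Za-z0-9_.-]+", 32),
                       "password": (r"[^\r\n]+", 64),
                       "Login": (r"Login", 5)},
    "limits": {"url": 256, "header_line": 512, "request": 4096},
}
# Two constructed stand-ins for attack signatures (a real set is far larger)
SIGNATURES = [("sqli_tautology", re.compile(r"'\s*or\s+1\s*=\s*1", re.I)),
              ("xss_script_tag", re.compile(r"<\s*script\b", re.I))]


def parse_request(raw):
    """Split a raw request into (method, target, version, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    method, target, version = parts if len(parts) == 3 else ("", "", "")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers, body


def file_type(path):
    """Extension of the last path segment, or 'no_ext' when there is none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else "no_ext"


def check_request(raw, policy=POLICY):
    """Return the list of violations; an empty list means the request passes."""
    v = []
    method, target, version, headers, body = parse_request(raw)
    path = urlsplit(target).path
    # 1. RFC compliance (a small subset of what ASM verifies)
    if method not in {"GET", "HEAD", "POST", "PUT", "DELETE"} or not version.startswith("HTTP/1."):
        v.append("rfc: malformed request line")
    clen = headers.get("content-length")
    if clen is not None and (not clen.isdigit() or int(clen) != len(body.encode())):
        v.append("rfc: Content-Length does not match body")
    # 2. Length limits
    if len(target) > policy["limits"]["url"]:
        v.append("length: URL too long")
    if any(len(n) + len(x) > policy["limits"]["header_line"] for n, x in headers.items()):
        v.append("length: header too long")
    if len(raw) > policy["limits"]["request"]:
        v.append("length: request too long")
    # 3. Allowed file types (a wildcard entry allows everything)
    ft = file_type(path)
    if "*" not in policy["allowed_file_types"] and ft not in policy["allowed_file_types"]:
        v.append(f"file type: {ft} not allowed")
    # 4. Allowed URLs
    if path not in policy["allowed_urls"]:
        v.append(f"url: {path} not allowed")
    # 5/6. Allowed parameters and per-parameter criteria, query string and form body
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params += parse_qsl(body, keep_blank_values=True)
    for name, value in params:
        if name not in policy["allowed_params"]:
            v.append(f"parameter: {name} not allowed")
            continue
        pattern, max_len = policy["param_criteria"].get(name, (r".*", 10**6))
        if len(value) > max_len or not re.fullmatch(pattern, value):
            v.append(f"parameter: {name} fails criteria")
    # 7. Attack signatures over the URI, decoded parameter values, each header
    #    and the whole request; each signature is reported once, at its first hit
    places = ([("uri", target)] + [(f"param {n}", x) for n, x in params]
              + [(f"header {n}", x) for n, x in headers.items()] + [("request", raw)])
    for sig, rx in SIGNATURES:
        for where, text in places:
            if rx.search(text):
                v.append(f"signature: {sig} in {where}")
                break
    return v


# Constructed sample requests; the second carries an SQL tautology in the id
# parameter, URL-encoded so it only becomes visible after decoding
LEGIT_REQUEST = ("POST /login.php HTTP/1.1\r\nHost: dvwa.vlab.f5demo.com\r\n"
                 "Content-Type: application/x-www-form-urlencoded\r\n"
                 "Content-Length: 45\r\n\r\n"
                 "username=admin&password=P@ssw0rd!&Login=Login")
ATTACK_REQUEST = ("GET /dvwa/sqli/sqlform.php?id=1%27+or+1%3D1&Submit=Submit HTTP/1.1\r\n"
                  "Host: dvwa.vlab.f5demo.com\r\n\r\n")

if __name__ == "__main__":
    for raw in (LEGIT_REQUEST, ATTACK_REQUEST):
        print(raw.split("\r\n")[0], "->", check_request(raw) or "passes policy")
```

The tautology in the second request is URL-encoded, so the signature does not match the raw request line but does match the decoded value of the id parameter. That is why signatures have to be applied to decoded parameter values as well as to the URI, and why the parameter allow-list (id and Submit are not defined) fires on the same request before the signature does.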
ASM Verifies the Server Response
• Checks for malicious patterns in the response
• Verifies valid response codes
• Hides the server header
• Performs content scrubbing
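The four response-side checks above, as an added example rather than F5 code. The allowed response codes, the two error-leak patterns standing in for "malicious patterns in the response", and the Luhn-based card masking used to illustrate content scrubbing are all assumptions; ASM's own patterns and data-masking rules are not reproduced here.

```python
"""ASM-style checks on the server response: allowed response codes, error
patterns in the body, hiding the Server header and scrubbing card numbers.
Added example, not F5 code; the allowed codes, the patterns and the Luhn-based
masking are assumptions standing in for ASM's own response checks."""
import re

ALLOWED_CODES = {200, 301, 302, 304, 404}           # constructed allow-list
# Constructed patterns: error text that would confirm to an attacker that an
# injection attempt reached the database or crashed the application
ERROR_PATTERNS = [
    ("mysql_error", re.compile(r"You have an error in your SQL syntax", re.I)),
    ("stack_trace", re.compile(r"\bat [\w.$]+\([\w.]+:\d+\)")),
]
CARD_RX = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")   # 13 to 19 digits, optional separators


def luhn_ok(digits):
    """Luhn checksum, used to avoid masking order numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def scrub(text):
    """Mask every Luhn-valid card number, keeping separators and the last four digits."""
    def mask(m):
        s = m.group(0)
        digits = re.sub(r"\D", "", s)
        if not luhn_ok(digits):
            return s
        out, seen = [], 0
        for ch in s:
            if ch.isdigit():
                seen += 1
                out.append(ch if seen > len(digits) - 4 else "*")
            else:
                out.append(ch)
        return "".join(out)
    return CARD_RX.sub(mask, text)


def check_response(raw, allowed_codes=ALLOWED_CODES):
    """Return (violations, rewritten response) for one raw HTTP response."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ")[1])
    violations = []
    if status not in allowed_codes:
        violations.append(f"response code {status} not allowed")
    for name, rx in ERROR_PATTERNS:
        if rx.search(body):
            violations.append(f"response pattern: {name}")
    # hide the Server header, then scrub the body
    kept = [h for h in lines[1:] if not h.lower().startswith("server:")]
    rebuilt = "\r\n".join([lines[0]] + kept) + "\r\n\r\n" + scrub(body)
    return violations, rebuilt


# Constructed responses: a normal page that leaks a card number, and a
# database error page behind a 500
OK_RESPONSE = ("HTTP/1.1 200 OK\r\nServer: Apache/2.4.7 (Ubuntu)\r\n"
               "Content-Type: text/html\r\n\r\n"
               "<p>Card on file: 4111 1111 1111 1111 (order 1234567812345678)</p>")
ERROR_RESPONSE = ("HTTP/1.1 500 Internal Server Error\r\nServer: Apache/2.4.7\r\n"
                  "Content-Type: text/html\r\n\r\n"
                  "You have an error in your SQL syntax; check the manual")

if __name__ == "__main__":
    for raw in (OK_RESPONSE, ERROR_RESPONSE):
        violations, rewritten = check_response(raw)
        print(violations or "passes", "|", rewritten.replace("\r\n", " / "))
```

Masking changes the body length, so an inline device also has to recompute Content-Length; the sample responses carry none to keep the example short. The Luhn check is what keeps the 16-digit order number in the first response intact while the card number beside it is masked.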
Create an ASM Security Policy
• Minimizes false positives
• Decreases time from Transparent to Blocking
• Protects against OWASP attacks
• Includes thousands of detection signatures
• Includes all required policy items, URLs, parameters, cookies, etc.
Create an ASM DoS Profile
ASM Exercise 1 – Create an ASM Security Policy and DoS Profile
• In this exercise:
  • Use the DVWA application to identify security vulnerabilities
  • Configure a new security policy using Rapid Deployment
  • Examine the ASM log file
  • Launch layer 7 attacks against the web application
  • Create a layer 7 DoS profile
• Estimated completion time: 45 minutes
• Lesson 1: Application Security Manager (ASM) Overview
• Lesson 2: File Type Enforcement / Using Attack Signatures
File Type Enforcement
• Default "Allowed File Types" list after Rapid Deployment: the wildcard entry must be deleted to complete the policy
• Most applications use a small list of file types
• A defined list of file types blocks many application attacks (Code Red made requests for default.ida)
Let's discuss a huge ASM benefit
Create the List of Allowed File Types
Use the Learning and Blocking Settings page:
• Learn: display requests that trigger this violation on the Traffic Learning page
• Alarm: requests that trigger this violation are illegal requests and generate a log entry (in Transparent mode)
• Block: requests that trigger this violation are blocked and generate a log entry (in Blocking mode)
These options are enabled using the Rapid Deployment Security Policy
Adjust Learning and Blocking Settings
• Switch to Blocking mode; the Block option can now be selected
• You can now switch back to Transparent mode
Define Specific File Types, Step 2: Generate Learning Suggestions
Requests sent to the web server:
www.lorax.com/schedule.asp
www.lorax.com/images/icon.jpg
www.lorax.com/default.asp
www.lorax.com/instructions.pdf
www.lorax.com/style.css
www.lorax.com/config.conf
www.lorax.com/images/logo.gif
Learning suggestions generated by ASM:
.asp (2)
.gif
.pdf
.jpg
.css
.conf
• Valid file types (2xx and 3xx response codes) are added to the list of suggestions
• Remember, blocking may not be taking place
• Learning suggestions can be generated in a production or a development environment
• Some suggestions may be malicious requests that should not be added to the security policy
View Traffic Learning Suggestions
These are all of the generated suggestions
View a Specific Traffic Suggestion
You can view general details of the request, in addition to the entire HTTP request
Add a File Type to the Security Policy
• What type of file did the user request? What type of file is "no_ext"?
• The Action is Add File Type
• Add the file type to the policy and remove it from staging, or add the file type to the policy and leave it in staging
• The file type is no longer in the list (and will no longer appear as a new suggestion)
Add Multiple File Types to the Security Policy
The remaining file types can remain in the list, or can be deleted or ignored
Remove the Wildcard Entry
• As long as the wildcard character is on the Allowed File Types list, ASM allows all file types
• Without the wildcard, these are the only file types that ASM will allow
• Note that all file types are in staging
• Don't forget to apply the updated policy
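The learning and enforcement workflow from the file type slides (generate suggestions from 2xx/3xx traffic, accept some and reject a suspicious one, keep accepted types in staging, remove the wildcard), worked as code. This is an added example, not F5 code: the traffic sample is the slide's seven lorax.com requests plus two constructed ones (a URL with no extension, and a 404 that must not become a suggestion), and the policy is simplified to a map from file type to an in-staging flag with a deliberately reduced decision rule.

```python
"""ASM-style learning suggestions for allowed file types, plus the staging and
wildcard behaviour from the slides. Added example, not F5 code: the traffic
sample, the policy representation (file type -> in_staging) and the decision
logic are constructed and simplified."""
from collections import Counter
from urllib.parse import urlsplit


def file_type(url):
    """Extension of the last path segment, or 'no_ext' when there is none."""
    path = urlsplit(url if "://" in url else "//" + url).path
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else "no_ext"


# Constructed traffic: (requested URL, response status). The first seven are
# the slide's requests; the last two are added to show a URL with no
# extension and a failed probe that must not become a suggestion.
TRAFFIC = [
    ("www.lorax.com/schedule.asp", 200), ("www.lorax.com/images/icon.jpg", 200),
    ("www.lorax.com/default.asp", 200), ("www.lorax.com/instructions.pdf", 200),
    ("www.lorax.com/style.css", 304), ("www.lorax.com/config.conf", 200),
    ("www.lorax.com/images/logo.gif", 200), ("www.lorax.com/admin/", 200),
    ("www.lorax.com/backup.zip", 404),
]

# Rapid Deployment default: only the wildcard, and it is in staging
DEFAULT_POLICY = {"*": True}


def learning_suggestions(traffic, policy):
    """Count file types seen in 2xx/3xx responses that the policy does not yet
    list explicitly. The 404 for backup.zip never produces a suggestion."""
    counts = Counter()
    for url, status in traffic:
        ft = file_type(url)
        if 200 <= status < 400 and ft not in policy:
            counts[ft] += 1
    return counts


def accept_suggestions(policy, suggestions, reject=(), staging=True):
    """Return a new policy with the accepted types added (in staging unless
    told otherwise); rejected types, like .conf here, stay out."""
    updated = dict(policy)
    for ft in suggestions:
        if ft not in reject:
            updated[ft] = staging
    return updated


def in_staging(policy):
    """File types whose staging flag is still set (the slide's closing note)."""
    return sorted(ft for ft, staged in policy.items() if staged)


def remove_wildcard(policy):
    """Delete the '*' entry so only the explicit list remains."""
    return {ft: staged for ft, staged in policy.items() if ft != "*"}


def enforce(policy, url, mode="blocking"):
    """Decide 'allow', 'alarm' (log only) or 'block' for one request.
    Simplified rule: a listed type is allowed, the wildcard allows everything,
    and an unlisted type is blocked only when the policy is in Blocking mode."""
    ft = file_type(url)
    if ft in policy or "*" in policy:
        return "allow"
    return "block" if mode == "blocking" else "alarm"


if __name__ == "__main__":
    suggestions = learning_suggestions(TRAFFIC, DEFAULT_POLICY)
    print("suggestions:", dict(suggestions))
    policy = accept_suggestions(DEFAULT_POLICY, suggestions, reject={"conf"})
    print("staged:", in_staging(policy))
    print("with wildcard:", enforce(policy, "www.lorax.com/config.conf"))
    policy = remove_wildcard(policy)
    print("without wildcard:", enforce(policy, "www.lorax.com/config.conf"))
```

Run end to end, the module reproduces the slide's outcome: .conf is suggested because the server answered 2xx, the reviewer rejects it, the request for config.conf still passes while the wildcard is on the list, and it is blocked only once the wildcard is removed and the policy is in Blocking mode.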
ASM Attack Signatures
• Attack signatures are the basis of negative security logic
• ASM attack signatures inspect:
  • The request URI
  • The value content of query strings, POST requests, and cookies
  • HTTP headers and values
  • The entire HTTP request
Server Technologies
Add Additional Attack Signatures to a Security Policy
Signatures are added while creating the policy and when adding server technologies
View Attack Signatures Per Security Policy
Note that all signatures are in staging
Update Attack Signatures
• F5 releases signatures roughly every six weeks
• Updates due to zero day attacks are typically released 12 – 48 hours after a pervasive attack
• Update mode is Manual by default
ASM Exercise 2 – Use File Type Enforcement
• In this exercise:
  • Configure the security policy to learn about file types
  • Generate traffic to create learning suggestions
  • Accept valid suggestions to the security policy
  • Modify the security policy enforcement mode
  • Add additional signatures to the security policy
• Estimated completion time: 50 minutes