BIG-IP Application Security Manager (ASM) : F5 Partner Technical Boot Camp
Written for TMOS v13.0
• Lesson 1: Application Security Manager (ASM) Overview
Diagram: HTTP request and HTTP response travel through layers L7 to L1 between the client and the web server
• Application attacks take place at layer 7
• Server hardening practices are applied
• SSL only protects confidentiality and integrity of data in transit
• Network firewalls are “blind” to SSL traffic
• Network firewalls only protect through layer 4
• Hardening, patching, and secure coding do not protect against zero-day attacks
• SSL actually helps to ensure malicious requests make it to the web server
Forceful browsing
File/directory enumerations
Buffer overflow
Cross-site scripting
SQL/OS injection
Cookie poisoning
Hidden-field manipulation
Parameter tampering
MAJORITY of security investment goes here
MAJORITY of attacks are focused here
• Compliance requirements
• PCI DSS
• SOX
• OWASP
© 2017 F5 Networks 14
F5 Networks Positioned as a Leader in 2017 Gartner Magic Quadrant for Web Application Firewalls*
This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from F5 Networks. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
OWASP Top 10: Which can be mitigated with BIG-IP ASM?
• 1: Injection
• 2: Broken Authentication and Session Management
• 3: Cross-Site Scripting (XSS)
• 4: Insecure Direct Object References
• 5: Security Misconfiguration
• 6: Sensitive Data Exposure
• 7: Missing Function Level Access Control
• 8: Cross-Site Request Forgery (CSRF)
• 9: Using Components with Known Vulnerabilities
• 10: Unvalidated Redirects and Forwards
Injection
Diagram: Web server → CGI/JavaScript → App server → Database server → Data
• SQL injection: retrieves database records
• SQL injection: deletes entire databases
Cross-Site Scripting (XSS)
• Accounts for roughly 84% of all security vulnerabilities
• Cross-site script
• Non-persistent: can expose web server files
• Non-persistent: pa
1. Request line
POST http://www.f5demo.com/index.php HTTP/1.1
   HTTP method, i.e. GET, HEAD, POST, PUT, and DELETE | URI (universal resource identifier) | HTTP version
2. Headers
Accept: text/html, application/xhtml+xml, */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US
Connection: Keep-Alive
Cookie: JSESSIONID=rhnjej8nodk1e1bvf8k64ato61; security=low
Host: www.vlab.f5demo.com
Referer: https://dvwa.vlab.f5demo.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
   The Accept-* headers describe what is supported by the client’s browser
POST https://www.facebook.com/login.php
email=bobsmith@gmail.com&pass=*****************
ASM Checks RFC Compliance
POST /login.php HTTP/1.1
Host: dvwa.vlab.f5demo.com\r\n
Connection: keep-alive\r\n
Content-Length: 44\r\n
Cache-Control: max-age=0\r\n
Accept: text/html,application/xhtml+xml,application/xml;q=0.9\r\n
Origin: https://dvwa.vlab.f5demo.com\r\n
Upgrade-Insecure-Requests: 1\r\n
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36\r\n
Content-Type: application/x-www-form-urlencoded\r\n
Referer: https://dvwa.vlab.f5demo.com/login.php\r\n
Accept-Encoding: gzip, deflate\r\n
Accept-Language: en-US,en;q=0.8\r\n
username=admin&password=P@ssw0rd!&Login=Login
ASM Checks for Length Limits
ASM Can Enforce Specific File Types
GET /index.php HTTP/1.1
GET /dvwa/images/logo.png HTTP/1.1
GET /dvwa/js/dvwaPage.js HTTP/1.1
ASM Can Enforce Specific URLs
GET /login.php HTTP/1.1
GET /index.php HTTP/1.1
GET /instructions.php HTTP/1.1
GET /dvwa/sqli/sqlform.php HTTP/1.1
ASM Can Allow Only Specific Parameters
ASM Can Check Each Parameter for Specific Criteria
ASM Can Scan For Attack Signatures
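As an added example that is not part of the F5 deck, a small Python positive-security checker that applies the same sequence of checks the slides above walk through (RFC compliance, length limits, file types, URLs, allowed parameters, per-parameter criteria, attack signatures) to a raw request of the shape dissected in the request anatomy slide. The policy values, the single SQL injection signature, the `login_request` sample and the `check_request` function are all constructed for this example; the violation strings only loosely follow ASM's wording.

```python
import re
from urllib.parse import parse_qs, urlsplit
# Constructed policy in the order the deck presents the checks; the limits are illustrative.
POLICY = {
    "max_query_len": 100, "max_body_len": 128,
    "file_types": {"php", "png", "js", "css", "no_ext"},
    "urls": {"/login.php", "/index.php", "/instructions.php", "/dvwa/sqli/sqlform.php"},
    "params": {"username": 16, "password": 32, "Login": 8},  # name -> max value length
}
SQLI_SIG = re.compile(r"'\s*(or|and)\s+|--|/\*", re.I)  # one illustrative signature, not ASM's set

def check_request(raw: bytes) -> list:
    """Return violation names (loosely following ASM's naming) for one raw HTTP request."""
    violations = []
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    m = re.fullmatch(rb"(GET|POST|HEAD|PUT|DELETE) (\S+) HTTP/1\.[01]", lines[0])
    if not sep or not m:                          # 1. RFC compliance: request line and CRLF framing
        return ["HTTP protocol compliance failed"]
    pairs = [h.partition(b":") for h in lines[1:]]
    if any(not colon for _, colon, _ in pairs):   # a header line without ':' is not RFC-compliant
        return ["HTTP protocol compliance failed"]
    headers = {n.strip().lower(): v.strip() for n, _, v in pairs}
    if int(headers.get(b"content-length", b"0")) != len(body):
        violations.append("HTTP protocol compliance failed")   # Content-Length must match the body
    method, url = m.group(1).decode(), urlsplit(m.group(2).decode())
    if len(url.query) > POLICY["max_query_len"] or len(body) > POLICY["max_body_len"]:
        violations.append("Illegal request length")           # 2. length limits
    ext = url.path.rpartition(".")[2] if "." in url.path.rpartition("/")[2] else "no_ext"
    if ext not in POLICY["file_types"]:           # 3. file types
        violations.append("Illegal file type")
    if url.path not in POLICY["urls"]:            # 4. URLs
        violations.append("Illegal URL")
    params = parse_qs(url.query, keep_blank_values=True)
    if method == "POST" and headers.get(b"content-type", b"").startswith(b"application/x-www-form-urlencoded"):
        params.update(parse_qs(body.decode(errors="replace"), keep_blank_values=True))
    for name, values in params.items():
        if name not in POLICY["params"]:          # 5. only known parameters are allowed
            violations.append("Illegal parameter")
            continue
        for v in values:
            if len(v) > POLICY["params"][name]:   # 6. per-parameter criteria (here: max length)
                violations.append("Illegal parameter value length")
            if SQLI_SIG.search(v):                # 7. attack signatures on the parameter value
                violations.append("Attack signature detected")
    return violations

def login_request(body=b"username=admin&password=P@ssw0rd!&Login=Login"):  # constructed DVWA-style sample
    return (b"POST /login.php HTTP/1.1\r\nHost: dvwa.vlab.f5demo.com\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: %d\r\n\r\n%s" % (len(body), body))
```

Because the checks run in the deck's order, a request that breaks RFC framing is rejected before any later check is attempted, which is also why the function returns early for it.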
ASM Verifies the Server Response
• In this exercise:
• Use the DVWA application to identify security
vulnerabilities
• Configure a new security policy using Rapid
Deployment
• Examine the ASM log file
• Launch layer 7 attacks against the web application
• Create a layer 7 DoS profile
• Estimated completion time: 45 minutes
• Lesson 1: Application Security Manager (ASM) Overview
Switch to Blocking mode
You can now switch back to Transparent mode
Web server
View Traffic Learning Suggestions
• In this exercise:
• Configure the security policy to learn about file types
• Generate traffic to create learning suggestions
• Accept valid suggestions to the security policy
• Modify the security policy enforcement mode
• Add additional signatures to the security policy
• Estimated completion time: 50 minutes