F5 BIG-IP ASM – Positive Security Policy
I wrote about Policy Tuning and Violations last week, where I created a Negative Security Policy, named Rapid Deployment Policy (RDP), to protect web applications from attacks. This kind of policy is useful for protecting web applications from known attacks. However, this week I want to write about Positive Security Policy, where I'm going to create a security policy manually to customize and accept which file types, URLs and parameters will be used by my web application. This kind of policy is more difficult and complex to configure than a Negative Security Policy, but it is able to defeat sophisticated and complex threats better than a Negative Security Policy.
When we configure a security policy manually, we can choose Never (Wildcard Only), Selective or Add All Entities for file types, URLs and parameters. For instance, if we choose Add All Entities, we'll have a comprehensive whitelist policy that includes ALL of the website entities. Add All Entities will form a large set of security policy entities, which will produce a granular object-level configuration and a high security level. However, it may take more time to maintain such a policy.
On the other hand, the Never (Wildcard Only) option is the easiest security policy to manage, because many application objects will share the same security settings inherited from the global or wildcard level. In addition, when false positives occur the system will suggest relaxing the settings of the wildcard entity. Therefore, it may result in overall relaxed application security. From my point of view, this is a good option for URL entities, because most applications usually have lots of URLs, which are difficult to manage from a security policy.
The third learning option is Selective, which offers intermediate protection between Never (Wildcard Only) and Add All Entities. With this option, when false positives occur, the system will add (or suggest adding) an explicit entity with relaxed settings that avoid the false positive. In other words, Selective mode is suitable for applications containing entities which use similar or identical attributes. However, if some of the entities need special handling, the policy can be expanded to include exceptional explicit entities just for those outliers. Therefore, this option serves as a good balance between security, policy size, and ease of maintenance.
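To make the difference between the three learning modes concrete, here is a small toy model of a positive (whitelist) policy for URL entities. It is an added illustration written for this post, not F5 code; the wildcard settings, the URLs and the request values are constructed for the example. It shows what happens to the rest of the application when one false positive on `/comment.php` is accepted in each mode.

```python
"""Toy model of an ASM-style positive policy for URL entities under the
three learning modes. Added illustration, not F5 code: entity names,
settings and request values are constructed for this example."""
from dataclasses import dataclass, field

NEVER, SELECTIVE, ADD_ALL = "never", "selective", "add_all"


@dataclass
class UrlPolicy:
    mode: str
    # Settings of the wildcard ("*") URL entity that every URL inherits.
    wildcard: dict = field(default_factory=lambda: {"max_len": 256, "allow_meta": False})
    # Explicit URL entities with their own settings (url -> settings).
    explicit: dict = field(default_factory=dict)

    def settings_for(self, url):
        # An explicit entity wins; otherwise the wildcard entity applies.
        return self.explicit.get(url, self.wildcard)

    def evaluate(self, url, value):
        s = self.settings_for(url)
        if len(value) > s["max_len"]:
            return "VIOLATION: illegal parameter length"
        if not s["allow_meta"] and any(c in value for c in "<>'\""):
            return "VIOLATION: illegal meta character"
        return "ALLOW"

    def learn_false_positive(self, url, needed):
        """Apply the relaxation each mode suggests for a false positive."""
        if self.mode == NEVER:
            self.wildcard.update(needed)          # relaxes every URL at once
        elif self.mode == SELECTIVE:
            self.explicit[url] = {**self.wildcard, **needed}  # one outlier
        else:  # ADD_ALL: every URL already has its own entity
            self.explicit.setdefault(url, dict(self.wildcard)).update(needed)


def demo(mode):
    """Accept one false positive, then check how far the relaxation spread."""
    p = UrlPolicy(mode)
    if mode == ADD_ALL:  # Add All Entities: explicit entity per known URL
        for u in ("/login.php", "/comment.php"):
            p.explicit[u] = dict(p.wildcard)
    p.learn_false_positive("/comment.php", {"allow_meta": True})
    return (p.evaluate("/comment.php", "<b>hi</b>"),
            p.evaluate("/login.php", "<script>"),
            len(p.explicit))
```

In Never mode the meta-character relaxation needed by `/comment.php` also reaches `/login.php`; in Selective and Add All Entities modes only the explicit entity is relaxed, at the cost of more entities to maintain.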
To sum up, if we want a comprehensive security policy to defeat sophisticated and complex threats, we'll have to configure a positive security policy, along with a negative security policy, choosing between the Add All Entities, Selective and Never (Wildcard Only) options for file types, URLs and parameters. However, we always have to take into account that the Add All Entities mode is time-consuming but offers highly granular protection of entities, while the Never (Wildcard Only) mode is easy to manage but offers low protection of entities.
Regards my friends. Keep reading and keep studying!!
nice man