8/18/2019 Passo 3 - F5 Virtual Environment Hands-On Exercise Guide - ASM (LatAm)
F5 Virtual Environment
Hands-On Exercise Guide
ASM Exercises
F5 Virtual Environment Hands-On Exercise Guide – Exercise 1 – Enable ASM Protection
ASM HANDS-ON EXERCISES
EXERCISE 1 – ENABLE ASM PROTECTION
Your customer is running a vulnerable Web site and would like to use F5’s Application Security Manager to protect the Web site from malicious attacks.
Estimated completion time: 20 minutes
TASK 1 – Create a Pool and a Virtual Server
Use the configuration utility to create a pool to support the customer’s auction Web site, and then create a new virtual server that uses the new pool.
1. In VMware Workstation, power on the phpauction image.
2. Connect and log in to your BIG-IP.
3. Verify that you have restored using archive_After_1D (you should have only the http_vs virtual server).
4. Create a new pool using the following information:
   Name              auction_pool
   Health Monitors   http
   Members           172.16.20.150:80
5. Create a new virtual server object using the following information:
   Name                  auction_vs
   Destination Address   10.10.20.110
   Service Port          443
   HTTP Profile          http
   SSL Profile (Client)  clientssl
   SNAT Pool             Auto Map
   Default Pool          auction_pool
TASK 2 – Verify Web Site Vulnerabilities
Use a Web browser to access the auction virtual server IP address and attempt various well-known attacks against the Auction Web site to determine its current security state.
1. Open a new Web browser window and access https://10.10.20.110 .
2. Verify that the Hack-it-yourself auction Web site displays.
3. Use the Register now link at the top to create a user account.
   o All fields are required.
   o For the Address, enter your actual social security number (if you do not have a social security number, enter 123-45-6789).
   o For the Credit Card Number, type 4111111111111111.
4. Click Submit Query. (NOTE: It may take up to three minutes for the request to complete.)
5. Click on the Home link.
6. In the User login section, enter the username and password you submitted in step 3.
7. Click Go.
8. Click the Your control panel link in the Logged in section on the right side of the page (NOT the link on the top menu bar).
   Questions:
   a) Are you able to view your personal information? _________________
   b) Was your credit card number sent in HTML plain text? _________________
9. Edit the end of the URI to read: ?nick=bobsmith.
   Question:
   c) Are you able to view another user’s personal information? _________________
10. Edit the end of the URI to read: ?nick=*.
   Questions:
   d) What information were you presented with? _____________________________
   e) What type of Web site vulnerability is this? ______________________________
11. Click Logout, and then log back in as the username you submitted in step 3.
12. Select the Sell an item link.
13. Sell an item using the following information:
   Item title           Bad item
   Item description     alert ("Don’t use this site - go to http://mysite.com");
   Auction starts with  $10
   Country              United States of America
   Zip Code             98119
   Payment methods      MasterCard or Visa
   Choose a category    Toys and Games
   NOTE: Leave all other fields set to their default values.
14. Click Submit Query.
15. When prompted, enter your Password, and click Submit Query again.
16. Select the Home link. (NOTE: It may take up to three minutes for the request to complete.)
17. From the Last created auctions list, select Bad item.
   Questions:
   f) What happens when users select this item? _____________________________
   g) What type of Web site vulnerability is this? ______________________________
18. Click Logout.
19. In the User login section, in the Username field type: ' or 1=1#
20. Click Go.
21. Click the Your control panel link in the Logged in section on the right side of the page.
   Questions:
   h) What information was presented? ______________________________________
   i) What type of Web site vulnerability is this? _______________________________
22. Click Logout, and then close the auction Web site browser window.
TASK 3 – Create an HTTP Class Profile
Create an HTTP class profile, and then view the security policy that is automatically generated by ASM.
1. In the BIG-IP configuration utility, access the Local Traffic > Profiles > Protocol > HTTP Class page.
2. Create an HTTP class profile named secure_profile.
3. From the Application Security list box, select Enabled.
4. Click Finished.
5. Access the Application Security > Security Policies > Policies List > Active Policies page.
   There is now an active security policy.
6. Access the Application Security > Policy > Policy > Properties page.
   ASM notifies that the security policy application language is not defined.
TASK 4 – Update the Virtual Server
Update the virtual server by selecting the new HTTP class profile.
1. Update the auction_vs virtual server by selecting the secure_profile HTTP class profile.
2. Click Finished.
TASK 5 – Reconfigure the HTTP Class Profile
Experiment with the different options available within an HTTP class profile.
1. Open a new Web browser window and access https://10.10.20.110 .
2. Verify that the auction Web site displays.
3. Close the Web browser window.
4. In the configuration utility, edit the secure_profile HTTP class profile.
5. In the Actions section, from the Send To list, select Redirect to…
6. In the Redirect to Location box, type http://www.f5.com.
7. Click Update.
8. Open a new Web browser window and access https://10.10.20.110 .
   Question:
   a) What Web site displayed in the browser? _______________________________
9. Close the Web browser.
10. In the Configuration section, from the Hosts list select Match only…
11. Add the following host: 20.20.20.20 (leave the Entry Type list set to Pattern String), and then click Update.
12. Open a new Web browser window and access https://10.10.20.110 .
   Questions:
   b) What Web site displayed in the browser? _______________________________
   c) Why did this request go to the Auction site and not the F5.com Web site? _________________________________________________________________
   d) Was this access to the Web site protected by ASM? _______________
13. Close the Web browser.
14. Clear the Custom check boxes for both Hosts and Send To (be sure to leave the check box for Application Security selected).
15. Click Update.
16. Create an archive file named archive_After_5A.
F5 Virtual Environment Hands-On Exercise Guide – Exercise 2 – Updating and Applying a Security Policy
EXERCISE 2 – UPDATING AND APPLYING A SECURITY POLICY
Your customer has installed ASM and needs to begin configuring a security policy to prevent malicious activity.
This exercise builds on the previous exercise; therefore you must complete the previous exercise prior to starting this exercise.
Estimated completion time: 10 minutes
TASK 1 – Configure the Security Policy using Rapid Deployment
Update the security policy that ASM created in the previous lab using the Rapid Deployment security policy, and then apply the updated policy.
1. Access and log into your BIG-IP system.
2. Access the Application Security > Security Policies > Policies List > Active Policies page.
3. Select Configure Security Policy.
4. Select the Create a policy manually or use templates (advanced) option.
5. Click Next.
6. On the Configure Security Policy Properties page, in the Application Language list box, select Unicode (utf-8).
7. In the Application-Ready Security Policy list box, select Rapid Deployment security policy.
8. Click Next.
9. On the Configure Attack Signatures page, move the following from the Available Systems list box to the Assigned Systems list box:
   o Operating Systems > Unix/Linux
   o Web Servers > Apache and Apache Tomcat
   o Languages, Frameworks and Applications > PHP
   o Database Servers > MySQL
10. Leave Signature Staging enabled and click Next.
11. Click Finish.
   The new policy is placed in Transparent mode.
12. From the Logging Profile list, select Log all requests.
13. Click Save.
14. Click Apply Policy.
15. Click OK.
TASK 2 – Verify That Requests are Passing Through ASM
Use the Reporting page in ASM to verify that requests for the auction Web site are passing through ASM.
1. Access the Application Security > Reporting > Requests page.
2. Select All Requests.
3. Open a new Web browser window and access https://10.10.20.110 .
4. View the last five most recent items in the Last created auctions list.
5. In the User login section, log in using the username and password you created in Exercise 5A, task 2, step 3.
6. Select the Edit data link in the Logged in section on the right side of the page.
   Questions:
   a) What value is in the Address field? ________________________
   b) Why is this value displaying? ________________________________________________
7. Go to the home page, and then buy the Canon Digital Camera.
8. Click Logout.
9. Edit the URL to https://10.10.20.110/comment.txt .
10. Close the auction Web site browser window.
11. On the Reporting > Requests page, click Go.
12. Verify that requests for several files are displayed.
   Questions:
   c) Are requests for most .php pages Legal, Illegal, or Blocked? ____________________
   d) Are requests for .txt pages Legal, Illegal, or Blocked? ____________________
   e) Why aren’t requests for .txt pages being blocked through ASM? _________________________________________________________________
13. Select the buy2.php link.
14. Select Data Guard: Information leakage detected.
   Question:
   f) What caused this illegal entry? ___________________________________
15. Close the View Full Request Information window.
16. Select the edit_data.php link.
17. Select Data Guard: Information leakage detected.
   Question:
   g) What caused this illegal entry? ___________________________________
18. Close the View Full Request Information window.
19. Select all of the items in the Requests List, and then click Clear All.
20. Create an archive file named archive_After_5B.
TASK 3 – View the PCI Compliance Report
Use the PCI Compliance report to determine where the Web application is missing required security for compliance.
1. Access the Application Security > Reporting > PCI Compliance page.
   Question:
   a) Which requirements are automatically compliant using the Rapid Deployment policy? ______________________________________________________________________
2. Select Do not use vendor-supplied defaults for system passwords and other security parameters.
   Question:
   b) Why is this entry not yet in compliance? _______________________________________
3. Click Printable Version.
4. View the PDF report.
5. Close the PDF report and the configuration utility Web browser.
F5 Virtual Environment Hands-On Exercise Guide – Exercise 3 – Tightening a Security Policy
EXERCISE 3 – TIGHTENING A SECURITY POLICY
Your customer would like to use ASM to allow access only to authorized pages, based on the file type. The auction Web site only needs to support access to php and gif files.
This exercise builds on the previous exercise; therefore you must complete the previous exercise prior to starting this exercise.
Estimated completion time: 20 minutes.
TASK 1 – Configure a Security Policy to Learn About File Types
Update the Web application’s security policy to learn about potential illegal file types.
1. Access and log into your BIG-IP system.
2. Access the Application Security > Policy Building > Manual > Traffic Learning page.
   There are no learned entries other than the Data Guard information leakage detected entries.
3. Edit the secure_profile security policy.
4. Select the Blocking > Settings page.
5. In the Access Violations section, in the Illegal file type row, note that the Block check box is currently grayed out.
   Question:
   a) Why can’t you enable the Block option? ________________________________
6. Place the policy in Blocking mode.
7. In the Illegal file type row, select the Learn, Alarm, and Block check boxes.
8. Note that in the Negative Security Violations section, Data Guard: Information leakage detected is already set to both Learn and Alarm.
   Question:
   b) Why were these options already set? __________________________________
9. Click Save.
10. Place the policy back in Transparent mode.
   Notice that the Block option for Illegal file types is once again grayed out; however, the check box remains selected.
11. Click Save.
TASK 2 – Enable Tightening for File Types
Configure ASM to perform tightening for the secure_profile security policy for file types.
1. Access the Application Security > File Types > Allowed File Types page.
2. In the Allowed File Types List section, select the * link.
3. Select the Perform Tightening check box.
4. Click Update.
5. Apply the updated policy.
TASK 3 – Generate Entries for the Security Policy
Access the Web site to generate learning suggestions for the security policy.
1. Open a new Web browser window and access https://10.10.20.110 .
2. View the last five most recent items in the Last created auctions list.
3. Log into the Web site.
4. Sell an item using the following information:
   Item title           Another bad item
   Item description     alert ("Don’t use this site - go to http://mysite.com");
   Auction starts with  $10
   Country              United States of America
   Zip Code             98119
   Payment methods      MasterCard or Visa
   Choose a category    Arts & Antiques
5. Click Submit Query.
6. When prompted, enter your Password, and click Submit Query again.
7. Click on the Home link, and then click the Your control panel link in the Logged in section.
8. Edit the end of the URI to read: ?nick=bobsmith.
9. Edit the end of the URI to read: ?nick=*.
10. Click Logout.
11. In the User login section, in the Username field type: ' or 1=1#
12. Click Go.
13. Click the Your control panel link in the Logged in section.
14. Click Logout.
15. Edit the URL to https://10.10.20.110/comment.txt .
16. Close the Web browser.
TASK 4 – Fine Tune the Security Policy
Select the file types that are allowed for the Web site and accept them into the security policy.
1. Access the Application Security > Policy Building > Manual > Traffic Learning page.
2. Select the Attack signature detected link.
3. Select the Recent Incidents link for the SQL-INJ entry.
   Question:
   a) Which URLs are vulnerable to SQL injection? _______________________________
4. Select the login.php link.
5. Select the HTTP Request tab.
   Question:
   b) Which parameter needs to be protected against SQL injection? ___________________
6. Close the View Full Request Information window.
7. Return to the Manual Traffic Learning page.
8. Select the Illegal file type link.
   Questions:
   c) Why is there an entry for no_ext? ____________________________________
   d) Should we allow or block access to pages without an extension, and why? _________________________________________________________________
9. Select the check boxes for the gif, jpg, no_ext, and php file types, and then click Accept.
   This will allow these file types for this policy.
10. Select the check box for the txt file type, and then click Clear.
11. In the Confirm Delete window, click OK (NOTE: Do not move txt files to ignored entities).
12. Access the Application Security > File Types > Allowed File Types page.
   The security policy has been updated to allow requests for gif, jpg, and php file types, in addition to requests with no extension.
13. In the Allowed File Types List section, select the * check box, and then click Delete.
14. Select the gif, jpg, no_ext, and php check boxes, and then click Enforce.
   This removes these entries from staging.
15. Apply the updated policy.
16. Open a new Web browser window and access https://10.10.20.110 .
17. Select links to navigate through the auction Web site.
18. Edit the URL to https://10.10.20.110/comment.txt .
   Questions:
   e) Were you able to access the comment.txt page? _________________________
   f) Why is ASM still allowing access to txt file types? _________________________________________________________________
19. Close the Web browser.
20. Access the Traffic Learning page.
21. Select the Illegal file type link.
   Traffic learning still suggests the txt file type; however, the other types are no longer considered illegal file types, as they have already been added to the policy.
22. Access the Application Security > Reporting > Requests page.
   Questions:
   g) Are requests for .txt files Legal, Illegal, or Blocked? ____________________
   h) What do you need to configure in ASM to block access to .txt files? _______________________________________________________________
TASK 5 – Modify the Security Policy’s Enforcement Mode
Modify the security policy, currently configured in Transparent mode, to Blocking mode.
1. Edit the secure_profile security policy.
2. Change the Enforcement Mode to Blocking.
3. Click Save, and then apply the updated policy.
4. Open a new Web browser window and access https://10.10.20.110 .
5. Edit the URL to https://10.10.20.110/comment.txt .
6. Close the Web browser.
7. Access the Application Security > Reporting > Requests page.
   Questions:
   a) Were you able to access the comment.txt page? _________________________
   b) Are requests for .txt files Legal, Illegal, or Blocked? ________________________
8. Create an archive file named archive_After_5C.
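The Legal / Illegal / Blocked verdicts you record in Tasks 2 through 5 follow from three policy settings: the wildcard file type with tightening, the list of accepted file types, and the enforcement mode combined with the Block check box. The model below is an added example, not F5 code; FileTypePolicy, classify() and replay_exercise_3() are names invented here to replay this exercise's sequence against the lab URLs.

```python
"""Added example, not F5 code: a model of how an ASM-style allowed-file-types
list classifies requests as Legal, Illegal or Blocked, replaying Exercise 3.
FileTypePolicy, classify() and replay_exercise_3() are invented names."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

LEGAL, ILLEGAL, BLOCKED = "Legal", "Illegal", "Blocked"


@dataclass
class FileTypePolicy:
    allowed: set = field(default_factory=set)   # file types accepted into the policy
    wildcard: bool = True             # the "*" entry Rapid Deployment creates
    perform_tightening: bool = True   # Task 2: learn from requests matching "*"
    enforcement_mode: str = "transparent"   # "transparent" or "blocking"
    block_illegal_file_type: bool = False   # Block check box, Blocking > Settings
    learned: set = field(default_factory=set)  # Traffic Learning suggestions

    @staticmethod
    def file_type_of(uri: str) -> str:
        """Extension of the request path; no extension is the pseudo type no_ext."""
        name = urlsplit(uri).path.rsplit("/", 1)[-1]
        return name.rsplit(".", 1)[1].lower() if "." in name else "no_ext"

    def classify(self, uri: str) -> str:
        ext = self.file_type_of(uri)
        if ext in self.allowed:
            return LEGAL
        if self.wildcard:
            # "*" still allows the request; tightening only records a suggestion.
            if self.perform_tightening:
                self.learned.add(ext)
            return LEGAL
        # No matching file type: Illegal file type violation. It becomes Blocked
        # only in Blocking mode *and* when the violation's Block box is set.
        self.learned.add(ext)
        if self.enforcement_mode == "blocking" and self.block_illegal_file_type:
            return BLOCKED
        return ILLEGAL


def replay_exercise_3():
    """Walk the policy through Tasks 2-5 and record the verdict for comment.txt."""
    # Task 1 set Learn/Alarm/Block for Illegal file type; Task 2 enabled tightening.
    policy = FileTypePolicy(block_illegal_file_type=True)
    txt = "https://10.10.20.110/comment.txt"
    results = {}

    # Task 3: the browsing session only generates learning suggestions.
    for uri in ("https://10.10.20.110/", "https://10.10.20.110/index.php",
                "https://10.10.20.110/images/logo.gif", txt):
        policy.classify(uri)
    results["after_task3"] = (policy.classify(txt), sorted(policy.learned))

    # Task 4: accept gif/jpg/no_ext/php, clear the txt suggestion, delete "*".
    policy.allowed |= {"gif", "jpg", "no_ext", "php"}
    policy.learned.discard("txt")
    policy.wildcard = False
    results["after_task4"] = policy.classify(txt)      # Illegal: still Transparent
    results["txt_suggested_again"] = "txt" in policy.learned

    # Task 5: switch the enforcement mode to Blocking.
    policy.enforcement_mode = "blocking"
    results["after_task5"] = policy.classify(txt)      # Blocked
    results["php_still_legal"] = policy.classify("https://10.10.20.110/login.php")
    return results
```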
TASK 6 – If Time Permits
If you have extra time, edit the security policy so that the error message displayed when accessing .txt file types reads “For security purposes, you are not allowed to access .txt file types on this Web site. Your support ID is: (the support ID variable)”.
F5 Virtual Environment Hands-On Exercise Guide – Exercise 4 – Using Automatic Policy Building
EXERCISE 4 – USING AUTOMATIC POLICY BUILDING
You would like to experiment with methods to save your customer time when building a security policy for the auction Web site.
This exercise builds on the previous exercise; therefore you must complete the previous exercise prior to starting this exercise.
Estimated completion time: 20 minutes.
TASK 1 – Create a New Security Policy Using Automatic Policy Building
You will create a new security policy for the Web application using Automatic Policy Building.
1. Access and log into your BIG-IP system.
2. Create a new HTTP Class profile named policy_builder_profile with Application Security Enabled.
3. Associate the new HTTP Class profile with the auction_vs virtual server. Ensure that policy_builder_profile is above secure_profile.
4. Access the Active Policies page.
5. For the policy_builder_profile policy, select Configure Security Policy.
   NOTE: If you get an error message that the Deployment Wizard is already running, click Cancel, then select the policy_builder_profile [v1], then click Reconfigure, then click Run Deployment Wizard.
6. Leave the Create a policy automatically (recommended) option selected, and then click Next.
7. From the Security Policy Language list box, select Unicode (utf-8), and then click Next.
8. On the Configure Attack Signatures page, move the following from the Available Systems list box to the Assigned Systems list box:
   o Operating Systems > Unix/Linux
   o Web Servers > Apache and Apache Tomcat
   o Languages, Frameworks and Applications > PHP
   o Database Servers > MySQL
9. Click Next.
10. From the Policy Type list, select Comprehensive.
11. Slide the Policy Builder learning speed control to Fast.
   Note that this changes the chance of adding false positives to the policy to High.
12. From the Trusted IP Addresses list, select Address List.
13. In the IP Address box, enter 10.10.20.1.
14. In the Netmask box, enter 255.255.255.255, and then click Add.
15. Click Next.
16. Click Finish.
   The Policy Building: Automatic: Status page displays.
17. Apply the new policy.
   This places the policy in blocking mode.
TASK 2 – Create Learning Suggestions for Automatic Policy Building
Generate learning suggestions for automatic policy building for the Web application.
1. Open a new Web browser window and access https://10.10.20.110 .
2. View the last six most recent items in the Last created auctions list.
3. In the User login section, log in using the username and password you created in Exercise 5A, task 2, step 3.
4. Click the Your control panel link in the Logged in section.
5. Edit the end of the URI to read: ?nick=bobsmith.
6. Edit the end of the URI to read: ?nick=*.
7. Click Logout.
8. In the User login section, in the Username field type: ' or 1=1#
9. Click Go.
10. Edit the URL to https://10.10.20.110/comment.txt .
11. Close the Web browser.
   Questions:
   a) Why are you now able to access txt file types? _____________________________________________________________
   b) Is Data Guard currently enabled? _________________
   The policy builder begins to analyze the traffic. After several seconds, the policy builder begins learning file types, URLs, parameters, and cookies.
12. In the Detail section, select File Types > Staging.
13. For the gif, jpg, no_ext, and php entries, click the corresponding Enforce button.
14. Select Parameters > Staging.
   Multiple parameters are currently in staging.
15. Access the Application Security > Policy Building > Automatic > Log page.
   The log includes an entry for each event or action that the Policy Builder makes to the policy.
16. Access the Application Security > Policy Building > Automatic > Configuration page.
17. Disable the Real Traffic Policy Builder.
18. Click Save, and then apply the updated policy.
TASK 3 – View and Update the Security Policy
Reset the Web application by selecting the security policy that you created in the previous labs.
1. View the Allowed File Types page, and then delete the wildcard entry.
   Questions:
   a) Is there another entry that should be deleted? _______________________
   b) Why was the txt file type added to the policy? __________________________
2. Delete the txt file type entry.
   NOTE: If there are any other entries on this page, delete them as well.
3. View the Parameters List page, and then delete the wildcard entry.
4. Select the check boxes for the nick and username entries, and then click the Enforce button.
5. Select the nick parameter entry.
6. From the Parameter Value Type list box, select Dynamic content value, and then click Update.
7. In the Message from webpage dialog box, click OK.
8. Select the File Types check box, then select php from the list box, and then click Add.
9. Select the URLs check box, then select HTTP from the list box, then enter index.php in the text field, and then click Add.
10. Click Create, and then click Update.
11. Select the Application Security > Attack Signatures > Attack Signatures Configuration page.
12. Disable Signature Staging.
13. Click Save, and then apply the updated policy.
TASK 4 – Test the Updated Policy
Access the Auction Web site and make attempts that violate the policy.
1. Open a new Web browser window and access https://10.10.20.110 .
2. In the User login section, log in using the username and password you created in Exercise 5A, task 2, step 3.
3. Click the Your control panel link in the Logged in section.
4. Edit the end of the URI to read: ?nick=bobsmith.
5. Click the Back button.
6. Select the Sell an item link.
7. Sell an item using the following information:
   Item title           Not this item
   Item description     alert ("Don’t use this site - go to http://mysite.com");
   Auction starts with  $10
   Country              United States of America
   Zip Code             98119
   Payment methods      MasterCard or Visa
8. Click Submit Query.
9. Click the Back button.
10. Click Logout.
11. In the User login section, in the Username field type: ' or 1=1#
12. Click Go.
13. Edit the URL to https://10.10.20.110/comment.txt .
14. Close the Web browser.
   Questions:
   a) Is the Web site protected against unacceptable file types (.txt files)? ______________
   b) Is the Web site protected against data leakage? _______________
   c) Is the Web site protected against cross-site scripting? _______________
   d) Is the Web site protected against SQL injection? _________________
   e) Is the Web site protected against parameter tampering? ________________
15. Access the Application Security > Data Guard page.
   NOTE: Ensure the current edited policy is policy_builder_profile.
16. Enable Data Guard for credit card numbers and social security numbers, and ensure that you mask data being sent back to users.
17. Click Save, and then apply the updated policy.
18. Open a new Web browser window and access https://10.10.20.110 .
19. In the User login section, log in using the username and password you created in Exercise 5A, task 2, step 3.
20. Click the Your control panel link in the Logged in section.
   Questions:
   f) What response did you receive? _______________________________________
   g) Why did you receive this response? ______________________________________
21. Close the Web browser.
22. Adjust the blocking settings so that data is indeed scrubbed, but that the page itself isn’t blocked.
23. Apply the policy and test again.
24. Once the page displays with credit cards and social security numbers being scrubbed, create an archive file named archive_After_5D.
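Data Guard appears twice in this guide: in Exercise 2, Task 2 it only reports "Information leakage detected" for the control-panel and buy pages, and in Exercise 4, Task 4 it is configured to mask the credit card and social security numbers in the response. The filter below is an added example, not F5 code, that models both modes on a constructed sample of the control-panel page; the regexes, the Luhn check and the keep-last-four masking format are assumptions of this example.

```python
"""Added example (not F5 code): a Data Guard-style response filter. It models the
detection from Exercise 2 Task 2 (mask_data=False: log "Information leakage
detected" but deliver the page unchanged) and the masking from Exercise 4 Task 4
(mask_data=True). The regexes, Luhn check and keep-last-4 masking are this
example's own assumptions about how such a filter can be built."""
import re

# Card candidates: 13-16 digits, optionally separated by single spaces or dashes.
CC_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
# US social security number in 3-2-4 form, as entered in the Address field.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed sample of the control-panel page; not a capture from the lab.
SAMPLE_RESPONSE = (
    "<td>Address</td><td>123-45-6789</td>"
    "<td>Credit card</td><td>4111111111111111</td>"
    "<td>Zip</td><td>98119</td>"
)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum so that arbitrary 16-digit values are not flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str, keep_last: int = 4) -> str:
    """Replace all but the last keep_last digits with '*', preserving separators."""
    n_digits = sum(c.isdigit() for c in value)
    out, seen = [], 0
    for c in value:
        if c.isdigit():
            seen += 1
            out.append(c if seen > n_digits - keep_last else "*")
        else:
            out.append(c)
    return "".join(out)


def scrub_response(body: str, mask_data: bool = True):
    """Return (body_to_send, violations); violations is a list of (kind, value)."""
    violations = []

    def on_ssn(m):
        violations.append(("ssn", m.group(0)))
        return mask(m.group(0)) if mask_data else m.group(0)

    def on_card(m):
        raw = m.group(0)
        if not luhn_ok(re.sub(r"\D", "", raw)):
            return raw                       # not a card number, leave it alone
        violations.append(("credit_card", raw))
        return mask(raw) if mask_data else raw

    # SSNs first so their digits cannot be re-read as part of a card candidate.
    body = SSN_RE.sub(on_ssn, body)
    body = CC_RE.sub(on_card, body)
    return body, violations
```

With mask_data=False the page reaches the user intact and only the violation list changes, which is the behaviour behind questions f) and g) in Exercise 2; with mask_data=True the same page is delivered with the values scrubbed, which is the end state of step 24 above.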
F5 Virtual Environment Hands-On Exercise Guide – Exercise 5 – Protecting Against Web Scraping
EXERCISE 5 – PROTECTING AGAINST WEB SCRAPING
Your customer is concerned about malicious Web scraping attacks and would like to configure the policy on ASM to prevent potential attacks.
This exercise builds on the previous exercise; therefore you must complete the previous exercise prior to starting this exercise.
Estimated completion time: 15 minutes
TASK 1 – Use iMacros to Record and Play a Lengthy Visit to the Auction Web Site
Use iMacros for Firefox to record and play back a series of requests to the auction Web site.
1. Open Mozilla Firefox and access https://10.10.20.110 .
2. In the iMacros pane, select the Rec tab, and then click Record.
3. Select links to navigate through the auction Web site (be sure to record a lengthy visit to the Web site, at least 20 clicks; however, don’t log in or purchase an item).
4. Click Stop.
5. Save the iMacro as webscraping_example.
6. In the iMacros pane, select the Play tab.
7. Select webscraping_example.iim.
8. In the Max box, type 10, and then click Play (Loop).
   Question:
   a) Is ASM protecting against potential Web scraping attacks? ________________
TASK 2 – Configure Web Scraping Detection and Protection
Configure ASM to detect and protect against potential Web scraping attacks, and then update the policy to learn and alarm about possible Web scraping attacks.
1. Access and log into your BIG-IP system.
2. Access the Application Security > Anomaly Detection > Web Scraping page.
3. Ensure that the Current edited policy is policy_builder_profile.
4. Select the Enable Web Scraping Detection check box.
5. Edit the Web Scraping Detection Configuration settings as follows:
   Grace Interval    5 requests
   Unsafe Interval   10 requests
   Safe Interval     20 requests
6. Click Save.
7. Verify that the blocking settings for the policy_builder_profile policy for Web scraping detected include Learn and Alarm.
8. Click Save, and then apply the updated policy.
9. Use Firefox to play the webscraping_example.iim macro 10 times.
10. In the BIG-IP configuration utility, access the Traffic Learning page.
11. Select the Web scraping detected link.
   Note that all occurrences came from your client IP address.
   Questions:
   a) How many total entries were reported to ASM? ________________
   b) Why didn’t ASM block this user after detecting Web scraping? _________________________________________________________________
12. Select the Reporting > Requests page.
   Question:
   c) Are recent requests for pages Legal, Illegal, or Blocked? _____________________
TASK 3 – Update the Policy to Block Web Scraping
Update the policy to block detected Web scraping attacks.
1. Edit the policy_builder_profile blocking settings to block detected Web scraping.
2. Click Save, and then apply the updated policy.
3. Use Firefox to play the webscraping_example macro 10 times.
   Question:
   a) Was the Web scraping attack successful? ________________
4. Close Firefox.
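The difference between Task 2 (Learn and Alarm only) and Task 3 (Block) comes down to how the Grace, Unsafe and Safe intervals from Task 2 step 5 drive a per-client state machine. The model below is an added example, not F5's documented algorithm: it assumes that a client which never completes a browser JavaScript challenge during the grace interval is treated as a bot for the unsafe interval, and that one which does is left alone for the safe interval; ScrapingDetector, replay_macro() and the client IP 192.0.2.10 are constructed for the example.

```python
"""Added example (not F5 code): a simplified model of the Web Scraping Detection
settings from Task 2 (Grace Interval 5, Unsafe Interval 10, Safe Interval 20)
and of the Learn/Alarm versus Block settings from Tasks 2 and 3.

Assumptions of this example, not F5's documented algorithm: during the grace
interval the client is expected to complete a browser JavaScript challenge; a
client that exhausts the grace interval without doing so is treated as a bot
for the unsafe interval, and one that passes is left alone for the safe
interval. ScrapingDetector and the IP 192.0.2.10 are invented here."""
from dataclasses import dataclass, field

GRACE, UNSAFE, SAFE = "grace", "unsafe", "safe"


@dataclass
class ClientState:
    phase: str
    remaining: int          # requests left in the current phase


@dataclass
class ScrapingDetector:
    grace_interval: int = 5
    unsafe_interval: int = 10
    safe_interval: int = 20
    block: bool = False     # Task 2: Learn+Alarm only. Task 3: Block as well.
    clients: dict = field(default_factory=dict)
    log: list = field(default_factory=list)   # (client_ip, verdict)

    def _state(self, ip: str) -> ClientState:
        if ip not in self.clients:
            self.clients[ip] = ClientState(GRACE, self.grace_interval)
        return self.clients[ip]

    def request(self, ip: str, completed_js_challenge: bool) -> str:
        """Return 'Legal', 'Illegal' (alarmed only) or 'Blocked' for one request."""
        st = self._state(ip)
        if st.phase == GRACE:
            verdict = "Legal"
            if completed_js_challenge:
                st.phase, st.remaining = SAFE, self.safe_interval
            else:
                st.remaining -= 1
                if st.remaining == 0:        # never answered: treat as a bot
                    st.phase, st.remaining = UNSAFE, self.unsafe_interval
        elif st.phase == UNSAFE:
            # Every request in the unsafe interval is a "Web scraping detected"
            # violation; without the Block setting it is only logged.
            verdict = "Blocked" if self.block else "Illegal"
            st.remaining -= 1
            if st.remaining == 0:            # re-evaluate the client afterwards
                st.phase, st.remaining = GRACE, self.grace_interval
        else:                                # SAFE
            verdict = "Legal"
            st.remaining -= 1
            if st.remaining == 0:
                st.phase, st.remaining = GRACE, self.grace_interval
        self.log.append((ip, verdict))
        return verdict

    def counts(self, ip: str) -> dict:
        verdicts = [v for i, v in self.log if i == ip]
        return {k: verdicts.count(k) for k in ("Legal", "Illegal", "Blocked")}


def replay_macro(detector: ScrapingDetector, ip: str = "192.0.2.10",
                 clicks: int = 20, loops: int = 10) -> dict:
    """Replay a 20-click iMacros recording 10 times; a macro never runs the JS challenge."""
    for _ in range(clicks * loops):
        detector.request(ip, completed_js_challenge=False)
    return detector.counts(ip)
```

Under these assumptions the 200 replayed requests cycle through 5 grace and 10 unsafe requests, so 130 of them are reported as Web scraping detected, all from one client IP, and whether the report says Illegal or Blocked depends only on the Block setting changed in Task 3.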
TASK 4 – Resetting the BIG-IP
Reset the BIG-IP system by restoring your archive file.
1. Create an archive file named archive_After_5E.
2. Once the archive is complete, restore using the archive_After_1D archive file.