
F5 Customer Demo

ASM – Stabilizing Security Policies


Document version 13.0.A
Written for: TMOS® Architecture v13.0
Virtual images:
BIGIP_ASM_v13.0
LAMP_6
Windows_7_External_v8

The purpose of this demo is to show how to stabilize a security policy with BIG-IP ASM. The stabilization process
encompasses both the learning and staging process. While entities (such as file types, URLs, and parameters) are
still in staging (not enforced), the security policy is not yet stabilized. You’ll first show an existing security policy
that includes a file type list, URL list, and parameter list. All entities are still in staging. You’ll then simulate a
large amount of user requests to the application, and then show how ASM automatically configures entity
attributes and entity enforcement. You’ll continue this process until the security policy is stabilized, meaning
that all entities are out of staging and enforced. You’ll then test the security policy by attempting malicious
requests that violate the file type and parameter lists, as well as file type and parameter attributes.

NOTE: The F5 vLab (virtual lab environment) is an F5-community supported tool.
Please DO NOT contact F5 Support for assistance with the vLab. For help with the setup of the vLab
or running a demonstration, you should contact your F5 Channel Account Manager (CAM).

F5 Worldwide Field Enablement Last Updated: 3/20/2018


Learn More, Sell More, Sell Faster

Contact Chris Manly (c.manly@f5.com) with any questions or feedback for this demo.
©2017 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in
certain other countries. Other F5 trademarks are identified at f5.com.

Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or
affiliation, express or implied, claimed by F5.

These training materials and documentation are F5 Confidential Information and are subject to the F5 Networks Reseller Agreement. You
may not share these training materials and documentation with any third party without the express written permission of F5.

Part 2 – Delivering the Demo to a Customer


This demo does not include a “Part 1” setup; you can begin with the clean_install_BIGIP_ASM_v13.0.ucs
archive file.

• Required virtual images: BIGIP_ASM_v13.0, LAMP_6, Windows_7_External
• Required archive file: clean_install_BIGIP_ASM_v13.0.ucs
• Estimated completion time: before the demo, 10 minutes; performing the demo, 15 to 20 minutes

Note from Chris Manly: I have found that this demo works as written about 90% of the time. Occasionally, the
file types, URLs, and parameters do not come out of staging as expected. I have tested this several times and
cannot identify a reason why it doesn’t always work properly. Just be prepared that if you find (during demo
task 2) that the file types aren’t automatically becoming enforced, you may need to delete the security policy
and recreate it (perform all the steps in the second BEFORE THE DEMO section). Please reach out to me with any
questions or feedback of your own. Thanks!

→NOTE: This demo uses a macro that is already created on the Windows_7_External_v8 image.
You should download that image before running this demo.

BEFORE THE DEMO 1 – Restore the BIG-IP Configuration


Restore the clean install archive file.

• In VMware, start up the BIGIP_ASM_v13.0, LAMP_6, and Windows_7_External images.
• On the Windows_7_External desktop, use PuTTY to access and log into 10.1.1.245.
• At the CLI type:
tmsh
load sys ucs clean_install_BIGIP_ASM_v13.0.ucs no-license
y

→NOTE: If you use the Configuration Utility to restore the archive file it may damage an updated license.

If you do not have the BIGIP_ASM_v13.0 image or the clean_install_BIGIP_ASM_v13.0.ucs archive file,
complete the vLab Setup – ASM Demos and Exercises.

• On the Windows_7_External desktop, use a web browser to access and log in to https://10.1.1.245.

WWFE vLab Guides – Demo: ASM – Stabilizing Security Policies; v13.0.A Page | 3

BEFORE THE DEMO 2 – Create and Configure a Security Policy


Create a security policy for dvwa_virtual.

• Open the Application Security > Security Policies > Policies List page, and then click Create New Policy.
• Select the Advanced options.
• Use the following information for the new policy, and then click Create Policy.
Policy Name: stabilize_security_policy
Policy Template: Comprehensive
Virtual Server: dvwa_virtual
Application Language: Unicode (utf-8)
Trusted IP Addresses: 10.1.10.0 / 255.255.255.0 (Click Add)

• Once the policy is created, open the Application Security > Policy Building >
Learning and Blocking Settings page.
• From the list on the right side of the page select Advanced.
• Expand File Types, and then from the Learn New File Types list select Always.
• Expand URLs, and then from the Learn New HTTP URLs list select Always.
• Expand Parameters, and then from the Learn New Parameters list select Always.
• For Parameter Level select the URL option, and then select the Learn Integer Parameters checkbox.
• At the bottom of the page from the list select Advanced.

• In the Loosen Policy section update the values as follows:

• In the Tighten Policy (stabilize) section update the values as follows:

• In the Minimize false positives (Track Site Changes) section update the values as follows:

• Click Save, then click Apply Policy, and then click OK.
• Use Firefox to open a New private window.
• Click the iMacros button, and in the iMacros pane select stabilize policy.iim, and then click Play (Loop).
• Once the macro has completed, close Firefox.

• In the Configuration Utility, verify the following:
o On the Application Security > File Types > Allowed File Types page, there should be 10 file types
plus the wildcard (*), and they should all be in staging.
o On the Application Security > Parameters > Parameters List page, there should be between 21 and
23 parameters with the Parameter Value Type of Ignore value, plus the wildcard (*), and they
should all be in staging.
• If you don’t have between 21 and 23 parameters, use Firefox to open a New private window, and in the
iMacros pane select stabilize policy.iim and click Play (Loop), and then close Firefox.
• Click Apply Policy and then OK.


Demo Task 1 – Examine the Existing Security Policy


Examine the settings of stabilize_security_policy.

• In the Configuration Utility, open the Virtual Server List page and click dvwa_virtual.
This is a standard HTTP virtual server that listens on 10.1.10.35. Note that this virtual server contains
the default http profile. An HTTP profile is required to protect against application layer attacks.
• Open the virtual server Security > Policies page.
This web application is already configured with an ASM security policy named
stabilize_security_policy. I created this security policy before beginning the demo.
• Open the Application Security > File Types > Allowed File Types page.
The security policy is configured with the 10 file types needed for this web application (plus the
wildcard entry). Notice that each file type has four length limit values. In addition, all the file types are
in staging. While in staging, the length limit values for each file type are not enforced.
• Open the Application Security > URLs > Allowed URLs page.
The security policy is also configured with every URL needed for this web application. All URLs are also
in staging.
• Open the Application Security > Parameters > Parameters List page.
There are between 21 and 23 parameters used in this web application (plus the wildcard entry).
All parameters have a Parameter Value Type of Ignore value. This means that ASM won’t check the
values submitted into the web page form fields.

The ASM security policy has been created with all required file types, URLs, and parameters, but these
entities aren’t yet enforced. ASM needs more requests to complete the security policy, also known as
stabilizing the security policy.

Demo Task 2 – Use Learning Suggestions to Stabilize the Security Policy


Use a Firefox macro to simulate several requests over a period of time.

• Use Firefox to open a New private window.
• In the iMacros panel, select stabilize policy.iim, and then click Play (Loop).
This macro simulates several requests by a user, using different URLs and parameters.
• Once the macro has completed, close Firefox.
• In the Configuration Utility, open the Allowed File Types page.
Notice that some file types have now been enforced, while the rest are still waiting for more traffic samples.

→NOTE: If no file types have changed, use Firefox to open a New private window and run the
stabilize policy.iim macro again.

• Open the Allowed URLs page.
Although no (or just a couple of) URLs are enforced, several have learning suggestions available.

• Open the Parameters List page.
Many of the parameters now have a Parameter Value Type of User-input value, and some of the
parameters are now enforced.

While the different file types, URLs, and parameters are still in staging, the security policy is not yet
stabilized.
• IF the name parameter has a Parameter Value Type of User-input value, click the name parameter. If
this parameter is still set to Ignore value, use Firefox to open a New private window and run the
stabilize policy.iim macro again, and then click the name parameter again.
Notice that the name parameter’s Data Type has been changed to Alpha-Numeric. Also notice that
the Maximum Length is set to 10. This isn’t long enough for this parameter, so we’ll wait for more
traffic samples.
• Open the Value Meta Characters tab.
By default, only certain keyboard characters are allowed in user-input value parameters. Any other
keyboard characters that users are expected to enter into this parameter must be learned and added.
Currently there are no additional value meta characters for this parameter, so we’ll wait for more
traffic samples.
• Use Firefox to open a New private window (this ensures the requests come from a new session),
then in the iMacros pane select stabilize policy.iim, and then click Play (Loop). Once the macro has
completed, close Firefox.
• Wait at least 20 seconds, then use Firefox to open a New private window and in the iMacros pane
select stabilize policy.iim and click Play (Loop). Once the macro has completed, close Firefox.

→NOTE: You need to wait around 20 seconds because of the values on the Learning and Blocking
Settings page. We set the values to .0001 days, which is roughly 9 seconds. That means
that ASM only uses requests for policy building that come from different sessions
outside of the specified time value.

• Use a Chrome New incognito window, click the DVWA favorite, and then log in
as manly / P@ssw0rd!
• On the home page, click the link for the PDF file, and then close the page.
• In the Configuration Utility, open the Allowed File Types page.
All (or nearly all) the file types are no longer in staging, which means they are enforced. The allowed
file types list is now stabilized. Any user requests that are above the configured length values will be
considered illegal.
• Open the Allowed URLs page.
Nearly all the URLs are now enforced.
• Open the Parameters List page.
Several more parameters have a Parameter Value Type of User-input value, and several more of the
parameters are now enforced. The parameters list isn’t yet stabilized while parameters are still in
staging.
• Use Firefox to open a New private window and in the iMacros pane select stabilize policy.iim and click
Play (Loop). Once the macro has completed, close Firefox.
• Wait at least 20 seconds, then use Firefox to open a New private window and in the iMacros pane select
stabilize policy.iim and click Play (Loop). Once the macro has completed, close Firefox.

• In the Configuration Utility, reload the Parameters List page.
Other than the page parameter, all parameters are now set to User-input value and are
enforced. The list of parameters is now stabilized.
• Click the name parameter.
Notice that the name parameter is enforced (no longer in staging), and now has a Maximum Length
value of 500, which is a sufficient length for this parameter.
• Open the Value Meta Characters tab.
The question mark (?) and colon (:) characters have been added as allowed characters for this
parameter. This was based on the values that were submitted by the macro.
• Scroll down to view the characters in the Global Security Policy Settings list.
Notice that several characters are not allowed in the parameter, including “, $, %, &, and ‘.
• Use an InPrivate Browsing (IE) window and click the DVWA favorite, and then log in
as manly / P@ssw0rd!
• Click XSS reflected.
The field on this page is the name parameter.
• Copy and paste the following into the field, and then click Submit.
Yamaha's GHS (“Graded Hammer Standard”) 100% weighted action has heavier touch in the low end &
lighter touch in the high end, just like the hammers inside an acoustic piano. Great for the aspiring
pianist, practicing on the GHS action builds the proper finger technique for when the time comes to
perform on an acoustic piano. AWM (Advanced Wave Memory) sampling uses digital technology to record
the sound of an acoustic piano. AWM Stereo Sampling creates a deeper, richer and more spacious sound
by using pairs of waveforms (L and R) captured with two microphones. The P71 uses AWM to play one
sample per key at varying levels of volume and timbre. Currently this product retails for $399.99.

This request is longer than 500 characters, and it contains several meta characters that haven’t
been added to the allowed characters list.

→NOTE: The request may or may not be blocked.

IF THE REQUEST IS BLOCKED: The request is blocked because it violates the current attributes of the
name parameter.
IF THE REQUEST IS NOT BLOCKED: This request, with a longer length and new meta characters, will
enable ASM to re-define the name parameter.
• Close the page.
• In the Configuration Utility, open the Parameters List page.
Notice that the name parameter is once again in staging and not being enforced. This is because ASM
has identified new attributes for this parameter and put it back into staging. While the parameter is in
staging, ASM will allow requests that violate its current attributes.
• Use an InPrivate Browsing (IE) window and click the DVWA favorite, then log in
as gordonb / abc123, then click XSS reflected, then paste the value from above in the field, and then
click Submit, and then close the page.

• In the Configuration Utility, reload the Parameters List page.
Notice the name parameter is once again out of staging and enforced.

→NOTE: If the name parameter isn’t yet enforced, wait a few seconds, and then repeat the
process above of using an InPrivate Browsing (IE) window and pasting the long entry
into the field, and then reloading the Parameters List.

• Click the name parameter.
Notice that the name parameter now has a Maximum Length value of 1000.
• Open the Value Meta Characters tab.
Several additional meta characters have been added as allowed characters for this parameter.
• Return to the Parameters List page and click one of the id parameters.
Notice the Data Type for this field was set to Integer with a Maximum Value of 10. During the staging
process the policy builder determined that users were only submitting numbers into this parameter.
• Open the Learning and Blocking Settings page.
• From the Learning Mode list select Disabled and then OK, then click Save, and then click Apply Policy
and then OK.
Now that the security policy is stabilized, we can disable any new policy learning.

IF TIME PERMITS – Demo Task 3 – Test the Security Policy


Test the security policy by attempting several malicious requests against the web server and identifying the
results.

• Use an InPrivate Browsing (IE) window and click the DVWA favorite, and then log in
as hacker / hackyou.
• Change the URL to http://10.1.10.35/php.ini.
We are attempting to access a file type that isn’t on the allowed file types list. This is known as
forceful browsing, and the malicious request is blocked by ASM.
• Click the DVWA bookmark, then click SQL Injection, then type 6 into the field, and then click Submit.
• Change the URL to http://10.1.10.35/vulnerabilities/sqli?id=6&Submit=Submit&hack=you.
The attempt at adding a parameter that isn’t on the allowed parameters list is blocked by ASM.
• Click the DVWA bookmark, then click SQL Injection, then type test into the field, and then click Submit.
This entry violates the data type for this parameter, which is set to Integer.

• Click the DVWA bookmark, then click XSS reflected, then copy and paste the following into the field,
then click Submit, and then close the page.
The [2nd generation] Echo has a 2.5” downward-firing woofer and 0.6” tweeter powered by
Dolby to deliver crisp vocals and dynamic bass throughout the room. You can play music
from Amazon Music, Spotify, Pandora, iHeartRadio, TuneIn, and more. With Amazon Music,
you can search by lyrics, time-period, or let Alexa pick the music for you. Set a music
alarm to wake up to your favorite song or playlist. You can also listen to audiobooks
from Audible, podcasts, radio stations, news briefs, and more. Want to play music on an
Echo in another room? Now with multi-room music, you can tell Alexa to play across your
compatible Echo devices. Tell Alexa to play jazz in the kitchen, top pop in the family
room, or play the same song throughout your whole home. Use Echo to switch on the lamp
before getting out of bed, turn on the coffee maker on your way to the kitchen, or dim
the lights from the couch to watch a movie—all without lifting a finger. Ask Alexa to
turn on the TV or turn up the volume.

This entry violates the maximum length for both the parameter and the query string. It also contains
illegal meta characters.
• In the Configuration Utility, open the Application Security > Event Logs > Application > Requests page.
• Select the /php.ini log entry.
This request was blocked for requesting an illegal file type.
• Select the /vulnerabilities/sqli/ log entry above the /php.ini log entry.
This request was blocked because it included an illegal parameter. You can see the illegal parameter
highlighted in the Request section.
• Select the next /vulnerabilities/sqli/ log entry (higher in the list).
This request was blocked because it violated the parameter value type.
• Click Illegal parameter value type.
The id parameter expected an Integer data type, and the request was for test.
• Select the /vulnerabilities/xss_r/ log entry above the /vulnerabilities/sqli/ log entry.
This request was blocked because it violated the query string length and included illegal meta
characters.
• Click Illegal parameter value length.
The parameter that was violated was name; this parameter expects a maximum length of 1000, and
this request was for 1002 characters.
• Click Illegal meta character in value.
The parameter that was violated was name, and the meta characters that violated the parameter
were [ and ].
• Click Illegal query string length.
The file type that was violated was no_ext; this file type expects a maximum query string length
of 1000, and this request was for 1007 bytes.
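The staging, tightening and re-staging behaviour walked through in Demo Task 2, and the violations reported in Demo Task 3, modelled as an added Python example (not F5 code and not ASM's actual algorithm): a parameter entity learns its Data Type, Maximum Length and Value Meta Characters from sample values, leaves staging only after enough distinct sessions confirm them, drops back into staging when a new sample widens them, and once enforced reports the same violation names the demo shows in the event log. The session threshold, length buckets, default meta-character set and sample values are constructed stand-ins for the Learning and Blocking Settings used in the demo.

```python
from dataclasses import dataclass, field
# Constructed stand-ins for the Learning and Blocking Settings; real ASM thresholds,
# time windows and length buckets are not modelled here.
DEFAULT_META = set("-_.@ ")              # meta characters allowed by default
SESSIONS_TO_ENFORCE = 2                  # distinct sessions needed to leave staging
LENGTH_BUCKETS = (10, 500, 1000, 10000)  # a learned Maximum Length is rounded up

@dataclass
class Param:
    data_type: str = "ignore"   # Ignore value until learned as "integer" or "alnum"
    max_len: int = 0
    extra_meta: set = field(default_factory=set)
    staging: bool = True
    sessions: set = field(default_factory=set)

    def _new_meta(self, value):
        return {c for c in value if not c.isalnum()} - DEFAULT_META - self.extra_meta

    def learn(self, value, session):
        """Loosen: widen attributes to fit a sample (re-staging the entity);
        Tighten: leave staging once enough distinct sessions agree."""
        want = "integer" if value.isdigit() else "alnum"
        widened = self.data_type == "ignore" or (self.data_type, want) == ("integer", "alnum")
        if widened:
            self.data_type = want
        if len(value) > self.max_len:
            self.max_len = next((b for b in LENGTH_BUCKETS if b >= len(value)), len(value))
            widened = True
        if meta := self._new_meta(value):
            self.extra_meta |= meta
            widened = True
        if widened:                 # new attributes: confirmations start over
            self.sessions = set()
        self.sessions.add(session)
        self.staging = len(self.sessions) < SESSIONS_TO_ENFORCE

    def violations(self, value):
        """Enforcement: an entity in staging (or on Ignore value) blocks nothing."""
        if self.staging or self.data_type == "ignore":
            return []
        checks = [(self.data_type == "integer" and not value.isdigit(), "Illegal parameter value type"),
                  (len(value) > self.max_len, "Illegal parameter value length"),
                  (bool(self._new_meta(value)), "Illegal meta character in value")]
        return [msg for hit, msg in checks if hit]

def check_query(policy, query):
    """Unknown parameter names first, then each known parameter's attributes."""
    return [v for key, value in query.items() for v in
            (["Illegal parameter"] if key not in policy else policy[key].violations(value))]

def run_demo():
    """Replay the Demo Task 2 lifecycle of name and id, then the Demo Task 3 checks."""
    policy = {"name": Param(), "id": Param()}; name, trace = policy["name"], {}
    name.learn("manly", "s1"); name.learn("gordonb", "s2")            # macro traffic
    trace["after_macro"] = (name.data_type, name.max_len, name.staging)
    long_value = "Echo: 2.5? woofer " * 40                             # 720 chars, new meta
    name.learn(long_value, "s3")                                       # widened -> staging
    trace["while_staged"] = (name.staging, check_query(policy, {"name": "[x]" * 400}))
    name.learn(long_value, "s4")                                       # 2nd session confirms
    trace["final"] = (name.max_len, sorted(name.extra_meta), name.staging)
    policy["id"].learn("6", "s1"); policy["id"].learn("6", "s2")       # id learned as Integer
    trace["task3"] = [check_query(policy, q) for q in
                      ({"id": "6", "hack": "you"}, {"id": "test"}, {"name": "[x]" * 400})]
    return trace
```

The trace shows name moving Ignore value → Alpha-Numeric/10 → re-staged on the long value → enforced at 1000 with ? and : allowed, while the oversized bracketed value is waved through during staging and blocked afterwards.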

That concludes this demonstration on stabilizing a security policy with BIG-IP ASM.
