Passo 3 - F5 Virtual Environment Hands-On Exercise Guide - ASM (LatAm)

F5 Virtual Environment
Hands-On Exercise Guide

ASM Exercises
F5 Virtual Environment Hands-On Exercise Guide Exercise 1 Enable ASM Protection
ASM HANDS-ON EXERCISES

EXERCISE 1 ENABLE ASM PROTECTION
Your customer is running a vulnerable Web site and would like to use F5s Application Security Manager to
protect the Web site from malicious attacks.
Estimated completion time: 20 minutes
TASK 1 Create a Pool and a Virtual Server

Use the configuration utility to create both a pool to support the customers action Web site, and then create a
new virtual server that uses the new pool.
1. In VMware Workstation, power on the phpauction image.
2. Connect and log in to your BIG-IP.
3. Verify that you have restored using archive_After_1D (you should have only the http_vs virtual
server).
4. Create a new pool using the following information:
Name
auction_pool
Health Monitors
http
Members
172.16.20.150:80
5. Create a new virtual server object using the following information:

Name
auction_vs
Destination Address
10.10.20.110
Service Port
443
HTTP Profile
http
SSL Profile (Client)
clientssl
SNAT Pool
Auto Map
Default Pool
auction_pool
TASK 2 Verify Web Site Vulnerabilities

Use a Web browser to access the auction virtual server IP address and attempt various well-known attacks
against the Auction Web site to determine its current security state.
1. Open a new Web browser window and access https://10.10.20.110.
2. Verify that the Hack-it-yourself auction Web site displays.

3. Use the Register now link at the top to create a user account.
o All fields are required
o For the Address, enter your actual social security number (if you do not have a social security
number, enter 123-45-6789)
o For the Credit Card Number, type 4111111111111111
4. Click Submit Query. (NOTE: It may take up to three minutes for the request to complete.)
5. Click on the Home link.
6. In the User login section, enter the username and password you submitted in step 3.
7. Click Go.
8. Click the Your control panel link in the Logged in section on the right-side of the page. (NOT the link
on the top menu bar.)
Questions:
a) Are you able to view your personal information? _________________
b) Was your credit card number sent in HTML plain text? _________________

9. Edit the end of the URI to read: ?nick=bobsmith.
Question:
c) Are you able to view another users personal information? _________________
10. Edit the end of the URI to read: ?nick=*.
Questions:
d) What information were you presented with? _____________________________
__________________________________________________________________
e) What type of Web site vulnerability is this? ______________________________
11. Click Logout, and then log back in as the username you submitted in step 3.
12. Select the Sell an item link.
13. Sell an item using the following information:
Item title
Item description
Bad item
<script>
alert ("Dont use this site - go to
http://mysite.com");
</script>
Auction starts with
$10
Country
United States of America
Zip Code
98119
Payment methods
MasterCard or Visa
Choose a category
Toys and Games
NOTE: Leave all other fields set to their default values.

14. Click Submit Query.
15. When prompted, enter your Password, and click Submit Query again.
16. Select the Home link. (NOTE: It may take up to three minutes for the request to complete.)
17. From the Last created auctions list, select Bad item.

Questions:
f) What happens when users select this item? _ _____________________________
__________________________________________________________________
g) What type of Web site vulnerability is this? ______________________________
18. Click Logout.
19. In the User login section, in the Username field type:
' or 1=1#
20. Click Go.
21. Click the Your control panel link in the Logged in section on the right-side of the page.
Questions:
h) What information was presented? ______________________________________
i)
What type of Web site vulnerability is this? _______________________________
22. Click Logout, and then close the auction Web site browser window.
TASK 3 Create an HTTP Class Profile

Create an HTTP class profile, and then view the security policy that is automatically generated by ASM.
1. In the BIG-IP configuration utility, access the Local Traffic > Profiles > Protocol > HTTP Class page.
2. Create an HTTP class profile named secure_profile.
3. From the Application Security list box, select Enabled.
4. Click Finished.
5. Access the Application Security > Security Policies > Policies List > Active Policies page.
There is now an active security policy.

6. Access the Application Security > Policy > Policy > Properties page.
ASM notifies that the security policy application language is not defined.
TASK 4 Update the Virtual Server

Update the virtual server by selecting the new HTTP class profile.
1. Update the auction_vs virtual server by selecting the secure_profile HTTP class profile.
2. Click Finished.
TASK 5 Reconfigure the HTTP Class Profile

Experiment with the different options available within an HTTP class profile.
2. Verify that the auction Web site displays.
3. Close the Web browser window.
4. In the configuration utility, edit the secure_profile HTTP class profile.
5. In the Actions section, from the Send To list, select Redirect to
6. In the Redirect to Location box, type http://www.f5.com.
7. Click Update.
Question:
a) What Web site displayed in the browser? _______________________________
9. Close the Web browser.
10. In the Configuration section, from the Hosts list select Match only
11. Add the following host: 20.20.20.20 (leave the Entry Type list set to Pattern String), and then click
Update.
Questions:
b) What Web site displayed in the browser? _______________________________
c) Why did this request go to the Auction site and not the F5.com Web site?
_________________________________________________________________

d) Was this access to the Web site protected by ASM? _______________
14. Clear the Custom check boxes for both Hosts and Send To (be sure to leave the check box for
Application Security selected.)
15. Click Update.
16. Create an archive file named archive_After_5A.
F5 Virtual Environment Hands-On Exercise Guide Exercise 2 Updating and Applying a Security Policy
EXERCISE 2 UPDATING AND APPLYING A SECURITY POLICY

Your customer has installed ASM and needs to begin configuring a security policy to prevent malicious activity.
This exercise builds on the previous exercise; therefore you must complete the previous exercise prior to
starting this exercise.
TASK 1 Configure the Security Policy using Rapid Deployment

Update the security policy that ASM created in the previous lab using the Rapid Deployment security policy, and
then apply the updated policy.
1. Access and log into your BIG-IP system.
2. Access the Application Security > Security Policies > Policies List > Active Policies page.
3. Select Configure Security Policy.
4. Select the Create a policy manually or use templates (advanced) option.
5. Click Next.
6. On the Configure Security Policy Properties page, in the Application Language list box, select
Unicode (utf-8).
7. In the Application-Ready Security Policy list box, select Rapid Deployment security policy.
8. Click Next.
9. On the Configure Attack Signatures page, from the Available Systems list box, move to following to
the Assigned Systems list box.
o
Operating Systems > Unix/Linux
Web Servers > Apache and Apache Tomcat
Languages, Frameworks and Applications > PHP
Database Servers > MySQL
10. Leave Signature Staging enabled and click Next.
11. Click Finish.
The new policy is placed in Transparent mode.

12. From the Logging Profile list, select Log all requests.
13. Click Save.
14. Click Apply Policy.
15. Click OK.
TASK 2 Verify That Requests are Passing Through ASM

Use the Reporting page in ASM to verify that requests for the auction Web site are passing through ASM.
1. Access the Application Security > Reporting > Requests page.
2. Select All Requests.

4. View the last five most recent items in the Last created auctions list.
5. In the User login section, login using the username and password you created in Exercise 5A, task 2,
step 3.
6. Select the Edit data link in the Logged in section on the right-side of the page.
Questions:
a) What value is in the Address field? ________________________
b) Why is this value displaying? ________________________________________________
7. Go to the home page, and then buy the Canon Digital Camera.
8. Click Logout.
9. Edit the URL to https://10.10.20.110/comment.txt.
10. Close the auction Web site browser window.

11. On the Reporting > Requests page, click Go.
12. Verify that requests for several files are displayed.

Questions:
c) Are requests for most .php pages Legal, Illegal, or Blocked? ____________________
d) Are requests for .txt pages Legal, Illegal, or Blocked? ____________________
e) Why arent requests for .txt pages being blocked through ASM? _____________
_________________________________________________________________
13. Select the buy2.php link.
14. Select Data Guard: Information leakage detected.
Question:
f) What caused this illegal entry? ___________________________________
15. Close the View Full Request Information window.
16. Select the edit_data.php link.
17. Select Data Guard: Information leakage detected.
Question:
g) What caused this illegal entry? ___________________________________
19. Select all of the items in the Requests List, and then click Clear All.
20. Create an archive file named archive_After_5B.
TASK 3 View the PCI Compliance Report

Use the PCI Compliance report to determine where the Web application is missing required security for
compliancy.
1. Access the Application Security > Reporting > PCI Compliance page.
Question:
a) Which requirements are automatically compliant using the Rapid Deployment policy?
______________________________________________________________________
2. Select Do not use vendor-supplied defaults for system passwords and other security parameters.
Question:
b) Why is this entry not yet in compliance? _______________________________________
3. Click Printable Version.
4. View the PDF report.
5. Close the PDF report and the configuration utility Web browser.
F5 Virtual Environment Hands-On Exercise Guide Exercise 3 Tightening a Security Policy
EXERCISE 3 TIGHTENING A SECURITY POLICY

Your customer would like to use ASM to only allowed access to authorized pages, based on the file type. The
auction Web site only needs to support access to php, and gif files.
Estimated completion time: 20 minutes.
TASK 1 Configure a Security Policy to Learn About File Types

Update the Web applications security policy that to learn about potential illegal file types.
2. Access the Application Security > Policy Building > Manual > Traffic Learning page.
There are no learned entries other than the Data Guard information leakage detected entries.
3. Edit the secure_profile security policy.
4. Select the Blocking > Settings page.
5. In the Access Violations section, in the Illegal file type row, note that the Block check box is currently
grayed out.
Question:
a) Why cant you enable the Block option? ________________________________
_________________________________________________________________
6. Place the policy in Blocking mode.
7. In the Illegal file type row, select the Learn, Alarm, and Block check boxes.

8. Note that in the Negative Security Violations section, Data Guard: Information leakage detected is
already set to both Learn and Alarm.
Question:
b) Why were these options already set? __________________________________
_________________________________________________________________
9. Click Save.
10. Place the policy back in Transparent mode.
Notice that the Block option for Illegal file types is once again grayed out; however the check box
remains selected.
11. Click Save.
TASK 2 Enable Tightening for File Types

Configure ASM to perform tightening for the secure_profile security policy for file types.
1. Access the Application Security > File Types > Allowed File Types page.
2. In the Allowed File Types List section, select the * link.

3. Select the Perform Tightening check box.
4. Click Update.
5. Apply the updated policy.
TASK 3 Generate Entries for the Security Policy

Access the Web site to generate learning suggestions for the security policy.
2. View the last five most recent items in the Last created auctions list.
3. Log into the Web site.
Item title
Item description
Another bad item

<script>
</script>
Auction starts with
$10
Country
Zip Code
98119
Payment methods
MasterCard or Visa
Choose a category
Arts & Antiques

6. When prompted, enter your Password, and click Submit Query again.
7. Click on the Home link, and then click the Your control panel link in the Logged in section.
10. Click Logout.
' or 1=1#
12. Click Go.
13. Click the Your control panel link in the Logged in section.
14. Click Logout.
TASK 4 Fine Tune the Security Policy

Select the file types that are allowed for the Web site and accept them into the security policy.
1. Access the Application Security > Policy Building > Manual > Traffic Learning page.
2. Select the Attack signature detected link.

3. Select the Recent Incidents link for the SQL-INJ entry.
Questions:
a) Which URLs are vulnerable for SQL injection? _______________________________
4. Select the login.php link.
5. Select the HTTP Request tab.
Questions:
b) Which parameter needs to be protected against SQL injection? ___________________
7. Return to the Manual Traffic Learning page.
8. Select the Illegal file type link.
Questions:
c) Why is there an entry for no_ext? ____________________________________
________________________________________________________________
d) Should we allow or block access to pages without an extension, and why?
_________________________________________________________________
9. Select the check boxes for the gif, jpg, no_ext, and php file types, and then click Accept.
This will allow these file types for this policy.
10. Select the check box for the txt file type, and then click Clear.
11. In the Confirm Delete window, click OK (NOTE: Do not move txt files to ignored entities).

12. Access the Application Security > File Types > Allowed File Types page.
The security policy has been updated to allow requests for gif, jpg, and .php file types, in addition to
requests with no extension.
13. In the Allowed File Types List section, select the * check box, and then click Delete.
14. Select the gif, jpg, no_ext, and php checkboxes, and then click Enforce.
This removes these entries from staging.
15. Apply the updated policy.
17. Select links to navigate through the auction Web site.
Questions:
e) Were you able to access the comment.txt page? _________________________
f)
Why is ASM still allowing access to txt file types? _______________________

_________________________________________________________________

20. Access the Traffic Learning page.
21. Select the Illegal file type link.
Traffic learning still suggests the txt file type; however the other types are no longer considered illegal
file types, as they have already been added to the policy.
Questions:
g) Are requests for .txt files Legal, Illegal, or Blocked? ____________________
h) What do you need to configure in ASM to block access to .txt files?
_______________________________________________________________
TASK 5 Modify the Security Policys Enforcement Mode

Modify the security policy, currently configured in Transparent mode, to Blocking mode.
1. Edit the secure_profile security policy.
2. Change the Enforcement Mode to Blocking.
3. Click Save, and then apply the updated policy.


Questions:
a) Were you able to access the comment.txt page? _________________________
b) Are requests for .txt files Legal, Illegal, or Blocked? ________________________
8. Create an archive file named archive_After_5C.
TASK 6 If Time Permits

If you have extra time, edit the security policy so that the error message displayed when accessing .txt file
types reads For security purposes, you are not allowed to access .txt file types on this Web site. Your support ID
is: (the support ID variable)
F5 Virtual Environment Hands-On Exercise Guide Exercise 4 Using Automatic Policy Building
EXERCISE 4 USING AUTOMATIC POLICY BUILDING

You would like to experiment with methods to save your customer time when building a security policy for the
auction Web site.
Estimated completion time: 20 minutes.
TASK 1 Create a New Security Policy Using Automatic Policy Building

You will create a new security policy for the Web application using Automatic Policy Building.
2. Create a new HTTP Class profile named policy_builder_profile with Application Security Enabled.
3. Associate the new HTTP Class profile with the auction_vs virtual server. Ensure that
policy_builder_profile is above secure_profile.
4. Access the Active Policies page.
5. For the policy_builder_profile policy, select Configure Security Policy.

NOTE: If you get an error message that the Deployment Wizard is already running, click Cancel,
then select the policy_builder_profile [v1], then click Reconfigure, then click Run Deployment Wizard.
6. Leave the Create a policy automatically (recommended) option selected, and then click Next.
7. From the Security Policy Language list box, select Unicode (utf-8), and then click Next.
8. On the Configure Attack Signatures page, from the Available Systems list box, move to following to
the Assigned Systems list box.
o
Operating Systems > Unix/Linux
Web Servers > Apache and Apache Tomcat
Languages, Frameworks and Applications > PHP
Database Servers > MySQL
9. Click Next.
10. From the Policy Type list, select Comprehensive.
11. Slide the Policy Builder learning speed control to Fast.
Note that this changes the chances to adding false positives to the policy to High.
12. From the Trusted IP Addresses list, select Address List.
13. In the IP Address box, enter 10.10.20.1.
14. In the Netmask box, enter 255.255.255.255, and then click Add.
15. Click Next.

16. Click Finish.
The Policy Building: Automatic: Status page displays.

17. Apply the new policy.
This places the policy in blocking mode.
TASK 2 Create Learning Suggestions for Automatic Policy Building

Generate learning suggestions for automatic policy building for the Web application.
2. View the last six most recent items in the Last created auctions list.
step 3.
7. Click Logout.
' or 1=1#
9. Click Go.
Edit the URL to https://10.10.20.110/comment.txt.
Question:
a) Why are you now able to access txt file types? _______________________
_____________________________________________________________
b) Is Data Guard currently enabled? _________________
The policy builder begins to analyze the traffic.
After several seconds, the policy builder begins learning file types, URLs, parameters, and cookies.
12. In the Detail section, select File Types > Staging.
13. For the gif, jpg, no_ext, and php entries, click the corresponding Enforce button.
14. Select Parameters > Staging.
Multiple parameters are currently in staging.
15. Access the Application Security > Policy Building > Automatic > Log page.
The log includes an entry for each event or action that the Policy Builder makes to the policy.
16. Access the Application Security > Policy Building >Automatic > Configuration page.
17. Disable the Real Traffic Policy Builder.
TASK 3 View and Update the Security Policy

Reset the Web application by selecting the security policy that you created in the previous labs.
1. View the Allowed File Types page, and then delete the wildcard entry.
Questions:
a) Is there another entry that should be deleted? _______________________
b) Why was the txt file type added to the policy? __________________________
_________________________________________________________________
2. Delete the txt file type entry.
NOTE: If there are any other entries on this page, delete them as well.
3. View the Parameters List page, and then delete the wildcard entry.
4. Select the checkboxes for the nick and username entries, and then click the Enforce button.
5. Select the nick parameter entry.
6. From the Parameter Value Type list box, select Dynamic content value, and then click Update.
7. In the Message from webpage dialog box, click OK.
8. Select the File Types checkbox, then select php from the list box, and then click Add.
9. Select the URLs checkbox, then select HTTP from the list box, then enter index.php in the text field,
and then click Add.
10. Click Create, and then click Update.
11. Select the Application Security > Attack Signatures > Attack Signatures Configuration page.
12. Disable Signature Staging.
TASK 4 Test the Updated Policy

Access the Auction Web site and make attempts that violate the policy.
step 3.
5. Click the Back button.
6. Select the Sell an item link.
Item title
Item description
Not this item

<script>
</script>
Auction starts with
$10
Country
Zip Code
98119
Payment methods
MasterCard or Visa

9. Click the Back button.
10. Click Logout.
' or 1=1#
12. Click Go.
Questions:
a) Is the Web site protected against unacceptable file types (.txt files)? ______________
b) Is the Web site protected against data leakage? _______________
c) Is the Web site protected against cross-site scripting? _______________
d) Is the Web site protected against SQL injection? _________________
e) Is the Web site protected against parameter tampering? ________________
15. Access the Application Security > Data Guard page.
NOTE: Ensure the current edited policy is policy_builder_profile.
16. Enable Data Guard for credit card numbers, social security numbers, and ensure that you mask data
being sent back to users.
step 3.
Questions:
f) What response did you receive? _______________________________________
g) Why did you receive this response? ______________________________________
____________________________________________________________________
22. Adjust the blocking settings so that data is indeed scrubbed, but that the page itself isnt blocked.
23. Apply the policy and test again.
24. Once the page displays with credit cards and social security numbers being scrubbed, create an
archive file named archive_After_5D.
F5 Virtual Environment Hands-On Exercise Guide Exercise 5 Protecting Against Web Scraping
EXERCISE 5 PROTECTING AGAINST WEB SCRAPING

Your customer is concerned about malicious Web scraping attacks and would like to configure the policy on
ASM to prevent potential attacks.
TASK 1 Use iMacros to Record and Play a Lengthy Visit to the Auction Web Site
Use iMacros for Firefox to record and play back a series of requests to the auction Web site.
1. Open Mozilla Firefox and access https://10.10.20.110.
2. In the iMacros pane, select the Rec tab, and then click Record.
3. Select links to navigate through the auction Web site (be sure to record a lengthy visit to the Web
site, at least 20 clicks, however dont log in or purchase an item).
4. Click Stop.
5. Save the iMacro as webscraping_example.
6. In the iMacros pane, select the Play tab.
7. Select webscraping_example.iim.
8. In the Max box, type 10, and then click Play (Loop).
Question:
a) Is ASM protecting against potential Web scraping attacks? ________________
TASK 2 Configure Web Scraping Detection and Protection

Configure ASM to detect and protect against potential Web scraping attacks, and then update the policy to learn
and alarm about possible Web scraping attacks.
2. Access the Application Security > Anomaly Detection > Web Scraping page.
3. Ensure that the Current edited policy is policy_builder_profile.
4. Select the Enable Web Scraping Detection check box.
5. Edit the Web Scraping Detection Configuration settings as follows:
Grace Interval
5 requests
Unsafe Interval
10 requests
Safe Interval
20 requests
6. Click Save.
F5 Virtual Environment Hands-On Exercise Guide Exercise 5 Protecting Against Web Scraping
7. Verify that the blocking settings for the policy_builder_profile policy for Web scraping detected
include Learn and, Alarm.
9. Use Firefox to play the webscraping_example.iim macro 10 times.
10. In the BIG-IP configuration utility, access the Traffic Learning page.
11. Select the Web scraping detected link.
Note that all occurrences came from your client IP address.

Questions:
a) How many total entries were reported to ASM? ________________
b) Why didnt ASM block this user after detecting Web scraping?
_________________________________________________________________
12. Select the Reporting > Requests page.
Question:
c) Are recent requests for pages Legal, Illegal, or Blocked? _____________________
TASK 3 Update the Policy to Block Web Scraping

Update the policy to block detected Web scraping attacks.
1. Edit the policy_builder_profile blocking settings to block detected Web scraping.
3. Use Firefox to play the webscraping_example macro 10 times.
Questions:
a) Was the Web scraping attack successful? ________________
4. Close Firefox.
TASK 4 Resetting the BIG-IP

Reset the BIG-IP system by restoring your archive file.
1. Create an archive file named archive_After_5E.
2. Once the archive is complete, restore using the archive_After_1D archive file.

Passo 3 - F5 Virtual Environment Hands-On Exercise Guide - ASM (LatAm)

Загружено:

Сведения о документе

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Passo 3 - F5 Virtual Environment Hands-On Exercise Guide - ASM (LatAm)

Загружено:

Авторское право:

Доступные форматы

F5 Virtual Environment

Hands-On Exercise Guide

F5 Virtual Environment Hands-On Exercise Guide Exercise 1 Enable ASM Protection

ASM HANDS-ON EXERCISES

TASK 1 Create a Pool and a Virtual Server

5. Create a new virtual server object using the following information:

SSL Profile (Client)

F5 Virtual Environment Hands-On Exercise Guide Exercise 1 Enable ASM Protection

TASK 2 Verify Web Site Vulnerabilities

2. Verify that the Hack-it-yourself auction Web site displays.

F5 Virtual Environment Hands-On Exercise Guide Exercise 1 Enable ASM Protection

Auction starts with

United States of America

Toys and Games

NOTE: Leave all other fields set to their default values.

F5 Virtual Environment Hands-On Exercise Guide Exercise 1 Enable ASM Protection

What type of Web site vulnerability is this? _______________________________

TASK 3 Create an HTTP Class Profile

There is now an active security policy.

F5 Virtual Environment Hands-On Exercise Guide Exercise 1 Enable ASM Protection

TASK 4 Update the Virtual Server

TASK 5 Reconfigure the HTTP Class Profile

F5 Virtual Environment Hands-On Exercise Guide Exercise 1 Enable ASM Protection

EXERCISE 2 UPDATING AND APPLYING A SECURITY POLICY

TASK 1 Configure the Security Policy using Rapid Deployment

Operating Systems > Unix/Linux

Web Servers > Apache and Apache Tomcat

Languages, Frameworks and Applications > PHP

Database Servers > MySQL

11. Click Finish.

The new policy is placed in Transparent mode.

15. Click OK.

TASK 2 Verify That Requests are Passing Through ASM

3. Open a new Web browser window and access https://10.10.20.110.

10. Close the auction Web site browser window.

12. Verify that requests for several files are displayed.

TASK 3 View the PCI Compliance Report

F5 Virtual Environment Hands-On Exercise Guide Exercise 3 Tightening a Security Policy

EXERCISE 3 TIGHTENING A SECURITY POLICY

TASK 1 Configure a Security Policy to Learn About File Types

F5 Virtual Environment Hands-On Exercise Guide Exercise 3 Tightening a Security Policy

11. Click Save.

TASK 2 Enable Tightening for File Types

2. In the Allowed File Types List section, select the * link.

5. Apply the updated policy.

F5 Virtual Environment Hands-On Exercise Guide Exercise 3 Tightening a Security Policy

TASK 3 Generate Entries for the Security Policy

Another bad item

Auction starts with

United States of America

Arts & Antiques

5. Click Submit Query.

F5 Virtual Environment Hands-On Exercise Guide Exercise 3 Tightening a Security Policy

TASK 4 Fine Tune the Security Policy

2. Select the Attack signature detected link.

F5 Virtual Environment Hands-On Exercise Guide Exercise 3 Tightening a Security Policy

Why is ASM still allowing access to txt file types? _______________________

19. Close the Web browser.

F5 Virtual Environment Hands-On Exercise Guide Exercise 3 Tightening a Security Policy

TASK 5 Modify the Security Policys Enforcement Mode

3. Click Save, and then apply the updated policy.

6. Close the Web browser.

TASK 6 If Time Permits

EXERCISE 4 USING AUTOMATIC POLICY BUILDING