Section 1: Assess security needs and choose an appropriate ASM policy
Objective 1.01 Explain the potential effects of common attacks on web applications.
Example: Summarize the OWASP Top Ten
Example: Describe how ASM addresses the OWASP Top Ten
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
https://devcentral.f5.com/tech-tips/articles/f5-security-on-owasp-top-10
Instructor Led Training: Configuring ASM: Module 3: Web Application Vulnerabilities.
Objective 1.02 Explain how specific security policies mitigate various web application attacks
Objective 1.03 Determine which ASM mitigation is appropriate for a particular vulnerability
Example: Explain the purpose of vulnerability assessment tools
http://www.f5.com/pdf/white-papers/vulnerability-assessment-asm-wp.pdf
http://www.f5.com/pdf/white-papers/big-ip-asm-ips-differences-wp.pdf
Instructor Led Training: Configuring ASM: Module 11: Vulnerability Assessment Tools and Application Templates
Objective 1.04 Choose the appropriate features and granularity
Example: Describe the relationship between security policy and application development
Example: Explain how specific security policies mitigate various web application attacks
Instructor Led Training: Configuring ASM: Module 5: Rapid Deployment and Attack Signatures
Instructor Led Training: Configuring ASM: Module 6: Positive Security Policy Building
Instructor Led Training: Configuring ASM: Module 11: Vulnerability Assessment Tools and Application Templates
https://devcentral.f5.com/blogs/us/why-developers-should-demand-web-app-firewalls
Objective 1.05 Determine the most appropriate deployment method for a given set of requirements
Example: Determine the appropriate deployment method when a “canned” deployment method is not applicable.
Example: Evaluate the implications of changes in the policy to the security and vulnerabilities of the application
Instructor Led Training: Configuring ASM: Module 5: Rapid Deployment and Attack Signatures
Instructor Led Training: Configuring ASM: Module 6: Positive Security Policy Building
http://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-4-0.html
Objective 1.06 Evaluate the implications of changes in the policy to the security and vulnerabilities of the application (Same as Example 2?)
Example: Determine the rate of change of the application
Example: Explain the trade-offs between security, manageability, false positives, and performance
Instructor Led Training: Configuring ASM: Module 6: Positive Security Policy Building
Section 2: Create and customize policies.
Objective 2.01 Determine the appropriate criteria for initial policy definition based on application requirements (e.g., wildcards, violations, entities, signatures, user-defined signatures)
Example: Define the policy based on application requirements
Instructor Led Training: Configuring ASM: Module 5: Rapid Deployment and Attack Signatures
Instructor Led Training: Configuring ASM: Module 6: Positive Security Policy Building
Instructor Led Training: Configuring ASM: Module 11: Vulnerability Assessment Tools and Application Templates
Objective 2.02 Explain the policy builder lifecycle
http://www.f5.com/pdf/deployment-guides/implementing-security-policy-dg.pdf
http://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/bigipasm9_4/BIG_IP_9_4_ASM_Config_Gd-07-1.html#wp1031040
Instructor Led Training: Configuring ASM: Module 12: Real Traffic Policy Builder
Objective 2.03 Review and evaluate rules based on information gathered from ASM (e.g., attack signatures, DataGuard, parameters, entities)
http://www.f5.com/pdf/deployment-guides/implementing-security-policy-dg.pdf
http://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-config-11-3-0/asm_parameters.html?sr=30303001
http://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-config-11-3-0/asm_wildcard.html?sr=30303001
Instructor Led Training: Configuring ASM: Module 6: Positive Security Policy Building
Objective 2.04 Refine policy structure for policy elements (e.g., URLs, parameters, file types, headers, sessions and logins, content profiles, CSRF protection, anomaly protection)
Instructor Led Training: Configuring ASM: Module 6: Positive Security Policy Building
Instructor Led Training: Configuring ASM: Module 13: Advanced Topics
Objective 2.05 Explain the process to integrate and configure natively supported third-party vendors and generic formats with ASM (e.g., difference between scanning modes, ICAP)
Example: Upload scan results from a third-party vendor into the ASM GUI.
Instructor Led Training: Configuring ASM: Module 11: Vulnerability Assessment Tools and Application Templates
sol12984: BIG-IP ASM does not send requests to ICAP servers that exceed the maximum request size: http://support.f5.com/kb/en-us/solutions/public/12000/900/sol12984
sol12128: The URI of an Internet Content Adaptation Protocol server for antivirus protection is hard-coded: http://support.f5.com/kb/en-us/solutions/public/12000/100/sol12128.html
Objective 2.06 Determine whether the rules are being implemented effectively and appropriately to mitigate the violations
Example: Determine the appropriate violations to be enforced.
Instructor Led Training: Configuring ASM: Module 6: Positive Security Policy Building
Objective 2.07 Explain reporting and remote logging capabilities
Example: Determine whether the remote logger is accessible
Example: Determine the level of logging (i.e., all logs, illegal requests, or responses)
http://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-config-11-2-0/asm_monitoring.html#1046608
sol13238: The BIG-IP ASM bd process may crash when the remote logging profile server is unavailable: http://support.f5.com/kb/en-us/solutions/public/13000/200/sol13238.
sol6994: Configuring the BIG-IP ASM to send forensics data to a remote syslog server: http://support.f5.com/kb/en-us/solutions/public/6000/900/sol6994
sol10651: BIG-IP ASM syslog request format: http://support.f5.com/kb/en-us/solutions/public/10000/600/sol10651.html
sol14020: BIG-IP ASM daemons (11.x): http://support.f5.com/kb/en-us/solutions/public/14000/000/sol14020.html
http://www.thef5guy.com/blog/2009/05/big-ip-asm-4100-processes
Instructor Led Training: Configuring ASM: Module 4: ASM Configuration
Section 3: Maintain policy
Objective 3.01 Interpret log entries to identify opportunities to refine the policy
Example: Describe the various logs and formats
Example: Identify the current state of the policy (e.g., violation status, blocking mode)
http://www.thef5guy.com/blog/2009/05/big-ip-asm-4100-processes
https://devcentral.f5.com/tech-tips/articles/big-ip-logging-and-reporting-toolkit-part-one
sol14020: BIG-IP ASM daemons (11.x): http://support.f5.com/kb/en-us/solutions/public/14000/000/sol14020.html
http://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-config-11-2-0/asm_apx_remote_logging_formats.html#1027259
Objective 3.02 Determine how a policy should be adjusted based upon available data (e.g., learning suggestions, log data, application changes, traffic type, user requirements)
Example: React to changes in the web application infrastructure
Example: Adjust the policy to address application changes
sol11914: Updating a BIG-IP ASM Security Policy when your website changes: http://support.f5.com/kb/en-us/solutions/public/11000/900/sol11914.html
Instructor Led Training: Configuring ASM: Module 6: Positive Security Policy Building
Section 4
Objective 4.01 Describe the lifecycle of attack signatures
sol8217: Updating the BIG-IP ASM attack signatures: http://support.f5.com/kb/en-us/solutions/public/8000/200/sol8217.html
sol11303: Updated signatures are automatically removed from blocking mode and placed into staging mode: http://support.f5.com/kb/en-us/solutions/public/11000/300/sol11303.html
http://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/config_guide_asm_10_2_0.html
Objective 4.02 Evaluate the impact of new or updated attack signatures on existing security policies
sol8217: Updating the BIG-IP ASM attack signatures: http://support.f5.com/kb/en-us/solutions/public/8000/200/sol8217.html
sol11303: Updated signatures are automatically removed from blocking mode and placed into staging mode: http://support.f5.com/kb/en-us/solutions/public/11000/300/sol11303.html
sol8517: Enabling attack signatures that were not triggered during the staging process: http://support.f5.com/kb/en-us/solutions/public/8000/500/sol8517.html
https://devcentral.f5.com/tech-tips/articles/asm-custom-signatures-oh-my#.UcsPGT5gau8
Objective 4.03 Identify key ASM performance metrics (e.g., CPU report, memory report, process requests, logging)
Example: Identify key ASM performance metrics
Example: Adjust the policy to address application changes
Example: Identify sources of resource consumption (e.g., large file uploads)
Objective 4.04 Interpret ASM performance metrics and draw conclusions
sol12878: Generating BIG-IP diagnostic data using the qkview utility (10.x - 11.x): http://support.f5.com/kb/en-us/solutions/public/12000/800/sol12878.html
sol10227: BIG-IP ASM daemons (9.x - 10.x): http://support.f5.com/kb/en-us/solutions/public/10000/200/sol10227.html
Objective 4.05 Identify and gather information relevant to evaluating the activity of an ASM implementation
Objective 4.06 Interpret the activity of an ASM implementation to determine its effectiveness
Example: Demonstrate the understanding of growth trajectories for appropriate ongoing operations
Example: Appraise the ASM-specific system resources (e.g., box capacity)
Instructor Led Training: Configuring ASM: Module 6: Positive Security Policy Building
https://devcentral.f5.com/community/group/aft/2166089/asg/39#2274656
Objective 4.07 Differentiate between blocking and transparent features
Example: Recognize the components of a PCI compliance report
Instructor Led Training: Configuring ASM: Module 7: Application Visibility and Reporting
sol8363: Using the Mask Data setting to protect sensitive data returned by the BIG-IP ASM: http://support.f5.com/kb/en-us/solutions/public/8000/300/sol8363.html
Objective 4.08 Evaluate whether a security policy is performing per requirements (i.e., blocking, transparent, or other relevant security features)
Example: Solve issues that are illustrated in the PCI compliance report
Example: Recognize the importance of trends and communicate to the necessary stakeholders
Example: Explain risk management and the balance between availability and security
Instructor Led Training: Configuring ASM: Module 7: Application Visibility and Reporting
http://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-3-0.pdf?sr=30303269
http://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-config-11-4-0.html
Objective 4.09 Define the ASM policy management functions (e.g., auditing, merging, reverting, import, and export)
Example: Describe how to export/import policies
Example: Explain how to merge and differentiate between policies
Example: Describe how to revert policies
Example: Review the policy log
Instructor Led Training: Configuring ASM: Module 7: Application Visibility and Reporting
http://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-3-0/5.html?sr=30303001
http://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-3-0/4.html?sr=30303001
Objective 4.10 Explain the circumstances under which it is appropriate to use ASM bypass
Example: Recognize ASM specific user roles
Example: Recognize differences between user roles and permissions
Instructor Led Training: Module 8: ASM User, Role, and Policy Administration
https://devcentral.f5.com/tech-tips/articles/asm-bypass-v1120-muhahahahahahaha
https://devcentral.f5.com/community/group/aft/2163451/asg/50
http://support.f5.com/kb/en-us/solutions/public/9000/300/sol9372.html