Step 3 - F5 Virtual Environment Hands-On Exercise Guide - ASM (LatAm)

Posted on 06-Jul-2018

    8/18/2019 Step 3 - F5 Virtual Environment Hands-On Exercise Guide - ASM (LatAm)

    F5 Virtual Environment Hands-On Exercise Guide

    ASM Exercises


    F5 Virtual Environment Hands-On Exercise Guide  – Exercise 1  – Enable ASM Protection 

    ASM HANDS-ON EXERCISES 

    EXERCISE 1 – ENABLE ASM PROTECTION

    Your customer is running a vulnerable Web site and would like to use F5’s Application Security Manager (ASM) to protect the Web site from malicious attacks.

      Estimated completion time: 20 minutes 

    TASK 1  – Create a Pool and a Virtual Server 

    Use the configuration utility to create a pool for the customer’s auction Web site, and then create a new virtual server that uses the new pool.

    1.  In VMware Workstation, power on the phpauction image.

    2.  Connect and log in to your BIG-IP.

    3.  Verify that you have restored using archive_After_1D (you should have only the http_vs virtual server).

    4.  Create a new pool using the following information:

        Name                  auction_pool
        Health Monitors       http
        Members               172.16.20.150:80

    5.  Create a new virtual server object using the following information:

        Name                  auction_vs
        Destination Address   10.10.20.110
        Service Port          443
        HTTP Profile          http
        SSL Profile (Client)  clientssl
        SNAT Pool             Auto Map
        Default Pool          auction_pool


    TASK 2 – Verify Web Site Vulnerabilities

    Use a Web browser to access the auction virtual server IP address and attempt various well-known attacks against the Auction Web site to determine its current security state.

    1.  Open a new Web browser window and access https://10.10.20.110 .

    2.  Verify that the Hack-it-yourself auction Web site displays.

    3.  Use the Register now link at the top to create a user account.

        o  All fields are required.
        o  For the Address, enter a social security number in the form 123-45-6789. Do not enter a real one: this site is deliberately vulnerable and, as the next steps show, it stores and returns the value in plain text.
        o  For the Credit Card Number, type 4111111111111111 (a test number that passes the Luhn check but is not a real card).

    4.  Click Submit Query. (NOTE: It may take up to three minutes for the request to complete.)

    5.  Click on the Home link.

    6.  In the User login section, enter the username and password you submitted in step 3.

    7.  Click Go.

    8.  Click the Your control panel link in the Logged in section on the right side of the page (NOT the link on the top menu bar).

    Questions:

    a)  Are you able to view your personal information?  _________________

    b)  Was your credit card number sent in HTML plain text?  _________________


    9.  Edit the end of the URI to read: ?nick=bobsmith.

    Question:

    c)  Are you able to view another user’s personal information?  _________________

    10.  Edit the end of the URI to read: ?nick=*.

    Questions:

    d)  What information were you presented with?  _____________________________
        __________________________________________________________________

    e)  What type of Web site vulnerability is this?  ______________________________

    11.  Click Logout, and then log back in as the username you submitted in step 3.

    12.  Select the Sell an item link.

    13.  Sell an item using the following information:

        Item title           Bad item
        Item description     <script>alert ("Don’t use this site - go to http://mysite.com");</script>
        Auction starts with  $10
        Country              United States of America
        Zip Code             98119
        Payment methods      MasterCard or Visa
        Choose a category    Toys and Games

        NOTE: Leave all other fields set to their default values.

    14.  Click Submit Query.

    15.  When prompted, enter your Password, and click Submit Query again.

    16.  Select the Home link. (NOTE: It may take up to three minutes for the request to complete.)

    17.  From the Last created auctions list, select Bad item.

    Questions:

    f)  What happens when users select this item?  _____________________________
        __________________________________________________________________

    g)  What type of Web site vulnerability is this?  ______________________________

    18.  Click Logout.

    19.  In the User login section, in the Username field type:  ' or 1=1#

    20.  Click Go.

    21.  Click the Your control panel link in the Logged in section on the right side of the page.

    Questions:

    h)  What information was presented?  ______________________________________

    i)  What type of Web site vulnerability is this?  _______________________________

    22.  Click Logout, and then close the auction Web site browser window.
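    The manual probes in this task (the ?nick=bobsmith and ?nick=* URIs, the ' or 1=1# login and the comment.txt request) are repeated by hand in every later exercise to see whether the policy now stops them. The script below is an added example for this guide, not F5 code and not part of the lab kit: it replays those probes against the auction virtual server and reduces each response to the answer the questions ask for (blocked by ASM, sensitive data returned in plain text, or passed). The paths, parameter names and test values are the ones the exercises use; the control-panel path and the login form's password field name are assumptions, because the guide only says "edit the end of the URI" and never names that field.

```python
"""Replay the Task 2 probes against the auction virtual server.

Added example for this guide; it is not F5 code and not part of the lab kit.
The paths, parameter names and values come from the exercise text (nick,
username, login.php, comment.txt, 4111111111111111, 123-45-6789, and the
"Your support ID is:" text of the ASM blocking page). CONTROL_PANEL and the
"password" field name are assumptions: the guide only says "edit the end of
the URI" and never names the login form's password field.
"""
import re
import ssl
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "https://10.10.20.110"   # auction_vs destination from Task 1
CONTROL_PANEL = "/user_menu.php"    # ASSUMPTION: the guide does not name this page
LOGIN_PATH = "/login.php"           # named in Exercise 3, Task 4
TEST_CC = "4111111111111111"        # the values you typed when registering
TEST_SSN = "123-45-6789"

# (name, method, path, fields): the inputs the exercises have you enter by hand
PROBES = [
    ("idor",      "GET",  CONTROL_PANEL,  {"nick": "bobsmith"}),
    ("wildcard",  "GET",  CONTROL_PANEL,  {"nick": "*"}),
    ("sqli",      "POST", LOGIN_PATH,     {"username": "' or 1=1#", "password": "x"}),  # "password" assumed
    ("file_type", "GET",  "/comment.txt", {}),
]

SUPPORT_ID = re.compile(r"Your support ID is:\s*(\d+)")
# the stored XSS payload from step 13, echoed back without encoding
XSS_ECHO = re.compile(r"<script[^>]*>[^<]*mysite\.com", re.IGNORECASE)


def classify(status, body):
    """Reduce one response to the answer the lab questions ask for.

    Returns (verdict, detail): "blocked" plus the ASM support ID, "leak" plus
    the sensitive items found in the page, "error" plus the HTTP status, or
    "passed" when the site answered normally with nothing sensitive in it.
    """
    match = SUPPORT_ID.search(body)
    if match:
        return "blocked", match.group(1)
    findings = []
    if TEST_CC in body:
        findings.append("cc_plaintext")
    if TEST_SSN in body:
        findings.append("ssn_plaintext")
    if XSS_ECHO.search(body):
        findings.append("script_in_page")
    if findings:
        return "leak", ",".join(findings)
    if status >= 400:
        return "error", str(status)
    return "passed", ""


def send(method, url, fields, context):
    """Issue one request and return (status, body), also for 4xx/5xx answers."""
    encoded = urllib.parse.urlencode(fields)
    if method == "GET":
        req = urllib.request.Request(url + ("?" + encoded if encoded else ""))
    else:
        req = urllib.request.Request(url, data=encoded.encode(), method="POST")
    try:
        with urllib.request.urlopen(req, context=context, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def run(base_url=BASE_URL):
    """Run every probe; return {probe name: (verdict, detail)}."""
    # The lab's clientssl profile presents a self-signed certificate, so
    # verification is disabled here. Never do this outside an isolated lab.
    context = ssl.create_default_context()
    context.check_hostname = False
    context.verify_mode = ssl.CERT_NONE
    return {name: classify(*send(method, base_url + path, fields, context))
            for name, method, path, fields in PROBES}


if __name__ == "__main__":
    for name, (verdict, detail) in run().items():
        print(f"{name:10} {verdict:8} {detail}")
```

    Run it now, before ASM is in the path, and every probe should come back "passed" or "leak"; run it again after each of Exercises 2, 3 and 4 and the sqli and file_type probes should move to "blocked" as the policy is tightened, with the support ID giving you the value to look up on the Reporting > Requests page. Because the guide never states the URL of the item page that carries the stored script, the XSS check only fires when one of the probed pages echoes the payload; add that URL to PROBES once you know it.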

    TASK 3 – Create an HTTP Class Profile

    Create an HTTP class profile, and then view the security policy that is automatically generated by ASM.

    1.  In the BIG-IP configuration utility, access the Local Traffic > Profiles > Protocol > HTTP Class page. 

    2.  Create an HTTP class profile named secure_profile. 

    3.  From the Application Security list box, select Enabled. 

    4.  Click Finished. 

    5.  Access the Application Security > Security Policies > Policies List > Active Policies page. There is now an active security policy.

    6.  Access the Application Security > Policy > Policy > Properties page. ASM notifies you that the security policy application language is not defined.


    TASK 4 – Update the Virtual Server

    Update the virtual server by selecting the new HTTP class profile.

    1.  Update the auction_vs virtual server by selecting the secure_profile  HTTP class profile. 

    2.  Click Finished. 

    TASK 5 – Reconfigure the HTTP Class Profile

    Experiment with the different options available within an HTTP class profile.

    1.  Open a new Web browser window and access https://10.10.20.110 .

    2.  Verify that the auction Web site displays.

    3.  Close the Web browser window.

    4.  In the configuration utility, edit the secure_profile HTTP class profile.

    5.  In the Actions section, from the Send To list, select Redirect to…

    6.  In the Redirect to Location box, type http://www.f5.com.

    7.  Click Update.

    8.  Open a new Web browser window and access https://10.10.20.110 .

    Question:

    a)  What Web site displayed in the browser?  _______________________________

    9.  Close the Web browser.

    10.  In the Configuration section, from the Hosts list select Match only…

    11.  Add the following host: 20.20.20.20 (leave the Entry Type list set to Pattern String), and then click Update.

    12.  Open a new Web browser window and access https://10.10.20.110 .

    Questions:

    b)  What Web site displayed in the browser?  _______________________________

    c)  Why did this request go to the Auction site and not the F5.com Web site?
        _________________________________________________________________

    d)  Was this access to the Web site protected by ASM?  _______________

    13.  Close the Web browser.

    14.  Clear the Custom check boxes for both Hosts and Send To (be sure to leave the check box for Application Security selected).

    15.  Click Update.

    16.  Create an archive file named archive_After_5A.


    F5 Virtual Environment Hands-On Exercise Guide  – Exercise 2  – Updating and Applying a Security Policy

    EXERCISE 2 – UPDATING AND APPLYING A SECURITY POLICY

    Your customer has installed ASM and needs to begin configuring a security policy to prevent malicious activity.

    This exercise builds on the previous exercise; therefore you must complete the previous exercise prior to starting this exercise.

      Estimated completion time: 10 minutes 

    TASK 1 – Configure the Security Policy using Rapid Deployment

    Update the security policy that ASM created in the previous lab using the Rapid Deployment security policy, and then apply the updated policy.

    1.  Access and log into your BIG-IP system.

    2.  Access the Application Security > Security Policies > Policies List > Active Policies page.

    3.  Select Configure Security Policy.

    4.  Select the Create a policy manually or use templates (advanced) option.

    5.  Click Next.

    6.  On the Configure Security Policy Properties page, in the Application Language list box, select Unicode (utf-8).

    7.  In the Application-Ready Security Policy list box, select Rapid Deployment security policy.

    8.  Click Next.

    9.  On the Configure Attack Signatures page, from the Available Systems list box, move the following to the Assigned Systems list box:

        o  Operating Systems > Unix/Linux
        o  Web Servers > Apache and Apache Tomcat
        o  Languages, Frameworks and Applications > PHP
        o  Database Servers > MySQL


    10.  Leave Signature Staging enabled and click Next. 

    11.  Click Finish. The new policy is placed in Transparent mode.

    12.  From the Logging Profile list, select Log all requests.

    13.  Click Save. 

    14.  Click Apply Policy. 

    15.  Click OK. 

    TASK 2 – Verify That Requests are Passing Through ASM

    Use the Reporting page in ASM to verify that requests for the auction Web site are passing through ASM.

    1.  Access the Application Security > Reporting > Requests page.

    2.  Select All Requests.

    3.  Open a new Web browser window and access https://10.10.20.110 .

    4.  View the last five most recent items in the Last created auctions list.


    5.  In the User login section, log in using the username and password you created in Exercise 1, Task 2, step 3.

    6.  Select the Edit data link in the Logged in section on the right side of the page.

    Questions:

    a)  What value is in the Address field?  ________________________

    b)  Why is this value displaying?  ________________________________________________

    7.  Go to the home page, and then buy the Canon Digital Camera.

    8.  Click Logout.

    9.  Edit the URL to https://10.10.20.110/comment.txt .

    10.  Close the auction Web site browser window.

    11.  On the Reporting > Requests page, click Go.

    12.  Verify that requests for several files are displayed.

    Questions:

    c)  Are requests for most .php pages Legal, Illegal, or Blocked?  ____________________

    d)  Are requests for .txt pages Legal, Illegal, or Blocked?  ____________________

    e)  Why aren’t requests for .txt pages being blocked by ASM?  _____________
        _________________________________________________________________

    13.  Select the buy2.php link.

    14.  Select Data Guard: Information leakage detected.

    Question:

    f)  What caused this illegal entry?  ___________________________________

    15.  Close the View Full Request Information window.

    16.  Select the edit_data.php link.

    17.  Select Data Guard: Information leakage detected.

    Question:

    g)  What caused this illegal entry?  ___________________________________

    18.  Close the View Full Request Information window.

    19.  Select all of the items in the Requests List, and then click Clear All.

    20.  Create an archive file named archive_After_5B.

    TASK 3 – View the PCI Compliance Report

    Use the PCI Compliance report to determine where the Web application is missing security required for compliance.

    1.  Access the Application Security > Reporting > PCI Compliance page.

    Question:

    a)  Which requirements are automatically compliant using the Rapid Deployment policy?
        ______________________________________________________________________

    2.  Select Do not use vendor-supplied defaults for system passwords and other security parameters.

    Question:

    b)  Why is this entry not yet in compliance?  _______________________________________

    3.  Click Printable Version.

    4.  View the PDF report.

    5.  Close the PDF report and the configuration utility Web browser.


    F5 Virtual Environment Hands-On Exercise Guide  – Exercise 3  – Tightening a Security Policy 

    EXERCISE 3 – TIGHTENING A SECURITY POLICY

    Your customer would like to use ASM to allow access only to authorized pages, based on file type. The auction Web site only needs to support access to php and gif files.

     

    This exercise builds on the previous exercise; therefore you must complete the previous exercise prior to starting this exercise.

     

      Estimated completion time: 20 minutes. 

    TASK 1 – Configure a Security Policy to Learn About File Types

    Update the Web application’s security policy so that it learns about potentially illegal file types.

    1.  Access and log into your BIG-IP system.

    2.  Access the Application Security > Policy Building > Manual > Traffic Learning page. There are no learned entries other than the Data Guard: Information leakage detected entries.

    3.  Edit the secure_profile security policy.

    4.  Select the Blocking > Settings page.

    5.  In the Access Violations section, in the Illegal file type row, note that the Block check box is currently grayed out.

    Question:

    a)  Why can’t you enable the Block option?  ________________________________
        _________________________________________________________________

    6.  Place the policy in Blocking mode.

    7.  In the Illegal file type row, select the Learn, Alarm, and Block check boxes.


    8.  Note that in the Negative Security Violations section, Data Guard: Information leakage detected is already set to both Learn and Alarm.

    Question:

    b)  Why were these options already set?  __________________________________
        _________________________________________________________________

    9.  Click Save.

    10.  Place the policy back in Transparent mode. Notice that the Block option for Illegal file type is once again grayed out; however, the check box remains selected.

    11.  Click Save.

    TASK 2  – Enable Tightening for File Types 

    Configure ASM to perform tightening for the secure_profile security policy for file types. 

    1.  Access the Application Security > File Types > Allowed File Types page.

    2.  In the Allowed File Types List section, select the * link. 

    3.  Select the Perform Tightening check box. 

    4.  Click Update. 

    5.  Apply the updated policy. 


    TASK 3 – Generate Entries for the Security Policy

    Access the Web site to generate learning suggestions for the security policy.

    1.  Open a new Web browser window and access https://10.10.20.110 .

    2.  View the last five most recent items in the Last created auctions list.

    3.  Log into the Web site.

    4.  Sell an item using the following information:

        Item title           Another bad item
        Item description     <script>alert ("Don’t use this site - go to http://mysite.com");</script>
        Auction starts with  $10
        Country              United States of America
        Zip Code             98119
        Payment methods      MasterCard or Visa
        Choose a category    Arts & Antiques

    5.  Click Submit Query.

    6.  When prompted, enter your Password, and click Submit Query again.

    7.  Click on the Home link, and then click the Your control panel link in the Logged in section.

    8.  Edit the end of the URI to read: ?nick=bobsmith.

    9.  Edit the end of the URI to read: ?nick=*.

    10.  Click Logout.

    11.  In the User login section, in the Username field type:  ' or 1=1#

    12.  Click Go.

    13.  Click the Your control panel link in the Logged in section.

    14.  Click Logout.

    15.  Edit the URL to https://10.10.20.110/comment.txt .

    16.  Close the Web browser.


    TASK 4 – Fine Tune the Security Policy

    Select the file types that are allowed for the Web site and accept them into the security policy.

    1.  Access the Application Security > Policy Building > Manual > Traffic Learning page.

    2.  Select the Attack signature detected link.

    3.  Select the Recent Incidents link for the SQL-INJ entry.

    Question:

    a)  Which URLs are vulnerable to SQL injection?  _______________________________

    4.  Select the login.php link.

    5.  Select the HTTP Request tab.

    Question:

    b)  Which parameter needs to be protected against SQL injection?  ___________________

    6.  Close the View Full Request Information window.

    7.  Return to the Manual Traffic Learning page.

    8.  Select the Illegal file type link.

    Questions:

    c)  Why is there an entry for no_ext?  ____________________________________
        ________________________________________________________________

    d)  Should we allow or block access to pages without an extension, and why?
        _________________________________________________________________

    9.  Select the check boxes for the gif, jpg, no_ext, and php file types, and then click Accept. This allows these file types for this policy.

    10.  Select the check box for the txt file type, and then click Clear.

    11.  In the Confirm Delete window, click OK (NOTE: Do not move txt files to ignored entities).


    12.  Access the Application Security > File Types > Allowed File Types page. The security policy has been updated to allow requests for gif, jpg, and php file types, in addition to requests with no extension.

    13.  In the Allowed File Types List section, select the * check box, and then click Delete.

    14.  Select the gif, jpg, no_ext, and php check boxes, and then click Enforce. This removes these entries from staging.

    15.  Apply the updated policy.

    16.  Open a new Web browser window and access https://10.10.20.110 .

    17.  Select links to navigate through the auction Web site.

    18.  Edit the URL to https://10.10.20.110/comment.txt .

    Questions:

    e)  Were you able to access the comment.txt page?  _________________________

    f)  Why is ASM still allowing access to txt file types?  _______________________
        _________________________________________________________________

    19.  Close the Web browser.

    20.  Access the Traffic Learning page.

    21.  Select the Illegal file type link. Traffic learning still suggests the txt file type; however, the other types are no longer considered illegal file types, as they have already been added to the policy.

    22.  Access the Application Security > Reporting > Requests page.

    Questions:

    g)  Are requests for .txt files Legal, Illegal, or Blocked?  ____________________

    h)  What do you need to configure in ASM to block access to .txt files?
        _______________________________________________________________


    TASK 5 – Modify the Security Policy’s Enforcement Mode

    Modify the security policy, currently configured in Transparent mode, to Blocking mode.

    1.  Edit the secure_profile security policy. 

    2.  Change the Enforcement Mode to Blocking. 

    3.  Click Save, and then apply the updated policy. 

    4.  Open a new Web browser window and access https://10.10.20.110 .

    5.  Edit the URL to https://10.10.20.110/comment.txt .

    6.  Close the Web browser.

    7.  Access the Application Security > Reporting > Requests page.

    Questions:

    a)  Were you able to access the comment.txt page?  _________________________

    b)  Are requests for .txt files Legal, Illegal, or Blocked?  ________________________

    8.  Create an archive file named archive_After_5C.

    TASK 6 – If Time Permits

    If you have extra time, edit the security policy so that the error message displayed when accessing .txt file types reads “For security purposes, you are not allowed to access .txt file types on this Web site. Your support ID is: (the support ID variable)”.
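    The questions in Exercises 2 and 3 all turn on the same decision: why comment.txt is Legal under the Rapid Deployment policy, Illegal once the * wildcard is deleted, and Blocked only after the policy is switched to Blocking mode. The model below is an added example for this guide, not F5's code, and reproduces only the behaviour those exercises let you observe: the file type is the extension after the last dot of the URI path ("no_ext" when there is none), the * entry matches every type, an entry in staging is learned but never blocked (which is what Enforce changes), and an Illegal file type violation is blocked only when the policy is in Blocking mode and Block is ticked for it. The three policy states are the ones you pass through in the lab.

```python
"""Model of how ASM decides whether a request is an Illegal file type.

Added example for this guide, not F5's code: a simplified model of the
Allowed File Types / Blocking Settings behaviour seen in Exercises 2 and 3.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class FileTypePolicy:
    allowed: set = field(default_factory=set)   # explicit Allowed File Types entries
    wildcard: bool = True                        # the "*" entry Rapid Deployment starts with
    staging: set = field(default_factory=set)   # entries accepted but not yet enforced
    enforcement_mode: str = "transparent"        # or "blocking"
    block_illegal_file_type: bool = False        # the Block check box on Blocking > Settings


def file_type(uri):
    """ASM-style file type: the text after the last dot of the last path segment."""
    name = urlsplit(uri).path.rsplit("/", 1)[-1]
    if "." not in name:
        return "no_ext"
    return name.rsplit(".", 1)[-1].lower()


def evaluate(policy, uri):
    """Return (verdict, file_type, reason); the verdict is what the
    Reporting > Requests page shows: Legal, Illegal or Blocked."""
    ftype = file_type(uri)
    if ftype in policy.allowed:
        if ftype in policy.staging:
            return "Legal", ftype, "explicit entry, in staging (learned, never blocked)"
        return "Legal", ftype, "explicit entry, enforced"
    if policy.wildcard:
        return "Legal", ftype, "matched *; tightening would suggest adding this type"
    if policy.enforcement_mode == "blocking" and policy.block_illegal_file_type:
        return "Blocked", ftype, "Illegal file type"
    return "Illegal", ftype, "Illegal file type; not blocked in Transparent mode"


def lab_states():
    """The three policy states you pass through in Exercises 2 and 3."""
    rapid = FileTypePolicy()                                    # Exercise 2: wildcard only
    tightened = FileTypePolicy(allowed={"gif", "jpg", "no_ext", "php"},
                               wildcard=False,
                               block_illegal_file_type=True)    # Exercise 3, Task 4
    blocking = FileTypePolicy(allowed={"gif", "jpg", "no_ext", "php"},
                              wildcard=False,
                              block_illegal_file_type=True,
                              enforcement_mode="blocking")      # Exercise 3, Task 5
    return {"rapid_deployment": rapid,
            "tightened_transparent": tightened,
            "tightened_blocking": blocking}


if __name__ == "__main__":
    for name, policy in lab_states().items():
        for uri in ("https://10.10.20.110/", "/index.php?nick=*", "/comment.txt"):
            verdict, ftype, reason = evaluate(policy, uri)
            print(f"{name:22} {uri:28} {ftype:7} {verdict:8} {reason}")
```

    Two details the model makes explicit: the query string never contributes to the file type (a request for /index.php?nick=a.txt is still type php), and deleting the wildcard without also switching to Blocking mode only changes the report from Legal to Illegal, which is the answer to the "why is ASM still allowing access" question in Task 4.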


    F5 Virtual Environment Hands-On Exercise Guide  – Exercise 4  – Using Automatic Policy Building 

    EXERCISE 4 – USING AUTOMATIC POLICY BUILDING

    You would like to experiment with methods to save your customer time when building a security policy for the auction Web site.

    This exercise builds on the previous exercise; therefore you must complete the previous exercise prior to starting this exercise.

      Estimated completion time: 20 minutes.

    TASK 1 – Create a New Security Policy Using Automatic Policy Building

    You will create a new security policy for the Web application using Automatic Policy Building.

    1.  Access and log into your BIG-IP system.

    2.  Create a new HTTP Class profile named policy_builder_profile with Application Security Enabled.

    3.  Associate the new HTTP Class profile with the auction_vs virtual server. Ensure that policy_builder_profile is above secure_profile.

    4.  Access the Active Policies page.

    5.  For the policy_builder_profile policy, select Configure Security Policy.

        NOTE: If you get an error message that the Deployment Wizard is already running, click Cancel, then select the policy_builder_profile [v1], then click Reconfigure, then click Run Deployment Wizard.

    6.  Leave the Create a policy automatically (recommended) option selected, and then click Next.

    7.  From the Security Policy Language list box, select Unicode (utf-8), and then click Next.

    8.  On the Configure Attack Signatures page, from the Available Systems list box, move the following to the Assigned Systems list box:

        o  Operating Systems > Unix/Linux
        o  Web Servers > Apache and Apache Tomcat
        o  Languages, Frameworks and Applications > PHP
        o  Database Servers > MySQL

    9.  Click Next.

    10.  From the Policy Type list, select Comprehensive.


    11.  Slide the Policy Builder learning speed control to Fast. Note that this changes the chance of adding false positives to the policy to High.

    12.  From the Trusted IP Addresses list, select Address List.

    13.  In the IP Address box, enter 10.10.20.1.

    14.  In the Netmask box, enter 255.255.255.255, and then click Add.

    15.  Click Next.

    16.  Click Finish. The Policy Building: Automatic: Status page displays.

    17.  Apply the new policy. This places the policy in blocking mode.

    TASK 2  – Create Learning Suggestions for Automatic Policy Building 

    Generate learning suggestions for automatic policy building for the Web application. 

    1.  Open a new Web browser window and access https://10.10.20.110 .

    2.  View the last six most recent items in the Last created auctions list.

    3.  In the User login section, log in using the username and password you created in Exercise 1, Task 2, step 3.

    4.  Click the Your control panel link in the Logged in section.

    5.  Edit the end of the URI to read: ?nick=bobsmith.


    6.  Edit the end of the URI to read: ?nick=*.

    7.  Click Logout.

    8.  In the User login section, in the Username field type:  ' or 1=1#

    9.  Click Go.

    10.  Edit the URL to https://10.10.20.110/comment.txt .

    11.  Close the Web browser.

    Questions:

    a)  Why are you now able to access txt file types?  _______________________
        _____________________________________________________________

    b)  Is Data Guard currently enabled?  _________________

    12.  The policy builder begins to analyze the traffic. After several seconds, the policy builder begins learning file types, URLs, parameters, and cookies. In the Detail section, select File Types > Staging.

    13.  For the gif, jpg, no_ext, and php entries, click the corresponding Enforce button.

    14.  Select Parameters > Staging. Multiple parameters are currently in staging.

    15.  Access the Application Security > Policy Building > Automatic > Log page. The log includes an entry for each event or action that the Policy Builder makes to the policy.

    16.  Access the Application Security > Policy Building > Automatic > Configuration page.

    17.  Disable the Real Traffic Policy Builder.

    18.  Click Save, and then apply the updated policy.

    TASK 3  – View and Update the Security Policy 

    Reset the Web application by selecting the security policy that you created in the previous labs. 

    1.  View the Allowed File Types page, and then delete the wildcard entry.

    Questions:

    a)  Is there another entry that should be deleted?  _______________________

    b)  Why was the txt file type added to the policy?  __________________________
        _________________________________________________________________

    2.  Delete the txt file type entry.

        NOTE: If there are any other entries on this page, delete them as well.

    3.  View the Parameters List page, and then delete the wildcard entry.

    4.  Select the check boxes for the nick and username entries, and then click the Enforce button.

    5.  Select the nick parameter entry.

    6.  From the Parameter Value Type list box, select Dynamic content value, and then click Update.

    7.  In the Message from webpage dialog box, click OK.

    8.  Select the File Types check box, then select php from the list box, and then click Add.

    9.  Select the URLs check box, then select HTTP from the list box, then enter index.php in the text field, and then click Add.

    10.  Click Create, and then click Update.

    11.  Select the Application Security > Attack Signatures > Attack Signatures Configuration page.

    12.  Disable Signature Staging.

    13.  Click Save, and then apply the updated policy.

    TASK 4  – Test the Updated Policy 

    Access the Auction Web site and make attempts that violate the policy. 

    1.  Open a new Web browser window and access https://10.10.20.110 .

    2.  In the User login section, log in using the username and password you created in Exercise 1, Task 2, step 3.

    3.  Click the Your control panel link in the Logged in section.

    4.  Edit the end of the URI to read: ?nick=bobsmith.


    5.  Click the Back button. 

    6. 

    Select the Sell an item link. 

    7. 

    Sell an item using the following information: 

    Item title  Not this item 

    Item description 

     

    alert ("Don’t use this site - go to 

    http://mysite.com");  

     

    8. 

    Auction starts with  $10 

    Country  United States of America 

    Zip Code  98119 

    Payment methods  MasterCard or Visa 

    Click Submit Query. 

    9. 

    Click the Back button. 

    10.  Click Logout. 

    11.  In the User login section, in the Username field type: 

    12. 

    ' or 1=1# 

    Click Go. 

    13.  Edit the URL to https://10.10.20.110/comment.txt . 

    14.  Close the Web browser. 

    15. Questions: 

        a)  Is the Web site protected against unacceptable file types (.txt files)?  ______________ 

        b)  Is the Web site protected against data leakage?  _______________ 

        c)  Is the Web site protected against cross-site scripting?  _______________ 

        d)  Is the Web site protected against SQL injection?  _________________ 

        e)  Is the Web site protected against parameter tampering?  ________________ 

    16. Access the Application Security > Data Guard page. 

        →NOTE: Ensure the current edited policy is policy_builder_profile. 

    17. Enable Data Guard for credit card numbers, social security numbers, and ensure that you mask data being sent back to users. Click Save, and then apply the updated policy. 
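    The Data Guard setting above masks sensitive values in responses before they reach the client. The following is an added illustration of that idea, not code from the exercise guide or from F5: it scans a constructed response body for card-number candidates, confirms them with a Luhn check so that ordinary long numbers are left alone, and masks card numbers and US social security numbers down to their last four digits. The sample body, the regular expressions and the masking style are the example's own assumptions, not ASM's implementation. 

```python
import re

# Constructed sample response body for the example (not captured from the lab site).
# It carries one valid card number, one SSN, and a 16-digit order number that is
# not a valid card number and must survive unmasked.
SAMPLE_BODY = (
    "Welcome back, bobsmith. Card on file: 4111 1111 1111 1111, "
    "SSN 123-45-6789, order #4111111111111112 shipped."
)

# 13 to 19 digits, optionally separated by single spaces or hyphens (assumed format).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US social security number in the common ddd-dd-dddd form (assumed format).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_card(match: "re.Match[str]") -> str:
    """Mask all but the last four digits of a Luhn-valid card number, keeping separators."""
    raw = match.group(0)
    digits = re.sub(r"\D", "", raw)
    if not luhn_ok(digits):
        return raw              # long number but not a card: leave it untouched
    keep_from = len(digits) - 4
    out, seen = [], 0
    for ch in raw:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > keep_from else "*")
        else:
            out.append(ch)      # preserve the original spacing/hyphens
    return "".join(out)


def mask_ssn(match: "re.Match[str]") -> str:
    """Mask an SSN down to its last four digits."""
    return "***-**-" + match.group(0)[-4:]


def scrub(body: str) -> str:
    """Apply card and SSN masking to a response body, Data Guard style."""
    body = CARD_RE.sub(mask_card, body)
    return SSN_RE.sub(mask_ssn, body)


if __name__ == "__main__":
    print(scrub(SAMPLE_BODY))
```

    Because the card check validates with Luhn before masking, the order number in the sample survives while the card number and SSN are scrubbed; this is the distinction the exercise is driving at when it asks you to adjust the blocking settings so data is masked but the page itself is still served. 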


    18.  Open a new Web browser window and access https://10.10.20.110 . 

    19. In the User login section, login using the username and password you created in Exercise 5A, task 2, step 3. 

    20. Click the Your control panel link in the Logged in section. 

    21. Questions: 

        f)  What response did you receive?  _______________________________________ 

        g)  Why did you receive this response?  ______________________________________ 
             ____________________________________________________________________ 

        Close the Web browser. 

    22.  Adjust the blocking settings so that data is indeed scrubbed, but that the page itself isn’t blocked. 

    23. Apply the policy and test again. 

    24. Once the page displays with credit cards and social security numbers being scrubbed, create an archive file named archive_After_5D. 


    F5 Virtual Environment Hands-On Exercise Guide  – Exercise 5  – Protecting Against Web Scraping 

    EXERCISE 5  – PROTECTING AGAINST WEB SCRAPING 

    Your customer is concerned about malicious Web scraping attacks and would like to configure the policy on ASM to prevent potential attacks. 

    This exercise builds on the previous exercise; therefore you must complete the previous exercise prior to starting this exercise. 

      Estimated completion time: 15 minutes 

    TASK 1  – Use iMacros to Record and Play a Lengthy Visit to the Auction Web Site 

    Use iMacros for Firefox to record and play back a series of requests to the auction Web site. 

    1.  Open Mozilla Firefox and access https://10.10.20.110 . 

    2.  In the iMacros pane, select the Rec tab, and then click Record. 

    3.  Select links to navigate through the auction Web site (be sure to record a lengthy visit to the Web site, at least 20 clicks, however don't log in or purchase an item). 

    4.  Click Stop. 

    5.  Save the iMacro as webscraping_example. 

    6.  In the iMacros pane, select the Play tab. 

    7.  Select webscraping_example.iim. 

    8.  In the Max box, type 10 , and then click Play (Loop). 

    Question: 

    a)  Is ASM protecting against potential Web scraping attacks?  ________________ 

    TASK 2  – Configure Web Scraping Detection and Protection 

    Configure ASM to detect and protect against potential Web scraping attacks, and then update the policy to learn and alarm about possible Web scraping attacks. 

    1.  Access and log into your BIG-IP system. 

    2.  Access the Application Security > Anomaly Detection > Web Scraping page. 

    3.  Ensure that the Current edited policy is policy_builder_profile. 

    4.  Select the Enable Web Scraping Detection check box. 

    5.  Edit the Web Scraping Detection Configuration settings as follows: 

        Grace Interval    5 requests 
        Unsafe Interval   10 requests 
        Safe Interval     20 requests 

    6.  Click Save. 


    7.  Verify that the blocking settings for the policy_builder_profile policy for Web scraping detected include Learn and Alarm. 

    8.  Click Save, and then apply the updated policy. 

    9.  Use Firefox to play the webscraping_example.iim macro 10 times. 

    10. In the BIG-IP configuration utility, access the Traffic Learning page. 

    11. Select the Web scraping detected link. 

    12. Note that all occurrences came from your client IP address. 

    Questions: 

    a)  How many total entries were reported to ASM?  ________________ 

    b)  Why didn't ASM block this user after detecting Web scraping?  _________________________________________________________________ 

    Select the Reporting > Requests page. 

    Question: 

    c)  Are recent requests for pages Legal, Illegal, or Blocked?  _____________________ 

    TASK 3  – Update the Policy to Block Web Scraping 

    Update the policy to block detected Web scraping attacks. 

    1.  Edit the policy_builder_profile blocking settings to block detected Web scraping. 

    2.  Click Save, and then apply the updated policy. 

    3.  Use Firefox to play the webscraping_example macro 10 times. 

    4.  Questions: 

        a)  Was the Web scraping attack successful?  ________________ 

        Close Firefox. 
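    Tasks 2 and 3 turn on the same detection twice with different blocking settings: first Learn and Alarm, then Block. The added example below, which is not part of the exercise guide and is not F5's algorithm, models that difference with a simple per-client request counter run over constructed log lines. A client's first few requests are never flagged (a grace allowance), and a burst of requests inside a short window counts as scraping; the grace and unsafe thresholds borrow the lab's values of 5 and 10 requests as assumed inputs, and the 30-second window is likewise an assumption. The verdict then depends only on which blocking flags are set, which is the point of the two tasks. 

```python
from collections import defaultdict, deque

# Constructed access-log lines in the form "timestamp client_ip method path".
# The first client replays a recorded visit rapidly; the second browses slowly.
SAMPLE_LOG = """\
0 10.10.20.50 GET /
1 10.10.20.50 GET /browse.php?cat=1
2 10.10.20.50 GET /item.php?id=11
3 10.10.20.50 GET /item.php?id=12
4 10.10.20.50 GET /item.php?id=13
5 10.10.20.50 GET /item.php?id=14
6 10.10.20.50 GET /item.php?id=15
7 10.10.20.50 GET /item.php?id=16
8 10.10.20.50 GET /item.php?id=17
9 10.10.20.50 GET /item.php?id=18
10 10.10.20.50 GET /item.php?id=19
12 10.10.20.77 GET /
40 10.10.20.77 GET /item.php?id=11
"""

# Assumed thresholds for this model; they reuse the lab's interval values as numbers
# but do not reproduce ASM's own detection logic.
GRACE_REQUESTS = 5      # a client's first N requests are never flagged
UNSAFE_REQUESTS = 10    # N or more requests inside WINDOW_SECONDS counts as scraping
WINDOW_SECONDS = 30


def detect(log: str, blocking: set) -> list:
    """Classify each request as 'legal', 'illegal' (alarmed, still served) or 'blocked'.

    blocking is the set of enabled flags for the violation: any of
    {"learn", "alarm", "block"}, mirroring the policy's blocking settings.
    """
    windows = defaultdict(deque)   # ip -> timestamps inside the sliding window
    totals = defaultdict(int)      # ip -> lifetime request count (for the grace allowance)
    results = []
    for line in log.splitlines():
        ts_s, ip, _method, path = line.split(" ", 3)
        ts = int(ts_s)
        totals[ip] += 1
        window = windows[ip]
        window.append(ts)
        while window and ts - window[0] > WINDOW_SECONDS:
            window.popleft()
        detected = totals[ip] > GRACE_REQUESTS and len(window) >= UNSAFE_REQUESTS
        if not detected:
            verdict = "legal"
        elif "block" in blocking:
            verdict = "blocked"          # request is rejected
        elif "alarm" in blocking:
            verdict = "illegal"          # logged as a violation but still served
        else:
            verdict = "legal"            # learn only: a suggestion is recorded, nothing is flagged
        results.append((ts, ip, path, verdict))
    return results


def count_detected(results: list) -> int:
    """Number of requests that were reported as scraping (alarmed or blocked)."""
    return sum(1 for _ts, _ip, _path, verdict in results if verdict != "legal")


if __name__ == "__main__":
    for flags in ({"learn", "alarm"}, {"learn", "alarm", "block"}):
        out = detect(SAMPLE_LOG, flags)
        print(sorted(flags), count_detected(out), "detected")
        for row in out:
            print("  ", row)
```

    With Learn and Alarm only, the flagged requests are reported as illegal yet still reach the site, which is why the scraping macro completes in Task 2; adding Block changes the verdict for exactly those requests without touching the slow client's traffic. 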

    TASK 4  – Resetting the BIG-IP 

    Reset the BIG-IP system by restoring your archive file. 

    1.  Create an archive file named archive_After_5E. 

    2.  Once the archive is complete, restore using the archive_After_1D archive file.