F5 Networks Training
BIG-IP® Application Security Manager™ v10 Student Guide
BIG-IP® ASM Student Guide - © 2009 F5 Networks, Inc.

Table of Contents

Module 1: Installation & Initial Access
  BIG-IP ASM Overview
  Licensing and the Setup Utility
  Provisioning
  Installation and Setup Labs
  Lab - Installation and Setup Labs
  Lab - Licensing System Lab
  Lab - Setup Utility Lab
  Lab - Configuration Utility Lab
  Lab - Configuration Backup Lab
  Lab - Provisioning Lab
Module 2: Web Application Concepts
  Web Application Basics Overview
  Web Page Components
  HTTP Concepts
  HTTP Request Components
  HTTP Headers
  Using Fiddler
  Lab - Fiddler Lab
Module 3: Web Application Vulnerabilities
  Web Application Vulnerabilities Overview
  Risk Mitigation and ASM
  Lab - HTTP Vulnerability Lab
Module 4: ASM Application Configuration
  Configuration Components
  Enabling ASM HTTP Class
  Virtual Servers
  SSL Termination
  HTTP Request Flow
  Lab - ASM Application Configuration Lab
Module 5: Security Policy Overview
  Security Policy Properties
  Policy Enforcer
  Security Policy Configuration
  Security Policy Components
  Lab - File Access Lab
  Lab - URL Lab
  Lab - Attack Signatures Lab
  Lab - Data Guard Lab
  Anomaly Detection
Module 6: Traffic Learning
  Learning Concepts
  Violations
  Reporting Concepts
  Lab - Traffic Learning Lab
  Lab - Reporting Lab
Module 7: Parameters
  Parameter Basics
  Parameter Types
  Parameter Levels
  Learning Parameters
  Lab - Parameter Lab
Module 8: Security Policy Builder
  Policy Builder
  Wildcard Entities
  Policy Building Methodology
Module 9: Security Policy Building Tools
  Deployment Wizard Concepts
  Lab - ASM Deployment Wizard Lab
  Policy Wizard
  Policy Building Using Manual Process
  Lab - ASM Policy Wizard Lab
Module 10: Application Ready Security Policy
  Application Ready Security Policy
  Lab - Application Ready Security Policy Lab
Module 11: XML and Web Services
  XML Concepts
  Web Services
  Implementing Security Policy for Web Services
  Lab - XML and Web Services Lab
Module 12: Protocol Security Manager
  Protocol Security Manager Overview
  Protocol Security Manager for FTP Traffic
  Protocol Security Manager for SMTP Traffic
  Protocol Security Manager for HTTP Traffic
  Protocol Security Manager Statistics
  Configuring Protocol Security Manager
  Lab - Protocol Security Manager FTP Lab
Module 13: Logs and Logging Profiles
  Log Files
  Logging Profiles
  Lab - Remote System Log Server Lab
Module 14: Administering ASM
  User Management
  Syncing Configurations
  Upgrading to v10
  Lab - Administration Labs
Module 15: Configuration Lab Project
  Configuration Lab Project
Appendix A - BIG-IP Installation Topics
Appendix B - New Features and Enhancements
  New Features for ASM v10
  New Features for ASM 9.x
Appendix C - Additional Topics
  Trace Capturing using HttpWatch
  Regular Expressions
  Writing Rules for User-defined Attack Signatures
Appendix D - Configuration Lab Project (Helpful Hints)
PowerPoint Slides Printout

Module 1 - Installation & Initial Access

BIG-IP ASM (Application Security Manager) Overview

Lesson Objective: During this lesson, you will learn the basic functionality of the BIG-IP Application Security Manager (ASM) System and how it operates in the network. You will also learn some of the different platforms and service levels of the BIG-IP ASM System.

Overview of the BIG-IP ASM System

The BIG-IP ASM is an application switch platform that provides Web application and Web services protection against a variety of security threats. The Application Security Manager protects Web applications from both generalized and targeted application layer attacks such as buffer overflow, SQL injection, cross-site scripting, and parameter tampering. The Application Security Manager also validates WSDL and XML schema files within a Web service and deploys attack signatures for XML.

(Figure: BIG-IP ASM deployed between the Internet and the protected Web application.)

Features: protection against the following attacks:
• Manipulation of cookies or hidden fields
• Insertion of SQL commands or HTTP structures into user input fields in order to expose confidential information or to deface content.
• Malicious exploitation of the application memory buffer to stop services, to get shell access and to propagate worms.
• Unauthorized changes to server content using the HTTP DELETE and PUT methods.
• Attempts aimed at causing the web application to be unavailable or to respond slowly to legitimate users.
• Forceful browsing
• Unknown threats, also known as zero-day threats.
• Brute force and Denial-of-Service (DoS) attacks

Integrated platform guaranteeing the delivery of secure application traffic
Built on F5 Networks' award-winning TMOS architecture, the ICSA-certified, positive security Application Security Manager is fully integrated with the BIG-IP Local Traffic Manager.

Attack Signatures
Attack signatures are rules and patterns that identify attacks or classes of attacks on a web application or web service. Attack signatures are the basis of negative security and can be applied to requests and responses (mostly for web applications).

Positive Security Model
The Application Security Manager creates a robust positive security policy to protect web applications from targeted web application layer threats. The positive security model is based on a combination of valid user session context and valid user input, as well as a valid application response.

Real-Time Traffic Policy Builder
There are various ways to build a security policy using ASM. The Deployment Wizard automates several essential configuration tasks and allows you to build a security policy based on your environment, whether it is a production or QA scenario. The Security Policy Wizard allows for creation of a security policy manually, using wildcard entities, or automatically, using live traffic or system-generated traffic.

Pre-defined security policy templates
ASM contains pre-defined policy templates that address the security needs of a specific web application or web service. ASM automatically populates the security policy with settings and optimizations that are specific to the corresponding web application.
ASM supports pre-defined templates for Microsoft OWA, SharePoint, PeopleSoft, Lotus Domino, Oracle, and SAP NetWeaver platforms.

Configurable security levels
The Application Security Manager offers varying levels of security, from general protection of website elements such as file types and characters, to tailored, highly granular, application-specific security policies. This flexibility provides enterprises the ability to choose the level of security they need, and reduce management costs based on the level of protection and risk acceptable to their business.

BIG-IP ASM Hardware Platforms

BIG-IP ASM Systems provide application security within the framework of BIG-IP TMOS. ASM can be deployed as a standalone product or as a module within the BIG-IP traffic management system. The Application Security Module is available on the 6400 or higher platforms. The Application Security standalone product is available on the 8900, 3600 and 4100 platforms. The BIG-IP 3600, 6900 and 8900 platforms support both standalone and modular deployments.

NOTE: For current information, go to http://www.f5.com/

BIG-IP ASM 8900 Series
The BIG-IP 8900 can run the standalone and modular versions of ASM. The BIG-IP ASM 8900 platform is a high availability, intelligent traffic management product. The 8900 comes with two quad-core processors, 16 10/100/1000 Ethernet ports, 8 gigabit fiber (SFP) ports and 2 10-Gigabit (SFP+) ports. Additionally, it provides hardware compression, integrated SSL (both key and bulk encryption) and an LCD panel for management. The 8900 is a 2-U chassis.

BIG-IP ASM 8800 Series
The BIG-IP 8800 can run the modular version of ASM. The BIG-IP ASM 8800 platform is a high availability, intelligent traffic management product. The 8800 comes with symmetrical multiprocessing across four processor cores, an advanced Packet Velocity ASIC (PVA 10), 12 copper or fiber gigabit Ethernet ports and 2 10-Gigabit fiber ports. Additionally, it has both a CompactFlash and a hard drive, integrated SSL
(both key and bulk encryption) and an LCD panel for management. The 8800 is a 2-U chassis.

BIG-IP ASM 8400 Series
The BIG-IP 8400 can run the modular version of ASM. The BIG-IP ASM 8400 platform is a high availability, intelligent traffic management product. The 8400 comes with dual 2.2 GHz processors, an advanced Packet Velocity ASIC, 16 10/100/1000 copper Ethernet ports and two 10-Gigabit fiber ports. Additionally, it has both a CompactFlash and a hard drive, integrated SSL (both key and bulk encryption) and an LCD panel for management. The 8400 is a 2-U chassis.

BIG-IP ASM 6900 Series
The BIG-IP 6900 can run the standalone and modular versions of ASM. The BIG-IP ASM 6900 platform is a high availability, intelligent traffic management product. The 6900 comes with two quad-core processors, 16 10/100/1000 Ethernet ports, and 8 gigabit fiber (SFP) ports. Additionally, it provides hardware compression, integrated SSL (both key and bulk encryption) and an LCD panel for management. The 6900 is a 2-U chassis.

BIG-IP ASM 6800 Series
The BIG-IP 6800 can run the modular version of ASM. The BIG-IP ASM 6800 platform is a high availability, intelligent traffic management product. The 6800 comes with dual 2 GHz processors, an advanced Packet Velocity ASIC, 16 10/100/1000 copper Ethernet ports and up to 4 gigabit fiber ports. Additionally, it has both a CompactFlash and a hard drive, integrated SSL (both key and bulk encryption) and an LCD panel for management. The 6800 is a 2-U chassis.

BIG-IP ASM 6400 Series
The BIG-IP 6400 can run the modular version of ASM. The BIG-IP ASM 6400 platform is a high availability, intelligent traffic management product. The 6400 comes with dual 1.6 GHz processors, an advanced Packet Velocity ASIC, 16 10/100/1000 copper Ethernet ports and up to 4 gigabit fiber ports. Additionally, it has both a CompactFlash and a hard drive, integrated SSL (both key and bulk encryption) and an LCD panel for management.
The 6400 is a 2-U chassis.

BIG-IP ASM 4100 Series
The BIG-IP 4100 runs the standalone version of ASM. The BIG-IP ASM 4100 offers dual processors, integrated SSL, and a hard drive. The 4100 switchboard components consist of the SCC, an advanced Packet Velocity ASIC 2, and Broadcom switch chips. Note that the 4100 does not support CompactFlash. The 4100 comes equipped with 4 10/100/1000 copper Ethernet ports and 2 gigabit fiber ports. For management of the 4100, the management port, console interface or LCD panel can be used. The 4100 also comes equipped with a USB port. The 4100 is a 2-U chassis.

BIG-IP ASM 3600 Series
The BIG-IP 3600 can run the standalone or modular version of ASM. The BIG-IP ASM 3600 platform is a high availability, intelligent traffic management product. The 3600 comes with a 2.13 GHz dual-core processor, Packet Velocity ASIC, 8 10/100/1000 copper Ethernet ports and 2 gigabit fiber ports. Additionally, it has both an 8 GB CompactFlash and a 160 GB hard drive, integrated SSL (both key and bulk encryption) and an LCD panel for management. The 3600 is a 1-U chassis.

BIG-IP VIPRION®
VIPRION is the first application delivery controller that scales on demand. It provides the highest levels of throughput and transactions per second available using the F5 TMOS™ platform to deliver massive performance and scalability for BIG-IP® Application Security Manager™. This single, powerful controller uses modular performance blades you can add or remove without disrupting your applications. Instead of adding more devices in the network and segmenting applications, you can simply add more power to your existing infrastructure as needed. A fully loaded VIPRION system with four blades delivers performance that is orders of magnitude greater than anything else you will find on the market. Each of the blades includes 2 dual-core processors, 8 GB RAM, 8 gigabit copper ports, 12 gigabit fiber ports, and up to 2 10-gigabit fiber ports.
Licensing and the Setup Utility

Lesson Objective: During this lesson, you will learn the purpose and function of the various tools that provide initial access, licensing, and ongoing configuration of your BIG-IP System. At the end of this module, you will have a licensed BIG-IP System with the Application Security Manager enabled. Additionally, you will have secure access to both the Command Line Interface (CLI) and the Web-based Configuration Utility of the BIG-IP System.

Initial setup tools

There are three tools you can use to set up a BIG-IP System:
1. Config utility - CLI utility that allows the initial configuration of the IP address, netmask and default route of the Management port. It is run from the serial console or an SSH session.
2. Licensing - GUI process that licenses the system from the Configuration Utility.
3. Setup Utility - GUI process that sets Administrative access and Network settings from the browser.

(Figure: port layout of the chassis.)

Management Port IP Address

The system's management port has a factory-set IP address (192.168.1.245/24), but it is likely that you will need to change the address to one appropriate to your network. The default IP address is on the administrative interface and has no default route. The IP address can be changed, or a default route added, either through a command line tool or the LCD panel.

Changing the default IP address via the Config Utility

Although it is not required, the IP address on the management port can be changed prior to licensing the system. This can be accomplished either via an SSH session or the serial console. When this tool is run, the IP address, netmask, and default route can be set so that system licensing can be performed more easily. If this is not set up, licensing can be performed via the manual process.

Initial CLI access is usually established through a serial console session. To run the tool, log on as the root user; the default password is default. After logging in, type config at the command line.
You will be asked to enter a system IP address, netmask and default route, and then to confirm the choices.

Changing the default IP address via the LCD

You can also change the IP address via the LCD panel. Pressing the red X button accesses the system menus, through which the IP address, mask and default route are set. Once the BIG-IP has access to the network, a license can be obtained.

License Administration

Once you install the BIG-IP ASM System software and connect it to the network, you need a valid license certificate to activate the software. To obtain a license certificate, you need to provide two items to the license server: a registration key and a dossier. The dossier is a list of unique characteristics of your system as well as the registration key associated with your purchase.

• The registration key for version 10.0 is a 27-character string. Customers with existing hardware and maintenance will receive the key by email. New hardware is shipped with that customer's registration key in the file /config/RegKey.license. The registration key lets the license server know which F5 products you are entitled to license.
• The dossier is obtained from the software, and is an encrypted list of key characteristics used to identify the platform. Multiple system settings are stored in the dossier, including the system time. If needed, set the system clock to the current local date and time prior to creating the dossier.

In general, these are the steps to obtain the license:
1. Access the BIG-IP System.
2. Enter the Registration Key.
3. Access the Dossier.
4. Send the Registration Key and Dossier to the license server.
5. Install the bigip.license file.
6. Reboot the BIG-IP.

NOTE: The registration key file will be lost when you upgrade to new versions of BIG-IP software. You should save this file to a separate location before upgrading. You can also acquire registration keys from F5 support if you supply the appropriate serial number.
Use one of the following methods to obtain a license:

Automatic license activation via the Configuration Utility
This method automatically retrieves and submits the dossier to the F5 license server and installs the signed license certificate. In order for you to use this method, the BIG-IP System must have an appropriate IP address and default route and be on a network with Internet access. The Setup Utility may be used to configure the network settings on the system.

Manual license activation via the Configuration Utility
Once the address is set:
1. Connect to https://<management IP address>
2. Log in as "admin" with a password of "admin".
3. Step through the License process.
4. Enter the Registration Key.
5. Click the Manual link.
6. Copy the Dossier to the client machine.
7. Connect the client machine to the Internet and connect to https://activate.f5.com. Copy in the dossier and enter the Registration Key when prompted, to receive the BIG-IP System license.
8. Connect the client machine to the BIG-IP System network and connect to the BIG-IP System.
9. Install the license file in the /config directory.
10. Reboot the system.

What the Setup utility does

The Setup utility helps you quickly define basic system settings, such as a root password and the IP addresses for the interfaces that connect the BIG-IP System to the network. The Setup utility also helps you configure access to the BIG-IP Web server, which hosts the Web-based F5 Configuration utility. Some of the items that will be entered during the Setup utility include the following:
• Self IP addresses and netmasks for VLANs
• Assignment of interfaces to VLANs
• IP address of the default route
• Root password for the BIG-IP System Command Line Interface (CLI)
• Administrative username and password for the BIG-IP Configuration Utility
• IP address (or range of IP addresses) allowed for SSH
The Setup utility creates many files that store basic BIG-IP system configuration settings, including:
• /etc/hosts.allow
• /config/httpd/conf/httpd.conf
• Interface and configuration files
• /config/bigip.conf
• /config/bigip_base.conf
• /config/BigDB.dat

Accessing the Setup utility

The Setup utility can be accessed once the system is licensed. It can be run via the management port's default address, or via an alternate address added with the config utility or the LCD. Once Setup is complete, the BIG-IP System will use the addresses specified through the Setup Utility.

The Web Configuration Utility (GUI)

The Web Configuration utility is a browser-based interface that uses SSL and access control lists to provide secure real-time configuration. This secure interface is provided by the BIG-IP running the Apache web server with OpenSSL. You should use this utility to change the BIG-IP System's configuration for the following reasons:
• The learning curve is smaller because it is easier to use and more intuitive.
• It minimizes the chance of configuration error. Input is checked and errors are reported immediately.
• Changes are effective immediately (no restarting of processes or re-reading of configuration files) and the changes are reflected immediately in the configuration files.
• It is easier to access: more people have browsers installed on their systems than SSH clients.

Accessing the Web Configuration Utility

In the BIG-IP Configuration utility, you can configure many Local Traffic Manager features, such as virtual servers, pools, NATs, and Secure NATs. These are discussed in great detail in the BIG-IP LTM Essentials course. With ASM installed and licensed, you can configure ASM's applications and policies. Note that ASM's GUI is PHP-based, as opposed to the BIG-IP web interface, which is written in JSP. The BIG-IP Configuration utility requires Netscape Navigator version 4.7 or later, or Microsoft Internet Explorer version 5.0 or later.

Steps to Access the Web Configuration Utility:
1.
Enter the IP address (https://<address>) in a web browser. This address could be the administrative address or one of the BIG-IP ASM self IP addresses.
2. When you connect to the F5 Configuration Utility for the first time during any browser session, the Web browser will alert you that the SSL connection will use a security certificate that was not authorized by a certificate authority. This is normal behavior, since the BIG-IP System creates a self-signed certificate as part of the Setup utility. Select Yes at the prompt "Do you want to proceed?" Where possible, confirm the certificate's fingerprint through the serial console before accepting it, because accepting an unverified certificate on an untrusted network exposes the administrative credentials to interception.
3. You are next prompted for a username and password. Enter the username and password you configured during the Setup utility. This will open the BIG-IP Configuration utility's home page.

(Figure: the BIG-IP Configuration utility Welcome page.)

The Welcome page of the BIG-IP Configuration utility contains a variety of useful information. You can enter the BIG-IP Configuration utility to configure and monitor your BIG-IP System, access additional setup options, download the BIG-IP MIB, or link to F5 Networks' online information database, AskF5.

Command Line Access through the Serial Console

All BIG-IP platforms have serial console access. For switches, the default setting is N-8-1 at 19,200 bps. Prior to the Setup utility, only the "root" user has access; after the Setup utility the "root" user will have access and "admin" can be added by selecting the console access option. The "support" user will have access if it was added during setup.

Command Line Access through SSH

The BIG-IP System software ships with an SSH server that provides users with secure login connections, file transfer, and TCP/IP connections over the network.
The server uses cryptographic authentication, automatic session encryption, and integrity protection for all transferred data. As part of the Setup utility the administrator can choose to disable SSH access or limit SSH access to specified IP addresses. While "root" has SSH access by default, "admin" can be configured to have SSH access.

Backing Up the BIG-IP ASM Configuration

BIG-IP Systems can be backed up to a ".ucs" file. The extension is an acronym for "User Configuration Set". This file is composed of a series of files combined into a single compressed file that can be stored on the BIG-IP ASM or copied to another system. When backing up ASM, a .ucs file is created. Note that Requests data is not backed up to the .ucs file.

Provisioning

Lesson Objective: During this lesson, you will learn the purpose and function of provisioning. At the end of this module, you will have verified that the BIG-IP system is provisioned for all licensed modules that you want to use.

Overview

Provisioning is a new management feature that supports the installation and configuration of the many modules available with BIG-IP. Provisioning gives you some control over the resources, both CPU and RAM, that are allocated to each licensed module. You may want, for example, to minimize the resources available to ASM on a system licensed for LTM and ASM.

(Figure: the Resource Provisioning screen.)

Since all modules have some reliance on both management (Linux) and local traffic features, those will always be provisioned. Other modules must be manually provisioned prior to configuration. When you provision the modules, you choose between four levels of resources: Dedicated, Nominal, Minimum and None.
• Dedicated is designed for situations where only one module is functional on the system, such as GTM.
• Nominal gives the module its minimum functional resources and distributes additional resources to the module if they are available. It is designed to give modules a good amount of the system resources.
• Minimum gives the module its minimum functional resources and distributes additional resources to other modules. It is designed to allow the maximum number of modules to co-exist on a system.
• None is designed for situations where another module needs dedicated access to resources.

When installing ASM as a standalone system, ASM provisioning will be assigned as Dedicated. Even though this is the case, some memory and CPU resources will be allocated to LTM.

Installation and Setup Labs

Objective:
• Configure management access to the BIG-IP System
• License the BIG-IP System
• Access the configuration tools of the BIG-IP System
• Add an additional user on the BIG-IP System
• Estimated Time: 30 minutes

Changing the Initial IP Address

Objective: Set the management port's IP address for initial network access.
Estimated time for completion: 30 minutes

Lab Requirements:
• System default userid and password (root / default)
• Serial console access, or physical access if using the LCD
• Your station number

NOTE: For all labs, when an "X" is listed, enter your station number. For station 1, the IP address 10.10.X.10 would be entered as 10.10.1.10 and a password of rootX would be entered as root1.

Generally, the IP address of the management port must be set so the system can access the network to obtain a license. This can be accomplished through the config tool or the LCD. Both sets of steps are listed here, but the lab assumes use of the config tool.

Changing the default IP address via the Command Line (Primary Method)
1.
For the purpose of using the CLI to change the administrative IP address, follow these steps:
2. Connect a null-modem cable between the BIG-IP system and a system running a VT-100 emulator. The serial settings should be set to N-8-1 at 19,200 bps.
3. If need be, boot the BIG-IP system, and when prompted, log on as the root user using the password default.
4. Enter the config command to start using the tool.
5. When prompted, press Enter to choose < OK >.
6. When prompted, change the IP address. Lab Note: Enter 192.168.X.10, where X is your station number. Next, press Tab and Enter to choose < OK >.
7. When prompted, change the Netmask. Lab Note: Enter 255.255.0.0. Next, press Tab and Enter to choose < OK >.
8. The next step sets the default route for the management port. When prompted, press Enter to choose < Yes >.
9. When prompted, change the default route. Lab Note: Enter 192.168.20.1. Next, press Tab and Enter to choose < OK >.
10. A confirmation screen appears; your settings should be as follows:
   IP Address: 192.168.X.10
   Netmask: 255.255.0.0
   Default Route: 192.168.20.1
   If all entries are correct, press Enter to choose < Yes >.

Changing the default IP address via the LCD - Lab (Optional)
1. Press the red "X" button on the display.
2. Navigate to the System menu and press the check mark button.
3. Navigate to the IP Address menu and press the check mark button.
4. Navigate to the IP Address field and press the check mark button.
5. Using the up and down arrow keys, enter the IP address 192.168.X.10 and press the check mark button.
6. Navigate to the Netmask field and press the check mark button.
7. Enter the netmask as 255.255.0.0, and press the check mark button.
8. Navigate to the Default Route menu, and press the check mark button (optional, as a Default Route is not required).
9. Using the up and down arrow keys, enter a default route of 192.168.20.1 and press the check mark button.
10. Navigate to the Commit menu, and press the check mark button.
11. When you see the OK menu blinking, press the check mark button.
Licensing System Lab

Objective:
• Ensure the system has a proper license
• Estimated time for completion: 10 minutes

Lab Requirements:
• Access to the system's registration key
• Access to the Internet, or access to the system's license file
• Network access to the BIG-IP ASM System

Note: Your BIG-IP ASM System may be licensed already. To determine if you have a BIG-IP ASM license file on your box, check for the existence of /config/bigip.license. View it by typing from a console session: more /config/bigip.license. If you already have the correct license file, then you can skip to the Setup Utility lab on the next page. Otherwise, you can retrieve your license with the following steps.

Specific Licensing Steps

For this lab, we will use the manual process.
1. Connect to https://192.168.X.10 and log in with a userid of "admin" and password of "admin". The Welcome screen within the Overview section should appear. Under the Setup section on the right, scroll down and click the Run the Setup Utility link.
2. If the system is unlicensed, proceed by clicking Activate. If it is licensed, you can proceed to the next section.
3. Find your system's Registration Key. The instructor should be able to verify where it is stored for this lab. Generally, it will be in one of these locations: the file RegKey.license on the desktop or within a license folder; or, in the license file itself, toward the bottom. The license should be on the desktop or within a license folder.
4. Within the first General Properties section, set the following values:
   Base Registration Key: Enter or copy your Registration Key
   Add-On Registration Key List: Leave blank
   Activation Method: Select Manual
5. When complete, click Next.
6. Within the second General Properties section, set the following values:
   Registration Key: Registration Key (read only)
   Add-On Registration Key List: Add-On Keys (read only)
   Manual Method: Select Download/Upload File
   Step 1: Dossier: Click the "Click Here ..."
button and save the dossier to the desktop.
   Step 2: Licensing Server: If your classroom has Internet access, you may regenerate the license. Alternately, move to step 3.
   Step 3: License: Browse for your license, either on the desktop, in a licenses folder, or in a location specified by the instructor.
7. When complete, click Next. When the system's license is activated, you can continue with the Setup Utility. You should see the following message once the license is activated:

(Figure: license activation confirmation message.)

8. After licensing, a reboot is required, and this can be done from the command line interface by typing reboot and pressing Enter.

Setup Utility Lab

Objective:
• Run the Setup Utility
• Estimated time for completion: 30 minutes

Lab Requirements:
• Reachable IP address on the management port
• Valid license for the BIG-IP ASM System
• Administration system with an IP address on the BIG-IP ASM's network

Current Settings

At this point, your system should be licensed and the management port addressed as 192.168.X.10/16. The system should have a valid license before proceeding.

Access the BIG-IP ASM System
1. Open a browser to https://192.168.X.10
2. When prompted, accept the SSL certificate.
3. When prompted, log in as "admin" with a password of "admin".
4. Click on the Login button.
5. Depending on your classroom environment, accessing the Setup Utility can be performed via the Overview -> Welcome link. In the middle of this screen, click on the Run the Setup Utility link in the Setup Utility section.
6. Click Next to proceed to the Setup Utility.

Setup Utility
1. Within the General Properties section, specify the following:
   IP Address: 192.168.X.10
   Network Mask: 255.255.0.0
   Management Route: 192.168.20.1
   Host Name: asmX.f5training.com
   Host IP Address: Use Management Port IP Address
   High Availability: Single Device
   Time Zone: your current time zone
2. Within the User Administration section, specify the following:
   Root Password: rootX
   Root Account Confirm: rootX
   Admin Password: adminX
   Admin Account Confirm: adminX
   Support Account: Enabled
   Support Account Password: supportX
   Support Account Confirm: supportX
   SSH Access: Enabled
   SSH IP Allow: * All Addresses

NOTE: The lab suggests you change the admin password from "admin" to "adminX". When you do so, you will be required to log back into the system since the password has been changed. Outside the classroom, restrict SSH IP Allow to the management subnet rather than All Addresses; this setting is what limits who can reach the root and admin accounts over the network.

3. Click Next.
4. Click Finished under Advanced Network Configuration.

Once administrative access to the management port has been configured, you can start to configure the self IP addresses and VLANs.

There is only one VLAN configured in this lab. It is the VLAN called Lab. The Lab VLAN's administrative IP address (Self IP), the netmask, and the Port Lockdown setting are chosen first. Port Lockdown allows the administrator to limit the access available to the Self IP. If the system is a redundant pair, "Allow Default" should be selected to ensure the systems will be able to synchronize their configurations. In addition, the VLAN tag can be specified and the interfaces, both tagged and untagged, can be associated with the VLAN. Also, if the system is configured as a redundant pair, the administrator will be prompted for a Floating IP address (one that is shared between the systems and used by the system that is currently active), Port Lockdown for the Floating IP, and the Failover Peer IP, an address of the partner system. Generally, the Failover Peer IP should be an address on the internal VLAN to minimize security concerns.

Creating a VLAN
1. From the Navigation Pane, expand the Network section.
2. Select VLAN, then Create.
3. Within the General Properties section, specify the following:
   Name: Lab
   Tag: Leave blank
   Within the Resources section, specify the following:
   Interfaces: Move 1.1 from Available to Untagged
4. When complete, click Finished.
Creating the Self IP
1. Select Self IPs within the Network section and click Create.
2. Within the Configuration section, specify the following:
IP Address: 10.10.X.10
Netmask: 255.255.0.0
VLAN: Lab
Port Lockdown: Allow Default
3. When complete, click Finished.
Once the Advanced Network Configuration is complete, you can navigate to the Overview section and click on the Welcome link. The administrator can choose to change many presentation options, enable SNMP including downloading the MIB, access F5's knowledge database (AskF5) or run the setup utility to change addresses or access methods.

Initial Access Lab
Objective:
• Access both the Web Configuration Utility and Command Line (SSH) utility for the BIG-IP ASM system and get familiar with the interface.
• Estimated time for completion: 10 minutes
Lab Requirements:
• External IP address of the BIG-IP ASM system
• User ID and password of the BIG-IP ASM system's Web Configuration Utility
• User ID and password of the BIG-IP ASM system's Command Line Interface
The Web Configuration Utility
1. Open a new browser window to https://10.10.X.10, where X is your student station number, to connect to the Web Configuration Utility.
2. Enter the admin user ID and password that you configured during Setup.
3. Note the options available on the Welcome page.
4. Click on the Network menu, then note what is available for the Interfaces, Self IP, options.
Command Line access (SSH)
1. Open an SSH client window and enter the external IP Address of your BIG-IP ASM System (10.10.X.10). Some examples of SSH clients are PuTTY, TeraTerm, and SecureCRT.
2. You should be able to successfully use SSH to attach to your BIG-IP ASM. You may be prompted to accept the SSH key; do so. When the login prompt appears, enter root as the user ID and the password that you added during Setup (rootX was suggested). When prompted for terminal type, select vt100.
3. Enter the command "b vlan show". What information is listed here?
4. Enter the command "b self show". What information is listed here?
5. Enter the command "bigstart status asm". Ensure the asm process is running.
Configuration Backup Lab
Saving a configuration
1. From the Navigation pane, click the System menu.
2. Select Archives.
3. Click Create.
4. Enter the file name trainX_base.
5. Leave Encryption disabled and Private Keys included.
6. Press Finished.
7. When the backup is complete, press OK.
8. Click on the archive you just created.
9. Click on the trainX_base.ucs link in the Archives List section. Click on the Download trainX_base.ucs button in the Archive File field. Save a copy of the file to your desktop.
There are now two backups: one on the BIG-IP ASM in the /var/local/ucs directory and one on the desktop. This "base" configuration will be used several times later in this course.
10. If desired, the file's contents can be viewed from the command line of your BIG-IP System. From a console or SSH session, perform the following.
NOTE: The directory created in step a may already exist.
a. Make a new directory for this lab: mkdir /var/tmp/test/
b. Change to the new directory: cd /var/tmp/test/
c. Copy the backup to the new directory: cp /var/local/ucs/trainX_base.ucs trainX_base.ucs
d. Decompress the file and extract the files (a .ucs archive is a gzip-compressed tar file): tar -xvzf trainX_base.ucs
The resulting files show the directory structure and all files stored in the .ucs file. Individual files can be viewed with cat, tail, more and other tools.

Provisioning Lab
Objective:
• Access the provisioning screen and verify that ASM has been provisioned.
• Estimated time for completion: 2 minutes
Lab Requirements:
• External IP address of the BIG-IP ASM system
• User ID and password of the BIG-IP ASM system's Web Configuration Utility
Verifying Provisioning
1. From the Navigation pane, click the System menu.
2. Select Resource Provisioning.
3. In the Module Resource Provisioning section, in the Application Security (ASM) row, ensure the option is set to Dedicated.
Note: If the classroom environment uses a BIG-IP 3600 platform, select Nominal in the Module Resource Provisioning section.
4. Click Update.

Module 2 - Web Application Concepts
Web Application Basics Overview
Lesson Objective:
During this lesson, you will learn the anatomy of a web application and how it operates in the network. You will also learn about the purpose of a web application and how HTTP and HTML interoperate within a web application.
Anatomy of a Web Application
A Web Application is anything that takes part in providing a user with an answer to a request. Web applications are highly complex environments that have many levels and components. Some of the components are developed by the organization, some by external sources, and some are shelf-ware.
Web applications are complex entities that involve many components.
• The majority of e-commerce applications consist of at least 3 main components: Web server, Application server and Database.
The diagram below displays the interaction that potentially exists between user and database. The browser interacts with the web application by sending HTTP requests, and gets an HTML page over the HTTP reply.
[Diagram: information flow from end user through web server, application server and database]
This diagram shows how information flows from end-user to the database, thus showing the connection between user and database: data is sent from the browser, accepted by the web server, processed by the CGI scripts and the application server, and then sent to the backend servers and the database server to be checked against the data in the database.
Applications differ greatly in functionality. Some applications are based on ASP, JSP, or CGI. Some applications run on Apache, Linux, or Windows.
While web applications differ in what they do, they are relatively similar in the way they do it. Web browsers provide the means by which users interact with web applications. HTTP is the protocol that governs communication between browsers and web servers. HTML is the language used to format pages browsers can display.
Web application logic says that if valid input comes in, then the application knows how to deal with it and valid output will come out. Using the same logic, if invalid input goes in, invalid output may come out. Now there are lots of systems within the web application and some might know how to deal with such invalid input but some may not.
Each part of the web application can potentially be vulnerable to attacks. While it seems unimaginable to any IT manager that a general user from the outside will have direct access to the database, that is not the way web applications work. An example would be a username and password request from the application. When the user enters this information, it is sent from the browser, accepted by the web server, processed by CGI scripts and the application server, and then sent to the backend server and database server to be checked against data in the database, and there you have it: user input processed by the database. The attacks that use this behavior are called SQL injection attacks.
When an organization deploys a web application, they invite the world to send them HTTP requests. Attacks buried in these requests sail past firewalls, filters, platform hardening, and intrusion detection systems without notice because they are inside legal HTTP requests. There is always a need to inspect the HTTP request before sending that traffic to web application components. If the HTTP request matches a legal policy, that request is allowed. If the HTTP request does not match legal policies, a violation will be issued and that request can be blocked.
Web Page Components
Lesson Objective:
During this lesson, you will learn the general format and contents of HTML pages.
HTML Overview
Web pages are built from many types of data including formatting information, images, and multi-media files. Most pages include links to other objects and pages. The great power of the web comes from these links that allow connections between multiple sites and their objects. Those same links are the foundation of the way individual pages are constructed. In effect, most HTML pages are the outline for a page; the objects and their links are embedded in the HTML and often are the bulk of the page.
From the BIG-IP ASM's standpoint, the significance of the links is that each one represents another object, may represent another TCP connection, and each link represents another HTTP request and response. Additionally, each link and object becomes an opportunity to adjust the HTML page, to cache content, to compress content, all designed to optimize the user's experience.
A Day in the Life of a Web Page (diagram on following page)
Given all this content, it is worthwhile looking at all the processes that occur when a single page is downloaded by a client. Whether the user types in a URL or clicks on a link, the next step in the process is typically a DNS lookup. The client must resolve the hostname into an IP address. Once the client has an IP address, the client can initiate a TCP connection. Next, the client sends an HTTP Request, requesting some object, most often an HTML page. The server may respond with errors or redirection, but will typically respond with the object the client requested. Once the client processes that first HTML page, most often the client must then send HTTP Requests for each of the embedded objects in the HTML page. Those objects may be requested from the same server over the same TCP connection, the same server over new TCP connections, or completely different servers. Once all the components are received, the process is complete and the client has downloaded the page.
As the use of the Internet has grown, so has the sophistication and size of web pages. For example, in 1997, F5's corporate web page consisted of 34 KB of data. Today, it is 200 KB of compressed data. The content is rich, but performance can suffer.
Journey of a Web Page
[Diagram: journey of a web page from DNS lookup to final object download]
HTTP Concepts
Lesson Objective:
During this lesson, you will learn more detail about the communication between a web client and a web server. You will learn web application concepts, HTTP and HTML concepts, and the various components of an HTTP request, such as HTTP method, entity body, status codes and query string. The purpose and types of cookies are also covered.
Overview of Web Communication
When a web client wishes to get content, a TCP connection is opened to the server and an object is requested. Often, the initial document is a file named "index.html". Normally, the client asks for objects with HTTP requests and the server responds with HTTP responses. Each of these messages can contain a myriad of options and settings concerning the transfer of the data. Those options are typically set in HTTP headers.
HTTP Concepts Overview
HTTP is a stateless, make a request, get a response protocol. Because HTTP uses a reliable data transmission protocol, it guarantees that data will not be damaged or scrambled in transit. Web servers speak the HTTP protocol; these servers store the Internet's data and provide the data when it is requested by HTTP clients or browsers. The clients send HTTP requests to servers, and servers return the requested data in HTTP responses.
HTTP does not define how the network connection is made or managed. This process is done by implementing a lower-level protocol such as TCP/IP. HTTPS is a protocol used for encrypting data. HTTPS is HTTP encapsulated by the SSL/TLS protocol. SSL primarily prevents eavesdropping on the communication between the server and the client. Some administrators rely on SSL for security and leave their web application open to attacks.
Just because the data a user sends is encrypted doesn't mean the application is secure.
HTTP Request Components
Lesson Objective:
During this lesson, you will learn more details about the communication between a web client and a web server. You will also learn about the various components of an HTTP request.
HTTP Requests
The HTTP Request has the following structure: Request Line, Headers, and Body. The Request Line consists of the method used for the request, the URI being requested, and the HTTP version. The Headers consist of multiple headers, most notably Host, Accept-Encoding, Cookie, and Connection. The Body section consists of parameters sent using a POST method. This is often called the entity body.
• The Method, which must be one of a set of legal actions as defined in the application. The three most common methods are:
  • GET
  • POST
  • HEAD
• The Universal Resource Identifier (URI), which identifies the requested resource
• The HTTP protocol version (0.9, 1.0 or 1.1)
• Request HTTP Headers (hold a variety of additional information)
• POST data, if the POST method is used
The first line of an HTTP request will include the method, the URI, and the version of HTTP the client supports. The URI typically includes the path and file name desired by the client, but may only be a single slash (/). Most servers will send their index.html page when the URI is only a slash. Finally, the client will include the version of HTTP supported, either 1.0 or 1.1.

GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)
Host: www.cnn.com
Connection: Keep-Alive
Cache-Control: no-cache

In the example above, the browser sent a GET for the "/" file and supports HTTP version 1.1. The request also included a lot of header information.
Many of the header options will be discussed in subsequent sections.
HTTP Methods
The HTTP method is supplied in the request line and specifies the operation that the client has requested. Internet browsers will generally use two methods to access and interact with web sites. They use GET for queries that can be repeated and POST to submit data for processing. An example of a POST is clicking a button that causes a financial transaction.
GET Method
The GET method is the most common HTTP method. The GET method is used to retrieve information from a specified URI and is not secure. It is assumed to be a reliable, repeatable operation by browsers, caches and other HTTP-aware components. The GET uses a query string which is in the URL and therefore has an empty entity body. When a form specifies the method "GET", key-value pairs representing the input from the form are appended to the URL following a question mark. Pairs are separated by an ampersand.
POST Method
The POST method is used for submitting data; the data is carried in the body of the request. POST is also used to upload files to a server. It is used the most when sending large amounts of data to the server. Since POST data cannot be seen in the browser's URL, it is commonly assumed that it is more secure than GET.
If you try to refresh a page in Internet Explorer that resulted from a POST, it displays the following message:
[Screenshot: Internet Explorer warning that the page cannot be refreshed without resending the information]
HEAD Method
The HEAD method is identical to GET except that the server must not return a message-body in the response. The information contained in the HTTP headers in response to a HEAD request should be identical to the information sent in response to a GET request. This method can be used for obtaining information without transferring the body itself. This method is often used for testing hypertext links for validity, accessibility and recent modification.
There are other HTTP methods, such as PUT, TRACE, and DELETE, that will not be discussed in this section.
Universal Resource Identifier (URI)
URIs in HTTP can be represented in absolute form or relative to some known base URI.
HTTP Version
The <minor> number is incremented when the changes made to the protocol add features which do not change the general message parsing algorithm, but which may add to the message semantics and imply additional capabilities of the sender. The <major> number is incremented when the format of a message within the protocol is changed. See RFC 2145 for a full explanation.
HTTP Headers
Headers are name/value pairs that appear in both request and response messages. The name of the header is separated from the value by a single colon. More information on Headers will be covered later.
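The request structure described above (request line, headers, entity body, GET parameters in the query string versus POST parameters in the body) carried through in a small parser. This is an added example, not code from the course or from F5; the allowed-method set and the two sample requests are constructed for it.

```python
"""Minimal parser for the HTTP request structure described above: request
line (method, URI, version), headers, and body.  Added example, not part of
the F5 course material; the sample requests below are constructed for it."""
from urllib.parse import parse_qs, urlsplit

# Methods this hypothetical application treats as legal; anything else is
# rejected, mirroring "a set of legal actions as defined in the application".
ALLOWED_METHODS = {"GET", "POST", "HEAD"}


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into its components.

    Returns a dict with method, uri, path, version, headers (lower-cased
    names), query (GET parameters) and form (POST body parameters).
    Raises ValueError for a malformed request or a disallowed method.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line: %r" % lines[0])
    method, uri, version = parts
    if method not in ALLOWED_METHODS:
        raise ValueError("method not allowed: %s" % method)

    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    if version == "HTTP/1.1" and "host" not in headers:
        raise ValueError("HTTP/1.1 request without Host header")

    # GET parameters follow the '?' in the URI, pairs separated by '&'.
    split = urlsplit(uri)
    query = parse_qs(split.query, keep_blank_values=True)

    # POST parameters live in the entity body; honour Content-Length so that
    # trailing bytes on a keep-alive connection are not mistaken for the body.
    form = {}
    if method == "POST":
        length = int(headers.get("content-length", "0"))
        if len(body) < length:
            raise ValueError("body shorter than Content-Length")
        ctype = headers.get("content-type", "")
        if ctype.startswith("application/x-www-form-urlencoded"):
            form = parse_qs(body[:length].decode("iso-8859-1"),
                            keep_blank_values=True)

    return {"method": method, "uri": uri, "path": split.path,
            "version": version, "headers": headers,
            "query": query, "form": form}


# Constructed sample: a GET whose form data rides in the query string.
GET_REQUEST = (
    b"GET /search?q=big-ip&page=2 HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
)

# Constructed sample: the same fields submitted with POST, so they sit in
# the entity body instead of the URL (15 bytes, hence Content-Length: 15).
POST_REQUEST = (
    b"POST /search HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 15\r\n"
    b"\r\n"
    b"q=big-ip&page=2"
)
```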
HTTP Responses
Similarly, the first line of an HTTP response includes the server's version of HTTP as well as a status code for the current request. The response will begin with HTTP headers and should have content if the response is to a GET. By default, BIG-IP ASM removes the Server header information in the HTTP response and generates a 200 error condition when violations are produced.

HTTP/1.1 200 OK
Date: Wed, 12 Jul 2006 15:36:35 GMT
Server: Apache
Vary: Accept-Encoding, User-Agent
Content-Encoding: gzip
Cache-Control: max-age=60, private
Expires: Wed, 12 Jul 2006 15:27:31 GMT
Content-Length: 20735
Content-Type: text/html
Keep-Alive: timeout=5, max=1024
Connection: Keep-Alive

Response Status Codes
HTTP response codes are 3-digit numbers that tell the client whether the request was fulfilled or not. The chart below contains a brief description of each class of response.
Status Code Range | Meaning
100's | Informational (not supported by HTTP 1.0)
200's | Successful to some degree
300's | Redirection needed
400's | Error seems to be in the client
500's | Error seems to be in the server
HTTP Headers
Lesson Objective:
During this lesson, you will learn the purpose and function of selected HTTP headers both in client requests and server responses.
HTTP Header Overview
HTTP headers allow web clients and servers to negotiate multiple options concerning the transfer of data. Generally, the client's request includes what the client can do or would like to do, and the server's response includes what the server has chosen to do. It is not an iterative process.
Cache Control Headers
Caching is a process that allows devices that are "closer" to the end user to store content for reuse rather than having every request return to the origin server. This might be an intermediary device or it might be the client's browser cache.
Either way, cache control headers can define which content is cacheable, how long the content is going to be good for, and how clients can determine whether old content is still valid.
When a client includes a cache-control header in a request, the client is asking to ensure that stale data is not given by an intermediary cache. When a server includes a cache-control header in a response, the server is indicating how long the content may be presented by a cache.
Public vs Private
Cache control headers can include a parameter indicating whether the content is viable for multiple users or only a single user. A "private" setting indicates that the object should not be cached by a shared cache but that a user's browser may cache the content. On the contrary, a setting of "public" indicates the content can be cached on a shared cache for use by many users. In either case the content should also include information indicating when the content will expire.
No-Cache and No-Store
Cache control headers can include either a "no-cache" or a "no-store" setting. Ironically, "no-cache" does not preclude caching. Rather, it indicates that the content should not be served from cache without first verifying that the entry has not been updated. The "no-store" setting indicates that the content should never be cached.
Expiration Indicators
If the content is cached, the cache needs some mechanism to eventually time out the content. Otherwise, content may be delivered from a cache that is stale. The table below describes parameters used to age content.
Header | Meaning
Last-Modified | Gives the client a notion of how often the content is changed and also allows the client to make subsequent requests including the "if modified since" option.
Cache-Control | Ensures content is removed from the cache after a specified period.
Expires | Ensures content is removed from the cache at a specified time.
ETag | Lets clients know whether the content has been updated.
Content Duration
Much of the content received from web servers is static: it does not change over long periods of time.
This type of content is certainly a prime candidate for caching. However, dynamic content can frequently be cached as well. Often, content that is seen as "dynamic" changes every few minutes or every few hours. For a busy site, redistributing the same documents increases the load on the servers and reduces the response time of the site. Also, many "dynamic" pages are primarily static; only a small portion varies between customers.
HTTP Headers
HTTP headers add additional information to request and response messages. They list name/value pairs. Headers are broken down into five types: General, Request, Response, and Entity.
General headers are generic and used by both clients and servers.
Header | Meaning
Connection | Options may be close or keep-alive. In HTTP 1.0, you always had to use the close option, thereby closing the connection after every transaction. In HTTP 1.1, keep-alives allow the TCP/IP connection to remain open.
Date | Date and timestamp of when the HTTP message was created.
Transfer-Encoding | Tells the receiver what encoding was performed on the HTTP message in order for it to be transported safely.
Via | Indicates that this HTTP message passed through an intermediary (for example, Via: 1.1).
Request headers provide information to servers, such as what data type the client is willing to receive.
Header | Meaning
Referer | Where you are coming from. The URL of the request that contains the URI.
Host | Provides the hostname and port of the server receiving the request. The Host header is the only required parameter to transfer between browsers and the web server.
User-Agent | Tells the requested server the browser type making the request.
Accept-Encoding | Defines the kind of encoding the browser can receive. Simplifies the work between the web server and the client's browser.
Response headers provide information about the server's response.
Header | Meaning
Age | How old the response is.
Public | Allows the requested server to tell a client what methods it supports. These methods can be used in future requests by the client.
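The response status line and status-code classes, and the cache control headers (max-age, private, no-cache, no-store, Expires, Last-Modified) from the sections above, worked through in a small freshness checker. This is an added example, not course or F5 code; the sample response is modelled on the one shown above with a constructed Last-Modified header and body.

```python
"""Parse an HTTP response and decide whether a cache may reuse it, applying
the status-code classes, Cache-Control directives and Expires/Last-Modified
indicators described above.  Added example, not course material."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

STATUS_CLASSES = {1: "informational", 2: "successful", 3: "redirection",
                  4: "client error", 5: "server error"}


def status_class(code: int) -> str:
    """Map a 3-digit status code to the class in the table above."""
    if not 100 <= code <= 599:
        raise ValueError("not a valid status code: %d" % code)
    return STATUS_CLASSES[code // 100]


def parse_response(raw: bytes) -> dict:
    """Split a raw HTTP/1.x response into version, code, reason, headers
    (lower-cased names) and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError("malformed status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    return {"version": parts[0], "code": int(parts[1]),
            "reason": parts[2] if len(parts) == 3 else "",
            "headers": headers, "body": body}


def cache_directives(value: str) -> dict:
    """Turn 'max-age=60, private' into {'max-age': '60', 'private': None}."""
    out = {}
    for token in value.split(","):
        name, _, val = token.strip().partition("=")
        if name:
            out[name.lower()] = val.strip() or None
    return out


def cache_decision(resp: dict, now: datetime, shared_cache: bool) -> dict:
    """Decide whether a cache may store the response and for how long.
    Rules, in order: this simplified checker stores only successful (2xx)
    responses; no-store is never stored; private is stored only by a single
    user's browser cache; max-age counted from Date takes precedence over
    Expires, and with neither the entry is stale at once; no-cache or an
    expired lifetime means the entry must be revalidated before reuse."""
    h = resp["headers"]
    cc = cache_directives(h.get("cache-control", ""))
    if status_class(resp["code"]) != "successful" or "no-store" in cc:
        return {"store": False, "fresh_for": 0, "revalidate": False}
    if "private" in cc and shared_cache:
        return {"store": False, "fresh_for": 0, "revalidate": False}
    date = parsedate_to_datetime(h["date"]) if "date" in h else now
    if "max-age" in cc:
        expires_at = date + timedelta(seconds=int(cc["max-age"]))
    elif "expires" in h:
        expires_at = parsedate_to_datetime(h["expires"])
    else:
        expires_at = date
    fresh_for = max(0, int((expires_at - now).total_seconds()))
    return {"store": True, "fresh_for": fresh_for,
            "revalidate": "no-cache" in cc or fresh_for == 0}


def revalidation_headers(resp: dict) -> dict:
    """Conditional request headers a cache sends to check a stale entry,
    built from the validators the origin supplied (Last-Modified, ETag)."""
    h = resp["headers"]
    cond = {}
    if "last-modified" in h:
        cond["If-Modified-Since"] = h["last-modified"]
    if "etag" in h:
        cond["If-None-Match"] = h["etag"]
    return cond


# Constructed sample modelled on the response shown above (its Expires is
# earlier than its Date, so max-age is what actually governs freshness);
# Last-Modified and the short body are added for the demonstration.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Wed, 12 Jul 2006 15:36:35 GMT\r\n"
    b"Server: Apache\r\n"
    b"Cache-Control: max-age=60, private\r\n"
    b"Expires: Wed, 12 Jul 2006 15:27:31 GMT\r\n"
    b"Last-Modified: Wed, 12 Jul 2006 15:00:00 GMT\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"hello"
)
# Constructed clock readings 30 s and 120 s after the response's Date.
NOW_FRESH = datetime(2006, 7, 12, 15, 37, 5, tzinfo=timezone.utc)
NOW_STALE = datetime(2006, 7, 12, 15, 38, 35, tzinfo=timezone.utc)
```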
Response headers (continued)
Header | Meaning
Server | The type of server sending the response back to the client. By default, ASM removes the Server header.
Entity headers provide information about the payload of the HTTP message.
Header | Meaning
Content-Type | Describes the data types being sent in the message.
Content-Length | Provides the length of the entity body.
Expires | Gives a date and time at which the response is invalid. This allows the browser to cache the requested object.
Last-Modified | Date and time of the last change to the entity body.
Using Fiddler
Lesson Objectives
After completing this lesson, you will be able to use a freeware traffic capturing tool called Fiddler.
Introduction
Fiddler is a traffic capturing tool that logs all HTTP traffic between a client and server. Fiddler allows you to inspect all HTTP traffic, set breakpoints, and "fiddle" with incoming or outgoing data. Fiddler includes a scripting subsystem as well. Fiddler is freeware and can debug traffic from virtually any application, including Internet Explorer and Mozilla Firefox.
Installation
Follow these steps to download and install Fiddler:
1. Ensure that you have the .NET Framework version 1.1 installed. If you don't have it yet, you can visit Windows Update to download it.
2. Next, download Fiddler from http://www.fiddlertool.com.
3. When installation successfully completes, you'll find the Fiddler icon on the Internet Explorer toolbar.
4. If the toolbar icon is missing, right-click the Internet Explorer toolbar and click Customize. You can also launch Fiddler from the Start menu.
Using Fiddler Views
Fiddler's user interface contains a list of HTTP sessions and three tabs that allow you to view different aspects of the selected sessions. The three tabs, or views, are Performance Statistics, Session Inspector and Request Builder. The Inspector tab lets you view both Requests and Responses.
Fiddler's Session Inspector
Fiddler is helpful in two ways. First, requests are instantly logged and displayed in summary. Second, the Session Inspector lets you see the details of what is happening with each request.
Session Inspector
Choose a request on the left and then the Session Inspector on the right and you can see the contents of the request. The Headers button is pressed down by default so you'll see all of the headers in the request. The figure below shows the detail of one request made to Developer.com.
[Figure: Session Inspector showing the headers of one request]
The request has a lot of information that is useful for several reasons, not the least of which is the cookies that are being transmitted. This is a reliable way to ensure that the browser is transmitting back the cookies your web site may need.
In the bottom half of the right-hand side is the response. This is the entire response being sent back to the client browser. By clicking the Headers button you will see the headers transmitted with the response. This is important because it includes cache directives, cookies, and additional information about the response. You can look at the raw content or the page as it would display.
Transforming Data
Fiddler can decompress a response with the Transformer tool on the Session Inspector tab. Click the No Compression radio button to decompress the response inside Fiddler. You can use Fiddler to simulate HTTP compression by checking "Simulate GZIP Compression" on the Fiddler Rules menu.

Fiddler Lab
Objective:
• View HTTP request and response data.
• Capture data when using the GET method.
• Capture data when using the POST method.
• Estimated time for completion: 20 minutes
Lab Requirements:
• Client machine has access to the virtual server via an Internet Explorer browser.
• Client machine has the Fiddler software installed.
Viewing HTTP traffic using Fiddler
Activate and begin recording traffic using Fiddler
1. Within the Internet Explorer toolbar, click on the Fiddler icon. Fiddler will appear with an HTTP Sessions section to the left, and to the right you will see the following tabs: Performance Statistics, Session Inspector, AutoResponder, and Request Builder.
NOTE: If your workstation doesn't have Fiddler installed, ask the Instructor where to copy it from, or download it from www.fiddlertool.com.
2. Connect to http://10.10.200.10 (classroom web application) from your browser and view the HTTP sessions. How many HTTP sessions are opened when you connect to the virtual server? How can you determine the URL and Content-Type for each session? View the Request and Response information using the different formats that are available.
3. View the Request and Response headers for each session. How can you view images using Fiddler? How can you determine if an object has been cached?
4. For all of the HTTP sessions recorded by Fiddler, determine the number of bytes sent and received, the number of requests, and the number of response bytes by content type.
5. Scan various HTTP headers including the User-Agent.
6. Close Fiddler.
Optional (workstations with Internet Access)
1. View request and response headers from sites you browse normally.

Module 3 - Web Application Vulnerabilities
Web Application Vulnerabilities Overview
Lesson Objective:
During this lesson, you will learn the vulnerabilities of web applications that the BIG-IP ASM System protects against.
Web Application Vulnerabilities
Through a browser, a hacker can use even the smallest bug or backdoor to change, or pervert, the intent of the operation. Any application that interacts with end users is prone to being exploited. These kinds of attacks can be categorized into two areas: attacks on the infrastructure or attacks on the application code. There are also various ways to categorize the security problems associated with the web application.
They are by the systems affected by the attack, by the type of attack, by the flaw in the web application that allows the attack, or a combination of them.
Many of the most dangerous security holes in corporate IT infrastructure are based not on worms or viruses, and not on known vulnerabilities in Application Servers, but on vulnerabilities in the applications themselves. These vulnerabilities leave companies' Web infrastructures exposed to attacks such as cross-site scripting, SQL injection, and cookie poisoning. It is often these application vulnerabilities which hackers exploit to extract sensitive data from corporate databases.
Companies today are moving more of their mission-critical applications and data into web browsers. As a result, hackers are able to use web-based applications to penetrate corporate systems and access private customer databases. The resulting identity theft has become a major concern to corporations and consumers alike.
The following is a list of the most critical web application vulnerabilities:
• Hidden Field Manipulation
• Cookie Poisoning
• Buffer Overflow
• Cross Site Scripting (XSS)
• Cross Site Request Forgery (CSRF)
• 3rd Party Misconfiguration
• Parameter Tampering
• Injection Attacks
• Forceful Browsing
• Improper Error Handling
We will now further discuss web application vulnerabilities in detail.
Hidden Field Manipulation
In many applications, hidden HTML form fields are used to hold system passwords or merchandise pricing. The original intent of hidden fields is to keep track of sessions; hidden fields and cookies are the two mechanisms available to save the state of the user. These attacks are successful because most applications do not validate the returning Web page.
A hidden field is a type of dynamic field that is placed in the HTML form, but hidden using the keyword "hidden".
For instance, in the form where you put in your credit card number to purchase a book, there might be hidden fields that contain the book inventory index and price. Hidden fields are used by most e-commerce applications to hold authorization and transaction related data. Despite their name, these fields are not very hidden and can be seen by performing a View Source on the Web page. Web applications simply have no control over what a user can send to them. A user does not require a browser to send data to the web application and hence is not bound to any of its restrictions. This change can be done on the fly using a proxy or a tool such as Netcat to send any request.
This type of attack has proven to be successful against many commercial web applications. Hidden fields are not just used by retail applications; it is common to see them used to pass the following types of data:
• Access Control Information (changing to Manager, Administrator, External User, etc.)
• Account Information (username, account number, etc.)
• Steps of the Wizard (in some cases you never get to step five unless you filled in important data in step four. Manipulating hidden data in this case would enable you to circumvent the designed flow).
Consider the example where a price parameter appears in a hidden field in the source HTML. The value can be modified in the request on the client side and sent to the web server. By changing the price within the HTML source code, the user can modify the price of a purchase. When modifying the price on the client side, the user can then send this modification to the web application.
Hidden fields can be found easily by accessing google.com. Simply type the search word "hidden" into Google's search engine and it will identify web sites that use hidden fields. This allows the user to manipulate the hidden field data.
[Figure: HTML source of a form showing a hidden price field]
Cookie Poisoning
Cookies are strings of text that are part of the HTTP header sent by Web servers in response to a request from a web browser. The cookie is then sent back unchanged by the browser each time it accesses that server. The main purposes of cookies are:
• Differentiating between users
• Authenticating
• Maintaining personalized information about users
• Tracking
Cookies are heavily used by most web applications to simulate a stateful experience for the end user. Cookies are used as identity for the server-side component of an application. With any response a web server can send a "Set-Cookie" command and provide a string (that is, a cookie). Cookies are stored on a user's computer and are a standard way of recognizing users, from the "welcome back" message on Amazon to the page-by-page sense of state in web applications. Once a cookie is set, subsequent requests will send that cookie to the web server. Cookies can be analyzed, modified and manipulated by any client side logic.
Cookie poisoning is an attack which alters the value of a cookie on the client side prior to a request to the server. By editing the request, the attacker enters the user's cookie into their own request. This allows the attacker to log in as a valid user by stealing the valid user's session cookie. Attackers that compromise the session cookie can defeat authentication restrictions and assume the other user's identity.
Malicious users could also change cookies by either using an interception proxy or directly modifying a file on a hard drive to falsify identity, bypassing authentication/authorization mechanisms. This is called a cookie poisoning attack.
Buffer Overflow
Buffer Overflow is an attack that overruns the memory allocated to interpret a given parameter in an application. The two kinds of buffer overflow target either the infrastructure or a specific application.
Sending a URL with 10k characters would target the web server, whereas sending 8 characters to a specific field that expects a 5-digit zip code would target a specific application. Buffer overflows may cause a process to crash or produce incorrect results. Buffer overflows can execute malicious code or make a program operate in an unintended way. Buffer overflows can also go through the server and be passed on deeper into the infrastructure, compromising application servers or databases. Even more troubling, a hacker who disables the application in this way could upload code to be executed by the server. Viruses such as Code Red, Slammer and others are results of buffer overflow attacks.
Browsers are easy to manipulate. The source of the client side application is available to anyone accessing the web page, and easy to change. (Users can simply go to "View Source" under the Source menu, change the code, and then load the page.) To improve server performance, reduce traffic on the network and enhance the user experience, client-server applications perform a lot of data validation on the client side. Web servers try to utilize the browser's capabilities (HTML and JavaScript) to perform data validation on the client. To avoid buffer overflow, developers typically use HTML and JavaScript to limit how many characters can be submitted as input. However, an attacker can change the HTML and turn off JavaScript and then submit a buffer overflow attack, or simply not use a browser.
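The three client-side trust problems covered in the Hidden Field Manipulation, Cookie Poisoning and Buffer Overflow sections share one remedy: the server validates everything itself. The following checkout handler re-derives the price from its own catalog instead of the hidden field, verifies a tamper-evident (HMAC-signed) session cookie, and enforces the zip-code length regardless of any browser-side maxlength or JavaScript. This is an added example, not course or F5 code; the catalog, the signing key and the sample submissions are constructed, and signed cookies are one common mitigation rather than something the course prescribes.

```python
"""Server-side validation for a checkout form: hidden price field, signed
session cookie and input length.  Added example, not course material."""
import hashlib
import hmac
import re

# Constructed catalog: the server's own notion of each item's price (cents).
# The hidden field is never used to price the order; it is only cross-checked.
CATALOG = {"book-1001": 1999, "book-1002": 4250}

# Constructed signing key for the tamper-evident cookie (in practice loaded
# from configuration, never embedded in source).
COOKIE_KEY = b"constructed-demo-key-do-not-reuse"

ZIP_RE = re.compile(r"^[0-9]{5}$")


def make_session_cookie(user: str, key: bytes = COOKIE_KEY) -> str:
    """Return 'user.mac', where mac is an HMAC-SHA256 over the user value."""
    mac = hmac.new(key, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{mac}"


def verify_session_cookie(cookie: str, key: bytes = COOKIE_KEY):
    """Return the user name if the cookie's MAC is intact, else None.
    A value edited on the client no longer matches its MAC, and the client
    cannot recompute a MAC without the key."""
    value, sep, mac = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the MAC through timing differences
    return value if hmac.compare_digest(expected, mac) else None


def process_checkout(form: dict, cookie: str) -> dict:
    """Validate one checkout submission entirely on the server.

    form: decoded POST parameters item, qty, price, zip; 'price' is the
    hidden field the browser echoed back and is treated as untrusted.
    Returns {'ok': bool, 'user': str|None, 'total': int, 'errors': [...]}.
    """
    errors = []
    user = verify_session_cookie(cookie)
    if user is None:
        errors.append("session cookie missing or tampered")

    item = form.get("item", "")
    unit = CATALOG.get(item, 0)
    if item not in CATALOG:
        errors.append("unknown item")
    elif form.get("price") != str(unit):
        # The hidden field disagrees with the authoritative price: the form
        # was altered on the client, so the order is rejected, not repriced.
        errors.append("hidden price field does not match catalog")

    qty = form.get("qty", "")
    qty_n = int(qty) if qty.isdigit() and 1 <= int(qty) <= 99 else 0
    if qty_n == 0:
        errors.append("quantity must be 1-99")

    # Length and format are enforced here regardless of any maxlength
    # attribute or JavaScript check the page shipped to the browser.
    zip_code = form.get("zip", "")
    if not ZIP_RE.match(zip_code):
        errors.append("zip must be exactly 5 digits")

    total = unit * qty_n if not errors else 0
    return {"ok": not errors, "user": user, "total": total, "errors": errors}


# Constructed submissions: one honest, one with client-side edits
# (price lowered in the hidden field, 8 characters in the zip field).
HONEST = {"item": "book-1001", "qty": "2", "price": "1999", "zip": "98119"}
TAMPERED = {"item": "book-1001", "qty": "2", "price": "1", "zip": "98119000"}
```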
