EXERCISE 6.2 – CREATING A SECURITY POLICY
Required virtual images: BIGIP_A_v11.5.1, LAMP_3.4.
Estimated completion time: 45 minutes
TASK 1 – Create a Security Policy using Rapid Deployment
Create a security policy for dvwa_virtual using the Rapid Deployment security policy, and then apply the updated policy.
In the VMware library, power on both the BIGIP_A_v11.5.1 and LAMP_3.4 images.
Access and log in to BIGIP_A_v11.5.1.
Verify that you have restored using bc_6.1_asm_vulnerabilities_v11.5.1 (there should be a virtual server named dvwa_virtual).
Open the Security > Application Security > Security Policies > Active Policies page, and then click Create.
Leave the Existing Virtual Server option selected and click Next.
On the Configure Local Traffic Settings page:
o In the protocol list, select HTTPS.
o In the HTTPS Virtual Server list box, leave dvwa_virtual selected and click Next.
Select the Create a policy manually or use templates (advanced) option and click Next.
On the Configure Security Policy Properties page:
o In the Application Language list box, leave Unicode (utf-8) selected.
o In the Application-Ready Security Policy list, select Rapid Deployment security policy, and then click Next.
On the Configure Attack Signatures page:
o From the Available Systems list, move the following to the Assigned Systems list.
Operating Systems > Unix/Linux
Web Servers > Apache and Apache Tomcat
Languages, Frameworks and Applications > PHP
Database Servers > MySQL
Question:
How many signatures will be assigned to this policy? ________________________
o Click Next.
Click Finish.
The new policy is placed in Transparent mode.
Click Apply Policy, and then click OK.
Open the Security > Policies page.
Application Security Policy is Enabled using the dvwa_virtual policy.
Remove the Log illegal requests and add the Log all requests profile to the Selected list, and then click Update.
We will log all requests while we’re in development of the security policy. When the policy is ready to move to production we would return the configuration to log only illegal requests.
Open the Local Traffic > Policies > Policy List page, and then click asm_auto_l7_policy__dvwa_virtual.
The BIG-IP system automatically creates a traffic policy that directs all HTTP requests through the BIG-IP ASM security policy.
TASK 2 – Verify That Requests are Passing Through ASM
Use the Event Logs to verify that requests for dvwa_virtual are being processed by BIG-IP ASM.
Use a new tab to access https://dvwa.vlab.f5demo.com.
Log into DVWA using the following credentials:
Username: admin Password: password
NOTE: If you are automatically logged in, click Logout, and then log in using the above credentials.
On the navigation menu, click Command Execution.
Type lamp.f5demo.com into the field and then click submit.
On the navigation menu, click SQL Injection.
Type 3 into the field, and then click Submit.
On the navigation menu, click XSS stored.
Create an entry, and then click Sign Guestbook:
Name: Test 1
Message: My credit card: 4111-1111-1111-1111.
Create another entry, and then click Sign Guestbook:
Name: Test 2
Message: My SSN: 123-45-6789.
Questions:
What information is displaying? ____________________________________________
Why are these values displaying? ________________________________________________
Change the URL to https://dvwa.vlab.f5demo.com/private.txt.
Click the Back button until you return to the DVWA page.
On the navigation menu, click Setup.
Click Create / Reset Database, then click Logout, and then close the DVWA Web site browser tab.
In the Configuration Utility, open the Security > Event Logs > Application > Requests page.
Select All Requests from the list box.
Questions:
Are requests for .php pages Legal, Illegal, or Blocked? ____________________
Are requests for .txt pages Legal, Illegal, or Blocked? ____________________
Why aren’t requests for .txt pages being blocked by ASM? _________________
_________________________________________________________________
Click the most recent illegal /vulnerabilities/xss_s/ link to view the information in a new window.
Click Data Guard: Information leakage detected.
Question:
What caused this illegal entry? __________________________________________
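The Data Guard event above is raised because the guestbook page echoes the two entries back in the HTTP response, so the response body now carries a credit card number and an SSN. The following Python block is an added illustration, not F5 code and not a model of the actual Data Guard configuration: it scans a constructed sample of such a response body for card numbers (pattern plus Luhn check, so a random 16-digit order number is not flagged) and SSN-shaped values, masks them the way a leakage protection would, and classifies the response as Legal, Illegal or Blocked depending on whether the policy is in Transparent or Blocking mode. The sample body, the function names and the simplified mode handling are all assumptions made for this example.

```python
import re

# Constructed sample of a guestbook page after the two entries from this
# exercise are posted, plus a harmless order number that looks card-like.
# This is invented text, not a capture from DVWA.
SAMPLE_RESPONSE_BODY = """
<div id="guestbook_comments">Name: Test 1<br />Message: My credit card: 4111-1111-1111-1111.<br /></div>
<div id="guestbook_comments">Name: Test 2<br />Message: My SSN: 123-45-6789.<br /></div>
<div id="guestbook_comments">Name: Test 3<br />Message: Order 1234-5678-9012-3456 shipped.<br /></div>
"""

# 13 to 19 digits, optionally separated by spaces or hyphens.
CC_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US Social Security Number shape: NNN-NN-NNNN.
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_valid(number: str) -> bool:
    """Luhn checksum over the digits of a candidate card number.
    Rejects digit runs that merely look like a card number."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Replace every digit except the last four with '*', keeping separators."""
    digits_seen = sum(c.isdigit() for c in value)
    out, count = [], 0
    for c in value:
        if c.isdigit():
            count += 1
            out.append(c if count > digits_seen - 4 else "*")
        else:
            out.append(c)
    return "".join(out)


def scan_response(body: str):
    """Return (findings, masked_body).

    Each finding is a simplified 'Information leakage detected' event for one
    sensitive value found in the response; masked_body is what a leakage
    protection would send to the client instead."""
    findings = []
    masked = body
    for m in CC_CANDIDATE.finditer(body):
        if luhn_valid(m.group(0)):
            findings.append({"type": "credit_card", "value": mask(m.group(0))})
            masked = masked.replace(m.group(0), mask(m.group(0)))
    for m in SSN_PATTERN.finditer(body):
        findings.append({"type": "ssn", "value": mask(m.group(0))})
        masked = masked.replace(m.group(0), mask(m.group(0)))
    return findings, masked


def classify(findings, enforcement_mode: str) -> str:
    """Simplified model of the two policy modes: in Transparent mode a
    violation is logged as Illegal but the traffic still passes; in Blocking
    mode the same violation would be Blocked."""
    if not findings:
        return "Legal"
    return "Blocked" if enforcement_mode == "blocking" else "Illegal"


if __name__ == "__main__":
    found, cleaned = scan_response(SAMPLE_RESPONSE_BODY)
    for f in found:
        print(f"Data Guard: Information leakage detected ({f['type']}: {f['value']})")
    print("Transparent mode:", classify(found, "transparent"))
    print("Blocking mode:   ", classify(found, "blocking"))
    print(cleaned)
```

Running the block reports two findings (the card number and the SSN, each masked down to its last four digits), leaves the Luhn-invalid order number untouched, and shows why the event in this exercise appears as Illegal rather than Blocked: the policy created in Task 1 is still in Transparent mode.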
TASK 3 – View the PCI Compliance Report
Use the PCI Compliance report to determine where the Web application is missing security controls required for compliance.
Open the Security > Reporting > Application > PCI Compliance page.
Question:
Which requirements are compliant? ________________________________________
______________________________________________________________________
Select Do not use vendor-supplied defaults for system passwords and other security parameters.
Question:
Why is this entry not yet in compliance? _______________________________________
To fix this compliance issue, in the Default Users section, click on the root username.
o Update the root password to rdp
o Update the admin password to rdp, then click Update, and then click OK.
Log back into the BIG-IP system using the new password.
Open the Security > Reporting > Application > PCI Compliance page.
You are now one step closer to meeting PCI compliance.
Click Assign a unique ID to each person with computer access.
In order to meet PCI compliance, we need to have unique user IDs for all BIG-IP system administrators.
Open the System > Users > User List page, and then click Create.
Create a new user account using the following information, and then click Finished.
User Name: your first name
Password: your last name (all lowercase)
Role: Administrator
Terminal Access: Advanced shell
Open the Security > Reporting > Application > PCI Compliance page.
The final step for PCI compliance is to develop and maintain a secure Web application.
Create an archive file named bc_6.2_asm_rdp_v11.5.1.