Required virtual images: BIGIP_A_v11.5.1, LAMP_3.4.
Estimated completion time: 45 minutes.
TASK 1 – Configure a Security Policy to Learn About File Types
Update the security policy to learn about illegal file types.
In the VMware library, power on both the BIGIP_A_v11.5.1 and LAMP_3.4 images.
Access and log in to BIGIP_A_v11.5.1.
Verify that you have restored using bc_6.2_asm_rdp_v11.5.1 (there should be an active security policy named dvwa_virtual).
Open the Security > Application Security > Policy Building > Manual Traffic Learning page.
The only learned entry is Data Guard information leakage detected.
Open the Security > Application Security > Blocking > Settings page.
In the Access Violations section, in the Illegal file type row, note that the Block checkbox is currently grayed out.
Question:
Why can’t you enable the Block option? _________________________________________
For Enforcement Mode, select the Blocking option.
In the Illegal file type row, select the Learn, Alarm, and Block checkboxes.
Scroll down the page to the Negative Security Violations section.
Exercise 6.3 – Tightening a Security Policy
Note that Data Guard: Information leakage detected is configured for both Learn and Alarm.
Question:
Why are these options already configured? _______________________________________
For Enforcement Mode, select the Transparent option.
Notice that the Block option for Illegal file type is once again grayed out; however, the checkbox remains selected.
Click Save.
TASK 2 – Configure Learning Explicit Entities for File Types
Update the dvwa_virtual security policy to learn explicit entities for file types.
Open the Security > Application Security > File Types > Allowed File Types page.
Click the *.
For Learn Explicit Entities, click Never (wildcard only).
For Explicit Entities Learning, from the File Types list box, select Add All Entities, and then click Save.
TASK 3 – Generate Learning Suggestions for the Security Policy
Open the DVWA site to generate learning suggestions for the security policy.
Use a new tab to access https://dvwa.vlab.f5demo.com.
Log into DVWA using the following credentials:
Username: admin Password: password
→NOTE: If you are automatically logged in, click Logout, and then log in using the above credentials.
On the navigation menu, click Command Execution.
Type lamp.f5demo.com; cat /etc/passwd into the field, and then click submit.
The Web application is vulnerable to command execution attacks.
On the navigation menu, click SQL Injection.
In the User ID field type the following and then click Submit:
%' or 1='1
The Web application is vulnerable to SQL injection attacks.
On the navigation menu, click XSS stored.
In the two fields enter the following, and then click Sign Guestbook:
Name: Test 1
Message: <script>alert("Your system is infected! Call 999-888-7777 for help.")</script>
The Web application is vulnerable to cross-site scripting attacks.
Change the URL to https://dvwa.vlab.f5demo.com/private.txt.
Change the URL to https://dvwa.vlab.f5demo.com/basic.css.
Change the URL to https://dvwa.vlab.f5demo.com/calc.exe.
Access to these confidential file types is still allowed through the virtual server.
Click the Back button until you return to the DVWA page.
On the navigation menu, click Setup, and then click Create / Reset Database.
On the navigation menu, click Logout, and then close the DVWA Web site tab.
TASK 4 – Fine Tune the Security Policy
Select the file types that are allowed for the Web site and accept them into the security policy.
In the Configuration Utility, open the Security > Application Security > Policy Building > Manual Traffic Learning page.
Click Attack signature detected.
BIG-IP ASM detected the attacks, including SQL injection, command execution, and cross-site scripting.
For the lowest SQL-INJ entry on the list, click the Recent Incidents link.
Questions:
Which URL is vulnerable for a SQL injection attack? _______________________________
Close the Requests List window.
Return to the Manual Traffic Learning page, and then click Illegal file type.
Questions:
Why is there an entry for no_ext? ____________________________________
________________________________________________________________
Should you allow or block access to pages without an extension, and why?
_________________________________________________________________
Select the checkboxes for the css, js, no_ext, php, and png file types, and then click Accept.
Open the Security > Application Security > File Types > Allowed File Types page.
Select the * checkbox, then click Delete, and then click OK.
Select the css, js, no_ext, php, and png checkboxes, then click Enforce, and then click OK.
This removes these file types from staging.
Click Apply Policy, and then click OK.
Use a new tab to access https://dvwa.vlab.f5demo.com.
Change the URL to https://dvwa.vlab.f5demo.com/private.txt.
Change the URL to https://dvwa.vlab.f5demo.com/basic.css.
Change the URL to https://dvwa.vlab.f5demo.com/calc.exe.
Questions:
Were you able to access these confidential files? _________________________
Why is BIG-IP ASM still allowing access to these file types? _______________________
_______________________________________________________________________
Close the DVWA Web site tab.
In the Configuration Utility, open the Security > Application Security > Policy Building > Manual Traffic Learning page, and then click Illegal file type.
Traffic learning continues to suggest these file types because the security policy is still configured to learn File Types on the Policy Building > Settings page.
Open the Security > Event Logs > Application > Requests page, and then from the Requests List list box, select All requests.
Questions:
Are requests for .txt files Legal, Illegal, or Blocked? ____________________
Are requests for .exe files Legal, Illegal, or Blocked? ___________________
What do you need to configure in BIG-IP ASM to block access to these file types?
_______________________________________________________________
TASK 5 – Modify the Security Policy’s Enforcement Mode
Modify the dvwa_virtual security policy to Blocking mode.
Open the Security > Application Security > Security Policies > Active Policies page and click dvwa_virtual.
For Enforcement Mode select the Blocking option, and then click Save.
Click Apply Policy, and then click OK.
Use a new tab to access https://dvwa.vlab.f5demo.com.
Change the URL to https://dvwa.vlab.f5demo.com/private.txt.
→NOTE: You may need to refresh the page.
Change the URL to https://dvwa.vlab.f5demo.com/calc.exe.
Close the blocked page tab.
In the Configuration Utility, open the Security > Event Logs > Application > Requests page.
Questions:
Are requests for .txt files Legal, Illegal, or Blocked? ____________________
Are requests for .exe files Legal, Illegal, or Blocked? ___________________
Open the Security > Application Security > Blocking > Response Pages page.
From the Response Type list box, select Custom Response.
Edit the Response Body to the following, and then click Save.
<html><head><title>Illegal Request</title></head>
<body>For security purposes, Lorax Investments has blocked this illegal request.<br><br>
You can contact our technical support department and supply them with the following support ID: <%TS.request.ID()%></body></html>
Click Apply Policy, and then click OK.
Use a new tab to access https://dvwa.vlab.f5demo.com/calc.exe.
Close the blocked page tab.
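Added example, written for this exercise and not F5's or the lab's own code: a simplified model of the file-type decision Tasks 2, 4 and 5 walk through, so the Legal / Illegal / Blocked verdicts read off the Requests log can be reasoned about offline. It assumes a flat allow list keyed by extension (no_ext for bare paths), ignores staging, and the names FileTypePolicy, classify and audit are made up here.

```python
# Added example (not F5 code): simplified model of how the explicit Allowed
# File Types list, the "*" wildcard entity, the Enforcement Mode and the
# Illegal file type Block flag combine into Legal / Illegal / Blocked verdicts.
from dataclasses import dataclass, field
from urllib.parse import urlsplit
import posixpath


@dataclass
class FileTypePolicy:
    enforcement_mode: str                        # "transparent" or "blocking"
    allowed: set = field(default_factory=set)    # explicit entities, e.g. {"php"}
    wildcard: bool = True                        # the "*" entity still exists
    block_illegal_file_type: bool = True         # Block checkbox on the violation


def file_type(url: str) -> str:
    """Map a request URL to its file type: the extension, or no_ext."""
    path = urlsplit(url).path
    ext = posixpath.splitext(posixpath.basename(path))[1].lstrip(".")
    return ext.lower() if ext else "no_ext"   # "/" and "/login" both -> no_ext


def classify(policy: FileTypePolicy, url: str) -> str:
    """Return 'Legal', 'Illegal' or 'Blocked' for one request."""
    ft = file_type(url)
    if ft in policy.allowed or policy.wildcard:
        # Explicitly allowed, or caught by "*" (accepts any type the explicit
        # list does not name): no violation is raised.
        return "Legal"
    # Not allowed and no wildcard: Illegal file type violation. It becomes a
    # block only in Blocking mode with the Block checkbox set; in Transparent
    # mode the request is logged as Illegal and passed to the server.
    if policy.enforcement_mode == "blocking" and policy.block_illegal_file_type:
        return "Blocked"
    return "Illegal"


def audit(policy: FileTypePolicy, urls) -> dict:
    """Classify every URL and return {url: verdict}, like a Requests-log view."""
    return {u: classify(policy, u) for u in urls}


if __name__ == "__main__":
    # Policy after TASK 4: "*" deleted, five types enforced, Transparent mode.
    lab = FileTypePolicy("transparent", {"css", "js", "no_ext", "php", "png"}, False)
    urls = ["https://dvwa.vlab.f5demo.com/" + p for p in ("private.txt", "basic.css", "calc.exe")]
    print(audit(lab, urls))                     # txt/exe Illegal, css Legal
    lab.enforcement_mode = "blocking"           # TASK 5: same requests now Blocked
    print(audit(lab, urls))
```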
TASK 6 – View the PCI Compliance Report
Use the PCI Compliance report to determine where the Web application is missing the security required for compliance.
In the Configuration Utility, open the Security > Reporting > Application > PCI Compliance page.
Question:
Why is the entry displaying the yellow icon? ___________________________________
______________________________________________________________________
Select Develop and maintain secure systems and applications.
Although the Web application security has begun, it still doesn’t meet PCI compliance requirements.
Create an archive file named bc_6.3_asm_policy_tuning_v11.5.1.