Job Description :
Position: F5 ASM Consultant-Reston ,VA
Backfill role
Location: Reston ,VA
MOI: Phone then F2F
Duration: 6 month
F5 ASM Consultant
The F5 ASM Consultant will provide day to day F5 ASM support as well as application onboarding configuration assistance during this project. These resources will primarily be interfacing with the application teams and the security teams to implement the F5 ASM onboarding procedures relevant to quickly adding applications behind the F5 ASM Web Application Firewall. The following is a list of activities the F5 ASM Consultant will be executing on:
Application Onboarding (General)
o Adjust logging profile within the F5 TMOS environment to log all requests and responses
o On board up to 77 applications:
Applications will be On-Boarded to the Prod environment residing within the 10 vCMP Guests built out in UTC-A and UTC-B datacenters:
5 vCMP Guests in UTC-A
5 vCMP Guests in UTC-B
The OOR and ACPT environments are out of scope for this project
F5 PS and Fannie Mae security engineering will be responsible for “rack and stack” work, as well as initial configuration of the F5 TMOS environment, and subsequent ASM licensing
Application OnBoarding (LTM Specific)
o Where needed and applicable:
Configure LTM pools for applications
Configure LTM VIPs to support applications
Configure SSL offloading where applicable
Configure iRules where applicable
implement already developed iRules and will not be creating new iRules to support functionality that is absent today
Configure standard Round Robin load balancing for each application VIP
Configure persistence methods that are compatible with each application,
Make use of templates in order to streamline work and reduce human error
Application OnBoarding (ASM Template Creation)
o Create two (2) Generic Application Security Policies Template
The templates will only differ on the Operating Systems that they protect
Application Security Policy Template names will conform to the following convention:
FM-TEMPLATE-ASM-[OS]-[INDEX]
Where [OS] is either a W for Windows or a U for Linux/Unix
Where [INDEX] is an integer starting at 00 and incrementing for each additional template created
Application Language will be set to UTF-8
Dynamic Session ID in URL is set to Disabled
Enforcement Readiness Period is set to 3 days
Security Policy is Case Sensitive is set to True
Differentiate between HTTP and HTTPS URLS is set to True
Attack Signatures will be assigned as follows:
General Database
System Independent
Various Systems
SSI
CGI
XML
Proxy Servers
The following attack signatures will also be added based upon the template type:
For the W or “Windows” template the following attack signatures will be added:
o Microsoft Windows
o IIS
o ASP
o ASP.NET
o Microsoft SQL Server
For the U or “Linux/Unix” template the following attack signatures will be added:
o Apache
o Apache Tomcat
o Java Servlets/JSP
o Oracle
Signature Staging will be set to Enabled
Apply Signatures to Responses will be set to Enabled
Explicit Entities Learning:
File Types will be set to Never (wildcard only)
URLs will be set to Never (wildcard only)
Parameters will be set to Selective
Application OnBoarding (ASM Security Policy Specific)
o Create one (1) ASM Security policy per application VIP
The Policy will NOT be applied to an existing Virtual Server
Where applicable use the output from a recent White Hat Sentinel Scan to build the initial policy
The “Create a security policy using a third-party vulnerability assessment tool” option will be used
If no recent White Hat Sentinel Scan is available the “Create a security policy manually or use templates (advanced)” option will be used
The Application Ready Security Policy will depend on the architecture of the application
o Windows based Applications will use the FM-ASM-W-[INDEX] template
o Linux/Unix based Applications will use the FM-ASM-U-[INDEX] template
ASM Security policy names for Applications will use the following naming convention:
FM-ASM-[VIP NAME]-[OS]-[INDEX]
Where [VIP NAME] is the name of the VIP that the policy will be protecting
Where [OS] is the Operating system the application as built on. W for Windows, U for Linux/Unix
Where [INDEX] is an integer that will increment as policies are created
Where applicable configure no more than two (2) login pages per Application
Login URL will be set to Explicit
Login page specifics to be provided
Where applicable internal QA testing IP addresses will be added to the IP Address Exceptions list
QA Machines will be set to the following:
o Policy Builder: Trust the IP
o Anomaly Detection: Ignore IP
o Learning Suggestions: Include IP
o Log Traffic: Allow Logging
o Block This IP: Never Block
o IP Intelligence: Include IP
o Description: A formal description of the network and it’s reason for being whitelisted
All other whitelisted ip addresses should be reviewed and configured at the direction of client
If Applicable Data Guard will be enabled for applications that may contain sensitive data:
Enable the standard protections for:
o Data Guard
o Credit Card Numbers
o Social Security Numbers
Custom Patterns and Exception Pattern development is out of scope for this project
Mask Data will be enabled
File Content Detection will remain un-checked
CSRF Protection will be enabled
SSL Only will remain unchecked
Expiration Time will be enabled with a time of 120 Seconds
Up to ten (10) urls will be entered for CSRF protection. Wildcards can be used to apply the protection to a more general grouping of URLs.
Brute Force protection will NOT be configured
Where Applicable Geo-Location Enforcement will be enabled
All Geolocations shall be removed from the Allowed Geolocations, and placed in the Disallowed Geolocations
Applicable Geolocations shall be moved from Disallowed Geolocations to the Allowed Geolocations box
DOS Profiles will not be setup
The On-Boarded Application will be placed into “Transparent” mode in which all violations will be logged but no enforcement action taken
The policy will be attached to the VIP and activated at the appropriate time,
The On-Boarded Application will be tested with the team to verify the ASM policy is not impacting the application in a negative manner