Nik_67256
Aug 07, 2012

Data Guard - End users perspective

 

Hello All,

I'm trying to understand Data Guard better from an end user perspective. The queries are:

1) What effect does checking the SSN checkbox and not checking the mask checkbox have?

2) Will checking the mask data as well completely mask (****) the SSN? If so, how do legitimate end users who need to work with the SSN work?

3) I believe if in transparent mode and mask data and SSN is enabled, then the SSN gets displayed as "*****" - is this understanding correct?

4) I believe if in Block mode and mask data and SSN is enabled, then the SSN gets blocked to the end user - is this understanding correct?

5) If we do need to allow SSN data to be displayed to some end users while masking SSN data to others, how do we do it?

I know there's a lot of documentation on these, but getting this specific info is what I'm looking for - thanks.

regards

 

1 Reply

  • Hi Nik,

    1) What effect does checking the SSN checkbox and not checking the mask checkbox have?

    No effect:

    From the online help:

    If the security policy’s enforcement mode is Transparent and the Mask Data check box is checked, the system encodes the sensitive data by returning asterisks to the client instead of the sensitive data. (The system also returns asterisks if the enforcement mode is Blocking, the Data Guard: Information leakage detected violation Block check box is cleared, and the Alarm check box is checked.)

    If the security policy’s enforcement mode is Blocking, and the Block check box for the Data Guard: Information leakage detected violation is checked, the system blocks the response.

    You can check SOL8363 for details on Data Guard:

    sol8363: Using the Mask Data setting to encode sensitive data returned by the BIG-IP ASM

    https://support.f5.com/kb/en-us/solutions/public/8000/300/sol8363.html

    When the security policy is in Transparent mode and the Mask Data setting is selected, the BIG-IP ASM encodes sensitive data returned by the web server by returning asterisk ( * ) characters to the client instead of the sensitive data.

    When the security policy is in Blocking mode and the Mask Data setting is selected, and Information leakage detected blocking is disabled, the BIG-IP ASM encodes sensitive data by returning asterisks to the client instead of the sensitive data.

    2) Will checking the mask data as well completely mask (****) the SSN? If so, how do legitimate end users who need to work with the SSN work?

    Yes. They couldn't. How do you want ASM to differentiate between legitimate end users and those that should not be able to retrieve content containing SSNs? If you can differentiate between legitimate and illegitimate users you could send them to separate ASM policies with the check disabled.

    3) I believe if in transparent mode and mask data and SSN is enabled, then the SSN gets displayed as "*****" - is this understanding correct?

    Yes, see 1)

    4) I believe if in Block mode and mask data and SSN is enabled, then the SSN gets blocked to the end user - is this understanding correct?

    Yes, see 1)

    5) If we do need to allow SSN data to be displayed to some end users while masking SSN data to others, how do we do it?

    See 2)

    Aaron
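
The outcomes described in the reply above, modelled in Python as an added illustration; this is not F5 code and not part of the original post. The `Policy` fields, the `payroll` group, the simplified SSN regex and the same-length asterisk replacement are assumptions, and the Alarm check box mentioned in the online help is not modelled.

```python
import re
from dataclasses import dataclass

# Simplified SSN pattern (assumption; not the pattern BIG-IP ASM uses).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

@dataclass(frozen=True)
class Policy:
    """Hypothetical model of the Data Guard settings named in the thread."""
    mode: str                  # "transparent" or "blocking"
    ssn_check: bool            # SSN check box
    mask_data: bool            # Mask Data check box
    block_leak: bool = False   # Block box of "Information leakage detected"

def data_guard(policy, body):
    """Return (action, body_sent_to_client) for one response body."""
    if not policy.ssn_check or not SSN_RE.search(body):
        return "pass", body
    if policy.mode == "blocking" and policy.block_leak:
        return "block", None   # response is blocked, nothing is returned
    if policy.mask_data:
        # Transparent mode, or Blocking mode with the Block box cleared.
        return "mask", SSN_RE.sub(lambda m: "*" * len(m.group()), body)
    return "pass", body        # SSN checked, Mask Data cleared: "No effect"

def select_policy(user_group, policies):
    """Points 2 and 5: users that can be told apart get separate policies."""
    return policies["ssn_visible" if user_group == "payroll" else "default"]

# Constructed sample data (policy names, groups and body are made up).
POLICIES = {
    "default": Policy("transparent", ssn_check=True, mask_data=True),
    "ssn_visible": Policy("transparent", ssn_check=False, mask_data=False),
}
BODY = "Employee 4711, SSN 078-05-1120, status active"

if __name__ == "__main__":
    for group in ("helpdesk", "payroll"):
        print(group, data_guard(select_policy(group, POLICIES), BODY))
    print(data_guard(Policy("blocking", True, True, block_leak=True), BODY))
    print(data_guard(Policy("blocking", True, True, block_leak=False), BODY))
```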