Forum Discussion

mm_pen_242283
Aug 29, 2016

ASM - security policy per Name-based Virtual Host

Hi experts.

We have a production F5 implementation with ASM provisioned (v 11.6.0), securing numerous DMZ sites behind it. All sites are homed behind a single F5 virtual server (IP address), with different DNS records pointing to the same public IP address (the F5 virtual server IP address).

Example: www.site1.com, www1.site1.com, www3.site1.com, www.site2.com >>> DNS A record == F5 VS

Consequently, all HTTP requests target the F5 VS and are forwarded from there to the member servers (behind F5), regardless of the target URI (may be www. or www1. ... etc.). The delivery decision (where to forward certain HTTP traffic) is carried out based on the "Name-based Virtual Host" header within each HTTP request. IMPORTANT: this decision is left to the member servers (running Apache reverse proxy or a similar solution) and not the F5 ADC.

Questions:

  1. Can unique ASM security policies be bound to different name-based virtual hosts?
  2. If yes, can separate learning / staging processes (e.g. Real Traffic Policy Builder or RDP) apply for each name-based virtual host, similar to building a security policy that is unique (and applied to a VS)?
  3. Referring to the previous 2 questions, can classification based on matching rules (e.g. matching the HTTP Host header) be used within Local Traffic Policies in order to build such policies?

It's important to emphasize that all of the hosted DMZ sites have:

  - similar configurations (same platform, same CMS, ...),
  - common (while autonomous) scripts with common naming (e.g. search.asp, logon.asp, ...)

It is required that ASM interprets each site (www., www1., ...) autonomously, so that it learns elements / violations per "name-based virtual host". Also, reporting (violations, top visited URIs) should be classified according to the "name-based" hosts (and not the VS, to which ASM policies are generally bound).

I am kindly asking for your assistance.

1 Reply

  • You would need to configure local traffic policies to activate different ASM policies based on the hostname, but yes, it's doable. Since each site would have its own policy, learning, etc. would be separate for each site.
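As an added illustration of the approach in the reply (this is not configuration from the thread or from F5 documentation): an LTM policy in tmsh notation that matches the client's Host header and enables a different ASM security policy for each name-based virtual host, attached to the single virtual server all the DNS names resolve to. Every object name here (asm_per_vhost, asm_site1_www, asm_site1_www1, asm_site2_www, asm_catch_all, vs_dmz_https) and the example address are assumed; the ASM policies themselves are created separately in the Application Security section and only referenced from the LTM policy. The lines starting with # are annotations, not part of the configuration.

```tmsh
# Added example (not from the thread). One rule per name-based virtual host;
# first match wins, so order the specific hosts before the catch-all rule.
ltm policy /Common/asm_per_vhost {
    controls { asm }
    requires { http }
    strategy /Common/first-match
    rules {
        site1_www {
            ordinal 1
            conditions {
                0 {
                    http-host
                    host
                    values { www.site1.com }
                }
            }
            actions {
                0 {
                    asm
                    request
                    enable
                    policy /Common/asm_site1_www
                }
            }
        }
        site1_www1 {
            ordinal 2
            conditions {
                0 {
                    http-host
                    host
                    values { www1.site1.com }
                }
            }
            actions {
                0 {
                    asm
                    request
                    enable
                    policy /Common/asm_site1_www1
                }
            }
        }
        site2_www {
            ordinal 3
            conditions {
                0 {
                    http-host
                    host
                    values { www.site2.com }
                }
            }
            actions {
                0 {
                    asm
                    request
                    enable
                    policy /Common/asm_site2_www
                }
            }
        }
        catch_all {
            ordinal 4
            actions {
                0 {
                    asm
                    request
                    enable
                    policy /Common/asm_catch_all
                }
            }
        }
    }
}

# Attach the LTM policy to the shared virtual server (pool and other
# settings omitted; the http and websecurity profiles are required for
# ASM enforcement via an LTM policy).
ltm virtual /Common/vs_dmz_https {
    destination /Common/203.0.113.10:443
    ip-protocol tcp
    profiles {
        /Common/tcp { }
        /Common/http { }
        /Common/websecurity { }
    }
    policies {
        /Common/asm_per_vhost { }
    }
}
```

Two points worth checking before relying on this. First, the catch_all rule has no conditions, so it matches any request whose Host header is not listed above; keeping an ASM policy (or a deny) there means a request with an unexpected or missing Host value is still inspected rather than handed to the backend Apache reverse proxy uninspected, since the Host header is entirely client-supplied. Second, Host values are case-insensitive in HTTP and may carry a port suffix, so verify on your 11.6 system how the http-host condition treats both before trusting exact-value matches. Because learning, Policy Builder and the event logs are all scoped to the individual ASM policy, separating the policies this way also gives the per-host learning and reporting the question asks for.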