--> Most web applications use a login page to authenticate their users and protect the rest of the application.
--> If the application is badly designed or broken, users may be able to reach sensitive URLs of the application without logging in at all.
--> For example, in an online banking application, account holders should only be able to reach their account information after authenticating through the login screen.
--> ASM can prevent this with a feature known as Login Page Enforcement.
--> With Login Page Enforcement, ASM forces users to complete the login before they are allowed to reach the other parts of the web application.
--> The URLs that may only be requested after a successful login are known as authenticated URLs.
--> Login pages can be created manually, or ASM can detect and create them automatically.
--> Automatic detection currently only works for login pages that use HTML forms.
--> When creating login or logout pages manually, you specify the login and logout URLs that the application uses.
--> The same URL may be used as both a login URL and a logout URL.
--> You need to define the following information in order to implement the login page:
1) Login URL: The URL of the web application's login page, where users must authenticate before accessing the other URLs.
2) Authentication Method: The authentication method used by the Login URL. Most web applications use an HTML form; ASM also supports HTTP Basic, HTTP Digest and NTLM authentication.
3) Username Parameter: The name of the form parameter in which the user submits the username.
4) Password Parameter: The name of the form parameter in which the user submits the password.
5) Access Validation: One or more conditions on the server's response to the login request (for example an expected response status code, a header, a cookie, or a string that must or must not appear in the response body). ASM uses them to decide whether the login actually succeeded; a login attempt that does not satisfy them is not treated as an authentication.
--> You can optionally specify a Logout Page URL so that ASM knows when the user has logged out and the session is no longer authenticated.
Login Page Enforcement:
--> ASM records in its TS cookie whether the client has successfully accessed the prerequisite URL (the Login URL) and passed access validation.
--> By reading the TS cookie on each request, ASM knows whether the client is authenticated without keeping the application's own session state.
--> If the TS cookie is missing from the request, has expired, or does not record a successful login, a request to an authenticated URL raises a violation (Login URL bypassed or Login URL expired) and the client must access the login page and authenticate before the other URLs are served.
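The following is an added example, not F5 code and not an implementation of ASM's proprietary TS cookie: a simplified Python model of the mechanism described above. A signed cookie (here called TSsim, an assumption) records whether the client passed the login URL and when; requests to authenticated URLs are gated on that state, a failed access validation does not count as a login, the logout URL clears the state, an old login expires, and a client that forges a "logged in" cookie without the key is rejected. All URLs, parameter names, the key and the traffic are constructed for the example.

```python
"""Simplified model of ASM-style login page enforcement (added example, not F5 code).

A signed session cookie stands in for the TS cookie: it records whether the client
passed the login URL and when. Requests to authenticated URLs are gated on that
state; the logout URL clears it. Every URL, parameter name, the cookie name, the
key and the traffic below are constructed assumptions.
"""
import base64
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # assumption: ASM keeps its own secret; this is a stand-in
COOKIE = "TSsim"               # assumption: stand-in for the TS cookie name

# Login page definition (items 1-5 of the text), constructed values.
LOGIN_PAGE = {
    "login_url": "/login",
    "auth_method": "html-form",
    "username_param": "user",
    "password_param": "pass",
    # Access validation: the login counts as successful only if BOTH conditions hold.
    "access_validation": {"response_status": 302,
                          "response_header": "Location: /account"},
}
# Login page enforcement settings, constructed values.
ENFORCEMENT = {
    "authenticated_urls": ("/account", "/transfer"),
    "logout_urls": ("/logout",),
    "expiration_seconds": 600,
}


def _sign(payload: bytes) -> bytes:
    return hmac.new(KEY, payload, hashlib.sha256).digest()


def mint_cookie(state: dict) -> str:
    """Encode state as base64(payload).base64(mac) so the client cannot alter it."""
    payload = json.dumps(state, separators=(",", ":")).encode()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(_sign(payload)).decode())


def read_cookie(value):
    """Return the recorded state, or None if the cookie is missing or tampered."""
    if not value or "." not in value:
        return None
    p64, m64 = value.rsplit(".", 1)
    try:
        payload, mac = base64.urlsafe_b64decode(p64), base64.urlsafe_b64decode(m64)
    except ValueError:
        return None
    if not hmac.compare_digest(mac, _sign(payload)):
        return None
    return json.loads(payload)


def login_succeeded(response: dict) -> bool:
    """Apply the configured access validation to the server's login response."""
    av = LOGIN_PAGE["access_validation"]
    if response["status"] != av["response_status"]:
        return False
    return any(h.startswith(av["response_header"]) for h in response["headers"])


def inspect_request(request: dict, now: float):
    """Gate the request: returns ('allow', None) or ('block', violation name)."""
    if request["url"] not in ENFORCEMENT["authenticated_urls"]:
        return "allow", None        # login, logout and public URLs need no session
    state = read_cookie(request.get("cookies", {}).get(COOKIE))
    if state is None or not state.get("login_ok"):
        return "block", "Login URL bypassed"
    if now - state["login_time"] > ENFORCEMENT["expiration_seconds"]:
        return "block", "Login URL expired"
    return "allow", None


def inspect_response(request: dict, response: dict, now: float):
    """Return the cookie value the client should carry after this exchange."""
    url, form = request["url"], request.get("form", {})
    if url == LOGIN_PAGE["login_url"] and request["method"] == "POST":
        has_creds = (LOGIN_PAGE["username_param"] in form
                     and LOGIN_PAGE["password_param"] in form)
        if has_creds and login_succeeded(response):
            return mint_cookie({"login_ok": True, "login_time": now})
        return mint_cookie({"login_ok": False})  # failed login: not authenticated
    if url in ENFORCEMENT["logout_urls"]:
        return mint_cookie({"login_ok": False})  # logout clears the session state
    return request.get("cookies", {}).get(COOKIE)  # anything else: unchanged


def demo():
    """Walk one constructed client through bypass, login, logout, expiry and forgery."""
    t0, cookies, results = 1_700_000_000.0, {}, []

    def go(req, resp, now):
        req = dict(req, cookies=dict(cookies))
        verdict, why = inspect_request(req, now)
        results.append((req["url"], verdict, why))
        if verdict == "allow":
            cookies[COOKIE] = inspect_response(req, resp, now)

    page = {"status": 200, "headers": ["Content-Type: text/html"]}
    redirect = {"status": 302, "headers": ["Location: /account"]}
    bad_login = {"method": "POST", "url": "/login", "form": {"user": "alice", "pass": "wrong"}}
    good_login = {"method": "POST", "url": "/login", "form": {"user": "alice", "pass": "right"}}
    go({"method": "GET", "url": "/account"}, page, t0)        # no TS cookie: bypassed
    go(bad_login, page, t0)                                   # 200 error page fails validation
    go({"method": "GET", "url": "/account"}, page, t0 + 1)    # still bypassed
    go(good_login, redirect, t0 + 2)                          # validation passes
    go({"method": "GET", "url": "/account"}, page, t0 + 3)    # allowed
    go({"method": "GET", "url": "/logout"}, page, t0 + 4)     # clears the state
    go({"method": "GET", "url": "/account"}, page, t0 + 5)    # bypassed again
    go(good_login, redirect, t0 + 6)                          # logged in at t0+6
    go({"method": "GET", "url": "/transfer"}, page, t0 + 700) # 694 s > 600 s: expired
    # Forgery: the client writes its own "logged in" state without knowing the key.
    fake = json.dumps({"login_ok": True, "login_time": t0 + 700}).encode()
    cookies[COOKIE] = (base64.urlsafe_b64encode(fake).decode() + "."
                       + base64.urlsafe_b64encode(b"\0" * 32).decode())
    go({"method": "GET", "url": "/account"}, page, t0 + 701)  # bad signature: bypassed
    return results
```

The point the model makes explicit is that the enforcement state lives in a cookie the client carries, so two things decide whether the feature is worth anything: the cookie must be integrity-protected (here an HMAC; ASM signs its TS cookie), and the login only counts once access validation is satisfied, otherwise a client could "log in" with a garbage password and still be marked authenticated.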
Step 1: Configure the Login Page:
--> Navigate to Security > Application Security > Sessions and Logins under your selected security policy and create the login page with its Login URL, authentication method, username and password parameters, and access validation.
Step 2: Configure Login Page Enforcement:
--> Navigate to Security > Application Security > Sessions and Logins > Login Enforcement under your selected security policy, add the authenticated URLs (and optionally the logout URLs), and set the expiration time for the login.
Step 3: Enable Login Enforcement under Learning and Blocking Settings:
--> Navigate to Security > Application Security > Policy Building > Learning and Blocking Settings and enable the login enforcement violations (Login URL bypassed, Login URL expired) for the security policy.
--> Save the changes and click Apply Policy to activate Login Enforcement on the security policy.
You have successfully enabled Login Page Enforcement on the ASM security policy.
Reference: F5.com
Md.Kareemoddin,
CCIE # 54759, F5-CTS