Positive Security

Overview

Positive Security rules define allowed application behaviour. These rules can be created by the Learning Engine, scanner import or manually. A Positive Security rule will match when the request (or parts of the request) matches the behaviour defined in the rules. This is in contrast to Signatures, which describe attack patterns and will match when an attack pattern is found.

Both Positive Security and Signatures allow similar concepts for rules.

  • Enable / Disable
  • Mode (Detection / Enforcement) by rule
  • Paranoia levels of rules

Reasons for Using the Positive Security Model

  • As Positive Security is defining application behaviour it can reduce the attack surface by only allowing known good traffic.
  • A Positive Security can result in better performance.
    Instead of checking a value against a long list of known attacks, the validation is against a single expression.

Configure Positive Security Group

To create a Positive Security group,

  1. From the Avi UI, navigate to Templates > WAF > WAF Policy and click on Create.
    or
    Edit an existing WAF Policy.
  2. Enter the required details under the Settings tab.
  3. Click on the Positive Security tab. Create Positive Security
  4. Click on Add Group to create the New Positive Security Group.
    In the New Positive Security Group screen, enter the details as shown below:
    Field Description Additional Information
    Name Enter a relevant name for the policy.
    Description Enter a description to identify the group
    Learning Group Select this option to enable the group for learning
    Hit Action Select either Allow parameter or No operation from the drop down. The selected action gets implemented if a rule in this group matches a match type.
    Miss Action Select either Block or No Operation from the drop down. The selected action gets implemented if a rule in this group does not match a match type.
    Location Click on Add Location to create a new location Rules are created in locations. Locations are derived from URLs.
  5. Click on Save.

Creating a Location

Enter details in the New Location: screen as shown below:

  1. Enter a unique Name to identify the location.
  2. Enter the Description.
  3. Select a Match Type, for example, Path.
  4. In the field Criteria, select the criterion to use for matching the HTTP request in the URI.
  5. Enter the String Value.
  6. Select Match Case to enable case sensitivity.
    Match Type
  7. To add another match type, select one from the Add Match Type drop down list.
  8. Click on Add Rule to create a new rule. The New Location screen is as below:
    Match Type
  9. Click on Save.

Consolidation of Learning Data

Prior to Avi Vantage release 20.1.4, Avi Vantage evaluates the full URI name for the PSM location. For example, if the URI is /product/view, the location name will be /product/view. But, if there are a lot of similar URIs, the number of locations increases significantly. Starting with Avi Vantage release 20.1.4, the prefix evaluation for the similar URIs are supported for the PSM learning location. Evaluating the common part of the similar URIs reduces the programmed PSM location number.

The following image shows the behaviour prior to Avi Vantage release 20.1.4. As shown below, many similar URIs are programmed as Locations (category/view_detail/item1-4) and the prefix is not selected for the similar URIs.

learning

As seen above, each of them have a strict match of Location (as path is considered equivalent to equals).

The following example shows the details of a location when the prefix is considered for the similar URIs instead of the full URIs. Similar URI’s are consolidated into one Location using prefix (for example, /category/view_detail) and accordingly the path is matched as Begins with (instead of equals).

uris-with-prefix.png

Creating an Argument Rule

In the New Argument Rule: screen,

  1. Click the Rule Enabled toggle button to enable/disable the rule. The rule is enabled by default.
  2. Enter a unique Rule ID.
  3. Enter the rule Name.
  4. Enter a Description for the rule.
  5. Select a mode:
    • Use Policy Mode: When Detection or Enforcement can not be applied, the policy mode is used. For the policy mode to take effect, the WAF policy should allow delegation.
    • Detection: WAF rules will be processed but HTTP transactions will not be intercepted. Any rule configured to intercept HTTP transactions will be bypassed.
    • Enforcement Mode: WAF rules are processed and HTTP transactions intercepted, as per the rules configured.
  6. Select a WAF Ruleset paranoia mode. The rules will be determine based on the Filter Rule Paranoia Level selected. The Paranoia mode set for a WAF Policy defines its rigidity.
  7. Define the Match Elements as shown below:
    i) Enter the Value Max Length to define the maximum length of the match value.
    ii) Enter a Match Value Pattern to identify the expression which describes the expected value.
    iii) Enable Arguments Case Sensitive, if required. This will ensure the match value has the same case as specified in the match value pattern.
    Note: Starting with Avi Vantage release 20.1.3, string groups are also supported for in addition to the math value pattern.
  8. Click Add Match Element and define the match elements as shown below:
    i) In the field Name, select the variable specification.
    ii) Enter a Sub Element.
    iii) Click Excluded, if given parameter should not be processed by Positive Security Model, for example:
    • Add ARGS without specifying sub-elements.
    • Add ARGS, sub-element password, mark as excluded.

    Such a configuration indicates that the Positive Security Model rule should be applied to all request parameters (ARGS) except for the parameter password.
    Arguement
    iv) Choose the method for locating Match Element. Equals indicates that the provided Sub Element must be equal to the corresponding request parameter.
    Note: Starting with Avi Vantage release 21.1.3, you can choose other methods. For example, the regular expression match interprets the Sub Element as a regular expression.
    The New Argument Rule screen is as below:
    Arguement

  9. Click Save.

Selecting a Paranoia Mode

The available paranoia modes are:

  • 1- Low
  • 2- Medium
  • 3- High
  • 4- Extreme

Two aspects that should be considered while setting the paranoia mode are:

  • Risk level of an application.
  • Resources available for policy tuning.

The following table maps paranoia modes to different risks levels and resource availability.

High application risk level High paranoia mode
Low application risk level Low paranoia mode
Resources available for tuning Higher paranoia mode
Limited resources available for tuning Lower paranoia mode

For more information on paranoia mode, refer to OWASP CRS Paranoia Mode.

String Groups Support

Starting with Avi Vantage release 20.1.3, string groups are supported in addition to the match value pattern as mentioned in the previous section. The string group consists of the followings:

  • String Group – UUID of the string group containing key used in the match element.
  • Key – PCRE-supported regular expression.

Navigate to Templates > WAF > Positive Security. The option to use string groups is available under Match Elements while creating a new argument rule, as shown below.

string-group For the string group, select the default System-PSMGroup-Types from the drop-down or create a new string group. For the default System-PSMGroup-Types, select one of the KEY NAMES, as shown below.

create-rule default-key

To create a new string group, select create from the drop-down, as shown below. create-rule

Provide the name, enable to checkbox for Key Value Pair. key-value-pair

Provide the name of new key, and enter a PCRE supported expression under the Value field, and click on the Add Map option, as shown below. add-map

Provide the name of the key created in the previous step, as shown below. new-key

Note:
The maximum value of string groups that Avi Vantage supports is 100. A string group supports a maximum of 1000 key values.