F5 Configuring BIG-IP ASM: Application Security Manager (ASM)

Duration: 4 Days

Overview

The BIG-IP Application Security Manager course gives participants a functional understanding of how to deploy, tune, and operate BIG-IP Application Security Manager (ASM) to protect their web applications from HTTP-based attacks.
The course includes lecture, hands-on labs, and discussion about different ASM components for detecting and mitigating threats from multiple attack vectors such as web scraping, Layer 7 Denial of Service, brute force, bots, code injection, and zero day.

Audience

This course is intended for security and network administrators who will be responsible for the installation, deployment, tuning, and day-to-day maintenance of the Application Security Manager.

Prerequisites

There are no required F5 technology-specific prerequisites for this course. However, completing one of the following before attending would be very helpful for students unfamiliar with BIG-IP:
* Administering BIG-IP instructor-led course
* F5 Certified BIG-IP Administrator

The following web-based courses, although optional, will be very helpful for any student with limited BIG-IP administration and configuration experience:
* Getting Started with BIG-IP web-based training
* Getting Started with BIG-IP Local Traffic Manager (LTM) web-based training
* Getting Started with BIG-IP Application Security Manager (ASM) web-based training

The following general network technology knowledge and experience are recommended before attending any F5 Global Training Services instructor-led course:
* Web application delivery concepts
* HTTP and HTTPS protocols
* General awareness of web application vulnerabilities such as those defined in the OWASP Top Ten

Topics Covered:

  • Setting up the BIG-IP system
  • Traffic processing with BIG-IP LTM
  • Web application concepts
  • Web application vulnerabilities
  • Security policy deployment
  • Security policy tuning
  • Attack signature
  • Positive security building
  • Security cookies and other headers
  • Reporting and logging
  • User roles
  • Policy modification, merging and exporting
  • Advanced parameter handling
  • Using application templates
  • Using Automatic Policy Builder
  • Integrating with web vulnerability scanners
  • Login enforcement and session tracking
  • Web scraping detection and mitigation
  • Layer 7 DoS protection
  • ASM and iRules
  • XML and web services protection
  • AJAX/JSON support