Data Guard

Overview

Data Guard is a security feature that can be used to prevent the leakage of sensitive information from an application, such as credit card numbers (CCN) or Social Security numbers (SSN). Once this feature is enabled, sensitive data is either blocked or masked, depending on the configuration. Enabling Data Guard therefore helps meet the GDPR and PCI DSS requirements for securing personal and credit card data.

How Data Guard protects sensitive data

In some web applications, a response may contain sensitive user information, such as credit card numbers or U.S. Social Security numbers. The Data Guard feature can prevent responses from exposing sensitive information by masking the data (this is also known as response scrubbing). Data Guard scans the text in responses looking for the types of sensitive information that you specify.

When you mask the data, the system replaces the sensitive data with asterisks (****). F5 Networks recommends that you enable this setting; otherwise, when the system returns a response, sensitive data could be exposed to the client.

Using Data Guard, you can configure custom patterns using PCRE regular expressions to protect other forms of sensitive information, and indicate exception patterns not to consider sensitive. You can also specify which URLs you want the system to examine for sensitive data. The system can also examine the content of responses for specific types of files that you do not want to be returned to users, such as Microsoft Office documents, PDFs, ELF binary files, Mach object files, or Windows portable executables. File content checking causes the system to examine responses for the file content types you select. You can configure the system to block sensitive file content (according to the blocking setting of the DataGuard: Information Leakage Detected violation).

Response headers that Data Guard inspects

Data Guard examines responses that have the following content-type headers:

  • “text/…”

  • “application/x-shockwave-flash”

  • “application/sgml”

  • “application/x-javascript”

  • “application/xml”

  • “application/x-asp”

  • “application/x-aspx”

  • “application/xhtml+xml”

You can configure one additional user-defined response content-type using the system variable user_defined_accum_type.

Prerequisites

  • Verify any attached application services to ensure proper security after changes are deployed.

  • You need to have a user role of Security Manager or Administrator to manage a WAF policy.

How to configure Data Guard

Enable and manage Data Guard settings

Enable and manage which information requires data masking in your protected application’s response.

  1. Click the workspace icon next to the F5 icon, and click Security.

  2. From the left menu click Policies under WAF.

  3. Select the name of the policy.

    A panel for the General Settings opens.

  4. From the panel menu, click Data Guard.

    By default, Data Guard is disabled.

  5. To enable Data Guard, toggle the Enabled button.

    The settings are displayed.

  6. For Credit Card Numbers select Detect if you want to consider this information as sensitive data.

    1. Enter the number of digits that will be exposed in the request in Expose last characters.

  7. For U.S. Social Security Numbers select Detect if you want to consider this information as sensitive data.

    1. Enter the number of digits that will be exposed in the request in Expose last characters.

  8. To specify additional sensitive data patterns that occur in the application:

    1. For Custom Patterns select Detect.

    2. In the Custom Pattern Syntax field, type a PCRE regular expression to specify the sensitive data pattern.

      For example: 999-[\d][\d]-[\d][\d][\d][\d] (in PCRE, \d matches a digit; [/d] would match only a literal slash or the letter d).

    3. Click + Add to add more custom patterns.

  9. Click Save.

  10. If you have completed your changes to the policy, click Save & Deploy to update associated BIG-IP Next instance(s).

  11. To confirm the deployment, click Deploy.
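The masking behaviour that the overview describes and that steps 6 through 8 configure (masking digits while exposing the last N characters, custom PCRE patterns with exception patterns, examining only the listed content types, and checking for file content) is modelled below as an added Python example. It is not F5's code and does not reproduce the product's internals: Python's `re` module stands in for PCRE, the configuration key names mirror the UI fields but are assumptions, the card-number and SSN detectors are deliberately simplified, the treatment of `user_defined_accum_type` as one extra exact media type is an assumption, and the sample response body and all numbers in it are constructed.

```python
import re

# Content types Data Guard inspects, from the page. "text/" is a prefix,
# the rest are exact media types.
INSPECTED_CONTENT_TYPES = (
    "text/",
    "application/x-shockwave-flash",
    "application/sgml",
    "application/x-javascript",
    "application/xml",
    "application/x-asp",
    "application/x-aspx",
    "application/xhtml+xml",
)

# Well-known magic bytes for file types the page names. Office documents are
# omitted here: modern ones are ZIP containers and need more than a prefix check.
FILE_SIGNATURES = {
    "PDF": (b"%PDF-",),
    "ELF": (b"\x7fELF",),
    "Windows PE": (b"MZ",),
    "Mach-O": (b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
               b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"),
}

# Simplified detectors (assumption: the product's matchers are stricter).
CCN_PATTERN = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")   # 13-19 digits, optional separators
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def is_inspected(content_type, user_defined_type=None):
    """True if a response with this Content-Type header is scanned at all."""
    media = content_type.split(";", 1)[0].strip().lower()
    if user_defined_type and media == user_defined_type.lower():
        return True
    return any(media == t or (t.endswith("/") and media.startswith(t))
               for t in INSPECTED_CONTENT_TYPES)


def mask_digits(value, expose_last):
    """Replace digits with '*' except the final `expose_last` digits; keep separators."""
    total = sum(c.isdigit() for c in value)
    seen, out = 0, []
    for c in value:
        if c.isdigit():
            seen += 1
            out.append(c if total - seen < expose_last else "*")
        else:
            out.append(c)
    return "".join(out)


def detect_file_content(body):
    """Return the file type name if `body` (bytes) starts with a listed signature."""
    for name, magics in FILE_SIGNATURES.items():
        if any(body.startswith(m) for m in magics):
            return name
    return None


def scrub_response(content_type, body, config):
    """Mask sensitive data in a response body; returns (scrubbed_body, finding_kinds).

    Assumed config keys (named after the UI fields): ccn_detect, ccn_expose_last,
    ssn_detect, ssn_expose_last, custom_patterns, exception_patterns,
    user_defined_accum_type.
    """
    findings = []
    if not is_inspected(content_type, config.get("user_defined_accum_type")):
        return body, findings                     # response type is not examined
    exceptions = [re.compile(p) for p in config.get("exception_patterns", [])]

    def masker(kind, expose_last):
        def repl(m):
            text = m.group(0)
            if any(x.fullmatch(text) for x in exceptions):
                return text                       # exception pattern: not sensitive
            findings.append(kind)                 # record the kind, never the value
            if expose_last is None:               # custom pattern: mask the whole match
                return "*" * len(text)
            return mask_digits(text, expose_last)
        return repl

    if config.get("ccn_detect"):
        body = CCN_PATTERN.sub(masker("CCN", config.get("ccn_expose_last", 0)), body)
    if config.get("ssn_detect"):
        body = SSN_PATTERN.sub(masker("SSN", config.get("ssn_expose_last", 0)), body)
    for pat in config.get("custom_patterns", []):
        body = re.compile(pat).sub(masker("CUSTOM", None), body)
    return body, findings


SAMPLE_CONFIG = {
    "ccn_detect": True, "ccn_expose_last": 4,
    "ssn_detect": True, "ssn_expose_last": 4,
    "custom_patterns": [r"ACCT-\d{6}"],
    "exception_patterns": [r"ACCT-000000"],       # constructed placeholder id
}

# Constructed sample response body; every number in it is made up.
SAMPLE_BODY = ("Card 4111-1111-1111-1111 on file for SSN 123-45-6789; "
               "accounts ACCT-123456 and ACCT-000000.")

if __name__ == "__main__":
    scrubbed, kinds = scrub_response("text/html; charset=utf-8", SAMPLE_BODY, SAMPLE_CONFIG)
    print(scrubbed)
    print("findings:", kinds)
    print("file check:", detect_file_content(b"%PDF-1.7\n"))
```

The findings list records only the kind of match, not the matched value, which is the same discipline an event log should follow: the alert should say that leakage was detected, not repeat the data.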

Manage Data Guard violations

For details about default template settings for violations, see Data Guard violations.

  1. Click the workspace icon next to the F5 icon, and click Security.

  2. From the left menu click Policies under WAF.

  3. Select the name of the policy.

    A panel for the General Settings opens.

  4. From the panel menu, click Data Guard.

  5. Click Violations.

    The Data Guard Violations panel opens.

  6. Select the policy action when the WAF policy detects information leakage included in the responses:

    1. Select one of the following protection settings:

      1. Alarm - Sends an alert to the event log that certain traffic is associated with data leakage.

      2. Alarm & Block - Sends an alert to the event log and blocks traffic associated with data leakage.

      3. Disabled - The policy does not detect or enforce information leakage.

  7. Click Save.

The Data Guard information leakage protection setting is updated, but the policy changes are not yet deployed. Click Deploy to deploy the changes to the BIG-IP Next instances.

Resources

Data Guard management using the policy editor

Edit the WAF policy JSON declaration directly through the WAF policy editor.