Objective 3.01 Explain how to configure a combination of features and functionality necessary to mitigate accessibility risks within an application architecture. (e.g., APM, LTM, AFM, ASM, IPI, iRules)

 

Objective 3.02 Explain how to configure a combination of features and functionality necessary to mitigate availability risks within an application architecture. (e.g., LTM, GTM, ASM, AFM, IPI, iRules)

  • Mirroring recommendations
    • Layer 7 mirroring over a low throughput HA link may not function as desired
    • Layer 4 mirroring over a high latency link may cause connection hangs
    • BIG-IP APM and ASM systems require frequent synchronization of session information between failover peers
    • Configure a dedicated VLAN and dedicated interfaces to process mirroring traffic
    • Directly cable mirroring interfaces
    • Do not use a VLAN group for network mirroring traffic
    • Configure both primary and alternate mirroring addresses
  • Availability recommendations
    • Use DDoS mitigation services designed to block attacks at the edge of the network. In the event of an attack, such a system can actually save money as the traffic will not cause additional charges due to spikes in cloud use.
    • Implement a process for change management
    • Use a WAF or DDoS protection appliance to prevent layer 7 attacks
  • AFM availability features
    • Network DDoS protection
    • IP intelligence
    • iRules to trigger DDoS protection (anti-DDoS)
    • IP shunning (accelerated blacklisting)
  • ASM availability features
    • DDoS for Layer 7
    • WAF
  • GTM availability features
    • DNS DDoS attack mitigation
    • Application health monitoring
    • Disaster recovery/business continuity planning

Objective 3.03 Explain how to configure a combination of features and functionality necessary to mitigate confidentiality and privacy risks within an application architecture. (e.g., LTM, APM)

  • Confidentiality recommendations
    • Enable TLS/SSL by default
    • Strongly encrypt critical data at rest, especially back-end credential stores. At a minimum, implement a hash plus salt, or any stronger encryption mechanism
    • To cover vulnerabilities between patch deployments, the virtual patching capabilities of a WAF are highly recommended
  • Web Scraping
    • Data scraping is used to extract data from websites

Objective 3.04 Explain how to configure a combination of features and functionality necessary to mitigate integrity risks within an application architecture. (e.g., iRules, ASM, FPS)

  • Integrity recommendations
    • Implementing tools like WebSafe and a WAF limits the ability of nefarious actors to inject bad data into the application, protecting against a full range of threats to help reduce loss and exposure
    • Application controls that check for completeness of data are also a great way to detect whether one of your upstream controls has failed
    • Automated testing of the application can quickly alert operations when defective changes are implemented
    • DNS wide area persistence
    • DNSSEC
    • APM strong encryption security

Objective 3.05 Explain how to configure a solution for third-party integration to leverage extended capabilities

  • APM integrations
    • Web Interface Sites (Citrix)
    • XML brokers (Citrix)
    • Oracle Access Manager (SSO)
    • SAML
    • Windows Credential Manager
    • RSA SecurID
    • Splunk (centralized advanced reporting)
  • ASM integrations
    • Antivirus protection (ICAP)
      • HTTP uploads
      • SOAP attachments
      • SMTP email attachments
    • Vulnerability scanners
      • IBM Rational AppScan
      • Cenzic HailStorm
      • QualysGuard
      • WhiteHat Sentinel

Objective 3.06 Determine appropriate testing strategies for a multi-module solution

 

Objective 3.07 Leverage effectiveness tool (e.g., vulnerability scanner, load tester) and testing outputs (reporting) to determine whether associated features and functionalities are being implemented effectively and appropriately to mitigate risk