AppXcel Web Application Firewall User Guide

January 2008


Table of Contents

Chapter 1 - Web Application Firewall Overview .... 1-1
  Protection Layers .... 1-2
    Web Application on AppXcel .... 1-2
    Signature-Based Intrusion Prevention .... 1-4
    Web Protocol Violations and Web Worms .... 1-6
    Profile Violations .... 1-7
  The Blocking Process .... 1-10
    Source Blocking versus Immediate Blocking .... 1-10
    IP Blocking versus Application Session Blocking .... 1-11
    The Process of Blocking Traffic .... 1-11
  AppXcel WAF Management .... 1-13
    AppXcel WAF Components .... 1-13

Chapter 2 - Getting Started .... 2-1
  Configuration Flow .... 2-2
    Introduction .... 2-2
    AppXcel WAF Add-on License .... 2-2
    Launching AppXcel WAF Management Interface from APSolute Insite .... 2-3
    AppXcel WAF Protection Flow .... 2-5
  Touring the AppXcel WAF User Interface .... 2-7
    Introduction .... 2-7
    On-Line Help .... 2-10
  Initial Configuration .... 2-11
    Introduction .... 2-11
    Defining Server Groups .... 2-12
    Defining Network Firewall Rules .... 2-18
    Services .... 2-22
    Special Server Configuration .... 2-25
    Active Profile Settings .... 2-30

DefensePro User Guide 1


Chapter 3 - Setting the Operation Mode .... 3-1
  Operation Modes .... 3-2
    Operation Modes - Introduction .... 3-2
  IP Restrictions .... 3-3
    Restrict Monitoring to only this Source IP Group .... 3-3
    Ignore this Source IP Group (except for firewall violations) .... 3-4
  URL Restrictions .... 3-5
    Restrict Learning and Protection to only these URLs/Directories .... 3-5
    Ignore the following URLs/Directories .... 3-7
    Ignore Static Files .... 3-8
    Ignore Parameters .... 3-9
    Ignore XML Elements .... 3-9
  Automatic Profile Updates .... 3-10
    Automatic Profile Updates - Introduction .... 3-10

Chapter 4 - Configuring Actions .... 4-1
  Action Interfaces .... 4-2
    Introduction .... 4-2
    Defining Action Interfaces .... 4-2
  Configuring Action Policies .... 4-4
    Configuring Action Policies - Introduction .... 4-4
  Configuring Server Group's Security Rules .... 4-7
    Security Rules - Introduction .... 4-7
    Firewall Rules .... 4-10
    Signature Rules .... 4-12
    Protocol Violation Rules .... 4-13
    Web Worms Defender Rules .... 4-19
    Profile Violation Rules .... 4-22
    Custom Policy Rules .... 4-26
    Correlation Rules .... 4-32
  Preventing Blocking of Specific IP Addresses .... 4-36

Chapter 5 - Monitoring .... 5-1
  Activity Console .... 5-2
    Introduction .... 5-2
  Alerts .... 5-3
    Reading Alerts .... 5-3


    Browsing Monitored Events .... 5-10
    Operations on Alerts .... 5-11
    Additional View Options .... 5-12
    Browsing Alerts .... 5-13
    Sorting Alerts .... 5-13
    Filtering Alerts .... 5-15
    Clearing the Alerts List .... 5-16
    Clearing All Alerts that Match a Filter .... 5-16
    Alert Aggregation .... 5-17
  Gateways .... 5-21
    Gateways - Introduction .... 5-21
  Blocked Sources .... 5-24
    Blocked Sources - Introduction .... 5-24
  Reports .... 5-26
    Reports - Introduction .... 5-26
    Alert Analysis Reports .... 5-30
    Top 20/100 Reports .... 5-31
    Profile Reports .... 5-32
    Assessment Reports .... 5-33
  System Log .... 5-35
    System Log - Introduction .... 5-35
  Notifications .... 5-37
    Notifications - Introduction .... 5-37

Chapter 6 - Web Profiles .... 6-1
  Dynamic Profiling .... 6-2
    Dynamic Profiling - Introduction .... 6-2
    Web Server Group Profiles .... 6-2
    URLs Profile .... 6-3
    URL Patterns .... 6-32
    Cookie Profiles .... 6-38

Chapter 7 - Configuring Signatures .... 7-1
  Application Defense Center Window .... 7-2
    Configuring Signatures - Introduction .... 7-2
    Dictionary Types .... 7-4
    Viewing Dictionaries .... 7-5


    Viewing Signatures Window .... 7-6
    Updating the Signatures Database .... 7-13
    Creating Dictionaries .... 7-17
    Viewing and Modifying Signatures in a Dictionary .... 7-24
    Viewing and Modifying a Dictionary's Filters .... 7-28
    Deleting Dictionaries .... 7-29

Appendix A - Defining IP Groups .... A-1
  Configuring IP Groups .... A-1

Appendix B - Action Interfaces .... B-1
  Action Interfaces .... B-1

Appendix C - Back-end SSL Encryption .... C-1
  Configuring Back-end SSL Encryption .... C-1
  Uploading Keys .... C-3

Appendix D - AppXcel WAF CLI Commands .... D-1

Appendix E - Database Overflow Protection .... E-1
  The Overflow Mechanism .... E-1

Appendix F - HTTP Methods .... F-1
  Standard Methods .... F-1
  WebDAV Methods .... F-3
  Microsoft IIS WebDAV Extensions .... F-4

Appendix G - HTTP Response Codes .... G-1

Appendix H - Parameter Value Types .... H-1
  Main Types .... H-1
  Extended Value Types .... H-2

Appendix I - Writing Signatures .... I-1
  Single Part Signatures .... I-1
  Multi Part Signatures .... I-2
  Adding Absolute Modifiers .... I-2
  Regular Expression Parts .... I-3


  Regular Expression Syntax .... I-4


Table of Figures

Figure 2-1 AppXcel WAF Device Upgrades .... 2-3
Figure 2-2 APSolute Insite WAF Launch Window .... 2-4
Figure 2-3 Web Application Firewall Protection System Flow .... 2-5
Figure 2-4 Web Application Firewall Interface Window .... 2-8
Figure 2-5 Tree Menu .... 2-9
Figure 2-6 On-Line Help Window .... 2-10
Figure 2-7 Server Groups Overview Window .... 2-12
Figure 2-8 Default Group Server Definitions Window .... 2-13
Figure 2-9 Add IP to Default Server Group Window .... 2-13
Figure 2-10 Creating a New Server Group .... 2-14
Figure 2-11 Web Server Group Icon .... 2-15
Figure 2-12 New Web Server Group Window .... 2-16
Figure 2-13 New Web Server Group: Add IP .... 2-18
Figure 2-14 Firewall Rules Window .... 2-20
Figure 2-15 Add Firewall Rule Window .... 2-21
Figure 2-16 Edit Firewall Rule Window .... 2-22
Figure 2-17 Service to Port Mapping Window .... 2-23
Figure 2-18 Add Service Window .... 2-24
Figure 2-19 Error Page Window .... 2-26
Figure 2-20 Session Tracking Window .... 2-28
Figure 3-1 Restrict Learning and Protection .... 3-6
Figure 3-2 Ignored URLs / Directories Dialog .... 3-7

AppXcel Web Application Firewall User Guide 1


Figure 3-3 Static File Extensions Window .... 3-8
Figure 3-4 Automatic Profiles Updates Window .... 3-12
Figure 4-1 Action Policy .... 4-6
Figure 4-2 Firewall Rules Window .... 4-8
Figure 4-3 Copy Action Policy From Window .... 4-9
Figure 4-4 Restore Defaults Window .... 4-9
Figure 4-5 Firewall Actions Window .... 4-10
Figure 4-6 Signature Rules Window .... 4-12
Figure 4-7 Protocol Violation Rules Window .... 4-14
Figure 4-8 Web Worm Defender Rules Window .... 4-19
Figure 4-9 Worm Protected Directories .... 4-21
Figure 4-10 Profile Violation Rules Window .... 4-22
Figure 4-11 Custom Policy Rules .... 4-28
Figure 4-12 Correlation Rules Window .... 4-33
Figure 4-13 Non-Blockable IP Addresses .... 4-36
Figure 5-1 Alerts Window .... 5-4
Figure 5-2 Knowledge Base Window .... 5-9
Figure 5-3 Link to Monitored Events Window .... 5-10
Figure 5-4 Monitored Events Window .... 5-11
Figure 5-5 Advanced Sort Window Box .... 5-14
Figure 5-6 Filter Window .... 5-15
Figure 5-7 Gateways Window .... 5-21
Figure 5-8 Currently Blocked Sources Window .... 5-25
Figure 5-9 Reports Window .... 5-27
Figure 5-10 Top 20 Attacking IPs Report Window .... 5-29
Figure 5-11 System Log .... 5-35
Figure 5-12 Notifications .... 5-38


Figure 6-1 URLs Window (Tree View) .... 6-5
Figure 6-2 Learned URLs Window (List View) .... 6-8
Figure 6-3 Filter URLs Window Box .... 6-10
Figure 6-4 Advanced Sort Window Box .... 6-12
Figure 6-5 Add URL Window Box .... 6-13
Figure 6-6 Edit Methods Window .... 6-14
Figure 6-7 Delete URL Confirmation Window .... 6-15
Figure 6-8 Add Prefix Window .... 6-18
Figure 6-9 Configure Value Type Window .... 6-19
Figure 6-10 Delete URL Prefix Confirmation Window .... 6-20
Figure 6-11 URL Parameters Table .... 6-21
Figure 6-12 Add Parameter Window .... 6-22
Figure 6-13 Delete Parameter Confirmation Window .... 6-23
Figure 6-14 Copy Parameters .... 6-24
Figure 6-15 Save As Pattern Window .... 6-25
Figure 6-16 Host Mapping Window .... 6-27
Figure 6-17 Add Host Window .... 6-28
Figure 6-18 Edit Host Groups Window .... 6-29
Figure 6-19 SOAP URL - Tree View .... 6-30
Figure 6-20 SOAP URL - List View .... 6-32
Figure 6-21 URL Patterns Window .... 6-34
Figure 6-22 Add Pattern Window .... 6-35
Figure 6-23 Edit URL Pattern Window .... 6-36
Figure 6-24 Add Parameter Window .... 6-37
Figure 6-25 Delete Parameter Confirmation Window .... 6-38
Figure 6-26 Cookies Window .... 6-40
Figure 7-1 ADC Preferences Window .... 7-3


Figure 7-2 Dictionaries List .... 7-4
Figure 7-3 Manual Dictionary Window .... 7-5
Figure 7-4 View All Signatures Window .... 7-6
Figure 7-5 Filter Signatures Window .... 7-8
Figure 7-6 Signature Info Window .... 7-9
Figure 7-7 Attack Info Tab .... 7-10
Figure 7-8 Affected Systems Window .... 7-11
Figure 7-9 References Window .... 7-11
Figure 7-10 Accuracy Window .... 7-12
Figure 7-11 Scheduler Window .... 7-14
Figure 7-12 Edit Task Window .... 7-15
Figure 7-13 Upload AppXcel WAF Signatures File Window .... 7-16
Figure 7-14 Create a Dictionary Window .... 7-18
Figure 7-15 Create Manual Dictionary .... 7-18
Figure 7-16 Create Filter Dictionary - Step 1 .... 7-19
Figure 7-17 Create Filter Dictionary - Step 2 Window .... 7-20
Figure 7-18 Create Filter Dictionary - Step 3 Window .... 7-22
Figure 7-19 Create "Dictionary Name" Step 4 Filter Parameters Window .... 7-23
Figure 7-20 Add New Signature .... 7-25
Figure 7-21 Edit Signature: General Window .... 7-27
Figure A-1 Create New IP Group Window .... A-2
Figure A-2 Define IP Addresses Window .... A-3
Figure B-1 Add Action Interface Window .... B-2
Figure B-2 New Syslog Action Interfaces Window .... B-3
Figure B-3 New SNMP Trap Action Interface Window .... B-5
Figure B-4 New Email Action Interface Window .... B-6
Figure E-1 Database Overflow Protection Window .... E-2


Important Notice

This guide is delivered subject to the following conditions and restrictions: Copyright Radware Ltd. 2007-8. All rights reserved. The copyright and all other intellectual property rights and trade secrets included in this guide are owned by Radware Ltd. The guide is provided to Radware customers for the sole purpose of obtaining information with respect to the installation and use of the AppXcel™ Web Application Firewall, known from here on as AppXcel™ WAF, and may not be used for any other purpose. The information contained in this guide is proprietary to Radware and must be kept in strict confidence. It is strictly forbidden to copy, duplicate, reproduce or disclose this guide or any part thereof without the prior written consent of Radware. Refer to the Specifications for information about the correct power rating for the device.

SPECIFICATION CHANGES

Specifications are subject to change without notice.

TRADEMARKS

AppXcel™ WAF is a trade name of Radware Ltd. This document contains trademarks registered by their respective companies. The following notice refers to content provided by Imperva®, Inc. and incorporated in this guide:

AppXcel User Guide 1-I


This document contains proprietary and confidential material of Imperva®, Inc. Any unauthorized reproduction, use, distribution or disclosure of this material, or any part thereof, is strictly prohibited. This document is solely for the use of Radware customers. The material furnished in this document is believed to be accurate and reliable. However, no responsibility is assumed by Radware Ltd. or Imperva® Inc. for the use or inaccuracy of this material. Nothing in this material shall be construed as a warranty with respect to any products or services offered by Radware Ltd. or Imperva®, Inc. All information in this document is provided as-is, and without warranty of any kind (whether expressed or implied). Radware Ltd. reserves the right to make changes to the material at any time and without notice.

© Copyright Imperva®, Inc. 2006 – Confidential and Proprietary. Imperva® and SecureSphere® are registered trademarks; dynamic profiling, transparent inspection, and application defense center are trademarks of Imperva®, Inc.


About This Guide

• Chapter 1, Web Application Firewall Overview, explains how AppXcel™ WAF adds protection from attacks on Web applications to Radware's Application Front End (AFE). The solution is part of an AFE deployment.

• Chapter 2, Getting Started, explains how to access the AppXcel™ WAF user interface and perform the initial configuration. AppXcel™ WAF implements a Web-based user interface that gives security administrators convenient and easy access to the software functions.

• Chapter 3, Setting the Operation Mode, describes how to set the operation mode for the server groups.

• Chapter 4, Configuring Actions, describes how to configure AppXcel™ WAF to invoke actions upon security events.

• Chapter 5, Monitoring, describes how to monitor alerts, logs and Gateways in the AppXcel™ WAF Activity Console.

• Chapter 6, Web Profiles, describes how to configure Dynamic Profiling for AppXcel™ WAF.

• Chapter 7, Configuring Signatures, describes the Application Defense Center, and how to configure signatures and dictionaries.

• Appendix A, Defining IP Groups, describes how to define IP Groups, which are used in various places in the AppXcel™ WAF GUI. Use this feature to define IP groups throughout the AFI, as often as required. Each IP group contains a collection of single IP addresses, IP ranges or IP subnets.

• Appendix B, Action Interfaces, describes the configuration of action interfaces. AppXcel™ WAF uses various devices in its operation. Some settings in AppXcel™ WAF refer to these devices, which therefore must be defined in advance.

• Appendix C, Back-end SSL Encryption, describes how to configure Back-end SSL Encryption, by first configuring AppXcel™ Tunnel and then AppXcel™ WAF.

• Appendix D, AppXcel WAF CLI Commands, lists the CLI commands needed to launch AppXcel™ WAF management and update the Signatures Database.

• Appendix E, Database Overflow Protection, explains how to configure the AppXcel™ WAF database overflow protection.

• Appendix F, HTTP Methods, describes the different HTTP methods used by Web servers.


• Appendix G, HTTP Response Codes, lists the various HTTP response codes returned by Web servers.

• Appendix H, Parameter Value Types, describes the different parameter value types, which define the group of characters allowed in the value of a parameter.

• Appendix I, Writing Signatures, describes the AppXcel™ WAF signature language.


Document Conventions

This guide uses the following documentation conventions:

• Command paths in the GUI are presented as: File > Save As.

• Windows systems use a two-button mouse. To drag and drop an object, click and hold the left mouse button on the object, drag the object to the target location, then release the button.

• Screen displays can differ slightly from those included in this guide, depending on the system you use. For example, Microsoft Windows screens are different from X-Windows screens.

• Various icons are used throughout the document to indicate the following:

Note: Important information that requires additional attention.

Tip: A recommendation, or an optimum way to perform an action.

Configuration Guidelines: General description of the configuration process.

To Statement: Detailed operating instructions that explain the step-by-step configuration process.

Example: An example configuration of an actual scenario.


Chapter 1 - Web Application Firewall Overview

This chapter describes how AppXcel™ WAF provides comprehensive protection against attacks on Web applications. This chapter includes the following sections:

• Protection Layers, page 1-2
• The Blocking Process, page 1-10
• AppXcel WAF Management, page 1-13


Section 1-1 Protection Layers

AppXcel WAF includes several protection layers that together provide comprehensive protection against attacks. This section contains the following topics:

• Web Application on AppXcel, page 1-2
• Signature-Based Intrusion Prevention, page 1-4
• Web Protocol Violations and Web Worms, page 1-6
• Profile Violations, page 1-7

Web Application on AppXcel

AppXcel™ Web Application Firewall (WAF) provides the best protection in the market for Web applications and Web servers. The WAF comes as an add-on service to Radware’s Application Front End (AFE) solution and is integrated into AppXcel. Radware’s open service architecture provides a set of add-ons that suit the customer’s needs for scalability, security and acceleration while accommodating any performance or capacity requirements. This is achieved by having a separate platform for AppXcel with add-on services and the possibility to scale the number of AppXcels in a single AFE solution. Integrated into AppXcel, the WAF add-on serves as a scalable, comprehensive solution to protect the customer’s Web servers and Web applications by scanning all HTTP/S traffic going to and from them.

The AppXcel integrated WAF is based on Imperva®’s award-winning SecureSphere Web Application Firewall, licensed to Radware under an OEM agreement. Its Dynamic Profiling technology builds a model of legitimate application behavior by automatically learning from users’ normal traffic at the customer site. As the customer’s Web applications change over time, it automatically updates its profiles. This keeps AppXcel WAF’s application protection up to date and accurate without manual analysis of applications and with no changes to the data centre infrastructure. This ability makes it more accurate and easier to deploy and maintain than other solutions.


Platforms

In order to enjoy the benefits of the Web Application Firewall add-on, you should order AppXcel™ with a Web Application Firewall add-on, or upgrade your existing AppXcel by installing version 1.11.03 and adding a license for WAF. WAF can run only on platform XS2v2 (i.e. only AppXcel 4000 or 8000), with a minimum of 3 GB RAM. If your platform has less memory, order a memory extension for WAF from Radware.

Deployment
Being an Application Front End, Radware's solution enables customers to virtualize their applications: they can deliver their applications' logic to users while ensuring service availability, scaling up performance and providing strong security by filtering traffic and hiding the application servers. In AFE, AppXcel operates as a Reverse Proxy and is used to accelerate and protect the applications behind it. A Reverse Proxy is the Web equivalent of a front end: it terminates HTTP connections from users and initiates new ones to the back-end servers.

The WAF is an AFE service and as such is designed to provide security only while running in AppXcel's Proxy mode. The WAF functionality is not supported in AppXcel's other modes of deployment, e.g. Bridge mode (in-line deployment), Passive (out-of-path deployment) and Sniffing.

Traffic Processing Flow
All traffic destined to a Tunnel's IP address is first handled by the AppXcel Tunnel, which is the Application Acceleration entity, and then processed by the WAF add-on before being sent to the back-end server. Responses from the back-end server are handled first by the WAF and then by the Tunnel before being sent to the client.

All of AppXcel's Application Acceleration features are supported. They are performed on the traffic going to and from the client. In particular, SSL traffic from the client is decrypted by AppXcel before it is inspected by the WAF, so the WAF inspects cleartext HTTP.

Signature-Based Intrusion PreventionAppXcel WAF provides full Snort™-based signature detection to protect applications from worms (and other attacks) that target known vulnerabilities in commercial infrastructure software (Apache, IIS etc.). The Snort database is enhanced by Imperva's Application Defense Center (ADC) with new signatures and content such as affected systems, risk, accuracy, frequency, and background information. Using this content and AppXcel WAF's ADC wizards, users can quickly isolate the most reliable signature dictionaries for their specific environment. Signatures are continuously and automatically updated via the Internet.

The AppXcel WAF signature updates are hosted on the Radware Web site and are updated on a daily basis. The administrator can use the console to update signatures, and can also use APSolute Insite to configure automatic daily updates of AppXcel WAF with the latest signatures from Radware's Web site or from the console. You can also perform this process manually by downloading the latest signature database from the Radware Web site and then uploading it to the AppXcel WAF.

To make the signature database easy to use, AppXcel WAF includes the concept of Signature Dictionaries. A dictionary is a collection of signatures generated by applying a filter to the AppXcel WAF signature database. For example, you can easily define a filter of all high-risk, highly accurate IIS 6 signatures: you follow a simple wizard and select high risk, high accuracy and IIS 6, and AppXcel WAF instantly and automatically generates the dictionary for you. You can define as many dictionaries as you like. When a new signature is added to the AppXcel WAF signature database, it is automatically added to all relevant dictionaries. For example, if a new signature for a high-risk attack on IIS 6 is added and the signature's accuracy attribute is set to high, the signature is automatically added to the dictionary described above.

AppXcel WAF comes with a predefined set of dictionaries. These give most customers a quick start on the product without having to define dictionaries of their own.

You can select whether or not to use each dictionary with each of the protected server groups. For example, you can choose to use a specific dictionary only with specific server groups. When a dictionary is selected for a server group, AppXcel WAF detects the signatures in that dictionary if they appear in communication to the protected server group.
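The dictionary mechanism described above is easiest to understand as a saved filter rather than a stored list: membership is recomputed from signature attributes, so a signature that arrives with a daily update belongs to every dictionary whose filter it matches without anyone editing the dictionary. The following Python is an added illustration written for this guide, not Radware or Imperva code; the Signature fields, the sample signature ids, names and patterns, and the server-group selection model are all constructed for the example.

```python
"""Signature dictionaries as saved attribute filters (added example, not product code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    """One signature with the ADC-style attributes the text mentions.

    The field names and all sample values are constructed for this example.
    """
    sid: int
    name: str
    platform: str   # e.g. "IIS 6", "Apache 2"
    risk: str       # "low", "medium" or "high"
    accuracy: str   # "low", "medium" or "high"
    pattern: str    # substring the engine looks for in the request


@dataclass(frozen=True)
class Dictionary:
    """A dictionary is a filter over the database, not a fixed list.

    An empty attribute set means "any value", so membership is computed
    on demand and a new signature joins every dictionary it matches.
    """
    name: str
    platforms: frozenset = frozenset()
    risks: frozenset = frozenset()
    accuracies: frozenset = frozenset()

    def matches(self, sig: Signature) -> bool:
        return ((not self.platforms or sig.platform in self.platforms)
                and (not self.risks or sig.risk in self.risks)
                and (not self.accuracies or sig.accuracy in self.accuracies))


class SignatureDatabase:
    def __init__(self):
        self.signatures = {}     # sid -> Signature
        self.dictionaries = {}   # name -> Dictionary

    def add_signature(self, sig):
        """A signature update adds here; no dictionary needs editing."""
        self.signatures[sig.sid] = sig

    def add_dictionary(self, dictionary):
        self.dictionaries[dictionary.name] = dictionary

    def members(self, dict_name):
        """Signatures currently in the dictionary, sorted by id."""
        d = self.dictionaries[dict_name]
        return sorted((s for s in self.signatures.values() if d.matches(s)),
                      key=lambda s: s.sid)


class ServerGroup:
    """Each server group selects which dictionaries apply to its traffic."""

    def __init__(self, name, db, dict_names):
        self.name = name
        self.db = db
        self.dict_names = list(dict_names)

    def scan(self, request_line):
        """Ids of selected-dictionary signatures whose pattern occurs in the request."""
        hits = set()
        for dict_name in self.dict_names:
            for sig in self.db.members(dict_name):
                if sig.pattern in request_line:
                    hits.add(sig.sid)
        return sorted(hits)


def build_demo_database():
    """Constructed sample data: ids, names and patterns are invented."""
    db = SignatureDatabase()
    db.add_signature(Signature(1001, "IIS 6 WebDAV probe", "IIS 6", "high", "high", "PROPFIND /"))
    db.add_signature(Signature(1002, "IIS 6 scanner fingerprint", "IIS 6", "low", "medium", "Nikto"))
    db.add_signature(Signature(1003, "Apache traversal", "Apache 2", "high", "high", "/../../"))
    # The filter from the text: high risk, high accuracy, IIS 6.
    db.add_dictionary(Dictionary("iis6-high-risk-high-accuracy",
                                 platforms=frozenset({"IIS 6"}),
                                 risks=frozenset({"high"}),
                                 accuracies=frozenset({"high"})))
    return db


if __name__ == "__main__":
    db = build_demo_database()
    group = ServerGroup("iis-farm", db, ["iis6-high-risk-high-accuracy"])
    print([s.sid for s in db.members("iis6-high-risk-high-accuracy")])   # [1001]
    # A daily update adds a matching signature; it is in the dictionary at once.
    db.add_signature(Signature(1004, "IIS 6 ISAPI overflow", "IIS 6", "high", "high", "/_vti_bin/"))
    print([s.sid for s in db.members("iis6-high-risk-high-accuracy")])   # [1001, 1004]
    print(group.scan("GET /_vti_bin/shtml.dll HTTP/1.1"))                 # [1004]
```

Note that the Apache signature is never applied to the IIS server group, even though it is high risk and high accuracy: a dictionary only takes effect on the server groups that select it, which is what keeps a signature set relevant to the platform it protects.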

Web Protocol Violations and Web Worms

Web Protocol Violations
AppXcel WAF protocol compliance checks ensure that HTTP traffic meets RFC and expected-usage requirements. By ensuring that the HTTP protocol meets these guidelines, protocol compliance prevents attacks on both known and unknown vulnerabilities in commercial Web server implementations. AppXcel WAF includes the conclusions of comprehensive research that collected a group of protocol violations that usually indicate attack attempts. You can enable or disable each of these violations for each group of protected Web servers.
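The guide does not publish the product's list of protocol violations, so the following Python is an added example of what a compliance layer of this kind checks, written for this guide rather than taken from the product. The rules (request-line shape, method token, HTTP/1.1 Host requirement, header syntax, control characters, duplicate or conflicting Content-Length and Transfer-Encoding) are illustrative RFC 2616/7230 checks chosen for the example, and the sample requests are constructed, not captured traffic.

```python
"""HTTP protocol compliance checks over a raw request (added example, not product code).

The checks below are illustrative RFC 2616/7230 rules chosen for this example;
the guide does not publish the product's own list of protocol violations.
"""
import re

METHOD_TOKEN = re.compile(r"^[A-Z]{3,20}$")
HEADER_NAME = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
CTL_CHARS = re.compile(r"[\x01-\x08\x0a-\x1f\x7f]")   # NUL is reported separately


def check_request(raw: bytes) -> list:
    """Return the list of protocol violations found in one HTTP request.

    An empty list means the request is protocol-compliant under these rules.
    """
    violations = []
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        violations.append("request head not terminated by CRLF CRLF")
    try:
        text = head.decode("ascii")
    except UnicodeDecodeError:
        return violations + ["non-ASCII bytes in request head"]
    if "\x00" in text:
        violations.append("NUL byte in request head")
    lines = text.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return violations + ["malformed request line"]
    method, target, version = parts
    if not METHOD_TOKEN.match(method):
        violations.append("invalid method token %r" % method)
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        violations.append("unsupported HTTP version %r" % version)
    if not (target.startswith("/") or target.startswith(("http://", "https://")) or target == "*"):
        violations.append("request-target is neither origin-form nor absolute-form")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not HEADER_NAME.match(name):
            violations.append("malformed header line %r" % line)
            continue
        if CTL_CHARS.search(value):
            violations.append("control characters in header %s" % name)
        headers.setdefault(name.lower(), []).append(value.strip())
    if version == "HTTP/1.1" and "host" not in headers:
        violations.append("HTTP/1.1 request without Host header")
    lengths = headers.get("content-length", [])
    if len(lengths) > 1:
        violations.append("duplicate Content-Length header")
    if lengths and not lengths[0].isdigit():
        violations.append("non-numeric Content-Length")
    if lengths and "transfer-encoding" in headers:
        violations.append("both Content-Length and Transfer-Encoding present")
    return violations


# Constructed sample requests for the demo; not captured traffic.
CLEAN = (b"GET /index.html HTTP/1.1\r\n"
         b"Host: www.example.com\r\n"
         b"User-Agent: demo\r\n\r\n")
SMUGGLING_SHAPED = (b"POST /cgi-bin/form HTTP/1.1\r\n"
                    b"Content-Length: 5\r\n"
                    b"Content-Length: 11\r\n"
                    b"Transfer-Encoding: chunked\r\n\r\n"
                    b"0\r\n\r\n")

if __name__ == "__main__":
    print(check_request(CLEAN))              # []
    print(check_request(SMUGGLING_SHAPED))   # three violations, see below
```

The second sample shows why a compliance layer matters even when no signature fires: conflicting length headers are the raw material of request smuggling and desynchronization between a proxy and the server behind it, and a request that is dropped for being malformed never reaches the server that would have had to guess which header to believe.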

Web Worms
This type of protection is only provided for Web servers.

A Web worm exploits a Web server vulnerability to spread to a large number of Web servers in a short period of time. Some Web worms exploit well-known vulnerabilities. These worms can be easily stopped by the signatures layer, because a signature for that attack probably already exists. The real problem is worms that exploit unknown vulnerabilities, i.e. vulnerabilities that were not published before the worm outbreak, so that no signature exists at the time of the outbreak. The AppXcel WAF Web Worms protection layer was implemented for this type of worm.

The Web Worms mechanism relies on AppXcel WAF's ability to build a profile of allowed URLs on each Web server. The assumption is that Web worms spread by sending a single URL, so the worm must be identifiable by that single URL alone. For the worm to spread massively, the vulnerability it uses must exist on a large number of Web servers, for example on all IIS 6 servers, so the worm must request a URL that exists on many Web servers. Only default URLs (URLs that exist by default when you install a Web server or a common application on a Web server) meet that criterion.

Using its learning and profiling capabilities, AppXcel WAF automatically learns the names of all default files that are actually accessed by users on the protected Web server. A preconfigured list of directories (e.g. /, /scripts/, /cgi-bin/) tells AppXcel WAF where default files are usually located. Once the profile is ready, AppXcel WAF blocks any attempt to access a non-profiled URL in a default directory. For example, if a new worm exploits an unknown vulnerability by sending a request for /scripts/page.aspx and this URL is not part of the learned profile, AppXcel WAF blocks the request, and with it the worm.

The rate of false positives (i.e. blocking legitimate URLs that are part of the application) is very low because this feature only works on default directories. Default directories are rarely used by Web applications to store files, so AppXcel WAF quickly learns all the files that are really used in default directories.

Profile Violations
AppXcel WAF's Web profiles represent a comprehensive model of all "allowed" interactions between users and Web applications. The Web Profile includes legitimate URLs, HTTP methods, parameters, cookies, SOAP actions, XML structures and more. The profiles are built automatically through a learning process and adapt to changes in the application environment over time by observing live traffic and applying AppXcel WAF's Persistent Learning technologies. The profiles therefore require no manual configuration or tuning.

The Web profiles are the key to blocking sophisticated attack methodologies that target unknown vulnerabilities in custom or internally developed application code. By comparing these profiles of "allowed behavior" to actual traffic, AppXcel WAF is able to identify and block potentially malicious behavior of any kind. The following sections explain exactly what AppXcel WAF learns and which profile violations it generates for Web applications.

Web Violations
Table 1-1 details the different characteristics included within a Web profile, and the violations AppXcel WAF detects in real time based on each characteristic.

Table 1-1 Web Violations

Profile includes / Violation detected

All the URLs used by the application
    Attempts to access an unprofiled URL in a locked directory.

Access methods for each URL (GET, POST)
    Attempts to access a URL using an unauthorized method.

URL parameter names
    Attempts to manually add or remove parameters.

The minimum and maximum size of each URL parameter
    Attempts to change the size or content of parameters.

The type (e.g. numbers only, Latin characters, foreign-language characters) allowed in the value that each parameter accepts
    Attempts to exploit type-mismatch vulnerabilities.

Hidden fields, embedded links and fields whose value was set by the Web application
    Attempts to manually alter parameter values.

Cookies sent to the client by the Web application
    Any unauthorized attempt to change the values inside cookies.

HTTP response codes
    An attacker who, as a result of abnormal activity, receives too many abnormal response codes, such as HTTP 500 Internal Server Error.
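The Web Worms rule above (block an unprofiled URL only when it falls in a default directory) and the first five rows of Table 1-1 (URLs, methods, parameter names, parameter sizes, parameter types) are two views of the same learned profile. The following Python is an added example written for this guide, not Radware or Imperva code, that learns such a profile from constructed legitimate requests and then reports the violations that attack requests raise. The locked-directory list, the three character classes and all sample URLs are assumptions of the example; cookies, hidden fields, response codes and XML are left out.

```python
"""Dynamic profiling of URLs, methods and parameters with violation checks.
Added example (not product code) serving the Web Worms section and Table 1-1.
The locked directories, character classes and sample traffic are constructed;
cookies, hidden fields and XML are left out."""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlsplit

LOCKED_DIRS = ("/", "/scripts/", "/cgi-bin/")   # where default files live

# Most to least restrictive; a value gets the first class it fits.
CHAR_CLASSES = (("digits", re.compile(r"^[0-9]*$")),
                ("latin", re.compile(r"^[A-Za-z0-9 ._@-]*$")),
                ("any", re.compile(r".*", re.S)))
CLASS_RANK = {name: rank for rank, (name, _) in enumerate(CHAR_CLASSES)}


def classify(value):
    return next(name for name, rx in CHAR_CLASSES if rx.match(value))


@dataclass
class ParamProfile:
    min_len: int
    max_len: int
    char_class: str


@dataclass
class UrlProfile:
    methods: set = field(default_factory=set)
    params: dict = field(default_factory=dict)   # name -> ParamProfile


class WebProfile:
    def __init__(self):
        self.urls = {}   # path -> UrlProfile

    def learn(self, method, url):
        """Learning phase: widen the profile to cover one legitimate request."""
        parts = urlsplit(url)
        prof = self.urls.setdefault(parts.path, UrlProfile())
        prof.methods.add(method)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            cls, p = classify(value), prof.params.get(name)
            if p is None:
                prof.params[name] = ParamProfile(len(value), len(value), cls)
                continue
            p.min_len, p.max_len = min(p.min_len, len(value)), max(p.max_len, len(value))
            if CLASS_RANK[cls] > CLASS_RANK[p.char_class]:
                p.char_class = cls   # widen, never narrow

    def check(self, method, url):
        """Protection phase: return the violations one request raises."""
        parts = urlsplit(url)
        prof = self.urls.get(parts.path)
        if prof is None:
            # Web Worms rule: unknown URLs are blocked only inside default directories.
            if parts.path.rsplit("/", 1)[0] + "/" in LOCKED_DIRS:
                return ["unprofiled URL in locked directory: " + parts.path]
            return []   # elsewhere an unknown URL is a learning candidate, not an attack
        violations = []
        if method not in prof.methods:
            violations.append("method %s not profiled for %s" % (method, parts.path))
        given = parse_qsl(parts.query, keep_blank_values=True)
        names = {name for name, _ in given}
        violations += ["unknown parameter added: " + n for n in sorted(names - set(prof.params))]
        violations += ["profiled parameter removed: " + n for n in sorted(set(prof.params) - names)]
        for name, value in given:
            p = prof.params.get(name)
            if p is None:
                continue
            if not p.min_len <= len(value) <= p.max_len:
                violations.append("parameter %s length %d outside [%d, %d]"
                                  % (name, len(value), p.min_len, p.max_len))
            if CLASS_RANK[classify(value)] > CLASS_RANK[p.char_class]:
                violations.append("parameter %s type mismatch: expected %s"
                                  % (name, p.char_class))
        return violations


def build_demo_profile():
    """Learn from constructed legitimate traffic to one application."""
    profile = WebProfile()
    for method, url in (("GET", "/app/login.aspx?user=alice&id=1001"),
                        ("GET", "/app/login.aspx?user=bob.smith&id=27"),
                        ("GET", "/scripts/status.asp"),
                        ("POST", "/app/order.aspx?item=4711&qty=2")):
        profile.learn(method, url)
    return profile
```

With this profile, a request for /scripts/page.aspx is refused because /scripts/ is a default directory and the file was never learned, while a request for an unlearned /app/help.html is not a violation. An injection attempt in the numeric id parameter is caught twice, once on length and once on character class, which is the type-mismatch row of the table in action, and a POST to a URL that was only ever fetched with GET is caught by the method row.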

XML and Web Services Violations
Table 1-2 details the different characteristics included within a Web profile, and the XML violations AppXcel WAF detects.

Table 1-2 XML and Web Services Violations

Profile includes / Violation detected

All the URLs used by Web services, or URLs containing XML content
    Attempts to access an unprofiled URL in a locked directory.

Whether a URL is accessed as SOAP-only or as both SOAP and a regular URL
    Attempts to exploit SOAP-enabled URLs with various vulnerabilities.

All SOAP actions in a URL
    Attempts to access the URL using an unauthorized method or SOAP action.

XML elements and attributes
    Attempts to manually add or remove elements and attributes.

The minimum and maximum size of each XML element/attribute value
    Attempts to manually change the size or content of values.

The type (e.g. numbers only, Latin characters, foreign-language characters) allowed in the value of each XML element/attribute
    Attempts to exploit type-mismatch vulnerabilities.

Section 1-2 The Blocking Process
AppXcel WAF implements Source Blocking and Immediate Blocking, with the option to block either the IP address or the application session. This section contains the following topics:
• Source Blocking versus Immediate Blocking, page 1-10
• IP Blocking versus Application Session Blocking, page 1-11
• The Process of Blocking Traffic, page 1-11

Source Blocking versus Immediate Blocking
AppXcel WAF implements two types of blocking scenarios.

The first, source blocking, blocks the attacking source for a specified period of time. In this scenario the security event triggers a blocking action; from that moment, any communication coming from that source is blocked for the specified period. Note that with source blocking, the request or packet that triggered the block still reaches the attacked server; only the communication from that source that follows is blocked.

The second scenario, immediate blocking, blocks the specific connection that triggered the security event. In this scenario, when the security event occurs, AppXcel WAF drops the packet that triggered it. Note that with this scenario the attacker can continue communicating with the protected server by establishing a new connection.

The two scenarios can be used in parallel, i.e. immediately dropping the connection and also blocking the source for a specified period of time.

IP Blocking versus Application Session Blocking

When selecting to block a source for a certain period of time, you can choose between blocking the source IP address and blocking the application session identifier. Blocking the source IP address may be a problem when the attacked server is a Web server. Many users, especially attackers, use publicly available proxies to access Web applications. In such cases, all users who access through a particular proxy have the same IP address, the proxy's IP address, and blocking that IP address blocks all the users who access through that proxy. This is the reason that, for protected Web servers, AppXcel WAF implements an Application Session Tracking mechanism. AppXcel WAF can track user activity by tracking the session identifier that the Web application attaches to user sessions. Web applications automatically create session identifiers for each browser that accesses the application. Session identifiers are stored either within session cookies or in HTTP parameters. Configuring AppXcel WAF to identify the parameters and/or cookies that hold session identifiers enables AppXcel WAF to accurately track user activity over time. Session tracking provides accurate alerts for specific malicious users, enabling you to block specific users, and not IP addresses, from accessing the Web application. Note that a session block is only as strong as the identifier it is keyed on: an attacker who discards the cookie and obtains a fresh session identifier is no longer matched by that entry, which is why the two keys can be used together.

The Process of Blocking Traffic
When blocking, AppXcel WAF consults the relevant action policy. If the policy includes source blocking, AppXcel WAF adds the IP address and/or the Application Session Identifier of the malicious source to the Blocked IPs and Sessions list.

Traffic first enters the Blocked IPs and Sessions engine. This engine checks the source of the communication against a dynamic list of IP addresses and Session Identifiers that are blocked at that specific time. If the source matches an entry on that list, the communication is blocked.

Web traffic that passes the Blocked IPs and Sessions engine enters the Signature engine. This engine looks for signatures in the traffic according to the dictionaries selected for the server group. If a match is found and immediate connection blocking is enabled, the gateway drops the packet that triggered the signature. AppXcel WAF also consults the relevant action policy; if the policy includes source blocking, AppXcel WAF adds the IP address and/or the Application Session Identifier of the malicious source to the Blocked IPs and Sessions list.

Web traffic is examined next by the Web Worms Defender engine. If a suspected worm is found and immediate connection blocking is enabled, the gateway drops the packet that triggered the worm detection. AppXcel WAF also consults the relevant action policy; if the policy includes source blocking, AppXcel WAF adds the malicious source to the Blocked IPs and Sessions list.

Web traffic is next examined by the Protocol Violations layer. If a violation is found and immediate connection blocking is enabled, the gateway drops the packet that triggered the violation. AppXcel WAF also consults the relevant action policy; if the policy includes source blocking, AppXcel WAF adds the malicious source to the Blocked IPs and Sessions list.

Web traffic is next examined by the Profile Violations engine. If a violation is found and immediate connection blocking is enabled, the gateway drops the packet that triggered the violation. AppXcel WAF also consults the relevant action policy; if the policy includes source blocking, AppXcel WAF adds the malicious source to the Blocked IPs and Sessions list.

Web traffic is last examined by the Correlated Attack Validation engine. When a correlation is found, AppXcel WAF consults the relevant action policy. If the policy includes source blocking, AppXcel WAF adds the IP address and/or the Application Session Identifier of the malicious source to the Blocked IPs and Sessions list.
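The three sections of this blocking discussion fit together in a small state machine: a blocked-source list keyed by IP or by session identifier that every request is checked against first, detection engines that raise an event, and an action policy that decides whether the triggering request is dropped (immediate blocking), whether the source is added to the list (source blocking), and under which key. The following Python is an added example written for this guide, not Radware or Imperva code; the session cookie name, the policy fields, the request shape, the timestamps and all sample requests are constructed for the example, and the detection engines are stood in for by a verdict already attached to each request.

```python
"""Source blocking versus immediate blocking, keyed by IP or application session
(added example, not product code). Session cookie name, policy fields, times and
all sample requests are constructed for this example."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ActionPolicy:
    immediate_block: bool   # drop the request that raised the event
    block_source: bool      # add the source to the Blocked IPs and Sessions list
    by_session: bool        # key the entry on the application session id, not the IP
    duration: int           # seconds the source stays blocked


@dataclass
class Request:
    src_ip: str
    cookies: dict
    path: str
    violation: Optional[str] = None   # what the detection engines found, if anything


class BlockedList:
    """Dynamic list of (kind, value) -> expiry; kind is 'ip' or 'session'."""

    def __init__(self):
        self.entries = {}

    def add(self, key, now, duration):
        self.entries[key] = now + duration

    def is_blocked(self, key, now):
        expiry = self.entries.get(key)
        if expiry is None:
            return False
        if now >= expiry:
            del self.entries[key]      # expired entries fall off the list
            return False
        return True

    def unblock(self, key):
        """Manual unblock, as from the Blocked Sources monitor."""
        self.entries.pop(key, None)


class Gateway:
    def __init__(self, session_cookie, policies):
        self.session_cookie = session_cookie   # cookie configured as holding the session id
        self.policies = policies               # violation name -> ActionPolicy
        self.blocked = BlockedList()

    def source_keys(self, req):
        keys = [("ip", req.src_ip)]
        sid = req.cookies.get(self.session_cookie)
        if sid:
            keys.append(("session", sid))
        return keys

    def process(self, req, now):
        """Return 'blocked', 'dropped' or 'forwarded' for one request."""
        # Stage 1: the Blocked IPs and Sessions engine runs before any detection.
        for key in self.source_keys(req):
            if self.blocked.is_blocked(key, now):
                return "blocked"
        # Stage 2: the detection engines; their verdict is given in req.violation here.
        policy = self.policies.get(req.violation) if req.violation else None
        if policy is None:
            return "forwarded"
        if policy.block_source:
            sid = req.cookies.get(self.session_cookie)
            key = ("session", sid) if policy.by_session and sid else ("ip", req.src_ip)
            self.blocked.add(key, now, policy.duration)
        # Source blocking alone lets the triggering request reach the server;
        # only immediate blocking drops it.
        return "dropped" if policy.immediate_block else "forwarded"


if __name__ == "__main__":
    gw = Gateway("ASPSESSIONID", {
        "profile-violation": ActionPolicy(False, True, True, 300),   # source block by session
        "web-worm": ActionPolicy(True, True, False, 300),            # drop and block by IP
    })
    proxy, attacker, bystander = "203.0.113.9", {"ASPSESSIONID": "A1"}, {"ASPSESSIONID": "B2"}
    print(gw.process(Request(proxy, attacker, "/app/login.aspx", "profile-violation"), 0))   # forwarded
    print(gw.process(Request(proxy, attacker, "/app/home.aspx"), 1))                          # blocked
    print(gw.process(Request(proxy, bystander, "/app/home.aspx"), 1))                         # forwarded
```

The walk-through shows both points the text makes. With source blocking only, the request that raised the profile violation is forwarded and it is the attacker's next request that is refused; because the block is keyed on the session cookie, a second user behind the same proxy address is unaffected. The worm policy drops the triggering request and blocks the proxy IP itself, so every user behind that proxy is then refused until the entry expires or an administrator removes it from the Blocked Sources monitor.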

Section 1-3 AppXcel WAF Management
A Web GUI manages AppXcel WAF. Servers and server groups need to be defined in the AppXcel WAF configuration. AppXcel WAF also includes a three-tier action architecture. This section contains the following topics:
• AppXcel WAF Components, page 1-13

AppXcel WAF Components

Server Groups
To protect a certain server, you must define it in the AppXcel WAF configuration. Before defining the specific server, you define a server group to which you can add servers. A server group is a group of servers that share the same profiles and the same security policy. Each server group presents a list of the security violations that are relevant to it. To each violation on the list you can attach an action policy, which is executed when that event occurs on one of the servers in the group.

Action Interfaces and Policies
AppXcel WAF includes a three-tier action architecture. You first define your action interfaces. For example, you can define an interface to a specific Syslog server or a specific SMTP server. AppXcel WAF supports the following action interfaces: Syslog, SNMP, SMTP and operating system commands.

Once your interfaces are defined, you can start defining action policies. An action policy is a group of actions executed together following a security event. In each action policy you can use one or more action interfaces. For example, you can define an action policy that blocks the attacking IP address for 5 minutes and sends an email alert to a specific group of recipients, and name it as you wish. You can then define another action policy that blocks the attacking IP for 2 hours, sends an email alert to two different groups of recipients, and sends SNMP traps as well as syslog alerts to various devices, under a different name.

When you are done defining action policies, you can use them with all server groups. For example, for a specific security violation in a specific server group you can attach one policy while for another security event you can attach a different policy.

Application Defense Center
The ADC part of the AppXcel WAF allows you to view signatures with their attributes and documentation. It also allows you to review pre-configured dictionaries as well as define new dictionaries. For information about signatures, see Signature-Based Intrusion Prevention, page 1-4.

Alerts
Alerts are organized according to the type of violation (signature, profile, etc.) and contain detailed forensic information ranging from IP address to session ID. Advanced sorting and filtering accelerate forensic investigation.

Reporting
AppXcel WAF has a graphical report engine that enables trend analysis of a wide range of security events. A wide range of preconfigured reports can be used to identify the most common vulnerabilities in application code, contribute to security audit initiatives, and support executive-level decision making.

Other Monitoring Interfaces
In addition to the Alerts view, AppXcel WAF provides some additional monitoring interfaces. The Blocked Sources monitor presents all IP addresses and Session Identifiers that are, or were, blocked during the last 72 hours. You can manually unblock blocked sources.

Chapter 2 - Getting Started

This chapter describes how to access the AppXcel™ WAF user interface and perform the initial configuration. The AppXcel WAF implements a Web-based user interface that provides security administrators convenient and easy access to the software functions. This chapter includes the following sections:
• Section 2-1: Configuration Flow, page 2-2
• Section 2-2: Touring the AppXcel WAF User Interface, page 2-7
• Section 2-3: Initial Configuration, page 2-11

Section 2-1 Configuration Flow
This section explains the AppXcel WAF configuration flow and outlines the required configuration steps.

Introduction

To configure the AppXcel WAF, the following steps are required:

1. Set the AppXcel mode to Active and Proxy (see AppXcel User Guide, AppXcel Operation Modes).

2. Configure the AppXcel WAF add-on license (see page 2-2).

3. Configure a basic Application Tunnel (see AppXcel User Guide, Tunnels, Chapter 5).

4. Launch the AppXcel WAF Management Interface (see page 2-3).

5. Configure AppXcel WAF protection (see page 2-5).

AppXcel WAF Add-on License
After upgrading your device to a software version that includes the WAF add-on, you must enter a license to activate the WAF.

To configure an add-on license for AppXcel WAF

1. From the main APSolute Insite window, right-click the AppXcel device icon and go to Set-Up > Device Upgrades > License Upgrade.

2. Enter the license into the AppXcel WAF field. The license is obtained from Radware on request.

3. Click OK. Allow up to 20 minutes for the WAF to start: entering the license activates the WAF for the first time, and the initialization process is long.

Figure 2-1 AppXcel WAF Device Upgrades

Alternatively, configure an add-on license for AppXcel WAF using the following CLI commands:
• To set the license: system license web-application-firewall set <license string>
• To view the license: system license web-application-firewall get

Allow up to 20 minutes for the WAF to start: entering the license activates the WAF for the first time, and the initialization process is long.

Launching AppXcel WAF Management Interface from APSolute Insite

To Launch AppXcel WAF management from APSolute Insite

1. Right click on the AppXcel device icon you are connected to and go to Application Security > Web Application Firewall > Manage.

Figure 2-2 APSolute Insite WAF Launch Window

AppXcel WAF Protection Flow
Each block in Figure 2-3 below describes a major step in the flow. The flow takes you from the first step after installing the system to the point where you reach full protection.

Figure 2-3 Web Application Firewall Protection System Flow

Table 2-1 AppXcel WAF System Flow

Step / Description

Define Server Groups and Default Server Group
    Define the Web server groups. These are the servers protected by AppXcel WAF. Define the Default Server Group, used when traffic doesn't match any of the defined server groups (see Defining Server Groups, page 2-12).

Define Action Interfaces and Action Policies
    Define the required action interfaces, such as email, syslog and operating system commands. Define action policies, which are groups of actions executed together upon security events. This step is optional; the system can operate without action interfaces and policies (see Configuring Actions, page 4-1).

Configure Security Rules for each Server Group
    Configure the actions, for each Server Group, that are taken on different security events. This step is optional; the system comes with default security rules (see Security Rules - Introduction, page 4-7).

Configure the Operation Page
    Set the operation mode (active, simulation or disabled) and configure IP and URL exceptions (see Operation Modes - Introduction, page 3-2).

Activate Settings
    Instruct the SecureSphere Management Server to send the new configuration to all gateways and start protection and learning (see Active Profile Settings, page 2-30).

Monitor Alerts and Status
    Continuously monitor alerts to detect attacks and intrusions. Monitor SecureSphere to make sure it is operational (see Reading Alerts, page 5-3).

Fine-tune Profiles
    Review and modify the dynamic profile, if necessary. This step is optional (see Dynamic Profiling - Introduction, page 6-2).

Switch Between Simulation and Active Modes
    Switch server groups to active mode after you fine-tune the system and make sure there are no false positives and all attacks are being blocked (see Operation Modes - Introduction, page 3-2).

Section 2-2 Touring the AppXcel WAF User Interface

This section explains how to view and configure the AppXcel™ WAF Interface (AFI).

Introduction
Browsing through the AppXcel WAF Interface (AFI) is as simple as browsing an Internet site, once you understand how the system works. AppXcel WAF is configured using a dedicated Internet Explorer 6 window that is launched from the AppXcel Web Based Management interface. See Chapter 1, Overview, for a full explanation of the AppXcel WAF system.

The AFI user interface consists of three components:
• The Top Tab Bar includes four tabs that access the AppXcel WAF suite's main functions. The tab bar appears in every window in the AFI, and enables quick and easy navigation between the various options.
• The Left Tree Menu, located along the left edge of the browser window, depends on the selected tab. The left tree menu changes according to the tab selected in the tab bar, and displays all the items associated with that tab.
• The Data Window displays the actual data for the item that is selected in the left tree menu. Note that you can double-click items in a Data Window, such as parameter names and alerts, to open an edit window.

Figure 2-4 Web Application Firewall Interface Window

The Top Tab Bar
The tab bar, located at the top of the Web Application Firewall Interface window, includes four tabs:

Tab / Description

Server Groups
    Define and manage the Web servers and generic servers protected by the AppXcel WAF. A group of servers that share the same profile and the same security policy is called a server group.

ADC (Application Defense Center)
    Configure dictionaries and manage signatures.

Global Settings
    Configure various system objects: Action Interfaces, Action Policies, IP Groups, Non-blocked IPs and the Expert Window.

Activity Console
    Displays Alerts, Reports and Gateways, and provides various status indicators.

Two additional buttons are located towards the top-right corner of the window, next to the Tab Bar:

Button / Description

?
    Opens the AppXcel WAF on-line help.

X
    Ends the session and logs the user out of the system.

The Left Tree Menu
Navigating the left tree menu is similar to navigating a tree menu in Windows Explorer. AppXcel WAF uses a simple tree topology that is up to three levels deep, as displayed in Figure 2-5.

Figure 2-5 Tree Menu

Each tree node can expand or collapse to display its sub-nodes. Click the plus sign (+) to the left of a menu item to expand it. When expanding a node, the plus sign becomes a minus sign and all the sub-nodes (branches) under the expanded node appear. Click the minus sign (-) to the left of an expanded menu item to collapse it. When collapsing a node, the minus sign becomes a plus sign and all the branches disappear. Node names without a plus or minus sign beside them do not have any sub-nodes and cannot be expanded.

The Bottom Toolbar
The Bottom Toolbar includes the Active Settings button.

On-Line Help
AppXcel WAF includes integrated on-line help. On-line help presents context-sensitive information relevant to the location in the WAF user interface. For example, if you click Help while creating a new Server Group, the on-line help displays information on how to define a new Server Group.

To use the On-line Help:

1. Click Help (?), located at the upper right corner of the Application Firewall Interface (AFI). The on-line help appears in a separate window, as displayed in Figure 2-6.

Figure 2-6 On-Line Help Window

2. Click the Windows Close button (X) at the upper right corner of the window to close the on-line help.

Section 2-3 Initial Configuration
This section explains how to configure and use the AFI for the first time. This section contains the following topics:
• Introduction, page 2-11
• Defining Server Groups, page 2-12
• Defining Network Firewall Rules, page 2-18
• Services, page 2-22
• Special Server Configuration, page 2-25
• Active Profile Settings, page 2-30

Introduction
Upon installation, the AppXcel WAF system requires initial configuration and definition of the Server Groups, the servers that are to be protected by the AppXcel WAF. The AppXcel WAF is configured using the Firewall Configuration Tool.

Checking Firewall Status
AppXcel WAF includes a Firewall status monitor for verifying the following:
• The installed Gateway is in contact with the Management Server component.
• All Firewall processes are operational.

Defining Server Groups
Server Groups are the servers that AppXcel WAF protects. AppXcel WAF provides different levels of protection for different types of servers. All servers are protected by AppXcel WAF's firewall and signature detection mechanism. Web servers are further protected by AppXcel WAF's Dynamic Profiling mechanism. Dynamic Profiling protection is available for any type of Web server (including Web services and XML).

Server Groups are defined in two categories:
• The default server group, which serves two purposes: it defines the entire IP range of the protected network, as IP groups; and it defines the default security policy for servers that are not included in any other server group.
• The Web server groups, which define security policies for a specific type of server and a specific list of IP addresses.

Configuring and Enabling the Default Server Group
The default server group must be defined to include the entire protected network.

To configure and enable the default server group:

1. Click Server Groups. The Overview window appears, as displayed in Figure 2-7.

Figure 2-7 Server Groups Overview Window

2. In the Overview window, expand the Default Server Group entry on the left tree menu.

3. Expand the Server Group Settings entry and click Definitions. The Default Server Group definitions window appears, as displayed in Figure 2-8.

Note: An IP address that is not defined either in the default server group or in one of the other server groups is not protected.

Figure 2-8 Default Server Group Definitions Window

4. In the Default Server Group definitions window, click Add. The Add window appears, as displayed in Figure 2-9.

Figure 2-9 Add IP to Default Server Group Window

5. In the Add window, select an IP group that defines part of or the entire protected network. (To define IP Groups, see Appendix A, Defining IP Groups.)

6. Click Save.

7. Repeat steps 4, 5 and 6 until the entire protected network is defined. When you add IP Groups to the Default Server Group, the Default Server Group is automatically enabled.

8. Click Save.

Creating a Web Server Group
A Web Server Group contains Web servers, including Web servers that provide Web services and accept XML-based content.

To create a server group:

1. Click Server Groups.

2. Click Create Server Group on the tree menu (Figure 2-10).

Figure 2-10 Creating a New Server Group

Continue to the following sections, which describe the rest of the process for creating a Server Group.

Web Server
This section describes how to define a Web Server Group (including Web servers that provide Web services and accept XML-based content).

Note: Each unique IP address/AppXcel pair can be defined in one server group only. If your network includes two Web applications on the same IP address on different ports, use the HTTP Port and SSL Port text boxes to enter a list of ports (e.g. 80,81,82). This allows you to define a group of servers with a group of ports on them.


To define a Web Server Group:

1. Click the Web Server icon (Figure 2-11) in the Select a Server Group to create window.

Figure 2-11 Web Server Group Icon


The New Web Server Group Window appears, as displayed in Figure 2-12.

Figure 2-12 New Web Server Group Window

The New Web Server Group Window displays the following:

Field | Description
Name | Unique name for the Web server group.
Character Set | If your Web server is not using the English character set to parse incoming requests' parameters, select the character set used by your Web server from the drop-down list.
HTTP Support | Check this check box if your Web server listens to HTTP traffic.
HTTP Port | The port used by the Web server to accept HTTP communication. Port number 80 is set as the default port number. Change the port number only if the Web server connects through a different port.
SSL Support | Select this check box if the communication to the Web server being defined is encrypted using SSL.
SSL Port | The SSL port number of the back-end Web server. The default SSL port number is 443.
SSL Private Keys | Required for WAF to protect tunnels created with back-end SSL. The traffic between the Tunnel and the back-end server is encrypted. WAF therefore requires a private key for traffic decryption.
HSM | Implemented in this version.
IP Addresses | The IP address(es) of the Web server(s) belonging to the Server Group. Enter more than one IP address only if these are totally identical servers (i.e. mirrored or clustered).
Gateway | The AppXcel WAF monitors the back-end server only.

2. Type the Server Group's name in the Name field.

3. Fill in the fields as described above.

4. Click Create.


5. To define the IP address(es) of the Web server(s) belonging to this Server Group, click Add. The Add window appears, as displayed in Figure 2-13.

Figure 2-13 New Web Server Group: Add IP

6. Type in the IP address of the Web server (i.e. the back-end server from the Tunnel). If the Web server has more than one NIC, enter the IP address of the card that is attached to the same network segment as the Firewall.

7. Select the Firewall that monitors this server from the Firewall drop-down list.

8. Click Save.

9. If this is a mirrored or clustered configuration, repeat steps 5 through 8 for the additional servers. Note that these servers must have the same ports, the same profile and share the same security policy.

Defining Network Firewall Rules

AppXcel WAF operates as a reverse proxy. Therefore only services configured in its Tunnel configuration (see AppXcel user guide section 5-1) are handled and forwarded to the back-end servers. Configure the Network Firewall Rules when back-end servers use AppXcel as their default gateway and there is no need to control their outbound connections. You can configure Network Firewall rules per Server Group.


The Server Group-specific rules can be one of the following:

• White list: Blocks all services except the specified service/source(/destination) combination

• Black list: Allows all services except the specified service/source(/destination) combination

The Firewall Rules Window is divided into two sections: Inbound and Outbound. Use the Outbound section to configure the policy for traffic originating from the server group.

To define Firewall Rules:

1. Click Server Groups.

2. Expand the Server Group.

3. Expand the Security Rules folder.

4. Click Firewall Rules > Unauthorized Access to Service.

Note: Inbound policy is redundant as service control is configured in the tunnel policy.


5. Click the click here link at the bottom of the window. The Firewall Rules window appears, as displayed in Figure 2-14.

Figure 2-14 Firewall Rules Window

The parameters in the Firewall Window include:

Parameter | Description
Permit the following services | Select this option to define an inbound/outbound black list.
Block the following Services | Select this option to define an inbound/outbound white list.
Service | The service that is blocked or permitted.
Source / Destination | An IP group or ANY (for any IP).
Services | A link to a table that maps services to port numbers. You can add, delete or modify services here.
Allow Ambiguous TCP Packets | Select this option to allow the Server Group to accept ambiguous TCP packets. Ambiguous packets are parts of TCP segments that make it virtually impossible for AppXcel WAF to determine whether or not the Server Group accepts them. If the Server Group does accept them, it is impossible for AppXcel WAF to determine which portion of the segments it uses. Ambiguous packets are used in various evasion techniques.

6. To add a new Rule:

a. Click Add in the Inbound or Outbound section.

b. The Add Firewall Rule window appears, as displayed in Figure 2-15.

c. Select a service name from the drop-down list of services.

Figure 2-15 Add Firewall Rule Window

d. Select an IP group from the drop-down list of IP groups. Select ANY for any source/destination.

e. Click Save. The rule is saved and the window closes.

7. To edit a Rule:

a. Click the rule you want to edit.

b. Click Edit. The Edit Firewall Rule window appears, as displayed in Figure 2-16.

c. Select a different source from the drop-down list of IP groups.

d. Click Save.


Figure 2-16 Edit Firewall Rule Window

8. To delete a rule (or rules):

a. Select the rule(s) to delete.

b. Click Delete.

Services

The Services window maps Service names such as FTP, SMTP and Telnet to actual port numbers such as 21, 25 and 23. When you select a specific Service name to be used in a firewall rule, or when AppXcel WAF checks for signatures on a specific service, the service's port numbers are extracted from the Service to Port Mapping Window.

Each server group has its own mapping. For example, you can have a Telnet service running on port 23 (default) on one server group and on port 2300 on another server group. If, for example, you choose to block Telnet on both server groups, AppXcel WAF blocks access to port 23 on the first server group and to port 2300 on the second server group. Similarly, if you have a dictionary that checks for Telnet signatures and you use this dictionary on both server groups, AppXcel WAF checks for these signatures on port 23 on the first server group and on port 2300 on the second server group.

For each server group that you create, AppXcel WAF automatically generates a default list of services. You cannot delete these services but you can change their ports. For example, you can change the default port of the Telnet service from 23 to any number you choose. You can also add ports to these services. For example, you can change the Telnet port to 23,2300, which means that Telnet is available both on port 23 and on port 2300 in this server group. When you change a port of a default service, AppXcel WAF asks you whether you want to apply this change on all server groups. If you select Yes, the same change is applied on all server groups. Otherwise, the change is applied only on the specific server group.

In addition to editing default services, you can add your own services. If you have a new service which is not listed in the default services list, you can manually add it to the list. Services which were manually added can also be deleted.
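The per-server-group service mapping and the white list/black list rule semantics described above and under Defining Network Firewall Rules, as an added example in Python (not AppXcel code). Class names, the mode flag and the IP group format are assumptions; the Telnet 23/2300 scenario is the guide's own.

```python
"""Per-server-group Service-to-Port mapping and firewall rule evaluation.

Added example, not the AppXcel code: it models the behaviour the guide
describes (each server group keeps its own service-to-port mapping, rules
name services, a white list blocks all services except the listed
service/source pairs and a black list allows all except them). Class names,
the mode flag and the helper names are assumptions for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed subset of the default services generated for every server group.
DEFAULT_SERVICES = {"FTP": [21], "SMTP": [25], "Telnet": [23]}


def parse_ports(text):
    """Parse a Ports field such as '23,2300' into a list of port numbers."""
    ports = []
    for item in text.split(","):
        item = item.strip()
        if not item.isdigit() or not 0 < int(item) <= 65535:
            raise ValueError(f"invalid port entry: {item!r}")
        ports.append(int(item))
    return ports


@dataclass
class Rule:
    service: str   # a service name from the group's mapping
    source: str    # an IP group name, or "ANY"


@dataclass
class ServerGroup:
    name: str
    mode: str = "black"   # "black": allow all except listed; "white": block all except listed
    rules: list = field(default_factory=list)
    ip_groups: dict = field(default_factory=dict)   # IP group name -> list of CIDRs
    services: dict = field(
        default_factory=lambda: {k: list(v) for k, v in DEFAULT_SERVICES.items()})

    def set_ports(self, service, text):
        """Edit the ports of an existing (default or custom) service."""
        if service not in self.services:
            raise KeyError(service)
        self.services[service] = parse_ports(text)

    def add_service(self, name, text):
        if name in self.services:
            raise ValueError(f"service {name!r} already exists")
        self.services[name] = parse_ports(text)

    def delete_service(self, name):
        # Default services cannot be deleted, only manually added ones.
        if name in DEFAULT_SERVICES:
            raise ValueError("default services cannot be deleted")
        del self.services[name]

    def _source_matches(self, group_name, src_ip):
        if group_name == "ANY":
            return True
        return any(ip_address(src_ip) in ip_network(c)
                   for c in self.ip_groups.get(group_name, []))

    def inbound_decision(self, src_ip, dst_port):
        """Return 'permit' or 'block' for a connection from src_ip to dst_port.

        The ports a rule covers come from THIS group's mapping, so the same
        'block Telnet' rule hits port 23 on one group and 2300 on another.
        """
        matched = any(dst_port in self.services[r.service]
                      and self._source_matches(r.source, src_ip)
                      for r in self.rules)
        if self.mode == "white":
            return "permit" if matched else "block"
        return "block" if matched else "permit"


def change_default_port(groups, target, service, text, apply_to_all):
    """Model the prompt shown when a default service's port is changed:
    apply the change to every server group, or only to the target group."""
    for group in groups:
        if apply_to_all or group is target:
            group.set_ports(service, text)
```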

To configure the Service to Port Mapping:

1. Click Services in the Firewall Rules Window. The Services to Port Mapping Window appears, as displayed in Figure 2-17.

Figure 2-17 Service to Port Mapping Window

Note: Use this feature in conjunction with the Tunnel configuration (see AppXcel user guide section 5-1). To configure non-standard ports for protocols, first configure the Tunnel Service Type (HTTP, SMTP, FTP or Other), including the port, and then configure the changes in this section. UDP support is not implemented. Always select TCP.


The parameters in the Window include the following:

Parameter | Description
Name | The name of the service. For example, FTP, SMTP or DNS. An icon next to the name indicates whether it is a default service or a manually added service.
Protocol | Each service can use one of the following level-3 protocols: TCP and UDP. UDP is not implemented here.
Ports | The port number on which the server listens to incoming requests for this service. Multiple control ports can be defined. Use a comma as the delimiter.

2. To create a new Service:

a. Click Add. The Add Service window appears, as displayed in Figure 2-18.

Figure 2-18 Add Service Window

b. Type a name for the new service.

c. Select the protocol from the drop-down menu.

d. Type the port number or a list of port numbers separated by commas.

e. Click Save.

3. To add/remove ports to/from a default service:

a. Select the Service and click Edit, or double-click the Service row.

b. Edit the port numbers, add ports separated by commas, or delete port numbers.

c. Click Save.

4. To delete a service:

a. Select the service.

b. Click Delete. You cannot delete default services. Only services that were manually added can be deleted.


Special Server Configuration

AppXcel WAF is designed to accommodate specialized server configurations, such as:

• Mirroring and redundancy of Web servers.

Mirroring

When an Enterprise Application Sphere is heavily used or operates mission-critical applications, a single Web application is often not enough. In such cases, the servers operate in a mirrored, clustered, redundant, or load-sharing configuration.

In mirrored and redundant configurations, a group of servers is configured to operate identically, performing exactly the same tasks. In such configurations, normal user behavior, data and URL access, and the security requirements are all identical among the servers. The behavior learning process and protection are also identical.

AppXcel WAF supports mirroring by allowing multiple IP addresses per Server Group. A group of mirrored servers is defined as a single Server Group with multiple IP addresses. This way, AppXcel WAF applies the exact same configuration and profile on all the mirrored servers of the Server Group.

Configuring the Error Page for Web Server Groups

When AppXcel WAF blocks a connection, it can display an error page to the blocked user. AppXcel WAF can either redirect the blocked user's browser to an error page that is available on a certain Web server, or present a simple HTML page that was uploaded to the AppXcel™ WAF management component. If AppXcel WAF is blocking an IP, the error page is not displayed.

To configure an error page for a web server group:

1. Click Server Group.

2. Expand the Server group.

3. Expand the Server Group Settings.

4. Click Error Pages. The Error Pages window appears.

5. To redirect the blocked user's browser to an error page:

a. Select the radio button near "Error Page for Blocked Requests".


b. In the Error Page for Blocked Requests field, type a URL for the error page (e.g. http://www.myweb.com/error.html).

c. Click Test Link (optional) to test this link.

6. To present a simple HTML file:

a. Select the radio button near "Error text for blocked requests".

b. Type the HTML text in the text area below (note that AppXcel™ WAF comes with a predefined HTML text).

7. Click Save.

Figure 2-19 Error Page Window

Note: If the error page is not configured, AppXcel™ WAF blocks the user without presenting any error page. This is the default when you create a new Web Server Group.


Configuring AppXcel WAF to Work with Session Identifiers

What is a Session Identifier?

Web servers are stateless. When the user connects to a certain Web server and requests a certain page, the Web server or the user's browser may close the connection after the response is sent. The next time the same user connects to that Web server, a new network connection is opened and the Web server has no way of knowing whether the same user is connecting.

This is a major problem for Web applications that are required to maintain a state for the user. If the user is required to authenticate when accessing the Web application, for example, the Web application maintains the state of each authenticated user. The application must know to whom each request belongs.

Session Identifiers were introduced to solve this. The idea behind Session Identifiers is very simple. Whenever a user first accesses or authenticates with a Web application, the Web application or server generates a session identifier (usually a long random number or string). The Web application associates the Session identifier with a specific user. The session identifier is then forwarded to the user's browser, as explained below, and the browser is requested to present the session identifier with each request it sends to the Web application.

Session identifiers can be exchanged between browsers and Web applications using two primary methods:

• HTTP Parameter: The Web application injects the session identifier as an HTTP parameter. Whenever the browser sends a request to the server, the request includes the appropriate parameter with the session identifier value.

• HTTP Cookie: The Web application sets a cookie that contains the session identifier value. Once the cookie is set, the browser automatically submits the cookie to the Web server with each request it sends.

The Web application is responsible for managing session identifiers. This includes generating and revoking session identifiers. Most Web applications and servers include a session expiration period. A session expires when it exists or is idle for too long. The Web application and servers do not accept the expired session identifier and the user has to re-authenticate (if authentication is required) to receive a new session identifier.


Why Configure AppXcel WAF to Support Session Identifiers?

AppXcel WAF can trace users' activity more accurately by tracing session identifiers. Without session identifiers, AppXcel WAF traces users according to IP address. If two users, for example, use the same IP address (highly probable when users are routed through a proxy server), AppXcel WAF does not differentiate between the two users and regards them as a single user. Configuring AppXcel WAF to work with session identifiers allows tracing each user separately, even when different users use the same IP address.

Session tracking support is enabled by default.

To configure AppXcel WAF to work with Session Identifiers:

1. Click Server Groups.

2. Click the plus (+) sign next to the Web server's name.

3. Click Web Server Group Settings > Session Tracking. The Session Tracking Window appears, as displayed in Figure 2-20.

Figure 2-20 Session Tracking Window

The Session Tracking window includes fields to enter the names of cookies and/or parameters that contain the session identifier for the specific Web server or Web application.

4. Enter the parameter, cookie or cookie prefix name in the Token Name field under Add New.

5. Select the type of token (Parameter, Cookie, or Cookie Prefix) from the Token Type drop-down list next to the token name:


• Parameter refers to a URL parameter that is included in every HTTP request sent by the user to the Web application or Web server.

• Cookie refers to a session cookie that is set by the Web application or Web server and is stored by the user, to be presented with every HTTP request.

AppXcel WAF Operation and Session Identifiers

To better understand how AppXcel WAF uses session identifiers, assume that AppXcel WAF is configured with two tokens: Token A and Token B. Token A is a parameter and Token B is a cookie.

When AppXcel WAF encounters an HTTP request, it looks for Token A in the list of parameters associated with that request and for Token B in the list of cookies associated with that request. Assume that Token A is found. AppXcel WAF examines the content of Token A. If the content is new to AppXcel WAF, it assumes that this is a new user. It then associates the specific token content with the new user. Every new request that arrives and contains Token A with the specific content is associated with the same user.

Now assume that a new HTTP request arrives and it contains Token A, but with a different value. AppXcel WAF then assumes that this is a new user, and adds the content of Token A to the list of monitored users.

If a new HTTP request arrives that does not include Token A but includes Token B with a specific value, AppXcel WAF again assumes that this is a new user and adds the token's value to the list of monitored users.

Now assume another scenario: a new HTTP request arrives that includes both Token A and Token B. Assume that the value of Token A is Value A and the value of Token B is Value B. In this case AppXcel WAF assumes that Value A and Value B together indicate the same user. Any request that arrives with Token A and Value A, or with Token B and Value B, is regarded as the same user. This process is called a merge.

Note: AppXcel WAF is pre-configured with the most common session identifiers. Usually no additional configuration is required. Consult your application developers as to where the session information is kept.
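The token lookup and merge process described above, as an added Python example (not AppXcel code). The request representation, the class name and the union-find bookkeeping are assumptions; the Token A (parameter) / Token B (cookie) scenario follows the guide.

```python
"""Attribute HTTP requests to users via session tokens and merge identities.

Added example, not the AppXcel code. Models the guide's description: each
configured token (Parameter, Cookie or Cookie Prefix) is looked up in the
request; an unseen value means a new user; a request carrying two values
that belong to different users merges them into one. Requests are plain
dicts {"url": ..., "headers": {...}, "src": ...} (an assumption).
"""
from urllib.parse import parse_qsl, urlsplit


class SessionTracker:
    def __init__(self, tokens):
        # tokens: list of (name, kind); kind in {"parameter", "cookie", "cookie_prefix"}
        self.tokens = tokens
        self.user_of = {}     # (token name, value) -> user id
        self.next_user = 1
        self.merged = {}      # user id -> id it was merged into (union-find parent)

    def _find(self, uid):
        """Follow merges to the surviving user id."""
        while self.merged.get(uid, uid) != uid:
            uid = self.merged[uid]
        return uid

    def _extract(self, request):
        """Return the (token name, value) pairs present in the request."""
        parts = urlsplit(request["url"])
        params = dict(parse_qsl(parts.query))
        cookies = {}
        for item in request.get("headers", {}).get("Cookie", "").split(";"):
            if "=" in item:
                k, v = item.strip().split("=", 1)
                cookies[k] = v
        found = []
        for name, kind in self.tokens:
            if kind == "parameter" and name in params:
                found.append((name, params[name]))
            elif kind == "cookie" and name in cookies:
                found.append((name, cookies[name]))
            elif kind == "cookie_prefix":
                found.extend((k, v) for k, v in cookies.items() if k.startswith(name))
        return found

    def identify(self, request):
        """Return the user id for this request, creating or merging as needed.

        With no configured token present the WAF falls back to tracking by
        source IP; that is represented here by the string 'ip:<address>'.
        """
        found = self._extract(request)
        if not found:
            return "ip:" + request.get("src", "unknown")
        known = {self._find(self.user_of[t]) for t in found if t in self.user_of}
        if not known:
            uid = self.next_user          # every value is new: a new user
            self.next_user += 1
        else:
            uid = min(known)              # keep one id, merge the others into it
            for other in known - {uid}:
                self.merged[other] = uid
        for t in found:
            self.user_of[t] = uid         # remember every value seen in this request
        return uid
```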


Active Profile Settings

The Activate Settings process activates the settings configured in the user interface. There is a difference between the configuration displayed in the user interface and the configuration that the system is actually using. Any configuration change only takes effect after the Activate Settings button is clicked. You can, for example, change the alerts configuration, close the user interface and open it the next day. The changes you made are displayed in the user interface but have not become active yet. You can continue making as many changes as you want, closing and opening the user interface. Click Activate Settings when you are finished and satisfied with the settings; then all the changes are activated.

Two indicators in the AppXcel WAF Interface show that the settings in the user interface are different from the settings the system uses:

• A message at the bottom of your browser explains that the settings are different.

• The Activate Settings button becomes enabled (it is disabled if the settings match).

The Next Step

After defining the AppXcel WAF and Server Groups, the AppXcel WAF can start working.

Note: Profile changes (manual and automatic) take effect immediately and do not require an Activate Settings process.


CHAPTER 3 Setting the Operation Mode

This chapter describes how to set the operation mode for the server groups. It includes the following sections:

• Section 3-1: Operation Modes, page 3-2

• Section 3-2: IP Restrictions, page 3-3

• Section 3-3: URL Restrictions, page 3-5

• Section 3-4: Automatic Profile Updates, page 3-10


Section 3-1 Operation Modes

This section explains the various operation modes for AppXcel WAF. This section includes the following topics:

• Operation Modes - Introduction, page 3-2

Operation Modes - Introduction

Server groups have three operation modes: active, simulation, and disabled. By default, newly created server groups are placed into simulation mode. When the server group is in active or simulation mode, there are some restrictions and exclusions you can enforce on the learning and protection processes. This chapter describes how to switch a server group from one operation mode to another and how to configure these restrictions and exclusions.

A server group can be in one of the following operation modes:

• Active: The server group is fully active and behaves as expected.

• Simulation: The server group is fully active. However, if you defined block actions of any type, AppXcel WAF does not block the traffic. This mode is called Simulation mode because AppXcel WAF behaves as if it had blocked the traffic: the alert view and the alert details indicate that the traffic was blocked. To distinguish between an actual block and a simulated block, the alert includes an indication that this is a simulated block. This is the default mode when you create a new server group. It is recommended to leave the server group in simulation mode until you feel confident enough to switch it into active mode. Server groups in simulation mode are marked with a dedicated icon.

• Disabled: The server group is totally disabled. It does not generate violations or alerts, does not block traffic and does not learn new behaviors. You can switch the server group back to simulation or active mode at any time. Disabled server groups are marked with a dedicated icon.

To switch a server group from one mode to another, select the desired mode and click Save.


Section 3-2 IP Restrictions

This section explains how you can restrict monitoring to specific source IP groups. This section contains the following topics:

• Restrict Monitoring to only this Source IP Group, page 3-3

• Ignore this Source IP Group (except for firewall violations), page 3-4

Restrict Monitoring to only this Source IP Group

This feature instructs AppXcel WAF to inspect only certain IP addresses and not to inspect all other IP addresses. Attacks originating from IP addresses that do not appear in this list are not detected. Behaviors such as new URLs originating from IP addresses that do not appear in this list are not learned. Use this feature only if most of your traffic's sources are trusted and you need to monitor and protect selective channels that go into your server group.

Provided below is an example of using this feature:

• If you have a reverse proxy in front of your Web application (e.g. Squid or NetCache) and all Internet traffic originates from the reverse proxy's IP address, you may want to consider using this feature. This way, all the activity of trusted internal users that does not originate from the reverse proxy is not monitored.

To enable this feature:

1. Select the Restrict monitoring to only this source IP group check box.

2. Select a defined IP group from the drop-down list. See Appendix A for instructions on how to define a group of IP addresses.

3. Click Save.


Ignore this Source IP Group (except for firewall violations)

This feature allows defining a group of IP addresses that AppXcel WAF ignores, except for firewall violations. AppXcel WAF does not generate any violations or alerts for IP addresses from this group, except for firewall violations. AppXcel WAF does not learn any behavior, such as new URLs or new queries, from IP addresses in this group.

Use this feature to allow administrators access to the server group. By definition, System Administrators have escalated privileges and even full control over applications and servers. Consider excluding the source IP addresses of administrators that AppXcel WAF monitors.

To enable this feature:

1. Select the option Ignore this source IP group (except for firewall violations).

2. Select a defined IP group from the drop-down list. See Appendix A for instructions on how to define a group of IP addresses.

3. Click Save.


Section 3-3 URL Restrictions

This section explains how to configure URL restrictions for Web server groups. This section contains the following topics:

• Restrict Monitoring to only this Source IP Group, page 3-3

• Ignore the following URLs/Directories, page 3-7

• Ignore Static Files, page 3-8

• Ignore Parameters, page 3-9

• Ignore XML Elements, page 3-9

Restrict Learning and Protection to only these URLs/Directories

AppXcel WAF only learns and protects URLs and directories that appear on this list and ignores all other URLs and directories in this server group. Use this feature if you have a sub-application that you wish to protect and you wish to ignore all other URLs in this server group.

To enable this feature:

1. Select the Restrict Learning and Protection to only these URLs/Directories check box.

2. Click on the linked word these in that row. The Restrict Learning and Protection window appears, as displayed in Figure 3-1.


Figure 3-1 Restrict Learning and Protection

3. To add a URL or Directory:

a. Enter a URL or Directory (for example /public/protectme.asp or /public/protectus/) under Add a new URL/Directory.

b. Click Add.

c. Repeat steps a and b above to add more URLs and Directories to the list.

4. To remove a URL/Directory from the list, select it and click Delete.

5. Click Close.

Note: When you add a directory to this list, all sub-directories and sub-URLs are learned and protected.


Ignore the following URLs/Directories

AppXcel WAF includes several mechanisms for ignoring URLs. The most important is the Ignore Static Files feature. In addition, the Ignore URLs/Directories feature is used if for some reason you want to completely ignore URLs/Directories, or if a certain URL cannot be learned properly for some technical reason. You can also use this feature if you want to avoid getting security alerts on these URLs/Directories.

To add ignored URLs/Directories:

1. Select the Ignore the following URLs/Directories checkbox.

2. Click on the linked word following. The Ignored URLs/Directories window appears, as displayed in Figure 3-2.

Figure 3-2 Ignored URLs / Directories Dialog

3. Type in a URL or a Directory (for example /private/ignoreme.asp or /private/ignoreus).

4. Click Add.

5. Repeat steps 3 and 4 until all URLs/directories are added.

6. To delete URLs/Directories, select them and click Delete.

7. Click Close.

Note: When you add a directory to this list, all sub-directories and sub-URLs are ignored.


Ignore Static Files

Static files, such as image files, Microsoft Office files and PDF files, cannot usually be used to attack a Web application. However, much of the traffic to Web applications consists of static files. Hence, by not learning and protecting static files it is possible to increase the performance of AppXcel WAF by about 50%.

Use this feature to select the types of static files you wish to ignore. Selected static files are not learned and do not appear in the specific Server Group profile. These file types are not protected either.

To Ignore Static Files:

1. Select the Ignore Static Files checkbox. Click on the linked word static in this row. The Static File Extensions window appears, as displayed in Figure 3-3. The list is pre-configured with common static file extensions.

Figure 3-3 Static File Extensions Window

2. To add a static file extension:


a. Enter a static file extension, for example .pps, under Insert a new extension.

b. Click Add.

c. Repeat steps a and b above to add more extensions to the list.

3. To remove a static file extension from the list, select it and click Delete.

4. Click Close.

Ignore Parameters

Use this feature to select parameter names that you wish to ignore. These parameters are not examined by the gateway and the following violations are not invoked for these parameters: Parameter Read-Only Violation, Parameter Type Violation, Parameter Unknown, Parameter Value Length Violation, Required Parameter Not Found.

Ignore XML Elements

Use this feature to select XML Elements and Attributes you wish to ignore. These elements and attributes are not examined by the gateway and the following violations are not invoked for them: XML Value Type Violation, Unknown XML Element/Attribute, XML Value Length Violation, Required XML Element/Attribute Not Found.
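How the restrictions in Sections 3-2 and 3-3 (source IP restriction and ignore group, URL/directory restriction and ignore lists, static file extensions, ignored parameters) combine to decide what a request contributes to learning and protection, as an added Python example (not AppXcel code). The order in which the checks are applied and the directory matching rule (a trailing slash covers everything under the directory, otherwise the entry matches the exact URL or its sub-paths) are assumptions.

```python
"""Decide the inspection scope of a request under the Chapter 3 restrictions.

Added example, not the AppXcel code. ScopeConfig mirrors the check boxes
described in Sections 3-2 and 3-3; the precedence of the checks and the
directory matching rule are assumptions made for this illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qsl, urlsplit


@dataclass
class ScopeConfig:
    restrict_ip_group: list = None     # CIDRs; None = check box not selected
    ignore_ip_group: list = None       # CIDRs ignored except for firewall violations
    restrict_urls: list = None         # URLs/directories; None = not selected
    ignore_urls: list = field(default_factory=list)
    # Constructed subset of a pre-configured static extension list.
    static_extensions: list = field(default_factory=lambda: [".gif", ".jpg", ".pdf", ".doc"])
    ignore_parameters: list = field(default_factory=list)


def _in_group(ip, cidrs):
    return any(ip_address(ip) in ip_network(c) for c in cidrs)


def _url_matches(path, entries):
    """A directory entry ('/dir/') covers itself and all sub-URLs; a URL entry
    ('/dir/page.asp' or '/dir') matches exactly or as a directory prefix."""
    for entry in entries:
        if entry.endswith("/"):
            if path.startswith(entry):
                return True
        elif path == entry or path.startswith(entry + "/"):
            return True
    return False


def inspection_scope(cfg, src_ip, url):
    """Return (scope, parameters to examine) for one request.

    scope is 'none' (neither learned nor protected), 'firewall_only'
    (only firewall violations are raised) or 'full'.
    """
    parts = urlsplit(url)
    path = parts.path
    params = dict(parse_qsl(parts.query))

    # Section 3-2: source IP restrictions come first, they decide whether the
    # WAF looks at this source at all.
    if cfg.restrict_ip_group is not None and not _in_group(src_ip, cfg.restrict_ip_group):
        return "none", {}
    if cfg.ignore_ip_group is not None and _in_group(src_ip, cfg.ignore_ip_group):
        return "firewall_only", {}

    # Section 3-3: URL restrictions, then the explicit ignore list, then the
    # static file extensions.
    if cfg.restrict_urls is not None and not _url_matches(path, cfg.restrict_urls):
        return "none", {}
    if _url_matches(path, cfg.ignore_urls):
        return "none", {}
    if any(path.lower().endswith(ext) for ext in cfg.static_extensions):
        return "none", {}

    # Ignored parameters are dropped before profile checks run on the rest.
    examined = {k: v for k, v in params.items() if k not in cfg.ignore_parameters}
    return "full", examined
```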


Section 3-4 Automatic Profile Updates

This section explains how the automatic profile update feature ensures that the profile remains up-to-date even if some of the content and code on the Web site has changed. This section contains the following topics:

• Automatic Profile Updates - Introduction, page 3-10

Automatic Profile Updates - Introduction

Web sites are very dynamic and tend to change on a regular basis as developers keep updating source code and content. The automatic profile update feature ensures that the profile remains up-to-date even if some of the content and code on the Web site have changed. It defines rules for handling profile violations such that, for example, profile violations that occur at a high frequency from a number of IP addresses are added automatically to the profile, saving the administrator valuable time. Without this feature the administrator would need to regularly go over profile violation alerts, locate false positives and manually update the profiles accordingly.

The automatic profile update rules check whether a specific violation occurred many times, over a relatively long period of time, and originated from multiple sources. If this is the case, then AppXcel WAF automatically updates the profile according to the anomalous information. Changes to the profile take effect immediately (i.e. there is no need to activate this setting).

Web Profile Violations

The Web profile violations covered by this feature are:

• Cookie Tampering: This rule moves the cookie from the protected list to the ignored list.

Note: Until the relevant Automatic Profile Update rule is triggered and the relevant part of the profile is updated, profile violations and alerts are still generated and any defined action, immediate or delayed, is executed. You can control the thresholds that cause different APU rules to be executed by modifying the rule, as explained below.


• Cookie Injection: This rule moves the cookie from the protected list to the ignored list.
• Missing Parameter: This rule removes the Required attribute from the parameter.
• Missing XML Element/Attribute: This rule removes the Required attribute from the XML Element/Attribute.
• Parameter Length Exceeds Constraints: This rule changes the minimum or maximum length of a parameter.
• XML Element/Attribute Length Exceeds Constraints: This rule changes the minimum or maximum length of an XML Element/Attribute.
• Unknown Parameter: This rule adds the parameter to the URL.
• Unknown XML Element/Attribute: This rule adds the XML Element/Attribute to the SOAP Action.
• Parameter Read-Only: This rule removes the Read-Only attribute from the parameter.
• Parameter Type: This rule changes the value type of a parameter.
• XML Element/Attribute Type: This rule changes the value type of an XML Element/Attribute.
• Unauthorized Method: This rule adds the HTTP method to the URL.
• Unauthorized SOAP Action: This rule adds the SOAP action to the URL.
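The rules above only make sense against a learned profile, so the following Python sketch is added here as an example (it is not code from the AppXcel guide or product). It learns a small per-URL parameter profile from constructed traffic, raises the profile violations the guide names for parameters (Parameter Unknown, Required Parameter Not Found, Parameter Value Length Violation, Parameter Type Violation), and then applies an automatic profile update rule of the kind described above: a violation is folded into the profile only after it has been seen at least a given number of times, over at least a given time span, from at least a given number of distinct client IPs. The learning heuristics, the three thresholds and the event format are assumptions; the AppXcel thresholds are whatever you configure in the rule.

```python
# Added example, not code from the AppXcel guide: a toy dynamic profile for one
# URL plus an automatic-profile-update (APU) rule of the kind the guide
# describes (many occurrences, over a long period, from several sources).
# The learning heuristics, thresholds and event format are assumptions.
from collections import defaultdict
from urllib.parse import parse_qsl

NUMERIC, ALNUM, ANY = "numeric", "alnum", "any"
TYPE_RANK = {NUMERIC: 0, ALNUM: 1, ANY: 2}

def classify(value):
    """Narrowest value type a parameter value fits."""
    if value.isdigit():
        return NUMERIC
    if value.isalnum():
        return ALNUM
    return ANY

def widen(t1, t2):
    """The wider of two value types."""
    return t1 if TYPE_RANK[t1] >= TYPE_RANK[t2] else t2

class UrlProfile:
    """Learned parameter attributes of one URL: length range, type, required."""
    def __init__(self):
        self.params = {}
        self.samples = 0

    def learn(self, query):
        pairs = dict(parse_qsl(query, keep_blank_values=True))
        self.samples += 1
        for name, value in pairs.items():
            p = self.params.setdefault(name, {"min": len(value), "max": len(value),
                                             "type": classify(value),
                                             "required": self.samples == 1})
            p["min"], p["max"] = min(p["min"], len(value)), max(p["max"], len(value))
            p["type"] = widen(p["type"], classify(value))
        for name, p in self.params.items():   # absent from a learned request: optional
            if name not in pairs:
                p["required"] = False

    def check(self, query):
        """Profile violations raised by one request, as (violation, parameter)."""
        pairs = dict(parse_qsl(query, keep_blank_values=True))
        found = []
        for name, value in pairs.items():
            p = self.params.get(name)
            if p is None:
                found.append(("Parameter Unknown", name))
                continue
            if not p["min"] <= len(value) <= p["max"]:
                found.append(("Parameter Value Length Violation", name))
            if TYPE_RANK[classify(value)] > TYPE_RANK[p["type"]]:
                found.append(("Parameter Type Violation", name))
        for name, p in self.params.items():
            if p["required"] and name not in pairs:
                found.append(("Required Parameter Not Found", name))
        return found

class AutoProfileUpdateRule:
    """Fold a repeated violation into the profile once it has been seen at least
    min_count times, spread over at least min_span seconds, from at least
    min_sources distinct client IPs (thresholds are assumptions)."""
    def __init__(self, profile, min_count=20, min_span=3600, min_sources=5):
        self.profile = profile
        self.min_count, self.min_span, self.min_sources = min_count, min_span, min_sources
        self.events = defaultdict(list)       # (violation, param) -> [(ts, ip, value)]

    def record(self, violation, name, ts, ip, value=None):
        """Record one violation; return True if the profile was updated."""
        ev = self.events[(violation, name)]
        ev.append((ts, ip, value))
        times = [t for t, _, _ in ev]
        if (len(ev) < self.min_count or max(times) - min(times) < self.min_span
                or len({i for _, i, _ in ev}) < self.min_sources):
            return False
        self._apply(violation, name, [v for _, _, v in ev if v is not None])
        del self.events[(violation, name)]
        return True

    def _apply(self, violation, name, values):
        params = self.profile.params
        if violation == "Parameter Unknown":           # add the parameter to the URL
            t = NUMERIC
            for v in values:
                t = widen(t, classify(v))
            params[name] = {"min": min(map(len, values)), "max": max(map(len, values)),
                            "type": t, "required": False}
        elif violation == "Required Parameter Not Found":   # drop the Required attribute
            params[name]["required"] = False
        elif violation == "Parameter Value Length Violation":   # widen the length range
            params[name]["min"] = min([params[name]["min"]] + list(map(len, values)))
            params[name]["max"] = max([params[name]["max"]] + list(map(len, values)))
        elif violation == "Parameter Type Violation":          # widen the value type
            for v in values:
                params[name]["type"] = widen(params[name]["type"], classify(v))

def demo():
    """Learn from constructed traffic, then let the APU rule absorb an unknown parameter."""
    prof = UrlProfile()
    for q in ("id=42&sort=name", "id=7&sort=date", "id=1234"):   # constructed learning traffic
        prof.learn(q)
    rule = AutoProfileUpdateRule(prof, min_count=3, min_span=600, min_sources=3)
    before = prof.check("id=5&page=2")                 # 'page' is not in the profile
    updated = False
    for i, ip in enumerate(("198.51.100.1", "198.51.100.2", "198.51.100.3")):  # constructed
        for viol, name in prof.check("id=5&page=%d" % i):
            updated = rule.record(viol, name, ts=i * 400, ip=ip, value=str(i)) or updated
    after = prof.check("id=5&page=2")
    return before, updated, after
```

Until the third source reports the unknown parameter, `record` returns False and every request still raises Parameter Unknown, which is exactly the window the Note above warns about: the violation keeps alerting (and blocking, if the rule's immediate action says so) until the rule's thresholds are met. Lower thresholds shorten that window but also make it easier for an attacker with a handful of addresses to teach the profile a parameter it should not accept.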

To configure, enable and modify the Automatic Profile Updates rules:

1. Select the option Automatic profile updates.
2. Click Updates. The Automatic Profile Updates window appears, as displayed in Figure 3-4.


Figure 3-4 Automatic Profile Updates Window

3. To enable a rule, select its Use check box. Only rules that are selected are used during any automatic profile update process.
4. To change a rule's properties, select the rule name. The rule's properties appear in the lower pane.
5. Modify values in the rule and click Save.
6. Repeat for additional violations.


Chapter 4 - Configuring Actions

This chapter describes how to configure AppXcel WAF to invoke actions upon security events. This chapter contains the following sections:

• Section 4-1: Action Interfaces, page 4-2
• Section 4-2: Configuring Action Policies, page 4-4
• Section 4-3: Configuring Server Group's Security Rules, page 4-7
• Section 4-4: Preventing Blocking of Specific IP Addresses, page 4-36


Section 4-1 Action Interfaces

This section explains how to define Action Interfaces. This section contains the following topics:

• Introduction, page 4-2
• Defining Action Interfaces, page 4-2

Introduction

AppXcel WAF can take various types of actions when a security event occurs. The action configuration process includes three steps:

• Defining Action Interfaces: An action interface allows AppXcel WAF to communicate with external devices. For example, you can define an action interface to a specific Syslog server, or an action interface to a specific SMTP server.
• Defining Action Policies: An action policy is a list of actions executed upon a security event. You can define various action policies and then use a different action policy, or the same action policy, for each security event. Action policies use Action Interfaces.
• Defining Security Rules per Server Group: For each server group, you can view the list of associated security events. You can then select the action policy to be executed when each event occurs.

Defining Action Interfaces

The first step in the process of defining actions is to define action interfaces. The following types of interfaces are available for AppXcel WAF:

• SNMP Traps: An interface that sends SNMP traps to an external SNMP manager.


• Operating System Command: An interface to the operating system of the AppXcel WAF Management Server component. This interface allows execution of an operating system command or a specific file.

• Email: An interface to a specific SMTP server. This interface allows sending an email alert to a specific group of email addresses.

• Syslog: An interface to a specific Syslog server. This interface allows sending an alert message to that Syslog server.

You can define multiple interfaces of each type. For example, you can configure two different Syslog servers and two groups of email recipients. See Appendix B for information on how to define the various action interfaces.

Note: Under the Global Settings tab, Actions > Action Interfaces > Create Action Interface, you can also create an interface that executes an Operating System Command. Treat this interface with care: anything it runs executes with the privileges of the Management Server, so restrict it to fixed, reviewed commands.


Section 4-2 Configuring Action Policies

This section explains how to define an action policy. This section includes the following topics:

• Configuring Action Policies - Introduction, page 4-4

Configuring Action Policies - Introduction

An Action Policy defines a set of actions and operations that are executed immediately upon occurrence of a security event. The administrator can define different action policies and use them for different events.

The Action Policy window includes the following fields:

Start Blocking Attacking IP: Blocks the attacking IP address by dropping every packet this source sends to the protected servers.
Block Duration (sec.): The time period, in seconds, for which the attacking IP is blocked.
Start Blocking Attacking Session: Blocks the attacking session by dropping the packet each time this source session tries to connect to the protected servers.
Block Duration (sec.): The time period, in seconds, for which the attacking session is blocked.
Start Monitoring Attacking IP: Records all requests/responses from the IP.
Monitor Duration (sec.): The time period, in seconds, for which the attacking IP is monitored.
Start Monitoring Session: Records all requests/responses from the Web application session.
Monitor Duration (sec.): The time period, in seconds, for which the session is monitored.
Send Alert Using: A list of all action interfaces of type Email and Syslog.
Execute an Operating System Command: A list of all action interfaces of type Operating System Command.

The Action Policy window includes the various available actions. You can select one or more actions; any combination of actions is allowed.

To configure an Action Policy:

1. Click Global Settings.
2. Expand the Actions tree entry.
3. Expand the Action Policies tree entry.
4. Click Create Action Policy.
5. Type the name of the policy in the Policy Name field. This name is used to identify the specific policy.
6. If you wish to block the attacker's IP address for a specific period of time, select the Start Blocking Attacking IP checkbox. Otherwise continue with step 8.
7. Enter the duration (in seconds) for which this IP is blocked.
8. If you wish to block the attacker's Session Identifier (for protected Web servers only) for a specific period of time, select the Start Blocking Attacking Session checkbox. Otherwise continue with step 10.
9. Enter the duration (in seconds) for which this Session is blocked.
10. Upon a security event, AppXcel WAF can start monitoring the attacking IP by recording all requests this IP sends to the protected servers and all responses it receives. The monitored events are available for viewing from the Alert viewer. Select the Start Monitoring IP checkbox to monitor the violating IP address.
11. If you selected Start Monitoring IP, type the monitor duration in the Duration field.
12. Upon a security event, AppXcel WAF can start monitoring the attacking session (for protected Web servers only) by recording all requests this session sends to the protected servers and all responses it receives. The monitored events are available for viewing from the Alert viewer.
13. Select the Start Monitoring Session checkbox to monitor the violating session.
14. If you selected Start Monitoring Session, type the monitor duration in the Duration field.
15. All alerts are logged in the AppXcel WAF Alert viewer. If you want to send the alert to external devices, select the Send Alert Using checkbox. Otherwise continue with step 19.


16. The list below Send Alert Using includes all Email and Syslog action interfaces you defined. If no such interfaces exist, the option does not appear. Select the Email and Syslog interfaces you want to use to dispatch this alert by selecting the checkbox next to the interface names.
17. Select the Execute Operating System Commands checkbox if you want AppXcel WAF to execute specific operating system commands as part of this policy.
18. The list below Execute Operating System Commands includes all the Operating System Command interfaces you defined. If you did not define any such interface, this option does not appear. Select the operating system commands you want to execute by selecting the checkbox next to the name of the interface.
19. Click Create.

Figure 4-1 Action Policy


Section 4-3 Configuring Server Group's Security Rules

This section explains how to configure the Server Group Security Rules. This section contains the following topics:

• Security Rules - Introduction, page 4-7
• Firewall Rules, page 4-10
• Signature Rules, page 4-12
• Protocol Violation Rules, page 4-13
• Web Worms Defender Rules, page 4-19
• Profile Violation Rules, page 4-22
• Custom Policy Rules, page 4-26
• Correlation Rules, page 4-32

Security Rules - Introduction

Security Rules are defined per Server Group. There are six categories, defined by the type of security layer that generated the alert:

• Network Firewall Rules
• Signature Rules
• Protocol Violation Rules
• Web Worm Defender Rules
• Profile Violation Rules
• Correlation Rules

AppXcel WAF defines default security rules (and default action policies) for each Server Group type. When a Server Group is defined, it automatically receives the default security rules definitions. You can modify these and restore the default rules. You can also copy the rules configured for another Server Group. Note that when you restore the default rules, the Server Group-specific configuration is irreversibly erased.

There are two types of actions that you can attach to each rule:

• Immediate Actions: Actions taken as an immediate response to an attack (i.e. blocking the packet that generated the security event).
• Followed Actions: Follow-up actions taken by the system to continue blocking the attacker's source and to further observe and analyze the violations.


To define actions for security rules:

1. Click Server Groups.
2. Expand the Server Group's submenu.
3. Expand Security Rules.
4. Click the required security rules category. The Security Rules window appears, as displayed in Figure 4-2.

Figure 4-2 Firewall Rules Window

5. Configure the actions.
6. To copy the configuration from another Server Group:
   a. Click Copy From. The Copy From window appears, as displayed in Figure 4-3.


Figure 4-3 Copy Action Policy From Window

   b. Select the Server Group.
   c. Select either Copy policy only for this action category or Copy policy for all action categories.
   d. Click OK. The configuration is copied from the selected Server Group to the displayed Server Group.
7. To restore the default Server Group actions:
   a. Click Restore Defaults. The window displayed in Figure 4-4 appears.

Figure 4-4 Restore Defaults Window

   b. Click OK. The default configuration is restored.
   c. Click Save.

Warning: The Server Group-specific configuration is irreversibly erased when you restore the defaults.


Firewall Rules

Firewall Rules define the actions taken when AppXcel WAF detects unauthorized access to the service, fragmented packets, or non-compliant TCP/IP packets.

Figure 4-5 Firewall Actions Window

This window presents the following fields:

Firewall Rules: The Firewall Rule to be used.
Enable: Enables the action.
Alert: Choose the alert severity generated by the security event: Informative / Low / Medium / High.
Immediate Action:
   None: Access is not blocked. Use this option if you only want to log unauthorized access attempts.
   Block Access: The AppXcel WAF gateway drops the packet that violates the firewall rule.
Followed Actions: Drop-down list of Action Policies (see Section 4-2, Configuring Action Policies). If no action policies are defined, the list is empty.

The supported firewall violations are:

• Fragmented Packet: This violation is invoked whenever the gateway encounters a fragmented packet.
• Non Compliant Packet: The IP, TCP, or UDP packet is not protocol-compliant. This includes issues such as an incorrect checksum, invalid IP address, invalid flags, unknown options, and incorrect SYN usage.
• Unauthorized Access to Service: AppXcel WAF allows firewall access rules to be defined for each server group. These access rules include a list of services and sources allowed on the server group.


Signature Rules

Signature rules are activated when a signature is detected. Signature rules are defined for each dictionary defined in the system. The upper pane lists the dictionaries and their actions; the lower pane presents information on the selected dictionary: the description of the dictionary, the services on which it operates, and whether this is a filtered or manual dictionary.

Figure 4-6 Signature Rules Window


This window presents the following fields:

Signature Dictionary: A list of all dictionaries. The icon next to the name indicates the type of dictionary: a manually generated dictionary, or a dictionary generated using a filter. Each dictionary name is also a link to the dictionary. Click the dictionary name to display the dictionary.
Enable: Enables the action.
Alert: Choose the alert severity generated by the security event: Informative / Low / Medium / High.
Immediate Action:
   None: No immediate action is taken.
   Block: The AppXcel WAF immediately drops the packet that contains the signature.
Followed Actions: Drop-down list of Action Policies (see Section 4-2, Configuring Action Policies). If no action policies are defined, the list is empty.

To update the signatures database, refer to Updating the Signatures Database, page 7-13.

Protocol Violation Rules

Protocol Violation rules are activated when the attacker sends an HTTP request that does not fully comply with the HTTP specification. You can configure the actions to be taken for all protocol violations defined in the system. The upper pane presents a list of the violations and their actions; the lower pane presents a description of the selected violation.


Figure 4-7 Protocol Violation Rules Window

The Protocol Violations Action window presents the following fields:

Protocol Violation: List of protocol violations. See below for the complete list and a description of each violation.
Enable: Enables the action.
Alert: Choose the alert severity generated by the security event: Informative / Low / Medium / High.
Immediate Action:
   None: No immediate action is taken.
   Block: The AppXcel WAF immediately drops the packet that contains the violating HTTP message.
Followed Actions: Drop-down list of Action Policies (see Section 4-2, Configuring Action Policies). If no action policies are defined, the list is empty.

The supported protocol violations are:


• Abnormally long header line: The length of either the HTTP request header name (e.g. Content-Type, Accept, etc.) or value exceeds the maximum threshold. Although the HTTP specification does not define a specific length limitation, header lines that exceed this length usually indicate a buffer overflow attempt. You can manually configure the thresholds.

• Abnormally long request: The length of one of the following parts of an HTTP request exceeds the allowed threshold: HTTP Method, URL, Query String, HTTP Version. Although the HTTP specification does not define a specific length limitation, a URL that exceeds this length usually indicates a buffer overflow attempt. Violation of this length limitation may also indicate other types of attacks, such as partial validation by servers (the Web server validates only the first part of a long string while the operating system or another backend service processes the entire string). You can manually configure the thresholds.

• Double URL encoding: URL encoding is a standards-based format for embedding non-printable or special characters within HTTP request fields (such as the URL). The character is represented by a percent sign ('%') followed by the hexadecimal representation of its value (e.g. the TAB character, whose ASCII value is 9, can be represented as '%09'). Double URL encoding is an evasion technique used by attackers to bypass access control, authorization and detection mechanisms by applying URL encoding multiple times to the attack URL. For example, a '/' character in a directory traversal attack is encoded as %252F, which is the result of applying URL encoding twice ('/' becomes '%2F', which in turn becomes '%252F').

• Extremely Long URL Parameter: The length of a URL parameter exceeds 4096 characters (the maximum allowed lengths of both the parameter's name and value are configurable). Although the HTTP specification does not define a specific length limitation, a parameter that exceeds this length usually indicates a buffer overflow attempt. Violation of this length limitation may also indicate other types of attacks, such as partial validation by servers (the Web server validates only the first part of a long string while the operating system or another backend service processes the entire string). You can manually edit the threshold. Note that this violation only applies to HTTP requests that use the POST method; HTTP requests that use the GET method do not invoke this violation.

• Illegal Byte Code Character in Request: A non-printable ASCII character (ASCII 1 - 31, 127) is embedded in an HTTP request header field's name or value (e.g. Content-Type, Accept). This is banned by the HTTP standard and is indicative of attacks involving injection of malicious code or attacks aimed at the request parsing mechanism.


• Illegal Byte Code Character in Request Content: A non-printable ASCII character (ASCII 1 - 31, 127) is embedded in the content of an HTTP request containing HTML form data. This is indicative of attacks involving injection of malicious code or attacks aimed at the request parsing mechanism.

• Illegal Host Name: The name of the target host within an HTTP request contains non-printable (ASCII 1 - 31, 127) or extended (ASCII 128 - 255) characters. This is banned by the HTTP standard and is indicative of attacks involving injection of malicious code or attacks aimed at the request parsing mechanism.

• Illegal HTTP Version: Each HTTP request must contain the version of the protocol used by the client, in the form HTTP/v, where v is replaced by the actual version number (one of 0.9, 1.0, 1.1). This anomaly indicates a malformed request not sent from a normal browser.

• Illegal Response Code: An HTTP response does not include a legal HTTP response code. The HTTP standard specifies that the code is a 3-digit number. A non-compliant code indicates an ill-formed response, which is usually the consequence of a severe failure.

• Illegal Parameter Encoding: URL encoding is a standards-based format for embedding non-printable or special characters within HTTP request fields (such as the values of parameters). The character is represented by a percent sign ('%') followed by the hexadecimal representation of its value (e.g. the TAB character, whose ASCII value is 9, can be represented as '%09'). Illegal encoding within parameter values is a technique used by malicious individuals both for evasion and attack, by embedding ill-crafted sequences preceded by the percent sign. These sequences (e.g. %vv, %t0) are banned by the standard and are usually decoded in an unexpected manner by different Web servers.

• Illegal URL Path Encoding: URL encoding is a standards-based format for embedding non-printable or special characters within HTTP request fields (such as the URL). The character is represented by a percent sign ('%') followed by the hexadecimal representation of its value (e.g. '%09' for TAB). Illegal encoding within the URL is a technique used by malicious individuals both for evasion and attack, by embedding ill-crafted sequences preceded by the percent sign. These sequences (e.g. %vv, %t0) are banned by the standard and are usually decoded in an unexpected manner by different Web servers.

• Malformed HTTP Header Line: An HTTP header field is comprised of a name (e.g. Content-Type, Content-Length, etc.) and a value, separated by a colon (':') character. A malformed header line does not include the colon character, making it impossible to correctly parse the content of the line. This is an indication of an attack on the server's parsing mechanism.


• Malformed URL: The URL in a request must begin with a '/' character and may include a protocol and host prefix (e.g. http://myserver.com/default.asp). Omission of the '/' character, or a protocol prefix other than http, is usually an indication of a malicious attempt to tunnel other protocols (e.g. SMTP) through the Web server.

• Malformed XML/SOAP Message: If the HTTP request includes an XML message that cannot be parsed, AppXcel WAF invokes this violation.

• NULL Character in Header Line: The use of a NULL (0-valued) character within the name or value of an HTTP request header field is banned by the standard. An attacker embeds NULL characters within the header field in order to evade detection mechanisms.

• NULL Character in Request Content: The use of a NULL (0-valued) character within the content of an HTTP request containing form data is banned by the standard. An attacker embeds NULL characters within the request content in order to evade detection mechanisms.

• Redundant HTTP Headers: An HTTP request contains protocol information and processing hints in header fields. Some of the fields have a crucial role in the interpretation of the message by the server and a significant effect on the processing of the request. Those fields are required to appear only once in any request. The "Redundant HTTP Headers" anomaly is invoked if an HTTP request contains multiple instances of such headers. The default list of headers that are affected by this anomaly includes the Content-Length header field (which determines the number of bytes from the network stream that are associated with the message), the Content-Type header field (which affects the parsing of the message content), the Host header field, and others.

• Redundant UTF-8 Encoding: UTF-8 is a popular character encoding scheme for representing Unicode characters using variable-length byte sequences. Promiscuous interpretation of UTF-8 strings by Web servers results in the translation of multiple sequences into the same ASCII character (e.g. '/' or '.'). This technique, known as "Redundant UTF-8 Encoding", is used by attackers to evade access control, authorization and detection mechanisms.

• Too Many Cookies in a Request: AppXcel WAF invokes this violation if an HTTP request includes too many cookies. The allowed number of cookies appears in the bottom pane. Change the number as required and then click Save.

• Too Many Headers per Request: An HTTP request contains more than 15 header fields. This is an indication of a buffer overflow attack or an attempt to evade detection mechanisms. Change the number as required and then click Save.


• Too Many Headers per Response: An HTTP response contains more than 20 header fields. This is an indication of information leakage (e.g. credit card numbers, user identifiers, etc.) through the header fields rather than through the response body. Change the number as required and then click Save.

• Too Many URL Parameters: The number of parameters in the URL exceeds the threshold. Change the number as required and then click Save. Note that this violation only applies to HTTP requests that use the POST method; HTTP requests that use the GET method do not invoke this violation.

• Unauthorized Request Content Type: This anomaly occurs for a variety of HTTP requests in which the content type cannot be correctly established according to the RFC, or in which the content type is identified as an unauthorized type. Click the "click here" link to add and remove content types.

• Unknown HTTP Request Method: Each HTTP request must start with a field called the HTTP method or HTTP verb (e.g. GET or POST). The list of methods is defined by various standards. Some of the methods have a potentially dangerous effect on the Web server and hence only a partial list of the methods is allowed by most Web servers. This anomaly detects a method that is not one of the following: GET, POST, HEAD, PUT, OPTIONS, TRACE, CONNECT, DELETE, LOCK, UNLOCK, PROPPATCH, PROPFIND, COPY, MOVE, MKCOL, SEARCH, RMDIR, INDEX, MKDIR, BCOPY, BDELETE, BMOVE, BPROPFIND, BPROPPATCH, NOTIFY, POLL, SUBSCRIBE, UNSUBSCRIBE. Such a method indicates an attempt to execute a dangerous and illegal operation on the Web server. (See Appendix G.)

• URL is Above Root Directory: The URL points to a file residing outside of the Web server's root directory. This usually indicates a directory traversal attack in which the attacker tries to access files outside of the root directory. In some poorly written applications, some embedded links may point outside of the Web server's root directory.

Note: Protocol violations also participate in several correlation rules (Malformed HTTP attacks). If you want to avoid receiving alerts that involve certain protocol violations, you need to disable them from the relevant correlation rules as well.
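Most of the violations above reduce to simple tests on the raw request, and it helps to see them as code when tuning thresholds or reproducing an alert. The Python checker below is an added example, not code from the AppXcel guide or product: it applies a subset of the violations listed above to one raw HTTP request and returns the names of those it finds. The allowed method list, the 15-header default and the HTTP version list (0.9, 1.0, 1.1) follow the text; the request parsing, the overlong-lead-byte test used for Redundant UTF-8 Encoding, and the cookie and header-line thresholds are assumptions. Violation names are the ones used in the list above.

```python
# Added example, not code from the AppXcel guide or product: applies a subset of
# the protocol violations described above to one raw HTTP request. Method list,
# version list and the 15-header default follow the text; parsing, the
# overlong-UTF-8 test and the remaining thresholds are assumptions.
import re
from urllib.parse import urlsplit, unquote, unquote_to_bytes

ALLOWED_METHODS = {
    "GET", "POST", "HEAD", "PUT", "OPTIONS", "TRACE", "CONNECT", "DELETE", "LOCK",
    "UNLOCK", "PROPPATCH", "PROPFIND", "COPY", "MOVE", "MKCOL", "SEARCH", "RMDIR",
    "INDEX", "MKDIR", "BCOPY", "BDELETE", "BMOVE", "BPROPFIND", "BPROPPATCH",
    "NOTIFY", "POLL", "SUBSCRIBE", "UNSUBSCRIBE"}
UNIQUE_HEADERS = {"content-length", "content-type", "host"}  # default list in the text
MAX_HEADERS = 15          # default from the text
MAX_COOKIES = 20          # assumption; the product leaves it configurable
MAX_HEADER_LINE = 4096    # assumption; the product leaves it configurable
PCT_BAD = re.compile(r"%(?![0-9A-Fa-f]{2})")   # '%' not followed by two hex digits
PCT_OK = re.compile(r"%[0-9A-Fa-f]{2}")
VERSION = re.compile(r"^HTTP/(0\.9|1\.0|1\.1)$")

def is_overlong_utf8(data):
    """True if data holds an overlong UTF-8 lead sequence (e.g. C0 AF for '/')."""
    for i, b in enumerate(data):
        nxt = data[i + 1] if i + 1 < len(data) else 0x80
        if b in (0xC0, 0xC1) or (b == 0xE0 and nxt < 0xA0) or (b == 0xF0 and nxt < 0x90):
            return True
    return False

def above_root(path):
    """True if '..' segments (after one level of decoding) climb past the root."""
    depth = 0
    for seg in unquote(path).split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def ctl(text):
    """Control characters other than NUL: the text's 'illegal byte code' range."""
    return any(0 < ord(c) < 32 or ord(c) == 127 for c in text)

def check_request(raw):
    """Return the protocol violations found in one raw HTTP request (bytes)."""
    found = []
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, version = (lines[0].split(" ") + ["", "", ""])[:3]
    if method not in ALLOWED_METHODS:
        found.append("Unknown HTTP Request Method")
    if not VERSION.match(version):
        found.append("Illegal HTTP Version")
    if not (target.startswith("/") or target.startswith("http://")):
        found.append("Malformed URL")
    url = urlsplit(target)
    if PCT_BAD.search(url.path):
        found.append("Illegal URL Path Encoding")
    if PCT_BAD.search(url.query):
        found.append("Illegal Parameter Encoding")
    if PCT_OK.search(unquote(target)):        # still percent-encoded after one decode
        found.append("Double URL encoding")
    if is_overlong_utf8(unquote_to_bytes(url.path)):
        found.append("Redundant UTF-8 Encoding")
    if above_root(url.path):
        found.append("URL is Above Root Directory")
    headers = lines[1:]
    if len(headers) > MAX_HEADERS:
        found.append("Too Many Headers per Request")
    seen = {}
    for line in headers:
        if ":" not in line:
            found.append("Malformed HTTP Header Line")
            continue
        name, value = line.split(":", 1)
        if "\x00" in line:
            found.append("NULL Character in Header Line")
        if ctl(line):
            found.append("Illegal Byte Code Character in Request")
        if len(line) > MAX_HEADER_LINE:
            found.append("Abnormally long header line")
        key = name.strip().lower()
        seen[key] = seen.get(key, 0) + 1
        if key == "host" and any(ord(c) < 32 or ord(c) > 126 for c in value.strip()):
            found.append("Illegal Host Name")
        if key == "cookie" and value.count(";") + 1 > MAX_COOKIES:
            found.append("Too Many Cookies in a Request")
    if any(n > 1 for k, n in seen.items() if k in UNIQUE_HEADERS):
        found.append("Redundant HTTP Headers")
    return found
```

Two design points are worth noting. The traversal check decodes the path exactly once before looking for '..', so `/%252e%252e/` is reported as Double URL encoding rather than as a traversal; a server that decodes twice would still be vulnerable, which is why the guide treats the double encoding itself as a violation. The control-character test follows the guide's 1 - 31 range literally, so a horizontal tab inside a header value is flagged even though the HTTP specification tolerates it; if your application emits such headers, adjust the check rather than disabling the rule.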


Web Worms Defender Rules

This section is only available for Web Server Groups. To defend against worm attacks, AppXcel WAF blocks unknown HTTP requests on specific directories that are usually targeted by worms. Before blocking, AppXcel WAF verifies that the request has no legitimate Host value and no legitimate session ID. You can add and remove directories on which this feature operates. Note that worm-protected directories must go through a learning period before AppXcel WAF starts protecting them, as explained below.

Figure 4-8 Web Worm Defender Rules Window


This window presents the following fields:

Web Worm Defender Rules: The name of the violation that the Worm Defender engine generates.
Enable: Enables the violation.
Alert: Choose the alert severity generated by the violation: Informative / Low / Medium / High.
Immediate Action:
   None: The worm is not blocked. Use this option for a log-only policy.
   Block: The AppXcel WAF immediately drops the packet that contains the suspected worm.
Followed Actions: Drop-down list of Action Policies (see Configuring Action Policies, page 4-4). If no action policies are defined, the list is empty.
Save: Saves the changes to the directories.

When you create a new Web server group, it is created with a list of preconfigured worm-protected directories. This list includes worm-susceptible directories such as default IIS and Apache directories. You can add and remove directories from this list as required. Note that the list mostly contains directories that are not part of your application. This is normal, as one of the main purposes of this feature is to block access to default directories that exist on the protected Web server and were created during the Web server's installation or the installation of add-on components.

In order to protect worm-susceptible directories, AppXcel WAF must first learn whether the protected application uses any URLs in these directories, as URLs that are legitimately used by the Web application are not blocked by the worm defender. Thus, when you create a new Web server group, all the worm-protected directories enter a learning period. During this period AppXcel WAF learns which URLs in these directories are used by the application. The learning period is different for each directory, and different directories can enter protect mode at different times, based on factors such as how much traffic AppXcel WAF has recorded for a specific directory. When a directory enters protect mode, AppXcel WAF starts generating Worm violations for it. AppXcel WAF automatically transfers directories from learn to protect mode; however, you can also manually switch directories between learn and protect mode.
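The learn/protect behaviour described above is easier to reason about as code. The Python sketch below is an added example, not code from the AppXcel guide or product: each worm-protected directory starts in learn mode, collects the URLs the application actually serves there, switches to protect mode once enough traffic has been seen (or when switched manually), and then reports a Worm violation for an unknown URL under that directory only if the request carries neither a legitimate Host value nor a session ID the application issued. The default directory list, the "a 200 response means the URL is legitimate" learning rule, the sample threshold and the session cookie name are all assumptions.

```python
# Added example, not code from the AppXcel guide or product: a toy Web Worm
# Defender following the behaviour described above. A worm-protected directory
# first learns which of its URLs the application really serves; once in protect
# mode, an unknown URL under it raises a Worm violation only when the request
# also carries neither a legitimate Host value nor a legitimate session ID.
# The directory list, the "200 means legitimate" learning rule, the sample
# threshold and the session cookie name are assumptions.
from collections import defaultdict

DEFAULT_WORM_DIRS = ("/scripts/", "/_vti_bin/", "/cgi-bin/", "/msadc/")  # assumed IIS/Apache defaults

class WormDefender:
    def __init__(self, hosts, session_cookie="JSESSIONID", min_samples=50):
        self.hosts = set(hosts)             # Host values the application is served under
        self.session_cookie = session_cookie
        self.min_samples = min_samples      # traffic seen before a directory auto-switches
        self.mode = {d: "learn" for d in DEFAULT_WORM_DIRS}
        self.known_urls = defaultdict(set)  # directory -> URLs the application uses there
        self.samples = defaultdict(int)
        self.sessions = set()               # session IDs issued by the application

    def directory_of(self, path):
        return next((d for d in self.mode if path.startswith(d)), None)

    def add_directory(self, directory):
        self.mode.setdefault(directory, "learn")   # new directories start in learn mode

    def switch(self, directory, mode):
        self.mode[directory] = mode         # "learn" or "protect": the manual override

    def observe_response(self, path, status, set_cookie=None):
        """Learn from the application's responses (learn mode only)."""
        d = self.directory_of(path)
        if d and self.mode[d] == "learn":
            self.samples[d] += 1
            if status == 200:
                self.known_urls[d].add(path)
            if self.samples[d] >= self.min_samples:
                self.mode[d] = "protect"
        if set_cookie and set_cookie.startswith(self.session_cookie + "="):
            self.sessions.add(set_cookie.split("=", 1)[1].split(";")[0])

    def check_request(self, path, host, cookies):
        """True when the request should raise a Worm violation."""
        d = self.directory_of(path)
        if d is None or self.mode[d] != "protect" or path in self.known_urls[d]:
            return False
        legit_host = host in self.hosts
        legit_session = cookies.get(self.session_cookie) in self.sessions
        return not legit_host and not legit_session

def demo():
    """Constructed traffic: two learned responses, then three probes."""
    wd = WormDefender(hosts=["www.example.com"], min_samples=2)
    wd.observe_response("/cgi-bin/search.pl", 200)
    wd.observe_response("/cgi-bin/search.pl", 200, set_cookie="JSESSIONID=abc123; Path=/")
    scanner = wd.check_request("/cgi-bin/formmail.pl", host="203.0.113.9", cookies={})
    user = wd.check_request("/cgi-bin/search.pl", host="www.example.com",
                            cookies={"JSESSIONID": "abc123"})
    broken_link = wd.check_request("/cgi-bin/missing.pl", host="www.example.com", cookies={})
    return wd.mode["/cgi-bin/"], scanner, user, broken_link
```

The third probe in `demo` shows why the Host and session checks exist: a user following a stale link to a missing script under /cgi-bin/ sends the site's real Host value, so it is not treated as a worm even though the URL is unknown. A worm scanning by IP address typically sends no Host header (or the raw address) and no session cookie, which is the pattern the violation targets.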


To manage the list of worm-protected directories:

1. Click the "clicking here" link on the bottom panel. The Worm Protected Directories window appears, as presented in Figure 4-9.
2. To add a new directory:
   a. Enter the directory name in the Directory field.
   b. Click Add. The directory is added in learn mode.
3. To delete directories:
   a. Select the check boxes to the left of the directories you wish to delete.
   b. Click Delete.
4. To switch directories between learn and protect mode:
   a. Select directories in learn mode, or select directories in protect mode.
   b. Click Switch to Learn/Protect.
   c. Click Close to close this window.

Figure 4-9 Worm Protected Directories


Profile Violation Rules

AppXcel WAF builds a dynamic profile of the Web traffic and compares incoming and outgoing HTTP messages against the learned profile. Any deviation from the profile generates a Profile Violation. This section allows you to enable, and take actions on, profile violations. The upper pane presents a list of the violations and their actions; the lower pane presents a description of the selected violation and the configuration parameters for those violations that can be configured.

Figure 4-10 Profile Violation Rules Window

This window presents the following fields:

Profile Violation Rules: List of available violations. See below for a description of the available violations.
Enable: Enables the action.
Alert: Choose the alert severity generated by the security event: Informative / Low / Medium / High.
Immediate Action:
   None: No immediate action is taken.
   Block: The AppXcel WAF immediately drops the packet that contains the violating HTTP message.
Followed Actions: Drop-down list of Action Policies (see Configuring Action Policies, page 4-4). If no action policies are defined, the list is empty.

The following profile violations are supported for Web server groups:

• Cookie Tampering: AppXcel WAF learns which cookies are protected and which are ignored (see the section on learning and profiling cookies for more information). A protected cookie is a cookie whose value, as assigned by the Web application, AppXcel WAF can always trace. The value of a protected cookie must remain fixed and must not be altered by the user's browser. AppXcel WAF traces protected cookies and stores the values assigned to them by the Web application during the entire user session. If a browser sends a protected cookie to the Web application with a different value than the one assigned by the Web application, AppXcel WAF invokes the Cookie Tampering violation.

• Cookie Injection: AppXcel WAF learns which cookies are protected and which are ignored. A protected cookie is a cookie whose value, as assigned by the Web application, AppXcel WAF can always trace. The value of a protected cookie must remain fixed and must not be altered by the user's browser. AppXcel WAF traces and remembers all protected cookies assigned by the Web application to each session. If a browser sends the Web application a protected cookie that was not assigned to it by the Web application, AppXcel WAF invokes the Cookie Injection violation.

• Custom Policy Rules: Custom policy rules allow you to generate alerts and optionally block traffic based on specific attributes of the HTTP request.

• Reuse of Expired Sessions' Cookies: When the user sends an HTTP request with an expired session, the Web server forces the user's browser to accept a new session identifier. This is a rather common scenario: for example, when the user leaves the browser open on a specific site for a few hours and, after returning, continues to browse the same site, it is likely that the original session has expired and the Web application forces the browser to accept a new session identifier. This violation is invoked if, after receiving the new session identifier, the user's browser continues to send protected cookies and protected cookie values that were assigned to the expired session. This is a security event because neither AppXcel WAF nor the application can tell whether these protected cookies were actually assigned to the browser by the Web application or were maliciously injected by the user, as the session expired together with all the relevant information. Note that as some applications allow this type of behavior, enabling this violation may lead to false positives. These false positives indicate a bad coding practice and most likely a security weakness that needs to be fixed.

• Parameter Value Length Violation: For each parameter AppXcel WAF learns, using statistical algorithms, the minimum and maximum length of the parameter. During Protect Mode, AppXcel WAF checks all parameter values against the learned profile. If the parameter length exceeds the learned lengths, AppXcel WAF invokes this violation.

• Parameter Unknown: AppXcel WAF learns the names of all parameters used by each URL. During Protect Mode, AppXcel WAF checks that each URL includes only the learned parameter names. If a URL includes a parameter name which is not part of the profile, AppXcel WAF invokes this violation.

• Required Parameter Not Found: AppXcel WAF learns the names of all parameters used by each URL. For each parameter, AppXcel WAF learns whether it's required or not (i.e. must be included or optional). During Protect Mode, if a required parameter is missing, AppXcel WAF invokes this violation.

• Parameter Type Violation: For each parameter AppXcel WAF learns the type of the parameter. For example, AppXcel WAF can learn that a certain parameter's values consist only of numbers. During protect mode, if a certain parameter value doesn't match the learned types, AppXcel WAF invokes this violation.

• Parameter Read Only Violation: AppXcel WAF learns which parameters are hidden parameters or embedded links whose values are set by the Web server and not changed manually by the user. During Protect Mode, AppXcel WAF traces the values that were set by the Web server and if the user manually altered a value, AppXcel WAF invokes this violation.

Note: The Parameter Read Only Violation must be enabled during learn mode in order for AppXcel WAF to learn which parameters are read-only. Currently this is the only violation that needs to be enabled during learn mode in order for AppXcel WAF to learn its behavior.


• Unauthorized URL Access: The AppXcel WAF administrator can lock directories in the Web profile. AppXcel WAF invokes this violation when someone tries to access a URL which is not listed in the profile and is part of a locked directory. Note that when someone tries to access a URL which is not listed in the profile and is not part of a locked directory, AppXcel WAF either ignores the request (in case the URL does not really exist on the Web application) or starts learning it (in case the URL does exist on the Web application).

• Unauthorized Method for Known URL: AppXcel WAF builds a profile of all allowed URLs. For each allowed URL the profile includes the allowed methods with that URL (e.g. GET, POST, HEAD). AppXcel WAF invokes this violation if, during Protect Mode, a known URL is sent with an unknown method.

• Too Many of the Same Response Code: During Protect Mode, AppXcel WAF counts the number of HTTP responses with the 200, 302, 304, 500, 400, 404, and 403 response codes. AppXcel WAF counts these responses for each session identifier and for each IP address that accesses the Web application. AppXcel WAF also counts these responses for all sources (i.e. all IP addresses) that access the Web application. If the number of responses for any of these sources exceeds the policy limit, AppXcel WAF generates this violation. You can control the policy limit by editing the table on the lower panel. The numbers in the table represent the maximum number of allowed responses of a specific code per five minutes. If, for example, you enter 100 in the Session/500 cell, AppXcel WAF generates this violation for each session identifier that generates more than 100 HTTP 500 response codes. Click Save after editing the table.
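The three cookie violations above (Cookie Tampering, Cookie Injection, and Reuse of Expired Sessions' Cookies) all rest on the same mechanism: remembering, per session, which values the application assigned to protected cookies and comparing what the browser sends back. The following is an added example, not AppXcel code and not from the original guide, that implements that bookkeeping in Python. It assumes the session identifier cookie is named JSESSIONID, takes the set of protected cookie names as given (the product learns it), and uses constructed traffic; it also keeps the expired session's values so that it can label the reuse case, whereas the guide notes that in practice that information is gone with the session.

```python
"""Protected-cookie tracking per session, modelled on the Cookie Tampering,
Cookie Injection and Reuse of Expired Sessions' Cookies violations.

Added example, not AppXcel code. Assumptions: the session identifier cookie
is named JSESSIONID, and the protected cookie names are given up front.
All traffic used here is constructed."""
from http.cookies import SimpleCookie

SESSION_COOKIE = "JSESSIONID"  # assumed session-identifier cookie name


class CookieTracker:
    def __init__(self, protected):
        self.protected = set(protected)   # cookie names treated as protected
        self.sessions = {}                # session id -> {cookie: value set by app}
        self.expired = set()              # session ids the app has replaced

    def observe_response(self, request_sid, set_cookie_headers):
        """Record every protected cookie the application assigns in a response.

        request_sid is the session id the request carried (None for a fresh
        visitor). Returns the session id the response belongs to."""
        jar = SimpleCookie()
        for header in set_cookie_headers:
            jar.load(header)
        sid = jar[SESSION_COOKIE].value if SESSION_COOKIE in jar else request_sid
        if request_sid is not None and sid != request_sid:
            # The application forced a new session identifier on the browser:
            # everything assigned to the old session is now expired.
            self.expired.add(request_sid)
        assigned = self.sessions.setdefault(sid, {})
        for name, morsel in jar.items():
            if name in self.protected:
                assigned[name] = morsel.value
        return sid

    def check_request(self, cookie_header):
        """Return the violations a request's Cookie header raises as
        (violation name, cookie name) pairs. Unprotected cookies are ignored."""
        jar = SimpleCookie()
        jar.load(cookie_header)
        sid = jar[SESSION_COOKIE].value if SESSION_COOKIE in jar else None
        assigned = self.sessions.get(sid, {})
        violations = []
        for name, morsel in jar.items():
            if name == SESSION_COOKIE or name not in self.protected:
                continue
            if name in assigned:
                if morsel.value != assigned[name]:
                    violations.append(("Cookie Tampering", name))
                continue
            # Not assigned to this session. If the value was assigned to a
            # session the application has since replaced, it is the reuse case;
            # otherwise the browser made the cookie up.
            reused = any(self.sessions.get(old, {}).get(name) == morsel.value
                         for old in self.expired)
            violations.append(("Reuse of Expired Sessions' Cookies" if reused
                               else "Cookie Injection", name))
        return violations
```

The tracker is driven from both directions of the traffic: every response's Set-Cookie headers go through observe_response, every request's Cookie header through check_request. A cookie that is not in the protected set (a client-side theme preference, say) never produces a violation, which is exactly the "ignored" class the guide describes.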

The following profile violations are available for Web servers that provide XML-based or SOAP services:

• Unauthorized SOAP Action: AppXcel WAF learns and builds a profile of all allowed SOAP actions for each URL. AppXcel WAF invokes this violation if the URL is accessed with a SOAP action not listed in the profile.

• XML Element/Attribute Value Length Violation: For each XML-based URL, AppXcel WAF learns and builds a profile of XML elements and XML attributes that have values in them. For each value AppXcel WAF learns, using statistical algorithms, the minimum and maximum length of the value. During Protect mode, AppXcel WAF checks all XML values against the learned profile. If the value length exceeds the learned lengths, AppXcel WAF invokes this violation.


• XML Element/Attribute Value Type Violation: For each XML-based URL, AppXcel WAF learns and builds a profile of XML elements and XML attributes that have values in them. For each value AppXcel WAF learns the type of the value. For example, AppXcel WAF can learn that a certain XML value consists of numbers only. During Protect mode, if a certain XML value does not match the learned types, AppXcel WAF invokes this violation.

• Required XML Element/Attribute Not Found: For each XML-based URL, AppXcel WAF learns and builds a profile of XML elements and XML attributes that have values in them. For each XML element or attribute, AppXcel WAF learns whether it is mandatory or optional. During Protect mode, if a mandatory XML element or attribute is missing, AppXcel WAF invokes this violation.

• Unknown XML Element/Attribute: For each XML-based URL, AppXcel WAF learns and builds a profile of XML elements and XML attributes that have values in them. During Protect mode, AppXcel WAF checks that each URL includes only the learned XML value names. If a URL includes a value name which is not part of the profile, AppXcel WAF invokes this violation.

• SOAP Access to a Non-SOAP URL: If an HTTP request includes a SOAP message but the URL was not profiled as a SOAP-enabled URL, AppXcel WAF invokes this violation.

• Non-SOAP Access to a SOAP-Only URL: If an HTTP request does not include a SOAP message but the URL was profiled as only being accessed through SOAP, AppXcel WAF invokes this violation.
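The parameter violations (Parameter Unknown, Required Parameter Not Found, Parameter Value Length, Parameter Type) and their XML counterparts above are one learn/check algorithm applied to different value sources. The following is an added example, not AppXcel code and not from the original guide, showing that algorithm in Python for URL query parameters; the same learn and check steps apply to XML element and attribute values once they are pulled out of the request body. The guide does not disclose its statistical length algorithm, so this example uses the observed minimum and maximum plus an optional margin, and it treats a parameter as required when it appeared in every learned request for the URL; the sample requests are constructed.

```python
"""Learn-mode profiling of URL parameters and Protect-mode enforcement of the
Parameter Unknown, Required Parameter Not Found, Parameter Value Length and
Parameter Type violations.

Added example, not AppXcel code. Length bounds are observed min/max plus a
margin, and "required" means present in every learned request (assumptions;
the product's statistics are not documented)."""
from urllib.parse import parse_qsl, urlsplit

# Value types ordered from most to least specific. A parameter is profiled as
# the most specific type that every learned value satisfied.
TYPES = [
    ("numeric", str.isdigit),
    ("alpha", str.isalpha),
    ("alphanumeric", str.isalnum),
    ("any", lambda v: True),
]


def split_request(url):
    parts = urlsplit(url)
    return parts.path, parse_qsl(parts.query, keep_blank_values=True)


class ParameterProfile:
    def __init__(self, length_margin=0):
        self.margin = length_margin
        self.requests = {}   # path -> number of learned requests
        self.params = {}     # path -> {name: {"seen", "min", "max", "type_ok"}}

    def learn(self, url):
        """Learn mode: fold one observed request into the URL's profile."""
        path, params = split_request(url)
        self.requests[path] = self.requests.get(path, 0) + 1
        profile = self.params.setdefault(path, {})
        for name, value in params:
            p = profile.setdefault(name, {
                "seen": 0, "min": len(value), "max": len(value),
                "type_ok": {t: True for t, _ in TYPES}})
            p["seen"] += 1
            p["min"] = min(p["min"], len(value))
            p["max"] = max(p["max"], len(value))
            for t, pred in TYPES:
                p["type_ok"][t] = p["type_ok"][t] and pred(value)

    def learned_type(self, p):
        return next(t for t, _ in TYPES if p["type_ok"][t])

    def is_required(self, path, p):
        return p["seen"] == self.requests[path]

    def check(self, url):
        """Protect mode: return the violations one request raises."""
        path, params = split_request(url)
        profile = self.params.get(path)
        if profile is None:
            return ["Unknown URL"]   # decided by the URL profile, not here
        violations = []
        present = {name for name, _ in params}
        for name, p in profile.items():
            if self.is_required(path, p) and name not in present:
                violations.append(f"Required Parameter Not Found: {name}")
        for name, value in params:
            p = profile.get(name)
            if p is None:
                violations.append(f"Parameter Unknown: {name}")
                continue
            if not (p["min"] - self.margin <= len(value) <= p["max"] + self.margin):
                violations.append(f"Parameter Value Length Violation: {name}")
            if not dict(TYPES)[self.learned_type(p)](value):
                violations.append(f"Parameter Type Violation: {name}")
        return violations
```

A margin of zero makes the profile as strict as the learned traffic; in a real deployment the learning period needs enough traffic for the observed range to cover legitimate values, which is why the guide's Too Many of the Same Response Code and Automated Profile Updates features exist alongside these checks.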

Custom Policy Rules

Custom policy rules allow you to generate alerts and optionally block traffic based on specific attributes of the HTTP request. Custom policy rules are manually configured and provide the power to perform operations that are not available through profile and protocol violation rules. For example, using custom policy rules you can limit access to specific URLs and directories based on the source IP address. You can also restrict the permitted HTTP headers, user agents (browsers), and more.

You can define as many custom policy rules as you want. However, each rule you define influences performance. Thus it is recommended to perform most operations using profile and protocol violations and to use custom policy rules only for operations that are impossible to perform using the profile or protocol violations.

When the HTTP request/response matches a certain custom policy rule, AppXcel WAF invokes the "Custom Policy Rule" violation. Note that the same violation is invoked for all custom policy rules. The Custom Policy Rule violation appears in the list of profile violations, although it is not really a profile violation.

You configure the Custom Policy Rules violation the way you configure any other profile violation, by setting the enable, alert level, immediate action, and followed action fields. Note that these fields are common to all the custom policy rules that you define.

To define a new custom policy rule, or to edit or delete an existing rule:

1. Access the Custom Policy Rules violation in the Profile violations section.
2. Click the click here link in the bottom panel of the Custom Policy Rules violation. The custom policy rules popup appears, as displayed in Figure 4-11.


Figure 4-11 Custom Policy Rules

3. To define a new custom policy rule:

a. Click Add.
b. Enter the rule's name (a description of the rule).
c. Select or clear the Do not block checkbox. This checkbox overrides the Immediate Action field of the Custom Policy Rules violation. If the Immediate Action field is set to Block, all custom policy rules invoke the immediate block action except for those with the Do not block checkbox selected.
d. Click Save. The rule is now created and you can edit its attributes to define the checks to perform.

4. To delete an existing rule:

a. Select the rule by checking the checkbox to the left of the rule's name.
b. Click Delete.

5. To edit an existing rule's attributes:

a. Enter values for the attributes you want to include in this rule. For each such attribute, select one of the available operations: =, <>, = (All), = (Any), <> (All), <> (Any).
b. Click Save.

Available attributes for Web server groups:

• Source IP: The HTTP request source IP. Select one of the available IP groups (see Appendix A for information about IP groups). To invoke this rule on HTTP requests that originate from this IP group, select the "=" operator. To invoke this rule on HTTP requests that do not originate from this IP group, select the "<>" operator. To ignore this attribute, select "None".

• Host Name: The HTTP request host name. Enter a single host name or a list of host names separated by commas. To invoke this rule on HTTP requests that target one of the host names on the list select the "= (Any)" operator. To invoke this rule on HTTP requests that do not target any of the host names on this list select the "<> (Any)" operator. To ignore this attribute leave this field empty.

• URL Prefix: The HTTP request's exact URL or prefix. Enter a single URL prefix or a list of prefixes separated by commas. To invoke this rule on HTTP requests that target any of the prefixes in the list select the "= (Any)" operator. To invoke this rule on HTTP requests that do not target any of the prefixes in this list select the "<> (Any)" operator. To ignore this attribute leave this field empty.

• Methods: The HTTP methods (for example GET or POST). Enter a single method or a list of methods separated by commas. To invoke this rule on HTTP requests that include any of the methods in the list select the "= (Any)" operator. To invoke this rule on HTTP requests that do not include any of the methods in the list select the "<> (Any)" operator. To ignore this attribute leave this field empty.

• Services: The service used for this connection. Select HTTP, HTTPS, or both. To invoke this rule on requests that include one of the selected services select the "= (Any)" operator. To invoke this rule on requests that do not include any of the selected services select the "<> (Any)" operator. To ignore this attribute leave this field empty.


• Session: Whether AppXcel™ WAF identified a session identifier on this request, and whether AppXcel WAF validated this session. A validated session is one whose identifier AppXcel WAF observed the application assigning. Select one of the three options, or None to ignore this attribute. For HTTP requests that match your selection, select the "=" operator. For HTTP requests that do not match your selection, select the "<>" operator.

• Request Headers: The HTTP header names on the request. Enter a single header name or a list of headers separated by commas. To invoke this rule on HTTP requests that include any of the headers on the list select the "= (Any)" operator. To invoke this rule on HTTP requests that do not include any of the headers in the list, select the "<> (Any)" operator. To ignore this attribute leave this field empty.

• Response Headers: This is the same as "Request Headers" though it is for the HTTP response only.

• Parameters: The URL parameter names in this request. Enter a single parameter name or a list of names separated by commas. To invoke this rule on HTTP requests that include any of the parameter names in the list select the "= (Any)" operator. To invoke this rule on HTTP requests that do not include any of the parameter names in the list select the "<> (Any)" operator. To ignore this attribute leave this field empty.

• File Types: The URL file type (for example .asp). Enter a single file type or a list of file types separated by commas. To invoke this rule on HTTP requests that include any of the file types in the list select the "= (Any)" operator. To invoke this rule on HTTP requests that do not include any of the file types in the list select the "<> (Any)" operator. To ignore this attribute leave this field empty.

• User-Agent: The value of the User-Agent HTTP header. The User-Agent header identifies the type of browser used. Enter a single agent name or a list of agents separated by commas. To invoke this rule on HTTP requests that include any of the agents in the list select the "= (Any)" operator. To invoke this rule on HTTP requests that do not include any of the agents in the list select the "<> (Any)" operator. To ignore this attribute leave this field empty.

• Content Types: The value of the Content-Type HTTP header. Enter a single content type (for example "text/plain") or a list of types separated by commas. To invoke this rule on HTTP requests that include any of the types in the list select the "= (Any)" operator. To invoke this rule on HTTP requests that do not include any of the types in the list select the "<> (Any)" operator. To ignore this attribute leave this field empty.


• Accept Language: The value of the Accept-Language HTTP header. Enter a single accepted language or a list of accepted languages separated by commas. To invoke this rule on HTTP requests that include any of the accepted languages in the list select the "= (Any)" operator. To invoke this rule on HTTP requests that do not include any of the accepted languages in the list select the "<> (Any)" operator. To ignore this attribute leave this field empty.

• Referrer Hostname: The hostname in the value of the Referrer HTTP header (for example www.radware.com). Enter a single hostname or a list of host names separated by commas. To invoke this rule on HTTP requests that include any of the host names in the list select the "= (Any)" operator. To invoke this rule on HTTP requests that do not include any of the host names in the list select the "<> (Any)" operator. To ignore this attribute leave this field empty.

• Referrer Hostname (profiled): The hostname in the value of the Referrer HTTP header (for example www.radware.com). Select "Profiled Hostnames" for all hostnames that are part of this server group's profile. To invoke this rule on HTTP requests that include any of the profiled host names select the "= (Any)" operator. To invoke this rule on HTTP requests that do not include any of the profiled host names select the "<> (Any)" operator. To ignore this attribute leave this field empty.

• Referrer URL Prefix: The URL prefix value of the Referrer HTTP header (for example www.radware.com/home/dynamic). Enter a single prefix or a list of prefixes separated by commas. To invoke this rule on HTTP requests that include any of the prefixes in the list select the "= (Any)" operator. To invoke this rule on HTTP requests that do not include any of the prefixes in the list select the "<> (Any)" operator. To ignore this attribute leave this field empty.

• Violations: Profile, protocol, firewall, and signature violations that were invoked on this HTTP request or response. Select one or more violations from the available list of violations. To invoke this rule on HTTP requests that include all of the violations you chose, select the "= (All)" operator. To invoke this rule on HTTP requests that include any of the violations you chose, select the "= (Any)" operator. To invoke this rule on HTTP requests that do not include any of the selected violations, select the "<> (Any)" operator. To ignore this attribute leave this field empty.

Note: When selecting multiple attributes in a single rule, the AND operator is used between the selected attributes. For example, if you enter a specific URL prefix and then a list of HTTP headers, the rule is invoked only if both the URL prefix and the headers match the values in the rule.
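The attribute list above is easier to reason about when the operator semantics and the AND between attributes are written down as code. The following is an added example, not AppXcel code and not from the original guide, that evaluates rules built from those attributes in Python: each condition is (attribute, operator, values), a rule fires only when all its conditions hold, every hit raises the single Custom Policy Rule violation, and the Do not block flag suppresses the block when the violation's Immediate Action is Block. The IP group, rules and requests are constructed, and matching User-Agent values as substrings is an assumption (the guide does not say how that comparison is made).

```python
"""Custom policy rule evaluation: =, <>, = (Any), = (All), <> (Any), <> (All),
AND between attributes, and the Do not block override.

Added example, not AppXcel code. IP group, rules and request are constructed;
User-Agent substring matching is an assumption."""
import ipaddress
from dataclasses import dataclass

IP_GROUPS = {"office": ["10.0.0.0/8", "192.168.1.0/24"]}  # constructed IP group


@dataclass
class Rule:
    name: str
    conditions: list          # [(attribute, operator, [values])]
    do_not_block: bool = False


def matches(req, attribute, value):
    """True if the request satisfies one listed value of one attribute."""
    path = req["url"].split("?", 1)[0]
    if attribute == "Source IP":
        ip = ipaddress.ip_address(req["source_ip"])
        return any(ip in ipaddress.ip_network(n) for n in IP_GROUPS[value])
    if attribute == "Host Name":
        return req["host"].lower() == value.lower()
    if attribute == "URL Prefix":
        return path.startswith(value)
    if attribute == "Methods":
        return req["method"].upper() == value.upper()
    if attribute == "Services":
        return req["service"] == value
    if attribute == "Request Headers":
        return value.lower() in {h.lower() for h in req["headers"]}
    if attribute == "Parameters":
        return value in req["params"]
    if attribute == "File Types":
        return path.endswith(value)
    if attribute == "User-Agent":
        return value in req["headers"].get("User-Agent", "")
    if attribute == "Violations":
        return value in req.get("violations", [])
    raise ValueError(f"unsupported attribute {attribute}")


def condition_holds(req, attribute, operator, values):
    hits = [matches(req, attribute, v) for v in values]
    if operator in ("=", "= (All)"):
        return all(hits)          # "=" is the single-valued form of "= (All)"
    if operator in ("<>", "<> (Any)"):
        return not any(hits)      # request includes none of the listed values
    if operator == "= (Any)":
        return any(hits)
    if operator == "<> (All)":
        return not all(hits)      # request is missing at least one listed value
    raise ValueError(f"unsupported operator {operator}")


def evaluate(rules, req, immediate_action="Block"):
    """Return (rule name, blocked?) for every rule the request matches.
    Conditions of one rule are ANDed; the block is skipped for rules that
    have Do not block set or when Immediate Action is not Block."""
    results = []
    for rule in rules:
        if all(condition_holds(req, *c) for c in rule.conditions):
            blocked = immediate_action == "Block" and not rule.do_not_block
            results.append((rule.name, blocked))
    return results


# Constructed rules and request for the demonstration.
RULES = [
    Rule("Admin area only from the office",
         [("URL Prefix", "= (Any)", ["/admin"]), ("Source IP", "<>", ["office"])]),
    Rule("Legacy browser", [("User-Agent", "= (Any)", ["MSIE 6.0"])], do_not_block=True),
    Rule("Proxy chain", [("Request Headers", "= (All)", ["X-Forwarded-For", "Via"])],
         do_not_block=True),
]
SAMPLE_REQUEST = {
    "source_ip": "203.0.113.5", "host": "www.example.com", "service": "HTTPS",
    "url": "/admin/users.asp?id=3", "method": "GET", "params": ["id"], "violations": [],
    "headers": {"Host": "www.example.com", "User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0)"},
}

if __name__ == "__main__":
    print(evaluate(RULES, SAMPLE_REQUEST))
```

Run as a script it prints the two rules the sample request matches, with only the first one blocking. The performance remark in the guide is visible here too: every rule is evaluated against every request, so the cost grows with the number of rules and their conditions.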


Correlation Rules

AppXcel™ WAF includes a correlation engine that correlates different types of security events over time. Correlation rules come as part of the AppXcel WAF software. Each correlation rule correlates different types of events and variables to detect different types of attacks. Correlation rules allow accurate detection and a low false positive rate as they rely on a sequence of security events and not a single event. You can enable and disable correlation rules and set the action policy to follow this event.

The upper pane of the Correlation Rules Window presents a list of the rules and their actions; the lower pane presents a description of the rule and its configuration, as relevant.


Figure 4-12 Correlation Rules Window

This window presents the following fields:

Correlation Rule: List of correlation rules. See below for a description of the available rules.

Enable: Enables the action.

Alert: Choose the alert severity generated by this security event: Informative / Low / Medium / High.

Followed Actions: Drop-down list of Action Policies (see Configuring Action Policies, page 4-4). If no action policies are defined, the list is empty.


The following correlation rules are available:

• Suspected Buffer Overflow Attack (Long Parameter Invokes Bad Reply): A correlation rule that detects buffer overflow attacks. This rule examines HTTP requests that invoked a Parameter Value Length profile violation. This rule is invoked if the length of the exceeding parameter value is longer than 512 bytes and the HTTP response either indicates an HTTP error code or generates a signature violation.

• Suspected Parameter Tampering Attack (Repeated Required Parameter Not Found Violation): A correlation rule that detects parameter tampering attacks. This rule is invoked if a sequence of at least five Required Parameter Not Found protocol violations for the same URL were invoked during a five minute time period. Each event occurs within one minute of the preceding event. All violations are associated with the same source IP address.

• Suspected Parameter Tampering Attack (Repeated Parameter Unknown): A correlation rule that detects parameter tampering attacks. This rule is invoked if a sequence of at least five Parameter Unknown protocol violations for the same URL were invoked during a five minute time period. Each event occurs within one minute of the preceding event. All violations are associated with the same source IP address.

• Suspected Parameter Tampering Attack (Repeated Parameter Value Length Violations): A correlation rule that detects parameter tampering attacks. This rule is invoked if a sequence of at least five Parameter Value Length Violation protocol violations for the same URL were invoked during a five minute time period. Each event occurs within one minute of the preceding event. All violations are associated with the same source IP address.

• Suspected Parameter Tampering Attack (Parameter Violation Generates Error Code): A correlation rule that detects parameter tampering attacks. This rule is invoked if an HTTP request generates a parameter profile violation (Required Parameter Not Found or Parameter Unknown or Parameter Type or Parameter Length) and the corresponding HTTP response indicates an HTTP error code.

• Suspected Source Code Leakage (Code in Response Follows a Request Violation): A correlation rule that detects source code leakage from the Web site. This rule is invoked if an HTTP request includes a Source Code Leakage signature or is not part of the profile, and the corresponding HTTP response includes a Source Code Leakage signature.


• Suspected Scanning Attack (Unprofiled URLs and Signatures): This rule detects scanning attacks, mainly automatic scanning tools. These tools generate a large amount of unprofiled URLs and signature violations. This rule is invoked if more than five unprofiled URLs combined with more than two HTTP signatures arrive from a common source IP address within three minutes.

• Suspected Scanning Attack (Signatures and Parameter Value Length Violations): This rule detects scanning attacks, mainly automatic scanning tools. This rule is invoked if more than two Parameter Value Length profile violations combined with more than two HTTP signature violations, arrive from a common source IP address within three minutes.

• Malformed HTTP Attack (Non compatible HTTP): This rule detects protocol compliance attacks. This rule is invoked if a sequence of more than four HTTP requests within three minutes generates an HTTP protocol violation. The requests must have the same source IP address. The time between each consecutive request must be no more than one minute. When you click on this rule the lower panel presents a list of the protocol violations that participate in this rule. You can enable and disable these protocol violations by checking or unchecking the checkbox and clicking Save.

• Malformed HTTP Attack (Non compatible HTTP Results Error code): This rule detects protocol compliance attacks. This rule is invoked if an HTTP request generates a protocol violation and the matching HTTP response indicates an HTTP error code. When you click on this rule the lower panel presents a list of the protocol violations that participate in this rule. You can enable and disable these protocol violations by checking or unchecking the checkbox and clicking Save.

• Malformed HTTP Attack (Non compatible HTTP With Signature): This rule detects protocol compliance attacks. This rule is invoked if a single HTTP request generates a protocol violation together with a signature violation. When you click on this rule the lower panel presents a list of protocol violations that participate in this rule. You can enable and disable these protocol violations by checking or unchecking the checkbox and clicking Save.

• Suspected Cookie Poisoning (Consecutive Cookie Tampering/Cookie Injection): This rule detects cookie brute force attacks in which the attacker alters cookie values that were set by the Web application. This rule is invoked if a sequence of at least two Cookie Injection or Cookie Tampering violations (according to either IP address or session) are generated within three minutes, from the same IP address and associated with the same URL.
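Two shapes of rule recur in the list above: a sequence rule (at least five violations of one kind for the same URL from the same source IP within five minutes, each within one minute of the preceding one, as in the Suspected Parameter Tampering rules) and a combination rule (more than five unprofiled URLs together with more than two signature violations from one source IP within three minutes, as in Suspected Scanning Attack). The following is an added example, not AppXcel code and not from the original guide, that implements both shapes in Python over a constructed event stream. The event fields and violation names are assumptions chosen to mirror the guide's wording; the thresholds are the ones the guide states.

```python
"""Two correlation-rule shapes: a sliding-run sequence rule and a windowed
combination rule, run over constructed events.

Added example, not AppXcel code. Event layout and violation names are
assumptions; thresholds follow the guide."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    t: float          # seconds since an arbitrary epoch
    src_ip: str
    url: str
    violation: str    # profile/protocol/signature violation name


def sequence_rule(events, violation, min_count=5, window=300, max_gap=60):
    """Return the (src_ip, url) keys that show min_count events of `violation`
    within `window` seconds, no two consecutive ones more than `max_gap`
    seconds apart."""
    times = defaultdict(list)
    for e in sorted(events, key=lambda e: e.t):
        if e.violation == violation:
            times[(e.src_ip, e.url)].append(e.t)
    fired = []
    for key, ts in times.items():
        run = []                      # sliding run of chained timestamps
        for t in ts:
            if run and t - run[-1] > max_gap:
                run = []              # chain broken: start a new run
            run.append(t)
            while t - run[0] > window:
                run.pop(0)            # keep the run inside the window
            if len(run) >= min_count:
                fired.append(key)
                break
    return fired


def combination_rule(events, thresholds, window=180):
    """Return source IPs for which, inside some `window`-second span, the count
    of every violation named in `thresholds` exceeds its threshold."""
    per_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e.t):
        if e.violation in thresholds:
            per_ip[e.src_ip].append(e)
    fired = []
    for ip, evs in per_ip.items():
        for i, first in enumerate(evs):
            span = [e for e in evs[i:] if e.t - first.t <= window]
            counts = {v: sum(e.violation == v for e in span) for v in thresholds}
            if all(counts[v] > thresholds[v] for v in thresholds):
                fired.append(ip)
                break
    return fired


def suspected_parameter_tampering(events):
    return sequence_rule(events, "Required Parameter Not Found")


def suspected_scanning(events):
    return combination_rule(events, {"Unprofiled URL": 5, "Signature": 2})


# Constructed sample stream: one client repeating /login every 30 s, one too
# slow to chain, one scanner over the threshold and one just under it.
SAMPLE_EVENTS = (
    [Event(30 * i, "198.51.100.7", "/login", "Required Parameter Not Found") for i in range(5)]
    + [Event(100 * i, "198.51.100.8", "/login", "Required Parameter Not Found") for i in range(5)]
    + [Event(10 * i, "203.0.113.9", f"/x{i}", "Unprofiled URL") for i in range(6)]
    + [Event(60 + 10 * i, "203.0.113.9", "/cgi-bin/test", "Signature") for i in range(3)]
    + [Event(10 * i, "203.0.113.10", f"/y{i}", "Unprofiled URL") for i in range(6)]
    + [Event(60 + 10 * i, "203.0.113.10", "/cgi-bin/test", "Signature") for i in range(2)]
)

if __name__ == "__main__":
    print(suspected_parameter_tampering(SAMPLE_EVENTS), suspected_scanning(SAMPLE_EVENTS))
```

The second client in the sample stream produces the same five violations as the first but 100 seconds apart, so the one-minute chaining requirement keeps the rule from firing; that requirement is what separates an automated tool from a user who occasionally submits a broken form.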


Section 4-4 Preventing Blocking of Specific IP Addresses

This section explains how to prevent blocking of specific IP addresses.

Some IP addresses should never be blocked, for example the IP address of your firewall or the IP address of your proxy server. AppXcel WAF allows you to configure a list of IP addresses that are never blocked, even if these IP addresses generate violations and alerts.

It is recommended to add the IP address of your firewall and of any reverse proxy you have in front of your Web applications to this list. Another common scenario for using this feature is when a large portion of the access to your Web application goes through specific proxy servers. In this case consider adding the IP addresses of these proxy servers to the list to prevent AppXcel WAF from blocking the entire proxy communication when one of the users generates alerts.

In order to configure this feature you first define a new IP group and add all required IP addresses to this group. For more information on configuring IP groups see Appendix A. Once the IP group is defined you instruct AppXcel WAF to use this IP group in this feature.

To prevent blocking of an IP group:

1. Click Global Settings.
2. Select Non-Blockable IP Addresses on the left tree menu. The Non-Blockable IP Addresses Window appears, as displayed in Figure 4-13.

Figure 4-13 Non-Blockable IP Addresses

3. In the Non-Blockable IP Addresses window, select the Do not block this IP group checkbox.
4. Select the IP group from the drop-down list.
5. Click Save.


To remove this option:

1. Click Global Settings.
2. Select Non-Blockable IP Addresses on the left tree menu. The Non-Blockable IP Addresses Window appears, as displayed in Figure 4-13 above.
3. Clear the Do not block this IP group check box.
4. Click Save.

To change the list of non-blockable IP addresses, edit the appropriate IP group (see Defining IP Groups).
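The point of the Non-Blockable IP group is that an exempt source still produces violations and alerts while the IP block is withheld, so a single user behind a shared proxy cannot get the whole proxy cut off. The following is an added example, not AppXcel code and not from the original guide, showing that decision in Python with a small block list. The IP group contents, the block duration and the timestamps are constructed; whether the product also withholds session blocking for exempt sources is not stated in this section and is not modelled.

```python
"""Applying a Non-Blockable IP group to block decisions: exempt sources are
logged but never IP-blocked.

Added example, not AppXcel code. Group contents, block duration and times
are constructed."""
import ipaddress


class Blocker:
    def __init__(self, ip_groups, non_blockable_group=None, block_seconds=600):
        # IP group name -> list of networks; the groups stand in for Appendix A's IP groups
        self.ip_groups = {name: [ipaddress.ip_network(n) for n in nets]
                          for name, nets in ip_groups.items()}
        # The group selected under "Do not block this IP group" (None = feature off)
        self.non_blockable_group = non_blockable_group
        self.block_seconds = block_seconds
        self.blocked_until = {}     # ip -> time the block expires
        self.alerts = []            # (ip, violation, action) audit log

    def is_non_blockable(self, ip):
        if self.non_blockable_group is None:
            return False
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ip_groups[self.non_blockable_group])

    def on_violation(self, ip, violation, now, block=True):
        """Record the alert and apply an IP block unless the source is exempt.
        Returns the action taken: "block" or "alert only"."""
        if block and not self.is_non_blockable(ip):
            self.blocked_until[ip] = now + self.block_seconds
            action = "block"
        else:
            action = "alert only"
        self.alerts.append((ip, violation, action))
        return action

    def is_blocked(self, ip, now):
        expiry = self.blocked_until.get(ip)
        return expiry is not None and now < expiry
```

Note that the exemption is checked at block time, not at alert time: the alert log for an exempt proxy address still fills up with the violations its users cause, which is what lets an operator notice the abusive user behind it through the session-level data in the alert.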


C H A P T E R 5
Monitoring

This chapter describes how to monitor alerts, logs and Gateways in the AppXcel™ WAF Activity Console.

This chapter includes the following sections:
• Section 5-1: Activity Console, page 5-2
• Section 5-2: Alerts, page 5-3
• Section 5-3: Gateways, page 5-21
• Section 5-4: Blocked Sources, page 5-24
• Section 5-5: Reports, page 5-26
• Section 5-6: System Log, page 5-35
• Section 5-7: Notifications, page 5-37


Section 5-1 Activity Console

This section explains how the AppXcel WAF Activity Console enables you to monitor intrusion attempts (in the form of Alerts), and system and progress status (to make sure the system is working as expected). The Activity Console has its own section in the AppXcel WAF Interface and is accessed by its tab in the top tab bar.

Introduction

The AppXcel WAF Activity Console collects and displays the system's recorded activity, including the following information:

• Alerts: AppXcel WAF saves the content of every alert generated.

• Gateways: Basic information on Firewall status and statistics.

• Blocked Sources: A list of all IP addresses and session IDs that are currently blocked. You can manually release currently blocked IPs and session IDs. The Currently Blocked Users Window includes a link to the Blocked Log. The Blocked Log is a list of all IP addresses and session IDs that were blocked during the last 72 hours.

• Reports: AppXcel WAF has extensive report capabilities covering alerts, violations, attacking IPs, and more.

• System Log: The AppXcel WAF Management Server log consists of information on each change to the product configuration, and important system events.


Section 5-2 Alerts

AppXcel™ WAF generates Alerts using the six detection engines: firewall, signature, protocol violation, Web worm, profile violation, and correlations.

This section includes the following topics:
• Reading Alerts, page 5-3
• Browsing Monitored Events, page 5-10
• Operations on Alerts, page 5-11
• Additional View options, page 5-12
• Browsing Alerts, page 5-13
• Sorting Alerts, page 5-13
• Filtering Alerts, page 5-15
• Clearing the Alerts List, page 5-16
• Clearing All Alerts that Match a Filter, page 5-16
• Alert Aggregation, page 5-17

Reading Alerts

This section describes how to read the various Alerts, including those that can assist you in acknowledging automated profile updates and system violations.

To read alerts:

1. Click Activity Console.
2. Click Alerts in the left tree menu. The Alerts Window appears, as displayed in Figure 5-1.


Figure 5-1 Alerts Window

Note: Alerts in red are those that generated a block command. Block commands can be immediate or the result of an action policy that includes an IP or session block.


The following information is presented for each alert (each field is shown with an icon in the Alerts Window):

Alert Severity: Icon indicating the severity of the alert: Information, Low Severity, Medium Severity, or High Severity.

This field is manually set and allows you to mark specific alerts according to the following:
! Important Alert: Use it to mark important alerts that require further inspection.
Acknowledged Alert: Acknowledging an alert is useful for automated profile updates (see the section on automated profile updates). If a certain alert is acknowledged, the Automated Profile Updates feature does not use it to update the profile. For example, if a certain new URL appears in a large group of URLs, the Automated Profile Update feature may add it to the profile. To avoid that, mark one of the alerts as acknowledged and the feature does not update the URL.
X Dismissed Alert: A dismissed alert is an alert that was reviewed and identified as a false positive by the operator.

No: Alert number. A unique number automatically assigned to each Alert.

Time: Date and time the Alert was generated.

Type: Alert type, shown as an icon. One of the following options: Firewall, Signature, HTTP Worm, Protocol Violation, Profile Violation, Correlation. In addition, next to each of these type icons one or more of the following icons can appear: an icon indicating that this security event generated an immediate block command, and an icon indicating that this is an aggregated alert.

Source IP: The source IP address that generated the alert.

Server Group: The name of the destination server group.


Description: Alert description. Includes different information for different types of alerts:
• Firewall: Blocked service name or port number
• Signature: Signature name
• Protocol violation: Violation name
• Profile Violations: Violation name
• Worms: URL accessed
• Correlation rules: Correlation rule name

Note: You can click the hide button to hide informative alerts, and the show button to show them again.

Select an Alert to display its details in the bottom panel. The details depend on the type of alert:

• All types:
  • Immediate Action: Blocked/None. Provides information on whether an immediate action was taken to block the connection.
  • Information regarding alert aggregation: Whether this alert aggregates several alerts, the time aggregation started, the time it ended and the aggregation rule.
  • Followed Action policy name.
  • If the Action Policy includes a Monitor action then a link "View Monitored Events" appears near the Action Policy's name.

• Firewall Events:
  • Service name
  • Source Port
  • Destination Port
  • Protocol (TCP/UDP/ICMP)

• Signature Events:
  • Full dump of the packet (for Snort-based dictionaries)
  • Full request and response code for HTTP signatures in Radware Web dictionaries

• Protocol Violations:
  • Full HTTP request and response code

• Profile Violations:
  • Full HTTP request and response code for HTTP violations

• Worms:
  • URL and Method (e.g. GET, POST)

• Correlation Rules:
  • Rule and description
  • The violations and information associated with each violation
  • For HTTP - The full HTTP requests and the response codes (URL, headers, parameters, cookies)

Three buttons may appear near each violation:

• Add to Profile button: This button appears near Unknown URL and Untreatable Cookie profile violations. By clicking this button you can add the URL or the cookie to the profile. Use this button in case of false positives to immediately add the URL or cookie to the profile.

• Knowledge Base button: This button appears near each violation description. By clicking the button you invoke the knowledge base. The knowledge base provides detailed information about the violation, the attacks associated with it, and false positives scenarios. The knowledge base is a great tool for learning more about application security and the suspected attack.

• Show Signature button: This link appears near each Signature violation. It opens the signature Window, displaying the signature that caused the violation. (This button represents both Show Signature and View Profile, depending on the violation.)

• View Profile button: This button appears near each Profile violation. It opens the Server Group > Profiles > Learned URLs window for viewing details on the selected Alert's URL.


Figure 5-2 Knowledge Base Window


Browsing Monitored Events
An Action Policy may include a Monitor command. In this case a "Click to view monitored events" link appears near the policy name in the bottom panel, as displayed in Figure 5-3.

Figure 5-3 Link to Monitored Events Window


Click the link to view monitored events, as displayed in Figure 5-4.

Figure 5-4 Monitored Events Window

The window presents the first monitored event. Use the buttons in the top-right corner to browse monitored events.

Operations on Alerts
The following operations may be performed on a single alert or a group of alerts. Select the check box to the left of each alert row to select an alert or a group of alerts.

• Mark selected alerts as Acknowledged.
• Mark selected alerts as Dismissed.
• Mark selected alerts as Important.


Additional View Options
The following options for modifying the view appear in the Alert View window:

• Clear the Acknowledged/Dismissed/Important mark for the selected alerts.
• Clear All Alerts: deletes all alerts. If a filter is applied the button reads "Clear Filtered Alerts" and deletes only the filtered alerts.
• Delete the selected alerts.
• Open the Alert viewer in a separate window.
• Refresh the display.
• Show informative alerts.
• Hide informative alerts.
• Open the Filter window.
• Remove the filter.
• Open the Sort window.


Browsing Alerts
AppXcel WAF displays up to 200 alerts per page. You can browse the pages using the following options:

• Go to the first page.
• Present a list of the previous 5 pages.
• Present a list of the next 5 pages.
• Go to a specific page out of the 5 presented. Click the relevant page number.
• Set the number of alerts displayed on each page. Select the number from the drop-down list.

Sorting Alerts
The advanced sort enables you to sort by parameters that do not appear in the Alert View: Type, Number, Severity and IP Address.

To perform advanced sorting on the alert view:

1. Click the sort button. The Advanced Sort window appears, as displayed in Figure 5-5.

Figure 5-5 Advanced Sort Window

2. To add a sort parameter:
   a. Select the field name from the drop-down list.
   b. Select the field's sort order, ascending or descending, from the drop-down list.
   c. Click Add.
   d. Repeat steps a to c to add all the fields according to which you want to sort. Add fields in order of sort priority.
3. To remove a field from the list, click the field's name and then click Remove.
4. Click Save to close the window and execute the sort.


Filtering Alerts
AppXcel WAF enables the alert viewer to filter alerts according to their characteristics.

To filter alerts:

1. Click the filter button. The Filter window appears, as displayed in Figure 5-6.

Figure 5-6 Filter Window

The Filter window displays all the fields according to which you can filter alerts. Fill in the values for the fields by which alerts are to be filtered. The viewer uses the AND operator between the fields if more than one field is filled. For example, if Source IP is set to 200.200.200.100 and Alert Type to Signatures, the viewer displays all signature alerts that originated from 200.200.200.100.


2. Enter a date either in the format MMM DD, YYYY (e.g. Jun. 11, 2003), or click the calendar button and pick a date from the calendar window.
3. Click OK to execute the filter or Cancel to cancel.

A filter can be removed by clicking the Clear Filter button.
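The filtering and advanced-sort behaviour described in this section (filled-in filter fields combined with AND, each field compared with = or <>, and sort fields applied in priority order with their own ascending or descending direction) is easy to get subtly wrong when reproduced outside the product, for example when post-processing an exported List of Alerts report. The following Python is an added example written for this page, not code from AppXcel WAF; the alert field names, the severity ranking and the sample alerts are this example's own assumptions. It also sorts IP addresses numerically rather than as strings, which is the usual mistake in home-grown alert tooling.

```python
import ipaddress
from operator import eq, ne

# Assumed severity ranking so that "sort by severity" orders by seriousness,
# not alphabetically (Informative < Low < Medium < High).
SEVERITY_RANK = {"Informative": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed sample alerts (not product data) with the fields the Alert View
# filters and sorts on.
SAMPLE_ALERTS = [
    {"number": 101, "type": "Signature", "severity": "High",
     "src_ip": "200.200.200.100", "server_group": "web"},
    {"number": 102, "type": "Firewall", "severity": "Low",
     "src_ip": "200.200.200.100", "server_group": "web"},
    {"number": 103, "type": "Signature", "severity": "Medium",
     "src_ip": "10.0.0.50", "server_group": "web"},
    {"number": 104, "type": "Signature", "severity": "High",
     "src_ip": "10.0.0.9", "server_group": "intranet"},
    {"number": 105, "type": "Profile Violation", "severity": "Informative",
     "src_ip": "10.0.0.9", "server_group": "web"},
]

# The two operators the Filter window offers for most fields.
OPS = {"=": eq, "<>": ne}


def filter_alerts(alerts, criteria):
    """Apply Filter-window criteria: a list of (field, op, value), op in {"=", "<>"}.

    Every filled-in field must match, i.e. the criteria are ANDed together, which
    is how the Alert View combines multiple fields.
    """
    def matches(alert):
        return all(OPS[op](alert[field], value) for field, op, value in criteria)
    return [a for a in alerts if matches(a)]


def _sort_key(field):
    # IP addresses must not be compared as strings ("10.0.0.50" < "10.0.0.9"
    # lexically), and severities sort by rank rather than by name.
    if field == "src_ip":
        return lambda a: ipaddress.ip_address(a[field])
    if field == "severity":
        return lambda a: SEVERITY_RANK[a[field]]
    return lambda a: a[field]


def sort_alerts(alerts, sort_fields):
    """Advanced sort: sort_fields is [(field, "asc" | "desc"), ...] in priority order.

    Python's sort is stable, so sorting by the lowest-priority field first and the
    highest-priority field last gives a multi-key sort with mixed directions.
    """
    result = list(alerts)
    for field, order in reversed(sort_fields):
        result.sort(key=_sort_key(field), reverse=(order == "desc"))
    return result


def alert_numbers(alerts):
    """Alert numbers in the given order, for inspection and checking."""
    return [a["number"] for a in alerts]


if __name__ == "__main__":
    # The manual's own example: Source IP = 200.200.200.100 AND Type = Signature.
    hits = filter_alerts(SAMPLE_ALERTS, [("src_ip", "=", "200.200.200.100"),
                                         ("type", "=", "Signature")])
    print("filter:", alert_numbers(hits))
    # Everything except Informative alerts, highest severity first, then by IP.
    ordered = sort_alerts(filter_alerts(SAMPLE_ALERTS, [("severity", "<>", "Informative")]),
                          [("severity", "desc"), ("src_ip", "asc")])
    print("sorted:", alert_numbers(ordered))
```

Adding sort fields in priority order in the Advanced Sort window corresponds to the `sort_fields` list here; the reversed loop is what makes the first field added the dominant one.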

Note: For most fields you can select either = or <>. With = the viewer shows all alerts whose field equals the value entered; with <> it shows all alerts whose field does not equal the value entered.

Clearing the Alerts List
The following steps describe how to clear the entire Alerts List.

To delete the entire Alerts List:

1. Ensure no alert filter is applied.
2. Click Clear All Alerts. The Clear All Alerts window appears requesting confirmation.
3. Click OK to clear all alerts.

Note: Clearing the Alerts list is irreversible. If you need a record of the alerts, generate a List of Alerts report (see Alert Analysis Reports) before clearing.

Clearing All Alerts that Match a Filter
The following steps describe how to clear all the alerts that match a particular filter.


To delete all alerts that match a certain filter:

1. In the Filter window, apply a filter.
2. In the Filter window, click Clear All Filtered Alerts. The Clear All Filtered Alerts window appears requesting confirmation.
3. Click OK to clear the filtered alerts.

Alert Aggregation
To avoid alert storms, AppXcel WAF aggregates similar alerts into a single alert. An alert storm can occur when your servers are constantly attacked by the same type of attack, or when there is a false positive. An example of a false positive is when the firewall feature has been used to block a service that users require and many computers are trying to access that service. The alert aggregation mechanism handles multiple alerts in order to prevent thousands of similar alerts from being generated. Alert aggregation is enabled for all layers.

Aggregation occurs according to the following rules:

• Network Firewall Aggregation Rules:
  a. All Firewall alerts with the same source IP, destination server group, destination port and protocol are aggregated into a single alert. As these alerts are all similar, only the content of the first alert is presented.
  b. All Firewall alerts with the same source IP, protocol (i.e. TCP, UDP) and destination server group are aggregated into a single alert. This rule aggregates Firewall alerts with different destination ports (for example, a port scan). The first 100 distinct accessed ports are presented in the aggregated alert.
  c. All Firewall alerts with the same destination server group, protocol (i.e. TCP, UDP) and destination port are aggregated into a single alert. This rule aggregates Firewall alerts generated when the sources differ but the destination port is the same. The first 20 distinct source IP addresses are presented in the alert.

• Signature Aggregation Rules:
  a. All Signature alerts with the same session or source IP, the same destination server group, protocol and attack type are aggregated into a single alert. As these alerts are all very similar, only the content of the first alert is presented.
  b. All Signature alerts with the same session or source IP and the same destination server group and protocol are aggregated into a single alert. This rule aggregates Signature alerts when different signatures originate from the same source (e.g. a scanner). The first 100 distinct signatures are presented in the alert.
  c. All Signature alerts with the same destination server group, protocol and attack type are aggregated into a single alert. This rule aggregates similar Signature alerts generated by different sources. This type of aggregation could indicate a false positive or a widespread worm. The first 20 distinct sources are presented in the alert.

• Worm Aggregation Rules:
  a. All Web Worm alerts with the same source IP, destination server group, HTTP host name, URL and HTTP method are aggregated into a single alert. As these alerts are all similar, only the content of the first alert is presented.
  b. All Web Worm alerts with the same source IP and destination server group are aggregated into a single alert. This rule aggregates Worm alerts with different URLs that all originate from the same source (e.g. a URL guessing attack). The first 100 distinct URLs are presented in the alert.
  c. All Web Worm alerts with the same destination server group, destination host name, URL and method are aggregated into a single alert. This rule aggregates Worm alerts generated by different sources that all target the same URL. This could indicate a false positive (i.e. the URL exists but is not part of the profile) or a widespread worm. The first 20 distinct sources are presented in the alert.

• Protocol Violation Aggregation Rules:
  a. All protocol violation alerts with the same source IP or source session, the same destination server group, and the same violation type are aggregated into a single alert. As these alerts are all similar, only the content of the first alert is presented.
  b. All protocol violation alerts with the same destination server group and the same violation type are aggregated into a single alert. This rule aggregates protocol violation alerts generated by different sources. The first 20 distinct sources are presented in the alert.

• Cookie-related Profile Violation Aggregation Rules:
  a. All cookie-related profile violation alerts with the same source IP or source session, the same destination server group, and the same cookie name are aggregated into a single alert. As these alerts are all similar, only the content of the first alert is presented.
  b. All cookie-related profile violation alerts with the same destination server group and the same cookie name are aggregated into a single alert. This rule aggregates profile violation alerts generated by different sources but on the same cookie name. This could indicate a false positive (i.e. the cookie is not traceable) or a widespread attack. The first 20 distinct sources are presented.

• Parameter-related Profile Violation Aggregation Rules:
  a. All parameter-related profile violation alerts with the same source IP or source session, the same destination server group, and the same HTTP host name, URL, method and parameter name are aggregated into a single alert. As these are all similar alerts, only the content of the first alert is presented.
  b. All parameter-related profile violation alerts with the same destination server group and the same HTTP host name, URL, method and parameter name are aggregated into a single alert. This rule aggregates profile violation alerts generated by different sources but on the same parameter name. This could indicate a false positive (i.e. the parameter's actual behavior differs from the profiled behavior) or a widespread attack. The first 20 distinct sources are presented.

• Response Code Profile Violation Aggregation Rules:
  a. All response code profile violation alerts with the same source IP or source session, the same destination server group, and the same response code are aggregated into a single alert. As these are all similar alerts, only the content of the first alert is presented.
  b. All response code profile violation alerts with the same destination server group and the same response code are aggregated into a single alert. This rule aggregates profile violation alerts generated by different sources but on the same response code. The first 20 distinct sources are presented.

• URL-related Profile Violation Aggregation Rules:
  a. All URL-related profile violation alerts with the same source IP or source session, the same destination server group, and the same HTTP host name, URL and method are aggregated into a single alert. As these are all similar alerts, only the content of the first alert is presented.
  b. All URL-related profile violation alerts with the same destination server group and the same HTTP host name, URL and method are aggregated into a single alert. This rule aggregates profile violation alerts generated by different sources but on the same URL. This could indicate a false positive (i.e. the URL exists but is not part of the profile) or a widespread attack. The first 20 distinct sources are presented.
  c. All URL-related profile violation alerts with the same destination server group and the same source IP or source session are aggregated into a single alert. This rule aggregates profile violation alerts generated by the same source but on different URLs. This could indicate a false positive or a widespread attack. The first 100 distinct URLs are presented.

• Correlation Rule Aggregation Rules:
  a. All Correlation alerts with the same source IP or source session and the same destination server group are aggregated into a single alert. As these are all similar alerts, only the content of the first alert is presented.

When aggregating alerts, AppXcel WAF presents only a single alert row in the alert viewer. A folder icon is presented near the alert type icon to indicate that the alert is aggregated. If the rule aggregates different sources (i.e. IP addresses or sessions), another folder icon appears next to the IP address field to indicate that the presented IP address is the first of possibly multiple IP addresses. If the rule aggregates different event properties (for example different signatures, services, URLs or cookies), another folder icon appears next to the Description field to indicate that the presented description belongs to the first aggregated alert.

When you select the alert and view the bottom panel, AppXcel WAF presents the time at which aggregation started and the time at which it ended. If the aggregation has not ended, the time of the last alert in the sequence is presented.

Aggregation of the same alert continues until an hour passes without the alert being generated. If the alert is generated again after that hour, it is aggregated into a new alert. Thus, if an alert storm occurs, a large number of aggregated alerts can be generated on a particular day. A single alert aggregation ends after six hours; if the same alert is still being generated after six hours, a new alert aggregation starts.
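All of the aggregation rules above share one mechanism: alerts whose grouping fields are equal are folded into the open aggregate for that key, the content of the first alert is what gets displayed, only a capped number of distinct values of the field that is allowed to vary (ports, signatures, URLs, sources) are retained, and the aggregate closes after an hour without a matching alert or after six hours in total. The following Python is an added example written for this page, not AppXcel WAF code. It implements that mechanism for one rule at a time, using Firewall rules (b) and (c) as the worked cases; the page does not say how the product arbitrates between overlapping rules such as Firewall rules (a), (b) and (c), so the example does not attempt that. The field names, the `fw()` helper and the sample alert stream are this example's own.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Time limits stated in the manual: an aggregation closes once an hour passes with
# no new matching alert, and a single aggregation never spans more than six hours.
IDLE_TIMEOUT = timedelta(hours=1)
MAX_SPAN = timedelta(hours=6)


@dataclass
class Aggregate:
    key: dict                 # the field values the rule groups on
    first: dict               # the viewer shows the content of the first alert
    start: datetime           # time aggregation started
    end: datetime             # time of the last alert folded in so far
    count: int = 1
    distinct: List = field(default_factory=list)  # first `cap` distinct varying values


def aggregate(alerts, key_fields, vary_field=None, cap=100):
    """Fold a stream of alerts into aggregated alerts under one aggregation rule.

    key_fields: fields that must be equal for two alerts to be aggregated
    (e.g. source IP, protocol and server group for Firewall rule b).
    vary_field: the field allowed to differ inside the aggregate (destination
    port for rule b); only the first `cap` distinct values are retained.
    """
    open_aggs: Dict[tuple, Aggregate] = {}
    closed: List[Aggregate] = []
    for alert in sorted(alerts, key=lambda a: a["time"]):
        key = tuple(alert[f] for f in key_fields)
        agg: Optional[Aggregate] = open_aggs.get(key)
        if agg is not None and (alert["time"] - agg.end > IDLE_TIMEOUT
                                or alert["time"] - agg.start > MAX_SPAN):
            closed.append(open_aggs.pop(key))  # window expired: a new aggregate starts
            agg = None
        if agg is None:
            agg = Aggregate(key=dict(zip(key_fields, key)), first=alert,
                            start=alert["time"], end=alert["time"])
            if vary_field is not None:
                agg.distinct.append(alert[vary_field])
            open_aggs[key] = agg
            continue
        agg.count += 1
        agg.end = alert["time"]
        if vary_field is not None:
            value = alert[vary_field]
            if value not in agg.distinct and len(agg.distinct) < cap:
                agg.distinct.append(value)
    return closed + list(open_aggs.values())


def find(aggregates, **wanted):
    """Aggregates whose grouping key matches every field given in `wanted`."""
    return [g for g in aggregates if all(g.key.get(k) == v for k, v in wanted.items())]


# Firewall aggregation rules (b) and (c) as described in the text. Field names
# are this example's own, not the product's.
RULE_B = dict(key_fields=("src_ip", "proto", "server_group"), vary_field="dst_port", cap=100)
RULE_C = dict(key_fields=("server_group", "proto", "dst_port"), vary_field="src_ip", cap=20)

T0 = datetime(2008, 1, 15, 9, 0, 0)


def fw(offset_seconds, src_ip, dst_port, server_group="web"):
    """Build a constructed Firewall alert `offset_seconds` after T0."""
    return {"time": T0 + timedelta(seconds=offset_seconds), "type": "Firewall",
            "src_ip": src_ip, "server_group": server_group, "proto": "TCP",
            "dst_port": dst_port}


# Constructed sample stream: a five-port scan from 10.0.0.5 at 09:00, an unrelated
# hit on port 22 from 10.0.0.9 at 09:30, and 10.0.0.5 returning to port 22 at 11:00
# (more than an hour after its scan, so it opens a new aggregate).
SAMPLE_ALERTS = ([fw(i, "10.0.0.5", 20 + i) for i in range(5)]
                 + [fw(30 * 60, "10.0.0.9", 22), fw(2 * 3600, "10.0.0.5", 22)])


if __name__ == "__main__":
    for name, rule in (("rule b", RULE_B), ("rule c", RULE_C)):
        print("---", name)
        for g in aggregate(SAMPLE_ALERTS, **rule):
            print(g.key, "count:", g.count, "distinct:", g.distinct,
                  g.start.strftime("%H:%M:%S"), "->", g.end.strftime("%H:%M:%S"))
```

Under rule (b) the scan collapses to one row carrying five distinct ports, while the 11:00 hit from the same source becomes a separate row because the hour-long idle window had passed. Rule (c) is the one to watch operationally: a distributed attack on a single port or URL collapses into one row that displays at most the first 20 sources, so the count and the aggregation window in the detail panel, not the number of rows, indicate its scale. Conversely, a source that probes less than once an hour never aggregates and appears as separate alerts.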


Section 5-3 Gateways
This section explains the functionality of the Gateways window.
This section contains the following topics:
• Gateways - Introduction, page 5-21

Gateways - Introduction
The status and load of the AppXcel WAF gateways are monitored constantly.

To view the Gateways window:

1. Click Activity Console.
2. Select Gateways on the tree menu. The Gateways window appears.

The Gateways window displays status, errors and load for each AppXcel WAF gateway, as displayed in Figure 5-7.

Figure 5-7 Gateways Window


3. Click the Gateway name. The statistics of the selected Gateway are displayed:

Gateway Name: The name of the Gateway. Inline gateways are identified by the inline icon.

Status: One of the following:
  • Running: The gateway is up and running.
  • Loading: The gateway is loading a new configuration after Activate Settings has been selected.
  • Down: The gateway is down.
  • Disconnected: The management server cannot connect to the gateway.
  • Gateway Failure: The gateway is down due to a failure.
  • Internal Error: The gateway is up but one or more of its modules failed.
  • Connection Stalled: The connection between the gateway and the management server has stalled due to memory problems on the management server. The gateway is running.
  • Connecting: The management server is trying to establish a connection with the gateway.

Mbit / sec: The current throughput on the gateway in Mbit/sec.

HTTP Events / sec: The total number of HTTP requests currently passing through the gateway.

CPU Utilization: The current CPU utilization of the gateway's kernel.

Topology: Gateway topology.

IP Address: The gateway's management NIC IP address.

Fail Mode: See Warnings below.

Warnings: A list of warnings generated by the Gateway.

Up Since: The last time the gateway rebooted.

Connections / sec: The number of new TCP connections per second passing through the gateway.

View Histogram: Opens a Microsoft Excel file (CSV format) with the gateway's statistics from the last 72 hours.

Blocked Ambiguous Packets / Min.: The total number of ambiguous packets blocked recently.

Overload Policy: The action taken by the gateway when it is overloaded with traffic:
  • Pass: the gateway passes queued packets without inspection when it is overloaded. This is a fail-open setting: for as long as the overload lasts, traffic reaches the protected servers uninspected.
  • Block: the gateway postpones or blocks packets when it is overloaded with traffic.
  To change the policy, click the Change Policy link and select the check box if you do not want the gateway to postpone or block packets when it is overloaded.

List of Server Groups Protected by this Gateway: Lists the Server Groups monitored by the Gateway and their status: the name of the Server Group, and whether the gateway monitors this server group (running) or not.


Section 5-4 Blocked Sources
This section explains how to view and manually release blocked sources.
This section contains the following topics:
• Blocked Sources - Introduction, page 5-24

Blocked Sources - Introduction
There are two blocked sources views: Currently Blocked Sources, and a log of the sources that were blocked in the last 72 hours. In the Currently Blocked Sources view, you can manually release blocked IP addresses and sessions.

To view all currently blocked IP addresses and sessions:

1. Click Activity Console.
2. Select Currently Blocked Sources in the left tree menu. The Currently Blocked Sources window appears, as displayed in Figure 5-8.

All columns can be sorted alphanumerically by clicking the sort button. The highlighted icon indicates the sorted column and the sort direction.


Figure 5-8 Currently Blocked Sources Window

This window displays blocked IPs and sessions with the following columns:

Blocked By: The context of blocking, either IP Address or Session. When you select a row to be released, the context determines what is released: if the context is IP Address, the blocked IP address is released; if the context is Session, the blocked session is released.

Session ID: The session ID associated with this block.

IP Address: The IP address associated with this block.

Time: The time at which the block duration began.

Release Time: The time at which the source is released.

Alert No: The alert number associated with this block. Click the number to view the alert.

To release blocked sessions / IPs:

1. Select the session(s)/IP(s).
2. Click Release.

To view a log of all blocked sources in the last 72 hours, click the View Log link. This window presents the same details as the Currently Blocked Sources window.


Section 5-5 Reports
This section explains how to view and produce reports.
This section contains the following topics:
• Reports - Introduction, page 5-26
• Alert Analysis Reports, page 5-30
• Top 20/100 Reports, page 5-31
• Profile Reports, page 5-32
• Assessment Reports, page 5-33

Reports - Introduction
AppXcel WAF provides a wide range of reports. To generate a report, you assign values to the report's input parameters. The following is a general description of creating reports; the sub-sections that follow describe each report in detail.

To generate a report:

1. Click Activity Console.
2. Expand the Reports folder.
3. Click a report category. The Reports window appears, as displayed in Figure 5-9.

Figure 5-9 Reports Window

4. Click a report name. The Selected Report Parameters window appears.
5. Enter or select values for the report parameters, as described in the following table (most reports include a subset of the parameters below):

Report Period: The time interval during which the alerts or violations were generated.

Source IP: Attacker's source IP. Leave blank to include all IPs.

Server Group: List of targeted Server Groups. You can select multiple Server Groups by holding down Ctrl while clicking the Server Group names. You must select at least one Server Group.

Severity: Alert severity to be included in the report: Informative, High, Medium, Low. You can select multiple entries by holding down Ctrl while clicking the severity levels.

Type: The alert type to be included in the report: Firewall, Signature, Worm, Protocol Violations, Profile Violations, Correlated. You can select multiple entries by holding down Ctrl while clicking the types.

Time Frame: The time frame during which the alerts or violations were generated. Select a time frame from the combo box.

Date: A specific day during which the alerts were generated.

6. Click OK. The report appears; Figure 5-10 shows a typical Top 20 Attacking IPs report.


Figure 5-10 Top 20 Attacking IPs Report Window

You can browse the report by using the following buttons:

• Go to the first page
• Go to the previous page
• Go to the next page
• Go to the last page
• Go to a specific page
• Search for text

7. To export a report or open it in another format, click the Export button and select a format from the drop-down list: Crystal Reports (RPT), Acrobat Format (PDF), MS Word, MS Excel 97-2000, MS Excel 97-2000 (Data only), Rich Text Format.
8. To print a report, click the Print button.
9. To change the size of the report, select a zoom size from the drop-down list, ranging from 25% to 400%.

Alert Analysis Reports
This category includes reports that either print subsets of the alerts database or the results of an analysis of the alert database. Available reports in this category are:

• Alerts by Severity Type Report: This report presents a pie graph of informative, high, medium and low severity alerts for one or more Server Groups. The input parameter window allows you to select a report period and server groups.

• List of Alerts Report: This report presents a list of all alerts and the alert details. Each alert is presented in one line, and includes: the alert number, arrival time, severity, alert type, source IP address, Server Group and description. The alert details are presented below each summary line. If the alert is an aggregated alert, you can open a window that contains detailed information on all the alerts which were aggregated. The input parameter window allows you to select a report period, source IP (leave blank to include any IP), server groups and alert severities.


• List of Alerts Summary Report: This report presents a list of all alerts. The summary of each alert is presented in one line, and includes: the alert number, arrival time, severity, alert type, IP address, session ID and Server Group. The input parameter window allows you to select a report period, source IP (leave blank to include any IP), server groups, and alert severities.

• Number of Alerts per Day Report: This report presents a graph with the number of alerts generated each day. Each column is divided into four color coded sections: informative, high, medium and low severity. The input parameter window allows you to select a report period and server groups.

• Number of Alerts per IP - Daily: This report presents a graph with the number of alerts generated by the selected IP, as distributed over the selected time period. The input parameter window allows you to select a time frame (either the last 5 or 10 days) and a source IP.

• Number of Alerts per IP - Hourly: This report presents a graph with the number of alerts generated per hour during the selected day, by the selected IP. The input parameter window allows you to select a specific day and a specific source IP.

• Number of Alerts per Server Group Report: This report presents a graph with the number of alerts for each Server Group defined in the system. Each column is divided into four color coded sections: informative, high, medium and low severity. The input parameter window allows you to select a report period.

• Distribution of HTTP Protocol Alerts Report: This report presents a graph with the number of instances of each HTTP Protocol violation type. The input parameter window allows you to select a report period and server groups.

Top 20/100 Reports
This category includes reports that present the top 20 or top 100 items in graphical and textual format, for management and fine-tuning.

• Top 20 Attacking IPs Report: This report presents a graph of the 20 IP addresses perpetrating the highest number of attacks on the system. The report presents a list of all the attacking IP addresses sorted by the number of alerts per IP address. The input parameter window allows you to select the report period.


• Top 20 Signatures Report: This report presents a graph of the 20 signatures that generated the most violations. The report presents a list of all alerted signatures sorted by the number of alerts per signature. The input parameter window allows you to select a report period and server groups.

• Top 100 Unauthorized URLs Report: This report presents a list of the 100 URLs that produced the most Unauthorized URL violations for the selected Server Group(s). For each URL it lists: the server group, the occurrence, method, host and URL. The input parameter window allows you to select a report period and server groups.

• Top 20 Suspected Worms Report: This report presents a graph of the 20 URLs that produced the most Worm violations for the selected Server Group(s). The report presents a list of all the URLs that produced Worm violations, sorted by the number of alerts per URL. The input parameter window allows you to select a report period and server groups.

• Top 20 Alerted Firewall Services Report: This report presents a graph of the 20 services that were alerted most often by the firewall layer. The report presents a list of all the alerted services sorted by the number of alerts per service. The input parameter page allows you to select a report period and server groups.

• Top 20 Alerted Signature Services Report: This report presents a graph of the 20 services that were alerted most often by the signatures layer. The report presents a list of all alerted services sorted by the number of alerts per service. The input parameter window allows you to select a report period and server groups.

Profile Reports
This category includes reports on the learning progress of the profile layer.

• In Learning vs. Protected URL Groups: This report presents a pie chart with URL groups in learning vs. URL groups in protection.

• Distribution of HTTP Profile Violation Report: This report presents a graph with the number of instances of each HTTP Profile violation type. The input parameter window allows you to select a report period and server groups.

Note: Other reports listed in the management interface, including those for SQL are not implemented.


• Number of URLs that Entered Protection per Day: This report presents a graph with the number of unique URLs that were switched from learn to protect mode during each day. The input parameter window allows you to select a report period and server groups.

• Number of URLs Added to the Profile per Day: This report presents a graph with the number of unique URLs that entered the profile during each day. The input parameter window allows you to select a report period and server groups.

Assessment Reports
This category includes a set of assessment reports that analyze Web profiles.

• Top Accessed URLs Assessment: This report presents all URLs in the profile. It does not present URLs that are pending. For each URL it presents: the Host Group, URL, Method and Occurrence (how many times this URL was observed during Learn mode). The URLs are ordered by occurrence (descending). For each URL it also presents a list of parameters; for each parameter it presents the name, minimum size, maximum size, required, read only and prefix. The input parameter window allows you to select server groups.

• Least Accessed URLs Assessment: This report presents all URLs that are pending. It does not present URLs in the profile. For each URL it presents: the Host Group, URL, Method and Occurrence (how many times this URL was observed during Learn mode). The URLs are ordered by occurrence (ascending). For each URL the report also presents a list of parameters; for each parameter it presents the name, minimum size, maximum size, required, read only and prefix. The input parameter window allows you to select server groups.

• Broken Links Report: This report presents all broken links in the selected web server groups. For each link the report presents the referrer fields used to access the URL.

• Broken References Report: This report presents all broken references in the selected web server groups. A broken reference is a link to a URL that does not exist, where the link is located not on the protected web application but on a different web application (for example Google). For each link the report presents the referrer fields used to access the URL.


Note: The following reports are not implemented in this version: Database IP Sources Assessment, User Access Assessment, Database Default Packages And Stored Procedures Assessment, Database System Objects Access Assessment, Database Users Assessment, Large Queries Assessment, Least Accessed Queries Assessment, Top Accessed Queries Assessment and User Privilege Assessment.


Section 5-6 System Log
This section explains how to view and configure the system log.
This section contains the following topics:
• System Log - Introduction, page 5-35

System Log - Introduction
The system log includes activities related to signature updates, changes to configuration, activation of settings, building profiles, automatic profile updates, rebuilding database indexes, server start/stop, etc.

To view the system log:

1. Click Activity Console.
2. Click System Log in the left tree menu. The System Log window appears, as displayed in Figure 5-11.

Figure 5-11 System Log


The fields listed in this window are:

Type: One of three event types: an event generated by an ADC user, an event generated by the AppXcel WAF system, or a failed event.
User: The username that generated this event. If the event was generated by the AppXcel WAF system, the username is System.
Time: The time of the event.
Message: A description of the event.


Section 5-7 Notifications

This section explains the Notifications window, which allows you to get email notification on important system events. This section includes the following topics:

• Notifications - Introduction, page 5-37

Notifications - Introduction

The Notifications window allows you to get email notification on important system events. The events supported in this version are:

• When the Automated Profile Update engine changes the profile: Each time the Automated Profile Update engine updates one of the profiles, an email notification is sent to the list of recipients. The notification includes details about the change.
• When a gateway goes up: When a gateway that was down comes up, an email notification is sent to the list of recipients. The notification includes details about the gateway.
• When a gateway goes down: When a gateway that was up goes down, an email notification is sent to the list of recipients. The notification includes details about the gateway.
• When the AppXcel WAF internal database approaches or passes its limit: See Appendix E - Database Overflow Protection.
• When the number of ambiguous packets blocked by a gateway passes a configured threshold.

To set email notification:

1. Click Activity Console.
2. Click Notification in the left tree menu. The Notifications window appears, as displayed in Figure 5-12.


Figure 5-12 Notifications

3. Check the Send email notification using the following email interface checkbox to enable this feature.
4. Select an Email Interface from the combo box.
5. Select the notifications you would like to receive.
6. Click Save.


Chapter 6 - Web Profiles

This chapter describes how to configure Dynamic Profiling for AppXcel™ WAF and includes the following sections:

• Section 6-1: Dynamic Profiling, page 6-2


Section 6-1 Dynamic Profiling

This section describes monitoring all interactions between users and Web servers. This section contains the following topics:

• Dynamic Profiling - Introduction, page 6-2
• Web Server Group Profiles, page 6-2
• URLs Profile, page 6-3
• URL Patterns, page 6-32

Dynamic Profiling - Introduction

Immediately after you create a new Web server group, Dynamic Profiling begins monitoring all interactions between users and Web servers to automatically build a profile of the application's normal structure and dynamics. Then, by comparing profiles to actual traffic, AppXcel WAF can identify and block potentially malicious activity of any kind. The dynamic profiles can be manually changed, and information can be added and removed.

This layer allows AppXcel WAF to detect and protect against threats which are specific to the custom code of the Web application, such as unauthorized values to a specific Web page. These types of attacks cannot be detected by signature or firewall mechanisms. They require a learning phase in which the product learns the structure of each protected URL. AppXcel WAF automatically builds these profiles and uses them to detect deviations (or violations) and block attacks on the custom code of the application.

Web Server Group Profiles

A Server Group of the Web Server type includes three configurable profiles:

• URLs
• URL Patterns
• Cookie Profiles


To view these profiles:

1. Expand the Server Group's submenu.
2. Expand Profiles under the Server Group's name.
3. Click the profile name to display the profile in the data page.

URLs Profile

The URLs profile is the baseline from which AppXcel WAF detects deviations and generates violations on URLs that users request from protected Web servers. The URLs profile includes the following information:

• A list of host names used by this server group.
• A list of URLs used by this server group.
• HTTP methods used by each URL.
• A list of parameters included in each URL.
• A set of attributes for each parameter: value type, minimum length, maximum length, whether or not it is required, whether or not it is a read-only parameter, and whether or not it is a parameter prefix.

AppXcel WAF automatically builds the URLs profile based on actual traffic to the protected Web servers. The profile is built gradually: each URL starts in learn mode and can be put into protect mode when enough information is gathered.

When you create a new Web server group, AppXcel WAF monitors HTTP and HTTPS traffic to this server group. AppXcel WAF identifies all the host names (for example www.radware.com) used by this server group and lists them in the host groups page. AppXcel WAF automatically adds all host names to a single host group and treats them as if they belong to the same application. You can manually extract hosts from the default host group and instruct AppXcel WAF to learn these hosts separately as if they are different applications.

For each host group AppXcel WAF learns its entire set of URLs. Each URL that AppXcel WAF sees for the first time is added to the profile in learn mode. After a period of time, when AppXcel WAF gathers enough observations of this URL, it switches its mode from learn to protect and starts generating violations and actions whenever a deviation from its profile occurs.

Note that AppXcel WAF avoids learning URLs which do not actually exist on the protected Web servers. When AppXcel WAF sees a request for a URL which is not part of the profile, it first checks the response code before adding this URL to the profile. If the response indicates that this URL does not exist (for example an HTTP 404 Not Found response), AppXcel WAF ignores this URL and does not add it to the profile. Otherwise, AppXcel WAF adds this URL to the profile and starts learning it.

The profile view presents all URLs and their mode (i.e. Learn, Protect). AppXcel WAF automatically switches URLs from learn mode to protect mode. The URL mode is changed when AppXcel WAF gathers enough information on the specific URL, so at any given time the list of URLs can contain groups in either of the two modes. When a URL is in protect mode, AppXcel WAF starts generating violations and actions whenever a deviation from the profile occurs (see Error! Reference source not found. for a complete list of deviations).

For each URL AppXcel WAF learns the following information:

• HTTP Methods: a list of HTTP methods (for example GET, POST, OPTIONS, or HEAD) used with this URL.
• Parameters: a list of parameters used with this URL. For each parameter AppXcel WAF learns the following information:
  a. Whether this parameter is required (i.e. must appear with each request of this URL) or not.
  b. Minimum and maximum parameter length.
  c. Allowed value types.
  d. Whether or not this parameter is Read-Only (i.e. either a hidden field or part of an embedded link).

The following actions can be performed on learned URLs:

• Add URLs manually
• Edit URL
• Delete URLs
• Manually switch URLs between learn mode and protect mode
• Lock and release URLs
• Lock and release directories
• Define parameter prefixes
• Delete parameter prefixes
• Add parameters to URLs
• Remove parameters from URLs
• Determine minimum and maximum number of characters in a parameter
• Determine if the parameter is required
• Define the parameter value type
• Release read-only parameters
• Define URL patterns
• Define host mapping
• Define host groups


The URLs that the system learned are displayed in both tree and list views. The tree view is the default. It gives an overall system view of the URLs according to their paths. The list view is more convenient as a working mode. It also provides a sort function.

To switch between tree and list view:

• Select the Tree / List option near Display.

Browsing the Tree View

To view the URL path tree:

1. Follow the procedure in section Web Server Group Profiles, page 6-2 to display the Server Group's profiles.
2. Click URLs under URL Profiles. The URLs window appears, as displayed in Figure 6-1.

Figure 6-1 URLs Window (Tree View)

The Tree View appears in the window's top panel. Only the root is visible when the window first appears.

3. Expand the root icon.


The tree appears and displays directory and URL (file) icons.
4. Expand the directory icon. The tree displays another layer in the tree.
5. Continue opening the directories until the desired parts of the tree are visible.
6. Click on one of the URL icons. The URL's properties appear in a table below the Tree View, as displayed in Figure 6-1.

Each URL can have one of the following icons:

• Regular URL in Learn Mode
• Regular URL in Protect Mode
• Broken Link in Learn Mode
• Broken Link in Protect Mode
• Broken Reference in Learn Mode
• Broken Reference in Protect Mode

A broken link is a link on one of the site's pages that points to a non-existing URL. Users that click this link get a 404 Not Found reply. Broken links can occur for a variety of reasons. For example, the page could have been deliberately removed but some links to it have been left. Another reason could be an attacker that tries to delete pages from the site, or pages that were mistakenly deleted during maintenance jobs. AppXcel WAF automatically identifies broken links and presents them in the profile.

A broken reference is a web link to one of the pages on the protected Web site. Unlike broken links, broken references are presented on external web sites (for example directories and search engines) and not on the protected web site itself. Users that click on broken references generate a request for a non-existing URL on the protected Web site and get a 404 Not Found reply in response. AppXcel WAF automatically identifies broken references and presents them in the profile.


When selecting a broken link or a broken reference, it's possible to view its referrals (i.e. the URLs that point to this link) by clicking the Referrals … button below the profile window.

The following icon indicates that this URL is locked. A locked URL is not updated by the automated profile update engine.

The following icon indicates that this directory is locked. Access to URLs in this directory that are not specifically listed in the profile generates an Unauthorized URL Access violation.

Browsing the List View

The following section describes how to browse the List View.

To view the URL path tree:

1. Follow the procedure in Section Web Server Group Profiles, page 6-2 to display the Server Group's profiles.
2. Click URLs under URL Profiles. The URLs page appears, as displayed in Figure 6-1.
3. Click List near Display.
   a. The list view appears, as displayed in Figure 6-2.


Figure 6-2 Learned URLs Window (List View)


   b. The list view includes five columns:

Host Group: The host group name to which the URL belongs.
URL: The actual URL.
HTTP Methods: The methods by which this URL is called (e.g. GET, POST).
Average response time during learning: During Learn mode AppXcel WAF learns the average response time of each URL (the time that elapses between sending the HTTP request to the web server and receiving a response from the web server).
Occurrence: The exact number of times this URL was seen during Learn Mode.
Number of parameters: The number of parameters defined for the URL.

URLs are presented in windows. AppXcel WAF displays up to 200 URLs per page. You can browse the pages using the following options:

• Set the number of URLs displayed on each page. Select the number from the drop-down list.
• Go to the first page.
• Go to the last page.
• Go to the previous page.
• Go to the next page.
• Go to a specific page. Select the page number from the drop-down list.

To view a URL's parameters and statistics:

• Click on the URL. The URL's properties are presented below the list view.


Filtering URLs

AppXcel WAF enables the profile viewer to filter the URLs displayed according to their characteristics.

To filter URLs:

1. Click the Filter button. The Filter window appears, as displayed in Figure 6-3.

Figure 6-3 Filter URLs Window

The window displays all the fields by which queries can be filtered. Fill in the values of the fields to define the filter. The viewer uses the AND operator between the fields if more than one field is filled. For example, if the Host field is set to myhost and HTTP Method is GET, the viewer displays all the URLs that belong to myhost and use the GET method.

Note that you can select either equal to (=) or not equal to (<>) for all fields. For the Occurrence field you can also use less than (<) and greater than (>). The viewer displays all the URLs that are equal to the value entered when = is selected. The viewer displays all URLs that are not equal to the value entered when <> is selected. The viewer displays all URLs whose occurrence is greater than the value entered when > is selected. The viewer displays all URLs whose occurrence is less than the value entered when < is selected.


For the URL field you can also select the LIKE option. For example: home/ab returns all the URLs that include the text "home/ab".

2. Click OK to execute the filter or Cancel to cancel.

A filter can be removed by clicking the remove button in the Learned URLs Window.

Sorting URLs

URLs can be sorted according to a specific field. This feature is only available in List view.

URLs can be sorted by Host, URL, HTTP Method, Occurrence, and Average Response Time. Click the down arrow icon in the header to sort URLs according to the specific field. The icon turns yellow when clicked, indicating that URLs are sorted according to this field.

The profile viewer also includes an advanced sorting option to sort URLs according to multiple fields and according to fields that do not appear in the URL line.

Note: The filter option is a presentation option, modifying the display to include the filtered URLs only. It does not filter any URLs from the profiling process.

Note: This feature is only available in List view.


To perform advanced sorting:

1. Click on the Sort button for advanced sorting. The Advanced Sort window appears, as displayed in Figure 6-4. In this window you can define the fields and their order. Notice that the current sort order already appears in the window.

Figure 6-4 Advanced Sort Window

2. To add a field:
   a. Select the field name from the field name drop-down list.
   b. Select the field's sort order, ascending or descending, from the sort drop-down list.
   c. Click Add.
3. Repeat step 2 until all the fields according to which you want to sort are added to the list. Add fields according to the desired sort order.
4. To remove a field from the list, select the field name and click Remove.
5. Click Save to execute the sort, or Cancel to cancel.

Adding URLs to the URLs List

URLs may be manually added to the URLs list.

To add a URL:

1. Follow the procedures in to display a tree view of the learned URLs.
2. Click Add URL. The Add URL window appears, as displayed in Figure 6-5.


Figure 6-5 Add URL Window

3. Select the host group to which this URL belongs.
4. Enter the URL relative to the root.
5. Select the HTTP Methods from the checkboxes. See Appendix G for further explanation on HTTP methods.
6. Select the SOAP checkbox if this URL contains SOAP messages:
   a. Enter a SOAP action name and click Add.
   b. Repeat step a until all actions are added.
   c. Click Save.

Note: It is not recommended to manually add URLs, as AppXcel™ WAF automatically detects new URLs and adds them to learning.

Editing URLs

The URLs' attributes can be edited and changed.


To edit the URL's attributes:

1. Follow the procedures in Sections Browsing the Tree View, page 6-5 and Browsing the List View, page 6-7 to display a tree or list view of the learned URLs.
2. Select one of the URLs in the tree/list view.
3. Click the Edit button below the tree/list view. The Edit URL Methods window appears, as displayed in Figure 6-6.

Figure 6-6 Edit Methods Window

4. Make the required changes.
5. Click Save to save the changed settings or Cancel to cancel.

Deleting URLs from the URLs List

Deleting a URL deletes that URL completely from the Profiles.


To delete a URL from the URLs list:

1. Follow the procedures in Browsing the Tree View, page 6-5 and Browsing the List View, page 6-7 to display a tree or list view of the learned URLs.
2. Select a URL in the tree/list view.
3. Click Delete URL below the tree/list view. A delete confirmation window appears, as displayed in Figure 6-7.

Figure 6-7 Delete URL Confirmation Window

4. Click OK to delete the URL or Cancel to cancel.

Note: Deleting a URL deletes that URL completely from the Profiles. The URL reappears if AppXcel WAF continues to see requests to this URL.

Switching between Learn and Protect Mode

You can manually switch a URL from learn mode to protect mode. There is no real reason to do so, as AppXcel WAF automatically switches URLs from learn mode to protect mode when enough observations are gathered. However, the administrator can review the URL and reach a decision that it's ready for protect mode before AppXcel WAF automatically reaches the same decision.

You cannot edit URLs and URLs' parameters when these URLs are in learn mode. You must first switch the URL to protect mode or wait for it to be switched automatically, and then edit it.

To switch a URL to protect mode, select the URL (in tree view) or check the URLs you want to switch (in list view) and click "Switch to Protect Mode".

You can also manually switch a URL from protect mode to learn mode. You do that if you know the URL has changed and you want AppXcel WAF to immediately start learning the changes, or if you reached a decision that AppXcel WAF hasn't learned certain URLs properly.

To switch a URL to learn mode, select the URL (in tree view) or check the URLs you want to switch (in list view) and click "Switch to Learn Mode".


URLs which are switched to learn mode automatically return to protect mode after a grace period.

Locking and Unlocking URLs

URLs in protect mode can be updated by the automatic profile updates (APU) mechanism (see Error! Reference source not found.). The APU can update things such as allowed methods, list of parameters, parameter lengths, allowed values for parameters and more. You can prevent the APU from updating specific URLs by locking them. By default all URLs are unlocked, thus if you wish to prevent the APU from updating certain files, you must manually lock them.

To lock a URL, click the URL (in tree view) or check the URLs you wish to lock (in list view) and click the Lock URL button. Locked URLs have a key on their icon.

To unlock a URL, click the URL (in tree view) or check the URLs you wish to unlock (in list view) and click the Unlock URL button. Unlocked URLs are updated by the APU.

Locking and Unlocking Directories

When AppXcel WAF sees a request for a URL that is not listed in the profile, AppXcel WAF immediately starts learning this URL. For some directories you might want to prevent this type of behavior. Consider for example a directory that consists of administrative pages which you do not want to be part of the profile, as you do not want to allow users to access them, although they exist. In this scenario, you can ensure the pages are not part of the profile, or delete them if they are, and lock the directories they belong to so they do not appear again.

When AppXcel WAF sees a request for a URL that is not listed in the profile and belongs to a locked directory, AppXcel WAF does not learn this URL and instead generates the Unauthorized URL Access violation.

You can only lock directories from the tree view. To lock a directory, click the directory and then click the Lock button. Locked directories have a key image on their icon. To unlock a directory, click the directory and then click the Unlock button.
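To make the learning, locking and mode-switching behaviour of the URLs profile concrete, here is an added Python model (not Radware's code): it ignores 404 responses, switches a URL from learn to protect after an assumed number of observations, refuses to learn URLs under a locked directory, and lets a locked URL reject APU updates. The threshold, class names and violation strings are assumptions.

```python
from dataclasses import dataclass, field

LEARN, PROTECT = "learn", "protect"
OBSERVATIONS_TO_PROTECT = 5   # assumed threshold; the guide gives no number


@dataclass
class UrlEntry:
    mode: str = LEARN
    methods: set = field(default_factory=set)   # learned HTTP methods
    occurrence: int = 0                         # times seen during Learn mode
    locked: bool = False                        # locked URLs are not updated by the APU


@dataclass
class Observation:
    """One request/response pair seen by the WAF (constructed sample data)."""
    url: str
    method: str
    status: int


class UrlsProfile:
    def __init__(self):
        self.urls = {}            # url -> UrlEntry
        self.locked_dirs = set()  # directory prefixes locked from the tree view

    def lock_directory(self, directory):
        self.locked_dirs.add(directory.rstrip("/") + "/")

    def _in_locked_dir(self, url):
        return any(url.startswith(d) for d in self.locked_dirs)

    def observe(self, obs):
        """Process one observation; returns a violation name or None if allowed."""
        entry = self.urls.get(obs.url)
        if entry is None:
            # A URL that is not in the profile and lives under a locked
            # directory is never learned: it is an Unauthorized URL Access.
            if self._in_locked_dir(obs.url):
                return "Unauthorized URL Access"
            # Check the response code first: a 404 means the URL does not
            # exist on the server, so it must not enter the profile.
            if obs.status == 404:
                return None
            entry = self.urls[obs.url] = UrlEntry()
        if entry.mode == LEARN:
            # Learn mode: record what is seen, never generate violations.
            entry.methods.add(obs.method)
            entry.occurrence += 1
            if entry.occurrence >= OBSERVATIONS_TO_PROTECT:
                entry.mode = PROTECT   # automatic switch once enough is known
            return None
        # Protect mode: a deviation from the learned profile is a violation.
        if obs.method not in entry.methods:
            return "Profile Violation: unknown HTTP method"
        return None

    def switch_mode(self, url, mode):
        """Manual 'Switch to Learn Mode' / 'Switch to Protect Mode' buttons."""
        self.urls[url].mode = mode

    def lock_url(self, url):
        self.urls[url].locked = True

    def unlock_url(self, url):
        self.urls[url].locked = False

    def apu_add_method(self, url, method):
        """Automatic profile update of a protected URL; refused when the URL
        is locked. Returns True when the profile was changed."""
        entry = self.urls[url]
        if entry.locked:
            return False
        entry.methods.add(method)
        return True
```
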


Setting Methods for All URLs Under a Specific Directory

You can manually set the HTTP methods of all URLs under a specific directory, including all of its sub-directories.

To do so:

1. Select the directory and click the Edit button.
2. Select the methods you want to allow for all URLs under this directory and its sub-directories.
3. Click Save. The configuration you chose is copied to all the existing URLs in this directory, whether they are in Learn or Protect mode.

Note that this is a copy operation. AppXcel WAF copies the methods you selected to all existing URLs under this directory. A new URL that arrives in this directory does not have these methods but learns the methods seen during the learning period. APU rules can change your setting, unless the URLs are locked. You can also manually change the methods of each URL individually after you used this copy operation.

Configuring Parameter Name Prefixes

Parameter names can be dynamic, for example param1, param2, param3, etc. AppXcel WAF learns all parameter names for each URL; therefore it never stops learning URLs with dynamic parameter names, since the number of combinations is extremely large or even unlimited. To overcome this problem AppXcel WAF introduces the concept of parameter name prefixes. You can mark a certain parameter name as a prefix. Each parameter name that matches the prefix is allowed. For example, if for the URL sample.asp you set the parameter name prefix to "param", then parameter names such as param1, param2, param5000 and paramabc are allowed.

AppXcel WAF automatically identifies and configures prefixes. However, in some cases there is a need for manual intervention, when the automatic prefix mechanism didn't identify the prefix.

To easily find parameters which could be dynamic, you can sort the URL profile according to the number of parameters per URL. This way you get the URLs with a large number of parameters first, and are able to easily and quickly review them, find dynamic parameters with a prefix and configure the prefix. In order to keep the number of parameters manageable for a URL during Learn Mode, AppXcel WAF limits the number of parameters learned for each URL to 200. If you reach 200 parameters, look for prefixes and define them.


To identify and configure a parameter name prefix:

1. Follow the procedures in Sections Browsing the Tree View, page 6-5 and Browsing the List View, page 6-7 to display a tree or list view of the URLs profile.

2. Select a URL and then locate and check the check box near a dynamic parameter.

3. Click Make Prefix. A message appears: "Creating a prefix deletes all regular parameters that begin with that prefix".
4. Click OK. The Add Prefix window appears, as displayed in Figure 6-8.

Figure 6-8 Add Prefix Window

5. Edit the parameter prefix name, the minimum and maximum length of the parameter value, the main value type, and whether it's required or not.
6. Click Save.

AppXcel WAF automatically removes all the parameters for this URL that match the new prefix. For example, if the URL included the parameters param1, param2, param3, param4, param5, and abparam, by adding the parameter prefix "param" AppXcel WAF automatically removes the parameter names param1, param2, param3, param4 and param5, leaving only one prefix and the parameter abparam which does not match the parameter prefix "param".

Note: You can sort the profile according to the number of parameters per URL, to identify URLs with a large number of parameters. These URLs are more likely to include dynamic parameters.

7. Once the prefix is defined you can define extended value types. Click Save. The Configure Value Type window appears.

8. In the Configure Value Type window, select the primary value type from the drop-down list, then select the additional value types and click Save.

Figure 6-9 Configure Value Type Window

Deleting a URL Parameter Prefix Name

Parameter prefix names can be deleted; however, the parameter names that were absorbed into the prefix name cannot be automatically regenerated as individual names. The URL must be returned to Learn Mode, and the parameters relearned. In general, there is no reason to delete a prefix, unless it was defined incorrectly.

To delete a URL parameter prefix name:

1. Select the URL prefix name and click Delete. A delete confirmation window appears, as displayed in Figure 6-10.


Figure 6-10 Delete URL Prefix Confirmation Window

2. Click OK to delete the prefix or Cancel to cancel.

Changing URL Parameters

Each parameter has the following settings:

Name: The name of the parameter.
Min: The minimum length (in characters) of the parameter.
Max: The maximum length (in characters) of the parameter.
Re: Whether the parameter is required or not (i.e. AppXcel WAF invokes a Profile Violation if the parameter is missing).
Value Type: The main value type of the parameter. See Appendix I for more information on each value type.
(icon): Opens a window with additional allowed types of this parameter. See Appendix I for more information on each value type.


To configure URL Parameters:

1. Follow the procedure in Sections Browsing the Tree View, page 6-5 and Browsing the List View, page 6-7 to display a tree or list view of the learned URLs.

2. Select one of the URLs from the tree/list view. The parameter settings for each URL are displayed in a table below the tree/list view, as displayed in Figure 6-11.

Figure 6-11 URL Parameters Table

Read Only: A checkbox indicating whether this parameter is read-only or not. A read-only parameter is a parameter whose value is set by the Web application (hidden fields and embedded links) and the user is not allowed to manually alter it. The Web application receives from the browser the exact same value as it sent. The attacks associated with read-only parameters are parameter tampering and hidden field manipulation. AppXcel WAF automatically learns which parameters are read-only and enforces that in real time. It is not recommended to manually set a parameter to read-only; let AppXcel WAF learn that this is a read-only parameter. By manually setting a parameter as read-only you might generate false positives. You can, however, release a read-only parameter in case of a false positive by clearing this checkbox.


3. To change a parameter's settings:
   a. To make a non-required parameter required, or a required parameter non-required, select the check box in the Re column.
   b. To change the main value type, select the value type from the drop-down list. (See Appendix I for more information on value types.)
   c. To add or remove additional value types, click to open the Configure Value Type window, select or clear the required types and click Save. (See Appendix I for more information on value types.)
4. To release a read-only parameter, clear the read-only checkbox.
   a. Click Save below the Parameters table.
5. To add a new parameter to the URL:
   a. Click Add below the Parameters table. The Add Parameter window appears, as displayed in Figure 6-12.

Figure 6-12 Add Parameter Window

   b. Enter the new parameter's name in the Name field.
   c. Enter the parameter's minimum number of characters in the Min field.
   d. Enter the parameter's maximum number of characters in the Max field.
   e. Select the Req check box if the new parameter is required.
   f. Select the main value type from the drop-down list.

Note: AppXcel WAF utilizes statistical algorithms to automatically determine the minimum and maximum length of parameters. For some parameters you might notice that the minimum length is 0 and the maximum is 1000. This means that AppXcel WAF has not collected enough statistical data on the specific parameter during Learn Mode to accurately determine its minimum and maximum lengths. Therefore AppXcel WAF uses a low minimum and a high maximum to avoid false positive scenarios.


   g. Click Save to save the new parameter or Cancel to cancel.
6. To delete an existing parameter:
   a. Select the parameter name.
   b. Click Delete below the Parameters table. A delete confirmation window appears, as displayed in Figure 6-13.

Figure 6-13 Delete Parameter Confirmation Window

   c. Click OK to delete the parameter or Cancel to cancel.
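The parameter settings above, together with the prefix mechanism described under Configuring Parameter Name Prefixes, as an added Python model (not Radware's code): creating a prefix absorbs the regular parameters that start with it, and a request is then checked for unknown, missing, over- or under-sized, wrongly typed and tampered read-only parameters. The value types, class names and violation strings are assumptions; Appendix I holds the real value-type list.

```python
from dataclasses import dataclass


@dataclass
class ParamRule:
    """Settings of one parameter row (Name, Min, Max, Re, Value Type, Read Only)."""
    name: str                 # exact parameter name, or the prefix when is_prefix is True
    min_len: int = 0          # 0 and 1000 are the wide defaults used when data is scarce
    max_len: int = 1000
    required: bool = False
    read_only: bool = False
    value_type: str = "any"   # assumed types: "any" or "numeric"
    is_prefix: bool = False

    def matches(self, param_name):
        if self.is_prefix:
            return param_name.startswith(self.name)
        return param_name == self.name


class UrlParameters:
    def __init__(self, rules):
        self.rules = list(rules)

    def make_prefix(self, prefix, **settings):
        """Creating a prefix deletes all regular parameters that begin with it."""
        self.rules = [r for r in self.rules
                      if r.is_prefix or not r.name.startswith(prefix)]
        self.rules.append(ParamRule(prefix, is_prefix=True, **settings))

    def _rule_for(self, param_name):
        # Exact names take precedence over prefixes.
        for rule in sorted(self.rules, key=lambda r: r.is_prefix):
            if rule.matches(param_name):
                return rule
        return None

    def check(self, params, server_set=None):
        """Validate one request's parameters (name -> value) against the profile.
        server_set holds the values the application itself emitted (hidden fields,
        embedded links); read-only parameters must come back unchanged.
        Returns the list of Profile Violations (empty when the request conforms)."""
        server_set = server_set or {}
        violations = []
        for rule in self.rules:
            if rule.required and not any(rule.matches(n) for n in params):
                violations.append(f"{rule.name}: required parameter missing")
        for name, value in params.items():
            rule = self._rule_for(name)
            if rule is None:
                violations.append(f"{name}: unknown parameter")
                continue
            if not rule.min_len <= len(value) <= rule.max_len:
                violations.append(
                    f"{name}: length {len(value)} outside {rule.min_len}-{rule.max_len}")
            if rule.value_type == "numeric" and not value.isdigit():
                violations.append(f"{name}: value type violation")
            if rule.read_only and server_set.get(name) != value:
                violations.append(f"{name}: read-only parameter tampered")
        return violations
```

A row still at the 0/1000 defaults accepts almost any length, so such rows deserve a manual review before the URL is relied on in protect mode.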

Copying a Parameter

The Copy parameter operation allows you to copy the settings for a specific parameter to other parameters in other URLs in the profile. You can copy the settings of a parameter to all parameters that have a specific name or those where the name starts with a specific prefix. You can also copy the parameter's settings to all parameters that are located under a specific directory. You can also combine the two options, i.e. copy the parameter's settings to all parameters located under a specific directory where the name starts with a specific prefix.

To copy parameter settings:

1. Click the parameter you want to copy.
2. Click the Copy button.
3. Enter the parameter prefix to which you want to copy the settings.
4. Enter the URL prefix to which you want to copy the settings.
5. Click Save.

Note: This is a copy operation. If you change the setting of one of the destination parameters or the copied parameter, it does not affect the other settings.


Figure 6-14 Copy Parameters

Saving a URL as a Pattern

You can select a URL in the tree or list view and save it as a URL pattern. It is easier to track down possible URL patterns when reviewing the URL profile.

To save a URL as a pattern:

1. Follow the procedure in Sections Browsing the Tree View, page 6-5 and Browsing the List View, page 6-7 to display a tree or list view of the learned URLs.

2. Select the URL.

3. Click Save as Pattern. The Save as Pattern window appears, as displayed in Figure 6-15.


Figure 6-15 Save As Pattern Window

4. Change the Host Group and the HTTP Methods if required.

5. Edit the URL to reflect the pattern.

6. Select the pattern type, either Prefix or Suffix.

7. Click Save to create the pattern or Cancel to cancel. Once created, the new pattern appears in the URL Patterns section.

Note: All URLs that match the newly defined pattern are deleted from the profile. AppXcel WAF does not add URLs that match one of the existing patterns to the profile.

Host Mapping

Each HTTP request that a browser generates includes a special header called HOST. For example, if the user accesses http://www.Radware.com/contact.html, the browser sends a request for the page contact.html. The request contains a special HTTP header called HOST with the value www.Radware.com.


Requests to a single application can be seen with different host names. Consider for example users accessing the Radware web site. They can use the URL http://www.radware.com, which generates the host name www.radware.com. They can also use http://radware.com, which generates the host name radware.com. Alternatively, they can access http://209.218.228.121, which is the Radware web site's IP address. This access generates the host name 209.218.228.121.

Due to the fact that a single application may include different host names, AppXcel WAF introduces the concept of host groups. A host group can include one or more host names. AppXcel WAF considers all hosts in the group as the same application and creates a single profile for these hosts. When you define a new Web server group, AppXcel WAF automatically creates a default host group with the same name as the server group. All host names that AppXcel WAF sees on requests to this server group are added to the default host group. At any time you can view the list of hosts in the default host group and decide that one or more hosts should be separated into different host groups.

Why is it sometimes necessary to separate host groups from the default host group? Consider for example a scenario in which the same physical server hosts both the applications www.radware.com and support.radware.com. As these are two different applications, AppXcel WAF should present two different profiles: one for www.radware.com and the other for support.radware.com. However, since AppXcel WAF adds all host names to the default host group, both www.radware.com and support.radware.com are part of the default host group. You need to manually create a new host group for the support application and move the support.radware.com host from the default host group to the newly created support host group.

When you create a new host group and move hosts to it from the default host group, AppXcel WAF restarts learning the hosts you moved. Radware therefore recommends looking at the default host group's host list after creating a server group. If you identify host names that belong to a different host group, create new host groups and move the relevant hosts to these groups so that AppXcel WAF is able to properly learn the different applications.

To view Host Mapping:

1. Expand the Web Server Group submenu.

2. Expand the Profiles submenu.

3. Select URL Profile. The URL Profile window appears and displays the URLs the system learned from the activity of the Server Group.

4. Click the Host Mapping button located at the top of the window. The Host Mapping window appears, as displayed in Figure 6-16.


Figure 6-16 Host Mapping Window

This window displays the defined hosts and their associated groups. (By default all hosts are associated with the default host group, which has the same name as the server group.)

To reassign a host to a different group:

1. From the main window select Host Mapping. The Host Mapping window appears.

2. In the Host Mapping window, click the down arrow next to the host's group name in the Group column. A drop-down list of defined Host Groups appears.

3. Select a Host Group name from the drop-down list.

4. Click Save.

Notice that only the default host group is listed the first time this window is opened. Host groups must be configured manually.

Note: If the host name does not appear in the list, add it manually as described in the following steps.

5. Click Add below the hosts list. The Add Host window appears, as displayed in Figure 6-17.


Figure 6-17 Add Host Window

6. In the Add Host window, enter the new host name in the Host field.

7. Click Save to save the new host or Cancel to cancel.

Configuring Host Groups

This section describes how to configure the Host Groups from the Host Mapping window.

To define a Host Group:

1. From the main window click Edit Groups. The Edit Host Groups window appears, as displayed in Figure 6-18.

Figure 6-18 Edit Host Groups Window


2. To add a new Host Group:

a. Enter the group name in the Group field under Add New.

b. Click Add. The new Host Group is added to the list in the table above.

3. To delete an existing Host Group:

a. Select the group.

b. Click Delete. The defined host group is deleted from the list.

4. Click Close.

Note: Requests that arrive with an unlisted host name are mapped to the Default Web Application host group and the host name is added to that group.

SOAP and XML Representation

AppXcel WAF automatically identifies URLs consisting of XML and SOAP content. These URLs have a special icon in the profile, both for URLs in learning and for URLs in protection.

For each SOAP/XML URL, AppXcel WAF presents all the SOAP actions that have been learned for this URL. If the URL does not include any SOAP actions but does contain XML, AppXcel WAF presents the "Default SOAP action". SOAP actions are presented differently in tree view and list view. In the tree view the actions are presented under the relevant URL. You can click a specific action and see its attributes. In list view there are two links next to the URL: Parameters and Actions. The Parameters link presents the list of parameters associated with this URL and the Actions link presents a list of actions associated with this URL. The list of actions is presented in the bottom-left frame. You can select an action from the list and view its attributes in the bottom-right frame.

When the URL is switched to protect mode, AppXcel WAF invokes the "Unauthorized SOAP Action" violation whenever someone attempts to access the URL with an unauthorized SOAP action.


Figure 6-19 SOAP URL - Tree View

To manually add or remove SOAP actions from a URL, click the Edit URL button. In the popup window select actions to delete and click Delete, or enter the name of the action you wish to add and click Add.

AppXcel WAF breaks the XML file into structures. Each structure represents a value. Structures are created using the full hierarchy of nested tags containing each value. For example, an XML file based on the following schema:

<schema>
  <complexType name="purchaseOrder">
    <element name="comment" type="string"/>
    <element name="item" minOccurs="0">
      <complexType>
        <element name="productName" type="string"/>
        <element name="quantity" />
        <element name="Price" type="decimal"/>
        <attribute name="partNum" type="SKU"/>
      </complexType>
    </element>
  </complexType>
</schema>

is represented using the following structures:

XML/purchaseOrder/comment
XML/purchaseOrder/item/productName
XML/purchaseOrder/item/quantity
XML/purchaseOrder/item/Price

These structures are learned automatically and added to the Parameters section of the SOAP action. For each of these structures AppXcel WAF learns its minimal and maximal size, its value type and whether or not it is required, exactly the same way as it learns regular URL parameters. AppXcel WAF invokes the XML Value Length, XML Value Type, and Required XML Attribute/Element Not Found violations when a request that does not match the profile arrives.

For each URL AppXcel WAF also learns whether this URL can be accessed as a regular URL in addition to being accessed as a SOAP URL. This depends on whether the URL has HTTP Methods associated with it. You can edit this in the Edit URL popup window. If the URL has no methods, it means that this URL can only be accessed as a SOAP URL, and AppXcel WAF invokes the "Non-SOAP Access to a SOAP-Only URL" violation whenever someone tries to access this URL as a non-SOAP URL. URLs which are not learned or configured as SOAP invoke the "SOAP Access to a Non-SOAP URL" violation whenever someone tries to access them as SOAP. To configure this manually, open the Edit URL popup and select or unselect the SOAP checkbox.
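The structure flattening and the per-structure learning described above, as an added Python example rather than Radware's code: it flattens a request body into XML/... structure paths, learns min/max length, value type and the required flag from constructed sample requests (falling back to 0..1000 when too few values were seen, as the earlier note on parameter lengths describes), and reports the three XML violation names the guide lists. The attribute naming (path/@name), the MIN_SAMPLES threshold and the sample requests are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: below this many sightings the guide's fallback of min 0 / max 1000 is used.
MIN_SAMPLES = 3
NUMERIC = re.compile(r"^[+-]?\d+(\.\d+)?$")
# Value types as the Add Parameter window lists them; a learned type only widens,
# from Numeric to Latin to UTF-8, as more varied values are seen.
TYPE_RANK = {"Numeric": 0, "Latin characters": 1, "Foreign language characters (UTF-8)": 2}


def value_type(value):
    if NUMERIC.match(value):
        return "Numeric"
    if value.isascii():
        return "Latin characters"
    return "Foreign language characters (UTF-8)"


def flatten(xml_text):
    """Map every value in the document to its structure path, built from the
    full hierarchy of nested tags (e.g. XML/purchaseOrder/item/productName).
    Attributes are recorded as path/@name (an assumption; the guide does not
    show how attribute structures are written)."""
    structures = {}

    def walk(element, path):
        tag = element.tag.split("}")[-1]          # drop any namespace prefix
        path = f"{path}/{tag}"
        for name, value in element.attrib.items():
            structures[f"{path}/@{name}"] = value
        text = (element.text or "").strip()
        if text and len(element) == 0:           # leaf element carrying a value
            structures[path] = text
        for child in element:
            walk(child, path)

    walk(ET.fromstring(xml_text), "XML")
    return structures


def learn(xml_bodies):
    """Build a profile: per structure, min/max length, widest value type seen,
    and whether it appeared in every request (required)."""
    profile = {}
    for body in xml_bodies:
        for path, value in flatten(body).items():
            entry = profile.setdefault(
                path, {"min": len(value), "max": len(value), "type": "Numeric", "seen": 0})
            entry["min"] = min(entry["min"], len(value))
            entry["max"] = max(entry["max"], len(value))
            if TYPE_RANK[value_type(value)] > TYPE_RANK[entry["type"]]:
                entry["type"] = value_type(value)
            entry["seen"] += 1
    for entry in profile.values():
        entry["required"] = entry["seen"] == len(xml_bodies)
        if entry["seen"] < MIN_SAMPLES:          # too little data: wide limits avoid false positives
            entry["min"], entry["max"] = 0, 1000
    return profile


def check(xml_body, profile):
    """Return the violations the guide names for a request that does not match."""
    values = flatten(xml_body)
    violations = []
    for path, entry in profile.items():
        if path not in values:
            if entry["required"]:
                violations.append(("Required XML Attribute/Element Not Found", path))
            continue
        value = values[path]
        if not entry["min"] <= len(value) <= entry["max"]:
            violations.append(("XML Value Length", path))
        if TYPE_RANK[value_type(value)] > TYPE_RANK[entry["type"]]:
            violations.append(("XML Value Type", path))
    return violations


# Constructed sample requests shaped like the purchaseOrder schema above.
LEARNED_REQUESTS = [
    "<purchaseOrder><comment>rush order</comment><item partNum='A1'>"
    "<productName>widget</productName><quantity>3</quantity><Price>9.99</Price></item></purchaseOrder>",
    "<purchaseOrder><comment>gift wrap</comment><item partNum='B22'>"
    "<productName>gadget</productName><quantity>12</quantity><Price>19.50</Price></item></purchaseOrder>",
    "<purchaseOrder><comment>leave at door</comment><item partNum='C3'>"
    "<productName>sprocket</productName><quantity>1</quantity><Price>4.25</Price></item></purchaseOrder>",
]
PROFILE = learn(LEARNED_REQUESTS)

# Constructed request that breaks the profile in three different ways:
# comment too short, quantity not numeric, Price missing.
BAD_REQUEST = ("<purchaseOrder><comment>ok</comment><item partNum='D4'>"
               "<productName>widgets</productName><quantity>5x</quantity></item></purchaseOrder>")

if __name__ == "__main__":
    for path, entry in PROFILE.items():
        print(path, entry)
    print(check(BAD_REQUEST, PROFILE))
```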


Figure 6-20 SOAP URL - List View

URL Patterns

URL Patterns enable the administrator to define patterns within URL paths and thus avoid some of the problems that are often encountered with very large or dynamic sites. Consider, for example, a site that has a different folder for each user, where each folder includes the same files. For example, the folders /mickey/ and /dave/ both include the files show.asp and order.asp. For each user the site introduces two new URLs, so AppXcel WAF would never stop learning new URLs. URL Patterns solve this problem. A URL pattern allows the administrator to define a URL prefix or a URL suffix and treat that pattern as a group of learned URLs. Every new URL that matches this pattern is recognized as legitimate and does not invoke an Unknown URL violation. In the example above it is possible to define both "show.asp" and "order.asp" as URL suffix patterns. This ensures these files are properly protected no matter where they are located.


Note that you can define suffix patterns for file types (for example ".aspx"); for specific files (for example "order.asp"); and for a file name and part of its path (for example "/public/print.asp" matches both "/scripts/public/print.asp" and "/home/public/print.asp").

Consider prefix patterns when you have folders that contain a large number of files of the same type. For example, if the folder "/public/calculators/" contains hundreds of files all with the same parameters and the same behavior, you can define "/public/calculators/" as a URL prefix and any file that matches this pattern is protected by it.
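An added Python example (not Radware's code) of how prefix and suffix patterns, host groups and the save-as-pattern operation interact with a learned URL profile when a request is classified. The host group names and paths are constructed, and treating a request whose method is not allowed by the matching entry as no match is an assumption, since the guide does not detail method checks here.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class UrlPattern:
    pattern: str
    kind: str                        # "Prefix" or "Suffix", as in the Add Pattern window
    host_group: Optional[str] = None  # None: no host name given, so the pattern matches any host
    methods: frozenset = frozenset({"GET", "POST"})

    def matches(self, host_group, path):
        if self.host_group is not None and self.host_group != host_group:
            return False
        if self.kind == "Prefix":
            return path.startswith(self.pattern)
        return path.endswith(self.pattern)      # suffix: file name, file type, or name plus part of its path


def save_as_pattern(learned, patterns, host_group, pattern, kind, methods=frozenset({"GET", "POST"})):
    """Create a pattern and, as the guide's note says, drop every learned URL
    that now matches it. Returns the removed (host_group, path) keys."""
    new = UrlPattern(pattern, kind, host_group, methods)
    patterns.append(new)
    removed = [key for key in learned if new.matches(*key)]
    for key in removed:
        del learned[key]
    return removed


def lookup(learned, patterns, host_group, method, path):
    """Classify a request as a learned URL, a pattern match, or an Unknown URL violation."""
    allowed = learned.get((host_group, path))
    if allowed is not None and method in allowed:
        return "learned URL"
    for p in patterns:
        if p.matches(host_group, path) and method in p.methods:
            return f"{p.kind} pattern {p.pattern}"
    return "Unknown URL violation"


# Constructed learned profile for a host group named "shop": one folder per user.
LEARNED = {
    ("shop", "/mickey/show.asp"): {"GET"},
    ("shop", "/dave/show.asp"): {"GET"},
    ("shop", "/login.asp"): {"GET", "POST"},
}
PATTERNS = [
    UrlPattern("/public/print.asp", "Suffix"),                                  # any host group
    UrlPattern("/public/calculators/", "Prefix", "shop", frozenset({"GET"})),
]
# Saving show.asp as a suffix pattern removes the per-user copies from the profile.
REMOVED = save_as_pattern(LEARNED, PATTERNS, "shop", "show.asp", "Suffix", frozenset({"GET"}))

if __name__ == "__main__":
    print("removed from profile:", REMOVED)
    for req in [("shop", "GET", "/goofy/show.asp"), ("shop", "GET", "/goofy/order.asp"),
                ("support", "GET", "/home/public/print.asp"),
                ("shop", "GET", "/public/calculators/mortgage.asp"), ("shop", "DELETE", "/login.asp")]:
        print(req, "->", lookup(LEARNED, PATTERNS, *req))
```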

To use URL Patterns:

1. Expand the Server Group's submenu.

2. Expand the Profiles submenu.

3. Click URL Patterns. The URL Patterns window appears, as displayed in Figure 6-21.

Figure 6-21 URL Patterns Window

This window displays a list of URL patterns that AppXcel WAF recognizes when encountering a matching URL.

Note: In case of static files (e.g. images, Office files) consider not learning or protecting these types of files. See Section Error! Reference source not found. for more information on avoiding learning and protecting static files


Creating a New URL Pattern

AppXcel WAF allows the administrator to manually define new URL Patterns. This is useful when, for example, a group of legitimate URLs is stored within a particular directory.

To manually create a new URL pattern:

1. From the main window select URL Patterns. The URL Patterns window appears.

2. In the URL Patterns window, click Add Pattern. The Add Pattern window appears, as displayed in Figure 6-22.

Figure 6-22 Add Pattern Window

3. Select the host group to which this pattern applies. If no host name is specified then this pattern matches any host.

Note: The recommended way to add a URL pattern is to save a profiled URL as a pattern rather than using the process below. When you save a profiled URL as a pattern you save all its methods and parameters as well, and you do not need to add them manually as with the process below.


4. Enter the pattern in the URL Pattern field.

5. Select the pattern type, Suffix or Prefix, from the Pattern Type combo box.

6. Select the HTTP methods from the HTTP Method checkboxes list.

7. Click Save to save the new URL pattern or Cancel to cancel.

Editing an Existing URL Pattern

Existing URL patterns may be changed and edited.

To change an existing URL pattern:

1. From the main window select URL Pattern. The URL Pattern window appears.

2. In the URL Pattern window, click Edit Pattern. The Edit Pattern window appears, as displayed in Figure 6-23.

Note: The pattern is a simple text string. No escape characters are needed.

Note: All URLs that match the newly defined pattern are deleted from the profile. AppXcel WAF does not add URLs to the profile that match one of the existing patterns.


Figure 6-23 Edit URL Pattern Window

3. Change one or more of the pattern settings.

4. Click Save to save the changes or Cancel to cancel.

In addition to changing the pattern itself, the parameters in the URL pattern may also be changed.

To change the URL pattern's parameters:

1. From the main window select URL Patterns.The URL Patterns window appears.

2. In the URL Patterns window select Parameters.The Parameters table appears.

3. In the Parameters table, to change a parameter's settings:

a. Select the parameter.

b. Change one or more of the parameter settings.

c. To make a non-required parameter required, or a required parameter non-required, click the check box in the Req column.

d. Click Save.

4. To add a new parameter to the URL:

a. Click Add below the Parameters table. The Add Parameter window appears, as displayed in Figure 6-24.


Figure 6-24 Add Parameter Window

b. In the Add Parameter window, enter the new parameter's name in the Name field.

c. Enter the parameter's minimum number of digits in the Min field.

d. Enter the parameter's maximum number of digits in the Max field.

e. Click the Req check box if the new parameter is required.

f. Select the value type: None, Numeric, Latin characters, Foreign language characters (UTF-8).

g. Click Save.

5. To delete an existing parameter:

a. Select the parameter.

b. Click Delete below the Parameters table. A delete confirmation window appears, as displayed in Figure 6-25.

Figure 6-25 Delete Parameter Confirmation Window

c. Click OK. Your preferences are recorded.


Cookie Profiles

AppXcel™ WAF traces cookies and verifies (1) that users do not alter the content of cookies set by the Web applications and (2) that they do not attempt to inject cookies that were not sent to them by the Web application. When creating a new Web server group, AppXcel WAF starts learning which cookies belong to the server group. The learning period differs for each cookie. During the learning period the cookie appears in the Cookies Learning window. At the end of the learning period AppXcel WAF either protects the cookie or ignores it, and the cookie then appears in either the Protected Cookies window or the Ignored Cookies window. Protected and ignored cookies are explained below.

Ignored cookies are cookies whose value changes during the session in a way that AppXcel WAF is unable to validate. For example, when a cookie can be changed by the browser using client-side code such as JavaScript, the cookie is irrelevant, as the browser may change it to a completely different value. Another example is when a Web server which is not monitored by AppXcel WAF changes cookie values during the session. In this scenario AppXcel WAF may see different values for the same cookie, but since AppXcel WAF does not monitor that Web server's SET commands it cannot validate the cookie's value.

Protected cookies are cookies that do not change during the session, or whose changes AppXcel WAF can trace and validate.

AppXcel WAF provides two levels of protection for protected cookies. The first level includes protection against cookie tampering. The second level includes protection against both cookie tampering and cookie injection. AppXcel WAF automatically decides what the proper protection level for each cookie is. This decision is based on the cookie's behavior. Some cookies can only be protected from cookie tampering while others can be protected from both cookie tampering and cookie poisoning.

Full protection (i.e. against cookie injection and cookie tampering) is provided for cookies for which AppXcel WAF can always see the SET command that was issued by the Web application. The SET command is used by Web applications to send Web browsers new cookies or new values for existing cookies. When AppXcel WAF intercepts the cookie's SET command, it records the cookie's name and value and associates them with the specific user session. The next time that cookie arrives from the same user session, AppXcel WAF verifies that the name and value match what it recorded during the previous SET command. If the user manually altered the cookie's value and it does not match, AppXcel WAF invokes a Cookie Tampering violation. If the cookie is not stored in AppXcel WAF (i.e. AppXcel WAF has not seen the SET command) it invokes a Cookie Injection violation, which means that the user is trying to inject a cookie into the Web server without first receiving this cookie from the Web server.

Partial protection (i.e. against cookie tampering only) is provided for cookies for which AppXcel WAF cannot always see the SET command. This usually occurs for permanent cookies, where the Web application sends the cookie once and it can remain in the user's browser for a number of months. AppXcel WAF usually has a much shorter time-out for cookies. So, if a user accessed a Web application and received a permanent cookie for three months, for example, and then returns to the site after a month, the user's browser sends that cookie to the Web site, but AppXcel WAF is unable to trace the SET command for that cookie, since it happened a month ago. For these cookies AppXcel WAF does not generate the Cookie Injection violation. When AppXcel WAF first sees an HTTP request containing a partially protected cookie, it records the cookie's name and value and associates them with the specific user session. The next time that cookie arrives from the same user session, AppXcel WAF verifies that the value matches what it recorded. If the user manually altered the cookie's value during the session, it does not match and AppXcel WAF invokes a Cookie Tampering violation.

The server group's cookie profile window presents three different lists: a list of cookies that are being learned, a list of protected cookies and a list of ignored cookies.
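A simulation of the cookie tracking described above, added here as example code rather than Radware's implementation: Set-Cookie values are recorded per user session, and each request is then checked for Cookie Tampering and, for fully protected cookies only, Cookie Injection, while ignored and still-learning cookies are skipped. The session ids, cookie names and traffic are constructed; a protected name ending in "*" stands for the Prefix check box.

```python
class CookieTracker:
    """Per-session cookie state as the guide describes it: full protection
    (tampering and injection) for cookies whose SET command is always seen,
    partial protection (tampering only) for cookies whose SET may have been
    missed, and ignored cookies that are never checked."""

    def __init__(self, full, partial, ignored):
        self.levels = [(set(ignored), "ignored"), (set(full), "full"), (set(partial), "partial")]
        self.sessions = {}   # session id -> {cookie name: value recorded for that session}

    def level(self, name):
        for names, level in self.levels:
            for entry in names:
                if name == entry or (entry.endswith("*") and name.startswith(entry[:-1])):
                    return level
        return "learning"    # in none of the three lists: AppXcel WAF would start learning it

    def observe_response(self, session_id, set_cookie_headers):
        """Record each Set-Cookie (the guide's SET command) sent to this session."""
        jar = self.sessions.setdefault(session_id, {})
        for header in set_cookie_headers:
            name, _, value = header.split(";", 1)[0].partition("=")   # ignore Path, HttpOnly, ...
            jar[name.strip()] = value.strip()

    def check_request(self, session_id, cookie_header):
        """Return the violations raised for the cookies carried by one request."""
        jar = self.sessions.setdefault(session_id, {})
        violations = []
        for pair in cookie_header.split(";"):
            name, eq, value = pair.strip().partition("=")
            if not eq:
                continue
            level = self.level(name)
            if level in ("ignored", "learning"):
                continue
            if name in jar:
                if jar[name] != value:                   # differs from what was recorded
                    violations.append(("Cookie Tampering", name))
            elif level == "full":
                violations.append(("Cookie Injection", name))   # never set by the server in this session
            else:
                jar[name] = value   # partial protection: first sighting is recorded and trusted
        return violations


def run_scenario():
    """Constructed traffic for two user sessions; returns the violations per request."""
    tracker = CookieTracker(full={"sid", "cart"}, partial={"remember_me*"}, ignored={"theme"})
    tracker.observe_response("s1", ["sid=abc123; Path=/; HttpOnly", "theme=dark"])
    requests = [
        ("s1", "sid=abc123; theme=dark"),            # matches what was set
        ("s1", "sid=abc124; theme=light"),           # sid altered; theme is ignored
        ("s1", "sid=abc123; cart=7"),                # cart was never set by the server
        ("s1", "sid=abc123; remember_me_v2=tok1"),   # partial cookie seen for the first time: recorded
        ("s1", "sid=abc123; remember_me_v2=tok2"),   # partial cookie changed within the session
        ("s2", "sid=abc123"),                        # valid for s1, but session s2 never received it
    ]
    return [tracker.check_request(session, header) for session, header in requests]


if __name__ == "__main__":
    for result in run_scenario():
        print(result)
```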

To view the cookies profiles window:

1. Expand the Server Group's name in the left tree menu. A submenu appears below the Server Group's name.

2. Expand the Profiles folder.

3. Expand the Cookies folder.

4. Click one of the cookie pages: Protected Cookies, Ignored Cookies or Cookies in Learning. The relevant Cookies window appears, as displayed in Figure 6-26.


Figure 6-26 Cookies Window

5. To add a new cookie to this list:

a. In the Add New section at the bottom of the window, enter the cookie name in the Cookie Name field. Some cookies have dynamic names, for example, the Microsoft IIS ASPSESSION cookie. These cookies usually have some kind of fixed prefix followed by a dynamic suffix (for example ASPSESSIONIDFFEDSSE). For such cookies, select the Prefix check box and enter only the fixed prefix in the Cookie Name field. Note that AppXcel WAF deletes all cookies that match this prefix from the cookie list.

b. Click Add. The cookie appears in the relevant Cookie list.

6. To delete cookies from the list:

a. Select the cookies.

b. Click Delete.

Note: You cannot add cookies to the learning list directly. This is because AppXcel WAF automatically adds cookies to the learning list as soon as it detects a cookie which is not in one of the three lists. However, if for some reason you wish to add a cookie to the learning list, you can add it either to the protected list or to the ignored list and then move it to the learning list.


7. To move cookies to the ignored list:

a. Select the cookies.

b. Click the relevant Move to Ignored button.

8. The Protected Cookies window includes an additional cookie attribute called Injection. If this checkbox is checked, the cookie is fully protected (from both cookie injection and cookie tampering). If the checkbox is unchecked, the cookie is not protected from cookie injection and is only protected from cookie tampering. To manually change the cookie's status:

a. Check or uncheck the Injection checkbox.

b. Click Save.


Chapter 7 - Configuring Signatures

This chapter describes the Application Defense Center and how to configure signatures and dictionaries. It includes the following section:

• Section 7-1: Application Defense Center Window, page 7-2


Section 7-1 Application Defense Center Window

This section contains the following topics:

• Configuring Signatures - Introduction, page 7-2
• Dictionary Types, page 7-4
• Viewing Dictionaries, page 7-5
• Viewing Signatures Window, page 7-6
• Updating the Signatures Database, page 7-13
• Creating Dictionaries, page 7-16
• Viewing and Modifying Signatures in a Dictionary, page 7-23

Configuring Signatures - Introduction

Part of the protection provided by AppXcel WAF uses signatures. The signatures are text strings that match known server vulnerabilities and attack patterns. AppXcel WAF maintains a list of over 2500 signatures based on the Snort database and Radware's Application Defense Center (ADC). The ADC tests each new Snort signature and makes sure it is valid. It then classifies the signature according to different attributes such as the severity of the attack described by the signature, the accuracy of the signature (sensitivity to false positive scenarios), the systems that are affected by this attack (e.g. IIS Web server, Apache Web server), and more. In addition to classifying the signature, the ADC also documents it. Once the signature is verified, classified and documented, it is added to the Radware Signature Database on the Radware Web site, from which it can be downloaded either automatically (if your AppXcel WAF Management Server is connected to the Internet) or manually.

The Radware signature database also contains signatures which were carefully crafted by the ADC to detect sophisticated application-level attacks.

To make the usage of signatures easier, signatures are collected into dictionaries. You can then use different dictionaries in different server groups. Each server group can use multiple dictionaries. A dictionary is actually a filter on the signature database. Dictionaries can be created, modified and deleted. When you create a dictionary you define the filter. For example, you can define a dictionary that includes all highly accurate, medium severity signatures for IIS 5 and 6. Once you define a filter dictionary, new signatures that are added to the signature database are automatically added to the relevant dictionaries according to their classified attributes.

AppXcel WAF includes a set of pre-defined dictionaries. These dictionaries are filters defined by Radware. They are adequate for most networking environments and allow you to avoid defining new dictionaries.

The following procedures describe how to create, enable and delete dictionaries; how to add, remove, and edit the signatures in the dictionaries; and how to update the signature database.

Application Defense Center Preferences Window

The Check for Updates and Upload buttons open windows for managing the database signatures. The figure below illustrates the Application Defense Center Preferences window.

Figure 7-1 ADC Preferences Window


Dictionary Types

Two attributes define each dictionary:

• Whether this is a Filtered or Manual dictionary. A filtered dictionary is created by applying a filter on the signature database. Once the filter is defined, all signatures in the database that match the filter are part of this dictionary. You can change the filter at any time, thus determining which signatures are included in the dictionary. When a new signature is added by Radware to the signature database, AppXcel WAF automatically adds it to all relevant dictionaries based on the filter. You can manually delete a signature from a filtered dictionary. However, you cannot add your own signatures to a filtered dictionary or edit existing signatures. For that you need to define a Manual dictionary. A manual dictionary is created empty and allows you to add your own signatures to it. A manual dictionary only includes your own signatures. You cannot add signatures from the Radware signature database to a manual dictionary.

• Whether it's a Predefined or User-Defined dictionary. A predefined dictionary was created by Radware and comes as part of the AppXcel WAF installation. A user-defined dictionary is defined by the user. You cannot delete or edit the filter of a predefined dictionary.
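An added Python example (not Radware's code) that models the two dictionary attributes just described as data structures: a filtered dictionary is a filter evaluated against the signature database, so a signature added to the database later joins it automatically and a user deletion only hides that one signature, while a manual dictionary holds only user-written signatures and a predefined dictionary's filter cannot be edited. Signature ids, patterns and attribute values are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    sig_id: str
    pattern: str
    risk: str             # Informative / Low / Medium / High, as on the References tab
    accuracy: str         # Low / Medium / High, as on the Accuracy tab
    affected: frozenset   # affected systems, e.g. {"IIS 5", "IIS 6"}
    user_defined: bool = False


class SignatureDatabase:
    def __init__(self):
        self.signatures = {}

    def add(self, sig):
        """A downloaded (or user-written) signature lands here; filtered dictionaries
        see it at once because they evaluate their filter on every read."""
        self.signatures[sig.sig_id] = sig


class FilteredDictionary:
    def __init__(self, name, db, filt, predefined=False):
        self.name, self.db, self.filt, self.predefined = name, db, filt, predefined
        self.deleted = set()           # signatures the user removed from this dictionary

    def members(self):
        return [s for s in self.db.signatures.values()
                if not s.user_defined and self.filt(s) and s.sig_id not in self.deleted]

    def delete(self, sig_id):
        self.deleted.add(sig_id)       # allowed: manual deletion from a filtered dictionary

    def set_filter(self, filt):
        if self.predefined:
            raise PermissionError("the filter of a predefined dictionary cannot be edited")
        self.filt = filt


class ManualDictionary:
    def __init__(self, name):
        self.name, self.signatures = name, {}

    def add(self, sig):
        if not sig.user_defined:
            raise ValueError("signatures from the Radware database cannot be added to a manual dictionary")
        self.signatures[sig.sig_id] = sig

    def members(self):
        return list(self.signatures.values())


def iis_filter(sig):
    """The guide's example filter: highly accurate, medium severity signatures for IIS 5 and 6."""
    return sig.accuracy == "High" and sig.risk == "Medium" and bool(sig.affected & {"IIS 5", "IIS 6"})


def build_example():
    """Constructed database and dictionaries; returns the member ids after each step."""
    db = SignatureDatabase()
    db.add(Signature("S-1", "constructed-pattern-1", "Medium", "High", frozenset({"IIS 5"})))
    db.add(Signature("S-2", "constructed-pattern-2", "High", "High", frozenset({"Apache"})))
    db.add(Signature("S-3", "constructed-pattern-3", "Medium", "Low", frozenset({"IIS 6"})))
    iis = FilteredDictionary("IIS accurate medium", db, iis_filter)
    steps = {"initial": [s.sig_id for s in iis.members()]}
    # A later signature update adds a matching signature: it joins the dictionary automatically.
    db.add(Signature("S-4", "constructed-pattern-4", "Medium", "High", frozenset({"IIS 6"})))
    steps["after update"] = [s.sig_id for s in iis.members()]
    iis.delete("S-1")
    steps["after delete"] = [s.sig_id for s in iis.members()]
    mine = ManualDictionary("My signatures")
    mine.add(Signature("U-1", "constructed-pattern-u1", "Low", "Medium", frozenset(), user_defined=True))
    steps["manual"] = [s.sig_id for s in mine.members()]
    return steps


if __name__ == "__main__":
    for step, ids in build_example().items():
        print(f"{step}: {ids}")
```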

Dictionaries are listed in the tree menu of the ADC tab in two categories: Predefined Dictionaries and My Dictionaries (user-defined dictionaries), as displayed in Figure 7-2.

Figure 7-2 Dictionaries List


Dictionary types are indicated by the following icons:

• Manually generated dictionary
• A filtered dictionary

Viewing Dictionaries

The following steps describe how to access and view a dictionary.

To view a dictionary:

1. Expand the Application Defense Center item in the left tree menu.

2. Expand the Predefined Dictionaries / My Dictionaries item.

3. Click the dictionary name. The Dictionary window appears, as displayed in Figure 7-3.

Figure 7-3 Manual Dictionary Window


Viewing Signatures Window

The Signatures window presents a list of all signatures defined in the AppXcel WAF system. You can browse the signatures and their properties, and disable or restore them.

Note that when you view a dictionary violation in the Alert view, you can click the violation to view a popup of the relevant signature. You can view all the attributes associated with this signature and can disable the signature.

To view and modify signatures:

• Click View All Signatures in the ADC page. The Signatures window appears, as displayed in Figure 7-4.

Figure 7-4 View All Signatures Window

The Signatures window presents a list of all signatures in the database. Each signature entry includes the signature name, the signature itself, and its status. You can click the sort arrows to sort the signatures and the signature names alphabetically.

The signature status can be one of the following:

• Signature disabled in all dictionaries
• Signature disabled in currently displayed dictionary
• Enabled (predefined) signature
• Enabled, user-created signature

AppXcel WAF displays up to 50 signatures per page. You can browse the pages using the following options:

• Set the number of signatures displayed on each page: select the number from the drop-down list.
• Go to the first page.
• Go to the previous page.
• Go to the next page.
• Go to a specific page: click on the page number.
• Go to the last page.

Filtering Signatures

AppXcel WAF enables the signature viewer to filter signatures according to their characteristics.

Note: The filter option is a presentation option, modifying the display of signatures only. It does not filter any signatures from the dictionaries.


To filter signatures:

1. Click the filter button. The Filter window appears, as displayed in Figure 7-5.

Figure 7-5 Filter Signatures Window

This filter returns all signatures containing the search string in either the signature itself or the signature description field. If you check "Show only disabled signatures" then only disabled signatures that match the text string are returned. To return all disabled signatures, leave the Search String empty.

2. Click OK to execute the filter.

3. To remove a filter, click the remove button.

Viewing Signature Properties

The signature properties are displayed in the five tabs at the bottom of the window.

Signature Info

The Signature Info window is displayed in Figure 7-6.


Figure 7-6 Signature Info Window

The Signature Info window presents the following information:

Signature was created/updated after: Limits signatures to those created or updated after the specified date. Select the option and click to choose a date from the calendar.

Services: The service(s) to which this signature applies.

Apply to:
• Server to Client: The filter includes signatures that are relevant for traffic that goes from the server to the client.
• Client to Server: The filter includes signatures that are relevant for traffic that goes from the client to the server.
• Both Directions: The filter includes signatures that are relevant for traffic that goes from the server to the client, and from the client to the server.


Attack Info

The Attack Info window is displayed in Figure 7-7.

Figure 7-7 Attack Info Tab

The Attack Info window presents the following information:

URL Decoded Stream: For HTTP/S signatures which are searched in the TCP stream, AppXcel WAF can either URL decode the stream prior to searching for the signature or leave the stream encoded. If this field is set to "True", AppXcel WAF decodes the stream before searching for the signature.

Search Signature in:
• URL: Searches URLs only.
• HTTP Parameters: Searches HTTP parameters.
• HTTP Headers: Searches HTTP headers.
• Stream: Searches the entire TCP stream.
Note: Query and Parsed Query are not implemented.

Summary: Attack summary.

Attack Class: Class (type of attack) as defined in the knowledge base.

Attack Complexity: Complexity of the attack type. Simple refers to attacks that are relatively easy to perpetrate; complex refers to attacks that are difficult to perpetrate.


Affected Systems

The Affected Systems window is displayed in Figure 7-8.

Figure 7-8 Affected Systems Window

The Affected Systems window lists the systems that are affected by this signature, in the format <system name> <optional Boolean value> <optional version>.

References

The References table is displayed in Figure 7-9.

Figure 7-9 References Window

The References tab presents the following information:

Risk: The relative damage that an attack using this signature causes: Informative, Low, Medium, High.

Attack Frequency: Frequency of attack. Values are Low/Medium/High. High refers to common attacks while Low refers to rare attacks.

Detail: Detailed overview of the attack.

Cert Vulnerability: Cert ID as it appears on the cert.org Web site.

CVE Vulnerability: CVE ID as it appears on the CVE Web site.

Bug Traq: Bug Traq is another archive of vulnerabilities. This field is the number of the specific vulnerability on the Bug Traq Web site.

Accuracy

The Accuracy window is displayed in Figure 7-10.

Figure 7-10 Accuracy Window

This window presents information on the accuracy of the attack signature and on its false-positive and false-negative scenarios:

Snort ID: For signatures that are extracted from the Snort database, this field presents the ID as it appears in the Snort database.

Exploit Value: A free-text field that links to a description of how the attack is perpetrated.

Notes: Free-text field with signature-specific notes.

Signature Accuracy: Probability that the occurrence of the signature indicates an attack and not a false positive. Values are: Low, Medium, High. High refers to a very accurate signature, which rarely generates false positives. Low refers to an inaccurate signature that is likely to generate false positives as well.

False Positives: Information about false positive scenarios related to this signature.

False Negatives: Information about false negative scenarios related to this signature.

Additional Info: Any other additional information regarding this signature.

Updating the Signatures Database

The user needs to order a subscription for the service from Radware when buying the AppXcel WAF add-on or when renewing the subscription. Updating the Signatures Database is performed by first selecting the relevant window from the Scheduler engine.

Defining a Frequency and Task using the Scheduler Engine

APSolute Insite's built-in scheduler engine allows you to perform tasks according to a predefined schedule.

To view the Scheduler and define a frequency and a task:

1. From the main window, select Tools > Scheduler. The Scheduler window appears.

Figure 7-11 Scheduler Window

2. In the Scheduler window, select Add. The Edit Task window appears.

Figure 7-12 Edit Task Window

3. In the Edit Task window, from the Task Selection drop-down list, select AppXcel WAF Signatures.
4. Set the Frequency to daily and select an hour for the update in Start Hour.
5. The End Hour is not applicable here and is grayed out.
6. Click Next. Your preferences are recorded.

The following information describes additional parameters to be set in the Edit Task table:

Select: Select the required action from the drop-down list. The possibilities are:
• Download and Install: Downloads the Attacks DB file and installs it on the device.
• Download: Downloads the Attacks DB file.
• Ignore: Ignores the Attacks DB file (does nothing).

Behind the Proxy (checkbox): Check this box if you are connecting to the Radware web site through a proxy to download attack updates.

IP: The IP address of the proxy server (enabled only when Behind the Proxy is selected).

Port: The TCP port of the proxy (enabled only when Behind the Proxy is selected).

Proxy Authentication (checkbox): Check this box if you are connecting to the Radware web site through a proxy, and the proxy requires user name and password authentication.

User Name: The user name for authentication on the proxy.

Password: The password for authentication on the proxy.

External TFTP Server IP Address (checkbox): If an external server is used to download the Attacks DB file to the device, enter the external server's IP address here.

To schedule the update of the Signatures Database:

1. From the APSolute OS menu, select Security Updates > Upload AppXcel WAF Signature Updates. The Upload AppXcel WAF Signature Updates window appears.

Figure 7-13 Upload AppXcel WAF Signatures File Window

2. In the Upload AppXcel WAF Signature Updates window, check the checkboxes for the AppXcel devices you intend to update.

3. If Insite has access to the Internet, click Check Now.
4. Otherwise, go to http://www.radware.com/content/security/web_application_firewall/default.asp, download the signatures file and copy it manually to the Insite server.
5. Click Browse and find the signature file.
6. Click Upload Signature File to Selected devices.
7. Click OK. Your preferences are recorded.

To upload the Signature File Database with the CLI:

1. Obtain the signatures file from Radware support and save it locally. The file name format is: time_in_second_AppXcel_MAC
2. Copy the signature file to the AppXcel via scp into a temporary directory on the device: scp /tmp/signature_file radware@<device ip>:/tmp
3. Run the command: appxcel web-application-firewall signatures-import
   Wait for the message: Signature file import succeed
4. To verify that the signature file is updated, run: appxcel web-application-firewall signatures-get

Creating Dictionaries

The following procedures describe how to create various dictionaries.

To create a dictionary:

1. Click ADC.
2. Expand the My Dictionaries submenu.
3. Click Create a Dictionary. The Create a Dictionary window appears, as displayed in Figure 7-14.

Figure 7-14 Create a Dictionary Window

4. In the Dictionary Creation options drop-down list, select whether this is a Filter or Manual dictionary.
5. Click Create. A wizard guides you through the rest of this process. A different wizard appears for Filter and Manual dictionaries.
6. To create a Manual Dictionary:
a. The Create Manual Dictionary window appears, as displayed in Figure 7-15.

Figure 7-15 Create Manual Dictionary

b. Type in a name and description of the dictionary.
c. Click Save.
7. To create a Filter Dictionary:
a. The Create Filter Dictionary Step 1 window appears, as displayed in Figure 7-16.

Figure 7-16 Create Filter Dictionary - Step 1

b. Type in a name and description of the dictionary.
c. If you want to filter signatures which are attached to specific services, select the Services check box and select the specific services from the list box. Otherwise, this dictionary may contain signatures of any service.
d. Click Next. The Create Filter Dictionary - Step 2 window appears, as displayed in Figure 7-17.

Figure 7-17 Create Filter Dictionary - Step 2 Window

e. Select as many options as required, as described in the following table. First select the category to enable it, then the option(s) within the category. To select more than one option in a category, hold down <Ctrl> while you select the options. The operator AND is used between the options in a category.

Include only signatures that were created/updated after: Limits signatures to those created or updated after the specified date. Select the option and click to choose a date from the calendar.

Apply Direction:
• Server to Client: The filter includes signatures that are relevant for traffic that goes from the server to the client.
• Client to Server: The filter includes signatures that are relevant for traffic that goes from the client to the server.
• Both Directions: The filter includes signatures that are relevant for traffic that goes from the server to the client, and from the client to the server.

Signature Accuracy: Probability that the occurrence of the signature indicates an attack and not a false positive. Values are: Low, Medium, High. High refers to a very accurate signature, which rarely generates false positives. Low refers to an inaccurate signature that is likely to generate false positives as well.

Note: Each category has an enable check box, located to the left of the category name. You must select this check box to enable the category's parameters. If you do not specify any parameters, the filter assumes the value "any" for the category.

f. Click Next. The Create Filter Dictionary Step 3 window appears, as displayed in Figure 7-18.

Figure 7-18 Create Filter Dictionary Step 3 Window

g. Select as many options as required, as described in the following table. First select the category, then the options within the category. To select more than one option in a category, hold down <Ctrl> while you select the options. The operator AND is used between the options in a category.

Attack Class: Class (type of attack) as defined in the knowledge base.

Attack Complexity: Complexity of the attack type. Simple refers to attacks that are relatively easy to perpetrate; complex refers to attacks that are difficult to perpetrate.

Risk: The relative damage that an attack using this signature causes. Values are: Informative, Low, Medium, High.

Attack Frequency: Frequency of attack. Values are: Low, Medium, High. High refers to common attacks while Low refers to rare attacks.

h. Click Next. The Create Filter Dictionary Step 4 window appears, as displayed in Figure 7-19.

Figure 7-19 Create "Dictionary Name" Step 4 Filter Parameters Window

i. Define the system types to be included in the filter by filling in the fields as described in the following table:

Affected Systems: Select this to enable the Affected Systems option.

System Name: Drop-down list of system types that the signature attacks, e.g. Apache, Windows 2000.

Boolean Value: This field, together with the next field, defines the Version (optional).

Version: Version of the system that is included in the filter. (If no version is defined, all versions are included in the filter.)

j. Click Add.
k. Repeat steps i and j until all systems have been added.
l. Click Finish.

Viewing and Modifying Signatures in a Dictionary

This section describes viewing, adding, editing and disabling signatures. Note that when you view a dictionary violation in the Alert viewer, you can click the violation to view a popup of the relevant signature. You can view all the attributes associated with this signature and can disable and edit the signature.

Viewing Signatures in a Filter Dictionary

Signatures in filter dictionaries are presented in the same format as View All Signatures in the Preferences window. You can disable and enable signatures.

To view signatures in a dictionary:

1. Click on the dictionary name in the tree view. The Dictionary window appears.

Adding Signatures

A manually added signature only applies for the dictionary in which it is added.

To add a signature:

1. In the Dictionary page, click Add Signature. The Add New Signature Step 1 General Details window appears, as displayed in Figure 7-20.

Note: This procedure is relevant for Manual dictionaries only.

Figure 7-20 Add New Signature

2. Type in the signature name.
3. Enter the signature itself (see appendix F for more information on writing signatures).
4. Define the signature parameters, as described in the following table:

Services: Select a service to which this signature applies.

Apply to:
• Server to Client: The signature is relevant for traffic that goes from the server to the client.
• Client to Server: The signature is relevant for traffic that goes from the client to the server.
• Both Directions: The signature is relevant for both directions.

Search Signature In:
• URL: Searches URLs only.
• HTTP Parameters: Searches HTTP parameters.
• HTTP Headers: Searches HTTP headers.
• Stream: Searches the entire TCP stream or the UDP packet.

5. Click Save. The signature is added to the dictionary.

Editing Signatures

The following procedure describes how to edit a signature.

To edit a signature:

1. Select a signature in the Dictionary window.
2. Click Edit Signature. The Edit Signature window appears, as displayed in Figure 7-21.

Figure 7-21 Edit Signature: General Window

Search this Signature in URL Decoded Stream: For HTTP/S signatures that are searched in the TCP stream, AppXcel WAF can either URL decode the stream prior to searching for the signature or leave the stream encoded. If this field is checked, AppXcel WAF decodes the stream before searching for the signature.

Note: This procedure is relevant for Manual dictionaries only.

3. Edit the details as required. Refer to Viewing Signature Properties, page 7-8 for an explanation of the fields.

4. Click Save.
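The Search Signature In locations and the URL Decoded Stream setting, described for the Attack Info tab and again for the Add/Edit Signature windows, decide which text a signature is actually compared against. The following Python is an added example, not AppXcel code: it models the four search locations and shows that a percent-encoded request is missed unless the stream is URL-decoded before matching. The sample requests and the `<script` signature are constructed; treating URL as the path only, with query parameters as a separate location, is an assumption.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import unquote, urlsplit

SEARCH_LOCATIONS = ("URL", "HTTP Parameters", "HTTP Headers", "Stream")


@dataclass
class HttpRequest:
    """A client-to-server request as the WAF sees it on the wire (still URL-encoded)."""
    method: str
    target: str                      # request-target: path plus optional ?query
    headers: dict = field(default_factory=dict)
    body: str = ""

    def raw_stream(self) -> str:
        """The reassembled TCP stream of the request as one text block."""
        head = f"{self.method} {self.target} HTTP/1.1\r\n"
        head += "".join(f"{k}: {v}\r\n" for k, v in self.headers.items())
        return head + "\r\n" + self.body


def search_space(req: HttpRequest, location: str, url_decode: bool):
    """Return the text fragments a signature is searched in for one location.

    Assumption: "URL" is the path only; "HTTP Parameters" covers the query string and a
    form-encoded body; "Stream" is the whole reassembled request.
    """
    parts = urlsplit(req.target)
    if location == "URL":
        texts = [parts.path]
    elif location == "HTTP Parameters":
        texts = parts.query.split("&") if parts.query else []
        ctype = req.headers.get("Content-Type", "")
        if ctype.startswith("application/x-www-form-urlencoded"):
            texts += req.body.split("&")
    elif location == "HTTP Headers":
        texts = [f"{name}: {value}" for name, value in req.headers.items()]
    elif location == "Stream":
        texts = [req.raw_stream()]
    else:
        raise ValueError(f"unknown search location: {location!r}")
    # "URL Decoded Stream": decode %XX escapes before matching, or search the text as-is.
    return [unquote(t) for t in texts] if url_decode else texts


def signature_matches(req: HttpRequest, signature: str, location: str,
                      url_decode: bool = True) -> bool:
    """True if the signature (a regular expression) occurs in the chosen location."""
    pattern = re.compile(signature, re.IGNORECASE)
    return any(pattern.search(text) for text in search_space(req, location, url_decode))


# Constructed sample traffic (not captured data) and a constructed signature.
SIGNATURE = r"<script"
ENCODED_REQ = HttpRequest("GET", "/search?q=%3Cscript%3E",
                          {"Host": "www.example.com", "User-Agent": "demo/1.0"})
HEADER_REQ = HttpRequest("GET", "/index.html",
                         {"Host": "www.example.com", "Referer": "http://other.example/<script>"})
FORM_REQ = HttpRequest("POST", "/comment",
                       {"Host": "www.example.com",
                        "Content-Type": "application/x-www-form-urlencoded"},
                       body="user=bob&text=%3cSCRIPT%3e")


def coverage_report(req: HttpRequest, signature: str) -> dict:
    """Per location: (matched without URL decoding, matched with URL decoding)."""
    return {loc: (signature_matches(req, signature, loc, url_decode=False),
                  signature_matches(req, signature, loc, url_decode=True))
            for loc in SEARCH_LOCATIONS}


if __name__ == "__main__":
    for name, req in (("encoded query", ENCODED_REQ), ("header", HEADER_REQ),
                      ("form body", FORM_REQ)):
        print(name, coverage_report(req, SIGNATURE))
```

A signature limited to the URL location never sees the query or the body, so a manual signature should be attached to the location the protected application actually carries the data in.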

Disabling and Enabling Signatures

Signatures in a predefined or user-defined filter dictionary can be disabled or enabled per dictionary, or for all dictionaries. A signature that is disabled in all dictionaries is also disabled in any new dictionary that is created. A signature that is disabled in all dictionaries still appears in the dictionary's list of signatures, but it is marked as disabled. Note that disabled signatures are updated when a signature update is provided by Radware, but they remain disabled. Enabling a signature reverses the disable action that you performed previously. If you disabled a signature in one dictionary and then enable it, it is enabled in that dictionary only. If you disabled a signature in all dictionaries and then enable it, it is enabled in all dictionaries.

To disable a signature:

1. Select the signature and click Disable. The system responds with the message "Click Yes to disable the signature/s? from all dictionaries; click No to disable the signature/s? from this dictionary only".

2. Click Yes or No, depending on the action you wish to perform, or Cancel to cancel the action.

To enable a signature:

1. Select the signature(s) and click Enable. The system responds "Are you sure you want to enable the signatures(s)?".

2. Click Yes.

Note: For manual dictionaries, the Disable function is replaced with Delete. If you delete a manually added signature, the signature is removed from the dictionary.

Note: You cannot enable manually added signatures. Deleting signatures from a manual dictionary is irreversible.

Viewing and Modifying a Dictionary's Filters

The following procedure describes how to view and modify a dictionary's filters.

To view and modify a dictionary's filters:

1. Expand the ADC tree and click on the dictionary name in the tree view. The Dictionary window appears.

2. Click Edit. The dictionary details are presented in four tabs.
3. In each tab, perform modifications as required and click Save.

Deleting Dictionaries

The following procedure describes how to delete a dictionary.

To delete a dictionary:

1. Expand the ADC tree and click on the dictionary name in the tree view. The Dictionary window appears, as displayed in Figure 60 above.

2. Click Delete This Dictionary. The message "Are you sure you want to delete the dictionary?" appears.

3. Click OK.

Note: This procedure is relevant for Filter Dictionaries only.

Note: You cannot delete predefined dictionaries. If you attempt to delete a dictionary that is currently in use, a warning message appears. You can then delete the dictionary.

Appendix A - Defining IP Groups

This appendix describes how to define IP Groups, which are used in various places in the AppXcel WAF GUI. Use this feature to define IP groups throughout the AFI, as often as required. Each IP group contains a collection of single IP addresses, IP ranges or IP subnets.

Configuring IP Groups

The following steps describe how to configure an IP Group from the Create an IP Group window.

To configure an IP Group:

1. Click the Global Settings tab on the tab bar.
2. Expand IP Groups in the tree menu and click Create an IP Group; or click IP Groups in the Overview page. The Create an IP Group window appears, as displayed in Figure A-1.

Figure A-1 Create New IP Group Window

3. In the Create an IP Group window, enter a unique name for the IP group in the Name field.

4. Click Create Group. The IP Group window appears and displays fields for entering the IP group's IP addresses and subnet mask, as displayed in Figure A-2. This window allows you to define individual IP addresses and groups of IP addresses.

Figure A-2 Define IP Addresses Window

5. To enter a single IP address, leave the Type drop-down list set to Single, and enter the address under Start IP.

6. To enter a range of IP addresses:
a. Select Range in the Type drop-down list.
b. Enter the first address in the range under Start IP.
c. Enter the last address in the range under End IP.

7. Alternatively, the range of IP addresses can be set according to the subnet:
a. Select Network in the Type drop-down list.
b. Enter the first address in the range under Start IP.
c. Enter the subnet mask under Subnet Mask.

8. Click Add to save the IP addresses and open a new row for entering more addresses.

9. To delete a range of IP addresses, select the checkbox to the left of the definition and then click Delete.

10. To edit a range, edit the relevant row and click Save.

11. To delete the entire IP group, click Delete this IP Group, located at the bottom of the window.
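The three row types above (Single, Range with Start IP and End IP, Network with Start IP and Subnet Mask) modelled in Python as an added example that is not AppXcel code: each row is validated the way the Add/Save steps should validate it, and the group answers whether a given address is covered, which is what any WAF setting that references the group effectively asks. The group name and the addresses (RFC 5737 documentation ranges) are constructed.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class IpGroupEntry:
    """One row of the IP Group window. type is "Single", "Range" or "Network"."""
    type: str
    start_ip: str
    end_ip: str = ""         # Range only
    subnet_mask: str = ""    # Network only: dotted mask (IPv4) or prefix length

    def __post_init__(self):
        # Reject rows that the Add step should not accept.
        start = ipaddress.ip_address(self.start_ip)
        if self.type == "Single":
            return
        if self.type == "Range":
            end = ipaddress.ip_address(self.end_ip)
            if end.version != start.version or end < start:
                raise ValueError(f"invalid range {self.start_ip}-{self.end_ip}")
        elif self.type == "Network":
            # strict=False tolerates host bits in Start IP, as a UI usually does
            ipaddress.ip_network(f"{self.start_ip}/{self.subnet_mask}", strict=False)
        else:
            raise ValueError(f"unknown entry type {self.type!r}")

    def contains(self, ip: str) -> bool:
        """True if ip falls inside this row."""
        addr = ipaddress.ip_address(ip)
        start = ipaddress.ip_address(self.start_ip)
        if addr.version != start.version:
            return False                       # never mix IPv4 and IPv6 comparisons
        if self.type == "Single":
            return addr == start
        if self.type == "Range":
            return start <= addr <= ipaddress.ip_address(self.end_ip)
        network = ipaddress.ip_network(f"{self.start_ip}/{self.subnet_mask}", strict=False)
        return addr in network


@dataclass
class IpGroup:
    """A named collection of single addresses, ranges and subnets."""
    name: str
    entries: list = field(default_factory=list)

    def add(self, entry: IpGroupEntry) -> None:
        if entry not in self.entries:          # the same row twice adds nothing
            self.entries.append(entry)

    def delete(self, entry: IpGroupEntry) -> None:
        self.entries.remove(entry)

    def contains(self, ip: str) -> bool:
        return any(entry.contains(ip) for entry in self.entries)

    def matching_entries(self, ip: str) -> list:
        """All rows that cover ip; useful when auditing why an address is in the group."""
        return [entry for entry in self.entries if entry.contains(ip)]


# Constructed example group, as it would be entered row by row in the IP Group window.
ADMIN_HOSTS = IpGroup("admin-hosts")
ADMIN_HOSTS.add(IpGroupEntry("Single", "192.0.2.5"))
ADMIN_HOSTS.add(IpGroupEntry("Range", "192.0.2.100", end_ip="192.0.2.110"))
ADMIN_HOSTS.add(IpGroupEntry("Network", "198.51.100.0", subnet_mask="255.255.255.0"))
ADMIN_HOSTS.add(IpGroupEntry("Network", "2001:db8::", subnet_mask="64"))

if __name__ == "__main__":
    for probe in ("192.0.2.5", "192.0.2.105", "192.0.2.111", "198.51.100.77", "2001:db8::1"):
        print(probe, ADMIN_HOSTS.contains(probe), ADMIN_HOSTS.matching_entries(probe))
```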

Appendix B - Action Interfaces

This appendix describes the configuration of action interfaces. AppXcel WAF uses various objects in its operation. Some settings in AppXcel WAF refer to these objects, thus requiring them to be defined in advance.

Action Interfaces

AppXcel WAF can execute certain actions upon detection of a security event, such as blocking attackers using various blocking mechanisms and sending email alerts. Appropriate action interfaces must first be configured, as explained in this appendix, and then implemented as part of an Action Policy. You can define multiple action interfaces of each type, and then choose which action interface to use with each action policy. AppXcel WAF supports the following action interfaces:

Syslog: AppXcel WAF can send alerts using the Syslog protocol to an external syslog host.

Email: AppXcel WAF can send alerts using the Simple Mail Transfer Protocol (SMTP) to an external SMTP server.

Operating System Command: AppXcel WAF calls an operating system command or any program that is installed on the AppXcel WAF Management Server.

SNMP: AppXcel WAF can send alerts via SNMP traps to external SNMP management devices.

Configuring the AppXcel WAF Syslog Action Interface

The AppXcel WAF Syslog action interface allows you to send alerts to a central syslog server.

To enable/modify the Syslog action interface:

1. Click the Global Settings tab on the tab bar.
2. Expand the Actions item in the left tree menu.
3. Expand the Action Interfaces item in the left tree menu.
4. Click Create New Action Interface. The Add Action Interface window appears, as displayed in Figure B-1.

Figure B-1 Add Action Interface Window

5. Click Syslog. The New Syslog Action Interface window appears, as displayed in Figure B-2.

Note: This configuration change does not take effect until the setting changes are activated by clicking the Activate Settings button at the bottom-right corner of the AppXcel WAF Interface window.

Figure B-2 New Syslog Action Interface Window

6. Type a name for the interface in the Display Name field.
7. Type in the IP address of the syslog host in the Syslog host IP Address field.
8. Select the syslog level from the drop-down list.
9. Define the message. The message consists of text and placeholders that define the message that is written to the log. You can define the message with arguments containing values specific to the alert that occurred (e.g. the offending IP). For this purpose several placeholders are defined; these are replaced by the actual values when the action occurs. (The rest of the argument string is used as is.) The window opens with the default message. You can modify it with the placeholders listed below.

The available placeholders are:
• {action.ip} The attacker IP address
• {action.session} The session value of the request
• {alert.severity} informative, low, medium, high
• {alert.id} The ID of the alert
• {alert.type} firewall, worm, signature, protocol, profile, correlation
• {alert.server_group_ip} The destination IP address
• {alert.server_group} The name of the server group
• {alert.time} The last update time of the alert in the form: dow mon dd hh:mm:ss zzz yyyy (zzz is the time zone)
• {alert.description} The description of the alert (as shown in the alert view)
• {alert.rule.name} The name of the correlation rule (relevant only in the case of correlations)
• {alert.rule.description} The correlation rule description (relevant only in the case of correlations)

Note: If you define a message longer than the log allows, it is truncated in the log display.

10. Click Save.
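The placeholder substitution of step 9 and the truncation the note warns about, as an added Python example that is not Radware's code. The placeholder names are the ones listed above; the default message text, the alert data, the syslog facility and the 1024-byte line limit are constructed assumptions.

```python
import re
from datetime import datetime, timezone

# Placeholder syntax from the list above: {action.ip}, {alert.severity}, {alert.rule.name}, ...
PLACEHOLDER = re.compile(r"\{([a-z_.]+)\}")

# Constructed message template; the product's actual default text is not reproduced here.
DEFAULT_TEMPLATE = ("WAF alert {alert.id} [{alert.severity}] {alert.type}: {alert.description} "
                    "from {action.ip} to {alert.server_group} ({alert.server_group_ip}) "
                    "at {alert.time}")


def placeholder_values(action: dict, alert: dict) -> dict:
    """Map every documented placeholder to its value for one alert/action pair."""
    return {
        "action.ip": action["ip"],
        "action.session": action.get("session", ""),
        "alert.severity": alert["severity"],      # informative, low, medium, high
        "alert.id": str(alert["id"]),
        "alert.type": alert["type"],              # firewall, worm, signature, protocol, ...
        "alert.server_group_ip": alert["server_group_ip"],
        "alert.server_group": alert["server_group"],
        # dow mon dd hh:mm:ss zzz yyyy, the documented form of {alert.time}
        "alert.time": alert["time"].strftime("%a %b %d %H:%M:%S %Z %Y"),
        "alert.description": alert["description"],
        # only meaningful for correlation alerts; empty for any other type
        "alert.rule.name": alert.get("rule_name", ""),
        "alert.rule.description": alert.get("rule_description", ""),
    }


def render_message(template: str, values: dict) -> str:
    """Replace the known placeholders; all other text, braces included, is used as is."""
    return PLACEHOLDER.sub(lambda m: values.get(m.group(1), m.group(0)), template)


def syslog_line(message: str, level: int, sent_at: datetime, hostname: str = "appxcel-mgmt",
                facility: int = 20, max_len: int = 1024) -> str:
    """Wrap the rendered message as a BSD-syslog (RFC 3164) line: <PRI>TIMESTAMP HOST MSG.

    level is the syslog severity chosen in step 8 (0 = emergency ... 7 = debug); facility 20
    is local4 (an assumption). Anything beyond max_len bytes is cut off, which is the
    truncation the note above describes.
    """
    if not 0 <= level <= 7:
        raise ValueError("syslog level must be between 0 and 7")
    pri = facility * 8 + level
    stamp = f"{sent_at:%b} {sent_at.day:2d} {sent_at:%H:%M:%S}"   # RFC 3164 day is space-padded
    line = f"<{pri}>{stamp} {hostname} {message}".encode("utf-8")
    return line[:max_len].decode("utf-8", errors="ignore")


# Constructed sample event (not real traffic).
SAMPLE_ACTION = {"ip": "203.0.113.7", "session": "JSESSIONID=a1b2c3"}
SAMPLE_ALERT = {
    "id": 4711, "severity": "high", "type": "signature",
    "server_group_ip": "192.0.2.10", "server_group": "web-shop",
    "time": datetime(2008, 1, 15, 9, 30, 5, tzinfo=timezone.utc),
    "description": "Signature match in HTTP parameter",
}


def example_line(template: str = DEFAULT_TEMPLATE, max_len: int = 1024) -> str:
    """Render the sample alert with the given template into one syslog line."""
    message = render_message(template, placeholder_values(SAMPLE_ACTION, SAMPLE_ALERT))
    return syslog_line(message, level=2, sent_at=SAMPLE_ALERT["time"], max_len=max_len)


if __name__ == "__main__":
    print(example_line())
```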

Configuring the AppXcel™ WAF SNMP Action Interface

The AppXcel WAF SNMP action interface sends alerts via SNMP traps to external SNMP management devices.

To enable/modify the SNMP action interface:

1. Click Global Settings on the tab bar.
2. Expand the Actions item in the left tree menu.
3. Expand the Action Interfaces item in the left tree menu.
4. Click Create New Action Interface. The Add Action Interface window appears, as displayed in Figure B-1.
5. Click SNMP Trap. The New SNMP Trap Action Interface window appears, as displayed in Figure B-3.

Note: This configuration change does not take effect until the setting changes are activated by clicking the Activate Settings button at the bottom-right corner of the AppXcel WAF Interface window.

Figure B-3 New SNMP Trap Action Interface Window

6. Type a name for the action interface in the Display name field.
7. Type in the SNMP server IP address, the SNMP server port, and the SNMP community string.
8. Click Save.

Configuring the Email Alerts Action Interface

An email interface includes a remote SMTP server and a list of one or more email addresses.

To configure an email interface:

1. Click Global Settings on the tab bar.
2. Expand the Actions item in the left tree menu.
3. Expand the Action Interfaces item in the left tree menu.
4. Click Create New Action Interface. The Add Action Interface window appears, as displayed in Figure B-1.
5. Click Email. The New Email Action Interface window appears, as displayed in Figure B-4.

Figure B-4 New Email Action Interface Window

6. Enter the email address of the AppXcel WAF's email account in the Source Email field.
7. This address identifies the message's sender.
8. Enter the destination email address to which to send alerts in the Destination Email field (you can use multiple email addresses separated with a comma).
9. Enter the DNS name or IP address of the SMTP email server in the SMTP Server field. The email server (SMTP gateway) routes the emails. Check with your network administrator how emails are sent within the organization.
10. Select Text or HTML for the email type. Use Text only if your email servers block HTML email or your email client does not support HTML.
11. Enter the text of the email message in the Remarks text box.
12. Click Save.

Note: Ensure that the AppXcel WAF Management Server is authorized to connect to port 25 on the email server (SMTP Server).

Appendix C - Back-end SSL Encryption

This appendix describes how to configure Back-end SSL Encryption, by first configuring AppXcel Tunnel and then AppXcel WAF. Procedures are also included on how to upload SSL keys.

Configuring Back-end SSL Encryption

AppXcel supports Back-end SSL Encryption. To configure this to work with the WAF, you need to configure AppXcel Tunnel to enable back-end SSL first.

To configure AppXcel Tunnel:

1. First, configure a Tunnel (see AppXcel User Guide section 5-1, Tunnels).
2. In the Tunnel configuration page, select Tunnel > Backend SSL.
3. Select the relevant Tunnel.
4. Change the status to on.
5. Select the Backend SSL Cipher strength - Low, Medium or High.

Using the CLI to configure AppXcel Tunnel:
• AppXcel tunnel backendssl set <TunnelID/all> [-b <on/off>]
• Tunnel ID/all - the relevant Tunnel on which to perform Back-end SSL, or all Tunnels.
• <On/Off> - turns the encryption On or Off.
• <Low/Medium/High> - determines the cipher's strength.
• p <TCP port> - sets the destination TCP port to be used to exchange L7 information with the WSD when back-end encryption is enabled. This flag is available only for HTTP tunnels.

To configure AppXcel WAF:

1. In AppXcel™ WAF, select Server Groups.
2. Create a web server group (or select an existing one from the server groups in the left navigation tree).
3. In the right pane, select SSL Support.
4. Configure the ports that the back-end server listens on for SSL in the SSL ports text box. If there is more than one port, use a comma-separated list.
5. Click the SSL Private Key button to upload the server private keys or delete old keys from AppXcel WAF.

Note: WAF with backend-SSL is not supported when the backend cipher is DH.

Note: Although these are the same server private keys as configured in the Tunnel, it is necessary to upload them here as the second stage of this procedure.

Uploading Keys

Application Firewall protects Web servers that communicate using SSL-encrypted HTTP (HTTPS). SSL (Secure Socket Layer) encryption decrypts encrypted messages with certificates containing strings of 128 digits. Application Firewall also supports Transport Layer Security (TLS), which is actually SSL version 3.1. An Application Firewall Gateway that monitors a Web server requires the same SSL private key in order to decrypt its communications. You can define multiple SSL key files for one Server Group that uses multiple SSL keys. The group of SSL key files is associated with the Server Group. Each key must have a unique name.

To upload an SSL Key:

1. In AppXcel™ WAF, select Web Server Group > Entity Settings > Definitions > SSL Private Key. In this dialog box you can copy the SSL Private Key file(s) from the protected Web server(s) to the Application Firewall server.

2. Locate the SSL private key or export it from the Web server. If you are using a Microsoft IIS web server, export the keys to a .pfx file. If you are using any other web server, export the keys to a .pem file.

3. Copy the file to the client machine which you use to access the Application Firewall Management Server.

4. If you have a .pem file, locate the SSL certificate or export it from the browser. To export the certificate from Internet Explorer:
a. Browse to an SSL protected page on the site.
b. Double-click the lock icon on the bottom panel of the browser.
c. Switch to the Details tab.
d. Click Copy to File.
e. Click Next.
f. Select Base-64 Encoded X.509 and save the file.

5. Open the Application Firewall interface and log on to the server.
6. Expand the Web Server Group submenu.
7. Expand the Server Group Settings submenu and click Definitions.
8. The data page displays the Server Group's basic settings.
9. Select the SSL Support check box.

Note: For non-IIS web servers you must load both the SSL private key and the SSL certificate that matches the key.

10. Enter the port number used for SSL communications in the text box next to SSL Port. The default port for SSL communications is 443. The default port for combined HTTP and HTTPS communications is 8433.
11. Click SSL Private Keys.
12. Select the file format you wish to upload.
13. Enter a name for the specific key.
14. If you are uploading a .pfx file, you should also provide the password for the file.
15. Browse to the location of each file.
16. Click Add.
17. To add another private key, repeat step 10.
18. Click Close. The Edit SSL Private Key dialog closes.

Appendix D - AppXcel WAF CLI Commands

This appendix lists the CLI commands that are necessary to launch AppXcel WAF management and update the Signatures Database.

A List of CLI Commands in the AppXcel WAF User Guide

• system license web-application-firewall get
Web application firewall license exists

• system license web-application-firewall set <license string/none>
The pin code is generated by Radware. Sets the Web Application Firewall license.

• system config web-application-firewall import
Note: Once the Zmodem has been launched, the operation cannot be aborted.
1) Zmodem
2) SSH
3) Quit
Please select import protocol [1-3]: 2
Please send (via scp) the waf configuration and ENTER to continue
09/04/2007 13:40:27 info User radware has logged in via SSH.
Import Web Application Firewall configuration. It may take several minutes......OK
Configuration Import completed.

• system device dbg web-application-firewall internal-logs export
Used to extract the internal logs from the device via SCP.
copy /tmp/waf_logs.rdwr via scp:
scp radware@<device ip>:/tmp/waf_logs.rdwr
WARNING: the file will be deleted after the command ends.

• system config web-application-firewall import
Note: Once the Zmodem has been launched, the operation cannot be aborted.
1) Zmodem
2) SSH
3) Quit
Please select import protocol [1-3]: 1
Send the file. (file name is not important)
Import Web Application Firewall configuration. It may take several minutes.
Configuration Import completed.

• system config web-application-firewall erase
The Web Application Firewall configuration is erased. Are you sure you want to continue? (Y/N) y

• appxcel web-application-firewall enable
Enables the WAF. When enabling the WAF, allow several minutes for the WAF to start.

• appxcel web-application-firewall disable
When the WAF is disabled, WAF protection is not available for any traffic going through AppXcel.
Stopping Web Application Firewall ......... OK.

• appxcel web-application-firewall signatures get?
Usage: appxcel web-application-firewall signatures get
Shows the version of the Web Application Firewall signature file. The current Web Application Firewall signature file version is the date, day-month-year. The customer is required to contact Radware support to obtain the signature update and send it to the updated file. Press Enter. Wait for the prompt.

• appxcel web-application-firewall signatures import
Imports the signature file into the Web Application Firewall module.

A P P E N D I XEDatabase Overflow

ProtectionThis appendix describes how to configure the AppXcel™ WAF database overflow protection.Alert information accumulates in the AppXcel™ WAF database. You can configure the action taken when the database approaches its capacity.

The Overflow Mechanism
There are two options for handling new alerts when the database is full:
• Old alerts are deleted as required to free up storage space for new alerts (Delete old alerts (cyclic)).
• New alerts are not stored due to unavailable space (Stop storing alerts).
AppXcel™ WAF sends an email alert when the database capacity reaches 80%. If configured for cyclic deletion of alerts, it also sends an email when old alerts are deleted.


Viewing and Modifying the Database Overflow Protection
The following procedure describes how to view and modify the Database Overflow Protection.

To view/modify the database overflow protection:

1. Click Global Settings.
2. Click Database Overflow Protection in the left tree menu. The Database Overflow Protection window appears, as displayed in Figure E-1.

Figure E-1 Database Overflow Protection Window

3. Modify the storage option as required.
4. Modify the email interface as required.
5. Click Save.


Appendix F - HTTP Methods

This appendix describes the different HTTP methods used by Web servers. The HTTP method used with the URL is required every time a new URL is manually added to the AppXcel WAF profiles. The method is set by the Web server and the application. This appendix describes the HTTP methods that AppXcel WAF supports.
This HTTP method information is also very useful when an Unknown URL violation occurs with an Unknown Method attribute. It means that the user or attacker tried to access that URL using the wrong method. This appendix enables you to better understand the meaning of each method and when it is used.
HTTP methods can be added or removed by editing the bootstrap.xml file, located in the directory {Gateway_installation}\agentdata\. This file includes the entire set of HTTP methods that AppXcel WAF 4.2 supports.

Standard Methods
These methods are part of the HTTP 1.1 Standard (RFC 2616).

Method Meaning


GET This method means retrieve whatever data is identified by the URI, so where the URI refers to a data-producing process, or a script which can be run by such a process, it is this data which is returned, and not the source text of the script or process.

HEAD This method is the same as GET but returns only HTTP headers and no document body.

PUT This method specifies that the data in the body is to be stored under the supplied URL. The URL must already exist. The new content of the document is the data part of the request.

POST This method is used to request that the origin server accept the entity enclosed in the request as a new subordinate of the resource identified by the Request-URI in the Request-Line.

TRACE This method is used to invoke a remote, application-layer loop-back of the request message.

CONNECT This method is for use with a proxy that can dynamically switch to being a tunnel.

OPTIONS The OPTIONS method represents a request for information about the communication options available on the request/response chain identified by the Request-URI.

DELETE This method deletes a resource at the specified Uniform Resource Identifier (URI).


WebDAV Methods
WebDAV stands for Web-based Distributed Authoring and Versioning. It is a set of extensions to the HTTP protocol that allows users to collaboratively edit and manage files on remote Web servers. See http://www.Webdav.org/ and RFC 2518 for more information on WebDAV.

Method Meaning

COPY This method creates a duplicate of the source resource identified by the Request-Uniform Resource Identifier (URI), in the destination resource identified by the Destination Header.

LOCK This method is used to take out a lock of any access type on a resource so that another principal does not modify the resource while it is being edited.

MOVE This method is used to move a resource to the location specified by a request Uniform Resource Identifier (URI).

PROPPATCH This method sets properties for the resource at the specified destination Uniform Resource Identifier (URI).

PROPFIND This method retrieves properties for a resource identified by the request Uniform Resource Identifier (URI).

UNLOCK This method is used to remove the lock on the resource at the request Uniform Resource Identifier (URI).

MKCOL This method creates a new collection at the location specified by the Request-Uniform Resource Identifier (URI).


Microsoft IIS WebDAV Extensions

Method Meaning

BCOPY This Method is similar to the COPY Method but it is used to copy one or more target resources to a destination.

BDELETE The WebDAV BDELETE Method is similar to the DELETE Method but it is used to delete one or more target resources.

BMOVE The WebDAV BMOVE Method is similar to the MOVE Method but it is used to move one or more target resources to a destination.

BPROPFIND The WebDAV BPROPFIND Method is similar to the PROPFIND Method but it is used to retrieve the properties of one or more target resources.

BPROPPATCH The WebDAV BPROPPATCH Method is similar to the PROPPATCH Method but it is used to set properties on one or more target resources.

NOTIFY This method is called by the server whenever an event that the client has subscribed to fires. The NOTIFY method sends User Datagram Protocol (UDP) packets to the client until the subscription has timed out.

POLL This method is used to either acknowledge that the client has received and responded to a particular event, or to query the server for any events that may have fired.

SEARCH This method is used to search an Exchange store for resources.

SUBSCRIBE This method is used to create a subscription to a resource.

UNSUBSCRIBE This method is used to end a subscription to a resource.
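The following added example (not code from the AppXcel WAF product or this guide) shows how the method tables above are used in practice: a request line is checked against a learned per-URL profile, and a known URL reached with a method the profile never learned is reported as an Unknown URL violation with the Unknown Method attribute, exactly the case the introduction to this appendix describes. The profile data, the "Unknown Path" and "Unsupported Method" labels, and the request lines are constructed for the illustration; only the method names come from the tables.

```python
import re

# Constructed learned profile (hypothetical data, not from the guide):
# path -> set of HTTP methods the profile allows for that URL.
LEARNED_PROFILE = {
    "/login": {"GET", "POST"},
    "/docs/report.txt": {"GET", "HEAD", "PUT"},
    "/calendar/": {"GET", "PROPFIND"},
}

# Method names taken from the three tables in this appendix. They only decide
# whether an unexpected method is one the WAF knows at all.
STANDARD_METHODS = {"GET", "HEAD", "PUT", "POST", "TRACE", "CONNECT", "OPTIONS", "DELETE"}
WEBDAV_METHODS = {"COPY", "LOCK", "MOVE", "PROPPATCH", "PROPFIND", "UNLOCK", "MKCOL"}
IIS_WEBDAV_METHODS = {"BCOPY", "BDELETE", "BMOVE", "BPROPFIND", "BPROPPATCH",
                      "NOTIFY", "POLL", "SEARCH", "SUBSCRIBE", "UNSUBSCRIBE"}
SUPPORTED_METHODS = STANDARD_METHODS | WEBDAV_METHODS | IIS_WEBDAV_METHODS

# HTTP/1.1 request line: METHOD SP request-target SP HTTP-version
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")


def check_request_line(request_line, profile=LEARNED_PROFILE):
    """Classify one request line against the learned profile.

    Returns (violation, attribute, detail). "OK" means the URL is known and the
    method is one the profile learned for it. "Unknown Method" is the attribute
    named in the guide; "Unknown Path" and "Unsupported Method" are labels this
    example adds (assumptions) to keep the other outcomes apart.
    """
    m = REQUEST_LINE.match(request_line)
    if not m:
        return ("Malformed Request Line", None, request_line)
    method, target = m.groups()
    path = target.split("?", 1)[0]  # the query string is not part of the profiled URL
    allowed = profile.get(path)
    if allowed is None:
        return ("Unknown URL", "Unknown Path", path)
    if method in allowed:
        return ("OK", None, f"{method} {path}")
    # Known URL, wrong method: the case the appendix describes. A token that is
    # in none of the method tables gets the separate "Unsupported Method" label.
    attribute = "Unknown Method" if method in SUPPORTED_METHODS else "Unsupported Method"
    return ("Unknown URL", attribute, f"{method} {path}; profile allows {sorted(allowed)}")


def triage(request_lines, profile=LEARNED_PROFILE):
    """Run every line through the check and group the results by violation type."""
    report = {}
    for line in request_lines:
        violation, attribute, detail = check_request_line(line, profile)
        report.setdefault(violation, []).append((attribute, detail))
    return report


if __name__ == "__main__":
    # Constructed request lines for a quick demonstration.
    sample = [
        "GET /login HTTP/1.1",
        "PUT /login?next=/home HTTP/1.1",
        "PROPFIND /calendar/ HTTP/1.1",
        "BMOVE /docs/report.txt HTTP/1.1",
        "FOO /login HTTP/1.1",
        "GET /admin HTTP/1.1",
    ]
    for violation, items in triage(sample).items():
        print(violation)
        for attribute, detail in items:
            print(f"  {attribute or '-'}: {detail}")
```

When an alert shows Unknown URL with the Unknown Method attribute, the detail string above tells you which methods the profile did learn for that URL, which is what you need in order to decide whether the profile is incomplete (add the method to the URL) or the request was genuinely out of place.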


Appendix G - HTTP Response Codes

This appendix lists the various HTTP response codes returned by Web servers. This information is useful when analyzing alerts.

Code Meaning

100 Continue
101 Switching Protocols
200 OK
201 Created
202 Accepted
203 Non-Authoritative Information
204 No Content
205 Reset Content
206 Partial Content
300 Multiple Choices
301 Moved Permanently
302 Found
303 See Other
304 Not Modified
305 Use Proxy
307 Temporary Redirect
400 Bad Request
401 Unauthorized
402 Payment Required
403 Forbidden
404 Not Found
405 Method Not Allowed
406 Not Acceptable
407 Proxy Authentication Required
408 Request Time-Out
409 Conflict
410 Gone
411 Length Required
412 Precondition Failed
413 Request Entity Too Large
414 Request-URI Too Large
415 Unsupported Media Type
416 Requested Range Not Satisfiable
417 Expectation Failed
500 Internal Server Error
501 Not Implemented
502 Bad Gateway
503 Service Unavailable
504 Gateway Time-Out
505 HTTP Version Not Supported
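As an added example of using the response codes when analyzing alerts (this is illustration code, not part of the guide or the product), the block below parses a handful of constructed Common Log Format lines, buckets each response into its RFC 2616 class by the hundreds digit, and then answers two questions an analyst typically asks: which clients are collecting many 4xx responses, and which URLs are producing 5xx responses. The log lines, client addresses and paths are made up for the demonstration; the threshold of three client errors is an assumption.

```python
import re
from collections import Counter

# Constructed access-log lines in Common Log Format (sample data, not from the guide).
# The last line is deliberately malformed to show that unparsable input is counted, not silently lost.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2008:09:15:01 +0200] "GET /index.html HTTP/1.1" 200 1043
10.0.0.5 - - [10/Jan/2008:09:15:02 +0200] "GET /login HTTP/1.1" 200 512
10.0.0.5 - - [10/Jan/2008:09:15:03 +0200] "GET /old/home.asp HTTP/1.1" 301 -
10.0.0.9 - - [10/Jan/2008:09:15:03 +0200] "GET /reports/2006.pdf HTTP/1.1" 404 210
10.0.0.9 - - [10/Jan/2008:09:15:03 +0200] "GET /reports/2007.pdf HTTP/1.1" 404 210
10.0.0.9 - - [10/Jan/2008:09:15:04 +0200] "GET /reports/2008.pdf HTTP/1.1" 404 210
10.0.0.9 - - [10/Jan/2008:09:15:04 +0200] "TRACE / HTTP/1.1" 405 180
10.0.0.7 - - [10/Jan/2008:09:15:05 +0200] "POST /api/report HTTP/1.1" 500 95
this line is not in the expected format
"""

# client ident user [time] "METHOD target HTTP/x.y" status size
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# The five classes of RFC 2616 status codes, keyed by the hundreds digit.
STATUS_CLASSES = {1: "Informational", 2: "Success", 3: "Redirection",
                  4: "Client Error", 5: "Server Error"}


def status_class(code):
    return STATUS_CLASSES.get(code // 100, "Unknown")


def parse_log(text):
    """Parse the lines that fit the format; return (records, unparsed_line_count)."""
    records, skipped = [], 0
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            skipped += 1
            continue
        code = int(m["status"])
        records.append({
            "client": m["client"],
            "method": m["method"],
            "path": m["target"].split("?", 1)[0],
            "status": code,
            "class": status_class(code),
        })
    return records, skipped


def count_by_class(records):
    """How many responses fell into each status class."""
    return Counter(r["class"] for r in records)


def clients_with_client_errors(records, threshold=3):
    """Clients that collected at least `threshold` 4xx responses (assumed threshold)."""
    per_client = Counter(r["client"] for r in records if r["class"] == "Client Error")
    return sorted(c for c, n in per_client.items() if n >= threshold)


def paths_with_server_errors(records):
    """URLs that returned any 5xx response; a 5xx on a profiled URL is worth a look
    because the application, not the client, failed."""
    return sorted({r["path"] for r in records if r["class"] == "Server Error"})


if __name__ == "__main__":
    records, skipped = parse_log(SAMPLE_LOG)
    print(f"parsed {len(records)} lines, skipped {skipped}")
    print(dict(count_by_class(records)))
    print("clients with repeated client errors:", clients_with_client_errors(records))
    print("paths with server errors:", paths_with_server_errors(records))
```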


Appendix H - Parameter Value Types

This appendix describes the different parameter value types, which define the group of characters allowed in the value of a parameter.
AppXcel WAF automatically profiles the allowed value types for each learned parameter. If during protect mode the value of a certain parameter doesn't match the profiled value type, AppXcel WAF generates a Value Type Violation.
Each parameter has a main value type and extended value types. The main value type together with the list of extended value types defines the group of characters allowed in the value of a parameter.
Although AppXcel WAF automatically profiles value types, you can manually change them by accessing the profile.

Main Types
The main types of a parameter's value define the set of regular characters allowed in a value. You can only select a single main type for each parameter.

DEC Hex Characters
48-57 30-39 0 1 2 3 4 5 6 7 8 9
65-90 41-5A A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
97-122 61-7A a b c d e f g h i j k l m n o p q r s t u v w x y z
Foreign Language Characters (Extended ASCII)
193-223 C1-DF UTF-8 two byte combinations, first byte
225-239 E1-EF UTF-8 three byte combinations, first byte
241-247 F1-F7 UTF-8 four byte combinations, first byte
249-251 F9-FB UTF-8 five byte combinations, first byte
253 FD UTF-8 six byte combinations, first byte
129-191 81-BF UTF-8 non-first byte
128-192 80-C0
224 E0
240 F0
248 F8
252 FC
254-255 FE-FF

Extended Value Types
In addition to the main value type, AppXcel WAF defines extended value types. These are mutually exclusive groups of characters not included in either of the main character sets. For each parameter you can select a list of extended value types allowed for its value.

DEC Hex Characters
White Spaces
9 09 TAB
32 20 Space
Line Breaks
10 0A LF
13 0D CR
Slash
47 2F /
92 5C \
Quote
39 27 '
Angled Brackets
60 3C <
62 3E >
ASCII Control Characters
1 01 SOH
2 02 STX
3 03 ETX
4 04 EOT
5 05 ENQ
6 06 ACK
7 07 BEL
8 08 BS
11 0B VT
12 0C FF
14 0E SO
15 0F SI
16 10 DLE
17 11 DC1
18 12 DC2
19 13 DC3
20 14 DC4
21 15 NAK
22 16 SYN
23 17 ETB
24 18 CAN
25 19 EM
26 1A SUB
27 1B ESC
28 1C FS
29 1D GS
30 1E RS
31 1F US
127 7F DEL
Percent Sign
37 25 %
HTTP Query String Separators
38 26 &
61 3D =
63 3F ?
Parenthesis
40 28 (
41 29 )
Brackets
91 5B [
93 5D ]
123 7B {
125 7D }
OS Related Separators
33 21 !
96 60 `
126 7E ~
Double Quote
34 22 "
Asterisk
42 2A *
Plus Sign
43 2B +
Period
46 2E .
Concatenation
124 7C |
Null
0 00 NUL
Others
35 23 #
36 24 $
58 3A :
64 40 @
94 5E ^
95 5F _
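The following added example (illustration code, not part of the guide or the product) turns the two tables above into a working check: a value is validated against one main type plus a list of extended groups, every character the profile does not allow is reported together with the group that would cover it, and a small learning routine derives the narrowest main type and the extended groups needed to cover a set of sample values. The main-type names "Digits", "Letters" and "Alphanumeric" are this example's own; the extended group names are the ones in the table; treating foreign-language characters as one extra group covering every code point of 128 and above is a simplification made here.

```python
import string

# Main value types: exactly one is chosen per parameter. The three names are this
# example's own (constructed); the guide does not name its main types in the table.
MAIN_TYPES = {
    "Digits": set(string.digits),
    "Letters": set(string.ascii_letters),
    "Alphanumeric": set(string.ascii_letters + string.digits),
}

# Extended value types, keyed by the group names used in the table above.
EXTENDED_TYPES = {
    "White Spaces": {"\t", " "},
    "Line Breaks": {"\n", "\r"},
    "Slash": {"/", "\\"},
    "Quote": {"'"},
    "Angled Brackets": {"<", ">"},
    "ASCII Control Characters": {chr(c) for c in range(1, 32) if c not in (9, 10, 13)} | {"\x7f"},
    "Percent Sign": {"%"},
    "HTTP Query String Separators": {"&", "=", "?"},
    "Parenthesis": {"(", ")"},
    "Brackets": {"[", "]", "{", "}"},
    "OS Related Separators": {"!", "`", "~"},
    "Double Quote": {'"'},
    "Asterisk": {"*"},
    "Plus Sign": {"+"},
    "Period": {"."},
    "Concatenation": {"|"},
    "Null": {"\x00"},
    "Others": {"#", "$", ":", "@", "^", "_"},
}
FOREIGN = "Foreign Language Characters"   # simplification: any code point >= 128
MAIN_TOO_NARROW = "(main type too narrow)"  # a letter or digit the chosen main type excludes


def group_of(ch):
    """Name the extended group of a character, or None if the tables do not list it
    (for example ',' ';' and '-' appear in none of them)."""
    if ord(ch) >= 128:
        return FOREIGN
    for name, chars in EXTENDED_TYPES.items():
        if ch in chars:
            return name
    return None


def check_value(value, main_type, extended=()):
    """Validate one parameter value in protect mode.

    Returns (ok, unexpected_chars, groups_needed): the characters the profile does
    not allow and the extended groups (or main-type change) that would cover them.
    A non-empty unexpected list is what the WAF reports as a Value Type Violation.
    """
    allowed = MAIN_TYPES[main_type]
    extended = set(extended)
    unexpected, needed = set(), set()
    for ch in value:
        if ch in allowed:
            continue
        group = group_of(ch)
        if group in extended:
            continue
        unexpected.add(ch)
        if group is not None:
            needed.add(group)
        elif ch in MAIN_TYPES["Alphanumeric"]:
            needed.add(MAIN_TOO_NARROW)
        else:
            needed.add("(unclassified)")
    return (not unexpected, sorted(unexpected), sorted(needed))


def learn_types(samples):
    """Learning mode: derive the narrowest main type and the extended groups that
    together cover every character seen in the sample values."""
    seen = set("".join(samples))
    main_chars = seen & MAIN_TYPES["Alphanumeric"]
    if main_chars and main_chars <= MAIN_TYPES["Digits"]:
        main = "Digits"
    elif main_chars and main_chars <= MAIN_TYPES["Letters"]:
        main = "Letters"
    else:
        main = "Alphanumeric"
    extended = set()
    for ch in seen - main_chars:
        group = group_of(ch)
        if group is None:
            raise ValueError(f"character {ch!r} is in none of the value-type tables")
        extended.add(group)
    return main, sorted(extended)


if __name__ == "__main__":
    main, ext = learn_types(["john", "doe_1"])          # constructed sample values
    print("learned:", main, ext)
    print("protect:", check_value("mary-ann", main, ext))
```

The learned profile is only as good as the samples: in the constructed run above, a later value containing a hyphen fails because no table lists it, which is the situation where you would edit the profile by hand rather than leave the violation standing.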


Appendix I - Writing Signatures

This appendix describes the AppXcel WAF signature language. AppXcel WAF includes a signature detection and prevention layer. For more information on the AppXcel WAF signature detection and prevention engine. AppXcel WAF comes with a preconfigured database of more than 2500 signatures. This database is updated automatically from the Radware web sites on a regular basis. In addition to these preconfigured and automatically downloaded signatures, users can write their own signatures to detect and block communication consisting of specific information. This appendix explains the language in which such signatures are written. The language resembles the Snort™ signature language, although there are some notable differences.

Single Part Signatures
The basic signature unit is a part, which contains the actual signature text. The following signature searches for the term "hello world":
part="hello world"


Use \x<hex value> to add binary characters to the signature. In the following signature the white space is replaced with \x20, which is the hexadecimal representation of a white space.
part="hello\x20world"
To look for the backslash character, you must enter a double backslash. The following signature looks for the term "hello\world":
part="hello\\world"

Multi Part Signatures
You can include as many parts as required in a signature to search for a sequence of terms. For example, the following signature can match any of the following strings:
• abcdRadwareApplication Firewall
• abcdRadwareabcdApplication Firewall
• abcdRadwareabcdSecure---Sphere
part="Radware", part="Secure", part="Sphere"
Different parts are separated by a comma. White spaces are allowed before and after the comma.

Adding Absolute Modifiers
Absolute modifiers limit the part to be matched to a specific area of a stream. The absolute modifiers that are supported are:
• amin: The absolute position in the stream to start matching this part.
• amax: The absolute position in the stream to stop matching this part.
For example, the following signature has one part with absolute modifiers. The string "cmd.exe" is searched only from position 10 to position 20 in the stream.
part="cmd.exe", amin="10", amax="20"
You can include absolute modifiers after any part using commas. You can add either a single modifier or both modifiers for each part.


Adding Relative Modifiers
Relative modifiers limit the part to a specific area after the previous part. The supported relative modifiers are:
• rmin: The position, relative to the previous part, to start searching for this part.
• rmax: The position, relative to the previous part, to stop searching for this part.
For example, the following signature includes two parts. The second part is searched for in a range of 10 characters from the first part.
part="cmd", part=".exe", rmax="10"
The string cmd12345.exe matches this signature. However, the string cmd12345678.exe does not, as the ".exe" part ends 12 characters after the "cmd" part.
You can include relative modifiers after any part using commas. You can add either a single modifier or both modifiers for each part. You can also include both relative and absolute modifiers for the same part. Relative modifiers are ignored for the first part, as the part must be relative to the previous part, which in this case doesn't exist.

Regular Expression Parts
The use of a regular expression part is optional and only applies to non-stream signatures (i.e. URL, parameters, and headers). You can only include one regular expression part per signature. The regular expression part must be the last part in the signature. Any number of non-regular-expression parts can precede the regular expression part. The regular expression is searched only if all preceding parts were found. The regular expression is searched on the entire object (for example, the URL), and not on the text following the last part.
For example, the following signature searches for the term "cmd" and then searches for the following ".exe" term. If both terms are found, the signature searches for the regular expression "cmd\s*\.\s*exe" on the entire URL. This regular expression makes sure that between the term "cmd" and ".exe" only white spaces appear.
part="cmd", part=".exe", rmax="10", rgxp="cmd\s*\.\s*exe"
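To make the rules of the last four sections concrete, here is an added reference matcher for the signature language (written for this appendix; it is not AppXcel WAF's own engine, whose exact window semantics the guide does not spell out). It parses single- and multi-part signatures with the \x and \\ escapes, applies amin/amax as an absolute window and rmin/rmax as a window measured from the end of the previous part, and runs an optional rgxp over the whole object only after every part was found. Two choices are assumptions: a part "stops" at amax or rmax when its last character would fall past that position (this reproduces the cmd12345678.exe example, whose ".exe" ends 12 characters after "cmd"), and rgxp is handed to Python's re module, which accepts a superset of the simplified syntax described below. The matcher also backtracks over earlier occurrences, so a later "cmd" can still satisfy a tight rmax on ".exe".

```python
import re

# One token of the signature language: key="value" followed by a comma or the end.
TOKEN = re.compile(r'\s*(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*(?:,|$)')
# Escapes allowed in a part: \xHH for a raw byte and \\ for a single backslash.
ESCAPE = re.compile(r'\\x([0-9A-Fa-f]{2})|\\\\')
MODIFIERS = ("amin", "amax", "rmin", "rmax")


def decode_part(text):
    """Turn \\xHH into the byte it names and \\\\ into one backslash."""
    return ESCAPE.sub(lambda m: chr(int(m.group(1), 16)) if m.group(1) else "\\", text)


def parse_signature(sig):
    """Parse a signature into (parts, rgxp); each part carries its own modifiers."""
    parts, rgxp, pos = [], None, 0
    for m in TOKEN.finditer(sig):
        if m.start() != pos:
            raise ValueError(f"unparsable text at offset {pos}: {sig[pos:m.start()]!r}")
        pos = m.end()
        key, value = m.group(1), m.group(2)
        if key == "part":
            if rgxp is not None:
                raise ValueError("the regular expression part must be the last part")
            parts.append({"text": decode_part(value), "amin": 0, "amax": None,
                          "rmin": 0, "rmax": None})
        elif key in MODIFIERS:
            if not parts:
                raise ValueError(f"{key} must follow a part")
            parts[-1][key] = int(value)
        elif key == "rgxp":
            if rgxp is not None:
                raise ValueError("only one rgxp is allowed per signature")
            rgxp = value  # kept verbatim; the regex engine interprets \s, \x20 and friends
        else:
            raise ValueError(f"unknown keyword {key!r}")
    if pos != len(sig) or not parts:
        raise ValueError("malformed signature")
    return parts, rgxp


def _match_from(stream, parts, index, prev_end):
    """Match parts[index:] given that the previous part ended at prev_end.
    Every occurrence inside the window is tried, so an earlier part may be
    re-anchored to a later occurrence when the next part's window demands it."""
    if index == len(parts):
        return True
    p, text = parts[index], parts[index]["text"]
    lo = p["amin"]                                        # absolute window (assumed semantics)
    hi = len(stream) if p["amax"] is None else min(len(stream), p["amax"])
    if index > 0:                                         # relative window; ignored for the first part
        lo = max(lo, prev_end + p["rmin"])
        if p["rmax"] is not None:
            hi = min(hi, prev_end + p["rmax"])
    start = stream.find(text, lo)
    while start != -1 and start + len(text) <= hi:
        if _match_from(stream, parts, index + 1, start + len(text)):
            return True
        start = stream.find(text, start + 1)
    return False


def signature_matches(sig, data):
    """True if every part is found within its window and, if an rgxp is present,
    the regular expression also matches somewhere in the whole object."""
    parts, rgxp = parse_signature(sig)
    if not _match_from(data, parts, 0, 0):
        return False
    return rgxp is None or re.search(rgxp, data) is not None


if __name__ == "__main__":
    # The signatures are the ones from this appendix; the inputs are constructed.
    for sig, sample in [
        ('part="cmd.exe", amin="10", amax="20"', "xxxxxxxxxxcmd.exe"),
        ('part="cmd", part=".exe", rmax="10"', "cmd12345678.exe"),
        (r'part="cmd", part=".exe", rmax="10", rgxp="cmd\s*\.\s*exe"', "run cmd .exe"),
    ]:
        print(f"{sig!r} on {sample!r}: {signature_matches(sig, sample)}")
```

Because parse_signature rejects anything it cannot account for (a missing comma, a modifier before any part, a second rgxp), it doubles as a lint step for hand-written signatures before they are loaded.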


Regular Expression Syntax
AppXcel™ WAF supports a simplified form of standard regular expressions. Supported constructs are:

Character classes
• '\s' - Matches white space (tabs, spaces, etc.).
• '\d' - Matches decimal digits (0-9).
• '.' - Matches any character.
• '\w' - Matches alphanumeric characters and the underscore symbol ('_').
• '\W' - Matches non-alphanumeric characters.

Sets
A set is a set of characters that can match any single character that is a member of the set. Sets are delimited by "[" and "]" and can contain literals, character ranges, character classes, collating elements and equivalence classes. For example '[abc]' matches any of the three letters a, b and c.

The Negation Operator
The negation operator '^' is not supported.

Repeats
A repeat is an expression that is repeated an arbitrary number of times. An expression followed by "*" can be repeated any number of times including zero. An expression followed by "+" can be repeated any number of times, but at least once. An expression followed by "?" may be repeated zero or one times only. When it is necessary to specify the minimum and maximum number of repeats explicitly, the bounds operator "{}" may be used, thus "a{2}" is the letter "a" repeated exactly twice, "a{2,4}" represents the letter "a" repeated between 2 and 4 times, and "a{2,}" represents the letter "a" repeated at least twice with no upper limit. Note that there must be no white space inside the {}, and there is no upper limit on the values of the lower and upper bounds. All repeat expressions refer to the shortest possible previous sub-expression: a single character; a character set, or a sub-expression grouped with "()" for example. Examples:
• "ba*" matches all of "b", "ba", "baaa" etc.
• "ba+" matches "ba" or "baaaa" for example but not "b".
• "ba?" matches "b" or "ba".
• "ba{2,4}" matches "baa", "baaa" and "baaaa".

Parentheses
Parentheses serve two purposes: to group items together into a sub-expression, and to mark what generated the match. For example the expression "(ab)*" matches all of the string "ababab".

Alternatives
Alternatives occur when the expression can match either one sub-expression or another; each alternative is separated by "|", or "\|". Each alternative is the largest possible previous sub-expression; this is the opposite behavior from repetition operators. Examples:
• "a(b|c)" could match "ab" or "ac".
• "abc|def" could match "abc" or "def".

Escaping
All "special characters" are matched by prefixing the escape character (\). Binary characters (\x) are also supported, as they are in the basic signature.

Line Anchors
An anchor is something that matches the null string at the start or end of a line: "^" matches the null string at the start of a line, "$" matches the null string at the end of a line.
