Administration Manual Web Security Manager 4 - Alert Logic


Administration Manual
Web Security Manager 4.4
www.alertlogic.com
support@alertlogic.com
August, 2015

Alert Logic, the Alert Logic logo, the Alert Logic logotype and Web Security Manager are trademarks of Alert Logic Inc. Products mentioned herein are for identification purposes only and may be registered trademarks of their respective companies. Specification subject to change without notice.
Copyright 2005 - 2015 Alert Logic Inc.

Web Security Manager Web Application Firewall ... xi
1. Getting started ... 1
    1. Connect to the Web Security Manager web management interface ... 2
        1.1. Navigating Web Security Manager web management interface ... 2
    2. Basic system configuration ... 4
    3. Website configuration ... 5
    4. Testing if it works ... 8
        4.1. Change / configure DNS for the website ... 8
        4.2. Test connectivity ... 8
    5. View the website deny log ... 9
    6. Change default passwords ... 10
        6.1. admin user ... 10
        6.2. operator user ... 10
    7. Getting help ... 11
2. Dashboards ... 13
    1. Deny Log ... 14
        1.1. Interactive graph ... 14
        1.2. Interactive list ... 14
    2. Learning ... 18
    3. System ... 19
        3.1. System status ... 19
        3.2. Interfaces ... 19
        3.3. Modules ... 19
        3.4. Disk I/O ... 20
        3.5. Disk ... 20
        3.6. Read-only monitor access ... 20
            3.6.1. As HTML ... 20
            3.6.2. XML format ... 20
    4. Traffic ... 21
        4.1. Interfaces ... 21
        4.2. Traffic by website ... 21
3. Services ... 23
    1. Websites ... 24
        1.1. Websites list ... 24
            1.1.1. Defined websites ... 24
        1.2. Adding a website ... 24
            1.2.1. Virtual web server ... 24
            1.2.2. Real web servers ... 25
            1.2.3. Default Proxy ... 26
            1.2.4. Initial operating mode ... 27
            1.2.5. Removing a proxy ... 27
        1.3. Global ... 27
            1.3.1. Source based blocking ... 27
            1.3.2. Server ID ... 28
            1.3.3. HTTP request throttling ... 28
            1.3.4. HTTP connection limiting ... 30
            1.3.5. SSL ... 31
            1.3.6. HTTP global request limit ... 33
            1.3.7. HTTP error log level ... 33

            1.3.8. HTTP global access logging
    2. Network
        2.1. Blacklisted Source IPs
        2.2. Network blocking bypass
            2.2.1. Allowing an IP address to bypass network controls
        2.3. DoS mitigation
        2.4. Attack source Auto blocking
        2.5. Network routing
4. Application Delivery Controller (ADC)
    1. Virtual host
        1.1. Deployment
            1.1.1. Reverse Proxy
            1.1.2. Routing Proxy
        1.2. Virtual web server
        1.3. SSL Certificate
            1.3.1. Importing the SSL certificate
            1.3.2. Exporting certificate from web server
        1.4. Virtual host aliases
            1.4.1. Wildcards
            1.4.2. Default Proxy
        1.5. Timeouts
        1.6. HTTP Request and Connection Throttling
            1.6.1. HTTP request throttling
            1.6.2. HTTP connection throttling
        1.7. Client Source IP
            1.7.1. X-Forwarded-For
            1.7.2. Other X-headers
            1.7.3. Trusted proxy
            1.7.4. Transparent Proxy
        1.8. Redirects
            1.8.1. Match types
            1.8.2. Prefix match
            1.8.3. Regex match
            1.8.4. Vhost regex match
            1.8.5. Examples summary
        1.9. Lower button bar
    2. Load balancing
        2.1. Real web servers
        2.2. Timeouts
        2.3. Load balancing settings
        2.4. Health Checking
        2.5. Insert request headers
            2.5.1. Request header variables
        2.6. Advanced settings
        2.7. Lower button panel
    3. Caching
        3.1. Static Caching
        3.2. Dynamic caching
        3.3. Lower button bar

    4. Acceleration ... 66
        4.1. Compression ... 66
            4.1.1. Compression level ... 66
            4.1.2. Compress response content-types ... 66
            4.1.3. Exceptions ... 66
        4.2. TCP connection reuse ... 67
    5. Statistics ... 69
        5.1. Interval selection ... 69
        5.2. Summary section ... 69
        5.3. Compression and served from cache graph ... 70
        5.4. Requests total and served from cache graph ... 70
        5.5. Original data and data sent graph ... 71
        5.6. Lower button bar ... 71
5. Web application firewall (WAF) ... 73
    1. Policy ... 74
        1.1. Validation order and scope ... 74
        1.2. Basic operation ... 75
            1.2.1. WAF operating mode definitions ... 75
            1.2.2. Request parsing ... 77
            1.2.3. Attack class criticality ... 80
            1.2.4. Source IP tracking and blocking ... 80
            1.2.5. External notification ... 82
            1.2.6. Deny log settings ... 83
            1.2.7. Access log settings ... 86
            1.2.8. Mirror proxy policy from master ... 89
        1.3. Protocol restrictions ... 89
            1.3.1. Allowed HTTP methods, protocol versions and web services ... 89
            1.3.2. Headers, restrict length and number ... 91
            1.3.3. Cookies, restrict length and number ... 92
            1.3.4. Request, restrict length and number ... 93
            1.3.5. File uploads, restrict size and number ... 94
            1.3.6. Request parameters, restrict size and number ... 95
        1.4. Website global policy ... 97
            1.4.1. Validate static requests separately ... 97
            1.4.2. URL path validation ... 98
            1.4.3. Denied URL paths ... 99
            1.4.4. Query and Cookie validation ... 100
            1.4.5. Headers validation ... 102
            1.4.6. Attack signatures usage ... 103
            1.4.7. Session and CSRF protection ... 104
            1.4.8. Trusted clients - IP whitelisting ... 107
            1.4.9. Trusted domains ... 108
            1.4.10. Evasion protection ... 109
            1.4.11. Time restricted access ... 110
            1.4.12. Input validation classes ... 111
        1.5. Web applications ... 113
            1.5.1. Web application settings ... 113
            1.5.2. Global violation action override ... 114
            1.5.3. Methods allowed ... 114

            1.5.4. Session protection
            1.5.5. Parameters
        1.6. Output filter
            1.6.1. Backend server cloaking
            1.6.2. Output headers validation and rewriting
            1.6.3. Output body validation and rewriting
        1.7. Authentication
            1.7.1. SSL client authentication
            1.7.2. SSL client Certificate Revocation Lists (CRLs)
            1.7.3. SSL client authorization
        1.8. Regular expressions
            1.8.1. What are regular expressions
            1.8.2. Metacharacters
            1.8.3. Repetition
            1.8.4. Special notations with \
            1.8.5. Character sets [.]
            1.8.6. Lookaround
            1.8.7. Examples
            1.8.8. Further reading
    2. Deny and error handling
        2.1. Deny action
        2.2. Error messages
            2.2.1. Document not found (error 40x)
            2.2.2. Authentication required (error 403)
            2.2.3. Server error (error 50x)
        2.3. Lower button bar
    3. Learning
        3.1. Learning data
            3.1.1. Applications learned
            3.1.2. Global parameters learned
            3.1.3. Static content learned
            3.1.4. Tools
            3.1.5. Lower button bar
        3.2. Learning status
            3.2.1. Learning progress indicators
            3.2.2. Policy history
            3.2.3. Resulting policy
            3.2.4. Sample run information
            3.2.5. Lower button bar
        3.3. Learning settings
            3.3.1. Policy generation options
            3.3.2. Global parameters
            3.3.3. Policy verification
            3.3.4. Learning thresholds
            3.3.5. Learn data sampling
            3.3.6. Lower button bar
    4. Log
        4.1. Deny log
            4.1.1. Specifying filter criteria

            4.1.2. Blocked and failed requests
            4.1.3. Lower button bar
        4.2. Access log
        4.3. Access log files
    5. Reports
        5.1. Reports
        5.2. Generated reports
6. System reference
    1. Clustering
        1.1. Cluster virtual IP configuration
        1.2. Synchronization configuration
        1.3. Cluster configuration examples
            1.3.1. Configuring a fail-over cluster
        1.4. VRRP Interfaces
        1.5. Fail-over status information
    2. Configuration
        2.1. Network
        2.2. Static routes
        2.3. Syslog - logging to external host
            2.3.1. Mapping of Web Security Manager System Logs to Syslog facilities
        2.4. SNMP
        2.5. Date and Time
        2.6. Admin contact
        2.7. Email system alerts
        2.8. Forward HTTP proxy
        2.9. Backup configuration
            2.9.1. FTP configuration
            2.9.2. SCP configuration
        2.10. Auto-backup
        2.11. Remote access
        2.12. Management GUI
            2.12.1. Password requirements
            2.12.2. Login and session restrictions
            2.12.3. SSL certificate
        2.13. FIPS 140-2 validated mode
            2.13.1. Validation of FIPS mode
            2.13.2. Enabling FIPS 140-2 validated mode
    3. Information
        3.1. System
        3.2. Web Security Manager
        3.3. Devices
        3.4. Disks
        3.5. Currently logged in users
    4. Interfaces
        4.1. IP configuration
        4.2. Role
        4.3. Media settings
    5.

    6. Maintenance
        6.1. Backup and restore
            6.1.1. Best effort - restoring to different platforms
            6.1.2. Local backup
            6.1.3. Restore
        6.2. Website templates list
        6.3. Databases
        6.4. Website access logs list
    7. Tools
        7.1. Network tools
            7.1.1. TCP connect test
            7.1.2. Network debug
        7.2. Reboot and Shutdown
        7.3. Technical information for support
        7.4. License information
    8. Updates
        8.1. Updates available for installation
            8.1.1. Installing updates
        8.2. Installed updates
        8.3. Configuring for updates
    9. Users
        9.1. User accounts
            9.1.1. Built in user accounts
            9.1.2. Additional accounts
        9.2. Current user
        9.3. System users
7. The command line interface
    1. Accessing CLI
        1.1. Console access
        1.2. SSH access
    2. Command reference
        2.1. show interfaces
        2.2. show interface
        2.3. show gateway
        2.4. show hostname
        2.5. show routes
        2.6. show version
        2.7. set gateway
        2.8. set interface
        2.9. set password
        2.10. set user
        2.11. system backup run
        2.12. system cache flush
        2.13. system ping
        2.14. system updates fetch
        2.15. system updates query pending
        2.16. system updates query installed
        2.17. system updates install
        2.18. system status

        2.19. system restart
        2.20. system shutdown
        2.21. system reboot
        2.22. system remotesupport
            2.22.1. View remote support status
            2.22.2. Enable remote support
            2.22.3. Disable remote support
        2.23. quit
8. Network deployment
    1. Simple single-homed Web Security Manager implementation
    2. Firewalled single-homed Web Security Manager implementation
    3. Firewalled Web Security Manager implementation with a fail-over/backup Web Security Manager
    4. Dual-homed performance optimized Web Security Manager implementation
9. Frequently Asked Questions
    1. Deployment
    2. Client issues
    3. SSL Certificates
    4. Troubleshooting
    5. Clustering
    6. Accessing Web Security Manager management interfaces
    7. Learning
    8.

Web Security Manager Web Application Firewall

Web Security Manager Web Application Firewall is implemented in the network as a filtering gateway which validates all requests to the web systems.

Web Security Manager defends against all OWASP Top Ten vulnerabilities, supports XML web services and provides full PCI DSS Section 6.6 requirements compliance.

The following modules are included, providing acceleration, scalability and proactive protection of web systems:

Load Balancer
    Enabling scalability and acceleration of even complex SSL-enabled stateful web applications.

Web Accelerator and cache
    Reducing traffic cost, improving response time and off-loading web servers.

Web Application Firewall
    Proactive protection of web servers and web applications by employing a positive security model providing defenses against all OWASP top ten vulnerabilities.

Web Security Manager includes a hardened OS and installs on most standard hardware. The Web Security Manager software appliance installer turns a piece of general purpose application server hardware into a dedicated application acceleration and security gateway within minutes - with minimal interaction.

The Web Security Manager software appliance combines the flexibility and scalability advantages of software with the security advantages and administrative simplicity of dedicated hardware appliances.

Automated application profiling, adaptive learning, positive and negative filtering and support for XML based web services allow for out of the box protection against attacks from malicious hackers and worms.

As the website is learned, Web Security Manager gradually turns towards a positive, white-list based policy providing protection against attacks targeting undisclosed vulnerabilities in standard software and custom built applications.

Chapter 1
Getting started

1. Connect to the Web Security Manager web management interface

Access the Web Security Manager management interface by opening a web browser and entering the URL https://<websecuritymanager ip address>:4849 (note HTTPS). The management address in the example installation is: https://192.168.3.20:4849.

If you are accessing the management interface for the first time, you will be asked for a license key. Enter the license key provided in your "License key and support contract information" letter (PDF) and click the "Activate" button. After successfully entering the license key, you are asked to agree to the Web Security Manager license agreement. After you have read and agreed to the license agreement, you are redirected to the Web Security Manager management login screen.

Log in using username "admin" and password [last nine characters of license key in reverse order].

Please change the password after the initial login. Instructions for changing your password are found below.

1.1. Navigating Web Security Manager web management interface

Figure 1.1. The management interface

After successful login, you will be presented with the management interface website overview page. The management interface is divided into 4 main sections:

Dashboards
    A quick overview of denied requests, traffic, system status and learning progression.

Services
    Configuration and management tool for all website proxies, including policy, caching, acceleration, load balancing, HTTP request throttling and DoS mitigation settings.
    To add a website or to select a website for management click Services > Websites.

System
    Configuration of system parameters like network interfaces, IP addresses, fail-over, network settings (DNS, NTP, SMTP), viewing of system logs and status information, including administration of updates, backup and configuration restore.

Help
    Access to help and support related information including documentation, version information and support links. The complete manual is available in HTML and PDF versions on the Documentation page.
    On any page, clicking on Help in the horizontal menu will display the manual reference section specific for that page.

The main (vertical) menu system is on the left side of the screen. Content assigned to the menu item is displayed on the right side of the screen. An additional horizontal menu system appears where applicable.

2. Basic system configuration

To make sure essential system configuration tasks are not forgotten, a to-do list of basic system configuration tasks is displayed. When an item is done it will disappear from the list. When the first website is added the "read Quick Start Guide" item will disappear.

Enable inbound HTTP(s) traffic
    Select which network interfaces you want to respond to inbound HTTP/HTTPS requests from clients.

Configure Alert email
    Web Security Manager needs to know an SMTP server and an email address it can send log warnings, update notifications, etc. to.
    SMTP server: Enter the address of an SMTP server that is reachable and accepts SMTP requests from Web Security Manager.
    Contact email: Enter the email address to send notifications to.
    This item can be skipped but it is recommended.

Configure DNS
    IP address of one or more DNS servers.
    Valid input: IP addresses. Use space to separate multiple hosts (only one required).
    Input example: 192.168.0.1

Configure time synchronization
    IP address or host name of an NTP server. Remember to set up at least one DNS server if you enter a host name here.
    Valid input: IP address or fully qualified domain name. Use space to separate multiple hosts (only one required).
    Input example: time.nist.gov

3. Website configuration

Now configure a website.

1. Select Services > Websites in the left menu pane. This will take you to the websites overview page.
2. Click on the Add Website button. The Services > Add page is displayed.

Figure 1.2. Add website page

In the Virtual web server section you configure the part of the website proxy that the clients connect to.

1. In Deployment select either Reverse proxy or Routing proxy.
   Both deployments terminate client requests and proxy requests to the backend real server, but while Reverse proxy requires an IP address to be configured on the WSM node, the Routing proxy deployment routes traffic to the backend server but intercepts traffic for the configured ports, processes it and proxies it to the backend.
   For routing proxy deployments make sure that IP forwarding is enabled in Services > Network > Network routing.
2. In Web server protocol select either HTTP, HTTPS or Both. The latter will create a website proxy that responds to both HTTP and HTTPS requests.
   When selecting HTTPS or Both as the protocol a temporary certificate will be generated. When the new proxy is created the certificate can be replaced by importing the real certificate in Services > Websites > ADC > Virtual host. Click Help in that section to get instructions.
3. In Web server domain name enter the address of the web server you want to protect. The address is the one users enter in the browser to go to the website. In the example demosite.mydomain.com is entered.
4. In Listen IP select the IP address(es) you want the web server to respond to. For HTTP websites All inbound can be selected. This will configure the website proxy to respond to all IP addresses that are configured to accept inbound requests. For HTTPS proxies it is mandatory to select a specific IP address.
5. In HTTP(s) listen port select the port(s) you want the website to listen to. For HTTP proxies the default is 80 and for HTTPS proxies the default is 443. When creating a website proxy that serves both HTTP and HTTPS two input fields will appear.

In the Real web servers section you configure how the website proxy communicates with the backend web servers.

1. In Real web server enter the address of the web server you want Web Security Manager to redirect allowed client requests to. This address is the address of the web server you want to protect. In the example 192.168.0.103 is entered.
2. In Real server protocol select the protocol you want Web Security Manager to use when connecting to the backend web servers. If you want the traffic to the backend web servers to be encrypted select HTTPS, otherwise leave it at the default HTTP.
   Note that you should only select HTTPS if it is necessary. HTTPS puts an extra burden on the backend web servers.
3. Decide on real servers health checking. When Validate real servers and enable health checking is checked, Web Security Manager will connect to the backend servers and automatically find a suitable target page to use for health checking. If health checking is not enabled, backend server status will not be monitored by Web Security Manager.
4. For each backend web server that is serving the website (demosite.mydomain.com in this example) enter the IP address and port in the real servers list.
   Real server IP and Port: the IP address / port combination the web server is listening on. Typically Address:80 for HTTP servers and Address:443 for HTTPS servers.
   Role: Select Active, Backup or Down. Active means that requests will be forwarded to the server. When Backup is selected the server will only be used if no Active servers are in operation. Down means that the server should not be used - for instance if it is down for maintenance.

Finally, in the Initial configuration section, select the initial configuration template to apply to the website proxy.

Now click the Save Configuration button in the lower right corner of the page. This will save your configuration and take you back to the websites overview page.

Click the blinking link "apply changes" that appears in the upper right corner of the page to apply those changes to your configuration of Web Security Manager.

Figure 1.3. Websites overview page

The Web Security Manager Web Application Firewall is now protecting the configured website.

4. Testing if it works

Now test your newly configured website.

4.1. Change / configure DNS for the website

For testing purposes, make the website domain name resolve to the Web Security Manager IP address, for example by adding the IP address and domain name to the hosts file on your PC.

Figure 1.4. Editing the hosts file

4.2. Test connectivity

In a new browser page (or tab) enter the address of the website you configured. You should see the home page of the website and it should be served by Web Security Manager.

To check that Web Security Manager is serving the content, enter a URL that will match an attack signature. To match the path traversal signature (for instance) append the parameter print ./././etc/somefile to the URL.

If the page is served through Web Security Manager you will get:

Figure 1.5. Default deny page

If the above is not displayed, please restart your browser and / or flush your DNS cache by running cmd.exe (on your PC) and entering ipconfig /flushdns. Then try the request again.

5. View the website deny log

Figure 1.6. Deny log

In the Web Security Manager management interface select Web Firewall > Websites in the left vertical tool bar. The websites overview page will be displayed. Select the website by clicking on it. When selecting a website the landing page is the Deny Log.

To view details of a log entry click the Inspect icon in the right most column of the list as in the example above.

6. Change default passwords

Now change the default passwords for the admin user (web based management interface) and the operator user (the system console) by completing the following:

6.1. admin user

Figure 1.7. Password change page

Change the administrator password from the default value in System > Users.

6.2. operator user

Change the password for the console user operator in the console.

1. Log in to the console with
   user name: operator
   password: changeme
2. Enter the command set password

    login: operator
    Password: changeme
    Web Security Manager command-line management interface
    psh set password
    Changing local password for operator.
    Old password: changeme
    New password: R0dsQAVg
    Retype new password: R0dsQAVg
    psh quit

    Web Security Manager/amd64 (ttyC0)
    login:

7. Getting help

Figure 1.8. Context specific help

By clicking the green Help menu item in the horizontal menu the relevant section in the manual is opened in a new window.

Chapter 2
Dashboards

1. Deny Log

In Web Security Manager websites have separate security policies and deny logs. This allows for fine grained tuning of policies and makes it easy to provide detailed reporting to management and application/web site owners. For the security administrator it is necessary though to have the ability to monitor the deny log for all websites. The deny summary window provides such functionality by summarizing log data for all configured websites. The window consists of two sections:

1. An interactive graph with drill down functionality which summarizes all deny log events in a column graph.
2. A more detailed interactive list with drill down functionality which shows deny log events for all websites above a configured risk level (default medium).

Both elements provide drill down functionality which will allow for narrowing in on events in the specific website's deny log.

1.1. Interactive graph

The interactive column graph allows for zooming in on log events through 3 levels. For all three levels the date selector allows for scrolling through historic log events, and hovering the pointer over a column will display the exact number of requests for that category.

1. By date and risk.
   For each date in the selected period deny log events are shown divided into the 5 risk categories critical through none. Clicking one of the columns will zoom in on that date, taking you to level 2.
2. By website and risk.
   For each website/application deny log events are shown divided into the 5 risk categories critical through none. Clicking one of the columns will zoom in on log events for that website for the specific date selected.
3. Single website by attack class.
   The lowest level of the interactive graph shows log events for a specific website by attack class: SQL injection, XSS, etc. By default log entries are only shown for one day but the interval can be extended by selecting a different interval using the Show drop-down in the date selector. Clicking on an attack class column will take you to the deny log of the website, creating a filter that shows only log entries satisfying the selection in the interactive graph.

1.2. Interactive list

The interactive list shows log entries above a configurable risk level for all websites.

Blue column headings indicate that the result can be sorted by that column. Clicking the same column again will toggle sort direction (asc/desc).

The top level of the list shows attacks summarized by either source IP or country. Clicking on a row will display a list showing the number of attacks shown in the Attacks column. When the list is summarized by IP the list will show log records from all websites from that specific source IP.

When the list is summarized by country the list will display log records from all websites summarized by source IP. Clicking on a row will show details from that specific IP.

When showing IP details, clicking the details icon in the rightmost column of the list will display details from that log event.

The description of the columns below applies to all detail levels of the list. Some columns are specific for a level and will not be visible in others.

By default the list shows all records for a maximum of 90 days. By checking Limit to Graph interval the list can be set to only display records for the interval specified in the graph above.

Source IP
    Source IP the requests originated from.

Country
    Country the requests originated from.

Attacks
    Total number of attacks recorded from country/IP. Click row to zoom in on attacks.

Last seen
    Date and time the last request from IP/Country was logged. By default results are sorted by date.

Risk
    Risk classification of the log entry. Options are: Critical, High, Medium, Low, None.

Attack Class
    Attack classification of the log entry. Options are:
    - SQL injection
    - XPath injection
    - SSI injection
    - OS commanding
    - XSS (Cross Site Scripting)
    - Path traversal
    - Enumeration
    - Format string
    - Buffer overflow
    - DoS attempt
    - Worm probe
    - Access violation
    - Malformed request
    - Session invalid
    - CSRF
    - Session expired
    - Broken robot
    - Broken int. link
    - Broken ext. link
    - Other
    - None
    - False positive
    - Friendly

Violation
    Shows the general violation description as defined by Web Security Manager. Options are:
    - Generic violation
    - Header unknown
    - Header illegal
    - Path unknown
    - Query unknown - no policy rules match the name of the parameter.
    - Query illegal - a policy rule is matching the name of the parameter but the parameter value does not match the corresponding regular expression for validating the input value.
    - Header length
    - Missing hostname
    - Invalid hostname
    - Header failed
    - Path denied
    - Upload attempt
    - Payload length
    - Session validation failed
    - Form validation failed
    - Session expired
    - Malformed XML
    - Content type not enabled - Content type is supported but not enabled.
    - Negative match

Action (shown only in IP details view)
    Block action taken on the request. Options are:
    Allow
        The request was allowed, either because of the current mode and whitelist configuration or because the request was allowed according to policy. If the request was allowed by policy the reason for the request being logged in the deny log is typically that the backend server responded with an error. Expand the request to see details.
    Block
        The request was blocked by Web Security Manager.
    Block-IP
        The request was blocked by Web Security Manager and the source IP was blacklisted, resulting in further requests from that source being blocked at the network level.
    Strip
        The offending part of the request was stripped before allowing the request. Used for instance to remove session cookies for expired sessions.

Time
    Date and time the request was logged.

Method (detail - click details icon to view)
    Offending method (if any).

Resp. status (detail - click details icon to view)
    If applicable shows the response status from the backend server like 404 (Not Found) or 200 (OK).

Resp. time (detail - click details icon to view)
    The time from Web Security Manager received the request and forwarded it to the backend server until the response is sent to the client from Web Security Manager.

Referer (detail - click details icon to view)
    The referring source, internal or external, from which the request originated.

Header (detail - click details icon to view)
    Offending header fields and values (if any).

Query (detail - click details icon to view)
    Offending parameter names and values (if any).

Raw (detail - click details icon to view)
    Shows the original request as sent by the client. To view it, click on the View RAW request button.
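The three graph levels of section 1.1 and the source IP / country summary of section 1.2 can be reproduced offline over exported deny log entries, which is useful when correlating the dashboard with a SIEM. The following is an added example and not code from Alert Logic or Web Security Manager; the log entries are constructed sample data and the field names (time, website, source_ip, country, risk, attack_class, action) are assumptions.

```python
from collections import Counter, defaultdict

# Risk categories used by the Deny Log dashboard, lowest to highest.
RISK_ORDER = ["none", "low", "medium", "high", "critical"]

# Constructed sample deny log entries (not real Web Security Manager output).
# Field names are assumptions. Timestamps are "YYYY-MM-DD HH:MM:SS", so they
# sort correctly as plain strings.
SAMPLE_LOG = [
    {"time": "2015-08-03 10:01:12", "website": "demosite.mydomain.com",
     "source_ip": "198.51.100.7", "country": "Country-A", "risk": "critical",
     "attack_class": "SQL injection", "action": "Block"},
    {"time": "2015-08-03 10:02:45", "website": "demosite.mydomain.com",
     "source_ip": "198.51.100.7", "country": "Country-A", "risk": "high",
     "attack_class": "Path traversal", "action": "Block-IP"},
    {"time": "2015-08-03 11:30:00", "website": "shop.mydomain.com",
     "source_ip": "203.0.113.9", "country": "Country-B", "risk": "medium",
     "attack_class": "XSS (Cross Site Scripting)", "action": "Block"},
    {"time": "2015-08-03 12:00:00", "website": "shop.mydomain.com",
     "source_ip": "203.0.113.9", "country": "Country-B", "risk": "low",
     "attack_class": "Broken ext. link", "action": "Allow"},
    {"time": "2015-08-04 09:15:30", "website": "demosite.mydomain.com",
     "source_ip": "192.0.2.44", "country": "Country-A", "risk": "none",
     "attack_class": "Session expired", "action": "Strip"},
    {"time": "2015-08-04 09:16:02", "website": "demosite.mydomain.com",
     "source_ip": "192.0.2.44", "country": "Country-A", "risk": "high",
     "attack_class": "OS commanding", "action": "Block"},
]


def select(entries, date=None, website=None, attack_class=None):
    """Entries matching the drill-down criteria (None means any value).
    This is the filter applied to the website deny log when an attack
    class column is clicked at the lowest graph level."""
    return [e for e in entries
            if (date is None or e["time"].startswith(date))
            and (website is None or e["website"] == website)
            and (attack_class is None or e["attack_class"] == attack_class)]


def _risk_breakdown(entries, key):
    """Count entries per value of `key`, split into the five risk categories."""
    counts = defaultdict(Counter)
    for e in entries:
        counts[e[key]][e["risk"]] += 1
    return {k: dict(v) for k, v in counts.items()}


def graph_by_date_and_risk(entries):
    """Graph level 1: one column group per date, split by risk."""
    return _risk_breakdown([dict(e, date=e["time"][:10]) for e in entries], "date")


def graph_by_website_and_risk(entries, date):
    """Graph level 2: the selected date, one column group per website."""
    return _risk_breakdown(select(entries, date=date), "website")


def graph_by_attack_class(entries, date, website):
    """Graph level 3: one website on one date, one column per attack class."""
    return dict(Counter(e["attack_class"]
                        for e in select(entries, date=date, website=website)))


def risk_at_least(risk, minimum):
    """True when `risk` is at or above the configured minimum risk level."""
    return RISK_ORDER.index(risk.lower()) >= RISK_ORDER.index(minimum.lower())


def interactive_list(entries, key="source_ip", min_risk="medium"):
    """Top level of the interactive list: one row per source IP (or country)
    with the number of attacks at or above `min_risk` and the last seen time,
    sorted by last seen, newest first (the dashboard's default sort)."""
    rows = {}
    for e in entries:
        if not risk_at_least(e["risk"], min_risk):
            continue
        row = rows.setdefault(e[key], {"attacks": 0, "last_seen": e["time"]})
        row["attacks"] += 1
        row["last_seen"] = max(row["last_seen"], e["time"])
    return sorted(((k, r["attacks"], r["last_seen"]) for k, r in rows.items()),
                  key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    print(graph_by_date_and_risk(SAMPLE_LOG))
    print(interactive_list(SAMPLE_LOG, key="country"))
```

Summarising by country with the default medium threshold reports Country-A with 3 attacks even though the IP 192.0.2.44 also produced a risk "none" entry, because entries below the threshold are excluded before counting.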

2. Learning

Key learning indicators for each website are displayed in an overview table.

Website
    Website name as configured in Web Security Manager.

Samples
    The
