Snapt WAF Manual. Version 1.2. February pg. 1

Transcription

1 Snapt WAF Manual Version 1.2 February 2018 pg. 1

2 Contents Chapter 1: Introduction... 3 Chapter 2: General Usage... 3 IP Blacklisting IP Groups... 4 IP Blacklisting IP Access Control... 5 IP Blacklisting Snapt Blacklist Control... 5 GeoIP Blacklisting Settings... 6 GeoIP Blacklisting GeoIP Groups... 7 GeoIP Blacklisting IP Whitelist... 8 GeoIP Blacklisting GeoIP Access Control... 8 Test Cookie Settings... Error! Bookmark not defined. Test Cookie Whitelist... Error! Bookmark not defined. Upstream Protection HotLinking... 9 Upstream Protection HTTP Methods WAF Management Rulesets WAF Management Rule Triggers WAF Management Rule Definitions WAF Management Counters Attack Mitigation Chapter 3: Implementation Chapter 4: Standard Operation Chapter 5: Reporting pg. 2

3 Chapter 1: Introduction The Snapt Web Application Firewall (WAF) is used to add a layer of security to your web applications. It has a variety of capabilities to prevent denial of service (DoS), SQL injection, crosssite scripting (XSS), and numerous other attack vectors. It does this by intelligently monitoring incoming requests and applying a range of checks to determine whether or not they are legitimate, and if not, whether to block it. In this way, the Snapt WAF protects your servers and ensures your application remains uncompromised and performs optimally. You are also able to block various IP addresses/ranges of known sources which should not have access to your web applications, as well as entire countries if necessary. In doing so, you can reduce the number of potential sources of attacks significantly, further reducing the risk to your environment. The WAF works closely with the Accelerator plugin, and if used in conjunction with the Balancer plugin, you are able to benefit from the full Application Delivery Controller (ADC). Your web applications will be more reliable, faster, and more secure. Chapter 2: General Usage This manual assumes you have already set up your Snapt install and enabled the WAF plugin. If you have not, please install it from the Modules & Plugins section under the Setup menu. Almost everything you will need to do regarding the WAF happens under the WAF menu item in the interface. This includes various configuration options, after which a few options need to be applied to your servers configured in the Accelerator in order to selectively enable the WAF. pg. 3

4 IP Blacklisting IP Groups This section facilitates the creation and management of IP groups within the WAF. IP Groups List This tab will list all IP Groups currently added to the WAF, and provide facilities to either Edit them to add/remove IP addresses, or Delete them altogether. Editing a group offers similar options to adding a new group, allowing you to add/remove IP addresses/ranges accordingly. Add New Group Adding a new group is a simple process. The first step is specifying a unique name. Thereafter, you need to specify the IP addresses/ranges that need to be added in CIDR format. For ease of use, the Subnet is also shown. The example below shows a group called test which was added, with a local IP range included: pg. 4

5 IP Blacklisting IP Access Control This section facilitates implementing global server blocks for any IP groups added to the system as opposed to default settings. This is useful to completely prohibit certain IP addresses/ranges from accessing the server. Note that this will only apply to servers in the Accelerator where the WAF Global Blocks function is enabled. IP Blacklisting Snapt Blacklist Control This section facilitates the use of the Snapt maintained RBLs (Realtime Black Lists) which includes various IP addresses/ranges which have been identified as sources of spam, HTTP vulnerability scans, and threats like botnets, amongst others. You are able to selectively enable the use of each of these sources of potential threats to your environment by toggling the relevant option. However, care should be taken with some settings as they may include legitimate users who would then be unable to access your web application. These are disabled/inactive by default. (Page Changed) pg. 5

6 GeoIP Blacklisting Settings This section specifies some basic settings for the GeoIP Blacklisting component of the Snapt WAF. GeoIP.dat This option specifies the path to the GeoIP.dat file which will be used to identify the location of any IP addresses connecting to your server. Snapt comes with a file included, but you are able to override this to use an alternative file. Return Code This option specifies the response the WAF will supply when a GeoIP-based block is applied, allowing you to either immediately close a connection (444) or send a forbidden response (403). pg. 6

7 GeoIP Blacklisting GeoIP Groups This section facilitates the creation of groups which may contain one or more countries, in order to block any connections from these regions as required. Groups This tab will list all GeoIP Groups currently added to the WAF, and provide facilities to either Edit them to add/remove countries, or Delete them altogether. Editing a group offers similar options to adding a new group, allowing you to add/remove countries accordingly. Add Group Adding a new group is a simple process. The first step is specifying a unique name. Thereafter, you use the dropdown list to specify the countries that need to be added. The example below shows a group called test which was added, with one country included: pg. 7

8 GeoIP Blacklisting IP Whitelist This section is used to add IP addresses/ranges in CIDR format to ensure they are always able to reach your server and are not subject to any other blocks which may be applied. IPs This tab provides a simple list of whitelisted IP addresses/ranges, and allows you to delete any entries as necessary. In the example below, the internal network range was whitelisted: Add IP This tab facilitates the addition of IP addresses/ranges in the noted CIDR format. Again, the Subnet is shown for ease of use. GeoIP Blacklisting GeoIP Access Control This section is identical to the IP Access Control section, except it is based on the GeoIP Groups created. It will block connections from these countries entirely. Note that this will only apply to servers in the Accelerator where the WAF Global Blocks function is enabled, as with the IP Access Control section. pg. 8

9 Upstream Protection HotLinking HotLinking is the process of linking various other content on your server from another, external website. This is sometimes problematic as it could lead to increased bandwidth usage, increased load on your servers, or even a copyright violation. This protection mechanism can prevent your content from being included on other sites. It also includes the ability to list safe domains where HotLinking is allowed. As with many other WAF settings, this needs to be enabled on a per server basis within the Accelerator once configured. Enable Protection This enables/disables the HotLink Protection facility. Protected Extensions This field is used to specify a comma separated list of extensions which may not be HotLinked. Safe Domains This field is used to specify a comma separated list of domains which may access the extensions specified in the Protected Extensions parameter. It also supports the use of wildcards like *.yourdomain.com. pg. 9

10 Upstream Protection HTTP Methods There are numerous HTTP request methods available. However, many infrequently used methods have been subject to vulnerabilities or disclosures of sensitive information. Therefore, Snapt includes a facility to block various HTTP methods from being passed to your web servers using this section. The Recommended Defaults button will set only GET, HEAD, POST and PUT to Allowed, as most other methods are not necessary in the majority of environments. This requires servers in the Accelerator to have Content Protection enabled. WAF Management Rulesets This section manages the rules in place on the WAF, and provides facilities to create your own ruleset or simply use the default ruleset in place maintained by Snapt. Rulesets This tab provides a list of the rulesets currently in place over and above the defaults, and provides the necessary functionality to Edit, Delete, or Enable/Disable any rulesets that have been manually created. For illustrative purposes below, a ruleset called test was created. pg. 10

11 Create Ruleset This tab facilitates the creation of new rulesets using either manually created rulesets or the defaults maintained by Snapt as a template for quicker creation. WAF Management Rule Triggers The Rule Triggers section is responsible for basing blocks based off scoring and is configurable here. Trigger Sets This tab is used to manage the trigger sets, and provides the facilities to either access the Internal Rules, Reset the default set, or Edit any set, and Delete manually created sets. pg. 11

12 Exception - Internal Rules Internal Rules have been moved to be enabled by default and can now be added as an exception to all your other rules. You can select the rule from the dropdown box and select your match zone and match value. You can also opt to make this a negative. Edit Trigger Set Editing any trigger set allows an editor providing the facilities to remove or add rules around the Score ID and a numerical value pertaining to each which needs to be exceeded in order to cause a block. The plus and minus buttons can be used to add/remove triggers as necessary. pg. 12

13 WAF Management Rule Definitions The Rule Definitions section manages all rules in place on the WAF, which is done using strings and regular expressions to match criteria and variables for blocking purposes. Rules This tab provides a list of all rules in place, including the default set, and any rules which have been created manually. For those rules which were created manually, you will be provided with the facility to Edit or Delete these accordingly. pg. 13

14 pg. 14

15 Add Rule This tab provides the necessary configuration options to add any new rules to the WAF. Negative This can be enabled to make the rule in question a negative matching rule. Pattern Type This option specifies whether a string or regular expression pattern type should be used. It is recommended to use string matches where possible as they are processed faster. All strings must be lower case and matches are case-sensitive. Rule ID The first 1,000 ID entries are reserved for internal rules such as protocol mismatch. Typically, rule IDs will start where the default rules listed on the Rules tab end i.e. higher than 1,500. Pattern This field is used to provide the actual pattern you would like to match. As an example, a regular expression pattern type with the pattern foo bar will match foo or bar, whereas a string pattern type with the same pattern will match only the actual string foo bar. pg. 15

16 Message This field is used to provide a string describing the pattern, and is used when doing whitelists. WAF Management Counters The WAF Score Counters are used to assign the relevant configuration options under the Rule Definitions and Rule Triggers sections. Counters This tab shows the Score Counters currently added, and will provide options to Edit and Delete any counters which were manually added in addition to the default counters. Add Counter This tab provides the facility to add additional counters for use in the other WAF configuration options as mentioned. Counter Name This needs to be added in the format $countername, such as the $SQL and other counters added by default. pg. 16

17 Attack Mitigation The Attack Mitigation mode is a last resort, applied to Accelerator servers in order to maintain application availability during an ongoing attack. It does this by applying stringent limits on the requests per second, and per minute, and active connections per IP address. Once activated, the following limits are applied: 5 requests per second per IP address, with bursts up to 120 requests 60 requests per minute, with bursts up to 300 requests A maximum of 10 active connections per IP address It is also advisable to disable the PageSpeed module on any servers under attack as it is very CPU-intensive. Chapter 3: Implementation In the introduction to Chapter 2, we explained how after configuring the WAF, the WAF on Accelerator servers needs to be selectively enabled. This is done via the Front-ends menu options under the Accelerator menu for HTTP and SSL servers. Once here, click Settings for any front-end server(s) to be prompted with the following configuration menu. A few additional WAF-related options will not be listed in the Accelerator Manual since they only become available once the WAF plugin is installed and configured. pg. 17

18 WAF Global Blocks This option facilitates enabling/disabling the Global Blocks for this server. This includes the IP blacklists, for example. WAF Content Protection This option facilitates enabling/disabling the content protection for this server. This includes the HotLink Protection, for example. WAF Ruleset This option facilitates selecting the rulesets which should apply to this server. The default ruleset and any manually created rulesets will be available for selection. pg. 18

19 Chapter 4: Standard Operation After the successful configuration of the WAF, the next step is the control and maintenance thereof. The majority of the functions are available on the WAF Dashboard. Here you will see several tabs as follows: Dashboard Various statistics and values are displayed, such as the overall status of the WAF. This includes packet and data rates, the number of connections to any servers, and an overview of the blocks occurring. pg. 19

20 Throughput The Throughput tab displays live graphs of inbound and outbound packets, data rates, and dropped packets, and is useful as a way to monitor sudden traffic spikes. Log Monitor The Log Monitor tab will display basic logging information at a glance, including blocks and limits. pg. 20

21 Modules The Modules tab shows the status of the WAF modules and whether any of them are potentially unavailable or not properly installed. Reference Lookup The Reference Lookup tab is your go-to place to investigate user issues. Any block that occurs during a request from a user will display a page which provides a reference code that can be used to identify the incident in your logs. Chapter 5: Reporting (in Reporting Menu) A key component of your Snapt WAF is the ability to generate reports from the Reports menu of the blocks caused. As other modules are necessary to use the WAF, the screenshot below represents a full ADC configuration with the WAF Report(s) available, along with the Balancer and Accelerator Reports. pg. 21

22 The WAF will add 1 report to this module as follows: WAF Block Report This provides an overview of the blocks occurring from the WAF. pg. 22