ASL WAF

From Atomicorp Wiki
Revision as of 13:15, 20 August 2012 by Mshinn (Talk | contribs)

Jump to: navigation, search

Contents

Introduction

The ASL WAF has two non-exclusive modes operation:

1) Embedded mode

2) Transparent/Proxy mode (T-WAF)

Embedded mode

Embedded mode works with Apache 2.x. ASL will install a special module in Apache to give it native WAF protection capabilities. This installation will occur when ASL is installed.

Proxy mode (T-WAF)

Proxy mode or the Transparent WAF (T-WAF) system allows ASL to protect any HTTP and/or HTTPS service, either a local server (such as when using a web server that does not support embedded mode) or a remove server.

Configuration

The ASL WAF is initially configured during the install of ASL. If Apache is installed on the system, ASL will attempt to install the embedded WAF module. If Apache is installed on the system via package management, then this will occur automatically and you will not need to configure the WAF further to protect an installed Apache instance.

Once ASL is installed, if you need to do so, you can configure the WAF through three parts of the ASL GUI:

WAF Tab

This tab is used to setup the WAF. There are three types of WAF you can configure:

embedded

The embedded WAF is an apache module that is installed on any local Apache installations. This should be setup by default, if you are running apache on the system.

local

This type of WAF is used to protect any local HTTP and/or HTTPS services that may be running on the system itself, where the embedded WAF module can not be used. For example, if the system was running a tomcat or litespeed, which do not support the embedded WAF module, or a control panel that uses it own web server (such as Plesk, Cpanel, Webmin, and others). You can configure a WAF to protect these services.

To setup a local WAF simply follow these steps:

Step 1) Log into the ASL GUI

Step 2) Click the WAF tab

Step 3) Select WAF Config

This will pull up the WAF Config window, which will show the existing WAFs.

Step 4) Click "Enable T-WAF". If you see "Disable T-WAF" this option has already been enabled.

Step 5) Click "Add"

This will will pull up the "Add WAF Config" window.

Step 6) Click on the "Add protection for" drop down. Select "local"

This will present you with two options:

Local Port: Type in the local port you wish to protect.

Note: Check if you have any embedded WAFs installed on the system before you do this. If you have an embedded WAF already installed on port 80, as should occur if you have Apache installed (and its package managed), then enabling the T-WAF in front of Apache would create a loop. Its not necessary to put a WAF in front of a service that is protected via embedded mode.

SSL: Select this if the service you wish to protect is SSL based.

If you select SSL, then you will see this additional options:

Path to SSL Certificate: Provide the filesystem path to the SSL certificate for this service.

Path to SSL Key file: Provide the filesystem path to the SSL key file for this service.

Step 7) Then click Save

remote

This type of WAF is used to protect any remote HTTP and/or HTTPS services that are not running on the system itself. For example, if you have a remote webserver you wish to protect, you can configure a WAF to protect these services. The remote WAF can support two proxy modes: domain based and IP based.

name based remote

Domain based or name nased WAFs allow you to use a single IP address on the WAF, and to direct WAF requests to different backend servers depending on their domain or full qualified domain name, or even to specific URL.

IP based remote

IP based WAFs allow you to redirect all traffic to an IP address on WAF to a specific destination host or URL.

Setting up a remote WAF

To setup a remote WAF simply follow these steps:

Step 1) Log into the ASL GUI

Step 2) Click the WAF tab

Step 3) Select WAF Config

This will pull up the WAF Config window, which will show the existing WAFs.

Step 4) Click "Enable T-WAF". If you see "Disable T-WAF" this option has already been enabled.

Step 5) Click "Add"

This will will pull up the "Add WAF Config" window.

Step 6) Click on the "Add protection for" drop down. Select "remote"

This will present you with a dropdown options to setup the WAF as either domain based or IP based.

Step 7) If you select name based you will be presented with these options:

Domain Name: Enter the domain name or full qualified domain you wish to use. For example, if you want the WAF to handle traffic for intranet.example.com enter that FQDN in this box.

Local Url: Enter the local URL, if any, that the WAF should expect from the client to direct this connection to the remote host. The default of / is usually correct if you are forwarding all traffic for an FQDN or domain. If you only want the WAF to pass on specific requests for specific URLs, enter them here.

Destination: Enter the full URL you want the WAF to use as the destination server. Make sure you have DNS or /etc/hosts entries for this, otherwise the WAF will not be able to find the destination. This should also not be the same thing as "Domain Name:". You can also use https:// URLs here.

Remote Port: Type in the remote port for the backend server the WAF will be sending requests to.

SSL: Select SSL if you wish to accept SSL connections to the WAF. If you select this you will be presented with these additional options:

Path to SSL Certificate: Provide the filesystem path to the SSL certificate for this service.

Path to SSL Key file: Provide the filesystem path to the SSL key file for this service.

Skip to step 8

Step 7) If you select IP based you will be presented with these options

IP Address: Enter the IP address you want the WAF to listen on (you can set multiple IPs by adding additional remote WAFs). For example, if you want the WAF to redirect all traffic on IP address 1.2.3.4 to internal.example.com, type in 1.2.3.4.

Local Url: Enter the local URL, if any, that the WAF should expect from the client to direct this connection to the remote host. The default of / is usually correct if you are forwarding all traffic for an FQDN or domain. If you only want the WAF to pass on specific requests for specific URLs, enter them here.

Destination: Enter the full URL you want the WAF to use as the destination server. Make sure you have DNS or /etc/hosts entries for this, otherwise the WAF will not be able to find the destination. This should also not be the same thing as "Domain Name:". You can also use https:// here.

Remote Port: Type in the remote port for the backend server the WAF will be sending requests to.

SSL: Select SSL if you wish to accept SSL connections to the WAF. If you select this you will be presented with these additional options:

Path to SSL Certificate: Provide the filesystem path to the SSL certificate for this service.

Path to SSL Key file: Provide the filesystem path to the SSL key file for this service.

Step 8) Then click Save

SSL/TLS

If you select SSL for either the local or remote WAF options, your SSL certificates and keys must be in an Apache compatible format to be imported by the T-WAF.

ASL Configuration Settings

The WAFs settings are contained under the Configuration tab. To Configure the WAF follow this process:

Step 1) Log into the ASL GUI

Step 2) Click on the Configuration Tab

Step 3) Select the "ASL Configuration" sub menu

Step 4) Scroll down to the Mod_security configuration section. The following options are available:

MODSEC_ENABLED

Enable/Disable the entire WAF system

WAF_ENGINE

Set the WAF engine mode, there are three modes:

On - this tells the WAF to detect and block attacks.

DetectOnly - this tells the WAF to only detect and report attacks, but not to block them.

Off - Disables the WAF.


WAF_ENABLED

Enable/Disable Tortix WAF proxy. The tortix waf module, this module can process local or remote services through the Tortix Web Application Firewall (T-WAF) . (Default: Off)

WAF_CHROOTDIR

Configures the directory path that will be used to jail the web server process. (For the embedded WAF modules only). This lets you put the local apache instance into a chroot jail.

WAF_READSTATELIMIT

Sets the limit of the number of connections that can be in the Read state for the WAF. This helps to prevent DOS attacks. The default is generally good for most sites.

WAF_SECREQUESTBODYNOFILESLIMIT

(Default: 1048576) Configures the maximum request body size the WAF modules will accept for buffering. There is a hard limit of 1GB. This is not a limit on file sizes sent through the WAF, just request body sizes.

WAF_SECREQUESTBODYINMEMORYLIMIT

(Default: 131072) Configures the maximum request body size the WAF modules will store in memory. The is a hard limit of 1GB. The default is generally sufficient for any site.

WAF_DEFAULT_ACTION

Configures the block policy, deny the request or redirect the client to a landing page.

WAF_REDIRECT_URL

Used for WAF_DEFAULT_ACTION of "redirect". This is the URL to redirect blocked pages. This must include http:// or https:// in the URL.

Example:

https://%{server_name}:30000/blocked.php?eventid=%{eventid}

You can use variables in the URL. They must be represented in this format:

%{variable_name}

Currently supported variables are listed below. As new variables are supported, we will add them to the documentation here.

server_name

This is the value the client sent in the Host: header.

eventid

The unique eventid from the WAF.

remote_addr

The client IP address.

ruleid

The WAF ruleid.

MODSEC_SERVERSIG

Field returned when a remote host queries what kind of web server this is. This can be used to hide what kind of server is running on the system, or what the WAFs are protecting.

MODSEC_UPLOADDIR

Configures the directory where intercepted files will be stored. If the WAF is configured to scan uploads, and this is set to On, then any malicious files the WAF detects will be stored in this directory on the server.

MODSEC_KEEPFILES

Configures whether or not the intercepted files will be kept after transaction is processed. It is recommended you set to this off.

MODSEC_LOGTYPE

Configures the type of audit logging mechanism to be used. Concurrent - audit log entries will be stored in separate files, one for each transaction. Serial - all audit log entries will be stored in the main audit logging file. The default is Concurrent, which is both faster and more reliable and works with ASL Gui. Serial logging is for legacy purposes and should not be enabled.

MODSEC_LOGFILE

The name of the log file that is used to store audit record headers. Do not change this unless you know what you are doing. It is generally not necessary to change this setting.

MODSEC_LOGELEMENT

Defines which part of each transaction are going to be recorded in audit log. Do not change the defaults unless you know what you are doing, this may break the GUI and active response systems.

Available audit log parts:

   A: Audit log header (mandatory).
   B: Request headers.
   C: Request body (present only if the request body exists and ModSecurity is configured to intercept it).
   D: Reserved for intermediary response headers; not implemented yet.
   E: Intermediary response body (present only if ModSecurity is configured to intercept response bodies, and if the audit log engine is configured to record it). Intermediary response body is the same as the actual response body unless ModSecurity intercepts the intermediary response body, in which case the actual response body will contain the error message (either the Apache default error message, or the ErrorDocument page).
   F: Final response headers (excluding the Date and Server headers, which are always added by Apache in the late stage of content delivery).
   G: Reserved for the actual response body; not implemented yet.
   H: Audit log trailer.
   I: This part is a replacement for part C. It will log the same data as C in all cases except when multipart/form-data encoding in used. In this case, it will log a fake application/x-www-form-urlencoded body that contains the information about parameters but not about the files. This is handy if you don’t want to have (often large) files stored in your audit logs.
   J: This part contains information about the files uploaded using multipart/form-data encoding.
   K: This part contains a full list of every rule that matched (one per line) in the order they were matched. The rules are fully qualified and will thus show inherited actions and default operators. 
   Z: Final boundary, signifies the end of the entry (mandatory). 

MODSEC_REQMEMLIMIT

Configures the maximum request body size ModSecurity will store in memory. The default are adequate for most sites, you should not change this unless you know what you are doing.

MODSEC_DEBUGLOG

Enable/Disable the ModSecurity debug log file. The debug log is located in /var/log/httpd/modsec_debug.log Enabling this will incur a substantial performance penalty on the system. You should not enable this on a production system, and only if you are debugging modsecurity rules.

Most users will want to leave this disabled.

MODSEC_CLEAN_ALERT

Number of days to retain mod_security alert data. The WAF will store the actual full requests of any intercepted attacks, to make it possible for you to investigate them and to report these to us, either for further investigation, false positives or for other forensics needs. The default is to keep these for 30 days.

MODSEC_DATADIR

Path where persistent data (e.g. IP address data, session data, etc) is to be stored.

MODSEC_AUDITDIR

Defines the path to the audit log files. Used only when Concurrent mode is configured.

MODSEC_TMPDIR

Configures the directory where temporary files will be created.

MODSEC_RESPONSEBODYLIMIT

Configures the maximum response body size that will be accepted for buffering.

MODSEC_RESPONSEBODYLIMITACTION

Controls what happens once a response body limit, configured with SecResponseBodyLimit, is encountered. There are two options:

ProcessPartial: Scan the response up to the limit and stop scanning when the limit is reached, but send the rest of the response.

Reject: If the response is greater than the Limit, reject the response entirely.

MODSEC_REQUESTBODYLIMIT

This sets the maximum size for a request body in bytes. The default is 134217728 bytes.

Anything over the limit will be rejected with status code 413 (Request Entity Too Large). There is a hard limit of 1 GB.

Ruleset Settings

These allow you to enable/disable entire Rulesets and classes of rules. If you want to configure a specific rule, use the Rule Manager.

MODSEC_00_WHITELIST

Enable/Disable whitelist rule class. Note enabling this will bypass *ALL* security checks for hosts on the whitelist. It is a truly terrifying option. Enabling this will void your support, just kidding. But seriously, enabling this will in fact tell the WAF to totally ignore everything from the source, it wont even alert. We dont recommend you you use this.

MODSEC_00_ANTIEVASION

Enable/Disable the antievasion rule class. This ruleset prevents attacks that try to bypass the WAF itself.

MODSEC_00_STRICT

Enable/Disable the strict multiform checks rule class. This ruleset enforces strict adherence RFCs for multiform messages. This prevents advanced attacks that may try to bypass the WAF. Note: Broken applications and clients that do not adhere to RFCs will not be able to send multiform to the system if you enable this. This not a false positive, these clients and applications are broken. If you are unfortunately stuck with these, you will have to disable this.

MODSEC_00_RBL

Enable/Disable Real-time Black List (RBL) rule class. You should only use this if the ASL server has a really fast local DNS server. This ruleset will look up every request in the DNS to see if its on a blacklist, and will not finish serving the request until the DNS server responds. This can slow down requests if the DNS server is slow. Basically, web requests will move at the speed of the DNS servers replies.

MODSEC_00_AE_RULES

Enable/Disable the antievasion rule class. This ruleset prevents attacks that try to bypass the WAF itself.

MODSEC_01_RULES

Enable/Disable the Bypass protection rule class. This ruleset prevents attacks that try to bypass the WAF itself or can be used to trick applications into parsing data in ways that may compromise the application.

MODSEC_10_ANTIMALWARE

Enable/Disable the anti-malware rule class. This will look at any requests to the system for known malware domains and indicators of malware injection requests (this does not do the same thing as the MODSEC_99_SCANNER class, which will inspect uploads for malware).

MODSEC_10_RULES

Enable/Disable the core rule class. This class contains the core generic rules, which will look for things like SQLi, XSS, CSRF, recursion, code injection, command injection, XML attacks and other generic attack patterns. You should always leave this class enabled.

MODSEC_11_ADV_RULES

Enable/Disable the advanced protection rule class. This class contains advanced rules.

MODSEC_11_DLP

Enable/Disable the data loss protection rule class. This will detect certain Data Loss events, such as credit card information being sent or errors messages from applications that may reveal sensitive information or that the system or application is vulnerable to particular attack.

MODSEC_12_BRUTE

Enable/Disable the brute force attack protection rule class. Detects attempts to brute force web applications authentication mechanisms.

MODSEC_20_USERAGENTS

Enable/Disable the useragents rule class. Detects known malicious or suspicious user agents.

MODSEC_30_ANTISPAM

Enable/Disable the anti-spam rule class. This class contains tuned antispam rules, designed to work with all known blogs, forums, guestbooks, CMS' and other web content management systems that allow users to post content.

MODSEC_31_ANTISPAM_URI

Enable/Disable the anti-spam URI rule class. Looks up all URIs in a post against RBLs to see if its a known spam domain. As with the MODSEC_00_RBL rules, these should only be used if the server has a local fast DNS server. This ruleset will look up every request in the DNS to see if its on a blacklist, and will not finish serving the request until the DNS server responds. This can slow down requests if the DNS server is slow. Basically, web requests will move at the speed of the DNS servers replies.

MODSEC_50_ROOTKITS

Enable/Disable the rootkit rule class. This class detects and blocks known rootkits, PHP/ASP/PERL shells, spam tools and other malicious web applications from running on the system. (These rules exist for cases where malicious software may already be installed on the system, this is a defense in depth rule set)

MODSEC_60_RECONS

Enable/Disable the recon rule class. This class blocks known "google hacks" or webserver probes that look for vulnerable applications and signs of compromised systems running unauthorized shells, or unprotected applications that allow uploads which would give an attacker access to the system.

MODSEC_61_DLP

Enable/Disable the data loss protection class. These rules detect Data Loss Search engine "hacks". These are search engine probes for sensitive files, often used by malicious parties to find sensitive information accidentally exposed on web servers.

MODSEC_99_JITP

Enable/Disable the Just In Time Patches(JITP) rule class. Just in Time Patches. We publish JITPs daily if there is a new web application vulnerability that the 10_asl_rules.conf do not protect the system against. These are tuned rules for specific vulnerabilities in a web application.

MODSEC_99_REDACTOR

Enable/Disable the automatic malicious/hidden iframe and malware removal rule class. Automatically removes malicious code from web pages, such as hidden iframes, encoded javascript and other malicious code.

MODSEC_99_MALWARE_OUTPUT

Enable/Disable the malware output rule class.

MODSEC_99_SCANNER

Enable/Disable PHP check enforcement mode. Note setting this to no will still test for vulnerabilitites.

Rule Manager

The Rule manager can be used to configure individual WAF rules, such as what response the system such take for that rule, if an email or GUI alert should be presented, and so on. To access the rule manager please follow this process:

Step 1) Log into the ASL GUI

Step 2) Click the "Configuration" tab.

Step 3) Select "Rule Management"

This will bring up the rule management screen. There are two tabs on this screen:

Global: This sets global features for all the rules

Rules: This presents all the individual rules, and options to configure that rule specifically.

Global Options

If you change a setting on this screen, you must click the "Update" button for the setting changes to take effect.

The follow settings are available in the Global setting screen:

Email to

This sets the email address to send alerts to. The default is $EMAIL which inherits the global email address set in the ASL Configuration screen. If you want to use the same email address you set when you configured when you install ASL leave this setting as "$EMAIL". Otherwise, change this to the email address you want rule alerts sent to.

Email From

Set this to the From: line you want to use for the emailed alerts. Available variables are $HOSTNAME is is populated by the servers fully qualified hostname, and $EMAIL which is set in the ASL Configuration screen. The default is usually effective for most users.

Max Emails per hour

This sets a limit on the maximum number of emails the system will sent to the Email to: address. This basically "queues up" alerts. If events occur after the Max Emails per hour limit has been reached, then those alerts will be held until the next hour and will be grouped together in a single email sent the next hour.

If you want alerts to be sent as they occur, and not to be queued up, set this to 9999.

Active Response

This sets whether of not ASL will block the source of the attack, by implementing a firewall rule for the source of the attack. (Which may be a temporary shun, or a permanent shun depending on the setting below "Shun Timeout")

Shun Timeout

This tells ASL if the firewall block, or "shun", should be temporary or permanent. Once the Shun Time (described below) has been reached the source IP address will be allowed to connect again. The ASL Configuration settings also allow for advanced options for this, such as multiplers that cause sources to be shunned for longer periods of time as more attacks are detected from the source.

Shun Time

Timeout period is in seconds. This sets the maximum amount of time a source address will be blocked by ASL/

If Shun Timeout is set to no, the "shun" is permanent and this option is ignored.

Rules

The Rules Manager has two tabs:

HIDS

This contains all the Rules for HIDS. For documentation on the HIDS please see the ASL HIDS documentation page.

WAF

This contains all the Rules for the WAF. There are two columns on this tab, the left column contains the current rule sub classes, and the screen on the right shows all rules that match your current filter selections. The window on the right is populated by selecting either a subclass of rules, or by typing in search criteria in the boxes at the top of the screen.

If you select a rule sub class, for example "adult-spam" that will pull up all the rules in the class on the right hand side of the screen.

Or you can search for specific rules by using the filter bar at the top of the screen. The filter options are:

Category: This is another way to select a rule subclass, this is optional, you do not have to select a rule class. If you leave this in either the default, or you set this to (any) your filter will apply to all the WAF rules.

Level: Rules have different levels, depending on severity. Some rules are only informational, some indicate suspicious activity and others are full blown attacks. A higher number is a high severity or importance, and a lower number is a lower severity or importance. This filter is optional, you do not need to select a level if you do not want to filter by level. If you leave the default your filter will apply to all levels.

Search: This allows you to search by any thing in the rule, its name, ID, etc. If you hit enter in this field it will start the search.

When you have finished with your filter criteria, just click the "filter button" or hit enter in the search field.

Configuring specific rules

Once you have the rule manager open, and have pulled up a rule you want to modify just click on the down arrow next to the rules ID to open the rules options.

Rule Options

For WAF rules the following options are available:


Disabled

Setting this "yes" globally disables the rule. If you want to disable a rule for a specific domain or FQDN see the Vhost option below.

Severity

This sets the severity level for the event. This allows you to set rules to be lower or higher priority which will effect:

1. How they are displayed in the GUI

2. Whether they are shunned or not (a minimum severity level can be set in ASL to control if an event is important enough to block the source IP address, please see the ASL Configuration documentation for these settings.

3. If an email alert is sent. A minimum severity level can be set in ASL to control if an event is important enough to send an email alert, please see the ASL Configuration documentation for these settings.

Active Response

This sets if the system should perform any active response actions against the source IP address. This option is ignored if Active Response is disabled in the Global options.

Email

This sets if the event will generate an email alert. Keep in mind that the event must also be above the minimum level set in the ASL Configuration.

Logging

This sets if the event will be displayed, at all, in the ASL GUI. Setting this to off "silences" the event in the ASL GUI. It does not prevent the event from being logged to the systems logs.

Vhost settings

This subpanel allows you to set domain or FQDN specific settings for a rule. For example, if you want a rule to other behave per its defaults, but want to change its behavior for a specific domain you can set that domain here.

Currently this is limited to disabling the rule for the domain. In the future this will be expanded to allow other options for the rule as with the global settings.

Simply type in the domain name in the text box on the right, select "yes" and click add.

Rule Tuning

Please see the Mod_security page.

Events

WAF events are displayed in the ASL Events window. Please see the ASL Events page for usage information.

Configuring web servers to use the T-WAF

This section provides courtesy instructions about how to configure a remote web server to work with the T-WAF, so that the remote web server reports the correct client IP address and not the IP address for the T-WAF server.

This can also be used with local web services. For local apache servers, we do not recommend you use the T-WAF. Instead, make sure you are using the embedded mode explained at the beginning of this article. The WAF will integrate natively with Apache 2.x, and is highly recommended for that platform.

Apache

Note: If you are using embedded mode (which is the default) you do not need to do this. You will only need to do this if you are using the T-WAF to proxy traffic to a remote apache server. If you have a local apache server that ASL is installed on, install modsecurity locally.

For remote apache servers, to setup Apache to report the clients IP when using the T-WAF follow this process:

Step 1) Install mod_rpaf

http://stderr.net/apache/rpaf/

Step 2) Add this to your remote servers apache configuration

LoadModule rpaf_module path/to/mod_rpaf-2.0.so
RPAFenable On
RPAFsethostname On
RPAFproxy_ips <IP FOR THE ASL SERVER>
RPAFheader X-Forwarded-For

Change the IP in this line:

RPAFproxy_ips <IP FOR THE ASL SERVER>

To the IP for your ASL server. For example, if the ASL servers IP address is 1.2.3.4 this line will look like this:

RPAFproxy_ips 1.2.3.4

Step 3) Restart the remote apache server

Litespeed

To setup Litespeed to report the correct IP address of the client when using the T-WAF follow these instructions:

Step 1) Log into the LiteSpeed Web Admin Console

Step 2) Under Configuration, enable the option "Use Client IP in Header".

Step 3) Restart Litespeed

Nginx

Step 1) Edit your nginx.conf file and add the following to your http section:

http {
set_real_ip_from   127.0.0.1/32;
set_real_ip_from   <YOUR SERVERS IP>/32;
set_real_ip_from   <YOUR SERVERS OTHER IPS>/32;
real_ip_header     CF-Connecting-IP;

Replace <YOUR SERVERS IP> with your servers IP(s). For example, if your server had the IPs 1.2.3.4, 1.2.3.5 and 1.2.3.6 your configuration would look like this:

set_real_ip_from   127.0.0.1/32;
set_real_ip_from   1.2.3.4/32;
set_real_ip_from   1.2.3.5/32;
set_real_ip_from   1.2.3.6/32;
real_ip_header     CF-Connecting-IP;


Step 2) Restart nginx.

Personal tools