WebApp Secure 5.5. Published: Copyright 2014, Juniper Networks, Inc.

Transcription

1 WebApp Secure 5.5 Published:

2 Juniper Networks, Inc North Mathilda Avenue Sunnyvale, California USA All rights reserved. Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. WebApp Secure 5.5 All rights reserved. The information in this document is current as of the date on the title page. YEAR 2000 NOTICE Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year However, the NTP application is known to have some difficulty in the year END USER LICENSE AGREEMENT The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement ( EULA ) posted at By downloading, installing or using such software, you agree to the terms and conditions of that EULA. ii

3 Table of Contents About the Documentation xvii Documentation and Release Notes xvii Documentation Conventions xvii Documentation Feedback xix Requesting Technical Support xx Self-Help Online Tools and Resources xx Opening a Case with JTAC xx Part 1 Overview Chapter 1 WebApp Secure WebApp Secure Overview Methodology Features and Benefits Key Components Anatomy and Flow of an HTTP Request / Response Limitations Chapter 2 Deployment Appliance Deployment Overview Placement Between Firewall and Web Servers Options for Load-Balanced Environments SSL Traffic Considerations EC2 Deployment Deploying Using the Command Line Deploying Using the Web Interface Assigning the Instance and IP Using the CLI Assigning the Instance and IP Using the Web Interface Verify the Instance is Running Clustering Overview High Availability Overview Chapter 3 Installation and Setup WebApp Secure Appliance Terminology First Time Configuration Initial Appliance Configuration Changing the Password Resetting the Password Configure Network Interfaces Set the Hostname iii

4 WebApp Secure 5.5 Set DNS Initializing the System Verify Connectivity Install the License Configuring High Availability High Availability Settings Configuring Clustering Performing Initial Updates Updating the Cluster About the Configuration Wizard Using the Configuration Wizard Using WebApp Secure with Third-Party Load Balancer Verify the Installation Part 2 Configuration Chapter 4 Configuration Options Web Interface Configuration Overview Edit Web UI User Preferences View Online Help and Product Documentation from the Web UI Basic Configuration Mode Expert Configuration Mode Import/Export (Web UI) Security Engine Configuration Configure Support for Akamai Dynamic Site Accelerator Security Engine Incident Monitoring Security Engine Server Identity and Cloaking Security Engine Traffic Security Engine Whitelist Settings Proxy/Backends Applications Overview Create a New Application Edit Applications Application Patterns Application Backend Overrides Enable SSL to the Client Pages NTP Service Alert Service Integration with SRX Series Overview Filters and Terms Configuration Summary for SRX Series Integration Creating SRX Series Filters and Terms Configure the SRX Series Integration Testing the SRX Series Integration Configuration Chapter 5 Managing the Appliance Overview Navigating the CLI The CLI: The Set Command The CLI: General and Base Commands iv

5 Table of Contents The CLI: Configuration Level Commands The CLI: System Level Commands CLI: Config Example CLI: Config: Setting a Configuration Parameter CLI: Config: Initializing the Configuration CLI: Config: Import/Export CLI: Config: Configure a Proxy Exclusion System Updates Statistics High Availability Network Failure Detection, Actions, and Monitoring Unblock Web UI Login Ban Health Check URL Self-Monitoring Self-Monitoring Configuration Variables Managing and Viewing Logs Log File Destination Backup and Recovery Overview Database Backup and Restore Chapter 6 Security Intelligence About Security Intelligence Enable the Spotlight Connector Service Spotlight Connector Session Cookies and Locations About Spotlight Secure Enable Spotlight Secure Chapter 7 Response Rule Configuration Response Overview Using the Editor List Of Incident Methods Chapter 8 Reports Reporting Overview Information for Report Types Scheduling a Report Overview Schedule a Report Report History Report Details Report Types Part 3 Administration Chapter 9 General Tasks Changing the Password Resetting the Password Chapter 10 Configuration Modes and Roles Role-Based Administrator Access Control Configuring Role-Based Access Control RBAC Groups and Roles Edit Web UI User Preferences v

6 WebApp Secure 5.5 Chapter 11 The Web UI Web UI Overview The Dashboard Attackers Attacker Profile Page Incidents Incident Details Counter Responses Sessions Session Details Search Reports Configuration System Status Updates Part 4 Monitoring Chapter 12 The Processors Processors Overview Complexity Rating Definitions Security Engine Incident Monitoring Session Cookie Spoofing Session Cookie Tampering Hostname Spoofing Attempt Security Processors Chapter 13 Honeypot Processors Honeypot Processors: Access Policy Processor Honeypot Processors: Access Policy Processor: Incidents - Malicious Service Call Honeypot Processors: Access Policy Processor: Incidents - Service Directory Indexing Honeypot Processors: Access Policy Processor: Incidents - Service Directory Spider Honeypot Processors: AJAX Processor Honeypot Processors: AJAX Processor: Incidents - Malicious Script Execution Honeypot Processors: AJAX Processor: Incidents - Malicious Script Introspection Honeypot Processors: Basic Authentication Processor Honeypot Processors: Basic Authentication Processor: Incidents - Apache Configuration Requested Honeypot Processors: Basic Authentication Processor: Incidents - Apache Password File Requested Honeypot Processors: Basic Authentication Processor: Incidents - Invalid Credentials Honeypot Processors: Basic Authentication Processor: Incidents - Protected Resource Requested vi

7 Table of Contents Honeypot Processors: Basic Authentication Processor: Incidents - Password Cracked Honeypot Processors: Basic Authentication Processor: Incidents - Basic Authentication Brute Force Honeypot Processors: Cookie Processor Honeypot Processors: Cookie Processor: Incident - Cookie Parameter Manipulation Honeypot Processors: File Processor Honeypot Processors: File Processor: Incident - Suspicious Filename Honeypot Processors: File Processor: Incident - Suspicious File Exposed Honeypot Processors: File Processor: Incident - Suspicious Resource Enumeration Honeypot Processors: Hidden Input Form Processor Honeypot Processors: Hidden Input Form Processor: Incident - Parameter Type Manipulation Honeypot Processors: Hidden Input Form Processor: Incident - Hidden Parameter Manipulation Honeypot Processors: Hidden Link Processor Honeypot Processors: Hidden Link Processor: Incident - Link Directory Indexing Honeypot Processors: Hidden Link Processor: Incident - Link Directory Spidering Honeypot Processors: Hidden Link Processor: Incident - Malicious Resource Request Honeypot Processors: Query String Processor Honeypot Processors: Query String Processor: Incident - Query Parameter Manipulation Honeypot Processors: Robots Processor Honeypot Processors: Robot Processor: Incident - Malicious Spider Activity Chapter 14 Activity Processors Activity Processors Activity Processors: Custom Authentication Processor: Incident - Auth Input Parameter Tampering Activity Processors: Custom Authentication Processor: Incident - Auth Query Parameter Tampering Activity Processors: Custom Authentication Processor: Incident - Auth Cookie Tampering Activity Processors: Custom Authentication Processor: Incident - Authentication Brute Force Activity Processors: Custom Authentication Processor: Incident - Auth Invalid Login Activity Processors: Cookie Protection Processor Activity Processors: Cookie Protection Processor: Incident - Application Cookie Manipulation Activity Processors: Error Processor Activity Processors: Error Processor: Incident - Illegal Response Status Activity Processors: Error Processor: Incident - Suspicious Response Status Activity Processors: Error Processor: Incident - Unexpected Response Status vii

8 WebApp Secure 5.5 Activity Processors: Error Processor: Incident - Unknown Common Directory Requested Activity Processors: Error Processor: Incident - Unknown User Directory Requested Activity Processors: Error Processor: Incident - Common Directory Enumeration Activity Processors: Error Processor: Incident - User Directory Enumeration Activity Processors: Error Processor: Incident - Resource Enumeration Activity Processors: Header Processor Activity Processors: Header Processor: Incident - Duplicate Request Header Activity Processors: Header Processor: Incident - Duplicate Response Header Activity Processors: Header Processor: Incident - Illegal Request Header Activity Processors: Header Processor: Incident - Illegal Response Header Activity Processors: Header Processor: Incident - Missing All Headers Activity Processors: Header Processor: Incident - Missing Host Header Activity Processors: Header Processor: Incident - Missing Request Header Activity Processors: Header Processor: Incident - Missing Response Header Activity Processors: Header Processor: Incident - Missing User Agent Header Activity Processors: Header Processor: Incident - Request Header Overflow Activity Processors: Header Processor: Incident - Unexpected Request Header Activity Processors: Method Processor Activity Processors: Method Processor: Incident - Illegal Method Requested Activity Processors: Method Processor: Incident - Unexpected Method Requested Activity Processors: Method Processor: Incident - Missing HTTP Protocol Activity Processors: Method Processor: Incident - Unknown HTTP Protocol Chapter 15 Tracking Processors Tracking Processors: Etag Beacon Processor Tracking Processors: Etag Beacon Processor: Incident - Session Etag Spoofing Tracking Processors: Client Beacon Processor Tracking Processors: Client Beacon Processor: Incident - Beacon Parameter Tampering Tracking Processors: Client Beacon Processor: Incident - Beacon Session Tampering Tracking Processors: Client Fingerprint Processor Tracking Processors: Client Fingerprint Processor: Incident - Fingerprint Directory Indexing Tracking Processors: Client Fingerprint Processor: Incident - Fingerprint Directory Probing Tracking Processors: Client Fingerprint Processor: Incident - Fingerprint Manipulation Tracking Processors: Client Classification Processor Chapter 16 Response Processors Response Processors Response Processors: Block Processor viii

9 Table of Contents Response Processors: Request Captcha Processor Response Processors: Request Captcha Processor: Incident - Captcha Answer Automation Response Processors: Request Captcha Processor: Incident - No Captcha Answer Provided Response Processors: Request Captcha Processor: Incident - Multiple Captcha Request Overflow Response Processors: Request Captcha Processor: Incident - Unsupported Audio Captcha Requested Response Processors: Request Captcha Processor: Incident - Bad Captcha Answer Response Processors: Request Captcha Processor: Incident - Mismatched Captcha Session Response Processors: Request Captcha Processor: Incident - Expired Captcha Request Response Processors: Request Captcha Processor: Incident - Captcha Request Tampering Response Processors: Request Captcha Processor: Incident - Captcha Signature Tampering Response Processors: Request Captcha Processor: Incident - Captcha Signature Spoofing Response Processors: Request Captcha Processor: Incident - Captcha Cookie Manipulation Response Processors: Request Captcha Processor: Incident - Captcha Image Probing Response Processors: Request Captcha Processor: Incident - Captcha Request Size Limit Exceeded Response Processors: Request Captcha Processor: Incident - Captcha Disallowed MultiPart Response Processors: Request Captcha Processor: Incident - Captcha Directory Indexing Response Processors: Request Captcha Processor: Incident - Captcha Directory Probing Response Processors: Request Captcha Processor: Incident - Captcha Parameter Manipulation Response Processors: Request Captcha Processor: Incident - Captcha Request Replay Attack Response Processors: Request Captcha Processor: Incident - Multiple Captcha Replays Response Processors: Request Captcha Processor: Incident - Multiple Captcha Disallow Multipart Response Processors: Request Captcha Processor: Incident - Multiple Captcha Parameter Manipulation Response Processors: CSRF Processor Response Processors: CSRF Processor: Incident - CSRF Parameter Tampering Response Processors: CSRF Processor: Incident - Multiple CSRF Parameter Tampering ix

10 WebApp Secure 5.5 Response Processors: CSRF Processor: Incident - CSRF Remote Script Inclusion Response Processors: CSRF Processor: Incident - HTTP Referers Disabled Response Processors: Header Injection Processor Response Processors: Force Logout Processor Response Processors: Strip Inputs Processor Response Processors: Slow Connection Processor Response Processors: Warning Processor Response Processors: Warning Processor: Incident - Warning Code Tampering Response Processors: Application Vulnerability Processor Response Processors: Application Vulnerability Processor: Incident - App Vulnerability Detected Response Processors: Support Processor Response Processors: Cloppy Processor Response Processors: Login Processor Response Processors: Login Processor: Incident - Site Login Invalid Response Processors: Login Processor: Incident - Site Login Multiple IP Response Processors: Login Processor: Incident - Site Login Multiple Usernames Response Processors: Login Processor: Incident - Site Login User Sharing Response Processors: Login Processor: Incident - Site Login User Pooling Response Processors: Login Processor: Incident - Site Login User Brute Force Response Processors: Login Processor: Incident - Site Login Brute Force Response Processors: Login Processor: Incident - Site Login Username Scan Response Processors: Google Map Processor Chapter 17 Captcha Template CAPTCHA Template Chapter 18 Log Format Access Log Format Security Log Format Audit Log Format Firewall Log Format Postgres Log Format mws Log Format Part 5 Index Index x

11 List of Figures Part 1 Overview Chapter 1 WebApp Secure Figure 1: HTTP Request/Response Flow Chapter 2 Deployment Figure 2: WebApp Secure Placement in the Network - Between Firewall and Web Servers Figure 3: WebApp Secure Deployment - Connected to Load Balancer Figure 4: AWS management console Figure 5: Instance Type Figure 6: Configure Instance continued Figure 7: Instance, Configure Name Figure 8: Instance, Create Key Pair Figure 9: Instance Create Security Group Figure 10: Instance, Review and Launch Figure 11: Allocate New Address Chapter 3 Installation and Setup Figure 12: Boot Menu Figure 13: Reset Password Figure 14: Appliance Login Screen Figure 15: License Terms Figure 16: HA Pair Status Figure 17: Wizard, Configure SMTP Settings, Step Figure 18: Wizard, Configure Alert Service, Step Figure 19: Wizard, Configure Alert Service, Step Figure 20: Wizard, Configure Alert Service, SNMP, Step Figure 21: Wizard, Configure Alert Service, Contacts, Step Figure 22: Wizard, Configure Backup Service Figure 23: Wizard, Confirmation Page Part 2 Configuration Chapter 4 Configuration Options Figure 24: User Preferences Figure 25: View Online Help Figure 26: View Product Guides Figure 27: Edit Parameter Figure 28: Whitelists Figure 29: Configured Applications Figure 30: Application Wizard xi

12 WebApp Secure 5.5 Figure 31: Application Dashboard Figure 32: URL Pattern Figure 33: Application Patterns Figure 34: Servers Figure 35: Proxy / Backends Figure 36: Add New Page Figure 37: Initialize Filter Figure 38: Create Filter Term Figure 39: Bind Filter to Interface Chapter 5 Managing the Appliance Figure 40: Dashboard, Updates Figure 41: Downloading Update Figure 42: Update Description Figure 43: Updating the Application Figure 44: CPU Utilization Figure 45: CPU Load Average Figure 46: Memory Utilization Figure 47: Network Traffic Figure 48: Proxy Connections Figure 49: Proxy Requests Figure 50: Blocked Login Figure 51: Restore Backup Chapter 6 Security Intelligence Figure 52: WebApp Secure-Spotlight Connector Data Flow Figure 53: Spotlight Connector Confguration Figure 54: Spotlight Connector Session Cookies Figure 55: Spotlight Connector Locations Figure 56: Recent Attackers: Global and Local Names Figure 57: Recent Attackers: Global Names Figure 58: User Preferences: Select Spotlight Name Preference Chapter 7 Response Rule Configuration Figure 59: Responses Figure 60: Edit Response Chapter 8 Reports Figure 61: Reporting Interface Figure 62: Scheduled Reports Figure 63: Schedule Report - Scorecard Figure 64: Schedule Report - Country Comparison Over Time Figure 65: Report History Figure 66: Report Details Figure 67: Report Details, View Figure 68: Incident List Figure 69: Executive Summary Figure 70: Incident Types Figure 71: Incident Volume by Hacker Figure 72: Incident Source Countries xii

13 List of Figures Figure 73: Last Week s Incident Activity Figure 74: Weekly Report Figure 75: Top Incident Types Figure 76: Top Locations Figure 77: Country Counts Over Time Part 3 Administration Chapter 9 General Tasks Figure 78: Boot Menu Figure 79: Reset Password Chapter 10 Configuration Modes and Roles Figure 80: Users and Groups, Add User Figure 81: Assigned Roles Figure 82: User Preferences Chapter 11 The Web UI Figure 83: Date filter widget Figure 84: Uesr widget Figure 85: Search widget Figure 86: Web UI Dashboard Figure 87: Dashboard - Filter By tab Figure 88: User Preferences Figure 89: Recent Attackers Figure 90: Attacker Profile Figure 91: Responses tab - Deactivate Figure 92: Incidents Table Figure 93: Sessions Figure 94: System Status, System Alerts Tab Figure 95: System Status, RRD: localhost Figure 96: Raid Status Figure 97: RAID Status-Missing Figure 98: Updates xiii

14 WebApp Secure 5.5 xiv

15 List of Tables About the Documentation xvii Table 1: Notice Icons xviii Table 2: Text and Syntax Conventions xviii Part 2 Configuration Chapter 4 Configuration Options Table 3: Luna Control Center Configuration Changes Table 4: WebApp Secure Configuration Settings for Akamai Support Table 5: External Counter Response Service Configuration Parameters Chapter 5 Managing the Appliance Table 6: General CLI Commands Table 7: Base Level CLI Commands Table 8: Configuration Level CLI Commands Table 9: System Level CLI Commands Table 10: Failure Scenarios Table 11: Health Check responses and corresponding meanings Chapter 7 Response Rule Configuration Table 12: Response Descriptions Table 13: Response Editor Fields Table 14: Incident Methods Part 3 Administration Chapter 10 Configuration Modes and Roles Table 15: RBAC Groups and Roles Chapter 11 The Web UI Table 16: Web UI Dashboard Panes Part 4 Monitoring Chapter 13 Honeypot Processors Table 17: Access Policy Processor Configuration Parameters Table 18: AJAX Processor Configuration Parameters Table 19: Basic Authentication Processor Configuration Parameters Table 20: Cookie Processor Configuration Parameters Table 21: File Processor Configuration Parameters Table 22: Hidden Input Form Processor Configuration Parameters Table 23: Hidden Link Processor Configuration Parameters xv

16 WebApp Secure 5.5 Table 24: Query String Processor Configuration Parameters Parameter Type Default Value Description Table 25: Robots Processor Configuration Parameters Chapter 14 Activity Processors Table 26: Custom Authentication Processor Configuration Parameters Table 27: Cookie Protection Processor Configuration Parameters Table 28: Error Processor Configuration Parameters Table 29: Header Processor Configuration Parameters Table 30: Method Processor Configuration Parameters Chapter 15 Tracking Processors Table 31: Etag Beacon Processor Configuration Parameters Table 32: Client Beacon Processor Configuration Parameters Table 33: Client Fingerprint Configuration Parameters Table 34: Client Classification Configuration Parameters Chapter 16 Response Processors Table 35: Block Processor Configuration Parameters Table 36: Request Captcha Processor Configuration Parameters Table 37: CSRF Processor Configuration Parameters Table 38: Header Injection Processor Configuration Parameters Table 39: Force Logout Processor Configuration Parameters Table 40: Strip Inputs Processor Configuration Parameters Table 41: Slow Connection Processor Configuration Parameters Table 42: Warning Processor Configuration Parameters Table 43: Application Vulnerability Processor Configuration Parameters Table 44: Support Processor Configuration Parameters Table 45: Cloppy Processor Configuration Parameters Table 46: Login Processor Configuration Parameters Table 47: Google Map Processor Configuration Parameters xvi

17 About the Documentation Documentation and Release Notes Documentation and Release Notes on page xvii Documentation Conventions on page xvii Documentation Feedback on page xix Requesting Technical Support on page xx Documentation Conventions To obtain the most current version of all Juniper Networks technical documentation, see the product documentation page on the Juniper Networks website at If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes. Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at Table 1 on page xviii defines notice icons used in this guide. xvii

18 WebApp Secure 5.5 Table 1: Notice Icons Icon Meaning Description Informational note Indicates important features or instructions. Caution Indicates a situation that might result in loss of data or hardware damage. Warning Alerts you to the risk of personal injury or death. Laser warning Alerts you to the risk of personal injury from a laser. Tip Indicates helpful information. Best practice Alerts you to a recommended use or implementation. Table 2: Text and Syntax Conventions Table 2 on page xviii defines the text and syntax conventions used in this guide. Convention Description Examples Bold text like this Represents text that you type. To enter configuration mode, type the configure command: user@host> configure Fixed-width text like this Italic text like this Represents output that appears on the terminal screen. Introduces or emphasizes important new terms. Identifies guide names. Identifies RFC and Internet draft titles. user@host> show chassis alarms No alarms currently active A policy term is a named structure that defines match conditions and actions. Junos OS CLI User Guide RFC 1997, BGP Communities Attribute Italic text like this Represents variables (options for which you substitute a value) in commands or configuration statements. Configure the machine s domain name: [edit] root@# set system domain-name domain-name xviii

19 About the Documentation Table 2: Text and Syntax Conventions (continued) Convention Description Examples Text like this Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components. To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level. The console port is labeled CONSOLE. < > (angle brackets) Encloses optional keywords or variables. stub <default-metric metric>; (pipe symbol) Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity. broadcast multicast (string1 string2 string3) # (pound sign) Indicates a comment specified on the same line as the configuration statement to which it applies. rsvp { # Required for dynamic MPLS only [ ] (square brackets) Encloses a variable for which you can substitute one or more values. community name members [ community-ids ] Indention and braces ( { } ) ; (semicolon) Identifies a level in the configuration hierarchy. Identifies a leaf statement at a configuration hierarchy level. [edit] routing-options { static { route default { nexthop address; retain; } } } GUI Conventions Bold text like this Represents graphical user interface (GUI) items you click or select. In the Logical Interfaces box, select All Interfaces. To cancel the configuration, click Cancel. > (bold right angle bracket) Separates levels in a hierarchy of menu selections. In the configuration editor hierarchy, select Protocols>Ospf. Documentation Feedback We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can provide feedback by using either of the following methods: Online feedback rating system On any page at the Juniper Networks Technical Documentation site at simply click the stars to rate the content, and use the pop-up form to provide us with information about your experience. Alternately, you can use the online feedback form at xix

20 WebApp Secure 5.5 Send your comments to Include the document or topic name, URL or page number, and software version (if applicable). Requesting Technical Support Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC. JTAC policies For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at Product warranties For product warranty information, visit JTAC hours of operation The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year. Self-Help Online Tools and Resources For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features: Find CSC offerings: Search for known bugs: Find product documentation: Find solutions and answer questions using our Knowledge Base: Download the latest versions of software and review release notes: Search technical bulletins for relevant hardware and software notifications: Join and participate in the Juniper Networks Community Forum: Open a case online in the CSC Case Management tool: To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: Opening a Case with JTAC You can open a case with JTAC on the Web or by telephone. Use the Case Management tool in the CSC at Call JTAC ( toll-free in the USA, Canada, and Mexico). xx

21 About the Documentation For international or direct-dial options in countries without toll-free numbers, see xxi

22 WebApp Secure 5.5 xxii

23 PART 1 Overview WebApp Secure on page 3 Deployment on page 11 Installation and Setup on page 23 1

24 WebApp Secure 5.5 2

25 CHAPTER 1 WebApp Secure WebApp Secure Overview WebApp Secure Overview on page 3 Methodology on page 4 Features and Benefits on page 4 Key Components on page 6 Anatomy and Flow of an HTTP Request / Response on page 8 Limitations on page 10 WebApp Secure protects websites from would-be attackers, fraud, and theft. Its Web intrusion prevention system uses deception to detect, track, profile, and block attackers in real time by inserting detection points into your webserver's output to identify attackers before they do damage. WebApp Secure then tracks detected attackers, profiling their behavior and deploying countermeasures. WebApp Secure sits between your webservers and the outside world. It inspects HTTP and HTTPS traffic and functions as a reverse proxy. WebApp Secure seeks out potential attack attempts or probes by adding detection points to outbound web traffic and removing detection points from inbound Web traffic. These detection points are transparent to common, legitimate users. It then monitors and strips these points from the requests coming back from the user's browser. Any change to a detection point is an indicator of an attempted attack. The system logs incidents to a database of attacker profiles, and exposes them to the security administrators through a web-based interface. System administrators can then apply automated abuse-prevention policies, or respond manually. Related Documentation Methodology on page 4 Features and Benefits on page 4 Key Components on page 6 Anatomy and Flow of an HTTP Request / Response on page 8 3

26 WebApp Secure 5.5 Methodology WebApp Secure protects web sites from attackers using a proprietary blend of intrusion deception techniques. Its real-time protection system detects, tracks, profiles, and defends against hackers. By dynamically inserting detection points, honeypots, and honeytokens into the code of your web application traffic, WebApp Secure identifies and stops attackers before they can do damage. WebApp Secure protects and defends using the following methodology: Detect Detection points are inserted into web application code, creating a virtual minefield that detects hackers when they manipulate these detection points during pre-attack reconnaissance. Track WebApp Secure goes beyond the IP address and tracks attackers based on client fingerprinting techniques. Profile WebApp Secure s tracking techniques enable attacker profiling. Every attacker is assigned a name and each incident is recorded, along with a threat level based on the attacker s intent and skill. Respond and Understand Once an attacker is detected, an appropriate response can be deployed manually or automatically in real-time. Related Documentation WebApp Secure Overview on page 3 Features and Benefits on page 4 Key Components on page 6 Anatomy and Flow of an HTTP Request / Response on page 8 Features and Benefits WebApp Secure detects attackers before they have the chance to successfully establish an attack vector, and blocks them with client-level tracking that does not impact legitimate users. It works out-of-the-box, so there are no rules to write, and no signatures to update. It continually profiles attackers as they come onto the scene, and it maintains a profile of known application abusers and all of their malicious activity. Ease-of-use deployment Acts as a reverse proxy with load balancing Available as a hardware appliance with high availability Available as a VMware or Amazon Machine Image Support for alternate ports (other than 80 and 443) Secure management 4