Web Application Firewall

Web Application Firewall Getting Started Guide August 3, 2015

Copyright 2014-2015 by Qualys, Inc. All Rights Reserved. Qualys and the Qualys logo are registered trademarks of Qualys, Inc. All other trademarks are the property of their respective owners. Qualys, Inc. 1600 Bridge Parkway Redwood Shores, CA 94065 1 (650) 801 6100

Contents Why Use a Web Application Firewall... 4 The Qualys Advantage... 5 Get Started... 6 Create a Security Policy... 6 Create a New WAF Cluster... 8 Configure a WAF Appliance... 9 Define Your Web Application... 10 Configure Your Web Environment... 13 We re Now Monitoring Your Web Application!... 13 Configure Your WAF Appliance - Amazon EC2... 15 Launch a New EC2 Instance... 15 1) Go to your Amazon EC2 Dashboard and launch an instance... 15 2) Choose the WAF AMI... 16 3) Choose Instance Type... 16 4) Configure Instance... 17 5) Additional steps (optional)... 17 6) Click Review and Launch... 17 Add Your WAF AMI to the Load Balancer... 18 1) Create an HTTP Load Balancer Instance... 18 2) Set up your Health Checks... 18 3) Add Your WAF Instance in the Cluster... 19 4) Redirect Your Traffic to the Load Balancer Hostname... 19 Configure Your WAF Appliance - VMware... 20 Tell me the steps... 20 Using the CLI... 20 CLI Reference... 23 Commands... 23 Variables... 23 Using vcenter... 24 Using vsphere Client... 24 Contact Support... 27 3

Why Use a Web Application Firewall HTTP(S) is the foundation of data communication for the World Wide Web, and functions as a request-response protocol for communications. Mobile apps, cloud computing, API communications, Intranet applications and webmail are common tools we use every day. These applications are all communicating over HTTP(S). Qualys provides applications that allow you to scan and identify vulnerabilities - Qualys Vulnerability Management (VM) and Qualys Web Application Scanning (WAS). Experience shows that patching web site source code can take longer than expected, depending on the affected component, development resources, and how agile the company is in applying and validating software updates. That s why Qualys is now introducing a new application - Web Application Firewall (WAF). This is an immediate remediation tool that is able to protect your web applications against attacks and gives your development team time to fix important security issues. Using the WAF application users can deploy multiple web application firewall instances. Each firewall consists of a virtual appliance that is configured to reverse proxy your HTTP(S) traffic. This appliance will be located in your virtualization platform (Amazon EC2 or VMware) and will be instantiated from a Qualys machine image. We ll walk you thru the steps in this user guide. 4

The Qualys Advantage Qualys offers a powerful, next generation web application firewall that uses an always up to date security ruleset to secure your web applications. This modern firewall uses a cloud-based approach and provides a classic mode of operation and deployment. All security events are routed through the Qualys Cloud Platform. They are continuously monitored and analyzed by our security researchers in order to compute the best ruleset for blocking the latest attacks and zero-day vulnerabilities. Qualys WAF users set up security policies based on rules to filter, monitor, block and report on events. 5

Get Started Start protecting your web applications and blocking attacks now! We ll help you do this quickly. First log in to Qualys and choose WAF. You ll see our Quick Start Guide the first time you log in - just follow the links to get started quickly. Tip - You can return to this anytime - just select it from the user name menu. Create a Security Policy The security policy determines the WAF responses to certain types of incoming traffic and the handling of outgoing traffic - this impacts what security events we'll report for your web application and whether or not we ll block malicious traffic. Customize the various policy options and assign the policy to your web application. You can create multiple policies and assign them to your various web applications (one to each web app). 6

Get Started Go to Configuration > Policies and click the New Policy button. Our wizard will help you with the settings. Control Rules Set the rules for responding to traffic based on criteria - country, URL path, date/time, content type. HTTP Protocol Configure HTTP protocol analysis for the policy. Application Security Configure a sensitivity rating for the various detection categories. This impacts what inspection will be performed by filtering potentially noisy events. Information Leakage Choose options for server cloaking, sensitive header suppression, error messages and sensitive file requests. Declarative Security Configure responses to cookies, content-type sniffing and browser cross-site scripting. Policy Controls Set threat level thresholds (1 to 100) for logging and blocking. This impacts what events we will log and block. Tip - Turn on help tips (in the title bar) and we ll help you while you re completing the steps. As you hover over each setting we ll show you useful tips. 7

Get Started Create a New WAF Cluster It s easy to create a WAF cluster - just give it a name. Go to Assets > WAF Clusters and click the New WAF Cluster button. Enter an arbitrary name and click Finish. You ll see your new WAF cluster in the list. The status means the cluster does not have any WAF appliances assigned to it. Notice the registration token. You ll use this to register your WAF cluster when you configure a WAF appliance using Amazon EC2 or VMware (vcenter). 8

Get Started Configure a WAF Appliance You ll add a WAF virtual appliance and configure it for your WAF cluster, within your environment - Amazon EC2 or VMware (with vcenter). Good to know A WAF cluster can be assigned as many WAF appliances as your subscription allows to guarantee high availability and redundancy in your firewalling operations. Tell me the steps 1) Add a new WAF Appliance for your WAF cluster. Just go to Assets > WAF Appliances, click New WAF Appliance, and we ll walk you through the steps. 2) Configure the WAF appliance for your environment. See our step by step instructions: Configure Your WAF Appliance - Amazon EC2 Configure Your WAF Appliance - VMware Firewall rules / EC2 security groups - Allow web traffic into the WAF appliance from the public Internet. - Allow SSH into the WAF appliance if needed. You should only allow that from a trusted management network. - Allow minimum access to the origin infrastructure. Web traffic from the public Internet should come only from the WAF appliance, any internal traffic should be limited to the management of the web server infrastructure. Load balancer considerations - Load balancers should be configured to hand off to WAF cluster nodes so we can appropriately configure redundancy within the infrastructure. - The WAF appliance functions as a reverse proxy. It is important that any DNS configurations or load balancer configurations are set to direct traffic to the WAF appliance. It will then inspect traffic and based on your account configuration hand it off to the appropriate origin infrastructure. 9

Get Started Define Your Web Application Tell us about the web application you want to monitor. Go to Assets > Web Applications and click New Web Application. Choose Blank and we ll help you build the web asset from scratch (see below). Tip - Use Existing Asset to create from an asset in your subscription. This saves you time! Skip entering name, URL, tags, and just enter the WAF specific settings. 10

Get Started 1) Asset Details - give your web asset a name, tell us the URL, assign tags (optional) 2) Network - set origin server (required) and secondary URL (optional) For Proxied Hostnames select Use Client Hostname (the default) and we'll use the client's given host header, or Use Origin Hostname and we'll use the hostname configured in the Origin Server URL in the HTTP host header. (Tip - Click http:// to switch to https://) 3) SSL Support - upload your SSL certificate in PEM format, if applicable Upload your certificate from the file system or just drag and drop it into the wizard. If necessary, upload your private key in PEM format and enter a passphrase. 11

Get Started 4) Policies - select a security policy Select Do not allow policy to block if you want to only monitor events for this web application. If the security policy has blocking settings they will not be enforced. 5) Access Control - choose rules for responding to traffic based on date/time or origin Define access control rules for responding to traffic based on date/time or origin - country, IP, URL path, etc. Rules can be defined to block, allow, or treat as more suspicious or more trusted. 6) WAF clusters - select a cluster to deploy your web app in It s possible for multiple WAF clusters to monitor the same web application. 12

Get Started Configure Your Web Environment Be sure to get traffic to your WAF appliance - configure load balancers and/or DNS as needed to direct traffic to your WAF cluster for inspection. We recommend you check to be sure your WAF cluster has an active status. Go to Assets > WAF Clusters. The status means the cluster does not have any WAF appliances assigned to it. The status means the cluster has appliances registered, none are inactive, and the cluster protects at least one site. We re Now Monitoring Your Web Application! Check out the security events (violations) we ve found on your web application. To discover more about an event, hover over it and choose View Event Details from the menu. 13

Get Started Review event details on the Event Details tab and take actions from the menu, i.e. mark the event as Flagged, False Positive, Not Applicable. 14

Configure Your WAF Appliance - Amazon EC2 Follow the steps below to deploy your WAF firewall cluster in Amazon EC2 and configure your DNS. You ll need to funnel traffic through the WAF cluster by changing your DNS. Once you complete these steps, we ll start monitoring your web application for security violations. Also your WAF cluster will start making outbound connections to the Qualys Cloud Platform for regular health checks - these confirm the cluster is properly configured and has the latest software. Launch a New EC2 Instance 1) Go to your Amazon EC2 Dashboard and launch an instance 15

Configure Your WAF Appliance - Amazon EC2 2) Choose the WAF AMI Click My AMIs (1) and then select the QualysGuard WAF AMI (2). Tip - Use the search box to find this quickly. Just enter WAF and click Enter. Don t see the WAF AMI? Please contact your Technical Account Manager or our Support Team for assistance. 3) Choose Instance Type You ll choose from a wide variety of instance types. Select an instance type and then click Next: Configure Instance Details. 16

Configure Your WAF Appliance - Amazon EC2 4) Configure Instance Open Advanced Details. In the User Data field, enter your WAF registration token and other properties as appropriate. RNS_TOKEN (Required) Enter the WAF registration token in this format: RNS_TOKEN=your_token. You can find this token by going to the WAF clusters list (Assets > WAF Clusters). RNS_URL This is the URL of the Qualys Cloud Platform hosting your Qualys account. Enter the URL in this format: RNS_URL=https://rns.qualys.com PROXY_URL If the WAF needs to connect to the Qualys Cloud Platform through an HTTP proxy, please input the URL of the proxy. Enter the proxy URL in this format: PROXY_URL=proxy_url WAF_SSL_PASSPHRASE If your web application s primary or secondary base URL uses the HTTPS protocol and your private key requires a passphrase, please input your passphrase. Enter the passphrase in this format: WAF_SSL_PASSPHRASE=passphrase 5) Additional steps (optional) You might want to add storage, tag the instance and configure security groups. 6) Click Review and Launch Be sure to wait until the WAF AMI status is green (this means it s running). Then you re ready to add the AMI instance to the EC2 load balancer (see the next section). 17

Configure Your WAF Appliance - Amazon EC2 Add Your WAF AMI to the Load Balancer 1) Create an HTTP Load Balancer Instance 2) Set up your Health Checks Choose the TCP Ping Protocol option. Later, when your web application is online, you can choose a URL for a comprehensive health check. 18

Configure Your WAF Appliance - Amazon EC2 3) Add Your WAF Instance in the Cluster Click the Select check box beside your WAF instance to add it to the load balancer. Your load balancer is now created and will soon be able to handle requests. 4) Redirect Your Traffic to the Load Balancer Hostname Test the availability of your web application through the load balancer. Once confirmed, you ll need to alias your DNS entries to the Amazon EC2 load balancer you just created. 19

Configure Your WAF Appliance - VMware Follow the steps below to deploy your WAF firewall cluster in VMware (vcenter) and configure your DNS. You ll need to funnel traffic through the WAF cluster by changing your DNS. Once you complete these steps, we ll start monitoring your web application for security violations. Also your WAF cluster will start making outbound connections to the Qualys Cloud Platform for regular health checks - these confirm the cluster is properly configured and has the latest software. Tell me the steps 1) Download the OVA image. You ll get the image when you add a new WAF appliance (go to Assets > WAF Clusters, click the New Appliance button). 2) Import the OVA into VMware (or VirtualBox). 3) Set up the virtual appliance using vsphere Client or the CLI (Command Line Interface). You ll want to login to the CLI to change your password even if you do not want to use the CLI for setup. See below for details. 4) Verify the registration of the appliance. 5) Test availability of your web application through Qualys WAF. Once confirmed, you ll need to alias DNS entries to direct traffic at your origin infrastructure. Using the CLI 1) Log in as waf-user via SSH or system console: The first login forces you to change your password. $ ssh waf-user@10.1.1.5 You are required to change your password immediately (root enforced) WARNING: Your password has expired. You must change your password now and login again! Changing password for user waf-user. New password: C-om34EhbTz.6aiMU4C Retype new password: C-om34EhbTz.6aiMU4C passwd: all authentication tokens updated successfully. Connection to 10.1.1.5 closed. 20

Configure Your WAF Appliance - VMware 2) Set properties: You must set the WAF cluster registration token (rns_token). Other properties are optional. See CLI Reference for details. $ ssh waf-user@10.1.1.5 qualys waf # help Commands (type help <command>): =============================== help ifconfig quit reboot routes save set show status unset viewlog qualys waf # help set Syntax: set KEY=VALUE Valid keys: rns_url proxy_url sem_syslog_addr rns_token waf_ssl_passphrase qualys waf # set rns_token=a30bc162-785a-4baf-a5d5-1a2de9c6da3a qualys waf # save Saved Successfully 3) Reboot may be required if you are changing the token (e.g. re-registration). qualys waf # reboot Are you sure you want to reboot? <y/n> y Rebooting Broadcast message from waf-user@dhcp-10-1-1-5 (/dev/pts/0) at 18:05... The system is going down for reboot NOW! Connection to 10.1.1.5 closed. 21

Configure Your WAF Appliance - VMware 4) Verify registration: You can do this using the CLI as shown below, or the WAF user interface (go to Assets > WAF Clusters). qualys waf # show Current settings: rns_token=a30bc162-785a-4baf-a5d5-1a2de9c6da3a qualys waf # status Connectivity to Qualys: OK Registration status: OK Sensor Id: B02b1088-77ed-4862-a067-dc41bbd97233 Registration token: A30BC162-785A-4BAF-A5D5-1A2DE9C6DA3A qualys waf # quit Connection to 10.1.1.5 closed. 22

Configure Your WAF Appliance - VMware CLI Reference Commands Command help ifconfig quit reboot routes save set variable={value} show [details] status unset variable viewlog [n] Description List all commands or give detailed help for a specific command. Show the current interface configuration. Exit the CLI. The user will be prompted If there are unsaved changes. Reboot the WAF cluster. Show network routing. Save the current configuration. Set a variable - see below for details. Show the current saved and unsaved settings. Show details will include settings from the virtualization platform (i.e. VMware user data). Display the registration status of the WAF cluster. Clear the value for a variable - see below for details. View the last N lines of the WAF cluster log. Variables Variable rns_url rns_token proxy_url sem_syslog_addr Description The URL of the Qualys Cloud Platform. By default this is set to https://rns.qualys.com:443 The registration token assigned to your WAF cluster. You can find this token by going to the WAF clusters list (Assets > WAF Clusters). If a proxy is required for the WAF cluster to access the Qualys Cloud Platform this must have the URL for the proxy. The Security Event Manager to send transaction logs via syslog to. The syslog messages will be formatted as described in RFC5424. The address should be in the form: PROTOCOL:HOSTNAME:PORT PROTOCOL should be either tcp or udp If PORT is omitted the standard syslog port 514 will be used. waf_ssl_passphrase For example: TCP:sysloghost.example.com:514 If SSL is enabled (primary and/or secondary URL) this is the passphrase for the key uploaded to Qualys WAF. 23

Configure Your WAF Appliance - VMware Using vcenter If you choose to configure the WAF appliance using vcenter vsphere Client we recommend this first step. Recommended: Log in to the CLI as waf-user and change your password. This lets you log in to the CLI at a later time. Using vsphere Client Choose Deploy OVF File. This starts the OVA Template wizard. OVF Template Details: Browse to the downloaded OVA and select it (or enter the URL where the OVA can be downloaded). Verify the virtual appliance details: 24

Configure Your WAF Appliance - VMware Name and Location: A default name for your WAF instance is provided by the WAF image file. You have the option to provide your own arbitrary name. Disk Format, Mapping: Select settings appropriate for your environment. Properties: Enter your WAF registration token and other properties. Application RNS_TOKEN RNS_URL PROXY_URL WAF_SSL_PASSPHRASE WAF_USER_DATA (Required) The WAF cluster registration token. You can find this token by going to the WAF clusters list (Assets > WAF Clusters). The URL of the Qualys Cloud Platform. Please enter https://rns.qualys.com If a proxy is required for the WAF cluster to access the Qualys Cloud Platform this must have the URL for the proxy. If SSL is enabled (primary and/or secondary URL) this is the passphrase for the key uploaded to the WAF application. This property is currently unused. Networking Leave these blank if you want a local DHCP server to assign an IP address, netmask, gateway and DNS servers to the WAF instance. Otherwise, supply appropriate values for your environment. 25

Configure Your WAF Appliance - VMware Ready to Complete: Verify your virtual appliance settings then click Finish. 26

Contact Support Qualys is committed to providing you with the most thorough support. Through online documentation, telephone help, and direct email support, Qualys ensures that your questions will be answered in the fastest time possible. We support you 7 days a week, 24 hours a day. Access online support information at www.qualys.com/support/. 27