firewall advanced protections (security checks) are a set of filters designed to catch
complex or unknown attacks on your protected web sites and web services. The
security checks use heuristics, positive security, and other techniques to
detect attacks that may not be detected by signatures alone. You configure the
security checks by creating and configuring an application firewall
which is a collection of user-defined settings that tell the application
firewall which security checks to use and how to handle a request or response
that fails a security check. A profile is associated with a
object and with a
to create a security configuration.
firewall provides twenty security checks, which differ widely in the types of
attacks that they target and how complex they are to configure. The security
checks are organized into the following categories:
- Common security checks.
Checks that apply to any aspect of web security that either does not involve
content or is equally applicable to all types of content.
- HTML security checks.
Checks that examine HTML requests and responses. These checks apply to
HTML-based web sites and to the HTML portions of Web 2.0 sites, which contain
mixed HTML and XML content.
- XML security checks.
Checks that examine XML requests and responses. These checks apply to XML-based
web services and to the XML portions of Web 2.0 sites.
The security checks
protect against a wide range of types of attack, including attacks on operation
system and web server software vulnerabilities, SQL database vulnerabilities,
errors in the design and coding of web sites and web services, and failures to
secure sites that host or can access sensitive information.
All security checks
have a set of configuration options, the check actions, which control how the
application firewall handles a connection that matches a check. Three check
actions are available for all security checks. They are:
- Block. Block
connections that match the signature. Disabled by default.
- Log. Log connections
that match the signature, for later analysis. Enabled by default.
- Stats. Maintain
statistics, for each signature, that show how many connections it matched and
provide certain other information about the types of connections that were
blocked. Disabled by default.
A fourth check
available for more than half of the check actions. It observes traffic to a
protected Web site or web service and uses connections that repeatedly violate
the security check to generate recommended exceptions (relaxations) to the
check, or new rules for the check. In addition to the check actions, certain
security checks have parameters that control the rules that the check uses to
determine which connections violate that check, or that configure the
application firewall's response to connections that violate the check. These
parameters are different for each check, and they are described in the
documentation for each check.
security checks, you can use the application firewall wizard, as described in
"The Application Firewall
Wizard," or you can configure the security checks manually, as described
in "Manual Configuration By
Using the Configuration Utility." Some tasks, such as manually entering
relaxations or rules or reviewing learned data, can be done only by using the
configuration utility, not the command line. Using the wizard is usually best
configuration method, but in some cases manual configuration might be easier if
you are thoroughly familiar with it and simply want to adjust the configuration
for a single security check.
Regardless of which
method you use to configure the security checks, each security check requires
that certain tasks be performed. Many checks require that you specify
exceptions (relaxations) to prevent blocking of legitimate traffic
before you enable blocking for that security check. You can do this manually,
by observing the log entries after a certain amount of traffic has been
filtered and then creating the necessary exceptions. However, it is usually
much easier to enable the learning feature and let it observe the traffic and
recommend the necessary exceptions.
Application Firewall uses packet engines (PE) during processing the transactions. Each packet engine has a limit of 100K sessions which is sufficient for most deployment scenarios. However, when Application Firewall is processing heavy traffic and the session timeout is configured at a higher value, the sessions might get accumulated. If the number of alive Application Firewall sessions exceed the 100K per PE limit, the Application Firewall security check violations might not be sent to the Security Insight appliance. Lowering the session timeout to a smaller value, or using sessionless mode for the security checks with sessionless URL closure or sessionless field consistency might help in preventing the sessions getting accumulated. If this is not a viable option in scenarios where transactions might require longer sessions, upgrading to a higher-end platform with more packet engine is recommended.
Support for cached AppFirewall is added, and the max session setting through the CLI per core is set to 50K sessions.