Web Application Firewall
The Web Application Firewall (WAF) is the tool used to detect and block malicious HTTP traffic going across the HTTP(S) farms. WAF works by searching and analyzing patterns to apply advanced security policies. Those rules are grouped in set rules and they have to be applied to HTTP farms. The WAF rules will be checked after decrypting SSL packets, then, it will be possible to apply patterns again to the HTTP body in an SSL traffic.
SKUDONET IPDS packages use the OWASP ModSecurity rules, but you can create your ruleset to protect your system against any kind of attack. If you want to read more about OWASP rules, please refer to OWASP Modsecurity Project.
Those rules are ordered by preferences. If you decide to use them, please consider them and apply them as follows:
REQUEST-90-CONFIGURATION REQUEST-901-INITIALIZATION Apply any other OWASP ruleset based on what you want to protect REQUEST-949-BLOCKING-EVALUATION RESPONSE-959-BLOCKING-EVALUATION RESPONSE-980-CORRELATION *for logging purposes, enable this only for troubleshooting.
By default, this OWASP ruleset uses a scoring system called paranoia levels, and the default is 1. If you want to read more about those levels, please refer to the following faqs OWASP Modsecurity ruleset FAQ.
In case you want to increase the paranoia level, please do the following:
Go to ruleset REQUEST-901-INITIALIZATION Rules Tab, then Edit in raw mode the rule number 901120, and change:
by the desired paranoia level.
The WAF rulesets view shows an overview of the available rulesets:
Name. A descriptive name to identify a ruleset. Click on it to enter the editing form.
Farms. The Farms to which the rule is applied. You may expand the farm list using an upward arrow placed adjacent to the FARM’s column header on its right. By default is limited to 20 characters.
STATUS. Ruleset status is represented by the following status colour codes:
- Green. Means ENABLED. The ruleset is being checked for the farms that are using it.
- Red. Means DISABLED. The ruleset is not enabled, thus it is not having any effect on the farm.
Actions. Allowed actions for the status of the WAF rules:
- Edit. Modify the ruleset settings or assign a farm service if needed.
- Restart. Reinitialize a WAF rule.
- Start. Apply the WAF ruleset.
- Delete. Remove a ruleset.