SWAF User Manual
Contents
1. [Screenshot: User Log table with Login Date and Logout Date columns]
Copyright 2010 DTS JAPAN

Figure 38: User Log

The figure presents the user log information provided to the user. The user log contains:
User Id: the user id of the user who logged into the system.
Login Date: the login date along with the time.
Logout Date: the logout date and time.

2.1.7.2 Audit Log Screen

Figure 41 presents the maximized view of the audit log screen. To view the audit logs, the user needs to specify the period for which he/she intends to view the audit log entries saved on the server. On pressing the submit button, the audit log for the given period can be viewed by the user.

SWAF V 1.5 beta, Dated 2010-04

[Screenshot: SWAF administrative panel menu]
2. [Screenshot: Top Infected Traffic Originators chart]
Figure 10: Top Infected Traffic Originators

2.1.3.2.2 Top Infected Traffic Originators Ratio Screen
This figure shows the ratio of top infected traffic originators.

[Screenshot: Top Infected Traffic Originators Ratio chart by client IP]
Figure 11: Top Infected Traffic Originators Ratio

2.1.3.2.3 Current Infected Traffic Detail Screen
This screen shows the full details of the current infected traffic.

[Screenshot: Current Infected Traffic Detail table]
3. [Screenshot: Access Traffic Ratio chart by client IP]
Figure 16: Access Traffic Ratio

2.1.4.1.3 Access Traffic Detail
This figure shows the details of normal traffic which is being accessed by different IPs.
Originator IP Address: The IP address of the client machine.
Originator's Country Name: The country name of the client.
Host IP Address: The Application Server for which the requests are generated.
Resource Accessed: The resource for which the request is generated.
Access Time: The time at which the request arrived.
"Reserved" in Country name means that a public IP address is accessing the system.

[Screenshot: Access Traffic Detail screen with From Date, To Date and Last Hrs filters, Submit and Print buttons, and a table with Originator IP, Originator's Country, Host IP Address, Resource Accessed and Access Time columns]
4. [Screenshot: Traffic Comparison chart of Access Traffic and Infected Traffic by client IP]
Figure 3: Traffic Comparison

2.1.2.4 Application Monitor Screen
The figure shows the application monitor.
Application Name: IP address of the application.
Host IP address: IP address of the host.
Traffic Count: count of generated traffic from different IPs.
Infected Traffic Count: count of infected traffic generated from users.

2.1.2.5 Application Monitor Screen

[Screenshot: Application Monitor table with Application Name, Host IP Address and Infected Traffic Count columns]
Figure 4: Application Monitor

2.1.2.6 System Summary Menu
The system summary menu enables the administrator to monitor the system state and view system information.

2.1.2.6.1 System State Screen
This figure shows the current state of the system.

[Screenshot: System State screen]
5. [Screenshot: Proxy Configuration screen, ending with Update and Default Settings buttons]
Figure 25: Proxy Configurations

2.1.5.1.3 Email Configuration Screen
The email configuration screen provides the options to configure the e-mail server by specifying the SMTP server address, SMTP user email and password. A check box is available to specify whether the facility needs to be enabled or disabled. Following is the screenshot of the e-mail configuration screen. Following is the explanation of each option:
SMTP Server Address: It is the address of the mailing server to receive mails.
SMTP user email: To enter the username.
SMTP user password: To enter the password.
Confirm password: To confirm the password.
Send to: This is the address of the person or administrator who will receive the alerts when any kind of attack is detected by SWAF.

[Screenshot: Email Configuration screen with an Enable/Disable Sending Email check box, SMTP Server Address, SMTP User Email, SMTP User Password and Send To fields, and Add and Delete buttons]
Figure 26: Email Configuration

2.1.5.2 Attack Configuration Menu
6. 2.1.3.1.1 Top Traffic Originators Screen
This figure shows the traffic which originated from different IPs.

[Screenshot: Top Traffic Originators chart]
Figure 7: Top Traffic Originators

2.1.3.1.2 Top Traffic Originators Ratio Screen
This figure shows the ratio of top traffic originators.

[Screenshot: Top Traffic Originators Ratio chart by client IP]
Figure 8: Top Traffic Originators Ratio

2.1.3.1.3 Current Traffic Screen
This screen shows the current traffic.

[Screenshot: Current Traffic Detail table with Originator IP, Host IP Address, Resource Accessed and Access Time columns]
7. perations and User Manual
Document Version 1.0

Table of Contents
[entry illegible]
2 Operations and User Manual
2.1 SWAF Administrator [remainder illegible]
2.1.1 System Monitor Menu
[entry illegible]
2.1.3 Statistics Menu
[entry illegible]
2.1.5 User Management
[entry illegible]
3 Case [remainder illegible]
3.1 [title illegible]
3.2 Configuring a Web Application with [remainder illegible]
3.3 Example scenario
3.3.1 Creating a New User
3.3.2 [title illegible]
3.3.3 [title illegible]

List of Figures
[entry illegible]
Figure 2: CPU Load
Figure 3: Access Traffic Load
Figure 4: Infected Traffic Load
Figure 5: Traffic Comparison
Figure 6: Application Monitor
Figure 7: System State Screen
Figure 8: [title illegible]
[entry illegible]
Figure 10: Top Traffic Originators
[entry illegible]
8. Application Configuration
Access log pool size: It is the number of threads that SWAF uses to store the access traffic.
Access log batch size: It shows the capacity of each thread. When it is full, the data is transferred to the DB.
Infected log pool size: It is the number of threads that SWAF uses to store the infected traffic.
Infected log batch size: It shows the capacity of each thread. When it is full, the data is transferred to the DB.
Access log flush (Sec) Time: This timer is used to automatically save data into the DB from the access log batch.
Infected log flush (sec) Time: This timer is used to automatically save data into the DB from the infected log batch.
DB connection pool size: This shows the number of DB connections that SWAF uses to log the data (access or infected traffic).

[Screenshot: Proxy Configuration screen, showing the following values]
DB Configuration
Connection String: jdbc:mysql://10.3.18.254:3306/swafloggingdb
Driver: com.mysql.jdbc.Driver
Application Configuration
Access Log Pool Size: 250
Access Log Batch Size: 100
Infected Log Pool Size: 50
Infected Log Batch Size: 5
Access Log Flush Time: 10000
Infected Log Flush Time: 10000
DB Connection Pool Size: 200
9. The check boxes provide the options to state whether the state needs to be maintained and to specify the type of attack for which the state needs to be maintained. Additionally, in case of CSRF protection, the token that needs to be provided to authenticate a request, and its properties, can also be configured using this screen.

Manage State: It manages the user session state.
Protect CSRF: If this option is checked, SWAF will protect the web server from CSRF attack.
Protect hidden: If this option is checked, SWAF will protect the web server from hidden field attack.
Token Name: It is the name of the token through which the client is identified.
Expiration Time in minutes: How long the session is maintained; after this time the session ends automatically.
Cookies life in days: After how many days the cookies will be removed.

[Screenshot: Stateful Attacks Configuration screen with Manage State, Protect CSRF and Protect Hidden check boxes; token name shown as swaftokenid]
Figure 29: Stateful Attacks Configuration

2.1.5.3 Web Applicati
10. [Screenshot: role rights tree for the role "newrole" with System Monitor, Traffic Analyzer, Statistics, Configuration, User Management and Rights entries, and Update and Create New Role buttons]
Figure 36: Group Rights

2.1.7 Audit Log Menu
The audit log menu provides information related to the log present in the database. Figure 7 shows the screenshot of the audit log menu. The audit log menu comprises two further screens, the User log and the Audit log, as shown in Figure 39.

[Screenshot: Audit Log menu]
Figure 37: Audit Log

2.1.7.1 User Log Screen
Figure 40 provides the maximized view of the User log screen. To view the user logs, the user needs to specify the period for which he/she intends to view the log entries saved on the server. On pressing the submit button, the user log for the given period can be viewed by the user.

[Screenshot: User Log screen with From Date, To Date and Last Hrs filters, a Submit button and a User Id column]
11. [Screenshot: Access Log Search result rows]
Figure 13: Access Log Search

2.1.3.3.2 Infected Log Search Screen
This screen shows the infected log search, which provides search on the following:
Protocol: HTTP
Method: Get, Post
Originator IP: the IP address of the client
Host IP: address which is the Application Server
Resource Accessed: tells how many hits
Attack Type: shows the type of attack, i.e. XSS, DOS
From Date: shows the infected log from this date
To Date: shows the infected log till this date

[Screenshot: Infected Log Search screen with Method, Host IP, Attack Type and To Date filters and a result table with Method, Originator IP, Host IP Address, Resource Accessed, Access Time and Attack Type columns]
12. [Screenshot: Infected Traffic chart by client IP]
Figure 18: Infected Traffic

2.1.4.2.2 Infected Traffic Ratio Screen
It is another representation of the above figure.

[Screenshot: Infected Traffic Ratio chart by client IP, with From Date, To Date and Last Hrs filters]
Figure 19: Infected Traffic Ratio

2.1.4.2.3 Infected Traffic Details Screen
Figure 22 shows the details of normal traffic.
Originator IP Address: The IP address of the client machine.
Originator's Country Name: The country name of the client.
Host IP Address: The Application Server for which the requests are generated.
Resource Accessed: The resource for which the request is generated.
Access Time: The time at which the request arrived.
"Reserved" in Country name means that a public IP address is accessing the system.

[Screenshot: SWAF administrative panel]
13. [Screenshot: Access Traffic Details table rows]
Figure 17: Access Traffic Details

2.1.4.2 Infected Traffic Menu
The infected traffic menu enables the administrator to view statistics related to the infected log.

2.1.4.2.1 Infected traffic
The figure shows the infected traffic generated by different IP addresses between the start and end dates specified by the user.

[Screenshot: Infected Traffic chart by client IP, with From Date, To Date and Last Hrs filters and a Print button]
14. [Screenshot: Current Traffic table rows]
Figure 9: Current Traffic

2.1.3.2 Infected Traffic Menu
The infected traffic menu gives the administrator the option to view statistics related to the infected log. This information includes details of the top infected traffic originators and their ratio, and the current infected traffic details.

2.1.3.2.1 Top Infected Traffic Originators Screen
This figure shows the infected traffic which originated from different IPs.

[Screenshot: SWAF administrative panel]
15. Utilization

2.1.5 Configurations
Figure 25 shows the configuration menu, which can be used by the administrator to set the configuration of SWAF. This menu can be used to set firewall, attack, web application, backup and rules configuration.

[Screenshot: Log Configuration screen with check boxes for Access Log Configuration, Infected Log Configuration, Infected Header Log Configuration and Infected Content Log Configuration, Log Flush Configuration fields for Access Log Flush Time (in days) and Infected Log Flush Time (in days), and Update and Default Settings buttons]
Figure 23: Configuration

2.1.5.1 Firewall Configuration Menu
The log configuration, proxy configuration and email configuration menus come under the firewall configuration menu. Following is the description of each sub menu.

2.1.5.1.1 Log Configuration Screen
Figure 26 shows the different log configurations tab. The first four choices show the details of how SWAF will store the log.

Log Configuration
Access log Configuration: It is used to log the normal traffic.
Infected log Configuration: It is used to log the malicious tra
16. the application.

9. IP filtering
SWAF has IP filtering capability.

10. Rate Control
SWAF optimizes the rate of access to Web applications from different networks to mitigate DoS attack.

11. Easy Management
Provides ease of management by producing integrated reports.

12. Availability
The system is built to be highly available. SWAF is designed to be available 24 hours throughout the week.

13. No Change in Target Application
SWAF works as a security envelope for the web application and does not require any modifications to the target application.

2 Operations and User Manual
The Operations and User Manual is designed to facilitate the user in understanding SWAF as a system. The document is divided into two sections: the SWAF Administrator Panel and the case study. The first section gives a thorough guideline to understand the purpose of the menu and screens and all the fields that reside inside a screen. The second section presents the SWAF usage scenario, providing a stepwise description of how to manage users and configure web applications in SWAF.

Login Screen
To run SWAF, first click the Register button and browse to the license key. Then one is able to log in.

[Screenshot: SWAF login screen]
Figure 1 login sc
17. 7 User Management
Figure 38: Group Rights
[entry illegible]
Figure 42: Web Application Configuration
Figure 43: Add Web Application
Figure 44: Successful creation of Web Application
Figure 45: User Management
Figure 46: Create User
Figure 47: New User Creation
Figure 48: Successful Creation of User
Figure 49: Role Rights
Figure 50: Creating New Role
Figure 51: Create Role

1 SWAF
SWAF is a Web Application Firewall which is capable of protecting web applications against all types of application layer attacks, known or unknown. It is built using a hybrid security model that permits only valid application behavior to be executed, without relying on attack signatures. It analyzes bidirectional traffic, including SSL encrypted communication, and uses semantics-based techniques to verify and validate the traffic, which enables SWAF to provide protection against OWASP Top Ten attacks and many more application level vulnerabilities without making any changes to the target application.

1.1 SWAF Features
SWAF provides real time web application security. SWAF is capable of protecting against Zero day attacks
18. Figure 12: Top Infected Traffic Originators
Figure 13: Top Infected Traffic Originators Ratio
Figure 14: Current Infected Traffic Detail
Figure 15: Access Log Search
Figure 16: Current Infected Traffic Details
Figure 17: Access Traffic
Figure 18: Access Traffic Ratio
Figure 19: Access Traffic Details
[three entries illegible]
Figure 23: Attacks Ratio
Figure 24: CPU [remainder illegible]
Figure 25: Configuration
Figure 26: Log Configurations
Figure 27: Proxy Configurations
Figure 28: Email Configuration
Figure 29: Protocol Validation Configurations
Figure 30: DoS Configurations
Figure 31: Stateful Attacks Configuration
Figure 32: Web Application Configurations
Figure 33: DB Backup
Figure 34: Configuration Backup
Figure 35: Update Rules Files
Figure 36: User Management
Figure 3
19. Figure 46: Successful Creation of User

3.3.2 Assigning role to a User
To assign a role to a user, select the user from the list and check mark the role from the list of User Roles given below. Press update to confirm the request.

[Screenshot: User Management screen with a Role Rights tree (System Monitor, Traffic Analyzer, Statistics, Configuration, Rights) and Create New User, Update and Create New Role buttons]
Figure 47: Role Rights

3.3.3 Creating a User Role
1. Press the Create New Role button on the Role Rights Screen.

[Screenshot: Role Rights screen]
Figure 48: Creating New Role

2. A screen to specify the Role name and Role Description appears on the screen. Specify the required information and press the Create b
20. [Screenshot: Current Infected Traffic Detail table rows, attack type Hidden Field Tampering]
Figure 12: Current Infected Traffic Detail

2.1.3.3 Search Menu
This menu gives the option to search for desired information related to the access and infected logs.

2.1.3.3.1 Access Log Search
This screen shows the access log, which provides search on the following:
Protocol: HTTP
Method: Get, Post
Originator IP: the IP address of the client
Host IP: address which is the Application Server
Resource Accessed: tells how many hits
Access Time: time allotted for resource accessed

[Screenshot: Access Log Search screen with Protocol, Method, Originator IP, Host IP, From Date, To Date and Application Name filters and a result table with Originator IP, Host IP Address, Resource Accessed and Access Time columns]
21. The attack configuration menu includes screens to configure protocol validation, DOS attack and stateful attack configurations.

2.1.5.2.1 Protocol Validation Configuration Screen
Figure 29 shows the protocol validation configurations.

Protocol Validation Configuration

Validation Configuration
Protocol Validation: Types of protocols that SWAF supports, e.g. HTTP, HTTPS etc.
Length Checking: Whether to check the length of the header or not.
Expect header: It is an HTTP 1.1 request header. Using this header an attacker can exploit web server vulnerabilities, so the administrator can uncheck it to protect the web server if it has such vulnerabilities.
Request Validation: Whether the request complies with the RFC 2616 standard or not.
Response Validation: Whether the response complies with the RFC 2616 standard or not.

Parameter Configuration
Max Arguments: The arguments cannot exceed the value inputted by the administrator.
Max Headers: The headers cannot exceed the value inputted by the administrator.
Post parameter length: It is the length of the post parameter.
Query parameter length: It is the length of the query parameter.
Max header name: The header name cannot exceed the inputted value.
Max header value: The header value cannot exceed the inputted value.
Max URI length: The maximum length of the URI (Universal Resource Identifier).
Max request body: The maximum HTTP body length.

HTTP Conf
22. WAF is built using a hybrid security model which provides an optimized solution where both positive and negative security models complement each other to provide a comprehensive level of security.

7. PCI compliance
SWAF is built to be PCI DSS (Payment Card Industry Data Security Standard) compliant.

8. Better Performance
SWAF is designed to deliver performance as it provides deep packet inspection and content filtering on the basis of semantic information related to protocol, application and attacks, resulting in an effective, efficient and reliable security system. The following features are built to enhance the performance of the system:

- SSL Offloading: SSL offloading relieves the Web server of the processing burden of encrypting and/or decrypting traffic sent via SSL.
- Load balancing: Load balancing distributes traffic efficiently among network servers so that no individual server gets overburdened.
- HTTP traffic compression/Caching: Caching helps improve the following two factors to enhance the speed of Web applications:
  - Reducing the number of request/response roundtrips
  - Reducing the number of bytes transferred between the server and the client
  Similarly, HTTP Compression can dramatically decrease the number of bytes that are transmitted between the server and the client. SWAF supports HTTP caching and compression to improve on the performance of
23. ailed description of configuring a Web Application with SWAF. In the second scenario, the user and group creation and then the process of assigning a user to a group/groups is described.

3.1 Example scenario 1
This example scenario gives a stepwise description of configuring a web application to be protected using SWAF.

3.2 Configuring a Web Application with SWAF
To configure a web application with SWAF, press the Create button on the Web Application Configuration screen of the Configuration tab.

[Screenshot: Web Application Configuration screen]
Figure 40: Web Application Configuration

A new window to specify the Web Application details appears on the screen. After specifying the required information, click on the Create button to confirm the request. Following is the screenshot of the explained screen.

[Screenshot: Add Web Application window with Application Name, Host Ip, Host Port and HTTPS Enabled fields]
Figure 41: Add Web Application

A message box specifying the successful configuration of the Web Application is displayed on the screen.

[Screenshot: message box "Web Application Entry Created Successfully"]
Figure 42: Successful creation of Web Application

3.3 Example scenario 2
The following example scenario presents a stepwise description
24. alidation Configurations

2.1.5.2.2 DOS Attack Configuration Screen
Figure 30 shows the details of the DOS (Denial of Service) attack.

Dos Configuration
Enable/Disable Dos: Enable will stop the Dos attack and disable will not stop the Dos attack.
Concurrent requests/second: The overall requests sent by the user to the Web Server. If it exceeds the given value, it will be denied.
Concurrent requests/user/second: The maximum requests sent by the user to a single page; if it exceeds it, it will be denied.
Blocking time in seconds: The time for which the user is blocked from sending more requests.

Exceptions
Allowed IP (Allowed traffic): Allow the traffic against the given IP.
Allowed resource (Allowed resource traffic): Allow the traffic against the allowed resource.

[Screenshot: DOS Attack Configuration screen with DOS Configuration and Exceptions (Allowed IP, Allowed Traffic) sections and Add and Delete buttons]
Figure 28: DoS Configurations

2.1.5.2.3 Stateful Attacks Configuration
The stateful attack configuration screen provides a configuration facility for attacks such as CSRF and hidden field exploits, which require the state of the application to be maintained on SWAF.
25. Figure 39: Audit Log (screenshot of the audit log for 2010-04-24 to 2010-04-28, with columns User Id, Form Name and Modified Date)
The figure presents the audit log information provided to the user. The audit log screen contains the User Id, specifying the user id of the user who logged into the system; the Form Name, specifying the screen where changes have been made; and the Modified Date, giving the date and time on which the change was made.
3 Case Study
This section presents the usage scenarios of SWAF; the intention is to help the user perform the desired operations with ease. The first usage scenario gives a det
26. ce Accessed, Access Time, Attack Type [column headers of an infected-traffic table from a screenshot; the rows, dated 2010-04-28 to 2010-04-29, show requests to host 10.3.18.150 flagged as Buffer Overflow Attack, SQLi (SQL Injection) and Hidden Field Tampering]
27. [Screenshot table residue: POST requests from 10.3.18.244 to host 10.3.18.150 on 2010-04-29]
Figure 14: Current Infected Traffic Details
2.1.4 Statistics Menu
The Statistics menu lets the administrator analyze the statistical information related to access and infected traffic.
2.1.4.1 Access Traffic Menu
The Access Traffic menu enables the administrator to view statistics related to access traffic.
2.1.4.1.1 Access Traffic
The screenshot below shows the bar chart for the access traffic generated by the clients. The administrator can select the dates for which he wants to view the statistics. The screen also provides the facility of specifying the duration for which the statistics need to be displayed in the chart. After specifying the required information, the administrato
28. Figure 20: Infected Traffic Detail
2.1.4.3 Attacks Ratio Screen
Figure 23 shows the different attacks generated between the start and end dates given by the user, and the ratio of these attacks.
Figure 21: Attacks Ratio (chart legend: Buffer Overflow Attack, CSRF, Cross Site Script, Hidden Field Tampering)
2.1.4.4 CPU Statistics Screen
Figure 24 shows the statistics of the CPU between two dates.
Figure 22 CPU
29. es
Figure 4: Access Traffic Load (chart x-axis: Time, last 150 sec)
2.1.2.2.2 Infected Traffic Load Screen
This figure shows the system load of infected traffic.
Figure 2: Infected Traffic Load (chart x-axis: Time, last 150 sec)
2.1.2.3 Traffic Comparison
Figure 5 shows the comparison between access and infected traffic.
30. f a business process or system function.
CPU Utilization: Whenever a hard disk is transferring data over the interface to the rest of the system, it uses some of the system's resources. One of the more critical of these resources is how much CPU time is required for the transfer. This is called the CPU utilization of the transfer.
31. ffic
Infected Header Log Configuration: This option is used to log the header of malicious requests.
Infected Content Log Configuration: Each HTTP request has a body. This option is used to log the body of the infected traffic.
Log Flush Configuration:
Access Log Flush Time: After the specified number of days, the access traffic log is removed automatically.
Infected Log Flush Time: After the specified number of days, the infected traffic log is removed automatically.
Figure 24: Log Configurations
2.1.5.1.2 Proxy Configuration Screen
Figure 27 shows the proxy setting to the administrator.
Database Configurations the administrator to set the database path, its driver, username and password
32. Figure 5: System State Screen (screenshot fields: CPU, Load, Memory Physical, Memory Swap, Sockets, File, Processes)
2.1.2.6.2 System Info Screen
This figure shows the information about the system.
Figure 6: System Info (screenshot fields: CPU, Memory, Up Time, Local Time)
2.1.3 Traffic Analyzer
The Traffic Analyzer menu gives the administrator the option to view access and infected traffic and to search for the desired information.
2.1.3.1 Access Traffic Menu
The Access Traffic menu gives the administrator the option to view statistics related to the access log. This information includes details of the top traffic originators and their ratio, and the current traffic passing through SWAF
33. iguration
HTTP versions: If all checkboxes are checked, it receives requests of only these three versions; if any checkbox is unchecked, it will not receive the requests of that particular version.
HTTP methods: It will receive only requests that use the checked methods.
Exceptions:
Disallowed file types: Disallows those files which are added by the administrator.
Allowed redirection website: Allows request redirection to the given website.
[Screenshot: Protocol Validation Configuration screen, with validation checkboxes (Protocol Validation, Length Checking, Expect Header, Request Validation, Response), parameter fields (Max Arguments, Max Headers, Post Parameter Length, Query Parameter Length, Max Header Name, Max Header Value, Max URI Length, Max Request Body), HTTP method checkboxes, and the Disallowed File Type and Allowed Redirection Website exception lists with Add and Delete buttons]
Figure 27 Protocol V
34. [Screenshot residue: Infected Traffic Detail table for 2010-04-23 to 2010-04-29, with columns including Originator IP, Originator's Country, Host IP Address and Attack Type; the rows show requests to host 10.3.18.150 flagged as SQLi, Hidden Field Tampering and CSRF]
35. of creating a user and providing him rights by assigning him to a group or groups.
3.3.1 Creating a new user
1. To create a new user, the user needs to enable the User Management tab and click on the Create New User button.
Figure 43: User Management
2. A screen to create a new user appears.
Figure 44: Create User
The administrator needs to specify the username and password for the new user and press the Create button.
Figure 45: New User Creation
A message confirming successful creation of the user is displayed on the screen: "User Created Successfully".
36. on Configuration Screen
Figure 32 shows the number of application servers running behind SWAF, their IP addresses, the port on which they are listening, and whether the application uses HTTPS.
Figure 30: Web Application Configurations
2.1.5.4 Backup
The Backup menu has two further tabs: the configuration backup tab and the DB backup tab. The detail for each is provided below.
2.1.5.4.1 DB Backup
The DB backup configuration screen provides the option to configure and restore a database backup. To create a DB backup, the administrator needs to press the Backup Now button; to restore a backup, the administrator needs to select the specific backup from the Backup list and press the Restore button.
Backup Now: When it is clicked, a backup of the database is created. 26 05 2010 05 16 27 (dd mm yy Hr min sec): this is the format for the database backup.
Restore: When the user wants to restore
37. r submits the request to the system, which then displays the chart on the basis of the given information. The printing option is also available on the screen: the administrator can press the Print button to print the chart displayed on the screen.
Figure 15: Access Traffic (bar chart of access traffic per client)
2.1.4.1.2 Access Traffic Ratio
This figure shows another representation of the figure above. This screen shows a pie chart to identify the ratio of access traffic generated by different clients.
38. reen
2.1.1 SWAF Administrator Panel
The administrator panel of SWAF enables the administrator to perform system monitoring and traffic analysis, view statistics, set configurations, perform user management and view audit logs. The administrator can perform these tasks by selecting the desired item from the menu displayed at the left side of the screen. Figure 1 presents the screenshot of the administrative panel.
Figure 2: Administrative Panel
The following section presents the details of the menu items and the screens associated with them.
2.1.2 System Monitor Menu
2.1.2.1 CPU load
Figure 2 shows the CPU utilization of the SWAF machine; this graph is updated every 5 seconds.
Figure 3: CPU Load
2.1.2.2 System Load
This menu lets the user view the system load in terms of access and infected traffic.
2.1.2.2.1 Access Traffic Load Screen
Figure 3 shows the system load of access traffic and the number of hits generated by different IP address
39. the backup he will click this button.
Figure 31: DB Backup
2.1.5.4.2 Configuration Backup
The screen can be used to configure backup. It gives the option of providing the backup type using the drop-down list and of restoring the backup at a later stage.
Figure 32: Configuration Backup
2.1.5.5 Update Rules
The Update Rules screen provides the option to update rule files. The administrator is required to specify his username and password to perform the update operation. The purpose of this screen is to update the knowledge base that contains the attack detection rules. The knowledge base must be updated, if an update exists, in order to have the latest attack definition list; the update is provided by the SWAF update server.
40. utton to confirm the request.
Figure 49: Create Role
A message confirming the successful creation of the group appears on the screen.
3. To assign rights to the role, select the role from the drop-down menu on the Role Rights screen. Check the rights that you want to assign to the group and press the Update button to confirm the request.
Figure 50: Assigning role to user
Glossary
Access Log: An access log is a list of all the requests for individual files that people have requested from a Web site. These files will include the HTML files and their embedded graphic images and any other associated files that get transmitted.
Audit Log: An audit log is a chronological sequence of audit records, each of which contains evidence directly pertaining to and resulting from the execution o
41. which is still an unattainable goal for existing WAF solutions. In addition to this, SWAF possesses the following distinguishing features:
1. Semantics-based Analysis and Rule Generation: SWAF uses semantic-based techniques to understand the context of user input, which helps detect abnormal behavior and facilitates a sturdy defense mechanism against OWASP top ten attacks and other complex attacks. Automatic rule generation improves the attack detection mechanism. Analysis is carried out using the reasoning ability provided by semantics.
2. Automated Application Profiling: SWAF supports automated application profiling. The profile is semantically saved, and the positive security model is developed by utilizing the reasoning ability provided by ontologies.
3. Inbound and Outbound Traffic Analysis and Filtering: It analyzes all the bi-directional traffic and scrutinizes it for abnormal behavior.
4. SSL Attacks Detection: SWAF also has the capability to protect SSL-encrypted traffic. It intercepts the bi-directional SSL traffic stream and decrypts traffic to scrutinize it for malicious behavior.
5. HTTP Protocol Validation: SWAF not only provides content filtering but also performs HTTP protocol enforcement. If the packet presents an HTTP protocol violation, it is considered invalid and hence discarded.
6. Comprehensive Security using Hybrid Security Model: S
42. Figure 33: Update Rules Files (screenshot fields: User name, Password)
2.1.6 User Management
Figure 36 shows the User Management menu, which includes 2 sub-menus: User Management and Role Rights.
Figure 34: User Management
2.1.6.1 User Management
Figure 37 shows the user management screen. Update is used to change the rights of a user. New users can be created using this screen.
Figure 35: User Management
2.1.6.2 Role Rights Screen
Figure 38 shows the role rights which can be assigned to specific The rights are specified and can be checked to select the rights for a given role.