Web Application Firewall
The Netbull Web Application Firewall works as a reverse proxy and is designed to detect and handle attacks, including zero-day attacks, in web environments. The system has the following features:
HTTP traffic logging
Web servers typically log traffic in a format useful for business analysis, but fall short when it comes to logging traffic to web applications. Most of them cannot log request bodies. That is why most attacks are now carried out via POST requests, leaving the system blind to them. The WAF makes full logging of HTTP transactions possible: all requests and responses can be logged, and detailed decisions can be made about what is logged and when, so that only relevant data is recorded. Because some requests and/or responses may contain sensitive data in certain fields, the WAF can be configured to mask these fields before they are written to the log file.
Real-time monitoring and attack detection
Besides logging, the system can simultaneously monitor HTTP traffic in real time to detect attacks. In this role it operates as an intrusion detection tool, which allows us to respond appropriately to suspicious events that take place in our system.
Some of the attacks it successfully detects and prevents are:
- SQL injection
- Directory traversal
- Cross-site scripting attacks
- Malicious Robots
- Web Worms
- Parameter Tampering
- Malicious Encoding
- Vulnerability Scanning
- Command Injection
- Illegal Encoding
- Form Field Tampering
It should be noted that attacks are detected even in encrypted or compressed content, whereas many Web Application Firewall systems have difficulty analyzing SSL traffic. This is not a problem here, because the system first decrypts and decompresses the traffic and then checks it for attacks.
It can also act immediately to prevent attacks from reaching web applications. The system uses three approaches:
- Negative security model. A negative security model monitors requests for anomalies, unusual behavior and common attacks on web applications. It keeps an anomaly score for each request, IP address, application session and user account. Requests with high anomaly scores are either logged or rejected.
- Positive security model. In a positive security model, only valid requests are accepted and all the rest are discarded. This model requires knowledge of the protected web applications. A positive security model therefore works best with applications that are heavily used but rarely updated, so that maintenance of the model is kept to a minimum.
- Known weaknesses and vulnerabilities. The rules language makes the system an ideal external patching tool. External patching, often referred to as virtual patching, is about reducing the window of opportunity. Updating applications and eliminating their vulnerabilities often takes weeks. With the system, applications can be patched externally, without touching the source code of the application (even without any access to it), keeping the environment secure until the application itself is updated.
Flexible rules engine
At the heart of the system is a flexible rules engine. It implements the rules language, a specialized, easy-to-use and flexible programming language designed to work with HTTP transaction data: common actions are simple, while complicated operations are possible. The included rule set contains a complete set of rules that implement general security hardening, protocol validation and detection of common web application security issues.
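The negative security model described above, as an added sketch that is not Netbull's code or its rules language: each request (URL and POST body, after URL-decoding) is scored against a few rules, the score is also accumulated per client IP, and thresholds decide between pass, log and reject. The rule patterns, thresholds, function names and sample traffic are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote_plus

# Hypothetical rules (name, pattern, score); coarse on purpose, not the product's rule set.
RULES = [
    ("sqli", re.compile(r"(?i)\bunion\b.+\bselect\b|'\s*or\s+'?\d"), 5),
    ("traversal", re.compile(r"\.\.[/\\]"), 5),
    ("xss", re.compile(r"(?i)<script\b"), 5),
]
LOG_AT, REJECT_AT, IP_REJECT_AT = 5, 10, 15  # assumed thresholds

def score_request(url, body=""):
    """Score one request; the POST body is inspected as well as the URL."""
    values = [unquote_plus(url)] + [v for _, v in parse_qsl(body, keep_blank_values=True)]
    hits = [name for name, pat, _ in RULES if any(pat.search(v) for v in values)]
    return sum(pts for name, _, pts in RULES if name in hits), hits

def decide(ip_scores, ip, url, body=""):
    """Negative model: pass by default; log or reject as anomaly scores rise."""
    score, hits = score_request(url, body)
    ip_scores[ip] += score  # the score is also accumulated per client IP
    if score >= REJECT_AT or ip_scores[ip] >= IP_REJECT_AT:
        return "reject", hits
    return ("log" if score >= LOG_AT else "pass"), hits

# Constructed sample traffic: (client IP, URL, POST body)
SAMPLES = [
    ("203.0.113.7", "/search?q=shoes", ""),
    ("203.0.113.7", "/view?file=..%2F..%2Fapp.conf", ""),
    ("203.0.113.7", "/login", "user=admin&pass=x%27+or+%271%27%3D%271"),
    ("203.0.113.7", "/comment", "text=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
    ("198.51.100.9", "/comment", "text=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
    ("198.51.100.9", "/comment", "text=%3Cscript%3E&file=..%2Fx"),
]

def run_samples():
    """Replay the sample traffic in order against a fresh per-IP score table."""
    ip_scores = defaultdict(int)
    return [decide(ip_scores, ip, url, body)[0] for ip, url, body in SAMPLES]

if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, run_samples()):
        print(verdict, sample)
```

The fourth request is rejected only because its client IP has already accumulated score from two earlier logged requests; the same request from a fresh IP is merely logged.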
Another important feature of the system is that it can protect a whole range of different web servers, such as Apache, IIS, etc.