Configure Alert Logic Managed Web Application Firewall (WAF)

When you access the Alert Logic Managed Web Application Firewall (WAF) interface the first time, you must add your websites and test the website proxy. After you configure and test your websites, the test attack should register in the deny log.

Add a website

Open the Add Website page

  1. In the Alert Logic Console, click Configuration, and then click the Inline web application firewall (WAF).
  2. In the left navigation pane, click Appliances.
  3. In the item row of your appliance, click Manage Appliance.
  4. On the Manage Appliance page, in the left navigation pane, under Services, click Websites.
  5. On the Websites page, click Add Website.

Modify the virtual web server

Test your website proxy

Once you have added a website, you can test whether Inline WAF can connect to the backend web server. You can also test Inline WAF in Detect mode and Protect mode.

The following walkthrough assumes you have configured your website to be used as the default virtual host for the listen IP. You should also make sure that your website proxy is in Detect mode. You can change these settings after testing.

To set your website proxy in Detect mode, on the Websites page, for the website you want to test, in the Mode column, select Detect

Test Connectivity

In your web browser's address bar, type your public IP. The browser should open the default website for your backend web server.

This test will not affect production traffic.

Test Detect mode

In your browser's address bar, type your public IP followed by "/?x=a%00" and press Enter (e.g. 204.110.218.96/?x=a%00). The browser should open the default website for your backend web server, however, this attack should be registered on the Deny log as a DOS attempt.

To view your Deny log:

On the Websites page, click in the main menu, point to Log, and click Deny Log.

Attacks on your website proxy are registered here.

To view details of any Deny log entry, click the Details icon ().

Test Protect mode

Once you have tested the connectivity and Detect mode for your website, the next step is to test the Protect mode.

To test Protect mode:

  1. On the Websites page, for the website you want to test, in the Mode column, select Protect
  2. In your browser's address bar, type your public (Elastic) IP followed by "/?x=a%00" and press Enter (e.g. 204.110.218.96/?x=a%00). The browser should show a 404 error message. This attack should also be registered on the Deny log as a DOS attempt.

About Learning

When a website is first created, the default security policy is signature based. As the Learner maps the website, the policy shifts toward a positive security model for specific applications. The Learner analyzes incoming static requests, web applications, and input parameters to build a complete profile of the website.

To avoid learning from worms, attacks, and other unauthorized access, the Learner employs a combination of heuristic attack classification, statistics, and server responses.

When learning is enabled for the website, the Learner works in asynchronous mode to process a queue of traffic samples between 10,000 and 200,000 requests each. For each sample processed, the Learner builds a trial policy, compares it to the former trial policy, and records the number of changes. Once the continuous processed samples result in no change between trials, the learned policy is stable enough to commit to the WAF.

It is possible to have Managed WAF run in Protect mode while learning. This starts signature-based protection against known attacks. While this provides immediate protection, friendly traffic may be blocked if you start Managed WAF in Protect mode without a learning period.

About the Websites page

The Websites page contains your Websites list. On this list, you will find all websites configured on your Managed WAF appliance.

To open the Websites page:

In the Managed WAF application, in the left navigation, under Services, click Websites.

The Websites list

Each website in the list is a proxy service that listens for incoming traffic for specific virtual host names (e.g. www.example.com). It then proxies it to the backend Real web server, which would typically be one or more web servers running in your VPC.

Blackhole

The Blackhole is the first in the Websites list. Managed WAF uses it to respond to requests for domain names that your other websites are not configured to listen to. These requests are blocked and logged in the Blackhole deny log of the website. This way of blocking requests for unknown host names automatically stops most attack probes from automated agents that traverse an entire IP range looking for vulnerable hosts.

Website proxies other than the Blackhole proxy can be configured to be the default website proxy for unknown host names. This allows the blocking from the Blackhole website proxy to be overridden.

Websites list details

Name Description
ID The ID for the website, also indicates the sequence number of added websites.
Name The internal name you give your website proxy.
Deploy The proxy deployment mode. For Amazon Web Services, only Reverse proxies are allowed.
Virtual web server The domain name and port number combination for the website you want protected.
Listens to The IP address bound to the virtual host.
Real web server The domain name for your backend web server.
Mode Blocking mode. You can select either Detect, Protect, or Pass mode.

Selecting a Block mode

On the Websites list, you can select a Block mode for your website. This determines how Managed WAF monitors your website traffic.

Protect mode

This mode blocks and logs all violations according to the access policy.

Detect mode

In the default Detect mode preset, only logging occurs and no blocking protection is activated. Blocking protection that would occur in Protect mode is logged and available for review in the deny log. Operating in the default detect preset is comparable to an intrusion detection system (IDS)—it detects and logs activities but does not protect or prevent policy violations.

When the Inline WAF is first deployed in front of a production website, Alert Logic recommends the Detect mode while the initial tuning takes place. This is the default mode when you select the WAF configuration when you create the website.

Pass mode

In Pass mode, all requests are passed through the website proxy. No requests are blocked and no logging is performed. This mode is not configurable because no filters are active in this mode.

Related topics