
Chapter 4. Security

4.6 DataPower security scenarios

4.6.3 Scenario three: DataPower as a Web application firewall

This is one of the major DataPower Security Gateway services. We introduced it in 2.6, “Web application firewall service” on page 20.

Overview

The new and emerging tremendous challenge that we face today is not exposing Web user interfaces, but much more direct access to enterprise business logic in the form of Web services. In some cases, core business logic is now accessible outside of the enterprise for the first time. While such access enables greater flexibility and integration with partners, it also exposes business to far greater risks.

Web applications come with intrinsic weaknesses that hackers can exploit to attack them.

[Figure: XML Firewall and Web Services Gateway XS40, Enterprise Service Bus, Message Broker, Network Infrastructure, SOAP/HTTP with WS-Security; diagram labels only, image not reproduced]

To address this concern, you can use IBM WebSphere DataPower SOA Appliances services to enforce security within your enterprise. The DataPower Security Gateway Web application firewall (WAF) service can be deployed in front of multiple Web servers to protect Web applications. In this case, DataPower monitors application traffic, performs a wide set of checks for Web application attacks, and reacts in real time. In the WebGUI, this service is represented by the icon shown in Figure 4-29.

Figure 4-29 Web application firewall icon

Based on the typical deployment scenario diagram, in Figure 4-30 we depict the DataPower WAF service described in this section.

Figure 4-30 DataPower WAF service described in this section

The WAF service provides features to:

• Protect a back-end Web application from attacks using the built-in threat protection.

• Protect access to the Web application firewall.

• Validate parameters from an HTTP request using name-value profiles.

The DataPower WAF service is used to offload some functions from Web-based service applications executing on application servers and to protect access to the enterprise back-end Web applications. For example, authentication, limiting requests, and parameter validation are typically Web application tasks, which can be configured with little effort on the DataPower appliance. These tasks are often performed on J2EE application servers such as WebSphere Application Server.

How it works

Deployed in the company DMZ or intranet, the DataPower WAF service enforces security within the enterprise by executing a custom security policy on HTTP messages before they are sent to, or received from, a back-end Web application. The DataPower Web application firewall service's protection against malicious attacks is based on URL-encoded strings. This defeats a wide range of application-layer attacks by providing immediate protection for applications against targeted vulnerabilities.

The WAF service is configured to virtualize a back-end Web application, rate-limit requests, and enforce an AAA policy. In fact, the WAF service can listen for requests on multiple TCP ports to virtualize or proxy back-end Web applications. The WAF service can also require Web clients to send requests over the Secure Sockets Layer.

[Figure: External client, Enterprise Firewall, XS40 with WAF service configured, Web Application Servers, Database Server; diagram labels only, image not reproduced]

When you need to limit the number of requests sent to the back-end Web service, you can create a rate-limiting policy to control the number of requests.

You can also require clients to provide credentials when trying to access the Web application, which can be enforced using a DataPower AAA policy.

1. A Web browser, as an external client, connects to the Web application firewall service.

2. Once the user has been authenticated, the request is forwarded to the back-end Web applications.

3. The Web application firewall service uses an AAA policy to validate users. This easy-to-apply policy saves time and provides immediate protection for production applications against Web application technology threats. Many of these threats simply pass through the typical Web-based security infrastructure.

4. In a production environment you would also need to secure the connection from the Web application firewall service to the back-end Web application, using either a security token or SSL. This step is optional.

The WAF service offers better support for HTTP-based traffic. For XML-only traffic, we would rather use other DataPower services such as XML firewall, Web Service Proxy, or multi-protocol gateway. HTTP threat protection is different from XML threat protection.

Web application security policy

The Web application security policy is defined using three maps:

Request    References a Web request profile
Response   References a Web response profile
Error      References an error rule

A map is chosen to execute based on its matching rule, and more than one map can execute for a given request: multiple maps can be defined per request and per response. Each profile implements the security policy configuration (AAA, HTTP threat protection, rate limiting, session management, and more).

Configuring the DataPower WAF service

Unlike other services on the DataPower appliances, the Web application firewall service does not have a service policy. Instead, it uses a custom Web application firewall security policy. The configuration of this policy does not use actions or have a GUI editor.

Host virtualization

DataPower appliances are typically deployed in the DMZ, which lets them perform pre-processing on incoming messages before they enter a company intranet. Web clients should not know the back-end endpoint of your Web application: if the back-end endpoint changes, your Web clients would need to be notified of those changes, and malicious users could send multiple requests to try to overwhelm the back-end Web application. To hide the Web application endpoint address from Web clients, you can define multiple TCP ports on which the WAF service listens for requests. This step is required when you are creating the WAF service.

Defining the WAF service front-end and back-end information

You first need to create a WAF service on the DataPower appliance. Start by defining the front-end and back-end information for the service. The Web application firewall rewrites the client-side host address and port number in the URL to the remote (back-end) host address and port number.

In Figure 4-31, the front-side settings have SSL on, so the external client must connect using https. The part of the URI after the port number is the same URI sent to the back-end Web application.

Figure 4-31 Front-side settings have SSL on

Create an AAA policy to protect access to the WAF

In the next steps, you create an AAA policy that extracts the credentials from the message protocol and performs authentication using an AAA file.

Authentication

To authenticate:

1. Create a new AAA policy.

2. Create a new access control policy.

3. Configure an access control policy.

4. Define how to extract a user's identity from an incoming request.

5. Define how to authenticate the user identity stated within the incoming request message.

6. Check the credential mapping method.

Authorization

Configure the authorization step in the access control policy to allow any authenticated user.

1. The Define how to extract the resources page specifies how the access control policy determines which resource the client has requested, for example, the URL sent by the client.

2. Check the resource mapping method.

3. The Define how to authorize a request page determines the access rules based on the resource and user.

Auditing

At the end, the AAA policy wizard lets you configure monitoring, logging, and post-processing options.

Note: In a production environment, an authorized user's list usually resides in a corporate directory server, such as a Lightweight Directory Access Protocol (LDAP) server. For test purposes, the list of authorized users can reside in an XML file named AAAInfo.xml. Since the file is included (disable in production) with every DataPower appliance, use it only for testing.

[Figure: Packet Filter, Demilitarized Zone, XS40, SOAP-enabled Enterprise Application, Packet Filter, Internet, Intranet; helps protect against incoming attacks and provides incoming access control; diagram labels only, image not reproduced]

The authorized counter and the rejected counter keep track of how many requests were allowed or denied access, respectively. The rejected counter has an additional feature to block further requests if a threshold is reached.

The logging section keeps track of the request and response message details for any authorized or rejected access attempts. The amount of message detail logged depends on the log level that you configure.

Post-processing

The post-processing section describes actions that you can apply to the message after the authentication, authorization, and auditing steps.
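As an added example, not code from this Redbook or from the DataPower product, the following Python sketch walks one request through the AAA steps described above: identity extraction from an HTTP Basic header, authentication against a constructed user list standing in for AAAInfo.xml (the real file's schema is not reproduced), resource extraction from the request URL, prefix-based authorization, and the authorized and rejected counters with a rejection threshold that blocks further requests. The class name, rule set, threshold value and sample users are assumptions.

```python
import base64
import hmac
from urllib.parse import urlsplit

# Constructed user list standing in for the appliance's AAAInfo.xml (production uses LDAP).
USERS = {"alice": "s3cret", "bob": "hunter2"}
# Access rules: resource path prefix -> allowed users ("*" = any authenticated user).
ACCESS_RULES = {"/app/admin": {"alice"}, "/app/": {"*"}}
REJECT_THRESHOLD = 3  # rejected-counter threshold that blocks further requests


def basic_auth_header(user, password):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


class AAAPolicy:
    def __init__(self):
        self.authorized = self.rejected = 0  # authorized and rejected counters
        self.blocked = False  # set once the rejected counter reaches the threshold

    def authenticate(self, headers):
        """Extract (user, password) from the HTTP Basic header and check the user list."""
        auth = headers.get("Authorization", "")
        try:
            user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return None
        if not auth.startswith("Basic ") or user not in USERS:
            return None
        # constant-time comparison so timing does not leak how much of the password matched
        return user if hmac.compare_digest(USERS[user].encode(), password.encode()) else None

    def authorize(self, user, url):
        """Resource = requested URL path; the longest matching prefix rule decides."""
        resource = urlsplit(url).path
        for prefix in sorted(ACCESS_RULES, key=len, reverse=True):
            if resource.startswith(prefix):
                return "*" in ACCESS_RULES[prefix] or user in ACCESS_RULES[prefix]
        return False

    def evaluate(self, url, headers):
        """Run AAA for one request; the audit counters drive the blocking threshold."""
        if self.blocked:
            return "blocked"
        user = self.authenticate(headers)
        if user and self.authorize(user, url):
            self.authorized += 1
            return "allow"
        self.rejected += 1
        self.blocked = self.rejected >= REJECT_THRESHOLD
        return "reject"
```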

Rate limiting

High-volume Web sites may need to limit requests during certain periods. For example, a concert ticket Web site may experience a spike in traffic when concert tickets first go on sale. The WAF service lets you restrict the number of request messages within a given time interval. Requests over the specified number can be rejected, shaped, or logged. You can also limit the number of users connected and number of connections per user.
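To make the rate-limiting options concrete, here is an added Python example (not code from this Redbook or from the appliance) of a policy that applies the three over-limit actions named above, reject, shape and log, over a sliding window, and also caps the number of connected users and the connections per user. The class name, parameter names and defaults are assumptions; the clock is injectable so the behaviour can be checked without waiting.

```python
import time
from collections import deque


class RateLimitPolicy:
    """Sliding-window request limit with reject/shape/log over-limit actions and connection caps."""

    def __init__(self, max_requests, interval, action="reject",
                 max_users=100, max_conns_per_user=5, clock=time.monotonic):
        if action not in ("reject", "shape", "log"):
            raise ValueError("action must be reject, shape or log")
        self.max_requests, self.interval, self.action = max_requests, interval, action
        self.max_users, self.max_conns_per_user = max_users, max_conns_per_user
        self.clock = clock          # injectable for deterministic tests
        self.window = deque()       # timestamps of requests inside the interval
        self.connections = {}       # user -> number of open connections
        self.log = []               # (time, user) records of logged overflows

    def open_connection(self, user):
        """Admit a new client connection unless the user cap or per-user cap is reached."""
        if user not in self.connections and len(self.connections) >= self.max_users:
            return False
        if self.connections.get(user, 0) >= self.max_conns_per_user:
            return False
        self.connections[user] = self.connections.get(user, 0) + 1
        return True

    def close_connection(self, user):
        self.connections[user] = self.connections.get(user, 0) - 1
        if self.connections[user] <= 0:
            del self.connections[user]

    def admit(self, user):
        """Decide one request: ('allow', delay_seconds) or ('reject', 0.0)."""
        now = self.clock()
        while self.window and now - self.window[0] >= self.interval:
            self.window.popleft()   # drop requests that have left the interval
        if len(self.window) < self.max_requests:
            self.window.append(now)
            return "allow", 0.0
        if self.action == "reject":
            return "reject", 0.0
        if self.action == "log":    # let it through but record the overflow
            self.log.append((now, user))
            self.window.append(now)
            return "allow", 0.0
        # shape: hold the request until a slot frees, i.e. when the request that
        # currently occupies the slot max_requests back leaves the interval
        delay = self.window[-self.max_requests] + self.interval - now
        self.window.append(now + delay)
        return "allow", delay
```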

Summary

Securing the HTTP traffic in your company with the DataPower Web application firewall service gives you a powerful and simple management solution for your back-end Web applications. You can use it to virtualize the endpoint address, rate-limit requests, and enforce access control. You can configure these items using the Web application firewall service without writing any custom code.