Semantic based Web Application Firewall (SWAF - V 1.6)
Installation and Troubleshooting Manual
Installation Manual
SWAF Deployment Scenario:
Figure 1: SWAF Deployment Scenario
Figure 1 above shows the deployment scenario for SWAF. To give a clear picture of the deployment, we explain it with the help of an example. The deployment has three layers:
Client
SWAF Firewall
Applications
A brief explanation of each layer:
Client: The client requests an application that is deployed behind the SWAF firewall.
SWAF Firewall: The SWAF firewall is a server installed on the Internet-facing network that fulfills the client requests for the application.
Applications: The deployed applications are part of the private organizational network. Their incoming and outgoing requests are processed by SWAF to check their legitimacy.
Now we explain the deployment process with the help of an example.
In this example we move from the client end to the application end. Clients are allocated dynamic IPs when they connect. On the Internet side, we currently support virtual domain name hosting.
Server Address: 115.186.131.113
Virtual Domain Name Hosting Mapping:
Global Address      Host Name      Private Network Address   Port
115.186.131.113     www.app1.com   192.168.1.3               80
115.186.131.113     www.app2.com   192.168.1.4               80
115.186.131.113     www.app3.com   192.168.1.5               80
When a client requests the URL www.app2.com, the DNS server maps the request to the server IP address 115.186.131.113, where SWAF is running. SWAF intercepts and validates the request and, if it is valid, forwards it to the desired application. SWAF has its own mapping tables, which store the mapping of www.app2.com to 192.168.1.4:80, and the request is forwarded to that application.
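The host-name-to-backend lookup described above, as an added example that is not part of the SWAF manual or product: it reads the Host header of a raw HTTP request, normalises it, and resolves it against a constructed copy of the mapping table, returning None for any name that is not configured (the condition behind the "Application not found" error in the troubleshooting section). The table contents and the request bytes are constructed; SWAF's real lookup code is not shown on this page.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed copy of the manual's mapping table: all host names share the
# single public address 115.186.131.113 and are told apart by the Host header.
VHOST_TABLE: Dict[str, Tuple[str, int]] = {
    "www.app1.com": ("192.168.1.3", 80),
    "www.app2.com": ("192.168.1.4", 80),
    "www.app3.com": ("192.168.1.5", 80),
}

# A host name as it may appear in a lookup key: letters, digits, dots, hyphens.
HOSTNAME_RE = re.compile(r"[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?")


def host_from_request(raw_request: bytes) -> Optional[str]:
    """Return the normalised Host header of a raw HTTP/1.1 request, or None."""
    head = raw_request.partition(b"\r\n\r\n")[0]
    for line in head.split(b"\r\n")[1:]:            # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            host = host.split(":", 1)[0]            # drop an explicit port
            return host.rstrip(".")                 # "www.app2.com." -> "www.app2.com"
    return None


def resolve_backend(raw_request: bytes,
                    table: Dict[str, Tuple[str, int]] = VHOST_TABLE
                    ) -> Optional[Tuple[str, int]]:
    """Map a request to (private address, port); None means 'Application not found'.

    Only an exact, configured name is forwarded. The Host header is supplied by
    the client, so nothing is guessed for names that are absent from the table.
    """
    host = host_from_request(raw_request)
    if host is None or not HOSTNAME_RE.fullmatch(host):
        return None
    return table.get(host)


if __name__ == "__main__":
    req = b"GET /index.html HTTP/1.1\r\nHost: www.app2.com\r\nUser-Agent: x\r\n\r\n"
    print(resolve_backend(req))   # ('192.168.1.4', 80)
```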
Hardware and Software Recommendations
Hardware:
Processor: Intel Core 2 Quad 3.0 GHz
RAM: 4GB
SWAF Installation
1. Download the virtual appliance from the web (Note: the link will be emailed to the concerned person. For an illustrated procedure for downloading the appliance, refer to Appendix A).
2. Load the SWAF appliance in any virtual environment (Note: for loading the SWAF appliance, refer to Appendix B).
3. After loading the SWAF appliance, the next step is to configure its network (Note: for network configuration, refer to Appendix C).
4. SWAF is switched on automatically as a CentOS service.
5. Register the software by providing the license.
SWAF Troubleshooting
Problem # 1: I tried accessing SWAF from the browser but there is no response. What should I do?
Solution
1. First of all, check the root folder and open the SWAF.txt file. If it contains a message like "port is already bound", SWAF is not running correctly because another application is using the port that SWAF wants. To solve the problem, either stop the other application that is listening on the desired port or follow these steps to change the listening port of SWAF:
   1. Open the folder /root/SWAF_dist/SWAF
   2. Locate the start.sh file and open it in a text editor
   3. Find the port (8888 for HTTP and 4443 for HTTPS) and change it to the one you want.
2. If instead SWAF.txt contains a message like "connection refused", follow these steps:
   1. Check the httpd status using: service httpd status
   2. If it reports an unrecognized service, install it using: yum install httpd
   3. If the status is stopped, start it using: service httpd start
   4. Now try to access SWAF again.
Problem # 2: I tried accessing SWAF from the browser but I get an "Application not found" error. What should I do to resolve the problem?
Solution:
Follow these steps:
1. Access the web interface of SWAF.
2. Log in to the system and go to the Configuration tab, then go to the Web Application interface.
3. Add your desired application, then try to access it again.
Problem # 3: I tried accessing SWAF from the browser but I get an "Application down" error. What should I do?
Solution
Check the status of your application server: is it running? This message appears when the application is not running.
Solution
Sometimes when we run JBoss it gives a jvm_bind exception, because JBoss requires certain ports for communication; if those ports are already in use by another application, the jvm_bind exception occurs.
Glossary
Virtual Domain Name Hosting: IP-based virtual hosts use the IP address of the connection to determine the correct virtual host to serve. Therefore you need to have a separate IP address for each host. With name-based virtual hosting, the server relies on the client to report the hostname as part of the HTTP headers. Using this technique, many different hosts can share the same IP address.
Uniform Resource Locator (URL): A Uniform Resource Locator (URL) is a subset of the Uniform Resource Identifier (URI) that specifies where an identified resource is available and the mechanism for retrieving it.
Domain Name Server (DNS): The Domain Name System (DNS) servers distribute the job of mapping
Appendix A: SWAF Download
1. SWAF can be downloaded from the link: http://swaf.seecs.nust.edu.pk
2. After accessing this link, go to the download button as shown in the snapshot.
4. To obtain the license, send an email to [email protected] or [email protected] with the download file name.
Appendix B: Configuring Virtual Appliance
Step 2: Click the apply button
Step 3: Installation of VirtualBox in progress.
Step 5: In the top left of the screen, click the Applications tab, then System Tools, then Oracle VM VirtualBox. Click to open it. You should have this screen on your desktop.
Step 7: Click Appliance file and click next.
Step 9: Loading in Progress.
Step 11: Now provide user name and password. Login: root
Appendix C: Configuring Appliance Network
1. You can configure the network card by editing the text files stored in the /etc/sysconfig/network-scripts/ directory. First change directory to /etc/sysconfig/network-scripts/:
cd /etc/sysconfig/network-scripts/
2. To edit/create the first NIC file, type the command: vi ifcfg-eth0
3. Append/modify as follows:
# Intel Corporation 82573E Gigabit Ethernet Controller (Copper)
DEVICE=eth0
BOOTPROTO=static
DHCPCLASS=
HWADDR=00:30:48:56:A6:2E
IPADDR=10.10.29.66
NETMASK=255.255.255.0
ONBOOT=yes
Note: To leave insert mode press Esc, and to save the file and quit type :wq
4. Save and close the file. Define the default gateway (router IP) and hostname in the /etc/sysconfig/network file:
vi /etc/sysconfig/network
5. Append/modify the configuration as follows:
NETWORKING=yes
HOSTNAME=www1.nixcraft.in
GATEWAY=10.10.29.65
6. Save and close the file. Restart networking: /etc/init.d/network restart
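A consistency check for the two files edited in this appendix, as an added example that is not part of the SWAF appliance: it parses ifcfg-eth0 and /etc/sysconfig/network as KEY=value text and reports the mistakes that commonly leave a statically addressed appliance unreachable after the restart, such as a gateway outside the configured subnet or ONBOOT left unset. The file contents are constructed copies of the values shown above.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample files, copied from the values in this appendix.
IFCFG_ETH0 = """\
# Intel Corporation 82573E Gigabit Ethernet Controller (Copper)
DEVICE=eth0
BOOTPROTO=static
DHCPCLASS=
HWADDR=00:30:48:56:A6:2E
IPADDR=10.10.29.66
NETMASK=255.255.255.0
ONBOOT=yes
"""
NETWORK = "NETWORKING=yes\nHOSTNAME=www1.nixcraft.in\nGATEWAY=10.10.29.65\n"


def parse_sysconfig(text: str) -> Dict[str, str]:
    """Parse KEY=value lines the way the network scripts read them; '#' starts a comment."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip().strip('"')
    return conf


def check_static_config(ifcfg: str, network: str) -> List[str]:
    """Return the problems found; an empty list means the two files agree."""
    nic, net = parse_sysconfig(ifcfg), parse_sysconfig(network)
    problems: List[str] = []
    if nic.get("BOOTPROTO") != "static":
        problems.append("BOOTPROTO is not 'static'")
    if nic.get("ONBOOT") != "yes":
        problems.append("ONBOOT is not 'yes'; the interface will stay down at boot")
    if not re.fullmatch(r"([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}", nic.get("HWADDR", "")):
        problems.append("HWADDR is not a valid MAC address")
    if net.get("NETWORKING") != "yes":
        problems.append("NETWORKING is not 'yes'")
    try:  # IPADDR/NETMASK form the interface; the gateway must lie inside its subnet
        iface = ipaddress.ip_interface(f"{nic['IPADDR']}/{nic['NETMASK']}")
        gateway = ipaddress.ip_address(net["GATEWAY"])
    except (KeyError, ValueError) as exc:
        return problems + [f"address fields unusable: {exc}"]
    if gateway not in iface.network:
        problems.append(f"GATEWAY {gateway} is outside {iface.network}")
    elif gateway == iface.ip:
        problems.append("GATEWAY is the same as IPADDR")
    return problems
```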