AppWall Implementation Plan V10 AppWall Verion 5 6

Assumptions and Recommendations
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
Assumptions and Recommendations
It is recommended to begin the implemementation in QA/staging environment. You can deployment in production
but be cautions about traffic volume, and Auto Policy Generation profiles you use (Production Profile only.)
Gather required information for deployment:
Obtain Network Topology diagram
Get the domains\URLs with protocols (HTTP\HTTPS:Uniqe port).

Where is the SSL being terminated?
Are different IP\Port defined for every web site or is the web server based on Host Header?
Gather required information for Security Policy Planning:
If a penetration test was conducted and information can be gathered before the implemementation, it will be ve
Do you have a public Admin path that requires special attention?
Are there any File Upload folders? (if positive what extensions are valid)
Are there any Streaming Media files?
Where are the Login pages? We will need valid username and password for the testing.
Please define what is the Code Page for every site we need to protect (UTF-8, 8859-2 etc.)
Sensitive Cookies in the application?
Are Credit Card Numbers processed by the Application? Are the numbers in a database?
Any other confidential information (such as national ID numbers) that should not appear in the response?
Any know Web Application vulnerabilities you are aware of?
You would need a contact person who is knowledgeable on all web application areas and can perform all kind
activates (surfing, purchasing and such) and can also confirm that everything is working.
Is there a Security Page for the website?
For example: http://www.radware.com/securityblock/securityblock1.asp?_event_transid=2181105781
See our template here: http://kb.radware.com/questions/2695/
AppWall Implementation Steps (version 5.6)

PHASES Phase Description
PHASE 1
PHASE 2
PHASE 2.1
Details
Implementation Goals and Planning

Planning the implementation
Based on the your implementation goals plan the implementation:

- Select the relevant Security Policy Track
- The security track will derive how long should the implementation take
- How many web applications should be tested
Who are the people required to accomplish a successful implementation:
- Application QA
- Relevant Security personnel
- Application people that can address application scope questions and issues.
- Does this web application available for implementation
What traffic volume expected and what impact it might have on performance
Pre-Install Information Gathering
if the web application is externally accessible, you can View traffic, identify potential challenges, activate Auto Discovery
before arriving on site
Deployment in Staging Environment

Select preferable deployment: Virtual of Physical Appliance
If VMware ESX infrastructure exists, consider using AppWall VA.

If performance is part of evaluation criteria, verify that the Hosting ESX is running on reasonable HW, with the ability to
allocate required resources for the AppWall VA or use the physical appliance.
Select preferable deployment mode
Reverse Proxy: suitable for ADC deployment when original client IP address is not required in web app. If Client IP
address required for logging purposes only, you can add client ip address in XFF header and still use the Reverse Proxy.
The preferable deployment mode. For Additional information please refer to KB2559.
Transparent Proxy: suitable for ADC deployment when original client IP address required in web app. Please refer to
line 20 for limitations of this deployment mode.
Bridge: suitable for standalone AppWall deployments, usually in a non-ADC environment.
Preferably implement AppWall in Test/QA/Staging environment
It is highly recommended to deploy AppWall in a Test/QA/Staging environment first, especially as part of implementation.
If the prefered deployment is in the production environment, and the SSL traffic is terminated before the Web servers
you may consider using AppWall Monitor for span port traffic.
Deployment in production in-inline mode Gateway is not recommended but might be requested.
ADC (Alteon or AppDirector) deployment

Deploy AppWall only as after successful ADC deployment was validated. Pay
special attention to next item:
PHASE 2.2
Test the cache policy with Alteon / AppDirector on the target web site for afew
days prior to moving traffic through AppWall.
After redirecting the traffic through AppWall, set the cache only on AppWall farm (there is a common mistake to set
cache also on the web server farm).
Monitoring Traffic Volume (CEC)

ADC acceleration
Set on Alteon/AppDirector the Close on session end and check the peak value.
There is a limitation with activating Acceleration and SSL offloading features in AppDirector along with AppWall in
Transparent Proxy mode:
- AppDirector versions 1.x support Transparent servers but not SSL offloading.
- AppDirector versions 2.x support SSL Offloading but no transparent servers.
Caching
Set the caching only on AppWall Farm.

Do not enable caching during Auto Policy Generation phase.
SSL Termination
preferably enable SSL Termination at the ADC. If AppWall must process SSL traffic you have the option to set the tunnel
to either SSL-Clear or SSL-SSL mode. If using SSL-SSL consider smaller encryption key in the backend web servers
Multiplexing
Multiplexing might be an issue, as termination of one server tcp connection by AppWall upon security violation, might
impact multiple client connections. Recommended not to use.
Layer 7 Policy
In the scenario of many web servers which might result in many tunnels, use Host header based policy in the ADC.
Host header Policy enables defining single tunnel to different applications and different servers. The need for more than
a single tunnel will be when both SSL and HTTP traffic is used, and when multiple encoding types are utilized
(applications in different languages). For additional details about host based security policy please refer to KB2869
Redirect Policy
Disable Multiplexing on AppWall's Farm (in AppDirector)
LB rules based on source IP for testing e.g. QA\LAN

Before the actual AppWall deployment
AppWall Deployment
place AppWall in a server rack
Connect AppWall to the network. Make sure there are at least 2 available
network ports in the switch
At least one port used for web application traffic and one port for management. Additional NICS can be added. In Bridge
mode 2 NICs required for Bridge and one for management.
Define unique hostname for AppWall server, set management IP for remote
management
Upgrade to AppWall latest version
Install the latest Java on your PC in order to run AppWall MNG Application
https://MNG_IP/Console/
PHASE 3
Local AppWall Settings:
Time zone
DNS
Default Gateways for Management and Services
Routing Rules
Management IP
Services IP
Management Default Gateway for separated routing of Management traffic
In the
scenario of Bridge mode deployment, configure a bridge IP, from the relevant network segment
Bridge IP - for Bridge mode deployment; the bridge ip address must not be from the MNG subnet
MNG IP and Bridge IP must be with
a different networks
Validate that an authenticated license is installed on AppWall.
If management application shows "Ended with Errors" message at the bottom, follow the next instructions:
check > Forensics > initialization logs - look for red items:
usually License issue or Is
Verify that the relevant AppWall instance is running (Gateway or Cluster)

Verify AppWall License match instance type
For additional details regarding Cluster deployment please refer to KB2441

There are 2 types of license for AppWall. Base platform license and throughput license. There is still backward
compatibility for the previous Licenses with no throughput limitation
Map network topology

Set services (Web traffic) IP addresses, define required routing rules
SSL Certificate
Have a network topology map
Define Network Firewall rules for web traffic

Define Network Firewall rules for remote management:
The IPs of Administrator, Partner & Radware.
Open Ports - change rule for port 80/443 to allow access to AppWall instead of directly to Servers
Open TCP ports in the network Firewall for management interface (for encrypted mgmt traffic):
8200 (Gateway management)
8270 (Cluster management)
443 for Web Interface
22 for CLI (SSH)
2214 and 9216 (Vision) - for more details please refer to KB2710
Check code-page for every protected website
Verify (in the user guide) that the required code-pages are supported.
If not contact Support to add support for required Code-page
Create and configure in AppWall a security page
Build a Company Security page to which users will be redirected upon security violation (e.g. "Please contact customer
support."). An advance security page which can process query parameters, can accept and show event transaction ID
for easier search in Forensics (by default the parameter name is "_event_transid").
For more details please refer to KB2695
Rollback plan & execution
what do YOU do in a case of emergency:

move tunnel to BYPASS state
Define ADC Backup Servers that routes directly to Servers
Ask the Admin to provide all SSL server certificates and the passwords
Install certificates on Alteon / AppDirector.
Define SSL policy.
If end-to-end SSL required, import certificates to AppWall as well.
Initial Configuration: Create a Tunnel in Passive Mode

Add web servers
In ADC deployment it will usually be an internal VIP that will balance the traffic to the web servers.
In non-ADC environment, Web server interface will be the protected web server.
in Bridge mode deployment, you can also set a Web Farm
Create a new tunnel(s) in AppWall. If creating an SSL tunnel select the Server
certificates imported in phase 2
defining 1-2 tunnels to protect the implementation sites.
consider the limitation of number of tunnels
If at this phase protecting multiple servers is required, you should plan how to distribute traffic to your applications: The
total number of tunnels which can be defined in AppWall is limited to 50. Even without reaching this limit, if you are
required to add more than 15 tunnels, you should consider revising your tunnel planning:
Please refer to Layer 7 Policy section (C 24).
XFF (X-Forwarded-For) or TrueIP HTTP header
Set the tunnel default working mode to Passive

HTTP Properties and Parsing Properties review
Review other tunnel settings to be relevant to the tested application
If relevant, add X-Forwarded-For setting in Tunnel Properties.
PHASE 4
Configure AppWall to add client source IP address to the XFF header

Configure AppWall to retrieval client IP address from XFF when AppWall receives client IP in XFF Header. Possible
scenarios might be:
- AppDirector Client NAT
- ISA Server
- CDN (e.g. Akamai)
- Other Proxies
For additional details, please refer to KB2559 and KB2528
Code page, Masking Errors, Server Identity

Message size: a preliminary inspection of message size should be performed.
In the scenario of Reverse or Transparent Proxy implementation, when application needs clients source IP addresses
Selecting Security Implementation Strategy

Based on the implementation goals/requirements/plan select the most relevant The Security Implementation Strategies detailed herein are independent one from each other. In real-life
Security Implementation Strategy: one of the options 4.1, 4.2 or 4.3
implementation scenario, it might be a reasonable approach to begin with one implementation strategy, and in future
phases to switch to a different strategy to address wider scope of security threats.
During the implementation it is recommended to select one of the security implementation strategies listed herein
based on the requirements.
The levels presented are just recommendations; Different policies can be defined.
When selecting the Implementation Strategy, consider the Security TCO
Tradeoff:
Risk, values and tradeoffs

Low False Positive Rate vs. Security Coverage to wide scope of threats.
Performance impact
TCO - availability of resources to maintain the policy
Time for deployment
Consider how you can hedge the risk/effort through implementation of

Application Paths
PHASE 4.1:
Security
Level 1
Defining Standard Security policy
Time for Level: 3 day(s)

depends on Application size and efficiency of testing process
In the Security Policy view, create a new Web Application using the web
application wizard, with:
- "/" Application Path
- Rapid Auto Policy Generation mode
- Select the relevant Profile: If staging environment select Manual Browsing or
Manual Crawling; if Production, select Production Rapid.
Web Application can be defined on a:

- Web Server
- Host
- Application Folder
At the host level (under web application) configure the Security Page
Browse through AppWall
at the Host level setting in the Security Policy

Initially the admin should access the application through AppWall to validate traffic is processed properly and basic
legitimate requests are not blocked. Specifically check message size logs that nothing is blocked
Let the Auto-discovery build application tree according to processed traffic

Forward traffic through AppWall:
- In staging environment forward only legitimate (attack free) traffic
- In production environment you can forward real application traffic
Auto Discovery will show access information (parameters status codes, 404, etc.) and application structure
define who will access the application through AppWall in the first phase (QA, test group, admin). Warning: do not use
staging profiles in production environment.
Testing
QA team or admin, either manually or also using a crawler browse through the entire Web application (make sure all
dark corners are accessed as well) - to generate logs for later fine tuning.
Verify that Vulnerabilities, Database and HTTP Methods security filters are
enabled. Review the Path Blocking filter findings, disable Safe Reply\Path
Blocking in case there is no need.
Let the system generate policy automatically
Fine tuning through Refining the security policy from the Security events, using
"Refine!" button
Configure the AppWall system to forward events to Vision Reporter

Backup the policy
Violations of HTTP RFC should be fixed in application or can be set to be ignored by AppWall either for specific URL or
for "Any URL".
Review all Security events in the Forensics view.
At this point all traffic should be legitimate and should not be blocked. Refine the events that generate false positives.
At this point 404 status code can be identified as well (broken links)
consider using Discard all rules or Apply to all other pages
Right Click - backup or from Web Based Management interface
OR
PHASE 4.2:
Security
Level 4.2.1:
2
PHASE
Defining Advanced Security policy

The Auto Policy Generated Policy
- Rapid Auto Policy Generation mode
Manual Crawling; if Production, select Production Rapid.
At the host level (under web application) configure the Security Page
Create Application Paths (if required) with Rapid Auto Policy Generation Mode.
Activate relevant Security filters in these Application Paths based on the next
inputs:
Identify where sensitive data might be residing in the application. Create
Application Paths and activate Safe Reply Filter on relevant sections
Time for Level: 3 - 4 days

- Web Server
- Host
at the Host level setting in the Security Policy
Payment and shopping cart web app pages

Any page that might leak sensitive info
If there is no Credit Card Numbers, Social Security Numbers or other types of Sensitive data - Disable this filter
Verify that Vulnerabilities, Database and HTTP Methods security filters are
enabled in all Application Paths
or in Full Auto mode

Testing
"Refine!" button
Message Size and RFC properties are part of the Auto Policy Generation. Nevertheless review the events for details and
refine:
Message size and parsing properties events should be reviewed first
for (Any URL)
Parameters Security Bypass list can be updated to bypass cookies that do not require protection. Add the Alteon /
AppDirector persistency cookie to the list of bypassed parameters
Additional security features can be enabled based on needs and requirements
PHASE 4.2.2
e.g. if during penetration test a specific folder was identified as exposing sensitive info and should not be accessed, can
be added to Path Blocking

Advanced Manually Set Security Features
Indentify what is considered as sensitive information, in the organization. Define Some organization regard different data as sensitive. If possible use custom pattern in Safe Replay to mitigate
custom sensitive patterns for Safe Reply
sensitive data leakage.
integration with external DLP solution available through ICAP protocol
Is there any /admin/ application path (for configuration of the web site, creating Add Path Blocking filter to all Application paths, and add sensitive folders to Path Blocking filter on all application
web users, etc). if so, consider using path blocking for that path.
Paths.
If limited access is needed, define web role(s) based on source IP address or based on Successful Login Detection. You
can then allow access to these path only relevant role.
Is there any file upload folder? if so, use "File Upload"
If exists create Application Path for Upload application and define File Upload filter on it with specific allowed file types
If limited access is needed, define web
role(s) based on source IP address or based on Successful Login Detection. You can then allow access to these path only
relevant role.
Are there any streaming files (swf, avi, mpeg, radio). if so use "bypass
if exists - define to bypass in tunnel level "Security Bypass" tab. Also allows ignoring problematic applications cookies
extensions"
(ASP, Google, etc.)
use Brute Force security filter to secure login pages
Create Application Path for Login page and Authenticated pages, and enable Brute Force Filter on them. For additional
information, refer to KB2952.
Identify sensitive cookies and secure them.
Securing cookies (the default is signing, but you can also encrypt) impacts performance
Preferably secure only the sensitive cookies identified rather than securing all
Session security filter events should be reviewed to define whether there are cookies that should not be processed as
the client side need to read or manipulate them.
Backup the policy
Defining Complete Security policy
Time for Level: ~2 weeks

OR
PHASE 4.3:
Security
Level 4.3.1:
3
PHASE
The Auto Policy Generated Policy
- Extended Auto Policy Generation mode
Manual Crawling; if Production, select Production Automatic
Set the Auto mode in the Web Application wizard

As of AppWall version 5.0 the / Application Path is recursive.
- Web Server
- Host
if possible import and process sitemap.xml for shorter time for initial policy
Tools which AppWall offers for Auto Policy Generation:

Traffic Processing (AC) test/prod
External Crawler test (C:\WINDOWS\system32\drivers\etc\hosts)
External Sitemap Generator staging or producation
Sitemap import staging or producation
Internal Crawler staging or producation
- Limitations: HTTPS, Redirects, login

Based on Auto Discovery review, consider whether you need a Regular
Expression based Application Path
repeat this periodically at the during the initial auto policy process.
For Regular Expression Application Path please refer to KB2506

Testing
"Refine!" button
Message Size and RFC properties are part of the Auto Policy Generation. Nevertheless review the events for details and
refine:
Message size and parsing properties events should be reviewed first
for (Any URL)
Parameters Security Bypass list can be updated to bypass cookies that do not require protection. Add the Alteon /
AppDirector persistency cookie to the list of bypassed parameters
Turn Auto Policy Generation off

Review and Tune auto - generated policy
PHASE 4.3.2

Advanced Manually Set Security Features
In case where parameters are used globally across the application, configure
global parameters policy
after at least 1 week, preferably longer

review the generated Application Paths, the utilized Security Filters and the generated refinements for the relevant
security filters
modify and tune the policy:
- delete non-relevant Application Paths
- create RegEx based Application paths (only when there are many application paths that can be merged into few
RegEx based Application Paths)
0
Defining a list of parameters in the Global Parameters filter significantly simplifies the learning phase of the Parameters
Filter
In case the application processes XML client input and / or web services import
WSDL file and activate WebServices or XMLSecurity where needed.
Create Application Paths (if required) with Extended Auto Policy Generation
Mode. Activate relevant Security filters in these Application Paths based on the
next
inputs:
Double
check that SafeReply filter activated where required, by Auto Policy
Generation. If not create Application Paths and activate Safe Reply Filter on
relevant sections
Payment section and shopping cart web app pages must be secured by SafeReply
Any page that might leak sensitive info
Indentify what is considered as sensitive information, in the organization. Define Some organization regard different data as sensitive. If possible use custom pattern in Safe Replay to mitigate
custom sensitive patterns for Safe Reply
sensitive data leakage.
integration with external DLP solution available through ICAP protocol
Is there any /admin/ application path (for configuration of the web site, creating Add Path Blocking filter to all Application paths, and add sensitive folders to Path Blocking filter on all application
web users, etc). if so, consider using path blocking for that path.
Paths.
If limited access is needed, define web role(s) based on source IP address or based on Successful Login Detection. You
can then allow access to these path only relevant role.
Is there any file upload folder? if so, use "File Upload"
If exists create Application Path for Upload application and define File Upload filter on it with specific allowed file types
If limited access is needed, define web
role(s) based on source IP address or based on Successful Login Detection. You can then allow access to these path only
relevant role.
Are there any streaming files (swf, avi, mpeg, radio). if so use "bypass
extensions"
if exists - define to bypass in tunnel level "Security Bypass" tab. Also allows ignoring problematic applications cookies
(ASP, Google, etc.)
use Brute Force security filter to secure login pages
Create Application Path for Login page and Authenticated pages, and enable Brute Force Filter on them. For additional
information, refer to KB2952.
Identify sensitive cookies and secure them.
Securing cookies (the default is signing, but you can also encrypt) impacts performance
Preferably secure only the sensitive cookies identified rather than securing all
Session security filter events should be reviewed to define whether there are cookies that should not be processed as
the client side need to read or manipulate them.
When required configure the Authentication and User Tracking settings under
the host
Enables:
- Authentication
- single-sign-on to multiple application
- successful login detection to cross and sub domain application
- role-based policy for authenticated users and for guests
- role-based policy by mapping AppWall roles to LDAP groups
Logging filter - highly effects performance; use it only selectively and for
specific application paths for short periods of time.
PHASE 5
Form field and parameters protection or obfuscation should be utilized only

where required
Usually as a solution for known sensitive parameters or penetration test result.
Backup the policy
Advanced Tuning
Avoid from Product fingerprint
PHASE 6
CSRF protection is set to Passive by default. Review the logs change the mode to Active if required
In "Hosts" section under "Security Policy" tab you have the CSRF protection settings. Please manually REFINE by either allowing domain name (e.g.
*.domain.com) or specific file under the new "Hosts" section.
View Dashboard - view active connection per tunnel to learn normal behavior
(baseline).
update max active connections in tunnel configuration if needed (a good Active Connections :TPS ration should be ~
1:2-3)
Idle session timeout
You should also trace the ration between Active connections to the Transactions Rate (TPS) - High Active connections
to Transactions Rate ratio might indicate wrong settings of idle connections in the web server and in the AppWall tunnel
Backup the policy
Vision Reporter
Configuring AppWall for events distribution
Security Reports
Application Intelligence
PCI Compliance
Correlating Reports
Alerts
PHASE 7
PHASE 9
under Configuration View > Services you can configure the Vision Reporter settings. For more details please refer to KB
2826
Configuring Multi-Tenancy
You may consider configuring user Authentication and Role based policy with
Active Directory, LDAP, and Radius.
For additional information please refer to kb2882
Setting policy per web application (Tenant / Customer)
Reminder: Web Application can be defined on a:

- Web Server
- Host
Creating AppWall users with management RBAC per web application
a. Administrator
b. Web Application Owner
c. Web Application Viewer
Reporting per customer
PHASE 8
Change the K_V_D__ cookies prefixes \ "_event_transid" parameter name of security page\ make sure the security page
neither contain the expressions such as "Web Application Firewall" \ "AppWall" or similar
can be shown when logging in as Web Application owner and viewing the reports only of your owned applications
Switching to Active mode (in staging environment)
when no false positives found in the events
Change the chosen tunnel state to Active mode

review logs periodically and refine policy as needed
Review Vision reports and Forensics info
Backup the policy
after all events are handled and refined, change tunnel mode to Active
Moving to Production (passive mode)
when no event from internal testing generated and you ready to move to active
Change the Staging environment AppWall tunnel mode to passive
change Automatic Configuration profile to Production pro"Production Rapid" or "Production Automatic" Traffic analysis profiles !!!
Transfer AppWall policy form staging environment to the production AppWall

create a branded informative page with transaction ID for case tracking of false for additional information pleas refer to kb 2695
positive incidents
Review the security events periodically
Remember: Your tunnel is still in Passive mode !!!
PHASE 10
Switching to Active mode (in Production)

Once the Auto Policy Generation process is in advanced state, you can proceed
to next step of switching to active mode
How you know Auto Policy Generation is in advanced state:

Auto Policy Generation progress bar reaches at least 75%
AllowList refinements (in Rapid mode you should expect to see 5 - 10 common file extensions)
In Rapid mode system is recommended to be in passive mode 4 - 7 days. In extended mode, depending on traffic
volume and diversity of the traffic, system is recommended to be in passive mode 1 - 3 weeks.
disable the "Suppress Events when Auto Configuration Learns" check box in the
Security Policies > Auto Policy Generation
You now have 2 possible approaches as to how to switch the system to Active
mode in production
select the active Implementation Strategy: one of the options 10.1 or 10.2
PHASE 10.1: The Conservative Approach
Active Filter By Filter
Reminder: when auto policy generation system switches a security filter to

active mode it means the policy optimization process accomplished for this filter
in the relevant application path and host.
For all the Security Filters which were switched to active mode by the Auto
policy, manually change the working mode passive.
For all these Security Filters manually change the automation mode to "Auto
Refinement".
Create custom views in Forensics Security Log to filter the security events by
"tunnel" event
Refine\review Tunnel event
switch tunnel to active while all the filters are Passive

Security Filters.
For each such filter review the events and make sure there are no false positives
switch filter by filter to active mode
Depending on how frequently the web application is being updated and
You can consider disabling Automatic Policy Generation either per filter or globally across the device in the Security
modified, consider to disable Automatic Policy Generation per
Policies > Auto Policy Generation. You can also disable tunnel's "Auto Policy optimization" in the relevant tunnel >
filter\tunnel\device
"General Properties".
OR
PHASE 10.2: The Rapid Approach
Active Tunnel
Security Filters.
For each such filter review the events and make sure there are no false positives
consider disabling Automatic Policy Generation per filter\tunnel\device
depending on how frequently the web application is being updated and modified.
Refine\review Tunnel event
"tunnel" event
switch tunnel to active while all the filters are Passive
consider to disable Automatic Policy Generation per filter\tunnel\device
depending on how frequently the web application is being updated and modified.

AppWall Implementation Plan V10 AppWall Verion 5 6

Caricato da

Informazioni sul documento

Descrizione originale:

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

AppWall Implementation Plan V10 AppWall Verion 5 6

Caricato da

Copyright:

Formati disponibili

Assumptions and Recommendations

Assumptions and Recommendations

Get the domains\URLs with protocols (HTTP\HTTPS:Uniqe port).

AppWall Implementation Steps (version 5.6)

Implementation Goals and Planning

Based on the your implementation goals plan the implementation:

Pre-Install Information Gathering

Deployment in Staging Environment

If VMware ESX infrastructure exists, consider using AppWall VA.

Select preferable deployment mode

Preferably implement AppWall in Test/QA/Staging environment

ADC (Alteon or AppDirector) deployment

Monitoring Traffic Volume (CEC)

Set the caching only on AppWall Farm.

LB rules based on source IP for testing e.g. QA\LAN

Local AppWall Settings:

Validate that an authenticated license is installed on AppWall.

Verify that the relevant AppWall instance is running (Gateway or Cluster)

For additional details regarding Cluster deployment please refer to KB2441

Map network topology

Have a network topology map

Define Network Firewall rules for web traffic

Check code-page for every protected website

Create and configure in AppWall a security page

Rollback plan & execution

what do YOU do in a case of emergency:

Initial Configuration: Create a Tunnel in Passive Mode

defining 1-2 tunnels to protect the implementation sites.

consider the limitation of number of tunnels

XFF (X-Forwarded-For) or TrueIP HTTP header

Set the tunnel default working mode to Passive

Configure AppWall to add client source IP address to the XFF header

Code page, Masking Errors, Server Identity

Selecting Security Implementation Strategy

Risk, values and tradeoffs

Consider how you can hedge the risk/effort through implementation of

Defining Standard Security policy

Time for Level: 3 day(s)

Web Application can be defined on a:

at the Host level setting in the Security Policy

Let the Auto-discovery build application tree according to processed traffic

Configure the AppWall system to forward events to Vision Reporter

Right Click - backup or from Web Based Management interface

Defining Advanced Security policy

Time for Level: 3 - 4 days

at the Host level setting in the Security Policy

Payment and shopping cart web app pages

or in Full Auto mode

Browse through AppWall

Let the Auto-discovery build application tree according to processed traffic

Additional security features can be enabled based on needs and requirements

Configure the AppWall system to forward events to Vision Reporter

Identify sensitive cookies and secure them.

Backup the policy

Right Click - backup or from Web Based Management interface

Defining Complete Security policy

Time for Level: ~2 weeks

The Auto Policy Generated Policy

Set the Auto mode in the Web Application wizard

Tools which AppWall offers for Auto Policy Generation:

Browse through AppWall

Let the Auto-discovery build application tree according to processed traffic

Forward traffic through AppWall: