Lab Exercises
Using IBM X-Force Deep Packet Inspection in the IBM Security Access Manager Appliance
IBM Training
Contents
Exercises
Exercise 1 Enabling the PAM module in ISAM
Exercise 2 Testing the PAM module
The following diagram illustrates the lab setup used for this demo.
There are three virtual machines, each connected to the virtual switch through a single network
interface card.
• ISAM is the IBM virtual appliance used for access management solutions. It includes a built-in
authentication and access management engine, an internal LDAP-compliant Directory Server, and a
reverse proxy module. The reverse proxy module controls access to the back-end web
applications over a special connection called a junction.
Note: The transparent path junction is already configured on the ISAM appliance. You can review
the junction setup in Appendix. Junction setup on page 11.
• Vulnerable Server contains several vulnerable applications. This demo uses the fictional
company Altoro Mutual and demonstrates the vulnerability of the Altoro Mutual web application.
• Client Machine is used to access the ISAM administration interface and perform single sign-on
to the Altoro Mutual web application. It is also used to demonstrate SQL Injection and cross-site
scripting attacks, and to show how ISAM can protect your environment.
Note: This virtual machine is running Ubuntu 16.x Linux and uses Firefox.
2. Enter the following URL to access the Access Manager administration interface:
https://192.168.42.199
3. Log in as admin using password P@ssw0rd.
7. In the Web Content Protection Configuration window, select the following options:
a. Operating Configuration tab
i. Select Enable Web Content Protection.
Important: In simulation mode, PAM reports attacks and provides information about blocking
(simulated blocking), but the attack still succeeds because the appliance does not enforce the
block. Reviewing the attack results helps you understand the anatomy of the attack and determine
how best to prevent it. If you want to block attacks, do not select simulation mode.
iii. In the Resource Action section, leave the default settings.
b. Click the Issues tab and review the default settings. The issues listed are X-Force
signatures that recognize different HTTP vulnerabilities and block the attacks.
c. Click the Audit tab. To view the attacks blocked by PAM, select Enable Log Detailed Audit
Events.
d. Click the Advanced Configuration tab and leave the default settings.
8. Click Save.
2. Enter the following URL to access the Altoro Mutual web junction:
https://192.168.42.200/altoromutual
4. At the top of the Altoro Mutual Login page, click the Sign In link.
The SSO mechanism automatically logs the user into the application and displays the View
Account Details page.
Hint: You can copy the attack string from the web-attacks-sample text file on the desktop.
7. Click Submit and note that the Action column includes user login credentials.
This type of attack is known as an SQL Injection data manipulation attack and can be blocked
by PAM. In this demo, PAM is configured in Simulation mode. While blocking does not occur in
Simulation mode, the attack details are recorded in the pam.log file.
2. From the Firefox toolbar, click the No-Scripts icon and select Allow Scripts Globally
(dangerous).
3. If the session has expired, log in to Altoro Mutual as jsmith using password P@ssw0rd.
6. On the Feedback form, in the Your Name field, enter the attack script:
<script> alert('Hello World') </script>
5. Click Manage > Logging.
6. In the Manage Reverse Proxy Log Files window, select pam.log and click View.
Hint: You can download the log or copy it into a text editor to enable text search capabilities.
8. Look for the security events that are related to SQL injection and cross-site scripting attacks.
Note: Even if the action field shows Block, the attack was not blocked, because the
appliance was using simulation mode. Simulation mode is indicated in the log as non-enforcing.
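The log review in step 8 can be scripted once the log is downloaded. The following is an added example, not part of the original lab guide: the sample lines, their key=value layout, the issue names and the client address are constructed for illustration, and only the Block and non-enforcing markers come from the lab text, so adjust the patterns to the lines your appliance actually writes.

```python
import re
from collections import Counter

# Constructed sample lines (assumed layout, NOT the appliance's real format).
SAMPLE_LOG = """\
2017-03-02T10:15:01 issue=SQL_Injection action=Block mode=non-enforcing client=192.168.42.50 uri=/altoromutual/doLogin
2017-03-02T10:17:44 issue=Cross_Site_Scripting action=Block mode=non-enforcing client=192.168.42.50 uri=/altoromutual/feedback
2017-03-02T10:18:02 issue=HTTP_Other action=Ignore mode=non-enforcing client=192.168.42.50 uri=/altoromutual/index.jsp
2017-03-02T11:02:13 issue=SQL_Injection action=Block mode=enforcing client=192.168.42.50 uri=/altoromutual/doLogin
"""

# Attack classes the lab asks you to look for; the spellings are assumptions.
ATTACK_PATTERNS = {
    "sql_injection": re.compile(r"sql[\s_-]*injection", re.I),
    "cross_site_scripting": re.compile(r"cross[\s_-]*site[\s_-]*scripting|\bxss\b", re.I),
}
NON_ENFORCING = re.compile(r"non-enforcing", re.I)  # simulation mode marker
BLOCK = re.compile(r"\bblock\b", re.I)              # value of the action field


def triage(log_text):
    """Return one finding per SQL injection or XSS event in the log text."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        category = next((n for n, p in ATTACK_PATTERNS.items() if p.search(line)), None)
        if category is None:
            continue
        action_block = bool(BLOCK.search(line))
        simulated = bool(NON_ENFORCING.search(line))
        findings.append({
            "line": lineno,
            "category": category,
            "action_block": action_block,
            # A Block action only stops the request when PAM is enforcing.
            "actually_blocked": action_block and not simulated,
        })
    return findings


def summarize(findings):
    """Count events per (category, outcome) so simulated blocks stand out."""
    counts = Counter()
    for f in findings:
        outcome = "blocked" if f["actually_blocked"] else "not_blocked"
        counts[(f["category"], outcome)] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, n in sorted(summarize(triage(SAMPLE_LOG)).items()):
        print(key, n)
```

Events counted as not_blocked while the action field says Block are the ones that reached the back-end application in simulation mode.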
To set up the Single Sign On junction from the appliance to the Altoro Mutual web application,
perform the following high-level steps:
• Configure the network interface
• Configure the runtime component
• Configure the reverse proxy component
• Configure the SSO user
• Create the forms-based SSO configuration file
• Configure the junction
6. Add a new IP address: 192.168.42.200/24.
2. Before you configure the runtime component, you must set the embedded LDAP password.
Select Manage > Embedded LDAP.
3. In the pop-up window, type the password P@ssw0rd and click Submit.
4. Click Configure.
c. Click Next.
g. Click Finish.
6. Review the System Notification message and Status to confirm that the runtime component has
been successfully configured.
3. In the New Reverse Proxy Instance window, perform the following steps:
a. For Instance Name, use web1.
c. Click Next.
d. On the IBM Security Access Manager tab, for the Administrator Password, type
P@ssw0rd.
e. Click Next.
f. On the Transport tab, select both Enable HTTP and Enable HTTPS.
g. Click Finish.
4. Review the System Notification message and Status to confirm that the new proxy instance has
been successfully configured.
2. Log in to the Policy Administration tool using user sec_master and password P@ssw0rd.
3. Select GSO Resources > Create GSO and perform the following steps:
a. For GSO Name, enter altoroj.
c. Click Create.
d. Click Done.
4. Select User > Create User and configure the following settings:
a. User Id: jsmith
c. Surname: Smith
d. Password: P@ssw0rd
5. Click Create.
b. Type: GSO
d. Password: demo1234
e. Confirm Password: demo1234
9. Click Create.
3. In the create window, replace the Content field with the following information:
[forms-sso-login-pages]
login-page-stanza = altoro-login
[altoro-login]
login-page = /altoromutual/login.jsp
login-form-action = doLogin
gso-resource = altoroj
argument-stanza = args-for-altoro-login
[args-for-altoro-login]
uid = gso:username
passw = gso:password
5. Click OK.
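The three stanzas above reference each other and the GSO resource created earlier, and a mismatch in any name breaks the single sign-on. The following is an added example, not part of the original lab guide or of the product: a small consistency check over that file, where the function name and the set of keys treated as required are assumptions based on the stanza shown on this page.

```python
import configparser

# The forms SSO configuration from this page, embedded so the check runs offline.
FSSO_CONF = """\
[forms-sso-login-pages]
login-page-stanza = altoro-login
[altoro-login]
login-page = /altoromutual/login.jsp
login-form-action = doLogin
gso-resource = altoroj
argument-stanza = args-for-altoro-login
[args-for-altoro-login]
uid = gso:username
passw = gso:password
"""


def check_fsso(text, known_gso_resources):
    """Return a list of cross-reference problems (empty list means consistent).

    Assumption: one login-page-stanza entry, as in the lab file.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("forms-sso-login-pages"):
        return ["missing [forms-sso-login-pages] stanza"]
    problems = []
    for key, stanza in cp.items("forms-sso-login-pages"):
        if key != "login-page-stanza":
            continue
        if not cp.has_section(stanza):
            problems.append(f"login page stanza [{stanza}] is not defined")
            continue
        page = cp[stanza]
        for required in ("login-page", "login-form-action", "argument-stanza"):
            if required not in page:
                problems.append(f"[{stanza}] lacks {required}")
        args = page.get("argument-stanza", "")
        if not args:
            continue
        if not cp.has_section(args):
            problems.append(f"argument stanza [{args}] is not defined")
            continue
        # gso:username / gso:password are filled from the named GSO resource.
        uses_gso = any(v.startswith("gso:") for _, v in cp.items(args))
        resource = page.get("gso-resource")
        if uses_gso and resource not in known_gso_resources:
            problems.append(f"[{stanza}] gso-resource {resource!r} was not created")
    return problems
```

Calling `check_fsso(FSSO_CONF, {"altoroj"})` returns an empty list for the file as given on this page.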
Configure the junction
1. In the Access Manager web administration interface, navigate to Secure Web Settings >
Reverse Proxy.
4. In the Junction Management - web1 window, select New > Standard Junction.
c. Leave the default values and skip the Basic Authentication tab.
e. Leave the default values and skip the SSO and LTPA tab.
g. Click Save.
3. At the top of the Altoro Mutual Login page, click the Sign In link.
4. Confirm that you are not asked for login credentials again and that the Account details page
displays.
5. To log out of Altoro Mutual, click the Sign Off link.
Hint: Enter the following URL to access the web application without using a junction and observe
the login behavior: http://192.168.42.201/altoromutual.