Prev     Next

Chapter 2. Getting started

Table of Contents

1. Installing Profense
1.1. Hardware
1.2. Necessary information
1.3. Installation
2. Using the Profense™ web management interface
2.1. Accessing Profense™ web management interface
2.2. Navigating Profense™ web management interface
3. Basic administration
3.1. Definitions
3.2. Getting help
3.3. Change administrator password
3.4. Configuring interfaces
3.5. Configuring for updates
3.6. Installing updates
3.7. Adding a Proxy
3.8. Deleting a proxy
3.9. Developing the Policy
3.10. System monitoring
3.11. Backup and restore

1. Installing Profense

Profense™ includes a secured operating system and can be installed on most AMD64 and i386 compatible hardware platforms incl. virtual platforms.

During the Profense™ installation, the harddisk you install it on, will be completely erased.

For testing purposes, Profense™ can be installed on most PCs. For production use, we recommend usage of a hardware platform which is tested and approved by Armorlogic. Please refer to our home page for the current list: www.armorlogic.com/purchase_supported_hardware.html.

During the Profense™ installation, you will be asked to supply the following information:

  1. IP address(es) for the system's network interfaces

  2. Network mask for the respective interfaces

  3. Gateway IP address (default route)

  1. If you have downloaded a Profense™ ISO-image, start with creating a Profense™ CD-ROM from the image. The resulting CD-ROM is bootable. If you are installing on a virtual platform you can probably skip this step as you can mount the ISO-image directly.

  2. Boot the installation platform from the Profense™ CD-ROM or ISO-image.

  3. Follow the on-screen instructions. Depending on the size of the harddisk you install on, the installation usually takes between 5 and 15 minutes.

  4. When the installation is finished, the address and login credentials for the web-based management interface are displayed at the screen. Remember to note this information.

  5. Remove the CD-ROM from the CD-ROM drive and reboot the platform.

2. Using the Profense™ web management interface

Profense™ management interface contains many features to help you manage the security of your web applications and servers. In this section, we attempt to highlight all of these features, by listing tasks that you should perform to correctly configure Profense™. The information contained in this table presumes that you have successfully installed and configured Profense™ on your hardware.

To access Profense™ management interface, open a web-browser and enter URL https://profense_ip_address:2000/. The management interface port (which by default is 2000) can be changed.

If you are accessing the management interface for the first time, you will be asked for a license key.

If you do not have a license key follow the instructions below the license key input field. We recommend that you activate the Profense™ Professional 30-day trial as the trial is fully functional and later can be converted to either a Professional or the free license.

Enter the license key and click the "Activate" button. If the key is valid, you will be asked to agree to the Profense™ license agreement. After you have read and agreed to the license terms you are redirect to the "Profense™ administration login" screen.

Note: The first time you log in to the CLI, use the default username "admin" and the default password "admin123". This can be changed when logged in.

The management interface is divided into 3 main sections:

Configuration of all defined virtual proxies, including proxy settings, ACL (access control list) administration, configuration of proxy global security settings and logs.

Configuration of system parameters like network interfaces, IP addresses, fail-over, network settings (DNS, NTP, SMTP), viewing of system logs and status information, including administration of updates, backup and configuration restore.

Main (vertical) menu system is on the left side of the screen. Content assigned to the menu item is displayed on the right side of the screen. An additional horizontal menu system appears where applicable.

Access to help help and support related information including documentation, version information and support links.

3. Basic administration

This section describes most of the basic administration tasks that can be performed via Profense™ management interface.

Web server: A web server is a logical server defined by its web address - i.e. http://www.armorlogic.com or https://www.armorlogic.com.

Protecting a web site serving traffic both on HTTP and HTTPS on the same DNS-address, requires therefore the creation of two Profense™ proxies.

Proxy: Profense™ protects a web site by acting as a filtering proxy for the sites web servers. Profense™ can handle several web servers and every server is referred to as a "proxy" in Profense™.

Clicking on Help in the horisontal menu will display the manual reference section covering the current window.

The complete manual is available in HTML and PDF versions in the Help section of the left menu pane .

Change the administrator password from the default value in:

System -> Users

Be sure to bind "inbound traffic" to at least one of the systems interfaces in:

System -> Interfaces

Otherwise the requests to the systems proxies will not be answered.

In order for the automated update system to work, you need to configure a DNS-server in:

System -> Configuration

Also Profense™ needs to be able to initiate the following outbound connections:

29700/tcp: querying of available updates

8080/tcp: download of available packages

to the host "updates.Profense™.net". Make sure that these connections are allowed.

To install available updates, perform the following steps:

  1. Click on System -> Updates in the left menu

  2. Select updates you want to install under Available updates section by checking the box to the right

  3. Click on the Install button

[Note] Note

Updates must be installed in the correct order. This is enforced by the system.
[Note] Note

Updates to the core Profense™ components require system reboot. A message will appear on the screen informing the system administrator that a reboot is needed in order to complete the update.

To manage, add and remove proxies select Proxy -> Manage in the left menu pane. This will take you to the proxy overview page.

To add a new proxy, click on the Add proxy button in the proxy overview page.

The Proxy -> Add section consists of the subsections:

Virtual web server

Enter the HTTP address of the web server you want to proxy connections for including protocol and port. This address is the one you want the web sites visitors to see.

When selecting HTTPS as the protocol a temporary certificate will be generated. When the new proxy is created the certificate can be replaced by importing the real certificate in Proxy -> Manage -> Settings -> Servers .

Real web server

Enter the address of the web server you want Profense™ to redirect allowed client requests to. This address is the address of the web server you want to protect.

Initial operating mode

The proxy can operate in one of the five major modes below:

Pass through

No filtering or learning applied. All requests are passed through to web systems.

Load balancing and acceleration features working as configured.

Learn

All requests are passed through to web systems. Requests and web server responses are analyzed by the learner and a policy is gradually built upon the information learned. When learning thresholds are reached, by default the system will switch to detect mode.

Load balancing and acceleration features working as configured.

Detect

All requests are passed through to web systems but the policy is applied and requests violating the policy are logged. This mode can best be compared to an IDS-system applying a positive policy.

Load balancing and acceleration features working as configured.

Block

All requests are validated against the policy and requests validating the policy are logged and blocked according to the block action configured.

Load balancing and acceleration features working as configured.

Auto

In Auto mode the proxy automatically adapts to changes in the web applications. Auto mode offers instant protection by employing a combination of positive and negative policy rules. At first a general negative policy is enforced but as Profense maps a profile of the web applications and the web site in general the policy becomes more specific and shift towards a positive security model for specific applications.

Auto mode is only available in Profense™ Professional (and trial).

Default selection : License dependent:

Professional and Professional Trial license

Auto mode

Base license

Pass through

Initial policy configuration

Should a basic policy be configured or not? The two options are:

Normal policy configuration

No policy is configured as the policy is expected to be configured automatically by the learner.

Normal policy configuration with basic (loose) policy rules

With this option selected a few very general policy rules are configured.

Default selection: depends on Initial operating mode.

Pass through and Learn: Normal policy configuration.

Detect and Block: Normal policy configuration with basic (loose) policy rules.

Buggy web server options

In some cases (mostly when IIS is envolved) it can be necessary to disable real server keep-alive and/or down grade the real server to HTTP/1.0. You want to start without these options unless you know for certain that they are necessary.

If this is the first proxy you create do not enable any of these options. They can be set later in Proxy -> Manage + Settings -> Servers if necessary.

Disable real server keep alive

In some cases (mostly when IIS is involved) using keep-alive to backend servers can result in "Bad gateway" error (502) being sent to the client due to the web server not handling the keep-alive connection well.

To check if it is necessary to enable this feature look for log lines like "(54)Connection reset by peer: proxy: error reading status line from remote server" in the system core log ( System -> Logs + Core ).

This is an option to compensate for buggy web server implementations. In some cases (mostly when you do not need to enable it) it will force the real server to downgrade to HTTP/1.0 disabling cookies, etc.

Force HTTP 1.0 protocol to real server

As above, this is an option to compensate for buggy web server implementations.

All selections, except for the Virtualhost/IP can be changed later so it is perfectly OK to accept default selections.

When all necessary fields are filled out press the button: Save proxy

When the new proxy is saved you will be redirected to Proxy -> Manage -> Settings .

To delete a proxy from the system, perform the following steps:

  1. Click on Proxy -> Manage in the left menu

  2. From the overview list shown, simply locate the proxy you want to delete and click on the X symbol to the right of the proxy you want to delete

  3. Confirm the action by clicking on OK button in the dialog box that appears on the screen

The level of automation and the tools and methods available and for developing the policy depends on the license.

The Policy can either be developed automatically using the Learner or manually or using a combination. That is: modifying the automatically generated policy manually. The learner does a pretty good job though and in most cases it is not necessary to post modify the automatically generated policy.

In Profense™ Professional (and trial) Auto mode is available. Auto mode start out with negative filtering and gradually shifts towards positive filtering as the website and web applications are learned.

If you want to build the policy manually please familiarize yourselve with the access policy chapter of the Profense Manual.

In Auto mode the proxy automatically adapts to changes in the web applications. Auto mode offers instant protection by employing a combination of positive and negative policy rules. At first a general negative policy is enforced but as Profense maps a profile of the web applications and the web site in general the policy becomes more specific and shift towards a positive security model for specific applications.

  1. Make sure requests to the web site you want to protect are handled by Profense™ by pointing DNS lookups to the web system to Profense™.

  2. Configure the proxy to run in Auto mode (if not already done so) by setting the mode using the mode selector in Proxy -> Manage or by accepting default mode and policy configuration when creating a proxy.

  3. Watch the policy evolve as Profense learns the website and web applications. For every 10,000 requests the Learner analyzes the learning state a.o. by building a trial policy and comparing it to former trial policies. When configurable threshold values are reached for request parameters or paths (URI's) the Learner adapts the policy to enforce positive validation of these.

  4. The Proxy stays in Auto mode and when new content or new applications are added to the web site they are learned and the policy is adapted.

Auto mode is only available in Professional and Professional trial licenses.

To build a policy automatically:

  1. Make sure requests to the web site you want to protect are handled by Profense™ by pointing DNS lookups to the web system to Profense™.

  2. Configure the proxy to run in Learn mode (if not already done so) by setting the mode using the mode selector in Proxy -> Manage .

  3. Wait for the learning process to complete. For every 10,000 requests the Learner analyzes the learning state a.o. by building a trial policy and comparing it to former trial policies. When configurable threshold values are reached the Learner automatically change the Proxy operating mode to Detect.

    Note that for Profense™ to learn the "behaviour" of one or more web applications it is necessary that the learning data are representative of normal traffic to the web site in question. By default the Learner is configured not to switch to Detect mode until 100,000 requests have been handled by the Learner without resulting in policy changes. This threshold is if course configurable.

  4. Let the Proxy run for a while in Detect mode to ensure that the policy is working as intended and then switch to Block mode.

Learn mode is available in all licenses.

To view the current system status, click on System -> Status in the left menu. A page showing important system parameters is displayed.

[Note] Note

System monitoring can be performed externally by accessing the URL https://profense_system_ip_address:2000/monitor.html. Make sure that the management interface is available on the selected IP address by verifying the configuration under the Bind section

Backup and restore can be performed via filesystem, FTP or SCP.

To manually backup the entire Profense™ configuration to a file, perform the following steps:

  1. Click on System -> Tools in the left menu

  2. Click on the Download button right to the Export section of Backup

  3. Select a directory where to save the file and confirm the prompted dialog

To restore the entire Profense™ configuration from a file, perform the following steps:

  1. Click on System -> Tools in the left menu

  2. Click on the Browse button right to the File upload section of Backup

  3. Select the file containing the previously saved Profense™ configuration and confirm the prompted dialog

  4. Click on the Upload button

To restore the entire Profense™ configuration from an FTP server, perform the following steps:

  1. Click on System -> Tools in the left menu

  2. Enter the full path to the Profense™ configuration file stored on the FTP server configured in the FTP download field section of Backup

  3. Click on the Download button

To configure automated FTP backup, perform the following steps:

  1. Click on System -> Configuration in the left menu

  2. Under Auto-backup enter the required information

  3. Check the Enable FTP auto-backup checkbox

  4. Click on the Save button.

To restore the entire Profense™ configuration from an SCP server, perform the following steps:

  1. Click on System -> Tools in the left menu

  2. Enter the full path to the Profense™ configuration file stored on the SCP server configured in the SCP download field section of Backup

  3. Click on the Download button

To configure automated SCP backup, perform the following steps:

  1. Click on System -> Configuration in the left menu

  2. Under Auto-backup enter the required information

  3. Check the Enable SCP auto-backup checkbox

  4. Click on the Save button.

© 2007 Armorlogic
Prev     Next
Chapter 1. Profense™  Home  Chapter 3. Working with Access Control Policies