Prev     Next

Chapter 4. How to recipes

Table of Contents

1. Operating mode
1.1. Changing operating mode
2. Adding a proxy
2.1. Adding an HTTP proxy
2.2. Adding an HTTPS proxy
3. Clustering configuration
3.1. Configuring a load balanced cluster
3.2. Configuring a fail-over cluster

1. Operating mode

A proxy can operate in one of four different modes:

Pass

In pass mode all requests are passed through the proxy. No requests are blocked and no logging is performed.

When a proxy is added this mode is selected per default.

Learn

In learn mode the proxy is learning from requests. No requests are blocked and only requests maching a set of negative criteria are logged and classified.

When no new information is gained from additional requests a policy is generated and the proxy automatically switches to detect mode, if configured to do so (default).

Detect

In detect mode the proxy behaves as if it was running in block mode with the prominent exception that nothing actually gets blocked. It only logs the actions that would have been taken if it was running in block mode. The detect mode can be compared to an intrusion detection system. It detects but does not prevent policy violations. This mode is useful for testing a policy before going into block mode.

Block

In block mode blocking and logging is performed according to the access policy.

Auto

In Auto mode the proxy automatically adapts to changes in the web applications. Auto mode offers instant protection by employing a combination of positive and negative policy rules. At first a general negative policy is enforced but as Profense maps a profile of the web applications and the web site in general the policy becomes more specific and shift towards a positive security model for specific applications.

Auto mode is only available in Profense™ Professional (and trial).

The operating mode can be changed in several places: In the list of configured proxies select the new operating mode in the Mode drop-down box for the proxy to be changed.

Proxy overview

In the list of configured proxies shown when selecting Proxy -> Manage the mode can be changed by selecting the new operating mode in the Mode drop-down box for the proxy to be changed.

Learner

In the Learner configuration and overview page ( Proxy -> Manage -> Policy -> Learning ) the mode can be changed by selecting the new operating mode in the Mode drop-down box.

Web Application Firewall configuration

In the Web application firewall configuration section ( Proxy -> Manage -> Settings -> Web application firewall ) the mode can also be changed via a Mode drop-down box.

Automatic change by learner

If the Learner is configured (default) to automatically build an access policy when information sampling thresholds are reached the operating mode will automatically be changed from Learn to Detect by the Learner when the sampled data is analyzed and a policy has been built.

2. Adding a proxy

Path: Proxy -> Manage + Add Proxy .

Follow the steps below.

In the Virtual server section

  1. Select HTTP as the protocol.

  2. Enter the fully qualified domain name (e.g. www.mydomain.com) or IP address in the Virtualhost/IP field - that is: The public address of the web server you want to add a proxy for.

  3. Select the port the TCP/IP port number assigned for the proxy. Default: <HTTP=80, HTTPS=443)

When the proxy is created virtual host aliases can be added in Proxy -> Manage -> Settings -> Servers .

For more information see Section 10.3, “Virtual host aliases”

In the Real web server section

  1. Select the protocol you want Profense™ to use for traffic between Profense™ and the web server. HTTP is the default selection but HTTPS is also possible if you want the traffic to be SSL-encrypted.

  2. Enter the IP address or domain name of the web server domain name requires a name server to be configured for Profense™ - see page 41)

  3. Enter the port number the web server is listening to.

Please refer to the proxy management section for details on configuring the proxy.

When the HTTP-proxy is configured click the save proxy button.

Select operating mode (Section 1, “Operating mode”), initial configuration (Section 5.1, “Initial configuration”) and, if necessary, set buggy web server options (Section 3.7, “Adding a Proxy”).

In the Virtual server section

  1. Select HTTPS as the protocol.

  2. Enter the fully qualified domain name (e.g. www.mydomain.com) or IP address in the Virtualhost/IP field - that is: The public address of the web server you want to add a proxy for.

  3. Select the port the TCP/IP port number assigned for the proxy. Default: <HTTP=80, HTTPS=443)

  4. Select the IP address for the SSL-proxy in the bind drop-down box. Be sure not to select an address which is bound to another SSL-proxy.

Initially the proxy will be created with a temporary "self signed" certificate. The real SSL certificate will be imported when the proxy is added to the system.

In the Real web server section

  1. Select the protocol you want Profense™ to use for traffic between Profense™ and the web server. HTTP is the default selection but HTTPS is also possible if you want the traffic to be SSL-encrypted.

  2. Enter the IP address or domain name of the web server domain name requires a name server to be configured for Profense

  3. Enter the port number the web server is listening to.

Please refer to the proxy management section for details on configuring the proxy.

Select operating mode (Section 1, “Operating mode”), initial configuration (Section 5.1, “Initial configuration”) and, if necessary, set buggy web server options (Section 3.7, “Adding a Proxy”).

When the HTTPS-proxy is configured click the Save proxy button.

When creating a proxy for an existing HTTPS web server you need to move the SSL-certificate from the web server to Profense™. This is done by exporting the SSL-certificate from the web server and importing it into Profense™.

Profense™ supports importing of PKCS12 and PEM encoded server certificates.

To export a certificate from the web server please refer to the vendors guidelines:

Microsoft

Microsoft guidelines can be found on these addresses:

IIS 5.0

How to back up a server certificate in Internet Information Services 5.0

IS 6.0

Exporting a Client Certificate for One-to-One Mapping

Export the certificate to a .PFX file (default) which is PKCS12 encoded.

Apache

For web servers running Apache:

  1. Obtain the SSL-certificate file from the web servers file system. By default the file is PEM-encoded.

To import a certificate go to Proxy -> Manage -> Settings -> Servers .

In the section Virtual web server select Update certificates .

Depending on the format of the certificate select the appropriate action in the bullet list.

If the certicifate is in the PKCS12 format follow the guidelines below:

  1. Enter the path to the certificate file in the PKCS12 file input field.

  2. Enter Passphrase in the Passphrase input field.

  3. Click Save settings in the lower button pane.

If the certificate is in the PEM format follow the guidelines below:

  1. Open the .PEM file in a text-editor. Copy the public certificate section of the certificate.

    The public key/certificate is the section of the certificate file between (and including) the certificate start and end tags. Example:

    -----BEGIN CERTIFICATE-----

Certificate characters

-----END CERTIFICATE-----

  2. Select Import SSL certificate In the Profense™ management interface

    Paste the SSL public key/certificate into the SSL-certificate field.

  3. Go back to the text editor and copy the (SSL) private key section of the certificate. The (SSL) private key is the section of the certificate file between (and including) the private key start and end tags. Example:

    -----BEGIN RSA PRIVATE KEY-----

Private key characters

-----END RSA PRIVATE KEY-----

  4. Enter the passphrase for the private key in the passphrase field (if the original private key was encrypted).

3. Clustering configuration

If Profense™ is run in a load balanced environment or in a high availability configuration a cluster of Profense™ nodes can be configured to share the same ACL. With ACL synchronization one Profense™ node is assigned the role of Teacher and the other units are assigned a Learn role.

To configure a load balanced (active/active) cluster of two Profense™ nodes do the following:

Node 1 (master) configuration

Create LOADBALANCE MASTER interfaces by doing the following:

  1. In Cluster virtual IP configuration enter the virtual IP address of the cluster in the the Virtual IP field.

  2. In Netmask enter the netmask specifying the subnet for the virtual ip.

  3. In the Type drop-down menu select LOADBALANCE MASTER.

  4. Click the Add virtual IP button.

This will create two Carp interfaces with types LOADBALANCE and FAILOVER and the same VIP (Virtual IP).

The LOADBALANCE interface with priority 254 and the FAILOVER interface with priority 154. Apart from the IP and Netmask, when changes are applied (the blinking message in the upper right corner of the window), your configuration should look like below:

Example of carp load balancing interfaces created om master.

Figure 4.1. Carp load balancing interfaces on master


Enable cluster synchronization and designate the role TEACH in the Synchronization configuration section:

  1. Select Enable proxy settings synchronization

  2. Select TEACH in the Mode drop-down.

  3. Enter a password for the cluster in the Password field.

  4. Click the Save button.
Node 2 (slave) configuration

Create LOADBALANCE SLAVE interfaces by doing the following:

  1. In Cluster virtual IP configuration enter the virtual IP address of the cluster in the the Virtual IP field.

  2. In Netmask enter the netmask specifying the subnet for the virtual ip.

  3. In the Type drop-down menu select LOADBALANCE SLAVE.

  4. Click the Add virtual IP button.

This will create two Carp interfaces with types LOADBALANCE and FAILOVER and the same VIP (Virtual IP).

The LOADBALANCE interface with priority 154 and the FAILOVER interface with priority 254. Note that the priority is opposite the carp interfaces on the master node ( node 1 ).

You now have two carp interfaces with the same VIP (Virtual IP) as the interfaces configured on node 1 like the example below. Remember to apply changes by clicking blinking link apply changes in the upper right window corner, otherwise the state of the interfaces will not be reported correctly.

Example of carp load balancing interfaces created om slave.

Figure 4.2. Carp load balancing interfaces on slave


Supposing there are no other or an equal amount of CARP interfaces configured on both nodes the VHID on the two nodes should be equal.

  1. On node 1 the LOADBALANCE interface should have the same VHID as the LOADBALANCE interface on node 2.

  2. On node 2 the FAILOVER interface should have the same VHID as the FAILOVER interface on node 1.

Otherwise configure the interfaces two achieve the above in CARP interfaces (Section 1.4, “CARP Interfaces”).

Enable cluster synchronization and designate the role LEARN in the Synchronization configuration section:

  1. Select Enable proxy settings synchronization

  2. Select LEARN in the Mode drop-down.

  3. Enter the same cluster password as for node 1for the cluster in the Password field.

  4. Click the Save button.

To configure a fail-over (active/passive) cluster of two Profense™ nodes do the following:

Node 1 configuration

Create a FAILOVER-MASTER interface by doing the following:

  1. In Cluster virtual IP configuration enter the virtual IP address of the cluster in the the Virtual IP field.

  2. In Netmask enter the netmask specifying the subnet for the virtual ip.

  3. In the Type drop-down menu select FAILOVER-MASTER.

  4. Click the Add virtual IP button.

Enable cluster synchronization and designate the role TEACH in the Synchronization configuration section:

  1. Select Enable proxy settings synchronization

  2. Select TEACH in the Mode drop-down.

  3. Enter a password for the cluster in the Password field.

  4. Click the Save button.
Node 2 configuration

Create a FAILOVER-BACKUP interface for the same virtual IP by doing the following:

  1. In Cluster virtual IP configuration enter the virtual IP address of the cluster in the Virtual IP field.

  2. In Netmask enter the netmask specifying the subnet for the virtual ip.

  3. In the Type drop-down menu select FAILOVER-BACKUP.

  4. Click the Add virtual IP button.

Enable cluster synchronization and designate the role LEARN in the Synchronization configuration section:

  1. Select Enable proxy settings synchronization

  2. Select LEARN in the Mode drop-down.

  3. Enter the same cluster password as for node 1for the cluster in the Password field.

  4. Click the Save button.
© 2007 Armorlogic
Prev     Next
Chapter 3. Working with Access Control Policies  Home  Chapter 5. Profense™ Proxy reference