bring your own license. - indusface › docs › how to setup total...bring your own license. -...

Bring Your Own License.


1 Confidential | Copyright © 2016 Indusface | All Rights Reserved

TABLE OF CONTENTS

Access Total Application Security – BYOL on AWS Marketplace ................................................................................................ 3

Configuring Total Application Security ................................................................................................................................... 13

Adding a Website ........................................................................................................................................................................... 16

Indusface Total Application Security Portal Tour .................................................................................................................... 21

Profile and Licensing Info ....................................................................................................................................................... 21

Documents ............................................................................................................................................................................ 23

Logout ................................................................................................................................................................................... 23

Summary ............................................................................................................................................................................... 23

Block Status ................................................................................................................................................................................... 25

DDoS Attacks Blocked .................................................................................................................................................................... 26

Top 5 Attack Categories ................................................................................................................................................................. 26

Top 5 Attacks By IPs ....................................................................................................................................................................... 27

Top 5 Attacks By Countries ............................................................................................................................................................ 27

Top 5 Attacked URIs ....................................................................................................................................................................... 28

Detect ................................................................................................................................................................................... 29

Detected Vulnerabilities ................................................................................................................................................................. 30

Vulnerabilities Categories .............................................................................................................................................................. 30

Vulnerabilities details .................................................................................................................................................................... 31

Scanning and Pen Testing .............................................................................................................................................................. 32

Protect .................................................................................................................................................................................. 35

Blocked Attacks .............................................................................................................................................................................. 36

Attacks By IP .................................................................................................................................................................................. 36

Attacks By Category ....................................................................................................................................................................... 39

Attacks By URI ................................................................................................................................................................................ 41

Monitor ................................................................................................................................................................................. 44

Attacks By IP .................................................................................................................................................................................. 45

Settings ................................................................................................................................................................................. 54

Web Application IP Address ........................................................................................................................................................... 54

WAF Status .................................................................................................................................................................................... 55

IPs Blacklisted ................................................................................................................................................................................ 55

IPs Whitelisted ............................................................................................................................................................................... 55

Countries Blacklisted ...................................................................................................................................................................... 55

URIs Whitelisted ............................................................................................................................................................................. 56



Forgot Password .................................................................................................................................................................... 57

Appendix A: SSL Configuration ............................................................................................................................................... 58

Appendix B: Routing Traffic ................................................................................................................................................... 60



Access Total Application Security – BYOL on AWS Marketplace

1. Please visit the AWS Marketplace https://aws.amazon.com/marketplace. Look for Total Application Security: Scan,

Pen‐Testing, Managed WAF & DDoS ‐ BYOL page, and click GO.

2. Go through What is the correct instance type for my website? link under Resources section to determine the right

instance for your website and then click Continue. 3. Click 1‐Click Launch tab.

4. In the Software Pricing widget, select Subscription Term and Applicable Instance Type.



5. In the Version widget, select the version 4.1 or latest.

6. In the Region widget, click Region drop down box to select the region to host the AMI. This region will guide what

subnet and VPC can use for the AMI.



7. In the EC2 Instance Type widget, select an instance of your choice. Not sure of which instance type to select? We have made an Instance Selection Guide too.

8. Now under the VPC Settings widget, do one of the following:

Click VPC dropdown box to select the VPC ID to deploy instance. The Subnet drop‐down will appear, select appropriate subnet. To create one new VPC, click Create a VPC

Note: If subnet is private then provide NAT router and Gateway details.

Click VPC dropdown box to select the EC2 Classic.



9. Create one Security Group and in Security Group widget, select created security group from the drop down.

Note: A security group is a set of firewall rules that control traffic for a particular instance. Click Security Groups for more information.

For HTTP Website For HTTPS Website For HTTP & HTTPS websites

HTTP HTTPS HTTPS & HTTP

SSH SSH SSH

Port (8080) Port (8080) Port (8080)

Connection Method Protocol Port Range Source (IP or Group)

HTTPS TCP 443 0.0.0.0/0

HTTP TCP 80 0.0.0.0/0

Custom TCP Rule TCP 8080 0.0.0.0/0

SSH TCP 22 Source IP to provide SSH access

10. Click key pair dropdown to select a Key Pair. Key Pair widget ensures only you have access to the Total Application

Security.



11. Click Accept Terms & Launch with 1‐Click.

Note: If you are an existing AWS customer, the button will be labeled as Launch with 1‐Click.

12. Confirmation pop‐up page will appear and follow the on screen instructions. Click AWS Management Console link

on the page.

13. Resources page will appear, click Running Instances.



14. Instances page will appear. Sort by launch timestamp in the table to identify the most recent instance you launched.

15. Under Name column, provide the name for the instances.



16. Make a note of launched Instance ID.

17. In the left navigation pane, under NETWORK & SECURITY, click Elastic IPs to create one static IP for your instance.

18. Click Allocate New Address.



19. Allocate New Address pop‐up will appear. Select one option from the EIP used in drop‐down and then click Yes, Allocate.

20. Allocate New Address pop‐up window will appear with Elastic IP. Click View Elastic IP to see the assigned IP.

21. Allocated Elastic IP will appear. Click Actions, select Associate Address and do one of the following:



a. If it is EC2 environment, enter Instance ID in the Instance text box and then click Associate.

b. If it is VPC environment, enter instance ID/network interface in the Instance/Network Interface text box

and click Associate.



22. In the navigation pane, click Instances. Examine the Status Checks, ensure that the status is changed from Initializing to 2/2 checks passed. Make a note of the Public IP address.

Your AMI has been launched successfully and configured with the Publlic IP address. Now the next step is to configure TAS on the AMI instance.



Configuring Total Application Security

1. Paste the public IP as <Public IP>:8080 in the browser to attain the TAS Domain Registration page.

After launching AMI successfully, press Click here to sign‐up to register.



2. Indusface Total Application Security – signup page will appear, provide the details and click Register



3. Indusface TAS login page will appear. Provide Username, Password, and the click Sign In.

4. All Sites ‐ Health Summary page will appear that serves as the entry point for the website, click on Add Website

to add a website.



Adding a Website To add a website, click on add website icon in All Sites – Health Summary page which has four steps to complete the

process.

1. Provide the code of license which will be protecting the added website. License information like expiry is

provided just below the license box depending on the license code, provide the details. Scan URL is URL used for scanning, by default, it is the domain name of that website.

2. Check on the protocol type and combination depending on the requirement and click submit.



3. If protocol combination type has HTTPS, then upload SSL certificates (recommended) or skip by pressing Skip

to configure it manually.

4. Check details of the website and click on submit to finish the process.

Note: If you want to revert the selection, it is only done by clicking back in the second step.

1. All Sites – Health Summary page will appear. Initiate scan for new website by clicking Scan Now under Last

Scan to scan your domain to detect the web application vulnerabilities, malware, and business logic flaws.



5. Initiate scan by clicking Scan Now under Last Scan to scan your domain to detect the web application vulnerabilities, malware, and business logic flaws.

6. Once the scan completed, Last Scan will display the date and time.

7. Your website is now successfully configured to be used with Indusface Total Application Security. 8. License Expiry displays when a website’s license is going to expire and when it expires, it display’s Renew Now

below the date. 9. Click Detect tab and then click Download Scan Report to view the scan report.

10. When you click Renew Now it takes you to Profile page where you can renew/upgrade your license.



11. Click on renew now/upgrade license and provide the license key which you want to upgrade and press renew license.



12. If the configuration status has not been routed, it shows red symbol requesting routing configuration, click on Routing Configuration Required Appendix B: Routing Traffic. Refresh the page to get status to turn green.



Indusface Total Application Security Portal Tour For detailed features of the Total Application Security portal, please visit Guided Tour

Profile and Licensing Info To edit login, enter the required details in the respective text boxes and click save to update the details.

Parameter Description

User Name Displays your username.

Email Address Provide email address to request Pen Testing to get POC if You requested and notifications

Contact number Provide the updated contact number.



To reset the password, enter the details in change password and click change.

In license info, click on Add License to add a new license to your website

A pop‐up will come asking you to Add license key, after typing the key, click Add License.

Parameter Description

Current Password Provide the current password

New Password Provide new password.

Confirm Password Re‐type the new password.



Documents 1. Click to view TAS assistance documents.

Logout

1. Click to log out from the portal.

Summary The summary tab provides an overview of the number of detected and blocked vulnerabilities, a number of application DDoS attempts and Top five categories names of the attacks, IPs, countries, and URIs. The page attributes can be customized for sites and number of days.



Block Status 1. Block Status widget shows the number of vulnerabilities detected in the website scanning, a number of attacks

blocked against detected and protected vulnerabilities and the total number of blocked attacks.

2. Vulnerabilities Detected shows the number of vulnerabilities detected in the most recent website scanning. Same

can be seen severity wise in Detect tab.

3. Blocked Against Detected Vulnerabilities shows a total number of attacks blocked by detected and protected

vulnerability categories.



4. Total blocked Attacks shows a total number of attacks blocked. Same can be seen severity wise in Protect tab.

DDoS Attacks Blocked DDoS Attacks Blocked widget shows a number of blocked DDoS and Bot attacks.

Top 5 Attack Categories Top 5 Attack Categories widget displays regular analysis of top five attacks. Each color in doughnut chart indicates a different attack type with their count and percentages.



Top 5 Attacks By IPs Top 5 Attacks By IPs displays top five IPs lists from where the attacks are encountered and the attacks count.

Top 5 Attacks By Countries Top 5 Attacks By Countries widget displays top five countries from where the attacks are encountered and there count.



Top 5 Attacked URIs Top 5 Attacked URIs widget shows top five attacked URIs and attacks count.



Detect The detect tab provides an overview of the website scan and detected vulnerabilities details. It helps initiate scans, download the scan report, request a pen‐testing scan, request POCs, and custom rules. The page attributes can be customized for the websites. A simple doughnut chart shows top five noticed vulnerabilities count and their percentage.



Detected Vulnerabilities It shows a count of most recent detected vulnerabilities in the website scanning.

Vulnerabilities Categories Doughnut chart displays blocked vulnerability categories with their count and percentages.



Vulnerabilities details Vulnerabilities table displays the Severity of the vulnerability, Vulnerability category, whether the vulnerability protected or not and attacked URI. 1. To request proof of concept of any vulnerability or to request custom rules for any unprotected vulnerability,

select the check boxes of the respective vulnerabilities and then click Request POC or Request Custom Rules on

top right side of the Vulnerabilities table.



Scanning and Pen Testing 1. Click Now in Schedule Scan Now widget to initiate a scan.

2. Click Request in Request Pen Testing widget, which looks for security weaknesses.

3. Vulnerabilities detected in scanning can be viewed in the Web Application Scan summary widget that displays

date, time of the completed scan and detected vulnerabilities count (Includes Critical, high, Medium, Low, and

Info).

4. Vulnerabilities detected in pen testing can be viewed in the Monitor tab.



a. For a detailed analysis of vulnerabilities detected in pen testing, initiate scan along with pen testing and

download scan report, which includes pen‐testing results.

5. To view preceding 10 scans vulnerability details, click Last Scan drop down and select one scanned date.

Respective scan detected Vulnerabilities count will appear.



6. For further analysis, click Download Scan Report to get a report with respective to selected scan date.

Note: Disable pop‐up blocking to download the Band input and output values. Follow these steps to disable the pop‐ups in different browsers. Google Chrome ‐ Click Download Scan Report, it will show the pop‐up icon on the top right side of the window

before bookmarks’ icon. Click Allow pop‐up. Mozilla Firefox ‐ Click Download Scan Report, it will display a message on the top of the window with an Options

icon. Click Options to disable the pop‐up to generate the reports. Opera ‐ Click Download Scan Report, it will show the pop‐up icon on the top right side of the window

before bookmarks’ icon. Click Allow pop‐up.



Protect Protect tab provides an overview of the real‐time blocked attacks by WAF and displays top five IPs, attack categories and URIs. It offers attack categories and severities graphs. The page attributes can be customized for sites, type of attacks and number of days.



Blocked Attacks

It shows a count of blocked attacks by impact severity and displays date and time of lastly blocked attack.

Attacks By IP

1. Attacks By IP table displays blocked IP addresses from where the attacks are encountered on the website, IP

Reputation whether that IP is good or bad, attacks count, Severity of the attack, Country name from which

country the attacks are happening and Details.



2. In Attacks By IP table, find the IP of which information needs to be viewed and then click Details to the

respective IP to view the information in detail.

3. Attack from IP pop‐up window will appear displaying violations details of that particular IP.

4. Click Whitelist IP to allow traffic from the IP or click Blacklist IP to drop the traffic from the IP or click Blacklist

Country to drop the traffic from the country.



5. Mouse over on nodes in the graph, which will show event name, date, time, and count respectively.

6. To view attack payload of the particular attack category in the pop‐up window, find the category of which

attack payload needs to be viewed and then click Details to the respective category to view the payload. Attack

Payload pop‐up will appear.



Attacks By Category 1. Attacks By Category table displays blocked attacks Category, attacks count, Severity of the attack, and Details.

2. In Attacks By Category table, find the category of which information needs to be viewed and then click Details to

the respective attack category to view the details in detail.



3. Attack Categories Details pop‐up window will appear displaying violations details of that particular attack

category.

4. Mouse over on nodes in the graph, which will show event name, date, time and count, respectively.

5. To view attack payload of the particular IP Address in the pop‐up window, find the IP of which attack payload

needs to be viewed and then click Details to the respective IP Address to view the payload. Attack Payload pop‐

up will appear.



Attacks By URI

1. Attacks By URI table displays blocked URIs from where the attacks are happening on the website, Attacks count,

Severity of the attack and Details.

2. In Attacked URI table, find the URI of which information needs to be viewed and then click Details to the

respective URI to view the details in detail.



3. Attack URI Details pop‐up window will appear displaying violations details of that particular URI.

4. Click Whitelist URI to allow traffic from the URI.

5. Mouse over on nodes in the graph, which will show event name, date, time, and count respectively.





up will appear.



Monitor Monitor tab provides an overview of the real‐time logged attacks by WAF and displays top five IPs, attack categories, and URIs. It offers timeline graph to represent the Bandwidth (Avg kb per min) and Requests (hourly). The page attributes can be customized for sites and number of days.

For detailed features of the Total Application Security portal, please take a visit.



It shows a count of created Custom Rules, Total POCs, and Vulnerabilities detected in pen testing. Whenever a customer asks for proof of concepts for vulnerabilities in the detect tab, that will reflect in Total POCs in Monitor tab.

Attacks By IP

1. Attacks By IP table displays logged IP addresses from where the attacks are encountered on the website, IP

Reputation whether that IP is good or bad, attacks count, Severity of the attack, Country name from which

country the attacks are happening and Details

2. In Attacks By IP table, find the IP of which information needs to be viewed and then click Details to the respective

IP to view the details in detail.



3. Attack from IP pop‐up window will appear displaying violations details of that particular IP.

4. Click Whitelist IP to allow traffic from the IP or click Blacklist IP to drop traffic from the IP or click Blacklist

Country to drop traffic from the country.



5. Mouse over on nodes in the graph, which will show event name, date & time and count respectively.

6. To view attack payload of the particular attack category in the pop‐up window, find the category of which attack

payload needs to be viewed and then click Details to the respective category to view the payload. Attack Payload

pop‐up will appear.



Attacks By Category

1. Attacks By Category table displays logged attacks Category, attacks count, Severity of the attack, and Details.

2. In Attacks By Category table, find the category of which information needs to be viewed and then click Details to

the respective attack category to view the details in detail.

3. Attack Categories Details pop‐up window will appear displaying violations details of that particular attack

category.






up will appear.



Attacks By URI

1. Attacked URI table displays logged URIs from where the attacks are happening on the website, Attacks count,

Severity of the attack and Details.

2. In Attacks By URI table, find the URI of which information needs to be viewed and then click Details to the

respective URI to view the details in detail.

3. Attack URI Details pop‐up window will appear displaying violations details of that particular URI.



4. Click Whitelist URI to allow traffic from the URI.




up will appear.



Monitor Action Summary Monitor Action Summary displays all the actions performed on TAS portal, time of action taken and details of those actions.

Under Action Taken, only the name of the action is displayed, the detailed action is viewed under Details category.



Settings Settings page assist WAF settings management and configuration. Based on the analytics, a user can block or whitelist the traffic to the website from specific IP Addresses and countries. The user can add an exception by compiling a list of URIs considered safe to allow traffic from respective URI. Click to navigate to the settings page.

The settings page will appear. Click Back to navigate to the Summary tab.

Web Application IP Address It will display default web application IP address. If there is a change in the IP address, provide new IP in the text box and click Update to update the web application IP address.

.



WAF Status

Select one option to perform by WAF and click Update.

Log and Block ‐ WAF logs and blocks the attacks

Log Only ‐ WAF logs the attacks

Disabled ‐ WAF turned off

IPs Blacklisted Click to add IP addresses in the text box to drop the connection from that particular IP Address and click Save.

IPs Whitelisted Click to add IP addresses in the text box to allow the traffic from that particular IP Address and click Save.

Countries Blacklisted Click and select one Country from the drop down to block the traffic from that particular Country and click Save.



URIs Whitelisted Click to add URI in the textbox to allow the traffic from that particular URI and click Save.



Forgot Password 1. Press Click here links next to Forgot password on the login page for lost/forgotten passwords.

2. Enter the Username and text shown and then Click Submit.

3. It will display a message An email has been sent with your new password as confirmation, click Continue.

4. The new password will send to the registered email address.

5. Enter the Username and new Password to login.



Appendix A: SSL Configuration

Steps to follow with other file formats (P12, PFX, PEM, JKS)

Prerequisites:

File Format Passwords

JKS Key Password , Keystore Password

PFX/P12 Key Password

SSL Conversion Steps

Follow the steps below to migrate the SSL from your machine to Indusface Total Application Security‐ WAF AMI with the appropriate file format (CRT).

1. Copy the certificates to the Indusface TAS‐AMI using any file transfer tool into /home/ec2-user.

2. Log into your AMI using any SSH client (E.g. PuTTY)

a. Specify the destination Host Name or IP Address of the WAF AMI and use the associated Key Pair (same key pair associated while launching the AMI instance from the AWS Marketplace.)

3. A terminal will open up. Specify the Username ec2-user and then proceed with authentication.

4. Switch to root user by executing the command sudo su –

5. Copy SSL files to /mnt directory by executing the command cp <cert_filename> /mnt

6. Now run the command ls to list all the certificates in the /mnt directory.

NOTE: Make sure not more than one file exists with the same extension in /mnt.

7. Change the directory to /media using the command cd /media

8. Run the command ls to list the contents of the directory. It will return the file convert_ssl.sh.

9. Run the command ./convert_ssl.sh <file_format> <domain_name>, press ‘y’ and provide password to convert the files into CRT file format.

NOTE: If the certificate file is not password protected, press enter to proceed. All the converted files will be placed automatically in /etc/httpd/ssl folder.

10. A success message will appear. To ensure change directory to cd /etc/httpd/ssl and run the command ls to list all

the files in the folder, the following files should be listed.

<domain_name>.crt <domain_name>-server.key <domain_name>-chain.crt

NOTE: If the conversion is not successful, please contact Indusface Support at [email protected]

11. After completion of SSL configuration, follow the Traffic Routing steps.



Steps to follow with .crt format files Consider your domain name as “yourdomain.com” and rename the SSL certificates as per your domain name in the format mentioned in the table.

Certificate Format

Server Certificate yourdomain.com.crt

Private Key Certificate yourdomain.com-server.key

Chain File yourdomain.com-chain.crt

Note: If you have multiple Chain files, put all the files in yourdomain.com-chain.crt file.

1. Copy the above files from your machine to the Indusface TAS AMI using any file transfer tool into /tmp directory.

2. Log into your AMI using any SSH client (E.g. PuTTY)

o Specify the destination Host Name or IP Address of the WAF AMI and use the associated Key Pair (same key pair associated while launching the AMI instance from the AWS Marketplace.)

3. A terminal will open up. Specify the Username ec2-user and then proceed with authentication.

4. Switch to root user by executing the command sudo su –

5. Change the directory to cd /etc/httpd/ssl/

6. Run the below command to copy the files from /tmp directory to /etc/https/ssl/ cp /tmp/yourdomain* /etc/httpd/ssl/

7. Run the command to rename apache configuration file

mv /etc/httpd/indusface/<yourdomain>.conf.disabled /etc/httpd/indusface/<yourdomain>.conf

8. Run the command to restart the apache systemctl restart httpd.service

Removing passphrase from the private key

1. To remove the passphrase from a private key type the command.

openssl rsa -in yourdomain.com-server.key -out yourdomain.com-server.key1

Enter the pass phrase for the website.

2. Create a backup file of yourdomain.com‐server.key, by executing the command

mv yourdomain.com-server.key yourdomain.com-server.key_bak

3. Rename the file yourdomain.com‐server.key1 to yourdomain.com‐server.key by executing the command

mv yourdomain.com-server.key1 yourdomain.com-server.key

4. Now type the command ls to list the certificates, the following files should be listed. yourdomain.com.crt yourdomain.com-server.key yourdomain.com-server.key_bak yourdomain.com-chain.crt

5. After completion of SSL configuration, follow the Traffic Routing steps.



Appendix B: Routing Traffic 1. Click Routing Configuration Required to use the Indusface Total Application Security, you need to ensure that all

the traffic goes through Indusface Total Application Security, AMI by implementing one of the following methods.

Single Node Deployment

If you are using SSL and SSL is terminated at the WAF AMI:

i. You need to set up the SSL certificate and keys as per instructions in SSL Configuration DOC before changing your routing. Failure to do it in this sequence will result in disruption to your website traffic.

Change your DNS A record to point to the public IP address of the Indusface WAF AMI.

Single Node Deployment with ELB

Update ELB to forward traffic on ports 80 & 443 to the IP address of the Indusface WAF AMI.

SSL is terminated at the ELB so no SSL configuration required in this model.

Multi‐Node Deployment With ELB

Contact support for routing change instructions

2. After completion of routing, refresh the Indusface TAS ‐ WAF Status page.