Protection policies

Using policies, you can define protection against vulnerability exploits such as cookie, URL, and form manipulation. Policies also mitigate common threats such as protocol violations and cross-site scripting (XSS) attacks. The firewall provides default policies for use with some common web services.

Protection Settings

Cookie signing
Using cookie signing, you can mitigate attempts to obtain private session data and engage in fraudulent activity by tampering with cookies. When the web server sets a cookie, the firewall adds a second cookie containing a hash built from the name and value of the primary cookie and a secret known only to the firewall. If a request does not present a valid cookie pair, the cookie is dropped.
Static URL hardening
Static URL hardening prevents users from manually constructing “deep links” that lead to unauthorized access. When a client requests a website, all static URLs of the website are signed using a procedure similar to cookie signing. The response from the web server is also analyzed to determine which links may validly be requested next.
Form hardening
To prevent SQL injection and other exploits, form hardening saves the original structure of a web form and signs it. If the structure of a form has changed by the time it is submitted, the firewall rejects the request.
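The three protection settings above (cookie signing, static URL hardening and form hardening) share one mechanism: the firewall computes a keyed hash over something the server sent, attaches it, and later refuses a request whose hash no longer matches. The following is an added illustration, not the firewall's own code: it uses HMAC-SHA256 as the hash, a placeholder secret, a `_sig` companion cookie, a `urlsig` query parameter and a hidden `_formsig` form field, all of which are assumptions made for this example.

```python
import hmac
import hashlib
import re
from urllib.parse import urlsplit, urlencode, parse_qsl

# Constructed placeholder for the secret that only the firewall knows.
FIREWALL_SECRET = b"placeholder-secret-known-only-to-the-firewall"


def sign(*parts: str) -> str:
    """HMAC-SHA256 over the parts, keyed with the firewall secret.

    Each part is followed by a NUL separator so that ("ab", "c") and
    ("a", "bc") produce different signatures.
    """
    mac = hmac.new(FIREWALL_SECRET, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(part.encode())
        mac.update(b"\x00")
    return mac.hexdigest()


def _match(presented: str, expected: str) -> bool:
    """Constant-time comparison that tolerates any client-supplied text."""
    return hmac.compare_digest(presented.encode(), expected.encode())


# ---- Cookie signing --------------------------------------------------------

def sign_cookie(name: str, value: str) -> tuple[str, str]:
    """Companion cookie the firewall adds when the server sets `name`."""
    return name + "_sig", sign("cookie", name, value)


def filter_cookies(cookies: dict) -> dict:
    """Keep only cookies whose companion signature matches.

    A cookie whose value was edited, or that has no companion cookie,
    is dropped before the request reaches the web server.
    """
    kept = {}
    for name, value in cookies.items():
        if name.endswith("_sig"):
            continue
        if _match(cookies.get(name + "_sig", ""), sign("cookie", name, value)):
            kept[name] = value
    return kept


# ---- Static URL hardening --------------------------------------------------

def _canonical_url(url: str) -> str:
    """Path plus query with any existing urlsig parameter removed."""
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "urlsig"]
    return parts.path + ("?" + urlencode(query) if query else "")


def sign_url(url: str) -> str:
    """Rewrite a static link in the response so it carries a signature."""
    base = _canonical_url(url)
    return base + ("&" if "?" in base else "?") + "urlsig=" + sign("url", base)


def verify_url(url: str) -> bool:
    """Allow a request only if its urlsig matches the rest of the URL."""
    sigs = [v for k, v in parse_qsl(urlsplit(url).query, keep_blank_values=True)
            if k == "urlsig"]
    return len(sigs) == 1 and _match(sigs[0], sign("url", _canonical_url(url)))


# ---- Form hardening --------------------------------------------------------

FIELD_RE = re.compile(r'<(?:input|select|textarea)\b[^>]*\bname="([^"]+)"', re.I)
TOKEN_FIELD = "_formsig"


def form_token(form_html: str) -> str:
    """Signature over the form's structure (its sorted field names).

    Assumption for this example: the firewall injects it as a hidden field.
    """
    return sign("form", ",".join(sorted(FIELD_RE.findall(form_html))))


def verify_form(submitted: dict) -> bool:
    """Reject a submission whose field set differs from the signed structure."""
    token = submitted.get(TOKEN_FIELD, "")
    names = sorted(k for k in submitted if k != TOKEN_FIELD)
    return _match(token, sign("form", ",".join(names)))
```

The signatures carry no information on their own; what matters is that a client cannot produce a valid one without the secret, so a hand-edited cookie, a hand-built deep link or a form with an extra field arrives without a matching signature and is refused. Note that form hardening as written signs only the field names, so a client can still change values; value validation is the job of the injection and XSS checks, not of form hardening.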
Anti-virus
Protect a web server against viruses.
Block clients with bad reputation
Block clients that have a bad reputation according to real-time blackhole lists (RBLs) and GeoIP information. For RBLs, the firewall uses Cyren IP reputation intelligence and SORBS. For GeoIP, the firewall uses Maxmind. The firewall blocks clients that belong to the A1 (anonymous proxies or VPN services) and A2 (satellite ISP) classifications.

Common Threat Protection

Protocol violations
Enforce adherence to the RFC standard specification of the HTTP/S protocol. Violating these standards usually indicates malicious intent.
Protocol anomalies
Search for common usage patterns. The absence of such patterns often indicates a malicious request. These patterns include, among other things, the presence of HTTP headers such as “Host” and “User-Agent”.
Request limits
Enforce reasonable limits on the number and ranges of request arguments. Overloading request arguments is a typical attack vector.
HTTP policy
Narrow the allowed usage of the HTTP protocol. Web browsers typically use only a limited subset of all possible HTTP options. Disallowing the rarely used options protects against attacks that target them.
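Protocol violations, protocol anomalies, request limits and the HTTP policy are all decisions made on the request envelope before the arguments are inspected. The following added example (not the firewall's own rule set) shows those four checks over raw requests. The method allowlist, the expected headers and the numeric limits are constructed values chosen for the illustration; a real policy is tuned per site.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed policy values for this example.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}      # HTTP policy
ALLOWED_VERSIONS = {"HTTP/1.0", "HTTP/1.1"}    # protocol violations
EXPECTED_HEADERS = ("host", "user-agent")      # protocol anomalies
MAX_ARGS = 20                                  # request limits
MAX_ARG_NAME_LEN = 64
MAX_ARG_VALUE_LEN = 512
MAX_ARGS_TOTAL_LEN = 4096


def parse_request(raw: str):
    """Split a raw request into (method, target, version, headers, body).

    Returns None when the request line is not 'METHOD TARGET HTTP/x.y'
    or a header line has no colon; both are protocol violations.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            return None
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], parts[2], headers, body


def check_request(raw: str) -> list[str]:
    """Return the policy findings for one request (empty list = clean)."""
    parsed = parse_request(raw)
    if parsed is None:
        return ["protocol violation: malformed request line or header"]
    method, target, version, headers, body = parsed
    findings = []

    if version not in ALLOWED_VERSIONS:
        findings.append(f"protocol violation: unsupported version {version}")
    for header in EXPECTED_HEADERS:
        if header not in headers:
            findings.append(f"protocol anomaly: missing {header} header")
    if method not in ALLOWED_METHODS:
        findings.append(f"http policy: method {method} not allowed")

    # Arguments come from the query string and, for form posts, the body.
    args = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    content_type = headers.get("content-type", "")
    if method == "POST" and content_type.startswith("application/x-www-form-urlencoded"):
        args += parse_qsl(body, keep_blank_values=True)

    if len(args) > MAX_ARGS:
        findings.append(f"request limits: {len(args)} arguments exceeds {MAX_ARGS}")
    for name, value in args:
        if len(name) > MAX_ARG_NAME_LEN:
            findings.append(f"request limits: argument name too long ({len(name)})")
        if len(value) > MAX_ARG_VALUE_LEN:
            findings.append(f"request limits: argument {name!r} value too long ({len(value)})")
    total = sum(len(n) + len(v) for n, v in args)
    if total > MAX_ARGS_TOTAL_LEN:
        findings.append(f"request limits: total argument length {total} exceeds {MAX_ARGS_TOTAL_LEN}")
    return findings


# Constructed sample traffic for the demonstration.
CLEAN_REQUEST = (
    "GET /search?q=firewall HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n\r\n"
)
SUSPICIOUS_REQUEST = (
    "TRACE /?" + "&".join(f"a{i}=x" for i in range(25)) + " HTTP/1.1\r\n"
    "Host: www.example.com\r\n\r\n"
)

if __name__ == "__main__":
    for request in (CLEAN_REQUEST, SUSPICIOUS_REQUEST):
        print(request.split("\r\n")[0][:40], check_request(request) or ["clean"])
```

The second sample trips three separate checks at once (an unexpected method, a missing User-Agent header and too many arguments), which is the usual picture for automated traffic: each finding is weak on its own, so a policy engine reports all of them rather than stopping at the first.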
Bad robots
Check for usage patterns characteristic of bots and crawlers. By denying them access, possible vulnerabilities on your web servers are less likely to be discovered.
Generic attacks
Search for attempted command executions common to most attacks. After breaching a web server, an attacker usually tries to execute commands on it, such as escalating privileges or manipulating data stores. Searching for these post-breach execution attempts detects attacks that might otherwise have gone unnoticed, for example because they targeted a vulnerable service by means of legitimate access.
SQL injection attacks
Check for embedded SQL commands and escape characters in request arguments. Most attacks on web servers target input fields that can be used to pass embedded SQL commands to the database.
XSS attacks
Check for embedded script tags and code in request arguments. Typical cross-site scripting attacks aim at injecting script code into input fields on a target web server, often by using those fields in an otherwise legitimate way.
Tight security
Perform tight security checks on requests, such as checking for prohibited path traversal attempts.
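The SQL injection, XSS and path traversal checks above all inspect request arguments for characteristic text. The added example below (not the firewall's signature set) shows the part that matters more than any individual pattern: arguments are normalized first, including a bounded second percent-decoding pass, so that an encoded or double-encoded argument is matched in its decoded form. The rule list is a deliberately small constructed set, and the decoding depth of two rounds is an assumption.

```python
import re
from urllib.parse import unquote_plus, urlsplit, parse_qsl

# Constructed, intentionally small signature set for the illustration.
RULES = [
    ("sql injection", re.compile(
        r"(?:'|\")\s*(?:or|and)\s+[\w'\"]+\s*="   # quote followed by a boolean clause
        r"|union\s+select"                        # embedded SELECT
        r"|;\s*(?:drop|delete|insert)\b"          # stacked statement
        r"|/\*.*?\*/|--\s*$",                     # SQL comments used as terminators
        re.I | re.S)),
    ("xss", re.compile(r"<\s*script\b|javascript\s*:|\bon[a-z]+\s*=", re.I)),
    ("path traversal", re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")),
]


def normalize(value: str, rounds: int = 2) -> str:
    """Percent-decode repeatedly, but boundedly, so encoded text is seen as plain text.

    parse_qsl already decodes once; the extra rounds catch double encoding
    without looping forever on input that keeps changing under decoding.
    """
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_arguments(target: str, body: str = "") -> list[tuple[str, str, str]]:
    """Return (rule name, argument name, normalized value) for every rule hit.

    The path is inspected as well, under the pseudo-name "(path)", because
    traversal sequences usually appear there rather than in a parameter.
    """
    parts = urlsplit(target)
    args = [("(path)", parts.path)]
    args += parse_qsl(parts.query, keep_blank_values=True)
    args += parse_qsl(body, keep_blank_values=True)
    hits = []
    for name, value in args:
        text = normalize(value)
        for rule_name, pattern in RULES:
            if pattern.search(text):
                hits.append((rule_name, name, text))
    return hits


# Constructed sample requests: one benign, three encoded once, one encoded twice.
SAMPLES = {
    "benign":        "/search?q=O%27Reilly+books",
    "sqli":          "/item?id=1%27%20OR%201%3D1",
    "xss":           "/search?q=%3Cscript%3Ealert(1)%3C/script%3E",
    "traversal":     "/files?name=..%2F..%2Fconfig",
    "double-coded":  "/item?id=1%2527%2520OR%25201%253D1",
}

if __name__ == "__main__":
    for label, target in SAMPLES.items():
        print(f"{label:13s} {inspect_arguments(target) or 'clean'}")
```

The benign sample shows why rules look for structure (a quote followed by a boolean clause) rather than for a lone apostrophe: a name like O'Reilly must pass. The double-encoded sample passes a single decode untouched and is only caught after normalization, which is the failure mode a signature check must handle.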
Trojans
Check for usage patterns that are characteristic of trojans.
Note: This setting does not prevent the installation of trojans. Trojan protection is provided by anti-virus scanning.
Outbound
Prevent web servers from leaking information to the client. This includes, among other things, error messages sent by servers, which attackers can use to gather sensitive information or detect specific vulnerabilities.
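Outbound protection works on the response rather than the request. The following added example (not the firewall's own filter) replaces an error body that carries server-side detail with a generic page and drops headers that announce software versions. The leak patterns, the header list and the generic body are constructed for the illustration; treating version headers as leakage is an assumption that goes slightly beyond the error-message case the text names.

```python
import re

# Constructed patterns for server-side detail that should not reach a client.
LEAK_PATTERNS = [
    ("stack trace", re.compile(
        r"Traceback \(most recent call last\)|^\s+at [\w.$]+\(.*?:\d+\)", re.M)),
    ("database error", re.compile(
        r"\b(?:ORA-\d{5}|SQLSTATE\[\w+\]|You have an error in your SQL syntax)", re.I)),
    ("file path", re.compile(r"(?:/var/www/|/home/\w+/|[A-Za-z]:\\inetpub\\)\S*")),
]

# Headers that reveal the software stack (assumed list for this example).
REVEALING_HEADERS = ("server", "x-powered-by", "x-aspnet-version")

GENERIC_ERROR_BODY = "<html><body><h1>An error occurred</h1></body></html>"


def filter_response(status: int, headers: dict, body: str):
    """Return (headers, body, leaks) with information leakage removed.

    The body is replaced whenever the server answered with a 5xx status or
    the body matches a leak pattern; headers are filtered unconditionally.
    """
    clean_headers = {k: v for k, v in headers.items()
                     if k.lower() not in REVEALING_HEADERS}
    leaks = [name for name, pattern in LEAK_PATTERNS if pattern.search(body)]
    if status >= 500 or leaks:
        return clean_headers, GENERIC_ERROR_BODY, leaks
    return clean_headers, body, leaks


# Constructed sample responses.
SAMPLE_ERROR = (
    500,
    {"Server": "Apache/2.4.0 (Unix)", "Content-Type": "text/html"},
    "<pre>Traceback (most recent call last):\n"
    '  File "/var/www/app/views.py", line 12, in index</pre>',
)
SAMPLE_OK = (200, {"Content-Type": "text/html"}, "<html>Welcome</html>")

if __name__ == "__main__":
    for sample in (SAMPLE_ERROR, SAMPLE_OK):
        headers, body, leaks = filter_response(*sample)
        print(sample[0], leaks or "no leak", headers, body[:40])
```

The caveat a practitioner will want: because the body check is content-based, a legitimate 200 page that happens to quote a traceback (a developer documentation page, for instance) is replaced too. In practice the pattern set is scoped to error-like responses or to specific paths so that such pages are not broken.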