ServerDefender AI Evaluation Guide
Here are some important tips that administrators and developers should follow when evaluating ServerDefender AI (SDAI) to get the most out of their new IIS Web application firewall:
- Prep for a smooth installation. Make sure to review Port80’s Install Notes for ISAPI filter installation tips at http://www.port80software.com/install.
- Choose SDAI training based on your site logs or real-time traffic. During installation, you will be prompted to choose which data SDAI uses to establish your baseline of normal traffic and enable the tool to identify anomalous hacker requests. Pick a source of data that you think may contain hack attempts, either real-time traffic or your IIS log files.
- Reboot for Network IP Blocking. You will be able to use SDAI without rebooting the server once your installation is complete, but to block bad requests in the future at the network card layer, you will need to restart the operating system to engage the Network IP Blocking feature.
- Turning off SDAI is a bit non-standard. Unlike other Port80 tools, there is no global enable/disable function in SDAI. You can change the Security Mode (under the Services node in the UI) to Training or Monitoring - Inactive Mode, which means that SDAI is recording requests but not blocking anything. Alternatively, you can disable the filter itself on the ISAPI Filters tab (right-click Properties on the “Web Sites” node in the IIS Manager/MMC).
- Classifying events as trusted or untrusted is your most important SDAI task. After installation, click on the Training Data node in SDAI, and you should see it start to fill up with requests to your site from the logs or in real time. SDAI will start to classify these requests as events, and you can then re-classify events as trusted or untrusted if necessary. Also, once training is completed, it is recommended that you review the Security Alert Logs to make sure all events are classified as what you really want to be trusted or untrusted. This ongoing reclassification is an important part of making SDAI work, and the more you classify events, the smarter SDAI will become at Web app firewalling your site.
- Identify and remediate any SDAI Rules conflicts with your site. During training, you may notice legitimate requests being categorized as Untrusted based on SDAI’s predefined request signatures (these signatures can be managed in the SDAI Rules node under Requests). Check the default rules for HTTP Methods, URL Paths (the most likely place you will find a conflict), URL Query Strings, and HTTP Request Headers against your basic site structure, and then delete any rule that conflicts with your site design.
For example, there was formerly a default rule in URL Paths that disallowed any request for “/scripts”. We removed this from early versions of SDAI, as many sites have a “/scripts” directory. Once you have removed the conflicting signature, you will need to retrain SDAI. Stop IIS directly, close any open IIS or SDAI UIs, delete YEVS.mdb and intrusionLog.mdb in C:\Program Files\Port80\ServerDefender Artificial Intelligence (the default location) or in the installation directory you used, then open SDAI and retrain by right-clicking the Services node and clicking Apply Training Data. IIS will be restarted, and the new training will occur. Requests previously blocked because of the signature conflict you found will be removed from the training data, and the relevant legitimate requests will be allowed by SDAI.
- Don’t be overly concerned by the default on-screen and audio alerts. SDAI’s default alerts show up on your IIS server and may cause some initial confusion after installation and training. You can manage these alerts under the Policy node > Threat Management Options by unchecking the Visual and Audio Alert setting.
- Manage SDAI Rules for Web requests. Under the Rules node > Requests, you can set up multiple exceptions for each Request rule when you edit it, separated by a semicolon (;). Within these Request rules, you can set the rule to use autoblocking versus a one-time block. The concept is that when a rule is triggered for a block, you can have SDAI automatically block the requesting IP for any future requests from that same IP. If you set the autoblocking option to NO, SDAI will still block the request, but only when it falls under that specific request rule. In general, autoblocking is a good thing, so long as you have reviewed the rules to make sure you do not have any signature conflicts with legitimate requests.
- Turn on and set Request Frequency security. Use SDAI’s Request Frequency feature to set up a general protective layer on your site based on the number of requests to a particular file or to the site overall. It is off by default; manage it under the Rules node > Requests > URL Paths > Request Frequency tab. Select, edit, and enable the default “any_target_pages” rule here to have request frequency checking across the site, and set a requests/second ratio that works for your Web application. For request frequency on a particular page, such as a login page or protected content like images and videos (to give just a few examples), you will need to create a rule based on the URL Path of the page you want frequency checking on.
- Classify events and tune the behavioral engine for maximum security. Once SDAI has been trained, it is important to understand the behavioral engine that governs how future requests are handled. The power of SDAI lies in its many layers of defense, from the rules for requests and IP addresses in the knowledge base to your manual classification of events as Trusted or Untrusted during training or later as you review the Security Alert Logs, which together protect against Web application attacks. In the Advanced Settings screen (expand the Management -> Services node and look in the middle of the screen for the button that opens it), you can manage how closely a new request event has to match SDAI rules or previous event classifications to inherit their trustworthiness. The lower the sensitivity (less than 100%) to untrusted events set here, the greater the security. The higher the sensitivity (greater than 1%) to trusted events, the greater the security.
If, for example, the sensitivity level is set to 100%, an SDAI rule or event classification would have to be identical to the new request for the behavioral engine to classify the event as Untrusted (or Trusted). If you set the untrusted sensitivity to 100%, the behavioral engine will be less likely to block a request, because there likely is no already-untrusted event that matches the new request exactly. If you set it to a smaller percentage, it will become smarter and use its advanced algorithms to learn and block more requests that partially match previously untrusted requests. The opposite occurs for the Trusted sensitivity number. If you set the trusted sensitivity to 100%, the behavioral engine will be more likely to block a request, since it has to find a trusted event in its database that matches exactly. If you set it to a smaller percentage, it will block fewer requests, since only a small part of a request needs to match an already-trusted event. Any time you err on the side of security, there will potentially be more false positives, which is why reviewing the Security Alert Logs and re-classifying events is an important ongoing maintenance activity with SDAI.
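To make the two thresholds concrete, here is an added, simplified model of the trade-off described above. It is illustrative code written for this guide, not Port80’s engine: the attribute-overlap similarity metric, the training events and the new request are all constructed, and only the direction of each threshold’s effect is meant to match SDAI.

```python
# Added illustration, not Port80's code: a simplified model of how the two
# sensitivity thresholds in SDAI's Advanced Settings trade security against
# false positives. Similarity scoring and event data are constructed.

ATTRS = ("method", "path", "query", "user_agent")

def similarity(a: dict, b: dict) -> float:
    """Fraction of request attributes that are identical (assumed metric)."""
    return sum(a.get(k) == b.get(k) for k in ATTRS) / len(ATTRS)

def decide(request, untrusted, trusted, untrusted_sens, trusted_sens):
    """Return 'block' or 'allow' for one request.

    Block when some Untrusted event matches at least untrusted_sens closely
    (a lower value lets partial matches count, so more is blocked), or when
    no Trusted event matches at least trusted_sens closely (a higher value
    demands a closer match before allowing, so more is blocked).
    """
    if any(similarity(request, e) >= untrusted_sens for e in untrusted):
        return "block"
    if not any(similarity(request, e) >= trusted_sens for e in trusted):
        return "block"
    return "allow"

# Constructed training data: one event classified Trusted, one Untrusted.
TRUSTED = [{"method": "GET", "path": "/scripts/app.js",
            "query": "", "user_agent": "Mozilla/5.0"}]
UNTRUSTED = [{"method": "GET", "path": "/setup.php",
              "query": "", "user_agent": "scanner"}]

# Constructed new request: shares its path with the Untrusted event and
# everything else with the Trusted one (similarity 0.75 to each).
NEW = {"method": "GET", "path": "/setup.php",
       "query": "", "user_agent": "Mozilla/5.0"}

def run_scenarios():
    """Same request under three settings; keys are (untrusted_sens, trusted_sens)."""
    settings = [(1.00, 0.50), (0.70, 0.50), (1.00, 1.00)]
    return {s: decide(NEW, UNTRUSTED, TRUSTED, *s) for s in settings}

if __name__ == "__main__":
    for (u, t), verdict in run_scenarios().items():
        print(f"untrusted={u:.0%} trusted={t:.0%} -> {verdict}")
```

Lowering the untrusted threshold from 100% to 70% turns the verdict from allow to block, and raising the trusted threshold to 100% blocks it as well, which is the false-positive pressure the text says makes ongoing review of the Security Alert Logs necessary.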
- Unfortunately, there are no trial extensions for SDAI. Given the nature of SDAI’s new licensing code, we will not be able to offer extensions to the trial period for this product. That said, if you purchase a license for testing and the product does not work in your environment, Port80 Software will offer a full refund for your order. And of course, we will be here with support at Port80 Software to help in your evaluation before and after your purchase.
- Review the Product Overview and ServerDefender AI Quick-Start in the Help files after installation. To get familiar with the UI and the terms used in SDAI, we highly recommend reviewing these help documents and the product documentation in general. Help files are only accessible from within an installed SDAI version, but you can disable SDAI while you review the docs after installation. If you need help with anything at all, please contact Port80 Support directly at http://www.port80software.com/help.