ServerDefender AI Evaluation Guide
Here are some important tips that administrators and developers should follow when evaluating ServerDefender AI (SDAI) to get the most out of their new IIS Web application firewall:
- Prep for a smooth installation. Make sure to review Port80’s Install Notes for ISAPI filter installation tips at http://www.port80software.com/install.
- Choose SDAI training based on your site logs or real-time traffic. During installation, you will be prompted to choose the source of requests (either from your IIS logs or real-time traffic) which SDAI uses to train the behavioral engine that will identify and stop future attacks. In addition, you will be given the choice of database size (small, medium or large). The bigger the training database (TDB), the more fine-grained the distinctions SDAI can make between trusted and untrusted requests.
- Reboot for Network IP Blocking. You will be able to use SDAI without rebooting the server once your installation is complete, but to block bad requests in the future at the network card layer, you will need to restart the operating system to engage the Network IP Blocking feature.
- Turning off SDAI. Unlike other Port80 tools, there is no global enable/disable functionality in SDAI. You can change the Security Mode (under the Services node in the UI) to Training or Monitoring - Inactive Mode, which means that SDAI is recording requests but not blocking anything. Alternatively, you can disable the filter itself on the ISAPI Filters tab (right-click Properties on the “Web Sites” node in the IIS Manager/MMC).
- Classifying events as trusted or untrusted is your most important SDAI task. After installation, click on the Training Data node in SDAI, and you should see it start to fill up with requests to your site from the logs or in real-time. SDAI will show which of these requests are already untrusted due to its built-in rules. It is up to you to mark any other suspect or malicious requests (for instance, those from a penetration test) as untrusted. You will want to review the training database carefully at the conclusion of the training period to ensure all requests are correctly identified. Once training is completed, you are automatically moved to Monitoring Inactive mode. At this point, the Security Alert Log (SAL) will show the results of both the built-in rules and your own training decisions, in terms of requests that will be blocked once ServerDefender AI goes into Monitoring Active ("live") mode. If you notice false positives in the SAL, you can go back to the training and mark those requests as trusted. These initial training and monitoring phases are an important part of making SDAI work at maximum effectiveness. The more carefully you classify events in the TDB, the smarter SDAI will become, tightening the security of your Web application.
- Identify and remediate any SDAI Rules conflicts with your site. During training, you may notice legitimate requests being categorized as Untrusted based on SDAI’s predefined request signatures (these signatures can be managed in the SDAI Rules node under Requests). Check the default rules for HTTP Methods, URL Paths (the most likely place you will find a conflict), URL Query Strings or HTTP Request Headers against your basic site structure, and then delete the rule that conflicts with your site design. For example, there was a former default rule in URL Paths to not allow a request for “/scripts” to the site. We removed this from early versions of SDAI, as many sites have a “/scripts” directory.
- Don’t be overly concerned by default on-screen and audio alerts. SDAI’s default alerts show up on your IIS server, and may cause some initial confusion after your installation and training. You can manage these alerts under the Policy node > Threat Management Options by unchecking the Visual and Audio Alert setting.
- Manage SDAI Rules for Web requests. Under the Rules node > Requests, you can set up multiple exceptions for each Request rule when you edit it, separated by a semicolon (;). Within these Request rules, you can set the rule to perform autoblocking or a one-time block. The concept is that when a rule is triggered for a block, you can set SDAI to automatically block the requesting IP for any requests from that same IP in the future. If you set the autoblocking option to NO, SDAI will still block the request, but only when it falls under that specific request rule. In general, autoblocking is a good thing, so long as you have reviewed the rules to make sure you do not have any signature conflicts for legitimate requests.
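The difference between a one-time block and autoblocking, and how semicolon-separated exceptions narrow a rule, is easier to see in code. The following is an added illustrative model written for this guide; it is not ServerDefender AI code, does not reflect how SDAI stores or evaluates its rules, and the rule names, paths and client addresses are constructed.

```python
"""Illustrative model of a request rule with semicolon-separated exceptions
and an autoblock option.  Added example, not ServerDefender AI code; rule
names, paths and client addresses below are constructed."""
from dataclasses import dataclass, field


@dataclass
class RequestRule:
    name: str
    pattern: str            # URL-path prefix the rule blocks
    exceptions: str = ""    # semicolon-separated path prefixes that are exempt
    autoblock: bool = True  # True: also block every later request from that IP

    def exception_list(self):
        # "a;b; c" -> ["a", "b", "c"], ignoring empty entries and whitespace
        return [e.strip() for e in self.exceptions.split(";") if e.strip()]

    def matches(self, path):
        p = path.lower()  # IIS paths are case-insensitive
        if not p.startswith(self.pattern.lower()):
            return False
        return not any(p.startswith(e.lower()) for e in self.exception_list())


@dataclass
class RuleEngine:
    rules: list
    blocked_ips: set = field(default_factory=set)

    def handle(self, ip, path):
        """Return ("allow", None) or ("block", reason) for one request."""
        if ip in self.blocked_ips:
            return "block", "ip autoblocked"
        for rule in self.rules:
            if rule.matches(path):
                if rule.autoblock:
                    self.blocked_ips.add(ip)   # remember the client, not just the request
                return "block", rule.name
        return "allow", None


RULES = [
    # /scripts is denied except for the two public locations listed as exceptions
    RequestRule("deny_scripts", "/scripts", exceptions="/scripts/public;/scripts/site.js"),
    # one-time block: the request is dropped but the client is not autoblocked
    RequestRule("deny_admin", "/admin", autoblock=False),
]

# Constructed traffic (client IP, requested path), in arrival order
TRAFFIC = [
    ("198.51.100.5", "/index.html"),
    ("198.51.100.5", "/scripts/public/app.js"),   # exempt via the exception list
    ("198.51.100.9", "/admin/login.aspx"),        # one-time block
    ("198.51.100.9", "/index.html"),              # still allowed afterwards
    ("198.51.100.7", "/scripts/internal.asp"),    # blocked, and the IP is autoblocked
    ("198.51.100.7", "/index.html"),              # blocked: the IP is now on the list
]


def simulate(traffic=TRAFFIC, rules=RULES):
    """Run the traffic through a fresh engine; return one decision per request."""
    engine = RuleEngine(rules=list(rules))
    return [engine.handle(ip, path) for ip, path in traffic]


if __name__ == "__main__":
    for (ip, path), (decision, reason) in zip(TRAFFIC, simulate()):
        print(f"{ip:14} {path:28} {decision:5} {reason or ''}")
```

The last two requests are the point of the exercise: after the autoblocking rule fires once, an otherwise harmless request to /index.html from the same address is refused, which is exactly why the guide says to check the rules for conflicts with legitimate requests before relying on autoblocking.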
- Turn on and set Request Frequency security. Use SDAI to set up a general protective layer on your site based on the number of requests to a particular file or to the site overall with the Request Frequency feature. This feature is off by default; manage it under the Rules node > Requests > URL Paths > Request Frequency tab. Select, edit, and enable the default “any_target_pages” rule here to have request frequency checking across the site, and set a requests/second ratio that works for your Web application. For request frequency on a particular page, such as a login page or protected content like images and videos (just a few examples), you will need to create a rule based on the URL Path of the page you want this frequency checking on.
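To make the requests/second ratio concrete, here is an added sliding-window model of a site-wide “any_target_pages” limit beside a stricter limit on one login page. It is illustrative code written for this guide, not ServerDefender AI’s implementation; the guide does not say whether SDAI counts requests per client or site-wide, so counting per client IP is an assumption, and all timestamps and addresses are constructed.

```python
"""Illustrative sliding-window model of Request Frequency rules.  Added
example, not ServerDefender AI code.  Per-client-IP counting is an assumption;
timestamps (seconds) and addresses are constructed."""
from collections import defaultdict, deque


class FrequencyRule:
    def __init__(self, name, target, max_per_second):
        self.name = name
        self.target = target.lower()       # "*" = any page, else a path prefix
        self.limit = max_per_second
        self.windows = defaultdict(deque)  # ip -> timestamps seen in the last second

    def applies(self, path):
        return self.target == "*" or path.lower().startswith(self.target)

    def check(self, ts, ip, path):
        """Record the request; return True if it pushes this client over the limit."""
        if not self.applies(path):
            return False
        window = self.windows[ip]
        while window and ts - window[0] >= 1.0:  # drop requests older than one second
            window.popleft()
        window.append(ts)
        return len(window) > self.limit


def evaluate(events, rules):
    """Return (ts, ip, path, name_of_first_rule_tripped_or_None) for every event."""
    out = []
    for ts, ip, path in events:
        tripped = None
        for rule in rules:  # every rule sees every request so its window stays accurate
            if rule.check(ts, ip, path) and tripped is None:
                tripped = rule.name
        out.append((ts, ip, path, tripped))
    return out


def make_rules():
    return [
        FrequencyRule("login_page", "/login.aspx", max_per_second=3),
        FrequencyRule("any_target_pages", "*", max_per_second=20),
    ]


def sample_events():
    """Constructed traffic, already in time order."""
    events = []
    # one client hitting the login page five times within 0.4 s
    events += [(0.1 * i, "203.0.113.7", "/login.aspx") for i in range(5)]
    # one client fetching 25 different pages within half a second
    events += [(1.0 + 0.02 * i, "198.51.100.4", f"/page{i}.html") for i in range(25)]
    # a normal client retrying its login at a human pace
    events += [(5.0, "192.0.2.10", "/login.aspx"),
               (6.5, "192.0.2.10", "/login.aspx"),
               (8.0, "192.0.2.10", "/login.aspx")]
    return events


def tripped_counts(results=None):
    """How many requests each rule flagged over the sample traffic."""
    if results is None:
        results = evaluate(sample_events(), make_rules())
    counts = {}
    for _, _, _, name in results:
        if name:
            counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for ts, ip, path, name in evaluate(sample_events(), make_rules()):
        print(f"{ts:5.2f} {ip:14} {path:14} {name or '-'}")
    print(tripped_counts())
```

Only the fourth and fifth login attempts and the 21st through 25th page fetches trip a rule; the slow client never does. When you pick a ratio for your own site, measure the burst a real page load produces (images, scripts and stylesheets arrive together) so that the site-wide rule is not tripped by ordinary browsing.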
- Tune the behavioral engine for maximum security. Once SDAI has been trained, it is important to understand how the behavioral engine decides whether future requests are stopped or not. In the Advanced Settings screen (Management -> Services -> ServerDefender AI -> Advanced Settings), you can manage how closely a new request must match either an untrusted or a trusted request in the training database. The lower the sensitivity (less than 100%) to untrusted events, the more likely SDAI will block future similar requests, providing tighter security. The lower the sensitivity, however, the more likely SDAI will generate false positives, and this is where re-testing against the training database is important to find the correct balance for your site. The opposite applies to the trusted sensitivity number. If you set the trusted sensitivity to 100%, the behavioral engine will be more likely to block a new request, since it has to find a trusted event in its training database that matches 100% in order for the request to be considered trusted. If you set it to a smaller percentage, it will block fewer requests that resemble already trusted events.
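The two sensitivity settings pull in opposite directions, and the interplay with the trusted/untrusted classifications you made during training (see the training tip above) is easier to follow with numbers. The following is an added toy model written for this guide, not ServerDefender AI’s engine: the feature extraction (method, path segments, query keys), the Jaccard similarity measure, and the precedence of an untrusted match over a trusted one are all assumptions, and the training entries are constructed. Sensitivities are given as fractions, so 1.0 corresponds to the 100% setting in the text.

```python
"""Illustrative model of trusted/untrusted sensitivity thresholds in a
behavioral engine.  Added example, not ServerDefender AI code: feature
extraction, Jaccard similarity and the untrusted-before-trusted precedence are
assumptions; the training entries and requests are constructed."""
from urllib.parse import parse_qs, urlsplit


def features(request_line):
    """'GET /a/b.aspx?x=1&y=2' -> frozenset of method, path segments, query keys."""
    method, target = request_line.split(" ", 1)
    parts = urlsplit(target)
    feats = {f"method:{method.upper()}"}
    feats |= {f"seg:{s.lower()}" for s in parts.path.split("/") if s}
    feats |= {f"q:{k.lower()}" for k in parse_qs(parts.query, keep_blank_values=True)}
    return frozenset(feats)


def jaccard(a, b):
    """Similarity in [0, 1]: shared features over all features of either request."""
    return len(a & b) / len(a | b) if (a | b) else 0.0


class TrainingDB:
    """The classified training database: two lists of feature sets."""
    def __init__(self, trusted, untrusted):
        self.trusted = [features(r) for r in trusted]
        self.untrusted = [features(r) for r in untrusted]


def scores(request_line, db):
    """Best similarity to any untrusted entry and to any trusted entry."""
    f = features(request_line)
    untrusted = max((jaccard(f, u) for u in db.untrusted), default=0.0)
    trusted = max((jaccard(f, t) for t in db.trusted), default=0.0)
    return untrusted, trusted


def decide(request_line, db, untrusted_sensitivity, trusted_sensitivity):
    """Block on a close-enough untrusted match; otherwise allow only on a
    close-enough trusted match (assumed precedence)."""
    untrusted, trusted = scores(request_line, db)
    if untrusted >= untrusted_sensitivity:
        return "block", f"resembles an untrusted event ({untrusted:.0%})"
    if trusted >= trusted_sensitivity:
        return "allow", f"resembles a trusted event ({trusted:.0%})"
    return "block", f"no trusted event close enough ({trusted:.0%})"


# Constructed training data; "/scripts" echoes the rule conflict discussed above
DB = TrainingDB(
    trusted=["GET /products/list.aspx?id=42&sort=name",
             "GET /products/detail.aspx?id=7",
             "POST /account/login.aspx"],
    untrusted=["GET /scripts/setup.asp",
               "GET /products/list.aspx?id=42&sort=name&admin=1"],
)
REQ_LIST = "GET /products/list.aspx?id=42&sort=date"    # differs from trusted only in a value
REQ_DETAIL = "GET /products/detail.aspx?id=9&ref=home"  # one extra query key vs. trusted

if __name__ == "__main__":
    for req in (REQ_LIST, REQ_DETAIL):
        print(req, "scores (untrusted, trusted) =", scores(req, DB))
        for u, t in ((1.0, 1.0), (0.8, 1.0), (1.0, 0.8)):
            print(f"  untrusted={u:.0%} trusted={t:.0%} -> {decide(req, DB, u, t)}")
```

REQ_LIST is 100% similar to a trusted entry but 83% similar to an untrusted one, so it is allowed at the 100% untrusted setting and blocked (a false positive) once the untrusted sensitivity drops to 80%. REQ_DETAIL is only 80% similar to its nearest trusted entry, so it is blocked at 100% trusted sensitivity and allowed at 80%. Re-checking decisions like these against the training database is what finds the balance the text describes.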
- Review the Product Overview and ServerDefender AI Quick-Start in the Help files after installation. To get familiar with the UI and terms used in SDAI, we highly recommend a review of these help documents and the documentation for the product in general. Help files are only accessible from within an installed SDAI version, but you can also disable SDAI while you review the docs after installation. If you need help on anything at all, please contact Port80 Support directly at http://www.port80software.com/help.