Port80 Software
ServerDefender FAQ



ServerDefender IIS Web Application Firewalls


What is the difference between ServerDefender AI and the upcoming ServerDefender VP products?
Both ServerDefender Artificial Intelligence (AI) and the soon-to-be-released ServerDefender Vulnerability Protection (VP) are Web application firewalls for Microsoft IIS-based Web sites and the application and database servers behind IIS. While both offer coverage from a host of Web application attack vectors, ServerDefender AI offers both signature-based protection (pre-loaded request types to block) and also has the capability to learn from your traffic and turn that data into a powerful anomaly detection system. ServerDefender VP will block many of the same attacks that ServerDefender AI will stop, but ServerDefender VP was designed for customers who want solid protection with a minimum of administrative effort. ServerDefender AI is for customers who want maximum protection and are willing to put in some additional administrative effort to get it, especially when it comes to training the behavioral AI layer for anomaly defense. Also, ServerDefender AI can manage Web app firewalling for multiple servers from one console, while ServerDefender VP's first version will manage one Web server only, not other instances of ServerDefender VP on other machines across the LAN.


Can you give me a basic overview of ServerDefender AI?
ServerDefender Artificial Intelligence or ServerDefender AI is a Web application software firewall that combines conventional application layer defense mechanisms with a behavior-based comparative analysis component founded on automated and assisted learning. ServerDefender AI protects Windows-based Web servers installed with Microsoft Internet Information Services (IIS) from known, new, internal and external system threats and misuse.

ServerDefender AI is designed to overcome the limitations of security products that rely solely on configured rules, policies, and attack signature matching. ServerDefender AI protects IIS from an array of exploits and vulnerabilities including SQL injection, brute force, Denial of Service (DoS), file uploading, cross-site scripting (XSS), directory traversal, parameter manipulation, buffer overflow, parser evasion, high-bit shellcode, printer protocol, remote data services, and other Web-based attacks.

ServerDefender AI is implemented as an ISAPI filter which collects and feeds data through a knowledgebase classification framework. Events that match explicit rules (signatures and other settings) are immediately classified as Trusted or Untrusted depending on the applicable rule. ServerDefender AI immediately blocks Untrusted events (in “Monitoring – Active” security mode) before IIS responds and applies whatever other “Threat Management” policies are configured. ServerDefender AI also leverages a behavior-based analytic engine, the Adaptive Security Engine (ASE), which profiles typical system behavior and identifies and blocks activity that departs from this baseline. ServerDefender AI can identify and prevent any type of activity that could be harmful to the host, regardless of whether it is known (documented) or not (new or unknown threats).

Training Mode
Once installed, ServerDefender AI collects and organizes IIS-specific data (HTTP/HTTPS requests and IP addresses) into clusters that reflect the normal use patterns (both trusted and untrusted) within the server environment (“Training Mode” from Services > Security Mode properties). The process of organizing these clusters is guided through the use of a built-in knowledgebase of published attack signatures. Once the required number of training events has been collected, ServerDefender AI shifts automatically into "Monitoring" mode.

Monitoring Mode
In "Monitoring Mode", ServerDefender AI compares each incoming HTTP/HTTPS request to IIS first against the knowledgebase, to determine whether it matches an existing rule, and then against the established Training Database, to determine whether it falls within an acceptable range of trusted activity. If it does, the request is processed normally. If it does not, ServerDefender AI blocks the request and initiates whatever action(s) have been configured on the Policy > Threat Management properties, ranging from posting an onscreen alert to blocking the untrusted connection or shutting down IIS altogether.

Event Classification
Maintaining ServerDefender AI is simple. Proper classification of events is essential and can be accomplished as Security Alerts are displayed, or during periodic review of the Security Alert Log. After one or more events have been reclassified, the Training Database is "Re-Trained", and ServerDefender AI will remember not only the correct classification of the particular event(s), but also its various characteristics which will be applied to the analysis of other events.


What are the minimum system requirements required to install and run ServerDefender AI?
ServerDefender AI runs on Windows 2000 or 2003 Web servers with Microsoft's Internet Information Services (IIS 5 and 6). ServerDefender AI requires a standard Intel or similar processor (>700 MHz), 64 MB minimum RAM, and at least 15 MB of free disk space.


What is ServerDefender AI’s performance under stress and load? Any incompatibility issues with firewalls or anti-virus applications?
ServerDefender AI’s system throughput is a direct function of the traffic on the particular Web server (volume of HTTP/HTTPS requests to IIS per second) and its CPU. A 2.6 GHz server should be adequate to handle traffic of several dozen connections per second. There are no known compatibility conflicts with any anti-virus or firewall products, and ServerDefender AI is designed to augment these systems by adding Web application firewall protection over HTTP and HTTPS. ServerDefender AI can be operated in a signature-detection-only mode to achieve greater throughput, bypassing the more processor-intensive behavioral learning mode.


How long is the training period for ServerDefender AI?
The initial training phase is determined automatically and commences when ServerDefender AI is first installed. The duration of the initial training phase is determined by considering the specific characteristics of the server environment and related factors such as processor speed, memory and the configurable number of unique events deemed sufficient to establish the baseline database. Typically training is completed within 15 minutes to several hours.


Once trained, does ServerDefender AI require additional training sessions?
Not typically. Administrators can modify the ServerDefender AI knowledgebase, change event classifications, and re-initiate training on the fly. These features enable ServerDefender AI to continuously conform to whatever changes might naturally occur in the environment and become increasingly accurate over time. In cases where a system has been rebuilt or undergone some other significant change, it is advisable to switch the Security Mode to Training or Monitoring – Inactive so that ServerDefender AI has time to assimilate the changes.


I just installed ServerDefender AI and encountered no installation errors, but the service remains down. I have rebooted and checked the ISAPI snap-in, however the ISAPI filter priority is listed as “unknown”. What now?
The IIS service will be down until ServerDefender AI registers the first request. You can manually generate a training event by proactively requesting a page from any local Web site to be protected by ServerDefender AI.


I am trying to test ServerDefender AI locally (on the same machine I have it installed on), but nothing shows up in Training Data or the Security Alert Logs. What is the issue?
If you are testing ServerDefender AI with a browser or load/stress tool from the same local machine that you have ServerDefender AI installed upon, make sure that your internal IP address is not on the Trusted IP Addresses list (ServerDefender AI Settings Manager > YOUR WEB SERVER NAME > Management > Rules > IP Addresses > Trusted IP Addresses). Otherwise, your requests will not show up in Training Data or the Security Alert Log, as Trusted IP traffic is not logged by ServerDefender AI.

Also, if you are concerned about "internal" hackers (employees or partners with access from your LAN), you may not want to trust those internal IP addresses within ServerDefender AI, as you will not be able to log any of those Trusted IP Address requests in ServerDefender AI unless you alter the defaults.


If ServerDefender AI is going through the training process on a server that's already been compromised, won't the training baseline also be corrupt?
ServerDefender AI mitigates this risk by filtering all events generated and captured during the initial training phase against an extensive knowledgebase of commonly known and previously detected threats. Administrators can also manually configure exceptions and specific rules. Basically, malicious events will be identified during training to ensure a clean baseline.


How do I block SQL injection attacks with ServerDefender AI?
After you install ServerDefender AI, the software shifts into Training Mode by default, and you will see requests fill up the ‘Training Data’ node in the Settings Manager tree. To stop SQL injection, we recommend lowering the behavioral engine from its default level of 90% sensitivity for untrusted events to a 50-75% sensitivity level for these types of attacks -- and enabling the option to have ServerDefender AI review URL query string elements (which is off by default). To set the sensitivity, navigate to Management -> Services -> ServerDefender AI -> Properties -> Use Behavioral Engine -> Advanced Settings dialog. The rule of thumb is that the lower the sensitivity setting, the more aggressively the behavioral engine blocks. On the same dialog, check the option to "Include URL Query Strings", and then press OK to save your settings.

You are more likely to see some false positives in this state, and this is where tuning of the training data is required: events are re-classified as trusted or untrusted so that bad traffic is blocked while legitimate requests are allowed to pass ServerDefender AI for processing and response by the IIS Web server. You will need to locate these requests in the training data, either by taking them directly from your IIS logs or from your own penetration testing (basically, re-requesting part of the attack you want to defend against with ServerDefender AI installed on that IIS server). Once you see these requests in the Training Data list, re-classify them by right-clicking each request and labeling it as ‘Untrusted’. From there, ServerDefender AI will extend this knowledge into its behavioral engine and stop future similar SQL injection attacks.


ServerDefender AI is blocking legitimate requests -- is the AI engine failing, and how can I fix this?
This most likely means that one of your legitimate file and/or directory names in the blocked requests matches a current ServerDefender AI signature. For example, ServerDefender AI blocks "/script" by default, to prevent attackers from reaching server-side processed scripts in this common folder name. However, if you keep all of your JavaScript in a /script directory, every legitimate request for files in the /script directory will be blocked while ServerDefender AI is running on default settings. To solve this troubling but minor issue, review the signatures under the Rules > Requests section of the Settings Manager to find the rule that matches, and either delete it or add an exception to the rule that makes sense. If you are having a hard time finding the signature match or would like some help, just send Port80 Support a copy of the URL request that is failing, and we will review it to make sure you are not running into a current signature and to get your legitimate traffic through the ServerDefender AI Web app firewall.
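The training / monitoring / re-training cycle from the overview, the sensitivity and query-string tuning from the SQL injection entry, and the signature exception from the entry just above, as one added illustrative model. This is Python written for this FAQ, not ServerDefender's own implementation; the token-based baseline, the percentage rule that maps sensitivity to a blocking threshold, the signature list and the TRAINING and ATTACK samples are all simplifications assumed here.

```python
import re

# Constructed sample traffic for the example, not data from the page.
TRAINING = ["/index.asp", "/products.asp?id=1", "/products.asp?id=2", "/script/menu.js"]
ATTACK = "/products.asp?id=1 or 1=1 union all select name from users--"

class RequestFilter:
    """Signature rules first, then a baseline of tokens learned from training traffic."""
    def __init__(self, signatures, exceptions=(), sensitivity=90, include_query=False, trusted_ips=()):
        self.signatures = [s.lower() for s in signatures]  # substrings that mark a request Untrusted
        self.exceptions = tuple(exceptions)   # path prefixes exempt from signature rules
        self.sensitivity = sensitivity        # 0-100; lower means stricter anomaly blocking
        self.include_query = include_query    # also inspect the URL query string
        self.trusted_ips = set(trusted_ips)   # requests from these IPs are neither checked nor logged
        self.labels = {}                      # administrator reclassifications: request -> label
        self.baseline = set()                 # tokens seen in trusted training requests
        self.bad = set()                      # tokens learned from reclassified Untrusted events

    def _tokens(self, request):
        path, _, query = request.partition("?")
        text = path + (" " + query if self.include_query else "")
        return set(re.findall(r"[a-z0-9_.]+", text.lower()))

    def signature_match(self, request):
        if request.startswith(self.exceptions):  # e.g. a legitimate /script/ directory
            return False
        return any(s in request.lower() for s in self.signatures)

    def train(self, requests):
        """Build the baseline; signature hits and reclassified attacks never enter it."""
        self.baseline, self.bad = set(), set()
        for r in requests:
            label = self.labels.get(r)
            if label == "Untrusted" or (label is None and self.signature_match(r)):
                continue
            self.baseline |= self._tokens(r)
        for r, label in self.labels.items():  # re-train on reclassified events
            if label == "Untrusted":
                self.bad |= self._tokens(r) - self.baseline

    def classify(self, ip, request):
        if ip in self.trusted_ips:
            return "Trusted"                  # trusted-IP traffic is not inspected or logged
        if self.signature_match(request):
            return "Untrusted"
        toks = self._tokens(request)
        if toks & self.bad:
            return "Untrusted"
        known = 100 * len(toks & self.baseline) / len(toks) if toks else 100
        return "Trusted" if known >= 100 - self.sensitivity else "Untrusted"
```

With the defaults (90% sensitivity, query string ignored) the ATTACK sample passes; at 50% with query strings included it is blocked, and once it is reclassified as Untrusted and the filter is re-trained, a variant with a different id value is blocked even at 90%.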


After I install ServerDefender AI, must I continue to run my existing firewall and other security solutions?
ServerDefender AI is complementary and fully compatible with most other popular security solutions that you may have deployed on your system. ServerDefender AI can detect and prevent many vulnerabilities (e.g. hacks over HTTP and HTTPS) which evade traditional firewalls, as they are not designed to provide this type of protection. ServerDefender AI can also be used to monitor "internal" activities that occur behind the firewall and out of the "line of sight" of typical network security utilities.


What types of data does ServerDefender AI monitor and assess?
This version of ServerDefender AI is designed specifically to protect Microsoft IIS Web servers. ServerDefender AI uses an ISAPI filter to collect IIS-specific request/response variables to conduct anomaly analysis and threat prevention.


Have you pre-configured any specific rules or documented any known threats?
ServerDefender AI includes a comprehensive knowledgebase of known threat profiles or signatures. This knowledgebase is used during initial training to augment the creation of the baseline database.


Does ServerDefender AI actually prevent threats and intrusions?
ServerDefender AI's primary point of differentiation is its effectiveness in detecting known and, most importantly, new or unaddressed threats. ServerDefender AI is configurable to initiate preventative actions to thwart intrusion attempts and other types of misuse by issuing alerts and executing specific preventative actions.


What interface is required to integrate ServerDefender AI with other applications?
ServerDefender AI's Settings Manager is implemented as a Microsoft Management Console (MMC) Snap-in. The data collection component for the service is an ISAPI filter.


ServerDefender AI's user interface looks different from other Port80 Software products. Is it compatible with other Port80 tools?
ServerDefender AI's Settings Manager is implemented as a Microsoft Management Console (MMC) Snap-in, while the majority of Port80 Software's other tools have their own independent user interfaces that do not rely on an MMC snap-in. Functionally, ServerDefender AI works very much the same as other Port80 tools, but you will need to expand nodes in the MMC snap-in and right-click for certain controls, unlike other Port80 products, which have tabbed, exposed UIs. All Port80 Software products are fully compatible with each other and with most third-party tools that extend the IIS Web server.

5252 Balboa Ave, Suite 707 San Diego, CA 92117
858.268.7960 tel | 858.268.7760 fax | 888.4PORT80 toll free
info@port80software.com