Due to the wide functional scopeof both solutions tested, we hadto divide the test into two secti­ons. This section deals with theWeb Application Firewall(WAF); its functions and admi­nistration. Section two looks atthe Identity and Access Manage­ment (IAM) solution.

Airlock WAFThe Airlock WAF works as a re­verse proxy and terminatesHTTP(S) connections. It is con­trolled via a central managementinterface, providing a centralpoint for implementing applicati­on access policies. It also provi­des a large number of powerfulfilter functions, including ICAPcontent filtering and SOAP/XM,AMF and JSON filters. One ofthe top features of the AirlockWAF 7 is API security, with pro­tection of SOAP and REST webservices. Other functions includepolicy learning, dynamic whitelisting, smart form protection,cookie protection and URL en­cryption.

Many functions can also be in­corporated in existing security in­frastructures: Malware scannersfrom third­party providers can beintegrated via ICAP, HSM devi­ces can be added and WAF noti­fications can be sent to SIEM in­stallations. Load balancing andfailover features can also be pro­vided. Ergon Informatik also hasan appliance for companies wan­ting to implement their WAF inhardware form.

FunctionalityIn operating mode the WAFworks between the regular com­pany firewall and the applicati­ons. Production environments,therefore, need interfaces in orderto maintain clear­cut separationbetween incoming and outgoingdata traffic. This is not essentialin test environments. Data trans­fer protection configuration hap­pens via mapping. This is set up

using a clear page within the ma­nagement tool, where the virtualhosts, that represent the protectedapplications to the outside, arelocated on the one side and theapplications to be protected arelocated on the other, in the DMZ.Only ports 80 and 443 are opento the outside.

To secure the application, withthe mouse, users drag lines bet­ween the virtual host, the map­ping and the application requiringprotection, thus configuring thedata transfer routes. Theseconnections can be cut or diver­ted at any time as the need arises.For security reasons, when newmapping is installed, all associa­ted rules are active, initially, toprevent any unwanted data trans­fers. To carry mapping over intoregular operating mode, adminis­trators need to adapt the configu­ration in the next step to ensure

Test subject: Airlock Web Application Firewall 7.0

Powerful protection for

Dr. Götz Güttich

With Airlock Web Application Firewall, Ergon Informatik offers a powerful solution forsecuring web applications. As a general rule, these applications don’t just needprotection from hacking and security breaches, we also need to ensure that only

authorised users have access to the data within them. This is why the manufacturercombines its Web Application Firewall with the ‘Airlock Identity and Access

Management’ authentication solution. Working together, these tools secure the datatraffic between users and applications and also ensure that there is absolute clarity asto which users have access to which applications and functions. This also means that

a central single sign­on infrastructure can be set up. We took a close look at bothproducts in the test lab.

1

web applications

that the desired information canpass through.

Threat handling establishes howthe system deals with policy in­fringements. For example, if theWAF establishes that a user is at­tempting to tamper with the datain a web form, the solution caneither simply generate a log entry

to block the request or end thesession completely.

‘Deny rules’ are a core compo­nent of the Airlock WAF securityconcept. They create a negativesecurity model, operating asblacklists. In the configurationinterface, every deny­rule entry,i.e. every line, represents a groupof rules. However, each groupaddresses a specific hacking att­empt. The ‘exceptions’ entry en­compasses acquired and manual­ly created rules.

When the administrators open agroup in the deny rule configura­tion they will see the various fil­ters. They have different securitylevels. As strict filters generatemore false positives than filtersthat are not, it makes sense for

operational purposes only to setthe security level very high whe­re absolutely necessary. Securitylevels are therefore dependent onthe application requiring protecti­on and individual data protectionrequirements. It is also importantto know whether hacking can co­me anonymously from the Inter­net, on a login page, for example,

or if there has already been a lo­gin and the user is known to thesystem. The manufacturer has al­ready pre­defined a large numberof rule groups for all types ofhacking. If the need arises, userscan add their own custom rules atany time.

The testTo run the test we installed Air­lock WAF in our test lab, linkedit up to the IAM solution mentio­ned before and set both productsrunning. For the purposes of thetest we used the WAF to secureaccess to the web interface of thePaessler PRTG network monito­ring solution we use here in thetest lab. We also used a test envi­ronment provided by the manu­facturer with a bookshop as theapplication needing to be secured

in order to take a close look at thefunctionality of the WAF.

InstallationThe Airlock WAF is based onCentOS 7. After downloadingthe installation ISO file from themanufacturer’s website we inte­grated it as a boot medium in avirtual machine running withVmware ESXi 6.5 Update 1.The virtual machine had a CPUwith a 2.6 GHz cycle frequencyand four cores, eight gigabytes ofRAM and 60 gigabytes of harddisk space. After the system star­ted from the ISO image we se­lected the ‘Install Airlock WAF’boot menu item. As is usual withCentos, the ‘Anaconda’ installa­tion manager came up right away.Before the actual installation be­gan we had the option to adaptthe configuration to suit the ma­nagement interface. The systemdid take a functioning configura­tion from our DHCP server but itwould be sensible in most casesto give the WAF to a dedicated IPaddress, which we did here. Wethen specified the destinationdisk for the installation, whichwas easy, as our VM only had avirtual hard disk, and acceptedthe pre­defined partitioning – thiscan also be adapted as required.Finally, we set the time zone andthe root password and defined auser for the configuration tool.The installation then started, andthe whole process took aroundten minutes in all. When the set­up was complete, we importedthe latest updates to bring our in­stallation completely up to date.

Initial configuration stepsAfter running through the setup,we accessed the WAF manage­ment tool via the URL: https://IP adress of the management in­terface. We then logged in with

2

Installing the WAF should not present IT administrators with any insurmoun­

table obstacles

our pre­generated credentials andwent to ‘System Setup’ to uploadour licence.

We were then ready to secure ac­cess to our first web application.All we needed to do was to go tothe management tool in the ‘Ap­plication Firewall’ menu on the‘Reverse Proxy’ page and enterthe application server with its IPaddress and a port number as the‘backend server’. If DNS nameresolution already exists on thenetwork, you can enter the sys­tem name instead of the IP ad­dress.

As soon as the ‘Reverse Proxy’has been defined, it’s time to setup a new virtual host to receiveincoming requests. Definition isvia a fully qualified domain na­me and an IP address with net­work mask. To encrypt data traf­fic via HTTPS, relevant employ­ees can also add a certificate atthis point.

Having done that, we configuredthe mapping between the virtualhost and the backend server. Asalready mentioned, this takesover the link between the virtualhost and the backend application,implementing the security logic.It must include an entry and a ba­ckend path. The entry path is thepath that users access via theirbrowser and the backend path isthe path via which the WAFsends requests. This leaves a lotof configuration options open. Soyou could have symmetricalmapping, where an entry path ta­kes data to an application or partof one, in order that you can se­cure whole applications or justcertain sub­pages. Alternatively,you can also have asymmetricalmapping, where a virtual host ta­kes different entry paths such as

‘/Application1’, ‘/Application2’and similar data, which are thensent on to various backend ser­vers with different applications.In the test we first configuredsymmetrical mapping with themanufacturer’s default details.To ensure that data transferswouldn’t be blocked we set thepreviously mentioned threathandling at ‘Log only’. This is agood idea for new mapping, asthe relevant employees can thenanalyse what would happen if theWAF blocking rules were, in fact,active. This prevents unwantedactivity and the necessary adapta­tions can be made.

Finally, we used the mouse tocreate the said links between themapping, server and host. Oncewe had activated our changes onthe WAF, the system was readyto go and we were able toconnect to the virtual host.

Important functionsBefore we look at how the WAFworks in practice, let’s take ano­ther quick look at the product’smajor features. It’s opportune totalk about protection against in­jection hacking like SQL injecti­on and XSS protection againsthacking in the form of forcefulbrowsing. Forceful browsing iswhen the hacker tries to gain ac­cess to protected pages or obtainsensitive information by enteringyour URL directly into theirbrowser’s address list. Unprotec­ted systems provide an opportu­nity to use this method to gainaccess to content that would nor­mally only be available after au­thentication, or acquire detailedinformation about the configura­tion of the web server in questi­on. The Airlock WAF offers aURL encryption function for pre­venting forceful browsing. This

means that, in operating mode,encrypted URLs are only valid inthe current session when in ope­ration mode. We will look at thisfeature in more detail later in ause case.

On the other hand, smart formprotection secures web applicati­on forms against tampering du­ring runtime. The WAF also en­sures that user data matches thedetails on the application’s origi­nal form. This prevents hackersfrom adding a fifth parameterwhen hoping to tamper with aninput form that only requiresfour. This feature also protectspreset values from tampering. Wewill also look at this again in ause case.

DyVEDynamic Value Endorsement(DyVE) is a function that sear­ches dynamically through JSONobjects delivered by backends forvalues permitted for the currentuser session. The parameters orJSON attributes of any subse­quent requests, such as RESTAPI calls, can then be checkedfor the use of reliable values.DyVE can also stop hackerschanging an account number in atransfer and tampering with onli­ne banking. Session fingerprin­ting notices changes in browsersand IP addresses used. Combi­ned with login information andthe like that the system obtainsfrom the IAM solution, it is flag­ged in operating mode if a logincomes from say Frankfurt at 9.00am and then Bangkok at 9:12 am.In this scenario, the system canbe configured so that a secondauthentication factor, such as asecurity question, is added auto­matically for the second login,ensuring that unauthorised userscan’t gain application access.

3

Policy LearningIf the policy learning function isactivated the WAF checks andanalyses data traffic and indicateswhat has been sent, from whereand to which location. It alsosuggests which rules should beimplemented to increase the se­curity level. Administrators canthen accept, modify or rejectthem. This function is useful foradapting the configuration to de­tailed requirements.

Allow RulesAllow rules in operating modedetermine which requests arepermitted. They therefore consti­tute white lists. Allow rules areused for analysing HTTP re­quests. Deny rules are usedwhen an allow rule has permitteda request. The Airlock WAF alsooffers an allow rule learningfunction which can be used to re­cord all details during a loginprocedure and converts them intorules that IT managers can thenaccept.

Working with labelsIn practice most companies use alarge number of the said map­pings – this can exceed 500 inmany environments – in theirconfiguration for controlling datatransfer between the virtual hostsand the applications that need se­curing. IT staff have the option oflabelling them to obtain a clearview of the mapping and makeinput configuration easier.

For example, there is the optionto label an Exchange or Share­Point input with ‘Microsoft’ oran Exchange 2016 input with‘test environment’ and an Ex­change 2013 input with ‘productenvironment’. When an admi­nistrator enters the label in theoverview search line the system

shows them the relevant map­ping. The labels can be combinedin all sorts of ways, making this avery powerful feature for IT ma­nagers as it makes configurationhighly transparent. For example,if an IT person wants to changethe security level for all Micro­soft applications within a compa­ny, all they need to do is enter theMicrosoft label in the search fieldand then change the security le­vel once for all entries. We hadno problems with this functionduring the test.

MonitoringWhen it comes to reporting andlogging, as already mentioned,the Airlock WAF not only mana­ges the transmission of informati­on to SIEM solutions, with logformats JSON and CEF, but alsooffers a log viewer with filters,and dynamic display of relevantand pre­defined searches. Thiscomes with various dashboardsand the option to run your ownevaluations. Once in the logviewer, you can also run drilldown procedures right down toactual log entries. A map is alsoincluded in the monitoring tools.When administrators zoom in onit they will see further details of

the regions accessed, tellingthem, for example, if most of thehacking attempts in the last hourcame from a particular country orcity.

The Airlock WAF in practiceFor the next part of the test weused the demo environment withthe bookstore, as previouslymentioned. It was called ‘Buggy­Book’ and, as the name suggests,has a large number of differentsecurity breaches. We startedwith a close look at the form pro­

tection function. We logged intothe unprotected bookstore asusers and bought a book. Therewas a minus in our account. Torectify the minus, we switched toaccount management and entereda voucher code in ‘Voucher’ thatwas worth 50 euros in the book­store. The online applicationthen showed us a confirmationpage with the amount of creditthat the voucher would give usand enabled us to add it to ouraccount by clicking ‘Confirm’.This worked perfectly.

At the next stage we repeated thisprocedure but did not click ‘Con­firm’ on the confirmation page

4

Mapping configuration defines data flow between the virtual host and the app­

lication requiring protection

but went to the developmenttools in our browser and lookedfor the value in the source codethat determined the voucheramount. We used the develop­ment tool to change this from 50to 5,000 euros and then clicked‘Confirm’.

The browser then sent this valueto the application. Where it hadno protection mechanism forcomparing the confirmed valuewith the original voucher value,it credited our account with 5,000euros without any problem at all.The ‘BuggyBook’ test applicati­on was therefore in urgent needof the security functions providedby the WAF.

To plug up the security breach re­vealed in this way without mo­difying the store application weactivated form protection in theWAF that prevents precisely thiskind of activity. When we repea­ted our attempt at fraud with acti­ve WAF protection in place, theWAF blocked the transfer of theincorrect parameter and recordedthe whole procedure in its log fi­les.

In the next use case we appliedthe Cross Site Scripting protecti­on function. We also sent a mes­sage to another user from ourbookstore user account via theinternal message function.

When we sent the message, weentered a script in the subjectfield for selecting the user’s ses­sion cookie information. Whenwe then logged in as the otheruser and accessed the message apopup appeared with the user’ssession information. Scripts areoften used for hacking unsecuresystems like this. The WAF re­pels scripting hackers via its de­

ny rules. So, in the next stage, weactivated a deny rule configurati­on that would recognise suspi­cious patterns in data transfers.The configuration then analysedthe transmitted fields and the pa­rameters contained in them. If adeny rule recognises a pattern,for example JavaScript, it blocks

the request immediately. This al­so works for JSON structures.

Once our new configuration wasactive, we attempted the samehack again. The WAF blockedthe request and recorded the acti­vity in the log files.

We then attempted a forcefulbrowsing hack via the browser.We entered the URL: “https://IP adress of the server /Bookstore / help / index.html?page=../ ../ WEBINF /web.xml;.The browser provided us with va­rious details about the systemconfiguration that we might usefor further hacking attempts.

The WAF URL encryption func­tion prevents this type ofhacking, encrypting target URLsat session level and ensuring thatnobody can access specific tar­

gets on the server. After we hadactivated this feature, the systemdiverted our attempt at access tothe web shop home page, so nodamage was done.

ConclusionWe were very impressed with thewide range of functions offered

by the Airlock WAF during thetest. When configured correctly,it ensures that everything arrivingat the application requiring pro­tection has been filtered and allpotential threats have been remo­ved.

This means that hackers don’t getanything at all from protectedapplications. In spite of the widerange of functions the manage­ment interface was relativelystraightforward, enabling securityadministrators to get to grips withthe solution quickly. While run­ning the test we were particularlyimpressed by the comprehensivereporting and logging, API secu­rity, smart form protection andURL encryption. Administratorswho have an urgent need to secu­re their applications from theoutside really ought to take alook at the Airlock product.

5

Individual deny rule filters were assembled in groups. A specific security level

can be set for each group.