QualysGuard® WAF Getting Started Guide March 19, 2014
Verity Confidential
Copyright 2014 by Qualys, Inc. All Rights Reserved. Qualys, the Qualys logo and QualysGuard are registered trademarks of Qualys, Inc. All other trademarks are the property of their respective owners. Qualys, Inc. 1600 Bridge Parkway Redwood Shores, CA 94065 1 (650) 801 6100
Contents

Why Use a Web Application Firewall? .... 4
The Qualys Advantage .... 5
Set Up Your WAF .... 6
    Create a New WAF .... 6
    Create Security Policies .... 7
    Create a New Site .... 8
    Check Your Deployment Status .... 10
    What’s next? .... 10
Deploy Your WAF in Amazon EC2 .... 11
    Launch a New EC2 Instance .... 11
        Go to your Amazon EC2 Dashboard and launch an instance .... 11
        Step 1: Choose the WAF AMI .... 12
        Step 2: Choose Instance Type .... 12
        Step 3: Configure Instance .... 13
        Additional steps (optional) .... 13
        Launch your WAF AMI instance .... 13
    Add Your WAF AMI to the Load Balancer .... 14
        Step 1: Create an HTTP Load Balancer Instance .... 14
        Step 2: Set up your Health Checks .... 14
        Step 3: Add Your WAF Instance in the Cluster .... 15
        Step 4: Redirect Your Traffic to the Load Balancer Hostname .... 15
Deploy Your WAF in VMware .... 16
    Start Your vSphere Client .... 16
    Choose the Source .... 16
    Verify the Virtual Appliance Details .... 17
    Select a Name .... 17
    Other Configurations .... 17
    Configure Properties .... 18
        Application .... 18
        Networking Properties .... 18
    Verify Your Virtual Appliance Settings .... 19
    Test the availability of your site through WAF .... 19
Check Your WAF Status and Events .... 20
Contact Support .... 21
Why Use a Web Application Firewall?

HTTP(S) is the foundation of data communication for the World Wide Web, and functions as a request-response protocol for communications. Mobile apps, cloud computing, API communications, Intranet applications and webmail are common tools we use every day. These applications are all communicating over HTTP(S).
Qualys provides applications that allow you to scan for and identify vulnerabilities - QualysGuard Vulnerability Management (VM) and QualysGuard Web Application Scanning (WAS). Experience shows that patching web site source code can take longer than expected, depending on the affected component, development resources, and how agile the company is in applying and validating software updates. That’s why Qualys is now introducing a new application - Web Application Firewall (WAF). This is an immediate remediation tool that can protect your web applications against attacks and gives your development team time to fix important security issues. Using the WAF application, users can deploy multiple web application firewall instances. Each firewall consists of a virtual appliance that is configured to reverse proxy your HTTP(S) traffic. This appliance will be located in your virtualization platform (Amazon EC2 or VMware) and will be instantiated from a Qualys machine image. We’ll walk you through the steps in this user guide.
The Qualys Advantage

Qualys offers a powerful, next generation web application firewall that uses an always-up-to-date security ruleset to secure your web applications. This modern firewall uses a cloud-based approach and provides a classic mode of operation and deployment. All security events are routed through the QualysGuard Cloud Platform. They are continuously monitored and analyzed by our security researchers in order to compute the best ruleset for blocking the latest attacks and zero-day vulnerabilities. QualysGuard WAF users set up security policies based on rules to filter, monitor, block and report on events.
Set Up Your WAF

A WAF is a web application firewall instance that is configured to monitor one or more of your sites. It’s easy to get started. Log in to QualysGuard and choose WAF from the application picker to go to the WAF application. (If you don’t see the WAF option, please contact your Technical Account Manager to enable the feature.)
Create a New WAF

Go to Sites > WAFs and click the New WAF button.
Give your WAF instance an arbitrary name and click Finish. You’ll see the new instance in the WAFs list. Notice the registration token. You’ll use this to instantiate your Amazon EC2 or VMware virtual appliance - we’ll show you how to do this later.
QualysGuard WAF Getting Started Guide Set Up Your WAF
Create Security Policies

You'll be prompted to assign a security policy to each site you configure for WAF monitoring. A security policy is a set of security configurations that you apply to your sites. We provide a security policy to get you started, and you can configure others. Go to Configuration > Security Policies and click the New Policy button.
Follow the wizard to make the settings. Tip: You might want to turn help tips on (in the title bar) to display them when you hover over field names.

Application Security - Set the sensitivity level to be applied for certain event types.
Information Leakage - Choose options for server cloaking, sensitive header suppression, error messages and sensitive file requests.
HTTP Protocol - Configure HTTP protocol analysis for the policy.
Declarative Security - Configure settings for cookie protection, content-type sniffing and browser cross-site scripting.
Access Control - Set the rules for responding to traffic based on origin - country, IP, URL path, etc.
Policy Controls - Set the response level you want to apply to detected threats.
Create a New Site

This is your web site that will be monitored by your web application firewall. Go to Sites > Site Management and click the New Site button. Use the wizard to configure your WAF.

Configure Network Settings
Tell us the site's primary and secondary URLs (secondary URLs are aliases or other names which might be used by your users to address your site). Also enter the IP address of your site's origin server.
Configure SSL Support
If your site’s primary or secondary base URL uses the HTTPS protocol, upload your SSL certificate in PEM format. You can upload it from your file system or just drag and drop it into the wizard. If your private key requires a passphrase, select the check box, enter and confirm your passphrase, then upload your private key in PEM format together with the chained intermediate certificates.
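A mismatched key, a wrong passphrase or an incomplete intermediate chain is the most common reason an HTTPS site fails to come up behind a reverse proxy, so it is worth checking the three PEM files fit together before handing them to the wizard. The following POSIX shell script is an added example, not part of the Qualys guide or product. It uses the openssl command-line tool to confirm that the private key decrypts with the given passphrase, that it matches the certificate's public key, and that the certificate is issued by something in the chain file. The make_demo_bundle function writes a throwaway self-signed certificate for www.example.com as constructed test data; both function names are this example's own.

```shell
#!/bin/sh
# Added example (not Qualys tooling): sanity-check a PEM certificate,
# private key and intermediate chain before uploading them to the WAF
# New Site wizard. Requires the openssl command-line tool.

# check_pem_bundle CERT KEY CHAIN [PASSPHRASE]
# Returns 0 when CERT is a PEM X.509 certificate, KEY can be read with
# PASSPHRASE (the passphrase is ignored for an unencrypted key), the key's
# public key matches the certificate, and CERT verifies against CHAIN.
# Prints the first problem found and returns 1 otherwise.
check_pem_bundle() {
    cert=$1 key=$2 chain=$3 pass=${4-}

    openssl x509 -in "$cert" -noout 2>/dev/null \
        || { echo "not a PEM X.509 certificate: $cert"; return 1; }

    openssl pkey -in "$key" -passin "pass:$pass" -noout 2>/dev/null \
        || { echo "private key unreadable (bad PEM or wrong passphrase): $key"; return 1; }

    # Compare SHA-256 digests of the DER-encoded public key taken from the
    # certificate and derived from the private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey \
               | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout -outform DER 2>/dev/null \
              | openssl dgst -sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "private key does not match certificate"; return 1; }

    # -partial_chain lets a chain file that holds only intermediates (no
    # root) act as the trust anchor, which is what the wizard expects you
    # to upload; a self-signed certificate can serve as its own chain.
    openssl verify -partial_chain -CAfile "$chain" "$cert" >/dev/null 2>&1 \
        || { echo "certificate does not verify against chain: $chain"; return 1; }
    return 0
}

# make_demo_bundle DIR PASSPHRASE
# Writes a throwaway self-signed certificate and passphrase-protected key
# for www.example.com into DIR. Constructed test data only.
make_demo_bundle() {
    openssl req -x509 -newkey rsa:2048 -days 1 -subj "/CN=www.example.com" \
        -keyout "$1/key.pem" -out "$1/cert.pem" -passout "pass:$2" 2>/dev/null
    # The self-signed certificate doubles as the chain for the demo.
    cp "$1/cert.pem" "$1/chain.pem"
}

# Stand-alone use: sh check_pem.sh cert.pem key.pem chain.pem [passphrase]
if [ $# -ge 3 ]; then
    check_pem_bundle "$@" && echo "bundle OK"
fi
```

Saved as, for example, check_pem.sh, it is run as `sh check_pem.sh cert.pem key.pem chain.pem 'passphrase'`. Because the chain check uses -partial_chain, it only confirms that the leaf certificate was issued by a certificate present in the chain file; whether those intermediates lead to a root your users' browsers trust is a separate check against the system trust store.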
Apply a Security Policy and Access Control Rules
Choose a security policy and define access control rules for responding to traffic based on date and time or origin - country, IP, URL path, etc.
Select a WAF
Select the WAF that will monitor this site (this is the WAF you already created). It’s possible for multiple WAFs to monitor a site.
Check Your Deployment Status

Go to Sites > Site Management to see your new site.
The status icon next to the site indicates that your site is “inactive”. This is because the WAF for this site has not yet been deployed in your virtualization platform - Amazon EC2 or VMware.
What’s next?

You’ll need to deploy your WAF in your virtualization platform - Amazon EC2 or VMware. This takes just a couple of minutes - we’ll walk you through the steps.
Deploy Your WAF in Amazon EC2

Follow the steps below to deploy your WAF instance in Amazon EC2 and configure your DNS. You’ll need to funnel traffic through the WAF by changing your DNS. Once you complete these steps, we’ll start monitoring your site for security violations. Your WAF will start making outbound connections to the QualysGuard Cloud Platform for regular health checks - these confirm the WAF is properly configured and has the latest software.
Launch a New EC2 Instance

Go to your Amazon EC2 Dashboard and launch an instance.
Step 1: Choose the WAF AMI
Click My AMIs and then select the QualysGuard WAF AMI. Tip - Use the search box to find this quickly. Just enter “WAF” and press Enter.
Don’t See the Qualys WAF AMI? Please contact your Technical Account Manager or our Support Team for assistance.

Step 2: Choose Instance Type
You’ll choose from a wide variety of instance types.
Select an instance type and then click Next: Configure Instance Details.
Step 3: Configure Instance
Open Advanced Details. In the User Data field, enter your WAF registration token and other properties as appropriate.

RNS_TOKEN (Required) - Enter the WAF registration token in this format: RNS_TOKEN=your_token. You can find this token by going to the WAFs list (Sites > WAFs).
RNS_URL - This is the URL of the QualysGuard Cloud Platform hosting your QualysGuard account. Enter the URL in this format: RNS_URL=https://rns.qualys.com
PROXY_URL - If the WAF needs to connect to the QualysGuard Cloud Platform through an HTTP proxy, enter the URL of the proxy in this format: PROXY_URL=proxy_url
WAF_SSL_PASSPHRASE - If your site’s primary or secondary base URL uses the HTTPS protocol and your private key requires a passphrase, enter the passphrase in this format: WAF_SSL_PASSPHRASE=passphrase
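If you launch the appliance from a script rather than the console, the same properties are passed with the AWS CLI's --user-data option. The following POSIX shell script is an added example, not Qualys tooling and not a workflow the guide itself describes: it composes the User Data from the four properties above, validates the file before launch, and shows the run-instances call that passes it in. It assumes the appliance reads user data as newline-separated KEY=value lines, which the RNS_TOKEN=your_token format suggests but the guide does not state. The AMI id, instance type, subnet and security group are placeholders, the demo token is constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not Qualys tooling): build, validate and pass the WAF
# registration properties as EC2 User Data. Assumption: the appliance
# parses newline-separated KEY=value lines.

# write_waf_user_data TOKEN RNS_URL [PROXY_URL] [SSL_PASSPHRASE]
# Prints the User Data to stdout; optional properties are omitted when empty.
write_waf_user_data() {
    token=$1 rns_url=$2 proxy_url=${3-} ssl_pass=${4-}
    printf 'RNS_TOKEN=%s\n' "$token"
    printf 'RNS_URL=%s\n' "$rns_url"
    [ -n "$proxy_url" ] && printf 'PROXY_URL=%s\n' "$proxy_url"
    [ -n "$ssl_pass" ] && printf 'WAF_SSL_PASSPHRASE=%s\n' "$ssl_pass"
    return 0
}

# validate_waf_user_data FILE
# Returns 0 when RNS_TOKEN is present and non-empty, RNS_URL and PROXY_URL
# (if given) are http(s) URLs, and only the four documented keys appear.
# Prints the first problem found and returns 1 otherwise.
validate_waf_user_data() {
    file=$1
    grep -q '^RNS_TOKEN=..*' "$file" \
        || { echo "RNS_TOKEN is required and must not be empty"; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        key=${line%%=*}
        value=${line#*=}
        case $key in
            RNS_TOKEN|WAF_SSL_PASSPHRASE) ;;
            RNS_URL|PROXY_URL)
                case $value in
                    http://*|https://*) ;;
                    *) echo "$key must be an http(s) URL, got: $value"; return 1 ;;
                esac ;;
            *) echo "unknown property: $key"; return 1 ;;
        esac
    done < "$file"
    return 0
}

# launch_waf_instance USERDATA_FILE
# Hands the file to the AWS CLI. Not invoked automatically: it needs AWS
# credentials, and every id below is a placeholder for your own values
# (the AMI id is the QualysGuard WAF AMI from My AMIs; the instance type is
# whatever you chose in Step 2).
launch_waf_instance() {
    aws ec2 run-instances \
        --image-id "${WAF_AMI_ID:-ami-PLACEHOLDER}" \
        --instance-type "${WAF_INSTANCE_TYPE:-m3.medium}" \
        --subnet-id "${WAF_SUBNET_ID:-subnet-PLACEHOLDER}" \
        --security-group-ids "${WAF_SG_ID:-sg-PLACEHOLDER}" \
        --user-data "file://$1"
}

# Demo run: `sh waf-userdata.sh --demo` writes and validates a sample file.
if [ "${1-}" = "--demo" ]; then
    f=$(mktemp)
    # "0123456789abcdef" is a constructed token, not a real registration token.
    write_waf_user_data "0123456789abcdef" "https://rns.qualys.com" > "$f"
    validate_waf_user_data "$f" \
        && echo "user data written to $f; launch with: launch_waf_instance $f"
fi
```

Keep in mind that EC2 user data is not secret storage: it is readable by any principal with ec2:DescribeInstanceAttribute on the instance and from inside the instance through the instance metadata service, so a WAF_SSL_PASSPHRASE placed there deserves the same handling as any other credential stored in plaintext.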
Additional steps (optional)
You might want to add storage, tag the instance and configure security groups.

Launch your WAF AMI instance
Be sure to wait until the WAF AMI status is green (this means it’s running). Then you’re ready to add the AMI instance to the EC2 load balancer (see the next section).
Add Your WAF AMI to the Load Balancer

Step 1: Create an HTTP Load Balancer Instance
Step 2: Set up your Health Checks Choose the TCP Ping Protocol option. Later, when your site is online, you can choose a URL for a comprehensive health check.
Step 3: Add Your WAF Instance in the Cluster Click the Select check box beside your WAF instance to add it to the load balancer. Your load balancer is now created and will soon be able to handle requests.
Step 4: Redirect Your Traffic to the Load Balancer Hostname Test the availability of your site through the load balancer. Once confirmed, you’ll need to alias your DNS entries to the Amazon EC2 load balancer you just created.
Deploy Your WAF in VMware

Follow the steps below to deploy your WAF instance in VMware and configure your DNS. You’ll need to funnel traffic through the WAF by changing your DNS. Once you complete these steps, we’ll start monitoring your site for security violations. Your WAF will start making outbound connections to the QualysGuard Cloud Platform for regular health checks - these confirm the WAF is properly configured and has the latest software.
Start Your vSphere Client
Choose “Deploy OVF File”. This starts the OVA Template wizard.
Choose the Source
Browse to the downloaded OVA and select it (or enter the URL where the OVA can be downloaded).
Verify the Virtual Appliance Details
Select a Name
A default name for your WAF instance is provided by the WAF image file. You have the option to provide your own arbitrary name.
Other Configurations
For other configurations, select settings appropriate for your environment: Location, Storage, Disk Format and Network Mapping.
Configure Properties
Enter your WAF registration token and other properties as appropriate.

Application
RNS_TOKEN (Required) - Enter the WAF registration token. You can find this token by going to the WAFs list (Sites > WAFs).
RNS_URL - This is the URL of the QualysGuard Cloud Platform hosting your QualysGuard account. Please enter https://rns.qualys.com
PROXY_URL - If the WAF needs to connect to the QualysGuard Cloud Platform through an HTTP proxy, please input the URL of the proxy here.
WAF_SSL_PASSPHRASE - If your site’s primary or secondary base URL uses the HTTPS protocol and your private key requires a passphrase, please input your passphrase here.
WAF_USER_DATA - This property is currently unused.
Networking Properties
Leave these blank if you want a local DHCP server to assign an IP address, netmask, gateway and DNS servers to the WAF instance. Otherwise, supply appropriate values for your environment.
Verify Your Virtual Appliance Settings
Review the settings and click Finish.
Test the availability of your site through WAF
Once you have confirmed the site is reachable through the WAF, you’ll need to alias your DNS entries so that traffic to your origin infrastructure is directed through the WAF.
Check Your WAF Status and Events

We recommend you check to be sure the WAF you’ve created has an active status. Once your WAF instance is running in your virtualization platform the status will be active.
Once your WAF is active, we’ll start monitoring your site for security violations according to the policies you’ve applied to the site. You’ll see security violations listed as events. To view your events, click Events in the top menu bar.
To discover more about an event, hover over an event and choose View Event Details from the Quick Actions menu.
Contact Support

Qualys is committed to providing you with the most thorough support. Through online documentation, telephone help, and direct email support, Qualys ensures that your questions will be answered in the fastest time possible. We support you 7 days a week, 24 hours a day. Access online support information at www.qualys.com/support/.