How to Setup Total Application Security
1 Confidential | Copyright © 2016 Indusface | All Rights Reserved
TABLE OF CONTENTS
Access Total Application Security on AWS Marketplace ..... 2
Configuring Total Application Security ..... 12
Total Application Security – Portal Access ..... 17
Indusface Total Application Security Portal Tour ..... 19
  Summary ..... 19
  Detect ..... 20
  Protect ..... 21
  Monitor ..... 22
Appendix A: Creating new Security Group ..... 23
Appendix B: SSL Configuration ..... 27
  Steps to follow with other file formats (P12, PFX, PEM, JKS) ..... 27
  Steps to follow with .crt format files ..... 28
Appendix C: Routing Traffic ..... 29
Access Total Application Security on AWS Marketplace
1. Visit the AWS Marketplace at https://aws.amazon.com/marketplace, open the Total Application Security: Scan, Pen-Testing, Managed WAF & DDoS page, and click GO.
2. Read the What is the correct instance type for my website? link under the Resources section to determine the right instance for your website, then click Continue.
3. Click 1-Click Launch tab.
4. In the Software Pricing widget, select Subscription Term and Applicable Instance Type.
5. In the Version widget, select the default version.
6. In the Region widget, click the Region drop-down box to select the region that will host the AMI. This region determines which subnets and VPCs can be used for the AMI.
7. In the EC2 Instance Type widget, select an instance of your choice. Not sure which instance type to select? An Instance Selection Guide is also available.
8. Now under the VPC Settings widget, do one of the following:
  a. Click the VPC drop-down box to select the VPC ID in which to deploy the instance. The Subnet drop-down will appear; select the appropriate subnet.
  b. To create a new VPC, click Create a VPC.
     Note: If the subnet is private, provide the NAT router and Gateway details.
  c. Click the VPC drop-down box and select EC2 Classic.
9. Create a Security Group (see Appendix A) and, in the Security Group widget, select the created security group from the drop-down.
Note: A security group is a set of firewall rules that control traffic for a particular instance. Click Security Groups for more information.
Inbound rules required by site type:
  For HTTP Website: HTTP, SSH, Port (8080)
  For HTTPS Website: HTTPS, SSH, Port (8080)
  For HTTP & HTTPS websites: HTTPS & HTTP, SSH, Port (8080)
Connection Method   Protocol   Port Range    Source (IP or Group)
HTTPS               TCP        443 - 443     0.0.0.0/0
HTTP                TCP        80 - 80       0.0.0.0/0
Custom TCP Rule     TCP        8080 - 8080   0.0.0.0/0
SSH                 TCP        22 - 22       Public IP of your Company
10. Click the Key Pair drop-down to select a Key Pair. The key pair ensures that only you have access to the Total Application Security instance.
11. Click Accept Terms & Launch with 1-Click.
Note: If you are an existing AWS customer, the button will be labeled as Launch with 1-Click.
12. A confirmation pop-up page will appear; follow the on-screen instructions. Click the AWS Management Console link on the page.
13. The Resources page will appear; click Running Instances.
14. The Instances page will appear. Sort the table by launch timestamp to identify the most recent instance you launched.
15. Under the Name column, provide a name for the instance.
16. Make a note of the launched Instance ID.
17. In the left navigation pane, under NETWORK & SECURITY, click Elastic IPs to create a static IP for your instance.
18. Click Allocate New Address.
19. The Allocate New Address pop-up will appear. Select an option from the EIP used in drop-down and then click Yes, Allocate.
20. The Allocate New Address pop-up window will appear with the Elastic IP. Click View Elastic IP to see the assigned IP.
21. The allocated Elastic IP will appear. Click Actions, select Associate Address and do one of the following:
  a. If it is an EC2 environment, enter the Instance ID in the Instance text box and then click Associate.
  b. If it is a VPC environment, enter the instance ID or network interface in the Instance/Network Interface text box and click Associate.
22. In the navigation pane, click Instances. Examine the Status Checks and ensure that the status has changed from Initializing to 2/2 checks passed. Make a note of the Public IP address.
23. Enter your public IP as <Public IP>:8080 in the browser to open the TAS Domain Registration page. Your AMI has been launched successfully and configured with the Public IP address. The next step is to configure TAS on the AMI instance.
Configuring Total Application Security
1. Enter the public IP as <Public IP>:8080 in the browser to open the TAS Domain Registration page.
2. Provide the Domain Name in the Domain Name (URL) text box; the Web Application IP address will appear automatically in the IP Address Of Website text box.
For HTTPS Website
1. Select the HTTPS Site? check box, select one of the options for SSL termination, and then click CONFIGURE.
  a. Select SSL terminates at WAF to set up HTTPS communication up to the WAF. Upload the SSL Certificate to the WAF and route the traffic through the WAF.
  b. Select SSL terminates outside of WAF to set up HTTPS communication up to the Load Balancer and use the respective IP address for the Routing Change.
2. The Indusface TAS - WAF Status page will appear. Click the icon to change the domain details in the TAS Domain Registration page if required.
3. Perform the SSL Configuration and Routing Configuration steps (Appendix B and Appendix C) to secure your website.
Note: This will help you with configuring the traffic routing change and other configurations. Without configuring them, you cannot use the TAS facilities such as viewing attacks and vulnerabilities, measures to protect, and assistance from the managed security service.
4. Refresh the Indusface TAS - WAF Status page; the Configuration Status will turn green if the Routing and SSL Configuration were successful. If any attacks happened to the website, the Last Attack column will display the date and time of the attack encountered.
5. Click the icon to view the website logs.
6. Your domain is now configured with the Total Application Security – Web Application Firewall AMI. Click the Click here link to register with the Indusface Web Application Firewall portal in order to get detailed insights on detected vulnerabilities, DDoS attacks, application attacks and 24/7 security expert support.
For HTTP Website
1. Provide the Domain Name in the Domain Name (URL) text box; the Web Application IP address will appear in the IP Address Of Website text box. Then click CONFIGURE.
2. The Indusface TAS - WAF Status page will appear. Click the icon to change the domain details in the TAS Domain Registration page if required.
3. Perform the Routing Configuration steps (Appendix C) to secure your website.
Note: This will help you with configuring the traffic routing change and other configurations. Without configuring them, you cannot use the TAS facilities such as viewing attacks and vulnerabilities, measures to protect, and assistance from the managed security service.
4. Refresh the Indusface TAS - WAF Status page; the Configuration Status will turn green if the Routing Configuration was successful.
5. After the Routing Configuration, if any attacks happened to the website, the Last Attack column will display the date and time of the attack encountered.
6. Click the icon to view the website logs.
7. Your domain is now configured with the Total Application Security – Web Application Firewall AMI. Click the Click here link to register with the Indusface Web Application Firewall portal in order to get detailed insights on detected vulnerabilities, DDoS attacks, application attacks and 24/7 security expert support.
Total Application Security – Portal Access
1. The Total Application Security login page will appear. Enter the Username (the password is prepopulated automatically) and click REGISTER.
Parameter   Description
Username    Provide your AWS Customer ID as the username, e.g. 123456789000 (without hyphens).
Password    The launched instance ID is prepopulated as the password, e.g. i-123a4b56.
Note: If required, you can also edit and change the password on this page.
2. The Indusface TAS login page will appear. Provide the Username and Password, then click Sign In.
The All Sites - Health Summary page will appear; it serves as the entry point for the website and displays the website's Health status (how secure it is).
3. Initiate a scan by clicking Scan Now under Last Scan to scan your domain for web application vulnerabilities, malware, and business logic flaws.
5. Once the scan is completed, Last Scan will display the date and time.
6. Click the Detect tab and then click Download Scan Report to view the scan report.
Your website is now successfully configured to be used with Indusface Total Application Security.
Indusface Total Application Security Portal Tour
For detailed features of the Total Application Security portal, please visit the Guided Tour.
Summary
The Summary tab provides an overview of the number of detected and blocked vulnerabilities, the number of application DDoS attempts, and the top five attack categories, IPs, countries, and URIs. The page attributes can be customized by site and number of days.
Detect
The Detect tab provides an overview of the website scan and details of the detected vulnerabilities. From here you can initiate scans, download the scan report, request a pen-testing scan, and request POCs and custom rules. The page attributes can be customized per website. A doughnut chart shows the count and percentage of the top five observed vulnerabilities.
Protect
The Protect tab provides an overview of the attacks blocked in real time by the WAF and displays the top five IPs, attack categories and URIs. It offers attack category and severity graphs. The page attributes can be customized by site, type of attack and number of days.
Monitor
The Monitor tab provides an overview of the attacks logged in real time by the WAF and displays the top five IPs, attack categories, and URIs. It offers a timeline graph of Bandwidth (average KB per minute) and Requests (hourly). The page attributes can be customized by site and number of days.
For detailed features of the Total Application Security portal, please visit the Guided Tour.
Appendix A: Creating new Security Group
1. Go to the AWS Management Console. The Resources page will appear.
2. Click Running Instances.
3. The Security Group page will appear. Click Create Security Group.
4. The Create Security Group pop-up will appear. Click Add Rule.
5. Select the inbound rules from the Type drop-down.
Inbound rules required by site type:
  For HTTP Website: HTTP, SSH, Port (8080)
  For HTTPS Website: HTTPS, SSH, Port (8080)
  For HTTP & HTTPS websites: HTTPS & HTTP, SSH, Port (8080)
Connection Method   Protocol   Port Range    Source (IP or Group)
HTTPS               TCP        443 - 443     0.0.0.0/0
HTTP                TCP        80 - 80       0.0.0.0/0
Custom TCP Rule     TCP        8080 - 8080   0.0.0.0/0
SSH                 TCP        22 - 22       Public IP of your Company
6. Provide the group name and description in the respective text boxes and then click Create.
7. The Security Group page will appear with the created group.
8. Go to the Total Application Security: Scan, Pen-Testing, Managed WAF & DDoS page and, in the Security Group widget, select the created security group from the drop-down.
Appendix B: SSL Configuration
Steps to follow with other file formats (P12, PFX, PEM, JKS)
Prerequisites:
File Format   Passwords
JKS           Key Password, Keystore Password
PFX/P12       Key Password
SSL Conversion Steps
Follow the steps below to migrate the SSL certificate from your machine to the Indusface Total Application Security - WAF AMI in the appropriate file format (CRT).
1. Copy the certificates to the Indusface TAS-AMI using any file transfer tool into /home/ec2-user.
2. Log into your AMI using any SSH client (e.g. PuTTY).
  a. Specify the destination Host Name or IP Address of the WAF AMI and use the associated Key Pair (the same key pair associated while launching the AMI instance from the AWS Marketplace).
3. A terminal will open. Specify the Username ec2-user and then proceed with authentication.
4. Switch to the root user by executing the command sudo su -
5. Copy the SSL files to the /mnt directory by executing the command cp <cert_filename> /mnt
6. Now run the command ls to list all the certificates in the /mnt directory.
NOTE: Make sure that no more than one file with the same extension exists in /mnt.
7. Change to the /media directory using the command cd /media
8. Run the command ls to list the contents of the directory. It will return the file convert_ssl.sh.
9. Run the command ./convert_ssl.sh <file_format> <domain_name>, press 'y' and provide the password to convert the files into CRT file format.
NOTE: If the certificate file is not password protected, press Enter to proceed. All the converted files will be placed automatically in the /etc/httpd/ssl folder.
10. A success message will appear. To verify, change to the directory with cd /etc/httpd/ssl and run the command ls to list all the files in the folder; the following files should be listed.
<domain_name>.crt
<domain_name>-server.key
<domain_name>-chain.crt
NOTE: If the conversion is not successful, please contact Indusface Support at [email protected]
11. After completion of the SSL configuration, follow the Traffic Routing steps.
Steps to follow with .crt format files
Consider your domain name to be "yourdomain.com" and rename the SSL certificate files according to your domain name in the format shown in the table.
Certificate               Format
Server Certificate        yourdomain.com.crt
Private Key Certificate   yourdomain.com-server.key
Chain File                yourdomain.com-chain.crt
Note: If you have multiple Chain files, put all of them in the yourdomain.com-chain.crt file.
1. Copy the above files from your machine to the Indusface TAS AMI using any file transfer tool into the /tmp directory.
2. Log into your AMI using any SSH client (e.g. PuTTY).
  o Specify the destination Host Name or IP Address of the WAF AMI and use the associated Key Pair (the same key pair associated while launching the AMI instance from the AWS Marketplace).
3. A terminal will open. Specify the Username ec2-user and then proceed with authentication.
4. Switch to the root user by executing the command sudo su -
5. Change to the directory with cd /etc/httpd/ssl/
6. Run the command below to copy the files from the /tmp directory to /etc/httpd/ssl/
cp /tmp/yourdomain* /etc/httpd/ssl/
7. Run the command below to rename the Apache configuration file:
mv /etc/httpd/indusface/<yourdomain>.conf.disabled /etc/httpd/indusface/<yourdomain>.conf
8. Run the command below to restart Apache:
systemctl restart httpd.service
Removing the passphrase from the private key
1. To remove the passphrase from a private key, type the command
openssl rsa -in yourdomain.com-server.key -out yourdomain.com-server.key1
and enter the passphrase for the website's key when prompted.
2. Create a backup of yourdomain.com-server.key by executing the command
mv yourdomain.com-server.key yourdomain.com-server.key_bak
3. Rename the file yourdomain.com-server.key1 to yourdomain.com-server.key by executing the command
mv yourdomain.com-server.key1 yourdomain.com-server.key
4. Now type the command ls to list the certificates; the following files should be listed.
yourdomain.com.crt
yourdomain.com-server.key
yourdomain.com-server.key_bak
yourdomain.com-chain.crt
5. After completion of the SSL configuration, follow the Traffic Routing steps.
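Both procedures in this appendix end with a directory listing as the only check that the files are in place. The Python script below is an added example, not Indusface's convert_ssl.sh or any other part of the product, that performs the pre-flight checks a practitioner would want before restarting Apache: one file per extension in the upload folder (the /mnt rule from step 6), exactly one certificate in <domain>.crt, a private key that is not passphrase protected (the case the passphrase-removal steps above handle), one or more certificates in <domain>-chain.crt, and merging several chain files into one as the table's note requires. It only inspects PEM block structure, does no cryptographic validation, and builds its sample folders from constructed placeholder text rather than real keys.

```python
"""Pre-flight checks for the certificate files the guide expects in /etc/httpd/ssl.

Added example, not the project's convert_ssl.sh. It inspects PEM structure only (no
cryptographic validation) and uses constructed placeholder PEM text for the demo.
"""
import re
import tempfile
from collections import Counter
from pathlib import Path

# One PEM block: BEGIN label, body, matching END label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n.*?-----END \1-----", re.S)

# Constructed placeholders with the shape of PEM files; not real keys or certificates.
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nUExBQ0VIT0xERVI=\n-----END PRIVATE KEY-----\n"
FAKE_ENCRYPTED_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00\n\n"
    "UExBQ0VIT0xERVI=\n-----END RSA PRIVATE KEY-----\n"
)


def pem_labels(text):
    """Labels of the PEM blocks in text, in order, e.g. ['CERTIFICATE', 'CERTIFICATE']."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def duplicate_extensions(directory):
    """Extensions shared by more than one file: the guide's rule for /mnt before conversion."""
    counts = Counter(p.suffix.lower() for p in Path(directory).iterdir() if p.is_file())
    return sorted(ext for ext, n in counts.items() if ext and n > 1)


def merge_chain_files(chain_paths, out_path):
    """Concatenate every CERTIFICATE block from chain_paths into out_path; returns the count."""
    blocks = []
    for path in chain_paths:
        blocks += [m.group(0) for m in PEM_BLOCK.finditer(Path(path).read_text())
                   if m.group(1) == "CERTIFICATE"]
    Path(out_path).write_text("\n".join(blocks) + "\n")
    return len(blocks)


def check_ssl_dir(ssl_dir, domain):
    """Problems with <domain>.crt, <domain>-server.key and <domain>-chain.crt; [] means ready."""
    ssl_dir = Path(ssl_dir)
    crt = ssl_dir / f"{domain}.crt"
    key = ssl_dir / f"{domain}-server.key"
    chain = ssl_dir / f"{domain}-chain.crt"
    problems = [f"missing: {p.name}" for p in (crt, key, chain) if not p.is_file()]
    if problems:
        return problems
    if pem_labels(crt.read_text()) != ["CERTIFICATE"]:
        problems.append(f"{crt.name}: expected exactly one CERTIFICATE block")
    key_text = key.read_text()
    labels = pem_labels(key_text)
    if not labels or not labels[0].endswith("PRIVATE KEY"):
        problems.append(f"{key.name}: no PRIVATE KEY block found")
    elif labels[0] == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in key_text:
        # PKCS#8 and traditional OpenSSL encrypted keys; the guide removes the passphrase first.
        problems.append(f"{key.name}: private key is passphrase protected; remove the passphrase first")
    chain_labels = pem_labels(chain.read_text())
    if not chain_labels or set(chain_labels) != {"CERTIFICATE"}:
        problems.append(f"{chain.name}: expected one or more CERTIFICATE blocks")
    return problems


def make_sample_dirs(encrypted_key=False):
    """Create temp 'mnt' and 'ssl' folders laid out like the guide's; returns (mnt, ssl) paths."""
    base = Path(tempfile.mkdtemp())
    mnt, ssl = base / "mnt", base / "ssl"
    mnt.mkdir()
    ssl.mkdir()
    (mnt / "yourdomain.pfx").write_text("placeholder")
    (mnt / "yourdomain-old.pfx").write_text("placeholder")   # second .pfx breaks the /mnt rule
    (ssl / "yourdomain.com.crt").write_text(FAKE_CERT)
    (ssl / "yourdomain.com-server.key").write_text(FAKE_ENCRYPTED_KEY if encrypted_key else FAKE_KEY)
    (ssl / "yourdomain.com-chain.crt").write_text(FAKE_CERT * 2)   # two chain certs in one file
    return str(mnt), str(ssl)


if __name__ == "__main__":
    mnt, ssl = make_sample_dirs(encrypted_key=True)
    print("duplicate extensions in /mnt:", duplicate_extensions(mnt))
    print("ssl dir problems:", check_ssl_dir(ssl, "yourdomain.com"))
```

On the AMI, call duplicate_extensions("/mnt") before running convert_ssl.sh and check_ssl_dir("/etc/httpd/ssl", "yourdomain.com") before restarting httpd; an empty list from the latter means the three files are present and structurally what Apache expects.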
Appendix C: Routing Traffic
1. Click Routing Configuration Required. To use Indusface Total Application Security, you need to ensure that all the traffic goes through the Indusface Total Application Security AMI by implementing one of the following methods.
Single Node Deployment
If you are using SSL and SSL is terminated at the WAF AMI:
  i. You need to set up the SSL certificate and keys as per the instructions in the SSL Configuration document before changing your routing. Failure to do this in sequence will result in disruption to your website traffic.
Change your DNS A record to point to the public IP address of the Indusface WAF AMI.
Single Node Deployment with ELB
Update the ELB to forward traffic on ports 80 & 443 to the IP address of the Indusface WAF AMI.
SSL is terminated at the ELB, so no SSL configuration is required in this model.
Multi Node Deployment With ELB
Contact support for routing change instructions.
2. After completion of the routing change, refresh the Indusface TAS - WAF Status page.
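For the Single Node Deployment, the only confirmation the guide gives is the WAF Status page turning green. The Python check below is an added example, not part of the Indusface product, that verifies the DNS side of the change: whether every A record for the domain now returns the WAF AMI's Elastic IP, or whether some resolvers still publish the old origin address (propagation still in progress, or a record left behind). The resolver is injectable; with no argument it uses the system resolver, which needs network access. The addresses in the constructed answers are documentation ranges, not real hosts.

```python
"""Verify that a domain's A records point at the WAF AMI's Elastic IP (Appendix C).

Added example for the Single Node Deployment routing change. The resolver is injectable so
the check can run against constructed answers; with no resolver argument it asks the system
resolver, which needs network access.
"""
import socket


def system_a_records(domain):
    """IPv4 addresses the local resolver currently returns for domain."""
    return sorted(set(socket.gethostbyname_ex(domain)[2]))


def routing_status(domain, waf_ip, resolver=system_a_records):
    """Return (status, stale_records) for the DNS A record change.

    status is "routed" when every A record is the WAF Elastic IP, "partial" when some
    records still point elsewhere (propagation in progress or a leftover record),
    "not_routed" when none does, and "no_records" when the resolver returns nothing.
    stale_records lists the addresses that are not the WAF IP, so the operator can see
    which origin addresses are still published.
    """
    records = resolver(domain)
    if not records:
        return "no_records", []
    stale = sorted(r for r in records if r != waf_ip)
    if not stale:
        return "routed", []
    if len(stale) == len(records):
        return "not_routed", stale
    return "partial", stale


# Constructed answers (documentation address ranges), standing in for real DNS responses.
CONSTRUCTED_ANSWERS = {
    "routed.example": ["203.0.113.10"],
    "partial.example": ["203.0.113.10", "198.51.100.7"],
    "origin.example": ["198.51.100.7"],
}


def constructed_resolver(domain):
    """Offline resolver returning the constructed answers above."""
    return CONSTRUCTED_ANSWERS.get(domain, [])


if __name__ == "__main__":
    for name in ("routed.example", "partial.example", "origin.example", "unknown.example"):
        print(name, routing_status(name, "203.0.113.10", constructed_resolver))
```

In practice, run routing_status("yourdomain.com", "<WAF Elastic IP>") from a few networks after changing the A record; keep checking until it reports "routed" before treating the routing change as complete.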