Configuring web protection

Use the Web Protection tab on the Web Application Protection page for the Network IPS appliance to enable protection signatures that protect your web applications from well-known web application security attacks.

About this task

Navigating in the Network IPS Local Management Interface: Secure Protection Settings > Security Modules > Web Application Protection

Navigating in the SiteProtector™ system: select the Web Application Protection policy

Procedure

  1. Click the Add icon.
  2. Choose a protection domain from the list: either the global domain or a custom domain. If you are using a custom domain, you can include groups of network devices (web applications) that you want to protect against web application security attacks. For more information about adding a protection domain, see Configuring protection domains.
  3. In the Web Protection Categories area, configure the categories that are appropriate for your network. You can enable each category, and you can edit its settings. To edit a web protection category, click the Edit icon and configure the following options:
    Attention: If you disable a category that was previously saved, this change removes parameter names and web application security checks that you previously enabled.
    Option: Description
    Show Security Events: Lists the security event signatures that are associated with the category.
    Enabled: Enables the web protection category.
    Ignore Event: Instructs the appliance to ignore events that match the criteria that are set for the event.
    Display: Defines how you want to display the event in the SiteProtector Console:
    • None: Does not display the detected event.
    • Without Raw: Logs a summary of the event.
    • With Raw: Logs a summary and the associated packet capture.
    Block: Blocks the attack by dropping packets and sending resets to TCP connections.
    Log Evidence: Determines the type of packet to capture when suspicious traffic triggers events. The appliance logs files to the /var/iss/ directory. You can retrieve log evidence files from Review Analysis and Diagnostics > Downloads > Logs and Packet Captures > Log Evidence.
    • None: The appliance captures no traffic.
    • Offending Packet: The appliance captures the suspicious traffic.
    • Connection: The appliance captures all traffic that matches the event protocol, source and destination address, source and destination port, or VLAN ID.
    • Interface: The appliance captures all traffic that passes through the specified interfaces.
    • All Interfaces: The appliance captures all traffic that passes through all interfaces.
    Note: Connection, Interface, and All Interfaces are not available for the SNORT feature.
    Email: Specifies the email name that receives alerts about events.
    Note: If the email address does not display in the list, you can configure email responses in Secure Protection Settings > Response Tuning > Responses.
    Quarantine: Specifies responses that block intruders, including worms and Trojan horses, when the appliance detects events.
    Notes:
    • Quarantine responses work only when you configure the appliance to run in inline protection mode.
    • If the quarantine response does not display in the list, you can configure quarantine responses in Secure Protection Settings > Response Tuning > Responses.
    SNMP: Sends an SNMP trap that includes pertinent information about the event.
    Note: If the SNMP trap does not display in the list, you can configure SNMP traps in Secure Protection Settings > Response Tuning > Responses.
    User Specified: Specifies a user-specified response to security events.
    Note: If the user-defined response does not display in the list, you can configure user-specified responses in Secure Protection Settings > Response Tuning > Responses.
    Client-side Attacks Tuning, Injection Attacks Tuning, Malicious File Execution Tuning, Cross-site Request Forgery Tuning: Configures shared tuning settings.
    Note: Shared Tuning signatures cannot be assigned to unique protection domains. The appliance assigns settings in shared tuning to the global protection domain. For more information about shared tuning, see Configuring shared tuning.
    Client-side Attacks: The Enable Client Protection check box enables Client-side Attack events for the global protection domain. Use this option if you want to enable these events for the global protection domain but you applied the WAP policy to a custom protection domain. The appliance assigns the Client-side Attack events to the global protection domain.
  4. Click OK.