    Key Components

    WebApp Secure includes the following components:

    Core Data Types

    • Attackers–Attackers, also called hackers and profiles, are the core data type within WebApp Secure. An attacker can have multiple sessions, locations, and environments, and can trigger multiple incidents. All data about an attacker's malicious behavior is tied back to that single profile. Counter responses are applied to an attacker based on a combination of incidents, or on manual intervention by the administrator. Each attacker is assigned a severity level based on the highest-complexity incident the attacker has triggered.
    • Sessions–Sessions are groups of HTTP requests performed by a user on a protected web site. There is a one-to-one mapping between a session and a fingerprint. If a session turns malicious, an attacker profile is created. These sessions can also be consolidated over time to perform fuzzy-logic matching on traffic patterns.
    • Fingerprint–WebApp Secure fingerprints incoming HTTP requests using a proprietary combination of traditional and non-traditional methods. These fingerprints ensure that all traffic from the same source is consolidated under the same session and/or attacker.
    • Incidents–An incident is a recorded instance of a particular security threat. The full HTTP request and response of each incident is recorded and related back to an attacker, session, environment, and location. For convenience's sake, similar incidents may be grouped within a 24-hour time period. Incidents have five complexity levels: informational, suspicious, low, medium, and high. An attacker profile is automatically created once a session triggers at least one low, medium, or high incident.
    • Locations–A location is created by parsing an IP address. Each IP address that is implicated in an attack, either because it is the attacker's IP address or because it is the IP address of a proxy server that acted as an intermediary, is geo-coded, and the results, including the IP address itself, are stored as a location.
    • Environments–An environment is created by parsing a user-agent string. Every web browser, and many common tools and scripts, emit a user-agent header as part of their request. WebApp Secure parses this header and stores the results as an environment.
    • Counter Responses–A counter response is an alternate HTTP response that will be served to an attacker. Such responses can be triggered manually by an administrator who is logged into the Web UI, or automatically by way of customizable autoresponse rules that ship with WebApp Secure.
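The rules stated in the list above (five complexity levels, an attacker profile created on the first low, medium, or high incident, severity equal to the highest complexity triggered, and similar incidents grouped within a 24-hour window) are easier to check in code. The following Python model is an added illustration, not WebApp Secure's own code or data model; the incident names, addresses, and user-agent strings in it are constructed sample values.

```python
"""Toy model of the WebApp Secure core data types described above.

Constructed illustration, not Juniper's code or data model. It encodes the
rules the text states: five incident complexity levels, a session becoming
an attacker profile once it triggers a low/medium/high incident, attacker
severity equal to the highest complexity triggered, and similar incidents
grouped within a 24-hour window. Names, IPs and user agents are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Complexity levels in ascending order, as listed on the page.
COMPLEXITY_LEVELS = ["informational", "suspicious", "low", "medium", "high"]
# Levels whose first occurrence turns a session into an attacker profile.
PROFILE_TRIGGER_LEVELS = {"low", "medium", "high"}
GROUPING_WINDOW = timedelta(hours=24)


@dataclass
class Incident:
    name: str          # kind of threat this incident records
    complexity: str    # one of COMPLEXITY_LEVELS
    at: datetime
    request: str       # full HTTP request (the page says both are recorded)
    response: str      # full HTTP response
    location_ip: str   # location: derived from an IP address
    environment: str   # environment: derived from a User-Agent string

    def __post_init__(self):
        if self.complexity not in COMPLEXITY_LEVELS:
            raise ValueError("unknown complexity level: %s" % self.complexity)


@dataclass
class Session:
    fingerprint: str   # one-to-one mapping between session and fingerprint
    incidents: List[Incident] = field(default_factory=list)


@dataclass
class Attacker:
    sessions: List[Session] = field(default_factory=list)

    @property
    def incidents(self) -> List[Incident]:
        return [i for s in self.sessions for i in s.incidents]

    @property
    def severity(self) -> Optional[str]:
        """Highest complexity level among this attacker's incidents."""
        if not self.incidents:
            return None
        return max(self.incidents,
                   key=lambda i: COMPLEXITY_LEVELS.index(i.complexity)).complexity

    @property
    def locations(self) -> List[str]:
        return sorted({i.location_ip for i in self.incidents})


def record_incident(session: Session, incident: Incident,
                    attacker: Optional[Attacker]) -> Optional[Attacker]:
    """Attach an incident to its session; create the attacker profile on the
    first low/medium/high incident. Returns the profile, or None if there is
    still no reason to create one."""
    session.incidents.append(incident)
    if attacker is None and incident.complexity in PROFILE_TRIGGER_LEVELS:
        attacker = Attacker(sessions=[session])
    return attacker


def group_similar(incidents: List[Incident]) -> List[List[Incident]]:
    """Group same-named incidents that fall within 24 hours of the group's
    first incident; each group is ordered by time."""
    groups: List[List[Incident]] = []
    for inc in sorted(incidents, key=lambda i: i.at):
        for g in groups:
            if g[0].name == inc.name and inc.at - g[0].at <= GROUPING_WINDOW:
                g.append(inc)
                break
        else:
            groups.append([inc])
    return groups


def demo() -> Optional[Attacker]:
    """Walk one session through four constructed incidents."""
    t0 = datetime(2014, 6, 27, 12, 0, 0)
    session = Session(fingerprint="fp-constructed-0001")
    attacker = None

    def inc(name, complexity, delta, ip="198.51.100.7"):
        return Incident(name=name, complexity=complexity, at=t0 + delta,
                        request="GET /account?id=1 HTTP/1.1 (constructed)",
                        response="HTTP/1.1 200 OK (constructed)",
                        location_ip=ip, environment="Mozilla/5.0 (constructed UA)")

    # An informational incident alone does not create an attacker profile.
    attacker = record_incident(session, inc("hidden-link-followed", "informational", timedelta()), attacker)
    # The first medium incident creates the profile; two more follow, one of
    # them more than 24 hours later, so it lands in a separate group.
    attacker = record_incident(session, inc("parameter-tampering", "medium", timedelta(minutes=5)), attacker)
    attacker = record_incident(session, inc("parameter-tampering", "medium", timedelta(hours=3)), attacker)
    attacker = record_incident(session, inc("parameter-tampering", "medium", timedelta(hours=30), ip="203.0.113.9"), attacker)
    return attacker
```

Running `demo()` yields a profile whose severity is "medium" (the highest level triggered), whose incident list still includes the earlier informational incident because the whole session is attached to the profile, and whose four incidents fall into three groups once the 24-hour window is applied.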

    Security Engine

    The Security Engine is the core of WebApp Secure. It consists of several components that work together to secure your web sites and applications. See Security Engine Configuration.

    • Location Manager–The location manager parses IP addresses, determines which ones should be implicated in attacks, and stores this information for later use. It also powers integration with Content Delivery Networks, such as Akamai, which use alternate headers for IP address information.
    • Environment Manager–The environment manager parses user-agent headers and stores this information for later use.
    • Session Manager–The session manager keeps track of activity from each user profile and maintains fingerprints used to identify unique users, enabling tracking beyond the IP address.
    • Processors–Processors are pluggable modules that provide specific security-related functionality. A full description of each processor, including all available configuration options, is available in the processors section, which begins at Processors Overview.
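The location manager's CDN integration deserves one caveat in code: behind a CDN, the socket peer address is the CDN edge, and the original client address arrives in an alternate header, so that header must be trusted only when the request really came from the CDN, or any client could choose which address gets geo-coded and implicated. The Python below is an added illustration of that decision, not WebApp Secure's own code; the header name and the trusted CDN address range are assumptions for the demo, and the addresses are constructed.

```python
"""Added illustration of the location-manager idea above: behind a CDN the
socket peer is the CDN edge, and the real client address travels in an
alternate header. Constructed example, not WebApp Secure's code. The header
name and the trusted CDN ranges are assumptions for the demo; the CDN's own
documentation gives the real ones.
"""
import ipaddress
from typing import Dict, List, Optional

# Assumption: networks from which a CDN edge may legitimately assert a client IP.
TRUSTED_CDN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
# Assumption: the alternate header the CDN uses to carry the original client IP.
CLIENT_IP_HEADER = "True-Client-IP"


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def implicated_addresses(peer_ip: str, headers: Dict[str, str]) -> Dict[str, List[str]]:
    """Decide which IP addresses to implicate for one request.

    Returns {"client": [ip], "intermediaries": [ip, ...]}. The alternate
    header is honoured only when the request came from a trusted CDN range;
    a header sent directly by an untrusted peer is ignored, so a client
    cannot pick the address that gets geo-coded and stored as a location.
    """
    peer = ipaddress.ip_address(peer_ip)
    from_cdn = any(peer in net for net in TRUSTED_CDN_NETWORKS)
    claimed = _header(headers, CLIENT_IP_HEADER)
    if from_cdn and claimed:
        try:
            client = ipaddress.ip_address(claimed.strip())
        except ValueError:
            # Malformed header from the CDN: fall back to the edge address
            # rather than recording no location at all.
            return {"client": [str(peer)], "intermediaries": []}
        # Both addresses are implicated: the client as the origin and the
        # CDN edge as the proxy that acted as an intermediary.
        return {"client": [str(client)], "intermediaries": [str(peer)]}
    return {"client": [str(peer)], "intermediaries": []}


def demo() -> List[Dict[str, List[str]]]:
    """Three constructed requests: direct with a spoofed header, via the CDN,
    and via the CDN with a malformed header."""
    return [
        implicated_addresses("198.51.100.7", {"true-client-ip": "192.0.2.1"}),
        implicated_addresses("203.0.113.10", {"True-Client-IP": "198.51.100.7"}),
        implicated_addresses("203.0.113.10", {"True-Client-IP": "not-an-ip"}),
    ]
```

In the first constructed request the spoofed header is ignored and the direct peer is the client; in the second the CDN's header is honoured and the edge is recorded as the intermediary; in the third the malformed value falls back to the edge address.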

    Support Services

    Services run in the background, performing tasks such as sending alerts, generating reports, or performing maintenance tasks.

    • Alert Service–WebApp Secure can send e-mail alerts to administrators when an incident of a specified severity is detected. For instance, the system can send out an e-mail notification to a specific administrator who is on-call if an incident level of critical is detected, allowing the administrator to respond quickly to the threat. It can also send alerts to e-mail addresses on a defined schedule, and/or send SNMP traps to one or more SNMP servers. The initial configuration of the alert service is performed with the configuration wizard, and these settings are also available through the Services tab in the Web UI. See Using the Configuration Wizard.
    • Backup Service–Configure the frequency, type, and destination for system backups. These settings can be configured through the configuration wizard, or through the Backups section of the Web UI. See Using the Configuration Wizard.
    • Counter Response Service–The counter response service handles the deployment of responses triggered by incidents. This service is configured to use the response rules. See Response Overview.
    • Database Cleanup Service–This service purges expired data from the database on a regular schedule. See CLI: Config: Setting a Configuration Parameter.
    • External Response Service–The external response service manages the connection to the Juniper Networks SRX Series Service Gateway, which can be used to perform external counter responses. See Configure the SRX Series Integration.
    • NTP Servers–To keep your appliance clock synchronized to the correct time, WebApp Secure allows the configuration of NTP servers. The appliance can use suggested publicly-available NTP server pools, or it can be configured to use an internal NTP server for timekeeping. See NTP Service.
    • Self-Monitoring–WebApp Secure can monitor its own status and, in the case of a failure, either recover automatically or notify you when there is a non-recoverable event. See Self-Monitoring for alert configuration options.
    • Session Aggregation Service–The session aggregation service attempts to aggregate sessions on your system, based on common fingerprint attributes.
    • SMTP Settings–Various parts of the system can send emails. WebApp Secure can function as its own SMTP server, or you can configure it to use an existing MTA on your network. See Using the Configuration Wizard.
    • The Spotlight Connector–The Spotlight Connector provides feeds to the SRX Series for automatically filtering traffic on both the network and application layers. WebApp Secure detects threats and periodically submits data to a component called the Spotlight Connector. The Spotlight Connector publishes the submitted threat data as a standard feed to the SRX Series device. See Enable the Spotlight Connector Service.
    • Spotlight Secure–Spotlight Secure is designed to provide additional intelligence. If enabled, a two-way communication process shares information about attackers and attacks to and from a Spotlight server run by Juniper Networks. This allows WebApp Secure to positively identify attackers that have attacked other Juniper customers. This service also provides additional details about sessions, which allows Juniper to make more informed decisions on how to respond to threats. By default, the service is turned off. See Enable Spotlight Secure.

    Published: 2014-06-27