Baseline Protection Wizard
Purpose
To start the Baseline Protection Wizard, from the Application Control menu select an application, select the Wizards tab and click Baseline Protection Wizard.
The Baseline Protection Wizard provides your web application with comprehensive general protection, based on blacklisting of known vulnerabilities and attacks. This provides you with a quick and efficient mechanism to protect your applications against security vulnerabilities and attacks. Another major advantage is the fact that new baselines are made available when new types of attacks emerge. To take advantage of new baselines, you simply step through the wizard again to apply the updated ruleset. (For general information see Baseline Protection and Configuring and Updating Baseline Protection).
ATTENTION
You must commit and activate your configuration after you complete the wizard (see
Committing and Activating Ruleset Changes). As with any changes to your rulesets, you must commit and activate the change to apply the baseline and protect your web application.
For more information regarding Wizards, see Using Wizards to Configure Applications.
Prerequisites
At least one baseline version needs to be available in your local database (see Baseline Management).
Attributes
Attribute | Meaning |
---|---|
Update to latest version |
(This option isn't available when the wizard is run for the first time for an application. In this case the wizard starts with Choose Baseline Version.) Select this option if you want to update the baseline to the most recent version. If you applied manual changes to a configuration, the manual changes are not overwritten if you update a baseline. The wizard only adds definitions that do not affect your current manual settings. |
Choose Baseline Version |
(This attribute can only be configured if the option Update to latest version has not been activated.) Select this option to choose the baseline you want to apply. Baseline Management allows you to view all the baseline rule definitions that are available in your local database. |
Choose Baseline Categories |
(This attribute can only be configured if the option Update to latest version has not been activated.) Baseline Categories describe different types of attacks. Each baseline rule belongs to one of these categories. Select the required options to enable or disable baseline protection for the different types of attack (see Basics of Web Application Security and Glossary):
For maximum security, we recommend you do not deactivate a category unless you are absolutely sure that your web application does not use any technology that is vulnerable to that category of attack, or if you manually configured appropriate handlers. |
Excluded Headers |
You can specify headers to be ignored by the Baseline Protection Hander. vWAF treats excluded headers as case insensitive (the case is ignored). Note that the default header 'Referer' is added automatically. If the Baseline Protection Handler was configured previously (prior to the release of the Baseline Protection Wizard excluded headers feature) and excluded headers were defined - the excluded headers are retained. Any new excluded headers that you define using the wizard are appended to the existing list. Headers added here appear in the handler attribute: 'exclude_from_baseline_check'. |
Excluded Arguments |
You can define arguments to be ignored by the Baseline Protection Handler. Note that the default argument '__viewstate' is added automatically. If the Baseline Protection Hander was configured previously (prior to the release of the Baseline Protection Wizard excluded arguments feature) and excluded arguments were defined - the excluded arguments are retained (any new excluded arguments that you define using the wizard are appended to the existing list). New arguments added by the wizard can be entered and treated as case insensitive or case sensitive. By default, arguments are treated as case insensitive. This can be overridden, if required, using the Case Insensitive Arguments option below. If case sensitive arguments already exist (as part of a previous configuration), they are retained and the Case Insensitive Arguments option below is set to case sensitive. Excluded arguments are added to the handler attribute: 'exclude_from_baseline_check'. |
Case Insensitive Arguments |
This determines whether or not arguments are treated as case insensitive or case sensitive. It sets the handler attribute: 'handle_excluded_args_case_insensitive'. The Case Insensitive Arguments option is a global setting and applies to all arguments. Unless your baseline protection ruleset includes case sensitive arguments, it is recommended you keep the case insensitive (default) setting. However, if you require support for case sensitive arguments, you need to set this option to case sensitive. If this is the first time set up of baseline protection for the application, the parameter is enabled by default (and recommended). It ensures argument attributes are treated as case insensitive. New arguments added by the wizard are treated as case insensitive by default. However, if case sensitive arguments already exist (as part of a previous configuration), they are retained and all arguments are treated as case sensitive (the default is overridden). |
Choose Baseline Tags |
(This attribute can only be configured if the option Update to latest version has not been activated.) Baseline tags describe particular products or technologies that could be attacked. These include: XSS, ASP, Java LDAP, JSP, MySQL, Oracle, MS-Access, PHP, and MSSQL . These tags are attached to baseline rules, if these rules are not generic for a category (for example, SQL Inject), and protect against attacks for a specific technologies (such as SQL injection against MySQL database). You enable the baseline tags required for your application. For example, select/deselect tags to ignore all the rules which are MySQL specific. For maximum security, we recommend you do not disable a tag unless you are absolutely sure that your web application does not use this technology or if you manually configured appropriate handlers. |
New Baseline Categories |
(This attribute can only be configured if the option Update to latest version has been activated and if this baseline version features new baseline categories.) Activate all categories that correspond to any scenario of attack that your web application might be vulnerable to. When in doubt, we recommend activating all new categories. |
New Baseline Tags |
(This attribute is only available if a new Baseline Tag is included in an updated baseline.) If a new Baseline Tag is available, you can choose to enable or disable the new tag. For maximum security, we recommend you do not disable a tag unless you are absolutely sure that your web application does not use this technology or if you manually configured appropriate handlers. |
Reject Multiple Encoded Data |
Certain types of data must be encoded and vWAF is able to detect multiple encoding evasion attempts. If this option is enabled, vWAF will deny requests if they exceed the maximum number of decoding steps. More detailed options and settings are set in the Baseline Protection Handler. |
Handlers configured by the Baseline Protection Wizard
The Baseline Protection Wizard configures the following handler: