SecureSphere 9.5 Lab Manual - ADMIN
©2013 Imperva, Inc. All rights reserved.

Environment Introduction: CloudShare

Goal: Familiarize yourself with the CloudShare lab environment.
1. Launch your CloudShare virtual lab environment.
2. Practice transitioning from one virtual PC to another and using the available screen resolution views to best fit your local PC.

This 9.5 Lab Manual is written for use with the IMPV-Training-9.5p3 CloudShare Blueprint.

Topic 1: Launch your CloudShare virtual lab environment.

IMPORTANT: If the training environment has local workstations, you are in a MicroTek / VMware based class. Start at page 6 for this lab.

1. Your instructor has sent you an email to the address you provided during class sign-in.
2. Double-check that the invitation sent by the instructor matches the "Blueprint" version intended for this class: IMPV-Training-9.5p3.
3. From the email, click the CloudShare link to access your lab environment, e.g. https://use.cloudshare.com/Course/12345
4. Enter your email address and the class passphrase and click the Login button.
5. This will begin loading your environment.
6. Your environment may take several minutes to load the first time; be patient.
7. Notify your instructor if:
   a. You are having difficulty logging in.
   b. The first-time startup is taking more than 7 minutes.
8. When your environment has fully loaded, you will see the Topology page. This landing page is your primary navigation tool to connect to the available virtual environments.
9. Take a few minutes to become familiar with the machine names, the relative location of servers and the IP addresses configured.

[Topology diagram: Client PC (192.168.53.1); SecureSphere GW in Bridge Mode; SecureSphere Management; External GW (192.168.53.254); "VEDA DB" (MSSQL 2005, 192.168.53.100); "VEDA WEB" (IIS, 192.168.54.1); "Win2K3-DC-CT" (File Server / PDC); remaining addresses as shown in the diagram.]

10. All of the course labs will be completed from the CloudShare interface to the topology environments.
11. WARNING: Avoid the Actions > Revert Now link. This will delete your current lab configuration and provide you with a fresh set of environments. Revert will be used at a later time, between the ADMIN and WAF, ADMIN and DBSec, or ADMIN and FileSec lab books. (Screenshot on next page)

[Screenshot: the Revert action in the Actions menu. Warning: Avoid Revert Action.]

Topic 2: Connect to a virtual system via the CloudShare RDP browser plug-in.
1. From the topology diagram, you can right-click on any of the topology objects and choose Open Link in New Tab.
2. Do this for the Client PC now.
3. The first time this connection is made, a browser plug-in is installed that enables RDP through your browser. Depending on your browser type, version and security settings, this plug-in install should appear as a pop-up or as a warning that a pop-up was attempted.
4. Accept the relevant download and install dialog boxes and follow the on-screen install instructions.
5. After install, it may be necessary to refresh or restart your browser.
6. Troubleshooting: If the page loads and you get an error, or you don't see the Client PC, locate the "Troubleshoot" link to diagnose issues with the plug-in. (Screenshot on next page) Direct Link: https://use.cloudshare.com/test.mve
7. Once connected, play with the screen resolution options to fit your desired view.
   a. Resolution options include both square and wide-screen options using RDP.
   b. There is a "Full screen" option which is recommended for small monitors / laptops.
   c. The "Reconnect" button can be used to re-establish a connection lost due to internet disconnection or high latency.
8. It is possible to open more than one environment using multiple browser windows or "tabbed browsing" (see next page). Warning: if you are training in a location with poor internet bandwidth, you should only open the RDP session that you currently need for the lab task. (Screenshot on next page)

Important: Skip the next section, "Environment Introduction: MicroTek". Your next lab will start on page 14.

Tips:
* Report any significant or annoying system slowness to your instructor, who will open a support case with CloudShare. It may be a factor of the local internet connectivity.
* If you are automatically logged out of CloudShare, close all local browser windows and re-connect to CloudShare again.
* Keep your CloudShare system active longer by periodically opening a tab from the Topology page.
* DO NOT revert after each lab. Use the Revert action only at the end of each lab book before beginning a new class.

Environment Introduction: VMware

Goal: Familiarize yourself with the VMware lab environment.
1. Log in to the classroom PC provided by the training center and start the VMware Workstation application.
2. Launch the VMware-based virtual machines used for this training class and practice transitioning from one virtual PC to another and using the available VMware controls to adjust screen resolution and other viewing options to best fit your preferences and local PC.
3. Test connections to each VM and take a "Day 1 Begin" snapshot.

This 9.5 Lab Manual is written for use with the MicroTek Training Center IMPV-Training-9.5p3 Ghost Image.

Topic 1: Log in to the classroom PC provided by the training center and launch the VMware Workstation application.
1. Your PC has been imaged to be an identical lab environment for consistent training delivery. It should be running 64-bit Windows 7 to take advantage of at least 4 GB of RAM. Please inform your instructor if your PC does not meet this requirement.
2. The Windows 7 OS should present you with one login as user "student", who has full Administrator rights. There should be no password.
3. The student user desktop should have one directory named "Tools" that contains a file named "info.txt". Open and familiarize yourself with the content of this file, which includes the usernames and passwords for the lab environments used during training. (Screenshot on next page)

Tips, Known Issue #1: Some training locations set up the Host PC with a proxy server configuration in the browsers. Also, routing is typically disabled or not functioning between the lab VMs and the outside world (internet). This is acceptable, as there is no need to connect to the internet from the lab machines.

4. Launch VMware Workstation from the desktop icon.
5. You should see 5 STOPPED environments when you first launch VMware Workstation. (Screenshot on next page)
6. If there are no open tabs, or if one is missing from the list, you will need to browse for the relevant virtual OS configuration files and open them.
   a. File > Open, then browse to C:\Users\student\Documents\Virtual Machines\.
   b. Open the relevant folder and .vmx file.

Topic 2: Power on the virtual machines and become familiar with VMware buttons and screen view options.
1. Once all five tabs are visible, start SecureSphere.
   a. Select the SecureSphere 8265 VM tab, open the VM menu and click Power > Power On.
   b. If prompted, select "I moved it" and click OK. Note: Choosing "moved" keeps the MAC address static, which is required for proper lab functionality.
   c. Starting SecureSphere for the first time will take 15-20 minutes.
   d. Continue for now, but before using SecureSphere or taking a snapshot, validate that it has fully started.
2. Start Veda DB.
   a. Select the Veda DB VM tab, open the VM menu and click Power > Power On.
3. Start Veda Web IIS.
   a. Select the Vedaweb-IIS VM tab, open the VM menu and click Power > Power On.
4. Start Win2K3 File Server.
   a. Select the Win2K3 File Server VM tab, open the VM menu and click Power > Power On.
5. All your VM environments should now be running.
6. Recognize the following "dangerous" buttons. Avoid using them during lab, because they can make you lose all lab data (start over from scratch).
   Stop / Power Off: This is like pushing the power button on your computer or pulling the power plug.
   It is particularly important that the Oracle database running on the SecureSphere management module is not abruptly terminated.
   Reset VM: Reboots the virtual machine. Not much different from Stop.
   Revert Snapshot: This will erase all lab progress and send you back to the starting place for class.
   Close & reboot Host OS: VMware is configured to continue running your VMs in the background even if closed. However, if the Host OS is rebooted, it is similar to a Power Off event on the VMs. Reboot, Shutdown, or Hibernate on the Host OS can all be bad for the integrity of your lab progress. Be sure to "Suspend" all 5 of your VMs before stopping the Host PC.
7. Practice changing VMware view modes using the Windows virtual machines.
   a. Select Client PC, click into the center of the window and use the keystroke CTRL+ALT+INSERT (not DELETE).
   b. Log in as Administrator with password: paSSword
   c. Click on the full screen icon or navigate to View > Full Screen.
   d. Try to use the menu bar at the top of the screen to switch to the Veda Database VM.
   e. Log in as Administrator with the same password as before.
   f. Notice that there is only one visible START icon, because you are in "full screen" mode.
   g. Switch to "window" mode.
   h. Maximize the window.
   i. Notice that this view may be hard to use for two reasons: 1) the whole OS may not fit in the window, depending on your screen resolution; and 2) you now have two task bars and two start menus.
   j. Finally, change the VMware view to "Quick Switch" mode.
   k. Notice that this view allows easy transition among the 4 virtual machines used in lab, but also hides the Host OS toolbar and start menu. This is the preferred view for class labs.
   l. Move your mouse to the top of the screen to get a VMware drop-down menu.

Topic 3: Verify each virtual machine booted properly and save a "Day 1 Begin" snapshot to use later in class.
1. Practice using the SecureSphere virtual machine by selecting the SecureSphere VM tab and clicking into the center of the window.
2. Log in as Username: root  Password: root12
3. Type the command: date
4. Compare the current time listed with the time on the other VMs and the host PC. Your local time zone could be different, which may be confusing in future labs. Keep this in mind.
5. When SecureSphere is FULLY BOOTED, run the following command: impctl status
   Tips: Booting the SecureSphere VM can take over 15 minutes. Before moving to the next step, verify that all three major components are "Running" and that only the Watchdog status reports "Not Running". The impctl command can interfere with starting services and prevent normal operation, so confirm that the initial system boot has completed before running it.
   Warning: DO NOT RUN impctl status while SecureSphere is booting.
6. After confirming that the gateway, server, and database processes are running, try to move your mouse out of SecureSphere. Notice it is not visible. Use the CTRL+ALT keystroke to get out of the VM.
7. Capture snapshots of all 5 VMs once they are running and you are logged in to the OS. These will be used later in the class to revert between lab books and to recover from power outages or other unexpected problems.
   a. Select the tab of the first Windows VM.
   b. From the VM drop-down menu, choose Snapshot > Snapshot Manager.
8. From the Snapshot Manager window, choose Take Snapshot... (Screenshot on next page)
9. Name the snapshot "Begin Day 1".
10. Close the snapshot menu and change the VMware virtual machine tab to the next running Windows virtual machine.
11. Repeat the snapshot steps for each of the Windows VMs.
12. Finally, capture a snapshot of the SecureSphere VM.

Tips:
* Report any significant or annoying system slowness to your instructor.
* Periodically capture a new snapshot to use for disaster recovery in the event of an unexpected power outage or other anomaly.
* Use the Snapshot Go To action only at the end of each lab book before beginning a new class, and select your Day 1 snapshot.

Lab 1: GUI Familiarity and ADC Update

Goal: Access SecureSphere's Web GUI and ensure it is up-to-date and ready for use.

Topics:
1. Connect to SecureSphere.
2. Explore the SecureSphere GUI features and configure initial preferences.
3. Practice manipulating the filters under Monitor.
4. Understand that hanging page tabs can be used to both hide and reveal sections of the GUI.
5. Update ADC content via a previously downloaded file on Client PC.

Tips: Watch for available tips in the lab context.

Topic 1: Connect to SecureSphere
1. Minimize open windows to view the Desktop.
2. Open the Mozilla Firefox web browser on Client PC by clicking on the desktop shortcut. Connect to SecureSphere's management URL: https://192.168.53.200:8083
3. Click OK on the "Security Error: Domain Name Mismatch" window. This is expected in the lab, where the management server's certificate does not match the IP address in the URL; outside the lab, a certificate error on the management interface is something to investigate rather than dismiss.
4. If you get a license expiration error, request a new license from your instructor and wait for further instructions.
5. Enter the SecureSphere GUI credentials: User: admin  Password: 1qa2wsx
6. Click Login.
   Note: If you are asked to reset the password, simply reset it back to "1qa2wsx".

Topic 2: Explore the SecureSphere GUI features and configure initial preferences.
1. Hover your mouse over the Page Tab. Observe how a drop-down list appears from the Page tab. This allows you to jump directly to your desired page.
2. Go to the Preferences workspace and click the Preferences tab.
3. Change your home page selection to "Alerts".
4. Change the "Default time frame for event filtering" value from "Filter the last 3 days" to "Filter the last 365 days".
5. Click Save.

Topic 3: Practice manipulating the filters under Monitor.
1. Go to Main > Monitor > System Events and create a new custom system event filter which shows only events of High severity within the last 365 days.
   a. Click the "Advanced Filter" icon at the bottom of the Basic Filter section.
   b. Locate the Last Few Days criteria and click the green up arrow to enable this field.
   c. Locate and move the Severity criteria up as well.
   d. Use the plus icon to expand the Last Few Days and Severity criteria.
   e. Populate the Last Few Days criteria "Last ___ Days" with the value 365.
   f. In the Severity criteria, locate the value High and use the green right arrow to move it into the "Selected" text area.
   g. Click the Save button. In the popup window enter the name High Severity System Events and click the Save button. The filter will be saved and applied.
2. Click the Filter or Details hanging tabs and notice how this feature allows you to hide or unhide window pane views.
3. Use the Quick Search feature, which is available on several screens, by typing the word "License" into the search dialog box and clicking the magnifying glass icon. Notice the filter is listed under the Custom folder in the Filter explorer pane.
4. Browse to Main > Monitor > Alerts and open the Advanced Filter dialog box in the bottom left corner of the screen.
5. Add Time Frame from the Available Fields to the Enabled Fields list by clicking on the green UP arrow.
6. Edit the Time Frame criteria to filter for January 1, 2013 - January 31, 2013.
7. Apply the new filter and observe the change to the Alerts list view.
8. In the Quick Filter, search for the string: cmd.exe
   Q1. Does a Quick Filter search within the context of a.) an Advanced Filter that is already applied; or b.) the User Preferences time frame (overriding the advanced filter)?
9. Use the Clear Filter icons under both Basic Filter and Quick Filter to undo your changes.

Topic 4: Understand that hanging page tabs can be used to both hide and reveal sections of the GUI.
1. From Main > Monitor > Violations, click on the Filter hanging page tab to see the effect.
2. Repeat with the Details hanging page tab on the same screen.
3. From Main > Audit > DB Audit Data, click on the Filter hanging page tab to see the effect.
   Q2. How are the defaults on these two pages different?

Tips:
* The hanging tab sometimes reveals a window pane which is hidden by default.
* The Basic Filter, Quick Filter, and Advanced Filter mechanisms work independently of each other, and each cancels the others' filter choices.

Topic 5: Update the ADC content via a previously downloaded file on Client PC.
1. Go to Admin > ADC.
2. Under Manual ADC Update, click the Browse button.
3. Go to C:\ Documents and Settings Desktop\Tools\9.5\ and open the content-9.5.0.2-1.15.2013.mpry file.
4. Click Upload to send the ADC Content file to SecureSphere. NOTE: This process may take several minutes to complete.
5. When completed successfully, the "Last update from ADC was on:" date should change from September 30, 2012 to December 31, 2012.
6. Click Save.
7. Close the SecureSphere GUI by clicking Log out, then confirm by clicking Yes.
8. Close the Mozilla Firefox browser instance.

Tips:
* Always update ADC content immediately following any major SecureSphere update, including initial installation, patch installation, and version upgrades.
* Best practice for updating the ADC is to configure direct connectivity from your MX to Imperva and configure the Automatic ADC Update section to fetch ADC content every week.

Q&A Key:
Q1: A Quick Filter searches within the context of the User Preferences time frame and overrides any applied advanced filter.
Q2: The Audit Data "Filter" hanging tab reveals a page section that is hidden by default.

Lab 2: SecureSphere Deployment

Goal: In this lab, you will demonstrate an understanding of SecureSphere's different deployment options and how to best apply them in your network.

Topics:
1. Sketch a visual description of your network and how SecureSphere should be deployed in order to monitor and protect it properly.
2. Hold a class discussion over one student's network deployment design.

Tips:
* Sketch your data center's network components, including all connections.
* Mark which components should be monitored / protected.
* Identify on which connections the SecureSphere Gateways should be placed and what their license mode will be: Web/DB/File/ALL.
* Decide which deployment option suits the different roles.
* Identify SecureSphere hierarchy objects in your network: which are your Server Groups, Services, etc.

Example:
[Diagram: Internal Users and Web Users reach the Web and Database Servers via the Internet; a dedicated Management (MX) server is attached on MX eth0; a WAF and DB Security and Monitoring Gateway is attached on GW eth0.]

Your Network:
[Blank area for your own sketch.]

Lab 2: SecureSphere Deployment, Class Discussion:
Q1: What are the important factors for the Site Tree config?
Q2: Why do you need to understand the network topology?
Q3: Why is a load balancer in your network relevant?
Q4: When should you split servers into two or more "Server Groups", and when should you combine them into the same "Server Group"?
Q5: Why is the “Application” object important in SecureSphere? ©2013 Imperva, Ine. All rights reserved, SecureSphere 9.5 Lab Manual — ADMIN @ iVIPERVA Lab 3: Get Started — Site Objects ye Goal: Sen » Topics: & Tips: In this lab, you will interpret your lab network physical characteristics into SecureSphere logical objects by using the Site, Server Group, Service & Application objects. 1. Determine what needs protecting. 2. Understand that an un-configured SecureSphere will not monitor or alert activity. 3. Configure SecureSphere to monitor and protect the SuperVeda Web and DB system via the default policies, 4, Generate violation triggering traffic through the SecureSphere gateway’s bridge. 5._ View the results of your test traffic. Watch for available tips in the lab context. fa. ‘SS Topic 1: Determine: What needs protecting? 1. Your mandate is to protect the SuperVeda web, database, and AD file server resources. Determine the relevant IPs and ports. @. One method to get this information is to review the available topology diagram. If using CloudShare, click the Topology tab to reveal the map. If using VMware workstation, review the desktop wallpaper. Ql. What is the IP of "Veda Web”? Q2. What is the IP of “Veda DB”? Q3. What is the IP of “Win2K3-DC-CT"? b, Asecond method is to verify this information directly on the server. Open a console or RDP session to “Veda Web”. ¢. Open a command line in windows on Veda Web Start > Run > cmd.exe Lab 3: Got Started ~ Site Objects ©2013 Imperva, nc. Al rights reserved, SecureSphere 9.5 Lab Manual ~ ADMIN @OiVIPERVA , Print the IP address in use by the Veda Web server: ipconfig Q4. Is the IP of Veda Web above correctly documented? 2. Determine if the IPs of the SuperVeda environment already protected by reviewing the pre- existing Site Tree objects. 3. Exit the Veda Web environment and connect to the Client PC environment. 4. From Client PC, connect to SecureSphere using FireFox. 5. 
Browse to Main > Setup > Sites and expand the Default Site and Z Lab Site objects if needed to be able to see all Server Groups. 6. Click on each of the existing Server Group objects and review the “Protected IP Addresses” listed on the “Definitions” tab to verify if the SuperVeda servers noted in the topology diagram are currently protected. an Aaron | Perens | Take | > Lopate nots | iontee| Twos) > FS Were one Seve |S Wrrcaoveo save Q5. Are any of the IPs of SuperVeda topology diagram currently protected? 25 Started Site Objects © 2013 Imperva, Ine. All rights reserved. SecureSphere 9.5 Lab Manual — ADMIN @ IVIPERWA Ss \. Topic 2: Understand that an un-configured SecureSphere > will not monitor or alert acti ty. 1. From Client PC, open a new Internet Explorer browser session. The Home page should automatically take you to http://www.superveda.com 2. Click on the Seareh link. 3. Type the following, and then click Find: cmd.exe 4. Then type the following, and click Find: ‘or1=1-- Strings like * or 1=1 -- can be copied and pasted from info.txt file found in the ..Desktop/Tools/9.5/... folder on Client PC. 5. Notice that running the above command generated a signature sensitive event as well as a successful SQL injection against the Superveda web application, QO leitetramchen ie Q6. If you looked for these events in SecureSphere, would you see any record of them by default with the current configuration? Q7. What are some places in the GUI you could look to verify your answer? Web security alerts found here: DB activity records found here: File server CIFS activity found here: Lab 3: Get Started ~ Site Objects 26 © 2013 Imperva, Inc, All ights reserved SecureSphr 9. Lab Manual ~ ADMIN @GiMPERUW Site. _» Topic 3: Configure the SuperVeda Site object hierarchy. 1. From Client PC, run Mozilla Firefox to connect to SecureSphere. 2. Go to Main > Setup > Sites. 3. 
From the Sites Tree window pane, right-click the “All” folder at the root of the sites tree and select “Create Site”. 4. Name the new site Veda Data Center Site, choose “From Scratch”, and click Create. 5. Configure SecureSphere to protect and monitor the Veda Web Server: a. Right-click "Veda Data Center Site” object and select “Create Server Group’. b. Name the server group Veda Web Server Group, and click Create. . Click on the Veda Web Server Group object in the Sites Tree and select the Definitions tab. d. During initial configuration, verify that the Operation mode = Simulation. €. Under the “Protected IP Addresses” table, click the Create New "icon in order to add the IP: 192.168.54.1. f. Verify that the correct SecureSphere gateway is protecting this server by choosing the gateway group = Prima. 9. click bel save, Bd etn ste Elon aver se ———— 5 ne Data Center Ste Operation oO vem er Se a wor "fhe Smutin oomee = lronun ussat sever Window Domai: fre x aliPrenmeveasore ai fprentes sv 2010 © wees Gann conmtonn = ep crave Sever —— Protected Addresses h. Right-click the Veda Web Server Group object and select “Create Service”. Name the service Veda HTTP Service, choose HTTP Service from the drop-down list, and click Create, Started ~ Site Objects ©2013 Imperva, Inc. All rights reserved. SeeureSphore 9.5 Lab Manual ~ ADMIN @iVIPERA j. Expand the "Veda HTTP Service” object by clicking the | plus icon. Notice a “Default Web Application" is defined automatically by creating the HTTP Service object. 6. Configure SecureSphere to protect and monitor the Veda DB Server: a. Right-click "Veda Data Center Site” object and select “Create Server Group”, b, Name the server group Veda DB Server Group, and click Create. . Click on the Veda DB Server Group object in the Sites Tree and select the Definitions tab. d. During initial configuration, verify that the Operation mode = Simulation, e. 
Under the “Protected IP Addresses” table, click the Create New "F icon in order to add the IP: 192.168.53.100, f. Verify that the correct SecureSphere gateway is protecting this server by choosing the gateway group = Prima. g. Click bel save. h. Right-click the Veda DB Server Group object and select “Create Service”. i, Name the service Veda MsSQL Service, choose MsSQL Service from the drop-down list, and click Create, i, Read the configuration reminder. Fert nnn on a an ae) ii, This important waming applies to Database, File and SharePoint . For the remainder of the admin labs, you can permanently disable this warning by checking Don’t remind me again and click Ignore, j. Expand the "Veda MsSQL Service” object by clicking the + plus icon. Notice a “Default MsSql Application’ is defined automatically by creating the MsSQL service object. 28 Lab 3: Get Stated ~ Site Objects ©2013 Imperva, In. All rights reserved. SecureSphere 9.5 Lab Manual - ADMIN oor Group: Ved Dita Cater Group TeiSee Tete [ Sevier Pot a ° Cn en esas it ee, C: and SOL x! ie eta te Ws fI04 sve © ee BB Seer Ga (8 Voon SOL Seve 6 cotanss apscsten 120d Sever cup 1S Det vit apne Protected Addresses hae oa i When defining the protected IP address on the server group object, you must define the securesphere gateway group which does the protecting. Q8. How does this configuration exist; or, when did this gateway group object become part of the configuration? (From lecture/class discussion) Q9. Where (in the GUT) could you go to change the name of the gateway group and other details about the SecureSphere gateway object? Q10. How many times can the same protected IP be configured in multiple server groups and be protected / monitored by the same gateway group? 
(From lecture/class discussion) Advanced users can use the SecureSphere console CLI to validate ara when a gateway has begun enforcing a policy for a new server & Ti ps: group using the following command: noF watch -d cat /proc/hades/pelist Look for the server group’s name to appear in the Protected Entities list. Verify your configuration and troubleshoot with your instructor if you do not see your server group added after a few minutes. 2. Topic 4: Generate traffic through the SecureSphere _> Gateway's bridge. 29 Objects ‘© 2013 Imperva, In. All rights reserved. Lab 3: Get Stated SecureSphere 9.5 Lab Manual — ADMIN @GiMPERU 1. Use the Client PC environment to generate violation traffic to the protected Veda Web application server: a. Use Tabbed Browsing in CloudShare or VMware VM tabs to choose the Client PC environment window. b. Minimize the SecureSphere GUI currently open in Firefox. c, Use Internet Explorer to connect to http://www.superveda.com, d. Browse to the Login page to generate traffic using the following credentials: Username: — bugsb Password: carrots Note: This activity causes the application server to send an SQL lookup query to the Veda MsSQL server in order to validate the login. rs [BT poms gota cere Se eT . After successfully logging in to the application, click the Search link on the left menu bar of SuperVeda. f._ In the search field, type the following and then click “Find”: cmd.exe Lab 3: Get Stated ~ Site Objects (©2013 Imperva, Ine. All rights reserved. SecureSphere 9.5 Lab Manual ~ ADMIN EE \Go+ BE tioitmsmevedcn’ SSS i vor Fors Tos eb Links EDA Admrcrsten System p,Sipr VEDA jr @- 9. Close the Internet Explorer browser inside the Client PC environment. 2. Run the same test as above but use the Veda DB environment to generate violation traffic to the protected Veda Web application server: a, Use Tabbed Browsing in CloudShare or VMware VM tabs to choose the Veda DB environment window. b. 
Use Internet Explorer to connect to http://www.superveda.com.
c. Browse to the Login page to generate traffic using the following credentials:
   Username: bugsb
   Password: carrots
d. Click the Search link on the left menu bar of SuperVeda.
e. In the search field, type the following and then click “Find”: cmd.exe
f. Close the Internet Explorer browser inside the Veda DB environment.

Topic 5: View the results of your test traffic captured by the SecureSphere default policies.

1. Connect to the Client PC environment.
2. Re-expand or open the Firefox browser to connect to the SecureSphere GUI.
3. Browse to Main > Monitor > Violations.
4. Use the Quick Filter to filter for cmd.exe (you may need to click Refresh).
5. Review the violation details in the alerts and document the latest violation Date & Timestamps:
   Date / Timestamp 1: ________
   Date / Timestamp 2: ________
7. In the “Scope” window in the top left corner, define the following:
   Policy: Default Rule
   Time Frame: Last Hour
8. Select the Source IPs view.

Tips: If the above scope setting and view were already open, you must click the Update button to refresh the last hour of events.

Q11. Are there any query “Hits” that have originated from the 192.168.54.1 IP? If yes, how many?
Q12. Why are these hits coming from this specific IP when the violation traffic came from Client PC and Veda DB?

Q&A Key:
Q6: No. There is no server group configured with the protected IP of SuperVeda.
Q7: Locations: Web alerts: Main > Monitor > Alerts; DB activity: Main > Audit > DB Audit Data; File Server CIFS activity: Main > Audit > File Audit Data
Q8: The gateway name is defined when the gateway is first registered to its management server during initial install & config using the tool “impcfg”. By default, the gateway is created inside a group object with the same name.
Q9: Main > Setup > Gateways
Q10: Only 1 server group per IP protected by the same gateway. But multiple IPs can be protected using the same server group.
Q11: Varies by testing.
Q12: The database audit traffic comes from the web application server's IP address. This illustrates that user activity to the web server impacts the web server's queries to the database (of course).

Lab 4: Active Blocking

Goal: In this lab, you will test active blocking of violation traffic and see the SecureSphere WAF's default error page which sends a block notification to the client.

Topics:
1. Test the default reaction to a SQL injection which reveals credit card numbers.
2. Configure the Veda Web server group to enforce policies in “Active” operational mode.
3. Attack again while in Active operational mode and understand the default WAF error page configuration.
4. Customize the Default Error Page and search for the blocked event in the SecureSphere monitor logs.

Tips: Watch for available tips in the lab context.

Topic 1: Test the default reaction to a SQL injection which reveals credit card numbers.

1. From Client PC, minimize the Firefox browser to the SecureSphere GUI.
2. Run SQL Injection on SuperVeda using IE (Internet Explorer):
3. Go to the “Search” page on SuperVeda. No need to login.
4. Insert the following string in the field and click Find:
   XXX' UNION SELECT 1, 1, Username + ':' + Password + ':' + CCNumber + ':' + CCDate, 1, 1, 1, 1 FROM Users --

Tips:
Remember: You can copy/paste strings like the one above from the info.txt file in the ...esktop/Tools/9.5/.. folder on Client PC.

5. Observe how the web application responds.
6. Using Firefox, browse to Main > Monitor > Dashboard and see the alert generated following this action.
   (Dashboard rows: Veda Web Server Group / Veda HTTP Service / Default Web Application, Source IP 192.168.54.254, “SQL injection on parameter string” and “SQL Injection UNION SELECT attack”.)
   Note: SecureSphere shows the stop icon indicating a blocking policy matched this event. However, you received the web application's credit card dump response, meaning that the action arrived at the web server and was successful.
7. Click on one of the “block” events and notice the event details show Actions: Immediate Block (Simulation Mode). Also note that the alert text was black font instead of red font.
   (Event details: Violation Type: http; Severity: High; Policy Name: Web Correlation Policy; Alert Number: 1032; Immediate Action: Immediate Block (Simulation Mode).)

Topic 2: Configure the Veda Web server group to enforce policies in “Active” operational mode.

1. Browse to Main > Setup > Sites, expand the Veda Data Center Site and then select the Veda Web Server Group.
2. On the Definitions tab, change the “Operation Mode” from Simulation to Active.
3. Click Save. Give the gateway a moment to implement the new “operation mode” change before testing.

Tips:
Advanced users can re-run the below command from the SecureSphere gateway CLI to view progress:
watch -d cat /proc/hades/pelist
Press [Ctrl + C] to end the watch command.

Topic 3: Attack again while in Active operational mode and understand the default WAF error page configuration.

1. From Client PC, minimize the SecureSphere GUI Firefox browser.
2. Open a new IE browser session (close and re-open if needed).
3. Re-run the previous SQL injection string:
   XXX' UNION SELECT 1, 1, Username + ':' + Password + ':' + CCNumber + ':' + CCDate, 1, 1, 1, 1 FROM Users --
4. Observe the new response from the web server. If you see the credit card data leakage again, troubleshoot your configuration and then request help from the instructor if needed.
5. From the SecureSphere GUI, browse to Main > Setup > Sites.
6. Expand the “Veda Web Server Group” object and click on Veda HTTP Service.
7. Select the “Definitions” tab and expand (+) the “Error Page” configuration section.
8. Review the “Default Error Page” HTML.

Q1. How does this HTML page configuration compare to the new response received after your SQL injection attack activity was blocked by SecureSphere?

Topic 4: Customize the Default Error Page and search for the blocked event in the SecureSphere monitor logs.

1. From the Veda HTTP Service object's “Definitions” tab, expand (+) the “Error Page” configuration section.
2. Add a phone number to the “Contact support...” sentence before the
tag: Contact support at 555-555-5555 for additional information.
3. Click Save.
4. Retest the attack page using a new IE browser session to see the modified error page.
   (Browser shows: Error. This page can't be displayed. Contact support at ... for additional information. The incident ID is ...)
5. Copy the incident ID number from your browser error message to the clipboard.
6. Paste this ID number into the “Quick Filter” under Main > Monitor > Violations.

Q2. What did this search reveal?
Q3. As a “Best Practice” it is advised to change the text displayed by the default error page of any security appliance or web server. Why is this important?
Q4. Why is it not possible to test the functionality of your customized error page while your server group is configured in “Simulation” operational mode?
Q5. What are 2 indications in the SecureSphere Monitor that indicate that a violation was “Active” blocked instead of “Simulation” blocked?
   1. ________
   2. ________

Q&A Key: Lab 4: Active Blocking
Q1: The HTML shown defines the message seen in the returned data in the browser.
Q2: The incident ID finds the session ID that is related to the block event. If the same session generated multiple events, those would appear in the filter too.
Q3: Using any default message in production can allow “fingerprinting”. This informs an attacker that your server is behind a SecureSphere security device. Any information is too much...
Q4: SecureSphere can only replace the normal reply message with the error message when it has blocked the normal response.
Q5: 1.) Red font & 2.) Absence of (Simulation Mode) in the block details.

Lab 5: Basic Policy Creation

Goal: In this lab, you will create a new policy and apply it to your site tree, then test a simulation mode block.
Topics:
1. Observe the default policy reaction to a series of poorly formatted HTTP protocol connections.
2. Change to simulation mode, then create & apply a new security policy with a customized set of reactions.
3. Test the impact of the new policy.

Tips: Watch for available tips in the lab context.

Topic 1: Observe the default policy reaction to a series of poorly formatted HTTP protocol connections.

1. From Client PC, minimize the Firefox GUI browser to SecureSphere.
2. Open an invalid protocol HTTP connection from Client PC using TELNET from a command prompt:
a. From the Start menu, choose Run.
b. Open: cmd.exe
c. Type: telnet 192.168.54.1 80
d. [Enter]
e. From the telnet prompt, type the following followed by [Enter] twice:
   POST /

Tips: IMPORTANT: You will not be able to see what you are typing with the Windows Telnet command. To simplify this process, copy the POST / command from info.txt (Desktop > Tools > info.txt).

Q1. What type of message was displayed?

3. Open a second HTTP connection using TELNET with a slightly different invalid string:
a. From the command prompt, open a new telnet session on port 80: telnet 192.168.54.1 80
b. Inside the TELNET prompt, type the following followed by [Enter] twice:
   POST / HTTP/1.1

Tips: IMPORTANT: You will not be able to see what you are typing with the Windows Telnet command. To simplify this process, copy the POST / HTTP/1.1 command from info.txt (Desktop > Tools > info.txt).

Q2. How was the HTTP response different this time? If it was not different, check your above command syntax for typos.

4. Review the default policy alerts generated by these events in the SecureSphere GUI by browsing to Main > Monitor > Violations.
5. Clear any existing filters.
6. Add a “Basic Filter” for “By Alert Type: Protocol” and then click Apply.
7.
Refresh the Violation list and find the two protocol violations caused by these connections.
8. Select each of these events from the Violation List view and review the Event details for each.
9. Notice that “Illegal HTTP Version” has a default policy action of Block.
   (Event details: Violation Type: http; Severity: High; Policy Name: Web Protocol Policy; Alert Number: 1035; Violation Description: Illegal HTTP Version; Violated Item: HTTP Version; Immediate Action: Block.)
10. Notice that “Post Request - Missing Content Type” has a default policy severity of Medium.
   (Event details: Violation Type: http; Severity: Medium; Policy Name: Web Protocol Policy; Alert Number: 1037; Violation Description: Post Request - Missing Content Type; Violated Item: Post Request - Missing Content Type; Immediate Action: None.)

Q3. What is the Policy Name that generated both of these violations?
Q4. What extra violation is shown when you clear the “protocol” filter in the Violation tab?

Topic 2: Change to simulation mode, then create & apply a new security policy with a customized set of actions.
1. Browse to Main > Setup > Sites. Expand the Veda Data Center Site and select Veda Web Server Group.
2. Switch the operation mode to Simulation.
3. Click Save.

Tips - Best Practices: If your goal is minimizing service disruptions, then when making a policy change consider 1.) changing the operational mode from Active to Simulation; 2.) testing; 3.) returning to Active.

4. View the default policy rules and review the Apply To information on that policy.
a. Browse to Main > Policies > Security.
b. Clear any existing filters and apply a new filter for only “By Type > Web > Service Level:” HTTP Protocol Validation.
c. Left-click on the Web Protocol Policy from the list view.
d. Read the Policy Rules details which generated the above violations.
e. Choose the “Apply To” page tab to see the locations where this policy is currently applied.
5. Create a new HTTP Protocol Validation policy so that Illegal HTTP Version will not block and Post Request - Missing Content Type will write “No Alert”. Important: only make this change on the Veda HTTP Service. Do not implement the change on ALL protected web services.
a. Left-click the Create New icon in the Policies list view and choose Web Service.
b. Populate the Create New Policy window:
   Name: Class Customized Web Protocol Policy
   From Scratch
   Type: HTTP Protocol Validation
c. Click Create.
6. Modify the new policy to change the default actions for the tested events and apply the customized policy to the Veda HTTP Service object.
a.
Left-click the new policy from the Policies List pane.
b. Open the “Policy Rules” tab from the policy detail pane.
c. Scroll down and change the action on “Illegal HTTP Version” from Block to None.
d. Scroll down and change the default Severity on “Post Request - Missing Content Type” from Medium to No Alert.
e. Click Save.
f. Open the “Apply To” tab from the policy detail pane.
g. Expand the “Veda Data Center Site” & “Veda Web Server Group” in order to check the box next to Veda HTTP Service.

Q5. Why does checking Veda HTTP Service in the “Apply To” tab of this policy trigger a warning message?
   (Warning message: Note: You are replacing policy: Web Protocol Policy.)

h. Click OK on the warning message.
i. Click Save.

Q6. Why did we create a new policy? Why not just modify the default policy?

Topic 3: Test the impact of the new policy.

1. From Client PC, minimize the Firefox GUI browser to SecureSphere.
2. Open an invalid protocol HTTP connection from Client PC using TELNET from a command prompt:
a. From the Start menu, choose Run.
b. Open: cmd.exe
c. Type: telnet 192.168.54.1 80
d. [Enter]
e. From the telnet prompt, type the following followed by [Enter] twice:
   POST /

Q7. What type of message was displayed?
Q8. What are two reasons that the message returned was different in this test than in Topic 1?
   1) ________
   2) ________

3. Open a second HTTP connection using TELNET with a slightly different invalid string:
a.
From the command prompt, open a new telnet session on port 80: telnet 192.168.54.1 80
b. Inside the TELNET prompt, type the following followed by [Enter] twice:
   POST / HTTP/1.1

Q9. What type of message was displayed now?

4. Review the new policy alerts generated by these events in the SecureSphere GUI.
5. From the SecureSphere GUI, browse to Main > Monitor > Violations.
6. Refresh the Violation list and find the protocol violations caused by these connections.
7. Select the recent events from the Violation list pane and review the details displayed for each.
8. Notice that “Illegal HTTP Version” now has a policy action of None.
   (Event details: Violation Description: Illegal HTTP Version; Violated Item: HTTP Version; Immediate Action: None.)
9. Notice that “Post Request - Missing Content Type” does not show up on the Violations list.
10. However, the “Suspicious Response Code” violation does still occur because this policy was not changed. Select it from the Violation list pane.
11. View the details and confirm that this was generated by your second action that was set to “No Alert”.
12. Then, click on the “Additional Violations” tab to see what information exists there.
13. Leave Veda Web Server Group in Simulation Mode for the future labs that will be run.

Tips: Even though a policy rule may be defined as “No Alert”, if the rule is still “Enabled”, then the gateway still records the event for correlation with events in custom policies, as demonstrated above.
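The two protocol rules exercised in this lab, with their default and customized severities and actions, modelled as an added example (my own code, not SecureSphere's or Imperva's): it parses a raw request like the one typed into telnet, names the rules it trips, and applies a policy the way the lab describes, including the point in the tip above that a “No Alert” rule is still recorded even though it raises no alert. Rule names, default severities and default actions are taken from the event details shown in this lab; the request parsing, the policy structures and the sample requests are my simplification.

```python
"""
Toy model of the two HTTP Protocol Validation rules exercised in this lab.
Added example: this is not SecureSphere code. Rule names, default severities and
default actions are copied from the event details shown in the lab; the request
parsing and the policy data structures are my own simplification.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    severity: str  # "High", "Medium", "Low" or "No Alert"
    action: str    # "Block" or "None"
    enabled: bool = True


@dataclass(frozen=True)
class Event:
    violation: str
    severity: str
    action: str
    alerted: bool  # False for "No Alert" rules: recorded, but not listed as an alert


# Default Web Protocol Policy values as shown in the lab's event details (Topic 1).
DEFAULT_POLICY = {
    "Illegal HTTP Version": Rule("Illegal HTTP Version", "High", "Block"),
    "Post Request - Missing Content Type": Rule("Post Request - Missing Content Type", "Medium", "None"),
}

# The "Class Customized Web Protocol Policy" built in Topic 2.
CUSTOM_POLICY = {
    "Illegal HTTP Version": Rule("Illegal HTTP Version", "High", "None"),
    "Post Request - Missing Content Type": Rule("Post Request - Missing Content Type", "No Alert", "None"),
}

# Constructed raw requests, equivalent to what is typed in telnet (Enter twice ends the headers).
REQ_NO_VERSION = b"POST /\r\n\r\n"
REQ_NO_CONTENT_TYPE = b"POST / HTTP/1.1\r\nHost: www.superveda.com\r\n\r\n"
REQ_CLEAN = b"POST / HTTP/1.1\r\nHost: www.superveda.com\r\nContent-Type: text/plain\r\n\r\n"


def parse_request(raw: bytes):
    """Return (method, uri, version or None, headers) from a raw HTTP request head."""
    head = raw.decode("latin-1").partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    method = parts[0] if parts else ""
    uri = parts[1] if len(parts) > 1 else ""
    version = parts[2] if len(parts) > 2 else None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return method, uri, version, headers


def find_violations(raw: bytes):
    """Name the protocol rules this request trips, independent of any policy."""
    method, _uri, version, headers = parse_request(raw)
    found = []
    if version is None or not re.fullmatch(r"HTTP/\d\.\d", version):
        found.append("Illegal HTTP Version")
    if method.upper() == "POST" and "content-type" not in headers:
        found.append("Post Request - Missing Content Type")
    return found


def evaluate(raw: bytes, policy, operation_mode="Simulation"):
    """Apply a policy to one request and return (events, blocked).

    Every enabled rule that matches produces an Event, even when its severity is
    "No Alert" (alerted=False), which is what lets the gateway correlate it later.
    The request is blocked only when a matching rule says Block and the server
    group is in Active mode; in Simulation the block is recorded but not enforced.
    """
    events, blocked = [], False
    for name in find_violations(raw):
        rule = policy[name]
        if not rule.enabled:
            continue
        events.append(Event(name, rule.severity, rule.action, rule.severity != "No Alert"))
        if rule.action == "Block" and operation_mode == "Active":
            blocked = True
    return events, blocked


if __name__ == "__main__":
    for label, req in (("POST /", REQ_NO_VERSION), ("POST / HTTP/1.1", REQ_NO_CONTENT_TYPE)):
        for pol_name, pol in (("default", DEFAULT_POLICY), ("custom", CUSTOM_POLICY)):
            ev, blk = evaluate(req, pol, "Active")
            print(f"{label:16} {pol_name:8} blocked={blk} "
                  + ", ".join(f"{e.violation}[{e.severity}/{e.action}]" for e in ev))
```

Running the block reproduces the lab's sequence: under the default policy in Active mode the bare POST / is blocked (the SecureSphere error page of Q1), POST / HTTP/1.1 only raises the Medium alert and reaches IIS (Q2), and under the customized policy nothing is blocked while the “No Alert” rule still yields a recorded, non-alerting event (Q8, Q9).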
(Event details: Custom Rule Violation; Violation Type: http; Severity: Medium; Policy Name: Suspicious Response Code; Alert Number: 1033; Violation Description: Suspicious Response Code; Violated Item: Custom Violation; Immediate Action: None. Additional Violations tab: Post Request - Missing Content Type.)

Q&A Key: Lab 5: Basic Policy Creation
Q1: A SecureSphere default blocking error page.
Q2: A Microsoft IIS server error page.
Q3: Web Protocol Policy
Q4: Custom Rule Violation: “Suspicious Response Code”
Q5: Some policies are exclusive. It is not allowed to apply more than one of these policy types to a Site Tree object at one time. The warning message indicates that the currently applied policy will be replaced with the new policy if you continue.
Q6: Default policies can be protected from manual changes but could also be updated by future ADC updates which may revert your customized changes. By creating a new policy, we can avoid that conflict and can selectively apply the changes to the desired service.
Q7: A Microsoft IIS server error page.
Q8: 1.) The policy is no longer actively enforced. Simulation mode cannot display a SecureSphere block error page. 2.) The rule being tested is no longer defined to “Block”. Because it is not blocked at the rule level, even in Active mode there would be no SecureSphere block error page.
Q9: A Microsoft IIS server error page.
Lab 6: Followed Actions

Goal: In this lab, you will practice using Followed Actions to send notifications as well as to define a quarantine action by source IP.

Topics:
1. Prepare the email relay server service on Veda DB before the lab.
2. Configure an Action Interface and/or Action Set in order to define the desired Followed Action in a policy.
3. Use your new action set as the followed action of a security policy.
4. Test your Followed Action configuration by initiating multiple failed logins through the gateway bridge.
5. View the results in SecureSphere and email.

Tips: Watch for available tips in the lab context.

Topic 1: Prepare the email relay server service on Veda DB before the lab.

1. Open the Veda DB environment using tabbed browsing in CloudShare or by selecting the correct VMware tab if using local virtualization.
2. Look for the ArGoSoft server service running in the system tray.
3. If not yet running, launch ArGoSoft by double-clicking the application icon on the Veda DB desktop.
4. Once running in the system tray, double-click the system tray icon.
5. Configure the Tools > Options menu to Allow Relay during this lab.
   Note: Email delivery is disabled in the training environment. However, the ArGoSoft Mail Server must be configured with Allow Relay to function properly in this lab.
6. Click OK. The ArGoSoft mail server can be unstable. If it is already running, stop it with the red stop button.
7. Click the green start button to start the ArGoSoft Server.

Tips:
Since external delivery has been disabled, you will need to view the ArGoSoft log to validate lab success.

Topic 2: Configure an Action Interface and/or Action Set in order to define the desired Followed Action in a policy.

1. Return to the Client PC environment.
2. Create a new Action Set to both notify you via email and quarantine the source IP of a repeated failed database login event.
a. Browse to Main > Policies > Action Sets.
b. Create a new Action Set by clicking the Create New icon.
   Name: Email and Block IP 10 Minutes
   Event Type: Security Violations - All
c. Click Create.
d. Click on the Email and Block IP 10 Minutes Action Set from the left-hand pane list view in order to configure this new object.
e. From the right-hand Available Action Interfaces list pane, expand (+) the Email > Send an Email option.
f. Notice that the available Action Interface “Email > Send an Email” does not contain much pre-defined information about the email server. But it does contain the word “mail”, which you may know does not resolve to the correct email server IP. This won't work as-is and must be changed.
3. Edit the “Send an Email” Action Interface.
a. Browse to Admin > System Definitions > Action Interfaces under the “Management Server Settings” category.
b. Open the (+) symbol to edit the Send an Email action interface.
c. Pre-define the email server IP to point to the ArGoSoft Relay running on Veda Database and give a source email address:
   SMTP Server Address: 192.168.53.100
   From Address: [email protected]
   NOTE: Because this lab source email is fake, it may be routed to a spam filter on your destination email server.
d.
Click Save.

Tips:
• Because of the word “mail” in the address field we were forced to edit the Action Interface. However, if not, we would have been faced with a real-world decision: 1) define the details in an Action Set; or 2) define the details in the Action Interface?
• If we need to create several Action Sets that use email as an action, we should edit the Action Interface so that these details don't need to be repeatedly entered.
• If we only need one Action Set to use this email server, then we could just define all the details directly in the Action Set.

4. Edit the Email and Block IP 10 Minutes Action Set again with the new values.
a. Browse to Main > Policies > Action Sets and highlight the correct action set.
b. Add the Email > Send an Email and IP Block > Block an IP from the “Available Action Interfaces” to the “Selected Actions” list using the UP arrow.
c. Configure the Action Set Policy Email rule:
   EMAIL rule Name: Send to me
   SMTP Server Address:
   To Address:
   CC Address:
   Email Subject, Body, Format: Leave default or experiment with un-checking and using the Populate button.
   Run on Every Event: Enabled
d. Configure the Action Set Policy IP Block rule:
   IP Block rule Name: Block for 10 minutes
   Duration: 600
   Trusted IPs:
e. Click Save.
Tips: Note: Be careful outside of the lab environment when choosing to use “Run on Every Event” together with an Email action. A web penetration test/scanner could generate thousands of emails!

Topic 3: Use your new action set as the followed action of a security policy correlation rule.

1. From Client PC, use Firefox to browse to Main > Policies > Security and use the filter to find the “By Type > DB-Service Level:” DB Service Correlated Validation policies.
2. Click Apply on the filter pane.
3. Highlight the SQL Correlation Policy from the list pane.
4. Edit the Excessive Attempts of Database Login rule's Followed Action and choose Email and Block IP 10 Minutes from the drop-down list.
5. Click Save.

Topic 4: Test your Followed Action configuration by initiating multiple failed logins through the gateway bridge.

1. Open the Veda WEB environment using tabbed browsing in CloudShare or by selecting the correct VMware tab if using local virtualization.
2. Login to the Veda Web IIS server desktop environment.
3. From the Veda Web IIS, launch Query Analyzer using the desktop icon.
4. Use the Veda Web server to login to Veda DB from across the SecureSphere GW's bridge with the wrong password more than 5 times in 2 minutes and verify the IP is blocked (simulated) and you receive an email. (Alternative: look at the ArGoSoft email log records to see the attempted mail.)
a. Attempt to login to Veda DB with the wrong credentials:
   SQL Server: 192.168.53.100
   SQL Server authentication
   Login Name: VEDA_App
   Password: (wrong)
   Click OK on the error message and repeat the click on OK to re-submit the wrong credentials 5 more times.
5. Login correctly using a valid username and password:
   SQL Server: 192.168.53.100
   SQL Server authentication
   Login Name: VEDA_App
   Password: VEDA_Pass
   NOTE: If you are still unable to log in, notice that the above username and password are case sensitive and try again.

Topic 5: View the results in SecureSphere and email.

1. Connect to Client PC and use the SecureSphere GUI via Firefox to review the details of the event.
2. Browse to Main > Monitor > Blocked Sources and notice the Block by IP event.
3. Review the details by clicking on the alert no. link.
   (Details shown: Email and Block IP 10 Minutes: An email was sent to [email protected]. Email and Block IP 10 Minutes: IP was blocked. Duration: 600.)

Q1. The real user name of “VEDA_App” was not shown in the alert using the default configuration. What name was shown instead?

4. Un-quarantine your source IP address by selecting Actions > Release Blocked Sources.
5. Refresh the screen by clicking on the Currently Blocked Sources filter view.

Q2. Given the “Block by source IP” followed action and the above success indication, were you still able to login using the correct credentials after triggering this? Why / Why not?

6. Connect to Veda DB to view the ArGoSoft email relay log to verify that an email relay was attempted.
7. Stop the ArGoSoft mail server relay.
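The correlation rule and followed action configured in Topics 3 and 4, modelled as an added example (my code, not SecureSphere's or Imperva's): it counts failed database logins per source IP over a sliding window, quarantines the source for 600 seconds unless it falls in the Trusted IPs list of the IP Block rule, sends the notification either on every matching event or once per burst, and shows that a quarantine only refuses connections when the protected server group is in Active mode, which is the point behind Q2. The threshold of more than 5 failures within 2 minutes is taken from the lab's test instructions; how the real gateway aggregates events, what exactly “Run on Every Event” does, and the sample IP addresses are assumptions.

```python
"""
Model of the "Excessive Attempts of Database Login" correlation rule with the
"Email and Block IP 10 Minutes" followed action built in this lab.
Added example, not SecureSphere code: the threshold (more than 5 failures within
2 minutes) is taken from the lab's test instructions and the 600-second block and
Trusted IPs exclusion from the Action Set; the windowing, the meaning of
"Run on Every Event" and the operation-mode check are my own simplification.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

THRESHOLD = 5     # alert on the failure that takes the count past 5 in the window
WINDOW_SEC = 120  # "in 2 minutes"
BLOCK_SEC = 600   # Duration field of the IP Block rule


@dataclass(frozen=True)
class LoginEvent:
    ts: int         # seconds, constructed timestamps
    src_ip: str
    user: str
    success: bool


class LoginCorrelator:
    def __init__(self, trusted_ips=(), run_on_every_event=True, operation_mode="Simulation"):
        self.trusted = [ip_network(t) for t in trusted_ips]
        self.run_on_every_event = run_on_every_event
        self.operation_mode = operation_mode      # of the protected DB server group
        self.failures = defaultdict(deque)        # src_ip -> recent failure timestamps
        self.blocked_until = {}                   # src_ip -> block expiry timestamp
        self.emails = []                          # (ts, src_ip) per notification sent

    def is_trusted(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in self.trusted)

    def is_blocked(self, ip, now):
        expiry = self.blocked_until.get(ip)
        return expiry is not None and now < expiry

    def would_drop(self, ip, now):
        """A quarantined source is actually refused only in Active mode (cf. Q2)."""
        return self.operation_mode == "Active" and self.is_blocked(ip, now)

    def process(self, ev):
        """Feed one audited login attempt; return the followed actions run, or None."""
        if ev.success:
            return None
        window = self.failures[ev.src_ip]
        window.append(ev.ts)
        while window and ev.ts - window[0] > WINDOW_SEC:
            window.popleft()                       # drop failures older than the window
        if len(window) <= THRESHOLD:
            return None
        first_match = len(window) == THRESHOLD + 1  # the failure that crossed the line
        actions = {"src_ip": ev.src_ip, "blocked": False, "emailed": False}
        if not self.is_trusted(ev.src_ip):         # Trusted IPs are exempt from the block
            if not self.is_blocked(ev.src_ip, ev.ts):
                self.blocked_until[ev.src_ip] = ev.ts + BLOCK_SEC
            actions["blocked"] = True
        if self.run_on_every_event or first_match:  # one mail per burst unless "Run on Every Event"
            self.emails.append((ev.ts, ev.src_ip))
            actions["emailed"] = True
        return actions


def run(events, **kwargs):
    """Replay a list of LoginEvents through a fresh correlator; return (correlator, results)."""
    c = LoginCorrelator(**kwargs)
    return c, [c.process(e) for e in events]


# Constructed audit samples (documentation-range IPs, not the lab topology).
BURST = [LoginEvent(5 * i, "192.0.2.10", "VEDA_App", False) for i in range(6)]      # 6 failures in 25 s
LONG_BURST = BURST + [LoginEvent(30 + 5 * i, "192.0.2.10", "VEDA_App", False) for i in range(2)]
SPREAD = [LoginEvent(30 * i, "192.0.2.20", "VEDA_App", False) for i in range(6)]    # one every 30 s

if __name__ == "__main__":
    c, results = run(BURST)
    print(results[-1], "blocked at t=26:", c.is_blocked("192.0.2.10", 26))
    print("spread-out failures:", run(SPREAD)[1])
    print("emails, run on every event:", len(run(LONG_BURST)[0].emails),
          "/ once per burst:", len(run(LONG_BURST, run_on_every_event=False)[0].emails))
```

Two design points worth noticing: the Trusted IPs check only exempts the source from the IP block, the email still goes out, which mirrors the field belonging to the IP Block rule rather than to the Action Set as a whole; and the `would_drop` check is separate from `is_blocked`, because in Simulation mode the Blocked Sources view is populated even though the login in step 5 still succeeds.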
(ArGoSoft log excerpt, 5/18/2010: Requested SMTP connection from the management server; Received 16947 bytes; SMTP connection ended, ID=18; Delivering to the configured To address; Attempting to deliver to the domain; DNS Timeout. Will retry in 0 hr 10 min. Status bar: Delivery on, Connections: 0, Pending: 1, Delivering: 0.)

Class Discussion:
Q3. What is the risk of using quarantine followed actions by Source IP?
Q4. How can this risk be reduced?
Q5. Why was the username identified as “hashed user”?
Q6. The instructions specified to connect to the DB server across the SecureSphere GW bridge from the Veda IIS server. Would this lab generate the same results if the failed logins originated on the local Veda DB server? Why?
Q7. ...Or from Client PC? Why?

Tips: Note: Among other topics, resolving hashed DB user configuration settings and the use of database agents are covered in more detail in the advanced labs of the Database Security & Compliance course.

Q&A Key: Lab 6: Followed Actions
Q1: Hashed User
Q2: The Veda DB MsSQL server group is not protected in “active” mode.
Q3: Quarantine of an e-business application server can be an undesired potential outage even though quarantine of an end user may be required by policy.
Q4: The Action Set provides an option to exclude a defined group of source IPs to avoid this risk.
Q5: The MSSQL 2005 DB server hashes (encrypts) the username and password during authentication.
‘This can be accomplished via Kerberos but is most likely encrypted using the Microsoft default SSL certificate installed with MSSQL server, To see the username, the ‘SecureSphere administrator must import the relevant decryption password and/or SSL keys. Q6: No. A network appliance cannot monitor a connection that both originates and terminates directly on the database server directly. For this event to be monitored, a SecureSphere local DB Agent must be installed, Q7: No. The deployment strategy of this lab gateway did not define Network monitoring between the Client PC and Veda DB servers. Recall from the deployment lesson that this represents a gap in protection. This coverage gap should be avoided in a production by understanding the connection options and network architecture of your business and deploying SecureSphere appropriately. 59 © 2013 Imperva, nc. All rights reserved. SooureSphere 9.5 Lab Manual = ADMIN @OiMIPERA Lab 7: System Events Policies Goal: In this lab, you will practice creating and defining a core set of Oal: recommended System Event policies together with a relevant set of Followed Actions to send notifications about these events. Verify that the Kiwi SYSLOG server is running. View the default behavior of SecureSphere to a failed login. Create a new Action Set to use syslog for notification of configured system event violations. 4. Create a new System Event policy and test. 5. Edit the System Event policy so that it only triggers when the failed login is from the user "admin". yee Tips: Watch for available tips in the lab context. en Topic 1: Verify that the Kiwi SYSLOG server is running on > the Veda DB environment. 1, Connect to the Veda DB environment using tabbed browsing in CloudShare or by selecting the relevant tab from VMware when using local virtualization. 2. From Veda DB, use the desktop icon to launch the “Kiwi Syslog Daemon” 22 60 Lab 7; System Events Policies © 2013 Imperva, In. All rights reserved. 
3. Using the "Manage" menu options, verify that the service is running.

   (Screenshot: Kiwi Syslog Daemon Manage menu: Install the Syslogd service, Uninstall the Syslogd service, Start the Syslogd service, Stop the Syslogd service, Ping the Syslogd service, Show the Syslogd service state, Debug options.)

Topic 2: View the default behavior of SecureSphere to a failed login.

1. From Client PC, if currently connected to the SecureSphere GUI client, click Log out.
2. Attempt to log on as admin using a random password.
3. View the failed logon message.
4. Log on again using the correct credentials (admin/1qa2wsx) and then browse to Main > Monitor > System Events.
5. Filter By SubSystem = User.
6. Notice the message, "Login failed for user admin".
7. Browse to Main > Policies > System Events.
8. Notice that there are no System Events policies defined by default in this view.

Q1. What is the sole function of a System Events Policy since all system events are automatically recorded to the Monitor > System Events log by default?

Topic 3: Create a new Action Set to use syslog for notification of configured system event violations.

1. Browse to Main > Policies > Action Sets.
2. Create a new Action Set (create icon) of type "System Event".
   Name: Test syslog user login
   Event Type: System Events
3. Click Create.
4. Populate several Selected Actions:
   a. Left-click the new Action Set from the Select window pane.
   b. Move System Log > Log to System Log (syslog) up to the Selected Actions list 2 times.
   c. Move System Log > Log system event to System Log (syslog) using the CEF standard up to the Selected Actions list 1 time.
   (Screenshot: Available Action Interfaces list: Email > Send an Email; SNMP Trap > SNMP Trap; System Log > Log custom security event to System Log (syslog) using the CEF standard; System Log > Log network security event to System Log (syslog) using the CEF standard; System Log > Log security event to Envision; System Log > Log security event to System Log (syslog) using the CEF standard; System Log > Log system event to Envision; System Log > Log system event to System Log (syslog) using the CEF standard; System Log > Log to System Log (syslog); OS Command > Run a Shell Command; Review Task > Create a Review Task; Assignment Task > Assign a Task; Remedy Create Incident > Remedy Create Incident. Selected Actions: System Log > Log system event to System Log (syslog) using the CEF standard; System Log > Log to System Log (syslog); System Log > Log to System Log (syslog).)

Tips: We are using 3 syslog Action Interfaces in one Action Set for lab comparison reasons only. In production, you would typically have only the supported format for your SYSLOG vendor with a message relative to the logged event.

5. Expand the (+) Action Interfaces to configure each of the System Log actions.
6. Create the following as shown in the screenshot below:
   1.) a CEF standard hard-coded message;
   2.) a Simple message; and
   3.) a flexible message using SYSLOG placeholders to define the message content.
7. Click Save.
   (Screenshot: Action Set "Test syslog user login" with the three Selected Actions expanded:
    1. System Log > Log system event to System Log (syslog) using the CEF standard. Name: CEF standard. Syslog Host: 192.168.53.100. Syslog Log Level: INFO. Message: the default CEF template (CEF:0|Imperva Inc.|SecureSphere|${SecureSphereVersion}|${Event.eventType}|...|rt=#arcsightDate(${Event.createTime}) cat=SystemEvent). Facility: KERN. Run on Every Event: checked.
    2. System Log > Log to System Log (syslog). Name: Simple message. Syslog Host: 192.168.53.100. Syslog Log Level: WARN. Message: Admin failed to login to SecureSphere. Facility: LOCAL0. Run on Every Event: checked.
    3. System Log > Log to System Log (syslog). Name: Custom message with placeholders. Syslog Host: 192.168.53.100. Syslog Log Level: WARN. Message: ${Event.message} at ${Event.createTime}. Run on Every Event: checked.)

Topic 4: Create a new System Event policy and test.

1. Browse to Main > Policies > System Events and create a new System Event policy from the list pane (not the filter pane).
   Name: Syslog - Login failed
   Type: Login Failed
2. Click Create.
3. Define the Followed Action in the policy.
   a. Highlight the new policy from the list pane.
   b. Click the Followed Action page tab.
   c. Choose Test syslog user login Action Set from the Followed Action drop-down menu.
   d. Click Save.
4. From Client PC, view the new syslog policy notification behavior of SecureSphere to a failed login.
   a. From the SecureSphere GUI client browser, choose Log out.
   b. Attempt to log on as admin using a random password.
   c. Change the username to Amy (case sensitive) and attempt to log on using a random password.
5. From the Veda DB server desktop environment, view the Kiwi Syslog server messages generated by these failed login attempts.

   (Screenshot: Kiwi Syslog Daemon display. Messages received from 192.168.53.13 on 05-18-2010, newest first:
    02:22:10  Local Warning (two entries)  the Amy attempt
    02:22:05  Kernel.Info    CEF:0|Imperva Inc.|SecureSphere|...|Login failed for user admin (IP: 192.168.53.1) Reason: bad credentials ...
    02:22:03  Local2.Warning Login failed for user admin (IP: 192.168.53.1) Reason: bad credentials
    02:22:03  Local0.Warning Admin failed to login to SecureSphere)
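The policy-plus-action-set flow of Topics 3 and 4, as an added Python example written for this manual (it is not SecureSphere's own code and does not reproduce its exact template syntax). It renders the same three syslog formats for a constructed "Login Failed" event from admin and one from Amy, parses the CEF line back into its fields, and also models the Matching Text Segments filter that Topic 5 below adds. The {placeholder} names in braces, the SystemEvent/SystemEventPolicy/SyslogAction classes and Amy's message text are this example's own assumptions; the CEF template is modelled on the lab screenshot rather than copied from the product, and the numeric threshold behaviour of a value like "80" in the optional task is not modelled (matching here is a plain substring test).

```python
# Added example for this manual (not SecureSphere code): a model of the
# "Syslog - Login failed" System Event policy with its three syslog actions.
# The {placeholder} names, the class names and Amy's message text are this
# example's assumptions; the CEF template is modelled on the lab screenshot.
import re
from dataclasses import dataclass

SECURESPHERE_VERSION = "9.5"


@dataclass
class SystemEvent:
    event_type: str      # the policy "Type", e.g. "Login Failed"
    message: str         # text shown in Main > Monitor > System Events
    create_time: str     # constructed ISO-8601 timestamp
    severity: int = 5


@dataclass
class SystemEventPolicy:
    event_type: str
    matching_text: str = ""   # "Matching Text Segments"; empty matches every event of the type

    def matches(self, event):
        # Plain case-sensitive substring match: "admin" does not match "user Amy".
        return event.event_type == self.event_type and self.matching_text in event.message


@dataclass
class SyslogAction:
    name: str
    facility: str
    level: str
    template: str

    def render(self, event):
        body = self.template.format(
            version=SECURESPHERE_VERSION, eventType=event.event_type,
            severity=event.severity, createTime=event.create_time, message=event.message)
        return f"{self.facility}.{self.level} {body}"


# The three Selected Actions from Topic 3, in the order the lab configures them.
ACTION_SET = [
    SyslogAction("CEF standard", "KERN", "INFO",
                 "CEF:0|Imperva Inc.|SecureSphere|{version}|{eventType}|{eventType}|{severity}|"
                 "rt={createTime} cat=SystemEvent"),
    SyslogAction("Simple message", "LOCAL0", "WARN", "Admin failed to login to SecureSphere"),
    SyslogAction("Custom message with placeholders", "LOCAL2", "WARN", "{message} at {createTime}"),
]


def run_policy(policy, events, actions=ACTION_SET):
    """Return the syslog lines the action set emits for every event the policy matches."""
    lines = []
    for event in events:
        if policy.matches(event):
            lines.extend(action.render(event) for action in actions)
    return lines


def parse_cef(line):
    """Split a CEF record into its seven header fields plus a dict of extension key=value pairs."""
    record = line[line.index("CEF:"):]
    header = record.split("|", 7)
    keys = ["version", "vendor", "product", "device_version", "signature_id", "name", "severity"]
    parsed = dict(zip(keys, header[:7]))
    parsed["version"] = parsed["version"].split(":", 1)[1]
    extension = header[7] if len(header) > 7 else ""
    parsed["extension"] = dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", extension))
    return parsed


# Constructed events: the admin message is the one shown in the lab; Amy's is built the same way.
FAILED_ADMIN = SystemEvent("Login Failed",
                           "Login failed for user admin (IP: 192.168.53.1) Reason: bad credentials",
                           "2010-05-18T02:22:03")
FAILED_AMY = SystemEvent("Login Failed",
                         "Login failed for user Amy (IP: 192.168.53.1) Reason: bad credentials",
                         "2010-05-18T02:22:10")


def demo(matching_text=""):
    """Topic 4 (no matching text) versus Topic 5 (matching text 'admin')."""
    policy = SystemEventPolicy("Login Failed", matching_text)
    return run_policy(policy, [FAILED_ADMIN, FAILED_AMY])


if __name__ == "__main__":
    for line in demo():
        print(line)
```

With no matching text, demo() emits six lines and the fifth one (the hard-coded "Admin failed to login" message for Amy's event) is the misleading case the Q2 answer key points out; only the CEF and placeholder formats carry the real user name. demo("admin") emits three lines, all for the admin event, which is why the hard-coded message becomes accurate after Topic 5.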
Q2. Each Syslog message format has an advantage and a disadvantage. What are one advantage and one disadvantage for each of these three examples?

Topic 5: Edit the System Event policy so that it only triggers when the failed login is from the user "admin".

1. Log on using the correct admin credentials (admin/1qa2wsx) and then browse to Main > Monitor > System Events.
2. Recall that the system event message includes the detail of the user name, "Login failed for user admin".
   Message: Login failed for user admin (IP: 192.168.53.1) Reason: bad credentials
3. Edit the system event policy.
   a. Browse to Main > Policies > System Events.
   b. Select the Syslog - Login failed policy from the list pane.
   c. Open the Policy Details page tab.
   d. Define the Matching Text Segments:
      Matching Text Segments: admin
   e. Click Save.
4. From Veda DB, clear the syslog messages from the Kiwi service.
   a. Select View > Clear Display from the drop-down menu.
5. From Client PC, retest the failed logins from both admin and Amy again.

Q3. How are the results different?
Q4. How could this customization ability be useful in other policies?

Optional Task: Add 3 more System Event policies that are considered best practice by Imperva professional services.

1. Browse to Main > Policies > System Events and create the following types:
2. Gateway State Change
   Matching Text: Disconnected
3. Hardware Failure
   Matching Text:
4. Gateway CPU Utilization
   Matching Text: 80

Tips: Note: "80" in this case is a threshold value rather than a literal value, so it would also trigger on 85% CPU, for example.

Q&A Key: Lab 7: System Events Policies

Q1: The system event policies are used to externalize any desired messages from the system event logs.
Q2: Various. However, notice that the hard-coded message failed to indicate that "Amy" was the bad login.
Q3: The hard-coded admin failed login message is now always accurate. The failed logins by Amy are no longer covered by THIS system event policy.
Q4: Various.

Lab 8: Monitoring

Goal: In this lab, you will use the tools under the Monitor menu tab to analyze events that have been generated so far in the course labs.

Topics:
1. Understanding Monitor > Dashboard.
2. Understanding Monitor > Alerts.
3. Practice Alert filtering.
4. Practice marking alerts for future review and/or collaborative actions.
5. Understand the ability to delete Alert Aggregation rows from the Monitor > Alerts page.
6. Understanding Violations.
7. Understanding the Violation details.

Important: Events may not properly display due to the filter Last Few Days defaulting to 3. If you are not seeing Alerts or Violations after setting a Basic Filter, click the Advanced Filter button and check for the presence of the Last Few Days Enabled Field. If present, verify the value of 365 in Last __ days.

Topic 1: Understanding the Dashboard.

1. From Client PC, connect to SecureSphere using Firefox and view the Monitor menu tab alerts:
   a. Browse to Main > Monitor > Dashboard.
   b. On the far left side of the GUI, left-click on the primary gateway.
   c. Underneath it, click on the Server Groups tab, then click on the Selected Gateway Info tab to compare these two values.

Q1.
What is different in these two tabs' Server Group lists?

2. Hover your mouse over any red (!) exclamation points or red (x) in the list.

Q2. What are the error messages provided?

3. Review the drop-down selection list options within the Dashboard graphs.

Q3. List the 5 chart types available:
   1)
   2)
   3)
   4)
   5)

Q4. What does Alternate do?

5. Review the available options when a chart is right-clicked.
6. Under the Latest Alerts list, hover over the Severity color icons and the Type icons.
7. Left-click on one of the alert events and review the pop-up window contents.
8. Close the pop-up window.

Topic 2: Understanding Monitor > Alerts.

1. Browse to Main > Monitor > Alerts.
2. Use both Clear buttons (Quick Filter and Advanced) to remove any existing filters.
3. Sort the Alert List pane by # so that the largest number of aggregated events is on top.
4. Click the Suspicious Response Code Alert from the list pane.

   (Screenshot: Alert details for "Suspicious Response Code": Aggregated from ..., Alert aggregated by: ..., Statistical Information with magnifying glass icons, Additional Violations, and the source details.)

5. Using the information in the Detail pane, explore the following buttons and links and answer general questions about this Alert Aggregation.

Q5. What does clicking the pen (edit) icon do?
Q6. What does clicking the exclamation point icon do?
Q7. What does clicking the (Policy Description) link do?
Q8. What does clicking the name of the policy do?
Q9. What types of pop-up windows appear when the various magnifying glass icons under "Statistical Information" are clicked?
Q10. Why is the "Alert aggregated by:" information important?

6. Expand (+) one of the Violation details.

Q11. Why is the section "Additional Violations" important and how do they relate to the Alert that you are currently reviewing?

Q12. What options are available under the large Save As button (top-right corner of the screen)?
   1)
   2)
   3)

Topic 3: Practice Alert Filtering.

1. Use both Clear buttons to remove any existing filters.
2. Use the Quick Filter to search for the word "Multiple".

Tips: In a production environment, the word "multiple" can help you focus on a slightly more important category of events that will help reduce the overall event tuning more quickly.

3. Without clearing the filter, open the Basic Filter > By Alert Type category and check Signature.
4. Click Apply.

Q13. Is the Quick Filter still applied or is only the Basic Filter applied?

5. Open the Basic Filter > By Source IP category and add:
   Operation: Equals
   Value: 192.168.53.100
6. Click Apply.
7. Click Save.
8. Name the saved filter Signature Alerts from VedaDB and click Save again.
9. Click the Clear button to clear your filter.
10. Open the Saved Filters tab and click on the name of the filter just created.

Topic 4: Practice marking alerts for future review and/or collaborative actions.

1. Left-click, then right-click on your most recent cmd.exe signature alert in the list pane.
2. Choose Mark as Dismissed.
3. Left-click, then right-click on a different cmd.exe signature alert.
4. Choose Mark as Unread.
5. Log out from the SecureSphere GUI.
6. Log in as admini with the same password as admin (1qa2wsx).
7. Browse to Main > Monitor > Alerts and open the Saved Filters tab.
8. Left-click on Signature Alerts from VedaDB. Notice that the read/unread alerts are the same for both users.
9. Notice that the "dismissed" alert icon appears on one of the alerts.
10. Right-click on Signature Alerts from VedaDB.

Q14. What options are available?
   1)
   2)

Topic 5: Understand the ability to delete Alert Aggregation rows from the Monitor > Alerts page.

1. Click on the Basic Filter tab and then click Clear filter.
2. Then check Dismissed under the By Alert Flag filter category.
3. Click Apply.
4. Verify that there is only one alert after applying the filter (ignore more aggregated violations in the same alert line).
5. From the Details pane, make a note of the Event Time for this Violation:
6. Because we know that this alert was generated by our own personal testing, we can delete this alert from the system.
7. Click Actions > Delete Filtered Alerts.

Tips: At first glance, the ability to delete alerts may appear to be an audit integrity concern. However, we are about to explore an important distinction between "Alerts" (which are aggregated groups of violations) and "Violations" (which are a record of the individual events).

Topic 6: Understanding Violations.

1. Browse to Main > Monitor > Violations.
2. Open Basic Filter > By Alert Type and check Signature.
3. Open the Basic Filter > By Source IP category and add:
   Operation: Equals
   Value: 192.168.53.100
4. Click Apply.
5. Sort the list pane columns by Time so that the most recent signature violation is on the top of the list by clicking the word Time until the single red arrow points down.
6. Review the last few cmd.exe violations' Event Details and verify that the "deleted" alert aggregation did NOT also delete the Violation Event.

Topic 7: Understanding the Violation details.

1. From Main > Monitor > Violations, click the Clear buttons to remove any existing filters.
2. Expand the By Type category under the Basic Filter tab and check Signature.
3. Click Apply.
4. Select any of the available signature violations from the list pane to review the details pane information.

Q15. What do the three action buttons in the violation details pane allow you to accomplish?
Q16. What does the yellow highlighted data section attempt to show you (best effort)?

5. From the By Alert Type filter category, uncheck Signature and check Profile instead.
6. Click Apply.
7. Log out as admini.
8. Log in as admin.

Q17. What tuning icon exists in a profile violation which was NOT seen under a signature violation? Flip between two violations to see the change if needed.
Q18. What view does the magnifying glass icon open in a profile violation that is different than a signature violation?

Tips: The plus icon for adding a detail to a profile configuration is different from adding an exception to a security rule violation. While similar, the two actions are quite different. This concept will be discussed in more detail in both the WAF and DB profiling and tuning lessons.

Q&A Key: Lab 8: Monitoring

Q1: One server group does not have a protected IP defined; thus, it has no protecting gateway group defined. This unprotected Server Group drops from the selected gateway list.
Q2: Not running and missing private key.
Q3: 1. CPU Load, 2. Hits/sec, 3. Connections/sec, 4. Throughput, 5. Alerts per Severity.
Q4: Alternate rotates two graph measurements every selected timeframe.
Q5: Opens the policy that generated the alert/violation.
Q6: Provides an explanation of the alert/violation.
Q7: Opens a pop-up window with a description.
Q8: Opens a pop-up window to the policy itself (same as the pencil icon).
Q9: Pie and graph chart analysis.
Q10: "Alert aggregated by" explains by what criteria the listed violations have been grouped together in this single alert.
Q11: Aggregation groups similar violations in the same alert. However, it may be important to know what other violations occurred in the context of this same source packet or session. It helps confirm real attacks versus false positive alerts.
Q12: Export the currently filtered alerts list to PDF, Alerts CSV, and CSV formats.
Q13: Only one filter method can be applied at one time.
Q14: Edit and Delete.
Q15: Information, go to contributing configuration (signature or profile), add an exception.
Q16: Highlights the string in the packet that represents the violation.
Q17: (+) add to profile.
Q18: The magnifying glass icon is a link to the profile.

Lab 9: Reporting

Goal: In this lab, you will use SecureSphere's reporting platform to generate a summary violations report and two system events reports.

Topics:
1. Create a yearly tuning summary report.
2. Create a weekly System Events report.
3. Create a report based on the Weekly System Events Summary that will drill down into "User" details.

Tips: When reporting in a lab environment, it may sometimes be necessary to use the "Time Frame" criteria in addition to the "Last Few Days" criteria if you are missing required events from today. If needed, create a timeframe selection that reports on the number of days required through tomorrow in order to be sure to collect all of today's events (not just until midnight the previous day). Sometimes changing the "Last Few Days" data scope generates a validation error. To fix it: 1) change to 7 and save; 2) re-add the desired value and save.

Topic 1: Create a yearly tuning summary report.

1. From Client PC, connect to SecureSphere using Firefox.
2. Browse to Main > Reports > Manage Reports and click the create new icon and select Alerts.
   Name: Yearly Tuning Report Summary
   Radio: From Scratch
3. Click Create.
4. Leave the "General Details" tab default, for now.
5. Open the Data Scope page tab.
6. Use the + expand and green arrow select icons to define the following match criteria:
   Last Few Days: 365
7. Be sure that the criteria has been moved up to the "Enabled Fields" section.
8. Click Save.
9. Configure the Tabular View to remove the table:
   a. On the Tabular page tab, uncheck the Tabular View option.

   (Screenshot: Report: Yearly Tuning Report Summary; page tabs General Details | Data Scope | Tabular | Data Analysis Views | Scheduling; Tabular View option unchecked.)

Tips:
- As a Summary Report it will only contain graphs. Tabular data is useful for more detailed reporting and reviews.
- A "yearly" report is a lab-based unrealistic example. In production, tuning reports should be run daily for the first few weeks and then weekly after most tuning has been completed.

10. Click on the Data Analysis Views page tab in order to configure the report graphs.
11. Check all 5 Data Analysis View boxes and fill in the details as follows:
   a. View 1
      Title: Top 10 Server Group event distribution
      Chart Type: Pie
      X-Axis: Server Group
      Y-Axis: Num. of Events
   b. View 2
      Title: Top 10 events by Alert Name
      Chart Type: Pie
      X-Axis: Alert Name
      Y-Axis: Num. of Events
   c. View 3
      Title: Top 10 Source IPs
      Chart Type: Pie
      X-Axis: Source IP
      Y-Axis: Num. of Events
   d. View 4
      Title: Distribution of events by Severity
      Chart Type: Pie
      X-Axis: Severity
      Y-Axis: Num. of Events
   e. View 5
      Title: Top 10 events related to ThreatRadar
      Chart Type: Pie
      X-Axis: ThreatRadar service
      Y-Axis: Num. of Events
12. Click Save.
13. Select Actions > Run Report.
14. Download the report and view it in Adobe PDF viewer.

Tips: Real-world suggestion (not required in lab): Edit, save, and re-run the report until you are satisfied with the content and the view. Schedule and define followed actions later.
During the Tuning lab, we will re-visit this basic summary report and practice using it for production tuning.

Topic 2: Create a weekly System Events report.

1. Browse to Main > Reports > Manage Reports and click the create new icon and select System Events.
   Name: Weekly System Events Summary
   Radio: From Scratch
2. Click Create.
3. Leave the "General Details" tab default, for now.
4. Open the Data Scope page tab.
5. Use the + expand and green arrow select icons to define the following match criteria:
   Last Few Days: 7
6. Be sure that the criteria have been moved up to the "Enabled Fields" section.
7. Open the Tabular View to remove the table:
   a. On the Tabular page tab, uncheck the Tabular View option.
8. Open the Data Analysis Views to add relevant graphs:
9. Check only one Data Analysis View box and fill in the details as follows:
   a. View 1:
      Title: Count of System Events by Subsystem
      Chart Type: Pie
      X-Axis: Subsystem
      Y-Axis: Occurrences
10. Click Save.
11. Select Actions > Run Report.
12. Download the report and view it.

Topic 3: Create a report based on the Weekly System Events Summary to allow drill-down into "User" details.

1. Browse to Main > Reports > Manage Reports and click the create new icon and select System Events.
   Name: System Events Analysis - User Subsystem
   Radio: Use Existing
   Drop-down: Weekly System Events Summary
2. Click Create.
3. Leave the "General Details" tab default, for now.
4. Open the Data Scope page tab.
5. Use the + expand and green arrow select icons to define the following match criteria:
   Last Few Days: 7
   Subsystem: User
6. Be sure that both criteria have been moved up to the "Enabled Fields" section.
   (Screenshot: page tabs General Details | Data Scope | Tabular | Data Analysis Views | Scheduling; Data Scope filter with Enabled Fields: By Last Few Days, Subsystem (Predefined Values: User).)

7. Open the Tabular View in order to configure the relevant tables:
8. On the Tabular page tab, check the Tabular View option.
   Note: As an "Analysis Report" it will contain both data and graphs.
9. Move the following Available Columns to the Selected field using the right-arrow icon:
   Severity
   Message
   Create Time
10. Add Sorting criteria:
   First By: Severity
   Then By: Message
11. Check Generate group headers.
12. Click Save.
13. Select Actions > Run Report.
14. Download the report and view it.

Q1. How did adding an additional Data Scope field change the content of the report?
Q2. Play with the filter options in the Reports List pane by checking/un-checking the Show Favorites and Show Enabled options. What do these options change?
Q3. Where is a report "enabled"? What type of user does it benefit for the administrator to "enable" a report?
Q4. How is a report added as a "favorite"? Who does it benefit to tag a report as a "favorite"?

Q&A Key: Lab 9: Reporting

Q1: Additional Scope fields make reports more narrowly defined.
Q2: The Show Favorites filter shows only my favorite reports. Show Enabled shows the globally enabled reports but not any other reports.
Q3: On the General Details tab of the report, by an "Administrator". It benefits all users who are not in the administrators group in Imperva since, if not enabled, they cannot see this report.
Q4: By right-clicking the report name in the list pane, or by creating the report yourself. The "favorite" option only impacts your own login.
Lab 10: Administration

Goal: In this lab, you will practice two common administrator tasks: User Management and SecureSphere Maintenance.

Topics:
1. Create a "Read Only" user and then test.
2. Edit the user object for additional privileges.
3. Configure an FTP archive Action Set to use for backups.
4. Configure a scheduled backup of the SecureSphere MX configuration and alerts using an FTP archive action.
5. Review additional maintenance options and MX table space.

Tips: Watch for available tips in the lab context.

Topic 1: Create a "Read Only" user and then test.

1. From Client PC, connect to SecureSphere using Firefox and browse to Admin > Users & Permissions.
2. Start by clicking the create button and select Create New User.
   Name: Amy
   Password: 1qa2wsx
   Authentication: SecureSphere
   Leave the Member Of area unchanged.
3. Click Create.
4. Log out as admin.
5. Log in as Amy / 1qa2wsx.
6. Browse to Main > Policies > Security.
7. Attempt to create a new policy by selecting the Create icon, defining a name and type, and then clicking the Create button.

Q1. What error message do you get?

Topic 2: Add selected rights to the Amy user object and retest.

1. From Client PC, log out as Amy.
2. Log in as admin.
3. Browse to Admin > Users and Permissions.
4. Select the user Amy.
5. Open the Permissions page tab.
6. On the Users & Permissions menu, scroll down to the Permissions section.
7. The top-level blue checkbox cannot be edited. You will need to expand the folders to select the underlying folders. Click on each folder to expand it, and then click on every internal item and click the corresponding View checkbox.

   (Screenshot: Permissions tree (Server Discovery and the other categories) with View / Edit / Create / Delete checkbox columns per item.)
8. When you are done, verify that all folders show a check in the View column, indicating the sub-options have all been selected.

   (Screenshot: Permissions tree with the View column checked for every category, e.g. Scan Types, Subsystems, Global Objects.)

9. Click on the Navigation tab.
10. Edit the navigation locations to give access to all sections of the GUI except for "Dashboard", "Alerts" and "System Events".

   (Screenshot: User Amy, Navigation tab with the section checkboxes.)

11. Click Save.
12. Log out as admin.
13. Log in as Amy.
14. Try to browse to the Admin workspace.
15. Try to browse to Main > Monitor > Alerts.
16. Browse to Main > Reports > Manage Reports.

Q2. What list pane filter option does not exist for a non-administrator user under "Manage Reports"?

Topic 3: Configure an FTP archive Action Set to use for backups.

1. Use tabbed browsing in CloudShare or select the appropriate VM to access the Veda DB environment to verify that FTP Server is running.
   a. Double-click the FileZilla Server icon in the Windows System Tray.
   b. If the icon is not in the system tray, double-click the application shortcut on the desktop.
   c. Verify that the status shows "Ready".
2. Return to the Client PC environment and open the SecureSphere GUI.
3. Be sure you are logged in as admin.
4. Create an Archival Action Set to use for Backups.
   a. Browse to Main > Policies > Action Set and create a new action set.
      Name: FTP Backup
      Event Type: Archiving
   b. Once created, highlight the FTP Backup action set.
   c. Move FTP > Archive to a FTP Location from the "Available Action Interfaces" list up to the "Selected Actions".
   d. Expand (+) the Action Interface and define it:
      Name: FTP to Veda_DB C:\Inetpub\ftproot\backup\
      Host: 192.168.53.100
      Port: 21
      Remote Directory: /backup
      Username: anonymous
      Password: [email protected]
   e. Click Save.
Topic 4: Configure a scheduled backup of the SecureSphere MX configuration and alerts using an FTP archive action.

1. Browse to Admin > Maintenance > Export System.
2. Select the FTP Backup from the Archiving Action drop-down menu.
3. Schedule it to run monthly.
4. Pick any Starting From date and At Time in the past.
5. Click Save (before the next step).
6. Run a full system export by clicking Export Now.

Tips: This will take several minutes to complete depending on available resources and the size of the export. You can check the status by browsing to Admin > Job Status and selecting the scheduled backup. You can also check the detailed progress from the command line using the "server log" if you think it may be taking too long. The GUI method to "Export System" always includes the Alert data, which can produce a large file. The command line allows you to exclude the alerts using the "full_expimp.sh" script.

7. Verify that the backup file appears in the archive location:
8. C:\Inetpub\ftproot\backup\*.tgz

Topic 5: Review additional maintenance options.

1. Browse to Admin > Maintenance > Reports Archive.
2. Browse to Admin > Maintenance > System Events Archive.
3. Notice the MX table space graph indicator.

Q3. How much Oracle table space is available for System Events storage on the MX?

4. Browse to Admin > Jobs Status and select the Exporting Full System filter. On the Full System Export job, open the Execution History tab.
5. Review the details of past events (success and fail, if any).

Q&A Key: Lab 10: Administration

Q1: Error: you do not have permission to perform this action. Please contact the administrator for details.
Q2: Show Enabled.
Q3: 2,048 MB
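A check for Topic 4's final step (confirming that the export actually landed in the archive directory and is readable), as an added Python example rather than anything from the manual or the product. It takes the archive directory (the lab's C:\Inetpub\ftproot\backup\) and the schedule interval as parameters and goes beyond the "file appears" check by reading the whole gzip tar, which catches a truncated transfer. The make_sample_archive() helper and its file name and contents are constructed stand-ins for a real MX export so the check can be exercised offline.

```python
# Added example for this manual (not SecureSphere code): verify that the scheduled
# "Export System" archive landed and is a readable gzip tar. The directory and the
# schedule interval are parameters; make_sample_archive() builds a constructed
# stand-in for a real MX export so the check can be exercised offline.
import glob
import io
import os
import tarfile
import tempfile
import time
import zlib


def newest_archive(directory):
    """Path of the most recently modified *.tgz in the directory, or None."""
    files = glob.glob(os.path.join(directory, "*.tgz"))
    return max(files, key=os.path.getmtime) if files else None


def archive_is_readable(path):
    """True when every member header can be read and the archive is not empty."""
    try:
        with tarfile.open(path, "r:gz") as archive:
            return len(archive.getnames()) > 0    # walks every header; truncation or corruption raises
    except (tarfile.TarError, OSError, EOFError, zlib.error):
        return False


def check_backup(directory, max_age_seconds, now=None):
    """Report whether a fresh, readable archive exists. max_age_seconds is the schedule
    interval (e.g. 31 days for the monthly schedule in Topic 4) plus any slack you allow."""
    now = time.time() if now is None else now
    path = newest_archive(directory)
    if path is None:
        return {"ok": False, "reason": "no .tgz archive present", "path": None}
    age = now - os.path.getmtime(path)
    if age > max_age_seconds:
        return {"ok": False, "reason": f"newest archive is {age / 86400:.1f} days old", "path": path}
    if not archive_is_readable(path):
        return {"ok": False, "reason": "archive is not a readable gzip tar", "path": path}
    return {"ok": True, "reason": "ok", "path": path}


def make_sample_archive(directory, name="sample-export.tgz"):
    """Constructed stand-in for an MX export: a tiny tgz with one member. Returns its path."""
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, name)
    with tarfile.open(path, "w:gz") as archive:
        payload = b"<config/>"            # constructed content, not a real export
        info = tarfile.TarInfo("config.xml")
        info.size = len(payload)
        archive.addfile(info, io.BytesIO(payload))
    return path


def demo():
    """Exercise the check in a temporary directory; returns the 'ok' flag for four states:
    empty directory, fresh archive, stale archive, corrupt newest archive."""
    directory = tempfile.mkdtemp()
    month = 31 * 86400
    results = [check_backup(directory, month)["ok"]]
    path = make_sample_archive(directory)
    results.append(check_backup(directory, month)["ok"])
    results.append(check_backup(directory, month, now=os.path.getmtime(path) + 40 * 86400)["ok"])
    corrupt = os.path.join(directory, "corrupt.tgz")
    with open(corrupt, "wb") as handle:
        handle.write(b"this is not a gzip archive")          # constructed bad file
    os.utime(corrupt, (os.path.getmtime(path) + 60,) * 2)    # make it the newest file
    results.append(check_backup(directory, month)["ok"])
    return results


if __name__ == "__main__":
    print(demo())   # [False, True, False, False]
```

Pointing check_backup() at the real archive directory with a max age a little over the schedule interval gives a single pass/fail you can run from a job scheduler; the "reason" field says whether the export is missing, stale or unreadable, which are the three ways a monthly backup silently stops being useful.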
