
Limit Web Application Security to a group of IP

Hi,

I use Web Application Security as a Reverse Proxy. I need to limit only one external IP or a group of IPs to use this feature. I don't want any other IPs to be able to reach the destination server.

Is there a solution?

Thanks in advance

  • There currently isn't the means to set WAS/WAF for use by specific hosts or networks, but both IIS and Apache have the means to limit connections by these criteria.  There is currently a feature request for this ability that you can add points to.  Allow or block certain ip's to the webserver
    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1
  • I understand, but it may be useful to use the WAF to redirect web traffic to external web pages where I have no control.
  • Well, there is a work-around, but it's a bit clumsy, at present.  I haven't tried this, but it should work.

    Use two DNATs, in this order:

    - 1: {group of allowed IPs} -> Web Surfing -> External [Additional] (Address) : DNAT -> External [Additional] (Address)

    - 2: Internet -> Web Surfing -> External [Additional] (Address) : DNAT -> {non-existent IP}

    I don't think the first rule creates an infinite loop, but, as I said, I haven't tried it.  The alternative that is messier still but I know will work is one rule like 2 above but with Internet replaced by {group of network definitions that include all IPs except the allowed IPs}.

    Please let us know if you tried either and if it worked.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
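    The two-DNAT ordering described in Bob's post, as an added example that is not from the thread or from Sophos: a small first-match model of the NAT table, with constructed addresses for the external WAF address, the allowed group and the "non-existent" blackhole target. It assumes first-match evaluation, which is also what makes the rule order matter.

```python
from ipaddress import ip_address, ip_network

# Constructed sample values (not from the thread): the UTM's external
# address and the source group that may reach the WAF.
EXTERNAL = "198.51.100.10"
ALLOWED = [ip_network("203.0.113.0/24"), ip_network("192.0.2.7/32")]
ANY = [ip_network("0.0.0.0/0")]          # the "Internet" definition
BLACKHOLE = "10.255.255.254"            # the "{non-existent IP}" of rule 2

def dnat_rule(sources, dest, translate_to):
    """One DNAT rule: source group + original destination -> new destination."""
    return {"sources": sources, "dest": ip_address(dest), "to": translate_to}

# The work-around, in the order given in the post.
WORKAROUND = [
    dnat_rule(ALLOWED, EXTERNAL, EXTERNAL),  # rule 1: allowed group keeps its destination
    dnat_rule(ANY, EXTERNAL, BLACKHOLE),     # rule 2: everyone else is sent nowhere
]

def apply_dnat(rules, src, dst):
    """First-match evaluation (assumed): return where the packet is forwarded."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for rule in rules:
        if dst_ip == rule["dest"] and any(src_ip in net for net in rule["sources"]):
            return rule["to"]
    return dst  # no rule matched: destination unchanged

def reaches_waf(rules, src):
    """True when a client at `src` still ends up at the external WAF address."""
    return apply_dnat(rules, src, EXTERNAL) == EXTERNAL
```

    Swapping the two rules sends the allowed group to the blackhole as well, which is why rule 1 must come first.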
  • I've gone ahead with the suggested clumsy work-around and it's working. For clarification, is this work-around successful due to the ASG order of operations (nat > proxy > firewall > routing)?

    In essence, rule 1 passes allowed IPs through to the proxy, while rule 2 blackholes all additional requests?

    Does anyone have implementation guideline do's or don'ts on this that they'd be willing to share?
  • Darcym, don't forget to go vote for the feature request mentioned above at feature.astaro.com... My understanding is that Sophos/Astaro will be doing some work on the WAF feature in Version 9... Maybe if we get some votes down on that feature it'll happen sooner or later... I'll be tossing a few votes on it myself shortly.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Sophos Platinum Partner

    --------------------------------------

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • Darcym, don't forget to go vote for the feature request mentioned above at feature.astaro.com... My understanding is that Sophos/Astaro will be doing some work on the WAF feature in Version 9... Maybe if we get some votes down on that feature it'll happen sooner or later... I'll be tossing a few votes on it myself shortly.


    Already done under:
    Web Application Security: White / Blacklist Support for Visitor IP's
  • Good deal!  One of the best things Astaro has done is create that feature request site... And they definitely pay attention to it!