Web Server Security URL Hardening Questions

UTM Firewall requires membership for participation - click to join

Thread Info

State Not Answered
Locked Locked
Replies 12 replies
Subscribers 1 subscriber
Views 11654 views
Users 0 members are here

Options

Suggested

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

URL Hardening Questions

tomtomtom over 12 years ago

I have set up WAF in the following way:

1. virtual webserver:

Domains: domain.com
Real Web Servers: Lotus Domino Server
Firewall Profile: Advanced Protection (with URL hardening)

2. real webserver:

name: Lotus Domino Server
host: an internal host (external access via DNAT)

3. firewall profiles:

Advanced with URL hardening.

For testing purposes I have entered only "www.domain.com" in URL hardening.

I tried to open "domain.com/otherthings" directly and this still works. I thought URL hardening would disable the direct access to URLs not entered in the "Entry URL"-list

Do I missunderstand URL hardening or is it the DNAT which does not work with WAF?

This thread was automatically locked due to age.

Parents

0 BAlfson over 12 years ago

That's a good question, Brian, and, in fact, that rule is one that's meant to help people stay out of trouble.

Your need is more sophisticated, and, in fact, you can write a firewall rule that's applied before proxies. The trick is to use the "(Address)" object created by WebAdmin when you define an Interface or an Additional Address.

With, for example, an Additional Address of "Card Auth" on the External interface, use "External [Card Auth] (Address)" as the 'Destination' in the traffic selector portion of the rule. The rule then will apply to the INPUT chain and be processed before the traffic gets to the WAF.

So, you would have a rule like '{group of allowed IPs} -> HTTPS -> External [Card Auth] (Address) : Allow' followed by a similar Drop rule for "Any" traffic arriving.

Is that what you were trying to accomplish?

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BAlfson over 12 years ago

That's a good question, Brian, and, in fact, that rule is one that's meant to help people stay out of trouble.

Your need is more sophisticated, and, in fact, you can write a firewall rule that's applied before proxies. The trick is to use the "(Address)" object created by WebAdmin when you define an Interface or an Additional Address.

With, for example, an Additional Address of "Card Auth" on the External interface, use "External [Card Auth] (Address)" as the 'Destination' in the traffic selector portion of the rule. The rule then will apply to the INPUT chain and be processed before the traffic gets to the WAF.

So, you would have a rule like '{group of allowed IPs} -> HTTPS -> External [Card Auth] (Address) : Allow' followed by a similar Drop rule for "Any" traffic arriving.

Is that what you were trying to accomplish?

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data