DenyAll WAF User guide for AWS Version 5.5

10/29/2015

Summary

1. About this document
   1.1 Purpose
2. Getting started
   2.1 Introduction
   2.2 AMI description
   2.3 Requirements
3. Create an instance
   3.1 Subscribe to DenyAll WAF AMI
   3.2 Create an instance from the AWS Marketplace using “1-click launch”
   3.3 Create an instance from the EC2 console
4. Access the instance
   4.1 Access the GUI
   4.2 Access the instance through SSH
5. Use the software
   5.1 BYOL model
   5.2 Change the default password

1. About this document

1.1 Purpose

This document describes how to configure DenyAll Web Application Firewall on Amazon’s Cloud (AWS).

2. Getting started

2.1 Introduction

DenyAll Web Application Firewall provides a multilayered approach to security services to dynamically detect and block malicious content while efficiently passing benign traffic through.

This all-in-one solution protects and manages multiple security solutions - Web Application Firewall, Web Services Firewall and Web Access Management - in a single management console (centralized administration station, monitoring, reverse proxy, etc.). The platform also provides cache, acceleration and optimization of your web traffic.

DenyAll WAF integrates three modules:

1. Web Application Firewall (WAF): to protect the web applications vital to every business against external threats and to assure continuous service.
2. Web Services Firewall (WSF): to protect the infrastructure, information networks and application servers against attacks while preventing denial of service and anticipating traffic overload.
3. Web Access Management (WAM): to simplify Web access authentication while maintaining a high level of security, without agent deployment on the application server.

2.2 AMI description

The DenyAll WAF AMI (version 5.5) relies on a x86_64 architecture and a 6.0.10.

This stack supports all HVM instance types.

2.3 Requirements

In order to install DenyAll WAF on Amazon EC2, you will need an Amazon Web Services (AWS) user account to subscribe to the DenyAll WAF AMI you want to use. If you do not have an AWS account yet, click “Create a new account” at the top of the page. Account activation only takes a minute.

DenyAll WAF – release notes 10/29/2015 3/9

DenyAll WAF installation requires a minimum of 1 CPU (or virtual core), 2 GB RAM and 32 GB of Hard Disk.

Therefore, the installation is supported on all instance types compatible with HVM 64 bits. In particular, we recommend using the m3/m4 or c3/c4 instance types, with a standard EBS volume of 32 GB.

DenyAll WAF is administered using a GUI that requires Java to be installed on the client device.

3. Create an instance

3.1 Subscribe to DenyAll WAF AMI

In order to use DenyAll WAF on Amazon EC2, you first need to connect to AWS with your account and visit the DenyAll WAF AMI page [1] at the AWS Marketplace. This page summarizes the product information, the license agreement, maintenance & support policies and links to a few external resources.

Once ready, subscribe to our AMI by clicking the button.

Note: AWS IAM users are not currently supported in AWS Marketplace. An AWS admin from your organization may need to perform the act of subscribing to the AMI using a direct AWS account. Then the AMI will become visible to you in the AWS Management Console, and you will be able to launch it using your AWS IAM credentials.

3.2 Create an instance from the AWS Marketplace using “1-click launch”

In order to create an instance, select the “1-click launch” tab.

Then, in this tab, select the appropriate configuration of the instance:

- We recommend you use the latest version of the software. However, you may wish to instantiate an older version.
- Select the EC2 region where the AMI will be instantiated.
- Choose an instance type. See the best practices described in chapter 2.3.
- The security group needs to be set to allow the administrator to access the GUI (on port 3001/tcp) and the Linux shell via SSH (22/tcp), as illustrated below. For all visitors of the protected web applications, open the appropriate HTTP port(s), for instance 80/tcp.

[1] https://aws.amazon.com/marketplace/pp/B0176XF11G


- Finally, select the SSH key pair to access the file system.

Once the instance is configured, click this button to launch it:

3.3 Create an instance from the EC2 console

You can also select the AMI from the EC2 console.

To do so, first go to the EC2 Management Console and then click “Sign in to the AWS Console” to connect to your EC2 console.

Then, launch a new instance, by either:

- clicking the button under “Create Instance” on the EC2 Console Dashboard;
- navigating to the Instances menu and clicking the button under My Instances.

Then:

- Filter “Marketplace images” on “All Platforms” and search for “denyall” in the field provided. Select the DenyAll WAF product and click the button.
- Follow the Wizard to configure your instance.
- The last step requires editing the security groups. You should only authorize the networking flows that are required to and from the instance. You must at least activate the access to the GUI (3001/tcp) from your IP (or through a bastion).

Here is an example configuration:

Finally, review and launch your instance.
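The security-group guidance above (GUI on 3001/tcp and SSH on 22/tcp reachable only from the administrator's address or a bastion, HTTP open to visitors) can be checked mechanically. The following is an added example, not part of DenyAll's guide: a Python audit over ingress rules in the `IpPermissions` shape returned by `aws ec2 describe-security-groups`. The sample rules, the function names and the 256-address threshold are assumptions made for illustration.

```python
import ipaddress

# Administration ports named in this guide; 80/tcp is intentionally public.
ADMIN_PORTS = {3001: "GUI", 22: "SSH"}

def covers(perm, port):
    """True if an IpPermissions entry applies to the given TCP port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "-1" means all protocols and all ports
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def sources(perm):
    """Yield every CIDR source of the entry (IPv4, then IPv6).
    Rules that reference another security group (e.g. a bastion) are not CIDRs
    and are left alone."""
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]

def audit(permissions, max_admin_hosts=256):
    """Return findings for admin ports reachable from overly broad sources.
    max_admin_hosts is an assumed threshold: anything wider than a /24."""
    findings = []
    for perm in permissions:
        for port, name in ADMIN_PORTS.items():
            if not covers(perm, port):
                continue
            for cidr in sources(perm):
                net = ipaddress.ip_network(cidr, strict=False)
                if net.num_addresses > max_admin_hosts:
                    findings.append(f"{name} ({port}/tcp) open to {cidr}")
    return findings

# Constructed sample: HTTP public, GUI restricted, SSH wrongly left open.
SAMPLE = [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3001, "ToPort": 3001,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

To audit a real group, pass the `IpPermissions` list of one entry from the `describe-security-groups` JSON output to `audit()`.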


4. Access the instance

4.1 Access the GUI

Once the instance is displayed as “running” and the status checks have passed, you can connect to the GUI using the Java client.

Note: you may need to wait a few minutes after the instance reaches the “running” state and the checks have passed, because the software is installed at first boot, which requires a few minutes.

You can download the latest Java Administration Interface on DenyAll’s customer area.

Note: if you do not have access to your customer area, please contact your partner or account manager at DenyAll.

Once the Java client is installed, connect to the GUI using the “admin” login and the instance id as password. You can retrieve the instance id from the AWS console:


4.2 Access the instance through SSH

You can log in to the instance via SSH (22/tcp) with any SSH client, using the “admin” login and your SSH private key.

Once logged in, you will get a TUI (Text User Interface) to let you access a small set of commands.


5. Use the software

5.1 BYOL model

The AMI implements the Bring Your Own License model, i.e. you will need to contact your sales partner or DenyAll account manager to buy a license and activate the software.

Once you have your license, please follow the administration guide to install the license in the instance.

5.2 Change the default password

Although the instance id is quite unpredictable, we recommend you change the instance password to the password of your choice.

In order to change the default password (set as the instance id), please follow the administration guide.


Headquarter

6 avenue de la Cristallerie 92310 Sèvres - FRANCE

Tel : +33 (0)1 46 20 96 00 Fax : +33 (0)1 46 20 96 02


www.denyall.com