Dell SMA 200 Administration Manual page 65

Slowloris Protection
In addition to the top ten threats listed previously, Web Application Firewall protects against Slowloris HTTP
Denial of Service attacks. This means that Web Application Firewall also protects all the backend Web servers
against this attack. Many Web servers, including Apache, are vulnerable to Slowloris. Slowloris is especially
effective against Web servers that use threaded processes and limit the amount of threading allowed.
Slowloris is a stealthy, slow-acting attack that sends partial HTTP requests at regular intervals to hold
connections open to the Web server. It gradually ties up all the sockets, consuming sockets as they are freed up
when other connections are closed. Slowloris can send different host headers, and can send GET, HEAD, and
POST requests. The string of partial requests makes Slowloris comparable to a SYN flood, except that it uses
HTTP rather than TCP. Only the targeted Web server is affected, while other services and ports on the same
server are still available. When the attack is terminated, the Web server can return to normal within as little as
5 seconds, making Slowloris useful for causing a brief downtime or distraction while other attacks are initiated.
After the attack stops or the session is closed, the Web server logs can show several hundred 400 errors.
For more information about how Web Application Firewall protects against the OWASP top ten and Slowloris
types of attacks, see How Does Web Application Firewall Work? on page 66.
Offloaded Web Application Protection
Web Application Firewall can also protect an offloaded Web application that is a special purpose portal created
to provide seamless access to a Web application running on a server behind the SMA/SRA appliance. The portal
must be configured as a virtual host. It is possible to disable authentication and access policy enforcement for
such an offloaded host. If authentication is enabled, a suitable domain needs to be associated with this portal
and all Dell SonicWALL advanced authentication features such as One Time Password, Two-factor
Authentication, and Single Sign-On apply to the offloaded host.
Application Profiling
Application Profiling (Phase 1) allows the administrator to generate custom rules in an automated manner based
on a trusted set of inputs. This is a highly effective method of providing security to Web applications because it
develops a profile of what inputs the application accepts. Everything else is denied, providing positive
security enforcement. This results in fewer false positives than generic signatures that adopt a negative security
model. When the administrator places the device in learning mode in a staging environment, the SMA/SRA
appliance learns valid inputs for each URL accessed by the trusted users. At any point during or after the
learning process, the custom rules can be generated based on the "learned" profiles.
Rate Limiting for Custom Rules
You can track the rate at which a custom rule, or rule chain, is being matched. This is extremely useful for blocking
dictionary attacks or brute force attacks. The action for the rule chain is triggered only if the rule chain is
matched as many times as configured.
Cookie Tampering Protection
Cookie Tampering Protection is an important item in the Payment Card Industry Data Security Standard (PCI DSS)
section 6.6 requirements and part of the Web Application Firewall evaluation criteria that offers strict security
for cookies set by the backend Web servers. Various techniques such as encryption and message digest are used
to prevent cookie tampering. See Configuring Cookie Tampering Protection Settings on page 283 for additional
information.
Credit Card and Social Security Number Protection
Credit Card/SSN protection is a Data Loss Prevention technique that ensures that sensitive information, such as
credit card numbers and Social Security numbers, is not leaked within Web pages. After such leakage is
detected, the administrator can choose to mask these numbers partially or wholly, present a configurable error
page, or simply log the event. See Configuring Information Disclosure Protection on page 285 for additional
information.
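The detect-then-act flow described above, sketched as an added example. This is not the appliance's implementation: the patterns, the Luhn filter, the function names and the sample body are assumptions made for illustration, and it covers partial masking, whole masking and log-only, not the error page.

```python
import re

# Candidate card numbers: 13-19 digits, optionally split by single spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Assumption: only the common US layout AAA-GG-SSSS is treated as an SSN.
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")

# Constructed sample body: Luhn-valid test card, SSN-shaped value, non-Luhn tracking number.
SAMPLE = ("Order 1001: card 4111 1111 1111 1111, SSN 078-05-1120, "
          "tracking 1234567890123456.")


def luhn_valid(digits):
    """Luhn checksum; filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def mask_digits(text, keep_last):
    """Replace digits with 'X', preserving separators and the last keep_last digits."""
    remaining = sum(c.isdigit() for c in text)
    out = []
    for c in text:
        if c.isdigit():
            out.append(c if remaining <= keep_last else "X")
            remaining -= 1
        else:
            out.append(c)
    return "".join(out)


def protect(body, mode="partial"):
    """Return (body, events); mode is 'partial', 'full' or 'log' (detect only)."""
    events = []
    keep = 4 if mode == "partial" else 0
    def handler(kind, is_real):
        def repl(m):
            if not is_real(re.sub(r"\D", "", m.group())):
                return m.group()  # looks like a number but is not one; leave it
            events.append((kind, m.start()))
            return m.group() if mode == "log" else mask_digits(m.group(), keep)
        return repl

    body = CARD_RE.sub(handler("card", luhn_valid), body)
    body = SSN_RE.sub(handler("ssn", lambda digits: True), body)
    return body, events
```

The Luhn check is what keeps the 16-digit tracking number in the sample from being masked, which is the kind of false positive a pattern-only match would produce.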
Web Site Cloaking
Web Site Cloaking prevents guessing the Web server implementation and exploiting its vulnerabilities. See
Configuring Web Site Cloaking on page 284 for additional information.
Dell SonicWALL Secure Mobile Access 8.5 Administration Guide, page 65

This manual is also suitable for: SMA 400, SRA 1600, SRA 4600, SMA 500v
