Dell SMA 200 Administration Manual page 67

How Does Cookie Tampering Protection Work?
How Does Application Profiling Work?
How Does Rate Limiting for Custom Rules Work?
How are Signatures Used to Prevent Attacks?
For Cross Site Scripting, Injection Flaws, Malicious File Execution, and Insecure Direct Object Reference
vulnerabilities, the Web Application Firewall feature uses a black list of signatures that are known to make Web
applications vulnerable. New updates to these signatures are periodically downloaded from a Dell SonicWALL
signature database server, providing protection from recently introduced attacks.
Figure 3. How signatures are used to prevent attacks
When input arrives from the Internet, Web Application Firewall inspects HTTP/HTTPS request headers, cookies,
POST data, query strings, response headers, and content. It compares the input to both a black list and a white
list of signatures. If pattern matching succeeds for any signature, the event is logged and/or the input is
blocked if so configured. If blocked, an error page is returned to the client and access to the resource is
prevented. The threat details are not exposed in the URL of the error page. If configured for detection only,
the attack is logged
but the client can still access the resource. If no signature is matched, the request is forwarded to the Web
server for handling.
Figure 4. What happens when no signature is matched
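The decision flow described above (match a signature, then block or only log, otherwise forward), as an added Python example that is not taken from the Dell SonicWALL guide or product. The signatures, the /blocked error URL and the request dictionary layout are constructed assumptions; white list handling is left out because the page does not say how it is evaluated.

```python
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import unquote_plus

# Constructed sample signatures; not the vendor's signature database.
SIGNATURES = {
    "xss-script-tag": re.compile(r"<\s*script\b", re.I),
    "sqli-union-select": re.compile(r"\bunion\b.+\bselect\b", re.I),
    "path-traversal": re.compile(r"\.\./"),
}
ERROR_URL = "/blocked"  # hypothetical error page; carries no threat details

@dataclass
class Verdict:
    action: str                       # "forward" or "block"
    error_url: Optional[str] = None   # set only when the request is blocked
    events: list = field(default_factory=list)  # (signature id, request part)

def request_parts(req):
    """Yield (part name, URL-decoded value) for every inspected request field."""
    for kind in ("headers", "cookies"):
        for name, value in req.get(kind, {}).items():
            yield f"{kind}:{name}", unquote_plus(value)  # decoding is a simplification
    for kind in ("query", "post"):
        yield kind, unquote_plus(req.get(kind, ""))

def inspect_request(req, mode="prevent"):
    """mode 'prevent' blocks on a match; mode 'detect' logs the match only."""
    if mode not in ("prevent", "detect"):
        raise ValueError("mode must be 'prevent' or 'detect'")
    events = [(sig_id, part)
              for part, value in request_parts(req)
              for sig_id, rx in SIGNATURES.items()
              if rx.search(value)]
    if events and mode == "prevent":
        # The client is sent to a fixed URL; match details stay in the log.
        return Verdict("block", ERROR_URL, events)
    # No match, or detection only: the request goes on to the Web server.
    return Verdict("forward", None, events)

# Constructed sample requests (query and POST data are URL-encoded).
CLEAN = {"headers": {"User-Agent": "demo-client/1.0"}, "cookies": {"sid": "abc123"},
         "query": "page=2", "post": ""}
SUSPECT = {"headers": {"User-Agent": "demo-client/1.0"}, "cookies": {"sid": "abc123"},
           "query": "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
           "post": "file=..%2F..%2Fetc%2Fpasswd"}
```

Matching runs on the decoded value, so the encoded sample request is still caught; in detection mode the same events are recorded but the verdict is "forward".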
Dell SonicWALL Secure Mobile Access 8.5 Administration Guide, page 67

This manual is also suitable for:

SMA 400, SRA 1600, SRA 4600, SMA 500v