Slowloris Protection; Offloaded Web Application Protection; Application Profiling; Rate Limiting For Custom Rules - SonicWALL SMA 400 Administration Manual

A2 - Injection Flaws: Injection flaws, particularly SQL injection, are common in Web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.

A3 - Malicious File Execution: Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise. Malicious file execution attacks affect PHP, XML and any framework which accepts filenames or files from users.

A4 - Insecure Direct Object Reference: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.

A5 - Cross Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable Web application that then forces the victim's browser to do a hostile action to the benefit of the attacker. CSRF can be as powerful as the Web application that it attacks.

A6 - Information Leakage and Improper Error Handling: Applications can unintentionally leak information about their configuration, internal workings, or violate privacy through a variety of application problems. Attackers use this weakness to steal sensitive data, or conduct more serious attacks.

A7 - Broken Authentication and Session Management: Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users' identities.

A8 - Insecure Cryptographic Storage: Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud.

A9 - Insecure Communications: Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.

A10 - Failure to Restrict URL Access: Frequently, an application only protects sensitive functionality by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and complete unauthorized operations by accessing those URLs directly.

Slowloris Protection

In addition to the top ten threats listed previously, Web Application Firewall protects against Slowloris HTTP Denial of Service attacks. This means that
Web Application Firewall also protects all the backend Web servers against this attack. Many Web servers, including Apache, are vulnerable to Slowloris.
Slowloris is especially effective against Web servers that use threaded processes and limit the amount of threading allowed.
Slowloris is a stealthy, slow-acting attack that sends partial HTTP requests at regular intervals to hold connections open to the Web server. It gradually ties
up all the sockets, consuming sockets as they are freed up when other connections are closed. Slowloris can send different host headers, and can send
GET, HEAD, and POST requests. The string of partial requests makes Slowloris comparable to a SYN flood, except that it uses HTTP rather than TCP.
Only the targeted Web server is affected, while other services and ports on the same server are still available. When the attack is terminated, the Web
server can return to normal within as little as 5 seconds, making Slowloris useful for causing a brief downtime or distraction while other attacks are initiated.
After the attack stops or the session is closed, the Web server logs can show several hundred 400 errors.
For more information about how Web Application Firewall protects against the OWASP top ten and Slowloris types of attacks, see How Does Web Application Firewall Work?.
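The Slowloris description above explains the attack but not the defence. The usual mitigation on a front end is to bound how long a connection may hold a slot without completing its request headers, and to cap concurrent connections per client address. The following is an added illustration of that policy (it is not SonicWall's implementation and does not describe what the appliance does internally); the FrontEnd class, the timeout and per-client limit values, the client addresses and the event timeline are all constructed for the example.

```python
"""Slow-header connection reaping, the standard defence against Slowloris.

Added illustration, not the appliance's code. It models a front end that
refuses to let partial requests hold server slots indefinitely: connections
whose headers are still incomplete after HEADER_TIMEOUT are closed, and one
client address may hold at most MAX_CONN_PER_CLIENT slots. All values below
are assumptions chosen for the example.
"""
from dataclasses import dataclass

HEADER_TIMEOUT = 10.0      # seconds allowed to finish the request headers (assumed)
MAX_CONN_PER_CLIENT = 20   # concurrent slots one client address may hold (assumed)


@dataclass
class Conn:
    client: str
    opened_at: float
    buf: bytes = b""
    headers_done: bool = False


class FrontEnd:
    """Tracks open connections and reaps those that never finish their headers."""

    def __init__(self, header_timeout=HEADER_TIMEOUT, max_per_client=MAX_CONN_PER_CLIENT):
        self.header_timeout = header_timeout
        self.max_per_client = max_per_client
        self.conns = {}      # connection id -> Conn
        self.closed = []     # (connection id or None, reason), kept for inspection
        self._next = 0

    def _count(self, client):
        return sum(1 for c in self.conns.values() if c.client == client)

    def open(self, client, now):
        """Admit a connection unless the client already holds its quota of slots."""
        if self._count(client) >= self.max_per_client:
            self.closed.append((None, f"refused:{client}:per-client-limit"))
            return None
        cid = self._next
        self._next += 1
        self.conns[cid] = Conn(client=client, opened_at=now)
        return cid

    def receive(self, cid, data, now):
        """Append received bytes; headers are complete once the blank line arrives."""
        conn = self.conns[cid]
        conn.buf += data
        if b"\r\n\r\n" in conn.buf:
            conn.headers_done = True

    def reap(self, now):
        """Close every connection whose headers are still incomplete past the timeout;
        returns the number of connections still open."""
        for cid, conn in list(self.conns.items()):
            if not conn.headers_done and now - conn.opened_at > self.header_timeout:
                del self.conns[cid]
                self.closed.append((cid, "header-timeout"))
        return len(self.conns)


def simulate():
    """Constructed timeline: one normal client plus one client that only ever
    sends header fragments and never the terminating blank line."""
    fe = FrontEnd()
    normal = fe.open("198.51.100.7", now=0.0)
    fe.receive(normal, b"GET / HTTP/1.1\r\nHost: app.example\r\n\r\n", now=0.1)
    slow = [fe.open("203.0.113.9", now=0.0) for _ in range(25)]
    slow = [cid for cid in slow if cid is not None]   # 20 admitted, 5 refused by the cap
    for cid in slow:
        fe.receive(cid, b"X-Keep: 1\r\n", now=5.0)     # partial header, request never completes
    open_before = fe.reap(now=8.0)    # nothing has exceeded the timeout yet
    open_after = fe.reap(now=12.0)    # every incomplete request is now reaped
    return {
        "refused": sum(1 for _, why in fe.closed if why.startswith("refused")),
        "open_before_timeout": open_before,
        "open_after_timeout": open_after,
        "reaped": sum(1 for _, why in fe.closed if why == "header-timeout"),
        "normal_still_open": normal in fe.conns,
    }


if __name__ == "__main__":
    print(simulate())
```

The point of the per-client cap is that it bounds the damage before the timeout expires; the point of the header timeout is that a slot is returned to the pool whether or not the peer ever closes. Apache's own mod_reqtimeout applies the same idea (a receive timeout for headers and body), which is why a front end that enforces it protects threaded back ends that cannot.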

Offloaded Web Application Protection

Web Application Firewall can also protect an offloaded Web application that is a special purpose portal created to provide seamless access to a Web
application running on a server behind the SMA/SRA appliance. The portal must be configured as a virtual host. It is possible to disable authentication and
access policy enforcement for such an offloaded host. If authentication is enabled, a suitable domain needs to be associated with this portal and all
SonicWall Inc. advanced authentication features such as One Time Password, Two-factor Authentication, and Single Sign-On apply to the offloaded host.

Application Profiling

Application Profiling (Phase 1) allows the administrator to generate custom rules in an automated manner based on a trusted set of inputs. This is a highly
effective method of providing security to Web applications because it develops a profile of what inputs are acceptable by the application. Everything else is
denied, providing positive security enforcement. This results in fewer false positives than generic signatures that adopt a negative security model. When the
administrator places the device in learning mode in a staging environment, the SMA/SRA appliance learns valid inputs for each URL accessed by the
trusted users. At any point during or after the learning process, the custom rules can be generated based on the "learned" profiles.

Rate Limiting for Custom Rules

You can track the rate at which a custom rule, or rule chain, is being matched. This is extremely useful to block dictionary attacks or brute force attacks.
The action for the rule chain is triggered only if the rule chain is matched as many times as configured.
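The two sentences above state the rule but not the mechanics. The following is an added example of a sliding-window match counter for a rule chain, triggering the chain's action only once the configured number of matches has been seen within the window for the same client; it is written here for illustration and is not the appliance's implementation. The rule chain definition, the threshold and window values, the client addresses and the log lines are all constructed.

```python
"""Rate limiting for a custom rule chain (sliding window).

Added illustration, not the appliance's implementation: the rule, the
threshold and window values and the log lines are all constructed. The
chain's action fires only once the chain has matched `threshold` times
within `window` seconds for the same client.
"""
from collections import defaultdict, deque


class RateLimitedChain:
    def __init__(self, name, threshold, window):
        self.name = name
        self.threshold = threshold      # matches required before the action triggers
        self.window = window            # seconds over which matches are counted
        self.hits = defaultdict(deque)  # client -> timestamps of recent matches

    def match(self, client, now):
        """Record one match; return True only when the configured rate is reached."""
        q = self.hits[client]
        q.append(now)
        while q and now - q[0] > self.window:   # drop matches that fell out of the window
            q.popleft()
        return len(q) >= self.threshold


def chain_matches(method, path, status):
    """Constructed rule chain: a failed POST to the login page."""
    return method == "POST" and path == "/login" and status == 401


# Constructed access-log lines: epoch seconds, client, method, path, status.
LOG = """\
1000 203.0.113.9 POST /login 401
1010 203.0.113.9 POST /login 401
1015 198.51.100.7 POST /login 401
1020 203.0.113.9 POST /login 401
1030 203.0.113.9 POST /login 401
1040 203.0.113.9 POST /login 401
1100 198.51.100.7 POST /login 401
1200 198.51.100.7 POST /login 200
"""


def run(log=LOG, threshold=5, window=60):
    """Replay the log and return (client, timestamp) pairs at which the
    chain's action would trigger."""
    chain = RateLimitedChain("login-bruteforce", threshold, window)
    triggered = []
    for line in log.splitlines():
        ts, client, method, path, status = line.split()
        if chain_matches(method, path, int(status)) and chain.match(client, int(ts)):
            triggered.append((client, int(ts)))
    return triggered


if __name__ == "__main__":
    print(run())
```

With a threshold of 5 in 60 seconds, the client that fails five logins in 40 seconds triggers the action on its fifth match, while the client whose two failures are 85 seconds apart never does, which is the behaviour that lets a rate-limited chain block password guessing without acting on the occasional mistyped password.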

This manual is also suitable for: SRA 4600, SMA 200, SRA 1600.