ThreatSentry FAQ
Can you give me a basic overview of ThreatSentry?
ThreatSentry is a Web Application Firewall and Intrusion Prevention solution that helps system administrators improve web application security and comply with regulatory demands such as Section 6.6 of the Payment Card Industry Data Security Standard. ThreatSentry 4 supports Windows Server 2008 R2 and IIS 7 on 32- and 64-bit systems.
ThreatSentry runs as an ISAPI extension and is managed through an MMC snap-in. Its knowledgebase of pre-configured filters is designed to identify and block a broad range of web application threats, including Structured Query Language (SQL) Injection, DoS, Cross-Site Request Forgery (CSRF/XSRF), Cross-Site Scripting (XSS) and other attack techniques. ThreatSentry’s conventional defense capabilities are augmented by a behavior-based intrusion prevention component that profiles typical request activity and detects unusual events and patterns indicative of zero-day and targeted attacks. Default configuration settings are designed to deliver optimal out-of-box performance and administrative ease.

What are the minimum system requirements to install and run ThreatSentry?
ThreatSentry runs on Windows 2000, 2003 and 2008 Web servers with Microsoft's Internet Information Services (IIS 5, 6, 7.x). ThreatSentry requires a standard Intel or similar processor (>700 MHz), 64 MB minimum RAM, and at least 50 MB of free disk space.

What is ThreatSentry’s performance under stress and load?
ThreatSentry’s system throughput is a direct function of the traffic on the particular Web server (volume of HTTP/HTTPS requests to IIS per second) and its CPU. A 2.6 GHz server should be adequate to handle traffic of several hundred connections per second.

I just installed ThreatSentry and encountered no installation errors, but the service remains down. I have rebooted and checked the ISAPI snap-in, however the ISAPI filter priority is listed as “unknown”. What now?
The ThreatSentry service will be down until it processes the first request. You can manually generate a training event by proactively requesting a page from any local Web site protected by ThreatSentry.

I am trying to test ThreatSentry locally (on the same machine I have it installed on), but nothing shows up in Training Data or the Security Alert Log. What is the issue?
If you are testing ThreatSentry with a browser or load/stress tool from the same local machine that ThreatSentry is installed on, make sure that your internal IP address is not on the Trusted IP Addresses list (ThreatSentry Settings Manager > YOUR WEB SERVER NAME > Management > Rules > IP Addresses > Trusted IP Addresses). Otherwise, your requests will not show up in Training Data or the Security Alert Log, as Trusted IP traffic is not logged by ThreatSentry.
Also, if you are concerned about "internal" attackers (employees or partners with access from your LAN), you may not want to trust those internal IP addresses within ThreatSentry, as you will not be able to log any requests from Trusted IP Addresses.

If ThreatSentry is going through the training process on a server that's already been compromised, won't the training baseline also be corrupt?
ThreatSentry mitigates this risk by filtering all events generated and captured during the initial training phase against an extensive knowledgebase of commonly known and previously detected threats. Administrators can also manually configure exceptions and specific rules. Malicious events are therefore identified during training rather than learned as normal, so that the resulting baseline is clean.

ThreatSentry is blocking legitimate requests -- is the AI engine failing, and how can I fix this?
This most likely means that one of the legitimate file and/or directory names in the blocked requests matches a current ThreatSentry rule/filter. To resolve this, review the signatures under the Rules > Requests section of the Settings Manager to find the rule that matches, and either delete it or add an exception to the rule that makes sense for your site. If you are having a hard time finding the signature match or would like some help, just send Privacyware Support a copy of the URL request that is failing, and we will review it to confirm whether it is hitting a current signature and to get your legitimate traffic through the ThreatSentry Web application firewall.

After I install ThreatSentry, must I continue to run my existing firewall and other security solutions?
ThreatSentry is complementary to and fully compatible with most other popular security solutions that you may have deployed on your system. ThreatSentry can detect and prevent many attacks (e.g. hacks over HTTP and HTTPS) which evade traditional firewalls and other security appliances or devices. ThreatSentry can also be operated to monitor "internal" activities that occur behind the firewall and out of the "line of sight" of typical network security products.

What types of data does ThreatSentry monitor and assess?
This version of ThreatSentry is designed specifically to protect Microsoft IIS Web servers. ThreatSentry uses an ISAPI extension to collect IIS-specific request/response variables to conduct anomaly analysis and threat prevention.

Have you pre-configured any specific rules or documented any known threats?
ThreatSentry includes a comprehensive knowledgebase of known threat profiles or signatures. This knowledgebase is used for direct filtering of web application requests as well as for establishing the training baseline for the behavioral engine.

Does ThreatSentry actually prevent threats and intrusions?
ThreatSentry's primary point of differentiation is its effectiveness in detecting known and, most importantly, new or unaddressed threats. ThreatSentry is configurable to thwart intrusion attempts and other types of misuse by issuing alerts and executing specific preventative actions.

What interface is required to integrate ThreatSentry with other applications?
ThreatSentry's Settings Manager is implemented as a Microsoft Management Console (MMC) Snap-in. The data collection component for the service is an ISAPI extension (an ISAPI filter in IIS 5).

What is the cost for ThreatSentry and what licensing options are available?
ThreatSentry pricing begins at $649 for a single server license. Volume discounts are applied for orders of five or more. The standard license includes one year of support and software upgrades. An additional year of support and upgrade protection can be purchased at the time of initial purchase for 20% of the current software price. Support and upgrade contracts can be extended anytime during or after the live contract term for 25% and 30% of the current software price respectively. For additional information regarding software licensing, please contact sales@privacyware.com.

What happens if the license for ThreatSentry has expired after 1 year? Would it still run but not be upgradable?
Once the support term for ThreatSentry has expired, the software will continue to function normally, but you will be ineligible for software updates or product and/or technical support until you've renewed your support and maintenance term.

What is the proper way to define a Target URL signature exception?
ThreatSentry enables exceptions to be defined for attack signatures appearing in the Target URL portion of the request string. An exception can be defined in terms of where, in relation to the Target URL, the attack signature is located, i.e. “Appears Right” or “Appears Anywhere”.
For example, www.privacyware.com/cmd.exe would trigger the rule if it was defined using "anywhere" or "right", but www.cmd.exe.privacyware.com would only trigger the rule if it was defined using "anywhere".

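The "Appears Right" / "Appears Anywhere" position semantics above, the practice (described in the question on blocked legitimate requests) of adding an exception to a rule that matches a legitimate file name, and the clean-baseline training described earlier (events matching a known signature are not learned as normal), as one added Python illustration that is not ThreatSentry's own code. The Rule, target_url, classify and train_baseline names, the reading of "Appears Right" as a suffix match on the Target URL, the exception model and the sample request lines are all assumptions constructed for this example.

```python
"""Added illustration of Target-URL signature matching with positions and
exceptions, and of building a training baseline that excludes matching
events. Not ThreatSentry's code; the semantics below are assumptions."""
from collections import Counter
from dataclasses import dataclass
from typing import Counter as CounterType, List, Sequence, Tuple

ANYWHERE = "anywhere"  # signature may occur at any offset in the Target URL
RIGHT = "right"        # assumed reading of "Appears Right": signature ends the Target URL


@dataclass(frozen=True)
class Rule:
    name: str
    signature: str
    position: str = ANYWHERE
    # (signature, position) pairs that exempt a request from this rule
    # (assumed exception model, mirroring the rule's own position semantics)
    exceptions: Tuple[Tuple[str, str], ...] = ()


def target_url(request_line: str) -> str:
    """Extract the Target URL (host + path, query string dropped, lower-cased)
    from a request line such as 'GET http://host/a.exe?x=1 HTTP/1.1'.
    The request-line layout is an assumption about the logged format."""
    parts = request_line.split()
    url = parts[1] if len(parts) >= 2 else parts[0]
    if "://" in url:                 # drop the scheme, keep host + path
        url = url.split("://", 1)[1]
    url = url.split("?", 1)[0]       # the query string is not part of the Target URL here
    return url.lower()


def appears(signature: str, target: str, position: str) -> bool:
    """True if the signature is found at the requested position of the target."""
    sig = signature.lower()
    if position == RIGHT:
        return target.endswith(sig)
    if position == ANYWHERE:
        return sig in target
    raise ValueError(f"unknown position {position!r}")


def rule_fires(rule: Rule, target: str) -> bool:
    """A rule fires when its signature appears at its position and no
    exception for that rule matches at the exception's own position."""
    if not appears(rule.signature, target, rule.position):
        return False
    return not any(appears(sig, target, pos) for sig, pos in rule.exceptions)


def classify(rules: Sequence[Rule], request_line: str) -> List[str]:
    """Names of the rules a request line triggers, in rule order."""
    target = target_url(request_line)
    return [r.name for r in rules if rule_fires(r, target)]


def train_baseline(rules: Sequence[Rule], request_lines: Sequence[str]):
    """Build a baseline of clean Target URLs. Events that hit a known
    signature are set aside instead of being learned as normal traffic."""
    baseline: CounterType[str] = Counter()
    flagged: List[Tuple[str, List[str]]] = []
    for line in request_lines:
        hits = classify(rules, line)
        if hits:
            flagged.append((line, hits))
        else:
            baseline[target_url(line)] += 1
    return baseline, flagged


# Constructed rule set: the exception lets a legitimate documentation page
# whose name happens to contain "cmd.exe" through the "anywhere" rule.
RULES = [
    Rule("cmd.exe anywhere", "cmd.exe", ANYWHERE, exceptions=(("cmd.exe.html", RIGHT),)),
    Rule("cmd.exe right", "cmd.exe", RIGHT),
    Rule("dot-dot traversal", "../", ANYWHERE),
]

# Constructed sample request lines; the two privacyware.com targets are the FAQ's
# own examples, the example.com ones are invented for this illustration.
SAMPLE_REQUESTS = [
    "GET http://www.privacyware.com/cmd.exe HTTP/1.1",
    "GET http://www.cmd.exe.privacyware.com HTTP/1.1",
    "GET http://www.example.com/index.html HTTP/1.1",
    "GET http://www.example.com/products/../cmd.exe HTTP/1.1",
    "GET http://www.example.com/docs/cmd.exe.html HTTP/1.1",
    "GET http://www.example.com/index.html HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(f"{target_url(line):45s} -> {classify(RULES, line) or 'clean'}")
    baseline, flagged = train_baseline(RULES, SAMPLE_REQUESTS)
    print("baseline:", dict(baseline))
    print("excluded from training:", len(flagged))
```

Running the block shows the FAQ's two cases side by side: the path-form URL trips both the "anywhere" and the "right" rule, while the host-form URL trips only "anywhere", and the documentation page is exempted by the exception so it is counted in the baseline rather than flagged.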
How does ThreatSentry handle encrypted traffic?
ThreatSentry is embedded in the web server (IIS) and therefore inspects SSL traffic immediately after IIS has decrypted it.

How does ThreatSentry's port-level firewall component work?
If an IP is added to the blocked list and the "Firewall - Close All Ports to Blocked IPs" option is OFF, ThreatSentry could still record that a bad request from that IP was caused by Type "Blocked IP" (or other Types), because the request is filtered by the ISAPI extension and not by the NDIS driver. If the "Firewall - Close All Ports to Blocked IPs" option is ON, there would be no record of the event in the IIS log or the Security Alert Log (SAL), as the ISAPI extension and IIS never see the request.
