ThreatSentry FAQ
Can you give me a basic overview of
ThreatSentry?
ThreatSentry is a Web application firewall that combines
conventional web application layer defense mechanisms
with a behavior-based comparative analysis component
founded on automated and assisted learning. ThreatSentry
protects Windows-based Web servers installed with
Microsoft Internet Information Services (IIS) from
known, new, internal and external system threats and
misuse.
ThreatSentry is designed to overcome the limitations of
security products that rely solely on configured rules,
policies, and attack signature matching. ThreatSentry
protects IIS from an array of exploits and
vulnerabilities including SQL injection, brute force,
Denial of Service (DoS), file uploading, cross site
scripting/XSS, directory traversal, parameter
manipulation, buffer overflow, parser evasion, high-bit
shellcode, printer protocol, remote data services, and
other Web-based attacks.
ThreatSentry is implemented as an ISAPI extension which
collects and feeds data through a knowledgebase
classification framework. Events that match explicit
rules (signatures and other settings) are immediately
classified as Trusted or Untrusted depending on the
applicable rule. ThreatSentry immediately blocks
Untrusted events (in “Monitoring – Active” security
mode) before IIS responds, and applies whatever other
“Threat Management” policies may be configured.
ThreatSentry also leverages a behavior-based analytic
engine, the Adaptive Security Engine (ASE), which
profiles typical system behavior and identifies/blocks
activity that departs from this baseline or is similar
to known untrusted requests. ThreatSentry can identify
and prevent any type of activity that could be harmful
to the host, regardless of whether it is known
(documented) or not (new or unknown threats).
Training Mode
Once installed, ThreatSentry collects and organizes IIS-specific
data (HTTP/HTTPS requests and IP addresses) into
clusters that reflect the normal use patterns (both
trusted and untrusted) within the server environment
(“Training Mode” from Services > Security Mode
properties). The process of organizing these clusters is
guided through the use of a built-in knowledgebase of
published attack signatures. Once the required number of
training events has been collected, ThreatSentry shifts
automatically into "Monitoring" mode.
Monitoring Mode
In "Monitoring Mode", ThreatSentry compares each incoming
HTTP/HTTPS request to IIS first against the knowledgebase,
to determine whether it matches an existing rule, and then
against the established Training Database, to determine
whether it falls within an acceptable range of trusted
activity. If it does, the request is passed through. If it
does not, ThreatSentry blocks the request and initiates
whatever action(s) have been configured in the Policy >
Threat Management properties, ranging from posting an
onscreen alert, to blocking the untrusted connection, to
shutting down IIS altogether.
Event Classification
Maintaining ThreatSentry is simple. Proper
classification of events is essential and can be
accomplished as Security Alerts are displayed, or during
periodic review of the Security Alert Log. After one or
more events have been reclassified, the Training
Database is "Re-Trained", and ThreatSentry will remember
not only the correct classification of the particular
event(s), but also its various characteristics which
will be applied to the analysis of other events.
What are the minimum system requirements required to
install and run ThreatSentry?
ThreatSentry runs on Windows 2000 or 2003 Web servers
with Microsoft's Internet Information Services (IIS 5
and 6). ThreatSentry requires a standard Intel or
similar processor (>700 MHz), 64 MB minimum RAM, and at
least 15 MB of free disk space.
What is ThreatSentry’s performance under stress and
load? Any incompatibility issues with firewalls or
anti-virus applications?
ThreatSentry’s system throughput is a direct function of
the traffic on the particular Web server (volume of
HTTP/HTTPS requests to IIS per second) and its CPU. A
2.6 GHz server should be adequate to handle traffic of
several dozen connections per second. There are no known
compatibility conflicts with any anti-virus or firewall
products, and ThreatSentry is designed to augment these
systems by adding Web application firewall protection
over HTTP and HTTPS. ThreatSentry can be operated in
signature-detection-only mode (behavioral engine
disabled) to achieve greater throughput, bypassing the
more processor-intensive behavioral learning layer.
How long is the training period for ThreatSentry?
The initial training phase is determined automatically
and commences when ThreatSentry is first installed. The
duration of the initial training phase is determined by
considering the specific characteristics of the server
environment and related factors such as processor speed,
memory and the configurable number of unique events
deemed sufficient to establish the baseline database.
Typically training is completed within several minutes.
Once trained, does ThreatSentry require additional
training sessions?
Not typically. Administrators can modify the
ThreatSentry knowledgebase, change event
classifications, and re-initiate training on the fly.
These features enable ThreatSentry to continuously
conform to whatever changes might naturally occur in the
environment and become increasingly accurate over time.
In cases where a system has been rebuilt or undergone
some other significant change, it is advisable to switch
the Security Mode to Training or Monitoring – Inactive
so that ThreatSentry has time to assimilate the changes
or the administrator can re-train the system from
scratch. (Re-training ThreatSentry from scratch requires
that the Training Database, stored as YEVS.mdb in the
ThreatSentry program files directory, be deleted. Once
it has been deleted, ThreatSentry will automatically
create a new YEVS.mdb.)
I just installed ThreatSentry and encountered no
installation errors, but the service remains down. I
have rebooted and checked the ISAPI snap-in, however the
ISAPI filter priority is listed as “unknown”. What now?
The IIS service will be down until ThreatSentry
registers the first request. You can manually generate a
training event by proactively requesting a page from any
local Web site to be protected by ThreatSentry.
I am trying to test ThreatSentry locally (on the same
machine I have it installed on), but nothing shows up in
Training Data or the Security Alert Logs. What is the
issue?
If you are testing ThreatSentry with a browser or
load/stress tool from the same local machine that you
have ThreatSentry installed upon, make sure that your
internal IP address is not on the Trusted IP Addresses
list (ThreatSentry Settings Manager > YOUR WEB SERVER
NAME > Management > Rules > IP Addresses > Trusted IP
Addresses). Otherwise, your requests will not show up in
Training Data or the Security Alert Log, as Trusted IP
traffic is not logged by ThreatSentry.
Also, if you are concerned about "internal" hackers
(employees or partners with access from your LAN), you
may not want to trust those internal IP addresses within
ThreatSentry, as you will not be able to log any of
those Trusted IP Address requests.
If ThreatSentry is going through the training process on
a server that's already been compromised, won't the
training baseline also be corrupt?
ThreatSentry mitigates this risk by filtering all events
generated and captured during the initial training phase
against an extensive knowledgebase of commonly known and
previously detected threats. Administrators can also
manually configure exceptions and specific rules.
Basically, malicious events will be identified during
training to ensure a clean baseline.
ThreatSentry is blocking legitimate requests -- is the
AI engine failing, and how can I fix this?
This most likely means that one of your legitimate file
and/or directory names for the blocked requests matches
a current ThreatSentry signature. To resolve this,
review the signatures under the Rules > Requests section
of the Settings Manager to find the match to the current
rule, and delete it or add an exception to the rule that
makes sense. If you are having a hard time finding the
signature match or would like some help, just send
Privacyware Support a copy of the URL request that is
failing, and we will review it to make sure you are not
running into a current signature and to get your
legitimate traffic through the ThreatSentry Web app
firewall.
After I install ThreatSentry, must I continue to run my
existing firewall and other security solutions?
ThreatSentry is complementary and fully compatible with
most other popular security solutions that you may have
deployed on your system. ThreatSentry can detect and
prevent many vulnerabilities (e.g. hacks over HTTP and
HTTPS) which evade traditional firewalls, as they are
not designed to provide this type of protection.
ThreatSentry can also be used to monitor "internal"
activities that occur behind the firewall and out of the
"line of sight" of typical network security utilities.
What types of data does ThreatSentry monitor and assess?
This version of ThreatSentry is designed specifically to
protect Microsoft IIS Web servers. ThreatSentry uses an
ISAPI extension to collect IIS-specific request/response
variables to conduct anomaly analysis and threat
prevention.
Have you pre-configured any specific rules or documented
any known threats?
ThreatSentry includes a comprehensive knowledgebase of
known threat profiles or signatures. This knowledgebase
is used during initial training to augment the creation
of the baseline database.
Does ThreatSentry actually prevent threats and
intrusions?
ThreatSentry's primary point of differentiation is its
effectiveness in detecting known and, most importantly,
new or unaddressed threats. ThreatSentry is configurable
to initiate preventative actions to thwart intrusion
attempts and other types of misuse by issuing alerts and
executing specific preventative actions.
What interface is required to integrate ThreatSentry
with other applications?
ThreatSentry's Settings Manager is implemented as a
Microsoft Management Console (MMC) Snap-in. The data
collection component for the service is an ISAPI filter.
What is the cost for ThreatSentry and what licensing
options are available?
ThreatSentry pricing begins at $649 for a single server
license. Volume discounts are applied for orders of five
or more. The standard license includes one year of
support and software upgrades. An additional year of
support and upgrade protection can be purchased at the
time of initial purchase for 20% of the current software
price. Support and upgrade contracts can be extended
anytime during or after the live contract term for 25%
and 30% of the current software price respectively. For
additional information regarding software licensing,
please contact sales@privacyware.com.
What happens if the license for ThreatSentry is expired
after 1 year? Would it still run but can’t be upgraded?
Once the support term for ThreatSentry has expired, the
software will continue to function normally, but you
will be ineligible for software updates or product
and/or technical support.
When will a Windows Server 2008/IIS7 compatible version
of ThreatSentry be available?
ThreatSentry v4 is currently under development and is
scheduled for release sometime by the end of 2008. The
new version will support Windows Server 2008, Internet
Information Services v7 and 64-bit environments. The
Training Database and Security Alert Log databases will
be migrated to MS SQL (vs. the current Access model), and
the new version will offer an enhanced central management
architecture and several other feature improvements.
My Security Alert Log has become large and is slow to
display in the MMC snap-in. How can I remedy this issue?
ThreatSentry’s Security Alert Log can be archived or
deleted to eliminate this issue. To do so, locate the
IntrusionLog.mdb file stored in the ThreatSentry program
file directory. Perform a “Save As” to archive the
current file or simply delete it if the data is not
needed. Once ThreatSentry has been re-started, a new
IntrusionLog.mdb will be created.
What is the proper way to define a Target url signature
exception?
ThreatSentry enables exceptions to be defined for attack
signatures appearing in the Target url portion of the
request string. An exception can be defined in terms of
where, in relation to the target url, the attack
signature is located, i.e. “Appears Right” or “Appears
Anywhere”.
For example,
www.privacyware.com/cmd.exe,
would be triggered if the rule was defined using
"anywhere" or "right", but
www.cmd.exe.privacyware.com
would only be triggered if the rule was defined using
"anywhere".
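As an added illustration (not part of the original FAQ or of Privacyware's code), here is a small Python model of the two placements and of the per-rule exception that the earlier answer on blocked legitimate requests recommends. It assumes "Appears Right" means the signature is a suffix of the target URL, "Appears Anywhere" means a substring, an exception is an exact target URL the rule must not fire on, and matching is case-insensitive; the `Rule` and `classify` names are the example's own.

```python
# Toy model of Target url signature rules with "Appears Right" /
# "Appears Anywhere" placement plus per-rule exceptions. Added example,
# not Privacyware code. Assumed: "right" = signature is a suffix of the
# target URL, "anywhere" = substring; an exception is an exact target
# URL the rule must not fire on; comparison is case-insensitive.
from dataclasses import dataclass, field
from typing import Iterable, Optional, Set, Tuple

ANYWHERE = "anywhere"
RIGHT = "right"


@dataclass
class Rule:
    signature: str
    position: str = ANYWHERE  # ANYWHERE or RIGHT
    exceptions: Set[str] = field(default_factory=set)  # exact URLs to allow

    def matches(self, target_url: str) -> bool:
        url, sig = target_url.lower(), self.signature.lower()
        if url in {e.lower() for e in self.exceptions}:
            return False  # an exception for this exact URL disarms the rule
        if self.position == RIGHT:
            return url.endswith(sig)
        if self.position == ANYWHERE:
            return sig in url
        raise ValueError("unknown position: %r" % self.position)


def classify(target_url: str, rules: Iterable[Rule]) -> Tuple[str, Optional[str]]:
    """("Untrusted", signature) for the first firing rule, else ("Trusted", None)."""
    for rule in rules:
        if rule.matches(target_url):
            return "Untrusted", rule.signature
    return "Trusted", None


if __name__ == "__main__":
    right_rule, anywhere_rule = Rule("cmd.exe", RIGHT), Rule("cmd.exe", ANYWHERE)
    # The two target URLs from the FAQ: the first fires under either
    # placement, the second only under "anywhere".
    for url in ("www.privacyware.com/cmd.exe", "www.cmd.exe.privacyware.com"):
        print(url, "right:", right_rule.matches(url), "anywhere:", anywhere_rule.matches(url))
    # Constructed legitimate path that collides with the signature: add an
    # exception rather than deleting the whole rule.
    legit = "www.privacyware.com/docs/cmd.exe"
    print(classify(legit, [right_rule]))
    right_rule.exceptions.add(legit)
    print(classify(legit, [right_rule]))
```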
I’ve installed ThreatSentry successfully and the service
is running (Monitoring or Training), but no events
appear to be getting processed. What should I do?
ThreatSentry v 3.0.64.0 and higher must be added to the
list of Wildcard Applications and the process may need
to be configured manually. To do so, follow the steps
outlined below.
1) Go to Start -> Administrative Tools -> Computer
Management.
2) Expand the Services and Applications node -> Internet
Information Services.
3) Highlight Default Web Site under the Web Sites folder,
right-click it and select Properties.
4) Select the Home Directory tab and then the
Configuration button near the bottom of the dialog. An
Application Configuration dialog will appear.
5) On the Mappings tab, check that PWIISAPIES.dll is
displayed in the Wildcard application maps window near
the bottom of the screen. If not, select the Insert
button. The Add/Edit Application Extension Mapping
dialog will appear. Locate PWIISAPIES.dll in the
ThreatSentry program files directory and add it to the
list. You will be prompted to enclose the entire
directory path in “” (double quotes). Also, uncheck the
Verify that file exists box. Then click OK.
6) Repeat this process for all Web sites.
I’ve just updated ThreatSentry and see that my custom
rules are no longer reflected. Can these custom rules be
retrieved?
When updating ThreatSentry software (version 3.0.64.0 or
higher), your existing MappingRules.xml file will be
preserved, but renamed as MappingRules_Old.xml (and
stored in the ThreatSentry program files directory).
Currently, ThreatSentry does not automatically
synchronize previous MappingRules files, so any custom
rules that you may have added (including Trusted and
Untrusted IPs) will not be reflected after upgrading the
software. The MappingRules_Old.xml file provides a
reference to enable your custom rules to be copied to
the new default MappingRules.xml file after upgrading.
Alternatively, the MappingRules.xml file can be archived
(or deleted) and the MappingRules_Old.xml can be renamed
to MappingRules.xml.
How does ThreatSentry handle encrypted traffic?
ThreatSentry is embedded in the web server (IIS) and
therefore inspects SSL data immediately after it has
been decrypted.
How does ThreatSentry's port-level firewall component
work?
If an IP is added to the blocked list and the "Firewall
- Close All Ports to Blocked IPs" option is OFF,
ThreatSentry could still indicate that a bad request
from that IP was caused by Type "Blocked IP" (or other
Types), as the request is filtered by the ISAPI
extension (and not the NDIS driver). If the "Firewall -
Close All Ports to Blocked IPs" option is ON, there
would be no record of the event in the IIS log or the
Security Alert Log (SAL), as the ISAPI extension and IIS
never see the request.