Security levels

Security levels represent sets of deny rules with different filter strengths. The security level is separately adjustable for each group on the Deny Rule tab of mappings. The overview on the global deny rule page (Application Firewall -> Deny Rules) indicates which deny rule is associated with which security levels. Using security levels, it is possible to adjust the filter strength individually per attack type and mapping with a single click.

In order to change the security level on many groups and mappings at once, use the corresponding "bulk operations" on the reverse-proxy view.

Legacy

The Legacy level is introduced for backwards compatibility and for simplifying migration of mappings. It contains the default rules from Airlock Gateway 5.0 before security levels were introduced.

We recommend switching security levels of all mappings to either Basic, Standard, or Strict. The new security levels contain revised rules superior to the Legacy rules.

Basic

Rules in level Basic focus on a low false positive rate, simplifying integration of applications. Note, however, that certain attack variants may not be covered.

Indications for using level Basic:

  • Level Standard requires too many exceptions.
  • Application access is protected by upstream authentication.

Standard

Level Standard is the default setting on new mappings. It provides strong filters and a low false positive rate. Exceptions may be required for input fields containing syntactical elements similar to JavaScript or SQL.

Indications for using level Standard:

  • The application is complex or dynamic.
  • The application uses many input fields with unrestricted input values, e.g., free texts or comments.
  • Application access is protected by upstream authentication.
  • Level Strict requires too many exceptions.

Strict

Level Strict focuses on blocking many potential attack variants. This level is recommended for very sensitive applications and typically requires some integration effort.

Indications for using level Strict:

  • Login pages and other critical pages exposed directly to the Internet, without upstream authentication.
  • The application is rather simple.
  • Application data is very sensitive (high risk).
  • The code quality of the application is low.

Custom

Level Custom allows each rule in the group to be enabled or disabled individually.