Basic concepts: Deny rules

Deny rules establish a negative security model, they are also known as black lists.

They are organized in groups, where each group cover certain aspects of attacks and define conditions for request attributes such as HTTP method, request parameters or headers.

For a request to be blocked by a deny rule group, the following conditions must hold:

  • Any deny rule in the group must match.
    That is, matching states of deny rules within a group are combined by a logical OR operation.
  • A deny rule matches if all defined conditions match.
    That is, conditions within deny rules are combined with a logical AND operation.

Default deny rules

Airlock Microgateway provides a set of default deny rule groups to protect against common attack scenarios. For example, there are specific deny rule groups dealing with SQL injection or Cross-site scripting (XSS) attacks. These default deny rule groups are identified by the "(default)" name prefix and have a configurable security level.

Security levels

A security level represents a set of deny rules with different filter strengths. The security level is separately adjustable for each deny rule group. The documentation of the default deny rule groups provides information which deny rule is associated with which security levels. The security level can be adjusted individually per attack type.

Basic

Rules in level Basic focus on a low false positive rate, simplifying integration of applications. Note, however, that certain attack variants may not be covered.

Indications for using level Basic:

  • Level Standard requires too many exceptions.
  • Application access is protected by upstream authentication.

Standard

Level Standard is the default setting on new mappings. It provides strong filters and a low false positive rate. Exceptions may be required for input fields containing syntactical elements similar to JavaScript or SQL.

Indications for using level Standard:

  • The application is complex or dynamic.
  • The application uses many input fields with unrestricted input values, e.g., free texts or comments.
  • Application access is protected by upstream authentication.
  • Level Strict requires too many exceptions.

Strict

Level Strict focuses on blocking many potential attack variants. This level is recommended for very sensitive applications and typically requires some integration effort.

Indications for using level Strict:

  • Login pages and other critical pages exposed directly to the Internet, without upstream authentication.
  • The application is rather simple.
  • Application data is very sensitive (high risk).
  • Low code quality of application.

Filtering JSON attributes

Airlock Microgateway automatically generates parameters from JSON objects. These JSON parameters are treated like parameters in GET or POST requests. For details please refer to the JSON filtering page.