What are Shield Objects?
Shield Objects are RedShield configuration elements applied to a vWAF, designed to mitigate specific vulnerabilities.
A Shield Object may detect illegal requests (or, in some cases, illegal responses), and may apply transformations to server responses before they are sent to the client (e.g., inserting an HTTP header).
A Shield Object may exist in different states, according to whether it is actively transforming responses and/or actively blocking illegal requests.
The diagram below shows the functional states in which a Shield Object may exist:
Example: Cross Site Scripting
This Shield Object detects and blocks illegal requests, but does not perform any transformation of responses.
Vulnerability Name: | Cross Site Scripting
Illegal Content Detection: | Any request containing characters or strings identified as a Cross Site Scripting attack will be detected and mitigated. | Possible States: Transparent, Blocking
Insecure Content Transformation: | N/A
An Advanced Shield Object which mitigates Cross Site Scripting may, for example, be Transparent. This means that it is detecting and logging any requests which contain Cross Site Scripting attacks, but these requests are still passed through to the server.
After policy tuning and transition of the vWAF to blocking mode, the Shield Object may then be Blocking. This means that it is blocking any requests which contain Cross Site Scripting attacks.
Example: Missing HSTS Header
This Shield Object transforms server responses by inserting a header which may be required for security purposes, but does not block any type of illegal request.
Vulnerability Name: | Missing HSTS Header (HTTP Strict Transport Security)
Illegal Content Detection: | N/A
Insecure Content Transformation: | All server responses should have an HSTS header inserted into the HTTP headers. | Possible States: Inactive, Active
This Shield Object may, for example, be Active.
As there is no blocking associated with this Shield Object, it cannot be "Transparent", and its state does not generally change during policy tuning. Once it is initially implemented, it continues inserting headers into responses.
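The following is an added example, not RedShield code, modelling the two state dimensions described above (Transparent/Blocking for detection, Inactive/Active for transformation) with the two Shield Objects discussed so far: a detection-only Cross Site Scripting object and a transformation-only Missing HSTS Header object. The request/response shapes, the signature list, the header value and the `run` pipeline are all constructed for illustration; a real vWAF policy is far richer than three regular expressions.

```python
"""Added example (not RedShield code): a toy model of Shield Object states.

A Shield Object has two independent state dimensions:
  - detection state:      "Transparent" (detect, log, pass through) or "Blocking"
  - transformation state: "Inactive" or "Active"
An object that never blocks has detection state None; an object that never
transforms has transformation state None. Everything here is constructed.
"""
import re
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Request:
    method: str
    path: str
    params: dict

@dataclass
class Response:
    status: int
    headers: dict
    body: str = ""

@dataclass
class Decision:
    allowed: bool
    log: list

@dataclass
class ShieldObject:
    name: str
    detection_state: Optional[str] = None       # "Transparent" | "Blocking" | None
    transformation_state: Optional[str] = None  # "Inactive" | "Active" | None
    detector: Optional[Callable[[Request], Optional[str]]] = None
    transformer: Optional[Callable[[Response], Response]] = None

    def inspect_request(self, req: Request) -> Decision:
        if self.detector is None or self.detection_state is None:
            return Decision(True, [])
        finding = self.detector(req)
        if finding is None:
            return Decision(True, [])
        entry = f"{self.name}: {finding} in {req.method} {req.path}"
        if self.detection_state == "Transparent":
            # Transparent: the illegal request is logged but still reaches the server
            return Decision(True, [f"DETECTED (passed through) {entry}"])
        return Decision(False, [f"BLOCKED {entry}"])

    def transform_response(self, resp: Response) -> Response:
        # Inactive (or no transformer at all) leaves the response untouched
        if self.transformer is None or self.transformation_state != "Active":
            return resp
        return self.transformer(resp)

# --- Cross Site Scripting: detection only ---------------------------------
# Constructed, deliberately minimal signature list.
XSS_SIGNATURES = [re.compile(p, re.I) for p in (r"<\s*script\b", r"javascript\s*:", r"\bon\w+\s*=")]

def xss_detector(req: Request) -> Optional[str]:
    for key, value in req.params.items():
        for sig in XSS_SIGNATURES:
            if sig.search(value):
                return f"XSS pattern {sig.pattern!r} in parameter {key!r}"
    return None

# --- Missing HSTS header: transformation only ------------------------------
HSTS_VALUE = "max-age=31536000; includeSubDomains"  # constructed policy value

def insert_hsts(resp: Response) -> Response:
    headers = dict(resp.headers)
    # setdefault: do not clobber a header the application already set
    headers.setdefault("Strict-Transport-Security", HSTS_VALUE)
    return Response(resp.status, headers, resp.body)

def make_xss_shield(state: str) -> ShieldObject:
    return ShieldObject("Cross Site Scripting", detection_state=state, detector=xss_detector)

def make_hsts_shield(state: str) -> ShieldObject:
    return ShieldObject("Missing HSTS Header", transformation_state=state, transformer=insert_hsts)

def run(shields, req: Request, origin_resp: Response):
    """Apply every shield's detection to the request, then every transformation
    to the response. Returns (response_sent_to_client, log_lines)."""
    log = []
    for s in shields:
        d = s.inspect_request(req)
        log.extend(d.log)
        if not d.allowed:
            return Response(403, {}, "Blocked by vWAF"), log
    resp = origin_resp
    for s in shields:
        resp = s.transform_response(resp)
    return resp, log

if __name__ == "__main__":
    req = Request("GET", "/search", {"q": "<script>alert(1)</script>"})
    origin = Response(200, {"Content-Type": "text/html"}, "<html>...</html>")
    # Initial deployment: XSS Transparent, HSTS Active
    print(run([make_xss_shield("Transparent"), make_hsts_shield("Active")], req, origin))
    # After policy tuning: XSS Blocking
    print(run([make_xss_shield("Blocking"), make_hsts_shield("Active")], req, origin))
```

Running the two configurations against the same constructed request shows the tuning transition described in the text: the Transparent object produces a DETECTED log line while the origin response (now carrying the HSTS header) still reaches the client, whereas the Blocking object returns a 403 and the log line reads BLOCKED.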
Example: Cross Site Request Forgery
This Shield Object both transforms server responses by inserting tokens, and also detects and blocks any illegal request which does not include a valid token.
Vulnerability Name: | Cross Site Request Forgery
Illegal Content Detection: | Any request with a missing or illegal CSRF token should be detected and mitigated. | Possible States: Transparent, Blocking
Insecure Content Transformation: | All server responses should have CSRF tokens appended to relevant links. | Possible States: Inactive, Active
This Shield Object may, for example, be Active and Transparent.
After policy tuning and transition of the vWAF to blocking mode, the Shield Object may then be Active and Blocking. This means that it is actively appending CSRF tokens to relevant links in all server responses, validating them in subsequent client requests, and blocking any requests which do not contain a valid token.
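The following is an added example, not RedShield code, of a Shield Object that uses both state dimensions as the Cross Site Request Forgery example does: in the Active state it appends a token to links in the server response, and in the Transparent or Blocking state it validates that token on the subsequent request. The token scheme (an HMAC over the session id), the choice of which paths count as "relevant" links, the query-parameter name and the sample HTML are all constructed for the example.

```python
"""Added example (not RedShield code): a toy Cross Site Request Forgery Shield Object.

Transformation (Inactive/Active): append a per-session token to every href
whose path is a state-changing ("protected") path.
Detection (Transparent/Blocking): a request to a protected path without a
valid token is logged and passed (Transparent) or refused (Blocking).
Tokens are an HMAC over the session id, so a token issued to one session
is not valid for another.  Key, paths, session ids and HTML are constructed.
"""
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlsplit

SECRET = b"constructed-demo-key-do-not-reuse"  # a real deployment uses a per-deployment secret
TOKEN_PARAM = "csrf_token"
PROTECTED_PATHS = ("/account/", "/transfer")     # constructed: paths whose requests change state
HREF_RE = re.compile(r'href="([^"]+)"')

def make_token(session_id: str) -> str:
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def valid_token(session_id: str, token) -> bool:
    # constant-time comparison so validation does not leak token bytes by timing
    return hmac.compare_digest(make_token(session_id), token or "")

def is_protected(path: str) -> bool:
    return any(path.startswith(p) for p in PROTECTED_PATHS)

def append_tokens(html: str, session_id: str, state: str) -> str:
    """Transformation step: in the Active state, add the session's token to
    every protected link that does not already carry one."""
    if state != "Active":
        return html
    token = make_token(session_id)

    def rewrite(m):
        url = m.group(1)
        parts = urlsplit(url)
        if not is_protected(parts.path) or TOKEN_PARAM in parse_qs(parts.query):
            return m.group(0)
        sep = "&" if parts.query else "?"
        return f'href="{url}{sep}{TOKEN_PARAM}={token}"'

    return HREF_RE.sub(rewrite, html)

def inspect_request(url: str, session_id: str, state: str):
    """Detection step: returns (allowed, log_line). log_line is None when
    nothing illegal was found."""
    parts = urlsplit(url)
    if not is_protected(parts.path):
        return True, None
    token = parse_qs(parts.query).get(TOKEN_PARAM, [None])[0]
    if valid_token(session_id, token):
        return True, None
    reason = "missing" if token is None else "invalid"
    if state == "Transparent":
        return True, f"DETECTED ({reason} CSRF token, passed through) {parts.path}"
    return False, f"BLOCKED ({reason} CSRF token) {parts.path}"

if __name__ == "__main__":
    sid = "session-abc"
    page = '<a href="/help">Help</a> <a href="/transfer?to=bob">Send</a>'
    tokened = append_tokens(page, sid, "Active")   # response leaving the vWAF
    print(tokened)
    link = HREF_RE.findall(tokened)[1]              # the client follows the rewritten link
    print(inspect_request(link, sid, "Blocking"))   # valid token: allowed
    print(inspect_request("/transfer?to=bob", sid, "Transparent"))  # forged-style request, logged only
    print(inspect_request("/transfer?to=bob", sid, "Blocking"))     # same request, now refused
```

The round trip in the `__main__` section mirrors the text: while the object is Active and Transparent, a request that lacks the token is logged but still reaches the server, which is what makes policy tuning possible before the transition to Active and Blocking refuses such requests outright.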