AQTRONIX WebKnight - Open Source Web Application Firewall (WAF) for IIS

What is it?

AQTRONIX WebKnight is an application firewall for IIS and other web servers and is released under the GNU General Public License. More specifically, it is an ISAPI filter that secures your web server by blocking certain requests. If an alert is triggered, WebKnight will take over and protect the web server. It does this by scanning all requests and processing them based on filter rules set by the administrator. These rules are not based on a database of attack signatures that requires regular updates. Instead, WebKnight uses security filters for buffer overflow, SQL injection, directory traversal, character encoding and other attacks. This way WebKnight can protect your server against all known and unknown attacks. Because WebKnight is an ISAPI filter, it has the advantage of working closely with the web server, so it can do more than other firewalls and intrusion detection systems, such as scanning encrypted traffic.

Features

These are some features of WebKnight.

  • Open Source
    WebKnight is free software under the terms of the GNU General Public License.
  • Logging
    By default all blocked requests are logged. In addition all allowed requests can be logged as well, or you can run WebKnight in logging only mode. This last operation mode allows you to see the attacks in the log files without blocking them. WebKnight can also prevent blocked attacks from being logged to the web server log files. This way your web server log files will be kept clean and accurate.
  • Customizable
    The firewall can be customized for any need, including blocking certain 0-day exploits before the vendor has released a patch.
  • Compatible with Web-Based Applications
    WebKnight is compatible with Frontpage Extensions, WebDAV, Flash, Cold Fusion, Outlook Web Access, Outlook Mobile Access, SharePoint...
  • HTTP Error Logging
    WebKnight can be configured to log the HTTP errors from the web server. This way you can log common errors like '404 Not Found' or more severe ones like '500 Server Error' to the logfile. Doing so allows you to detect errors in scripts or attacks on them. You can also use it to simply find broken links in your web site or configuration mistakes.
  • SSL Protection
    Unlike traditional firewalls, WebKnight can protect encrypted sessions over HTTPS.
  • Third-Party Application Protection
    WebKnight not only protects the web server, but can also be configured to protect third-party web server applications, e-commerce web sites or your custom web site.
  • RFC compliant
    WebKnight is RFC compliant and also includes the ability to scan the requests for RFC compliance.
  • Low Total Cost of Ownership (TCO)
    WebKnight comes with a Windows Installer package and remote installation scripts making it easy to deploy WebKnight in your enterprise. WebKnight also comes with a graphical user interface for changing WebKnight settings.
  • Run-Time Update
    Changes to the settings of WebKnight do not require restarting the web server and can thus be made without disrupting any services for your users. For performance reasons, WebKnight only checks for these changes once every minute.
  • Authentication scanning
    Authentication scanning lets you scan for brute force attacks on accounts or DoS attacks on system accounts. It can also scan for weak passwords.
  • Connection control/monitoring
    You can block or monitor traffic coming from certain IP addresses or ranges. You can also monitor access to certain important files or limit the number of requests coming from a single IP address.
  • Blocking robots
    A large robots database makes it possible to block or only allow certain types of robots. It is also possible to set up a bot trap for bad robots and to block aggressive robots.
  • Prevent hot linking
    Hot linking or direct linking to certain types of files (like images or file downloads), can be prevented.
New in WebKnight 3.0
  • Admin Web Interface
    Added a built-in website for WebKnight administration and statistics.
  • ISAPI Extension
    This enables raw data (POST data) scanning, just like the ISAPI filter does on IIS 5 but now for IIS7 and later (and IIS 6 Worker Process Mode).
  • User-Agent
    Some additional functionality in scanning the User-Agent header like high bit shellcode detection, special whitespace and spoofing detection.
  • Improved Engine
    Added some more rules and better default settings. Now, you can also exclude websites by Host header.
  • 32-bit on 64-bit IIS
    You can also install a 32-bit version of WebKnight on a 64-bit operating system (for 32-bit application pools in IIS).
  • Settings per website
    Settings per website are also possible for IIS 7. Copy WebKnight.xml to WebKnight.[ApplicationPoolIdentity].xml, for example WebKnight.DefaultAppPool.xml for the default website.

New in WebKnight 4.0
  • Action per rule
    You can decide what action to take per rule instead of the same response for all rules. You can set the action to log, block, monitor or block the IP address per rule.

How to install

Installation in IIS with Windows Installer: (for IIS 6.0 see note below!) (for IIS 7 & 8 see note below!)

Double click the file WebKnight.msi. This will launch Windows Installer and install WebKnight on the local machine. This method will install WebKnight as a global filter on the local machine. If Windows Installer is not installed on your system, you can download it directly from Microsoft:
Windows Installer 2.0 Redistributable for Windows NT 4.0 and 2000
Windows Installer 2.0 Redistributable for Windows 95, 98, and Me

Installation in IIS with scripts:

To install/uninstall WebKnight on the local or remote machine you can use the file install.vbs/uninstall.vbs from the setup folder. This method will install WebKnight as a global filter on the selected host or localhost.

Manual installation as a global filter in IIS:

  1. Copy all the files in the Setup folder to a local folder on the server (e.g. C:\Program Files\AQTRONIX WebKnight).
  2. Open the IIS snap-in.
  3. Right-click the server name (not the site name) (in IIS 6 right-click Web Sites) under Internet Information Services in the MMC, and then select Properties.
  4. Verify that WWW Service is displayed in the Master Properties drop-down list, and click the Edit button. For IIS 6 go to next step.
  5. Choose the ISAPI Filters tab, and then click the Add button.
  6. In the Filter Properties window, type WebKnight, and enter the full path to WebKnight.dll in the Executable box.
  7. Select OK to close each dialog.
  8. Review any settings of WebKnight, by running config.exe that you copied locally.
  9. Restart IIS.

Manual installation as a site filter in IIS:

  1. Copy all the files in the Setup folder to a local folder on the server (e.g. C:\Program Files\AQTRONIX WebKnight\W3SVC1). Note: it is important to have a unique folder for each WebKnight installation!
  2. Open the IIS snap-in.
  3. Right-click the site name (not the server name) under Internet Information Services in the MMC, and then select Properties.
  4. Choose the ISAPI Filters tab, and then click the Add button.
  5. In the Filter Properties window, type WebKnight, and enter the full path to WebKnight.dll in the Executable box.
  6. Select OK to close each dialog.
  7. Review any settings of WebKnight, by running config.exe that you copied locally. (Make sure global filter capabilities are disabled: uncheck 'Is Installed As Global Filter')
  8. For IIS 6 you need to make sure that each site for which you installed WebKnight as a site filter, has its own application pool. This is because only one instance of WebKnight can be run in any application pool. By default all sites are running in the DefaultAppPool and can only contain one instance of WebKnight, so you can only have one site filter, unless you specify a different application pool for any additional site on which you are running WebKnight as a site filter.
  9. Restart IIS.

If you want to import your settings from urlscan, you can do that by copying the file urlscan.ini to the WebKnight directory. Delete WebKnight.xml (or rename it) and your settings from urlscan.ini will be imported in a new WebKnight.xml file when you restart your web server. This can be useful if you experienced problems with your urlscan installation and you had to customize the settings of urlscan and want to keep using these settings. If you want to load the default settings again, you can do that by deleting the files WebKnight.xml and urlscan.ini in the directory WebKnight and a new WebKnight.xml will be made with the default settings when you restart your web server.

Installation in IIS 5 and earlier: You don't need to do anything extra, just follow one of the installation methods above.

Installation in IIS 6: to run WebKnight as a global filter in IIS 6, you have two options:

  1. Run IIS in IIS 5.0 Isolation mode (recommended)
  2. Continue running IIS in worker process mode but without the global filtering capabilities of WebKnight, and you need a unique log file per process. So you have to make sure you:
    • uncheck 'Is Installed As Global Filter' under Global Filter Capabilities
    • check 'Per Process Logging' under Logging (if you have multiple application pools running: each application pool will load its own instance of WebKnight, if you only have one pool, this is not required.)
    • Make sure the account NETWORK SERVICE (or whatever account(s) you set the application pool(s) to use) has change permission on the WebKnight folder and subfolders
    • WebKnight 3.0 and later comes with a built-in ISAPI Extension to scan the raw data (POST data). To use this functionality, add WebKnight.dll as a wildcard application mapping in IIS.
    • Restart IIS after doing the above changes.

Installation in IIS 7 & IIS 8

  • Allow ISAPI filters and extensions in IIS (by default this is not installed)
  • The MSI package provided with WebKnight 2.2 and later supports IIS 7 (do not use the install.vbs script). Previous versions of WebKnight can only be installed manually, and only if you also uncheck "Is Installed As Global Filter" in the global filter capabilities.
  • Check 'Per Process Logging' under Logging if you have multiple application pools running under the same user account: each application pool will load its own instance of WebKnight. If you only have one pool, this is not required. If you are running WebKnight 2.3 or later and using IIS 7.0 SP2 or IIS 7.5, you also do not need this, as Per Process Owner Logging is enabled.
  • Make sure the application pool accounts (IIS 7.0: NETWORK SERVICE and IIS 7.5: IIS_IUSRS) have change permission on the WebKnight folder and subfolders. WebKnight 2.4 and later set the permissions automatically, but check this especially if you are not using the defaults.
  • Restart IIS after doing the above changes.
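
The checklist above can be verified without changing anything on the server. The following PowerShell script is an added example, not part of WebKnight or its installer; it assumes the example install folder from this page, a server-level (global filter) install as done by the MSI, and an application pool account given in Windows ACL form.

```powershell
# Added example: read-only check of the IIS 7/8 items listed above.
# Run from an elevated PowerShell prompt on the web server.
param(
    # Assumption: the example install folder used on this page.
    [string]$WebKnightDir = 'C:\Program Files\AQTRONIX WebKnight',
    # Assumption: ACL name of the application pool account
    # (IIS 7.0: 'NT AUTHORITY\NETWORK SERVICE', IIS 7.5: 'BUILTIN\IIS_IUSRS').
    [string]$PoolAccount = 'BUILTIN\IIS_IUSRS'
)
Import-Module ServerManager, WebAdministration
$problems = @()

# 1. ISAPI filters and extensions are optional role services in IIS 7 and later.
foreach ($name in 'Web-ISAPI-Filter', 'Web-ISAPI-Ext') {
    if (-not (Get-WindowsFeature -Name $name).Installed) {
        $problems += "Role service $name is not installed."
    }
}

# 2. A server-level ISAPI filter entry should point at an existing WebKnight.dll.
$filters = Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Filter 'system.webServer/isapiFilters/filter'
$entries = @($filters | Where-Object { $_.path -like '*\WebKnight.dll' })
if ($entries.Count -eq 0) {
    $problems += 'No server-level ISAPI filter entry for WebKnight.dll.'
}
foreach ($e in $entries) {
    $dll = [Environment]::ExpandEnvironmentVariables($e.path)
    if (-not (Test-Path -Path $dll)) { $problems += "Filter path $dll does not exist." }
}

# 3. The pool account needs change (Modify) permission on the folder, inherited
#    by subfolders and files. Only ACEs naming the account directly are checked;
#    rights granted through group membership are not evaluated.
$modify  = [System.Security.AccessControl.FileSystemRights]::Modify
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$ace = (Get-Acl -Path $WebKnightDir).Access | Where-Object {
    $_.IdentityReference.Value -eq $PoolAccount -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $modify) -eq $modify -and
    ($_.InheritanceFlags -band $inherit) -eq $inherit
}
if (-not $ace) {
    $problems += "No inheritable Modify ACE for $PoolAccount on $WebKnightDir. " +
        "Fix: icacls `"$WebKnightDir`" /grant `"${PoolAccount}:(OI)(CI)M`""
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { 'WebKnight prerequisites look OK.' }
```

The permission check in step 3 applies equally to the IIS 6 worker process mode note, with the account set to the one your application pools use.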

Installation in ISA Server 2000/2004/2006 and ForeFront TMG: Use the scripts ISAInstall.vbs and ISAUninstall.vbs. See this note for more information.

Non-IIS: Look at the documentation of your web server (Note: only web servers with ISAPI filter support can run WebKnight).


Published: 20/08/2002
Document Type: General
Last modified: 12/11/2014
Target: General
Visibility: Public
Language: English

Copyright © 2014 AQTRONIX. All rights reserved.