AQTRONIX WebKnight - Application Firewall for Web Servers

• What is it?
• Features
• Wanted Features
• Install
• Why make this tool?
• Why open source?
• Getting involved
• Contact
• Copyright

What is it?

AQTRONIX WebKnight is an application firewall for IIS and other web servers and is released under the GNU General Public License. More particularly it is an ISAPI filter that secures your web server by blocking certain requests. If an alert is triggered WebKnight will take over and protect the web server. It does this by scanning all requests and processing them based on filter rules, set by the administrator. These rules are not based on a database of attack signatures that require regular updates. Instead WebKnight uses security filters as buffer overflow, SQL injection, directory traversal, character encoding and other attacks. This way WebKnight can protect your server against all known and unknown attacks. Because WebKnight is an ISAPI filter it has the advantage of working closely with the web server, this way it can do more than other firewalls and intrusion detection systems, like scanning encrypted traffic.

-Top-

Features

These are some features of WebKnight.

• Open Source
  WebKnight is free software under the terms of the GNU General Public License.
• Logging
  By default all blocked requests are logged. In addition all allowed requests can be logged as well, or you can run WebKnight in logging only mode. This last operation mode allows you to see the attacks in the log files without blocking them. WebKnight can also prevent blocked attacks from being logged to the web server log files. This way your web server log files will be kept clean.
• HTTP Error Logging
  WebKnight can be configured to log the HTTP errors from the web server. This way you can log common errors like '404 Not Found' or more severe ones like '500 Server Error' to the logfile. Doing so allows you to detect errors in scripts or attacks on them. You can also use it to simply find broken links in your web site or configuration mistakes.
• SSL Protection
  Unlike traditional firewalls, WebKnight can protect encrypted sessions over HTTPS.
• Third-Party Application Protection
  WebKnight not only protects the web server, but can also be configured to protect third-party web server applications, e-commerce web sites or your custom web site.
• RFC compliant
  WebKnight is RFC compliant and also includes the ability to scan the requests for RFC compliance.
• Low Total Cost of Ownership (TCO)
  WebKnight comes with a Windows Installer package and remote installation scripts making it easy to deploy WebKnight in your enterprise. WebKnight also comes with a graphical user interface for changing WebKnight settings.
• Run-Time Update
  Changes to the settings of WebKnight do not require restarting the web server and can thus be done without disrupting any services for your users. For performance reasons, detecting these changes only occurs every 1 minute.

-Top-

Wanted features (I'm working on these)

• Microsoft Management Console
  WebKnight settings can be managed from within the Management Console with an MMC plug-in.
• Central Policy Management
  WebKnight can use a local policy from a file or you can use an enterprise policy in Active Directory.
• Compatible with Web-Based Applications
  WebKnight is compatible with Frontpage Extensions, WebDAV, Flash, Cold Fusion, Outlook Web Access, SharePoint...
• Real-Time Statistics
• Logging to ODBC Database

-Top-

How to install

Installation in IIS with Windows Installer: (for IIS 6.0 see note below!)

Double click the file WebKnight.msi. This will launch Windows Installer and install WebKnight on the local machine. This method will install WebKnight as a global filter on the local machine. If Windows Installer is not installed on your system, you can download it directly from Microsoft:
Windows Installer 2.0 Redistributable for Windows NT 4.0 and 2000
Windows Installer 2.0 Redistributable for Windows 95, 98, and Me

Installation in IIS with scripts:

To install/uninstall WebKnight on the local or remote machine you can use the file install.vbs/uninstall.vbs from the setup folder. This method will install WebKnight as a global filter on the selected host or localhost.

Manual installation as a global filter in IIS:

1. Copy all the files in the Setup folder to a local folder on the server (e.g. C:\Program Files\AQTRONIX WebKnight).
2. Open the IIS snap-in.
3. Right-click the server name (not the site name) under Internet Information Services in the MMC, and then select Properties.
4. Verify that WWW Service is displayed in the Master Properties drop-down list, and click the Edit button.
5. Choose the ISAPI Filters tab, and then click the Add button.
6. In the Filter Properties window, type WebKnight, and enter the full path to WebKnight.dll in the Executable box.
7. Select OK to close each dialog.
8. Review any settings of WebKnight, by running config.exe that you copied locally.
9. Restart IIS.

Manual installation as a site filter in IIS:

1. Copy all the files in the Setup folder to a local folder on the server (e.g. C:\Program Files\AQTRONIX WebKnight\W3SVC1). Note: it is important to have a unique folder for each WebKnight installation!
2. Open the IIS snap-in.
3. Right-click the site name (not the server name) under Internet Information Services in the MMC, and then select Properties.
4. Choose the ISAPI Filters tab, and then click the Add button.
5. In the Filter Properties window, type WebKnight, and enter the full path to WebKnight.dll in the Executable box.
6. Select OK to close each dialog.
7. Review any settings of WebKnight, by running config.exe that you copied locally. (Make sure global filter capabilities are disabled: uncheck 'Is Installed As Global Filter')
8. Restart IIS.

If you want to import your settings from urlscan, you can do that by copying the file urlscan.ini to the WebKnight directory. Delete WebKnight.xml (or rename it) and your settings from urlscan.ini will be imported in a new WebKnight.xml file when you restart your web server. This can be useful if you experienced problems with your urlscan installation and you had to customize the settings of urlscan and want to keep using these settings. If you want to load the default settings again, you can do that by deleting the files WebKnight.xml and urlscan.ini in the directory WebKnight and a new WebKnight.xml will be made with the default settings when you restart your web server.

Installation in IIS 6.0: to run WebKnight as a global filter in IIS 6.0, you have two options:

1. Run IIS in IIS 5.0 Isolation mode (recommended)
2. Continue running IIS in worker process mode but without the global filtering capabilities of WebKnight, and you need a unique log file per process. So you have to make sure you:
   • uncheck 'Is Installed As Global Filter' under Global Filter Capabilities
   • check 'Per Process Logging' under Logging
   • Make sure the account NETWORK SERVICE has change permission on the WebKnight folder and subfolders

Non-IIS: Look at the documentation of your web server (Note: only web servers with ISAPI filter support can run WebKnight).

-Top-

Why make this tool?

Very simple: I wanted to block viruses, script kiddies... and I wanted to prevent them from filling the web server log files and give them a nice legal notice or special response which crashes their script kiddie tool. I also wanted to be able to see all attempts without having to read all the web server log files. A possible solution was intrusion detection. However, this does not stop them, it only warns you, by analysing all the packets that passes your system. This has a second disadvantage because it cannot analyse packets sent over SSL (because it is encrypted of course). So I needed a tool which worked closely with IIS and could block certain requests even over SSL. One such tool was URLScan (free tool from Microsoft). However, I wanted to add functionality (the moment I started coding this tool, MS were at version 2.5 of urlscan) and I wanted to be able to block new attacks before the vendor has released a patch. So I started coding my own "urlscan". Today I can say I have an application that does what urlscan does and so much more...

-Top-

Why open source?

I know the feeling of wanting to add some functionality of some program and not being able to. With a security application like this, it is irresponsible not to make it open source. This way I know others will review the code, hacking the source, making the final product very secure. This is at least what I want to see happening. In fact this program is more than open source: it is free! You have the permission to change it, port it, do whatever you like with it on the condition that you agree with the terms of the GNU General Public License. This license gives you the freedom but also asks to respect and give the same freedom to others!

-Top-

Getting involved

If you want to get involved, no problem :) There's plenty of work to do. We need testing, writing customized xml files or if you're a programmer, we have the list of wanted features or you can help finishing the current work (you can search the source code for "TO DO" and you will find everything that needs to be done. A "to do"-list is also present in the file WebKnight.cpp

-Top-

Contact Information

Website: http://www.aqtronix.com/webknight
E-mail: parcifal@aqtronix.com

-Top-

Copyright

AQTRONIX WebKnight - ISAPI Filter for securing web servers
Copyright 2003 Parcifal Aertssen

This file is part of AQTRONIX WebKnight.

AQTRONIX WebKnight is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License as
published by the Free Software Foundation; either version 2 of the
License, or (at your option) any later version.

AQTRONIX WebKnight is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with AQTRONIX WebKnight; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

-Top-