Can you give me a basic overview of ThreatSentry?
ThreatSentry is a Web Application Firewall and Intrusion Prevention solution that helps system administrators improve web application security and comply with regulatory demands such as Section 6.6 of the Payment Card Industry Data Security Standard. ThreatSentry supports Windows Server 2012, 2008/R2, 2003 and 2000 and IIS 7/8 (native module), 6 (ISAPI Extension) and 5 (ISAPI Filter) on 32 and 64 bit systems.
ThreatSentry’s knowledgebase of pre-configured filters is designed to identify and block a broad range of web application threats including Structured Query Language (SQL) Injection, DoS, Cross Site Request Forgery (CSRF/XSRF), Cross-Site Scripting (XSS) and other attack techniques. ThreatSentry’s conventional defense capabilities are augmented by a behavior-based Intrusion prevention component that profiles typical request activity and detects unusual events and patterns indicative of zero-day and targeted attacks. Default configuration settings are designed to deliver optimal out-of-box performance and administrative ease.
What are the minimum system requirements required to install and run ThreatSentry?
ThreatSentry supports Windows 2000, 2003, 2008 and 2012 Web servers with Microsoft's Internet Information Services (IIS 5, 6, 7, 8). ThreatSentry requires a standard Intel or similar processor (>700 MHz), 64 MB minimum RAM, and at least 50 MB of free disk space.
What is ThreatSentry’s performance under stress and load?
ThreatSentry is designed to support enterprise-grade web application traffic and to handle HTTP/HTTPS request rates exceeding several hundred connections per second.
I just installed ThreatSentry and encountered no installation errors, but the service remains down
The ThreatSentry service may reflect a "Down" status until it processes the first request. You can generate a training event manually by requesting a page from any application/site hosted on the server.
I am trying to test ThreatSentry locally (on the same machine I have it installed on), but nothing shows up in Training Data or the Security Alert Logs. What is the issue?
If you are testing ThreatSentry with a browser or load/stress tool from the same local machine on which you've installed ThreatSentry, make sure that your internal IP address is not on the Trusted IP Addresses list (ThreatSentry Settings Manager > YOUR WEB SERVER NAME > Management > Rules > IP Addresses > Trusted IP Addresses). Otherwise, your requests will not show up in Training Data or the Security Alert Log, as Trusted IP traffic is not logged by ThreatSentry.
If you are concerned about "internal" hackers (employees or partners with access from your LAN), you may not want to trust those internal IP addresses within ThreatSentry, as you will not be able to log any of those Trusted IP Address requests.
If ThreatSentry is going through the training process on a server that's already been compromised, won't the training baseline also be corrupt?
ThreatSentry mitigates this risk by filtering all events generated and captured during the initial training phase against an extensive knowledgebase of commonly known and previously detected threats. Administrators can also manually configure exceptions and specific rules. In short, malicious events are identified during training so that they do not become part of the baseline.
ThreatSentry is blocking legitimate requests -- how can I fix this?
This most likely means that one of your legitimate file and/or directory names in the blocked requests matches an existing ThreatSentry rule/filter. To resolve this, map the rule Type indicated in the Security Alert Log to the relevant signature under the Rules > Requests section of the Settings Manager. The rule can then be modified (tuned, disabled, an Exclude URL rule created, etc.) to address the false positive. Contact Privacyware technical support for assistance.
After I install ThreatSentry, must I continue to run my existing firewall and other security solutions?
ThreatSentry is complementary to and fully compatible with most other popular security solutions that you may have deployed on your system. ThreatSentry can detect and prevent many attacks (e.g. exploitation attempts over HTTP and HTTPS) that evade traditional firewalls and other security appliances or devices. ThreatSentry can also be operated to monitor "internal" activity that occurs behind the firewall and out of the "line of sight" of typical network security products.
What types of data does ThreatSentry monitor and assess?
This version of ThreatSentry is designed specifically to protect Microsoft IIS Web servers.
Have you pre-configured any specific rules or documented any known threats?
ThreatSentry includes a comprehensive knowledgebase of known threat profiles or signatures. This knowledgebase is used for direct filtering of web application requests as well as for establishing the training baseline for the behavioral engine.
Does ThreatSentry actually prevent threats and intrusions?
Yes. ThreatSentry identifies and blocks web application threats such as Structured Query Language (SQL) Injection, DDoS, Cross Site Request Forgery (CSRF/XSRF), Cross-Site Scripting (XSS) and other types of attacks.
What interface is required to integrate ThreatSentry with other applications?
ThreatSentry's Settings Manager is implemented as a Microsoft Management Console (MMC) Snap-in. The data collection component for the service is a Native Module for IIS7 and IIS8, an ISAPI Extension for IIS6 and an ISAPI Filter for IIS5. ThreatSentry relies on Microsoft SQL for filtering rules and for Security Alert and Training event storage.
What is the cost for ThreatSentry and what licensing options are available?
ThreatSentry pricing begins at $649 for a single server license. Volume discounts are applied for orders of five or more. The standard license includes one year of support and software upgrades. Annual support and upgrade contracts can be extended anytime during or after the current contract term. Support agreements that are expired by more than 12 months are not eligible for renewal and require re-purchase of the ThreatSentry software license. Subscription-based pricing for Data Centers and Hosting Service Providers is available. For additional information regarding software licensing, please contact [email protected].
What happens if the license for ThreatSentry expires after 1 year? Would it still run but no longer be upgradable?
Once the support term for ThreatSentry has expired, the software will continue to function normally, but you will be ineligible for software updates or product and/or technical support until the support and maintenance term has been renewed.
What is the proper way to define a Target URL signature exception?
ThreatSentry enables exceptions to be defined for attack signatures appearing in the Target URL portion of the request string. An exception can be defined in terms of where, in relation to the target URL, the attack signature is located, i.e. “Appears Right” (the signature sits at the right-hand end of the target URL) or “Appears Anywhere” (the signature may occur at any position).
For example, www.privacyware.com/cmd.exe would be triggered if the rule was defined using "anywhere" or "right", but www.cmd.exe.privacyware.com would only be triggered if the rule was defined using "anywhere".
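The following is an added example, not ThreatSentry's own code, modelling the two match modes described above so an administrator can predict which mode a signature exception needs before editing a rule. It assumes the target is the host plus path with the query string stripped, and the URLs and signature are constructed for illustration.

```python
# Added example (not ThreatSentry's or Privacyware's code): a minimal model
# of the "Appears Right" and "Appears Anywhere" Target URL match modes.
from urllib.parse import urlsplit


def target_of(request_url: str) -> str:
    """Return the host+path portion that a Target URL rule is assumed to
    inspect (assumption: scheme and query string are not part of it)."""
    if "://" not in request_url:
        request_url = "http://" + request_url
    parts = urlsplit(request_url)
    return (parts.netloc + parts.path).lower()


def signature_triggers(request_url: str, signature: str, mode: str) -> bool:
    """mode 'right'    -> signature must end the target (Appears Right).
       mode 'anywhere' -> signature may occur at any position."""
    target = target_of(request_url)
    sig = signature.lower()
    if mode == "right":
        return target.endswith(sig)
    if mode == "anywhere":
        return sig in target
    raise ValueError(f"unknown mode: {mode}")


def evaluate(urls, signature):
    """Per URL, report which mode(s) fire. The rows that fire only under
    'anywhere' are the candidates for false positives (see the question on
    legitimate requests being blocked) and for a narrower 'right' rule."""
    return {
        url: {m: signature_triggers(url, signature, m) for m in ("right", "anywhere")}
        for url in urls
    }


if __name__ == "__main__":
    # Constructed sample requests: the two from the FAQ plus a benign-looking
    # document path that contains the signature mid-string.
    SAMPLE = [
        "www.privacyware.com/cmd.exe",
        "www.cmd.exe.privacyware.com",
        "https://www.privacyware.com/docs/cmd.exe.html?ref=faq",
    ]
    for url, hits in evaluate(SAMPLE, "cmd.exe").items():
        print(f"{url:55} right={hits['right']!s:5} anywhere={hits['anywhere']}")
```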
How does ThreatSentry handle encrypted traffic?
ThreatSentry is embedded into the web server (IIS) and therefore inspects SSL traffic immediately after it has been decrypted.
How does ThreatSentry's port-level firewall component work?
If an IP is added to the blocked list and the "Firewall - Close All Ports to Blocked IPs" option is OFF, ThreatSentry could still indicate that a bad request from that IP was caused by Type "Blocked IP" (or other Types), as the request is filtered by the Native Module or ISAPI extension (and not by the NDIS driver). If the "Firewall - Close All Ports to Blocked IPs" option is ON, there would be no record of the event in the IIS log or the Security Alert Log (SAL), as the ISAPI extension and IIS never see the request.