05-23-2012 03:42 AM
Dear all,
we are trying to protect a JBOSS web server against a server default configuration vulnerability. This is described at.
How can Palo Alto protect servers against this kind of vulnerability?
Best regards,
Juan Pablo
05-23-2012 12:18 PM
When you set up your security rule, make it as tight as possible.
In this particular case I guess web-browsing would be the proper appid to use (look at http://apps.paloaltonetworks.com/applipedia/ for available appids unless you have access to a PA-device) along with "application-default" as the service (or, even better, set a manual port/ports for this, such as TCP80), like so:
appid: web-browsing
service: TCP80
action: allow
The above is plain SPI (stateful packet inspection, regarding the service option) with the addition of application firewalling (regarding the appid option).
Now, for added security you should enable vulnerability protection as well.
A common setup for vulnerability protection is the following:
critical: block
high: block
medium: block
low: default
informational: default
You can set low and informational to block as well; however, default is recommended in order to lower the risk of false positives (default means that the default action (either allow or block) will be applied according to the default specified by PA themselves).
In order to find out if the IDP function of the PA-device will be able to spot the vuln you linked to, you can search in http://wwapps.paloaltonetworks.com/ThreatVault/
Since your link doesn't have CVE info, I can only guess which of the following detectable threats is the one mentioned in your link:
34765 | JBoss Java Class BeanShellDeployer Directory Traversal Vulnerability | high | CVE-2006-5750, CVE-2010-0738 |
34764 | JBoss Java Class MainDeployer Directory Traversal Vulnerability | high | CVE-2006-5750, CVE-2010-0738 |
34763 | JBoss Server 7 Web Management Console War File Deployment | medium | |
34509 | JBoss Java Class Security Bypass Vulnerability | high | CVE-2010-0738 |
33561 | JBoss JMX Java Class DeploymentFileRepository Directory Traversal Vulnerability | high | CVE-2010-0738 |
33547 | JBoss JMX Console DeploymentFileRepository Directory Traversal Vulnerability | high | CVE-2010-0738 |
33268 | JBoss Java Class DeploymentFileRepository Directory Traversal Vulnerability | high | CVE-2006-5750, CVE-2010-0738 |
You can click on each id to see a more detailed explanation of what the current vuln is about along with references etc.
Then you can take this a few steps further (depending on needs etc).
For example, only allow identified users to be let through your PA-device (using the userid function), or you can allow a particular source IP (and if connected to the internet you can also allow based on country or, for that matter, block specific countries; note however that geoip isn't foolproof but can be helpful to get rid of most of the bad hosts who try to connect to your resources).
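To make the two pieces of advice above concrete, here is a small policy simulation (an added example written for this thread, not code from the original post or from Palo Alto Networks). It models the tight rule (appid web-browsing, service TCP80, allow) and the recommended vulnerability profile, and it resolves the "default" setting the way the post describes: by falling back to the signature's own shipped action. The threat IDs and severities are the ones quoted from Threat Vault above; every default action, the flows, and the threat ID 99001 are constructed placeholders, and the "no rule match means deny" behaviour is a simplification of the real rulebase.

```python
"""Simulate a tight security rule plus a vulnerability-protection profile.

Added example for this thread, not vendor code. Signature IDs/severities come
from the Threat Vault list quoted in the post; default actions, flows and the
ID 99001 are constructed for illustration.
"""
from dataclasses import dataclass

SEVERITIES = ("critical", "high", "medium", "low", "informational")

# Profile from the post. "default" = use the action shipped with the signature.
VULN_PROFILE = {
    "critical": "block",
    "high": "block",
    "medium": "block",
    "low": "default",
    "informational": "default",
}


@dataclass(frozen=True)
class Signature:
    threat_id: int
    name: str
    severity: str
    default_action: str  # constructed; check Threat Vault for the real value


SIGNATURES = {
    34765: Signature(34765, "JBoss BeanShellDeployer Directory Traversal", "high", "alert"),
    34763: Signature(34763, "JBoss 7 Web Mgmt Console War File Deployment", "medium", "alert"),
    34509: Signature(34509, "JBoss Java Class Security Bypass", "high", "block"),
    # constructed low-severity entry so the "default" branch is exercised
    99001: Signature(99001, "hypothetical-low-severity-probe", "low", "alert"),
}


@dataclass(frozen=True)
class Rule:
    application: str
    service: str  # manual port option from the post, e.g. "tcp/80"
    action: str


RULE = Rule(application="web-browsing", service="tcp/80", action="allow")


def effective_action(profile, sig):
    """Resolve the profile setting for one signature's severity."""
    if sig.severity not in SEVERITIES or sig.severity not in profile:
        raise ValueError(f"unknown severity {sig.severity!r}")
    action = profile[sig.severity]
    return sig.default_action if action == "default" else action


def rule_verdict(rule, application, service):
    """App-ID and service must both match; otherwise the flow is denied."""
    if application == rule.application and service == rule.service:
        return rule.action
    return "deny"


def evaluate(rule, profile, event):
    """event: application, service and an optional matched threat_id."""
    verdict = rule_verdict(rule, event["application"], event["service"])
    if verdict != "allow":
        return verdict
    sig = SIGNATURES.get(event.get("threat_id"))
    if sig is None:
        return "allow"  # no signature fired, so the profile has nothing to do
    return effective_action(profile, sig)


def profile_diff(profile_a, profile_b, signatures=SIGNATURES):
    """Signatures whose effective action changes between two profiles."""
    changes = {}
    for tid, sig in signatures.items():
        a, b = effective_action(profile_a, sig), effective_action(profile_b, sig)
        if a != b:
            changes[tid] = (a, b)
    return changes


# Constructed events, not real firewall logs.
EVENTS = [
    {"application": "web-browsing", "service": "tcp/80"},
    {"application": "web-browsing", "service": "tcp/8080"},
    {"application": "ssl", "service": "tcp/80"},
    {"application": "web-browsing", "service": "tcp/80", "threat_id": 34765},
    {"application": "web-browsing", "service": "tcp/80", "threat_id": 34763},
    {"application": "web-browsing", "service": "tcp/80", "threat_id": 99001},
]


def run():
    return [evaluate(RULE, VULN_PROFILE, e) for e in EVENTS]


if __name__ == "__main__":
    for event, verdict in zip(EVENTS, run()):
        print(f"{verdict:6} {event}")
    tightened = dict(VULN_PROFILE, low="block", informational="block")
    print("changed by tightening low/informational:", profile_diff(VULN_PROFILE, tightened))
```

The `profile_diff` call at the end is the practical check behind the post's false-positive remark: it lists exactly which low and informational signatures would flip from their shipped action to block if you tighten the profile, so you can review that list before committing the change.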
05-24-2012 06:24 AM
Hi Mikand,
good point!!!! thank you very much!!!!
Best regards,
Juan Pablo