IBM Security Verify Access – Next Generation Web Application Firewall – Technical Preview

Content

Background

In the past IBM Security Verify Access has provided Web Application Firewall support using the ‘Web Content Protection’ (WCP) functionality.  The engine which is used by the WCP functionality is provided by IBM X-Force and is also used in the Intrusion Protection Systems offered by IBM.  This engine will no longer be maintained by IBM and will go out of support at the end of 2022.  Customers will continue to be able to use the WCP functionality, but no further updates to the rules engine will be available after 2022.

An alternative Web Application Firewall capability, which is based on the ModSecurity rules engine, is being introduced into Verify Accesses Reverse Proxy. 

ModSecurity, sometimes called Modsec, is an open-source web application firewall (WAF). Originally designed as a module for the Apache HTTP Server, it has evolved to provide an array of Hypertext Transfer Protocol request and response filtering capabilities along with other security features across a number of different platforms including Apache HTTP Server, Microsoft IIS and Nginx. 

The platform provides a rule configuration language known as 'SecRules' for real-time monitoring, logging, and filtering of Hypertext Transfer Protocol communications based on user-defined rules.

Although not its only configuration, ModSecurity is most commonly deployed to provide protection against generic classes of vulnerabilities using the OWASP ModSecurity Core Rule Set (CRS).  This is an open-source set of rules written in ModSecurity's SecRules language. The project is part of OWASP, the Open Web Application Security Project.

WebSEAL now incorporates the ModSecurity rules processing engine, which can be enabled on a per request basis, and the IBM Security Verify Access firmware embeds v3.3.2 of the CRS.

In v10.0.4, this has been made available as a ‘technical preview’ or ‘Beta’ functionality.

Configuration

The steps to configure the web application firewall are described in the attached PDF document.

Support

The new Web Application Firewall capability in IBM Security Verify Access v10.0.4.0 is provided as a technical preview only.  IBM discourages its use in mission critical/production environments. Administrators should be prepared to disable this functionality if it causes unexpected behaviour.

IBM Support is available for this new capability; however for this technical preview release, it is limited to tickets raised with a Severity of 4 (lowest).

Standard support for this new capability is targeted in the next release*.

It should also be noted that IBM does not claim responsibility for the OWASP ModSecurity Core Rule Set (CRS) files which are supplied with IBM Security Verify Access.  These files are provided as-is and any issues which are encountered with the Core Rule Set files should be raised using the recommended support procedure for the CRS.

IBM would like to hear any feedback on this capability, please share your experience on the IBM Security Verify Community.

(*) IBM’s statements regarding its plans, directions, and intent are
subject to change or withdrawal without notice at IBM’s sole discretion.

Information regarding potential future products is intended to outline
our general product direction and it should not be relied on in making a purchasing decision.

The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.

Known Issues

Known issues where possible will be tracked here.