Home ยป FAQ

Frequently Asked Questions


Background
Do I need dotDefender if I already have a firewall and/or anti-virus installed?
 
Yes. Application attacks consist of seemingly legitimate HTTP/ HTTPS requests that contain malicious code. Examples include SQL injection, cross-site scripting, session hijacking and more. These dangerous attacks will appear as completely harmless traffic to the network firewall, IPS or anti-virus, and will be allowed to pass through, unless stopped by an application firewall.

Applicure’s dotDefender is a software based application firewall that analyzes all incoming traffic and stops requests that may harm valuable business assets.

Why Intrusion prevention systems (IPS) cannot protect against abuse of Web applications?
 
Many people get confused and mislead by thinking that Firewall and IPS (Intrusion Prevention System) provide overall web application protection. Here we address the most common assumptions about IPS:
 
  • Many IPS systems cannot even look into simple SSL encryption, and are, therefore, relegated to blindly forwarding SSL traffic without inspection.
     
    IPS operate at the network layers, not the application layers. They can only examine HTTP headers, and do not look into the HTML and the URL of requests. IPS systems look at packets on the wire, not entire requests, so they lack the application-specific knowledge to tell a good request from a bad one. Devices that evaluate IP packets or protocols,without an awareness of the application payload cannot provide application protection.
    Without an awareness of the HTML data payload these layer 3 devices cannot recognize and overcome these types of application layer threats.

    Many attacks are not to be recognized without additional information to the authorizing/authentication and prevented.

     
    In addition, IPS cannot understand the intricacies of application languages, thwart session-based application-layer attacks, or detect injection of malicious code.
     
  • Maintenance costs of the system should not be underestimated. So that the system remains safe, it must be supervised and updated regularly.
 
IPS in all in one devices require a large maintenance effort.

 

IPSs also commonly generate false positives, so that aside from offering insufficient Web application security, they also waste IT resources.

 

 
Put all those functions together, and Web application firewalls are able to thwart the many dangerous application exploits that elude network firewalls and IPSs

 

 

What is the difference between software-based Web Application Firewall (WAF) and appliance-based WAF?

 

Appliance deployed in the data center for the protection of machines hosting Web-based applications; these often include additional functionality such as load balancing, acceleration and encryption.

 

 

Host-Based Software Solutions

Network Appliance 
Performance
Have no effect on network performance as they do not break the network infrastructure
Create latency in network traffic due to operation as reverse-proxies and SSL decryption / encryption overhead
 
Data Protection
No need to handle SSL certificates, since the web server handles SSL traffic in the usual manner.
Require concentrating all SSL server certificates within the appliance. This creates a central point for certificate theft by hackers.
 
Application-
Awareness		 Reside on the web server, identifying all installed applications and websites. Rules are adapted specifically per application. "Application-blind" since they are deployed on the network with no relation to the web applications. Need to "learn" the application structures over a long period of time.
Total Cost of Ownership dotDefender starts from $3,995 per server. Applicure Technologies offer variety of pricing programs.The pricing program includes enterprise license offering, perpetual licenses, annual usage licenses and SaaS solutions. Est. price $20,000-30,000 per appliance. Require professional services round the clock due to the dynamic nature of the learning mechanisms.
Deployment & Maintenance 5 minute installation process. No "learning" period. User is not required to have application security knowledge. Antivirus-like plug & play operation. Application-awareness eases the process of defining new rules. Require professional understanding of networking, databases and web application security. Continuous maintenance and configuration. Estimated setup time of one month prior to production.

 

How can dotDefender protect my web server if it does not stop attacks before they get there?

 

dotDefender examines incoming requests when they are opened by the web server. At this position, dotDefender sees the request exactly as the web server sees it, and can stop any malicious attempt in an efficient and timely manner.

What is the difference between dotDefender Monitor and dotDefender?

 

dotDefender Monitor identifies and logs web applications attacks, while the full version identifies and blocks web applications attacks, as well as performing logging activities.
Learn more:
If after installing dotDefender Monitor I want to evaluate dotDefender, what should I do?
 
With two clicks of your mouse, you can fully protect your website and web applications by upgrading to the full dotDefender web application firewall solution:
 

1.Uninstall dotDefender Monitor and download the dotDefender full system for a free 30-day trial. Note that the trial version can be deployed in "Monitor only" mode as well.

2.The installation is simple and only requires a few minutes. Free training and support, as well as automatic live updates, are available should you require assistance.
 

What types of data does dotDefender monitor and assess?

 

dotDefender monitors HTTP requests including: file uploads, web form submissions, XML traffic including all web services (SOAP), VoIP.
In addition, dotDefender can be adapted out-of-the-box to preconfigured applications such as MS-Sharepoint and MS Outlook Web Access.
 

My server was corrupted prior to deploying dotDefender. Can dotDefender help me during the restoration process?

 

Yes, dotDefender can block additional attempts to attack your website while you tend to the application's code fixes and data restore.

Why Web applications require a unique approach?

Application-level attacks evade traditional perimeter security measures

• Application-level attacks (e.g., SQL injection, cross-site scripting, session hijacking, etc.) consist of seemingly legitimate HTTP/ HTTPS requests that cannot be detected by traditional perimeter security methods such as network firewalls, IPS or anti-virus.
• According to Gartner, 75% of all attacks on websites and web applications target the application level and not the infrastructure.
 

Internal Breaches are biggest threat to corporate data

• Businesses’ online presence and internal applications (e.g., CRM, ERP, HR, internal information portals) are using web-based applications to access, store, transmit and manage sensitive data. 
• Today, the security configuration of internal applications has become the first and last line of defense against malicious attacks and data theft.
• 75 percent of organizations in US, UK, France and Germany have had data breaches caused by negligent insiders and 26 percent had a breach caused by a malicious insider. (Ponemon Institute, 2008 Study)
 

Web application security has become a legal requirement

• The PCI DSS stipulates that any company that accepts credit, debit or bank cards must secure its web applications. Section 6.6 requires that companies either install an application layer firewall in front of web applications, or have all custom application code viewed for vulnerabilities by an outside organization that specializes in application security.  Non-compliance with the standard may result in security breaches, lost customers, potential lawsuits and fines.
 
Support
What servers does dotDefender support?

 

dotDefender’s  system requirements

 

 

IIS

Apache 
Server versions
IIS 6.0
IIS 7.0
 1) 1.3.21 or higher
     2.0.42 or higher
     2.2.X
2) Perl Interpreter
3) GLIBC 2.3.2 or higher
Operating Systems
Windows 2008
Windows 2003
Linux (packages: RPM, Debian, Generic)
Solaris 8/9/10-SPARC
Solaris 10-X86
FreeBSD-X86 (6.1 or higher)
MacOS 10-PC Intel

 

Where can I get more help on dotDefender?

We are available to support you!  If you need support or have any questions during dotDefender download, installation or deployment process, please feel free to contact http://applicuresupport.helpserve.com
How do I get support and updates for dotDefender?
 
Our standard maintenance package includes technical support, live updates, and new releases. Signatures are updated automatically, whereas website security rules are sent for approval by the site administrator to support customization.
Evaluate & Purchase
How can I evaluate dotDefender?

 

To evaluate dotDefender simply download the 30 day trial version. The trial version is fully functional and provides all the benefits of a licensed dotDefender system.
What is dotDefender license policy?

 

Our license policy is based on the provision of a perpetual license for the dotDefender software. The license price is on a per web server basis. A standard maintenance package includes technical support, live updates, and new software releases.

Applicure Technologies offer variety of pricing programs for government, education, enterprise, business partners, hosting providers and affiliates. The pricing program includes enterprise license offering, perpetual licenses, annual usage licenses and SaaS solutions. To choose the optimal program for your current and future needs, please complete the Purchase Form and our sales team will contact you shortly.
 

How can I purchase dotDefender?

 

To purchase dotDefender please complete the Purchase form and the Applicure sales team will contact you shortly.
Getting Started
How do I install dotDefender? (UNIX / Windows)

 

After downloading the software and filling in a valid email address  you will receive a license file by email. The email will contain Instructions on installing the license file and activating dotDefender.

download dotDefender

dotDefender for Apache Installation Guide

 

What types of operating modes does dotDefender support?
 
dotDefender can operate in two modes: monitoring or protection. Use monitoring mode to see all the attacks identified by dotDefender. In protection mode, dotDefender will prevent these attacks.
You can customize dotDefender website security rules to your needs. dotDefender supports multiple sites, by allowing you to define different settings for each site. A white list mechanism enriches your website protection customization efforts. For central management, dotDefender can also be integrated with your organization’s network management system.
 
Will dotDefender affect my network and web server resources?

 

There is no impact to the network, since dotDefender works as a web server plug-in. It was designed to consume very little web server resources, and has negligible effect on performance.
How long should the monitoring period for dotDefender last?

 

This would depend on your traffic volumes and the diversity of URI's being accessed.  A typical monitoring period is around one week.
How do I request future features in dotDefender?

 

We always welcome customer input and feature suggestions, which help us learn from their experience and improve dotDefender for the benefit of all our customers. Please complete our contact form with your comments. Your remarks will contribute to new versions of dotDefender.
Technical Support
How do I allow an IP address, or a range of IP addresses?
 
To allow an IP address or a range of IP addresses, add a User-Defined Rule. For further information on the regular expressions, contact Applicure support.
 
Note:  This IP address or range of IP addresses will be Whitelisted for all rules.
1.Open the dotDefender Administration Console.
2.Expand the required Profile.
3.Expand Patterns.
4.Expand Whitelist.
5.Select User Defined.
6.In the right pane, click Add New Rule.
7.In the Rule Type window, select Search in custom fields of HTTP requests and click Next.
8.In the Custom Fields window, select Match with remote address (REMOTE_ADDRESS) from the Standard HTTP Requests fields section click Next.
9.To Whitelist one IP address, in the Create Pattern window, enter the IP address beginning with the caret sign and ending with the dollar sign and add backslashes before each dot (since this is a regular expression field). For example, to Whitelist the IP 192.168.200.100, enter:
^192\.168\.200\.100$
10.To Whitelist a range of IP addresses, in the Create Pattern window, enter a regular expression representing the range. For example, to Whitelist the range 10.20.54.0-10.20.68.255, enter:
^10\.20\.((5[4-9])|(6[0-8]))\.(([0-9])|([1-9][0-9])|(1[0-9][0-9])|(2[0-4][0-9])|(25[0-5]))$
11.In the same window, in the Take Action field, select Whitelist and choose whether to log all events for the IP or not.
12.Click Next.
13.In the Scope to Search window, click Next and then click Finish.
14.Click the arrow for the settings to take effect. The following window appears.

15.Click OK.
How do I allow updates?

 

Open port 80 in the firewall for the following addresses:
services.installshield.com
updates.applicure.com

What is a User-Agent and why does dotDefender block certain browsers?

 

A User-Agent is an HTTP header, containing a string identifying the software being used by the client to connect to the web site. For example, this might be Internet Explorer, Mozilla Firefox, Nokia, or Motorola cellular phones. The Bad User-Agents database is a very effective mechanism for distinguishing legitimate surfers from automatic, malicious tools meant for scanning and attacking the web site. There are borderline situations where a component that has been used by malicious software is also used in legitimate software, especially in auto scripts and bots, for example, Indy library. In this case, see How do I let one "good" User-Agent pass through?
What is a Proxy attack?

 

A proxy attack is an attempt to use your web server as a jumping point to attack other sites. Your web server then attacks other sites.