IBM Cognos Application Firewall (CAF) is a security tool that supplements the existing IBM Cognos 8 security infrastructure at the application level. CAF analyzes, modifies, and validates HTTP and XML requests before the gateways or dispatchers process them, and again before responses are sent to the requesting client or service. It acts as a smart proxy for the IBM Cognos product gateways and dispatchers and shields the IBM Cognos 8 components from malicious data. The most common forms of malicious data are buffer overflows and cross-site scripting (XSS) attacks, delivered either through script injection into valid pages or through redirection to other Web sites.
IBM Cognos Application Firewall (CAF) provides IBM Cognos 8 components with security features that include data validation and protection, logging and monitoring, and output protection.
CAF is enabled by default, and should not be disabled.
You can update CAF independently of the other IBM Cognos 8 components.
For more information about CAF, see the Installation and Configuration Guide, and the Architecture and Deployment Guide.
Validation of input data ensures that the data is in the expected format, based on a set of pre-defined variable rules. HTML variables, XML data, cookie values, and parameters are checked against this set of rules.
CAF performs positive validation of parameters instead of only searching for known script injection tags or common SQL injection signatures. Each parameter is validated against a rule that expects a certain data type in a certain format. If the data does not match the CAF rule, it is rejected.
For inputs whose format is too complex for a simple type check, CAF validates the value against a regular expression pattern, which gives stronger validation than the type check alone.
A common type of attack is to trick a user into visiting a harmful site by modifying a form parameter that holds a return address (an open redirect). The back button and error URL features of a product, which carry such addresses, are a prime target for this type of attack.
CAF restricts the hosts and domains that a back URL may point to. CAF can be configured with a list of host names, including port numbers and domains. If a back URL contains a host or a domain that does not appear in the list, the request is rejected. By default, the host name of the dispatcher is added to the list. You can configure the list using IBM Cognos Configuration.
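The following Python is an added illustration of the two mechanisms described above (positive validation of each parameter against a typed rule, and a host allow-list for back URLs); it is not CAF's own code. The parameter names, the rules, the allowed hosts and the sample requests are all constructed for this example.

```python
"""Positive (allow-list) validation of request parameters, including the
back-URL host check. Added illustration of the approach described above,
not CAF's own code: the parameter names, rules, allowed hosts and sample
requests are all constructed for this example."""
import re
from urllib.parse import urlsplit

# Every accepted parameter is bound to one rule stating the expected type and
# format. A value either matches its rule or the request is rejected, so an
# attack string that evades every known XSS or SQL injection signature is
# still refused because it is not the expected shape.
RULES = {
    "reportId": re.compile(r"i[0-9A-F]{32}"),            # fixed-format object id
    "pageSize": re.compile(r"[1-9][0-9]{0,2}|1000"),     # integer in 1..1000
    "locale":   re.compile(r"[a-z]{2}(?:-[a-z]{2})?"),   # e.g. en or en-us
}

# Hosts (optionally with port) that a back URL may point to. In CAF the
# dispatcher's host name is on the list by default; these values are assumed.
ALLOWED_BACK_HOSTS = {"cognos.example.com", "cognos.example.com:9300"}


def back_url_allowed(url):
    """True only if the back URL points at an allowed host or is a plain
    same-site path. Parsing the URL rather than substring-matching it defeats
    user-info tricks (http://cognos.example.com@evil.example/), scheme-relative
    URLs (//evil.example/) and non-HTTP schemes (javascript:)."""
    try:
        parts = urlsplit(url)
        port = parts.port                     # raises ValueError on a bad port
    except ValueError:
        return False
    if parts.scheme not in ("", "http", "https"):
        return False
    if not parts.netloc:
        # Relative reference: allow only a normal absolute path. "//host" is a
        # scheme-relative URL and "/\host" is treated as one by some browsers.
        return (parts.scheme == "" and url.startswith("/")
                and url[1:2] not in ("/", "\\"))
    host = (parts.hostname or "").lower()
    hostport = f"{host}:{port}" if port else host
    return host in ALLOWED_BACK_HOSTS or hostport in ALLOWED_BACK_HOSTS


def validate_request(params):
    """Check every parameter of a request. Returns (accepted, reason).
    Unknown parameters are rejected as well: an allow-list has no rule for
    them, so there is nothing positive to validate against."""
    for name, value in params.items():
        if name == "backURL":
            if not back_url_allowed(value):
                return False, f"backURL host not in allow-list: {value!r}"
            continue
        rule = RULES.get(name)
        if rule is None:
            return False, f"unknown parameter {name!r}"
        if not rule.fullmatch(value):
            return False, f"parameter {name!r} does not match its rule"
    return True, "ok"


# Constructed sample requests: one clean, the rest carrying typical abuse.
SAMPLE_REQUESTS = [
    {"reportId": "i" + "A" * 32, "pageSize": "50", "locale": "en-us",
     "backURL": "https://cognos.example.com:9300/ibmcognos/"},
    {"reportId": "i" + "A" * 32, "pageSize": "50 OR 1=1"},
    {"reportId": "<script>alert(1)</script>"},
    {"reportId": "i" + "A" * 32,
     "backURL": "http://cognos.example.com@evil.example/"},
    {"reportId": "i" + "A" * 32, "backURL": "//evil.example/phish"},
]


def triage(requests=SAMPLE_REQUESTS):
    """Return the list of (accepted, reason) results; the rejected entries are
    what a CAF-style validation log would record."""
    return [validate_request(r) for r in requests]


if __name__ == "__main__":
    for req, (ok, why) in zip(SAMPLE_REQUESTS, triage()):
        print("ACCEPT" if ok else "REJECT", why, req)
```

Note that the SQL-injection and script-tag payloads are rejected without any signature for them: they simply fail the positive rule for the field. The back-URL check parses the URL instead of looking for the trusted host name as a substring, because the user-info and scheme-relative forms above both contain the trusted name yet send the browser elsewhere.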
For more information, see the Installation and Configuration Guide.
IBM Cognos Application Firewall (CAF) can monitor and log all access to IBM Cognos gateways and dispatchers. Use logging to track possible attacks or misuse of your IBM Cognos applications.
You can configure CAF to log access to a specific file or to use IBM Cognos log application (IPF) logging. If logging is enabled, all requests that fail validation by CAF are logged.
For more information, see the Installation and Configuration Guide.
Tip: You can use the Web server request log to obtain detailed information about the IP address of the source client in a suspected attack.
Many customers use other products, such as eTrust SiteMinder, to filter requests for cross-site scripting attacks. These products block HTTP GET requests that contain specific characters.
CAF encodes the characters that appear in Cascading Style Sheets (CSS) URLs so that such third-party cross-site scripting tools do not block legitimate requests.
The CAF XSS encoding feature applies only to customers who use the IBM Cognos Connection portal.
CAF XSS encoding is disabled by default. To enable this feature, use IBM Cognos Configuration.
For more information, see the Installation and Configuration Guide.
Some error messages may contain sensitive information, such as server names. By default, error message details in IBM Cognos 8 are routed to IPF log files, and the secure error message option is enabled. The information presented to users indicates only the occurrence of an error, without any details.
You can specify who can retrieve full error details that may include sensitive information by changing the Detailed Errors capability in IBM Cognos 8 administration. Typically, this capability is assigned to directory administrators, but you can assign it to other users as well. For more information, see Secured Functions and Features.
For information about retrieving full error details, see View Full Details for Secure Error Messages.
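As an added example of the secure error message pattern described above (not IBM Cognos code), the Python below logs the full detail of every error under a reference id and returns only a generic message unless the caller holds the Detailed Errors capability. The User class, the logger standing in for the IPF log, and the failing content-store call are constructed for the example.

```python
"""Secure error messages: full details go to the log, the user is told only
that an error occurred, and only holders of the Detailed Errors capability
see the detail. Added example, not IBM Cognos code: the User class, the
logger standing in for IPF, and the failing content-store call are constructed."""
import logging
import traceback
import uuid

ipf_log = logging.getLogger("ipf")          # stand-in for the IPF log file
ipf_log.addHandler(logging.NullHandler())

DETAILED_ERRORS = "Detailed Errors"         # capability name from the text


class User:
    def __init__(self, name, capabilities=()):
        self.name = name
        self.capabilities = frozenset(capabilities)


def fetch_from_content_store():
    """Constructed fault whose message leaks an internal server name."""
    raise ConnectionError("cannot reach db-server-01.internal.example:1521")


def render_error(exc, user, secure_error_messages=True):
    """Return the text to show `user` for `exc`.

    Every error gets a reference id that is written to the log together with
    the full detail and stack trace, so an administrator can look the error up
    without the detail ever having been sent to the browser."""
    ref = uuid.uuid4().hex[:12]
    detail = f"{type(exc).__name__}: {exc}"
    trace = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    ipf_log.error("error %s: %s\n%s", ref, detail, trace)
    if secure_error_messages and DETAILED_ERRORS not in user.capabilities:
        return f"An error occurred. Reference {ref}. Contact your administrator."
    return f"Error {ref}: {detail}"


def run_report(user, secure_error_messages=True):
    """Top-level request handler: every exception is routed through render_error."""
    try:
        return fetch_from_content_store()
    except Exception as exc:
        return render_error(exc, user, secure_error_messages)


if __name__ == "__main__":
    print(run_report(User("alice")))
    print(run_report(User("dirAdmin", {DETAILED_ERRORS})))
```

The reference id is the piece that makes the generic message usable: a user can quote it to an administrator, who finds the full record in the log, so hiding the detail costs nothing in supportability.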
Parameter signing protects parameter values against tampering while they are held by a Web browser and sent back to the server. CAF can sign whole parameters or specific parts of the data. Signing is used only in specific situations and is enabled whenever CAF is enabled.
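The Python below is an added illustration of how parameter signing detects tampering; it is not CAF's scheme, whose algorithm and key handling the page does not describe. It uses an HMAC over a canonical encoding of the parameters with a server-side key; the key, the parameter names and the simulated tampering are constructed for the example.

```python
"""HMAC-based parameter signing: sign values before they go to the browser and
verify them when they come back, so tampering is detected. Added illustration,
not CAF's own scheme (CAF's algorithm and key handling are not documented here);
the key, parameter names and sample tampering are constructed."""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode

# Server-side secret. It never leaves the server, so a client that changes a
# signed value cannot produce the matching signature.
SIGNING_KEY = secrets.token_bytes(32)
SIG_FIELD = "sig"


def _canonical(params):
    """Deterministic encoding: sorted keys, so field order cannot alter the MAC."""
    return urlencode(sorted(params.items())).encode()


def sign_params(params, key=SIGNING_KEY):
    """Return a copy of params with a signature over all of them."""
    if SIG_FIELD in params:
        raise ValueError("parameters already signed")
    mac = hmac.new(key, _canonical(params), hashlib.sha256).hexdigest()
    return {**params, SIG_FIELD: mac}


def verify_params(params, key=SIGNING_KEY):
    """Return the parameters without the signature if it is valid, else None.
    compare_digest avoids leaking how many bytes matched through timing."""
    provided = params.get(SIG_FIELD)
    if provided is None:
        return None
    unsigned = {k: v for k, v in params.items() if k != SIG_FIELD}
    expected = hmac.new(key, _canonical(unsigned), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, provided):
        return None
    return unsigned


def round_trip(params, tamper=None):
    """Send params to a (simulated) browser as a query string and read them
    back; `tamper` is a dict of changes the client applies on the way."""
    query = urlencode(sign_params(params))
    returned = dict(parse_qsl(query))
    if tamper:
        returned.update(tamper)
    return verify_params(returned)


# Constructed parameters of the kind a product might hand to the browser.
ORIGINAL = {"reportId": "i" + "A" * 32, "backURL": "https://cognos.example.com/"}

if __name__ == "__main__":
    print(round_trip(ORIGINAL))                                           # verified
    print(round_trip(ORIGINAL, tamper={"backURL": "https://evil.example/"}))  # None
```

Because the signature covers every field, changing a value, adding a field or dropping the signature all cause verification to fail; the server then treats the request as tampered rather than trusting whatever came back from the browser.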