Protect Additional Assets
Last updated
Was this helpful?
Last updated
Was this helpful?
This page discusses how to add additional assets for protection.
When logged in to the open-appsec portal, click on the Assets option in the top navigation menu.
If you have not configured any assets yet, the portal will show the following and a New Asset option will be available. For creating a new Web Application asset, select New Asset->Web Application.
If you configured assets before, you can either click New Web Application or Clone Web Application.
Complete the following details:
Name - choose a clear distinguishable name for your asset
Tags (Optional) - can be used for searches.
Profile - Select the profile you have created during the previous step - make sure to connect your deployed agents to the SaaS management, see here: Connect Deployed Agents to SaaS Management Using Tool (K8s & Linux), Connect Deployed Agents to SaaS Management (Docker)
Step 3: Web Application/API details:
Add the URLs that users/clients will access to reach the application/API - configure at least one host address with optional non-standard port. open-appsec will protect these hosts.
Make sure to also configure the correct port for policy enforcement if you're not using the defaults (port 80 for HTTP and/or port 443 for HTTPS).
Examples:
https://www.acme.com
http://www.acme.com
https://www.acme.com/sales
https://sales.acme.com
https://172.20.20.4:3000 (sets non-standard port 3000 for policy enforcement)
https://sales.acme.com:* (specifying * as port will enforce policy for all destination ports)
Kong Gateway's default ports for inbound traffic for HTTP and HTTPS are 8000 and 8443. APISIX Gateway's default ports for inbound traffic for HTTP and HTTPS are 9080 and 9443.
Make sure to specify those correctly in addition to protocol, hostname and path as described above so that the specified asset will successfully match the traffic to your Gateway.
Define how the Machine Learning engine should distinguish between different API or human users.
Select the method by which different users will be distinguished from one another. The commonly used options are:
X-Forwarded-For Header - When there is a Reverse Proxy or ALB between the Reverse Proxy the agent is running on, and the internet - the original source IP address cannot be seen on the networking level. This option allows the Nano-Agent to identify the original source IP inside the X-Forwarded-For header. No additional parameters are required in the common case where a single Reverse Proxy/ALB is found before the agent's deployment.
Source IP Address - The Nano-Agent uses the source IP address as the identifier. No additional parameters are required.
Define how the Machine Learning engine should distinguish the users that can be trusted.
You may define trusted sources that serve as a baseline for comparison for benign behavior, and how many Users/Addresses must exhibit similar activity for it to really be considered benign by the learning model.
The Web Attacks open-appsec protection is already configured and set to "Learn/Detect" mode. This is visible in the Threat Prevention tab showing the security practices configuration.
At the top of the portal near the right corner, there is an "Enforce" option. Click on it to publish the configuration settings to the already deployed agent.
The color of the Asset in the assets screen represents the asset's state:
Orange: The asset is not connected to an agent
Blue: The asset is connected to an agent in learning mode
Green: The asset is connected to an agent in protection mode
This is explained in more details .
You do not need to make any changes as it is also recommended to start in "Learn/Detect" mode and move to prevent after the Machine Learning engine has reached a high enough learning level as explained .
