AEGIS

Support / FAQ

"Aegis" is a cloud type IPS/WAF
To introduce our system you need to install our agent program
(software that communicates between your server and our system) to your host server.

About installation and technical communication with our main system.

Our agent program "Aegis" needs to be installed to host server holding global IP, working on Linux and windows based machines, including virtual server.

"Aegis" Checks and send by encrypted codes (AES), all log data for all traffic passing through your requested server to our data center, therefor to allow a real time security.

*If an attack is detected by IP or by signature pattern, "Aegis" blocks the corresponding traffic through its iptables.
The number of servers or their software will not affect the function of "Aegis", as the log is written in a form it can decode.

*You do not have to worry about rebooting your server. Our agent program that communicates with the main system is only about the size of one floppy disk, and it will occupy less than 1% of your server's resources.

Here is an outline of our Aegis IPS / WAF.
See the FAQs below for more details about our web security system.

  • Q1 Do I need to install your agent software on our webserver?

    Yes. It is one contract per global IP.

  • Q2 Is there a required webserver version to run your system?

    No, Aegis works on any version.

  • Q3 Will the agent software work on an Apache- or Tomcat-based HTTP server running as a daemon with several IPs?

    The contract is per IP.
    The type of server does not matter as long as the logs are readable (Apache format) by Aegis.
    *On the last page of our presentation sheet you can check the types of log Aegis is able to monitor by default.

    CentOS
    /var/log/secure
    /var/log/messages
    /var/log/maillog

    Debian
    /var/log/auth.log
    /var/log/messages
    /var/log/mail.log

    Windows
    Application.evtx
    Security.evtx
    System.evtx

    Apache
    /var/log/httpd/access_log
    /var/log/httpd/error_log

    Apache2
    /var/log/httpd/access.log
    /var/log/httpd/error.log

    IIS
    Exyymmdd.log
    *Please check the log file name because it may change
    depending on the rotation settings.

  • Q4 Will Aegis still work, or will there be a problem, if we change our host name or URL?

    It depends on the structure. Please ask or inform us beforehand.

  • Q5 Our network is irregular, customized and very complex, and we manage login sessions across several different web servers. How can you install your security system?

    If you have a custom network, we will first sign an NDA and then, depending on the complexity of your network, bring in our engineer or our partner consultant to structure the best solution.

  • Q6 Can you stop DDoS attacks?

    Yes. If our agent program detects that your server is under numerous unauthorized or illegal accesses, it will react and stop them. However, if tremendous traffic is targeting a system placed in front of our program, Aegis will most likely not be able to intervene and react.
    In that case the issue shifts to the data center, network or infrastructure company.
    In addition, as Aegis runs on a cloud system, we set an equivalent threshold to prevent DoS attacks. We also ask you to understand that we set a low threshold for DoS attack detection (even where it is not an attack) to prevent performance failure for our remaining clients.

(1) Questions about functions

  • Q1 Is it possible to prevent cyber hijacking?

    Yes.

  • Q2 Can your system prevent malware, spyware, phishing, spam, etc.?

    Yes.

  • Q3 What is the security level of your main system?

    The security standard of our server is based on FISC (Center for Financial Industry Information Systems) compliance. There is also physical security for access to the main system from the operation center. Access to PCs in the data center is limited to a few IPs and accounts from the control center, and the location is not disclosed for security reasons.

  • Q4 What are the differences between Aegis and a WAF?

    First, let us explain the difference between a WAF and an IPS.
    An IPS protects the platform layer, such as the OS and middleware, whereas a WAF protects the web applications running on the platform. The characteristic of our system is that it is able to accumulate signature patterns targeting both IPS and WAF.

  • Q5 What are the differences between your agent-program (Aegis) type firewall and a security appliance firewall?

    The most distinguishing difference is that an appliance firewall needs dedicated hardware on your network. Therefore you might have to pay several tens of thousands of US$ just for the initial cost, and furthermore pay for the staff who can manage the hardware.
    Unlike that, as our agent program is a cloud system and works as a virtual appliance, there is no initial cost for hardware and no maintenance or management cost either.

  • Q6 Is there a time lag for stopping an attack?

    Technically there is a millisecond-level delay during transmission, but this does not affect our system's ability to react and stop an attack once it is detected.

  • Q7 On which OS does Aegis work?

    FreeBSD (all versions)
    OpenBSD (all versions)
    NetBSD (all versions)
    Solaris 2.7, 2.8, 2.9, 10 and 11
    AIX 5.3, 6.1 and 7.1
    HP-UX 10, 11, 11i
    Windows Server 2003, 2008 and 2012
    MacOSX 10
    VMWare ESX 3.0, 3.5 and 4.0 (including CIS checks)

  • Q8 How long does it take to reconnect after blocking?

    It takes about 10 minutes or more until the rule is deleted from iptables.

  • Q9 Are communications encrypted while sending logs to the virtual appliance?

    Yes, they are sent with AES128.

  • Q10 Is it possible to monitor more than one log file?

    Yes, but some configuration of our agent program is needed.

  • Q11 Is it possible to turn your security off, or in other words ignore certain attacks?

    No, we cannot.

  • Q12 Do you have any deployment experience on cloud services such as AWS or SoftLayer?

    Yes, we have many deployments on both of them.

  • Q13 What specification does the server need in order to run your agent program?

    Memory: 2MB RAM
    CPU: Dual core CPU
    HDD: More than 12GB of free space

  • Q14 How do we handle a mistaken detection?

    There are no false negatives, as Aegis detects on a signature pattern basis. However, we will ask you to follow the procedure below if it happens by any chance.
    • Erase the relevant rule from iptables
    • Temporarily stop the agent program
    • Add the IP address to the whitelist if it is static

  • Q15 How does the security coverage differ between an open source firewall and Aegis?

    For example, if we try to detect attacks using the same signature pattern file on both Aegis and Fail2ban, we can say they are very much alike.
    Aegis has its own reliable signatures, and by combining them with its original signature patterns the detection level is much higher, and no man-hours are needed as updates are automatic.

  • Q16 Can I change or update the version of middleware on the web server and databases after setup?

    Yes, but please let us know if the log signature changes after the update.

  • Q17 Is there any type of server, or old server, that you do not support?

    There might be a few cases. Please contact us directly if your server does not appear on our support list, and we will examine it for you.

  • Q18 Is Aegis a program to protect public servers?

    It is a program to protect servers with a global IP. It does not cover private network hosts.

  • Q19 If I'm using a load balancer, do I need to install Aegis on all servers?

    Even if your load balancer presents a single IP, we recommend a contract per server, installing our program individually, in order to maintain higher security.

  • Q20 What are the merits of introducing Aegis on a VPN?

    We consider the following threats under VPN:

    (1) Threat of unauthorized access and data theft in case of VPN password leakage.
    (2) Threat of brute force attacks to steal your VPN password.
    (3) Threat of DoS attacks (disruption by intense reset requests) against devices allowing VPN communication.
    *Our service is also a solution for those cases.

  • Q21 Is it possible to install on a router?

    In most cases you cannot install any software on a router. Instead of installing, you can set up your router yourself to send syslog to the virtual appliance.
    However, this setting does not block any attack, and the administrator will have to operate the ACL settings.
    *This service is outside our price list, but please feel free to contact us if you wish us to set up your router.

  • Q22 I am afraid we have already been hacked. Is it possible to inspect, find and clean malware and backdoors that have already been set?

    We are able to detect and stop malware and rootkits too, but our program is not aimed at finding and removing backdoor programs that are already in place. Therefore we cannot support malware set before introducing our security system.

  • Q23 Can you regulate access to certain URLs?

    No, we cannot.

  • Q24 Can you stop the Facebook crawler?

    No, because we do not consider a simple signature such as a crawler to be a threat. If you wish, please add it manually to your current FW.

  • Q25 When you say you block the attack by monitoring the log, isn't the reaction going to be too late?

    As Aegis reacts through the traffic log, it needs to receive a few attack requests before intervening. This procedure does not mean we let malicious intrusions through, and our system remains secure.

  • Q26 Our "contact us" (inquiry) page might be under attack. Can Aegis stop it if this is an attack?

    Yes, we can. There is a high chance that this is a type of XSS.

  • Q27 Is there a merit in introducing Aegis on a DNS server?

    Yes, to avoid and prevent DNS changer and hijacking attacks that aim to redirect your URL to the attacker's side.

  • Q28 Does the traffic volume increase while sending the logs?

    Yes, but only by the log data, which is sent in very small packets.

  • Q29 Could there be unauthorized access to our servers even if we restrict the accessible IPs?

    Yes. Even if you limit access using SSH, your server may be under threat if your IP has been hijacked or your webserver is attacked directly.

  • Q30 Can Aegis cover Struts2 weaknesses?

    Yes, we are able to protect against them. Please let us know in advance if you are using Struts2.

(2) Questions about installation

  • Q1 Do I have to hand over root authority? If so, how would you ensure safety?

    It will not be necessary if you can install our agent program yourself. If we install the program for you, you may just give us a temporary password and change it to a new one when our task is over.

  • Q2 How many days are required to launch the service?

    We ask our clients for 5 working days after the application form is filled in, either to finish the installation or to give you the agent key if you plan to do the installation yourself.

  • Q3 What information does the application form require?

    The following information is required for the application.
    ・IP address
    ・OS information
    ・Server location
      (for technical information, please see Q3 below)
    ・POST traffic (if you have it)
    ・Log format you are using
    ・CMS information, if you are using one
    (if you request us to do the installation)
    ・Server login information

    Please contact us, or download and fill in the application form from here.

  • Q4 We would like you to do the installation for us, but we use SSH key login. How will this be possible?

    There is no problem. We will just ask you to send us the key to access your server.

  • Q5 Can you set several recipients for notice emails?

    Yes.

  • Q6 How would the contract be if there are several IP addresses on the same server?

    The contract is per IP. For example, even if one installation is enough for 5 IPs on the same server, the work behind it for collecting and analyzing logs is IP based.

  • Q7 What would the installation involve if we ask you to do it for us?

    The procedures are:

    1. Add a host entry to the hosts file.
     *Adding the virtual appliance server.
    2. Install our agent program.
     *Including acquisition of the package with the wget command.
    3. Configure and activate iptables.
     *Set logging information (add "accept" for the virtual appliance depending on the setting).

  • Q8 Is it possible to set a whitelist? (allow access from specific IPs)

    Yes, please give us the list of IPs you don't want blocked.

(3) Questions asked after the installation

  • Q1 Do I need to manually update the signatures?

    No, you do not have to; signature updates are all automatic.

  • Q2 How often are the signatures updated?

    The updates are on a daily basis.

  • Q3 Will the cost change if we add a new IP on the same server after we have started the service, and we also want it to be monitored?

    The contract is per IP. If you have several IPs you want monitored, whether before or after installing Aegis, we need to know all IP information, as we also have to update and configure our main system.

  • Q4 Is it possible to temporarily stop and restart the service?

    Yes, please send us a request.

  • Q5 Is it possible to just receive email notices and leave the access, including the ones that are detected, unblocked?

    Yes, the price remains the same and we call it IDS mode. You cannot configure the setting yourself, so please give us instructions.

  • Q6 Is there going to be a notice in case of disconnection between the agent and the virtual appliance?

    Yes, and a notice will also be sent after recovery.

  • Q7 What do we do if there is a new log to monitor?

    There is no problem, but you will have to configure the agent program.

  • Q8 Is there going to be any stress on the communication and transmission of data after installing your agent program?

    There is almost no stress, as the CPU load is less than 1%. This is a big advantage compared to hosting-type services.
    However, there might be delays if you are using a very low-spec server or if you are having connection trouble.

  • Q9 We have installed your agent program and checked the communication with the main system, but there is no sign of attacks.

    1. Check that the agent is properly configured. Confirm, or send us for checking, the files below:
     ・/var/ossec/etc/ossec.conf
     ・/var/ossec/logs/ossec.log
     ・Log directory and name of the log file.

    2. Check whether the log format is customized. Confirm, or send us for checking, the items below:
     ・Log format (the LogFormat setting in httpd.conf)
     ・Samples of the Apache access_log and error_log (10-20 lines)

    3. Check whether your network structure has a low risk of external penetration.

(4) More technical questions

  • Q1 What are the conditions and procedures needed for installation on a Linux server?

    We need a compile environment to install Aegis, and we will also ask you to open a hole in your firewall to enable communication with our main system.
    ■For installation
    ・compiler: cc or gcc
    ・command: make

    ■Other
    ・rsyslog or syslog is running
    ・iptables is enabled

  • Q2 What are the conditions and procedures needed for installation on a Windows server?

    We need a build environment to install Aegis, and we will also ask you to open a hole in your firewall to enable communication with our main system.
    ■For installation
    .exe files are executable

  • Q3What are the type of logs you will be collecting?

    Red Hat (Fedora, CentOS, etc.)
     messages
     secure
     maillog

    Debian (Ubuntu, etc.)
     messages
     auth.log
     mail.log

    Windows
     %SystemRoot%\System32\Winevt\Logs\Security.evtx
     %SystemRoot%\System32\Winevt\Logs\Application.evtx
     %SystemRoot%\System32\Winevt\Logs\System.evtx

    apache
     httpd/error_log
     httpd/access_log

    apache2(debian)
     httpd/error.log
     httpd/access.log

    IIS
    exYYMMDD.log

    (Please do not change the log directory once the service has started)

  • Q4 How does the protection work?

    The process works as below:
    For Red Hat Linux: iptables
    For Debian Linux: ipfw
    For Windows: black hole processing in the routing table (metric set to 0)

  • Q5 Can I add rules to iptables?

    Yes, you can; the additional rules will not affect the service.

  • Q6 What kind of log would be detected in case of SQL injection?

    Examples:

    ・access_log
    xxx.xxx.xxx.xxx - - [dd/mm/yyyy:hh:mm:ss -0300] "GET /modules.php?name=Downloads&d_op=modifydownloadrequest&%20lid=-1%20UNION%20SELECT%200,username,user_id,user_password,name,%20user_email,user_level,0,0%20FROM%20nuke_users HTTP/1.1" 200 9918 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR1.1.4322)"

    xxx.xxx.xxx.xxx is the client IP address
    dd/mm/yyyy is day/month/year

    By looking at
    " lid=-1%20UNION%20SELECT%200,username,user_id,user_password,name "
    we can see that this request includes SQL text. We therefore block this request as an SQL attack.

    Detected logs are entries in the Apache access log containing strings such as the following:
    select%20
    select+
    insert%20
    %20from%20
    %20where%20
    union%20
    union+
    where+
    null,null
    xp_cmdshell

  • Q7 What kind of log would be detected in case of cross-site scripting?

    Detected logs are entries in the Apache access log containing strings such as the following:

    %3Cscript
    %3C%2Fscript
    script>
    script%3E
    SRC=javascript
    IMG%20
    %20ONLOAD=
    INPUT%20
    iframe%20

  • Q8 What kind of log would be detected in case of a brute force attack?

    ■Target log: /var/log/secure

    ■Example of log:
    Mmm DD 03:23:10 xxhostnamexx sshd[11380]: Failed password for root from xx.xx.xx.xx port 38426 ssh2

    (presuming that 20 further failures were logged in between)

    Mmm DD 03:23:50 xxhostnamexx sshd[11380]: Failed password for root from xx.xx.xx.xx port 38430 ssh2

    ■Log description
    xxhostnamexx : monitored hostname or IP address
    xx.xx.xx.xx : IP address of origin, i.e. the attacker's IP address
    Failed password : message showing the password failure
    for root : shows a login attempt using the "root" account

    ■Review
    The above example shows 22 login failures within 1 minute. We can tell it is a "brute force attack" as they all came from one IP. The main system adds the IP to its iptables and starts protection.

  • Q9 What kind of log would be detected in case of a DDoS + brute force attack?

    ■Target log: /var/log/secure

    ■Example of log:
    Mmm DD 03:23:10 xxhostnamexx sshd[11380]: Failed password for root from 1.1.1.1 port 38426 ssh2
    Mmm DD 03:23:11 xxhostnamexx sshd[11380]: Failed password for root from 1.1.1.2 port 38427 ssh2
    Mmm DD 03:23:12 xxhostnamexx sshd[11380]: Failed password for root from 1.1.1.3 port 38428 ssh2
    Mmm DD 03:23:13 xxhostnamexx sshd[11380]: Failed password for root from 1.1.1.4 port 38429 ssh2
    Mmm DD 03:23:14 xxhostnamexx sshd[11380]: Failed password for root from 1.1.1.5 port 38430 ssh2
    → Access failures detected within a short time (5 sec):
    detection level raised

    Mmm DD 03:23:30 xxhostnamexx sshd[11380]: Failed password for root from 1.1.1.1 port 38431 ssh2
    Mmm DD 03:23:31 xxhostnamexx sshd[11380]: Failed password for root from 1.1.1.2 port 38432 ssh2
    Mmm DD 03:23:32 xxhostnamexx sshd[11380]: Failed password for root from 1.1.1.3 port 38433 ssh2
    Mmm DD 03:23:33 xxhostnamexx sshd[11380]: Failed password for root from 1.1.1.4 port 38434 ssh2
    Mmm DD 03:23:34 xxhostnamexx sshd[11380]: Failed password for root from 1.1.1.5 port 38435 ssh2
    → Same situation during the following 10 seconds:
    detection level raised again

    Mmm DD 03:23:50 xxhostnamexx sshd[11380]: Failed password for root from 1.1.1.1 port 38431 ssh2
    Mmm DD 03:23:51 xxhostnamexx sshd[11380]: Failed password for root from 1.1.1.2 port 38432 ssh2
    → If the same situation still continues, the system detects a DDoS + brute force attack

    ■Log description
    xxhostnamexx : monitored hostname or IP address
    1.1.1.1 to 1.1.1.5 : IP addresses of origin, i.e. the attackers' IP addresses
    Failed password : message showing the password failure
    for root : shows a login attempt using the "root" account

    ■Description
    We raise the likelihood of a DDoS attack when we detect login failures, including SSH login failures, within a short time, even from different hosts.
    If the situation then does not change, we judge it a DDoS & brute force attack.
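The two sshd detections described in Q8 and Q9 (one source failing many times within a minute, and bursts of failures from several sources that raise the detection level until a DDoS + brute force alert is raised), worked through as an added Python example. This is not Aegis's own code. The thresholds (20 failures in 60 seconds from one IP; 5 distinct IPs within 5 seconds, three bursts in a row), the hostname, the year supplied for the syslog timestamps and the IP addresses in the sample lines are constructed assumptions chosen to match the FAQ's walkthrough.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# sshd "Failed password" line in the syslog layout shown in the FAQ (Q8/Q9).
FAILED_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: '
    r'Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+'
)


def parse_failed_login(line, year=2013):
    """Return (timestamp, source_ip, user) for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    # syslog lines carry no year, so the caller supplies one (assumption: 2013).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["user"]


def detect(lines, single_threshold=20, single_window=60,
           burst_min_ips=5, burst_window=5, burst_levels=3):
    """Run both checks over a stream of log lines and return the alerts raised, in order.

    brute_force      : one IP with >= single_threshold failures inside single_window seconds
    level            : a burst of >= burst_min_ips distinct IPs inside burst_window seconds
                       (detection level raised; the burst window then restarts)
    ddos_brute_force : burst_levels consecutive bursts
    """
    alerts = []
    per_ip = defaultdict(deque)   # ip -> timestamps still inside single_window
    flagged = set()
    recent = deque()              # (ts, ip) still inside burst_window
    level = 0
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed is None:
            continue
        ts, ip, _user = parsed

        # Per-IP sliding window: the classic single-source brute force of Q8.
        q = per_ip[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > single_window:
            q.popleft()
        if len(q) >= single_threshold and ip not in flagged:
            flagged.add(ip)
            alerts.append(("brute_force", ip))

        # Global sliding window over distinct sources: the escalation of Q9.
        recent.append((ts, ip))
        while (ts - recent[0][0]).total_seconds() > burst_window:
            recent.popleft()
        distinct = sorted({i for _, i in recent})
        if len(distinct) >= burst_min_ips:
            level += 1
            recent.clear()          # the next burst must build up from scratch
            alerts.append(("level", level))
            if level >= burst_levels:
                alerts.append(("ddos_brute_force", distinct))
                level = 0
    return alerts


LINE = "Jun 24 03:23:%02d web01 sshd[11380]: Failed password for root from %s port %d ssh2"

# Constructed after Q8: 22 failures from one IP inside a minute.
SINGLE_SOURCE = [LINE % (10 + i, "198.51.100.23", 38426 + i) for i in range(22)]

# Constructed after Q9: three bursts (03:23:10, 03:23:30, 03:23:50), five IPs each.
DISTRIBUTED = [
    LINE % (base + i, f"192.0.2.{i + 1}", 38426 + 5 * n + i)
    for n, base in enumerate((10, 30, 50)) for i in range(5)
]

if __name__ == "__main__":
    print(detect(SINGLE_SOURCE))
    print(detect(DISTRIBUTED))
```

Neither sample trips the other check: the 22 failures come from a single IP, so no burst of distinct sources forms, and each of the five distributed IPs fails only three times in the minute, well under the single-source threshold. Feeding both lists through the same `detect` call would raise both kinds of alert.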

  • Q10 What does "detected potential web scan activities" mean?

    It is detected when several accesses try to reach pages of a website which do not exist, within a short time. As an example, an attacker can try to access pages by typing URLs, to scan for webpages the administrator does not intend to publish.
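The three access-log checks described in Q6, Q7 and Q10 (SQL-injection strings, XSS strings, and a burst of requests for pages that do not exist), worked as one added Python example that is not Aegis's own code. The signature substrings are the ones listed in Q6 and Q7, compared after URL decoding so that `select%20` and `select+` hit the same rule. The web-scan threshold (10 or more 404 responses from one IP within 10 seconds), the sample log lines and their IP addresses are constructed assumptions; the second sample request is the UNION SELECT query quoted in Q6.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Apache combined log format (the default layout the FAQ shows in Q20).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Substrings listed in Q6 and Q7, written in decoded form: the request is
# URL-decoded once first, so "select%20" and "select+" both become "select ".
SQLI_PATTERNS = ["select ", "insert ", " from ", " where ", "union ",
                 "null,null", "xp_cmdshell"]
XSS_PATTERNS = ["<script", "</script", "script>", "src=javascript",
                "img ", " onload=", "input ", "iframe "]


def parse_line(line):
    """Parse one combined-format line into a dict; returns None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["decoded"] = unquote_plus(rec["path"]).lower()   # one decoding pass, case-folded
    return rec


def classify(rec):
    """Return the set of attack classes whose signature substrings appear in the request."""
    hits = set()
    if any(p in rec["decoded"] for p in SQLI_PATTERNS):
        hits.add("sqli")
    if any(p in rec["decoded"] for p in XSS_PATTERNS):
        hits.add("xss")
    return hits


def web_scan_sources(records, threshold=10, window=timedelta(seconds=10)):
    """IPs that drew `threshold` or more 404 responses inside any `window` (sliding, per IP)."""
    by_ip = defaultdict(list)
    for r in records:
        if r["status"] == 404:
            by_ip[r["ip"]].append(r["time"])
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def scan_log(lines):
    """Run all checks over raw lines; returns ({ip: attack classes}, {web-scanning ips})."""
    records = [r for r in (parse_line(l) for l in lines) if r]
    hits = {}
    for r in records:
        kinds = classify(r)
        if kinds:
            hits.setdefault(r["ip"], set()).update(kinds)
    return hits, web_scan_sources(records)


# Constructed sample log (IPs from documentation ranges). The second request is the
# UNION SELECT query quoted in Q6; the third is a constructed XSS probe.
SAMPLE_LOG = [
    '203.0.113.10 - - [24/Jun/2013:04:27:31 +0900] "GET / HTTP/1.1" 200 54 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Jun/2013:04:27:32 +0900] "GET /modules.php?name=Downloads'
    '&d_op=modifydownloadrequest&%20lid=-1%20UNION%20SELECT%200,username,user_id,'
    'user_password,name,%20user_email,user_level,0,0%20FROM%20nuke_users HTTP/1.1" '
    '200 9918 "-" "Mozilla/4.0"',
    '198.51.100.8 - - [24/Jun/2013:04:27:33 +0900] "GET /search?q=%3Cscript%3Ealert(1)'
    '%3C%2Fscript%3E HTTP/1.1" 200 311 "-" "Mozilla/5.0"',
]
# Constructed web-scan burst: twelve requests for pages that do not exist, one IP, 12 seconds.
SAMPLE_LOG += [
    f'198.51.100.9 - - [24/Jun/2013:04:28:{sec:02d} +0900] "GET /hidden{sec:02d} HTTP/1.1" '
    '404 196 "-" "Mozilla/5.0"'
    for sec in range(12)
]

if __name__ == "__main__":
    hits, scanners = scan_log(SAMPLE_LOG)
    for ip, kinds in sorted(hits.items()):
        print(f"{ip}: signature hit {sorted(kinds)}")
    print("web scan from:", sorted(scanners))
```

Decoding once before matching is what makes the `%20` and `+` variants in the FAQ's lists collapse into a single rule each; a request that is double-encoded would need a second pass, which is a policy decision rather than a parsing one.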

  • Q11 Is it possible to look at all logs, including usual access?

    Yes, however they are not raw data; only the malicious patterns are saved, after being reformatted in our virtual appliance.

  • Q12 Is it worth introducing Aegis on a hot standby server, and is there going to be any difference in the price?

    It is 1 contract per main server and 1 contract per hot standby; there is no change in the price. We would also recommend introducing our service, because once the server is connected to the World Wide Web it is exposed to every danger.

  • Q13 If we notice after installation that we are using the same port (Zabbix port 10050 TCP, for example), can we change it?

    Yes, by changing your port to 10060 TCP, for example.

  • Q14 Can I add new rules to iptables?

    Yes, by just following the usual procedure.

  • Q15 Isn't there going to be confusion in the settings if we change the iptables file after the setup?

    It might only occur if there is an intense attack, so the possibility remains very low.

  • Q16 Is it installable on HAProxy?

    Yes, by gathering all logs on the HAProxy host.

  • Q17 Is it possible to cut access when using Tor?

    Yes, but we have to add that it is possible to block an attacker using a Tor address, which does not mean it can block all communication using Tor.

  • Q18 Is there a way to cut HTTP requests where HTTP responses such as cookies and forms have intentionally been modified on the client side?

    No, as Aegis is not designed to secure clients and users' PCs.

  • Q19 What is the traffic load for sending logs to the main system?

    Ex.) 300 accesses in 1 sec
    300 PV/sec × 150 bytes/PV = 45KB
    Just 45KB of load per second.

  • Q20 Can you give me an example of a customized Apache format?

    In the case of Apache:
    123.125.71.109 - - [24/Jun/2013:04:27:31 +0900] "GET / HTTP/1.1" 200 54 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
    *Apache default parameters

    In the case of IIS:
    2007-03-03 01:17:39 66.194.6.79 - W3SVC3 SERVER55 192.168.1.15 80 GET /index.html - 200 0 17691 117 15 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+Q312460) - -
    *fields as below
    date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs(User-Agent) cs(Cookie) cs(Referer)
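An added Python parser for the IIS W3C extended line shown above, following the field order the answer lists; it is not Aegis's own code. It treats `-` as an empty field, converts the numeric fields, restores the spaces that IIS writes as `+` in the user-agent, cookie and referer fields, and returns None when the field count does not match the layout, which is the usual symptom of a customized log format that needs re-mapping. The `#Fields:` handling assumes the standard IIS log header; the sample log is the FAQ's record plus constructed header lines.

```python
# Field order stated in Q20 for the IIS sample (W3C extended log format).
IIS_FIELDS = ("date time c-ip cs-username s-sitename s-computername s-ip s-port "
              "cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes "
              "cs-bytes time-taken cs-version cs(User-Agent) cs(Cookie) cs(Referer)").split()

INT_FIELDS = {"s-port", "sc-status", "sc-win32-status", "sc-bytes", "cs-bytes", "time-taken"}


def fields_from_directive(line):
    """Return the field list declared by a '#Fields:' header line (IIS writes one per log file)."""
    if not line.startswith("#Fields:"):
        raise ValueError("not a #Fields directive")
    return line[len("#Fields:"):].split()


def parse_iis_line(line, fields=IIS_FIELDS):
    """Split one space-delimited IIS record into a dict keyed by W3C field name.

    '-' means "no value" and becomes None, the numeric fields become int, and the '+'
    that IIS substitutes for spaces in cs(User-Agent), cs(Cookie) and cs(Referer) is
    turned back into a space. Returns None for directive lines and for records whose
    field count differs from the layout, the usual sign of a customized log format.
    """
    if line.startswith("#"):
        return None
    parts = line.split(" ")
    if len(parts) != len(fields):
        return None
    rec = {}
    for name, value in zip(fields, parts):
        if value == "-":
            rec[name] = None
        elif name in INT_FIELDS:
            rec[name] = int(value)
        elif name.startswith("cs("):
            rec[name] = value.replace("+", " ")
        else:
            rec[name] = value
    return rec


def parse_iis_log(lines):
    """Parse a whole log, switching to the layout of any '#Fields:' directive encountered."""
    fields = IIS_FIELDS
    records = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = fields_from_directive(line)
            continue
        rec = parse_iis_line(line, fields)
        if rec is not None:
            records.append(rec)
    return records


# The record is the FAQ's IIS example; the header lines are constructed to match it.
SAMPLE_IIS_LOG = [
    "#Software: Microsoft Internet Information Services",
    "#Fields: " + " ".join(IIS_FIELDS),
    "2007-03-03 01:17:39 66.194.6.79 - W3SVC3 SERVER55 192.168.1.15 80 GET /index.html - "
    "200 0 17691 117 15 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+Q312460) - -",
]

if __name__ == "__main__":
    for rec in parse_iis_log(SAMPLE_IIS_LOG):
        print(rec["c-ip"], rec["cs-method"], rec["cs-uri-stem"],
              rec["sc-status"], rec["cs(User-Agent)"])
```

A site whose `#Fields:` header differs from the default is exactly the "customized format" the answer asks customers to report: the directive-driven layout lets the same parser follow it, while a record that still does not fit the declared field count is rejected rather than silently mis-assigned.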

    Please contact us for more questions.

  • Q21 Why can you detect and stop UDP transmissions which are not on your list?

    Our system is also able to detect from UDP as long as the connection is not interrupted.

  • Q22 Can you handle POST method communication?

    Yes, but please tell us the log format, as we need the logging information to configure our virtual appliance.

  • Q23 Does it work if we only enable SELinux?

    Yes.

© AEGIS Server Security