Cognos Application Firewall

Cognos Application Firewall (CAF) is a security tool used to supplement the existing Cognos 8 security infrastructure at the application level. CAF analyzes, modifies, and validates HTTP and XML requests before the gateways or dispatchers process them, and before they are sent to the requesting client or service. It acts as a smart proxy for the Cognos product gateways and dispatchers, and protects the Cognos 8 components against malicious data. The most common forms of malicious data are buffer overflows and cross-site scripting (XSS) attacks, either through script injection in valid pages or redirection to other Web sites.

Cognos Application Firewall (CAF) provides Cognos 8 components with security features that include data validation and protection, logging and monitoring, and output protection.

CAF is enabled by default, and should not be disabled.

You can update CAF independently of the other Cognos 8 components.

For more information about CAF, see the Installation and Configuration Guide, and the Architecture and Deployment Guide.

Data Validation and Protection

Validation of input data ensures that the data is in the expected format, based on a set of pre-defined variable rules. HTML variables, XML data, cookie values, and parameters are checked against this set of rules.

CAF performs positive validation of parameters instead of only searching for known script injection tags or common SQL injection signatures. Each parameter is validated against a rule that expects a certain data type in a certain format. If the data does not match the CAF rule, it is rejected.

To provide even stronger validation, CAF matches regular expression patterns to protect data inputs that use complicated formats.

Valid Domain or Host List

A common type of attack is to trick a user into going to a harmful site by modifying the form parameters. The back button and error URL features of a product provide a prime target for this type of attack.

CAF limits the list of hosts and domains that a back URL can access. CAF can be configured with a list of host names, including port numbers and domains. If a back URL contains a host or a domain that does not appear in the list, the request is rejected. By default, the host name of the dispatcher is added to the list. You can configure the list using Cognos Configuration.
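The host and domain allowlist check described above, as an added illustration that is not CAF's own code: the allowlist values, the rule that a bare host entry matches any port while a `host:port` entry requires that port, and the handling of path-only URLs are all assumptions made for this example.

```python
from urllib.parse import urlsplit

# Constructed sample allowlist (not a Cognos default): host entries may carry
# a port; domain entries match the domain itself and any subdomain of it.
ALLOWED_HOSTS = {"dispatcher.example.com:9300", "portal.example.com"}
ALLOWED_DOMAINS = {"reports.example.com"}


def _host_matches(host, port, entry):
    """A 'host' entry matches any port; a 'host:port' entry requires that port."""
    entry_host, sep, entry_port = entry.lower().rpartition(":")
    if not sep:
        return host == entry.lower()
    return host == entry_host and str(port) == entry_port


def _domain_matches(host, domain):
    """Match the domain itself or any label beneath it, never a look-alike suffix."""
    domain = domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def is_back_url_allowed(url, hosts=ALLOWED_HOSTS, domains=ALLOWED_DOMAINS):
    """Return True only if the back URL targets a listed host or domain."""
    parts = urlsplit(url)
    if not parts.scheme and not parts.netloc:
        # Assumption: a path-only URL stays on the current host, so it is allowed.
        # "//host" and "/\host" are scheme-relative in browsers, so they are not.
        return url.startswith("/") and url[1:2] not in ("/", "\\")
    if parts.scheme not in ("http", "https"):
        return False          # javascript:, data:, file: and the like
    host = parts.hostname     # lower-cased, "user:pass@" stripped by urlsplit
    if not host:
        return False
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False          # malformed port such as ":abc"
    return (any(_host_matches(host, port, h) for h in hosts)
            or any(_domain_matches(host, d) for d in domains))


if __name__ == "__main__":
    for u in ("http://dispatcher.example.com:9300/cgi-bin/cognos.cgi",
              "http://sales.reports.example.com/report",
              "http://portal.example.com@evil.example.net/",
              "http://reports.example.com.evil.net/",
              "http://dispatcher.example.com:8080/"):
        print("ALLOW " if is_back_url_allowed(u) else "REJECT", u)
```

The userinfo trick (`trusted@evil`) and the look-alike suffix (`trusted.com.evil.net`) are the two cases a naive substring check on the URL would pass; a request is rejected here unless the parsed host itself is on the list.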

For more information, see the Installation and Configuration Guide.

Logging and Monitoring

Cognos Application Firewall (CAF) can monitor and log all access to Cognos gateways and dispatchers. Use logging to track possible attacks or misuse of your Cognos applications.

You can configure CAF to log access to a specific file or to use Cognos log application (IPF) logging. If logging is enabled, all requests that fail validation by CAF are logged.

For more information, see the Installation and Configuration Guide.

Tip: You can use the Web server request log to obtain detailed information about the IP address of the source client in a suspected attack.

Cross-Site Scripting (XSS) Encoding

Many customers use third-party applications, such as eTrust SiteMinder, to check for cross-site scripting vulnerabilities. These products block HTTP GET requests that contain specific characters.

CAF encodes characters in Cascading Style Sheets (CSS) with URLs to prevent third-party cross-site scripting tools from blocking the characters.

The CAF XSS encoding feature applies only to customers who use the Cognos Connection portal.

CAF XSS encoding is disabled by default. To enable this feature, use Cognos Configuration.

For more information, see the Installation and Configuration Guide.

Filtering of Error Messages

Some error messages may contain sensitive information, such as server names. By default, error message details in Cognos 8 are routed to IPF log files, and the secure error message option is enabled. The information presented to users indicates only the occurrence of an error, without any details.

You can specify who can retrieve full error details that may include sensitive information by changing the Detailed Errors capability in Cognos 8 administration. Typically, this capability is assigned to directory administrators, but you can assign it to other users as well. For more information, see Securing Functions and Features.

For information about retrieving full error details, see View Full Details for Secure Error Messages.

Parameter Signing

Parameter signing protects parameter values against tampering when they are sent to a Web browser. CAF can sign parameters or specific parts of data. Signing is used only in specific situations. It is enabled when CAF is enabled.