What is the Kaseya Application Firewall?
7.0 introduced the Kaseya Application Firewall (KAF) in order to provide a higher level of security for the overall system. KAF is a software module that is automatically installed as part of 7.0 and terminates incoming/outgoing traffic in order to provide a deeper level of security to mitigate application security attacks.
What does the Kaseya Application Firewall Do?
The KAF terminates web communication and Kaseya related traffic and inspects it prior to sending to internal services on the system or to the external network in order to:
- Reduce the attack surface by exposing fewer ports to the external network
- Simplify network configuration by communicating to the external network on fewer ports
- Centralize logging of communication to/from the server, which can be used for investigative purposes or anomaly detection
- Whitelist external resource requests to ensure they are valid (for example, ensure that external URLs are only for valid product pages to mitigate scanning for open web pages, etc.)
- Alert on and potentially block malicious activity or application security attacks (e.g. XSS, SQL Injection, etc.)
What ports does the Kaseya Application Firewall Use?
In 7.0, KAF transmits and listens on ports 80, 443 and 5721. External traffic is therefore terminated by KAF on ports 80, 443 and 5721, inspected, and then passed to the appropriate service running on the system to service the request (e.g. IIS, KServer, etc.). This protects the internal services because they are no longer directly reachable, while remaining transparent to the external network.
In post-7.0 versions, it is planned that KAF will further consolidate external ports and send/receive all traffic on port 443 only.
Why does Release 7.0 configure IIS to run on port 18081?
During the installation of 7.0, IIS is reconfigured to run on port 18081 and bound to localhost only. Thus, it will no longer be directly addressable from outside of the server and is protected by the Kaseya Application Firewall.
IIS cannot run on the default ports 80 or 443 because KAF uses those ports to communicate with the “outside” world. Inbound web traffic (port 80/443) reaching the server is terminated by KAF, inspected, and passed to IIS on port 18081. Outbound web traffic goes from IIS to KAF on port 18081; KAF translates it to port 80/443 and passes it to the external network.
Why does SSRS (if running on the server) need to have its port configuration changed?
By default, SSRS runs on port 80, which conflicts with KAF. In the first 7.0 beta release, customers are asked to edit the configuration to use port 18086. In the next beta release, the installer will make this change automatically. SSRS then behaves like IIS above (it sends traffic to KAF, and KAF receives external traffic and forwards it internally to SSRS).
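A way to verify this port layout on the server, as an added example that is not Kaseya's code: it parses `netstat -ano` output (a constructed sample is embedded below) and flags any internal service port (IIS 18081, SSRS 18086) that is not bound to localhost, or any KAF port (80, 443, 5721) that is not listening externally.

```python
# Added check (not Kaseya's code): verify the 7.0 port layout from `netstat -ano` output.
import re

# Expected listener policy, taken from the port layout the FAQ describes.
POLICY = {80: "external", 443: "external", 5721: "external",
          18081: "loopback", 18086: "loopback"}

LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

def parse_listeners(netstat_output):
    """Return {port: set(bind addresses)} for TCP LISTENING sockets."""
    listeners = {}
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        addr, port = m.group(1), int(m.group(2))
        listeners.setdefault(port, set()).add(addr)
    return listeners

def check_bindings(netstat_output, policy=POLICY):
    """Return a list of findings; an empty list means the layout matches the policy."""
    listeners = parse_listeners(netstat_output)
    findings = []
    for port, expected in sorted(policy.items()):
        addrs = listeners.get(port)
        if not addrs:
            findings.append(f"port {port}: nothing listening (expected {expected})")
            continue
        # Anything not on a loopback address is reachable from the network.
        exposed = {a for a in addrs if a not in ("127.0.0.1", "[::1]")}
        if expected == "loopback" and exposed:
            findings.append(f"port {port}: bound to {sorted(exposed)}, must be localhost only")
        if expected == "external" and not exposed:
            findings.append(f"port {port}: loopback only, KAF not reachable externally")
    return findings

# Constructed sample: IIS on 18081 correctly bound to localhost, SSRS on 18086
# still exposed on all interfaces (the state before the port change above).
SAMPLE = """\
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4100
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4100
  TCP    0.0.0.0:5721           0.0.0.0:0              LISTENING       4100
  TCP    127.0.0.1:18081        0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:18086          0.0.0.0:0              LISTENING       2816
"""

if __name__ == "__main__":
    for finding in check_bindings(SAMPLE):
        print("FINDING:", finding)
```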
Do you have a port diagram on what the communication looks like?
Yes, please see below:
Can I configure the Kaseya Application Firewall?
At this time, KAF runs transparently on the system and does not have a GUI or user-configurable options.
If KAF terminates web traffic, how does this work with SSL (HTTPS)?
Since KAF terminates web traffic, it will also be the SSL termination point. Thus, if you already have an SSL certificate installed on your IIS server, wish to purchase a certificate and install it on IIS, or use IIS to create your own self-signed certificate, you will be able to export it from IIS and import it into KAF. Please click here for instructions.