Virtual Appliance of the Nemesida WAF

Guide to using Nemesida WAF as a Virtual Appliance (virtual disk for KVM/VMware/VirtualBox).

Content

Virtual Appliance

Yandex VM

All images are based on Debian 11 distribution. The system can be accessed as root without a password. Before using the products, you must update the components of the virtual machine:
# apt update && apt upgrade -y

Virtual Appliance

Filtering node

The image is intended to filter incoming Nginx HTTP(s) requests to the server and contains the following components:

Nginx latest version (Stable);
Dynamic module Nemesida WAF;
Nemesida AI MLA machine learning agent.

To deploy, you need to do the following:
1. Create a virtual machine using image of a virtual disk with a dynamic module Nemesida WAF;
2. Perform basic configuration of Nemesida WAF modules in the file /etc/nginx/nwaf/conf/global/nwaf.conf:

nwaf_license_key – Nemesida WAF license key;
nwaf_sys_proxy – proxy server address (if used);
nwaf_api_proxy – the address of the proxy server (if used) to access the Nemesida WAF API;
nwaf_api_conf – the address of the Nemesida WAF API server for sending information about detected anomalies.

3. After making changes, restart the services:

# systemctl restart nginx mla_main nwaf_update

4. Create a user of the RabbitMQ service for remote connection of the Nemesida AI MLC module:

# rabbitmqctl add_user USER PASSWORD
# rabbitmqctl set_permissions -p / USER ".*" ".*" ".*"

where USER and PASSWORD are the username and password for connecting the Nemesida AI MLC module.
5. Complete the module setup using the Nemesida WAF Cabinet.

Nemesida AI MLC

The image is intended to build behavioral models and identify other anomalies (DDoS L7, brute force attacks, etc.). It contains the machine learning module Nemesida AI MLC.

To deploy, you need to do the following:
1. Create a virtual machine using image of a virtual disk with the Nemesida AI MLC module;
2. Perform the basic configuration of the Nemesida AI MLC module in the file /opt/mlc/mlc.conf:

nwaf_license_key – Nemesida WAF license key;
api_uri – address of Nemesida WAF API for sending information about the status of training models and information about detected anomalies;
rmq_host – connection parameters to the RabbitMQ service on the server with Nemesida WAF. It is allowed to use multiple values separated by a space;
sys_proxy – the address of the proxy server (if used);
api_proxy – the address of the proxy server (if used) to access the Nemesida WAF API;

3. After making changes, restart the service:

# systemctl restart mlc_main

4. Complete the module setup using the Nemesida WAF Cabinet.

Nemesida WAF WEB

The image is intended for configuring the interaction of components with each other, visualizing information about attacks and managing the training of the Nemesida AI module. Contains the following components:

Nginx latest version (stable);
Nemesida WAF API;
Nemesida WAF Cabinet.

To deploy, you need to do the following:
1. Create a virtual machine using image of a virtual disk with modules Nemesida WAF API and Nemesida WAF Cabinet;
2. If a proxy server is used, specify it in the configuration files of the Nemesida WAF API modules and Nemesida WAF Cabinet:

Proxy server settings

in the file /var/www/nw-api/settings.py:
```
PROXY = 'http://proxy.example.com:3128'
```

in the file /var/www/app/cabinet/settings.py:

HTTP_PROXY_CONF = 'http://proxy.example.com:3128'

3. Execute the script for generating unique passwords for DB users, the secret key Django and creating a Nemesida WAF Cabinet administrator:

# /bin/bash /opt/first_launch.sh

The script will be automatically deleted after execution.

Before you start working in your Nemesida WAF Cabinet, read the manual.

Yandex VM

Filtering node

The image is intended to filter incoming Nginx HTTP(s) requests to the server and contains the following components:

Nginx latest version (Stable);
Dynamic module Nemesida WAF;
Nemesida AI MLA machine learning agent.

To deploy, you need to do the following:
1. Create a VM with the dynamic module Nemesida WAF;
2. Perform basic configuration of Nemesida WAF modules in the file /etc/nginx/nwaf/conf/global/nwaf.conf:

nwaf_license_key – Nemesida WAF license key;
nwaf_sys_proxy – proxy server address (if used);
nwaf_api_proxy – the address of the proxy server (if used) to access the Nemesida WAF API;
nwaf_api_conf – the address of the Nemesida WAF API server for sending information about detected anomalies;
nwaf_rmq – connection parameters to the local RabbitMQ service on the server with Nemesida WAF.

Received by the Nemesida WAF dynamic module requests is sent for storage to the local RabbitMQ service, from where it is collected for subsequent processing by the Nemesida AI MLC module. The process of receiving data by the Nemesida AI MLC module is recommended to be performed using a secure connection.

To do this, make changes to the configuration file /etc/nginx/nginx.conf or /etc/rabbitmq/rabbitmq.conf on each VM with the dynamic module installed.

Configuration example for nginx.conf:
...
stream {
        server {
                listen 5673 ssl;
                proxy_pass 127.0.0.1:5672;
                ssl_certificate /etc/nginx/SSL/crt/example.com.crt;
                ssl_certificate_key /etc/nginx/SSL/private/example.com.key;
        }
}
...

The listen 5673 ssl; parameter specifies the port on which the server will accept requests with a secure connection.
For security reasons, it is recommended to allow access to servers only from the IP addresses of virtual machines where the Nemesida AI MLC module is installed, and certificates used for secure connection must be trusted for them.

3. After making changes, restart the services:

# systemctl restart nginx mla_main nwaf_update

4. Create a user of the RabbitMQ service for remote connection of the Nemesida AI MLC module:

# rabbitmqctl add_user USER PASSWORD
# rabbitmqctl set_permissions -p / USER ".*" ".*" ".*"

where USER and PASSWORD are the username and password for connecting the Nemesida AI MLC module.
5. Complete the module setup using the Nemesida WAF Cabinet.

Nemesida AI MLC

The image is intended to build behavioral models and identify other anomalies (DDoS L7, brute force attacks, etc.). It contains the machine learning module Nemesida AI MLC.

To deploy, you need to do the following:
1. Create a VM with the Nemesida AI MLC module;
2. Perform the basic configuration of the Nemesida AI MLC module in the file /opt/mlc/mlc.conf:

nwaf_license_key – Nemesida WAF license key;
api_uri – address of Nemesida WAF API for sending information about the status of training models and information about detected anomalies;
rmq_host – connection parameters to the RabbitMQ service on the server with Nemesida WAF. It is allowed to use multiple values separated by a space;
sys_proxy – the address of the proxy server (if used);
api_proxy – the address of the proxy server (if used) to access the Nemesida WAF API.

For the rmq_host parameter, it is recommended to use the secure connection:
rmq_host = ssl://guest:guest@example.com:5673
To use an arbitrary port, it must be specified, otherwise the standard port 5672 will be used.

Before using a secure connection, it must be configured on each server with the Nemesida WAF dynamic module installed.

If the secure connection is not required, then it can be used:
rmq_host = guest:guest@example.com

3. After making changes, restart the service:

# systemctl restart mlc_main

4. Complete the module setup using the Nemesida WAF Cabinet.

Nemesida WAF WEB

Nginx latest version (stable);
Nemesida WAF API;
Nemesida WAF Cabinet.

To deploy, you need to do the following:
1. Create a VM with modules Nemesida WAF API and Nemesida WAF Cabinet;
2. Execute the script for generating unique passwords for DB users, the secret key Django and creating a Nemesida WAF Cabinet administrator:

# /bin/bash /opt/first_launch.sh

The script will be automatically deleted after execution.

Before you start working in your Nemesida WAF Cabinet, read the manual.