The emergence of increasingly advanced threats is driving many organizations to seek out adaptive security solutions, which enable real-time response and flexible enforcement of custom security policies.
Today Incapsula addresses that need with the release of IncapRules, an extensive scripting language that provides our customers with complete and granular control over their application security.
IncapRules is a proprietary scripting language that allows Incapsula users to implement their own security and access control rules on top of our existing security logic. These rules can be either manually coded or generated via a dedicated GUI that helps users get acquainted with the rule generation process.
IncapRules is supported by a validation feature that helps prevent scripting errors, as well as a revision management system that helps track changes and revert to a previous rule version. Incapsula users are also provided with detailed documentation that further assists with rule generation.
IncapRules coding is supported by a dedicated GUI
IncapRules Basics – Filters, Triggers and Actions
IncapRules syntax was designed for simplicity. As such, it relies on a few dozen descriptively-named ‘Filters’ and a set of logic operators. These elements are combined together to form a ‘Trigger’ that leads to one of the pre-defined ‘Actions’. To demonstrate just how intuitive this language is, a rule that restricts public access to your application’s admin would look like this:
IncapRules Example: Block outside access to all “/admin” URLs
In this case, the Trigger is a combination of two Filters – one to mark the restricted URL and another to prevent access from all external IPs. Overall, IncapRules offers access to dozens of different filters, which allow you to create policies based on:
- HTTP Request Methods (Post or Get)
- Header values
- URL parameters
- Client types (e.g., Browser, Search Engine, Feed Fetched, etc.)
- IPs and Geo-locations
- Access rates on a request or session level
- Pool of 500 pre-defined client signatures (e.g., GoogleAds, CroneTask, WordPress bots, etc.)
The resulting Actions may also vary, with options ranging from ‘Silent Alert’, to initiation of additional challenges (e.g., CATPCHA, JS, etc), to absolute blocking of the specific visitor or even null-routing of all traffic from an IP address.
All in all, with its vast number of possible combinations, IncapRules allows for literally limitless possibilities – giving Incapsula’s users the flexibility they need to deal with any possible security scenario.
Real-Time Policy Implementation
In addition to its usefulness in enforcing security policies, the IncapRules language was also designed to work in conjunction with our recently announced Real-Time Event Monitoring. Thus, when combined, these features allow for instant data-driven responses to newly encountered security threats, while also providing immediate feedback for any action taken.
Real Time Event Monitoring:Some of the available view options
Simply put, you must be aware that user-agents can be fake, IPs can be spoofed, headers can be re-modeled and so on. And so, to provide reliable identification, you need to cross-verify various tell-tale signs to uncover the visitors’ true identity and intentions.
In such cases, when under attack, Incapsula users can leverage the Real-Time view to instantly identify the incoming threat and use that information to craft a case-specific rule. Then, as these rules take root, clients can use the Real-Time view to get live feedback on the results and modify the rule accordingly.
These kinds of management capabilities – combined with Incapsula’s own comprehensive security settings – are enough to cope with any type of threat in the nick of time.