quarantyne: Modern Web Firewall
Quarantyne · Modern Web Firewall
Quarantyne is a reverse proxy written in Java. It fronts a web application or API and protects it from fraudulent behaviour, misuse, bots and cyber-attacks. It cannot stop all of them, but it makes them harder and more expensive to carry out.
It is like a firewall, but smarter: it does not just block traffic because the User-Agent is not on a whitelist. Quarantyne also performs deep request inspection to detect, for example, whether the password used has appeared in a previous data breach or whether the email address is disposable, with minimal configuration and no changes to your application.
Features
Wide coverage of common HTTP threats and misuse
Quarantyne is able to detect the following threats and misuse.
Label | Definition | Behavior | Implemented |
---|---|---|---|
LBD | Large Body Data | Overload the target's form processor with a POST/PUT request whose body is larger than 1 MB | yes |
FAS | Fast Browsing | Request rate faster than regular human browsing | yes |
CPW | Compromised Password | Password used is known from a previous data breach; possible account takeover | yes |
DMX | Disposable Email | Email address belongs to a disposable email service | yes |
IPR | IP Address Rotation | Same visitor is rotating its IP addresses | no |
SHD | Suspicious Request Headers | Abnormal HTTP request headers | yes |
SUA | Suspicious User-Agent | User-Agent not from a regular web browser | yes |
PCX | Public Cloud Execution | IP address belongs to a public cloud service such as AWS or GCP | no |
IPD | IP/Country Discrepancy | Country inferred from the visitor's IP differs from the country field in the submitted request | no |
SGE | Suspicious Geolocation | Requests are not usually received from this geolocation; possible account takeover | no |
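To make the table concrete, here is an added example (not Quarantyne's own code) that reimplements five of the checks above, LBD, FAS, CPW, DMX and SUA, and returns the labels a sample request would earn. Only the 1 MB body limit comes from the table; the rate window and threshold, the disposable-domain list, the breached-password set and the User-Agent pattern are assumptions made for this example, and the sample requests are constructed.

```python
"""Added example, not Quarantyne's own code: a small request labeller that
reimplements five of the checks from the table above (LBD, FAS, CPW, DMX, SUA)
so their labels can be seen on sample requests.  Only the 1 MB body limit
comes from the page; the rate threshold, the disposable-domain list, the
breached-password set and the User-Agent pattern are assumptions made here."""
import hashlib
import re
import time
from collections import defaultdict, deque

MAX_BODY_BYTES = 1_000_000     # LBD: body larger than 1 MB (from the table)
FAST_WINDOW_SECONDS = 10.0     # FAS: sliding window length (assumption)
FAST_MAX_REQUESTS = 20         # FAS: more than this many per window (assumption)

# DMX: constructed sample of disposable-email domains, not a real list.
DISPOSABLE_DOMAINS = {"mailinator.example", "tempmail.example", "10minute.example"}

# CPW: constructed local set of SHA-1 digests of breached passwords.  Kept as
# digests so the proxy holds no cleartext list, and loaded locally so the
# check works offline, as the page requires.
BREACHED_PASSWORD_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest() for p in ("password", "123456", "qwerty")
}

# SUA: constructed pattern for clients that are clearly not a regular browser.
NON_BROWSER_UA = re.compile(r"curl|wget|python-requests|go-http-client|scrapy", re.I)


class Labeller:
    """Assigns threat labels to requests; one instance per proxy process."""

    def __init__(self):
        self._hits = defaultdict(deque)  # client IP -> timestamps in the window

    def label(self, req, now=None):
        """req is a dict with keys ip, method, headers, and optionally body
        (bytes) and form (dict of submitted fields).  Returns sorted labels."""
        now = time.monotonic() if now is None else now
        labels = set()

        # LBD: oversized POST/PUT body
        if req.get("method") in ("POST", "PUT") and len(req.get("body", b"")) > MAX_BODY_BYTES:
            labels.add("LBD")

        # FAS: count this client's requests inside the sliding window
        window = self._hits[req["ip"]]
        window.append(now)
        while window and now - window[0] > FAST_WINDOW_SECONDS:
            window.popleft()
        if len(window) > FAST_MAX_REQUESTS:
            labels.add("FAS")

        form = req.get("form", {})

        # CPW: hash the submitted password and look it up locally
        password = form.get("password")
        if password is not None and hashlib.sha1(password.encode()).hexdigest() in BREACHED_PASSWORD_SHA1:
            labels.add("CPW")

        # DMX: domain part of the submitted e-mail address
        domain = form.get("email", "").rpartition("@")[2].strip().lower()
        if domain in DISPOSABLE_DOMAINS:
            labels.add("DMX")

        # SUA: missing or non-browser User-Agent
        user_agent = req.get("headers", {}).get("User-Agent", "")
        if not user_agent or NON_BROWSER_UA.search(user_agent):
            labels.add("SUA")

        return sorted(labels)


if __name__ == "__main__":
    # Constructed sample request that trips four checks at once.
    sample = {
        "ip": "198.51.100.7", "method": "POST",
        "headers": {"User-Agent": "curl/8.4.0"},
        "body": b"x" * (MAX_BODY_BYTES + 1),
        "form": {"email": "bob@mailinator.example", "password": "password"},
    }
    print(Labeller().label(sample))  # ['CPW', 'DMX', 'LBD', 'SUA']
```

The FAS window is per client IP, which is exactly why the unimplemented IPR label matters: a client that rotates addresses spreads its requests across many windows and stays under the threshold.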
Deep traffic analysis
Quarantyne performs deep inspection of web traffic going to your application to verify that the data being sent is not compromised or junk.
Generic integration
Quarantyne adds extra HTTP headers to each request it proxies to your service. For example, a request flagged as coming from a public cloud provider (the PCX label, listed above as not yet implemented) would bear the following headers:
- X-Quarantyne-Labels: PCX
- X-Quarantyne-RequestId: 08a0e31a-f1a5-4660-9316-0fdf5d2a959d
Active protection
Quarantyne can be configured to stop malicious requests from reaching your servers, avoiding wasted compute/DB/cache resources, skewed metrics, junk data, and so on. See [Passive vs. Active](#passive-vs-active).
Metrics & health reporting
Quarantyne binds to an internal adminPort, where metrics (latencies, success rate…), as well as the health of the proxy, are reported.
Privacy-friendly / GDPR compliance
Quarantyne is offline software. It runs inside your private network and does not communicate over the Internet with anyone to share data about your traffic, your business, or your users.
Ops friendly
Single jar with zero dependencies. Metrics are available at [proxyHost]:[adminPort]/metrics; service health is available at [proxyHost]:[adminPort]/health.
Passive vs. Active
Passive mode
Quarantyne lets you decide how to handle the requests it flags. Its default configuration does NOT block tainted traffic: such traffic reaches your server, labelled as tainted via HTTP headers.
Passive mode is the recommended way to get familiar with Quarantyne and to get a sense of what’s going on inside your web traffic. In your application, log or plot the incoming Quarantyne labels and you might be surprised (or not) by what you find!
Active Mode
In active mode, Quarantyne prevents tainted traffic from reaching your application. Blocking happens only if you explicitly configure Quarantyne to do so. The configuration section explains how traffic blocking can be enabled.
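The "Generic integration" section above describes the headers your application receives, and the passive-mode section suggests logging the labels before turning on blocking. The following added example (not part of the Quarantyne project) is a WSGI middleware for the application behind the proxy that does both: it parses X-Quarantyne-Labels and X-Quarantyne-RequestId, logs one line per request, and optionally applies an app-side block list for labels you will not tolerate even while the proxy is passive. Assumptions made here: multiple labels arrive comma-separated (the page only shows a single label), the application accepts connections only from the proxy's address (otherwise a client could bypass the proxy or forge the headers), and the demo application and sample environ are constructed.

```python
"""Added example, not part of the Quarantyne project: a WSGI middleware for the
application behind the proxy.  It reads X-Quarantyne-Labels and
X-Quarantyne-RequestId from each proxied request, makes the parsed labels
available to the application, and logs one line per request so passive-mode
traffic can be reviewed before blocking is switched on.  Assumptions made
here: labels arrive comma-separated when there is more than one, the
application only accepts connections from the proxy (otherwise the headers
could be forged or the proxy bypassed), and the app-side block list."""
import logging

log = logging.getLogger("quarantyne")


def parse_labels(value):
    """'CPW, dmx,' -> {'CPW', 'DMX'}; a missing or empty header -> empty set."""
    if not value:
        return set()
    return {part.strip().upper() for part in value.split(",") if part.strip()}


class QuarantyneLabelsMiddleware:
    def __init__(self, app, trusted_proxies, app_blocks=()):
        self.app = app
        self.trusted_proxies = frozenset(trusted_proxies)  # addresses of the Quarantyne instances
        self.app_blocks = frozenset(app_blocks)            # labels this app refuses even in passive mode

    def __call__(self, environ, start_response):
        peer = environ.get("REMOTE_ADDR", "")
        request_id = environ.get("HTTP_X_QUARANTYNE_REQUESTID", "-")

        # A request that did not come through the proxy was never inspected and
        # could carry forged headers; refuse it rather than trust the labels.
        if peer not in self.trusted_proxies:
            log.warning("request from %s bypassed the proxy", peer)
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"forbidden\n"]

        labels = parse_labels(environ.get("HTTP_X_QUARANTYNE_LABELS"))
        environ["quarantyne.labels"] = labels
        environ["quarantyne.request_id"] = request_id

        # Passive mode: every flagged request still arrives; record it so the
        # labels can be counted or plotted before any blocking is enabled.
        log.info("rid=%s method=%s path=%s labels=%s", request_id,
                 environ.get("REQUEST_METHOD", "-"), environ.get("PATH_INFO", "-"),
                 ",".join(sorted(labels)) or "-")

        # Optional app-side policy for labels the app will not tolerate even
        # while the proxy itself is passive.
        if labels & self.app_blocks:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"request rejected\n"]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Constructed application: echoes the labels the middleware attached."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [",".join(sorted(environ["quarantyne.labels"])).encode()]


def invoke(app, environ):
    """Minimal WSGI caller: returns (status line, response body bytes)."""
    status = []

    def start_response(s, headers, exc_info=None):
        status.append(s)

    body = b"".join(app(environ, start_response))
    return status[0], body


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    app = QuarantyneLabelsMiddleware(demo_app, trusted_proxies={"10.0.0.5"}, app_blocks={"CPW"})
    # Constructed environ for a request proxied by a Quarantyne instance at 10.0.0.5
    env = {"REMOTE_ADDR": "10.0.0.5", "REQUEST_METHOD": "POST", "PATH_INFO": "/signup",
           "HTTP_X_QUARANTYNE_LABELS": "DMX, SUA",
           "HTTP_X_QUARANTYNE_REQUESTID": "08a0e31a-f1a5-4660-9316-0fdf5d2a959d"}
    print(invoke(app, env))  # ('200 OK', b'DMX,SUA')
```

Keeping the request id in every log line lets you join your application's logs with the proxy's own metrics for the same request. Note that the middleware's app-side block list is a separate decision from Quarantyne's active mode: once active mode is enabled, requests carrying the labels you configured there never reach this code at all.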
Install && Use
Copyright 2018 Edouard Swiac