{
  "authors": [
    {
      "email": "rules@neuralwall.io",
      "name": "NeuralWall Rules Team",
      "org": "NeuralWall"
    }
  ],
  "description": {
    "en": "This scenario covers exposing an HTTPS web server hosted in the DMZ and reachable\nfrom the Internet. It includes inbound SSL decryption (ssl_inbound_inspection) to\nenable L7 inspection of encrypted traffic, along with the DNS dependency rules\nrequired for the service to function. This scenario is particularly sensitive: the\nexposed server is a direct target for public-facing application exploitation, payload\ninjection, and use of the service as a C2 relay. Full security profiles (antivirus,\nIPS, c2_protection, url_filtering, file_control, sandboxing) are mandatory on the\nmain allow rule.\n",
    "fr": "This scenario covers the exposure of an HTTPS web server hosted in the DMZ and reachable\nfrom the Internet. It includes inbound SSL decryption (ssl_inbound_inspection) to\nallow L7 inspection of encrypted traffic, together with the DNS dependency rules\nrequired for the service to function. This scenario is particularly sensitive:\nthe exposed server is a direct target for exploitation of public vulnerabilities,\npayload injection, and abuse of the service as a C2 relay.\nFull security profiles (antivirus, IPS, c2_protection, url_filtering,\nfile_control, sandboxing) are mandatory on the main allow rule.\n"
  },
  "id": "expose_public_https_web_service",
  "mitre_attack": [
    {
      "name": "Exploit Public-Facing Application",
      "tactic": "initial-access",
      "technique_id": "T1190"
    },
    {
      "name": "Application Layer Protocol: Web Protocols",
      "tactic": "command-and-control",
      "technique_id": "T1071.001"
    },
    {
      "name": "Ingress Tool Transfer",
      "tactic": "command-and-control",
      "technique_id": "T1105"
    },
    {
      "name": "Command and Scripting Interpreter",
      "tactic": "execution",
      "technique_id": "T1059"
    }
  ],
  "rules": [
    {
      "action": "allow",
      "application": {
        "app_id": "web_browsing",
        "category": "general_internet",
        "default_ports": [
          "tcp/443",
          "tcp/80"
        ],
        "depends_on": [
          "dns",
          "ssl"
        ],
        "risk": 4
      },
      "decryption": {
        "mode": "ssl_inbound_inspection"
      },
      "direction": "inbound",
      "logging": {
        "log_end": true,
        "log_forwarding": true,
        "log_start": false,
        "profile": "siem_high_priority"
      },
      "rationale": {
        "en": "This rule allows inbound HTTPS traffic from the Internet to the DMZ web server.\nThe ssl_inbound_inspection decryption mode is enabled to allow L7 inspection:\nwithout it, antivirus, IPS, and sandboxing see an opaque stream and cannot detect\nexploits or payloads. Inbound inspection requires the DMZ server's certificate and\nits private key to be installed on the firewall. Security profiles are all set to\nblocking mode (not just alert) because the attack surface is maximal on a\npublic-facing service. Note that url_filtering on an inbound rule categorizes the\nrequested URL, i.e. the DMZ server's own hostname: confirm that hostname is\ncategorized (or allowed in a custom category) before relying on\nuncategorized_action: block, or legitimate requests will be dropped. Port 80 is\nincluded for HTTP→HTTPS redirection; a server-side redirect rule is recommended\nin addition.\n",
        "fr": "This rule allows inbound HTTPS traffic from the Internet to the DMZ web server.\nssl_inbound_inspection decryption is enabled to allow L7 inspection:\nwithout it, antivirus, IPS and sandboxing see an opaque stream and cannot\ndetect exploits or payloads. Inbound inspection requires the DMZ server's\ncertificate and private key to be installed on the firewall. Security profiles\nare all enabled in blocking mode (not just alert) because the attack surface is\nmaximal on a public service. Note that url_filtering on an inbound rule\ncategorizes the requested URL, i.e. the DMZ server's own hostname: confirm that\nhostname is categorized (or allowed in a custom category) before relying on\nuncategorized_action: block, or legitimate requests will be dropped. Port 80 is\nincluded for HTTP→HTTPS redirection; an application-level redirect rule on the\nserver side is recommended as a complement.\n"
      },
      "security_profiles": {
        "antivirus": {
          "action": "block"
        },
        "c2_protection": {
          "action": "block",
          "min_severity": "low"
        },
        "file_control": {
          "block_types": [
            "pe",
            "elf",
            "script",
            "encrypted_archive"
          ],
          "direction": "inbound"
        },
        "ips": {
          "action": "block",
          "min_severity": "medium"
        },
        "sandboxing": {
          "enabled": true,
          "file_types": [
            "pe",
            "pdf",
            "office",
            "jar",
            "script"
          ]
        },
        "url_filtering": {
          "block_categories": [
            "malware",
            "phishing",
            "c2",
            "newly_registered_domain",
            "proxy_avoidance",
            "hacking",
            "compromised"
          ],
          "uncategorized_action": "block"
        }
      },
      "service": {
        "app_default": true,
        "ports": [
          "443",
          "80"
        ],
        "protocol": "tcp"
      },
      "zones": {
        "destination": [
          "dmz"
        ],
        "source": [
          "internet"
        ]
      }
    },
    {
      "action": "allow",
      "application": {
        "app_id": "dns",
        "category": "networking",
        "default_ports": [
          "udp/53",
          "tcp/53"
        ],
        "risk": 2
      },
      "decryption": {
        "mode": "none"
      },
      "direction": "internal",
      "logging": {
        "log_end": true,
        "log_forwarding": true,
        "profile": "siem_default"
      },
      "rationale": {
        "en": "DNS resolution is required for the DMZ web service to function properly (OCSP/CRL\nresolution for certificate validation, upstream dependencies, updates). The flow\nis restricted to a trusted internal resolver (not directly to the Internet) so\nthat a compromised server cannot query attacker-controlled resolvers, which would\nbypass resolver logging and the sinkhole, and to limit the exfiltration surface.\nThe dns_security profile with sinkhole blocks DNS tunneling that could be used as\na covert C2 channel from a compromised server. The service is pinned to udp/53;\nresponses too large for UDP that fall back to tcp/53 (listed in the application's\ndefault ports) will not match this rule and need an explicit tcp/53 rule if the\nresolver returns truncated answers. Decryption not applicable: standard DNS over\nUDP is not encrypted.\n",
        "fr": "DNS resolution is required for the DMZ web service to function properly\n(OCSP/CRL resolution for certificate validation, upstream dependencies,\nupdates). The flow is restricted to a trusted internal resolver (not\ndirectly to the Internet) so that a compromised server cannot query\nattacker-controlled resolvers, which would bypass resolver logging and the\nsinkhole, and to limit the exfiltration surface. The dns_security profile with\nsinkhole blocks DNS tunneling that could be used as a covert C2 channel from a\ncompromised server. The service is pinned to udp/53; responses too large for\nUDP that fall back to tcp/53 (listed in the application's default ports) do\nnot match this rule and need an explicit tcp/53 rule if the resolver returns\ntruncated answers. Decryption not applicable: standard UDP DNS is not encrypted.\n"
      },
      "security_profiles": {
        "dns_security": {
          "action": "block",
          "sinkhole": true
        }
      },
      "service": {
        "app_default": true,
        "ports": [
          "53"
        ],
        "protocol": "udp"
      },
      "zones": {
        "destination": [
          "internal"
        ],
        "source": [
          "dmz"
        ]
      }
    },
    {
      "action": "drop",
      "application": {
        "app_id": "any_application",
        "category": "unknown",
        "risk": 5
      },
      "direction": "outbound",
      "logging": {
        "log_end": true,
        "log_forwarding": true,
        "log_start": true,
        "profile": "siem_high_priority"
      },
      "rationale": {
        "en": "Deny-by-default rule: any traffic initiated from the DMZ toward the Internet that\nis not explicitly covered by an allow rule above is dropped without a TCP reset or\nICMP response (drop, not reject), so a compromised host learns nothing from the\nrejection; every hit is still logged at session start and end and forwarded to\nthe SIEM at high priority, since an outbound attempt from the DMZ is a strong\ncompromise indicator. This rule is critical to contain a compromised DMZ server\nand prevent the establishment of an outbound C2 channel (T1071.001) or data\nexfiltration. The 'any_application' app_id with 'unknown' category is justified\nhere: this is a catch-all blocking rule, not an allow rule.\n",
        "fr": "Deny-by-default rule: any traffic initiated from the DMZ toward the Internet\nthat is not explicitly covered by an allow rule above is dropped without a TCP\nreset or ICMP response (drop, not reject), so a compromised host learns nothing\nfrom the rejection; every hit is still logged at session start and end and\nforwarded to the SIEM at high priority, since an outbound attempt from the DMZ\nis a strong compromise indicator. This rule is critical to contain a compromised\nDMZ server and prevent the establishment of an outbound C2 channel (T1071.001)\nor data exfiltration. The app_id 'any_application' with category 'unknown' is\njustified here: this is a catch-all blocking rule, not an allow rule.\n"
      },
      "service": {
        "protocol": "any"
      },
      "zones": {
        "destination": [
          "internet"
        ],
        "source": [
          "dmz"
        ]
      }
    }
  ],
  "schema_version": "1.0.0",
  "threat_model": {
    "attacker_goal": {
      "en": "Gain initial access on the DMZ server by exploiting the public HTTPS service,\ndrop a payload or implant, then establish an outbound C2 channel or pivot into\nthe internal network (privilege escalation, lateral movement).\n",
      "fr": "Gain initial access on the DMZ server by exploiting the public HTTPS service,\ndrop a payload or implant, then establish an outbound C2 channel or pivot toward\nthe internal network (privilege escalation, lateral movement).\n"
    },
    "key_controls": [
      "ssl_inbound_inspection",
      "ips",
      "antivirus",
      "sandboxing",
      "c2_protection",
      "file_control",
      "dns_security"
    ],
    "summary": {
      "en": "A web service directly exposed to the Internet represents the widest attack surface\nof a perimeter. The attacker attempts to exploit an application vulnerability\n(public CVE, injection, misconfiguration) to gain initial access on the DMZ, then\nmove laterally toward the internal network. Without inbound SSL decryption, L7\ninspection is blind: antivirus, IPS, and sandboxing see only an opaque stream.\nWith ssl_inbound_inspection, the firewall decrypts the stream with the server's\nown key, inspects it, and re-encrypts it toward the server: the server certificate\nand its private key must be imported into the firewall. Forward-secret key\nexchange (ECDHE, TLS 1.3) cannot be decrypted passively from the key alone, so the\nfirewall must terminate the session inline for those cipher suites.\n",
      "fr": "A web service exposed directly on the Internet is the widest attack surface of\na perimeter. The attacker seeks to exploit an application vulnerability (public\nCVE, injection, misconfiguration) to gain initial access on the DMZ, then move\nlaterally toward the internal network. Without inbound SSL decryption, L7\ninspection is blind: antivirus, IPS and sandboxing see only an opaque stream.\nWith ssl_inbound_inspection, the firewall decrypts the stream with the server's\nown key, inspects it and re-encrypts it toward the server: the server certificate\nand its private key must be imported into the firewall. Forward-secret key\nexchange (ECDHE, TLS 1.3) cannot be decrypted passively from the key alone, so\nthe firewall must terminate the session inline for those cipher suites.\n"
    }
  },
  "title": {
    "en": "Exposing a public HTTPS web service from the Internet to the DMZ",
    "fr": "Exposing a public HTTPS web service from the Internet to the DMZ"
  },
  "trust_tier": "reviewed",
  "version": "1.0.0"
}
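The description and rationales above state invariants the rule set must hold (full security profiles in block mode on the Internet-facing allow rule, inbound decryption on that rule, DMZ DNS pinned to the internal resolver with a sinkhole, a logged deny-by-default catch-all closing the set, no any_application on allow rules). As an added example, not NeuralWall's own tooling, the following Python linter makes those invariants mechanically checkable over a scenario document of this shape. The embedded SCENARIO is a constructed, trimmed copy of the rule set on this page; the check names, severities, the helper functions and the without_decryption negative case are this example's own choices, not part of the schema.

```python
import copy

# Constructed copy of the scenario above, trimmed to the fields the linter reads.
SCENARIO = {
    "rules": [
        {
            "action": "allow",
            "application": {"app_id": "web_browsing", "default_ports": ["tcp/443", "tcp/80"]},
            "decryption": {"mode": "ssl_inbound_inspection"},
            "logging": {"log_end": True, "log_forwarding": True},
            "security_profiles": {
                "antivirus": {"action": "block"},
                "c2_protection": {"action": "block", "min_severity": "low"},
                "file_control": {"direction": "inbound"},
                "ips": {"action": "block", "min_severity": "medium"},
                "sandboxing": {"enabled": True},
                "url_filtering": {"block_categories": ["malware", "phishing", "c2"], "uncategorized_action": "block"},
            },
            "service": {"app_default": True, "ports": ["443", "80"], "protocol": "tcp"},
            "zones": {"destination": ["dmz"], "source": ["internet"]},
        },
        {
            "action": "allow",
            "application": {"app_id": "dns", "default_ports": ["udp/53", "tcp/53"]},
            "logging": {"log_end": True, "log_forwarding": True},
            "security_profiles": {"dns_security": {"action": "block", "sinkhole": True}},
            "service": {"app_default": True, "ports": ["53"], "protocol": "udp"},
            "zones": {"destination": ["internal"], "source": ["dmz"]},
        },
        {
            "action": "drop",
            "application": {"app_id": "any_application"},
            "logging": {"log_end": True, "log_forwarding": True, "log_start": True},
            "service": {"protocol": "any"},
            "zones": {"destination": ["internet"], "source": ["dmz"]},
        },
    ],
}

# Profiles the scenario description declares mandatory on the Internet-facing allow rule.
MANDATORY_PROFILES = {"antivirus", "ips", "c2_protection", "url_filtering", "file_control", "sandboxing"}


def service_ports(rule):
    """Set of 'proto/port' strings a rule's service matches (empty for protocol 'any')."""
    svc = rule["service"]
    return {f"{svc['protocol']}/{p}" for p in svc.get("ports", [])}


def lint(scenario):
    """Return (severity, rule_index, message) findings; no 'error' entries means the scenario passes."""
    findings, rules = [], scenario["rules"]
    for i, rule in enumerate(rules):
        app, zones, profiles = rule["application"], rule["zones"], rule.get("security_profiles", {})
        if rule["action"] != "allow":
            continue
        if app["app_id"] == "any_application":  # catch-alls belong only on drop rules
            findings.append(("error", i, "allow rule uses any_application"))
        if not rule["logging"].get("log_forwarding"):
            findings.append(("error", i, "allow rule does not forward logs to the SIEM"))
        defaults = set(app.get("default_ports", []))
        if extra := service_ports(rule) - defaults:
            findings.append(("error", i, f"service ports {sorted(extra)} outside app defaults"))
        if missing := defaults - service_ports(rule):  # e.g. tcp/53 fallback for truncated DNS answers
            findings.append(("warning", i, f"app default ports {sorted(missing)} not matched by service"))
        if "internet" in zones["source"]:
            # Internet-facing allow rule: decrypt inbound and enforce every mandatory profile in block mode.
            if rule.get("decryption", {}).get("mode") != "ssl_inbound_inspection":
                findings.append(("error", i, "internet-facing allow rule without ssl_inbound_inspection"))
            for name in sorted(MANDATORY_PROFILES - set(profiles)):
                findings.append(("error", i, f"missing mandatory profile {name}"))
            for name in ("antivirus", "ips", "c2_protection"):
                if name in profiles and profiles[name].get("action") != "block":
                    findings.append(("error", i, f"profile {name} is not in block mode"))
            if profiles.get("url_filtering", {}).get("uncategorized_action") == "block":
                findings.append(("warning", i, "uncategorized_action=block inbound: the server's own hostname must be categorized"))
        if app["app_id"] == "dns" and "dmz" in zones["source"]:
            # DMZ DNS goes to the internal resolver only, with the sinkhole profile.
            if zones["destination"] != ["internal"]:
                findings.append(("error", i, "DMZ DNS not restricted to the internal zone"))
            if not profiles.get("dns_security", {}).get("sinkhole"):
                findings.append(("error", i, "DMZ DNS without dns_security sinkhole"))
    last = rules[-1]  # the deny-by-default catch-all must close the rule set and be fully logged
    if not (last["action"] == "drop" and last["zones"] == {"destination": ["internet"], "source": ["dmz"]}
            and last["service"].get("protocol") == "any" and last["logging"].get("log_start")):
        findings.append(("error", len(rules) - 1, "final rule is not a logged dmz->internet catch-all drop"))
    return findings


def errors(findings):
    return [f for f in findings if f[0] == "error"]


def without_decryption(scenario):
    """Constructed negative case: inbound decryption switched off and sandboxing removed."""
    bad = copy.deepcopy(scenario)
    bad["rules"][0]["decryption"]["mode"] = "none"
    del bad["rules"][0]["security_profiles"]["sandboxing"]
    return bad


if __name__ == "__main__":
    for finding in lint(SCENARIO) + lint(without_decryption(SCENARIO)):
        print(*finding)
```

Run against the page's own rule set the linter reports no errors but two warnings: the DNS service is pinned to udp/53 while the application also declares tcp/53, and uncategorized_action is block on an inbound rule where the categorized URL is the DMZ server's own hostname. The negative case shows the two errors a reviewer should refuse to merge: decryption disabled on the Internet-facing rule and a mandatory profile missing.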