Tuesday 8 May 2012

Cognos Application Firewall (CAF)


Got this from the Ironside Group:
http://www.ironsidegroup.com/2010/01/29/understanding-the-cognos-application-firewall/

Basic idea

The firewall analyses HTTP and XML requests before the gateway or dispatcher processes them.

"IBM Cognos Application Firewall (CAF) is a security tool used to supplement the existing IBM Cognos 8 security infrastructure at the application level. CAF analyzes, modifies, and validates HTTP and XML requests before the gateways or dispatchers process them, and before they are sent to the requesting client or service. It acts as a smart proxy for the IBM Cognos product gateways and dispatchers, and protects the IBM Cognos 8 components from malicious data. The most common forms of malicious data are buffer overflows and cross-site scripting (XSS) attacks, either through script injection in valid pages or redirection to other Web sites."

What does the gateway URI do?

Note - The dispatcher is the Cognos server component itself; the gateway is not a separate Cognos server but a module (CGI, ISAPI or Apache module) installed on the web server that forwards requests to the dispatcher. Requests can also be sent directly to the dispatcher URI, but for security reasons the gateway is placed in front of it so that the dispatcher is not exposed to clients directly.


How does it work?

Request Validation

The Cognos Application Firewall examines all URLs that originate or terminate within your installation of IBM Cognos 8. If a URL contains a host name that does not match those that were configured on the Environment page of your Cognos Configuration application, then it will be rejected by default. This is to prevent a scenario where a user may be unknowingly directed to a malicious site, or even a site that is masquerading as IBM Cognos where their login or personal information may be captured and later used to compromise the system.
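The host check described above, written out as an added example; this is not code from the original article or from CAF itself. The configured host names are made up, the rule that an entry starting with "." also matches hosts under that domain is an assumption of this example (CAF's own matching is not documented on this page), and relative URLs are accepted because they can only point back into the same installation. The point a practitioner should take from it is that the host must be taken from a real URL parser after normalisation: a naive substring check passes "http://cognos.example.com@evil.example/" and "//evil.example/", both of which land the user somewhere else.

```python
from urllib.parse import urlsplit

# Constructed configuration: the hosts an administrator would have listed on the
# Cognos Configuration "Environment" page (names made up for this example).
# An entry beginning with "." is treated as a domain suffix; that suffix rule is
# an assumption of this example, not a statement about CAF's matching logic.
VALID_HOSTS = {"cognos.example.com", ".corp.example.com"}


def host_allowed(host: str, valid_hosts=VALID_HOSTS) -> bool:
    """Exact match, or suffix match for entries written as '.domain'."""
    host = host.lower().rstrip(".")
    for entry in valid_hosts:
        entry = entry.lower()
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def validate_url(url: str, valid_hosts=VALID_HOSTS) -> bool:
    """Return True only if the URL is relative or its host is a configured host.

    urlsplit() resolves userinfo tricks such as
    'http://cognos.example.com@evil.example/' to the real host 'evil.example',
    so they are rejected like any other foreign host.
    """
    # Browsers treat backslashes as slashes, so '/\evil.example' would become a
    # scheme-relative URL; normalise before parsing so we see what they see.
    url = url.replace("\\", "/")
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("", "http", "https"):
        return False  # javascript:, data:, etc. are never a valid back URL
    if parts.netloc == "":
        # No authority at all: a plain path such as /ibmcognos/cgi-bin/cognos.cgi
        # stays inside the installation.  A scheme with no host is rejected.
        return parts.scheme == ""
    return host_allowed(parts.hostname or "", valid_hosts)
```

Anything that carries a host the administrator did not list is refused, including a host that merely starts with a trusted name ("cognos.example.com.evil.example"), which is the masquerading case the paragraph warns about.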

Error Message Obfuscation

The CAF will prevent any non-administrative user from ever seeing the actual details of any error message generated by the system. Instead, the dispatcher will supply a numeric SecureError ID which can then be referenced by an administrator within the server log file in order to extract the true details of this error message. This prevents users from obtaining potentially damaging information from detailed error messages, which often contain application and database server names, as well as application or query information that could be used by a savvy hacker to develop a targeted attack that could compromise either IBM Cognos or potentially any of the systems with which it interfaces.
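The pattern behind the SecureError ID, as an added example rather than CAF's own implementation: the full error is written to the server-side log under a freshly generated ID, and a non-administrative user receives only that ID with a fixed wording. The in-memory log, the failing report, the database host name in its message and the numeric ID format are all constructed for this example.

```python
import logging
import secrets
from typing import Optional

# In-memory stand-in for the dispatcher's server log so the example runs offline.
# Constructed for this example; a real deployment writes to the server log file.
SERVER_LOG: dict = {}

log = logging.getLogger("dispatcher")


class ReportError(Exception):
    """A failure whose message leaks internals (constructed for this example)."""


def secure_error(exc: Exception, is_admin: bool):
    """Return (error_id, message_for_the_user).

    The full detail is always recorded server-side under a fresh SecureError ID.
    An administrator sees the detail inline; anyone else sees only the ID and a
    fixed wording, so the response reveals nothing about which backend failed.
    """
    error_id = str(secrets.randbelow(10**12))  # numeric ID; the format is an assumption
    detail = f"{type(exc).__name__}: {exc}"
    SERVER_LOG[error_id] = detail
    log.error("secureErrorId=%s %s", error_id, detail)
    if is_admin:
        return error_id, f"[{error_id}] {detail}"
    return error_id, ("An error occurred. Contact your administrator and quote "
                      f"SecureError ID {error_id}.")


def lookup(error_id: str) -> Optional[str]:
    """What the administrator does with the ID a user reports: fetch the real detail."""
    return SERVER_LOG.get(error_id)


def run_report(is_admin: bool):
    """Simulate a report run that fails with a message full of internals."""
    try:
        raise ReportError("login failed for user 'cognos' at "
                          "db-prod-01.corp.example.com:1521 (ORA-01017)")
    except ReportError as exc:
        return secure_error(exc, is_admin)
```

The check worth keeping from this: the text returned to a non-administrator must contain none of the server names, user names or driver error codes from the underlying exception, only the opaque ID.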

Parameter Signing

The CAF also provides parameter signing, where a unique key or signature is generated and appended to report parameters by the application when a URL is constructed. Those signatures are then checked by the dispatcher when it receives the request to ensure that it originated from a trusted source and was not tampered with between the client and the application.
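Parameter signing as described above, as an added example that is not CAF's code and does not claim to use CAF's algorithm: the application signs the canonicalised query parameters with a server-side HMAC-SHA256 key and appends the signature; the receiving side recomputes it and compares in constant time. The key, the "sig" parameter name and the sample report URL are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed server-side secret. A real deployment generates and stores this key
# once and never sends it to the client; the client can carry signatures but
# cannot produce them.
SIGNING_KEY = secrets.token_bytes(32)
SIG_PARAM = "sig"  # signature parameter name; an assumption of this example


def _canonical(params) -> str:
    """Sort name/value pairs so the same logical query always signs identically,
    regardless of the order in which the application emitted the parameters."""
    return urlencode(sorted(params))


def sign_params(params, key=SIGNING_KEY) -> str:
    return hmac.new(key, _canonical(params).encode(), hashlib.sha256).hexdigest()


def build_signed_url(base: str, params, key=SIGNING_KEY) -> str:
    """What the application does when it constructs a report URL."""
    params = [(k, v) for k, v in params if k != SIG_PARAM]
    signed = params + [(SIG_PARAM, sign_params(params, key))]
    return f"{base}?{urlencode(signed)}"


def verify_signed_url(url: str, key=SIGNING_KEY) -> bool:
    """What the dispatcher does on receipt.

    Every parameter except the signature is fed back into the MAC, so changing a
    value, adding or removing a parameter, or dropping the signature all fail.
    hmac.compare_digest() avoids leaking how many leading bytes matched.
    """
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    sigs = [v for k, v in pairs if k == SIG_PARAM]
    if len(sigs) != 1:
        return False  # missing or duplicated signature
    params = [(k, v) for k, v in pairs if k != SIG_PARAM]
    return hmac.compare_digest(sign_params(params, key), sigs[0])
```

Because the query is canonicalised before signing, reordering parameters does not invalidate a signature, but any change to a value, including the report path, does.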
