Mulesoft with Wallarm Policy
MuleSoft is an integration platform that enables seamless connectivity and data integration between services with an API gateway serving as the entry point for client applications to access APIs. With Wallarm, you can secure APIs on the Mulesoft Anypoint platform using the Wallarm policy. This article explains how to attach and utilize the policy.
The diagram below illustrates the high-level traffic flow when Wallarm policy is attached to APIs on the MuleSoft Anypoint platform, and Wallarm is configured to block malicious activity.
The solution involves deploying the Wallarm node externally and injecting custom code or policies into the specific platform. This enables traffic to be directed to the external Wallarm node for analysis and protection against potential threats. Referred to as Wallarm's connectors, they serve as the essential link between platforms like Azion Edge, Akamai Edge, Mulesoft, Apigee, and AWS Lambda, and the external Wallarm node. This approach ensures seamless integration, secure traffic analysis, risk mitigation, and overall platform security.
Use cases
Among all supported Wallarm deployment options, this solution is the recommended one for the following use cases:
- Securing APIs deployed on the MuleSoft Anypoint platform with only one policy.
- Requiring a security solution that offers comprehensive attack observation, reporting, and instant blocking of malicious requests.
Limitations
The solution has certain limitations as it only works with incoming requests:
- Vulnerability discovery using the passive detection method does not function properly. The solution determines if an API is vulnerable or not based on server responses to malicious requests that are typical for the vulnerabilities it tests.
- The Wallarm API Discovery cannot explore API inventory based on your traffic, as the solution relies on response analysis.
- The protection against forced browsing is not available since it requires response code analysis.
Requirements
To proceed with the deployment, ensure that you meet the following requirements:
- Understanding of the Mulesoft platform.
- Maven (mvn) 3.8 or an earlier version is installed. Higher versions of Maven may encounter compatibility issues with the Mule plugin.
- You have been assigned the Mulesoft Exchange contributor's role, enabling you to upload artifacts to your organization's Mulesoft Anypoint Platform account.
- Your Mulesoft Exchange credentials (username and password) are specified in the <MAVEN_DIRECTORY>/conf/settings.xml file.
- Your application and API are linked and running on Mulesoft.
Deployment
To secure APIs on the Mulesoft Anypoint platform using Wallarm policy, follow these steps:
- Deploy a Wallarm node using one of the available deployment options.
- Obtain the Wallarm policy and upload it to Mulesoft Exchange.
- Attach the Wallarm policy to your API.
1. Deploy a Wallarm node
When utilizing the Wallarm policy, the traffic flow is in-line.
- Choose one of the supported Wallarm node deployment solutions or artifacts for in-line deployment and follow the provided deployment instructions.
- Configure the deployed node using the following template:

      server {
          listen 80;

          server_name _;

          access_log off;
          wallarm_mode off;

          location / {
              proxy_set_header Host $http_x_forwarded_host;
              proxy_pass http://unix:/tmp/wallarm-nginx.sock;
          }
      }

      server {
          listen 443 ssl;

          server_name yourdomain-for-wallarm-node.tld;

          ### SSL configuration here

          access_log off;
          wallarm_mode off;

          location / {
              proxy_set_header Host $http_x_forwarded_host;
              proxy_pass http://unix:/tmp/wallarm-nginx.sock;
          }
      }

      server {
          listen unix:/tmp/wallarm-nginx.sock;

          server_name _;

          wallarm_mode monitoring;
          #wallarm_mode block;

          real_ip_header X-REAL-IP;
          set_real_ip_from unix:;

          location / {
              echo_read_request_body;
          }
      }

  Pay attention to the following configuration points:
  - TLS/SSL certificates for HTTPS traffic: To enable the Wallarm node to handle secure HTTPS traffic, configure the TLS/SSL certificates accordingly. The specific configuration will depend on the chosen deployment method. For example, if you are using NGINX, you can refer to its article for guidance.
  - Wallarm operation mode configuration.
- Once the deployment is complete, make a note of the node instance IP, as you will need it later to set the address for incoming request forwarding.
2. Obtain and upload the Wallarm policy to Mulesoft Exchange
To acquire and upload the Wallarm policy to Mulesoft Exchange, follow these steps:
- Contact support@wallarm.com to obtain the Wallarm Mulesoft policy.
- Extract the policy archive once you receive it.
- Navigate to the policy directory:

      cd <POLICY_DIRECTORY>/wallarm

- In the pom.xml file, set the groupId parameter at the top of the file to your Mulesoft organization ID. You can find your organization ID by navigating to Mulesoft Anypoint Platform → Access Management → Organization → choose your organization → copy its ID.
- In your Maven .m2 directory, update the settings.xml file with your Exchange credentials:

      <?xml version="1.0" encoding="UTF-8"?>
      <settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 http://maven.apache.org/xsd/settings-1.0.0.xsd">
        <servers>
          <server>
            <id>exchange-server</id>
            <username>myusername</username>
            <password>mypassword</password>
          </server>
        </servers>
      </settings>

- Deploy the policy to Mulesoft using the following command:

      mvn clean deploy

Your custom policy is now available in your Mulesoft Anypoint Platform Exchange.
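A pre-flight check for the upload procedure above, to run before mvn clean deploy. This is an added example in Python, not part of the Wallarm policy or its documentation: it checks the Maven version limit, the exchange-server entry in settings.xml, and the groupId in pom.xml. The function names, the UUID format assumed for the organization ID, and the file-permission check are assumptions of this example.

```python
import re
import stat
import xml.etree.ElementTree as ET

MAX_MAVEN = (3, 8)             # page: "3.8 or an earlier version"
SERVER_ID = "exchange-server"  # <id> from the page's settings.xml


def _strip_ns(root):
    """Drop XML namespaces so plain tag names match in both files."""
    for el in root.iter():
        el.tag = el.tag.split("}", 1)[-1]
    return root


def maven_ok(version_output):
    """True if `mvn -v` output reports Maven 3.8.x or earlier."""
    m = re.search(r"Apache Maven (\d+)\.(\d+)", version_output)
    return bool(m) and (int(m.group(1)), int(m.group(2))) <= MAX_MAVEN


def settings_problems(settings_xml, file_mode=0o600):
    """Problems in settings.xml text; file_mode is os.stat(path).st_mode."""
    problems = []
    root = _strip_ns(ET.fromstring(settings_xml))
    server = next((s for s in root.iter("server")
                   if s.findtext("id") == SERVER_ID), None)
    if server is None:
        problems.append(f"no <server> with id {SERVER_ID}")
    elif not (server.findtext("username") and server.findtext("password")):
        problems.append("username or password is empty")
    elif server.findtext("password") == "mypassword":
        problems.append("password is still the template placeholder")
    # The file holds a plaintext password: flag group/world access bits.
    if stat.S_IMODE(file_mode) & 0o077:
        problems.append("settings.xml is accessible to group or others")
    return problems


def group_id_problems(pom_xml):
    """The top-level groupId must be the Anypoint organization ID."""
    gid = (_strip_ns(ET.fromstring(pom_xml)).findtext("groupId") or "").strip()
    # Assumption of this example: organization IDs are UUID-formatted.
    uuid = r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}"
    if not re.fullmatch(uuid, gid, re.I):
        return [f"groupId {gid!r} is not an organization ID"]
    return []
```

Pass in the output of mvn -v, the text of settings.xml together with os.stat(path).st_mode, and the text of pom.xml; an empty list means that check passed.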
3. Attach the Wallarm policy to your API
You can attach the Wallarm policy to either all APIs or an individual API.
Attaching the policy to all APIs
To apply the Wallarm policy to all APIs using Mulesoft's Automated policy option, follow these steps:
- In your Anypoint Platform, navigate to API Manager → Automated Policies.
- Click Add automated policy and select the Wallarm policy from Exchange.
- Specify WLRM REPORTING ENDPOINT, which is the IP address of the Wallarm node instance, including the http:// or https:// prefix.
- If necessary, modify the maximum time period for Wallarm to process a single request by changing the value of WALLARM NODE REQUEST TIMEOUT.
- Apply the policy.
Attaching the policy to an individual API
To secure an individual API with the Wallarm policy, follow these steps:
- In your Anypoint Platform, navigate to API Manager and select the desired API.
- Navigate to Policies → Add policy and select the Wallarm policy.
- Specify WLRM REPORTING ENDPOINT, which is the IP address of the Wallarm node instance, including the http:// or https:// prefix.
- If necessary, modify the maximum time period for Wallarm to process a single request by changing the value of WALLARM NODE REQUEST TIMEOUT.
- Apply the policy.
Testing
To test the functionality of the deployed policy, follow these steps:
- Send the request with the test Path Traversal attack to your API:

      curl http://<YOUR_APP_IP_OR_DOMAIN>/etc/passwd

- Open Wallarm Console → Events section in the US Cloud or EU Cloud and make sure the attack is displayed in the list.

  If the Wallarm node mode is set to blocking, the request will also be blocked.
If the solution does not perform as expected, refer to the logs of your API by accessing Mulesoft Anypoint Platform → Runtime Manager → your application → Logs.
You can also verify whether the policy is applied to the API by navigating to your API in the API Manager and reviewing the policies applied on the Policies tab. For automated policies, you can use the See covered APIs option to view the APIs covered and the reasons for any exclusions.
Updating and uninstalling
To update the deployed Wallarm policy, follow these steps:
- Remove the currently deployed Wallarm policy using the Remove policy option in either the automated policy list or the list of policies applied to an individual API.
- Add the new policy following steps 2-3 above.
- Restart the attached applications in the Runtime Manager to apply the new policy.

To uninstall the policy, simply perform the first step of the update process.
Need assistance?
If you encounter any issues or require assistance with the described deployment of Wallarm's policy in conjunction with MuleSoft, you can reach out to the Wallarm support team. They are available to provide guidance and help resolve any problems you may face during the implementation process.