Web Application Firewalls (transcript)
-
5/24/2018 Web Application Firewalls
1/44
Copyright 2006 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.
The OWASP Foundation
OWASP AppSec Europe May 2006
http://www.owasp.org/
Web Application Firewalls: When Are They Useful?
Ivan Ristic
Thinking Stone
ivanr@webkreator.com
/ 1166 03 240
-
Ivan Ristic
Web Application Security specialist & developer.
Author of Apache Security.
Founder of Thinking Stone.
Author of ModSecurity.
-
Why Use Web Application Firewalls?
In a nutshell:
1. Web applications are deployed terribly insecure.
2. Developers should, of course, continue to strive to build better/more secure software.
3. But in the meantime, sysadmins must do something about it. (Or, as I like to say: We need every help we can get.)
4. Insecure applications aside, WAFs are an important building block in every HTTP network.
-
Network Firewalls Do Not Work For HTTP
[Diagram: Web Client -> Firewall (Port 80, HTTP Traffic) -> Web Server -> Application, Application -> Database Server. The network firewall passes port 80 HTTP traffic straight through to the applications behind it.]
-
WAFEC (1)
Web Application Firewall Evaluation Criteria.
Project 1.0 published in January. We are about to start work on 1.1.
http://webappsec.org/
-
WAFEC (2)
Nine sections:
1. Deployment Architecture
2. HTTP and HTML Support
3. Detection Techniques
4. Prevention Techniques
5. Logging
6. Reporting
7. Management
8. Performance
9. XML
-
WAFEC (3)
WAFEC is not for the vendors. It's for the users! (So please voice your opinions!)
http://www.webappsec.org/projects/wafec/
-
WAF Identity Problem (2)
There are four aspects to consider:
1. Audit device
2. Access control device
3. Layer 7 router/switch
4. Web Application Hardening tool
These are all valid requirements but the name Web Application Firewall is not suitable.
On the lower network layers we have a different name for each function.
-
WAF Identity Problem (3)
Appliance-oriented web application firewalls clash with the Application Assurance market.
Problems solved a long time ago:
Load balancing
Clustering
SSL termination and acceleration
Caching and transparent compression
URL rewriting
and so on
-
WAF Identity Problem (4)
Key factors:
1. Application Assurance vendors are very strong.
2. Web Application Firewall vendors not as much.
Result: Appliance-oriented WAFs are being assimilated by the Application Assurance market.
In the meantime: Embedded WAFs are left alone because they are not an all-or-nothing proposition.
-
WAF Functionality Overview
-
The Essentials (1)
Full support for HTTP:
Access to individual fields (field content, length, field count, etc.).
Entire transaction (both request and response).
Uploaded files.
Anti-evasion features (also known as normalisation/canonicalisation/transformation features).
-
The Essentials (2)
Blocking features:
Transaction
Connection
IP Address
Session
User
Honeypot redirection
TCP/IP resets (connection)
Blocking via external device
What happens upon detection?
-
Fancy Features
Stateful operation:
IP Address data
Session data
User data
Event Correlation
High availability:
Failover
Load-balancing
Clustering
State replication
-
Hard-Coded Protection Techniques (1)
Cookie protection: Sign/encrypt/virtualise.
Hidden field protection: Sign/encrypt/virtualise.
Session management protection: Enforce session duration timeout, inactivity timeout. Prevent fixation. Virtualise session management. Prevent hi
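Added example, not part of the original presentation: the cookie and hidden-field protections named above, signing and virtualisation, as they might be implemented on the WAF side in Python. The key, the cookie values and the function and class names are constructed for illustration; a real WAF loads the key from a secret store and keeps the virtualisation table in replicated state so that failover still works. Encryption of the value is the third option on the slide and is left out here because the standard library has no authenticated cipher.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed key for the example; a deployment loads this from a secret store.
SECRET_KEY = b"example-key-not-for-production"


def _tag(value: bytes, key: bytes) -> str:
    """URL-safe base64 HMAC-SHA256 tag with padding stripped, so it never contains '.'."""
    digest = hmac.new(key, value, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def sign_value(value: str, key: bytes = SECRET_KEY) -> str:
    """Outbound (response side): append a tag so the client cannot alter the value unnoticed."""
    return f"{value}.{_tag(value.encode(), key)}"


def verify_value(signed: str, key: bytes = SECRET_KEY):
    """Inbound (request side): return the original value, or None if the tag is absent or wrong."""
    value, sep, tag = signed.rpartition(".")
    if not sep:
        return None
    if not hmac.compare_digest(tag, _tag(value.encode(), key)):
        return None
    return value


class Virtualiser:
    """Virtualisation: the client only ever sees an opaque token. The real cookie or
    hidden-field value stays on the server side and is swapped back in on the way in.
    The table is in-process here; a clustered WAF would replicate it."""

    def __init__(self):
        self._real_by_token = {}

    def outbound(self, real_value: str) -> str:
        token = secrets.token_urlsafe(16)
        self._real_by_token[token] = real_value
        return token

    def inbound(self, token: str):
        return self._real_by_token.get(token)


if __name__ == "__main__":
    signed = sign_value("uid=42;role=user")
    print(signed, "->", verify_value(signed))
    tampered = signed.replace("role=user", "role=admin")
    print(tampered, "->", verify_value(tampered))
```

A tampered or unsigned value verifies to None, which is the point at which the blocking features from the previous slides decide what to do with the transaction.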
-
Hard-Coded Protection Techniques (2)
Brute-force protection
Link validation: Signing, Virtualisation
Request flow enforcement: Statically, Dynamically
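Added example, not part of the original presentation: brute-force protection as a sliding-window failure counter, and static request-flow enforcement as a fixed transition graph, in Python. Both keep the per-IP and per-session state the earlier "Stateful operation" slide talks about. The limits, paths, IP addresses and class names are constructed for illustration; timestamps are passed in explicitly rather than read from the clock so the behaviour can be checked.

```python
from collections import defaultdict, deque


class BruteForceGuard:
    """Sliding-window counter of failed logins per key (client IP or account name).
    After `limit` failures inside `window` seconds the key is blocked until enough
    old failures age out of the window."""

    def __init__(self, limit: int = 5, window: float = 300.0):
        self.limit = limit
        self.window = window
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures

    def _prune(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def record_failure(self, key, now):
        self._prune(key, now)
        self._failures[key].append(now)

    def is_blocked(self, key, now) -> bool:
        self._prune(key, now)
        return len(self._failures[key]) >= self.limit


class FlowEnforcer:
    """Static request-flow enforcement: a session may only request a path that is an
    entry point or a permitted successor of the last path it was allowed to reach
    (for example /checkout only after /cart). The state is the session's last path."""

    def __init__(self, transitions: dict, entry_points):
        self.transitions = transitions        # {"/cart": {"/checkout", "/"}, ...}
        self.entry_points = set(entry_points)
        self._last_path = {}                  # session id -> last accepted path

    def allow(self, session_id: str, path: str) -> bool:
        previous = self._last_path.get(session_id)
        allowed = path in self.entry_points or (
            previous is not None and path in self.transitions.get(previous, ())
        )
        if allowed:
            self._last_path[session_id] = path
        return allowed


if __name__ == "__main__":
    guard = BruteForceGuard(limit=3, window=60)
    for t in (0, 10, 20):
        guard.record_failure("198.51.100.7", t)
    print("blocked at t=25:", guard.is_blocked("198.51.100.7", 25))
    print("blocked at t=61:", guard.is_blocked("198.51.100.7", 61))
    flow = FlowEnforcer({"/": {"/cart"}, "/cart": {"/checkout", "/"}, "/checkout": {"/"}}, ["/"])
    print("direct /checkout allowed:", flow.allow("s2", "/checkout"))
```

Dynamic flow enforcement would build the transition set from the links the WAF sees in each response instead of from a fixed table, which is what the link-validation items on the slide feed into.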
-
Other Things To Consider (2)
Extensibility: Is it possible to add custom functionality to the firewall?
Is the source code available? (But not as a replacement for a proper API.)
Performance: New connections per second.
Maximum concurrent connections.
Transactions per second.
Throughput.
Latency.
-
Signatures and Rules
-
Signatures or Rules?
1. Signatures: Simple text strings or regular expression patterns matched against input data. Not very flexible.
2. Rules:
1. Flexible.
2. Multiple operators.
3. Rule groups.
4. Anti-evasion functions.
5. Logical expressions.
6. Custom variables.
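Added example, not part of the original presentation: a miniature rule engine in Python that shows the difference between the two approaches on this slide, and the anti-evasion (normalisation) features from "The Essentials (1)". A plain signature is a regular expression run over the raw input; a rule selects variables, applies transformations first, picks an operator, can be chained (logical AND), negated, grouped, and can set custom variables for anomaly scoring. The variable and transformation names are modelled loosely on ModSecurity's vocabulary but are this example's own; the rules, request values and thresholds are constructed for illustration.

```python
import re
import unicodedata
import urllib.parse
from dataclasses import dataclass, field


def url_decode_fully(s: str) -> str:
    """Decode until stable, so double-encoded input (%252e -> %2e -> .) is caught."""
    previous = None
    while previous != s:
        previous, s = s, urllib.parse.unquote(s)
    return s


# Anti-evasion transformations (normalisation/canonicalisation) applied before matching.
TRANSFORMS = {
    "urlDecode": url_decode_fully,
    "lowercase": str.lower,
    "compressWhitespace": lambda s: re.sub(r"\s+", " ", s),
    "normalisePath": lambda s: re.sub(r"/+", "/", s.replace("\\", "/")),
    "nfkc": lambda s: unicodedata.normalize("NFKC", s),
}

# Operators take (transformed value, rule argument) and return a bool.
OPERATORS = {
    "rx": lambda v, a: re.search(a, v) is not None,
    "contains": lambda v, a: a in v,
    "eq": lambda v, a: v == a,
    "gt": lambda v, a: float(v) > float(a),
}


@dataclass
class Condition:
    variables: list            # "ARGS", "ARGS:name", "ARGS_COUNT", "REQUEST_URI", "TX:name"
    operator: str
    argument: str
    transforms: list = field(default_factory=list)
    negate: bool = False       # logical NOT


@dataclass
class Rule:
    id: int
    conditions: list           # every condition must hold (chain == logical AND)
    action: str = "deny"       # "deny" stops processing; "log" only records the match
    group: str = "default"     # rule groups can be switched on or off per site
    setvar: dict = field(default_factory=dict)   # custom variables: name -> increment


def resolve(variable: str, request: dict, tx: dict) -> list:
    """Expand a variable name into the list of string values it stands for."""
    if variable == "ARGS":
        return list(request["args"].values())
    if variable.startswith("ARGS:"):
        value = request["args"].get(variable[5:])
        return [] if value is None else [value]
    if variable == "ARGS_COUNT":
        return [str(len(request["args"]))]
    if variable == "REQUEST_URI":
        return [request["uri"]]
    if variable.startswith("TX:"):
        return [str(tx.get(variable[3:], 0))]
    raise ValueError(f"unknown variable {variable}")


def condition_matches(cond: Condition, request: dict, tx: dict) -> bool:
    op = OPERATORS[cond.operator]
    for variable in cond.variables:
        for value in resolve(variable, request, tx):
            for name in cond.transforms:
                value = TRANSFORMS[name](value)
            if op(value, cond.argument) != cond.negate:
                return True
    return False


def evaluate(rules: list, request: dict, enabled_groups=None):
    """Run rules in order; return (verdict, ids of the rules that matched)."""
    tx, matched = {}, []
    for rule in rules:
        if enabled_groups is not None and rule.group not in enabled_groups:
            continue
        if all(condition_matches(c, request, tx) for c in rule.conditions):
            matched.append(rule.id)
            for name, increment in rule.setvar.items():
                tx[name] = tx.get(name, 0) + increment
            if rule.action == "deny":
                return "deny", matched
    return "allow", matched


def signature_matches(pattern: str, request: dict) -> bool:
    """A plain signature for comparison: the raw pattern, no normalisation."""
    return any(re.search(pattern, v) for v in request["args"].values())


XSS_TRANSFORMS = ["urlDecode", "nfkc", "lowercase", "compressWhitespace"]
RULES = [
    # Path traversal in any parameter, caught even when double-encoded.
    Rule(1001, [Condition(["ARGS"], "contains", "../", ["urlDecode", "normalisePath"])],
         group="traversal"),
    # Anomaly scoring: each hint adds to TX:score; the final rule denies above a threshold.
    Rule(2001, [Condition(["ARGS"], "rx", r"<\s*script", XSS_TRANSFORMS)],
         action="log", setvar={"score": 5}),
    Rule(2002, [Condition(["ARGS"], "rx", r"javascript\s*:", XSS_TRANSFORMS)],
         action="log", setvar={"score": 5}),
    # Chained conditions: high score AND the request is not to the health check.
    Rule(2999, [Condition(["TX:score"], "gt", "5"),
                Condition(["REQUEST_URI"], "eq", "/health", negate=True)]),
]
```

Run against a double-encoded traversal attempt, the signature `\.\./` sees nothing while rule 1001 decodes twice, normalises the path and denies; disabling the "traversal" group lets the same request through, which is what a per-site rule group switch does.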
-
Three Protection Strategies
1. External patching. Also known as
-
Auditing and HTTP Traffic Monitoring
-
Web Intrusion Detection
Often forgotten because of marketing pressures: Detection is so last year (decade).
Prevention sounds and sells much better!
The problem with prevention is that it is bound to fail given a sufficiently determined attacker (or inexperienced WAF operator).
Monitoring (logging and detection) is actually more important as it allows you to independently audit traffic, and go back in time.
-
Monitoring Requirements
Centralisation.
Transaction data storage.
Control over which transactions are logged and which parts of each transaction are logged, dynamically on a per-transaction basis:
Minimal information (session data).
Partial transaction data.
Full transaction data.
Support for data sanitisation.
Can implement your retention policy.
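Added example, not part of the original presentation: a small audit-log component in Python that covers the requirements on this slide. Which parts of a transaction are stored is decided per transaction (minimal, partial or full), secrets are masked before storage, and a retention period expires old records. The transaction layout, field names, sanitisation policy and timestamps are constructed for illustration; a real WAF would also need to write to central storage rather than a list.

```python
import json
import re

# Which parts of a transaction get stored, from least to most.
PARTS_MINIMAL = {"meta"}
PARTS_PARTIAL = PARTS_MINIMAL | {"request_headers", "response_status"}
PARTS_FULL = PARTS_PARTIAL | {"request_body", "response_body"}

# Constructed sanitisation policy: form fields, headers and a card-number-like pattern.
SENSITIVE_FIELDS = {"password", "card_number"}
SENSITIVE_HEADERS = {"authorization", "cookie"}
CARD_NUMBER = re.compile(r"\b\d{13,16}\b")


def sanitise(transaction: dict) -> dict:
    """Return a copy with secrets masked so the audit trail is not a credential store."""
    t = json.loads(json.dumps(transaction))          # deep copy; the original is untouched
    for name, value in list(t.get("request_body", {}).items()):
        if name.lower() in SENSITIVE_FIELDS:
            t["request_body"][name] = "*" * len(str(value))
    for name in list(t.get("request_headers", {})):
        if name.lower() in SENSITIVE_HEADERS:
            t["request_headers"][name] = "[redacted]"
    if "response_body" in t:
        t["response_body"] = CARD_NUMBER.sub("[redacted]", t["response_body"])
    return t


def choose_parts(transaction: dict, matched_rules: list) -> set:
    """Dynamic, per-transaction decision about how much to keep."""
    if matched_rules or transaction["response_status"] >= 400:
        return PARTS_FULL             # suspicious or failed: keep everything
    if transaction["meta"].get("session"):
        return PARTS_PARTIAL          # authenticated: keep headers and outcome
    return PARTS_MINIMAL              # anonymous and uneventful: keep metadata only


class AuditLog:
    """Central transaction store with a retention policy. Every record is sanitised
    and trimmed to the parts chosen for that transaction."""

    def __init__(self, retention_seconds: float):
        self.retention = retention_seconds
        self.records = []

    def record(self, transaction: dict, matched_rules: list) -> dict:
        parts = choose_parts(transaction, matched_rules)
        clean = sanitise(transaction)
        entry = {part: clean[part] for part in parts if part in clean}
        entry["meta"]["matched_rules"] = list(matched_rules)
        entry["meta"]["logged_parts"] = sorted(parts)
        self.records.append(entry)
        return entry

    def expire(self, now: float) -> int:
        """Drop records older than the retention period; return how many were removed."""
        before = len(self.records)
        self.records = [r for r in self.records if now - r["meta"]["ts"] <= self.retention]
        return before - len(self.records)
```

The same login transaction is stored as a partial record when nothing happened and as a full, sanitised record when a rule matched, so the analyst can go back in time over the interesting traffic without the log holding plaintext passwords or session cookies.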
-
Deployment
-
Deployment
Three choices when it comes to deployment:
1. Network-level device.
2. Reverse proxy.
3. Embedded in web server.
-
Deployment (3)
2. Reverse proxy
Typically requires network re-configuration.
-
Deployment (4)
3. Embedded
Does not require network re-configuration.
-
Deployment (5)
1. Network passive: Does not affect performance. Easy to add. Not a bottleneck or a point of failure. Limited prevention options. Must have copies of SSL keys.
2. Network in-line: A potential bottleneck. Point of failure. Must have copies of SSL keys. Easy to add.
-
Deployment (6)
3. Reverse proxy: A potential bottleneck. Point of failure. Requires changes to network (unless it's a transparent reverse proxy). Must terminate SSL (can be a problem if application needs to access client certificate data). It's a separate architecture/security layer.
4. Embedded: Easy to add (and usually much cheaper). Not a point of failure. Uses web server resources.
-
Reverse Proxy As a Building Block
Reverse proxy patterns:
1. Front door
2. Integration reverse proxy
3. Protection reverse proxy
4. Performance reverse proxy
5. Scalability reverse proxy
Logical patterns, orthogonal to each other.
Often deployed as a single physical reverse proxy.
-
Front Door (1/5)
Make all HTTP traffic go through the proxy.
Centralisation makes access control, logging, and monitoring easier.
-
Integration Reverse Proxy (2/5)
Combine multiple web servers into one.
Hide the internals.
Decouple interface from implementation.
-
Protection Reverse Proxy (3/5)
Observes traffic in and out.
Blocks invalid requests and attacks.
Prevents information disclosure.
-
Performance Reverse Proxy (4/5)
Transparent caching.
Transparent response compression.
SSL termination.
-
Open Source Approach: Apache + ModSecurity
-
Apache
One of the most used open source products. Available on many platforms.
Free, fast, stable and reliable.
Expertise widely available.
Apache 2.2.x (finally!) released with many improvements:
Improved authentication.
Improved support for caching.
Significant improvements to the mod_proxy code (and load balancing support).
Ideal reverse proxy.
-
ModSecurity
Adds WAF functionality to Apache. In the 4th year of development.
Free, open source, commercially supported.
Implements most WAF features (and the remaining ones are coming soon).
Popular and very widely used.
Fast, reliable and predictable.
-
Apache + ModSecurity
Deploy as reverse proxy:
Pick a nice server (I am quite fond of Sun's hardware offerings myself).
Install Apache 2.2.x.
Add ModSecurity.
Add SSL acceleration card (optional).
Or simply run ModSecurity in embedded mode.
-
ModSecurity
Strong areas:
Auditing/logging support.
Real-time traffic monitoring.
Just-in-time patching.
Prevention: Very configurable/programmable.
Weak areas:
No automation of the positive security model approach yet.
-
Thank you!
Download this presentation from http://www.thinkingstone.com/talks
Questions?