
digital media services

WAF White Paper

Securing your website with Verizon’s Web Application Firewall (WAF)

Executive summary

Verizon Digital Media Services’ third-generation WAF provides business owners with a more transparent, flexible way to secure their websites. This white paper outlines how our WAF differentiates itself from the competition, providing you with complete visibility and control to protect your website, your way. Our professional services team acts as a partner rather than a hindrance, further exemplifying our goal to help you become more agile and responsive to the needs of your business and your users.

Who should read this:

Business Decision Makers

Technical Decision Makers

Content

What is a Web Application? ... 3
What is a WAF? ... 3
What makes the Verizon WAF different? ... 4
How does the Verizon WAF work? ... 4
  Policy ... 5
  Profile ... 5
  Instance ... 7
  Final notes ... 7
Threat detection modes ... 8
  Signature ... 8
  Anomaly Scoring ... 8
  Example – Signature Mode ... 9
  Example – Anomaly Scoring Mode ... 10
The Verizon “professional services as a partnership” model ... 11
Closing: Why choose Verizon’s WAF to secure your website? ... 12

Verizon Digital Media Services | WAF White Paper 3

What is a Web Application?

If you operate a website that provides a service to users – customers, employees, partners, etc. – then you’re likely running a web application. In fact, there is a good chance you have multiple web applications spanning a diverse collection of operating systems, database software and storage devices. Every single time users interact with your website, they make a connection to your web servers, which interact with your database servers, which read and write to and from your storage servers. Much of the world’s business activities, such as online shopping, commerce and hotel booking, rely on web applications and their ability to consistently and securely exchange data with each other.

These applications process and store extremely sensitive data (e.g., credit card numbers, social security information, personal information, etc.), and it is for precisely this reason that these applications have become a prime target for attackers. Malicious users and groups have developed an arsenal of methods they can use to wreak havoc on web applications, including theft of personal information (e.g. via SQL injection), website defacement (e.g. via cross-site scripting), and the complete shutdown of business by blocking access to a company’s page (e.g. via distributed denial of service). More recently, these attackers have discovered that by merely providing the threat of an attack, they can extort money from paranoid and unprepared businesses.

Securing your website against cunning attackers is paramount for protecting your business. And one of the most effective ways to protect a web application from these attacks is by deploying a Web Application Firewall (WAF).

What is a WAF?

At the most fundamental level, a WAF is a device that monitors and analyzes all traffic going into a web application in real time and blocks those requests that are determined to be malicious. Legitimate traffic is allowed to continue on to the web application, while malicious traffic is stopped before it reaches the victim’s servers.

The first generation of WAFs was comprised of physical devices deployed on premises. Businesses were responsible for deploying, configuring, monitoring and maintaining these devices on their own; if web traffic exceeded the capacity of the WAF hardware due to business growth, business owners had to invest in additional devices or resign themselves to being unable to protect themselves adequately.

The second generation of WAFs moved to the cloud. These legacy WAFs still exist today and operate as a “black box” with little-to-no transparency regarding their underlying architecture. Customers are entirely dependent on the professional services of the WAF provider, and they are unable to remain agile and involved.


What makes the Verizon WAF different?

Verizon has ushered in the third generation of WAFs, which operates as an “open box”, engineered specifically to empower website owners to proactively protect their web assets on their own, with as much or as little assistance from Verizon as they wish. Regardless of the level of assistance we provide, our WAF customers have complete visibility and control over all WAF configurations, reports and logs. The WAF dashboard enables customers to monitor malicious traffic and dig deeper into the event log to discover more granular information about events, such as where the traffic originated, and why it was flagged as malicious.

Because our WAF is built into the Verizon content delivery network at a fundamental level, it benefits from our network of 80+ Super PoPs (points of presence) and tens of terabits per second of capacity. Rather than needing to purchase additional hardware, customers benefit from unlimited scalability on the Verizon network. Every server deployed in our Application Delivery Network and Verizon TRANSACT runs our WAF software, which allows traffic to be spread across the network to maximize performance and minimize delay. The WAF is in-line and always-on, and our engineers can respond quickly to any problems.

How does the Verizon WAF work?

The Verizon WAF is built on the open source ModSecurity framework, which gives us the ability and flexibility of limitless deployment options.

In order for an HTTP request to be analyzed by the WAF, the following must take place (see Figure A):

• The HTTP request must match a rule in the HTTP Rules Engine

• The Rules Engine must call a WAF Instance

• The WAF Instance must call a WAF Profile

[ Figure A: request flow. User → Internet → Verizon Edge Servers. An HTTP Request that triggers an HTTP Rule (Condition Matched) is passed from the HTTP Rules Engine to the WAF Instance and then to the WAF Profile, which decides “Malicious? Yes / No”. Not Malicious → Origin Server; Malicious in Alert Mode → Origin Server (event logged); Malicious in Block Mode → HTTP 403 ]

WAF configuration is comprised of:

• Policies

• Profiles

• Instances


Policy

A Policy is a collection of rules. A rule is the basic mechanism used in detecting malicious behavior in HTTP traffic. For example, rule ID 960007 (“Empty Host Header”) in the Verizon WAF will trigger when an HTTP request is missing a host header (see Figure B).

[ Figure B: rule 960007 “Empty Host Header” shown with its toggle set to ON ]

[ Figure B ]

A Policy is simply a group of related WAF rules. For example, the “Protocol Anomalies” Policy (see Figure C) contains all rules that are related to detecting HTTP requests that don’t comply with HTTP standards (e.g., empty user agent strings, empty host headers, etc.).

[ Figure C: the “Protocol anomalies” Policy shown with its toggle set to ON and “0 Rules Disabled” ]

[ Figure C ]

Profile

A Profile is a collection of security configurations that are collectively used to determine whether HTTP traffic is malicious. Profiles can be created either from built-in templates or from the ground up, and it is recommended that two different Profiles be created (one for Production and one for Auditing).

Profiles consist of the following:

Rule Set

A rule set is a collection of rules regardless of whether they are related to each other. Verizon WAF uses the following rule sets:

• OWASP CRS The OWASP Core Rule Set provides protection against generic vulnerabilities (e.g., SQL injection and cross-site scripting).

• Trustwave The Trustwave commercial rule set provides protection against specific vulnerabilities (e.g. WordPress and ColdFusion). Trustwave updates these rules regularly, and these updates are automatically integrated with the Verizon WAF. There is no action required on the customer’s part. For more information, please refer to https://www.trustwave.com/Products/Application-Security/ModSecurity-Rules-and-Support/.

• Trustwave-OWASP Integrated Rule Set Verizon has combined the OWASP CRS with the Trustwave commercial rule set into a single integrated rule set that contains all available rules from both individual rule sets (see Figure D).

[ Figure D: the “Rulesets” drop-down next to “Detection Modes”, listing the available rule sets and versions: Trustwave – OWASP Integration – Application (Latest, 1.0.0, Latest – Beta); Trustwave – OWASP Integration – Generic (Latest, 1.0.0); Trustwave – Standalone – Application (Latest, 1.0.0, Latest – Beta); Trustwave – Standalone – Generic (Latest, 1.0.0); OWASP – CRS (2.2.9, 2.2.8) ]

Detection Mode

Profiles can be configured to perform in either Signature or Anomaly Scoring mode. See “Threat detection modes” below for more information (see Figure E).

[ Figure E: the “Detection Modes” selector offering “Anomaly Scoring” and “Signature”, with “Anomaly Score Threshold” set to 15 ]

Policies

Individual policies (described above) can be enabled/disabled, and individual rules within each policy can be enabled/disabled.

IP-GEO Access Controls

These controls allow whitelisting and blacklisting of specific IP addresses, CIDR-formatted IP ranges and entire geographic regions based on country code.

HTTP Request Access Controls

These controls allow whitelisting and blacklisting of specific user agents, URLs and referrers.

Global Settings

These controls cannot be disabled, but they can be adjusted:

• Maximum number of parameters in a query string

• Maximum number of total characters in a query string value

• Maximum number of characters in a single query string parameter name

• Maximum number of characters in a single query string parameter value

• Maximum individual file size

• Maximum total file size

• Allowed HTTP methods (e.g., GET and POST)

• Allowed HTTP versions (e.g., HTTP/1.1)

• Allowed content types (MIME types)

• Disallowed file extensions

• Custom name for the response header included with responses blocked by the WAF
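The access controls and global settings described above, as an added Python model of how those checks compose ahead of rule-set analysis. This is example code written for this page, not Verizon’s or ModSecurity’s implementation: the class and field names, the default limits, the ordering (whitelist consulted before blacklist, as in Figure G below; global-setting limits checked before the request goes on to rule analysis) and the sample requests are all assumptions.

```python
import ipaddress
import os
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlsplit


@dataclass
class AccessControls:
    """IP-GEO and HTTP request access controls of a hypothetical Profile."""
    ip_whitelist: list = field(default_factory=list)      # single IPs or CIDR ranges
    ip_blacklist: list = field(default_factory=list)
    country_whitelist: set = field(default_factory=set)   # ISO country codes
    country_blacklist: set = field(default_factory=set)
    url_whitelist: list = field(default_factory=list)     # URL path prefixes
    ua_blacklist: list = field(default_factory=list)      # user-agent substrings
    referrer_blacklist: list = field(default_factory=list)


@dataclass
class GlobalSettings:
    """The always-on limits; every default here is a constructed value."""
    max_params: int = 50
    max_query_chars: int = 2048          # total characters in the query string
    max_param_name_chars: int = 64
    max_param_value_chars: int = 512
    max_file_size: int = 5 * 1024 * 1024
    max_total_file_size: int = 20 * 1024 * 1024
    allowed_methods: set = field(default_factory=lambda: {"GET", "POST"})
    allowed_versions: set = field(default_factory=lambda: {"HTTP/1.1"})
    allowed_content_types: set = field(default_factory=lambda: {
        "application/x-www-form-urlencoded", "multipart/form-data", "application/json"})
    disallowed_extensions: set = field(default_factory=lambda: {".bak", ".sql", ".ini"})
    block_header_name: str = "X-WAF-Blocked"   # custom header name on blocked responses


def _ip_matches(ip, entries):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)


def access_control_decision(req, ac):
    """Whitelist is consulted before blacklist (Figure G).
    Returns 'whitelist', 'blacklist' or None when no access control matches."""
    ip, cc = req["client_ip"], req.get("country", "")
    path = urlsplit(req["url"]).path
    ua = req["headers"].get("User-Agent", "")
    ref = req["headers"].get("Referer", "")
    if _ip_matches(ip, ac.ip_whitelist) or cc in ac.country_whitelist \
            or any(path.startswith(p) for p in ac.url_whitelist):
        return "whitelist"
    if _ip_matches(ip, ac.ip_blacklist) or cc in ac.country_blacklist \
            or any(s.lower() in ua.lower() for s in ac.ua_blacklist) \
            or any(s in ref for s in ac.referrer_blacklist):
        return "blacklist"
    return None


def global_setting_violations(req, gs):
    """Return the list of global-setting limits the request exceeds (empty if none)."""
    v = []
    parts = urlsplit(req["url"])
    params = parse_qsl(parts.query, keep_blank_values=True)
    if len(params) > gs.max_params:
        v.append("too many query parameters")
    if len(parts.query) > gs.max_query_chars:
        v.append("query string too long")
    if any(len(n) > gs.max_param_name_chars for n, _ in params):
        v.append("parameter name too long")
    if any(len(val) > gs.max_param_value_chars for _, val in params):
        v.append("parameter value too long")
    files = req.get("file_sizes", [])            # sizes of uploaded files, bytes
    if any(s > gs.max_file_size for s in files):
        v.append("individual file too large")
    if sum(files) > gs.max_total_file_size:
        v.append("total upload too large")
    if req["method"] not in gs.allowed_methods:
        v.append("method not allowed")
    if req["version"] not in gs.allowed_versions:
        v.append("HTTP version not allowed")
    ctype = req["headers"].get("Content-Type", "").split(";")[0].strip()
    if req["method"] == "POST" and ctype and ctype not in gs.allowed_content_types:
        v.append("content type not allowed")
    if os.path.splitext(parts.path)[1].lower() in gs.disallowed_extensions:
        v.append("file extension not allowed")
    return v


def pre_screen(req, ac, gs):
    """Verdict before rule-set analysis: 'pass' (whitelisted), 'block', or 'analyze'."""
    decision = access_control_decision(req, ac)
    if decision == "whitelist":
        return {"verdict": "pass", "reason": "whitelisted"}
    if decision == "blacklist":
        return {"verdict": "block", "reason": "blacklisted",
                "response_headers": {gs.block_header_name: "blacklist"}}
    violations = global_setting_violations(req, gs)
    if violations:
        return {"verdict": "block", "reason": "; ".join(violations),
                "response_headers": {gs.block_header_name: "global-settings"}}
    return {"verdict": "analyze", "reason": "proceed to rule-set analysis"}


# Constructed configuration and requests (RFC 5737 documentation addresses).
ACCESS_CONTROLS = AccessControls(ip_whitelist=["10.0.0.0/8"],
                                 ip_blacklist=["198.51.100.0/24"],
                                 ua_blacklist=["sqlmap"])
GLOBAL_SETTINGS = GlobalSettings()
_UA = {"User-Agent": "Mozilla/5.0"}
SAMPLE_REQUESTS = {
    "normal": {"client_ip": "203.0.113.7", "country": "US", "method": "GET",
               "version": "HTTP/1.1", "url": "/search?q=shoes", "headers": _UA},
    "internal": {"client_ip": "10.1.2.3", "country": "US", "method": "GET",
                 "version": "HTTP/1.1", "url": "/admin/status", "headers": _UA},
    "scanner_ua": {"client_ip": "203.0.113.9", "country": "US", "method": "GET",
                   "version": "HTTP/1.1", "url": "/",
                   "headers": {"User-Agent": "sqlmap/1.0-dev (http://sqlmap.org)"}},
    "oversized": {"client_ip": "203.0.113.7", "country": "US", "method": "GET",
                  "version": "HTTP/1.1", "url": "/search?q=" + "a" * 600, "headers": _UA},
    "bad_method": {"client_ip": "203.0.113.7", "country": "US", "method": "TRACE",
                   "version": "HTTP/1.1", "url": "/", "headers": _UA},
    "backup_file": {"client_ip": "203.0.113.7", "country": "US", "method": "GET",
                    "version": "HTTP/1.1", "url": "/config.bak", "headers": _UA},
}
```

A request that passes `pre_screen` with verdict `analyze` is the one that goes on to the Profile’s rule set; whitelisted traffic never reaches the rules at all, which is why an over-broad whitelist entry is the first thing to audit when reviewing a Profile.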

Instance

An Instance is used to determine which Profile will be used to analyze HTTP traffic and then what action will be taken on that traffic if it is determined to be malicious. Each Instance specifies a mandatory Production Profile and an optional Audit Profile:

Production Profile

The Production Profile can be set to either block or alert mode:

• When in block mode, malicious traffic (as determined by the particular Profile described above) is blocked and never reaches the customer origin server. Instead, the Verizon WAF returns an HTTP 403 response, and the event information is logged.

• In alert mode, malicious traffic is not blocked, but the event is logged.

Audit Profile

The Audit Profile is optional and always acts in alert mode. A Profile is designated as an Audit Profile when a customer wishes to see what events would have been blocked by the WAF without actually disrupting production traffic (see Figure F).

[ Figure F: the “Production Action” selector offering “block” and “alert”, next to the optional “Audit Profile” selector ]

Final notes

The configuration options described above have no impact unless the Instance is called by the Rules Engine. An Instance can be bound to all incoming traffic using the “Always” condition, or it can be bound to specific conditions using IF-THEN clauses. However, only one Instance can be bound to a particular condition (i.e., after a set of conditions has been evaluated by the Rules Engine, then incoming HTTP requests can only be evaluated by a single Instance).

For many competitors, WAF changes can take more than an hour to propagate, while changes made within Verizon’s WAF usually take effect within five minutes.


Threat detection modes

After a request has been processed for whitelist and blacklist matches, it is analyzed according to the WAF profile’s rule set. A WAF profile can be configured to perform this threat analysis in one of two modes: Signature and Anomaly Scoring (see Figure G).

[ Figure G: threat analysis flow. Incoming Request → Whitelisted? Yes → Legitimate Traffic; No → Blacklisted? Yes → Malicious Traffic; No → WAF Threat Analysis → Threat ≥ Threshold? Yes → Malicious Traffic; No → Legitimate Traffic ]

Signature

Signature mode classifies a request as malicious if it violates any WAF rule. Once a violation occurs, no additional processing is performed on the request. All violations, regardless of severity, are treated equally. As a result, lower severity rules may need to be disabled to ensure that legitimate traffic is not blocked.

Anomaly Scoring

Anomaly scoring mode improves threat detection accuracy by defining a threshold that must be met before a request is classified as malicious. Each request is processed to determine whether there is a signature match on any of the WAF rules that are enabled in the profile. If a match occurs, then a sub-score is calculated and added to the running total. The request is classified as malicious only if the running total meets or exceeds the configured threshold. If the threshold is not met after processing each rule, then the request is considered to be legitimate traffic.
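The Instance semantics (Production Profile in block or alert mode, optional Audit Profile that only ever alerts) and the two detection modes just described, as one added Python model. This is example code written for this page, not Verizon’s WAF or ModSecurity’s rule engine: the three rules reuse the rule IDs and messages that appear in this paper, but their matchers and sub-scores are simplified assumptions, and the class names, profile names and sample requests are constructed. The anomaly check uses “meets or exceeds”, which is what Figure G and the worked example in Figure I show.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Rule:
    rule_id: int
    message: str
    policy: str
    severity: int
    score: int                                  # sub-score added in Anomaly Scoring mode
    matcher: Callable[[dict], Optional[str]]    # returns matched data, or None for no match


@dataclass
class Profile:
    name: str
    mode: str                                   # "signature" or "anomaly"
    rules: list
    threshold: int = 10                         # only used in anomaly mode
    disabled_rules: set = field(default_factory=set)


@dataclass
class Instance:
    name: str
    production: Profile
    production_action: str                      # "block" or "alert"
    audit: Optional[Profile] = None             # optional; always alert mode


# Constructed rules modelled on rule IDs from the paper; matchers are toy checks.
RULES = [
    Rule(960007, "Empty Host Header", "Protocol anomalies", 2, 2,
         lambda r: "" if not r["headers"].get("Host") else None),
    Rule(990002, "Request Indicates a Security Scanner Scanned the Site", "Bad robots", 2, 5,
         lambda r: r["headers"].get("User-Agent")
         if "sqlmap" in r["headers"].get("User-Agent", "") else None),
    Rule(950005, "Remote File Access Attempt", "Inbound blocking", 2, 5,
         lambda r: "/etc/" if "/etc/" in r["url"] else None),
]


def evaluate(profile, req):
    """Run the profile's enabled rules over a request; returns (malicious, sub_events).
    Signature mode: the first violation ends processing. Anomaly mode: each match adds
    its sub-score to a running total, and the request is malicious once the total
    reaches the threshold."""
    events, total = [], 0
    for rule in profile.rules:
        if rule.rule_id in profile.disabled_rules:
            continue
        data = rule.matcher(req)
        if data is None:
            continue
        total += rule.score
        events.append({"Rule ID": rule.rule_id, "Rule Message": rule.message,
                       "Rule Policy": rule.policy, "Rule Severity": rule.severity,
                       "Matched Data": data, "Total Anomaly Score": total})
        if profile.mode == "signature" or total >= profile.threshold:
            return True, events
    return False, events


def handle_request(instance, req):
    """Apply the Instance: returns (status, log_entries). Status 200 stands in for
    'forwarded to the origin server'; 403 is returned only when the Production
    Profile is in block mode and flags the request. The Audit Profile never blocks."""
    status, logs = 200, []
    malicious, events = evaluate(instance.production, req)
    if malicious:
        action = "BLOCK" if instance.production_action == "block" else "ALERT"
        logs.append({"Profile Type": "PRODUCTION", "Profile Name": instance.production.name,
                     "Instance Name": instance.name, "Action Type": action,
                     "Sub Events": events})
        if action == "BLOCK":
            status = 403
    if instance.audit is not None:
        malicious, events = evaluate(instance.audit, req)
        if malicious:
            logs.append({"Profile Type": "AUDIT", "Profile Name": instance.audit.name,
                         "Instance Name": instance.name, "Action Type": "ALERT",
                         "Sub Events": events})
    return status, logs


# Constructed instance: anomaly-scoring production profile that blocks at 10,
# plus a signature-mode audit profile that logs every single violation.
SAMPLE_INSTANCE = Instance(
    name="Single Instance",
    production=Profile("Production blocking", "anomaly", RULES, threshold=10),
    production_action="block",
    audit=Profile("Integrated Alerting", "signature", RULES),
)
_SCANNER_UA = "sqlmap/1.0-dev (http://sqlmap.org)"
SAMPLE_REQUESTS = {
    "benign": {"url": "/products?id=42",
               "headers": {"Host": "shop.example", "User-Agent": "Mozilla/5.0"}},
    "scanner_only": {"url": "/", "headers": {"Host": "shop.example", "User-Agent": _SCANNER_UA}},
    "scanner_and_lfi": {"url": "/download?file=../../../etc/passwd",
                        "headers": {"Host": "shop.example", "User-Agent": _SCANNER_UA}},
}
```

Running the same three requests through the instance shows the practical difference between the modes: a request that only trips the scanner rule scores 5, below the production threshold, so it reaches the origin while the signature-mode audit profile still records it; a request that trips two rules reaches 10 and is answered with a 403. Disabling rule 990002 in the signature profile (via `disabled_rules`) is the tuning step the Signature section describes for rules that would otherwise block legitimate traffic.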

Example – Signature Mode

The log seen on Figure H shows details of a request that triggered rule ID 990002, “Request Indicates a Security Scanner Scanned the Site”. Because the profile was in Signature mode, the request was identified as malicious, and no additional processing was performed.

{
  "Epoch Time": 1448319170.86597,
  "Matched On": "REQUEST_HEADERS:User-Agent",
  "Rule Severity": 2,
  "Profile Type": "PRODUCTION",
  "Client IP": "[redacted]",
  "Rule Message": "Request Indicates a Security Scanner Scanned the Site",
  "Rule Tags": "OWASP_CRS/AUTOMATION/SECURITY_SCANNER",
  "Timestamp": "2015-11-23T22:52:50.86597Z",
  "URL": "[redacted]",
  "Matched Data": "[redacted]",
  "Country Code": "[redacted]",
  "Rule Policy": "Bad robots",
  "Action Type": "ALERT",
  "Host": "[redacted]",
  "Instance Name": "Single Instance",
  "Profile Name": "Integrated Alerting ",
  "Rule ID": 990002,
  "User Agent": "sqlmap/1.0-dev-nongit-20150707 (http://sqlmap.org)",
  "id": "jU1t2kNwunrMDBCbgc06JKvbuXtBRE1mFxeFS3sE-cbALSuUyAJq_Mu8UQ2xDTcgRxbhJjhnkY23Laj22PGhXw==",
  "Matched Value": "sqlmap/1.0-dev-nongit-20150707 (http://sqlmap.org)"
}

[ Figure H ]

Example – Anomaly Scoring Mode

The log seen on Figure I shows details of a request that triggered two rules. The first rule (rule ID 990002, “Request Indicates a Security Scanner Scanned the Site”) is identical to what we saw in Figure H, which outlined the profile that was in Signature mode. However, in Figure I, our profile is in Anomaly Scoring mode with a threshold of 10. This particular anomaly contributed a sub-score of 5. Because the anomaly threshold was not met after identification of this particular anomaly, the WAF continued processing the request for additional anomalies. The next rule (rule ID 950005, “Remote File Access Attempt”), was then triggered and contributed an additional sub-score of 5. At that point, the cumulative anomaly score was 10, which triggered the profile’s threshold and caused the request to be identified as malicious.

{
  "Epoch Time": 1448318646.504353,
  "Profile Type": "PRODUCTION",
  "Client IP": "[redacted]",
  "Rule Message": "Inbound Anomaly Score Exceeded (Total Score: 10, SQLi=0, XSS=0): Last Matched Message: Remote File Access Attempt",
  "Sub Event Count": 2,
  "Timestamp": "2015-11-23T22:44:06.504353Z",
  "URL": "[redacted]",
  "Country Code": "[redacted]",
  "Rule Policy": "Inbound blocking",
  "Action Type": "ALERT",
  "Host": "[redacted]",
  "Instance Name": "Single Instance",
  "Profile Name": "Integrated Alerting ",
  "Rule Tags": "OWASP_CRS/ANOMALY/EXCEEDED",
  "Rule ID": 981176,
  "Sub Events": [
    {
      "Matched On": "REQUEST_HEADERS:User-Agent",
      "Rule Message": "Request Indicates a Security Scanner Scanned the Site",
      "Matched Data": ".tables where 2>1-- ../../../etc/passwd",
      "Total Anomaly Score": 5,
      "Rule ID": 990002,
      "Rule Severity": 2,
      "Matched Value": "sqlmap/1.0-dev-nongit-20150707 (http://sqlmap.org)"
    },
    {
      "Matched On": "ARGS_NAMES:bmHF=7267 AND 1=1 UNION ALL SELECT 1,2,3,table_name FROM information_schema.tables WHERE 2>1-- ../../../ etc/passwd",
      "Rule Message": "Remote File Access Attempt",
      "Matched Data": "/etc/",
      "Total Anomaly Score": 10,
      "Rule ID": 950005,
      "Rule Severity": 2,
      "Matched Value": "bmhf=7267 and 1=1 union all select 1 2 3 table_name from information_schema.tables where 2>1-- ../../../etc/passwd"
    }
  ],
  "User Agent": "sqlmap/1.0-dev-nongit-20150707 (http://sqlmap.org)",
  "id": "1WDgoTugFTw2VJZNwPrM0RJ2mxsHFH7mCbLLtEDXplc-1g5keUDNaVRelAy3gvaWZX6pV8v4yD7lUfBzPWRMLQ=="
}

[ Figure I ]
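Events shaped like Figure I are what an Audit Profile produces, and the question a practitioner asks of them is which threshold would have blocked what. The following added Python example (written for this page; not Verizon’s tooling) parses a constructed batch of such events, reads the running totals from the “Sub Events”, cross-checks them against the “Total Score” embedded in the “Rule Message”, and sweeps candidate thresholds. The sample events are constructed to mimic the Figure I layout with redacted fields dropped and payloads shortened, and the assumption that the audit profile ran in Anomaly Scoring mode with threshold 5 (so single-rule hits were logged as well) is mine.

```python
import json
import re

# Constructed audit-profile events modelled on the shape of Figure I.
SAMPLE_EVENTS = json.loads(r"""
[
  {"id": "evt-1", "Timestamp": "2015-11-23T22:44:06Z", "Action Type": "ALERT", "Rule ID": 981176,
   "Rule Message": "Inbound Anomaly Score Exceeded (Total Score: 10, SQLi=0, XSS=0): Last Matched Message: Remote File Access Attempt",
   "Sub Events": [
     {"Rule ID": 990002, "Rule Message": "Request Indicates a Security Scanner Scanned the Site", "Total Anomaly Score": 5},
     {"Rule ID": 950005, "Rule Message": "Remote File Access Attempt", "Total Anomaly Score": 10}]},
  {"id": "evt-2", "Timestamp": "2015-11-23T22:45:11Z", "Action Type": "ALERT", "Rule ID": 981176,
   "Rule Message": "Inbound Anomaly Score Exceeded (Total Score: 5, SQLi=0, XSS=0): Last Matched Message: Request Indicates a Security Scanner Scanned the Site",
   "Sub Events": [
     {"Rule ID": 990002, "Rule Message": "Request Indicates a Security Scanner Scanned the Site", "Total Anomaly Score": 5}]},
  {"id": "evt-3", "Timestamp": "2015-11-23T22:47:30Z", "Action Type": "ALERT", "Rule ID": 981176,
   "Rule Message": "Inbound Anomaly Score Exceeded (Total Score: 15, SQLi=0, XSS=0): Last Matched Message: Empty Host Header",
   "Sub Events": [
     {"Rule ID": 990002, "Rule Message": "Request Indicates a Security Scanner Scanned the Site", "Total Anomaly Score": 5},
     {"Rule ID": 950005, "Rule Message": "Remote File Access Attempt", "Total Anomaly Score": 10},
     {"Rule ID": 960007, "Rule Message": "Empty Host Header", "Total Anomaly Score": 15}]}
]
""")

TOTAL_RE = re.compile(r"Total Score: (\d+)")


def final_score(event):
    """Running total after the last sub event, cross-checked against the
    'Total Score' in the Rule Message when that message carries one."""
    subs = event.get("Sub Events", [])
    from_subs = subs[-1]["Total Anomaly Score"] if subs else 0
    m = TOTAL_RE.search(event.get("Rule Message", ""))
    if m and int(m.group(1)) != from_subs:
        raise ValueError(f"{event.get('id')}: message total {m.group(1)} "
                         f"!= sub-event total {from_subs}")
    return from_subs


def would_block(events, threshold):
    """IDs of events a block-mode profile with this threshold would have stopped."""
    return [e["id"] for e in events if final_score(e) >= threshold]


def threshold_sweep(events, thresholds):
    """How many logged requests each candidate threshold would have blocked."""
    return {t: len(would_block(events, t)) for t in thresholds}


def rule_contributions(events):
    """Per-rule sub-score totals (differences of consecutive running totals):
    the rule driving most of the score is the first candidate when tuning."""
    contrib = {}
    for e in events:
        prev = 0
        for s in e.get("Sub Events", []):
            contrib[s["Rule ID"]] = contrib.get(s["Rule ID"], 0) + s["Total Anomaly Score"] - prev
            prev = s["Total Anomaly Score"]
    return contrib


if __name__ == "__main__":
    print(threshold_sweep(SAMPLE_EVENTS, [5, 10, 15]))
    print(rule_contributions(SAMPLE_EVENTS))
```

On this sample a production threshold of 10 would have blocked two of the three logged requests and a threshold of 15 only one; the contribution table shows that rule 990002 fires in every event, which is the kind of signal that decides whether a rule is disabled or its weight is tolerated.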

The Verizon “professional services as a partnership” model

Verizon offers security expertise as a partnership model. Our security professionals act as your partners and are accessible at the time of your choosing. This support structure provides significant benefits to our customers:

• You gain direct access to security engineers who can step in when needed or collaborate with you to build features into the WAF. This informal advisory relationship allows for fast response and greater efficiency, which is in direct contrast to the legacy-cloud WAF model in which interactions are slow, inefficient and expensive.

• Our engineers are intimately familiar with the WAF and information security in general. Our experience and expertise allow us to perform fast evaluations and provide intelligent and actionable advice.

• We have been at the forefront of web security for years and have produced the Data Breach Investigation Report (DBIR) every year since 2008.

• You have the option of working with a dedicated security professional who is assigned to onboard your website to the WAF. The dedicated security professional will analyze your security needs, craft a custom WAF configuration in collaboration with your technical team, and monitor the WAF to fine-tune its settings to fit your needs. Once you are fully onboarded, the designated security professional can be further engaged to provide ongoing support. This support includes: reviewing significant WAF and security events, learning about changes in your technical environment, providing regular checkups on your WAF, and proposing WAF and security configuration changes based on event reviews, internet threat landscapes and customer input.

Closing: Why choose Verizon’s WAF to secure your website?

As the face of your business, your website needs to perform 24 x 7 x 365. A downed website can easily result in lost revenue and unhappy users. At Verizon, we know how important it is for you to maintain user satisfaction, but we also realize not every business is the same. Each business owner has unique and distinct needs in how they run their business. And this is exactly why we created a WAF that puts you in control of your website’s security.

With Verizon’s WAF you enjoy:

• An open box, third-generation version of WAF that empowers you to protect your websites on your own

• Complete visibility and control over all your WAF configurations, reports and logs

• The ability to monitor malicious traffic and explore activity on a deeper level with our WAF dashboard

• Limitless deployment options based on a ModSecurity framework

• Powerful performance and minimized delay leveraging Verizon’s 80+ Super PoPs and tens of terabits per second of capacity

• U.S.-based engineer support that’s always-on

• A flexible, partnership approach to professional services; you choose how much or how little you’d like for us to be involved

Verizon Digital Media Services’ next-generation platform brings together world-class technologies to prepare, deliver, display and monetize digital content so users can watch and enjoy on their terms. Built on one of the world’s largest networks, Verizon Digital Media Services empowers content providers to deliver great user experiences on every screen.

For more information on Verizon Digital Media Services, please visit VerizonDigitalMedia.com.

©2016 Verizon Digital Media Services