Web Application Firewalls: When Are They Useful?

Ivan Ristic, Thinking Stone
ivanr@webkreator.com
+44 7766 508 210

OWASP AppSec Europe, May 2006
http://www.owasp.org/

Copyright © 2006 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.

Ivan Ristic

Web Application Security specialist/developer.
Author of Apache Security.
Founder of Thinking Stone.
Author of ModSecurity.

Why Use Web Application Firewalls?

In a nutshell:
1. Web applications are deployed terribly insecure.
2. Developers should, of course, continue to strive to build better/more secure software.
3. But in the meantime, sysadmins must do something about it. (Or, as I like to say: we need every help we can get.)
4. Insecure applications aside, WAFs are an important building block in every HTTP network.

Network Firewalls Do Not Work For HTTP

[Diagram: Web Client -> Firewall -> Web Server -> Application -> Database Server. Port 80 HTTP traffic passes straight through the firewall to the web server, the application and the database server behind it.]

WAFEC (1)

Web Application Firewall Evaluation Criteria.
v1.0 published in January. We are about to start work on 1.1.
http://webappsec.org/

WAFEC (2)

Nine sections:
1. Deployment Architecture
2. HTTP and HTML Support
3. Detection Techniques
4. Prevention Techniques
5. Logging
6. Reporting
7. Management
8. Performance
9. XML

WAFEC (3)

WAFEC is not for the vendors. It's for the users! (So please voice your opinions!)
http://www.webappsec.org/projects/wafec/

WAF Identity Problem (2)

There are four aspects to consider:
1. Audit device
2. Access control device
3. Layer 7 router/switch
4. Web Application Hardening tool
These are all valid requirements, but the name Web Application Firewall is not suitable. On the lower network layers we have a different name for each function.

WAF Identity Problem (3)

Appliance-oriented web application firewalls clash with the Application Assurance market. Problems solved a long time ago:
  Load balancing
  Clustering
  SSL termination and acceleration
  Caching and transparent compression
  URL rewriting
  and so on

WAF Identity Problem (4)

Key factors:
1. Application Assurance vendors are very strong.
2. Web Application Firewall vendors not as much.
Result: appliance-oriented WAFs are being assimilated by the Application Assurance market.
In the meantime: embedded WAFs are left alone because they are not an all-or-nothing proposition.

WAF Functionality Overview

The Essentials (1)

Full support for HTTP:
  Access to individual fields (field content, length, field count, etc.).
  Entire transaction (both request and response).
  Uploaded files.
Anti-evasion features (also known as normalisation/canonicalisation/transformation features).

The Essentials (2)

Blocking features:
  Transaction
  Connection
  IP address
  Session
  User
  Honeypot redirection
  TCP/IP resets (connection)
  Blocking via external device
What happens upon detection?

Fancy Features

Stateful operation:
  IP address data
  Session data
  User data
  Event correlation
High availability:
  Failover
  Load-balancing
  Clustering
  State replication

Hard-Coded Protection Techniques (1)

Cookie protection: sign/encrypt/virtualise.
Hidden field protection: sign/encrypt/virtualise.
Session management protection: enforce session duration timeout, inactivity timeout. Prevent fixation. Virtualise session management. Prevent hi

Hard-Coded Protection Techniques (2)

Brute-force protection.
Link validation: signing, virtualisation.
Request flow enforcement: statically, dynamically.
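The cookie, hidden-field and link signing on the two slides above, as an added example (not code from the talk or from ModSecurity): a reverse proxy wraps the application's session cookie with issue and last-seen timestamps and an HMAC, signs the hidden fields of outbound forms and the parameters of outbound links, and verifies all three on the way back in. The key, the timeouts, the `.`-separated cookie format and the `__sig`/`sig` field names are assumptions of the example.

```python
# Added example: proxy-side signing of cookies, hidden fields and links. Not ModSecurity code.
import hmac
import hashlib
from urllib.parse import urlsplit, parse_qsl, urlencode

PROXY_KEY = b"assumed-proxy-only-secret-rotate-in-production"  # assumption: known only to the proxy
MAX_SESSION_AGE = 8 * 3600  # absolute session duration timeout, seconds (assumed policy)
MAX_IDLE = 30 * 60          # inactivity timeout, seconds (assumed policy)


def mac(*parts: str) -> str:
    """HMAC-SHA256 over the parts, joined with a separator so that ("ab", "c")
    and ("a", "bc") never share a tag; truncated to 128 bits to keep cookies short."""
    msg = "\x1f".join(parts).encode()
    return hmac.new(PROXY_KEY, msg, hashlib.sha256).hexdigest()[:32]


# Cookie protection: the application's cookie value is wrapped on the way out.
def wrap_cookie(value: str, now: float) -> str:
    """Outbound Set-Cookie: value.issued.last_seen.tag (the format is an assumption)."""
    issued = seen = str(int(now))
    return ".".join([value, issued, seen, mac("cookie", value, issued, seen)])


def unwrap_cookie(wrapped: str, now: float):
    """Inbound Cookie. Returns (application value, refreshed wrapper), or None when the
    tag is bad (tampered, or fixated: we never issued it) or a timeout has expired."""
    try:
        value, issued, seen, tag = wrapped.rsplit(".", 3)
    except ValueError:
        return None
    if not hmac.compare_digest(tag, mac("cookie", value, issued, seen)):
        return None
    if now - int(issued) > MAX_SESSION_AGE or now - int(seen) > MAX_IDLE:
        return None
    seen = str(int(now))  # slide the inactivity window on every valid request
    return value, ".".join([value, issued, seen, mac("cookie", value, issued, seen)])


# Hidden field protection: sign the hidden inputs the application emitted in a form.
def sign_hidden_fields(hidden: dict) -> dict:
    """Return the fields plus a __sig field naming what it covers and carrying the tag."""
    names = ",".join(sorted(hidden))
    return {**hidden, "__sig": names + ":" + mac("hidden", urlencode(sorted(hidden.items())))}


def verify_hidden_fields(posted: dict) -> bool:
    """Recompute the tag over the covered fields in the POST body; any change or removal fails."""
    names, _, tag = posted.get("__sig", "").partition(":")
    try:
        covered = [(k, posted[k]) for k in sorted(names.split(","))] if names else []
    except KeyError:
        return False
    return bool(names) and hmac.compare_digest(tag, mac("hidden", urlencode(covered)))


# Link validation by signing: path and query get a sig parameter appended on the way out.
def sign_link(url: str) -> str:
    parts = urlsplit(url)
    base = parts.path + ("?" + parts.query if parts.query else "")
    return base + ("&" if parts.query else "?") + urlencode({"sig": mac("link", base)})


def verify_link(url: str) -> bool:
    """Accept only links we signed; sig must be the last parameter and cover the rest."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if not pairs or pairs[-1][0] != "sig":
        return False
    rest = urlencode(pairs[:-1])
    base = parts.path + ("?" + rest if rest else "")
    return hmac.compare_digest(pairs[-1][1], mac("link", base))
```

The proxy rejects anything it did not issue, which is also what stops session fixation: an attacker-supplied session identifier arrives without a valid wrapper and never reaches the application. Both timeouts are enforced from the signed timestamps, so the application's own session handling stays untouched.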

Other Things To Consider (2)

Extensibility:
  Is it possible to add custom functionality to the firewall?
  Is the source code available? (But not as a replacement for a proper API.)
Performance:
  New connections per second.
  Maximum concurrent connections.
  Transactions per second.
  Throughput.
  Latency.

Signatures and Rules

Signatures or Rules?

1. Signatures: simple text strings or regular expression patterns matched against input data. Not very flexible.
2. Rules:
  1. Flexible.
  2. Multiple operators.
  3. Rule groups.
  4. Anti-evasion functions.
  5. Logical expressions.
  6. Custom variables.

Three Protection Strategies

1. External patching. Also known as
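The following is an added example, not ModSecurity's engine or rule language, written to show three things from the slides above in one place: the anti-evasion transformations listed under The Essentials (1), the difference between a plain signature and a rule that carries operators, a transformation chain, rule groups and custom variables, and an external patch expressed as a single rule for an assumed vulnerable parameter. The request format, the rule fields, the group names, the `id` parameter and the scores are assumptions of the example.

```python
# Added example: a minimal rule engine to contrast signatures with rules. Not ModSecurity's.
import re
from dataclasses import dataclass, field
from urllib.parse import unquote, parse_qsl, urlsplit


def url_decode(s: str, rounds: int = 3) -> str:
    """Bounded repeated decoding: %2527 -> %27 -> ' must not slip past a single decode."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


# Anti-evasion transformations (normalisation/canonicalisation), applied per rule, in order.
TRANSFORMS = {
    "urlDecode": url_decode,
    "lowercase": str.lower,
    "removeNulls": lambda s: s.replace("\x00", ""),
    "removeComments": lambda s: re.sub(r"/\*.*?\*/", " ", s, flags=re.S),
    "compressWhitespace": lambda s: re.sub(r"\s+", " ", s).strip(),
}


def signature_match(pattern: str, raw_request_line: str) -> bool:
    """What a plain signature does: one regex over the raw input, no normalisation."""
    return re.search(pattern, raw_request_line, re.IGNORECASE) is not None


@dataclass
class Rule:
    rid: int
    targets: list           # "ARGS", "ARGS:id", "REQUEST_URI", "REQUEST_HEADERS:User-Agent", "TX:score"
    op: str                 # "rx": regex matches; "!rx": regex does not match; "ge": numeric >=
    pattern: str
    transforms: list = field(default_factory=list)
    action: str = "deny"    # "deny", or "setvar:NAME=+N" to raise a custom (TX) variable
    group: str = "default"  # rule group; only enabled groups are evaluated


@dataclass
class Request:
    uri: str                                   # request target with the query still encoded
    headers: dict = field(default_factory=dict)


def collect(req: Request, target: str, tx: dict) -> list:
    """Expand a target name into (name, value) pairs, like a WAF variable collection."""
    kind, _, sel = target.partition(":")
    if kind == "REQUEST_URI":
        return [("REQUEST_URI", req.uri)]
    if kind == "ARGS":
        args = parse_qsl(urlsplit(req.uri).query, keep_blank_values=True)
        return [(k, v) for k, v in args if not sel or k == sel]
    if kind == "REQUEST_HEADERS":
        return [(k, v) for k, v in req.headers.items() if not sel or k.lower() == sel.lower()]
    if kind == "TX":
        return [(sel, str(tx.get(sel, 0)))]
    raise ValueError(f"unknown target {target}")


def evaluate(rules: list, req: Request, enabled_groups=("default",)):
    """Run the enabled rules in order. Returns (decision, matched rule ids, TX variables)."""
    tx, matched = {}, []
    for rule in rules:
        if rule.group not in enabled_groups:
            continue
        hit = False
        for target in rule.targets:
            for _name, raw in collect(req, target, tx):
                value = raw
                for t in rule.transforms:
                    value = TRANSFORMS[t](value)
                if rule.op == "rx":
                    hit = re.search(rule.pattern, value) is not None
                elif rule.op == "!rx":
                    hit = re.search(rule.pattern, value) is None
                else:  # "ge"
                    hit = int(value) >= int(rule.pattern)
                if hit:
                    break
            if hit:
                break
        if not hit:
            continue
        matched.append(rule.rid)
        if rule.action == "deny":
            return "deny", matched, tx
        name, _, delta = rule.action[len("setvar:"):].partition("=+")
        tx[name] = tx.get(name, 0) + int(delta)
    return "allow", matched, tx


RULES = [
    # Negative model with anti-evasion: a SQL keyword pair in any argument, after normalisation.
    Rule(1001, ["ARGS"], "rx", r"\bunion\s+select\b",
         transforms=["urlDecode", "removeNulls", "removeComments", "compressWhitespace", "lowercase"]),
    # External patch for an assumed vulnerable handler whose "id" must be numeric: a positive
    # check for that one parameter, deployed at the WAF without touching the application.
    Rule(2001, ["ARGS:id"], "!rx", r"^\d{1,10}$", group="virtual-patch"),
    # A scoring group: rules raise a custom variable and a final rule decides on the total.
    Rule(3001, ["REQUEST_HEADERS:User-Agent"], "rx", r"^(?:sqlmap|nikto)\b",
         transforms=["lowercase"], action="setvar:score=+3", group="scoring"),
    Rule(3002, ["ARGS"], "rx", r"(?:\.\./){2,}", transforms=["urlDecode"],
         action="setvar:score=+3", group="scoring"),
    Rule(3999, ["TX:score"], "ge", "5", group="scoring"),
]
```

The signature `union\s+select` never sees `UNION/**/SeLeCt` because it looks at the raw bytes; rule 1001 sees it only because the comment is stripped and whitespace compressed before the operator runs. Rule 2001 is the external patch: it is kept in its own group so it can be switched on for the one application that needs it and off again once the code is fixed.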

Auditing and HTTP Traffic Monitoring

Web Intrusion Detection

Often forgotten because of marketing pressures: detection is so last year (decade). Prevention sounds and sells much better!
The problem with prevention is that it is bound to fail given a sufficiently determined attacker (or an inexperienced WAF operator).
Monitoring (logging and detection) is actually more important, as it allows you to independently audit traffic and go back in time.

Monitoring Requirements

Centralisation.
Transaction data storage.
Control over which transactions are logged and which parts of each transaction are logged, dynamically on a per-transaction basis:
  Minimal information (session data).
  Partial transaction data.
  Full transaction data.
Support for data sanitisation.
Can implement your retention policy.
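One way to meet the per-transaction logging and sanitisation requirements above, as an added example that is not ModSecurity's audit log or code from the talk: the level of detail is decided per transaction from the detection outcome and the response status, secrets are masked before the record is written, and a retention class is attached for the storage tier to act on. The field names, the lists of sensitive fields and headers, and the retention periods are assumptions.

```python
# Added example: per-transaction audit logging with sanitisation. Not ModSecurity's audit log.
import json
import re
from dataclasses import dataclass, field

# Assumed lists of what must never reach the audit store in clear.
SENSITIVE_ARGS = ("password", "passwd", "pin", "card_number")
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie"}
FIELD_RE = re.compile(r"(?i)\b(" + "|".join(SENSITIVE_ARGS) + r")=[^&]*")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
RETENTION = {"minimal": "30d", "partial": "90d", "full": "365d"}  # assumed retention policy


@dataclass
class Transaction:
    client_ip: str
    method: str
    uri: str
    request_headers: dict
    request_body: str
    status: int
    response_headers: dict
    response_body: str
    session_id: str = ""
    verdict: str = "allow"                     # outcome of the detection engine
    matched_rules: list = field(default_factory=list)


def sanitise_headers(headers: dict) -> dict:
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_HEADERS else v) for k, v in headers.items()}


def sanitise_text(text: str) -> str:
    """Mask secret form fields by name, then anything that still looks like a card number."""
    text = FIELD_RE.sub(lambda m: m.group(1) + "=[REDACTED]", text)
    return CARD_RE.sub("[CARD]", text)


def choose_level(tx: Transaction) -> str:
    """The per-transaction decision: minimal for routine traffic, partial when the
    application failed the request, full whenever detection fired."""
    if tx.verdict == "deny" or tx.matched_rules:
        return "full"
    if tx.status >= 400:
        return "partial"
    return "minimal"


def audit_record(tx: Transaction) -> dict:
    level = choose_level(tx)
    rec = {"level": level, "retention": RETENTION[level], "client_ip": tx.client_ip,
           "session_id": tx.session_id, "method": tx.method, "uri": sanitise_text(tx.uri),
           "status": tx.status, "verdict": tx.verdict, "rules": list(tx.matched_rules)}
    if level in ("partial", "full"):              # request side only
        rec["request_headers"] = sanitise_headers(tx.request_headers)
        rec["request_body"] = sanitise_text(tx.request_body)
    if level == "full":                           # both sides of the transaction
        rec["response_headers"] = sanitise_headers(tx.response_headers)
        rec["response_body"] = CARD_RE.sub("[CARD]", tx.response_body)
    return rec


def audit_line(tx: Transaction) -> str:
    """One JSON line per transaction, the unit shipped to the central store."""
    return json.dumps(audit_record(tx), sort_keys=True)
```

Sanitisation runs before the record exists anywhere, so a later request to go back in time through the archive cannot turn up passwords or card numbers that were only ever needed by the application. The retention tag travels with each line, which lets the central store apply the policy per level rather than per file.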

Deployment

Three choices when it comes to deployment:
1. Network-level device.
2. Reverse proxy.
3. Embedded in web server.

Deployment (3)

2. Reverse proxy: typically requires network re-configuration.

Deployment (4)

3. Embedded: does not require network re-configuration.

Deployment (5)

1. Network passive:
  Does not affect performance.
  Easy to add.
  Not a bottleneck or a point of failure.
  Limited prevention options.
  Must have copies of SSL keys.
2. Network in-line:
  A potential bottleneck.
  Point of failure.
  Must have copies of SSL keys.
  Easy to add.

Deployment (6)

3. Reverse proxy:
  A potential bottleneck.
  Point of failure.
  Requires changes to the network (unless it's a transparent reverse proxy).
  Must terminate SSL (can be a problem if the application needs to access client certificate data).
  It's a separate architecture/security layer.
4. Embedded:
  Easy to add (and usually much cheaper).
  Not a point of failure.
  Uses web server resources.

Reverse Proxy As a Building Block

Reverse proxy patterns:
1. Front door
2. Integration reverse proxy
3. Protection reverse proxy
4. Performance reverse proxy
5. Scalability reverse proxy
Logical patterns, orthogonal to each other. Often deployed as a single physical reverse proxy.

Front Door (1/5)

Make all HTTP traffic go through the proxy. Centralisation makes access control, logging, and monitoring easier.

Integration Reverse Proxy (2/5)

Combine multiple web servers into one. Hide the internals. Decouple interface from implementation.

Protection Reverse Proxy (3/5)

Observes traffic in and out. Blocks invalid requests and attacks. Prevents information disclosure.

Performance Reverse Proxy (4/5)

Transparent caching. Transparent response compression. SSL termination.

Open Source Approach: Apache & ModSecurity

Apache

One of the most used open source products. Available on many platforms. Free, fast, stable and reliable. Expertise widely available.
Apache 2.2.x (finally!) released with many improvements:
  Improved authentication.
  Improved support for caching.
  Significant improvements to the mod_proxy code (and load balancing support).
Ideal reverse proxy.

ModSecurity

Adds WAF functionality to Apache. In the 4th year of development. Free, open source, commercially supported. Implements most WAF features (and the remaining ones are coming soon). Popular and very widely used. Fast, reliable and predictable.

Apache & ModSecurity

Deploy as reverse proxy:
  Pick a nice server (I am quite fond of Sun's hardware offerings myself).
  Install Apache 2.2.x.
  Add ModSecurity.
  Add SSL acceleration card (optional).
Or simply run ModSecurity in embedded mode.

ModSecurity

Strong areas:
  Auditing/logging support.
  Real-time traffic monitoring.
  Just-in-time patching.
  Prevention: very configurable/programmable.
Weak areas:
  No automation of the positive security model approach yet.

Thank you!

Download this presentation from http://www.thinkingstone.com/talks
Questions?