MORE INFORMATION AT NGINX.COM
NGINX Plus with ModSecurity WAF: Protect your applications
Faisal Memon, Product Marketer at NGINX, Inc.
Formerly:
• Technical Marketing Engineer, Riverbed
• Software Developer, Cisco Systems

Eric Lugo, Technical Solutions Architect at NGINX, Inc.
Formerly:
• Solutions Engineer, Cloudflare
About NGINX
• First OSS release in 2004
• Company founded in 2011
• VC-backed by industry leaders
• 190+ million open source users
• 1,000+ customers
• 120+ employees
Igor Sysoev, NGINX creator and founder
The Current Security Climate
• 50% increase in web app attacks and 125% increase in DDoS in the past year
• Krebs on Security: 620 Gbps DDoS attack using hacked IoT devices
  • Mirai source code released
  • Dyn hit with DDoS using Mirai
• Adult Friend Finder: user data compromised by LFI attack
• Democratic National Committee (DNC): emails hacked and released
  • Conspiracy against Bernie Sanders revealed
  • Head of DNC and 3 others forced to resign
• Code Spaces: went out of business after data was deleted by an attacker
Protecting Yourself
• Restrict recursive DNS requests to local hosts only, so your resolver cannot be used as an open reflector in amplification attacks
• Proactively keep PCs and endpoints patched and up to date
• Change all passwords to something not in a dictionary
• Don't use the same password for everything
• Validate and sanitize all input to web apps
• Use two-factor authentication
Protecting Yourself
• CDN services that can absorb large-scale DDoS attacks
  • Akamai, Cloudflare, Google Project Shield, etc.
• Network firewall
  • Palo Alto, Check Point, Cisco, pfSense, etc.
• Intrusion Prevention/Detection Systems (IPS/IDS)
• Security Information and Event Management (SIEM)
• Secure Web Gateway
• Web application firewall (WAF)
Comprehensive Protection for Critical Apps and Data
• SQL injection (SQLi)
• Local file inclusion (LFI)
• Remote file inclusion (RFI)
• Remote code execution (RCE)
• Cross-site request forgery (CSRF)
• Cross-site scripting (XSS)
• Credit card leakage
• HTTP protocol violations
ModSecurity Background
"...even when you understand web security it is difficult to produce secure code, especially when working under the pressure so common in today's software development projects."
—Ivan Ristic, ModSecurity creator
• Initial open source release in 2002
• Used by tens of thousands of websites today
• Over 3,000 downloads/month
• Large, active, and enthusiastic community backing
Why NGINX Plus with ModSecurity WAF?
• Cut costs
  • Over 66% savings in 5-year TCO vs. Imperva
• Software flexibility
  • Deploy on bare metal, containers, and public cloud
• Easy deployment
  • Install on standard Linux servers
  • Application delivery and security in one place
• Open platform
  • Standard PCRE regex-based rules language
• Helps meet PCI DSS Requirement 6.6, which accepts a WAF in front of public-facing web apps as one of its options
How to get ModSecurity WAF?
• Currently for non-production usage only
• Based on an early ModSecurity 3.0 release candidate
• Email [email protected] for access
ModSecurity Processing Phases
OWASP
• "Open Web Application Security Project"
• Non-profit organization providing open source tools
  • Core Rule Set (CRS)
    • Generic rules
    • Baseline for any app server
    • Low risk of false positives
    • Protects against SQL injection (SQLi), cross-site scripting (XSS), and many other attacks
  • OWASP Top 10 list: last updated in 2013, 2017 edition under research
• Support for CRS included with subscription
Performance
• Only run ModSecurity for dynamic content
• Bypass the OWASP rules for static assets and cache them
  • Images, CSS, JS, PDF, and other media files
• Use NGINX rate limiting
Caveats, Current State, and Missing Pieces
• Not yet included: public blacklists
  • IP reputation, Spamhaus, Project Honeypot, etc.
• Not yet included: response/request body streaming
  • On-the-fly HTML/JSON/XML body rewriting
• DoS protection
  • ModSecurity for NGINX does not include DoS protection
  • NGINX can already do this with limit_req_zone
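The following configuration is an added example for the "Processing Phases", "Performance" and "Caveats" slides above; it is not part of the deck and not NGINX's or ModSecurity's own sample code. It shows (1) NGINX serving static assets from cache with ModSecurity switched off, running the WAF only for dynamic locations, and supplying the DoS control with limit_req_zone, and (2) a minimal rules file with one rule per ModSecurity processing phase (1: request headers, 2: request body, 3: response headers, 4: response body, 5: logging). Assumptions, labelled in the comments: the directive names modsecurity and modsecurity_rules_file are those of the ModSecurity-nginx connector for libmodsecurity 3.x (the early 3.0 release candidate in the deck may differ), the module path, upstream address, file paths, CRS include paths and rule ids 1001-1005 are hypothetical, and the @verifyCC operator is assumed to be available in the build you run.

```nginx
# ---- /etc/nginx/nginx.conf (added example; paths and names are hypothetical) ----
load_module modules/ngx_http_modsecurity_module.so;   # assumed connector module path

events {}

http {
    # Rate limiting: the DoS control the deck says NGINX already provides.
    # 10 requests/second per client IP, state kept in a 10 MB shared zone.
    limit_req_zone $binary_remote_addr zone=per_ip:10m rate=10r/s;

    # Cache for static assets so they never reach the application or the WAF.
    proxy_cache_path /var/cache/nginx/static levels=1:2 keys_zone=static:10m
                     max_size=1g inactive=60m;

    upstream app_backend {
        server 127.0.0.1:8080;            # hypothetical application server
    }

    server {
        listen 80;
        server_name example.com;

        # Static assets: bypass ModSecurity and serve from cache.
        location ~* \.(?:css|js|png|jpe?g|gif|ico|svg|pdf|woff2?)$ {
            modsecurity off;              # assumed connector directive
            proxy_cache static;
            proxy_cache_valid 200 60m;
            proxy_pass http://app_backend;
        }

        # Everything else is dynamic: rate-limit first, then run the WAF.
        location / {
            limit_req zone=per_ip burst=20 nodelay;
            modsecurity on;               # assumed connector directive
            modsecurity_rules_file /etc/nginx/modsec/main.conf;
            proxy_pass http://app_backend;
        }
    }
}

# ---- /etc/nginx/modsec/main.conf (added example; rule ids are hypothetical) ----
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType text/html text/plain application/json

# Phase 1 (request headers): block well-known scanner User-Agents before the body is read.
SecRule REQUEST_HEADERS:User-Agent "@pm sqlmap nikto" \
    "id:1001,phase:1,deny,status:403,log,msg:'Known scanner User-Agent'"

# Phase 2 (request body): ARGS covers query-string and body parameters;
# urlDecodeUni catches double-encoded payloads.
SecRule ARGS "@rx (?i)\bunion\b.{0,40}\bselect\b" \
    "id:1002,phase:2,t:urlDecodeUni,deny,status:403,log,msg:'SQLi: UNION SELECT in parameter'"

# Phase 3 (response headers): headers are known, body not yet read.
SecRule RESPONSE_STATUS "@streq 500" \
    "id:1003,phase:3,pass,log,msg:'Upstream returned 500'"

# Phase 4 (response body): credit card leakage check on the buffered response
# (@verifyCC applies the Luhn check to candidate digit runs).
SecRule RESPONSE_BODY "@verifyCC \d{13,16}" \
    "id:1004,phase:4,deny,status:403,log,msg:'Possible credit card number in response'"

# Phase 5 (logging): runs after the response is sent; can only log, not block.
SecAction "id:1005,phase:5,pass,log,msg:'Request processed'"

# Load the OWASP Core Rule Set after the local rules (paths assumed).
Include /etc/nginx/modsec/crs/crs-setup.conf
Include /etc/nginx/modsec/crs/rules/*.conf
```

Two practical points: with modsecurity off in the static location, a request like /static/app.js?id=1%20UNION%20SELECT is never inspected, which is exactly the trade-off the Performance slide makes, so keep the regex tight to true asset extensions; and because phase 4 rules need the whole response buffered, enable SecResponseBodyAccess only for the MIME types you actually want scanned.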
Demo
Summary
• All applications are now targets for attackers
• NGINX Plus with ModSecurity WAF protects against a broad range of attacks
• Cut costs and gain flexibility compared to other leading WAFs
• ModSecurity has 5 processing phases and is anchored by the OWASP Core Rule Set
• Improve performance by bypassing static content
• Email [email protected] to get early access