Web Application Firewalls
Copyright © 2006 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License.
The OWASP Foundation
OWASP AppSec Europe, May 2006
http://www.owasp.org/

Web Application Firewalls: When Are They Useful?
Ivan Ristic
Thinking Stone
ivanr@webkreator.com
OWASP AppSec Europe 2006

Ivan Ristic

- Web Application Security specialist, developer.
- Author of Apache Security.
- Founder of Thinking Stone.
- Author of ModSecurity.
Why Use Web Application Firewalls?

In a nutshell:
1. Web applications, as deployed, are terribly insecure.
2. Developers should, of course, continue to strive to build better/more secure software.
3. But in the meantime, sysadmins must do something about it. (Or, as I like to say: we need all the help we can get.)
4. Insecure applications aside, WAFs are an important building block in every HTTP network.
Network Firewalls Do Not Work For HTTP

[Diagram: the network firewall lets port 80 HTTP traffic straight through, from the web client to the web server and on to the applications and the database server behind it.]
WAFEC (1)

- Web Application Firewall Evaluation Criteria.
- Project of the Web Application Security Consortium (webappsec.org).
- It's an open project.
- Nine WAF vendors on board, but I'd like to see more users on the list.
- WAFEC v1.0 published in January.
- We are about to start work on v1.1.
WAFEC (2)

Nine sections:
1. Deployment Architecture
2. HTTP and HTML Support
3. Detection Techniques
4. Prevention Techniques
5. Logging
6. Reporting
7. Management
8. Performance
9. XML
WAFEC (3)

WAFEC is not for the vendors. It's for the users.
(So please voice your opinions!)
http://www.webappsec.org/projects/wafec/
WAF Identity Problem (1)

- There is a long-standing WAF identity problem.
- With the name, first of all…:

Web Adaptive Firewall
Web Application Firewall
Web Application Security Device
Web Application Proxy
Web Application Shield
Web Shield
Web Security Firewall
Web Security Gateway
Web Security Proxy
Web Intrusion Detection System
Web Intrusion Prevention System
Adaptive Firewall
Adaptive Proxy
Adaptive Gateway
Application Firewall
Application-level Firewall
Application-layer Firewall
Application-level Security Gateway
Application Level Gateway
Application Security Device
Application Security Gateway
Stateful Multilayer Inspection Firewall

List compiled by Achim Hoffmann.
WAF Identity Problem (2)

There are four aspects to consider:
1. Audit device
2. Access control device
3. Layer 7 router/switch
4. Web Application Hardening tool

- These are all valid requirements but the name Web Application Firewall is not suitable.
- On the lower network layers we have a different name for each function.
WAF Identity Problem (3)

- Appliance-oriented web application firewalls clash with the Application Assurance market.
- Problems solved a long time ago:
  - Load balancing
  - Clustering
  - SSL termination and acceleration
  - Caching and transparent compression
  - URL rewriting
  - …and so on
WAF Identity Problem (4)

Key factors:
1. Application Assurance vendors are very strong.
2. Web Application Firewall vendors not as much.

Result:
- Appliance-oriented WAFs are being assimilated by the Application Assurance market.

In the meantime:
- Embedded WAFs are left alone because they are not an all-or-nothing proposition.
WAF Functionality Overview
The Essentials (1)

- Full support for HTTP:
  - Access to individual fields (field content, length, field count, etc.).
  - Entire transaction (both request and response).
  - Uploaded files.
- Anti-evasion features (also known as normalisation/canonicalisation/transformation features).
The Essentials (2)

- Blocking features:
  - Transaction
  - Connection
  - IP Address
  - Session
  - User
  - Honeypot redirection
  - TCP/IP resets (connection)
  - Blocking via external device
- What happens upon detection?
Fancy Features

- Stateful operation:
  - IP Address data
  - Session data
  - User data
  - Event Correlation
- High availability:
  - Failover
  - Load-balancing
  - Clustering
  - State replication
Hard-Coded Protection Techniques (1)

- Cookie protection
  - Sign/encrypt/virtualise
- Hidden field protection
  - Sign/encrypt/virtualise
- Session management protection
  - Enforce session duration timeout, inactivity timeout.
  - Prevent fixation.
  - Virtualise session management.
  - Prevent hijacking or at least warn about it.
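The "sign" option for cookies and hidden fields, as an added illustration that is not code from the talk or from ModSecurity: the WAF appends an HMAC to each protected value on the way out and refuses, on the way back in, any value that is missing, unsigned or modified. The key, the field names and the form dictionaries are constructed for the example.

```python
import base64
import hashlib
import hmac
from typing import Dict, List, Optional

# Constructed key for this example; a deployment loads its own from configuration.
SECRET_KEY = b"example-signing-key-not-for-production"
PROTECTED_FIELDS = {"role", "price"}   # hidden fields the WAF signs on the way out

def _mac(value: str) -> str:
    digest = hmac.new(SECRET_KEY, value.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")

def sign_value(value: str) -> str:
    """Outbound: rewrite a cookie or hidden-field value to value.mac."""
    return f"{value}.{_mac(value)}"

def verify_value(signed: str) -> Optional[str]:
    """Inbound: return the original value if the MAC is valid, otherwise None."""
    value, sep, mac = signed.rpartition(".")
    if not sep:
        return None                      # never signed: a client-supplied value
    if not hmac.compare_digest(mac.encode("utf-8"), _mac(value).encode("utf-8")):
        return None                      # modified after the server sent it
    return value

def protect_form(fields: Dict[str, str]) -> Dict[str, str]:
    """Response side: sign every protected hidden field before it reaches the browser."""
    return {k: sign_value(v) if k in PROTECTED_FIELDS else v for k, v in fields.items()}

def check_form(fields: Dict[str, str]) -> List[str]:
    """Request side: names of protected fields that are missing, unsigned or tampered."""
    bad = []
    for name in PROTECTED_FIELDS:
        if name not in fields or verify_value(fields[name]) is None:
            bad.append(name)
    return sorted(bad)

def unwrap_form(fields: Dict[str, str]) -> Dict[str, str]:
    """After check_form passes: strip the MACs so the application sees plain values."""
    return {k: (verify_value(v) if k in PROTECTED_FIELDS else v) for k, v in fields.items()}
```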
Hard-Coded Protection Techniques (2)

- Brute-force protection
- Link validation
  - Signing
  - Virtualisation
- Request flow enforcement
  - Statically
  - Dynamically
Other Things To Consider (1)

- Management:
  - Is it possible to manage multiple sensors from one place?
  - Support for administrative accounts with different privileges (both horizontal and vertical).
- Reporting (giving Management what it wants):
  - On-demand and scheduled reports with support for cus
- XML:
  - WAFs are expected to provide basic support for XML parsing and validation.
  - Full XML support is usually available as an option, or as a completely separate product.
Other Things To Consider (2)

- Extensibility:
  - Is it possible to add custom functionality to the firewall?
  - Is the source code available? (But not as a replacement for a proper API.)
- Performance:
  - New connections per second.
  - Maximum concurrent connections.
  - Transactions per second.
  - Throughput.
  - Latency.
Signatures and Rules
Signatures or Rules?

1. Signatures
  - Simple text strings or regular expression patterns matched against input data.
  - Not very flexible.
2. Rules
  1. Flexible.
  2. Multiple operators.
  3. Rule groups.
  4. Anti-evasion functions.
  5. Logical expressions.
  6. Custom variables.
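An added example, not taken from the talk and not ModSecurity's own rule language, that puts the two points above together: the same `<script` signature misses URL-encoded and mixed-case input, while a rule that runs anti-evasion transformations first (the Essentials slide's normalisation features) and combines several operators in a group catches them. The requests and the rule names are constructed for the example.

```python
import re
import urllib.parse
from typing import Callable, Dict, List

# Constructed sample requests (parsed ARGS), not taken from the talk.
REQUESTS = {
    "plain":          {"q": "<script>alert(1)</script>"},
    "url_encoded":    {"q": "%3Cscript%3Ealert(1)%3C/script%3E"},
    "mixed_case":     {"q": "<ScRiPt>alert(1)</ScRiPt>"},
    "double_encoded": {"q": "%253Cscript%253E"},
    "benign":         {"q": "web application firewalls"},
}
SIGNATURE = re.compile(r"<script")

def signature_match(args: Dict[str, str]) -> bool:
    """A plain signature: the pattern is matched against the raw input as received."""
    return any(SIGNATURE.search(v) for v in args.values())

# Anti-evasion (normalisation) function; a rule applies such functions before matching.
def url_decode(s: str, rounds: int = 3) -> str:
    """Decode repeatedly, with a bound, so double-encoded input cannot slip past."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

class Rule:
    """A rule = transformations to apply + an operator evaluated on the normalised value."""
    def __init__(self, name: str, transformations: List[Callable[[str], str]],
                 operator: Callable[[str], bool]) -> None:
        self.name, self.transformations, self.operator = name, transformations, operator

    def normalise(self, value: str) -> str:
        for t in self.transformations:
            value = t(value)
        return value

    def matches(self, args: Dict[str, str]) -> bool:
        return any(self.operator(self.normalise(v)) for v in args.values())

# A rule group: different operators (regex, length) run on the same normalised input.
RULES = [
    Rule("xss-script-tag", [url_decode, str.lower], lambda v: re.search(r"<script", v) is not None),
    Rule("oversized-arg", [url_decode], lambda v: len(v) > 200),
]

def rule_match(args: Dict[str, str]) -> List[str]:
    return [r.name for r in RULES if r.matches(args)]   # every rule in the group that fires
```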
Three Protection Strategies

1. External patching
  - Also known as "just-in-time patching" or "virtual patching".
2. Negative security model
  - Looking for bad stuff.
  - Typically used for Web Intrusion Detection.
  - Easy to start with but difficult to get right.
3. Positive security model
  - Verifying input is correct.
  - Usually automated, but very difficult to get right with applications that change.
  - It's very good but you need to set your expectations accordingly.
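A minimal automated positive security model, added here as an illustration rather than code from the talk: a profile for one resource is learned from traffic assumed to be clean (parameter names, the widest character class and the longest length seen), and anything outside the profile is rejected. The last check in the test shows the caveat from the slide: when the application grows a new parameter, the learned model flags legitimate requests until it is re-trained. Training data and class names are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed training traffic for one resource, as a learning phase would see it.
TRAINING = [
    {"id": "17",   "sort": "asc"},
    {"id": "42",   "sort": "desc"},
    {"id": "1234", "sort": "asc"},
]

# Character classes from narrowest to broadest; learning widens, never narrows.
CLASSES = ["digits", "alpha", "alnum", "any"]
PATTERNS = {
    "digits": re.compile(r"^[0-9]+$"),
    "alpha":  re.compile(r"^[A-Za-z]+$"),
    "alnum":  re.compile(r"^[A-Za-z0-9_-]+$"),
}

def classify(value: str) -> str:
    for cls in CLASSES[:-1]:
        if PATTERNS[cls].match(value):
            return cls
    return "any"

Profile = Dict[str, Tuple[str, int]]   # name -> (widest class seen, longest length seen)

def learn_profile(samples: List[Dict[str, str]]) -> Profile:
    """Build the positive model from observed (assumed clean) traffic."""
    profile: Profile = {}
    for args in samples:
        for name, value in args.items():
            cls, length = profile.get(name, ("digits", 0))
            wider = max(cls, classify(value), key=CLASSES.index)
            profile[name] = (wider, max(length, len(value)))
    return profile

def validate(args: Dict[str, str], profile: Profile) -> List[Tuple[str, str]]:
    """Reject anything the model has not seen: unknown names, wider classes, longer values."""
    problems = []
    for name, value in args.items():
        if name not in profile:
            problems.append((name, "unknown parameter"))
            continue
        cls, max_len = profile[name]
        if CLASSES.index(classify(value)) > CLASSES.index(cls):
            problems.append((name, f"value is '{classify(value)}', model allows '{cls}'"))
        elif len(value) > max_len:
            problems.append((name, f"length {len(value)} exceeds learned {max_len}"))
    return problems
```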
Auditing and HTTP Traffic Monitoring
Web Intrusion Detection

- Often forgotten because of marketing pressures:
  - Detection is so last year (decade).
  - Prevention sounds and sells much better!
- The problem with prevention is that it is bound to fail given a sufficiently determined attacker (or an inexperienced WAF operator).
- Monitoring (logging and detection) is actually more important, as it allows you to independently audit traffic and go back in time.
Monitoring Requirements

- Centralisation.
- Transaction data storage.
- Control over which transactions are logged and which parts of each transaction are logged, decided dynamically on a per-transaction basis:
  - Minimal information (session data).
  - Partial transaction data.
  - Full transaction data.
- Support for data sanitisation.
- Can implement your retention policy.
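The per-transaction logging decision and the sanitisation requirement, as an added example that is not code from the talk or from any WAF product: each transaction is kept at minimal, partial or full detail depending on its outcome, and sensitive parameters are masked before anything is written. The transactions, field names and the choice of thresholds are constructed for the example.

```python
from typing import Any, Dict, List

SENSITIVE_ARGS = {"password", "card_number"}   # never stored in clear, whatever the detail level

# Constructed transactions, in the shape a WAF would hand to its audit logger.
TRANSACTIONS = [
    {"id": "tx-1", "client": "198.51.100.7", "session": "s1", "method": "POST", "uri": "/login",
     "status": 200, "args": {"user": "alice", "password": "hunter2"}, "matched_rules": [],
     "response_body": "<html>welcome</html>"},
    {"id": "tx-2", "client": "198.51.100.7", "session": "s1", "method": "POST", "uri": "/login",
     "status": 401, "args": {"user": "alice", "password": "wrong"}, "matched_rules": [],
     "response_body": "<html>denied</html>"},
    {"id": "tx-3", "client": "203.0.113.9", "session": "s2", "method": "GET", "uri": "/search",
     "status": 200, "args": {"q": "<script>alert(1)</script>"}, "matched_rules": ["xss-script-tag"],
     "response_body": "<html>no results</html>"},
]

def choose_detail(tx: Dict[str, Any]) -> str:
    """Per-transaction decision: how much of this transaction is worth keeping."""
    if tx["matched_rules"]:
        return "full"          # suspicious: keep request and response for later audit
    if tx["status"] >= 400:
        return "partial"       # errors: keep the request so failures can be investigated
    return "minimal"           # routine traffic: session data only

def sanitise_args(args: Dict[str, str]) -> Dict[str, str]:
    """Mask sensitive parameters but preserve their length for the audit trail."""
    return {k: ("*" * len(v) if k.lower() in SENSITIVE_ARGS else v) for k, v in args.items()}

def build_audit_record(tx: Dict[str, Any]) -> Dict[str, Any]:
    detail = choose_detail(tx)
    record = {k: tx[k] for k in ("id", "client", "session", "method", "uri", "status")}
    record["detail"] = detail
    if detail in ("partial", "full"):
        record["args"] = sanitise_args(tx["args"])
    if detail == "full":
        record["matched_rules"] = list(tx["matched_rules"])
        record["response_body"] = tx["response_body"]
    return record

def audit_log(transactions: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    return [build_audit_record(tx) for tx in transactions]
```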
Deployment

Deployment

Three choices when it comes to deployment:
1. Network-level device.
2. Reverse proxy.
3. Embedded in web server.
Deployment (2)

1. Network-level device
Does not require network re-configuration.

Deployment (3)

2. Reverse proxy
Typically requires network re-configuration.

Deployment (4)

3. Embedded
Does not require network re-configuration.
Deployment (5)

1. Network passive
  - Does not affect performance.
  - Easy to add.
  - Not a bottleneck or a point of failure.
  - Limited prevention options.
  - Must have copies of SSL keys.
2. Network in-line
  - A potential bottleneck.
  - Point of failure.
  - Must have copies of SSL keys.
  - Easy to add.
Deployment (6)

3. Reverse proxy
  - A potential bottleneck.
  - Point of failure.
  - Requires changes to network (unless it's a transparent reverse proxy).
  - Must terminate SSL (can be a problem if application needs to access client certificate data).
  - It's a separate architecture/security layer.
4. Embedded
  - Easy to add (and usually much cheaper).
  - Not a point of failure.
  - Uses web server resources.
Reverse Proxy As a Building Block

Reverse proxy patterns:
1. Front door
2. Integration reverse proxy
3. Protection reverse proxy
4. Performance reverse proxy
5. Scalability reverse proxy

- Logical patterns, orthogonal to each other.
- Often deployed as a single physical reverse proxy.
Front Door (1/5)

- Make all HTTP traffic go through the proxy.
- Centralisation makes access control, logging, and monitoring easier.

Integration Reverse Proxy (2/5)

- Combine multiple web servers into one.
- Hide the internals.
- Decouple interface from implementation.

Protection Reverse Proxy (3/5)

- Observes traffic in and out.
- Blocks invalid requests and attacks.
- Prevents information disclosure.

Performance Reverse Proxy (4/5)

- Transparent caching.
- Transparent response compression.
- SSL termination.

Scalability Reverse Proxy (5/5)

- Load balancing.
- Fault tolerance.
- Clustering.
Open Source Approach: Apache & ModSecurity
Apache

- One of the most used open source products.
- Available on many platforms.
- Free, fast, stable and reliable.
- Expertise widely available.
- Apache 2.2.x (finally!) released with many improvements:
  - Improved authentication.
  - Improved support for caching.
  - Significant improvements to the mod_proxy code (and load balancing support).
- Ideal reverse proxy.
ModSecurity

- Adds WAF functionality to Apache.
- In the 4th year of development.
- Free, open source, commercially supported.
- Implements most WAF features (and the remaining ones are coming soon).
- Popular and very widely used.
- Fast, reliable and predictable.
Apache + ModSecurity

- Deploy as reverse proxy:
  - Pick a nice server (I am quite fond of Sun's hardware offerings myself).
  - Install Apache 2.2.x.
  - Add ModSecurity.
  - Add SSL acceleration card (optional).
- Or simply run ModSecurity in embedded mode.
ModSecurity

- Strong areas:
  - Auditing/logging support.
  - Real-time traffic monitoring.
  - Just-in-time patching.
  - Prevention.
  - Very configurable/programmable.
- Weak areas:
  - No automation of the positive security model approach yet.
Than" you9
&o+n5oad this presentation "rom
http:::www*thin"in#stone*co,:tal"s:
*uestions+