OWASP AppSec EU 2006: WAFs, When Are They Useful?


Published on August 30, 2007

Author: Clown

Source: authorstream.com

Content

Web Application Firewalls: When Are They Useful?
Ivan Ristic, Thinking Stone
[email protected]
+44 7766 508 210

Ivan Ristic
- Web Application Security specialist; developer.
- Author of Apache Security.
- Founder of Thinking Stone.
- Author of ModSecurity.

Why Use Web Application Firewalls?
- In a nutshell: web applications are deployed in a terribly insecure state.
- Developers should, of course, continue to strive to build better/more secure software.
- But in the meantime, sysadmins must do something about it. (Or, as I like to say: we need all the help we can get.)
- Insecure applications aside, WAFs are an important building block in every HTTP network.

Network Firewalls Do Not Work For HTTP
[Diagram: the web client's port 80 HTTP traffic passes straight through the network firewall to the web server, the application and the database server.]

WAFEC (1)
- Web Application Firewall Evaluation Criteria.
- Project of the Web Application Security Consortium (webappsec.org).
- It's an open project.
- Nine WAF vendors on board, but I'd like to see more users on the list.
- WAFEC v1.0 published in January. We are about to start work on v1.1.

WAFEC (2)
Nine sections:
- Deployment Architecture
- HTTP and HTML Support
- Detection Techniques
- Prevention Techniques
- Logging
- Reporting
- Management
- Performance
- XML

WAFEC (3)
- WAFEC is not for the vendors. It's for the users. (So please voice your opinions!)
- http://www.webappsec.org/projects/wafec/

WAF Identity Problem (1)
There is a long-standing WAF identity problem. With the name, first of all:
- Web Adaptive Firewall
- Web Application Firewall
- Web Application Security Device
- Web Application Proxy
- Web Application Shield
- Web Shield
- Web Security Firewall
- Web Security Gateway
- Web Security Proxy
- Web Intrusion Detection System
- Web Intrusion Prevention System
- Adaptive Firewall
- Adaptive Proxy
- Adaptive Gateway
- Application Firewall
- Application-level Firewall
- Application-layer Firewall
- Application-level Security Gateway
- Application Level Gateway
- Application Security Device
- Application Security Gateway
- Stateful Multilayer Inspection Firewall

WAF Identity Problem (2)
There are four aspects to consider:
- Audit device
- Access control device
- Layer 7 router/switch
- Web Application Hardening tool
These are all valid requirements, but the name Web Application Firewall is not suitable. On the lower network layers we have a different name for each function.

WAF Identity Problem (3)
Appliance-oriented web application firewalls clash with the Application Assurance market. Problems solved a long time ago:
- Load balancing
- Clustering
- SSL termination and acceleration
- Caching and transparent compression
- URL rewriting
- ...and so on

WAF Identity Problem (4)
Key factors:
- Application Assurance vendors are very strong.
- Web Application Firewall vendors, not as much.
Result: appliance-oriented WAFs are being assimilated by the Application Assurance market.
In the meantime: embedded WAFs are left alone because they are not an all-or-nothing proposition.

WAF Functionality Overview

The Essentials (1)
Full support for HTTP:
- Access to individual fields (field content, length, field count, etc.).
- Entire transaction (both request and response).
- Uploaded files.
- Anti-evasion features (also known as normalisation/canonicalisation/transformation features).

The Essentials (2)
Blocking features (what happens upon detection?):
- Transaction
- Connection
- IP address
- Session
- User
- Honeypot redirection
- TCP/IP resets (connection)
- Blocking via external device

Fancy Features
Stateful operation:
- IP address data
- Session data
- User data
- Event correlation
High availability:
- Failover
- Load-balancing
- Clustering
- State replication

Hard-Coded Protection Techniques (1)
- Cookie protection: sign/encrypt/virtualise.
- Hidden field protection: sign/encrypt/virtualise.
- Session management protection: enforce session duration timeout and inactivity timeout; prevent fixation; virtualise session management; prevent hijacking, or at least warn about it.

Hard-Coded Protection Techniques (2)
- Brute-force protection.
- Link validation: signing, virtualisation.
- Request flow enforcement: statically, dynamically.

Other Things To Consider (1)
Management:
- Is it possible to manage multiple sensors from one place?
- Support for administrative accounts with different privileges (both horizontal and vertical).
Reporting (giving management what it wants):
- On-demand and scheduled reports with support for customisation.
XML:
- WAFs are expected to provide basic support for XML parsing and validation.
- Full XML support is usually available as an option, or as a completely separate product.

Other Things To Consider (2)
Extensibility:
- Is it possible to add custom functionality to the firewall?
- Is the source code available? (But not as a replacement for a proper API.)
Performance:
- New connections per second.
- Maximum concurrent connections.
- Transactions per second.
- Throughput.
- Latency.

Signatures and Rules

Signatures or Rules?
Signatures:
- Simple text strings or regular expression patterns matched against input data.
- Not very flexible.
Rules:
- Flexible.
- Multiple operators.
- Rule groups.
- Anti-evasion functions.
- Logical expressions.
- Custom variables.

Three Protection Strategies
- External patching. Also known as 'just-in-time patching' or 'virtual patching'.
- Negative security model. Looking for bad stuff. Typically used for web intrusion detection. Easy to start with but difficult to get right.
- Positive security model. Verifying input is correct. Usually automated, but very difficult to get right with applications that change. It's very good, but you need to set your expectations accordingly.

Auditing and HTTP Traffic Monitoring

Web Intrusion Detection
Often forgotten because of marketing pressures:
- Detection is so last year (decade).
- Prevention sounds and sells much better!
The problem with prevention is that it is bound to fail given a sufficiently determined attacker. Monitoring (logging and detection) is actually more important, as it allows you to independently audit traffic and go back in time.

Monitoring Requirements
- Centralisation.
- Transaction data storage.
- Control over which transactions are logged and which parts of each transaction are logged, dynamically, on a per-transaction basis:
  - Minimal information (session data).
  - Partial transaction data.
  - Full transaction data.
- Support for data sanitisation.
- Can implement your retention policy.

Deployment

Deployment
Three choices when it comes to deployment:
1. Network-level device.
2. Reverse proxy.
3. Embedded in web server.

Deployment (2)
1. Network-level device: does not require network re-configuration.

Deployment (3)
2. Reverse proxy: typically requires network re-configuration.

Deployment (4)
3. Embedded: does not require network re-configuration.

Deployment (5)
1. Network passive
- Does not affect performance.
- Easy to add.
- Not a bottleneck or a point of failure.
- Limited prevention options.
- Must have copies of SSL keys.
2. Network in-line
- A potential bottleneck.
- Point of failure.
- Must have copies of SSL keys.
- Easy to add.

Deployment (6)
3. Reverse proxy
- A potential bottleneck.
- Point of failure.
- Requires changes to the network (unless it's a transparent reverse proxy).
- Must terminate SSL (can be a problem if the application needs to access client certificate data).
- It's a separate architecture/security layer.
4. Embedded
- Easy to add (and usually much cheaper).
- Not a point of failure.
- Uses web server resources.

Reverse Proxy As a Building Block
Reverse proxy patterns:
- Front door
- Integration reverse proxy
- Protection reverse proxy
- Performance reverse proxy
- Scalability reverse proxy
Logical patterns, orthogonal to each other. Often deployed as a single physical reverse proxy.

Front Door (1/5)
- Make all HTTP traffic go through the proxy.
- Centralisation makes access control, logging, and monitoring easier.

Integration Reverse Proxy (2/5)
- Combine multiple web servers into one.
- Hide the internals.
- Decouple interface from implementation.

Protection Reverse Proxy (3/5)
- Observes traffic in and out.
- Blocks invalid requests and attacks.
- Prevents information disclosure.

Performance Reverse Proxy (4/5)
- Transparent caching.
- Transparent response compression.
- SSL termination.

Scalability Reverse Proxy (5/5)
- Load balancing.
- Fault tolerance.
- Clustering.

Open Source Approach: Apache + ModSecurity

Apache
- One of the most used open source products.
- Available on many platforms.
- Free, fast, stable and reliable.
- Expertise widely available.
- Apache 2.2.x (finally!) released with many improvements: improved authentication; improved support for caching; significant improvements to the mod_proxy code (and load balancing support).
- Ideal reverse proxy.

ModSecurity
- Adds WAF functionality to Apache.
- In the 4th year of development.
- Free, open source, commercially supported.
- Implements most WAF features (and the remaining ones are coming soon).
- Popular and very widely used.
- Fast, reliable and predictable.

Apache + ModSecurity
Deploy as a reverse proxy:
1. Pick a nice server (I am quite fond of Sun's hardware offerings myself).
2. Install Apache 2.2.x.
3. Add ModSecurity.
4. Add an SSL acceleration card (optional).
Or simply run ModSecurity in embedded mode.

ModSecurity
Strong areas:
- Auditing/logging support.
- Real-time traffic monitoring.
- Just-in-time patching.
- Prevention.
- Very configurable/programmable.
Weak areas:
- No automation of the positive security model approach yet.

Thank you!
Download this presentation from http://www.owasp.org/index.php/AppSec_Europe_2006
Questions?
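The deck's three protection strategies (external or virtual patching, the negative model, the positive model) and its monitoring requirements (per-transaction control over what is logged, data sanitisation), written out as an Apache reverse-proxy deployment of the kind the Apache + ModSecurity slides describe. This is an added example for this page, not configuration from the deck or from the ModSecurity project. It assumes ModSecurity 2.x rule syntax (the deck predates the 2.0 release), a hypothetical backend at 10.0.0.10:8080, hypothetical /account.php and /login application paths, log paths under /var/log/apache2, and rule ids in the 100001 range chosen here.

```apache
# Added example: Apache 2.2 reverse proxy with ModSecurity 2.x in front of
# an application. Backend address, paths and rule ids are assumptions made
# for this example; ModSecurity 2.x syntax is assumed throughout.
LoadModule proxy_module       modules/mod_proxy.so
LoadModule proxy_http_module  modules/mod_proxy_http.so
LoadModule unique_id_module   modules/mod_unique_id.so   # transaction ids for the audit log
LoadModule security2_module   modules/mod_security2.so

# Front door / protection reverse proxy: all HTTP traffic enters here.
ProxyRequests     Off                      # never act as an open forward proxy
ProxyPreserveHost On
ProxyPass         / http://10.0.0.10:8080/  # hypothetical backend
ProxyPassReverse  / http://10.0.0.10:8080/

<IfModule security2_module>
    SecRuleEngine         On
    SecRequestBodyAccess  On                # inspect the entire transaction:
    SecResponseBodyAccess On                # request bodies and responses
    SecResponseBodyMimeType text/plain text/html
    # What happens upon detection: block the transaction, log it, audit-log it.
    SecDefaultAction "phase:2,deny,status:403,log,auditlog"

    # 1. External (just-in-time / virtual) patch: the hypothetical /account.php
    #    "id" parameter is only ever numeric, so reject anything else there and
    #    touch nothing else in the application.
    SecRule REQUEST_FILENAME "@streq /account.php" \
        "id:100001,phase:2,chain,msg:'Virtual patch: account id must be numeric'"
        SecRule ARGS:id "!@rx ^[0-9]{1,10}$" "t:none,t:urlDecodeUni"

    # 2. Negative security model: look for bad stuff in any argument, after the
    #    anti-evasion transformations so encoding tricks do not slip past it.
    SecRule ARGS "@rx (?:<script|union\s+select)" \
        "id:100002,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,msg:'Negative model: suspicious input'"

    # 3. Positive security model for one form: /login accepts exactly the
    #    fields username and password, and username has a known shape.
    #    These rules must be revisited whenever the form changes.
    SecRule REQUEST_FILENAME "@streq /login" \
        "id:100003,phase:2,chain,msg:'Positive model: unexpected login field'"
        SecRule ARGS_NAMES "!@rx ^(?:username|password)$" "t:none"
    SecRule REQUEST_FILENAME "@streq /login" \
        "id:100004,phase:2,chain,msg:'Positive model: malformed username'"
        SecRule ARGS:username "!@rx ^[a-z0-9_.-]{1,32}$" "t:none,t:lowercase"

    # Monitoring requirements: which transactions are stored, and which parts.
    SecAuditEngine            RelevantOnly            # flagged transactions only...
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"        # ...plus 5xx and 4xx except 404
    SecAuditLogType           Serial
    SecAuditLog               /var/log/apache2/modsec_audit.log
    SecAuditLogParts          ABFHZ                   # minimal data: headers and trailer
    # Full transaction data (request and response bodies) only for the login form.
    SecRule REQUEST_FILENAME "@streq /login" \
        "id:100005,phase:1,pass,nolog,ctl:auditLogParts=+CE"
    # Data sanitisation: the password value is masked before the audit log is written.
    SecAction "id:100006,phase:5,pass,nolog,sanitiseArg:password"
</IfModule>
```

The virtual patch is the narrowest rule and changes nothing for the rest of the application, which is what makes just-in-time patching the low-risk option the deck lists among ModSecurity's strong areas. The negative-model rule is the easy-to-start-with one and the one most likely to need tuning against false positives. The two positive-model rules for /login are the part that breaks when the form changes, the deck's "applications that change" caveat. On the monitoring side, RelevantOnly keeps the audit log to transactions a rule flagged or that ended in an error, the per-transaction ctl action widens logging only for the one form worth keeping in full, and sanitiseArg runs in the logging phase so the stored copy never contains the password.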
