Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Published byChristiana Barton Modified over 9 years ago

Similar presentations

Presentation on theme: "Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation."— Presentation transcript:

1 Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License. The OWASP Foundation OWASP AppSec Europe May 2006 http://www.owasp.org/ Web Application Firewalls: When Are They Useful? Ivan Ristic Thinking Stone ivanr@webkreator.com +44 7766 508 210

2 OWASP AppSec Europe 2006 2 Ivan Ristic  Web Application Security specialist; Developer.  Author of Apache Security.  Founder of Thinking Stone.  Author of ModSecurity.

3 OWASP AppSec Europe 2006 3 Why Use Web Application Firewalls? In a nutshell: 1.Web applications are deployed terribly insecure. 2.Developers should, of course, continue to strive to build better/more secure software. 3.But in the meantime, sysadmins must do something about it. (Or, as I like to say: We need all the help we can get.) 4.Insecure applications aside, WAFs are an important building block in every HTTP network.

4 OWASP AppSec Europe 2006 4 Network Firewalls Do Not Work For HTTP Firewall Port 80 HTTP Traffic Web Client Web Server Application Database Server

5 OWASP AppSec Europe 2006 5 WAFEC (1)  Web Application Firewall Evaluation Criteria.  Project of the Web Application Security Consortium (webappsec.org).webappsec.org  It's an open project.  Nine WAF vendors on board, but I'd like to see more users on the list.  WAFEC v1.0 published in January.  We are about to start work on v1.1.

6 OWASP AppSec Europe 2006 6 WAFEC (2) Nine sections: 1.Deployment Architecture 2.HTTP and HTML Support 3.Detection Techniques 4.Prevention Techniques 5.Logging 6.Reporting 7.Management 8.Performance 9.XML

7 OWASP AppSec Europe 2006 7 WAFEC (3) WAFEC is not for the vendors. It's for the users. (So please voice your opinions!) http://www.webappsec.org/projects/wafec/

8 OWASP AppSec Europe 2006 8 WAF Identity Problem (1) There is a long-standing WAF identity problem. With the name, first of all: Web Adaptive Firewall Web Application Firewall Web Application Security Device Web Application Proxy Web Application Shield Web Shield Web Security Firewall Web Security Gateway Web Security Proxy Web Intrusion Detection System Web Intrusion Prevention System Adaptive Firewall Adaptive Proxy Adaptive Gateway Application Firewall Application-level Firewall Application-layer Firewall Application-level Security Gateway Application Level Gateway Application Security Device Application Security Gateway Stateful Multilayer Inspection Firewall

9 OWASP AppSec Europe 2006 9 WAF Identity Problem (2)  There are four aspects to consider: 1.Audit device 2.Access control device 3.Layer 7 router/switch 4.Web Application Hardening tool  These are all valid requirements but the name Web Application Firewall is not suitable.  On the lower network layers we have a different name for each function.

10 OWASP AppSec Europe 2006 10 WAF Identity Problem (3)  Appliance-oriented web application firewalls clash with the Application Assurance market.  Problems solved long time ago:  Load balancing  Clustering  SSL termination and acceleration  Caching and transparent compression  URL rewriting  …and so on

11 OWASP AppSec Europe 2006 11 WAF Identity Problem (4)  Key factors: 1.Application Assurance vendors are very strong. 2.Web Application Firewall vendors not as much.  Result:  Appliance-oriented WAFs are being assimilated by the Application Assurance market.  In the meantime:  Embedded WAFs are left alone because they are not an all-or-nothing proposition.

12 OWASP AppSec Europe 2006 12 WAF Functionality Overview

13 OWASP AppSec Europe 2006 13 The Essentials (1)  Full support for HTTP:  Access to individual fields (field content, length, field count, etc).  Entire transaction (both request and response).  Uploaded files.  Anti-evasion features (also known as normalisation/canonicalisation/transformation features).

14 OWASP AppSec Europe 2006 14 The Essentials (2)  Blocking features:  Transaction  Connection  IP Address  Session  User  Honeypot redirection  TCP/IP resets (connection)  Blocking via external device  What happens upon detection?

15 OWASP AppSec Europe 2006 15 Fancy Features  Stateful operation:  IP Address data  Session data  User data  Event Correlation  High availability:  Failover  Load-balancing  Clustering  State replication

16 OWASP AppSec Europe 2006 16 Hard-Coded Protection Techniques (1)  Cookie protection  Sign/encrypt/virtualise  Hidden field protection  Sign/encrypt/virtualise  Session management protection  Enforce session duration timeout, inactivity timeout.  Prevent fixation.  Virtualise session management.  Prevent hijacking or at least warn about it.

17 OWASP AppSec Europe 2006 17 Hard-Coded Protection Techniques (2)  Brute-force protection  Link validation  Signing  Virtualisation  Request flow enforcement  Statically  Dynamically

18 OWASP AppSec Europe 2006 18 Other Things To Consider (1)  Management:  Is it possible to manage multiple sensors from one place?  Support for administrative accounts with different privileges (both horisontal and vertical).  Reporting (giving Management what it wants):  On-demand and scheduled reports with support for customisation  XML:  WAFs are expected to provide basic support for XML parsing and validation.  Full XML support is usually available as an option, or as a completely separate product.

19 OWASP AppSec Europe 2006 19 Other Things To Consider (2)  Extensibility:  Is it possible to add custom functionality to the firewall?  Is the source code available? (But not as a replacement for a proper API.)  Performance:  New connections per second.  Maximum concurrent connections.  Transactions per second.  Throughput.  Latency.

20 OWASP AppSec Europe 2006 20 Signatures and Rules

21 OWASP AppSec Europe 2006 21 Signatures or Rules? 1.Signatures  Simple text strings or regular expression patterns matched against input data.  Not very flexible. 2.Rules 1.Flexible. 2.Multiple operators. 3.Rule groups. 4.Anti-evasion functions. 5.Logical expressions. 6.Custom variables.

22 OWASP AppSec Europe 2006 22 Three Protection Strategies 1.External patching  Also known as "just-in-time patching" or "virtual patching"). 2.Negative security model  Looking for bad stuff.  Typically used for Web Intrusion Detection.  Easy to start with but difficult to get right. 3.Positive security model  Verifying input is correct.  Usually automated, but very difficult to get right with applications that change.  It's very good but you need to set your expectations accordingly.

23 OWASP AppSec Europe 2006 23 Auditing and HTTP Traffic Monitoring

24 OWASP AppSec Europe 2006 24 Web Intrusion Detection  Often forgotten because of marketing pressures:  Detection is so last year (decade).  Prevention sounds and sells much better!  The problem with prevention is that it is bound to fail given sufficiently determined attacker.  Monitoring (logging and detection) is actually more important as it allows you to independently audit traffic, and go back in time.

25 OWASP AppSec Europe 2006 25 Monitoring Requirements  Centralisation.  Transaction data storage.  Control over which transactions are logged and which parts of each transaction are logged, dynamically on the per-transaction basis.  Minimal information (session data).  Partial transaction data.  Full transaction data.  Support for data sanitisation.  Can implement your retention policy.

26 OWASP AppSec Europe 2006 26 Deployment

27 OWASP AppSec Europe 2006 27 Deployment  Three choices when it comes to deployment: 1. Network-level device. 2. Reverse proxy. 3. Embedded in web server.

28 OWASP AppSec Europe 2006 28 Deployment (2) 1. Network-level device Does not require network re-configuration.

29 OWASP AppSec Europe 2006 29 Deployment (3) 2. Reverse proxy Typically requires network re-configuration.

30 OWASP AppSec Europe 2006 30 Deployment (4) 3. Embedded Does not require network re-configuration.

31 OWASP AppSec Europe 2006 31 Deployment (5) 1. Network passive  Does not affect performance.  Easy to add.  Not a bottleneck or a point of failure.  Limited prevention options.  Must have copies of SSL keys. 2. Network in-line  A potential bottleneck.  Point of failure.  Must have copies of SSL keys.  Easy to add.

32 OWASP AppSec Europe 2006 32 Deployment (6) 3. Reverse proxy  A potential bottleneck.  Point of failure.  Requires changes to network (unless it's a transparent reverse proxy).  Must terminate SSL (can be a problem if application needs to access client certificate data).  It's a separate architecture/security layer. 4. Embedded  Easy to add (and usually much cheaper).  Not a point of failure.  Uses web server resources.

33 OWASP AppSec Europe 2006 33 Reverse Proxy As a Building Block  Reverse proxy patterns: 1.Front door 2.Integration reverse proxy 3.Protection reverse proxy 4.Performance reverse proxy 5.Scalability reverse proxy  Logical patterns, orthogonal to each other.  Often deployed as a single physical reverse proxy.

34 OWASP AppSec Europe 2006 34 Front Door (1/5)  Make all HTTP traffic go through the proxy  Centralisation makes access control, logging, and monitoring easier

35 OWASP AppSec Europe 2006 35 Integration Reverse Proxy (2/5)  Combine multiple web servers into one  Hide the internals  Decouple interface from implementation

36 OWASP AppSec Europe 2006 36 Protection Reverse Proxy (3/5)  Observes traffic in and out  Blocks invalid requests and attacks  Prevents information disclosure

37 OWASP AppSec Europe 2006 37 Performance Reverse Proxy (4/5)  Transparent caching  Transparent response compression  SSL termination

38 OWASP AppSec Europe 2006 38 Scalability Reverse Proxy (5/5)  Load balancing  Fault tolerance  Clustering

39 OWASP AppSec Europe 2006 39 Open Source Approach: Apache + ModSecurity

40 OWASP AppSec Europe 2006 40 Apache  One of the most used open source products.  Available on many platforms.  Free, fast, stable and reliable.  Expertise widely available.  Apache 2.2.x (finally!) released with many improvements:  Improved authentication.  Improved support for caching.  Significant improvements to the mod_proxy code (and load balancing support).  Ideal reverse proxy.

41 OWASP AppSec Europe 2006 41 ModSecurity  Adds WAF functionality to Apache.  In the 4 th year of development.  Free, open source, commercially supported.  Implements most WAF features (and the remaining ones are coming soon).  Popular and very widely used.  Fast, reliable and predictable.

42 OWASP AppSec Europe 2006 42 Apache + ModSecurity  Deploy as reverse proxy:  Pick a nice server (I am quite fond of Sun's hardware offerings myself).  Install Apache 2.2.x.  Add ModSecurity.  Add SSL acceleration card (optional).  Or simply run ModSecurity in embedded mode.

43 OWASP AppSec Europe 2006 43 ModSecurity  Strong areas:  Auditing/logging support.  Real-time traffic monitoring.  Just-in-time patching.  Prevention.  Very configurable/programmable.  Weak areas:  No automation of the positive security model approach yet.

44 OWASP AppSec Europe 2006 44 Thank you! Download this presentation from http://www.owasp.org/index.php/ AppSec_Europe_2006 Questions?

Download ppt "Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation."

Similar presentations

www.dynamicsoft.com Fall VoN 2000 SIP Servers SIP Servers: A Buyers Guide Jonathan Rosenberg Chief Scientist.

Fall VoN 2000 SIP Servers SIP Servers: A Buyers Guide Jonathan Rosenberg Chief Scientist.
Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.

Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Security that is... Ergonomic, Economical and Efficient! In every way! Stonesoft SSL VPN SSL VPN.

Security that is... Ergonomic, Economical and Efficient! In every way! Stonesoft SSL VPN SSL VPN.
Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
Adding scalability to legacy PHP web applications Overview Mario A. Valdez-Ramirez.

Adding scalability to legacy PHP web applications Overview Mario A. Valdez-Ramirez.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Highly Available Central Services An Intelligent Router Approach Thomas Finnern Thorsten Witt DESY/IT.

Highly Available Central Services An Intelligent Router Approach Thomas Finnern Thorsten Witt DESY/IT.
Barracuda Web Application Firewall

Barracuda Web Application Firewall
Citrix ® Secure Gateway Phil Montgomery Senior Product Manager Citrix Products and Services October 2001.

Citrix ® Secure Gateway Phil Montgomery Senior Product Manager Citrix Products and Services October 2001.
Network Management Overview IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.

Network Management Overview IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.
OCT1 Principles From Chapter One of “Distributed Systems Concepts and Design”

OCT1 Principles From Chapter One of “Distributed Systems Concepts and Design”
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
IST346:  Web Services. Today’s Agenda  Learn the basics of how the Web works  Understand various web service architectures  Address scaling, security,

IST346:  Web Services. Today’s Agenda  Learn the basics of how the Web works  Understand various web service architectures  Address scaling, security,
Department Of Computer Engineering

Department Of Computer Engineering
Firewall Slides by John Rouda

Firewall Slides by John Rouda
Security Guidelines and Management

Security Guidelines and Management
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.

1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.
Course 201 – Administration, Content Inspection and SSL VPN

Course 201 – Administration, Content Inspection and SSL VPN

Similar presentations

Ads by Google