SlideShare ist ein Scribd-Unternehmen logo
1 von 44
Web Application Firewalls:
             When Are They Useful?



             Ivan Ristic
             Thinking Stone
             ivanr@webkreator.com
             +44 7766 508 210
OWASP
AppSec
Europe
 May 2006    Copyright © 2006 - The OWASP Foundation
             Permission is granted to copy, distribute and/or modify this document
             under the terms of the GNU Free Documentation License.




             The OWASP Foundation
             http://www.owasp.org/
Ivan Ristic

Web Application Security
 specialist; Developer.
Author of Apache Security.

Author of ModSecurity.



Founder of Thinking Stone.


                          OWASP AppSec Europe 2006   2
Why Use Web Application Firewalls?

 In the nutshell:
  1. Web applications are deployed terribly insecure.
  2. Developers should, of course, continue to strive to
     build better/more secure software.
  3. But in the meantime, sysadmins must do something
     about it. (Or, as I like to say: We need very help
     we can get.)
  4. Insecure applications aside, WAFs are an
     important building block in every HTTP
     network.


                                 OWASP AppSec Europe 2006   3
Network Firewalls Do Not Work For HTTP

                Firewall




                              Application
                                             Database
 Web              Web
                                              Server
 Client          Server       Application




HTTP Traffic     Port 80




                           OWASP AppSec Europe 2006     4
WAFEC (1)

Web Application Firewall Evaluation
 Criteria.
Project of the Web Application Security
 Consortium (webappsec.org).
It's an open project.
Nine WAF vendors on board, but I'd like to see
 more users on the list.
WAFEC v1.0 published in January.
We are about to start work on v1.1.

                           OWASP AppSec Europe 2006   5
WAFEC (2)

 Nine sections:
  1.   Deployment Architecture
  2.   HTTP and HTML Support
  3.   Detection Techniques
  4.   Prevention Techniques
  5.   Logging
  6.   Reporting
  7.   Management
  8.   Performance
  9.   XML

                             OWASP AppSec Europe 2006   6
WAFEC (3)



      WAFEC is not for
         the vendors.
      It's for the users.
   (So please voice your opinions!)

http://www.webappsec.org/projects/wafec/


                        OWASP AppSec Europe 2006   7
WAF Identity Problem (1)

 There is a long-standing WAF identity problem.
 With the name, first of all*:
  Adaptive Firewall                    Web Adaptive Firewall
  Adaptive Proxy                       Web Application Firewall
  Adaptive Gateway                     Web Application Security Device
  Application Firewall                 Web Application Proxy
  Application-level Firewall           Web Application Shield
  Application-layer Firewall           Web Shield
  Application-level Security Gateway   Web Security Firewall
  Application Level Gateway            Web Security Gateway
  Application Security Device          Web Security Proxy
  Application Security Gateway         Web Intrusion Detection System
  Stateful Multilayer Inspection       Web Intrusion Prevention System
       Firewall
 List compiled by Achim Hoffmann.
                                          OWASP AppSec Europe 2006       8
WAF Identity Problem (2)

 There are four aspects to consider:
  1.   Audit device
  2.   Access control device
  3.   Layer 7 router/switch
  4.   Web Application Hardening tool
 These are all valid requirements but the name
  Web Application Firewall is not suitable.
 On the lower network layers we have a
  different name for each function.


                              OWASP AppSec Europe 2006   9
WAF Identity Problem (3)

 Appliance-oriented web application firewalls
  clash with the Application Assurance
  market.
 Problems solved long time ago:
      Load balancing
  
      Clustering
  
      SSL termination and acceleration
  
      Caching and transparent compression
  
      URL rewriting
  
      …and so on
  

                                OWASP AppSec Europe 2006   10
WAF Identity Problem (4)

 Key factors:
  1. Application Assurance vendors are very strong.
  2. Web Application Firewall vendors not as much.
 Result:
   Appliance-oriented WAFs are being
    assimilated by the Application Assurance
    market.
 In the meantime:
   Embedded WAFs are left alone because they
    are not an all-or-nothing proposition.

                                OWASP AppSec Europe 2006   11
WAF Functionality
   Overview




           OWASP AppSec Europe 2006   12
The Essentials (1)

 Full support for HTTP:
   Access to individual fields (field content, length, field
    count, etc).
   Entire transaction (both request and response).
   Uploaded files.
 Anti-evasion features (also known as
   normalisation/canonicalisation/transformation
   features).




                                   OWASP AppSec Europe 2006     13
The Essentials (2)

 Blocking features:
      Transaction
  
      Connection
  
      IP Address
  
      Session
  
      User
  
      Honeypot redirection
  
      TCP/IP resets (connection)
  
      Blocking via external device
  
 What happens upon detection?

                                     OWASP AppSec Europe 2006   14
Fancy Features

 Stateful operation:
   IP Address data
   Session data
   User data
 Event Correlation
 High availability:
      Failover
  
      Load-balancing
  
      Clustering
  
      State replication
  

                             OWASP AppSec Europe 2006   15
Hard-Coded Protection Techniques (1)

 Cookie protection
   Sign/encrypt/virtualise
 Hidden field protection
   Sign/encrypt/virtualise
 Session management protection
      Enforce session duration timeout, inactivity timeout.
  
      Prevent fixation.
  
      Virtualise session management.
  
      Prevent hijacking or at least warn about it.
  


                                  OWASP AppSec Europe 2006    16
Hard-Coded Protection Techniques (2)

 Brute-force protection
 Link validation
   Signing
   Virtualisation
 Request flow enforcement
   Statically
   Dynamically




                           OWASP AppSec Europe 2006   17
Other Things To Consider (1)

 Management:
   Is it possible to manage multiple sensors from one place?
   Support for administrative accounts with different privileges
    (both horisontal and vertical).
 Reporting (giving Management what it wants):
   On-demand and scheduled reports with support for cus
 XML:
   WAFs are expected to provide basic support for XML parsing
    and validation.
   Full XML support is usually available as an option, or as a
    completely separate product.



                                       OWASP AppSec Europe 2006     18
Other Things To Consider (2)

 Extensibility:
   Is it possible to add custom functionality to the
    firewall?
   Is the source code available? (But not as a
    replacement for a proper API.)
 Performance:
      New connections per second.
  
      Maximum concurrent connections.
  
      Transactions per second.
  
      Throughput.
  
      Latency.
  
                                  OWASP AppSec Europe 2006   19
Signatures and
    Rules




         OWASP AppSec Europe 2006   20
Signatures or Rules?

1. Signatures
   Simple text strings or regular expression patterns
    matched against input data.
   Not very flexible.
2. Rules
  1.   Flexible.
  2.   Multiple operators.
  3.   Rule groups.
  4.   Anti-evasion functions.
  5.   Logical expressions.
  6.   Custom variables.

                                 OWASP AppSec Europe 2006   21
Three Protection Strategies

1. External patching
   Also known as "just-in-time patching" or "virtual patching").
2. Negative security model
   Looking for bad stuff.
   Typically used for Web Intrusion Detection.
   Easy to start with but difficult to get right.
3. Positive security model
   Verifying input is correct.
   Usually automated, but very difficult to get right with
    applications that change.
   It's very good but you need to set your expectations
    accordingly.


                                        OWASP AppSec Europe 2006    22
Auditing and HTTP
Traffic Monitoring




           OWASP AppSec Europe 2006   23
Web Intrusion Detection

 Often forgotten because of marketing
  pressures:
   Detection is so last year (decade).
   Prevention sounds and sells much better!
 The problem with prevention is that it is bound
  to fail given sufficiently determined attacker
  (or inexperienced WAF operator).
 Monitoring (logging and detection) is actually
  more important as it allows you to
  independently audit traffic, and go back in
  time.

                              OWASP AppSec Europe 2006   24
Monitoring Requirements

 Centralisation.
 Transaction data storage.
 Control over which transactions are logged
  and which parts of each transaction are
  logged, dynamically on the per-transaction
  basis.
   Minimal information (session data).
   Partial transaction data.
   Full transaction data.
 Support for data sanitisation.
 Can implement your retention policy.
                                OWASP AppSec Europe 2006   25
Deployment




       OWASP AppSec Europe 2006   26
Deployment

 Three choices when it comes to
  deployment:
   1. Network-level device.
   2. Reverse proxy.
   3. Embedded in web server.




                    OWASP AppSec Europe 2006   27
Deployment (2)

1. Network-level device




        Does not require network re-configuration.

                                  OWASP AppSec Europe 2006   28
Deployment (3)

2. Reverse proxy




      Typically requires network re-configuration.



                                  OWASP AppSec Europe 2006   29
Deployment (4)

3. Embedded




     Does not require network re-configuration.


                                  OWASP AppSec Europe 2006   30
Deployment (5)

1. Network passive
   Does not affect performance.
   Easy to add.
   Not a bottleneck or a point of failure.
   Limited prevention options.
   Must have copies of SSL keys.
2. Network in-line
   A potential bottleneck.
   Point of failure.
   Must have copies of SSL keys.
   Easy to add.

                                  OWASP AppSec Europe 2006   31
Deployment (6)

3. Reverse proxy
   A potential bottleneck.
   Point of failure.
   Requires changes to network (unless it's a
    transparent reverse proxy).
   Must terminate SSL (can be a problem if application
    needs to access client certificate data).
   It's a separate architecture/security layer.
4. Embedded
   Easy to add (and usually much cheaper).
   Not a point of failure.
   Uses web server resources.
                                 OWASP AppSec Europe 2006   32
Reverse Proxy As a Building Block

 Reverse proxy patterns:
  1.   Front door
  2.   Integration reverse proxy
  3.   Protection reverse proxy
  4.   Performance reverse proxy
  5.   Scalability reverse proxy
 Logical patterns, orthogonal to
  each other.
 Often deployed as a single physical
  reverse proxy.

                                   OWASP AppSec Europe 2006   33
Front Door (1/5)

 Make all HTTP traffic go through the proxy
 Centralisation makes access control,
  logging, and monitoring easier




                           OWASP AppSec Europe 2006   34
Integration Reverse Proxy (2/5)

 Combine multiple web servers into one
 Hide the internals
 Decouple interface from implementation




                          OWASP AppSec Europe 2006   35
Protection Reverse Proxy (3/5)

 Observes traffic in and out
 Blocks invalid requests and attacks
 Prevents information disclosure




                            OWASP AppSec Europe 2006   36
Performance Reverse Proxy (4/5)

 Transparent caching
 Transparent response compression
 SSL termination




                         OWASP AppSec Europe 2006   37
Scalability Reverse Proxy (5/5)

 Load balancing
 Fault tolerance
 Clustering




                         OWASP AppSec Europe 2006   38
Open Source
Approach: Apache
  + ModSecurity




          OWASP AppSec Europe 2006   39
Apache

    One of the most used open source products.

    Available on many platforms.

    Free, fast, stable and reliable.

    Expertise widely available.

    Apache 2.2.x (finally!) released with many

    improvements:
     Improved authentication.
     Improved support for caching.
     Significant improvements to the mod_proxy code
      (and load balancing support).
 Ideal reverse proxy.
                                 OWASP AppSec Europe 2006   40
ModSecurity

  Adds WAF functionality to Apache.

  In the 4th year of development.

  Free, open source, commercially supported.

  Implements most WAF features (and the

  remaining ones are coming soon).
 Popular and very widely used.
 Fast, reliable and predictable.




                            OWASP AppSec Europe 2006   41
Apache + ModSecurity

 Deploy as reverse proxy:
   Pick a nice server (I am quite
    fond of Sun's hardware
    offerings myself).
   Install Apache 2.2.x.
   Add ModSecurity.
   Add SSL acceleration card
    (optional).
 Or simply run ModSecurity
  in embedded mode.

                                 OWASP AppSec Europe 2006   42
ModSecurity

 Strong areas:
      Auditing/logging support.
  
      Real-time traffic monitoring.
  
      Just-in-time patching.
  
      Prevention.
  
      Very configurable/programmable.
  
 Weak areas:
   No automation of the positive security model
    approach yet.



                            OWASP AppSec Europe 2006   43
Questions?

          Thank you!
    Download this presentation from
http://www.thinkingstone.com/talks/



                    OWASP AppSec Europe 2006   44

Weitere ähnliche Inhalte

Was ist angesagt?

Defending Workstations - Cyber security webinar part 2
Defending Workstations - Cyber security webinar part 2Defending Workstations - Cyber security webinar part 2
Defending Workstations - Cyber security webinar part 2F-Secure Corporation
 
Building a low cost hack lab
Building a low cost hack labBuilding a low cost hack lab
Building a low cost hack labJoe McCray
 
Problems with parameters b sides-msp
Problems with parameters b sides-mspProblems with parameters b sides-msp
Problems with parameters b sides-mspMike Saunders
 
Wireless Pentesting: It's more than cracking WEP
Wireless Pentesting: It's  more than cracking WEPWireless Pentesting: It's  more than cracking WEP
Wireless Pentesting: It's more than cracking WEPJoe McCray
 
[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020OWASP
 
iOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itiOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itCyber Security Alliance
 
Radware - WAF (Web Application Firewall)
Radware - WAF (Web Application Firewall)Radware - WAF (Web Application Firewall)
Radware - WAF (Web Application Firewall)Deivid Toledo
 
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KLBreaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KLiphonepentest
 
Presentatie McAfee: Optimale Endpoint Protection 26062015
Presentatie McAfee: Optimale Endpoint Protection 26062015Presentatie McAfee: Optimale Endpoint Protection 26062015
Presentatie McAfee: Optimale Endpoint Protection 26062015SLBdiensten
 
Presentación - Cisco ASA with FirePOWER Services
Presentación -  Cisco ASA with FirePOWER ServicesPresentación -  Cisco ASA with FirePOWER Services
Presentación - Cisco ASA with FirePOWER ServicesOscar Romano
 
Check Point SandBlast and SandBlast Agent
Check Point SandBlast and SandBlast AgentCheck Point SandBlast and SandBlast Agent
Check Point SandBlast and SandBlast AgentMarketingArrowECS_CZ
 
You Spent All That Money And Still Got Owned
You Spent All That Money And Still Got OwnedYou Spent All That Money And Still Got Owned
You Spent All That Money And Still Got OwnedJoe McCray
 
CyberCentral Summit 2018 in Prague
CyberCentral Summit 2018 in PragueCyberCentral Summit 2018 in Prague
CyberCentral Summit 2018 in PragueAlexander Leonov
 
HackFest 2015 - Rasp vs waf
HackFest 2015 - Rasp vs wafHackFest 2015 - Rasp vs waf
HackFest 2015 - Rasp vs wafIMMUNIO
 
CloudFlare vs Incapsula: Round 2
CloudFlare vs Incapsula: Round 2CloudFlare vs Incapsula: Round 2
CloudFlare vs Incapsula: Round 2Zero Science Lab
 

Was ist angesagt? (20)

Defending Workstations - Cyber security webinar part 2
Defending Workstations - Cyber security webinar part 2Defending Workstations - Cyber security webinar part 2
Defending Workstations - Cyber security webinar part 2
 
CCNP Security-IPS
CCNP Security-IPSCCNP Security-IPS
CCNP Security-IPS
 
Building a low cost hack lab
Building a low cost hack labBuilding a low cost hack lab
Building a low cost hack lab
 
Problems with parameters b sides-msp
Problems with parameters b sides-mspProblems with parameters b sides-msp
Problems with parameters b sides-msp
 
Wireless Pentesting: It's more than cracking WEP
Wireless Pentesting: It's  more than cracking WEPWireless Pentesting: It's  more than cracking WEP
Wireless Pentesting: It's more than cracking WEP
 
CCNP Security-Firewall
CCNP Security-FirewallCCNP Security-Firewall
CCNP Security-Firewall
 
Sandboxing
SandboxingSandboxing
Sandboxing
 
[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020
 
QualysGuard InfoDay 2013 - Web Application Firewall
QualysGuard InfoDay 2013 - Web Application FirewallQualysGuard InfoDay 2013 - Web Application Firewall
QualysGuard InfoDay 2013 - Web Application Firewall
 
iOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itiOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce it
 
Radware - WAF (Web Application Firewall)
Radware - WAF (Web Application Firewall)Radware - WAF (Web Application Firewall)
Radware - WAF (Web Application Firewall)
 
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KLBreaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
 
Presentatie McAfee: Optimale Endpoint Protection 26062015
Presentatie McAfee: Optimale Endpoint Protection 26062015Presentatie McAfee: Optimale Endpoint Protection 26062015
Presentatie McAfee: Optimale Endpoint Protection 26062015
 
Presentación - Cisco ASA with FirePOWER Services
Presentación -  Cisco ASA with FirePOWER ServicesPresentación -  Cisco ASA with FirePOWER Services
Presentación - Cisco ASA with FirePOWER Services
 
Check Point SandBlast and SandBlast Agent
Check Point SandBlast and SandBlast AgentCheck Point SandBlast and SandBlast Agent
Check Point SandBlast and SandBlast Agent
 
You Spent All That Money And Still Got Owned
You Spent All That Money And Still Got OwnedYou Spent All That Money And Still Got Owned
You Spent All That Money And Still Got Owned
 
CyberCentral Summit 2018 in Prague
CyberCentral Summit 2018 in PragueCyberCentral Summit 2018 in Prague
CyberCentral Summit 2018 in Prague
 
HackFest 2015 - Rasp vs waf
HackFest 2015 - Rasp vs wafHackFest 2015 - Rasp vs waf
HackFest 2015 - Rasp vs waf
 
Check point response to Cisco NGFW competitive
Check point response to Cisco NGFW competitiveCheck point response to Cisco NGFW competitive
Check point response to Cisco NGFW competitive
 
CloudFlare vs Incapsula: Round 2
CloudFlare vs Incapsula: Round 2CloudFlare vs Incapsula: Round 2
CloudFlare vs Incapsula: Round 2
 

Ähnlich wie Web Application Frewall

Best Practices Guide: Introducing Web Application Firewalls
Best Practices Guide: Introducing Web Application FirewallsBest Practices Guide: Introducing Web Application Firewalls
Best Practices Guide: Introducing Web Application Firewallsalexmeisel
 
Ajax Security
Ajax SecurityAjax Security
Ajax Securitydrkimsky
 
Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approachAntonio Parata
 
Vsc 71-se-presentation-training
Vsc 71-se-presentation-trainingVsc 71-se-presentation-training
Vsc 71-se-presentation-trainingnarit_ton
 
Amol scadaowasp
Amol scadaowaspAmol scadaowasp
Amol scadaowaspdrewz lin
 
Basic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threat
Basic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threatBasic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threat
Basic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threatVladyslav Radetsky
 
[OWASP Poland Day] Application frameworks' vulnerabilities
[OWASP Poland Day] Application frameworks' vulnerabilities[OWASP Poland Day] Application frameworks' vulnerabilities
[OWASP Poland Day] Application frameworks' vulnerabilitiesOWASP
 
OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012DefCamp
 
Benefits of Web Application Firewall
Benefits of Web Application FirewallBenefits of Web Application Firewall
Benefits of Web Application Firewalldavidjohnrace
 
OWASP Europe Summit Portugal 2008. Web Application Assessments
OWASP Europe Summit Portugal 2008. Web Application AssessmentsOWASP Europe Summit Portugal 2008. Web Application Assessments
OWASP Europe Summit Portugal 2008. Web Application AssessmentsInternet Security Auditors
 
Http Parameter Pollution, a new category of web attacks
Http Parameter Pollution, a new category of web attacksHttp Parameter Pollution, a new category of web attacks
Http Parameter Pollution, a new category of web attacksStefano Di Paola
 
Magento Application Security [EN]
Magento Application Security [EN]Magento Application Security [EN]
Magento Application Security [EN]Anna Völkl
 
[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10OWASP
 
Attacking SAP users with sapsploit
Attacking SAP users with sapsploit Attacking SAP users with sapsploit
Attacking SAP users with sapsploit ERPScan
 
WAFFLE - A Web Application Firewall that defies rules
WAFFLE - A Web Application Firewall that defies rulesWAFFLE - A Web Application Firewall that defies rules
WAFFLE - A Web Application Firewall that defies rulesDimitris Gkizanis
 

Ähnlich wie Web Application Frewall (20)

Best Practices Guide: Introducing Web Application Firewalls
Best Practices Guide: Introducing Web Application FirewallsBest Practices Guide: Introducing Web Application Firewalls
Best Practices Guide: Introducing Web Application Firewalls
 
Ajax Security
Ajax SecurityAjax Security
Ajax Security
 
Ajax Security
Ajax SecurityAjax Security
Ajax Security
 
OWASP an Introduction
OWASP an Introduction OWASP an Introduction
OWASP an Introduction
 
Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approach
 
2014 09-04-pj
2014 09-04-pj2014 09-04-pj
2014 09-04-pj
 
B&W Netsparker overview
B&W Netsparker overviewB&W Netsparker overview
B&W Netsparker overview
 
Vsc 71-se-presentation-training
Vsc 71-se-presentation-trainingVsc 71-se-presentation-training
Vsc 71-se-presentation-training
 
Amol scadaowasp
Amol scadaowaspAmol scadaowasp
Amol scadaowasp
 
Basic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threat
Basic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threatBasic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threat
Basic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threat
 
[OWASP Poland Day] Application frameworks' vulnerabilities
[OWASP Poland Day] Application frameworks' vulnerabilities[OWASP Poland Day] Application frameworks' vulnerabilities
[OWASP Poland Day] Application frameworks' vulnerabilities
 
OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012
 
Benefits of Web Application Firewall
Benefits of Web Application FirewallBenefits of Web Application Firewall
Benefits of Web Application Firewall
 
Locust Fear
Locust FearLocust Fear
Locust Fear
 
OWASP Europe Summit Portugal 2008. Web Application Assessments
OWASP Europe Summit Portugal 2008. Web Application AssessmentsOWASP Europe Summit Portugal 2008. Web Application Assessments
OWASP Europe Summit Portugal 2008. Web Application Assessments
 
Http Parameter Pollution, a new category of web attacks
Http Parameter Pollution, a new category of web attacksHttp Parameter Pollution, a new category of web attacks
Http Parameter Pollution, a new category of web attacks
 
Magento Application Security [EN]
Magento Application Security [EN]Magento Application Security [EN]
Magento Application Security [EN]
 
[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10
 
Attacking SAP users with sapsploit
Attacking SAP users with sapsploit Attacking SAP users with sapsploit
Attacking SAP users with sapsploit
 
WAFFLE - A Web Application Firewall that defies rules
WAFFLE - A Web Application Firewall that defies rulesWAFFLE - A Web Application Firewall that defies rules
WAFFLE - A Web Application Firewall that defies rules
 

Mehr von Abhishek Singh

Cobbler Summit - Automated Xen VM Deployment
Cobbler Summit - Automated Xen VM DeploymentCobbler Summit - Automated Xen VM Deployment
Cobbler Summit - Automated Xen VM DeploymentAbhishek Singh
 
Mapreduce - Simplified Data Processing on Large Clusters
Mapreduce - Simplified Data Processing on Large ClustersMapreduce - Simplified Data Processing on Large Clusters
Mapreduce - Simplified Data Processing on Large ClustersAbhishek Singh
 
Web Server Clustering - OSSCAMP
Web Server Clustering - OSSCAMPWeb Server Clustering - OSSCAMP
Web Server Clustering - OSSCAMPAbhishek Singh
 
Happy Independence Day To All Indians
Happy Independence Day To All IndiansHappy Independence Day To All Indians
Happy Independence Day To All IndiansAbhishek Singh
 
Scaling a Rails Application from the Bottom Up
Scaling a Rails Application from the Bottom Up Scaling a Rails Application from the Bottom Up
Scaling a Rails Application from the Bottom Up Abhishek Singh
 
Xen_and_Rails_deployment
Xen_and_Rails_deploymentXen_and_Rails_deployment
Xen_and_Rails_deploymentAbhishek Singh
 
India's Smallest Car Ever
India's Smallest Car EverIndia's Smallest Car Ever
India's Smallest Car EverAbhishek Singh
 
Make Over Of An Orange
Make Over Of An OrangeMake Over Of An Orange
Make Over Of An OrangeAbhishek Singh
 
Cute Friendship Quotes
Cute Friendship QuotesCute Friendship Quotes
Cute Friendship QuotesAbhishek Singh
 
Series of Cool Pics Part 3
Series of Cool Pics Part 3Series of Cool Pics Part 3
Series of Cool Pics Part 3Abhishek Singh
 
Series of Cool Pictures Part 2
Series of Cool Pictures Part 2Series of Cool Pictures Part 2
Series of Cool Pictures Part 2Abhishek Singh
 
Series Of Cool Picutres Part 1
Series Of Cool Picutres Part 1Series Of Cool Picutres Part 1
Series Of Cool Picutres Part 1Abhishek Singh
 

Mehr von Abhishek Singh (20)

Cobbler Summit - Automated Xen VM Deployment
Cobbler Summit - Automated Xen VM DeploymentCobbler Summit - Automated Xen VM Deployment
Cobbler Summit - Automated Xen VM Deployment
 
Mapreduce - Simplified Data Processing on Large Clusters
Mapreduce - Simplified Data Processing on Large ClustersMapreduce - Simplified Data Processing on Large Clusters
Mapreduce - Simplified Data Processing on Large Clusters
 
Web Server Clustering - OSSCAMP
Web Server Clustering - OSSCAMPWeb Server Clustering - OSSCAMP
Web Server Clustering - OSSCAMP
 
Happy Independence Day To All Indians
Happy Independence Day To All IndiansHappy Independence Day To All Indians
Happy Independence Day To All Indians
 
Scaling a Rails Application from the Bottom Up
Scaling a Rails Application from the Bottom Up Scaling a Rails Application from the Bottom Up
Scaling a Rails Application from the Bottom Up
 
test
testtest
test
 
How to Charm a Woman
How to Charm a WomanHow to Charm a Woman
How to Charm a Woman
 
Xen_and_Rails_deployment
Xen_and_Rails_deploymentXen_and_Rails_deployment
Xen_and_Rails_deployment
 
India's Smallest Car Ever
India's Smallest Car EverIndia's Smallest Car Ever
India's Smallest Car Ever
 
Software BABA
Software BABASoftware BABA
Software BABA
 
Make Over Of An Orange
Make Over Of An OrangeMake Over Of An Orange
Make Over Of An Orange
 
Cute Friendship Quotes
Cute Friendship QuotesCute Friendship Quotes
Cute Friendship Quotes
 
Series of Cool Pics Part 3
Series of Cool Pics Part 3Series of Cool Pics Part 3
Series of Cool Pics Part 3
 
Series of Cool Pictures Part 2
Series of Cool Pictures Part 2Series of Cool Pictures Part 2
Series of Cool Pictures Part 2
 
Name Confusion
Name ConfusionName Confusion
Name Confusion
 
Series Of Cool Picutres Part 1
Series Of Cool Picutres Part 1Series Of Cool Picutres Part 1
Series Of Cool Picutres Part 1
 
KUbuntu
KUbuntuKUbuntu
KUbuntu
 
Monit
MonitMonit
Monit
 
Fun
Fun Fun
Fun
 
Namste London
Namste LondonNamste London
Namste London
 

Kürzlich hochgeladen

Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarPrecisely
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsSafe Software
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 

Kürzlich hochgeladen (20)

Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 

Web Application Frewall

  • 1. Web Application Firewalls: When Are They Useful? Ivan Ristic Thinking Stone ivanr@webkreator.com +44 7766 508 210 OWASP AppSec Europe May 2006 Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License. The OWASP Foundation http://www.owasp.org/
  • 2. Ivan Ristic Web Application Security specialist; Developer. Author of Apache Security. Author of ModSecurity. Founder of Thinking Stone. OWASP AppSec Europe 2006 2
  • 3. Why Use Web Application Firewalls?  In the nutshell: 1. Web applications are deployed terribly insecure. 2. Developers should, of course, continue to strive to build better/more secure software. 3. But in the meantime, sysadmins must do something about it. (Or, as I like to say: We need very help we can get.) 4. Insecure applications aside, WAFs are an important building block in every HTTP network. OWASP AppSec Europe 2006 3
  • 4. Network Firewalls Do Not Work For HTTP Firewall Application Database Web Web Server Client Server Application HTTP Traffic Port 80 OWASP AppSec Europe 2006 4
  • 5. WAFEC (1) Web Application Firewall Evaluation Criteria. Project of the Web Application Security Consortium (webappsec.org). It's an open project. Nine WAF vendors on board, but I'd like to see more users on the list. WAFEC v1.0 published in January. We are about to start work on v1.1. OWASP AppSec Europe 2006 5
  • 6. WAFEC (2)  Nine sections: 1. Deployment Architecture 2. HTTP and HTML Support 3. Detection Techniques 4. Prevention Techniques 5. Logging 6. Reporting 7. Management 8. Performance 9. XML OWASP AppSec Europe 2006 6
  • 7. WAFEC (3) WAFEC is not for the vendors. It's for the users. (So please voice your opinions!) http://www.webappsec.org/projects/wafec/ OWASP AppSec Europe 2006 7
  • 8. WAF Identity Problem (1)  There is a long-standing WAF identity problem.  With the name, first of all*: Adaptive Firewall Web Adaptive Firewall Adaptive Proxy Web Application Firewall Adaptive Gateway Web Application Security Device Application Firewall Web Application Proxy Application-level Firewall Web Application Shield Application-layer Firewall Web Shield Application-level Security Gateway Web Security Firewall Application Level Gateway Web Security Gateway Application Security Device Web Security Proxy Application Security Gateway Web Intrusion Detection System Stateful Multilayer Inspection Web Intrusion Prevention System Firewall List compiled by Achim Hoffmann. OWASP AppSec Europe 2006 8
  • 9. WAF Identity Problem (2)  There are four aspects to consider: 1. Audit device 2. Access control device 3. Layer 7 router/switch 4. Web Application Hardening tool  These are all valid requirements but the name Web Application Firewall is not suitable.  On the lower network layers we have a different name for each function. OWASP AppSec Europe 2006 9
  • 10. WAF Identity Problem (3)  Appliance-oriented web application firewalls clash with the Application Assurance market.  Problems solved long time ago: Load balancing  Clustering  SSL termination and acceleration  Caching and transparent compression  URL rewriting  …and so on  OWASP AppSec Europe 2006 10
  • 11. WAF Identity Problem (4)  Key factors: 1. Application Assurance vendors are very strong. 2. Web Application Firewall vendors not as much.  Result:  Appliance-oriented WAFs are being assimilated by the Application Assurance market.  In the meantime:  Embedded WAFs are left alone because they are not an all-or-nothing proposition. OWASP AppSec Europe 2006 11
  • 12. WAF Functionality Overview OWASP AppSec Europe 2006 12
  • 13. The Essentials (1)  Full support for HTTP:  Access to individual fields (field content, length, field count, etc).  Entire transaction (both request and response).  Uploaded files.  Anti-evasion features (also known as normalisation/canonicalisation/transformation features). OWASP AppSec Europe 2006 13
  • 14. The Essentials (2)  Blocking features: Transaction  Connection  IP Address  Session  User  Honeypot redirection  TCP/IP resets (connection)  Blocking via external device   What happens upon detection? OWASP AppSec Europe 2006 14
  • 15. Fancy Features  Stateful operation:  IP Address data  Session data  User data  Event Correlation  High availability: Failover  Load-balancing  Clustering  State replication  OWASP AppSec Europe 2006 15
  • 16. Hard-Coded Protection Techniques (1)  Cookie protection  Sign/encrypt/virtualise  Hidden field protection  Sign/encrypt/virtualise  Session management protection Enforce session duration timeout, inactivity timeout.  Prevent fixation.  Virtualise session management.  Prevent hijacking or at least warn about it.  OWASP AppSec Europe 2006 16
  • 17. Hard-Coded Protection Techniques (2)  Brute-force protection  Link validation  Signing  Virtualisation  Request flow enforcement  Statically  Dynamically OWASP AppSec Europe 2006 17
  • 18. Other Things To Consider (1)  Management:  Is it possible to manage multiple sensors from one place?  Support for administrative accounts with different privileges (both horisontal and vertical).  Reporting (giving Management what it wants):  On-demand and scheduled reports with support for cus  XML:  WAFs are expected to provide basic support for XML parsing and validation.  Full XML support is usually available as an option, or as a completely separate product. OWASP AppSec Europe 2006 18
  • 19. Other Things To Consider (2)  Extensibility:  Is it possible to add custom functionality to the firewall?  Is the source code available? (But not as a replacement for a proper API.)  Performance: New connections per second.  Maximum concurrent connections.  Transactions per second.  Throughput.  Latency.  OWASP AppSec Europe 2006 19
  • 20. Signatures and Rules OWASP AppSec Europe 2006 20
  • 21. Signatures or Rules? 1. Signatures  Simple text strings or regular expression patterns matched against input data.  Not very flexible. 2. Rules 1. Flexible. 2. Multiple operators. 3. Rule groups. 4. Anti-evasion functions. 5. Logical expressions. 6. Custom variables. OWASP AppSec Europe 2006 21
  • 22. Three Protection Strategies 1. External patching  Also known as "just-in-time patching" or "virtual patching"). 2. Negative security model  Looking for bad stuff.  Typically used for Web Intrusion Detection.  Easy to start with but difficult to get right. 3. Positive security model  Verifying input is correct.  Usually automated, but very difficult to get right with applications that change.  It's very good but you need to set your expectations accordingly. OWASP AppSec Europe 2006 22
  • 23. Auditing and HTTP Traffic Monitoring OWASP AppSec Europe 2006 23
  • 24. Web Intrusion Detection  Often forgotten because of marketing pressures:  Detection is so last year (decade).  Prevention sounds and sells much better!  The problem with prevention is that it is bound to fail given sufficiently determined attacker (or inexperienced WAF operator).  Monitoring (logging and detection) is actually more important as it allows you to independently audit traffic, and go back in time. OWASP AppSec Europe 2006 24
  • 25. Monitoring Requirements  Centralisation.  Transaction data storage.  Control over which transactions are logged and which parts of each transaction are logged, dynamically on the per-transaction basis.  Minimal information (session data).  Partial transaction data.  Full transaction data.  Support for data sanitisation.  Can implement your retention policy. OWASP AppSec Europe 2006 25
  • 26. Deployment OWASP AppSec Europe 2006 26
  • 27. Deployment  Three choices when it comes to deployment: 1. Network-level device. 2. Reverse proxy. 3. Embedded in web server. OWASP AppSec Europe 2006 27
  • 28. Deployment (2) 1. Network-level device Does not require network re-configuration. OWASP AppSec Europe 2006 28
  • 29. Deployment (3) 2. Reverse proxy Typically requires network re-configuration. OWASP AppSec Europe 2006 29
  • 30. Deployment (4) 3. Embedded Does not require network re-configuration. OWASP AppSec Europe 2006 30
  • 31. Deployment (5) 1. Network passive  Does not affect performance.  Easy to add.  Not a bottleneck or a point of failure.  Limited prevention options.  Must have copies of SSL keys. 2. Network in-line  A potential bottleneck.  Point of failure.  Must have copies of SSL keys.  Easy to add. OWASP AppSec Europe 2006 31
  • 32. Deployment (6) 3. Reverse proxy  A potential bottleneck.  Point of failure.  Requires changes to network (unless it's a transparent reverse proxy).  Must terminate SSL (can be a problem if application needs to access client certificate data).  It's a separate architecture/security layer. 4. Embedded  Easy to add (and usually much cheaper).  Not a point of failure.  Uses web server resources. OWASP AppSec Europe 2006 32
  • 33. Reverse Proxy As a Building Block  Reverse proxy patterns: 1. Front door 2. Integration reverse proxy 3. Protection reverse proxy 4. Performance reverse proxy 5. Scalability reverse proxy  Logical patterns, orthogonal to each other.  Often deployed as a single physical reverse proxy. OWASP AppSec Europe 2006 33
  • 34. Front Door (1/5)  Make all HTTP traffic go through the proxy  Centralisation makes access control, logging, and monitoring easier OWASP AppSec Europe 2006 34
  • 35. Integration Reverse Proxy (2/5)  Combine multiple web servers into one  Hide the internals  Decouple interface from implementation OWASP AppSec Europe 2006 35
  • 36. Protection Reverse Proxy (3/5)  Observes traffic in and out  Blocks invalid requests and attacks  Prevents information disclosure OWASP AppSec Europe 2006 36
  • 37. Performance Reverse Proxy (4/5)  Transparent caching  Transparent response compression  SSL termination OWASP AppSec Europe 2006 37
  • 38. Scalability Reverse Proxy (5/5)  Load balancing  Fault tolerance  Clustering OWASP AppSec Europe 2006 38
  • 39. Open Source Approach: Apache + ModSecurity OWASP AppSec Europe 2006 39
  • 40. Apache One of the most used open source products.  Available on many platforms.  Free, fast, stable and reliable.  Expertise widely available.  Apache 2.2.x (finally!) released with many  improvements:  Improved authentication.  Improved support for caching.  Significant improvements to the mod_proxy code (and load balancing support).  Ideal reverse proxy. OWASP AppSec Europe 2006 40
  • 41. ModSecurity Adds WAF functionality to Apache.  In the 4th year of development.  Free, open source, commercially supported.  Implements most WAF features (and the  remaining ones are coming soon).  Popular and very widely used.  Fast, reliable and predictable. OWASP AppSec Europe 2006 41
  • 42. Apache + ModSecurity  Deploy as reverse proxy:  Pick a nice server (I am quite fond of Sun's hardware offerings myself).  Install Apache 2.2.x.  Add ModSecurity.  Add SSL acceleration card (optional).  Or simply run ModSecurity in embedded mode. OWASP AppSec Europe 2006 42
  • 43. ModSecurity  Strong areas: Auditing/logging support.  Real-time traffic monitoring.  Just-in-time patching.  Prevention.  Very configurable/programmable.   Weak areas:  No automation of the positive security model approach yet. OWASP AppSec Europe 2006 43
  • 44. Questions? Thank you! Download this presentation from http://www.thinkingstone.com/talks/ OWASP AppSec Europe 2006 44