Web applications of all kinds, whether online shops or partner portals, have in recent years increasingly become the target of hacker attacks. The attackers are using methods which are specifically aimed at exploiting potential weak spots in the web application software itself – and this is why they are not detected, or are not detected with sufficient accuracy, by traditional IT security systems such as network firewalls or IDS/IPS systems. OWASP develops tools and best practices to support developers, project managers and security testers in the development and operation of secure web applications. Additional protection against attacks, in particular for already productive web applications, is offered by what is still a emerging category of IT security systems, known as Web Application Firewalls (hereinafter referred to simply as WAF), often also called Web Application Shields or Web Application Security Filters.

1. OWASP Asia 2008
Best Practices Guide:
Web Application Firewalls
Alexander Meisel
CTO art of defence
OWASP German Chapter
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the OWASP License.
The OWASP Foundation
http://www.owasp.org

2. OWASP 2

3. What is this?
OWASP 2

4. What is this?
OWASP 2

5. What is this?
OWASP 2

6. What is this?
OWASP 2

7. What is this?
Security Hole in
our Web App!!!
OWASP 2

8. What is this?
Security Hole in
our Web App!!!
Let’s fix it using a Web Application Firewall (WAF)! ;-)
OWASP 2

9. What is this?
Security Hole in
our Web App!!!
Let’s fix it using a Web Application Firewall (WAF)! ;-)
But HOW ON EARTH do I deploy a WAF correctly?
OWASP 2

10. Big “Thank you!!!” to the Authors
 Maximilian Dermann
 Lufthansa Technik AG
 Mirko Dziadzka
 art of defence GmbH
 Boris Hemkemeier
 OWASP German Chapter
 Achim Hoffmann
 SecureNet GmbH
 Alexander Meisel
 art of defence GmbH
 Matthias Rohr
 SecureNet GmbH
 Thomas Schreiber
 SecureNet GmbH
OWASP 3

11. Contents
Introduction and aim
Characteristics of web apps with regards to
security
Overview of what WAFs can do
Benefits and risks of WAFs
Protection against the OWASP TOP 10 (App vs.
WAF vs. Policy)
Criteria for deciding whether or not to use WAFs
Best practices for introduction and operation of
WAFs
OWASP

12. Introduction and aim
Introduction
Online Businesses
Weak spot HTTP
Reference to PCI DSS
Definition of the term “Web Application Firewall”
NOT a Network Firewall
Not only Hardware
Targeted audience
Technical decision-makers
People responsible for operations and security
Application Owners
OWASP 5

13. Characteristics of web applications with
regards to security
Higher level aspects in the company
Prioritizing Web Apps in regard to their importance
 Access to personal customer data
 Access to (confidential) company information
– Image loss
 Certifications
Technical Aspects
Test and quality assurance
Documentation
Vendor-Contracts
OWASP 6

14. Overview of what WAFs can do
Where do WAFs fit into the Web App Sec field
WAFs are part of a solution
Main benefits of a WAF
Additional functionality
What can be archived with WAFs
Table with (wanted) functionality
 examples: CSRF, Session fixation, *-Injection
Rating / Evaluation:
 + can be very well implemented using a WAF
 - can not be implemented
 ! dependents on the WAF/application/requirements
 = can partly be implemented with a WAF
OWASP 7

15. Table (Just a small example)
OWASP 8

16. Benefits and risks of WAFs (I)
Main benefits of WAFs
Base line security
Compliance
Just-in-time patching of problems
Additional benefits of (depending on functionality)
Central reporting and error logging
SSL termination
URL-Encryption
....
OWASP 9

17. Benefits and risks of WAFs (II)
Risks involved using WAFs
False positives
Increased complexity
Yet another proxy
Potential side effects if the WAF terminates the
application
OWASP 10

18. Protection against the OWASP TOP 10
App vs. WAF vs. Policy
Three types of applications:
T1: Web application in design phase
T2: Already productive app which can easily be
changed (e.g. with MVC architecture)
T3: Productive app which cannot be modified or only
with difficulty
Table of OWASP TOP 10 in regards to work
required with the 3 types of application to fix the
problem
in the application itself
using a WAF
using a policy OWASP 11

19. OWASP Top 10 (Example)
OWASP 12

20. Criteria for deciding whether or not to use
Web Application Firewalls (I)
Company wide criteria:
Importance of the app for the success of the
company
Number of web applications
Complexity
Operational costs
Performance and scalability
OWASP 13

21. Criteria for deciding whether or not to use
Web Application Firewalls (II)
Criteria with regard to the web application
Changeability of the application
Documentation
Maintenance contracts
Time required fixing bugs in third-party products
Consideration of financial aspects
Avoidance of financial damage via successful attacks
Costs of using a WAF
 License costs
 Update costs
 Project costs for evaluation and introducing a WAF
 Volume of work required / Personnel costs
OWASP 14

22. Criteria for deciding whether or not to use
Web Application Firewalls (II)
Evaluation and Summary
OWASP 15

23. Best practices for introduction and operation
of Web Application Firewalls (I)
Infrastructure
Central or decentralized infrastructure
 central proxy application
 host based - plug-in approach
 virtualization !!???!!!
Performance
 GBits/Second throughput on hardware does NOT matter
 HTTP requests processed per second is important
 Simultaneous web application users
 Think of peak load times (pre Christmas rush)
OWASP 16

24. Best practices for introduction and operation
of Web Application Firewalls (II)
Organizational aspects
Security Policies
 Try not to change security policies already in place
Suggestion of new job position
 WAF application manager
– One-off task of commissioning a WAF
– In-depth knowledge of WAF capabilities
– Alarm and Error management
– Changes to the rule-set
– Talking to the development department(s)
OWASP 17

25. Best practices for introduction and operation
of Web Application Firewalls (III)
Iterative procedure
Step 1
 Definition of the people responsible for security
– ideally the “WAF application manager”
Step 2
 Baseline security for all web applications
– mostly blacklisting using vendor signatures
– monitor for false positives/negatives and get rid of them
Step 3
 Prioritized list of all web applications which need to be secured
– Use the checklist (attached to the paper)
Further Steps:
 Work through the list and systematically secure the app
OWASP 18

26. Appendices
Checklist to define the ‘accessibility’ of the web
application
The more points you score the, the better is the
access to web application
Job descriptions for the ‘new guys’
WAF platform manager
 needed in really complex/big environments
WAF application manager (per application)
Application manager
OWASP 19

27. Where to find on the net?
OWASP Wiki of course
https://www.owasp.org/index.php/
Best_Practices:_Web_Application_Firewalls
OWASP 20

28. Hot Fix
Patch
Thank you!
Questions?
Alexander Meisel
alexander.meisel@artofdefence.com
OWASP 21

29. Hot Fix
Patch
Thank you!
Questions?
Alexander Meisel
alexander.meisel@artofdefence.com
OWASP 21

30. Hot Fix
Patch
BTW: I love Taiwan!!! ;-)
Thank you!
Questions?
Alexander Meisel
alexander.meisel@artofdefence.com
OWASP 21