SlideShare ist ein Scribd-Unternehmen logo

WAF 101

Null Bhubaneswar
Null Bhubaneswar

Web application firewall 101

Technologie
1 von 20
Downloaden Sie, um offline zu lesen
1 Web Application Firewall Null Bhubaneswar 18 March 2023 Sampad Rout
SAMPAD ROUT CISSP® Security Architect | Microsoft A little about me 2
3 GE Industrial R&D security ( Aviation, Power and Water, Renewable Energy, Appliances, Transportation) Royal Bank Of Scotland Securing banking platform mostly mortgage division of Coutts AT&T Securing the Media division HBO, Warner Media Microsoft Securing the Ad Platform Outside Org Reviewer for ISC2, Contribution to Opensource (Virtual Patch / IaC), Trainer EXPERIENCES SO FAR What do I do in Spare time XBOX | BLOG | Stories and Movies Subject Matter Expert on AppSec | Data Protection | Secure Architecture | Container Security | API Security
Firewall - Definition, Nomenclature and History, WAF, Difference between Firewall and WAF What is what 01. Pattern Identifiers, Default mechanism, Template rules, Advanced rules, IP reputation CONTENTS 101 Demo How a WAF works 4 03. Look and feel of the rules , Signals and GUI 02. 04. & If Something I left covering which I should have + Q&A Architecture & Placements
What is What Firewall, Nomenclature & History, WAF, Difference between Firewall and WAF 01. 5
What is a Firewall 6 The name firewall : It came from similar in purpose to physical firewalls designed to contain fires and keep them from spreading. ● Firewalls established a barrier between a network that was internal to a company and considered trusted, and an external network, that was considered untrusted. ● In a simple sense a Firewall controls what traffic should be allowed and what to be blocked into your system based on defined rules & patterns.
7
8 A Firewall is a network security device, may come in as a software, a hardware device or a SaaS model, that monitors and filters incoming and outgoing network traffic based on an organization’s previously established security policies. — Common Definition
Firewall Evolution 9 How firewall was enhanced through out Firewall Generations First Generation Second Generation 2.5 Generation Stateless Stateful, Bidirectional Targeted / Specialized Firewalls Packet Filters based on IP and Ports / L3 or L4 Connection / Session based IP , Ports / L3 or L4 IPS, UTM,URL Filtering IP Tables, OS firewall, Basic Switches Usage : ACLs Advanced Switches Usage : ACLs , DMZ Up to L5-L7, Scaling and Performance IP Spoofing, Valid return traffic vs Imposter Good traffic vs Bad Traffic Signature oriented, No Dynamisms
Firewall Evolution Cont.. 10 How firewall was enhanced through out Firewall Generations Third Generation Next-Gen Stateful, Scalable Stateful, Hybrid, RBAC, User grp identify HTTP conversation & apps specific attacks/ L7 Deep packet inspection, Adv threat protection/L7 Host based Application firewalls, WAF Performance, QoS, non- Disruptive Vendor issued NGFW Juniper, CISCO, Checkmarx etc
Web Application Firewall A web application firewall (WAF) protects web applications (hosted in any platform)from a variety of application layer attacks such as cross-site scripting (XSS), SQL injection etc (OWASP Top 10) and beyond. 11 Port / OSI ref model Layer 2 DataLink Layer 3 Network Layer 4 Transport Layer 5 Session Layer 6 Presentation Layer 7 Application Layer 1 Physical WEB APP FIREWALL NETWORK FIREWALL
12 How a WAF works 02. Pattern Identifiers, Default mechanism, Template rules, Advanced rules, IP reputation
Based on Actions / Perform Traffic Pattern Audit/ Monitor Block Allow (Supersedes) Defined Set Whitelist(Supersedes) Blacklist Handle / Gauge True Positives False Positives True Negatives False Negatives RBAC Read-only (Most) App based (App Owners) Admin (Ops) Super User / God mode (Improvements) Action Matrix 13
PREVENTIVE & TECHNICAL CONTROL 14 Basic Model DESCRIPTION EXAMPLE Happened nth time If a malicious event happens for nth number of time with in a defined period from a particular IP/user. XSS/ Inj attack / Failed login pattern detected 50 times in a minute - Block Reputation WAF’s global analysis engine IP, DCs gets flagged as bad actors for 24 hrs globally Templated rules Supports zero-days and virtual patching If there is no patch released or You are not able to patch Complex and Adv rules Complex rules, Combination of rules Whitelist ~ Blacklisted, Allowed ~Blocked and track~ discover
15 LET’S SEE HOW IT LOOKS 03. Enough Talk, Let’s see it in action
Start from the basic: ● OWASP / Port Swigger XSS Cheat sheet. ● Analyzing your app environment and traffic pattern. ● Any Zero-day ● How a IaC rule look like. HOW TO RULE 101 16 scope = "global" group_operator = "all" expiration = "" conditions { type = "single" field = ”domains" operator = "inList" value = "instances-scw-cloud" } actions { type = ”Whitelist" marking = "scw-cloud" } conditions { field = "method" operator = "doesNotEqual" type = "single" value = "DELETE” || value = "PATCH” || value = "GET” || value = "POST” || value = "OPTIONS” || value = "HEAD” || value = "PUT” || } actions { marking = "wrong- http-method" type = "block" } •
Architecture 17 04. How the WAF Functionally and Logically placed in Network
Functional Architecture 18
Where you should Place it 19 1 Reverse Proxy 2 Side Car 3 On the Frontend 4 SaaS Model 5 Customized requirement (Istio, Envoy, Serverless, Agent Only) 6 PaaS Model WAF Strategic Placement
Q&A

Empfohlen

OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World42Crunch
 
WAFs.pptx
WAFs.pptxWAFs.pptx
WAFs.pptxHamzaJamil41
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing Priyanka Aash
 
Serverless Siege: AWS Lambda Pentesting - OWASP Top 10 Serverless C0c0n 2023
Serverless Siege: AWS Lambda Pentesting - OWASP Top 10 Serverless C0c0n 2023Serverless Siege: AWS Lambda Pentesting - OWASP Top 10 Serverless C0c0n 2023
Serverless Siege: AWS Lambda Pentesting - OWASP Top 10 Serverless C0c0n 2023Divyanshu
 
OWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksOWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksIndusfacePvtLtd
 
WEBINAR: OWASP API Security Top 10
WEBINAR: OWASP API Security Top 10WEBINAR: OWASP API Security Top 10
WEBINAR: OWASP API Security Top 1042Crunch
 
SSRF workshop
SSRF workshop SSRF workshop
SSRF workshop Ivan Novikov
 

Empfohlen

OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World42Crunch
 
WAFs.pptx
WAFs.pptxWAFs.pptx
WAFs.pptxHamzaJamil41
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing Priyanka Aash
 
Serverless Siege: AWS Lambda Pentesting - OWASP Top 10 Serverless C0c0n 2023
Serverless Siege: AWS Lambda Pentesting - OWASP Top 10 Serverless C0c0n 2023Serverless Siege: AWS Lambda Pentesting - OWASP Top 10 Serverless C0c0n 2023
Serverless Siege: AWS Lambda Pentesting - OWASP Top 10 Serverless C0c0n 2023Divyanshu
 
OWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksOWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksIndusfacePvtLtd
 
WEBINAR: OWASP API Security Top 10
WEBINAR: OWASP API Security Top 10WEBINAR: OWASP API Security Top 10
WEBINAR: OWASP API Security Top 1042Crunch
 
SSRF workshop
SSRF workshop SSRF workshop
SSRF workshop Ivan Novikov
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide Isabelle Mauny
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAjin Abraham
 
Kong API Gateway
Kong API Gateway Kong API Gateway
Kong API Gateway Chris Mague
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101Narudom Roongsiriwong, CISSP
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Moataz Kamel
 
Spring Security
Spring SecuritySpring Security
Spring SecurityBoy Tech
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
REST API Design & Development
REST API Design & DevelopmentREST API Design & Development
REST API Design & DevelopmentAshok Pundit
 
(SEC306) Defending Against DDoS Attacks
(SEC306) Defending Against DDoS Attacks(SEC306) Defending Against DDoS Attacks
(SEC306) Defending Against DDoS AttacksAmazon Web Services
 
OWASP Top Ten
OWASP Top TenOWASP Top Ten
OWASP Top TenChristian Heinrich
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
OWASP API Security Top 10 Examples
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples42Crunch
 
Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips confluent
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Codemotion
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Web Application Firewall
Web Application FirewallWeb Application Firewall
Web Application FirewallChandrapal Badshah
 
Learn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPLearn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPPaul Ionescu
 
Understanding Cyber Kill Chain and OODA loop
Understanding Cyber Kill Chain and OODA loopUnderstanding Cyber Kill Chain and OODA loop
Understanding Cyber Kill Chain and OODA loopDavid Sweigert
 
AWS Security Best Practices, SaaS and Compliance
AWS Security Best Practices, SaaS and ComplianceAWS Security Best Practices, SaaS and Compliance
AWS Security Best Practices, SaaS and ComplianceGaurav "GP" Pal
 

Weitere ähnliche Inhalte

Was ist angesagt?

OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide Isabelle Mauny
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAjin Abraham
 
Kong API Gateway
Kong API Gateway Kong API Gateway
Kong API Gateway Chris Mague
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Moataz Kamel
 
Spring Security
Spring SecuritySpring Security
Spring SecurityBoy Tech
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
REST API Design & Development
REST API Design & DevelopmentREST API Design & Development
REST API Design & DevelopmentAshok Pundit
 
(SEC306) Defending Against DDoS Attacks
(SEC306) Defending Against DDoS Attacks(SEC306) Defending Against DDoS Attacks
(SEC306) Defending Against DDoS AttacksAmazon Web Services
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
OWASP API Security Top 10 Examples
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples42Crunch
 
Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips confluent
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Codemotion
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Learn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPLearn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPPaul Ionescu
 

Was ist angesagt? (20)

OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
 
APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
 
Kong API Gateway
Kong API Gateway Kong API Gateway
Kong API Gateway
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 
Spring Security
Spring SecuritySpring Security
Spring Security
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
REST API Design & Development
REST API Design & DevelopmentREST API Design & Development
REST API Design & Development
 
(SEC306) Defending Against DDoS Attacks
(SEC306) Defending Against DDoS Attacks(SEC306) Defending Against DDoS Attacks
(SEC306) Defending Against DDoS Attacks
 
OWASP Top Ten
OWASP Top TenOWASP Top Ten
OWASP Top Ten
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...
 
OWASP API Security Top 10 Examples
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples
 
Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
Web Application Firewall
Web Application FirewallWeb Application Firewall
Web Application Firewall
 
Learn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPLearn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAP
 

Ähnlich wie WAF 101

Understanding Cyber Kill Chain and OODA loop
Understanding Cyber Kill Chain and OODA loopUnderstanding Cyber Kill Chain and OODA loop
Understanding Cyber Kill Chain and OODA loopDavid Sweigert
 
AWS Security Best Practices, SaaS and Compliance
AWS Security Best Practices, SaaS and ComplianceAWS Security Best Practices, SaaS and Compliance
AWS Security Best Practices, SaaS and ComplianceGaurav "GP" Pal
 
Why Its time to Upgrade a Next-Generation Firewall
Why Its time to Upgrade a Next-Generation FirewallWhy Its time to Upgrade a Next-Generation Firewall
Why Its time to Upgrade a Next-Generation FirewallAli Kapucu
 
Sophos Day Belgium - What's cooking in Sophos' Network Security Group?
Sophos Day Belgium - What's cooking in Sophos' Network Security Group?Sophos Day Belgium - What's cooking in Sophos' Network Security Group?
Sophos Day Belgium - What's cooking in Sophos' Network Security Group?Sophos Benelux
 
Architecting Secure Web Systems
Architecting Secure Web SystemsArchitecting Secure Web Systems
Architecting Secure Web SystemsInnoTech
 
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...Neil Matatall
 
Advanced threat security - Cyber Security For The Real World
Advanced threat security - Cyber Security For The Real WorldAdvanced threat security - Cyber Security For The Real World
Advanced threat security - Cyber Security For The Real WorldCisco Canada
 
Automated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gposAutomated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gposPriyanka Aash
 
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsSPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsRod Soto
 
apl5iy2ftxiwofbhsmxj-signature-584e2459f99b5370bda435f09b42cc84cc8c063b8cd454...
apl5iy2ftxiwofbhsmxj-signature-584e2459f99b5370bda435f09b42cc84cc8c063b8cd454...apl5iy2ftxiwofbhsmxj-signature-584e2459f99b5370bda435f09b42cc84cc8c063b8cd454...
apl5iy2ftxiwofbhsmxj-signature-584e2459f99b5370bda435f09b42cc84cc8c063b8cd454...Chrysostomos Christofi
 
Infrastructure security & Incident Management
Infrastructure security & Incident Management Infrastructure security & Incident Management
Infrastructure security & Incident Management nullowaspmumbai
 
Sourcefire Webinar - NEW GENERATION IPS
Sourcefire Webinar - NEW GENERATION IPSSourcefire Webinar - NEW GENERATION IPS
Sourcefire Webinar - NEW GENERATION IPSmmiznoni
 
Intelligent adware blocker symantec
Intelligent adware blocker symantecIntelligent adware blocker symantec
Intelligent adware blocker symantecPednekar Prajakta
 
ANET SureLog SIEM IntelligentResponse
ANET SureLog SIEM IntelligentResponseANET SureLog SIEM IntelligentResponse
ANET SureLog SIEM IntelligentResponseErtugrul Akbas
 
Cisco Security Presentation
Cisco Security PresentationCisco Security Presentation
Cisco Security PresentationSimplex
 
Cyber Defense Matrix: Reloaded
Cyber Defense Matrix: ReloadedCyber Defense Matrix: Reloaded
Cyber Defense Matrix: ReloadedSounil Yu
 
Cloud Security:Threats & Mitgations
Cloud Security:Threats & MitgationsCloud Security:Threats & Mitgations
Cloud Security:Threats & MitgationsIndicThreads
 
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...Mobodexter
 

Ähnlich wie WAF 101 (20)

Understanding Cyber Kill Chain and OODA loop
Understanding Cyber Kill Chain and OODA loopUnderstanding Cyber Kill Chain and OODA loop
Understanding Cyber Kill Chain and OODA loop
 
AWS Security Best Practices, SaaS and Compliance
AWS Security Best Practices, SaaS and ComplianceAWS Security Best Practices, SaaS and Compliance
AWS Security Best Practices, SaaS and Compliance
 
Why Its time to Upgrade a Next-Generation Firewall
Why Its time to Upgrade a Next-Generation FirewallWhy Its time to Upgrade a Next-Generation Firewall
Why Its time to Upgrade a Next-Generation Firewall
 
Sophos Day Belgium - What's cooking in Sophos' Network Security Group?
Sophos Day Belgium - What's cooking in Sophos' Network Security Group?Sophos Day Belgium - What's cooking in Sophos' Network Security Group?
Sophos Day Belgium - What's cooking in Sophos' Network Security Group?
 
Day4
Day4Day4
Day4
 
Architecting Secure Web Systems
Architecting Secure Web SystemsArchitecting Secure Web Systems
Architecting Secure Web Systems
 
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
 
Advanced threat security - Cyber Security For The Real World
Advanced threat security - Cyber Security For The Real WorldAdvanced threat security - Cyber Security For The Real World
Advanced threat security - Cyber Security For The Real World
 
Automated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gposAutomated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gpos
 
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsSPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
 
apl5iy2ftxiwofbhsmxj-signature-584e2459f99b5370bda435f09b42cc84cc8c063b8cd454...
apl5iy2ftxiwofbhsmxj-signature-584e2459f99b5370bda435f09b42cc84cc8c063b8cd454...apl5iy2ftxiwofbhsmxj-signature-584e2459f99b5370bda435f09b42cc84cc8c063b8cd454...
apl5iy2ftxiwofbhsmxj-signature-584e2459f99b5370bda435f09b42cc84cc8c063b8cd454...
 
Infrastructure security & Incident Management
Infrastructure security & Incident Management Infrastructure security & Incident Management
Infrastructure security & Incident Management
 
Sourcefire Webinar - NEW GENERATION IPS
Sourcefire Webinar - NEW GENERATION IPSSourcefire Webinar - NEW GENERATION IPS
Sourcefire Webinar - NEW GENERATION IPS
 
Intelligent adware blocker symantec
Intelligent adware blocker symantecIntelligent adware blocker symantec
Intelligent adware blocker symantec
 
ANET SureLog SIEM IntelligentResponse
ANET SureLog SIEM IntelligentResponseANET SureLog SIEM IntelligentResponse
ANET SureLog SIEM IntelligentResponse
 
Cisco Security Presentation
Cisco Security PresentationCisco Security Presentation
Cisco Security Presentation
 
security onion
security onionsecurity onion
security onion
 
Cyber Defense Matrix: Reloaded
Cyber Defense Matrix: ReloadedCyber Defense Matrix: Reloaded
Cyber Defense Matrix: Reloaded
 
Cloud Security:Threats & Mitgations
Cloud Security:Threats & MitgationsCloud Security:Threats & Mitgations
Cloud Security:Threats & Mitgations
 
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
 

Mehr von Null Bhubaneswar

Intro to Reverse Engineering
Intro to Reverse EngineeringIntro to Reverse Engineering
Intro to Reverse EngineeringNull Bhubaneswar
 
Lightweight static code analysis with semgrep
Lightweight static code analysis with semgrepLightweight static code analysis with semgrep
Lightweight static code analysis with semgrepNull Bhubaneswar
 
Online_financial_fraud Episode 2
Online_financial_fraud Episode 2Online_financial_fraud Episode 2
Online_financial_fraud Episode 2Null Bhubaneswar
 

Mehr von Null Bhubaneswar (16)

Online_financial_fraud3
Online_financial_fraud3Online_financial_fraud3
Online_financial_fraud3
 
Web App Pen Test
Web App Pen TestWeb App Pen Test
Web App Pen Test
 
BurpSuiteOverview
BurpSuiteOverviewBurpSuiteOverview
BurpSuiteOverview
 
Blue Team
Blue TeamBlue Team
Blue Team
 
OWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITISOWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITIS
 
Linux Basic Commands
Linux Basic CommandsLinux Basic Commands
Linux Basic Commands
 
Intro to Reverse Engineering
Intro to Reverse EngineeringIntro to Reverse Engineering
Intro to Reverse Engineering
 
Lightweight static code analysis with semgrep
Lightweight static code analysis with semgrepLightweight static code analysis with semgrep
Lightweight static code analysis with semgrep
 
Saying Hello to Bug Bounty
Saying Hello to Bug BountySaying Hello to Bug Bounty
Saying Hello to Bug Bounty
 
Information Security 201
Information Security 201Information Security 201
Information Security 201
 
Online_financial_fraud Episode 2
Online_financial_fraud Episode 2Online_financial_fraud Episode 2
Online_financial_fraud Episode 2
 
Information Security 101
Information Security 101Information Security 101
Information Security 101
 
Cloud_PT
Cloud_PT Cloud_PT
Cloud_PT
 
Online Financial Fraud
Online Financial FraudOnline Financial Fraud
Online Financial Fraud
 
Introduction_to_Cloud
Introduction_to_CloudIntroduction_to_Cloud
Introduction_to_Cloud
 
how_to_get_into_infosec
how_to_get_into_infosechow_to_get_into_infosec
how_to_get_into_infosec
 

Kürzlich hochgeladen

TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 

Kürzlich hochgeladen (20)

TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 

WAF 101

  • 1. 1 Web Application Firewall Null Bhubaneswar 18 March 2023 Sampad Rout
  • 2. SAMPAD ROUT CISSP® Security Architect | Microsoft A little about me 2
  • 3. 3 GE Industrial R&D security ( Aviation, Power and Water, Renewable Energy, Appliances, Transportation) Royal Bank Of Scotland Securing banking platform mostly mortgage division of Coutts AT&T Securing the Media division HBO, Warner Media Microsoft Securing the Ad Platform Outside Org Reviewer for ISC2, Contribution to Opensource (Virtual Patch / IaC), Trainer EXPERIENCES SO FAR What do I do in Spare time XBOX | BLOG | Stories and Movies Subject Matter Expert on AppSec | Data Protection | Secure Architecture | Container Security | API Security
  • 4. Firewall - Definition, Nomenclature and History, WAF, Difference between Firewall and WAF What is what 01. Pattern Identifiers, Default mechanism, Template rules, Advanced rules, IP reputation CONTENTS 101 Demo How a WAF works 4 03. Look and feel of the rules , Signals and GUI 02. 04. & If Something I left covering which I should have + Q&A Architecture & Placements
  • 5. What is What Firewall, Nomenclature & History, WAF, Difference between Firewall and WAF 01. 5
  • 6. What is a Firewall 6 The name firewall : It came from similar in purpose to physical firewalls designed to contain fires and keep them from spreading. ● Firewalls established a barrier between a network that was internal to a company and considered trusted, and an external network, that was considered untrusted. ● In a simple sense a Firewall controls what traffic should be allowed and what to be blocked into your system based on defined rules & patterns.
  • 7. 7
  • 8. 8 A Firewall is a network security device, may come in as a software, a hardware device or a SaaS model, that monitors and filters incoming and outgoing network traffic based on an organization’s previously established security policies. — Common Definition
  • 9. Firewall Evolution 9 How firewall was enhanced through out Firewall Generations First Generation Second Generation 2.5 Generation Stateless Stateful, Bidirectional Targeted / Specialized Firewalls Packet Filters based on IP and Ports / L3 or L4 Connection / Session based IP , Ports / L3 or L4 IPS, UTM,URL Filtering IP Tables, OS firewall, Basic Switches Usage : ACLs Advanced Switches Usage : ACLs , DMZ Up to L5-L7, Scaling and Performance IP Spoofing, Valid return traffic vs Imposter Good traffic vs Bad Traffic Signature oriented, No Dynamisms
  • 10. Firewall Evolution Cont.. 10 How firewall was enhanced through out Firewall Generations Third Generation Next-Gen Stateful, Scalable Stateful, Hybrid, RBAC, User grp identify HTTP conversation & apps specific attacks/ L7 Deep packet inspection, Adv threat protection/L7 Host based Application firewalls, WAF Performance, QoS, non- Disruptive Vendor issued NGFW Juniper, CISCO, Checkmarx etc
  • 11. Web Application Firewall A web application firewall (WAF) protects web applications (hosted in any platform)from a variety of application layer attacks such as cross-site scripting (XSS), SQL injection etc (OWASP Top 10) and beyond. 11 Port / OSI ref model Layer 2 DataLink Layer 3 Network Layer 4 Transport Layer 5 Session Layer 6 Presentation Layer 7 Application Layer 1 Physical WEB APP FIREWALL NETWORK FIREWALL
  • 12. 12 How a WAF works 02. Pattern Identifiers, Default mechanism, Template rules, Advanced rules, IP reputation
  • 13. Based on Actions / Perform Traffic Pattern Audit/ Monitor Block Allow (Supersedes) Defined Set Whitelist(Supersedes) Blacklist Handle / Gauge True Positives False Positives True Negatives False Negatives RBAC Read-only (Most) App based (App Owners) Admin (Ops) Super User / God mode (Improvements) Action Matrix 13
  • 14. PREVENTIVE & TECHNICAL CONTROL 14 Basic Model DESCRIPTION EXAMPLE Happened nth time If a malicious event happens for nth number of time with in a defined period from a particular IP/user. XSS/ Inj attack / Failed login pattern detected 50 times in a minute - Block Reputation WAF’s global analysis engine IP, DCs gets flagged as bad actors for 24 hrs globally Templated rules Supports zero-days and virtual patching If there is no patch released or You are not able to patch Complex and Adv rules Complex rules, Combination of rules Whitelist ~ Blacklisted, Allowed ~Blocked and track~ discover
  • 15. 15 LET’S SEE HOW IT LOOKS 03. Enough Talk, Let’s see it in action
  • 16. Start from the basic: ● OWASP / Port Swigger XSS Cheat sheet. ● Analyzing your app environment and traffic pattern. ● Any Zero-day ● How a IaC rule look like. HOW TO RULE 101 16 scope = "global" group_operator = "all" expiration = "" conditions { type = "single" field = ”domains" operator = "inList" value = "instances-scw-cloud" } actions { type = ”Whitelist" marking = "scw-cloud" } conditions { field = "method" operator = "doesNotEqual" type = "single" value = "DELETE” || value = "PATCH” || value = "GET” || value = "POST” || value = "OPTIONS” || value = "HEAD” || value = "PUT” || } actions { marking = "wrong- http-method" type = "block" } •
  • 17. Architecture 17 04. How the WAF Functionally and Logically placed in Network
  • 19. Where you should Place it 19 1 Reverse Proxy 2 Side Car 3 On the Frontend 4 SaaS Model 5 Customized requirement (Istio, Envoy, Serverless, Agent Only) 6 PaaS Model WAF Strategic Placement
  • 20. Q&A