Securing Modern Apps with Zero Trust and Next-Gen Web Application Firewall

In today's complex cybersecurity landscape, it is increasingly challenging to protect against ever more prevalent and sophisticated attacks. Securing modern applications requires implementing multiple layers of protection, not just at the network edge but throughout every component of the system. This talk will explore how Zero Trust principles are playing a critical role in the design of secure modern systems in the cloud era and how they are driving the evolution of Web Application Firewall (WAF) technology. We'll also introduce Coraza, a cutting-edge WAF library that leverages OWASP CoreRuleSet, and demonstrate how it, combined with a Zero Trust Architecture, is safeguarding web applications from a wide range of cyber attacks.

José Carlos Chávez

September 20, 2023

Transcript

  1. Securing Modern Apps with
    Zero Trust and Next-Gen Web
    Application Firewall

  2. SOFTWARE ENGINEER @ TETRATE
    José Carlos Chávez
    ● Open source enthusiast
    ● OWASP Coraza WAF Co-leader
    ● Zipkin core member
    ● Loving father
    @jcchavezs

  3. WEB APPLICATION FIREWALL
    WAF, for friends and family

  4. WEB APPLICATION FIREWALL
    Traditionally a WAF:
    ● Helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet.
    ● Protects web applications from malicious traffic such as cross-site request forgery (CSRF), cross-site scripting (XSS), file inclusion and SQL injection, among others.
    ● Is a layer 7 (application layer, in the OSI model) defense acting as a reverse proxy: clients pass through the WAF before reaching the server.

  5. WEB APPLICATION FIREWALL
    (Diagram: requests from a DEVICE and from an ATTACKER pass through the WAF before reaching the SERVER that runs the APP.)

  6. WEB APPLICATION FIREWALL FEATURES
    IP FENCING
    Denies specific IP addresses through a denylist.
    GEO-FENCING AND GEO-BLOCKING
    Creates a virtual perimeter around a specific geographical area using GeoIP databases.
    REQUEST/RESPONSE INSPECTION
    Examines request/response elements, matching them against known malicious values to distinguish legitimate from malicious requests. Helps mitigate zero-day attacks, client-side attacks, bot attacks, malicious file uploads, etc.
    SECURITY RULES
    - SQL Injection
    - XSS Attacks
    - Local and Remote File Inclusion
    - Size Restrictions
    - Command Injection
    - Unknown Bad Inputs

  7. WEB APPLICATION FIREWALL FEATURES
    ANOMALY SCORING
    If a rule matches, instead of blocking immediately the WAF adds a score for each deviation:
    - A simple deviation, like a misspelled URL, might only receive a low score.
    - A more serious one, e.g. an attempt to inject SQL code, receives a higher score.
    The request is blocked only when the accumulated score reaches a configured threshold.
    DDoS RATE LIMITING
    Restricts the number of requests a particular IP address can send to a server within a given timeframe. The limit is typically set to a threshold considered safe for normal traffic; requests that exceed it are blocked.
    BOT MITIGATION
    Analyzes cookies sent by the browser and checks them against databases of known bot cookies. Some examples:
    - CAPTCHA challenges
    - Bot Pretender
    - Web Scraping Protection
    - Bot Intelligence
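A worked illustration of the anomaly-scoring model described above, added here as an example; it is not code from the talk and not Coraza's implementation. It generalises the two-bullet contrast into a tiny scoring engine that uses the severity weights and default inbound threshold of the OWASP Core Rule Set (CRITICAL 5, ERROR 4, WARNING 3, NOTICE 2, threshold 5). The rule IDs and messages borrow CRS numbering so the families are recognisable, but the regular expressions are deliberately simplistic toys, the `Rule`/`Request` types are hypothetical, and the sample requests are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Severity weights and the default inbound threshold used by the OWASP Core
// Rule Set in anomaly-scoring mode: one CRITICAL match blocks, WARNING + NOTICE
// (3+2) also blocks, but a lone WARNING is only logged.
const Critical, Error, Warning, Notice, InboundThreshold = 5, 4, 3, 2, 5

// Rule is a hypothetical, simplified model of a SecRule (not Coraza's type).
type Rule struct {
	ID       int
	Msg      string
	Target   string // ARGS, REQUEST_URI or REQUEST_HEADERS:<Name>
	Pattern  *regexp.Regexp
	Severity int
}

// rules is a constructed toy ruleset. IDs and messages mirror CRS rule
// families for recognisability; the patterns are far weaker than the real ones.
var rules = []Rule{
	{942100, "SQL Injection Attack Detected", "ARGS",
		regexp.MustCompile(`(?i)(\bunion\b.+\bselect\b|'\s*or\s+1\s*=\s*1)`), Critical},
	{930100, "Path Traversal Attack (/../)", "REQUEST_URI",
		regexp.MustCompile(`\.\./|\.\.\\`), Critical},
	{920350, "Host header is a numeric IP address", "REQUEST_HEADERS:Host",
		regexp.MustCompile(`^\d{1,3}(\.\d{1,3}){3}(:\d+)?$`), Warning},
	{920320, "Missing User Agent Header", "REQUEST_HEADERS:User-Agent",
		regexp.MustCompile(`^$`), Notice},
}

// Request is the minimal view of an HTTP request the toy engine inspects.
type Request struct {
	URI     string            // request target, e.g. "/search?q=shoes"
	Headers map[string]string // canonical header name -> value
}

type Match struct { // one rule that fired and the value that triggered it
	RuleID, Severity int
	Msg, Value       string
}

type Result struct { // per-request anomaly score and verdict
	Score   int
	Matches []Match
	Blocked bool
}

// targets resolves a rule target to the concrete request values it covers.
func targets(r Request, target string) []string {
	if strings.HasPrefix(target, "REQUEST_HEADERS:") {
		return []string{r.Headers[strings.TrimPrefix(target, "REQUEST_HEADERS:")]}
	}
	if target == "REQUEST_URI" {
		return []string{r.URI}
	}
	u, err := url.Parse(r.URI) // ARGS: every decoded query-string value
	if err != nil {
		return []string{r.URI}
	}
	var vals []string
	for _, vs := range u.Query() {
		vals = append(vals, vs...)
	}
	return vals
}

// Evaluate runs every rule, counts each at most once per request, sums the
// severities and blocks once the threshold is reached.
func Evaluate(r Request) Result {
	var res Result
	for _, rule := range rules {
		for _, v := range targets(r, rule.Target) {
			if rule.Pattern.MatchString(v) {
				res.Score += rule.Severity
				res.Matches = append(res.Matches, Match{rule.ID, rule.Severity, rule.Msg, v})
				break
			}
		}
	}
	res.Blocked = res.Score >= InboundThreshold
	return res
}

func main() {
	browser := map[string]string{"Host": "shop.example.com", "User-Agent": "Mozilla/5.0"}
	for _, s := range []Request{ // constructed sample requests
		{"/search?q=running+shoes", browser},                                           // benign: 0
		{"/search?q=%27+or+1%3D1", browser},                                            // SQLi: 5, blocked
		{"/health", map[string]string{"Host": "10.0.0.5", "User-Agent": "curl/8.4.0"}}, // 3, logged only
		{"/health", map[string]string{"Host": "10.0.0.5"}},                             // 3+2 = 5, blocked
	} {
		res := Evaluate(s)
		fmt.Printf("%-26s score=%d blocked=%v\n", s.URI, res.Score, res.Blocked)
	}
}
```

The point the samples make is the one the slide makes: a numeric `Host` header alone (WARNING, 3) is logged but passes, while the same request without a `User-Agent` (NOTICE, 2) accumulates to 5 and is blocked, exactly like a single SQL injection attempt. In a real deployment the threshold and paranoia level are tuned per application, and the audit log of sub-threshold matches is what feeds that tuning.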

  8. There was a time when security was
    easy. “I need more security – I will just
    buy another firewall”
    OH

  9. PERIMETER SECURITY CHALLENGES
    ● There is no single, easily identifiable perimeter for the enterprise: cloud, on-prem, multi-cloud, third-party services, FaaS, artifact registries, etc.
    ● In the times of microservices the majority of the traffic is East-West, whereas perimeter security focuses on North-South.
    ● Gateways have to carry knowledge about the upstream components, which ends up adding more security policies to the perimeter firewall, leading to operational complexity, misconfigurations, change management overhead, the need for timely policy updates, etc.
    ● The guiding principle of perimeter security is "Trust but Verify".

  10. ZERO TRUST
    Enabling the right user under the right conditions to gain the right access to the right data.

  11. "Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources."
    NIST 800-207, Zero Trust Architecture

  12. ZERO TRUST DRIVER ASSUMPTIONS
    ● Trust can no longer be based on a network perimeter, as perimeters can always be breached.
    ● Policies have to be defined based on the assumption that the attacker is already inside the network.
    ● All access decisions have to rely on least-privilege, per-request and context-based principles and on identities associated with users, services and devices.
    ● Security and access state constantly change over time.

  13. ZERO TRUST TENETS
    1. All data sources and computing services are considered resources: networks today consist of a dynamic array of devices, from traditional items such as servers and endpoints to more dynamic cloud computing services such as FaaS, which may execute with specific permissions to other resources in your environment.
    2. Communications are secured regardless of location: the access policy should be default-deny, and explicit access must be granted to specific resources.
    3. Access to individual resources is granted on a per-session basis: trust should not extend beyond a single session, and each session should involve the same rigor to resolve access and permissions.

  14. ZERO TRUST TENETS
    4. Access to resources is determined by dynamic policy and other behavioral and environmental attributes: several attributes come into play when evaluating access, and policies should be open to such decision input. The more context, the better, e.g. network, cluster, security group, tenant, etc.
    5. Monitor and measure the integrity and security posture of owned and associated assets: no device or asset is inherently trusted, and every resource request should trigger a security posture evaluation. This includes continuously monitoring the state of system assets that have access to the environment.

  15. ZERO TRUST TENETS
    6. Dynamic resource authentication and authorization are strictly enforced before access is allowed: granting access and trust occurs in a dynamic and ongoing fashion. It is an iterative process, with a myriad of factors coming into play in each policy enforcement decision on every request.
    7. Collect information on the current state of assets, network infrastructure and communications to improve security posture: operators must run continuous monitoring capabilities to ensure they are aware of what is occurring in the system over time, and act when they identify patterns.
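The tenets above (default deny, per-request decisions, context such as identity and asset posture, and an audit record for every decision) written out as a small policy enforcement point in Go. This is an added example, not code from the talk, from Tetrate or from Coraza. It assumes a service-mesh sidecar (Envoy/Istio) has already terminated mTLS and recorded the caller's SPIFFE ID in the `X-Forwarded-Client-Cert` header; the `X-Device-Posture` header is a hypothetical stand-in for a posture service, and the policies, SPIFFE IDs and sample header are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"log"
	"net/http"
	"strings"
)

// AccessRequest is the context the policy enforcement point (PEP) assembles for
// every request and hands to the policy decision point (PDP); nothing is cached
// between requests, so no network location or earlier decision grants standing trust.
type AccessRequest struct {
	Subject  string // workload identity (SPIFFE ID) from the mTLS peer certificate
	Resource string // path being accessed
	Action   string // HTTP method
	Posture  string // posture assertion for the calling asset, e.g. "healthy"
}

// Policy is one explicit allow rule. There are no deny rules: whatever no
// policy allows is denied (default deny).
type Policy struct {
	Name           string
	Subject        string // exact SPIFFE ID
	ResourcePrefix string // path prefix, matched on a segment boundary
	Action         string // HTTP method
	RequirePosture string // "" means no posture requirement
}

type Decision struct { // PDP answer plus the reason that goes to the audit log
	Allow  bool
	Reason string
	Policy string
}

// Decide evaluates one request against the policies with default deny:
// identity, action, resource and posture must all be satisfied by one policy.
func Decide(req AccessRequest, policies []Policy) Decision {
	if req.Subject == "" {
		return Decision{false, "no authenticated workload identity", ""}
	}
	for _, p := range policies {
		if p.Subject != req.Subject || p.Action != req.Action {
			continue
		}
		// "/orders" covers "/orders" and "/orders/42" but not "/orders-admin".
		if req.Resource != p.ResourcePrefix && !strings.HasPrefix(req.Resource, p.ResourcePrefix+"/") {
			continue
		}
		if p.RequirePosture != "" && req.Posture != p.RequirePosture {
			continue // a valid identity on a non-compliant asset is still denied
		}
		return Decision{true, "explicitly allowed", p.Name}
	}
	return Decision{false, "no matching policy (default deny)", ""}
}

// SPIFFEIDFromXFCC returns the URI SAN from the first element of an Envoy
// X-Forwarded-Client-Cert header such as
// By=spiffe://c/ns/shop/sa/orders;Hash=ab12;Subject="";URI=spiffe://c/ns/shop/sa/frontend
// (simplification: quoted values containing ',' or ';' are not handled).
func SPIFFEIDFromXFCC(h string) string {
	for _, kv := range strings.Split(strings.Split(h, ",")[0], ";") {
		if strings.HasPrefix(kv, "URI=") {
			return strings.TrimPrefix(kv, "URI=")
		}
	}
	return ""
}

// Enforce is the PEP middleware: build the context, ask the PDP, write one
// audit record per decision and deny unless explicitly allowed. The XFCC header
// is trusted only because the sidecar that terminated mTLS is assumed to set it
// and to strip any copy sent by the client itself.
func Enforce(policies []Policy, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		req := AccessRequest{
			Subject:  SPIFFEIDFromXFCC(r.Header.Get("X-Forwarded-Client-Cert")),
			Resource: r.URL.Path,
			Action:   r.Method,
			Posture:  r.Header.Get("X-Device-Posture"), // hypothetical header set by a posture service
		}
		d := Decide(req, policies)
		audit, _ := json.Marshal(map[string]interface{}{"request": req, "decision": d})
		log.Println(string(audit)) // audit trail; ship it to the SIEM in practice
		if !d.Allow {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// policies is a constructed example: the frontend may read orders from a
// healthy asset, the batch job may create orders, everything else is denied.
var policies = []Policy{
	{"frontend-reads-orders", "spiffe://cluster.local/ns/shop/sa/frontend", "/orders", "GET", "healthy"},
	{"batch-creates-orders", "spiffe://cluster.local/ns/shop/sa/batch", "/orders", "POST", ""},
}

func main() {
	orders := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprintln(w, "orders ok") })
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", Enforce(policies, orders)))
}
```

Two details carry the zero-trust weight here. First, the decision is recomputed on every request from attributes of the caller and the asset, never from where the packet came from, so the same frontend identity is denied the moment its posture assertion changes. Second, the identity header is only meaningful inside a mesh that injects it after verifying the client certificate and drops any copy arriving from outside; without that guarantee a client could simply forge it, and the check above would be theatre.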

  16. Security is a combination of multiple protection mechanisms on multiple levels.
    Logical Components of Zero Trust Architecture
    Source: NIST 800-207, Zero Trust Architecture

  17. WEB APPLICATION FIREWALL: AN OPPORTUNITY
    7. COLLECT INFO ON CURRENT STATE OF COMMUNICATIONS
    - Continuously monitor the audit logs generated from traffic and use them to improve the security posture.
    5. INTEGRITY AND SECURITY POSTURE
    - Every resource request should trigger a security posture evaluation.
    - When an attack is identified, apply patches and vulnerability remediations.

  18. "Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources."
    NIST 800-207, Zero Trust Architecture

  19. ZERO TRUST WEB APPLICATION FIREWALL
    ● Protects workloads by filtering and monitoring incoming traffic between workloads at the policy enforcement point (PEP).
    ● Protects workloads from attacks such as cross-site request forgery (CSRF), cross-site scripting (XSS), file inclusion and SQL injection, among others.
    ● Allows network-wide patching of zero-day vulnerabilities (e.g. Log4Shell) by updating rules at the PEP rather than every workload.
    ● Allows legacy applications to be on-boarded in a lift-and-shift fashion.
    ● Provides audit logs for further analysis and improves the security posture through adaptive rulesets.

  21. OWASP CORAZA WAF
    coraza.io | https://github.com/corazawaf/coraza

  22. CORAZA WEB APPLICATION FIREWALL
    ● ModSecurity compatible: ModSecurity EOL is March 2024.
    ● Focused on Core Rule Set (CRS) v4: the newest and shiniest ruleset from OWASP.
    ● Multiplatform connectors:
    ○ Native Go, Caddy
    ○ Envoy, Istio, Kong, using the proxy-wasm spec
    ● Pluggable architecture: experimental plugins API for extending functionality.
    ● High throughput: performance driven, aimed to run in the critical path (e.g. at the PEP).

  23. CONCLUSIONS
    ● Zero trust isn't incompatible with network-based security approaches.
    ● No single component or function will be sufficient to achieve a good level of security alone, but collectively they need to enforce security patterns across different layers in the system.

  24. For any further queries, feel free to contact me at [email protected]
    Thank you everyone.
    jcchavezs jcchavezs www.tetrate.io

  25. References
    NIST SP 800-207: Zero Trust Architecture
    NIST SP 800-207A: A Zero Trust Architecture (ZTA) Model for Access Control in Cloud Native Applications in Multi-Location Environments
    PCI Web Application Security Requirements: https://pcidssguide.com/pci-web-application-security-requirements/
    What You Need to Know About Cloud Lift & Shift Migrations: https://f.hubspotusercontent10.net/hubfs/423210/cloud-lift-and-shift-migrations-whitepaper.pdf

  26. Securing Modern Apps with
    Zero Trust and Next-Gen Web
    Application Firewall

  27. SURVIVORSHIP BIAS
    Source: Wikipedia
