Use Wasm to Deploy WAF Deeper in the Service Mesh for Zero Trust and Compliance

Transcript

1. © Okta and/or its affiliates. All rights reserved. Highly sensitive

   information; do not distribute. DATA CLASSIFICATION: OKTA RESTRICTED © Okta and/or its affiliates. All rights reserved. Highly sensitive information; do not distribute. DATA CLASSIFICATION: OKTA RESTRICTED Use Wasm to Deploy WAF Deeper in the Service Mesh for Zero Trust and Compliance José Carlos Chávez Security Software Engineer @ okta

2. © Okta and/or its affiliates. All rights reserved. Highly sensitive

   information; do not distribute. DATA CLASSIFICATION: OKTA RESTRICTED What is a Web Application Firewall (WAF)? • WAF is a proxy-based tool that inspect incoming/outgoing HTTP traffic. • Analyses traffic looking for malicious/unwanted content and blocking requests/responses accordingly. • Can be based on predefined rulesets describing well-known attacks. • Produces audit logs for every request that matched one of the rules for further analysis.

3. © Okta and/or its affiliates. All rights reserved. Highly sensitive

   information; do not distribute. DATA CLASSIFICATION: OKTA RESTRICTED Why using a WAF? • Request/response inspection to avoid zero-day attacks, client-side attacks, bot attacks, etc. • Security rules: SQL Injection, XSS Attacks, Local/Remote File Inclusion, Size Restrictions, etc. • Anomaly scoring: assigns score to malformed/suspicious traffic and blocks based on thresholds. • Virtual patching: security patches at HTTP traffic level to skip CVEs • Audit logs for security analysis.

4. © Okta and/or its affiliates. All rights reserved. Highly sensitive

   information; do not distribute. DATA CLASSIFICATION: OKTA RESTRICTED But… why using a WAF in service mesh? • Zero trust • Lift and shift • PCI DSS 4.0 compliance • Biggest hack of 2023 was SQL injection (MoveIt) • Robust Cybersecurity program

5. © Okta and/or its affiliates. All rights reserved. Highly sensitive

   information; do not distribute. DATA CLASSIFICATION: OKTA RESTRICTED Crossing paths Istio Service mesh running envoy based sidecars as policy enforcers and allowing WebAssembly plugins filtering content at ingress or workload Envoy Proxy/Gateway allowing filters written in one language and compiled into WebAssembly (proxy-wasm ABI) WebAssembly Portable binary-code format for high performance executable programs. Coraza WAF Fast Web Application Firewall compilable to WebAssembly and supporting Coreruleset 4.0.

6. © Okta and/or its affiliates. All rights reserved. Highly sensitive

   information; do not distribute. DATA CLASSIFICATION: OKTA RESTRICTED But how? SPOILER: In the sidecar At ingress: apiVersion: extensions.istio.io/v1alpha1 kind: WasmPlugin metadata: name: coraza-ingressgateway namespace: istio-ingress spec: phase: AUTHN # before auth priority: 10000 # the bigger the safer pluginConfig: default_directives: default directives_map: default: - Include @demo-conf - Include @crs-setup-conf - Include @owasp_crs/*.conf - SecRuleEngine On selector: matchLabels: app: istio-ingressgateway istio: ingressgateway url: oci://ghcr.io/corazawaf/coraza-proxy-wasm:0.5.0 Each namespace individually: apiVersion: extensions.istio.io/v1alpha1 kind: WasmPlugin metadata: name: coraza-crs namespace: my-namespace spec: phase: AUTHN # before auth pluginConfig: default_directives: default directives_map: default: - Include @demo-conf - Include @crs-setup-conf - Include @owasp_crs/*.conf - SecRuleEngine On selector: matchLabels: app: my-app url: oci://ghcr.io/corazawaf/coraza-proxy-wasm:0.5.0

7. © Okta and/or its affiliates. All rights reserved. Highly sensitive

   information; do not distribute. DATA CLASSIFICATION: OKTA RESTRICTED Thank you! © Okta and/or its affiliates. All rights reserved. Highly sensitive information; do not distribute. DATA CLASSIFICATION: OKTA RESTRICTED References: • https://github.com/corazawaf/coraza-proxy-wasm • https://github.com/tetratelabs/proxy-wasm-go-sdk • https://coreruleset.org/