Implementing a WAF

Transcript

1. TRIALS & TRIBULATIONS OF WAF MARK HILLICK - @MARKOFU Thursday

   20 May 2010

2. AWK -F: '/ROOT/ {PRINT $5}' /ETC/PASSWD Mark Hillick Thursday 20

   May 2010

3. PHASES Introduction Starting Out Design Test Implementation Post-Implementation Thursday 20

   May 2010

4. INTRODUCTION - WHAT IS A WAF? Thursday 20 May 2010

5. INTRODUCTION - WAF TODAY? WAF Marketplace Maturing Compliance Boo Thursday

   20 May 2010

6. INTRODUCTION - WAF TODAY? WAF deployments were initially propelled by

   PCI ......... but are now increasingly driven by security best practices. Source: Forrester 2010 Thursday 20 May 2010

7. INTRODUCTION - NUMBERS $200 million 20% Thursday 20 May 2010

8. INTRODUCTION - VENDORS Software/Hardware Commercial/Open Source Thursday 20 May 2010

9. INTRODUCTION - EH???? WHAT???? XSS XSRF SQL Injection APT Zero

   Day Click Jacking Cookie/Session Hijacking Thursday 20 May 2010

10. INTRODUCTION - COMPETITORS IDS Reverse Proxy IPS Network FW Proxy

    Secure Code Thursday 20 May 2010

11. INTRODUCTION - PRE-SALES Know your subject Question, Ask, Query, Demand

    Plan, Test, Plan, Test Thursday 20 May 2010

12. STARTING OUT - GOAL Thursday 20 May 2010

13. STARTING OUT - RESEARCH Research -> knowledge & understanding Thursday

    20 May 2010

14. STARTING OUT - SATISTICS 6.5 times more expensive to fix

    a flaw in development than during design, 15 times more in testing, and 100 times more in development. Source http://2010survey.whitehatimperva.com/ Thursday 20 May 2010

15. STARTING OUT - INTERNAL SELL (1) Technical issues in business

    language (e.g. just-in- time patching) and a bit of Thursday 20 May 2010

16. STARTING OUT - INTERNAL SELL (2) Know your costs Advantages

    over cheaper alternatives! Thursday 20 May 2010

17. STARTING OUT - INTERNAL SELL (4) There is a disconnect

    between the acknowledgement of security issues and the willingness to fix them. Source: The HP Security Laboratory Blog Thursday 20 May 2010

18. STARTING OUT - INTERNAL SELL (4) Do not oversell WAF

    != unhackable Thursday 20 May 2010

19. STARTING OUT - PLAN (1) I love it when...... Copyright

    © NBC Thursday 20 May 2010

20. STARTING OUT - PLAN (2) WANTED!!!! Owner/Champion/Lover Thursday 20 May

    2010

21. STARTING OUT - PLAN (3) Thursday 20 May 2010

22. STARTING OUT - PLAN (4) UAT & SDLC Configuration -

    Delegation? Alerting Incident Response Plan Logging & Analysis Reporting Thursday 20 May 2010

23. TEST - TEST SOURCE: http://www.flickr.com/photos/ kodomut/ Thursday 20 May 2010

24. TEST - SDLC How does it change? When? Who? Thursday

    20 May 2010

25. TEST - OPERATIONAL Not what you want, is it? Thursday

    20 May 2010

26. TEST - FUNCTIONAL Functional Generic Specific SOURCE: http://www.flickr.com/photos/ 54724780@N00/ Thursday

    20 May 2010

27. TEST - STRESS STRESS == LEARNING SOURCE: http://www.flickr.com/photos/ 54724780@N00/ Thursday

    20 May 2010

28. TEST - THE FUN ‘BIT’ Does it work....... SOURCE: http://nmap.org/movies.html

    Copyright © Warner Bros. Thursday 20 May 2010

29. TEST - POLICY Administration Policy Who has access? Delegation? Change

    Management - different? Incident Response Plan? What is an Incident? Thursday 20 May 2010

30. IMPLEMENTATION - PLAN Plan B? Copyright © Fox Thursday 20

    May 2010

31. IMPLEMENTATION - ALMOST Almost there, don’t cut corners! COMPLETE TESTING

    FULLY!!!!! Thursday 20 May 2010

32. IMPLEMENTATION - SET-UP +.ve Security Model Transparent Informational Logging Generic

    versus Specific Analysis Reporting Thursday 20 May 2010

33. IMPLEMENTATION - READ Check your logs!!! Thursday 20 May 2010

34. IMPLEMENTATION - HACK External Testing Thursday 20 May 2010

35. IMPLEMENTATION Transparent -> Blocking Generic -> Specific Thursday 20 May

    2010

36. POST-IMPLEMENTATION - WAF Your infrastructure has changed!! Patching, Policy Changes,

    Application Upgrades Thursday 20 May 2010

37. POST-IMP - STILL, OH YES? SDLC Network Firewall & ACLs

    Code Analysis Penetration &Vulnerability Testing Incident Response Plan???? -> Incident? What? Thursday 20 May 2010

38. POST-IMP - TICK TOCK, NO MORE!! Thursday 20 May 2010

39. POST-IMP - USE IT! NO!!!!!! Thursday 20 May 2010

40. POST-IMPLEMENTATION - STILL? As someone-else once said!! Thursday 20 May

    2010

41. RESOURCES SANS Reading Room (Scareware via Web App exploit) SANS,

    Owasp, WebAppSec Web 2.0 -> Blogs, Twitter Vendor Sites Thursday 20 May 2010

42. CONCLUSION - WAF Extra layer of defence but also admin

    Can be an excellent and effective solution Is it what I need? Only a part of defence-in-depth!!!! Thursday 20 May 2010