Web Application Firewalls (WAFs)
Neil Matatall | November 5, 2009
University of California, Irvine
OWASP Orange County Chapter Lead
Educause Effective Practices WG Member
…WAFs as well as commercial WAFs
• I am here to sell you on the idea of WAFs, but not to sell you a WAF
• I will try to confuse you
• Every situation is different
• Key phrase: it depends!
…~14,228 employees
• Rapidly expanding while our budget is rapidly shrinking
• Recently started consolidating IT across the campus
• The Security team was one of the first groups to work together across former business units
…that makes everything secure exists
• When one layer fails, and it will, there should be a compensating strategy
[Diagram of layered controls; labels partly cut off in extraction. Legible layers: User Identity Management, Authentication, Authorization, Network/Web, Account Admin, Firewalls, Encryption, Application, Logging, Policies, Standards, Procedures, Approved Tools, Exceptions, regular review]
This is commonly known as the “Defense in Depth” strategy
A WAF is an appliance, web server plugin, or filter that applies a set of rules to an HTTP conversation
• Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection
• A WAF inspects the HTTP content at the application layer, beyond what a network firewall would typically inspect at the IP and transport layers
• A way to analyze requests and responses for suspicious activity
• A way to increase visibility of web traffic¹
• A debug tool²
• An incredibly powerful, complex, and difficult beast
1. We’ve Been Blind to Attacks on Our Web Sites
2. Ryan Barnett: Why Did Our Web Application Crash? Leveraging WAF Logging Data
• Network firewalls generally inspect IP addresses and ports (layers 3 and 4); WAFs inspect HTTP requests and responses at layer 7
A WAF is NOT:
• A magical device that works on its own
• An end-all solution to all application security problems
• An excuse to write insecure code
…have vulnerabilities¹
• 75% of all Internet attacks target applications²
• PCI-DSS
  • 6.6: Installing a web-application layer firewall in front of public-facing web applications (a WAF is one of the two options 6.6 accepts; the other is application vulnerability review)
  • 10: Track and monitor all access to credit card data
• Software vendors may not be willing (or even still in business) to fix vulnerabilities
1. WhiteHat Security statistic, initial examination; 2. Gartner Research
…have a very diverse pool of code
• Tight resources make fixing the code a painful process
• Many small, single-purpose applications make alternative technologies difficult to use
• Built-in user community
  • Campus groups
  • Educause Effective Practices Group
  • Mailing lists
ModSecurity
• Signature based: checks for known attacks, similar to anti-virus
• Open source!
• OWASP Core Rule Set: the best starting point
• Accepted as the best open source WAF
• Runs as an Apache module, so it sees SSL traffic after Apache has decrypted it
…to manage…
• Only one person was trained to update the rules
• Multiple instances meant multiple updates and upgrades
• No protection for IIS; difficult on Windows
• WebKnight did not meet our needs
• The vendor products had many features ModSecurity did not have, mainly the positive security model
…protection
• Like AV signatures, these rules can be bypassed with the smallest tweak
• E.g. a UNION SQL injection attack¹
  • BLOCKED: /?id=1+union+select+1,2,3 /*
  • NOT BLOCKED: /?id=1/*union*/union /*select*/ select+1,2,3 --
  • The filter mangles only the first occurrence of each keyword, and in this request the first occurrence of each sits inside a comment, so after processing the request becomes: index.php?id=1/*uni X on*/union /*sel X ect*/ select+1,2,3 --
  • Query: "select * from somewhere where id=" + id
  • The database discards the /* */ comments and executes: select * from somewhere where id=1 union select 1,2,3 --
1. Methods to Bypass a Web Application Firewall
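The bypass above, as an added example that is not part of the original deck or of the paper it cites: a reconstruction of the weak filter (it neuters only the first occurrence of each keyword, which is an assumption drawn from the before/after strings on the slide), a naive signature applied to the raw parameter, and the hardened variant that first normalises the value the way MySQL’s parser will (comments dropped, whitespace collapsed) and only then applies the same signature. The parameter values are the slide’s own; the helper names are mine.

```python
import re
from urllib.parse import unquote_plus

KEYWORDS = ("union", "select")


def neuter_first_occurrence(value: str) -> str:
    """Model of the weak filter implied by the slide: it breaks only the FIRST
    occurrence of each keyword (union -> "uni X on", select -> "sel X ect").
    Reconstructed for this example; the real filter's code is not on the slide."""
    for kw in KEYWORDS:
        value = re.sub(kw, kw[:3] + " X " + kw[3:], value, count=1, flags=re.IGNORECASE)
    return value


COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)


def as_seen_by_mysql(value: str) -> str:
    """Normalise the way the database will read the text: /* */ comments are
    dropped, whitespace collapsed, case folded. MySQL executes the body of
    /*! ... */ 'conditional' comments, so those bodies are kept, not dropped."""
    value = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", value, flags=re.DOTALL)
    value = COMMENT.sub(" ", value)
    return re.sub(r"\s+", " ", value).strip().lower()


UNION_SELECT = re.compile(r"\bunion\s+select\b", re.IGNORECASE)


def naive_blocks(raw_id: str) -> bool:
    """Signature applied to the decoded parameter exactly as received."""
    return bool(UNION_SELECT.search(unquote_plus(raw_id)))


def hardened_blocks(raw_id: str) -> bool:
    """Same signature, applied to the normalised form the SQL parser will see."""
    return bool(UNION_SELECT.search(as_seen_by_mysql(unquote_plus(raw_id))))


def resulting_query(raw_id: str) -> str:
    """The slide's query with the neutered value concatenated in, as MySQL reads it."""
    neutered = neuter_first_occurrence(unquote_plus(raw_id))
    return as_seen_by_mysql("select * from somewhere where id=" + neutered)


if __name__ == "__main__":
    plain = "1+union+select+1,2,3"
    evasive = "1/*union*/union+/*select*/+select+1,2,3+--"
    for p in (plain, evasive):
        print(p, "| naive blocks:", naive_blocks(p), "| hardened blocks:", hardened_blocks(p))
    print("executed:", resulting_query(evasive))
```

The lesson is the one the slide makes: a signature matched against bytes the parser will never see is only as good as the attacker’s imagination, so normalise first, match second, and treat even that as a stopgap rather than a fix for the concatenated query.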
…product
• As we gradually moved hosts behind the vendor WAF, we left ModSecurity up while the vendor WAF was in learning mode
• We removed ModSecurity once we were certain that the vendor device was functioning better than ModSecurity
• Surprisingly, nobody noticed a performance hit when running the network device in tandem with ModSecurity
• Learning mode: tries to profile applications and learn “normal” behavior
• Also employs a negative security model
• User tracking: records logins and associates traffic with user names (DB and Web)
• Reporting
• Decrypts SSL traffic
…amount
• Next, spend a good amount of time simply learning the applications and tuning the WAF; the main goal is to learn all parameter names
• Slowly tighten restrictions
  • Start applying anything you removed in the first phase
  • Enable harsher responses, such as IP or user blocking
• The ultimate goal is a WAF with no exceptions
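The learn-then-tighten procedure above, as an added example that is not the vendor’s code or the deck’s: a miniature positive-security profile that records, per path and parameter name, the loosest character class and longest value seen in learning mode, then enforces those bounds. The `min_hits` knob on `check` is the “slowly tighten” step: parameters seen fewer times than that are still treated as unknown. The training requests, the class list and all names are constructed for the example; the last training line is a deliberate poisoning attempt of the kind the later slides describe, and the guard in `learn` queues it for review instead of whitelisting it.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Value classes from strictest to loosest. Learning only ever widens a
# parameter's class; enforcement rejects anything looser than what was learned.
CLASSES = [
    ("digits",    re.compile(r"[0-9]+")),
    ("alpha",     re.compile(r"[A-Za-z]+")),
    ("alnum",     re.compile(r"[A-Za-z0-9_-]+")),
    ("safe_text", re.compile(r"[A-Za-z0-9_.,@ -]+")),
]
ANY = len(CLASSES)  # nothing above matched: quotes, brackets, control chars, ...


def class_index(value: str) -> int:
    if value == "":
        return 0
    for i, (_, rx) in enumerate(CLASSES):
        if rx.fullmatch(value):
            return i
    return ANY


class Profile:
    """Constructed positive-security profile: (path, parameter) -> learned
    class, maximum length and hit count, plus the set of paths ever seen."""

    def __init__(self):
        self.params = {}
        self.paths = set()
        self.review = []   # values seen in learning mode that were NOT whitelisted

    @staticmethod
    def _split(target):
        u = urlsplit(target)
        return u.path, parse_qsl(u.query, keep_blank_values=True)

    def learn(self, target):
        path, pairs = self._split(target)
        self.paths.add(path)
        for name, value in pairs:
            cls = class_index(value)
            if cls == ANY:
                # Profile-poisoning guard: a value outside every safe class is
                # queued for an operator instead of silently widening the profile.
                self.review.append((path, name, value))
                continue
            p = self.params.setdefault((path, name), {"cls": 0, "max_len": 0, "hits": 0})
            p["cls"] = max(p["cls"], cls)
            p["max_len"] = max(p["max_len"], len(value))
            p["hits"] += 1

    def check(self, target, min_hits=1):
        """Violations for one request; min_hits is the 'tighten slowly' knob."""
        path, pairs = self._split(target)
        if path not in self.paths:
            return [("UNKNOWN_PATH", path)]
        out = []
        for name, value in pairs:
            p = self.params.get((path, name))
            if p is None or p["hits"] < min_hits:
                out.append(("UNKNOWN_PARAM", name))
                continue
            if len(value) > p["max_len"]:
                out.append(("LENGTH", name))
            if class_index(value) > p["cls"]:
                out.append(("TYPE", name))
        return out


TRAINING = [  # constructed sample of "normal" traffic observed in learning mode
    "/search.jsp?q=firewall&page=1",
    "/search.jsp?q=web app security&page=12",
    "/profile.jsp?uid=1042",
    "/profile.jsp?uid=7&name=Neil Matatall",
    "/profile.jsp?uid=3&name=Neil'\"",      # poisoning attempt during learning
]


def build_profile() -> Profile:
    prof = Profile()
    for request in TRAINING:
        prof.learn(request)
    return prof


if __name__ == "__main__":
    prof = build_profile()
    print("queued for review:", prof.review)
    for req in ("/search.jsp?q=' or 1=1--&page=1", "/search.jsp?q=x&debug=1",
                "/profile.jsp?uid=12345", "/admin.jsp"):
        print(req, "->", prof.check(req))
    print("tightened:", prof.check("/profile.jsp?uid=7&name=Bob", min_hits=2))
```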
• How many applications do you have?
• What types of servers do your applications run on?
• How much time do you have to devote to this?
• Do you have someone knowledgeable in application security?
• How much money do you have?
• Review the Web Application Firewall Evaluation Criteria from WASC (webappsec.org)
• Audit all access to tables, logins, etc.
• Forensic capabilities: records each query
• Enforce SOX, PCI, HIPAA, etc.
• Restrict access based on time, location, etc.
• Reports: access to sensitive tables, assessment results, new accounts created
…common vulnerabilities in applications
• Generally sends a request meant to cause the application to behave incorrectly
• For XSS it usually sends <script> tags and checks whether < comes back as &lt; (escaped) or unchanged (reflected)
• For SQL injection it sends characters such as ' ; " - = to see if a database exception is thrown
• Some can scan web services
• Some can perform penetration testing
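The two checks just described, as an added example that is not code from any scanner the deck names: one function classifies how an XSS probe came back (raw, HTML-escaped, or not at all), and another applies the classic quote/double-quote differential for SQL injection, where a lone `'` breaking the statement while `''` (a valid empty literal) does not is the tell. The response bodies are constructed; the database error strings are the ones MySQL, SQL Server, Oracle, PostgreSQL and PHP’s PDO actually emit, but the list is illustrative, not complete.

```python
import html
import re

XSS_PROBE = "<script>alert(1)</script>"


def xss_reflection(body: str, probe: str = XSS_PROBE) -> str:
    """'raw' if the probe came back with '<' intact (the page is exploitable),
    'escaped' if '<' became '&lt;' and so on, 'absent' if it was not reflected."""
    if probe in body:
        return "raw"
    if html.escape(probe) in body:
        return "escaped"
    return "absent"


# Error strings that betray a database exception reaching the response body.
DB_ERRORS = [re.compile(p, re.IGNORECASE) for p in (
    r"You have an error in your SQL syntax",                # MySQL
    r"Unclosed quotation mark after the character string",  # Microsoft SQL Server
    r"\bORA-\d{5}\b",                                       # Oracle
    r"unterminated quoted string",                          # PostgreSQL
    r"SQLSTATE\[",                                          # PHP PDO
)]


def db_error_leaked(body: str) -> bool:
    return any(rx.search(body) for rx in DB_ERRORS)


def sqli_verdict(body_for_quote: str, body_for_two_quotes: str) -> str:
    """Differential test: the first body is the response to value + "'", the
    second to value + "''". Error on the first only means the input reaches
    SQL unescaped; error on both usually means unrelated breakage."""
    one, two = db_error_leaked(body_for_quote), db_error_leaked(body_for_two_quotes)
    if one and not two:
        return "likely injectable"
    if one:
        return "errors on any input, inspect manually"
    return "no database error leaked"


RESPONSES = {  # constructed sample bodies, as a scanner would capture them
    "search_raw": "<p>Results for <script>alert(1)</script></p>",
    "search_escaped": "<p>Results for &lt;script&gt;alert(1)&lt;/script&gt;</p>",
    "item_quote": "<h1>Error</h1>You have an error in your SQL syntax; check the manual",
    "item_two_quotes": "<h1>Item</h1>No such item",
}

if __name__ == "__main__":
    print("raw page:", xss_reflection(RESPONSES["search_raw"]))
    print("escaped page:", xss_reflection(RESPONSES["search_escaped"]))
    print("item:", sqli_verdict(RESPONSES["item_quote"], RESPONSES["item_two_quotes"]))
```

An escaped reflection is only safe in an HTML text context; the same `&lt;` inside a JavaScript string or an unquoted attribute is a different question, which is why these scanners follow up with context-specific probes.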
…tools to manually assess the posture of the application
• Automated: give a tool a starting point and let it discover
  • Crawling, analyzing, and testing phases
• SaaS: continually test the application for vulnerabilities
…year
• We integrate AppScan into our development lifecycle
  • All new applications undergo a full scan
  • All “major changes” undergo a full re-scan
  • All minor changes require a small, focused scan
…the entire application; this can involve multiple sets of credentials
• Production or test machines? We scan test machines; the test environment must mirror the production environment
• Inside or outside the network? Always done from inside the network
…patched” by importing scan results
• Splunk: send events over syslog to a central log server to correlate events across all layers and hosts; correlating audit data to system events is in progress
• Intrusion Prevention System: create signatures for blatant attacks and block them at a lower level
…URLs learned by your WAF have been tested by your scanner, or use the scanner to explore your site
• Scan when? You can use the statistics generated by your WAF to detect changes to applications (lifecycle FAIL)
• Ryan Barnett: Scanner and WAF Data Sharing
…amount of “Parameter Type” and “Parameter Value Length” violations where “normal” input had “suspicious” data
• An inattentive operator may have added these to the profile, thus weakening the WAF for an upcoming attack
• “Sounds like another method of social engineering to me. Victimizing the managers who demand uptime and ease of use over security”
…attacker adds suspicious characters to seemingly harmless data
• GET /somefile.html?name=Neil Matatall’”
2) Tricking the profiler, while the app is still in learning mode, into learning potentially malicious behavior
• Do recon by adding blatant attacks (cmd.exe, xp_cmdshell, <script>)
…“Pollution” differently (HTTP Parameter Pollution: the same parameter name sent more than once in a request)
• The WAF must know the underlying architecture to handle this accordingly
• E.g. /index.jsp?par1=val1&par1=val2
• Source: Methods to Bypass a Web Application Firewall
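Why the WAF has to know the backend, as an added example that is not from the deck or the cited paper: three models of how platforms resolve a repeated parameter (Java Servlet `getParameter` keeps the first, PHP `$_GET` keeps the last, ASP.NET `Request.QueryString` joins all copies with a comma), a comment-stripping signature check, and the same query inspected two ways. The constructed attack splits `union select` across two copies of `id` so that no single copy matches, and only the backend-aware inspection of the concatenated ASP.NET value catches it. Function names and the attack string are mine.

```python
import re
from urllib.parse import parse_qsl


def servlet_first(pairs):
    """Java Servlet getParameter(): first occurrence wins."""
    out = {}
    for k, v in pairs:
        out.setdefault(k, v)
    return out


def php_last(pairs):
    """PHP $_GET: last occurrence wins."""
    return dict(pairs)


def aspnet_concat(pairs):
    """ASP.NET Request.QueryString: all occurrences joined with a comma."""
    out = {}
    for k, v in pairs:
        out[k] = v if k not in out else out[k] + "," + v
    return out


BACKENDS = {"servlet": servlet_first, "php": php_last, "aspnet": aspnet_concat}

COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
UNION_SELECT = re.compile(r"\bunion\s+select\b", re.IGNORECASE)


def suspicious(value: str) -> bool:
    """Comment-stripping signature check on a single value."""
    return bool(UNION_SELECT.search(re.sub(r"\s+", " ", COMMENT.sub(" ", value))))


def waf_per_value(query: str) -> bool:
    """What a WAF does when it does not know the backend: inspect each
    occurrence of a parameter on its own."""
    return any(suspicious(v) for _, v in parse_qsl(query, keep_blank_values=True))


def waf_backend_aware(query: str, backend: str) -> bool:
    """Rebuild the value the way the named backend will, then inspect that."""
    merged = BACKENDS[backend](parse_qsl(query, keep_blank_values=True))
    return any(suspicious(v) for v in merged.values())


# Constructed attack: the payload is split across two copies of "id" so that
# neither copy alone contains "union select"; the halves only meet when the
# backend concatenates them, and the joining comma lands inside a comment.
SPLIT_ATTACK = "id=1/**/union/*&id=*/select+1,2,3"
PLAIN_ATTACK = "id=1+union+select+1,2,3"

if __name__ == "__main__":
    print("slide example:", {b: f(parse_qsl("par1=val1&par1=val2")) for b, f in BACKENDS.items()})
    print("plain, per-value:", waf_per_value(PLAIN_ATTACK))
    print("split, per-value:", waf_per_value(SPLIT_ATTACK))
    for backend in BACKENDS:
        print("split, backend-aware", backend + ":", waf_backend_aware(SPLIT_ATTACK, backend))
```

The same mismatch exists for duplicated headers and for form bodies, and a reverse-proxy WAF in front of mixed platforms has to be told which model applies to which host, which is exactly the architectural knowledge the slide says it needs.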
…few cases where we had to bend to the WAF’s demands
• Non-standard query strings lessened the WAF’s coverage
• Re-architected VLANs
• SVN had to be moved to another port
• Parameter names had to be adjusted
…outgoing SSNs and CCs
• Assessments: Scuba failed, SecureSphere wins
• Collaboration with the campus networking group resulted in signatures being added to the IDS
• Caught campus-wide no-nos
  • Developers were using GET when POST was required
  • Servers were leaking code, and developers didn’t know
• Helped debug application issues (scope creep!)
…bounds
• What if you could do full input validation in the WAF?
  • Complex data types? Email addresses? Filenames? Phone numbers? Currency?
• Access management?
  • In a large number of cases, all authorization decisions can be made based on parameters/cookies/session information
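What “full input validation in the WAF” looks like for the types the slide lists, as an added example that is not from the deck or any vendor product: typed validators for email addresses, phone numbers, bare file names and currency amounts, tied to a per-path policy that rejects any parameter the policy does not name. One practitioner caveat is built in: the rules use `fullmatch` rather than `^...$`, because in Python (and PCRE) `$` also matches just before a trailing newline, so a `$`-anchored rule quietly accepts `neil@uci.edu\n`; `dollar_anchored_email` is kept only to demonstrate that. The policy, parameter names and limits are constructed for the example.

```python
import re
from decimal import Decimal

EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")
FILENAME = re.compile(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)?")   # no separators, no leading dot
CURRENCY = re.compile(r"-?[0-9]{1,12}\.[0-9]{2}")
MAX_AMOUNT = Decimal("999999.99")                            # constructed bound


def is_email(v: str) -> bool:
    return len(v) <= 254 and EMAIL.fullmatch(v) is not None


def dollar_anchored_email(v: str) -> bool:
    """The tempting but wrong anchoring: '$' accepts a trailing newline."""
    return re.match(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$", v) is not None


def is_phone(v: str) -> bool:
    """North American number; ( ) - . space and + are tolerated as separators,
    anything else is rejected before the digits are counted."""
    if not re.fullmatch(r"[0-9() .+-]+", v):
        return False
    digits = re.sub(r"\D", "", v)
    return len(digits) == 10 or (len(digits) == 11 and digits[0] == "1")


def is_filename(v: str) -> bool:
    """A bare file name: the pattern cannot match '/', '\\', NUL, '.' or '..',
    so traversal never reaches the application."""
    return FILENAME.fullmatch(v) is not None


def is_currency(v: str) -> bool:
    """Exactly two decimals, at most twelve integer digits, within the bound."""
    return CURRENCY.fullmatch(v) is not None and abs(Decimal(v)) <= MAX_AMOUNT


VALIDATORS = {"email": is_email, "phone": is_phone, "filename": is_filename, "currency": is_currency}

# Constructed policy: which typed rule applies to each parameter of each path.
POLICY = {
    "/pay.jsp": {"amount": "currency", "contact": "email", "phone": "phone"},
    "/download.jsp": {"file": "filename"},
}


def enforce(path: str, params: dict) -> list:
    """Positive model: every parameter must be in the policy and pass its rule."""
    rules = POLICY.get(path)
    if rules is None:
        return [f"{path}: not in policy"]
    problems = []
    for name, value in params.items():
        rule = rules.get(name)
        if rule is None:
            problems.append(f"{name}: not in policy")
        elif not VALIDATORS[rule](value):
            problems.append(f"{name}: not a valid {rule}")
    return problems


if __name__ == "__main__":
    print(enforce("/pay.jsp", {"amount": "12.50", "contact": "neil@uci.edu", "phone": "(949) 555-0100"}))
    print(enforce("/pay.jsp", {"amount": "12.50 or 1=1", "debug": "1"}))
    print(enforce("/download.jsp", {"file": "../etc/passwd"}))
    print("$-anchored accepts newline:", dollar_anchored_email("neil@uci.edu\n"), "fullmatch:", is_email("neil@uci.edu\n"))
```

Typed rules of this kind are what make the “no exceptions” goal realistic: once a parameter has a type, the learned length and character-class bounds become a fallback rather than the whole policy.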
• Imperva, Breach, F5
• Vulnerability assessments
  • Open source: Joomla, Fortify* Open Review Project
  • Vendor: WhiteHat Security, IBM AppScan, HP WebInspect, Cenzic, NT Objectives
• We’ve Been Blind to Attacks on Our Web Sites
• Why Did Our Web Application Crash? Leveraging WAF Logging Data
• Scanner and WAF Data Sharing
• Web Application Security Statistics
• Methods to Bypass a Web Application Firewall
• Web Application Firewall Products
• Web Application Firewall Deployment Mode Considerations
• Web Application Firewall Evaluation Criteria
• Application Scanner Evaluation Criteria
• Approved Scanning Vendors
• xkcd: Security
property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.