Upgrade to Pro — share decks privately, control downloads, hide ads and more …

OCI技術資料 : Web Application Firewall (WAF) 概要

OCI技術資料 : Web Application Firewall (WAF) 概要

Oracle Cloud Infrastructure (OCI) の技術説明資料、Web Application Firewall (WAF) サービスの概要編 (Level 100) です。

Web Application Firewall (WAF) サービスは、OCI内外に配置されたWebアプリケーションを悪意のある攻撃から保護することができるマネージドサービスです。
OCI WAFを利用すると、既存のアプリケーションには手を入れることなく、プロキシとして利用する形でOWASP Top10やCRS3に準拠した保護ルールや、攻撃に応じてアダプティブな保護を行うBot管理機能を利用し、Webアプリケーションを高度に保護することができるようになります。

Transcript

  1. Web Application Firewall (WAF) 概要 Web Application Firewall Level 100

    Oracle Cloud Infrastructure 2021 4
  2. Oracle Cloud Infrastructure DDoS OCI DDoS Protection OCI Web Application

    Firewall OCI OCI / / ✔ ✔ 3/4 ✔ ✔ 7 - ✔ - ✔ - ✔ - ✔ DDoS Web Copyright © 2021, Oracle and/or its affiliates 2
  3. L3 4 OCI • SYN flood UDP flood ICMP flood

    NTP reflection DNS reflection • (<-> ) ( ) OCI DDoS Protection : L3/L4 DDoS OCI Region DDoS Protection compute Database Storage Internet Copyright © 2021, Oracle and/or its affiliates 3
  4. Web OCI Copyright © 2021, Oracle and/or its affiliates 4

    WAF and Anti-Bot Protection Oracle Cloud , URL, IP, 600 OWASP 10 OCI Web Application Firewall
  5. • 600 • • AI & • • OCI DNS

    • IP • DoS • IT 24x365 • +Good Traffic • : 1000 150GB 3420 OCI Web Application Firewall Copyright © 2021, Oracle and/or its affiliates 5
  6. OCI Web Application Firewall Copyright © 2021, Oracle and/or its

    affiliates 6 Web Server WAF Edge PoP Edge PoP • Web ( ) • WAF OCI PoP • IP WAF • (WAF ) OCI WAF OCI REGION VCN WAF Policy Internet Gateway Customer Premises Equipment /
  7. OCI PoP Copyright © 2021, Oracle and/or its affiliates 7

    SAN JOSE, CA PHOENIX CHICAGO ASHBURN TORONTO MONTREAL SANTIAGO VINHEDO SAO PAULO NEWPORT AMSTERDAM FRANKFURT ZURICH LONDON SWEDEN ITALY FRANCE JEDDAH ISRAEL DUBAI MUMBAI HYDERABAD SINGAPORE CHUNCHEON SEOUL TOKYO OSAKA JOHANNESBURG SYDNEY MELBOURNE Commercial Commercial Planned Government Government Planned Microsoft Interconnect Azure SAUDI 2 UAE 2 Edge Points of Presence OCI Web Application Firewall
  8. 1. DNS www.example.com CNAME( ) www-example- com.o.waas.oci.oraclecloud.net 2. www-example-com.o.waas.oci.oraclecloud.net 3.

    WAF (lb.examples.com) 4. OCI Web Application Firewall DNS WAF オリジン OCI/ / OCI / PoP Welcomed Users / Good Bots Bad Actors / Bad Bots DNS www.example.com CNAME www-example-com.o.waas.oci.oraclecloud.net SSL/TLS Copyright © 2021, Oracle and/or its affiliates 8 www-example-com.o.waas.oci.oraclecloud.net lb.example.com
  9. OCI Web Application Firewall 9 URI URI WAF CNAME -

    CAPCHA - JavaScript Challenge - Human Interaction - WAF URI DNS CNAME WAF Step1 Step3 Step4 Step2 SSL ( ) SSL(TLS) WAF Copyright © 2021, Oracle and/or its affiliates
  10. Copyright © 2021, Oracle and/or its affiliates 10 1 OCI

    - Web Application Firewall - Requests ¥72 1,000,000 Incoming Requests / Month 2 OCI - Web Application Firewall - Good Traffic ¥18 Gigabyte of Good Traffic / Month ※ 3 OCI - Web Application Firewall - Bot Management ¥480 1,000,000 Incoming Requests / Month ※ WAF 1 Cloud / OnP Origin Welcomed Users / Good Bots Bad Actors / Bad Bots 1.Requests 3.Bot Management 2.Good Traffic Edge PoP WAF OCI Web Application Firewall
  11. Copyright © 2021, Oracle and/or its affiliates 11 OCI Web

    Application Firewall 保護機能の詳細
  12. Bad IP Bot WAF OCI Web Application Firewall 4 Copyright

    © 2021, Oracle and/or its affiliates 12
  13. (Protection Rules) Copyright © 2021, Oracle and/or its affiliates 13

    • 600 • • Block( ) Detect( ) Off( ) • mod_security AI • (ML) ( ) • OWASP • •
  14. (Access Rules) (Access Control) Copyright © 2021, Oracle and/or its

    affiliates 14 URL • URL is • URL is not • URL starts with • URL ends with • URL contains • URL regex URL Perl IP • Client IP Address is • Client IP Address is not IPv6 / • Country is • Country is not API 2 UserAgent • User Agent is • User Agent is not HTTP • HTTP Header contains <name> <value>
  15. (Access Rules) • • • • URL • ( )

    • CAPTCHA (Access Control) Copyright © 2021, Oracle and/or its affiliates 15
  16. IP (IP Address Whitelist) WAF IP CIDR IP IP CIDR

    WAF IP Whitelist (Access Control) Copyright © 2021, Oracle and/or its affiliates 16
  17. IP (Threat Intelligence) IP OCI Web Application Firewall Bad IP

    • 2021 19 • • https://docs.cloud.oracle.com/iaas/Content/WAF/Tasks/threatintel.htm CLI/API ( ) (Threat Intelligence) Copyright © 2021, Oracle and/or its affiliates 17
  18. WAF (Bot Management) Copyright © 2021, Oracle and/or its affiliates

    18 Bot 5 • JavaScript • • • (API ) • CAPCHA Bot
  19. JavaScript ( ) JavaScript • • CAPTCHA (Bot Management) ※

    ※ Copyright © 2021, Oracle and/or its affiliates 19 JavaScript (JavaScript Challenge)
  20. JavaScript Challenge cookies IP [root@web01 opc]# oci waas human-interaction-challenge get

    --waas- policy-id ocid1.waaspolicy.oc1..aaaaaaaa4cfdrmewdfoz4v63zibycdoukag4eoyvn3dmexl5kc 7hvykuo5fq { "data": { "action": "DETECT", "action-expiration-in-seconds": 60, "challenge-settings": { "block-action": "SHOW_ERROR_PAGE", "block-error-page-code": "HIC", "block-error-page-description": "Access blocked by website owner. Please contact support.", "block-error-page-message": "Access to the website is blocked.", "block-response-code": 403, "captcha-footer": "Enter the letters and numbers as they are shown in image above.", "captcha-header": "We have detected an increased number of attempts to access this website. To help us keep this site secure, please let us know that you are not a robot by entering the text from the image below.", "captcha-submit-label": "Yes, I am human.", "captcha-title": "Are you human?" }, "failure-threshold": 10, "failure-threshold-expiration-in-seconds": 60, "interaction-threshold": 3, "is-enabled": true, "recording-period-in-seconds": 15, "set-http-header": null } } (Bot Management) Copyright © 2021, Oracle and/or its affiliates 20 (Human Interacion Challenge)
  21. 50 ( ) [root@web01 opc]# oci waas device-fingerprint-challenge get --waas-

    policy-id ocid1.waaspolicy.oc1..aaaaaaaa4cfdrmewdfoz4v63zibycdoukag4eoyvn3dmexl5kc 7hvykuo5fq { "data": { "action": "DETECT", "action-expiration-in-seconds": 60, "challenge-settings": { "block-action": "SHOW_ERROR_PAGE", "block-error-page-code": "DFC", "block-error-page-description": "Access blocked by website owner. Please contact support.", "block-error-page-message": "Access to the website is blocked.", "block-response-code": 403, "captcha-footer": "Enter the letters and numbers as they are shown in image above.", "captcha-header": "We have detected an increased number of attempts to access this website. To help us keep this site secure, please let us know that you are not a robot by entering the text from the image below.", "captcha-submit-label": "Yes, I am human.", "captcha-title": "Are you human?" }, "failure-threshold": 10, "failure-threshold-expiration-in-seconds": 60, "is-enabled": true, (Bot Management) Copyright © 2021, Oracle and/or its affiliates 21 (Device Fingerprint Challenge)
  22. (Access Rate Limiting) IP IP (Bot Management) [root@web01 opc]# oci

    waas address-rate-limiting get-waf --waas-policy- id ocid1.waaspolicy.oc1..aaaaaaaa4cfdrmewdfoz4v63zibycdoukag4eoyvn3dmexl5kc 7hvykuo5fq { "data": { "allowed-rate-per-address": 1, "block-response-code": 503, "is-enabled": true, "max-delayed-count-per-address": 10 }, "etag": "2019-02-22T07:21:12.383Z" } [root@web01 opc]# Copyright © 2021, Oracle and/or its affiliates 22
  23. CAPTCHA (CAPTCHA Challenge) • URL • (Bot Management) Copyright ©

    2021, Oracle and/or its affiliates 23
  24. 1. • IP • Bot • IP 2. 3. JavaScript

    (Bot ) 4. (Bot ) 5. (Bot ) 6. CAPTCHA (Bot ) 7. 8. (Bot ) OCI Web Application Firewall Copyright © 2021, Oracle and/or its affiliates 24
  25. Copyright © 2021, Oracle and/or its affiliates 25 OCI Web

    Application Firewall 運⽤の考え⽅
  26. u False Positive ( ) ü ü u False Negative

    ( ) ü ü Hacker User User Hacker False Positive False Negative Copyright © 2021, Oracle and/or its affiliates 26
  27. Copyright © 2021, Oracle and/or its affiliates 27 Bot /

    IP IP IP IP IP Webアプリの特性に合わせて、 必要なBot対策を有効化。 ü JavaScriptチャレンジ ü ヒューマン・インタラクション・チャレンジ ü ジフィンガープリントチャレンジ ü CAPTCHAチャレンジ Bot Bot Bot OCI - Web Application Firewall - Bot Management
  28. 3 Copyright © 2021, Oracle and/or its affiliates 28 OWASP

    CRS3 3.0 CRS3 2.2.9 OWASP Top10 A1 PCI SQL SQL Injection SQLi SQL Injection Character Anomaly Usage A1~A10 CAPEC OWASP CRS3 CVE WASCTC CC Leakage Wordpress Server Webapp PCI SharePoint Apps SQL Injection Cross-site Scripting Local File Inclusion PHP Injection Remote File Inclusion HTTP Exploit kit
  29. OWASP-* CRS CRS3 OWASP ModSecurity Core Rule Set(CRS)& Top 10

    OWASP Core Rule Set(CRS) Top10 CAPEC Common Attack Pattern Enumeration & Classification(CAPEC) CAPEC→MITRE CVE-* Common Vulnerabilities and Exposures(CVE) CVE→MITRE WASCTC WASC Threat Classification WASCTC Web Application Security Consortium(WASC) Oracle Copyright © 2021, Oracle and/or its affiliates 29
  30. – (SQL Injections) 30 1 - Ctrl+F "SQL Injections" 2

    - OCI ID ID
  31. CRS CRS3 ( CRS v2.2.9) – CRS Copyright © 2021,

    Oracle and/or its affiliates 31 https://github.com/SpiderLabs/owasp-modsecurity- crs/blob/v3.2/master/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf GitHub Core Rule Set
  32. Ø OCI Web Application Firewall OWASP Core Rule Set CRS

    ü CRS 2.2.9 (False Positive) ü CRS 3.0 ver. 2.2.9 (False Positive) ü CRS 3.1 ü CRS 3.2 Copyright © 2021, Oracle and/or its affiliates 32 https://github.com/SpiderLabs/owasp-modsecurity-crs/releases CRS CRS 3.0 False Positive : CRS
  33. n OCI Web Application Firewall https://docs.cloud.oracle.com/ja-jp/iaas/Content/WAF/Reference/protectionruleids.htm n OWASP ModSecurity Core

    Rule Set CRS OWASP GitHub https://coreruleset.org n Common Attack Pattern Enumeration & Classification CAPEC https://capec.mitre.org n Common Vulnerabilities and Exposures CVE https://cve.mitre.org n WASC Threat Classification WASCTC http://projects.webappsec.org/w/page/13246927/FrontPage Copyright © 2021, Oracle and/or its affiliates 33
  34. Copyright © 2021, Oracle and/or its affiliates 34 Web

  35. Thank you 35 Copyright © 2021, Oracle and/or its affiliates

  36. None
  37. Our mission is to help people see data in new

    ways, discover insights, unlock endless possibilities.