OCI技術資料 : Web Application Firewall (WAF) 概要

Transcript

1. Web Application Firewall (WAF) 概要 Web Application Firewall Level 100

   Oracle Cloud Infrastructure 2021 4

2. Oracle Cloud Infrastructure DDoS OCI DDoS Protection OCI Web Application

   Firewall OCI OCI / / ✔ ✔ 3/4 ✔ ✔ 7 - ✔ - ✔ - ✔ - ✔ DDoS Web Copyright © 2021, Oracle and/or its affiliates 2

3. L3 4 OCI • SYN flood UDP flood ICMP flood

   NTP reflection DNS reflection • (<-> ) ( ) OCI DDoS Protection : L3/L4 DDoS OCI Region DDoS Protection compute Database Storage Internet Copyright © 2021, Oracle and/or its affiliates 3

4. Web OCI Copyright © 2021, Oracle and/or its affiliates 4

   WAF and Anti-Bot Protection Oracle Cloud , URL, IP, 600 OWASP 10 OCI Web Application Firewall

5. • 600 • • AI & • • OCI DNS

   • IP • DoS • IT 24x365 • +Good Traffic • : 1000 150GB 3420 OCI Web Application Firewall Copyright © 2021, Oracle and/or its affiliates 5

6. OCI Web Application Firewall Copyright © 2021, Oracle and/or its

   affiliates 6 Web Server WAF Edge PoP Edge PoP • Web ( ) • WAF OCI PoP • IP WAF • (WAF ) OCI WAF OCI REGION VCN WAF Policy Internet Gateway Customer Premises Equipment /

7. OCI PoP Copyright © 2021, Oracle and/or its affiliates 7

   SAN JOSE, CA PHOENIX CHICAGO ASHBURN TORONTO MONTREAL SANTIAGO VINHEDO SAO PAULO NEWPORT AMSTERDAM FRANKFURT ZURICH LONDON SWEDEN ITALY FRANCE JEDDAH ISRAEL DUBAI MUMBAI HYDERABAD SINGAPORE CHUNCHEON SEOUL TOKYO OSAKA JOHANNESBURG SYDNEY MELBOURNE Commercial Commercial Planned Government Government Planned Microsoft Interconnect Azure SAUDI 2 UAE 2 Edge Points of Presence OCI Web Application Firewall

8. 1. DNS www.example.com CNAME( ) www-example- com.o.waas.oci.oraclecloud.net 2. www-example-com.o.waas.oci.oraclecloud.net 3.

   WAF (lb.examples.com) 4. OCI Web Application Firewall DNS WAF オリジン OCI/ / OCI / PoP Welcomed Users / Good Bots Bad Actors / Bad Bots DNS www.example.com CNAME www-example-com.o.waas.oci.oraclecloud.net SSL/TLS Copyright © 2021, Oracle and/or its affiliates 8 www-example-com.o.waas.oci.oraclecloud.net lb.example.com

9. OCI Web Application Firewall 9 URI URI WAF CNAME -

   CAPCHA - JavaScript Challenge - Human Interaction - WAF URI DNS CNAME WAF Step1 Step3 Step4 Step2 SSL ( ) SSL(TLS) WAF Copyright © 2021, Oracle and/or its affiliates

10. Copyright © 2021, Oracle and/or its affiliates 10 1 OCI

    - Web Application Firewall - Requests ¥72 1,000,000 Incoming Requests / Month 2 OCI - Web Application Firewall - Good Traffic ¥18 Gigabyte of Good Traffic / Month ※ 3 OCI - Web Application Firewall - Bot Management ¥480 1,000,000 Incoming Requests / Month ※ WAF 1 Cloud / OnP Origin Welcomed Users / Good Bots Bad Actors / Bad Bots 1.Requests 3.Bot Management 2.Good Traffic Edge PoP WAF OCI Web Application Firewall

11. Copyright © 2021, Oracle and/or its affiliates 11 OCI Web

    Application Firewall 保護機能の詳細

12. Bad IP Bot WAF OCI Web Application Firewall 4 Copyright

    © 2021, Oracle and/or its affiliates 12

13. (Protection Rules) Copyright © 2021, Oracle and/or its affiliates 13

    • 600 • • Block( ) Detect( ) Off( ) • mod_security AI • (ML) ( ) • OWASP • •

14. (Access Rules) (Access Control) Copyright © 2021, Oracle and/or its

    affiliates 14 URL • URL is • URL is not • URL starts with • URL ends with • URL contains • URL regex URL Perl IP • Client IP Address is • Client IP Address is not IPv6 / • Country is • Country is not API 2 UserAgent • User Agent is • User Agent is not HTTP • HTTP Header contains <name> <value>

15. (Access Rules) • • • • URL • ( )

    • CAPTCHA (Access Control) Copyright © 2021, Oracle and/or its affiliates 15

16. IP (IP Address Whitelist) WAF IP CIDR IP IP CIDR

    WAF IP Whitelist (Access Control) Copyright © 2021, Oracle and/or its affiliates 16

17. IP (Threat Intelligence) IP OCI Web Application Firewall Bad IP

    • 2021 19 • • https://docs.cloud.oracle.com/iaas/Content/WAF/Tasks/threatintel.htm CLI/API ( ) (Threat Intelligence) Copyright © 2021, Oracle and/or its affiliates 17

18. WAF (Bot Management) Copyright © 2021, Oracle and/or its affiliates

    18 Bot 5 • JavaScript • • • (API ) • CAPCHA Bot

19. JavaScript ( ) JavaScript • • CAPTCHA (Bot Management) ※

    ※ Copyright © 2021, Oracle and/or its affiliates 19 JavaScript (JavaScript Challenge)

20. JavaScript Challenge cookies IP [root@web01 opc]# oci waas human-interaction-challenge get

    --waas- policy-id ocid1.waaspolicy.oc1..aaaaaaaa4cfdrmewdfoz4v63zibycdoukag4eoyvn3dmexl5kc 7hvykuo5fq { "data": { "action": "DETECT", "action-expiration-in-seconds": 60, "challenge-settings": { "block-action": "SHOW_ERROR_PAGE", "block-error-page-code": "HIC", "block-error-page-description": "Access blocked by website owner. Please contact support.", "block-error-page-message": "Access to the website is blocked.", "block-response-code": 403, "captcha-footer": "Enter the letters and numbers as they are shown in image above.", "captcha-header": "We have detected an increased number of attempts to access this website. To help us keep this site secure, please let us know that you are not a robot by entering the text from the image below.", "captcha-submit-label": "Yes, I am human.", "captcha-title": "Are you human?" }, "failure-threshold": 10, "failure-threshold-expiration-in-seconds": 60, "interaction-threshold": 3, "is-enabled": true, "recording-period-in-seconds": 15, "set-http-header": null } } (Bot Management) Copyright © 2021, Oracle and/or its affiliates 20 (Human Interacion Challenge)

21. 50 ( ) [root@web01 opc]# oci waas device-fingerprint-challenge get --waas-

    policy-id ocid1.waaspolicy.oc1..aaaaaaaa4cfdrmewdfoz4v63zibycdoukag4eoyvn3dmexl5kc 7hvykuo5fq { "data": { "action": "DETECT", "action-expiration-in-seconds": 60, "challenge-settings": { "block-action": "SHOW_ERROR_PAGE", "block-error-page-code": "DFC", "block-error-page-description": "Access blocked by website owner. Please contact support.", "block-error-page-message": "Access to the website is blocked.", "block-response-code": 403, "captcha-footer": "Enter the letters and numbers as they are shown in image above.", "captcha-header": "We have detected an increased number of attempts to access this website. To help us keep this site secure, please let us know that you are not a robot by entering the text from the image below.", "captcha-submit-label": "Yes, I am human.", "captcha-title": "Are you human?" }, "failure-threshold": 10, "failure-threshold-expiration-in-seconds": 60, "is-enabled": true, (Bot Management) Copyright © 2021, Oracle and/or its affiliates 21 (Device Fingerprint Challenge)

22. (Access Rate Limiting) IP IP (Bot Management) [root@web01 opc]# oci

    waas address-rate-limiting get-waf --waas-policy- id ocid1.waaspolicy.oc1..aaaaaaaa4cfdrmewdfoz4v63zibycdoukag4eoyvn3dmexl5kc 7hvykuo5fq { "data": { "allowed-rate-per-address": 1, "block-response-code": 503, "is-enabled": true, "max-delayed-count-per-address": 10 }, "etag": "2019-02-22T07:21:12.383Z" } [root@web01 opc]# Copyright © 2021, Oracle and/or its affiliates 22

23. CAPTCHA (CAPTCHA Challenge) • URL • (Bot Management) Copyright ©

    2021, Oracle and/or its affiliates 23

24. 1. • IP • Bot • IP 2. 3. JavaScript

    (Bot ) 4. (Bot ) 5. (Bot ) 6. CAPTCHA (Bot ) 7. 8. (Bot ) OCI Web Application Firewall Copyright © 2021, Oracle and/or its affiliates 24

25. Copyright © 2021, Oracle and/or its affiliates 25 OCI Web

    Application Firewall 運⽤の考え⽅

26. u False Positive ( ) ü ü u False Negative

    ( ) ü ü Hacker User User Hacker False Positive False Negative Copyright © 2021, Oracle and/or its affiliates 26

27. Copyright © 2021, Oracle and/or its affiliates 27 Bot /

    IP IP IP IP IP Webアプリの特性に合わせて、 必要なBot対策を有効化。 ü JavaScriptチャレンジ ü ヒューマン・インタラクション・チャレンジ ü ジフィンガープリントチャレンジ ü CAPTCHAチャレンジ Bot Bot Bot OCI - Web Application Firewall - Bot Management

28. 3 Copyright © 2021, Oracle and/or its affiliates 28 OWASP

    CRS3 3.0 CRS3 2.2.9 OWASP Top10 A1 PCI SQL SQL Injection SQLi SQL Injection Character Anomaly Usage A1~A10 CAPEC OWASP CRS3 CVE WASCTC CC Leakage Wordpress Server Webapp PCI SharePoint Apps SQL Injection Cross-site Scripting Local File Inclusion PHP Injection Remote File Inclusion HTTP Exploit kit

29. OWASP-* CRS CRS3 OWASP ModSecurity Core Rule Set(CRS)& Top 10

    OWASP Core Rule Set(CRS) Top10 CAPEC Common Attack Pattern Enumeration & Classification(CAPEC) CAPEC→MITRE CVE-* Common Vulnerabilities and Exposures(CVE) CVE→MITRE WASCTC WASC Threat Classification WASCTC Web Application Security Consortium(WASC) Oracle Copyright © 2021, Oracle and/or its affiliates 29

30. – (SQL Injections) 30 1 - Ctrl+F "SQL Injections" 2

    - OCI ID ID

31. CRS CRS3 ( CRS v2.2.9) – CRS Copyright © 2021,

    Oracle and/or its affiliates 31 https://github.com/SpiderLabs/owasp-modsecurity- crs/blob/v3.2/master/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf GitHub Core Rule Set

32. Ø OCI Web Application Firewall OWASP Core Rule Set CRS

    ü CRS 2.2.9 (False Positive) ü CRS 3.0 ver. 2.2.9 (False Positive) ü CRS 3.1 ü CRS 3.2 Copyright © 2021, Oracle and/or its affiliates 32 https://github.com/SpiderLabs/owasp-modsecurity-crs/releases CRS CRS 3.0 False Positive : CRS

33. n OCI Web Application Firewall https://docs.cloud.oracle.com/ja-jp/iaas/Content/WAF/Reference/protectionruleids.htm n OWASP ModSecurity Core

    Rule Set CRS OWASP GitHub https://coreruleset.org n Common Attack Pattern Enumeration & Classification CAPEC https://capec.mitre.org n Common Vulnerabilities and Exposures CVE https://cve.mitre.org n WASC Threat Classification WASCTC http://projects.webappsec.org/w/page/13246927/FrontPage Copyright © 2021, Oracle and/or its affiliates 33

34. Copyright © 2021, Oracle and/or its affiliates 34 Web

35. Thank you 35 Copyright © 2021, Oracle and/or its affiliates

36. None

37. Our mission is to help people see data in new

    ways, discover insights, unlock endless possibilities.