Web Application Firewalls Revisited November 2023

SOFTWARE ENGINEER @ TETRATE José Carlos Chávez ● Open source & Security enthusiast ● OWASP Coraza WAF Co-leader ● Zipkin core member ● Loving father @jcchavezs November 2023

WEB APPLICATION FIREWALL @jcchavezs WAF, for friends and family November 2023

WEB APPLICATION FIREWALL Traditionally a WAF: ● Helps to protect web applications by filtering and monitoring HTTP traffic between a web application and the *Internet*. ● Protects web applications from malicious traffic. ● It is a protocol layer 7 defense (OSI model) acting as a reverse-proxy having clients pass through the WAF before reaching the server. ● Produces audit logging with more detailed information about the requests made to your server (request/response headers and body) @jcchavezs November 2023

WEB APPLICATION FIREWALL @jcchavezs WAF SERVER ATTACKER APP DEVICE November 2023 Perimeter boundary

WEB APPLICATION FIREWALL: FEATURES 1. IP-fencing through a denylist 2. Geo-fencing and geo-blocking through a virtual perimeter 3. Request/response inspection to avoid zero-day attacks, client-side attacks, bot attacks, virus files, etc. 4. Security rules: SQL Injection, XSS Attacks, Local and Remote File Inclusion, Size Restrictions, etc. 5. Anomaly scoring for matching rules 6. DDoS rate limiting for IPs 7. Bot mitigation by analyzing the cookie sent by the browser @jcchavezs November 2023

“ There was a time when security was easy. “I need more security – I will just buy another firewall” @jcchavezs OH November 2023

WEB APPLICATION FIREWALL @jcchavezs WAF SERVER ATTACKER APP DEVICE November 2023 Perimeter boundary

PERIMETER SECURITY CHALLENGES ● There is no single, easily identifiable perimeter for the enterprise: cloud, on-prem, multi-cloud, third-party services, FaaS, artifact registries, etc. ● In the era of microservices the majority of the traffic is East-West whereas perimeter security focus on North-South. ● Ingress has to carry knowledge about the upstream components (more security policies on the perimeter firewall), leading to operational complexity, misconfigurations, change management, timely policy updates, etc. ● The guiding principle of perimeter security is "Trust but Verify" @jcchavezs November 2023

ZERO TRUST enabling the right user under the right conditions to gain the right access to the right data @jcchavezs November 2023

ZERO (implicit) TRUST enabling the right user under the right conditions to gain the right access to the right data @jcchavezs November 2023

“ Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources @jcchavezs NIST 800-207 Zero Trust Architecture November 2023

ZERO TRUST DRIVER ASSUMPTIONS ● Trust can no longer be based on a network perimeter as perimeters can always be breached. ● Policies have to be defined based on the assumption that the attacker is already inside of the network. ● All access decisions have to rely on least-privilege, per-request, and context-based principles and on identities associated with users, services, and devices. ● Security and access state constantly change over time. @jcchavezs November 2023

ZERO TRUST TENETS 1. All data sources and computing services are resources: Switching from static servers and endpoints to dynamic cloud computing services such as Pods or FaaS 2. Communications are secured regardless of location: The access policy should be a default-to-deny. Explicit access must be granted to specific resources. 3. Access to individual resources is granted on a per-session basis: Trust should not extend beyond a single session, each session should involve the same rigor to resolve access and permissions. 4. Access to resources is determined by dynamic policies and context: several attributes come into play when evaluating access. @jcchavezs November 2023

ZERO TRUST TENETS 5. Monitor and measure integrity and security posture of assets: every resource request should trigger a security posture evaluation. Continuously monitoring the state of system assets that have access. 6. Dynamic resource authN and authZ strictly enforced before access allowed: Constant cycle of obtaining access, scanning and assessing threats, adapting, and continually re evaluating trust in ongoing communications. 7. Collect info on current state of asset, network infrastructure, and communications to improve security posture: Continuously monitoring capabilities to ensure awareness of what is occurring in the system over the time and take actions when identify risky patterns. @jcchavezs November 2023

Security is a combination of multiple protection mechanism on multiple levels Logical Components of Zero Trust Architecture @jcchavezs Source: NIST 800-207, Zero Trust Architecture November 2023

ZERO TRUST BASED WEB APPLICATION FIREWALL By popular demand @jcchavezs November 2023

ZERO TRUST WEB APPLICATION FIREWALL ● Protects workloads by filtering and monitoring traffic between workloads at PEPs. ● Leverages wide network patches for zero day vulnerabilities (e.g. log4shell). ● Allows to on-board legacy applications in a lift & shift fashion. ● Flexible ruleset based on the applications internals and security posture. ● Provides audit logs for further analysis and improve security posture through adaptive rulesets. @jcchavezs November 2023

@jcchavezs November 2023

OWASP CORAZA WAF coraza.io | https://github.com/corazawaf/coraza | @corazaio @jcchavezs November 2023

CORAZA WEB APPLICATION FIREWALL ● Open source Web Application Firewall ● Written in Go ● Inspired by modsecurity and supports seclang: modsec EOL is July 2024 ● Focused on OWASP Core Rule Set v4: Newest and shiniest ruleset from OWASP (currently RC2). ● Version 3.0 received the Production Flagship from OWASP. @jcchavezs November 2023

CORAZA WEB APPLICATION FIREWALL ● Multiplatform connectors: ○ Native Go, Caddy, Traefik (WIP) ○ Envoy, Istio, Kong using proxy-wasm spec ○ Fully compatible with Webassembly which allows to run it in different stacks. ● Pluggable Architecture: Experimental Plugins API for extending functionality and write custom WAF features e.g. Rate limiting and Geo IP ● High throughput: Performance driven, aimed to be run in critical path (e.g. PEP). ● Portable and easily distributable. @jcchavezs November 2023

CONCLUSIONS ● Zero trust isn’t incompatible with network/perimeter based security approaches. Both are needed. ● Web Application Firewalls are still relevant to achieve inter resource communication. ● Security is a dynamic process not an static attribute. @jcchavezs November 2023

For any further queries, feel free to contact me at [email protected] Thank you everyone. jcchavezs jcchavezs www.tetrate.io

References PCI Web Application Security Requirements https://pcidssguide.com/pci-web-application-security-requirements/ NIST SP 800-207A: A Zero Trust Architecture (ZTA) Model for Access Control in Cloud Native Applications in Multi-Location Environments @jcchavezs NIST 800-207: Zero Trust Architecture WHAT YOU NEED TO KNOW ABOUT CLOUD LIFT & SHIFT MIGRATIONS https://f.hubspotusercontent10.net/hubfs/423210/cloud-lift-and-shift-migrations-whitepape r.pdf

Web Application Firewalls Revisited November 2023

SURVIVORSHIP BIAS @jcchavezs Source: Wikipedia November 2023