Slide 1

Web Application Firewall (WAF) Overview
Web Application Firewall, Level 100
Oracle Cloud Infrastructure, 2021/4

Slide 2

Copyright © 2021, Oracle and/or its affiliates

Comparison of the two OCI protection services (table body lost in extraction; only the row labels and checkmarks survived):
- OCI DDoS Protection: operates at layers 3/4, protects against DDoS
- OCI Web Application Firewall: operates at layer 7, protects web applications

Slide 3

OCI DDoS Protection: L3/L4 DDoS protection
- Mitigates layer 3/4 volumetric attacks against OCI: SYN flood, UDP flood, ICMP flood, NTP reflection, DNS reflection
- Applied in front of every OCI Region, between the Internet and the region's compute, Database and Storage resources (diagram; remaining labels lost)

Slide 4

OCI Web Application Firewall: WAF and Anti-Bot Protection
- Web application protection delivered from the Oracle Cloud edge
- Access control by URL, IP and other request attributes
- 600 protection rules, covering the OWASP Top 10

Slide 5

OCI Web Application Firewall: key points (bullet labels partly lost in extraction)
- 600 protection rules
- AI & machine-learning based detection
- OCI DNS integration
- IP-based access control
- DoS protection
- 24x365 operation (label fragment: "IT 24x365")
- Billed on requests plus Good Traffic
- Example figures on the slide: 1000, 150GB, 3420 (their labels were lost)

Slide 6

OCI Web Application Firewall: architecture (diagram; most labels lost)
- Traffic to the Web Server passes through the WAF at an Edge PoP
- The WAF runs at OCI PoPs; the origin can sit in an OCI Region (VCN behind an Internet Gateway) or on Customer Premises Equipment
- The WAF is configured as a WAF Policy; remaining label fragments: "IP WAF", "(WAF )"

Slide 7

OCI PoP: Edge Points of Presence for the OCI Web Application Firewall (map; legend: Commercial, Commercial Planned, Government, Government Planned, Microsoft Azure Interconnect)
San Jose CA, Phoenix, Chicago, Ashburn, Toronto, Montreal, Santiago, Vinhedo, Sao Paulo, Newport, Amsterdam, Frankfurt, Zurich, London, Sweden, Italy, France, Jeddah, Saudi 2, Israel, Dubai, UAE 2, Mumbai, Hyderabad, Singapore, Chuncheon, Seoul, Tokyo, Osaka, Johannesburg, Sydney, Melbourne

Slide 8

OCI Web Application Firewall: DNS, the WAF and the origin (request flow)
1. In DNS, www.example.com is defined as a CNAME to www-example-com.o.waas.oci.oraclecloud.net (the WAF endpoint)
2. Clients resolve www-example-com.o.waas.oci.oraclecloud.net and connect to the nearest OCI PoP over SSL/TLS
3. The WAF forwards inspected traffic to the origin (lb.example.com), which may be in OCI or on premises
4. (step label lost)
Diagram legend: Welcomed Users / Good Bots versus Bad Actors / Bad Bots; DNS www.example.com CNAME www-example-com.o.waas.oci.oraclecloud.net; WAF endpoint www-example-com.o.waas.oci.oraclecloud.net; origin lb.example.com

Slide 9

OCI Web Application Firewall: request handling (diagram; Step1 to Step4, labels mostly lost)
- The DNS CNAME points the site at the WAF
- The WAF inspects the URI and can apply challenges: CAPTCHA, JavaScript Challenge, Human Interaction
- SSL(TLS) is used between client and WAF and between WAF and origin (labels lost)

Slide 10

OCI Web Application Firewall: pricing (three meters)
1. OCI - Web Application Firewall - Requests: ¥72 per 1,000,000 Incoming Requests / Month
2. OCI - Web Application Firewall - Good Traffic: ¥18 per Gigabyte of Good Traffic / Month (footnote on the slide lost)
3. OCI - Web Application Firewall - Bot Management: ¥480 per 1,000,000 Incoming Requests / Month (footnote on the slide lost)
Diagram: 1. Requests and 3. Bot Management are metered at the Edge PoP WAF, where Welcomed Users / Good Bots and Bad Actors / Bad Bots arrive; 2. Good Traffic is metered toward the Cloud / OnP Origin.

Slide 11

OCI Web Application Firewall: protection features in detail

Slide 12

OCI Web Application Firewall: 4 protection categories (diagram; surviving labels: Bad IP, Bot, WAF)

Slide 13

Protection Rules
- 600 rules
- Per-rule action: Block, Detect, or Off
- Based on mod_security rules plus AI / machine-learning (ML) detection
- OWASP coverage
- (further bullets lost in extraction)

Slide 14

Access Rules (Access Control): conditions
URL conditions (URL regex uses Perl-style regular expressions):
- URL is
- URL is not
- URL starts with
- URL ends with
- URL contains
- URL regex
IP conditions (IPv6 supported):
- Client IP Address is
- Client IP Address is not
Country conditions (slide note fragment: "API 2"):
- Country is
- Country is not
User Agent conditions:
- User Agent is
- User Agent is not
HTTP header conditions:
- HTTP Header contains
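As an added illustration (not code from the slides, and not OCI's implementation), the following Python evaluator implements the condition operators listed above and the CIDR-based IP matching that slide 16's IP Address Whitelist relies on. It assumes a constructed request shape (path, client_ip, country, user_agent, headers), that rules are evaluated in order with the first match deciding, and the action names ALLOW, BLOCK and CAPTCHA; the regex operator uses Python's re module rather than Perl.

```python
import ipaddress
import re
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# Constructed request shape: the fields the access-rule conditions inspect (assumption).
Request = Dict[str, object]


def make_request(path: str, client_ip: str, country: str = "JP",
                 user_agent: str = "Mozilla/5.0",
                 headers: Optional[Dict[str, str]] = None) -> Request:
    return {"path": path, "client_ip": client_ip, "country": country,
            "user_agent": user_agent, "headers": headers or {}}


def ip_in_any(ip: str, cidrs: Sequence[str]) -> bool:
    """True if ip lies in any CIDR block; ipaddress handles IPv4 and IPv6 alike."""
    addr = ipaddress.ip_address(ip)
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if addr.version == net.version and addr in net:
            return True
    return False


def header_contains(req: Request, name_and_needle: Tuple[str, str]) -> bool:
    name, needle = name_and_needle
    # HTTP header names are case-insensitive, so normalise before lookup.
    headers = {k.lower(): v for k, v in req["headers"].items()}
    return needle in headers.get(name.lower(), "")


# One callable per operator named on the slide: (request, rule value) -> bool.
CONDITIONS: Dict[str, Callable[[Request, object], bool]] = {
    "URL is": lambda r, v: r["path"] == v,
    "URL is not": lambda r, v: r["path"] != v,
    "URL starts with": lambda r, v: r["path"].startswith(v),
    "URL ends with": lambda r, v: r["path"].endswith(v),
    "URL contains": lambda r, v: v in r["path"],
    "URL regex": lambda r, v: re.search(v, r["path"]) is not None,
    "Client IP Address is": lambda r, v: ip_in_any(r["client_ip"], v),
    "Client IP Address is not": lambda r, v: not ip_in_any(r["client_ip"], v),
    "Country is": lambda r, v: r["country"] in v,
    "Country is not": lambda r, v: r["country"] not in v,
    "User Agent is": lambda r, v: r["user_agent"] == v,
    "User Agent is not": lambda r, v: r["user_agent"] != v,
    "HTTP Header contains": header_contains,
}


class AccessRule:
    """A rule matches when every one of its conditions holds (logical AND)."""

    def __init__(self, name: str, action: str, conditions: List[Tuple[str, object]]):
        self.name, self.action, self.conditions = name, action, conditions

    def matches(self, req: Request) -> bool:
        return all(CONDITIONS[op](req, value) for op, value in self.conditions)


def evaluate_access_rules(rules: Sequence[AccessRule], req: Request) -> str:
    """First matching rule decides (assumption); no match means ALLOW."""
    for rule in rules:
        if rule.matches(req):
            return rule.action
    return "ALLOW"


# Constructed sample policy: a whitelist for /admin, a generic block for
# backup-file paths, a country block, and a CAPTCHA for one legacy client.
RULES = [
    AccessRule("admin-from-corp", "ALLOW",
               [("URL starts with", "/admin"),
                ("Client IP Address is", ["10.0.0.0/8", "2001:db8::/32"])]),
    AccessRule("admin-from-anywhere-else", "BLOCK", [("URL starts with", "/admin")]),
    AccessRule("no-backup-files", "BLOCK", [("URL regex", r"\.(bak|old)$")]),
    AccessRule("embargoed-country", "BLOCK", [("Country is", ["XX"])]),
    AccessRule("legacy-client-captcha", "CAPTCHA", [("User Agent is", "LegacyClient/1.0")]),
]

if __name__ == "__main__":
    for req in (make_request("/admin/users", "10.1.2.3"),
                make_request("/admin/users", "203.0.113.7"),
                make_request("/index.html", "203.0.113.7", country="XX")):
        print(req["path"], req["client_ip"], "->", evaluate_access_rules(RULES, req))
```

The whitelist rule is listed before the block rule on purpose: with first-match semantics the order of the two /admin rules is what makes the corporate ranges an exception rather than a no-op.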

Slide 15

Access Rules (Access Control): actions (most labels lost in extraction; surviving fragments: URL, CAPTCHA)

Slide 16

IP Address Whitelist (Access Control)
- Individual IP addresses or CIDR ranges registered on the whitelist are passed through without WAF inspection

Slide 17

Bad IP (Threat Intelligence) (Access Control)
- OCI Web Application Firewall blocks requests from IP addresses listed in threat-intelligence feeds
- 19 feeds as of 2021 (feed list on the slide lost)
- Feed details: https://docs.cloud.oracle.com/iaas/Content/WAF/Tasks/threatintel.htm
- Configurable via CLI/API

Slide 18

WAF Bot Management
Five bot countermeasures (the middle three labels were lost on this slide and are taken from slides 20 to 22):
- JavaScript Challenge
- Human Interaction Challenge
- Device Fingerprint Challenge
- Address Rate Limiting (slide fragment: "(API )")
- CAPTCHA Challenge

Slide 19

JavaScript Challenge (Bot Management)
- The WAF returns a JavaScript challenge that the client must execute (details on the slide lost)
- Can escalate to CAPTCHA (footnotes on the slide lost)

Slide 20

Human Interaction Challenge (Bot Management)
Builds on the JavaScript Challenge, using cookies and the client IP (explanatory text lost). Example CLI output:

    [root@web01 opc]# oci waas human-interaction-challenge get --waas-policy-id ocid1.waaspolicy.oc1..aaaaaaaa4cfdrmewdfoz4v63zibycdoukag4eoyvn3dmexl5kc7hvykuo5fq
    {
      "data": {
        "action": "DETECT",
        "action-expiration-in-seconds": 60,
        "challenge-settings": {
          "block-action": "SHOW_ERROR_PAGE",
          "block-error-page-code": "HIC",
          "block-error-page-description": "Access blocked by website owner. Please contact support.",
          "block-error-page-message": "Access to the website is blocked.",
          "block-response-code": 403,
          "captcha-footer": "Enter the letters and numbers as they are shown in image above.",
          "captcha-header": "We have detected an increased number of attempts to access this website. To help us keep this site secure, please let us know that you are not a robot by entering the text from the image below.",
          "captcha-submit-label": "Yes, I am human.",
          "captcha-title": "Are you human?"
        },
        "failure-threshold": 10,
        "failure-threshold-expiration-in-seconds": 60,
        "interaction-threshold": 3,
        "is-enabled": true,
        "recording-period-in-seconds": 15,
        "set-http-header": null
      }
    }

Slide 21

Device Fingerprint Challenge (Bot Management)
Identifies the client device from its characteristics (slide fragment: "50 ( )"). Example CLI output (truncated on the slide):

    [root@web01 opc]# oci waas device-fingerprint-challenge get --waas-policy-id ocid1.waaspolicy.oc1..aaaaaaaa4cfdrmewdfoz4v63zibycdoukag4eoyvn3dmexl5kc7hvykuo5fq
    {
      "data": {
        "action": "DETECT",
        "action-expiration-in-seconds": 60,
        "challenge-settings": {
          "block-action": "SHOW_ERROR_PAGE",
          "block-error-page-code": "DFC",
          "block-error-page-description": "Access blocked by website owner. Please contact support.",
          "block-error-page-message": "Access to the website is blocked.",
          "block-response-code": 403,
          "captcha-footer": "Enter the letters and numbers as they are shown in image above.",
          "captcha-header": "We have detected an increased number of attempts to access this website. To help us keep this site secure, please let us know that you are not a robot by entering the text from the image below.",
          "captcha-submit-label": "Yes, I am human.",
          "captcha-title": "Are you human?"
        },
        "failure-threshold": 10,
        "failure-threshold-expiration-in-seconds": 60,
        "is-enabled": true,

Slide 22

Address Rate Limiting (Bot Management)
Limits the request rate per client IP address: allowed-rate-per-address is the number of requests per second accepted from one address, requests above that rate are queued up to max-delayed-count-per-address, and further requests are rejected with block-response-code. Example CLI output:

    [root@web01 opc]# oci waas address-rate-limiting get-waf --waas-policy-id ocid1.waaspolicy.oc1..aaaaaaaa4cfdrmewdfoz4v63zibycdoukag4eoyvn3dmexl5kc7hvykuo5fq
    {
      "data": {
        "allowed-rate-per-address": 1,
        "block-response-code": 503,
        "is-enabled": true,
        "max-delayed-count-per-address": 10
      },
      "etag": "2019-02-22T07:21:12.383Z"
    }
    [root@web01 opc]#
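To make the three numbers in that output concrete, here is an added Python simulation (not code from the slides and not OCI's implementation) that reads the CLI output above and models it as a per-address leaky bucket: requests within allowed-rate-per-address pass immediately, requests beyond it are delayed until a slot frees up while at most max-delayed-count-per-address are waiting, and anything beyond that is rejected with block-response-code. Those semantics are an assumption drawn from the field names; the request timestamps and client addresses are constructed.

```python
import json
from collections import defaultdict, deque
from typing import Deque, Dict, List, NamedTuple

# The CLI output from the slide, embedded as the configuration input
# (the WAAS policy OCID is not needed for the simulation).
RATE_LIMIT_CLI_OUTPUT = """
{
  "data": {
    "allowed-rate-per-address": 1,
    "block-response-code": 503,
    "is-enabled": true,
    "max-delayed-count-per-address": 10
  },
  "etag": "2019-02-22T07:21:12.383Z"
}
"""


class Decision(NamedTuple):
    action: str    # "PASS", "DELAY" or "BLOCK"
    status: int    # HTTP status the client would see (200 assumed for PASS/DELAY)
    delay: float   # seconds the request is held before being forwarded


class AddressRateLimiter:
    """Per-address leaky bucket with a bounded delay queue (assumed semantics)."""

    def __init__(self, config: Dict):
        data = config["data"]
        self.enabled: bool = data["is-enabled"]
        self.interval: float = 1.0 / data["allowed-rate-per-address"]  # seconds per slot
        self.max_delayed: int = data["max-delayed-count-per-address"]
        self.block_code: int = data["block-response-code"]
        self._last_slot: Dict[str, float] = {}                  # ip -> time of last granted slot
        self._pending: Dict[str, Deque[float]] = defaultdict(deque)  # ip -> future slot times

    @classmethod
    def from_cli_output(cls, text: str) -> "AddressRateLimiter":
        return cls(json.loads(text))

    def decide(self, ip: str, now: float) -> Decision:
        if not self.enabled:
            return Decision("PASS", 200, 0.0)
        pending = self._pending[ip]
        while pending and pending[0] <= now:   # delayed requests already released
            pending.popleft()
        last = self._last_slot.get(ip)
        slot = now if last is None else max(last + self.interval, now)
        if slot <= now:                        # within the allowed rate: forward at once
            self._last_slot[ip] = slot
            return Decision("PASS", 200, 0.0)
        if len(pending) >= self.max_delayed:   # delay queue full: reject
            return Decision("BLOCK", self.block_code, 0.0)
        self._last_slot[ip] = slot             # hold the request until its slot
        pending.append(slot)
        return Decision("DELAY", 200, slot - now)


def run_burst(limiter: AddressRateLimiter, ip: str, count: int, now: float) -> List[str]:
    """Fire `count` requests from one address at the same instant; return the actions."""
    return [limiter.decide(ip, now).action for _ in range(count)]


if __name__ == "__main__":
    limiter = AddressRateLimiter.from_cli_output(RATE_LIMIT_CLI_OUTPUT)
    print(run_burst(limiter, "198.51.100.10", 12, 0.0))   # 1 PASS, 10 DELAY, 1 BLOCK
    print(limiter.decide("198.51.100.11", 0.0))           # another address is unaffected
```

With the slide's settings a burst of twelve simultaneous requests from one address yields one immediate pass, ten delayed requests (one per second), and a 503 for the twelfth, while a second address starts with a fresh bucket.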

Slide 23

CAPTCHA Challenge (Bot Management)
- Applied to specified URLs
- (second bullet lost in extraction)

Slide 24

OCI Web Application Firewall: order of evaluation (step labels partly lost)
1. (label lost) with sub-items: IP, Bot, IP
2. (label lost)
3. JavaScript Challenge (Bot Management)
4. (label lost) (Bot Management)
5. (label lost) (Bot Management)
6. CAPTCHA Challenge (Bot Management)
7. (label lost)
8. (label lost) (Bot Management)

Slide 25

OCI Web Application Firewall: operational approach

Slide 26

False Positive and False Negative
- False Positive: a legitimate User is wrongly treated as a Hacker and blocked (sub-bullets lost)
- False Negative: a Hacker is wrongly treated as a User and allowed through (sub-bullets lost)
(diagram contrasts Hacker / User for each case)

Slide 27

OCI - Web Application Firewall - Bot Management: choosing countermeasures (diagram labels Bot / IP lost)
Enable the bot countermeasures your web application needs, according to its characteristics:
- JavaScript Challenge
- Human Interaction Challenge
- Device Fingerprint Challenge
- CAPTCHA Challenge

Slide 28

Protection rule tags (3 groups on the slide; headings lost)
- Rule set and version: OWASP CRS3 3.0, CRS3, CRS 2.2.9
- OWASP Top10 category: A1 to A10 (example on the slide: A1, PCI, SQL Injection / SQLi, SQL Injection Character Anomaly Usage)
- Attack classes: SQL Injection, Cross-site Scripting, Local File Inclusion, PHP Injection, Remote File Inclusion, HTTP, Exploit kit
- External references: CAPEC, CVE, WASCTC, PCI, CC Leakage
- Targets: Wordpress, Server, Webapp, SharePoint Apps

Slide 29

Tag prefixes used in the protection rule list
- OWASP-*: OWASP ModSecurity Core Rule Set (CRS, CRS3) & OWASP Top 10
- CAPEC: Common Attack Pattern Enumeration & Classification (CAPEC), maintained by MITRE
- CVE-*: Common Vulnerabilities and Exposures (CVE), maintained by MITRE
- WASCTC: WASC Threat Classification, by the Web Application Security Consortium (WASC)
- Oracle: (description lost)

Slide 30

Example: finding the SQL Injection rules
1. On the protection rule reference page, use Ctrl+F to search for "SQL Injections"
2. Identify the corresponding OCI rule IDs (label lost)

Slide 31

CRS: CRS3 versus the older CRS v2.2.9 (labels lost)
Core Rule Set on GitHub: https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.2/master/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf

Slide 32

OCI Web Application Firewall and the OWASP Core Rule Set (CRS)
- CRS 2.2.9: False Positives
- CRS 3.0: fewer False Positives than ver. 2.2.9
- CRS 3.1
- CRS 3.2
Releases: https://github.com/SpiderLabs/owasp-modsecurity-crs/releases
Slide note: CRS 3.0 reduced False Positives compared with earlier CRS (remaining text lost)

Slide 33

References
- OCI Web Application Firewall protection rule IDs: https://docs.cloud.oracle.com/ja-jp/iaas/Content/WAF/Reference/protectionruleids.htm
- OWASP ModSecurity Core Rule Set (CRS), OWASP GitHub: https://coreruleset.org
- Common Attack Pattern Enumeration & Classification (CAPEC): https://capec.mitre.org
- Common Vulnerabilities and Exposures (CVE): https://cve.mitre.org
- WASC Threat Classification (WASCTC): http://projects.webappsec.org/w/page/13246927/FrontPage

Slide 34

Web (slide title fragment; remaining content lost)

Slide 35

Thank you
