Slide 1

TRIALS & TRIBULATIONS OF WAF
Mark Hillick - @markofu
Thursday 20 May 2010

Slide 2

awk -F: '/root/ {print $5}' /etc/passwd    # print the GECOS (full name) field of the root entry
Mark Hillick

Slide 3

PHASES
- Introduction
- Starting Out
- Design
- Test
- Implementation
- Post-Implementation

Slide 4

INTRODUCTION - WHAT IS A WAF?

Slide 5

INTRODUCTION - WAF TODAY?
- WAF Marketplace
- Maturing
- Compliance
- Boo

Slide 6

INTRODUCTION - WAF TODAY?
"WAF deployments were initially propelled by PCI ... but are now increasingly driven by security best practices."
Source: Forrester 2010

Slide 7

INTRODUCTION - NUMBERS
- $200 million
- 20%

Slide 8

INTRODUCTION - VENDORS
- Software/Hardware
- Commercial/Open Source

Slide 9

INTRODUCTION - EH???? WHAT????
- XSS
- XSRF
- SQL Injection
- APT
- Zero Day
- Click Jacking
- Cookie/Session Hijacking

Slide 10

INTRODUCTION - COMPETITORS
- IDS
- Reverse Proxy
- IPS
- Network FW
- Proxy
- Secure Code

Slide 11

INTRODUCTION - PRE-SALES
- Know your subject
- Question, Ask, Query, Demand
- Plan, Test, Plan, Test

Slide 12

STARTING OUT - GOAL

Slide 13

STARTING OUT - RESEARCH
Research -> knowledge & understanding

Slide 14

STARTING OUT - STATISTICS
"6.5 times more expensive to fix a flaw in development than during design, 15 times more in testing, and 100 times more in development."
Source: http://2010survey.whitehatimperva.com/

Slide 15

STARTING OUT - INTERNAL SELL (1)
Technical issues in business language (e.g. just-in-time patching) and a bit of

Slide 16

STARTING OUT - INTERNAL SELL (2)
- Know your costs
- Advantages over cheaper alternatives!

Slide 17

STARTING OUT - INTERNAL SELL (3)
"There is a disconnect between the acknowledgement of security issues and the willingness to fix them."
Source: The HP Security Laboratory Blog

Slide 18

STARTING OUT - INTERNAL SELL (4)
- Do not oversell
- WAF != unhackable

Slide 19

STARTING OUT - PLAN (1)
I love it when......
Copyright © NBC

Slide 20

STARTING OUT - PLAN (2)
WANTED!!!! Owner/Champion/Lover

Slide 21

STARTING OUT - PLAN (3)

Slide 22

STARTING OUT - PLAN (4)
- UAT & SDLC
- Configuration - Delegation?
- Alerting
- Incident Response Plan
- Logging & Analysis
- Reporting

Slide 23

TEST - TEST
SOURCE: http://www.flickr.com/photos/kodomut/

Slide 24

TEST - SDLC
- How does it change?
- When?
- Who?

Slide 25

TEST - OPERATIONAL
Not what you want, is it?

Slide 26

TEST - FUNCTIONAL
- Functional
- Generic
- Specific
SOURCE: http://www.flickr.com/photos/54724780@N00/

Slide 27

TEST - STRESS
STRESS == LEARNING
SOURCE: http://www.flickr.com/photos/54724780@N00/

Slide 28

TEST - THE FUN 'BIT'
Does it work.......
SOURCE: http://nmap.org/movies.html
Copyright © Warner Bros.

Slide 29

TEST - POLICY
- Administration Policy
- Who has access?
- Delegation?
- Change Management - different?
- Incident Response Plan?
- What is an Incident?

Slide 30

IMPLEMENTATION - PLAN
Plan B?
Copyright © Fox

Slide 31

IMPLEMENTATION - ALMOST
Almost there, don't cut corners!
COMPLETE TESTING FULLY!!!!!

Slide 32

IMPLEMENTATION - SET-UP
- +ve Security Model
- Transparent
- Informational Logging
- Generic versus Specific
- Analysis
- Reporting

Slide 33

IMPLEMENTATION - READ
Check your logs!!!

Slide 34

IMPLEMENTATION - HACK
External Testing

Slide 35

IMPLEMENTATION
- Transparent -> Blocking
- Generic -> Specific

Slide 36

POST-IMPLEMENTATION - WAF
Your infrastructure has changed!!
- Patching
- Policy Changes
- Application Upgrades

Slide 37

POST-IMP - STILL, OH YES?
- SDLC
- Network Firewall & ACLs
- Code Analysis
- Penetration & Vulnerability Testing
- Incident Response Plan???? -> Incident? What?

Slide 38

POST-IMP - TICK TOCK, NO MORE!!

Slide 39

POST-IMP - USE IT!
NO!!!!!!

Slide 40

POST-IMPLEMENTATION - STILL?
As someone else once said!!

Slide 41

RESOURCES
- SANS Reading Room (Scareware via Web App exploit)
- SANS, OWASP, WebAppSec
- Web 2.0 -> Blogs, Twitter
- Vendor Sites

Slide 42

CONCLUSION - WAF
- Extra layer of defence but also admin
- Can be an excellent and effective solution
- Is it what I need?
- Only a part of defence-in-depth!!!!