Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (17)
Similar to Secure Your Apps with NGINX Plus and the ModSecurity WAF
Similar to Secure Your Apps with NGINX Plus and the ModSecurity WAF (20)
More from NGINX, Inc.
More from NGINX, Inc. (20)
Recently uploaded
Recently uploaded (20)
Secure Your Apps with NGINX Plus and the ModSecurity WAF
- 1. MORE INFORMATION AT NGINX.COM NGINX Plus with ModSecurity WAF Protect your applications
- 2. MORE INFORMATION AT NGINX.COM Faisal Memon Product Marketer at NGINX, Inc. Formerly: - Technical Marketing Engineer, Riverbed - Software Developer, Cisco Systems Eric Lugo Technical Solutions Architect at NGINX, Inc. Formerly: - Solutions Engineer, Cloudflare
- 3. MORE INFORMATION AT NGINX.COM • First OSS release in 2004 • Company founded in 2011 • VC-backed by industry leaders • 190+ million open source users • 1,000+ customers • 120+ employees Igor Sysoev, NGINX creator and founder
- 4. MORE INFORMATION AT NGINX.COM The Current Security Climate • 50% increase in web app attacks and 125% increase in DDoS in the past year • Krebs on Security – 620 Gbps DDoS attack using hacked IoT devices • Mirai source code released • Dyn hit with DDoS using Mirai • Adult Friend Finder – User data compromised by LFI attack • Democratic National Committee (DNC) – Emails hacked and released • Conspiracy against Bernie Sanders revealed • Head of DNC and 3 others forced to resign • Code Spaces – Went out of business after data deleted by attacker
- 5. MORE INFORMATION AT NGINX.COM Protecting Yourself • Restrict recursive DNS requests to local hosts only • Proactively keep PCs and endpoints patched and up-to-date • Change all passwords to something not in a dictionary • Don’t use the same password for everything • Sanitize all input to web apps • Use two-factor authentication
- 6. MORE INFORMATION AT NGINX.COM Protecting Yourself • CDN services that can absorb large scale DDoS attacks • Akamai, Cloudflare, Google Shield, etc. • Network firewall • Palo Alto, Check Point, Cisco, pfSense, etc. • Intrusion Prevention/Detection Systems (IPS/IDS) • Security Information and Event Management (SIEM) • Secure Web Gateway • Web application firewall (WAF)
- 7. MORE INFORMATION AT NGINX.COM Comprehensive Protection for Critical Apps and Data • SQL injection (SQLi) • Local file inclusion (LFI) • Remote file inclusion (RFI) • Remote code execution (RCE) • Cross-site request forgery (CSRF) • Cross-site scripting (XSS) • Credit card leakages • HTTP protocol violations
- 8. MORE INFORMATION AT NGINX.COM ModSecurity Background “...even when you understand web security it is difficult to produce secure code, especially when working under the pressure so common in today’s software development projects.” —Ivan Ristic, ModSecurity creator • Initial open source release in 2002 • Used by tens of thousands of websites today • Over 3,000 downloads/month • Large, active, and enthusiastic community backing
- 9. MORE INFORMATION AT NGINX.COM Why NGINX Plus with ModSecurity WAF? • Cut costs • Over 66% savings in 5 year TCO vs. Imperva • Software flexibility • Deploy on bare metal, containers, and public cloud • Easy Deployment • Install on standard Linux servers • Application delivery and security in one place • Open platform • Standard PCRE regex based rules language • PCI-DSS Requirement 6.6 compliance
- 10. MORE INFORMATION AT NGINX.COM How to get ModSecurity WAF? • Currently for non-production usage only • Based on early ModSecurity 3.0 release candidate • Email sales@nginx.com for access
- 11. MORE INFORMATION AT NGINX.COM ModSecurity Processing Phases
- 12. MORE INFORMATION AT NGINX.COM OWASP • “Open Web Application Security Project” • Non-profit organization, providing OpenSource Tools • Core Rule Set (CRS) • Generic Rules • Base line for any app server • Low risk of False-Positives • Protects • SQL Injection (SQLi) • Cross Site Scripting (XSS) • Many other attacks • Last update 2013 • Researching for 2017 list • Support for CRS included with subscription
- 13. MORE INFORMATION AT NGINX.COM Performance • Only run ModSecurity for Dynamic content • Bypass OWASP security rules for static assets and Cache them! • Images, CSS, JS, PDF, and other Media files • Use NGINX Rate-limiting
- 14. MORE INFORMATION AT NGINX.COM Caveats, Current State, and Missing Pieces • Public Blacklist • IP Reputation, Spamhaus, Project Honeypot, etc. • Response/Request Body Stream • On the fly HTML/json/xml body Rewriting • DoS protection • ModSecurity for NGINX does not include DoS protection • NGINX can already do this with limit_req_zone
- 15. MORE INFORMATION AT NGINX.COM Demo
- 16. MORE INFORMATION AT NGINX.COM Summary • All applications are now targets for attackers • NGINX Plus with ModSecurity WAF protects against a broad range of attacks • Cut costs and gain flexibility compared to other leading WAFs • ModSecurity has 5 processing phases and is anchored by the OWASP Core rule set • Improve performance by bypassing static content • Email sales@nginx.com to get early access
Editor's Notes
- NGINX the popular open source web server, load balancer, content, and just a great multi purpose tool Used by 169 million websites today and has seen growth of 37% in just the past year Originally created by Igor Sysoev to help handle the onslaught of new users he and other website owners were experiencing in the late 90’s and early 2000’s as the internet really became more mainstream. Company founded in 2011 Over $40 million total funding $8 million series B in April
- From here, we'll go more into the high-level technical features of ModSecurity. First is how ModSecurity process each request. The first two phases are part of the HTTP Request; Request Headers, and Request Body. Phase 1 rule would be useful for blocking referers, host, or even exceptions for specific host headers. For example, you didn't want a rule to run for your internal qa testing domain, but all other rules needed to run. Phase 2 looks at the request body, such as form fields, or json and xml request. A lot of the OWASP Top 10 rules will be processed here, such as SQL injection, and Cross Site Scripting rules. Most if not all of your rules will be processed at phase 2, and since phases are cumulative, Request Headers are included in Phase 2. Phase 3 and 4 are part of the response processes. Phase 4 allows ModSecurity to inspect outgoing traffic, such as monitoring Password dumps, Social Security or Credit Card numbers. And again, since phases are cumulative, Phase 3 and 4, run phase 1 and 2 as well. Phase 5 allows you to modify how/where modsecurity is logged
- OWASP or Open Web Application Security Project is a non-profit organization that provide Open Source and free to use tools from a large community of users. OWASP has a list of top 10 common vulnerabilities,which is updated every couple of years. The last time the list was updated was 2013. A survey was conducted earlier this year to compile a new list for 2017, which is currently in the researching phase. OWASP has a rule set to protect your application from these common vulnerabilities called CRS or “Core Ruleset” This ruleset is a base line for any app server, with low risk of false positives. These rules include protection against SQL Injection, Cross Site Scripting, and other common vulnerabilities A ModSecurity subscription with nginx plus includes support for the OWASP CRS.
- ModSecurity, specifically the Core Ruleset can cause performance degradation. These rules may run through lots or Regular Expression for each request, because of this, you should only run ModSecurity for you dynamic assets, HTML, PHP, files. And bypass ModSecurity for your static assets, such as your images, css, js, fonts, and videos. Because NGINX also has caching feature, you should also be caching these assets. This following example shows a configuration for security and performance. The first block shows ModSecurity being turned on for all request, and it’s using the limit_req zone dynamic, more on this in the next slide. The second block is an exception to the first block, which is using the limit_req zone static, uses caching, and does not have ModSecurity enabled.
- ModSecurity for NGINX plus is currently in a Preview mode, and is using the latest version of ModSecurity, version 3. It has several feature parity pieces that are not included in the latest version 3 release. This include featuressuch as public blacklist, like Spamhaus or Project Honeypot. Body Streaming, currently the body will need to be fully blocked. In a future release, this will allow for on the fly rewriting without blocking the entire response, such as modifying a credit card number. DoSprotection, which can be done with nginx's limit_req_zone. From our previous configuration, this is where we would set the threshold for our rate limiting. The following example allows a single IP address to request a dynamic file 50 times per second and static files (images, js, css, etc) at 1000 times per second, on average. Because of the missing feature parity and ModSecurity has the ability to block legitimate traffic we recommend that you test ModSecurity out in a staging environment for at least one month before going live to verify there are no anomalies or false positives. We also recommend that you test out any custom rules you may be porting over from an older version of ModSecurity during this time.
- Installation and Configuration https://docs.google.com/document/d/1h-5y_gEAdfrcJJK3kdCJzlp-zYL1hc8Ejy2hqKpkb4c/edit# https://raw.githubusercontent.com/SpiderLabs/ModSecurity/master/modsecurity.conf-recommended OWASP Rulesets https://github.com/SpiderLabs/owasp-modsecurity-crs/tree/v3.0.0-rc2 I’ve created a couple of Custom Rulesets to give you an idea of how Query String Bad Referrers User-Agents Show: Let’s see how these would work in the real world http://mywaf.com/?query=bad http://badsite.xyz/bad/ curl -sv '127.0.0.1' -H 'User-Agent:’ curl -sv '127.0.0.1' -H 'User-Agent: 1' -H 'User-Agent: 2' Nitkos Tool Nitkos tool is a tool used for common vulnerabilities. This can run for a bit of time, so I’ll only run the top ones. perl program/nikto.pl -h localhost -Tuning 1234567890abcdex -C none Alerting Logging
- Before we go to our Q&A, In summary we went over How ModSecurity processes a request, in phases ModSecurity and The Core rulesets supported by NGINX plus Being mindful of performance And before going live, modsecurity is ran through intensive QA for the core rule sets and your custom rules.