On-demand recording: https://nginx.webex.com/nginx/lsr.php?RCID=e62ece89fb21133d312f02af7be8e2c0
The NGINX Plus with ModSecurity WAF (web application firewall) protects your applications from a wide variety of threats, including DDoS and Layer 7 attacks. Improve application uptime, block malicious users, and log crucial data about suspicious transactions with this new offering from NGINX.
The NGINX Plus with ModSecurity WAF is built on a new architecture, offered first to NGINX Plus customers. Our new WAF will help you protect your site against top threats and comply with PCI-DSS Requirement 6.6.
Join us in this webinar to learn:
* The top security attacks against websites
* How much attacks are increasing and why
* How a WAF adds to your site's security protection
* How NGINX Plus with ModSecurity WAF works, in a live demo
Secure Your Apps with NGINX Plus and the ModSecurity WAF
1. MORE INFORMATION AT NGINX.COM
NGINX Plus with
ModSecurity WAF
Protect your applications
2. MORE INFORMATION AT NGINX.COM
Faisal Memon
Product Marketer at NGINX, Inc.
Formerly:
- Technical Marketing Engineer, Riverbed
- Software Developer, Cisco Systems
Eric Lugo
Technical Solutions Architect at NGINX, Inc.
Formerly:
- Solutions Engineer, Cloudflare
3. MORE INFORMATION AT NGINX.COM
• First OSS release in 2004
• Company founded in 2011
• VC-backed by industry leaders
• 190+ million open source users
• 1,000+ customers
• 120+ employees
Igor Sysoev, NGINX creator and founder
4. MORE INFORMATION AT NGINX.COM
The Current Security Climate
• 50% increase in web app attacks and 125% increase in DDoS in the past year
• Krebs on Security – 620 Gbps DDoS attack using hacked IoT devices
• Mirai source code released
• Dyn hit with DDoS using Mirai
• Adult Friend Finder – User data compromised by LFI attack
• Democratic National Committee (DNC) – Emails hacked and released
• Conspiracy against Bernie Sanders revealed
• Head of DNC and 3 others forced to resign
• Code Spaces – Went out of business after data deleted by attacker
5. MORE INFORMATION AT NGINX.COM
Protecting Yourself
• Restrict recursive DNS requests to local hosts only
• Proactively keep PCs and endpoints patched and up-to-date
• Change all passwords to something not in a dictionary
• Don’t use the same password for everything
• Sanitize all input to web apps
• Use two-factor authentication
6. MORE INFORMATION AT NGINX.COM
Protecting Yourself
• CDN services that can absorb large scale DDoS attacks
• Akamai, Cloudflare, Google Shield, etc.
• Network firewall
• Palo Alto, Check Point, Cisco, pfSense, etc.
• Intrusion Prevention/Detection Systems (IPS/IDS)
• Security Information and Event Management (SIEM)
• Secure Web Gateway
• Web application firewall (WAF)
7. MORE INFORMATION AT NGINX.COM
Comprehensive Protection for Critical Apps and Data
• SQL injection (SQLi)
• Local file inclusion (LFI)
• Remote file inclusion
(RFI)
• Remote code execution
(RCE)
• Cross-site request forgery
(CSRF)
• Cross-site scripting (XSS)
• Credit card leakages
• HTTP protocol violations
8. MORE INFORMATION AT NGINX.COM
ModSecurity Background
“...even when you understand web security it is difficult to produce secure
code, especially when working under the pressure so common in today’s
software development projects.”
—Ivan Ristic, ModSecurity creator
• Initial open source release in 2002
• Used by tens of thousands of websites today
• Over 3,000 downloads/month
• Large, active, and enthusiastic community backing
9. MORE INFORMATION AT NGINX.COM
Why NGINX Plus with ModSecurity WAF?
• Cut costs
• Over 66% savings in 5 year TCO vs. Imperva
• Software flexibility
• Deploy on bare metal, containers, and public cloud
• Easy Deployment
• Install on standard Linux servers
• Application delivery and security in one place
• Open platform
• Standard PCRE regex based rules language
• PCI-DSS Requirement 6.6 compliance
10. MORE INFORMATION AT NGINX.COM
How to get ModSecurity WAF?
• Currently for non-production usage only
• Based on early ModSecurity 3.0 release candidate
• Email sales@nginx.com for access
12. MORE INFORMATION AT NGINX.COM
OWASP
• “Open Web Application Security Project”
• Non-profit organization, providing OpenSource Tools
• Core Rule Set (CRS)
• Generic Rules
• Base line for any app server
• Low risk of False-Positives
• Protects
• SQL Injection (SQLi)
• Cross Site Scripting (XSS)
• Many other attacks
• Last update 2013
• Researching for 2017 list
• Support for CRS included with subscription
13. MORE INFORMATION AT NGINX.COM
Performance
• Only run ModSecurity for Dynamic content
• Bypass OWASP security rules for static assets and Cache them!
• Images, CSS, JS, PDF, and other Media files
• Use NGINX Rate-limiting
14. MORE INFORMATION AT NGINX.COM
Caveats, Current State, and Missing Pieces
• Public Blacklist
• IP Reputation, Spamhaus, Project Honeypot, etc.
• Response/Request Body Stream
• On the fly HTML/json/xml body Rewriting
• DoS protection
• ModSecurity for NGINX does not include DoS protection
• NGINX can already do this with limit_req_zone
16. MORE INFORMATION AT NGINX.COM
Summary
• All applications are now targets for attackers
• NGINX Plus with ModSecurity WAF protects against a broad range of
attacks
• Cut costs and gain flexibility compared to other leading WAFs
• ModSecurity has 5 processing phases and is anchored by the OWASP Core
rule set
• Improve performance by bypassing static content
• Email sales@nginx.com to get early access
Editor's Notes
NGINX the popular open source web server, load balancer, content, and just a great multi purpose tool
Used by 169 million websites today and has seen growth of 37% in just the past year
Originally created by Igor Sysoev to help handle the onslaught of new users he and other website owners were experiencing in the late 90’s and early 2000’s as the internet really became more mainstream.
Company founded in 2011
Over $40 million total funding
$8 million series B in April
From here, we'll go more into the high-level technical features of ModSecurity. First is how ModSecurity process each request.
The first two phases are part of the HTTP Request; Request Headers, and Request Body.
Phase 1 rule would be useful for blocking referers, host, or even exceptions for specific host headers. For example, you didn't want a rule to run for your internal qa testing domain, but all other rules needed to run.
Phase 2 looks at the request body, such as form fields, or json and xml request.
A lot of the OWASP Top 10 rules will be processed here, such as SQL injection, and Cross Site Scripting rules. Most if not all of your rules will be processed at phase 2, and since phases are cumulative, Request Headers are included in Phase 2.
Phase 3 and 4 are part of the response processes. Phase 4 allows ModSecurity to inspect outgoing traffic, such as monitoring Password dumps, Social Security or Credit Card numbers. And again, since phases are cumulative, Phase 3 and 4, run phase 1 and 2 as well.
Phase 5 allows you to modify how/where modsecurity is logged
OWASP or Open Web Application Security Project is a non-profit organization that provide Open Source and free to use tools from a large community of users.
OWASP has a list of top 10 common vulnerabilities,which is updated every couple of years. The last time the list was updated was 2013.
A survey was conducted earlier this year to compile a new list for 2017, which is currently in the researching phase.
OWASP has a rule set to protect your application from these common vulnerabilities called CRS or “Core Ruleset”
This ruleset is a base line for any app server, with low risk of false positives.
These rules include protection against SQL Injection, Cross Site Scripting, and other common vulnerabilities
A ModSecurity subscription with nginx plus includes support for the OWASP CRS.
ModSecurity, specifically the Core Ruleset can cause performance degradation. These rules may run through lots or Regular Expression for each request, because of this, you should only run ModSecurity for you dynamic assets, HTML, PHP, files. And bypass ModSecurity for your static assets, such as your images, css, js, fonts, and videos. Because NGINX also has caching feature, you should also be caching these assets.
This following example shows a configuration for security and performance.
The first block shows ModSecurity being turned on for all request, and it’s using the limit_req zone dynamic, more on this in the next slide.
The second block is an exception to the first block, which is using the limit_req zone static, uses caching, and does not have ModSecurity enabled.
ModSecurity for NGINX plus is currently in a Preview mode, and is using the latest version of ModSecurity, version 3.
It has several feature parity pieces that are not included in the latest version 3 release. This include featuressuch as public blacklist, like Spamhaus or Project Honeypot.
Body Streaming, currently the body will need to be fully blocked. In a future release, this will allow for on the fly rewriting without blocking the entire response, such as modifying a credit card number.
DoSprotection, which can be done with nginx's limit_req_zone.
From our previous configuration, this is where we would set the threshold for our rate limiting. The following example allows a single IP address to request a dynamic file 50 times per second and static files (images, js, css, etc) at 1000 times per second, on average.
Because of the missing feature parity and ModSecurity has the ability to block legitimate traffic we recommend that you test ModSecurity out in a staging environment for at least one month before going live to verify there are no anomalies or false positives. We also recommend that you test out any custom rules you may be porting over from an older version of ModSecurity during this time.
Installation and Configuration
https://docs.google.com/document/d/1h-5y_gEAdfrcJJK3kdCJzlp-zYL1hc8Ejy2hqKpkb4c/edit#
https://raw.githubusercontent.com/SpiderLabs/ModSecurity/master/modsecurity.conf-recommended
OWASP Rulesets
https://github.com/SpiderLabs/owasp-modsecurity-crs/tree/v3.0.0-rc2
I’ve created a couple of Custom Rulesets to give you an idea of how
Query String
Bad Referrers
User-Agents
Show:
Let’s see how these would work in the real world
http://mywaf.com/?query=bad
http://badsite.xyz/bad/
curl -sv '127.0.0.1' -H 'User-Agent:’
curl -sv '127.0.0.1' -H 'User-Agent: 1' -H 'User-Agent: 2'
Nitkos Tool
Nitkos tool is a tool used for common vulnerabilities. This can run for a bit of time, so I’ll only run the top ones.
perl program/nikto.pl -h localhost -Tuning 1234567890abcdex -C none
Alerting Logging
Before we go to our Q&A, In summary we went over
How ModSecurity processes a request, in phases
ModSecurity and The Core rulesets supported by NGINX plus
Being mindful of performance
And before going live, modsecurity is ran through intensive QA for the core rule sets and your custom rules.