delivery-ch-open-waf-v1.0

Presentation Transcript

  • Open Source Apache <WAF> Web Application Firewall
    Ivan Bütler - E1, Compass Security AG | ivan.buetler@csnc.ch
    Switzerland - Germany
    Compass Security AG, Glärnischstrasse 7, Postfach 1628, CH-8640 Rapperswil
    Tel. +41 55-214 41 60, Fax +41 55-214 41 61, team@csnc.ch, www.csnc.ch
  • E1 - Who am I
    - Ivan Bütler, Uznach
    - Speaker at Blackhat 2008 Las Vegas
    - Born 31.12.1970
    - Founder of Compass Security AG
    - Founder of Swiss Cyber Storm II
    - Passionate Security Researcher
    - Husband of Cornelia and father of Tim and Nick (6 & 8)
    - Proud Swiss Citizen
    © Compass Security AG www.csnc.ch Page 2
  • Compass Security AG - Team
  • Compass Security - Overview
  • Goals of this Talk
    - Understanding the demand for a Web App Firewall
    - How to build an Open Source Apache Entry Server
    - Understanding the Components
    - Understanding Pros & Cons
    - Understanding Pitfalls
  • Attacking for Fun and Profit
  • Direct Attacks: Where do you expect the attackers? (diagram: BLOCKED / PASSED / BLOCKED)
  • Indirect Attacks (I): Man in the Middle - Phishing
  • Indirect Attacks (II): Malware - Mobile Devices - W-LAN: Bypassing Perimeter Protection
  • Level 1: Reverse Proxy / Level 2: Web Application Firewall / Level 3: Entry Server
  • Situations without a Reverse Proxy: Direct Access to the Public Web Applications
    - More firewall ports opened
    - Applications directly accessible
  • Reverse Proxy Setup: Reverse Proxy Access to Public Web Applications
    - Applications "protected" behind the reverse proxy
  • Reverse Proxy Setup
    - Allows hiding different applications behind a single server
    - Single point of entry
    - (diagram: Browser -- http/https --> Reverse Proxy Server (Cert) -- http --> WebSphere / IIS / WebLogic)
  • OWASP Top 10 (Q4 2007)
    - A1 Cross Site Scripting
    - A2 Injection Flaws (SQLi)
    - A3 Malicious File Execution (RFI)
    - A4 Insecure Direct Object Reference
    - A5 Cross Site Request Forgery
    - A6 Information Leakage
    - A7 Broken Auth & Session Management
    - A8 Insecure Cryptographic Storage
    - A9 Insecure Communications
    - A10 Failure to restrict URL Access
  • Commercial Products? (this is not a complete list!)
    - United Security Providers (USP) SES
    - Phion/Visonys AirLock
    - AdNovum Nevis
    - IBM Tivoli Access Manager (a.k.a. WebSEAL)
    - NetContinuum Application Security Gateway
    - Cisco ACE Web Application Firewall
    - Microsoft ISA Server
    - ...
  • Open Source Entry Server
  • Cooking Recipe
    - Apache Core Web Server: http://httpd.apache.org
    - Apache Firewall Module mod_security: http://www.modsecurity.org
    - Apache Content Rewriting Module mod_replace: visit Swiss Cyber Storm (www.hacking-lab.com)
    - Apache Entry Server Module mod_but: visit Swiss Cyber Storm (www.hacking-lab.com)
    - Apache Forensic Module: within Apache core, mod_forensic & mod_unique_id
  • Demo "Setup Reverse Proxy"
  • Reverse Proxy Small Feature List
    - SSL Termination
    - Content Rewriting
    - Intrusion Detection & Prevention
    - Forensic Logging
    - Secure Session Management
    - Pre-Authentication & Single-Sign On
    - Service Authorization
  • Reverse Proxy: SSL Termination (Apache mod_ssl & mod_proxy)
        SSLEngine On
        SSLProxyEngine On
        SSLCertificateFile conf/server.crt
        SSLCertificateKeyFile conf/server.key
        SSLProtocol +TLSv1 +SSLv3 -SSLv2
        SSLCipherSuite RC4-SHA:RC4-MD5:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!SSLv2:!EXP
        SSLOptions +StdEnvVars +ExportCertData
        SSLSessionCache shm:ssl/ssl_scache(512000)
        SSLSessionCacheTimeout 18000
  • Reverse Proxy: SSL Termination (Apache mod_ssl & mod_proxy)
        ProxyPass /app1 http://10.1.200.34:8899/
        ProxyPassReverse /app1 http://10.1.200.34:8899/
        ProxyPass /app2 http://10.1.200.77:8080/
        ProxyPassReverse /app2 http://10.1.200.77:8080/
  • Reverse Proxy: SSL Termination - How do you deny weak browsers from your application?
    - Option 1: a hardened cipher suite within the application, or hardening CipherSuite in httpd.conf:
        SSLCipherSuite RC4-SHA:RC4-MD5:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!SSLv2:!EXP
    - I do not recommend hardened cipher suites! Error messages on SSL are not user friendly!
    - Therefore, I recommend application level checks using mod_headers: a human friendly error message is generated by the backend application when the browser does not fulfil the cipher strength.
        RequestHeader append SSL_CIPHER "%{SSL_CIPHER}e"
    - Evaluate the SSL_CIPHER within the application "behind" the proxy
  • Reverse Proxy: SSL Termination - forwarding the SSL parameters to the backend
        RequestHeader append SSL_PROTOCOL "%{SSL_PROTOCOL}e"
        RequestHeader append SSL_SESSION_ID "%{SSL_SESSION_ID}e"
        RequestHeader append SSL_CIPHER "%{SSL_CIPHER}e"
        RequestHeader append SSL_CIPHER_ALGKEYSIZE "%{SSL_CIPHER_ALGKEYSIZE}e"
        RequestHeader append SSL_CIPHER_EXPORT "%{SSL_CIPHER_EXPORT}e"
        RequestHeader append SSL_CIPHER_USEKEYSIZE "%{SSL_CIPHER_USEKEYSIZE}e"
        RequestHeader append SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}e"
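The application-level check the slides recommend, as an added Python example that is not from the talk or from any of the modules it names: the backend evaluates the SSL_* request headers the proxy forwards with RequestHeader append and answers with a human-friendly message. The minimum key size and the accepted protocol are assumed policy values.

```python
# Added example (not from the slides): backend-side evaluation of the SSL_*
# request headers that the reverse proxy forwards with "RequestHeader append",
# returning a user-friendly verdict instead of a raw TLS handshake failure.
# The policy constants are assumptions.
MIN_KEY_BITS = 128                 # assumed minimum symmetric key size
ALLOWED_PROTOCOLS = {"TLSv1"}      # assumed: the application refuses SSLv3
TLS_HEADERS = ("SSL_PROTOCOL", "SSL_CIPHER",
               "SSL_CIPHER_USEKEYSIZE", "SSL_CIPHER_EXPORT")


def check_tls_headers(headers):
    """Return (ok, message) for the TLS parameters forwarded by the proxy.

    `headers` maps request header names to values as the backend sees them.
    """
    # "RequestHeader append" merges with a same-named header sent by the
    # client, joining both values with ", ".  A comma therefore means the
    # client supplied its own SSL_* header: refuse rather than trust it.
    for name in TLS_HEADERS:
        if "," in headers.get(name, ""):
            return False, f"Unexpected {name} header in request"

    proto = headers.get("SSL_PROTOCOL", "")
    cipher = headers.get("SSL_CIPHER", "")
    keysize = headers.get("SSL_CIPHER_USEKEYSIZE", "")
    export = headers.get("SSL_CIPHER_EXPORT", "").lower()

    if not proto or not cipher or not keysize.isdigit():
        # Headers absent: the request did not arrive through the SSL proxy.
        return False, "This application is only available over HTTPS via the entry server"
    if proto not in ALLOWED_PROTOCOLS:
        return False, f"Your browser connected with {proto}; please enable TLS and try again"
    if export == "true" or int(keysize) < MIN_KEY_BITS:
        return False, (f"Your browser negotiated {cipher} ({keysize}-bit encryption); "
                       f"at least {MIN_KEY_BITS}-bit encryption is required. "
                       "Please update your browser.")
    return True, f"{proto} {cipher} ({keysize} bit)"
```

Using `RequestHeader set` instead of `append` on the proxy avoids the merge with client-supplied headers altogether; the comma check covers the configuration as shown on the slides.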
  • Reverse Proxy: Content Rewriting - Problem
    - Backend application includes absolute href links, for example http://backend/index.html
    - Backend application secures the cookies: domain restrictions, path restrictions, expiration restrictions
    - Backend application uses another protocol than the reverse proxy: fix up http to https links, absolute URLs, redirections / Location headers (302 Temporary Moved)
    - Why not use mod_rewrite? Because mod_rewrite does not allow parsing and search/replace on the body of an HTTP request or response
  • Reverse Proxy: Content Rewriting
    - Why not use mod_substitute? Within the Apache core since 2.2.7, it performs search and replace operations on response bodies, but has no support for response headers, request headers or request bodies
    - Therefore, I recommend mod_replace: request header replacement, request body replacement, response header replacement, response body replacement
        ReplaceFilterDefine myproxy1 CaseIgnore
        ReplacePattern myproxy1 "glocken.hacking-lab.com" "192.168.200.130"
        ReplacePattern myproxy1 "https" "http"
        HeaderReplacePattern myproxy1 Location "glocken.hacking-lab.com" "192.168.200.130"
        HeaderReplacePattern myproxy1 Location "https" "http"
        HeaderReplacePattern myproxy1 Set-Cookie "Secure" ""
        SetOutputFilter myproxy1
  • Demo "Web Firewall" mod_security
  • Reverse Proxy Small Feature List (agenda slide, repeated): SSL Termination, Content Rewriting, Intrusion Detection & Prevention, Forensic Logging, Secure Session Management, Pre-Authentication & Single-Sign On, Service Authorization
  • Reverse Proxy: Intrusion Detection (Apache mod_security2)
        LoadModule security2_module modules/mod_security2.so
    - Basic configuration options:
        SecRuleEngine On
        SecRequestBodyAccess On
        SecResponseBodyAccess Off
        ..
        Include conf/modsecurity2/*.conf
    - Configure SecDefaultAction:
        SecDefaultAction "phase:2,log,deny,status:403,t:lowercase,t:replaceNulls,t:compressWhitespace"
  • Reverse Proxy: Forensic Logging - Correlation across tiers (simplified illustration)
  • Reverse Proxy: Forensic Logging - Who generates the Request ID (alias Unique_ID)? Apache mod_unique_id
    - Default log option in httpd.conf (without mod_unique_id):
        LogFormat "%h %l %u %t \"%r\" %>s %b" common
    - Web Application Firewall log option (with mod_unique_id):
        LogFormat "%{forensic-id}n %h %l %u %t \"%r\" %>s %b" common
        ForensicLog logs/forensic.log
    - Sending the Unique_ID as HTTP request header to the backend:
        RequestHeader append UNIQUE_ID "%{UNIQUE_ID}e"
  • Reverse Proxy: Forensic Logging - Unique ID in access.log
        SYq7yX8AAQEAAGOqIicAAAAA 192.168.200.10 - - [05/Feb/2009:11:13:29 +0100] "GET /webapp/but/EchoRequest HTTP/1.1" 404 329
    Unique ID in forensic.log:
        grep SYq7yX8AAQEAAGOqIicAAAAA forensic.log
        =========================================================================
        +SYq7yX8AAQEAAGOqIicAAAAA|GET /webapp/but/EchoRequest HTTP/1.1|Host:192.168.200.130|User-Agent:Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv%3a1.8.0.4) Gecko/20060508 Firefox/1.5.0.4|Accept:text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5|Accept-Language:en-us,en;q=0.5|Accept-Encoding:gzip,deflate|Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.7|Keep-Alive:300|Connection:keep-alive|Cookie:MOD_BUT=wCUN+1DgcvG7qDM+KI+9YXveU+5bwygb|Cache-Control:max-age=0
        -SYq7yX8AAQEAAGOqIicAAAAA
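Correlating the two logs by Unique_ID, as an added Python example that is not part of the talk: it parses the access.log line in the LogFormat shown above and the +/- record pairs of forensic.log, undoes the %xx escaping mod_log_forensic applies inside header values, and reports requests that never completed. The sample lines are the ones from the slide plus one constructed entry.

```python
import re
from urllib.parse import unquote

# Sample input: the request from the slide plus one constructed entry
# (ID CONSTRUCTED0000000000000) that has a "+" record but no "-" record,
# i.e. a request that was received but never finished.
ACCESS_LOG = (
    'SYq7yX8AAQEAAGOqIicAAAAA 192.168.200.10 - - [05/Feb/2009:11:13:29 +0100] '
    '"GET /webapp/but/EchoRequest HTTP/1.1" 404 329\n'
)
FORENSIC_LOG = (
    "+SYq7yX8AAQEAAGOqIicAAAAA|GET /webapp/but/EchoRequest HTTP/1.1"
    "|Host:192.168.200.130"
    "|User-Agent:Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv%3a1.8.0.4)"
    " Gecko/20060508 Firefox/1.5.0.4"
    "|Cookie:MOD_BUT=wCUN+1DgcvG7qDM+KI+9YXveU+5bwygb|Cache-Control:max-age=0\n"
    "-SYq7yX8AAQEAAGOqIicAAAAA\n"
    "+CONSTRUCTED0000000000000|POST /webapp/upload HTTP/1.1|Host:192.168.200.130\n"
)

# Matches: LogFormat "%{forensic-id}n %h %l %u %t \"%r\" %>s %b"
ACCESS_RE = re.compile(
    r'^(?P<id>\S+) (?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)


def parse_forensic(text):
    """Return {unique_id: {"request", "headers", "completed"}} from forensic.log."""
    records = {}
    for line in text.splitlines():
        if line.startswith("+"):
            fields = line[1:].split("|")
            headers = {}
            for field in fields[2:]:
                name, _, value = field.partition(":")
                headers[name] = unquote(value)  # undo %xx escaping of ':' and '|'
            records[fields[0]] = {"request": fields[1], "headers": headers,
                                  "completed": False}
        elif line.startswith("-") and line[1:] in records:
            records[line[1:]]["completed"] = True   # the "-" record closes the request
    return records


def correlate(access_text, forensic_text):
    """Join forensic.log records with their access.log line via the Unique_ID."""
    records = parse_forensic(forensic_text)
    for line in access_text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            rec = records.setdefault(m["id"], {"request": m["request"],
                                               "headers": {}, "completed": False})
            rec["access"] = m.groupdict()
    return records


def unfinished(records):
    """Unique_IDs whose request never completed (no "-" record and no access line)."""
    return sorted(rid for rid, r in records.items()
                  if not r["completed"] and "access" not in r)
```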
  • Demo "Session Management" mod_but
  • Reverse Proxy Small Feature List (agenda slide, repeated): SSL Termination, Content Rewriting, Intrusion Detection & Prevention, Forensic Logging, Secure Session Management, Pre-Authentication & Single-Sign On, Service Authorization
  • Reverse Proxy: Session Management without a Session Store (Cookie Store) - reverse proxy, applications "protected" (diagram)
  • Reverse Proxy: Session Management with a Session Store (Session Hiding) - reverse proxy, applications "protected" (diagram)
  • Reverse Proxy: Pre-Authentication Zones
    - Public Zone: Login Server (anonymous access)
    - Private Zone: E-Business Applications (authentication is required)
    - (diagram: Internet -- FW -- Entry Tier -- FW -- Application; not authenticated requests go to the Login Service, only authenticated requests reach the Application)
  • Reverse Proxy: Pre-Authentication with DLS (Delegated Login Service)
    - Participants: Client, MOD_BUT, LDAP, Backend Application, DLS
    - Message sequence: /application -> Redirect Login Page -> POST LOGIN DATA -> authenticate() -> get LOGIN DATA for Backend App -> Username/Password for Backend App -> LOGIN into Backend App -> Login ok -> LOGON=ok -> OK
  • MOD_BUT Logon Cookie - Messages from Login Server to MOD_BUT
        LOGON=ok
        MOD_BUT_USERNAME=<$user>
        MOD_BUT_AUTH_STRENGTH=0,1,2
        MOD_BUT_SERVICE_LIST=regexp
        MOD_BUT_BACKEND_SESSION bname=a; bvalue=b; bclearance=c;
  • Reverse Proxy: Service Authorization
    - The user is granted permission for certain, but not all URLs behind the Reverse Proxy
    - Example: user is authorized for /upload, user is authorized for /admin, user is not authorized for /enterpriseadmin
    - The Login Server sends control cookies to the Reverse Proxy:
        Set-Cookie: LOGON=ok
        Set-Cookie: MOD_BUT_USERNAME=$username
        Set-Cookie: MOD_BUT_SERVICE_LIST=(^/12001(.*))
        Set-Cookie: MOD_BUT_AUTH_STRENGTH=0,1,2
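The control-cookie evaluation for pre-authentication and service authorization on the two slides above, as an added Python example that is not mod_but's code: it reads the Set-Cookie lines from the login server and decides per request whether the URL is covered by MOD_BUT_SERVICE_LIST and whether the auth strength suffices (step-up authentication). The matching semantics (regexp searched against the normalised path, strength compared numerically), the username and the service list values are assumptions built around the /upload, /admin, /enterpriseadmin example.

```python
import posixpath
import re

# Control cookies as the login server would return them to the reverse proxy.
# Username and service list are constructed for the slide's example.
LOGIN_SERVER_COOKIES = [
    "Set-Cookie: LOGON=ok",
    "Set-Cookie: MOD_BUT_USERNAME=alice",
    "Set-Cookie: MOD_BUT_SERVICE_LIST=(^/upload(.*))|(^/admin(.*))",
    "Set-Cookie: MOD_BUT_AUTH_STRENGTH=1",
]


def parse_control_cookies(set_cookie_lines):
    """Extract LOGON and MOD_BUT_* values from Set-Cookie header lines."""
    session = {}
    for line in set_cookie_lines:
        _, _, cookie = line.partition(":")
        name, sep, value = cookie.strip().partition("=")
        if sep and (name == "LOGON" or name.startswith("MOD_BUT_")):
            session[name] = value
    return session


def is_authorized(session, path, required_strength=0):
    """Decide whether the entry server may forward `path` for this session.

    Returns (allowed, reason).  Assumed semantics: LOGON must be "ok", the
    service list is a regexp searched against the normalised path, and the
    auth strength must reach the level the service requires.
    """
    if session.get("LOGON") != "ok":
        return False, "not authenticated"
    try:
        strength = int(session.get("MOD_BUT_AUTH_STRENGTH", "0"))
    except ValueError:
        return False, "malformed auth strength"
    if strength < required_strength:
        return False, f"auth strength {strength} below required {required_strength}"
    # Collapse "." and ".." first, so /admin/../enterpriseadmin is checked as
    # /enterpriseadmin, the path the backend would actually serve.
    normalised = posixpath.normpath(path)
    if not normalised.startswith("/"):
        return False, "relative path"
    pattern = session.get("MOD_BUT_SERVICE_LIST")
    if not pattern:
        return False, "no service list"
    if re.search(pattern, normalised) is None:
        return False, f"{normalised} not in service list"
    user = session.get("MOD_BUT_USERNAME", "?")
    return True, f"user {user} authorized for {normalised}"
```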
  • Reverse Proxy: DLS
    - DLS = Delegated Login Service
    - Some applications have their own login component: Outlook Web Access, Wiki
    - The "DLS" authenticates on behalf of the user
  • MOD_BUT Features
    - Session Store
    - Pre-Authentication
    - Step-Up Authentication (Authorization Level)
    - Service Authorization
    - Delegated Login Server Support
    - Cookie Pass Through
  • Who uses mod_but? The Secure Document Exchange Solution
  • MOD_BUT TODO
    - [ ] Rewrite SHM handling and data structures, eliminate SHM stuff from callers: mod_but_cookiestore.c, mod_but_session.c, mod_but_shm.c
    - Goals: increased performance, lower shared memory usage, more robust interfaces, thread-safety
  • Some differences to Airlock?
  • Airlock URL Encryption
    - Effective against forceful browsing
    - URLs and parameters are protected
    - Hides technology and topology
    - Works dynamically, no specific configuration necessary
        GET https://web.server.com/home/MDNCIGBPCEDDNKBMMOCNGDLHBEOJJEMCHJOIAODKJPNOPOEPOBJONBPFCFCNBOEIPICACIPNAKIIKLFMEIMEGBFGFGMIBDLEipe4PixkUbKsXFBnb6YodmYPJyK66k1Ochxjrr6+Zaziy20FxB+Sz1hUm8OchL/IREKvKVzlNKSRuiig7sh7jwI4y2xFNltX98GQFYkGq7fbHtzBKtOCQtQ0AviT1pJlP1I+xG5baW/3zx/IuHD9dpJ4I0J92oN9wa5gcs8JXQ7lkcG2HsV8EiPKbt7wFR2h HTTP/1.1
  • Airlock Smart Form Protection
    - Cryptographic protection of HTML forms
    - Only allowed input is accepted (Airlock "remembers" form fields)
    - Automatic protection of hidden and selection fields
  • Load Balancing / High Availability
  • Failover (London - New York) with a Central Session Store (High Availability)
    - (diagram: Login Service London, Entry Server London, Backend Application London; Login Service New York, Entry Server New York, Backend Application New York; both sites share the Central Session Store)
  • Entry Server & AJAX Security Implications
  • AJAX Request/Response
    - New engine built into newer browsers!
    - Interactive GUI
    - Asynchronous processing: not every action needs to be started by pressing the submit button
    - Asynchronous processing: AJAX updates the browser window (content)
    - Source: Wikipedia
  • XMLHttpRequest (XHR)
    - XmlHttpRequest is a browser API to perform background HTTP requests from JavaScript
    - Invented by Microsoft in 2000
    - IE 5.0 / 6.0: COM/ActiveX object "Microsoft.XmlHttp", ActiveX must be enabled
    - IE 7.0, Firefox, Opera, Safari and other browsers: native JavaScript object "XmlHttpRequest", ActiveX not required, portable
  • XMLHttpRequest (XHR) (diagram)
  • Data Exchange Formats: Upstream Data Format / Downstream Data Format
  • Upstream Data Formats
    - Possible data formats: GET parameters, POST parameters, XML, SOAP
    - Some server-side API is provided; it often maps to server-side objects and their functions
    - AJAX calls in this case are like remote method invocations
  • Upstream: HTTP GET Parameters
        GET /dyn/req?call=foo&arg=bar HTTP/1.1
        ...
  • Upstream: HTTP POST Parameters
        POST /dyn/req HTTP/1.1
        Content-Type: application/x-www-form-urlencoded
        ...
        call=foo&arg=bar
  • Upstream: XML (HTTP POST)
        POST /dyn/req HTTP/1.1
        Content-Type: text/xml
        ...
        <?xml version="1.0" encoding="utf-8"?>
        <request connectionId="cxooiqM">
          <call type="foo">
            <argument name="bar">true</argument>
          </call>
        </request>
  • Upstream: SOAP (HTTP POST)
        POST /dyn/req HTTP/1.1
        Content-Type: application/soap-xml
        ...
        <?xml version="1.0" encoding="utf-8"?>
        <Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope">
          <Body>
            ...
          </Body>
        </Envelope>
  • Downstream: XML
        HTTP/1.1 200 OK
        Content-Type: text/xml
        ...
        <?xml version="1.0" encoding="utf-8"?>
        <response>
          <result type="login">
            <status>false</status>
            <msg>Username or password invalid.</msg>
          </result>
        </response>
  • Downstream: JavaScript
        HTTP/1.1 200 OK
        Content-Type: text/javascript
        ...
        LibJs.user='nobody';
        LibJs.groups=['member','nobody','wnc5Xh'];
        $L('kYP64i').__render([$E('h1',{className:'Compiled',attributes:{},children:[$T(LibJs.Compiler.fromAscii('Hello world!'))]
        ...
        LibJs.Server.__onComplete(1664);
  • Downstream: JSON
        HTTP/1.1 200 OK
        Content-Type: text/x-json
        ...
        {"menu": {
          "id": "file",
          "popup": {
            "menuitem": [
              {"value": "New", "onclick": "NewDoc()"},
              {"value": "Open", "onclick": "OpenDoc()"},
              {"value": "Close", "onclick": "CloseDoc()"}
            ]}}}
  • Downstream: Custom
        HTTP/1.1 200 OK
        Content-Type: text/x-gwt
        ...
        {OK}["53723","84268","78357","27843"]
  • New: The Entry Server Problem
    - What is a valid request? Look at the JavaScript code and guess what it might call and what the parameters might be: infeasible! JavaScript is way too dynamic!
    - Filter patterns and AJAX: how to detect HTML injection in XML? How to detect XSS in JavaScript/JSON? How to sign an AJAX response?
    - Every AJAX application is very different; there is no "standard" like the HTML <form>
    - Impossible without support from the application!
  • Appendix
  • Apache Compilation with mod_replace
    - Copy the module into the filters directory:
        cp mod_replace.c ./httpd-2.2.10/modules/filters
    - Add the following line to ./httpd-2.2.11/modules/filters/config.m4:
        APACHE_MODULE(replace, replace filter module, , , most)
    - Change to $APACHE_SRC and run autoconf:
        cd ./httpd-2.2.10/
        autoconf
    - Check that --enable-replace is available:
        cd ./httpd-2.2.10/
        ./configure --help | grep replace
  • Apache Compilation - Compile Apache with mod_replace
        cd ./httpd-2.2.10/
        ./configure --prefix=/opt/applic/http-2.2.10 --enable-so --enable-ssl --enable-proxy --enable-rewrite --enable-substitute --enable-replace --enable-headers --enable-unique-id --enable-log-forensic --enable-expires --enable-replace