Best Practices Guide: Introducing Web Application Firewalls


Web applications of all kinds, whether online shops or partner portals, have in recent years increasingly become the target of hacker attacks. The attackers use methods which are specifically aimed at exploiting potential weak spots in the web application software itself, which is why these attacks are not detected, or not detected with sufficient accuracy, by traditional IT security systems such as network firewalls or IDS/IPS systems. OWASP develops tools and best practices to support developers, project managers and security testers in the development and operation of secure web applications. Additional protection against attacks, in particular for web applications that are already in production, is offered by what is still an emerging category of IT security systems, known as Web Application Firewalls (hereinafter referred to simply as WAF), often also called Web Application Shields or Web Application Security Filters.



  1. OWASP Asia 2008. Best Practices Guide: Web Application Firewalls. Alexander Meisel, CTO art of defence, OWASP German Chapter. Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org
  2. (blank slide) OWASP 2
  3. What is this? (slides 4, 5 and 6 repeat this slide)
  7. What is this? Security Hole in our Web App!!!
  8. What is this? Security Hole in our Web App!!! Let’s fix it using a Web Application Firewall (WAF)! ;-)
  9. What is this? Security Hole in our Web App!!! Let’s fix it using a Web Application Firewall (WAF)! ;-) But HOW ON EARTH do I deploy a WAF correctly?
  10. Big “Thank you!!!” to the Authors
      • Maximilian Dermann, Lufthansa Technik AG
      • Mirko Dziadzka, art of defence GmbH
      • Boris Hemkemeier, OWASP German Chapter
      • Achim Hoffmann, SecureNet GmbH
      • Alexander Meisel, art of defence GmbH
      • Matthias Rohr, SecureNet GmbH
      • Thomas Schreiber, SecureNet GmbH
  11. Contents
      • Introduction and aim
      • Characteristics of web apps with regards to security
      • Overview of what WAFs can do
      • Benefits and risks of WAFs
      • Protection against the OWASP TOP 10 (App vs. WAF vs. Policy)
      • Criteria for deciding whether or not to use WAFs
      • Best practices for introduction and operation of WAFs
  12. Introduction and aim
      • Introduction: Online Businesses; Weak spot HTTP; Reference to PCI DSS
      • Definition of the term “Web Application Firewall”: NOT a Network Firewall; Not only Hardware
      • Targeted audience: Technical decision-makers; People responsible for operations and security; Application Owners
  13. Characteristics of web applications with regards to security
      • Higher level aspects in the company
        – Prioritizing Web Apps in regard to their importance: Access to personal customer data; Access to (confidential) company information (image loss); Certifications
      • Technical Aspects: Test and quality assurance; Documentation; Vendor-Contracts
  14. Overview of what WAFs can do
      • Where do WAFs fit into the Web App Sec field: WAFs are part of a solution
      • Main benefits of a WAF
      • Additional functionality
      • What can be achieved with WAFs
        – Table with (wanted) functionality, examples: CSRF, Session fixation, *-Injection
        – Rating / Evaluation: + can be very well implemented using a WAF; - cannot be implemented; ! depends on the WAF/application/requirements; = can partly be implemented with a WAF
  15. Table (Just a small example)
  16. Benefits and risks of WAFs (I)
      • Main benefits of WAFs: Base line security; Compliance; Just-in-time patching of problems
      • Additional benefits (depending on functionality): Central reporting and error logging; SSL termination; URL-Encryption; ....
  17. Benefits and risks of WAFs (II)
      • Risks involved using WAFs: False positives; Increased complexity; Yet another proxy; Potential side effects if the WAF terminates the application
  18. Protection against the OWASP TOP 10: App vs. WAF vs. Policy
      • Three types of applications:
        – T1: Web application in design phase
        – T2: Already productive app which can easily be changed (e.g. with MVC architecture)
        – T3: Productive app which cannot be modified, or only with difficulty
      • Table of OWASP TOP 10 in regards to work required with the 3 types of application to fix the problem: in the application itself; using a WAF; using a policy
  19. OWASP Top 10 (Example)
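The "fix in the application vs. fix with a WAF" choice from slides 14 and 18, worked through for the *-Injection row as an added example (written for this page; it is not code from the OWASP paper, the presenter or any WAF vendor). The same SQL injection weakness is shown three ways: the legacy code as a T3 application would have it, the fix in the application itself (bound parameter, the T1/T2 route), and the unchanged application left behind a signature-based WAF filter (the T3 route). The users table, the signature pattern and all function names are constructed for the example.

```python
import re
import sqlite3


# Constructed sample data for the example (not from the OWASP paper).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_vulnerable(conn, name):
    """T3-style legacy code: the query is built by string concatenation,
    so the user-supplied value is parsed as SQL (injection)."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_fixed(conn, name):
    """Fix in the application itself (T1/T2 route): a bound parameter is
    never parsed as SQL, whatever it contains."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# Hypothetical WAF blacklist signature (constructed): a quoted tautology
# fragment, a SQL comment marker, or a statement terminator followed by DROP.
# Real products ship far larger signature sets; this shows only the mechanism.
SQLI_SIGNATURE = re.compile(r"'\s*or\s*'|--|;\s*drop\b", re.IGNORECASE)


def waf_allows(value):
    """True when no signature matches the parameter value."""
    return SQLI_SIGNATURE.search(value) is None


def lookup_behind_waf(conn, name):
    """T3 route: the application stays as it is and the WAF in front of it
    rejects requests whose parameter matches a signature. Returns None when
    the request is blocked and therefore never reaches the application."""
    if not waf_allows(name):
        return None
    return lookup_vulnerable(conn, name)


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # textbook tautology, used here only to show the effect
    print("vulnerable :", lookup_vulnerable(db, probe))   # every row leaks
    print("fixed      :", lookup_fixed(db, probe))        # no row
    print("behind WAF :", lookup_behind_waf(db, probe))   # None = blocked
    print("normal user:", lookup_behind_waf(db, "alice"))  # still works
```

The contrast is the point of the slide's rating scheme: the parameterised query removes the weakness regardless of input, whereas the WAF filter only removes requests that match a pattern it knows, which is why its value depends on the signature set and on how often it fires on legitimate input.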
  20. Criteria for deciding whether or not to use Web Application Firewalls (I)
      • Company wide criteria: Importance of the app for the success of the company; Number of web applications; Complexity; Operational costs; Performance and scalability
  21. Criteria for deciding whether or not to use Web Application Firewalls (II)
      • Criteria with regard to the web application: Changeability of the application; Documentation; Maintenance contracts; Time required for fixing bugs in third-party products
      • Consideration of financial aspects: Avoidance of financial damage via successful attacks
      • Costs of using a WAF: License costs; Update costs; Project costs for evaluation and introducing a WAF; Volume of work required / Personnel costs
  22. Criteria for deciding whether or not to use Web Application Firewalls (II): Evaluation and Summary
  23. Best practices for introduction and operation of Web Application Firewalls (I)
      • Infrastructure: Central or decentralized infrastructure
        – central proxy application
        – host based, plug-in approach
        – virtualization !!???!!!
      • Performance
        – GBits/Second throughput on hardware does NOT matter
        – HTTP requests processed per second is important
        – Simultaneous web application users
        – Think of peak load times (pre Christmas rush)
  24. Best practices for introduction and operation of Web Application Firewalls (II)
      • Organizational aspects
      • Security Policies: Try not to change security policies already in place
      • Suggestion of new job position: WAF application manager
        – One-off task of commissioning a WAF
        – In-depth knowledge of WAF capabilities
        – Alarm and Error management
        – Changes to the rule-set
        – Talking to the development department(s)
  25. Best practices for introduction and operation of Web Application Firewalls (III): Iterative procedure
      • Step 1: Definition of the people responsible for security, ideally the “WAF application manager”
      • Step 2: Baseline security for all web applications
        – mostly blacklisting using vendor signatures
        – monitor for false positives/negatives and get rid of them
      • Step 3: Prioritized list of all web applications which need to be secured; use the checklist (attached to the paper)
      • Further Steps: Work through the list and systematically secure the apps
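Step 2 of the iterative procedure above (baseline blacklisting with vendor signatures, then monitoring for false positives before enforcing), modelled as an added example written for this page; it is not code from the OWASP paper and does not represent any vendor's product. A small signature set is first run in monitor mode over a traffic sample, the hits are reviewed, an exclusion is recorded for the one page where the match is legitimate (a CMS editor that is supposed to receive HTML), and only then is blocking switched on. The signature patterns, the paths, the traffic sample and the review outcome are all constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Request:
    path: str
    params: dict


@dataclass
class Signature:
    rule_id: str
    pattern: re.Pattern
    # Paths on which this rule is switched off after false-positive review.
    exclusions: set = field(default_factory=set)


def make_signatures(exclusions=None):
    """Three hypothetical vendor-style blacklist signatures (constructed, not
    taken from any real rule set). exclusions maps rule_id -> excluded paths."""
    exclusions = exclusions or {}
    sigs = [
        Signature("sqli-tautology", re.compile(r"'\s*or\s*'", re.IGNORECASE)),
        Signature("path-traversal", re.compile(r"\.\./")),
        Signature("xss-script-tag", re.compile(r"<script", re.IGNORECASE)),
    ]
    for sig in sigs:
        sig.exclusions = set(exclusions.get(sig.rule_id, ()))
    return sigs


class BaselineWaf:
    """Minimal model of the Step 2 baseline: signature matching on request
    parameters, either in monitor (log only) or in blocking mode."""

    def __init__(self, signatures, blocking):
        self.signatures = signatures
        self.blocking = blocking
        self.hits = Counter()  # rule_id -> matches, the input for FP review
        self.log = []

    def inspect(self, req):
        for sig in self.signatures:
            if req.path in sig.exclusions:
                continue
            for name, value in req.params.items():
                if sig.pattern.search(value):
                    self.hits[sig.rule_id] += 1
                    mode = "BLOCK" if self.blocking else "DETECT"
                    self.log.append(f"{mode} {sig.rule_id} path={req.path} param={name}")
                    if self.blocking:
                        return "blocked"
        return "allowed"


# Constructed traffic sample: ordinary requests, one injection attempt on the
# login form, and a CMS editor request whose body legitimately contains HTML.
TRAFFIC = [
    Request("/search", {"q": "winter jackets"}),
    Request("/login", {"user": "' OR '1'='1", "pw": "x"}),
    Request("/cms/edit", {"body": "<p>Hello</p><script>track()</script>"}),
    Request("/cms/edit", {"body": "<h1>News</h1>"}),
    Request("/download", {"file": "report.pdf"}),
]


def monitor_phase(traffic):
    """Step 2, first pass: nothing is blocked, every match is only counted."""
    waf = BaselineWaf(make_signatures(), blocking=False)
    verdicts = [waf.inspect(r) for r in traffic]
    return verdicts, waf.hits


def review(hits, legitimate_on):
    """The human part of Step 2: for each rule that actually fired, the WAF
    application manager records where such input is expected by the
    application. legitimate_on maps rule_id -> paths; rules that never fired
    need no exclusion."""
    return {rule: set(paths) for rule, paths in legitimate_on.items() if rule in hits}


def blocking_phase(traffic, exclusions):
    """Step 2, second pass: the tuned rule set, now enforcing."""
    waf = BaselineWaf(make_signatures(exclusions), blocking=True)
    return [waf.inspect(r) for r in traffic]


if __name__ == "__main__":
    verdicts, hits = monitor_phase(TRAFFIC)
    print("monitor mode :", verdicts, dict(hits))
    # Review outcome (constructed): HTML in the CMS editor body is expected.
    exclusions = review(hits, {"xss-script-tag": ["/cms/edit"]})
    print("blocking mode:", blocking_phase(TRAFFIC, exclusions))
```

Switching straight to blocking without the monitor pass would have cut off the CMS editor on its first save; the counter per rule is what makes the false positive visible before any user is affected, and the exclusion is recorded per path rather than by disabling the rule globally, so the same signature keeps protecting every other page.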
  26. Appendices
      • Checklist to define the ‘accessibility’ of the web application: the more points you score, the better the access to the web application
      • Job descriptions for the ‘new guys’
        – WAF platform manager (needed in really complex/big environments)
        – WAF application manager (per application)
        – Application manager
  27. Where to find on the net? OWASP Wiki of course: https://www.owasp.org/index.php/Best_Practices:_Web_Application_Firewalls
  28. Hot Fix Patch. Thank you! Questions? Alexander Meisel, alexander.meisel@artofdefence.com (slide 29 repeats this slide)
  30. Hot Fix Patch. BTW: I love Taiwan!!! ;-) Thank you! Questions? Alexander Meisel, alexander.meisel@artofdefence.com
