Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

WAF in Scale

1,851 views

Published on

Zeronighst 2014. Defensive Track. Few words about WAF integration and support.

Published in: Software
  • Be the first to comment

WAF in Scale

  1. 1. WAF in scale Zeronights 0x04 Prepared by Alexey Sintsov Principal Security Engineer 14.11.2014
  2. 2. 2 Intro . . . AWS EU SPC Engineering Attack Surface (Internet/WEB) Team Product team 1 Product team 2 Product team 3 © 2014 HERE | Security Monitoring System | SPC Engineering team AWS US Product team 3 Data Center 1 Data Center 2 - A lot of different teams - Many different data centers (even AWS) - Only few security engineers - A lot of WEB attacks…
  3. 3. 3 Targets What we want: • We want to monitor WEB attacks, like IDS for WEB • We won’t review all script-kiddie/bot scans, we want auto confirmation and correlation • We want to be able to do fast ‘virtual’ fixes in critical situations • We want SOC to be contacted when attack is confirmed (auto mode)  We want WAF, but in monitor mode (until blocking is needed) Additional needs: • We want to deploy and configure on all (if possible) FE - all products and DataCenters • We want to control and update rules for those installations in “one way” • We want to make it “transparent” to avoid dependency on them • We do not want big performance impact on our services © 2014 HERE | Security Monitoring System | SPC Engineering team
  4. 4. 4 Mod Security • Detection Only mode • Only SPC rules for less time CPU impact Response based alerts: 1. Attack signature 2. Response Signature • Parse response only if attack signature fired • If response signature fired -> True Positive alert! © 2014 HERE | Security Monitoring System | SPC Engineering team
  5. 5. SecRule REQUEST_BODY|REQUEST_URI|REQUEST_HEADERS "/+etc/+passwd“ "t:none,ctl:ResponseBodyAccess=On,msg:‘/etc/passwd request found…', phase:2,pass,nolog,auditlog,id:'950002',setvar:TX.ATTACK_ZLO=1, ctl:auditLogParts=+I,t:urlDecode,t:lowercase,severity:1“ 5 Mod Security - simple example of rule: © 2014 HERE | Security Monitoring System | SPC Engineering team … SecRule RESPONSE_BODY "root:x:0:0" "id:'950015',ctl:auditLogParts=+E, msg:'Content of /etc/passwd! (Rise incident to SOC)',phase:4, allow,nolog,auditlog,t:lowercase,severity:0"
  6. 6. 6 Our Splunk app • Correlation, analyses (we can code that!) • Search tool (incident analyses/analytics) • Alerting Mail to 24/7 SOC Call to oncall Security Engineer (Wake up!) © 2014 HERE | Security Monitoring System | SPC Engineering team
  7. 7. Attacks 7 Design HERE servers Splunk server Splunk forwarder Apache - ModSecurity audit logs - SPC Rules © 2014 HERE | Security Monitoring System | SPC Engineering team index-security SPC Splunk app Search tool SPC Engineer
  8. 8. 1 HERE Rules Apache 8 THOR Integration THOR repo … THOR: • Puppet as a service • Extensible & integration • Standard & building blocks © 2014 HERE | Security Monitoring System | SPC Engineering team HERE server Puppet agent yum install … HERE Rules Apache Mod Security Splunk forwarder Configure all… [1] http://www.netways.de/uploads/media/Pascal_Hahn_End_to_End_continuous_integration_of_deplayment-code_in_a_multi-tenant_puppet_setup.pdf
  9. 9. 9 How it looks like for a product team • Ask for a new server with: Apache, MySQL, PHP (not real case, just example) • Customer provides Puppet recipes of desired env. (Import MySQL schema, .htaccess rules, PHP script deployment and etc)  these two steps, THOR API and framework  RPM • After deployment – our hardened server with configured Splunk, Apache and ModSecurity and customer’s application, configs. • Customer’s tests (QA), including performance/stress • If our ModSec provides not acceptable delay, than it will be found there • Ready to go! (with some minimal Security by default!) - Customer does not have to think about WAF, configuration of logs and monitoring - If (s|)he adds new server, it will be automatically configured and will be under our monitoring (in Splunk) © 2014 HERE | Security Monitoring System | SPC Engineering team
  10. 10. 10 Support • Build server for ModSecurity rules (into RPM) • Automated unit tests for each rule • Works as expected • Not blocking normal requests • No performance impact • Version control via THOR API => If new rule needs to be distributed, new RPM with new version will be tested and built (auto. mode). Then it can be updated via THOR API to new version for specific service or for whole env. © 2014 HERE | Security Monitoring System | SPC Engineering team
  11. 11. 11 Summary • Maximum automation: • Build new rules • Test new rules • Versioning • Auto Deploy • Auto alerting for REAL cases • Easy to investigate (evil POST requests) • Good coverage: • All Apache (nginx) services – FE, WEB, RP, PVP • No dependencies on many different teams • Most common attacks and patterns – easy to do signatures, even for 0days - If we do not use Apache/Nginx? - If performance impact is too high for the service? - If it is not a WEB attack (HeartBleed)? © 2014 HERE | Security Monitoring System | SPC Engineering team
  12. 12. 12 THE FIN twitter.com/asintsov alexey.sintsov@here.com WEB: https://www.here.com http://company.nokia.com/en/our-businesses#here © 2014 HERE | Security Monitoring System | SPC Engineering team

×