Web Application Firewall

Web Application Firewall and introduction to ModSecurity

Published in: Technology

  1. Web Application Firewall: Introduction to ModSecurity
  2. $ whoami
     - Chandrapal
     - Security Enthusiast
     - Maintainer of @HackwithGithub
     - Contact: @bnchandrapal, @HackwithGithub
  3. Overview
     - Introduction to WAF
     - Different WAFs
     - Implementation Models
     - Mode of Action
     - Pros
     - Introduction to ModSecurity
     - ModSecurity Concepts
     - Cons
  4. Introduction to WAF
     - The Internet was created for sharing resources, without security concerns
     - It was static: lots of blogs, manuals and images
     - No logins; even where present, they were easy to bruteforce
     - Dynamic websites with logins evolved and HTTPS was introduced
     - HTTPS prevents MitM, not logical errors
  5. Introduction to WAF
     - Firewalls -> IDS -> IPS
     - Firewalls work at the network level; scanning each and every packet makes the network slow
     - WAF: Web Application Firewall
     - Deals with web applications only, at the logical level
  6. Different WAFs
     - Appliance-based web application firewalls: mostly hardware. Ex: Netscaler MPX WAF by Citrix
     - Cloud and hybrid web application firewalls: the entire infrastructure is shared with the WAF provider, with DDoS protection. Hybrid solutions are great for distributed environments (such as multiple business locations) or when virtual deployments make sense for an organization. Ex: Cloud WAF: Incapsula's industry-leading WAF service; the WAF product from Qualys exemplifies a hybrid virtual appliance/cloud approach
  7. Implementation Models
     - Positive Model: focuses on what content should be allowed, i.e. a whitelisting technique
     - Negative Model: focuses on what should not be allowed, i.e. a blacklisting technique
     - Mixed Model: a combination of both positive and negative models
  8. Positive Model
     - A positive security model enforces positive behavior by learning the application logic and then building a security policy of valid known requests as a user interacts with the application.
     - Example: on page news.jsp, the field id could only accept characters [0-9], starting at number 0 and going up to 65535.
  9. Positive Model
     - Pros: better performance (fewer rules); fewer false positives
     - Cons: much more time to implement. Some vendors provide an "automatic learning mode"; it helps, but is far from perfect. In the end, you always need a skilled human to review the policies.
  10. Negative Model
     - A negative security model recognizes attacks by relying on a database of expected attack signatures.
     - Example: do not allow, in any page, any argument value (user input) which matches potential XSS strings like <script>, </script>, String.fromCharCode, etc.
  11. Negative Model
     - Pros: less time to implement
     - Cons: more false positives; more processing time; less protection
  12. Mode of Action
     - Based on the action taken by the firewall:
     - Passive mode: if any suspicious activity is detected, it gets logged and a message is sent to the admin for manual action
     - Reactive mode: if any suspicious activity is detected, it automatically blocks / resets the connection
  13. Deployment Options: Embedded (diagram)
  14. Deployment Options: Reverse Proxy (diagram; label: "WAF goes here")
  15. Deployment Options: Port Mirroring (diagram)
  16. Pros
     - Virtual Patching: a security policy enforcement layer which prevents the exploitation of a known vulnerability
     - Authenticate users directly: allow or deny a specific incoming telnet command from a particular user
     - Better content filtering capabilities: the ability to examine the payload of a packet
     - Stops data leakage
  17. ModSecurity
     - 13 years old
     - Protects millions of websites
     - Community support
     - Open source license (Apache Software License v2) for the OWASP Core Rule Set
     - Commercial rule set by Trustwave SpiderLabs
     - OWASP Core Rule Set provides general protection
     - One config to rule them all (Apache, IIS, nginx)
  18. Why ModSecurity? (image slide)
  19. ModSecurity Concepts: Processing Phases
     - Request Headers
     - Request Body
     - Response Headers
     - Response Body
     - Logging / Action
  20. ModSecurity Concepts: Transformations
     - Can be nested / run in series
     - Replace Comments (SQLi)
     - URL Encode / Decode
     - Hex Encode / Decode
     - JavaScript Decode
     - HTML Entity Decode
     - Uppercase / Lowercase
  21. Cons
     - False positives
     - Packets must pass through all 7 OSI layers, which consumes a lot of CPU cycles
     - Vulnerable to the security loopholes of the underlying operating system; susceptible to DDoS
     - Reduced scalability of web apps
     - Positive model: models are generally more expensive and sophisticated
     - Negative model: protects against known vulnerabilities, not 0days
  22. Cons
     - False positives. Best case: 56.0% of companies get false positives below 25%. Worst case: 4.0% of companies get false positives above 95% (operators not well versed in regex; could be corrected with manual log inspection)
     - Not user-friendly
  23. THANK YOU. Any questions?
  24. Resources: Official website, [Defcon], [BlackHat]
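The positive model of slide 8, the negative model of slide 10, the passive/reactive modes of slide 12 and the transformation chain of slide 20, written as ModSecurity rules. This is an added example, not from the slides or the ModSecurity project; the rule ids (100001-100003), the audit log path and the exact regexes are assumptions.

```apache
# Positive model (slide 8): on news.jsp the "id" argument may only be digits
# in the range 0-65535. Phase 2 (request body) sees both query and POST args.
# Rule 100001 denies anything that is not 1-5 plain digits; the chained rule
# only runs when the file name matched, so other pages are unaffected.
SecRule REQUEST_FILENAME "@endsWith /news.jsp" \
    "id:100001,phase:2,t:none,log,deny,status:403,\
    msg:'news.jsp: id must be 1-5 digits',chain"
    SecRule ARGS:id "!@rx ^[0-9]{1,5}$" "t:none"

# Rule 100002 closes the gap the digit check leaves open: 65536-99999.
SecRule REQUEST_FILENAME "@endsWith /news.jsp" \
    "id:100002,phase:2,t:none,log,deny,status:403,\
    msg:'news.jsp: id above 65535',chain"
    SecRule ARGS:id "@gt 65535" "t:none"

# Negative model (slide 10): block XSS strings in any argument on any page.
# Transformations run in the order listed (slide 20): URL-decode, then
# HTML-entity decode, then JavaScript decode, then lowercase, so payloads
# such as %3Cscript%3E or &lt;script&gt; are normalised before the regex.
SecRule ARGS "@rx <\s*/?script|string\.fromcharcode" \
    "id:100003,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,\
    t:lowercase,log,deny,status:403,\
    msg:'XSS pattern in argument %{MATCHED_VAR_NAME}'"

# Mode of action (slide 12): DetectionOnly logs matches without blocking
# (passive mode); switch to On after reviewing the audit log (reactive mode).
SecRuleEngine DetectionOnly
SecAuditEngine RelevantOnly
SecAuditLog /var/log/modsec_audit.log
```

Running in DetectionOnly first is how the false-positive rate of slide 22 is measured before any request is denied.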