Successfully reported this slideshow.

Web Application Firewall

3

Share

1 of 25
1 of 25

More Related Content

Related Books

Free with a 14 day trial from Scribd

See all

Related Audiobooks

Free with a 14 day trial from Scribd

See all

Web Application Firewall

  1. 1. Web Application Firewall Introduction to ModSecurity
  2. 2. $ whoami - Chandrapal - Security Enthusiast - Maintainer of @HackwithGithub Contact: - @bnchandrapal - @HackwithGithub
  3. 3. Overview - Introduction to WAF - Different WAFs - Implementation Models - Mode of Action - Pros - Introduction to ModSecurity - ModSecurity Concepts - Cons
  4. 4. Introduction to WAF  Internet - created for sharing resources - without security concern  It was static and lots of blogs, manuals and images  No logins - even if present it was easy to bruteforce  Dynamic websites with logins evolved and HTTPS was introduced  HTTPS prevents MitM not logical errors
  5. 5. Introduction to WAF  Firewalls -> IDS -> IPS  Firewalls - work at network level - scanning each and every packet makes the network slow  WAF : Web Application Firewall  Deals with web applications only - logical level
  6. 6. Different WAF - Appliance-based Web application firewalls : Mostly hardware Ex: Netscaler MPX WAF by Citrix - Cloud and hybrid Web application firewalls : Entire infrastructure shared with WAF providers, DDoS protection. Hybrid solutions are great for distributed environments (such as multiple business locations) or when virtual deployments make sense for an organization. Ex: Cloud WAF: Incapsula's industry-leading WAF service WAF product from Qualys exemplifies a hybrid virtual appliance/cloud approach.
  7. 7. Implementation Models  Positive Model: Focuses on what content should be allowed i.e. whitelisting technique  Negative Model: Focuses on what should not be allowed i.e. blacklisting technique  Mixed Model: Combination of both positive and negative models
  8. 8. Positive Model A positive security model enforces positive behavior by learning the application logic and then building a security policy of valid known requests as a user interacts with the application. Example: Page news.jsp, the field id could only accept characters [0-9] and starting at number 0 until 65535.
  9. 9. Positive Model Pros:  Better performance (less rules).  Less false positives. Cons:  Much more time to implement.  Some vendors provide “automatic learning mode”, they help, but are far from perfect, in the end, you always need a skilled human to review the policies.
  10. 10. Negative Model A negative security model recognize attacks by relying on a database of expected attack signatures. Example: Do not allow in any page, any argument value (user input) which match potential XSS strings like <script>, </script> , String.fromCharCode, etc.
  11. 11. Negative Model Pros:  Less time to implement Cons:  More false positives.  More processing time.  Less protection.
  12. 12. Mode of Action Based on the mode of action taken by firewalls: Passive mode: If any suspicious activity detected, it gets logged and a message is sent to the admin for manual action Reactive mode: If any suspicious activity detected, it automatically blocks / resets the connection
  13. 13. Deployment Options - Embedded
  14. 14. Deployment Options - Reverse Proxy WAF goes here
  15. 15. Deployment Options - Port Mirroring
  16. 16. Pros Virtual Patching : security policy enforcement layer which prevents the exploitation of known vulnerability Authenticate users directly : allow or deny a specific incoming telnet command from a particular user Better content filtering capabilities : ability to examine the payload of packet Stops Data Leakage *
  17. 17. ModSecurity  13 years old  Protects millions of websites  Community Support  Open source license (Apache Software License v2) for OWASP Core Rule Set  Commercial Rule Set by Trustwave Spiderlabs  OWASP Core Rule Set providing general protection  One config to rule them all (Apache, IIS, nginx)
  18. 18. Why ModSecurity ? * www.zeroscience.mk
  19. 19. ModSecurity Concepts Processing Phases:  Request Headers  Request Body  Response Headers  Response Body  Logging / Action
  20. 20. ModSecurity Concepts Transformations  Can be nested / run in serial  Replace Comments (SQLi)  URL Encode / Decode  Hex Encode / Decode  JavaScript Decode  HTML Entity Decode  Uppercase / Lowercase
  21. 21. Cons  False Positives  Packets should pass 7 layers of OSI - consumes a lot of CPU cycle  vulnerable to the security loopholes of the underlying operating system - susceptible to DDoS  reduced scalability of web apps **  positive model : Model are generally more expensive and sophisticated  negative model : Protects known vulnerabilities - not 0days
  22. 22. Cons  False positives BEST PART - 56.0% companies get fp less than 25% WORST PART - 4.0% companies get false positives more than 95% [not well verse in regex] [ Could be corrected with manual log inspection ]  Not user-friendly
  23. 23. THANK YOU Any Questions
  24. 24. Resources Official website: https://modsecurity.org/ https://github.com/SpiderLabs/owasp-modsecurity-crs http://www.slideshare.net/zeroscience/cloudflare-vs-incapsula-vs-modsecurity https://www.trustwave.com/Resources/SpiderLabs-Blog/OWASP-Virtual-Patching-Surv https://www.youtube.com/watch?v=HkA_YRSb3jU [Defcon ] https://www.youtube.com/watch?v=208bFToRJqo [BlackHat] https://www.youtube.com/watch?v=pKGdIxArlKU

×