3. Overview
- Introduction to WAF
- Different WAFs
- Implementation Models
- Mode of Action
- Pros
- Introduction to ModSecurity
- ModSecurity Concepts
- Cons
4. Introduction to WAF
Internet - created for sharing resources - without
security concern
It was static and lots of blogs, manuals and images
No logins - even if present it was easy to bruteforce
Dynamic websites with logins evolved and HTTPS was
introduced
HTTPS prevents MitM not logical errors
5. Introduction to WAF
Firewalls -> IDS -> IPS
Firewalls - work at network level - scanning each and
every packet makes the network slow
WAF : Web Application Firewall
Deals with web applications only - logical level
6.
7. Different WAF
- Appliance-based Web application firewalls : Mostly hardware
Ex: Netscaler MPX WAF by Citrix
- Cloud and hybrid Web application firewalls : Entire infrastructure shared
with WAF providers, DDoS protection. Hybrid solutions are great for distributed
environments (such as multiple business locations) or when virtual deployments
make sense for an organization.
Ex: Cloud WAF: Incapsula's industry-leading WAF service
WAF product from Qualys exemplifies a hybrid virtual appliance/cloud approach.
8. Implementation Models
Positive Model: Focuses on what content should be
allowed i.e. whitelisting technique
Negative Model: Focuses on what should not be
allowed i.e. blacklisting technique
Mixed Model: Combination of both positive and negative
models
9. Positive Model
A positive security model enforces positive behavior by
learning the application logic and then building a security
policy of valid known requests as a user interacts with the
application.
Example:
Page news.jsp, the field id could only accept characters [0-9]
and starting at number 0 until 65535.
10. Positive Model
Pros:
Better performance (less rules).
Less false positives.
Cons:
Much more time to implement.
Some vendors provide “automatic learning mode”, they
help, but are far from perfect, in the end, you always need
a skilled human to review the policies.
11. Negative Model
A negative security model recognize attacks by relying on a
database of expected attack signatures.
Example:
Do not allow in any page, any argument value (user input)
which match potential XSS strings like <script>, </script> ,
String.fromCharCode, etc.
13. Mode of Action
Based on the mode of action taken by firewalls:
Passive mode: If any suspicious activity detected, it gets
logged and a message is sent to the admin for manual
action
Reactive mode: If any suspicious activity detected, it
automatically blocks / resets the connection
17. Pros
Virtual Patching : security policy enforcement layer which
prevents the exploitation of known vulnerability
Authenticate users directly : allow or deny a specific
incoming telnet command from a particular user
Better content filtering capabilities : ability to examine
the payload of packet
Stops Data Leakage *
18. ModSecurity
13 years old
Protects millions of websites
Community Support
Open source license (Apache Software License v2) for
OWASP Core Rule Set
Commercial Rule Set by Trustwave Spiderlabs
OWASP Core Rule Set providing general protection
One config to rule them all (Apache, IIS, nginx)
21. ModSecurity Concepts
Transformations
Can be nested / run in serial
Replace Comments (SQLi)
URL Encode / Decode
Hex Encode / Decode
JavaScript Decode
HTML Entity Decode
Uppercase / Lowercase
22. Cons
False Positives
Packets should pass 7 layers of OSI - consumes a lot of CPU
cycle
vulnerable to the security loopholes of the underlying operating
system - susceptible to DDoS
reduced scalability of web apps **
positive model : Model are generally more expensive and
sophisticated
negative model : Protects known vulnerabilities - not 0days
23. Cons
False positives
BEST PART - 56.0% companies get fp less than 25%
WORST PART - 4.0% companies get false positives more than 95%
[not well verse in regex]
[ Could be corrected with manual log inspection ]
Not user-friendly
