Web Application Firewall
Null Bhubaneswar
18 March 2023
Sampad Rout
A little about me
Sampad Rout, CISSP®
Security Architect | Microsoft
Experiences so far
● GE: Industrial R&D security (Aviation, Power and Water, Renewable Energy, Appliances, Transportation)
● Royal Bank of Scotland: Securing the banking platform, mostly the mortgage division of Coutts
● AT&T: Securing the media division (HBO, Warner Media)
● Microsoft: Securing the Ad Platform
● Outside the org: Reviewer for ISC2, contributions to open source (virtual patching / IaC), trainer

Subject matter expert on: AppSec | Data Protection | Secure Architecture | Container Security | API Security

What do I do in spare time: XBOX | BLOG | Stories and Movies
Contents 101
01. What is what: Firewall, definition, nomenclature and history; WAF; difference between firewall and WAF
02. How a WAF works: Pattern identifiers, default mechanism, template rules, advanced rules, IP reputation
03. Demo: Look and feel of the rules, signals and GUI
04. Architecture & placements, plus anything I left out that I should have covered + Q&A
01. What is what
Firewall, nomenclature & history, WAF, difference between firewall and WAF
What is a Firewall
The name firewall: it comes from the physical firewalls that are similar in purpose, designed to contain fires and keep them from spreading.
● Firewalls established a barrier between a network that was internal to a company and considered trusted, and an external network that was considered untrusted.
● In a simple sense, a firewall controls which traffic should be allowed into your system and which should be blocked, based on defined rules & patterns.
A firewall is a network security device, which may come as software, a hardware appliance or a SaaS offering, that monitors and filters incoming and outgoing network traffic based on an organization’s previously established security policies.
— Common definition
Firewall Evolution
How the firewall was enhanced over time

Firewall generations

First generation
● Stateless
● Packet filters based on IP addresses and ports (L3/L4)
● Examples: iptables, OS firewalls, basic switches; usage: ACLs
● Weakness: IP spoofing; cannot tell valid return traffic from an imposter

Second generation
● Stateful, bidirectional
● Connection/session based, still keyed on IP addresses and ports (L3/L4)
● Examples: advanced switches; usage: ACLs, DMZ
● Weakness: cannot tell good traffic from bad traffic

Generation 2.5
● Targeted / specialized firewalls
● IPS, UTM, URL filtering
● Inspects up to L5-L7; scaling and performance
● Weakness: signature oriented, no dynamism
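To make the first-generation weakness on this slide concrete (a stateless filter cannot tell valid return traffic from an imposter), here is an added Python example that is not part of the deck. It runs the same constructed packets through a first-generation stateless ACL and a second-generation stateful filter; the addresses, ports and the session-tracking logic are my own illustration, not any product's implementation.

```python
"""Stateless vs. stateful packet filtering (added illustration, not deck code).

A stateless filter decides per packet from IP/port fields only; a stateful
filter also checks that an inbound packet matches a session the inside host
actually opened. All packets below are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "out" (inside -> internet) or "in" (internet -> inside)


# Constructed traffic: the inside host 10.0.0.5 opens one HTTP connection;
# later inbound packets arrive with source port 80: one genuine reply and
# two forged ("imposter") packets from an address the host never talked to.
TRAFFIC = [
    Packet("10.0.0.5", 51000, "203.0.113.10", 80, "out"),   # client request
    Packet("203.0.113.10", 80, "10.0.0.5", 51000, "in"),    # genuine reply
    Packet("198.51.100.7", 80, "10.0.0.5", 51000, "in"),    # imposter reply
    Packet("198.51.100.7", 80, "10.0.0.5", 22, "in"),       # imposter to SSH
]


def stateless_filter(pkt: Packet) -> str:
    """First-generation ACL: allow outbound to port 80 and inbound *from*
    port 80 so replies can come back. It has no memory of sessions, so any
    packet that merely claims source port 80 is let in."""
    if pkt.direction == "out" and pkt.dst_port == 80:
        return "allow"
    if pkt.direction == "in" and pkt.src_port == 80:
        return "allow"
    return "block"


class StatefulFilter:
    """Second-generation filter: remembers sessions opened from inside and
    only admits inbound packets that belong to one of them."""

    def __init__(self) -> None:
        self.sessions: set = set()

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "out" and pkt.dst_port == 80:
            # Record the 4-tuple of the connection the inside host opened.
            self.sessions.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "allow"
        if pkt.direction == "in":
            # The reversed 4-tuple must match an existing session.
            key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
            return "allow" if key in self.sessions else "block"
        return "block"


def run(traffic=TRAFFIC):
    """Return (stateless decisions, stateful decisions) for the traffic."""
    stateful = StatefulFilter()
    return [stateless_filter(p) for p in traffic], [stateful.decide(p) for p in traffic]


if __name__ == "__main__":
    for pkt, a, b in zip(TRAFFIC, *run()):
        print(f"{pkt.direction:>3} {pkt.src_ip}:{pkt.src_port} -> "
              f"{pkt.dst_ip}:{pkt.dst_port}  stateless={a} stateful={b}")
```

The stateless ACL admits all four packets, including the two forged ones, because it only sees "source port 80"; the stateful filter admits the genuine reply and blocks both imposters, which is exactly the gap the second generation closed.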
Firewall Evolution (cont.)
How the firewall was enhanced over time

Third generation
● Stateful, scalable
● Identifies HTTP conversations and application-specific attacks (L7)
● Examples: host-based application firewalls, WAF

Next-gen (NGFW)
● Stateful, hybrid, RBAC, user groups
● Deep packet inspection, advanced threat protection (L7)
● Performance, QoS, non-disruptive
● Examples: vendor-issued NGFW (Juniper, CISCO, Checkmarx etc.)
Web Application Firewall
A web application firewall (WAF) protects web applications (hosted on any platform) from a variety of application-layer attacks such as cross-site scripting (XSS), SQL injection etc. (OWASP Top 10) and beyond.

Port / OSI reference model
Layer 7 Application    <- web app firewall
Layer 6 Presentation
Layer 5 Session
Layer 4 Transport      <- network firewall (L3/L4)
Layer 3 Network        <- network firewall (L3/L4)
Layer 2 Data Link
Layer 1 Physical
02. How a WAF works
Pattern identifiers, default mechanism, template rules, advanced rules, IP reputation
Action Matrix
Based on -> actions performed
● Traffic pattern: Audit/Monitor, Block, Allow (supersedes)
● Defined set: Whitelist (supersedes), Blacklist
● Handle/gauge: True positives, False positives, True negatives, False negatives
● RBAC: Read-only (most), App based (app owners), Admin (ops), Super user / God mode (improvements)
Preventive & Technical Control

Basic model | Description | Example
Happened nth time | If a malicious event happens for the nth time within a defined period from a particular IP/user. | XSS / injection attack / failed-login pattern detected 50 times in a minute: block
Reputation | The WAF’s global analysis engine. | IPs and DCs get flagged as bad actors for 24 hrs globally
Templated rules | Supports zero-days and virtual patching. | If there is no patch released or you are not able to patch
Complex and advanced rules | Complex rules, combinations of rules. | Whitelist ~ Blacklisted, Allowed ~ Blocked, and track ~ discover
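The first two rows of the table above, the "happened nth time" threshold and the reputation block, are worth seeing as working logic. This is an added Python example and not the deck's or any vendor's code: a sliding-window counter that blocks a source after 50 matched signals within a minute, and a reputation list that keeps that source blocked for 24 hours. The log-line format, the signal names and the sample traffic are constructed for the illustration.

```python
"""Threshold ("happened nth time") + reputation controls, as an added
illustration of the Preventive & Technical Control table (not deck code)."""
from collections import defaultdict, deque
from typing import Optional

THRESHOLD = 50                   # matched signals from one source ...
WINDOW_SEC = 60                  # ... within this many seconds -> block
REPUTATION_TTL_SEC = 24 * 3600   # flagged sources stay blocked this long


class ThresholdWaf:
    def __init__(self, threshold=THRESHOLD, window=WINDOW_SEC, ttl=REPUTATION_TTL_SEC):
        self.threshold, self.window, self.ttl = threshold, window, ttl
        self.events = defaultdict(deque)   # source -> timestamps of matched signals
        self.flagged = {}                  # source -> time its block expires

    def handle(self, ts: float, src: str, signal: Optional[str]) -> str:
        """Return 'block' or 'allow' for one request.

        ts is the request time in seconds; signal is the name of a matched
        pattern (e.g. 'xss', 'sqli', 'failed-login') or None if the request
        matched nothing."""
        # Reputation check first: a flagged source is blocked outright.
        expiry = self.flagged.get(src)
        if expiry is not None:
            if ts < expiry:
                return "block"
            del self.flagged[src]   # 24 h elapsed: reputation entry expires
        if signal is None:
            return "allow"
        window = self.events[src]
        window.append(ts)
        # Slide the window: drop events older than `window` seconds.
        while window and ts - window[0] > self.window:
            window.popleft()
        if len(window) >= self.threshold:
            self.flagged[src] = ts + self.ttl   # nth hit: block and flag
            window.clear()
            return "block"
        return "allow"   # matched a pattern but still under the threshold


def parse_line(line: str):
    """Parse a constructed log line 'ts src signal' ('-' means no signal)."""
    ts, src, sig = line.split()
    return float(ts), src, (None if sig == "-" else sig)


def replay(lines):
    """Replay log lines through the WAF and return one decision per line."""
    waf = ThresholdWaf()
    return [waf.handle(*parse_line(line)) for line in lines]


# Constructed sample traffic: 198.51.100.9 fires 50 XSS signals in 25 s,
# then sends a clean request, then comes back 25 hours later.
SAMPLE_LOG = [f"{i * 0.5:.1f} 198.51.100.9 xss" for i in range(50)]
SAMPLE_LOG += ["30.0 198.51.100.9 -",               # clean, but reputation-blocked
               "31.0 203.0.113.4 sqli",              # other source, one event only
               f"{25 * 3600:.1f} 198.51.100.9 -"]    # after the TTL: allowed again

if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_LOG, replay(SAMPLE_LOG)):
        print(f"{line:<32} -> {verdict}")
```

The first 49 matched requests are still allowed (they are individually only signals, not yet a pattern), the 50th trips the threshold and flags the source, the clean request that follows is blocked on reputation alone, and the same source is admitted again once the 24-hour entry has expired.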
03. Let’s see how it looks
Enough talk, let’s see it in action

How to rule 101
Start from the basics:
● OWASP / PortSwigger XSS cheat sheet.
● Analyzing your app environment and traffic pattern.
● Any zero-day.
● How an IaC rule looks.
scope          = "global"
group_operator = "all"
expiration     = ""

# Rule 1: requests for the listed domain are whitelisted and tagged "scw-cloud"
conditions {
  type     = "single"
  field    = "domains"
  operator = "inList"
  value    = "instances-scw-cloud"
}
actions {
  type    = "Whitelist"
  marking = "scw-cloud"
}

# Rule 2: block any HTTP method that is not one of the expected ones.
# The "||" chain is the slide's shorthand for "none of these values".
conditions {
  field    = "method"
  operator = "doesNotEqual"
  type     = "single"
  value    = "DELETE"  ||
  value    = "PATCH"   ||
  value    = "GET"     ||
  value    = "POST"    ||
  value    = "OPTIONS" ||
  value    = "HEAD"    ||
  value    = "PUT"
}
actions {
  marking = "wrong-http-method"
  type    = "block"
}
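To show how rules shaped like the snippet above combine with the precedence from the action matrix (Allow/Whitelist supersedes Block), here is an added Python example; it is not the deck's code and not any WAF vendor's API. The rule representation, the field names (method, domains, path), the operator set and the extra ordering "block supersedes monitor" are assumptions made for the illustration; the requests and rules are constructed.

```python
"""Minimal rule evaluator with action precedence (added illustration)."""
from typing import Any, Dict, List, Tuple

# Operators are assumed for the example; the slide's rule uses inList and
# doesNotEqual, the others are added to make the engine usable.
OPERATORS = {
    "equals":       lambda actual, expected: actual == expected,
    "doesNotEqual": lambda actual, expected: actual != expected,
    "inList":       lambda actual, expected: actual in expected,
    "notInList":    lambda actual, expected: actual not in expected,
    "contains":     lambda actual, expected: expected in actual,
}

# Lower number wins when several rules match (assumed ordering).
PRECEDENCE = {"whitelist": 0, "allow": 0, "block": 1, "monitor": 2}


def condition_matches(cond: Dict[str, Any], request: Dict[str, Any]) -> bool:
    """Evaluate one condition; 'group' conditions nest with all/any."""
    if cond["type"] == "group":
        results = [condition_matches(c, request) for c in cond["conditions"]]
        return all(results) if cond["group_operator"] == "all" else any(results)
    op = OPERATORS[cond["operator"]]
    return op(request.get(cond["field"], ""), cond["value"])


def evaluate(rules: List[Dict[str, Any]], request: Dict[str, Any]) -> Tuple[str, List[str]]:
    """Return (final action, markings of every rule that matched).

    A whitelist hit becomes the final action 'allow'; monitor only applies
    when nothing stronger matched."""
    matched = []
    for rule in rules:
        results = [condition_matches(c, request) for c in rule["conditions"]]
        hit = all(results) if rule["group_operator"] == "all" else any(results)
        if hit:
            matched.append(rule)
    if not matched:
        return "allow", []
    winner = min(matched, key=lambda r: PRECEDENCE[r["action"]["type"]])
    final = "allow" if winner["action"]["type"] == "whitelist" else winner["action"]["type"]
    return final, [r["action"]["marking"] for r in matched]


# Constructed rules mirroring the slide: whitelist a trusted domain, block
# any HTTP method outside the expected set, and monitor admin paths.
RULES = [
    {"group_operator": "all",
     "conditions": [{"type": "single", "field": "domains", "operator": "inList",
                     "value": ["instances-scw-cloud"]}],
     "action": {"type": "whitelist", "marking": "scw-cloud"}},
    {"group_operator": "all",
     "conditions": [{"type": "single", "field": "method", "operator": "notInList",
                     "value": ["DELETE", "PATCH", "GET", "POST", "OPTIONS", "HEAD", "PUT"]}],
     "action": {"type": "block", "marking": "wrong-http-method"}},
    {"group_operator": "all",
     "conditions": [{"type": "single", "field": "path", "operator": "contains",
                     "value": "/admin"}],
     "action": {"type": "monitor", "marking": "admin-path"}},
]

if __name__ == "__main__":
    for req in [{"method": "TRACE", "domains": "public-site", "path": "/"},
                {"method": "TRACE", "domains": "instances-scw-cloud", "path": "/admin"},
                {"method": "GET", "domains": "public-site", "path": "/admin/login"}]:
        print(req, "->", evaluate(RULES, req))
```

Note the second request: the unexpected method would be blocked on its own, but because the domain is whitelisted the request is allowed, while every marking is still recorded so the hit stays visible in the signals even though the whitelist won.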
04. Architecture
How the WAF is functionally and logically placed in the network

Functional Architecture (diagram slide)
Where you should place it
WAF strategic placement:
1. Reverse proxy
2. Sidecar
3. On the frontend
4. SaaS model
5. Customized requirement (Istio, Envoy, serverless, agent only)
6. PaaS model

Q&A
