Copyright ECSC Group plc 2017 ECSC - UNRESTRICTED

Transcription

1 Copyright ECSC Group plc 2017 ECSC - UNRESTRICTED

2 ECSC - UNRESTRICTED Introduction A Web Application Firewall (WAF) is, in our experience, the most important layer of defence against a wide range of attacks for your Internetfacing websites. This ECSC Management Guide is designed to help you understand the workings of this technology and how to ensure that you develop and maintain and appropriate level of protection for your systems. You are probably familiar with the concept of a firewall as a (usually physical) device that sits between you and the Internet. For a website this is also necessary; however, it is of limited value in blocking attacks. For a website, the firewall simply looks at each request coming in and says does this look like a web request?. So the firewall is useful in blocking unwanted probes against your web server; for example, people trying to log into the server as an administrator. However, those attacks have largely disappeared (as most people have these basic firewalls). Today, most attacks against web servers are through the mechanism of a valid web request but one carefully designed to hack the web server. The normal firewall simply lets them through, as they look like a valid request. The WAF, or as it used to be called, an Intrusion Prevention System (IPS), looks inside each web request and checks against known suspicious content that could indicate a malicious attack. This is much more sophisticated than a traditional firewall, but also (if configured and managed correctly) very effective at blocking attacks. Each ECSC Management Guide is carefully authored for a management audience, and designed for both the technically knowledgeable and also senior managers with an interest, but not necessarily a deep technical background. ECSC Group plc has nearly two decades experience within cyber security. As such, we encounter many examples of failed technologies. Sometimes these technologies are just the wrong idea; however, in many cases, the concept has merit, but is badly implemented and poorly managed. You can benefit from this extensive experience, avoid these mistakes, and ensure your cyber security developments delivery real benefits. This paper is designed to help you start that process. Copyright ECSC Group plc

3 ECSC - UNRESTRICTED In order to get effective cyber security protection from your WAF, there are a few fundamental principles that you need to understand. Firstly, where to put your WAF. This should be inside your firewall (or sometimes integrated within a firewall). However, the important principle is that your WAF should only be looking at traffic that the firewall has already filtered. This is efficient as the WAF has to do more work, so it makes sense to allow it to just concentrate on the things the firewall lets through. The next very important element is if you use SSL (or HTTPS) on your web server this is where the secure padlock symbol appears for the users of your site. While some people think this means the site is secure, it only means the traffic to and from the site is encrypted. However, for the WAF to see attacks, it needs to read this encrypted traffic. This means special configuration to ensure the encryption keys are correctly loaded into the WAF. This is something we often see missed, meaning you give the attacker a secure connection that is invisible to the WAF. Once your WAF is correctly located and can see all your web traffic, the next task is tuning. This means real cyber security intelligence applied to understanding your website, and therefore tuning the WAF to block anything not regarded as normal. This leads us to an important point. If your WAF never accidentally blocks genuine traffic, then your security team aren t trying hard enough. Yes, you have to accept some disruptions as you need the configuration to be as tight as possible. If you don t accept the odd interruption then the security team have no choice but to de-tune the WAF to a level that isn t protecting you enough. This is similar to airport security, it is necessary to have some disruption to ensure the checks are thorough enough to catch the bad guys. Would you feel safe if the airport security checks just waved everyone through without checking anything? Remember, a good WAF management service will be able to correct any disruptions very quickly. Copyright ECSC Group plc

4 ECSC - UNRESTRICTED So, given that you need a really effective configuration, how do you achieve this without too many unnecessary interruptions to normal business? This really depends on how often you change your website. For a relatively static site, a skilled cyber security engineer should be able to develop an effective WAF configuration that blocks attacks without disruption. However, the challenge comes when regular changes are made to the site and these need to be reflected in the WAF configuration. New website features may be blocked as unusual compared with the previous tuning analysis. Therefore, you need close collaboration between the Security Operations team and the web developers. This works both ways; the WAF administrators need to understand changes and major software releases, but can also guide the developers in writing better code that is less prone to causing the WAF to block genuine traffic. It is also important that the security team monitor what is being blocked, as this gives important threat intelligence as to what the hackers are trying to do. This is a critical advantage within an outsourced Security Operations Centre, where multiple client WAFs give much better visibility on the latest attack trends and evolving hacking techniques. However, don t put all your trust in the WAF to protect your Internet-facing web servers; you need to remember the principle of defence in depth. Whilst the WAF is likely to be the best layer of defence, you should not rely on it completely. No protection is 100% effective against all attacks. This means you should also ensure you maintain: 1. System hardening, as a secure platform for your web servers. 2. Effective vulnerability management, and rapid patch management. 3. Secure coding practices, so you don t introduce your own vulnerabilities. Finally, when you do your penetration testing, it can be useful to allow the testers free access through the WAF to check the points above. Then, for high-risk findings, retest with the WAF in place to understand if it is protecting against these attacks (but still fix the problems anyway). Copyright ECSC Group plc

5 ECSC - UNRESTRICTED Where Next? In summary, a Web Application Firewall is a proven, and effective, line of defence for your Internet-facing web servers. However, it needs to be correctly deployed, expertly configured and maintained by specialists to give you maximum protection. You can achieve this by getting the right people to design and manage your WAF and collaborate closely with your web developers, whilst accepting that brief outages are a necessary consequence of effective protection. You mustn t be complacent and trust your WAF 100%. Rather, keep doing other critical security management activities and you ll prevent the next cyber security breach. This ECSC Management Guide has been designed to help you understand the most critical aspects of a key cyber security technology. This knowledge should help you procure, implement, and manage a solution that is right for your organisation and delivers effective cyber security. ECSC can help you, whether through a wide range of consultancy services or with outsourced Security Operations Centre (SOC) provision through our global delivery from the UK and Australia. Copyright ECSC Group plc

6 Copyright ECSC Group plc 2017 ECSC - UNRESTRICTED