Evaluation Criteria for Web Application Firewalls

Similar documents
Positive Security Model for Web Applications, Challenges. Ofer Shezaf OWASP IL Chapter leader CTO, Breach Security

The Top 6 WAF Essentials to Achieve Application Security Efficacy

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

SOLUTION BRIEF CA API MANAGEMENT. Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management

GOING WHERE NO WAFS HAVE GONE BEFORE

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Configuring BIG-IP ASM v12.1 Application Security Manager

Presenting the VMware NSX ECO System May Geert Bussé Westcon Group Solutions Sales Specialist, Northern Europe

Key Considerations in Choosing a Web Application Firewall

Security

Pulse Secure Application Delivery

F5 comprehensive protection against application attacks. Jakub Sumpich Territory Manager Eastern Europe

F5 Application Security. Radovan Gibala Field Systems Engineer

WEBSCALE CONVERGED APPLICATION DELIVERY PLATFORM

Cyber Attacks and Application - Motivation, Methods and Mitigation. Alfredo Vistola Solution Architect Security, EMEA

How to Render SSL Useless. Render SSL Useless. By Ivan Ristic 1 / 27

Breaking SSL Why leave to others what you can do yourself?

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

Certified Secure Web Application Engineer

"The Core Rule Set": Generic detection of application layer attacks. Ofer Shezaf OWASP IL Chapter leader CTO, Breach Security

CIH

SOLUTION BRIEF FPO. Imperva Simplifies and Automates PCI DSS Compliance

DenyAll Protect. accelerating. Web Application & Services Firewalls. your applications. DenyAll Protect

SOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications

10 FOCUS AREAS FOR BREACH PREVENTION

Solutions Business Manager Web Application Security Assessment

We b Ap p A t ac ks. U ser / Iden tity. P hysi ca l 11% Other (VPN, PoS,infra.)

SSL/TLS Deployment Best Practices

Integrated Web Application Firewall (WAF) & Distributed Denial Of Service (DDoS) Mitigation For Today s Enterprises

Securing Apache Tomcat. AppSec DC November The OWASP Foundation

Citrix NetScaler AppFirewall and Web App Security Service

CSWAE Certified Secure Web Application Engineer

PT Unified Application Security Enforcement. ptsecurity.com

WTF. Amichai Shulman, CTO Yaniv Azaria, Security Research TL

Palo Alto Networks Stallion Spring Seminar -Tech Track. Peter Gustafsson, June 2010

F5 Big-IP Application Security Manager v11

Web Application Penetration Testing

Protect Your Application with Secure Coding Practices. Barrie Dempster & Jason Foy JAM306 February 6, 2013

Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

Controlled Document Page 1 of 6. Effective Date: 6/19/13. Approved by: CAB/F. Approved on: 6/19/13. Version Supersedes:

How to Configure IPS Policies

Architecture: Consolidated Platform. Eddie Augustine Major Accounts Manager: Federal

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Application Layer Introduction; HTTP; FTP

About DPI-SSL. About DPI-SSL. Functionality. Deployment Scenarios

Maximum Security, Zero Compromise in Availability and Performance

Corrigendum 3. Tender Number: 10/ dated

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

How to configure the UTM Web Application Firewall for Microsoft Lync Web Services connectivity

SHA-1 to SHA-2. Migration Guide

1. APPLICATION SECURITY: KEY CHALLENGES

What to Look for When Evaluating Next-Generation Firewalls

Snapt WAF Manual. Version 1.2. February pg. 1

haltdos - Web Application Firewall

Security Enhancements

Turn-key Vulnerability Management

303 BIG-IP ASM SPECIALIST

Securing Cloud Applications with a Distributed Web Application Firewall Riverbed Technology

F5 Networks Defence Methodiken auf Transportund Applikationsebene. Specialist SE - Security

Best Practices in Securing Your Customer Data in Salesforce, Force.com & Chatter

Turn-key Vulnerability Management

This ethical hacking course puts you in the driver's seat of a hands-on environment with a systematic process.

Connection Logging. Introduction to Connection Logging

ADC im Cloud - Zeitalter

PrecisionAccess Trusted Access Control

What is an application delivery controller?

1.0 High Availability (HA) Firewall Module Lab Report. Elitecore Technologies Ltd. Cyberoam CR50i Version build 25.

Integrated Web Application Firewall & Distributed Denial of Service (DDoS) Mitigation Solution

Introduction. Controlling Information Systems. Threats to Computerised Information System. Why System are Vulnerable?

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

Implementing Cisco Network Security (IINS) 3.0

Connection Logging. About Connection Logging

Fundamental Questions to Answer About Computer Networking, Jan 2009 Prof. Ying-Dar Lin,

Next-Generation Firewall Overview

Web Application Firewall Subscription on Cyberoam UTM appliances

Rethinking Security: The Need For A Security Delivery Platform

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

InterCall Virtual Environments and Webcasting

Radware's Application Front End solution for Microsoft Exchnage 2003 Outlook Web Access (OWA)

Deploying the BIG-IP System with HTTP Applications

Completing your AWS Cloud SECURING YOUR AMAZON WEB SERVICES ENVIRONMENT

GLOBALPROTECT. Key Usage Scenarios and Benefits. Remote Access VPN Provides secure access to internal and cloud-based business applications

Vidder PrecisionAccess

Mobile Payment Application Security. Security steps to take while developing Mobile Application s. SISA Webinar.

Shortcut guide to Web application firewall deployment

Web Application Firewall

Barracuda Web Application Firewall Foundation - WAF01. Lab Guide

Who am I? Sandro Gauci and EnableSecurity Over 8 years in the security industry Published security research papers Tools - SIPVicious and SurfJack

Web Application Firewall Getting Started Guide. September 7, 2018

White Paper February McAfee Network Protection Solutions. Encrypted Threat Protection Network IPS for SSL Encrypted Traffic.

APP-ID. A foundation for visibility and control in the Palo Alto Networks Security Platform

Paperspace. Security Primer & Architecture Overview. Business Whitepaper. 20 Jay St. Suite 312 Brooklyn, NY 11201

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

Advanced Diploma on Information Security

Load Balancing Nginx Web Servers with OWASP Top 10 WAF in Azure

Scan Report Executive Summary. Part 2. Component Compliance Summary Component (IP Address, domain, etc.):

The Next Generation Security Platform. Domenico Stranieri Pre- Sales Engineer Palo Alto Networks EMEA Italy

Brocade Application Delivery

Transcription:

Evaluation Criteria for Web Application Firewalls Ivan Ristić VP Security Research Breach Security 1/31

Introduction Breach Security Global headquarters in Carlsbad, California Web application security provider for over six years Led by experienced security executives Trusted by large enterprise customers Next-generation web application security solutions for protecting business-critical applications transmitting privileged information. Resolve security challenges such as identity theft, information leakage, regulatory compliance, and insecurely coded applications. Best threat detection in the industry and the most flexible deployment options available. 2/31

Introduction Ivan Ristić Web application security and web application firewall specialist Author of Apache Security Author of ModSecurity OWASP London Chapter leader Officer of the Web Application Security Consortium WAFEC project leader 3/31

1. Seeing 4/31

A variety of deployment options 5/31

What you really care about Key questions: 1. How easy is it to install? 2. What happens when it breaks? 3. How will it impact my stuff? Performance Traffic modification SSL handling 4. How does it block? 6/31

Do not forget to look within Internal influencing factors are often stronger than the external ones: Legacy Internal and external deadlines Resources (installation and maintenance) Architecture Growth (scaling) Will Organisational boundaries 7/31

Capability matrix 8/31

Impact Internal influencing factors: 1. Performance 2. Traffic modification 3. SSL handling, which can impact applications that are using private certificates 9/31

Impact: Performance Performance: 1. Out-of-line - no impact 2. Inline devices can go either way: Added latency Performance decrease under load Reverse proxy performance improvements (compression, caching, etc...) 3. Embedded solutions compete for web server resources 10/31

Impact: Traffic Traffic modification: 1. Change of IP address by reverse proxies Can be mitigated with a web server module Or by using a transparent reverse proxy 2. Changes to dynamics due to use of buffering for blocking 1. 2. 11/31 Problems with very large requests Problems with applications that expect instant data delivery

Impact: SSL SSL: 1. Products that passively decrypt SSL will not cause any impact 2. SSL termination might: 1. 12/31 If you are using private SSL certificates you will have to reconfigure the web server or the application

Blocking Blocking options: 1. TCP resets (out of line) 2. Packet blocking (inline layer 2) 3. Intermediation w/buffering (inline layer 7 and embedded) 13/31 Can be mitigated with a web server module Or by using a transparent one Orchestration of external blocking architecture (e.g. firewalls, apps)

2. Understanding 14/31

Building blocks of understanding 3 2 1 15/31 Learning Data model Coverage

Coverage 1 Ability to peel through layers of data: 1. Access to the entire data stream (in & out) 2. Complete HTTP parsing, including: Chunked encoding Compression 3. 16/31 Various request body formats application/x-www-form-urlencoded multipart/form-data XML Complete character encoding support Ability to handle non-standard traffic Strong counter-evasion facilities

Data model 2 Data model requires stateful operation, and consists of the following elements: 1. Location GeoIP lookups IP address blocks 2. Application 3. Session 4. User 17/31 1. Sign in 2. Sign out

Learning 3 What you really want is for someone else to do the hard work: 1. WAFs can create a (positive-security) model of your application by monitoring traffic Not all products support learning A few claim they do but don't work well 2. Try it out before you commit 18/31 It's the single best time saver And make sure it's continuous

3. Doing 19/31

Doing: Overview 20/31

Logging Full transaction logging is key: Very resource intensive: Classify information Remove sensitive data, then index and store data Keep transaction around, and report on it Delete transaction 2. Logging choices: 1. Logging everything is rarely an option Ability to choose exactly what to log is very handy! 21/31 Log only relevant transactions Log all transactions except static ones Smart logging?

Detection 1. Detection ability comes from several places: Signature database Custom-rule writing Learning Hard-coded functionality 2. The two most important aspects: 1. 2. 22/31 False positives False negatives

Signature database Negative security model is the foundation: 1. Scope Generic web application attacks Platform issues (e.g. Apache, IIS) Product issues (e.g. WordPress) 2. Update frequency 3. Quality 1. 2. 3. 23/31 Exploit or vulnerability based Low rate of false positives Low rate of false negatives

Custom rule writing Just-in-time patching is an important WAF use case: 24/31 1. Very narrow scope: just one problem 2. Approaches: Negative model Positive model (preferred) 3. May require complex logic 4. May require custom normalisation 5. Ideally, a programming language

Learning Contributing factors: Speed Accuracy Granularity Adaptation to changes 25/31 Partial learning/re-learning support Manual Change detection Continuous learning Support for manual tweaking Adaptability

Packaged functionality Some things just need to be hardcoded. For example: 1. Brute force attack detection 2. Cookie signing & encryption 3. PDF Universal XSS defence 26/31

Blocking 1. Block requests 2. Block responses 3. Persistent blocking IP address/block Session User 4. Custom error page 1. 27/31 With unique transaction ID embedded

Decision time 28/31

Parting thoughts Things we didn't mention are equally important: 1. Configuration granularity 2. Robust policy management 3. Usability 4. Management features 5. Reporting 6. Enterprise features 29/31

Resources For further information: WAFEC - http://www.wafec.com WAFEC v1 published in 2006 WAFEC v2 will be published soon Join the group! ICSA Labs - http://www.icsalabs.com WAF Certification Criteria PCI Security Council - https://www.pcisecuritystandards.org 1. 30/31 Requirement 6.6 Supplement

Questions? Thank you! Ivan Ristić ivan.ristic@breach.com 31/31

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback