Copyright 2006 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.

The OWASP Foundation
OWASP AppSec Europe, May 2006
http://www.owasp.org/

Web Application Firewalls: When Are They Useful?

Ivan Ristic
Thinking Stone
ivanr@webkreator.com
Ivan Ristic

- Web Application Security specialist & developer.
- Author of Apache Security.
- Founder of Thinking Stone.
- Author of ModSecurity.
Why Use Web Application Firewalls?

In a nutshell:
1. Web applications are deployed terribly insecure.
2. Developers should, of course, continue to strive to build better/more secure software.
3. But in the meantime, sysadmins must do something about it. (Or, as I like to say: we need all the help we can get.)
4. Insecure applications aside, WAFs are an important building block in every HTTP network.
Network Firewalls Do Not Work For HTTP

[Diagram: Web Client -> Firewall (port 80 open, HTTP traffic passes through) -> Web Server -> Application, Application -> Database Server.]
WAFEC (1)

- Web Application Firewall Evaluation Criteria.
- Project of the Web Application Security Consortium (webappsec.org).
- It's an open project.
- Nine WAF vendors on board, but I'd like to see more users on the list.
- WAFEC v1.0 published in January.
- We are about to start work on v1.1.
WAFEC (2)

Nine sections:
1. Deployment Architecture
2. HTTP and HTML Support
3. Detection Techniques
4. Prevention Techniques
5. Logging
6. Reporting
7. Management
8. Performance
9. XML
WAFEC (3)

WAFEC is not for the vendors. It's for the users.
(So please voice your opinions!)
http://www.webappsec.org/projects/wafec/
WAF Identity Problem (1)

- There is a long-standing WAF identity problem.
- With the name, first of all:
  Web Adaptive Firewall
  Web Application Firewall
  Web Application Security Device
  Web Application Proxy
  Web Application Shield
  Web Shield
  Web Security Firewall
  Web Security Gateway
  Web Security Proxy
  Web Intrusion Detection System
  Web Intrusion Prevention System
  Adaptive Firewall
  Adaptive Proxy
  Adaptive Gateway
  Application Firewall
  Application-level Firewall
  Application-layer Firewall
  Application-level Security Gateway
  Application Level Gateway
  Application Security Device
  Application Security Gateway
  Stateful Multilayer Inspection Firewall
  (List compiled by Achim Hoffmann.)
WAF Identity Problem (2)

- There are four aspects to consider:
  1. Audit device
  2. Access control device
  3. Layer 7 router/switch
  4. Web Application Hardening tool
- These are all valid requirements, but the name Web Application Firewall is not suitable.
- On the lower network layers we have a different name for each function.
WAF Identity Problem (3)

- Appliance-oriented web application firewalls clash with the Application Assurance market.
- Problems solved a long time ago:
  - Load balancing
  - Clustering
  - SSL termination and acceleration
  - Caching and transparent compression
  - URL rewriting
  - ...and so on
WAF Identity Problem (4)

- Key factors:
  1. Application Assurance vendors are very strong.
  2. Web Application Firewall vendors not as much.
- Result: appliance-oriented WAFs are being assimilated by the Application Assurance market.
- In the meantime: embedded WAFs are left alone because they are not an all-or-nothing proposition.
WAF Functionality Overview
The Essentials (1)

- Full support for HTTP:
  - Access to individual fields (field content, length, field count, etc.).
  - Entire transaction (both request and response).
  - Uploaded files.
- Anti-evasion features (also known as normalisation/canonicalisation/transformation features). A rule that inspects the raw, still-encoded request is bypassed by the first encoding trick an attacker tries; the WAF has to see what the back end will see.
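The canonicalisation step in working form, as an added example that is not code from the talk or from any product. It decodes, normalises and lowercases a request path before a simple prefix rule is applied, and lists constructed evasion attempts that the same rule misses when run on the raw path. The blocked prefixes, the decode bound and the lowercasing (which assumes a case-insensitive back end) are assumptions made for the example.

```python
"""Anti-evasion canonicalisation for a path-based WAF rule (added example)."""
import re
from urllib.parse import unquote

# Constructed policy: paths a rule wants to deny to outside clients.
BLOCKED_PREFIXES = ("/admin/", "/cgi-bin/")


def canonicalise_path(path: str) -> str:
    """Return one canonical form of a request path.

    Order matters: decode before anything else so that a decoded '%2e%2e'
    still takes part in dot-segment resolution, and cut at NUL before
    lowercasing so an injected terminator cannot hide a suffix.
    """
    decoded, previous = path, None
    for _ in range(5):                      # bounded; handles %25xx double encoding
        if decoded == previous:
            break
        previous, decoded = decoded, unquote(decoded)
    decoded = decoded.split("\x00", 1)[0]   # back ends written in C stop at NUL
    decoded = decoded.replace("\\", "/")    # Windows-style separators
    decoded = re.sub(r"/+", "/", decoded)   # '//' is one separator to most servers
    segments = []
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if segments:
                segments.pop()
            continue
        segments.append(segment)
    return "/" + "/".join(segments).lower()  # assumption: case-insensitive back end


def is_blocked(raw_path: str, canonicalise: bool = True) -> bool:
    """Apply the prefix policy, with or without canonicalisation first."""
    path = canonicalise_path(raw_path) if canonicalise else raw_path
    return any(path == prefix.rstrip("/") or path.startswith(prefix)
               for prefix in BLOCKED_PREFIXES)


# Constructed evasion attempts: each reaches /admin/users on a typical server,
# and none of them starts with the literal string "/admin/".
EVASIONS = [
    "/Admin/users",               # case
    "//admin/users",              # doubled separator
    "/./admin/users",             # dot segment
    "/%61dmin/users",             # single URL encoding
    "/%2561dmin/users",           # double URL encoding
    "/public/../admin/users",     # dot-dot segment
    "/admin\\users",              # backslash separator
    "/admin%00.html/users",       # NUL byte
]


def missed_without_canonicalisation(paths=EVASIONS):
    """Paths the naive check lets through but the canonicalising check stops."""
    return [p for p in paths
            if is_blocked(p) and not is_blocked(p, canonicalise=False)]
```

Every entry in EVASIONS is caught only after canonicalisation; the list of steps is the part to adapt to the actual back end, because a normalisation the server does not perform creates a different kind of mismatch (the WAF blocks what the server would have served).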
The Essentials (2)

- Blocking features (what happens upon detection?):
  - Transaction
  - Connection
  - IP Address
  - Session
  - User
  - Honeypot redirection
  - TCP/IP resets (connection)
  - Blocking via external device
Fancy Features

- Stateful operation:
  - IP Address data
  - Session data
  - User data
  - Event correlation
- High availability:
  - Failover
  - Load-balancing
  - Clustering
  - State replication
Hard-Coded Protection Techniques (1)

- Cookie protection: sign/encrypt/virtualise.
- Hidden field protection: sign/encrypt/virtualise.
- Session management protection:
  - Enforce session duration timeout, inactivity timeout.
  - Prevent fixation.
  - Virtualise session management.
  - Prevent hijacking, or at least warn about it.
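The "sign" variant of cookie and hidden-field protection, as an added example that is not code from the talk or from ModSecurity. The WAF appends an HMAC tag to every cookie and hidden field the application sends out and verifies the tag when the value comes back; a session cookie is additionally bound to a client fingerprint, so the same cookie presented from elsewhere fails verification, which is the hijack warning from the slide. The key, the field names and the fingerprint (client IP plus User-Agent) are constructed for the example.

```python
"""Signed cookies and hidden fields at the WAF layer (added example)."""
import base64
import hashlib
import hmac

# Constructed: the form fields the application emits as hidden fields.
HIDDEN_FIELDS = {"item_id", "price"}


def _mac(key: bytes, *parts: str) -> str:
    """HMAC-SHA256 over the parts, joined with a separator no part contains."""
    message = "\x1f".join(parts).encode("utf-8")
    digest = hmac.new(key, message, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def sign_field(key: bytes, kind: str, name: str, value: str, ctx: str = "") -> str:
    """Return 'value.tag'. The tag covers kind and name, so a signed cookie
    cannot be replayed as a hidden field and one field's value cannot be
    moved to another; ctx (client fingerprint) ties a cookie to one client."""
    return f"{value}.{_mac(key, kind, name, ctx, value)}"


def verify_field(key: bytes, kind: str, name: str, signed: str, ctx: str = ""):
    """Return the original value, or None if the tag is missing or wrong."""
    value, separator, tag = signed.rpartition(".")   # tag is base64url: no '.'
    if not separator:
        return None
    if not hmac.compare_digest(tag, _mac(key, kind, name, ctx, value)):
        return None
    return value


def client_context(ip: str, user_agent: str) -> str:
    """What a session cookie is bound to; a mismatch later is a hijack signal."""
    return f"{ip}|{user_agent}"


def protect_response(key: bytes, cookies: dict, form: dict, ctx: str) -> tuple:
    """Outbound: sign every Set-Cookie value and every hidden form field."""
    signed_cookies = {n: sign_field(key, "cookie", n, v, ctx) for n, v in cookies.items()}
    signed_form = {n: (sign_field(key, "hidden", n, v) if n in HIDDEN_FIELDS else v)
                   for n, v in form.items()}
    return signed_cookies, signed_form


def check_request(key: bytes, cookies: dict, form: dict, ctx: str) -> tuple:
    """Inbound: strip the tags, returning clean values and a list of alerts."""
    alerts, clean_cookies, clean_form = [], {}, {}
    for name, signed in cookies.items():
        value = verify_field(key, "cookie", name, signed, ctx)
        if value is None:
            alerts.append(f"cookie {name}: tampered or presented by a different client")
        else:
            clean_cookies[name] = value
    for name, raw in form.items():
        if name not in HIDDEN_FIELDS:
            clean_form[name] = raw              # ordinary user input: not signed
            continue
        value = verify_field(key, "hidden", name, raw)
        if value is None:
            alerts.append(f"hidden field {name}: tampered")
        else:
            clean_form[name] = value
    return clean_cookies, clean_form, alerts
```

Binding the tag to the client fingerprint is what turns this into the hijack warning, but it also means users whose IP changes mid-session (mobile networks, proxy pools) trip it; a deployment that cannot accept that drops the IP from the context and keeps only the User-Agent, at the cost of a weaker signal.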


Hard-Coded Protection Techniques (2)

- Brute-force protection.
- Link validation: signing, virtualisation.
- Request flow enforcement: statically, dynamically.
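Brute-force protection and request flow enforcement together, as an added example that is not code from the talk or from ModSecurity; both rely on the per-IP and per-session state listed under "stateful operation" earlier. The brute-force guard counts login failures per IP in a sliding window; the flow enforcer implements the static mode (a path may only follow a configured previous step) and the dynamic mode (a path may only be one the previous response linked to). The limits, the checkout flow and the sessions are constructed for the example.

```python
"""Brute-force guard and request flow enforcement (added example)."""
from collections import defaultdict, deque


class BruteForceGuard:
    """Block an IP once it has `limit` failed logins inside a sliding window.

    A WAF learns about the failure from the response (the login form served
    again, or a 401), so this is fed outcomes rather than raw requests.
    """

    def __init__(self, limit: int = 5, window: float = 300.0):
        self.limit = limit
        self.window = window
        self.failures = defaultdict(deque)           # ip -> failure timestamps

    def _recent(self, ip: str, now: float) -> deque:
        queue = self.failures[ip]
        while queue and now - queue[0] > self.window:
            queue.popleft()                          # expire old failures
        return queue

    def note_failure(self, ip: str, now: float) -> None:
        self._recent(ip, now).append(now)

    def is_blocked(self, ip: str, now: float) -> bool:
        return len(self._recent(ip, now)) >= self.limit


class FlowEnforcer:
    """Request flow enforcement in both modes from the slide.

    Static: `static_flow` says which step must immediately precede a path.
    Dynamic: the links the previous response offered to this session (a WAF
    collects them from the HTML it proxies; here they are passed in directly).
    """

    def __init__(self, static_flow: dict):
        self.static_flow = static_flow
        self.last_path = {}                          # session -> last allowed path
        self.offered = {}                            # session -> links last offered

    def observe_response(self, session: str, links) -> None:
        self.offered[session] = set(links)

    def allow(self, session: str, path: str) -> bool:
        prerequisites = self.static_flow.get(path)
        if prerequisites is not None and self.last_path.get(session) not in prerequisites:
            return False                             # static: wrong previous step
        offered = self.offered.get(session)
        if offered is not None and path not in offered:
            return False                             # dynamic: link was never offered
        self.last_path[session] = path
        self.offered.pop(session, None)              # consumed; the next response sets a new set
        return True


# Constructed checkout flow: /checkout only after /cart, /pay only after /checkout.
STATIC_FLOW = {"/checkout": {"/cart"}, "/pay": {"/checkout"}}


def demo_flow() -> dict:
    """Three constructed sessions: one honest, one that skips a step, one that forges a link."""
    enforcer = FlowEnforcer(STATIC_FLOW)
    enforcer.allow("honest", "/cart")
    enforcer.observe_response("honest", ["/cart", "/checkout"])
    honest = enforcer.allow("honest", "/checkout") and enforcer.allow("honest", "/pay")
    skipper = enforcer.allow("skipper", "/pay")          # straight to payment
    enforcer.allow("forger", "/cart")
    enforcer.observe_response("forger", ["/checkout"])
    forger = enforcer.allow("forger", "/admin/orders")   # link never offered
    return {"honest": honest, "skipper": skipper, "forger": forger}
```

The dynamic mode is the stricter of the two and also the one that breaks first when the application changes or when users open links in new tabs, which is the same trade-off the positive security model carries.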
Other Things To Consider (1)

- Management:
  - Is it possible to manage multiple sensors from one place?
  - Support for administrative accounts with different privileges (both horizontal and vertical).
- Reporting (giving Management what it wants):
  - On-demand and scheduled reports with support for cus
- XML:
  - WAFs are expected to provide basic support for XML parsing and validation.
  - Full XML support is usually available as an option, or as a completely separate product.
Other Things To Consider (2)

- Extensibility:
  - Is it possible to add custom functionality to the firewall?
  - Is the source code available? (But not as a replacement for a proper API.)
- Performance:
  - New connections per second.
  - Maximum concurrent connections.
  - Transactions per second.
  - Throughput.
  - Latency.
Signatures and Rules
Signatures or Rules?

1. Signatures
   - Simple text strings or regular expression patterns matched against input data.
   - Not very flexible.
2. Rules
   1. Flexible.
   2. Multiple operators.
   3. Rule groups.
   4. Anti-evasion functions.
   5. Logical expressions.
   6. Custom variables.
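The difference made concrete, as an added example that is not code from the talk or from ModSecurity: a bare signature run over the raw request line, next to a tiny rule engine with the six properties from the slide (targets that select specific fields, several operators, anti-evasion transformations, chaining as a logical AND, an ordered rule group and a custom anomaly variable that a final rule decides on). The rule ids, targets, scores and the threshold are constructed for the example.

```python
"""Signature versus rule engine (added example)."""
import re
from dataclasses import dataclass, field
from urllib.parse import unquote


@dataclass
class Request:
    path: str
    args: dict
    headers: dict


# 1. A signature: one pattern, run over the raw request line, no context.
SIGNATURE = re.compile(r"union\s+select", re.IGNORECASE)


def signature_match(raw_request_line: str) -> bool:
    return SIGNATURE.search(raw_request_line) is not None


# 2. Rules: a target selects data, transformations normalise it, an operator tests it.
TRANSFORMS = {
    "urldecode": unquote,
    "lowercase": str.lower,
    "compresswhitespace": lambda s: re.sub(r"\s+", " ", s),
}
OPERATORS = {
    "rx": lambda value, arg: re.search(arg, value) is not None,
    "gt": lambda value, arg: value.lstrip("-").isdigit() and int(value) > int(arg),
}


@dataclass
class Rule:
    rid: int
    targets: list                  # "ARGS", "ARGS:id", "HEADERS:user-agent", "&ARGS", "TX:anomaly"
    op: str
    arg: str
    transforms: list = field(default_factory=list)
    negate: bool = False           # match when the operator does NOT hold
    chain: "Rule | None" = None    # logical AND with another rule
    setvar: tuple = ()             # ("anomaly", 5): bump a custom variable on match
    action: str = "pass"           # or "deny"


def select(req: Request, tx: dict, target: str) -> list:
    """Resolve a target expression to (name, value) pairs."""
    if target == "REQUEST_URI":
        return [("REQUEST_URI", req.path)]
    if target == "&ARGS":                              # count of arguments
        return [("&ARGS", str(len(req.args)))]
    collection, _, name = target.partition(":")
    source = {"ARGS": req.args, "HEADERS": req.headers,
              "TX": {k: str(v) for k, v in tx.items()}}[collection]
    if name:
        return [(name, source[name])] if name in source else []
    return list(source.items())


def rule_matches(rule: Rule, req: Request, tx: dict) -> bool:
    hit = False
    for target in rule.targets:
        for _, value in select(req, tx, target):
            for name in rule.transforms:
                value = TRANSFORMS[name](value)
            if OPERATORS[rule.op](value, rule.arg) != rule.negate:
                hit = True
    if hit and rule.chain is not None:                 # chained rule must match too
        hit = rule_matches(rule.chain, req, tx)
    if hit and rule.setvar:
        var, delta = rule.setvar
        tx[var] = tx.get(var, 0) + delta
    return hit


def evaluate(group: list, req: Request) -> tuple:
    """Run a rule group in order; return (action, tx) with the custom variables."""
    tx = {"anomaly": 0}
    for rule in group:
        if rule_matches(rule, req, tx) and rule.action == "deny":
            return "deny", tx
    return "pass", tx


# A constructed rule group. Rules 1001-1003 only score; 1999 decides.
RULE_GROUP = [
    Rule(1001, ["ARGS"], "rx", r"union\s+select",
         transforms=["urldecode", "lowercase", "compresswhitespace"], setvar=("anomaly", 5)),
    Rule(1002, ["ARGS:id"], "rx", r"^[0-9]+$", negate=True, setvar=("anomaly", 3)),  # positive check
    Rule(1003, ["HEADERS:user-agent"], "rx", r"sqlmap", transforms=["lowercase"],
         chain=Rule(1004, ["&ARGS"], "gt", "0"), setvar=("anomaly", 5)),
    Rule(1999, ["TX:anomaly"], "gt", "4", action="deny"),
]
```

The signature misses `q=1%20UNION%0aSELECT` because the keywords are still encoded and separated by a newline; rule 1001 catches it because the transformations run first. Rule 1002 is a positive-model check expressed as a negated rule, and rule 1999 is where a deployment tunes aggressiveness: raise the threshold and single weak matches only get logged.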
Three Protection Strategies

1. External patching
   - Also known as "just-in-time patching" or "virtual patching".
2. Negative security model
   - Looking for bad stuff.
   - Typically used for Web Intrusion Detection.
   - Easy to start with but difficult to get right.
3. Positive security model
   - Verifying input is correct.
   - Usually automated, but very difficult to get right with applications that change.
   - It's very good but you need to set your expectations accordingly.
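An automated positive security model in miniature, as an added example that is not code from the talk or from any product. Profiles are learned per resource from traffic assumed to be clean (which parameters exist, how loose their character class is, how long they get) and then enforced; the last case shows the failure mode the slide warns about, where a new parameter added by an application change is rejected until the profile is relearned. The character classes, the length slack and the sample traffic are constructed for the example.

```python
"""Learned positive security model (added example)."""
import re
from collections import defaultdict

# Character classes from strictest to loosest; a parameter is profiled with
# the loosest class any learned value needed.
CLASSES = [
    ("digits", re.compile(r"^[0-9]+$")),
    ("alnum", re.compile(r"^[A-Za-z0-9_-]*$")),
    ("text", re.compile(r"^[^\x00-\x1f<>]*$")),   # printable, but no tags or control bytes
    ("any", re.compile(r".*", re.DOTALL)),
]


def class_index(value: str) -> int:
    return next(i for i, (_, rx) in enumerate(CLASSES) if rx.match(value))


class Profile:
    """What one resource (method + path) was seen to accept."""

    def __init__(self):
        self.params = {}                           # name -> {"class": int, "maxlen": int}

    def learn(self, args: dict) -> None:
        for name, value in args.items():
            p = self.params.setdefault(name, {"class": 0, "maxlen": 0})
            p["class"] = max(p["class"], class_index(value))
            p["maxlen"] = max(p["maxlen"], len(value))

    def check(self, args: dict) -> list:
        violations = []
        for name, value in args.items():
            p = self.params.get(name)
            if p is None:
                violations.append(f"{name}: parameter never seen during learning")
                continue
            if class_index(value) > p["class"]:
                violations.append(f"{name}: {value!r} is outside class {CLASSES[p['class']][0]}")
            if len(value) > int(p["maxlen"] * 1.5) + 1:   # slack to reduce false positives
                violations.append(f"{name}: length {len(value)} exceeds learned maximum")
        return violations


class PositiveModel:
    def __init__(self):
        self.profiles = defaultdict(Profile)

    def learn(self, method: str, path: str, args: dict) -> None:
        self.profiles[(method, path)].learn(args)

    def check(self, method: str, path: str, args: dict) -> list:
        if (method, path) not in self.profiles:
            return [f"{method} {path}: resource never seen during learning"]
        return self.profiles[(method, path)].check(args)


# Constructed clean traffic used for learning.
LEARNING_TRAFFIC = [
    ("GET", "/search", {"q": "running shoes", "page": "1"}),
    ("GET", "/search", {"q": "jacket", "page": "12"}),
    ("GET", "/item", {"id": "1041"}),
    ("POST", "/login", {"user": "alice", "password": "s3cret-but-learned-as-text!"}),
]


def build_model(traffic=LEARNING_TRAFFIC) -> PositiveModel:
    model = PositiveModel()
    for method, path, args in traffic:
        model.learn(method, path, args)
    return model
```

Two things to notice before trusting such a model: anything in the learning traffic is accepted forever, so an attack that slips into the learning window widens the profile, and the `q` parameter is already in the permissive `text` class after seeing one value with a space, which is how a free-text field ends up protected only by the length bound.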
Auditing and HTTP Traffic Monitoring
Web Intrusion Detection

- Often forgotten because of marketing pressures:
  - Detection is so last year (decade).
  - Prevention sounds and sells much better!
- The problem with prevention is that it is bound to fail given a sufficiently determined attacker (or an inexperienced WAF operator).
- Monitoring (logging and detection) is actually more important, as it allows you to independently audit traffic and go back in time.
Monitoring Requirements

- Centralisation.
- Transaction data storage.
- Control over which transactions are logged and which parts of each transaction are logged, dynamically on a per-transaction basis:
  - Minimal information (session data).
  - Partial transaction data.
  - Full transaction data.
- Support for data sanitisation.
- Can implement your retention policy.
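The logging requirements above in one place, as an added example that is not code from the talk or from ModSecurity: the level of detail (minimal, partial, full) is chosen per transaction from what happened in it, sensitive fields and card-shaped numbers are masked before anything is stored, and a retention period is attached to each record so the policy travels with the data to the central store. The field names, the level rules, the retention periods and the sample transactions are constructed for the example.

```python
"""Per-transaction audit records with sanitisation and retention (added example)."""
import json
import re

SENSITIVE_FIELDS = {"password", "passwd", "card_number", "cvv"}
CARD_LIKE = re.compile(r"\b(?:\d[ -]?){13,16}\b")              # PAN-shaped numbers in free text
RETENTION_DAYS = {"minimal": 365, "partial": 90, "full": 30}   # more detail, shorter keeping


def sanitise_text(text: str) -> str:
    return CARD_LIKE.sub("[MASKED-PAN]", text)


def sanitise_fields(fields: dict) -> dict:
    return {name: ("[MASKED]" if name.lower() in SENSITIVE_FIELDS else sanitise_text(value))
            for name, value in fields.items()}


def choose_level(tx: dict) -> str:
    """Decide, per transaction, how much to keep.

    Anything that raised an alert or failed on the server is kept in full;
    state-changing or rejected requests are kept partially; ordinary
    successful reads only leave a minimal trace.
    """
    if tx["alerts"] or tx["status"] >= 500:
        return "full"
    if tx["method"] != "GET" or tx["status"] >= 400:
        return "partial"
    return "minimal"


def audit_record(tx: dict) -> dict:
    """Build the record that is actually stored for one transaction."""
    level = choose_level(tx)
    record = {                                          # minimal: session data only
        "tx_id": tx["tx_id"], "client_ip": tx["client_ip"], "method": tx["method"],
        "uri": tx["uri"], "status": tx["status"], "level": level,
        "retention_days": RETENTION_DAYS[level], "alerts": list(tx["alerts"]),
    }
    if level in ("partial", "full"):                    # partial: headers and parameters
        record["request_headers"] = sanitise_fields(tx["request_headers"])
        record["args"] = sanitise_fields(tx["args"])
    if level == "full":                                 # full: bodies too
        record["request_body"] = sanitise_text(tx["request_body"])
        record["response_body"] = sanitise_text(tx["response_body"])
    return record


def audit_line(tx: dict) -> str:
    """One JSON line per transaction, ready for a central collector."""
    return json.dumps(audit_record(tx), sort_keys=True)


# Constructed transactions: a static fetch, a login, and a payment that raised an alert.
TRANSACTIONS = [
    {"tx_id": "t1", "client_ip": "10.0.0.7", "method": "GET", "uri": "/css/site.css",
     "status": 200, "alerts": [], "request_headers": {"host": "shop.example"},
     "args": {}, "request_body": "", "response_body": "body{}"},
    {"tx_id": "t2", "client_ip": "10.0.0.7", "method": "POST", "uri": "/login",
     "status": 302, "alerts": [], "request_headers": {"host": "shop.example"},
     "args": {"user": "alice", "password": "hunter2"}, "request_body": "", "response_body": ""},
    {"tx_id": "t3", "client_ip": "10.0.0.9", "method": "POST", "uri": "/pay",
     "status": 200, "alerts": ["rule 1001: SQL injection in ARGS:note"],
     "request_headers": {"host": "shop.example"},
     "args": {"note": "card 4111 1111 1111 1111 please", "card_number": "4111111111111111"},
     "request_body": "note=see+card&card_number=4111111111111111",
     "response_body": "<html>ok</html>"},
]
```

Masking by field name handles the fields you know about; the PAN pattern is there for the ones you do not, such as a card number typed into a free-text note, and the same idea extends to any other identifier your retention policy says must not reach the log store.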


Deployment
Deployment

Three choices when it comes to deployment:
1. Network-level device.
2. Reverse proxy.
3. Embedded in web server.
Deployment (2)-(4)

1. Network-level device: does not require network re-configuration.
2. Reverse proxy: typically requires network re-configuration.
3. Embedded: does not require network re-configuration.
Deployment (5)

1. Network passive
   - Does not affect performance.
   - Easy to add.
   - Not a bottleneck or a point of failure.
   - Limited prevention options (a TCP reset sent after the fact races the real response).
   - Must have copies of SSL keys (and can only decrypt sessions that use RSA key exchange; ephemeral Diffie-Hellman suites cannot be decrypted from a copy of the server key).
2. Network in-line
   - A potential bottleneck.
   - Point of failure.
   - Must have copies of SSL keys.
   - Easy to add.
Deployment (6)

3. Reverse proxy
   - A potential bottleneck.
   - Point of failure.
   - Requires changes to the network (unless it's a transparent reverse proxy).
   - Must terminate SSL (can be a problem if the application needs to access client certificate data).
   - It's a separate architecture/security layer.
4. Embedded
   - Easy to add (and usually much cheaper).
   - Not a point of failure.
   - Uses web server resources.
Reverse Proxy As a Building Block

- Reverse proxy patterns:
  1. Front door
  2. Integration reverse proxy
  3. Protection reverse proxy
  4. Performance reverse proxy
  5. Scalability reverse proxy
- Logical patterns, orthogonal to each other.
- Often deployed as a single physical reverse proxy.
Front Door (1/5)

- Make all HTTP traffic go through the proxy.
- Centralisation makes access control, logging, and monitoring easier.

Integration Reverse Proxy (2/5)

- Combine multiple web servers into one.
- Hide the internals.
- Decouple interface from implementation.

Protection Reverse Proxy (3/5)

- Observes traffic in and out.
- Blocks invalid requests and attacks.
- Prevents information disclosure.

Performance Reverse Proxy (4/5)

- Transparent caching.
- Transparent response compression.
- SSL termination.

Scalability Reverse Proxy (5/5)

- Load balancing.
- Fault tolerance.
- Clustering.
Open Source Approach: Apache & ModSecurity
Apache

- One of the most used open source products.
- Available on many platforms.
- Free, fast, stable and reliable.
- Expertise widely available.
- Apache 2.2.x (finally!) released with many improvements:
  - Improved authentication.
  - Improved support for caching.
  - Significant improvements to the mod_proxy code (and load balancing support).
- Ideal reverse proxy!
ModSecurity

- Adds WAF functionality to Apache.
- In the 4th year of development.
- Free, open source, commercially supported.
- Implements most WAF features (and the remaining ones are coming soon).
- Popular and very widely used.
- Fast, reliable and predictable.
Apache + ModSecurity

- Deploy as reverse proxy:
  - Pick a nice server (I am quite fond of Sun's hardware offerings myself).
  - Install Apache 2.2.x.
  - Add ModSecurity.
  - Add SSL acceleration card (optional).
- Or simply run ModSecurity in embedded mode.
ModSecurity

- Strong areas:
  - Auditing/logging support.
  - Real-time traffic monitoring.
  - Just-in-time patching.
  - Prevention.
  - Very configurable/programmable.
- Weak areas:
  - No automation of the positive security model approach yet.
Thank you!

Download this presentation from
http://www.thinkingstone.com/talks/

Questions?