Implementing a WAF

•

2 gostaram•4,242 visualizações

Mark Hillick

Presentation @ local Owasp Ireland Chapter on my experiences of implementing a Web Application Firewall

Tecnologia

TRIALS & TRIBULATIONS OF WAF
MARK HILLICK - @MARKOFU

Thursday 20 May 2010

AWK -F: '/ROOT/ {PRINT $5}' /ETC/PASSWD

Mark Hillick

Thursday 20 May 2010

PHASES

Introduction

Starting Out

Design

Test

Implementation

Post-Implementation

Thursday 20 May 2010

INTRODUCTION - WHAT IS A WAF?

Thursday 20 May 2010

INTRODUCTION - WAF TODAY?

WAF Marketplace

Maturing

Compliance

Boo

Thursday 20 May 2010

INTRODUCTION - WAF TODAY?

WAF deployments were initially propelled by PCI .........
but are now increasingly driven by security best
practices.

Source: Forrester 2010

Thursday 20 May 2010

INTRODUCTION - NUMBERS

$200
million
20%
Thursday 20 May 2010

INTRODUCTION - VENDORS

Software/Hardware

Commercial/Open Source

Thursday 20 May 2010

INTRODUCTION - EH???? WHAT????

XSS XSRF SQL Injection

APT Zero Day

Click Jacking

Cookie/Session Hijacking

Thursday 20 May 2010

INTRODUCTION - COMPETITORS

IDS Reverse Proxy

IPS Network FW

Proxy Secure Code

Thursday 20 May 2010

INTRODUCTION - PRE-SALES

Know your subject

Question, Ask, Query, Demand

Plan, Test, Plan, Test

Thursday 20 May 2010

STARTING OUT - GOAL

Thursday 20 May 2010

STARTING OUT - RESEARCH

Research -> knowledge & understanding

Thursday 20 May 2010

STARTING OUT - SATISTICS

6.5 times more expensive to ﬁx a ﬂaw in
development than during design, 15 times more in

testing, and 100 times more in development.

Source http://2010survey.whitehatimperva.com/

Thursday 20 May 2010

STARTING OUT - INTERNAL SELL (1)

Technical issues in business language (e.g. just-in-
time patching)

and a bit of

Thursday 20 May 2010

STARTING OUT - INTERNAL SELL (2)

Know your costs

Advantages over cheaper alternatives!

Thursday 20 May 2010

STARTING OUT - INTERNAL SELL (4)

There is a disconnect between the
acknowledgement of security issues
and the willingness to ﬁx them.

Source: The HP Security Laboratory Blog

Thursday 20 May 2010

STARTING OUT - INTERNAL SELL (4)

Do not oversell

WAF != unhackable

Thursday 20 May 2010

STARTING OUT - PLAN (1)

I love it when......

Copyright © NBC

Thursday 20 May 2010

STARTING OUT - PLAN (2)

WANTED!!!!

Owner/Champion/Lover

Thursday 20 May 2010

STARTING OUT - PLAN (3)

Thursday 20 May 2010

STARTING OUT - PLAN (4)

UAT & SDLC

Conﬁguration - Delegation?

Alerting

Incident Response Plan

Logging & Analysis

Reporting

Thursday 20 May 2010

TEST - TEST

SOURCE: http://www.ﬂickr.com/photos/
kodomut/

Thursday 20 May 2010

TEST - SDLC

How does it change?

When?

Who?

Thursday 20 May 2010

TEST - OPERATIONAL

Not what you want, is it?

Thursday 20 May 2010

TEST - FUNCTIONAL

Functional

Generic

Speciﬁc

SOURCE: http://www.ﬂickr.com/photos/
54724780@N00/

Thursday 20 May 2010

TEST - STRESS

STRESS == LEARNING

SOURCE: http://www.ﬂickr.com/photos/
54724780@N00/

Thursday 20 May 2010

TEST - THE FUN ‘BIT’

Does it work.......

SOURCE: http://nmap.org/movies.html

Copyright © Warner Bros.

Thursday 20 May 2010

TEST - POLICY

Administration Policy

Who has access?

Delegation?

Change Management - different?

Incident Response Plan?

What is an Incident?

Thursday 20 May 2010

IMPLEMENTATION - PLAN

Plan B?

Copyright © Fox

Thursday 20 May 2010

IMPLEMENTATION - ALMOST

Almost there, don’t cut corners!

COMPLETE TESTING FULLY!!!!!

Thursday 20 May 2010

IMPLEMENTATION - SET-UP

+.ve Security Model

Transparent

Informational Logging

Generic versus Speciﬁc

Analysis

Reporting

Thursday 20 May 2010

IMPLEMENTATION - READ

Check your logs!!!

Thursday 20 May 2010

IMPLEMENTATION - HACK

External Testing

Thursday 20 May 2010

IMPLEMENTATION

Transparent -> Blocking

Generic -> Speciﬁc

Thursday 20 May 2010

POST-IMPLEMENTATION - WAF

Your infrastructure has changed!!

Patching, Policy Changes, Application Upgrades

Thursday 20 May 2010

POST-IMP - STILL, OH YES?

SDLC

Network Firewall & ACLs

Code Analysis

Penetration &Vulnerability Testing

Incident Response Plan???? -> Incident? What?

Thursday 20 May 2010

POST-IMP - TICK TOCK, NO MORE!!

Thursday 20 May 2010

POST-IMP - USE IT!

NO!!!!!!

Thursday 20 May 2010

POST-IMPLEMENTATION - STILL?

As someone-else once said!!

Thursday 20 May 2010

RESOURCES

SANS Reading Room (Scareware via Web App
exploit)

SANS, Owasp, WebAppSec

Web 2.0 -> Blogs, Twitter

Vendor Sites

Thursday 20 May 2010

CONCLUSION - WAF

Extra layer of defence but also admin

Can be an excellent and effective solution

Is it what I need?

Only a part of defence-in-depth!!!!

Thursday 20 May 2010

Mais conteúdo relacionado

Mais procurados

Oracle Data Protection - 2. část

MarketingArrowECS_CZ

An update from Mike Hichwa (Oracle) on the introduction of the "Always Free" Autonomous Database at Oracle Openworld19. See how to sign up for always free Oracle Cloud Infrastructure (OCI) services. Kind of an illustrated quick start. See how to provision an Autonomous Database. See how to use and access Oracle APEX. Learn Oracle APEX architecture overview including the "RAD stack". Also a quick introduction to new APEX 19.2 and faceted search. #ORCLAPEX, #autonomousDB, #OOW19, @oracleapex. ORDS, Oracle REST Data Services.

Oracle APEX, Oracle Autonomous Database, Always Free Oracle Cloud Services

Michael Hichwa

Friedenthal.sandford

NASAPMC

Mapreduce in Search

Amund Tveit

Основы CSS.Позиционирование.

n1zze

Single Client Access Name is a concept that makes database deployment easy on Oracle Database 11g R2 grids and complete the level of abstraction from the application perspective. Starting with the understanding of why this component is vital in the 11g grid infrastructure, this presentation walks through the main concepts of SCAN. You will learn how to plan and implement SCAN, what areas to be careful with, and how to monitor SCAN infrastructure and make sure it works as expected.

Oracle 11G SCAN: Concepts and Implementation Experience Sharing

Yury Velikanov

If you're an experienced Apex developer and have wondered if there?s a better way to manage multi-step logic that involves both DML and callouts to external systems, this session is for you. The Flow Factory is a stateful design pattern that provides structure for processing flowchart style business logic in Apex. This begins with flow-specific inputs and results in a chronological record of executed steps to iterate for final processing. It has roots in both the State pattern and the Factory Method and is particularly useful for managing more than one callout in a single execution context.

Introduction to The Flow Factory Design Pattern

Salesforce Developers

Send email attachment using smtp in mule esb

Sreekanth Kondapalli

NCS: NEtwork Control System Hands-on Labs

Cisco Canada

PostgreSQL em projetos de Business Analytics e Big Data Analytics com Pentaho

Ambiente Livre

Oracle Audit is a well-known and proven database functionality. Or maybe not? What does auditing look like in combination with Oracle Multitenant Databases? Does database and Unified Audit work analogous to existing configurations? In the context of this presentation the auditing in the environment of container databases will be examined more closely. It will be shown what has to be considered and how an auditing concept has to be adapted to the new architecture. With focus on the current versions of the Oracle database, specific problems and workarounds in the area of Unified Audit will be shown. The presentation will be complemented by corresponding examples and live demos.

DOAG Oracle Unified Audit in Multitenant Environments

Stefan Oehrli

대용량 분산 아키텍쳐 설계 #4. soa 아키텍쳐

Terry Cho

Mais procurados (12)

Oracle Data Protection - 2. část

Oracle APEX, Oracle Autonomous Database, Always Free Oracle Cloud Services

Friedenthal.sandford

Mapreduce in Search

Основы CSS.Позиционирование.

Oracle 11G SCAN: Concepts and Implementation Experience Sharing

Introduction to The Flow Factory Design Pattern

Send email attachment using smtp in mule esb

NCS: NEtwork Control System Hands-on Labs

PostgreSQL em projetos de Business Analytics e Big Data Analytics com Pentaho

DOAG Oracle Unified Audit in Multitenant Environments

대용량 분산 아키텍쳐 설계 #4. soa 아키텍쳐

Semelhante a Implementing a WAF

Secure PHP Development with Inspekt

funkatron

台灣／中國網路經濟之社會觀察

Chili Consulting

In this talk in Open Web Asia Conference, we discuss the recent speed on how start-ups like Facebook, Twitter & FourSquare have grown in a rapid pace and also the story on how Chlkboard quickly develop as a start-up to demonstrate three important features before fundraising - (1) demo of prototype and launch to market, (2) getting users and iterate based on feedback and (3) converting customers to pay.

5 Principles for Agile & High Speed Development

Chlkboard

Mtechschedule2010 1117 april

bikram ...

谈一谈HTML5/CSS3 @ WebRebuild 2010

Zi Bin Cheah

How and Why to Use Social Media

Cordell Parvin

Linked Data In Action

Richard Wallis

Refactoring

Caike Souza

Mobile JavaScript Development - QCon 2010

Nikolai Onken

Semelhante a Implementing a WAF (9)

Secure PHP Development with Inspekt

台灣／中國網路經濟之社會觀察

5 Principles for Agile & High Speed Development

Mtechschedule2010 1117 april

谈一谈HTML5/CSS3 @ WebRebuild 2010

How and Why to Use Social Media

Linked Data In Action

Refactoring

Mobile JavaScript Development - QCon 2010

Mais de Mark Hillick

Peeling back your Network Layers with Security Onion

Mark Hillick

Introduction to MongoDB

Mark Hillick

PHP Loves MongoDB - Dublin MUG (by Hannes)

Mark Hillick

HackEire 2009

Mark Hillick

Integrated Cache on Netscaler

Mark Hillick

Scareware - Irisscon 2009

Mark Hillick

Scareware Traversing the World via Ireland

Mark Hillick

CTF: Bringing back more than sexy!

Mark Hillick

MongoDB - Who, What & Where!

Mark Hillick

Mais de Mark Hillick (9)

Peeling back your Network Layers with Security Onion

Introduction to MongoDB

PHP Loves MongoDB - Dublin MUG (by Hannes)

HackEire 2009

Integrated Cache on Netscaler

Scareware - Irisscon 2009

Scareware Traversing the World via Ireland

CTF: Bringing back more than sexy!

MongoDB - Who, What & Where!

Último

MINDCTI Revenue Release Quarter One 2024

MIND CTI

[BuildWithAI] Introduction to Gemini.pdf

Sandro Moreira

Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows. We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases. This video focuses on the deployment of external web forms using Jotform for Bonterra Impact Management. This solution can be customized to your organization’s needs and deployed to support the common use cases below: - Intake and consent - Assessments - Surveys - Applications - Program registration Interested in deploying web form automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

Jeffrey Haguewood

Artificial Intelligence Chap.5 : Uncertainty

Khushali Kathiriya

Dubai, often portrayed as a shimmering oasis in the desert, faces its own set of challenges, including the occasional threat of flooding. Despite its reputation for opulence and modernity, the emirate is not immune to the forces of nature. In recent years, Dubai has experienced sporadic but significant floods, testing the resilience of its infrastructure and communities. Among the critical lifelines in this bustling metropolis is the Dubai International Airport, a bustling hub that connects the city to the world. This article explores the intersection of Dubai flood events and the resilience demonstrated by the Dubai International Airport in the face of such challenges.

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...

Orbitshub

Passkeys: Developing APIs to enable passwordless authentication Cody Salas, Sr Developer Advocate | Solutions Architect - Yubico Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...

apidays

DBX First Quarter 2024 Investor Presentation

Dropbox

FWD Group - Insurer Innovation Award 2024

The Digital Insurer

Corporate and higher education. Two industries that, in the past, have had a clear divide with very little crossover. The difference in goals, learning styles and objectives paved the way for differing learning technologies platforms to evolve. Now, those stark lines are blurring as both sides are discovering they have content that’s relevant to the other. Join Tammy Rutherford as she walks through the pros and cons of corporate and higher ed collaborating. And the challenges of these different technology platforms working together for a brighter future.

Corporate and higher education May webinar.pptx

Rustici Software

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

MadyBayot

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Juan lago vázquez

Architecting Cloud Native Applications

WSO2

Dubai, known for its towering skyscrapers, luxurious lifestyle, and relentless pursuit of innovation, often finds itself in the global spotlight. However, amidst the glitz and glamour, the emirate faces its own set of challenges, including the occasional threat of flooding. In recent years, Dubai has experienced sporadic but significant floods, disrupting normalcy and posing unique challenges to its infrastructure. Among the critical nodes in this bustling metropolis is the Dubai International Airport, a vital hub connecting the world. This article delves into the intersection of Dubai flood events and the resilience demonstrated by the Dubai International Airport in the face of such challenges.

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf

Orbitshub

Exploring Multimodal Embeddings with Milvus

Zilliz

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Zilliz

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

CNIC Information System with Pakdata Cf In Pakistan

danishmna97

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

Implementing a WAF

1. TRIALS & TRIBULATIONS OF WAF MARK HILLICK - @MARKOFU Thursday 20 May 2010

2. AWK -F: '/ROOT/ {PRINT $5}' /ETC/PASSWD Mark Hillick Thursday 20 May 2010

3. PHASES Introduction Starting Out Design Test Implementation Post-Implementation Thursday 20 May 2010

4. INTRODUCTION - WHAT IS A WAF? Thursday 20 May 2010

5. INTRODUCTION - WAF TODAY? WAF Marketplace Maturing Compliance Boo Thursday 20 May 2010

6. INTRODUCTION - WAF TODAY? WAF deployments were initially propelled by PCI ......... but are now increasingly driven by security best practices. Source: Forrester 2010 Thursday 20 May 2010

7. INTRODUCTION - NUMBERS $200 million 20% Thursday 20 May 2010

8. INTRODUCTION - VENDORS Software/Hardware Commercial/Open Source Thursday 20 May 2010

9. INTRODUCTION - EH???? WHAT???? XSS XSRF SQL Injection APT Zero Day Click Jacking Cookie/Session Hijacking Thursday 20 May 2010

10. INTRODUCTION - COMPETITORS IDS Reverse Proxy IPS Network FW Proxy Secure Code Thursday 20 May 2010

11. INTRODUCTION - PRE-SALES Know your subject Question, Ask, Query, Demand Plan, Test, Plan, Test Thursday 20 May 2010

12. STARTING OUT - GOAL Thursday 20 May 2010

13. STARTING OUT - RESEARCH Research -> knowledge & understanding Thursday 20 May 2010

14. STARTING OUT - SATISTICS 6.5 times more expensive to ﬁx a ﬂaw in development than during design, 15 times more in testing, and 100 times more in development. Source http://2010survey.whitehatimperva.com/ Thursday 20 May 2010

15. STARTING OUT - INTERNAL SELL (1) Technical issues in business language (e.g. just-in- time patching) and a bit of Thursday 20 May 2010

16. STARTING OUT - INTERNAL SELL (2) Know your costs Advantages over cheaper alternatives! Thursday 20 May 2010

17. STARTING OUT - INTERNAL SELL (4) There is a disconnect between the acknowledgement of security issues and the willingness to ﬁx them. Source: The HP Security Laboratory Blog Thursday 20 May 2010

18. STARTING OUT - INTERNAL SELL (4) Do not oversell WAF != unhackable Thursday 20 May 2010

20. STARTING OUT - PLAN (2) WANTED!!!! Owner/Champion/Lover Thursday 20 May 2010

21. STARTING OUT - PLAN (3) Thursday 20 May 2010

22. STARTING OUT - PLAN (4) UAT & SDLC Conﬁguration - Delegation? Alerting Incident Response Plan Logging & Analysis Reporting Thursday 20 May 2010

23. TEST - TEST SOURCE: http://www.ﬂickr.com/photos/ kodomut/ Thursday 20 May 2010

24. TEST - SDLC How does it change? When? Who? Thursday 20 May 2010

25. TEST - OPERATIONAL Not what you want, is it? Thursday 20 May 2010

26. TEST - FUNCTIONAL Functional Generic Speciﬁc SOURCE: http://www.ﬂickr.com/photos/ 54724780@N00/ Thursday 20 May 2010

27. TEST - STRESS STRESS == LEARNING SOURCE: http://www.ﬂickr.com/photos/ 54724780@N00/ Thursday 20 May 2010

29. TEST - POLICY Administration Policy Who has access? Delegation? Change Management - different? Incident Response Plan? What is an Incident? Thursday 20 May 2010

31. IMPLEMENTATION - ALMOST Almost there, don’t cut corners! COMPLETE TESTING FULLY!!!!! Thursday 20 May 2010

32. IMPLEMENTATION - SET-UP +.ve Security Model Transparent Informational Logging Generic versus Speciﬁc Analysis Reporting Thursday 20 May 2010

33. IMPLEMENTATION - READ Check your logs!!! Thursday 20 May 2010

34. IMPLEMENTATION - HACK External Testing Thursday 20 May 2010

35. IMPLEMENTATION Transparent -> Blocking Generic -> Speciﬁc Thursday 20 May 2010

36. POST-IMPLEMENTATION - WAF Your infrastructure has changed!! Patching, Policy Changes, Application Upgrades Thursday 20 May 2010

37. POST-IMP - STILL, OH YES? SDLC Network Firewall & ACLs Code Analysis Penetration &Vulnerability Testing Incident Response Plan???? -> Incident? What? Thursday 20 May 2010

38. POST-IMP - TICK TOCK, NO MORE!! Thursday 20 May 2010

39. POST-IMP - USE IT! NO!!!!!! Thursday 20 May 2010

40. POST-IMPLEMENTATION - STILL? As someone-else once said!! Thursday 20 May 2010

41. RESOURCES SANS Reading Room (Scareware via Web App exploit) SANS, Owasp, WebAppSec Web 2.0 -> Blogs, Twitter Vendor Sites Thursday 20 May 2010

42. CONCLUSION - WAF Extra layer of defence but also admin Can be an excellent and effective solution Is it what I need? Only a part of defence-in-depth!!!! Thursday 20 May 2010

Implementing a WAF

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (12)

Semelhante a Implementing a WAF

Semelhante a Implementing a WAF (9)

Mais de Mark Hillick

Mais de Mark Hillick (9)

Último

Último (20)

Implementing a WAF