WAF 101

  1. Web Application Firewall. Null Bhubaneswar, 18 March 2023. Sampad Rout
  2. A little about me: Sampad Rout, CISSP®, Security Architect | Microsoft
  3. Experiences so far:
     ● GE: Industrial R&D security (Aviation, Power and Water, Renewable Energy, Appliances, Transportation).
     ● Royal Bank of Scotland: securing the banking platform, mostly the mortgage division of Coutts.
     ● AT&T: securing the Media division (HBO, Warner Media).
     ● Microsoft: securing the Ad Platform.
     ● Outside org: reviewer for ISC2, contribution to open source (virtual patch / IaC), trainer.
     Subject matter expert on AppSec | Data Protection | Secure Architecture | Container Security | API Security.
     What do I do in spare time: XBOX | BLOG | Stories and Movies.
  4. Contents
     01. What is what: Firewall - definition, nomenclature and history, WAF, difference between firewall and WAF.
     02. How a WAF works: pattern identifiers, default mechanism, template rules, advanced rules, IP reputation.
     03. 101 Demo: look and feel of the rules, signals and GUI.
     04. Architecture & placements.
     & If something I left covering which I should have + Q&A.
  5. 01. What is what: Firewall, nomenclature & history, WAF, difference between firewall and WAF
  6. What is a Firewall
     The name "firewall" comes from physical firewalls, which serve a similar purpose: containing fires and keeping them from spreading.
     ● Firewalls established a barrier between a network that was internal to a company and considered trusted, and an external network that was considered untrusted.
     ● In a simple sense, a firewall controls what traffic should be allowed into and what should be blocked from your system, based on defined rules and patterns.
  8. A firewall is a network security device, delivered as software, a hardware appliance or a SaaS model, that monitors and filters incoming and outgoing network traffic based on an organization’s previously established security policies. — Common Definition
  9. Firewall Evolution: how the firewall was enhanced throughout the firewall generations
     ● First Generation: stateless. Packet filters based on IP and ports (L3 or L4). Examples: IP tables, OS firewall, basic switches; usage: ACLs. Limitations: IP spoofing, valid return traffic vs imposter.
     ● Second Generation: stateful, bidirectional. Connection / session based on IP and ports (L3 or L4). Examples: advanced switches; usage: ACLs, DMZ. Limitations: good traffic vs bad traffic.
     ● 2.5 Generation: targeted / specialized firewalls. IPS, UTM, URL filtering. Up to L5-L7, scaling and performance. Limitations: signature oriented, no dynamism.
 10. Firewall Evolution (cont.)
     ● Third Generation: stateful, scalable. HTTP conversation and app-specific attacks (L7). Examples: host based application firewalls, WAF.
     ● Next-Gen: stateful, hybrid, RBAC, user group identity. Deep packet inspection, advanced threat protection (L7). Performance, QoS, non-disruptive. Vendor issued NGFW: Juniper, Cisco, Checkmarx etc.
 11. Web Application Firewall
     A web application firewall (WAF) protects web applications (hosted on any platform) from a variety of application layer attacks such as cross-site scripting (XSS), SQL injection etc. (OWASP Top 10) and beyond.
     (Figure: port / OSI reference model, Layer 1 Physical, Layer 2 Data Link, Layer 3 Network, Layer 4 Transport, Layer 5 Session, Layer 6 Presentation, Layer 7 Application, showing where the network firewall and the web app firewall sit.)
 12. 02. How a WAF works: pattern identifiers, default mechanism, template rules, advanced rules, IP reputation
 13. Action Matrix
     ● Based on actions / perform, traffic pattern: Audit / Monitor, Block, Allow (supersedes).
     ● Defined set: Whitelist (supersedes), Blacklist.
     ● Handle / gauge: true positives, false positives, true negatives, false negatives.
     ● RBAC: Read-only (most), App based (app owners), Admin (Ops), Super user / God mode (improvements).
 14. Preventive & Technical Control: Basic Model
     ● Happened nth time. Description: if a malicious event happens for the nth time within a defined period from a particular IP/user. Example: XSS / injection attack / failed login pattern detected 50 times in a minute - block.
     ● Reputation. Description: the WAF’s global analysis engine. Example: IPs, DCs get flagged as bad actors for 24 hrs globally.
     ● Templated rules. Description: supports zero-days and virtual patching. Example: if there is no patch released or you are not able to patch.
     ● Complex and advanced rules. Description: complex rules, combination of rules. Example: whitelist ~ blacklisted, allowed ~ blocked, and track ~ discover.
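A worked example of the first two rows (the nth-time threshold and the 24 h reputation flag), added here and not code from the deck or from any WAF product; the 50-per-minute and 24-hour values are the slide's, while the IP addresses and the event stream are constructed:

```python
from collections import defaultdict, deque

# Constructed thresholds taken from the slide's example: the 50th malicious event
# within a minute blocks the source, and the flag then lasts 24 hours.
THRESHOLD = 50
WINDOW_SECONDS = 60
REPUTATION_TTL_SECONDS = 24 * 60 * 60


class ThresholdEngine:
    """Counts malicious signals (XSS, injection, failed logins) per source IP
    in a sliding window, blocks on the nth hit and flags the IP as a bad actor."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW_SECONDS,
                 ttl=REPUTATION_TTL_SECONDS):
        self.threshold = threshold
        self.window = window
        self.ttl = ttl
        self.events = defaultdict(deque)  # ip -> timestamps of recent malicious events
        self.flagged = {}                 # ip -> time when the reputation flag expires

    def is_flagged(self, ip, now):
        expiry = self.flagged.get(ip)
        if expiry is None:
            return False
        if now >= expiry:                 # 24 h elapsed: the flag falls off
            del self.flagged[ip]
            return False
        return True

    def record(self, ip, now, malicious):
        """Return the WAF action for one request: 'allow' or 'block'."""
        if self.is_flagged(ip, now):
            return "block"                # reputation: known bad actor, no counting needed
        if not malicious:
            return "allow"
        q = self.events[ip]
        q.append(now)
        while q and now - q[0] > self.window:  # drop hits older than the window
            q.popleft()
        if len(q) >= self.threshold:      # nth hit within the defined period
            self.flagged[ip] = now + self.ttl
            q.clear()
            return "block"
        return "allow"


def replay(engine, events):
    """Feed constructed (ip, timestamp, malicious) tuples; return the actions."""
    return [engine.record(ip, t, bad) for ip, t, bad in events]
```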
 15. 03. Let’s see how it looks: enough talk, let’s see it in action
 16. How to Rule 101
     Start from the basics:
     ● OWASP / PortSwigger XSS cheat sheet.
     ● Analyzing your app environment and traffic pattern.
     ● Any zero-day.
     ● How an IaC rule looks.

     Example IaC rule 1 (whitelist requests whose domain is in the named list):

         scope = "global"
         group_operator = "all"
         expiration = ""
         conditions {
           type = "single"
           field = "domains"
           operator = "inList"
           value = "instances-scw-cloud"
         }
         actions {
           type = "whitelist"
           marking = "scw-cloud"
         }

     Example IaC rule 2 (block a request whose method is none of the expected HTTP methods). Each allowed method gets its own doesNotEqual condition, and the conditions are combined with group_operator = "all": the rule fires only when the method matches none of them. Combining them with "any" would fire on every request, since no method can equal all seven values.

         scope = "global"
         group_operator = "all"
         expiration = ""
         conditions {
           type = "single"
           field = "method"
           operator = "doesNotEqual"
           value = "DELETE"
         }
         conditions {
           type = "single"
           field = "method"
           operator = "doesNotEqual"
           value = "PATCH"
         }
         conditions {
           type = "single"
           field = "method"
           operator = "doesNotEqual"
           value = "GET"
         }
         conditions {
           type = "single"
           field = "method"
           operator = "doesNotEqual"
           value = "POST"
         }
         conditions {
           type = "single"
           field = "method"
           operator = "doesNotEqual"
           value = "OPTIONS"
         }
         conditions {
           type = "single"
           field = "method"
           operator = "doesNotEqual"
           value = "HEAD"
         }
         conditions {
           type = "single"
           field = "method"
           operator = "doesNotEqual"
           value = "PUT"
         }
         actions {
           type = "block"
           marking = "wrong-http-method"
         }
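To show how the two rules above evaluate against a request, and how a whitelist supersedes a block as the action matrix on slide 13 states, here is an added Python evaluator, not code from the deck or from any WAF vendor; the in-memory rule shape, the contents of the named list and the sample requests are constructed assumptions:

```python
# Constructed rules in the shape of the deck's IaC snippet (the keys are the
# slide's; this is not any vendor's real rule schema).
RULES = [
    {   # slide rule 1: requests to domains in the named list are whitelisted
        "group_operator": "all",
        "conditions": [{"field": "domains", "operator": "inList",
                        "value": "instances-scw-cloud"}],
        "actions": [{"type": "whitelist", "marking": "scw-cloud"}],
    },
    {   # slide rule 2: block when the method equals none of the known verbs.
        # doesNotEqual conditions must be ANDed ("all"); with "any" the rule
        # would fire on every request, since no method equals all seven.
        "group_operator": "all",
        "conditions": [{"field": "method", "operator": "doesNotEqual", "value": m}
                       for m in ("DELETE", "PATCH", "GET", "POST",
                                 "OPTIONS", "HEAD", "PUT")],
        "actions": [{"type": "block", "marking": "wrong-http-method"}],
    },
]

# Constructed contents of the named list that the inList operator refers to.
LISTS = {"instances-scw-cloud": {"app.scw.example", "api.scw.example"}}


def condition_matches(cond, request):
    actual, op, value = request.get(cond["field"]), cond["operator"], cond["value"]
    if op == "equals":
        return actual == value
    if op == "doesNotEqual":
        return actual != value
    if op == "inList":
        return actual in LISTS.get(value, set())
    raise ValueError(f"unsupported operator: {op}")


def rule_matches(rule, request):
    hits = [condition_matches(c, request) for c in rule["conditions"]]
    return all(hits) if rule["group_operator"] == "all" else any(hits)


def evaluate(request, rules=RULES):
    """Return (decision, markings). Whitelist supersedes block, as in the
    action matrix: a whitelisted request is allowed even if a block rule fires."""
    fired = [a for r in rules if rule_matches(r, request) for a in r["actions"]]
    markings = [a["marking"] for a in fired]
    types = {a["type"] for a in fired}
    if "whitelist" in types:
        return "allow", markings
    return ("block" if "block" in types else "allow"), markings
```

The markings are kept even when the block is superseded, so the audit / monitor view still shows that the wrong-method rule fired on a whitelisted host.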
 17. 04. Architecture: how the WAF is functionally and logically placed in the network
 18. Functional Architecture
 19. Where you should place it: WAF strategic placement
     1. Reverse proxy
     2. Side car
     3. On the frontend
     4. SaaS model
     5. Customized requirement (Istio, Envoy, Serverless, Agent only)
     6. PaaS model
