Date posted: 15-Jun-2015
Uploaded by: conferencias-fist

Transcript
Page 1: WAFEC

WAFEC, or how to choose WAF technology

RAFAEL SAN MIGUEL CARRASCO

Page 2: WAFEC

Why I am here

Honestly, I have no better plan for a Friday afternoon

I like to play with WAF technology

WAFEC 1.0 has been recently published

I actually belong to the WAFEC Working Group

Let’s talk about WAFEC!

Page 3: WAFEC

What will we talk about?

Why are WAF devices not so much fun?

How to make them fun

WAFEC sections

WAFEC and common sense together

Introduction and concepts

Page 4: WAFEC

So, what is a WAF device?

WAF devices protect web applications from specific vulnerabilities that IDS/IPS/firewall technology cannot address

WAF devices address the most attack-prone subsystem within a technology infrastructure: the web server

WAF devices are complex devices with sophisticated features: in fact, they have to be as complex as the web applications they protect

Cross-site scripting

SQL Injection

LDAP Injection

XPath Injection

Parameter tampering

Cookie poisoning

HTTP Request Smuggling

HTTP Response Splitting

Cross-site Tracing

Cross-site Request Forgery

Stealth Commanding

Buffer overflows

. . .

Page 5: WAFEC

Some background about WAF

                 Negative Security Model                     Positive Security Model

Concept          The WAF knows what traffic is an attack     The WAF learns what traffic profile is
                 and allows any other traffic through        legitimate and blocks anything else

Advantages       - No need for customization                 - Accurate detection
                 - Protection out-of-the-box                 - Detects unknown attacks
                 - Simple, straightforward                   - Not dependent on signature updates

Disadvantages    - Highly dependent on updates               - Needs a learning process
                 - Not very accurate                         - More prone to false positives

Page 6: WAFEC

Some background about WAF

How are unknown attacks identified with PSM?

http://<site>/get/default.ida?<240chars>%9090<…>%u00=a

This request violates the learned profile in four ways:

Illegal entry point into the site: the .ida file under /get

Illegal parameter tampering of the .ida file

Buffer overflow attempt on the parameter (240 characters)

Illegal characters within the parameter (%)

The Code Red worm, whose .ida request this is, and Nimda were blocked by several WAF devices without a custom signature, simply because nothing in their requests matched a learned profile

Page 7: WAFEC

Some background about WAF

How does the learning process work in PSM?

[Diagram: WAF in front of the web server]

Learning phase, legitimate traffic:

http://a.com/showarticle?id=278

http://a.com/showarticle?id=345

http://a.com/showarticle?id=12

Conclusion: the id parameter in showarticle is a number

Enforcement phase:

http://a.com/showarticle?id=1’%20OR%201=1--

This looks like an attack!
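The learning and enforcement steps of the two slides above, as an added example in Python; it is not code from the slides or from any WAF product. It learns a per-parameter profile from a few constructed requests, concludes that id in showarticle is numeric, and then reports the violations for the slide's SQL injection request and for a constructed Code Red style .ida request. The URLs, the three value classes and the length slack factor are assumptions made for the example.

```python
"""Toy positive-security-model (PSM) learner.

Added example; this is not code from the original slides nor from any WAF
product. It reproduces the learning step (the id parameter of /showarticle
is learned to be numeric) and the four anomaly checks listed for the .ida
request (illegal entry point, unknown parameter, oversized field, illegal
characters), applied to constructed requests.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Value classes from most to least restrictive; the learner only ever widens.
CLASSES = ["numeric", "alnum", "free"]
CLASS_RE = {
    "numeric": re.compile(r"[0-9]+"),
    "alnum": re.compile(r"[A-Za-z0-9 ._-]+"),
}

# Constructed learning traffic, mirroring the showarticle requests on the slide.
LEARNING_TRAFFIC = [
    "http://a.com/showarticle?id=278",
    "http://a.com/showarticle?id=345",
    "http://a.com/showarticle?id=12",
    "http://a.com/search?q=waf%20evaluation",
]
# Constructed attack requests: the slide's SQL injection, and a Code Red style
# .ida overflow standing in for the abbreviated request on the previous slide.
SQLI_REQUEST = "http://a.com/showarticle?id=1'%20OR%201=1--"
WORM_REQUEST = "http://a.com/get/default.ida?" + "N" * 240 + "%u9090%u6858=a"


def classify(text):
    """Smallest class that accepts the whole text ("free" = anything else)."""
    for cls in CLASSES[:-1]:
        if CLASS_RE[cls].fullmatch(text):
            return cls
    return "free"


def wider(a, b):
    return a if CLASSES.index(a) >= CLASSES.index(b) else b


class PositiveModel:
    def __init__(self, slack=4):
        self.slack = slack            # tolerated growth over the learned max length
        self.entry_points = set()     # paths seen during learning
        self.params = {}              # (path, name) -> {"class", "max_len"}
        self.site = {"class": "numeric", "max_len": 0}   # site-wide fallback profile

    def learn(self, url):
        parts = urlsplit(url)
        self.entry_points.add(parts.path)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            prof = self.params.setdefault((parts.path, name),
                                          {"class": "numeric", "max_len": 0})
            for p in (prof, self.site):
                p["class"] = wider(p["class"], classify(value))
                p["max_len"] = max(p["max_len"], len(value))

    def check(self, url):
        """Return the list of profile violations; an empty list means allowed."""
        violations = []
        parts = urlsplit(url)
        if parts.path not in self.entry_points:
            violations.append(f"illegal entry point {parts.path}")
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            prof = self.params.get((parts.path, name))
            if prof is None:
                violations.append(f"unknown parameter {name[:16]!r}")
                prof, fields = self.site, [name, value]   # nothing learned: inspect both
            else:
                fields = [value]
            for text in fields:
                if len(text) > prof["max_len"] * self.slack:
                    violations.append(f"oversized field ({len(text)} chars)")
                if CLASSES.index(classify(text)) > CLASSES.index(prof["class"]):
                    violations.append(
                        f"illegal characters in {name[:16]!r} (expected {prof['class']})")
        return violations


def train():
    model = PositiveModel()
    for url in LEARNING_TRAFFIC:
        model.learn(url)
    return model


if __name__ == "__main__":
    m = train()
    print("learned:", m.params[("/showarticle", "id")])
    for req in (LEARNING_TRAFFIC[0], SQLI_REQUEST, WORM_REQUEST):
        print(req[:60], "->", m.check(req) or "allowed")
```

Running it prints the learned profile and the violations per request: the SQL injection fails only the numeric class check, and the .ida request triggers all four violations listed above. A product does the same with many more value classes and statistical thresholds instead of a fixed slack factor; the point is that neither attack needed a signature to be caught.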

Page 8: WAFEC

So, what is WAFEC?

WAFEC is an ongoing project and stands for Web Application Firewall Evaluation Criteria

WAFEC is promoted by WASC, which in turn stands for Web Application Security Consortium

WAFEC is a document describing WAF capabilities, as a structured checklist of features

WAFEC allows technicians to evaluate WAF devices and decide which one best fits their environment

Page 9: WAFEC

So, what is not WAFEC?

WAFEC is not a specification of minimum requirements that a WAF device must comply with

WAFEC is not a tutorial or compendium about WAF technology or web security

WAFEC is not for managers, but for reasonably skilled technicians

Page 10: WAFEC

Why do we think WAFEC is necessary?

Marketing and sales forces are creating confusion

There is not much knowledge about this emerging market

WAF devices and manufacturers are proliferating

Page 11: WAFEC

Why are WAF devices not so much fun?

If not properly administered and integrated, they won’t adapt to application changes

If not properly configured, they can trigger false positives and stop business

If not properly deployed, they can slow down your transactions and make business staff unhappy

The solution: do it properly!

… and make sure the product you choose does support the features you need

… and do it using WAFEC!

Page 12: WAFEC

How to make them fun

About false positives and other nightmares

Define detection rules that will alert you to suspicious events without the risk of stopping business

Take your time to refine policies

Teach the WAF device during the development phase; that will let you define more accurate policies in the production environment

Page 13: WAFEC

How to make them fun

About application changes

Web applications change very quickly, which means that the WAF’s behaviour has to change as well

Let the WAF device learn from developers, so that policies can be adjusted in the production environment

Define granular policies, so that the WAF can rebuild policies for updated sections or areas with no impact on those that haven’t changed

Page 14: WAFEC

How to make them fun

About application changes

[Diagram: four numbered application areas (1-4), each with its own policy]

Page 15: WAFEC

How to make them fun

About performance, latency and SLAs

Define simpler policies for areas or sections subject to SLAs

Use SSL accelerators

Use the integrated web cache features

Compress HTML content between the WAF and the browser

Page 16: WAFEC

WAFEC sections

Deployment and architecture

… there is no rule of thumb: it depends on your network!

Modes of operation: bridge, router, proxy or plugin

SSL operation: active, passive or not required (in the case of plugins)

Technology delivery: appliance or software-only

Support for non-HTTP traffic

… clear trend: the integration of WAF/IPS capabilities in one device

Page 17: WAFEC

WAFEC sections

HTML and HTTP support

A rather long and boring checklist of features related to support for the protocol and its extensions

… but this can drive the decision as well!

Includes length restrictions for every HTTP component

Response filtering or Intellectual Property Firewalling

… I have never seen it in place, because the content to protect can’t be accurately defined

… but it lets you add an extra layer of security if everything else fails

Page 18: WAFEC

WAFEC sections

Response filtering

Imagine that every security mechanism implemented in the WAF device fails!

We have the following data file, which can be remotely retrieved by means of an osCommerce vulnerability:

Page 19: WAFEC

WAFEC sections

Response filtering

ModSecurity’s response filtering capabilities can be configured this way to prevent the previous data file from being effectively retrieved:

Which results in forbidden access to the malicious URL

… with no previous knowledge about the osCommerce vulnerability!
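The ModSecurity rules on the slide are not reproduced in this transcript. As an added example, not the slide's configuration and not osCommerce code, the following Python filter does what such rules do in ModSecurity's response phase: it inspects the body after the backend has answered and replaces it with a 403 when protected content is found. The slide does not show the data file, so the example assumes a PHP configuration file holding database credentials and adds a payment card number pattern; the response bodies and headers are constructed.

```python
"""Response filtering ("intellectual property firewalling") as a WAF applies
it to outbound traffic. Added example, written for this page; it is not the
ModSecurity configuration from the slide and not osCommerce code. The slide
does not show the leaked data file, so this example assumes it is a PHP
configuration file carrying database credentials, and adds a second pattern
for payment card numbers. All response bodies below are constructed.
"""
import gzip
import re

# Content that must never leave the site, whatever request produced it.
LEAK_PATTERNS = {
    "php_db_credentials": re.compile(rb"define\s*\(\s*'DB_SERVER_(?:USERNAME|PASSWORD)'", re.I),
    "php_source": re.compile(rb"<\?php\b"),
    "card_number": re.compile(rb"\b(?:\d[ -]?){13,16}\b"),   # coarse; confirmed by Luhn
}

# Constructed bodies: a leaked configuration file and an ordinary catalog page.
LEAKED_CONFIG = (b"<?php\n"
                 b"  define('DB_SERVER', 'localhost');\n"
                 b"  define('DB_SERVER_USERNAME', 'shop');\n"
                 b"  define('DB_SERVER_PASSWORD', 's3cret');\n")
GZIPPED_CONFIG = gzip.compress(LEAKED_CONFIG)    # same leak, compressed by the backend
NORMAL_PAGE = (b"<html><body><h1>Catalog</h1>"
               b"<p>Order ref 2023-11, parcel 1234567890123</p></body></html>")


def luhn_ok(digits):
    """Luhn checksum, used to drop ordinary long numbers the card regex catches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_leaks(headers, body):
    """Names of the leak patterns present in the (decompressed) body."""
    if headers.get("Content-Encoding", "").lower() == "gzip":
        body = gzip.decompress(body)     # inspect what the browser would see
    hits = []
    for name, pattern in LEAK_PATTERNS.items():
        for match in pattern.finditer(body):
            if name == "card_number":
                digits = re.sub(rb"[ -]", b"", match.group(0)).decode()
                if not luhn_ok(digits):
                    continue
            hits.append(name)
            break
    return hits


def filter_response(status, headers, body):
    """Runs after the backend has answered (ModSecurity's phase 4). A leaking
    response is replaced by a 403, not merely logged. Returns
    (status, headers, body, matched_pattern_names)."""
    hits = find_leaks(headers, body)
    if hits:
        return 403, {"Content-Type": "text/plain"}, b"Forbidden", hits
    return status, headers, body, hits


if __name__ == "__main__":
    for label, hdrs, body in (("config", {}, LEAKED_CONFIG),
                              ("gzipped config", {"Content-Encoding": "gzip"}, GZIPPED_CONFIG),
                              ("catalog page", {}, NORMAL_PAGE)):
        status, _, _, hits = filter_response(200, hdrs, body)
        print(f"{label}: {status} {hits}")
```

Two details matter in practice: the body must be decompressed before matching when the backend sends gzip, and broad patterns such as the card-number regex need a secondary check (here Luhn) or they will block ordinary pages that carry long numbers. That is also why such rules are rarely seen in place: the set of protected content has to be defined precisely before the filter can be put in blocking mode.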

Page 20: WAFEC

WAFEC sections

Detection techniques

Two main groups: positive model and negative model

… my best bet is to properly combine both

Negative model: which parameters matter?

… update frequency, number of products covered, customized selection of signatures

Positive model: which parameters matter?

… basically, effectiveness; if it works, nobody cares what the core technology is

Page 21: WAFEC

WAFEC sections

Protection techniques

Brute force attack mitigation and automated client detection

… helpful for websites that track users’ activity

Strict request flow enforcement

… this feature really annoys malicious users

Cryptographic URL and parameter protection

… nice in theory, but difficult to implement effectively if the application changes often
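Cryptographic URL and parameter protection, as an added example in Python; it is not code from the slides or from any WAF product. The WAF signs the links in the pages it sends out and verifies the signature on the way back in, so a client that edits or adds a parameter is refused before the request reaches the web server. The key, the signature parameter name, the unsigned entry point and the sample page are assumptions made for the example.

```python
"""Cryptographic URL and parameter protection. Added example; it is not code
from the slides or from any WAF product. The WAF signs every link in the
pages it sends out (sign_links applies sign_url to href attributes) and
verifies the signature on the way back in (verify_url). The key, the
signature parameter name and the unsigned entry point are constructed.
"""
import hashlib
import hmac
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SIG_PARAM = "sig"
UNSIGNED_ENTRY_POINTS = {"/"}      # where a visit may start without a signed link
KEY = b"constructed-demo-key-rotate-in-production"
HREF_RE = re.compile(r'href="([^"]+)"')


def _mac(key, path, params):
    # Sorting makes the signature independent of parameter order.
    canonical = (path + "?" + urlencode(sorted(params))).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()[:32]


def sign_url(url, key=KEY):
    """Append an HMAC over path and parameters as an extra query parameter."""
    parts = urlsplit(url)
    params = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
              if k != SIG_PARAM]
    query = urlencode(params + [(SIG_PARAM, _mac(key, parts.path, params))])
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


def verify_url(url, key=KEY):
    """True if the request carries exactly one signature matching its path and
    parameters, or is an unsigned entry point with no parameters at all."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    if parts.path in UNSIGNED_ENTRY_POINTS and not params:
        return True
    sigs = [v for k, v in params if k == SIG_PARAM]
    if len(sigs) != 1:
        return False                   # missing or duplicated signature
    rest = [(k, v) for k, v in params if k != SIG_PARAM]
    return hmac.compare_digest(sigs[0], _mac(key, parts.path, rest))


def sign_links(html, key=KEY):
    """Rewrite every href in an outgoing page so the browser only holds signed links."""
    return HREF_RE.sub(lambda m: f'href="{sign_url(m.group(1), key)}"', html)


if __name__ == "__main__":
    page = sign_links('<a href="/showarticle?id=278">Read</a>')   # constructed page
    link = HREF_RE.search(page).group(1)
    print("signed link:", link)
    print("as sent     :", verify_url(link))
    print("id tampered :", verify_url(link.replace("id=278", "id=279")))
    print("param added :", verify_url(link + "&admin=1"))
```

Because the signature covers the path and every parameter, editing id=278 to id=279 or appending admin=1 is refused before the request reaches the web server, and parameter reordering is still accepted. The maintenance burden shows up in sign_links: every form action and script-generated URL has to be covered as well, and each application change can introduce new ones.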

Page 22: WAFEC

WAFEC sections

Logging

It enumerates support for typical event log and notification mechanisms found in most widely accepted technologies

… e-mail, syslog, SNMP traps, OPSEC, etc.

Criteria for log selection and retention

… interesting when legal or regulatory requirements have to be satisfied

Mechanisms to handle sensitive data

… manual or automatic configuration to rewrite sensitive data that would otherwise be included in logs

Page 23: WAFEC

WAFEC sections

Reporting

Report formats

Scheduled reports

Customized reports

Flexible reports

… definitely, reports make management happy!

But what else can reports be used for?

Trend analysis

Risk prioritization

Attackers’ behaviour

Page 24: WAFEC

WAFEC sections

Some leftovers: Performance and XML

Support for Web Services, WSDL and XML inspection

… this can also drive the final decision if Web Services need to be protected as well

Maximum number of simultaneous connections, sessions, SSL resumptions, requests, etc.

Performance under load

… this greatly depends on the underlying technology, mainly ASIC-based appliances (faster) or Linux software (slower)

Page 25: WAFEC

WAFEC sections

Management is a key element of WAF devices

This is mainly because policies become complex and have to evolve quickly in order to adapt to application changes

We have thought of the following sections:

POLICY MANAGEMENT

PROFILE LEARNING

CONFIGURATION MANAGEMENT

LOGS AND MONITORING

LEFTOVERS

Any suggestions about features that you would miss?

Page 26: WAFEC

WAFEC sections

Simplicity to manually accept false positives

… think of it: how would you refine policies otherwise?

This is a false positive. Tick to remove it.

Page 27: WAFEC

WAFEC sections

Ability to define different policies for different applications

… why could this be helpful?

[Diagram: WAF in front of the web server, with one policy level per user population]

Senior Management: HIGH LEVEL

Webmail users: MID LEVEL

System administrators: HIGH LEVEL

Potential customers: LOW LEVEL

Page 28: WAFEC

WAFEC sections

Support for trusted hosts

… this feature enables ethical hackers to work with no impact on the Incident Management team

Automated signature download and deployment

… otherwise, the protection can arrive too late

Policy rollback mechanism

… otherwise, the WAF device might stop business

Ability to create custom signatures or events… this way I can address custom vulnerabilities that exist in my particular environment

Page 29: WAFEC

WAFEC sections

Ability to combine detection and prevention

… guess what this can be interesting for?

Ability to manage several devices from one central location

… otherwise, management can’t be centralized and policy adjustment becomes a nightmare!

Simplicity to relax default policies

Page 30: WAFEC

Let me ask you some questions

Who audits code coming from third parties?

When moving to production, are the portions of code used for partial development testing removed?

Does all the code comply with the logging policy?

Is there a correlation between the logs and the successive upgrades of the application?

Are security tests/attacks performed on new versions of the software?

How long does it take to apply critical security updates once they appear?

Who applies the security updates for functional/application software, and when?

What is the critical code path that accesses the backend data?

Is there server-side validation for all forms?

Page 31: WAFEC

Want to know more?

More info: www.rafaelsanmiguel.com www.webappsec.org/wafec

Contact info: [email protected]

Interesting info: www.empleoenseguridad.com

Page 32: WAFEC

This work is licensed under the Creative Commons Attribution-NoDerivs License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

Creative Commons Attribution-NoDerivs 2.0

You are free:

• to copy, distribute, display, and perform this work

• to make commercial use of this work

Under the following conditions:

Attribution. You must give the original author credit.

No Derivative Works. You may not alter, transform, or build upon this work.

For any reuse or distribution, you must make clear to others the license terms of this work.

Any of these conditions can be waived if you get permission from the author.

Your fair use and other rights are in no way affected by the above.