Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Use Wasm to Deploy WAF Deeper in the Service Me...

Use Wasm to Deploy WAF Deeper in the Service Mesh for Zero Trust and Compliance

In today's complex cybersecurity landscape, it is increasingly challenging to protect against sophisticated attacks. WAF is already critical to application security when deployed at the edge, including as a fast patch mechanism for zero-day exploits. But it's now possible, using Wasm plugins in the data plane, to inject WAF transparently at PEPs around individual services as part of a Zero Trust Architecture where security policy is enforced at every hop. Deploying WAF close to workloads can help organizations improve their overall security posture and reduce the likelihood of successful cyberattacks. In this talk, I will explore how Wasm can be used to deploy WAF deeper in the network, not just at the application edge. We'll also discuss compliance requirements for sensitive applications, such as PCI DSS which will demand WAF deployment by 2025. We'll explain how open-source WAFs can help meet these requirements and provide peace of mind for organizations handling sensitive data.

José Carlos Chávez

March 19, 2024
Tweet

More Decks by José Carlos Chávez

Other Decks in Programming

Transcript

  1. © Okta and/or its affiliates. All rights reserved. Highly sensitive

    information; do not distribute. DATA CLASSIFICATION: OKTA RESTRICTED © Okta and/or its affiliates. All rights reserved. Highly sensitive information; do not distribute. DATA CLASSIFICATION: OKTA RESTRICTED Use Wasm to Deploy WAF Deeper in the Service Mesh for Zero Trust and Compliance José Carlos Chávez Security Software Engineer @ okta
  2. © Okta and/or its affiliates. All rights reserved. Highly sensitive

    information; do not distribute. DATA CLASSIFICATION: OKTA RESTRICTED What is a Web Application Firewall (WAF)? • WAF is a proxy-based tool that inspect incoming/outgoing HTTP traffic. • Analyses traffic looking for malicious/unwanted content and blocking requests/responses accordingly. • Can be based on predefined rulesets describing well-known attacks. • Produces audit logs for every request that matched one of the rules for further analysis.
  3. © Okta and/or its affiliates. All rights reserved. Highly sensitive

    information; do not distribute. DATA CLASSIFICATION: OKTA RESTRICTED Why using a WAF? • Request/response inspection to avoid zero-day attacks, client-side attacks, bot attacks, etc. • Security rules: SQL Injection, XSS Attacks, Local/Remote File Inclusion, Size Restrictions, etc. • Anomaly scoring: assigns score to malformed/suspicious traffic and blocks based on thresholds. • Virtual patching: security patches at HTTP traffic level to skip CVEs • Audit logs for security analysis.
  4. © Okta and/or its affiliates. All rights reserved. Highly sensitive

    information; do not distribute. DATA CLASSIFICATION: OKTA RESTRICTED But… why using a WAF in service mesh? • Zero trust • Lift and shift • PCI DSS 4.0 compliance • Biggest hack of 2023 was SQL injection (MoveIt) • Robust Cybersecurity program
  5. © Okta and/or its affiliates. All rights reserved. Highly sensitive

    information; do not distribute. DATA CLASSIFICATION: OKTA RESTRICTED Crossing paths Istio Service mesh running envoy based sidecars as policy enforcers and allowing WebAssembly plugins filtering content at ingress or workload Envoy Proxy/Gateway allowing filters written in one language and compiled into WebAssembly (proxy-wasm ABI) WebAssembly Portable binary-code format for high performance executable programs. Coraza WAF Fast Web Application Firewall compilable to WebAssembly and supporting Coreruleset 4.0.
  6. © Okta and/or its affiliates. All rights reserved. Highly sensitive

    information; do not distribute. DATA CLASSIFICATION: OKTA RESTRICTED But how? SPOILER: In the sidecar At ingress: apiVersion: extensions.istio.io/v1alpha1 kind: WasmPlugin metadata: name: coraza-ingressgateway namespace: istio-ingress spec: phase: AUTHN # before auth priority: 10000 # the bigger the safer pluginConfig: default_directives: default directives_map: default: - Include @demo-conf - Include @crs-setup-conf - Include @owasp_crs/*.conf - SecRuleEngine On selector: matchLabels: app: istio-ingressgateway istio: ingressgateway url: oci://ghcr.io/corazawaf/coraza-proxy-wasm:0.5.0 Each namespace individually: apiVersion: extensions.istio.io/v1alpha1 kind: WasmPlugin metadata: name: coraza-crs namespace: my-namespace spec: phase: AUTHN # before auth pluginConfig: default_directives: default directives_map: default: - Include @demo-conf - Include @crs-setup-conf - Include @owasp_crs/*.conf - SecRuleEngine On selector: matchLabels: app: my-app url: oci://ghcr.io/corazawaf/coraza-proxy-wasm:0.5.0
  7. © Okta and/or its affiliates. All rights reserved. Highly sensitive

    information; do not distribute. DATA CLASSIFICATION: OKTA RESTRICTED Thank you! © Okta and/or its affiliates. All rights reserved. Highly sensitive information; do not distribute. DATA CLASSIFICATION: OKTA RESTRICTED References: • https://github.com/corazawaf/coraza-proxy-wasm • https://github.com/tetratelabs/proxy-wasm-go-sdk • https://coreruleset.org/