Web Application Firewalls Revisited

Security has been a concern since the dawn of the internet, and today's threats are more prevalent and sophisticated than ever. Success in security today means more mechanisms that protect not just the edge of your network but every component from attack. In this talk we go through the Zero-Trust principles and how they play a fundamental role in the design of secure modern systems. Then we review how the Web Application Firewall concept has evolved to the point where no user, device, or network traffic is trusted by default. We also meet Coraza, a modern WAF library that embraces the OWASP Core Rule Set, and see how together they protect web applications from a wide range of attacks.

José Carlos Chávez

November 09, 2023
Transcript

  1. SOFTWARE ENGINEER @ TETRATE
     José Carlos Chávez
     • Open source & Security enthusiast
     • OWASP Coraza WAF Co-leader
     • Zipkin core member
     • Loving father
     @jcchavezs November 2023
  2. WEB APPLICATION FIREWALL
     Traditionally a WAF:
     • Helps to protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet.
     • Protects web applications from malicious traffic.
     • Is a layer 7 (OSI model) defense acting as a reverse proxy: clients pass through the WAF before reaching the server.
     • Produces audit logging with more detailed information about the requests made to your server (request/response headers and body).
  3. WEB APPLICATION FIREWALL: FEATURES
     1. IP-fencing through a denylist
     2. Geo-fencing and geo-blocking through a virtual perimeter
     3. Request/response inspection to avoid zero-day attacks, client-side attacks, bot attacks, virus files, etc.
     4. Security rules: SQL injection, XSS attacks, local and remote file inclusion, size restrictions, etc.
     5. Anomaly scoring for matching rules
     6. DDoS rate limiting for IPs
     7. Bot mitigation by analyzing the cookie sent by the browser
  4. “There was a time when security was easy: ‘I need more security – I will just buy another firewall’.” (OH)
  5. PERIMETER SECURITY CHALLENGES
     • There is no single, easily identifiable perimeter for the enterprise: cloud, on-prem, multi-cloud, third-party services, FaaS, artifact registries, etc.
     • In the era of microservices the majority of the traffic is East-West, whereas perimeter security focuses on North-South.
     • Ingress has to carry knowledge about the upstream components (more security policies on the perimeter firewall), leading to operational complexity, misconfigurations, change management, timely policy updates, etc.
     • The guiding principle of perimeter security is "Trust but Verify".
  6. ZERO TRUST
     Enabling the right user under the right conditions to gain the right access to the right data.
  7. ZERO (implicit) TRUST
     Enabling the right user under the right conditions to gain the right access to the right data.
  8. “Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.”
     Source: NIST 800-207, Zero Trust Architecture
  9. ZERO TRUST DRIVER ASSUMPTIONS
     • Trust can no longer be based on a network perimeter, as perimeters can always be breached.
     • Policies have to be defined based on the assumption that the attacker is already inside the network.
     • All access decisions have to rely on least-privilege, per-request, and context-based principles and on identities associated with users, services, and devices.
     • Security and access state constantly change over time.
  10. ZERO TRUST TENETS
      1. All data sources and computing services are resources: switching from static servers and endpoints to dynamic cloud computing services such as Pods or FaaS.
      2. Communications are secured regardless of location: the access policy should be default-to-deny; explicit access must be granted to specific resources.
      3. Access to individual resources is granted on a per-session basis: trust should not extend beyond a single session, and each session should involve the same rigor to resolve access and permissions.
      4. Access to resources is determined by dynamic policies and context: several attributes come into play when evaluating access.
  11. ZERO TRUST TENETS
      5. Monitor and measure the integrity and security posture of assets: every resource request should trigger a security posture evaluation, continuously monitoring the state of system assets that have access.
      6. Dynamic resource authN and authZ are strictly enforced before access is allowed: a constant cycle of obtaining access, scanning and assessing threats, adapting, and continually re-evaluating trust in ongoing communications.
      7. Collect information on the current state of assets, network infrastructure, and communications to improve security posture: continuous monitoring capabilities ensure awareness of what is occurring in the system over time, so that action can be taken when risky patterns are identified.
  12. Security is a combination of multiple protection mechanisms on multiple levels.
      [Figure: Logical Components of Zero Trust Architecture]
      Source: NIST 800-207, Zero Trust Architecture
  13. ZERO TRUST WEB APPLICATION FIREWALL
      • Protects workloads by filtering and monitoring traffic between workloads at PEPs.
      • Leverages network-wide patches for zero-day vulnerabilities (e.g. Log4Shell).
      • Allows legacy applications to be on-boarded in a lift & shift fashion.
      • Flexible ruleset based on the application's internals and security posture.
      • Provides audit logs for further analysis and for improving security posture through adaptive rulesets.
  14. CORAZA WEB APPLICATION FIREWALL
      • Open source Web Application Firewall
      • Written in Go
      • Inspired by ModSecurity and supports SecLang (ModSecurity EOL is July 2024)
      • Focused on OWASP Core Rule Set v4: the newest and shiniest ruleset from OWASP (currently RC2)
      • Version 3.0 received the Production Flagship status from OWASP
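Slide 3 lists anomaly scoring as a WAF feature and slide 14 names the OWASP Core Rule Set, which blocks on the summed score of every matching rule rather than on any single match. The Go program below is an added illustration of that scoring model and is not Coraza or CRS code: the rules, their IDs and the inputs are constructed for the example, while the severity weights (critical 5, error 4, warning 3, notice 2) and the default inbound threshold of 5 follow CRS conventions.

```go
package main

import "regexp"

// Rule pairs a regexp run over every argument with its anomaly score (constructed; CRS rules are SecLang).
type Rule struct {
	ID      int
	Pattern *regexp.Regexp
	Score   int // CRS severity weights: critical 5, error 4, warning 3, notice 2
}

// Illustrative rules with made-up IDs, one per class named on the features
// slide: SQL injection, XSS, file inclusion, size restriction.
var rules = []Rule{
	{900001, regexp.MustCompile(`(?i)(\bor\b\s+\d+\s*=\s*\d+|--|/\*)`), 5},
	{900002, regexp.MustCompile(`(?i)(<script|on\w+\s*=)`), 5},
	{900003, regexp.MustCompile(`\.\./`), 4},
	{900004, regexp.MustCompile(`^.{513,}`), 2},
}

// Evaluate inspects decoded request arguments and returns the summed
// anomaly score with the IDs of the rules that matched. A rule scores at
// most once per request, and no rule blocks on its own.
func Evaluate(args map[string]string) (int, []int) {
	total, matched := 0, []int{}
	for _, r := range rules {
		hit := false
		for _, v := range args {
			hit = hit || r.Pattern.MatchString(v)
		}
		if hit {
			total += r.Score
			matched = append(matched, r.ID)
		}
	}
	return total, matched
}

// Decide is the blocking step: block only when the total reaches the
// inbound anomaly threshold (CRS defaults to 5, i.e. one critical match).
func Decide(args map[string]string, threshold int) bool {
	score, _ := Evaluate(args)
	return score >= threshold
}

func main() {
	a := map[string]string{"f": "../../etc"} // constructed: traversal alone scores 4, under the threshold of 5
	score, ids := Evaluate(a)
	println("score", score, "matched", len(ids), "blocked", Decide(a, 5))
}
```

The point the model makes is that a single lower-severity match is logged but not blocked, whereas two independent matches in one request push the total over the threshold; tuning the threshold, not individual rules, is how false positives are traded against coverage.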
  15. CORAZA WEB APPLICATION FIREWALL
      • Multiplatform connectors:
        ◦ Native Go, Caddy, Traefik (WIP)
        ◦ Envoy, Istio, Kong using the proxy-wasm spec
        ◦ Fully compatible with WebAssembly, which allows it to run in different stacks
      • Pluggable architecture: experimental Plugins API for extending functionality and writing custom WAF features, e.g. rate limiting and GeoIP
      • High throughput: performance-driven, designed to run in the critical path (e.g. at a PEP)
      • Portable and easily distributable
  16. CONCLUSIONS
      • Zero trust isn’t incompatible with network/perimeter-based security approaches. Both are needed.
      • Web Application Firewalls are still relevant to securing inter-resource communication.
      • Security is a dynamic process, not a static attribute.
  17. For any further queries, feel free to contact me at [email protected]. Thank you everyone.
      jcchavezs jcchavezs www.tetrate.io
  18. References
      • PCI Web Application Security Requirements: https://pcidssguide.com/pci-web-application-security-requirements/
      • NIST SP 800-207A: A Zero Trust Architecture (ZTA) Model for Access Control in Cloud Native Applications in Multi-Location Environments
      • NIST 800-207: Zero Trust Architecture
      • What You Need to Know About Cloud Lift & Shift Migrations: https://f.hubspotusercontent10.net/hubfs/423210/cloud-lift-and-shift-migrations-whitepaper.pdf