WAFEC, or how to choose WAF technology
RAFAEL SAN MIGUEL CARRASCO
Why I am here
Honestly, I've got no better plan for Friday afternoon
I like to play with WAF technology
WAFEC 1.0 has been recently published
I actually belong to the WAFEC Working Group
Let’s talk about WAFEC!
What will we talk about?
Why WAF devices are not so much fun
How to make them fun
WAFEC sections
WAFEC and common sense together
Introduction and concepts
So, what is a WAF device?
WAF devices protect web applications from specific vulnerabilities that IDS/IPS/FW technology can’t beat
WAF devices address the most attack-prone subsystem within a technology infrastructure: the webserver
WAF devices are complex devices with sophisticated features: actually, they have to be as complex as web applications
Cross-site scripting
SQL Injection
LDAP Injection
XPath Injection
Parameter tampering
Cookie poisoning
HTTP Request Smuggling
HTTP Response Splitting
Cross-site Tracing
Cross-site Request Forgery
Stealth Commanding
Buffer overflows
. . .
Some background about WAF
Negative Security Model vs. Positive Security Model
Concept
• Negative model: the WAF knows what traffic is an attack and allows any other traffic to go through
• Positive model: the WAF learns what traffic profile is legitimate and blocks anything else
Advantages
• Negative model: no need for customization; protection out of the box; simple and straightforward
• Positive model: accurate detection; catches unknown attacks; not dependent on updates
Disadvantages
• Negative model: highly dependent on updates; not very accurate
• Positive model: needs a learning process; more prone to false positives
Some background about WAF
How are unknown attacks identified with PSM?
Illegal entry point into the site to the .ida file (/get)
Illegal parameter tampering of the .ida file
Buffer overflow attempt on the parameter (240 characters)
Illegal characters within parameter (%)
http://<site>/get/default.ida?<240chars>%9090<…>%u00=a
Nimda was blocked by several WAF devices without a custom signature
Some background about WAF
How does the learning process work in PSM?
http://a.com/showarticle?id=278
http://a.com/showarticle?id=345
http://a.com/showarticle?id=12
The WAF learns that the id parameter in showarticle is a number
http://a.com/showarticle?id=1’%20OR%201=1--
This looks like an attack!
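The two slides above (the Nimda request and the showarticle learning example) describe the same mechanism from two angles: a profile is learned from legitimate traffic, and a later request is judged by how far it departs from that profile. The following is an added illustration written for this transcript, not code from the talk or from any WAF product. It models the four checks the Nimda slide lists (entry point, parameter, length, character set) on raw query components; the learning URLs are the slide's, the probe URLs are constructed, and the length slack factor and the character-class scheme are assumptions of this example.

```python
"""Toy positive security model: learn a profile from legitimate traffic,
then flag whatever departs from it (added example, not the talk's code)."""
from urllib.parse import urlsplit


class ParamProfile:
    """What the model has learned about one query parameter."""

    def __init__(self):
        self.numeric = True   # every value seen so far was an integer
        self.max_len = 0      # longest value seen


class PositiveModel:
    def __init__(self, length_slack=2):
        self.entry_points = {}            # path -> {parameter name -> ParamProfile}
        self.site_classes = set()         # character classes seen in any raw query component
        self.site_max_len = 0             # longest raw "name=value" component seen
        self.length_slack = length_slack  # assumed tolerated growth over a learned maximum

    @staticmethod
    def _char_class(ch):
        # Digits and letters are generalised; punctuation and percent-encoding are
        # tracked literally, so a '%' never seen during learning stays illegal.
        if ch.isdigit():
            return "digit"
        if ch.isalpha():
            return "letter"
        return ch

    @staticmethod
    def _components(query):
        return [c for c in query.split("&") if c]

    def learn(self, url):
        """Learning phase: record entry points and per-parameter profiles."""
        parts = urlsplit(url)
        params = self.entry_points.setdefault(parts.path, {})
        for comp in self._components(parts.query):
            name, _, value = comp.partition("=")
            prof = params.setdefault(name, ParamProfile())
            prof.numeric = prof.numeric and value.isdigit()
            prof.max_len = max(prof.max_len, len(value))
            self.site_classes.update(self._char_class(c) for c in comp)
            self.site_max_len = max(self.site_max_len, len(comp))

    def evaluate(self, url):
        """Enforcement phase: return (code, detail) violations; an empty list means allow."""
        parts = urlsplit(url)
        violations = []
        params = self.entry_points.get(parts.path)
        if params is None:
            violations.append(("entry_point", f"illegal entry point {parts.path}"))
            params = {}
        for comp in self._components(parts.query):
            name, _, value = comp.partition("=")
            prof = params.get(name)
            if prof is None:
                violations.append(("unknown_parameter", f"parameter {name[:16]!r} was never learned"))
                if len(comp) > self.site_max_len * self.length_slack:
                    violations.append(("length", f"{len(comp)}-char component, site maximum learned {self.site_max_len}"))
            else:
                if prof.numeric and not value.isdigit():
                    violations.append(("type", f"{name} is numeric, got {value!r}"))
                if len(value) > prof.max_len * self.length_slack:
                    violations.append(("length", f"{name} value is {len(value)} chars, learned maximum {prof.max_len}"))
            illegal = {self._char_class(c) for c in comp} - self.site_classes
            if illegal:
                violations.append(("charset", "illegal characters " + "".join(sorted(illegal))))
        return violations


# Learning traffic: the showarticle requests from the slide.
LEARNED = [
    "http://a.com/showarticle?id=278",
    "http://a.com/showarticle?id=345",
    "http://a.com/showarticle?id=12",
]
# Constructed probes: a benign request, the slide's SQL injection attempt and a
# Nimda-style request with a 240-character parameter and raw percent-encoded bytes.
BENIGN = "http://a.com/showarticle?id=999"
SQLI = "http://a.com/showarticle?id=1'%20OR%201=1--"
NIMDA = "http://a.com/get/default.ida?" + "X" * 240 + "%9090%u00=a"


def build_model():
    model = PositiveModel()
    for url in LEARNED:
        model.learn(url)
    return model


def violation_codes(model, url):
    return sorted({code for code, _ in model.evaluate(url)})


if __name__ == "__main__":
    model = build_model()
    for label, url in (("benign", BENIGN), ("sqli", SQLI), ("nimda", NIMDA)):
        print(label, model.evaluate(url))
```

Two points worth noticing: the Nimda request trips all four checks without any signature, which is exactly the slide's claim, and the benign id=999 passes only because digits are generalised into a class. A model that memorised literal characters would block it, which is the false-positive trap the later slides warn about.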
So, what is WAFEC?
WAFEC is an ongoing project and stands for Web Application Firewall Evaluation Criteria
WAFEC is promoted by WASC, which in turn stands for Web Application Security Consortium
WAFEC is a document describing WAF capabilities, as a structured checklist of features
WAFEC allows technicians to evaluate WAF devices and decide which one best fits in their environment
So, what is not WAFEC?
WAFEC is not a specification of minimum requirements that a WAF device must comply with
WAFEC is not a tutorial or compendium about WAF technology or web security
WAFEC is not for managers, but for reasonably skilled technicians
Why do we think WAFEC is necessary?
Marketing and sales forces are creating confusion
There is not much knowledge about this emerging market
WAF devices and manufacturers are proliferating
Why WAF devices are not so much fun
If not properly administered and integrated, they won’t adapt to application changes
If not properly configured, they can trigger false positives and stop business
The solution: do it properly!
If not properly deployed, they can slow down your transactions and make business staff unhappy
… and make sure the product you choose does support the features you need
… and do it using WAFEC!
How to make them fun
About false positives and other nightmares
Define detection rules that will alert you to suspicious events without the risk of stopping business
Take your time to refine policies
Teach the WAF device during the development phase; that will let you define more accurate policies in the production environment
How to make them fun
About application changes
Let the WAF device learn from developers in order to enable policy adjustment in the production environment
Web applications change very quickly, which means that the WAF behaviour has to change as well
Define granular policies so that the WAF can rebuild policies for updated sections or areas with no impact on those that haven’t changed
How to make them fun
About application changes
[Diagram with four numbered steps; its content is not recoverable from the transcript]
How to make them fun
About performance, latency and SLA
Define simpler policies for areas or sections subject to SLAs
Use SSL accelerators
Use webcache integrated features
Compress HTML content between the WAF and the browser
WAFEC sections
Deployment and architecture
… there is no rule of thumb: it depends on your network!
Modes of operation
Bridge, router, proxy or plugin
SSL operation
Active, passive or not required (case of plugins)
Technology delivery
Appliance or software-only
Support for non-HTTP traffic
Clear trend: the integration of WAF/IPS capabilities in one device
WAFEC sections
HTML and HTTP support
A rather long and boring checklist of features related to support for the protocol and its extensions
… but this can drive the decision as well!
Includes length restrictions for every HTTP component
Response filtering or Intellectual Property Firewalling
… I have never seen them in place because they can’t be accurately defined
… this will let you add an extra layer of security if everything else fails
Response filtering
WAFEC sections
We have the following datafile, which can be remotely retrieved by means of an OsCommerce vulnerability:
[datafile shown on the slide; not reproduced in the transcript]
Imagine that every security mechanism implemented in the WAF device fails!
WAFEC sections
Response filtering
ModSecurity’s response filtering capabilities can be configured this way to prevent the previous datafile from being effectively retrieved:
[configuration shown on the slide; not reproduced in the transcript]
Which results in forbidden access to the malicious URL
… with no previous knowledge about the OsCommerce vulnerability!
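The ModSecurity configuration from the slide is not in the transcript, so the following added example (written for this transcript, not the talk's or ModSecurity's code) shows the same idea as a standalone filter: inspect the response body on its way back to the client and replace anything matching a leak pattern with a generic 403, regardless of how the request got through. ModSecurity 2.x does this with SecResponseBodyAccess On and a SecRule on RESPONSE_BODY in phase 4; the patterns, the scannable content types and the scan limit below are assumptions of the example, and the sample bodies are constructed.

```python
"""Response filtering: inspect what the webserver sends back and stop leaks
regardless of whether the request-side checks caught anything (added example)."""
import re

# Constructed rule set. Each pattern marks content that should never leave the
# server in a response body; a real deployment tunes these per application.
LEAK_PATTERNS = {
    "php_source": re.compile(r"<\?php"),                            # script source served as text
    "db_credentials": re.compile(r"\bDB_\w*(PASSWORD|USER)\w*\b"),  # configuration constants
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
SCANNABLE_TYPES = ("text/", "application/json", "application/xml", "application/javascript")


def filter_response(status, headers, body, rules=LEAK_PATTERNS, scan_limit=512 * 1024):
    """Return (status, headers, body, hits).

    Only textual responses are inspected, and only the first scan_limit
    characters, so binary downloads and very large pages do not pay the
    inspection cost (the performance trade-off the deck mentions). On a hit the
    original response is replaced by a generic 403, so the leaked content never
    reaches the client.
    """
    content_type = headers.get("Content-Type", "").lower()
    if not content_type.startswith(SCANNABLE_TYPES):
        return status, headers, body, []
    hits = [name for name, rx in rules.items() if rx.search(body[:scan_limit])]
    if not hits:
        return status, headers, body, hits
    blocked_headers = {"Content-Type": "text/plain", "Content-Length": "10"}
    return 403, blocked_headers, "Forbidden\n", hits


# Constructed samples: a normal page, a configuration file served as text (the
# kind of datafile the slide refers to) and a PNG that happens to contain a marker.
PAGE = "<html><body><h1>Welcome</h1></body></html>"
LEAKED_CONFIG = (
    "<?php\n"
    "define('DB_SERVER', 'localhost');\n"
    "define('DB_SERVER_PASSWORD', 'example-only');\n"
)
IMAGE = "\x89PNG\r\n\x1a\n...<?php..."


def demo():
    return {
        "page": filter_response(200, {"Content-Type": "text/html"}, PAGE),
        "config": filter_response(200, {"Content-Type": "text/plain"}, LEAKED_CONFIG),
        "image": filter_response(200, {"Content-Type": "image/png"}, IMAGE),
    }


if __name__ == "__main__":
    for name, (status, _, _, hits) in demo().items():
        print(name, status, hits)
```

The image case shows the caveat that comes with the performance shortcut: a leak inside a content type you chose not to scan goes through untouched, so the list of scannable types is a security decision, not just a tuning knob.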
WAFEC sections
Detection techniques
Two main groups: positive model and negative model
Negative model: what parameters are important?
… update frequency, number of products included, customized selection of signatures
Positive model: what parameters are important?
… basically, effectiveness; if it works, nobody cares what the core technology is
… my best bet is to properly combine both
WAFEC sections
Protection techniques
Brute force attack mitigation and automated client detection
… helpful for websites that track users’ activity
Strict request flow enforcement
… this feature really annoys malicious users
Cryptographic URL and parameter protection
… nice in theory but difficult to implement effectively if the application changes often
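Cryptographic URL and parameter protection is easiest to understand in code. The following added example (written for this transcript, not the talk's or any product's code) has the WAF sign every link in an outgoing page with an HMAC over the path and parameters, and reject any incoming request whose parameters were altered, reordered into something else, or stripped of their signature. The key, the signature parameter name and the href-rewriting regex are assumptions of the example; the page is constructed around the slide's showarticle link.

```python
"""Cryptographic URL and parameter protection: the WAF signs the links it
hands out and rejects requests whose path or parameters were altered
(added example, not the talk's code)."""
import hashlib
import hmac
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: the key lives only on the WAF and is rotated like any other secret.
SECRET = b"constructed-example-key-do-not-reuse"
SIG_PARAM = "sig"


def _canonical(path, params):
    # Sorting makes the signature independent of parameter order.
    return (path + "?" + urlencode(sorted(params))).encode()


def sign_url(url, secret=SECRET):
    """Append an HMAC-SHA256 over path and parameters as an extra query parameter."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    mac = hmac.new(secret, _canonical(parts.path, params), hashlib.sha256).hexdigest()
    return urlunsplit(parts._replace(query=urlencode(params + [(SIG_PARAM, mac)])))


def verify_url(url, secret=SECRET):
    """True only if exactly one signature is present and it matches path and parameters."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    sigs = [v for k, v in params if k == SIG_PARAM]
    if len(sigs) != 1:
        return False
    rest = [(k, v) for k, v in params if k != SIG_PARAM]
    expected = hmac.new(secret, _canonical(parts.path, rest), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sigs[0], expected)


HREF_RX = re.compile(r'href="([^"]+)"')


def sign_links(html, secret=SECRET):
    """Response side: rewrite every href so the links the browser sees are already signed."""
    return HREF_RX.sub(lambda m: f'href="{sign_url(m.group(1), secret)}"', html)


# Constructed page carrying the slide's showarticle link.
PAGE = '<a href="/showarticle?id=278">Article 278</a>'


def demo():
    signed_page = sign_links(PAGE)
    signed = HREF_RX.search(signed_page).group(1)
    tampered = signed.replace("id=278", "id=279")
    stripped = signed.split("&" + SIG_PARAM + "=")[0]
    reordered = sign_url("/x?b=2&a=1").replace("b=2&a=1", "a=1&b=2")
    return {
        "signed_ok": verify_url(signed),
        "tampered_rejected": not verify_url(tampered),
        "unsigned_rejected": not verify_url(stripped),
        "reordered_ok": verify_url(reordered),
    }


if __name__ == "__main__":
    print(demo())
```

The limitation the slide points to is visible here: the WAF can only sign links it can see in the HTML it rewrites. URLs built in JavaScript, forms with computed actions, or any page section that changes shape before the rewriting rules catch up will produce unsigned requests, and every one of those is a false positive to triage.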
WAFEC sections
Logging
It enumerates support for typical event log and notification mechanisms, found in most widely-accepted technologies
… e-mail, syslog, SNMP traps, OPSEC, etc.
Criteria for log selection and retention
… interesting when legal or regulatory requirements have to be satisfied
Mechanisms to handle sensitive data
… manual or automatic configuration to rewrite sensitive data that would otherwise be included in logs
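Rewriting sensitive data before it is logged is a small but easily mishandled feature, so here is an added example of what such a configuration does (written for this transcript, not the talk's or any product's code): credential-like query parameters are redacted, and runs of digits are masked only when they pass the Luhn check, so order numbers and timestamps survive untouched. The parameter names treated as secret and the log lines are constructed assumptions of the example.

```python
"""Rewrite sensitive data before it reaches the logs: credentials in query
strings are redacted and card numbers are masked to their last four digits
(added example, not the talk's code)."""
import re

# Assumption: parameter names treated as secrets; extend per application.
SECRET_PARAMS = ("password", "passwd", "pwd", "token", "sessionid")
SECRET_RX = re.compile(r"(?i)\b(" + "|".join(SECRET_PARAMS) + r")=([^&\s\"]*)")
# 13 to 16 digits, optionally separated by spaces or dashes, starting and ending with a digit.
CARD_RX = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")


def luhn_ok(digits):
    """Standard Luhn checksum; keeps the masker from eating every long number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_card(match):
    digits = re.sub(r"\D", "", match.group())
    if not luhn_ok(digits):
        return match.group()  # order numbers and similar are left alone
    return "*" * (len(digits) - 4) + digits[-4:]


def scrub(line):
    """Return the log line with secrets redacted and card numbers masked."""
    line = SECRET_RX.sub(r"\1=[REDACTED]", line)
    return CARD_RX.sub(_mask_card, line)


def scrub_all(lines):
    return [scrub(line) for line in lines]


# Constructed access-log lines in Apache combined-log style; the card number is
# a well-known test number, the order number is arbitrary and fails Luhn.
LOG_LINES = [
    '10.0.0.5 - - [12/Mar/2007:10:01:33 +0100] "POST /login?user=bob&password=hunter2 HTTP/1.1" 302 0',
    '10.0.0.7 - - [12/Mar/2007:10:02:10 +0100] "GET /checkout?order=1234567890123&card=4111-1111-1111-1111 HTTP/1.1" 200 512',
]


if __name__ == "__main__":
    for line in scrub_all(LOG_LINES):
        print(line)
```

Whatever the real product offers, this is the check to run against it: feed it a line with a secret parameter, a valid card number and a harmless long number, and confirm that only the first two change. Rules that mask too much destroy the trend analysis the reporting slides depend on; rules that mask too little create the regulatory problem the retention criteria are meant to avoid.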
WAFEC sections
Reporting
Report formats
Scheduled reports
Customized reports
Flexible reports
… definitely, reports make management happy!
But, what else can reports be used for?
Trend analysis
Risk prioritization
Attackers’ behaviour
WAFEC sections
Some leftovers: Performance and XML
Support for Web Services, WSDL and XML inspection
… this can also drive the final decision if Web Services need to be protected as well
Maximum number of simultaneous connections, sessions, SSL resumptions, requests, etc.
Performance under load
… this greatly depends on the underlying technology, mainly ASIC (faster) or Linux (slower)
WAFEC sections
Management is a key element of WAF devices
This is mainly because policies become complex and have to evolve quickly in order to adapt to application changes
We have thought of the following sections:
POLICY MANAGEMENT
PROFILE LEARNING
CONFIGURATION MANAGEMENT
LOGS AND MONITORING
LEFTOVERS
Any suggestions about features that you would miss?
WAFEC sections
Simplicity to manually accept false positives
… think of it: how would you refine policies otherwise?
[Screenshot of a WAF console: “This is a false positive. Tick to remove it.”]
WAFEC sections
Ability to define different policies for different applications
… why could this be helpful?
[Diagram: a WAF in front of the webserver applying a different policy level per user group: Senior Management (high level), Webmail users (mid level), System administrators (high level), Potential customers (low level)]
WAFEC sections
Support for trusted hosts
… this feature enables ethical hackers to work with no impact on the Incident Management team
Automated signature download and deployment
… otherwise, the protection can arrive too late
Policy rollback mechanism
… otherwise, the WAF device might stop business
Ability to create custom signatures or events
… this way I can address custom vulnerabilities that exist in my particular environment
WAFEC sections
Ability to combine detection and prevention
… guess what this can be interesting for?
Ability to manage several devices from one central location
… otherwise, management can’t be centralized and policy adjustment becomes a nightmare!
Simplicity to relax default policies
Let me ask you some questions
Who audits code coming from third parties?
Are the code portions used for partial development tests removed when moving to production?
Does all the code comply with the logging policy?
Is there a correlation between the logs and the successive upgrades of the application?
Are security tests/attacks performed on new releases of the software?
How long does it take to apply critical security updates once they are released?
Who applies security updates to functional/application software, and when?
What is the critical code path that accesses the backend data?
Is there server-side validation for all forms?
Want to know more?
More info: www.rafaelsanmiguel.com www.webappsec.org/wafec
Contact info: [email protected]
Interesting info: www.empleoenseguridad.com
Attribution. You must give the original author credit.
For any reuse or distribution, you must make clear to others the license terms of this work.
Any of these conditions can be waived if you get permission from the author.
Your fair use and other rights are in no way affected by the above.
This work is licensed under the Creative Commons Attribution-NoDerivs License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
Creative Commons Attribution-NoDerivs 2.0
You are free:
• to copy, distribute, display, and perform this work
• to make commercial use of this work
Under the following conditions:
No Derivative Works. You may not alter, transform, or build upon this work.