Building Your Own WAF as a Service and Forgetting about False - - PowerPoint PPT Presentation



SLIDE 1

Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

1

SLIDE 2

About me

  • Lead security developer @Booking.com
  • Twitter: @89berner
  • medium.com/@89berner

2 Building Your Own WAF as a Service and Forgetting about False Positives Juan Berner

SLIDE 3

WAF?

  • Web Application Firewall
  • Mainly used to protect against application attacks
  • SQLi, RCE, protocol violations, rate limiting ...

SLIDE 4

Deployment mode - Inline

  • Pros:
    ○ Traffic inspection
    ○ Ability to block
    ○ Transparent for web servers
  • Cons:
    ○ Network placement
    ○ Latency

SLIDE 5

Deployment mode - Out of band

  • Pros:
    ○ Traffic inspection
    ○ Transparent for web servers
    ○ Simpler network placement
  • Cons:
    ○ Can’t block attacks
    ○ PFS (perfect forward secrecy prevents passive decryption of TLS traffic)

SLIDE 6

Deployment mode - Agent

  • Pros:
    ○ Easier network placement
    ○ Simple to scale
  • Cons:
    ○ More invasive on the deployment environment
    ○ Can be less efficient in resource allocation

SLIDE 7

Deployment mode - Cloud

  • Pros:
    ○ Simple to set up and scale
    ○ Network effect
  • Cons:
    ○ Out of your control
    ○ Latency

SLIDE 8

Caveats with typical WAF Solutions

  • Network placement
  • False positive rate
  • Lack of control from developers

SLIDE 9

A challenging environment

  • No acceptance for false positives
  • Reluctance towards commercial appliances
  • Blocking could only happen through the application
  • Latency would not be acceptable

SLIDE 10

Building the WAF as a Service

  • Removes false positives by having an understanding of the application context
  • No need for an appliance, just add an API call
  • Blocking behaviour is decided by the application
  • Ability to avoid latency for regular users

SLIDE 11

How could you build one?

  • Open source components already exist
  • Create a log processing pipeline
  • Build a WAF API
  • Library for sending logs and calling the API

SLIDE 12

Study case: Simple web application

  • Set up in Google Cloud
  • Simple Flask application
  • Code available on GitHub

SLIDE 13

Deployment mode?

  • Let’s compare

SLIDE 14

Out of band mode

SLIDE 15

Inline mode

SLIDE 16

Every application is different

  • Threat model
  • FP tolerance
  • Risk acceptance

SLIDE 17

Finding a middle ground

  • Out of band mode removes latency concerns for users
  • Inline mode provides security by blocking attacks
  • Could we get the best of both worlds?

SLIDE 18

Hybrid mode

SLIDE 19

Components - Web application

  • Can decide which mode to work in
    ○ Inline
    ○ Out of band
  • Sends logs with partial request data encrypted

Example: Flask API

SLIDE 20

Components - Agent

  • Acts as a proxy to the web application
  • Minimal footprint
  • Application agnostic
  • Gets its settings from the application

SLIDE 21

Components - Agent

SLIDE 22

Components - Library

  • Simpler to implement
  • Will be tied to the application framework
  • Inherent risks
  • The strategy used for this talk

SLIDE 23

Components - Historical database

  • Historical activity
  • Business value
  • Patterns of behaviour for FP

SLIDE 24

Components - State store

  • Stores configuration
  • Ideally a fast lookup, for caching

SLIDE 25

Components - Log streaming

  • Streaming pipeline
  • Web requests are encapsulated and sent through it

Google Pub/Sub

SLIDE 26

Components - Log processing

  • Replays events against the WAF, out of line with the request
  • Calculates scores over windows of time

Google Dataflow

SLIDE 27

Components - Log processing

SLIDE 28

Components - Log processing

SLIDE 29

Components - Log processing

SLIDE 30

Components - WAF service

  • Pluggable architecture
  • Its components are independent and run in parallel
  • Applications can decide how to react

SLIDE 31

Components - WAF service

  • Open source components
    ○ ModSecurity
    ○ Naxsi

SLIDE 32

Components - WAF service

  • Custom modules
    ○ Apply custom business logic
    ○ Implement simple services
      ■ Rate limiting
      ■ Rule engine for blocking
    ○ ML models

SLIDE 33

Components - WAF service

  • Proprietary software or appliances
    ○ Reduced installation complexity
    ○ Simple way of evaluating

SLIDE 34

WAF service - Example: ModSecurity

  • Could be made API driven through libModSecurity
  • Can run on Apache HTTP Server or NGINX
  • Results are written as logs

SLIDE 35

WAF service - ModSecurity as an API

  • SecRule REMOTE_ADDR "@unconditionalMatch" "phase:4,id:999434,prepend: ...

SLIDE 36

WAF service - ModSecurity as an API

  • Implementing response body analysis
  • The body is sent to a CGI script for replay

SLIDE 37

WAF service

SLIDE 38

How to block?

  • We decide when to send traffic to the WAF
  • Decided manually or automatically

SLIDE 39

Traffic routing

  • Fingerprint based routing
    ○ Blocks based on scores
    ○ IP, client_id, combinations, 0day fingerprints ...
    ○ Added automatically or manually

SLIDE 40

Traffic routing

  • Net block based routing
    ○ ISP
    ○ Hosting providers
    ○ Tor exit nodes / proxies

SLIDE 41

Traffic routing

  • Virtual patching
    ○ Always route particular vulnerable endpoints
    ○ Select on a combination of parameters if needed
    ○ Example: website.com/?vuln_param=

SLIDE 42

FP rate management

  • Detection FP vs blocking FP
  • Key to allowing blocking without impacting users
  • The acceptable rate might change per application

SLIDE 43

FP rate management

  • Business logic
    ○ How trustworthy is a user/IP?
    ○ Key business activity
    ○ What would be the impact of blocking them?

SLIDE 44

FP rate management

  • Historical analysis
    ○ How normal is this type of request for this endpoint?
    ○ How does this user compare with others?
    ○ How common are detection FPs on this endpoint?

SLIDE 45

FP rate management

  • Context analysis
    ○ How many times have they triggered a FP?
    ○ How many requests have they sent?

SLIDE 46

FP rate management

  • Example: Sleep(
    ○ message=“I sleep(1 or 2 days)”
      ■ Might be detected as SQLi
      ■ The probability of a FP is independent for each detection

SLIDE 47

FP rate management

  • Independent SQLi FP rate: 0.1%
  • Our aim, 0.00001% (0.01^5) => Score 5
  • Blocking can happen only for SQLi
  • Aimed at attacks that need volume
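
The windowed scoring of slide 26 and the score-based fingerprint routing of slides 39 and 47, as an added Python illustration rather than code from the talk or its repository; the 10-minute window, the event format and the IP plus client_id fingerprint are assumptions made here:

```python
from collections import defaultdict, deque
# Figures from slide 47; the window length is an assumption made for this example.
SQLI_FP_RATE = 0.001     # independent SQLi false-positive rate of 0.1%
BLOCK_SCORE = 5          # "Score 5": SQLi detections needed before blocking
WINDOW_SECONDS = 600     # constructed: detections older than this stop counting

def all_fp_probability(fp_rate, n):
    """Chance that n independent detections are all false positives (fp_rate ** n)."""
    return fp_rate ** n
class ScoreTracker:
    """Counts SQLi detections per fingerprint inside a sliding time window."""
    def __init__(self, window=WINDOW_SECONDS, threshold=BLOCK_SCORE):
        self.window, self.threshold = window, threshold
        self.hits = defaultdict(deque)   # fingerprint -> timestamps of SQLi detections

    def score(self, fingerprint, now):
        q = self.hits[fingerprint]
        while q and now - q[0] > self.window:   # expire detections outside the window
            q.popleft()
        return len(q)

    def record(self, fingerprint, now, rule_class):
        if rule_class == "SQLI":                 # only SQLi feeds the blocking score
            self.hits[fingerprint].append(now)
        return self.score(fingerprint, now)

    def mode(self, fingerprint, now):
        # Hybrid-mode routing: send inline (WAF may block) once the score is reached
        return "inline" if self.score(fingerprint, now) >= self.threshold else "out-of-band"

def replay(events, tracker=None):
    """Replay log events in order; returns (fingerprint, score, mode) for each one."""
    tracker = tracker or ScoreTracker()
    out = []
    for ev in events:
        fp = f"{ev['ip']}/{ev['client_id']}"        # IP + client_id combination fingerprint
        s = tracker.record(fp, ev["ts"], ev["rule_class"])
        out.append((fp, s, tracker.mode(fp, ev["ts"])))
    return out
# Constructed sample events, shaped like what the log-processing stage would receive
SAMPLE_EVENTS = [
    {"ts": 0,   "ip": "198.51.100.7", "client_id": "c1", "rule_class": "SQLI"},
    {"ts": 30,  "ip": "198.51.100.7", "client_id": "c1", "rule_class": "SQLI"},
    {"ts": 60,  "ip": "198.51.100.7", "client_id": "c1", "rule_class": "XSS"},
    {"ts": 90,  "ip": "203.0.113.9",  "client_id": "c2", "rule_class": "SQLI"},
    {"ts": 120, "ip": "198.51.100.7", "client_id": "c1", "rule_class": "SQLI"},
    {"ts": 150, "ip": "198.51.100.7", "client_id": "c1", "rule_class": "SQLI"},
    {"ts": 180, "ip": "198.51.100.7", "client_id": "c1", "rule_class": "SQLI"},
    {"ts": 900, "ip": "198.51.100.7", "client_id": "c1", "rule_class": "SQLI"},
]
```

Only the fifth SQLi detection inside the window flips the fingerprint to inline mode; the non-SQLi hit is ignored and the detection at 900 s lands in a fresh window, so the score drops back to 1.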

SLIDE 48

Components - Visualisation

  • Easily understand activity
  • Visibility on attacks
  • Performance metrics

Example: ELK

SLIDE 49

Components - Visualisation

SLIDE 50

Components - Visualisation

SLIDE 51

Components - Visualisation

SLIDE 52

Components - Visualisation

SLIDE 53

Hybrid mode

  • Benefits
    ○ Can reduce latency
    ○ Flexibility
    ○ The FP rate can be decided

SLIDE 54

Hybrid mode

  • Caveats
    ○ Delayed response time for blocking
    ○ Complexity

SLIDE 55

SLIDE 56

What now?

  • Try it!
  • https://github.com/89berner/waf-api-talk
  • git clone https://github.com/89berner/waf-api-talk && cd waf-api-talk; ./setup $YOUR_GCP_PROJECT
  • Questions?
