INCAPSULA / IMPERVA CLOUD WAF POC & RESEARCH REPORT

Michael Kaishar | Security Consultant

April, 2013: Version 1.0

Incapsula / Imperva Cloud WAF POC & Research Report - version 1.0

April 2013


Table of Contents

Introduction
    POC Objective
    POC Design
    POC Limitations
POC High Level Solution Architecture
    Traditional Firewall Configuration
    Incapsula/Imperva Cloud WAF Configuration
POC Implementation
    Configuring the Cloud WAF to Ignore Malicious Traffic
    Set up and Configuration of the Cloud WAF Managed Service Solution
    Demonstrating website protection using the Cloud WAF
    Additional Features and Benefits
Conclusion


Introduction

Being connected to the Internet and maintaining a web presence in order to conduct business carries risk: web attacks are a constant threat to any organization. Realistically, given today's emerging threats, how can an organization protect its websites from hackers, malicious bots, scrapers, comment spammers and denial of service attacks while still allowing legitimate traffic through and complying with regulatory mandates?

There are numerous solutions. One of the fastest and easiest to deploy is a Web Application Firewall (WAF), which inspects HTTP(S) requests and blocks those that match known attack patterns; it is a compensating control that complements, rather than replaces, secure coding. The following research report documents the results and recommendations for the Cloud Web Application Firewall (WAF) Managed Service provided by Incapsula/Imperva.

POC Objective

The aim of this POC is to illustrate the functionality of the Incapsula/Imperva Cloud WAF Managed Service and to provide sufficient information to determine whether the Incapsula/Imperva Cloud WAF Managed Service is a viable security solution.

POC Design

The Team has created an intentionally vulnerable website running in the environment. The website URL is: The idea is to implement the Incapsula/Imperva Cloud WAF Managed Service and to illustrate successful protection of the vulnerable website without fixing any of the application code. The POC demonstrates before and after situations: first with the website unprotected, and then with the website protected by the Incapsula/Imperva Cloud WAF Managed Service.

POC Limitations

Typically, organizations should follow industry best practices in securing all devices and applications. The scope of the following research is limited to a high-level technical implementation, evaluation and demonstration of the Incapsula/Imperva Cloud WAF Managed Service; it does not attempt to offer detailed or in-depth information on network security or secure coding practices.


POC High Level Solution Architecture

Traditional Firewall Configuration

Figure 1 illustrates a typical network architecture where a traditional firewall is configured as the security measure. Traditional (network-layer) firewalls filter on addresses, ports and protocols, so they are not capable of preventing attacks carried inside otherwise legitimate HTTP(S) requests, such as SQL Injection, Cross-Site Scripting, Cross-Site Request Forgery, Illegal Resource Access and Remote File Inclusion. The is an intentionally vulnerable web application for the purposes of this POC. The traditional firewall will not block any malicious HTTP(S) requests. Examples of some of these HTTP(S) level attacks are demonstrated later in this report.

Figure 1: Traditional Firewall Configuration

Incapsula/Imperva Cloud WAF Configuration

Figure 2 illustrates the addition of the Incapsula/Imperva Cloud WAF Managed Service. All traffic flows through the Incapsula/Imperva cloud WAF, which acts as a reverse proxy: malicious traffic is detected and blocked, while legitimate traffic is passed through to the origin web server. The cloud WAF is implemented through a DNS change. Instead of resolving directly to the original IP address of the website, the DNS record is changed to point to the cloud WAF. Because the change is DNS-only, the origin server remains reachable by anyone who knows or discovers its original IP address; the origin should therefore be configured to accept HTTP(S) connections only from the WAF's published address ranges, otherwise the protection can be bypassed by connecting to the origin directly.

Figure 2: Incapsula/Imperva Cloud WAF Configuration
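The following is an added example, not part of the report and not Incapsula/Imperva code: the admission check an origin server behind a DNS-fronted cloud WAF should apply to each request, plus the host-firewall rules that enforce the same thing at the network layer. The WAF address ranges are placeholders taken from the RFC 5737 documentation blocks, not Incapsula's real egress ranges, and the forwarded-client header name is an assumption; substitute the vendor's published ranges and documented header. The sample requests are constructed.

```python
# Added example, not part of the report: the admission check an origin server
# behind a DNS-fronted cloud WAF should apply, plus the host-firewall rules that
# enforce it.  WAF_RANGES are placeholders from the RFC 5737 documentation
# blocks, NOT Incapsula's real egress ranges; substitute the vendor's published
# list.  The forwarded-client header name is also an assumption: use the
# vendor-specific header if one is documented.
import ipaddress
from typing import Dict, List, Optional

# Assumed: address ranges the WAF connects to the origin from.
WAF_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]
CLIENT_IP_HEADER = "X-Forwarded-For"  # assumed header name


def is_from_waf(peer_ip: str) -> bool:
    """True if the TCP peer that delivered the request is inside a WAF range."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in WAF_RANGES)


def real_client_ip(peer_ip: str, headers: Dict[str, str]) -> Optional[str]:
    """Return the end-user address for a request, or None if it must be rejected.

    A connection that did not arrive through the WAF bypasses the protection the
    DNS change was meant to provide, so it is rejected outright.  Only when the
    peer is the WAF is the forwarded-client header believed, and then only its
    last (rightmost) entry, which the WAF itself appended; anything before it
    was supplied by the client and is attacker-controlled.
    """
    if not is_from_waf(peer_ip):
        return None
    hops = [h.strip() for h in headers.get(CLIENT_IP_HEADER, "").split(",") if h.strip()]
    if not hops:
        return None
    try:
        return str(ipaddress.ip_address(hops[-1]))
    except ValueError:
        return None


def origin_firewall_rules(ports: str = "80,443") -> List[str]:
    """iptables rules that let only the WAF ranges reach the web ports."""
    rules = [
        "-A INPUT -s %s -p tcp -m multiport --dports %s -j ACCEPT" % (net, ports)
        for net in WAF_RANGES
    ]
    rules.append("-A INPUT -p tcp -m multiport --dports %s -j DROP" % ports)
    return rules


# Constructed sample requests: (peer address, headers, description).
SAMPLE_REQUESTS = [
    ("203.0.113.10", {"X-Forwarded-For": "192.0.2.44"}, "normal request via the WAF"),
    ("192.0.2.99", {"X-Forwarded-For": "203.0.113.10"}, "direct hit on the origin, header spoofed"),
    ("203.0.113.10", {"X-Forwarded-For": "10.0.0.1, 192.0.2.44"}, "client pre-filled the header"),
    ("203.0.113.10", {}, "WAF peer but no forwarded header"),
]


def triage(requests=SAMPLE_REQUESTS):
    """Run the admission check over the samples; None means 'reject'."""
    return [(desc, real_client_ip(peer, hdrs)) for peer, hdrs, desc in requests]


if __name__ == "__main__":
    for desc, client in triage():
        print("%-45s -> %s" % (desc, client or "REJECT"))
    print("\n".join(origin_firewall_rules()))
```

The second sample is the bypass case: the attacker connects straight to the origin's old IP address and sets a forwarded-client header containing a WAF address, but the check keys on the actual TCP peer, which the attacker cannot forge, so the request is rejected. The firewall rules give the same guarantee even if the application forgets the check.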


POC Implementation

Configuring the Cloud WAF to Ignore Malicious Traffic

The following is a demonstration of attacks that hackers might use. These attacks are for demonstration purposes only and were carried out against the test website In order to simulate the absence of the cloud WAF Managed Solution, the cloud WAF was configured to ignore malicious traffic. This was done in order to illustrate what a successful attack looks like. The Appendix section in this report defines cross-site scripting and SQL injection attacks.

Figure 3 illustrates a successful cross-site scripting attack. It was not blocked because the web application itself is vulnerable to such attacks and because the cloud WAF, in its 'simulated' absence, was not blocking such requests. This is the basic probe with which an attacker tests whether a site is vulnerable: a script payload submitted through an input field is returned in the page and executed by the browser.

Figure 3: Successful cross-site scripting attack


Figure 4 illustrates a very simple SQL injection attack using the string ' or '1'='1 in the login form to log in to the site without having any account, thereby bypassing the application's authentication.

Figure 4: Successful SQL Injection attack
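To make concrete what the two attacks above exploit, here is an added example that is not the report's test site and not Incapsula/Imperva code: a minimal model of the injectable login of Figure 4 and the reflected input of Figure 3, each beside the application-level fix. The WAF in the report compensates for the vulnerable variants without the code being changed; the fixed variants show what removing the flaw at the source looks like. The schema, the user account and the probe strings are constructed for this example.

```python
# Added example, not the report's test site: a minimal model of the two flaws
# the POC exploits, each shown beside the application-level fix.  The WAF in
# the report compensates for the vulnerable variants; the fixed variants are
# what removing the flaw at the source looks like.  The schema, the user
# account and the probe strings are constructed for this example.
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory user table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return conn


# --- SQL injection (the login bypass of Figure 4) ----------------------------

def login_vulnerable(conn, username: str, password: str) -> bool:
    # Deliberately vulnerable: input is concatenated into the SQL text, so a
    # quote in the password ends the literal and ' or '1'='1 becomes a
    # tautology that makes the WHERE clause true for every row.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_fixed(conn, username: str, password: str) -> bool:
    # Parameterised query: the driver binds the values as data, so the same
    # probe is compared literally against the stored password and fails.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


# --- Cross-site scripting (the reflected probe of Figure 3) ------------------

def render_vulnerable(search_term: str) -> str:
    # Deliberately vulnerable: the parameter is written into the HTML verbatim,
    # so a <script> payload is returned as markup and the browser executes it.
    return "<p>Results for: %s</p>" % search_term


def render_fixed(search_term: str) -> str:
    # Output encoding: the payload is returned as visible text, not markup.
    return "<p>Results for: %s</p>" % html.escape(search_term, quote=True)


SQLI_PROBE = "' or '1'='1"
XSS_PROBE = "<script>alert(1)</script>"


def run_demo() -> dict:
    """Exercise both variants with the probes; keys say which outcome is which."""
    conn = make_db()
    return {
        "sqli_vulnerable_bypassed": login_vulnerable(conn, "x", SQLI_PROBE),
        "sqli_fixed_bypassed": login_fixed(conn, "x", SQLI_PROBE),
        "sqli_fixed_real_login": login_fixed(conn, "alice", "correct-horse"),
        "xss_vulnerable_executes": "<script>" in render_vulnerable(XSS_PROBE),
        "xss_fixed_executes": "<script>" in render_fixed(XSS_PROBE),
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print("%-28s %s" % (name, outcome))
```

With the vulnerable login, the SQL text becomes `... AND password = '' or '1'='1'`, which is true for every row, so the count is non-zero and the login succeeds with no valid account; the parameterised version compares the probe as a literal password and fails, while the real credentials still work.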


Set up and Configuration of the Cloud WAF Managed Service Solution

Setting up and configuring the Incapsula/Imperva Cloud WAF Managed Service is easy and straightforward.

1. Sign up at https://my.incapsula.com/sign-up. Once registration is completed, an email is sent to the address used during registration.

2. Once registered and validated, browse to https://my.incapsula.com and enter the username and password to sign in to the service.


3. Activate the Incapsula/Imperva Cloud WAF by adding the domain to be protected and clicking NEXT>. In this case the domain has already been added and configured.

4. Once a website is added it goes through an automatic configuration process, as illustrated.


5. Once the automated process is completed, a simple change to the domain's DNS records must be made to point the website at the Incapsula/Imperva Cloud WAF Managed Service. Step by step instructions on completing this task are sent by email. DNS propagation can take several hours; once the DNS changes take effect, an email notification is sent out.

6. The image below illustrates that the DNS changes have taken effect.


7. The image below illustrates the current as being effectively protected by the Incapsula/Imperva Cloud WAF Managed Service.

8. Configuring the Cloud WAF is simple: choose Block Request for each of the attack categories. On a production site it is prudent to first leave the rules in a non-blocking setting (as was done for the demonstration above) and review the alerts against normal traffic for a period, so that any rule that matches legitimate requests is identified before it can cause an outage for those users.


Demonstrating website protection using the Cloud WAF

Previously it was demonstrated that the website was successfully attacked using very simple cross-site scripting and SQL injection methods while the Incapsula/Imperva Cloud WAF Managed Service was not protecting the site.

Figure 5 illustrates that the Incapsula/Imperva Cloud WAF has successfully protected the website from the same cross-site scripting attack: the request is blocked before it reaches the web server, and an email alert is sent to the parties configured to receive notifications.

Figure 5: Unsuccessful cross-site scripting attack
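The report shows the outcome of blocking but not the mechanism. The following added example, which is not Incapsula's engine or configuration and is deliberately simplified, models the per-request decision a signature-based WAF makes: each parameter is normalised (percent-decoded until stable, so double encoding does not hide a payload) and then matched against a small constructed rule set, while an ordinary search request passes through untouched. The rules and the sample traffic are constructed for this example; a real product ships far larger, tuned rule sets.

```python
# Added example, not Incapsula's engine or configuration: a deliberately
# simplified model of the per-request decision a signature-based WAF makes,
# to show why input must be normalised (percent-decoded, including double
# encoding) before matching, and that ordinary requests pass unchanged.  The
# rule set and the sample requests below are constructed for this example.
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed rules: (name, pattern).  Matching is case-insensitive.
RULES = [
    ("xss-script-tag", re.compile(r"<\s*script\b", re.I)),
    ("xss-event-handler", re.compile(r"\bon(load|error|click|mouseover|focus)\s*=", re.I)),
    ("sqli-tautology", re.compile(r"'\s*or\s+'?\w*'?\s*=\s*'?\w*'?", re.I)),
    ("path-traversal", re.compile(r"\.\.[/\\]")),
]

Decision = Tuple[str, Optional[str], Optional[str]]  # (ALLOW|BLOCK, rule, location)


def normalise(value: str) -> str:
    """Percent-decode until stable so %253C (double-encoded '<') is seen as '<'."""
    previous = None
    while previous != value:
        previous, value = value, unquote(value)
    return value


def inspect_request(method: str, url: str, body: str = "") -> Decision:
    """Inspect path, query and form body; the first rule hit blocks the request."""
    parts = urlsplit(url)
    fields = [("path", parts.path)]
    fields += [("query:" + k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    if method.upper() == "POST":
        fields += [("body:" + k, v) for k, v in parse_qsl(body, keep_blank_values=True)]
    for where, raw in fields:
        value = normalise(raw)
        for name, pattern in RULES:
            if pattern.search(value):
                return ("BLOCK", name, where)
    return ("ALLOW", None, None)


# Constructed sample traffic: (method, url, body).
SAMPLE_REQUESTS = [
    ("GET", "/search?q=wordpress+security", ""),
    ("GET", "/search?q=%3Cscript%3Ealert(1)%3C/script%3E", ""),
    ("GET", "/search?q=%253Cscript%253Ealert(1)%253C/script%253E", ""),  # double-encoded
    ("GET", "/search?q=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E", ""),
    ("POST", "/login", "user=x&pass=%27+or+%271%27%3D%271"),
    ("GET", "/static/../../etc/passwd", ""),
]


def inspect_all(requests=SAMPLE_REQUESTS) -> List[Decision]:
    """Decide every sample request in order."""
    return [inspect_request(*req) for req in requests]


if __name__ == "__main__":
    for (method, url, body), decision in zip(SAMPLE_REQUESTS, inspect_all()):
        print("%-5s %-55s -> %s" % (method, url, decision))
```

The POST sample carries the same ' or '1'='1 string used in Figure 4, percent-encoded as a browser would send it, and is caught in the form body; the third sample shows why the decode loop matters, since a single decode would leave `%3Cscript%3E` unmatched. Rules this coarse are also the source of false positives, which is why a vendor rule set should be observed in non-blocking mode against real traffic before Block Request is enabled.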


Additional Features and Benefits

There are many more features in the Incapsula/Imperva Cloud WAF Managed Service offering in addition to protection from SQL Injection, Cross-Site Scripting and Illegal Resource Access. The additional features include the following:

• Backdoor Protect: currently in beta; used to detect and quarantine backdoors uploaded to a protected website.

• DDoS Mitigation: used to detect and stop distributed denial of service attacks on a protected website.

• PCI 6.6 Compliance: according to Incapsula/Imperva, “the PCI DSS offers two alternatives for meeting requirement 6.6: either install a WAF in front of your website or perform an application code review. For most merchants, application code reviews are costly, impractical and therefore out of the question. A WAF is clearly preferable, but traditional WAF solutions require in-depth IT and security knowledge and resources that not all companies have.”

• Website Performance Enhancement: according to Incapsula/Imperva, “on average, websites using Incapsula are 40% faster and consume 50% less bandwidth.”

• Analytics and Monitoring: real-time analytics for website traffic, performance and threats.


Conclusion

The Incapsula/Imperva Cloud WAF Managed Service offers an easy and robust solution for protecting websites. In addition to its ease of use and well-designed dashboard, the solution provides a powerful reporting feature that gives detailed information as well as attack analytics. Although the testing and evaluation for this POC was carried out at a high level, the Incapsula/Imperva Cloud WAF Managed Service would be a welcome addition to the The Incapsula/Imperva Cloud WAF solution is a great product.