Taking the Fear out of WAF
Transcript of Taking the Fear out of WAF
© F5 Networks, Inc 2
Who is this guy?
• Brian A. McHenry, Sr. Security Solutions Architect, F5 Networks
• 9 years at F5, focused on application security solutions
• Regular contributor on DevCentral.f5.com & InformationSecurityBuzz.com
• Follow me on Twitter @bamchenry
Who Owns the WAF?
Network Team / App Dev Team / Security Team
Not Us!
My kingdom for a WAF admin!
WAF Administrator
With Great Power…
• Each web application is a snowflake!
• Application deploys can be too frequent for WAF policy tweaks to keep up.
• In DevOps environments, continuous delivery enables rapid vulnerability fixes in code.
WAF Administrator
Automated Traffic Consumes 50% of Resources
Typical Web Traffic
Humans Good Bots Bad Bots
https://www.incapsula.com/blog/bot-traffic-report-2015.html
• Roughly 50% of traffic is human
• About 20% is good bots
• Remaining 30% is malicious bots
What’s a Heavy URI?
• Any URI inducing greater server load upon request
• Requests that take a long time to complete
• Requests that yield large response sizes
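As an added example (not from the slides), the following Python script profiles a web server's access log to find heavy URIs before an attacker does: it groups requests by path and ranks those whose mean response time (CPU cost) or mean response size (bandwidth) exceeds a threshold. The log format, the `rt=` field, the thresholds and the sample lines are constructed for this example.

```python
import re
from collections import defaultdict
from statistics import mean

# Constructed access-log lines (not real traffic). Assumed format:
# '<ip> - - [<ts>] "<method> <uri> HTTP/1.1" <status> <bytes> rt=<upstream seconds>'
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=flights HTTP/1.1" 200 84211 rt=2.913
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /images/logo.png HTTP/1.1" 200 4120 rt=0.004
198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "GET /search?q=hotels HTTP/1.1" 200 91023 rt=3.410
198.51.100.7 - - [10/Oct/2023:13:55:39 +0000] "GET /report/export.csv HTTP/1.1" 200 5242880 rt=0.800
192.0.2.9 - - [10/Oct/2023:13:55:40 +0000] "GET /css/site.css HTTP/1.1" 200 22000 rt=0.003
192.0.2.9 - - [10/Oct/2023:13:55:41 +0000] "POST /login HTTP/1.1" 302 0 rt=0.120
192.0.2.9 - - [10/Oct/2023:13:55:42 +0000] "GET /search?q=cars HTTP/1.1" 200 78000 rt=2.650
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) rt=(?P<rt>[0-9.]+)$'
)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    rec["rt"] = float(rec["rt"])
    return rec


def normalize_uri(uri):
    # Group by path only: /search?q=a and /search?q=b hit the same resource.
    return uri.split("?", 1)[0]


def profile_uris(log_text):
    """Aggregate per-path request count, mean response time and mean bytes."""
    samples = defaultdict(lambda: {"rt": [], "bytes": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = normalize_uri(rec["uri"])
        samples[path]["rt"].append(rec["rt"])
        samples[path]["bytes"].append(rec["bytes"])
    return {
        path: {"count": len(v["rt"]), "mean_rt": mean(v["rt"]), "mean_bytes": mean(v["bytes"])}
        for path, v in samples.items()
    }


def heavy_uris(profile, max_rt=1.0, max_bytes=1_000_000):
    """Return (path, reasons, mean_rt, mean_bytes) for paths that are heavy by time or size,
    sorted the way the slides describe: slowest first, then largest."""
    heavy = []
    for path, s in profile.items():
        reasons = []
        if s["mean_rt"] > max_rt:
            reasons.append("slow")
        if s["mean_bytes"] > max_bytes:
            reasons.append("large")
        if reasons:
            heavy.append((path, reasons, s["mean_rt"], s["mean_bytes"]))
    heavy.sort(key=lambda h: (h[2], h[3]), reverse=True)
    return heavy


if __name__ == "__main__":
    for path, reasons, rt, size in heavy_uris(profile_uris(SAMPLE_LOG)):
        print(f"{path:22} {','.join(reasons):10} mean_rt={rt:.3f}s mean_bytes={size:.0f}")
```

Running it lists `/search` (slow) and `/report/export.csv` (large); those are the paths to rate-limit, cache or protect with a challenge first, since they are the ones a GET flood would target.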
Network Reconnaissance Example
Attackers work to identify weaknesses in application infrastructure
• Attackers are proficient at network reconnaissance
• They obtain a list of site URIs
• Sort by time-to-complete (CPU cost)
• Sort list by megabytes (bandwidth)
• Spiders (bots) available to automate
• Though they are often known by the security community
• Can be executed with a simple wget script, or OWASP HTTP Post tool
Tools and Methods of L7 DoS Attacks
Exploiting POST for Fun & DoS
• Determine:
• URLs accepting POST
• Max size for POST
• Bypass CDN protections (POST isn’t cacheable)
• Fingerprint both TCP & app at the origin
Detection and Mitigation Challenges
• Source IP address mostly ineffective for detection
• Geo-fencing impractical for most sites
• Recent brute force attack sourced from 1M IP addresses
• Endless supply of IP addresses
• Compromised routers, cable modems, proxies, and more.
Web Application
DETECTING & STOPPING AUTOMATED TRAFFIC
Classifying the Bad BOTS…
• Most attacks are automated, whether DoS, Brute Force, or data breach
• Many reconnaissance tools available
• WGET, SQLMap, etc.
• Headless browsers (e.g. Phantom.js, et al)
• Attackers must automate to find weaknesses for manual probing
…from the Good BOTS
• Search-bots have unique capabilities
• Reverse lookup should tell you if the IP is from the search provider
• Other bots, such as scrapers and aggregators, may need to be allowed
• Determine unique characteristics
• Signature-based bypass
• Still may need to throttle benign bots
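The reverse-lookup check for search bots, as an added example that is not part of the original deck: a forward-confirmed reverse DNS verification in Python. The PTR name must fall under a trusted provider domain and must resolve back to the same IP, so a client that merely claims a search-bot User-Agent is treated as an impostor. The DNS records, the `searchbot.example` domain and the function names are stub values constructed here; `live_reverse` and `live_forward` show the equivalent `socket` calls for real lookups.

```python
import socket

# Constructed stub DNS data (not real records): IP -> PTR name, and name -> A records.
STUB_PTR = {
    "192.0.2.10": "crawl-192-0-2-10.searchbot.example",        # genuine: PTR and A agree
    "198.51.100.20": "crawl-198-51-100-20.searchbot.example",  # impostor: PTR spoofed, A disagrees
    "203.0.113.30": "host30.isp.example",                      # not a search provider at all
}
STUB_A = {
    "crawl-192-0-2-10.searchbot.example": ["192.0.2.10"],
    "crawl-198-51-100-20.searchbot.example": ["192.0.2.11"],
    "host30.isp.example": ["203.0.113.30"],
}

# Domains the site trusts as search providers (hypothetical name for the example).
SEARCH_PROVIDER_DOMAINS = ("searchbot.example",)


def stub_reverse(ip):
    name = STUB_PTR.get(ip)
    if name is None:
        raise OSError("no PTR record")
    return name


def stub_forward(name):
    ips = STUB_A.get(name)
    if ips is None:
        raise OSError("no A record")
    return ips


def live_reverse(ip):
    # Real PTR lookup; raises OSError (socket.herror) when there is no record.
    return socket.gethostbyaddr(ip)[0]


def live_forward(name):
    # Real A lookup returning every address the name resolves to.
    return socket.gethostbyname_ex(name)[2]


def is_verified_search_bot(ip, allowed_domains=SEARCH_PROVIDER_DOMAINS,
                           reverse=stub_reverse, forward=stub_forward):
    """Forward-confirmed reverse DNS: the PTR name must belong to an allowed provider
    domain AND must resolve back to the same IP. Any lookup failure fails closed."""
    try:
        name = reverse(ip).rstrip(".").lower()
    except OSError:
        return False, "no-ptr"
    if not any(name == d or name.endswith("." + d) for d in allowed_domains):
        return False, "ptr-not-provider"
    try:
        ips = forward(name)
    except OSError:
        return False, "no-forward"
    if ip not in ips:
        return False, "forward-mismatch"
    return True, "verified"


def classify_search_bot_claim(ip, user_agent):
    """Policy for a request whose User-Agent claims to be the search provider's crawler."""
    if "searchbot" not in user_agent.lower():
        return "normal-policy"
    ok, reason = is_verified_search_bot(ip)
    return "allow-search-bot" if ok else "treat-as-impostor:" + reason
```

Cache the verdict per IP: the double lookup is slow, and a verified crawler keeps its addresses for a long time.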
Bot Signatures
Known malicious bots, blocked by default
Known “safe” bots, no action by default
Behavioral Analysis & Fingerprinting
• Detect GET flood attacks against Heavy URI’s
• Identify non-human surfing patterns
• Fingerprinting to identify beyond IP address
• Identify fake User Agents
• Track fingerprinted sessions
• Assign risk scores to sessions
• Detect known malicious browser extensions
• https://PanOpticlick.eff.org for a primer on the topic
• WAF injects a JS challenge with obfuscated cookie
• Legitimate browsers resend the request with cookie
• WAF checks and validates the cookie
• Requests with valid signed cookie are then passed through to the server
• Invalidated requests are dropped or terminated
• Cookie expiration and client IP address are enforced, so replayed cookies are rejected
• Prevented attacks are reported and logged without a detected attack
JavaScript-based Bot Detection
(Flow diagram: Internet → WAF → Web Application; legitimate browser verification on one path, no challenge response from bots on the other: BOTS ARE DROPPED)
1. First-time request to web server: WAF responds with injected JS challenge. Request is not passed to server.
2. JS challenge placed in browser.
3. Browser responds to challenge & resends request.
4. WAF verifies response authenticity. Cookie is signed, time stamped and fingerprinted.
5. Valid requests are passed to the server.
Continuous invalid bot attempts are blocked. Valid browser requests bypass the challenge with future requests.
Detecting bots and blocking
• When checked, ASM will fingerprint and score the browser and check multiple variables to determine if it is a bot
(Fingerprint score diagram: high score → PASS; average score → EVALUATE with CAPTCHA or JS challenge; worst score → BLOCK)
Detecting bots and blocking
(CAPTCHA or challenge decision)
• If “Block Suspicious Browsers” is unchecked → send CS challenge (like 11.6)
• If “Block Suspicious Browsers” is checked → send Client Capabilities Challenge, and if an average score is returned, send CAPTCHA
• If “CAPTCHA Challenge” is unchecked → Block
ASM’s unique Proactive Bot Defense and L7 DoS: mitigating 30-40% across entire airline booking site
Proactive Bot Detection: consistently protecting applications from another 30% of bot requests across airline booking site
Mitigated over 90% of bot traffic during peak times for target URL. As bot activity rises, server latency decreases with valid requests.
Imagine: an Internet free of Bots.
Deep Thoughts
• Eliminating 30% of web traffic has serious impact
• Capacity and performance improvements are measurable
• Budget is always more available than for a security project
• Bot detection requires less per-application customization
• Increases operational scale for application security
• Reduces threat model by eliminating most opportunistic attackers
• Focus other defenses on vectors for directed attackers
Greatly Improve App Security Posture, Quickly and Easily…
1. Block Known Bad Requests
2. Stop Talking to (Bad) Bots
3. Stop Talking to Bad IPs
4. Hide Details Nobody Needs
5. Mask Sensitive Data
6. See the Hostile Traffic
7. Defend Against L7 DoS Attacks
Web Application Security can be complicated.
However, a well-designed Web Application Firewall, such as ASM, can provide substantial security benefit “out of the box”.
By making the simple things simple, ASM enables the security team to focus energy on critical tasks.
Block Known Bad Requests
Even with a very simple-to-deploy policy, ASM can block a host of known bad traffic:
• SQL Injection
• CMD Injection
• Cross-Site Scripting
• Known Evasions and Encoded Attacks
• Malformed Requests
• Directory Traversal
• Cookie Manipulation
• Buffer Overflows
• HPP Tampering
• Parameter Tampering
• Security Misconfiguration Attacks
• Cross-Site Request Forgery
• And much, much more….
Stop Talking to (Bad) Bots
Google, Bing, Yahoo, Ask, a couple others are ‘Friendly’… and whitelisted.
You don’t want to talk to any other bots:
• Scrapers
• DDoS Botnets
• Scanners
• Recon Bots
• Malware Droppers & Worms
ASM Identifies Bots and Blocks Them:
• Blocking Malformed Requests
• Blocking ‘Friendly’ Bot Imposters
• Blocking the Exploits that enable Malware Droppers
• Bot Identification
• Proactive Bot Defense
Bots are bad, M’kay?
The vast majority of hits on the average website are bots: >90%
Stop Talking to Bad IPs
There are millions of IP addresses in use on the Internet that produce nothing but hostile requests, all day long:
• Scanners
• Botnets
• Malware Hosts
• Compromised Hosts
• Phishing Sites
• Recent Hacking Activity
• DoS Activity
• Cloud Hosting Networks
• Anonymous Proxies
Additionally, many organizations will have known geo-locations that they have no reason to interact with—or for whom they would like to escalate visibility and inspection.
Block or track these in ASM with built-in Geo-Location enforcement and integration with F5’s IP Intelligence Services subscription.
Hide Details Nobody Needs
Mask Sensitive Data
Using ASM’s DataGuard™, scan for and automatically mask or block:
• Credit Card Numbers
• Account Numbers
• Social Security Numbers
• Custom Defined Fields (for example: PHI details)
• Accidental Leakage of Office Documents
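As an added example of the response-side scanning the slide describes (this is not DataGuard's code; it is an independent illustration), the Python below Luhn-validates candidate card numbers so that order IDs are left alone, checks SSN structure, masks every digit except the last four while keeping separators, applies a custom field pattern, and blocks responses whose body is an Office document regardless of the declared content type. The `MRN-` pattern, the policy function and the sample texts are constructed for the example.

```python
import re

# Candidate card number: 13-19 digits, optional single space/dash separators, not inside a word.
CC_RE = re.compile(r"(?<![\w-])(?:\d[ -]?){12,18}\d(?![\w-])")
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
# Hypothetical custom field: a medical record number pattern a site might define for PHI.
CUSTOM_PATTERNS = {"mrn": re.compile(r"\bMRN-\d{6,10}\b")}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container header


def luhn_ok(digits):
    """Luhn checksum; filters out numbers that merely look like card numbers."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_keep_last(s, keep=4, ch="*"):
    """Mask every digit except the trailing `keep` digits, preserving separators."""
    to_mask = sum(c.isdigit() for c in s) - keep
    out = []
    for c in s:
        if c.isdigit() and to_mask > 0:
            out.append(ch)
            to_mask -= 1
        else:
            out.append(c)
    return "".join(out)


def ssn_plausible(area, group, serial):
    # Structural rules only: area 000/666/9xx, group 00 and serial 0000 are never issued.
    return not (area in ("000", "666") or area.startswith("9") or group == "00" or serial == "0000")


def scrub_text(text):
    """Return (masked_text, findings) where findings counts each data type masked."""
    findings = {"credit_card": 0, "ssn": 0, "custom:mrn": 0}

    def cc_sub(m):
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            findings["credit_card"] += 1
            return mask_keep_last(m.group(0))
        return m.group(0)   # not a card number (e.g. an order id); leave it

    def ssn_sub(m):
        if ssn_plausible(*m.groups()):
            findings["ssn"] += 1
            return mask_keep_last(m.group(0))
        return m.group(0)

    text = CC_RE.sub(cc_sub, text)
    text = SSN_RE.sub(ssn_sub, text)
    for name, pat in CUSTOM_PATTERNS.items():
        text, n = pat.subn(lambda m: mask_keep_last(m.group(0)), text)
        findings["custom:" + name] += n
    return text, findings


def looks_like_office_document(body):
    """Detect an Office document body (OLE container or OOXML zip) regardless of declared type."""
    if body.startswith(OLE_MAGIC):
        return True
    return body.startswith(b"PK\x03\x04") and b"[Content_Types].xml" in body[:4096]


def inspect_response(content_type, body, block_documents=True):
    """Policy: block accidental document leaks; mask sensitive data in text/JSON responses."""
    if looks_like_office_document(body):
        return {"action": "block" if block_documents else "alert", "reason": "office-document"}
    if content_type.startswith(("text/", "application/json")):
        masked, findings = scrub_text(body.decode("utf-8", "replace"))
        if any(findings.values()):
            return {"action": "mask", "body": masked, "findings": findings}
    return {"action": "pass"}
```

The findings counter is what feeds the reporting side: a sudden jump in masked card numbers from one URL is often the first sign that a page is leaking data it should never have rendered.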
See the Hostile Traffic
Defend Against L7 DDoS Attacks
(Diagram: User and Web Bot → ASM Application Security → Website)
These are the hardest attacks to identify and mitigate without blocking the good traffic that drives your business.
• ASM tracks app performance all the time: it knows when you are being attacked.
• It tracks URLs for utilization and resource requirements.
• It can block the bots and let your users through.
• Run the DoS protection continuously, or flip it on during an attack.
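As an added example (not ASM's algorithm) of tracking per-URL performance so an attack can be told apart from a busy day: the Python below learns a per-path baseline of request rate and server latency over the first few time windows, flags later windows in which both blow past that baseline, and names the clients that dominate a flagged window so they can be rate-limited while ordinary users keep getting through. The event stream, window size, learning period and multiplier factors are constructed assumptions.

```python
from collections import Counter, defaultdict
from statistics import mean


def build_sample():
    """Constructed request events (ts seconds, client ip, path, server latency ms); not real traffic.
    60 s of normal use by five users, then 10 s in which one client hammers /search."""
    events = []
    users = ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4", "192.0.2.5"]
    for t in range(0, 60):                       # baseline: one user request per second
        events.append((t, users[t % 5], "/search", 300 + (t % 7) * 10))
    for t in range(60, 70):                      # attack: one bot adds 5 req/s, latency climbs
        for k in range(5):
            events.append((t + k / 5, "198.51.100.7", "/search", 2400 + k * 20))
        events.append((t, users[t % 5], "/search", 2200))   # real users now suffer too
    return events


def window_stats(events, window):
    """Group events per (path, window index): count, mean latency and per-client counts."""
    buckets = defaultdict(list)
    for ts, ip, path, latency in events:
        buckets[(path, int(ts // window))].append((ip, latency))
    return {
        key: {
            "count": len(items),
            "mean_latency": mean(lat for _, lat in items),
            "clients": Counter(ip for ip, _ in items),
        }
        for key, items in buckets.items()
    }


def detect_l7_dos(events, window=10, learn_windows=6, latency_factor=3.0,
                  rate_factor=2.0, client_share=0.5):
    """Learn a per-path baseline over the first `learn_windows` windows, then flag windows where
    both request rate and latency exceed it; list clients holding >= client_share of the window."""
    by_path = defaultdict(dict)
    for (path, w), s in window_stats(events, window).items():
        by_path[path][w] = s
    alerts = []
    for path, windows in by_path.items():
        order = sorted(windows)
        learn = [windows[w] for w in order[:learn_windows]]
        if len(learn) < learn_windows:
            continue                              # not enough history to judge yet
        base_rate = mean(s["count"] for s in learn)
        base_latency = mean(s["mean_latency"] for s in learn)
        for w in order[learn_windows:]:
            s = windows[w]
            if s["count"] > rate_factor * base_rate and s["mean_latency"] > latency_factor * base_latency:
                suspects = sorted(ip for ip, n in s["clients"].items() if n / s["count"] >= client_share)
                alerts.append({
                    "path": path,
                    "window": w,
                    "count": s["count"],
                    "mean_latency": round(s["mean_latency"]),
                    "suspects": suspects,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_l7_dos(build_sample()):
        print(alert)
```

Requiring both signals keeps a legitimate traffic spike (rate up, latency flat) and a slow backend (latency up, rate flat) from tripping the alarm; only the combination, plus a client concentration, indicates a flood worth mitigating.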
Change the Way We Deploy WAF
Traditional WAF
• Signatures (OWASP Top 10)
• DAST Integration
• Site Learning
• File/URL/Parameter/Header/Cookie Enforcement
• Protocol Enforcement
• Login Enforcement / Session Tracking
• Data Leak Prevention
• Flow Enforcement
Advanced WAF
• BOT Detection
• Web scraping Prevention
• Brute Force Mitigation
• L7 DDoS Protection
• Heavy URL Detection & Protection
• Captcha Challenges
• CSRF Token Injection
• Client fingerprinting
Web Firewall on BIG-IP is strong. Because, full proxy…
And a fully programmable data plane at all layers with F5 iRules™
(Full-proxy diagram: client-side and server-side TCP / SSL / HTTP stacks; attacks shown: ICMP flood, SYN flood, SSL renegotiation, Slowloris attack, XSS, data leakage; enforcement points: Network Firewall, WAF)
THANK YOU!
@bamchenry
http://www.slideshare.net/bamchenry
https://www.linkedin.com/in/bamchenry