Best Practices Guide: Introducing Web Application Firewalls

Web applications of all kinds, whether online shops or partner portals, have in recent years increasingly become the target of hacker attacks. The attackers are using methods which are specifically aimed at exploiting potential weak spots in the web application software itself – and this is why they are not detected, or are not detected with sufficient accuracy, by traditional IT security systems such as network firewalls or IDS/IPS systems. OWASP develops tools and best practices to support developers, project managers and security testers in the development and operation of secure web applications. Additional protection against attacks, in particular for web applications that are already in production, is offered by what is still an emerging category of IT security systems, known as Web Application Firewalls (hereinafter referred to simply as WAF), often also called Web Application Shields or Web Application Security Filters.
Slide 1: Best Practices Guide: Web Application Firewalls
Alexander Meisel, CTO, art of defence
OWASP German Chapter, OWASP Asia 2008
The OWASP Foundation, http://www.owasp.org
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
Slides 2–9: What is this?
– Security hole in our web app!!!
– Let’s fix it using a Web Application Firewall (WAF)! ;-)
– But HOW ON EARTH do I deploy a WAF correctly?
Slide 10: Big “Thank you!!!” to the Authors
– Maximilian Dermann, Lufthansa Technik AG
– Mirko Dziadzka, art of defence GmbH
– Boris Hemkemeier, OWASP German Chapter
– Achim Hoffmann, SecureNet GmbH
– Alexander Meisel, art of defence GmbH
– Matthias Rohr, SecureNet GmbH
– Thomas Schreiber, SecureNet GmbH
Slide 11: Contents
– Introduction and aim
– Characteristics of web apps with regards to security
– Overview of what WAFs can do
– Benefits and risks of WAFs
– Protection against the OWASP TOP 10 (App vs. WAF vs. Policy)
– Criteria for deciding whether or not to use WAFs
– Best practices for introduction and operation of WAFs
Slide 12: Introduction and aim
– Introduction
  – Online businesses
  – Weak spot HTTP
  – Reference to PCI DSS
– Definition of the term “Web Application Firewall”
  – NOT a network firewall
  – Not only hardware
– Targeted audience
  – Technical decision-makers
  – People responsible for operations and security
  – Application owners
Slide 13: Characteristics of web applications with regards to security
– Higher-level aspects in the company
  – Prioritizing web apps in regard to their importance
  – Access to personal customer data
  – Access to (confidential) company information
  – Loss of image (reputation)
  – Certifications
– Technical aspects
  – Test and quality assurance
  – Documentation
  – Vendor contracts
Slide 14: Overview of what WAFs can do
– Where do WAFs fit into the web app sec field?
  – WAFs are part of a solution
  – Main benefits of a WAF
  – Additional functionality
– What can be achieved with WAFs
  – Table with (wanted) functionality; examples: CSRF, session fixation, *-injection
  – Rating / evaluation:
    + can be very well implemented using a WAF
    - cannot be implemented
    ! depends on the WAF/application/requirements
    = can partly be implemented with a WAF
Slide 15: Table (just a small example)
[Table of WAF functionality ratings; only the slide image exists in the original]
Slide 16: Benefits and risks of WAFs (I)
– Main benefits of WAFs
  – Baseline security
  – Compliance
  – Just-in-time patching of problems
– Additional benefits (depending on functionality)
  – Central reporting and error logging
  – SSL termination
  – URL encryption
  – ...
Slide 17: Benefits and risks of WAFs (II)
– Risks involved in using WAFs
  – False positives
  – Increased complexity
  – Yet another proxy
  – Potential side effects if the WAF terminates the application
Slide 18: Protection against the OWASP TOP 10 – App vs. WAF vs. Policy
– Three types of applications:
  – T1: Web application in design phase
  – T2: App already in production which can easily be changed (e.g. with MVC architecture)
  – T3: App in production which cannot be modified, or only with difficulty
– Table of the OWASP TOP 10 in regards to the work required, for the 3 types of application, to fix the problem:
  – in the application itself
  – using a WAF
  – using a policy
Slide 19: OWASP Top 10 (Example)
[Example rows of the OWASP Top 10 table; only the slide image exists in the original]
Slide 20: Criteria for deciding whether or not to use Web Application Firewalls (I)
– Company-wide criteria:
  – Importance of the app for the success of the company
  – Number of web applications
  – Complexity
  – Operational costs
  – Performance and scalability
Slide 21: Criteria for deciding whether or not to use Web Application Firewalls (II)
– Criteria with regard to the web application
  – Changeability of the application
  – Documentation
  – Maintenance contracts
  – Time required for fixing bugs in third-party products
– Consideration of financial aspects
  – Avoidance of financial damage via successful attacks
  – Costs of using a WAF: license costs, update costs, project costs for evaluating and introducing a WAF, volume of work required / personnel costs
Slide 22: Criteria for deciding whether or not to use Web Application Firewalls (II)
– Evaluation and summary
Slide 23: Best practices for introduction and operation of Web Application Firewalls (I)
– Infrastructure
  – Central or decentralized infrastructure
    – central proxy application
    – host based – plug-in approach
    – virtualization !!???!!!
– Performance
  – GBit/second throughput on hardware does NOT matter
  – HTTP requests processed per second is important
  – Simultaneous web application users
  – Think of peak load times (pre-Christmas rush)
Slide 24: Best practices for introduction and operation of Web Application Firewalls (II)
– Organizational aspects
  – Security policies
    – Try not to change security policies already in place
  – Suggestion of a new job position: WAF application manager
    – One-off task of commissioning a WAF
    – In-depth knowledge of WAF capabilities
    – Alarm and error management
    – Changes to the rule-set
    – Talking to the development department(s)
Slide 25: Best practices for introduction and operation of Web Application Firewalls (III)
– Iterative procedure
  – Step 1: Definition of the people responsible for security
    – ideally the “WAF application manager”
  – Step 2: Baseline security for all web applications
    – mostly blacklisting using vendor signatures
    – monitor for false positives/negatives and get rid of them
  – Step 3: Prioritized list of all web applications which need to be secured
    – Use the checklist (attached to the paper)
  – Further steps: Work through the list and systematically secure the app
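The monitoring part of Step 2 (baseline blacklisting with vendor signatures, then hunting down false positives before tightening) is the part that is usually done by hand. The following is an added example written for this page, not code from the slides or from any WAF product: a hypothetical, deliberately tiny signature set (`RULES`) is run over a constructed, labelled sample of request lines, the result is scored as true/false positives and false negatives with each false positive attributed to the rule that caused it, and the WAF application manager's fix is modelled as a per-path, per-parameter rule exclusion rather than switching a rule off globally. Only the query string is inspected here; a real WAF also inspects headers, cookies and the request body.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qsl

# Hypothetical "vendor signature": an id, a regex applied to each decoded parameter
# value, and a set of (path, parameter) pairs on which the rule has been tuned out.
@dataclass
class Rule:
    rule_id: str
    pattern: "re.Pattern"
    exclusions: set = field(default_factory=set)

# Constructed baseline rule set; real vendor signatures are far larger and more precise.
RULES = [
    Rule("SQLI-001", re.compile(r"(?i)\bunion\b.*\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+")),
    Rule("XSS-001", re.compile(r"(?i)<\s*script\b")),
    Rule("TRAV-001", re.compile(r"\.\./")),
]

# Constructed, labelled sample: (method, URL, is_attack). The last two are legitimate
# searches on a FAQ and an SQL tutorial page that happen to contain signature tokens.
SAMPLES = [
    ("GET", "/search?q=winter+jackets", False),
    ("GET", "/search?q=union+select+1,2,3", True),
    ("GET", "/login?user=admin'+or+'1'='1", True),
    ("GET", "/docs?file=../../etc/passwd", True),
    ("POST", "/forum/post?body=check+out+this+script+for+backups", False),
    ("GET", "/faq?q=how+to+<script>+tags+work", False),
    ("GET", "/sql-tutorial?q=select+union+select+example", False),
]


def inspect(method, url, rules=RULES):
    """Return the sorted ids of all rules that fire for one request ([] = allowed)."""
    parts = urlsplit(url)
    fired = set()
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        for rule in rules:
            if (parts.path, name) in rule.exclusions:
                continue  # tuned out for this path/parameter only
            if rule.pattern.search(value):
                fired.add(rule.rule_id)
    return sorted(fired)


def evaluate(samples, rules=RULES):
    """Monitoring step: score the rule set against labelled traffic and attribute
    every false positive to the rule(s) that caused it."""
    stats = {"tp": 0, "fp": 0, "fn": 0, "tn": 0, "fp_by_rule": {}}
    for method, url, is_attack in samples:
        fired = inspect(method, url, rules)
        blocked = bool(fired)
        if blocked and is_attack:
            stats["tp"] += 1
        elif blocked and not is_attack:
            stats["fp"] += 1
            for rule_id in fired:
                stats["fp_by_rule"][rule_id] = stats["fp_by_rule"].get(rule_id, 0) + 1
        elif not blocked and is_attack:
            stats["fn"] += 1
        else:
            stats["tn"] += 1
    return stats


def with_exclusions(rules, exclusions):
    """Return a copy of the rule set with (rule_id, path, param) exclusions applied,
    leaving the original rules untouched so before/after can be compared."""
    tuned = [Rule(r.rule_id, r.pattern, set(r.exclusions)) for r in rules]
    for rule_id, path, param in exclusions:
        for rule in tuned:
            if rule.rule_id == rule_id:
                rule.exclusions.add((path, param))
    return tuned


if __name__ == "__main__":
    before = evaluate(SAMPLES)
    print("baseline:", before)
    # The reviewed false positives are tuned out per path/parameter, not globally.
    tuned = with_exclusions(RULES, [("XSS-001", "/faq", "q"), ("SQLI-001", "/sql-tutorial", "q")])
    print("tuned:   ", evaluate(SAMPLES, tuned))
```

The point of `fp_by_rule` is that a false positive is only actionable once it is tied to a rule and a location; the exclusion keeps the signature active everywhere else, which is the difference between getting rid of a false positive and quietly lowering the baseline.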
Slide 26: Appendices
– Checklist to define the ‘accessibility’ of the web application
  – The more points you score, the better the accessibility of the web application
– Job descriptions for the ‘new guys’
  – WAF platform manager: needed in really complex/big environments
  – WAF application manager (per application)
  – Application manager
Slide 27: Where to find it on the net?
– OWASP Wiki, of course: https://www.owasp.org/index.php/Best_Practices:_Web_Application_Firewalls