Secure Your Apps with NGINX Plus and the ModSecurity WAF


Upload: nginx-inc

Post on 09-Jan-2017


TRANSCRIPT

Page 1: Secure Your Apps with NGINX Plus and the ModSecurity WAF

MORE INFORMATION AT NGINX.COM

NGINX Plus with ModSecurity WAF: Protect your applications

Page 2

Faisal Memon, Product Marketer at NGINX, Inc.
Formerly: Technical Marketing Engineer, Riverbed; Software Developer, Cisco Systems

Eric Lugo, Technical Solutions Architect at NGINX, Inc.
Formerly: Solutions Engineer, Cloudflare

Page 3

• First OSS release in 2004
• Company founded in 2011
• VC-backed by industry leaders
• 190+ million open source users
• 1,000+ customers
• 120+ employees

Igor Sysoev, NGINX creator and founder

Page 4: The Current Security Climate

• 50% increase in web app attacks and 125% increase in DDoS in the past year
• Krebs on Security: 620 Gbps DDoS attack using hacked IoT devices
  • Mirai source code released
  • Dyn hit with DDoS using Mirai
• Adult Friend Finder: user data compromised by an LFI attack
• Democratic National Committee (DNC): emails hacked and released
  • Conspiracy against Bernie Sanders revealed
  • Head of DNC and 3 others forced to resign
• Code Spaces: went out of business after its data was deleted by an attacker

Page 5: Protecting Yourself

• Restrict recursive DNS requests to local hosts only (open resolvers are abused as amplifiers in DDoS attacks)
• Proactively keep PCs and endpoints patched and up to date
• Change all passwords to something not in a dictionary
• Don't use the same password for everything
• Sanitize all input to web apps
• Use two-factor authentication

Page 6: Protecting Yourself (continued)

• CDN services that can absorb large-scale DDoS attacks: Akamai, Cloudflare, Google Project Shield, etc.
• Network firewall: Palo Alto, Check Point, Cisco, pfSense, etc.
• Intrusion Prevention/Detection Systems (IPS/IDS)
• Security Information and Event Management (SIEM)
• Secure Web Gateway
• Web application firewall (WAF)

Page 7: Comprehensive Protection for Critical Apps and Data

• SQL injection (SQLi)
• Local file inclusion (LFI)
• Remote file inclusion (RFI)
• Remote code execution (RCE)
• Cross-site request forgery (CSRF)
• Cross-site scripting (XSS)
• Credit card leakages
• HTTP protocol violations

Page 8: ModSecurity Background

“...even when you understand web security it is difficult to produce secure code, especially when working under the pressure so common in today’s software development projects.”

—Ivan Ristic, ModSecurity creator

• Initial open source release in 2002
• Used by tens of thousands of websites today
• Over 3,000 downloads/month
• Large, active, and enthusiastic community backing

Page 9: Why NGINX Plus with ModSecurity WAF?

• Cut costs: over 66% savings in 5-year TCO vs. Imperva
• Software flexibility: deploy on bare metal, in containers, and in public cloud
• Easy deployment: install on standard Linux servers; application delivery and security in one place
• Open platform: standard PCRE regex-based rules language
• PCI DSS Requirement 6.6 compliance (a WAF in front of public-facing web applications is one of the accepted ways to satisfy that requirement)

Page 10: How to get ModSecurity WAF?

• Currently for non-production usage only
• Based on an early ModSecurity 3.0 release candidate
• Email [email protected] for access

Page 11: ModSecurity Processing Phases

(Diagram slide. ModSecurity evaluates rules in five phases, in order: 1 request headers, 2 request body, 3 response headers, 4 response body, 5 logging. A rule's phase decides which variables are already populated when it runs; for example ARGS from a POST body are only complete from phase 2 onward, and RESPONSE_BODY only in phase 4.)
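To make the five phases concrete, here is an added example configuration (my own, not code from the deck or from NGINX, Inc.). It loads the ModSecurity module into NGINX Plus and uses the connector's inline `modsecurity_rules` directive to attach one rule to each phase, so the order in which request and response data become available is visible. The upstream address, rule IDs, audit-log path and the choice of operators are assumptions; the `modsecurity` and `modsecurity_rules` directives are those of the ModSecurity-nginx connector.

```nginx
# Added example, not from the slide deck. Assumes the ModSecurity-nginx
# connector (directives "modsecurity" and "modsecurity_rules") and an
# application upstream listening on 127.0.0.1:8080 (assumed address).
load_module modules/ngx_http_modsecurity_module.so;

http {
    upstream app {
        server 127.0.0.1:8080;   # assumed backend
    }

    server {
        listen 80;

        modsecurity on;
        modsecurity_rules '
            SecRuleEngine On
            SecRequestBodyAccess On
            SecResponseBodyAccess On
            SecResponseBodyMimeType text/html text/plain application/json
            SecAuditEngine RelevantOnly
            SecAuditLogRelevantStatus "^(?:5|4(?!04))"
            SecAuditLog /var/log/modsec_audit.log

            # Phase 1 (request headers): decide before the body is read at all.
            SecRule REQUEST_HEADERS:User-Agent "@rx (?i)sqlmap|nikto" "id:1001,phase:1,deny,status:403,log,msg:\'Known scanner User-Agent\'"

            # Phase 2 (request body): ARGS now covers query string and POST body.
            SecRule ARGS "@detectSQLi" "id:1002,phase:2,deny,status:403,log,msg:\'SQL injection in arguments\'"

            # Phase 3 (response headers): inspect what the backend is about to send.
            SecRule RESPONSE_HEADERS:X-Powered-By "@rx ." "id:1003,phase:3,pass,log,msg:\'Backend leaks X-Powered-By header\'"

            # Phase 4 (response body): stop card numbers leaving the application
            # (@verifyCC applies the Luhn check to candidate digit runs).
            SecRule RESPONSE_BODY "@verifyCC \d{13,16}" "id:1004,phase:4,deny,status:500,log,msg:\'Credit card number in response body\'"

            # Phase 5 (logging): runs after the response; only logging-type actions belong here.
            SecRule RESPONSE_STATUS "@streq 403" "id:1005,phase:5,pass,log,msg:\'Request was blocked by the WAF\'"
        ';

        location / {
            proxy_pass http://app;
        }
    }
}
```

Single quotes inside the inline rule block are escaped as `\'` because the whole block is itself an NGINX single-quoted string. In practice the OWASP CRS would be loaded with `modsecurity_rules_file` and these hand-written rules would sit alongside it; the point here is only which phase sees which data.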

Page 12: OWASP

• “Open Web Application Security Project”
• Non-profit organization providing open source tools
• Core Rule Set (CRS)
  • Generic rules
  • Baseline for any app server
  • Low risk of false positives
  • Protects against SQL Injection (SQLi), Cross-Site Scripting (XSS), and many other attacks
• OWASP Top 10 list: last updated in 2013; the 2017 edition is being researched
• Support for CRS included with subscription

Page 13: Performance

• Only run ModSecurity for dynamic content
• Bypass the OWASP rules for static assets and cache them: images, CSS, JS, PDF, and other media files
• Use NGINX rate limiting

Page 14: Caveats, Current State, and Missing Pieces

• Public blacklists: IP reputation feeds such as Spamhaus and Project Honeypot are not yet integrated
• Response/request body stream: no on-the-fly HTML/JSON/XML body rewriting
• DoS protection: ModSecurity for NGINX does not include DoS protection; NGINX can already do this with limit_req_zone
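The two points from Pages 13 and 14 that involve configuration, scoping the WAF to dynamic content and covering DoS with NGINX's own rate limiting, are shown together in this added example (my own configuration, not from the deck or from NGINX, Inc.). Static assets are served from a proxy cache with ModSecurity switched off; everything else goes through the WAF and a per-client `limit_req` policy. The cache path, rule file path, upstream address and rate numbers are assumptions.

```nginx
# Added example, not from the slide deck. Assumes the ModSecurity-nginx
# connector, an OWASP CRS setup already wired into
# /etc/nginx/modsec/main.conf (assumed path), and an application upstream
# on 127.0.0.1:8080 (assumed address).
load_module modules/ngx_http_modsecurity_module.so;

http {
    # Disk cache for static assets: served from cache after the first fetch,
    # so the backend and the WAF never see repeat requests for them.
    proxy_cache_path /var/cache/nginx/static levels=1:2 keys_zone=static_cache:10m
                     max_size=1g inactive=60m use_temp_path=off;

    # Rate-limit zone keyed on client IP: 10 requests/second per address.
    # 10 MB of shared memory tracks roughly 160,000 addresses. This is the
    # NGINX-side DoS control the deck refers to; ModSecurity for NGINX has none.
    limit_req_zone $binary_remote_addr zone=per_ip:10m rate=10r/s;

    upstream app {
        server 127.0.0.1:8080;   # assumed backend
    }

    server {
        listen 80;

        # Static assets: WAF off, cached. A regex location wins over "location /".
        location ~* \.(?:css|js|gif|jpe?g|png|svg|ico|woff2?|pdf|mp4)$ {
            modsecurity off;
            proxy_cache static_cache;
            proxy_cache_valid 200 301 302 60m;
            proxy_cache_use_stale error timeout updating;
            add_header X-Cache-Status $upstream_cache_status;
            expires 1h;
            proxy_pass http://app;
        }

        # Dynamic content: WAF on with the CRS loaded, and rate-limited.
        location / {
            modsecurity on;
            modsecurity_rules_file /etc/nginx/modsec/main.conf;   # assumed path

            # Up to 20 requests above the 10 r/s rate are served immediately
            # (nodelay); anything beyond that is rejected with 429 instead of 503.
            limit_req zone=per_ip burst=20 nodelay;
            limit_req_status 429;

            proxy_pass http://app;
        }
    }
}
```

Check the split with a request for a static file and one for a dynamic path: the static response should carry `X-Cache-Status: HIT` on the second fetch and never appear in the ModSecurity audit log, while a flood of dynamic requests from one address beyond 10 r/s plus the 20-request burst returns 429 before the WAF or the backend does any work.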

Page 15: Demo

Page 16: Summary

• All applications are now targets for attackers
• NGINX Plus with ModSecurity WAF protects against a broad range of attacks
• Cut costs and gain flexibility compared to other leading WAFs
• ModSecurity has 5 processing phases and is anchored by the OWASP Core Rule Set
• Improve performance by bypassing the WAF for static content
• Email [email protected] to get early access