
Deploying WAF

Hands-On Training Based on Apache / Reverse Proxy
and Mod Security / OWASP-CRS
Adzmely Mansor
adzmely@gmail.com

Facts in a Nutshell

Facts in a Nutshell
published in March 2012 by security vendor Cenzic - most
common application vulnerabilities:
XSS - 37%
SQL Injection - 16%
Path Disclosure - 5%
Denial of Service - 5%
Code Execution - 4%
Memory Corruption - 4%
Cross Site Request Forgery (CSRF) - 4%
Information Disclosure - 3%
Arbitrary File - 3%
Local File Inclusion - 2%
Remote File Inclusion - 1%
Overflow - 1%
Other - 15%

Facts in a Nutshell
some web applications are coded/deployed badly, with exploitable
vulnerabilities nobody is aware of:
SQL Injection
Cross Site Scripting - XSS
LFI / %00 - null byte injection
via file upload, WYSIWYG editor, etc.

Facts in a Nutshell
Developers should look at their code:
code review
defensive programming - write better code
schedule a security assessment before deployment
etc.
NULL / VOID / Nobody
Nobody is doing it
(most of the time)
Even if every single deployed web app had pre-deployment
code review, security assessment, etc., there would still be
slips / unnoticed exploitable mistakes:
present - in the code deployed today
future - in new modules / enhancements

Facts in a Nutshell
[Diagram] Web Client -> Firewall (port 80 open) -> HTTP Traffic -> Web Server / Application -> Database Server
the network firewall lets port 80 through; whatever rides on HTTP reaches the application uninspected

Facts in a Nutshell
WAF to the Rescue
an important additional preventive layer in front of every HTTP/HTTPS
service, inspecting the application traffic the network firewall lets through

Blind Spot
HTTP Traffic Logging
web servers are well equipped to log traffic
but most do not log request bodies
making attacks carried in POST requests undetectable from the access log
Possible to log POST data in Apache using mod_dumpio
(DumpIOInput On; output goes to the error log and needs LogLevel debug)
big log files / consume space
images / binary uploads are logged too
not practical in the long run
in practice hardly anybody has heard of the module, and it is
a debugging tool for developers, not an audit log
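ModSecurity itself closes this gap: with SecRequestBodyAccess On and SecAuditEngine RelevantOnly (both in the recommended config) every blocked transaction is written to the audit log with its request body in part C (part I when the recommended SecAuditLogParts ABIJDEFHZ is used), so a POST payload is no longer invisible. The script below is an added example and not part of the slides: it parses a constructed serial-format audit log (boundary ids, addresses and timestamps are made up) and prints, per transaction, the status, request line, matched rule id and request body. It assumes a POSIX shell with awk.

```shell
#!/bin/sh
# Added example (not from the slides): pull the request body out of a
# ModSecurity 2.x serial audit log. Entries are delimited by "--<id>-<PART>--"
# markers: B = request headers, C/I = request body, F = response headers,
# H = rule messages, Z = end of entry.

# Constructed sample log with two transactions: a blocked SQL injection POST
# and a harmless GET (SecAuditEngine On logs both; RelevantOnly keeps the first).
SAMPLE_AUDIT_LOG=$(cat <<'EOF'
--3f1a2b4c-A--
[26/Jun/2013:10:15:32 +0800] UctR@H8AAAEAAAwQJtkAAAAA 192.168.1.50 51234 192.168.1.10 80
--3f1a2b4c-B--
POST /login.php HTTP/1.1
Host: www.acme.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 27

--3f1a2b4c-I--
user=admin&pass=' or 1=1--
--3f1a2b4c-F--
HTTP/1.1 403 Forbidden
Content-Length: 220

--3f1a2b4c-H--
Message: Access denied with code 403 (phase 2). Pattern match "<regex omitted>" at ARGS:pass. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [id "981242"] [msg "Detects classic SQL injection probings 1/2"] [severity "CRITICAL"]
--3f1a2b4c-Z--

--7c9d0e1f-A--
[26/Jun/2013:10:16:05 +0800] UctR@n8AAAEAAAwQJtoAAAAA 192.168.1.51 51240 192.168.1.10 80
--7c9d0e1f-B--
GET /index.html HTTP/1.1
Host: www.acme.com

--7c9d0e1f-F--
HTTP/1.1 200 OK
Content-Length: 4961

--7c9d0e1f-Z--
EOF
)

# audit_summary: read an audit log on stdin and print one tab-separated line
# per transaction: <id> <status> <request line> <rule id or -> <request body>
audit_summary() {
  awk '
    /^--[0-9A-Za-z]+-[A-Z]--$/ {
      part = substr($0, length($0) - 2, 1)          # the part letter
      if (part == "A") {                             # new transaction: reset
        tx = $0; sub(/^--/, "", tx); sub(/-A--$/, "", tx)
        req = ""; body = ""; status = ""; rule = "-"
      }
      if (part == "Z")                               # end of transaction: emit
        printf "%s\t%s\t%s\t%s\t%s\n", tx, status, req, rule, body
      next
    }
    part == "B" && req == "" && NF                  { req = $0 }   # request line
    (part == "C" || part == "I") && NF              { body = body $0 }
    part == "F" && status == "" && $1 ~ /^HTTP\//   { status = $2 }
    part == "H" && rule == "-" && match($0, /\[id "[0-9]+"\]/) {
      rule = substr($0, RSTART + 5, RLENGTH - 7)    # digits between [id " and "]
    }
  '
}

printf '%s\n' "$SAMPLE_AUDIT_LOG" | audit_summary
```

Run it against a real log with `audit_summary < /var/log/httpd/modsec_audit.log`; the access log for the first transaction would only show `POST /login.php`, the audit log shows the injected password field and the CRS rule that caught it.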

Core Components of a WAF
Open Source Approach via Apache/ModSecurity

Apache 2.x
One of the most used open source products
Available on many platforms
Free, fast, stable and reliable
Expertise widely available
mod_proxy - the reverse proxy module used as the WAF building block, with
integrated load balancing (mod_proxy_balancer)

Mod Security
Adds WAF functionality to Apache
Free, open source, commercially supported
Implements most WAF features
Popular and very widely used
Fast, reliable and predictable

Mod Security
Intrusion Detection / Prevention for Web Applications
Operates as an Apache module
Open source (Apache License 2.0 from 2.7 on; earlier releases were GPLv2)
increases web application security by protecting against known and
unknown attacks (0-day exploits), as far as the loaded rules cover them

Mod Security : use case
legacy applications - code cannot be modified, or is encoded (ionCube / Zend
Encoder / byte code / etc.)
temporary protection (virtual patching) for newly discovered vulnerabilities
until the code is fixed
0-day exploits - unnoticed / unknown
etc.

OWASP CRS
in order for ModSecurity to become useful:
it must be configured with rules
rules for various different types of attacks
SQL Injection / XSS / LFI / RFI / etc.

OWASP CRS
the OWASP community has developed and maintains a set of
rules called the OWASP Core Rule Set (CRS)
CRS provides generic protection from unknown
vulnerabilities often found in web applications
(generic signatures, so expect some false positives to tune)

Type of Deployments

Type of Deployment
Network-level device
Reverse Proxy
Embedded in web server

Type of Deployment
Reverse Proxy
a potential bottleneck
SPOF (single point of failure) unless clustered
some changes to network/DNS/etc. so that traffic is routed through it
SSL/443 - TLS termination (or re-encryption) required at the proxy

Type of Deployment
Embedded in web server
easy to add
not an extra point of failure
uses the same web server resources (CPU/memory shared with the application)

Reverse Proxy
Deployment

Reverse Proxy
Building Block
Main entrance to all backend servers
all http requests forced to go through the proxy
centralization - ease management
access control / logging / monitoring

Reverse Proxy
Building block
possibilities of combining multiple backend web servers
into one
hide the internals

Reverse Proxy
Building block
performance by providing transparent caching
CSS/JS/Images/etc - static contents can easily cached
response compression

Reverse Proxy
Building block
SSL termination
HTTPS / encrypted session between client/browser and
reverse proxy
HTTP / unencrypted session between reverse proxy
and backend servers
(that hop is plaintext: keep it on a trusted network segment, or
re-encrypt to the backend with SSLProxyEngine On)

Reverse Proxy
Building block
Scalability / High Availability
Load Balance - multiple reverse proxies
Active - Passive cluster providing HA

Reverse Proxy
Building blocks combined into a single solution
Centralized cluster
Integration
Performance
High Scalability / Availability

Reverse Proxy Model
[Diagram] Web Client -> Apache + ModSecurity reverse proxy -> backend by name:
www.acme.com -> Apache
email.acme.com -> Nginx
dev.acme.com -> IIS

Reverse Proxy Model
[Diagram] Web Client -> www.acme.com (Apache + ModSecurity, LoadBalance) -> backends:
192.168.1.111 Apache
192.168.1.112 Apache
192.168.1.113 Apache

Reverse Proxy Model
[Diagram] Integration Mapping: Web Client -> www.acme.com (Apache + ModSecurity) -> by path:
/images => http://192.168.1.111/images (Apache)
/exam => http://192.168.1.112/exam (Apache)
/tutorial => http://192.168.1.113 (Apache)

Lab Session
Installations

ModSecurity Installation
# Build dependencies (CentOS; apxs comes from httpd-devel)
#
yum install gcc make httpd-devel pcre-devel libxml2-devel libcurl-devel
# Download and extract
# (this 2013 modsecurity.org URL is no longer served; fetch the release
# tarball from the project's GitHub releases instead)
#
wget http://www.modsecurity.org/download/modsecurity-apache_2.7.4.tar.gz
tar xzf modsecurity-apache_2.7.4.tar.gz
# Installation
#
cd modsecurity-apache_2.7.4
./configure
make
make install
cp modsecurity.conf-recommended /etc/httpd/conf.d/modsecurity.conf
# the recommended config references unicode.mapping via SecUnicodeMapFile
cp unicode.mapping /etc/httpd/conf.d/

ModSecurity Configuration
# Modify the Apache configuration to load the mod_security module
#
vi /etc/httpd/conf/httpd.conf
# find the LoadModule block in the Apache configuration file and add the
# following:
LoadModule security2_module modules/mod_security2.so
# ModSecurity requires mod_unique_id; make sure this line is uncommented
LoadModule unique_id_module modules/mod_unique_id.so

OWASP CRS Installation
# Download OWASP-CRS and install
#
cd /etc/httpd/
wget --output-document=owasp-crs.tgz https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master
tar xzf owasp-crs.tgz
# the extracted directory name carries the commit hash of master at download
# time (e.g. SpiderLabs-owasp-modsecurity-crs-0f07cbb), so match it with a glob
mv SpiderLabs-owasp-modsecurity-crs-* /etc/httpd/modsecurity-crs
cd /etc/httpd/modsecurity-crs
cp modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
note: this is the CRS 2.2.x layout; CRS 3.x and later (github.com/coreruleset/coreruleset)
use crs-setup.conf and rules/*.conf instead of the files named here

OWASP CRS Installation


# Load base rules in /etc/httpd/conf/httpd.conf
#
<IfModule security2_module>
Include modsecurity-crs/modsecurity_crs_10_setup.conf
Include modsecurity-crs/base_rules/*.conf
</IfModule>
# restart your httpd service
service httpd restart

Installation Test
Open your browser
point it at your WAF-VM IP address
you should get the default CentOS welcome page
try putting some SQL injection in the URI of the welcome page:
/?id=1 and 1=2 union select 1,2--%20
with the engine in DetectionOnly (the shipped default) the page still loads
but the match is written to the audit log; with SecRuleEngine On you get a 403
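The same smoke test from the command line, as an added example that is not part of the slides: one curl probe per attack class the deck lists, with the response code interpreted for you. It assumes curl is installed and that WAF_URL (a hypothetical address, change it) points at the WAF-VM; the probe payloads are constructed, the first being the slides' own SQL injection string.

```shell
#!/bin/sh
# Added example: smoke-test a freshly deployed Apache/ModSecurity WAF with curl.
# WAF_URL is a placeholder for your WAF-VM; override it in the environment.
WAF_URL="${WAF_URL:-http://192.168.1.10/}"

# classify_status <http code>: what the code means for the WAF deployment.
classify_status() {
  case "$1" in
    403)   printf 'blocked (SecRuleEngine On, rule matched)\n' ;;
    000)   printf 'no response (WAF not reachable)\n' ;;
    2*|3*) printf 'allowed (DetectionOnly, rules not loaded, or no rule matched)\n' ;;
    *)     printf 'status %s (check the error and audit logs)\n' "$1" ;;
  esac
}

# waf_probe <base url> <name=payload>: GET with the payload URL-encoded into
# the query string (-G --data-urlencode), prints "<code> <verdict> <payload>".
waf_probe() {
  code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
              -G --data-urlencode "$2" "$1" || true)
  printf '%s\t%s\t%s\n' "$code" "$(classify_status "$code")" "$2"
}

# Constructed probes: SQL injection (the slides' string), XSS, path traversal.
PROBES='id=1 and 1=2 union select 1,2--
q=<script>alert(1)</script>
file=../../../../etc/passwd'

# run_probes <base url>: fire every probe in PROBES.
run_probes() {
  printf '%s\n' "$PROBES" | while IFS= read -r p; do
    [ -n "$p" ] && waf_probe "$1" "$p"
  done
}

# Only touch the network when asked: sh probe.sh --run
if [ "${1:-}" = "--run" ]; then run_probes "$WAF_URL"; fi
```

A 403 on all three lines means the engine is On and the CRS is loaded; a 200 is not necessarily a failure, so before changing anything tail the audit log (see the ModSec logging section) and confirm the match was at least recorded.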

ModSecurity engine mode
/etc/httpd/conf.d/modsecurity.conf
the recommended config ships with the engine in DetectionOnly (log only, no blocking)
SecRuleEngine On|Off|DetectionOnly
switch to On once the CRS has been tuned against your traffic

Deploying Reverse Proxy WAF

Apache Proxy Module
mod_proxy.so
main module providing proxy and reverse proxy features
mod_proxy_balancer.so
load balancing module for proxy / reverse proxy
(on Apache 2.4 it also needs mod_lbmethod_byrequests and mod_slotmem_shm)
mod_proxy_http.so
module that actually speaks HTTP/HTTPS to the backend
make sure all three modules are loaded in httpd.conf
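A pre-flight check for this step and for the earlier ModSecurity configuration and engine-mode slides, added here as an example and not taken from the slides: it verifies that every module the reverse-proxy WAF needs has an active LoadModule line and reports the effective SecRuleEngine setting before you restart httpd. The two sample config files it writes to a temp directory are constructed stand-ins for /etc/httpd/conf/httpd.conf and /etc/httpd/conf.d/modsecurity.conf; it assumes a POSIX shell with grep, awk and mktemp.

```shell
#!/bin/sh
# Added pre-flight check (not from the slides) for an Apache reverse-proxy WAF.

# Modules named on the slides: mod_security2 and mod_unique_id for the WAF,
# mod_proxy, mod_proxy_http and mod_proxy_balancer for the reverse proxy.
WAF_REQUIRED_MODULES="security2_module unique_id_module proxy_module proxy_http_module proxy_balancer_module"

# check_modules <httpd.conf>: print the required modules that have no active
# (uncommented) LoadModule line; returns 1 if any are missing.
check_modules() {
  conf="$1"; missing=""
  for m in $WAF_REQUIRED_MODULES; do
    grep -Eq "^[[:space:]]*LoadModule[[:space:]]+$m[[:space:]]" "$conf" \
      || missing="$missing $m"
  done
  if [ -n "$missing" ]; then
    printf 'missing LoadModule:%s\n' "$missing"
    return 1
  fi
  return 0
}

# rule_engine_mode <modsecurity.conf>: print the effective SecRuleEngine value
# (the last active directive wins) or "unset" if the file never sets it.
rule_engine_mode() {
  mode=$(grep -E '^[[:space:]]*SecRuleEngine[[:space:]]' "$1" | tail -n 1 | awk '{print $2}')
  printf '%s\n' "${mode:-unset}"
}

# Constructed sample configs: the balancer module is still commented out and
# the engine is in its shipped DetectionOnly mode.
WAF_SAMPLE_DIR=$(mktemp -d)
cat > "$WAF_SAMPLE_DIR/httpd.conf" <<'EOF'
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule security2_module modules/mod_security2.so
LoadModule unique_id_module modules/mod_unique_id.so
EOF
cat > "$WAF_SAMPLE_DIR/modsecurity.conf" <<'EOF'
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
EOF

check_modules "$WAF_SAMPLE_DIR/httpd.conf" || echo "fix httpd.conf before restarting httpd"
echo "SecRuleEngine: $(rule_engine_mode "$WAF_SAMPLE_DIR/modsecurity.conf")"
```

On a real host point the two functions at /etc/httpd/conf/httpd.conf and /etc/httpd/conf.d/modsecurity.conf; run `apachectl configtest` afterwards, since this check only looks at LoadModule lines and does not catch a missing .so file.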

Reverse Proxy by Name

VirtualHost Reverse Proxy
when you have multiple backend domains/URLs:
one name to a single backend (reverse proxy)
one name to multiple load-balanced backends (reverse proxy + balancer)

VirtualHost Reverse Proxy


organize virtual hosts in one configuration folder
# Create mod security virtual host configuration folder
#
mkdir /etc/httpd/conf.d/modsecVHosts
# Master configuration file that loads every virtual host configuration
# in the newly created folder: /etc/httpd/conf.d/modsecVHosts.conf
#
vi /etc/httpd/conf.d/modsecVHosts.conf
# edit and add as follows
#
Include conf.d/modsecVHosts/*.conf

VirtualHost Reverse Proxy
sample VirtualHost by-name reverse proxy configuration
# Create mod security virtual host configuration
# (the logs/modsecurity/ directory must exist before httpd starts)
#
<VirtualHost *:80>
    ServerName backend.com
    ErrorLog logs/modsecurity/backend.com-error_log
    CustomLog logs/modsecurity/backend.com-access_log common
    # Off is required for a reverse proxy; On would make this an open forward proxy
    ProxyRequests Off
    # proxy to the backend's real address; if you use a hostname here it must
    # resolve (e.g. via /etc/hosts on the proxy) to the backend, not back to
    # the WAF, or requests will loop
    ProxyPass / http://192.168.1.111/
    ProxyPassReverse / http://192.168.1.111/
    # forward the client's Host header so the backend's own virtual hosts work
    ProxyPreserveHost On
    #ProxyPassReverseCookieDomain
</VirtualHost>

VirtualHost Reverse Proxy
sample VirtualHost load-balanced reverse proxy configuration
# Create mod security virtual host configuration
#
<Proxy balancer://backend1Cluster>
    BalancerMember http://192.168.1.111:80
    BalancerMember http://192.168.1.112:80
    BalancerMember http://192.168.1.113:80
</Proxy>
<VirtualHost *:80>
    ServerName backend.com
    ErrorLog logs/modsecurity/backend.com-error_log
    #CustomLog logs/modsecurity/backend.com-access_log common
    ProxyRequests Off
    # trailing slashes on both sides keep the path mapping consistent
    ProxyPass / balancer://backend1Cluster/
    ProxyPassReverse / balancer://backend1Cluster/
    ProxyPreserveHost On
    #ProxyPassReverseCookieDomain
</VirtualHost>

Central Logging with WAF-FLE and mlogc

ModSec Logging

ModSec Logging
http://www.waf-fle.org
WAF-FLE: PHP/MySQL web console for ModSecurity audit logs
latest version at the time of writing: 0.6.0 final
# Download and extract waf-fle
#
cd ~
wget http://www.waf-fle.org/wp-content/uploads/2013/04/waf-fle_0.6.0.tar.gz
tar zxf waf-fle_0.6.0.tar.gz
mv waf-fle /var/www/

ModSec Logging
http://www.waf-fle.org
# Install waf-fle requirements
#
yum install php
yum install php-mysql
yum install mysql-server mysql-devel
yum install php-pecl-geoip
yum install php-pecl-apc
# Install MaxMind GeoIP legacy databases
# (MaxMind retired the GeoLite Legacy downloads in 2019; the URLs are kept as
# the slides had them and will need replacing with a current GeoIP source)
#
mkdir /usr/share/GeoIP/
cd /usr/share/GeoIP/
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
wget http://geolite.maxmind.com/download/geoip/database/asnum/GeoIPASNum.dat.gz
gunzip *.gz
mv GeoLiteCity.dat GeoIPCity.dat
cp GeoIPASNum.dat GeoIPISP.dat

ModSec Logging
http://www.waf-fle.org
# WAF-FLE configuration and virtual host setup
# (paths below are relative to the extracted waf-fle directory)
#
cd /var/www/waf-fle
cp extra/waf-fle.conf /etc/httpd/conf.d
vi /etc/httpd/conf.d/waf-fle.conf
# edit according to your WAF-FLE installation under a dedicated virtualhost
# DB Setup
# (use a real password, not the placeholder below)
#
mysqladmin -p create waffle
mysql -p
mysql> CREATE USER 'waffle'@'localhost' IDENTIFIED BY 'password';
mysql> GRANT SELECT, INSERT, UPDATE, DELETE, CREATE TEMPORARY TABLES
ON `waffle`.* TO 'waffle'@'localhost';
# load the schema into the new database
mysql -p waffle < extra/waffle.mysql

ModSec Logging
http://yourWAFFLEname/waf-fle
login/pass - admin/admin
change the admin password immediately, then follow
the on-page instructions

Open Proxy HoneyPot

Open Proxy HoneyPot
Set up an Apache open proxy (public)
install ModSecurity with:
SecRuleEngine DetectionOnly
conduct real-time analysis of the HTTP traffic pushed through it
study (internal) user behaviour
caveat: an open proxy will be abused as a relay, so isolate it from
the internal network and keep it log-only

Content Injection with Mod Security
