Open Source Apache <WAF> Web Application Firewall

Transcription

1 Open Source Apache <WAF> Web Application Firewall Ivan Bütler - E1 Compass Security AG ivan.buetler@csnc.ch Switzerland - Germany Compass Security AG Glärnischstrasse 7 Postfach 1628 CH-8640 Rapperswil Tel Fax team@csnc.ch

2 E1 - Who am I ^ Ivan Bütler, Uznach ^ Speaker at Blackhat 2008 Las Vegas ^ Born ^ Founder of Compass Security AG ^ Founder of Swiss Cyber Storm II ^ Passionate Security Researcher ^ Husband of Cornelia and father of Tim and Nick (6 & 8) ^ Proud Swiss Citizen Seite 2

3 Compass Security AG - Team Seite 3

4 Compass Security - Overview.... Seite 4

5 Goals of this Talk Understanding the demand for a Web App Firewall Howto build an Open Source Apache Entry Server Understanding the Components Understanding Pros & Cons Understanding Pitfalls Seite 5

6 Attacking for Fun and Profit Compass Security AG Glärnischstrasse 7 Postfach 1628 CH-8640 Rapperswil Tel Fax team@csnc.ch

7 Direct Attacks Where do you expect the attackers? BLOCKED PASSED BLOCKED Seite 7

8 Indirect Attacks (I) Man in the Middle Phishing Seite 8

9 Indirect Attacks (II) Malware Mobile Devices W-LAN Bypassing Perimeter Protection Seite 9

10 Level 1: Reverse Proxy Level 2: Web Application Firewall Level 3: Entry Server Compass Security AG Glärnischstrasse 7 Postfach 1628 CH-8640 Rapperswil Tel Fax team@csnc.ch

11 Situations without a Reverse Proxy Direct Access to the Public Web Applications More firewall ports opened Applications directly accessible Seite 11

12 Reverse Proxy Setup Reverse Proxy Access to Public Web Applications Reverse Proxy Applications protected Seite 12

13 Reverse Proxy Setup Reverse Proxy Allow to hide different applications behind a single server Single point of entry WebSphere http Browser https Reverse Proxy http IIS Server Cert http WebLogic Seite 13

14 OWASP Top 10 (Q4 2007) A1 A2 A3 A4 A5 A6 A7 A8 A9 A10 Cross Site Scripting Injection Flaws (SQLi) Malicious File Execution (RFI) Insecure Direct Object Reference Cross Site Request Forgery Information Leakage Broken Auth & Session Management Insecure Cryptographic Storage Insecure Communications Failure to restrict URL Access Seite 14

15 Commercial Products? United Security Providers (USP) SES Phion/Visonys AirLock AdNovum Nevis Web IBM Tivoli Access Manager (a.k.a. WebSEAL) NetContinuum Application Security Gateway Cisco ACE Web Application Firewall Microsoft ISA Server... (this is not a complete list!) Compass Security AG Glärnischstrasse 7 Postfach 1628 CH-8640 Rapperswil Tel Fax team@csnc.ch

16 Open Source Entry Server Compass Security AG Glärnischstrasse 7 Postfach 1628 CH-8640 Rapperswil Tel Fax team@csnc.ch

17 Cooking Recipe Apache Core Web Server Apache Firewall Module mod_security Apache Content Rewriting Module mod_replace Visit Swiss Cyber Storm ( Apache Entry Server Module mod_but Visit Swiss Cyber Storm ( Apache Forensic Module Within Apache Core: mod_forensic & mod_unique_id Seite 17

18 Demo Setup Reverse Proxy Compass Security AG Glärnischstrasse 7 Postfach 1628 CH-8640 Rapperswil Tel Fax team@csnc.ch

19 Reverse Proxy Small Feature List SSL Termination Content Rewriting Intrusion Detection & Prevention Forensic Logging Secure Session Management Pre-Authentication & Single-Sign On Service Authorization Seite 19

20 Reverse Proxy: SSL Termination Apache mod_ssl & mod_proxy SSLEngine On SSLProxyEngine On SSLCertificateFile SSLCertificateKeyFile SSLProtocol conf/server.crt conf/server.key +TLSv1 +SSLv3 -SSLv2 SSLCipherSuite RC4-SHA:RC4-MD5:AES256-SHA:AES128- SHA:DES-CBC3-SHA:!SSLv2:!EXP SSLOptions +StdEnvVars +ExportCertData SSLSessionCache shm:ssl/ssl_scache(512000) SSLSessionCacheTimeout Seite 20

21 Reverse Proxy: SSL Termination Apache mod_ssl & mod_proxy ProxyPass /app1 ProxyPassReverse /app1 ProxyPass /app2 ProxyPassReverse /app2 Seite 21

22 Reverse Proxy: SSL Termination How do you deny weak browsers from your application? Hardenend Cipher Suite Within Application Hardening CipherSuite in httpd.conf SSLCipherSuite RC4-SHA:RC4-MD5:AES256-SHA:AES128- SHA:DES-CBC3-SHA:!SSLv2:!EXP I do not recommend hardened Cipher Suites! Error messages on SSL are not user friendly! Therefore.. I recommend application level checks using mod_headers Human friendly error message generated by the backend application when the browser does not fulfill the cipher strength RequestHeader append SSL_CIPHER "%{SSL_CIPHER}e Evaluate the SSL_CIPHER within the application behind the proxy Seite 22

23 Reverse Proxy: SSL Termination RequestHeader append SSL_PROTOCOL "%{SSL_PROTOCOL}e RequestHeader append SSL_SESSION_ID "%{SSL_SESSION_ID}e RequestHeader append SSL_CIPHER "%{SSL_CIPHER}e RequestHeader append SSL_CIPHER_ALGKEYSIZE "%{SSL_CIPHER_ALGKEYSIZE}e RequestHeader append SSL_CIPHER_EXPORT "%{SSL_CIPHER_EXPORT}e RequestHeader append SSL_CIPHER_USEKEYSIZE "%{SSL_CIPHER_USEKEYSIZE}e RequestHeader append SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}e" Seite 23

24 Reverse Proxy: Content Rewriting Problem Backend Application includes absolute href links Example: Backend Application secures the cookies Domain restrictions Path restrictions Expiration restrictions Backend Application other protocol than reverse proxy Fixup http to https links Absolute url s Redirections, Location headers (302 Temporary Moved) Why not using mod_rewrite? Because mod_rewrite does not allow to parse and search/replace the body of a http request or response Seite 24

25 Reverse Proxy: Content Rewriting Why not using mod_substitute? Within apache core since Perform search and replace operations on response bodies but does not have support for response headers, request headers or request bodies Therefore, I recommend mod_replace Request Header Replacement Request Body Replacement Response Header Replacement Response Body Replacement ReplaceFilterDefine myproxy1 CaseIgnore ReplacePattern myproxy1 "glocken.hacking-lab.com" " " ReplacePattern myproxy1 "https" "http" HeaderReplacePattern myproxy1 Location "glocken.hacking-lab.com" " " HeaderReplacePattern myproxy1 Location "https" "http" HeaderReplacePattern myproxy1 Set-Cookie "Secure" "" SetOutputFilter myproxy1 Seite 25

26 Demo Web Firewall mod_security Compass Security AG Glärnischstrasse 7 Postfach 1628 CH-8640 Rapperswil Tel Fax team@csnc.ch

27 Reverse Proxy Small Feature List SSL Termination Content Rewriting Intrusion Detection & Prevention Forensic Logging Secure Session Management Pre-Authentication & Single-Sign On Service Authorization Seite 27

28 Reverse Proxy: Intrusion Detection Apache mod_security2 LoadModule security2_module modules/mod_security2.so Basic configuration options SecRuleEngine On SecRequestBodyAccess On SecResponseBodyAccess Off.... Include conf/modsecurity2/*.conf Configure SecDefaultAction SecDefaultAction "phase:2,log,deny,status:403,t:lowercase,t:replac enulls,t:compresswhitespace" Seite 28

29 Reverse Proxy: Forensic Logging Correlation across tier (Simplified illustration) Seite 29

30 Reverse Proxy: Forensic Logging Who generates the Request ID (alias Unique_ID)? Apache mod_unique_id Default Log Option in httpd.conf (without mod_unique_id) LogFormat "%h %l %u %t \"%r\" %>s %b" common Web Application Firewall Log Option (with mod_unique_id) LogFormat "%{forensic-id}n %h %l %u %t \"%r\" %>s %b" common ForensicLog logs/forensic.log Sending the Unique_ID as HTTP Request Header to Backend! RequestHeader append UNIQUE_ID "%{UNIQUE_ID}e" Seite 30

31 Reverse Proxy: Forensic Logging Unique ID in access.log SYq7yX8AAQEAAGOqIicAAAAA [05/Feb/2009:11:13: ] "GET /webapp/but/echorequest HTTP/1.1" Unique ID in forensic.log grep SYq7yX8AAQEAAGOqIicAAAAA forensic.log ========================================================================= +SYq7yX8AAQEAAGOqIicAAAAA GET /webapp/but/echorequest HTTP/1.1 Host: User-Agent:Mozilla/5.0 (Windows; U; Windows NT 5.1; en-us; rv%3a ) Gecko/ Firefox/ Accept:text/xml,application/xml,application/xhtml+xml,text/html;q= 0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language:en-us,en;q=0.5 Accept- Encoding:gzip,deflate Accept-Charset:ISO ,utf-8;q=0.7,*;q=0.7 Keep- Alive:300 Connection:keepalive Cookie:MOD_BUT=wCUN+1DgcvG7qDM+KI+9YXveU+5bwygb Cache-Control:max-age=0 -SYq7yX8AAQEAAGOqIicAAAAA Seite 31

32 Demo Session Management mod_but Compass Security AG Glärnischstrasse 7 Postfach 1628 CH-8640 Rapperswil Tel Fax team@csnc.ch

33 Reverse Proxy Small Feature List SSL Termination Content Rewriting Intrusion Detection & Prevention Forensic Logging Secure Session Management Pre-Authentication & Single-Sign On Service Authorization Seite 33

34 Reverse Proxy: Session Management Without a Session Store (Cookie Store) Reverse Proxy Applications protected Seite 34

35 Reverse Proxy: Session Management With Session Store (Session Hiding) Reverse Proxy Applications protected Seite 35

36 Reverse Proxy: Pre-Authentication Zones Public Zone: Login Server (anonymous access) Private Zone: E-Business Applications (authentication is required) FW FW Internet Entry Tier Authenticated requests only Application Not authenticated requests Login Service Seite 36

37 Reverse Proxy: Pre-Authentication Client MOD_BUT DLS (Delegated Login Service) LDAP Backend Application /application Redirect Login Page POST LOGIN DATA authenticate() get LOGIN DATA for Backend App Username/Password for Backend App LOGIN into Backend App Login ok LOGON=ok OK Seite 37

38 MOD_BUT Logon Cookie Messages from Login Server to MOD_BUT LOGON=ok MOD_BUT_USERNAME=<$user> MOD_BUT_AUTH_STRENGTH=0,1,2 MOD_BUT_SERVICE_LIST=regexp MOD_BUT_BACKEND_SESSION bname=a; bvalue=b; bclearance=c; Seite 38

39 Reverse Proxy: Service Authorization Service Authorization The user grants permission for certain, but not all URL s behind the Reverse Proxy Example User is authorized for /upload User is authorized for /admin User is not authorized for /enterpriseadmin Login Server sends a control cookie to the Reverse Proxy Set-Cookie: LOGON=ok Set-Cookie: MOD_BUT_USERNAME=$username Set-Cookie: MOD_BUT_SERVICE_LIST=(^/12001(.*)) Set-Cookie: MOD_BUT_AUTH_STRENGTH=0,1,2 Seite 39

40 Reverse Proxy: DLS DLS = Delegated Login Service Some applications have their own login component Outlook Web Access Wiki The DLS authenticates on behalf of the user Seite 40

41 MOD_BUT Features Session Store Pre-Authentication Step-Up Authentication (Authorization Level) Service Authorization Delegated Login Server Support Cookie Pass Through Seite 41

42 The Secure Document Exchange Solution Who uses mod_but? Seite 42

43 MOD_BUT TODO [ ] Rewrite SHM handling and data structures, eliminate SHM stuff from callers mod_but_cookiestore.c mod_but_session.c mod_but_shm.c Goals: increased performance, lower shared memory usage, more robust interfaces, thread-safety Seite 43

44 Some differences to Airlock? Compass Security AG Glärnischstrasse 7 Postfach 1628 CH-8640 Rapperswil Tel Fax team@csnc.ch

45 Airlock URL Encryption URL-Encryption Effective against Forceful Browsing URLs and parameters are protected Hides Technology and Topology Works dynamically, no specific configuration necessary GET MCHJOIAODKJPNOPOEPOBJONBPFCFCNBOEIPICACIPNAKIIKLFMEIM EGBFGFGMIBDLEipe4PixkUbKsXFBnb6YodmYPJyK66k1Ochxjrr6+Zaziy20 FxB+Sz1hUm8OchL/IREKvKVzlNKSRuiig7sh7jwI4y2xFNltX98GQFYkGq7fb HtzBKtOCQtQ0AviT1pJlP1I+xG5baW/3zx/IuHD9dpJ4I0J92oN9wa5gcs8JXQ 7lkcG2HsV8EiPKbt7wFR2h HTTP/1.1 Seite 45

46 Airlock Smart Form Protection Smart Form Protection Cryptographic protection of HTML forms Only allowed input is accepted (Airlock remembers form fields ) Automatic protection of hidden and selection fields Seite 46

47 Load Balancing High Availability Compass Security AG Glärnischstrasse 7 Postfach 1628 CH-8640 Rapperswil Tel Fax team@csnc.ch

48 Failover (London New York) Central Session Store (High Availability) Login Service London Backend Application London Entry Server London Central Session Store Entry Server New York Login Service New York Backend Application New York Seite 48

49 Entry Server & AJAX Security Implications Compass Security AG Glärnischstrasse 7 Postfach 1628 CH-8640 Rapperswil Tel Fax team@csnc.ch

50 AJAX Request/Response New engine built-in newer browsers! Interactive GUI Asynchronous processing ; not every action needs to be started by pressing the submit button Asynchronous processing ; AJAX updates the browser window (content) Source: Wikipedia Seite 50

51 XMLHttpRequest (XHR) XmlHttpRequest is a browser API to perform background HTTP requests from JavaScript Invented by Microsoft in 2000 IE 5.0 / 6.0: COM/ActiveX object Microsoft.XmlHttp ActiveX must be enabled IE 7.0, Firefox, Opera, Safari and other browsers: Native JavaScript object XmlHttpRequest ActiveX not required Portable Seite 51

52 XMLHttpRequest (XHR) Seite 52

53 Data Exchange Formats Upstream Data Format Downstream Data Format Seite 53

54 Upstream Data Formats Possible data formats: GET parameters POST parameters XML SOAP Some server-side API is provided Often maps to server-side objects and their functions AJAX calls in this case are like remote method invocations Seite 54

55 Upstream: HTTP GET Parameters HTTP GET GET /dyn/req?call=foo&arg=bar HTTP/ Seite 55

56 Upstream: HTTP POST Parameters HTTP POST POST /dyn/req HTTP/1.1 Content-Type: application/x-www-form-urlencoded... call=foo&arg=bar Seite 56

57 Upstream: XML HTTP POST POST /dyn/req HTTP/1.1 Content-Type: text/xml... <?xml version="1.0" encoding="utf-8"?> <request connectionid="cxooiqm"> <call type="foo"> <argument name="bar">true</argument> </call> </request> Seite 57

58 Upstream: SOAP HTTP POST POST /dyn/req HTTP/1.1 Content-Type: application/soap-xml... <?xml version="1.0" encoding="utf-8"?> <Envelope xmlns=" /soap/envelope"> <Body>... </Body> </Envelope> Seite 58

59 Downstream: XML HTTP/ OK Content-Type: text/xml... <?xml version="1.0" encoding="utf-8"?> <response> <result type="login"> <status>false</status> <msg>username or password invalid.</msg> </result> </response> Seite 59

60 Downstream: JavaScript HTTP/ OK Content-Type: text/javascript... LibJs.user='nobody'; LibJs.groups=['member','nobody','wnc5Xh']; $L('kYP64i'). render([$e('h1',{classname: 'Compiled',attributes:{},children:[$T(LibJ s.compiler.fromascii('hello world!'))]... LibJs.Server. oncomplete(1664); Seite 60

61 Downstream: JSON HTTP/ OK Content-Type: text/x-json... {"menu": { "id": "file", "popup": { "menuitem": [ {"value": "New", "onclick": "NewDoc()"}, {"value": "Open", "onclick": "OpenDoc()"}, {"value": "Close", "onclick": "CloseDoc()"} ]}}} Seite 61

62 Downstream: Custom HTTP/ OK Content-Type: text/x-gwt... {OK}["53723","84268","78357","27843"] Seite 62

63 New: The Entry Server Problem What is a valid request? Look at JavaScript code and guess what it might call and what the parameters might be Infeasible! JavaScript way too dynamic! Filter patterns and AJAX How to detect HTML injection in XML? How to detect XSS in JavaScript/JSON? How to sign an AJAX response? Every AJAX application is very different No "standard" like HTML <form> Impossible without support from application! Seite 63

64 Appendix Compass Security AG Glärnischstrasse 7 Postfach 1628 CH-8640 Rapperswil Tel Fax team@csnc.ch

65 Apache Compilation with mod_replace Copy Module into Filters Directory cp mod_replace.c./httpd /modules/filters Add the following line to./httpd /modules/filters/config.m4 APACHE_MODULE(replace, replace filter module,,, most) Change to $APACHE_SRC and to a autoconf cd./httpd / autoconf Check if the enable-replace is available cd./httpd /./configure -help grep replace Seite 65

66 Apache Compilation Compile Apache with mod_replace cd./httpd /./configure \ --prefix=/opt/applic/http \ --enable-so \ --enable-ssl \ --enable-proxy \ --enable-rewrite \ --enable-substitute \ --enable-replace \ --enable-headers \ --enable-unique-id \ --enable-log-forensic \ --enable-expire \ --enable-replace Seite 66