Upload
others
View
0
Download
0
Embed Size (px)
Citation preview
Due to the wide functional scopeof both solutions tested, we hadto divide the test into two sections. This section deals with theWeb Application Firewall(WAF); its functions and administration. Section two looks atthe Identity and Access Management (IAM) solution.
Airlock WAFThe Airlock WAF works as a reverse proxy and terminatesHTTP(S) connections. It is controlled via a central managementinterface, providing a centralpoint for implementing application access policies. It also provides a large number of powerfulfilter functions, including ICAPcontent filtering and SOAP/XM,AMF and JSON filters. One ofthe top features of the AirlockWAF 7 is API security, with protection of SOAP and REST webservices. Other functions includepolicy learning, dynamic whitelisting, smart form protection,cookie protection and URL encryption.
Many functions can also be incorporated in existing security infrastructures: Malware scannersfrom thirdparty providers can beintegrated via ICAP, HSM devices can be added and WAF notifications can be sent to SIEM installations. Load balancing andfailover features can also be provided. Ergon Informatik also hasan appliance for companies wanting to implement their WAF inhardware form.
FunctionalityIn operating mode the WAFworks between the regular company firewall and the applications. Production environments,therefore, need interfaces in orderto maintain clearcut separationbetween incoming and outgoingdata traffic. This is not essentialin test environments. Data transfer protection configuration happens via mapping. This is set up
using a clear page within the management tool, where the virtualhosts, that represent the protectedapplications to the outside, arelocated on the one side and theapplications to be protected arelocated on the other, in the DMZ.Only ports 80 and 443 are opento the outside.
To secure the application, withthe mouse, users drag lines between the virtual host, the mapping and the application requiringprotection, thus configuring thedata transfer routes. Theseconnections can be cut or diverted at any time as the need arises.For security reasons, when newmapping is installed, all associated rules are active, initially, toprevent any unwanted data transfers. To carry mapping over intoregular operating mode, administrators need to adapt the configuration in the next step to ensure
Test subject: Airlock Web Application Firewall 7.0
Powerful protection for
Dr. Götz Güttich
With Airlock Web Application Firewall, Ergon Informatik offers a powerful solution forsecuring web applications. As a general rule, these applications don’t just needprotection from hacking and security breaches, we also need to ensure that only
authorised users have access to the data within them. This is why the manufacturercombines its Web Application Firewall with the ‘Airlock Identity and Access
Management’ authentication solution. Working together, these tools secure the datatraffic between users and applications and also ensure that there is absolute clarity asto which users have access to which applications and functions. This also means that
a central single signon infrastructure can be set up. We took a close look at bothproducts in the test lab.
1
web applications
that the desired information canpass through.
Threat handling establishes howthe system deals with policy infringements. For example, if theWAF establishes that a user is attempting to tamper with the datain a web form, the solution caneither simply generate a log entry
to block the request or end thesession completely.
‘Deny rules’ are a core component of the Airlock WAF securityconcept. They create a negativesecurity model, operating asblacklists. In the configurationinterface, every denyrule entry,i.e. every line, represents a groupof rules. However, each groupaddresses a specific hacking attempt. The ‘exceptions’ entry encompasses acquired and manually created rules.
When the administrators open agroup in the deny rule configuration they will see the various filters. They have different securitylevels. As strict filters generatemore false positives than filtersthat are not, it makes sense for
operational purposes only to setthe security level very high where absolutely necessary. Securitylevels are therefore dependent onthe application requiring protection and individual data protectionrequirements. It is also importantto know whether hacking can come anonymously from the Internet, on a login page, for example,
or if there has already been a login and the user is known to thesystem. The manufacturer has already predefined a large numberof rule groups for all types ofhacking. If the need arises, userscan add their own custom rules atany time.
The testTo run the test we installed Airlock WAF in our test lab, linkedit up to the IAM solution mentioned before and set both productsrunning. For the purposes of thetest we used the WAF to secureaccess to the web interface of thePaessler PRTG network monitoring solution we use here in thetest lab. We also used a test environment provided by the manufacturer with a bookshop as theapplication needing to be secured
in order to take a close look at thefunctionality of the WAF.
InstallationThe Airlock WAF is based onCentOS 7. After downloadingthe installation ISO file from themanufacturer’s website we integrated it as a boot medium in avirtual machine running withVmware ESXi 6.5 Update 1.The virtual machine had a CPUwith a 2.6 GHz cycle frequencyand four cores, eight gigabytes ofRAM and 60 gigabytes of harddisk space. After the system started from the ISO image we selected the ‘Install Airlock WAF’boot menu item. As is usual withCentos, the ‘Anaconda’ installation manager came up right away.Before the actual installation began we had the option to adaptthe configuration to suit the management interface. The systemdid take a functioning configuration from our DHCP server but itwould be sensible in most casesto give the WAF to a dedicated IPaddress, which we did here. Wethen specified the destinationdisk for the installation, whichwas easy, as our VM only had avirtual hard disk, and acceptedthe predefined partitioning – thiscan also be adapted as required.Finally, we set the time zone andthe root password and defined auser for the configuration tool.The installation then started, andthe whole process took aroundten minutes in all. When the setup was complete, we importedthe latest updates to bring our installation completely up to date.
Initial configuration stepsAfter running through the setup,we accessed the WAF management tool via the URL: https://IP adress of the management interface. We then logged in with
2
Installing the WAF should not present IT administrators with any insurmoun
table obstacles
our pregenerated credentials andwent to ‘System Setup’ to uploadour licence.
We were then ready to secure access to our first web application.All we needed to do was to go tothe management tool in the ‘Application Firewall’ menu on the‘Reverse Proxy’ page and enterthe application server with its IPaddress and a port number as the‘backend server’. If DNS nameresolution already exists on thenetwork, you can enter the system name instead of the IP address.
As soon as the ‘Reverse Proxy’has been defined, it’s time to setup a new virtual host to receiveincoming requests. Definition isvia a fully qualified domain name and an IP address with network mask. To encrypt data traffic via HTTPS, relevant employees can also add a certificate atthis point.
Having done that, we configuredthe mapping between the virtualhost and the backend server. Asalready mentioned, this takesover the link between the virtualhost and the backend application,implementing the security logic.It must include an entry and a backend path. The entry path is thepath that users access via theirbrowser and the backend path isthe path via which the WAFsends requests. This leaves a lotof configuration options open. Soyou could have symmetricalmapping, where an entry path takes data to an application or partof one, in order that you can secure whole applications or justcertain subpages. Alternatively,you can also have asymmetricalmapping, where a virtual host takes different entry paths such as
‘/Application1’, ‘/Application2’and similar data, which are thensent on to various backend servers with different applications.In the test we first configuredsymmetrical mapping with themanufacturer’s default details.To ensure that data transferswouldn’t be blocked we set thepreviously mentioned threathandling at ‘Log only’. This is agood idea for new mapping, asthe relevant employees can thenanalyse what would happen if theWAF blocking rules were, in fact,active. This prevents unwantedactivity and the necessary adaptations can be made.
Finally, we used the mouse tocreate the said links between themapping, server and host. Oncewe had activated our changes onthe WAF, the system was readyto go and we were able toconnect to the virtual host.
Important functionsBefore we look at how the WAFworks in practice, let’s take another quick look at the product’smajor features. It’s opportune totalk about protection against injection hacking like SQL injection and XSS protection againsthacking in the form of forcefulbrowsing. Forceful browsing iswhen the hacker tries to gain access to protected pages or obtainsensitive information by enteringyour URL directly into theirbrowser’s address list. Unprotected systems provide an opportunity to use this method to gainaccess to content that would normally only be available after authentication, or acquire detailedinformation about the configuration of the web server in question. The Airlock WAF offers aURL encryption function for preventing forceful browsing. This
means that, in operating mode,encrypted URLs are only valid inthe current session when in operation mode. We will look at thisfeature in more detail later in ause case.
On the other hand, smart formprotection secures web application forms against tampering during runtime. The WAF also ensures that user data matches thedetails on the application’s original form. This prevents hackersfrom adding a fifth parameterwhen hoping to tamper with aninput form that only requiresfour. This feature also protectspreset values from tampering. Wewill also look at this again in ause case.
DyVEDynamic Value Endorsement(DyVE) is a function that searches dynamically through JSONobjects delivered by backends forvalues permitted for the currentuser session. The parameters orJSON attributes of any subsequent requests, such as RESTAPI calls, can then be checkedfor the use of reliable values.DyVE can also stop hackerschanging an account number in atransfer and tampering with online banking. Session fingerprinting notices changes in browsersand IP addresses used. Combined with login information andthe like that the system obtainsfrom the IAM solution, it is flagged in operating mode if a logincomes from say Frankfurt at 9.00am and then Bangkok at 9:12 am.In this scenario, the system canbe configured so that a secondauthentication factor, such as asecurity question, is added automatically for the second login,ensuring that unauthorised userscan’t gain application access.
3
Policy LearningIf the policy learning function isactivated the WAF checks andanalyses data traffic and indicateswhat has been sent, from whereand to which location. It alsosuggests which rules should beimplemented to increase the security level. Administrators canthen accept, modify or rejectthem. This function is useful foradapting the configuration to detailed requirements.
Allow RulesAllow rules in operating modedetermine which requests arepermitted. They therefore constitute white lists. Allow rules areused for analysing HTTP requests. Deny rules are usedwhen an allow rule has permitteda request. The Airlock WAF alsooffers an allow rule learningfunction which can be used to record all details during a loginprocedure and converts them intorules that IT managers can thenaccept.
Working with labelsIn practice most companies use alarge number of the said mappings – this can exceed 500 inmany environments – in theirconfiguration for controlling datatransfer between the virtual hostsand the applications that need securing. IT staff have the option oflabelling them to obtain a clearview of the mapping and makeinput configuration easier.
For example, there is the optionto label an Exchange or SharePoint input with ‘Microsoft’ oran Exchange 2016 input with‘test environment’ and an Exchange 2013 input with ‘productenvironment’. When an administrator enters the label in theoverview search line the system
shows them the relevant mapping. The labels can be combinedin all sorts of ways, making this avery powerful feature for IT managers as it makes configurationhighly transparent. For example,if an IT person wants to changethe security level for all Microsoft applications within a company, all they need to do is enter theMicrosoft label in the search fieldand then change the security level once for all entries. We hadno problems with this functionduring the test.
MonitoringWhen it comes to reporting andlogging, as already mentioned,the Airlock WAF not only manages the transmission of information to SIEM solutions, with logformats JSON and CEF, but alsooffers a log viewer with filters,and dynamic display of relevantand predefined searches. Thiscomes with various dashboardsand the option to run your ownevaluations. Once in the logviewer, you can also run drilldown procedures right down toactual log entries. A map is alsoincluded in the monitoring tools.When administrators zoom in onit they will see further details of
the regions accessed, tellingthem, for example, if most of thehacking attempts in the last hourcame from a particular country orcity.
The Airlock WAF in practiceFor the next part of the test weused the demo environment withthe bookstore, as previouslymentioned. It was called ‘BuggyBook’ and, as the name suggests,has a large number of differentsecurity breaches. We startedwith a close look at the form pro
tection function. We logged intothe unprotected bookstore asusers and bought a book. Therewas a minus in our account. Torectify the minus, we switched toaccount management and entereda voucher code in ‘Voucher’ thatwas worth 50 euros in the bookstore. The online applicationthen showed us a confirmationpage with the amount of creditthat the voucher would give usand enabled us to add it to ouraccount by clicking ‘Confirm’.This worked perfectly.
At the next stage we repeated thisprocedure but did not click ‘Confirm’ on the confirmation page
4
Mapping configuration defines data flow between the virtual host and the app
lication requiring protection
but went to the developmenttools in our browser and lookedfor the value in the source codethat determined the voucheramount. We used the development tool to change this from 50to 5,000 euros and then clicked‘Confirm’.
The browser then sent this valueto the application. Where it hadno protection mechanism forcomparing the confirmed valuewith the original voucher value,it credited our account with 5,000euros without any problem at all.The ‘BuggyBook’ test application was therefore in urgent needof the security functions providedby the WAF.
To plug up the security breach revealed in this way without modifying the store application weactivated form protection in theWAF that prevents precisely thiskind of activity. When we repeated our attempt at fraud with active WAF protection in place, theWAF blocked the transfer of theincorrect parameter and recordedthe whole procedure in its log files.
In the next use case we appliedthe Cross Site Scripting protection function. We also sent a message to another user from ourbookstore user account via theinternal message function.
When we sent the message, weentered a script in the subjectfield for selecting the user’s session cookie information. Whenwe then logged in as the otheruser and accessed the message apopup appeared with the user’ssession information. Scripts areoften used for hacking unsecuresystems like this. The WAF repels scripting hackers via its de
ny rules. So, in the next stage, weactivated a deny rule configuration that would recognise suspicious patterns in data transfers.The configuration then analysedthe transmitted fields and the parameters contained in them. If adeny rule recognises a pattern,for example JavaScript, it blocks
the request immediately. This also works for JSON structures.
Once our new configuration wasactive, we attempted the samehack again. The WAF blockedthe request and recorded the activity in the log files.
We then attempted a forcefulbrowsing hack via the browser.We entered the URL: “https://IP adress of the server /Bookstore / help / index.html?page=../ ../ WEBINF /web.xml;.The browser provided us with various details about the systemconfiguration that we might usefor further hacking attempts.
The WAF URL encryption function prevents this type ofhacking, encrypting target URLsat session level and ensuring thatnobody can access specific tar
gets on the server. After we hadactivated this feature, the systemdiverted our attempt at access tothe web shop home page, so nodamage was done.
ConclusionWe were very impressed with thewide range of functions offered
by the Airlock WAF during thetest. When configured correctly,it ensures that everything arrivingat the application requiring protection has been filtered and allpotential threats have been removed.
This means that hackers don’t getanything at all from protectedapplications. In spite of the widerange of functions the management interface was relativelystraightforward, enabling securityadministrators to get to grips withthe solution quickly. While running the test we were particularlyimpressed by the comprehensivereporting and logging, API security, smart form protection andURL encryption. Administratorswho have an urgent need to secure their applications from theoutside really ought to take alook at the Airlock product.
5
Individual deny rule filters were assembled in groups. A specific security level
can be set for each group.