Advanced Security
Topics Covered:
• URL Policies
• Bruteforce Prevention
• Antivirus
Module 4 – Chapter 3
URL Policies
• Automatically created for each Service
• Additional URL Policies can be created for specific parts of a Web App
• Modules that can be activated in URL Policies:
  • Data Theft Prevention
  • Bruteforce Prevention
  • Antivirus
  • Rate Control (also available at Service level)
• 4.3 – Advanced Security
Advanced Security
[Diagram: Tommy → Request → Application Server → Response]
• Virusscanningisenabled ona per-URLbasis
• ShouldonlybeenabledforURLswhich allowfile uploadsanddownloads
• Clam AV
• Barracudacreatesthe AVsignatures pushedthrough Energize Updates
• 4.3 – Advanced Security
Eisenberg
WAF
Web Server
Request blocked
EU
Bruteforce Protection
• Maximum number of requests to a URL within a configured interval
• All requests or only invalid requests
• From a single client or from all sources
[Diagram: Eisenberg at 1.1.1.1 sends login attempts tommy/password, tommy/123456, tommy/qwerty and tommy/abc123 (requests 1–4) within 360 s; the first requests reach the Web Server, the later ones are blocked by the WAF's Bruteforce check]
Session Tracking
• Limits the number of sessions originating from a particular client IP address in a given interval
• Helps prevent session-based Denial of Service (DoS) attacks
[Diagram: within 60 s, client 1.1.1.1 (Eisenberg) sends Request1 with SessionID1, Request2 with SessionID2 and Request3; the first two reach the Web Server, Request3 is blocked by the WAF's Session Tracking check]
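The Bruteforce Protection and Session Tracking slides above both describe a sliding-window counter. The Python below is an added example, not Barracuda code: it models the two policies as the bullets describe them (per-URL request limit counting all or only invalid requests, per client or across all sources; per-IP limit on new sessions) and replays the two diagrams with constructed traffic. The thresholds (3 attempts per 360 s, 2 new sessions per 60 s) and the /login path are assumptions, since the slides do not state them.

```python
from collections import defaultdict, deque

class WindowLimiter:
    """Sliding-window counter: at most `limit` counted events per key inside
    `interval_s` seconds. Shared by the two policies below."""

    def __init__(self, limit, interval_s):
        self.limit = limit
        self.interval_s = interval_s
        self._events = defaultdict(deque)  # key -> timestamps still in the window

    def hit(self, key, t, counts=True):
        """True if the event at time t is allowed, False if it exceeds the limit.
        A refused event is never counted, so the window drains on its own."""
        window = self._events[key]
        while window and t - window[0] >= self.interval_s:
            window.popleft()
        if len(window) >= self.limit:
            return False
        if counts:
            window.append(t)
        return True

class BruteforcePolicy:
    """Maximum number of requests to a URL within an interval; counts all
    requests or only invalid ones; per client IP or across all sources."""

    def __init__(self, url, max_requests, interval_s, invalid_only=False, per_client=True):
        self.url = url
        self.invalid_only = invalid_only
        self.per_client = per_client
        self.limiter = WindowLimiter(max_requests, interval_s)

    def check(self, t, client_ip, path, invalid):
        """Return 'allow' or 'block' for one request at time t (seconds)."""
        if path != self.url:
            return "allow"
        key = client_ip if self.per_client else "*"
        counts = invalid or not self.invalid_only  # valid logins are free in invalid-only mode
        return "allow" if self.limiter.hit(key, t, counts) else "block"

class SessionTracking:
    """Limits the number of new sessions originating from one client IP in an interval."""

    def __init__(self, max_sessions, interval_s):
        self.limiter = WindowLimiter(max_sessions, interval_s)
        self.seen = set()  # (ip, session_id) pairs already counted

    def check(self, t, client_ip, session_id):
        if (client_ip, session_id) in self.seen:
            return "allow"  # an existing session, not a new one
        if not self.limiter.hit(client_ip, t):
            return "block"
        self.seen.add((client_ip, session_id))
        return "allow"

# Constructed replay of the Bruteforce slide: Eisenberg at 1.1.1.1 tries four
# passwords for "tommy" inside the 360 s interval. The limit of 3 attempts is
# an assumed value; the slide does not state the threshold.
BRUTEFORCE_ATTEMPTS = [
    (0, "1.1.1.1", "/login", "tommy/password", True),
    (60, "1.1.1.1", "/login", "tommy/123456", True),
    (120, "1.1.1.1", "/login", "tommy/qwerty", True),
    (180, "1.1.1.1", "/login", "tommy/abc123", True),
]

def replay_bruteforce(max_requests=3, interval_s=360, **kwargs):
    # -> ['allow', 'allow', 'allow', 'block'] with the default parameters
    policy = BruteforcePolicy("/login", max_requests, interval_s, **kwargs)
    return [policy.check(t, ip, path, bad) for t, ip, path, _cred, bad in BRUTEFORCE_ATTEMPTS]

# Constructed replay of the Session Tracking slide: within 60 s, 1.1.1.1 opens
# SessionID1 and SessionID2, reuses SessionID1, then opens a third session.
# The limit of 2 new sessions per 60 s is assumed.
def replay_session_tracking(max_sessions=2, interval_s=60):
    # -> ['allow', 'allow', 'allow', 'block']
    tracker = SessionTracking(max_sessions, interval_s)
    events = [(0, "1.1.1.1", "SessionID1"), (10, "1.1.1.1", "SessionID2"),
              (20, "1.1.1.1", "SessionID1"), (30, "1.1.1.1", "SessionID3")]
    return [tracker.check(t, ip, sid) for t, ip, sid in events]
```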
Advanced Security Configuration
• WEBSITES > Advanced Security
  • Edit the default-URL-policy
  • Enable Data Theft Protection
  • Enable AV
  • Enable Bruteforce Protection
  • Enable Rate Control
  • Session Tracking walkthrough
  • Enable Clickjacking Protection
Live Demo
Allow/Deny Rules
Topics Covered:
• Overview
• Allow/Deny Rules Types
• Extended Match Rules
• Rule Evaluation Order
Module 4 – Chapter 4
Allow/Deny Rules
• Define strict access control rules for the services
• Rules are service-specific and cannot be shared
• Two types of rules:
  • Allow/Deny rules for URLs
  • Allow/Deny rules for headers
• 4.4 – Allow/Deny Rules
Allow/Deny Rules
[Diagram: Tommy → Request → Application Server → Response]
Allow/Deny Rules for URLs
• Control access to certain portions of the Web Application based on a set of matching criteria
• Without changing any configuration on the Web Application itself
• Extended match can be used
• Configurable actions are the same as global ACLs
[Diagram: Access Control in front of a Web Application divided into Public, Private and Payments areas]
Allow/Deny Rules for Headers
• Enforce strict limitations on incoming headers
• Sanitize HTTP headers containing
  • Sensitive information identifying the client
  • Some application-specific state information
• Prevent configured attack types
• Stop potentially malicious metacharacters and keywords
Extended Match Rules
• Specifically define which requests/responses need the rule applied
• Conditions can be based on found parameters or elements
• Used across multiple modules (not only Allow/Deny rules)
[Diagram: Tommy on Firefox 16 sends a Request; a URL Allow/Deny Rule on the WAF with the extended match USER-Agent co Firefox/16 answers with 301 - Update_your_browser.html instead of forwarding to the Application Server]
Extended Match Rules Configuration
Extended Match Widget
1. Open the Extended Match widget
2. Configure what to intercept
3. Insert condition in the Header Expression field
4. Apply/Close widget
5. 1 = highest priority
Rule Evaluation Order
• The policies of the “best matching” rule are applied
• Hierarchical match
  • Compares the Host header. If there is no match, compares the URL path
  • If multiple ACLs match, each extended match rule is evaluated in ascending order of extended match sequence
• Sequential match
  • Ignores the Host header and URL path
  • Each extended match rule is evaluated in sequential order based on the extended match sequence
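An added Python model of the two evaluation orders on this slide (example code, not the WAF's implementation). The rule set, the hostnames and the small `eq`/`co` expression subset are constructed; the `USER-Agent co Firefox/16` condition is the one from the Extended Match slide. The hierarchical reading used here (exact Host beats wildcard, then longest URL path prefix, then extended match sequence) is one interpretation of the bullets.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    host: str            # Host header to match; "*" matches any host
    url_path: str        # URL path prefix; "/" matches every path
    sequence: int        # extended match sequence, 1 = highest priority
    extended_match: str  # "*" or "<Header> <op> <value>", op in {eq, co}
    action: str

def extended_match_holds(expr, request):
    """Evaluate a tiny subset of extended-match syntax: `eq` (equals) and
    `co` (contains) on a request header, or "*" for match-all."""
    if expr == "*":
        return True
    header, op, value = expr.split(" ", 2)
    actual = request["headers"].get(header.lower(), "")
    if op == "eq":
        return actual == value
    if op == "co":
        return value in actual
    raise ValueError(f"unsupported operator {op!r}")

def hierarchical_match(rules, request):
    """Best match by Host header and URL path first; ties are broken by
    evaluating extended match rules in ascending sequence order."""
    candidates = [r for r in rules
                  if r.host in (request["host"], "*")
                  and request["path"].startswith(r.url_path)]
    if not candidates:
        return None
    # An exact Host match beats the wildcard; then the longest path prefix wins.
    def specificity(r):
        return (r.host != "*", len(r.url_path))
    top = max(specificity(r) for r in candidates)
    best = [r for r in candidates if specificity(r) == top]
    for r in sorted(best, key=lambda r: r.sequence):
        if extended_match_holds(r.extended_match, request):
            return r
    return None

def sequential_match(rules, request):
    """Ignore Host and URL path; the first rule (by sequence) whose extended
    match holds is applied."""
    for r in sorted(rules, key=lambda r: r.sequence):
        if extended_match_holds(r.extended_match, request):
            return r
    return None

def make_request(host, path, user_agent):
    return {"host": host, "path": path, "headers": {"user-agent": user_agent}}

# Constructed rule set. The first rule reproduces the Extended Match slide:
# browsers whose User-Agent contains Firefox/16 are sent to an update page.
RULES = [
    Rule("old-firefox-redirect", "*", "/", 1, "USER-Agent co Firefox/16",
         "redirect:/Update_your_browser.html"),
    Rule("payments-deny", "shop.example.com", "/payments/", 2, "*", "deny"),
    Rule("default-allow", "*", "/", 3, "*", "allow"),
]

def compare_modes(request):
    """Return the rule name chosen by each evaluation mode (None if nothing matches)."""
    h = hierarchical_match(RULES, request)
    s = sequential_match(RULES, request)
    return (h.name if h else None, s.name if s else None)
```

Note that in sequential mode a rule with a match-all extended match shadows every rule with a higher sequence number, because Host and URL path are ignored; in hierarchical mode the more specific payments rule wins even though the Firefox rule has sequence 1.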
Allow/Deny Rules
• WEBSITES > Allow/Deny Rules
  • Create a URL Allow/Deny rule
  • Create a Headers Allow/Deny rule
Live Demo
Website Profiles
Topics Covered:
• Overview
• URL Profiles
• Parameter Profiles
• Adaptive Profiling
• URL Encryption
Module 4 – Chapter 5
Website Profiles Overview
• Specific rules to fine-tune the security settings of a service
  • URL profiles
  • Parameter profiles
[Diagram: requests from Tommy and Reed to /cgi-bin/reg.cgi are checked by the WAF against the URL Profile for /cgi-bin/reg.cgi and its Parameters Profile (First Name: input field, type Alpha, max 16 chars; Last Name: input field, type Alpha, max 16 chars) before being forwarded to the Application Server]
• 4.5 – Website Profiles
Website Profiles
[Diagram: Tommy → Request → Application Server → Response]
Website Profiles Modes
• Active - Validates requests, blocks, and logs request violations
  • Uses the URL profile and corresponding parameter profile(s) settings
• Passive - Validates the requests and logs violations
• Learning - Learns the Web Application structure…
Website Profiles - Strict Profile Check
• Enforce the positive or negative security model
• Strict Profile Check enabled:
  • Validates requests and denies the requests that do not match the URL profiles and parameter profiles
• Strict Profile Check disabled:
  • Validates requests, and if they do not match the URL profiles and parameter profiles, the requests are validated against the global security policy.
Adaptive Profiling
• Automatically learns the structure of a Web Application
• Based on requests and/or responses
• Available on model 660+
• Creates the website profile based on the learned structure
[Diagram: requests from Tommy and Reed to /cgi-bin/reg.cgi and the Application Server's responses pass through the WAF, which learns a URL Profile for /cgi-bin/reg.cgi and a Parameters Profile (First Name: input field, type Alpha; Last Name: …)]
Adaptive Profiling Configuration
1. Configure the service in Learning mode
2. Start the learning process
  • Generate traffic to the Web Application
3. Stop the learning process
4. Review and Lock the URL Profiles
Configuration settings in WEBSITES > Website Profiles
Website Profiles Configuration
• WEBSITES > Website Profiles
  • Create a new URL profile
  • Create a new parameter profile
• WEBSITES > Adaptive Profiling
  • Add an adaptive profiling rule
• WEBSITES > Website Profiles
  • Configure the website profile to learn
Live Demo
Tuning Security Rules
Topics Covered:
• Web Firewall Logs
• Trusted Hosts
• Exception Profiling
Module 4 – Chapter 6
Web Firewall Logs
• Traffic violations are logged in the Web Firewall Log
• Can be used to mitigate false positives
• Suggests the recommended “Fix”
• Accepting a recommendation could have the following impact:
  • Localized - Website profile modification (URL or parameter)
  • Global - Security policy modification
• 4.6 – Tuning Security Rules
Trusted Hosts
• Hosts whose traffic is assumed to be safe
• Defined by IP address/network
• Configured in groups
• Use cases
  • Exempt specific traffic from security checks or authentication
  • Train the Adaptive Profiling engine
  • Train the Exception Profiling engine
Exception Profiling
• Fine-tunes security policies associated with a service
• Uses a heuristics-based strategy to refine security settings in response to logged traffic
[Diagram: Tommy's uploads of 6 Mb, 7 Mb and 8 Mb are blocked by the service's Security Settings (Max File size Upload - 5 Mb); Exception Profiling at Level LOW (Trigger Count: 3, New Value: +100%) increases the limit by 100% to Max File size Upload - 10 Mb]
Exception Profiling Heuristics
• Changes can be suggested or applied automatically
• Trusted traffic
  • Trusted (Hosts)
• Untrusted traffic
  • Low
  • Medium
  • High
• Untrusted traffic levels are shared among services
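As an added example (not Barracuda code), the Python below replays the Exception Profiling diagram using the LOW heuristics values shown there (trigger count 3, new value +100%): three blocked uploads above the 5 Mb limit raise it to 10 Mb, either applied automatically or only suggested, as the bullet above describes. The client IP, the log line format and the Medium/High omission are constructed; the slides give values for LOW only.

```python
from dataclasses import dataclass

MB = 1024 * 1024

@dataclass(frozen=True)
class HeuristicLevel:
    """One exception-heuristics level: how many violations of a setting are
    tolerated before the setting is relaxed, and by how much."""
    name: str
    trigger_count: int
    increase_pct: int

# Values shown on the Exception Profiling slide; Medium/High are not given there.
LEVEL_LOW = HeuristicLevel("LOW", trigger_count=3, increase_pct=100)

@dataclass
class Setting:
    name: str
    value: int  # byte limit for size settings

class ExceptionProfiler:
    """Relaxes one security setting after `trigger_count` logged violations.
    auto_apply=True applies the new value; otherwise it is only suggested,
    matching "changes can be suggested or applied automatically"."""

    def __init__(self, setting, level, auto_apply=True):
        self.setting = setting
        self.level = level
        self.auto_apply = auto_apply
        self.violations = 0
        self.suggestions = []  # (setting name, suggested value) when not auto-applied
        self.log = []          # constructed Web Firewall Log: one entry per violation

    def check_upload(self, size_bytes, client_ip):
        """Return 'allow' or 'block'. The request is judged against the current
        value; a relaxation only affects later requests."""
        if size_bytes <= self.setting.value:
            return "allow"
        self.violations += 1
        self.log.append(f"{client_ip} {self.setting.name}={size_bytes} "
                        f"limit={self.setting.value} BLOCKED")
        if self.violations >= self.level.trigger_count:
            new_value = self.setting.value * (100 + self.level.increase_pct) // 100
            if self.auto_apply:
                self.setting.value = new_value
            else:
                self.suggestions.append((self.setting.name, new_value))
            self.violations = 0  # start counting again against the new value
        return "block"

def replay_slide(auto_apply=True):
    """Replay the diagram: limit 5 MB, Tommy uploads 6, 7 and 8 MB, then retries 8 MB.
    Returns the decisions, the limit in MB after the run, and any suggestions."""
    profiler = ExceptionProfiler(Setting("Max File size Upload", 5 * MB), LEVEL_LOW, auto_apply)
    decisions = [profiler.check_upload(mb * MB, "10.0.0.5") for mb in (6, 7, 8, 8)]
    return decisions, profiler.setting.value // MB, profiler.suggestions
```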
Tuning Security Rules Configuration
• BASIC > Web Firewall Logs
  • Review false positives and apply the fix
• WEBSITES > Trusted Hosts
  • Configure a new group and apply it to a service
• WEBSITES > Exception Profiling
  • Assign Exception Profile level to a service
• WEBSITES > Exception Heuristics
  • Levels walkthrough
Live Demo
URL Encryption
• The WAF encrypts all URLs associated with the requested page
• Requires no changes to the application
• If encrypted URLs are manipulated or tampered with in subsequent requests, the requests are blocked and logged
[Diagram: Tommy requests http://bn.com; the Application Server's response contains http://bn.com/index.php?include=a.txt, which the WAF rewrites to http://bn.com/d098duj0 before returning the response]
URL Encryption Configuration
• WEBSITES > URL Encryption
  • Activate URL encryption on a service
  • Add a new encryption rule
• BASIC > Access Logs
  • Verify encrypted URLs
Live Demo
Application DDoS Attack Protection
Topics Covered:
• IP Reputation Filter
• DDoS Policies
• Slow Client Attack Prevention
Module 4 – Chapter 7
IP Reputation Filter
• Filters traffic from specific geographic regions / categories to a service
  • GeoPool
  • Barracuda Reputation
  • TOR Nodes
  • Anonymous Proxy
  • Satellite Provider
[Diagram: Requests arrive at the WAF; filtered Requests are blocked before reaching the Backend Servers]
• 4.7 – Application DDoS Attack Protection
DDoS Policies
• Passively evaluate the clients to determine if they are suspicious or not
• The client tagged as suspicious will be forced to answer a CAPTCHA
• The suspicious client IP addresses will be remembered for 900 seconds
[Diagram: a BOT's Request reaches the WAF in front of the Web Server; the WAF answers with a JS challenge and then a CAPTCHA (C4PtcH4), and the bot's further Request is blocked]
Slow Client Attack Prevention
• Enforces requests / responses timeouts
• Enforces requests / responses minimum data transfer rates
• Prevents:
  • Slow HTTP headers vulnerability (Slowloris)
  • Slow HTTP POST vulnerability (R-U-Dead-Yet or RUDY)
  • Slow read DoS attack
Application DDoS Attack Protection
• WEBSITES > IP Reputation
  • Configuration walkthrough
• WEBSITES > DDoS Prevention
  • Create a new DDoS policy
  • Edit the Slow Client Attack Prevention settings
Live Demo


Advanced security in Barracuda WAF
