Nginx app protect-for-meetup-v1.0-202006_lk
- 1. NGINX AppProtect FINALLY THE WAF FOR NGINX LuboΕ‘ Klokner Sr. Solutions Engineer | F5 June 19, 2020
- 2. | Β©2019 F52 DNS UAC WAF Acceleration ADC VDI WEBAPPS FW β’ Network ACL β’ IP Intelligence β’ IP Lists β’ DDoS Protection β’ Full Proxy DNS β’ Business Continuity β’ GSLB β’ DNS Security / Services β’ DNS Firewall WAF β’ L7 Firewall β’ Positive & Negative Policy β’ API Security β’ BOT Detection β’ Brute Force Protection β’ Credential Stuffing β’ Client Fingerprinting β’ L7 DDoS Mitigation UAC β’ Remote Access β’ Pre-Authentication β’ Multi-factor/SSO/Federation β’ End Point Inspection β’ API GW ADC β’ Full Proxy β’ TLS/SSL Offload β’ Application Awareness β’ Traffic enhancements Acceleration β’ TCP Optimization β’ Caching/Compression β’ End User Experience β’ HTTP/2 FW Users Customers Client Protection β’ Encryption β’ Phishing β’ Malware β’ Automated Transactions Attackers BIG-IPVE VIPRION High Performance Services Fabric Cloud Services
- 3. | Β©2019 F53 Positioning App Super-Net Ops DevOps NetOpsArchitectDevOpsDev SecOps ASM/Advanced WAF NGINX App Protect Infrastructure Code Micro-Services Cloud
- 4. | Β©2019 F54 CONFIDENTIAL Solution Description Stand-Alone premium WAF Annually Subscription based Dynamic Module Lightweight software package Installed on top of NGINX Plus Platform Agnostic Leverage F5's core technology
- 5. | Β©2019 F55 CONFIDENTIAL NGINX App Protect: Customer Value β High performing β Security protection beyond signatures β Trusted Signatures from F5 β Simple CI/CD integration β Designed for modern infrastructures β Rapid feedback loop for security remediations β Uniο¬ed F5 declarative interface β Security statistics via syslog β Backed by F5 Support Manage CI/CD Friendly Secure
- 6. | Β©2019 F56 NGINX App Protect Performance β’ ModSec Configuration: OWASP Top 10 (enable all CRS 3v rules) β’ NGINX App Protect Configuration: OWASP Top 10 (Enable signatures), Evasion technique, Data Guard, Disallowed file types, HTTP protocol compliance NGINX App Protect with a much more comprehensive security policy had no impact on latency, and offered much better throughput and requests/second when compared to ModSec
- 7. | Β©2019 F57 β’ OWASP Top 10 based attack signatures & CVEs β’ Meta characters check β’ HTTP protocol compliance β’ Evasion techniques β’ Disallowed file types (bin, cgi, cmd, com, dll, exe, msi, sys, shtm, shtml, stm & more) β’ Enforcement based on high risk score (Violation Rating) β’ Cookie integrity check β’ JSON & XML well-formedness β’ Sensitive parameters & Data Guard CONFIDENTIAL NGINX App Protect Default Security Policy
- 8. | Β©2019 F58 CONFIDENTIAL NGINX.conf
- 9. | Β©2019 F59 CONFIDENTIAL Default Policy and log-default Policy π https://docs.nginx.com/nginx-app-protect/configuration/
- 10. | Β©2019 F510 Deployment Options CONFIDENTIAL
- 11. | Β©2019 F511 CONFIDENTIAL Consider Two Different WAF User Profiles NetOps/SecOps: β’ Centralized Ops team β’ Set of stable applications β’ Top concern: governance, stability and predictability DevSecOps/DevOps: β’ Democratized, distributed teams β’ Multiple applications, many actively developed β’ Top concern: time-to-market, speed to innovate Ingress Controller pod pod pod pod pod Per-Pod proxy Per-Service proxy Edge Customer DEVOPS / APPLICATIONS NETOPS / OPERATIONS
- 12. | Β©2019 F512 CONFIDENTIAL Standard App Protect NGINX-proxy deployment Available now Stand-Alone premium WAF module for NGINX Plus Configured using NGINX directives and App Protect policy file / signature database Dynamic module β’ Installed on top of NGINX Plus β’ Connector module, pipe agent, bd agent β’ Limited Platforms (Debian, CentOS at release, others to follow) Released May 15th CustomerCode
- 13. | Β©2019 F513 CONFIDENTIAL WAF Deployment at the Edge DEPLOY WAF POLICIES OUTSIDE KUBERNETES, ON LOCAL BIG-IP OR CLOUD-BASED WAF Available now Ingress Controller pod pod pod pod pod Per-Pod proxy Per-Service proxy Edge NetOps/SecOps-Centric Approach β’ This is a prime use case for Edge load balancer i.e. outside K8s β’ NetOps/SecOps empower their App/DevOps brethren to consume F5 application services in an automated manner β’ Can also be provided using F5 AWAF Appropriate for NetOps/SecOps-managed WAF
- 14. | Β©2019 F514 CONFIDENTIAL WAF Deployment on the Ingress Controller DEPLOY WAF POLICIES ON THE INGRESS CONTROLLER, CONFIGURED USING KUBERNETES API Available June 2020 Ingress Controller pod pod pod pod pod Per-Pod proxy Per-Service proxy Edge K8s SecOps/DevSecOps-Centric Approach Appropriate solution when WAF policies are under direction of NetOps or DevOps teams. Policies are defined and associated with services using Kubernetes API. NGINX Ingress Controller RBAC allows: β’ Admin users to enforce policies per listener β’ DevOps users to select policy per Ingress Resource Leverage Container Ingress Services to scale NGINX Ingress Controller and add other application services (LB, DNS, DDoS, IAM). Appropriate for Kubernetes-native SecOps or DevSecOps
- 15. | Β©2019 F515 CONFIDENTIAL WAF Deployment within K8s, for a specific pod DEPLOY WAF POLICIES FOR A SPECIFIC POD/INSTANCE, EMBEDDING NGINX PLUS WITHIN THE POD Ingress Controller pod pod pod pod pod Per-Pod proxy Per-Service proxy Edge AppOwner-Centric Approach Appropriate solution when App Owner has full control of WAF for their application. WAF is implemented using an embedded proxy for each application pod. β’ Implemented, tested and deployed using CI/CD pipeline β’ WAF updates require re-deployment of application pods Suitable for services that require very close control and testing of WAF configuration. Appropriate when AppOwner has full control over WAF policies Available now Good use case: I have a large legacy application that I have packaged as a container. This application has vulnerabilities
- 17. | Β©2019 F517 o No security expertise required to implement o Customer does not need to know how to write their own signatures o Better performance (up to 20x) o gRPC Support o Response-based security support o Extremely difficult to use in ModSec o Positive security (only attack signatures) o Rich logging available out of the box o Splunk & ArcSight (syslog) easily integrated o Kibana dashboard available o Easy to update/revert signatures CONFIDENTIAL vs ModSec NGINX APP PROTECT HASβ¦
- 18. | Β©2019 F518 CONFIDENTIAL
- 19. | Β©2019 F519 CONFIDENTIAL Arcadia Finance
- 20. | Β©2019 F520 CONFIDENTIAL Arcadia Finance API SCHEMA
- 21. | Β©2019 F521 CONFIDENTIAL Arcadia Finance WITH NGINX APP PROTECT