Environment Support - The Web Application Security Consortium

yompmulligrubsInternet and Web Development

Oct 31, 2013 (3 years and 11 months ago)

117 views

4

Environment Support

To be effective the

WAF has to work well in your

env
ironment. The following section

describe
s

aspects of a
WAF
required to support
your environment.
It is split into [two] sections. The first describes the options for
deployment and
the requirements your organization might have regarding those options and the impact to
the environment. The second aspect is the support offered for the elements of the target environment. This
further includes 2 aspects, support for protected applicati
ons support for environment options and ability to
implement en
vironment options. [MK: The example

here is support for various authentication options vs.
implementation of those options.
]

Evaluation guideline
s
:
unless described otherwise,
for each criteri
a group below select and evaluate only the
criteria that are relevant to your organization. Keep in mind that requiring unneeded criteria may lead to
higher cost and complexity in the solution selected.

4.1

Deployment

Model

4.1.1

Packaging

Packaging

is often a matte
r of corporate culture and
usually
do
es

not have significant effect on the quality of
the solution. Verify that the WAF supports
the packaging method your organization

prefer
s
. Note that
m
ethod of delivery
will limit the
deployment architecture options
ava
ilable
and vice versa.


Delivery
Method

Description

Deployment Architecture
Options

A.

Appliance

Software bundled with hardware. Appliances are usually
highly optimized and may contain specialized hardware
components to increase performance

(e.g. SSL
processors), availability (e.g. “fail
-
open” network
inW敲fac敳) or p敲form oWh敲 sp散ializ敤 funcWions (攮g.
LighWs
-
Out Management, or “LOM”, interfaces.


R敶敲s攠ProxX

Transpar敮W ProxX

Transpar敮W
Bridge

Non
-
inline


B.

Virtual
Appliance

WAF i
s delivered as s
oftware packaged as an installable
virtual instance for a specific hypervisor, e.
g an .OVF file
for VMWare ESX.

Often a specific minimum configuration
of resources (memory, disk, etc.) is required.

Reverse Proxy

Transparent Proxy

Transparent
Bridge

Non
-
inline

C.

Software

WAF is delivered a
s an application that can
be installed
on a generic computer.

Often a specific reference
configuration of hardware and operating system is
required.

Reverse Proxy

Transparent Proxy

Transparent
Bridge

Non
-
inline

Embedded

D.

Soft
ware
as a
S
ervice

(SaaS)

The WAF is provided to the user as a service. In this
scenario the physical delivery model
for the software can
be

hidden from the user. This model is t
ypical for
”Cloud”

mod敬s, buW can also b攠r敬敶anW in hosW敤
敮vironm敮W
s

or 敶敮 for on
-
pr敭is攠 d数loXm敮Ws
manag敤 bX a manag敤 s敲vic攠provid敲.

R敶敲s攠ProxX

Transpar敮W ProxX


4.1.2

Deployment

Architecture

Depending on size your organization may need just one deployment
option. For large organizations with a
variety of applications and environments, more than one option may be needed. Verify that the WAF
supports the deployment mode or modes you prefer:


Deployment
Architecture

Description

Delivery Model Options

A.

Reve
rse
Proxy

Application traffic is re
-
directed through the
WAF, typically using

DNS
re
configuration

or
networking changes. The WAF terminates the
HTTP session with the browser and opens a
separate session to the application server.

Appliance

Virtual Applianc
e

Software

SaaS


Transparent
Proxy

"A 'transparent proxy' is a proxy that does
not modify the request or response beyond
what is required for proxy authentication and
identification".
i

Typically, this means that the
client IP appears to the server to be the same
as the true source IP of the client.

Appliance

Virtual Appliance

Software

SaaS


Transparent
Bridge

Application traffic is intercepted by the WAF
at layer 2. This is typically
accomplished by
deploying the device at a network location
through which user sessions normally flow,
but in some cases can be accomplished via
routing or other networking changes. The
WAF does not terminate the user session,
allowing the traffic to pass
unaltered from
browser to server.

Appliance

Virtual Appliance

Software

D.

Non
-
inline


Application traffic is forwarded “off
-
line” to
Wh攠WAF d敶ic攠Whrough a SPAN porW or oWh敲
n整睯rk moniWoring m散hanism. Th攠WAF is
WXpicallX looking aW onlX a
copX of Wh攠Wraffic,
so no s敳sions ar攠W敲minaW敤 or oWh敲睩s攠
aff散W敤. If d敳ir敤, blocking musW b攠
accomplish敤 via an indir散W m散hanism.


M数loXing WAFs in non
-
inlin攠mod攠
significanWlX r敤uc敳 Wh攠possibiliWX of
blocking and is mosWlX valuabl攠for
proof of
conc数W, l敡rning mod攬 or for informaWion
c敮Wric d数loXm敮Ws. 䵡k攠sur攠WhaW Wh攠
sniff敲 supporWs passiv攠d散rXpWion of SSL
Wraffic.

Appliance

VirWual Appliance

SofW睡re




Embedded

Application traffic is intercepted by
embedding a WAF as a software module on
the web server.

Offers horizontal scalability with the number
of Web Servers used but may affect web
Software

server performance. You will need to verify
that the WAF supports your web s
erver.


4.1.3

High Availability and Clustering

Depending on the availability requirements of your organization you may want to select one of these

high
availability strategies. Depending on the characteristics of your WAF and your environment, high av
ailability
may be achieved “natively” meaning that the WAF itself provides the high availability mechanism or
externally, meaning that the infrastructure of the environment provides the mechanism.

A.

Fail Open

Upon failure, traffic is forwarded directly to

the application, bypassing the WAF. In this
scenario, application up time is preserved, but
security functionality is lost during the down
time of the WAF solution.

Does fail open apply both to physical
(e.g., loss of power) and software
(e.g., software
hang) failures?

B.

Fail Over

Upon failure, control transfers from a primary
WAF to a backup system. Fail over systems
should ensure minimal disruption of service
during fail over.

What is the latency of switching
nodes?


What is the affect

on sessions and
session security when switching
nodes? For many applications
resetting sessions will be acceptable
and can reduce the complexity of
configuration of fail over.


Can nodes be geographically
distributed across data centers? How
does this aff
ect failover and state?

C.

Clustering

An implementation in which multiple systems
work simultaneously to increase performance
and provide fail over between nodes.

Can nodes be geographically
distributed across data centers? How
does this affect failover
and state?

For performance related aspects of high availability, refer to the “performance” section [XXX].

4.2

Application Support

It is extremely important that the WAF works
seamlessly
with your application
s
.
This will ensure the
availability and
functionality of your application as well as allow the WAF to protect it effectively.

This
section lists a selection of the possible requirements related to application support. It would be impossible to
list all of the possibilities and many smaller org
anizations will require only a subset of the items listed in this
section. Larger organizations, with a more diverse application portfolio are more likely to require a broader
set of supported technologies.

Evaluation guideline
s
:
The best method to
ensure

a WAF works with you
r

applicatio
n is to test it, i.e. to
run an

acceptance test with the WAF

deployed and configured.

4.2.1

Specific Application Support

For many organizations the applications in scope for WAF protection will be limited to a specific set of
app
lications. In this case the best option is to list these specific applications and evaluate whether the WAF
works well with them.

4.2.2

Application
Protocol

Support

For organizations with a broader application base or that anticipate the need to support a broad

range of
application technologies, the following is a li
st of
potential

application technologies that a WAF may or may
not support. Its importance to your organization depends on whether you use the technology or not.

A.

HTTP

HTTP is the fundamental
underlying
protocol for many web applications. Verify
that WAF supports the version(s) in use by
your application portfolio.






Verify support for relev
a
n
t versions:


1.HTTP/0.9


2. HTTP/1.0


3. HTTP/1.1


Verify support for encoding types in

use. Widely
-
used encoding types are
below (yours may vary)
:

1. application/x
-
www
-
form
-
urlencoded encoding

2. multipart/form
-
data encoding

3. v0 cookies

4. v1 cookies

5. chunked encoding in requests and
responses.

6. request compression

7. response compres
sion

B.

JSON

JSON is a protocol often used for modern
and “mobile” web applications.

If iW is in
us攠bX Xour applicaWion porWfolio v敲ifX WhaW
Wh攠WAF supporWs Whis us攮

[䵋: looking for inpuW as Wo 睨aW Wo
puW in h敲攠as sWandard supporW
iW敭s r敬aW敤 Wo

JSON]

C.

Other

[MK Are there other application protocols
we would want to include as “standard

ones to look at? In some of the comments
on WAFEC v1, HTML5 was mentioned
which doesn’t quite fit this section on
protocols…does it justify a separate
sectio
n?]



4.2.3

SSL Support

SSL is often used to
encrypt the communications between the browser and the applications. In order to
inspect and protect the application a WAF must be able to get access to the unencrypted stream.


A.

Access

How does

the WAF
access SSL
Terminates SSL. The network needs to be re
-
encrypted communication?

configured to move the SSL operations to the
WAF itself. WAF decrypts the encrypted traffic
to get access to the HTTP data. The
communication between the WAF and the web
server
can be in plain
-
text, or SSL
-
encrypted.


Passively decrypts SSL. Configured with a copy
of the web server's SSL private key WAF
decrypts the SSL traffic. The original data
stream travels unaffected to the web servers,
where it is separately decrypted and
p
rocessed.


Embedded. Working embedded in a web
server, a WAF can be positioned to work after
the SSL data is decrypted on the server.

B.

Cipher Suites

A Cipher suite refers to the
encryption algorithms used to
encrypt and decrypt data.

Does the WAF
support the cipher suites that
are in use by the applications?

[MK do we want to list ciphers here
? We had a
list in WAFEC v1 and resulted in a lot of
misguided check box evaluations
]


Some servers allow negotiation of cipher suites
based on support by the

browser. This may
result in an unacceptable cipher suite to be
used either unintentionally or via a crafted
attack. Can the WAF enforce a minimum or
specific cipher suite.

C.

Client
Certificates

Client certificate


D.

Implementation
Security

Some environments require
special certification of the
handling of private encryption
keys and/or certification of the
underlying encryption software.

Can the WAF retrieve SSL k
eys from an
external key storage

facility (e.g.
local or
network
-
based Hardwa
re Security Module)?


Is the SSL implementation FIPS 140
-
2 certified?
Which FIPS levels
are supported (level II and/or
III)?


4.2.4

Authentication Support

Many applications that warrant the protection of a WAF are authenticated applications. As such it is
important that the WAF can support the authentication methods in use for your applications.

For all modes, verify the following for all relevant authentication schemes:

1.

Application functionality and authentication continues to operate with WAF in place?

2.

WA
F can identify users for policies?

[MK In some cases, users will want the WAF to be the point of authentication, I feel this should be in “other
functionality” do others agree?


Authentication
Scheme

Considerations

A.

Client Side
Certificates

Are client
certificates supported in all relevant modes for the
deployment?


For termination mode, can the content from client
certificates be sent to the application using some alternative
transport method (e.g. request headers).

B.

Basic
Authentication


C.

Digest

Authentication


D.

NTLM
Authentication


E.

Other

Many applications use an outside software or service for
authentication. For example, higher security environments
might require a two
-
factor authentication for users. These
solutions might use a combina
tion of the above methods in
combination with proprietary capabilities. Verify the WAF
supports the specific authentication product or service in
use.





Reverse
proxy

Tra
nsparent
reverse
proxy

Transparent
bridge

Out of
line

Embedded

Network
architecture
changes

Yes

No

No

No

No

Software
configuration
changes

Yes (1)

No

No

No

Yes
-

requires
installation
on each

web server
that needs
protection

Site/application
changes

In some
cases (1
)


In some
cases (1
)

No

No

No

Network point
of failure

Yes, but can
be

deployed
in HA
configuration

Yes
,
can be
when fitted
with a fail
-
open card

or
configured
for high
availability

Yes, but can
be
fitted
with a fail
-
open card

or
configured
for high
availability

No

No

Change to
traffic dynamics

Yes.

Traffic
redirected to
proxy via
DNS or
routing
changes.

Yes
.

Traffic
redirected
to proxy via
DNS or
routing
changes.

No

No

No
.

Negative web
server

performance

impact

None

None

None

None

Competes
for server
resources;
can affect
server on
malfunction

Network
separation

Yes

Yes

Yes

No

No

Scaling

TODO

TODO

TODO

TODO

Easy; scales
implicitly
with web
servers

SSL

Termination

Termination

Passive
decryption

Passive
decryption

Not
applicable

Changes client
IP Address

Yes

.

No

No

No

No

Response
Options (see
section

3.2 for
definitions)

Passive

Active

Intrusive

Passive

Active

Intrusive

Passive

Active

Intrusive

Passive

Passive

Active

Intrusive

Content
rewriting

Yes

Yes

Limited

No

Yes

Notes:

1.


There are two cases when application changes may be required:

1.


If the site requires cl ient IP address to operate correctly and it is not possible to modify the configuration of the
web server "fake" this information, then the only other solution is to modify the application to take the client
IP address information fr
om somewhere else (typically request headers)

2.


If the site relies on the SSL private certificates to operate correctly then it will have to modify to retri eve this
i nformation from somewhere else (typically request headers).




i

RFC 2616

(Hypertext Transfer Protocol

HTTP/1.1)
http://tools.ietf.org/html/rfc2616