hello welcome everyone thank you for joining us for today's webinar web application firewall 101 what is a waff my name is evan flugrad and i am joined by today's presenter morris mcmullen before we begin i want to draw to your attention the questions panel which you should see on the right hand side of your screen you may need to expand the panel by clicking the plus sign or down arrow for full view morris will take questions at the end of this walk through you are encouraged to submit your questions at any time today's webinar is being recorded and will be made available after its conclusion i'll now hand it over to morris for the demonstration portion of this webinar thanks so much for joining us today hello and welcome my name is morris mcmullen and i'm a product manager at progress with responsibility for loadmaster load balancing products today i'm going to do an introduction to what a web application firewall or waff is i'll take a look at some of the attacks that a waft can prevent and also do a quick run through how easy it is to set up waff on load master the fundamental challenge that we face is that web applications have vulnerabilities and that vulnerabilities are not limited to homegrown applications we regularly see reporting of vulnerabilities and market-leading applications as well as we can see from the industry analysis the number of apps with vulnerabilities is significant and nobody can be complacent about how secure their application is you may ask the question why would hackers attack me i'm not a mega corp i don't hold state secrets i don't have anything of value for them well it's more complex than that um yes extraction the the stealing of data is a key motivator for hackers while you know items like credit card details are obviously of value hackers can also see value in stealing information such as lists of username as this can be used to craft other attacks extortion via ransomware or threatening to publicly sensitive information is also a motivator again the sizer type of organization is not necessarily significant to make these attempts financially worthwhile for the hackers vectoring is where your compromised web application is used to deliver deliver malware to visiting clients while no actual damage is done to your application on on the surface there is the potential for reputational damage and potentially even having your website blocked by search engines and client protection software let's look at the topology of a waft solution protecting against vulnerabilities is a multi-layer challenge and one of the most significant layers is the web application firewall so how does a waff help well a waffle is a proxy that sits between users and a web application and inspects all traffic for malicious attempts to exploit vulnerabilities and it can block such attempts from getting to the web application as part of a layered security approach load master waft can deliver logging and event information to external security and monitoring services the waff uses a set of rules to provide protection against a wide range of attacks this set of rules has evolved over the years to provide coverage for new and emerging chats and is updated automatically on a regular basis but by the load master the loadmaster waffles provide protection against the major vulnerabilities identified in the wasp top ten o ashburn independent industry supported group who focus on application security and who annually conduct research into application security over the years the vulnerabilities and the oasp top 10 have changed as new exploits become more common and older exploits have been mitigated over the years as application vendors fixed vulnerabilities the rules provided by loadmaster include these older vulnerabilities alongside application specific protection we'll take a look at some of these vulnerabilities and how they are exploited let's have a look at what an sql injection attack might look like this is a very very simplified example just to illustrate the attack an sql injection attack will attempt to modify the behavior of an sql statement at the back end server by injecting additional sql commands or doing some modification to the s sql command so in this example we have a form that takes in some variables and an sql statement is constructed based on the values in the form fields in normal use the form is completed by the user and the sql statement is constructed as shown the user that matches on both john and smith is selected and returned to the user however if a malicious actor injects some additional sql via the surname field the results returned are completely different as one equals one is always true then the r statement with family name will always return true as a result the sql statement is actually selecting all users with the first name john not exactly what was originally intended by the developer this is a simplistic example in extreme cases it shows how a web application may be exploited to deliver more than was intended variants of this attack could actually execute sql drop statements for example to the parts of a database so protecting against injection is still one of the top vulnerabilities and has been for many years another type of vulnerability is broken access control where a user can act on resources outside their intended permissions in this example we see a normal axis where a user accesses their own account however if we modify the parameter on the http request allowed to access someone else's account again not exactly a desirable outcome the examples shown here are very simplistic applications should be coded much better than this but they still may be susceptible to well-crafted attacks designed to exploit a very specific weakness application weaknesses they may be inherited from third-party or open source components which when updated may introduce new vulnerabilities this is why application protection should be ongoing and not just based on periodical security checks such as application penetration tests the cve.meter.org site provides a searchable list of discovered vulnerabilities that you can use to see what weaknesses may be in your applications or in the components that they use a lot of these vulnerabilities may be historical and may already have been fixed by updates from the developer even before the cve notice was published interestingly i had a quick look on the cve list and did a search on sql and this was in september 2022 and there at the top of the list was an application that had the one equals one sql vulnerability so some of these old vulnerabilities are still hanging around in applications these vulnerabilities do exist they exist in all types of applications and application components and are constantly being discovered and exploited by hackers now let's look at how to set up waff on load master and what of options are available to fine-tune the waff for your application we'll assume that the virtual service for the application is already configured on load master from there enabling raf on the load master is easy it's just a tick box uh one thing to note is that waff is cpu intensive and may require additional resources you know in a virtual environment assigning more memory more cpu uh on a hardware platform you may need to size for a bigger appliance you can fine-tune how sensitive the waff is by setting the anomaly scoring threshold each trigger detection and request raises the anomaly score most detections will add approximately five to the overall score it's good to leave it at this default value for a while to assess how the waff and your application are interacting the paranoia level defines how strict the raf engine implements the rules you can raise the paranoia level and advanced settings and also test for higher levels of paranoia without actually block any uh traffic as part of the refinement of the the waf implementation by adjusting the paranoia level and the anomaly scoring threshold you can get to that desired point of not blocking legitimate traffic yet providing sufficient protection to detect and prevent attacks which sets of rules to implement are selectable so if for example you don't use php you can disable the php rules the rules are grouped around specific wasp vulnerabilities and common development tool sets and deployment frameworks there are also groups of rules focused on enforcing best security practices for example for the http protocol in each of the rule categories you can enable and disable specific rules providing further granular control you can also augment the provided rules with your own custom rules to address specific application scenarios there is documentation on the loadmaster support site and how to write custom rules and of course our support team are always there to assist as well the provided rules also include some application specific rule sets that are fine-tuned to simplify deployment of waff for these workloads another very useful feature included with the loadmaster waff is ip reputation blocking as part of the standard waft route set we include an ip reputation list this list includes ip addresses that have been identified as sources of bad actors by enabling this all these bad actor ips are blocked from establishing connections this list gets the same regular updates alongside the rules you can do further i p blocking by country under the advanced graph settings as part of the ip reputation update i p address list by country are provided to allow blocking of a complete region simply select the countries from the list and traffic from known ip address ranges in that country will be blocked it's not 100 foolproof as it won't detect vpn usage and some ip blocks such as let's say a large carpet network over there may span multiple countries i hope that this introduction to waff in general and specifically on how loadmaster delivers advanced web protection was useful and showed how loadmaster makes waff easy and provides the ongoing protection for all your application workloads the easiest way to get started is to download a loadmaster trial from chemtechnologies.com and to deploy it and configure the waff uh this can easily be done in parallel to your live traffic so you won't have any impact on your existing users [Music] all right thank you so much uh morris we will now be taking questions so i ask you to please submit your questions in the panel on the right hand side of your screen and we will get to those as they are received morris i will invite you to come back on for some questions that we had pre-submitted i'll start with a question here this is more of a two-part question but can you summarize and review the different attack types that a waff can prevent likewise give us a little bit of a summary of laugh protection against a wasp top 10 attacks and for our viewers who might not be familiar could you explain a little bit more about owasp how often that is updated and just more background there okay um oh quite a long question uh the types of attacks that are protected against um again we look at the the oh wasp top ten and there's no that's constantly changing a lot of these are uh no let's say exploitations of potentially a bad implementation okay so things like uh you know broken access controls uh that idea that you can just change your url and move across those type of things but there's other things in there as well within the uh wasp top 10 where people have you know misconfigured some security parameters they're using a mixture of http and https uh providing you know ways for hackers to exploit that there's uh one of the uh the security risks is the using no vulnerable or outdated components uh you know somebody decides to build a website using a component and suddenly the developer decides to move on to something else you're left with something that's not maintained it's got vulnerabilities in there that is seen as something that gets exploited within again it's it's there on the uh oh wasp top 10 left list so i get those it's a lot of it is uh providing that layer of protection through looking at known patterns that are attacks on various applications and providing that protection against them uh the second part of that question uh it's now skipped my mind it's quite a long question uh uh can you just repeat it for me yeah it was more that the uh how often is updated et cetera right right yeah just more generalized insight into oh um yeah how often that list is updated and right yeah so the list is updated every year and it's a reflection of what the u.s organization have discovered through their research and okay the latest version is the 2021 list 2022 will come out uh after they've completed their research for for uh this year and the oasp.org website is actually very very comprehensive that's o w a p asp.org okay it'll give you the list etc but it'll also give you a deep dive into uh the vulnerabilities and whether that's from you know the statistics there to show you the prevalence of those vulnerabilities or to look at the actual technical exploits uh that uh you know how they actually work you know what a hacker may do to actually uh to exploit the vulnerability so there's quite a lot of information there uh if anybody wants to go there okay that's great thank you um so much i know that was a longer question there and yeah thanks to everybody that's submitted questions so far um continue to send those in and we'll get to them um i see there's a question i have a loadmaster 3000 virtual load balancer how do i activate waff on that if you could maybe share on kind of a high level their initial steps to get started okay so on the virtual load balancer the uh first of all uh the uh raft capability depends on uh the support subscription that you have so you need to have an enterprise plus subscription there and it is as simple as uh as i showed there if you already have your virtual service enabled you can just click on the the laugh button to enable laugh now my suggestion would be rather than going in there and doing that is to download a trial deploy it in parallel do your laugh uh experiment and tuning there out of band so you're not impacting on existing traffic so but once you're happy with it you understand your environment you can see how the wife can provide protection without impacting on regular traffic then it's simply a case of you know you can if you don't have an enterprise plus subscription currently you can upgrade to that and that will enable the tick box to enable waff and from there you can proceed thank you um okay so i i sorry i just i can see some of the questions coming in here now as well so what is the risk for false part positives and how is it log and troubles uh troubleshooting so yeah there's there's always a risk of uh false positives uh just by the nature you know uh all applications you know have their own little quirks and uh what works for one may not work for another so you have that challenge of you know not interrupting normal business there is in the the user interface and uh you may have noticed it there in one of the screenshots that there is a troubleshooting uh guide there so you can see uh the latest um uh runes that have been fired what caused them etc and that gives you insight into uh how you can fine tune uh the the uh the way i have to reduce that uh false positive okay and there's another question here how do we uh are able to detect attacks when the traffic is encrypted addressing okay if the traffic is encrypted end-to-end from the client to the web server then we cannot see inside it and therefore we can't apply any waft controls however the normal way that the load balancer works is it's providing ssl offloads so that the traffic's been decrypted at the load balancer and it's in the clear within the load balancer and can be uh inspected uh by the waff engine at that stage and then optionally re-encrypted and sent to the the application servers all right uh and there's a question here on my loadmaster i see two wrath options uh uh one is legacy and one is wow what is the difference uh there the legacy raf used a rule set a that was produced commercially by an organization that has now stopped doing that so it behaved in a slightly different way so that is being deprecated there uh in terms of uh ongoing updates to that rule set so that provides a way for customers to still use the legacy system but have a way as well of looking at the the new way of implementing life so that's the difference and there's also a question uh can the default rules pair the paranoia setting be adjusted in any way or do you have to create exceptions uh the yeah the the impact of any rule can be uh adjusted by the paranoia setting so within the default rules the parallelo setting is saying how aggressively the engine is going to apply that rule so at a lower parallel setting something might get true and a higher paradigm setting it might get blocked so it's a matter of fine-tuning that and you may have to create rules to have exceptions to get around that because something may get triggered at a very low paranoia level uh with your application so it's uh this is part of the that fine-tuning and refinement that you would do prior to deployment to get that balance between providing maximum protection but still allowing your your users to access the application and there's a question what is the better practice rising on the scoring threshold or the paranoia level i will uh hold my hands up and say i am not 100 sure of which is the uh the best way to do that so i apologize but i we will try and get something uh back on that there every mechanism for adding comments on this year evan afterwards yeah yeah we can we can come back to that i i i honestly i i can't under answer that there with any authority sure so thank you for that question and any more questions that anybody has feel free to continue to add those and we will take a few more minutes here to answer those questions i know we have a few more that were pre-submitted that we can roll through um one morris is um are any application modifications required to achieve wag protection using the the load master uh no is that probably the this short answer but again uh there may be some oddball applications out there that have uh you know something that does work but in general there's no it is a case of dropping the wife in front of your web application and proxying your client traffic through the loadmaster through the web application firewall to your uh your web application so no changes required on the application side perfect a uh another question there is for organizations who are looking to deploy the loadmaster's wife what are their deployment options the lav is available on all of the the load master platforms uh with the exception of the loadmaster x1 hardware platform the reason for that is that uh waft does consume additional resources it's a little bit more cpu intensively needs a bit more memory but it's available on uh all the the hardware platforms apart from the x1 all the virtual platforms that's either on a local hypervisor or in the any of the supported cloud platforms as well so it's available everywhere and again it's on whether you're on a a perpetual license or you're on a subscription page you go for example in the cloud that's available there as well thank you um one more that we have here is can you have different waff configurations for different applications um on the same load master uh yes is the the short answer uh the raf is implemented on a a pair virtual service uh basis so for example you could have uh an application that has a web app aspect to it and an api and you can set up two virtual services one for the web part one for the api part and each could have a different wav configuration because you're trying to protect against different things on both potentially so yes uh absolutely uh we can have multiple lap configurations on a single load master great to hear one more that we have here is uh if you can add to the list of blocked ip addresses is that a possibility with the load master waff yeah um yes is a short yes is a short answer there's a couple of different ways to create uh custom blocking uh of ip addresses or or even subnets one way is using the wife and creating a custom rule uh another is to define a custom acl or access control list either way works it's just their matter of preference uh the acls are defined uh via the the user interface and it makes it better for somebody not familiar with the syntax of waff rules uh but the loadmaster supports site provides guidance on creating custom rules uh for the the wife and if my memory serves me correctly there's actually some examples there of creating waff rules for blocking specific ip addresses or a range of ip addresses so there's different ways of doing it either using the wife or with acls sure and two more questions that we have here and i'd remind everyone that if you have any questions go ahead and submit those we'll continue to take questions for a few more minutes here morris could you share what the primary source of attacks on web applications what that is okay so i'm not sure what people made by source but if we look at uh in general the source a generally they're bot networks uh so uh you know it's a case off you've got the bots are calling the internet looking for victims and being randomly picked by a bot is normally the reason for an attack you know if somebody wanted to do a targeted attack it's probably going to be a bit more finessed a bit more manual a bit more focused on uh your particular application so in general it's like it's a drive by you're you're just getting caught by the bot uh doing it so it's bot based uh you know and in terms of source that that could be from anywhere no it's not just the usual suspects off you know in north korea or russia that maybe the the actual source of your your uh your attack in terms of where the the traffic is coming from because bots will use compromised home computers and you know they pick them up all around the world globally so you could have an attack that is you know predominantly coming from the us the uk germany other regions it's not necessarily where the hackers are physically located but it's more where the compromised uh devices are okay so in terms of the source you know it's bots and it can be from absolutely anywhere so for example if you decide to block oh if you're running let's say a a site and you know that all your your customers are within your own country blocking all the other countries and just to learn your own may not give you that protection because compromised devices in your own country could potentially attack you that's great and i see another question popped into the chat there can we combine waff with duo do oh with you for uh for authentication yeah uh i'm not overly familiar or familiar with sorry i'm not familiar with uh what i mean there by jewel auth but uh we do provide uh authentication on uh the loadmaster uh it works you know we can authenticate uh once authenticated all traffic is you know subjected to the wife as well so in that sense they're combined i'm not sure if you're looking for something a bit uh deeper on that uh in terms of combining well with you sure yeah um one other question here so you mentioned as one layer of security to achieve layered security for web applications what other layers should one consider beyond the laugh itself oh that's a that's a another leading question yeah how long is a piece of string and there's a couple of basic things you know like security is that multiple layers and you know it's it's a lot of different things but just focusing on let's say that the application security part i would say that regular patching of applications to later data versions is good practice and you know generally vendors are doing some sort of penetration testing attack testing on their own applications they're discovering vulnerabilities whether they get introduced by you know a new bit of functionality has been developed or they've got an updated library whether it's an open source or from a third party so they'll discover those they'll patch them up the etc so uh that's the the first thing uh to to say you know do your patching regularly uh looking at a sort of a a bigger picture ways off sort of preventing uh attacks or you know minimizing the chances of attack uh sometimes something as simple as a capture can work now again uh some people think that they're very annoying but providing a captcha so that uh people have to solve the problem whether it's a simple taking i'm not a robot or it's searching for traffic lights or whatever it might be that can be enough to uh to be a barrier for these bot based attacks where you know either they they they can't solve the the capture or they made a decision that okay we can't be bothered solving captures we're good no it's back to that thing about uh you know you don't have to outrun the the the lion that's chasing you you just have to outrun the the other guy so that can provide uh the protection um potentially you could look at using authentication there i know we mentioned uh somebody mentioned tool auth there but using authentication pre-authentication is a good idea so that stops anybody from getting near any of your web properties until they've successfully uh authenticated and then you can you know have all sorts of authentication schemes there with two-factor authentication and then get into you know zero trust network access where etc so you can do a lot to with authentication to make sure that you know somebody doesn't get make it as difficult for somebody to get through to exploit your application but in terms of layers you know we can then start going out and looking at you know all sorts of other layers in there in terms of uh you know there's client side security there's you know uh ddos there's a lot of protections and layers of security in there and some of it is uh as well when you know if you're developing applications in-house there are tool sets there to test application security and there's also actually on the owasp website they provide a tool called zap which allows you to actually uh do your own testing against your your own web properties as well so that may be a useful thing to use as well that's fantastic so i'd give one final opportunity for anybody to ask any final questions here before we wrap up morris i thought while we um allow another minute or two you could maybe share um next steps for anybody interested in deploying a waff and then also um steps they might take to test the wife yeah the simplest way is as i mentioned is if you don't load a trial the trial version includes uh on the wav functionality in there and just to place it let's say on a virtual machine on your desktop you know wherever and point that at your web application the configure the web see how your application behaves using the web use tools like the zap tool that i mentioned or there's there's quite a number of other uh testing tools out there that will uh you know try to to attack your website so you can use those to do a test to see how the the wife is performing and that'll allow you to you know adjust all all the parameters to to get you the maximum amount of protection there uh while still allowing the application to function so that will give you that sort of confidence that hey this will work for me okay so the simplest way is just to as you say get the trial run it up and then when you're happy with that you'll be able to take your your uh knowledge into a production environment all right well thank you so much for joining us and morris thank you for taking the time to answer all our questions today if no more questions we will conclude today's webinar thanks all for attending video of this webinar will be available on demand to you shortly so thank you so much and have a great day you