• No results found

Cloud-Based dwaf A Real World Deployment Case Study. OWASP 5. April The OWASP Foundation

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Cloud-Based dwaf A Real World Deployment Case Study. OWASP 5. April The OWASP Foundation"

Copied!
20
0
0

Loading.... (view fulltext now)

Download now ( 20 Page )

Full text

(1)

Copyright © The OWASP Foundation

Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

OWASP

Cloud-Based dWAF

A Real World Deployment Case Study

Alexander Meisel

Riverbed Technology

alex AT meisel DOT cc

(2)

Alexander Meisel

 Director Engineering WAF @ Riverbed Technology

 Former founder and CTO of ‘art of defence’

 OWASP Germany (Paper on Best Practices WAF)

 Likes Performance, Scalability and Security

 Email: alex

AT

meisel

DOT

cc

(3)

Agenda

 The Cloud … Infinite Space in front of us

 WAF vs. dWAF vs. cloud based WAF

 Customer expectations / operations

 Step One: Datacenter (home ground)

 Step Two: Cloud deployment

(4)

The Cloud … Infinite Space in front of us

“Space, the final frontier. These are the voyages of the starship Enterprise. Her five-year mission: to explore strange new worlds, to seek out new life and new

civilizations, to boldly go where no man has gone before.”

(Star Trek NG opening lines)

“Cloud, the current frontier. These are the voyages of the distributed web application firewall. The mission: to explore strange deployments, to seek out new deployment

scenarios and (cloud) platforms, to boldly go where no web security software has gone before.”

(5)

Cloud space

 Virtualization

 OS: Full virtualization, partial virtualization, Paravirutalization

§  Enabling technology for Cloud

 Storage:

§  Traditional Filesystem: Host-, Device-, Network-based §  New: Object-based with HTTP interface

 IAAS, PAAS, SAAS

 Boring, you heard all of this.

 Pricing, CapEx, etc.

(6)

Cloud space (Pro’s and Con’s)

 Con:

 Most Apps are not developed for the cloud  Availability is an issue (SLAs don’t solve this!)

 Persistent performance of virtual infrastructure is not guaranteed

§  Latency §  Bandwidth §  CPU time

§  I/O local and remote

 Shared infrastructure with complete strangers  No inter-cloud-vendor API standard

(7)

Cloud space (Pro’s and Con’s)

 Pro:

 Money (paid incrementally)

 Scalability (Reacting to business velocity)

§  Unlimited capacity (at a price ;-) )

 Agility (be closer to the customer)

§  Business expansion on a budget

 Flexibility

§  But ONLY when App’s are developed with cloud in mind

 Highly Automated (using APIs)

(8)

Cloud space (Applications)

 Traditional (local)

 Server based (Web and others)

 Client Front-End

 (potentially) multiple Back-Ends like DBs and Disks

 Cloud based

 Multiple Client Front-Ends

§  SOAP, XMLRPC, WEB, REST

 Distributed Architecture

§  Program blocks are split up and distributed over several systems communicating over APIs

 Multiple Back-Ends via distributed program blocks

(9)

Cloud Space (App Deployment)

 Apps get installed on (versioned) images of systems.

 The new image get deployed into the cloud in

parallel to the current image

 Once deployment is complete, traffic gets moved

(migrated) to the systems with the new image

 After some ‘burn-in time’ the systems with the old

image get shutdown and deleted

(10)

WAF vs. dWAF vs. WAF in the cloud

 Traditional WAF

 Box or monolithic Software

 In front of the App (Load Balancer, Proxy, etc)  Near the App on the Web or Application-Server

 WAF in the cloud

 Traffic is being redirected (via DNS for e.g.) to traffic scrubbing and protecting proxy farm of WAFs

 dWAF

 WAF software divided into is parts made to scale over several systems (policy engine, client agents,

(11)

Case Study: The Customer

 Has highly agile development department

 They live DevOps because business is changing

very fast and growth is exponentially

 They host apps in their own data center but the

data center is limited in space

 They realized that the move to cloud in

inevitable, but they want to do “the Right Way”

(12)

The Customer

 They realized that the application needs to be

reengineered and made it cloud ready by

re-writing it completely

 They wanted to automate as much as possible

using APIs and services of the cloud provider(s)

 They wanted to be compliant, audible, scalable

(13)

The Customer

(14)

The Customer

 The traffic growth (last year) looks like this:

Data Center Capacity Limit Cloud Test Ballon

(15)

The customer

(16)

Test Deployment in (own) Data Center

 Challenges

 A dWAF deployment is very different from traditional a WAF. Engineers tried it on their own without

reading the manual

 Testing the system under load

 Solutions

 Explain the architecture and help the engineers on their first install of the software

(17)

Cloud Deployment and Rollout

 Challenges

 Networking between own Data Center and Cloud Provider and NAT

 Cloud Provider inter Data Center networking  Cloud Provider IP address assignments

 Reduced Load Balancer functionality in Cloud

 Automated Scaling of Policy Nodes based on some key metrics acquired through dWAF and

Cloud-Provider APIs

 Licensing options with Vendors are limited and not Cloud-Aware/Friendly

(18)

Cloud Deployment and Rollout

 Solutions

 Applications should never use IP addresses to tag sub parts of the system. In order to find new sub systems a service discovery service has been developed and deployed.

 WAF sub-systems need to register with the service discovery system

 Communication between WAF parts need to one way to get through NATed networks.

 WAF components use a generic HTTP based

LB-Service to distributed workload and make the overall system more fault-tolerant

(19)

Cloud Deployment

 So what does it look like?

Load Balancer Web Server Decider / Enforcer Load Balancer Enforc er Web Server Network Firewall Web Server Decider /

Web Server Web Server Web Server Enforc er Web Server Enforc er Web Server Enforc er Web Server Enforc er Web Server Enforc er Web Server Enforc er Web Server Enforc er Web Server Enforc er Web Server Enforc er Web Server Enforc er Web Server Enforc er Web Server

Load Balancer Load Balancer

Enforc er Web Server Enforc er Web Server Enforc er Web Server Enforc er Web Server Enforc er Web Server Enforc er Web Server Enforc er Web Server Enforc er Web Server Enforc er Web Server Enforc er Web Server Enforc er Web Server Enforc er Web Server

Load Balancer Load Balancer

Enforc er Web Server Enforc er Web Server Enforc er Web Server Enforc er Web Server Enforc er Web Server Enforc er Web Server Enforc er Web Server Enforc er Web Server Enforc er Web Server Enforc er Web Server Enforc er Web Server Enforc er Web Server Load Balancer Cluster Management Cluster Management

Data Center 1 Data Center 2

Data Center 3

Load Balancer Load Balancer Load Balancer

Policy Engine Policy Engine Policy Engine Policy Engine Policy Engine Policy Engine Policy Engine r Policy Engine Policy Engine Policy Engine Policy Engine r Policy Engine Policy Engine Policy Engine Policy Engine r CLOUD PROVIDER PRIVATE DATA CENTER Network Firewall

(20)

References

Download now ( PDF - 20 Page - 382.24 KB )

Related documents

Diabetes Patient Education in The Office Setting

Physicians are involved in the delivery of hospital-based diabetes patient education about half the time in small hospitals and a quarter of the time. in large

: Sander Pol Consultancy B.V.

Development for PCUI (People centric user interface) Making screen adjustments, put in the user authorization in the screen layout. Several BADI

Globes on the Web – The Technical Background and the First Items of the Virtual Globes Museum

The plan is to create a digital model after taking a complete photo series of the globe and redrawing the whole surface in the virtual space.. As this will be a huge project,

Competition and quality indicators in the health care sector: empirical evidence from the Dutch hospital sector

For the cataract and bladder tumor diagnosis groups, we can show how to interpret the magnitude of the estimated relationship between quality scores and market share through

Course in Time Travel 2

Let us travel with our hypothetical Cosmic conscious time traveler as he travels back billions of years into the past, and watch through his eyes, and understand through his mind,

Weight loss interventions for adults with overweight/obesity and chronic musculoskeletal pain: a mixed methods systematic review.

function. However, the review focused on pain and functional outcomes rather than weight loss itself as.. an outcome measure. Additionally, the review was restricted to RCTs

Pre Treatment Air Gambut dengan Lempung Cengar dan Penyisihan Zat Organik dan Kekeruhan dengan Membran Ultrafiltrasi Sistem Aliran Cross-Flow

Hal ini disebabkan karena penambahan koagulan Tanah Lempung Cengar pada pre treatment koagulasi- flokulasi telah menyisihkan partikel- partikel koloid yang terdapat

MuhamadHandiGunawan

If we don’t understand the non-verbal communication from different culture, it is possible If we don’t understand the non-verbal communication from different culture, it is