15 July 2019

FortiWeb - SQLi Test



I have already written a lot about Web Application Firewalls (WAF). I think these appliances are useful for protecting web applications at layer 7 from sophisticated attacks such as XXE or CSRF. In fact, I have already deployed, installed and configured several WAF appliances, such as F5 BIG-IP ASM and AWS WAF. However, I had never deployed, installed and configured the Fortinet FortiWeb WAF appliance until last week.

Fortinet FortiWeb is a Web Application Firewall with many more web security features than a Fortinet FortiGate for blocking web application attacks. For instance, FortiWeb can be configured with machine learning to protect web applications from known and unknown exploits, so it defends applications both against known vulnerabilities and against zero-day threats. I think FortiWeb is as easy to manage and configure as any other appliance in the Fortinet family. In addition, FortiWeb can interoperate with the Fortinet Security Fabric.

There are many network topologies in which to deploy a WAF. On the one hand, we should always deploy the WAF behind the network firewall, so that the WAF sits between the firewall and the web servers. A WAF and an IPS are not the same thing: most network firewalls include an IPS, which is useful for blocking layer 3 and 4 attacks such as IP spoofing or DoS, whereas a WAF blocks layer 7 attacks. Therefore, we should block layer 3 attacks before layer 7 attacks.

FortiGate + FortiWeb

On the other hand, we should deploy the WAF in front of the load balancer, so that the WAF sits between the load balancer and the clients. There are two main reasons for this deployment. Firstly, we do not have to balance the WAF devices themselves; we balance the real servers. Secondly, HTTP requests will correctly appear to originate from the real client's IP address, not from the load balancer's address (due to SNAT).

FortiWeb + FortiADC
 
These are two recommendations for planning the network topology. However, we have to take another one into account: the choice between router mode and one-arm mode. In router mode the real servers' gateway is the WAF, so there is no SNAT, but we need a new network to deploy the WAF between the real servers and the network firewall. One-arm mode is easier to deploy because we do not need a new network, but SNAT is required, so the X-Forwarded-For (XFF) header has to be enabled for the real servers to know the clients' IP addresses.

One-arm mode topology
 
FortiWeb is easy to configure and manage. If we want to configure a basic security policy to defend a web application, we have to configure a server pool, a virtual server and a server policy. Firstly, the server pool is the set of real servers that are going to be defended. Secondly, the virtual server is the WAF IP address that listens for HTTP/S requests. Finally, the server policy is the security configuration that defends the server pool behind the virtual server IP address. For instance, the next video shows a basic security configuration that defends a web application from a SQLi attack.


Vulnerable query built by string concatenation:
"select * from users where LAST_NAME = '" + userName + "'";
Resulting statement when userName is Lim' OR '1'='1 (the OR condition is always true, so every row is returned):
select * from users where LAST_NAME = 'Lim' OR '1'='1'
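The following is an added example, not code from the post or from Fortinet: it runs the concatenated query above against a constructed in-memory SQLite table, puts the parameterised query beside it, and applies a few signature-style checks of the kind a WAF such as FortiWeb runs over each request parameter. The table rows, the payload string and the regex signatures are assumptions made for this example; a real WAF rule set is far larger and normalises encodings before matching.

```python
import re
import sqlite3

# Constructed sample data for the example (not from the post).
USERS = [("Alice", "Lim"), ("Bob", "Smith"), ("Carol", "Jones"), ("Dave", "O'Brien")]


def make_db():
    """In-memory SQLite table standing in for the application's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users (first_name, last_name) VALUES (?, ?)", USERS)
    return conn


def find_by_last_name_vulnerable(conn, user_name):
    """Same construction as the post: user input is pasted into the SQL text."""
    query = "select * from users where LAST_NAME = '" + user_name + "'"
    return conn.execute(query).fetchall()


def find_by_last_name_safe(conn, user_name):
    """Parameterised form: the value travels separately, so quotes stay data."""
    return conn.execute("select * from users where LAST_NAME = ?", (user_name,)).fetchall()


# Signature-style checks of the kind a WAF applies to every parameter.
# Illustrative assumptions only; they are not FortiWeb's signatures.
SQLI_PATTERNS = [
    re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+", re.IGNORECASE),       # ' OR '1'='1
    re.compile(r"(--|#|/\*)"),                                        # comment terminators
    re.compile(r";\s*(drop|delete|update|insert)\b", re.IGNORECASE),  # stacked statements
    re.compile(r"\bunion\b\s+(all\s+)?select\b", re.IGNORECASE),      # UNION-based extraction
]


def looks_like_sqli(value):
    """True if any signature matches the raw parameter value."""
    return any(p.search(value) for p in SQLI_PATTERNS)


def demo():
    """Run the attack against both query styles and report what each one did."""
    conn = make_db()
    payload = "Lim' OR '1'='1"
    try:
        find_by_last_name_vulnerable(conn, "O'Brien")
        vulnerable_handles_apostrophe = True
    except sqlite3.OperationalError:  # the legitimate apostrophe breaks the SQL syntax
        vulnerable_handles_apostrophe = False
    return {
        "vulnerable_benign": len(find_by_last_name_vulnerable(conn, "Lim")),    # 1 row
        "vulnerable_payload": len(find_by_last_name_vulnerable(conn, payload)),  # every row
        "safe_payload": len(find_by_last_name_safe(conn, payload)),              # 0 rows
        "safe_apostrophe": len(find_by_last_name_safe(conn, "O'Brien")),         # 1 row
        "vulnerable_apostrophe_ok": vulnerable_handles_apostrophe,               # False
        "waf_flags_payload": looks_like_sqli(payload),                           # True
        "waf_flags_benign": looks_like_sqli("Lim"),                              # False
        "waf_flags_apostrophe": looks_like_sqli("O'Brien"),                      # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things worth noticing when you run it: the parameterised query returns nothing for the payload but still finds O'Brien, whereas the concatenated one returns the whole table for the payload and throws a syntax error on a perfectly legitimate surname. The WAF check catches the payload without flagging either name, but it is a filter in front of a bug, not a fix for it; the server policy buys time until the application uses bound parameters.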

Regards my friends. Have a nice day!

8 July 2019

DNS and Web Filtering



The Internet works with IP addresses, but nobody learns the web server's IP address; instead, we learn the domain name. It is like a telephone number: nobody learns the number, instead we search the contacts list. As a result, the DNS service is very important for most companies. This service has to be always available and its response time has to be short. In fact, if the root name servers were shut down, most people would think there was no Internet.

The DNS service is used by most people, and by most computers for machine-to-machine communications. However, it is also used by most malware, which may request domain names similar to the legitimate one, or domain names that are totally different and hard to remember, as malware with a domain generation algorithm (DGA) does. For instance, the Zeus and CryptoLocker malware families use a DGA to find their C&C server and, thanks to this algorithm, they can bypass security controls such as IP reputation policies.

Malicious Domain Name

There are lots of security websites that help us look up a domain name to find out whether it is malicious or benign. For example, Open Threat Exchange (OTX) is a website where we can search Indicators of Compromise to get a full description of the attack. VirusTotal is well known to most security engineers; there it is easy to look up URLs or upload files to find out whether they are suspicious or infected. Another interesting website is FortiGuard, where it is also easy to look up domain names and IP addresses. All of these websites are useful for malware forensics.

Open Threat Exchange (OTX)

These security websites are useful for malware forensics. However, if we are browsing them, it is probably because the attack or the infection has already happened. It is too late. Therefore, companies should install security appliances that are able to analyse DNS requests and responses to look for suspicious domain names. For instance, this kind of service can be configured on FortiGate devices, where we can block DNS requests and responses by category, such as malicious domains, phishing domains, social network domains, etc.

DNS Filter
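As an added example (not the post's own code, and not how FortiGate implements its DNS filter), the script below does over a constructed DNS query log what the two previous paragraphs describe: it first matches each queried name against a category feed and blocks the blocked categories, then applies a simple entropy-based heuristic to catch DGA-style names the feed has never seen, and finally reports which client IP asked for what, which is the kind of "who is infected" view a DDI or DNS filter report gives. The log format, the feed contents, the thresholds and the sample names are all assumptions made for this example.

```python
import math
from collections import Counter

# Constructed DNS query log (not from the post). The line format
# "<timestamp> <client-ip> <qname> <qtype>" is an assumption for this example.
SAMPLE_LOG = """\
2019-07-08T10:00:01 10.0.0.15 www.example.com A
2019-07-08T10:00:02 10.0.0.15 mail.google.com A
2019-07-08T10:00:03 10.0.0.22 www.facebook.com A
2019-07-08T10:00:04 10.0.0.31 login-paypa1-secure.com A
2019-07-08T10:00:05 10.0.0.31 xk3q9zvt7wplmd2h.biz A
2019-07-08T10:00:06 10.0.0.31 qwv8rtzplmkjh3nbv.info A
2019-07-08T10:00:07 10.0.0.15 en.wikipedia.org A
"""

# Hypothetical category feed. A FortiGate gets this from FortiGuard; here it is
# hard-coded so the example runs offline.
CATEGORY_FEED = {
    "login-paypa1-secure.com": "phishing",
    "facebook.com": "social-networking",
}
BLOCKED_CATEGORIES = {"malicious", "phishing", "social-networking"}


def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score near log2(len)."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_domain(qname):
    """Crude: keep the last two labels. A real filter uses the public suffix list."""
    parts = qname.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def label_features(qname):
    """Length, entropy and vowel ratio of the second-level label."""
    label = registrable_domain(qname).split(".")[0]
    vowels = sum(ch in "aeiou" for ch in label)
    return {
        "length": len(label),
        "entropy": shannon_entropy(label),
        "vowel_ratio": vowels / len(label) if label else 0.0,
    }


def classify(qname):
    """Return (verdict, reason): category feed first, then a DGA heuristic."""
    category = CATEGORY_FEED.get(registrable_domain(qname)) or CATEGORY_FEED.get(qname.lower())
    if category in BLOCKED_CATEGORIES:
        return "block", category
    f = label_features(qname)
    # Thresholds are assumptions chosen for this example: long, high-entropy,
    # vowel-poor labels are typical of DGA output and rare in real brand names.
    if f["length"] >= 12 and f["entropy"] >= 3.5 and f["vowel_ratio"] < 0.25:
        return "block", "dga-heuristic"
    return "allow", "uncategorised"


def analyse(log_text):
    """Map each client IP to the blocked names it asked for, as an infection report."""
    report = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, _qtype = line.split()
        verdict, reason = classify(qname)
        if verdict == "block":
            report.setdefault(client, []).append((qname, reason))
    return report


if __name__ == "__main__":
    for client, hits in sorted(analyse(SAMPLE_LOG).items()):
        for qname, reason in hits:
            print(f"{client} -> {qname} [{reason}]")
```

The order matters: the feed is cheap and precise, so it runs first; the heuristic only sees what the feed did not categorise. Note that the lookalike name login-paypa1-secure.com is caught only by the feed, since its label is long but reads like English, which is exactly why lookalike phishing domains need a feed or a similarity check rather than an entropy test.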

There are also security appliances that analyse HTTP requests and responses to look for suspicious websites. When a computer requests a website, it has already resolved the domain name for that website. Therefore, it is better to block the DNS request, because it happens before the HTTP request. However, web filtering services are also useful because they can analyse the content of a website: we can look inside the website for downloaded malware. In addition, we can even analyse HTTPS traffic, over which lots of malware is downloaded and C&C communications take place, although this requires TLS inspection, so the appliance's CA certificate has to be trusted by the clients.

Web Filter

DNS filtering and web filtering are mandatory for most companies with users who have Internet access. However, in medium and large companies DDI appliances are also useful for better DNS, DHCP and IPAM management. This kind of appliance is also able to analyse DNS requests to look for malicious domain names. In addition, DDI appliances can produce reports that are useful for finding out which endpoints are infected, because they can tie the DNS client IP address back to its DHCP lease.

DNS-DHCP-IPAM (DDI)

Regards my friends. Keep studying!!!