slink: WAF: Wrong Approach Firewall

https://media.ccc.de/v/gpn24-385-waf-... Web Application Firewalls (WAFs) for filtering based on HTTP and payload are omnipresent. In this talk an argument will be made that, in many cases, the wrong approach for implementing WAFs is chosen: They are implemented as "deny firewalls" which specifically forbid "bad" traffic based on pattern rules, while for network security (layers 3/4) professionals would only ever follow an "allow firewall" approach, which explicitly lets "good" traffic pass and denies everything else. "deny WAFs" are oftentimes marketed as simple, easy to use, out-of-the-box solutions, but, by design, they can only prevent known exploits. Also, practical aspects limit their potential, when rulesets breaking functionality have to be disabled. While the "allow WAF" approach presented here implies more effort, its main advantage is protection against new attack vectors ("zero days") and it comes with a lot of side benefits, such as improved performance and resilience through caching. Concepts will be introduced: HTTP Basics Signed URLs / signed requests Regular Expressions HTTP Caching Practical examples with Vinyl Cache will be presented: Rules based on HTTP method and URL Header filtering Regular Expressions on body data slink https://cfp.gulas.ch/gpn24/talk/9TSLFQ/ #gpn24 #CyberSecurity Licensed to the public under https://creativecommons.org/licenses/...