GWAF Crash Course

GWAF is a bundle that includes Apache httpd, mod_ssl, mod_proxy, ModSecurity, and the OWASP Core Rule Set (CRS). It analyzes requests before passing them to backend solutions. GWAF acts as an SSL/TLS termination point and creates new connections to backends. It provides features like load balancing, DDoS protection, and protection from robots. ModSecurity and the CRS provide intrusion detection and prevention via a deny list of rules that detect attacks. Troubleshooting involves reviewing GWAF Splunk logs. Risk assessments are done when updating GWAF rules to understand any false positives, and any risk to backend services if rules are removed.

Uploaded by Arshad Khan

GWAF Crash Course

• What is GWAF?
• modsecurity and OWASP Core Rule Set(CRS)
• GWAF basic usage
• SecRule
• Troubleshooting : Gwaf splunk logs
• ISRA – Risk assessment on gwaf rules update
What is GWAF ? (1/3)
• GWAF is a bundle including:
• Apache httpd
• mod_ssl
• mod_proxy
• mod_security (ModSecurity)
• OWASP CRS
• GWAF analyzes each request before it is passed to the solution backend.
• The main filtering rule set is the OWASP CRS.
What is Gwaf? (2/3)
• GWAF is the SSL/TLS termination point.
• It therefore has access to the request content in plain text.
• It creates a new connection to the backend.
• Other features
• Forward proxy: a server that receives requests from your web browser and makes the request to the Internet on your behalf.
• Reverse proxy: accepts requests from external clients on behalf of the servers behind GWAF.
• GWAF hides the internal servers' characteristics, protecting against unintentional disclosure.
• Mutual authentication
• Load balancing
• Decreases the risk of DDoS
• Protection from robots
What is Gwaf? (3/3)
modsecurity and OWASP CRS
• mod_security
• provides intrusion detection and prevention for web applications, shielding them from known and unknown attacks.
• OWASP CRS
• is a set of application-layer (OSI layer 7) firewall rules.
• based on a negative security model (deny list).
• detects generic signatures for common attack categories, such as SQL injection, cross-site scripting, remote code execution, etc.
• Located at https://github.com/coreruleset/coreruleset
• Drawback: it may block legitimate requests (false positives).
• GWAF_paranoia_level, default value is 4. CRS paranoia levels run from 1 to 4; each level enables stricter rules, so a higher level catches more attacks but also produces more false positives, which is why the rule update process below matters.
Gwaf basic usage (1/2)
• Gwaf directory structure
• conf/vhost-enable
• conf/vhost-available
• conf/vhost-cluster
• conf/conf.d
• conf/modsecurity
• bin/gwaf_add_instance
• Gwaf templates
• json-https
• webui-https
Gwaf basic usage (2/2)
• Gwaf docker
• Found in Gwaf Docker.
• Quick demo using my docker-compose of Gwaf Docker.
• Describes the setup
• Gwaf edge
• Prepared and set up by the Platform team, with configuration based on IdCloud needs.
• Guide to running GWAF edge locally
• Quick demo using my Gwaf edge package.
• Describes the setup
SecRule and SecAction
• SecRule
• See definition and syntax on SecRule

• SecAction
• See definition and syntax on SecAction

• Processing Phases
• See Processing phases.
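The SecRule, SecAction and processing-phase references above, together with the paranoia-level setting from the CRS slide, as one added example. This fragment is not from the GWAF deck or the GWAF package; it is a minimal ModSecurity 2.x plus OWASP CRS 3.x configuration written for this page. The file paths, the rule IDs in the 1000000 range, and the way GWAF_paranoia_level is assumed to map onto tx.paranoia_level are all assumptions.

```apache
# Added example, not from the GWAF deck or package. Paths, rule ids 1000001-1000004
# and the GWAF_paranoia_level -> tx.paranoia_level mapping are assumptions.

# "On" blocks; "DetectionOnly" only logs (use it while testing a new rule).
SecRuleEngine On
# Without these, phase 2 / phase 4 rules cannot see request / response bodies.
SecRequestBodyAccess On
SecResponseBodyAccess On
# Audit-log only transactions that matched a rule.
SecAuditEngine RelevantOnly
SecAuditLog /var/log/gwaf/modsec_audit.log

# CRS setup file (assumed path); its own SecAction 900000 is assumed to be
# left commented out, as in the stock crs-setup.conf.example.
Include /opt/gwaf/conf/modsecurity/crs-setup.conf

# SecAction: unconditional, runs once per transaction in the given phase.
# CRS 3.x reads tx.paranoia_level (1..4); each level adds stricter rules and
# more false positives. The anomaly threshold is what the summed rule scores
# are compared against before the CRS blocking rule fires.
SecAction \
  "id:900000,phase:1,nolog,pass,t:none,\
   setvar:tx.paranoia_level=1,\
   setvar:tx.inbound_anomaly_score_threshold=5"

# The CRS rules themselves (assumed path).
Include /opt/gwaf/conf/modsecurity/rules/*.conf

# SecRule VARIABLES "OPERATOR" "ACTIONS"
# Phase 1: only request headers are available. Reject known scanner UAs outright.
SecRule REQUEST_HEADERS:User-Agent "@pm sqlmap nikto" \
  "id:1000001,phase:1,deny,status:403,log,msg:'Known scanner user agent'"

# Phase 2: the request body is available. Positive-security (allow-list) check
# on one parameter, the opposite of the CRS deny-list model.
SecRule ARGS:username "!@rx ^[A-Za-z0-9._@-]{1,64}$" \
  "id:1000002,phase:2,deny,status:400,log,msg:'username outside allowed charset'"

# Phase 4: the response body is available. Catch a backend leaking a stack trace.
SecRule RESPONSE_BODY "@rx (?i)java\.lang\.[A-Za-z]+Exception" \
  "id:1000003,phase:4,deny,status:500,log,msg:'Stack trace in backend response'"

# Phase 5: logging only; nothing can be blocked any more.
SecRule RESPONSE_STATUS "@eq 500" \
  "id:1000004,phase:5,pass,log,msg:'Backend returned 500'"
```

Phase 3 (response headers) is the only phase not shown; the same VARIABLES "OPERATOR" "ACTIONS" shape applies there with RESPONSE_HEADERS. When a new rule is added, run it first with `SecRuleEngine DetectionOnly` and review the audit log for hits on legitimate traffic before switching to `On`.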
Troubleshooting : Gwaf Splunk Logs
• See details on Troubleshooting gwaf splunk logs
ISRA - Risk assessment on GWAF rules update (1/2)

• R&D GWAF update workflow
• Why do we need GWAF?
• SOC 2 compliance and PA-DSS on the CAS side.
• SLA
• Thales reputation
ISRA - Risk assessment on GWAF rules update (2/2)

• How do I do the risk assessment?
• Understand the false positive case (what is causing the false positive).
• Understand the SecRule (what it does and what its purpose is).
• Is the request acceptable/expected by the backend service?
• Manage the false positive and validate.
• If the FP was managed by removing the SecRule (through rule recreation) or by whitelisting, make sure the backend service is still well protected without that SecRule, or that it is not affected by the attack vector the rule covered.
• If the backend service lacks the protection that the removed SecRule provided, an ISRA will be done.
• The attack vectors from OWASP SecLists can be used for validation.
• The ISRA will determine the severity and the impact on the confidentiality, integrity and availability of the solution.
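The "manage the false positive and validate" step, as an added example that is not from the GWAF deck: three ways to handle a CRS false positive, from narrowest to broadest, so that the choice between a scoped exclusion and outright removal of the SecRule (the case that triggers an ISRA) is visible in configuration. The trigger is assumed to be CRS rule 942100 (the libinjection SQL injection check) firing on a free-text "comment" parameter of /api/v1/tickets; the path, the parameter name, the rule id 1000100 and the file names are assumptions for illustration.

```apache
# Added example, not from the GWAF deck. Assumed scenario: CRS rule 942100
# (libinjection SQLi check) false-positives on ARGS:comment for /api/v1/tickets.

# ---- File loaded BEFORE the CRS rules are included ----
# (stock CRS name: REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf)

# Option A (preferred): runtime exclusion scoped to one path and one parameter.
# Phase 1 so it is evaluated before the phase 2 rule reads the body. Rule
# 942100 keeps inspecting every other parameter here and every other path.
SecRule REQUEST_URI "@beginsWith /api/v1/tickets" \
  "id:1000100,phase:1,pass,nolog,t:none,\
   ctl:ruleRemoveTargetById=942100;ARGS:comment"

# ---- File loaded AFTER the CRS rules are included ----
# (stock CRS name: RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf)

# Option B: the rule still runs everywhere but never looks at ARGS:comment on
# any path. Broader than A; acceptable only if no other endpoint behind this
# vhost passes a parameter of that name into anything SQL-like.
SecRuleUpdateTargetById 942100 "!ARGS:comment"

# Option C: remove the rule globally. This is the "SecRule removed" case on the
# slide: every backend behind this vhost loses the check, so an ISRA is needed
# unless the backends are shown to be unaffected by the attack vector.
# SecRuleRemoveById 942100
```

Validate in both directions. The legitimate comment that caused the false positive must now reach the backend, and the same OWASP SecLists SQL injection payloads sent in any other parameter (for example `title`) or to any other path must still be blocked by the CRS anomaly rule; a 942100 hit in the audit log or the GWAF Splunk logs for those control requests confirms the exclusion did not widen past its intent. If only Option C makes the application work, that is the signal to stop and run the ISRA rather than ship the removal.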
