Before we begin, this is the high level overview of the Application Security solution.
Let's get started
Note: Click on the hotspots to click through the guide.
A successful SQL injection attack can result in unauthorized access to sensitive data, such as passwords, credit card details, or personal user information. It is not hard to pull off if the attacker knows where to look. Here is a simplistic example of such an attack.
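To make the attack concrete, here is an added example (not part of the original clickthrough, and not Avi code) of the kind of login query that is vulnerable, the two classic payloads against it, and the parameterized query that fixes it. The database, table and rows are constructed sample data; the tautology payload is the shape that CRS rule 942100 (libinjection) flags later in this demo.

```python
import sqlite3


def make_db():
    """Constructed in-memory database; the rows are made-up sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, card TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "4111-1111-1111-1111"),
         ("bob", "hunter2", "5500-0000-0000-0004")],
    )
    return conn


def login_vulnerable(conn, username, password):
    # Attacker input is spliced into the SQL text, so quotes, operators and
    # comment markers in it are interpreted as SQL rather than as data.
    query = ("SELECT username, card FROM users "
             f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(query).fetchall()


def login_safe(conn, username, password):
    # Placeholders: the driver sends values separately from the SQL text,
    # so the same payloads are compared literally and match nothing.
    query = "SELECT username, card FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def demo():
    conn = make_db()
    tautology = "' OR '1'='1"   # WHERE ... AND password = '' OR '1'='1' is always true
    comment = "alice'--"        # -- comments out the password check entirely
    return {
        "dump_all": login_vulnerable(conn, "anyone", tautology),    # every row, card numbers included
        "bypass_alice": login_vulnerable(conn, comment, "wrong"),   # alice's row, no password needed
        "safe_dump_all": login_safe(conn, "anyone", tautology),     # []
        "safe_bypass": login_safe(conn, comment, "wrong"),          # []
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:14} -> {rows}")
```

The WAF shown in the rest of this demo blocks requests carrying these payloads at the edge; the parameterized query is the durable fix in the application, and the WAF adds a layer of defense in front of it.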
That could prove very costly!
90% of companies do not use a WAF because of its complexity. What if that complexity were to disappear?
Keeping the SQLi scenario in mind, let us now look at the WAF. First up is the Dashboard, which is easy to read and very intuitive.
We see all the applications in the tenant "admin" listed here. It is important to note that NSX ALB can apply WAF protection to any application you choose.
The first order of business is to ensure we are subscribed to the latest Bot and DDoS management updates. To do so, click on the Administration tab.
Click on Cloud Services
Click on the Edit option
Click to enable the Cloud Services WAF management option
Click to save the service settings
Click here to navigate to the applications view for the chosen tenant.
The shield over the Virtual Service indicates that it is protected by the WAF. Click on the plus icon to view it in more detail.
Here we see the pool of backend servers being load balanced, along with the virtual service itself. For the purpose of this clickthrough demo, we will double-click on the virtual service to take a closer look at the application and its WAF policies.
The dashboard provides a quick overview of the application's performance. We will cover this section in more depth in a different clickthrough demo. For now, note that the end-to-end timing of the whole application is captured here, which helps IT teams see the RTT, response and latency times and quickly pinpoint where an issue lies, be it the client, the server or the application itself. Let us now click on the logs, which are of most significance to us from a security standpoint for the purpose of this demo.
NSX ALB provides a full log analytics system whereby every application transaction is logged. We notice that the first transaction was rejected by the WAF, citing an SQLi match, with a 403 response. Given that SQLi is a very common issue for modern web applications, this is of interest to us. So let us see how easily Avi can help us understand the reason for rejecting this transaction.
The request originated from Mexico, from a macOS device running the Chrome browser, and was rejected because the transaction matched a security rule. Let us scroll down further to see which rule that was.
A CRS signature match for an SQLi-type attack was triggered, as indicated. Let us dig a bit deeper into this.
Notice that Avi provides the exact reason for the transaction being rejected. In this case it is CRS rule 942100, "SQL Injection Attack Detected via libinjection".
Here you can find more information on the SSL profile, the TLS version and the SSL score itself. Notice that the score is a bit lower here because of a self-signed certificate.
Please note that these scores contribute to the overall health score of the application. It is also worthwhile to know that the weight of the score for a particular attribute can be changed. For example, if the application is known to have higher latency than Avi's default expectation, the weight of the latency score can be lowered so that it does not drag down the overall health score.
This dashboard quickly summarizes the WAF analytics, including the top attack groups, the top rules that were triggered in a given time window, the top tags, as well as the client IP addresses and the paths or application areas that were accessed the most.
Now that we have seen how easy it is to understand some of the high-level application health and security metrics, we will see how to configure the WAF policy itself that protects the application.
We will use a comparison with the TSA airport security model. Just as the TSA does not pat down every single passenger at the airport, Avi uses a three-core-function approach that reduces complexity and delivers enhanced web application security: the allowlist engine, the positive security engine, and the signature engine. Together, they comprise Avi's optimized security pipeline.
Click on the edit icon to view the virtual service details
Let us edit the WAF policy
Avi monitors over 700 application performance metrics, delivering insights into applications, end-users, and infrastructure, all in real-time.
Avi optimizes the security pipeline in the following fashion:
Learning: Helps understand normal, expected, healthy traffic and behavior at a deeper level. Think of this as the child seat that is fine to take through screening when accompanied by a parent or guardian.
Allowlist: In the TSA screening analogy, these are the pilots, cabin staff and pre-screened passengers.
Positive security: This is akin to regular TSA screening procedures. Anyone not on the allowlist heads to the regular screening line and follows standard security procedures.
Application rules: What behavior is acceptable and what is not. For example, carrying a large bottle of soda is not acceptable, so it goes in the trash can.
Signatures: This is the pat-down and individual screening at the airport. It takes a lot of time but is necessary, and it can often hold up the line.
The learning capability of the NSX ALB positive security engine protects applications not only against known threats, but also against new, malicious behavior that attackers engage in as they attempt to breach the system. The best way to defend the application is to understand normal, expected, healthy traffic and behavior at a deeper level. This enables the system to detect anomalies and reduce false positives on its own, without waiting for some authority to add known threats to a list.
The Allow List is for a select few who we know are safe and can immediately pass through in our analogy here, perhaps pilots, cabin staff and pre-screened passengers. They do not receive intensive screening, like a pat-down, nor do they even pass through the regular security line. They just rapidly move through to the gates.
Positive security checks can be much faster than signature matching, because a request is compared against the learned model of the application rather than against the whole signature list. And this majority of normal traffic is what lets the TSA hone its procedures and learn what is normal and what is not.
Application Rules are specifically designed to block attacks on known application vulnerabilities (many of them with CVEs). They are updated automatically through the Application Rules feed from the NSX ALB Console.
When the admin enables this protection, more than 5000 applications can be selected, which activates the application rules specific to that application in the WAF policy.
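To show how the allowlist, positive security and signature stages divide the work, here is an added, simplified screening pipeline in Python. It is an illustration written for this page, not Avi's engine or the OWASP CRS: the stage order, the tiny signature set, the trusted address and the learned-model rules are all assumptions, and the clean traffic used for learning is constructed. The design point it demonstrates is that fields the positive model can constrain tightly never reach the signature pat-down, while free-form fields (such as passwords, which legitimately contain symbols) still do.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    client_ip: str
    path: str
    params: dict


@dataclass(frozen=True)
class Decision:
    action: str   # "allow" or "reject"
    stage: str    # which engine made the call
    reason: str


# Assumption: one trusted client address (e.g. an internal scanner) on the allowlist.
ALLOWLIST_IPS = {"10.0.0.5"}

# Signature stage: a tiny illustrative pattern set, NOT the OWASP CRS or libinjection.
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*or\s*'[^']*'\s*=\s*'", re.IGNORECASE),
    "sqli-comment": re.compile(r"(--|/\*)"),
    "sqli-union": re.compile(r"\bunion\b.*\bselect\b", re.IGNORECASE),
}

# A "plain word" value: the charset the positive model considers safe to enforce.
WORD = re.compile(r"^[A-Za-z0-9_.@-]*$")


class PositiveModel:
    """Learns from clean traffic which parameters each path accepts, whether a
    parameter has only ever carried plain-word values, and the longest value seen."""

    def __init__(self):
        self.paths = {}

    def learn(self, req):
        spec = self.paths.setdefault(req.path, {})
        for name, value in req.params.items():
            s = spec.setdefault(name, {"word": True, "max_len": 0})
            s["word"] = s["word"] and bool(WORD.match(value))
            s["max_len"] = max(s["max_len"], len(value))

    def check(self, req):
        """Returns (violation, free_params): violation is a reason or None;
        free_params are the parameters the model cannot constrain by charset."""
        spec = self.paths.get(req.path)
        if spec is None:
            return f"unknown path {req.path}", []
        free = []
        for name, value in req.params.items():
            s = spec.get(name)
            if s is None:
                return f"unexpected parameter {name}", []
            if len(value) > 2 * s["max_len"]:
                return f"parameter {name} longer than learned bound", []
            if s["word"]:
                if not WORD.match(value):
                    return f"parameter {name} contains characters never seen in learning", []
            else:
                free.append(name)
        return None, free


def screen(req, model):
    # Stage 1: allowlist, the pilots and crew walk straight through.
    if req.client_ip in ALLOWLIST_IPS:
        return Decision("allow", "allowlist", "trusted client")
    # Stage 2: positive security, compare against the learned model of the app.
    violation, free = model.check(req)
    if violation:
        return Decision("reject", "positive-security", violation)
    # Stage 3: signature pat-down, only for free-form fields the model could not pin down.
    for name in free:
        for sig, pattern in SIGNATURES.items():
            if pattern.search(req.params[name]):
                return Decision("reject", "signatures", f"{sig} in parameter {name}")
    return Decision("allow", "positive-security", "conforms to learned model")


def demo():
    model = PositiveModel()
    # Constructed clean logins used for the learning stage.
    for user, pw in [("alice", "s3cret!"), ("bob", "hunter2"), ("carol", "Pa$$w0rd")]:
        model.learn(Request("192.0.2.10", "/login", {"user": user, "pass": pw}))
    tests = {
        "trusted": Request("10.0.0.5", "/login", {"user": "x' OR '1'='1", "pass": "x"}),
        "normal": Request("198.51.100.7", "/login", {"user": "dave", "pass": "letmein"}),
        "tautology": Request("198.51.100.7", "/login", {"user": "x", "pass": "' OR '1'='1"}),
        "comment": Request("198.51.100.7", "/login", {"user": "alice'--", "pass": "x"}),
        "extra": Request("198.51.100.7", "/login", {"user": "eve", "pass": "x", "debug": "1"}),
    }
    return {name: screen(req, model) for name, req in tests.items()}


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:10} {d.action:6} [{d.stage}] {d.reason}")
```

Run it and note where each request is stopped: the tautology in the free-form password field is only caught by the signature stage, the `alice'--` payload in the username never reaches signatures because the positive model learned that usernames are plain words, and the stray `debug` parameter is rejected without any signature at all. That is the "fast path for normal traffic, pat-down for the rest" trade-off the TSA analogy describes.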
Click on the edit button. Note that the transaction in the earlier step was rejected because of this rule. We will verify the rule here.
Verify the rule
Save the policy
Remember that at the beginning of the clickthrough we saw how things went wrong pretty quickly.
With the WAF protection in place, let us try again!
Voila... complete peace of mind! The injected request is now rejected at the WAF with a 403 before it ever reaches the application.