1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
|
.. This work is licensed under a Creative Commons Attribution 4.0 International License.
.. http://creativecommons.org/licenses/by/4.0
.. SPDX-License-Identifier CC-BY-4.0
.. (c) Authors of Clover
.. _modsecurity_config_guide:
=========================================
ModSecurity Configuration Guide
=========================================
This document provides a guide to setup the ModSecurity web application firewall
as a security enhancement for the Istio ingressgateway.
ModSecurity Overview
=====================
ModSecurity is an open source web application firewall. Essentially, ModSecurity
is an Apache module that can be added to any compatible version of Apache. To
detect threats, the ModSecurity engine is usually deployed embedded within the
webserver or as a proxy server in front of a web application. This allows the
engine to scan incoming and outgoing HTTP communications to the endpoint.
In Clover, we deploy ModSecurity on an Apache server and running it as a
Kubernetes service that reside in "clover-gateway" namespace.
ModSecurity provides very little protection on its own. In order to become
useful, ModSecurity must be configured with rules. Dependent on the rule
configuration the engine will decide how communications should be handled which
includes the capability to pass, drop, redirect, return a given status code,
execute a user script, and more.
In Clover, we choose the OWASP ModSecurity Core Rule Set (CRS) for use with
ModSecurity.
The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection
rules. The CRS aims to protect web applications from a wide range of attacks,
including the OWASP Top Ten, with a minimum of false alerts.
Ingress traffic security enhancement
======================================
In a typical Istio service mesh, ingressgateway terminates TLS from external
networks and allows traffic into the mesh.
.. image:: imgs/istio_gateway.png
:align: center
:scale: 100%
Clover enhances the security aspect of ingressgateway by redirecting all incoming
HTTP requests through the ModSecurity WAF. To redirect HTTP traffic to the ModSecurity,
Clover enables ext_authz (external authorization) Envoy filter on the ingressgateway.
For all incoming HTTP traffic, the ext_authz filter will authenticate each ingress
request with the ModSecurity service. To perform authentication, an HTTP subrequest
is sent from ingressgateway to ModSecurity where the subrequest is verified. If
the subrequest is clean, ModSecurity will return a 2xx response code, access is
allowed; If it returns 401 or 403, access is denied.
Deploying the ModSecurity WAF
==============================
.. _modsecurity_prerequisites:
Prerequisites
-------------
The following assumptions must be met before continuing on to deployment:
* Installation of Kubernetes has already been performed.
* Installation of Istio and Istio client (istioctl) is in your PATH.
Deploy from source
------------------
Clone the Clover git repository and navigate within the samples directory as
shown below:
.. code-block:: bash
$ git clone https://gerrit.opnfv.org/gerrit/clover
$ cd clover/samples/scenarios
$ git checkout stable/gambia
To deploy the ModSecurity WAF in the "clover-gateway" Kubernetes namespace, use
the following command:
.. code-block:: bash
$ kubectl create namespace clover-gateway
$ kubectl apply -n clover-gateway -f modsecurity_all_in_one.yaml
Verifying the deployment
------------------------
To verify the ModSecurity pod is deployed, executing the command below:
.. code-block:: bash
$ kubectl get pod -n clover-gateway
The listing below must include the following ModSecurity pod:
.. code-block:: bash
$ NAME READY STATUS RESTARTS AGE
modsecurity-crs-cf5fffcc-whwqm 1/1 Running 0 1d
To verify the ModSecurity service is created, executing the command below:
.. code-block:: bash
$ kubectl get svc -n clover-gateway
The listing below must include the following ModSecurity service:
.. code-block:: bash
$ NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
modsecurity-crs NodePort 10.233.11.72 <none> 80:31346/TCP 1d
To verify the ext-authz Envoy filter is created, executing the command below:
.. code-block:: bash
$ istioctl get envoyfilter -n clover-gateway
The listing below must include the following Envoy filter:
.. code-block:: bash
$ NAME KIND NAMESPACE AGE
ext-authz EnvoyFilter.networking.istio.io.v1alpha3 istio-system 1d
ModSecurity configuration
==========================
OWASP ModSecurity CRS mode
---------------------------
The OWASP ModSecurity CRS can run in two modes:
* **Anomaly Scoring Mode** - In this mode, each matching rule increases an
'anomaly score'. At the conclusion of the inbound rules, and again at the
conclusion of the outbound rules, the anomaly score is checked, and the blocking
evaluation rules apply a disruptive action, by default returning an error 403.
* **Self-Contained Mode** - In this mode, rules apply an action instantly. Rules
inherit the disruptive action that you specify (i.e. deny, drop, etc). The first
rule that matches will execute this action. In most cases this will cause evaluation
to stop after the first rule has matched, similar to how many IDSs function.
By default, the CRS runs in Anomally scoring mode.
You can configurate CRS mode by editing the **crs-setup.conf** in the modsecurity-crs
container:
.. code-block:: bash
$ kubectl exec -t -i -n clover-gateway [modsecurity-crs-pod-name] -c modsecurity-crs -- bash
$ vi /etc/apache2/modsecurity.d/owasp-crs/crs-setup.conf
Alert logging
-------------
By default, CRS enables all detailed logging to the ModSecurity audit log.
You can check the audit log using the command below:
.. code-block:: bash
$ kubectl exec -t -i -n clover-gateway [modsecurity-crs-pod-name] -c modsecurity-crs -- cat /var/log/modsec_audit.log
CRS Rules
---------
By default, Clover enables all OWASP CRS rules. Below is a short description of all enabled rules:
* **REQUEST-905-COMMON-EXCEPTIONS**
Configuration Path: /etc/apache2/modsecurity.d/owasp-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
Some rules are quite prone to causing false positives in well established software,
such as Apache callbacks or Google Analytics tracking cookie. This file offers
rules that will allow the transactions to avoid triggering these false positives.
* **REQUEST-910-IP-REPUTATION**
Configuration Path: /etc/apache2/modsecurity.d/owasp-crs/rules/REQUEST-910-IP-REPUTATION.conf
These rules deal with detecting traffic from IPs that have previously been involved
with malicious activity, either on our local site or globally.
* **REQUEST-912-DOS-PROTECTION**
Configuration Path: /etc/apache2/modsecurity.d/owasp-crs/rules/REQUEST-912-DOS-PROTECTION.conf
The rules in this file will attempt to detect some level 7 DoS (Denial of Service)
attacks against your server.
* **REQUEST-913-SCANNER-DETECTION**
Configuration Path: /etc/apache2/modsecurity.d/owasp-crs/rules/REQUEST-913-SCANNER-DETECTION.conf
These rules are concentrated around detecting security tools and scanners.
* **REQUEST-920-PROTOCOL-ENFORCEMENT**
Configuration Path: /etc/apache2/modsecurity.d/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
The rules in this file center around detecting requests that either violate HTTP
or represent a request that no modern browser would generate, for instance missing
a user-agent.
* **REQUEST-921-PROTOCOL-ATTACK**
Configuration Path: /etc/apache2/modsecurity.d/owasp-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
The rules in this file focus on specific attacks against the HTTP protocol itself
such as HTTP Request Smuggling and Response Splitting.
* **REQUEST-930-APPLICATION-ATTACK-LFI**
Configuration Path: /etc/apache2/modsecurity.d/owasp-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
These rules attempt to detect when a user is trying to include a file that would
be local to the webserver that they should not have access to. Exploiting this type
of attack can lead to the web application or server being compromised.
* **REQUEST-931-APPLICATION-ATTACK-RFI**
Configuration Path: /etc/apache2/modsecurity.d/owasp-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
These rules attempt to detect when a user is trying to include a remote resource
into the web application that will be executed. Exploiting this type of attack can
lead to the web application or server being compromised.
* **REQUEST-941-APPLICATION-ATTACK-SQLI**
Configuration Path: /etc/apache2/modsecurity.d/owasp-crs/rules/REQUEST-941-APPLICATION-ATTACK-SQLI.conf
Within this configuration file we provide rules that protect against SQL injection
attacks. SQL attackers occur when an attacker passes crafted control characters
to parameters to an area of the application that is expecting only data. The
application will then pass the control characters to the database. This will end
up changing the meaning of the expected SQL query.
* **REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION**
Configuration Path: /etc/apache2/modsecurity.d/owasp-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
These rules focus around providing protection against Session Fixation attacks.
* **REQUEST-949-BLOCKING-EVALUATION**
Configuration Path: /etc/apache2/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
These rules provide the anomaly based blocking for a given request. If you are in
anomaly detection mode this file must not be deleted.
* **RESPONSE-954-DATA-LEAKAGES-IIS**
Configuration Path: /etc/apache2/modsecurity.d/owasp-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
These rules provide protection against data leakages that may occur because of Microsoft IIS
* **RESPONSE-952-DATA-LEAKAGES-JAVA**
Configuration Path: /etc/apache2/modsecurity.d/owasp-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
These rules provide protection against data leakages that may occur because of Java
* **RESPONSE-953-DATA-LEAKAGES-PHP**
Configuration Path: /etc/apache2/modsecurity.d/owasp-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
These rules provide protection against data leakages that may occur because of PHP
* **RESPONSE-950-DATA-LEAKAGES**
Configuration Path: /etc/apache2/modsecurity.d/owasp-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf
These rules provide protection against data leakages that may occur genericly
* **RESPONSE-951-DATA-LEAKAGES-SQL**
Configuration Path: /etc/apache2/modsecurity.d/owasp-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
These rules provide protection against data leakages that may occur from backend
SQL servers. Often these are indicative of SQL injection issues being present.
* **RESPONSE-959-BLOCKING-EVALUATION**
Configuration Path: /etc/apache2/modsecurity.d/owasp-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
These rules provide the anomaly based blocking for a given response. If you are
in anomaly detection mode this file must not be deleted.
* **RESPONSE-980-CORRELATION**
Configuration Path: /etc/apache2/modsecurity.d/owasp-crs/rules/RESPONSE-980-CORRELATION.conf
The rules in this configuration file facilitate the gathering of data about
successful and unsuccessful attacks on the server.
|
