Securing your web stack with Varnish

Author	Kacper Wysocki
Contact	kwy@redpill-linpro.com
Date	March 22, 2012

The Who's

Edward B. Fjellskål, security analyst
Kacper Wysocki, security consultant
Kristian Lyngstøl, Varnish (was security analyst)
Eduardo Scarpellini, OWASP, Masters student @ ITA

img/frying.jpg

The Idea

Varnish has

sweet architecture
really REALLY high loads
flexible control and transparency
can make things more secure too

img/invaders.gif

LOLBUNNY

img/lolbunny.jpg

There are no silver bullets

Usually we use varnish to:

scale a website
hack around application issues

img/notbutter.jpg

The Story

DDoS mitigation..
Project started in 2008
XSS/hole mitigation
Can we do better?

img/fight-club-soap.jpg

The Approach

security rule framework in VCL
PoC Breach rule translator
expert rules for GET
POST handling

img/shipping.jpg

Thwarting attacks

what we do today:

common malicious access
SQL injection
Cross site scripting
Cloaking

img/truck.jpg

Security handlers

reject, alert
redirect
g-line / offensive script
honeypot

img/bike.jpg

VFW - Varnish FireWall

Eduardo Scarpellini's VFW master thesis
Varnish 2 with inline C for POST
Testing of effectiveness
Web GUI

img/pat.jpg

Future work

POST access
normalization
merge VFW and Sec.vcl

img/energy.jpg

Questions?

http://kacper.blog.linpro.no

kwy@redpill-linpro.com

6BD0 3F9C 5F77 AD24 F60A
86EC FD82 7E34 674A 506F

References:

http://www.varnish-cache.org/trac/wiki

http://github.com/comotion/security.vcl

http://github.com/scarpellini/VFW