• Edward B. Fjellskål, analyst

• Kacper Wysocki, consultant

• Kristian Lyngstøl, developer

• Eduardo Scarpellini, master student

Varnish got prod ready.

• sweet architecture

• good acceleration

• flexible control and transparency

• security barriers

I fear not the man
who has practiced 10,000 kicks
once,
but I fear the man who has
practiced one kick
10,000 times.

• simple hackable rules

• block webscanners etc

• insignificant performance penalty

Usually we use varnish to:

• scale a website

• hack around application issues

we were under siege!

• Arab News DDoS

• with a clever caching hack

if(req.http.attack ~ "pattern"){
   set resp.http.Cache-Control =
                "max-age=3312315123166";
}

• tomcat

• varnish

• add another service? no

• needs monitoring, support, integration

• moar $$$!

• overkill?

• wouldn't save us from the DDoS

• not impressed, but why?

• too expensive

• not flexible enough

• no custom app rules

• write rules

• in varnish..

• write rules

• in varnish..where

• the ops can get at it

• write rules

• in varnish..where

• the ops can get at it

• without hurting feelings

• write rules

• in varnish..where

• the ops can get at it

• without hurting feelings

• and breaking things

• small rulesets

• custom rules for apps

• customer still up

• customer still up

• running f!$#% code

• customer still up

• running f!$#% code

• hack quick hotfixes

• security rule framework in VCL

• expert rules for GET

• POST handling

what we do today:

• common malicious access

• SQL injection

• Cross site scripting

• Cloaking

• cloak web stack

• cloak client

• example: http://u.delta9.pl

• yes we hate the word

• easy deploy VSF

• enforce rules and ACLs

• push firewall nearer user

• we show you the diff

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|
REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*
"http:\/\/[\w\.]+?\/.*?\.pdf\b[^\x0d\x0a]*#" \
  "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',
  accuracy:'9',capture,t:none,t:htmlEntityDecode,
  t:compressWhiteSpace,t:lowercase, ctl:auditLogParts=+E,block,
  id:'950018', setvar:'tx.msg=%{rule.msg}',
  setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},
  setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/UPDF_XSS-%{matched_var_name}=%{tx.0}"

if (req.url ~ "(?i)(S|%[57]3)(\s|%20|\t|%09|\+)*(C|%[46]3)
     (\s|%20|\t|%09|\+)*(R|%[57]2)(\s|%20|\t|%09|\+)*
     (I|%[46]9)(\s|%20|\t|%09|\+)*(P|%[57]0)(\s|%20|\t|%09|\+)*
     (T|%[57]4)(\s|%20|\t|%09|\+)*(>|%3E)") {
   set req.http.X-VFW-Threat = "Cross-site Scripting";
   set req.http.X-VFW-RuleID = "xss.xss-2";
   call vfw_main;
}

completely unreadable

• and these are the short ones!

if (req.url ~ "(SHOW|DROP|CREATE) (DATABASES|TABLES|PROCESSLIST)") {
  set req.http.X-SEC-RuleName = "SQL Injection";
  set req.http.X-SEC-RuleId = "sql-15"
  call sec_sql_sev1;
}

• reject, alert

• redirect

• g-line / offensive script

• honeypot

• block

• WAF evasion

• WAF fingerprinting

• WAF spray

All fixed set patterns
are incapable
of adaptability or pliability.
The truth is outside of
all fixed patterns.

  -- Bruce, again.

• Unicode normalization

• Fuzzing!

• Better GUI

http://github.com/comotion/VSF

edwardfjellskaal@gmail.com kwy@redpill-linpro.com