This repository has been archived by the owner on Jan 24, 2018. It is now read-only.

[RFC] Web Application Firewall #206

Open
lasley opened this issue Jan 16, 2017 · 6 comments

Comments

@lasley
Contributor

lasley commented Jan 16, 2017

Another nail in the security shield for us should be a Web Application Firewall.

I'm thinking something like ModSecurity built as a module & included into our proxy would be the best bet here.

Alternatively we could run the firewall as its own service, and proxy desired traffic through it.

The benefit of the former method is security by default, for everything. The downfall is that opt-out would be at the proxy image level, so you're either fully secure or fully insecure - no middle ground.

If we go the route of the secondary proxy, we would gain the benefit of opt-in/out security at the application level. The downfall of this method is that our network architecture will explode in terms of difficulty. We also still wouldn't be able to run secure & insecure on the same port - because the two proxy listeners would conflict.

Thoughts? Other techs/strategies?

cc @LasLabs @YannickB

@YannickB
Owner

That's a hard question; I have already thought many times about this topic.

At first, I wanted to explore the possibilities of having a firewall for all exposed ports at the Docker level, so we can control access to the applications themselves. But I'm not sure this is possible if the firewall is in a container (or maybe with a privileged or pid=host container?), and I really don't want to install a firewall on the node itself.

You suggest a firewall in the proxy; I didn't think about that, but I believe this is an excellent idea. This is the easiest way to control access to all web applications, and Clouder is mostly designed toward them.
But with this we will not be able to easily control access to non-web applications; for example, we will not be able to restrict access to odoo-ssh containers per IP.

The way I see it, we should have a firewall, in a container, with web access so non-technical people can easily administer it and grant access, which can control access to containers' exposed ports and URLs forwarded by the proxy. I do believe I'm asking too much...

@lasley
Contributor Author

lasley commented Jan 18, 2017

We're actually talking about two different types of firewalls here, although I agree on the need for the other too. Honestly, I've been able to make iptables meet all my needs for port/IP-based rules with proper config. Interestingly enough, I also made a ghetto web UI for managing iptables rules on some disparate routers, which I could probably adapt for us fairly easily.

What I'm referring to is a Web Application Firewall. This sits in front of HTTP applications & packet sniffs in order to provide an extra layer of security. This is to circumvent active exploit attempts such as SQL Injection probing, XSS, RCE, RFI, protocol violations, etc.

ModSecurity implements all of the OWASP Core Rule Set, which is described here and here in more detail.
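The proxy-level setup discussed in this thread, written out as an added example (this is not Clouder's configuration, and the module path, rule directories, hostname and upstream name are assumptions): an nginx reverse proxy loading the ModSecurity v3 connector module with the OWASP Core Rule Set, enabled for every virtual host and switched off for one hypothetical path that legitimately carries payloads the rules would flag.

```nginx
# Added example, not Clouder's own config. Assumes the ModSecurity v3
# nginx connector (ngx_http_modsecurity_module) is installed and the
# OWASP CRS is unpacked under /etc/nginx/modsec/crs/ (paths are assumptions).
load_module modules/ngx_http_modsecurity_module.so;

events {}

http {
    # WAF on for everything the proxy serves: secure by default.
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;

    upstream odoo_app {          # hypothetical application container
        server odoo:8069;
    }

    server {
        listen 80;
        server_name app.example.com;   # placeholder hostname

        location / {
            proxy_pass http://odoo_app;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        # Per-path opt-out (hypothetical endpoint): inspection can be
        # disabled for a single location without rebuilding the image.
        location /longpolling/ {
            modsecurity off;
            proxy_pass http://odoo_app;
        }
    }
}

# ---- /etc/nginx/modsec/main.conf (ModSecurity rule syntax, not nginx) ----
# Engine defaults shipped with libmodsecurity, then the CRS setup and rules.
# Include /etc/nginx/modsec/modsecurity.conf
# Include /etc/nginx/modsec/crs/crs-setup.conf
# Include /etc/nginx/modsec/crs/rules/*.conf
# Log-only while tuning false positives; change to "On" to start blocking.
# SecRuleEngine DetectionOnly
# SecAuditLog /var/log/modsec_audit.log
```

Running the engine in DetectionOnly first gives a log of what the CRS would have blocked against real traffic; once the audit log shows no legitimate requests being flagged, SecRuleEngine is set to On. The per-location `modsecurity off` is the escape hatch for the "fully secure or fully insecure" concern raised above: the default stays enforced at the proxy while individual paths can be excluded explicitly.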

@YannickB
Owner

Oh ok, I understand better now.

As a first step, I believe we shall keep it simple and implement it at the proxy level then.

@lasley
Contributor Author

lasley commented Jan 18, 2017

Step at a time! I'll toss this on our internal dev board, we should see some code soon 😄

@lasley
Contributor Author

lasley commented Jan 18, 2017

Any thoughts on whether this should be an option or just built in (mandatory)?

@YannickB
Owner

Hum, good question... For now I'd say built in; let's keep it simple, and we'll see later if the need arises for insecure.

2 participants