Web Application Firewall Documentation.pdf - محمود وجدي محمد الأحمد

Please enable JavaScript to view the full PDF

Web Application Firewall (WAF) Done by: Ahmad Jehad Haroun 201810732 Mahmoud Wajdi AlAhmad 201811207 Belal Isam Abuyounes 201910186 Abedalfattaah Bassam Aburumman 201920297 Submitted to: Dr. Mahran M. Alzyoud Department of Networks & Information Security Faculty of Information Technology Al - Ahliyya Amman University Submitted in Partial Fulfillment of the Requirements for the Degree of Bachelor of Networks & Information Security in Information Technology Spring - Second Semester – 2022 Acknowledgment It was a great opportunity to gain a lot of experience with real time projects, followed by learning how to design and analyze real projects. Therefore, we would like to thank all the people who made this possible for students like us. Special thanks to the Graduation Project Unit for their efforts in providing us with all useful information and showing the path to students to carry out all education periods in project design and analysis in real time. We would like to express our deepest gratitude to our Graduation Project Supervisor, Dr. Mahra Al Zayoud, for his patience and guidance throughout the semester. Furthermore, we must thank all members of the examination committee for their generous discussions and encouragement. Prof. Musleh Abu Al-Hajj, Prof. Nidal Tarab, Dr. Oraib Abu Al-Ghannam. Lecturer Sumaya Al-Khatib, Dr. Muwaffaq Abu Al-Heija, Dr. Youssef Rabaaneh, Dr. Abdul Rahman Hamza. 2 List of Tables: TABLE 1 TOOLS, APPS AND TECHNOLOGY ..................................................................................................................................... 9 TABLE 2 PRESENTS A COMPARISON BETWEEN WAF AND IPS/IDS ................................................................................................... 14 TABLE 3 DEFESE MECHANISM ................................................................................................................................................... 16 TABLE 4 MANAGMENT INTERFACE ............................................................................................................................................ 16 TABLE 5 DIFFERENCE BETWEEN SQL AND MONGODB (KEYWORDS) ................................................................................................ 23 List of figures: FIGURE 1 PROJECT TIME LINE.................................................................................................................................................... 10 FIGURE 2 HOW WAF FILTER HTTP REQUEST .............................................................................................................................. 13 FIGURE 3 DEFENSE MECHANISM OF VARIOUS WAF ..................................................................................................................... 15 FIGURE 4 HOW THE TOOL INTERACT WITH THE TOPOLOGY............................................................................................................. 21 FIGURE 5 HTTP HEADER ........................................................................................................................................................ 22 FIGURE 6 JSON BASIC FORMAT ................................................................................................................................................ 24 FIGURE 7 HOW REST API WORK ............................................................................................................................................. 25 FIGURE 8 WAF TOOL ARCHITECTURE ......................................................................................................................................... 25 FIGURE 9 RABBITMQ MESSAGE BROKER OPERATION .................................................................................................................... 26 FIGURE 10 MIND MAP OF SECURITY ASPECTS ............................................................................................................................. 28 FIGURE 11 THE NETWORK TOPOLOGY ....................................................................................................................................... 36 FIGURE 12 BASIC WAF USAGE ................................................................................................................................................. 53 FIGURE 13 METHODS OF HOW WAF CAN WORK ......................................................................................................................... 54 FIGURE 14 METHODS OF HOW A WAF CAN BE IMPLEMENTED ....................................................................................................... 54 FIGURE 15 OVERVIEW OF THE TOOL DESIGN ................................................................................................................................ 55 FIGURE 16 DATAFLOW OF THE INTERACTION BETWEEN USER AND DEVICES SECTION IN THE WAF TOOL ................................................... 55 FIGURE 17 WAF TOOL MAIN DASHBOARD .................................................................................................................................. 57 FIGURE 18 UNIT TESTING ON THE DEVICE COMPONENT IN WAF TOOL AND RESULT = OK MEANS SUCCESS............................................... 64 FIGURE 19 REST-API TESTING USING POSTMAN TOOL AS WE SEND GET REQUEST TO THE WAF SERVER TO GET ALL THE CAPTURES STORED IN THE DATABASE, RESULT=200-OK..................................................................................................................................... 65 3 Abstract In the light of the increasing number of Internet users, there has been an increase in cyber-attacks on websites. Also, with the addition of the hacking and penetration testing material that are easy-to-access. Those people called "Script Kiddies" emerged who are DoS-ing and hacking websites and IT infrastructure with already built tools. Therefore, there must be a new technology to solve the problem of security for websites and servers in any industry. A product called Web Application Firewall (WAF) appeared. WAF protects web applications through monitoring and blocking malicious traffic through the “HTTP” and “HTTPS” protocols. WAF is implemented as a software or appliance. In this project, we will humbly try to tackle the problem of application layer security by building a WAF solution as a traffic control and topology monitoring software; by building the basic features of WAF using Python programming language, its libraries and other third-party technologies. Chapter 1: Introduction − 1.1 Problem Statement. − 1.2 Objectives. − 1.3 Overview. − 1.4 Scope. − 1.5 Tools, Apps and technology. − Project Time line. Chapter 2: literature review − 2.1 Q/A overview about WAF. − 2.2 Differences between IPS/IDS and WAF. − 2.3 In-market WAF solutions. − 2.4 OWASP10. − 2.5 Network automation. − 2.6 HTTP (Hypertext Transfer Protocol) and its methods. − 2.7 ASA (Adaptive Security Appliance) Firewall. − 2.8 NoSQL databases, JSONs and REST APIs. 4 − 2.9 Overview of the WAF tool. − 2.10 The security aspects in the project. Chapter 3: Methodology and Proposed Work − 3.1 Planning − 3.2 Design − 3.3 Implementation Chapter 4: Implementation of the Network − 4.1 Preface. − 4.2 The Emulator Environment EVE-NG. − 4.3 design overview. − 4.4 Network topology Configurations. Chapter 5: Implementation of the Code − 5.1 Introduction. − 5.2 Analysis of the Tool. − 5.3 System Design. − 5.4 System Implementation. − 5.5 Testing methodology. − 5.6 Usage manual. Chapter 6: Conclusions and Future Work − 6.1 Conclusions. − 6.2 Future Work. − 6.3 Contribution. − References. 5 Chapter 1 Introduction 6 Chapter 1: Introduction − 1.1 Problem Statement. − 1.2 Objectives. − 1.3 Overview. − 1.4 Scope. − 1.5 Tools, Apps and technology. − Project Time line. 7 1.1 Problem Statement There is no such thing as perfect security in the real world as attempts to hack into company's infrastructure and their services do exist. Although several solutions have been created to end them up, problems such as outdated code, unpatched systems, or difficulty to maintain and fix these IT- related infrastructure issues frequently occur. With the emergence of countless events of penetrating web servers and the application layer, solutions such as "WAF" appeared to reduce and even eliminate some of these problems including "OWASP 10", which is one of the most famous vulnerabilities. Many hackers around the world use these vulnerabilities. To reach their goals and gain access to any infrastructure they want, there is an emerging need for solutions like (WAF) which is important and effective in solving these issues. Companies should apply it rapidly and at any cost to avoid dealing with these issues. 1.2 Objectives The primary goal of this project is to apply the skills, knowledge, and experiences gained during the bachelor's study period in the field of networks and information security, and to integrate this knowledge with the field of web application programming as well as the research field, and to address modern topics that is relevant for the current era. Furthermore, the project is regarded as one of the research tools that aid in increasing the intellectual output of the student. As well as creating a mini-solution for what the WAF can do such as monitoring, blocking, and discovering strange behavior. Specific goals: 1. Our solution should be working and be bug free. 2. Our solution should have good performance. 3. Our solution should be easy to use. 4. Our solution should be updating on any new risks and scalable. 5. Implement the solution using Python language. 6. Implement several concepts such as: − Network programming. − REST APIs. − Flask. − Network Automation libraries. 8 1.3 Overview WAF protects applications from malicious and unwanted internet traffic. WAF can protect any internet-facing endpoint, providing consistent rule enforcement across a Web application. WAF provides you with the ability to create and manage rules for internet threats including Cross-Site Scripting (XSS), SQL Injection, and other OWASP-defined vulnerabilities. 1.4 Scope A computer network that will be created with its basic configuration, a web page and the solution that checks application layer traffic such as HTTP from the network via server and the solution built-in Python programming language. 1.5 Tools, Apps and technology Table 1 Tools, Apps and Technology VMware Virtualization and cloudcomputing software EVE-NG Network EmulationSystem Linux CentOS Linux Server used inboth DC& DMZ Python ProgrammingLanguage Used mainly for oursolution notion Used for project management Postman API testing tool VS Code Multi-purpose IDE, easy to use for Coding Insta-gantt chart An Online tool to make Gantt Charts XMind A useful tool to make Mind Maps RabbitMQ Worker agent for process queuing protocol 9 • Project time line Figure 1 project time line 10 Chapter 2 Literature Review 11 Chapter 2: literature review − 2.1 Q/A overview about WAF. − 2.2 Differences between IPS/IDS and WAF. − 2.3 In-market WAF solutions. − 2.4 OWASP10. − 2.5 Network automation. − 2.6 HTTP (Hypertext Transfer Protocol) and its methods. − 2.7 ASA (Adaptive Security Appliance) Firewall. − 2.8 NoSQL databases, JSONs and REST APIs. − 2.9 Overview of the WAF tool. − 2.10 The security aspects in the project. 12 2.1 Q/A overview about WAF The Web Application Firewall works as the first line of defense against the bad traffic and the web application on the webserver, by monitoring and filtering rules. And it can be so effective against Zero Day and DDoS attacks WAFs may be deployed as Hardware appliance or Software tool operating through rules called policies, these policies allow the WAF to secure the web application from attacks. WAF keeps scanning the web application for the POST and GET requests to identify any anomalies in HTTP traffic or malicious activities. Figure 2 How WAF filter HTTP request The three main security models of WAF: 1. Whitelisting model: a. Allowing only approved traffic by the rules. b. Suitable for internal networks used by small groups. 2. Blacklisting model: a. Blocking known vulnerabilities based on static signatures b. Suitable for web applications on the public internet 3. Hybrid model: a. Configured to apply both Whitelisting and Blacklisting models. b. Can be used on both internal and public networks. 13 2.2 Difference between IPS, IDS and WAF An Intrusion Prevention System (IPS) detects anomalies in network traffic and notifies operations staff of an impending attack (IDS functionality), as well as blocking the traffic (IPS functionality). WAF almost exclusively appears to be working with web applications. WAFs must understand protocol behavior, such as HTTP GET, or FTP in addition to JavaScript, SQL, HTML, XML, Cookies. Table 2 presents a comparison between WAF and IPS/IDS PARAMETER WAF IPS/IDS Intrusion prevention System/Intrusion Abbreviation Web Application firewall Detection System WAFs are designed to protect web Analyze traffic for signatures or policy Functionality applications/servers from web-based violations attacks that IPSs cannot prevent. Placed before Web facing Generally, on the exit entry points i.e., Placement applications in web facing/DMZ perimeter of network zone of network Inspection of Sessions Packets Network protocols and network Scope HTTP/HTTPS applications applications ▪ Protects Application ▪ Protects OS and Application Benefits ▪ Looks for malicious logic ▪ Enforces protocols ▪ Enforces logic and behavior ▪ Looks for malicious payloads Works at Layer 7 Layer 4-7 Explicit reverse proxy, Transparent Transparent mode, connected via TAP Deployment mode, connected via TAP or through or through SPAN port SPAN port ▪ Signature based ▪ Signature based ▪ Protocol based Detection Algorithms ▪ Anomaly detection ▪ Anomaly detection ▪ Heuristics ▪ Heuristics SSL Offload Yes No functionality Perform Server Load Yes No balancing Performs User Yes No authentication DDOS protection At Layer 7 Yes WAF operates at the application layer where HTML, XML, Cookies, Analyze traffic for signatures or policy Functioning JavaScript, ActiveX, Client requests, violations and Server response’s function Encryption/Decryption Supported Not Supported Sessions where HTML, XML, Systems that analyze traffic for Inspection of Cookies, JavaScript, ActiveX, Client signatures or policy violations requests, and Server responses work 14 2.3 In-market WAF solutions 1 1- Mod Security Mod Security is an open source, free web application firewall that works on Apache system. Main features are simple filtering; regular expression-based filtering, URL encoding validation,Unicode encoding validation, auditing, null byte attack prevention, upload memory limits and server identity masking. 2- Imperva’s Secure Sphere Imperva’s Secure Sphere, providing solutions that secure enterprise data centers. Secure Sphere protects proprietary information, custom business applications, and critical servers. It addresses phishing, identity theft, data theft, malicious robots, worms, denial of service, and SQL injection. It reduces web attacks, database breach, and worm infection. According to survey of Information security, Secure Sphere has high availability, preloading polices & signature and regularity compliance features. 3- F5 –Big IP BIG-IP ASM (Application Security Manager) includes comprehensive, built-in authenticated application security policies for frequent applications as well as a regular policy-building engine that can become accustomed to application updates. This Firewall works as an appliance and provides main facilities like traffic monitoring and blocking. This firewall is among the top ten in the web application firewalls solutions. 4- Barracuda Network Application Gateway Barracuda network application gateway is a commercial firewall that presents application ware traffic administration. Typical Barracuda Firewall functions include: a state full packet inspection firewall, IPsec VPN and intelligent traffic flow control. According to research information, Barracuda has higher capability of high availability, SLL acceleration & offloading, connections pooling, coach & compression, preloading polices & signature and regularity compliance features. 15 Table 3 Defense mechanism Table 4 Management Interface 16 2.4 The OWASP Top10 Vulnerabilities2 The OWASP Top 10 is a list of the 10 most common web application security risks. 1: Injection Injection comes in several forms. Fundamentally injection involves inserting information that can be used to break out of the intended context of the input. Common categories of injection include Structured Query Language (SQL), NoSQL (Not only Structured Query Language), Lightweight Directory Access Protocol (LDAP), and operating system (OS) command injection. Injection is interesting and dangerous because it allows an attacker to potentially bypass all existing network, authentication, and authorization controls in place that protect your application. Injection can sometimes lead to data compromise or even system take‐ over. 2: Broken Authentication Broken authentication involves attack vectors such as stolen credentials, brute-force attacks, dictionary attacks, and session management attacks. if one website is hacked and a user’s password is compromised there, an attacker can use that information as part of a credential stuffing attack on different sites via password reuse. Brute-force and dictionary attacks involve repeated attempts at authentication (usually automated via botnets) using passwords from a dictionary list or via brute force. Common compensating controls include the use of Captchas, account lockout after multiple failed attempts, and enforcement of password complexity rules. Compromising session information is a different vector altogether. This might involve the execution of a Man-in-the-Middle attack to capture session data and replay that information as part of a replay attack. In some cases, session IDs are easily predictable. Compensating controls involve the use of less-predictable session identifiers and the use of digital certificates. Digital certificates help to mitigate Man-in-the-Middle attacks through encryption and through browser notifications indicating a spoofed or untrusted certificate. This is one of the reasons why many websites have mandated an all HTTPs strategy when serving content. The technical and business impact of broken authentication can include data compromise, data leakage, or complete system compromise if the account is a privileged system account. 17 3: Sensitive Data Exposure Sensitive data exposure vulnerabilities are a result of poor data protection practices. Sensitive data can be exposed at rest and in transit. Data that is not encrypted at rest (on a drive or tape) is a prime example. Sometimes, this might involve data backups that are not encrypted and the backups fall into the wrong hands. Standard defense-in-depth strategies typically involve the use of encryption depending upon the sensitivity of the data at hand. For instance, if it is Personally Identifiable Information (PII) or PCI (credit card data), you should deploy additional protections such as encryption. Encryption is effective only if you properly manage the keys used to encrypt the data. This means that you need to implement effective key management processes and technologies. From a separation of duties perspective, the team that is responsible for managing the keys should not be directly involved with the operational management of the system itself. By separating these functions, it forces some level of collusion to take place in order to compromise the key procedurally. More modern solutions for key management involve the storage of keys in separate protected key vaults, which allow for only indirect access and usage of the key. These key vaults should be managed by a group of security administrators who are not directly involved with the day-to- day administration of the system (a database is a great example). 4: XML External Entities (XXE) XXE attacks exploit vulnerabilities in XML processing engines. You can consider it to be a form of injection attack. If an unexpected XML entity such as <! UNEXPECTED XXE SYSTEM file:///etc/passwd">]> is passed to the system and proper validation is not in place, that data can be processed in such a way that allows an attacker to break out of the context of the XML processor. Legacy Simple Object Access Protocol (SOAP) web services prior to v1.2 are often susceptible to XXE attacks. OWASP recommends the use of less complex data formats such as JSON. If you absolutely need to use XML processing, you should update the XML processors and libraries to the latest versions. Whitelisting of valid inputs can help to ensure that unexpected inputs are not processed. 18 5: Broken Access Control Access controls imply authorization. In some cases, attackers can bypass application authorization mechanisms via URL manipulation, page manipulation, or custom API attacks. Attackers should not be able to access resources by simply guessing URL strings and patterns. Security through obscurity is not a viable protection pattern. All permutations of URL strings should be protected. Best practices can include the use of deny-all patterns and token invalidation after logout. A deny-all pattern for a firewall for instance might start with a rule statement that denies all Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) traffic with subsequent rules that open specific ports such as port 80 for HTTP. A simple example of this type of attack might involve the manipulation of a URL such as https://mywebsite.com/products Changing this URL to https://mywebsite.com/products?purcha‐ sedby=user@email.com might allow a user to directly access resources not explicitly authorized. For an attacker, this might require only simple trial and error. An attacker can use fuzzing techniques to dis‐ cover unidentified patterns. 6: Security Misconfiguration If your house is equipped with the latest alarm systems and locks but none of them are enabled, you could say they haven’t been con‐figured properly. The same holds true with software security controls. Common attack vectors include the exploitation of known administrative accounts and default passwords, unnecessary services, and unpatched systems. 7: Cross-Site Scripting (XSS) With cross-site scripting, attackers take advantage of APIs and DOM manipulation to retrieve data from or send commands to your application. Cross-site scripting widens the attack surface for threat actors, enabling them to hijack user accounts, access browser histories, spread Trojans and worms, control browsers remotely, and more. Training developers in best practices such as data encoding and input validation reduces the likelihood of this risk. Sanitize your data by validating that it’s the content you expect for that particular field, and by encoding it for the “endpoint” as an extra layer of protection. 19 8: Insecure Deserialization In practice, serialization involves taking data structures and sequencing them into consecutive bytes of data that can be stored in memory or on disk. Deserialization takes the serialized data and reassembles it back into its original data structure. Examples of data structures that are commonly serialized and deserialized include JSON, XML, HTTP cookies, HTML form parameters, API authentication tokens, and Remote Procedure Calls (RPC) communications. If an attacker can influence the way that data is deserialized, they can potentially manipulate the reconstituted data structure in a manner that compromises the integrity of the application. To pre‐ vent deserialization attacks, it is best to not accept serialized objects from untrusted sources. 9: Using Components with Known Vulnerabilities When application developers use code libraries with known vulnerabilities, they are making the application directly vulnerable. Given the exponential increase in the amount of third-party code libraries that developers use, this becomes a nagging issue in development and production environments. A best practice is to continually “repave” or redeploy an application’s micro services on a frequent basis, which incorporate the latest, patched versions of affected libraries. This works great in mature DevOps environments, but many shops have not reached this level of maturity. At a minimum the security operations team should be scanning production applications for vulnerabilities and patching the application on a proactive basis. 10: Insufficient Logging and Monitoring (new) Even though logging is a detective control in nature, its absence leads to a lack of visibility as it relates to threats. Applications should be sufficiently instrumented so that security-related events are captured and logged as needed. This allows security operations teams to monitor and correlate this information with other security and net‐ work events to facilitate proper threat identification and incident response procedures 2.5 Network automation Network programmability is a trend, enhanced and inspired by Software Defined Networks, that are based on scripting methods and standard programming languages used for 20 controlling and monitoring of network elements. Used illustrating some new methods in configuring network devices by using automation, reducing time for equipment configuration and easier maintenance. It also improves network security by recognizing and fixing security vulnerabilities and it increases the network stability. These methods represent the future of networks, allowing the management of an increased number of devices in a unitary way.3 Figure 4 How the Tool interact with the Topology 2.6 HTTP (Hypertext Transfer Protocol) and its methods The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypermedia information systems. The most common HTTP methods are POST, GET, PUT, and PATCH. These are used to create, update, and delete operations. There are also other methods that are less commonly used. The following figure presents HTTP header.4 21 Figure 5 HTTP Header 2.7 ASA Firewall A firewall monitors network traffic and allows or denies particular traffic based on its set of rules. Cisco Adaptive Security Appliance (ASA) 5500 Series Firewalls are one of the most popular and technically advanced firewalls for securing organizational networks and systems. It includes some of the features of antivirus, Intrusion Prevention System (IPS) and Virtual Private Network (VPN). One of the most valuable features of the Cisco ASA Firewall is threat detection that is available on any Cisco ASA Firewall that runs a software version of 8.0 or subsequent versions. Threat detection operates at layers 3 and 4 to determine a baseline for network traffic, analyzing packetdrop statistics and generating threat reports based on traffic patterns.5 2.8 NoSQL databases, JSONs and REST APIs 2.8.1 Relational vs non-Relational Databases Models The Relational Database (RDB) was developed from the 1970s to the present. Through a powerful Relational Database Management System (RDBMS), RDB is easy to use and maintain, and becomes a widely used kind of database. And it uses SQL (Structured Query Language) to do operations on data, executes queries, retrieves data, and edits data by updating, deleting, or creating new records. SQL is a lightweight, declarative language that does the heavy lifting for the relational database, acting as a database’s version of a server- side script. [above] A non-relational database is a database that doesn't use the tabular schema of rows and columns observed in maximum conventional database systems. Instead, non- relational databases use a garage version this is optimized for the unique necessities of the 22 sort of information being saved. For example, information can be saved as easy key/fee pairs, as JSON documents, or as a graph together with edges and vertices. We chose NoSQL non- relational over SQL-relational database because of data requirements aren’t clear at the outset and our data has massive amounts of unstructured data, we used non-relational database because they offer greater flexibility too.6 Types of NoSQL database models: 1. Key-Value store: stores data in a schema-less way that consists of indexed keys and values Example. Azure. 2. Column store: stores data tables as columns rather than rows. Example. HBase. 3. Document: each document in this type of database has its own data and a unique key used to retrieve the data. It’s a great option for storing, retrieving, and managing data that’s document-oriented but still semi-structured. Example. MongoDB. 4. Graph database—have data that is interconnected and best represented as a graph. Example. NEO4J. 2.8.2 NoSQL Document Model Terminology Table 5 Difference between SQL and MongoDB (keywords) SQL MongoDB Database Database Table Collection Row Document Column Field Primary Key _id Field Select [query] from table [table] db.[collection-name].find(query) Index Index 2.8.3 JSON, JavaScript Object Notation json.org definition: “JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but uses conventions that are familiar to programmers of the C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. These properties make JSON an ideal data-interchange language.” 23 Figure 6 JSON basic format Example: JSON file in the WAF tool: 1. { 2. "id1": [ 3. { 4. "device_name": "Branch1-Router", 5. "device_type": "ios", 6. "host": "192.168.20.254", 7. "username": "admin", 8. "password": "admin" 9. } 10. ], 11. "id2": [ 12. { 13. "device_name": "Branch1-Distrubution", 14. "device_type": "ios", 15. "host": "192.168.20.238", 16. "username": "admin", 17. "password": "admin" 18. } 19. ] 20. } 24 2.8.4 REST APIs Representational State Transfer (REST) is a software architectural style for web services that provides a standard for data communication between different kinds of systems. In simple terms, REST is a standard for exchanging data over the Web for the sake of interoperability between computer systems. 7 Figure 7 How REST API Work 2.9 Overview of the WAF tool Our WAF tool implementation has a lot of features that truly stand out with other WAF solutions in the market. The main architecture of the WAF implementation is built on Flask web framework as the main server which holds all of the data exchange with the support of opensource libraries and the output of these processes are the responsible of ReactJS GUI. Figure 8 WAF tool architecture As seen in the figure above we have the main components of the WAF tool: 25 1- WAF server, built in Flask upon Python which deals with the controllers and processing the fetched data to GUI. Example of Flask controller “devices” in the WAF Server: 1. @waf_app.route("/devices", methods=["GET", "PUT"]) 2. def devices(): 3. if request.method == "GET": 4. return getDevice() 5. elif request.method == "PUT": 6. device = request.get_json() 7. setDevice(device) 8. return {}, 204 2- Message Broker, we have an unusual approach in small size applications which is the message queueing brokers. We used the RabbitMQ message broker server to send the process to another consumer based on a queue to reduce performance issues. Figure 9 RabbitMQ message broker operation A message can include any kind of information. It could, for example, have information about a process or task that should start on another application (which could even be on another server), or it could be just a simple text message. The queue-manager software stores the messages until a receiving application connects and takes a message off the queue. The 26 receiving application then processes the message. 8 Example of RabbitMQ function start_receiving in RabbitMQ consumer: 1. def start_receiving(): 2. print("Worker: starting rabbitmq, listening for work requests") 3. connection = pika.BlockingConnection( 4. pika.ConnectionParameters("localhost")) 5. channel = connection.channel() 6. worker_queue = "waf" 7. channel.queue_declare(queue=worker_queue, durable=True) 8. print(f"\n\n [*] Worker: waiting for messages on queue: {worker_queue}.") 9. channel.basic_qos(prefetch_count=1) 10. channel.basic_consume( 11. on_message_callback=receive_work_request, queue=worker_queue 12. ) 13. try: 14. channel.start_consuming() 15. except KeyboardInterrupt: 16. print(f"Worker: shutting down") 17. channel.close() 18. connection.close() 19. exit() 3- MongoDB connection Handler, is the main component in the whole database interaction process we used the connection handler to handle the communication between the local mongo database and our tool to store any data we want to. Example of MongoDB setters and getters of the devices in the DB APIs 1. def getDevice(): 2. devices = {device['device_name']: remove_internals( 3. device) for device in db.devices.find()} 4. return devices 5. 6. def setDevice(device): 7. db.devices.insert_one(device) 27 2.10 The security aspects of the tool: Figure 10 Mind Map of Security Aspects . 28 Chapter 3 Methodology and Proposed Work 29 Chapter 3: Methodology and Proposed Work − 3.1 Planning. − 3.2 Design. − 3.3 Implementation. 30 3.1 Planning: In this phase the project roadmap was constructed, including the project plan, project scope, project schedule, project constraints, and work breakdown structure. 3.2 Design: The Network design was based on SOHO (Small Office Home Office) and the Spine- Leaf Architecture which is a two-tier network design in its depth. 3.3 Implementation: At this stage, the project began to take practical curve. − Network Building: The network is built with the appropriate hardware and configuration by the Eve-ng application, so that the network works as it should. − Configuring and installing Linux servers as Network services providers such as DHCP, DNS and Apache web server. − Implementing ASA firewall and configure it using ASDM tool. − Choosing and implementing the right Web-Framework for the tool. Choosing flask, it is a Python module that lets you develop web applications easily. It has a small and easy-to-extend core. Also, it is very suitable for our project and it’s scalable for future concerns. − Choosing and implementing the right Python libraries, Napalm, Scapy and more. − Choosing libraries to automate network operations and to capture packets and to parse them. We used these libraries: 1. Flask. 2. flask-sqlalchemy. 3. flask_cors. 4. net-tools. 5. Tabulate. 6. python_arptable. 7. Napalm. 8. Ntplib. 9. Psutil. 10. Scapy. 11. Pika. 12. python-nmap. 31 − Choosing the right GUI framework to work with. Using the REACTJS library to implement the components of the WAF, because it can be easy to learn and use. We are aware of other GUI framework such as TKinter or to implement the GUI using FLASK SPAs itself. 32 Chapter 4 Implementation of the Network 33 Chapter 4: Implementation of the Network − 4.1 Preface. − 4.2 The Emulator Environment EVE-NG. − 4.3 design overview. − 4.4 Network topology Configurations. 34 4.1 Preface In this project, XYZ corporation was taken as a case study, assuming it is a firewall that monitors network traffic. The XYZ will be referred to in the following pages as the XYZ. In this chapter, we will introduce the topology of the network based on its components which are routers, switches and computers. Moreover, the setup configurations for the network component, the complete topology, and the network security procedures. The emulation has been done using EVE-NG emulator which is installed on VMWare Workstation Pro. 4.2 The Emulator Environment EVE-NG EVE-NG provides tools for interacting with virtual devices and connecting them to each other to build a real network. Also, the EVE-NG ‘s features are considered as simple for accessibility, reusability, manageability, interconnectivity, and distribution of topologies, work, ideas, concepts, or simply "labs," and thus the ability to understand and share them. This could simply mean that it will save cost, resources and time in setting up the physical topology, or it could mean that you will be able to complete tasks you never thought possible. EVE-NG Recommended images: Multicore Switch image: i86bi_linux_l2-adventerprisek9-ms.SSA.high_iron_20190423 Switch image: i86bi-linux-l2-ipbasek9-15.1g.bin Router image: i86bi-linux-l3-adventerprisek9-15.4.2T ASAv Firewall: asav-992 virtioa.qcow2 4.3 design overview Initially, work was done on the appropriate design of the network, based on the concepts of network design, taking into account the three-layered hierarchical model (Core layer, Distribution layer and Access layer), flexibility (Allows intelligent traffic load sharing by using all network resources), redundancy (Which is one of the concepts of high availability that guarantees the permanent availability of the network and helps reduce the risks of the network and its failure) and Modularity (Allowing for future expansion of the network and dividing the network into modules gives a simpler design.). The common approach for designing networks involves three layers which are the 35 Access layer, the Distribution layer, and the Core layer. The Access layer is the level where host computers are connected to the network. The Distribution layer acts as an aggregation point for all the Access layer devices. The Core layer connects all Distribution layer devices and reliably and quickly switches and routes large amounts of traffic. Figure 11 The Network Topology 4.4 Network topology Configurations • Branch1-Access1: In this device, the following configurations are implemented: − SVI − VLAN − SSH 1. Switch>ena 2. Switch#conf t 3. Switch(config)#host Br-Acc1 4. 5. Br-Acc1(config)#int range e1/0-1 6. Br-Acc1(config-if-range)#duplex full 36 7. Br-Acc1(config-if-range)#ex 8. 9. Br-Acc1(config)#vlan 1 10. Br-Acc1(config-vlan)#ex 11. 12. Br-Acc1(config)#int vlan 1 13. Br-Acc1(config-if)#ip add 10.0.1.248 255.0.0.0 14. Br-Acc1(config-if)#no sh 15. Br-Acc1(config-if)#ex 16. 17. Br-Acc1(config)#username admin privilege 15 secret waf 18. Br-Acc1(config)#aaa new-model 19. Br-Acc1(config)#aaa authentication login default local 20. Br-Acc1(config)#enable secret waf 21. Br-Acc1(config)#service password-encryption 22. 23. Br-Acc1(config)#line vty 0 4 24. Br-Acc1(config-line)#transport input ssh 25. Br-Acc1(config-line)#login authentication default 26. Br-Acc1(config-line)#password waf 27. Br-Acc1(config-line)#exit 28. 29. Br-Acc1(config)#ip domain-name waf.com 30. Br-Acc1(config)#crypto key generate rsa 31. 32. Br-Acc1(config)#no cdp run • Branch1-Access2: In this device, the following configurations are implemented: − SVI − VLAN − SSH 1. Switch>ena 2. Switch#conf t 3. Switch(config)#host Br-Acc2 4. 5. Br-Acc2(config)#int range e1/0-1 6. Br-Acc2(config-if-range)#duplex full 7. Br-Acc2(config-if-range)#ex 8. 9. Br-Acc2(config)#vlan 1 10. Br-Acc2(config-vlan)#ex 37 11. 12. Br-Acc2(config)#int vlan 1 13. Br-Acc2(config-if)#ip add 10.0.1.252 255.0.0.0 14. Br-Acc2(config-if)#no sh 15. Br-Acc2(config-if)#ex 16. 17. Br-Acc2(config)#username admin privilege 15 secret waf 18. Br-Acc2(config)#aaa new-model 19. Br-Acc2(config)#aaa authentication login default local 20. Br-Acc2(config)#enable secret waf 21. Br-Acc2(config)#service password-encryption 22. 23. Br-Acc2(config)#line vty 0 4 24. Br-Acc2(config-line)#transport input ssh 25. Br-Acc2(config-line)#login authentication default 26. Br-Acc2(config-line)#password waf 27. Br-Acc2(config-line)#exit 28. 29. Br-Acc2(config)#ip domain-name waf.com 30. Br-Acc2(config)#crypto key generate rsa 31. 32. Br-Acc2(config)#no cdp run • Branch1-Distrubition1: In this device, the following configurations are implemented: − SVI − VLAN − SSH − RIP Protocol − Default route − IP in Interface e0/1 1. Switch>en 2. Switch#conf t 3. Switch(config)#host Br-Dist1 4. 5. Br-Dist1(config)#int e0/1 6. Br-Dist1(config-if)#no switchport 7. Br-Dist1(config-if)#ip add 172.16.10.2 255.255.255.252 8. Br-Dist1(config-if)#duplex full 9. Br-Dist1(config-if)#no sh 38 10. Br-Dist1(config-if)#ex 11. 12. Br-Dist1(config)#vlan 1 13. Br-Dist1(config-vlan)#ex 14. 15. Br-Dist1(config)#int vlan 1 16. Br-Dist1(config-if)#ip add 10.0.1.242 255.0.0.0 17. Br-Dist1(config-if)#no sh 18. Br-Dist1(config-if)#ex 19. 20. Br-Dist1(config)#router rip 21. Br-Dist1(config-router)#ver 2 22. Br-Dist1(config-router)#no au 23. Br-Dist1(config-router)#net 10.0.0.0 24. Br-Dist1(config-router)#net 172.16.0.0 25. Br-Dist1(config-router)#net 192.168.99.0 26. Br-Dist1(config-router)#ex 27. 28. Br-Dist1(config)#ip route 0.0.0.0 0.0.0.0 192.168.10.1 29. Br-Dist1(config)#ip route 0.0.0.0 0.0.0.0 192.168.10.2 30. 31. Br-Dist1(config)#username admin privilege 15 secret waf 32. Br-Dist1(config)#aaa new-model 33. Br-Dist1(config)#aaa authentication login default local 34. Br-Dist1(config)#enable secret waf 35. Br-Dist1(config)#service password-encryption 36. 37. Br-Dist1(config)#line vty 0 4 38. Br-Dist1(config-line)#transport input ssh 39. Br-Dist1(config-line)#login authentication default 40. Br-Dist1(config-line)#password waf 41. Br-Dist1(config-line)#exit 42. 43. Br-Dist1(config)#ip domain-name waf.com 44. Br-Dist1(config)#crypto key generate rsa 45. 46. Br-Dist1(config)#no cdp run • Branch1-Distrubition2: In this device, the following configurations are implemented: 39 − SVI − VLAN − SSH − RIP Protocol − Default route − IP in Interface e0/2 1. Switch>en 2. Switch#conf t 3. Switch(config)#host Br-Dist2 4. 5. Br-Dist2(config)#int e0/2 6. Br-Dist2(config-if)#no switchport 7. Br-Dist2(config-if)#ip add 172.16.10.6 255.255.255.252 8. Br-Dist2(config-if)#duplex full 9. Br-Dist2(config-if)#no sh 10. Br-Dist2(config-if)#ex 11. 12. Br-Dist2(config)#vlan 1 13. Br-Dist2(config-vlan)#ex 14. 15. Br-Dist2(config)#int vlan 1 16. Br-Dist2(config-if)#ip add 10.0.1.246 255.0.0.0 17. Br-Dist2(config-if)#no sh 18. Br-Dist2(config-if)#ex 19. 20. Br-Dist2(config)#router rip 21. Br-Dist2(config-router)#ver 2 22. Br-Dist2(config-router)#no au 23. Br-Dist2(config-router)#net 10.0.0.0 24. Br-Dist2(config-router)#net 172.16.0.0 25. Br-Dist2(config-router)#net 192.168.99.0 26. Br-Dist2(config-router)#ex 27. 28. Br-Dist2(config)#ip route 0.0.0.0 0.0.0.0 192.168.10.2 29. 30. Br-Dist2(config)#username admin privilege 15 secret waf 31. Br-Dist2(config)#aaa new-model 32. Br-Dist2(config)#aaa authentication login default local 33. Br-Dist2(config)#enable secret waf 34. Br-Dist2(config)#service password-encryption 35. 40