danielsason112/protective-edge

Protective Edge

Container-based Web Application Firewall

Table of Contents
  1. About The Project
  2. Software Design
  3. Getting Started
  4. Usage
  5. License
  6. Contact
  7. Acknowledgements

About The Project

This project describes a web application firewall designed to identify and block attacks on websites and web applications. The system addresses cyber security risks to web servers and aims to prevent business and reputational damage, sensitive information leaks and other dangers related to cyber attacks. It is container based (Docker), runs on Linux operating systems, and consists of three subsystems: a client-side system responsible for transferring all communication, an analysis system responsible for identifying attacks, and a management system. This project developed the client side, which works as a reverse proxy, and the management system, which handles system deployment and status updates. Because the analysis system is not part of this project, a mock system was developed to execute operations that require integration with the analysis system.

The client-side system is a reverse-proxy server that accepts all communication intended for the client’s server. This is a first line of defence: all requests are addressed to the proxy, which leaves the server’s address hidden. The system can work in blocking mode, where malicious requests are blocked, or in non-blocking mode, where all communication is forwarded and the requests are only monitored. After receiving a request, the proxy sends it for analysis and waits for the result. If the analysis passes the request, or the proxy is working in non-blocking mode, the proxy forwards the request to the server and waits for the response. Malicious requests are blocked if the system has been set to do so. The server’s response is forwarded back to the request sender. Furthermore, a “rules” module allows manipulating the server’s response, for example by adding or editing HTTP headers. The system also contains a fail-safe mechanism, triggered when the connection to the analysis system is lost: it deploys a local analysis system and forwards the requests waiting for analysis to it. The client side is container based, so deployment is fast and no environment setup or installation is required.

The management system lets users execute actions and receive updates on the system’s status. It is responsible for managing users, authenticating them with tokens, and enforcing user permissions. It allows adding new client servers and configuring them. For existing servers, it can deploy the client-side and analysis systems or “kill” a running deployment. The system receives and saves reports on requests that were identified as malicious, and the status of these reports is available for monitoring the server. The system has a web user interface that can be used in any browser.

As mentioned, the analysis system’s job is to analyze HTTP requests and classify them as innocent or malicious. Implementing the analysis system is outside this project’s scope, so a mock system was developed in order to use the other parts of the system that require integration with it. The mock system receives requests for analysis; every pre-defined number of requests, it returns a malicious analysis result and reports it to the management system. This mock server can be run as a container.
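The request flow of the client side and the behaviour of the mock analyzer described above, sketched as an added example that is not code from this repository. All function names, the in-process callbacks standing in for the gRPC calls, and the 403 status are assumptions.

```javascript
// Mock analyzer as the README describes it: every n-th request is classified
// as malicious and reported to the management system (here: a callback).
function makeMockAnalyzer(n, report) {
  let seen = 0;
  return async (req) => {
    const malicious = ++seen % n === 0;
    if (malicious) report({ method: req.method, url: req.url });
    return { malicious };
  };
}
// "Rules" module: add or overwrite headers on the server's response.
function applyRules(response, rules) {
  const headers = { ...response.headers };
  for (const { header, value } of rules) headers[header.toLowerCase()] = value;
  return { ...response, headers };
}
function makeProxy({ blocking, analyze, deployLocalAnalyzer, upstream, rules }) {
  let current = analyze;
  return async function handle(req) {
    let verdict;
    try {
      verdict = await current(req);
    } catch (err) {
      // Fail-safe: analysis system unreachable, deploy a local one and re-submit.
      current = deployLocalAnalyzer();
      verdict = await current(req);
    }
    // Blocking mode rejects malicious requests; non-blocking mode only monitors.
    if (verdict.malicious && blocking) {
      return { status: 403, headers: {}, body: "blocked" }; // assumed status
    }
    return applyRules(await upstream(req), rules);
  };
}
// Constructed sample: the remote analyzer is down, the upstream always says 200.
async function demo(blocking) {
  const reports = [];
  const handle = makeProxy({
    blocking,
    analyze: async () => { throw new Error("analysis system unreachable"); },
    deployLocalAnalyzer: () => makeMockAnalyzer(3, (r) => reports.push(r)),
    upstream: async () => ({ status: 200, headers: { server: "app" }, body: "ok" }),
    rules: [{ header: "Server", value: "protective-edge" }],
  });
  const out = [];
  for (let i = 1; i <= 4; i++) out.push(await handle({ method: "GET", url: `/p/${i}` }));
  return { statuses: out.map((r) => r.status), reports, last: out[3] };
}
```

In both modes the third request is reported; only blocking mode turns that verdict into a rejected request, which is why non-blocking mode is useful for tuning before enforcement.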

All communication between the subsystems is implemented with gRPC, a cross-platform external library that gives flexibility in sending messages between client and server and is easy to use. Node.js, a JavaScript runtime environment, was chosen for implementing the client-side and management systems, taking into consideration that Node.js is a platform designed for web application development and is suitable for writing asynchronous code. Also, the client side does not use the CPU extensively or run many I/O operations, so a single-threaded server allows many concurrent connections without overloading the memory, and thus reaches better performance than a multi-threaded server when there are many concurrent connections.

Built With

Major platforms and frameworks used in this project:

Software Design

Architecture

The System contains three subsystems:

  1. Client-Side - Container based Reverse Proxy
  2. Core - Container Based Analysis System
  3. Management - Web Application for managing services.

Getting Started

Prerequisites

  1. Ubuntu 18.04
  2. Node.js V10
  3. MongoDB 4.2
  4. Docker Engine 19.09.9
  5. Git

Installation

  1. Clone the repo or download the source code.
  2. Open a terminal at '/management' and run:
     npm install
     node index.js
  3. Create an admin user in the db.

Usage

Open the browser at http://localhost:5000 and sign in.

Click New Project and fill in your web app details (you can use WebGoat 8.0).

Choose the created project in the Project page.

Click Deploy.

To stop the service click Kill.

Any threats found and blocked requests will appear in the Messages page.

License

Distributed under the MIT License. See LICENSE for more information.

Contact

Daniel Sason - [email protected]

Project Link: https://github.com/danielsason112/protective-edge/

Acknowledgements

Icons made by Pause08 from www.flaticon.com

About

Final project - Afeka college