Tuesday, December 12, 2017

WAF Helps Keep Your Azure App Available. Mostly.

OWASP 3.0 Rules in Azure Portal
Azure Application Gateway has an optional feature called Web Application Firewall (WAF), which affords protection against numerous types of attacks against your Azure web app. The functionality and features of App Gateway and WAF are well documented online, but recently a colleague discovered a less obvious aspect that's worth sharing.

If the WAF feature is enabled in your App Gateway, a set of filtering rules is applied. WAF rules are visible and configurable in the Azure Portal, as seen in the adjacent image. You select either the OWASP 2.x or 3.x rule set. The list of rules is large and detailed, as shown in the adjacent image for OWASP 3.0.

The Problem


I always advocate working with technology to discover undocumented aspects, product limits, and the like. This is how you build domain expertise. Jorge Cotillo was doing just that, using WAF Prevention mode with OWASP 3.0, and he stumbled on an interesting issue with a customer.

In Prevention mode, WAF returns HTTP 403 to callers if a rule violation is detected. The customer has a legacy app that calls webresource.axd to access resources, and legitimate requests ran afoul of those rules. A very important business function was blocked.

The problem was traced by first noticing the broken application functionality, then by looking into the WAF logs to correlate blocked requests to access attempts by the app.

The Solution

Note: Exercise caution before disabling any WAF protection rules, as this can render your web app prone to certain attacks.
OWASP 3.0 Rule 92440
Access to the .AXD was restored by disabling rule 920440, "URL file extension is restricted by policy".

With .AXD access restored, Jorge then discovered that a WCF service was also blocked. After research, the following rules were disabled and the WCF service became accessible. The service was not using transport security.

  • 920300 - Request Missing an Accept Header
  • 920320 - Missing User Agent Header
  • 920420 - Request content type is not allowed by policy
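To make the log-correlation step from "The Problem" concrete, and to show how an exception list like the one above can be derived from evidence in the WAF logs rather than by trial and error, here is an added Python example. It is not code from the original post or from Microsoft. It assumes the Application Gateway firewall diagnostic-log shape (one JSON record per line, category ApplicationGatewayFirewallLog, with ruleId, action, requestUri and message under properties), uses constructed log lines with made-up addresses, assumes the CRS 3.0 rule-group names listed in CRS3_GROUPS, and treats APP_PATHS as a hypothetical list of the legacy app's legitimate endpoints. The output is shaped like the disabledRuleGroups entries (ruleGroupName plus rules) of an App Gateway WAF configuration, which is also an assumption to check against the current API.

```python
"""Correlate Azure Application Gateway WAF log records with an app's known
endpoints, then derive which OWASP CRS 3.0 rules can get an exception.
Illustrative code, not from the original post."""
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample records in the assumed diagnostic-log shape: one JSON
# object per line, category "ApplicationGatewayFirewallLog", details under
# "properties". Addresses, URIs and the final access-log line are made up.
SAMPLE_LOG = r'''
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"203.0.113.7","requestUri":"/WebResource.axd?d=AbC123","ruleSetType":"OWASP","ruleSetVersion":"3.0","ruleId":"920440","message":"URL file extension is restricted by policy","action":"Blocked"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"203.0.113.8","requestUri":"/webresource.axd?d=XyZ987","ruleSetType":"OWASP","ruleSetVersion":"3.0","ruleId":"920440","message":"URL file extension is restricted by policy","action":"Blocked"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"198.51.100.9","requestUri":"/old.bak","ruleSetType":"OWASP","ruleSetVersion":"3.0","ruleId":"920440","message":"URL file extension is restricted by policy","action":"Blocked"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"203.0.113.7","requestUri":"/LegacyService.svc","ruleSetType":"OWASP","ruleSetVersion":"3.0","ruleId":"920300","message":"Request Missing an Accept Header","action":"Blocked"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"203.0.113.7","requestUri":"/LegacyService.svc","ruleSetType":"OWASP","ruleSetVersion":"3.0","ruleId":"920320","message":"Missing User Agent Header","action":"Blocked"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"203.0.113.7","requestUri":"/LegacyService.svc","ruleSetType":"OWASP","ruleSetVersion":"3.0","ruleId":"920420","message":"Request content type is not allowed by policy","action":"Blocked"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"198.51.100.9","requestUri":"/search.aspx?q=1%27+OR+%271%27%3D%271","ruleSetType":"OWASP","ruleSetVersion":"3.0","ruleId":"942100","message":"SQL Injection Attack Detected via libinjection","action":"Blocked"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"203.0.113.7","requestUri":"/Default.aspx","ruleSetType":"OWASP","ruleSetVersion":"3.0","ruleId":"920320","message":"Missing User Agent Header","action":"Detected"}}
{"category":"ApplicationGatewayAccessLog","properties":{"clientIp":"203.0.113.7","requestUri":"/Default.aspx","httpStatus":200}}
'''

# Hypothetical list of the legacy app's legitimate endpoints (path only).
APP_PATHS = ["/WebResource.axd", "/LegacyService.svc"]

# Assumed CRS 3.0 rule-group names as Azure exposes them; a rule id's first
# three digits identify its group. Unknown groups get a placeholder name.
CRS3_GROUPS = {
    "920": "REQUEST-920-PROTOCOL-ENFORCEMENT",
    "921": "REQUEST-921-PROTOCOL-ATTACK",
    "930": "REQUEST-930-APPLICATION-ATTACK-LFI",
    "931": "REQUEST-931-APPLICATION-ATTACK-RFI",
    "932": "REQUEST-932-APPLICATION-ATTACK-RCE",
    "941": "REQUEST-941-APPLICATION-ATTACK-XSS",
    "942": "REQUEST-942-APPLICATION-ATTACK-SQLI",
}


def parse_firewall_log(text):
    """Parse one JSON record per line; skip blank or malformed lines and keep
    only the firewall category (access-log records are ignored)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("category") == "ApplicationGatewayFirewallLog":
            entries.append(rec["properties"])
    return entries


def request_path(uri):
    """Path component of the logged URI, lower-cased, query string dropped."""
    return urlsplit(uri).path.lower()


def blocked_paths_by_rule(entries):
    """Map rule id -> list of request paths that rule blocked (Prevention-mode
    403s). Records with a non-blocking action are not counted."""
    hits = defaultdict(list)
    for props in entries:
        if props.get("action") == "Blocked":
            hits[props["ruleId"]].append(request_path(props["requestUri"]))
    return hits


def classify_rules(entries, app_paths):
    """Per rule: 'disable' if every block hit a known app endpoint, 'review' if
    blocks were mixed, 'keep' if nothing known was blocked."""
    known = {p.lower() for p in app_paths}
    verdicts = {}
    for rule, paths in blocked_paths_by_rule(entries).items():
        legit = [p for p in paths if p in known]
        unknown = sorted({p for p in paths if p not in known})
        if not legit:
            kind = "keep"
        elif unknown:
            kind = "review"
        else:
            kind = "disable"
        verdicts[rule] = {"kind": kind, "blocked": len(paths), "unknown_paths": unknown}
    return verdicts


def disabled_rule_groups(verdicts):
    """Build disabledRuleGroups-style entries for rules classified 'disable'."""
    groups = defaultdict(list)
    for rule, v in verdicts.items():
        if v["kind"] == "disable":
            name = CRS3_GROUPS.get(rule[:3], "UNKNOWN-GROUP-" + rule[:3])
            groups[name].append(int(rule))
    return [{"ruleGroupName": g, "rules": sorted(r)} for g, r in sorted(groups.items())]


if __name__ == "__main__":
    verdicts = classify_rules(parse_firewall_log(SAMPLE_LOG), APP_PATHS)
    for rule, v in sorted(verdicts.items()):
        print(rule, v["kind"], "blocked=%d" % v["blocked"], v["unknown_paths"])
    print(json.dumps(disabled_rule_groups(verdicts), indent=2))
```

A rule only lands in the disabled-groups output when every request it blocked went to a known application endpoint; in the sample, 920300, 920320 and 920420 qualify, while 920440 also stopped a request for an unrelated .bak file and is flagged for review rather than disabled outright, and 942100 blocked nothing legitimate and stays enabled. That split is the practical form of the caution in the Note above: an exception should cover the traffic you have evidence for, not the whole rule by reflex.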


Conclusion


Security Effectiveness vs. "Tightness"
Security is essential on the internet, and should be part of any internet-facing web app / API from the get-go. But remember that a primary function of security is to keep the business function running and usable by customers. Balance is required to ensure that goal is met.

This situation is one I've seen before, where implementing a security technology or policy to safeguard a computer-based business function actually prevented its use. Security is not a linear function; it is - as are so many aspects of technology - a bell curve (or an approximation of one). Crank up the "security" too far (say, to 11) and business protection actually goes down. The irony is that the business function is very secure, because it's inaccessible.

Wednesday, December 6, 2017

Certification - The Road to Azure Exams

I've recently completed a long and successful path to an Azure certification, and want to share my experience and anecdotes. Along my journey I found numerous helpful online articles and blogs from individuals, so I'd like to give back to the community to help those headed the same way.

You might also ask why I chose certification at all. Didn't I already know Azure pretty well? Wasn't that enough? I do know numerous Azure technologies and offerings quite well, and could build, deploy, and secure applications and databases. But Azure's a very broad umbrella for many other technologies and I felt it was very worthwhile to ensure I'd learned as much as possible and could prove it. Certification was an excellent way to do that, and it also provides a credential for my professional portfolio.


Setting Out


There are a number of exams to consider if you're targeting Azure certification, or any other for that matter. You combine several exams from a defined certification path to earn a particular title, like Azure MCSE. The first step is to see what's available in your chosen path. Second, by reviewing the focus and content of each exam, you get an idea of the level of effort and time it might take to pass each one. It makes sense to start with an exam whose content you know best and with which you are most comfortable.


Two Things


If I boiled down the arduous task of passing a certification test, it'd come to these two things:

  1. Know the technology well. Practice, experiment, watch videos, get familiar, build, tear down. This implies you'll need all the software & tools, and an Azure account if you'll be doing cloud work. I also recommend a VSTS account (Visual Studio Team Services) so you can work on CI/CD configuration and how to build & publish code to Azure web sites/services. This isn't strictly required, but it can help, particularly for developers. Spend a few hours every week, or better yet, work with Azure every day if possible.
  2. Buy the official Microsoft-sanctioned practice test, and work with it relentlessly. Beware of off-brand tests that make promises; they may be good, but quality can vary widely, and there's only one official practice test vendor at the time of this writing.


Know The Topic


Nothing beats actual experience.

Sounds obvious, and it is. Learn the basics, then advance into harder scenarios. I particularly enjoyed making a web site, or REST API, doing a code check-in and watching it build and deploy automatically to Azure, in just a couple minutes and without having to build or configure infrastructure. That's the promise of cloud computing, and it works really, really well with Microsoft tools and technologies. That's something that would've been impossible just a few years ago.

Another reason to do personal projects is to go beyond the marketing-speak, and find out what doesn't work well, or where limits lie. Trade-show presentations (and the like) get the audience excited about demoware, but rarely tell you where the technology falls down; that'd be silly given that the demo is to promote the technology and get people to use it. That's their agenda; yours is to find how applicable and capable it is, and where the boundaries lie. There might be some "gotchas" that create dead-ends for an architecture or intended business direction. You can't find all these or even a majority, but you'll find enough to start building your knowledge base and to realize that hey, this thing has aspects that can interfere with your intentions.


About The Practice Test


Oh boy. This is where things got "interesting", and by that I mean problematic.

I bought a test package that included temporary online access to the practice test, and 2 exam tries. The practice test is supposed to be very similar to the actual test, but after a little experience I was hoping that claim was untrue.

Even though I was quite familiar with Azure's features, my first practice test didn't go so well. Sure, there were a few detail knowledge gaps - an opportunity to shore up my knowledge in a particular area - but I found it very challenging to solve the impedance mismatch.

Impedance mismatch is a term from electrical engineering referring to two analog electric circuits that do not connect their signals / energy well. In extreme cases it can cause damage. It's important that impedance be matched between the circuits in order to properly and safely operate, and achieve a goal. When used metaphorically, the term refers to how well one party can interact / communicate with another party.

Some of the questions were confusing / unclear / ambiguous as to the desired answer. Upon test completion and review of the "correct" answers, I was bewildered. It was only then that I could reverse-infer what the question wanted. Let me give an [absurd] example that I've made up:

Question:
You take a train from New York to Chicago. The train averages 50mph, and the distance is 800 miles. Upon arriving, what do you do?
Choose one answer:
  1. Go to a restaurant
  2. Call your mother
  3. Check-in to your hotel
The correct answer is (1), because after 800 miles you're famished, and you can call your mother from the restaurant. Then after satisfying those needs, you can check-in at your hotel later.

Yes, I said it was an absurd example. But that's how some of the questions felt - no way to anticipate the answer they wanted, nor infer something reasonable. The components of the question - transport mode, distance, average speed - were mostly irrelevant in choosing an answer.

It's hard to "win" when that's the game.

After many hours of practice Q & A, and analyzing each provided answer, I began to "tune" the impedance mismatch between my logical, educated brain and the practice test. I learned to make alternate inferences when required information was missing in a scenario question.

When I got to the real certification test, this sort of problem did not materialize. Some inferential thinking was still required, but it was more modest and never absurd nor even a stretch. And that's why I'm glad that the practice test wasn't like the real one.

Thoughts from the Practice and Real Exams


In short form, here are a few notable aspects of the practice and real exams:

  • A few practice answers were just wrong, I was able to confirm.
  • A few practice answers were essentially impossible to get correct.
  • The practice test induces self-doubt as to whether you'll ever be able to pass the real test. You can.
  • Select a modest number of practice test questions for each session. The default was 50 which took hours to complete. I preferred 10-20 to fit my schedule better.
  • Some practice & real exam questions require several correct sub-answers, sometimes in a specific sequence. So to get credit for 1 correct answer, I actually had to make 4-7 correct sub-answers. The worst case was 13 correct sub-answers within a practice test, with no partial credit given. Fortunately the real exam offered partial credit for correct sub-answers, even if the overall question was not answered correctly.
  • Some VM SKU questions required detailed knowledge of what was in each size, such as slots. The real world is open-book, with internet search engines providing just-in-time knowledge, so memorizing such arcane details is not practical in my opinion, but you still have to have some idea of them for the exam.
  • The real exam's case studies were much longer and more detailed than the practice. This is why people recommended reading the questions first, then scanning the case studies for necessary information. It's essential to perform strong time management in this way, or the clock may run out on you (the real exam is time-limited).
  • To work through all the practice exam questions without them repeating, I had to make specific choices in the online web page's configuration such as number of questions, whether to allow prior correct/incorrect questions, etc. Without doing this, I found myself simply selecting correct answers from memory rather than learning and analyzing new topics.
  • I took the proctored real exam from home. This was convenient and easy to schedule, but be aware that the requirements are very stringent - you can't take a sip of water, the whole room must be close to "sterile", and nobody had better walk in on you. And you can't talk (or mumble?).
  • Some real exam questions had a little ambiguity, and the practice test helped me to prepare for that possibility and know how to deal with it.
  • Unlike the practice exam, the real exam doesn't show you correct answers at the end. You just get a pass/fail, and your numeric score (700 is passing, but don't assume that 1000 is a perfect score).

Certification Isn't Enough


The software industry requires constant learning, and this is especially true of online technologies. Passing a certification test is great, but Azure features change every week and may take a year or more to appear on a test; likewise, features deprecated or removed can remain on the test for the same period. To be an effective architect / developer / administrator of Azure, you need far more knowledge than can be garnered through the test, so keep your eye on the industry. Microsoft has blogs, email push, web sites, and other resources to keep you abreast of larger changes and feature introductions. But even they don't capture everything - I've seen portal page changes that were entirely undocumented.

Nothing beats actual experience.