Topic: Seeking Guidance on Integrating OWASP Principles into OPNsense Firewall (Read 1617 times)
vivekmauli14
Newbie
Posts: 42
Karma: 0
Seeking Guidance on Integrating OWASP Principles into OPNsense Firewall
« on: May 28, 2024, 02:17:58 pm »
Hi there,
I am interested in integrating OWASP principles into my OPNsense firewall setup. Specifically, I am looking for advice or best practices on how to:
./Implement rules or configurations in OPNsense that align with OWASP recommendations.
./Utilize OPNsense features or plugins to mitigate the risks identified in the OWASP Top 10.
./Leverage any available tools or scripts that facilitate the incorporation of OWASP security measures in OPNsense.
./Set up logging and monitoring within OPNsense to detect and respond to the security threats outlined by OWASP.
I believe that by aligning OPNsense with OWASP's best practices, we can significantly enhance the security posture of our web applications and infrastructure.
If any community members have experience or insights on this topic, your guidance would be greatly appreciated. Additionally, if there are any existing resources, or documentation that could assist in this endeavor, kindly point me in the right direction.
Thank you for your time and assistance.
Best regards,
VivekS
« Last Edit: May 28, 2024, 02:22:15 pm by vivekmauli14 »
Logged
chemlud
Hero Member
Posts: 2481
Karma: 112
Re: Seeking Guidance on Integrating OWASP Principles into OPNsense Firewall
« Reply #1 on: May 28, 2024, 02:20:58 pm »
These security experts: https://owasp.org/blog/2024/03/29/OWASP-data-breach-notification.html ?
Logged
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare
felix eichhorns premium katzenfutter mit der extraportion energie
A router is not a switch - A router is not a switch - A router is not a switch - A rou....
vivekmauli14
Newbie
Posts: 42
Karma: 0
Re: Seeking Guidance on Integrating OWASP Principles into OPNsense Firewall
« Reply #2 on: May 28, 2024, 02:38:50 pm »
Hi chemlud,
Thank you for your quick response, yes, you are on point with what I'm looking for. The blog post you shared underscores the importance of data breach notifications, which is a critical aspect of web application security.
To build on that, I'm specifically interested in how to integrate OWASP principles directly into the OPNsense firewall.
I would greatly appreciate your guidance.
Thanks,
VivekS
Logged
franco
Administrator
Hero Member
Posts: 17628
Karma: 1607
Re: Seeking Guidance on Integrating OWASP Principles into OPNsense Firewall
« Reply #3 on: May 28, 2024, 02:43:45 pm »
Typically OWASP (Top 10-ish) is enforced via Web Application Firewall so you could check out Nginx plugins (NAXSI in particular) or OPNWAF plugin (which uses Apache/mod_security). Note this pertains to protectable assets, not the firewall itself.
Cheers,
Franco
Logged
chemlud
Hero Member
Posts: 2481
Karma: 112
Re: Seeking Guidance on Integrating OWASP Principles into OPNsense Firewall
« Reply #4 on: May 28, 2024, 03:10:03 pm »
The incident highlights to me that security is not that much a list with checkboxes, but lots of hard work to keep your network closed down and up-to-date.
Avoid the toxic trinity: Windows-Outlook-ActiveDomain and you have a good chance to be safe if you are not a high-value target...
vivekmauli14
Newbie
Posts: 42
Karma: 0
Re: Seeking Guidance on Integrating OWASP Principles into OPNsense Firewall
« Reply #5 on: May 29, 2024, 06:51:20 am »
Hi Franco,
As far as I am aware, NAXSI doesn't cover all OWASP Top 10 security risks comprehensively. I have also tried searching for OPNWAF but couldn't find relevant information.
Could you please guide me or point me in the right direction for setting up similar OWASP Top 10 mitigations for Apache or Nginx within OPNsense? Any recommendations on tools, configurations, or resources would be greatly appreciated.
Thank you for your assistance.
Br,
VivekS
Logged
franco
Administrator
Hero Member
Posts: 17628
Karma: 1607
Re: Seeking Guidance on Integrating OWASP Principles into OPNsense Firewall
« Reply #6 on: May 29, 2024, 08:28:23 am »
"doesn't cover all" sounds like it only requires a bit of effort to me
Well, I noted which tools you can use and the packages are all available in the repository.
Cheers,
Franco
Logged
Patrick M. Hausen
Hero Member
Posts: 6746
Karma: 568
Re: Seeking Guidance on Integrating OWASP Principles into OPNsense Firewall
« Reply #7 on: May 29, 2024, 09:28:07 am »
These "OWASP Top Ten" all apply to applications. Fix your web applications. A firewall is a network security and policy enforcement device, not a silver bullet for broken apps.
Logged
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
franco
Administrator
Hero Member
Posts: 17628
Karma: 1607
Re: Seeking Guidance on Integrating OWASP Principles into OPNsense Firewall
« Reply #8 on: May 29, 2024, 09:33:26 am »
True, yet to be fair here a WAF allows you to mitigate these problems when you have no direct control over the application / updates / vendor being lazy.
Cheers,
Franco
Logged
vivekmauli14
Newbie
Posts: 42
Karma: 0
Re: Seeking Guidance on Integrating OWASP Principles into OPNsense Firewall
« Reply #9 on: May 29, 2024, 10:57:12 am »
Hi,
I understand that a firewall is not a silver bullet for application vulnerabilities and that the OWASP Top 10 primarily applies to web applications. However, considering the necessity of mitigating these risks when direct control over the application is not feasible, I'm ready to put in the effort to configure the OWASP principles in the WAF on OPNsense.
Franco, can you please confirm if installing NAXSI directly from https://github.com/wargio/naxsi on OPNsense is a viable approach? Or would you recommend a different method for integrating this WAF with OPNsense to cover the OWASP Top 10 security risks effectively?
Any guidance you could provide would be greatly appreciated.
Thank you for your assistance.
Best regards,
VivekS
Logged
franco
Administrator
Hero Member
Posts: 17628
Karma: 1607
Re: Seeking Guidance on Integrating OWASP Principles into OPNsense Firewall
« Reply #10 on: May 29, 2024, 11:02:44 am »
NAXSI is built into the nginx binary package and to my knowledge the nginx plugin will also handle a bit of that.
Cheers,
Franco
Logged
vivekmauli14
Newbie
Posts: 42
Karma: 0
Re: Seeking Guidance on Integrating OWASP Principles into OPNsense Firewall
« Reply #11 on: May 29, 2024, 12:31:56 pm »
Thanks, Franco, for your quick response. Can you give me a breakthrough on how I get started with implementing this in OPNsense? I am ready to contribute to this in the community If get
Any small point would help me a lot.
Thanks in advance!
Br,
VivekS
Logged
meyergru
Hero Member
Posts: 1660
Karma: 164
IT Aficionado
Re: Seeking Guidance on Integrating OWASP Principles into OPNsense Firewall
« Reply #12 on: May 29, 2024, 12:38:41 pm »
Your approach is way too simplistic:
As for naxsi - the documentation says:
Quote
The original project is officially abandoned (and has been archived the 8th Nov 2023)
And BTW: Where does the documentation state that it implements OWASP recommendations? It sure cannot.
On a general note: If you look at the specific rules, you will notice that while they may address some specific known attack patterns, they may well in turn render some applications unusable. Imagine a website with a URL sporting /mysql/ somewhere in it and look at rule #40000034.
Just search this forum for suricata and see how many people have "just" enabled it (with all rules active) and then complained about how something did not work (tm)...
That being said, OWASP recommendations target web applications, not firewalls. If you read them at all, you will notice that almost none of them can even be implemented at the firewall level, some could potentially be mitigated, but at the cost of indifferently disallowing things that may be needed depending on your specific applications.
Breaking up a TLS connection in order to be able to look at URLs or even content needs a means to either fake (if you want to inspect outgoing connections) or have the certificate of the target (for incoming connections), which is often not viable or poses a risk in itself.
There is always a tradeoff between usability and security - if you cannot implement OWASP principles in the web application itself and do "other things" that restrict your application, you may put the functionality at risk while not improving security at all.
« Last Edit: May 29, 2024, 12:44:47 pm by meyergru »
Logged
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005
1100 down / 440 up
,
Bufferbloat A+
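The false-positive problem described in the post above, as an added example that is not part of the original thread and not NAXSI's own code: a simplified model of a URL-zone substring rule replayed in log-only mode over constructed requests before anyone turns on blocking. The rule id, pattern, request list and whitelist prefixes are all assumptions made for illustration, and the pattern is not the text of rule #40000034.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed rule (assumption): substring match on the URL path only.
RULE = {"id": 99999, "zone": "URL", "pattern": "/mysql"}

# Constructed requests: (request target, is it legitimate traffic for this site?)
SAMPLE_REQUESTS = [
    ("/docs/mysql/replication.html", True),
    ("/blog/2024/mysql-vs-postgres?page=2", True),
    ("/index.html?q=mysql", True),       # "mysql" is in the query, not the path
    ("/mysql/admin/index.php", False),   # path this site does not serve
    ("/shop/cart", True),
]

def url_zone(target):
    """Return the part of the request the URL zone covers: the lowercased path."""
    return urlsplit(target).path.lower()

def dry_run(rule, requests, whitelist_prefixes=()):
    """Replay requests in log-only mode; count what enforcement would have done."""
    report, false_positives = Counter(), []
    for target, legit in requests:
        path = url_zone(target)
        exempt = any(path.startswith(p) for p in whitelist_prefixes)
        hit = rule["pattern"] in path and not exempt
        if hit and legit:
            report["false_positive"] += 1
            false_positives.append(path)
        elif hit:
            report["true_positive"] += 1
        elif legit:
            report["passed"] += 1
        else:
            report["missed"] += 1
    return report, false_positives

if __name__ == "__main__":
    for prefixes in ((), ("/docs/", "/blog/")):
        report, fps = dry_run(RULE, SAMPLE_REQUESTS, prefixes)
        print(f"whitelist={prefixes}: {dict(report)} blocked-but-legit={fps}")
```

Every path it reports needs either an exemption or a narrower rule before enforcement is switched on, and each exemption is a gap the rule no longer covers.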
franco
Administrator
Hero Member
Posts: 17628
Karma: 1607
Re: Seeking Guidance on Integrating OWASP Principles into OPNsense Firewall
« Reply #13 on: May 29, 2024, 01:21:03 pm »
Documentation...
https://docs.opnsense.org/manual/how-tos/nginx_waf.html
https://docs.opnsense.org/vendor/deciso/opnwaf.html
Logged
vivekmauli14
Newbie
Posts: 42
Karma: 0
Re: Seeking Guidance on Integrating OWASP Principles into OPNsense Firewall
« Reply #14 on: May 30, 2024, 11:49:49 am »
Thank you so much guys! You came through. I have successfully added the rules into Nginx; also, Wargio was very kind to help me further with adding more rules into the plugin.
I was wondering if I would also be able to integrate https://github.com/coreruleset/coreruleset for mod-security. This will help me cover all the OWASP Top 10.
Any idea or suggestion will be very helpful for me. Thanks for your support till date!
Br,
Vivek