Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
General Discussion
»
Seeking Guidance on Integrating OWASP Principles into OPNsense Firewall
« previous
next »
Print
Pages: [
1
]
Author
Topic: Seeking Guidance on Integrating OWASP Principles into OPNsense Firewall (Read 1634 times)
vivekmauli14
Newbie
Posts: 43
Karma: 0
Seeking Guidance on Integrating OWASP Principles into OPNsense Firewall
«
on:
May 28, 2024, 02:17:58 pm »
Hi there,
I am interested in integrating OWASP principles into my OPNsense firewall setup. Specifically, I am looking for advice or best practices on how to:
./Implement rules or configurations in OPNsense that align with OWASP recommendations.
./Utilize OPNsense features or plugins to mitigate the risks identified in the OWASP Top 10.
./Leverage any available tools or scripts that facilitate the incorporation of OWASP security measures in OPNsense.
./Set up logging and monitoring within OPNsense to detect and respond to the security threats outlined by OWASP.
I believe that by aligning OPNsense with OWASP's best practices, we can significantly enhance the security posture of our web applications and infrastructure.
If any community members have experience or insights on this topic, your guidance would be greatly appreciated. Additionally, if there are any existing resources, or documentation that could assist in this endeavor, kindly point me in the right direction.
Thank you for your time and assistance.
Best regards,
VivekS
«
Last Edit: May 28, 2024, 02:22:15 pm by vivekmauli14
»
Logged
chemlud
Hero Member
Posts: 2485
Karma: 112
Re: Seeking Guidance on Integrating OWASP Principles into OPNsense Firewall
«
Reply #1 on:
May 28, 2024, 02:20:58 pm »
These security experts:
https://owasp.org/blog/2024/03/29/OWASP-data-breach-notification.html
?
Logged
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare
felix eichhorns premium katzenfutter mit der extraportion energie
A router is not a switch - A router is not a switch - A router is not a switch - A rou....
vivekmauli14
Newbie
Posts: 43
Karma: 0
Re: Seeking Guidance on Integrating OWASP Principles into OPNsense Firewall
«
Reply #2 on:
May 28, 2024, 02:38:50 pm »
Hii chemlud,
Thank you for your quick response, yes, you are on point with what I'm looking for. The blog post you shared underscores the importance of data breach notifications, which is a critical aspect of web application security.
To build on that, I'm specifically interested in how to integrate OWASP principles directly into the OPNsense firewall.
I would greatly appreciate your guidance.
Thanks,
VivekS
Logged
franco
Administrator
Hero Member
Posts: 17661
Karma: 1611
Re: Seeking Guidance on Integrating OWASP Principles into OPNsense Firewall
«
Reply #3 on:
May 28, 2024, 02:43:45 pm »
Typically OWASP (Top 10-ish) is enforced via Web Application Firewall so you could checkout Nginx plugins (NAXSI in particular) or OPNWAF plugin (which uses Apache/mod_security). Note this pertains to protectable assets, not the firewall itself.
Cheers,
Franco
Logged
chemlud
Hero Member
Posts: 2485
Karma: 112
Re: Seeking Guidance on Integrating OWASP Principles into OPNsense Firewall
«
Reply #4 on:
May 28, 2024, 03:10:03 pm »
The incidence highlights to me that security is not that much a list with checkboxes, but lots of hard work to keep your network closed down and up-to-date.
Avoid the toxic trinity: Windows-Outlook-ActiveDomain and you have a good chance to be safe if you are not a high-value target...
Logged
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare
felix eichhorns premium katzenfutter mit der extraportion energie
A router is not a switch - A router is not a switch - A router is not a switch - A rou....
vivekmauli14
Newbie
Posts: 43
Karma: 0
Re: Seeking Guidance on Integrating OWASP Principles into OPNsense Firewall
«
Reply #5 on:
May 29, 2024, 06:51:20 am »
Hi Franco,
As far as I am aware, NAXSI doesn't cover all OWASP Top 10 security risks comprehensively. I have also tried searching for OPNWAF but couldn't find relevant information.
Could you please guide me or point me in the right direction for setting up similar OWASP Top 10 mitigations for Apache or Nginx within OPNsense? Any recommendations on tools, configurations, or resources would be greatly appreciated.
Thank you for your assistance.
Br,
VivekS
Logged
franco
Administrator
Hero Member
Posts: 17661
Karma: 1611
Re: Seeking Guidance on Integrating OWASP Principles into OPNsense Firewall
«
Reply #6 on:
May 29, 2024, 08:28:23 am »
"doesn't cover all" sounds like it only requires a bit of effort to me
Well, I noted which tools you can use and the packages are all available in the repository.
Cheers,
Franco
Logged
Patrick M. Hausen
Hero Member
Posts: 6812
Karma: 572
Re: Seeking Guidance on Integrating OWASP Principles into OPNsense Firewall
«
Reply #7 on:
May 29, 2024, 09:28:07 am »
These "OWASP Top Ten" all apply to applications. Fix your web applications. A firewall is a network security and policy enforcement device, not a silver bullert for broken apps.
Logged
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
franco
Administrator
Hero Member
Posts: 17661
Karma: 1611
Re: Seeking Guidance on Integrating OWASP Principles into OPNsense Firewall
«
Reply #8 on:
May 29, 2024, 09:33:26 am »
True, yet to be fair here a WAF allows you to mitigate these problems when you have no direct control over the application / updates / vendor being lazy.
Cheers,
Franco
Logged
vivekmauli14
Newbie
Posts: 43
Karma: 0
Re: Seeking Guidance on Integrating OWASP Principles into OPNsense Firewall
«
Reply #9 on:
May 29, 2024, 10:57:12 am »
Hi,
I understand that a firewall is not a silver bullet for application vulnerabilities and that the OWASP Top 10 primarily applies to web applications. However, considering the necessity of mitigating these risks when direct control over the application is not feasible, I'm ready to put in the effort to configure the OWASP principles in the WAF on OPNsense.
Franco, can you please confirm if installing NAXSI directly from
https://github.com/wargio/naxsi
on OPNsense is a viable approach? Or would you recommend a different method for integrating this WAF with OPNsense to cover the OWASP Top 10 security risks effectively?
Any guidance you could provide would be greatly appreciated.
Thank you for your assistance.
Best regards,
VivekS
Logged
franco
Administrator
Hero Member
Posts: 17661
Karma: 1611
Re: Seeking Guidance on Integrating OWASP Principles into OPNsense Firewall
«
Reply #10 on:
May 29, 2024, 11:02:44 am »
NAXSI is built into the nginx binary package and to my knowledge the nginx plugin will also handle a bit of that.
Cheers,
Franco
Logged
vivekmauli14
Newbie
Posts: 43
Karma: 0
Re: Seeking Guidance on Integrating OWASP Principles into OPNsense Firewall
«
Reply #11 on:
May 29, 2024, 12:31:56 pm »
Thanks, Franco, for your quick response, Can you give me a breakthrough on how do I get started with implementing this in OPNsense? I am ready to contribute to this in the community If get
Any small point would help me a lot.
Thanks in advance!
Br,
VivekS
Logged
meyergru
Hero Member
Posts: 1687
Karma: 165
IT Aficionado
Re: Seeking Guidance on Integrating OWASP Principles into OPNsense Firewall
«
Reply #12 on:
May 29, 2024, 12:38:41 pm »
Your approach is way too simplistic:
As for naxsi - the documentation says:
Quote
The original project is officially abandoned (and has been archived the 8th Nov 2023)
And BTW: Where does the documentation state that it implements OWASP recommendations? It sure cannot.
On a general note: If you look at the specific rules, you will notice that while they may adress
some
specific known attack patterns, they may well in turn render some applications unusable. Imagine a website with an URL sporting /mysql/ somewhere in it and lookt at rule #40000034.
Just search this forum for suricata and see how many people have "just" enabled it (with all rules active) and then complained about how something did not work (tm)...
That being said,
OWASP recommendations
target
web applications
, not
firewalls
. If you read them at all, you will notice than almost none of them can even be implemented at the firewall level, some could potentially be mitiigated, but at the cost of indifferently disallowing things that may be needed depending on your specific applications.
Breaking up a TLS connection in order to be able to look at URLs or even content needs a means to either
fake
(if you want to inspect outgoing connections) or
have
the certificate of the target (for incoming connections), which is often not viable or poses a risk in itself.
There is always a tradeoff between useability and security - if you cannot implement OSWAP principles in the web application itself and do "other things" that restrict your application, you may put the functionality at risk while not improving security at all.
«
Last Edit: May 29, 2024, 12:44:47 pm by meyergru
»
Logged
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005
1100 down / 440 up
,
Bufferbloat A+
franco
Administrator
Hero Member
Posts: 17661
Karma: 1611
Re: Seeking Guidance on Integrating OWASP Principles into OPNsense Firewall
«
Reply #13 on:
May 29, 2024, 01:21:03 pm »
Documentation...
https://docs.opnsense.org/manual/how-tos/nginx_waf.html
https://docs.opnsense.org/vendor/deciso/opnwaf.html
Logged
vivekmauli14
Newbie
Posts: 43
Karma: 0
Re: Seeking Guidance on Integrating OWASP Principles into OPNsense Firewall
«
Reply #14 on:
May 30, 2024, 11:49:49 am »
Thankyou so much guys! You came through. I have successfully added the rules into the Nginx, also Wargio was very kind to help me further for adding more rules into the plugin.
I was wondering if I can also be able to integrate
https://github.com/coreruleset/coreruleset
For the mod-security, This will help me cover all the OWASP top 10.
Any idea or suggestion will be very helpful for me. Thanks for your support till date!
Br,
Vivek
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
General Discussion
»
Seeking Guidance on Integrating OWASP Principles into OPNsense Firewall