CNAF can secure both containerized and non-containerized web apps. The deployment method varies slightly depending on the type of entity you’re protecting.
To deploy CNAF, create a new rule, and declare the entity to protect. Sometimes you’ll want to completely bypass CNAF’s filters. To allow known good clients to bypass CNAF, go to the Advanced tab in the CNAF rule, and enter values for Explicitly allowed inbound IP sources and Explicitly allowed paths.
CNAF capabilities that are disabled by default are set that way to optimize performance.
To deploy CNAF for a containerized web-app, create a new rule, specify the image name, and declare the ports where it listens.
Applying a rule to all images using a wildcard (*) is invalid and a waste of resources.
CNAF only needs to be applied to images that transmit and receive HTTP/HTTPS traffic.
To protect against this type of misconfiguration, Defender enforces a limit. Each CNAF firewall runs as a Defender subprocess, and each instance of Defender supports a maximum of five CNAF firewalls. If your node launches a sixth container that’s configured for CNAF protection, Defender prints a message to its log that the limit has been reached.
Open Console, and go to Defend > Firewalls > Cloud Native App Firewall.
Click Add rule.
Enter a rule name.
Specify the ports where the container listens for web traffic.
If your app uses TLS, set TLS to True, and upload your server’s certificate and private key. CNAF must be able to decrypt and inspect HTTPS traffic to function properly.
In the Images filter, specify the name of your app’s image.
Select the protections to enable.
Click Save.
To deploy CNAF to protect a host running a non-containerized web app, create a new rule, and specify the host(s) where it runs.
Applying a rule to all hosts using a wildcard (*) is invalid and a waste of resources.
CNAF only needs to be applied to hosts that run apps that transmit and receive HTTP/HTTPS traffic.
Open Console, and go to Defend > Firewalls > CNAF for Hosts.
Click Add rule.
Enter a rule name.
Specify the ports where the host listens for web traffic.
If your app uses TLS, set TLS to True, and upload your server’s certificate and private key. CNAF must be able to decrypt and inspect HTTPS traffic to function properly.
In the Hosts filter, specify the host(s) where your web app runs.
Select the protections to enable.
Click Save.
In some environments, Twistlock Defender must be embedded directly in the container it’s protecting. This type of Defender is known as RASP Defender. RASP Defender can secure these containers with all of CNAF’s protection capabilities.
The only difference is that RASP Defender runs as a reverse proxy in front of the container it’s protecting. As such, when you set up CNAF for RASP, you must specify the exposed external port where RASP Defender listens, and the port (not exposed to the Internet) where your web application listens. CNAF for RASP forwards the filtered traffic to your application’s port, unless an attack is detected and you chose Prevent in your CNAF for RASP rule.
For more information on the type of attacks that Twistlock detects and prevents, see Twistlock CNAF.
Embed RASP Defender into your container or Fargate task.
Go to Defend > Firewalls > CNAF for RASP.
Click Add rule.
Enter a rule name.
Select Alert or Prevent.
Enter a port number for External Port, and one for the web container’s Application Port. The external port is typically 80 for HTTP and 443 for HTTPS. For this example, enter 443 for the External Port and 8080 for the Application Port.
If your app uses TLS, set TLS to True, and upload your server’s certificate and private key. CNAF must be able to decrypt and inspect HTTPS traffic to function properly.
Enter the Defender ID you specified when embedding RASP Defender.
Click Save.
All traffic to your web container is now examined and protected by the embedded RASP Defender.
To test your CNAF-protected container, browse to its public IP address. Specify the external port as defined in your CNAF rule.
Before launching your Twistlock-protected container, be sure to update the security group’s inbound rules to permit TCP connections on the external port you entered in the CNAF rule. This is the exposed port that lets you reach your web container; the application’s real port stays closed in the security group, so traffic cannot reach the application without passing through RASP Defender. To disable CNAF protection, disable the CNAF rule, and re-expose the application’s real port by modifying the security group’s inbound rule.
The following procedures show you how to quickly test CNAF.
CNAF lets you block web requests that contain specific strings in a header. You can add any of the common headers used in web requests and specify the value to match on. The value can be a full or partial string. For partial strings, use pattern matching.
The following example uses the User-Agent header field and blocks every request whose User-Agent value begins with the string Moz. Note that this pattern matches more than Firefox: Chrome, Safari, and Edge also send User-Agent values that begin with Mozilla/5.0, so a rule like this denies essentially all mainstream browsers.
Open Console.
Go to Defend > Firewalls > CNAF.
Click on Add rule.
In the Create a New CNAF Rule dialog:
In Rule name, enter a name for the rule.
Click on the Advanced tab.
As seen in the figure, under HTTP headers set the action to Deny, the field to User-Agent, and the value to a pattern that matches every User-Agent value beginning with Moz.
Open Mozilla Firefox and try to navigate to the Jenkins address. You will see the following response:
Go to Monitor > Events to see alerts logged by Twistlock relating to this policy violation.
You will see an event of type header, with a message that looks like:
Header 'User-Agent'='Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) Gecko/20100101 Firefox/54.0' is forbidden
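The following Python script is an added illustration of how a header deny entry like the one above is evaluated; it is not Twistlock code and the page does not spell out CNAF’s exact matching rules. It assumes glob-style wildcards (Moz* matches any value starting with Moz), case-sensitive value comparison, and case-insensitive header names (as HTTP requires). The sample requests are constructed, not captured traffic; the verdict strings mirror the shape of the Monitor > Events message shown above.

```python
import fnmatch
from typing import Dict, List, Optional

# Constructed sample requests (not captured traffic): each dict is the header
# set of one inbound HTTP request to the protected Jenkins container.
SAMPLE_REQUESTS: List[Dict[str, str]] = [
    {"Host": "jenkins.example.internal",
     "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) "
                   "Gecko/20100101 Firefox/54.0"},
    {"Host": "jenkins.example.internal",
     "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36"},
    {"Host": "jenkins.example.internal", "User-Agent": "curl/7.64.1"},
    {"Host": "jenkins.example.internal"},  # no User-Agent header at all
]


def header_value(headers: Dict[str, str], field: str) -> Optional[str]:
    """Return a header's value, matching the header name case-insensitively."""
    wanted = field.lower()
    for name, value in headers.items():
        if name.lower() == wanted:
            return value
    return None


def deny_header(headers: Dict[str, str], field: str, pattern: str) -> Optional[str]:
    """Evaluate one deny entry against one request.

    `pattern` is either the full header value or a partial value written with
    shell-style wildcards ('Moz*' matches any value that starts with 'Moz').
    Glob syntax and case-sensitive value comparison are assumptions of this
    example, not documented CNAF behaviour.

    Returns the forbidden message when the request is denied, or None when it
    is allowed through.
    """
    value = header_value(headers, field)
    if value is None:
        # A request that omits the header has no value for the pattern to match.
        return None
    if fnmatch.fnmatchcase(value, pattern):
        return f"Header '{field}'='{value}' is forbidden"
    return None


def apply_rule(requests: List[Dict[str, str]], field: str, pattern: str) -> List[Optional[str]]:
    """Run one deny entry over a batch of requests; None means allowed."""
    return [deny_header(h, field, pattern) for h in requests]


if __name__ == "__main__":
    verdicts = apply_rule(SAMPLE_REQUESTS, "User-Agent", "Moz*")
    for headers, verdict in zip(SAMPLE_REQUESTS, verdicts):
        ua = header_value(headers, "User-Agent") or "<none>"
        print(("DENY  " if verdict else "ALLOW ") + ua)
```

Running it shows the Firefox and Chrome requests both denied by the Moz* pattern while curl and the header-less request pass, which is the practical consequence of matching on a prefix that every mainstream browser shares.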
A SQL injection attack is an injection technique in which the attacker inserts malicious SQL statements into the queries an application sends to its database server, typically in an attempt to bypass the application’s authentication and authorization mechanisms or to read data it should not expose.
The procedure below shows how Twistlock can help protect your application against SQL injection attacks. Consider a WordPress application hosted in your environment.
Create a CNAF policy.
Enter a rule name, such as wordpress.
Set the Action to Prevent.
Check Enable SQLi attack protection.
In the Images filter, enter wordp*
Open the application in web browser and attempt an SQL injection attack.
Response:
Go to Monitor > Events to see the alerts logged for this event.
You will see an event of type sqli, with a message that looks like:
Detected SQLi using libinjection in html query. "1" and 1 union select.
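To make concrete what the SQLi filter is intercepting, here is an added, self-contained Python example (not Twistlock code and not WordPress code) that runs an authentication-bypass payload against a deliberately injectable login check and against its parameterized counterpart, using an in-memory SQLite table with constructed demo credentials. CNAF stops such payloads at the HTTP layer; the parameterized version shows the application-side fix you should still apply as defense in depth.

```python
import sqlite3

# Constructed demo credentials; the table stands in for the application's user store.
DEMO_USER = "admin"
DEMO_PASSWORD = "correct horse battery staple"


def make_db() -> sqlite3.Connection:
    """Build an in-memory user table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)", (DEMO_USER, DEMO_PASSWORD))
    conn.commit()
    return conn


def build_vulnerable_query(username: str, password: str) -> str:
    """String-concatenated query: user input becomes part of the SQL text."""
    return (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Deliberately injectable login check (the pattern an SQLi filter guards)."""
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened login check: input is bound as data and never parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


# Classic authentication-bypass payload supplied in the password field.
# In the vulnerable query it closes the string literal and appends a
# tautology, so the WHERE clause becomes
#   username = 'admin' AND password = '' OR '1'='1'
# which (AND binds tighter than OR) is true for every row.
BYPASS_PASSWORD = "' OR '1'='1"


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable query:", build_vulnerable_query(DEMO_USER, BYPASS_PASSWORD))
    print("vulnerable login, bypass payload:", login_vulnerable(conn, DEMO_USER, BYPASS_PASSWORD))
    print("parameterized login, bypass payload:", login_parameterized(conn, DEMO_USER, BYPASS_PASSWORD))
```

The vulnerable check accepts the attacker without a valid password, while the parameterized check compares the literal string and rejects it. The same kind of quote-and-keyword sequence is what the libinjection event above flagged in the request before it reached WordPress.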