Improving Web Application Firewall Testing (WAF)
for better Deployment in Production Networks
January 2009 – OWASP Israel
Gregory Fresnais
Director of International Business Development
Email: [email protected], Tel: +33672510922
BreakingPoint Systems
• Founded September 2005
• Management track record
• Deep networking, security,
& performance assurance expertise
• Breakthrough, award-winning products
• Privately held and based in Austin, TX
– Sales & Support: US, Canada, UK, France, Italy, Spain, Netherlands,
Belgium, Israel, China, Japan, Korea, Taiwan, Malaysia, New Zealand,
Australia. Represented by WebHouse Technologies in Israel.
What Does BreakingPoint Deliver?
• Comprehensive Layer 2-7 testing for network equipment and
application servers
• High-performance, compact, flexible and easy-to-use products
• Realistic performance and security validation using stateful
application protocols and live security attacks
3
Realistic Traffic Emulation: Layer 2-7
Malicious Traffic Simulation Layer 2-7
Examples of BreakingPoint Tests
4
Bit Blaster - Generates Ethernet frames (L2 Tests)
Routing Robot - Generates IP packets (L3 Tests)
Session Sender - Generates valid TCP sessions (L4 Tests)
App Sim – Generates 70+ realistic application flows (L7 Tests)
Capture and Recreate - Capture and playback PCAP
Security Module – 3,700+ unique attacks, 80+ evasion types
Stack Scrambler – Protocol fuzzing
70+ Client and Server Protocols Supported
• HTTP
• HTTPS
• POP3
• IMAP
• Finger
• RTMP
• MAPI
• Yahoo! Messenger
• Informix Database
• MSN Messenger
• Jabber ICQ
• QOTD
• Gopher
• DNS
• RTP
• SIP TCP/UDP
5
• SMTP
• RTSP
• SNMP
• FTP
• RLogin
• Rshell
• QQ Messenger
• RSync
• DB2 Database
• AOL IM
• BOOTPS
• DCE/RPC
• LDAP
• NFSD
• NTP
• SSH
• Postgres Database
• FIX
• FIXT
• CIFS SMB
• BitTorrent
• eDonkey
• NetBIOS
• RADIUS Accounting
• RADIUS Access
• Gnutella
• VMware VMotion
• Telnet
• Sybase Database
• MM4
• Oracle Database
• Microsoft SQL Server
• World of Warcraft
• …
Web Application Firewall
Deployment Scenarios
6
Simple Web Service Infrastructure
• Topology:
– Client
– Web Server
– Application Server
– Database Server
7
Different Protocols to Exchange Information
• Communication between Client and Web Server over HTTP
• Communication between Web and Application Servers over HTTP
• Communication between Application and Database Server over SQL
8
Different Types of WAF
• Deploy WAFs between Client and Server, Web Server and
Application Server, and Application Server and Database
Server
9
Network Topologies
for Deploying
Web Application Firewall
10
Transparent Bridge Deployment
• WAF deployed in Transparent Bridge
• Client and Server in same subnet
11
Router/NAT Deployment
• WAF deployed in Router/NAT
• Client and Server in different subnets
• Server IP address abstracted
12
Reverse Proxy Deployment
• WAF deployed in Reverse Proxy
• Client and Server in different subnets
• Server IP address abstracted
• L7 features enabled, such as Load Balancing, Compression,
Caching, TCP Connection Multiplexing, URL Rewriting, etc.
13
Configuration Options
for Deploying
Web Application Firewall
14
Communication Via HTTP
• Communication between the Client and the WAF over HTTP
• Communication between the WAF and the Server over HTTP
15
Communication Via HTTPS and HTTP
• Communication between the Client and the WAF over HTTPS
• Communication between the WAF and the Server over HTTP
16
Communication Via HTTPS
• Communication between the Client and the WAF over HTTPS
• Communication between the WAF and the Server over HTTPS
17
Communication Via SQL
• Communication between the Client and the WAF over SQL
• Communication between the WAF and the Server over SQL
18
Testing Web Application
Firewalls Before Deployment
19
WAF Vendor Comparison
20
• Cannot make the right decision with the limited information on
vendor datasheets
• What are the HTTP Transactions per Second?
• HTTP 1.0 vs. HTTP 1.1, Object Size, TCP Close RST vs. FIN, …
• What are the HTTPS Transactions per Second?
• HTTP 1.0 vs. HTTP 1.1, Object Size, Key Size, Cipher, SSL Re-use ID, …
• What is the HTTPS Bandwidth?
• HTTP 1.0 vs. HTTP 1.1, Object Size, Key Size, Cipher, SSL Re-use ID, …
Testing
Web Application Firewalls
21
Web Application Firewall Testing Infrastructure
Test Equipment Capabilities:
• Simulate a large number of different Clients and Servers
• Simulate different application protocols and define a variety of
settings to validate the WAF under different configurations
• Reach the limits of the WAF
22
Types of Tests
Required to Validate
Web Application Firewalls
23
Lab Test Scenario – WAF Test Methodology
• Tests executed on several Web Application Firewall vendor products
• Web Application Firewall Performance with Good Traffic
– Maximum HTTP Transactions per Second
– Maximum SQL Queries per Second
– Maximum Concurrent TCP Connections
– Maximum HTTP Bandwidth
– Maximum SQL Bandwidth
• Web Application Firewall Performance with Security Attacks
– Maximum HTTP Attacks per Second
– Maximum SQL Attacks per Second
• Web Application Firewall Performance with Blended Traffic
– Maximum HTTP Transactions per Second with Attacks
– Maximum SQL Queries per Second with Attacks
24
Real-World Test Scenario - WAF Test Methodology
• Test executed on one Web Application Firewall vendor product
• Web Service Performance Without the Web Application Firewall
– Maximum New Users per Second
– Maximum Concurrent Users
– Maximum Bandwidth
• Web Service Performance With the Web Application Firewall
– Maximum New Users per Second
– Maximum Concurrent Users
– Maximum Bandwidth
• Web Service Security with Web Application Firewall
– Mix Good Traffic and Security Attacks
25
Maximum
WAF Performance
“Lab Test Scenario”
26
Web Application Firewall
Performance for
“Good Traffic”
27
Maximum HTTP
Transactions per Second
Supported by WAF
“Worst Case”
28
Maximum HTTP 1.0 Transactions per Second
• Test Objective
– Find the Maximum HTTP Transactions per Second in worst case where
1 HTTP transaction is sent over one TCP Connection.
• Breaking Point
– Low HTTP Transaction Response Time
– Low Number of Concurrent TCP Connections
– 100% of HTTP Transaction Successful
• Performance Measurement
– Maximum HTTP Transactions per Second
– Average HTTP Transaction Response Time
– Maximum Concurrent TCP Connections
– Bandwidth
29
Communication Via HTTP
• Check performance using different object sizes: 1024, 5120,
10240 and 51200
30
Communication Via HTTPS and HTTP
31
• Check performance using different object sizes
• Check performance using different key sizes: 512, 1024 and 2048
• Check performance using different ciphers: RC4-MD5, AES, …
Communication Via HTTPS
32
• Check performance using different object sizes
• Check performance using different key sizes: 512, 1024 and 2048
• Check performance using different ciphers: RC4-MD5, AES, …
Maximum HTTP
Transactions per Second
Supported by WAF
“Best Case”
33
Maximum HTTP 1.1 Transactions per Second
• Test Objective
– Find the Maximum HTTP Transactions per Second in best case where
several HTTP transactions are sent over 1 TCP Connection.
• Breaking Point
– Low HTTP Transaction Response Time
– Low Number of Concurrent TCP Connections
– 100% of HTTP Transaction Successful
• Performance Measurement
– Maximum HTTP Transactions per Second
– Average HTTP Transaction Response Time
– Maximum Concurrent TCP Connections
– Bandwidth
34
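The worst-case (HTTP 1.0, one transaction per TCP connection) and best-case (HTTP 1.1, several transactions over one connection) measurements described on the two test-objective slides above, as an added Python example that is not part of the original deck or of BreakingPoint's product: a local stand-in web server, a sequential client that runs both modes and returns the deck's metrics (transactions per second, average response time, success rate, TCP connections opened, bandwidth), and the breaking-point rule applied to a load ramp. The loopback server, the ramp numbers in SAMPLE_RAMP and the limits passed to find_breaking_point are assumptions; the object sizes are the ones the deck lists.

```python
"""Added example, not from the BreakingPoint deck: a minimal HTTP transactions-
per-second harness for the deck's worst case (one transaction per TCP connection,
as in HTTP 1.0) and best case (many transactions over one keep-alive connection,
as in HTTP 1.1), against a local stand-in server, plus the breaking-point rule."""
import http.client
import threading
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

OBJECT_SIZES = (1024, 5120, 10240, 51200)  # bytes, from the deck's HTTP slides


class ObjectHandler(BaseHTTPRequestHandler):
    """Serves GET /obj/<size> with a body of exactly <size> bytes."""
    protocol_version = "HTTP/1.1"  # the server must speak 1.1 for keep-alive

    def do_GET(self):
        size = int(self.path.rsplit("/", 1)[-1])  # harness only requests /obj/<n>
        body = b"x" * size
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep per-request console logging quiet
        pass


def start_server():
    """Starts the stand-in server on a free loopback port and returns it."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), ObjectHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def run_transactions(host, port, size, count, keep_alive):
    """Runs `count` GETs of a `size`-byte object and returns the deck's metrics.
    keep_alive=False opens a new TCP connection per transaction (HTTP 1.0 worst
    case); keep_alive=True reuses one connection (HTTP 1.1 best case)."""
    ok, opened, latencies, conn = 0, 0, [], None
    start = time.perf_counter()
    for _ in range(count):
        if conn is None:
            conn = http.client.HTTPConnection(host, port, timeout=5)
            conn.connect()
            opened += 1
        t0 = time.perf_counter()
        conn.request("GET", "/obj/%d" % size,
                     headers={"Connection": "keep-alive" if keep_alive else "close"})
        resp = conn.getresponse()
        body = resp.read()  # drain the body so the socket can be reused
        latencies.append(time.perf_counter() - t0)
        if resp.status == 200 and len(body) == size:
            ok += 1
        if not keep_alive:  # one transaction per connection: tear it down
            conn.close()
            conn = None
    elapsed = time.perf_counter() - start
    if conn is not None:
        conn.close()
    return {
        "transactions": count,
        "tcp_connections_opened": opened,
        "transactions_per_second": count / elapsed,
        "avg_response_time_ms": 1000 * sum(latencies) / len(latencies),
        "success_rate": ok / count,
        "bandwidth_bytes_per_second": size * ok / elapsed,
    }


def find_breaking_point(steps, max_avg_rt_ms, max_concurrent):
    """The deck's rule applied to a load ramp: the WAF has broken at the first
    step where response time or concurrent connections exceed the limits or any
    transaction fails. Returns the last passing step (None if none passed)."""
    last_good = None
    for step in sorted(steps, key=lambda s: s["offered_tps"]):
        if (step["avg_response_time_ms"] > max_avg_rt_ms
                or step["concurrent_connections"] > max_concurrent
                or step["success_rate"] < 1.0):
            break
        last_good = step
    return last_good


# Constructed ramp results standing in for a run against a real WAF.
SAMPLE_RAMP = [
    {"offered_tps": 5000, "avg_response_time_ms": 3, "concurrent_connections": 40, "success_rate": 1.0},
    {"offered_tps": 10000, "avg_response_time_ms": 6, "concurrent_connections": 90, "success_rate": 1.0},
    {"offered_tps": 15000, "avg_response_time_ms": 48, "concurrent_connections": 900, "success_rate": 1.0},
    {"offered_tps": 20000, "avg_response_time_ms": 310, "concurrent_connections": 6000, "success_rate": 0.93},
]

if __name__ == "__main__":
    srv = start_server()
    for size in OBJECT_SIZES:
        for keep_alive in (False, True):
            print(size, keep_alive, run_transactions(*srv.server_address, size, 200, keep_alive))
    print("breaking point:", find_breaking_point(SAMPLE_RAMP, max_avg_rt_ms=20, max_concurrent=500))
```

Against a real WAF the client side is replaced by the traffic generator and the ramp is driven at increasing offered rates; the connection count per transaction is what separates the deck's worst and best cases.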
Communication Via HTTP
35
• Check performance using different object sizes: 1024, 5120,
10240 and 51200
Communication Via HTTPS and HTTP
36
• Check performance using different object sizes
• Check performance using different key sizes: 512, 1024 and 2048
• Check performance using different ciphers: RC4-MD5, AES, …
Communication Via HTTPS
37
• Check performance using different object sizes
• Check performance using different key sizes: 512, 1024 and 2048
• Check performance using different ciphers: RC4-MD5, AES, …
Maximum Concurrent
TCP Connections
Supported by
WAF
38
Maximum Concurrent TCP Connections
• Test Objective
– Find the maximum concurrent TCP connections where several HTTP
transactions are sent over one TCP connection.
– Client Think Time is inserted between each client request to keep the TCP
connection open.
• Breaking Point
– Low HTTP Transaction Response Time
– 100% of HTTP Transaction Successful
• Performance Measurement
– Maximum Concurrent TCP Connections
– Maximum HTTP Transactions per Second
– Average HTTP Transaction Response Time
– Bandwidth
39
Communication Via HTTP
40
• Check performance using a small object size: 1024
Communication Via HTTPS
41
• Check performance using a small object size: 1024
• Check performance using different key sizes: 512, 1024 and 2048
• Check performance using different ciphers: RC4-MD5, AES, …
Communication Via HTTPS
42
• Check performance using a small object size: 1024
• Check performance using different key sizes: 512, 1024 and 2048
• Check performance using different ciphers: RC4-MD5, AES, …
Maximum HTTP Bandwidth
Supported by WAF
43
Maximum HTTP Bandwidth
• Test Objective
– Find the maximum HTTP bandwidth using several HTTP transactions over
one TCP connection.
• Breaking Point
– 100% of HTTP Transactions Successful
• Performance Measurement
– Bandwidth
– Maximum Concurrent TCP Connections
– Average HTTP Transaction Response Time
44
Communication Via HTTP
45
• Check performance using large object sizes, e.g. 1 Mb
Communication Via HTTPS and HTTP
46
• Check performance using large object sizes, e.g. 1 Mb
• Check performance using different key sizes: 512, 1024 and 2048
• Check performance using different ciphers: RC4-MD5, AES, …
Communication Via HTTPS
47
• Check performance using large object sizes, e.g. 1 Mb
• Check performance using different key sizes: 512, 1024 and 2048
• Check performance using different ciphers: RC4-MD5, AES, …
Maximum Single
SQL Queries per Second
Supported by WAF
48
Maximum Single SQL Queries per Second
• Test Objective
– Find the maximum SQL Queries per Second where one SQL query is
sent over one TCP connection.
• Breaking Point
– Low SQL Query Response Time
– Low Number of Concurrent TCP Connections
– 100% of SQL Queries Successful
• Performance Measurement
– Maximum SQL Queries per Second
– Average SQL Query Response Time
– Maximum Concurrent TCP Connections
– Bandwidth
49
Maximum Single SQL Queries per Second
50
• Check performance using different query response sizes: 1024,
5120, 10240 and 51200
Maximum Multiple
SQL Queries per Second
Supported by WAF
51
Maximum Multiple SQL Queries per Second
• Test Objective
– Find the maximum SQL Queries per Second where several SQL queries
are sent over one TCP connection.
• Breaking Point
– Low SQL Query Response Time
– Low Number of Concurrent TCP Connections
– 100% of SQL Queries Successful
• Performance Measurement
– Maximum SQL Queries per Second
– Average SQL Query Response Time
– Maximum Concurrent TCP Connections
– Bandwidth
52
Maximum Multiple SQL Queries per Second
53
• Check performance using different query response sizes: 1024,
5120, 10240 and 51200
Maximum SQL Bandwidth
Supported by WAF
54
Maximum SQL Bandwidth
• Test Objective
– Find the maximum SQL bandwidth.
– Several SQL queries are sent over one TCP connection
• Breaking Point
– 100% of SQL Queries Successful
• Performance Measurement
– Bandwidth
– Maximum SQL Queries per Second
– Maximum Concurrent TCP Connections
55
Maximum SQL Bandwidth
56
• Check performance using large responses, e.g. 1 Mb
WAF Performance
“Security Attacks”
57
Performance Security Testing
• Used attacks referenced by CVE-ID, OSVDB and BugTraq for
performance testing
• Ensure the attack is detected before executing the performance test
• Used attacks from the OWASP Top 10
– A1 – Cross Site Scripting (XSS)
– A2 – Injection Flaws
– A3 – Malicious File Execution
– A4 – Insecure Direct Object Reference
– A5 – Cross Site Request Forgery (CSRF)
– A6 – Information Leakage and Improper Error Handling
– A7 – Broken Authentication and Session Management
– A8 – Insecure Cryptographic Storage
– A9 – Insecure Communications
– A10 – Failure to Restrict URL Access
58
Maximum Single Type of
HTTP Attacks per Second
Detected by WAF
59
Maximum Single HTTP Attacks per Second
• Test Objective
– Find the Maximum Attacks per Second detected.
– The same attack is used during the entire test.
• Breaking Point
– Number of attacks per second sent no longer matches the number of
attacks detected
• Performance Measurement
– Maximum Attacks per Second detected
60
Communication Via HTTP
61
• Check the number of attacks detected versus the number of
attacks sent
Communication Via HTTPS
62
• Check the number of attacks detected versus the number of
attacks sent
Communication Via HTTPS
63
• Check the number of attacks detected versus the number of
attacks sent
Maximum Multiple Types of
HTTP Attacks per second
Detected by WAF
64
Maximum HTTP Attack per Second
• Test Objective
– Find the Maximum Attacks per Second detected.
– A mix of different attack types (OWASP Top 10) is used during the
entire test.
• Breaking Point
– Number of Attacks per Second sent does not match the number of
Attacks Detected
• Performance Measurement
– Maximum Attacks per Second detected
65
Communication Via HTTP
66
• Check the number of attacks detected versus the number of attacks sent
Communication Via HTTPS and HTTP
67
• Check the number of attacks detected versus the number of attacks sent
Communication Via HTTPS
68
• Check the number of attacks detected versus the number of attacks sent
Maximum Single
SQL Attacks per second
Detected by WAF
69
Maximum SQL Attacks per Second
• Test Objective
– Find the Maximum Attacks per Second detected.
– The same SQL attacks are used during the entire test.
• Breaking Point
– Number of Attacks per Second sent does not match the number of
Attacks Detected
• Performance Measurement
– Maximum Attacks per Second detected
70
Maximum SQL Attacks per Second
71
• Check the number of attacks detected versus the number of attacks sent
Maximum Multiple Type
SQL Attacks per second
Detected by WAF
72
Maximum SQL Attacks per Second
• Test Objective
– Find the Maximum Attacks per Second detected.
– A mix of different SQL attack types is used during the entire test.
• Breaking Point
– Number of Attacks per Second sent does not match the number of
Attacks Detected
• Performance Measurement
– Maximum Attacks per Second Detected
73
Maximum SQL Attacks per Second
74
• Check the number of attacks detected versus the number of attacks sent
WAF Performance
Good Traffic
and Security Attacks
75
Communication Via HTTP
76
• Check performance in terms of Transactions per Second
• Check the number of attacks detected versus the number of attacks sent
Communication Via HTTPS and HTTP
77
• Check performance in terms of Transactions per Second
• Check the number of attacks detected versus the number of attacks sent
Communication Via HTTPS
78
• Check performance in terms of Transactions per Second
• Check the number of attacks detected versus the number of attacks sent
Maximum Single SQL Queries per Second
79
• Check performance in terms of SQL Queries per Second
• Check the number of attacks detected versus the number of attacks sent
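The two measurements that the slides above repeat for every traffic type, namely ramping the attack rate until the number detected no longer equals the number sent (the deck's "Breaking Point"), and holding a legitimate load while checking that every injected attack is still caught, as an added example written for this page. It is not BreakingPoint Systems' tool or code. `SimulatedWaf` is a hypothetical device model with a constructed inspection capacity and an assumed fail-open behaviour under overload; the attack and good-request corpus is constructed; `is_attack` is a naive signature match standing in for a real detection engine.

```python
"""Added example for this page: a minimal harness that applies the deck's
'breaking point' criterion (attacks detected must equal attacks sent) to a
WAF. It is not BreakingPoint Systems' code. SimulatedWaf is a hypothetical
device model with a constructed inspection capacity; the request corpus is
constructed. To measure a real WAF, replace SimulatedWaf.inspect with a
client that records which requests the lab WAF blocked or alerted on.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed corpus: OWASP Top 10 style payloads plus legitimate requests.
ATTACKS: List[str] = [
    "GET /item?id=1' OR '1'='1 HTTP/1.1",                       # SQL injection
    "GET /search?q=<script>alert(1)</script> HTTP/1.1",         # cross-site scripting
    "GET /static/../../../etc/passwd HTTP/1.1",                 # path traversal
    "GET /report?id=1 UNION SELECT user,pass FROM t HTTP/1.1",  # SQL injection (UNION)
]
GOOD: List[str] = [
    "GET /index.html HTTP/1.1",
    "GET /catalog?page=2 HTTP/1.1",
    "POST /login HTTP/1.1",
]
SIGNATURES = ("'", "<script", "../", " union select ")


def is_attack(request: str) -> bool:
    """Naive signature match standing in for the WAF's detection engine."""
    text = request.lower()
    return any(sig in text for sig in SIGNATURES)


@dataclass
class SimulatedWaf:
    """Hypothetical WAF: inspects at most `capacity` requests per second and
    forwards the rest uninspected (fail-open, an assumption of this model).
    That silent loss of detection under load is what the ramp test surfaces."""
    capacity: int

    def inspect(self, requests: List[str]) -> List[bool]:
        """Per-request 'blocked' verdicts for one second of traffic."""
        return [is_attack(r) if i < self.capacity else False
                for i, r in enumerate(requests)]


def run_second(waf: SimulatedWaf, attack_rate: int, good_rate: int,
               corpus: List[str] = ATTACKS) -> Dict[str, int]:
    """Send attack_rate attacks (round-robin over corpus) interleaved with
    good_rate legitimate requests, then score the verdicts against the
    generator's own ground truth rather than the WAF's opinion."""
    traffic = []  # (is_attack_ground_truth, request)
    for i in range(max(attack_rate, good_rate)):
        if i < attack_rate:
            traffic.append((True, corpus[i % len(corpus)]))
        if i < good_rate:
            traffic.append((False, GOOD[i % len(GOOD)]))
    verdicts = waf.inspect([req for _, req in traffic])
    stats = {"attacks_sent": attack_rate, "attacks_detected": 0,
             "good_sent": good_rate, "good_tps": 0}
    for (truth, _), blocked in zip(traffic, verdicts):
        if truth and blocked:
            stats["attacks_detected"] += 1      # attack caught
        elif not truth and not blocked:
            stats["good_tps"] += 1              # legitimate transaction completed
    return stats


def find_max_detected_rate(waf: SimulatedWaf, corpus: List[str] = ATTACKS,
                           start: int = 100, step: int = 500,
                           limit: int = 20000) -> Dict[str, Optional[int]]:
    """Ramp the attack rate until detected != sent (the breaking point),
    then bisect between the last passing and first failing rate."""
    def passes(rate: int) -> bool:
        s = run_second(waf, rate, 0, corpus)
        return s["attacks_detected"] == s["attacks_sent"]

    lo, rate = 0, start           # lo: highest rate with 100% detection so far
    while rate <= limit and passes(rate):
        lo, rate = rate, rate + step
    if rate > limit:
        return {"max_detected_per_sec": lo, "breaking_rate": None}  # never broke
    hi = rate                     # first rate that failed
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if passes(mid):
            lo = mid
        else:
            hi = mid
    return {"max_detected_per_sec": lo, "breaking_rate": hi}


def mixed_traffic_check(waf: SimulatedWaf, good_rate: int,
                        attack_rate: int) -> Dict[str, object]:
    """Hold a legitimate load, inject attacks, report the good-traffic TPS
    achieved and whether every attack was detected."""
    s: Dict[str, object] = dict(run_second(waf, attack_rate, good_rate))
    s["all_attacks_detected"] = s["attacks_detected"] == s["attacks_sent"]
    return s


if __name__ == "__main__":
    waf = SimulatedWaf(capacity=1234)   # constructed capacity
    print("multiple attack types:", find_max_detected_rate(waf))
    print("single SQL attack:", find_max_detected_rate(waf, corpus=[ATTACKS[0]]))
    print("good 1000/s + 200 attacks/s:", mixed_traffic_check(waf, 1000, 200))
    print("good 1000/s + 1000 attacks/s:", mixed_traffic_check(waf, 1000, 1000))
```

The pass criterion is deliberately `attacks_detected == attacks_sent` rather than a detection percentage: a WAF that quietly forwards a fraction of traffic uninspected at high load is the failure the deck is hunting for, and a threshold would hide it. The single-type SQL test is the same routine with a one-entry corpus. Against a real device, the "blocked" verdict should come from the WAF's own evidence (a 403 or reset on the attack request, or the matching alert in its log) and the good-traffic TPS from completed legitimate transactions, so that a WAF which fails closed under load shows up as a drop in `good_tps` while one that fails open shows up as a drop in `attacks_detected`.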
Maximum
WAF Performance
“Real-World Test Scenario”
80
Real-World Test Scenario - WAF Test Methodology
• The test is performed on the selected WAF vendor's product
• Web Service Performance without WAF
– Maximum New Users per Second
– Maximum Concurrent Users
– Maximum Bandwidth
• Web Service Performance with WAF
– Maximum New Users per Second
– Maximum Concurrent Users
– Maximum Bandwidth
• Web Service Performance and Security with WAF
– Mix Good Traffic and Security Attacks
81
Web Service Performance Without WAF
82
• Check Maximum New Users per Second of Web Service
• Check Maximum Concurrent Users of Web Service
• Check Maximum Bandwidth of Web Service
Web Service Performance With WAF
83
• Check Maximum New Users per Second of Web Service
• Check Maximum Concurrent Users of Web Service
• Check Maximum Bandwidth of Web Service
Web Service Performance and Security With WAF
84
• Check Maximum New Users per Second of Web Service
• Check Maximum Concurrent Users of Web Service
• Check Maximum Bandwidth of Web Service
• Check All Attacks Sent are Detected by WAF
Key Benefits of
Web Application Firewall
Testing
85
Better Visibility of WAF Performance
• Know the real performance of your WAF – Performance Matrix
– Maximum HTTP Transactions per Second
– Maximum HTTPS Transactions per Second
– Maximum SQL Queries per Second
– Maximum Concurrent TCP Connections
– Maximum Concurrent SSL Sessions
– Maximum HTTP Bandwidth
– Maximum HTTPS Bandwidth
– Maximum SQL Bandwidth
• Know the real capacity of your WAF – Performance Matrix
– Maximum New Users per Second
– Maximum Concurrent Users
86
Better Visibility of WAF Performance
• Choose the best WAF for your needs
• Deploy your WAF in the right configuration for optimal
performance
• Be more proactive because you know how your WAF will behave
under load and attacks
87
Contact Information
For more Information for Israel contact WebHouse:
Alon Refaeli: [email protected] +972525873337
Amir Pled: [email protected] +972542489595
For more information outside of Israel contact BreakingPoint Systems:
Gregory Fresnais: [email protected] +33672510922
88
Thank You
www.breakingpoint.com
89