Terry Beavis | Wednesday, August 5th, 2020
A government client is required to validate every incoming request from external systems to prevent attacks. The existing system:
- Only provided token validation for incoming requests.
- Did not support attack detection or encryption in transit for legacy internal applications.
- Allowed malformed requests to pass through, because it did not validate incoming JSON/SOAP/XML payloads.
- Did not filter or check HTTP headers.
- Did not run antivirus checks on files embedded in the payload of some HTTP calls.
The replacement solution had to:
- Be cloud-agnostic.
- Be open source, minimise licence costs and avoid vendor lock-in.
- Store secrets in a central HashiCorp Vault, in line with corporate policies.
After some research and proof-of-concept work we selected NGINX with ModSecurity (WAF) as the foundation for the new security solution. We redesigned the flow to use a fail-safe approach, optimising performance and reducing resource contention.
The new solution reduced licensing costs because it works with both the open source and commercial versions, allowing the client to select either depending on project requirements.
The new system implemented an HTTP header whitelisting capability, to avoid leaking information through HTTP headers and to prevent attacks that rely on undesirable HTTP headers.
The ModSecurity module validates payloads to detect XSS, SQL injection and other attacks, and validates HTTP headers out of the box. In addition, the solution can create and use custom security rules, including the OWASP rules.
We extended NGINX to use tokens held in HashiCorp Vault, and implemented custom functionality to validate the different incoming formats against JSON/XML/WSDL schemas and to scan embedded files with antivirus solutions.
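A minimal configuration of the kind described above, as an added illustration rather than the client's own setup: NGINX with the ModSecurity connector, a request header allow-list, a content-type restriction to JSON/SOAP/XML, and the OWASP rules. Module and file paths, the upstream name and the header list are assumptions; the Vault token lookup and the schema/antivirus validation are custom code not shown here.

```nginx
# --- /etc/nginx/nginx.conf (assumed path): NGINX with the ModSecurity v3 connector ---
load_module modules/ngx_http_modsecurity_module.so;
http {
    server_tokens off;                      # do not advertise the NGINX version

    upstream legacy_backend {               # assumed name/address of a legacy internal app
        server 10.0.0.10:8080;
    }

    server {
        listen 443 ssl;                     # TLS in front of the legacy app
        ssl_certificate     /etc/nginx/tls/server.crt;   # placeholder paths
        ssl_certificate_key /etc/nginx/tls/server.key;

        modsecurity on;
        modsecurity_rules_file /etc/nginx/modsec/main.conf;

        location /api/ {
            proxy_hide_header Server;       # drop upstream headers that leak implementation details
            proxy_hide_header X-Powered-By;
            proxy_pass http://legacy_backend;
        }
    }
}

# --- /etc/nginx/modsec/main.conf (assumed path): ModSecurity rules ---
# Base engine settings shipped with ModSecurity; switch to blocking mode and read request bodies.
Include /etc/modsecurity/modsecurity.conf
SecRuleEngine On
SecRequestBodyAccess On

# Request header allow-list, evaluated in phase 1 (request headers): any header whose name
# is not listed is rejected. Add headers your own proxy chain inserts (e.g. X-Forwarded-For),
# otherwise legitimate traffic is dropped.
SecRule REQUEST_HEADERS_NAMES "!@rx ^(?i:host|content-type|content-length|accept|authorization|user-agent|x-request-id)$" \
    "id:10001,phase:1,deny,status:400,log,msg:'Request header not on allow-list: %{MATCHED_VAR}'"

# Only JSON or SOAP/XML bodies are accepted; anything else is refused with 415 before the body
# is read. Requests without a Content-Type header (e.g. a bodiless GET) are not affected.
SecRule REQUEST_HEADERS:Content-Type "!@rx ^(?i:application/json|text/xml|application/soap\+xml)" \
    "id:10002,phase:1,deny,status:415,log,msg:'Unsupported Content-Type'"

# Parse JSON bodies so the rules below inspect individual fields (the stock modsecurity.conf
# enables this and the XML processor the same way; shown here explicitly).
SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i:application/json)" \
    "id:10003,phase:1,pass,nolog,ctl:requestBodyProcessor=JSON"

# OWASP Core Rule Set: XSS, SQL injection and other generic attack detection.
Include /etc/modsecurity/crs/crs-setup.conf
Include /etc/modsecurity/crs/rules/*.conf
```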
We had a number of challenges, including:
- Many open source products to integrate into a single solution.
- Many round-trips/hops across the security solution.
- Integrating the security layer with HashiCorp Vault to manage the secrets (tokens).
The outcomes:
- We delivered a secure system addressing all business requirements and security problems.
- The solution can be deployed with any cloud provider without requiring changes.
- Licensing costs were reduced or eliminated, depending on project requirements.
- System performance improved (lower latency and less resource contention).