Endpoint Security vs Cloud Security And The Cloud WAF Bypass Problem ::
Earlier this year at DEFCON in Nevada, and also at Black Hat, there was a lot of buzz around “endpoint security”. In this cybersecurity article, we are going to explain a few issues with a cloud approach to web firewalls. Then we'll explain the benefits of endpoint security and why Pelstar Computer Systems Inc. takes an endpoint approach to protecting your investment.
The Cloud WAF Bypass Problem ::
Famous cloud firewall providers, such as Sucuri and Cloudflare, have servers that live out on the internet. When you configure a cloud firewall (or cloud WAF), the provider will ask you to point your website at their servers by making a DNS change. Once you've done that, the cloud provider configures their servers so that when your web traffic arrives there, it is filtered using their firewall rules.
Once filtered, the traffic is forwarded over the public Internet to your website. In this configuration your original website is known as the “origin” or your “origin server”. That is where your site originates from and is actually hosted.
Your origin server may be hosted at Bluehost, Hostgator, Godaddy, on your own server, or with one of the many other major hosting providers.
In theory once you have configured your website with a cloud firewall (or cloud WAF) you are protected by it. The expectation is that attackers will try to access your website using your domain name of www.example.com, they will be pointed to the cloud WAF and their attacks will be filtered out.
In reality, if an attacker can discover your origin IP address, they can simply bypass the cloud WAF as the diagram below shows:
In the case of a cloud WAF, you aren't actually “behind” a firewall because the server is still on the public internet. Anyone on the net can access your server directly if they discover your origin server IP address. Knowing your origin server IP allows them to simply go around the cloud firewall provider and attack your origin server.
Cloudflare have acknowledged this problem in a blog post and they provide various suggestions on how to keep your origin server IP address “secret”. They also explain how to access your origin server directly for testing if you have the IP address.
We refer to this problem as the “Cloud WAF Bypass Problem”, because it is just that: a huge problem.
The Cloud WAF Bypass Problem is Well Documented ::
This issue is well documented by many security bloggers. Tools like CloudPiercer.org and CrimeFlare exist to help attackers bypass a Cloud WAF.
CrimeFlare lets you look up a Cloudflare customer's origin IP address or download an entire database of 1.5 million Cloudflare customers and what CrimeFlare detected as their origin IP address.
CloudPiercer uses an array of techniques to reveal a target's real IP address. They estimate that 70% of sites protected by cloud WAF providers have their origin IP address exposed. More detailed stats and our own data are included below.
Keeping the Origin IP Address Secret is a Challenge ::
There are many ways to discover a site's origin IP address ::
- Look up the IP address of subdomains like mail.example.com and ssh.example.com. In many cases they point to the origin IP address.
- Use an IP history database like viewdns.info to look up where the origin IP was hosted, before the website started using a cloud WAF.
- Use the site certificate and a search engine like Censys.io or Shodan.io to locate the origin IP address where the certificate is installed.
- Perform an action that gets the site to connect somewhere, revealing its origin IP address. For example, on WordPress you can initiate a pingback to a site which will cause it to connect back to you, revealing its origin IP address.
- Use DNS records like SPF which might reveal the origin IP or adjacent addresses.
- Examine site HTML source which may include subdomains that point to the origin IP address.
- Examine public source or log files which may include the origin IP address or subdomains pointing to the origin.
The original designers of the net never intended IP addresses to be secret. There are no standards or conventions on the net that describe how an IP address might stay secret. In fact, standards like SSL certificates and de facto standards like WordPress Pingback make it virtually impossible to keep the IP address hosting a website secret.
Search engines like Censys.io and Shodan, well known in the hacker community, go around and index the internet at a network level, indexing SSL certificates and network service information. They provide a treasure trove of information to attackers who are looking for targets.
Censys.io lets you easily search for the origin IP of any website by using that site's certificate. The results below are from a search on Censys using the certificate common name (website hostname) of Reddit.com, which is behind Fastly and Cloudflare. An attacker would use the origin server addresses to launch an attack that bypasses the cloud WAF.
To perform the audit, we took the following steps for each subdomain:
- Verify the customer is using Cloudflare and store a copy of their website home page. We checked HTTP and HTTPS and the site with and without the www. prefix to locate it.
- Look up common subdomain IP addresses.
- Verify the subdomain IPs don't point to Cloudflare.
- Remove duplicate IPs.
- Try to fetch the site from the origin IPs directly by connecting directly and specifying a 'Host' header in the HTTP request.
- Where we received a response, compare the original page title and first asset (first item in a src= attribute) with the page we just fetched directly.
- If they match, then count it as a successful bypass.
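The discovery methods listed earlier and the audit steps just described come together in the following self-check, which is an added example and not code from the original article or from Pelstar Computer Systems Inc. It is written for auditing a domain you operate: resolve common subdomains, keep the ones that do not point at the WAF provider, collapse duplicate IPs, fetch the site directly from each remaining IP with a Host header, and compare the page title and first src= asset with the copy served through the WAF. DNS resolution and HTTP fetching are injected callables, so the logic runs offline against constructed sample data; the subdomain list beyond "mail" and "ssh", the WAF IP range, and all addresses (RFC 5737 documentation ranges) are assumptions, and the real provider IP list must be substituted before running it against a live domain.

```python
"""Self-audit for the cloud WAF bypass problem.

Added example, not code from the original article or from Pelstar Computer
Systems Inc. DNS and HTTP are injected so the logic runs offline here; plug
in socket.gethostbyname and an HTTP client to audit a domain you own.
"""
import ipaddress
import re
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# "mail" and "ssh" are the leaks the article identifies; the rest are
# assumed additions, not from the article.
COMMON_SUBDOMAINS: Sequence[str] = ("mail", "ssh", "ftp", "webmail")

# Placeholder for the WAF provider's published IP ranges (constructed value;
# replace with the provider's real list before auditing a live domain).
WAF_RANGES: Sequence[str] = ("203.0.113.0/24",)

Resolver = Callable[[str], Optional[str]]            # hostname -> IP or None
DirectFetcher = Callable[[str, str], Optional[str]]  # (ip, host) -> HTML or None


def is_waf_ip(ip: str, waf_ranges: Sequence[str] = WAF_RANGES) -> bool:
    """True if ip falls inside one of the provider's ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in waf_ranges)


def find_exposed_origins(domain: str, subdomains: Sequence[str], resolve: Resolver,
                         waf_ranges: Sequence[str] = WAF_RANGES) -> Dict[str, List[str]]:
    """Map each non-WAF IP to the sorted subdomains that point at it.
    Subdomains that do not resolve, or resolve to the WAF, are dropped, and
    duplicate IPs collapse into one entry (the article's dedupe step)."""
    exposed: Dict[str, List[str]] = {}
    for sub in subdomains:
        ip = resolve(f"{sub}.{domain}")
        if ip is None or is_waf_ip(ip, waf_ranges):
            continue
        exposed.setdefault(ip, []).append(sub)
    return {ip: sorted(subs) for ip, subs in exposed.items()}


def page_fingerprint(html: str) -> Tuple[str, str]:
    """Return (page title, first src= attribute value), each '' if absent."""
    title = re.search(r"<title[^>]*>(.*?)</title>", html, re.I | re.S)
    src = re.search(r"\bsrc\s*=\s*[\"']?([^\"'\s>]+)", html, re.I)
    return (title.group(1).strip() if title else "", src.group(1) if src else "")


def confirm_bypass(reference_html: str, direct_html: Optional[str]) -> bool:
    """The article counts a bypass when the directly fetched page matches the
    WAF-served page on both title and first asset."""
    if direct_html is None:
        return False
    return page_fingerprint(reference_html) == page_fingerprint(direct_html)


def audit(domain: str, reference_html: str, resolve: Resolver, fetch_direct: DirectFetcher,
          subdomains: Sequence[str] = COMMON_SUBDOMAINS,
          waf_ranges: Sequence[str] = WAF_RANGES) -> List[str]:
    """Sorted list of origin IPs from which the site is served directly,
    i.e. addresses where the WAF can be bypassed and the origin needs firewalling."""
    candidates = find_exposed_origins(domain, subdomains, resolve, waf_ranges)
    return sorted(ip for ip in candidates
                  if confirm_bypass(reference_html, fetch_direct(ip, domain)))


# ---- constructed sample data (documentation addresses, not real hosts) ----
SAMPLE_DNS = {
    "example.com": "203.0.113.10",       # proxied through the WAF
    "mail.example.com": "198.51.100.7",  # leaks the origin
    "ssh.example.com": "198.51.100.7",   # same origin, should dedupe
    "ftp.example.com": "192.0.2.44",     # a different box, not the web origin
}
ORIGIN_HTML = ("<html><head><title>Example Site</title></head>"
               "<body><img src=\"/static/logo.png\"></body></html>")
SAMPLE_PAGES = {
    "198.51.100.7": ORIGIN_HTML,
    "192.0.2.44": "<html><head><title>FTP mirror</title></head>"
                  "<body><img src='/ftp.png'></body></html>",
}


def sample_resolve(hostname: str) -> Optional[str]:
    return SAMPLE_DNS.get(hostname)


def sample_fetch_direct(ip: str, host: str) -> Optional[str]:
    # Stands in for connecting to ip and sending
    # "GET / HTTP/1.1\r\nHost: <host>\r\n\r\n" as the article describes.
    return SAMPLE_PAGES.get(ip)


def run_sample_audit() -> List[str]:
    """Audit the constructed sample; ORIGIN_HTML doubles as the WAF-served copy."""
    return audit("example.com", ORIGIN_HTML, sample_resolve, sample_fetch_direct)


if __name__ == "__main__":
    print("Origin IPs reachable directly:", run_sample_audit())
```

Any IP the audit returns is an origin that answers the public internet directly; the fix on the origin side is to accept web connections only from the WAF provider's published ranges and to move leaking subdomains (mail, ssh and the like) off the origin address, so the DNS lookups in the first step stop revealing it.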
As you can see, looking up the IP address using the 'mail' subdomain is by far the most successful technique. Over 50% of cloud WAF customers that reveal their origin IP do so through the 'mail' subdomain. The 'ssh' subdomain is also a common culprit, likely because Cloudflare's own documentation uses it to illustrate how you can connect directly to your own origin IP address.
The Fix: Protect the Endpoint and Prevent Bypass ::
Endpoint protection has taken the industry by storm during the past year. Almost every major vendor is providing some form of endpoint security. So what is the endpoint exactly? An endpoint can be defined simply as the final target a hacker is after. In the case of desktop security, it is the workstation a user works on. In the case of mobile platforms, it's the smartphone a user has in their hand.
In the case of the world-famous WordPress CMS, the endpoint is the actual WordPress installation that the attacker is trying to compromise. We believe that to best protect a website, you need to protect the endpoint first and foremost.
The first benefit of protecting a website at the endpoint is that there is no way for an attacker to bypass the security mechanisms. They can't go around the Pelstar Computer Systems Inc. firewall because, quite frankly, it is an integral part of the endpoint. To use the endpoint application, you have to interact with our firewall, and if you're a hacker, good luck with that.
The second major benefit is that, by protecting the endpoint, you get an extra usability boost and a much higher performing web application as a result.
In closing ::
NOTHING IS 100% SECURE!! NOTHING!! PERIOD.
However, to protect your investment, you need to implement an endpoint strategy that takes a defense-first approach to cybersecurity, and Pelstar Computer Systems Inc. takes this approach.
As our company has evolved, we have had to consider whether we would invest in a managed cloud security solution provider, or focus on protecting our own and our customers' endpoints, where their websites and web apps reside. We chose to stay on the endpoint, and the industry has now also shifted its focus to protecting the endpoint.
So, doesn't it make complete sense to implement an endpoint cybersecurity strategy?
Contact Us to learn more about what we can do for your web app or website or custom CMS.
In our opinion, using a cloud WAF is like hiring a security firm in Los Angeles and asking all of your visitors to go through their Los Angeles offices before visiting you in New York. We believe in posting guards where the assets are and putting additional defenses behind that first layer of security. This proven approach works for the over 1.5 million sites we protect and it is where the industry is headed.