AVI / NSX ALB WAF POC

Introduction

Recently a few customers wanted to test the AVI WAF, so I thought it would be worth documenting the testing and some of the learnings.

Pre-requisite

I assume you already understand the AVI architecture and the iWAF architecture. If not, there are some good videos from AVI Networks explaining these concepts: Application Delivery How-To Videos: App Security / WAF

Lab Setup

Installation of Kubernetes Node for DVWA

We will use DVWA as the test application and, to keep the installation simple, the containerized version of it. I list two deployment options in this guide: a single Kubernetes node built with labops, and a TKG-multicloud cluster with AKO. Which one you pick depends on your use case. The first option suits you if you just want to test the WAF features and are not so interested in container ingress services, because the labops build exposes the container service with a NodePort. The second option suits you if you also want to test using an AKO HostRule to enable WAF for applications exposed through AKO Ingresses.

Using LabOps single node.

Software Versions

AVI Controller 2.1.1
  1. Create a new VM - 4 vCPU, 8GB RAM - and mount the boot.iso. You will need DHCP with Internet access for the automatic bring-up of the Kubernetes node. If you need more information, refer to Andrew's github - https://github.com/apnex/labops

  2. Once the node is up and running, find out its IP address and SSH to the node.
kubectl get nodes
kubectl get svc
kubectl apply -f https://raw.githubusercontent.com/vincenthanjs/kubernetes-apps-demo/master/demo-03-dvwa-app/dvwa-apps-lb-nodeport.yaml
kubectl get svc
kubectl get pods

  3. You can access the DVWA application on the VM IP at port 31000. In my case http://10.114.1.34:31000

Log in with username admin and password password.

Create the database and then log in again.

  4. Create a Virtual Service in the AVI Controller and use the DVWA application as the pool member.

  5. Enable WAF. Edit the Virtual Service and, under WAF Policy, select 'System-WAF-Policy'. Check the policy mode as well: in Detection mode the WAF only logs matching requests (they show up under the WAF tab) and still forwards them to DVWA, while in Enforcement mode it rejects them.

You will see there is a shield on the virtual service.

Under the virtual service, you will see a WAF tab as well.

Under the virtual service, you will also find the IP address for the virtual service.

Now you can access DVWA through the Virtual Service, so that DVWA is protected by the WAF. In my case, http://10.112.1.51/.

Using TKG-M Clusters with AKO.

Software Versions

AVI Controller 20.1.6
AKO 1.5.2
TKG-Multicloud 1.4
  1. Install TKG-M using the Tanzu CLI. You will need to create a bootstrap management cluster and then a workload cluster.

  2. Prepare the AVI environment: DNS and IPAM profiles and the DNS Virtual Service. Install AKO.

  3. Deploy the DVWA manifest with a secured Ingress.

git clone https://github.com/vincenthanjs/kubernetes-apps-demo.git
cd kubernetes-apps-demo/apps.acepod.com/demo-03-dvwa-app

In this folder I have created a few scripts to make the deployment simpler. Essentially, you need to create a namespace and the certificate for the TLS secret used by the Ingress. Because of Docker Hub pull rate limits, I also created a script that logs in to Docker Hub and creates a ServiceAccount in the namespace with the imagePullSecrets.

./create-tls-cert.sh
./create-regcred.sh
kubectl apply -f dvwa-app.yaml

kubectl get ingress -n dvwa-apps

In the AVI Controller, you will be able to see the Ingress created.

Open a browser and access the ingress. In my case, https://dvwa.apps.acepod.com

Log in with username admin and password password. Create the database and then log in again.

  4. Apply the WAF HostRule.
[root@localhost demo-03-dvwa-app]# cat dvwa-hostrule.yaml
apiVersion: ako.vmware.com/v1alpha1
kind: HostRule
metadata:
  name: dvwa-hostrule
  namespace: dvwa-apps
spec:
  virtualhost:
    fqdn: dvwa.apps.acepod.com
    enableVirtualHost: true
    wafPolicy: System-WAF-Policy
kubectl apply -f dvwa-hostrule.yaml

  5. In the AVI Controller you can see the Ingress with WAF enabled. There is a shield on the virtual service where WAF is enabled.

WAF Testing

Now, with DVWA set up and the AVI WAF enabled, we proceed to some testing. You can use either deployment option above for the tests. In my case, I will be using Option 1.

Test Case 01 - SQL Injection

%' or 0=0 union select null, version() #

Entered in the User ID field of the DVWA SQL Injection page.

Results:

Test Case 02 - Cross Site Scripting

<script>alert("XSS Exploit Test")</script>

Entered in the "What's your name?" field of the DVWA XSS (Reflected) page.

Results:

Test Case 03

More tests coming soon…
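To make the two test cases above repeatable, and to add a benign control request, here is a small Python script that sends the same payloads through the virtual service and reports whether each request was blocked. It is an added example and is not part of the original guide or of the labops / kubernetes-apps-demo repositories. It assumes DVWA's standard form paths (/vulnerabilities/sqli/ and /vulnerabilities/xss_r/), that the WAF policy is in Enforcement mode and answers a matched request with HTTP 403, and it uses the Option 1 virtual service address from this guide only as a default; the function names are my own.

```python
"""Send the guide's two WAF test payloads through the Avi virtual service and
report whether each one was blocked.

Added example, not from the original guide. Assumptions: DVWA's standard
paths (/vulnerabilities/sqli/ and /vulnerabilities/xss_r/), and an Avi WAF
policy in Enforcement mode that answers a matched request with HTTP 403.
"""
import urllib.error
import urllib.parse
import urllib.request

# The two payloads from the guide, exactly as typed into the DVWA forms.
SQLI_PAYLOAD = "%' or 0=0 union select null, version() #"
XSS_PAYLOAD = '<script>alert("XSS Exploit Test")</script>'

# DVWA submits both forms as GET, so the payload travels in the query string
# and the WAF inspects it before DVWA ever sees it. No login session is
# needed: an unauthenticated request is still evaluated by the WAF, and if it
# is not blocked DVWA simply redirects it (302) to login.php.
TEST_CASES = [
    ("01 SQL Injection", "/vulnerabilities/sqli/",
     {"id": SQLI_PAYLOAD, "Submit": "Submit"}),
    ("02 Cross Site Scripting", "/vulnerabilities/xss_r/",
     {"name": XSS_PAYLOAD}),
    # Control request: must never be blocked. If it is, the policy is too
    # tight (or the VS is down) and the other two results mean nothing.
    ("00 Control (benign)", "/login.php", {}),
]


def build_url(base_url, path, params):
    """Assemble the request URL with the payload URL-encoded as a browser would."""
    url = base_url.rstrip("/") + path
    if params:
        url += "?" + urllib.parse.urlencode(params)
    return url


def classify(status, blocked_status=403):
    """Map an HTTP status to a verdict: 403 is the Enforcement-mode reject,
    anything else means the request reached DVWA."""
    return "blocked" if status == blocked_status else "passed"


def http_status(url):
    """Real fetcher: return the status code without following redirects,
    because the 302 to login.php is exactly the 'passed' signal we want."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # turn the redirect into an HTTPError we can read

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_tests(base_url, fetch=http_status):
    """Run every test case; return {name: (http_status, verdict)}.
    `fetch` is injectable so the logic can be exercised offline."""
    results = {}
    for name, path, params in TEST_CASES:
        status = fetch(build_url(base_url, path, params))
        results[name] = (status, classify(status))
    return results


if __name__ == "__main__":
    import sys
    base = sys.argv[1] if len(sys.argv) > 1 else "http://10.112.1.51"
    for name, (status, verdict) in sorted(run_tests(base).items()):
        print(f"{name:26s} HTTP {status:<4} {verdict}")
```

Run it as `python3 waf_probe.py http://10.112.1.51` (or the Option 2 hostname). A 302 on the two attack requests means they reached DVWA, which redirected the unauthenticated request to login.php: either the policy is in Detection mode, in which case the hits still show up under the virtual service's WAF tab, or the rule set did not match the payload. The control request should always return 302; if it returns 403 the policy is blocking legitimate traffic and the attack results tell you nothing.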

Conclusion

Thanks for reading this guide. I hope it gives you some ideas on how to easily set up DVWA and run an AVI WAF POC. Do let me know what you think. Feel free to ping me on YouTube, Twitter or LinkedIn.