Deploying CNAF

CNAF can secure both containerized and non-containerized web apps. The deployment method varies slightly depending on the type of entity you’re protecting.
To deploy CNAF, create a new rule, and declare the entity to protect. Sometimes you’ll want to completely bypass CNAF’s filters. To allow known good clients to bypass CNAF, go to the
Advanced
tab in the CNAF rule, and enter values for
Explicitly allowed inbound IP sources
and
Explicitly allowed paths
.
CNAF capabilities that are disabled by default are set that way to optimize performance.

Deploying CNAF for containers

To deploy CNAF for a containerized web-app, create a new rule, specify the image name, and declare the ports where it listens.
Applying a rule to all images using a wild card (
*
) is invalid and a waste of resources. CNAF only needs to be applied to images that transmit and receive HTTP/HTTPS traffic.
To protect against this type of misconfiguration, Defender enforces a limit. Each CNAF firewall runs as a Defender subprocess, and each instance of Defender supports a maximum of five CNAF firewalls. If your node launches a sixth container that’s configured for CNAF protection, Defender prints a message to its log that the limit has been reached.
  1. Open Console, and go to
    Defend > Firewalls > Cloud Native App Firewall
    .
  2. Click
    Add rule
    .
  3. Enter a rule name.
  4. Specify the ports where the container listens for web traffic.
  5. If your app uses TLS, set
    TLS
    to
    True
    , and upload your server’s certificate and private key. CNAF must be able to decrypt and inspect HTTPS traffic to function properly.
  6. In the
    Images
    filter, specify the name of your app’s image.
  7. Select the protections to enable.
  8. Click
    Save
    .

Deploying CNAF for hosts

To deploy CNAF to protect a host running a non-containerized web app, create a new rule, and specify the host(s) where it runs.
Applying a rule to all hosts using a wild card (
*
) is invalid and a waste of resources. CNAF only needs to be applied to hosts that run apps that transmit and receive HTTP/HTTPS traffic.
  1. Open Console, and go to
    Defend > Firewalls > CNAF for Hosts
    .
  2. Click
    Add rule
    .
  3. Enter a rule name.
  4. Specify the ports where the host listens for web traffic.
  5. If your app uses TLS, set
    TLS
    to
    True
    , and upload your server’s certificate and private key. CNAF must be able to decrypt and inspect HTTPS traffic to function properly.
  6. In the
    Hosts
    filter, specify the host(s) where your web app runs.
  7. Select the protections to enable.
  8. Click
    Save
    .

Deploying CNAF for containers (App Embedded Defender)

In some environments, Prisma Cloud Defender must be be embedded directly in the container it’s protecting. This type of Defender is known as App Embedded Defender. App Embedded Defender can secure these types of containers with all of CNAF’s protection capabilities.
The only difference is that App Embedded Defender runs as a reverse proxy to the container it’s protecting. As such, when you set up CNAF for App Embedded, you must specify the exposed external port where App Embedded Defender can listen, and the port (not exposed to the Internet) where your web application listens. CNAF for App Embedded forwards the filtered traffic to your application’s port - unless an attack is detected and you chose
Prevent
in your CNAF for Fargate rule.
For more information on the type of attacks that Prisma Cloud detects and prevents, see Prisma Cloud CNAF.
When testing your Prisma Cloud-protected container, be sure you update the security group’s inbound rules to permit TCP connections on the external port you entered in the CNAF rule. This is the exposed port that allows you to access your web container. To disable CNAF protection, disable the CNAF rule, and re-expose the application’s real port by modifying the security group’s inbound rule.
  1. Embed App Embedded Defender into your container or Fargate task.
  2. Go to
    Defend > Firewalls > CNAF for App Embedded
    .
  3. Click
    Add rule
    .
  4. Enter a rule name.
  5. Select
    Alert
    or
    Prevent
    .
  6. Enter a port number for
    External Port
    , and one for the web container’s
    Application Port
    . The external port is typically 80 for HTTP and 443 for HTTPS. For this example, enter
    443
    for the
    External Port
    and
    8080
    for the
    Application Port
    .
  7. If your app uses TLS, set
    TLS
    to
    True
    , and upload your server’s certificate and private key. CNAF must be able to decrypt and inspect HTTPS traffic to function properly.
  8. Enter the Defender ID you specified when embedding App Embedded Defender.
  9. Click
    Save
    .
    All traffic to your web container is now be examined and protected by the embedded App Embedded Defender.
  10. Test your CNAF-protected container, browse to its public IP address.
    Specify the external port as defined in your CNAF rule.

Deploying CNAF for serverless functions

When Serverless Defender is embedded in a function, it offers built-in web application firewall (WAF) capabilities, including protection against:
  • SQL injection (SQLi) attacks
  • Cross-site scripting (XSS) attacks
  • Command injection (CMDi) attacks
  • Local file system inclusion (LFI) attacks
  • Code injection attacks
Prerequisites:
You’ve already embedded Serverless Defender into your function.
  1. Open Console and go to
    Defend > Firewalls > Cloud Native App Firewall > Serverless
    .
  2. Click
    Add rule
    .
  3. Enter a rule name.
  4. Select
    Alert
    or
    Prevent
    .
  5. Select the protections to enable.
  6. Enter the functions to protect.
    Use pattern matching to precisely target your rule.

Test string matching against HTTP headers

CNAF lets you block web requests that contain specific strings in the header. You can add any of the common headers used in web requests and specify the value to match on. The value can be a full or partial string. For partial strings, use pattern matching
The following example uses the
User-Agent
header field and block access to all web requests whose user-agent field contains all extensions of string 'Moz'.
  1. Open Console.
  2. Go to
    Defend > Firewalls > CNAF
    .
  3. Click on
    Add rule
    .
  4. In the
    Create a New CNAF Rule
    dialog:
    1. In
      Rule name
      , enter a name for the rule.
  5. Click on the
    Advanced
    tab.
    cnaf_793462.png
  6. As seen in the figure, we set the action in Prisma Cloud to Deny HTTP headers with field value
    User-Agent
    and all matches of
    Moz
    value.
  7. Open a Firefox Mozilla web browser and try to navigate to Jenkins’ address. You will see the following response:
    cnaf_793458.png
  8. Go to
    Monitor > Events
    to see alerts logged by Prisma Cloud relating to this policy violation.
    You will see an event of type header, with a message that looks like:
    Header 'User-Agent'='Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) Gecko/20100101 Firefox/54.0' is forbidden

Test protection from SQLi

SQL Injection attack is an injection technique where the attacker injects malicious SQL statements against a database server in an attempt to bypass application’s authentication and authorization mechanisms.
The procedure below shows how Prisma Cloud can help protect your application against SQL injection attacks. Consider a wordpress application hosted in your environment.
  1. Create a CNAF policy.
    1. Enter a rule name, such as
      wordpress
      .
    2. Set the
      Action
      to
      Prevent
      .
    3. Check
      Enable SQLi attack protection
      .
    4. In the
      Images
      filter, enter
      wordp*
  2. Open the application in web browser and attempt an SQL injection attack.
    cnaf_791468.png
    Response:
    cnaf_793458.png
  3. Go to
    Monitor > Events
    to see the alerts logged for this event.
    You will see an event of type sqli, with a message that looks like:
    Detected SQLi using libinjection in html query. "1" and 1 union select.

Recommended For You