application firewall
Download
Report
Transcript application firewall
Traffic Shield
Rainer Singer
Field Systems Engineer
F5 Networks Central Europe
TrafficShield™
• Web application security gateway
– Protects Web site servers and Web applications against known and
unknown security threats
– Advanced application security policy generation and management
• Appliance-based approach
– Acts as an application firewall by offloading application servers
– Provides high-performance and high-availability
• Proxy-based, positive security model
– True Layer 7 security
• Goes beyond “packet inspection” to “application content and context” inspection
– Protects against “Zero-Day” attacks
– Examines application requests and replies and verifies that they
conform to the application’s security policy
– No need for signature databases and patching
2
TrafficShield Solution
TrafficShield™
Web Servers
Intranet/
Extranet
Legitimate Traffic
Malicious Application Activity
Application Floods
Internet
Network Attacks & Floods
Unsupported Services
Application Servers
Databases
3
Web servers and Web applications are
the prime targets for attacks
The challenge:
Ensuring Web application security
and availability
4
What are the Risks?
• Brand and reputation damage
• Financial loss as a result of fraud, transaction
losses, attack clean-up costs
• Theft of sensitive corporate information
• Violation of customer privacy and theft of
customer data
• Example: Code Red estimated cost $2.6B
(Computer Economics)
5
Reasons for Web Application Vulnerabilities
• Applications were written according to client-server
security standards
• Complexity of platforms and environments makes secure
coding very difficult
• Web developers focus on functionality and performance,
not on security, they’re not trained for secure programming
• Bugs in OS, web platforms and web applications
• Web sites are changed and updated frequently
Threat is exacerbated by the availability of:
– Web application client-side source code (hackers gain
information for planning attacks)
– Widely available, free, easy to use hacking tools
6
Attacks on Web Applications
Known and Unknown Web Worms
Known and Unknown Web Vulnerabilities
Illegal Access to Web-server files
Forceful Browsing
File/Directory Enumerations
Brute Force attacks
Buffer Overflow
Cross-Site Scripting
SQL/OS Injection
Cookie Poisoning
Hidden-Field Manipulation
Parameter Tampering
Flood attacks (GET, 404)
SSL Flooding
7
Traditional Security Solutions Don’t
Protect Web Applications
Firewalls:
“Firewalls offer little protection at the application
layer because ports within the firewall have to
be left open for communication”
(IDC 2002)
Network IDS:
“Intrusion detection systems are a market
failure, and vendors are now hyping intrusion
prevention systems, which have also stalled."
(Gartner, 2003)
8
The Fundamental Problem with IPS/IDS
• Negative security logic
– Lets everything through, except what can be identified as
malicious traffic
– Based on attack signatures and traffic characteristics
• Problems
–
–
–
–
Protects only against known attacks
Requires constant updating of signatures and characteristics
Doesn’t protect against “Zero Day” attacks
Doesn’t protect against attacks based on illegal user input
•
•
•
•
Cookie poisoning and hidden-field manipulation
Parameter (form-field) tampering
Forceful browsing
Backdoors and debug-option exploitation
9
Current Approach: Scan-and-Fix
• Scanning HTML code for known breaches and
then rewriting it
–
–
–
–
–
–
Ineffective and costly
Time-consuming due to high rate of false positives
Doesn’t find all vulnerabilities, requiring manual code review
Requires expensive code rewrites
Slows down product development
Defenseless against new threats, since it only looks for
known vulnerabilities
10
Positive Security Logic: A Better Way
• All traffic is illegal unless known to be legal
– Verifies that the user interacts with the Web application in
exactly the way designed by the developer
– Like a firewall; minimal ongoing policy management since it
does not need to look for specific attack patterns
11
Every Web Application is Exposed
Web Browser
Applications
at Risk
Web Browser
Web Browser
Current Network Perimeter Security
(Firewall, Virus Scan, IDS, etc.)
•
•
•
•
Source code is in browser – can be tampered with!
Firewalls can’t stop them
IPS can’t detect them
Scanning can’t patch them
12
Example: Parameter Tampering
13
Example: Parameter Tampering
14
Traditional Security Solutions Don’t
Protect Web Applications
Application
Firewall
Known Web Worms
Unknown Web Worms
Known Web Vulnerabilities
Unknown Web Vulnerabilities
Illegal Access to Web-server files
Forceful Browsing
File/Directory Enumerations
Buffer Overflow
Cross-Site Scripting
SQL/OS Injection
Cookie Poisoning
Hidden-Field Manipulation
Parameter Tampering
Network
Firewall
IPS
Limited
X
Limited
X
Limited
X
X
Limited
Partial
Limited
X
X
Limited
Limited
Limited
Limited
Limited
X
X
X
X
Limited
X
X
X
15
TrafficShield Application Firewall
16
TrafficShield Application Firewall
1. Web application firewall
-
Protect web applications against known & unknown attacks
Uses positive security logic – All traffic is illegal unless known to be legal
2. Content scrubbing
-
Prohibit delivery of sensitive data
3. Application cloaking
-
Hide the identity of web applications from outside probing
17
Protecting Web-based Applications
CONTENT
SCRUBBING
ATTACK
FILTERING
APPLICATION
FIREWALL
Social Security Numbers
Scrubbed
Credit Card Numbers
Blocked
Out-of-box Protection
Included
Scrubbed
Unvalidated Input
Manipulation
Blocked
Account Numbers
Scrubbed
Script Kiddies, Known Worms
& Vulnerabilities
Blocked
Broken Access Control
(Forceful Browsing)
Patient Health ePHI
Scrubbed
Buffer Overflow
Blocked
Requests for Restricted
Object and File Types
Blocked
Phone Numbers
Scrubbed
Cross-Site Scripting
Blocked
Non-RFC-Compliant Traffic
Blocked
Any other identifiable
text pattern
Scrubbed
SQL/OS Injection
Blocked
Illegal HTTP Format, Method
Blocked
Cookie Poisoning
Blocked
Unknown Worms and
Vulnerabilities
Blocked
15 min
Set-Up Time
SSL ACCELERATION &
KEY MANAGEMENT
CLOAKING
NETWORK
FIREWALL
OS and Web Server
Fingerprinting
Blocked
HTTP Error Messages
Blocked
IP/Port Filtering
Included
Application Error Messages
Blocked
Securing TCP/IP Session
Included
Leakage of Server Code
Blocked
Reverse Proxy
Included
SSL Accelerator
Included
Key Management &
Failover Handling
Included
SSL Termination and
Re-encryption to Servers
Included
18
TrafficShield™ Web Application Firewall
Targeted Attacks
–Unvalidated Input Manipulation
–Broken Access Control (Forceful Browsing)
–Buffer Overflow
–Cross-Site Scripting
–SQL/OS Injection
–Cookie Poisoning
Random Attacks
–Script Kiddies
–Known Worms & Vulnerabilities
–Requests for Restricted Object and File Types
–Non-RFC-Compliant Traffic
–Illegal HTTP format, method
Application
Servers
19
TrafficShield™ Content Scrubbing
Sensitive Data
–Social Security Numbers
–Credit Card Numbers
–Account Numbers
–Patient Health ePHI
–Phone Numbers
–Any other identifiable text pattern
Application
Servers
20
TrafficShield™ Cloaking And Security
Services
SSL
HTTP
Application
Servers
Security Services
Application Cloaking
•SSL Accelerator
•Key Management & Failover Handling
•SSL Termination and Re-encryption
•IP/Port filtering
•Reverse proxy
•OS and Web Server Fingerprinting
•HTTP error messages
•Application Error Messages
•Leakage of server code
21
The Application Flow Model
Web
Application
Flow Model
Actions not known
to be legal can
now be blocked.
CHANGE
USER ID
- wrong page order
- invalid parameter
- invalid value
- etc.
22
The Application Flow Model
Application
Flow Model
The only way to
provide total
security in front of
Web applications
(the only way to
replace embedded
security code)
– Stateful - Tracks which pages a user is coming from,
and the specific permissions associated with that
context.
» A request which is perfectly legal within the context of one
page might be inappropriate for a user on another page
– Bidirectional - Looks at server responses to the client
as well as client requests to the server.
» Essential to verify that the user hasn’t attempted to tamper
with the credentials sent to him in his response
– Granular – Complete logical rendering of the transitions
between every page, including every object, every
parameter of each object, and every legal value within
each object parameter.
23
Building a Security Policy: How Does It Work?
LEARNING
Recommends
policy updates
based on traffic
CRAWLER
‘Maps the App’
HTML
JavaScript
80-99% Mapping of:
• Accessible objects
• Flows between objects
• Request structure
(GET/POST)
• Parameter characteristics
VISUAL
POLICY
AUDITING
Granular control
• Significantly increases
policy accuracy
– Parameter value ranges,
dynamic parameters
• Trusted IP
• Provides confidence
that no legal traffic is
blocked
• Intuitive map of each
application
– Delegated approval
support
• Policy auditing at
parameter level
24
Single Unit Deployment
Web Servers
Firewall
TrafficShield
LB Switch
Internet
Management Access
(browser)
25
Redundant Deployment
Web Servers
Firewall
TrafficShield
LB Switch
Internet
Active
Backup
Management Access
(browser)
26
Load Balanced Deployment
Web Servers
TrafficShield
Firewall
LB Switch
LB Switch
Internet
Management Access
(browser)
27
New Enterprise Hardware Platform
TrafficShield™ 4100
Best in Class Security, Performance and Management
Secure:
• Hardened Appliance
• Secure O/S
• Tested for Vulnerabilities
• Avoids Configuration/
Compatibility Issues
Manageability:
Performance:
• LCD for Simplified
Management
• Hot-Swappable Power
and Cooling
• Redundant Power/Fans
• Unique Hardware
Acceleration Support
• 4x Performance Increase
• Dual Processor
28
Summary
• Web Applications leave sensitive data exposed
• TrafficShield provides comprehensive protection
for Web Applications
– Granular
– Manageable
• Flexible deployment options ensure low TCO
29