Web Application Security
with the Application
Security Manager (ASM)
Piotr Oleszkiewicz
Zbigniew Skurczynski
[email protected]
Agenda
Web Security – What are the problems?
Vulnerabilities and protection strategies
Web security with a Web Application Firewall (WAF)
Security Policy Setups
About us
Application Security: Trends and Drivers
“Webification” of applications
Intelligent browsers and applications
Public awareness of data security
Increasing regulatory requirements
The next attackable frontier
Targeted attacks
The weakest link
“64% of the 10 million security incidents tracked targeted port 80.”
DATA (Information Week magazine)
Why Are Web Applications Vulnerable?
Security officers are not involved in software development, while developers are not security conscious
New code written to best-practice methodology, but not tested properly
New type of attack not protected by current methodology
New code written in a hurry due to business pressures
Code written by third parties; badly documented, poorly tested – third party not available
Flaws in third-party infrastructure elements
Session-less web applications written with a client-server mentality
Most web applications are vulnerable!
70% of websites at immediate risk of being hacked!
- Acunetix – Jan 2007 http://www.acunetix.com/news/security-audit-results.htm
“8 out of 10 websites vulnerable to attack”
- WhiteHat “Security Report – Nov 2006” https://whitehatsec.market2lead.com/go/whitehatsec/webappstats1106
“75 percent of hacks happen at the application.”
- Gartner “Security at the Application Level”
“64 percent of developers are not confident in their ability to write secure applications.”
- Microsoft Developer Research
The battle between hackers and security professionals has moved from the network layer to the Web applications themselves.
- Network World
www.owasp.org
Top Ten Project
A1 – Cross Site Scripting (XSS)
XSS flaws occur whenever an application takes user-supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim’s browser, which can hijack user sessions, deface web sites, etc.
A2 – Injection Flaws
Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker’s hostile data tricks the interpreter into executing unintended commands or changing data.
A3 – Insecure Remote File Include
Code vulnerable to remote file inclusion allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise.
A4 – Insecure Direct Object Reference
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.
A5 – Cross Site Request Forgery (CSRF)
A CSRF attack forces a logged-on victim’s browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim’s browser to perform a hostile action to the benefit of the attacker.
A6 – Information Leakage and Improper Error Handling
Applications can unintentionally leak information about their configuration or internal workings, or violate privacy, through a variety of application problems. Attackers use this weakness to violate privacy or conduct further attacks.
A7 – Broken Authentication and Session Management
Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users’ identities.
A8 – Insecure Cryptographic Storage
Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud.
A9 – Insecure Communications
Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.
A10 – Failure to Restrict URL Access
Frequently, the only protection for sensitive areas of an application is that links or URLs are not presented to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations.
Problems are growing
Yesterday:
• Tens of working hours of the best security specialists
• Preparing a successful attack on the web application was very expensive, but it could still bring profit if the target was interesting enough
Today:
• Automatic and semi-automatic tools that are user friendly
• Fuzzers (more than 20 Open Source tools alone)
• Newest trend: evolutionary programming
• Bottom line – the cost of preparing a successful attack has fallen dramatically!!
Most web applications are vulnerable!
Practical demonstration:
- Google
- Weak application logic
- A web browser is the only tool we need
Not enough time!
The time from finding the vulnerability to launching an attack is falling.
Are the applications prepared for ZERO-DAY attacks?
Are your applications prepared for ZERO-DAY attacks?
Web Application Security
(Diagram: browser traffic passing through the network perimeter into the application)
Perimeter Security Is Strong – But Is Open to Web Traffic (PORT 80, PORT 443)
Attacks Now Look To Exploit Application Vulnerabilities:
Buffer Overflow
Cross-Site Scripting
SQL/OS Injection
Cookie Poisoning
Hidden-Field Manipulation
Parameter Tampering
High Information Density = High Value Attack
Consequences shown in the diagram: Noncompliant Information, Infrastructural Intelligence, Forced Access to Information
Web Application Security with ASM
(Diagram: ASM placed between the Browser and the application)
ASM stops bad requests / responses
ASM allows legitimate requests
Blocked at ASM: Unauthorised Access, Noncompliant Information, Infrastructural Intelligence
Traditional Security Devices vs. Web Application Firewall (ASM)
(Table comparing the coverage of Network Firewall, IPS and ASM; ratings used in the table are Limited, Partial and X, and the per-cell positions did not survive transcription.) Threats compared:
Known Web Worms
Unknown Web Worms
Known Web Vulnerabilities
Unknown Web Vulnerabilities
Illegal Access to Web-server files
Forceful Browsing
File/Directory Enumerations
Buffer Overflow
Cross-Site Scripting
SQL/OS Injection
Cookie Poisoning
Hidden-Field Manipulation
Parameter Tampering
Security Policy in ASM
(Diagram: Browser – Enforcement – Security Policy)
Security Policy: Definition of Good and Bad Behaviour
Content Scrubbing
Application Cloaking
Security Policy in ASM
(Diagram: Browser – Enforcement – Security Policy, with Content Scrubbing and Application Cloaking on the outbound side)
Can be generated automatically or manually
Highly granular on configuration and blocking
Easy to understand and manage
Bi-directional:
– Inbound: protection from generalised & targeted attacks
– Outbound: content scrubbing & application cloaking
Application content & context aware
Positive Security - Example
Positive Security - Example
(Diagram: a request carrying <script> is rejected because it is not in the learned policy)
Actions not known to be legal can now be blocked:
- Wrong page order
- Invalid parameter
- Invalid value
- etc.
Negative vs. Positive Security
Protection for Dynamic Values or Hidden Field Manipulation
Selective Application Flow Enforcement
(Diagram: login form with Username and Password – ALLOWED; transfer form with From Acc., $ Amount, To Acc., Transfer – VIOLATION)
• Should this be a violation?
• The user may have bookmarked the page!
• Unnecessarily enforcing flow can lead to false positives.
This part of the site is a financial transaction that requires authentication; we should enforce strict flow and parameter validation.
Flexible Policy Granularity
Generic Policies - Policy per object type
– Low number of policies
– Quick to implement
– Requires little change management
– Can’t take application flow into account
Specific Policies – Policy per object
– High number of policies
– More time to implement
– Requires change management policy
– Can enforce application flow
– Tightest possible security
– Protects dynamic values
Optimum policy is often a hybrid
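As an added illustration (not ASM's own policy format or code), the following Python models the positive-security policy described on slides 17 to 21: a per-object whitelist of parameter names and value patterns, dynamic (hidden-field) values that must match what the application itself issued, and flow enforcement applied selectively, so a bookmarked page without flow enforcement is not a false positive. The objects /login.php, /transfer.php and /news.php and their parameters are constructed for a hypothetical banking site.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed positive-security policy for a hypothetical banking site; this is
# an illustration, not ASM's policy format. Per object (URL): legal parameter
# names, a value regex per name (None = dynamic value the app must have issued),
# and selective flow enforcement (only /transfer.php requires a preceding page).
POLICY = {
    "/login.php": {"params": {"username": r"[A-Za-z0-9_]{3,32}", "password": r".{8,64}"},
                   "enforce_flow": False, "allowed_from": set()},
    "/transfer.php": {"params": {"from_acc": None, "to_acc": r"\d{10}",
                                 "amount": r"\d{1,7}(\.\d{2})?"},
                      "enforce_flow": True, "allowed_from": {"/login.php"}},
    "/news.php": {"params": {}, "enforce_flow": False, "allowed_from": set()},
}

@dataclass
class Session:
    last_object: Optional[str] = None
    # hidden-field values the application itself sent, per parameter name
    issued: Dict[str, set] = field(default_factory=dict)

def learn_response(session: Session, obj: str, hidden_fields: Dict[str, str]) -> None:
    """Outbound side: remember which page was served and which dynamic values it carried."""
    session.last_object = obj
    for name, value in hidden_fields.items():
        session.issued.setdefault(name, set()).add(value)

def check_request(session: Session, obj: str, params: Dict[str, str]) -> list:
    """Inbound side: return the list of policy violations (empty = request is legal)."""
    rule = POLICY.get(obj)
    if rule is None:
        return ["Illegal object: " + obj]          # default deny: object never learned
    violations = []
    if rule["enforce_flow"] and session.last_object not in rule["allowed_from"]:
        violations.append("Wrong page order")       # flow enforced only where the policy asks
    for name, value in params.items():
        if name not in rule["params"]:
            violations.append("Invalid parameter: " + name)
        elif rule["params"][name] is None:        # dynamic value: must echo what the app issued
            if value not in session.issued.get(name, set()):
                violations.append("Invalid value: " + name + " was not issued by the application")
        elif not re.fullmatch(rule["params"][name], value):
            violations.append("Invalid value: " + name)
    return violations
```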
Flexible Deployment Options
(Diagram: policy tightening ladder, from loosest to tightest security posture)
OBJECT TYPES
OBJECT NAMES (typical ‘standard’ starting point)
PARAMETER NAMES
PARAMETER VALUES
OBJECT FLOWS
POLICY TIGHTENING SUGGESTIONS (tighter security posture)
Policy-Building Tools:
• “Trusted IP” Learning
• Live Traffic Learning
• Crawler
• Negative RegEx
• Template
F5 is the Global Leader in Application Delivery Networking
(Diagram: Users – At Home, In the Office, On the Road – connected through the Application Delivery Network to the Data Centre running Oracle, Siebel, SAP)
Business goal: Achieve these objectives in the most operationally efficient manner
F5’s Comprehensive Single Solution
(Diagram)
Users: Mobile Phone, PDA, Laptop, Desktop
The F5 Solution: Application Delivery Network on TMOS
Applications: CRM, Database, Siebel, BEA, Legacy, .NET, SAP, PeopleSoft, IBM, ERP, SFA, Custom, Co-location
The F5 Products & Modules
(Diagram: International Data Center, application partners Microsoft, SAP, Oracle, IBM, BEA)
Products and modules on TMOS:
BIG-IP Global Traffic Manager
BIG-IP Link Controller
WANJet
BIG-IP Local Traffic Manager
BIG-IP Web Accelerator
FirePass
BIG-IP Application Security Manager
iControl & iRules
Enterprise Manager
Protocols: HTTP/HTML, SIP, RTP, SRTP, RTCP, SMTP, FTP, SFTP, RTSP, SQL, CIFS, MAPI, IIOP, SOAP, XML etc…
Unique TMOS Architecture
(Diagram: Client – Client Side – TMOS Traffic Plug-ins – Server Side – Server)
TMOS Traffic Plug-ins: TCP Express, OneConnect, Compression, 3rd Party Web Accel, TCP Proxy, XML, Caching, SSL, Rate Shaping, ASM/TrafficShield, iRules
Microkernel on High Performance HW, with iControl API
High-Performance Networking Microkernel
Powerful Application Protocol Support
iControl – External Monitoring and Control
iRules – Network Programming Language
BIG-IP Software Add-On Modules
Quickly Adapt to Changing Application & Business Challenges
Compression Module, Fast Cache Module: Increase performance, Offload servers
Rate Shaping Module: Reserve bandwidth
BIG-IP Security Add-On Modules
Application Security Module: Protect applications and data
SSL Acceleration: Protect data over the Internet
Advanced Client Authentication Module: Protect against unauthorised access
ASM Platform Availability
Standalone ASM on TMOS
– 4100
Available as a module with BIG-IP LTM
– 6400/6800
– 8400/8800
Analyst Leadership Position
(Chart: Magic Quadrant for Application Delivery Products, 2007; axes Ability to Execute and Completeness of Vision; quadrants Challengers, Leaders, Niche Players, Visionaries; vendors placed: F5 Networks, Citrix Systems, Cisco Systems, Akamai Technologies, Foundry Networks, Nortel Networks, Juniper, Cresendo, Radware, Zeus, Coyote Point, NetContinuum, Array Networks)
Source: Gartner, January 2007
F5 Strengths
• Offers the most feature-rich AP ADC, combined with excellent performance and programmability via iRules and a broad product line.
• Strong balance sheet and cohesive management team with a solid track record for delivering the right products at the right time.
• Strong underlying platform allows easy extensibility to add features.
• Strong focus on applications, including long-term relationships with major application vendors, including Microsoft, Oracle and SAP.
• Support of an increasingly loyal and large group of active developers tuning their applications environments specifically with F5 infrastructure.
F5 Customers in EMEA (1 of 2)
(Customer logos by sector)
Banking, Financial
Insurance, Investments
Telco, Service Providers, Mobile
F5 Customers in EMEA (2 of 2)
(Customer logos by sector)
Transport, Travel
Media, Technology, Online
Manufact., Energy
Governm., Other
Health, Consumer
Summary
Protecting web applications is a challenge within many organizations, but attacks against web applications are the hackers’ favourites
ASM provides easy and very granular configuration options to protect web applications and to eliminate false positives
ASM combines positive and negative security models to achieve the optimum security
ASM is an integrated solution and can run as a module on BIG-IP or standalone
ASM is used to provide compliance with various standards
ASM provides hidden parameter protection and selective flow control enforcement
ASM provides an additional security layer or can be used as a central point for web application security enforcement
Evaluation
The best way to see how it will perform in your environment with your applications
Soft-Tronik can provide you with evaluation hardware and engineers to help in deployment
Backup Slides
Company Snapshot
Facts
Position
References
F5’s Continued Success
F5 Ensures Applications Running Over the Network Are Always Secure, Fast, and Available
Over 1100 Employees
NASDAQ: FFIV
Over 10,000 customers and 30,000 systems installed
Founded 1996 / Public 1999
Headquartered in Seattle, WA
(Chart: Revenue in $ Millions by quarter, 1Q03 to 1Q07, y-axis 20 to 120; bar labels 27.1, 28.0, 29.2, 31.6, 36.1, 40.6, 44.2, 50.2, 60.0, 67.7, 73.1, 80.6, 88.1, 94.1, 100.1, 111.7, 120.0)