Enterprise-wide Web Security
Res. Assistant Enis Karaarslan
Ege Univ. Campus Network Manager
ULAK-CSIRT
http://csirt.ulakbim.gov.tr/eng
CONTENT
1. Why web security?
2. Network / web system Awareness
3. Secure Coding
4. Enterprise Web Security Model
Standardization
Awareness
Training/Testing
Detection
Prevention
Coordination Centre
CONTENT (cont.)
4. Implementation
5. Conclusion
1. Why do we need web security?
Web information systems, devices, etc.
Web (server) usage increases, so incidents increase
Zone-H – 400,000 (36% increase) in 2004
CSI-FBI – “Computer Crime and Security Survey” - 95% of the respondents experienced more than 10 web site incidents in 2005
Why do we need web security? (contd.)
Incidents can cause:
Loss of privacy of the customer data
Many consequences of private data loss
Damage to the enterprise’s/vendor’s reputation
Reaching network devices and ...
Etc.
Major Problems in Web Security
• Not enough importance is given to web security
• Traditional security measures are not sufficient
• Insufficient web server security
• Lack of secure coding
“We wouldn’t need so much network security, if we didn’t have such bad software security.”
Bruce Schneier
“To win a war, one must know the way”
Sun Tzu, The Art of War
2. Network / Web System Awareness
Know your enemy (?)
Know yourself: know your assets, know what to protect
Know your systems better than the attacker does
Network / Web System Awareness (contd.)
Network Awareness: the ability to know what is happening on the network
Web System Awareness: a specialized form of network awareness
Web System Awareness
Vulnerability Analysis
System Monitoring
Web System Awareness
Web Infrastructure Awareness: collect and keep current system information
Vulnerability Testing: know your visible weaknesses
Monitoring the system: see the current status of the system
Web Infrastructure Awareness
Web server IP addresses
Protocols used (https, http)
Site domain names (ex. socrates.ege.edu.tr)
Web server ports (80, 8080, etc)
Operating system (Linux, Windows, etc)
Web server software types and versions
(Apache 2.0, IIS 6.0, etc)
Web Infrastructure Awareness (contd.)
Content Management Systems (CMS), Portals,
Wikis, Bulletin Boards, discussion forums
Web frameworks (PHP, .NET, J2EE, Ruby on
Rails, ColdFusion, Perl, etc) and all types of web
applications
Application file names
Path to the applications, the directory structures
Application parameters and their types
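An added example, not code from the presentation: the inventory this slide lists (IP address, domain name, port, protocol, web server software and version, operating system) built from nmap grepable (-oG) output, nmap being the scanner the implementation section names. The hosts, versions and addresses in the sample are constructed, and the port/service rules for deciding what counts as a web asset are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample of nmap "grepable" (-oG) output for hypothetical hosts;
# it is not a scan result from the original presentation.
SAMPLE_SCAN = """\
Host: 155.223.1.10 (www.example.edu)\tStatus: Up
Host: 155.223.1.10 (www.example.edu)\tPorts: 80/open/tcp//http//Apache httpd 2.0.52 ((Unix) PHP|4.3.9)/, 443/open/tcp//ssl|http//Apache httpd 2.0.52/\tOS: Linux 2.6.X
Host: 155.223.1.20 (portal.example.edu)\tPorts: 80/open/tcp//http//Microsoft IIS webserver 6.0/, 8080/open/tcp//http-proxy///\tOS: Microsoft Windows Server 2003
Host: 155.223.1.30 ()\tPorts: 22/open/tcp//ssh//OpenSSH 3.9p1/
"""

# One -oG port entry is port/state/protocol/owner/service/rpc/version/; nmap
# writes any '/' inside the version string as '|', so '/' is a safe delimiter.
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")
HOST_RE = re.compile(r"(\S+) \((.*?)\)")
WEB_PORTS = {80, 443, 8080, 8443}  # assumed set of "web" ports worth keeping

@dataclass
class WebAsset:
    """One row of the web infrastructure inventory listed on the slide."""
    ip: str
    hostname: str
    port: int
    protocol: str   # http or https
    software: str   # web server software and version, if fingerprinted
    os: str

def parse_grepable(text):
    """Turn nmap -oG output into WebAsset records, keeping open TCP ports that
    are well-known web ports or that nmap fingerprinted as HTTP."""
    assets = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip, hostname = HOST_RE.match(fields["Host"]).groups()
        os_name = fields.get("OS", "unknown")
        for m in PORT_RE.finditer(fields.get("Ports", "")):
            port, state, proto, _owner, service, _rpc, version = m.groups()
            port = int(port)
            if state != "open" or proto != "tcp":
                continue
            if port not in WEB_PORTS and "http" not in service:
                continue
            scheme = "https" if "ssl" in service or port == 443 else "http"
            assets.append(WebAsset(ip, hostname, port, scheme,
                                   version or "unknown", os_name))
    return assets
```

Feeding the output of `nmap -sV -O -oG scan.txt <range>` to `parse_grepable` yields the same records for a real network.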
3. Secure Coding
Secure coding and vulnerability testing in the Software Development Life Cycle (SDLC)
Assurance Models
Ex. OWASP CLASP, Microsoft SDL
OWASP Tutorials
http://www.owasp.org
Secure Coding (contd.)
Cannot be implemented perfectly because of:
Project deadlines
Programmers’ lack of security awareness
But it should be focused on.
Network-based measures must also be considered.
4. Enterprise Wide Web Security Model
Model consists of sub modules:
Standardization
Awareness
Training/Testing
Detection
Prevention
Coordination Centre
Standardization
Policy based
Define what is permitted, what is not
Define the preferred system
Supply templates, best practices
Secure coding
Documentation
Training / Testing
Workshop
Show secure coding examples, attack scenarios
Training Portal
Related secure coding best practices
Guidelines, standards
Test Server
Black box testing
Source code analysis
Intrusion Detection
Intrusion Detection Systems
Ex. Snort, ModSecurity
Log Control
Honeypot, honeynet
Prevention
Access Control
Ex. Network firewall, router ACL
Server Local Security
Ex. ModSecurity
Reverse Proxy - Web Application Firewall
Ex. ModSecurity – mod_rewrite
5. Implementation
Web Security model in progress at Ege University – Turkey
Web Security Group in ULAK-CSIRT
Focus on web system awareness and training
Open source tools
Results will be given
5.1. Active/Passive System Awareness
Aim is to collect and keep the current view of the web system
Active Scan
NMAP – AMAP
Perl code for the analysis
Open Source Search Engine (future work)
Passive Scan
Snort
ModSecurity
Active/Passive System Awareness Model
Test Deployment Schema
• IDS configured for web security
– WEBIDS
– TWEBIDS – knows the web system infrastructure
Statistical Results
                          WEBIDS    TWEBIDS
Total Number of Alerts    902,151    92,046
Source IP Address          79,419    17,010
Destination IP Address        106       106
Unique IP Links            87,062    10,657
Unique Alerts                 112        99
• Alerts collected over a one-month period
• TWEBIDS, which knows the system, has more specific alerts and fewer false alarms
• More statistics in the paper
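An added example, not the presentation's own WEBIDS/TWEBIDS code: the five counts of the statistics table computed from constructed Snort fast-alert lines, once over the raw alerts (WEBIDS) and once after an infrastructure-aware filter (TWEBIDS) that drops alerts aimed at hosts outside the web server inventory and platform-specific signatures that cannot apply to the software running on the destination. The inventory, the rule-family-to-platform mapping, the addresses and the rule ids are all assumptions.

```python
import re

# Snort "alert_fast" line layout; only the fields the statistics need are captured.
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed inventory of hypothetical hosts: the knowledge TWEBIDS has and WEBIDS lacks.
WEB_SERVERS = {"155.223.1.10": "Apache", "155.223.1.20": "IIS"}

# Assumed rule-family (first word of the message) -> platform mapping; unlisted families are generic.
PLATFORM_RULES = {"WEB-IIS": "IIS", "WEB-FRONTPAGE": "IIS"}

# Constructed alert lines with local-range SIDs; not real traffic and not real rule ids.
SAMPLE_ALERTS = """\
01/15-10:23:45.1  [**] [1:1000001:1] WEB-IIS 403 Forbidden [**] [Priority: 2] {TCP} 10.1.2.3:4567 -> 155.223.1.10:80
01/15-10:23:46.2  [**] [1:1000002:1] WEB-MISC robots.txt access [**] [Priority: 2] {TCP} 10.1.2.3:4568 -> 155.223.1.10:80
01/15-10:23:47.3  [**] [1:1000003:1] WEB-IIS root.exe access [**] [Priority: 1] {TCP} 10.9.9.9:1111 -> 155.223.1.20:80
01/15-10:23:48.4  [**] [1:1000003:1] WEB-IIS root.exe access [**] [Priority: 1] {TCP} 10.9.9.9:1112 -> 155.223.1.10:80
01/15-10:23:49.5  [**] [1:1000004:1] WEB-MISC /etc/passwd [**] [Priority: 2] {TCP} 10.5.5.5:2222 -> 155.223.1.99:80
01/15-10:23:50.6  [**] [1:1000001:1] WEB-IIS 403 Forbidden [**] [Priority: 2] {TCP} 10.1.2.3:4569 -> 155.223.1.20:80
"""

def parse_alerts(text):
    return [m.groupdict() for m in map(ALERT_RE.search, text.splitlines()) if m]

def summarize(alerts):
    """The five counts shown in the slide's statistics table."""
    return {
        "total_alerts": len(alerts),
        "source_ips": len({a["src"] for a in alerts}),
        "destination_ips": len({a["dst"] for a in alerts}),
        "unique_ip_links": len({(a["src"], a["dst"]) for a in alerts}),
        "unique_alerts": len({a["sid"] for a in alerts}),
    }

def infrastructure_aware(alerts, servers=WEB_SERVERS):
    """TWEBIDS-style filter: keep alerts aimed at a known web server whose platform the rule fits."""
    kept = []
    for a in alerts:
        platform = servers.get(a["dst"])
        if platform is None:
            continue  # destination is not one of our web servers
        required = PLATFORM_RULES.get(a["msg"].split()[0])
        if required is not None and required != platform:
            continue  # e.g. an IIS signature firing against an Apache host
        kept.append(a)
    return kept
```

Comparing `summarize(alerts)` with `summarize(infrastructure_aware(alerts))` reproduces the shape of the table: the same destinations, fewer alerts and fewer distinct signatures once the system is known.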
Vulnerability Analysis
Awareness Portal
A web portal for web server administrators and security professionals:
Detailed reports about their web systems
Summarized information about the vulnerabilities
Recommended actions to solve the problems
Track the changes on the systems
Plan to expand this implementation to control the critical web servers of the universities in the Turkish Academic Network ULAKNET
System Database Schema
5.2. Training
Workshops, meetings, live demos
Web server administrators, web application developers
Habits can’t change easily
Education is a must!
Documentation
Turkish documents - translations
http://websecurity.ege.edu.tr
http://csirt.ulakbim.gov.tr/dokumanlar
İTU-Ninova – Web Security e-learning content
http://ninova.itu.edu.tr
6. Conclusion
For enterprise web security, implement modules of the Web Security Model
Complexity versus protection
Select the modules which suit your enterprise
Primary objectives for enterprise-wide web security should be:
Web system awareness
Training web server administrators, web programmers
Conclusion (contd.)
Systems should be monitored for intrusion detection
Web security firewall implementation if possible
Future plans:
Fully integrate this model
Continue to increase web security awareness
Continue to be involved in documentation projects and translations
Thanks for your interest ....
Any questions?
Contact:
ULAK-CSIRT
http://csirt.ulakbim.gov.tr/eng