Enterprise-wide Web Security (PowerPoint presentation, 33 slides)

Res. Assistant Enis Karaarslan, Ege Univ. Campus Network Manager, ULAK-CSIRT
http://csirt.ulakbim.gov.tr/eng
Page 1: Enterprise-wide Web Security

Res. Assistant Enis Karaarslan, Ege Univ. Campus Network Manager

ULAK-CSIRT, http://csirt.ulakbim.gov.tr/eng

Page 2:

CONTENT
1. Why web security?
2. Network / web system awareness
3. Secure coding
4. Enterprise web security model
   Standardization, Awareness, Training/Testing, Detection, Prevention, Coordination Centre

Page 3:

CONTENT (cont.)
5. Implementation
6. Conclusion

Page 4:

1. Why is web security needed?

Web (server) usage increases: information systems, devices, etc.

Web incidents increase:
• Zone-H: 400,000 (36%) increase in 2004
• CSI-FBI "Computer Crime and Security Survey": 95% of the respondents experienced more than 10 web site incidents in 2005

Page 5:

Why is web security needed? (contd.)

Incidents can cause:
• Loss of privacy of the customer data
• Many consequences of private data loss
• Damage to the enterprise's/vendor's reputation
• Reaching network devices and ...
• Etc.

Page 6:

Major Problems in Web Security
• Not enough importance is given to web security
• Traditional security measures are not sufficient
• Insufficient web server security
• Lack of secure coding

Page 7:

"We wouldn't need so much network security, if we didn't have such bad software security."

Bruce Schneier

Page 8:

"To win a war, one must know the way."

Sun Tzu, The Art of War

Page 9:

2. Network / Web System Awareness

Know your enemy (?)

Know yourself: know your assets, know what to protect.

Know your systems better than the attacker does.

Page 10:

Network / Web System Awareness (contd.)

Network Awareness: the ability to know what is happening on the network.

Web System Awareness: a specialized form of network awareness, consisting of
• Web system awareness
• Vulnerability analysis
• System monitoring

Page 11:

Web System Awareness

Web infrastructure awareness: collect and maintain current system information.

Vulnerability testing: know your visible weaknesses.

Monitoring the system: see the current status of the system.

Page 12:

Web Infrastructure Awareness
• Web server IP addresses
• Protocols used (https, http)
• Site domain names (ex. socrates.ege.edu.tr)
• Web server ports (80, 8080, etc.)
• Operating system (Linux, Windows, etc.)
• Web server software types and versions (Apache 2.0, IIS 6.0, etc.)

Page 13:

Web Infrastructure Awareness (contd.)
• Content Management Systems (CMS), portals, wikis, bulletin boards, discussion forums
• Web frameworks (PHP, .NET, J2EE, Ruby on Rails, ColdFusion, Perl, etc.) and all types of web applications
• Application file names
• Path to the applications, the directory structures
• Application parameters and their types

Page 14:

3. Secure Coding

Secure coding and vulnerability testing in the Software Development Life Cycle (SDLC)

Assurance models, ex. OWASP CLASP, Microsoft SDL

OWASP tutorials: http://www.owasp.org

Page 15:

Secure Coding (contd.)

Cannot be implemented perfectly because of:
• Project deadlines
• Programmers' lack of security awareness

But it should be focused on. Network-based measures must also be considered.

Page 16:

4. Enterprise-Wide Web Security Model

The model consists of sub-modules:
• Standardization
• Awareness
• Training/Testing
• Detection
• Prevention
• Coordination Centre

Page 17:

Standardization

Policy based:
• Define what is permitted and what is not
• Define the preferred system

Supply templates and best practices:
• Secure coding
• Documentation

Page 18:

Training / Testing

Workshop: show secure coding examples and attack scenarios

Training portal: related secure coding best practices, guidelines, standards

Test server: black box testing, source code analysis

Page 19:

Intrusion Detection
• Intrusion Detection Systems, ex. Snort, Mod Security
• Log control
• Honeypot, honeynet

Page 20:

Prevention
• Access control, ex. network firewall, router ACL
• Server local security, ex. Mod Security
• Reverse proxy / web application firewall, ex. Mod Security, Mod Rewrite

Page 21:

5. Implementation

Web security model in progress at Ege University, Turkey

Web Security Group in ULAK-CSIRT

Focus on web system awareness and training

Open source tools

Results will be given

Page 22:

5.1. Active/Passive System Awareness

Aim is to collect and maintain the current view of the web system.

Active scan:
• NMAP, AMAP
• Perl code for the analysis
• Open source search engine (future work)

Passive scan:
• Snort
• Mod Security
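The active-scan step above feeds nmap/amap output into analysis code to build the infrastructure inventory listed on the Web Infrastructure Awareness slides (IP addresses, ports, protocol, domain names, server software and version, OS), and the awareness portal later tracks changes on those systems. As an added example that is not the presentation's own Perl analysis code, the Python below parses nmap's XML output (the real `-oX` element and attribute names) into such an inventory and diffs two snapshots; the XML and its hosts are a constructed sample, not a real scan.

```python
import xml.etree.ElementTree as ET
# Constructed sample of nmap -sV -O XML output (not a real scan; placeholder hosts).
SAMPLE_XML = """<nmaprun scanner="nmap">
<host><status state="up"/>
 <address addr="10.0.0.5" addrtype="ipv4"/>
 <hostnames><hostname name="www.example.org" type="PTR"/></hostnames>
 <ports>
  <port protocol="tcp" portid="80"><state state="open"/>
   <service name="http" product="Apache httpd" version="2.0.52"/></port>
  <port protocol="tcp" portid="443"><state state="open"/>
   <service name="http" product="Apache httpd" version="2.0.52" tunnel="ssl"/></port>
  <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
 </ports>
 <os><osmatch name="Linux 2.6.X" accuracy="95"/></os>
</host>
<host><status state="up"/>
 <address addr="10.0.0.9" addrtype="ipv4"/>
 <ports><port protocol="tcp" portid="8080"><state state="open"/>
  <service name="http" product="Microsoft IIS httpd" version="6.0"/></port></ports>
</host>
</nmaprun>"""

def web_inventory(xml_text):
    """Return {(ip, port): record} for every open HTTP(S) service in the scan."""
    inv = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        hn, osm = host.find("hostnames/hostname"), host.find("os/osmatch")
        for port in host.iter("port"):
            state, svc = port.find("state"), port.find("service")
            if state is None or state.get("state") != "open" or svc is None:
                continue
            name = svc.get("name", "")
            if not name.startswith("http"):  # keep only web services (http, https, http-proxy, ...)
                continue
            inv[(addr.get("addr"), int(port.get("portid")))] = {
                "host": hn.get("name") if hn is not None else addr.get("addr"),
                "scheme": "https" if svc.get("tunnel") == "ssl" or name == "https" else "http",
                "software": " ".join(v for v in (svc.get("product"), svc.get("version")) if v) or "unknown",
                "os": osm.get("name") if osm is not None else "unknown",
            }
    return inv

def diff_inventory(old, new):
    """Services that appeared, vanished, or changed software/OS between two snapshots."""
    keys_old, keys_new = set(old), set(new)
    return (sorted(keys_new - keys_old), sorted(keys_old - keys_new),
            sorted(k for k in keys_old & keys_new if old[k] != new[k]))
```

Running `web_inventory` on each periodic scan and storing the result gives the "current view" the slide asks for; `diff_inventory` on consecutive snapshots flags new web servers, disappeared ones and version changes for review.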

Page 23:

Active/Passive System Awareness Model

Page 24:

Test Deployment Schema
• IDS configured for web security: WEBIDS
• TWEBIDS: knows the web system infrastructure

Page 25:

Statistical Results
• Alerts collected over a one-month period
• TWEBIDS, which knows the system, has more specific alerts and fewer false alarms
• More statistics in the paper

                          WEBIDS    TWEBIDS
Total Number of Alerts    902,151    92,046
Source IP Address          79,419    17,010
Destination IP Address        106       106
Unique IP Links            87,062    10,657
Unique Alerts                 112        99

Page 26:

Vulnerability Analysis

Page 27:

Awareness Portal

A web portal for web server administrators and security professionals:
• Detailed reports about their web systems
• Summarized information about the vulnerabilities
• Recommended actions to solve the problems
• Track the changes on the systems
• Plan to expand this implementation to cover the critical web servers of the universities in the Turkish Academic Network ULAKNET

Page 28:

System Database Schema

Page 29:

5.2. Training

Workshops, meetings, live demos for web server administrators and web application developers.
Habits can't change easily; education is a must!

Documentation: Turkish documents and translations
http://websecurity.ege.edu.tr
http://csirt.ulakbim.gov.tr/dokumanlar

İTU-Ninova: Web Security e-learning content, http://ninova.itu.edu.tr

Page 30:

Page 31:

6. Conclusion

For enterprise web security, implement modules of the Web Security Model:
• Complexity versus protection
• Select the modules which suit your enterprise

Primary objectives for enterprise-wide web security should be:
• Web system awareness
• Training web server administrators and web programmers

Page 32:

Conclusion (contd.)
• Systems should be monitored for intrusion detection
• Web security firewall implementation, if possible

Future plans:
• Fully integrate this model
• Continue to increase web security awareness
• Continue to be involved in documentation and translation projects

Page 33:

Thanks for your interest .... Any questions?

Contact: [email protected], [email protected]

ULAK-CSIRT, http://csirt.ulakbim.gov.tr/eng