Page 1

© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Web Application Security - Cisco ACE Web App Firewall Introduction

Ong Poh Seng Technical Specialist

14th May 2008

Page 2

Agenda

Application Security Challenges

Introducing Cisco ACE Application Firewall

Deployment Use Cases

Summary / Q&A

Page 3

The Evolution of Intent: A Shift to Financial Gain

Threats are becoming increasingly difficult to detect and mitigate. Applications are the primary targets.

[Chart: threat severity plotted against time (1990, 1995, 2000, 2005, 2007 and "what's next?"). The labelled eras are Vandalism (basic intrusions and viruses), Notoriety (viruses and malware) and Financial (theft and damage).]

Page 4

Applications: the Weak Link to the Crown Jewels

• Customer Confidentiality

• Identity Theft

• Data Leakage

• Service Disruption

Applications Give Unprecedented Access to Critical Business Data

Page 5

The Effect of Application Attacks

Web Application Threats

• Cross-site scripting
• SQL injection
• Command injection
• Cookie and session poisoning
• Parameter and form tampering
• Buffer overflow
• Directory traversal and forceful browsing
• Cryptographic interception
• Cookie snooping
• Authentication hijacking
• Error-message interception
• Attack obfuscation
• Application platform exploits
• DMZ protocol exploits
• Security management attacks
• Day-zero attacks

Effects of application attacks

• Theft of customer data
• Access to unpublished pages
• Unauthorized application access
• Password theft
• Modification of data
• Disruption of service
• Website defacement
• Recovery and cleanup

Page 6

Traditional network firewalls are blind to web application attacks

[Diagram: a network firewall with ports 80 and 443 open passes unfiltered HTTP traffic from the web client to the web server, and on to the application and the database server.]

Page 7

75% of Attacks Focused Here

[Diagram of the application stack: the network firewall and IDS/IPS cover the network, operating systems, web servers, application servers and database servers. Above them sits business logic and code: custom web applications, customized packaged apps, internal and 3rd party code. This top layer is the focus of today's attacks, and there are no signatures or patches for it.]

No magic signatures or patches for your custom PHP script

Page 8

PCI-DSS 6.5 & 6.6

Two sections of Payment Card Industry Data Security Standard focus on web application security: 6.5 and 6.6

Section 6.6 mandates that you install a Web App Firewall by the end of June 2008 to protect your applications against the OWASP Top 10 attacks

Page 9

OWASP - 2007 Top Ten Attack List

Source: WhiteHat Security

OWASP = Open Web App Security Project

Page 10

Cross-Site Scripting (XSS) attacks

What is it? A malicious script is echoed back into the HTML returned from a trusted web site. The script executes locally on the client. Extremely widespread: some experts estimate 70%-80% of websites are vulnerable.

What are the implications?

• Web site defacement
• Session IDs stolen (cookies exported to the hacker's site)
• Browser security compromised, with control given to the hacker
• All data sent between client and server potentially hijacked
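The echo-back described on this slide, as an added example that is not part of the Cisco deck: a minimal search handler that reflects its `q` parameter into the page, beside the hardened form that HTML-escapes the value before it reaches the browser. The request line, the handler names and the `<script>alert(1)</script>` probe string are constructed for illustration.

```python
import html
from urllib.parse import parse_qs, urlparse

# Constructed sample request: a search page that echoes the query term back
# into its HTML. The q value is the URL-encoded form of the benign probe
# <script>alert(1)</script>, which is enough to show whether a page reflects.
SAMPLE_REQUEST = "GET /search?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1"


def query_param(request_line: str, name: str) -> str:
    """Return one query-string parameter (URL-decoded) from a raw request line."""
    target = request_line.split(" ")[1]
    params = parse_qs(urlparse(target).query, keep_blank_values=True)
    return params.get(name, [""])[0]


def render_vulnerable(term: str) -> str:
    """Reflected XSS sink: the term goes into the HTML body unmodified, so the
    browser parses any tags it contains and runs any script inside them."""
    return f"<p>Results for: {term}</p>"


def render_hardened(term: str) -> str:
    """Output encoding for an HTML text context: '<', '>', '&' and quotes become
    entities, so the browser displays the term as literal text."""
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def contains_script_tag(markup: str) -> bool:
    """Crude check: does the rendered page still carry a live <script> tag?"""
    return "<script" in markup.lower()


def demo() -> dict:
    """Run both renderers over the constructed request and report the outcome."""
    term = query_param(SAMPLE_REQUEST, "q")
    vulnerable = render_vulnerable(term)
    hardened = render_hardened(term)
    return {
        "term": term,
        "vulnerable_executes_script": contains_script_tag(vulnerable),
        "hardened_executes_script": contains_script_tag(hardened),
        "hardened_markup": hardened,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Encoding is context-specific: `html.escape` is right for an HTML text or attribute context, but the same term dropped into a JavaScript string or a URL needs that context's encoding instead. A WAF signature that catches `<script` on the way in is an additional layer in front of applications that cannot be fixed quickly, not a replacement for encoding at the sink.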

Page 11

The XSS attack process

Page 12

Why Not Just Fix the Code?

Every 1000 lines of code averages 15 critical security defects. (U.S. Department of Defense)

• Developers typically focus on new functions, not bugs.

• It is too expensive to fix the security bugs.

The average custom business application has 150,000 to 250,000 lines of code. (Software Magazine)

The average security defect takes 75 minutes to diagnose and 6 hours to fix. (5-year Pentagon Study)

Page 13

Cisco ACE Web Application Firewall

Page 14

SDN Solutions for Business Security

Cisco Self-Defending Network: Best of Breed Security in a Systems Approach

• Enforce business policies and protect critical assets

• Decrease IT administrative burden and reduce TCO

• Reduce security and compliance IT risk

System Management: Policy, Reputation, Identity

Page 15

Advanced Visibility and Control Application Security Enhancements

Cisco Self-Defending Network: Best of Breed Security in a Systems Approach

System Management: Policy, Reputation, Identity

Web Application Firewall

Page 16

Bullet-Proof Security for Your Custom Applications

• Offers an extensive set of Cisco validated signatures for known malicious attack patterns.
• Provides broad compliance for PCI DSS regulations.
• Understands Web applications to allow only legitimate traffic.
• Human assisted learning removes the guesswork from your security configuration.

Stop Application Hacking

• Dramatically reduce exposure to costly Web attacks.
• Deploy secure Web projects in a fraction of the time and cost.
• Simplify ongoing Web security management.

The Industry's First Integrated Web and XML Application Firewall

The Cisco ACE Web Application Firewall

Page 17

ACE Web Application Firewall in a nutshell

• Addresses PCI DSS 6.5 and 6.6 requirements – secure your customers from most OWASP Top 10 attacks

• Signature-based approach: deny all known bad, permit the good

• Factory-shipped default PCI profile for instant deployment

• Ability to switch applications in and out of protection at the flip of a switch thanks to monitor mode

• Builds on top of fully resilient hardware platform (dual PS and disk)

• Comprehensive security for XML and HTML applications

• Heavy focus on ease of use, audit trail and attack forensics

• Aggressive price/performance point (9000 TPS, 30K concurrent connections)
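The "deny all known bad" signature model and the monitor-mode switch from the bullets above, as an added example that is not Cisco's code or the ACE signature set: a toy inspection profile with three constructed signatures for threat classes the deck lists (cross-site scripting, SQL injection, directory traversal) that can be flipped between monitor mode, which only records events, and blocking. The `WafProfile` class, the signatures, the request lines and the event format are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple
from urllib.parse import unquote

# Constructed signatures, one per threat class named on the slides. A real
# signature set is far larger and tuned; these only show the mechanism.
SIGNATURES = {
    "xss": re.compile(r"<\s*script\b|javascript\s*:", re.IGNORECASE),
    "sqli": re.compile(r"'\s*(or|and)\s+\d+\s*=\s*\d+|\bunion\s+select\b", re.IGNORECASE),
    "traversal": re.compile(r"\.\./"),
}


@dataclass
class Verdict:
    request: str
    matched: List[str]
    action: str  # "allow", "log" (monitor mode) or "block"


@dataclass
class WafProfile:
    """One protection profile, such as the per-site profile a WAF picks by Host header."""
    name: str
    monitor_mode: bool = True  # start in monitor mode: record, never block
    events: List[Tuple[str, str, str]] = field(default_factory=list)  # audit trail

    def inspect(self, request_line: str) -> Verdict:
        # Match the URL-decoded form as well, so %3Cscript%3E and similar
        # encodings (the deck's "attack obfuscation") are not missed.
        decoded = unquote(request_line)
        hits = [name for name, pattern in SIGNATURES.items()
                if pattern.search(request_line) or pattern.search(decoded)]
        if not hits:
            action = "allow"
        elif self.monitor_mode:
            action = "log"
        else:
            action = "block"
        if hits:
            self.events.append((self.name, action, request_line))
        return Verdict(request_line, hits, action)


# Constructed sample traffic for www.site.com: one clean request and one
# request per signature class.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /search?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1",
    "GET /login?user=admin'%20or%201=1-- HTTP/1.1",
    "GET /download?file=../../app.config HTTP/1.1",
]


def run(profile: WafProfile, requests: List[str]) -> List[Verdict]:
    """Inspect each request line under the profile's current mode."""
    return [profile.inspect(line) for line in requests]


if __name__ == "__main__":
    profile = WafProfile("www.site.com")
    for verdict in run(profile, SAMPLE_REQUESTS):
        print("monitor:", verdict.action, verdict.matched, verdict.request)
    profile.monitor_mode = False  # flip the switch once the event log looks clean
    for verdict in run(profile, SAMPLE_REQUESTS):
        print("enforce:", verdict.action, verdict.matched, verdict.request)
```

The point of the two-pass run is the workflow the deck sells: every hit is written to the audit trail in both modes, so an operator can review what monitor mode would have blocked (and catch false positives) before any traffic is actually dropped.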

Page 18

Network Deployment Examples

Page 19

Network Deployment Notes

The Cisco ACE WAF is a full reverse proxy

This means that you would typically modify your DNS entry for www.site.com to point clients to the IP of the WAF for www.site.com (or better yet, to a virtual IP on your load balancer).

The WAF relies on the network for HA/resiliency

Therefore, a load balancer front-ending the WAF is a really good idea and serves two purposes: scaling the WAF is easy, as you can "hide" many WAFs behind a VIP on the load balancer, and resiliency comes naturally with the load balancer.

Be aware that the WAF does not handle traffic other than HTTP (HTML + XML). If it receives telnet, ssh, ftp, etc., it will drop that traffic. That makes the role of the load balancer even more important: it must selectively send traffic to the WAF.

Page 20

Typical Network Deployment

[Diagram: Internet → VIP on the ACE → WAF_1 / WAF_2 → internal VIP → www1 … www4]

• Clients resolve www.site.com to a VIP residing on the ACE.
• The ACE picks a WAF and sticks the session to it.
• The WAF chooses a policy based on the Host header.
• When done with the inspection, the WAF sends the packet out to an internal VIP.
• That internal VIP represents the actual www servers; the ACE performs the LB decision and sticks the WAF session to one real server.
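The request path on this slide, together with the note on the previous slide that the WAF drops non-HTTP traffic, as an added model that is not Cisco's configuration: a small simulation of the two ACE decisions (only ports 80 and 443 are handed to a WAF, a sticky choice of WAF, then a sticky choice of real server behind the internal VIP) and of the WAF choosing its policy from the Host header. The names WAF_1, WAF_2 and www1..www4 come from the slide; the policy names, the port-based selection rule, the hash-based stickiness and the handling of a Host header with no policy (rejected here) are assumptions made for the example.

```python
import hashlib
from typing import Dict, List, Optional

# Constructed topology, using the names on the slide.
WAFS = ["WAF_1", "WAF_2"]
REAL_SERVERS = ["www1", "www2", "www3", "www4"]
# Assumed per-site WAF policies, keyed on the Host header value.
POLICIES: Dict[str, str] = {
    "www.site.com": "pci-default-profile",
    "xml.site.com": "xml-firewall-profile",
}


def sticky_pick(key: str, pool: List[str]) -> str:
    """Deterministic stickiness: the same key always maps to the same member.
    A hash stand-in for the ACE sticky table (assumption for this example)."""
    digest = hashlib.sha256(key.encode("utf-8")).digest()
    return pool[int.from_bytes(digest[:4], "big") % len(pool)]


def external_vip(client_ip: str, dst_port: int) -> Optional[str]:
    """ACE decision on the public VIP. The WAF drops anything that is not HTTP,
    so only ports 80 and 443 are handed to a WAF; everything else is not."""
    if dst_port not in (80, 443):
        return None
    return sticky_pick(client_ip, WAFS)


def waf_policy(host_header: str) -> Optional[str]:
    """The WAF chooses its policy from the Host header (any :port suffix ignored)."""
    return POLICIES.get(host_header.split(":")[0].strip().lower())


def route(client_ip: str, dst_port: int, host_header: str) -> dict:
    """Walk one request through external VIP -> WAF -> internal VIP -> real server."""
    waf = external_vip(client_ip, dst_port)
    if waf is None:
        return {"stage": "external-vip", "outcome": "not-http-not-forwarded"}
    policy = waf_policy(host_header)
    if policy is None:
        # Assumption: a Host header that matches no policy is rejected by the WAF.
        return {"stage": "waf", "waf": waf, "outcome": "no-policy-for-host"}
    # Internal VIP: the ACE sticks this WAF's session to one real server.
    server = sticky_pick(f"{waf}|{host_header}", REAL_SERVERS)
    return {"stage": "internal-vip", "waf": waf, "policy": policy,
            "server": server, "outcome": "forwarded"}


if __name__ == "__main__":
    # Constructed client address from the documentation range.
    print(route("198.51.100.7", 443, "www.site.com"))
    print(route("198.51.100.7", 22, "www.site.com"))
    print(route("198.51.100.7", 80, "unknown.example"))
```

The three calls at the bottom cover the normal path, the non-HTTP case the previous slide warns about, and a request whose Host header has no policy; the last of these is the one to test during a rollout, because the WAF's behaviour for an unmatched Host decides whether a misconfigured DNS entry fails open or closed.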

Page 21

Cisco ACE Web Application Firewall Deployment

[Diagram: a web client on the Internet passes through the network firewall into the DMZ, which holds the portal, a Cisco ACE Application Switch, two Cisco ACE Web Application Firewalls and the Cisco ACE Web Application Manager; a second Cisco ACE Application Switch fronts the data center, which holds web-enabled applications, applications and identity management systems.]

Page 22

Cisco ACE XML Firewall Deployment

[Diagram: external XML web services consumers on the Internet pass through the network firewall into the DMZ, which holds the portal, an ACE and two ACE XML Gateways managed by the ACE XML Manager; the data center holds XML web services aware applications and identity management systems.]

Key Use Cases: Perimeter Security, XML Acceleration and Offload, Web 2.0, Web Service Integration

Page 23

Cisco ACE Web Application Firewall Summary

Full-featured Web application firewall with integrated XML firewall
Extend protection for traditional HTML-based Web applications to modern XML-enabled Web services applications.

Access enforcement
Secure applications from unauthorized access with an AAA enforcement mechanism.

Positive and Negative security enforcement
Enjoy the best of both worlds by keeping bad traffic patterns out and allowing only good traffic through.

Human assisted learning
Deploy policies and profiles in monitoring mode to prevent application downtime due to false positives typical in an automated learning environment.

Policy-based provisioning
Achieve increased developer productivity and ease of deployment with sophisticated GUI, rollback, and versioning capabilities.

Defense-in-Depth Should Include a Web Application Firewall that Can Quickly, Effectively, and Cost-Effectively Block Attacks at Layers 5–7.
