Web Application Security with the Application Security Manager (ASM)
Piotr Oleszkiewicz, Zbigniew Skurczynski (firstname.lastname@example.org)
Speaker notes: We recognize that the biggest challenge for any security device is a deployment free of false positives. When we designed ASM this was a guiding principle. Several factors make deployment easy and smooth:
- ASM can be deployed gradually: start with a simple, low-granularity policy that provides high value from day one, then move to advanced, more granular policies that provide a higher level of protection.
- ASM can be loaded with a pre-configured security policy, which can then be customized with further application knowledge.
- ASM can run in transparent mode, logging what would have happened if the policy had been applied. It can also run in semi-transparent mode, where some violation categories are in blocking mode and some are not (for example, it is very easy to turn on blocking for categories such as non-RFC requests, illegal HTTP response codes, which occur when an application throws an error, and illegal file types).
Agenda
- Web Security: What are the problems?
- Vulnerabilities and protection strategies
- Web security with a Web Application Firewall (WAF)
- Security Policy Setups
- About us
Application Security: Trends and Drivers
- Webification of applications
- Intelligent browsers and applications
- Public awareness of data security
- Increasing regulatory requirements
- The next attackable frontier
- Targeted attacks
Speaker notes: Let's start with trends. We see that many applications today use HTTP as a way to exchange information; these can be legacy client-server applications in which the client is replaced with a web front end, or new applications that want to take advantage of the new platforms and browsers, which offer a fast way to develop, a good user experience and accessibility from many devices. On the other hand, as more data is exposed, the public who uses those web applications is becoming more suspicious of the security aspect of this accessibility. That leads governments and other organizations to enforce standards in which security plays a key role: HIPAA, PCI, SOX. The TCP stack and the 100% deployment of network firewalls caused the hacker community to move up the OSI model to layer 7; hackers today attack the web application itself. We see a new trend: targeted attacks. The revolution that passed over the .com industry is happening today on the security market. If in the past a successful attack was to create a worm that infected millions of web servers in a few hours, or to deface yahoo.com, today a successful attack is done under the surface, where no one can track it or be alerted, and there is money behind it. Crime organizations are hiring the best hackers.
The weakest link
[Diagram labels: DATA; Host IDS & Secure OS; Network IDS/IPS; Firewall; Antivirus; Applications; System; Network Access; Computer]
"64% of the 10 million security incidents tracked targeted port 80."
(Information Week magazine)
Why Are Web Applications Vulnerable?
- Security officers are not involved in software development, while developers are not security conscious
- New code is written to best-practice methodology, but not tested properly
- New types of attack are not protected by the current methodology
- New code is written in a hurry due to business pressures
- Code is written by third parties: badly documented, poorly tested, third party not available
- Flaws in third-party infrastructure elements
- Session-less web applications written with a client-server mentality
Most web applications are vulnerable!
- "70% of websites at immediate risk of being hacked!" - Acunetix, Jan 2007, http://www.acunetix.com/news/security-audit-results.htm
- "8 out of 10 websites vulnerable to attack" - WhiteHat security report, Nov 2006, https://whitehatsec.market2lead.com/go/whitehatsec/webappstats1106
- "75 percent of hacks happen at the application." - Gartner, Security at the Application Level
- "64 percent of developers are not confident in their ability to write secure applications." - Microsoft Developer Research
- "The battle between hackers and security professionals has moved from the network layer to the Web applications themselves." - Network World
www.owasp.org Top Ten Project
- A1 Cross Site Scripting (XSS): XSS flaws occur whenever an application takes user-supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser, which can hijack user sessions, deface web sites, etc.
- A2 Injection Flaws: Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.
- A3 Insecure Remote File Include: Code vulnerable to remote file inclusion allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise.
- A4 Insecure Direct Object Reference: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.
- A5 Cross Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker.
- A6 Information Leakage and Improper Error Handling: Applications can unintentionally leak information about their configuration or internal workings, or violate privacy, through a variety of application problems. Attackers use this weakness to violate privacy or conduct further attacks.
- A7 Broken Authentication and Session Management: Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users' identities.
- A8 Insecure Cryptographic Storage: Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud.
- A9 Insecure Communications: Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.
- A10 Failure to Restrict URL Access: Frequently, the only protection for sensitive areas of an application is that links or URLs are not presented to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations.

Problems are growing
Yesterday:
- Tens of working hours of the best security specialists
- Preparing a successful attack on the web application was very expensive, but it could still bring profit if the target was interesting enough
Today:
- Automatic and semi-automatic tools that are user friendly
- Fuzzers (more than 20 open source tools alone)
- Newest trend: evolutionary programming
Bottom line: the cost of preparing a successful attack has fallen dramatically!!

Most web applications are vulnerable!
Practical demonstration:
- Weak application logic
- A web browser is the only tool we need

Not enough time!
The time from finding a vulnerability to launching an attack is falling.
Are your applications prepared for ZERO-DAY attacks?
Web Application Security
[Diagram: perimeter security is strong, but port 443 is open to web traffic, so attacks now look to exploit application vulnerabilities. Labels: Buffer Overflow; Cross-Site Scripting; SQL/OS Injection; Cookie Poisoning; Hidden-Field Manipulation; Parameter Tampering; Infrastructural Intelligence; Non-compliant Information; High Information Density = High Value Attack; Forced Access to Information]

Going back: the castle
[Diagram label: Non-compliant Information]
Web Application Security with ASM
[Diagram: ASM sits between the browser and the application; it allows legitimate requests and stops bad requests/responses. Labels: Unauthorised Access; Infrastructural Intelligence; Browser]
Traditional Security Devices vs. Web Application Firewall (ASM)
[Table: rows are attack categories, columns are ASM, Network Firewall and IPS; the cell alignment did not survive extraction, so the raw cell marks are listed after the rows.]
Rows: Known Web Worms; Unknown Web Worms; Known Web Vulnerabilities; Unknown Web Vulnerabilities; Illegal Access to Web-server files; Forceful Browsing; File/Directory Enumerations; Buffer Overflow; Cross-Site Scripting; SQL/OS Injection; Cookie Poisoning; Hidden-Field Manipulation; Parameter Tampering
Cell marks as extracted: ASM: X X X X X X X X; Network Firewall: Limited Limited Limited Limited Limited; IPS: X X X X Limited Partial X Limited Limited Limited Limited Limited
Speaker notes: These are the names of the attacks people generally refer to when they talk about application security. Note that it's all just jargon; everyone has the same list and will claim that they can prevent it all. The real question is: HOW do they prevent it, and can they really prevent these things from happening in real life, in the ways that your applications are vulnerable to? Let me give you a small example.
Security Policy in ASM
[Diagram: Security Policy Enforcement; Content Scrubbing; Application Cloaking; Definition of Good and Bad Behaviour]

Security Policy in ASM
- Can be generated automatically or manually
- Highly granular on configuration and blocking
- Easy to understand and manage
- Bi-directional:
  - Inbound: protection from generalised & targeted attacks
  - Outbound: content scrubbing & application cloaking
- Application content & context aware
[Diagram: Security Policy Enforcement; Content Scrubbing; Application Cloaking]
Positive Security - Example
Actions not known to be legal can now be blocked:
- Wrong page order
- Invalid parameter
- Invalid value
- etc.
Negative vs. Positive Security
Speaker notes: Why is an application firewall able to block a broader range of attacks and do it proactively? The answer lies in the positive security model. The reason traditional network security models fail to adequately secure application traffic is their reliance on signatures. Using a bouncer as an example, this is equivalent to giving him directions to block people who exhibit attributes matching known bad behaviour: backwards baseball caps, gang colours, guns, etc. The problem with this approach is that the list must constantly evolve to account for all of the known bad in the world; every time a new attack or bad behaviour is discovered, the list must be extended. This approach is always reactionary and always follows the discovery of attacks.
The alternative approach is to equip the same bouncer with a guest list: only those people on the guest list are let in. This is positive security. Positive security learns the application itself and establishes a policy of known-good behaviour; only those things marked as good behaviour are allowed in. This list is much shorter and does not need to grow unless the application changes, which prevents zero-day attacks from making it through your defences.
In addition to utilizing positive security, TrafficShield is also stateful. This means that if someone attempts to enter the application by changing their id, the application will recognize this change and block access. Once authentication has taken place, the positive security model ensures that no user is able to change their user credentials.

Protection for Dynamic Values or Hidden Field Manipulation
Selective Application Flow Enforcement
[Diagram: two requests flagged VIOLATION. Should this be a violation? The user may have bookmarked the page! Unnecessarily enforcing flow can lead to false positives. This part of the site is a financial transaction that requires authentication; here we should enforce strict flow and parameter validation. Form fields: Username; Password; From Acc.; To Acc.; Transfer $ Amount. Result: ALLOWED]

Flexible Policy Granularity
Generic Policies (policy per object type):
- Low number of policies
- Quick to implement
- Requires little change management
- Can't take application flow into account
Specific Policies (policy per object):
- High number of policies
- More time to implement
- Requires a change management policy
- Can enforce application flow
- Tightest possible security
- Protects dynamic values
The optimum policy is often a hybrid.

Flexible Deployment Options
[Diagram: the security posture ranges from the typical standard starting point to a tighter security posture as the policy covers Object Types, Object Names, Parameter Names, Parameter Values and Object Flows. Policy-building tools: Trusted IP Learning; Live Traffic Learning; Crawler; Negative RegEx; Template. Output: policy tightening suggestions]
Speaker notes: TrafficShield offers flexible deployment options to provide the security posture demanded by your business requirements. Our standard implementation can be done in as little as one day, providing protection from the most common application attacks and locking down particular objects or directories which are at risk.
TrafficShield's learning mechanism leverages a suite of tools to provide suggestions for a tighter security policy, allowing customers to increase their security posture only when they are confident that the policy is accurate enough to support it.
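As an added illustration of the positive security model, the selective flow enforcement and the generic-versus-specific policy granularity described in the preceding slides (example code written for this page, not F5's ASM or TrafficShield code): a toy allow-list enforcer that checks object types, parameter names and values, and enforces page flow only for the money-transfer object. The policy, URLs and signatures are constructed assumptions, and a signature check is shown alongside only to contrast the two models.

```python
# Added example, not F5/ASM code: a toy positive-security enforcer in the spirit
# of the slides. The policy is an allow-list of object types, object names,
# parameter names/values and (selectively) object flows; anything not known-good
# is a violation. A signature (negative) check is shown alongside for contrast.
import re
from urllib.parse import urlsplit, parse_qs

# Constructed policy for a hypothetical banking app: a generic per-type rule for
# most objects, specific rules only for the money-transfer page, which is the
# one object that also enforces application flow (see the flow-enforcement slide).
POLICY = {
    "object_types": {"html", "jsp", "gif", "css"},
    "objects": {
        "/account.jsp": {"params": {"acct": r"\d{8}"}, "enforce_flow": False},
        "/transfer.jsp": {
            "params": {"from_acc": r"\d{8}", "to_acc": r"\d{8}",
                       "amount": r"\d{1,7}(\.\d{2})?"},
            "enforce_flow": True,  # financial transaction: strict flow
            "allowed_referers": {"/login.jsp", "/account.jsp"},
        },
    },
}
# Constructed, deliberately small signature list for the negative model.
SIGNATURES = [re.compile(p, re.I) for p in (r"<script", r"union\s+select")]

def negative_check(url):
    """Negative model: block only what matches a known-bad signature."""
    return "BLOCK" if any(s.search(url) for s in SIGNATURES) else "ALLOW"

def positive_check(url, referer=None, policy=POLICY):
    """Positive model: return the list of violations; an empty list means allowed."""
    parts = urlsplit(url)
    path, violations = parts.path, []
    ext = path.rsplit(".", 1)[-1] if "." in path else ""
    if ext not in policy["object_types"]:
        violations.append(f"illegal file type '{ext}'")
    obj = policy["objects"].get(path)
    if obj is None:             # only the generic per-type policy applies here
        return violations
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        pattern = obj["params"].get(name)
        if pattern is None:
            violations.append(f"illegal parameter '{name}'")
        elif not all(re.fullmatch(pattern, v) for v in values):
            violations.append(f"illegal value for '{name}'")
    if obj["enforce_flow"] and (referer or "") not in obj["allowed_referers"]:
        violations.append("illegal flow: entry point not allowed")
    return violations
```

The bookmarked account page passes without a referer, while the transfer page requires one; an unknown parameter on the transfer page is a violation under the positive model even though no signature matches it.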
F5 is the Global Leader in Application Delivery Networking
[Diagram: applications (Oracle, Siebel, SAP) reached by users at home, in the office and on the road. Business goal: achieve these objectives in the most operationally efficient manner]
Speaker notes: A basic network does not exist for its own sake. The network exists solely to support the applications running on top of it. We as a network company: what can we do to make those apps run better, meaning faster, secure and available? Because everything comes down to 3 issues: xxx. I think nobody will dispute that ????
Looking at any of these topics, issues or problems in isolation is failing, because what if I xxx
This is our unique value proposition: performance, functionality, unique integration.
The F5 Solution
[Diagram: F5's comprehensive single solution. Clients (Mobile Phone, PDA, Laptop, Desktop, Co-location) reach applications (CRM, Database, Siebel, BEA, Legacy, .NET, SAP, PeopleSoft, IBM, ERP, SFA, Custom) across the TMOS Application Delivery Network]
Speaker notes: Message: if you do not address this issue effectively with the big picture in mind, you are setting yourself up for failure down the road. You've got this incredible demand for applications: not only more applications but more ways to reach them. In trying to satisfy these demands, enterprises are taking short-sighted approaches. As a result, networks are becoming increasingly complex and the problem is just getting worse.

TMOS: The F5 Products & Modules
- BIG-IP Link Controller
- International Data Center
- BIG-IP Global Traffic Manager
- iControl & iRules
- HTTP/HTML, SIP, RTP, SRTP, RTCP, SMTP, FTP, SFTP, ...