Page 1: Web Application Security with the Application Security Manager (ASM)


Web Application Security with the Application Security Manager (ASM)

Piotr Oleszkiewicz

Zbigniew Skurczynski
[email protected]

Page 2: Web Application Security with the Application Security Manager (ASM)


Agenda

• Web Security – What are the problems?
• Vulnerabilities and protection strategies
• Web security with a Web Application Firewall (WAF)
• Security Policy Setups
• About us

Page 3: Web Application Security with the Application Security Manager (ASM)


Application Security: Trends and Drivers

• “Webification” of applications
• Intelligent browsers and applications
• Public awareness of data security
• Increasing regulatory requirements
• The next attackable frontier
• Targeted attacks

Page 4: Web Application Security with the Application Security Manager (ASM)


The weakest link

“64% of the 10 million security incidents tracked targeted port 80.”

(Information Week magazine)

Page 5: Web Application Security with the Application Security Manager (ASM)


Why Are Web Applications Vulnerable?

• Security officers not involved in software development, while developers are not security conscious
• New code written to best-practice methodology, but not tested properly
• New type of attack not protected by current methodology
• New code written in a hurry due to business pressures
• Code written by third parties; badly documented, poorly tested – third party not available
• Flaws in third party infrastructure elements
• Session-less web applications written with client-server mentality

Page 6: Web Application Security with the Application Security Manager (ASM)


Most web applications are vulnerable!

“70% of websites at immediate risk of being hacked!” - Acunetix – Jan 2007 http://www.acunetix.com/news/security-audit-results.htm

“8 out of 10 websites vulnerable to attack” - WhiteHat “security report – Nov 2006” https://whitehatsec.market2lead.com/go/whitehatsec/webappstats1106

“75 percent of hacks happen at the application.” - Gartner “Security at the Application Level”

“64 percent of developers are not confident in their ability to write secure applications.” - Microsoft Developer Research

“The battle between hackers and security professionals has moved from the network layer to the Web applications themselves.” - Network World

Page 7: Web Application Security with the Application Security Manager (ASM)


www.owasp.org Top Ten Project

A1 – Cross Site Scripting (XSS)

XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim’s browser which can hijack user sessions, deface web sites, etc.

A2 – Injection Flaws Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker’s hostile data tricks the interpreter into executing unintended commands or changing data.

A3 – Insecure Remote File Include

Code vulnerable to remote file inclusion allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise.

A4 – Insecure Direct Object Reference

A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.

A5 – Cross Site Request Forgery (CSRF)

A CSRF attack forces a logged-on victim’s browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim’s browser to perform a hostile action to the benefit of the attacker.

A6 – Information Leakage and Improper Error Handling

Applications can unintentionally leak information about their configuration, internal workings, or violate privacy through a variety of application problems. Attackers use this weakness to violate privacy, or conduct further attacks.

A7 – Broken Authentication and Session Management

Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users’ identities.

A8 – Insecure Cryptographic Storage

Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud.

A9 – Insecure Communications

Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.

A10 – Failure to Restrict URL Access

Frequently, the only protection for sensitive areas of an application is that links or URLs are not presented to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations.

Page 8: Web Application Security with the Application Security Manager (ASM)


Problems are growing

Yesterday:

• Tens of working hours of the best security specialists

• Preparing a successful attack on the web application was very expensive, but it still could bring profit if the target was interesting enough

Today:

• Automatic and semiautomatic tools that are user friendly

• Fuzzers (more than 20 Open Source tools alone)

• Newest trend: evolutionary programming

• Bottom line – The cost of preparing a successful attack has fallen dramatically!!

Page 9: Web Application Security with the Application Security Manager (ASM)


Most web applications are vulnerable!

Practical demonstration:

- Google

- Weak application logic

- web browser is the only tool we need

Page 10: Web Application Security with the Application Security Manager (ASM)


Not enough time!

The time from finding the vulnerability to launching an attack is falling.

Are your applications prepared for ZERO-DAY attacks?

Page 11: Web Application Security with the Application Security Manager (ASM)

Web Application Security

(Diagram) Perimeter security is strong, but is open to web traffic on PORT 80 and PORT 443. Attacks now look to exploit application vulnerabilities: Buffer Overflow, Cross-Site Scripting, SQL/OS Injection, Cookie Poisoning, Hidden-Field Manipulation, Parameter Tampering.

Consequences shown: Infrastructural Intelligence, Non-compliant Information, Forced Access to Information. High Information Density = High Value Attack.

Page 12: Web Application Security with the Application Security Manager (ASM)

Web Application Security with ASM

(Diagram) ASM sits between the Browser and the application: it allows legitimate requests and stops bad requests/responses, blocking Unauthorised Access, Infrastructural Intelligence and Non-compliant Information.

Page 13: Web Application Security with the Application Security Manager (ASM)

Traditional Security Devices vs. Web Application Firewall (ASM)

(Table) Threats compared: Known Web Worms, Unknown Web Worms, Known Web Vulnerabilities, Unknown Web Vulnerabilities, Illegal Access to Web-server files, Forceful Browsing, File/Directory Enumerations, Buffer Overflow, Cross-Site Scripting, SQL/OS Injection, Cookie Poisoning, Hidden-Field Manipulation, Parameter Tampering. Columns: ASM, Network Firewall, IPS; cells are marked X (covered), Limited or Partial. The cell-by-cell assignment did not survive extraction.

Page 14: Web Application Security with the Application Security Manager (ASM)

Security Policy in ASM

(Diagram) Browser → Security Policy Enforcement → application. Labels: Definition of Good and Bad Behaviour; Content Scrubbing; Application Cloaking.

Page 15: Web Application Security with the Application Security Manager (ASM)

Security Policy in ASM

• Can be generated automatically or manually
• Highly granular on configuration and blocking
• Easy to understand and manage
• Bi-directional:
  – Inbound: protection from generalised & targeted attacks
  – Outbound: content scrubbing & application cloaking
• Application content & context aware

(Diagram as on the previous slide: Browser → Security Policy Enforcement; Content Scrubbing, Application Cloaking.)

Page 16: Web Application Security with the Application Security Manager (ASM)


Positive Security - Example

Page 17: Web Application Security with the Application Security Manager (ASM)

Positive Security - Example

Actions not known to be legal can now be blocked:
- Wrong page order
- Invalid parameter
- Invalid value
- etc.

(Diagram: a request carrying a <script> value is blocked.)

Page 18: Web Application Security with the Application Security Manager (ASM)


Negative vs. Positive Security

Page 19: Web Application Security with the Application Security Manager (ASM)


Protection for Dynamic Values or Hidden Field Manipulation

Page 20: Web Application Security with the Application Security Manager (ASM)

Selective Application Flow Enforcement

(Diagram) Two parts of the same site. In the first, a request is flagged VIOLATION with a question mark:
• Should this be a violation?
• The user may have bookmarked the page!
• Unnecessarily enforcing flow can lead to false positives.

The second part of the site is a financial transaction that requires authentication; we should enforce strict flow and parameter validation. (Form fields shown: Username, Password, From Acc., To Acc., $ Amount, Transfer; the valid sequence is marked ALLOWED.)

Page 21: Web Application Security with the Application Security Manager (ASM)

Flexible Policy Granularity

Generic Policies - Policy per object type
– Low number of policies
– Quick to implement
– Requires little change management
– Can’t take application flow into account

Specific Policies – Policy per object
– High number of policies
– More time to implement
– Requires change management policy
– Can enforce application flow
– Tightest possible security
– Protects dynamic values

Optimum policy is often a hybrid

Page 22: Web Application Security with the Application Security Manager (ASM)

Flexible Deployment Options

(Diagram) Policy granularity levels, from the typical ‘standard’ starting point to a tighter security posture: OBJECT TYPES → OBJECT NAMES → PARAMETER NAMES → PARAMETER VALUES → OBJECT FLOWS, driven by POLICY TIGHTENING SUGGESTIONS.

Policy-Building Tools
• “Trusted IP” Learning
• Live Traffic Learning
• Crawler
• Negative RegEx
• Template
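As an added illustration (not F5 ASM code and not from the slides), the Python sketch below shows how the granularity levels on the last few slides combine in a positive security model: a generic per-object-type rule, a specific per-object rule with allowed parameter names and value patterns, dynamic (hidden-field) value protection, and flow enforcement applied only to the transaction page so that bookmarkable pages do not raise false positives. The object names, parameter patterns and the use of the referring page path as the flow signal are constructed assumptions.

```python
# Added example, not F5 ASM code: a toy positive-security policy combining the
# granularity levels from the slides (object types, object names, parameter
# names, parameter values, object flows). All names, patterns and the use of
# the referring page path as the flow signal are constructed assumptions.
import re
from posixpath import splitext
from urllib.parse import parse_qsl, urlsplit

# Generic policy (per object type): only these extensions may be requested.
ALLOWED_TYPES = {"html", "php", "css"}

# Specific policy (per object): the parameters an object may carry, the value
# pattern each must match, which values are server-issued (dynamic / hidden
# field) and which pages the object may be reached from (flow enforcement).
# Only the transaction page gets flow enforcement; bookmarkable pages do not.
SPECIFIC = {
    "/transfer.php": {
        "params": {"from_acc": r"\d{8}", "to_acc": r"\d{8}",
                   "amount": r"\d{1,7}(\.\d{2})?"},
        "dynamic": {"from_acc"},
        "must_follow": {"/login.php"},
    },
}

def check_request(url, referer_path=None, issued=None):
    """Return the list of policy violations; an empty list means allowed.

    issued: hidden-field values the server put into the page it served, so a
    client-side change to them can be detected (hidden-field manipulation).
    """
    parts = urlsplit(url)
    path, params = parts.path, dict(parse_qsl(parts.query))
    violations = []
    if splitext(path)[1].lstrip(".") not in ALLOWED_TYPES:
        violations.append("illegal object type")
    spec = SPECIFIC.get(path)
    if spec is None:
        return violations            # only the generic policy applies here
    for name, value in params.items():
        pattern = spec["params"].get(name)
        if pattern is None:
            violations.append(f"illegal parameter {name}")
        elif not re.fullmatch(pattern, value):
            violations.append(f"illegal value for {name}")
    for name in spec["dynamic"]:
        if issued is not None and params.get(name) != issued.get(name):
            violations.append(f"dynamic value tampering on {name}")
    if referer_path not in spec["must_follow"]:
        violations.append("illegal flow")
    return violations
```

A real WAF tracks flow and issued values per session on the device rather than trusting a client-supplied header; the referer argument here only stands in for that state.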

Page 23: Web Application Security with the Application Security Manager (ASM)

F5 is the Global Leader in Application Delivery Networking

(Diagram) Users (At Home, In the Office, On the Road) → Application Delivery Network → Data Centre (Oracle, Siebel, SAP).

Business goal: Achieve these objectives in the most operationally efficient manner

Page 24: Web Application Security with the Application Security Manager (ASM)

The F5 Solution

(Diagram) F5’s Comprehensive Single Solution: Users (Mobile Phone, PDA, Laptop, Desktop, Co-location) → TMOS Application Delivery Network → Applications (CRM, Database, Siebel, BEA, Legacy, .NET, SAP, PeopleSoft, IBM, ERP, SFA, Custom).

Page 25: Web Application Security with the Application Security Manager (ASM)

The F5 Products & Modules

(Diagram) On TMOS: WANJet, FirePass, BIG-IP Local Traffic Manager, BIG-IP Application Security Manager, BIG-IP Link Controller, BIG-IP Global Traffic Manager, BIG-IP WebAccelerator, Enterprise Manager; International Data Center.

iControl & iRules: HTTP/HTML, SIP, RTP, SRTP, RTCP, SMTP, FTP, SFTP, RTSP, SQL, CIFS, MAPI, IIOP, SOAP, XML etc…

Application vendors shown: Microsoft, SAP, Oracle, IBM, BEA

Page 26: Web Application Security with the Application Security Manager (ASM)

Unique TMOS Architecture

(Diagram) TMOS Traffic Plug-ins between the Client Side and the Server Side: TCP Express, SSL, Compression, Caching, OneConnect, XML, Rate Shaping, ASM/TrafficShield, WebAccel, 3rd Party, on top of a TCP Proxy and a High-Performance Networking Microkernel running on High Performance HW; iRules and the iControl API.

• TMOS Traffic Plug-ins
• High-Performance Networking Microkernel
• Powerful Application Protocol Support
• iControl – External Monitoring and Control
• iRules – Network Programming Language

Page 27: Web Application Security with the Application Security Manager (ASM)

BIG-IP Software Add-On Modules
Quickly Adapt to Changing Application & Business Challenges

• Compression Module – Increase performance
• Fast Cache Module – Offload servers
• Rate Shaping Module – Reserve bandwidth

Page 28: Web Application Security with the Application Security Manager (ASM)

BIG-IP Security Add-On Modules

• Application Security Module – Protect applications and data
• SSL Acceleration – Protect data over the Internet
• Advanced Client Authentication Module – Protect against unauthorised access

Page 29: Web Application Security with the Application Security Manager (ASM)

ASM Platform Availability

Standalone ASM on TMOS
– 4100

Available as a module with BIG-IP LTM
– 6400/6800
– 8400/8800

Page 30: Web Application Security with the Application Security Manager (ASM)

Magic Quadrant for Application Delivery Products, 2007

Source: Gartner, January 2007

F5 Strengths

• Offers the most feature-rich AP ADC, combined with excellent performance and programmability via iRules and a broad product line.

• Strong focus on applications, including long-term relationships with major application vendors, including Microsoft, Oracle and SAP.

• Strong balance sheet and cohesive management team with a solid track record for delivering the right products at the right time.

• Strong underlying platform allows easy extensibility to add features.

• Support of an increasingly loyal and large group of active developers tuning their applications environments specifically with F5 infrastructure.

Analyst Leadership Position (chart: Ability to Execute vs. Completeness of Vision; quadrants Challengers, Leaders, Niche Players, Visionaries). Vendors plotted: F5 Networks, Citrix Systems, Akamai Technologies, Radware, Crescendo, Coyote Point, Zeus, Cisco Systems, Foundry Networks, Nortel Networks, Juniper, NetContinuum, Array Networks.

Page 31: Web Application Security with the Application Security Manager (ASM)

F5 Customers in EMEA (1 of 2)

(Customer logos grouped by sector: Banking, Financial; Telco, Service Providers, Mobile; Insurance, Investments.)

Page 32: Web Application Security with the Application Security Manager (ASM)

F5 Customers in EMEA (2 of 2)

(Customer logos grouped by sector: Government, Other; Health, Consumer; Manufacturing, Energy; Transport, Travel; Media, Technology, Online.)

Page 33: Web Application Security with the Application Security Manager (ASM)

Summary

• Protecting web applications is a challenge within many organizations, but attacks against web applications are the hackers’ favorites

• ASM provides easy and very granular configuration options to protect web applications and to eliminate false positives

• ASM combines positive and negative security models to achieve the optimum security

• ASM is an integrated solution and can run as a module on BIG-IP or standalone

• ASM is used to provide compliance with various standards

• ASM provides hidden parameter protection and selective flow control enforcement

• ASM provides an additional security layer or can be used as a central point for web application security enforcement

Page 34: Web Application Security with the Application Security Manager (ASM)

Evaluation

The best way to see how it will perform in your environment with your applications.

Soft-Tronik can provide you with evaluation hardware and engineers to help in deployment.


Page 36: Web Application Security with the Application Security Manager (ASM)

Backup Slides

Page 37: Web Application Security with the Application Security Manager (ASM)

Company Snapshot

Facts / Position / References

Page 38: Web Application Security with the Application Security Manager (ASM)


F5’s Continued Success

Headquartered in Seattle, WA

F5 Ensures Applications Running Over the Network Are Always Secure, Fast, and Available

Founded 1996 / Public 1999

Over 10,000 customers and 30,000 systems installed

Over 1100 Employees

NASDAQ: FFIV

Revenue (chart, $ Millions, scale 20 to 120)