Forum Systems Quarterly Company Update - IBM Institute for ...


14 Dec 2013


1

XML & Web Services Threats & Countermeasures

Mamoon Yunus, CTO


2

Agenda

• XML Web Services Threat and Trust
• Popular Trust Use-cases
• Popular Threat Scenarios
• Forum Systems Integration with TAM
  • Forum Systems
  • TAM
  • IBM MQ Series
• Q&A


3

Popular Web Services Security Policies: Trust and Threat Policies

[Diagram labels: Threat Management, Trust Management]

• Filter all SOAP/XML Messages for Threats/Information Leak
• Attack Prevention
  • Denial of Service
• Web Services Authentication and Access Control
• Interoperability
  • WS-I BP
• Message Integrity
  • Sign & Verify
• Message Privacy
  • Encrypt & Decrypt
• Identity Management


4

Web Services Security Management

[Diagram: Internet, XML/SOAP, Web Services Security Gateway, Protected Web Services and Content]

Management & Acceleration of XML Web Services

• Sign, Verify, Encrypt, Decrypt, Validate, Transform XML messages
• Support HTTP(s) to JMS gateway functionality (protocol mixing)
• Accelerated SSL connections
• Content based routing
• Message authentication via Sign-On (SSO) tokens: CA/Netegrity, IBM Tivoli, Oblix COREid, RSA ClearTrust
• Certification of Appliance

5

Web Services Security Management

[Diagram: Internet, XML/SOAP, Web Services Security Gateway, Protected Web Services and Content]

Management & Acceleration of XML Web Services

• Message-Queue Integration
  • Tibco Rendezvous
  • Tibco EMS (Tibco's JMS Product)
  • IBM MQ (via JMS)
  • JMS compliant implementation, e.g. Sonic
• Government Certifications
  • JITC DoD PKI Certification
  • FIPS 140-2 Level III Hardware Security Module
  • FIPS Certification of Appliance
  • EAL4+ Common Criteria Certification of Appliance

6

Popular Trust Policies: Signatures

• Sign all outbound documents
• Optionally sign inbound documents before archiving
• E-Notary Service
• Shared Signature Service
• SOAP with Attachments Signatures (DIME & MIME)

7

Popular Trust Policies: Identity

• Protocol-based Identity
• Message-based Identity
• Identity Transformation
  • HTTP(S) to SAML
  • Kerberos to SAML
• Identity Management
  • LDAP
  • IBM Tivoli, CA/Netegrity SiteMinder

8

Web Services Security Management

[Diagram: Internet, XML/SOAP, Web Services Firewall, Protected Web Services and Content]

Admission Control & Threat Protection

• XML Web services Authentication and Access Control
• XML Schema Validation and XML Intrusion Prevention
• Standards Support
  • WS-I, WS-Security
• Attack Prevention
  • Denial of Service, Virus, Probe & Extract, XML/XSD Schema & WSDL Breaches
• WSDL Aggregation and Obfuscation

9

Introduction to Web Services Threats

1. Legacy Attacks have been focused on Disruption
   • DoS, DDoS, or Buffer Overflow type exploits
   • Primitive Techniques: Brute force port scanning
2. Web Services offer a new “vector of attack” for information disruption & theft
   • Modern Techniques: Wealth of information in WSDL files
     • Operation names
     • Ports
     • Data types
3. Information theft undetected is more $lucrative$ than detected service disruption
   • SQL Injection over Web Services Channel
   • Viruses, Spyware & Malicious Code over Web Services Channel
4. Legacy Firewalls are blind to XML
   • Specialized WS Firewalls are required
   • Ports 443 & 80 let HTTP traffic right through



10

Top 10 Vulnerabilities

1. SwA with Malicious Attachments
2. SQL Injection
3. Large Buffer Attack
4. Parameter Tampering
5. Coercive Parsing
6. Recursive Payloads
7. WSDL Scanning
8. Schema Poisoning
9. External Entity Attacks
10. SOAP Routing Detours

11

Test Setup

[Diagram: Client, Web Service Application, Database]

Web Service Application (localhost:9090)
1. Mime-echo.asmx
2. StringService.asmx
3. MathService.asmx
4. PurchaseOrderInfo.asmx

Database
1. POInfo.mdb

12

1. Sample Threat: Virus Attack via SwA

[Diagram: HTTP Header, SOAP Message, Malicious Attachment]

13

1. Sample Threat: Virus Attack: Countermeasure Policies

1. Need to Decrypt before scan
   • SSL termination required AND SwA Decryption required
2. Block Offending client IP addresses and users
   • Setup alerts for notifying administrator
   • Automatically THROTTLE or BLOCK SOAP traffic from IP addresses and/or users

14

2. SQL Injection: PurchaseOrderInfo

GetPurchaseOrders Operation

1. SOAP Request: uid="bob" and password="bob"
2. SOAP Response:

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <soap:Body>
    <GetPurchaseOrdersResponse xmlns="http://tempuri.org/">
      <GetPurchaseOrdersResult>
        <PurchaseOrderInformation>
          <po>1000</po>
          <name>XYZ Corp</name>
          <address>123 AnyStreet</address>
          <city>Anytown</city>
          <state>MA</state>
          <zipcode>10267</zipcode>
          <country>US</country>
          <amount>$243,253.98</amount>
          <salesRepID>bob</salesRepID>
        </PurchaseOrderInformation>
      </GetPurchaseOrdersResult>
    </GetPurchaseOrdersResponse>
  </soap:Body>
</soap:Envelope>

15

2. SQL Injection: Force & Analyze Faults

1. SOAP Request: uid=' (a single quote) and password= (empty)
2. SOAP Response: SOAP Fault

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <soap:Body>
    <soap:Fault>
      <faultcode>soap:Server</faultcode>
      <faultstring>System.Web.Services.Protocols.SoapException: Server was unable to process request. ---&gt; System.Data.OleDb.OleDbException: Syntax error in string in query expression 'SalesRepID = ''' AND password = '''.
   at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(Int32 hr)
   at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object&amp; executeResult)
   at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object&amp; executeResult)
   at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object&amp; executeResult)
   at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
   at System.Data.OleDb.OleDbCommand.ExecuteReader(CommandBehavior behavior)
   at System.Data.OleDb.OleDbCommand.System.Data.IDbCommand.ExecuteReader()
   at PurchaseOrderInfo.PurchaseOrderDBAccess.VerifyAuthentication(String uid, String password)
   at PurchaseOrderInfo.PurchaseOrderDBAccess.GetPurchaseOrders(String uid, String password)
   at PurchaseOrderInfo.PurchaseOrderInfo.GetPurchaseOrders(String uid, String password)
   --- End of inner exception stack trace ---</faultstring>
      <detail />
    </soap:Fault>
  </soap:Body>
</soap:Envelope>

Information leaked by the fault:

1. .NET is being used
2. 2 Classes: PurchaseOrderInfo and PurchaseOrderDBAccess
   • VerifyAuthentication Method
3. SQL Hints: 'SalesRepID=''' AND password='''



16

2. SQL Injection Attack

1. SELECT * FROM <sometable> WHERE SalesRepID='' or ''='' AND password='' or ''=''
2. ''='' is always true
3. SOAP Request:
   • uid: ' or ''='
   • password: ' or ''='

[Diagram: SOAP Request, SOAP Response, SQL Injected]

17

2. SQL Injection Attack: Countermeasures

1. Suppress Stack Trace within SOAP Faults
   • Filter Response Processing Through WS Firewall
   • Stealth Mode
   • Consider Suppressing SOAP Faults @ runtime
2. Character Control
   • Limit parameters to alpha-numeric
     • Allow only RegEx [a-zA-Z0-9]*
   • Block characters & keywords
     • Disallow Characters RegEx: [\<\>\"\'\%\;\)\(\&\+]
     • Disallow Keywords RegEx: select, insert, drop, exec(\s|\+)+(s|x)p\w+
3. Restrict Data and Information Leaks through tight response processing
   • Restrict SOAP Response Message Size
   • Restrict SOAP Response Message Elements
4. Block Offending client IP addresses and users
   • Setup alerts for notifying administrators
   • Automatically THROTTLE OR BLOCK SOAP traffic from IP addresses and/or users
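The attack on the previous slide and the character-control countermeasure above, as an added Python example that is not part of the deck and not Forum Systems code. It rebuilds the query shape the SOAP fault leaked (`SalesRepID='...' AND password='...'`) against an in-memory SQLite table standing in for POInfo.mdb, shows that the `' or ''='` pair authenticates against the concatenated query but not against a parameterised one, and applies the slide's three regexes as a gateway-side parameter check. The table and column layout, and the `get_purchase_orders` gateway wrapper, are assumptions.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for POInfo.mdb: one sales rep, bob/bob, in memory.
    Table name is an assumption; the fault only reveals SalesRepID and password."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE SalesReps (SalesRepID TEXT, password TEXT);"
        "INSERT INTO SalesReps VALUES ('bob', 'bob');"
    )
    return conn


def verify_authentication_vulnerable(conn: sqlite3.Connection, uid: str, password: str) -> bool:
    """Query built the way the leaked fault implies: parameters pasted into SQL text."""
    sql = ("SELECT * FROM SalesReps WHERE SalesRepID='" + uid
           + "' AND password='" + password + "'")
    return conn.execute(sql).fetchone() is not None


def verify_authentication_fixed(conn: sqlite3.Connection, uid: str, password: str) -> bool:
    """Same check with bound parameters: quotes inside uid/password stay data."""
    sql = "SELECT * FROM SalesReps WHERE SalesRepID=? AND password=?"
    return conn.execute(sql, (uid, password)).fetchone() is not None


# Character control from the countermeasure slide, applied at the WS firewall
# before a request reaches the service.
ALLOW_ALNUM = re.compile(r"[a-zA-Z0-9]*")
DISALLOW_CHARS = re.compile(r"[\<\>\"\'\%\;\)\(\&\+]")
DISALLOW_KEYWORDS = re.compile(r"select|insert|drop|exec(\s|\+)+(s|x)p\w+", re.IGNORECASE)


def parameter_allowed(value: str) -> bool:
    """Allowlist first (the only check that is sufficient on its own), then the
    blocklists as a second, independent signal."""
    if ALLOW_ALNUM.fullmatch(value) is None:
        return False
    if DISALLOW_CHARS.search(value) or DISALLOW_KEYWORDS.search(value):
        return False
    return True


def get_purchase_orders(conn: sqlite3.Connection, uid: str, password: str) -> str:
    """Hypothetical gateway entry point: reject bad parameters up front, then
    authenticate with the parameterised query. Returns a status string so the
    caller decides how little to reveal in the SOAP response."""
    if not (parameter_allowed(uid) and parameter_allowed(password)):
        return "rejected"
    if verify_authentication_fixed(conn, uid, password):
        return "authenticated"
    return "denied"
```

With the allowlist in front, the character blocklist can never fire, and the keyword blocklist only fires on alphanumeric values such as a user named "dropbox"; its value in a gateway is as an alerting signal feeding countermeasure 4 (throttle or block the source) rather than as the control that stops the injection, which is the parameterised query.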

18

3. Large Buffer DoS: StringService

Echo & Reverse Operation

• Echo Request: s = Random BUFFER (10KB to 100KB)
  • All responses are successful
  • Response time approx linear, ranges from 3.2 ms to 48 ms
  • Chewing memory and CPU cycles
• Reverse Request: s = Random BUFFER (10KB to 100KB)
  • Only first 4 requests successful. All others TIMEOUT
  • Response time pegged to ~10,000 ms
  • Chewing CPU cycles heavily as well as memory

Significant DoS exposure

[Charts: Echo, Reverse]

19

3. Large Buffer DoS: Countermeasures

1. Define & Enforce Data type limits
   • Schema tightening through WS Firewall
2. Restrict Overall Data size
   • Message Size tightening through WS Firewall
3. Block Offending client IP addresses and users
   • Setup alerts for notifying administrators
   • Automatically THROTTLE OR BLOCK SOAP traffic from IP addresses and/or users

20

4. Parameter Tampering: MathService

Divide Operation

• Divide Request: a = 1 to 10,000,000,000; b = 7
  • All but last responses are SUCCESSFUL
  • Ave 1.87 ms
  • Overflow happened for value > 2,147,483,647
  • Response time for Overflow data point: 46.50 ms
• Divide Request: a = RANDOM BUFFER 10K to 100K; b = 7
  • All responses FAIL
  • Min 6.9 ms
  • Max 46.90 ms
  • Ave 23.42 ms

~2400% increase in response time for Overflow Value

DoS through Data Type Tampering

21

4. Parameter Tampering: Countermeasures

1. Control SOAP Responses
   • Information Leak
   • Filter Response Processing Through WS Firewall
   • Stealth Mode
   • Consider Suppressing SOAP Faults @ runtime
2. Prevent Invalid Data from reaching target servers
   • Schema tightening through WS Firewalls
3. Block Offending client IP addresses and users
   • Setup alerts for notifying administrators
   • Automatically THROTTLE OR BLOCK SOAP traffic from IP addresses and/or users
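The inbound side of the Large Buffer DoS and Parameter Tampering countermeasures (restrict overall data size, define and enforce data type limits, keep invalid data off the target servers), as an added Python example that is not part of the deck and not Forum Systems code. It validates a SOAP request for the deck's Echo, Reverse and Divide operations before it would be forwarded: size is checked before anything is parsed, `a` and `b` must lie inside the xs:int range that the MathService overflowed above 2,147,483,647, and `s` has a maximum length. The byte and length limits, the per-operation parameter table and the `soap_request` builder are assumptions; the deck names the operations but gives no schema or numeric limits.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SERVICE_NS = "http://tempuri.org/"   # namespace used by the deck's .asmx services

# Constructed policy values: the deck asks for size and data-type limits but
# gives no numbers, so these are assumptions.
MAX_MESSAGE_BYTES = 8 * 1024
MAX_STRING_LENGTH = 256
INT32_MIN, INT32_MAX = -2**31, 2**31 - 1   # xs:int range; overflow began above INT32_MAX

# Hypothetical tightened schema: parameter name -> (xs type, max length for strings).
OPERATION_LIMITS = {
    "Divide":  {"a": ("int", None), "b": ("int", None)},
    "Echo":    {"s": ("string", MAX_STRING_LENGTH)},
    "Reverse": {"s": ("string", MAX_STRING_LENGTH)},
}


def local_name(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def validate_request(raw: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). The length check runs before parsing so an
    oversized payload costs the gateway a single comparison."""
    if len(raw) > MAX_MESSAGE_BYTES:
        return False, f"message exceeds {MAX_MESSAGE_BYTES} bytes"
    try:
        # Stdlib ElementTree is used so the example runs offline; a gateway would
        # parse with a parser hardened against entity expansion and external
        # entities (the coercive parsing / recursive payload / XXE items of the top 10).
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) != 1:
        return False, "expected exactly one operation element in soap:Body"
    operation = body[0]
    limits = OPERATION_LIMITS.get(local_name(operation.tag))
    if limits is None:
        return False, f"operation {local_name(operation.tag)} is not exposed"
    seen = set()
    for param in operation:
        name = local_name(param.tag)
        if name not in limits or name in seen:
            return False, f"unexpected or repeated parameter {name}"
        if len(param):
            return False, f"parameter {name} must be a simple value"
        seen.add(name)
        xs_type, max_len = limits[name]
        text = (param.text or "").strip()
        if xs_type == "int":
            try:
                value = int(text)
            except ValueError:
                return False, f"{name} is not an integer"
            if not INT32_MIN <= value <= INT32_MAX:
                return False, f"{name}={value} is outside the xs:int range"
        elif len(text) > max_len:
            return False, f"{name} is longer than {max_len} characters"
    missing = set(limits) - seen
    if missing:
        return False, f"missing parameter(s): {', '.join(sorted(missing))}"
    return True, "ok"


def soap_request(operation: str, params: dict) -> bytes:
    """Build a constructed request in the shape the deck's services expect."""
    inner = "".join(f"<{k}>{v}</{k}>" for k, v in params.items())
    return (
        '<?xml version="1.0" encoding="utf-8"?>'
        f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
        f'<{operation} xmlns="{SERVICE_NS}">{inner}</{operation}>'
        "</soap:Body></soap:Envelope>"
    ).encode("utf-8")
```

A 100KB Echo buffer is rejected on length without being parsed, a Divide with a above 2,147,483,647 is rejected on type, and a request for an operation the policy does not list never reaches the service, which is the "prevent invalid data from reaching target servers" point of both countermeasure slides.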

22

Best Practices for Countermeasures

Information Control: Outbound
• Restrict SOAP Faults
  • Stack Traces are dangerous
• Sensitive Information
  • Credit Cards, SSN
• Deploy A Web Services Firewall
  • Forum Systems XWall
  • NetContinuum
  • MSFT ISA 2004 with XWall
  • Network Engines
  • Oracle/Oblix

Information Control: Inbound
• Tighten Payloads
• Tighten String Lengths
• Disallow SQL, Virus, Malicious Code
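The outbound information-control practices above (restrict SOAP faults, keep credit card and SSN data out of responses), together with items 1 and 3 of the SQL injection countermeasures (stealth-mode faults, restricted response size and elements), as an added Python example that is not part of the deck and not Forum Systems code. It sits where the WS firewall would, on the response path: any fault, including the stack-trace fault from the Force & Analyze Faults slide, is replaced by a fixed generic fault; children of PurchaseOrderInformation outside an allowlist are removed; and SSN or card-number patterns in the remaining text are redacted. The size limit, the allowlist (which drops salesRepID and admits a constructed `notes` field), and the redaction patterns are assumptions; the two sample messages are the deck's own, abridged, with the `notes` element added.

```python
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ET.register_namespace("soap", SOAP_NS)

MAX_RESPONSE_BYTES = 16 * 1024                       # constructed limit
GENERIC_FAULT_TEXT = "Server was unable to process request."

# Hypothetical policy: elements of PurchaseOrderInformation a client may see.
# salesRepID is deliberately absent to show "restrict response message elements".
ALLOWED_PO_FIELDS = {"po", "name", "address", "city", "state", "zipcode",
                     "country", "amount", "notes"}

# Constructed redaction patterns for the "Credit Cards, SSN" bullet; illustrative only.
SENSITIVE_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),             # US SSN
    re.compile(r"\b(?:\d[ -]?){12}\d{3,4}\b"),        # 13-16 digit card number
]

# Abridged copy of the deck's leaked fault (constructed here for the example).
SLIDE_FAULT = b"""<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><soap:Fault><faultcode>soap:Server</faultcode>
  <faultstring>System.Web.Services.Protocols.SoapException: Server was unable to process request. ---&gt; System.Data.OleDb.OleDbException: Syntax error in string in query expression 'SalesRepID = ''' AND password = '''.
   at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object&amp; executeResult)
   at PurchaseOrderInfo.PurchaseOrderDBAccess.VerifyAuthentication(String uid, String password)
   --- End of inner exception stack trace ---</faultstring><detail />
  </soap:Fault></soap:Body></soap:Envelope>"""

# The deck's GetPurchaseOrders response plus a constructed notes field.
SLIDE_RESPONSE = b"""<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><GetPurchaseOrdersResponse xmlns="http://tempuri.org/">
  <GetPurchaseOrdersResult><PurchaseOrderInformation>
    <po>1000</po><name>XYZ Corp</name><address>123 AnyStreet</address>
    <city>Anytown</city><state>MA</state><zipcode>10267</zipcode><country>US</country>
    <amount>$243,253.98</amount><salesRepID>bob</salesRepID>
    <notes>paid by card 4111 1111 1111 1111, contact SSN 123-45-6789</notes>
  </PurchaseOrderInformation></GetPurchaseOrdersResult>
  </GetPurchaseOrdersResponse></soap:Body></soap:Envelope>"""


def local_name(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]


def generic_fault() -> bytes:
    """Stealth-mode fault: fixed code and text, empty detail, no stack trace."""
    return (
        '<?xml version="1.0" encoding="utf-8"?>'
        f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body><soap:Fault>'
        "<faultcode>soap:Server</faultcode>"
        f"<faultstring>{GENERIC_FAULT_TEXT}</faultstring><detail />"
        "</soap:Fault></soap:Body></soap:Envelope>"
    ).encode("utf-8")


def filter_response(raw: bytes) -> bytes:
    """Response-side filter: oversized, unparseable or faulting responses all
    collapse to the same generic fault; successful ones are pruned and redacted."""
    if len(raw) > MAX_RESPONSE_BYTES:
        return generic_fault()
    try:
        root = ET.fromstring(raw)
    except ET.ParseError:
        return generic_fault()
    if root.find(f".//{{{SOAP_NS}}}Fault") is not None:
        return generic_fault()
    # Collect first, then prune: removing children while iterating the tree skips nodes.
    records = [e for e in root.iter() if local_name(e.tag) == "PurchaseOrderInformation"]
    for record in records:
        for child in list(record):
            if local_name(child.tag) not in ALLOWED_PO_FIELDS:
                record.remove(child)
    for elem in root.iter():
        if elem.text:
            for pattern in SENSITIVE_PATTERNS:
                elem.text = pattern.sub("[REDACTED]", elem.text)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)
```

Returning the same generic fault for an oversized, malformed or faulting backend response is what makes "stealth mode" hold: the client learns that the request failed and nothing about the .NET stack, the data-access classes or the SQL shape that the unfiltered fault revealed.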


23

Requirements for Countermeasures

1. Securing Web Services requires secure Web Service Firewalls
   • FIPS 140-2 Level II
   • Common Criteria EAL 4+
2. Flexible
   • Hardware and Software for wide coverage
   • OEM-ed/Integrated into other products
     • NetContinuum
     • MSFT ISA 2004 Firewall
     • Oblix/Oracle
     • Network Engines
3. Performance & Scalability
   • 64-bit platform
   • Multi-thousand TPS for security operations
4. Security Pure-play
   • XWALL

24

FS-Sentry/XWall: IBM TAM Integration

• Integrated & Certified with TAM 5.1
• Integrated Via WebSEAL Junction
  • Protects URIs
  • Native Load-balancing
• HTTP & HTTPS support for WebSEAL
  • HTTP: PD-H-SESSION-ID
  • HTTPS: PD-S-SESSION-ID
• Sentry/XWALL can consume previously acquired WebSEAL Sessions

[Diagram: Client; WebSEAL with TAM and LDAP; FS; Protected HTTP Resource; Protected HTTPS Resource; Unprotected HTTP(S); IBM MQSeries]

25

FS-Sentry/XWall: WebSEAL

26

FS-Sentry/XWall: IBM TAM Integration

27

Mamoon Yunus, CTO
Tel: (781)-788-4205
Email: myunus@forumsys.com

1. IBM TAM
2. IBM MQ Series
3. IBM DB2
4. AIX P5 eBlade