Web Application Security with the Application Security Manager (ASM)

hotbrood (Security)

Uploaded 3 Nov 2013

Piotr Oleszkiewicz

Zbigniew Skurczynski, zbig@f5.com

Agenda

- Web Security: What are the problems?
- Vulnerabilities and protection strategies
- Web security with a Web Application Firewall (WAF)
- Security Policy Setups
- About us

Application Security: Trends and Drivers

- "Webification" of applications
- Intelligent browsers and applications
- Public awareness of data security
- Increasing regulatory requirements
- The next attackable frontier
- Targeted attacks

The weakest link: DATA

"64% of the 10 million security incidents tracked targeted port 80." (Information Week magazine)

Why Are Web Applications Vulnerable?

- Security officers are not involved in software development, while developers are not security conscious
- New code is written to a best-practice methodology, but not tested properly
- New types of attack are not covered by the current methodology
- New code is written in a hurry due to business pressures
- Code written by third parties is badly documented and poorly tested, and the third party is not available
- Flaws in third-party infrastructure elements
- Session-less web applications written with a client-server mentality

Most web applications are vulnerable!

"70% of websites at immediate risk of being hacked!" - Acunetix, Jan 2007, http://www.acunetix.com/news/security-audit-results.htm

"8 out of 10 websites vulnerable to attack" - WhiteHat "Security Report, Nov 2006", https://whitehatsec.market2lead.com/go/whitehatsec/webappstats1106

"75 percent of hacks happen at the application." - Gartner, "Security at the Application Level"

"64 percent of developers are not confident in their ability to write secure applications." - Microsoft Developer Research

"The battle between hackers and security professionals has moved from the network layer to the Web applications themselves." - Network World

www.owasp.org Top Ten Project

A1 Cross Site Scripting (XSS): XSS flaws occur whenever an application takes user-supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser, which can hijack user sessions, deface web sites, etc.

A2 Injection Flaws: Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.

A3 Insecure Remote File Include: Code vulnerable to remote file inclusion allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise.

A4 Insecure Direct Object Reference: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.

A5 Cross Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker.

A6 Information Leakage and Improper Error Handling: Applications can unintentionally leak information about their configuration or internal workings, or violate privacy, through a variety of application problems. Attackers use this weakness to violate privacy or conduct further attacks.

A7 Broken Authentication and Session Management: Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users' identities.

A8 Insecure Cryptographic Storage: Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud.

A9 Insecure Communications: Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.

A10 Failure to Restrict URL Access: Frequently, the only protection for sensitive areas of an application is that links or URLs are not presented to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations.

Problems are growing

Yesterday:
- Tens of working hours of the best security specialists
- Preparing a successful attack on the web application was very expensive, but it could still bring profit if the target was interesting enough

Today:
- Automatic and semi-automatic tools that are user friendly
- Fuzzers (more than 20 Open Source tools alone)
- Newest trend: evolutionary programming

Bottom line: the cost of preparing a successful attack has fallen dramatically!

Most web applications are vulnerable!

Practical demonstration:
- Google
- Weak application logic
- A web browser is the only tool we need

Not enough time!

The time from finding the vulnerability to launching an attack is falling.

Are the applications prepared for ZERO-DAY attacks?

Are your applications prepared for ZERO-DAY attacks?

Web Application Security

Perimeter security is strong, but it is open to web traffic on PORT 80 and PORT 443. Attacks now look to exploit application vulnerabilities:
- Buffer Overflow
- Cross-Site Scripting
- SQL/OS Injection
- Cookie Poisoning
- Hidden-Field Manipulation
- Parameter Tampering

What the attacker gains: Infrastructural Intelligence, Non-compliant Information, Forced Access to Information. High Information Density = High Value Attack.

Web Application Security with ASM

(diagram: Browser -> ASM -> application) ASM allows legitimate requests and stops bad requests / responses, blocking Unauthorised Access, Infrastructural Intelligence and Non-compliant Information.

Traditional Security Devices vs. Web Application Firewall (ASM)

(comparison grid with columns Network Firewall, IPS and ASM; cells are marked X, Limited or Partial, with ASM covering the threat types listed)

Threat types compared:
- Known Web Worms
- Unknown Web Worms
- Known Web Vulnerabilities
- Unknown Web Vulnerabilities
- Illegal Access to Web-server files
- Forceful Browsing
- File/Directory Enumerations
- Buffer Overflow
- Cross-Site Scripting
- SQL/OS Injection
- Cookie Poisoning
- Hidden-Field Manipulation
- Parameter Tampering

Security Policy in ASM

(diagram: Browser -> Security Policy Enforcement -> application; outbound Content Scrubbing and Application Cloaking; the policy is a Definition of Good and Bad Behaviour)

Security Policy in ASM

- Can be generated automatically or manually
- Highly granular on configuration and blocking
- Easy to understand and manage
- Bi-directional:
  - Inbound: protection from generalised & targeted attacks
  - Outbound: content scrubbing & application cloaking
- Application content & context aware

Positive Security - Example

Actions not known to be legal can now be blocked:
- Wrong page order
- Invalid parameter
- Invalid value
- etc.

(screenshot value shown: <script>)

Positive Security - Example

Negative vs. Positive Security

Protection for Dynamic Values or Hidden Field Manipulation

Selective Application Flow Enforcement

(diagram: a login form with Username and Password, and a transfer form with From Acc., To Acc., $ Amount and a Transfer button; requests are flagged VIOLATION or ALLOWED)

Should this be a violation? The user may have bookmarked the page! Unnecessarily enforcing flow can lead to false positives.

This part of the site is a financial transaction that requires authentication; we should enforce strict flow and parameter validation.

Flexible Policy Granularity

Generic Policies - Policy per object type
- Low number of policies
- Quick to implement
- Requires little change management
- Can't take application flow into account

Specific Policies - Policy per object
- High number of policies
- More time to implement
- Requires a change management policy
- Can enforce application flow
- Tightest possible security
- Protects dynamic values

Optimum policy is often a hybrid

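The positive-security checks these slides describe (illegal object type, object, parameter and value; the hidden-field check of the dynamic-values slide; flow enforced only on the transfer page, so a bookmarked public page is not a violation; and a negative regex layer for the combined model the summary mentions), as an added Python illustration written for this page, not F5's ASM code. The policy, paths, patterns, attack signatures and session structure are all assumed.

```python
import re

# Negative model: a few illustrative attack-signature regexes (constructed).
NEGATIVE_SIGNATURES = [r"(?i)<\s*script", r"(?i)\bunion\s+select\b", r"\.\./"]

# Positive model, hybrid policy: object types are generic, the two objects
# are specific. Only the transfer page enforces flow and dynamic values.
POLICY = {
    "object_types": {"html", "php"},
    "objects": {
        # Public page: parameters validated, flow not enforced (bookmarkable).
        "/news.php": {"params": {"id": r"\d{1,6}"}, "enforce_flow": False},
        "/transfer.php": {
            "params": {
                "username": r"[A-Za-z0-9_]{3,32}",
                "password": r".{8,64}",
                "from_acc": r"\d{10}",
                "to_acc": r"\d{10}",
                "amount": r"\d{1,7}(\.\d{2})?",
            },
            "enforce_flow": True,
            "allowed_referers": {"/login.php"},
            "dynamic": {"from_acc"},  # server-issued; client may not alter it
        },
    },
}

def check(request, session):
    """Return None if the request is allowed, else the violation name.
    request: {"path", "params", "referer"}; session: {"issued": {name: {values}}}."""
    path, params = request["path"], request.get("params", {})
    for sig in NEGATIVE_SIGNATURES:          # negative model runs first
        if any(re.search(sig, v) for v in params.values()):
            return "attack signature"
    if path.rsplit(".", 1)[-1] not in POLICY["object_types"]:
        return "illegal object type"
    obj = POLICY["objects"].get(path)
    if obj is None:
        return "illegal object"
    for name, value in params.items():
        if name not in obj["params"]:
            return f"illegal parameter: {name}"
        if not re.fullmatch(obj["params"][name], value):
            return f"illegal value: {name}"
        # Dynamic value: must be one the server handed to this session.
        if name in obj.get("dynamic", ()) and value not in session["issued"].get(name, ()):
            return f"hidden field manipulation: {name}"
    if obj["enforce_flow"] and request.get("referer") not in obj["allowed_referers"]:
        return "illegal flow: wrong page order"
    return None
```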

Flexible Deployment Options

Policy-Building Tools:
- "Trusted IP" Learning
- Live Traffic Learning
- Crawler
- Negative RegEx
- Template

Policy tightening suggestions move a policy from the typical 'standard' starting point toward a tighter security posture, along the scale OBJECT TYPES -> OBJECT NAMES -> PARAMETER NAMES -> PARAMETER VALUES -> OBJECT FLOWS.

Application Delivery Network

(diagram: Users at home, in the office and on the road; Application Delivery Network; Data Centre running Oracle, Siebel, SAP)

Business goal: Achieve these objectives in the most operationally efficient manner.

F5 is the Global Leader in Application Delivery Networking

The F5 Solution

F5's Comprehensive Single Solution: the TMOS Application Delivery Network sits between Users (Mobile Phone, PDA, Laptop, Desktop, Co-location) and Applications (CRM, Database, Siebel, BEA, Legacy, .NET, SAP, PeopleSoft, IBM, ERP, SFA, Custom).

The F5 Products & Modules (on TMOS)

- WANJet
- FirePass
- BIG-IP Local Traffic Manager
- BIG-IP Application Security Manager
- BIG-IP Link Controller
- BIG-IP Global Traffic Manager (International Data Center)
- BIG-IP Web Accelerator
- Enterprise Manager
- iControl & iRules

Protocols: HTTP/HTML, SIP, RTP, SRTP, RTCP, SMTP, FTP, SFTP, RTSP, SQL, CIFS, MAPI, IIOP, SOAP, XML etc.

Application partners: Microsoft, SAP, Oracle, IBM, BEA

Unique TMOS Architecture

- High-Performance Networking Microkernel
- Powerful Application Protocol Support
- iControl: External Monitoring and Control
- iRules: Network Programming Language
- High Performance HW

(diagram: Client Side and Server Side; TMOS Traffic Plug-ins: SSL, Compression, TCP Express, Caching, TCP Proxy, OneConnect, XML, Rate Shaping, ASM/TrafficShield, Web Accel, 3rd Party; iRules; iControl API; Microkernel)

BIG-IP Software Add-On Modules

Quickly Adapt to Changing Application & Business Challenges
- Compression Module: Increase performance
- Fast Cache Module: Offload servers
- Rate Shaping Module: Reserve bandwidth

BIG-IP Security Add-On Modules

- Application Security Module: Protect applications and data
- SSL Acceleration: Protect data over the Internet
- Advanced Client Authentication Module: Protect against unauthorised access

ASM Platform Availability

- Standalone ASM on TMOS: 4100
- Available as a module with BIG-IP LTM: 6400/6800, 8400/8800

Analyst Leadership Position

Magic Quadrant for Application Delivery Products, 2007 (Source: Gartner, January 2007). Axes: Ability to Execute, Completeness of Vision; quadrants: Leaders, Challengers, Visionaries, Niche Players. Vendors plotted: F5 Networks, Citrix Systems, Akamai Technologies, Radware, Crescendo, Coyote Point, Zeus, Cisco Systems, Foundry Networks, Nortel Networks, Juniper, NetContinuum, Array Networks.

F5 Strengths:
- Offers the most feature-rich AP ADC, combined with excellent performance and programmability via iRules and a broad product line.
- Strong focus on applications, including long-term relationships with major application vendors, including Microsoft, Oracle and SAP.
- Strong balance sheet and cohesive management team with a solid track record for delivering the right products at the right time.
- Strong underlying platform allows easy extensibility to add features.
- Support of an increasingly loyal and large group of active developers tuning their application environments specifically with F5 infrastructure.

F5 Customers in EMEA (1 of 2)

- Banking, Financial
- Telco, Service Providers, Mobile
- Insurance, Investments

F5 Customers in EMEA (2 of 2)

- Government, Other
- Health, Consumer
- Manufacturing, Energy
- Transport, Travel
- Media, Technology, Online

Summary

- Protecting web applications is a challenge within many organizations, but attacks against web applications are the hackers' favourites
- ASM provides easy and very granular configuration options to protect web applications and to eliminate false positives
- ASM combines positive and negative security models to achieve the optimum security
- ASM is an integrated solution and can run as a module on BIG-IP or standalone
- ASM is used to provide compliance with various standards
- ASM provides hidden parameter protection and selective flow control enforcement
- ASM provides an additional security layer or can be used as the central point for web application security enforcement

Evaluation

The best way to see how it will perform in your environment with your applications.

Soft-Tronik can provide you with evaluation hardware and engineers to help in deployment.

Backup Slides

Company Snapshot: Facts, Position, References

F5's Continued Success

- Headquartered in Seattle, WA
- F5 Ensures Applications Running Over the Network Are Always Secure, Fast, and Available
- Founded 1996 / Public 1999
- Over 10,000 customers and 30,000 systems installed
- Over 1100 Employees
- NASDAQ: FFIV
- Revenue