
Application Security

Because threats are constantly evolving, network security technologies and methods must evolve also. One of the most important points about application security is that threats—including such evils as Bots, Ransomware, Advanced Persistent Threats (APT), Viruses, and Spam, to name some recent prevalent threats—have a heavy content component and are not focused only on the physical and data link layers. In this context, content refers to packet payload analysis and how payloads are transported—in particular, layers 3-7 of the OSI Model (Table 3) [13].

Table 3. Comparative models for layers, protocols, and devices.

Because of the focus of these threats on the application content component and transport rather than link and physical components, firewalls designed to protect, load balance, and accelerate content between web servers are necessary. This type of appliance is the Web Application Firewall (WAF), designed to provide protection for web applications and related database content [8]. In order to understand better the type of threats that the WAF faces in protecting networks, an examination of the vulnerable areas targeted by application threats provides the necessary context.

Application Challenges to Meeting User Needs

With increased reliance of businesses on cloud-based applications, focus on the vulnerabilities of web-based applications is essential to system and network security. These applications reside deep in layer 7 of the OSI Model, which will be discussed further in this module, but remain vulnerable to targeted attacks. Of these attacks, Denial of Service (DoS)—or more importantly, Distributed Denial of Service (DDoS)—attacks designed to inhibit use of such applications have evolved as technology evolved, becoming much more sophisticated than early hacker methods.

The mobility of modern business, combined with distributed enterprise networking, demands VPNs with secure access to resources. SSL VPNs establish connectivity at L4 & L5; information is encapsulated at L6 & L7. So, these VPNs—and other remote accessing sites to network resources—function in the top tiers of the OSI Model, known as the Application Layers when translated into the broader TCP/IP Model.

Modern Network Security: Study Guide for NSE 1

2015

52

Table 4. Translation of ISO/OSI layers to TCP/IP model.

Secure Socket Layer (SSL) traffic poses a challenge because legacy servers and load balancers cannot manage the increased loads caused by growing SSL traffic, which requires decryption, scanning, and re-encryption in order to detect potential malicious code attempting to sneak into the network in encrypted data packets.

Scalability is the concept of enabling a system, network, or application to handle a growing volume of work in an efficient manner or, if necessary, to be enlarged to accommodate growth. Scalability may be accomplished through the use of hardware, software, or a combination of both, in order to improve availability and reliability by:

- Managing data flow and workload across multiple servers to increase capacity
- Improving application response times by either hardware upgrades or software solutions
- Reducing costs by optimizing resources through improved allocation
- Allocating data across multiple data centers to facilitate redundancy and recovery

Application Layers: The OSI Model

The Open Systems Interconnection (OSI) model defines computer networks by functional levels. As the level increases, so also increases the complexity and critical nature of the data contained therein. A description of the OSI layers and their functions appears in Table 4.

Table 5. Function of network layers in OSI model.

Layer  Name          Function
7      Application   Application and end-user processes. Application-specific data.
6      Presentation  Translates between application and network formats (syntax layer).
5      Session       Establishes, manages, terminates connections between applications.
4      Transport     Transfer of data between end systems, error recovery, flow control.
3      Network       Switching and routing—virtual circuits to transmit between nodes.
2      Data Link     Data packets are encoded and decoded, transmission protocols.
1      Physical      The bit stream at the mechanical and electrical level.


Applications are what allow users to accomplish tasks using computer systems and networks without having to learn the complex languages of writing their own code. Many common applications include word processing, spreadsheet, and graphics design programs, email applications, games, and media, and may apply across platforms from wired desktop systems to smartphones and myriad others. Many of these applications are now web-based, as discussed in the Module 1 section on Application Services such as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).

Application Vulnerabilities

Because threats are constantly evolving, network security technologies and methods must evolve also. An important point about modern and emerging threats is that they have a heavy content component focused beyond physical and data link layers (L1 & L2). These threats focused on content include such current challenges as:

- Bots
- Ransomware
- Advanced Persistent Threats (APT)
- Viruses
- Spam
- …and others…

In this context, “content” refers to packet payload analysis and how payloads are transported, particularly focusing on layers 3, 4, & 7 of the OSI Model.

Widespread use of applications provides commonality between business users and private consumers, making application threats a problem with the potential for repeated instances if such a threat infects the systems of multiple private users who interface with organizational networks. This may occur from innocuous sources such as customers, clients, or those using a BYOD model who fail to accomplish regular security screenings on their equipment. They may also occur as a dedicated effort to adversely affect the success of the organization by an outside competitor, malcontent, or hacker.

OWASP

Fortunately, a global project exists that assists application developers and system/network security administrators in identifying and understanding the prevalent and emerging application security threats. This project is the Open Web Application Security Project (OWASP) and is also supported by an OWASP Foundation in the United States.

OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security… Our freedom from commercial pressures allows us to provide unbiased, practical, cost-effective information about application security. OWASP is not affiliated with any technology company, although we support the informed use of commercial security technology. [14]

One of the primary studies accomplished by OWASP is cataloging and ranking of the most prevalent threats in web applications. A comparative analysis between the 2010 and 2013 findings appears in Table 6 [27].


Table 6. OWASP top 10 2010 vs. 2013 comparison.

Over the prior four years, OWASP found consistency among the top four application threats to system and network security:

- SQL Injection
- Cross-site Scripting (XSS)
- Broken Authentication & Session Mgmt
- Insecure Direct Object References

Of note, the OWASP analysis also provides information on which threats have increased and declined, indicating trends that may assist security administrators in determining the most effective system and network configurations.

SQL Injection. Insertion or injection of an SQL query via input data from the client to the application. This type of attack may allow attackers to spoof identities, tamper with or delete data, change or void transactions of various types, enable complete disclosure of the system’s database—or destroy it or make it unavailable, or even become a new database server administrator. It is common with PHP and ASP applications and less likely with J2EE and ASP.NET applications. Severity depends on the attacker’s creativity and computer skills, but these attacks have the potential to be devastating. SQL Injection is a high impact threat.

Cross-site Scripting (XSS). Also referred to as XSS Injection, malicious scripts are injected into otherwise benign and trusted web sites, generally in the form of browser-side scripts to be transmitted to end users. Because the end user’s browser regards the site as trusted, it will execute the script, allowing access to any cookies, session tokens, or other information retained by the browser and used with the site. Some of these scripts are even capable of rewriting content on HTML pages.
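The root cause of both SQL Injection and XSS described above is the same: untrusted client input is mixed into a structured language (SQL, HTML) as code rather than handled as data. The following added example, written for this guide and not taken from OWASP or any product, shows each weakness beside its fix. The table layout, the user names, and the `find_user_*`/`render_*` function names are constructed for illustration.

```python
import html
import sqlite3


def make_db():
    # Constructed in-memory sample database (not real data).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    conn.commit()
    return conn


def find_user_unsafe(conn, name):
    # Vulnerable: the client-supplied name is concatenated into the SQL text,
    # so the input can change the structure of the query itself.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    # Hardened: a bound parameter is passed as data; the query structure is fixed
    # by the application and cannot be altered by the input.
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def render_unsafe(user_input):
    # Vulnerable: untrusted text is placed straight into the HTML body,
    # so any markup in the input becomes markup in the page the browser executes.
    return "<p>Hello, " + user_input + "</p>"


def render_safe(user_input):
    # Hardened: encode <, >, &, and quotes so the input renders as text only.
    return "<p>Hello, " + html.escape(user_input, quote=True) + "</p>"


if __name__ == "__main__":
    conn = make_db()
    injected = "x' OR '1'='1"
    print(find_user_unsafe(conn, injected))   # every row comes back
    print(find_user_safe(conn, injected))     # nobody is named x' OR '1'='1
    script = "<script>alert(1)</script>"
    print(render_unsafe(script))              # script tag reaches the browser
    print(render_safe(script))                # rendered as harmless text
```

The parameterized query and the output encoding are the application-side controls; a WAF in front of the application can add a second line of detection for the same patterns but does not replace them.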


Broken Authentication & Session Management. This area includes all aspects of user authentication and active session management handling. Even robust authentication protocols may be undermined by flawed credential management functions, such as password changing, “forgot my password” and “remember my password” options, account update options, and other functions. The complexity for this issue comes with the fact that many developers prefer to create their own session tokens—which may not be properly protected, depending on the skill of the creator, steps may not be in place to protect them throughout the application’s life cycle, and if not protected with SSL and against other flaws (such as XSS), an attacker may hijack the user’s session and assume their identity.

Insecure Direct Object References. When an application provides direct access to objects because of user-based inputs, attackers may bypass authorization and access resources in the system directly. These resources may include valuable data such as databases and organizational files. Insecure Direct Object References allow attackers to bypass authorization and gain access to resources by modifying parameter values used to point directly to objects. These resources may be any type of information stored on the system. This method simply takes the user’s supplied input and uses it to retrieve data as though the attacker were the authorized user.
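The two weaknesses above (home-grown session tokens, and object lookups that trust a client-supplied id) are usually fixed together, because an authorization check needs a trustworthy notion of who the caller is. The following added example is illustrative code written for this guide, not from OWASP or any product: the `SessionStore` class, the `DOCUMENTS` table, and the document ids are constructed. It issues session tokens from the operating system's CSPRNG and then resolves every object request through the session before checking ownership.

```python
import secrets


class AuthorizationError(Exception):
    pass


# Constructed sample data: each object records its owner (hypothetical layout).
DOCUMENTS = {
    101: {"owner": "alice", "body": "alice's quarterly report"},
    102: {"owner": "bob", "body": "bob's expense claims"},
}


class SessionStore:
    """Maps opaque session tokens to authenticated user names."""

    def __init__(self):
        self._sessions = {}

    def create(self, username):
        # 32 random bytes from the OS CSPRNG, URL-safe encoded (about 43 characters).
        # Unlike a counter or a hash of the user name, this cannot be guessed or derived.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def user_for(self, token):
        return self._sessions.get(token)

    def revoke(self, token):
        # Called on logout or timeout so a stolen token stops working.
        self._sessions.pop(token, None)


def get_document_insecure(doc_id):
    # Insecure direct object reference: whatever id the client supplies is fetched,
    # with no check that the caller is allowed to see that object.
    return DOCUMENTS[doc_id]["body"]


def get_document(store, token, doc_id):
    # Hardened: identify the caller from the session, then check ownership
    # of the requested object before returning anything.
    user = store.user_for(token)
    if user is None:
        raise AuthorizationError("no valid session")
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != user:
        # Same response for "missing" and "not yours", so the error does not
        # reveal which ids exist.
        raise AuthorizationError("document not available to this user")
    return doc["body"]


if __name__ == "__main__":
    store = SessionStore()
    token = store.create("alice")
    print(get_document(store, token, 101))
    try:
        get_document(store, token, 102)
    except AuthorizationError as e:
        print("blocked:", e)
```

In a real deployment the token would additionally travel only in a cookie marked Secure and HttpOnly over SSL/TLS, which addresses the XSS and sniffing concerns the guide raises; the ownership check is what closes the direct object reference.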

Individual, targeted attacks are often manageable and, in many cases, traceable. These attacks aim increasingly at denying use of a network to outside users, known as Denial of Service (DoS). However, with the continued evolution of networking for both productive purposes and malicious intentions, the prospect of coordinated network attacks from multiple sources presents an even more critical challenge for continued secure and uninterrupted network operations. These simultaneous coordinated attacks target a network from a number of outside systems and are referred to as a Distributed Denial of Service (DDoS), which will be addressed in the following section.

Distributed Denial of Service (DDoS)

A malicious act designed to deny access to a system, network, application, or information to a legitimate user is called Denial-of-Service (DoS). In a Distributed Denial-of-Service (DDoS) attack, the malicious act originates from a large number of systems. DDoS attacks are most often launched from a single system, using a large remote network to actually conduct the attack [15]. A basic DDoS method is called the Smurf Attack, where the hacker sends a ping packet to a large network while spoofing the target system’s source address to overload the target system. A more sophisticated DDoS method is the Low-Orbit Ion Cannon (LOIC) that allows hackers to let others use their own systems temporarily as a slave in a DDoS attack. A more detailed discussion of DDoS attacks appears following the notional DDoS architecture illustration in Figure 45.

Referring back to the classifications illustrated in Table 3 (page 50), attacks focusing on content components of systems and networks focus on ISO/OSI Model layers 3, 4, and 7 application services. Although layers 3, 4, and 7 are at risk from DDoS attacks, the attacks against layer 7 are often detected through actions affecting the associated port in layer 4 as a method by which to sneak undetected into layer 7 to accomplish its malicious task. As an analogy, one may think of it as the attack on layer 7 riding like a signal on the carrier wave into layer 4. As a result, most recommended parameter adjustments focus on layers 3 and 4, while events to watch include a broader range of indicators.

Figure 45. DDoS architecture.

DDoS attacks have a wide range of methods, from simple to complex, from a single hacker using a single system to a network of hackers coordinating multiple systems. Common types of DDoS attacks include the SYN flood, ICMP flood, and Zombie attack. In each case, the DDoS relies on overloading network capability to process seemingly valid traffic, resulting in denial of service. These attacks are referred to as volumetric attacks because of their focus on overloading the network in order to deny service.

SYN Flood. This attack consists of an excessive number of packets directed to a specific TCP port. In most cases, the source address is spoofed (Figure 46).


ICMP Flood. This attack results from an excessive number of ICMP packets targeting the network (Figure 47).

Figure 47. ICMP Flood DDoS attack.

Zombie Attack. This attack results when too many legitimate IP sources send valid TCP packets to the network (Figure 48).

Figure 48. Zombie DDoS attack.

The common thread in each of these DDoS attacks is the flooding of the network with seemingly valid inputs in a way that slows, stalls, or shuts down the network’s ability to operate. For each of these attacks, threshold monitoring and adjustments at layer 3 and 4 protocols, ports, and SYN may allow network administrators to detect and counter DDoS efforts against layers 3, 4, and 7 and keep the network from extended down times.
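The threshold monitoring described above can be made concrete by counting events per second at layers 3 and 4 and raising an alert when a count passes a configured limit. The following added example is written for this guide and is not taken from any FortiGate feature or configuration; the flow-record format (`time src dst proto flags dport`), the sample records, and the thresholds are all constructed. It flags the three patterns the guide names: a SYN flood (many half-open SYNs to one TCP port), an ICMP flood (many ICMP packets to one host), and a zombie attack (an unusual number of distinct sources completing valid TCP exchanges at once).

```python
from collections import Counter, defaultdict

# Constructed flow records (not real traffic): "time src dst proto flags dport".
# Second 0 is normal, second 1 a SYN flood to port 80, second 2 an ICMP flood,
# second 3 many distinct sources with completed (ACK) connections.
SAMPLE_FLOWS = """\
0 10.0.0.5 192.0.2.10 tcp S 443
0 10.0.0.6 192.0.2.10 tcp S 443
0 10.0.0.6 192.0.2.10 tcp A 443
1 198.51.100.1 192.0.2.10 tcp S 80
1 198.51.100.2 192.0.2.10 tcp S 80
1 198.51.100.3 192.0.2.10 tcp S 80
1 198.51.100.4 192.0.2.10 tcp S 80
1 198.51.100.5 192.0.2.10 tcp S 80
1 198.51.100.6 192.0.2.10 tcp S 80
2 203.0.113.7 192.0.2.10 icmp - -
2 203.0.113.7 192.0.2.10 icmp - -
2 203.0.113.7 192.0.2.10 icmp - -
2 203.0.113.7 192.0.2.10 icmp - -
2 203.0.113.7 192.0.2.10 icmp - -
3 10.1.0.1 192.0.2.10 tcp A 443
3 10.1.0.2 192.0.2.10 tcp A 443
3 10.1.0.3 192.0.2.10 tcp A 443
3 10.1.0.4 192.0.2.10 tcp A 443
3 10.1.0.5 192.0.2.10 tcp A 443
"""


def parse_flows(text):
    # One record per line; fields are whitespace separated.
    records = []
    for line in text.strip().splitlines():
        t, src, dst, proto, flags, dport = line.split()
        records.append({"t": int(t), "src": src, "dst": dst,
                        "proto": proto, "flags": flags, "dport": dport})
    return records


def detect(records, syn_per_sec=5, icmp_per_sec=4, established_sources_per_sec=4):
    """Return alerts as (kind, second, dst, dport, observed_count) tuples."""
    syn = Counter()          # (t, dst, dport) -> bare SYNs (no ACK) this second
    icmp = Counter()         # (t, dst)        -> ICMP packets this second
    est = defaultdict(set)   # (t, dst)        -> distinct sources with ACK traffic
    for r in records:
        if r["proto"] == "tcp" and r["flags"] == "S":
            syn[(r["t"], r["dst"], r["dport"])] += 1
        elif r["proto"] == "tcp" and "A" in r["flags"]:
            est[(r["t"], r["dst"])].add(r["src"])
        elif r["proto"] == "icmp":
            icmp[(r["t"], r["dst"])] += 1

    alerts = []
    for (t, dst, dport), n in sorted(syn.items()):
        if n > syn_per_sec:                       # L4: port-level SYN threshold
            alerts.append(("SYN_FLOOD", t, dst, dport, n))
    for (t, dst), n in sorted(icmp.items()):
        if n > icmp_per_sec:                      # L3: protocol-level threshold
            alerts.append(("ICMP_FLOOD", t, dst, None, n))
    for (t, dst), srcs in sorted(est.items()):
        if len(srcs) > established_sources_per_sec:   # valid traffic, too many sources
            alerts.append(("ZOMBIE", t, dst, None, len(srcs)))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

The thresholds here are deliberately tiny so the sample fits on a page; in practice they are tuned from a baseline of normal traffic, and the zombie metric is the hardest to set because, as the guide notes, each individual source looks legitimate.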

Even with the global trend toward increasing IPv6 traffic, DDoS attacks above the 50 Mbps benchmark are rare. South Korea’s average network speed leads the world with 24.6 Mbps, with Hong Kong a distant second at 15.7 Mbps. The US ranks 14th at 11.4 Mbps. As the shift from IPv4 to IPv6 traffic moves forward, the incidences of DDoS attacks appear to be inversely proportional to IPv6 network growth [16]. This may be an indicator that average network speeds available through IPv6 are making the cost and coordination of DDoS more difficult—or prohibitively costly, in some cases.


Application Security Solutions

The Next Generation Firewall (NGFW) [Module 2] and Unified Threat Management (UTM) [Module 3] brought enhanced capabilities to network security.

An important tool in protecting the network is the Intrusion Prevention System (IPS), which looks beyond port and protocol to examine the signature—or actual content—of network traffic to identify and stop threats. FortiGate NGFW and UTM appliances, using enhanced capabilities such as Advanced Threat Protection (ATP), protect the L3 & L4 regions of the network against DDoS attacks by combining hardware and programmable software solutions to target modern and emerging threats. In addition to protection against L3 & L4 threats, the enhanced NGFW and UTM capabilities also include L4 routing and load balancing to increase efficiency and availability of application traffic in the network. Beyond NGFW and UTM as stand-alone capabilities, using these appliances in concert with other network security capabilities presents additional end-to-end protection that is both scalable and future-ready. The capabilities discussed in the following sections add critical security solutions to protect against DDoS attacks and protect L3, L4, and L7 functions.

Application Delivery Controllers (ADC)

Application Delivery Controllers (ADC) are network devices that manage client interfaces to complex Web and enterprise applications—beyond the scope of SMB and home office applications. An ADC functions primarily as a server load balancer, resulting in optimized end-user system performance and reliability by increased Gbps of L4 throughput, accessibility to data center resources, and enterprise application security. ADC controllers are deployed in data centers, strategically placed behind the firewall and in front of application server(s), acting as the point of control for application security and providing authentication, authorization, and accounting (AAA) [17].

Figure 49. Application Delivery Controller (ADC).

The ADC is part of a larger process that makes applications available, responsive, and secure for users. This end-to-end model is called the Application Delivery Network (ADN), consisting of an application delivery controller, firewall, and link load balancer. Figure 50 illustrates a typical ADN infrastructure.


Application Delivery Network (ADN)

The ADN is divided into three elements—a server side, security, and an outer perimeter. Each of these elements performs functions that enable user access to applications (Figure 50):

Figure 50. Typical Application Delivery Network (ADN) infrastructure.

Server Side. When applications outgrow a single server, an ADC manages multiple servers to enable applications beyond a single server—essentially creating a single virtual server. Once the ADC selects the best server for the application, the ADC uses Connection Persistence to maintain a connection back to the original server where the transaction began. The ADC routes traffic to the best available server based on configurable rules, as well as providing options to offload encrypted traffic and conduct HTTP compression for bandwidth reduction. SSL offloading does not protect against DDoS attacks; however, the ADC may reduce the need for additional servers by as much as 25%.

Security Core. This element is where the tools and services to defend applications from threats reside. Capabilities include a strong firewall, VPN, AV/antimalware scanning, and other security features, which may include NGFW with IPS and deep packet scanning, application control, and user access policies to enhance protection.

Outer Perimeter. Basic Link Load Balancing (LLB) manages bandwidth and redundancy using multiple WAN links. If application use includes multiple data center access for operations such as disaster recovery, Global Server Load Balancing (GSLB) uses a DNS-based resolution platform to route traffic between multiple data centers, allowing either automatic or programmable data center routing based on infrastructure performance needs.


ADC: Solutions and Benefits Part I

An advanced, modern ADC provides enhanced capabilities that provide both security and efficiency to networks. The capabilities brought by ADCs to the Server Side of the ADN include:

Server Load Balancing. The ADC allows the use of software-based intelligent load balancing to enhance performance over hardware-based simple load balancing. This not only provides a path to open server capability, but also matches the best server for the incoming traffic based on programmed policies and application-layer knowledge that supports business requirements (Figure 51).

Benefits. Because the ADC conducts continuous health checks of network servers, only routes traffic to online devices, and routes to the best performing devices using intelligent load balancing capability, Server Load Balancing provides a 25% increase in capacity and reduces server hardware requirements by 25% over traditional DNS round-robin configurations.

Figure 51. Intelligent Load Balancing.

L7 Content Routing. By designating different servers for different types of data functions, the ADC may be configured to route traffic to the server(s) best configured to process applications based on their specific needs (Figure 51).

Benefits. By using L7 content routing, the ADC can optimize data center resources while protecting the network and applications from security threats.

Connection Persistence. This capability is critical to transaction-based applications. For example, if you begin a transaction, add an item to your virtual shopping cart, and are then load balanced to a different server for checkout without a persistent connection back to the original server, your cart will be empty at checkout. The ADC uses session state with HTTP headers and cookies to ensure that users and servers remain persistent throughout the transaction.

Benefits. By maintaining a persistent connection to the original server that started the transaction, the transaction may be completed without loss of data or loss of connection.
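The three ADC capabilities just described (health-checked server load balancing, L7 content routing, and connection persistence) interact on every request, and the order in which an ADC applies them matters: a pinned session must win over load balancing, but only while its server is healthy. The following added example is a simplified model written for this guide, not code from any Fortinet ADC or ADN product; the `Server`/`ADC` classes, the `ADC_SESSION` cookie name, the path-based pool rule, and the least-connections policy are all constructed assumptions.

```python
import secrets


class Server:
    def __init__(self, name, pool):
        self.name = name
        self.pool = pool        # content pool this server is configured for ("app" or "static")
        self.healthy = True     # updated by health checks
        self.active = 0         # open connections, used for least-connections balancing


class ADC:
    def __init__(self, servers):
        self.servers = servers
        self.sessions = {}      # persistence cookie -> server name

    def health_check(self, probe):
        # probe(server) -> bool stands in for the periodic TCP/HTTP probe a real ADC sends.
        for s in self.servers:
            s.healthy = probe(s)

    def release(self, server_name):
        # Called when a client connection closes.
        for s in self.servers:
            if s.name == server_name and s.active > 0:
                s.active -= 1

    def route(self, request):
        """Return (server_name, persistence_cookie) for a request dict with 'path' and 'cookies'."""
        cookie = request["cookies"].get("ADC_SESSION")

        # 1. Connection persistence: a known cookie pins the client to the server
        #    where its transaction began, as long as that server is still healthy.
        if cookie in self.sessions:
            pinned = next((s for s in self.servers if s.name == self.sessions[cookie]), None)
            if pinned is not None and pinned.healthy:
                pinned.active += 1
                return pinned.name, cookie

        # 2. L7 content routing: choose the server pool from the request path.
        pool = "static" if request["path"].startswith("/static/") else "app"
        candidates = [s for s in self.servers if s.healthy and s.pool == pool]
        if not candidates:
            raise RuntimeError("no healthy server in pool " + pool)

        # 3. Intelligent load balancing: least connections among healthy candidates
        #    (ties resolve to the first configured server).
        chosen = min(candidates, key=lambda s: s.active)
        chosen.active += 1

        # Issue a fresh persistence cookie, or re-pin an existing one whose server failed.
        if cookie is None:
            cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = chosen.name
        return chosen.name, cookie


if __name__ == "__main__":
    adc = ADC([Server("app1", "app"), Server("app2", "app"), Server("static1", "static")])
    adc.health_check(lambda s: True)
    name, cookie = adc.route({"path": "/cart/add", "cookies": {}})
    print("cart added on", name)
    name, _ = adc.route({"path": "/checkout", "cookies": {"ADC_SESSION": cookie}})
    print("checkout on", name)            # same server, cart still present
```

Because the cookie is only a random lookup key into the ADC's own table, it carries no server name or user data that a client could alter; if the pinned server fails a health check, the client is quietly re-balanced, which is the failure case the shopping-cart scenario above is really about.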


SSL Offloading/Acceleration. SSL traffic may result in overloading servers, reducing capacity to a range in the 100’s TPS. By offloading and accelerating SSL encryption, decryption, and certificate management from servers, the ADC enables web and application servers to focus CPU and memory resources to
