Web Application Security
Radovan Gibala
Senior Field Systems Engineer
F5 Networks
© F5 Networks, Inc 2
Security’s Gaping Hole
“64% of the 10 million security incidents tracked targeted port 80.”
Web Application Security: port 80 (HTTP) and port 443 (HTTPS)
Who is responsible for application security?
• Network security?
• Web developers?
• DBAs?
Web Application Protection Strategy
Best practice design methods
• Only protect against known vulnerabilities
• Difficult to enforce, especially with sub-contracted code
• Only periodically updated; large exposure window
Automated & targeted testing
• Done periodically; only as good as the last test
• Only checks for known vulnerabilities
• Does it find everything?
Web application firewall
• Real-time 24x7 protection
Common attacks on web applications
BIG-IP ASM delivers comprehensive protection against critical web attacks:
• CSRF
• Cookie manipulation
• OWASP Top 10
• Brute force attacks
• Forceful browsing
• Buffer overflows
• Web scraping
• Parameter tampering
• SQL injection
• Information leakage
• Field manipulation
• Session hijacking
• Cross-site scripting
• Zero-day attacks
• Command injection
• Clickjacking
Traditional Security Devices vs. WAF
Threat categories compared across traditional security devices and a WAF:
• Known web worms
• Unknown web worms
• Known web vulnerabilities
• Unknown web vulnerabilities
• Illegal access to web-server files
• Forceful browsing
• File/directory enumeration
• Buffer overflow
• Cross-site scripting
• SQL/OS injection
• Cookie poisoning
• Hidden-field manipulation
• Parameter tampering
• Layer 7 DoS attacks
• Brute force login attacks
App. Security and Acceleration
Full-proxy architecture
Client-side stack: TCP, SSL, HTTP (an iRule hook at each layer)
Server-side stack: TCP, SSL, HTTP (an iRule hook at each layer)
F5 provides comprehensive application security
• Application access
• Network access
• Network firewall
• Network DDoS protection
• SSL DDoS protection
• DNS DDoS protection
• Application DDoS protection
• Web application firewall
• Fraud protection
BIG-IP® Application Security Manager™
Dynamic multi-layered security
• Turn on with a license key on BIG-IP Local Traffic Manager, or run standalone
• Caching, compression and SSL acceleration included in standalone
Traffic flow: request made → BIG-IP ASM security policy checked → vulnerable application → server response generated → BIG-IP ASM applies security policy → secure response delivered
• Provides transparent protection from ever-changing threats
• Ensures application availability while under attack
• Deployed as a full proxy or transparent full proxy (bridge mode)
• Minimal impact on application performance
• Drop, block or forward request
• Application attack filtering & inspection
• SSL, TCP and HTTP DoS mitigation
• Response inspection for errors and leakage of sensitive information
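The two-sided flow above (request checked against a policy before it reaches the application, response inspected before it reaches the client) is easier to reason about with a concrete, if tiny, policy engine. The following is an added example written for this page in Python; it is not F5 code and the policy and signature shapes are hypothetical, not the ASM policy format. It combines a positive model (only known URLs, methods and parameter types pass, the whitelist a policy builder would learn) with a few negative-model attack signatures, and on the response side blocks server errors and stack-trace leakage and masks card numbers. The backend is a constructed stand-in for the protected application.

```python
import re

# Constructed positive-security policy (hypothetical shape, not the ASM policy
# format): per URL, the allowed methods and expected parameter types/lengths.
POLICY = {
    "/login": {
        "methods": {"POST"},
        "params": {
            "user": {"type": "alnum", "max_len": 32},
            "pass": {"type": "any", "max_len": 128},
        },
    },
    "/account": {
        "methods": {"GET"},
        "params": {"id": {"type": "int", "max_len": 10}},
    },
}

# Value shapes for the positive model: anything not matching is rejected.
TYPE_CHECKS = {
    "int": re.compile(r"^\d+$"),
    "alnum": re.compile(r"^[A-Za-z0-9_.@-]+$"),
    "any": re.compile(r"^[^\x00-\x08\x0b\x0c\x0e-\x1f]*$"),  # no control bytes
}

# Attack signatures (negative model) layered on top; deliberately small.
SIGNATURES = {
    "sqli": re.compile(r"(?i)(\bor\b\s+\d+\s*=\s*\d+|union\s+select|--\s*$|;\s*drop\b)"),
    "xss": re.compile(r"(?i)(<script\b|javascript:|on(?:error|load|click)\s*=)"),
}

def check_request(method, url, params):
    """Request side: return ('forward', 'ok') or ('block', reason)."""
    rule = POLICY.get(url)
    if rule is None:
        return "block", "illegal URL (forceful browsing)"
    if method not in rule["methods"]:
        return "block", f"illegal method {method} for {url}"
    for name, value in params.items():
        spec = rule["params"].get(name)
        if spec is None:
            return "block", f"illegal parameter {name} (parameter tampering)"
        if len(value) > spec["max_len"]:
            return "block", f"parameter {name} exceeds {spec['max_len']} bytes"
        if not TYPE_CHECKS[spec["type"]].match(value):
            return "block", f"parameter {name} violates type {spec['type']}"
        for sig_name, sig in SIGNATURES.items():
            if sig.search(value):
                return "block", f"{sig_name} signature in parameter {name}"
    return "forward", "ok"

# Response side: error/stack-trace leakage patterns, and card numbers to mask.
LEAK_RE = re.compile(
    r"Traceback \(most recent call last\)|ORA-\d{5}|"
    r"You have an error in your SQL syntax|at [\w.$]+\(\w+\.java:\d+\)"
)
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")  # 13-16 digits, optional separators

def check_response(status, body):
    """Return (action, reason, body_to_deliver)."""
    if status >= 500 or LEAK_RE.search(body):
        return "block", "server error or information leakage", ""
    masked = CARD_RE.sub(lambda m: "*" * (len(m.group(0)) - 4) + m.group(0)[-4:], body)
    return "forward", "masked" if masked != body else "ok", masked

def waf(method, url, params, backend):
    """Full flow: check request, call the (vulnerable) app, check response."""
    action, reason = check_request(method, url, params)
    if action == "block":
        return 403, f"Request blocked: {reason}"
    status, body = backend(method, url, params)
    action, reason, body = check_response(status, body)
    if action == "block":
        return 403, f"Response blocked: {reason}"
    return status, body

# Constructed stand-in for the protected application (leaks a card number).
def demo_backend(method, url, params):
    if url == "/account":
        return 200, f"Account {params['id']}: card 4111 1111 1111 1111 on file"
    return 200, "Welcome"
```

Note the order of checks: the positive model runs first, so `id=7 OR 1=1` is rejected as "not an integer" before any SQL signature is consulted; signatures only matter for free-form fields such as the password, which the positive model cannot constrain much.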
BIG-IP Application Security Manager
Multiple deployment options
• Standalone or ADC add-on
• Appliance or Virtual Edition
• Manual or automatic policy building
• 3rd-party DAST integration
Visibility and analysis
• High-speed customizable syslog
• Granular attack details
• Expert attack tracking and profiling
• Policy & compliance reporting
• Integrates with SIEM software
• Full HTTP/S request logging
Comprehensive protections
• Protection from web app vulnerabilities, including L7 DDoS
• Advanced anti-bot mitigation
• Integrated XML firewall
Comprehensive Protections
BIG-IP ASM extends protection to more than application vulnerabilities:
• L7 DDoS
• Web scraping
• Web bot identification
• XML filtering, validation & mitigation
• ICAP anti-virus integration
• XML firewall
• Geolocation blocking
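L7 DDoS and brute force login attacks (listed here and on the "Traditional Security Devices vs. WAF" slide) are not single malicious requests; each request looks legitimate and only the per-source rate gives the attack away. The following added example, written for this page in Python and not F5 code, runs two sliding-window detectors over a constructed access log: requests per source within a window (L7 flood) and failed logins per source within a window (credential brute force). The log line format is hypothetical, not the BIG-IP syslog format.

```python
import re
from collections import defaultdict, deque

# Constructed log line format (hypothetical, not the BIG-IP syslog format):
#   <client_ip> [<epoch_seconds>] "<METHOD> <url>" <status>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>\d+)\] "(?P<method>[A-Z]+) (?P<url>\S+)" (?P<status>\d{3})$'
)

def parse_log(lines):
    """Yield one dict per well-formed line; lines that do not parse are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["ts"] = int(d["ts"])
            d["status"] = int(d["status"])
            yield d

def detect(lines, window=10, rate_limit=20, login_url="/login", fail_limit=5):
    """Return {"l7_dos": {ip: peak_requests_in_window},
               "brute_force": {ip: peak_failed_logins_in_window}}.

    Both detectors keep a per-source deque of timestamps and drop entries older
    than `window` seconds, so memory is bounded by the rate, not the log length.
    """
    events = sorted(parse_log(lines), key=lambda e: e["ts"])
    req_win = defaultdict(deque)
    fail_win = defaultdict(deque)
    alerts = {"l7_dos": {}, "brute_force": {}}
    for e in events:
        ip, ts = e["ip"], e["ts"]
        q = req_win[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > rate_limit:
            alerts["l7_dos"][ip] = max(alerts["l7_dos"].get(ip, 0), len(q))
        # Brute force: only failed POSTs to the login URL count.
        if e["method"] == "POST" and e["url"] == login_url and e["status"] in (401, 403):
            f = fail_win[ip]
            f.append(ts)
            while f and ts - f[0] > window:
                f.popleft()
            if len(f) >= fail_limit:
                alerts["brute_force"][ip] = max(alerts["brute_force"].get(ip, 0), len(f))
    return alerts

def build_sample_log():
    """Constructed traffic: one normal user, one L7 flood source, one password guesser."""
    lines = [
        '10.0.0.5 [1000] "GET /" 200',
        '10.0.0.5 [1003] "GET /products" 200',
        '10.0.0.5 [1004] "POST /login" 401',   # one typo, then success
        '10.0.0.5 [1010] "POST /login" 200',
        'garbage line that does not parse',
    ]
    # 30 requests in 6 seconds from one source: Layer 7 flood
    lines += [f'203.0.113.7 [{1000 + i // 5}] "GET /search?q=x" 200' for i in range(30)]
    # 8 failed logins in 8 seconds from one source: credential brute force
    lines += [f'198.51.100.9 [{1020 + i}] "POST /login" 401' for i in range(8)]
    return lines
```

The thresholds are the whole game: a flood of 30 requests in 6 seconds is obvious, but a distributed attack spreads the same volume across many sources and stays under any per-IP limit, which is why the deck pairs rate detection with bot identification and device fingerprinting rather than relying on source IP alone.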
Fraud Protection
Protection applied at each stage of a user session:
• Site visit: device fingerprinting, geo-location
• Site login: brute force detection, behavioral analysis
• User navigation: behavioral and click analysis
• Transactions: abnormal money movement analysis
• Transaction execution: customer fraud alerts
Threats addressed: phishing threats, credential grabbing, malware injections, automatic transactions, PII and CC
Different ways to build a policy
Dynamic policy builder
• Automatic: no knowledge of the app required; adjusts policies if the app changes
• Manual: advanced configuration for custom policies
Integration with app scanners
• Virtual patching with continuous application scanning
Pre-built policies
• Out-of-the-box
• Pre-configured and validated
• For mission-critical apps
Identify, virtually patch, mitigate vulnerabilities
• Scan application with a
• Import vulnerabilities into BIG-IP ASM
• Mitigate web app attacks
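Virtual patching, as described in the scan / import / mitigate steps above and in the "Integration with app scanners" policy option, means turning each scanner finding into an enforcement rule at the WAF so the exposure window closes before the code is fixed. The following added example, written for this page in Python and not F5 code, does that for a constructed scanner report whose JSON-like shape is hypothetical (real DAST exports and the ASM import format differ). Each finding becomes either a deny rule for a URL or a tightened allowed-value pattern for the vulnerable parameter; traffic to URLs without findings is untouched.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed scanner findings (hypothetical shape, not a real DAST export).
SCAN_REPORT = [
    {"id": "F-1", "type": "sqli", "method": "GET", "url": "/account", "param": "id"},
    {"id": "F-2", "type": "xss", "method": "GET", "url": "/search", "param": "q"},
    {"id": "F-3", "type": "forceful_browsing", "method": "GET", "url": "/backup.zip", "param": None},
]

# Mitigation per vulnerability class, expressed as what a safe value looks like
# for the affected parameter (a tightening, not an attack blacklist).
ALLOWED_VALUE = {
    "sqli": re.compile(r"^\d{1,10}$"),        # numeric id only
    "xss": re.compile(r"^[\w .,-]{0,64}$"),   # no markup or quote characters
}

def build_virtual_patches(report):
    """Map (method, path) -> {'deny': True, 'finding': id} or
                           {'deny': False, 'params': {name: (pattern, finding_id)}}."""
    patches = {}
    for f in report:
        key = (f["method"], f["url"])
        if f["param"] is None:
            patches[key] = {"deny": True, "finding": f["id"]}
            continue
        entry = patches.setdefault(key, {"deny": False, "params": {}})
        if entry["deny"]:
            continue  # whole URL already denied; parameter rule is redundant
        entry["params"][f["param"]] = (ALLOWED_VALUE[f["type"]], f["id"])
    return patches

def enforce(patches, method, raw_url):
    """Return ('forward', None) or ('block', finding_id) for one request."""
    parts = urlsplit(raw_url)
    patch = patches.get((method, parts.path))
    if patch is None:
        return "forward", None
    if patch["deny"]:
        return "block", patch["finding"]
    qs = parse_qs(parts.query, keep_blank_values=True)
    for name, (allowed, finding_id) in patch["params"].items():
        for value in qs.get(name, []):   # parse_qs decodes %xx and '+'
            if not allowed.match(value):
                return "block", finding_id
    return "forward", None
```

Because the rule is keyed to the finding id, the same pipeline supports continuous scanning: when a rescan no longer reports F-1, the rebuilt patch table drops that rule, and when it reports a new parameter on the same URL the table gains one without touching the others.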
Detailed logging with actionable reports
Enhanced visibility and analysis
Statistics collected: URLs, methods, server/client latency, client IPs and geos, throughput, user agents, response codes, user sessions
Views: virtual server, pool member, response codes, URLs and HTTP methods