STOPPING LAYER 7 ATTACKS with F5 ASM. Sven Müller Security Solution Architect

Academic year: 2021


(1)

STOPPING LAYER 7 ATTACKS

with F5 ASM

Sven Müller

(2)

Agenda

• Who is targeted

• What do Layer 7 attacks look like

• How to protect against Layer 7 attacks

• Building a security policy

• Layer 7 DDOS protection

(3)

© F5 Networks, Inc 3

Cyber-attacks in the News for 2011

(4)


Cyber-attacks in the News for 2012

(5)


(6)
(7)


Example: SQL-Injection

$id = $_GET['id'];

$result = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";

(8)


$id = $_GET['id'];

$result = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";

Attacker inserts: ' or 1=1 #

This results in: SELECT first_name, last_name FROM users WHERE user_id = '' or 1=1#

1=1 is always true, so all entries will be returned.
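The following is an added example, not code from the slides: it reproduces the slide's string-built query against an in-memory SQLite table (constructed sample rows) and shows the parameterized form that a WAF-protected application should use anyway. SQLite comments with "--" rather than MySQL's "#", so SQLITE_PAYLOAD is the SQLite equivalent of the slide's payload; the table contents and function names are assumptions.

```python
import sqlite3

# Constructed sample data for the demo; the slides show no table contents.
SAMPLE_USERS = [(1, "Alice", "Adams"), (2, "Bob", "Baker"), (3, "Carol", "Clark")]

# The slide's payload is "' or 1=1 #" (MySQL comment syntax). SQLite, used here so
# the demo runs offline, comments with "--", so this is the equivalent payload.
SQLITE_PAYLOAD = "' or 1=1 --"


def make_db():
    """In-memory users table shaped like the one the slide's query reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def build_vulnerable_query(user_id):
    """Same construction as the PHP on the slide: untrusted input spliced into SQL text."""
    return f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"


def lookup_vulnerable(conn, user_id):
    """Executes the string-built query; the input can change the query's logic."""
    return conn.execute(build_vulnerable_query(user_id)).fetchall()


def lookup_parameterized(conn, user_id):
    """Hardened form: the value is bound as a parameter and never parsed as SQL,
    so the payload is compared literally against user_id and matches nothing."""
    return conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_query(SQLITE_PAYLOAD))
    print("vulnerable   :", lookup_vulnerable(db, SQLITE_PAYLOAD))    # every row
    print("parameterized:", lookup_parameterized(db, SQLITE_PAYLOAD))  # no rows
```

The parameterized lookup returns no rows for the payload because SQLite compares the whole string against the integer column; only a real id such as "2" matches.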

(9)

L7-DDOS: Valid requests, but unfortunately way too many

Tools and bot networks make it easy for attackers to generate a huge number of requests. Interesting DDOS example: a Facebook-hosted DDOS using the Notes app.

Facebook Notes allows users to include <img> tags.

Whenever an <img> tag is used, Facebook crawls the image from the external server and caches it. Facebook will only cache the image once. However, using random GET parameters, the cache can be bypassed and the feature can be abused to cause a huge HTTP GET flood.

<img src=http://targetname/file?r=1></img> <img src=http://targetname/file?r=1></img>

...

<img src=http://targetname/file?r=1000></img>

(10)

Source: http://chr13.com/2014/04/20/using-facebook-notes-to-ddos-any-website/

Number of involved Facebook servers: 112

Example: L7-DDOS

Or use Google to do DDOS attacks:

(11)


Network Security does not help against Application attacks (Layer 7)

PORT 80 / PORT 443: Perimeter security is strong, but is open to web traffic.

Attacks now look to exploit application vulnerabilities:

• Forceful Browsing

• Cross-Site Scripting

• Cookie Poisoning

• SQL/OS Injection

• Hidden-Field Manipulation

• Parameter Tampering

• Buffer Overflow

• Brute force attacks

• Layer 7 DOS

• Webscraping

• CSRF

• Viruses

• Botnets

• Phishing

• Proxies

Risks: Infrastructural Intelligence, Non-compliant Information, Forced Access to Information. High Information Density = High Value Attack.

(12)
(13)


Web application firewall (WAF) protects on Layer 7

• WAF allows only legitimate requests

• WAF stops bad requests and responses

Risks addressed between the browser and the application: Unauthorised Access, Infrastructural Intelligence, Non-compliant Information

(14)

F5 Full-proxy architecture

Client side: TCP, SSL, HTTP (with iRules at each layer) | Server side: TCP, SSL, HTTP (with iRules at each layer)

Attacks handled by the Network Firewall and the WAF: ICMP flood, SYN flood, SSL renegotiation, Data leakage, Slowloris attack, XSS

(15)


Common attacks on web applications

BIG-IP ASM delivers comprehensive protection against critical web attacks:

• OWASP top 10

• CSRF

• Cookie manipulation

• Brute force attacks

• Forceful browsing

• Buffer overflows

• Web scraping

• Parameter tampering

• SQL injections

• Information leakage

• Field manipulation

• Session hijacking

• Cross-site scripting

• Zero-day attacks

• Command injection

• ClickJacking

(16)


Silverline Web Application Firewall (WAFaaS)

Proven security effectiveness as a convenient cloud-based service

Protect web applications and data from layer 7 attacks, and enable compliance, such as PCI DSS, with the Silverline Web Application Firewall service, which is built on BIG-IP Application Security Manager and backed by 24x7x365 support from F5 experts.

L7 Protection: Geolocation attacks, DDoS, SQL injection, OWASP Top Ten attacks, zero-day threats, AJAX applications, JSON payloads

VA/DAST Scans: Policy can be built from 3rd Party DAST

Deployment (diagram): Legitimate users and attackers reach the F5 Silverline WAF (cloud Web Application Firewall Services), which fronts public cloud hosted, private cloud hosted and physically hosted web apps.

(17)
(18)


Different ways to build a policy

(Security policy checked → Security policy applied)

DYNAMIC POLICY BUILDER

• Automatic: no knowledge of the app required; adjusts policies if the app changes

• Manual: advanced configuration for custom policies

INTEGRATION WITH APP SCANNERS

• Virtual patching with continuous application scanning

PRE-BUILT POLICIES

• Out-of-the-box

• Pre-configured and validated

• For mission-critical apps, including: Microsoft, Oracle, PeopleSoft
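To make the "automatic policy builder" idea concrete, here is an added example of a learning positive-security policy; it is a hypothetical model written for this page, not ASM's Policy Builder or any F5 code. It learns URLs, parameter names and value classes from constructed sample traffic, then enforces them in blocking mode; the class names, thresholds and the assumption that learning traffic is trusted are all this example's own.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Value classes ordered from strictest to loosest; a learned class admits only
# values of that class or a stricter one.
VALUE_CLASSES = ["integer", "alnum", "free_text"]


def classify(value):
    """Map a parameter value to the strictest class that accepts it."""
    if re.fullmatch(r"\d+", value):
        return "integer"
    if re.fullmatch(r"[A-Za-z0-9_.@-]+", value):
        return "alnum"
    return "free_text"


class PositivePolicy:
    """Learns which URLs, parameters and value classes an app uses, then enforces them.

    Hypothetical model of a learning WAF policy; not ASM's Policy Builder."""

    def __init__(self):
        self.learning = True
        self.urls = {}  # path -> {parameter name: widest learned value class}

    @staticmethod
    def _parse(url):
        parts = urlsplit(url)
        return parts.path, dict(parse_qsl(parts.query, keep_blank_values=True))

    def learn(self, url):
        """Widen the policy from one observed request (feed only trusted traffic)."""
        path, params = self._parse(url)
        entity = self.urls.setdefault(path, {})
        for name, value in params.items():
            seen = classify(value)
            if name not in entity or VALUE_CLASSES.index(seen) > VALUE_CLASSES.index(entity[name]):
                entity[name] = seen

    def check(self, url):
        """Return violations for a request; an empty list means it matches the policy."""
        path, params = self._parse(url)
        if path not in self.urls:
            return [f"illegal URL: {path}"]
        violations = []
        for name, value in params.items():
            if name not in self.urls[path]:
                violations.append(f"illegal parameter: {name}")
                continue
            allowed = self.urls[path][name]
            if VALUE_CLASSES.index(classify(value)) > VALUE_CLASSES.index(allowed):
                violations.append(f"illegal value for {name}: expected {allowed}")
        return violations

    def handle(self, url):
        """Learning mode widens the policy and allows; blocking mode enforces it."""
        violations = self.check(url)
        if violations and self.learning:
            self.learn(url)
            return "allowed (learned)", violations
        return ("blocked" if violations else "allowed"), violations


# Constructed sample of legitimate traffic used to build the policy.
LEARNING_TRAFFIC = [
    "/user?id=1",
    "/user?id=42",
    "/search?q=blue+shoes",
    "/login?user=alice&pw=secret1",
]


def build_policy():
    """Learn from the sample traffic, then switch to blocking mode."""
    policy = PositivePolicy()
    for url in LEARNING_TRAFFIC:
        policy.learn(url)
    policy.learning = False
    return policy


if __name__ == "__main__":
    p = build_policy()
    for url in ["/user?id=7", "/user?id=1' or 1=1", "/user?id=7&debug=1", "/admin"]:
        print(url, "->", p.handle(url))
```

In blocking mode an injection payload in the id parameter is rejected as a value-type violation, an unlearned parameter or URL is rejected as illegal, and the free-text search query learned earlier still passes; in learning mode the same unknown URL would instead be added to the policy, which is why a real deployment restricts what traffic the builder learns from.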

(19)

Policy Builder Deployment Wizard

(20)


Identify, virtually patch, mitigate vulnerabilities

• Scan the application with a web application security scanner: Generic Scanner, Qualys, IBM, WhiteHat, Cenzic, HP WI

• Import vulnerabilities into BIG-IP ASM

• Mitigate web app attacks (from hacker clients)

(21)


Expert Policy Setup and Management / Active Threat Monitoring / Availability & Support

F5 security experts proactively monitor and fine-tune policies to protect web applications and data from new and emerging threats.

• Expert policy setup

• Policy fine-tuning

• Proactive alert monitoring

• False positive tuning

• Detection tuning

• Whitelist / blacklist setup and monitoring

Reduce operating costs by outsourcing WAF policy management to F5 SOC experts.

(22)
(23)


Automatic HTTP/S DoS attack detection and protection

• Accurate detection technique, based on latency and/or transactions per second (TPS)

• Three different mitigation techniques escalated serially

• Focus on higher-value productivity while automatic controls intervene

IDENTIFY POTENTIAL ATTACKERS → DROP ONLY THE ATTACKERS
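As an added illustration of latency/TPS-based detection that drops only the attackers, and of the cache-busting GET flood from the Facebook Notes example earlier, the following Python is written for this page and is not F5 code. The log format, the thresholds and the sample traffic (two flooding clients sending /file?r=N plus one normal visitor) are constructed; ASM's own escalation steps are not modelled.

```python
import re
from collections import defaultdict

# Constructed access-log format for this demo (not an F5 log format):
# "<epoch_seconds> <client_ip> <method> <path> <latency_ms>"
LINE_RE = re.compile(r"^(\d+) (\S+) (GET|POST) (\S+) (\d+)$")


def make_sample_log():
    """Constructed traffic: two flooding clients requesting /file?r=N with
    cache-busting parameters (the pattern from the Facebook Notes example)
    alongside one normal visitor."""
    lines = []
    for n in range(1, 41):
        lines.append(f"1000 203.0.113.10 GET /file?r={n} 850")
        lines.append(f"1000 203.0.113.11 GET /file?r={n + 1000} 870")
    lines += [
        "1000 198.51.100.5 GET /index.html 30",
        "1000 198.51.100.5 GET /style.css 25",
        "1001 198.51.100.5 GET /login 40",
    ]
    return "\n".join(lines)


def parse_log(text):
    """Parse lines into (timestamp, ip, method, path, latency_ms); skip malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, method, path, latency = m.groups()
            records.append((int(ts), ip, method, path, int(latency)))
    return records


def tps_per_client(records):
    """Peak requests per second observed for each client IP."""
    per_second = defaultdict(int)
    for ts, ip, *_ in records:
        per_second[(ip, ts)] += 1
    peak = defaultdict(int)
    for (ip, _), count in per_second.items():
        peak[ip] = max(peak[ip], count)
    return dict(peak)


def attack_in_progress(records, max_avg_latency_ms=500, max_site_tps=50):
    """Site-wide trigger: average server latency or aggregate TPS above its threshold."""
    if not records:
        return False
    avg_latency = sum(r[4] for r in records) / len(records)
    per_second = defaultdict(int)
    for r in records:
        per_second[r[0]] += 1
    return avg_latency > max_avg_latency_ms or max(per_second.values()) > max_site_tps


def identify_attackers(records, max_client_tps=20):
    """Flag only clients whose own request rate is abnormal, and only while the
    site-wide trigger fires, so a normal visitor is never dropped."""
    if not attack_in_progress(records):
        return set()
    return {ip for ip, tps in tps_per_client(records).items() if tps > max_client_tps}


def drop_attackers(records):
    """Drop the flagged clients' requests and keep everyone else's."""
    attackers = identify_attackers(records)
    return [r for r in records if r[1] not in attackers]


if __name__ == "__main__":
    recs = parse_log(make_sample_log())
    print("attack in progress:", attack_in_progress(recs))
    print("attackers:", sorted(identify_attackers(recs)))
    print("requests kept:", len(drop_attackers(recs)), "of", len(recs))
```

The two-stage check matters: the per-client threshold alone would also flag a busy but legitimate client during quiet periods, while the site-wide latency/TPS trigger alone cannot say whom to drop.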

(24)


Highly accurate anti-bot and scanner protection

• Differentiate between script and browser

• Inspection of user interaction with the browser

• Distinguish real users from bots

• Mitigate automated attacks, scanners, botnets and intellectual property scrapers

• Detect a persistent scraper that uses multiple IP addresses or a single request session

(Diagram: Web Bot → ASM Application Security → Website)

(25)


Browser Fingerprinting

• Uniquely identify browsers by their customized attributes, such as:

• Screen resolution

• Time zone

• Default fonts

• User agent

• Installed plug-ins

• http://browserspy.dk/

• Statistical method, however strong enough: https://panopticlick.eff.org/
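The following added example (written for this page, not F5's fingerprinting implementation) ties the two preceding slides together: it hashes the attributes listed above into a fingerprint that excludes the client IP, then uses it to link a scraper that rotates across several addresses. The attribute values, the session list and the three-address threshold are constructed; the anonymity-set count shows why the slide calls the method statistical.

```python
import hashlib
import json
from collections import defaultdict

# Attributes from the slide (screen resolution, time zone, default fonts, user agent,
# installed plug-ins); the values below are constructed.
FINGERPRINT_KEYS = ("screen", "timezone", "fonts", "user_agent", "plugins")


def fingerprint(attrs):
    """Stable identifier from the browser's attributes only; the client IP is
    deliberately excluded so that rotating IPs does not change the result."""
    selected = {k: attrs.get(k) for k in FINGERPRINT_KEYS}
    canonical = json.dumps(selected, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


SCRAPER_BROWSER = {
    "screen": "1920x1080", "timezone": "UTC+1", "fonts": ["Arial", "Verdana"],
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64) ...", "plugins": [],
}

# Constructed sessions: (client_ip, browser attributes). The scraper keeps one browser
# while rotating across four addresses; the last two visitors happen to match each other.
SESSIONS = [
    ("203.0.113.1", SCRAPER_BROWSER),
    ("203.0.113.2", SCRAPER_BROWSER),
    ("203.0.113.3", SCRAPER_BROWSER),
    ("203.0.113.4", SCRAPER_BROWSER),
    ("198.51.100.7", {"screen": "1440x900", "timezone": "UTC-5", "fonts": ["Helvetica"],
                      "user_agent": "Mozilla/5.0 (Macintosh) ...", "plugins": ["PDF Viewer"]}),
    ("198.51.100.8", {"screen": "1366x768", "timezone": "UTC+1", "fonts": ["Arial"],
                      "user_agent": "Mozilla/5.0 (Windows NT 10.0) ...", "plugins": ["PDF Viewer"]}),
    ("198.51.100.9", {"screen": "1366x768", "timezone": "UTC+1", "fonts": ["Arial"],
                      "user_agent": "Mozilla/5.0 (Windows NT 10.0) ...", "plugins": ["PDF Viewer"]}),
]


def ips_by_fingerprint(sessions):
    """Group the client addresses seen for each fingerprint."""
    groups = defaultdict(set)
    for ip, attrs in sessions:
        groups[fingerprint(attrs)].add(ip)
    return groups


def persistent_scrapers(sessions, min_ips=3):
    """Fingerprints seen from at least min_ips distinct addresses: the slide's
    'persistent scraper that uses multiple IP addresses'."""
    return {fp: sorted(ips) for fp, ips in ips_by_fingerprint(sessions).items()
            if len(ips) >= min_ips}


def anonymity_set_size(sessions, attrs):
    """How many sessions share this fingerprint; a larger set means weaker identification."""
    target = fingerprint(attrs)
    return sum(1 for _, a in sessions if fingerprint(a) == target)


if __name__ == "__main__":
    print("scrapers:", persistent_scrapers(SESSIONS))
    print("anonymity set of visitor .8:", anonymity_set_size(SESSIONS, SESSIONS[5][1]))
```

The threshold exists because identical fingerprints are not proof of one actor: the two Windows visitors collide without being the same client, which is the statistical caveat the slide points to.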

(26)


IP intelligence service

IP address feed updates every 5 min

Geolocation database categories: Botnet, Anonymous requests, Anonymous proxies, Scanner, Restricted region or country, Attacker, Internally infected devices and servers

Protected assets (diagram): Custom application, Financial application

(27)
(28)


Detailed logging with actionable reports

(29)


Attack Expert System in ASM

1. Click on info tooltip

Attack expert system makes responding to vulnerabilities faster and easier: violations are represented graphically, with a tooltip to

(30)


Enhanced visibility and analysis

Statistics collected: URLs, Methods, Server/client latency, Client IPs and geos, Throughput, User agents, Response codes, User sessions

Views: Virtual server, Pool member, Response codes, URLs and HTTP methods

Application analytics for assured availability

• ASM logs provide deeper intelligence grouped by application and user

• Rules can be applied based on user behavior

• Latency monitoring provides:

• Business intelligence/capacity planning

• Troubleshooting and performance tuning

(31)


WAFaaS: Gain attack insights and intelligence

F5 Customer Portal: Compliance, Visibility & Attack Reports

• Securely communicate with Silverline SOC experts

• View centralized attack and threat monitoring reports with details including:

• source geo-IP mapping

• blocked vs. alerted attacks

• blocked traffic and attack types

• alerted attack types

• threats*

• bandwidth used

• hits/sec*

• type of traffic and visits (bots v. humans)*

(32)
