F5 Web Application Security. Radovan Gibala Senior Solutions Architect


(1)

F5 Web Application Security

2011, Radovan Gibala, Senior Solutions Architect, [email protected]

(2)

Security's Gaping Hole

[Figure label: DATA]

"64% of the 10 million security incidents tracked targeted port 80."

(3)

Web Application Security

[Diagram: the perimeter firewall passes PORT 80 and PORT 443 through to the web application; callouts: Infrastructural Intelligence, Non-compliant Information, Forced Access to Information.]

Perimeter security is strong, but it is open to web traffic. Attacks now look to exploit application vulnerabilities:

– Buffer Overflow
– Cross-Site Scripting
– SQL/OS Injection
– Cookie Poisoning
– Hidden-Field Manipulation
– Parameter Tampering

High information density = high-value attack target.

(4)

Why Are Web Applications Vulnerable?

– New code written to best-practice methodology, but not tested properly
– New types of attack not covered by the current methodology
– New code written in a hurry due to business pressures
– Code written by third parties: badly documented, poorly tested, and the third party is no longer available
– Flaws in third-party infrastructure elements
– Session-less web applications written with a client-server mentality

(5)

Who is responsible for application security?

Network security? Web developers? DBAs? Engineering services?

(6)

Traditional Alternative: Rely Exclusively on the Developer

The developer is expected to deliver all of: application logic, application security, application integration, application performance, application availability, application scalability, application patching, application optimization. [Slide caption: 1+1=2]

(7)

Web Application Protection Strategy

[Diagram: web apps protected by two measures, each with its limitations.]

Best-practice design methods:
– Only protect against known vulnerabilities
– Difficult to enforce, especially with sub-contracted code
– Only periodically updated; large exposure window

Automated and targeted testing:
– Done periodically; only as good as the last test
– Only checks for known vulnerabilities

(8)

Challenges of traditional solutions

– HTTP attacks are valid requests
– HTTP is stateless, the application is stateful
– Web applications are unique: there are no signatures for YOUR web application
– Good protection has to inspect the response as well
– Encrypted traffic facilitates attacks
– Organizations are living in the dark

(9)

Traditional Scan-and-Fix and Audits

Scan and fix:
– Scanners can't find all vulnerabilities
– Scanners can't reverse-engineer the code
– Scanners can't find business-logic vulnerabilities
– When something is detected, it requires an immediate code change
– Not a proactive solution

Security code audits:
– Extremely expensive ($25,000 for a small to medium application)
– Require preparation and availability of the development team
– Require iterations of audit and fix
– Each fix may add more bugs to the application or introduce another vulnerability

"We only protect from what we know; we never protect from what we don't know."

(10)

Web Application Protection Strategy

[Diagram: the same two measures as slide 7, with a Web Application Firewall added in front of the web apps.]

Best-practice design methods:
– Only protect against known vulnerabilities
– Difficult to enforce, especially with sub-contracted code
– Only periodically updated; large exposure window

Automated and targeted testing:
– Done periodically; only as good as the last test
– Only checks for known vulnerabilities
– Does it find everything?

Web application firewall:
– Real-time, 24x7 protection
– Enforces best-practice methodology
– Allows immediate protection against new vulnerabilities

(11)

OWASP Top 10 / January 2007

A1 – Cross Site Scripting (XSS)
XSS flaws occur whenever an application takes user-supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser, which can hijack user sessions, deface web sites, etc.

A2 – Injection Flaws
Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.

A3 – Insecure Remote File Include (the released 2007 list names this entry "Malicious File Execution")
Code vulnerable to remote file inclusion allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise.

A4 – Insecure Direct Object Reference
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.

A5 – Cross Site Request Forgery (CSRF)
A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker.

A6 – Information Leakage and Improper Error Handling
Applications can unintentionally leak information about their configuration or internal workings, or violate privacy, through a variety of application problems. Attackers use this weakness to violate privacy or conduct further attacks.

A7 – Broken Authentication and Session Management
Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users' identities.

A8 – Insecure Cryptographic Storage
Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud.

A9 – Insecure Communications
Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.

A10 – Failure to Restrict URL Access
Frequently, the only protection for sensitive areas of an application is that links or URLs are not presented to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations.
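
A1 and A2 share one root cause: user-supplied data reaches an interpreter (a browser, a database engine) with nothing separating data from code. The script below is an added example, not code from this deck or from F5. It puts the vulnerable login query and the vulnerable HTML echo beside their hardened versions, using an in-memory SQLite table and payloads constructed for the demonstration; the table, user names and passwords are assumptions (passwords are kept in clear only to keep the example short, which is exactly A8's complaint).

```python
"""Added example: OWASP 2007 A1 (XSS) and A2 (SQL injection), vulnerable and
hardened forms side by side. Table, rows and payloads are constructed."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


# A2, vulnerable: user data is spliced into the query text, so the SQL
# interpreter cannot tell where the data ends and the command resumes.
def login_vulnerable(conn: sqlite3.Connection, user: str, pw: str) -> bool:
    sql = f"SELECT 1 FROM users WHERE name = '{user}' AND password = '{pw}'"
    return conn.execute(sql).fetchone() is not None


# A2, hardened: the query text is fixed; values travel as bound parameters
# and can never change the statement's structure.
def login_hardened(conn: sqlite3.Connection, user: str, pw: str) -> bool:
    sql = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (user, pw)).fetchone() is not None


# A1, vulnerable: user data is echoed into the page without encoding.
def greet_vulnerable(name: str) -> str:
    return f"<p>Hello, {name}!</p>"


# A1, hardened: encode for the HTML context before the browser sees it.
def greet_hardened(name: str) -> str:
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


SQLI_PAYLOAD = "' OR '1'='1"                 # constructed attacker input
XSS_PAYLOAD = "<script>alert(1)</script>"    # constructed attacker input


def demo() -> dict:
    """Run both payloads through both forms and report what each one did."""
    conn = make_db()
    return {
        "sqli_vulnerable": login_vulnerable(conn, "alice", SQLI_PAYLOAD),  # True: bypass
        "sqli_hardened": login_hardened(conn, "alice", SQLI_PAYLOAD),      # False
        "xss_vulnerable": "<script>" in greet_vulnerable(XSS_PAYLOAD),     # True
        "xss_hardened": "<script>" in greet_hardened(XSS_PAYLOAD),         # False
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The vulnerable login accepts the payload because the resulting statement ends in `OR '1'='1'`, which is true for every row; the hardened one compares the literal string `' OR '1'='1` against the password column and finds nothing. The same separation applies to A1: the browser only executes `<script>` when it arrives as markup, not as `&lt;script&gt;`.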

(12)

Traditional Security Devices vs. WAF

Attack categories compared: Known Web Worms, Unknown Web Worms, Known Web Vulnerabilities, Unknown Web Vulnerabilities, Illegal Access to Web-server Files, Forceful Browsing, File/Directory Enumeration, Buffer Overflow, Cross-Site Scripting, SQL/OS Injection, Cookie Poisoning, Hidden-Field Manipulation, Parameter Tampering, Layer 7 DoS Attacks, Brute Force Login Attacks, Application Security and Acceleration.

[Table: rows ASM, Network Firewall and IPS against the categories above; the slide contrasts ASM's coverage with the Limited or Partial coverage of the network firewall and IPS, but the per-cell marks did not survive extraction.]

(13)

Application Security Litmus Test ...or: "The Point of Truth"

Simple version:
– Does your WAF discover that the price of an item in an online shop was changed?

Technical version:
– OWASP Top Ten (http://www.owasp.org/index.php/OWASP_Top_Ten_Project), as listed in the 2004 edition:
  1. Unvalidated Input
  2. Broken Access Control
  3. Broken Authentication and Session Management
  4. Cross Site Scripting
  5. Buffer Overflow
  6. Injection Flaws
  7. Improper Error Handling
  8. Insecure Storage
  9. Application Denial of Service

(16)

Traditional Security Doesn't Protect Web Applications

[Table: attack categories (Known Web Worms, Unknown Web Worms, Known Web Vulnerabilities, Unknown Web Vulnerabilities, Illegal Access to Web-server Files, Forceful Browsing, File/Directory Enumeration, Buffer Overflow, Cross-Site Scripting, SQL/OS Injection, Cookie Poisoning, Hidden-Field Manipulation, Parameter Tampering) against Application Firewall, Network Firewall and IPS; the per-cell marks did not survive extraction.]

Looking at the wrong thing in the wrong place.

(17)

Negative vs. Positive Security Model

Negative security model:
– Block known attacks
– Everything else is allowed
– Signature updates are quick and easy to implement, but an attack is only blocked once a signature for it exists, so there is no protection against zero-day attacks

Positive security model:
– (Automatic) analysis of the web application
– Allow wanted transactions
– Everything else is denied
– Implicit security against new, yet unknown attacks (zero-day attacks)

(18)

Application Security with a WAF

[Diagram: browser, WAF and application; callouts for Unauthorised Access, Non-compliant Information and Infrastructural Intelligence.]

– Bi-directional: inbound protection from generalised and targeted attacks; outbound content scrubbing and application cloaking
– Application content and context aware
– High performance, low latency, high availability, high security
– Policy-based full proxy with deep inspection and Java support
– Positive security augmenting negative security
– Central point of application security enforcement

The WAF allows legitimate requests and stops bad requests.

(19)

Application Security with a WAF

Intelligent decisions allow only good application behaviour: positive security, built on a definition of good and bad behaviour.

(20)

Selective Application Flow Enforcement

[Diagram: a user jumps straight to a page instead of following the site's expected sequence, and the WAF flags a VIOLATION.]

• Should this be a violation? The user may have bookmarked the page!
• Unnecessarily enforcing flow can lead to false positives.

This part of the site is a financial transaction (From Acc., To Acc., Transfer $ Amount, Username, Password) that requires authentication; here we should enforce strict flow and parameter validation, so that only the request that follows the expected flow is ALLOWED.

(21)

Flexible Deployment Options

[Diagram: policy layers from the typical 'standard' starting point to the tighter security posture: OBJECT TYPES, OBJECT NAMES, PARAMETER NAMES, PARAMETER VALUES, OBJECT FLOWS.]

(22)

How does it work?

Security at application, protocol and network level.

Request flow: request made, security policy checked, server response, security policy applied (enforcement, content scrubbing, application cloaking), response delivered.

"BIG-IP enabled us to improve security instead of having to invest time and money to develop a new more secure application"
– Application Manager, Global 5000 Media and Entertainment Company (TechValidate 0C0-126-2FB)

(23)

Multiple security layers

– RFC enforcement
– Enforcement of various HTTP limits
– Profiling of good traffic: a defined list of allowed file types, URIs and parameters
– Each parameter is evaluated separately for: predefined value, length, character set, attack patterns

(24)

Flexible Policy Granularity

Generic policies (policy per object type):
– Low number of policies
– Quick to implement
– Requires little change management
– Can't take application flow into account

Specific policies (policy per object):
– High number of policies
– More time to implement
– Requires a change-management policy
– Can enforce application flow
– Tightest possible security
– Protects dynamic values
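
The layered positive model of slides 17 and 20 to 24 (object types, object names, parameter names, parameter values, object flows, with flow enforced only where it pays for itself) is easier to reason about as code. The block below is an added example written for this page, not ASM's policy format or F5 code. The URLs, parameter patterns, attack patterns and requests are constructed; parameters are read from the query string for both GET and POST purely to keep the example short.

```python
"""Added example, not F5 ASM code: a toy positive-security policy in the shape
the deck describes. Allowed methods, file types, URLs and parameters are listed
explicitly and everything else is a violation; only the money-transfer URL gets
flow enforcement, so a bookmarked catalog page is not a false positive."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

# Protocol layer: HTTP limits enforced before any application policy.
ALLOWED_METHODS = {"GET", "POST"}
MAX_URI_LEN = 2048

# Generic policy (per object type): cheap, no flow awareness.
ALLOWED_TYPES = {"html", "jsp", "css", "js", "png"}


# Specific policy (per object): parameter name -> (value pattern, max length).
# flow = pages a session must already have visited; None = flow not enforced.
@dataclass
class ObjectPolicy:
    params: Dict[str, Tuple[str, int]] = field(default_factory=dict)
    flow: Optional[List[str]] = None


POLICY: Dict[str, ObjectPolicy] = {               # constructed application
    "/catalog/item.jsp": ObjectPolicy(params={"id": (r"^\d{1,8}$", 8)}),
    "/bank/login.jsp": ObjectPolicy(params={
        "username": (r"^[a-z0-9_]{3,32}$", 32), "password": (r"^.{8,64}$", 64)}),
    "/bank/transfer.jsp": ObjectPolicy(params={
        "from_acc": (r"^\d{10}$", 10), "to_acc": (r"^\d{10}$", 10),
        "amount": (r"^\d{1,7}(\.\d{2})?$", 10)},
        flow=["/bank/login.jsp"]),
}

# Negative layer on top of the positive one: a few constructed attack patterns.
ATTACK_PATTERNS = [re.compile(p, re.I) for p in
                   (r"<script", r"'\s*or\s+'?\d'?\s*=", r"\.\./")]


def check(method: str, url: str, history: List[str]) -> List[str]:
    """Evaluate one request. `history` holds the URLs this session has already
    been allowed to visit. Returns the violations; empty means allowed."""
    violations: List[str] = []
    if method not in ALLOWED_METHODS:
        violations.append(f"illegal method {method}")
    if len(url) > MAX_URI_LEN:
        violations.append("request length exceeds limit")
    parts = urlsplit(url)
    path = parts.path
    last = path.rsplit("/", 1)[-1]
    ext = last.rsplit(".", 1)[-1] if "." in last else ""
    if ext not in ALLOWED_TYPES:                      # object type layer
        violations.append(f"illegal file type '{ext}'")
    policy = POLICY.get(path)
    if policy is None:                                # object name layer
        violations.append(f"illegal URL {path}")
        return violations
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name not in policy.params:                 # parameter name layer
            violations.append(f"illegal parameter {name}")
            continue
        pattern, max_len = policy.params[name]        # parameter value layer
        if len(value) > max_len:
            violations.append(f"parameter {name} too long")
        if not re.match(pattern, value):
            violations.append(f"parameter {name} value violates policy")
        if any(p.search(value) for p in ATTACK_PATTERNS):
            violations.append(f"attack signature in parameter {name}")
    if policy.flow is not None and not all(s in history for s in policy.flow):
        violations.append(f"illegal flow to {path}")  # object flow layer
    return violations


TRANSFER = "/bank/transfer.jsp?from_acc=1234567890&to_acc=0987654321&amount=100.00"


def demo() -> Dict[str, List[str]]:
    return {
        # bookmarked catalog page, empty history: allowed, flow is not enforced there
        "bookmark": check("GET", "/catalog/item.jsp?id=42", []),
        # transfer reached from a bookmark with no login in this session
        "transfer_no_login": check("POST", TRANSFER, []),
        "transfer_after_login": check("POST", TRANSFER, ["/bank/login.jsp"]),
        # hidden-field / parameter tampering: a parameter the page never defined
        "tampered": check("GET", "/catalog/item.jsp?id=42&price=1", []),
        "sqli": check("GET", "/catalog/item.jsp?id=1' or '1'='1", []),
        "unknown_object": check("GET", "/admin/backup.bak", []),
    }
```

Two things to notice when reading the verdicts: the price-tampering request is caught by the parameter-name layer alone, without any signature, which is the positive model doing the work; and the SQL injection is flagged three times (length, value pattern, signature), which is why a positive policy still lets you keep signatures for reporting without depending on them for protection.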

(25)

Flexible Deployment Options: Policy-Building Tools

[Diagram: the same policy layers as slide 21 (OBJECT TYPES, OBJECT NAMES, PARAMETER NAMES, PARAMETER VALUES, OBJECT FLOWS), from the typical 'standard' starting point to the tighter security posture, with policy tightening suggestions along the way.]

• "Trusted IP" learning
• Live traffic learning
• Crawler
• Negative RegEx
• Template

(26)

Deployment without false positives

Easy web application implementation:
– Rapid deployment policy
– Pre-configured application policies

Learning mode:
– Gradual deployment

(27)

Layer 7 DoS/DDoS

– DoS/DDoS attacks are on the increase
– The wide spread of malware provides many more tools and means to execute these attacks via botnets

Danger of DoS:
– Service availability
– Resource cost optimization
– Stability of the security state

Two main scenarios:
– The network pipe is saturated
– Server resources are saturated

An ideal solution stops the malicious traffic while allowing legitimate end users to get service, automatically.

(28)

Layer 7 DoS and Brute Force

Unique attack detection and protection: unwanted clients are remediated and desired clients are serviced, improving application availability.

(29)

Hacking Automation

– Attackers are using commercial scanners to find vulnerabilities
– Automated attack bots and worms randomly scan the internet for vulnerabilities and exploit them

What is probably the most difficult bot activity to detect?
– Web scraping: "stealing" IP content from a website, harvesting its database

(30)

Automated scanner and bot programs: web scraping is a real problem

[Diagram: Frankfurt and Dublin datacenters, each with Web, IT Staff and Domino tiers behind an ADC; remote users and an automated scraper arrive over the network.]

Problem:
– The entire web site is being scraped of valuable IP information
– Scrapers fail to present the company's terms and updates
– Sites copying the content end up ranking above the company's own for keywords
– Need logging and reporting on web scraping
– Legitimate users and web scrapers both copy or request data: scraping a public page or requesting private data behind it

(31)

Ryanair forbids screen-scraping as commercial use: a major business problem

– Unister online travel site, Duesseldorf to London: Ryanair 93.25 euros vs. Unister 111.86 euros, a 20% increase in price
– easyJet warns Expedia: 'Hands off our flights'; easyJet tried to block IP addresses, but Expedia uses millions of IP addresses
– Alternatives: litigation and legal letters; Ryanair sent cease-and-desist letters to 300 sites and won an injunction against Vtours GmbH

(32)

Solution: Protection from Web Scraping

[Diagram: the same Frankfurt and Dublin datacenters as slide 30, now fronted by a BIG-IP 8900 and a BIG-IP 6900 running LTM/ASM.]

– Detects the requests and determines that the web site is being scraped
– Legitimate users see data while scrapers are remediated
– Comprehensive reporting on scraping attacks
– Protects valuable intellectual property
– Prices are controlled and users see airline-approved inventory
– Integrated scrape reporting for PCI compliance
– Avoids litigation, drastically reducing legal costs

(33)

Control Over Bots and Scanners: Protection from Web Scraping

– Design rate shaping and request intervals before blocking
– Add IP addresses to a whitelist for allowable scrapers
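
Slides 29 to 33 describe the shape of a scraper control (rate shaping first, blocking second, a whitelist for partners who may crawl) without saying how a scraper is told apart from a person. The following is an added example of one way to do it, written for this page and not F5's detection logic: a per-source token bucket does the shaping, a regularity test on request intervals catches machine-paced clients, and a whitelist exempts a constructed partner address. All IPs, thresholds and timings are assumptions.

```python
"""Added example, not F5 code: a web-scraping detector in the shape of the
deck's slides on bots and scrapers. IPs, thresholds and timings are constructed."""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List

ALLOWED_SCRAPERS = {"203.0.113.10"}   # constructed partner IP (whitelist)
BUCKET_CAPACITY = 20.0                # burst a person might plausibly produce
REFILL_PER_SEC = 2.0                  # sustained pages per second granted
REGULARITY_WINDOW = 10                # intervals needed before judging pacing
MAX_CV = 0.15                         # stddev/mean below this = machine-paced


class ScrapeDetector:
    def __init__(self) -> None:
        self.tokens: Dict[str, float] = defaultdict(lambda: BUCKET_CAPACITY)
        self.last_seen: Dict[str, float] = {}
        self.intervals: Dict[str, List[float]] = defaultdict(list)

    def decide(self, ip: str, ts: float) -> str:
        """Verdict for one request: 'allow', 'shape' (serve slowly or later)
        or 'block'. Shaping comes before blocking, as the slide suggests."""
        if ip in ALLOWED_SCRAPERS:
            return "allow"
        if ip in self.last_seen:
            gap = ts - self.last_seen[ip]
            self.tokens[ip] = min(BUCKET_CAPACITY,
                                  self.tokens[ip] + gap * REFILL_PER_SEC)
            self.intervals[ip] = (self.intervals[ip] + [gap])[-REGULARITY_WINDOW:]
        self.last_seen[ip] = ts
        gaps = self.intervals[ip]
        # A script fires at near-constant spacing; people do not.
        if (len(gaps) == REGULARITY_WINDOW and mean(gaps) > 0
                and pstdev(gaps) / mean(gaps) < MAX_CV):
            return "block"
        if self.tokens[ip] < 1.0:
            return "shape"
        self.tokens[ip] -= 1.0
        return "allow"


def simulate(det: ScrapeDetector, ip: str, gaps: List[float]) -> List[str]:
    """Replay a client that starts at t=0 and then waits gaps[i] seconds
    between successive requests; returns the verdict per request."""
    ts = 0.0
    verdicts = [det.decide(ip, ts)]
    for gap in gaps:
        ts += gap
        verdicts.append(det.decide(ip, ts))
    return verdicts


def demo() -> Dict[str, List[str]]:
    det = ScrapeDetector()
    human_gaps = [2.1, 0.4, 5.3, 1.2, 3.7, 0.9, 2.8, 6.1, 1.5, 4.4, 0.7, 3.3]
    return {
        "human": simulate(det, "198.51.100.7", human_gaps),          # irregular, slow
        "regular_bot": simulate(det, "198.51.100.8", [0.1] * 14),    # metronome
        "jittered_bot": simulate(det, "198.51.100.9", [0.05, 0.3] * 20),  # fast, noisy
        "partner": simulate(det, "203.0.113.10", [0.1] * 14),        # whitelisted
    }
```

The metronome bot is blocked as soon as ten intervals are available, long before its bucket runs dry; the bot that adds jitter escapes the regularity test but is shaped once it outruns the refill rate; the whitelisted partner gets neither check. Tune the two thresholds against your own traffic: the coefficient of variation is the one that produces false positives if set too high.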

(34)

OWASP Top 5: CSRF Attack

What is a Cross Site Request Forgery (CSRF) attack?
– In a CSRF attack the attacker forces the victim's browser to send a stealthy, valid request that the attacker crafted to a web site in which the victim has a session

What are the dangers?
– Attackers can execute full transactions, which can be used for financial fraud, DoS, anything
– Hard for victims to prove that they didn't commit the transactions
– Hard to trace the origin

(35)

OWASP Top 5: CSRF Attack example

[Diagram: the victim's browser with two tabs, the Trusted Web Site and the attacker's page; the Trusted Action is triggered from the attacker's page.]

1. Mobile user logs in to a trusted site
2. Session is authenticated
3. User opens a new tab, e.g., chat
4. The attacker embeds a request in the chat
5. The embedded link makes the browser send a request to the trusted site; because the browser attaches the authenticated session, the trusted site performs the attacker's action as the victim
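
The five steps above are a protocol, and the defence is easiest to see as one too. The block below is an added example written for this page, not F5 or OWASP code: a browser object that, like a real one, attaches the session cookie to every request for the bank; a vulnerable transfer handler that trusts the cookie alone; and a hardened handler that also demands a session-bound token the attacker cannot read (the same-origin policy keeps bank.example's page out of evil.example's reach) and an Origin header the browser, not the attacker's page, sets. The secret, session id, host names, account names and balances are constructed.

```python
"""Added example, not F5 code: CSRF as in the slide, with the vulnerable and
the hardened transfer handler side by side. Everything below is constructed."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional

SERVER_SECRET = secrets.token_bytes(32)   # constructed; provisioned per deployment
BANK_ORIGIN = "https://bank.example"
SESSIONS = {"sess-7f3a": "alice"}         # constructed server-side session store
BALANCES = {"alice": 1000}


def csrf_token(session_id: str) -> str:
    """Synchroniser token bound to the session: HMAC(secret, session id).
    The bank embeds it in its own transfer form; evil.example can neither
    compute it (no secret) nor read it (same-origin policy)."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


class Request:
    def __init__(self, cookies: Dict[str, str], form: Dict[str, str],
                 origin: Optional[str]) -> None:
        self.cookies, self.form, self.origin = cookies, form, origin


def transfer_vulnerable(req: Request) -> str:
    """Trusts the cookie alone, so any site can trigger it (slide step 5)."""
    user = SESSIONS.get(req.cookies.get("sid", ""))
    if user is None:
        return "401 not logged in"
    BALANCES[user] -= int(req.form["amount"])
    return "200 transferred"


def transfer_hardened(req: Request) -> str:
    """Cookie plus a matching Origin plus the session-bound token."""
    sid = req.cookies.get("sid", "")
    user = SESSIONS.get(sid)
    if user is None:
        return "401 not logged in"
    if req.origin != BANK_ORIGIN:      # cross-site POST: browser-set header
        return "403 bad origin"
    if not hmac.compare_digest(req.form.get("csrf", ""), csrf_token(sid)):
        return "403 bad csrf token"
    BALANCES[user] -= int(req.form["amount"])
    return "200 transferred"


class Browser:
    """Slide steps 1-2: the user logged in, so the cookie jar holds a valid
    session cookie and sends it with every request to the bank, whichever
    page caused the request."""
    def __init__(self, sid: str) -> None:
        self.jar = {"sid": sid}

    def post(self, handler: Callable[[Request], str], form: Dict[str, str],
             origin: str) -> str:
        return handler(Request(self.jar, form, origin))


def demo() -> dict:
    browser = Browser("sess-7f3a")
    BALANCES["alice"] = 1000
    # Steps 3-5: a page on evil.example auto-submits a form to the bank.
    # The attacker knows neither the session id nor the token.
    forged = {"to_acc": "attacker", "amount": "500"}
    r_vuln = browser.post(transfer_vulnerable, forged, "https://evil.example")
    after_vuln = BALANCES["alice"]
    BALANCES["alice"] = 1000
    r_forged = browser.post(transfer_hardened, forged, "https://evil.example")
    # The bank's own form carries the token it embedded for this session.
    legit = {"to_acc": "bob", "amount": "100", "csrf": csrf_token("sess-7f3a")}
    r_legit = browser.post(transfer_hardened, legit, BANK_ORIGIN)
    return {"vulnerable": r_vuln, "balance_after_vulnerable": after_vuln,
            "hardened_forged": r_forged, "hardened_legit": r_legit,
            "balance_after_hardened": BALANCES["alice"]}
```

This is the check a WAF's CSRF protection has to reproduce in front of applications that never implemented it: inject a token into the forms it serves, and refuse state-changing requests that come back without it.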

(36)

ASM: Attack Protection from Rogue Users

Only vendor with checkbox functionality for easy protection of

(37)

ASM: ICAP support

Extract every file upload and send it to an antivirus scan over the Internet Content Adaptation Protocol (ICAP).

(38)

Web Services encryption and digital signature support

– ASM can cover a basic use case of message-level encryption
– The WS-Security standard was implemented*

Limitations:
– The encryption card isn't being used
– Requires the user to manage certificates in both ASM and LTM

(39)

XML Firewall

– Well-formedness validation
– Schema/WSDL validation
– Method selection
– Attack signatures for XML platforms
– Backend parser protection
– XML islands application protection
– Full request logging
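
Most of the items in that list are checks that can run before the backend parser ever sees the document. The block below is an added example written for this page, not ASM's XML firewall: a single gate that enforces a size limit, refuses any DOCTYPE (the carrier for entity-expansion and external-entity attacks on the backend parser), checks well-formedness, caps nesting depth, and restricts SOAP operations to an allow-list in place of full WSDL validation. The envelope layout, operation names and limits are constructed.

```python
"""Added example, not F5 code: XML-firewall checks as a pre-parser gate.
Limits, operation allow-list and sample documents are constructed."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

MAX_BODY_BYTES = 64 * 1024
MAX_DEPTH = 32
SOAP_ENV = "{http://schemas.xmlsoap.org/soap/envelope/}"
ALLOWED_OPERATIONS = {"GetQuote", "ListOrders"}     # constructed WSDL operations
DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.I)


def max_depth(root: ET.Element) -> int:
    """Iterative so a hostile document cannot exhaust the recursion limit."""
    deepest, stack = 0, [(root, 1)]
    while stack:
        el, d = stack.pop()
        deepest = max(deepest, d)
        stack.extend((child, d + 1) for child in el)
    return deepest


def xml_violations(body: bytes) -> List[str]:
    """Return the violations for one request body; empty means pass it on."""
    if len(body) > MAX_BODY_BYTES:
        return ["body exceeds size limit"]
    if DOCTYPE_RE.search(body):
        # Entity bombs and XXE both need a DTD; reject before parsing.
        return ["DOCTYPE declaration not allowed"]
    try:
        root = ET.fromstring(body)                    # well-formedness
    except ET.ParseError as exc:
        return [f"not well-formed: {exc}"]
    violations: List[str] = []
    if max_depth(root) > MAX_DEPTH:                   # backend parser protection
        violations.append("nesting depth exceeds limit")
    if root.tag != SOAP_ENV + "Envelope":
        violations.append("root element is not a SOAP Envelope")
        return violations
    soap_body = root.find(SOAP_ENV + "Body")
    if soap_body is None or len(soap_body) != 1:
        violations.append("Body must contain exactly one operation")
        return violations
    operation = soap_body[0].tag.split("}")[-1]      # strip the namespace
    if operation not in ALLOWED_OPERATIONS:           # method selection
        violations.append(f"operation {operation} not allowed")
    return violations


def envelope(operation: str, inner: str = "") -> bytes:
    """Constructed SOAP 1.1 request for the demonstration."""
    return (f'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
            f'<soap:Body><{operation} xmlns="urn:example:quotes">{inner}'
            f'</{operation}></soap:Body></soap:Envelope>').encode()


def demo() -> Dict[str, List[str]]:
    deep = "<a>" * 40 + "</a>" * 40
    entity_bomb = (b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
                   b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">]>'
                   b'<lolz>&lol2;</lolz>')
    return {
        "good": xml_violations(envelope("GetQuote", "<symbol>F5</symbol>")),
        "unknown_op": xml_violations(envelope("DeleteAllOrders")),
        "entity_bomb": xml_violations(entity_bomb),
        "deep": xml_violations(envelope("GetQuote", deep)),
        "broken": xml_violations(b"<soap:Envelope><soap:Body>"),
        "oversized": xml_violations(b"<a>" + b"x" * MAX_BODY_BYTES + b"</a>"),
    }
```

Rejecting every DOCTYPE is blunt but it is the one rule that makes the parser's entity handling irrelevant; if a backend genuinely needs internal DTDs, the alternative is a parser with entity expansion and external-entity resolution switched off, which is a per-parser setting rather than a gate.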

(40)

IP "penalties"

IP Penalty Enforcer:
– Regular and repeated attacks from reported IPs are mitigated
– A policy in ASM allows only a designated number of blocked violations per minute
– Once the threshold is reached, the IP's session is blocked
– Tighter security coverage for IP violators
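
Slide 40's enforcer and the brute-force protection of slide 28 are the same mechanism with different inputs: count events per source over a minute, and penalise the source once it crosses a threshold. The block below is an added example written for this page, not ASM's implementation: a sliding 60-second window per source for two event kinds (policy violations, failed logins on the login URL), a penalty period after which the source is admitted again, and three constructed event streams to show the verdicts. Thresholds, IPs and timestamps are assumptions.

```python
"""Added example, not F5 ASM code: an IP penalty enforcer with a second,
stricter counter for login failures (brute force). Events are constructed."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

VIOLATIONS_PER_MINUTE = 5        # policy violations a source may trip per minute
LOGIN_FAILURES_PER_MINUTE = 3    # stricter threshold on the login URL
PENALTY_SECONDS = 600            # how long a penalised IP stays blocked
WINDOW_SECONDS = 60

Event = Tuple[float, str, str]   # (timestamp, source IP, event kind)


class IPPenaltyEnforcer:
    def __init__(self) -> None:
        self.counters: Dict[str, Dict[str, Deque[float]]] = {
            "violation": defaultdict(deque), "login_failure": defaultdict(deque)}
        self.thresholds = {"violation": VIOLATIONS_PER_MINUTE,
                           "login_failure": LOGIN_FAILURES_PER_MINUTE}
        self.blocked_until: Dict[str, float] = {}

    def is_blocked(self, ip: str, ts: float) -> bool:
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if ts >= until:                  # penalty served, forget the entry
            del self.blocked_until[ip]
            return False
        return True

    def record(self, ip: str, ts: float, event: str) -> str:
        """Verdict for one event: 'blocked', 'alerted' (counted but still
        served) or 'allowed'. Event kinds other than the two counted ones
        ('ok' in the demo) are plain traffic."""
        if self.is_blocked(ip, ts):
            return "blocked"
        if event not in self.counters:
            return "allowed"
        window = self.counters[event][ip]
        window.append(ts)
        while window and ts - window[0] >= WINDOW_SECONDS:   # slide the window
            window.popleft()
        if len(window) > self.thresholds[event]:
            self.blocked_until[ip] = ts + PENALTY_SECONDS
            return "blocked"
        return "alerted"


def replay(enf: IPPenaltyEnforcer, events: List[Event]) -> List[str]:
    return [enf.record(ip, ts, kind) for ts, ip, kind in events]


def demo() -> Dict[str, List[str]]:
    enf = IPPenaltyEnforcer()
    # Constructed streams: a scanner trips seven violations inside a minute and
    # comes back when its penalty ends; a password guesser fails five logins;
    # a clumsy user trips three violations spread over two minutes.
    scanner = [(float(t), "198.51.100.20", "violation") for t in range(0, 70, 10)]
    scanner += [(649.0, "198.51.100.20", "ok"), (650.0, "198.51.100.20", "ok")]
    guesser = [(float(t), "198.51.100.21", "login_failure") for t in range(0, 50, 10)]
    clumsy = [(0.0, "198.51.100.22", "violation"), (30.0, "198.51.100.22", "violation"),
              (120.0, "198.51.100.22", "violation"), (200.0, "198.51.100.22", "ok")]
    return {"scanner": replay(enf, scanner), "guesser": replay(enf, guesser),
            "clumsy": replay(enf, clumsy)}
```

The clumsy user never crosses the threshold because the window slides: by the third violation the first two are more than a minute old. That is the property to keep when tuning: a fixed-minute bucket would let a scanner straddle the boundary and trip twice the threshold without a block.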

(42)

Secerno DataWall

– Real-time database activity monitoring and blocking
– Responds to each type of threat via logging, monitoring, alerting, blocking or substituting
– Enables rapid application development by reducing the need for intensive security code development
– Enforces a positive-security model: only approved behaviour is allowed

(43)

The Integration: F5 ASM + Secerno DataWall

– Monitor and block traffic at the web and database layers
– Application sessions are tracked from client to database and back
– When anomalies are detected by ASM, they are logged to both the ASM and Secerno DataWall logs:
  – ASM provides the user and web context of the attack to Secerno, enabling complete visibility of the attack from source IP address, through HTTP page and session, to SQL transaction
  – Secerno can analyse the full SQL transaction to see if the query is out of policy, rather than just a fragment
– Ensures that administrators always get consistent, correlated application monitoring data
– Web-tier attacks are blocked by ASM
– Attacks that get past ASM to the database are blocked by Secerno DataWall
– Users who do not access the database via the web application (DBAs, consultants and operations staff) are still controlled by Secerno, whether the access is made over the network, a remote session, SSH or the keyboard

(44)

How The Integration Works

– Web traffic is secured with BIG-IP ASM, and database traffic with Secerno DataWall
– When a user logs into an application, BIG-IP passes their identity to Secerno DataWall
– If a SQL attack takes place, the full context of the attack is sent to Secerno DataWall, and the user identity is associated with the attack in reports, based on the session and the ASM cookie

(45)

BIG-IP Protocol Security Module (PSM)

Integrated platform to secure application traffic:
– Protects HTTP(S), FTP and SMTP at BIG-IP system speeds

Application security accessible for the network guy:
– Application protocol, not application logic
– Fully configured after installation

Easy introduction to application security:
– First step toward a true application firewall

(46)

Simplified Security - PSM

PSM checks, as listed on the slide:
– Enforces mandatory headers
– Length checks
– Data Guard
– Protocol-anomaly exploits
– White-list of server commands
– Mitigates brute-force attacks
– RFC compliance
– Mitigates directory harvesting
– Rate limits
– Anti-spam grey-listing
– Augments MSM L4 with L7

(48)

"Stepping-Stone" Security

[Diagram: layer stack. Data Link, Network and Transport are covered by BIG-IP LTM; the application protocol layer by BIG-IP PSM; the application layer by BIG-IP ASM.]

(49)

Only Completely Integrated Security Solution

"Stepping Stone" security:
– TMOS/LTM provides L2-L4
– PSM provides L4-L7 protocol security
– ASM provides application security

Builds on ADN functionality:
– SSL termination
– Caching/compression
– IPv6 gateway

(50)

Attack Expert System in ASM v10.1

(51)

Attack Type Details

(52)

Improved PCI Compliance Reporting

New PCI reporting:
• Details the security measures required by PCI DSS 1.2
• Compliance state

(55)

Application visibility and reporting

Monitor URIs for server latency

(56)

Reporting Features: Executive View

[Chart of attack types: HTTP Response Splitting, Command Execution, Detection Evasion, Parameter Tampering, SQL Injection, Cross Site Scripting (XSS), XML Parser.]

(58)

Centralized Advanced Reporting with Splunk

– Centralized reporting with Splunk's large-scale, high-speed indexing and search solution
– 15 packaged ASM-specific reports
– Provide visibility into attack trends and traffic trends
– Identify unanticipated threats before exposure occurs

(59)

Sample Reports with Splunk

– Top violations
– Top violations by protocol (HTTP, FTP, SMTP)
– Top HTTP violations by web application
– Top attackers
– Top attackers by protocol (HTTP, FTP, SMTP)
– Top web applications attacked, alerted or blocked
– Top web applications alerted by IP address
– Attacks by location
– Top response codes by web application
– Top alerted or blocked web application requests by time period
– Web application requests by method

(60)

F5 Application Security Manager (ASM) and WhiteHat Sentinel partnership

(61)

ASM + Sentinel Benefits

– Discovery and remediation within minutes
– Single-click policy rules (XSS, SQLi)
– Targeted, laser-focused policy rules
– No false positives
– Third-party policy validation

(62)

ASM vs. competition

[Comparison table of F5 against Barracuda, Breach, Citrix and Imperva; the check marks and the footnote cells (1) and (2) did not survive extraction, only the list of features compared.]

Features compared:
– Signature-based security
– Policy-based security
– Staging area for new signatures
– Human-readable policies
– Pre-configured policies
– XML Schema validation
– Integration with vulnerability scanners
– Data center security in one unit
– Monitor URIs for server latency
– Web scraping protection
– Encrypted cookie support
– Rate limiting
– Geolocation reporting
– Layer 7 DoS attack protection
– Brute force attack protection

(63)

– Overall: www.f5.com
– Technical: ask.f5.com, devcentral.f5.com
– F5 University: www.f5university.com/ (login: your email, password: adv5tech)
– Partner information: www.f5.com/partners
– Certification FAQ: www.f5.com/training_services/certification/certFAQ.html
– Gartner report: http://mediaproducts.gartner.com/reprints/f5networks/article1/article1.html
– Important deployment information: http://www.f5.com/solutions/deployment/
– Data Center Virtualization: http://www.f5.com/solutions/technology/pdfs/dc_virtualization_wp.pdf
– Application Traffic Management: http://www.f5.com/solutions/technology/pdfs/atm_wp.pdf
– Application Briefs: http://www.f5.com/solutions/applications/
– Solution Briefs: http://www.f5.com/solutions/sb/
– F5 Compression and Cache Test: http://www.f5demo.com/compression/index.php
– F5 iControl Alliance Partners: http://www.f5.com/solutions/partners/iControl/
– F5 Technology Alliance Partners: http://www.f5.com/solutions/partners/tech/

Let us know if you need any clarification or you have any further questions.

(64)

F5 is the Global Leader in Application Delivery

[Diagram: the Application Delivery Network sits between users (at home, in the office, on the road) and the data centre (SAP, Microsoft, Oracle).]

Business goal: achieve these objectives in the most operationally efficient manner.
