Securing Web Applications at the Network Layer v.1.5
WebSec 2006 – 15th February – México D.F.
Carlos Fragoso Mariscal
Supercomputing Center of Catalunya (CESCA)
<[email protected]>
Who is Carlos Fragoso?
Networking Systems and Security Engineer at the Supercomputing Center of Catalunya (CESCA)
Responsible for proactive, reactive and value-added security services on the Anella Científica RREN and the CATNIX IXP:
• Perimeter protection, infrastructure hardening, intrusion and anomaly detection, incident handling, malware analysis, etc.
• ERIAC Incident Response Team Incident Handling Manager
• Involved in several IR communities and security workgroups: TF-CSIRT, EURO-IX, ABUSE-ES, UNISOG and NSP-SEC
Guest speaker at several national and international security conferences, workshops and master’s degree courses
Bachelor’s Degree in Computer Science (UAB)
Master in Networking and Telecommunication Services (URL)
Cisco Systems Certified Engineer (CCNA, CCNP*)
SANS GIAC Certified (GSEC, GCFW, GCIH, GHTQ, GREM)
Jessland Community Core Member
Spanish Honeynet Project (SHP) member
Fields of interest: IPv6, multicast, routing, traffic engineering, MPLS, QoS, WLANs, VPNs, firewalls, IDS/IPS, honeypots/nets, incident handling, forensics, etc.
Table of Contents
Overview
Security Architecture
• Design parameters and procedure
• Security areas
• Devices
– Network Firewalls
– Network Intrusion Prevention/Detection Systems
Security Architecture Case Study ☺
Conclusion
Overview
Network security is usually not considered part of a defense-in-depth approach to web application security
A security architecture can provide a robust topology that enforces security in web services environments
This talk focuses on how to increase web services security through protection and detection built into the network security architecture
Web application clients interface
Web application clients mainly use the HTTP protocol as their interface to the application
Users (B2C) and hosts (B2B) reside on external or business partners’ networks
Web application layered model
Some web applications are not able to separate the interface and application layers, so they are just one
The data layer is commonly a filesystem or a database
[Diagram: Interface, Application and Data layers]
Web application layers segregation
The first operational and security step is to separate the different layers onto different hosts
[Diagram: Interface and Application layers on separate hosts]
Summary
Client networks
• External
• Business partners
Interface
• HTTP/S protocol
• ...
Web Application Services
• Interface (web)
• Application
Design parameters
Defense-in-depth
Technology balance
Least privilege principle
Simplicity
Biodiversity
Access control
Operational/Risk balance
Scalability
Redundancy
Design procedure
Security policy
Security levels classification
Deploy network devices
Segmentation with firewalls
Deploy additional security devices
• IDS/IPS
• Content inspection
• VPNs
Security Areas
Internet
Extranets
• Business partner or remote sites
DMZs
• External
• Internal
Intranets
• Users network
• Protected network
Devices
Firewalls
Routers
Switches
Intrusion Detection/Prevention Systems
Honeypots and Honeynets
Security Event Managers
Servers
Desktop and mobile end-user systems
Wireless Access Points
Hybrids ...
Network Firewalls
Interconnect networks of different security levels, providing traffic access control
Technology:
• Stateless: each packet is handled individually
• Stateful: keeps state of network flows
• Stateful Inspection: understands application layer protocols
Value-added features:
• Load balancing, failover, address translation, VPNs, packet normalization, content inspection, etc.
Ruleset:
• Firewall lockdown
• No logging
• Log denied
• Sneaky rule
Network Intrusion Detection/Prevention Systems (NIDS/NIPS)
Their job is to provide network audit features and intrusion detection and prevention over the network
Types: network, node (IDS) and in-line (IDS, IPS)
Traffic capture: taps, hubs, span ports, balancing...
Advantages:
• Easy to deploy
• Effective
• Good scalability
Disadvantages:
• False positives
• False negatives
• Non-textual alarms
• High volume of data
• Encrypted traffic
Tips’n’hints
Critical information must be placed far away from possible risky areas
Network security does not patch your hosts for you!
Some critical services have a low rate of possible vulnerabilities because they have been heavily tested
Sometimes information must be replicated to give a limited-scope view
Security Architecture Case Study
WebSec Enterprises Inc (WEI)
Clueless to smart admin 3l33t to
WebSec Enterprises Inc (WEI)
[Diagram: Intranet (Workstations, Internal Server), External Servers, Internet]
WEI’s network grew without a security-minded approach
Several incidents led to a security architecture redesign
Let’s follow together how to face common issues in the new architecture deployment
Identifying System Relationships
External users access external servers
Some external servers (web, app, dns, smtp) need to access the internal server
Workstation users manage servers and have Internet access
[Diagram: Intranet (Workstations, Internal Server), External Servers, Internet]
Identifying Security Areas
[Diagram: Intranet (Workstations, Internal Server), External Servers, Internet]
The internal server contains WEI’s “crown jewels”
Workstation users manage the WEI infrastructure
External servers provide services to the outside
The Internet is a public, least-secure network
Step 0 – Plain network – Weaknesses
[Diagram: Intranet (Workstations, Internal Server), External Servers and Internet on one plain network]
Lack of firewalling
Different security areas in the same network
Step 0 – Plain network – Abuse
[Diagram: same plain network; attacker bubble: “t00 e9sy f0r m3!”]
1. Reconnaissance and exploit launch to compromise the WEI external web server
2. Internal reconnaissance attack trying to compromise internal workstations or servers
Step 1 – DMZ deployment – Weaknesses
Sharing the DMZ between critical services (dns, smtp) and the web server
Still a lot to do!
[Diagram: Internet, DMZ (External Servers), Intranet (Internal Servers, Workstations)]
Step 1 – DMZ deployment – Abuse
[Diagram: Internet, DMZ (External Servers), Intranet (Internal Servers, Workstations); attacker bubble: “P1nch3 9dm1n !”]
1. Reconnaissance and exploit launch to compromise the WEI external web server
2. Firewall allows the web server to download hacking tools
3. Local layer-3 compromise or DoS attack against DNS and
Step 2 – VLAN-based DMZ – Weaknesses
[Diagram: Internet, DMZ split into VLAN 2 / VLAN 3 / VLAN 4 on one switch (External Servers), Intranet (Internal Servers, Workstations)]
Looks better!
Logical isolation (VLAN) on the same physical switch could encourage the hacker to perform Layer-2 DoS or VLAN hopping attacks
The same software vendor could ease a multilayer compromise
Step 2 – VLAN-based DMZ – Abuse
[Diagram: same VLAN-based DMZ]
a) Compromise the web server and perform layer-2 VLAN hopping in order to try to breach the other servers
b) Launch an exploit against the smtp or dns server and relaunch it again to get internal access (nicer if possible)
Step 3 – Dual Public DMZ – Weaknesses
[Diagram: Internet, DMZ-1 (External Server), DMZ-2 (VLAN 3 / VLAN 4, External Servers), Intranet (Internal Servers, Workstations), single firewall]
I’m doing my best!
A vulnerability in the single firewall could allow direct communication to the WEI intranet
Malware injection could compromise workstations
Step 3 – Dual Public DMZ – Abuse
[Diagram: same dual public DMZ; attacker bubble: “Br3ak d9 p3r1m1t3r”]
a) Specially crafted packets are sent so that filtering is overcome and they reach the internal server directly
b) Malware is injected through a URL (malware site) in a fake email
Step 4 – Multilayered service-leg-based double-DMZ – Weaknesses
Paranoia is your friend
Vulnerabilities such as SQL Injection on the App Server or the Internal Server database could compromise the boxes and probably disclose sensitive information
[Diagram: Internet, Proxy, DMZ-1 (Web Server), DMZ-2 (App Server, VLAN 3 / VLAN 4), Database Server, Internal Servers, Workstations, Intranet]
Step 4 – Multilayered service-leg-based double-DMZ – Abuse
[Diagram: same multilayered double-DMZ; attacker bubble: “W0w, th9t’s n0t 39sy”]
1. Reconnaissance against the web/app server to identify the internal database server
2. Perform SQL Injection in order to get sensitive data back to the hacker
Step 5 – Protected network with data replication
[Diagram: same multilayered double-DMZ plus an Internal Database in a protected network; caption: “GREEEEAAAAT !!!”]
Necessary content database replication
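Pulling together the firewall ruleset conventions from the Network Firewalls slide (explicit allows, a deny-and-log cleanup) and the Step 0 to Step 5 progression, here is an added Python example, not from the talk, that models the Step 5 security areas and checks a candidate ruleset against the layering the steps argue for. The host placement, port numbers and the push direction of the database replication are assumptions made for illustration.

```python
from collections import namedtuple

Rule = namedtuple("Rule", "src dst port")

# Security areas of the Step 5 design, ordered from least to most trusted.
ZONES = ["internet", "dmz1", "dmz2", "intranet", "protected"]
LEVEL = {z: i for i, z in enumerate(ZONES)}

# Host placement assumed for this example (the slides only show the zones).
PLACEMENT = {
    "proxy": "dmz1", "web": "dmz1", "app": "dmz2", "db": "dmz2",
    "workstation": "intranet", "internal_db": "protected",
}

# Explicit allow rules; anything unmatched hits the deny-and-log cleanup rule.
# Ports and the replication direction are assumptions. In a service-leg design
# every server hangs on its own firewall leg, so DMZ-2 to DMZ-2 is filtered too.
ALLOW = [
    Rule("internet", "dmz1", 443),    # clients only reach the web interface
    Rule("dmz1", "dmz2", 8080),       # web tier to application tier
    Rule("dmz2", "dmz2", 5432),       # application tier to the DMZ-2 database
    Rule("protected", "dmz2", 5432),  # replica pushed out of the protected net
    Rule("intranet", "dmz1", 22),     # workstation users manage the servers
    Rule("intranet", "dmz2", 22),
]

def decide(src_host, dst_host, port):
    """Evaluate one flow and return (verdict, log_line). Hosts missing from
    the placement table are treated as arbitrary Internet clients."""
    src = PLACEMENT.get(src_host, "internet")
    dst = PLACEMENT[dst_host]
    for r in ALLOW:
        if (r.src, r.dst, r.port) == (src, dst, port):
            return "allow", ""
    return "deny", f"DENY {src}/{src_host} -> {dst}/{dst_host} port {port}"

def rule_violations(rules):
    """Flag rules that undo the layering: an inward flow that jumps more than
    one trust level, or any inbound flow into the protected network."""
    bad = []
    for r in rules:
        if r.dst == "protected" and r.src != "protected":
            bad.append((r, "inbound to protected network"))
        elif LEVEL[r.dst] - LEVEL[r.src] > 1:
            bad.append((r, "skips a security layer"))
    return bad

if __name__ == "__main__":
    for flow in [("client", "web", 443), ("client", "db", 5432), ("web", "internal_db", 5432)]:
        print(flow, decide(*flow))
    print("ruleset violations:", rule_violations(ALLOW))
```

Feeding a proposed change such as an Internet-to-intranet allow through rule_violations before deploying it is the kind of check that would have caught the Step 0 and Step 3 weaknesses early.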
Some remarkable security issues
Lack of multilayer firewalling
Network sharing of different security areas
Outbound traffic control on DMZ areas
“Relaxed” server patching policy
Shared resource used for critical information
Logical vs physical isolation
OS, software and hardware biodiversity
Sensitive data access
Long live the new WEI network! ☺
[Diagram: the old plain network beside the new architecture: Internet, Proxy, DMZ-1 (Web Server), DMZ-2 (App Server), Database Server, Internal Servers, Intranet, Internal Database in the Protected Network]
Security Architecture Case Study:
Prevention is IDEAL but detection is a MUST!
[Diagram: the new WEI architecture]
Conclusion
Security architecture definitely helps to improve the global state of security for web services
It is highly recommended to separate the interface, application and data layers
Knowing your environment is half the battle in choosing a good topology approach
Place hosts in the infrastructure according to their data security level; sometimes splitting or replicating the information is necessary
What has been described makes things more difficult for the hacker, but not impossible!
Coming Soon ...
“Router Infrastructure Hardening”
WebSec 2006 Workshops “Monitoreo y Defensa”
Carlos Fragoso Mariscal
335C CB9F 84E8 85E9 A62B EF3A 102F 01FF 0E4E DE07
Thank you for your time !!!
Special greetings to CESCA workmates, Jess García, Victor Chapela and his team, and of course ... to WebSec Padawans !!!