
Web Application Firewall

Web Application Firewall. 9-20-13, Tony Ganzer, F5 SE. Who Is Responsible for Application Security? Storage, Applications, Infrastructure, Clients, Network, Engineering services, Developers, DBA. How Does It Work? Security at application, protocol and network level.



Presentation Transcript


  1. Web Application Firewall 9-20-13 Tony Ganzer F5 SE

  2. Who Is Responsible for Application Security? Storage Applications Infrastructure Clients Network Engineering services Developers DBA

  3. How Does It Work? Security at application, protocol and network level
     Request made • Security policy checked • Server response • Content scrubbing • Application cloaking • Enforcement • Response delivered • Security policy applied
     Actions: Log, block, allow
     “BIG-IP enabled us to improve security instead of having to invest time and money to develop a new, more secure application.”

  4. 1 Start by checking RFC compliance
     2 Then check for various length limits in the HTTP
     GET /search.php?name=Acme’s&admin=1 HTTP/1.1\r\n
     Host: 172.29.44.44\r\n
     Connection: keep-alive\r\n
     User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n
     Accept:text/html,application/xhtml+xml,application/xml;q=0.9\r\n
     Referer: http://172.29.44.44/search.php?q=data\r\n
     Accept-Encoding: gzip,deflate,sdch\r\n
     Accept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\n
     Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n
     Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226; \r\n
     \r\n
     3 Then we can enforce valid types for the application
     4 Then we can enforce a list of valid URLs
     5 Then we can check for a list of valid parameters
     6 Then for each parameter we will check for max value length
     7 Then scan each parameter, the URI, the headers

  5. Scope of Problem • Website Proliferation • Vulnerabilities introduced • Automated attacks • Changing the attack patterns • Risk of brand, $ and IP losses high

  6. How long to resolve a vulnerability? Website Security Statistics Report

  7. Unknown Vulnerabilities in Web Apps • Unable to find or mitigate vulnerabilities • Very expensive to fix by recoding • Difficult to include scanner assessments • Need assurance that app sec. is deployed properly
     Web Application Vulnerabilities as a percentage of all disclosures in 2011 H1: Web Applications: 37 percent; Others: 63 percent. Source: IBM X-Force Research and Development

  8. Customers want… • Reduce Window of Exposure • Reduce Operational Cost • Assured Security: real-time assessments & patching • Integrated with SDLC processes

  9. Recent Application and Network Attacks • And the hits keep coming: Source: http://spectrum.ieee.org/static/hacker-matrix

  10. Concept – Simple as your ABCs

  11. Traditional Security Devices vs. WAF
      Columns: Network Firewall | IPS | WAF-ASM
      Rows: Known Web Worms; Unknown Web Worms; Known Web Vulnerabilities; Unknown Web Vulnerabilities; Illegal Access to Web-server files; Forceful Browsing; Look into the SSL traffic; Buffer Overflow; Cross-Site Scripting; SQL/OS Injection; Cookie Poisoning; Hidden-Field Manipulation; Parameter Tampering; Layer 7 DoS Attacks; Brute Force Login Attacks; App. Security and Acceleration
      Ratings: Limited Limited X Limited Partial Limited X Limited X X X Limited X Limited Limited Limited Limited Limited X X X X X X X X X X X X X

  12. Identify, Virtually Patch, and Mitigate Vulnerabilities • Scan applications with: • WhiteHat Sentinel (F5 Free Scan Partner) • Cenzic Hailstorm (F5 Free Scan Partner) • QualysGuard Web App. Scanning • IBM Rational AppScan • Configure vulnerability policy in BIG-IP ASM • Mitigate web app. attacks Internet Hacker Data Center BIG-IP Application Security Manager Web 2.0 Apps BIG-IP Application Security Manager Clients Private Cloud Apps

  13. Protection from Vulnerabilities Enhanced Integration: BIG-IP ASM and DAST Customer Website White Hat Sentinel • Finds a vulnerability • Virtual-patching with one-click on BIG-IP ASM • Vulnerability checking, detection and remediation • Complete website protection BIG-IP Application Security Manager • Verify, assess, resolve and retest in one UI • Automatic or manual creation of policies • Discovery and remediation in minutes

  14. Benefits of Assessments with WAF
      Narrows window of exposure and reduces operational costs: Real-time assessments and virtual patching; Operationalizes admin. and simplifies mitigation
      Assures app security, availability and compliance: Assurance no matter vulnerabilities or policies built; OWASP protection, compliance, geo blocking
      Improves app performance: Availability improves cost effectiveness
      Low risk of false positives: Laser focused rules are generated automatically
      Easily integrates with SDLC practices: Ongoing website security program

  15. WAF and the Software Development Lifecycle • Policy Tuning • Pen tests • Performance Tests • Incorporate vulnerability assessment into the SDLC • Use business logic to address known vulnerabilities • Allow resources to create value • WAF “offload” features: • Cookies • Brute Force • DDOS • Web Scraping • SSL, Caching, Compression • Final Policy Tuning • Pen Tests

  16. Multiple Security Layers
      RFC enforcement • Various HTTP limits enforcement
      Profiling of good traffic • Defined list of allowed file types, URIs, parameters
      Each parameter is evaluated separately for: • Predefined value • Length • Character set • Attack patterns
      Looking for pattern matching signatures
      Responses are checked as well
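Slide 4 and slide 16 describe the same ordered sequence of positive-security checks (RFC compliance, length limits, allowed file types, allowed URLs, allowed parameters, per-parameter length and character set, then attack-pattern signatures over the URI, headers and parameters). The Python below is an added illustration of that pipeline written for this page; it is not F5 code and does not use the BIG-IP ASM policy format. The `POLICY` allow-lists, the three `SIGNATURES` patterns, the `inspect` function and the `SLIDE_REQUEST` sample (the slide's request with a straight apostrophe and fewer headers) are all constructed for the example.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed policy for a hypothetical application (not BIG-IP ASM's policy format).
POLICY = {
    "max_request_line": 2048,
    "max_header_line": 1024,
    "allowed_file_types": {"", "php", "html", "css", "js", "png"},  # "" = no extension
    "allowed_urls": {"/", "/index.php", "/search.php"},
    # per URL: parameter name -> (max value length, allowed-character regex)
    "parameters": {"/search.php": {"q": (64, r"[\w .-]*"), "name": (64, r"[\w .-]*")}},
}
# Constructed attack-pattern signatures for stage 7; a production WAF ships thousands.
SIGNATURES = {
    "sql_injection": re.compile(r"'\s*(or|and)\s+|union\s+select|;\s*drop\s", re.I),
    "xss": re.compile(r"<script|javascript:|onerror\s*=|onload\s*=", re.I),
    "path_traversal": re.compile(r"\.\./|%2e%2e", re.I),
}
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")
HEADER_LINE = re.compile(r"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*$")


@dataclass
class Verdict:
    action: str = "allow"  # slide 3: log, block, allow
    violations: list = field(default_factory=list)

    def flag(self, stage: str, detail: str) -> None:
        self.violations.append(f"{stage}: {detail}")
        self.action = "block"


def inspect(raw: str, policy: dict = POLICY) -> Verdict:
    v = Verdict()
    # 1. RFC compliance: CRLF framing, request-line and header syntax, Host present
    head, sep, _body = raw.partition("\r\n\r\n")
    if not sep:
        v.flag("rfc", "header block not terminated by CRLF CRLF")
        return v
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        v.flag("rfc", f"malformed request line {lines[0]!r}")
        return v
    target = m.group(2)
    headers = []
    for ln in lines[1:]:
        h = HEADER_LINE.match(ln)
        if h:
            headers.append((h.group(1).lower(), h.group(2)))
        else:
            v.flag("rfc", f"malformed header {ln!r}")
    if "host" not in dict(headers):
        v.flag("rfc", "HTTP/1.1 request without Host header")
    # 2. Length limits on the request line and on each header line
    if len(lines[0]) > policy["max_request_line"]:
        v.flag("length", "request line too long")
    if any(len(ln) > policy["max_header_line"] for ln in lines[1:]):
        v.flag("length", "header line too long")
    # 3. File type: the extension of the last path segment must be allowed
    parts = urlsplit(target)
    path = unquote(parts.path)
    last = path.rsplit("/", 1)[-1]
    ext = last.rsplit(".", 1)[1].lower() if "." in last else ""
    if ext not in policy["allowed_file_types"]:
        v.flag("file_type", f"extension {ext!r} not allowed")
    # 4. URL: the decoded path must be on the allowed-URL list
    if path not in policy["allowed_urls"]:
        v.flag("url", f"{path} not in allowed URL list")
    # 5 and 6. Parameters: known names only, then per-value length and character set
    params = parse_qsl(parts.query, keep_blank_values=True)
    known = policy["parameters"].get(path, {})
    for name, value in params:
        if name not in known:
            v.flag("parameter", f"unknown parameter {name!r} for {path}")
            continue
        max_len, charset = known[name]
        if len(value) > max_len:
            v.flag("parameter", f"{name} longer than {max_len} characters")
        if not re.fullmatch(charset, value):
            v.flag("parameter", f"{name} contains characters outside its allowed set")
    # 7. Attack signatures over the URI, every header value and every parameter value
    scan = [("uri", unquote(target))] + [(f"header {n}", x) for n, x in headers]
    for where, text in scan + [(f"param {n}", x) for n, x in params]:
        for sig, pattern in SIGNATURES.items():
            if pattern.search(text):
                v.flag("signature", f"{sig} matched in {where}")
    return v


# Constructed sample modelled on the slide's request (straight apostrophe, fewer headers).
SLIDE_REQUEST = (
    "GET /search.php?name=Acme's&admin=1 HTTP/1.1\r\n"
    "Host: 172.29.44.44\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n"
    "Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226\r\n\r\n"
)
```

Calling `inspect(SLIDE_REQUEST)` returns a blocking verdict with two violations: the `name` value fails its character-set check (the apostrophe is outside `[\w .-]`) and `admin` is not a known parameter for `/search.php`. Neither is caught by the signature stage, which is the point of the positive model: an unexpected parameter is rejected because the policy never learned it, not because it matched an attack pattern. A request that stays inside the profile (`GET /search.php?q=data HTTP/1.1`) is allowed with no violations, and a request whose headers are separated by bare LF instead of CRLF is rejected at stage 1 before any later stage runs.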

  17. Three Ways to Build a Policy (Security policy checked / Security policy applied)
      • Integration with app scanners: Virtual patching with continuous application scanning
      • Dynamic policy builder, Automatic: No knowledge of the app required; Adjusts policies if app changes
      • Manual: Advanced configuration for custom policies

  18. Detailed Logging with Actionable Reports At-a-glance PCI compliance reports Drill-down for information on security posture

  19. DDoS MITIGATION
      Increasing difficulty of attack detection up the OSI stack: Physical (1), Data Link (2), Network (3), Transport (4), Session (5), Presentation (6), Application (7)
      Network attacks: SYN Flood, Connection Flood, UDP Flood, Push and ACK Floods, Teardrop, ICMP Floods, Ping Floods and Smurf Attacks
      Session attacks: DNS UDP Floods, DNS Query Floods, DNS NXDOMAIN Floods, SSL Floods, SSL Renegotiation
      Application attacks: OWASP Top 10 (SQL Injection, XSS, CSRF, etc.), Slowloris, Slow Post, HashDos, GET Floods
      F5 mitigation technologies:
      • BIG-IP AFM: SynCheck, default-deny posture, high-capacity connection table, full-proxy traffic visibility, rate-limiting, strict TCP forwarding. Packet Velocity Accelerator (PVA) is a purpose-built, customized hardware solution that increases scale by an order of magnitude above software-only solutions.
      • BIG-IP LTM and GTM: High-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation
      • BIG-IP ASM: Positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detection
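The slide names rate-limiting and server performance anomaly detection among the mitigations for application-layer floods such as GET floods. As an added example for this page (not F5 code and not how BIG-IP implements it), the Python below applies a per-client sliding-window request count to access-log lines in Common Log Format, the kind of offline check a defender runs to confirm a flood before tightening a rate limit at the proxy. `parse_line`, `find_flooding_sources`, the 10-second window, the threshold of 100 and the `SAMPLE_LOG` lines are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format line: client, ident, user, [timestamp], "request", status, bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+)$')


def parse_line(line: str):
    """Return (client, epoch_seconds, request, status) or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return m.group(1), ts.timestamp(), m.group(3), int(m.group(4))


def find_flooding_sources(lines, window: float = 10.0, threshold: int = 100) -> dict:
    """Peak requests per client in any sliding window of `window` seconds,
    returned only for clients whose peak reaches `threshold`."""
    recent = defaultdict(deque)  # per-client timestamps inside the current window
    peak = defaultdict(int)
    records = sorted(filter(None, map(parse_line, lines)), key=lambda r: r[1])
    for client, t, _request, _status in records:
        q = recent[client]
        q.append(t)
        while t - q[0] > window:  # evict timestamps that fell out of the window
            q.popleft()
        peak[client] = max(peak[client], len(q))
    return {c: n for c, n in peak.items() if n >= threshold}


# Constructed sample log: one ordinary client plus one client issuing 300 GETs in 6 s.
_T0 = datetime(2013, 9, 20, 10, 0, 0, tzinfo=timezone(timedelta(hours=-7)))


def _line(client: str, offset: int, path: str = "/search.php?q=data") -> str:
    stamp = (_T0 + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{client} - - [{stamp}] "GET {path} HTTP/1.1" 200 512'


SAMPLE_LOG = [_line("172.29.44.10", s) for s in range(0, 60, 5)]
SAMPLE_LOG += [_line("172.29.44.99", s // 50) for s in range(300)]
```

`find_flooding_sources(SAMPLE_LOG)` returns only the flooding client with a peak of 300 requests inside one 10-second window, while the ordinary client (one request every 5 seconds) peaks at 3 and is ignored. The window is keyed on client address, so a distributed flood spread thinly across many sources would not trip it; that is why the slide pairs rate-limiting with server-side performance anomaly detection rather than relying on per-source counts alone.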

  20. RAPID VIRTUAL PATCHING
      SOFTWARE DEV. LIFECYCLE (SDLC): Project planning, Requirements definition, Installation & acceptance, Design, Integration & test, Development
      • Incorporate vulnerability assessment into the SDLC • Use business logic to address known vulnerabilities • Allow resources to create value
      • Decouple security from the SDLC • Address new vulnerabilities immediately • Ensure PCI compliance

  21. [Figure 1: 2011 Sampling of Security Incidents by Attack Type, Time and Impact, January to December 2011. Attack types plotted: SQL injection, URL tampering, spear phishing, third-party software, DDoS, SecureID, Trojan software, unknown. Size of circle estimates relative impact of breach in terms of cost to business; conjecture of relative breach impact is based on publicly disclosed information regarding leaked records and financial losses. Source: IBM X-Force 2011 Trend and Risk Report, March 2012]

  22. Thank You!

  23. www.F5.com
