Web Application Security with the Application Security Manager (ASM)
Piotr Oleszkiewicz, Zbigniew Skurczynski (zbig@f5.com)
Agenda
• Web Security – What are the problems?
• Vulnerabilities and protection strategies
• Web security with a Web Application Firewall (WAF)
• Security Policy Setups
• About us
Application Security: Trends and Drivers
• “Webification” of applications
• Intelligent browsers and applications
• Public awareness of data security
• Increasing regulatory requirements
• The next attackable frontier
• Targeted attacks
The weakest link
Diagram: the defence layers Firewall, Antivirus, Host IDS & Secure OS and Network IDS/IPS cover Network Access, Computer, Network and System, while the Applications layer in front of the DATA is the weakest link.
“64% of the 10 million security incidents tracked targeted port 80.” (Information Week magazine)
Why Are Web Applications Vulnerable?
• Security officers are not involved in software development, while developers are not security conscious
• New code written to best-practice methodology, but not tested properly
• New types of attack not covered by the current methodology
• New code written in a hurry due to business pressures
• Code written by third parties: badly documented, poorly tested, third party not available
• Flaws in third-party infrastructure elements
• Session-less web applications written with a client-server mentality
Most web applications are vulnerable!
• “70% of websites at immediate risk of being hacked!” - Acunetix, Jan 2007, http://www.acunetix.com/news/security-audit-results.htm
• “8 out of 10 websites vulnerable to attack” - WhiteHat security report, Nov 2006, https://whitehatsec.market2lead.com/go/whitehatsec/webappstats1106
• “75 percent of hacks happen at the application.” - Gartner, “Security at the Application Level”
• “64 percent of developers are not confident in their ability to write secure applications.” - Microsoft Developer Research
• “The battle between hackers and security professionals has moved from the network layer to the Web applications themselves.” - Network World
Problems are growing
• Yesterday:
  • Tens of working hours of the best security specialists
  • Preparing a successful attack on a web application was very expensive, but it could still bring profit if the target was interesting enough
• Today:
  • Automatic and semi-automatic tools that are user friendly
  • Fuzzers (more than 20 open source tools alone)
  • Newest trend: evolutionary programming
• Bottom line: the cost of preparing a successful attack has fallen dramatically!
Most web applications are vulnerable! Practical demonstration:
• Google
• Weak application logic: a web browser is the only tool we need
Not enough time! The time from finding a vulnerability to launching an attack is falling. Are your applications prepared for ZERO-DAY attacks?
Web Application Security
Attacks now look to exploit application vulnerabilities: perimeter security is strong, but PORT 80 and PORT 443 are open to web traffic, and high information density means a high-value attack.
Attack types (diagram): Infrastructural Intelligence, Non-compliant Information, Forced Access to Information, Buffer Overflow, Cross-Site Scripting, SQL/OS Injection, Cookie Poisoning, Hidden-Field Manipulation, Parameter Tampering
Web Application Security with ASM
Diagram: ASM sits between the browser and the application; it stops bad requests / responses (Non-compliant Information, Unauthorised Access, Infrastructural Intelligence) and allows legitimate requests.
Traditional Security Devices vs. Web Application Firewall (ASM)
Table columns: IPS, Network Firewall, ASM
Table rows: Known Web Worms, Unknown Web Worms, Known Web Vulnerabilities, Unknown Web Vulnerabilities, Illegal Access to Web-server files, Forceful Browsing, File/Directory Enumerations, Buffer Overflow, Cross-Site Scripting, SQL/OS Injection, Cookie Poisoning, Hidden-Field Manipulation, Parameter Tampering
(Cell ratings are X, Limited or Partial; their assignment to columns was lost in extraction.)
Security Policy in ASM
Diagram: browser → Security Policy (definition of good and bad behaviour) → Enforcement, with Content Scrubbing and Application Cloaking on the way back.
Security Policy in ASM
• Can be generated automatically or manually
• Highly granular on configuration and blocking
• Easy to understand and manage
• Bi-directional:
  • Inbound: protection from generalised & targeted attacks
  • Outbound: content scrubbing & application cloaking
• Application content & context aware
Positive Security - Example
Actions not known to be legal can now be blocked (diagram label: <script>):
• Wrong page order
• Invalid parameter
• Invalid value
• etc.
Selective Application Flow Enforcement
Diagram: Username / Password → From Acc. / To Acc. / $ Amount → Transfer, with requests marked VIOLATION, VIOLATION and ALLOWED.
This part of the site is a financial transaction that requires authentication; we should enforce strict flow and parameter validation.
• Should this be a violation?
• The user may have bookmarked the page!
• Unnecessarily enforcing flow can lead to false positives.
Flexible Policy Granularity
• Generic Policies - policy per object type
  • Low number of policies
  • Quick to implement
  • Requires little change management
  • Can’t take application flow into account
• Specific Policies - policy per object
  • High number of policies
  • More time to implement
  • Requires a change management policy
  • Can enforce application flow
  • Tightest possible security
  • Protects dynamic values
Optimum policy is often a hybrid.
Flexible Deployment Options
• Policy-Building Tools
  • “Trusted IP” Learning
  • Live Traffic Learning
  • Crawler
  • Negative RegEx
  • Template
Policy tightening levels (diagram, from the typical ‘standard’ starting point towards a tighter security posture): OBJECT TYPES, OBJECT NAMES, PARAMETER NAMES, PARAMETER VALUES, OBJECT FLOWS
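The positive security model, the generic-versus-specific policy split and the selective flow enforcement described in the slides above, as an added Python example (constructed for this page; it is not ASM's configuration format or F5 code). The policy dictionaries, the `check()` function and the sample objects `/login.php` and `/transfer.php` are assumptions; only the transfer step enforces page order, so a bookmarked login page does not raise a false positive.

```python
import os
import re

# Constructed generic policy: one rule per object type (file extension).
# It knows only the allowed methods; parameter values get a negative
# regex check because a per-type policy cannot know legal names or values.
GENERIC = {
    ".html": {"methods": {"GET"}},
    ".php": {"methods": {"GET", "POST"}},
}
NEGATIVE_REGEX = re.compile(r"<\s*script|\bor\s+1\s*=\s*1", re.I)

# Constructed specific policy: one rule per object, with allowed parameter
# names, a value pattern per parameter and an optional enforced flow (the
# page the request must come from). Login is bookmarkable, so no flow.
SPECIFIC = {
    "/login.php": {
        "methods": {"POST"},
        "params": {"username": r"[A-Za-z0-9_]{3,32}", "password": r".{8,128}"},
        "flow": None,
    },
    "/transfer.php": {
        "methods": {"POST"},
        "params": {"from_acc": r"\d{8}", "to_acc": r"\d{8}",
                   "amount": r"\d{1,7}(\.\d{2})?"},
        "flow": "/login.php",
    },
}


def check(method, path, params, prev_page=None):
    """Return the list of policy violations for one request; [] means allowed."""
    violations = []
    rule = SPECIFIC.get(path)
    if rule is None:
        # No per-object rule: fall back to the generic per-type policy.
        ext = os.path.splitext(path)[1]
        rule = GENERIC.get(ext)
        if rule is None:
            return [f"unknown object type {ext or '(none)'}"]
    if method not in rule["methods"]:
        violations.append(f"illegal method {method}")
    if rule.get("flow") and prev_page != rule["flow"]:
        violations.append(f"wrong page order: expected {rule['flow']}, got {prev_page}")
    allowed = rule.get("params")
    for name, value in params.items():
        if allowed is not None:  # positive model: name and value must be known
            if name not in allowed:
                violations.append(f"illegal parameter {name}")
            elif not re.fullmatch(allowed[name], value):
                violations.append(f"illegal value for {name}")
        elif NEGATIVE_REGEX.search(value):  # negative model for generic objects
            violations.append(f"negative signature match on {name}")
    return violations
```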
F5 is the Global Leader in Application Delivery Networking
Diagram: users at home, in the office and on the road reach applications (Oracle, Siebel, SAP) in the data centre through the Application Delivery Network.
Business goal: achieve these objectives in the most operationally efficient manner.
F5’s Comprehensive Single Solution
Diagram: users on mobile phone, PDA, laptop and desktop reach applications (CRM, Database, Siebel, BEA, Legacy, .NET, SAP, PeopleSoft, IBM, ERP, SFA, Custom) through the F5 Application Delivery Network built on TMOS, including co-location.
The F5 Products & Modules
Diagram: FirePass, BIG-IP Global Traffic Manager, BIG-IP Application Security Manager, BIG-IP Link Controller, BIG-IP Web Accelerator, BIG-IP Local Traffic Manager, WANJet and Enterprise Manager, all on TMOS with iControl & iRules, serving Microsoft, SAP, Oracle, IBM and BEA applications in the international data center. Protocols handled: HTTP/HTML, SIP, RTP, SRTP, RTCP, SMTP, FTP, SFTP, RTSP, SQL, CIFS, MAPI, IIOP, SOAP, XML etc.
Unique TMOS Architecture
Diagram: client-side and server-side TCP Express around a TCP proxy on a high-performance networking microkernel, with plug-ins for ASM / TrafficShield, Web Accel, 3rd party, Rate Shaping, SSL, Caching, XML, Compression and OneConnect, plus iRules and the iControl API on high-performance hardware.
• TMOS Traffic Plug-ins
• High-Performance Networking Microkernel
• Powerful Application Protocol Support
• iControl – External Monitoring and Control
• iRules – Network Programming Language
BIG-IP Software Add-On Modules: Quickly Adapt to Changing Application & Business Challenges
• Compression Module – increase performance
• Fast Cache Module – offload servers
• Rate Shaping Module – reserve bandwidth
BIG-IP Security Add-On Modules
• Application Security Module – protect applications and data
• SSL Acceleration – protect data over the Internet
• Advanced Client Authentication Module – protect against unauthorised access
ASM Platform Availability
• Standalone ASM on TMOS
  • 4100
• Available as a module with BIG-IP LTM
  • 6400/6800
  • 8400/8800
Analyst Leadership Position
Magic Quadrant for Application Delivery Products, 2007 (axes: Ability to Execute vs. Completeness of Vision; quadrants: Challengers, Leaders, Niche Players, Visionaries). Vendors placed: F5 Networks, Citrix Systems, Cisco Systems, Akamai Technologies, Foundry Networks, Crescendo, Nortel Networks, Radware, Juniper, Coyote Point, Zeus, NetContinuum, Array Networks. Source: Gartner, January 2007
• F5 Strengths
  • Offers the most feature-rich AP ADC, combined with excellent performance and programmability via iRules and a broad product line.
  • Strong focus on applications, including long-term relationships with major application vendors, including Microsoft, Oracle and SAP.
  • Strong balance sheet and cohesive management team with a solid track record for delivering the right products at the right time.
  • Strong underlying platform allows easy extensibility to add features.
  • Support of an increasingly loyal and large group of active developers tuning their application environments specifically with F5 infrastructure.
F5 Customers in EMEA (1 of 2): Banking, Financial, Insurance, Investments; Telco, Service Providers, Mobile
F5 Customers in EMEA (2 of 2): Transport, Travel; Media, Technology, Online; Manufacturing, Energy; Government, Other; Health, Consumer
Summary
• Protecting web applications is a challenge within many organizations, yet attacks against web applications are the hackers’ favourites
• ASM provides easy and very granular configuration options to protect web applications and to eliminate false positives
• ASM combines positive and negative security models to achieve optimum security
• ASM is an integrated solution and can run as a module on BIG-IP or standalone
• ASM is used to provide compliance with various standards
• ASM provides hidden-parameter protection and selective flow control enforcement
• ASM provides an additional security layer or can be used as the central point for web application security enforcement
Evaluation
• The best way to see how it will perform in your environment with your applications
• Soft-Tronik can provide you with evaluation hardware and engineers to help with deployment
Company Snapshot: Facts, Position, References
F5’s Continued Success (revenue chart)
• Headquartered in Seattle, WA
• F5 ensures applications running over the network are always secure, fast, and available
• Founded 1996 / Public 1999
• Over 10,000 customers and 30,000 systems installed
• Over 1,100 employees
• NASDAQ: FFIV