
Web Application Security with the Application Security Manager (ASM)

Web Application Security with the Application Security Manager (ASM). Piotr Oleszkiewicz, Zbigniew Skurczynski (zbig@f5.com). Agenda: Web security – what are the problems? Vulnerabilities and protection strategies. Web security with a Web Application Firewall (WAF). Security policy setups.



Presentation Transcript


  1. Web Application Security with the Application Security Manager (ASM). Piotr Oleszkiewicz, Zbigniew Skurczynski (zbig@f5.com)

  2. Agenda • Web security – what are the problems? • Vulnerabilities and protection strategies • Web security with a Web Application Firewall (WAF) • Security policy setups • About us

  3. Application Security: Trends and Drivers • “Webification” of applications • Intelligent browsers and applications • Public awareness of data security • Increasing regulatory requirements • The next attackable frontier • Targeted attacks

  4. The weakest link. [Diagram: layered defences in front of the DATA: network access (firewall), computer (antivirus, host IDS and secure OS), network (network IDS/IPS), system, applications.] "64% of the 10 million security incidents tracked targeted port 80." (Information Week magazine)

  5. Why Are Web Applications Vulnerable? • Security officers are not involved in software development, while developers are not security conscious • New code written to best-practice methodology, but not tested properly • New types of attack not covered by the current methodology • New code written in a hurry due to business pressures • Code written by third parties; badly documented, poorly tested, and the third party is no longer available • Flaws in third-party infrastructure elements • Session-less web applications written with a client-server mentality

  6. Most web applications are vulnerable! • "70% of websites at immediate risk of being hacked!" - Acunetix, Jan 2007, http://www.acunetix.com/news/security-audit-results.htm • "8 out of 10 websites vulnerable to attack" - WhiteHat Security report, Nov 2006, https://whitehatsec.market2lead.com/go/whitehatsec/webappstats1106 • "75 percent of hacks happen at the application." - Gartner, "Security at the Application Level" • "64 percent of developers are not confident in their ability to write secure applications." - Microsoft Developer Research • The battle between hackers and security professionals has moved from the network layer to the Web applications themselves. - Network World

  7. OWASP Top Ten Project (www.owasp.org)

  8. Problems are growing • Yesterday: tens of working hours of the best security specialists; preparing a successful attack on a web application was very expensive, but it could still bring profit if the target was interesting enough • Today: automatic and semi-automatic tools that are user friendly; fuzzers (more than 20 open-source tools alone); newest trend: evolutionary programming • Bottom line: the cost of preparing a successful attack has fallen dramatically!

  9. Most web applications are vulnerable! Practical demonstration: Google; weak application logic; a web browser is the only tool we need

  10. Not enough time! The time from finding a vulnerability to launching an attack is falling. Are your applications prepared for ZERO-DAY attacks?

  11. Web Application Security: attacks now look to exploit application vulnerabilities. Perimeter security is strong, but ports 80 and 443 are open to web traffic, and high information density makes the application a high-value target. [Diagram: attacks passing through the perimeter to the application: infrastructural intelligence, non-compliant information, forced access to information, buffer overflow, cross-site scripting, SQL/OS injection, cookie poisoning, hidden-field manipulation, parameter tampering.]

  12. Web Application Security with ASM. [Diagram: ASM sits between the browser and the application; it stops bad requests and responses (non-compliant information, unauthorised access, infrastructural intelligence) and allows legitimate requests through.]

  13. Traditional Security Devices vs. Web Application Firewall (ASM). [Table: columns Network Firewall, IPS, ASM; rows Known Web Worms, Unknown Web Worms, Known Web Vulnerabilities, Unknown Web Vulnerabilities, Illegal Access to Web-server Files, Forceful Browsing, File/Directory Enumeration, Buffer Overflow, Cross-Site Scripting, SQL/OS Injection, Cookie Poisoning, Hidden-Field Manipulation, Parameter Tampering. The per-cell ratings (X, Limited, Partial, covered) did not survive extraction in row order; what is recoverable is that the Network Firewall and IPS columns are mostly X or Limited with a single Partial, while the ASM column is a column of checkmarks.]

  14. Security Policy in ASM. [Diagram: the security policy sits between the browser and the application; it holds the definition of good and bad behaviour, enforces it, and performs content scrubbing and application cloaking.]

  15. Security Policy in ASM • Can be generated automatically or manually • Highly granular on configuration and blocking • Easy to understand and manage • Bi-directional: inbound, protection from generalised and targeted attacks; outbound, content scrubbing and application cloaking • Application content and context aware

  16. Positive Security - Example

  17. Positive Security - Example. [Diagram: a request carrying <script> is rejected.] Actions not known to be legal can now be blocked: wrong page order, invalid parameter, invalid value, etc.

  18. Negative vs. Positive Security
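The two models of slides 16 to 18 differ in what happens to an input the policy has never seen. The following is an added example, not code from this deck or from ASM: a negative model built from a small constructed signature set and a positive model built from a constructed allow-list policy for a hypothetical application (the paths /index.html, /search.php, /login.php and the file-type list are assumptions). The sample requests at the end are constructed; the point is the third and fourth, which match no signature yet fall outside the positive policy.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# --- Negative security model: block what is known to be bad -----------------
# Constructed signature set. Real signature databases are far larger, but the
# model is the same: anything that matches no signature is allowed.
ATTACK_SIGNATURES = {
    "xss_script_tag": re.compile(r"<\s*script", re.I),
    "sqli_union_select": re.compile(r"\bunion\b.{0,20}\bselect\b", re.I | re.S),
    "sqli_tautology": re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I),
}

# --- Positive security model: allow only what is known to be legal ----------
# Constructed policy for a hypothetical application. The file-type allow-list is
# a policy per object type; OBJECT_POLICY is a policy per object, down to the
# legal parameter names and a value pattern for each.
ALLOWED_OBJECT_TYPES = {"php", "html", "css", "js", "png"}
OBJECT_POLICY = {
    "/index.html": {},
    "/search.php": {"q": re.compile(r"^[\w ]{0,64}$")},
    "/login.php": {
        "user": re.compile(r"^[a-z0-9_]{1,32}$"),
        "pass": re.compile(r"^[^\x00-\x1f]{1,64}$"),
    },
}


def split_url(url):
    """Path plus decoded (name, value) pairs; percent-encoding is undone here."""
    parts = urlsplit(url)
    return parts.path, parse_qsl(parts.query, keep_blank_values=True)


def negative_check(url):
    """'allowed', or 'blocked: <signature>' on the first signature match."""
    _, params = split_url(url)
    for name, value in params:
        for sig_name, sig in ATTACK_SIGNATURES.items():
            if sig.search(value):
                return "blocked: %s in parameter %r" % (sig_name, name)
    return "allowed"


def positive_check(url):
    """'allowed', or 'violation: <reason>' for anything outside the policy."""
    path, params = split_url(url)
    ext = path.rsplit(".", 1)[-1] if "." in path else ""
    if ext not in ALLOWED_OBJECT_TYPES:
        return "violation: illegal object type %r" % ext       # object-type policy
    if path not in OBJECT_POLICY:
        return "violation: unknown object %r" % path           # object policy
    allowed_params = OBJECT_POLICY[path]
    for name, value in params:
        if name not in allowed_params:
            return "violation: illegal parameter %r" % name
        if not allowed_params[name].match(value):
            return "violation: illegal value for %r" % name
    return "allowed"


def evaluate(url):
    """Run both models on one request so the difference is visible side by side."""
    return {"negative": negative_check(url), "positive": positive_check(url)}


# Constructed sample requests: one legitimate, one known attack, then inputs the
# signature set knows nothing about.
SAMPLE_REQUESTS = [
    "/search.php?q=quarterly+report",                     # legitimate
    "/search.php?q=%3Cscript%3Ealert(1)%3C/script%3E",   # known XSS pattern
    "/search.php?q=..%2F..%2Fetc%2Fpasswd",              # traversal: no signature for it
    "/login.php?user=bob&pass=x&debug=1",                # parameter tampering
    "/backup/site.tar.gz",                               # forceful browsing
]

if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        print(url, evaluate(url))
```

The cost of the positive model is visible in OBJECT_POLICY itself: every object, parameter and value pattern has to be known in advance, which is why slides 21 and 22 spend so much time on how the policy is built and how tight to make it.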

  19. Protection for Dynamic Values or Hidden Field Manipulation

  20. Selective Application Flow Enforcement. [Diagram: a login form (Username, Password) leads to a Transfer form (From Acc., To Acc., $ Amount); requests arriving out of sequence are marked VIOLATION, the expected sequence ALLOWED.] This part of the site is a financial transaction that requires authentication; we should enforce strict flow and parameter validation. • Should this be a violation? • The user may have bookmarked the page! • Unnecessarily enforcing flow can lead to false positives.
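Slides 19 and 20 describe two checks that need state kept between one response and the next request: the values a hidden field or select list may legally carry are whatever the application itself sent the browser, and a page may only be requested after one of its predecessors. The following is an added example of that per-session enforcement, not code from this deck or from ASM, for a hypothetical banking application (the paths /accounts.php, /transfer.php, /news.php, the field names and the page markup are constructed). Flow is enforced only for objects listed in FLOW, so the bookmarked news page in the last scenario is not a false positive.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qsl

# Constructed policy for a hypothetical online-banking application (not an ASM
# configuration). Objects listed in FLOW may only be requested after one of their
# listed predecessors in the same session; everything else may be bookmarked.
FLOW = {
    "/transfer.php": {"/accounts.php"},
}
# Parameters whose only legal values are the ones the application itself issued
# in the preceding response (hidden fields and <option> values).
DYNAMIC_PARAMS = {
    "/transfer.php": {"from_acc", "csrf"},
}


class FormValues(HTMLParser):
    """Collect hidden-input values and <option> values from a response, keyed by field name."""

    def __init__(self):
        super().__init__()
        self.values = {}
        self._select = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.values.setdefault(a["name"], set()).add(a.get("value") or "")
        elif tag == "select":
            self._select = a.get("name")
        elif tag == "option" and self._select and "value" in a:
            self.values.setdefault(self._select, set()).add(a["value"] or "")

    def handle_endtag(self, tag):
        if tag == "select":
            self._select = None


class SessionEnforcer:
    """Per-session state the WAF keeps between a response and the next request."""

    def __init__(self):
        self.last_object = None
        self.issued = {}   # field name -> values the application sent in its last page

    def on_response(self, path, html):
        """Outbound side: note which object was served and which dynamic values it issued."""
        parser = FormValues()
        parser.feed(html)
        self.last_object = path
        self.issued = parser.values

    def on_request(self, path, query):
        """Inbound side: enforce flow only where the policy asks for it, then dynamic values."""
        if path in FLOW and self.last_object not in FLOW[path]:
            return "VIOLATION: %s requested out of flow (previous object: %s)" % (path, self.last_object)
        params = dict(parse_qsl(query, keep_blank_values=True))
        for name in sorted(DYNAMIC_PARAMS.get(path, ())):
            if name not in params:
                return "VIOLATION: dynamic parameter %r missing from %s" % (name, path)
            if params[name] not in self.issued.get(name, set()):
                return "VIOLATION: dynamic value tampered for %r (%s)" % (name, params[name])
        return "ALLOWED"


# Constructed page served at /accounts.php: the form that submits to /transfer.php.
ACCOUNTS_PAGE = (
    '<form action="/transfer.php">'
    '<select name="from_acc"><option value="1001">Current</option>'
    '<option value="1002">Savings</option></select>'
    '<input type="hidden" name="csrf" value="deadbeef">'
    '<input name="to_acc"><input name="amount">'
    '</form>'
)


def run_scenarios():
    """Four constructed sessions: a legitimate transfer, a tampered select value,
    a direct out-of-flow jump to the transfer page, and a bookmarked news page."""
    results = {}
    s = SessionEnforcer(); s.on_response("/accounts.php", ACCOUNTS_PAGE)
    results["legit_transfer"] = s.on_request("/transfer.php", "from_acc=1002&to_acc=2203&amount=50&csrf=deadbeef")
    s = SessionEnforcer(); s.on_response("/accounts.php", ACCOUNTS_PAGE)
    results["tampered_value"] = s.on_request("/transfer.php", "from_acc=9999&to_acc=2203&amount=50&csrf=deadbeef")
    s = SessionEnforcer(); s.on_response("/index.html", "<html></html>")
    results["direct_jump"] = s.on_request("/transfer.php", "from_acc=1001&to_acc=2203&amount=50&csrf=deadbeef")
    s = SessionEnforcer()
    results["bookmarked_news"] = s.on_request("/news.php", "id=7")
    return results


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(scenario, outcome)
```

The enforcer trusts the response side as the source of truth, which is what makes the check bi-directional in the sense of slide 15: without seeing what the application sent, the WAF cannot know that 9999 was never an offered account.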

  21. Flexible Policy Granularity: the optimum policy is often a hybrid • Generic Policies – policy per object type: low number of policies; quick to implement; requires little change management; can't take application flow into account • Specific Policies – policy per object: high number of policies; more time to implement; requires a change-management policy; can enforce application flow; tightest possible security; protects dynamic values

  22. Policy Tightening Suggestions. Policy-building tools: "Trusted IP" learning, live traffic learning, crawler, negative RegEx, template. Flexible deployment options. [Diagram: a staircase of increasingly tight security posture, from the typical 'standard' starting point upward: object types → object names → parameter names → parameter values → object flows.]
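Slides 21 and 22 describe the policy as something learned from traffic and then tightened rung by rung. The following is an added example of that learning step, not code from this deck and not ASM's learning algorithm: it derives an allow-list from a constructed sample of trusted traffic (the paths, client addresses and sessions are assumptions), ignores requests from addresses outside a constructed trusted-IP list, and returns only the rungs up to the requested level so the growth in policy size from slide 21 is measurable. The way observed values are generalised into a digits / word-characters / free-text pattern with a length bound is a simplification chosen for this example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl

# Tightening ladder from slide 22, lowest (the usual starting point) to highest.
LEVELS = ["object_types", "object_names", "parameter_names", "parameter_values", "object_flows"]

# Only traffic from these sources is trusted enough to learn from ("Trusted IP" learning).
TRUSTED_IPS = {"192.0.2.10", "192.0.2.11"}

# Constructed trusted-traffic sample: (session, client_ip, path, query), in arrival order.
TRAFFIC = [
    ("A", "192.0.2.10", "/index.html", ""),
    ("A", "192.0.2.10", "/search.php", "q=quarterly+report"),
    ("A", "192.0.2.10", "/accounts.php", ""),
    ("A", "192.0.2.10", "/transfer.php", "from_acc=1001&to_acc=2203&amount=50"),
    ("B", "192.0.2.11", "/index.html", ""),
    ("B", "192.0.2.11", "/accounts.php", ""),
    ("B", "192.0.2.11", "/transfer.php", "from_acc=1002&to_acc=4410&amount=1250"),
    ("B", "192.0.2.11", "/search.php", "q=fees"),
    ("C", "203.0.113.9", "/search.php", "q=x&debug=1"),   # untrusted: must not shape the policy
]


def value_pattern(values):
    """Generalise observed values into one allow-list regex: digits only, word
    characters only, or free text, with a length bound rounded up to a multiple of 8."""
    bound = (max(len(v) for v in values) // 8 + 1) * 8
    if all(re.fullmatch(r"\d+", v) for v in values):
        return r"^\d{1,%d}$" % bound
    if all(re.fullmatch(r"\w+", v) for v in values):
        return r"^\w{1,%d}$" % bound
    # Free text: only the length is learned. Content is left to a negative RegEx
    # signature set (slide 22), which this example does not include.
    return r"^.{0,%d}$" % bound


def learn_policy(traffic, level):
    """Build an allow-list policy containing every ladder rung up to `level`."""
    if level not in LEVELS:
        raise ValueError("unknown level %r" % level)
    trusted = [t for t in traffic if t[1] in TRUSTED_IPS]
    types, names = set(), set()
    pnames = defaultdict(set)
    pvalues = defaultdict(set)
    flows = defaultdict(set)
    last_seen = {}   # session -> previously requested object
    for session, _ip, path, query in trusted:
        types.add(path.rsplit(".", 1)[-1])       # sample paths all carry an extension
        names.add(path)
        for name, value in parse_qsl(query, keep_blank_values=True):
            pnames[path].add(name)
            pvalues[(path, name)].add(value)
        flows[path].add(last_seen.get(session))  # None marks a session entry point
        last_seen[session] = path
    full = {
        "object_types": types,
        "object_names": names,
        "parameter_names": dict(pnames),
        "parameter_values": {k: value_pattern(v) for k, v in pvalues.items()},
        "object_flows": dict(flows),
    }
    return {rung: full[rung] for rung in LEVELS[: LEVELS.index(level) + 1]}


def policy_size(policy):
    """Number of enforced elements: one per type, object, parameter, value pattern or flow edge."""
    n = 0
    for rung, content in policy.items():
        if rung in ("parameter_names", "object_flows"):
            n += sum(len(v) for v in content.values())
        else:
            n += len(content)
    return n


if __name__ == "__main__":
    for lvl in LEVELS:
        print("%-17s %3d elements" % (lvl, policy_size(learn_policy(TRAFFIC, lvl))))
```

The untrusted session C is the reason the trusted-IP filter comes first: had it been learned from, `debug` would have become a legal parameter of /search.php and the attacker's own probe would have widened the policy.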

  23. F5 is the Global Leader in Application Delivery Networking. [Diagram: users at home, in the office and on the road reach data-centre applications (Oracle, Siebel, SAP) through the Application Delivery Network.] Business goal: achieve these objectives in the most operationally efficient manner

  24. F5's Comprehensive Single Solution. [Diagram: users on mobile phones, PDAs, laptops and desktops reach applications (CRM, database, Siebel, BEA, legacy, .NET, SAP, PeopleSoft, IBM, ERP, SFA, custom, co-location) through the Application Delivery Network built on TMOS.]

  25. The F5 Products & Modules. [Diagram: on TMOS: FirePass, BIG-IP Global Traffic Manager, BIG-IP Application Security Manager, BIG-IP Link Controller, BIG-IP Web Accelerator, BIG-IP Local Traffic Manager, WANJet and Enterprise Manager, with iControl & iRules; protocols handled: HTTP/HTML, SIP, RTP, SRTP, RTCP, SMTP, FTP, SFTP, RTSP, SQL, CIFS, MAPI, IIOP, SOAP, XML etc.; application partners: Microsoft, SAP, Oracle, IBM, BEA; International Data Center.]

  26. Unique TMOS Architecture. [Diagram: a full TCP proxy between the client side and the server side on high-performance hardware, with a microkernel and plug-ins: ASM/TrafficShield, Web Accel, 3rd party, rate shaping, TCP Express, SSL, caching, XML, compression, OneConnect; iRules and the iControl API.] • TMOS traffic plug-ins • High-performance networking microkernel • Powerful application protocol support • iControl – external monitoring and control • iRules – network programming language

  27. BIG-IP Software Add-On Modules: quickly adapt to changing application and business challenges • Compression Module – increase performance • Fast Cache Module – offload servers • Rate Shaping Module – reserve bandwidth

  28. BIG-IP Security Add-On Modules • Application Security Module – protect applications and data • SSL Acceleration – protect data over the Internet • Advanced Client Authentication Module – protect against unauthorised access

  29. ASM Platform Availability • Standalone ASM on TMOS • 4100 • Available as a module with BIG-IP LTM • 6400/6800 • 8400/8800

  30. Analyst Leadership Position. [Figure: Gartner Magic Quadrant for Application Delivery Products, 2007 (axes: Ability to Execute vs. Completeness of Vision; quadrants Leaders, Challengers, Visionaries, Niche Players); vendors placed: F5 Networks, Citrix Systems, Cisco Systems, Akamai Technologies, Foundry Networks, Crescendo, Nortel Networks, Radware, Juniper, Coyote Point, Zeus, NetContinuum, Array Networks. Source: Gartner, January 2007.] F5 Strengths: • Offers the most feature-rich AP ADC, combined with excellent performance and programmability via iRules and a broad product line. • Strong focus on applications, including long-term relationships with major application vendors, including Microsoft, Oracle and SAP. • Strong balance sheet and cohesive management team with a solid track record for delivering the right products at the right time. • Strong underlying platform allows easy extensibility to add features. • Support of an increasingly loyal and large group of active developers tuning their application environments specifically with F5 infrastructure.

  31. F5 Customers in EMEA (1 of 2). [Customer logos by sector: banking, financial, insurance, investments; telco, service providers, mobile.]

  32. F5 Customers in EMEA (2 of 2). [Customer logos by sector: transport, travel; media, technology, online; manufacturing, energy; government, other; health, consumer.]

  33. Summary • Protecting web applications is a challenge in many organisations, yet attacks against web applications are the hackers' favourites • ASM provides easy and very granular configuration options to protect web applications and to eliminate false positives • ASM combines positive and negative security models to achieve the optimum security • ASM is an integrated solution and can run as a module on BIG-IP or standalone • ASM is used to provide compliance with various standards • ASM provides hidden-parameter protection and selective flow-control enforcement • ASM provides an additional security layer or can be used as the central point for web application security enforcement

  34. Evaluation • The best way to see how it will perform is in your environment with your applications • Soft-Tronik can provide you with evaluation hardware and engineers to help with deployment

  35. Backup Slides

  36. Company Snapshot: Facts, Position, References

  37. F5's Continued Success. [Chart: revenue.] • Headquartered in Seattle, WA • F5 ensures applications running over the network are always secure, fast, and available • Founded 1996 / public 1999 • Over 10,000 customers and 30,000 systems installed • Over 1100 employees • NASDAQ: FFIV
