Application Security tech talk. Paul Deakin Federal Field Systems Engineer. Welcome!. Overview Introduction What does F5 have to do with Security ? . Audience Participation is ENCOURAGED! Ask questions, I’ll do my best to answer them. What’s Our Motivation?.
Application Security tech talk – Paul Deakin, Federal Field Systems Engineer
Welcome! • Overview • Introduction • What does F5 have to do with Security?
Audience Participation is ENCOURAGED! • Ask questions, I’ll do my best to answer them
What is a Web Application vulnerability? “A vulnerability is a weakness or hole in the application, which can be a design flaw or an implementation bug, that allows an attacker to cause harm to the stakeholders of an application.” - owasp.org
Application Layer Attacks • OWASP Top 10 • Injection • Cross Site Scripting (XSS) • Broken Authentication and Session Management • Insecure Direct Object References • Cross Site Request Forgery • Security Misconfiguration • Insecure Cryptographic Storage • Failure To Restrict URL Access • Insufficient Transport Layer Protection • Unvalidated Redirects and Forwards
Web Application Security Concepts • Term “Vulnerability” often used too loosely, should be distinguished from: • Threats: Worms, Viruses, Bots, Trojans, Sniffers, Key Loggers, Back Doors • Attacks: SQL Injection, XSS, CSRF, DOS, Command Injection • Counter-Measures: Detect, Deter, Deny – Authentication, Access Control, Session Management, Input Validation, Error Handling, Logging, Cryptography
HOW F5 CAN HELP YOU • OWASP Top 10 compliant • Integration with vulnerability assessment vendors WhiteHat and Cenzic enables custom ASM policies based on their findings. • Both signature-based and non-signature-based (zero day) security. WhiteHat Sentinel is integrated for further signature-based protection. • Support for positive (whitelist) and negative (blacklist) security models. • A/V scanning of file uploads via the integrated ICAP client. • Learning mode allows transparent observation of the Web App to distinguish actual violations from false positives.
HOW F5 CAN HELP YOU • PCI compliant (with integrated checklist) • ASM DataGuard blocks Social Security and credit card numbers in responses and supports custom pattern matching • Enforces limits: URL/URI length, message length, query-string length, character set • Polices input and output fields, both legal and illegal. • ASM eliminates the need for expensive re-coding of the Web App to patch urgent vulnerabilities.
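The DataGuard bullet above describes pattern-based masking of sensitive numbers in server responses. The following is an added illustration of that idea in Python, not F5 code: it scans a constructed response body for SSN-shaped values and for 13-19 digit sequences, applies a Luhn check so that arbitrary digit runs are not masked as card numbers, and returns the scrubbed body plus a list of findings suitable for logging.

```python
import re

# Constructed sample HTTP response body (not real data): one SSN, one Luhn-valid
# test card number, one 16-digit number that fails Luhn, and an order reference.
SAMPLE_BODY = (
    "Customer: J. Doe\n"
    "SSN: 123-45-6789\n"
    "Card: 4111 1111 1111 1111\n"
    "Ref: 1234 5678 9012 3456\n"
    "Order: 987654321\n"
)

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or dashes.
CC_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrub(body: str):
    """Mask SSNs and Luhn-valid card numbers; keep the last four digits visible."""
    findings = []

    def mask_ssn(m):
        findings.append(("ssn", m.group(0)))
        return "***-**-" + m.group(3)

    def mask_cc(m):
        raw = m.group(0)
        if not luhn_ok(re.sub(r"[ -]", "", raw)):
            return raw          # digit run that is not a card number: leave it alone
        findings.append(("cc", raw))
        return "*" * (len(raw) - 4) + raw[-4:]

    body = SSN_RE.sub(mask_ssn, body)
    body = CC_RE.sub(mask_cc, body)
    return body, findings


if __name__ == "__main__":
    scrubbed, hits = scrub(SAMPLE_BODY)
    print(scrubbed)
    print("findings:", [kind for kind, _ in hits])
```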
Have You been Hacked?
Have you been hacked? • Tell me about it… • What does “hacked” mean to you? • Even the best security analysis teams in the world often reach inconclusive findings. • Real-time monitoring is paramount. • Real-time alerting is critical.
HOW F5 CAN HELP YOU • Logging
HOW F5 CAN HELP YOU • SNMP Alerting • Email Alerting
So where do we sit in the network?
DDOS: Are you ready? • Tell me about it… • Denial of Service attacks ARE NOT always malicious. • Traditionally DOS attacks have taken place at L3/L4. • L7 DOS attacks are much harder to identify.
DDOS: Are you ready? • Must be careful mitigating L7 DOS attacks by source IP alone • To properly mitigate L7 DOS attacks, need to inspect either request frequency rate or server response time, and take a close look at latency. • As many DOS attacks are scripted, BIG-IP ASM can inject a small amount of code (JavaScript) into the server response to tell scripted clients from browsers.
DDOS: Are you ready? • Can protect the back-end Web App by throttling requests per second (RPS) to an object or number • Can set criteria for response latency and TPS. • The key is combining multiple L7 DOS prevention methods • The reporting page for the DOS engine will show the values detected
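The three slides above argue that L7 DoS detection should combine request rate and server latency per object rather than rely on source IP. As an added example (not F5 code; the log format and thresholds are constructed for illustration), the Python below computes per-URI requests per second, mean latency and distinct client count over a window of constructed access-log lines, flags a URI only when both signals are elevated, and shows that the per-IP rate in the same data stays below the limit.

```python
from collections import defaultdict

# Constructed access-log lines (not captured from any real system):
# "<epoch_second> <client_ip> <uri> <server_latency_ms>"
# Eight different clients each hit /search once in a 2 s window while
# latency climbs; /about sees normal traffic from two of the same clients.
SAMPLE_LOG = """\
100 10.0.0.1 /search 40
100 10.0.0.2 /search 45
100 10.0.0.3 /search 900
100 10.0.0.4 /search 950
100 10.0.0.5 /search 1200
101 10.0.0.6 /search 1300
101 10.0.0.7 /search 1100
101 10.0.0.8 /search 1250
101 10.0.0.1 /about 30
101 10.0.0.2 /about 35
""".splitlines()


def parse(lines):
    for line in lines:
        ts, ip, uri, lat = line.split()
        yield int(ts), ip, uri, int(lat)


def per_uri_stats(lines, window_s):
    """Requests per second, mean latency and distinct clients per URI."""
    acc = defaultdict(lambda: {"n": 0, "lat": 0, "ips": set()})
    for _, ip, uri, lat in parse(lines):
        a = acc[uri]
        a["n"] += 1
        a["lat"] += lat
        a["ips"].add(ip)
    return {u: {"rps": a["n"] / window_s,
                "mean_latency_ms": a["lat"] / a["n"],
                "distinct_ips": len(a["ips"])} for u, a in acc.items()}


def classify(stats, rps_limit, latency_limit_ms):
    """Throttle only when rate AND latency are both over their limits."""
    verdict = {}
    for uri, s in stats.items():
        rate_hit = s["rps"] > rps_limit
        latency_hit = s["mean_latency_ms"] > latency_limit_ms
        verdict[uri] = ("throttle" if rate_hit and latency_hit
                        else "watch" if rate_hit or latency_hit else "ok")
    return verdict


def max_rps_per_ip(lines, window_s):
    """Highest request rate seen from any single client; shows why per-IP limits miss this."""
    per_ip = defaultdict(int)
    for _, ip, _, _ in parse(lines):
        per_ip[ip] += 1
    return max(per_ip.values()) / window_s
```

With the constructed data, `/search` reaches 4 RPS at about 848 ms mean latency and is flagged for throttling, while no single client exceeds 1 RPS.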
HOW F5 CAN HELP YOU • F5 BIG-IP Local Traffic Manager (LTM) provides L3/4 DOS prevention • F5 BIG-IP Application Security Manager (ASM) provides customizable, multifaceted L7 DOS prevention. • F5 BIG-IP Global Traffic Manager (GTM) with DNS Express provides DNS DDOS prevention • Deploy many GTMs using a single IP address and a single namespace to mitigate DNS DDOS attacks using IP Anycast.
HOW F5 CAN HELP YOU • VDI is still a server based computing (SBC) model susceptible to DOS. • Multiple VDIs can be placed behind BIG-IP for intrinsic resource cloaking and advanced network access control (e.g., subnet, geo-location). • Allow remote VDI clients access to VDIs based on context (e.g., AD username/group). • F5 has partnered with multiple MDM vendors to pair APM network access control with MDM security.
HOW F5 CAN HELP YOU • Secure FAT clients with APM end-point inspection. • Windows FAT clients can be placed into “Windows Protected Workspace”, restricting USB, CD-ROM, volume, and application access. • Can secure VMware View Security Server from unauthorized access. • TLS security to the View client for enhanced security and performance (DTLS over UDP rather than UDP encapsulated in TCP as with SSL) • Centralized AAA to multiple auth realms for multiple VDIs. Supports CAC with XenApp as a Citrix AGEE solution.
HOW F5 CAN HELP YOU • APM Visual Policy Editor (VPE)
Do you know your users?: End-Point Inspection
Do you know your users? • Enterprises still face numerous challenges with end-point compliance (disparate clients, data leakage, OS patch level). • End-points are often not updated to the latest personal security signatures (firewall, AV, anti-spyware, etc). • Anonymous proxies cloak the true source IP of the client, and networks continue to struggle with this. • Guest/contractor access is difficult to establish without end-point inspection.
HOW F5 CAN HELP YOU • Inspect the system registry to determine if the client is a corporate asset. • Grant access based on AD context (username/security group). • Enforce Windows Protected Workspace for Windows clients; lock down access to USB ports, HDD volumes, optical drives, and applications. • Extend GPOs to any client (does not have to be a member of an AD domain) with GPAnywhere. • Allow/deny access based on AV signature version (support for over 100 personal security clients) • Erase all session-related data upon session termination (browser history, forms, cookies, etc)
HOW F5 CAN HELP YOU • Enforce CAPTCHA on logon to mitigate script-based brute force attacks. • SSL VPN soft virtual interface and route table are wiped upon session termination. • On systems where clean-up controls can’t be enforced, block all file downloads so that temporary internet files are not stored and data does not leak. • Combine end-point inspection with ASM and iRules to block access to file types based on extension and to block access to sensitive information such as Social Security Numbers and credit card numbers.
Network Access Control & AAA
HOW F5 CAN HELP YOU • Network Access Control (NAC) limits clients to specific subnets. • Client soft virtual interface and route table entries are wiped upon session termination. • Support for split tunnel VPN • APM Dynamic Webtop provides client-context-based resource assignments • APM AAA provides a central point of authentication (AD, LDAP, RADIUS, SecurID, OAM) and certificate authentication (CAC/PIV, OCSP/CRLDP). • APM provides advanced Kerberos authentication (KPT, KCD).