Web Application Firewall

Presentation on theme: "Web Application Firewall"— Presentation transcript:

1 Web Application Firewall
Tony Ganzer F5 SE

2 Who Is Responsible for Application Security?
Clients Infrastructure Applications Storage Network Engineering services Developers DBA

3 How Does It Work? Security at application, protocol and network level
Slide diagram labels: Request made; Security policy checked; Server response; Enforcement; Content scrubbing; Application cloaking; Response delivered; Security policy applied; Actions: log, block, allow. Add-on modules: Message Security Module, Protocol Security Module, Application Security Manager.
Speaker notes: When you’re delivering an application, you also have to worry about security. Again you have a few options: you can try to modify the application, you can put in point solutions, or you can use your ADC as a strategic point of control to secure both your applications and your data. BIG-IP LTM has a number of features that provide security at the application level:
Resource cloaking and content security: prevent error codes and sensitive content from being presented to hackers.
Customized application attack filtering: search for and apply rules to block known application-level attacks.
Packet filtering: L4-based filtering rules to protect at the network level.
Network attack prevention: protect against DoS, SYN floods, and other network attacks while delivering uninterrupted service for legitimate connections.
Quoted on the slide: “BIG-IP enabled us to improve security instead of having to invest time and money to develop a new, more secure application.”

4 Then we can enforce a list of valid URLs (/search.php)
Slide diagram: seven checks applied in order to the sample request.
1 Start by checking RFC compliance
2 Then check for various length limits in the HTTP
3 Then we can enforce valid types for the application
4 Then we can enforce a list of valid URLs
5 Then we can check for a list of valid parameters
6 Then for each parameter we will check for max value length
7 Then scan each parameter, the URI, the headers
Sample request on the slide:
GET /search.php?name=Acme’s&admin=1 HTTP/1.1
Host: \r\n
Connection: keep-alive\r\n
User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n
Accept:text/html,application/xhtml+xml,application/xml;q=0.9\r\n
Referer:
Accept-Encoding: gzip,deflate,sdch\r\n
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\n
Accept-Charset: ISO ,utf-8;q=0.7,*;q=0.3\r\n
Cookie: SESSION=0af2ec985d6ed a339ffef9226; \r\n
Speaker notes: This is a high level overview… I thought we could highlight each area in the request when explaining what we do…
Start by checking RFC compliance: for example, that there is a method like GET/POST at the beginning of the message, that every line ends with \r\n, that the protocol version is valid (HTTP/1.1), that there is a Host header, and that the structure of the headers is good (every header has a value).
Then we check for various length limits on the HTTP message: for example, the full HTTP message length, the URI length (/search.php) or the query string length (name=Mc’donalds&admin=1); we count the number of headers, and we check for cookie max size and header max size.
Then we can enforce valid types for the application, for example only php, jpeg, doc and pdf.
Then we can enforce a list of valid URLs (/search.php).
Then we can check for a list of valid parameters (name and admin).
Then for each parameter we will check for max value length (data and 1 in this case) and valid metacharacters in the value for each parameter (in this example the ‘ metacharacter needs to be allowed in the name parameter). We could also scan the
Then, before we serve the request to the web server, we will scan each parameter, the URI and the headers with attack signatures.
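The seven request checks above, carried out on a constructed copy of the slide's sample request. This is an added Python example written for this page, not F5 code and not an actual BIG-IP ASM policy: the length limits, the allowed file types and URLs, the parameter rules and the signature patterns are assumptions chosen to fit the slide, and the Host value is a placeholder.

```python
"""Request-side checks in the order the slide lists them (steps 1 through 7).
Constructed example: policy values and signatures are assumptions, not an ASM policy."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS"}
# Characters that are never treated as metacharacters in a parameter value.
PLAIN_CHAR = re.compile(r"[A-Za-z0-9 ._@-]")

# Assumed positive-security policy, written in the slide's terms.
POLICY = {
    "max_request_len": 8192, "max_uri_len": 256, "max_query_len": 512,
    "max_headers": 30, "max_header_len": 1024, "max_cookie_len": 512,
    "allowed_types": {"php", "jpeg", "doc", "pdf"},      # step 3, the slide's example
    "allowed_urls": {"/search.php"},                      # step 4
    "parameters": {                                       # steps 5 and 6
        "name": {"max_len": 64, "metachars": {"'"}},      # apostrophe allowed, as the notes say
        "admin": {"max_len": 1, "metachars": set()},
    },
    # Step 7: a few generic attack signatures (constructed for this example).
    "signatures": [re.compile(r"(?i)union\s+select"), re.compile(r"(?i)<script\b"),
                   re.compile(r"\.\./")],
}

# Constructed request modelled on the slide's; the Host value is a placeholder.
SAMPLE_REQUEST = (
    "GET /search.php?name=Acme's&admin=1 HTTP/1.1\r\n"
    "Host: www.example.test\r\n"
    "Connection: keep-alive\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9\r\n"
    "Accept-Encoding: gzip,deflate,sdch\r\n"
    "Accept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\n"
    "Cookie: SESSION=0af2ec985d6ed\r\n"
    "\r\n"
)

def parse_request(raw):
    """Step 1, RFC compliance: CRLF line endings, a known method, a valid version,
    a Host header, and a value for every header. Raises ValueError on a violation."""
    if not raw.endswith("\r\n\r\n"):
        raise ValueError("request not terminated by an empty CRLF line")
    lines = raw[:-4].split("\r\n")
    if any("\n" in line or "\r" in line for line in lines):
        raise ValueError("bare CR or LF inside a line")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, version = parts
    if method not in METHODS:
        raise ValueError(f"unknown method {method!r}")
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        raise ValueError(f"bad protocol version {version!r}")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip() or not value.strip():
            raise ValueError(f"header without a value: {line!r}")
        headers.append((name.strip(), value.strip()))
    if version == "HTTP/1.1" and not any(n.lower() == "host" for n, _ in headers):
        raise ValueError("HTTP/1.1 request without Host header")
    return method, target, version, headers

def check_request(raw, policy=POLICY):
    """Return the list of violations; an empty list means every step passed."""
    try:
        _method, target, _version, headers = parse_request(raw)
    except ValueError as err:
        return [f"rfc: {err}"]
    v = []
    url = urlsplit(target)
    # Step 2: length limits on the message, URI, query string, header count and sizes.
    if len(raw) > policy["max_request_len"]: v.append("length: request too long")
    if len(url.path) > policy["max_uri_len"]: v.append("length: URI too long")
    if len(url.query) > policy["max_query_len"]: v.append("length: query string too long")
    if len(headers) > policy["max_headers"]: v.append("length: too many headers")
    for name, value in headers:
        limit = policy["max_cookie_len"] if name.lower() == "cookie" else policy["max_header_len"]
        if len(value) > limit: v.append(f"length: header {name} too long")
    # Step 3: file type, taken from the extension of the last path segment.
    filename = url.path.rsplit("/", 1)[-1]
    ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    if ext not in policy["allowed_types"]: v.append(f"type: .{ext} not allowed")
    # Step 4: URL allow-list.
    if url.path not in policy["allowed_urls"]: v.append(f"url: {url.path} not allowed")
    # Steps 5 and 6: known parameters, value length, permitted metacharacters.
    params = parse_qsl(url.query, keep_blank_values=True)
    for pname, pvalue in params:
        spec = policy["parameters"].get(pname)
        if spec is None:
            v.append(f"parameter: unknown {pname}"); continue
        if len(pvalue) > spec["max_len"]: v.append(f"parameter: {pname} too long")
        bad = sorted({c for c in pvalue if not PLAIN_CHAR.fullmatch(c) and c not in spec["metachars"]})
        if bad: v.append(f"parameter: {pname} has illegal metacharacters {bad}")
    # Step 7: attack signatures over the URI, each parameter value and each header value.
    texts = [("uri", unquote(target))] + [(f"parameter {p}", x) for p, x in params] \
            + [(f"header {n}", x) for n, x in headers]
    for label, text in texts:
        for sig in policy["signatures"]:
            if sig.search(text): v.append(f"signature: {sig.pattern} matched in {label}")
    return v
```

check_request returns an empty list for the slide's request because the apostrophe in name is explicitly permitted for that parameter; the same request with an unknown parameter, a non-allow-listed URL or a bare LF line ending returns one entry per failed step, which is the input a log, block or allow decision is made on.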

5 Scope of Problem Website Proliferation Vulnerabilities introduced
Automated attacks
Changing attack patterns
Risk of brand, $ and IP losses high
Speaker notes: SMB and large enterprises have anywhere from 10s to 1000s of websites. Recent high-profile events have made them acutely aware of the damage caused by a breach. Failure to test and remediate serious vulnerabilities, on all websites, can result in security breaches imposing significant financial loss, brand damage, legal fees and potential loss of intellectual property. However, many have done little to address website security, and those that have tried simply do not have the resources (time or skilled personnel) to test and secure all their websites or remediate all the security vulnerabilities that are currently in production. Additionally, they continue to update many of these websites in 3-6 week cycles using Agile development methods, increasing the likelihood of security vulnerabilities and the pressure to fix them.
[Ido] Over the last two years there were a lot of automated attacks. These are bots that spider the web randomly looking for application-layer holes to take advantage of; the driver behind it is mainly to find malware distribution points. What it means to you is that you don’t have to own a high-profile website to experience attacks: every web presence is being attacked, no matter how well known it is.
Organizations want assurance that their internal and external applications are available and secure. To assure their perimeter is safe and brand is protected, they need to:
Have a clear understanding of their current security posture through continuous monitoring of all websites.
Mitigate vulnerabilities based on severity, business impact, and business priorities.
Reduce the complexity, time, and costs associated with protecting their applications.
Adopt technology that is reliable and easy to set up and support.
Obtain maximum value out of limited budget resources.

6 How long to resolve a vulnerability?
Spring 2009 Website Security Statistics Report from WhiteHat Security
82% of websites have had a HIGH, CRITICAL, or URGENT issue
63% of websites currently have a HIGH, CRITICAL, or URGENT issue
60% vulnerability resolution rate among the sample, with 7,157 (out of 17,888 historical vulnerabilities) unresolved issues remaining as of 3/31/09
Vulnerability time-to-fix metrics are not changing substantively, typically requiring weeks to months to achieve resolution.
Average number of HIGH, CRITICAL, or URGENT severity vulnerabilities per website during the vulnerability assessment lifetime: 17
Average number of serious unresolved vulnerabilities per website: 7
Average number of inputs (attack surface) per website: 227
Average ratio of vulnerability count / number of inputs: 2.58%

7 Unknown Vulnerabilities in Web Apps
Unable to find or mitigate vulnerabilities
Very expensive to fix by recoding
Difficult to include scanner assessments
Need assurance that app sec. is deployed properly
Web application vulnerabilities as a percentage of all disclosures in 2011 H1: Web Applications 37 percent, Others 63 percent. Source: IBM X-Force Research and Development

8 Customers want… Reduce Window of Exposure, Reduce Operational Cost
Assured security: real-time assessments & patching
Integrated with SDLC processes
Desired perception
Speaker notes: Reduce window of exposure by providing full external and internal site assessments in a continuous fashion. Reduce operational cost by providing a simple automated persistent scan process integrated with one-click virtual patching. Assure security through a combination of real-time website assessments and automated virtual patching. Easily integrated with SDLC processes, and an assured security blanket for all code that is dropping or being modified. F5 and DASTs deliver the next generation of website security with a simple, accurate and automated solution to protect business assets in a dynamic threat environment. Organizations can dramatically reduce their window of exposure to security breaches through comprehensive assessments, zero false positives, and automated virtual patching. The WhiteHat Sentinel and F5 ASM integration can reduce operational costs by reporting only Sentinel-verified vulnerabilities, automatically generating WAF rules, and instantly mitigating 80% of the vulnerabilities through one-click virtual patching. This enables development and security teams to focus their time and resources on the 20% of remaining security issues and other critical business needs.

9 Recent Application and Network Attacks
And the hits keep coming:
International Monetary Fund – Phishing attack
Citibank – Credit card info – Parameter tampering
Malaysian Government – 51 sites: DoS attack
Sony – User/passwords – Brute force, DoS attacks
FBI affiliate Infragard – /state secrets – SQL injection
Brazilian government and Petrobras latest LulzSec victims – Sites down: DDoS attacks
The Two Faces of Hacking (IEEE Spectrum): Some hackers use software and hardware to express themselves creatively—either solving entirely novel technical challenges or finding new ways to skin the same old cats. Others are motivated by money, power, politics, or pure mischief. They steal identities, deface Web sites, and break into supposedly secure and certainly sensitive databases. We at IEEE Spectrum have written dozens of stories about both—the Steampunkers and Arduino do-it-yourselfers, on the one hand, the Anonymous and Lulzsec ne’er-do-wells on the other. We took 25 of the biggest and best stories and assessed them along two dimensions: innovation and impact. Whether you agree with our assessments or not, we'd like to hear what you think.
Source:

10 Concept– Simple as your ABCs
Assess (VA Partner): persistent assessment vs. once a year; mission critical+, all external, all internal
Block (F5): 80% of vulns; remediate all technical vulns
Correct (Customer, SI or VAR): fix the remaining 20% of vulns via iRules, code correction, WAS lifecycle mgmt.
Speaker notes: Cenzic and/or WhiteHat Sentinel and F5 Application Security Manager integration enables (channel partners to provide their) customers an operationalized approach to WAF management that increases their protection. Customers will be encouraged to protect more of their applications with the ASM, leading to additional sales. The combined solution uses a continuous assessment approach to maintaining up-to-date rule sets, resulting in the mitigation of an average of 80% of vulnerabilities on customer websites through push-button automation. The integration also allows channel partners to aid customers in building iRule solutions for the remaining 20% of the vulnerabilities. F5 DAST partners have the ability to assess and show risk posture on thousands of websites simultaneously without requiring any additional customer resources.

11 Traditional Security Devices vs. WAF
Columns: Network Firewall | IPS | WAF-ASM
Rows: Known Web Worms; Unknown Web Worms; Known Web Vulnerabilities; Unknown Web Vulnerabilities; Illegal Access to Web-server files; Forceful Browsing; Look into the SSL traffic; Buffer Overflow; Cross-Site Scripting; SQL/OS Injection; Cookie Poisoning; Hidden-Field Manipulation; Parameter Tampering; Layer 7 DoS Attacks; Brute Force Login Attacks; App. Security and Acceleration
Cell marks in the order they were extracted (column assignment lost): Limited X X Limited Limited Partial X Limited Limited X X Limited Limited Limited Limited Limited X Limited X X X X X X X
Speaker notes: These are the names of the attacks people generally refer to when they talk about application security. Note that it’s all just jargon; everyone has the same list and will claim that they can prevent it all. The real question is: HOW do they prevent it, and can they really prevent these things from happening in real life, in the ways that your applications are vulnerable to? Let me give you a small example…

12 Identify, Virtually Patch, and Mitigate Vulnerabilities
Scan applications with: WhiteHat Sentinel (F5 Free Scan Partner), Cenzic Hailstorm (F5 Free Scan Partner), QualysGuard Web App. Scanning, IBM Rational AppScan
Configure vulnerability policy in BIG-IP ASM
Mitigate web app. attacks
Diagram labels: Hacker; Clients; Internet; Data Center; Web 2.0 Apps; Private Cloud Apps; BIG-IP Application Security Manager
Scanner scans applications to identify vulnerabilities and directly configures BIG-IP ASM policies to implement a virtual patch that blocks web app attacks.
Speaker notes: BIG-IP ASM is now importing vulnerabilities – not patches – (in v11); it effectively becomes a vulnerability management tool along with being a WAF. Obviously, the net effect is enabling very rapid response, particularly in the instance where you're waiting for the third-party vendor to patch the vulnerability.

13 BIG-IP Application Security Manager
Protection from vulnerabilities
Enhanced integration: BIG-IP ASM and DAST
Flow: customer website; WhiteHat Sentinel finds a vulnerability; virtual patching with one click on BIG-IP ASM; vulnerability checking, detection and remediation; complete website protection
Verify, assess, resolve and retest in one UI
Automatic or manual creation of policies
Discovery and remediation in minutes

14 Benefits of Assessments with WAF
Narrows window of exposure and reduces operational costs: real-time assessments and virtual patching; operationalizes admin. and simplifies mitigation
Assures app security, availability and compliance: assurance no matter what vulnerabilities or policies are built; OWASP protection, compliance, geo blocking
Improves app performance: availability improves cost effectiveness
Low risk of false positives: laser-focused rules are generated automatically
Easily integrates with SDLC practices: ongoing website security program
Speaker notes: Narrow your window of exposure and reduce operational costs for businesses of all sizes: on average, serious vulnerabilities take 60+ days to remediate by applying a fix in the code. Virtual patching with Cenzic or WhiteHat results and the F5 ASM can automatically mitigate vulnerabilities instantaneously, narrowing your window of exposure to minutes and buying your developers precious time.
Ensure app security and availability: get comprehensive geolocation attack protection from OWASP Top Ten attacks while assisting with compliance (including PCI 6.6).
Improve app security and performance: enable advanced application security while accelerating performance and improving cost effectiveness.
[Ido] Low risk of false positives: the rules are “laser focused”, meaning that they only touch the vulnerable parameter or URL and only include specific mitigation rules for the vulnerability.
Deploy flexibly with increased agility: focus on fast application development and flexible deployment in virtual and cloud environments with the assurance that F5 and our partners’ continuous monitoring and virtual patching will identify and mitigate exposed risks.
Easy integration with SDLC practices: easily create an ongoing website security program to enable near-instantaneous mitigation response and application protection as part of your software development lifecycle (SDLC).

15 WAF and the Software Development Lifecycle
Policy tuning, pen tests, performance tests
WAF “offload” features: cookies, brute force, DDoS, web scraping, SSL, caching, compression
Final policy tuning, pen tests
Incorporate vulnerability assessment into the SDLC
Use business logic to address known vulnerabilities
Allow resources to create value
Speaker notes: Best scenario: add ASM into the SDLC in the Design, Integration/Test, and Installation and Acceptance phases. Some customers are unable to make that investment. For these customers we offer an alternative: vulnerability assessment on the production environment followed by a quick ASM mitigation. Essentially this is the WhiteHat integration, giving them assurance of no open vulnerabilities.

16 Multiple Security Layers
RFC enforcement
Various HTTP limits enforcement
Profiling of good traffic
Defined list of allowed file types, URIs, parameters
Each parameter is evaluated separately for: predefined value, length, character set, attack patterns
Looking for pattern-matching signatures
Responses are checked as well
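This slide ends with “Responses are checked as well”, and slide 3 names the two response-side controls: application cloaking and content scrubbing. The following added Python example (written for this page, not F5 code) shows both on a constructed response: headers that identify the server stack are dropped, error output is replaced with a generic page, and Luhn-valid card numbers in the body are masked. The header names, the error-text patterns, the generic page and the sample response are all assumptions.

```python
"""Response-side checks: application cloaking and content scrubbing.
Constructed example; header list, patterns and error page are assumptions."""
import re

# Headers that reveal the server stack; removed before the response leaves (cloaking).
CLOAK_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}
GENERIC_ERROR = "<html><body>An error occurred. Please try again later.</body></html>"
# Markers of error output that should never reach a client (constructed list).
ERROR_LEAK = re.compile(r"(?i)stack trace|uncaught exception|ORA-\d{5}|error in your SQL syntax")
# Candidate card numbers: 13 to 16 digits, optionally separated by spaces or hyphens.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

def luhn_ok(number):
    """Luhn checksum over the digits of `number`; filters out order numbers and the like."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_cards(body):
    """Replace Luhn-valid card numbers with their last four digits; returns (body, count)."""
    count = 0
    def repl(match):
        nonlocal count
        if not luhn_ok(match.group(0)):
            return match.group(0)       # not a card number: leave it alone
        count += 1
        return "****" + match.group(0)[-4:]
    return CARD_CANDIDATE.sub(repl, body), count

def check_response(status, headers, body):
    """Return (status, headers, body, events) after cloaking and scrubbing."""
    events, out_headers = [], {}
    for name, value in headers.items():
        if name.lower() in CLOAK_HEADERS:
            events.append(f"cloak: removed header {name}")
            continue
        out_headers[name] = value
    # Server errors and leaked error text are replaced with a generic page.
    if status >= 500 or ERROR_LEAK.search(body):
        events.append(f"cloak: error content replaced (status {status})")
        return status, out_headers, GENERIC_ERROR, events
    body, masked = mask_cards(body)
    if masked:
        events.append(f"scrub: masked {masked} card number(s)")
    return status, out_headers, body, events
```

The Luhn check is what keeps the scrubber from masking every 16-digit order or tracking number it sees; a rule that masked on digit count alone would break legitimate pages. The events list is what would be logged, so the application team can see what was removed and why.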

17 Three Ways to Build a Policy
Slide labels: Security policy checked; Security policy applied
Dynamic policy builder
Automatic – no knowledge of the app required; adjusts policies if the app changes
Manual – advanced configuration for custom policies
Integration with app scanners – virtual patching with continuous application scanning
Speaker notes: At the heart of BIG-IP ASM is the dynamic policy builder engine, which is responsible for automatic self-learning and creation of security policies. It can learn automatically or manually. Automatic learning (policy builder): no knowledge of the app required; if the app changes, the policy builder can automatically adjust the policy. Manual learning: for more advanced users.
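As an added illustration of the automatic learning idea on this slide (constructed for this page; not the BIG-IP ASM policy builder's actual algorithm), this Python example learns allowed URLs, parameter names, value lengths and numeric-only parameters from a constructed sample of good traffic, requires an entity to be seen a minimum number of times before trusting it, and adjusts when the application starts sending a new parameter. The min_samples threshold and the learned attributes are assumed design choices.

```python
"""Toy automatic policy builder: learns a positive policy from observed good
traffic, then flags deviations. Constructed illustration, not ASM's algorithm."""
from collections import defaultdict

class PolicyBuilder:
    def __init__(self, min_samples=3):
        # An entity is trusted only after min_samples sightings, so one unusual
        # request does not get learned into the policy (assumed design choice).
        self.min_samples = min_samples
        self.url_count = defaultdict(int)
        self.param_count = defaultdict(int)      # (url, name) -> times seen
        self.param_maxlen = defaultdict(int)     # (url, name) -> longest value seen
        self.param_numeric = {}                  # (url, name) -> every value seen was numeric

    def learn(self, url, params):
        """Record one observed request: a URL path and a dict of its parameters."""
        self.url_count[url] += 1
        for name, value in params.items():
            key = (url, name)
            self.param_count[key] += 1
            self.param_maxlen[key] = max(self.param_maxlen[key], len(value))
            self.param_numeric[key] = self.param_numeric.get(key, True) and value.isdigit()

    def policy(self):
        """Current learned policy: trusted URLs and, per URL, trusted parameters."""
        urls = {u for u, c in self.url_count.items() if c >= self.min_samples}
        params = {}
        for (u, n), c in self.param_count.items():
            if u in urls and c >= self.min_samples:
                params[(u, n)] = {"max_len": self.param_maxlen[(u, n)],
                                  "numeric": self.param_numeric[(u, n)]}
        return {"urls": urls, "params": params}

    def violations(self, url, params):
        """Enforcement: list what in this request falls outside the learned policy."""
        pol = self.policy()
        if url not in pol["urls"]:
            return [f"url {url} not in learned policy"]
        out = []
        for name, value in params.items():
            spec = pol["params"].get((url, name))
            if spec is None:
                out.append(f"parameter {name} not learned for {url}")
                continue
            if len(value) > spec["max_len"]:
                out.append(f"parameter {name} on {url} longer than learned {spec['max_len']}")
            if spec["numeric"] and not value.isdigit():
                out.append(f"parameter {name} on {url} expected numeric value")
        return out

# Constructed sample of good traffic (paths and parameters, already parsed).
OBSERVED = [
    ("/search.php", {"name": "widgets", "page": "1"}),
    ("/search.php", {"name": "gadgets", "page": "2"}),
    ("/search.php", {"name": "Acme", "page": "12"}),
    ("/item.php", {"id": "42"}),
    ("/item.php", {"id": "7"}),
    ("/item.php", {"id": "1003"}),
    ("/admin.php", {"debug": "1"}),    # seen only once: stays untrusted
]

def build_from_samples(samples, min_samples=3):
    """Learn a policy from a list of (url, params) observations."""
    builder = PolicyBuilder(min_samples)
    for url, params in samples:
        builder.learn(url, params)
    return builder
```

Once the learned policy is in place, a request for a URL or parameter the application never used is reported as a deviation; when the application is updated and a new parameter shows up consistently, the builder trusts it after the threshold is reached, which is the “adjusts policies if the app changes” behaviour the slide describes.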

18 Detailed Logging with Actionable Reports
Full visibility with BIG-IP ASM
Terminates HTTP traffic and logs the full HTTP message, enabling forensics
Identifies and logs all web application attacks, including requests that cause web server errors
Easy to deliver to the application team for troubleshooting
Equipped with high-speed and customized syslog logging
Integrates with leading SIEM vendors such as ArcSight, Splunk, RSA enVision, NitroSecurity, and more
At-a-glance PCI compliance reports
Drill-down for information on security posture

19 F5 mitigation technologies
DDoS mitigation: increasing difficulty of attack detection as you move up the OSI stack: Physical (1), Data Link (2), Network (3), Transport (4), Session (5), Presentation (6), Application (7).
Network attacks: SYN Flood, Connection Flood, UDP Flood, Push and ACK Floods, Teardrop, ICMP Floods, Ping Floods and Smurf Attacks
Session attacks: DNS UDP Floods, DNS Query Floods, DNS NXDOMAIN Floods, SSL Floods, SSL Renegotiation
Application attacks: OWASP Top 10 (SQL Injection, XSS, CSRF, etc.), Slowloris, Slow Post, HashDos, GET Floods
F5 mitigation technologies:
BIG-IP AFM: SynCheck, default-deny posture, high-capacity connection table, full-proxy traffic visibility, rate-limiting, strict TCP forwarding. Packet Velocity Accelerator (PVA) is a purpose-built, customized hardware solution that increases scale by an order of magnitude above software-only solutions.
BIG-IP LTM and GTM: high-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation
BIG-IP ASM: positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detection
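Two of the mitigation techniques the slide lists, rate-limiting and a connection table, as an added Python example constructed for this page (not F5 code): a per-source sliding-window limiter applied to a made-up GET flood, and a connection table that caps header-incomplete connections per source and reaps the ones that hold a slot past a timeout, which is the Slowloris / Slow Post pattern from the application-attack row. Addresses, limits and timings are constructed values.

```python
"""Per-source request rate limiting and a connection table with a header timeout.
Constructed illustration of two L7 DDoS controls; values are made up."""
import collections

class RequestRateLimiter:
    """Sliding window: at most `limit` requests per `window` seconds from each source."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.history = collections.defaultdict(collections.deque)

    def allow(self, source, now):
        recent = self.history[source]
        while recent and now - recent[0] >= self.window:   # forget timestamps outside the window
            recent.popleft()
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        return True

class ConnectionTable:
    """Tracks connections still waiting for complete request headers."""
    def __init__(self, header_timeout, max_per_source):
        self.header_timeout, self.max_per_source = header_timeout, max_per_source
        self.pending = {}                        # conn_id -> (source, opened_at)
        self.per_source = collections.Counter()  # header-incomplete connections per source

    def open(self, conn_id, source, now):
        """Admit a connection unless the source already holds its quota of pending slots."""
        if self.per_source[source] >= self.max_per_source:
            return False
        self.pending[conn_id] = (source, now)
        self.per_source[source] += 1
        return True

    def headers_complete(self, conn_id):
        source, _ = self.pending.pop(conn_id)
        self.per_source[source] -= 1

    def reap(self, now):
        """Close connections that held a slot longer than header_timeout without finishing."""
        stalled = [c for c, (_, t) in self.pending.items() if now - t > self.header_timeout]
        for conn_id in stalled:
            source, _ = self.pending.pop(conn_id)
            self.per_source[source] -= 1
        return sorted(stalled)

# Constructed event log: (time, source) per request line received. One source sends
# 20 requests in under a second; another sends three spread over two seconds.
FLOOD_EVENTS = [(0.05 * i, "198.51.100.7") for i in range(20)] + \
               [(0.5, "198.51.100.9"), (1.5, "198.51.100.9"), (2.5, "198.51.100.9")]

def replay(events, limit=10, window=5.0):
    """Run the limiter over an event log; returns {source: (allowed, dropped)}."""
    limiter = RequestRateLimiter(limit, window)
    stats = collections.defaultdict(lambda: [0, 0])
    for now, source in sorted(events):
        stats[source][0 if limiter.allow(source, now) else 1] += 1
    return {s: tuple(v) for s, v in stats.items()}

def slow_headers_demo():
    """Ten connections from one source open at t=0 and never finish their headers;
    one normal connection completes. Returns (ids reaped at t=31, admitted count)."""
    table = ConnectionTable(header_timeout=30.0, max_per_source=8)
    admitted = sum(table.open(f"c{i}", "198.51.100.7", 0.0) for i in range(10))
    table.open("good", "198.51.100.9", 0.0)
    table.headers_complete("good")
    return table.reap(31.0), admitted
```

The two controls answer different parts of the problem: the limiter caps how fast one source can consume server work, while the per-source slot cap and header timeout stop a small number of clients from pinning the connection table open without ever sending a complete request.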

20 RAPID VIRTUAL PATCHING SOFTWARE DEV. LIFECYCLE (SDLC)
SDLC phases: Project planning; Requirements definition; Design; Development; Integration & test; Installation & acceptance
Incorporate vulnerability assessment into the SDLC
Use business logic to address known vulnerabilities
Allow resources to create value
Design: WAF “offload” features: cookies, brute force, DDoS, web scraping, SSL, caching, compression
Integration & Test: policy tuning, pen tests, performance tests
Installation & Acceptance: final policy tuning, pen tests
Decouple security from the SDLC
Address new vulnerabilities immediately
Ensure PCI compliance

21 2011 Sampling of Security Incidents by attack type, time and impact
Conjecture of relative breach impact is based on publicly disclosed information regarding leaked records and financial losses. Size of circle estimates relative impact of breach in terms of cost to business.
Figure 1: 2011 Sampling of Security Incidents by Attack Type, Time and Impact. Horizontal axis: Jan through Dec 2011. Attack types in the legend: SQL injection, URL tampering, spear phishing, third-party software, DDoS, Trojan software, unknown.
Organizations plotted: 178.com, Bethesda Software, Finnish Government Sites, PCS Consulting, Duowan, Epson Korea, Norway, MSN, Fox News X-Factor, Northrop Grumman, Italy PM Site, IMF, Italian Ministry, Hemmelig.com, Citigroup, CSDN, Valve Steam, Sega, Trion, Epsilon, Diginotar, Mitsubishi Heavy Industries, Spanish Nat Police, Gmail Accounts, Booz Allen Hamilton, 7K7K.com, Sony, PBS, Nexon, HB Gary, Vanguard Defense, TGKK, SOCA, Monsanto, Stratfor, SecureID, Malaysian Gov Site, Peru Special Police, Hong Kong Stock Exchange, NetNames DNS Service, Adidas, RSA, Lockheed Martin, United Nations, Nintendo, Brazil Gov, SK Communications Korea, L3 Communications, US Law Enforcement, Tian.ya, Sony BMG Greece, Turkish Government, Israeli and Palestinian Sites, AZ Police, US Senate, NATO.
Source: IBM X-Force 2011 Trend and Risk Report, March 2012

22 Thank You!
