WEB APPLICATION FIREWALL 9-20-13 Tony Ganzer F5 SE.


1 WEB APPLICATION FIREWALL Tony Ganzer F5 SE

2 © F5 Networks, Inc. Who Is Responsible for Application Security?
– Clients
– Network
– Applications
– Developers
– Infrastructure
– Engineering services
– Storage
– DBA

3 How Does It Work?
Security at the application, protocol and network level. Request flow through the full proxy:
– Request made
– Security policy checked
– Enforcement: content scrubbing, application cloaking
– Server response
– Security policy applied
– Response delivered
Actions: log, block, allow.
"BIG-IP enabled us to improve security instead of having to invest time and money to develop a new, more secure application."

4 The checks run in this order on every request:
1. Start by checking RFC compliance
2. Then check the various length limits in the HTTP request
3. Then enforce the valid file types for the application
4. Then enforce a list of valid URLs
5. Then check against a list of valid parameters
6. Then, for each parameter, check the maximum value length
7. Then scan each parameter, the URI and the headers for attack signatures

Example request from the slide (note the quote character in name= and the extra admin=1 parameter; the Host and Referer values are blank in the transcript):

GET /search.php?name=Acme’s&admin=1 HTTP/1.1
Host: \r\n
Connection: keep-alive\r\n
User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n
Accept: text/html,application/xhtml+xml,application/xml;q=0.9\r\n
Referer: 
Accept-Encoding: gzip,deflate,sdch\r\n
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\n
Accept-Charset: ISO ,utf-8;q=0.7,*;q=0.3\r\n
Cookie: SESSION=0af2ec985d6ed a339ffef9226; \r\n

5 Scope of Problem
– Website proliferation
– Vulnerabilities introduced
– Automated attacks
– Changing attack patterns
– Risk of brand, $ and IP losses is high

6 How long to resolve a vulnerability? Chart: Website Security Statistics Report

7 Unknown Vulnerabilities in Web Apps
Chart: web application vulnerabilities as a percentage of all disclosures in 2011 H1: web applications 37 percent, others 63 percent (source: IBM X-Force Research and Development).
– Unable to find or mitigate vulnerabilities
– Very expensive to fix by recoding
– Difficult to include scanner assessments
– Need assurance that application security is deployed properly

8 Customers want…
– Reduced window of exposure
– Reduced operational cost
– Assured security: real-time assessments and patching
– Integration with SDLC processes

9 And the hits keep coming: recent application and network attacks. Source:

10 WAS Lifecycle Mgmt. Concept: Simple as your ABCs
– Assess (VA partner): persistent assessment instead of once a year; mission critical+, all external, all internal
– Block (F5): 80% of vulns; remediate all technical vulns
– Correct (customer, SI or VAR): fix the remaining 20% of vulns, via iRules or code correction

11 Traditional Security Devices vs. WAF
Columns: Network Firewall | IPS | WAF (BIG-IP ASM, application security and acceleration)
Rows (attack class):
– Known web worms
– Unknown web worms
– Known web vulnerabilities
– Unknown web vulnerabilities
– Illegal access to web-server files
– Forceful browsing
– Look into the SSL traffic
– Buffer overflow
– Cross-site scripting
– SQL/OS injection
– Cookie poisoning
– Hidden-field manipulation
– Parameter tampering
– Layer 7 DoS attacks
– Brute-force login attacks
The WAF column is marked X down the whole table; the network firewall and IPS columns carry only a few "Limited" and "Partial" marks, whose row positions are not recoverable from the transcript.

12 Identify, Virtually Patch, and Mitigate Vulnerabilities
Scan applications with:
– WhiteHat Sentinel (F5 free scan partner)
– Cenzic Hailstorm (F5 free scan partner)
– QualysGuard Web App Scanning
– IBM Rational AppScan
Configure the vulnerability policy in BIG-IP ASM
Mitigate web application attacks
Diagram: hacker and clients on the Internet, BIG-IP Application Security Manager in front of the data center, private cloud apps and Web 2.0 apps.

13 Customer Website Protection from Vulnerabilities: Enhanced Integration of BIG-IP ASM and DAST
– WhiteHat Sentinel finds a vulnerability
– Virtual patching with one click on BIG-IP ASM
– Verify, assess, resolve and retest in one UI
– Automatic or manual creation of policies
– Discovery and remediation in minutes
– Vulnerability checking, detection and remediation: complete website protection

14 Benefits of Assessments with WAF
Narrows the window of exposure and reduces operational costs:
– Real-time assessments and virtual patching
– Operationalizes administration and simplifies mitigation
Assures application security, availability and compliance:
– Assurance regardless of which vulnerabilities exist or which policies are built
– OWASP protection, compliance, geo-blocking
Improves application performance:
– Availability improves cost effectiveness
Low risk of false positives:
– Laser-focused rules are generated automatically
Easily integrates with SDLC practices:
– Ongoing website security program

15 WAF and the Software Development Lifecycle
Activities placed along the SDLC: policy tuning, pen tests and performance tests, then final policy tuning and pen tests.
– Incorporate vulnerability assessment into the SDLC
– Use business logic to address known vulnerabilities
– Allow resources to create value
WAF "offload" features: cookies, brute force, DDoS, web scraping, SSL, caching, compression

16 Multiple Security Layers
– RFC enforcement
– Enforcement of the various HTTP limits
– Profiling of good traffic: a defined list of allowed file types, URIs and parameters
– Each parameter is evaluated separately for: predefined value, length, character set, attack patterns
– Attack patterns: looking for pattern-matching signatures
– Responses are checked as well

17 Three Ways to Build a Policy
– Dynamic policy builder (automatic): no knowledge of the app required; adjusts the policy if the app changes
– Manual: advanced configuration for custom policies
– Integration with app scanners: virtual patching with continuous application scanning
Diagram: security policy checked on the request, security policy applied on the response.
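An added example, not F5 code and not from the slides, that ties together slide 4's ordered checks, slide 16's per-parameter layers and slide 17's automatic policy builder: a small Python model of a positive-security WAF that first learns allowed URLs, parameters and value lengths from known-good traffic, then runs the seven checks in slide order over the slide's request. Everything not on the slides is my assumption: the Host value (www.example.com), the constructed training traffic, the abbreviated headers and cookie, the allowed character set, and the three illustrative signature patterns (not a vendor signature set); the curly quote in the transcript's Acme’s is written as an ASCII apostrophe, and response-side checks are not shown.

```python
import re
from collections import namedtuple
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qsl

Request = namedtuple("Request", "raw_line path params headers")  # params/headers are dicts

def parse_request(raw: str) -> Request:
    """Step 1, RFC compliance: parse an HTTP/1.1 request head, raising ValueError if it is not RFC-shaped."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            raise ValueError("malformed header %r" % line)
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    if "host" not in headers:
        raise ValueError("HTTP/1.1 request without Host header")
    url = urlsplit(parts[1])
    return Request(lines[0], url.path, dict(parse_qsl(url.query, keep_blank_values=True)), headers)

@dataclass
class ParamRule:                           # slide 16: each parameter is evaluated separately for...
    max_len: int = 0                       # ...length (step 6)
    charset: str = r"[A-Za-z0-9 ._-]*"     # ...character set (regex of allowed characters, my choice)
    values: set = field(default_factory=set)  # ...predefined value; empty set means any value

@dataclass
class Policy:
    max_line_len: int = 2048                                   # step 2: HTTP length limits
    file_types: set = field(default_factory=lambda: {"php", "html", ""})  # step 3
    urls: set = field(default_factory=set)                     # step 4: allowed URLs
    params: dict = field(default_factory=dict)                 # step 5: name -> ParamRule
    # Step 7, the negative model. Three illustrative patterns, not a vendor signature set.
    signatures: dict = field(default_factory=lambda: {
        "sqli": re.compile(r"'\s*(or|and)\s+'|\bunion\b.+\bselect\b|--\s*$|;\s*drop\b", re.I),
        "xss": re.compile(r"<\s*/?\s*script", re.I),
        "traversal": re.compile(r"\.\./"),
    })

def learn_policy(good_traffic: list, policy: Policy = None) -> Policy:
    """Slide 17's automatic policy builder: profile known-good traffic into allowed URLs, parameters and lengths."""
    policy = policy or Policy()
    for raw in good_traffic:
        req = parse_request(raw)
        policy.urls.add(req.path)
        for name, value in req.params.items():
            rule = policy.params.setdefault(name, ParamRule())
            rule.max_len = max(rule.max_len, len(value))
    return policy

def evaluate(policy: Policy, raw: str) -> list:
    """Run slide 4's checks in order; return a (stage, reason) pair for every violation."""
    try:
        req = parse_request(raw)                                   # 1. RFC compliance
    except ValueError as err:
        return [("rfc", str(err))]                                 # nothing else runs on junk
    found = []
    if len(req.raw_line) > policy.max_line_len:                    # 2. length limits
        found.append(("length", "request line too long"))
    last = req.path.rsplit("/", 1)[-1]
    ext = last.rsplit(".", 1)[-1] if "." in last else ""
    if ext not in policy.file_types:                               # 3. file types
        found.append(("file-type", f"illegal file type .{ext}"))
    if req.path not in policy.urls:                                # 4. URLs
        found.append(("url", f"illegal URL {req.path}"))
    for name, value in req.params.items():                         # 5. parameters
        rule = policy.params.get(name)
        if rule is None:
            found.append(("parameter", f"illegal parameter {name}"))
            continue
        if len(value) > rule.max_len:                              # 6. value length
            found.append(("parameter", f"{name}: value longer than {rule.max_len}"))
        if rule.values and value not in rule.values:
            found.append(("parameter", f"{name}: value not in predefined set"))
        if not re.fullmatch(rule.charset, value):
            found.append(("parameter", f"{name}: illegal character in value"))
    for text in [req.path, *req.params.values(), *req.headers.values()]:  # 7. signature scan
        for sig, pattern in policy.signatures.items():
            if pattern.search(text):
                found.append(("signature", f"{sig} matched in {text!r}"))
    return found

HOST = "Host: www.example.com\r\n"        # assumed value; the slide leaves Host blank
GOOD_TRAFFIC = [                          # constructed stand-in for traffic seen in learning mode
    "GET /search.php?name=Acme HTTP/1.1\r\n" + HOST + "\r\n",
    "GET /search.php?name=Acme%20Widgets HTTP/1.1\r\n" + HOST + "\r\n",
    "GET /index.html HTTP/1.1\r\n" + HOST + "\r\n",
]
POLICY = learn_policy(GOOD_TRAFFIC)
SLIDE_REQUEST = ("GET /search.php?name=Acme's&admin=1 HTTP/1.1\r\n" + HOST + "Connection: keep-alive\r\n"
                 "User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\nCookie: SESSION=0af2ec985d6ed\r\n\r\n")
INJECTION_REQUEST = "GET /search.php?name=%27%20OR%20%271%27%3D%271 HTTP/1.1\r\n" + HOST + "\r\n"
NO_HOST_REQUEST = "GET /search.php HTTP/1.1\r\nConnection: keep-alive\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("slide", SLIDE_REQUEST), ("injection", INJECTION_REQUEST), ("no-host", NO_HOST_REQUEST)]:
        print(label, evaluate(POLICY, req) or "allowed")
```

Run it and the slide's request is flagged twice without any signature firing: the learned positive model alone catches the quote character (character set) and the tampered admin parameter (not in the allowed list). The percent-encoded ' OR '1'='1 trips both the character-set rule and the sqli signature, and a request without a Host header never reaches the policy at all. That ordering is the point of slide 4: cheap structural checks first, the expensive pattern scan last, and a positive model that blocks unknown parameters before any signature has to recognise them.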

18 Detailed Logging with Actionable Reports
– At-a-glance PCI compliance reports
– Drill-down for information on security posture

19 DDoS Mitigation: F5 mitigation technologies mapped against the OSI stack (Application 7, Presentation 6, Session 5, Transport 4, Network 3, Data Link 2, Physical 1), with attack detection growing harder the higher up the stack the attack sits.

Application attacks:
– Examples: OWASP Top 10 (SQL injection, XSS, CSRF, etc.), Slowloris, Slow POST, HashDoS, GET floods
– Mitigation, BIG-IP ASM: positive and negative policy enforcement, iRules, full proxy for HTTP, server performance anomaly detection

Session attacks:
– Examples: DNS UDP floods, DNS query floods, DNS NXDOMAIN floods, SSL floods, SSL renegotiation
– Mitigation, BIG-IP LTM and GTM: high-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation

Network attacks:
– Examples: SYN flood, connection flood, UDP flood, PUSH and ACK floods, Teardrop, ICMP floods, ping floods and Smurf attacks
– Mitigation, BIG-IP AFM: SynCheck, default-deny posture, high-capacity connection table, full-proxy traffic visibility, rate limiting, strict TCP forwarding

Packet Velocity Accelerator (PVA) is a purpose-built, customized hardware solution that increases scale by an order of magnitude above software-only solutions.

20 Rapid Virtual Patching and the Software Development Lifecycle (SDLC)
SDLC phases: project planning, requirements definition, design, development, integration and test, installation and acceptance.
– Decouple security from the SDLC
– Address new vulnerabilities immediately
– Ensure PCI compliance
– Incorporate vulnerability assessment into the SDLC
– Use business logic to address known vulnerabilities
– Allow resources to create value

21 Figure 1: 2011 Sampling of Security Incidents by Attack Type, Time and Impact (source: IBM X-Force 2011 Trend and Risk Report, March 2012). Conjecture of relative breach impact is based on publicly disclosed information regarding leaked records and financial losses. Horizontal axis: January to December; the size of each circle estimates the relative impact of the breach in terms of cost to business. Attack types in the legend: SQL injection, URL tampering, spear phishing, third-party software, DDoS, SecurID, Trojan software, unknown.
Incidents plotted: Fox News, X-Factor, Citigroup, Bethesda Software, Italy PM site, Epsilon, Sony, RSA, HBGary, Northrop Grumman, Spanish National Police, Sega, Gmail accounts, PBS, SOCA, Malaysian government site, Nintendo, Peru special police, NATO, Turkish government, US Senate, AZ Police, Lockheed Martin, Sony BMG Greece, L3 Communications, Booz Allen Hamilton, Monsanto, DigiNotar, Vanguard Defense, Hong Kong Stock Exchange, Brazil government, SK Communications Korea, NetNames DNS Service, US law enforcement, TGKK, Mitsubishi Heavy Industries, Epson Korea, PCS Consulting, Valve Steam, Finnish government sites, 178.com, Duowan, CSDN, Trion, Nexon, 7K7K.com, Tianya, Adidas, Israeli and Palestinian sites, Stratfor, United Nations, Sony Norway, MSN, Italian Ministry, Hemmelig.com, IMF.

22 Thank You!

23 devcentral.f5.com | facebook.com/f5networksinc | linkedin.com/companies/f5-networks | twitter.com/f5networks | youtube.com/f5networksinc

