Web Application Protection Against Hackers and Vulnerabilities


Presentation on theme: "Web Application Protection Against Hackers and Vulnerabilities"— Presentation transcript:

1 Web Application Protection Against Hackers and Vulnerabilities
Barracuda Web Application Controllers
Barracuda Networks Confidential

2 Agenda
- Introductions
- Barracuda Networks Company Overview
- Barracuda Web Application Controller
- Deployment Options
- Detection / Protection Methods
- Profiling – Positive vs. Negative Security Model
- Authentication
- Traffic Management
- Logging and Reporting
- Performance
- Roadmap
- Q&A

3 Company Information
Mission
- Deliver comprehensive mid-market appliance-based solutions
- Leader in Email and Web Security
- Company started in late 2003
- Headquarters in Campbell, California
- Sales and support presence in Australia, Brazil, Belgium, Canada, China, France, Germany, India, Japan, Spain, Taiwan, UK and USA
- 400+ employees worldwide
Privately Funded
- Cash flow positive for more than 4 years
- First outside investment $40 million: Sequoia Capital & Francisco Partners (January 2006)
Market Leader
- 70,000 customers worldwide

4 Barracuda Networks Management Team
- Dean Drako, President & CEO – Velosel, Boldfish, Design Acceleration, 3DO, Apple
- Michael Perone, Executive VP & CMO – Address.com, Spinway, GE, JPL
- Zach Levow, CTO – Affinity Path, Spinway, Sun, Cadence
- David Faugno, CFO – Cisco Systems, AT&T
- Blair Hankins, VP Engineering – Nokia, Intellisync, Lotus
- Stephen Pao, VP Product Management – Cisco Systems, Nuance, Oracle
Sales Management
- Ezra Hookano, VP Sales North America – SonicWALL, U4EA
- José Luis Sanchez, VP Sales Latin America – Netscreen
- Paul Thackeray, VP & Managing Director EMEA – SonicWALL
- Peter He, Managing Director China – Pandaguard, PricewaterhouseCoopers
- Niall King, VP Sales APAC – Neoteris, Cacheflow

5 Barracuda Networks Company Strategy
- Powerful, easy-to-use hardware solutions
- Simple sales process
- Aggressive price point
- No per user licensing fees
- Yearly subscription: Energize Updates
- Enterprise and SMB market
- Great customer service and technical support
- Streamlined manufacturing and delivery

6 Barracuda Networks Product Strategy
- Integrated hardware and software solutions
- Comprehensive products: complete problem solutions in a single product, no “options” to add extra charges
- Ease of use: flexible deployment options, easy to use interfaces
- Single vendor for service and support
- No per user license fees
- Ongoing security services

7 Products For All Parts of the Network
- DMZ: Barracuda Spam Firewall, Barracuda IM Firewall
- Inside the Network: Barracuda Web Filter, Barracuda Message Archiver
- Data Center: Barracuda Load Balancer, Barracuda Web Site Firewall

8 Barracuda Networks Worldwide
- Products in multiple languages
- Offices in more than 10 countries
- Distributors in more than 80 countries

9 USA Customers

10 Vertical Customers
- Education
- Government
- Financial
- Technology / Internet
- Corporate

11 Worldwide Customers (70,000+)
- APAC
- EMEA
- Latin America

12 Award-Winning Products
- “(The Barracuda Web Filter is) an attractive proposition for the enterprise market, designed for simple administration and high throughput.” -SC Magazine, February 2007
- “Despite being heavy on the features, (Barracuda) Web Filter 310 remains easy to use and fully customizable.” -CRN, June 2007

13 Barracuda Networks & NetContinuum
- NetContinuum acquired in July 2007
- Leading provider of Web Application Firewall and Application Gateway appliances
- Ranked No. 1 in Forrester Research WAVE Report 2006
- Strategic acquisition puts Barracuda Networks in a strong position to expand the Web Application Firewall market
- Barracuda Networks support and product investment: building upon existing NetContinuum products; additional plans to address needs of smaller customers; increasing investment in the Web Application Firewall product category

14 Web Application Controllers Major Features
- Comprehensive Web site protection against attacks, unauthorized access, data theft and Web site defacement
- Web XML services protection
- Application access control
- Application delivery and acceleration
- Logging, monitoring and reporting

15 Web Application Controllers Detailed Features
Web site protection
- HTTP protocol compliance
- SQL injection blocking
- OS command injection protection
- XSS protection
- Form/cookie tampering defense
- Online form field validation
- Denial of Service protection
- Outbound packet scanning
- Web site cloaking
- Anti-crawling
- Advanced learning modes
XML services security
- XML attack prevention
- Validation of XML schema, SOAP envelopes and XML content
- WS-I profile validation
- Web services cloaking
- XML DoS attack protection
Application access control
- SSO portal
- LDAP and RADIUS integration
- PKI support
- Web access management: CA SiteMinder, RSA Access Manager
Application delivery and acceleration
- Caching
- Compression
- Connection pooling
- Load balancing
- SSL acceleration
- High availability
Plus much, much more...

16 Integrates easily into existing systems
Authentication
- LDAP
- RADIUS
- X.509 / CRL – for two-factor authentication with client certificates
Logging
- Syslog
- FTP – standardized transport for log storage
- W3C Extended logging – standardized log format to integrate with generic access log parsers
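The point of exporting in W3C Extended Log Format is that any generic parser can map the columns from the `#Fields:` directive instead of hard-coding a vendor layout. The following parser is an added example, not code from the presentation or from the product: the sample log lines, the `#Software` name and the `x-action` field (the format reserves the `x-` prefix for vendor extensions) are constructed for the example.

```python
"""Parse W3C Extended Log Format and summarise blocked requests per client.

Added example; the sample log, the '#Software' name and the 'x-action'
extension field are constructed and do not come from any real appliance.
"""

# Constructed sample log. Directive lines start with '#'; '#Fields:' names
# the columns of the data lines that follow; '-' marks an empty field.
SAMPLE_LOG = """#Software: hypothetical-waf
#Version: 1.0
#Date: 2008-03-01 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status x-action
2008-03-01 10:15:01 203.0.113.7 GET /login - 200 allow
2008-03-01 10:15:03 203.0.113.7 POST /login - 403 block
2008-03-01 10:15:04 198.51.100.9 GET /images/logo.png - 200 allow
2008-03-01 10:15:09 203.0.113.7 GET /search q=shoes 200 allow
2008-03-01 10:15:12 203.0.113.7 POST /login - 403 block
"""


def parse_w3c_extended(text: str) -> list:
    """Return one dict per data line, keyed by the names in '#Fields:'.

    The field list may be redeclared mid-file (the format allows it), so the
    current declaration is tracked while iterating. A data line whose column
    count does not match the declaration is reported rather than silently
    mis-mapped: shifted columns would corrupt any analysis built on the log.
    """
    fields = None
    records = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives carry no per-request data
        if fields is None:
            raise ValueError(f"line {lineno}: data before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"line {lineno}: {len(values)} values for {len(fields)} fields")
        records.append({f: (None if v == "-" else v) for f, v in zip(fields, values)})
    return records


def blocked_by_client(records: list) -> dict:
    """Count blocked requests per client IP, a typical first triage view."""
    counts = {}
    for r in records:
        if r.get("x-action") == "block":
            counts[r["c-ip"]] = counts.get(r["c-ip"], 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_w3c_extended(SAMPLE_LOG)
    print(len(recs), "records; blocked per client:", blocked_by_client(recs))
```

Because columns are resolved by name, the same code keeps working when the appliance is reconfigured to emit extra fields, as long as the `#Fields:` directive is emitted with them.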

17 Barracuda Web Site Firewall Product Line
Listed from 1 Gbps down to 25 Mbps:
- NC2000 AG, NC1100 AG, NC500 AG (Barracuda Application Gateway)
- Enterprise: Barracuda Web Site Firewall 660
- SMB: Barracuda Web Site Firewall 460, Barracuda Web Site Firewall 360

18 Barracuda Web Application Controllers Satisfy Major PCI DSS Requirements
- Credit card companies increase pressure on merchants: must be PCI compliant by June 30, 2008
- Acts as both network firewall and Web Application Firewall
- Proxies Web traffic and insulates Web servers from direct attacks
- Provides SSL encryption
- Blocks top 10 most common application vulnerabilities
- Provides role-based administration: LDAP integration and unique ID support
- Provides application access logging and interacts with AAA systems

19 Web Application Controllers Architecture
Single point of protection for inbound and outbound Web traffic

20 Terminate, Secure, Accelerate, Centralized Control
Diagram: Users → Terminate → Secure → Accelerate → Web Applications, under Centralized Control.
Terminate (Session Control)
- TCP Session Termination
- SSL Termination
- HTTP Protocol Normalization & Compliance
- FTP Compliance
- HTTP Header Re-Write
- URL Translation
- URL Rate Control
Secure (Security Assurance)
- Application Cloaking
- AAA
- White List
- Forms Protection
- Cookie Protection
- Data Theft Protection
- Dynamic Learning
- SQL & OS CMD Injection
- XSS Attack Protection
- Custom Black List: REGEX
Accelerate (Availability Assurance)
- Caching
- GZIP Compression
- TCP Connection Pooling
- SSL Cryptographic Offload, Backend Encryption
- Layer 7 Content Switching
- Load Balancing
- Server & App Health Checking with Failover

21 Deployment Options
- Full reverse proxy
- One-armed proxy
- Normal bridged
- Fail open bridged

22 Proxy vs. Non-proxy: Fundamental Difference in Security Capabilities
Non-proxy WAFs expose server operating systems and TCP stacks directly to the Internet. You need a proxy-based WAF for:
- Web Address Translation – non-proxies cannot rewrite URLs
- Cloaking – non-proxies do not cloak
- SSL – non-proxy SSL is VERY slow
- Cookie security – non-proxies do not protect against ID theft
- L7 Rate Control – non-proxies do not protect against DoS
- Authentication and Authorization – non-proxies cannot do AAA
- Data Theft Protection – non-proxies cannot mask outbound data
- Response time acceleration – non-proxies cannot accelerate

23 Flexible HTTP / HTTPS deployments
- Front end SSL (offload SSL)
- Front and back end SSL
- Enforced SSL: automatic redirect of HTTP to HTTPS

24 Client SSL certificate support
The WAC can support client certificates for authentication to an application/VIP. In addition, the WAC can support client certificates for backend communication.

25 Security: Web Site Cloaking
- Attacker's first task: reconnaissance of the network for weaknesses. What Web, database and application servers are being used? What versions, patches or known vulnerabilities are there?
- Cloaking makes enterprise Web resources invisible to hackers and worms: it hides all error codes, HTTP headers and IP addresses

26 Security: Inbound Attacks
Attack classes
- Injection – SQL, OS commands
- Scripting – XSS, CSRF
- Cookie/session poisoning
- Parameter/form tampering
Protections applied to port 80/443 traffic before it reaches the Web applications
- Protocol sanitization
- Validation
- Request limit checks
- Zero-day attacks via Web site profiles

27 Cookie and Session Protection
- Cookie Protection
- Session ID Tracking

28 Security: Outbound
Deep inspection of outgoing content blocks:
- Credit cards
- Social security numbers
- Custom patterns
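What the outbound inspection on this slide does in practice, as an added example (not code from the presentation or the product): scan a response body for card-number and SSN patterns, apply the Luhn checksum so that arbitrary 16-digit references are not masked as card numbers, and mask all but the last four digits while preserving the original separators. The response body is constructed for the example; a deployment would also carry the "custom patterns" the slide mentions as extra regular expressions.

```python
import re

# Constructed sample response body. The first number passes the Luhn check
# (a card number); the 16-digit reference number does not and must survive.
SAMPLE_BODY = (
    "Order 1042 confirmed for card 4111 1111 1111 1111, "
    "reference 1234 5678 9012 3456, customer SSN 078-05-1120."
)

# 13 to 16 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
# US Social Security Number in the common hyphenated layout.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_card(match) -> str:
    raw = match.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_ok(digits):
        return raw                # shaped like a card number but is not one
    hidden = len(digits) - 4      # keep the last four digits visible
    out, seen = [], 0
    for ch in raw:
        if ch.isdigit():
            seen += 1
            out.append("X" if seen <= hidden else ch)
        else:
            out.append(ch)        # keep separators so the page layout survives
    return "".join(out)


def scrub_response(body: str) -> str:
    """Mask card numbers and SSNs in an outbound response body."""
    body = CARD_RE.sub(_mask_card, body)
    body = SSN_RE.sub(lambda m: "XXX-XX-" + m.group(0)[-4:], body)
    return body


if __name__ == "__main__":
    print(scrub_response(SAMPLE_BODY))
```

The Luhn check is what keeps false positives down: order numbers, tracking numbers and timestamps routinely contain 13 to 16 digits, and masking those would break the application for legitimate users.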

29 Brute Force Prevention & Rate Control
Slow down attackers via Rate Control
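A per-client, per-URL limiter is the mechanism behind "slow down attackers via rate control" on this slide and behind the DoS entry in the top-10 table later in the deck. The following is an added example, not code from the presentation or the product: a sliding-window limiter keyed by (client, URL) with the clock passed in, so that a constructed traffic sample can be replayed deterministically. It rejects excess requests; the deck says the appliance queues them, which would be a small change to the reject branch.

```python
from collections import defaultdict, deque


class UrlRateLimiter:
    """Sliding-window rate control keyed by (client, URL).

    Hypothetical model of "URL Rate Control": at most `limit` requests to one
    URL from one client within any `window` seconds. Excess requests are
    rejected here; an appliance could queue them instead. The timestamp is
    passed in rather than read from the system clock, so tests are repeatable.
    """

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)   # (client, url) -> request timestamps

    def check(self, client: str, url: str, now: float) -> bool:
        """Record the request and return True if it is within the limit."""
        q = self._hits[(client, url)]
        while q and now - q[0] >= self.window:   # expire timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False                          # rejected requests are not counted
        q.append(now)
        return True


# Constructed traffic: (seconds, client IP, URL). One client repeatedly hits
# /login while another client uses the site normally.
SAMPLE_TRAFFIC = [
    (0.0, "203.0.113.7", "/login"),
    (0.2, "203.0.113.7", "/login"),
    (0.4, "203.0.113.7", "/login"),
    (0.6, "203.0.113.7", "/login"),    # fourth within the window: rejected
    (0.8, "198.51.100.9", "/login"),   # different client: allowed
    (1.0, "203.0.113.7", "/home"),     # different URL: allowed
    (10.5, "203.0.113.7", "/login"),   # window has slid past: allowed again
]


def run_policy(traffic, limit: int = 3, window: float = 10.0) -> list:
    """Apply one limiter to a traffic list; returns one decision per request."""
    limiter = UrlRateLimiter(limit, window)
    return [limiter.check(client, url, t) for t, client, url in traffic]


if __name__ == "__main__":
    for (t, client, url), ok in zip(SAMPLE_TRAFFIC, run_policy(SAMPLE_TRAFFIC)):
        print(f"{t:5.1f}s {client:14} {url:8} {'allow' if ok else 'reject'}")
```

Keying on the URL as well as the client is what lets a tight limit sit on `/login` without throttling the rest of the site; the limit and window for an authentication endpoint are normally set far lower than for static content.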

30 Top 10 threats …
Threat – Protection Mechanism
1 Un-validated Input – Learns accepted application logic to validate incoming and outgoing session content for legitimate application behavior
2 Broken Access Control – Sets up and enforces authorization and access control policies to authenticate user access
3 Broken Authentication and Session Management – Automatically encrypts session cookies and assigns unique session IDs to ensure secure user sessions
4 Cross-Site Scripting (XSS) Attacks – Validates user input by terminating the session and inspecting incoming requests
5 Buffer Overflows – Rejects any file from an invalid Web page and limits total Web request length across applications
6 Injection Flaws – Inspects each request to the Web application for malicious code and blocks the request prior to reaching
7 Improper Error Handling – Cloaks details of Web application infrastructure
8 Insecure Storage – Filters and intercepts outbound traffic and also blocks or masks attempts to access sensitive information
9 Application Denial of Service (DoS) – Monitors and controls the amount of queries to the same URL from a single user and queues the requests while allowing legitimate Web site access
10 Insecure Configuration Management – Acts as the DMZ to proxy inbound and outbound Web traffic to neutralize any configuration vulnerabilities
White paper with more details available at :

31 Web Address Translation
- URL Translations
- Request Rewrites
- Response Rewrites
- Response Body Rewrites
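Response rewriting and cloaking (slide 25) are two sides of the same proxy step: headers that fingerprint the server are dropped, error output is replaced by a generic page, and internal host names in `Location` headers and response bodies are translated to the published name. The following is an added example, not code from the presentation or the product; the internal and external origins, the header values and the error body are constructed for the example, and the HTTP status code is left unchanged (the deck's "hides all error codes" may go further than this).

```python
# Response headers that reveal server software or topology.
FINGERPRINT_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "via"}

# Hypothetical names: the backend origin as the application knows itself and
# the origin published to clients.
INTERNAL_ORIGIN = "http://app01.corp.internal:8080"
EXTERNAL_ORIGIN = "https://www.example.com"

# Generic page served instead of the application's own error output.
GENERIC_ERROR_BODY = "<html><body><h1>Request could not be completed.</h1></body></html>"


def cloak_response(status: int, headers: dict, body: str):
    """Return (status, headers, body) with server details removed.

    - fingerprint headers are dropped
    - the internal origin is rewritten to the external one in Location and body
    - 4xx/5xx responses get a generic body, because stack traces and default
      error pages reveal the server, framework, file paths and line numbers
    - Content-Length is recomputed whenever the body changed
    """
    out = {}
    for name, value in headers.items():
        key = name.lower()
        if key in FINGERPRINT_HEADERS:
            continue
        if key == "location":
            value = value.replace(INTERNAL_ORIGIN, EXTERNAL_ORIGIN)
        out[name] = value
    if status >= 400:
        new_body = GENERIC_ERROR_BODY
    else:
        new_body = body.replace(INTERNAL_ORIGIN, EXTERNAL_ORIGIN)
    if new_body != body:
        for name in list(out):
            if name.lower() == "content-length":
                out[name] = str(len(new_body.encode("utf-8")))
    return status, out, new_body


# Constructed sample responses as they might leave a backend server.
ERROR_BODY = "<b>Fatal error</b>: call to undefined function in /var/www/app/db.php on line 42"
ERROR_RESPONSE = (
    500,
    {"Server": "Apache/2.2.8 (Unix) PHP/5.2.6", "X-Powered-By": "PHP/5.2.6",
     "Content-Type": "text/html", "Content-Length": str(len(ERROR_BODY))},
    ERROR_BODY,
)
REDIRECT_RESPONSE = (302, {"Location": INTERNAL_ORIGIN + "/account/"}, "")
PAGE_RESPONSE = (200, {"Content-Type": "text/html"},
                 f'<a href="{INTERNAL_ORIGIN}/help">Help</a>')


if __name__ == "__main__":
    for resp in (ERROR_RESPONSE, REDIRECT_RESPONSE, PAGE_RESPONSE):
        print(cloak_response(*resp))
```

The `Location` rewrite is the case that most often breaks when a reverse proxy is introduced: applications that build absolute redirect URLs from their own host name send clients to the internal address unless the proxy translates it.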

32 Real-world WAF deployment experience …
- Multiple geographically distributed deployments
- Multiple customers with over 5 years of experience using reverse proxy protection
- Multiple customers with over 15 Web Application Controllers
- Customers protecting THOUSANDS of Web applications
- Wide variety of applications – enterprise, government, telecom, energy, e-commerce providers

33 WAC Customers

34 Proven WAF Success Model
- Default Security Policy with Exceptions (Negative Security Model): broad based protection
- Application Templates (OWA, SharePoint, etc.)
- Positive Security Model: targeted applications, hand coded protection

35 Best Practice – Mix Security Models
Positive versus Negative security models
- Positive: define the “good” behavior and assume all other traffic is attack traffic
- Negative: insulate against “bad” behavior
Don't over-apply the positive security model
- Difficult to understand and maintain profiles
- Applications change frequently
- Only provides cost/benefit for certain applications
Target specific applications for the positive security model; most companies aim for broad protection through the negative security model
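The mix the slide recommends can be made concrete in a few dozen lines, so here is an added example (not code from the presentation or the product) of one policy engine applying both models: negative-model signatures and a request-length limit run on every parameter of every URL, while a positive-model parameter profile is enforced only for the one URL that has a profile. The `decide` function adds the active/passive distinction the deck describes later (block in active mode, log only in passive mode). The signature set, the `/account/transfer` profile and the sample requests are constructed for the example; a real rule set is far larger.

```python
import re
from urllib.parse import parse_qsl

# Negative model: traffic that is bad for any application. Deliberately small,
# constructed signature set; a production rule set is much larger.
NEGATIVE_RULES = {
    "sql-injection": re.compile(r"(?i)\bor\b\s+\d+\s*=\s*\d+|union\s+select|;\s*drop\b"),
    "xss": re.compile(r"(?i)<\s*script\b|javascript:|on(?:error|load|click)\s*="),
    "os-command": re.compile(r"(?:;|\|\||&&)\s*(?:cat|ls|id|whoami)\b"),
    "directory-traversal": re.compile(r"\.\./|%2e%2e%2f", re.I),
}
MAX_PARAM_LENGTH = 256   # request limit check, applied to every parameter

# Positive model: an explicit profile for one targeted URL (hypothetical
# /account/transfer form). Parameters not in the profile are rejected, and
# each value must match its pattern in full.
POSITIVE_PROFILES = {
    "/account/transfer": {
        "to_account": re.compile(r"\d{8,12}"),
        "amount": re.compile(r"\d{1,7}(\.\d{2})?"),
        "memo": re.compile(r"[\w .,-]{0,64}"),
    },
}


def inspect_request(path: str, query: str) -> list:
    """Return the violations for one request; an empty list means it passes."""
    params = parse_qsl(query, keep_blank_values=True)
    violations = []
    # Negative model and request limits: every parameter, every URL.
    for name, value in params:
        if len(value) > MAX_PARAM_LENGTH:
            violations.append(f"limit:{name}")
        for rule, pattern in NEGATIVE_RULES.items():
            if pattern.search(value):
                violations.append(f"{rule}:{name}")
    # Positive model: only where an explicit profile exists for the URL.
    profile = POSITIVE_PROFILES.get(path)
    if profile is not None:
        for name, value in params:
            pattern = profile.get(name)
            if pattern is None:
                violations.append(f"unknown-param:{name}")
            elif not pattern.fullmatch(value):
                violations.append(f"profile:{name}")
    return violations


def decide(path: str, query: str, mode: str = "active"):
    """Apply the policy in 'active' (block) or 'passive' (log only) mode."""
    violations = inspect_request(path, query)
    if not violations:
        return "allow", violations
    return ("block" if mode == "active" else "log"), violations


if __name__ == "__main__":
    # Constructed sample requests: a search with no profile, and the profiled form.
    for path, query in [
        ("/search", "q=blue+shoes"),
        ("/search", "q=%3Cscript%3Ealert(1)%3C/script%3E"),
        ("/account/transfer", "to_account=12345678&amount=100.00&memo=rent"),
        ("/account/transfer", "to_account=12345678&amount=100.00&debug=1"),
    ]:
        print(path, query, "->", decide(path, query, mode="passive"))
```

Note what each model catches: the unexpected `debug` parameter on the profiled form is only visible to the positive model, while the script tag in the unprofiled search is only visible to the negative model. That asymmetry is why the deck pairs broad negative coverage with a few hand-profiled applications.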

36 Is this Madness? NO!
Most “real world” security is “negative security model”:
- Spam filters profile spam and viruses and let other traffic flow
- Web filters categorize bad sites and let unknown sites pass
- The same should apply to Web application security
Why?
- Most bad traffic is usually easy to identify
- False positives are costly and defeat the purpose of security
- Good traffic changes frequently with new business partners, new business trends, and new applications

37 Most Bad Traffic is Easy to Identify
Do not need a detailed application profile to:
- Cloak the Web site to hide known areas of vulnerability
- Digitally sign or encrypt cookies to prevent cookie and session tampering
- Identify or block common attack types: SQL injections, OS command injections, Cross-Site Scripting attacks, remote file inclusions, directory traversals
- Filter outbound content for credit card, SSN, etc.
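Signing cookies at the proxy, as this slide and item 3 of the top-10 table describe, needs no knowledge of the application: the proxy appends a MAC to the cookie value on each `Set-Cookie` leaving the server, verifies and strips it on each `Cookie` header arriving from the client, and rejects anything that does not verify. The following is an added example (not code from the presentation or the product) of the signing variant; it uses HMAC-SHA256 keyed with a constructed secret, and the cookie names and values are constructed too.

```python
import base64
import hashlib
import hmac

# Hypothetical per-appliance secret. A deployment would generate this key,
# store it outside the configuration export and rotate it.
SECRET_KEY = b"constructed-demo-key-not-for-production"

# Cookies the proxy signs on the way out and verifies on the way in.
PROTECTED_COOKIES = {"sessionid"}


def _mac(name: str, value: str) -> str:
    """HMAC-SHA256 over name and value, so a signed value cannot be replayed
    under a different cookie name; URL-safe base64 keeps it cookie-safe."""
    digest = hmac.new(SECRET_KEY, f"{name}={value}".encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def sign_set_cookie(header_value: str) -> str:
    """Rewrite a Set-Cookie header from the server: append a MAC to the value
    of a protected cookie; attributes (Path, HttpOnly, ...) are kept as-is."""
    first, *attrs = [p.strip() for p in header_value.split(";")]
    name, _, value = first.partition("=")
    if name in PROTECTED_COOKIES:
        value = f"{value}.{_mac(name, value)}"
    return "; ".join([f"{name}={value}", *attrs])


def verify_cookie_header(header_value: str):
    """Check a Cookie header from the client.

    Returns (header_to_forward, rejected_names). Protected cookies are
    forwarded with the MAC stripped, so the application sees exactly the value
    it set; a missing or mismatched MAC marks the cookie as tampered.
    """
    forwarded, rejected = [], []
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        if name in PROTECTED_COOKIES:
            original, sep, sig = value.rpartition(".")
            expected = _mac(name, original)
            if not sep or not hmac.compare_digest(sig.encode(), expected.encode()):
                rejected.append(name)
                continue
            value = original
        forwarded.append(f"{name}={value}")
    return "; ".join(forwarded), rejected


if __name__ == "__main__":
    outbound = sign_set_cookie("sessionid=abc123; Path=/; HttpOnly")
    print("to client:", outbound)
    signed_value = outbound.split(";")[0].split("=", 1)[1]
    print("valid:   ", verify_cookie_header(f"sessionid={signed_value}; theme=dark"))
    print("tampered:", verify_cookie_header("sessionid=abc124." + signed_value.split(".", 1)[1]))
```

Because the MAC is computed by the proxy, the application needs no change, which is the point of the slide: tamper protection for session cookies comes from the negative-model layer, not from an application profile. Encrypting the value instead of signing it additionally hides its content from the client, at the cost of the proxy having to decrypt on every request.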

38 Defining Policy Exceptions
- Start with conservative policies to provide protection
- Can optionally start with passive monitoring: the interactive log view differentiates attacks from potential policy problems; in many cases, issues can be mitigated with a single click
- Then, enable active protection
- Priority should be on providing broad-based protection to avoid the majority of attack types upfront and early

39 Fine grained control …
The Barracuda Web Application Controller can be deployed in either active or passive mode for each application/VIP (virtual IP). In addition, the following can individually be set to passive mode for further granularity:
- Header ACLs
- URL Policies
- URL Profiles
- Parameter Profiles

40 Easy to use Feedback loop
The Policy Tuning wizard makes it simple to relax rules and accept false positives.

41 Full flexibility for power users …
The Barracuda Web Application Controller allows a user to create custom signatures via a regular expression wizard.

42 SharePoint 2007 Deployment with Barracuda Web Application Controller
- Website Cloaking
- Request Lengths
- URL Normalization
- URL Protection
- Enhanced Application Profiles
- Session protection
- Data/Identity Theft
- Deployment Scenarios
- SSL
- Load balancing and Application monitoring
- Authentication and Access Control
- Compression and caching
- Content Routing
Other Ongoing Efforts
- Virus Protection for uploaded files
- Enhanced URL protection in the path itself

43 Learning Mode
Ease of configuring the learning mode

44 Learning Mode : Flexible Deployment …
Can deploy in Active OR Passive mode while learning

45 Avoid Common Pitfalls
- Take care not to over-apply the positive security model
- Be wary of relying heavily on automated “learning”
  - Learning technology has some “sizzle” with new customers
  - Useful in certain cases (particularly response-based learning on very simple applications)
  - Experienced WAF users prefer implementing broad-based protections early and hand coding targeted application areas
Problems
- Hard to generate complete test traffic cases
- Can “learn” bad behavior if used against real-world traffic
- Automated profiles are hard to maintain
  - Analogy: think about automated HTML generators
  - Does not learn “structure” from a human point of view
- Hard to go “half way” – usually not worth waiting for

46 Authentication, Authorization & Single Sign On
- Provides front-end authentication for Web applications
- Integrates with popular authentication servers
- Supports two-factor authentication schemes
Diagram elements: Web Applications, Authentication Server

47 Authentication Service Support
Authentication support
- Basic
- Digest Authentication
- Client Certificate Authentication
Integration with the following authentication services
- Internal
- LDAP
- RADIUS
- CA SiteMinder
- RSA Access Manager

48 Traffic Management
- Content Switching
- Load Balancing
  - Server health monitoring
  - Layer 7 persistence
  - Fall back servers
- Caching
- Compression
Diagram: content switching between an Image Server, an HR Server and a Partner Portal, with a Cache.

49 Application Delivery and Acceleration
- SSL Offloading/Acceleration, Backend Encryption
- High Availability minimizes downtime of critical business apps
- Application Health Monitoring ensures optimal Load Balancing
- TCP Pooling – multiple requests use the same connection: improved performance

50 Extensive Logging Capabilities
- Audit logs, Web firewall logs, Web logs, System logs, and Network Firewall logs.

51 Comprehensive reporting and scheduling

52 Performance
Performance Metric: Transaction Rates and Throughput (NC / NC-2000, both proven through testing)
L2-L4
- Maximum Concurrent TCP Connections: 400,000 conns / 1,400,000 conns
- Maximum Throughput: 1 Gbps
- Maximum TCP Connections/sec: 6,000 cps / 23,000 cps
- TCP Multiplexing Ratio: 7:1 / 10:1
L7 HTTP
- HTTP 1.1 Transactions/Requests/sec: 12,000 tps / 44,000 tps
- HTTP 1.1 Trans/sec – Security Features Turned ON: 6,000 tps / 30,000 tps
- HTTP 1.1 Trans/sec – Security + Acceleration Features Turned ON: 5,000 tps / 28,000 tps
- Latency during HTTP 1.1 testing: <1 ms
Legend: conns = total simultaneous connections; cps = new L4 connections per second; tps = new L7 transactions per second; Mbps = Megabits per second; Gbps = Gigabits per second; kbps = kilobits per second; ms = milliseconds; s = seconds
* Transaction Rate tests measured using 1024 byte objects, except for TCP and SSL Bulk Throughput test using 1Mb object.
* Latency testing performed against 5 popular websites (Yahoo.com, Amazon.com, BBC.com, UCLA.edu, Whitehouse.gov), totaling 1,262,608 bytes of data, sustaining 2048 transactions/second unless otherwise stated.

53 Performance (continued; NC / NC-2000)
L7 HTTPS
- HTTPS 1.1 Transactions/Requests/sec: 9,000 tps
- HTTPS 1.1 Trans/sec – Security Features Turned ON: 6,000 tps / 15,000 tps
- HTTPS 1.1 Trans/sec – Security + Acceleration Features Turned ON: 4,000 tps / 10,000 tps
- Latency during HTTPS 1.1 testing: <5 ms / <10 ms
SSL
- Maximum Concurrent SSL Connections: 100,000 conns
- Maximum SSL Throughput – Bulk Transfer of 1Mb File: 1 Gbps
- Maximum SSL Transaction Rate with No Session Re-Use: 8,000 tps
Legend and test notes as on the previous slide.

54 Road Ahead: Barracuda Control Center
Diagram: data centers in London, New York, California and Mumbai.

55 Barracuda Control Center

56 Barracuda Control Center: Features
Status
- See all the devices
- Check on: hardware, connectivity, subscription, traffic, firmware
Reporting
- Aggregated reporting
- Restrict data based on user groups
Configurations
- Standardize configuration of multiple appliances
- Create exceptions for individual appliances
Multiple administrators
- Provide access to a subset of appliances
- Set permissions

57 Other Roadmap Items
Security
- Virus checking for file uploads
- Automated attack definitions
Authentication
- Built-in single sign-on across Web applications
- SAML
Performance
- Caching improvements / content optimization
Scalability
- Global server load balancing for N-way clustering
- Larger hardware platform – model 1060 based on model 1000 hardware

