Web Application Security
with the Application
Security Manager (ASM)

Piotr Oleszkiewicz

Zbigniew Skurczynski
zbig@f5.com







Agenda

• Web Security – What are the problems?
• Vulnerabilities and protection strategies
• Web security with a Web Application Firewall (WAF)
• Security Policy Setups
• About us




Application Security: Trends and Drivers

• "Webification" of applications
• Intelligent browsers and applications
• Public awareness of data security
• Increasing regulatory requirements
• The next attackable frontier
• Targeted attacks



The weakest link

"64% of the 10 million security incidents tracked targeted port 80."
(Information Week magazine)




Why Are Web Applications Vulnerable?

• Security officers are not involved in software development, while developers are not security conscious
• New code is written to a best-practice methodology but not tested properly
• New types of attack are not covered by the current methodology
• New code is written in a hurry due to business pressures
• Code written by third parties is badly documented and poorly tested, and the third party is no longer available
• Flaws in third-party infrastructure elements
• Session-less web applications written with a client-server mentality




Most web applications are vulnerable!

"70% of websites at immediate risk of being hacked!"
- Acunetix, Jan 2007, http://www.acunetix.com/news/security-audit-results.htm

"8 out of 10 websites vulnerable to attack"
- WhiteHat Security Report, Nov 2006, https://whitehatsec.market2lead.com/go/whitehatsec/webappstats1106

"75 percent of hacks happen at the application."
- Gartner, "Security at the Application Level"

"64 percent of developers are not confident in their ability to write secure applications."
- Microsoft Developer Research

"The battle between hackers and security professionals has moved from the network layer to the Web applications themselves."
- Network World




www.owasp.org Top Ten Project

A1 – Cross Site Scripting (XSS): XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser which can hijack user sessions, deface web sites, etc.

A2 – Injection Flaws: Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.

A3 – Insecure Remote File Include: Code vulnerable to remote file inclusion allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise.

A4 – Insecure Direct Object Reference: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.

A5 – Cross Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker.

A6 – Information Leakage and Improper Error Handling: Applications can unintentionally leak information about their configuration, internal workings, or violate privacy through a variety of application problems. Attackers use this weakness to violate privacy, or conduct further attacks.

A7 – Broken Authentication and Session Management: Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users' identities.

A8 – Insecure Cryptographic Storage: Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud.

A9 – Insecure Communications: Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.

A10 – Failure to Restrict URL Access: Frequently, the only protection for sensitive areas of an application is that links or URLs are not presented to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations.



Problems are growing

Yesterday:
• Tens of working hours of the best security specialists
• Preparing a successful attack on a web application was very expensive, but it could still bring profit if the target was interesting enough

Today:
• Automatic and semi-automatic tools that are user friendly
• Fuzzers (more than 20 open source tools alone)
• Newest trend: evolutionary programming
• Bottom line: the cost of preparing a successful attack has fallen dramatically!




Most web applications are vulnerable!

Practical demonstration:
- Google
- Weak application logic
- The web browser is the only tool we need



Not enough time!

The time from finding a vulnerability to launching an attack is falling.

Are your applications prepared for ZERO-DAY attacks?




Web Application Security

[Diagram] Perimeter security is strong, but it is open to web traffic on port 80 and port 443. Attacks now look to exploit application vulnerabilities: Buffer Overflow, Cross-Site Scripting, SQL/OS Injection, Cookie Poisoning, Hidden-Field Manipulation, Parameter Tampering. What the attacker obtains: non-compliant information, forced access to information, infrastructural intelligence. High information density = high value attack.




Web Application Security with ASM

[Diagram] ASM sits between the browser and the application: it allows legitimate requests and stops bad requests and responses, blocking unauthorised access, leakage of non-compliant information and disclosure of infrastructural intelligence.




Traditional Security Devices vs. Web Application Firewall (ASM)

Threat                               Network Firewall   IPS       ASM
Known Web Worms                      Limited            -         Yes
Unknown Web Worms                    X                  Limited   Yes
Known Web Vulnerabilities            Limited            Partial   Yes
Unknown Web Vulnerabilities          X                  Limited   Yes
Illegal Access to Web-server files   Limited            X         Yes
Forceful Browsing                    X                  X         Yes
File/Directory Enumerations          X                  Limited   Yes
Buffer Overflow                      Limited            Limited   Yes
Cross-Site Scripting                 Limited            Limited   Yes
SQL/OS Injection                     X                  Limited   Yes
Cookie Poisoning                     X                  X         Yes
Hidden-Field Manipulation            X                  X         Yes
Parameter Tampering                  X                  X         Yes

Legend: Yes = protects; Limited / Partial = partial protection; X = no protection; - = no entry on the original slide.




Security Policy in ASM

[Diagram] Traffic from the browser is checked against the Security Policy, which holds the definition of good and bad behaviour. Enforcement acts on requests; Content Scrubbing and Application Cloaking act on responses.




Security Policy in ASM

• Can be generated automatically or manually
• Highly granular on configuration and blocking
• Easy to understand and manage
• Bi-directional:
  - Inbound: protection from generalised & targeted attacks
  - Outbound: content scrubbing & application cloaking
• Application content & context aware








Positive Security - Example

[Screenshot: a request carrying <script> in a parameter value is rejected because the value does not match the policy]

Actions not known to be legal can now be blocked:
- Wrong page order
- Invalid parameter
- Invalid value
- etc.








Negative vs. Positive Security




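Added example, written for this page and not taken from the deck or from F5's code: a minimal Python model of the two security models the last two slides contrast. The negative-security function applies a short signature list and trusts everything else; the positive-security function accepts only what the policy for one hypothetical object, `/search.php`, declares legal (the path, the parameter names `q` and `page`, and their value patterns are assumptions made for illustration). The `<script>` value from the example slide is caught by both models; an XSS payload without `<script` and a SQL injection that hides the signature's keywords slip past the signatures but are still rejected by the positive policy, simply because they are not valid values.

```python
import re
from typing import Dict, Optional

# Constructed positive-security policy for one hypothetical object.
# ASM's real policy format is not modelled; this is what "known good" means below.
POLICY = {
    "/search.php": {
        "methods": {"GET"},
        "params": {
            "q":    re.compile(r"^[\w .-]{1,64}$"),   # free text: word chars, space, dot, dash
            "page": re.compile(r"^\d{1,3}$"),         # small positive integer
        },
    },
}

# Constructed negative-security signature set: a short list of known-bad patterns.
SIGNATURES = [
    ("xss_script_tag", re.compile(r"<script", re.IGNORECASE)),
    ("sql_union_select", re.compile(r"\bunion\b.+\bselect\b", re.IGNORECASE)),
]


def negative_check(value: str) -> Optional[str]:
    """Negative model: block only what a signature recognises; anything else is trusted."""
    for name, pattern in SIGNATURES:
        if pattern.search(value):
            return name
    return None


def positive_check(path: str, method: str, params: Dict[str, str]) -> Optional[str]:
    """Positive model: allow only known objects, methods, parameter names and value shapes."""
    obj = POLICY.get(path)
    if obj is None:
        return "unknown_object"
    if method not in obj["methods"]:
        return "illegal_method"
    for name, value in params.items():
        pattern = obj["params"].get(name)
        if pattern is None:
            return f"unknown_parameter:{name}"
        if not pattern.fullmatch(value):
            return f"illegal_value:{name}"
    return None  # every element of the request is known to be legal


def compare(path: str, method: str, params: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Run both models over the same request so the difference is visible side by side."""
    hit = None
    for value in params.values():
        hit = hit or negative_check(value)
    return {"negative": hit, "positive": positive_check(path, method, params)}


if __name__ == "__main__":
    requests = [
        ("/search.php", "GET", {"q": "blue widgets", "page": "2"}),       # legitimate
        ("/search.php", "GET", {"q": "<script>alert(1)</script>"}),     # the slide's example
        ("/search.php", "GET", {"q": "<img src=x onerror=alert(1)>"}),  # XSS without <script
        ("/search.php", "GET", {"q": "1 uni/**/on sel/**/ect 1"}),      # SQLi evading the signature
        ("/search.php", "GET", {"q": "x", "debug": "1"}),               # parameter the app never had
    ]
    for path, method, params in requests:
        print(params, "->", compare(path, method, params))
```

The positive model is only as good as its definition of legal values: a pattern as loose as `.*` for `q` would let the same payloads through, which is why the later slides spend so much time on how tight a policy can be made and how it is learned.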




Protection for Dynamic Values or Hidden Field Manipulation







Selective Application Flow Enforcement

[Diagram] Login page (Username, Password) -> account page (From Acc., To Acc., $ Amount, Transfer). Following the expected path is ALLOWED; reaching the transfer step without passing through the expected pages is a VIOLATION.

Landing directly on the account page:
• Should this be a violation?
• The user may have bookmarked the page!
• Unnecessarily enforcing flow can lead to false positives.

The transfer step: this part of the site is a financial transaction that requires authentication; we should enforce strict flow and parameter validation.


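Added example, written for this page and not F5's implementation: a Python sketch of the two controls the previous two slides describe. Dynamic (hidden) values are bound to the session with an HMAC tag, so a value edited in the browser fails verification and a value captured in one session cannot be replayed in another. Flow is enforced selectively: only the hypothetical `/transfer` object requires an authenticated session that arrived from `/account`, while `/account` itself may be bookmarked without a violation. Object names, field names, the demo credentials and the key are all assumptions.

```python
import hashlib
import hmac
from typing import Dict, Optional

SECRET = b"constructed-demo-key"   # assumption: a per-deployment key; never hard-coded for real


def sign_value(session_id: str, name: str, value: str) -> str:
    """Tag a dynamic value with an HMAC over (session, field name, value)."""
    msg = f"{session_id}|{name}|{value}".encode()
    tag = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:32]
    return f"{value}:{tag}"


def verify_value(session_id: str, name: str, signed: str) -> Optional[str]:
    """Return the original value if its tag verifies for this session, else None."""
    value, sep, tag = signed.rpartition(":")
    if not sep:
        return None
    msg = f"{session_id}|{name}|{value}".encode()
    expected = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:32]
    return value if hmac.compare_digest(tag, expected) else None


# Selective flow enforcement (hypothetical object names): only /transfer is
# flow-enforced, and only from /account; every other object is an entry point.
FLOW_ENFORCED = {"/transfer": {"/account"}}
# Dynamic values that must arrive with a valid tag, per object.
PROTECTED_FIELDS = {"/transfer": ("from_acc",)}


class Session:
    def __init__(self, session_id: str):
        self.id = session_id
        self.authenticated = False
        self.last_object: Optional[str] = None


def render_account(session: Session, from_acc: str) -> str:
    """The value the server would place in the transfer form's hidden from_acc field."""
    return sign_value(session.id, "from_acc", from_acc)


def handle(session: Session, path: str, params: Dict[str, str]) -> str:
    """Enforce flow and hidden-field integrity, then let the request through."""
    if path in FLOW_ENFORCED:
        if not session.authenticated:
            return "VIOLATION:unauthenticated"
        if session.last_object not in FLOW_ENFORCED[path]:
            return f"VIOLATION:illegal_flow:{session.last_object}->{path}"
        for name in PROTECTED_FIELDS.get(path, ()):
            if verify_value(session.id, name, params.get(name, "")) is None:
                return f"VIOLATION:hidden_field:{name}"
    if path == "/login":   # constructed credentials for the demo
        session.authenticated = (params.get("username"), params.get("password")) == ("alice", "correct horse")
    session.last_object = path   # violations returned early and did not advance the flow
    return "ALLOWED"


if __name__ == "__main__":
    s = Session("sess-1")
    print(handle(s, "/account", {}))                                  # bookmarked page: ALLOWED
    print(handle(s, "/transfer", {"from_acc": "ACC-1001"}))           # VIOLATION:unauthenticated
    print(handle(s, "/login", {"username": "alice", "password": "correct horse"}))
    print(handle(s, "/account", {}))
    field = render_account(s, "ACC-1001")
    tampered = "ACC-9999:" + field.rpartition(":")[2]
    print(handle(s, "/transfer", {"from_acc": tampered}))             # VIOLATION:hidden_field:from_acc
    print(handle(s, "/transfer", {"from_acc": field, "to_acc": "ACC-2002", "amount": "100"}))  # ALLOWED
```

Binding the tag to the session id is what makes the hidden value a dynamic one rather than a static constant: the same account number carries a different tag in every session, so nothing learned in one session helps in another.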




Flexible Policy Granularity

Generic Policies - Policy per object type
- Low number of policies
- Quick to implement
- Requires little change management
- Can't take application flow into account

Optimum policy is often a hybrid

Specific Policies – Policy per object
- High number of policies
- More time to implement
- Requires a change management policy
- Can enforce application flow
- Tightest possible security
- Protects dynamic values




Flexible Deployment Options

[Diagram] Policy tightening ladder, from the typical 'standard' starting point to the tightest security posture:
  OBJECT TYPES -> OBJECT NAMES -> PARAMETER NAMES -> PARAMETER VALUES -> OBJECT FLOWS
Each step up is driven by POLICY TIGHTENING SUGGESTIONS.

Policy-Building Tools
• "Trusted IP" Learning
• Live Traffic Learning
• Crawler
• Negative RegEx
• Template



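Added example, not part of the deck and not ASM's learning engine: a Python sketch of "trusted IP" live-traffic learning and the tightening ladder above. It reads constructed access-log lines, learns object types, object names, methods, parameter names and the shape of each parameter's values only from the designated trusted address, emits tightening suggestions for the parameter-values rung, and then checks new requests against the learned policy. The addresses, paths, log lines and the rule for turning observed values into a pattern are all constructed for illustration.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qsl, urlsplit

# Constructed sample traffic in common log format (not real logs). 10.0.0.5 is the
# designated trusted address whose requests are allowed to teach the policy.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2007:13:55:36 +0200] "GET /index.html HTTP/1.1" 200 512
10.0.0.5 - - [10/Oct/2007:13:55:40 +0200] "GET /search.php?q=widgets&page=1 HTTP/1.1" 200 2048
10.0.0.5 - - [10/Oct/2007:13:55:44 +0200] "GET /search.php?q=blue+widgets&page=12 HTTP/1.1" 200 2100
10.0.0.5 - - [10/Oct/2007:13:56:01 +0200] "GET /img/logo.gif HTTP/1.1" 200 3011
203.0.113.9 - - [10/Oct/2007:13:56:30 +0200] "GET /search.php?q=%27%20OR%201%3D1--&debug=1 HTTP/1.1" 200 2048
"""
TRUSTED_IPS = {"10.0.0.5"}
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def object_type(path: str) -> str:
    """File extension of the requested object ('' if none): the coarsest policy element."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1] if "." in name else ""


def learn(log_text: str, trusted=TRUSTED_IPS) -> Dict:
    """Build a policy from trusted traffic only: types, objects, methods, parameters, value shape."""
    policy: Dict = {"object_types": set(), "objects": {}}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["ip"] not in trusted:
            continue                      # unparsable or untrusted lines never teach the policy
        url = urlsplit(m["target"])
        policy["object_types"].add(object_type(url.path))
        obj = policy["objects"].setdefault(url.path, {"methods": set(), "params": {}})
        obj["methods"].add(m["method"])
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            p = obj["params"].setdefault(name, {"max_len": 0, "numeric": True})
            p["max_len"] = max(p["max_len"], len(value))
            p["numeric"] = p["numeric"] and value.isdigit()
    return policy


def value_pattern(p: Dict) -> str:
    """Tightest pattern consistent with what was seen: digits only, or word chars/space/dot/dash."""
    cls = r"\d" if p["numeric"] else r"[\w .-]"
    return rf"^{cls}{{1,{p['max_len']}}}$"


def tightening_suggestions(policy: Dict) -> List[str]:
    """The 'parameter values' rung of the ladder: a proposed pattern per learned parameter."""
    return [
        f"{path} {name}: {value_pattern(p)}"
        for path, obj in sorted(policy["objects"].items())
        for name, p in sorted(obj["params"].items())
    ]


def check(policy: Dict, method: str, target: str) -> List[str]:
    """Evaluate a new request against the learned policy; an empty list means no violation."""
    url = urlsplit(target)
    violations = []
    if object_type(url.path) not in policy["object_types"]:
        violations.append(f"illegal_object_type:{object_type(url.path)}")
    obj = policy["objects"].get(url.path)
    if obj is None:
        return violations + [f"illegal_object:{url.path}"]
    if method not in obj["methods"]:
        violations.append(f"illegal_method:{method}")
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        p = obj["params"].get(name)
        if p is None:
            violations.append(f"illegal_parameter:{name}")
        elif not re.fullmatch(value_pattern(p), value):
            violations.append(f"illegal_value:{name}")
    return violations


if __name__ == "__main__":
    policy = learn(SAMPLE_LOG)
    print("\n".join(tightening_suggestions(policy)))
    print(check(policy, "GET", "/search.php?q=%27%20OR%201%3D1--&debug=1"))
```

The trusted-IP filter is the important line: the injection attempt from 203.0.113.9 is in the same log, and without the filter the learner would have added `debug` as a legal parameter and widened `q` to accept quotes and equals signs. Learning from untrusted live traffic trains the policy on the attacks it is meant to stop.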




F5 is the Global Leader in Application Delivery Networking

[Diagram] Users (at home, in the office, on the road) reach the Data Centre (Oracle, Siebel, SAP) through the Application Delivery Network.

Business goal: Achieve these objectives in the most operationally efficient manner




F5's Comprehensive Single Solution

[Diagram] Users (mobile phone, PDA, laptop, desktop, co-location) connect through the Application Delivery Network, built on TMOS, to the applications: CRM, Database, Siebel, BEA, Legacy, .NET, SAP, PeopleSoft, IBM, ERP, SFA, Custom.




The F5 Products & Modules

[Diagram] On the TMOS platform: BIG-IP Global Traffic Manager, BIG-IP Link Controller, WANJet, BIG-IP Local Traffic Manager, BIG-IP WebAccelerator, FirePass and BIG-IP Application Security Manager, managed by Enterprise Manager and programmable through iControl & iRules, spanning the international data centre and the application vendors Microsoft, SAP, Oracle, IBM and BEA. Protocols supported: HTTP/HTML, SIP, RTP, SRTP, RTCP, SMTP, FTP, SFTP, RTSP, SQL, CIFS, MAPI, IIOP, SOAP, XML etc.



Unique TMOS Architecture

[Diagram] A client-side and a server-side TCP proxy on a high-performance networking microkernel, with TMOS traffic plug-ins between them: ASM/TrafficShield, Web Accel, 3rd Party, Compression, Rate Shaping, TCP Express, OneConnect, Caching, XML, SSL. iRules act on the client side, the iControl API on the server side, all on high performance hardware.

• TMOS Traffic Plug-ins
• High-Performance Networking Microkernel
• Powerful Application Protocol Support
• iControl – External Monitoring and Control
• iRules – Network Programming Language




BIG-IP Software Add-On Modules
Quickly Adapt to Changing Application & Business Challenges

• Compression Module: increase performance
• Fast Cache Module: offload servers
• Rate Shaping Module: reserve bandwidth




BIG-IP Security Add-On Modules

• Application Security Module: protect applications and data
• SSL Acceleration: protect data over the Internet
• Advanced Client Authentication Module: protect against unauthorised access




ASM Platform Availability

• Standalone ASM on TMOS
  - 4100
• Available as a module with BIG-IP LTM
  - 6400/6800
  - 8400/8800




Analyst Leadership Position

[Figure] Gartner Magic Quadrant for Application Delivery Products, 2007 (axes: Ability to Execute vs. Completeness of Vision; quadrants Challengers, Leaders, Niche Players, Visionaries). F5 Networks is placed in the Leaders quadrant; other vendors shown: Citrix Systems, Cisco Systems, Akamai Technologies, Foundry Networks, Crescendo, Nortel Networks, Radware, Juniper, Coyote Point, Zeus, NetContinuum, Array Networks.

F5 Strengths
• Offers the most feature-rich AP ADC, combined with excellent performance and programmability via iRules and a broad product line.
• Strong focus on applications, including long-term relationships with major application vendors, including Microsoft, Oracle and SAP.
• Strong balance sheet and cohesive management team with a solid track record for delivering the right products at the right time.
• Strong underlying platform allows easy extensibility to add features.
• Support of an increasingly loyal and large group of active developers tuning their application environments specifically with F5 infrastructure.

Source: Gartner, January 2007




F5 Customers in EMEA (1 of 2)

[Customer logos] Banking, Financial; Insurance, Investments; Telco, Service Providers, Mobile




F5 Customers in EMEA (2 of 2)

[Customer logos] Transport, Travel; Media, Technology, Online; Manufacturing, Energy; Government, Other; Health, Consumer




Summary

• Protecting web applications is a challenge within many organizations, but attacks against web applications are the hackers' favourites
• ASM provides easy and very granular configuration options to protect web applications and to eliminate false positives
• ASM combines positive and negative security models to achieve the optimum security
• ASM is an integrated solution and can run as a module on BIG-IP or standalone
• ASM is used to provide compliance with various standards
• ASM provides hidden parameter protection and selective flow control enforcement
• ASM provides an additional security layer or can be used as a central point for web application security enforcement




Evaluation

• The best way to see how it will perform in your environment with your applications
• Soft-Tronik can provide you with evaluation hardware and engineers to help in deployment




Back-up Slides




Company Snapshot

• Facts
• Position
• References




F5's Continued Success

• Headquartered in Seattle, WA
• F5 Ensures Applications Running Over the Network Are Always Secure, Fast, and Available
• Founded 1996 / Public 1999
• Over 10,000 customers and 30,000 systems installed
• Over 1100 Employees
• NASDAQ: FFIV

[Chart] Quarterly revenue, $ millions, 1Q03 to 1Q07: 27.1, 28.0, 29.2, 31.6, 36.1, 40.6, 44.2, 50.2, 60.0, 67.7, 73.1, 80.6, 88.1, 94.1, 100.1, 111.7, 120.0