Web Application Security with the Application Security Manager (ASM)
Piotr Oleszkiewicz
Zbigniew Skurczynski
[email protected]
Feb 25, 2016
Agenda
• Web Security – What are the problems?
• Vulnerabilities and protection strategies
• Web security with a Web Application Firewall (WAF)
• Security Policy Setups
• About us
Application Security: Trends and Drivers
• “Webification” of applications
• Intelligent browsers and applications
• Public awareness of data security
• Increasing regulatory requirements
• The next attackable frontier
• Targeted attacks
The weakest link
“64% of the 10 million security incidents tracked targeted port 80.” (Information Week magazine)
Why Are Web Applications Vulnerable?
• Security officers are not involved in software development, while developers are not security conscious
• New code is written to best-practice methodology, but not tested properly
• New types of attack are not covered by the current methodology
• New code is written in a hurry due to business pressures
• Code is written by third parties: badly documented, poorly tested, and the third party is no longer available
• Flaws in third-party infrastructure elements
• Session-less web applications written with a client-server mentality
Most web applications are vulnerable!
• “70% of websites at immediate risk of being hacked!” - Acunetix, Jan 2007, http://www.acunetix.com/news/security-audit-results.htm
• “8 out of 10 websites vulnerable to attack” - WhiteHat Security Report, Nov 2006, https://whitehatsec.market2lead.com/go/whitehatsec/webappstats1106
• “75 percent of hacks happen at the application.” - Gartner, “Security at the Application Level”
• “64 percent of developers are not confident in their ability to write secure applications.” - Microsoft Developer Research
• “The battle between hackers and security professionals has moved from the network layer to the Web applications themselves.” - Network World
www.owasp.org Top Ten Project
A1 – Cross Site Scripting (XSS)
XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim’s browser which can hijack user sessions, deface web sites, etc.
A2 – Injection Flaws
Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker’s hostile data tricks the interpreter into executing unintended commands or changing data.
A3 – Insecure Remote File Include
Code vulnerable to remote file inclusion allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise.
A4 – Insecure Direct Object Reference
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.
A5 – Cross Site Request Forgery (CSRF)
A CSRF attack forces a logged-on victim’s browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim’s browser to perform a hostile action to the benefit of the attacker.
A6 – Information Leakage and Improper Error Handling
Applications can unintentionally leak information about their configuration or internal workings, or violate privacy, through a variety of application problems. Attackers use this weakness to violate privacy or conduct further attacks.
A7 – Broken Authentication and Session Management
Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users’ identities.
A8 – Insecure Cryptographic Storage
Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud.
A9 – Insecure Communications
Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.
A10 – Failure to Restrict URL Access
Frequently, the only protection for sensitive areas of an application is that links or URLs are not presented to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations.
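A1 and A2 are the two flaws a WAF sees most often, and both come down to the same mistake: untrusted text reaching an interpreter (the SQL engine, the browser) as syntax instead of as data. The Python snippet below is an added example, not code from the slides or from F5, showing each flaw as a vulnerable handler beside its hardened form. The user-lookup page, its in-memory SQLite table and the sample rows are all constructed for the demonstration.

```python
"""Added example (not from the slides or from F5): OWASP 2007 A1 (XSS) and
A2 (Injection) as a vulnerable handler beside its hardened form, for a
hypothetical user-lookup page backed by an in-memory SQLite table."""
import html
import sqlite3

# Constructed sample data for the demonstration.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
_conn.executemany("INSERT INTO users VALUES (?, ?)",
                  [("alice", "admin"), ("bob", "user"), ("carol", "user")])


def lookup_vulnerable(name):
    """A2 - Injection: the input is pasted into the SQL text, so the
    interpreter receives attacker-controlled syntax, not just a value."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return _conn.execute(sql).fetchall()


def lookup_hardened(name):
    """A2 fixed: a bound parameter keeps the query structure fixed; the
    input can only ever be compared as data."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return _conn.execute(sql, (name,)).fetchall()


def render_vulnerable(name, rows):
    """A1 - XSS: the user-supplied search term is echoed into HTML as-is."""
    items = "".join(f"<li>{n} ({r})</li>" for n, r in rows)
    return f"<h1>Results for {name}</h1><ul>{items}</ul>"


def render_hardened(name, rows):
    """A1 fixed: every untrusted string is entity-encoded before it is placed
    in the page, so markup inside the input stays inert text."""
    items = "".join(f"<li>{html.escape(n)} ({html.escape(r)})</li>"
                    for n, r in rows)
    return f"<h1>Results for {html.escape(name)}</h1><ul>{items}</ul>"


def serve_hardened(name):
    """The page as it should be served: both fixes together."""
    return render_hardened(name, lookup_hardened(name))
```

The vulnerable pair is kept only to show what a WAF's negative signatures are compensating for; `serve_hardened` is the version to ship, and a positive policy in front of it (a parameter value pattern that never admits quotes or angle brackets for a user name) gives a second, independent layer.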
Problems are growing
Yesterday:
• Tens of working hours of the best security specialists
• Preparing a successful attack on a web application was very expensive, but it could still bring profit if the target was interesting enough
Today:
• Automatic and semi-automatic tools that are user friendly
• Fuzzers (more than 20 Open Source tools alone)
• Newest trend: evolutionary programming
• Bottom line: the cost of preparing a successful attack has fallen dramatically!
Most web applications are vulnerable!
Practical demonstration:
• Weak application logic
• A web browser is the only tool we need
Not enough time!
The time from finding a vulnerability to launching an attack is falling.
Are the applications prepared for ZERO-DAY attacks?
Are your applications prepared for ZERO-DAY attacks?
Web Application Security
[Diagram: perimeter security is strong, but is open to web traffic on PORT 80 and PORT 443. Attacks now look to exploit application vulnerabilities: Buffer Overflow, Cross-Site Scripting, SQL/OS Injection, Cookie Poisoning, Hidden-Field Manipulation, Parameter Tampering. Consequences shown: infrastructural intelligence, non-compliant information, forced access to information. High information density = high value attack.]
Web Application Security with ASM
[Diagram: ASM sits between the browser and the application. ASM allows legitimate requests and stops bad requests / responses, blocking infrastructural intelligence, non-compliant information and unauthorised access.]
Traditional Security Devices vs. Web Application Firewall (ASM)
[Comparison table: rows are threat categories, columns are ASM, Network Firewall and IPS, with cells marked X (covered), Partial or Limited. The ASM column carries X marks, the Network Firewall column only Limited marks, and the IPS column a mix of X, Partial and Limited. Threat categories compared: Known Web Worms, Unknown Web Worms, Known Web Vulnerabilities, Unknown Web Vulnerabilities, Illegal Access to Web-server Files, Forceful Browsing, File/Directory Enumeration, Buffer Overflow, Cross-Site Scripting, SQL/OS Injection, Cookie Poisoning, Hidden-Field Manipulation, Parameter Tampering.]
Security Policy in ASM
[Diagram: browser traffic passes through Security Policy Enforcement. Inbound, the policy is the definition of good and bad behaviour; outbound, it performs content scrubbing and application cloaking.]
Security Policy in ASM
• Can be generated automatically or manually
• Highly granular on configuration and blocking
• Easy to understand and manage
• Bi-directional:
  – Inbound: protection from generalised & targeted attacks
  – Outbound: content scrubbing & application cloaking
• Application content & context aware
Positive Security - Example
Actions not known to be legal can now be blocked:
• Wrong page order
• Invalid parameter
• Invalid value (e.g. a parameter value containing <script>)
• etc.
Negative vs. Positive Security

Protection for Dynamic Values or Hidden Field Manipulation
Selective Application Flow Enforcement
[Diagram: a request arriving out of the expected page order is flagged as a VIOLATION.]
• Should this be a violation?
• The user may have bookmarked the page!
• Unnecessarily enforcing flow can lead to false positives.
[Diagram: a login and transfer form (Username, Password, From Acc., To Acc., $ Amount, Transfer) is marked ALLOWED.] This part of the site is a financial transaction that requires authentication; here we should enforce strict flow and parameter validation.
Flexible Policy Granularity
Generic Policies – Policy per object type
– Low number of policies
– Quick to implement
– Requires little change management
– Can’t take application flow into account
Specific Policies – Policy per object
– High number of policies
– More time to implement
– Requires a change management policy
– Can enforce application flow
– Tightest possible security
– Protects dynamic values
Optimum policy is often a hybrid
Flexible Deployment Options
[Diagram: policy elements, from the typical ‘standard’ starting point to a tighter security posture: OBJECT TYPES → OBJECT NAMES → PARAMETER NAMES → PARAMETER VALUES → OBJECT FLOWS, with policy tightening suggestions feeding each step.]
Policy-Building Tools
• “Trusted IP” Learning
• Live Traffic Learning
• Crawler
• Negative RegEx
• Template
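To make the policy layers on these slides concrete, here is an added example in Python, not F5's implementation of ASM, of a toy positive-security policy for a hypothetical two-page banking application. It checks a request against allowlists of object types (the generic, per-type policy), object names, parameter names and parameter value patterns (the specific, per-object policy), enforces page flow only on the transfer page so that a bookmarked index page is not a false positive, and protects a server-set hidden field against manipulation by signing it. The paths, parameter patterns, request dictionaries and signing key are all constructed; signing is one way to protect a hidden field, used here for illustration, and is not a description of how ASM implements its dynamic-value protection.

```python
"""Added example (not F5 code): a toy positive-security policy of the kind the
slides describe, with selective flow enforcement and signed hidden fields.
Everything below (policy, paths, key, requests) is constructed for the demo."""
import hashlib
import hmac
import re

SECRET = b"constructed-demo-key"   # a real device would hold a per-device secret

# Constructed policy for a hypothetical login -> transfer application.
POLICY = {
    # Generic layer: which object types may be requested at all.
    "object_types": {".html", ".php"},
    # Specific layer: per-object parameter rules and (optional) required flow.
    "objects": {
        "/index.html": {"params": {}, "flow_from": None},
        "/login.php": {"params": {"username": r"[a-z0-9_]{1,32}",
                                  "password": r".{1,128}"},
                       "flow_from": None},
        # Financial transaction: strict parameters AND strict flow.
        "/transfer.php": {"params": {"from_acc": r"\d{8}",
                                     "to_acc": r"\d{8}",
                                     "amount": r"\d{1,7}(\.\d{2})?",
                                     "limit": "signed"},  # server-set hidden field
                          "flow_from": "/login.php"},
    },
}


def sign_hidden(value):
    """Server side: emit a hidden field as value.MAC so the client can't alter it."""
    mac = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def verify_hidden(field):
    """Return the original value if the MAC matches, else None."""
    value, _, _ = field.rpartition(".")
    return value if hmac.compare_digest(sign_hidden(value), field) else None


def check_request(req):
    """Return [] if the request matches the policy, else the list of violations.

    req is a constructed dict: {"path": str, "referer": str|None, "params": dict}.
    """
    violations = []
    path = req["path"]
    ext = path[path.rfind("."):] if "." in path else ""
    if ext not in POLICY["object_types"]:
        violations.append(f"illegal object type {ext!r}")
    obj = POLICY["objects"].get(path)
    if obj is None:
        violations.append(f"illegal object {path}")
        return violations
    # Flow is enforced only where the policy asks for it (the transfer page).
    if obj["flow_from"] and req.get("referer") != obj["flow_from"]:
        violations.append(f"illegal flow to {path} from {req.get('referer')}")
    for name, value in req.get("params", {}).items():
        rule = obj["params"].get(name)
        if rule is None:
            violations.append(f"illegal parameter {name}")
        elif rule == "signed":
            if verify_hidden(value) is None:
                violations.append(f"hidden field {name} was modified")
        elif not re.fullmatch(rule, value):
            violations.append(f"illegal value for {name}")
    return violations
```

The split between `object_types` and `objects` is the generic/specific hybrid the slides recommend: a request for an unknown extension is rejected by the cheap generic rule before any per-object work is done, while the transfer page carries the tightest rules (every parameter named and patterned, flow required, hidden field signed) and the index page carries almost none, so a bookmarked visit to it is allowed.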
F5 is the Global Leader in Application Delivery Networking
[Diagram: users at home, in the office and on the road reach Oracle, Siebel and SAP applications in the data centre through the Application Delivery Network.]
Business goal: achieve these objectives in the most operationally efficient manner
The F5 Solution
[Diagram: users on mobile phone, PDA, laptop, desktop and co-location sites connect through F5’s comprehensive single solution, the TMOS-based Application Delivery Network, to applications: CRM, Database, Siebel, BEA, Legacy, .NET, SAP, PeopleSoft, IBM, ERP, SFA, Custom.]
The F5 Products & Modules
[Diagram: products built on TMOS: WANJet, FirePass, BIG-IP Local Traffic Manager, BIG-IP Application Security Manager, BIG-IP Link Controller, BIG-IP Global Traffic Manager (international data center), BIG-IP WebAccelerator, Enterprise Manager. iControl & iRules cover HTTP/HTML, SIP, RTP, SRTP, RTCP, SMTP, FTP, SFTP, RTSP, SQL, CIFS, MAPI, IIOP, SOAP, XML etc. Application partners: Microsoft, SAP, Oracle, IBM, BEA.]
Unique TMOS Architecture
[Diagram: TMOS traffic plug-ins on a high-performance networking microkernel running on high performance HW. Client side: SSL, Compression, TCP Express; server side: Server TCP Express, Caching; a full TCP proxy with OneConnect, XML, Rate Shaping, ASM/TrafficShield, WebAccelerator and 3rd party plug-ins. Powerful application protocol support; iControl API for external monitoring and control; iRules network programming language.]
BIG-IP Software Add-On Modules
Quickly adapt to changing application & business challenges
• Compression Module – increase performance
• Fast Cache Module – offload servers
• Rate Shaping Module – reserve bandwidth
BIG-IP Security Add-On Modules
• Application Security Module – protect applications and data
• SSL Acceleration – protect data over the Internet
• Advanced Client Authentication Module – protect against unauthorised access
ASM Platform Availability
• Standalone ASM on TMOS – 4100
• Available as a module with BIG-IP LTM – 6400/6800, 8400/8800
Magic Quadrant for Application Delivery Products, 2007
Source: Gartner, January 2007
[Quadrant chart: axes Ability to Execute vs. Completeness of Vision; quadrants Challengers, Leaders, Niche Players, Visionaries. Vendors placed: F5 Networks, Citrix Systems, Akamai Technologies, Radware, Crescendo, Coyote Point, Zeus, Cisco Systems, Foundry Networks, Nortel Networks, Juniper, NetContinuum, Array Networks.]
Analyst Leadership Position
F5 Strengths
• Offers the most feature-rich AP ADC, combined with excellent performance and programmability via iRules and a broad product line.
• Strong focus on applications, including long-term relationships with major application vendors, including Microsoft, Oracle and SAP.
• Strong balance sheet and cohesive management team with a solid track record for delivering the right products at the right time.
• Strong underlying platform allows easy extensibility to add features.
• Support of an increasingly loyal and large group of active developers tuning their application environments specifically with F5 infrastructure.
F5 Customers in EMEA (1 of 2)
[Customer logos by sector: Banking, Financial; Telco, Service Providers, Mobile; Insurance, Investments]
F5 Customers in EMEA (2 of 2)
[Customer logos by sector: Government, Other; Health, Consumer; Manufacturing, Energy; Transport, Travel; Media, Technology, Online]
Summary
• Protecting web applications is a challenge within many organizations, but attacks against web applications are the hackers’ favourites
• ASM provides easy and very granular configuration options to protect web applications and to eliminate false positives
• ASM combines positive and negative security models to achieve the optimum security
• ASM is an integrated solution and can run as a module on BIG-IP or standalone
• ASM is used to provide compliance with various standards
• ASM provides hidden parameter protection and selective flow control enforcement
• ASM provides an additional security layer or can be used as a central point for web application security enforcement
Evaluation
The best way to see how it will perform in your environment with your applications
Soft-Tronik can provide you with evaluation hardware and engineers to help in deployment

Backup Slides
Company Snapshot: Facts, Position, References
F5’s Continued Success
• Headquartered in Seattle, WA
• F5 ensures applications running over the network are always secure, fast, and available
• Founded 1996 / Public 1999
• Over 10,000 customers and 30,000 systems installed
• Over 1100 employees
• NASDAQ: FFIV
[Chart: Revenue in $ Millions; values shown on the bars: 27.1, 36.1, 50.2, 60.0, 67.7, 73.1, 94.1, 100.1, 111.7, 120.0, 28.0, 29.2, 31.6, 40.6, 44.2, 88.1, 80.6]