F5 Application Security
Radovan Gibala, Field Systems Engineer
r.gibala@f5.com, +420 731 137 223
2007
Agenda
- Challenge Websecurity: What are the problems?
- Building blocks of Web Applications
- Vulnerabilities and protection strategies
- Websecurity with a Web Application Firewall (WAF): Security Policy Setups, Deployment Methods
- Attacking the Application: How to mitigate the risk in Web Applications with ASM
Market Trends
- Webalization of Critical Applications: Mission-Critical Applications (ERP, CRM, SCM) with access from the Internet; Business-Critical Applications
- Advantages of Voice, Data and Video Integration: Profitability Increase
- Data Centre Consolidation: Centralization of Applications and Access from the Internet
- XML-based Web Services: B2B Business Processes over Web Services / XML
- Mobile Applications: Access and Usage of Applications from Mobile (private?) Devices
Security's Gaping Hole
64% of the 10 million security incidents tracked targeted port 80. (Information Week)
Web Application Security
- Perimeter Security Is Strong, But Is Open to Web Traffic (Port 80, Port 443)
- Attacks Now Look To Exploit Application Vulnerabilities: Buffer Overflow, Cross-Site Scripting, SQL/OS Injection, Cookie Poisoning, Hidden-Field Manipulation, Parameter Tampering
- What the attacker gets: Noncompliant Information, Forced Access to Information, Infrastructural Intelligence
- High Information Density = High Value Attack
Why Are Web Applications Vulnerable?
- New code written to best-practice methodology, but not tested properly
- New type of attack not protected by current methodology
- New code written in a hurry due to business pressures
- Code written by third parties: badly documented, poorly tested, third party not available
- Flaws in third-party infrastructure elements
- Session-less web applications written with a client-server mentality
Solution Sentences for Application Security
- Make bug-free applications
- Network Firewalls + Marketing Tools in the Web Servers
- Infrastructure Solutions
Traditional Alternative: Rely Exclusively on the Developer
The developer is expected to cover all of: Application Patching, Application Logic, Application Optimization, Application Security, Application Scalability, Application Integration, Application Availability, Application Performance
Web Application Protection Strategy
- Best Practice Design Methods: Only protects against known vulnerabilities; Difficult to enforce, especially with subcontracted code; Only periodically updated, large exposure window
- Automated & Targeted Testing of Web Apps: Done periodically, only as good as the last test; Only checks for known vulnerabilities; Does it find everything?
- Web Application Firewall: Real-time 24 x 7 protection; Enforces Best Practice Methodology; Allows immediate protection against new vulnerabilities
Web Applications Increasingly Under Attack
- High information density in the core
- Flaws in applications & 3rd party software
- Traditional security does not protect web apps
- Gaping hole in perimeter security for web traffic
SANS (November 2006) - Top Vulnerabilities in Cross-Platform Applications:
- C1. Backup Software
- C2. Anti-virus Software
- C3. PHP-based Applications (50% of all Apache installations worldwide use PHP!)
- C4. Database Software...
- C6. DNS Software...
- C9. Mozilla and Firefox Browsers...
Application Security Lacks Test... or: The Point of Truth
Simple Version: Does your WAF discover that the price of an item in an online shop was changed?
Technical Version: OWASP ( http://www.owasp.org/index.php/owasp_top_ten_project )
- Unvalidated Input
- Broken Access Control
- Broken Authentication and Session Management
- Cross Site Scripting
- Buffer Overflow
- Injection Flaws
- Improper Error Handling
- Insecure Storage
- Application Denial of Service
- Insecure Configuration Management
OWASP Top 10 / January 2007
- A1 Cross Site Scripting (XSS): XSS flaws occur whenever an application takes user-supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser, which can hijack user sessions, deface web sites, etc.
- A2 Injection Flaws: Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.
- A3 Insecure Remote File Include: Code vulnerable to remote file inclusion allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise.
- A4 Insecure Direct Object Reference: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.
- A5 Cross Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker.
- A6 Information Leakage and Improper Error Handling: Applications can unintentionally leak information about their configuration or internal workings, or violate privacy, through a variety of application problems. Attackers use this weakness to violate privacy or conduct further attacks.
- A7 Broken Authentication and Session Management: Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users' identities.
- A8 Insecure Cryptographic Storage: Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud.
- A9 Insecure Communications: Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.
- A10 Failure to Restrict URL Access: Frequently, the only protection for sensitive areas of an application is that links or URLs are not presented to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations.
n-tier Web Application Layer
Where does Application Security make Sense?
Option 4: Router (Network Layer Security: Routing, ACL, Packet Filtering)
- Pros: First point of entry
- Cons: Zero application fluency; Wrong location; No support for SSL; Too little and expensive processing power
Option 3: Network Security / Firewall (Stateful Inspection; Network Layer and Session Layer Security)
- Pros: Experienced in network security; High performance; Has some session & app protocol awareness
- Cons: No application fluency; Out in DMZ / wrong location; Not optimized for L7 processing; Cannot filter encrypted content; Less focus on SSL
Option 2: BIG-IP LTM + Application Security Manager (Application Security, Optimization & Delivery: Application Layer Security, Acceleration, Availability)
- Pros: Application fluent; Already used as SSL proxy for applications; Layer 7 processing; Stronger support for L7 protocol validation; Perfect location directly in front of applications and servers
- Cons: Less focus on Layer 2/3 security
Option 1: Application Core Functionality (App. Server, Database)
- Pros: Very specific to each application type and vendor
- Cons: Complex to manage; Costly to implement inside each application; Error-prone; Inefficient and reactive
Gartner Research: "A combined application delivery controller and Web application firewall, rather than stand-alone products, provides a single-vendor relationship and performance improvements."
Traditional Security Doesn't Protect Web Applications: Looking at the wrong thing in the wrong place
Threats: Known Web Worms; Unknown Web Worms; Known Web Vulnerabilities; Unknown Web Vulnerabilities; Illegal Access to Web-server files; Forceful Browsing; File/Directory Enumerations; Buffer Overflow; Cross-Site Scripting; SQL/OS Injection; Cookie Poisoning; Hidden-Field Manipulation; Parameter Tampering
Coverage comparison columns: Network Firewall, IPS, Application Firewall
Application Security with a WAF
Browser -> WAF: Stops Bad Requests (Unauthorised Access, Noncompliant Information, Infrastructural Intelligence); Allows Legitimate Requests
- Bi-directional: Inbound: protection from generalised & targeted attacks; Outbound: content scrubbing & application cloaking
- Application content & context aware
- High performance, low latency, high availability, high security
- Policy-based full proxy with deep inspection & Java support
- Positive security augmenting negative security
- Central point of application security enforcement
Application Security with a WAF: Intelligent Decisions
- Allow Only Good Application Behaviour: Positive Security
- Definition of Good and Bad Behaviour (between Browser and Application)
Negative vs. Positive Security Model
Negative Security Model:
- Block Known Attacks; Everything else is Allowed
- Patch implementation is quick and easy (Protection against Day Zero Attacks)
Positive Security Model:
- (Automatic) Analysis of the Web Application
- Allow wanted Transactions; Everything else is Denied
- Implicit Security against New, yet Unknown Attacks (Day Zero Attacks)
Flexible Policy Granularity
Example field: Search for: [command injection]
- Single quote is a command delimiter: best practice is to disallow it from parameters wherever possible
- Easiest to achieve with a generic policy applied to the whole site
BUT...
Example field: User Name: [O'Connor]
- Single quote is needed in some parameters: need to be able to selectively relax the policy, e.g. single quote allowed in this parameter
- Need to limit use within the relaxed policy, e.g. only one single quote allowed in this parameter
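The two slides above describe a negative model (block known attack shapes), a positive model (deny parameters the policy does not know), and a per-parameter relaxation for a username that legitimately contains one apostrophe. The following Python is an added example written for this page; it is not code from the slides and not F5 ASM's policy engine. Every name in it (the ParamRule/Policy classes, SAMPLE_POLICY, the three signatures) is constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Negative-model part: a few constructed attack signatures (not a vendor signature set).
ATTACK_SIGNATURES = [
    re.compile(r"(?i)\bunion\b.*\bselect\b"),   # union-based SQL injection shape
    re.compile(r"(?i)<\s*script\b"),            # script tag typical of XSS payloads
    re.compile(r"--\s*$"),                      # SQL comment terminator ending the value
]


@dataclass
class ParamRule:
    """Allowed shape of one parameter value."""
    allow_single_quote: bool = False      # generic default: the quote is a delimiter, disallow it
    max_single_quotes: int = 0            # upper bound once a parameter has been relaxed
    max_length: int = 64
    pattern: Optional[re.Pattern] = None  # positive-model shape the whole value must match


@dataclass
class Policy:
    generic: ParamRule = field(default_factory=ParamRule)          # site-wide rule
    per_param: Dict[str, ParamRule] = field(default_factory=dict)  # selective relaxations
    known_params: Set[str] = field(default_factory=set)            # parameter names the policy knows
    positive_model: bool = True                                    # unknown names are denied

    def rule_for(self, name: str) -> ParamRule:
        return self.per_param.get(name, self.generic)


def check_param(policy: Policy, name: str, value: str) -> List[str]:
    """Return the violations for one parameter (an empty list means it is clean)."""
    if policy.positive_model and name not in policy.known_params and name not in policy.per_param:
        return [f"{name}: parameter not in policy"]
    rule = policy.rule_for(name)
    violations = []
    if len(value) > rule.max_length:
        violations.append(f"{name}: length {len(value)} exceeds {rule.max_length}")
    quotes = value.count("'")
    if quotes and not rule.allow_single_quote:
        violations.append(f"{name}: single quote not allowed")
    elif quotes > rule.max_single_quotes:
        violations.append(f"{name}: {quotes} single quotes, at most {rule.max_single_quotes} allowed")
    if rule.pattern and not rule.pattern.fullmatch(value):
        violations.append(f"{name}: value does not match the allowed pattern")
    for sig in ATTACK_SIGNATURES:
        if sig.search(value):
            violations.append(f"{name}: matches attack signature {sig.pattern!r}")
    return violations


def check_request(policy: Policy, params: Dict[str, str]) -> List[str]:
    """Evaluate every parameter of a request; a non-empty list means the request is blocked."""
    violations = []
    for name, value in params.items():
        violations.extend(check_param(policy, name, value))
    return violations


# Constructed policy for a site with a search box, a comment field and a registration form.
SAMPLE_POLICY = Policy(
    known_params={"search", "comment"},
    per_param={
        # Relaxed for names like O'Connor, but limited to one quote and a narrow shape.
        "username": ParamRule(
            allow_single_quote=True,
            max_single_quotes=1,
            max_length=40,
            pattern=re.compile(r"[A-Za-z][A-Za-z' -]*"),
        ),
    },
)

if __name__ == "__main__":
    for sample in ({"username": "O'Connor"}, {"username": "O''Connor"},
                   {"comment": "it's fine"}, {"search": "shoes' --"}, {"debug": "1"}):
        print(sample, "->", check_request(SAMPLE_POLICY, sample) or "allowed")
```

The order of checks is the point: the positive model rejects a parameter name the policy never learned before any value inspection happens, the generic rule blocks the quote everywhere by default, and the relaxation for `username` narrows the exception (one quote, a letters-only pattern) instead of simply switching the check off.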
Support of dynamic values
Example: SAP Application
- Protect the session information in the URI: https://saptest.xyz.de/sap(bd1kzszjptaxma==)/...
- Protect dynamic parameter names and values: &Tdokfilter_subdok_dokstrukturK2_Y123456789103459185=F
Selective Application Flow Enforcement
Login page (Username, Password) reached directly: ALLOWED. Should this be a violation? The user may have bookmarked the page! Unnecessarily enforcing flow can lead to false positives.
Transfer page (From Acc., To Acc., $ Amount, Transfer) reached out of sequence: VIOLATION. This part of the site is a financial transaction that requires authentication; we should enforce strict flow and parameter validation.
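The slide contrasts a bookmarkable login page (no flow enforcement) with a money-transfer page that must only be reached through an authenticated session, from the account page, with well-formed parameters. The Python below is an added example for this page, not code from the slides or from ASM; the object names (/login.jsp, /account.jsp, /transfer.jsp), the parameter shapes and the replayed request sequences are all constructed. It also makes one simplifying assumption, marked in the code: a request to the login page with both fields present is treated as a successful login, whereas a real WAF would learn that from the backend's response.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class FlowRule:
    """How one object (page) may be reached and which parameters it accepts."""
    entry_point: bool = False                             # bookmarkable: no prior page required
    requires_auth: bool = False                           # only inside an authenticated session
    must_follow: Set[str] = field(default_factory=set)    # allowed immediately-preceding objects
    params: Dict[str, re.Pattern] = field(default_factory=dict)  # declared parameters and shapes


ACCOUNT = re.compile(r"\d{8,12}")
AMOUNT = re.compile(r"\d{1,7}(\.\d{2})?")

# Constructed policy: the login page is relaxed, the transfer page is strictly enforced.
FLOW_POLICY = {
    "/index.html": FlowRule(entry_point=True),
    "/login.jsp": FlowRule(entry_point=True,
                           params={"username": re.compile(r"[A-Za-z0-9_.]{1,32}"),
                                   "password": re.compile(r".{1,64}")}),
    "/account.jsp": FlowRule(requires_auth=True,
                             must_follow={"/login.jsp", "/account.jsp", "/transfer.jsp"}),
    "/transfer.jsp": FlowRule(requires_auth=True,
                              must_follow={"/account.jsp", "/transfer.jsp"},
                              params={"from_acct": ACCOUNT, "to_acct": ACCOUNT, "amount": AMOUNT}),
}


@dataclass
class Session:
    authenticated: bool = False
    last_object: Optional[str] = None


def enforce(session: Session, obj: str, params: Dict[str, str]) -> List[str]:
    """Return the violations for one request; on an empty list the request is allowed
    and the session advances to this object."""
    rule = FLOW_POLICY.get(obj)
    if rule is None:
        return [f"{obj}: object not in policy"]
    violations = []
    if rule.requires_auth and not session.authenticated:
        violations.append(f"{obj}: requires an authenticated session")
    if not rule.entry_point and session.last_object not in rule.must_follow:
        violations.append(f"{obj}: reached from {session.last_object!r}, "
                          f"expected one of {sorted(rule.must_follow)}")
    # Strict parameter validation: every parameter must be declared and well-shaped,
    # and every declared parameter must be present.
    for name, value in params.items():
        shape = rule.params.get(name)
        if shape is None:
            violations.append(f"{obj}: unexpected parameter {name!r}")
        elif not shape.fullmatch(value):
            violations.append(f"{obj}: parameter {name!r} has an invalid value")
    for name in rule.params:
        if name not in params:
            violations.append(f"{obj}: missing parameter {name!r}")
    if violations:
        return violations
    if obj == "/login.jsp":
        # Assumption for this example: the backend accepted the credentials.
        session.authenticated = True
    session.last_object = obj
    return []


def run_sequence(requests) -> List[Tuple[str, List[str]]]:
    """Replay (object, params) pairs through one fresh session; one decision per request."""
    session = Session()
    return [(obj, enforce(session, obj, params)) for obj, params in requests]


GOOD_TRANSFER = {"from_acct": "12345678", "to_acct": "87654321", "amount": "100.00"}

# Constructed session: bookmarked login, a transfer that skips the account page,
# the proper sequence, and finally a transfer with a malformed amount.
BOOKMARKED_USER = [
    ("/login.jsp", {"username": "alice", "password": "s3cret"}),
    ("/transfer.jsp", GOOD_TRANSFER),
    ("/account.jsp", {}),
    ("/transfer.jsp", GOOD_TRANSFER),
    ("/transfer.jsp", {**GOOD_TRANSFER, "amount": "100;drop"}),
]

# Constructed session: a transfer request with no login at all.
NO_LOGIN = [("/transfer.jsp", GOOD_TRANSFER)]

if __name__ == "__main__":
    for obj, result in run_sequence(BOOKMARKED_USER) + run_sequence(NO_LOGIN):
        print(obj, "->", result or "allowed")
```

Only objects whose rule carries `must_follow` are flow-checked, so the bookmarked login never produces a false positive, while the transfer page is blocked both when it is reached without authentication and when it is reached from the wrong page; a blocked request does not advance `last_object`, so a failed attempt cannot be used as a stepping stone.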
XML Firewall
- Well-formedness validation
- Schema/WSDL validation
- Method selection
- Attack signatures for XML platforms
- Backend parser protection
- XML islands application protection
- Full request logging
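Three of the checks listed above (well-formedness, method selection, backend parser protection) can be shown in a few dozen lines. The Python below is an added example written for this page using only the standard library; it is not ASM code. The size, depth and element-count limits, the allowed method names and the sample SOAP bodies are constructed; the method is taken as the first child element of the SOAP Body, which is where a real deployment would compare it against the WSDL.

```python
import io
import xml.etree.ElementTree as ET
from typing import List, Optional

# Constructed limits and allow-list; a real deployment derives these from the service's WSDL.
MAX_BYTES = 64 * 1024
MAX_DEPTH = 8
MAX_ELEMENTS = 500
ALLOWED_METHODS = {"GetQuote", "PlaceOrder"}


def local_name(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def inspect_xml(payload: bytes) -> List[str]:
    """Return the violations for one XML request body (an empty list means it passes)."""
    if len(payload) > MAX_BYTES:
        return [f"body of {len(payload)} bytes exceeds {MAX_BYTES}"]
    # Refuse any DTD before the parser sees it: entity expansion is the classic parser attack.
    if b"<!DOCTYPE" in payload or b"<!ENTITY" in payload:
        return ["DTD or entity declaration not allowed"]
    stack: List[str] = []          # open elements, so len(stack) is the current depth
    seen = 0
    method: Optional[str] = None
    try:
        for event, elem in ET.iterparse(io.BytesIO(payload), events=("start", "end")):
            if event == "start":
                stack.append(local_name(elem.tag))
                seen += 1
                if len(stack) > MAX_DEPTH:
                    return [f"nesting depth exceeds {MAX_DEPTH}"]
                if seen > MAX_ELEMENTS:
                    return [f"element count exceeds {MAX_ELEMENTS}"]
                # Method selection: the operation is the first child of the SOAP Body.
                if method is None and len(stack) >= 2 and stack[-2] == "Body":
                    method = stack[-1]
            else:
                stack.pop()
    except ET.ParseError as exc:
        return [f"not well-formed: {exc}"]
    if method is None:
        return ["no operation element found under Body"]
    if method not in ALLOWED_METHODS:
        return [f"method {method!r} not allowed"]
    return []


# Constructed sample request bodies.
GOOD_REQUEST = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
                b'<soap:Body><GetQuote><symbol>FFIV</symbol></GetQuote></soap:Body>'
                b'</soap:Envelope>')
UNKNOWN_METHOD = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
                  b'<soap:Body><DeleteAllOrders/></soap:Body></soap:Envelope>')
MALFORMED = b"<a><b></a>"
TOO_DEEP = b"<a>" * 12 + b"</a>" * 12
WITH_DTD = b'<!DOCTYPE x [<!ENTITY e "x">]><x>&e;</x>'

if __name__ == "__main__":
    for name, body in [("good", GOOD_REQUEST), ("unknown method", UNKNOWN_METHOD),
                       ("malformed", MALFORMED), ("too deep", TOO_DEEP), ("dtd", WITH_DTD)]:
        print(name, "->", inspect_xml(body) or "pass")
```

The depth and element-count limits are enforced while parsing, so an oversized or deeply nested document is rejected before the whole tree is built, which is what protects the backend parser; the byte-level DTD check runs before parsing at all because the standard parser would otherwise expand internal entities.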
Flexible Policy Granularity
Generic Policies (policy per object type):
- Low number of policies
- Quick to implement
- Requires little change management
- Can't take application flow into account
Specific Policies (policy per object):
- High number of policies
- More time to implement
- Requires a change management policy
- Can enforce application flow
- Tightest possible security
- Protects dynamic values
The optimum policy is often a hybrid.
Flexible Deployment Options
Policy tightening ladder, from the typical standard starting point towards a tighter security posture: Object Types -> Object Names -> Parameter Names -> Parameter Values -> Object Flows
Policy-Building Tools: Trusted IP Learning, Live Traffic Learning, Crawler, Negative RegEx, Template, Policy Tightening Suggestions
WAF deployment with the BIG-IP LTM & ASM
Internet -> Firewall -> BIG-IP with ASM -> Web Servers; Management Access via browser
ASM = Application Security Manager
Link Collection
- Overall: www.f5.com
- Technical: www.f5.com, ask.f5.com, devcentral.f5.com
- F5 University: www.f5university.com/ (Login: your email; Password: adv5tech)
- Partner Information: www.f5.com/partners, www.f5.com/training_services/certification/certfaq.html
- Gartner Report: http://mediaproducts.gartner.com/reprints/f5networks/article1/article1.html
Important deployment information is available at:
- Deployment guides: http://www.f5.com/solutions/deployment/
- Data Center Virtualization: http://www.f5.com/solutions/technology/pdfs/dc_virtualization_wp.pdf
- Application Traffic Management: http://www.f5.com/solutions/technology/pdfs/atm_wp.pdf
- Application Briefs: http://www.f5.com/solutions/applications/
- Solution Briefs: http://www.f5.com/solutions/sb/
- F5 Compression and Cache Test: http://www.f5demo.com/compression/index.php
- F5 iControl: http://www.f5.com/solutions/partners/icontrol/
- F5 Technology Alliance Partners: http://www.f5.com/solutions/partners/tech/
Let us know if you need any clarification or you have any further questions.
F5 is the Global Leader in Application Delivery Networking
Users (At Home, In the Office, On the Road) -> Application Delivery Network -> Data Centre (SAP, Microsoft, Oracle)
Business goal: Achieve these objectives in the most operationally efficient manner