A separate firewall for web traffic?

Jon Bjørnland
Per Bøe
2
F5 is the global leader in Application Delivery Networking
[Diagram: users at home, in the office and on the road reach SAP, Microsoft and Oracle applications in the data centre through the Application Delivery Network.]
Business goal: Achieve these objectives in the most operationally efficient manner
3
F5 dominates the market for Application Delivery Controllers
Magic Quadrant for Application Delivery Controllers, 2009
F5 Networks - Strengths
• F5 Networks has a broad and comprehensive vision with industry-leading understanding of the needs of application development, deployment and management.
• The vendor has a comprehensive feature set with a full range of extensibility delivered through iRules and iControl, and integration with popular integrated development environments (IDEs), such as Eclipse and .NET/Visual Basic.
• F5 has developed a very large community of committed users (using F5's DevCentral portal) that helps fuel the use of iRules to solve unique data center application challenges, creating a loyal and engaged user base.
• F5 has a solid financial position and continued market-leading position.
SOURCE: Gartner, Inc.
4
F5 in the Data Center
[Diagram: two data centers (DC 1: U.S., DC 2: U.K.) connected over Link 1, Link 2 and Link 3; clients on PC - LAN, WLAN, PC - Home, Mobile and Remote - WAN. BIG-IP GTM & LC provide Data Center & Link Virtualization; BIG-IP LTM, WA, ASM provide Web Server Virtualization in front of the web servers; BIG-IP LTM, APM provide Application Server Virtualization in front of the app servers; F5 ARX provides File Storage Virtualization across NetApp, EMC and Windows file storage.]
5
F5 – between network and applications
[Diagram: F5 sits between the Network Layer (routers, switches, firewalls) and the Application Layer (data center solutions, intelligent clients), providing rate shaping, content acceleration, DoS protection, SSL acceleration, load balancing, application security, traffic compression, caching and connection optimization.]
6
F5 – between network and applications
[Diagram: TM/OS functions, with iControl and iRules, sit between the Network Layer (routers, switches, firewalls) and the Application Layer (intelligent applications, intelligent clients, data center solutions).]
7
Intelligence, flexibility and performance
[Diagram: TM/OS as a fast application proxy with client-side and server-side functions (compression, TCP offloading, load balancing); iRules as a programmable network language for a programmable application network; the Universal Inspection Engine (UIE) giving complete visibility and control of application flows; GUI-based application profiles and repeatable policies; unified application infrastructure services for security, optimisation and delivery; targeted and adaptable functions and new services.]
8
BIG-IP Hardware Line-up
VIPRION (4 x PB200 blade): 4 x 4 10/100/1000, 4 x 8 10Gb SFP+, 4 x 16 GB memory, 4 x 18 Gbps Traffic, 72 Gbps Traffic in total
BIG-IP 8900: 16 x 10/100/1000, 8 x 1Gb SFP, 2 x 10Gb SFP+, 16 GB memory, 12 Gbps Traffic
BIG-IP 6900: 16 x 10/100/1000, 8 x 1Gb SFP, 8 GB memory, 6 Gbps Traffic
BIG-IP 3900: 8 x 10/100/1000, 4 x 1Gb SFP, 8 GB memory, 4 Gbps Traffic
BIG-IP 3600: 8 x 10/100/1000, 2 x 1Gb SFP, 4 GB memory, 2 Gbps Traffic
BIG-IP 1600: 4 x 10/100/1000, 2 x 1Gb SFP, 4 GB memory, 1 Gbps Traffic
9
Web applications are exposed
• New SANS report
– Focused on patching operating systems
– 80% of vulnerabilities are in web apps
– 60% of the attack vectors are web based
10
Almost all web applications are vulnerable
• "97% of websites at immediate risk of being hacked due to vulnerabilities! 69% of vulnerabilities are client side-attacks"
- Web Application Security Consortium http://www.webappsec.org/projects/statistics/
• "8 out of 10 websites vulnerable to attack"
- WhiteHat "security report" http://www.whitehatsec.com/home/assets/WPstats0808.pdf
• "75 percent of hacks happen at the application."
- Gartner "Security at the Application Level"
• "64 percent of developers are not confident in their ability to write secure applications."
- Microsoft Developer Research
11
WhiteHat Website Security Statistics 10/2009
http://www.whitehatsec.com
• Data collected from January 1, 2006 to October 1, 2009
• 1.364 websites
12
What does it cost to fix the vulnerabilities?
• The average custom business application has 150k to 250k lines of code
-- Software Magazine
• Every 1k lines of code averages 15 critical security defects
-- U.S. Department of Defense
• That means there are an average of 2.25k security defects in every business application
• The average security defect takes 75 minutes to diagnose and 6 hours to fix
-- 5-year Pentagon Study
• That's 2.8k hours to diagnose the defects and 13.5k hours to fix them
• Average worldwide cost of programmer = $40 per hour
• That's a cost of $112k to diagnose the defects and $540k to fix the defects
k=1,000
-- F5 Networks
13
How long does it take to fix the vulnerabilities?
Spring 2009 Website Security Statistics Report
14
Developers are asked to do the impossible...
[Diagram: the developer is pulled between application security, application patching, application development, application scalability and application performance.]
15
Who is responsible for application security?
• Web developers?
• Network Security?
• Engineering services?
• DBA?
16
Traditional firewalls
17
Encryption makes the traditional firewall "blind"
18
Perimeter security is not sufficient
19
WAF: Web Application Firewall
[Diagram: HTTP/S traffic flows from the user through the network plumbing (traffic management, firewall, IDS-IDP, anti-virus) to the application infrastructure, where the App Firewall and App Xcel provide Application Delivery Security in front of the app. Client-side threats: Buffer Overflow, Cross-Site Scripting, SQL/OS Injection, Cookie Poisoning, Hidden-Field Manipulation, L7 Application DoS, Brute Force Logins. Application-side leakage: Error Messages, Non-compliant Content, Credit Card / SSN data, Server Fingerprints.]
• Logs and reports all HTTP traffic
• Secures Applications
• Application content & context aware
• Bi-directional; request filtering & application cloaking
20
Positive vs. negative security
21
Traditional security products vs. WAF
[Table comparing Network Firewall, IPS and WAF coverage (cells marked X, Limited or Partial) for: Known Web Worms, Unknown Web Worms, Known Web Vulnerabilities, Unknown Web Vulnerabilities, Illegal Access to Web-server files, Forceful Browsing, File/Directory Enumerations, Buffer Overflow, Cross-Site Scripting, Brute Force Login Attacks, SQL/OS Injection, Cookie Poisoning, Hidden-Field Manipulation, Parameter Tampering, Layer 7 DoS Attacks, and App. Security and Acceleration. The per-cell ratings are not recoverable from the transcription.]
22
Web Application Protection Options
Best Practice Design Methods
• Only protects against known vulnerabilities
• Difficult to enforce; especially with subcontracted code
• Only periodically updated; large exposure window
Automated & Targeted Testing
• Done periodically; only as good as the last test
• Only checks for known vulnerabilities
• Does it find everything?
Web Application Firewall (ASM)
• Real-time 24 x 7 protection
• Layered security
• Allows immediate protection against new vulnerabilities
• Central point of enforcement for website security
24
BIG-IP Application Security Manager
Powerful Adaptable Solution
• Provides comprehensive protection for all web application
vulnerabilities
• Delivers out of the box security
• Sees Application level performance
• Logs and reports all application traffic and attacks
• Educates admin. on attack type definitions and examples
• Enables L2->L7 protection
• Unifies security and acceleration services
• Provides On-Demand scaling
25
Secure the applications and data
[Diagram: Application Security Manager (add-on module) providing Network and Protocol Attack Protection, Selective Encryption, and Resource Cloaking and Content Security.]
Security at Application, Protocol and Network Level
• Meet compliance requirements (PCI, HIPAA, etc.)
• Strong protection without interrupting legitimate traffic
"BIG-IP enabled us to improve security instead of having to invest time and money to develop a new more secure application"
TechValidate 0C0-126-2FB
Application Manager, Global 5000 Media and Entertainment Company
26
Security Policy with Multiple security layers
• RFC enforcement
• Various HTTP limits enforcement
• Profiling of good traffic:
– Defined list of allowed file types, URIs, parameters
• Each parameter is evaluated separately for:
– Pre-defined value
– Length
– Character set
– Attack patterns
• Looking for pattern-matching signatures
• Responses are checked as well
27
Deployment without False positives
• Predefined Policy Templates
– Pre-configured security policies
– Rapid deployment policy
• Learning mode
– Automatic or manual
• Gradual deployment
– Transparent / semi-transparent / full blocking
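As an added example (not F5's code and not ASM's policy format), the Python below shows how the policy layers from the previous slide (allowed file types, URIs and parameters, each parameter checked for pre-defined value, length, character set and attack patterns) combine with the transparent / semi-transparent / full blocking deployment modes above. The site paths, parameter rules and signatures are constructed; semi-transparent is modelled here as blocking only violations of already-enforced (non-staged) entities, which is an assumed interpretation.

```python
import re
from urllib.parse import urlsplit, parse_qsl
# Constructed, hypothetical policy (not ASM's format): allowed file types, URIs, parameter rules.
ALLOWED_FILE_TYPES = {"php", "html", "css", "js"}
ALLOWED_URIS = {"/index.html", "/login.php", "/search.php"}
PARAM_RULES = {  # name -> (allowed values or None, max length, allowed character set)
    "username": (None, 32, r"[A-Za-z0-9_.@-]*"),
    "lang": ({"no", "en"}, 2, r"[a-z]*"),
    "q": (None, 100, r"[A-Za-z0-9 _./-]*"),
}
SIGNATURES = [  # (name, pattern, staged) -- staged = still under test, not yet enforced
    ("SQL injection", re.compile(r"['\"]\s*(or|and)\s+\S+\s*=|union\s+select", re.I), False),
    ("Cross-site scripting", re.compile(r"<\s*script|javascript:", re.I), False),
    ("Path traversal", re.compile(r"\.\./"), True),
]

def find_violations(target):
    """Return [(description, staged)] for a request target such as '/login.php?u=x'."""
    parts, found = urlsplit(target), []
    ext = parts.path.rsplit(".", 1)[-1] if "." in parts.path else ""
    if ext not in ALLOWED_FILE_TYPES:  # positive model: file type
        found.append((f"illegal file type '{ext}'", False))
    if parts.path not in ALLOWED_URIS:  # positive model: URI
        found.append((f"illegal URI '{parts.path}'", False))
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name not in PARAM_RULES:  # positive model: parameter name
            found.append((f"illegal parameter '{name}'", False))
            continue
        values, max_len, charset = PARAM_RULES[name]
        if values is not None and value not in values:
            found.append((f"'{name}': value not in predefined list", False))
        if len(value) > max_len:
            found.append((f"'{name}': length {len(value)} exceeds {max_len}", False))
        if not re.fullmatch(charset, value):
            found.append((f"'{name}': illegal character set", False))
        for sig, pattern, staged in SIGNATURES:  # negative model: attack patterns
            if pattern.search(value):
                found.append((f"'{name}': attack signature '{sig}'", staged))
    return found

def enforce(target, mode="blocking"):
    """Return (verdict, violations); violations are always logged, blocking depends on mode."""
    found = find_violations(target)
    if mode == "transparent":  # report only
        verdict = "allow"
    elif mode == "semi-transparent":  # assumed: block only enforced (non-staged) entities
        verdict = "block" if any(not staged for _, staged in found) else "allow"
    else:  # full blocking
        verdict = "block" if found else "allow"
    return verdict, found
```

A request such as `/search.php?q=../secret` only trips the staged signature, so it is reported but allowed in semi-transparent mode and blocked once the policy moves to full blocking.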
28
Layer 7 DoS/DDoS and Brute Force prevention
Unique Attack Detection and Protection
• Unwanted clients are remediated and desired clients are serviced
• Improved application availability
• Focus on higher value productivity while automatic controls intervene
29
Airline Inventory Vulnerable to Web Scraping
• Ryanair – Stolen data, litigation costs, decreasing revenue
– Wins injunction against Vtours GmbH
– Forbids screen-scraping as commercial use*
– Ryanair sent cease and desist letters to 300 sites
• easyJet warns Expedia: 'Hands off our flights'
30
Protection from Web Scraping
[Diagram: remote users and an automated scraper reach the Dublin Datacenter (BIG-IP 8900, LTM/ASM) and the Frankfurt Datacenter (BIG-IP 6900, LTM/ASM) in front of Domino Network web servers. BIG-IP detects the requests and determines that the web site is being scraped; legitimate users see inventory while scrapers are remediated; comprehensive reporting on scraping attacks goes to IT staff.]
Solution
• Protects valuable intellectual property
• Prices are controlled and users see airline-approved inventory
• Integrated scrape reporting for PCI compliance
• Avoid litigation, drastically reducing legal costs
31
Attack Expert System in ASM v10.1
1. Click on info tooltip
32
Attack Type Details
2. Click on attack type
33
Reporting Features Executive View
HTTP Response Splitting
Command Execution
Detection Evasion
Parameter Tampering
SQL Injection
Cross Site Scripting (XSS)
XML Parser
34
GeoIP-location based reports
35
Improved PCI Compliance Reporting
New PCI reporting:
• Details security measures required by PCI DSS 1.2
• Compliancy state
• Steps required to become compliant
36
Staging
• ASM allows updated policies to be transparent for testing
• No need to reduce current protection levels until ready
• Staging allows policy testing in a live environment
without committing to implement a new policy
• Easy to stage policies with attack signatures, file types,
URLs and parameters
37
ASM Platforms
• Available as a module with BIG-IP LTM
– 3600/3900/6400/6800/6900 also FIPS
– 8400/8800/8900
– VIPRION
• Standalone ASM on TMOS
– 3600, 3900, 6900 and 8900
38
Summary
• L7 attacks are hackers' favorites
• Protecting web applications is a challenge within many
organizations
• ASM protects Web applications and provides easy
configuration options
• ASM provides PCI compliance reporting
• ASM provides deep application visibility & reporting
• ASM and WA secure and accelerate applications while
achieving consolidation