Securing Web Applications at the Network Layer v.1.5

Transcription

1 Securing Web Applications at the Network Layer v.1.5 WebSec th February México D.F. Internet Carlos Fragoso Mariscal Supercomputing Center of Catalunya (CESCA) 1

2 Who s Carlos Fragoso? Networking Systems and Security Engineer at Supercomputing Center of Catalunya (CESCA) Responsible for proactive, reactive and value-added security services on Anella Científica RREN and CATNIX IXP: Perimeter protection, infrastructure hardening, intrusion and anomaly detection, incident handling, malware analysis, etc. ERIAC Incident Response Team Incident Handling Manager Involved in several IR communities and security workgroups: TF-CSIRT, EURO-IX, ABUSE-ES, UNISOG and NSP-SEC Guest speaker at several national and international security conferences, workshops and master degree courses Bachelor s Degree on Computer Science (UAB) Master on Networking and Telecommunication Services (URL) Cisco Systems Certified Engineer (CCNA, CCNP*) SANS GIAC Certified (GSEC, GCFW, GCIH, GHTQ, GREM) Jessland Community Core Member Spanish Honeynet Project (SHP) member Fields of interest: IPv6, multicast, routing, traffic engineering, MPLS, QoS, WLANs, VPNs, firewalls, IDS/IPS, honeypots/nets, incident handling, forensics, etc. 2

3 Table of Contents Overview Security Architecture Design parameters and procedure Security areas Devices Network Firewalls Network Intrusion Prevention/Detection Systems Security Architecture Case Study Conclusion 3

4 Overview Network security is usually not considered in web application security as part of a defensein-depth approach Security architecture could provide a robust topology to enforce security in web services environments This talk focuses on how to increase web services security through network security architecture protection and detection 4

5 Overview: Web application clients interface Web application clients mainly use HTTP protocol as their interface to the application Users (B2C) and hosts (B2B) reside on external or business partners networks 5

6 Overview: Web application layered model Interface Application Data Some web applications are not able to separate interface and application layers so they are just one Data layer is commonly a filesystem or a database 6

7 Overview: Web application layers segregation Interface Application Data First operational and security approach is to separate the different layers on different hosts 7

8 Overview: Summary Client networks External Business partners Interface HTTP/S protocol... Web Application Services Interface (web) Application Data (databases) 8

9 Security Architecture: Design parameters Defense-in-depth Technology balance Least privilege principle Simplicity Biodiversity Access control Operational/Risk balance Escalability Redundancy 9

10 Security Architecture: Perimeter Security 10

11 Security Architecture: Design procedure Security policy Security levels classification Deploy network devices Segmentation with firewalls Deploy additional security devices IDS/IPS Content inspection VPNs 11

12 Security Architecture: Security Areas Internet Extranets Business partner or remote sites DMZ s External Intranets Users network Protected network 12

13 Security Architecture: Devices Firewalls Routers Switches Intrusion Detection/Prevention Systems Honeypots and Honeynets Security Event Managers Desktop and mobile end-user systems Wireless Access Points Hybrids... 13

14 Security Architecture: Network Firewalls Interconnects different security level networks providing traffic access control Technology: Stateless: each packet handled individually Stateful: keeps state of network flows Stateful Inspection: understand application layer protocols Value-added features: Load balancing, failover, address translation, VPNs, packet normalization, content inspection, etc. Ruleset: Firewall lockdown No logging Log denied Sneaky rule 14

15 Security Architecture: Network Intrusion/Prevention Detection Systems (NIDS/NIPS) Their job is to provide network audit features and intrusion detection and prevention over the network Types: network, node (IDS) and in-line (IDS, IPS) Traffic capture: taps, hubs, span ports, balancing... Advantages: Easy to deploy Effective Good scalability Disadvantages False positives False negatives Non-textual alarms High-volume of data Ciphered traffic An IPS is not a firewall!!! 15

16 Security Architecture: Tips n hints Critical information must be placed far away from possible risky areas Network security does not patch your hosts for you! Some critical services have a low rate of possible vulnerabilities because they have been heavily tested Sometimes information must be replicated to give a limited-scope view 16

17 Security Architecture Case Study WebSec Enterprises Inc (WEI) 3l33t to deceived hacker Clueless to smart admin 17

18 Security Architecture Case Study: WebSec Enterprises Inc (WEI) Internet Intranet External Workstations WEI s network grew without a security-minded approach Several incidents lead to a security architecture redesign Let s follow together how to face common issues on the new architecture deployment 18

19 Security Architecture Case Study: Identifying Systems Relationship Internet Intranet External Workstations External users access external servers Some external servers (web, app, dns, smtp) need to access internal server Workstation users manage servers and have Internet access 19

20 Security Architecture Case Study: Identifying Security Areas Internet Intranet External Workstations server contains WEI jewels of the crown Workstation users manage WEI infrastructure External servers provide services to the outside Internet is a public, least-secure, network 20

21 Security Architecture Case Study: Step 0 Plain network - Weaknesses Internet Intranet External Workstations Lack of firewalling Different security areas in the same network Oh my god! 21

22 Security Architecture Case Study: Step 0 Plain network Abuse Internet Intranet External t00 e9sy f0r m3! Workstations 1. Reconaissance and exploit launch to compromise WEI external web server 2. reconaissance attack trying to compromise internal workstations or servers 22

23 Security Architecture Case Study: Step 1 DMZ deployment - Weaknesses Internet DMZ Intranet External Workstations Sharing the DMZ between critical services (dns, smtp) and the web server Still a lot to do! 23

24 Security Architecture Case Study: Step 1 DMZ deployment - Abuse Internet DMZ Intranet External Workstations 1. Reconaissance and exploit launch to compromise WEI external web server 2. Firewall allows web server to download hacking tools 3. Local layer-3 compromise or DoS attack against DNS and SMTP external WEI servers P1nch3 9dm1n! 24

25 Security Architecture Case Study: Step 2 VLAN-based DMZ - Weaknesses Internet Intranet DMZ VLAN 2 VLAN 3VLAN VLAN 4 External Workstations Logical isolation (VLAN) on the same physical switch could encourage the hacker to perform Layer-2 DoS or VLAN hopping attacks Same software vendor could ease multilayer compromise Looks better! 25

26 Security Architecture Case Study: Step 2 VLAN-based DMZ - Abuse Internet Intranet DMZ VLAN 2 VLAN 3VLAN VLAN 4 External Workstations a) Compromise webserver and perform layer-2 vlan hopping in order to try to breach the other servers b) Launch exploit against smtp or dns server and relaunch it again to get internal access (nicer if possible) h3h3, n1c3 try! 26

27 Security Architecture Case Study: Step 3 Dual Public DMZ - Weaknesses Internet DMZ-1 External Intranet VLAN 3 VLAN 4 DMZ-2 External Workstations Vulnerability over the single firewall could allow direct communication to WEI intranet Malware injection could compromise workstations I m doing my best! 27

28 Security Architecture Case Study: Step 3 Dual Public DMZ - Abuse Internet DMZ-1 External Intranet VLAN 3 VLAN 4 DMZ-2 External Workstations a) Specially crafted packets are sent so that filtering is overcomed and sent directly to internal server b) Malware is injected through a URL (malware site) on fake Br3ak d9 p3r1m1t3r 28

29 Security Architecture Case Study: Step 4 Multilayered service-leg-based double-dmz Internet DMZ-1 Web Proxy Intranet DMZ-2 App VLAN 3 VLAN 4 External Workstations Database Vulnerabilities such as SQLInjection on App or database could compromise the boxes and probably disclose sensitive information Paranoia is your friend 29

30 Security Architecture Case Study: Step 4 Multilayered service-leg-based double-dmz Internet DMZ-1 Web DMZ-2 App VLAN 3 VLAN 4 External W0w, th9t s n0t 39sy Proxy Intranet Workstations Database 1. Reconaissance against web/app server to identify database internal server 2. Perform SQL Injection in order to get sensitive data back to the hacker 30

31 Security Architecture Case Study: Step 5 Protected network with data replication Internet DMZ-1 Web Proxy Intranet DMZ-2 App VLAN 3 VLAN 4 External Workstations Database Protected Network Database Necessary content database replication GREEEEAAAAT!!! 31

32 Security Architecture Case Study: Some remarkable security issues Lack of multilayer firewalling Network sharing of different security areas Outbound traffic control on DMZ areas Relaxed server patching policy Shared resource used for critical information Logical vs physical isolation OS, Software and hardware biodiversity Sensitive data access 32

33 Security Architecture Case Study: Long life to the new WEI network! Internet Internet DMZ-1 DMZ-2 Intranet Web App VLAN VLAN External Workstations External Proxy Intranet Database Protected Network Database 33

34 Security Architecture Case Study: Prevention is IDEAL but detection is a MUST! Internet DMZ-1 Web Proxy Intranet DMZ-2 App VLAN 3 VLAN 4 External Workstations Database Protected Network Database 34

35 Conclusion Security architecture definitively helps to improve the global state of security for web services It is highly recommended to separate interface, application and data layers Knowing your environment is half-the-battle in order to choose a good topology approach Place hosts in the infrastructure according to their data security level, sometimes splitting or replicating the information is necessary What has been described makes thing more difficult to the hacker but not impossible! 35

36 Coming Soon... Router Infrastructure Hardening Talleres WebSec 2006 Monitoreo y Defensa 16 th February, :00-11:20 36

37 Thank you for your time!!! Special greetings to CESCA workmates, Jess García, Victor Chapela and his team, and of course... to WebSec Padawans!!! Carlos Fragoso Mariscal 335C CB9F 84E8 85E9 A62B EF3A 102F 01FF 0E4E DE07 37