Jon Bjørnland Per Bøe Egen brannmur for web trafikk?

Transcription

1 Jon Bjørnland Per Bøe Egen brannmur for web trafikk?

2 2 F5 er den globale leder innen Application Delivery Networking Users Data Centre At Home In the Office On the Road Application Delivery Network SAP Microsoft Oracle Business goal: Achieve these objectives in the most operationally efficient manner

3 3 F5 dominerer markedet for Application Delivery Controllers Magic Quadrant for Application Delivery Controllers, 2009 F5 Networks - Strengths F5 Networks has a broad and comprehensive vision with industry-leading understanding of the needs of application development, deployment and management. The vendor has a comprehensive feature set with a full range of extensibility delivered through irules and icontrol, and integration with popular integrated development environments (IDEs), such as Eclipse and.net/visual Basic. F5 has developed a very large community of committed users (using F5's DevCentral portal) that helps fuel the use of irules to solve unique data center application challenges, creating a loyal and engaged user base. F5 has a solid financial position and continued market-leading position. SOURCE: Gartner, Inc.

4 F5 i Data Senteret 4 DC 1: U.S. Mobile PC - Home Remote - WAN Data Center & Link Virtualization Link 1 Link 2 Link 3 DC 2: U.K. Link 1 Link 2 Link 3 Web Server Virtualization Web Server Web Server Web Server Application Server Virtualization App. Server App. Server App. Server File Storage Virtualization NetApp EMC Windows file storage PC - LAN WLAN Web Server App. Server Windows file storage BIG-IP GTM & LC BIG-IP LTM, WA, ASM BIG-IP LTM, APM F5 ARX

5 5 F5 mellom nettverk og applikasjoner Application Layer Layer Network Layer ROUTERS Rate Shaping Content Acceleration DoS Protection SSL Acceleration Data Center Solutions Load Balancing Intelligent Clients SWITCHES FIREWALLS Application Security Traffic Compression Caching Connection Optimization

6 6 F5 mellom nettverk og applikasjoner Network Layer Application Layer INTELLIGENT Data Center Solutions APPLICATIONS icontrol ROUTERS irules SWITCHES TM/OS Functions FIREWALLS Intelligent Clients

7 7 Intelligens, fleksibilitet og ytelse irules Programmable Network Language Programmable Application Network GUI-Based Application Profiles Repeatable Policies Unified Application Infrastructure Services Targeted and Adaptable Functions Security Optimisation Delivery New Service Universal Inspection Engine (UIE) Complete Visibility and Control of Application Flows TM/OS Fast Application Proxy Client Side Compression TCP Offloading Server Side Load Balancing

8 8 BIG-IP Hardware Line-up VIPRION BIG-IP 8900 BIG-IP 1600 BIG-IP x 10/100/ x 1Gb SFP 4 GB memory 2 Gbps Traffic BIG-IP x 10/100/ x 1Gb SFP 8 GB memory 4 Gbps Traffic BIG-IP x 10/100/ x 1Gb SFP 8 GB memory 6 Gbps Traffic 16 x 10/100/ x 1Gb SFP 2 x 10Gb SFP+ 16 GB memory 12 Gbps Traffic 4 x 4 10/100/1000 (PB200 blade) 4 x 8 10Gb SFP+ (PB200 blade) 4 x 16 GB memory (PB200 blade) 4 x 18 Gbps Traffic (PB200 blade) 72 Gbps Traffic in total 4 x 10/100/ x 1GB SFP 4 GB memory 1 Gbps Traffic

9 9 Web applikasjoner er utsatt New SANS report Focused on patching Operating Systems 80% of vulnerabilities are in web apps 60% of the attack vectors are web based

10 10 Nesten alle web applikasjoner er sårbare 97% of websites at immediate risk of being hacked due to vulnerabilites! 69% of vulnerabilities are client side-attacks - Web Application Security Consortium 8 out of 10 websites vulnerable to attack - WhiteHat security report 75 percent of hacks happen at the application. - Gartner Security at the Application Level 64 percent of developers are not confident in their ability to write secure applications. - Microsoft Developer Research

11 11 WhiteHat Website Security Statistics 10/2009 Data collected from January 1, 2006 to October 1, websites

12 12 Hva koster det å fikse sårbarhetene? The average custom business application has 150k to 250k lines of code -- Software Magazine Every 1k lines of code averages 15 critical security defects -- U.S. Department of Defense That means there are an average of 2.25k security defects in every business application The average security defect takes 75 minutes to diagnose and 6 hours to fix -- 5-year Pentagon Study That s 2.8k hours to diagnose the defects and 13.5k hours to fix them Average worldwide cost of programmer = $40 per hour -- F5 Networks That s a cost of $112k to diagnose the defects and $540k to fix the defects k=1,000

13 13 Hvor lang tid tar det å fikse sårbarhetene? Spring 2009 Website Security Statistics Report

14 14 Utviklere blir bedt om å gjøre det umulige. Application Security? Application Patching Application Development Application Scalability Application Performance

15 15 Hvem er ansvarlig for applikasjons sikkerhet? Web developers? Network Security? Engineering services? DBA?

16 Tradisjonelle brannmurer 16

17 Kryptering gjør den tradisjonelle brannmuren blind 17

18 Perimeter Security er ikke tilstrekkelig 18

19 19 WAF: Web Application Firewall Intelligent Client Network Plumbing Application Infrastructure Application Buffer Overflow Cross-Site Scripting SQL/OS Injection Cookie Poisoning Hidden-Field Manipulation L7 Application DoS Brute Force Logins User HTTP/S Traffic Firewall IDS-IDP Anti-Virus Traffic Mgt App Xcel App Firewall Error Messages Non-compliant Content Credit Card / SSN data Server Fingerprints App Application Delivery Security Logs and reports all HTTP traffic Secures Applications Application content & context aware Bi-directional; request filtering & application cloaking

20 Positiv vs Negativ Sikkerhet 20

21 21 Tradisjonelle sikkerhetsprodukter vs. WAF Known Web Worms Unknown Web Worms Known Web Vulnerabilities Unknown Web Vulnerabilities Illegal Access to Web-server files Forceful Browsing File/Directory Enumerations Buffer Overflow Cross-Site Scripting SQL/OS Injection Cookie Poisoning Hidden-Field Manipulation Parameter Tampering Layer 7 DoS Attacks Brute Force Login Attacks App. Security and Acceleration Network Firewall Limited X Limited X Limited X X Limited Limited X X X X X X X IPS Limited Partial Limited X X Limited Limited Limited Limited X X X X X X WAF

22 22 Web Application Protection Options Only protects against known vulnerabilities Difficult to enforce; especially with subcontracted code Only periodic updated; large exposure window Best Practice Design Methods Web Apps Web Application Firewall ASM Automated & Targeted Testing Done periodically; only as good as the last test Only checks for known vulnerabilities Does it find everything? Real-time 24 x 7 protection Layered security Allows immediate protection against new vulnerabilities Central point of enforcement for website security

23 23 Web Application Protection Options Only protects against known vulnerabilities Difficult to enforce; especially with subcontracted code Only periodic updated; large exposure window Best Practice Design Methods Web Apps Web Application Firewall ASM Automated & Targeted Testing Done periodically; only as good as the last test Only checks for known vulnerabilities Does it find everything? BIG-IP Application Security Manager Real-time 24 x 7 protection Layered security Allows immediate protection against new vulnerabilities Central point of enforcement for website security

24 24 BIG-IP Application Security Manager Powerful Adaptable Solution Provides comprehensive protection for all web application vulnerabilities Delivers out of the box security Sees Application level performance Logs and reports all application traffic and attacks Educates admin. on attack type definitions and examples Enables L2->L7 protection Unifies security and acceleration services Provides On-Demand scaling

25 25 Secure the applications and data Network and Protocol Attack Protection Resource Cloaking and Content Security Selective Encryption Application Security Manager (add-on module) Security at Application, Protocol and Network Level Meet compliance requirements (PCI, HIPAA, etc.) Strong protection without interrupting legitimate traffic BIG-IP enabled us to improve security instead of having to invest time and money to develop a new more secure application TechValidate 0C FB Application Manager Global 5000 Media and Entertainment Company

26 26 Security Policy with Multiple security layers RFC enforcement Various HTTP limits enforcement Profiling of good traffic: Defined list of allowed file types, URI s, parameters Each parameter is evaluated separately for: Pre defined value Length Character set Attack patterns looking for Pattern Matching Signatures Responses are checked as well

27 27 Deployment without False positives Predefined Policy Templates Pre-configured security policies Rapid deployment policy Learning mode Automatic or manual Gradual deployment Transparent / semi-transparent / full blocking

28 28 Layer 7 DoS/DDoS and Brute Force prevention Unique Attack Detection and Protection Unwanted clients are remediated and desired clients are serviced Improved application availability Focus on higher value productivity while automatic controls intervene

29 29 Airline Inventory Vulnerable to Web Scraping Ryanair Stolen data, litigation costs, decreasing revenue Wins injunction against Vtours GmBH Forbids screen-scraping as commercial use* Ryanair sent cease and desist letters to 300 sites easyjet warns Expedia: 'Hands off our flights

30 30 Protection from Web Scraping Remote users Legitimate users see inventory while scrapers are remediated Dublin Datacenter IT Staff Frankfurt Datacenter IT Staff Automated scraper Web Domino Network Detect requests and determine web site is being scraped Web Domino Network BIG-IP 8900 LTM/ASM BIG-IP 6900 LTM/ASM Comprehensive reporting on scraping attacks Solution Protects valuable intellectual property Prices are controlled and users see airline approved inventory Integrated scrape reporting for PCI compliance Avoid litigation drastically reducing legal costs

31 31 Attack Expert System in ASM v Click on info tooltip

32 32 Attack Type Details 2. Click on attack type

33 33 Reporting Features Executive View HTTP Response Splitting Command Execution Detection Evasion Parameter Tampering SQL Injection Cross Site Scripting (XSS) XML Parser

34 GeoIP-location based reports 34

35 35 Improved PCI Compliance Reporting New PCI reporting: Details security measures required by PCI DSS 1.2 Compliancy state Steps required to become compliant

36 36 Staging ASM allows updated policies to be transparent for testing No need to reduce current protection levels until ready Staging allows policy testing in a live environment without committing to implement a new policy Easy to stage policies with attack signatures, file types, URLs and parameters

37 37 ASM Platforms Available as a module with BIG-IP LTM 3600/3900/6400/6800/6900 also FIPS 8400/8800/8900 VIPRION Standalone ASM on TMOS 3600, 3900, 6900 and 8900

38 38 Oppsummering L7 attacks are hackers favorites Protecting web applications is a challenge within many organizations ASM protects Web applications and provides easy configuration options ASM provides PCI compliance reporting ASM provides deep application visibility & reporting ASM and WA secure and accelerate applications while achieving consolidation

39