Gezielte Angriffe auf Unternehmen. Warum die beste Netzwerksicherheit allein nicht greift. Securing and Optimizing Web applications

Transcription

1 Gezielte Angriffe auf Unternehmen Warum die beste Netzwerksicherheit allein nicht greift Securing and Optimizing Web applications

2 Agenda 1. Gezielte Angriffe auf Unternehmen - Wieso müssen wir uns mit dem Thema unausweichlich beschäfigen? 2. Weshalb die beste Netzwerksicherheit allein nicht greift. 3. Diskussion 4. Welche Dinge sind für ein effektives & effizientes Handling relevant? 2

3 Veränderung der Angriffe auf Web Applikationen Nationale Interessen Spion Persönlicher Gewinn Dieb Höchste Zunahme Persönlicher Ruhm Neugier Vandal Eindringling Autor Expertentools werden vermehrt von Hobby- Hackern und Kriminellen verwendet Script-Kiddy Hobby Hacker Experte Spezialist 3

4 Netzwerk vs. Applikation 4

5 Why Application Security is a High Priority! Does not require to be highly skilled or any material Web applications are high value targets for hackers: Customer data, credit cards, ID theft, fraud, site defacement High Complexity Low Low Hackers ROI High 5

6 Lage der IT-Sicherheit in Deutschland

7 Top 10 Web Threats 7

8 Demo: Login per SQL-Injection Quelle: GAI netconsult 8

9 Demo: Manipulation eines Hidden-Fields Quelle: GAI netconsult 9

10 Die wachsende Bedrohung durch Web-Angriffen Test, durchgeführt von PSINet und Pansec 2 "dummy" Web-Sites wurden erstellt, die europäische Bank-Sites simulieren Das Ergebnis 2000 Angriffe pro Woche auf die ungeschützte Web-Site 200 Angriffe pro Woche durch die Firewall, von denen mehr als 33% als High Risk eingestuft wurden Internet Die Frage ist deshalb nicht Wird es eine High Risk Attacke gegen die Web-Anwendung geben? sondern WANN? 10

11 Network firewalls are inefficient Web servers Netbios Databases HTTP/S HTTP/S Application Server Backend Server/System NFS Source? Destination? Service? Network Firewalls check IP source and destination, port numbers and sometimes protocol compliance Web Applications Firewalls inspect the HTTP/HTTPS/XML content 11

12 Network Security Doesn t Protect - Web Applications Known Web Worms Unknown Web Worms Known Web Vulnerabilities Unknown Web Vulnerabilities Illegal Access to Web-server files Forceful Browsing File/Directory Enumerations Brute Force attacks Buffer Overflow Cross-Site Scripting SQL/OS Injection Cookie Poisoning Hidden-Field Manipulation Parameter Tampering Web Application Firewall Network Firewall Limited X Limited X Limited X X X Limited Limited X X X X IPS Limited Partial Limited X X Limited X Limited Limited X X X X 12 12

13 Web attacks: targets and impacts Web servers Databases Application Server Web Services Users Impact Targets Users Web servers Web applications Databases Web services Session hijacking Web Server defacement Deny of services (DoS) Remote control on the Web server Web applications behavior modification Data theft, datas modification 13

14 Web Application Security Web servers Databases Application Server Backend Server/System Users An efficient & effective solution should protect against applicative attacks that target : Users Databases Web servers Web services Web applications 14

15 Vergleich von Security-Maßnahmen Hoch Effektivität (erreichter Schutz) Code Analyse Penetrations-test Security Training für Entwickler Web Application Firewalls Niedrig IPS / Deep Inspection Schwachstellenscans Niedrig Effizienz (Kosten-/Nutzen-Verhältnis) Hoch 15

16 Deny All Security Solutions 16

17 WAF = Web Application Firewall? 17

18 Why Customers deploy Transactional application Web mail Business data protection PCI compliance PCI DSS 6.6 Web services protection Application performance 18

19 Company overview Initally developed and used by SociétéGénérale, independent company launched in 2001 More than 10 years in production network 24x7x365 Leading European WAF vendor customers - all sectors Protection of more than web sites Worldwide operations -active in more than 25 countries -presented by own teams and/or certified partners Revenue - 60% in France - 40% International Key partners for Technology and Hardware: 19

20 Deny All Application Firewall Lösungen rftp File Transfer Application Firewall Sofortiger Schutz der File Transfer Dienste und Applikationen rweb Web und XML Application Firewall Vollständiger Schutz, Beschleunigung und Vereinfachung von Web-Applikationen und des Web Services Environments sproxy Secure Web Accelerator Beschleunigung und Schutz Ihres Web-Daten-Centers Hoher Basis Schutz mit Blacklist & Scoringlist 20

21 Architecture with reverse proxy DMZ mode Public DMZ Web server Application server Databases Backend Server/System SAP PORTAL Architecture security improvement Application level security Acceleration 21

22 Multi DMZ mode Public DMZ Acceleration Web frontal Application server Databases Backend Server/System Private DMZ Authentication / Filtering SAP PORTAL 1st appliance Acceleration 2nd appliance Authentication and Filtering 22

23 Security mechanisms Reverse Proxy Protocol Inspection Reverse Proxy, no direct access from outside world Black List Scoring List White list Statefull Cookie Tracking Benefits Applicative Infrastructure virtualization Powerful rewriting Acceleration features User behavior tracking Client Sanitization 23

24 Security mechanisms Reverse Proxy Protocol Inspection Black List Scoring List Protocol Inspection URL normalization Anti-evasion White list Statefull Cookie Tracking User behavior tracking Client Sanitization Benefits: Able to detect and blocks that have been encoded Immediate protection against attacks that use protocol manipulation 24

25 Security mechanisms Reverse Proxy Protocol Inspection Black List Scoring List White list Statefull Cookie Tracking User behavior tracking Client Sanitization Black list Over 2000 signatures of web application vulnerabilities Periodically updated Auto/Manual upload Groups to improve performances Benefits Immediate protection against known vulnerabilities No need to know the application or the web server technology 25

26 Security mechanisms Reverse Proxy Protocol Inspection Black List Scoring List Scoring list Score every incoming requests Drop the request when the score is too high Result of years of experience to allocate the weight. Integration of our know-how in Plug&Play feature (10 years) White list Statefull CookieTracking User behavior tracking Client Sanitization Benefits Very low level of false positive for attacks such as SQL injection, XSS, code injection compared to a simple black list block injection across multiple parameters Able to block 97% of new vulnerabilities without any modification, or adaptation (SQLi, XSS, HTMLi, LFi) 26

27 Unique WAF-Feature: Scoringlist Pattern 1: ^select$ weight=0,50 Pattern 2: ^union$ weight=0,25 Pattern 3: ^from$ weigth=0,25 union weight=0,25 nicht geblockt union select weight=0, 75 nicht geblockt union select * from weight=1,00 geblockt 27

28 Hoher Basis-Schutz mit negativer Security 100% Security Level Scoring List + Black-List Blacklist 0% 28

29 Security mechanisms Reverse Proxy Protocol Inspection Black List Scoring List White list Statefull Cookie Tracking User behavior tracking Client Sanitization White list Only expected request will be granted Tools to generate automatically the white list: Multiple security Levels Benefits Easy to set up Improve the security level By using a low level of white list, improve to security level and doesn't increase administration cost 29

30 Security mechanisms Reverse Proxy Protocol Inspection Black List Scoring List White list Statefull Cookie Tracking Anti brute force Anti Dos Client Sanitization Cookie stateful tracking Signature Encryption Benefits Immediate protection against cookie manipulations 30

31 Security mechanisms Reverse Proxy Protocol Inspection Black List Scoring List White list Statefull Cookie Tracking Anti Brute force / Anti DOS Multiples criteria (Time, ip, cookie, response code ) Multiples reactions (error page, slow down, redirect ) User behavior tracking Client Sanitization Benefits Protect against attacks that can t be blocked with positive or negative security model 31

32 Security mechanisms Reverse Proxy Protocol Inspection Man-in-the-browser/Trojan (MITB) Operates inside the browser with full access Disclosure of sensitive data Manipulates transaction data Black List Scoring List White list Statefull Cookie Tracking User behavior tracking Client Sanitization Spyware Operates typically from inside the browser, but may operate from other places Steals confidential information Mitigation Secure services even on a possibly infected system Proactive protection features integrated in a browser Maximum security level without the need for a separate installation or admin rights No end-user configuration required Low overhead ensuring stable system speed 32

33 Security mechanisms Reverse Proxy 1. Client connects to the Web site Protocol Inspection Black List Scoring List White list Statefull Cookie Tracking User behavior tracking Client rweb Server 2. rweb forces the loading of shield Client Sanitization 3. Client connects from a secured browser 33

34 WEB Services Protection Databases WEB services Backend Server/System Protocol Validation Schema Validation (WSDL, DTD, XSD ) Xpath enforcement Canonization Next Feature 34

35 SAP Public DMZ Databases SAP Service Backend Server/System SAP Portal Deny All provides SAP Web Applications protection Next Feature 35

36 Authentication Databases SAP Service Backend Server/System Client Certificats One time password RSA Secure ID Radius Ldap(s) Active Directory 36

37 SSO Authorization Databases SAP Service Backend Server/System CA Site Minder 37

38 Web application visibility Visibility on Web Servers response time In the logs Total time Web server response time = rwebprocessing time Visibility on the users requests Evidence of attacks (Web servers don t log entire traffic) Debug and Web application behavior improvement 38

39 Acceleration Server Load Backend Server/System Application Server Cache TCP Multiplexing SSL offload On the fly compression Improve user s experience 39

40 Appliances High availability - Active/Active rweb Cluster Both nodes are active Failover < 1s Up to 32 active nodes 40

41 Feature distribution rweb 4.0 Caching rweb 4.0 Filtering rweb 4.0 Load-Balancing 41

42 Back ends High availability / Load Balancing Application Server Backend Server/System Algorithms: Weighted Round robin Least requests Applicative Health check Session tracking Web server «soft removing» Databases Benefits : No need to implement HA mechanisms on Web servers Applicative HA Scalable architecture 42

43 Management Administration GUI WEB 2.0 SNMP (V2c V3) Syslog Configuration synchronization Backup / restore 43

44 Reporting 44

45 Monitoring System Health Overall Throughput Security Alerts Incidents Severity 45

46 Denyall Security Solutions Hide Server from Internet Validation HTTP protocol Protect against known vulnerabilities Protect against Unknown vulnerabilities Application zone restriction Sensible data hidden Less servers needed Improved response time Strong authentication Session protection Behavior agreement Isolate external sessions Remove any possibilities of jump 46

47 Benefits (Web Application) Security Acceleration Visibility on Web applications Infrastructure optimisation 47

48 Kontakt: Deny All GmbH Ingmar Lüdemann