RealSentry (TM) SSL overview
Advanced Protection for Web Services: SSL Accelerator, Intrusion Detection System, Reverse Proxy, Application Firewall

Web services deployment
The principal reasons which delay the deployment of web technologies:
- Technology with a poor level of security
- Insufficient XML knowledge
- Immaturity of standards
- Not adapted to the company's needs
- No vendor leader clearly identified
- Not enough tools
- Young and unstable technology
[bar chart: percentage of the surveyed companies citing each reason; bar values 24.4 %, 22.2 %, 31.9 %, 31.1 %, 30.4 %, 37.8 %, 43 %]
This survey was carried out in November 2001 with 135 French companies (Source: 01 Informatique).

How to protect Web Servers today?
[diagram: Internet, firewall with IDS agent, DMZ with NIDS probes in front of the Web servers, vulnerability scanner offered as an ASP service]
Today, the best solution uses three components:
- Firewall: to forward only HTTP(S) packets to the Web servers
- Network-based Intrusion Detection System (NIDS): to prevent malicious packets
- Vulnerability scanner: to detect known vulnerabilities on systems

Vulnerabilities: a worrying progression
Vulnerabilities reported (Source: CERT Coordination Center):
- 1998: 262
- 1999: 417 (+59 %)
- 2000: 1090 (+161 %)
- 2001: 2437 (+123 %)
Code Red: 2.6 billion US dollars of damage
Nimda: 590 million US dollars of damage

Why are Firewalls insufficient?
- Security policy based only on the type of protocol (not on content)
- Unable to analyse encrypted network traffic like HTTPS
- Unable to process a finer-grained analysis of the application activities
- Usually protects only from the external network
- Network device managed by a security administrator (as opposed to a Web server managed by a webmaster)

Why are NIDS insufficient?
- Protect only against known vulnerabilities (pattern matching)
- Cannot scan content if network traffic is encrypted
- Difficult to deploy on switched networks
- Cannot handle high-speed networks
- Critical setup: a bad configuration generates many false alarms
- Unable to process a finer-grained analysis of the application activities

A new approach against HTTP attacks
[diagram: two parallel flows from the Internet through the corporate firewall; real-time virus detection, where the anti-virus stops a virus, and real-time HTTP traffic control, where RealSentry stops an attack before the Web server]
- The antivirus detects and blocks viruses
- RealSentry detects and protects against known or unknown vulnerabilities

RealSentry concept
[diagram: User, SSL decryption/encryption, Full HTTP Inspection (TM) Technology engine, Web Server, with the numbered steps below]
(1) HTTP request sent by a user
(2) Hardware (RealSentry SSL) or software (RealSentry) decryption
(3) Check HTTP packet with Full HTTP Inspection (TM) Technology
(4) If validated by the security policy, the safe HTTP packet is forwarded to the Web Server
(5) Check HTTP packet with Full HTTP Inspection (TM) Technology
(6) Hardware (RealSentry SSL) or software (RealSentry) encryption
(7) HTTP answer is sent back to the user

RealSentry provides the ultimate protection
[diagram: hacker on the Internet, Firewall, RealSentry SSL, Web Servers]
- Full connectivity (FTP, DNS, HTTP, HTTPS, SMTP, ICMP): more than 200 new vulnerabilities each month
- Restricted connectivity behind the Firewall (HTTP, HTTPS): more than 20 new vulnerabilities each month
- High secure connectivity behind RealSentry SSL (HTTP): no vulnerability can reach your Web Server

Four technologies in a single box
Reverse Proxy
- Like a reverse proxy: RealSentry breaks the direct connection between browser and Web server.
- But unlike a reverse proxy: RealSentry includes filter capability to exclude malicious HTTP packets. RealSentry keeps the original IP address when operating in stealth mode.
NIDS
- Like an IDS probe: RealSentry is a network-based protection and runs in stealth mode.
- But unlike an IDS probe: RealSentry protects against unknown vulnerabilities. RealSentry protection is effective even on encrypted packets (HTTPS).
Application Firewall
- Like an application firewall: RealSentry allows implementing a security policy to accept or deny packets.
- But unlike an application firewall: RealSentry performs a detailed protocol analysis to prevent malicious HTTP requests.
SSL Accelerator
- Like an SSL accelerator: RealSentry handles the decryption and encryption tasks for SSL transactions.
- But unlike an SSL accelerator: RealSentry incorporates built-in security mechanisms to protect your web site from fraudulent activities.

RealSentry Technology: Black List Detection (IDS technology)
Concept
» Signature-based method
» Requires regular updates
» Protects only against known vulnerabilities
RealSentry Implementation
» Automatic updates
» Multiple rules to prevent IDS evasion
» Very easy to set up: protect your Web server in a few minutes
RealSentry Benefits
» Detects more than 600 HTTP vulnerabilities
» Effective protection including on encrypted traffic (HTTPS)
» No need to monitor vulnerabilities or patch your Web server
» Plug and Protect solution

RealSentry Technology: White List Filtering (Exclusive Axiliance technology)
Concept
» All HTTP requests that are not expressly authorized are prohibited
» No signature-based method
» Protection against known or unknown vulnerabilities
RealSentry Implementation
» Security policy defined by URL groups, directories or single URL
» Security policy includes syntax, URL length, variables, cookies, ...
» Setup assistants with learning, tracking and protecting modes
RealSentry Benefits
» Identify and prevent both known and unknown vulnerabilities
» Effective protection including on encrypted traffic (HTTPS)
» Represents the most secure solution for Web services currently available in the world

Normal life cycle of a vulnerability
[chart: Security Level against Time; events in order: vulnerability discovered, exploit publication, hotfix provided by vendor (vendor reactivity), hotfix applied (customer reactivity)]
Minimum delay generally observed: 10-15 days

RealSentry with only Black List Protection
[chart: same timeline and events, with an additional "update attack signature" event; vendor reactivity and customer reactivity unchanged]
Maximum delay generally observed: 24 hours

RealSentry with White List Protection
[chart: same timeline and events; RealSentry with White List Protection is insensitive to new vulnerabilities]

The 4 solutions to prevent vulnerabilities
- Manual Vulnerability Assessment (vulnerability scanner used manually)
- Automated Vulnerability Assessment (vulnerability scanner used automatically)
- RealSentry, minimum secure configuration (RealSentry in non-stealth mode with only Black List Protection)
- RealSentry, full secure configuration (RealSentry in stealth mode with integral White List Protection)

Black List Mode
[flowchart] RFC conformity check (HTTP header fields): OK -> HTTP IDS (Black List Protection): OK -> forwarded; KO at either stage -> Reject + Logs (SNMP, SMTP, SMS)

Counter measures with HTTP IDS
Black List: HTTP request containing a pattern known to be vulnerable; any request (for compatibility with older versions)
Counter measures:
- Buffer overflow
- Cross Site Scripting
- Remote Command
- SQL injection
- Path Traversal
- Meta Characters
- Null Bytes
- Predefined Pattern

White List + Black List
[flowchart] Client -> RFC conformity check -> HTTP Headers Management -> HTTP Firewall (Partial White List) or HTTP Firewall (Full White List) -> HTTP IDS (Black List Protection) -> Web Server; KO at any stage -> Reject + Alerts (Logs, SNMP, SMTP, SMS)

Counter measures with HTTP IDS and HTTP FW
Black List: HTTP request containing a pattern known to be vulnerable; any request (for compatibility with older versions)
White List: dynamic request with a security policy
Counter measures (the first two are added compared with the HTTP IDS alone):
- Application vulnerabilities
- Brute Force
- Buffer overflow
- Cross Site Scripting
- Remote Command
- SQL injection
- Path Traversal
- Meta Characters
- Null Bytes
- Predefined Pattern

RealSentry Security Level
[chart: Security Level (Low to High) against Setup and management (Easy to Difficult)]
- Default Security Policy (RFC conformity, URL length, authorized characters, ...): easy setup
- Black List Protection (pattern matching): protection against known attacks or vulnerabilities; RealSentry with a minimum security policy
- White List Filtering (URL syntax, variables and cookies supervised by security policies): protection against unknown attacks or vulnerabilities; RealSentry with a strong security policy
- RealSentry with a maximum security policy: highest security level

High Availability: normal operation
NORMAL OPERATION: out-of-band monitoring with RS-MONITOR & RS-FAILOVER
[diagram: unsafe HTTP(S) in, safe HTTP out; Master and Slave units, each with an electronic bypass]
- Master: active, monitoring HTTP(S) traffic
- Slave: passive, monitoring the Master's activities

High Availability: fault operation
FAULT OPERATION
[diagram: unsafe HTTP and unsafe HTTPS in, safe HTTP out; the failed Master is bypassed and the Slave takes over]
- Master: failed, Ethernet IN/OUT in bypass mode
- Slave: active, monitoring HTTP(S) traffic

RealSentry SSL v1.0 Features
- APPLIANCE: integrated solution (hardware and software)
- SSL ACCELERATION: boosted and secure encrypted traffic
- INTRUSION DETECTION: exclusive technology from Axiliance
- STEALTH MODE: "Plug and Protect" solution
- FAULT TOLERANCE: high availability, 24/7

Competitive Comparisons
(columns A to D are the four comparison criteria; their headings are not present in the extracted slide)
Company        Product          A    B              C       D
Kavado         Interdo          No   No             Yes     Yes
Sanctum Inc    AppShield        No   Yes compliant  Option  with 3rd party
Deny-All       Rweb             No   No compliant   No      with 3rd party
Ubizen         dmz/shield       No   No compliant   Option  with 3rd party
Stratum 8      APS              No   No             No      Yes
Axiliance      RealSentry       Yes  Yes            No      Yes
Axiliance      RealSentry SSL   Yes  Yes            Yes     Yes

RealSentry: setup and management
Full out-of-band management by serial or Ethernet interface
[architecture diagram]
- Management access: SSH or TELNET over Ethernet, or the serial line, into a restricted shell; Web administration over HTTPS on an Ethernet interface
- HTTP packets: inspection modules, APACHE reverse proxy, stealth modules
- Database: configuration, security policies, logs
- LINUX kernel underneath

RealSentry: setup and management
[diagram: ADMIN or Webmaster reaching RealSentry over HTTPS through the Firewall from the Internet, or over the serial console; DMZ with the WEB servers]
Network installation
- First setup by serial console
- Access restricted to a special account (ADMIN)
Management of services and security policies
- Network interface card dedicated to management operations
- Intuitive and secure Web-based administration (HTTPS)
- Command line based administration via a restricted and secure shell
- Service creation is only allowed to an administrator account (ADMIN)
- Each service is associated with one or several Webmasters
- Service management is only allowed to the Webmaster

Black List Mode: initial setup
RS232 console -> Create services (HTTPS via dedicated interface) -> Connect to network -> Web servers protected

White List Mode: initial setup
RS232 console -> Create services (HTTPS via dedicated interface) -> Bypass Mode (open network traffic) -> Learning Mode (generate White List) -> Tracking Mode (check White List) -> Protected Mode (Web servers are protected)

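The White List Filtering concept, the inspection chain (RFC conformity check, White List, Black List, reject + logs) and the White List Mode setup sequence above, as an added example that is not code from the deck or from Axiliance: a small Python model of a security policy that is generated in Learning Mode, checked in Tracking Mode and enforced in Protected Mode, with a Bypass Mode that passes traffic untouched. Everything in it is constructed: the sample requests, the policy structure (decoded path -> allowed methods, variable names with a maximum length, cookie names), the 256-character URL limit, and the five Black List regexes, which stand in for signature families the deck names and are not RealSentry's own rules.

```python
import re
from collections import namedtuple
from urllib.parse import urlsplit, parse_qsl, unquote
# Black List: pattern families the deck names; regexes constructed here, not RealSentry's signatures.
BLACK_LIST = {
    "Path Traversal": re.compile(r"\.\./|\.\.\\"),
    "Null Bytes": re.compile(r"\x00"),
    "Cross Site Scripting": re.compile(r"<script|javascript:", re.I),
    "SQL injection": re.compile(r"'\s*(or|and|union)\b", re.I),
    "Meta Characters": re.compile(r"[;|`$]"),
}
METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}
MAX_URL_LENGTH = 256          # URL length limit of the default security policy (assumed value)
Request = namedtuple("Request", "method target version headers")

def rfc_conformity_check(raw):
    """First stage: parse the request head; raise ValueError when it is not RFC-shaped HTTP/1.x."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] not in METHODS or not re.fullmatch(r"HTTP/1\.[01]", parts[2]):
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not re.fullmatch(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+", name):
            raise ValueError("malformed header field")
        headers[name.lower()] = value.strip()
    if parts[2] == "HTTP/1.1" and "host" not in headers:
        raise ValueError("HTTP/1.1 request without Host header")
    return Request(parts[0], parts[1], parts[2], headers)

def split_request(req):
    """Decoded path, query variables and cookies: the objects the security policy reasons about."""
    url = urlsplit(req.target)
    variables = dict(parse_qsl(url.query, keep_blank_values=True))
    cookies = {}
    for pair in req.headers.get("cookie", "").split(";"):
        name, sep, value = pair.partition("=")
        if sep:
            cookies[name.strip()] = unquote(value.strip())
    return unquote(url.path), variables, cookies

def learn(policy, req):
    """Learning Mode: extend the White List (path -> methods, variable max lengths, cookie names)."""
    path, variables, cookies = split_request(req)
    rule = policy.setdefault(path, {"methods": set(), "variables": {}, "cookies": set()})
    rule["methods"].add(req.method)
    for name, value in variables.items():
        rule["variables"][name] = max(rule["variables"].get(name, 0), len(value))
    rule["cookies"] |= set(cookies)

def white_list_violations(policy, req):
    """Everything not expressly authorized by the security policy is a violation."""
    path, variables, cookies = split_request(req)
    found = ["URL length"] if len(req.target) > MAX_URL_LENGTH else []
    rule = policy.get(path)
    if rule is None:
        return found + ["URL not authorized: " + path]
    if req.method not in rule["methods"]:
        found.append("method not authorized for " + path)
    for name, value in variables.items():
        if name not in rule["variables"]:
            found.append("unknown variable " + name)
        elif len(value) > rule["variables"][name]:
            found.append("variable too long: " + name)
    return found + ["unknown cookie " + c for c in sorted(set(cookies) - rule["cookies"])]

def black_list_hits(req):
    """Black List: signature matching over the decoded path, variable values and cookie values."""
    path, variables, cookies = split_request(req)
    text = "\n".join([path, *variables.values(), *cookies.values()])
    return [name for name, pat in BLACK_LIST.items() if pat.search(text)]

def inspect(raw, policy, mode):
    """RFC check -> White List -> Black List. Returns (verdict, reasons to log or alert on)."""
    if mode == "bypass":                                   # Bypass Mode: open network traffic
        return "FORWARD", []
    try:
        req = rfc_conformity_check(raw)
    except ValueError as err:
        return "REJECT", ["RFC conformity: " + str(err)]
    if mode == "learning":                                 # Learning Mode: generate the White List
        learn(policy, req)
        return "FORWARD", []
    reasons = ["White List: " + v for v in white_list_violations(policy, req)]
    reasons += ["Black List: " + h for h in black_list_hits(req)]
    # Tracking Mode forwards and only logs what Protected Mode rejects.
    return ("FORWARD" if not reasons or mode == "tracking" else "REJECT"), reasons

# Constructed sample traffic, assumed legitimate, from which the White List is generated.
LEGITIMATE_TRAFFIC = [
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "GET /search.cgi?q=realsentry&page=1 HTTP/1.1\r\nHost: www.example.com\r\nCookie: session=abc123\r\n\r\n",
    "POST /login.cgi?lang=fr HTTP/1.1\r\nHost: www.example.com\r\nCookie: session=abc123\r\n\r\n",
]

def learned_policy():
    policy = {}
    for raw in LEGITIMATE_TRAFFIC:
        inspect(raw, policy, "learning")
    return policy
```

Running the same request through Tracking Mode and Protected Mode returns the same reason list; only the verdict changes, which is what lets an administrator review the White List against live traffic before switching to Protected Mode. Note the order of the stages: a request that fails the RFC conformity check is rejected before any policy is consulted, and a request that the White List authorizes is still matched against the Black List, so a learned variable whose maximum length happens to accommodate an injection string is caught by the second stage.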
Case Studies
- Case Study 1: RealSentry SSL protects Intranet Web Servers
- Case Study 2: RealSentry dedicated for hosting in ISP architecture
- Case Study 3: RealSentry mutualized for hosting in ISP architecture
- Case Study 4: DMZ protection with non-transparent mode
- Case Study 5: DMZ protection with stealth mode
- Case Study 6: Multiple DMZ protection with non-transparent mode
- Case Study 7: Multiple DMZ protection with stealth mode

CS1: Intranet Web Servers Protection
Before: critical web-based intranet applications reached directly from the private network
After: RealSentry (stealth mode, firewall mode, full White List, SSL acceleration) between the private network and the critical web-based intranet applications
Customer benefits:
- Forward only HTTP(S) packets to the Web server (firewall mode)
- Protect the Web server against known or unknown HTTP attacks
- Non-restrictive SSL usage without the need to upgrade server hardware
- Installation without any network modification
- Native simple fault tolerance by electronic bypass

CS2: RealSentry dedicated for ISP
[diagram: Internet, RealSentry, DMZ with the secure Web Server next to the other Web Servers]

CS3: RealSentry mutualized for ISP
[diagram: Internet, RealSentry, DMZ with the secure Web Servers next to the other Web Servers]

CS4: Non-transparent mode
[diagram: Internet, RealSentry, DMZ with secure Web Servers]

CS5: Stealth mode
[diagram: Internet, RealSentry, DMZ with secure Web Servers]

CS6: Multiple DMZs, non-transparent
[diagram: Internet, RealSentry, secure Web Servers in DMZ 1 and DMZ 2]

CS7: Multiple DMZs, stealth mode
[diagram: Internet, RealSentry, secure Web Servers in DMZ 1 and DMZ 2]

Thank you for your attention
Boris MOTYLEWSKI, e-mail: bm@axiliance.com
AXILIANCE S.A.
Public limited company with a capital of 120 000 Euros
Registered office: Montpellier - FRANCE
TEL: +33 (0)4 67 79 79 31
FAX: +33 (0)4 67 79 79 32
WEB: http://www.axiliance.com
MAIL: info@axiliance.com