Web Application Security
Radovan Gibala, Senior Field Systems Engineer, F5 Networks
r.gibala@f5.com

Security's Gaping Hole
"64% of the 10 million security incidents tracked targeted port 80." (Information Week)
F5 Networks, Inc 2

Web Application Security
Perimeter security is strong, but it is open to web traffic (port 80, port 443).
Attacks now look to exploit application vulnerabilities:
- Buffer overflow
- Cross-site scripting
- SQL/OS injection
- Cookie poisoning
- Hidden-field manipulation
- Parameter tampering
What is reached: forced access to information, non-compliant information, infrastructural intelligence.
High information density = high value attack.
Web Application Security
Who is responsible for application security?
- Web developers?
- Network security?
- Engineering services?
- DBA?

Web Application Protection Strategy
Best practice design methods:
- Only protects against known vulnerabilities
- Difficult to enforce, especially with sub-contracted code
Automated and targeted testing of web apps:
- Done periodically; only as good as the last test
- Only checks for known vulnerabilities
- Only periodically updated; large exposure window
- Does it find everything?
Web application firewall:
- Real-time 24 x 7 protection
- Enforces best practice methodology
- Allows immediate protection against new vulnerabilities
Web Application Firewall
Common attacks on web applications
BIG-IP ASM delivers comprehensive protection against critical web attacks:
- OWASP top 10
- CSRF
- Cookie manipulation
- Brute force attacks
- Forceful browsing
- Buffer overflows
- Web scraping
- Parameter tampering
- SQL injection
- Information leakage
- Field manipulation
- Session hijacking
- Cross-site scripting
- Zero-day attacks
- Command injection
- Clickjacking
- Bots
- Business logic flaws

Traditional Security Devices vs. WAF
Attack categories compared: known web worms, unknown web worms, known web vulnerabilities, unknown web vulnerabilities, illegal access to web-server files, forceful browsing, file/directory enumeration, buffer overflow, cross-site scripting, SQL/OS injection, cookie poisoning, hidden-field manipulation, parameter tampering, layer 7 DoS attacks, brute force login attacks.
Devices compared: network firewall, IPS, WAF (application security and acceleration).
In the original matrix the network firewall and IPS columns carry only "Limited" or "Partial" marks against a subset of these categories; the cell-by-cell assignment is not recoverable from this text.
Full Proxy Security
Full-proxy architecture
Client-side and server-side protocol stacks, with iRules available at each layer:
- TCP layer (network firewall): SYN flood, ICMP flood
- SSL layer: SSL renegotiation
- HTTP layer (WAF): Slowloris attack, data leakage

F5 provides comprehensive application security
- Virtual patching
- Network DDoS protection
- Web application firewall
- Network access
- DNS DDoS protection
- Application access
- Network firewall
- SSL DDoS protection
- Application DDoS protection
- Fraud protection
Application Security Manager
BIG-IP Application Security Manager
- Provides transparent protection from ever-changing threats
- Ensures application availability while under attack
- Deployed as a full proxy or transparent full proxy (bridge mode)
- Minimal impact on application performance
- Turned on with a license key, or standalone
- Caching, compression and SSL acceleration included in standalone
Request flow: request made -> BIG-IP ASM security policy checked -> server response generated -> BIG-IP ASM security policy checked -> secure response delivered.
Dynamic multi-layered security (BIG-IP Local Traffic Manager + BIG-IP Application Security Manager in front of the vulnerable application):
- BIG-IP ASM applies the security policy: drop, block or forward the request
- Response inspection for errors and leakage of sensitive information
- Application attack filtering and inspection
- SSL, TCP and HTTP DoS mitigation

BIG-IP Application Security Manager
BIG-IP ASM protects the applications your business relies on most and scales to meet changing demands.
Comprehensive protections:
- Protection against web app vulnerabilities, including L7 DDoS
- Advanced anti-bot mitigation
- Integrated XML firewall
Multiple deployment options:
- Standalone or ADC add-on
- Appliance or virtual edition
- Manual or automatic policy building
- 3rd party DAST integration
Visibility and analysis:
- High speed customizable syslog
- Granular attack details
- Expert attack tracking and profiling
- Policy and compliance reporting
- Integrates with SIEM software
- Full HTTP/S request logging
ASM Comprehensive Protection
Comprehensive Protections
BIG-IP ASM extends protection to more than application vulnerabilities:
- L7 DDoS
- XML firewall: XML filtering, validation and mitigation
- Web scraping
- Geolocation blocking
- Web bot identification
- ICAP anti-virus integration

Fraud Protection
Stages of a user session: site visit, site log in, user navigation, transactions, transaction execution.
Protections: device fingerprinting, geo-location, brute force detection, behavioral analysis, behavioral and click analysis, abnormal money movement analysis, customer fraud alerts.
Threats addressed: phishing, credential grabbing, malware injections, PII and CC grabbing, automatic transactions.
Building The Security Policy
Different ways to build a policy
Dynamic policy builder:
- Automatic: no knowledge of the app required; adjusts policies if the app changes
- Manual: advanced configuration for custom policies
Integration with app scanners:
- Virtual patching with continuous application scanning
Pre-built policies:
- Out-of-the-box, pre-configured and validated
- For mission-critical apps including Microsoft, Oracle, PeopleSoft

Identify, virtually patch, mitigate vulnerabilities
1. Scan the application with a web application security scanner (Generic scanner, Qualys, IBM, WhiteHat, Cenzic, HP WI)
2. Import vulnerabilities into BIG-IP ASM
3. Mitigate web app attacks
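To make the two policy-building approaches above concrete, the following added Python example (not BIG-IP ASM code, and not from this presentation) sketches a toy positive-security policy: an allow-list learned from observed traffic, as a dynamic policy builder would do, plus one scanner-derived rule acting as a virtual patch. The learning traffic, the scanner finding and the policy format are all constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed learning traffic: requests observed from trusted clients
# while the policy builder is in learning mode.
LEARNING_TRAFFIC = [
    "GET /login?user=alice",
    "POST /login?user=bob&pw=hunter2",
    "GET /account?id=1042",
    "GET /account?id=77",
]

# Constructed (hypothetical) scanner finding imported as a virtual patch: the
# 'id' parameter of /account is restricted to digits until the code is fixed.
VIRTUAL_PATCHES = {("/account", "id"): r"^[0-9]+$"}


def learn_policy(traffic):
    """Derive a positive-security policy: allowed methods per URL and, per
    parameter, the longest value seen, which becomes the length ceiling."""
    policy = {}
    for line in traffic:
        method, target = line.split(" ", 1)
        parts = urlsplit(target)
        entry = policy.setdefault(parts.path, {"methods": set(), "params": {}})
        entry["methods"].add(method)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            entry["params"][name] = max(entry["params"].get(name, 0), len(value))
    return policy


def check_request(policy, patches, line):
    """Return the list of violations for one request; empty means it conforms."""
    method, target = line.split(" ", 1)
    parts = urlsplit(target)
    entry = policy.get(parts.path)
    if entry is None:
        return ["illegal_url"]          # URL never seen during learning
    violations = []
    if method not in entry["methods"]:
        violations.append("illegal_method")
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name not in entry["params"]:
            violations.append("illegal_parameter:" + name)
            continue
        if len(value) > entry["params"][name]:
            violations.append("parameter_too_long:" + name)
        pattern = patches.get((parts.path, name))
        if pattern and not re.fullmatch(pattern, value):
            violations.append("virtual_patch:" + name)  # scanner-derived rule
    return violations
```

A request that conforms to the learned allow-list can still be blocked by the virtual patch, which is the point of importing scanner findings before the application itself is fixed.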
Reporting
Detailed logging with actionable reports
- At-a-glance PCI compliance reports
- Drill-down for information on security posture

Enhanced visibility and analysis
Statistics collected: URLs, server/client latency, throughput, response codes, methods, client IPs and geos, user agents, user sessions.
Views: virtual server, pool member, response codes, URLs and HTTP methods.
Application analytics for assured availability:
- ASM logs provide deeper intelligence grouped by application and user
- Rules can be applied based on user behavior
- Latency monitoring provides business intelligence/capacity planning, troubleshooting and performance tuning, and anomalous behavior detection