F5 Web Application Security
Radovan Gibala, Senior Solutions Architect, r.gibala@f5.com, +420 731 137 223
2011

Security's Gaping Hole
64% of the 10 million security incidents tracked targeted port 80. (Information Week)
Web Application Security
Perimeter security is strong, but port 80 and port 443 are open to web traffic. Attacks now look to exploit application vulnerabilities: high information density = high value attack.
Attack types: Buffer Overflow, Cross-Site Scripting, SQL/OS Injection, Cookie Poisoning, Hidden-Field Manipulation, Parameter Tampering
Consequences: Noncompliant Information, Forced Access to Information, Infrastructural Intelligence
Why Are Web Applications Vulnerable?
- New code written to best-practice methodology, but not tested properly
- New type of attack not protected by the current methodology
- New code written in a hurry due to business pressures
- Code written by third parties: badly documented, poorly tested, third party not available
- Flaws in third-party infrastructure elements
- Session-less web applications written with a client-server mentality

Who Is Responsible for Application Security?
Web developers? Network security? Engineering services? DBA?
Traditional Alternative: Rely Exclusively on the Developer
Everything is expected from the developer: application logic, application patching, application optimization, application security, application scalability, application integration, application availability, application performance.
Web Application Protection Strategy
- Best Practice Design Methods: only protects against known vulnerabilities; difficult to enforce, especially with subcontracted code
- Automated & Targeted Testing: done periodically, so only as good as the last test; only periodic updates, large exposure window; only checks for known vulnerabilities. Does it find everything?
Challenges of Traditional Solutions
- HTTP attacks are valid requests
- HTTP is stateless, the application is stateful
- Web applications are unique: there are no signatures for YOUR web application
- Good protection has to inspect the response as well
- Encrypted traffic facilitates attacks
- Organizations are living in the dark: they lack tools to expose, log and report HTTP attacks

Traditional Scan-and-Fix and Audits
Scan and fix:
- Scanners can't find all vulnerabilities
- Scanners can't reverse engineer the code
- Scanners can't find business logic vulnerabilities
- When something is detected, it requires an immediate code change
- Not a proactive solution
Security code audits:
- Extremely expensive ($25,000 for a small to medium app)
- Requires preparation and availability of the dev team
- Requires iterations of audit and fix
- Each fix may add more bugs to the current application or may add another vulnerability
We only protect from what we know; we never protect from what we don't know.
Web Application Protection Strategy
- Best Practice Design Methods: only protects against known vulnerabilities; difficult to enforce, especially with subcontracted code
- Automated & Targeted Testing: done periodically, so only as good as the last test; only periodic updates, large exposure window; only checks for known vulnerabilities. Does it find everything?
- Web Application Firewall: real-time 24 x 7 protection; enforces best-practice methodology; allows immediate protection against new vulnerabilities
OWASP Top 10 / January 2007
- A1 Cross Site Scripting (XSS): XSS flaws occur whenever an application takes user-supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser, which can hijack user sessions, deface web sites, etc.
- A2 Injection Flaws: Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.
- A3 Insecure Remote File Include: Code vulnerable to remote file inclusion allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise.
- A4 Insecure Direct Object Reference: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.
- A5 Cross Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker.
- A6 Information Leakage and Improper Error Handling: Applications can unintentionally leak information about their configuration or internal workings, or violate privacy, through a variety of application problems. Attackers use this weakness to violate privacy or conduct further attacks.
- A7 Broken Authentication and Session Management: Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users' identities.
- A8 Insecure Cryptographic Storage: Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud.
- A9 Insecure Communications: Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.
- A10 Failure to Restrict URL Access: Frequently, the only protection for sensitive areas of an application is that links or URLs are not presented to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations.
Traditional Security Devices vs. WAF

Threat                               Network Firewall   IPS        ASM (App. Security and Acceleration)
Known Web Worms                      Limited            Limited
Unknown Web Worms                    X                  Partial
Known Web Vulnerabilities            Limited            Limited
Unknown Web Vulnerabilities          X                  X
Illegal Access to Web-server files   Limited            X
Forceful Browsing                    X                  Limited
File/Directory Enumerations          X                  Limited
Buffer Overflow                      Limited            Limited
Cross-Site Scripting                 Limited            Limited
SQL/OS Injection                     X                  X
Cookie Poisoning                     X                  X
Hidden-Field Manipulation            X                  X
Parameter Tampering                  X                  X
Layer 7 DoS Attacks                  X                  X
Brute Force Login Attacks            X                  X
Application Security Lacks Test... or: The Point of Truth
Simple version: does your WAF discover that the price of an item in an online shop was changed?

Support of dynamic values

Application Security Lacks Test... or: The Point of Truth (continued)
Technical version: the OWASP Top Ten (http://www.owasp.org/index.php/owasp_top_ten_project)
1. Unvalidated Input
2. Broken Access Control
3. Broken Authentication and Session Management
4. Cross Site Scripting
5. Buffer Overflow
6. Injection Flaws
7. Improper Error Handling
8. Insecure Storage
9. Application Denial of Service
10. Insecure Configuration Management
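The "point of truth" test above (a changed item price) and the "support of dynamic values" slide describe response-side learning of server-issued values followed by request-side enforcement. The following Python example is added here to show that mechanism concretely; it is not F5's code or ASM's implementation. The checkout page, session ids and field names are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs


class HiddenFieldExtractor(HTMLParser):
    """Collect the hidden <input> fields of every <form> in a server response."""

    def __init__(self):
        super().__init__()
        self.forms = {}        # form action -> {field name: value issued by the server}
        self._action = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._action = a.get("action", "")
            self.forms.setdefault(self._action, {})
        elif tag == "input" and a.get("type") == "hidden" and self._action is not None:
            self.forms[self._action][a.get("name", "")] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._action = None


class DynamicValueGuard:
    """Remembers, per session and form, the hidden values the server issued,
    and flags submissions in which the client changed or dropped one of them."""

    def __init__(self):
        self.expected = {}     # (session id, form action) -> {field name: value}

    def observe_response(self, session_id, html):
        # Response-side inspection: learn the values the application handed out.
        extractor = HiddenFieldExtractor()
        extractor.feed(html)
        for action, fields in extractor.forms.items():
            self.expected[(session_id, action)] = fields

    def check_request(self, session_id, path, body):
        # Request-side enforcement: every issued hidden value must come back unchanged.
        submitted = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
        issued = self.expected.get((session_id, path))
        if issued is None:
            return [f"no form for {path} was issued to session {session_id}"]
        violations = []
        for name, value in issued.items():
            if name not in submitted:
                violations.append(f"dynamic parameter {name} missing")
            elif submitted[name] != value:
                violations.append(
                    f"dynamic parameter {name} changed: issued {value!r}, received {submitted[name]!r}")
        return violations


# Constructed sample: the checkout page a shop sends to session "s1" (hypothetical shop).
CHECKOUT_PAGE = """
<html><body>
<form action="/checkout" method="post">
  <input type="hidden" name="item_id" value="1234">
  <input type="hidden" name="price" value="49.90">
  <input type="text" name="qty" value="1">
  <input type="submit" value="Buy">
</form>
</body></html>
"""


def demo():
    guard = DynamicValueGuard()
    guard.observe_response("s1", CHECKOUT_PAGE)
    honest = guard.check_request("s1", "/checkout", "item_id=1234&price=49.90&qty=2")
    tampered = guard.check_request("s1", "/checkout", "item_id=1234&price=0.01&qty=2")
    return honest, tampered


if __name__ == "__main__":
    print(demo())
```

Only server-issued hidden values are policed here; user-entered fields such as the quantity are the job of the per-parameter positive policy (length, character set, allowed values). Note that the guard keys on the session, so a value learned for one session does not satisfy another.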
Traditional Security Doesn't Protect Web Applications: looking at the wrong thing in the wrong place

Threat                               Application Firewall   Network Firewall   IPS
Known Web Worms                                             Present            Present
Unknown Web Worms                                           Present            Present
Known Web Vulnerabilities                                   Present            Present
Unknown Web Vulnerabilities                                 Present            Present
Illegal Access to Web-server files                          Present            Present
Forceful Browsing                                           Present            Present
File/Directory Enumerations                                 Present            Present
Buffer Overflow                                             Present            Present
Cross-Site Scripting                                        Present            Present
SQL/OS Injection                                            Present            Present
Cookie Poisoning                                            X                  X
Hidden-Field Manipulation                                   X                  X
Parameter Tampering                                         X                  X
Negative vs. Positive Security Model
Negative security model:
- Block known attacks; everything else is allowed
- Patch implementation is quick and easy (protection against day-zero attacks)
Positive security model:
- (Automatic) analysis of the web application
- Allow wanted transactions; everything else is denied
- Implicit security against new, yet unknown attacks (day-zero attacks)
Application Security with a WAF
The WAF stops bad requests (unauthorised access, noncompliant information, infrastructural intelligence) and allows legitimate requests from the browser.
- Bi-directional: inbound, protection from generalised and targeted attacks; outbound, content scrubbing and application cloaking
- Application content and context aware
- High performance, low latency, high availability, high security
- Policy-based full proxy with deep inspection and Java support
- Positive security augmenting negative security
- Central point of application security enforcement

Application Security with a WAF
Intelligent decisions: allow only good application behaviour (positive security), based on a definition of good and bad behaviour.
Selective Application Flow Enforcement
- Page reached out of sequence: ALLOWED. Should this be a violation? The user may have bookmarked the page. Unnecessarily enforcing flow can lead to false positives.
- Login form (username, password) and transfer form (from account, to account, amount) reached out of sequence: VIOLATION. This part of the site is a financial transaction that requires authentication; we should enforce strict flow and parameter validation.
Flexible Deployment Options
Tighter security posture, from the loosest level upwards: object types, object names (typical standard starting point), parameter names, parameter values, object flows.
How Does It Work?
Request made, security policy checked, enforcement (security policy applied), server response, content scrubbing and application cloaking, response delivered. Security at application, protocol and network level.
"BIG-IP enabled us to improve security instead of having to invest time and money to develop a new, more secure application." (TechValidate 0C0-126-2FB, Application Manager, Global 5000 Media and Entertainment Company)
Multiple Security Layers
- RFC enforcement
- Enforcement of various HTTP limits
- Profiling of good traffic: defined list of allowed file types, URIs, parameters
- Each parameter is evaluated separately for: pre-defined value, length, character set, attack patterns
- Attack patterns are looked for by pattern matching against signatures
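The negative-vs-positive slide and the per-parameter checks listed here are easiest to compare side by side. The following Python example is added for that purpose; it is not ASM's policy engine or F5's signature set. The policy for /login and /transfer, the two attack signatures and the sample requests are all constructed for the example, and the point it makes is the one the slides make: the signature layer sees only what it has a pattern for, while the positive layer denies anything the policy does not describe (an unknown parameter, a wrong character set, a value outside the allowed list).

```python
import re

# Negative security model: a deliberately small, constructed signature list
# (not ASM's signature set). Anything it does not match is allowed.
ATTACK_SIGNATURES = {
    "sql_injection": re.compile(r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+|union\s+select|--\s*$", re.I),
    "xss": re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I),
}

# Positive security model: a constructed per-URL, per-parameter policy.
# Anything the policy does not describe is denied.
POLICY = {
    "/login": {
        "username": {"max_len": 32, "charset": re.compile(r"^[A-Za-z0-9._@-]*$")},
        "password": {"max_len": 128, "charset": re.compile(r"^[^\x00-\x1f]*$")},
    },
    "/transfer": {
        "from_acc": {"max_len": 12, "charset": re.compile(r"^\d+$")},
        "to_acc": {"max_len": 12, "charset": re.compile(r"^\d+$")},
        "amount": {"max_len": 10, "charset": re.compile(r"^\d+(\.\d{1,2})?$")},
        "currency": {"values": {"EUR", "CZK", "USD"}},
    },
}


def negative_check(params):
    """Signature matching over every parameter value."""
    hits = []
    for name, value in params.items():
        for sig_name, pattern in ATTACK_SIGNATURES.items():
            if pattern.search(value):
                hits.append(f"{name}: matches {sig_name} signature")
    return hits


def positive_check(path, params):
    """Per-parameter evaluation: known URL, known name, length, character set, allowed values."""
    rules = POLICY.get(path)
    if rules is None:
        return [f"{path}: URL not in policy"]
    violations = []
    for name, value in params.items():
        rule = rules.get(name)
        if rule is None:
            violations.append(f"{name}: parameter not in policy for {path}")
            continue
        if "max_len" in rule and len(value) > rule["max_len"]:
            violations.append(f"{name}: length {len(value)} exceeds {rule['max_len']}")
        if "charset" in rule and not rule["charset"].match(value):
            violations.append(f"{name}: illegal character set")
        if "values" in rule and value not in rule["values"]:
            violations.append(f"{name}: value {value!r} not in allowed list")
    return violations


def evaluate(path, params):
    """Apply both layers; a request passes only if neither layer reports a violation."""
    result = {"negative": negative_check(params), "positive": positive_check(path, params)}
    result["allowed"] = not (result["negative"] or result["positive"])
    return result


if __name__ == "__main__":
    samples = [
        ("/transfer", {"from_acc": "1001", "to_acc": "2002", "amount": "250.00", "currency": "EUR"}),
        ("/transfer", {"from_acc": "1001", "to_acc": "2002", "amount": "250.00", "currency": "EUR", "debug": "1"}),
        ("/login", {"username": "admin' or '1'='1", "password": "x"}),
    ]
    for path, params in samples:
        print(path, evaluate(path, params))
```

The second sample request is the instructive one: it carries an extra parameter no signature will ever match, so the negative layer reports nothing, while the positive layer rejects it because the policy for /transfer never defined it. The third shows both layers agreeing on a classic injection string, the positive layer simply because an apostrophe is outside the username character set.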
Flexible Policy Granularity
Generic policies (policy per object type):
- Low number of policies
- Quick to implement
- Requires little change management
- Can't take application flow into account
Specific policies (policy per object):
- High number of policies
- More time to implement
- Requires a change management policy
- Can enforce application flow
- Tightest possible security
- Protects dynamic values
The optimum policy is often a hybrid.

Flexible Deployment Options
Tighter security posture, from the loosest level upwards: object types, object names (typical standard starting point), parameter names, parameter values, object flows.
Policy-building tools that generate policy tightening suggestions: trusted IP learning, live traffic learning, crawler, negative RegEx template.

Deployment without False Positives
- Easy web application implementation
- Rapid deployment policy
- Pre-configured application policies
- Learning mode
- Gradual deployment: transparent / semi-transparent / full blocking
Layer 7 DoS/DDoS
- DoS/DDoS attacks are on the increase
- The widespread presence of malware provides many more tools and means to execute these attacks via botnets
- Dangers of DoS: service availability, resource cost optimization, stability of the security state
- Two main scenarios: the network pipe is saturated, or server resources are saturated
- An ideal solution stops the malicious traffic, allowing legitimate end users to get service. Automatically!

Layer 7 DoS and Brute Force
- Unique attack detection and protection
- Unwanted clients are remediated and desired clients are serviced
- Improved application availability
- Focus on higher-value productivity while automatic controls intervene

Hacking Automation
- Attackers are using commercial scanners to find vulnerabilities
- Automated attack bots/worms randomly scan the internet for vulnerabilities and exploit them
- What is probably the most difficult bot activity to detect? Web scraping: stealing IP content from a website, harvesting its database
Web Scraping: A Real Problem (automated scanner and bot programs)
Scenario: remote users and an automated scraper reach the Dublin and Frankfurt datacenters (web tier, Domino, ADC, network, IT staff). The scraper copies a public page or requests private data behind the login page, mixed in with legitimate user traffic.
Problem:
- The entire web site is being scraped of valuable IP information
- Scrapers fail to provide the company's terms and updates
- Sites copying content end up ranking above the company's for keywords
- Need logging and reporting on web scraping

Airline Inventory Vulnerable to Web Scraping
- Ryanair forbids screen-scraping as commercial use. Major business problem.
- Unister online travel site: Duesseldorf to London, Ryanair 93.25 euros vs. Unister 111.86 euros, a 20% increase in price
- easyJet warns Expedia: "Hands off our flights". Tried to block the IP address, but Expedia uses millions of IP addresses
- Alternatives: litigation and legal letters. Ryanair sent cease-and-desist letters to 300 sites; Ryanair wins injunction against Vtours GmbH

Protection from Web Scraping
Scenario: legitimate users see data while scrapers are remediated. BIG-IP 8900 LTM/ASM and BIG-IP 6900 LTM/ASM in the Dublin and Frankfurt datacenters detect requests, determine that the web site is being scraped, and provide comprehensive reporting on scraping attacks.
Solution:
- Protects valuable intellectual property
- Prices are controlled and users see airline-approved inventory
- Integrated scrape reporting for PCI compliance
- Avoids litigation, drastically reducing legal costs
Control over Bots and Scanners: Protection from Web Scraping
- Design rate shaping and request intervals before blocking
- Add IP addresses to a whitelist for allowable scrapers
OWASP Top 5: CSRF Attack
What is a Cross Site Request Forgery (CSRF) attack? In a CSRF attack a hacker forces the browser to send a stealthy, valid request, which the attacker created, to a website in which the victim has a session.
What are the dangers?
- Attackers can execute full transactions (finance fraud, DoS, anything)
- Hard for victims to prove that they didn't commit the transactions
- Hard to trace the origin

OWASP Top 5: CSRF Attack Example
(Diagram: encrypted, trusted session between the user's browser and a trusted site; the action is triggered from elsewhere.)
1. Mobile user logs in to a trusted site
2. Session is authenticated
3. User opens a new tab, e.g. chat
4. Hacker embeds a request in the chat
5. The trusted link asks the browser to send a request to the hacked site

ASM: Attack Protection from Rogue Users
Only vendor with checkbox functionality for easy protection of all URLs in an approved URL list.
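The CSRF slides describe the attack and the product's per-URL protection switch without showing what the protection does to the traffic. The following Python example is added to illustrate the usual defence for a list of protected URLs: a per-session token is injected into forms on the way out and required on state-changing requests on the way back. It is not ASM's mechanism or F5's code; the secret, the protected URL list, the session ids and the form are constructed for the example.

```python
import hmac
import hashlib
import re

STATE_CHANGING = {"POST", "PUT", "DELETE"}


class CsrfGuard:
    """Token-based CSRF protection for an approved URL list.

    The token is an HMAC of the session id under a secret only the guard holds,
    so a page served from another origin cannot compute it. The guard injects
    the token into forms on the way out and requires it on the way back in
    for every protected URL."""

    FIELD = "csrf_token"

    def __init__(self, secret, protected_urls):
        self.secret = secret
        self.protected_urls = set(protected_urls)

    def token_for(self, session_id):
        return hmac.new(self.secret, session_id.encode(), hashlib.sha256).hexdigest()

    def inject(self, html, session_id):
        """Response side: add the hidden token field right after every <form ...> tag."""
        field = f'<input type="hidden" name="{self.FIELD}" value="{self.token_for(session_id)}">'
        return re.sub(r"(<form\b[^>]*>)", lambda m: m.group(1) + field, html, flags=re.I)

    def check_request(self, method, path, session_id, form):
        """Request side: True if the request may pass, False if it must be blocked."""
        if path not in self.protected_urls or method.upper() not in STATE_CHANGING:
            return True
        presented = form.get(self.FIELD, "")
        # Constant-time comparison so the token cannot be guessed byte by byte.
        return hmac.compare_digest(presented, self.token_for(session_id))


def demo():
    # Constructed secret and URL list; a real deployment keeps the secret out of source.
    guard = CsrfGuard(b"constructed-demo-secret", protected_urls={"/transfer", "/change-email"})
    page = guard.inject('<form action="/transfer" method="post"></form>', session_id="sess-42")
    token = re.search(r'name="csrf_token" value="([0-9a-f]+)"', page).group(1)
    return {
        # Form submitted from the page the site served: carries the right token.
        "legit": guard.check_request("POST", "/transfer", "sess-42", {"amount": "100", "csrf_token": token}),
        # Request the browser was made to send from another tab: no token.
        "forged": guard.check_request("POST", "/transfer", "sess-42", {"amount": "100"}),
        # Token issued to one session does not work for another.
        "other_session": guard.check_request("POST", "/transfer", "sess-43", {"csrf_token": token}),
        # Reads and unprotected URLs are not gated by the token.
        "read_only": guard.check_request("GET", "/transfer", "sess-42", {}),
        "unprotected": guard.check_request("POST", "/search", "sess-42", {"q": "x"}),
    }


if __name__ == "__main__":
    print(demo())
```

The approved URL list is what keeps the false-positive rate down: only the transactions that change state need the token, so bookmarked or deep-linked GET requests keep working, which is the same trade-off the "Selective Application Flow Enforcement" slide makes.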
ASM: ICAP Support
- Extract every file upload and send it to antivirus scanning over the Internet Content Adaptation Protocol (ICAP)
- Every file upload within a multipart request is sent
Web Services: Encryption and Digital Signature Support
- ASM can cover a basic use case of message-level encryption
- The WS-Security standard was implemented*
Limitations:
- The encryption card isn't being used
- Requires the user to manage certificates in both ASM and LTM
- Authentication not included

XML Firewall
- Well-formedness validation
- Schema/WSDL validation
- Method selection
- Attack signatures for XML platforms
- Backend parser protection
- XML islands application protection
- Full request logging
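Four of the XML firewall checks listed above (well-formedness, method selection, backend parser protection and a size/depth limit) can be shown in a few lines. The following Python example is added for that; it is not ASM's XML engine and does no schema/WSDL validation (that needs a schema validator the standard library lacks). The allowed method list, the SOAP requests and the limits are constructed for the example.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ALLOWED_METHODS = {"GetQuote", "ListFlights"}   # constructed allow-list (method selection)
MAX_BYTES = 64 * 1024                            # constructed request size limit
MAX_DEPTH = 16                                   # constructed nesting limit


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def _depth(elem, level=1):
    return max([level] + [_depth(child, level + 1) for child in elem])


def inspect_soap_request(document):
    """Return the list of violations for one XML request body (empty = pass)."""
    if len(document.encode("utf-8")) > MAX_BYTES:
        return ["request exceeds size limit"]
    # Backend parser protection: refuse any DTD, so entity expansion and
    # external entity tricks never reach the application's own parser.
    if "<!DOCTYPE" in document or "<!ENTITY" in document:
        return ["DTD/entity declaration not allowed"]
    try:
        root = ET.fromstring(document)          # well-formedness validation
    except ET.ParseError as exc:
        return [f"not well-formed: {exc}"]
    violations = []
    if _depth(root) > MAX_DEPTH:
        violations.append("nesting depth exceeds limit")
    body = root.find(f"{{{SOAP_NS}}}Body")
    if root.tag != f"{{{SOAP_NS}}}Envelope" or body is None:
        violations.append("not a SOAP envelope with a Body")
        return violations
    methods = [_local(child.tag) for child in body]
    if len(methods) != 1:
        violations.append(f"expected exactly one method element, found {len(methods)}")
    for method in methods:
        if method not in ALLOWED_METHODS:
            violations.append(f"method {method} not in allowed list")
    return violations


# Constructed sample requests.
GOOD_REQUEST = (
    f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
    '<GetQuote xmlns="urn:demo"><symbol>F5</symbol></GetQuote>'
    '</soap:Body></soap:Envelope>'
)
UNKNOWN_METHOD = (
    f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
    '<DeleteAccount xmlns="urn:demo"><id>7</id></DeleteAccount>'
    '</soap:Body></soap:Envelope>'
)
ENTITY_REQUEST = (
    '<?xml version="1.0"?><!DOCTYPE x [<!ENTITY a "aaaa">]>'
    f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body><GetQuote>&a;</GetQuote></soap:Body></soap:Envelope>'
)
DEEP_REQUEST = (
    f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body><GetQuote>'
    + "<a>" * 20 + "</a>" * 20 + "</GetQuote></soap:Body></soap:Envelope>"
)

if __name__ == "__main__":
    for name, doc in [("good", GOOD_REQUEST), ("unknown", UNKNOWN_METHOD),
                      ("entity", ENTITY_REQUEST), ("deep", DEEP_REQUEST),
                      ("truncated", GOOD_REQUEST[:-10])]:
        print(name, inspect_soap_request(doc))
```

The order of the checks matters: size and DTD rejection happen on the raw text before anything is parsed, so the firewall's own parser is never handed the input it is meant to protect the backend from.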
IP Penalties: IP Penalty Enforcer
- Regular and repeatable attacks from reported IPs are mitigated
- A policy in ASM allows only a designated number of blocked violations per minute
- Upon reaching the threshold, the IP session is blocked
- Tighter security coverage for IP violators
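The IP penalty enforcer above (a violations-per-minute threshold followed by a block) and the scraper controls on the "Control over Bots and Scanners" slide (rate shaping with a whitelist for approved scrapers) are the same sliding-window idea applied to two counters. The following Python example is added to show both in one class; it is not ASM's implementation. The thresholds, block duration, IP addresses and timestamps are constructed for the example, and the clock is passed in explicitly so the behaviour is reproducible.

```python
import time
from collections import defaultdict, deque


class IpPenaltyEnforcer:
    """Per-source-IP sliding-window counters with a temporary block.

    record_violation() implements the violations-per-window threshold;
    allow_request() implements request-rate shaping. Both put the IP on the
    block list for block_seconds unless it is whitelisted."""

    def __init__(self, max_violations, window_seconds=60, block_seconds=600,
                 max_requests=None, whitelist=()):
        self.max_violations = max_violations
        self.window = window_seconds
        self.block_seconds = block_seconds
        self.max_requests = max_requests        # None disables rate shaping
        self.whitelist = set(whitelist)         # approved scanners/scrapers are never blocked
        self._violations = defaultdict(deque)   # ip -> timestamps inside the window
        self._requests = defaultdict(deque)
        self._blocked_until = {}                # ip -> time the block expires

    def _prune(self, timestamps, now):
        while timestamps and timestamps[0] <= now - self.window:
            timestamps.popleft()

    def is_blocked(self, ip, now=None):
        now = time.time() if now is None else now
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:                        # block has expired
            del self._blocked_until[ip]
            return False
        return True

    def _block(self, ip, now):
        if ip not in self.whitelist:
            self._blocked_until[ip] = now + self.block_seconds

    def record_violation(self, ip, now=None):
        """Count one policy violation; returns True if the IP is now blocked."""
        now = time.time() if now is None else now
        stamps = self._violations[ip]
        self._prune(stamps, now)
        stamps.append(now)
        if len(stamps) >= self.max_violations:
            self._block(ip, now)
        return self.is_blocked(ip, now)

    def allow_request(self, ip, now=None):
        """Rate shaping: False if the IP is blocked or exceeds its per-window request budget."""
        now = time.time() if now is None else now
        if self.is_blocked(ip, now):
            return False
        if self.max_requests is None or ip in self.whitelist:
            return True
        stamps = self._requests[ip]
        self._prune(stamps, now)
        stamps.append(now)
        if len(stamps) > self.max_requests:
            self._block(ip, now)
            return False
        return True


if __name__ == "__main__":
    # Constructed walk-through with documentation-range addresses.
    enforcer = IpPenaltyEnforcer(max_violations=3, max_requests=100, whitelist={"10.0.0.5"})
    t0 = 1000.0
    for i in range(3):
        print("violation", i + 1, "blocked:", enforcer.record_violation("198.51.100.7", t0 + i))
    print("request while blocked:", enforcer.allow_request("198.51.100.7", t0 + 5))
    print("request after block expiry:", enforcer.allow_request("198.51.100.7", t0 + 700))
```

A block that expires on its own is what makes this usable at a low threshold: a misbehaving client is held off for the penalty period and then gets a fresh window, so a single noisy scan does not turn into a permanent entry someone has to remember to remove.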
n-tier Web Application Layer

Secerno DataWall
- Real-time database activity monitoring and blocking
- Responds to each type of threat via logging, monitoring, alerting, blocking or substituting
- Enables rapid application development by reducing the need for intensive security code development
- Enforces a positive-security model: only approved behavior is allowed
- Zero false positives

The Integration: F5 ASM + Secerno DataWall
- Monitor and block traffic at the web and database layers
- Application sessions tracked from client to database and back
- When anomalies are detected by ASM, they are logged to both the ASM and Secerno DataWall logs
- ASM provides the user and web context of the attack to Secerno, enabling complete visibility of the attack from source IP address, through HTTP page and session, to SQL transaction
- Secerno can analyse the full SQL transaction to see if the query is out of policy, rather than just a fragment
- Ensures that administrators are always able to get consistent, correlated application monitoring data
- Web-tier attacks are blocked by ASM; undetected attacks that get to the database are blocked by Secerno DataWall
- Users who do not access the database via the web application (DBAs, consultants and operations staff) are still controlled by Secerno, whether the access is made over the network, a remote session, SSH or the keyboard

How the Integration Works
- Web traffic is secured with BIG-IP ASM, and database traffic with Secerno DataWall
- When a user logs into an application, BIG-IP passes their identity to Secerno DataWall
- If a SQL attack takes place, all context of the attack is sent to Secerno DataWall, and the user identity is associated with the attack in reports, based on the session and the ASM cookie
BIG-IP Protocol Security Module (PSM): Integrated Platform to Secure Application Traffic
- Protects HTTP(S), FTP and SMTP at BIG-IP system speeds
- Application security accessible for the network guy: application protocol, not application logic
- Fully configured after installation
- Easy introduction to application security; first step toward a true application firewall

Simplified Security - PSM
- HTTP: enforces mandatory headers, length checks, Data Guard, protocol anomaly exploits
- FTP: white-list of server commands, mitigates brute-force attacks, length checks, RFC compliance
- SMTP: mitigates directory harvesting, rate limits, anti-spam grey-listing, augments MSM L4 with L7
Stepping-Stone Security
BIG-IP LTM, BIG-IP PSM and BIG-IP ASM cover the stack from the data link, network and transport layers up through the application protocol to the application itself.

Only Completely Integrated Security Solution: Stepping-Stone Security
- TMOS/LTM provides L2-L4
- PSM provides L4-L7 protocol security
- ASM provides application security
- Builds on ADN functionality: SSL termination, caching/compression, IPv6 gateway
Attack Expert System in ASM v10.1
1. Click on the info tooltip
2. Click on the attack type to open the attack type details
Improved PCI Compliance Reporting
New PCI reporting:
- Details the security measures required by PCI DSS 1.2
- Compliance state
- Steps required to become compliant

Reporting (screenshots)

Application Visibility and Reporting
- Monitor URIs for server latency
- Troubleshoot server code that causes latency
Reporting Features: Executive View
Attack categories shown: HTTP Response Splitting, Command Execution, Detection Evasion, Parameter Tampering, SQL Injection, Cross Site Scripting (XSS), XML Parser

Geo-location Based Reporting

Centralized Advanced Reporting with Splunk
- Centralized reporting with Splunk's large-scale, high-speed indexing and search solution
- 15 different ASM-specific reports packaged
- Provides visibility into attack trends and traffic trends
- Identify unanticipated threats before exposure occurs
http://www.f5.com/solutions/technologyalliances/security/splunk.html

Sample Reports with Splunk
- Top violations
- Top violations by protocol (HTTP, FTP, SMTP)
- Top HTTP violations by web application
- Top attackers
- Top attackers by protocol (HTTP, FTP, SMTP)
- Top web applications attacked, alerted or blocked
- Top web applications alerted by IP address
- Attacks by location
- Top response codes by web application
- Top alerted or blocked web application requests by time period
- Web application requests by method
- Custom ASM forensics filtering & search
F5 Application Security Manager (ASM) and WhiteHat Sentinel Partnership
Turnkey vulnerability detection and remediation solution

ASM + Sentinel Benefits
- Discovery and remediation within minutes
- Single-click policy rules (XSS, SQLi)
- Targeted, laser-focused policy rules
- No false positives
- Third-party policy validation
- Out-of-the-box integration for fast implementation
ASM vs. Competition
Vendors compared: F5, Barracuda, Breach, Citrix, Imperva
- Signature-based Security: X
- Policy-based Security:
- Staging area for new signatures: X X X X
- Human Readable Policies: X X X X
- Pre-configured policies: X X
- XML Schema validation: X X X
- Integration with Vuln. Scanners: X X X (1)
- Data center security in one unit: X X X X
- Monitor URIs for server latency: X X X X
- Web scraping protection: X (2) (2) X
- Encrypted cookie support: X X X X
- Rate limiting: X X X
- Geolocation reporting: X X X X
- Layer 7 DoS attack protection: X X X X
- Brute Force attack protection: X X X
- Acceleration and security: X X X(3) X
Link Collection
Overall technical:
- www.f5.com
- ask.f5.com
- devcentral.f5.com
F5 University: www.f5university.com/ (login: your email, password: adv5tech)
Partner information:
- www.f5.com/partners
- www.f5.com/training_services/certification/certfaq.html
Gartner report: http://mediaproducts.gartner.com/reprints/f5networks/article1/article1.html
Important deployment information is available at http://www.f5.com/solutions/deployment/
- Data Center Virtualization: http://www.f5.com/solutions/technology/pdfs/dc_virtualization_wp.pdf
- Application Traffic Management: http://www.f5.com/solutions/technology/pdfs/atm_wp.pdf
- Application Briefs: http://www.f5.com/solutions/applications/
- Solution Briefs: http://www.f5.com/solutions/sb/
- F5 Compression and Cache Test: http://www.f5demo.com/compression/index.php
- F5 iControl: http://www.f5.com/solutions/partners/icontrol/
- Alliance Partners / F5 Technology Alliance Partners: http://www.f5.com/solutions/partners/tech/
Let us know if you need any clarification or you have any further questions.
F5 Is the Global Leader in Application Delivery
Users (at home, in the office, on the road) reach the data centre (SAP, Microsoft, Oracle) through the Application Delivery Network. Business goal: achieve these objectives in the most operationally efficient manner.