F5 ASM and DB Monitoring in the NASK offering
Slide 2: Impacting People's Daily Lives - F5 is Everywhere
Slide 3: Agenda
- Security: what are the challenges?
- Operation efficiency using an ADC
- Database and application monitoring
- Round up
- Questions and answers
Slide 4: Security - Challenges Today
Presentation by Jürg Wiesmann, CISSP, Field System Engineer, Switzerland, 21 September 2009
Slide 5: Where it started
- Dependence on IT infrastructure
- Access to data and information from everywhere
- Awareness of users
- Regulatory requirements
- Due diligence / due care
- Today: DoS and DDoS attacks
Slide 6: Security - Challenging Questions
- The need for investment must be justified
- Return on investment is key
- Reputation costs are mostly not weighted
Slide 7: Security - Vulnerabilities in Web Applications!
- Noncompliant information
- Infrastructural intelligence
- Forceful browsing
- Cross-site scripting
- Cookie poisoning
- SQL/OS injection
- Hidden-field manipulation
- Parameter tampering
- Buffer overflow
Perimeter security is strong (port 80, SMTP, port 443, FTP), but it is open to web traffic! Forced access to information: attacks now look to exploit application vulnerabilities. High information density = high-value attack.
Slide 8: The CIA Triad
- Confidentiality: what do we do if somebody gets the sensitive data (the asset)?
- Integrity: what should we do if someone has modified my data (the asset)?
- Availability: what if the asset cannot be used?
Slide 9: Where do failures result from?
Slide 10: Why Security - why is nothing SECURE?
- Humans are building, humans are driving, humans operate, humans test
- Humans make mistakes
Security is a business need: more security means more protection for assets.
Slide 11: Problems in networking are solved with several point solutions
- Users: mobile phone, PDA, laptop, desktop
- Network point solutions: DoS protection, rate shaping, SSL acceleration, server load balancer, content acceleration, application firewall, connection optimization, traffic compression
- Applications: CRM, SFA, ERP, custom application, co-location
Complex and hard to maintain.
Slide 12: F5's Integrated Solution
- Users: mobile phone, PDA, laptop, desktop
- The F5 solution: Application Delivery Network (TMOS)
- Applications: CRM, database, Siebel, BEA, legacy, .NET, SAP, PeopleSoft, IBM, ERP, SFA, custom, co-location
Reducing complexity increases security.
Slide 13: Web Application Protection Strategy
- Best practice design methods: only protects against known vulnerabilities; difficult to enforce, especially with subcontracted code; only periodically updated, so the exposure window is large
- Automated and targeted testing: done periodically, so it is only as good as the last test; only checks for known vulnerabilities; does it find everything?
- Web application firewall: real-time 24x7 protection; enforces best practice methodology; allows immediate protection against new vulnerabilities
Section: Operation Efficiency
Slide 15: ASM Comparison
Threat rows: known web worms; unknown web worms; known web vulnerabilities; unknown web vulnerabilities; illegal access to web-server files; forceful browsing; file/directory enumerations; buffer overflow; cross-site scripting; SQL/OS injection; cookie poisoning; hidden-field manipulation; parameter tampering
- Network firewall (values in row order): Limited, X, Limited, X, Limited, X, X, Limited, Limited, X, X, X, X
- IPS (values in row order): Limited, Partial, Limited, X, X, Limited, Limited, Limited, X, X, X, X
- ASM solution needs to be operable
Network firewalls and IPS are looking at the wrong thing in the wrong place.
Slide 16: Multiple Security Layers
- Hardware and software hardening
- DoS and SYN flood protection
- RFC enforcement (HTTP request, cookies, ...)
- Enforcement of various HTTP limits (headers, method, cookies, ...)
- Profiling of what good traffic looks like: a defined list of allowed file types, lengths, URIs, parameters, ...
- Each parameter is evaluated separately for predefined value, length, character set, attack patterns, ...
Slide 17: Security Policy in ASM
Components: security policy, browser enforcement, content scrubbing, application cloaking
Benefits:
- Can be generated automatically or manually
- Highly granular in configuration and blocking
- Easy to understand and manage
- Bi-directional: inbound protection from generalised and targeted attacks; outbound content scrubbing and application cloaking
- Application content and context aware
Slide 18: ARN policy templates
- Pre-defined policies
- Integration with the BIG-IP configuration wizard
Slide 19: Flexible Policy Granularity
Example input "Search for: command injection". A single quote is a command delimiter, so best practice is to disallow it in parameters wherever possible; this is easiest to achieve with a generic policy applied to the whole site. BUT...
Example input "User Name: O'Connor". The single quote is needed in some parameters, so the policy must be selectively relaxable (e.g. a single quote is allowed in this parameter) and its use within the relaxed policy must still be limited (e.g. only one single quote is allowed in this parameter).
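The per-parameter relaxation described on this slide, as an added illustration written for this page (not F5's ASM policy model or configuration): a site-wide default rule rejects any single quote, a named override for the "username" parameter allows exactly one, and the checker reports which parameter violated which constraint. The rule fields, the policy class and the sample query strings are all constructed for the example.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qs


@dataclass
class ParamRule:
    """Constraints applied to one parameter's value (constructed example, not ASM's schema)."""
    allow_single_quote: bool = False   # site-wide default: no single quotes at all
    max_single_quotes: int = 0         # bound that still applies once the rule is relaxed
    max_length: int = 64


@dataclass
class SitePolicy:
    default: ParamRule = field(default_factory=ParamRule)
    overrides: dict = field(default_factory=dict)   # parameter name -> ParamRule

    def rule_for(self, name: str) -> ParamRule:
        return self.overrides.get(name, self.default)


def check_query(policy: SitePolicy, query_string: str) -> list:
    """Return a list of (parameter, reason) violations for a URL query string."""
    violations = []
    for name, values in parse_qs(query_string, keep_blank_values=True).items():
        rule = policy.rule_for(name)
        for value in values:
            if len(value) > rule.max_length:
                violations.append((name, "value too long"))
            quotes = value.count("'")
            if quotes and not rule.allow_single_quote:
                violations.append((name, "single quote not allowed"))
            elif quotes > rule.max_single_quotes:
                violations.append((name, "too many single quotes"))
    return violations


# Generic policy for the whole site, relaxed for the 'username' parameter only,
# and even there limited to a single quote character.
POLICY = SitePolicy(overrides={
    "username": ParamRule(allow_single_quote=True, max_single_quotes=1),
})

if __name__ == "__main__":
    for qs in ("q=command+injection", "q=O%27Reilly",
               "username=O%27Connor", "username=O%27Con%27nor"):
        print(qs, "->", check_query(POLICY, qs) or "allowed")
```

The search value "O'Reilly" is rejected under the generic rule while the same name passes as a username; that difference is the false positive the slide warns about, and the override keeps the relaxation narrow (one quote) rather than disabling the check.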
Slide 20: Improved security
- Improved attack signatures (+1700)
- Automatic signature update
- Evasion detection
- Signature staging
Slide 21: NO false positives!!!!
- Blacklist selection
- Blacklist staging
- Wildcard object/parameter
- Policy depth can be different
- Blocking page with ID
- LIFE or LIVE
Slide 22: Selective Application Flow Enforcement!
Example form: Username, Password (login page), then From Acc., To Acc., $ Amount, Transfer (transaction page).
- Login page enforcement (application flow): ALLOWED. Should this be a violation? The user may have bookmarked the page! Unnecessarily enforcing flow can lead to false positives.
- Transfer: VIOLATION. This part of the site is a financial transaction that requires authentication; we should enforce strict flow and parameter validation.
Slide 23: Data Guard
ASM is configured with predefined patterns for social security numbers and credit card numbers. These can be applied to any text response from the server; once there is a match, ASM logs the request which generated that response and, per configuration, either drops the entire response or masks the information, making sure no confidential information is leaked. Custom patterns can be added by the user.
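A response scrubber of the kind this slide describes, added here as an illustration (it is not F5's Data Guard code, and the regular expressions, the Luhn filter and the sample response text are constructed for the example). It scans an outbound body for US social security numbers and 13-16 digit card numbers, masks all but the last four digits or drops the whole response depending on the configured mode, and records the request that produced the leak without writing the raw value to the log.

```python
import re
from dataclasses import dataclass, field

# Constructed patterns (not F5's signatures): US SSN and 13-16 digit card numbers
# with optional space or dash separators.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(number: str) -> bool:
    """Luhn checksum over the digits; filters out most digit runs that are not card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_digits(text: str, keep_last: int = 4) -> str:
    """Replace all but the last `keep_last` digits with '*', keeping separators in place."""
    remaining = sum(c.isdigit() for c in text)
    out = []
    for c in text:
        if c.isdigit():
            remaining -= 1
            out.append(c if remaining < keep_last else "*")
        else:
            out.append(c)
    return "".join(out)


@dataclass
class ScrubResult:
    action: str                                   # "pass", "mask" or "drop"
    body: str                                     # what is sent back to the client
    findings: list = field(default_factory=list)  # (kind, masked value) entries for the log


def scrub_response(body: str, request_id: str, mode: str = "mask") -> ScrubResult:
    """Apply the patterns to a server response; mode is "mask" or "drop"."""
    findings = []

    def on_ssn(m):
        masked = mask_digits(m.group(0))
        findings.append(("ssn", masked))
        return masked

    def on_card(m):
        if not luhn_ok(m.group(0)):
            return m.group(0)          # order numbers etc. that fail Luhn stay untouched
        masked = mask_digits(m.group(0))
        findings.append(("card", masked))
        return masked

    scrubbed = CARD_RE.sub(on_card, SSN_RE.sub(on_ssn, body))
    if not findings:
        return ScrubResult("pass", body, [])
    # Log the request that generated the response, never the confidential value itself.
    for kind, masked in findings:
        print(f"request {request_id}: {kind} found in response -> {masked}")
    if mode == "drop":
        return ScrubResult("drop", "", findings)
    return ScrubResult("mask", scrubbed, findings)


# Constructed sample response; the first 16-digit run fails the Luhn check and is left alone.
SAMPLE = ("Order 1234 5678 9012 3456 shipped. Card 4111 1111 1111 1111 charged. "
          "SSN on file: 123-45-6789.")

if __name__ == "__main__":
    print(scrub_response(SAMPLE, "req-1").body)
```

The Luhn filter is the check that keeps a 16-digit order or tracking number from being masked; without it, a number-only pattern produces exactly the kind of false positive that makes operators switch the feature off.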
Slide 24: Layer 7 DoS and Brute Force
- Unique attack detection and protection
- Unwanted clients are remediated and desired clients are serviced
- Improved application availability
- Focus on higher-value productivity while automatic controls intervene
Slide 25: XML Security
- Well-formedness validation
- Schema/WSDL validation
- Method selection
- Attack signatures for XML platforms
- Backend parser protection
- Full request logging
Slide 26: [Screenshot: ASM GUI objects]
Slide 27: Forensics - individual request/response log
- Full HTTP request logged
- Server response can be viewed as well
Slide 28: Extensible
- Server resource cloaking
- Redirect on weak encryption
- Rate limit HTTP requests
- Client connection limits
- HTTP session limit
- Phishing prevention
- HTML comment scrubber
- Encrypting cookies
- DoS flood protection
- Number scrubbing
Section: Database and Application Monitoring
Slide 30: Health Monitors
- Check the network: wires and gateways
- Check servers by pinging servers and connecting to servers
- Check applications by retrieving and validating the content, conducting live interactive transactions and evaluating the results, and validating dependencies between applications (LDAP/LDAPS, Oracle/SQL, SIP, SOAP, FTP passive/active)
- M of N rule
- Set connection limits to applications
[Diagram: Network - BIG-IP - W W A - Database System A]
Slide 31: Database-Specific Monitoring
Slide 32: Real-time Monitoring - In-Band Monitors
- Monitor real traffic instead of probing
- Monitor more types of applications
- Less stress on network, servers and BIG-IP
- Immediate redirection on failure
Slide 33: Security Triangle - examples of how we address it
- Data Guard, FP, SAM
- ASM, PSM, XML
- Log / Syslog / SNMP / Audit log
- LTM / GTM / LC
Slide 34: Visible Security
Slide 35: Security should be invisible