DISTRIBUTING EMERGING TECHNOLOGIES, REGION-WIDE
WEB APPLICATION FIREWALLS: DO WE NEED THEM?
SHAIKH SURMED, Sr. Solutions Engineer
info@fvc.com
www.fvc.com
HAVE YOU BEEN HACKED?
WHAT IS THE PROBLEM?
[Diagram: the application stack. Perimeter controls (network firewall, IDS, IPS) sit in front of the web servers, application servers and database servers and their operating systems, with the confidential data behind them. 75% of attacks are focused on the customized application code layer (Gartner): SQL injection, parameter tampering, cross-site scripting and other attacks. That code was rushed to production and written before security was a priority.]
WHY DON'T TRADITIONAL FIREWALLS WORK?
Basic reason: the attacks are embedded in the traffic the firewall is designed to let through.
What a network firewall sees and can act on: IP address, TCP port, denial of service (DoS), distributed DoS, SYN flood, ping of death, TCP session hijacking, packet fragmentation.
Where web application attacks actually live: HTTP headers, cookies, URLs, form data.
Port 80/443 traffic passes straight through to the web applications, and the firewall never looks inside it.
WHO ARE THE ATTACKERS?
ORGANIZED CRIMINAL GANGS: hack websites, install malware and steal credit cards for financial gain.
HACKTIVISTS: groups such as Anonymous and LulzSec, usually with a political cause or driver behind them.
NATION STATES: governments with serious money behind them, conducting cyber warfare.
WHO ARE THE TARGETS?
BANKS & FINANCIAL ORGANIZATIONS: Bank of America, MasterCard
ENTERPRISES: Twitter, Sony, Apple
GOVERNMENTS: Malaysia vs Philippines
WHAT ARE THE CONSEQUENCES?
CUSTOMER ISSUES: identity theft, phishing, information leakage
OPERATIONAL ISSUES: downtime, defacement, link spam, worms / malware
BUSINESS REPUTATION: loss of sales, monetary loss, blackmail
WHAT'S THE SOLUTION? Layer 7 security.
A network firewall blocks only network-layer attacks; port 80/443 traffic goes through it to the web applications. A WAF sits in that path and inspects the HTTP traffic itself, so the attacks hidden inside it can be blocked before they reach the application.
WHAT'S A WAF? A Web Application Firewall (WAF) is an appliance or software that applies a set of rules to HTTP/HTTPS traffic to protect web servers. It inspects both inbound requests (attack payloads) and outbound responses (leakage of sensitive data, error pages that reveal internals).
OPERATION MODE OF A WAF?
A Negative Security Model (block-list) defines what is disallowed while implicitly allowing everything else. It recognizes attacks by matching requests against a database of known attack signatures. It is quick to deploy and produces few false positives, but it only catches what it has a signature for, so new attack variants and encoding tricks that evade the pattern get through.
A Positive Security Model (allow-list) defines what is allowed while rejecting everything else. It enforces correct behavior by learning the application logic (resources, methods, parameters, their types and lengths) and then building a security policy of valid, known-good requests. It blocks unknown attacks as a side effect, but it needs a learning period and breaks legitimate traffic (false positives) whenever the application changes and the profile has not been relearned. Most deployments run both.
OPEN WEB APPLICATION SECURITY PROJECT (OWASP) The Open Web Application Security Project (OWASP) is an open-source application security project. The OWASP community includes corporations, educational organizations and individuals from around the world. This community works to create freely available articles, methodologies, documentation, tools and technologies. The OWASP Top 10 has become a de facto standard for application security; the categories on the following slides use the names from its 2010 edition.
INJECTION FLAWS
SQL Injection Attack: User = bob or 1=1, sent as http://shop/index.asp?user=bob or 1=1
Injection flaws allow attackers to relay malicious code through a web application to another system, such as a back-end database or the operating system. SQL injection is a particularly widespread and dangerous form of injection: the application concatenates the user's input into the query text, so "or 1=1" turns a lookup for one user into a condition that is true for every row. (The payload above works where the parameter is placed into the query unquoted; where it is quoted, the attacker first closes the string with a quote character.) These attacks are not difficult to attempt, and more tools are emerging that scan for these flaws. To remedy this, organizations can use a WAF that includes negative security signatures to identify the attack payload. The WAF is a compensating control: the underlying fix is to pass user input to the database as bound parameters rather than as part of the SQL text.
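To make the mechanism concrete, here is an added example (not part of the original slides, and not tied to any FVC or Riverbed product): a throwaway SQLite database with constructed rows, a lookup that builds the SQL string by concatenation, and the same lookup with a bound parameter. The numeric variant uses the slide's unquoted "or 1=1" form; the string variant has to close the quote first. Table, column names and data values are all made up for the demonstration.

```python
"""SQL injection: string-built queries beside their parameterized fix (sqlite3, stdlib only)."""
import sqlite3


def setup_db():
    # Constructed sample data; not from any real system.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, card TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "4111********1111"),
         (2, "bob", "5500********0004"),
         (3, "carol", "3400*******0009")],
    )
    return conn


def by_id_vulnerable(conn, id_text):
    # Vulnerable on purpose: the value is pasted into the SQL unquoted, so the
    # slide's payload "2 or 1=1" becomes  WHERE id = 2 or 1=1  and matches every row.
    sql = "SELECT name, card FROM users WHERE id = " + id_text
    return conn.execute(sql).fetchall()


def by_name_vulnerable(conn, name):
    # Vulnerable on purpose: quoted context, so the attacker closes the quote first:
    #   bob' OR '1'='1   ->   WHERE name = 'bob' OR '1'='1'
    sql = "SELECT name, card FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def by_name_safe(conn, name):
    # The fix: the value travels as a bound parameter and can never alter the
    # structure of the statement, whatever characters it contains.
    sql = "SELECT name, card FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def by_id_safe(conn, id_text):
    # Same for the numeric case; validate the type before it gets anywhere near the DB.
    if not id_text.isdigit():
        return []
    sql = "SELECT name, card FROM users WHERE id = ?"
    return conn.execute(sql, (int(id_text),)).fetchall()


# Constructed payloads for the demonstration.
ID_PAYLOAD = "2 or 1=1"
NAME_PAYLOAD = "bob' OR '1'='1"

if __name__ == "__main__":
    conn = setup_db()
    print("vulnerable, numeric :", by_id_vulnerable(conn, ID_PAYLOAD))      # all three rows
    print("vulnerable, quoted  :", by_name_vulnerable(conn, NAME_PAYLOAD))  # all three rows
    print("parameterized       :", by_name_safe(conn, NAME_PAYLOAD))        # []
    print("parameterized (int) :", by_id_safe(conn, ID_PAYLOAD))            # []
```

The two vulnerable lookups hand every card in the table to the attacker; the two parameterized ones treat the payload as an ordinary value that matches nothing. A WAF signature in front of the vulnerable code would catch these particular payloads, but only the parameterized version is safe against payloads the signature author did not anticipate.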
CROSS SITE SCRIPTING
1. Hacker posts <malicious script> to a vulnerable web application.
2. Innocent user downloads the page containing the script and the browser executes it.
3. Script captures credential information and sends it to the hacker.
Cross-site scripting allows attackers to execute script in the victim's browser, which can hijack user sessions, insert hostile content, hijack the user's browser using malware, or redirect the user to phishing or malware sites. The diagram shows the stored variant; in the reflected variant the script arrives in the request (a URL the victim is tricked into clicking) and is echoed back in the same response, which is the form a WAF sees directly in the inbound traffic.
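The two operation modes from the OPERATION MODE slide, applied to the injection and cross-site scripting payloads above, as an added example (not code from the original deck or from any WAF vendor): a toy inspection core with a small negative-model signature set and a hand-written positive-model profile for two resources, run over constructed requests. Signatures, profile, hostnames and requests are all made up for the demonstration, and a real rule set is far larger. The per-request output shows why practitioners run both models: the block-list catches the encoded payloads, the allow-list catches an unexpected parameter and an unexpected method that no signature would flag, and the same allow-list is what produces false positives when the application changes and the profile has not been relearned.

```python
"""Toy WAF core: negative (block-list) and positive (allow-list) models side by side."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# --- Negative security model: signatures for known attack payloads -------------
# Constructed, deliberately simplified patterns; real rule sets are far larger.
SIGNATURES = {
    "sqli": re.compile(
        r"(?i)\b(or|and)\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+"   # or 1=1, OR '1'='1
        r"|\bunion\b\s+(all\s+)?select\b"
        r"|;\s*(drop|delete|insert|update)\b"
    ),
    "xss": re.compile(r"(?i)<\s*/?\s*script|javascript\s*:|\bon(load|error|click|mouseover|focus)\s*="),
    "traversal": re.compile(r"\.\./|\.\.\\"),
}

# --- Positive security model: per-resource profile of what is allowed ---------
# In a product this is learned from traffic; here it is constructed by hand.
PROFILE = {
    "/index.asp": {
        "methods": {"GET"},
        "params": {"user": re.compile(r"^[a-z0-9_]{1,32}$"),
                   "page": re.compile(r"^\d{1,4}$")},
    },
    "/search": {
        "methods": {"GET"},
        "params": {"q": re.compile(r"^[\w .,-]{1,64}$")},
    },
}


def _params(url):
    """Query string as (name, value) pairs. parse_qsl decodes once; decoding the
    value a second time defeats the double-URL-encoding evasion trick."""
    qs = urlsplit(url).query
    return [(k, unquote_plus(v)) for k, v in parse_qsl(qs, keep_blank_values=True)]


def negative_check(method, url):
    """Block-list: list of (param, signature) hits; empty means 'looks clean'."""
    hits = []
    for name, value in _params(url):
        for sig, pattern in SIGNATURES.items():
            if pattern.search(value):
                hits.append((name, sig))
    return hits


def positive_check(method, url):
    """Allow-list: violations against the profile; resources without a profile are rejected."""
    path = urlsplit(url).path
    profile = PROFILE.get(path)
    if profile is None:
        return [f"no profile for {path}"]
    violations = []
    if method not in profile["methods"]:
        violations.append(f"method {method} not allowed on {path}")
    for name, value in _params(url):
        rule = profile["params"].get(name)
        if rule is None:
            violations.append(f"unknown parameter {name}")
        elif not rule.match(value):
            violations.append(f"parameter {name} fails format/length rule")
    return violations


def inspect_request(method, url):
    """Run both models; block if either fires and report which one did."""
    neg = negative_check(method, url)
    pos = positive_check(method, url)
    verdict = "block" if (neg or pos) else "allow"
    return {"verdict": verdict, "negative": neg, "positive": pos}


# Constructed sample traffic (not captured from any real site).
SAMPLE_REQUESTS = [
    ("GET", "http://shop/index.asp?user=bob"),
    ("GET", "http://shop/index.asp?user=bob%20or%201%3D1"),                         # the slide's payload
    ("GET", "http://shop/index.asp?user=bob%2527%20OR%20%25271%2527%3D%25271"),    # double-encoded quote
    ("GET", "http://shop/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),           # reflected XSS
    ("GET", "http://shop/index.asp?user=bob&debug=1"),                              # clean value, unknown param
    ("POST", "http://shop/index.asp?user=bob"),                                     # unexpected method
    ("GET", "http://shop/backup.zip"),                                              # unprofiled resource
]

if __name__ == "__main__":
    for method, url in SAMPLE_REQUESTS:
        result = inspect_request(method, url)
        print(f"{result['verdict']:5} {method} {url}")
        for param, sig in result["negative"]:
            print(f"      negative model: {sig} signature matched in '{param}'")
        for violation in result["positive"]:
            print(f"      positive model: {violation}")
```

Only the first request is allowed. The last three requests carry nothing a signature would ever match; they are blocked purely because the positive profile does not know the parameter, the method or the resource, which is exactly the "unknown attack" coverage the allow-list gives, and exactly the traffic that turns into false positives when a developer legitimately adds a debug parameter without the profile being updated.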
INSECURE CRYPTOGRAPHIC STORAGE
Many web applications do not properly protect sensitive data such as credit cards, Social Security Numbers (SSNs) and authentication credentials with appropriate encryption or hashing. Attackers may use this weakly protected data to conduct identity theft, credit card fraud or other crimes. A WAF cannot fix how the data is stored, but it can limit the damage by inspecting outbound traffic and blocking or masking responses that leak sensitive data such as cardholder data and SSNs through the application.
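Outbound inspection of the kind described above, as an added example (not from the original deck or from any product): scan a response body for card numbers and SSNs before it leaves, and mask rather than drop the page so the application stays usable. The card check applies the Luhn check digit so that a random 16-digit order number does not fire; the SSN pattern excludes area and group numbers that are never issued. The response body is constructed; 4111 1111 1111 1111 is a standard test card number and 078-05-1120 a well-known sample SSN, so no real data is involved.

```python
"""Outbound inspection: find and mask card numbers (Luhn-checked) and SSNs in a response body."""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes (typical PAN formatting).
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# AAA-GG-SSSS with the never-issued values excluded (area 000/666/9xx, group 00, serial 0000).
SSN_PATTERN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_valid(digits):
    """Luhn check digit test. Cheap filter that rejects most random digit runs
    (order IDs, timestamps, tracking numbers) that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _is_pan(match_text):
    digits = re.sub(r"\D", "", match_text)
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def find_pans(text):
    """Card-number-shaped runs that also pass Luhn."""
    return [m.group() for m in PAN_CANDIDATE.finditer(text) if _is_pan(m.group())]


def find_ssns(text):
    return SSN_PATTERN.findall(text)


def mask(text):
    """Replace all but the last four digits, keeping the page readable for the user."""
    def _mask_pan(m):
        if not _is_pan(m.group()):
            return m.group()          # Luhn failed: leave it alone (e.g. an order number)
        digits = re.sub(r"\D", "", m.group())
        return "*" * (len(digits) - 4) + digits[-4:]
    text = PAN_CANDIDATE.sub(_mask_pan, text)
    return SSN_PATTERN.sub(lambda m: "***-**-" + m.group()[-4:], text)


def inspect_response(body):
    """Decision record for one response: what leaked, and the body as it should go out."""
    pans, ssns = find_pans(body), find_ssns(body)
    return {"leak": bool(pans or ssns), "pans": pans, "ssns": ssns, "masked": mask(body)}


# Constructed response body; the numbers are public test/sample values, not real data.
SAMPLE_RESPONSE = (
    "<html><body>\n"
    "Order 1234567890123456 confirmed for customer 078-05-1120.\n"
    "Card on file: 4111 1111 1111 1111 (exp 12/26)\n"
    "Support: 555-123-4567\n"
    "</body></html>"
)

if __name__ == "__main__":
    result = inspect_response(SAMPLE_RESPONSE)
    print("leak detected:", result["leak"])
    print("card numbers :", result["pans"])
    print("SSNs         :", result["ssns"])
    print(result["masked"])
```

The order number 1234567890123456 is the same length as a card number but fails Luhn, so it is neither reported nor masked, while the test card and the sample SSN are both caught and masked in the outgoing body. In a real deployment this runs on the decrypted response at the proxy, which is why TLS termination at the WAF (next slide) is a prerequisite for outbound inspection.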
INSUFFICIENT TRANSPORT LAYER PROTECTION
Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications. When they do encrypt, they sometimes support weak algorithms, use expired or invalid certificates, or do not use them correctly. A WAF deployed as a transparent or reverse proxy can terminate the SSL/TLS connections itself, so it controls the certificate presented and the protocol versions and cipher suites offered, and it can enforce HTTPS for specific resources by redirecting plain HTTP requests for them. Termination at the WAF is also what lets it inspect the decrypted requests and responses at all.
SECURITY MISCONFIGURATION
Security misconfiguration can happen at any level of the application stack, including the platform, web server, application server, framework and custom code. Such flaws can give attackers access to default accounts, unused pages, unpatched flaws and unprotected files and directories, and through them unauthorized access to system data. A WAF protects against this by dynamic profiling (learning which resources and parameters the application legitimately uses and rejecting requests for anything else, such as forgotten admin pages or backup files) or by integrating with a vulnerability assessment (VA) scanner and turning its findings into blocking rules ("virtual patching") until the configuration or code is actually fixed.
IMPORTANT SELECTION CRITERIA
Protection against the OWASP Top Ten
Very few false positives
Strength of default (out-of-the-box) defenses
Power and ease of learn mode
Types of vulnerabilities it can prevent
Detects sensitive content in outbound reply messages
Support for both positive and negative security models
Simplified and intuitive user interface
Cluster mode support
High performance (milliseconds of added latency)
Alerting, forensics and reporting capabilities
Brute force protection
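Brute force protection from the checklist above, as an added example (not code from the original deck or from Riverbed): a sliding-window counter of failed logins per source address with a temporary lockout, replayed over constructed login events. Thresholds, addresses, usernames and timings are assumptions chosen for the demonstration.

```python
"""Brute-force protection: sliding-window failure counter with a temporary lockout per source."""
from collections import defaultdict, deque


class BruteForceGuard:
    def __init__(self, max_failures=5, window_s=60, lockout_s=300):
        self.max_failures = max_failures   # failures tolerated inside the window
        self.window_s = window_s           # sliding window length in seconds
        self.lockout_s = lockout_s         # how long a tripped source stays blocked
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> time the lockout expires

    def allow(self, key, now):
        """Should this login attempt be forwarded to the application at all?"""
        until = self._locked_until.get(key)
        if until is not None:
            if now < until:
                return False
            # Lockout expired: forget it and start counting afresh.
            del self._locked_until[key]
            self._failures[key].clear()
        return True

    def record(self, key, success, now):
        """Feed the outcome back. Returns True when this failure tripped a lockout."""
        recent = self._failures[key]
        if success:
            recent.clear()
            return False
        recent.append(now)
        while recent and now - recent[0] > self.window_s:   # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[key] = now + self.lockout_s
            return True
        return False


# Constructed login events: (seconds, source IP, username, password was correct).
LOGIN_EVENTS = [
    (0,   "203.0.113.7",  "admin", False),
    (5,   "203.0.113.7",  "admin", False),
    (10,  "203.0.113.7",  "admin", False),
    (15,  "203.0.113.7",  "admin", False),
    (20,  "203.0.113.7",  "admin", False),   # fifth failure inside 60 s: lockout
    (25,  "203.0.113.7",  "admin", True),    # right password now, but still blocked
    (30,  "198.51.100.9", "alice", False),   # ordinary user mistypes once ...
    (40,  "198.51.100.9", "alice", True),    # ... then succeeds; counter resets
    (330, "203.0.113.7",  "admin", False),   # lockout expired at t=320, counting restarts
]


def replay(events, guard=None):
    """Run the guard over a sequence of events; returns one decision per event."""
    guard = guard or BruteForceGuard()
    decisions = []
    for t, ip, user, ok in events:
        if not guard.allow(ip, t):
            decisions.append((t, ip, user, "locked"))
            continue
        tripped = guard.record(ip, ok, t)
        outcome = "lockout-triggered" if tripped else ("success" if ok else "failure")
        decisions.append((t, ip, user, outcome))
    return decisions


if __name__ == "__main__":
    for t, ip, user, outcome in replay(LOGIN_EVENTS):
        print(f"t={t:3}s {ip:13} {user:6} {outcome}")
```

Keying on the source address alone, as here, misses password spraying from many addresses against one account and penalises everyone behind a shared NAT; a production rule keys on the username (or the username/IP pair) as well and trips an account-level lockout or step-up challenge on that key.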
Well-Known Commercial WAF
Riverbed Stingray Application Firewall is a sophisticated, application-aware web application firewall for deep application security that can be flexibly deployed in public, private and hybrid environments. It protects against known and unknown attacks at the application layer (such as the OWASP Top 10), secures your application and helps you meet compliance requirements with confidence.
Stingray Traffic Manager
"The Riverbed Stingray Application Firewall provides an additional layer of security, giving us peace of mind and optimum protection for our online presence." Rob Wilmshurst, CEO
2011 Riverbed Technology. Confidential. IMPORTANT NOTE: The roadmap is for information purposes only and is not a commitment, promise or legal obligation to deliver any new products, features or functionality. The development, release, and timing of any features or functionality described remains at Riverbed's sole discretion.
What is the Stingray ADC?
Stingray virtual ADC
FASTER: SSL and XML offload, content compression, HTTP caching, HTTP multiplexing, TCP offload
MORE RELIABLE: load balancing, fault tolerance, monitoring, bandwidth and rate shaping
MORE SECURE: server isolation, traffic filtering and scrubbing, scalable distributed application firewall
EASIER TO MANAGE: TrafficScript logic, service level monitoring, reporting and alerting, control and event API
Workloads served: web sites (e-commerce, corporate sites); enterprise apps (intranets, document management, ERP, CRM); email (SMTP, IMAP, POP); web services (databases, XML, SOAP); rich media (video, audio, SIP, RTSP)
Stingray Traffic Manager: A new kind of ADC solution
Performance and Throughput: increase customer satisfaction and generate more revenue from improved availability and response times.
Virtual and Cloud Platforms: reduce costs by increasing flexibility and utilization, and release more of the benefits of virtualization by deploying ADC resources directly in the virtual or cloud environment.
Application Development: reduce the risk and disruption of new service launches with seamless application upgrades, and gain competitive advantage from increased agility, even with third-party or outsourced applications.
Distributed Application Firewall: secure online applications to prevent the revenue loss and brand damage caused by external threats to both in-house and third-party/outsourced applications.
1000+ Stingray Customers across many verticals: Telco, Media, Hosting & Cloud, eRetail, Other