Web applications - Starnberger IT Forum

Targeted attacks on companies: why the best network security alone is not enough
Securing and Optimizing Web applications
Agenda
1. Targeted attacks on companies: why can we no longer avoid dealing with this topic?
2. Why the best network security alone is not enough ...
3. Discussion
4. What matters for effective and efficient handling?
Securing and optimizing web applications
2
How attacks on web applications are changing
[Figure: attacker types (script kiddie, hobby hacker, expert, specialist, author, vandal, thief, intruder, spy) plotted against motive (curiosity, personal fame, personal gain, national interests), with a marker for the segment showing the highest increase.]
Expert tools are increasingly being used by hobby hackers and criminals.
Network vs. application
Why application security is a high priority
• Attacks do not require high skill or special equipment
• Web applications are high-value targets for hackers: customer data, credit cards, ID theft, fraud, site defacement
[Figure: attack complexity (low to high) plotted against the hacker's ROI (low to high).]
The state of IT security in Germany 2009 (Lage der IT-Sicherheit in Deutschland 2009)
Top 10 Web Threats
Demo: login via SQL injection
Source: GAI netconsult
Demo: manipulation of a hidden field
Source: GAI netconsult
The growing threat from web attacks
• Test carried out by PSINet and Pansec
– 2 "dummy" web sites were set up on the Internet that simulated European bank sites
• The result
– 2000 attacks per week on the unprotected web site
– 200 attacks per week got through the firewall, of which more than 33% were classified as "high risk"
The question is therefore not ...
Will there be a "high risk" attack against the web application?
... but WHEN?
Network firewalls are insufficient
[Figure: traffic path from the Internet through web servers (HTTP/S) to the application server and backend server/system and databases (NetBIOS, NFS); the network firewall only asks: source? destination? service?]
• Network firewalls check the IP source and destination, port numbers and sometimes protocol compliance
• Web application firewalls inspect the HTTP/HTTPS/XML content
Network security doesn't protect web applications
[Table: each of the following threats is rated X, Limited or Partial for three protection layers: web application firewall, network firewall and IPS; the individual ratings are not legible in this extract.]
Known web worms
Unknown web worms
Known web vulnerabilities
Unknown web vulnerabilities
Illegal access to web server files
Forceful browsing
File/directory enumeration
Brute force attacks
Buffer overflow
Cross-site scripting
SQL/OS injection
Cookie poisoning
Hidden-field manipulation
Parameter tampering
Web attacks: targets and impacts
Targets
• Users
• Web servers
• Web applications
• Databases
• Web services
Impact
• Session hijacking
• Web server defacement
• Denial of service (DoS)
• Remote control of the web server
• Modification of web application behaviour
• Data theft, data modification
Web application security
• An efficient and effective solution should protect against application-level attacks that target:
• Users
• Databases
• Web servers
• Web services
• Web applications
Comparison of security measures
[Figure: effectiveness (protection achieved, low to high) plotted against efficiency (cost/benefit ratio, low to high) for code analysis, web application firewalls, penetration tests, security training for developers, vulnerability scans and IPS / deep inspection.]
Deny All Security Solutions
WAF = Web Application Firewall ?
Why customers deploy
• Transactional applications
• Business data protection
• Web mail
• Application performance
• PCI compliance (PCI DSS 6.6)
• Web services protection
Company overview
• Initially developed and used by Société Générale; launched as an independent company in 2001
• More than 10 years in production networks, 24x7x365
• Leading European WAF vendor
- 350+ customers
- all sectors
• Protection of more than 13,000 web sites
• Worldwide operations
- active in more than 25 countries
- represented by own teams and/or certified partners
• Revenue
- 60% in France
- 40% international
Key partners for technology and hardware:
Deny All application firewall solutions
• rFTP – File Transfer Application Firewall
– Immediate protection of file transfer services and applications
• rWeb – Web and XML Application Firewall
– Complete protection, acceleration and simplification of web applications and the web services environment
• sProxy – Secure Web Accelerator
– Acceleration and protection of your web data center
– High baseline protection with blacklist and scoring list
Architecture with reverse proxy: DMZ mode
[Figure: the reverse proxy sits in the public DMZ in front of the web server, application server, backend server/system, databases and SAP portal.]
• Architecture security improvement
• Application-level security
• Acceleration
Multi-DMZ mode
[Figure: a first appliance (web frontal, acceleration) in the public DMZ and a second appliance (authentication / filtering) in the private DMZ, in front of the application server, backend server/system, databases and SAP portal.]
• 1st appliance: acceleration
• 2nd appliance: authentication and filtering
Security mechanisms
Mechanisms covered on the following slides: reverse proxy, protocol inspection, black list, scoring list, white list, stateful cookie tracking, user behaviour tracking, client sanitization.
Reverse proxy
• Reverse proxy: no direct access from the outside world
• Benefits
• Application infrastructure virtualization
• Powerful rewriting
• Acceleration features
Security mechanisms: protocol inspection
• Protocol inspection
• URL normalization
• Anti-evasion
• Benefits:
• Able to detect and block attacks that have been encoded
• Immediate protection against attacks that use protocol manipulation
Security mechanisms: black list
• Black list
• Over 2000 signatures of web application vulnerabilities
• Periodically updated
• Automatic or manual upload
• Signature groups to improve performance
• Benefits
• Immediate protection against known vulnerabilities
• No need to know the application or the web server technology
Security mechanisms: scoring list
• Scoring list
• Scores every incoming request
• Drops the request when the score is too high
• The weights are the result of years of experience
• Our know-how (10 years) is integrated in the Plug&Play feature
• Benefits
• Very low level of false positives for attacks such as SQL injection, XSS and code injection compared to a simple black list
• Blocks injections spread across multiple parameters
• Able to block 97% of new vulnerabilities without any modification or adaptation (SQLi, XSS, HTMLi, LFI)
Unique WAF feature: scoring list
Pattern 1: ^select$   weight=0.50
Pattern 2: ^union$    weight=0.25
Pattern 3: ^from$     weight=0.25

Input                 Score          Result
union                 weight=0.25    not blocked
union select          weight=0.75    not blocked
union select * from   weight=1.00    blocked
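The scoring-list mechanism from the slide, written out as a runnable example (added here, not Deny All's code). The three patterns and their weights are the slide's; the word tokenizer, the blocking threshold of 1.0 and the sample inputs are assumptions, and the request-level function goes one step beyond the slide by accumulating the score across several parameters, which is how the earlier slide says injections spread over multiple parameters get caught.

```python
import re

# Scoring list as on the slide: each anchored pattern is matched against the
# individual tokens of a value and contributes its weight when it matches.
SCORING_LIST = [
    (re.compile(r"^select$", re.IGNORECASE), 0.50),
    (re.compile(r"^union$", re.IGNORECASE), 0.25),
    (re.compile(r"^from$", re.IGNORECASE), 0.25),
]
# Assumed blocking threshold: the slide blocks at 1.00 and passes 0.75.
BLOCK_THRESHOLD = 1.0


def tokenize(value: str) -> list[str]:
    """Split a value into word tokens; punctuation such as '*' contributes nothing."""
    return re.findall(r"[A-Za-z_]+", value)


def score_value(value: str) -> float:
    """Sum the weights of every scoring-list pattern matched by any token."""
    score = 0.0
    for token in tokenize(value):
        for pattern, weight in SCORING_LIST:
            if pattern.match(token):
                score += weight
    return round(score, 2)


def score_request(params: dict[str, str]) -> tuple[float, bool]:
    """Score a whole request: weights accumulate across all parameters, so an
    injection split over several fields is still caught. Returns (score, blocked)."""
    total = round(sum(score_value(v) for v in params.values()), 2)
    return total, total >= BLOCK_THRESHOLD


if __name__ == "__main__":
    # Constructed sample inputs: the slide's three cases plus a benign sentence
    # that a plain "union" blacklist signature would have flagged.
    for sample in ["union", "union select", "union select * from",
                   "from our union of members"]:
        print(f"{sample!r}: {score_value(sample)}")
    print(score_request({"id": "1 union", "name": "select x from t"}))
```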
High baseline protection with negative security
[Figure: security level from 0% to 100%, comparing a blacklist alone with scoring list + blacklist.]
Security mechanisms: white list
• White list
• Only expected requests are granted
• Tools to generate the white list automatically
• Multiple security levels
• Benefits
• Easy to set up
• Improves the security level
• Using a low white-list level already improves the security level without increasing administration cost
Security mechanisms: cookie tracking
• Stateful cookie tracking
• Signature
• Encryption
• Benefits
• Immediate protection against cookie manipulation
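The cookie signature mechanism above, as an added illustration (not Deny All's implementation): the reverse proxy appends an HMAC to every cookie the backend sets and checks it on the way back in, so a client-side change to the value is detected before the request reaches the application. The key, cookie names and values are constructed for the example; the same check applies to hidden form fields like the one in the earlier demo.

```python
import hashlib
import hmac

# Assumed per-deployment secret known only to the reverse proxy (constructed).
PROXY_KEY = b"example-proxy-key-change-me"


def sign_cookie(name: str, value: str, key: bytes = PROXY_KEY) -> str:
    """Outbound (server -> client): append an HMAC over name and value, so the
    tag is bound to this cookie and cannot be moved to another one."""
    tag = hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify_cookie(name: str, signed: str, key: bytes = PROXY_KEY):
    """Inbound (client -> server): split off the tag, recompute the HMAC and
    compare in constant time. Returns the original value, or None when the
    tag is missing or the value was manipulated."""
    value, sep, tag = signed.rpartition(".")
    if not sep:
        return None  # no signature at all: treat as manipulated
    expected = hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return value


if __name__ == "__main__":
    issued = sign_cookie("role", "user")
    print("valid:", verify_cookie("role", issued))
    # Client edits the value but keeps the old tag: rejected.
    forged = "admin." + issued.rpartition(".")[2]
    print("forged:", verify_cookie("role", forged))
```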
Security mechanisms: anti brute force / anti DoS
• Anti brute force / anti DoS
• Multiple criteria (time, IP, cookie, response code ...)
• Multiple reactions (error page, slow down, redirect ...)
• Benefits
• Protects against attacks that can't be blocked with a positive or negative security model
Security mechanisms: client sanitization
Man-in-the-browser / Trojan (MITB)
• Operates inside the browser with full access
• Discloses sensitive data
• Manipulates transaction data
Spyware
• Typically operates from inside the browser, but may operate from other places
• Steals confidential information
Mitigation
• Secure services even on a possibly infected system
• Proactive protection features integrated in the browser
• Maximum security level without the need for a separate installation or admin rights
• No end-user configuration required
• Low overhead, ensuring stable system speed
Security mechanisms: client sanitization flow
[Figure: client, rWeb and server.]
1. The client connects to the web site
2. rWeb forces the loading of the shield
3. The client connects from a secured browser
Web services protection (next feature)
[Figure: web services in front of the backend server/system and databases.]
• Protocol validation
• Schema validation (WSDL, DTD, XSD ...)
• XPath enforcement
• Canonicalization
SAP (next feature)
[Figure: SAP service and SAP portal in the public DMZ, in front of the backend server/system and databases.]
• Deny All provides protection for SAP web applications
Authentication
• Client certificates
• One-time password
• RSA SecurID
• RADIUS
• LDAP(S)
• Active Directory
SSO authorization
• CA SiteMinder
Web application visibility
• Visibility of web server response time
• In the logs
• Total time – web server response time = rWeb processing time
• Visibility of the users' requests
• Evidence of attacks (web servers don't log the entire traffic)
• Debugging and improvement of web application behaviour
Acceleration
[Figure: server load reduced between the application server and the backend server/system.]
• Cache
• TCP multiplexing
• SSL offload
• On-the-fly compression
• Improved user experience
Appliance high availability: active/active
[Figure: rWeb cluster.]
• Both nodes are active
• Failover < 1 s
• Up to 32 active nodes
Feature distribution
[Figure: three rWeb 4.0 appliances, one each for caching, filtering and load balancing.]
Backend high availability / load balancing
• Algorithms:
• Weighted
• Round robin
• Least requests
• Benefits:
• Application-level health check
• Session tracking
• Web server "soft removal"
• No need to implement HA mechanisms on the web servers
• Application-level HA
• Scalable architecture
Management
Administration
• Web 2.0 GUI
• SNMP (v2c, v3)
• Syslog
• Configuration synchronization
• Backup / restore
Reporting
Monitoring
• System health
• Overall throughput
• Security alerts
• Incident severity
Denyall security solutions
• Hide the server from the Internet
• Protect against unknown vulnerabilities
• HTTP protocol validation
• Application zone restriction
• Protect against known vulnerabilities
• Sensitive data hidden
• Strong authentication
• Session protection
• Fewer servers needed
• Behaviour agreement
• Improved response time
• Isolate external sessions
• Remove any possibility of a jump
Benefits
• (Web Application) Security
• Acceleration
• Visibility on Web applications
• Infrastructure optimisation
Contact:
Deny All GmbH
Ingmar Lüdemann
+49 89 2001 9239
[email protected]