Targeted attacks on companies – why the best network security alone is not enough
Securing and Optimizing Web Applications

Slide 2: Agenda
1. Targeted attacks on companies: why we can no longer avoid dealing with this topic
2. Why the best network security alone is not enough ...
3. Discussion
4. What matters for effective and efficient handling?

Slide 3: How attacks on web applications are changing
(Diagram: attacker profiles and motives. Spy: national interests. Intruder: personal fame, curiosity. Thief: personal gain. Vandal. Skill levels from script kiddy, author and hobby hacker up to expert and specialist. Highest increase: hobby hackers and criminals.)
Expert tools are increasingly being used by hobby hackers and criminals.

Slide 4: Network vs. application
(Diagram only.)

Slide 5: Why application security is a high priority!
• Does not require the attacker to be highly skilled or to have any special equipment
• Web applications are high-value targets for hackers: customer data, credit cards, ID theft, fraud, site defacement
(Chart: attack complexity low, hackers' ROI high.)

Slide 6: The state of IT security in Germany 2009
(Figure only.)

Slide 7: Top 10 web threats
(Figure only.)

Slide 8: Demo: login via SQL injection
Source: GAI netconsult

Slide 9: Demo: manipulation of a hidden field
Source: GAI netconsult

Slide 10: The growing threat from web attacks
• Test conducted by PSINet and Pansec Internet
 – 2 "dummy" websites were created that simulate European bank sites
• The result
 – 2000 attacks per week on the unprotected website
 – 200 attacks per week through the firewall, of which more than 33% were rated "high risk"
The question is therefore not whether there will be a "high risk attack" against the web application ... but WHEN.
Slide 11: Network firewalls are inefficient
(Diagram: web servers, application server, backend server/system and databases, reached over NetBIOS, HTTP/S and NFS; the firewall only sees source, destination and service.)
• Network firewalls check IP source and destination, port numbers and sometimes protocol compliance
• Web application firewalls inspect the HTTP/HTTPS/XML content

Slide 12: Network security doesn't protect web applications
(Table comparing how far a network firewall, an IPS and a web application firewall cover each attack class, rated "X", "Limited" or "Partial"; the individual cell values are not recoverable from the extraction. Attack classes listed: known web worms, unknown web worms, known web vulnerabilities, unknown web vulnerabilities, illegal access to web server files, forceful browsing, file/directory enumeration, brute force attacks, buffer overflow, cross-site scripting, SQL/OS injection, cookie poisoning, hidden-field manipulation, parameter tampering.)

Slide 13: Web attacks: targets and impacts
Targets:
• Users
• Web servers
• Web applications
• Databases
• Web services
Impacts:
• Session hijacking
• Web server defacement
• Denial of service (DoS)
• Remote control of the web server
• Modification of web application behaviour
• Data theft, data modification

Slide 14: Web application security
• An efficient and effective solution should protect against application-level attacks that target:
 – Users
 – Databases
 – Web servers
 – Web services
 – Web applications

Slide 15: Comparison of security measures
(Chart plotting effectiveness (protection achieved) against efficiency (cost/benefit ratio), each from low to high, for: code analysis, web application firewalls, penetration tests, security training for developers, vulnerability scans, IPS / deep inspection.)

Slide 16: Deny All Security Solutions

Slide 17: WAF = Web Application Firewall?

Slide 18: Why customers deploy
• Transactional applications
• Business data protection
• Web mail
• Application performance
• PCI compliance (PCI DSS 6.6)
• Web services protection

Slide 19: Company overview
• Initially developed and used by Société Générale; launched as an independent company in 2001
• More than 10 years in a production network, 24x7x365
• Leading European WAF vendor: 350+ customers across all sectors
• Protection of more than 13,000 web sites
• Worldwide operations: active in more than 25 countries, represented by own teams and/or certified partners
• Revenue: 60% in France, 40% international
Key partners for technology and hardware: (logos)

Slide 20: Deny All application firewall solutions
• rFTP – File Transfer Application Firewall
 – Immediate protection of file transfer services and applications
• rWeb – Web and XML Application Firewall
 – Complete protection, acceleration and simplification of web applications and the web services environment
• sProxy – Secure Web Accelerator
 – Acceleration and protection of your web data centre
 – High baseline protection with blacklist and scoring list

Slide 21: Architecture with reverse proxy, DMZ mode
(Diagram: the appliance sits in the public DMZ in front of the web server, application server, backend server/system, databases and SAP portal.)
• Architecture security improvement
• Application-level security
• Acceleration

Slide 22: Multi-DMZ mode
(Diagram: public DMZ with web front end and acceleration; private DMZ with authentication/filtering in front of the application server, backend server/system, databases and SAP portal.)
• 1st appliance: acceleration
• 2nd appliance: authentication and filtering

Slide 23: Security mechanisms: reverse proxy
(Slides 23 to 33 share a sidebar listing the mechanisms: reverse proxy, protocol inspection, black list, scoring list, white list, stateful cookie tracking, user behaviour tracking, client sanitization.)
• Reverse proxy: no direct access from the outside world
• Benefits
 – Applicative infrastructure virtualization
 – Powerful rewriting
 – Acceleration features

Slide 24: Security mechanisms: protocol inspection
• Protocol inspection
• URL normalization
• Anti-evasion
• Benefits
 – Able to detect and block attacks that have been encoded
 – Immediate protection against attacks that use protocol manipulation

Slide 25: Security mechanisms: black list
• Over 2000 signatures of web application vulnerabilities
• Periodically updated
• Automatic/manual upload
• Signature groups to improve performance
• Benefits
 – Immediate protection against known vulnerabilities
 – No need to know the application or the web server technology

Slide 26: Security mechanisms: scoring list
• Score every incoming request
• Drop the request when the score is too high
• The weights are the result of years of experience
• Integration of our know-how in a Plug&Play feature (10 years)
• Benefits
 – Very low level of false positives for attacks such as SQL injection, XSS and code injection compared to a simple black list
 – Blocks injections spread across multiple parameters
 – Able to block 97% of new vulnerabilities without any modification or adaptation (SQLi, XSS, HTMLi, LFI)

Slide 27: Unique WAF feature: scoring list
Pattern 1: ^select$ (weight = 0.50)
Pattern 2: ^union$ (weight = 0.25)
Pattern 3: ^from$ (weight = 0.25)
Request containing "union": weight = 0.25, not blocked
Request containing "union select": weight = 0.75, not blocked
Request containing "union select * from": weight = 1.00, blocked

Slide 28: High baseline protection with negative security
(Chart: security level from 0% to 100%, blacklist alone versus scoring list plus blacklist.)

Slide 29: Security mechanisms: white list
• Only expected requests will be granted
• Tools to generate the white list automatically
• Multiple security levels
• Benefits
 – Easy to set up
 – Improves the security level
 – Even a low white-list level improves the security level without increasing administration cost

Slide 30: Security mechanisms: stateful cookie tracking
• Signature
• Encryption
• Benefits
 – Immediate protection against cookie manipulation

Slide 31: Security mechanisms: anti brute force / anti DoS
• Multiple criteria (time, IP, cookie, response code ...)
• Multiple reactions (error page, slow down, redirect ...)
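As an added illustration of the scoring-list mechanism of slides 26 and 27 (this is not Deny All's code; the three patterns, their weights and the 1.00 threshold are taken from slide 27, while the tokenizer and the fourth pattern are assumptions), the following Python scores a request and also aggregates the score across all parameters, which slide 26 lists as a benefit over a plain black list:

```python
import re

# Constructed scoring list: (pattern matched against one token, weight).
# The first three entries and their weights are the ones shown on slide 27;
# the fourth is an assumed addition for illustration only.
SCORING_LIST = [
    (re.compile(r"^select$", re.IGNORECASE), 0.50),
    (re.compile(r"^union$", re.IGNORECASE), 0.25),
    (re.compile(r"^from$", re.IGNORECASE), 0.25),
    (re.compile(r"^(or|and)$", re.IGNORECASE), 0.15),  # assumed
]
BLOCK_THRESHOLD = 1.00  # slide 27: a score of 1.00 is blocked, 0.75 is not


def tokenize(value):
    """Split a parameter value into tokens; quotes, parentheses and
    operators act as separators so that "1'or'1'='1" still yields "or"."""
    return [t for t in re.split(r"[\s'\"();,=*/+<>]+", value) if t]


def score_value(value):
    """Sum the weight of every token that matches a scoring pattern.
    A token counts once, for the first pattern that matches it."""
    score = 0.0
    for token in tokenize(value):
        for pattern, weight in SCORING_LIST:
            if pattern.search(token):
                score += weight
                break
    return round(score, 2)


def score_request(params):
    """Aggregate over all parameters of a request, so an injection split
    across several fields (slide 26 benefit) still reaches the threshold."""
    return round(sum(score_value(v) for v in params.values()), 2)


def decide(params):
    """Return ("block", score) or ("allow", score) for one request."""
    score = score_request(params)
    return ("block" if score >= BLOCK_THRESHOLD else "allow", score)


if __name__ == "__main__":
    for sample in ({"id": "union"}, {"id": "union select"},
                   {"id": "union select * from"},
                   {"user": "union select", "pw": "from"},
                   {"q": "select your size"}):
        print(sample, "->", decide(sample))
```

The last sample shows why the weighting keeps false positives low: a search for "select your size" scores only 0.50 and passes, whereas a single-keyword black list would have to block or ignore "select" outright.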
• Benefits
 – Protects against attacks that can't be blocked with a positive or negative security model

Slide 32: Security mechanisms: client sanitization
Man-in-the-browser / Trojan (MITB)
• Operates inside the browser with full access
• Disclosure of sensitive data
• Manipulates transaction data
Spyware
• Typically operates from inside the browser, but may operate from other places
• Steals confidential information
Mitigation
• Secure services even on a possibly infected system
• Proactive protection features integrated in a browser
• Maximum security level without the need for a separate installation or admin rights
• No end-user configuration required
• Low overhead ensuring stable system speed

Slide 33: Security mechanisms: client sanitization, sequence
1. Client connects to the web site
2. rWeb forces the loading of the shield
3. Client connects from a secured browser

Slide 34: Web services protection
• Protocol validation
• Schema validation (WSDL, DTD, XSD ...)
• XPath enforcement
• Canonicalization
(Next feature)

Slide 35: SAP
(Diagram: public DMZ in front of the SAP service, SAP portal, backend server/system and databases.)
• Deny All provides SAP web applications protection
(Next feature)

Slide 36: Authentication
• Client certificates
• One-time password
• RSA SecurID
• RADIUS
• LDAP(S)
• Active Directory

Slide 37: SSO authorization
• CA SiteMinder

Slide 38: Web application visibility
• Visibility of web server response time
 – In the logs: total time – web server response time = rWeb processing time
• Visibility of user requests
 – Evidence of attacks (web servers don't log the entire traffic)
 – Debugging and improvement of web application behaviour

Slide 39: Acceleration
(Diagram: server load on the application server and backend server/system.)
• Cache
• TCP multiplexing
• SSL offload
• On-the-fly compression
• Improved user experience

Slide 40: Appliance high availability: active/active rWeb cluster
• Both nodes are active
• Failover < 1 s
• Up to 32 active nodes

Slide 41: Feature distribution
(Diagram: separate rWeb 4.0 instances for caching, filtering and load balancing.)

Slide 42: Back-end high availability / load balancing
• Algorithms:
 – Weighted
 – Round robin
 – Least requests
• Benefits:
 – Applicative health check
 – Session tracking
 – Web server "soft removal"
 – No need to implement HA mechanisms on web servers
 – Applicative HA
 – Scalable architecture

Slide 43: Management / administration
• Web 2.0 GUI
• SNMP (v2c, v3)
• Syslog
• Configuration synchronization
• Backup / restore

Slide 44: Reporting
(Screenshot only.)

Slide 45: Monitoring
• System health
• Overall throughput
• Security alerts
• Incident severity

Slide 46: Denyall security solutions
• Hide server from the Internet
• Protect against unknown vulnerabilities
• HTTP protocol validation
• Application zone restriction
• Protect against known vulnerabilities
• Sensitive data hidden
• Strong authentication
• Session protection
• Fewer servers needed
• Behaviour agreement
• Improved response time
• Isolate external sessions
• Remove any possibility of a jump

Slide 47: Benefits
• (Web application) security
• Acceleration
• Visibility on web applications
• Infrastructure optimisation

Slide 48: Contact
Deny All GmbH
Ingmar Lüdemann
+49 89 2001 9239
[email protected]
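As an added example of the "signature" mechanism listed under stateful cookie tracking on slide 30 (this is not Deny All's code; the secret, the tag format and the use of HMAC-SHA256 are assumptions), the following Python shows how a reverse proxy can sign a cookie or hidden-field value on the way out and reject a tampered one on the way back in, which is the class of manipulation demonstrated on slide 9:

```python
import base64
import hashlib
import hmac

# Constructed example: the proxy signs the values it sends to the client
# (cookies or hidden fields) and verifies them on every request, so a value
# changed in the browser is rejected before it reaches the application.
WAF_SECRET = b"constructed-example-secret"  # assumed; lives only on the appliance


def sign_value(value: str) -> str:
    """Append an HMAC-SHA256 tag, giving '<value>.<base64url tag>'."""
    tag = hmac.new(WAF_SECRET, value.encode("utf-8"), hashlib.sha256).digest()
    return value + "." + base64.urlsafe_b64encode(tag).decode("ascii").rstrip("=")


def verify_value(signed: str):
    """Return the original value if the tag is valid, otherwise None.
    The proxy blocks the request (or drops the cookie) on None."""
    value, sep, _tag = signed.rpartition(".")
    if not sep:
        return None  # no tag at all: stripped by the client or never signed
    # Recompute over the claimed value and compare in constant time
    if hmac.compare_digest(sign_value(value), signed):
        return value
    return None


if __name__ == "__main__":
    outbound = sign_value("price=100")      # what the browser receives
    tampered = "price=1." + outbound.rpartition(".")[2]  # hidden field edited
    print(outbound, "->", verify_value(outbound))
    print(tampered, "->", verify_value(tampered))
```

The tag covers the value only, so a value the proxy never issued cannot be forged without the secret; the "encryption" option on the same slide would additionally hide the value itself from the client.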