Transcription
Web Applikationen: Die intelligente Kombination vonSchutzmechanismen macht den UnterschiedDaniel Estermann, M.Sc.Web Applikationen: Die intelligente Kombinationvon Schutzmechanismen macht den UnterschiedWeb Application Security ist heute schon hochkomplex und die Komplexität wird sichmit der weiteren Entwicklung von Online-Services noch rasant erhöhen. Selbst der beste Programmierer kann nicht jede Angriffsmöglichkeit auf Web Applikationen kennen,zudem sind sie auch nur Menschen und machen ab und zu Fehler. Gemäß Gartnerweisen drei Viertel der Web Applikationen Sicherheitslücken auf. Um diese Situation zuverbessern sind neben regelmäßigen Security Audits noch weitere, vor allem proaktiveMaßnahmen angebracht. Eines der effektivsten Mittel ist der Einsatz einer Web Application Firewall. Der Vortrag erklärt bewährte Architekturmuster wie - proaktiver Schutz vorunbekannten Attacken dank dynamischem Whitelisting- Single-Sign-On mit vorgelagerter Authentisierung- Hohe Verfügbarkeit und Sicherheit kombiniert in einer Web Application Firewall. Durch die intelligente Kombination von Schutzmechanismen könnenEntwickler sich vermehrt auf die Business Logik konzentrieren und verkürzen so die Timeto-Market. Neben Schutz und Optimierung der Webumgebung wird zudem auch dieCompliance verbessert (z.B. durch Sicherstellung des PCI Data Security Standard – PCIDSS).Daniel Estermann, M.Sc.Daniel Estermann besitzt einen Master Abschluss in Informatik der EidgenössischenTechnischen Hochschule (ETH Zürich) mit den Schwerpunkten Informationssicherheitund Kryptographieund studierteaußerdemBetriebswirtschaft imNebenfach.Daniel Estermann beschäftigt sich seit über zehn Jahren intensiv mit Web Applikationen: Er kennt den Spagat zwischen Einhaltung von Projektterminen und sicherer Anwendungsentwicklung aus seiner Zeit als Entwickler und Projektleiter von anspruchsvollen Enterprise-Anwendungen. Bei Visonys (jetzt phion) konnte er diese Erfahrungen indie Entwicklung und Betriebsführung der Web Application Firewall 'airlock' einbringen.Als Professional Service Leiter lernte Estermann dort insbesondere auch den Blickwinkelder IT-Betreiber kennen. Nach der Übernahme durch phion steuert er nun als ProduktManager die strategische Weiterentwicklung der phion airlock Produktlinie.
Web Application SecurityWas bringt eineWeb Application Firewall?Daniel EstermannDipl. Informatik Ing. ETH ZürichProduct Manager Web Application Securityphion AG phion AGImagine This is your Webapplication server: in the center thereis your Webapplicationthe users are theaudiencelet‘s have a closerlook.Everything undercontrol? Slide 2 phion AGGoals and Challenges Stadium sold out Lots of goals Good ambiance Smooth operations No riots Keep away hooligansand other troublemakersSlide 3 phion AG1
Exposure, Attacks, Vulnerabilities, Threats Cross Site Scripting Denial of Service Forceful BrowsingSlide 4 phion AGAbout phion AG Founded in 2000 HQ in Innsbruck Regional offices in Vienna, Munich, Düsseldorf, Zurich,Milan, London, Amsterdam, Dubai Since July, 4th 2007 plc atVienna Stock Exchange (mid market) Numerous international customers from the Fortune 500public and health sectorsfinancial services (up to 85% of Austrian and Swiss banks)Leading enterprise security from the heart of Europe: Gartner: listed in the ‘visionaries’ quadrant in Gartner’s ‘Magic Quadrant forEnterprise Network Firewalls’; November 2008.Burton Group: Enterprise Firewalls and Perimeter Architecture, 3 Nov 2005Leading Web Application Firewall vendor in central EuropeSlide 5 phion AGHistory of airlock Swiss Startup Seclutions, later renamed to Visonys Part of phion since June 2008, 2nd phion HQ in Zurich Highly qualified development & professional services teams Clear Focus on Web Application Security since 1996 Strong historical background in finance industry Evolved into a standard product ”airlock” in 2001 Large Customer Base & Top References About 200 productive installations in 8 countries References in government, banks, insurances, industry, portals etc.GLOBALSECURITYALLIANCESlide 6 phion AG2
Target No. 1: Web Applications Network has become increasingly hardened Number of web-based applications and theircomplexity exploded Additional classes of web applicationvulnerabilities classes were discovered Attackers began targeting end users, particularlywith the emergence of web 2.0 applications anduser-generated content deliveryHow do we protectour applicationsand data?Slide 7 phion AGSecurity Instruments Compared There is no silver bullet:Web Application Security is alwaysa combination of instruments.But not every instrument isin the “magic quadrant”.CodeAnalysisEffectivity SecurityPenetrationTestsWeb ApplicationFirewallSecurity Trainingfor developersIPS / DeepInspectionVulnerabilityScanningEfficiency Cost vs. ValueSlide 8 phion AGDeployment example: Entry Server (Reverse Proxy)Application Servere Business, e Banking, e Government or e LearningApplication ServerWeb Services, B2B ApplicationApplication ServerWAFSSH--Admin, Terminal Services, ESSHE-Mailacts asreverse proxyAntivirus 2B ClientSecuredAreaWeb ClientRemote AccessDMZInternetAttackerSlide 9 phion AG3
Typical WAF FeaturesMulti-LevelFilteringSSLTermination Black/Whitelist Protocols SOAP/XML Cookies Encryption OffloadingAccessControl Authentication Autorization Single Sign On IAMWeb ApplicationFirewall (WAF)SecureSessionHandling Tracking Anti-HijackingManagement& Admin Secure OS Configuration Operation DeploymentReverseProxy TCP/IP term. Virtualization Flow control RewritingDelivery &Availability Loadbalancing Compression ClusteringMonitoring& Reports Log analysis Statistics Alerting AuditSlide 10 phion AGSecurity for Application ServersWHOMare we dealing with?Access ControlWHATare we dealing with?FilteringSlide 11 phion AGSlide 12 phion AGMulti-Level Filtering Strict flowcontrol Multiple validationprocesses Filtering allRequests and Data Real dynamicWhitelist Filtering4
Blacklist Filter: Negative Security Model Examples: Virus/Malware ScannerIDS/IPSAirport Security X-RayIssues Thousands of signaturesCritical timingCompletely reactive, always behindPrevents only known attacksEvasion techniques possibleBlacklist Filter are necessarybut not sufficient against today‘stargeted attacks!Slide 13 phion AGWhitelist Filter: Positive Security Model Everything forbiddenunless allowed explicitly Prevents unknown attacks Challenge:How to define good andeasy to manage whitelistrules? Key questions:What is good (allowed) intoday‘s dynamic applicationenvironments?Slide 14 phion AGWhitelisting Web Applications Enforcement of valid Web application usage Valid URLs Valid Parameters Length restrictions according to input fields Verification of predefined values (selections,hidden fields, radio buttons, etc) Protection against type or range violationsSlide 15 phion AG5
WAF whitelisting approaches Manual whitelist rules Too much work for complex applications Static ruleset Makes sense for critical hotspots (e.g. login page) Learning mode Records „good“ traffic during learning phase Generates static whitelist ruleset Strong dependency on application content High maintenance cost Dynamic whitelisting Learning at runtime Allow only URLs generated by the application Often session-based allows to protect application flowSlide 16 phion AGDynamic Whitelisting: URL Encryption ExampleUser requests start page: https://www.myapp.comCRMApplication sends HTML containing plain URLs likeERPhttp://192.168.1.123/news.php?include news.txtAny WebApplicationUser browser receives encrypted URLs:https://www.myapp.com/ ted requests are blocked:https://www.myapp.com/news.php?include ./././././etc/passwd Error!Slide 1717AG phionLive Hacking Demo HacmeBooks (Foundstone/McAfee) Bookshop Java2 Enterprise Web Application Several intentional vulnerabilities Used for training and demosBoth HacmeBooks and airlock arerunning on VMwareSlide 18 phion AG6
Dynamic Whitelisting: BenefitsURL EncryptionSmart Form Protection Effective protection againstforceful browsing Cryptographic protection ofHTML forms URLs and parameters 100%protected Only valid inputs allowed Automatic protection of hiddenfields, selection lists, etc Dynamic, no static configuration Topology and technology hiding Dynamic, no static configurationApplication dynamically defines validURLs, parameters and values.WAF enforces valid usage!19AG phionSlide 19Access ControlWHOMare we dealing with?Access ControlWHATare we dealing with?FilteringSlide 20 phion AGAccess Control Identity PropagationFine-AutorizationUserDirectory(who can access what data?)WebApplicationIdentity ManagementSlide 21 phion AG7
Access Control (Real Life)AnonymoususerAuthentication maydepend on user type,role and origin cationServiceWAFCA Cert.PartnerPortalCustomersPartnersPublicWeb SiteCRMEmployeesWeb ShopERPCMSAdmin*ACE/RadiusServerSlide 22 phion AGIdentity Propagation (1)1. Authenticate user (once)userid:samplepassword: e 23 phion AGIdentity Propagation (2)1. Authenticate user (once)2. Fetch identity information from directory (once)CMS:Authenticatioid sampleERP:n Serviceroles employee,WAFuserid ployee, saleserp-userid: s.userUserfirst name: sampleDirectorylast name: userSlide 24 phion AG8
Identity Propagation (3)1. Authenticate user (once)2. Fetch identity information from directory (once)3. Propagate user identityto each web application (with each request)CMS:id sampleERP:airlockroles employee,userid s.usersalesSingle sign-on Access web applicationswithout logging in againCMSERPSlide 25 phion AGIdentitiy Propagation Techniques Basic-Auth headerAdd a basic-authentication header to each requestExample: Authorization: Basic c2FtcGxlOnBhc3N3b3Jk[ base64(“sample:password“) ] Cookie/HeaderAdd a cookie or arbitrary http header containing any user details,e.g. userid rolesExample: SAP USER ID: sampleExample: Cookie: USER INFO sample;sales,employeeExample: Cookie: ASSERTION ********************** SAML Assertion Kerberos TicketIn the name of the user, get a Kerberos ticketfor the desired server and add it to each request.The user does not even have to provide his password!(encrypted/signed)Slide 26 phion AGKerberos Identity sAgentWAFhttps Control API(SSL Client Cert.Auth.)WindowsServer 2003 http(s) SPNEGO/KerberosWindowsWeb ServerIIS, ISA, Exchange,Sharepoint etc.Kerberos v5TicketActiveDirectoryKDCWindows/Kerberos DomainSlide 27 phion AG9
Access Control: Typical Features of a WAF Simply connect existing user directories (LDAP, AD,SQL/DB) and authentication servers (RADIUS, RSA/ACE) Authorization based on group membership or any otherdirectory information Single Sign-on Secure session handling Multiple authentication levels depending on application Change authentication scheme without touching theapplications Auditing, monitoring and usage analysis(optional user id in logs)Slide 28 phion AGPreceding Authentication: Benefits Developers can focus on business logic Ease of use (e.g. Single Sign-On) Maximum security Flexibility and speedby separating application and authentication:Change the authentication scheme without touching theapplicationsAdd new applications to a SSO domain quickly Cost and time savings in application development Slide 29 phion AGCookie Protection Pass-through Encrypt or sign conventional, may be read and manipulated in the browserWAF encrypts/signs cookie before sending it to the browserCookie not forgeable because a valid signature/encryption isrequiredStore cookies are not sent to the browserbut held in the user session on the WAFSlide 30 phion AG10
Protecting Web ServicesSOAP/XML FilterBuilt-in or add-on module Typical Features: Well formatted validationSchema/WSDL validationMethods selectionBlacklists for typical attacksBackend parser protectionFull request loggingSlide 31 phion AGWhy a Web Application Firewall?Typical Drivers are. mostly security (prevent attacks) compliance (e.g. PCI DSS) sometimes also application delivery(high availability, load balancing etc.) puzzle piece in a IdentityManagement/SSO projectSlide 32 phion AGWAF Recommendations Make WAF part of an overall applicationsecurity strategy. Consider layering of WAFfunctionality to minimize risk and maximizeflexibility.Involve enterprise architects, applicationdelivery, and developers in order to maximizebenefit and comfort with security controls.Strongly consider non core-WAFfunctionality during evaluationand ensure these are in line with evolving deliveryand development models. Use out-of-the box black list rules for basicsecurity, but prepare to spend time and effort tocustomize in order to achieve proper efficacy. Exercise application change process duringevaluation to guess maintenance costsSlide 33 phion AG11
Looking from the right angle Looking at network packets issometimes a too narrow view.Slide 34 phion AGLooking from the right angle Only a WAF has the full picturebecause it works on the application levelSlide 35 phion AGThank you!Slide 3612
in the "magic quadrant". Effectivity Security Efficiency Cost vs. Value IPS / Deep Inspection Vulnerability Scanning Web Application Firewall Penetration Tests Code Analysis . IAM Multi-Level Filtering Black/Whitelist Protocols SOAP/XML Cookies Delivery & Availability Loadbalancing Compression Clustering SSL .
