F5 - BigIP ASM introduction

6,483 views
6,117 views

Published on

Published in: Technology
0 Comments
6 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
6,483
On SlideShare
0
From Embeds
0
Number of Embeds
17
Actions
Shares
0
Downloads
499
Comments
0
Likes
6
Embeds 0
No embeds

No notes for slide
  • A1 –Injection•Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.A2 –Cross-Site Scripting (XSS)•XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.A3 –Broken Authentication and Session Management•Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, session tokens, or exploit other implementation flaws to assume other users’ identities.A4 –Insecure Direct Object References•A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.A5 –Cross-Site Request Forgery (CSRF)•A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.A6 –Security Misconfiguration•Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. All these settings should be defined, implemented, and maintained as many are not shipped with secure defaults. This includes keeping all software up to date, including all code libraries used by the application.A7 –Insecure Cryptographic Storage•Many web applications do not properly protect sensitive data, such as credit cards, SSNs, and authentication credentials, with appropriate encryption or hashing. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes.A8 -Failure to Restrict URL Access•Many web applications check URL access rights before rendering protected links and buttons. However, applications need to perform similar access control checks each time these pages are accessed, or attackers will be able to forge URLs to access these hidden pages anyway.A9 -Insufficient Transport Layer Protection•Applications frequently fail to authenticate, encrypt, and protect the confidentiality and integrity of sensitive network traffic. When they do, they sometimes support weak algorithms, use expired or invalid certificates, or do not use them correctly. A10 –Unvalidated Redirects and Forwards•Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
  • Spring 2009 Website Security Statistics Report from WhiteHat Security82% of websites have had a HIGH, CRITICAL, or URGENT issue 63% of websites currently have a HIGH, CRITICAL, or URGENT issue 60% vulnerability resolution rate among sample with 7,157 (out of 17,888 historical vulnerabilities) unresolved issues remaining as of 3/31/09 Vulnerability time-to-fix metrics are not changing substantively, typically requiring weeks to months to achieve resolution. Average # of HIGH, CRITICAL, or URGENT severity vulnerabilities per website during the vulnerability assessment lifetime: 17 Average number of serious unresolved vulnerabilities per website: 7 Average number of inputs (attack surface) per website: 227 Average ratio of vulnerability count / number of inputs: 2.58%
  • Out of the box securityLog and report all application trafficProvides L2->L7 protectionPCI ComplianceComprehensive protection for all web app vulnerabilitiesSecurity policy enforcement inbound (Request) as well as outbound (Response) traffic protecting the application from attacks including OWASP top 10
  • Dos Configuration:Integratesapp latency measurement with client TPS measurement to gain visibility of the application sessionsThe integration and visibility then enable us to put the session into context, “what should or should not happen,” and apply policy.If conditions don’t conform to policy, take action by rate-limiting offending client. Layer 7 DoSProctection– Block application DoS attacks and increase end-user application performance with accurate triggers and automatic controls. This is based on a detection element and three different prevention methods which are applied one after another for in-depth prevention measures and techniques.Brute Force Protection – Detect and mitigate high volume failed login requests. ASM monitors server responses and when it detects multiple login failures related to a Brute Force Attack, ASM slows the requesting browser down.
  • Now we have consolidated PCI reports. With new PCI reporting, BIG-IP ASM details security measures required by PCI DSS 1.2, if you are in compliance and if not, steps required to become compliant.
  • A1 –Injection•Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.A2 –Cross-Site Scripting (XSS)•XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.A3 –Broken Authentication and Session Management•Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, session tokens, or exploit other implementation flaws to assume other users’ identities.A4 –Insecure Direct Object References•A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.A5 –Cross-Site Request Forgery (CSRF)•A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.A6 –Security Misconfiguration•Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. All these settings should be defined, implemented, and maintained as many are not shipped with secure defaults. This includes keeping all software up to date, including all code libraries used by the application.A7 –Insecure Cryptographic Storage•Many web applications do not properly protect sensitive data, such as credit cards, SSNs, and authentication credentials, with appropriate encryption or hashing. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes.A8 -Failure to Restrict URL Access•Many web applications check URL access rights before rendering protected links and buttons. However, applications need to perform similar access control checks each time these pages are accessed, or attackers will be able to forge URLs to access these hidden pages anyway.A9 -Insufficient Transport Layer Protection•Applications frequently fail to authenticate, encrypt, and protect the confidentiality and integrity of sensitive network traffic. When they do, they sometimes support weak algorithms, use expired or invalid certificates, or do not use them correctly. A10 –Unvalidated Redirects and Forwards•Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
  • What is a Cross Site Request Forgery (CSRF) attack?In a CSRF attack a hacker is forcing the browser to send a stealth valid request which the attacker created to a website in which the victim has a sessionWhat are the dangers?Attackers can execute full transactions that can be used for finance fraud, DOS – anything)Hard for victims to prove that they didn’t commit the transactionsHard to trace the origin
  • ASM can display the attacks based on country category. It’s easier for administrator to monitor where attacks are from and using policy to control that more efficiently
  • Monitors URIs for Server Latency - ASM monitors and reports the most requested URIs and every URI for server latency. BIG-IP ASM obtains visibility to slow server scripts and troubleshoots server code that causes latency. We basically monitor top accessed pages for a web application, for last hour, last day and last week. For these pages we provide average TPS and average latency.  In addition for every web application, we also provide a list of top accessing source IP address, with TPS and throughput for every IP address.  These monitoring capabilities allow the admin visibility on how the application is being accessed and how it is behaving.
  • F5 - BigIP ASM introduction

    1. 1. 1 BIG-IP ASM Comprehensive Application SecurityPresenter
    2. 2. 2Attacks are Moving “Up the Stack” Network Threats Application Threats 90% of security 75% of attacks focused investment focused here here Source: Gartner
    3. 3. 3Almost every web application is vulnerable!• “97% of websites at immediate risk of being hacked due to vulnerabilites! 69% of vulnerabilities are client side-attacks” - Web Application Security Consortium• “8 out of 10 websites vulnerable to attack” - WhiteHat “security report ”• “75 percent of hacks happen at the application.” - Gartner “Security at the Application Level”• “64 percent of developers are not confident in their ability to write secure applications.” - Microsoft Developer Research
    4. 4. 4Figure 2 and 5: 10th Website Security Statistics Report (Q3 2010)
    5. 5. 5How long to resolve a vulnerability? Website Security Statistics Report
    6. 6. 6 Developers are asked to do the impractical...Application Security? Application PatchingApplication ApplicationDevelopment Scalability Application Performance
    7. 7. 7Who is responsible for applicationsecurity? Web developers? Network Security? Engineering services? DBA?
    8. 8. 8Traditional Security Devices vs. WAF Network IPS ASM Firewall Known Web Worms Limited   Unknown Web Worms X Limited  Known Web Vulnerabilities Limited Partial  Unknown Web Vulnerabilities X Limited  Illegal Access to Web-server files Limited X  Forceful Browsing X X  File/Directory Enumerations X Limited  Buffer Overflow Limited Limited  Cross-Site Scripting Limited Limited  SQL/OS Injection X Limited  Cookie Poisoning X X  Hidden-Field Manipulation X X  Parameter Tampering X X  Layer 7 DoS Attacks X X  Brute Force Login Attacks X X  App. Security and Acceleration X X 
    9. 9. 9 Web Application Firewall - ASM Intelligent Client Network Plumbing Application Infrastructure Application Buffer Overflow DDOS Brute Force Cross-Site Scripting SQL/OS Injection Error Messages Cookie Poisoning HTTP/S Traffic Non-compliant ContentHidden-Field Manipulation Credit Card / SSN data Application DoS Attacks Server Fingerprints IPS App User Firewall App VPN Firewall IDS-IDP Anti-Virus
    10. 10. 10 Leading web attack protection BIG-IP Application Security ManagerUsers o Protect from latest web threats o Out-of-the box deployment Web Application o Meeting PCI compliance Security o Quickly resolve vulnerabilities o Improve site performanceWeb Applications Private Public Physical Virtual Multi-Site DCs Cloud
    11. 11. 11Automatic DOS Attack Detection andProtectiono Accurate detection technique – based on latencyo 3 different mitigation techniques escalated seriallyo Focus on higher value productivity while automatic controls intervene Detect a DOS condition Identify potential attackers Drop only the attackers
    12. 12. 12PCI Compliance Reporting PCI DSS reporting: • Details security measures required • Compliancy state • Steps to become compliant
    13. 13. 13Protection from all of the top vulnerabilities• OWASP Top 10 Web Application Security Risks: – A1: Injection – A2: Cross-Site Scripting (XSS) – A3: Broken Authentication and Session Management – A4: Insecure Direct Object References – A5: Cross-Site Request Forgery (CSRF) – A6: Security Misconfiguration – A7: Insecure Cryptographic Storage – A8: Failure to Restrict URL Access – A9: Insufficient Transport Layer Protection – A10: Unvalidated Redirects and Forwards
    14. 14. 14Example: OWASP Top 5 - CSRF Attack CSRF Attack example 1. Mobile user logs in to a trusted site Trusted Web 2. Session is authenticated Encrypted Site Trusted Action 3. User opens a new tab e.g., chat 4. Hacker embeds a request in the chat 5. The trusted link asks the browser to send a request to the hacked site
    15. 15. 15Reporting
    16. 16. 16Application visibility and reportingMonitor URIs for server latency • Troubleshoot server code that causes latency

    ×