Web Application Firewall (WAF) as a Living, Intelligent, Self-Learning Organism

F5 Networks presentation from the Virtualization Forum 2018 conference
Clarion Congress Hotel Prague, 25.10.2018

  1. Web Application Firewall (WAF): Dynamic Multi-Layered Security. Request flow: request made → BIG-IP ASM applies security policy → vulnerable application → server response generated → BIG-IP ASM security policy checked → secure response delivered.
     • Provides transparent protection from ever-changing threats
     • Ensures application availability while under attack
     • Deployed as a full proxy or transparent full proxy (bridge mode)
     • Drop, block or forward request
     • Application attack filtering & inspection
     • SSL, TCP, HTTP DoS mitigation
     • Response inspection for errors and leakage of sensitive information
  2. Traditional Security Devices vs. WAF. Comparison table with columns Network/Next Gen Firewall, IPS and WAF (App. Security and Acceleration) against these attack categories: Known Web Worms, Unknown Web Worms, Known Web Vulnerabilities, Unknown Web Vulnerabilities, Illegal Access to Web-server Files, Forceful Browsing, File/Directory Enumeration, Buffer Overflow, Cross-Site Scripting, SQL/OS Injection, Cookie Poisoning, Hidden-Field Manipulation, Parameter Tampering, Layer 7 DoS Attacks, Brute Force Login Attacks. The WAF column is marked ✓ for every category; the Network/Next Gen Firewall and IPS columns are marked X, Limited or Partial.
  3. Looks like Groundhog Day... https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
  4. Four Ways to Build a WAF Policy (security policy checked / security policy applied):
     • Dynamic Policy Builder (automatic): no knowledge of the app required; adjusts policies if the app changes
     • Manual: advanced configuration for custom policies
     • Integration with app scanners: virtual patching with continuous application scanning
     • Pre-built policies (out-of-the-box): pre-configured and validated; for mission-critical apps including Microsoft, Oracle, PeopleSoft; Rapid Deployment Policy
  5. Start with a Negative Policy: Rapid Deployment Policy
     • Baseline: HTTP compliance check; signatures in staging mode; Dataguard; transparent mode
     • Evolution: blocking mode; enforcement of signatures; manual learning, staging & enforcement of entities
  6. Start with a Positive Policy: Dynamic Policy Builder
     • Baseline: automatic learning & staging of signatures and entities (URLs, files, parameters)
     • Evolution: blocking mode; manual or automatic enforcement of signatures; manual or automatic enforcement of entities
  7. Automatic Traffic Learning: displays the learning score, which shows how far a suggestion is from being added to the policy.
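The staging and learning lifecycle described on slides 5 to 7 can be modelled in a few dozen lines. The following is an added example, not F5 BIG-IP ASM code: signatures form the negative policy and URL entities the positive one, both start in staging (violations alarm but do not block), unknown URLs accumulate a learning score from distinct sources until they are staged, and only enforced items can block, and only in blocking mode. The signature patterns, the three-source threshold and the request shape are assumptions made for the example.

```python
"""Toy positive/negative WAF policy with staging and learning (added example;
not F5 BIG-IP ASM code).  Signatures are the negative policy, URL entities the
positive one; both pass through staging before they are enforced."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Negative policy: attack signatures.  Patterns are constructed for the example.
SIGNATURES = {
    "sql_union": re.compile(r"\bunion\b.*\bselect\b", re.I),
    "xss_script": re.compile(r"<\s*script", re.I),
}


@dataclass
class Policy:
    blocking_mode: bool = True          # False = transparent mode: alarm only, never block
    enforce_entities: bool = False      # becomes True once the first URL entity is enforced
    learning_threshold: int = 3         # assumed: distinct sources needed before a URL is staged
    staged_signatures: set = field(default_factory=lambda: set(SIGNATURES))
    allowed_urls: set = field(default_factory=set)
    staged_urls: set = field(default_factory=set)
    suggestions: dict = field(default_factory=lambda: defaultdict(set))
    log: list = field(default_factory=list)

    # --- learning (slides 6 and 7) ---------------------------------------
    def learn(self, url, source_ip):
        """Record a learning suggestion for an unknown URL.  The score is the
        number of distinct sources; at the threshold the URL moves to staging.
        Returns True the moment it is staged."""
        self.suggestions[url].add(source_ip)
        if (len(self.suggestions[url]) >= self.learning_threshold
                and url not in self.allowed_urls and url not in self.staged_urls):
            self.staged_urls.add(url)
            return True
        return False

    def learning_score(self, url):
        """Percent of the way to being added to the policy."""
        return min(100, 100 * len(self.suggestions[url]) // self.learning_threshold)

    # --- enforcement ------------------------------------------------------
    def enforce_url(self, url):
        self.staged_urls.discard(url)
        self.allowed_urls.add(url)
        self.enforce_entities = True

    def enforce_signature(self, name):
        self.staged_signatures.discard(name)

    # --- request evaluation ----------------------------------------------
    def evaluate(self, request):
        """Return (decision, violations); decision is 'allow', 'alarm' or 'block'.
        request = {"url": str, "src": str, "params": {name: value}}."""
        violations, block = [], False
        # Negative policy: run every signature over every parameter value.
        for pname, value in request["params"].items():
            for sig, pattern in SIGNATURES.items():
                if pattern.search(value):
                    staged = sig in self.staged_signatures
                    violations.append(f"signature {sig} in {pname}{' (staging)' if staged else ''}")
                    block |= not staged          # staged signatures only alarm
        # Positive policy: is the URL an entity the policy knows?
        url = request["url"]
        if url in self.staged_urls:
            violations.append(f"illegal URL {url} (staging)")
        elif url not in self.allowed_urls:
            self.learn(url, request["src"])
            violations.append(f"illegal URL {url} (learning, score {self.learning_score(url)})")
            block |= self.enforce_entities       # only blocks once entities are enforced
        if not violations:
            return "allow", []
        decision = "block" if (block and self.blocking_mode) else "alarm"
        self.log.append((decision, violations))
        return decision, violations
```

The point to notice is the separation of the two decisions: whether a violation exists, and whether the policy is allowed to act on it. Staging keeps a new signature or entity from ever blocking until an operator (or an automatic enforcement rule) promotes it, which is what lets a policy start transparent and tighten over time without an outage.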
  8. The Rise of the Bots
     • 52% of Internet traffic is automated
     • 77% of 2016 web application breaches involved the use of bots
     • 98.6M bots observed
     Source: Internet Security Threat Report, Symantec, April 2017, http://bit.ly/2FOtjA6
  9. Affected Devices (timeline chart of thingbots, 2008 to 2018). Bots on the chart: SORA, OWARI, UPnPProxy, OMNI, RoamingMantis, Wicked, VPNFilter, Brickerbot, WireX, Reaper, Mirai, BigBrother, Rediation, Remaiten, Moon, Aidra, Hydra, Satori family, Amnesia, Persirai, Masuta, PureMasuta, Hide 'N Seek, JenX, OMG, DoubleDoor, Crash Override, Gafgyt family, Darlloz, Marcher, Psyb0t, Hajime, Trickbot, IRC Telnet, Annie. Affected device types: CCTV, DVRs, WAPs, set-top boxes, media centers, Android, wireless chipsets, NVR surveillance, Busybox platforms, smart TVs, VoIP devices, cable modems, ICS, SOHO routers, iOS, IP cameras. 74% were discovered in the last 2 years. Source: https://www.f5.com/labs
  10. Thingbot Attack Type (the same 2008 to 2018 thingbot timeline, by attack type). Attack types: DNS hijack, DDoS, PDoS, proxy servers, unknown, rent-a-bot, install-a-bot, multi-purpose bot, fraud trojan, ICS protocol monitoring, Tor node, sniffer, credential collector, crypto-miner. Trend: shifting from primarily DDoS to multi-purpose. Source: https://www.f5.com/labs
  11. Bot Detection and Mitigation
     • Bot signatures: categorizing bots into bad bots and good bots
     • Proactive Bot Defense can detect and mitigate automation bots and headless-browser bots
  12. Bots and Mobile Devices
     • Web application traffic today comprises ~40% (and growing) mobile devices
     • The target clients are NOT mobile web browsers, which are treated like regular clients, but mobile applications
     • Solution: Anti-Bot Mobile SDK
  13. L7 DoS Is Not Rocket Science! (layers: Application, SSL, DNS, Network)
  14. Medusa Botnet: Attacks on the Server Stack, Low and Slow
     • Botnet specifically built to generate powerful L7 "low and slow" attacks
     • 30k RPS with <100 bots
     • Evades bot DDoS protections
     • Recently used in DDoS against Russian banks ("site:youtube.com medusa botnet")
  15. Accurate Detection with Behavioral Analytics
     • 1. Machine Learning: F5 learns normal traffic baselines
     • 2. Stress Monitoring: F5 detects abnormal application stress
     • 3. Dynamic Signatures: F5 identifies bad traffic and bad actors
     • 4. Attack Mitigation: F5 shuns bad traffic automatically
  16. Dynamic signature attributes (BaDOS)
     • Signature ID: contains the ID of the generated signature
     • Deployment State: Mitigate, Detect Only, Learn Only, Disabled. Enabled here because the DoS profile did not require signatures to be approved, request signature detection was enabled, and the feature was configured for Standard mitigation
     • Approval State: Manually Approved or Unapproved
     • Shareability: valid for persistent signatures only; allows the signature to be used across other protected objects/virtual servers upon approval
     Attack mitigation in progress: the signature evolves and becomes more accurate as time progresses, and new signatures are dynamically generated as attack traffic changes. Without BaDOS, a security admin would need to manually tune mitigation rules; BaDOS does it for them!
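To make the four-step loop on slide 15 concrete (learn a baseline, detect stress, derive a dynamic signature, mitigate), here is an added example written for this page; it is not F5's BaDOS implementation. It runs over constructed request tuples: 40 seconds of normal browsing at 5 requests per second, with a burst of scripted clients hitting one URL during the last ten seconds. The traffic, the stress rule (rate above mean + 3σ or twice the mean) and the signature rule (an attribute value that carries at least half of the stressed traffic and at least three times its baseline share) are assumptions chosen for the example.

```python
"""Behavioral L7 DoS detection in four steps (added example, not F5 BaDOS code):
1 learn a baseline, 2 detect stress, 3 build a dynamic signature, 4 mitigate."""
from collections import Counter
from itertools import cycle
from statistics import mean, pstdev

UA, URL = 2, 3   # column indexes in a request tuple (second, src_ip, user_agent, url)


def build_traffic():
    """Constructed traffic, not real logs: 5 rps of normal browsing for 40 s,
    plus 40 rps from 30 scripted clients against /search during seconds 30-39."""
    ua = cycle(["Mozilla/5.0 (Windows NT 10.0)", "Mozilla/5.0 (Macintosh)", "Mozilla/5.0 (X11; Linux)"])
    url = cycle(["/", "/search", "/login", "/account"])
    ip = cycle(f"203.0.113.{i}" for i in range(1, 21))
    bot_ip = cycle(f"198.51.100.{i}" for i in range(1, 31))
    reqs = []
    for sec in range(40):
        reqs += [(sec, next(ip), next(ua), next(url)) for _ in range(5)]
        if sec >= 30:
            reqs += [(sec, next(bot_ip), "python-requests/2.25", "/search") for _ in range(40)]
    return reqs


def attribute_shares(window):
    """Fraction of requests carrying each user-agent / URL value."""
    total = len(window) or 1
    return {col: {v: n / total for v, n in Counter(r[col] for r in window).items()}
            for col in (UA, URL)}


def learn_baseline(reqs, learn_until):
    """Step 1: mean/std of requests per second and attribute shares before learn_until."""
    window = [r for r in reqs if r[0] < learn_until]
    rates = Counter(r[0] for r in window)
    series = [rates.get(s, 0) for s in range(learn_until)]
    return {"mean": mean(series), "std": pstdev(series), "shares": attribute_shares(window)}


def detect_stress(reqs, baseline, k=3.0):
    """Step 2: seconds whose rate is abnormal.  A stand-in for real stress
    monitoring, which watches server-side latency rather than raw rps."""
    limit = max(baseline["mean"] + k * baseline["std"], 2 * baseline["mean"])
    return sorted(s for s, n in Counter(r[0] for r in reqs).items() if n > limit)


def build_signature(reqs, baseline, stressed, min_share=0.5, lift=3.0):
    """Step 3: attribute values that dominate the stressed window and are
    over-represented versus the baseline form the dynamic signature."""
    stressed = set(stressed)
    window = [r for r in reqs if r[0] in stressed]
    sig = {}
    for col, shares in attribute_shares(window).items():
        for value, share in shares.items():
            if share >= min_share and share >= lift * baseline["shares"][col].get(value, 0.0):
                sig[col] = value
    return sig


def mitigate(reqs, signature, stressed):
    """Step 4: during stress, drop requests matching every attribute of the
    signature; count offending sources as bad actors."""
    stressed = set(stressed)
    passed, dropped, actors = [], [], Counter()
    for r in reqs:
        if signature and r[0] in stressed and all(r[c] == v for c, v in signature.items()):
            dropped.append(r)
            actors[r[1]] += 1
        else:
            passed.append(r)
    return passed, dropped, actors


def run():
    reqs = build_traffic()
    base = learn_baseline(reqs, learn_until=30)
    stressed = detect_stress(reqs, base)
    sig = build_signature(reqs, base, stressed)
    passed, dropped, actors = mitigate(reqs, sig, stressed)
    return {"baseline_rps": base["mean"], "stressed": stressed,
            "signature": {("ua" if c == UA else "url"): v for c, v in sig.items()},
            "passed": len(passed), "dropped": len(dropped), "bad_actors": len(actors)}


if __name__ == "__main__":
    print(run())
```

Two design points matter for a low-and-slow attack like the Medusa case on slide 14. First, the signature is a conjunction of attributes, so legitimate users who happen to browse the targeted URL with an ordinary browser keep passing; only the combination that is over-represented under stress is dropped. Second, raw request rate is only a proxy here: a low-and-slow attack may never push rps above baseline, which is why slide 15 keys detection on application stress (latency, resource exhaustion) rather than volume, with the same signature step applied once stress is observed.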
  18. DataSafe
  19. How form-grabbing malware steals credentials (Attacker, Victim, Web Site, Drop zone):
     • The victim is infected with malware
     • The victim makes a secure connection to a web site; this triggers the malware
     • The victim enters data into the web form; this content can be stolen by the malware
     • The victim submits the web form; the information is encrypted (SSL/TLS) and sent to the web server
     • The information is also sent to the drop zone in clear text
  20. Credential Stealing Mitigation Options: DataSafe. For defined parameters you can enable:
     • Encrypt: encrypts the parameter's value attribute (e.g. the provided password)
     • Substitute Value: substitutes the parameter's value with a random value while the form is being filled
     • Obfuscate: encrypts the parameter's name attribute, not its value
     • Add Decoy Inputs: randomly and continuously generates and removes decoy <input> fields added to the web page
     • Remove Element IDs: removes the ID attribute from any element with Obfuscate enabled
     • Remove Event Listeners: removes any attached JavaScript event listeners
  21. Credential Stealing Mitigation Options: DataSafe
  22. Credential Stealing Mitigation Options: DataSafe. You can encrypt any confidential input fields.
  23. Credential Stealing Mitigation Options: DataSafe. Unprotected web forms are easy to manipulate.
  24. Credential Stealing Mitigation Options: DataSafe. With HTML field obfuscation, field names change dynamically every second; multiple input types can be added and removed dynamically.
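The Obfuscate, Remove Element IDs and Add Decoy Inputs options from slides 20 to 24 come down to one mechanism: the server must be able to recognise its own rotating field names while a form grabber reading the page sees nothing stable to key on. The following added example, written for this page and not F5's DataSafe implementation (which rotates names inside the browser with injected JavaScript), shows a server-side version: pseudonyms derived with an HMAC over the field name and a one-second time slot, no id attributes, decoy inputs shuffled in, and a parser that maps a submission back. The server key, the field list and the 300-second submission window are assumptions made for the example.

```python
"""Server-side sketch of the DataSafe ideas on slides 20-24 (added example; not
F5's implementation, which does this in the browser via injected JavaScript):
field names are replaced by pseudonyms that rotate every second, id attributes
are dropped, decoy inputs are mixed in, and the server maps submissions back."""
import hashlib
import hmac
import random
import secrets
import time

SERVER_KEY = b"constructed-demo-key-not-for-production"  # constructed for the example
FIELDS = ["username", "password"]                           # real form fields
MAX_FILL_SECONDS = 300   # assumed: how long a rendered form stays submittable


def obfuscated_name(field, slot, key=SERVER_KEY):
    """Pseudonym for a field name in a given one-second slot: HMAC(key, field:slot)."""
    mac = hmac.new(key, f"{field}:{slot}".encode(), hashlib.sha256).hexdigest()
    return "f_" + mac[:16]


def render_form(slot, decoys=3, key=SERVER_KEY):
    """Emit the login form for `slot` with obfuscated names, no id attributes
    and randomly named decoy inputs shuffled among the real ones."""
    rows = []
    for fld in FIELDS:
        itype = "password" if fld == "password" else "text"
        rows.append(f'<label>{fld.title()} <input type="{itype}" '
                    f'name="{obfuscated_name(fld, slot, key)}" autocomplete="off"></label>')
    for _ in range(decoys):
        # Decoy: a random name that no slot ever maps back to a real field.
        rows.append(f'<input type="text" name="f_{secrets.token_hex(8)}" '
                    'tabindex="-1" aria-hidden="true" style="position:absolute;left:-9999px">')
    random.SystemRandom().shuffle(rows)
    return ('<form method="post" action="/login">\n' + "\n".join(rows)
            + '\n<button type="submit">Sign in</button>\n</form>')


def parse_submission(form_data, now_slot, key=SERVER_KEY, max_age=MAX_FILL_SECONDS):
    """Map pseudonyms back to real fields.  Any slot in the last max_age seconds
    is accepted, so a form rendered a while ago still parses; names outside
    that window (stale or decoy) are discarded."""
    lookup = {obfuscated_name(f, s, key): f
              for s in range(now_slot - max_age, now_slot + 1) for f in FIELDS}
    real, discarded = {}, []
    for name, value in form_data.items():
        if name in lookup:
            real[lookup[name]] = value
        else:
            discarded.append(name)
    return real, discarded


if __name__ == "__main__":
    now = int(time.time())
    print(render_form(now))
```

Because the pseudonym depends on a server-held key, a grabber that records one page load learns names that are useless against the next; because the decoys are indistinguishable from real inputs to a DOM scraper, a harvested form contains fields the server simply ignores. The Encrypt and Substitute Value options need a client-side component (the value must be transformed before the grabber reads it), so they are outside what a server-only sketch can show.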