F5 Web Application Security

Web Application Security
Radovan Gibala
Senior Field Systems Engineer
F5 Networks
r.gibala@f5.com

© F5 Networks, Inc 2
The New Perimeter Is An App Perimeter
Network Threats Application Threats
Source: Gartner
of attacks are
focused here
25%
of security
investment
90%
of attacks are
focused here
75%
of security
investment
10%

…resulting in an unprecedented increase in attacks
Source of data breaches
Source: Based on aggregated data from IT Business Edge, Krebs on Security, Security Week, and CSO Online

Common attacks on web applications
BIG-IP ASM delivers comprehensive protection against critical web attacks
CSRF Cookie manipulation
OWASP top 10 Brute force attacks
Forceful browsing Buffer overflows
Web scraping Parameter tampering
SQL injections information leakage
Field manipulation Session high jacking
Cross-site scripting Zero-day attacks
Command injection ClickJacking
Bots Business logic flaws

Web Application Protection Strategy
•  Only protects against known
vulnerabilities
•  Difficult to enforce; especially with
sub-contracted code
•  Only periodic updated; large exposure
window
Web
Apps
Best
Practice
Design
Methods
Automated
& Targeted
Testing
  Done periodically; only as good
as the last test
  Only checks for known
vulnerabilities
  Does it find everything?

0 20 40 60 80 100 120 140
Cross-Site Scripting
Information Leakage
Content Spoofing
Insufficient Authorization
SQL Injection
Predicatble Resource Location
Session Fixation
Cross-Site Request Forgery
Insufficient Authentication
HTTP Response Spliting
How long it takes to resolve a vulnerability?
Website Security Statistics Report

Web Application Protection Strategy
•  Only protects against known
vulnerabilities
•  Difficult to enforce; especially with
sub-contracted code
•  Only periodic updated; large exposure
window
Web
Apps
Web
Application
Firewall
Best
Practice
Design
Methods
Automated
& Targeted
Testing
  Done periodically; only as good
as the last test
  Only checks for known
vulnerabilities
  Does it find everything?
  Real-time 24 x 7 protection
  Enforces Best Practice Methodology
  Allows immediate protection against new
vulnerabilities

Traditional Security Devices vs. WAF
Known Web Worms
Unknown Web Worms
Known Web Vulnerabilities
Unknown Web Vulnerabilities
Illegal Access to Web-server ﬁles
Forceful Browsing
File/Directory Enumerations
Buffer Overﬂow
Cross-Site Scripting
SQL/OS Injection
Cookie Poisoning
Hidden-Field Manipulation
Parameter Tampering
Layer 7 DoS Attacks
Brute Force Login Attacks
App. Security and Acceleration
ü
ü
ü
ü
ü
ü
ü
ü
ü
ü
ü
ü
ü
ü
ü
ü
WAF
X
X
X
X
X
X
X
X
Network
Firewall
Limited
Limited
Limited
Limited
Limited
IPS
Limited
Partial
Limited
Limited
Limited
Limited
Limited
X
X
X
X
ü
X
X
X
X
X
X X

Negative vs. Positive Security Model
•  Negative Security Model
•  Lock Known Attacks
•  Everything else is Allowed
•  Patches implementation is quick and easy (Protection against Day Zero Attacks)
•  Positive Security Model
•  (Automatic) Analysis of Web Application
•  Allow wanted Transactions
•  Everything else is Denied
•  Implicit Security against New, yet Unknown Attacks (Day Zero Attacks)

Full-proxy architecture
iRule
iRule
iRule
TCP
SSL
HTTP
TCP
SSL
HTTP
iRule
iRule
iRule
ICMP flood
SYN flood
SSL renegotiation
Data
leakageSlowloris attackXSS
Network
Firewall
WAF WAF

Application
Access
Network
Access
Network
Firewall
Network DDoS
Protection
SSL DDoS
Protection
DNS DDoS
Protection
Application
DDoS Protection
Web Application
Firewall
Fraud
Protection
F5 provides comprehensive application security
Virtual
Patching

Encrypted Traffic Is Increasing Rapidly
50%
75%
0%
10%
20%
30%
40%
50%
60%
70%
80%
Encrypted Web Traffic
2016
2019
Source: “TLS/SSL: Where Are We Today?”, NSS Labs, October 2016

Encryption is Not as Simple as ”On/Off”
SSL Server Test
•  Overall Rating
•  Certificate
•  Chain, CA
•  Protocols
•  Ciphers
•  Handshake
•  Protocol Configuration
•  Documentation
•  Recommendations
•  …

BIG-IP® Application Security Manager™
Dynamic
Multi-Layered
Security
•  Turn-on with license key or standalone
•  Caching, compression and SSL acceleration included in standalone
BIG-IP Local Traffic Manager
BIG-IP Application Security Manager
Secure response
delivered
Request made
BIG-IP ASM security
policy checked
Server response
generated
BIG-IP ASM applies
security policy
Vulnerable
application
•  Provides transparent protection from ever changing threats
•  Ensure application availability while under attack
•  Deployed as a full proxy or transparent full proxy (bridge mode)
•  Minimal impact on application performance
•  Drop, block or forward
request
•  Application attack filtering
& inspection
•  SSL , TCP, HTTP DoS
mitigation
•  Response inspection for
errors and leakage of
sensitive information
BIG-IP ASM security
policy checked

BIG-IP Application Security Manager
Multiple deployment
options
Visibility and
analysis
Comprehensive
protections
•  Standalone or ADC add-on
•  Appliance or Virtual edition
•  Manual or automatic policy
building
•  3rd party DAST integration
•  Visibility and analysis
•  High speed customizable syslog
•  Granular attack details
•  Expert attack tracking
and profiling
•  Policy & compliance reporting
•  Integrates with SIEM software
•  Full HTTP/S request logging
•  Protection web app vulnerabilities
including L7 DDoS
•  Advanced anti-BOT mitigation
•  Integrated XML firewall
BIG-IP ® ASM™ protects the applications your business relies on most and scales
to meet changing demands.

OBJECT TYPES
OBJECT NAMES
PARAMETER NAMES
PARAMETER VALUES
OBJECT FLOWS
Required Security Level
Tighter
Security
Posture
Typical ‘standard’
starting point

Different ways to build a policy
Security policy
checked
Security policy
applied
DYNAMIC POLICY BUILDER INTEGRATION WITH APP SCANNERS PRE-BUILT POLICIES
Automatic
•  No knowledge of the
app required
•  Adjusts policies if
app changes
Manual
•  Advanced
configuration for
custom policies
•  Virtual patching with
continuous application
scanning
•  Out-of-the-box
•  Pre-configure and validated
•  For mission-critical apps
including: Microsoft, Oracle,
PeopleSoft

Identify, virtually patch, mitigate vulnerabilities
Import vulnerabilities
into BIG-IP ASM
Mitigate web app attacksScan application with a
web application
security scanner:
Hacker
Clients
•  Generic
Scanner
•  Qualys
•  IBM
•  WhiteHat
•  Cenzic
•  HP WI

NSS Labs

Application attacks are inevitable
Prepare for application attacks
every 23 minutes
95% of breaches through 2018 will
be caused by misconfigured firewalls
not vulnerabilities (Gartner )
86% of websites has at least 1
vulnerability and an average of 56 per
website WhiteHat Security Statistics Report 2013
75% of internet threats target web
servers (2015 Cisco Annual Security Report)
2.3M Bots actively attacking in 2014
Symantec Internet Security Report 2014

L7 DDOS
Web Scraping
Web bot
identification
XML filtering,
validation &
mitigation
ICAP anti-virus
Integration
XML Firewall
Geolocation
blocking
Comprehensive Protections
BIG-IP ASM extends protection to more than application vulnerabilities
ASM

Different attack/issue types
Application
SSL
DNS
Network

DoS is Not a Rocket Science!

Delivering the most accurate anti-bot, scanner & scraper
protection
•  Validate user on initial site access with proactive bot defense
•  Differentiate between script and browser
•  Inspect user interaction with browser & finger print devices
•  Distinguish real-user from bot with client integrity checks and captcha challenge
•  Mitigate automated attacks, scanners, botnets and intellectual property scrapers
•  Detect a persistent scraper that uses multiple IP addresses or a single request session
ASM Website
Application
Security
Web Bot
User

Defending against automated attacks
ASM Website
Application
Security
Web Bot
/
Client check
BOT identified
ALERT &
BLOCK
•  Performs a variety of
checks to distinguish
humans from BOTS
•  Allows only verified
client requests to
pass through to app
server
•  Notifies then drops
requests that cannot
be verified
ASM identifies and blocks automated web scraping and scanning
•  Performs rapid surfing analysis of page changes
•  Blocks clients making excessive page requests
•  Issues captcha challenge on mitigated threats & initial visits
•  Detects previously identified browsers & bad IPs
•  Disallow web scraping , table captures, & UA Spoofing ext.
ASM Bot Protection

•  Enables always-on protection that preempts
attacks
•  Complements existing reactive protections
•  Utilizes advances detection methods and
techniques CAPTCHA challenges &
geolocation enforcement
•  Categorize BOTs detected by signature
classification to distinguishes good Bots
from malicious offenders
•  Detect headless browsers that run JS
ASM’s unique Proactive Bot defense
Web
Application
Stop automated attacks from ever materializing
Defend against automated non-human web scraping, DDoS
and Brute force attacks
ASM Bot Protection

•  Leverages ASM attack signatures in
conjunction with ASM bot techniques
•  Applied to DOS and ASM policies with
support for custom bots signatures and
custom categories
•  Updates like the ASM attack signatures
Reporting
•  Visible in DoS charts & custom widgets
•  New Bot drilldown screen per category or per
individual bot
Signature-based bot categorization/classification
Helps identify and protect against L7 anomaly-based attacks
Gain visibility to Bot-generated traffic
Reduce server strain caused by bots
Block vulnerability scanners, rendering them
blind
Block BotNets during DoS attacks
Web
Application
The value delivered

•  ASM injects a JS challenge with obfuscated
cookie
•  Legitimate browsers resend the request with
cookie
•  ASM checks and validates the cookie
•  Requests with valid signed cookie are then
passed through to the server
•  Invalidated requests are dropped or
terminated
•  Cookie expiration and client IP address are
enforced – no replay attacks
•  Prevented attacks will be reported and logged
w/o detected attack
1st time request
to web server
ASM Proactive Bot defense: How it Works
Internet
Web
Application
Legitimate browser
verification
No challenge
response from bots
BOTS ARE
DROPPED
ASM responds with
injected JS challenge.
Request is not passed
to server
JS challenge placed
in browser
-  ASM verifies
response
authenticity
-  Cookie is signed,
time stamped
and finger printed
Valid requests are
passed to the
server
Browser
responds to
challenge &
resends request
Continuous invalid bot
attempts are blocked
Valid browser requests
bypass challenge w/
future requests
ASM Bot Protection

•  iRules commands enable customized
action on bots detected
•  Launches against Proactive Bot Defense
DoS events
•  Provides the control needed to ensure
accuracy of threat detection
•  Use it to …
o  retrieve the data processed by Bot Defense mechanism,
o  query and override URL qualification,
o  force logging and challenges,
o  Customize an HTML redirect
iRules enhanced Bot protection
Delivers increased granularity to the bot detection process
# EXAMPLE 1: Bypassing enforcement on URL pattern
when BOTDEFENSE_ACTION {
if {[HTTP::uri] starts_with "/t/"} {
log local0. "bypassing enforcement for URI [HTTP::uri]"
set res [BOTDEFENSE::action allow]
log local0. "set action to allow, result "$res""
log local0. "resulting action [BOTDEFENSE::action]
reason "[BOTDEFENSE::reason]""
}
}

# EXAMPLE 2: Instead of blocking the request with TCP RST,
respond with a
# blocking-page
if {[BOTDEFENSE::action] eq "tcp_rst"} {
# if the custom_response action fails, the tcp_rst
action will remain,
# so we don't need to check the return string
in this case
BOTDEFENSE::action custom_response "sorryni am
blocking youn"
}
}

# EXAMPLE 3: Force the browser_challenge to be sent to the
client on the login
# page, even if the cookie is valid (may be used to force the
renewal of the
# Bot Defense cookie)
if { ([HTTP::uri] eq "/t/login.php") &&
([BOTDEFENSE::action] eq "allow") &&
(not ([BOTDEFENSE::reason] starts_with "passed
browser challenge"))} {
BOTDEFENSE::action browser_challenge
}
}
ASM Bot Protection

Browser finger printing and device ID
•  Uniquely protects against session hijacking by
matching cookies with device ID
•  Captures unique device characteristics for bots, DoS
attacks, headless browsers and human users.
•  Identifies repeat visitors learning their traffic
patterns, even in the case users switched sessions
or source IP’s.
•  Applies to brute force, volumetric DDoS, session
hijacking protections and proactive bot defense
•  Thwart tracking evasion attempts by bots and
scrapers
Accurately track good and bad actors wherever they go

How it works
• Runs client-side code that collects
various attributes about the client.
• Attributes are summed up to a hash
which we call a fingerprint.
• A cache of those fingerprints is stored
on BIG-IP, and used to persistently
identify clients when preventing from
Web Scraping.
•  Activates DeviceID tracking from a check box
when proactive defense is not used
•  Clients with JS disabled will be blocked
Browser finger printing and device ID
More accurately prevents webscraping

ASM Request List Events Log
•  View the full request itself, the violation
rating and any associated violations
•  Immediately discern request status (i.e.,
legal or illegal, blocked, truncated, or has a response)
•  Drill down to view detailed descriptions of
the violations and potential attacks.
•  Accept trusted violations
•  Quickly identify events requiring immediate
attention
•  Easily distinguish false positives and negatives
•  Enables the novice users to understand the severity
of an event
•  Alleviate cycles spent on F/P and F/N
Violation ratings highlighting priority violations

Consolidated view of attacks and mitigation
•  See real time summary of
active policies & attacks
•  Understand ASM Health
and network/traffic stats
•  View data by different
criteria in graphical
reports.
•  Get top 10 entity reports
Security Overview
Screen
TOP 10
ENTITIES
Drill down and filter all AVR
HTTP entities
Statistics concerning attack types, violations, and anomalies, traffic summaries

ASM resource consumption reporting
Ensures application security when ASM resources are burdened
•  Predictive information communicated includes:
•  pending requests
•  CPU utilization – updated every 1 minute
•  memory utilization – updated every 5 minutes
•  ASM bypass information – updated every 5 minutes
•  The plug-in queue utilization
•  User can set specific alert types and threshold values
for events
•  Leverages REST API publishing framework in AVR
•  Requires cloud orchestration to trigger action in
external security service (BIG_IQ)
ASM health
statistics &
charts
New in BIG-IP 12.0

Maintaining PCI Compliance
•  Shows each security
measure and policy
required for PCI-DSS
compliance 3.0
•  Create printable
versions of PCI
compliance reports for
each web application
•  Provides guidance to
bring flagged items
into compliance
•  Click quick links to
adjust the non-
compliant settings.
Quickly discern your state
of compliance

Telecom Operator: LB, SSL offload, TV portal protection
Users
Data Center
Solution highlights
•  Advanced load-balancing and session stickiness
•  iRules for prevention of STB traffic storms (rate
limiting) and SSL vulnerabilities
•  SSL offload for application and control plane data
•  Web application FW (ASM) for Live TV application
protection including brute force login page
protection (against password guessing) – block
access to login page after x failed attempts for
configured period of time, etc.
Operator’s Benefits
•  Better user experience due to TCP optimisation
(network latency, throughput increase)
•  A solution for prevention of STB authentication storms
•  Protection of TV portal against attacks
•  Consolidated solution load-balancing + Web application
FW on single platform
Streaming Servers
Advanced LB
STB storm protection
SSL offload
Web Application FW
BIG-IP
Portal, EPG, …

Financial organisation protected by F5 ASM & AFM
Leveraged Compliance & Consolidation
Drivers:
•  Cisco Replacement
•  Regulation demand for application security
•  Regulation demand for dual FW vendors
Competition:
•  IPS technology
•  FW vendors
•  WAF Vendors
Why we won:
•  Early engagement to the process
•  Differentiate between IPS & WAF
•  Consolidate solution – LB/WAF/FW on same unit
•  CAPEX / OPEX trade off from consolidation
•  Presentation, demo and prove of the solution
•  Excellent customer relationship with local account team
•  Strong partner collaboration
Additional benefit to F5:
•  Future potential for Anti-Fraud solutions
•  Professional services implementation

F5 Web Application Security

More Related Content

What's hot

Similar to F5 Web Application Security

More from MarketingArrowECS_CZ

Recently uploaded

F5 Web Application Security