Title: Web Application Security F5 Application Security Manager (ASM)
1Web Application Security F5 Application
Security Manager (ASM)
Aslak Siira a.siira_at_f5.com
2Company Snapshot
Revenue
- Leading provider of Application Delivery
Networking products that optimize the security
performance availability of network
applications servers and storage systems - Founded 1996 / Public 1999
- Approx. 1580 employees
- FY07 Revenue 526M
22nd consecutive quarters of sequential revenue
growth For the third quarter of fiscal 2008 F5
Networks Inc.(NASDAQ FFIV) announced revenue
of 165.6 million up 4 percent from 159.1
million in the prior quarter and 25 percent from
132.4 million in the third quarter of fiscal
2007.
3F5 Begins 2008 as 1 in the Application Delivery
Controller Market for Q108
Q108 Gartner ADC Market Share
- Q108 ADC Market Share Leaders
- F5 38.1
- Cisco 33
- Citrix 7.6
- Q108 ADC Market Share Revenue Leaders
- F5 109.8Million
- Cisco 95 Million
- Citrix 21.8 Million
- Q108 ADC Q/Q Revenue Growth
- F5 3.1
- Cisco 6.7
- Citrix -18
- Q108 ADC Total Market Numbers
- Revenue 288 Million
- Q/Q Revenue Growth -5.2
- Y/Y Revenue Growth 15
-
-
- Application Delivery Controller (ADC) Segment
Includes Server Load Balancing/Layers 4-7
Switching and Advanced (Integrated) Platforms
Citrix 7.6
Radware 5.3
Cisco 33
Foundry 2.6
Others 13.4
F5 NETWORKS 38.1
SOURCE Gartner
4F5 Blazes Competition in Advanced Platform ADC
Segment for Q108
Q108 Gartner Advanced Platform ADC Market Share
- Q108 Advanced Platform ADC Market Share Leaders
- F5 61.1
- Citrix 12.1
- Radware 8.5
- Q108 Advanced Platform ADC Market Share Revenue
Leaders - F5 109.8 Million
- Citrix 21.8 Million
- Radware 15.3 Million
- Q108 Advanced Platform ADC Q/Q Revenue Growth
- F5 3.1
- Citrix -18
- Radware -6.7
- Cisco 20.2
- Q108 Advanced Platform ADC Total Market Numbers
- Revenue 179.7 Million
- Q/Q Revenue Growth -3.8
- Y/Y Revenue Growth 15
-
- Advanced Platform Segment Includes ADCs that
integrate several functions (typically more than
four) on a single platform (for example load
balancing TCP connection management SSL
offload compression and caching)
Radware 8.5
Cisco 5.0
Citrix 12.1
Others 13.2
F5 NETWORKS 61.1
SOURCE Gartner
5Enviable Leadership Position
Magic Quadrant for Application Delivery Products
2008
- F5 Networks - Strengths
- Offers the most feature-rich AP ADC combined
with excellent performance and programmability
via iRules and a broad product line. - Strong focus on applications including
long-term relationships with major application
vendors including Microsoft Oracle and SAP. - Strong balance sheet and cohesive management
team with a solid track record for delivering the
right products at the right time. - Strong underlying platform allows easy
extensibility to add features. - Support of an increasingly loyal and large
group of active developers tuning their
applications environments specifically with F5
infrastructure.
SOURCE Gartner
6Application Security Performance Availability
Application Layer
Data Center Solutions
Network Layer
ROUTERS
SWITCHES
FIREWALLS
Intelligent Clients
7Application Security Performance Availability
Application Layer
Data Center Solutions
Network Layer
APPLICATIONS
INTELLIGENT
iControl
ROUTERS
Functions
TMOS Modules iRules
SWITCHES
FIREWALLS
Intelligent Clients
8F5s ADN Freeing IT Optimizing Business
International Data Center
Cell
PC - Home
Enterprise Manager / ControlPoint
Applications Storage
BIG-IP Local Traffic Manager
BIG-IP Link Controller
ARX File/Data Virtualization
BIG-IP Global Traffic Manager
BIG-IP Application Security Manager
FirePass SSL VPN
BIG-IP Web Accelerator
WANJet
Remote - WAN
iControl
PC - LAN
TMOS
WLAN
F5s End-to-End Application Delivery Networking
Solution
9Unique TMOS Architecture
- TMOS traffic plugins
- High-performance networking microkernel
- Powerful application protocol support
- iControl External monitoring and control
- iRules Network programming language
10Application Deployment Guides
Configuration Templates
Deployment Guides BEA Weblogic Citrix IBM
WebSphere Microsoft Exchange Microsoft
SharePointMicrosoft Hyper-VMicrosoft
IIS Microsoft LCSMicrosoft OM Microsoft
... Oracle Access ManagerOracle ASOracle
E-Business SuiteSAP NetWeaver Enterprise
SOASiebel VMWare. . .
11Application Security Trends and Drivers
- Webification of applications
- Intelligent browsers and applications
- Public awareness of data security
- Increasing regulatory requirements
- The next attackable frontier
- Targeted attacks
12Most web application are vulnerable!
- 70 of websites at immediate risk of being
hacked! - - Accunetix Jan 2007 http//www.acunetix.co
m/news/security-audit-results.htm - 8 out of 10 websites vulnerable to attack
- - WhiteHat security report Nov 2006
https//whitehatsec.market2lead.com/go/whitehatsec
/webappstats1106 - 75 percent of hacks happen at the application.
- - Gartner Security at the Application Level
- 64 percent of developers are not confident in
their ability to write secure applications. - - Microsoft Developer Research
- The battle between hackers and security
professionals has moved from the network layer to
the Web applications themselves. - - Network World
13Top Five Vulnerabilities
- Cross-Site Scripting 7 of 10 websites vulnerable
- Predictable Resource Location 1 of 4 vulnerable
- Content Spoofing 1 of 4 websites vulnerable
- Insufficient Authentication 1 of 5 vulnerable
- SQL Injection 1 of 5 websites vulnerable
14Web Application Security Professionals Survey
2007
- Web Application Security Professionals Survey
(Oct 2007) 140 professionals - Conclusions
- 1. The vast majority of websites have at least
one serious vulnerability. - 2. Many websites are being broken into but no
one knows about them and thatll increase
exponentially over the next few years. - 3. There is NO WAY the average user can protect
themselves from being exploited. - 4. The standard mandated by the credit card
industry PCI-DSS makes little difference to the
security of a website. - 5. Web application vulnerability scanners miss
just about as many of the most common issues as
they find.
15So what does it mean
Everyone has vulnerabilities
Hacker makes music distributors advertice pirates
Simple SQL injection in user name OR 11
allowed admin access into Deutsche Bank web site
in October 2007
15
16And that means everyone http//forum.f-secure.co
m december 2007
16
17www.owasp.org Top Ten Project
18Developers are asked to do...
Application Development
Add application availability
19Who is responsible for application security
Web developers
Network Security
Engineering services
DBA
20Challenges of traditional solutions
- HTTP is stateless Application is statefull
- Web applications are unique there are no
signatures for YOUR web application - Tight development time-frame and lack of security
experties lead to vulnerabilities - Code written by third parties
- Good protection has to inspect the response as
well - Encrypted traffic only doesnt protect the server
21Lines of Code comparison
BEA WebLogic gt 10 000 000 LoC
Your Code
Estimated
22Web Application Security
Attacks Now Look To Exploit Application Vulnerabil
ities
Perimeter Security Is Strong
PORT 80 PORT 443
But Is Open to Web Traffic
High Information Density High Value Attack
23Payment Card Industry (PCI)
- VISAs Digital Dozen
- Has Been Adopted by All Card Associations
Build and Maintain a Secure Network 1. Install
and maintain a firewall configuration to protect
cardholder data 2. Do not use vendor-supplied
defaults for system passwords and other security
parameters Protect Cardholder Data 3. Protect
stored cardholder data 4. Encrypt transmission of
cardholder data across open public
networks Maintain a Vulnerability Management
Program 5. Use and regularly update anti-virus
software 6. Develop and maintain secure systems
and applications Implement Strong Access Control
Measures 7. Restrict access to cardholder data by
business need-to-know 8. Assign a unique ID to
each person with computer access 9. Restrict
physical access to cardholder data Regularly
Monitor and Test Networks 10. Track and monitor
all access to network resources and cardholder
data 11. Regularly test security systems and
processes Maintain an Information Security
Policy 12. Maintain a policy that addresses
information security
24PCI Requirement 4
- Encrypt transmission of cardholder data across
open public networks - Sensitive information must be encrypted during
transmission over networks that are easy and
common for - a hacker to intercept modify and divert data
while in transit. - 4.1 Use strong cryptography and security
protocols such as SSL TLS and/or IPSEC during
transmission over open public networks. - 4.1.1 For wireless networks transmitting
cardholder data encrypt the transmissions by
using WiFi protected access (WPA or WPA2)
technology IPSEC VPN or SSL/TLS. - (Never rely exclusively on wired equivalent
privacy (WEP) to protect confidentiality and
access to a wireless LAN.) - 4.2 Never send unencrypted PANs (Personal Account
Number) by e-mail.
25PCI Requirement 5
- Use and regularly update anti-virus software or
programs - Many vulnerabilities and malicious viruses enter
the network via employees e-mail activities.
Anti-virus software must be used on all systems
commonly affected by viruses to protect systems
from malicious software. - 5.1 Deploy anti-virus software on all systems
commonly affected by viruses (particularly
personal computers and servers) - Note Systems commonly affected by viruses
typically do not include UNIX-based operating
systems or mainframes. - 5.1.1 Ensure that anti-virus programs are capable
of detecting removing and protecting against
other forms of malicious software including
spyware and adware. - 5.2 Ensure that all anti-virus mechanisms are
current actively running and capable of
generating audit logs.
26PCI Requirement 6
- Develop and maintain secure systems and
applications - 6.1 Ensure that all system components and
software have the latest vendor-supplied security - patches installed within one month of release.
- 6.2 Establish a process to identify new security
vulnerabilities. Update standards to address new
vulnerabilities. - 6.3 Develop software applications based on
industry best practices and incorporate
information - security throughout the software development life
cycle. - 6.4 Follow change control procedures for all
system and software configuration changes. - 6.5 Develop all web applications based on secure
coding guidelines such as the Open Web - Application Security Project guidelines. Review
custom application code to identify coding - vulnerabilities. Cover prevention of common
coding vulnerabilities in software development - processes to include the OWASP Top 10.
- 6.6 Ensure that all web-facing applications are
protected against known attacks by applying
either of - the following methods
- Having all custom application code reviewed
for common vulnerabilities by an organization - that specializes in application security
- Installing an application layer firewall in
front of web-facing applications. (Note This
method will be a requirement on June 30 2008
until then it is a best practice.)
27Traditional Security Devices vs.Web Application
Firewall (ASM)
ASM
Known Web Worms Unknown Web Worms Known Web
Vulnerabilities Unknown Web Vulnerabilities Illega
l Access to Web-server files Forceful
Browsing File/Directory Enumerations Buffer
Overflow Cross-Site Scripting SQL/OS
Injection Cookie Poisoning Hidden-Field
Manipulation Parameter Tampering
X
28Web Application Protection Strategy
Web Apps
- Only protects against known vulnerabilities
- Difficult to enforce especially with
sub-contracted code - Only periodic updated large exposure window
- Done periodically only as good as the last test
- Only checks for known vulnerabilities
- Does it find everything
- Real-time 24 x 7 protection
- Enforces Best Practice Methodology
- Allows immediate protection against new
vulnerabilities
29Defining Terms Object Types
- Sample URL
- http//www.myapplication.com/login.phpuserMyUser
passMyPassword - Object Types
- The file extension of the requested object.
- In the example of above .php would be the Object
Type. - The most basic positive security mechanism.
- The learning mechanisms will learn all the types
in your application (ie. Jpg Php Gif Jsp
etc). - Application can then be locked down to the
directories each of these types are found in (ie.
/images/ is where all .jpg and .gifs are).
30Defining Terms Object Names
- Sample URL
- http//www.myapplication.com/login.phpuserMyUser
passMyPassword - Object Names
- The actual names of all objects of a certain
type. - Performed after the application Firewall has
learned the object types. - In the example above the object name is
login.php. - For any given file type you can define whether to
check object names (at this point all object
names for that type are checked). - If object names are being checked for the .php
extension then all the names for all .php
objects needs to be defined.
31Defining Terms Parameter Names
- Sample URL
- http//www.myapplication.com/login.phpuserMyUser
passMyPassword - Parameter Names
- The parameter names that are passed to an object.
- In the example above user and pass are the
parameter names passed to the object. - Parameters can be defined as mandatory or
optional. - Prevent forceful insertion of parameters.
- Also check hidden controls and parameters on web
pages to prevent hidden field tampering.
32Defining Terms Parameter Values
- Sample URL
- http//www.myapplication.com/login.phpuserMyUser
passMyPassword - Parameter Values
- The parameter values that are passed to the
parameters in the object. - In the example above these are MyUser and
MyPassword. - These can be checked for character sets lengths
etc - Character sets defined for individual parameters
supersede global character set checks.
33Defining Terms Object Flows
- Sample URL
- http//www.myapplication.com/login.phpuserMyUser
passMyPassword - Object Flows
- Maps the flow of the application.
- This is done by mapping what parts of the
application you needed to flow through to get to
a certain place in the application. - This can be complicated to manage for large
applications. - Example before visiting Page 8 of the application
you had to flow from Page 1-gtPage3 or Page4-gtPage
8.
34Positive Security Definition and Learning
OBJECT FLOWS
POLICY TIGHTENING SUGGESTIONS
Tighter Security Posture
PARAMETER VALUES
- Policy-Building Tools
- Automatic Learning and policy building
- Trusted IP Learning
- Live Traffic Learning
- Crawler
- Negative RegEx
- Template
PARAMETER NAMES
Typical standard starting point
OBJECT NAMES
OBJECT TYPES
35Web Application Security with ASM
Stops bad requests / responses
ASM allows legitimate requests
Browser
36Security Policy in ASM
Content Scrubbing Application Cloaking
Enforcement
Browser
- Can be generated automatically or manually
- Highly granular on configuration and blocking
- Easy to understand and manage
- Bi-directional
- Inbound protection from generalised targeted
attacks - Outbound content scrubbing application
cloaking - Application content context aware
37Negative Security vs Positive Security
- Negative Security
- Relies on Patterns or Signatures to define known
attacks. - Checks RFC compliance for anomalies
- Basically always looks for the known bad and then
takes action. - Unable to stop Zero Day Attacks
- Positive Security
- Relies on knowing the inner workings of an
application. - Checks for actions that fall outside applications
set allowed actions. - Queries
- Character Sets
- Flows
- Objects
- Etc
- Prevents Zero Day attacks.
- ASM Benefits
- Utilizes both Positive Security and Negative
Security to augment each other.
38Multiple Security Layers
- RFC enforcement
- http request cookies
- Black Lists Attack Signatures - System or
user provided Auto Uppdate Evasion... - Various HTTP limits enforcement
- Headers method cookies
- Profiling of how good traffic looks like
- Defined list of allowed file types Lengths
URIs parameters - Each parameter is evaluated separately for
- Pre defined value length character set attack
patterns
39Immediate Value
- Tightening model deployment starts with open
rules - Gradually introduce more specific policy rules
- Specific rules are applied before general rules
- General rules are taken out of the policy
-
40Policy Builder Automation in Policy Building
- Creates advanced security policies automatically
- Highly accurate policies every source of
information is used (responses requests
heuristics trusted IP) - Automatic detection and policy generation after
site updates - Fits into any deployment scenarios
41Policy Wizard
- Leads you through the policy building process
where you can choose the following settings - Application Policy Template or
- Used systems to specify the attack signatures
- Automatic or manual policy building
- It creates the wildcards for manual policy
building automatically -
42Application Policy Templates
- OWA
- Sharepoint
- Lotus Domino Mail Server
- Oracle Financials
- SAP Netweaver
- Generic
- And others will follow
43XML Firewall
- Well formatted validation
- Schema/WSDL validation
- Methods selection
- Attack signatures for XML platforms
- Backend Parser protection
- XML islands application protection
- Full request logging
44Extended security features
- Dynamic parameter protection
- Login page enforcement
- Information leakage prevention Data Guard
- Pre defined or Custom patterns can be applied to
any text response from the server to mask
sensitive information or block the response. - Detailed granular positive protection for every
entity - Protocoll Headers URI Parameter
- Automatic signature update
- Staging
45Protection for Dynamic Values or Hidden Field
Manipulation
46Example SAP Application
- Protect the session information in the URI
- https//saptest.xyz.de/sap(bD1kZSZjPTAxMA)/...
- Protect dynamic parameter names and values
- Tdokfilter_subdok_dokstrukturK2_Y1234567891034591
85F
47Flexible Policy Granularity
Search for command injection
- Single quote is a command delimiter
- Best practice to disallow from parameters
wherever possible - Easiest to achieve with a generic policy applied
to the whole site
BUT . . .
User Name OConnor
- Single quote needed in some parameters
- Need to be able to selectively relax policy eg
single quote allowed in this parameter - Need to limit use within relaxed policy eg only
one single quote allowed in this parameter
48Selective Application Flow Enforcement
Username
From Acc.
Amount
Transfer
To Acc.
Password
This part of the site is a financial transaction
that requires authentication we should enforce
strict flow and parameter validation
- Should this be a violation
- The user may have bookmarked the page!
- Unnecessarily enforcing flow can lead to false
positives.
49Signature staging
- In order to benefit from signatures it is
mandatory to be sure they cause no F/P. - To clean a large set usually takes a lot of
time. - During all this time All signatures are in
non-blocking mode - Signature staging allows to benefit from the
signatures that do not create f/p right after the
staging period while other remain in the staging
basket
50Extended security features more
- Comprehensive Evasion detection engine
- SEL ECT from users
- DR/blah blah blah blah/OP TABLE users
- A lot of Normalization features
- e.g. ASCII decoding
- 3Cscript3E turns to ltscriptgt
- 253Cscript253E turns to 3Cscript3E turns to
ltscriptgt -
51Granularity
- The web is a wilderness applications with no
real RFC - Granularity is a key to success and a cost
effective deployment - In ASM one can build a policy to any HTTP entity.
- HOST header - any other HTTP header
- IP address - parameter names
- cookie name - file types
- URI or directories - source IP
- Violations are broken to categories.
52Security Alerts and Reports
- General Security Alerts
- Violations Report
- IP based Report
- IP based AttackReport
- Legal and IllegalRequests
- Request Details
53Fast Custom Logging
- Can send all requests to remote syslog server
- Very flexible export customization
- Building block for compliance
54Executive Report
55ASM Platform Availability
- Standalone ASM on TMOS
- 4100 3600
- Available as a module with BIG-IP LTM
- 3600
- 6400/6800
- 8400/8800
56BIG-IP Platform Characteristics
Price
BIG-IP 8800
BIG-IP 8400
2 x 2.6 GHz Dual Core Opteron 12 10/100/1000 or
12 SFP Layer 4 ASIC (PVA10) 80 GB HD 512 CF SSL
_at_ 48K TPS/ 6 Gb Bulk HW Compression option 7-10
Gbps Traffic (7G L7 6GSSL Compress) Multiple
Product Modules
BIG-IP 6800
2 x 2.6 GHz Opteron 12 10/100/1000 or 12
SFP Layer 4 ASIC (PVA10) 80 GB HD 512 CF SSL _at_
33K TPS/ 3 Gb Bulk HW Compression option 6-10Gbps
Traffic Multiple Product Modules
2 x 2.4 GHz Opteron 16 10/100/1000 4 SFP Layer
4 ASIC (PVA2) 80 GB HD 512 CF SSL _at_ 20K TPS/ 2
Gb Bulk FIPS SSL option HW Compression option 4
Gbps Traffic Multiple Product Modules
BIG-IP 6400
2 x 1.6 GHz Opteron 16 10/100/1000 4 SFP Layer
4 ASIC (PVA2) 80 GB HD 512 CF SSL _at_ 15K TPS/ 2
Gb Bulk FIPS SSL option 2 Gbps Traffic 1 Product
Module
BIG-IP 3600
1 x 2.13 GHz Core2 Duo 8 10/100/1000 2x 1GB
SFP 1x 160 GB HD 8GB CF 4GB RAM SSL _at_ 14K TPS /
1.5 Gb/s Bulk 1.5 Gbps Traffic 1 Product Module
BIG-IP 1600
1.8 Ghz Core2Duo (Dual Core) 4 10/100/1000 2x
1GB SFP 160GB HD 4GB RAMSSL _at_ 7K TPS / 750 Mb/s
Bulk 750 M Traffic
Function / Performance
57Redundant Deployment with the Appliance
Web Servers
BIG-IP LoadBalancer
Firewall
ASM
58Redundant Deployment with the BIG-IP and ASM
Web Servers
BIG-IP with ASM-Module
Firewall
59TMOS Architecture
ASM
WAM
3rd Party
Microkernel
TCP Proxy
SSL
Compression
TCP Express
TCP Express
Caching
OneConnect
XML
Rate Shaping
Client Side
Server Side
Server
Client
iRules
High Performance HW
iControl API
- TMOS Traffic Plugins
- High-performance Networking Microkernel
- Powerful Application Protocol Support
- iControl External monitoring and control
- iRules Network Programming Language
60Improve Security with LTM
Resource Cloaking BIG-IP virtulizes and hides all
application server error codes and real URL
references that may provide hackers clues into
infrastructure services and their associated
vulnerabilities. Customized Application Attack
Filtering BIG-IPs full inspection and
event-based rules deliver a greatly enhanced
ability to search for and apply numerous rules to
block known L7 attacks. Encrypts cookies and
other tokens that are transparently distributed
to legitimate users. Organizations gain superior
security for all stateful applications
(e-commerce CRP ERP and other business-critical
applications) and a higher level of user identity
trust. Supports higher-standard AES (Advanced
Encryption Standard for SSL) algorithms with the
most secure SSL encryption available on the
market at no additional processing cost.
Content Protection Allows organizations to
prevent sensitive documents or content from
leaving their site.
61Improve Security with LTM
Protects Against Heavy Attack Volumes BIG-IP
combines a suite of security features to provide
comprehensive protection against DoS Attacks SYN
Floods and other network based attacks. Features
such as SYNCheck provide comprehensive SYN Flood
protection of the servers that sit behind the
BIG-IP device. Combined with the Dynamic Reaping
capabilities BIG-IP provides robust security to
filter out the heaviest attacks while
simultaneously delivering uninterrupted service
for legitimate connections. Insulation From
Protocol Attacks BIG-IP provides Protocol
Sanitization and a Full TCP Termination point
which independently manages client and server
side connections protecting all backend systems
and applications from malicious
attacks. Firewalling - Packet Filtering BIG-IP
now integrates a control point to define and
enforce L4-based filtering rules (based on PCAP
similar to network firewalls) improving network
protection.
62Summary
- Protecting web application is a challenge within
many organizations but attacks against web
applications are the hackers favorites - ASM provides easy and very granular configuration
options to protect web applications and to
eliminate false positives - ASM combines positive and negative security
models to achieve the optimum security - ASM is an integrated solution and can run as a
module on BIG-IP or standalone - ASM is used to provide compliance with various
standards - ASM provides hidden parameter protection and
selective flow control enforcement - ASM provides an additional security layer or can
be used as central point for web application
security enforcement
63(No Transcript)
