Source: faculty.ccc.edu/mmoizuddin/cisco live...
TRANSCRIPT
© 2006, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr
Deploying the Cisco ACE Web Application Firewall
BRKAPP-2014
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public BRKAPP-2014 14618_05_2008_c2
What You’ll Learn
Refresh on HTTP and Web Application Security
  For HTTP intro, see BRKAPP-1015
  For Web App Security, see BRKAPP-1009
The main features and functional benefits of the ACE Web Application Firewall product
Typical use cases and deployment architectures
A step-by-step description of how to deploy ACE Web Application Firewall for a perimeter security use case
Cisco Application Delivery Networks
(Diagram of the ADN portfolio, data center side to WAN/branch side)
Application Networking: Message transformation; Protocol transformation; Message-based security
Application Scalability: Server load-balancing; Site selection; SSL termination and offload
Network Classification: Quality of service; Network-based app recognition; Queuing, policing, shaping
Application Visibility: Video delivery; Visibility, monitoring, control
WAN Acceleration: Data redundancy elimination; Window scaling; LZ compression; Adaptive congestion avoidance
Application Acceleration: Latency mitigation; Application data cache; Meta data cache; Local services
Application Optimization: Delta encoding; FlashForward optimization; Application security; Server offload
Other Cisco Live Breakout Sessions that You May Want to Attend
(Table: relevancy of each session to ISR, GSS, WAAS, ACE, AXG and ACNS)
BRKAPP-2002 Server Load Balancing Design
BRKAPP-3003 Troubleshooting ACE
BRKAPP-1004 Introduction WAAS
BRKAPP-2005 Deploying WAAS
BRKAPP-3006 Troubleshooting WAAS
BRKAPP-1008 What can Cisco IOS do for my application?
BRKAPP-1009 Introduction to Web Application Security
BRKAPP-2010 How to build and deploy a scalable video communication solution for your organization
BRKAPP-2011 Scaling Applications in a Clustered Environment
BRKAPP-2013 Best Practices for Application Optimization illustrated with SAP, Seibel and Exchange
BRKAPP-2014 Deploying AXG
BRKAPP-1015 Web 2.0, AJAX, XML, Web Services for Network Engineers
BRKAPP-1016 Running Applications on the Branch Router
BRKAPP-2017 Optimizing Application Delivery
BRKAPP-2018 Optimizing Oracle Deployments in Distributed Data Centers

Application Security Trends and Concerns
The Evolution of Intent: A Shift to Financial Gain
Threats Are Becoming Increasingly Difficult to Detect and Mitigate; Applications Are the Primary Targets
(Chart: Threat Severity over time, 1990, 1995, 2000, 2005, 2007, What’s Next?; Vandalism: Basic Intrusions and Viruses, then Notoriety: Viruses and Malware, then Financial: Theft and Damage)
PCI DSS: Six Sections and Twelve Requirements
Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data and sensitive information across open public networks
Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications
Section 6.5: Develop secure web apps, cover prevention of OWASP vulnerabilities
Section 6.6: Ensure all web-facing apps are protected against known attacks using either of the following methods: secure coding practices, or installing a Web App FW*
* This becomes a requirement by June 2008
Traditional Network Firewalls Are Blind to Web Application Attacks
(Diagram: Web Client -> Firewall -> Web Server -> Application -> Database Server; ports 80 and 443 are open, so unfiltered HTTP traffic passes the firewall)
HTTP Refresher
For More In-Depth, See BRKAPP-1015
HTTP—An Application-Level Protocol
HTTP 1.0—RFC 1945: Informational; performance and functional limits
HTTP 1.1—RFC 2616: Draft Standard; persistent connections, caching; more stringent requirements
HTTP is always stateless—many tricks are used to make it behave as session-oriented (cookies, session IDs)
Useful links:
http://www.w3.org/Protocols/
http://www.rfc-editor.org/rfcxx00.html
HTTP—Request Elements
Three important elements of an HTTP request:
  Method
  URI
  Headers
HTTP—Request Methods
HTTP 1.1 methods:
  OPTIONS: Ask server for available methods
  GET: Request a resource from server
  HEAD: Request resource and view response headers only
  POST: Send data to the server
  PUT: Send a file to the server
  DELETE: Delete a file from the server
  TRACE: Allows client to “trace route” via proxies to web server
  CONNECT: Used by proxies for tunneling requests to web server
All methods expect an HTTP response from the server
In practice, both GET and POST send data to web applications
HTTP—Query Parameters
The URL portion after the “?”: http://www.google.com/search?q=cisco
Passed to the application (and a vector for several attacks when improperly parsed)
Content returned dynamically based on query parameters
Overall page layout similar while data differs
For an example of how query parameters are used, see Google’s API description:
http://www.google.com/apis/reference.html#2_2
HTTP—Cookies
“Cookies are pieces of information generated by a Web server and stored in the user’s computer, ready for future access.” (www.cookiecentral.com)
Cookies are not programs, and they cannot run like programs do.
Server sends cookie to client:
Set-Cookie: NAME=VALUE; expires=DATE; path=PATH; domain=DOMAIN_NAME; secure=YES
Client sends cookie back to server on subsequent visits to the domain:
GET / HTTP/1.1\r\nHost: DOMAIN_NAME\r\nCookie: NAME=VALUE;
HTTP—Uniform Resource Identifiers
A URI Identifies and Locates a Network Resource
"http:" "//" host [":"port] [abs_path["?"query]]
(Diagram labels: Scheme; host = DNS Resolution; port = TCP Port; abs_path = Path and File Name; query = Additional Information)
Typical Web Application Architecture
Web server receives input
App server parses input
DB receives query created and sent by app server

Cisco ACE Web Application Firewall: Features and Functionality
Introducing Cisco ACE Web Application Firewall
Builds on top of industry-leading Cisco ACE XML Gateway platform
Can be software upgraded to full ACE XML Gateway solution
Protects your custom HTTP and HTML applications from high-impact Web-borne attacks
(Diagram: Web Application Firewall—Extensive HTML and XML Application Security; SOA, Web Services, and XML Threat Defense—Secures and offloads web services transactions)
Platform Specifications
1 rack unit
Four 10/100/1000 Gigabit Ethernet ports
4-GB RAM
High-performance dual-core, dual-processor architecture
High-performance cryptography acceleration
Full FIPS 140-2 Level 3 compliance—optional
Hot-swappable dual SAS HDD, fan, and power supplies
Full reverse proxy
Deployable either as firewall, manager, or 2-in-1
WAF and AXG Feature Comparison
Feature | ACE Web Application Firewall | ACE Web Application Firewall w/AXG
Web Application Security | ● | ●
Privacy | ● | ●
Encryption & Signature Support | ● | ●
Hardware SSL Acceleration (optional FIPS) | ● | ●
Centralized Management, Monitoring, Logging, and Audit | ● | ●
Policy-based provisioning and versioning | ● | ●
Protocol, Data and Security Mediation | | ●
XML Acceleration & Offload | | ●
Extensibility SDK | | ●
Content Based Routing | | ●
Typical Deployment
(Diagram: External Web Application Consumers on the Internet -> Network Firewall -> DMZ with ACE and ACE Web Application Firewall -> Customer’s Data Center with ACE, Web Servers and Portal; ACE XML Manager manages the WAF)
Attacks!*
*(and how to defend against them)
Attacks!
  Unvalidated Input
  Cross-Site Scripting
  SQL Injection
  Cross-Site Request Forgery
  Cookie Tampering
Attack #1—Unvalidated Input
What Is It? Web apps use parameters to obtain information from the client
How Is This Vulnerable?
  Developers focus on the legal values of parameters and how they should be utilized
  Too much credit is given to client-side browser validation
  Little if any attention is given to the effect of incorrect values
Result: The application acts according to the changed information, potentially giving access to other users’ accounts, confidential info, or anything else on the computer—vector for 90% of web-based attacks!
Defense: Signature Rules Engine
Blacklist approach—look for known and possible attacks in request content
Signatures detect particular attack vectors using pattern matching, regular expressions
Rules combine signatures to detect and block different types of attacks
Profiles combine rules and other features and apply them to particular web applications
Extensible via signature language—customer or partners
Automatic Input Normalization
Input Is Normalized to Thwart Obfuscation Attacks That Use Encodings to Disguise Malicious Patterns
(Diagram: encrypted request -> Terminate and Decrypt SSL -> Normalize -> Apply Security Policy)
Encoded input -> normalized form:
  %2E%2E%2Fhome%2Fuser -> ../home/user
  %2F%7Eroot%2Fetc%2Fpas -> /~root/etc/p
  %2Fhomepage%2Findex%2 -> /homepage/index/pictures/thumbs.html
Input Normalization: Example
HTTP provides many ways to encode the same information. Input normalization “undoes” encodings to produce a canonical form of the request
http://foo.com/query?bar=%3c%73%63%72%69%70%74 -> http://foo.com/query?bar=<script
Many more—depends on scripting language, SQL, Unicode, etc.
Signatures
Each signature has:
  User-readable name
  Signature ID
  Pattern used for initial match
  Regular expression used to confirm match
Rules
Rules apply signatures to places in the message: REQUEST_PARAMS sig SQLInjectQ
Severity level allows user to control strictness of enforcement, likelihood of false positives
Rules can be written very specifically: REQUEST_PARAMS[’name’].normalize(html) re ^foo.*
Expression Language
Variables make any part of the request message or its connection properties available:
  HTTP headers
  HTTP body
  Request parameters
  Source and dest IP address
  SSL properties (version, cipher, etc.)
Operators allow applying checks to the selected part of the message
Attack #2—Cross Site Scripting
What Is It?
  User feeds data to the web application
  Web application doesn’t sanitize input and echoes back the query
  The unvalidated data contains a piece of JavaScript that is executed in the context of the user’s browser session
  A carefully formed link sent to a victim (usually by mail) results in the JavaScript code being run in the victim’s browser, sending information to the hacker
Why Does Cross Site Scripting Happen?
  Unvalidated input—example: HTML is permitted into a query parameter
  Application blindly echoes request back to browser
Result: “Virtual hijacking” of the session by stealing cookies. Any information flowing between the legitimate user and site can be manipulated or transmitted to a third party
Cross Site Scripting Applications
The second a hacker realizes a query parameter accepts HTTP, he can trick your browser into doing virtually anything:
  Build hidden forms that submit your cookies
  Check your browsing history
  Scan your subnet for certain hosts
  etc.
Commonly used in phishing emails
Experts estimate 80% of web sites are vulnerable (http://www.whitehatsec.com/downloads/WHXSSThreats.pdf)
Defense: Cross Site Scripting signature set
Looks for HTML in input stream
Input decoding shrinks signature set
But... what if I want to allow image tags?
False Positives—Human Assisted Learning
Cisco’s Human Assisted Learning lets you place a site in monitor mode
When in monitor mode, security alerts are reported but traffic isn’t blocked
You can click on each security incident and instruct the WAF to block traffic matching the pattern that caused the alert, or ignore it (false positive). The exception can be configured either at the profile level, or on a per web form parameter basis!
HaL integrates the benefit of dynamic learning but removes the guesswork from the equation: you ultimately control what is acceptable or not for your applications
HaL Walkthrough
Consider a web form with two input boxes. Both accept HTML and display it back to the user (fertile ground for XSS!) but suppose the “name” parameter can be exempted from XSS pattern checks
This is what the site profile looks like before HaL intervenes:
(Screenshot: Modifiers Represent Exceptions to the Classification Process)
An XSS Attack Is Detected
Inside the event log, a “Create Modifier” option appears
(Screenshot: Create Modifier Is at the Heart of HaL)
Options HaL Provides
(Screenshot of the Create Modifier dialog)
The Rule Set Is Modified on a Per-Param Basis!
Ignore Signature 52 for Param “Name”
(Screenshot: New Modifier Automatically Added)
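As an added example (not the product’s signature language or code), the following Python sketches the pipeline the preceding slides describe end to end: input normalization, signatures with a fast pattern and a confirming regular expression, rules that bind signatures to places in the request, a profile, and a HaL-style modifier that ignores signature 52 for the “name” parameter only. The signature names, regexes, the IDs other than 52 and the sample URIs are constructed for this block.

```python
import html
import re
from dataclasses import dataclass, field
from urllib.parse import unquote, unquote_plus, urlsplit


@dataclass(frozen=True)
class Signature:
    """Name, ID, fast pattern and confirming regex, as the Signatures slide lists."""
    sig_id: int
    name: str
    pattern: str        # substring used for the cheap initial match
    regex: re.Pattern   # regular expression used to confirm the match


# Constructed signature table; IDs (other than 52, taken from the HaL walkthrough),
# names and patterns are examples for this block, not the product's own.
SIGNATURES = {
    52: Signature(52, "XSS: HTML tag in input", "<", re.compile(r"<\s*/?[a-z][\w:-]*", re.I)),
    101: Signature(101, "SQLi: tautology or comment", "'",
                   re.compile(r"'\s*or\s+\d+\s*=\s*\d+|--", re.I)),
    110: Signature(110, "Path traversal", "..", re.compile(r"(^|/)\.\.(/|$)")),
}


def normalize(value: str, plus: bool = False, max_rounds: int = 3) -> str:
    """Undo layered percent and HTML-entity encodings until the value is stable.
    Rounds are bounded so nested encodings cannot make the normaliser loop;
    '+' is treated as a space only in query parameters (plus=True)."""
    decode = unquote_plus if plus else unquote
    for _ in range(max_rounds):
        decoded = html.unescape(decode(value))
        if decoded == value:
            break
        value = decoded
    return value


@dataclass(frozen=True)
class Rule:
    location: str   # "REQUEST_PARAMS" or "REQUEST_URI" in this example
    sig_id: int
    action: str     # "block" or "monitor"


@dataclass
class Profile:
    rules: list
    # HaL-style modifiers: (signature ID, parameter name) pairs exempted from matching.
    modifiers: set = field(default_factory=set)


def parse_params(uri: str) -> list:
    """Split the raw query string; normalize() does the decoding so nothing is skipped."""
    query = urlsplit(uri).query
    pairs = []
    for item in (query.split("&") if query else []):
        name, _, value = item.partition("=")
        pairs.append((normalize(name, plus=True), normalize(value, plus=True)))
    return pairs


def matches(sig: Signature, text: str) -> bool:
    # Cheap pattern test first, then the confirming regular expression.
    return sig.pattern in text and sig.regex.search(text) is not None


def inspect(profile: Profile, uri: str) -> list:
    """Apply the profile's rules to one request URI.
    Returns (sig_id, location, parameter_name, action) tuples; a modifier turns a
    per-parameter hit into an "ignore" entry so the exception remains auditable."""
    alerts = []
    path = normalize(urlsplit(uri).path)
    params = parse_params(uri)
    for rule in profile.rules:
        sig = SIGNATURES[rule.sig_id]
        if rule.location == "REQUEST_URI" and matches(sig, path):
            alerts.append((sig.sig_id, "REQUEST_URI", None, rule.action))
        elif rule.location == "REQUEST_PARAMS":
            for name, value in params:
                if matches(sig, value):
                    exempt = (sig.sig_id, name) in profile.modifiers
                    alerts.append((sig.sig_id, "REQUEST_PARAMS", name,
                                   "ignore" if exempt else rule.action))
    return alerts


def decision(alerts: list) -> str:
    """Block on any blocking alert, report on monitor-only alerts, otherwise allow."""
    actions = {a[3] for a in alerts}
    if "block" in actions:
        return "block"
    return "monitor" if "monitor" in actions else "allow"


# Constructed profile: XSS and SQLi rules on parameters, traversal on the path, plus
# the walkthrough's modifier: ignore signature 52 for the "name" parameter only.
DEMO_PROFILE = Profile(
    rules=[Rule("REQUEST_PARAMS", 52, "block"),
           Rule("REQUEST_PARAMS", 101, "block"),
           Rule("REQUEST_URI", 110, "block")],
    modifiers={(52, "name")},
)
```

Running `inspect(DEMO_PROFILE, "http://foo.com/query?bar=%3c%73%63%72%69%70%74")` reports signature 52 on `bar` with a block action, while the same HTML in the `name` parameter comes back as an ignore entry and the request is allowed.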
Attack #3—SQL Injection
SQL stands for Structured Query Language
Allows applications to access a database
SQL can:
  Execute queries against a database
  Retrieve data from a database
  Insert new records in a database
  Delete records from a database
  Update records in a database
Many applications take user input and blindly send it directly to the SQL API!
Anatomy of a SQL Injection Attack: Basic SQL Query for Payment Info
Typical SQL query:
SELECT cc_number FROM users
WHERE username = 'victor'
AND password = '123'
Typical ASP/MS SQL Server login syntax:
var sql = "SELECT cc_number FROM users WHERE username = '" + form_user + "' AND password = '" + form_pwd + "'";
Anatomy of a SQL Injection Attack: SQL Injection—Bypass Login
Attacker injects the following:
form_user = ' or 1=1 --    (-- is the SQL comment)
form_pwd = anything
Final query would look like this:
SELECT * FROM users
WHERE username = ' ' or 1=1    <- always true!
-- AND password = 'anything'
Attacker gains access to the application! Not just logins—alter database, dump payment card information…
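An added example, not from the slides: the concatenated login query above rebuilt in Python against an in-memory SQLite table (standing in for MS SQL Server) with fictitious rows, beside the parameterized form of the same query, so the difference in behaviour on the slide’s input can be run rather than read.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory users table with constructed, fictitious rows (no real card data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, cc_number TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("victor", "123", "4111-TEST-0001"),
                      ("alice", "s3cret", "5500-TEST-0002")])
    return conn


def build_vulnerable_sql(form_user: str, form_pwd: str) -> str:
    """String concatenation exactly as on the slide: the input is spliced into the
    statement text, so quote characters and comment markers become SQL syntax."""
    return ("SELECT cc_number FROM users WHERE username = '" + form_user
            + "' AND password = '" + form_pwd + "'")


def login_vulnerable(conn: sqlite3.Connection, form_user: str, form_pwd: str) -> list:
    """Runs the concatenated statement and returns the card numbers it yields."""
    return [row[0] for row in conn.execute(build_vulnerable_sql(form_user, form_pwd))]


def login_parameterized(conn: sqlite3.Connection, form_user: str, form_pwd: str) -> list:
    """Same query with bound parameters: the driver passes the input as data, never
    as statement text, so the slide's payload is just an unknown username."""
    rows = conn.execute(
        "SELECT cc_number FROM users WHERE username = ? AND password = ?",
        (form_user, form_pwd))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    user, pwd = "' or 1=1 --", "anything"        # the slide's injected form values
    print(build_vulnerable_sql(user, pwd))
    print("concatenated:", login_vulnerable(db, user, pwd))      # every row leaks
    print("parameterized:", login_parameterized(db, user, pwd))  # no rows
```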
Defense: SQL Injection signature set
Detect SQL in input parameters
Defense: Response Message Rewrite
Search for and replace questionable content in responses from server
Attack #4—CSRF
“Whereas cross-site scripting exploits the trust a user has in a website, a cross-site request forgery exploits the trust a Web site has in a user by forging a request from a trusted user.” (source: Wikipedia)
How does it work?
  Bob is logged into his bank’s website
  Bob is also chatting/reading a blog at the same time
  Hacker posts a comment in the blog inviting Bob to click a link
  The link performs an action on Bob’s bank
  As Bob is logged in, the action has the potential to succeed
Simple example: http://www.google.com/setprefs?hl=ga
Note that Bob doesn’t even have to click a link—a simple <img src="http://example.org/buy.php?item=PS3&qty=500"> on a web page could suffice!
Defense: CSRF
Not trivial, no simple one-stop solution
Several server-side solutions:
  Generate random tokens for forms or actions so a hacker can’t guess them
  Make sure the site isn’t XSS-vulnerable
  Use CAPTCHAs
Defense: Referrer Enforcement
The browser/client populates the ‘Referer’* header to indicate the address (URI) of the resource from which the Request-URI was obtained
WAF can require that the header be a link on the same web site
Not foolproof—spoofing has been demonstrated!
* (sic)—it’s misspelled in the specification
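As an added example (not the product’s code), a server-side check that combines the two defenses just described for Bob’s bank: a random per-session token that a third-party page cannot obtain, with Referer enforcement as the secondary check, since the slide notes the header can be spoofed. The hostname bank.example, the session store and the form values are constructed.

```python
import secrets
from urllib.parse import urlsplit

SITE_HOST = "bank.example"   # constructed hostname standing in for "Bob's bank"

# Server-side session store, constructed for this example: session id -> CSRF token.
SESSIONS: dict = {}


def issue_csrf_token(session_id: str) -> str:
    """Random per-session token embedded in the bank's own forms; a third-party
    page (the blog comment, the <img src=...>) has no way to read it."""
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id] = token
    return token


def token_is_valid(session_id: str, presented: str) -> bool:
    expected = SESSIONS.get(session_id)
    return expected is not None and secrets.compare_digest(expected, presented)


def referer_is_same_site(headers: dict) -> bool:
    """Referer enforcement as the slide describes: the referring page must be on
    this site. A missing header fails here; it is only a secondary check."""
    referer = headers.get("Referer")
    return bool(referer) and urlsplit(referer).hostname == SITE_HOST


def accept_state_change(session_id: str, form: dict, headers: dict) -> tuple:
    """Decide whether a state-changing request (a purchase, a preference change)
    is accepted. Returns (accepted, reason); the token is the primary control."""
    if not token_is_valid(session_id, form.get("csrf_token", "")):
        return False, "missing or wrong csrf token"
    if not referer_is_same_site(headers):
        return False, "referer not on this site"
    return True, "ok"


def scenario() -> dict:
    """Bob's legitimate form post versus the forged <img src=...> request."""
    bob = "session-bob"
    token = issue_csrf_token(bob)
    legit = accept_state_change(bob, {"item": "PS3", "qty": "1", "csrf_token": token},
                                {"Referer": f"https://{SITE_HOST}/cart"})
    # Forged request: Bob's browser attaches his session cookie automatically, but the
    # blog page cannot supply the token and its Referer is the blog, not the bank.
    forged = accept_state_change(bob, {"item": "PS3", "qty": "500"},
                                 {"Referer": "http://blog.example/post/42"})
    return {"legit": legit, "forged": forged}
```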
Attack #5—Broken Authentication and Session Management Using Cookie Tampering
What Is It? A cookie that has had its value changed by the user
  Cookie storage is managed and controlled by the user
  Cookies can be viewed and modified by the user
  Cookies transferred in the open can be captured and modified by a third party
Why Does It Happen?
  Cookie information is weakly encrypted or hashed
  Web application developers are unaware of the threat or lack the cryptographic expertise to prevent tampering
  The cookie is assumed to contain a certain format of content—an assumption that isn’t verified
Result: Identity theft or impersonation by a third party altering the session id or authorization information stored in the cookie; DoS or even remote command execution due to buffer overflows
Defense: Cookie Tampering
No need to reinvent the wheel—existing proven encryption algorithms are available to web application developers
Use modern development frameworks for session maintenance
Cisco’s WAF can encrypt cookies, only sending an MD5 hash of the actual cookie
  Immune to tampering
  Be aware that replay attacks are still possible
Cookie Security: Signing and Encryption
(Diagram: Clients <-> WAF <-> Web Server)
Cookie as set by the web server: sess1=1800; expires=Mon, 15-Dec-2006 1:03:00 GMT; path=/; domain=.google.com; secure
After Encryption (as seen by the client): CP_EN7a989b1f1b9e966e47d629eec63302d3571d1677b27fe1bebba48df648b2edc=; expires=Mon, 15-Dec-2006 1:03:00 GMT; path=/; domain=.cisco.com; secure
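An added example, not Cisco’s implementation: a proxy-side rewrite of the slide’s Set-Cookie into an opaque token and back. HMAC-SHA256 signing stands in for the encryption and MD5 hash the slide mentions (the Python standard library has no AES), which is enough to show the tamper detection and the replay caveat. The CP_EN prefix and the sample cookie are taken from the slide; the key is generated per run.

```python
import base64
import hashlib
import hmac
import secrets

PROXY_KEY = secrets.token_bytes(32)   # per-proxy secret, generated here for the example
PREFIX = "CP_EN"                      # cookie name used for the protected form


def _tag(payload: str) -> str:
    return hmac.new(PROXY_KEY, payload.encode(), hashlib.sha256).hexdigest()


def protect_set_cookie(set_cookie: str) -> str:
    """Rewrite the server's Set-Cookie on the way out.
    The real name=value pair is encoded and signed; the client only ever sees the
    opaque CP_EN token. Attributes (expires, path, domain, secure) are kept as-is."""
    pair, sep, attrs = set_cookie.partition(";")
    payload = base64.urlsafe_b64encode(pair.strip().encode()).decode().rstrip("=")
    return f"{PREFIX}={payload}.{_tag(payload)}{sep}{attrs}"


def unprotect_cookie_header(cookie_header: str) -> tuple:
    """Map the client's Cookie header back to the server's cookies on the way in.
    Returns (restored, rejected): a token whose tag does not verify (tampered or
    forged) and any cookie the proxy did not issue are rejected, never forwarded.
    The slide's caveat holds: a valid token captured earlier still verifies (replay)."""
    restored, rejected = [], []
    for item in filter(None, (c.strip() for c in cookie_header.split(";"))):
        name, _, value = item.partition("=")
        payload, _, tag = value.partition(".")
        if name != PREFIX or not hmac.compare_digest(_tag(payload).encode(), tag.encode()):
            rejected.append(item)
            continue
        padded = payload + "=" * (-len(payload) % 4)
        restored.append(base64.urlsafe_b64decode(padded).decode())
    return restored, rejected


def tamper_demo() -> dict:
    """Round trip of the slide's session cookie, then a one-character change to the tag."""
    outbound = protect_set_cookie(
        "sess1=1800; expires=Mon, 15-Dec-2006 1:03:00 GMT; path=/; domain=.google.com; secure")
    token = outbound.split(";")[0]                       # "CP_EN=<payload>.<tag>"
    flipped = token[:-1] + ("0" if token[-1] != "0" else "1")
    return {"outbound": outbound,
            "genuine": unprotect_cookie_header(token),
            "tampered": unprotect_cookie_header(flipped),
            "forged": unprotect_cookie_header("sess1=9999")}
```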
Additional Security Features
Exception Mapping
Servers can expose too much data in error messages—stack traces, SQL schemas
Exception Mapping
Replace server errors with WAF-generated content
HTTP Header Processing
Server Header Cloaking
Data Overflow Defense
SSL Termination
Offloads crypto and connection handling from server
Enables HTTP/1.1 connection re-use, SSL session re-use, client certificate authentication
Consolidate private keys on WAF device
Decrypt and re-encrypt for end-to-end SSL
Note: ACE can also terminate SSL; when to terminate where is covered under Deployment Considerations
(Diagram: HTTPS on the client side of the WAF, HTTP on the server side)
Upgrading to ACE XML Gateway
Web Services and Web Applications
ACE Web Application Firewall provides a high level of protection for HTML-based applications.
For XML-based web services, ACE XML Gateway can provide security, mediation, and offload
Software upgrade to move from WAF to AXG—can run both sets of functionality on same device
Deployment Considerations
Clustering
There are two software components: the manager and the firewall; each has a separate software license
Both components run on the AXG appliance hardware; you can run either or both components on the same appliance
ACE WAF achieves high availability via an external HTTP load balancer such as the ACE application switch
Manager is not a runtime component, so typical deployment uses cold standby for redundancy
Clustering: Stand-Alone ACE WAF
Firewall and manager running on same appliance
Used for PoC situations or development environments
Clustering: Separate Manager
Two or more appliances running firewall component
One appliance running manager component
(Diagram: Manager; Firewall; Firewall)
Clustering: Integrated Manager
One appliance running both firewall and manager components
One or more appliances running only firewall component
(Diagram: Manager and Firewall; Firewall)
Deployment Modes
Layers 2-3: One-armed or multi-arm
One-armed: single NIC handles all traffic
  Same VLAN for pre- and post-Gateway traffic
  Simplest mode for configuration
Multi-arm: multiple NICs for traffic
  Different VLAN on each NIC
  Static routes needed in most environments
  Single routing table/default route for entire system
  Decision as to which NIC to use made by Linux kernel based on Layer 3 destination address
  Firewall policy has no concept of internal/external addresses!
In either case, multiple IPs per VLAN possible for virtual hosting
(Diagram addresses: 128.32.65.37 on the one-armed and multi-arm examples, 10.7.83.12 on the second NIC)
Use Case: Perimeter Security
(Diagram: External Web Application Consumers on the Internet -> Network Firewall -> DMZ with ACE and ACE Web Application Firewall -> Customer’s Data Center with ACE, Web Servers and Portal; ACE XML Manager manages the WAF)
Perimeter Security: One-Armed Proxy
Traffic passes through ACE twice
Easy to insert into existing ACE deployment
Allows for fail-open or fail-closed configuration
Perimeter Security: Two-Armed Proxy
(Diagram: Web Application Consumers on the Public Internet -> ACE Application Switch, Public VIP: 63.90.156.60 -> ACE WAFs -> ACE Application Switch, VIP: 10.20.1.200 -> Web Application Providers; addresses shown: 10.10.1.1, 10.10.1.10, 10.10.1.11, 10.10.1.12, 10.20.1.1, 10.20.1.151, 10.20.1.152, 10.30.1.1, 10.30.1.151, 10.30.1.152)
Different contexts on same physical ACE can be used on both sides
Best practice when backend is multiple hops from ACE WAF, need DMZ separation
One-Armed: Terminate SSL at ACE
Consolidate keys on load balancer
Use L7 classmap to direct traffic at ACE
One-Armed: Terminate SSL at ACE WAF
Optionally perform end-to-end SSL to application
Alternative Network Deployment Model
(Diagram: External HTTP and XML Web Services Consumers on the Internet -> AXG Web Application Firewall as Full Reverse Proxy -> HTTP -> WWW1, WWW2, WWW3, WWW Portal; DNS Points to AXG WAF when Asked for WWWx)
The ACE Web Application Firewall is a full reverse proxy
In other words, you can have the DNS server point to the IP address of the WAF to represent the actual Web server
At that point, the WAF accepts all requests destined to the Web server, filters them, and sends them out; the response comes back to the WAF as well for total control of the session
Deployment Example
Steps to Deploy:
  Configure WAF network and cluster settings
  Define web application and apply profile
  Deploy in monitor mode and tune
  Re-deploy in enforcement mode
Network Diagram Before: No WAF
Standard ACE L7 configuration with SSL termination, TCP reuse
Network Diagram After: With WAF
Deployment mode: one-armed proxy, terminate SSL at ACE
Two WAF devices, one acting as firewall, the other as joint firewall and manager
Cable Devices
Four RJ45 Gigabit Ethernet network interfaces (eth0, eth1, eth2, eth3)
One LOM NIC
Serial console (RS232)
VGA/keyboard video console (VGA, PS/2 keyboard)
Dual power supplies
nCipher card reader (only on FIPS model)
See HP DL360 docs
Configure Network Settings
Connect KVM or serial console
Log in as “root”
Set standard IP settings:
  IP address
  Hostname
  DNS server
  NTP server
Set as Gateway, Manager, or both
Log in to Manager
Point browser at machine selected to be Manager, HTTPS, port 8243:
https://172.25.91.151:8243/
Log in as “administrator”, password “swordfish”
Configure as Cluster
Getting Started with the Cisco ACE WAF
1. A Wizard Helps You Define the Websites You Want to Protect
Call the WAF Wizard
Specify the IP Address or Name of the Backend Server
Monitor Means the WAF Alerts but Doesn’t Block—Extremely Convenient If You’re Leery of Deploying Inline
Getting Started with the Cisco ACE WAF
2. If (host + URL) Classification Isn’t Sufficient, an Expert Mode Is Available
You Can Use Regular Expressions to Define the Site.
You Can Use Additional Parameters for Classification.
Getting Started with the Cisco ACE WAF
3. You Can, for Instance, Require the Presence of a Given HTTP Header
Full Classification Customization
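The three classification modes from steps 1 to 3 (host + URL prefix, a regular expression on the URL, and an extra parameter such as a required HTTP header) as an added Python example; this is not Cisco's code or the WAF's actual matching engine, and the site names, hosts, header names and the first-match-wins ordering are constructed assumptions. The backend 172.25.89.140 is the server the deck uses.

```python
"""Protected-site classification for a web application firewall.

Added example, not Cisco's code.  It models the three ways the slides say a
protected website can be defined: host + URL prefix (the wizard default),
a regular expression on the URL (expert mode), and additional parameters
such as a required HTTP header.  All site definitions below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class HttpRequest:
    method: str
    host: str                      # value of the Host header
    path: str                      # request path without the query string
    headers: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> Optional[str]:
        """Case-insensitive lookup: HTTP header names are not case-sensitive."""
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


@dataclass
class ProtectedSite:
    name: str
    backend: str                                # IP address or name of the backend server
    host: Optional[str] = None                  # None: any Host header is accepted
    url_prefix: str = "/"                       # simple mode: path must start with this
    url_regex: Optional[str] = None             # expert mode: regex on the path, overrides url_prefix
    required_headers: Dict[str, Optional[str]] = field(default_factory=dict)
    # header name -> exact value required, or None meaning "must be present, any value"

    def matches(self, req: HttpRequest) -> bool:
        if self.host is not None and req.host.lower() != self.host.lower():
            return False
        if self.url_regex is not None:
            if not re.search(self.url_regex, req.path):
                return False
        elif not req.path.startswith(self.url_prefix):
            return False
        for name, wanted in self.required_headers.items():
            actual = req.header(name)
            if actual is None or (wanted is not None and actual != wanted):
                return False
        return True


# Constructed site definitions (assumption: evaluated in order, first match wins).
SITES: List[ProtectedSite] = [
    # Wizard-style definition: host + URL prefix only.
    ProtectedSite(name="intranet-portal", backend="172.25.89.140",
                  host="portal.example.com"),
    # Expert mode: regex on the URL plus a header that must be present.
    ProtectedSite(name="api-v1", backend="10.0.0.20",
                  host="api.example.com",
                  url_regex=r"^/v[12]/(users|orders)(/|$)",
                  required_headers={"X-Api-Version": None}),
    # Any host, but only requests carrying a specific header value.
    ProtectedSite(name="partner-feed", backend="10.0.0.30",
                  url_regex=r"^/partner/",
                  required_headers={"X-Partner-Id": "acme"}),
]


def classify(req: HttpRequest, sites: List[ProtectedSite] = SITES) -> Optional[str]:
    """Name of the first protected site the request belongs to, or None when no
    definition matches (such a request is not covered by any site's profile)."""
    for site in sites:
        if site.matches(req):
            return site.name
    return None


if __name__ == "__main__":
    samples = [
        HttpRequest("GET", "portal.example.com", "/login"),
        HttpRequest("GET", "api.example.com", "/v1/users/42", {"x-api-version": "1"}),
        HttpRequest("GET", "api.example.com", "/v1/users/42"),   # header missing
        HttpRequest("GET", "cdn.example.org", "/partner/feed", {"X-Partner-Id": "acme"}),
    ]
    for r in samples:
        print(f"{r.host}{r.path} -> {classify(r)}")
```

A request that matches no definition is simply not classified; in a real deployment that is the case to watch for when tuning, because such traffic is not inspected by the profile you mapped to the site.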
Getting Started with the Cisco ACE WAF
4. We Have Defined Our First Protected Web Server (http://172.25.89.140/)
Website Protected by the WAF
Factory-Shipped PCI Profile Applied
Protecting the Website from XSS
5. The WAF Ships with Predefined Profiles That You Can Clone and Edit
XSS Protection
Fine-Tuning a Security Profile
6. Inside a Profile You Find Groups of Rules (Rule = Signature)—Each Group Contains Rules Ranked by Security Level
XSS Rules Level
Action to Take When an XSS Is Detected
Fine-Tuning a Security Profile
7. The XSS Group Contains Rules That Are Cisco Verified Signatures
Hundreds of XSS Rules Are Shipped from the Factory.
Each Rule Has a Unique ID and a Security Level (basic, moderate, and strict).
Profile Ready to Be Deployed
8. Here Is What Our Custom Test Profile Looks Like—XSS Protection Is Enabled
XSS Protection Enabled with Level Strict
Associate the Profile to the Website
9. Map the Profile to the Website
Profile “Test” Mapped to Our Website
Deploy the Policy to the WAF Firewalls
10. Cisco ACE WAF Ships with Strong Change Control and Audit Log Capabilities
Deltas Between Current Applied Policy and Proposed One Are Highlighted.
11. Cisco ACE WAF Alerts You of Risks Associated with Certain Configuration Options
Proactive Notification of Potential Problems
Proactive Performance Warnings
Verification of Successful Deployment
12. Multiunit Deployment + Timestamp and Rollback of Policies
Policies Can Be Deployed to N Gateways
Timestamps
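The change-control workflow of steps 10 to 12 (highlighting the deltas between the applied and the proposed policy, warning about risky options, deploying to N gateways with a timestamp, verifying, and rolling back) as an added Python example on an in-memory model. This is not Cisco's manager code: the policy layout, the warning heuristics, the gateway names and the "rollback is a new version" rule are constructed assumptions; the backend 172.25.89.140 is the deck's example server.

```python
"""Policy change control for a WAF manager: deltas, warnings, timestamped
multi-gateway deployment, verification and rollback.

Added example, not Cisco's code.  Policy layout and heuristics are constructed.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional

Policy = Dict[str, Any]


def _flatten(d: Dict[str, Any], prefix: str = "") -> Dict[str, Any]:
    """Turn nested dicts into dotted keys so two policies compare key by key."""
    out: Dict[str, Any] = {}
    for k, v in d.items():
        key = f"{prefix}{k}"
        if isinstance(v, dict):
            out.update(_flatten(v, key + "."))
        else:
            out[key] = v
    return out


def policy_delta(current: Policy, proposed: Policy) -> Dict[str, List[str]]:
    """Keys added, removed or changed between the applied and the proposed policy."""
    a, b = _flatten(current), _flatten(proposed)
    return {
        "added": sorted(k for k in b if k not in a),
        "removed": sorted(k for k in a if k not in b),
        "changed": sorted(k for k in a if k in b and a[k] != b[k]),
    }


def policy_warnings(policy: Policy) -> List[str]:
    """Proactive warnings about risky or costly options (constructed heuristics)."""
    warnings: List[str] = []
    profiles = policy.get("profiles", {})
    for site, cfg in policy.get("sites", {}).items():
        prof = cfg.get("profile")
        if prof is None:
            warnings.append(f"site {site}: no profile mapped, traffic is not inspected")
        elif profiles.get(prof, {}).get("mode") == "monitor":
            warnings.append(f"site {site}: profile {prof} is in monitor mode, attacks are alerted but not blocked")
    for name, prof in profiles.items():
        if prof.get("log_full_request"):
            warnings.append(f"profile {name}: full request dumps on every event are expensive at high request rates")
    return warnings


@dataclass
class Deployment:
    version: int
    timestamp: str
    gateways: List[str]
    delta: Dict[str, List[str]]


class PolicyManager:
    """Keeps every policy version with its timestamp and pushes it to all gateways."""

    def __init__(self, gateways: List[str], initial: Policy):
        self.gateways = list(gateways)
        self.history: List[Dict[str, Any]] = []   # version, timestamp, policy snapshot
        self.applied: Dict[str, Policy] = {}      # gateway -> policy it currently runs
        self.audit: List[str] = []
        self.deploy(initial, actor="install")

    def current(self) -> Policy:
        return self.history[-1]["policy"] if self.history else {}

    def deploy(self, proposed: Policy, actor: str, now: Optional[datetime] = None) -> Deployment:
        ts = (now or datetime.now(timezone.utc)).isoformat()
        delta = policy_delta(self.current(), proposed)
        snapshot = json.loads(json.dumps(proposed))   # detach the stored copy from the caller's object
        version = len(self.history) + 1
        self.history.append({"version": version, "timestamp": ts, "policy": snapshot})
        for gw in self.gateways:                      # same policy to every gateway
            self.applied[gw] = snapshot
        self.audit.append(f"{ts} {actor} deployed v{version} to {', '.join(self.gateways)}: "
                          f"+{len(delta['added'])} -{len(delta['removed'])} ~{len(delta['changed'])}")
        return Deployment(version, ts, list(self.gateways), delta)

    def verify(self) -> bool:
        """Every gateway runs the latest version (verification of successful deployment)."""
        return all(self.applied.get(gw) == self.current() for gw in self.gateways)

    def rollback(self, actor: str, to_version: int) -> Deployment:
        """Re-deploy an earlier snapshot as a new version so the audit trail stays linear."""
        old = next(h["policy"] for h in self.history if h["version"] == to_version)
        return self.deploy(old, actor=f"{actor} (rollback to v{to_version})")


# Constructed sample policies: v1 has a site with no profile, v2 maps the "test" profile.
POLICY_V1: Policy = {
    "sites": {"portal": {"backend": "172.25.89.140", "profile": None}},
    "profiles": {"pci-default": {"mode": "monitor", "xss_level": "moderate"}},
}
POLICY_V2: Policy = {
    "sites": {"portal": {"backend": "172.25.89.140", "profile": "test"}},
    "profiles": {
        "pci-default": {"mode": "monitor", "xss_level": "moderate"},
        "test": {"mode": "enforce", "xss_level": "strict"},
    },
}

if __name__ == "__main__":
    mgr = PolicyManager(["waf-gw-1", "waf-gw-2"], POLICY_V1)
    print(policy_warnings(mgr.current()))
    print(mgr.deploy(POLICY_V2, actor="admin").delta)
    print(mgr.rollback("admin", to_version=1).version, mgr.audit[-1])
```

Storing a JSON round-trip of each version keeps the history immutable even if the caller later mutates its own policy object, which is what makes the recorded deltas and the rollback trustworthy.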
The Website Is Under Attack
13. We Are Launching an XSS Attack Against the Website
Immediate Incident Report View
Let’s Drill Down
14. Let’s See What the Attack Looks Like
The Name of the Attack Vector Is Provided
ID of the Rule that Caused the Alert
Detailed Security Event Drill-Down
15. Detailed Forensics Are Available for Each Attack
Full Dump of Incoming Request
What the User, Hacker, and Victim See
16. Default Error Text Is Returned to Browser (Fully Customizable)
The error message and HTTP return code are fully customizable; you can return your own HTML code and, for example, redirect the hacker to the main page.
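Steps 5 to 16 together, as an added Python example that is not Cisco's code: a profile enables a rule group at a security level, each rule carries a unique ID and an attack-vector name, monitor mode raises an alert while enforce mode blocks, every incident keeps a full dump of the incoming request for drill-down, and the error status and body (or a redirect to the main page) returned on a block are customizable. The rule IDs, patterns and sample requests are constructed stand-ins for the factory signature set, and "level strict also activates the basic and moderate rules" is my reading of "rules ranked by security level", not documented behaviour.

```python
"""Profile enforcement, incident reporting and the response the browser sees.

Added example, not Cisco's code.  Rules, levels and sample traffic are constructed.
"""
import re
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple
from urllib.parse import unquote_plus

LEVELS = {"basic": 0, "moderate": 1, "strict": 2}


@dataclass(frozen=True)
class Rule:
    rule_id: str     # unique ID shown in the incident report
    group: str       # rule group, e.g. "xss"
    level: str       # security level at which the rule becomes active
    pattern: str     # case-insensitive regex over the decoded request text
    vector: str      # attack-vector name shown in the incident report


# A handful of constructed signatures standing in for the factory-shipped set.
RULES: List[Rule] = [
    Rule("XSS-0001", "xss", "basic", r"<\s*script\b", "script tag injection"),
    Rule("XSS-0002", "xss", "moderate", r"\bon(load|error|click|mouseover)\s*=", "HTML event handler injection"),
    Rule("XSS-0003", "xss", "strict", r"javascript\s*:", "javascript: URL scheme"),
]


@dataclass
class Profile:
    name: str
    groups: Dict[str, str]                 # group -> level enabled for that group
    mode: str = "monitor"                  # "monitor": alert only, "enforce": block
    error_status: int = 403                # customizable HTTP return code on block
    error_body: str = "<html><body>The request was blocked by the web application firewall.</body></html>"
    redirect_to: Optional[str] = None      # when set, a block redirects here instead of returning error_body

    def active_rules(self, rules: List[Rule] = RULES) -> List[Rule]:
        """Rules whose group is enabled and whose level is at or below the configured one."""
        return [r for r in rules
                if r.group in self.groups and LEVELS[r.level] <= LEVELS[self.groups[r.group]]]


@dataclass
class Incident:
    rule_id: str
    vector: str
    level: str
    location: str        # where in the request the rule fired
    action: str          # "alert" (monitor) or "block" (enforce)
    request_dump: str    # full dump of the incoming request for forensics


def dump_request(req: Dict[str, Any]) -> str:
    """Reconstruct the request as received, before any decoding."""
    target = req["path"] + (f"?{req['query']}" if req.get("query") else "")
    lines = [f"{req['method']} {target} HTTP/1.1"]
    lines += [f"{k}: {v}" for k, v in req.get("headers", {}).items()]
    return "\r\n".join(lines) + "\r\n\r\n" + req.get("body", "")


def inspect(profile: Profile, req: Dict[str, Any]) -> Tuple[str, Optional[Dict[str, Any]], List[Incident]]:
    """Return (decision, response, incidents): decision is "forward" or "block",
    response is the error page or redirect sent to the browser on a block, else None."""
    dump = dump_request(req)
    # Percent-decode query and body once so encoded payloads are matched in decoded form.
    locations = {"query": unquote_plus(req.get("query", "")),
                 "body": unquote_plus(req.get("body", ""))}
    locations.update({f"header:{k}": v for k, v in req.get("headers", {}).items()})
    action = "block" if profile.mode == "enforce" else "alert"
    incidents = [
        Incident(rule.rule_id, rule.vector, rule.level, where, action, dump)
        for rule in profile.active_rules()
        for where, text in locations.items()
        if re.search(rule.pattern, text, re.IGNORECASE)
    ]
    if incidents and profile.mode == "enforce":
        if profile.redirect_to:
            return "block", {"status": 302, "headers": {"Location": profile.redirect_to}, "body": ""}, incidents
        return "block", {"status": profile.error_status,
                         "headers": {"Content-Type": "text/html"},
                         "body": profile.error_body}, incidents
    return "forward", None, incidents   # monitor mode: alert raised, request still reaches the backend


# Constructed sample traffic: one benign search and one URL-encoded script-tag injection.
BENIGN = {"method": "GET", "path": "/search", "query": "q=router+firmware",
          "headers": {"Host": "portal.example.com", "User-Agent": "test-client"}}
XSS_ATTEMPT = {"method": "GET", "path": "/search",
               "query": "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
               "headers": {"Host": "portal.example.com", "User-Agent": "test-client"}}

if __name__ == "__main__":
    strict = Profile("test", {"xss": "strict"}, mode="enforce")
    decision, response, incidents = inspect(strict, XSS_ATTEMPT)
    print(decision, response["status"], [(i.rule_id, i.vector, i.location) for i in incidents])
    print(incidents[0].request_dump)
```

Running the same profile in monitor mode first gives the incident list without the block, which is exactly the tuning pass the deployment steps call for before re-deploying in enforcement mode; the level field is what you turn down when a strict-only rule fires on legitimate traffic.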
Q and A
Recommended Reading
Continue your Cisco Live learning experience with further reading from Cisco Press
Check the Recommended Reading flyer for suggested books
Available Onsite at the Cisco Company Store
Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes. Winners announced daily.
Receive 20 Passport points for each session evaluation you complete.
Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
Don’t forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008.
Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com.