Securing Modern Web Apps
Thomas Gobet
Architect, WAF & Application Protection EMEA / CALA
19/04/2018
2 Agenda
• WAF introduction
• Machine learning algorithms
• Deployment options
• Authentication gateway
• Bot detection
3 New OWASP Top 10: Biggest Threats in 2017
4 OWASP A6 : Security misconfiguration
• Security misconfiguration is the most common issue
• Insecure default configurations
• Incomplete or ad-hoc configurations
• Error messages exposing sensitive data
• …
• When migrating to cloud environments, it requires more knowledge and time to secure
• Full auto policy-generation is now a MUST!!!
5 OWASP A10 : Insufficient logging & monitoring
• Most breach studies show time to detect a breach is over 200 days
• “Insufficient Logging & Monitoring” refers to the ability of the organizations to quickly detect and respond to a security incident.
• Logging all relevant information such as HTTP request/response, username, security violation is mandatory.
• GDPR requires logs, authenticity and confidentiality.
6 GDPR Recital 39 and 49
Recital 39
personal data should be processed in a manner that ensures appropriate security and confidentiality, including preventing unauthorized access to or use of personal data and the equipment used for the processing
Recital 49
the ability of a network or an information system to resist accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems. This could, for example, include preventing unauthorized access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.
7 AppWall overview
8 Introducing: AppWall
The Background – WAFs help enterprises:
• Block attacks targeting their web applications
• Achieve compliance (e.g. PCI)
The Challenge
• Difficult & costly to deploy & maintain
• Long time to security
• High total cost of ownership
The Solution
• AppWall is the best performing application security solution for attack mitigation, PCI compliance and web security.
9 Complete Web Application Protection
• Terminate TCP, Parse HTTP: Evasions; HTTP response splitting (HRS)
• Signatures applied on Normalized traffic: URL / Base64 / UTF-8 encoded injections
• Signature & Rule Protection: Cross site scripting (XSS); SQL injection, LDAP injection, OS commanding
• Data Leak Prevention: Credit card number (CCN); Social Security number (SSN); Regular Expression
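The Data Leak Prevention row above masks card and social security numbers in responses by regular expression. As an added example (not Radware's code), the following Python response-body masker pairs the regex with a Luhn check so that order numbers which merely look like card numbers are left alone; the patterns, the keep-last-four rule and the sample body are constructed for illustration.

```python
import re

# Candidate patterns (constructed): 13-19 digit runs with optional space/dash
# separators for card numbers, and the NNN-NN-NNNN form for US SSNs.
CCN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: rejects most identifiers that only look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_ccn(match) -> str:
    """Mask all but the last four digits, preserving the separators as seen."""
    raw = match.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        return raw              # not a card number: leave the response untouched
    keep_from = len(digits) - 4
    out, seen = [], 0
    for ch in raw:
        if ch.isdigit():
            out.append(ch if seen >= keep_from else "X")
            seen += 1
        else:
            out.append(ch)
    return "".join(out)


def mask_ssn(match) -> str:
    return "XXX-XX-" + match.group(0)[-4:]


def mask_response_body(body: str) -> str:
    """Apply both DLP rules to an HTTP response body before it leaves the WAF."""
    body = CCN_RE.sub(mask_ccn, body)
    return SSN_RE.sub(mask_ssn, body)


# Constructed sample response fragment (test card number, not real data).
SAMPLE_BODY = (
    "Card on file: 4111 1111 1111 1111\n"
    "Order ref: 1234567890123456\n"
    "SSN: 123-45-6789\n"
)
```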
10 Complete Web Application Protection
• Parameters Inspection: Buffer overflow (BO); Zero-day attacks
• User Behavior: Cross site request forgery; Cookie poisoning, session hijacking
• Layer 7 ACL: Application / folder / file / param level access control; White listing or black listing
• XML, JSON & Web Services: XML & JSON validity and schema enforcement
• Role Based Policy: Authentication; User Tracking
11 Uniquely Employing Positive Security Model
Positive Security Model
• Learns and defines what actions are legitimate traffic
• Blocks unauthorized access or actions that are not permitted
• Uniquely protects from 0-day attacks and unknown vulnerabilities
• Higher layer of protection: FULL OWASP TOP-10 protection, minimum false-positives
Negative Security Model
• Standard across most cloud WAF services and WAF technologies
• Blocks known attacks via known signatures and rules
• Cannot provide FULL protection against OWASP TOP-10
• Cannot protect from unknown vulnerabilities: 0-day attacks
12 Automation through Auto Policy and API
Flow 1
• Step #1.1 Growing traffic volume to the web application
• Step #1.2 High AppWall resource utilization
• Step #1.3 Add AppWall instance
• Step #1.4 Reduced resource utilization
Flow 2
• Step #2.1 New tenant application added
• Step #2.2 New policy assigned
Diagram components: Alteon NG (Int vADC / Ext vADC), Automation & Orchestration Infrastructure, Multiple Policies, User
13 Automation Flows – REST APIs
• A new AppWall: New Data Center; Scale
• A new Web App – add a new: Service IP; Protected Web Server; Tunnel; Web App; Custom Template
• Policy Distribution with a custom policy templates menu
Diagram roles: Network Team; Application Teams
14 Machine learning algorithms
15 Going Beyond Static Signature Protection: Machine-learning Algorithms to Automatically Generate Policies
Continuously detect changes in the application and acceptable user behavior to keep protection current:
• Auto Threat Analysis covering ALL OWASP Top-10 and 150+ attack vectors
• App Mapping to detect new or changed parts of the web application
• Auto Policy Activation adding tailored app rules and optimizing for best accuracy
• Policy Generation with Auto-Optimization for out-of-the-box rules to minimize false positives
16 App Mapping
www.reservations.com – discovered application sections: /config/, /hotels/, /info/, /reserve/, /admin/, /register/
17 App Mapping → Threat Analysis
www.reservations.com – threats identified for the mapped sections:
• SQL Injection: spoof identity, steal user information, data tampering
• CCN breach: information leakage
• Directory Traversal: gain root access control
• Buffer Overflow: unexpected application behavior, system crash, full system compromise
18 App Mapping → Threat Analysis → Policy Generation
www.reservations.com – generated policy:
• Prevent access to sensitive app sections
• Mask CCN, SSN, etc. in responses
• Parameters inspection
• Traffic normalization & HTTP RFC validation
19 App Mapping → Threat Analysis → Policy Generation
www.reservations.com – time to protect:
• Add tailored application rules
• Optimize rules for best accuracy
• Virtually zero false positives
20 Shortest Time to Security
App Mapping → Threat Analysis → Policy Generation → Policy Activation
21 Deployment options
22 Deployment Options
Standalone
• Reverse Proxy / Bridge
• Virtual / Physical
• Cluster support
• Defense Messaging with DefensePro
All-in-One Application Delivery & Security (Fast, Reliable, Secure)
• Out-of-path or inline deployment
• Supporting up to 10 Gbps
• Multiple vADC with Fault Isolation
23 Integrated Hybrid Solution
Traffic path: Internet Pipe → Firewall → Load Balancer/ADC → Server Under Attack → SQL Server
Protection layers along the path: Cloud DDoS protection; DoS protection; Behavioral analysis; IPS/IDS; WAF; SSL protection
Threats addressed:
• Large volume network flood attacks; Syn Floods; Network Scan
• HTTP Floods; SSL Floods; App Misuse; Brute Force
• “Low & Slow” DoS attacks (e.g. Sockstress)
• XSS, CSRF, SQL Injections
24 Multi Layer Detection and Mitigation
Detecting and Blocking:
• Attacks on web apps behind CDNs
• Advanced HTTP attacks (slowloris, HTTP dynamic floods)
• Brute force attacks on login pages
• SSL attacks
Scalable Line Speed Availability Attack Mitigation:
• Line speed mitigation: 160 Gbps
• 25M DDoS pps
• 60 microseconds latency
25 New Technologies – New Opportunities
Next Generation Virtualization
26 Detect where you can. Mitigate where it’s right.
AppWall is implemented out-of-path in span-port. Attacker launches web-application attack.
1. AppWall detects the web-application attack
2. AppWall signals attack information to DefensePro (Defense Messaging)
3. DefensePro mitigates the attack at the Perimeter
Diagram: Client / Attacker → Perimeter (DefensePro) → Data Center (AppWall)
No Performance Impact. No Risk.
27 Out-of-Path Deployment: Scalable Deployment
Diagram: Client / Attacker → Perimeter (Attack Mitigation Device) → LAN (Alteon, WAFs); Defense Messaging from the WAFs back to the Attack Mitigation Device
Unlimited detection and mitigation scalability
28 DefenseFlow Messaging – Control Plane
AppWall is implemented out-of-path in span-port. Attacker launches web-application attack.
1. AppWall detects the web-application attack
2. AppWall signals attack information to DefenseFlow (Defense Messaging)
3. DefenseFlow sends an alert to DefensePro and a BGP diversion to the router
4. DefensePro mitigates the attack at the Perimeter
Diagram: Client / Attacker → Perimeter (DefensePro, BGP router) → Data Center (AppWall)
No Performance Impact. Transparent integration
29 Authentication Gateway
30 Use Cases
• Microsoft UAG / TMG replacements
• Strong Authentication associated with Role based Security Policy
• Single Sign-on
• Cloud and Premise based Apps Web Access Management
31 Multi-Vector Role Based Security Policy
CONTEXT: Web Role; IP & Geo Location
SECURITY POLICY: Application Access Control; Data Access and Visibility; Web Security, XSS, SQL Inj.
ACTION: Block; Report
Authentication Gateway: Authorization and access control; Web based Single Sign On; 2 Factor Authentication: RSA SecurID, SMS Passcode; Segregation of duties
32 Authentication Gateway – User Authentication and SSO
Authentication Schemes (Backend Servers):
• Form-based Authentication (FBA)
• Kerberos Constrained Delegation (KCD)
• NTLM
• SAML SP
User Data Stores:
• Active Directory
• LDAP
• Radius
33 Authentication Gateway Flow
1. Un-authenticated user (from outside the domain) attempts to access an Enterprise Application
2. Redirect to Login page; login with 2 Factor Authentication
3. AppWall validates credentials against Active Directory & receives a Kerberos ticket
4. AppWall applies user/role based security policy
5. AppWall resubmits the credential or Kerberos ticket to the backend application (KCD, NTLM or FBA)
Diagram: Customer Premise with Active Directory and the backend application
34 Low and Slow Detection
35 Behavioral Layer 7 Low&Slow Attack Detection
Modeling the TCP Connection Lifecycle:
1. A TCP Connection is Established
2. HTTP Request Sent
3. Server Think Time
4. HTTP Response Sent
5. Client Think Time
6. Subsequent Request Sent
• Seconds to detect and block Low&Slow attacks
• Works both in Out Of Path and inline modes
• Mitigation by AppWall, Defense Messaging to DefensePro or DefenseFlow
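As an added illustration of the lifecycle model on this slide (not AppWall's implementation), the following Python checks each connection's phase durations against baseline limits and then aggregates anomalous connections per source, which is how a handful of half-sent requests becomes a blockable source within seconds. The timestamps, limits, connection ids and addresses are all constructed.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ConnTrace:
    """Timestamps (seconds) of one connection's lifecycle phases; None = not yet observed."""
    conn_id: str
    src: str
    established: float                  # TCP connection established
    request_complete: Optional[float]   # last byte of the HTTP request seen
    response_sent: Optional[float]      # HTTP response sent (server think time ends)
    next_request: Optional[float]       # subsequent request seen (client think time ends)


# Baseline limits a learning phase would derive; constructed constants for this example.
MAX_REQUEST_SEND = 10.0    # handshake to complete request
MAX_CLIENT_THINK = 120.0   # idle keep-alive before a follow-up request


def classify(t: ConnTrace, now: float) -> Optional[str]:
    """Return why the connection's timing is anomalous, or None if it fits the model."""
    if t.request_complete is None:
        if now - t.established > MAX_REQUEST_SEND:
            return "request not completed"           # slow-headers / slow-body shape
        return None
    if t.request_complete - t.established > MAX_REQUEST_SEND:
        return "request sent too slowly"
    if (t.response_sent is not None and t.next_request is None
            and now - t.response_sent > MAX_CLIENT_THINK):
        return "keep-alive idle beyond client think time"
    return None


def sources_to_block(traces: List[ConnTrace], now: float, min_conns: int = 3) -> List[str]:
    """Count anomalous connections per source; a source holding min_conns or more is blocked."""
    counts = {}
    for t in traces:
        if classify(t, now) is not None:
            counts[t.src] = counts.get(t.src, 0) + 1
    return sorted(src for src, n in counts.items() if n >= min_conns)


# Constructed observation at now = 60 s: a normal client, a client that just connected,
# and one source holding several half-sent requests open.
SAMPLE = [
    ConnTrace("c1", "198.51.100.7", 0.0, 0.05, 0.30, 2.1),
    ConnTrace("c2", "203.0.113.9", 1.0, None, None, None),
    ConnTrace("c3", "203.0.113.9", 1.2, None, None, None),
    ConnTrace("c4", "203.0.113.9", 1.5, 58.0, None, None),
    ConnTrace("c5", "198.51.100.8", 55.0, None, None, None),
]
```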
36 Continuous Security Delivery – Protect & Learn
Modeling the Application Security Lifecycle:
• Immediate Protection
• Auto Policy Generation
• Apply Tailored Learned Policy
• App Change (cycle repeats)
Continuous Delivery → Continuous Security Delivery
37 IP Agnostic Bot Detection
38 Good Bots vs. Bad Bots
Simple bots are not much of a challenge to block.
Headless browsers such as PhantomJS complicate the detection process by:
– Mimicking user behavior
– Passing challenges
– Serving up dynamic IP addresses
To be sure, not all bots are bad:
– Search Engine Bots
– Computer Generated API Calls
We need to differentiate good bots from bad bots.
39 Unique IP-Agnostic Fingerprinting Protection
Device Reputation for bot detection and blocking
• Beyond IP address blacklisting: detailed device fingerprinting through multiple parameters
• Enables precise activity tracking over time & development of IP-agnostic Device Reputation
• Provides advanced protection from: Website Scraping; Brute Force Attacks; HTTP Dynamic Floods; Dynamic IP Attacks
Fingerprint parameters shown: System Fonts, Screen Resolution, Browser Plug-ins, Local IPs, Operating System
40 Fingerprint result
41 Device Fingerprinting
Device fingerprint enables:
– Precise activity tracking over time
– Device Reputation
Provides advanced protection from:
– Website Scraping
– Brute Force Attacks
– HTTP Dynamic Floods
Diagram: JS collected from the App / OS identifies the device behind a CDN or Carrier NAT
42 Activity Tracking
• Rate Limiting: TPS / TPM per Domain / Folder / URL
• Behavioral analysis
43 Attack Correlation and Source Blocking
Track Record and Attack Correlation:
• IP-based or Fingerprint-based tracking
• Configurable violation scores
• Correlation of Activity and Violations over time
• Blocking Attack Source once reaching a threshold
44 Banking customer – Dynamic IP Address attack
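Added example, not the product's code, of the fingerprint-keyed correlation described on slides 43 and 44: violation scores accumulate per device fingerprint inside a sliding window, so a dynamic-IP brute force that never repeats an address still crosses the blocking threshold while per-IP counting never sees more than one failure per address. The scores, threshold, window and event stream are constructed, and `device_fingerprint` is a hypothetical stand-in for the product's JS-collected fingerprint.

```python
import hashlib
import json
from collections import defaultdict

# Configurable violation scores and limits (constructed values, not product defaults).
VIOLATION_SCORES = {"login_failure": 10, "sqli_signature": 40, "url_rate_limit": 15}
BLOCK_THRESHOLD = 50        # block a source once its windowed score reaches this
WINDOW_SECONDS = 600        # correlate violations over the last 10 minutes


def device_fingerprint(attrs: dict) -> str:
    """Hypothetical stand-in for the JS-collected fingerprint: hash the device
    attributes (fonts, screen resolution, plug-ins, OS) into an IP-independent key."""
    canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


class SourceTracker:
    def __init__(self):
        self.history = defaultdict(list)   # fingerprint -> [(ts, score)]
        self.blocked = {}                  # fingerprint -> ts when blocked
        self.per_ip = defaultdict(int)     # what IP-only tracking would see

    def record(self, ts: float, attrs: dict, violation: str, ip: str) -> str:
        fp = device_fingerprint(attrs)
        self.per_ip[ip] += 1
        hist = self.history[fp]
        hist.append((ts, VIOLATION_SCORES.get(violation, 0)))
        hist[:] = [(t, s) for t, s in hist if ts - t <= WINDOW_SECONDS]  # slide the window
        if fp not in self.blocked and sum(s for _, s in hist) >= BLOCK_THRESHOLD:
            self.blocked[fp] = ts
        return fp

    def is_blocked(self, attrs: dict) -> bool:
        return device_fingerprint(attrs) in self.blocked


# Constructed event stream: one device rotating source addresses on a login form.
ATTACKER = {"fonts": ["Arial", "Verdana"], "screen": "1366x768", "plugins": [], "os": "Linux x86_64"}
EVENTS = [(0, ATTACKER, "login_failure", "203.0.113.10"),
          (30, ATTACKER, "login_failure", "203.0.113.11"),
          (60, ATTACKER, "login_failure", "198.51.100.5"),
          (90, ATTACKER, "login_failure", "198.51.100.6"),
          (120, ATTACKER, "login_failure", "203.0.113.12")]


def run(events) -> SourceTracker:
    tracker = SourceTracker()
    for ts, attrs, violation, ip in events:
        tracker.record(ts, attrs, violation, ip)
    return tracker
```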
45 Providing Protection Beyond the Perimeter
Hybrid, single technology solution to protect both on-premise and cloud-based applications
Cloud WAF Service (Radware Security Cloud POP):
• Full coverage of OWASP Top-10
• ICSA Labs Certification
• Auto Generated Policy
• Negative & Positive security models
On premise: Best-of-breed WAF (Physical or Virtual Appliance) with Attack Mitigation Device
46 Summary
47 Why Radware’s WAF?
Attack Mitigation
• Mitigating attacks on web applications behind CDNs
• Blocking the attack source at the perimeter
• Multi-layer detection and mitigation
Application Security & Delivery
• AppWall out-of-path and inline deployment modes
• Delivered on platforms supporting up to 80Gbps
Compliance
• Action plan for compliance
• Advanced security graphical reports
Web Security
• Short time to protection
• Low false positive and false negative rates
• Auto-detection of web application changes
Segregation of Duties
• Mapping security web roles to LDAP organizational units or attributes
• Multi vector security policies: application access, data visibility etc.
48 Summary – More Than Just a WAF
Fastest to Deploy, Easiest to Maintain, Best Security Coverage
• Multi layered attack detection and mitigation
• Out-of-path deployment with no performance impact or risk
• Fast, reliable, and secure delivery of mission-critical web applications
• Low maintenance costs and post deployment peace of mind
• Audit ready and visibility into application security
Thank You