Web Applikationen: Die intelligente Kombination von

Schutzmechanismen macht den Unterschied

Daniel Estermann, M.Sc.

Web Applikationen: Die intelligente Kombination

von Schutzmechanismen macht den Unterschied

Web Application Security ist heute schon hochkomplex und die Komplexität wird sich

mit der weiteren Entwicklung von Online-Services noch rasant erhöhen. Selbst der bes-

te Programmierer kann nicht jede Angriffsmöglichkeit auf Web Applikationen kennen,

zudem sind sie auch nur Menschen und machen ab und zu Fehler. Gemäß Gartner

weisen drei Viertel der Web Applikationen Sicherheitslücken auf. Um diese Situation zu

verbessern sind neben regelmäßigen Security Audits noch weitere, vor allem proaktive

Maßnahmen angebracht. Eines der effektivsten Mittel ist der Einsatz einer Web Applica-

tion Firewall. Der Vortrag erklärt bewährte Architekturmuster wie - proaktiver Schutz vor

unbekannten Attacken dank dynamischem Whitelisting- Single-Sign-On mit vorgelager-

ter Authentisierung- Hohe Verfügbarkeit und Sicherheit kombiniert in einer Web Appli-

cation Firewall. Durch die intelligente Kombination von Schutzmechanismen können

Entwickler sich vermehrt auf die Business Logik konzentrieren und verkürzen so die Time-

to-Market. Neben Schutz und Optimierung der Webumgebung wird zudem auch die

Compliance verbessert (z.B. durch Sicherstellung des PCI Data Security Standard – PCI

DSS).

Daniel Estermann, M.Sc.

Daniel Estermann besitzt einen Master Abschluss in Informatik der Eidgenössischen

Technischen Hochschule (ETH Zürich) mit den Schwerpunkten Informationssicherheit

und Kryptographie und studierte außerdem Betriebswirtschaft im Nebenfach.

Daniel Estermann beschäftigt sich seit über zehn Jahren intensiv mit Web Applikatio-

nen: Er kennt den Spagat zwischen Einhaltung von Projektterminen und sicherer An-

wendungsentwicklung aus seiner Zeit als Entwickler und Projektleiter von anspruchsvol-

len Enterprise-Anwendungen. Bei Visonys (jetzt phion) konnte er diese Erfahrungen in

die Entwicklung und Betriebsführung der Web Application Firewall 'airlock' einbringen.

Als Professional Service Leiter lernte Estermann dort insbesondere auch den Blickwinkel

der IT-Betreiber kennen. Nach der Übernahme durch phion steuert er nun als Produkt

Manager die strategische Weiterentwicklung der phion airlock Produktlinie.

1

© phion AG

Web Application Security

Was bringt eineWeb Application Firewall?

Daniel Estermann

Dipl. Informatik Ing. ETH Zürich

Product Manager Web Application Security

phion AG

Slide 2 © phion AG

Imagine…

� This is your Web

application server:

in the center there

is your Web

application

the users are the

audience

let‘s have a closer

look...

� Everything under

control?

Slide 3 © phion AG

Goals and Challenges

� Stadium sold out

� Lots of goals

� Good ambiance

� Smooth operations

� No riots

� Keep away hooligans

and other troublemakers

2

Slide 4 © phion AG

Exposure, Attacks, Vulnerabilities, Threats

� Cross Site Scripting � Denial of Service � Forceful Browsing

Slide 5 © phion AG

About phion AG

� Founded in 2000

� HQ in Innsbruck

� Regional offices in Vienna, Munich, Düsseldorf, Zurich, Milan, London, Amsterdam, Dubai

� Since July, 4th 2007 plc at

Vienna Stock Exchange (mid market)

� Numerous international customers

� from the Fortune 500� public and health sectors� financial services (up to 85% of Austrian and Swiss banks)

� Leading enterprise security from the heart of Europe:

� Gartner: listed in the ‘visionaries’ quadrant in Gartner’s ‘Magic Quadrant for

Enterprise Network Firewalls’; November 2008.

� Burton Group: Enterprise Firewalls and Perimeter Architecture, 3 Nov 2005� Leading Web Application Firewall vendor in central Europe

Slide 6 © phion AG

History of airlock

GLOBALSECURITYALLIANCE

� Swiss Startup Seclutions, later renamed to Visonys

� Part of phion since June 2008, 2nd phion HQ in Zurich

� Highly qualified development & professional services teams

� Clear Focus on Web Application Security since 1996

� Strong historical background in finance industry

� Evolved into a standard product ”airlock” in 2001

� Large Customer Base & Top References

� About 200 productive installations in 8 countries

� References in government, banks, insurances, industry, portals etc.

3

Slide 7 © phion AG

Target No. 1: Web Applications

How do we protect our applications and data?

� Network has become increasingly hardened

� Number of web-based applications and their complexity exploded

� Additional classes of web application vulnerabilities classes were discovered

� Attackers began targeting end users, particularly with the emergence of web 2.0 applications and user-generated content delivery

Slide 8 © phion AG

Security Instruments Compared

� There is no silver bullet: Web Application Security is always a combination of instruments.

� But not every instrument is in the “magic quadrant”.

Effectivity=Security

Efficiency=Cost vs. Value

IPS / Deep Inspection

Vulnerability Scanning

Web Application Firewall

Penetration Tests

Code Analysis

Security Trainingfor developers

Slide 9 © phion AG

Deployment example: Entry Server (Reverse Proxy)

B2B ClientB2B Client

Web ClientWeb Client

AttackerAttacker

InternetInternet

SecuredSecured

AreaArea

WAFWAFAuthentication Authentication ServiceService

Remote AccessRemote Access

Antivirus Server Antivirus Server (ICAP)(ICAP)

ApplicationApplication Server Server e Business, e Banking, e Government or e Learninge Business, e Banking, e Government or e Learning

ApplicationApplication Server Server Web Services, B2B ApplicationWeb Services, B2B Application

Application Server Application Server SSHSSH--Admin, Terminal Services, EAdmin, Terminal Services, E--MailMail

DMZDMZ

User User

DirectoryDirectory

WAFWAFacts as

reverse proxy

4

Slide 10 © phion AG

Web ApplicationFirewall (WAF)

Monitoring & Reports• Log analysis

• Statistics

• Alerting

• Audit

AccessControl

• Authentication

• Autorization

• Single Sign On

• IAM

Multi-LevelFiltering

• Black/Whitelist

• Protocols

• SOAP/XML

• Cookies

Delivery &Availability

• Loadbalancing

• Compression

• Clustering

SSL Termination

• Encryption

• Offloading

ReverseProxy

• TCP/IP term.

• Virtualization

• Flow control

• Rewriting

Management& Admin• Secure OS

•Configuration

• Operation

• Deployment

SecureSession Handling• Tracking

• Anti-Hijacking

Typical WAF Features

Slide 11 © phion AG

Security for Application Servers

are we dealing with?

Access ControlAccess Control

FilteringFiltering

WHOMWHOM

WHATWHAT are we dealing with?

Slide 12 © phion AG

Multi-Level Filtering

� Strict flowcontrol

� Multiple validationprocesses

� Filtering allRequests and Data

� Real dynamicWhitelist Filtering

5

Slide 13 © phion AG

Blacklist Filter: Negative Security Model

� Examples:

� Virus/Malware Scanner

� IDS/IPS

� Airport Security X-Ray

� Issues

� Thousands of signatures

� Critical timing

� Completely reactive, always behind

� Prevents only known attacks

� Evasion techniques possible

Blacklist Filter are necessary

but not sufficient against today‘s

targeted attacks!

Slide 14 © phion AG

Whitelist Filter: Positive Security Model

� Everything forbidden unless allowed explicitly

� Prevents unknown attacks

� Challenge:How to define good andeasy to manage whitelistrules?

� Key questions:What is good (allowed) intoday‘s dynamic applicationenvironments?

Slide 15 © phion AG

� Enforcement of valid Web application usage

� Valid URLs

� Valid Parameters

� Length restrictions according to input fields

� Verification of predefined values (selections,hidden fields, radio buttons, etc)

� Protection against type or range violations

Whitelisting Web Applications

6

Slide 16 © phion AG

� Manual whitelist rules

� Too much work for complex applications

� Static ruleset

� Makes sense for critical hotspots (e.g. login page)

� Learning mode

� Records „good“ traffic during learning phase

� Generates static whitelist ruleset

� Strong dependency on application content

� High maintenance cost

� Dynamic whitelisting

� Learning at runtime

� Allow only URLs generated by the application

� Often session-based → allows to protect application flow

WAF whitelisting approaches

Slide 17 © phion AG

UserUser

UserUser

AttackerAttacker

InternetInternet

SecuredSecured

AreaArea

CRMCRM

ERPERP

AnyAny Web Web ApplicationApplication

Authentication Authentication ServerServer

User User DirectoryDirectory

Dynamic Whitelisting: URL Encryption Example

17

Manipulated requests are blocked:

https://www.myapp.com/news.php?include=../../../../../etc/passwd � Error!

Manipulated requests are blocked:

https://www.myapp.com/news.php?include=../../../../../etc/passwd � Error!

User requests start page: https://www.myapp.comUser requests start page: https://www.myapp.com

Application sends HTML containing plain URLs like

http://192.168.1.123/news.php?include=news.txtApplication sends HTML containing plain URLs like

http://192.168.1.123/news.php?include=news.txt

User browser receives encrypted URLs:

https://www.myapp.com/$xp1/GMnGuYqPtCSYMQqnWFTbUser browser receives encrypted URLs:

https://www.myapp.com/$xp1/GMnGuYqPtCSYMQqnWFTb

Slide 18 © phion AG

� HacmeBooks (Foundstone/McAfee)

� Bookshop

� Java2 Enterprise Web Application

� Several intentional vulnerabilities

� Used for training and demos

� Both HacmeBooks and airlock are

running on VMware

Live Hacking Demo

7

Slide 19 © phion AG19

URL Encryption Smart Form Protection

� Effective protection against

forceful browsing

� URLs and parameters 100%

protected

� Topology and technology hiding

� Dynamic, no static configuration

� Cryptographic protection of

HTML forms

� Only valid inputs allowed

� Automatic protection of hidden

fields, selection lists, etc

� Dynamic, no static configuration

Application dynamically defines valid

URLs, parameters and values.

WAF enforces valid usage!

Dynamic Whitelisting: Benefits

Slide 20 © phion AG

Access Control

are we dealing with?

Access ControlAccess Control

FilteringFiltering

WHOMWHOM

WHATWHAT are we dealing with?

Slide 21 © phion AG

Access Control (Theory)

AuthenticationService

WAF

UserDirectory

Web Application

UserUser

AuthenticationAuthentication

Fine-Autorization(who can access what data?)

Fine-Autorization(who can access what data?)

Identity ManagementIdentity Management

Identity PropagationIdentity Propagation

8

Slide 22 © phion AG

CA Cert.

ACE/Radius Server

Web Shop CMS Admin

ERP

Authentication may

depend on user type,role and origin…

Authentication Service

WAF

CRM

EmployeesCustomers

PublicWeb Site

Partner Portal

Partners

AnonymousAnonymoususeruser CustomerCustomer PartnerPartner EmployeeEmployee

Employee*Employee*

(Intranet)(Intranet)

**

Access Control (Real Life)

Slide 23 © phion AG

Identity Propagation (1)

1. Authenticate user (once)

Authentication Service

WAF

User

Directory

userid: sample

password: *********

Slide 24 © phion AG

Identity Propagation (2)

1. Authenticate user (once)

2. Fetch identity information from directory (once)

Authentication Service

WAF

User

Directory

userid: sample

email: s.user@my.com

role: employee, saleserp-userid: s.user

first name: sample

last name: user

sales

CMS:id=sample

roles=employee, sales

ERP:userid=s.user

9

Slide 25 © phion AG

Identity Propagation (3)

1. Authenticate user (once)

2. Fetch identity information from directory (once)

3. Propagate user identity

to each web application (with each request)

airlock

CMS ERP

ERP:userid=s.user

Single sign-on �

Access web applications

without logging in again

sales

CMS:id=sample

roles=employee, sales

Slide 26 © phion AG

Identitiy Propagation Techniques

� Basic-Auth header

Add a basic-authentication header to each request

Example: Authorization: Basic c2FtcGxlOnBhc3N3b3Jk [ =base64(“sample:password“) ]

� Cookie/Header

Add a cookie or arbitrary http header containing any user details,

e.g. userid + roles

Example: SAP_USER_ID: sample

Example: Cookie: USER_INFO=sample;sales,employee

Example: Cookie: ASSERTION=********************** (encrypted/signed)

� SAML Assertion

� Kerberos Ticket

In the name of the user, get a Kerberos ticket

for the desired server and add it to each request.

The user does not even have to provide his password!

Slide 27 © phion AG

Kerberos Identity Propagation

Windows/Kerberos Domain

WAF

Windows

Web Server

IIS, ISA, Exchange, Sharepoint etc.

(Front-end)Authentication

Service

https + Control API(SSL Client Cert.

Auth.)

http(s) + SPNEGO/Kerberos

Windows

Server 2003+

Kerberos Agent

Active

Directory

KDC

Kerberos v5

Ticket

10

Slide 28 © phion AG

Access Control: Typical Features of a WAF

� Simply connect existing user directories (LDAP, AD,

SQL/DB) and authentication servers (RADIUS, RSA/ACE)

� Authorization based on group membership or any other

directory information

� Single Sign-on

� Secure session handling

� Multiple authentication levels depending on application

� Change authentication scheme without touching the

applications

� Auditing, monitoring and usage analysis

(optional user id in logs)

Slide 29 © phion AG

Preceding Authentication: Benefits

� Developers can focus on business logic

� Ease of use (e.g. Single Sign-On)

� Maximum security

� Flexibility and speed

by separating application and authentication:

� Change the authentication scheme without touching the

applications

� Add new applications to a SSO domain quickly

� Cost and time savings in application development

Slide 30 © phion AG

Cookie Protection

� Pass-through

� conventional, may be read and manipulated in the browser

� Encrypt or sign

� WAF encrypts/signs cookie before sending it to the browser

� Cookie not forgeable because a valid signature/encryption is required

� Store

� cookies are not sent to the browserbut held in the user session on the WAF

11

Slide 31 © phion AG

Protecting Web Services

� SOAP/XML Filter

� Built-in or add-on module

� Typical Features:

� Well formatted validation

� Schema/WSDL validation

� Methods selection

� Blacklists for typical attacks

� Backend parser protection

� Full request logging

Slide 32 © phion AG

Why a Web Application Firewall?

Typical Drivers are...

� mostly security (prevent attacks)

� compliance (e.g. PCI DSS)

� sometimes also application delivery(high availability, load balancing etc.)

� puzzle piece in a Identity

Management/SSO project

Slide 33 © phion AG

WAF Recommendations

� Make WAF part of an overall application security strategy. Consider layering of WAF functionality to minimize risk and maximize flexibility.

� Involve enterprise architects, application delivery, and developers in order to maximize benefit and comfort with security controls.

� Strongly consider non core-WAF functionality during evaluationand ensure these are in line with evolving delivery and development models.

� Use out-of-the box black list rules for basic security, but prepare to spend time and effort to customize in order to achieve proper efficacy.

� Exercise application change process during evaluation to guess maintenance costs

12

Slide 34 © phion AG

� Looking at network packets is sometimes a too narrow view...

Looking from the right angle

Slide 35 © phion AG

� Only a WAF has the full picture because it works on the application level

Looking from the right angle

Slide 36

Thank you!