Recommandé
Contenu connexe
Tendances
Tendances (20)
En vedette
En vedette (20)
Similaire à F5 - BigIP ASM introduction
Similaire à F5 - BigIP ASM introduction (20)
Plus de Jimmy Saigon
Dernier
Dernier (20)
F5 - BigIP ASM introduction
- 1. 1 BIG-IP ASM Comprehensive Application Security Presenter
- 2. 2 Attacks are Moving “Up the Stack” Network Threats Application Threats 90% of security 75% of attacks focused investment focused here here Source: Gartner
- 3. 3 Almost every web application is vulnerable! • “97% of websites at immediate risk of being hacked due to vulnerabilites! 69% of vulnerabilities are client side-attacks” - Web Application Security Consortium • “8 out of 10 websites vulnerable to attack” - WhiteHat “security report ” • “75 percent of hacks happen at the application.” - Gartner “Security at the Application Level” • “64 percent of developers are not confident in their ability to write secure applications.” - Microsoft Developer Research
- 4. 4 Figure 2 and 5: 10th Website Security Statistics Report (Q3 2010)
- 5. 5 How long to resolve a vulnerability? Website Security Statistics Report
- 6. 6 Developers are asked to do the impractical... Application Security? Application Patching Application Application Development Scalability Application Performance
- 7. 7 Who is responsible for application security? Web developers? Network Security? Engineering services? DBA?
- 8. 8 Traditional Security Devices vs. WAF Network IPS ASM Firewall Known Web Worms Limited Unknown Web Worms X Limited Known Web Vulnerabilities Limited Partial Unknown Web Vulnerabilities X Limited Illegal Access to Web-server files Limited X Forceful Browsing X X File/Directory Enumerations X Limited Buffer Overflow Limited Limited Cross-Site Scripting Limited Limited SQL/OS Injection X Limited Cookie Poisoning X X Hidden-Field Manipulation X X Parameter Tampering X X Layer 7 DoS Attacks X X Brute Force Login Attacks X X App. Security and Acceleration X X
- 9. 9 Web Application Firewall - ASM Intelligent Client Network Plumbing Application Infrastructure Application Buffer Overflow DDOS Brute Force Cross-Site Scripting SQL/OS Injection Error Messages Cookie Poisoning HTTP/S Traffic Non-compliant Content Hidden-Field Manipulation Credit Card / SSN data Application DoS Attacks Server Fingerprints IPS App User Firewall App VPN Firewall IDS-IDP Anti-Virus
- 10. 10 Leading web attack protection BIG-IP Application Security Manager Users o Protect from latest web threats o Out-of-the box deployment Web Application o Meeting PCI compliance Security o Quickly resolve vulnerabilities o Improve site performance Web Applications Private Public Physical Virtual Multi-Site DCs Cloud
- 11. 11 Automatic DOS Attack Detection and Protection o Accurate detection technique – based on latency o 3 different mitigation techniques escalated serially o Focus on higher value productivity while automatic controls intervene Detect a DOS condition Identify potential attackers Drop only the attackers
- 12. 12 PCI Compliance Reporting PCI DSS reporting: • Details security measures required • Compliancy state • Steps to become compliant
- 13. 13 Protection from all of the top vulnerabilities • OWASP Top 10 Web Application Security Risks: – A1: Injection – A2: Cross-Site Scripting (XSS) – A3: Broken Authentication and Session Management – A4: Insecure Direct Object References – A5: Cross-Site Request Forgery (CSRF) – A6: Security Misconfiguration – A7: Insecure Cryptographic Storage – A8: Failure to Restrict URL Access – A9: Insufficient Transport Layer Protection – A10: Unvalidated Redirects and Forwards
- 14. 14 Example: OWASP Top 5 - CSRF Attack CSRF Attack example 1. Mobile user logs in to a trusted site Trusted Web 2. Session is authenticated Encrypted Site Trusted Action 3. User opens a new tab e.g., chat 4. Hacker embeds a request in the chat 5. The trusted link asks the browser to send a request to the hacked site
- 15. 15 Reporting
- 16. 16 Application visibility and reporting Monitor URIs for server latency • Troubleshoot server code that causes latency
Notes de l'éditeur
- A1 –Injection•Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.A2 –Cross-Site Scripting (XSS)•XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.A3 –Broken Authentication and Session Management•Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, session tokens, or exploit other implementation flaws to assume other users’ identities.A4 –Insecure Direct Object References•A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.A5 –Cross-Site Request Forgery (CSRF)•A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.A6 –Security Misconfiguration•Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. All these settings should be defined, implemented, and maintained as many are not shipped with secure defaults. This includes keeping all software up to date, including all code libraries used by the application.A7 –Insecure Cryptographic Storage•Many web applications do not properly protect sensitive data, such as credit cards, SSNs, and authentication credentials, with appropriate encryption or hashing. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes.A8 -Failure to Restrict URL Access•Many web applications check URL access rights before rendering protected links and buttons. However, applications need to perform similar access control checks each time these pages are accessed, or attackers will be able to forge URLs to access these hidden pages anyway.A9 -Insufficient Transport Layer Protection•Applications frequently fail to authenticate, encrypt, and protect the confidentiality and integrity of sensitive network traffic. When they do, they sometimes support weak algorithms, use expired or invalid certificates, or do not use them correctly. A10 –Unvalidated Redirects and Forwards•Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
- Spring 2009 Website Security Statistics Report from WhiteHat Security82% of websites have had a HIGH, CRITICAL, or URGENT issue 63% of websites currently have a HIGH, CRITICAL, or URGENT issue 60% vulnerability resolution rate among sample with 7,157 (out of 17,888 historical vulnerabilities) unresolved issues remaining as of 3/31/09 Vulnerability time-to-fix metrics are not changing substantively, typically requiring weeks to months to achieve resolution. Average # of HIGH, CRITICAL, or URGENT severity vulnerabilities per website during the vulnerability assessment lifetime: 17 Average number of serious unresolved vulnerabilities per website: 7 Average number of inputs (attack surface) per website: 227 Average ratio of vulnerability count / number of inputs: 2.58%
- Out of the box securityLog and report all application trafficProvides L2->L7 protectionPCI ComplianceComprehensive protection for all web app vulnerabilitiesSecurity policy enforcement inbound (Request) as well as outbound (Response) traffic protecting the application from attacks including OWASP top 10
- Dos Configuration:Integratesapp latency measurement with client TPS measurement to gain visibility of the application sessionsThe integration and visibility then enable us to put the session into context, “what should or should not happen,” and apply policy.If conditions don’t conform to policy, take action by rate-limiting offending client. Layer 7 DoSProctection– Block application DoS attacks and increase end-user application performance with accurate triggers and automatic controls. This is based on a detection element and three different prevention methods which are applied one after another for in-depth prevention measures and techniques.Brute Force Protection – Detect and mitigate high volume failed login requests. ASM monitors server responses and when it detects multiple login failures related to a Brute Force Attack, ASM slows the requesting browser down.
- Now we have consolidated PCI reports. With new PCI reporting, BIG-IP ASM details security measures required by PCI DSS 1.2, if you are in compliance and if not, steps required to become compliant.
- A1 –Injection•Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.A2 –Cross-Site Scripting (XSS)•XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.A3 –Broken Authentication and Session Management•Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, session tokens, or exploit other implementation flaws to assume other users’ identities.A4 –Insecure Direct Object References•A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.A5 –Cross-Site Request Forgery (CSRF)•A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.A6 –Security Misconfiguration•Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. All these settings should be defined, implemented, and maintained as many are not shipped with secure defaults. This includes keeping all software up to date, including all code libraries used by the application.A7 –Insecure Cryptographic Storage•Many web applications do not properly protect sensitive data, such as credit cards, SSNs, and authentication credentials, with appropriate encryption or hashing. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes.A8 -Failure to Restrict URL Access•Many web applications check URL access rights before rendering protected links and buttons. However, applications need to perform similar access control checks each time these pages are accessed, or attackers will be able to forge URLs to access these hidden pages anyway.A9 -Insufficient Transport Layer Protection•Applications frequently fail to authenticate, encrypt, and protect the confidentiality and integrity of sensitive network traffic. When they do, they sometimes support weak algorithms, use expired or invalid certificates, or do not use them correctly. A10 –Unvalidated Redirects and Forwards•Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
- What is a Cross Site Request Forgery (CSRF) attack?In a CSRF attack a hacker is forcing the browser to send a stealth valid request which the attacker created to a website in which the victim has a sessionWhat are the dangers?Attackers can execute full transactions that can be used for finance fraud, DOS – anything)Hard for victims to prove that they didn’t commit the transactionsHard to trace the origin
- ASM can display the attacks based on country category. It’s easier for administrator to monitor where attacks are from and using policy to control that more efficiently
- Monitors URIs for Server Latency - ASM monitors and reports the most requested URIs and every URI for server latency. BIG-IP ASM obtains visibility to slow server scripts and troubleshoots server code that causes latency. We basically monitor top accessed pages for a web application, for last hour, last day and last week. For these pages we provide average TPS and average latency. In addition for every web application, we also provide a list of top accessing source IP address, with TPS and throughput for every IP address. These monitoring capabilities allow the admin visibility on how the application is being accessed and how it is behaving.