Layer 7: Securing Web 2.0 - What You Need to Know
1. Securing Web 2.0
What You Need to Know
K. Scott Morrison
VP Engineering and Chief Architect
January 2007
2. Bio – K. Scott Morrison
VP Engineering & Chief Architect at Layer 7 Technologies
• http://www.layer7tech.com
• Layer 7 is based in Vancouver BC, Canada
Co-author of Sams’ Java Web Services Unleashed and Wrox’s
Professional JMS
• Over 50 other publications in academic journals and trade magazines
Co-Editor WS-I Basic Security Profile
Co-Author WS-Federation
Frequent speaker on Web services, XML, mobile/wireless
computing systems, distributed systems architecture, and Java
design issues
January 2007
SecureSpan™ Gateway Overview Proprietary and Confidential 2
3. Agenda
Web 2.0
AJAX
What’s new about this?
The collision between AJAX & SOA
What are the new threat vectors
Mitigation strategies
Infrastructure solutions
4. Web 2.0
Web 2.0 isn’t a technology
It’s actually an approach to building for the Web
Web 2.0 is:
Aggregation of content
Collaboration
Synergizing the efforts of individuals
Rich interaction models
Examples: MySpace, Flickr, Google Maps, Google Gmail, Google Suggest, del.icio.us, etc.
Remember: “You” is not a technology
Graphic source: http://www.time.com/time/covers/0,16641,20061225,00.html
5. AJAX
AJAX is an approach underpinning Web 2.0
Provides rich browser interaction models
This contributes to goal of fostering individual contributions
Can also be used to aggregate content
AJAX is really a slick new name for existing technology:
1. (X)HTML and CSS for presentation markup
2. DOM and JavaScript for dynamic content
3. XMLHttpRequest (XHR), IFrame, dynamic <SCRIPT> hack for asynchronous content retrieval
4. XML, JSON, JavaScript Objects, or just text for data communication
So what is different here?
6. Web 1.0
[Diagram: a web browser on the Internet talks through a firewall to a web application server and a directory server on the corporate network. The user clicks a link, presses a button, is referred, etc.]
7. Web 1.0 (cont.)
[Diagram: the browser sends an HTTP GET or POST request through the firewall; the web application server performs AuthN and AuthR against the directory server. Request data travels in HTTP headers plus query parameters or POST contents.]
8. Web 1.0 (cont.)
[Diagram: the web application server returns an HTTP response (HTML, images, JavaScript, etc.) and the browser renders a new page. The user experiences long latency delays that affect usability.]
9. Web 2.0 – AJAX Paradigm
[Diagram: the request proceeds as before, but the HTTP response is a page load of HTML with an embedded JavaScript engine (HTML, images, JavaScript engine, etc.). This separates presentation from content retrieval.]
10. Web 2.0 – AJAX Paradigm (cont.)
[Diagram: the user now interacts with the AJAX engine in the browser, which sends HTTP GET, POST, PUT, DELETE, HEAD, etc. requests to a service behind the firewall and receives HTTP responses carrying XML, JSON, JavaScript objects, text, etc.]
11. Web 2.0 – Server Side Aggregations
Look familiar? It’s data integration all over again…
New data, new transport, same old problems
[Diagram: the user interacts with the web application server, which pulls external information (RSS, ATOM, XML, etc.) from external feeds and services and returns an aggregate content page.]
This, of course, could also be an AJAX-based application
There are also models for client-side (browser) aggregation
12. What are the Threats?
Threats Against The Client
New attack surface: the AJAX engine itself
Loads of potential parameter & injection attacks. Attempts to hijack session tokens, cookies, etc.
Cross Site Scripting (XSS), Cross Site Request Forgery (XSRF)
Lots of potentially dangerous things to query or even set. Consider the DOM:
document.URL
document.cookie
document.domain
document.referrer
etc…
Turn off JavaScript??? No.
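The two client-side habits behind the threats listed above, each shown vulnerable beside its fix. This is an added example for this page, not code from the original deck or from Layer 7; it runs under Node.js, and the "service responses" in it are constructed stand-ins, not captured traffic.

```javascript
// Added example (not from the slides): the two client-side habits that turn
// the AJAX engine into an attack surface, each beside its fix. Runs under
// Node.js; the "service responses" are constructed stand-ins, not captured traffic.

// Habit 1 (vulnerable): a 2007-era engine often turned a response into an
// object with eval('(' + xhr.responseText + ')'). Whoever can alter the
// response (compromised service, injected proxy, poisoned feed) then runs
// JavaScript in the page with the user's cookies and DOM in reach.
function decodeWithEval(responseText) {
  return eval('(' + responseText + ')');
}

// Fix: JSON.parse accepts only the JSON grammar; no calls, assignments or
// comma expressions. Hostile input becomes a SyntaxError, not executed code.
function decodeWithJsonParse(responseText) {
  return JSON.parse(responseText);
}

// Constructed hostile response: valid JavaScript, not valid JSON. The middle
// operand runs as a side effect under eval(); the last operand is what the
// caller receives, so the application sees a normal-looking quote.
const HOSTILE_SCRIPT_RESPONSE =
  '{"sym":"ACME","quote":42}, (globalThis.leakedByEval = "cookie-theft-ran"), {"sym":"ACME","quote":42}';

// Habit 2 (vulnerable): data that passed JSON.parse is still untrusted
// content. Concatenating it into markup (innerHTML in the browser) lets a
// value such as <img src=x onerror=...> execute: XSS through the data channel.
function renderQuoteUnsafe(q) {
  return '<li>' + q.sym + ': ' + q.quote + '</li>';
}

// Fix: escape the characters that can change HTML context before the value
// reaches markup. In a real page prefer text nodes (el.textContent = value)
// over innerHTML altogether.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderQuoteSafe(q) {
  return '<li>' + escapeHtml(q.sym) + ': ' + escapeHtml(q.quote) + '</li>';
}

// Constructed: well-formed JSON whose *value* carries the payload.
const HOSTILE_JSON_RESPONSE =
  '{"sym":"<img src=x onerror=alert(document.cookie)>","quote":42}';

// Exercise both habits against both responses and report what happened.
function demo() {
  const viaEval = decodeWithEval(HOSTILE_SCRIPT_RESPONSE);
  let jsonParseRejected = false;
  try {
    decodeWithJsonParse(HOSTILE_SCRIPT_RESPONSE);
  } catch (e) {
    jsonParseRejected = e instanceof SyntaxError;
  }
  const quote = decodeWithJsonParse(HOSTILE_JSON_RESPONSE);
  return {
    evalLooksNormal: viaEval.quote === 42,                        // the app notices nothing
    evalRanSideEffect: globalThis.leakedByEval === 'cookie-theft-ran',
    jsonParseRejected,
    unsafeHtml: renderQuoteUnsafe(quote),                         // carries a live <img onerror>
    safeHtml: renderQuoteSafe(quote),                             // inert text
  };
}

console.log(demo());
```

The point of the first half is that eval() cannot tell a quote from a program; the response channel is only as trustworthy as every party that can touch it. The point of the second half is that a parser that accepts the data says nothing about whether the data is safe to put into the DOM, which is exactly why document.cookie and friends are worth worrying about.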
13. What are the Threats (cont.)?
Threats Against The Server
Classic attack surface, but with new challenges
Exposed ports: 80, 443
In: richer parameter attacks, XML-based DoS attacks, etc.
Out: information leaking, integrity compromise, injection, etc.
Big problem: XML parsers are just too helpful and naive
14. What are the Threats (cont.)?
Threats Against Content (external feeds and services)
In: session hijacking, unauthorized access, etc.
Out: integrity compromise, injection of poison content like scripts into XML, etc.
Another classic attack surface, but with still more new challenges
Note that the aggregator is just another web client. It’s not a browser, but many similar attacks still apply
15. Why Should You Care?
Big questions around corporate responsibility
Regulatory issues around privacy (HIPAA, PIPEDA, etc.)
Regulatory issues around accountability (Sarbanes-Oxley, etc.)
Liability for forged transactions
Liability for damage from compromised servers
Not to mention huge issues around brand and reputation damage accrued from a significant security event
16. Tactical Security Measures
Clients (browsers)
Tough area to secure
Must ensure you are serving solid code
Rigorous code review
AJAX has submarine complexity
Ensure that data streams you serve are validated
Redaction, strict validation to tightened schemas
[Diagram: servers offer clean and secure code, and validated and cleansed data, to the web browser.]
The problem with JavaScript is that it makes it easy to write code, but hard to write secure code
17. Tactical Security Measures (cont.)
Core Servers (Web application servers)
More control, and more mature best practices
Add rigorous AuthN, AuthR, Audit
Look at cryptographic model
Inward: DoS protect, threat protect, parameter validate
Outward: Schema validation and redaction
[Diagram: validate params on the way in, validate and cleanse data on the way out, all over a secure channel.]
What makes this difficult is the added complexity of XML data structures, and the richer attack surface of service-based APIs
18. Tactical Security Measures (cont.)
Aggregation Servers (Application servers)
Emerging area, with few best practices
Encourage authenticated access model
You may be forced into this anyway…
Look at cryptographic model
Incoming data: Validate feed content
Strip potential exploits like embedded <SCRIPT> tags
[Diagram: authenticate access to the external feed, validate and threat-protect the data feed, over a secure channel.]
The big problem here is you may not have control of the source of the data. A large number of sites are cracking down on “unauthorized” use in mashups.
Furthermore, APIs may change radically, making it critical to validate the incoming feed against a schema to catch API updates
19. Thanks For Nothing Scott: “So How Do I Really Do This?”
You could just build it into your systems…
But that is brittle and error-prone
What you really need is specialized infrastructure built for this
purpose
Needs to be:
High performance
Scalable
Simple to configure
And most important: offer tunable security policy
20. Why Tunable Policy?
Not all services are equal:
getStockQuote(): anonymous access, unsecure channel
buyStock(): authenticated and authorized access, secured (integrity and privacy) channel or message
Policy (the security processing model) must be customized to the business requirements
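A minimal "tunable policy" request screen that puts the core-server measures from slide 17 (AuthN, method control, parameter validation) and the two-service contrast above into one decision function. This is an added example, not code from the deck or from Layer 7; it runs under Node.js. The service names come from the slide; the parameter names, patterns and the request shape are assumptions made for the example.

```javascript
// Added example (not from the slides, not Layer 7 code): a minimal "tunable
// policy" request screen in the spirit of slides 17 and 20, for Node.js.
// Each service carries its own policy: allowed HTTP methods, whether the
// caller must be authenticated, whether the channel must be TLS, and a tight
// schema for its parameters. Anything not covered by a policy is denied. The
// service names come from slide 20; the parameter names, patterns and the
// request shape are assumptions made for this example.

const POLICIES = {
  // Public, read-only price lookup: anonymous, plain HTTP tolerated (slide 20).
  getStockQuote: {
    methods: ['GET', 'HEAD'],
    requireAuth: false,
    requireTls: false,
    params: { sym: { pattern: /^[A-Z]{1,6}$/, required: true } },
  },
  // Value-moving transaction: authenticated, TLS only, POST only.
  buyStock: {
    methods: ['POST'],
    requireAuth: true,
    requireTls: true,
    params: {
      sym: { pattern: /^[A-Z]{1,6}$/, required: true },
      qty: { pattern: /^[1-9][0-9]{0,5}$/, required: true },
      account: { pattern: /^[0-9]{8}$/, required: true },
    },
  },
};

const deny = (reason) => ({ allow: false, reason });

// Screen one request. `req` is an assumed plain description of what arrived:
// { service, method, tls, authenticatedUser, params }, where params maps a
// name to a string, or to an array of strings when the name was repeated.
function screenRequest(req, policies = POLICIES) {
  const policy = policies[req.service];
  if (!policy) return deny('unknown service: ' + req.service); // default deny
  if (!policy.methods.includes(req.method)) {
    return deny('method ' + req.method + ' not allowed for ' + req.service); // method control
  }
  if (policy.requireTls && !req.tls) return deny('TLS required');
  if (policy.requireAuth && !req.authenticatedUser) return deny('authentication required');

  // Parameter validation: every name must be declared, appear once, and
  // match its pattern; every required name must be present. Patterns are
  // full-string anchored allowlists, not blocklists of "bad" characters.
  for (const [name, value] of Object.entries(req.params)) {
    const rule = policy.params[name];
    if (!rule) return deny('undeclared parameter: ' + name);
    const values = Array.isArray(value) ? value : [value];
    if (values.length !== 1) return deny('repeated parameter: ' + name); // parameter pollution
    if (typeof values[0] !== 'string' || !rule.pattern.test(values[0])) {
      return deny('parameter fails schema: ' + name);
    }
  }
  for (const [name, rule] of Object.entries(policy.params)) {
    if (rule.required && !(name in req.params)) return deny('missing parameter: ' + name);
  }
  return { allow: true, reason: 'ok' };
}

// Constructed sample traffic (not captured), one request per decision path.
const ORDER = { sym: 'ACME', qty: '10', account: '12345678' };
const SAMPLE_REQUESTS = [
  { service: 'getStockQuote', method: 'GET', tls: false, authenticatedUser: null, params: { sym: 'ACME' } },
  { service: 'getStockQuote', method: 'GET', tls: false, authenticatedUser: null, params: { sym: "ACME' OR 1=1--" } },
  { service: 'buyStock', method: 'GET', tls: true, authenticatedUser: 'alice', params: ORDER },
  { service: 'buyStock', method: 'POST', tls: false, authenticatedUser: 'alice', params: ORDER },
  { service: 'buyStock', method: 'POST', tls: true, authenticatedUser: null, params: ORDER },
  { service: 'buyStock', method: 'POST', tls: true, authenticatedUser: 'alice', params: ORDER },
  { service: 'buyStock', method: 'POST', tls: true, authenticatedUser: 'alice', params: { ...ORDER, qty: ['10', '100000'] } },
  { service: 'sellEverything', method: 'POST', tls: true, authenticatedUser: 'alice', params: {} },
];

function screenAll(requests = SAMPLE_REQUESTS) {
  return requests.map((r) => screenRequest(r));
}

console.log(screenAll());
```

Every rule is an allowlist and the default is deny, which is what makes the policy "tunable" in a safe direction: loosening a service is an explicit edit to its entry, not the absence of a rule. The anonymous, plaintext getStockQuote policy reproduces the deck's own 2007 example; a deployment today would set requireTls for every service and keep the rest of the table as the knob.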
21. Securing Web 2.0: SecureSpan Data Screen™
22. Securing Web 2.0: SecureSpan Data Screen™
Hardware appliance for Web, REST, & AJAX security processing
ASICs for XML schema validation, XPath, XSLT, cryptographic operations
Fully clustered
Policy-based processing model
Browser-based management and operations console
Integration with all major directory, IAM, access control servers
Integration with Symantec antivirus scan engine
[Diagram: a web browser-based management console in front of a SecureSpan Data Screen™ cluster.]
23. Securing Web 2.0: SecureSpan Data Screen™
Gateway deployment for incoming calls
Wire speed schema validation of XML entering network
Rigorous HTTP parameter validation
Tight control over HTTP methods (GET, POST, DELETE, PUT, etc.). Control over REST.
Hardware transformation of XML content in and out of network
Throttle access to back end services
Traffic shaping across server farms
XML threat detection
Endpoint for SSL and XML document security (encryption, signature & canonicalization according to W3C specs)
Controlled stripping of <SCRIPT>, eval() (PHP, JS, Python, etc.), shell injection attacks, etc. to combat XSS
[Diagram: the gateway sits between the Internet-facing web browser and the web application server and directory server on the corporate network.]
24. Securing Web 2.0: SecureSpan Data Screen™
Proxy deployment for outgoing calls
[Diagram: the gateway proxies the web application server's outbound requests for RSS, ATOM, XML, etc. from external services on the Internet.]
Wire speed validation of XML entering network
Stripping of potentially harmful data in feeds (<SCRIPT>, etc.)
Management of outgoing cryptography and credentials
Wire speed transformation of XML data to insulate internal servers from external API changes
25. Summary
Web 2.0 and the technologies associated with it are too good to
ignore
However, they introduce huge new security complexities
The only way to deal with these effectively is with diligence,
rigor, and specialized infrastructure to manage an evolving threat
model
Layer 7’s SecureSpan Data Screen™ provides the tools to help
secure Web 2.0, REST, AJAX, SOA, RSS and ATOM today.
26. For further information:
K. Scott Morrison
Layer 7 Technologies
1501 – 700 West Georgia St.
Vancouver, B.C. V7Y 1B6
Canada
(800) 681-9377
smorrison@layer7tech.com
http://www.layer7tech.com