Web Application Security F5 Application Security Manager (ASM) - PowerPoint PPT Presentation

1
Web Application Security F5 Application
Security Manager (ASM)
Aslak Siira, a.siira@f5.com
2
Company Snapshot
Revenue
  • Leading provider of Application Delivery
    Networking products that optimize the security,
    performance and availability of network
    applications, servers and storage systems
  • Founded 1996 / Public 1999
  • Approx. 1,580 employees
  • FY07 Revenue $526M

22 consecutive quarters of sequential revenue
growth. For the third quarter of fiscal 2008, F5
Networks, Inc. (NASDAQ: FFIV) announced revenue
of $165.6 million, up 4 percent from $159.1
million in the prior quarter and 25 percent from
$132.4 million in the third quarter of fiscal
2007.
3
F5 Begins 2008 as #1 in the Application Delivery
Controller Market for Q108
Q108 Gartner ADC Market Share
  • Q108 ADC Market Share Leaders: F5 38.1%, Cisco 33%, Citrix 7.6%
  • Q108 ADC Market Share Revenue Leaders: F5 $109.8 Million, Cisco $95 Million, Citrix $21.8 Million
  • Q108 ADC Q/Q Revenue Growth: F5 3.1%, Cisco 6.7%, Citrix -18%
  • Q108 ADC Total Market Numbers: Revenue $288 Million, Q/Q Revenue Growth -5.2%, Y/Y Revenue Growth 15%
  • Application Delivery Controller (ADC) Segment Includes Server Load Balancing/Layers 4-7 Switching and Advanced (Integrated) Platforms

(Pie chart, Q108 ADC market share: F5 Networks 38.1%, Cisco 33%, Others 13.4%, Citrix 7.6%, Radware 5.3%, Foundry 2.6%. Source: Gartner)
4
F5 Blazes Competition in Advanced Platform ADC
Segment for Q108
Q108 Gartner Advanced Platform ADC Market Share
  • Q108 Advanced Platform ADC Market Share Leaders: F5 61.1%, Citrix 12.1%, Radware 8.5%
  • Q108 Advanced Platform ADC Market Share Revenue Leaders: F5 $109.8 Million, Citrix $21.8 Million, Radware $15.3 Million
  • Q108 Advanced Platform ADC Q/Q Revenue Growth: F5 3.1%, Citrix -18%, Radware -6.7%, Cisco 20.2%
  • Q108 Advanced Platform ADC Total Market Numbers: Revenue $179.7 Million, Q/Q Revenue Growth -3.8%, Y/Y Revenue Growth 15%
  • Advanced Platform Segment Includes ADCs that integrate several functions (typically more than four) on a single platform (for example, load balancing, TCP, connection management, SSL offload, compression and caching)

(Pie chart, Q108 Advanced Platform ADC market share: F5 Networks 61.1%, Others 13.2%, Citrix 12.1%, Radware 8.5%, Cisco 5.0%. Source: Gartner)
5
Enviable Leadership Position
Magic Quadrant for Application Delivery Products,
2008
  • F5 Networks - Strengths
  • Offers the most feature-rich AP ADC, combined
    with excellent performance and programmability
    via iRules and a broad product line.
  • Strong focus on applications, including
    long-term relationships with major application
    vendors, including Microsoft, Oracle and SAP.
  • Strong balance sheet and cohesive management
    team with a solid track record for delivering the
    right products at the right time.
  • Strong underlying platform allows easy
    extensibility to add features.
  • Support of an increasingly loyal and large
    group of active developers tuning their
    application environments specifically with F5
    infrastructure.

SOURCE Gartner
6
Application Security, Performance, Availability
(Diagram: Data Center Solutions spanning the Application Layer and the Network Layer; the network layer consists of routers, switches and firewalls, with intelligent clients on the other side.)
7
Application Security, Performance, Availability
(Diagram: as on the previous slide, with the applications, intelligent clients, TMOS modules, iRules and iControl functions placed between the application layer and the network layer of routers, switches and firewalls.)
8
F5's ADN: Freeing IT, Optimizing Business
(Diagram of F5's End-to-End Application Delivery Networking Solution, built on TMOS with iControl: Enterprise Manager / ControlPoint managing BIG-IP Local Traffic Manager, BIG-IP Global Traffic Manager, BIG-IP Link Controller, BIG-IP Application Security Manager, BIG-IP Web Accelerator, FirePass SSL VPN, WANJet and ARX File/Data Virtualization in front of Applications and Storage; clients shown are PC - LAN, PC - Home, Cell, WLAN, Remote - WAN and an International Data Center.)
9
Unique TMOS Architecture
  • TMOS traffic plugins
  • High-performance networking microkernel
  • Powerful application protocol support
  • iControl: external monitoring and control
  • iRules: network programming language

10
Application Deployment Guides
Configuration Templates
Deployment Guides: BEA WebLogic, Citrix, IBM WebSphere, Microsoft Exchange, Microsoft SharePoint, Microsoft Hyper-V, Microsoft IIS, Microsoft LCS, Microsoft OM, Microsoft ..., Oracle Access Manager, Oracle AS, Oracle E-Business Suite, SAP NetWeaver, Enterprise SOA, Siebel, VMWare . . .
11
Application Security Trends and Drivers
  • Webification of applications
  • Intelligent browsers and applications
  • Public awareness of data security
  • Increasing regulatory requirements
  • The next attackable frontier
  • Targeted attacks

12
Most web applications are vulnerable!
  • 70% of websites at immediate risk of being hacked!
    - Acunetix, Jan 2007, http://www.acunetix.com/news/security-audit-results.htm
  • 8 out of 10 websites vulnerable to attack
    - WhiteHat security report, Nov 2006, https://whitehatsec.market2lead.com/go/whitehatsec/webappstats1106
  • 75 percent of hacks happen at the application.
    - Gartner, Security at the Application Level
  • 64 percent of developers are not confident in their ability to write secure applications.
    - Microsoft Developer Research
  • The battle between hackers and security professionals has moved from the network layer to the Web applications themselves.
    - Network World

13
Top Five Vulnerabilities
  • Cross-Site Scripting: 7 of 10 websites vulnerable
  • Predictable Resource Location: 1 of 4 vulnerable
  • Content Spoofing: 1 of 4 websites vulnerable
  • Insufficient Authentication: 1 of 5 vulnerable
  • SQL Injection: 1 of 5 websites vulnerable

14
Web Application Security Professionals Survey
2007
  • Web Application Security Professionals Survey (Oct 2007), 140 professionals
  • Conclusions
  1. The vast majority of websites have at least one serious vulnerability.
  2. Many websites are being broken into, but no one knows about them, and that'll increase exponentially over the next few years.
  3. There is NO WAY the average user can protect themselves from being exploited.
  4. The standard mandated by the credit card industry, PCI-DSS, makes little difference to the security of a website.
  5. Web application vulnerability scanners miss just about as many of the most common issues as they find.

15
So what does it mean?
Everyone has vulnerabilities
Hacker makes music distributors advertise pirates
Simple SQL injection in user name ' OR 1=1
allowed admin access into Deutsche Bank web site
in October 2007
16
And that means everyone: http://forum.f-secure.com, December 2007
17
www.owasp.org Top Ten Project
18
Developers are asked to do...
Application Development
Add application availability
19
Who is responsible for application security?
Web developers?
Network Security?
Engineering services?
DBA?
20
Challenges of traditional solutions
  • HTTP is stateless, the application is stateful
  • Web applications are unique: there are no signatures for YOUR web application
  • Tight development time-frames and lack of security expertise lead to vulnerabilities
  • Code written by third parties
  • Good protection has to inspect the response as well
  • Encrypted traffic alone doesn't protect the server

21
Lines of Code comparison
BEA WebLogic: > 10 000 000 LoC (estimated)
Your Code: ?
22
Web Application Security
(Diagram: attacks now look to exploit application vulnerabilities. Perimeter security is strong, but it is open to web traffic on port 80 and port 443; high information density makes the application a high-value attack target.)
23
Payment Card Industry (PCI)
  • VISA's Digital Dozen
  • Has Been Adopted by All Card Associations

Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Maintain an Information Security Policy
  12. Maintain a policy that addresses information security
24
PCI Requirement 4
  • Encrypt transmission of cardholder data across open, public networks
  • Sensitive information must be encrypted during transmission over networks that are easy and common for a hacker to intercept, modify, and divert data while in transit.
  • 4.1 Use strong cryptography and security protocols such as SSL, TLS, and/or IPSEC during transmission over open, public networks.
  • 4.1.1 For wireless networks transmitting cardholder data, encrypt the transmissions by using WiFi protected access (WPA or WPA2) technology, IPSEC VPN, or SSL/TLS. (Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN.)
  • 4.2 Never send unencrypted PANs (Personal Account Number) by e-mail.

25
PCI Requirement 5
  • Use and regularly update anti-virus software or programs
  • Many vulnerabilities and malicious viruses enter the network via employees' e-mail activities. Anti-virus software must be used on all systems commonly affected by viruses to protect systems from malicious software.
  • 5.1 Deploy anti-virus software on all systems commonly affected by viruses (particularly personal computers and servers)
  • Note: Systems commonly affected by viruses typically do not include UNIX-based operating systems or mainframes.
  • 5.1.1 Ensure that anti-virus programs are capable of detecting, removing, and protecting against other forms of malicious software, including spyware and adware.
  • 5.2 Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs.

26
PCI Requirement 6
  • Develop and maintain secure systems and applications
  • 6.1 Ensure that all system components and software have the latest vendor-supplied security patches installed within one month of release.
  • 6.2 Establish a process to identify new security vulnerabilities. Update standards to address new vulnerabilities.
  • 6.3 Develop software applications based on industry best practices and incorporate information security throughout the software development life cycle.
  • 6.4 Follow change control procedures for all system and software configuration changes.
  • 6.5 Develop all web applications based on secure coding guidelines such as the Open Web Application Security Project guidelines. Review custom application code to identify coding vulnerabilities. Cover prevention of common coding vulnerabilities in software development processes, to include the OWASP Top 10.
  • 6.6 Ensure that all web-facing applications are protected against known attacks by applying either of the following methods:
  • Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security
  • Installing an application layer firewall in front of web-facing applications. (Note: This method will be a requirement on June 30, 2008; until then it is a best practice.)

27
Traditional Security Devices vs. Web Application
Firewall (ASM)
(Comparison table of traditional security devices against ASM; the per-column marks did not survive the transcript. Attack classes compared:)
  • Known Web Worms
  • Unknown Web Worms
  • Known Web Vulnerabilities
  • Unknown Web Vulnerabilities
  • Illegal Access to Web-server files
  • Forceful Browsing
  • File/Directory Enumerations
  • Buffer Overflow
  • Cross-Site Scripting
  • SQL/OS Injection
  • Cookie Poisoning
  • Hidden-Field Manipulation
  • Parameter Tampering
28
Web Application Protection Strategy
Web Apps
  • Only protects against known vulnerabilities
  • Difficult to enforce, especially with sub-contracted code
  • Only periodically updated: large exposure window
  • Done periodically: only as good as the last test
  • Only checks for known vulnerabilities
  • Does it find everything?
  • Real-time 24 x 7 protection
  • Enforces best practice methodology
  • Allows immediate protection against new vulnerabilities

29
Defining Terms: Object Types
  • Sample URL
  • http://www.myapplication.com/login.php?user=MyUser&pass=MyPassword
  • Object Types
  • The file extension of the requested object.
  • In the example above, .php would be the Object Type.
  • The most basic positive security mechanism.
  • The learning mechanisms will learn all the types in your application (e.g. jpg, php, gif, jsp, etc.).
  • The application can then be locked down to the directories each of these types is found in (e.g. /images/ is where all .jpg and .gif files are).

30
Defining Terms: Object Names
  • Sample URL
  • http://www.myapplication.com/login.php?user=MyUser&pass=MyPassword
  • Object Names
  • The actual names of all objects of a certain type.
  • Performed after the application firewall has learned the object types.
  • In the example above the object name is login.php.
  • For any given file type you can define whether to check object names (at that point all object names for that type are checked).
  • If object names are being checked for the .php extension, then the names of all .php objects need to be defined.

31
Defining Terms: Parameter Names
  • Sample URL
  • http://www.myapplication.com/login.php?user=MyUser&pass=MyPassword
  • Parameter Names
  • The parameter names that are passed to an object.
  • In the example above, user and pass are the parameter names passed to the object.
  • Parameters can be defined as mandatory or optional.
  • Prevents forceful insertion of parameters.
  • Also checks hidden controls and parameters on web pages to prevent hidden field tampering.

32
Defining Terms: Parameter Values
  • Sample URL
  • http://www.myapplication.com/login.php?user=MyUser&pass=MyPassword
  • Parameter Values
  • The parameter values that are passed to the parameters in the object.
  • In the example above these are MyUser and MyPassword.
  • These can be checked for character sets, lengths, etc.
  • Character sets defined for individual parameters supersede global character set checks.

33
Defining Terms: Object Flows
  • Sample URL
  • http://www.myapplication.com/login.php?user=MyUser&pass=MyPassword
  • Object Flows
  • Maps the flow of the application.
  • This is done by mapping which parts of the application you needed to flow through to get to a certain place in the application.
  • This can be complicated to manage for large applications.
  • Example: before visiting Page 8 of the application you had to flow from Page 1 -> Page 3 or Page 4 -> Page 8.
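The five entity layers defined on these slides (object type, object name, parameter names, parameter values, object flow), as an added Python example that is not code from the presentation or from F5's product: a toy positive-security checker that evaluates one request against a constructed policy for the slides' www.myapplication.com sample URL. The flow check treats the Referer path as the "previous page", an assumption made for this example.

```python
import posixpath
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set
from urllib.parse import parse_qs, urlsplit


@dataclass
class ParamRule:
    mandatory: bool = False   # the request must carry this parameter
    max_len: int = 64         # longest value accepted


@dataclass
class ObjectRule:
    params: Dict[str, ParamRule] = field(default_factory=dict)  # learned parameter names
    flows_from: Optional[Set[str]] = None   # learned predecessors; None = any entry point


@dataclass
class Policy:
    type_dirs: Dict[str, Set[str]]   # object type -> directories it was learned in
    objects: Dict[str, ObjectRule]   # object name (path) -> its rule
    value_charset: str = r"[A-Za-z0-9_.@-]"   # global character class for values


def check(policy: Policy, url: str, referer: Optional[str] = None) -> List[str]:
    """Evaluate one request bottom-up through the entity layers; an empty list
    means the request stays inside what was learned about the application."""
    violations: List[str] = []
    parts = urlsplit(url)
    directory, filename = posixpath.split(parts.path)
    ext = posixpath.splitext(filename)[1].lstrip(".").lower()
    # 1. Object type: the extension must be known, and only in its learned directories
    if ext not in policy.type_dirs:
        return [f"illegal object type '{ext}'"]
    if directory not in policy.type_dirs[ext]:
        violations.append(f"object type '{ext}' not allowed in {directory}")
    # 2. Object name: the concrete file must itself have been learned
    rule = policy.objects.get(parts.path)
    if rule is None:
        violations.append(f"illegal object name {parts.path}")
        return violations
    # 3. Parameter names: mandatory ones present, no forcefully inserted extras
    params = parse_qs(parts.query, keep_blank_values=True)
    for name, prule in rule.params.items():
        if prule.mandatory and name not in params:
            violations.append(f"missing mandatory parameter {name}")
    for name in params:
        if name not in rule.params:
            violations.append(f"illegal parameter {name}")
    # 4. Parameter values: length and character set of every known parameter
    for name, values in params.items():
        prule = rule.params.get(name)
        if prule is None:
            continue
        for val in values:
            if len(val) > prule.max_len:
                violations.append(f"parameter {name} too long ({len(val)} > {prule.max_len})")
            if not re.fullmatch(policy.value_charset + "*", val):
                violations.append(f"illegal character in parameter {name}")
    # 5. Object flow: the object may only be reached from its learned predecessors
    if rule.flows_from is not None:
        came_from = urlsplit(referer).path if referer else None
        if came_from not in rule.flows_from:
            violations.append(f"illegal flow to {parts.path} from {came_from}")
    return violations


# Constructed sample policy for the slides' www.myapplication.com example
POLICY = Policy(
    type_dirs={"php": {"/"}, "jpg": {"/images"}, "gif": {"/images"}},
    objects={
        "/login.php": ObjectRule(params={"user": ParamRule(mandatory=True, max_len=32),
                                         "pass": ParamRule(mandatory=True)}),
        "/account.php": ObjectRule(flows_from={"/login.php"}),  # only reachable after login
        "/images/logo.gif": ObjectRule(),
    },
)
```

Calling check(POLICY, url, referer) returns the list of violations, so the same request can be tried with and without a Referer to see the flow rule fire.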

34
Positive Security Definition and Learning
(Diagram: a pyramid of policy entities, from the typical standard starting point at the bottom to a tighter security posture at the top: Object Types, Object Names, Parameter Names, Parameter Values, Object Flows, with policy tightening suggestions above them.)
  • Policy-Building Tools
  • Automatic Learning and policy building
  • Trusted IP Learning
  • Live Traffic Learning
  • Crawler
  • Negative RegEx
  • Template
35
Web Application Security with ASM
(Diagram: browser traffic passes through ASM, which allows legitimate requests and stops bad requests and responses.)
36
Security Policy in ASM
(Diagram: browser traffic enters ASM enforcement; responses get content scrubbing and application cloaking.)
  • Can be generated automatically or manually
  • Highly granular on configuration and blocking
  • Easy to understand and manage
  • Bi-directional
  • Inbound protection from generalised and targeted attacks
  • Outbound content scrubbing and application cloaking
  • Application content and context aware

37
Negative Security vs Positive Security
  • Negative Security
  • Relies on patterns or signatures to define known attacks.
  • Checks RFC compliance for anomalies.
  • Basically always looks for the known bad and then takes action.
  • Unable to stop zero-day attacks.
  • Positive Security
  • Relies on knowing the inner workings of an application.
  • Checks for actions that fall outside the application's set of allowed actions: queries, character sets, flows, objects, etc.
  • Prevents zero-day attacks.
  • ASM Benefits
  • Utilizes both positive security and negative security to augment each other.

38
Multiple Security Layers
  • RFC enforcement: HTTP request, cookies, ...
  • Black lists, attack signatures (system or user provided), auto update, evasion, ...
  • Various HTTP limits enforcement: headers, method, cookies, ...
  • Profiling of what good traffic looks like: defined list of allowed file types, lengths, URIs, parameters, ...
  • Each parameter is evaluated separately for pre-defined value, length, character set, attack patterns, ...

39
Immediate Value
  • Tightening model: deployment starts with open rules
  • Gradually introduce more specific policy rules
  • Specific rules are applied before general rules
  • General rules are taken out of the policy

40
Policy Builder: Automation in Policy Building
  • Creates advanced security policies automatically
  • Highly accurate policies: every source of information is used (responses, requests, heuristics, trusted IP)
  • Automatic detection and policy generation after site updates
  • Fits into any deployment scenario

41
Policy Wizard
  • Leads you through the policy building process, where you choose the following settings:
  • Application Policy Template, or
  • the systems in use, to select the relevant attack signatures
  • Automatic or manual policy building
  • For manual policy building it creates the wildcards automatically

42
Application Policy Templates
  • OWA
  • Sharepoint
  • Lotus Domino Mail Server
  • Oracle Financials
  • SAP Netweaver
  • Generic
  • And others will follow

43
XML Firewall
  • Well-formedness validation
  • Schema/WSDL validation
  • Method selection
  • Attack signatures for XML platforms
  • Backend parser protection
  • XML islands application protection
  • Full request logging

44
Extended security features
  • Dynamic parameter protection
  • Login page enforcement
  • Information leakage prevention: Data Guard
  • Pre-defined or custom patterns can be applied to any text response from the server to mask sensitive information or block the response.
  • Detailed granular positive protection for every entity: protocol, headers, URI, parameter
  • Automatic signature update
  • Staging

45
Protection for Dynamic Values or Hidden Field
Manipulation
46
Example SAP Application
  • Protect the session information in the URI
  • https://saptest.xyz.de/sap(bD1kZSZjPTAxMA)/...
  • Protect dynamic parameter names and values
  • Tdokfilter_subdok_dokstrukturK2_Y123456789103459185F

47
Flexible Policy Granularity
Search for command injection
  • Single quote is a command delimiter
  • Best practice is to disallow it from parameters wherever possible
  • Easiest to achieve with a generic policy applied to the whole site

BUT . . .
User Name: O'Connor
  • Single quote needed in some parameters
  • Need to be able to selectively relax the policy, e.g. single quote allowed in this parameter
  • Need to limit use within the relaxed policy, e.g. only one single quote allowed in this parameter
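The selective relaxation described on this slide, together with the rule from the Parameter Values slide that per-parameter character sets supersede the global check, as an added Python example that is not the presentation's or F5's code: a global rule that denies the single quote, a per-parameter override that tolerates exactly one quote for the username, and a small constructed signature set that is still evaluated on the relaxed parameter, so O'Connor is accepted while a tautology in the same field is not.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class QuoteRule:
    allowed: bool = False   # may the value contain a single quote at all?
    max_count: int = 0      # how many single quotes are tolerated when allowed


# Site-wide default: the single quote is a command delimiter, so it is disallowed
GLOBAL_RULE = QuoteRule()

# Selective relaxations for named parameters (constructed for this example);
# a per-parameter rule supersedes the global check
PARAM_RULES: Dict[str, QuoteRule] = {
    "username": QuoteRule(allowed=True, max_count=1),   # O'Connor has to log in
}

# Negative-security layer, still applied to relaxed parameters
# (constructed, deliberately small signature set)
ATTACK_SIGNATURES: Dict[str, "re.Pattern"] = {
    "sqli-tautology": re.compile(r"'\s*or\s+\S+\s*=\s*\S+", re.I),   # ' OR 1=1
    "sql-comment-or-terminator": re.compile(r"--|;|/\*"),
}


def check_param(name: str, value: str) -> List[str]:
    """Return the violations for one parameter value; an empty list means accepted."""
    rule = PARAM_RULES.get(name, GLOBAL_RULE)
    violations: List[str] = []
    quotes = value.count("'")
    if quotes and not rule.allowed:
        violations.append(f"single quote not allowed in parameter {name} (global policy)")
    elif quotes > rule.max_count:
        violations.append(f"too many single quotes in {name} ({quotes} > {rule.max_count})")
    for sig_name, pattern in ATTACK_SIGNATURES.items():
        if pattern.search(value):
            violations.append(f"attack signature {sig_name} in {name}")
    return violations


def check_request(params: Dict[str, str]) -> Dict[str, List[str]]:
    """Evaluate every parameter of a request; only offending parameters are reported."""
    report = {n: check_param(n, v) for n, v in params.items()}
    return {n: v for n, v in report.items() if v}
```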

48
Selective Application Flow Enforcement
(Diagram: a transfer form with the fields Username, Password, From Acc., To Acc., Amount and a Transfer button.)
This part of the site is a financial transaction that requires authentication; we should enforce strict flow and parameter validation.
  • Should this be a violation?
  • The user may have bookmarked the page!
  • Unnecessarily enforcing flow can lead to false positives.

49
Signature staging
  • To benefit from signatures it is mandatory to be sure they cause no F/P (false positives).
  • Cleaning a large set usually takes a lot of time.
  • During all this time, all signatures are in non-blocking mode.
  • Signature staging allows you to benefit from the signatures that do not create F/P right after the staging period, while the others remain in the staging basket.

50
Extended security features, more
  • Comprehensive evasion detection engine
  • SEL ECT from users
  • DR/*blah blah blah blah*/OP TABLE users
  • A lot of normalization features
  • e.g. ASCII decoding
  • %3Cscript%3E turns into <script>
  • %253Cscript%253E turns into %3Cscript%3E, which turns into <script>
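The decoding and comment-stripping steps shown on this slide, as an added Python example that is not the presentation's or F5's code: bounded repeated percent-decoding, removal of /*...*/ comment blocks, and a constructed three-entry signature set matched both on the raw value and after normalization. The SEL ECT case is reproduced as SEL/**/ECT, an assumption, since the separator used on the slide did not survive the transcript.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote

# Constructed, deliberately small signature set; a real engine ships its own
SIGNATURES = {
    "sql-select": re.compile(r"\bselect\b.*\bfrom\b", re.I | re.S),
    "sql-drop": re.compile(r"\bdrop\s+table\b", re.I),
    "xss-script": re.compile(r"<script\b", re.I),
}


def normalize(value: str, max_rounds: int = 5) -> Tuple[str, int]:
    """Percent-decode until the text stops changing (bounded, so a pathological
    input cannot loop), then remove /*...*/ comments and collapse whitespace.
    Returns the normalized text and the number of decoding rounds it took."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    value = re.sub(r"/\*.*?\*/", "", value, flags=re.S)   # DR/*...*/OP -> DROP
    value = re.sub(r"\s+", " ", value).strip()
    return value, rounds


def raw_hits(value: str) -> List[str]:
    """Signature names matching the value as received (no normalization)."""
    return sorted(n for n, rx in SIGNATURES.items() if rx.search(value))


def inspect(value: str) -> Tuple[str, int, List[str]]:
    """Normalize, then match; needing a second decoding round is itself reported
    as an evasion indicator (double encoding)."""
    norm, rounds = normalize(value)
    hits = sorted(n for n, rx in SIGNATURES.items() if rx.search(norm))
    if rounds > 1:
        hits.append("evasion:double-encoding")
    return norm, rounds, hits
```

Comparing raw_hits(value) with inspect(value) on the slide's inputs shows which payloads a signature check without normalization would miss.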

51
Granularity
  • The web is a wilderness: applications with no real RFC
  • Granularity is a key to success and a cost-effective deployment
  • In ASM one can build a policy for any HTTP entity:
  • HOST header, any other HTTP header, IP address, parameter names, cookie name, file types, URI or directories, source IP
  • Violations are broken down into categories.

52
Security Alerts and Reports
  • General Security Alerts
  • Violations Report
  • IP based Report
  • IP based Attack Report
  • Legal and Illegal Requests
  • Request Details

53
Fast Custom Logging
  • Can send all requests to remote syslog server
  • Very flexible export customization
  • Building block for compliance

54
Executive Report
55
ASM Platform Availability
  • Standalone ASM on TMOS
  • 4100, 3600
  • Available as a module with BIG-IP LTM
  • 3600
  • 6400/6800
  • 8400/8800

56
BIG-IP Platform Characteristics
(Chart: platforms plotted by price against function / performance.)
  • BIG-IP 8800: 2 x 2.6 GHz Dual Core Opteron, 12 10/100/1000 or 12 SFP, Layer 4 ASIC (PVA10), 80 GB HD, 512 CF, SSL @ 48K TPS / 6 Gb Bulk, HW Compression option, 7-10 Gbps Traffic (7G L7, 6G SSL and Compress), Multiple Product Modules
  • BIG-IP 8400: 2 x 2.6 GHz Opteron, 12 10/100/1000 or 12 SFP, Layer 4 ASIC (PVA10), 80 GB HD, 512 CF, SSL @ 33K TPS / 3 Gb Bulk, HW Compression option, 6-10 Gbps Traffic, Multiple Product Modules
  • BIG-IP 6800: 2 x 2.4 GHz Opteron, 16 10/100/1000, 4 SFP, Layer 4 ASIC (PVA2), 80 GB HD, 512 CF, SSL @ 20K TPS / 2 Gb Bulk, FIPS SSL option, HW Compression option, 4 Gbps Traffic, Multiple Product Modules
  • BIG-IP 6400: 2 x 1.6 GHz Opteron, 16 10/100/1000, 4 SFP, Layer 4 ASIC (PVA2), 80 GB HD, 512 CF, SSL @ 15K TPS / 2 Gb Bulk, FIPS SSL option, 2 Gbps Traffic, 1 Product Module
  • BIG-IP 3600: 1 x 2.13 GHz Core2 Duo, 8 10/100/1000, 2x 1GB SFP, 1x 160 GB HD, 8GB CF, 4GB RAM, SSL @ 14K TPS / 1.5 Gb/s Bulk, 1.5 Gbps Traffic, 1 Product Module
  • BIG-IP 1600: 1.8 GHz Core2Duo (Dual Core), 4 10/100/1000, 2x 1GB SFP, 160GB HD, 4GB RAM, SSL @ 7K TPS / 750 Mb/s Bulk, 750 M Traffic
57
Redundant Deployment with the Appliance
(Diagram: redundant deployment of standalone ASM appliances together with a firewall, a BIG-IP load balancer and the web servers.)
58
Redundant Deployment with the BIG-IP and ASM
(Diagram: redundant deployment of BIG-IP with the ASM module between the firewall and the web servers.)
59
TMOS Architecture
(Diagram: high-performance hardware and a microkernel with a full TCP proxy; client-side and server-side TCP Express stacks; feature modules for SSL, compression, caching, OneConnect, XML and rate shaping; ASM, WAM and 3rd-party modules on top; iRules and the iControl API for programmability.)
  • TMOS Traffic Plugins
  • High-performance Networking Microkernel
  • Powerful Application Protocol Support
  • iControl: External monitoring and control
  • iRules: Network Programming Language

60
Improve Security with LTM
Resource Cloaking: BIG-IP virtualizes and hides all application, server error codes and real URL references that may provide hackers clues into infrastructure, services and their associated vulnerabilities.
Customized Application Attack Filtering: BIG-IP's full inspection and event-based rules deliver a greatly enhanced ability to search for and apply numerous rules to block known L7 attacks.
Encrypts cookies and other tokens that are transparently distributed to legitimate users. Organizations gain superior security for all stateful applications (e-commerce, CRP, ERP and other business-critical applications) and a higher level of user identity trust.
Supports higher-standard AES (Advanced Encryption Standard for SSL) algorithms with the most secure SSL encryption available on the market, at no additional processing cost.
Content Protection: Allows organizations to prevent sensitive documents or content from leaving their site.
61
Improve Security with LTM
Protects Against Heavy Attack Volumes: BIG-IP combines a suite of security features to provide comprehensive protection against DoS attacks, SYN floods and other network based attacks. Features such as SYNCheck provide comprehensive SYN flood protection of the servers that sit behind the BIG-IP device. Combined with the Dynamic Reaping capabilities, BIG-IP provides robust security to filter out the heaviest attacks while simultaneously delivering uninterrupted service for legitimate connections.
Insulation From Protocol Attacks: BIG-IP provides Protocol Sanitization and a Full TCP Termination point which independently manages client and server side connections, protecting all backend systems and applications from malicious attacks.
Firewalling - Packet Filtering: BIG-IP now integrates a control point to define and enforce L4-based filtering rules (based on PCAP, similar to network firewalls), improving network protection.
62
Summary
  • Protecting web application is a challenge within
    many organizations but attacks against web
    applications are the hackers favorites
  • ASM provides easy and very granular configuration
    options to protect web applications and to
    eliminate false positives
  • ASM combines positive and negative security
    models to achieve the optimum security
  • ASM is an integrated solution and can run as a
    module on BIG-IP or standalone
  • ASM is used to provide compliance with various
    standards
  • ASM provides hidden parameter protection and
    selective flow control enforcement
  • ASM provides an additional security layer or can
    be used as central point for web application
    security enforcement
