GIS Risk Mitigation

1
Application Firewalls
11th Annual New York StateCyber Security
Conference June 5th, 2008
2
Session Objectives

• Discuss differences and purpose of Application
  Firewalls

• Web Application Firewalls
• Database Application Firewalls
• XML Application Firewalls
• Deployment and Management
• Considerations

3
Overview

• What are Application Firewalls?
• Why do you need one when you already have a
  firewall?
• Where do you deploy an application firewall?
• What does it take to operate and maintain?

4
Who is Your Speaker?
Scott Sattler, Scott_at_SecureLabs.Net 22 Years in
the IT Field

• Certifications
• CISA, CISSP, CISM,
• CCNP, CCDP, CBCP
• CFE, NSA IAM
• .

Todays Job Deploying and managing 30
Application firewalls globally
5
Some BasicsWhere do Applications Firewalls fit?

• Networking 101
• OSI Model Layer 1 - 10
• Your Applications
• Your Organization

6
History of TCP/IP Filtering

• Layer 3 Packet Filters
• Router Security Enhancements
• Stateful Firewalls
• IDS/IPS With Firewalls
• Host Based IDS With DMZs
• Heuristics Based Attack Pattern Recognition

7
Attack Vector Changes Course

• Attack Focus has changed over time

• Networks and Network Protocols
• Host Operating System
• Standard Host Applications
• Web and Business Applications
• Database and Business Logic

Gartner now suggests that about 75 percent of the
attacks on the Internet are now focused on
applications
8
Security ProblemsIts about Source Code

• Lets Fix it Before its a Problem
• (Not going to happen)

• Poor coding practices
• Cost to remediate source code
• Time to market
• Lack of qualified talent
• Lack of resources

9
Availability of ToolsMaturity and Ease of Access

• Most commercial tools are available pirated on
  p2p sites
• Freeware tools are easily accessible
• Hacking Frameworks are prolific
• Automated Scanning Engines with automatic
  signature updates

10
What is an Application Firewall?

• Wikipedia (old) An application layer firewall
  is a firewall software operating at the
  application layer of a protocol stack. Generally
  it is a host using various forms of proxy servers
  to proxy traffic instead of routing it. As it
  works on the application layer, it may inspect
  the contents of the traffic, blocking what the
  firewall administrator views as inappropriate
  content, such as certain websites, viruses,
  attempts to exploit known logical flaws in client
  software, and so forth. An application layer
  firewall does not route traffic on the network
  layer, but from the application to the OS.
• Webappsec.org (new) An intermediary device,
  sitting between a web-client and a web server,
  analyzing OSI Layer-7 messages for violations in
  the programmed security policy. A web application
  firewall is used as a security device protecting
  the web server from attack.

11
Applications FirewallsIts really Deep Packet
Inspection

• Deep packet inspection (DPI) (or sometimes
  complete packet inspection) is a form of computer
  network packet filtering that examines the data
  and/or header part of a packet as it passes an
  inspection point, searching for non-protocol
  compliance, viruses, spam, intrusions or
  predefined criteria to decide if the packet can
  pass or if it needs to be routed to a different
  destination, or for the purpose of collecting
  statistical information. This is in contrast to
  shallow packet inspection (usually called just
  packet inspection) which just checks the header
  portion of a packet

12
Application FirewallsVery Focused Technology

• Web Application Firewalls
• Database Application Firewalls
• XML Based Application Firewalls
• How Deep Do You Go?

13
Web Application Security Consortium
Web application firewalls (WAF) are a new breed
of information security technologies
designed to protect web sites from attack.

• WAF solutions are capable of preventing attacks
  that network firewalls and intrusion detection
  systems can't, and they do not require
  modification of application source code.

14
Web Application Firewalls

• Web Application Firewalls are often called 'Deep
  Packet Inspection Firewalls' because they look at
  every request and response within the
  HTTP/HTTPS/SOAP/XML-RPC/Web Service layers. Some
  Web Application Firewalls look for certain
  'attack signatures' to try to identify a specific
  attack that an intruder may be sending, while
  others look for abnormal behavior that doesn't
  fit the websites normal traffic patterns. Web
  Application Firewalls can be either software, or
  hardware appliance based and are installed in
  front of a web server in an effort to try and
  shield it from incoming attacks

15
Web Application Protection

• Input Validation
• Cookie Protection
• Content Validation
• What its not
• logic issues, access control issues
• End All Be All ?

16
Example Interface
17
Example Input Validation
18
Upcoming Application Firewalls

• An XML firewall is an application layer firewall
  that specifically defends XML-based applications
  against a wide variety of XML message and parser
  level attacks. XML firewalls are generally
  implemented as proxies due to the requirement
  that incoming and outgoing messages must be
  inspected for vulnerabilities before being passed
  to the application or client.
• XML firewalls are designed to address familiar
  Web-based attacks that can be transported via
  XML, such as SQL injection and cross-site
  scripting (XSS). They are primarily geared toward
  detecting and preventing XML specific attacks
  such as extremely large messages, highly nested
  elements, coercive parsing, recursive parsing,
  schema and WSDL poisoning, and routing based
  attacks.
• AJAX, .Net, JAVA Application Firewalls just
  beginning to emerge

19
Database Firewalls

• Traditional firewalls, used for protecting the
  database, only prevent attacks searching for
  vulnerabilities. Database firewalls take defense
  deep into the organization by providing full
  syntax control and audit of the SQL API stream
  before it reaches the database, and enforcing
  content-driven access to database

20
Correlation of Events

• Who did what to Whom, When Where
• The Front End The Back End
• Where is IDS in this picture?
• Log correlation Systems

21
Do you really need an Application Firewall?

• Traditional L3 firewalls are now beginning to
  have application logic integrated however..
• IDS/IPS is now beginning to incorporate
  application awareness, however..
• Compliance Drivers PCI
• Legal Liability

22
Deployment Considerations

• Money, Politics and Religion
• Skill set is unique is not a network skill
• Manual Configuring or Automation
• Testing and Validation of the AF
• Automatic Relearning
• Network Deployment Impacts
• What Latency?

23
Skill set

• Can you Afford?
• Network Engineer
• Software Developer
• Web Application Specialist

24
How Much Automation?

• 80/20 Rule or 90/10 ?
• Automatic Application Learning
• Automatic Application Relearning
• Configuration Sanity Checking

25
Deployment in the Enterprise
26
Validating Your Application Security

• Scan your Source Code
• Scan your Run Time Code
• Scan your Operating Environment
• Part of you SDLC and Operations Lifecycle
• Not just for Public facing applications!
• Do it Often and Do it in Depth

27
Sample Vendors

• Imperva (Web/DB Application Firewall)
• Netcontinum (Web Application Firewall)
• Citrix (Web Application Firewall)
• Guardium (Database Firewall)
• Ounce Labs (Source Code Scanning)
• SPI Dynamics (Application Scanning)

28
Resources

• Web Application Security Consortium
• http//www.webappsec.org/
• Open Web Application Security Project
• http//www.owasp.org
• http//www.cgisecurity.com/

29
Closing Thoughts

• Cost
• Need
• Risk
• Ongoing Support
• Management
• Future Technology Directions

30
Questions

• Scott_at_SecureLabs.net