Web Application Security with the Application Security Manager (ASM)

Piotr Oleszkiewicz
Zbigniew Skurczynski
zbig@f5.com

Agenda

- Web Security: What are the problems?
- Vulnerabilities and protection strategies
- Web security with a Web Application Firewall (WAF)
- Security Policy Setups
- About us

Application Security: Trends and Drivers

- Webification of applications
- Intelligent browsers and applications
- Public awareness of data security
- Increasing regulatory requirements
- The next attackable frontier
- Targeted attacks

The weakest link

[Figure: layered defences. Firewall and Network IDS/IPS protect the network; Host IDS & Secure OS and Antivirus protect the system and computer access; the applications and the data behind them are left as the weakest link.]

64% of the 10 million security incidents tracked targeted port 80.
(Information Week magazine)

Why Are Web Applications Vulnerable?

- Security officers are not involved in software development, while developers are not security conscious
- New code written to best-practice methodology, but not tested properly
- New type of attack not protected by current methodology
- New code written in a hurry due to business pressures
- Code written by third parties; badly documented, poorly tested, third party not available
- Flaws in third party infrastructure elements
- Session-less web applications written with a client-server mentality

Most web applications are vulnerable!

"70% of websites at immediate risk of being hacked!"
- Acunetix, Jan 2007, http://www.acunetix.com/news/security-audit-results.htm

"8 out of 10 websites vulnerable to attack"
- WhiteHat security report, Nov 2006, https://whitehatsec.market2lead.com/go/whitehatsec/webappstats1106

"75 percent of hacks happen at the application."
- Gartner, Security at the Application Level

"64 percent of developers are not confident in their ability to write secure applications."
- Microsoft Developer Research

"The battle between hackers and security professionals has moved from the network layer to the Web applications themselves."
- Network World

www.owasp.org Top Ten Project

A1 Cross Site Scripting (XSS): XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser, which can hijack user sessions, deface web sites, etc.

A2 Injection Flaws: Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.

A3 Insecure Remote File Include: Code vulnerable to remote file inclusion allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise.

A4 Insecure Direct Object Reference: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.

A5 Cross Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker.

A6 Information Leakage and Improper Error Handling: Applications can unintentionally leak information about their configuration, internal workings, or violate privacy through a variety of application problems. Attackers use this weakness to violate privacy, or conduct further attacks.

A7 Broken Authentication and Session Management: Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users' identities.

A8 Insecure Cryptographic Storage: Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud.

A9 Insecure Communications: Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.

A10 Failure to Restrict URL Access: Frequently, the only protection for sensitive areas of an application is that links or URLs are not presented to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations.

Problems are growing

Yesterday:
- Tens of working hours of the best security specialists
- Preparing a successful attack on the web application was very expensive, but it still could bring profit if the target was interesting enough

Today:
- Automatic and semiautomatic tools that are user friendly
- Fuzzers (more than 20 Open Source tools alone)
- Newest trend: evolutionary programming

Bottom line: The cost of preparing a successful attack has fallen dramatically!!

Most web applications are vulnerable!

Practical demonstration:

- Google
- Weak application logic
- A web browser is the only tool we need

Not enough time!

The time from finding the vulnerability to launching an attack is falling.

Are the applications prepared for ZERO-DAY attacks?

Are your applications prepared for ZERO-DAY attacks?

Web Application Security

[Figure: perimeter security is strong, but it is open to web traffic on PORT 80 and PORT 443, so attacks now look to exploit application vulnerabilities.]

Attacks now look to exploit application vulnerabilities:
- Buffer Overflow
- Cross-Site Scripting
- SQL/OS Injection
- Cookie Poisoning
- Hidden-Field Manipulation
- Parameter Tampering

Exposures shown in the figure: Forced Access to Information, Non-compliant Information, Infrastructural Intelligence.

High Information Density = High Value Attack

Web Application Security with ASM

[Figure: ASM sits between the browser and the application. It stops bad requests and responses (Unauthorised Access, Non-compliant Information, Infrastructural Intelligence) and allows legitimate requests through.]

Traditional Security Devices vs. Web Application Firewall (ASM)

[Comparison table with columns Network Firewall, IPS and ASM. The check-mark cells did not survive extraction; only the "X", "Limited" and "Partial" cells are shown below, in the order they appear across the columns.]

Known Web Worms: Limited
Unknown Web Worms: X, Limited
Known Web Vulnerabilities: Limited, Partial
Unknown Web Vulnerabilities: X, Limited
Illegal Access to Web-server files: Limited, X
Forceful Browsing: X, X
File/Directory Enumerations: X, Limited
Buffer Overflow: Limited, Limited
Cross-Site Scripting: Limited, Limited
SQL/OS Injection: X, Limited
Cookie Poisoning: X, X
Hidden-Field Manipulation: X, X
Parameter Tampering: X, X

Security Policy in ASM

[Figure: the Security Policy sits between the Browser and the application. Inbound it applies Enforcement, based on a Definition of Good and Bad Behaviour; outbound it applies Content Scrubbing and Application Cloaking.]

Security Policy in ASM

[Figure: Security Policy between the Browser and the application: Enforcement inbound, Content Scrubbing and Application Cloaking outbound.]

- Can be generated automatically or manually
- Highly granular on configuration and blocking
- Easy to understand and manage
- Bi-directional:
  - Inbound: protection from generalised & targeted attacks
  - Outbound: content scrubbing & application cloaking
- Application content & context aware

Positive Security - Example

[Figure: screenshot of the positive security example]

Positive Security - Example

[Figure: a request carrying <script> in a parameter value is blocked by the positive policy]

Actions not known to be legal can now be blocked:
- Wrong page order
- Invalid parameter
- Invalid value
- etc.

Negative vs. Positive Security

[Figure: comparison of the negative and positive security models]

Protection for Dynamic Values or Hidden Field Manipulation

[Figure: screenshot of dynamic value / hidden field protection]

Selective Application Flow Enforcement

[Figure: two requests. The login page (Username, Password) is reached directly and marked ALLOWED; the transfer page (From Acc., To Acc., $ Amount, Transfer) is reached out of the expected order and marked VIOLATION, with a question mark asking whether it should be.]

Should this be a violation? The user may have bookmarked the page!

This part of the site is a financial transaction that requires authentication; we should enforce strict flow.

Unnecessarily enforcing flow and parameter validation can lead to false positives.
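The decisions described on the positive security, hidden field protection and selective flow enforcement slides, as an added Python example (not F5 code and not ASM's policy format): an allow-list policy for the slides' login and transfer pages, where page-order and dynamic-value checks are switched on only for the transfer page, so a bookmarked login page is not a false positive. The object paths, parameter names and value patterns are constructed for illustration.

```python
import re

# Constructed positive-security policy for the slide's two objects (an
# illustration, not ASM's real policy format). Flow and dynamic-value checks
# are switched on only for the financial transaction, not for the login page.
POLICY = {
    "/login.php": {
        "params": {"Username": r"[A-Za-z0-9_.]{1,32}", "Password": r".{1,128}"},
        "enforce_flow": False,
    },
    "/transfer.php": {
        "params": {"FromAcc": r"\d{8,12}", "ToAcc": r"\d{8,12}",
                   "Amount": r"\d{1,7}(\.\d{2})?"},
        "enforce_flow": True,
        "allowed_previous": {"/login.php", "/accounts.php"},
        # Hidden field filled in by the server: the WAF remembers the value it
        # sent and rejects a submission that changed it.
        "dynamic": {"FromAcc"},
    },
}


def check_request(path, params, previous_path=None, server_issued=None):
    """Return the list of policy violations for one request (empty = legal).

    server_issued maps dynamic parameter names to the values the server put
    in the page now being submitted (recorded by the WAF on the response).
    """
    obj = POLICY.get(path)
    if obj is None:
        return ["illegal object: %s" % path]          # not a known object
    violations = []
    for name, value in params.items():
        pattern = obj["params"].get(name)
        if pattern is None:
            violations.append("invalid parameter: %s" % name)   # not on allow list
        elif re.fullmatch(pattern, value) is None:
            violations.append("invalid value: %s" % name)       # e.g. <script> as Username
    if obj["enforce_flow"]:
        if previous_path not in obj["allowed_previous"]:
            violations.append("wrong page order")               # bookmarked/forced browsing
        issued = server_issued or {}
        for name in obj["dynamic"]:
            if params.get(name) != issued.get(name):
                violations.append("dynamic value tampered: %s" % name)
    return violations
```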

Flexible Policy Granularity

Generic Policies (policy per object type):
- Low number of policies
- Quick to implement
- Requires little change management
- Can't take application flow into account

Specific Policies (policy per object):
- High number of policies
- More time to implement
- Requires a change management policy
- Can enforce application flow
- Tightest possible security
- Protects dynamic values

The optimum policy is often a hybrid.

Flexible Deployment Options

[Figure: policy scale from the typical standard starting point up to a tighter security posture, with the policy-building tools that apply at each level.]

Policy scope, from the typical standard starting point to the tightest security posture:
- OBJECT TYPES
- OBJECT NAMES
- PARAMETER NAMES
- PARAMETER VALUES
- OBJECT FLOWS

Policy-Building Tools:
- Negative RegEx Template
- Crawler
- Live Traffic Learning
- Trusted IP Learning
- Policy Tightening Suggestions

F5 is the Global Leader in Application Delivery Networking

[Figure: users (At Home, In the Office, On the Road) reach Data Centre applications (Oracle, Siebel, SAP) through the Application Delivery Network.]

Business goal: Achieve these objectives in the most operationally efficient manner.

F5's Comprehensive Single Solution

[Figure: Users (Mobile Phone, PDA, Laptop, Desktop) connect through The F5 Solution (Application Delivery Network on TMOS, Co-location) to Applications (CRM, Database, Siebel, BEA, Legacy, .NET, SAP, PeopleSoft, IBM, ERP, SFA, Custom).]

The F5 Products & Modules

[Figure: product family on TMOS with iControl & iRules, serving applications from Microsoft, SAP, Oracle, IBM and BEA in the International Data Center.]

- BIG-IP Global Traffic Manager
- BIG-IP Local Traffic Manager
- BIG-IP Link Controller
- WANJet
- FirePass
- BIG-IP Application Security Manager
- BIG-IP Web Accelerator
- Enterprise Manager

Protocols: HTTP/HTML, SIP, RTP, SRTP, RTCP, SMTP, FTP, SFTP, RTSP, SQL, CIFS, MAPI, IIOP, SOAP, XML etc.

Unique TMOS Architecture

[Figure: TMOS microkernel on high performance hardware with a client side and a server side TCP Proxy; traffic plug-ins include ASM/TrafficShield, Web Accel, 3rd Party, Rate Shaping, Compression, TCP Express, OneConnect, Caching, XML and SSL, controlled through iRules and the iControl API.]

- High-Performance Networking Microkernel
- Powerful Application Protocol Support
- iControl: External Monitoring and Control
- iRules: Network Programming Language

BIG-IP Software Add-On Modules

Quickly Adapt to Changing Application & Business Challenges

- Compression Module: Increase performance
- Fast Cache Module: Offload servers
- Rate Shaping Module: Reserve bandwidth

BIG-IP Security Add-On Modules

- Application Security Module: Protect applications and data
- SSL Acceleration: Protect data over the Internet
- Advanced Client Authentication Module: Protect against unauthorised access

ASM Platform Availability

- Standalone ASM on TMOS: 4100
- Available as a module with BIG-IP LTM: 6400/6800, 8400/8800

Analyst Leadership Position

Magic Quadrant for Application Delivery Products, 2007

[Figure: Gartner Magic Quadrant, axes Ability to Execute and Completeness of Vision, quadrants Challengers, Leaders, Visionaries and Niche Players. Vendors plotted: F5 Networks, Citrix Systems, Cisco Systems, Akamai Technologies, Foundry Networks, Crescendo, Nortel Networks, Radware, Juniper, Coyote Point, Zeus, NetContinuum, Array Networks.]

F5 Strengths:
- Offers the most feature-rich AP ADC, combined with excellent performance and programmability via iRules and a broad product line.
- Strong focus on applications, including long-term relationships with major application vendors, including Microsoft, Oracle and SAP.
- Strong balance sheet and cohesive management team with a solid track record for delivering the right products at the right time.
- Strong underlying platform allows easy extensibility to add features.
- Support of an increasingly loyal and large group of active developers tuning their application environments specifically with F5 infrastructure.

Source: Gartner, January 2007

F5 Customers in EMEA (1 of 2)

[Figure: customer logos in Banking, Financial, Insurance, Investments, Telco, Service Providers, Mobile]

F5 Customers in EMEA (2 of 2)

[Figure: customer logos in Transport, Travel, Media, Online, Technology, Energy, Manufacturing, Government, Health, Consumer, Other]

Summary

- Protecting web applications is a challenge within many organizations, but attacks against web applications are the hackers' favorites
- ASM provides easy and very granular configuration options to protect web applications and to eliminate false positives
- ASM combines positive and negative security models to achieve the optimum security
- ASM is an integrated solution and can run as a module on BIG-IP or standalone
- ASM is used to provide compliance with various standards
- ASM provides hidden parameter protection and selective flow control enforcement
- ASM provides an additional security layer or can be used as a central point for web application security enforcement

Evaluation

The best way to see how it will perform in your environment with your applications.

Soft-Tronik can provide you with evaluation hardware and engineers to help in deployment.

Back-up Slides

Company Snapshot

- Facts
- Position
- References

F5's Continued Success

[Figure: revenue chart]

- Headquartered in Seattle, WA
- F5 Ensures Applications Running Over the Network Are Always Secure, Fast, and Available
- Founded 1996 / Public 1999
- Over 10,000 customers and 30,000 systems installed
- Over 1100 Employees
- NASDAQ: FFIV