Web Applications: The Intelligent Combination of Protection Mechanisms Makes the Difference
Daniel Estermann, M.Sc.
Web application security is already highly complex today, and that complexity will increase rapidly as online services continue to evolve. Even the best programmer cannot know every possible attack on web applications; besides, programmers are only human and make mistakes from time to time. According to Gartner, three quarters of web applications have security vulnerabilities. To improve this situation, further measures beyond regular security audits are called for, above all proactive ones. One of the most effective is the use of a web application firewall. The talk explains proven architecture patterns such as:
- proactive protection against unknown attacks thanks to dynamic whitelisting
- single sign-on with preceding authentication
- high availability and security combined in one web application firewall
Through the intelligent combination of protection mechanisms, developers can concentrate more on the business logic and so shorten time to market. Besides protecting and optimizing the web environment, compliance is improved as well (e.g. by ensuring the PCI Data Security Standard, PCI DSS).
Daniel Estermann, M.Sc.
Daniel Estermann holds a master's degree in computer science from the Swiss Federal Institute of Technology (ETH Zürich), specializing in information security and cryptography, and also studied business administration as a minor.
Daniel Estermann has worked intensively with web applications for more than ten years: he knows the balancing act between meeting project deadlines and secure application development from his time as a developer and project manager of demanding enterprise applications. At Visonys (now phion) he was able to bring this experience into the development and operation of the web application firewall 'airlock'. As head of professional services there, Estermann also came to know the perspective of IT operators in particular. Since the acquisition by phion, he now steers the strategic development of the phion airlock product line as product manager.
© phion AG
Web Application Security
What does a Web Application Firewall deliver?
Daniel Estermann
Dipl. Informatik Ing. ETH Zürich
Product Manager Web Application Security
phion AG
Slide 2
Imagine…
- This is your Web application server: in the center there is your Web application, the users are the audience; let's have a closer look...
- Everything under control?
Slide 3
Goals and Challenges
- Stadium sold out
- Lots of goals
- Good ambiance
- Smooth operations
- No riots
- Keep away hooligans and other troublemakers
Slide 4
Exposure, Attacks, Vulnerabilities, Threats
- Cross Site Scripting
- Denial of Service
- Forceful Browsing
Slide 5
About phion AG
- Founded in 2000
- HQ in Innsbruck
- Regional offices in Vienna, Munich, Düsseldorf, Zurich, Milan, London, Amsterdam, Dubai
- Public limited company (plc) listed on the Vienna Stock Exchange (mid market) since 4 July 2007
- Numerous international customers
  - from the Fortune 500
  - public and health sectors
  - financial services (up to 85% of Austrian and Swiss banks)
- Leading enterprise security from the heart of Europe:
  - Gartner: listed in the 'visionaries' quadrant in Gartner's 'Magic Quadrant for Enterprise Network Firewalls', November 2008
  - Burton Group: Enterprise Firewalls and Perimeter Architecture, 3 Nov 2005
  - Leading Web Application Firewall vendor in central Europe
Slide 6
History of airlock
- Swiss startup Seclutions, later renamed to Visonys
  - Part of phion since June 2008, 2nd phion HQ in Zurich
  - Highly qualified development & professional services teams
- Clear focus on Web Application Security since 1996
  - Strong historical background in the finance industry
  - Evolved into a standard product "airlock" in 2001
- Large customer base & top references
  - About 200 productive installations in 8 countries
  - References in government, banks, insurance, industry, portals etc.
Slide 7
Target No. 1: Web Applications
How do we protect our applications and data?
- The network has become increasingly hardened
- The number of web-based applications and their complexity has exploded
- Additional classes of web application vulnerabilities were discovered
- Attackers began targeting end users, particularly with the emergence of web 2.0 applications and user-generated content delivery
Slide 8
Security Instruments Compared
- There is no silver bullet: Web Application Security is always a combination of instruments.
- But not every instrument is in the "magic quadrant".
[Chart: instruments plotted by effectivity (= security) against efficiency (= cost vs. value): IPS / Deep Inspection, Vulnerability Scanning, Web Application Firewall, Penetration Tests, Code Analysis, Security Training for developers]
Slide 9
Deployment example: Entry Server (Reverse Proxy)
[Diagram: B2B Client, Web Client and Attacker on the Internet; in the DMZ the WAF acts as reverse proxy, next to an Authentication Service, a Remote Access component and an Antivirus Server (ICAP); in the Secured Area: Application Server (e-Business, e-Banking, e-Government or e-Learning), Application Server (Web Services, B2B Application), Application Server (SSH Admin, Terminal Services, E-Mail) and the User Directory]
Slide 10
Web Application Firewall (WAF)
Typical WAF Features
- Monitoring & Reports: log analysis, statistics, alerting, audit
- Access Control: authentication, authorization, single sign-on, IAM
- Multi-Level Filtering: black/whitelist, protocols, SOAP/XML, cookies
- Delivery & Availability: load balancing, compression, clustering
- SSL Termination: encryption, offloading
- Reverse Proxy: TCP/IP termination, virtualization, flow control, rewriting
- Management & Admin: secure OS, configuration, operation, deployment
- Secure Session Handling: tracking, anti-hijacking
Slide 11
Security for Application Servers
- Access Control: WHOM are we dealing with?
- Filtering: WHAT are we dealing with?
Slide 12
Multi-Level Filtering
- Strict flow control
- Multiple validation processes
- Filtering all requests and data
- Real dynamic whitelist filtering
Slide 13
Blacklist Filter: Negative Security Model
- Examples:
  - Virus/Malware Scanner
  - IDS/IPS
  - Airport Security X-Ray
- Issues:
  - Thousands of signatures
  - Critical timing
  - Completely reactive, always behind
  - Prevents only known attacks
  - Evasion techniques possible
Blacklist filters are necessary but not sufficient against today's targeted attacks!
Slide 14
Whitelist Filter: Positive Security Model
- Everything forbidden unless allowed explicitly
- Prevents unknown attacks
- Challenge: How to define good and easy-to-manage whitelist rules?
- Key question: What is good (allowed) in today's dynamic application environments?
Slide 15
Whitelisting Web Applications
- Enforcement of valid Web application usage
  - Valid URLs
  - Valid parameters
  - Length restrictions according to input fields
  - Verification of predefined values (selections, hidden fields, radio buttons, etc.)
  - Protection against type or range violations
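As an added example (not from the slides or the airlock product) of the whitelist rules just listed, the following Python checks a request against a constructed ruleset for a hypothetical login page: declared URLs and methods, per-parameter type, length limits matching the input fields, and predefined values for a hidden field. The URL, parameter names and limits are assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed whitelist for a hypothetical login page: every URL and every
# parameter must be declared; each declaration fixes the type, the maximum
# length (matching the input field) or the set of predefined values.
RULES = {
    "/login.php": {
        "methods": {"GET", "POST"},
        "params": {
            "user":     {"type": "str",  "max_len": 32},
            "password": {"type": "str",  "max_len": 128},
            "lang":     {"type": "enum", "values": {"de", "en", "fr"}},
            "remember": {"type": "enum", "values": {"0", "1"}},  # hidden field
            "page":     {"type": "int",  "min": 1, "max": 500},
        },
    },
}

def validate(method, url, body=""):
    """Return [] if the request fits the whitelist, else the list of violations."""
    parts = urlsplit(url)
    rule = RULES.get(parts.path)
    if rule is None:                      # unknown URL: block regardless of content
        return ["url not whitelisted: %s" % parts.path]
    errors = []
    if method not in rule["methods"]:
        errors.append("method %s not allowed" % method)
    # Query string and form body are checked against the same declarations.
    params = parse_qsl(parts.query, keep_blank_values=True) + \
             parse_qsl(body, keep_blank_values=True)
    for name, value in params:
        spec = rule["params"].get(name)
        if spec is None:                  # undeclared parameter (e.g. debug=1)
            errors.append("unknown parameter: %s" % name)
        elif spec["type"] == "str" and len(value) > spec["max_len"]:
            errors.append("%s exceeds %d chars" % (name, spec["max_len"]))
        elif spec["type"] == "enum" and value not in spec["values"]:
            errors.append("%s has undefined value %r" % (name, value))
        elif spec["type"] == "int" and (
                not value.isdigit() or not spec["min"] <= int(value) <= spec["max"]):
            errors.append("%s out of range: %r" % (name, value))
    return errors
```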
Slide 16
WAF whitelisting approaches
- Manual whitelist rules
  - Too much work for complex applications
  - Static ruleset
  - Makes sense for critical hotspots (e.g. login page)
- Learning mode
  - Records "good" traffic during learning phase
  - Generates static whitelist ruleset
  - Strong dependency on application content
  - High maintenance cost
- Dynamic whitelisting
  - Learning at runtime
  - Allow only URLs generated by the application
  - Often session-based → allows to protect application flow
Slide 17
Dynamic Whitelisting: URL Encryption Example
[Diagram: Users and an Attacker on the Internet; the WAF with Authentication Server and User Directory in front of the Secured Area containing CRM, ERP and Any Web Application]
1. User requests start page: https://www.myapp.com
2. Application sends HTML containing plain URLs like http://192.168.1.123/news.php?include=news.txt
3. User browser receives encrypted URLs: https://www.myapp.com/$xp1/GMnGuYqPtCSYMQqnWFTb
4. Manipulated requests are blocked: https://www.myapp.com/news.php?include=../../../../../etc/passwd → Error!
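An added example, not from the slides or the airlock product, of the enforcement behind steps 2 to 4: this Python WAF session replaces each backend link in outgoing HTML with an opaque per-session token and only resolves tokens it issued itself. It uses a server-side token table in place of encryption (the slide's variant recovers the URL by decryption and needs no table) but rejects the manipulated request in the same way. The hostnames are those from the slide; the link regex, the `$xp1` prefix handling and the entry-point set are assumptions.

```python
import re
import secrets

BACKEND = "http://192.168.1.123"      # internal address, never shown to the browser
PUBLIC = "https://www.myapp.com"      # address the browser sees
ENTRY_POINTS = {"/"}                  # the only paths a user may request directly
_LINK = re.compile(r'(href|src|action)="(%s[^"]*)"' % re.escape(BACKEND))

class Session:
    """Per-user state on the WAF: opaque token -> real backend URL."""

    def __init__(self):
        self.links = {}

    def rewrite_html(self, html):
        """Outgoing page: replace every backend link by an unguessable token URL."""
        def repl(m):
            token = secrets.token_urlsafe(15)        # 20 URL-safe characters
            self.links[token] = m.group(2)
            return '%s="%s/$xp1/%s"' % (m.group(1), PUBLIC, token)
        return _LINK.sub(repl, html)

    def resolve(self, request_path):
        """Incoming request: backend URL for a valid token, None if it must be blocked."""
        if request_path in ENTRY_POINTS:
            return BACKEND + request_path
        m = re.fullmatch(r"/\$xp1/([A-Za-z0-9_-]+)", request_path)
        if m and m.group(1) in self.links:
            return self.links[m.group(1)]
        # Anything else (hand-typed URLs, edited parameters, tokens from another
        # session) was not generated by the application for this user: reject it.
        return None
```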
Slide 18
Live Hacking Demo
- HacmeBooks (Foundstone/McAfee)
  - Bookshop
  - Java2 Enterprise Web Application
  - Several intentional vulnerabilities
  - Used for training and demos
- Both HacmeBooks and airlock are running on VMware
Slide 19
Dynamic Whitelisting: Benefits
URL Encryption:
- Effective protection against forceful browsing
- URLs and parameters 100% protected
- Topology and technology hiding
- Dynamic, no static configuration
Smart Form Protection:
- Cryptographic protection of HTML forms
- Only valid inputs allowed
- Automatic protection of hidden fields, selection lists, etc.
- Dynamic, no static configuration
The application dynamically defines valid URLs, parameters and values. The WAF enforces valid usage!
Slide 20
Access Control
- Access Control: WHOM are we dealing with?
- Filtering: WHAT are we dealing with?
Slide 21
Access Control (Theory)
[Diagram: User → WAF → Web Application, with the Authentication Service and User Directory behind the WAF]
- Authentication
- Fine-grained authorization (who can access what data?)
- Identity Management
- Identity Propagation
Slide 22
Access Control (Real Life)
[Diagram: the WAF and Authentication Service in front of Public Web Site, Web Shop, Partner Portal, CMS Admin, CRM and ERP; user types Anonymous user, Customer, Partner, Employee and Employee* (Intranet); authentication sources: CA certificate, ACE/RADIUS server]
Authentication may depend on user type, role and origin…
Slide 23
Identity Propagation (1)
1. Authenticate user (once)
[Diagram: User → WAF → Authentication Service → User Directory; login data: userid: sample, password: *********]
Slide 24
Identity Propagation (2)
1. Authenticate user (once)
2. Fetch identity information from directory (once)
[Diagram: directory record for the user: userid: sample; email: [email protected]; role: employee, sales; erp-userid: s.user; first name: sample; last name: user. Derived per-application identities: CMS: id=sample, roles=employee, sales; ERP: userid=s.user]
Slide 25
Identity Propagation (3)
1. Authenticate user (once)
2. Fetch identity information from directory (once)
3. Propagate user identity to each web application (with each request)
[Diagram: airlock forwards CMS: id=sample, roles=employee, sales to the CMS and ERP: userid=s.user to the ERP]
Single sign-on → access web applications without logging in again
Slide 26
Identity Propagation Techniques
- Basic-Auth header
  Add a basic-authentication header to each request.
  Example: Authorization: Basic c2FtcGxlOnBhc3N3b3Jk [ = base64("sample:password") ]
- Cookie/Header
  Add a cookie or arbitrary HTTP header containing any user details, e.g. userid + roles.
  Example: SAP_USER_ID: sample
  Example: Cookie: USER_INFO=sample;sales,employee
  Example: Cookie: ASSERTION=********************** (encrypted/signed)
- SAML Assertion
- Kerberos Ticket
  In the name of the user, get a Kerberos ticket for the desired server and add it to each request. The user does not even have to provide his password!
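An added example (not the author's or airlock's code) of the Basic-Auth and signed-cookie techniques above, assuming a constructed HMAC key shared only between the WAF and its backends and a cookie named ASSERTION as on the slide: the WAF strips any identity the client tried to supply, adds its own, and the backend verifies the signature before trusting the identity.

```python
import base64
import hashlib
import hmac
import json

WAF_KEY = b"constructed-shared-secret"   # assumption: known only to WAF and backends

def basic_auth_header(userid, password):
    """Basic-Auth propagation: Authorization: Basic base64(userid:password)."""
    creds = ("%s:%s" % (userid, password)).encode()
    return "Basic " + base64.b64encode(creds).decode()

def make_assertion(userid, roles):
    """Signed cookie variant: ASSERTION=<base64 payload>.<HMAC-SHA256 tag>."""
    payload = base64.urlsafe_b64encode(
        json.dumps({"id": userid, "roles": roles}).encode()).decode()
    tag = hmac.new(WAF_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + tag

def verify_assertion(value):
    """Backend side: the identity carried by the cookie, or None if it was altered."""
    if "." not in value:
        return None
    payload, tag = value.rsplit(".", 1)
    expected = hmac.new(WAF_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return json.loads(base64.urlsafe_b64decode(payload))

def forward_headers(client_headers, userid, roles):
    """Headers the WAF forwards for an authenticated user (header names assumed
    canonical): a client-supplied Authorization header or ASSERTION cookie is
    dropped first, so only the WAF can assert who the user is."""
    fwd = {k: v for k, v in client_headers.items() if k.lower() != "authorization"}
    kept = [c.strip() for c in fwd.pop("Cookie", "").split(";")
            if c.strip() and not c.strip().startswith("ASSERTION=")]
    kept.append("ASSERTION=" + make_assertion(userid, roles))
    fwd["Cookie"] = "; ".join(kept)
    return fwd
```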
Slide 27
Kerberos Identity Propagation
[Diagram: the WAF (front-end) talks to the Authentication Service over https + Control API (SSL client certificate authentication); the Authentication Service runs a Kerberos Agent on Windows Server 2003+ and obtains a Kerberos v5 ticket from the Active Directory KDC in the Windows/Kerberos domain; the WAF forwards requests to the Windows Web Server (IIS, ISA, Exchange, SharePoint etc.) over http(s) + SPNEGO/Kerberos]
Slide 28
Access Control: Typical Features of a WAF
- Simply connect existing user directories (LDAP, AD, SQL/DB) and authentication servers (RADIUS, RSA/ACE)
- Authorization based on group membership or any other directory information
- Single Sign-on
- Secure session handling
- Multiple authentication levels depending on application
- Change authentication scheme without touching the applications
- Auditing, monitoring and usage analysis (optional user id in logs)
Slide 29
Preceding Authentication: Benefits
- Developers can focus on business logic
- Ease of use (e.g. Single Sign-On)
- Maximum security
- Flexibility and speed by separating application and authentication:
  - Change the authentication scheme without touching the applications
  - Add new applications to an SSO domain quickly
- Cost and time savings in application development
Slide 30
Cookie Protection
- Pass-through
  - Conventional; may be read and manipulated in the browser
- Encrypt or sign
  - WAF encrypts/signs the cookie before sending it to the browser
  - Cookie not forgeable because a valid signature/encryption is required
- Store
  - Cookies are not sent to the browser but held in the user session on the WAF
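An added example, not from the slides or the airlock product, of the "store" variant: backend Set-Cookie headers are kept in the WAF session, the browser receives only a constructed WAFSESSION cookie, and any backend cookie the browser sends itself is discarded in favour of the stored copy. The cookie name and the header-list representation are assumptions.

```python
import secrets
from http.cookies import SimpleCookie

WAF_COOKIE = "WAFSESSION"             # the only cookie the browser ever receives

class CookieStore:
    """'Store' mode: backend cookies live in the WAF session, not in the browser."""

    def __init__(self):
        self.sessions = {}            # WAF session id -> {backend cookie name: value}

    def new_session(self):
        sid = secrets.token_urlsafe(24)
        self.sessions[sid] = {}
        return sid

    def from_backend(self, sid, response_headers):
        """Absorb the backend's Set-Cookie headers; return headers for the browser."""
        out = []
        for name, value in response_headers:
            if name.lower() != "set-cookie":
                out.append((name, value))
                continue
            jar = SimpleCookie()
            jar.load(value)
            for morsel in jar.values():
                self.sessions[sid][morsel.key] = morsel.value
        out.append(("Set-Cookie", "%s=%s; Secure; HttpOnly" % (WAF_COOKIE, sid)))
        return out

    def to_backend(self, request_headers):
        """Replace whatever the browser sent as Cookie by the stored backend cookies."""
        browser = SimpleCookie()
        for name, value in request_headers:
            if name.lower() == "cookie":
                browser.load(value)
        sid = browser[WAF_COOKIE].value if WAF_COOKIE in browser else None
        if sid not in self.sessions:
            return None               # unknown or expired WAF session: reject
        stored = self.sessions[sid]
        # Browser-supplied backend cookies (e.g. a guessed JSESSIONID) are dropped.
        forwarded = [(n, v) for n, v in request_headers if n.lower() != "cookie"]
        if stored:
            forwarded.append(("Cookie", "; ".join(
                "%s=%s" % kv for kv in sorted(stored.items()))))
        return forwarded
```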
Slide 31
Protecting Web Services
- SOAP/XML Filter
  - Built-in or add-on module
- Typical features:
  - Well-formedness validation
  - Schema/WSDL validation
  - Method selection
  - Blacklists for typical attacks
  - Backend parser protection
  - Full request logging
Slide 32
Why a Web Application Firewall?
Typical drivers are...
- mostly security (prevent attacks)
- compliance (e.g. PCI DSS)
- sometimes also application delivery (high availability, load balancing etc.)
- a puzzle piece in an Identity Management/SSO project
Slide 33
WAF Recommendations
- Make the WAF part of an overall application security strategy. Consider layering of WAF functionality to minimize risk and maximize flexibility.
- Involve enterprise architects, application delivery, and developers in order to maximize benefit and comfort with security controls.
- Strongly consider non-core WAF functionality during evaluation and ensure it is in line with evolving delivery and development models.
- Use out-of-the-box blacklist rules for basic security, but prepare to spend time and effort to customize them in order to achieve proper efficacy.
- Exercise the application change process during evaluation to estimate maintenance costs.
Slide 34
Looking from the right angle
- Looking at network packets is sometimes too narrow a view...
Slide 35
Looking from the right angle
- Only a WAF has the full picture because it works on the application level
Slide 36
Thank you!