Why Web Application Firewall (WAF) Cisco Web Application Firewall Overview Network Deployment Examples GUI Demo Q&A
Total Page:16
File Type:pdf, Size:1020Kb
Protecting Web Applications with Web Application Firewall Ong Poh Seng Data Center Architect [email protected] Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 1 Agenda Why Web Application Firewall (WAF) Cisco Web Application Firewall Overview Network Deployment Examples GUI Demo Q&A Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 2 Off the press … more than 45 million credit and debit card numbers have been stolen from its IT systems … Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 3 Focus of today’s attacks 75% of Attacks Focused Here Custom Web Applications Customized Packaged Apps Internal and 3rd Party Code Business Logic & Code Web Application Database Servers Servers Servers Operating Operating Operating Systems Systems Systems Network IDS Network Firewall IPS No magic signatures or patches for your custom PHP script Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 4 The Payment Card Industry (PCI) Data Security Standard 1. Install and maintain a firewall configuration to Build and protect data Maintain a 2. Do not use vendor-supplied defaults for system Secure Network passwords and other security parameters 3. Protect stored data Protect Cardholder Data 4. Encrypt transmission of cardholder data and sensitive information across public networks Maintain a 5. Use and regularly update anti-virus software Vulnerability Management 6. Develop and maintain secure systems Program and applications 7. Restrict access to data by business Implement need-to-knowSection 6.5: develop secure web apps, cover Strong Access 8. Assign a unique preventionID to each person of withOWASP vulnerabilities Control computer access Measures 9. RestrictSection physical 6.6:access Ensure to cardholder all web-facing data apps are Regularly 10. Track and monitorprotected all access to against network known attacks using Monitor and Test resources and cardholdereither of data the following methodsNo change with Networks 11. Regularly test security systems• secure and codingprocesses practices PCI 1.2! Maintain an • installing a Web App FW Information 12. Maintain a policy that addresses Security Policy information security Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 5 What sort of attacks are we talking about? http://www.owasp.org How widespread these attacks are Top 10 Source: WhiteHat Security, 2007 Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 6 Why Not Fix Current Applications? Every 1000 lines of code averages 15 critical security defects (US Dept of Defense) The average business app has 150,000-250,000 lines of code (Software Magazine) The average security defect takes 75 minutes to diagnose and 6 hours to fix (5-year Pentagon Study) Even if you consider those figures are exaggerated (positively or negatively) the cost of fixing applications is prohibitive WAF always a very financially sound option! Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 7 Question? Which of the following are some examples of the PCI DSS requirements? A. Install a Web B. Need for Anti -Virus Application Firewall update C. Encrypt transmission D. Prevention of OWASP of cardholder data vulnerabilities Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 8 Product Overview Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 9 SDN Secured Data Center: big picture and where does ACE WAF play? Data Center Edge Web Access Apps and Storage Mgmt • Firewall & IPS • Web Security Database • Data Encryption • Tiered Access • DOS Protection • Application Security • XML, SOAP, AJAX •In Motion • Monitoring & • App Protocol Inspection • Application Isolation Security •At Rest Analysis • Web Services Security • Content Inspection • XDoS Prevention • Stored Data • Role-Based • VPN termination • SSL • App to App Security Access Control Access • Email & Web Access Encryption/Offload • Server Hardening • Segmentation • AAA Access control • Server Hardening Control ACE ACS IronPort ACE WAAS E-Mail Security WAF CSA CSM Tier 1/2/3 CSA-MC MDS Storage CW-LMN IronPort w/SME ACE Web Security WAF Application ASA CSA Servers Cat6K CSA CSA MARS FWSM CSA ACE WAF Web Servers IronPort Database Tape/Off-site Web Security Servers Backup Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 10 ACE Web Application Firewall (WAF) Drop-in solution for PCI Compliance , Virtual App Patching , Data Loss Prevention Secure – Deep packet protection of the most common vulnerabilities Fast – Processes 3,000+ TPS and 10,000+ concurrent connections Drop-in - Does not require recoding applications, deployable in under an hour PCI 6.5/6.6 compliance is just a few clicks away Available Now! Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 11 Not Just Signatures - Comprehensive Security Active Security Message Content Search and Replace Signature-Based Inspection Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 12 Network Deployment Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 13 ACE WAF Network Deployment WAF deploys as a full reverse proxy Must have load balancer for HA, failover (ACE is great for this!) Always performs source NAT on traffic –HTTP header insert exposes source IP to server ACE WAF can optionally terminate SSL –No client cert validation without AXG license Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 14 Clustering: Separate Manager 2 or more appliances running Firewall component 1 appliance running Manager component Firewall Manager Firewall Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 15 Perimeter security: One-armed proxy •Traffic passes through ACE twice •Easy to insert into existing ACE deployment •Allows for fail-open or fail-closed configuration Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 16 Perimeter Security: Two-armed proxy Public VIP: 63.90.156.60 10.30.1.1 Internet ACE 10.30.1.151 10.30.1.152 Web Application Application Consumers Switch ACE WAFs 10.20.1.1 10.20.1.151 10.20.1.152 VIP: 10.20.1.200 10.10.1.1 ACE 10.10.1.1010.10.1.11 10.10.1.12 Application Switch •Different contexts on same physical ACE Web Application can be used on both sides Providers •Best practice when backend is multiple hops from ACE WAF, need DMZ separation Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 17 One-armed: Terminate SSL at ACE Each flow carries request and corresponding response •Request in direction of arrow •Response in opposite direction Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 18 One-armed: Terminate SSL at ACE XML Gateway Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 19 Alternative Network Deployment Model AXG Web WWW1 Application HTTP Firewall Internet Full Reverse WWW2 Proxy External HTTP and XML Web Services WWW3 Consumers Portal Portal WWW WWW DNS Points to AXG WAF when Asked for WWWx The AXG Web Application Firewall is a full reverse proxy. In other words, you can have the DNS server point to the IP address of the AXG to represent the actual Web server. At that point, the AXG accepts all requests destined to the Web server, filters them, and sends them out. The response comes back to the WAF as well for total control of the session. Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 20 WAF GUI Demo Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 21 Cisco ACE Web Application Firewall Summary Full-featured Web application firewall with integrated XML firewall Extend protection for traditional HTML-based Web applications to modern XML- enabled Web services applications. Access enforcement Secure applications from unauthorized access with AAA enforcement mechanism Positive and Negative security enforcement Enjoy the best of both worlds by keeping bad traffic patterns out and allowing only good traffic through. Human assisted learning Deploy policies and profiles in monitoring mode to prevent application downtime due to false positives typical in an automated learning environment. Policy-based provisioning Achieve increased developer productivity and ease of deployment with sophisticated GUI, rollback, and versioning capabilities. Defense-in-Depth Should Include a Web Application Firewall that Can Quickly, Effectively, and Cost-Effectively Block Attacks at Layers 5–7. Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 22 Q and A Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 23 Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 24.