Why Web Application Firewall (WAF)
Cisco Web Application Firewall Overview
Network Deployment Examples
GUI Demo
Q&A

Protecting Web Applications with Web Application Firewall

Ong Poh Seng Data Center Architect [email protected]

Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 1 Agenda

Why Web Application Firewall (WAF)
Cisco Web Application Firewall Overview
Network Deployment Examples
GUI Demo
Q&A

Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 2 Off the press

… more than 45 million credit and debit card numbers have been stolen from its IT systems …

Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 3 Focus of today’s attacks

75% of Attacks Focused Here

Custom Web Applications Customized Packaged Apps Internal and 3rd Party Code Business Logic & Code

Web Application Database Servers Servers Servers

Operating Operating Operating Systems Systems Systems

Network IDS Network Firewall IPS

No magic signatures or patches for your custom PHP script

Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 4 The Payment Card Industry (PCI) Data Security Standard

1. Install and maintain a firewall configuration to Build and protect data Maintain a 2. Do not use vendor-supplied defaults for system Secure Network passwords and other security parameters

3. Protect stored data Protect Cardholder Data 4. Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a 5. Use and regularly update anti-virus software Vulnerability Management 6. Develop and maintain secure systems Program and applications 7. Restrict access to data by business Implement need-to-knowSection 6.5: develop secure web apps, cover Strong Access 8. Assign a unique preventionID to each person of withOWASP vulnerabilities Control computer access Measures 9. RestrictSection physical 6.6:access Ensure to cardholder all web-facing data apps are Regularly 10. Track and monitorprotected all access to against network known attacks using Monitor and Test resources and cardholdereither of data the following methodsNo change with Networks 11. Regularly test security systems• secure and codingprocesses practices PCI 1.2! Maintain an • installing a Web App FW Information 12. Maintain a policy that addresses Security Policy information security

Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 5 What sort of attacks are we talking about?

http://www.owasp.org How widespread these attacks are Top 10

Source: WhiteHat Security, 2007

Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 6 Why Not Fix Current Applications?

Every 1000 lines of code averages 15 critical security defects (US Dept of Defense)

The average business app has 150,000-250,000 lines of code (Software Magazine)

The average security defect takes 75 minutes to diagnose and 6 hours to fix (5-year Pentagon Study)

Even if you consider those figures are exaggerated (positively or negatively) the cost of fixing applications is prohibitive

WAF always a very financially sound option!

Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 7 Question?

Which of the following are some examples of the PCI DSS requirements?

A. Install a Web B. Need for Anti -Virus Application Firewall update

C. Encrypt transmission D. Prevention of OWASP of cardholder data vulnerabilities

Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 8 Product Overview

Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 9 SDN Secured Data Center: big picture and where does ACE WAF play?

Data Center Edge Web Access Apps and Storage Mgmt • Firewall & IPS • Web Security Database • Data Encryption • Tiered Access • DOS Protection • Application Security • XML, SOAP, AJAX •In Motion • Monitoring & • App Protocol Inspection • Application Isolation Security •At Rest Analysis • Web Services Security • Content Inspection • XDoS Prevention • Stored Data • Role-Based • VPN termination • SSL • App to App Security Access Control Access • Email & Web Access Encryption/Offload • Server Hardening • Segmentation • AAA Access control • Server Hardening Control

ACE ACS

IronPort ACE WAAS E-Mail Security WAF CSA

CSM Tier 1/2/3 CSA-MC MDS Storage CW-LMN IronPort w/SME ACE Web Security WAF Application ASA CSA Servers Cat6K CSA CSA MARS FWSM CSA ACE WAF Web Servers IronPort Database Tape/Off-site Web Security Servers Backup

Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 10 ACE Web Application Firewall (WAF)

Drop-in solution for PCI Compliance , Virtual App Patching , Data Loss Prevention
Secure – Deep packet protection of the most common vulnerabilities
Fast – Processes 3,000+ TPS and 10,000+ concurrent connections
Drop-in - Does not require recoding applications, deployable in under an hour
PCI 6.5/6.6 compliance is just a few clicks away

Available Now!

Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 11 Not Just Signatures - Comprehensive Security

Active Security

Message Content Search and Replace

Signature-Based Inspection

Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 12 Network Deployment

Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 13 ACE WAF Network Deployment

WAF deploys as a full reverse proxy
Must have load balancer for HA, failover (ACE is great for this!)
Always performs source NAT on traffic –HTTP header insert exposes source IP to server
ACE WAF can optionally terminate SSL –No client cert validation without AXG license

Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 14 Clustering: Separate Manager

2 or more appliances running Firewall component
1 appliance running Manager component

Firewall

Manager Firewall

Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 15 Perimeter security: One-armed proxy

•Traffic passes through ACE twice •Easy to insert into existing ACE deployment •Allows for fail-open or fail-closed configuration

Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 16 Perimeter Security: Two-armed proxy

Public VIP: 63.90.156.60 10.30.1.1 Internet

ACE 10.30.1.151 10.30.1.152 Web Application Application Consumers Switch ACE WAFs

10.20.1.1 10.20.1.151 10.20.1.152 VIP: 10.20.1.200

10.10.1.1

ACE 10.10.1.1010.10.1.11 10.10.1.12 Application Switch •Different contexts on same physical ACE

Web Application can be used on both sides Providers •Best practice when backend is multiple hops from ACE WAF, need DMZ separation

Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 17 One-armed: Terminate SSL at ACE

Each flow carries request and corresponding response •Request in direction of arrow •Response in opposite direction

Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 18 One-armed: Terminate SSL at ACE XML Gateway

Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 19 Alternative Network Deployment Model

AXG Web WWW1 Application HTTP Firewall

Internet Full Reverse WWW2 Proxy External HTTP and XML Web Services WWW3 Consumers Portal Portal WWW WWW DNS Points to AXG WAF when Asked for WWWx

The AXG Web Application Firewall is a full reverse proxy.
In other words, you can have the DNS server point to the IP address of the AXG to represent the actual Web server.
At that point, the AXG accepts all requests destined to the Web server, filters them, and sends them out. The response comes back to the WAF as well for total control of the session.

Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 20 WAF GUI Demo

Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 21 Cisco ACE Web Application Firewall Summary

Full-featured Web application firewall with integrated XML firewall Extend protection for traditional HTML-based Web applications to modern XML- enabled Web services applications.
Access enforcement Secure applications from unauthorized access with AAA enforcement mechanism
Positive and Negative security enforcement Enjoy the best of both worlds by keeping bad traffic patterns out and allowing only good traffic through.
Human assisted learning Deploy policies and profiles in monitoring mode to prevent application downtime due to false positives typical in an automated learning environment.
Policy-based provisioning Achieve increased developer productivity and ease of deployment with sophisticated GUI, rollback, and versioning capabilities.

Defense-in-Depth Should Include a Web Application Firewall that Can Quickly, Effectively, and Cost-Effectively Block Attacks at Layers 5–7.

Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 22 Q and A

Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 23 Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 24