Project Part III Double Deuce Jibran Ilyas, Frank LaSota, Paul Lowder, Juan Mendez 1 Our Security Problem Is Website Attacks Firewall are common in every network deployment, so attackers use websites to get access to internal network Every industry, be it online hop, retail stores, educational institution or government sector has a website for public use, which makes the website problem very common in multiple industries. 2 SQL Injection Web Attack Example Query Injected by the Attacker Output from the Query Note: Account Numbers masked to protect customer identity 3 PHP File Inclusion Web Attack Example 4 Cross Side Scripting (XSS) In the code below, you will see that XSS can easily send you to an evil site http://www.infotech.northwestern.edu/index.php? name=<script language=javascript>window.location= “http://www.veryevilsite.com/toldya.htm”;</script> In the code below, you will see that XSS may cause denial of service with just one line of code • http://www.avatar.com/ccs1-release-testing/rao.php? name=<script language=javascript>setInterval ("window.open('http://www.cs.northwestern.edu/~ychen/','innerName')",10);< /script> The link above will open a window of Dr. Chen’s webpage and request it every 10 milliseconds. (changed from every 100 milliseconds ) 5 Other Web Attacks Attackers can target vulnerabilities in browser (Internet Explorer or Firefox, java console, plugins, etc 6 Our Solution Criteria for Evaluation Solution Cost Effective Web Application Firewall Few False Positives Manual Code Reviews and Pen Tests High Availability Bluecoat Web Filter Effective for new threats IDS/IPS not ideal for web solution Ease of Configuration Out of the box functionality 7 Solution Considerations Web Application Firewalls (WAF) Writing Secure Code is much easier said than done WAF can block variety of traffic High Performance and low latency; only looks at Layer 7 Addresses PCI 6.6 requirement for web security Out of the box Web Security Solution - “Virtual Patch” Gartner’s Magic Quadrant on WAFs due in Q4 of 2009 Costs around $35,000 for the appliance Common Web Application Firewalls (WAFs) include WebDefend, ModSecurity (open source) and Imperva SecureSphere 8 WAF Defined WAF Architecture Choices Placed between Firewall and Web Application (Inline) E.g. Reverse Proxy Mode and Transparent Mode Connected to Network Port on same switch as Web Application (Out of Band) E.g. Network Monitor Mode Blocks traffic by using TCP Resets Has no latency and prevents single point of failure Security Models Allow only “Good” Traffic (Positive) Block only Malicious Traffic (Negative) 9 How WAF does the job? Dynamic Profiling (Automated Application Learning) Session Protecting Engine SSL Decryption Data leakage protection 10 Manual Code Reviews and Application Pen Tests Best Defense of Websites Manual tests done by experts Whitebox testing available Costs are $300 per 500 lines of code Average Web Application Code Review costs $30,000 (50,000 lines of code) 11 Bluecoat Web Filter Defined Blue Coat WebFilter is an “on-proxy” web filtering solution that protects internal users from Spyware Phishing attacks P2P IM and streaming traffic Adult content (sorry) Botnets (yayy) Appliance starts at $10,000 12 Bluecoat Web Filter – How it Works 13 Bluecoat on the Fly detection (Dynamic Detection) 14 Magic Quadrant for Secure Web Gateways 15 Cost/Risk Analysis Web Application Firewalls – Costs: Open Source Options available – Risks: Developers should stay on top Manual Code Reviews and Application Pen Test – Costs: Very High Costs $300 per 500 lines of code – Risks: Minimal; code is checked by ethical hackers Bluecoat Web Filter – Costs: Appliance + Support Costs – Risks: Moderate; claims 98% coverage of malware 16 Feasibility Analysis Web Application Firewalls – Feasible because open source options available. – Huge Community Support Manual Code Reviews and Application Pen Tests – Not feasible for most organizations; very costly – PCI accepts WAF in place of this Bluecoat Web Filter – Feasible because of its database + Dynamic Protection – Network license needed rather than per client 17 Business/Legal Consequence Web Application Firewall (WAF) – Lessens the risk of web applications significantly – No legal consequences Manual Code Review and Application Pen Tests – Business case not strong; compliance accepts WAF – Legal consequences applicable as exploits discovered are documented and failure to remediation can be bad Bluecoat Web Filter – Strong Business case, given web attacks in today’s world – User privacy is a big legal concern 18 Corporate Context All three solutions are necessary for all the Industries – Government: Needless to say – Education: Private student records are at risk – Healthcare: Private health info at risk – Private: Social Security, Credit cards, Intellectual Property at Risk Failure to implement these solutions result in compromises which causes falling share price, dropping consumer confidence, bad reputation + high remediation costs 19 Related Work and Research in This Area SANS Paper on Web Based Threats – http://www.sans.org/reading_room/whitepapers/application/web_based_attack s_2053?show=2053.php&cat=application Symantec’s Paper on Web Based Threats – http://eval.symantec.com/mktginfo/enterprise/white_papers/bwhitepaper_web_based_attacks_03-2009.en-us.pdf DevShed.com’s Cross Side Scripting Paper – http://www.devshed.com/c/a/Security/A-Quick-Look-at-Cross-Site-Scripting/1/ Bluecoat Webfilter datasheet – http://www.bluecoat.com/doc/direct/789 Web Application Firewall – http://www.owasp.org/index.php/Web_Application_Firewall 20 Thank You Jibran Ilyas Frank LaSota Paul Lowder Juan Mendez 21