Recommendations Regarding the Customer 1 Project

Project Part III
Double Deuce
Jibran Ilyas, Frank LaSota,
Paul Lowder, Juan Mendez
Our Security Problem Is Website Attacks

Firewalls are common in every network deployment, so attackers use
websites to get access to the internal network.

Every industry, be it online shop, retail store, educational institution
or government sector, has a website for public use, which makes the
website problem very common across industries.
SQL Injection Web Attack Example

[Figure: query injected by the attacker, and output from the query.
Note: account numbers masked to protect customer identity]
PHP File Inclusion Web Attack Example
Cross-Site Scripting (XSS)

In the URL below, you will see that XSS can easily send you to
an evil site:

http://www.infotech.northwestern.edu/index.php?name=<script language=javascript>window.location="http://www.veryevilsite.com/toldya.htm";</script>

In the URL below, you will see that XSS may cause denial of
service with just one line of code:

http://www.avatar.com/ccs1-release-testing/rao.php?name=<script language=javascript>setInterval("window.open('http://www.cs.northwestern.edu/~ychen/','innerName')",10);</script>

The link above will open a window of Dr. Chen's webpage and request it
every 10 milliseconds (changed from every 100 milliseconds).
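As an added illustration (not part of the presentation), the same reflected XSS in Python terms: the vulnerable pattern echoes the `name` parameter straight into the page, while the hardened version HTML-encodes it so the payload from the first URL above is shown as text instead of run. The function names are assumptions, and the payload is a copy of the page's own example embedded inline so the code runs offline.

```python
import html

# Constructed copy of the payload from the first URL above, kept inline so
# the example runs offline; it is not fetched from anywhere.
REFLECTED_PAYLOAD = (
    '<script language=javascript>window.location='
    '"http://www.veryevilsite.com/toldya.htm";</script>'
)


def render_greeting_unsafe(name):
    # Vulnerable pattern: the untrusted query parameter is concatenated into
    # the HTML body verbatim, so a <script> inside it runs in the visitor's
    # browser exactly as the slide describes.
    return "<h1>Hello, " + name + "</h1>"


def render_greeting_safe(name):
    # Hardened pattern: HTML-encode the value for the HTML body context.
    # html.escape turns < > & " ' into entities, so the browser displays the
    # payload as literal text and never parses it as a tag.
    return "<h1>Hello, " + html.escape(name, quote=True) + "</h1>"


def contains_live_script_tag(rendered):
    # Defender's check: did an un-encoded <script tag survive rendering?
    return "<script" in rendered.lower()
```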
Other Web Attacks

Attackers can also target vulnerabilities in the browser (Internet
Explorer or Firefox), the Java console, plugins, etc.
Our Solution

Criteria for Evaluation
– Cost Effective
– Few False Positives
– High Availability
– Effective for new threats
– Ease of Configuration

Solution
– Web Application Firewall
– Manual Code Reviews and Pen Tests
– Bluecoat Web Filter
– IDS/IPS not ideal for web solution
– Out of the box functionality
Solution Considerations
Web Application Firewalls (WAF)

Writing secure code is much easier said than done

A WAF can block a variety of traffic

High performance and low latency; it only looks at Layer 7

Addresses the PCI 6.6 requirement for web security

Out of the box web security solution - "Virtual Patch"

Gartner's Magic Quadrant on WAFs due in Q4 of 2009

Costs around $35,000 for the appliance

Common Web Application Firewalls (WAFs) include WebDefend, ModSecurity
(open source) and Imperva SecureSphere
WAF Defined
WAF Architecture Choices

Inline: placed between the firewall and the web application
– E.g. Reverse Proxy Mode and Transparent Mode

Out of Band: connected to a network port on the same switch as the web application
– E.g. Network Monitor Mode
– Blocks traffic by using TCP Resets
– Has no latency and prevents a single point of failure

Security Models
– Allow only "Good" traffic (Positive)
– Block only malicious traffic (Negative)
How a WAF Does the Job

Dynamic Profiling (Automated Application Learning)

Session Protecting Engine

SSL Decryption

Data leakage protection
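To make the two security models from the WAF Defined slide and the dynamic profiling bullet above concrete, here is an added example in Python (not part of the presentation and not any vendor's rule set): a positive model that admits only requests matching a hand-written profile of the index.php `name` parameter, standing in for what a WAF would learn automatically, and a negative model that blocks requests matching a couple of constructed signatures. It runs over the page's own XSS URL, a percent-encoded copy of it, a benign request and a path the profile has never seen; the profile, signatures and sample requests are all assumptions.

```python
import re
from urllib.parse import urlsplit, unquote_plus, quote

# Positive model: profile of legitimate traffic per path. A real WAF learns this
# by dynamic profiling; this hand-written (constructed) one covers index.php?name.
POSITIVE_PROFILE = {
    "/index.php": {"name": re.compile(r"[A-Za-z][A-Za-z .'-]{0,39}")},
}

# Negative model: signatures of known-bad input. Constructed for this
# example; not a vendor rule set and nowhere near complete.
NEGATIVE_SIGNATURES = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
]

# Constructed sample requests: the page's own XSS URL, a percent-encoded
# copy (as a browser would send it), a benign request, and an unprofiled path.
XSS_PAYLOAD = ('<script language=javascript>window.location='
               '"http://www.veryevilsite.com/toldya.htm";</script>')
BASE = "http://www.infotech.northwestern.edu"
XSS_URL = BASE + "/index.php?name=" + XSS_PAYLOAD
ENCODED_XSS_URL = BASE + "/index.php?name=" + quote(XSS_PAYLOAD)
BENIGN_URL = BASE + "/index.php?name=Ann%20Smith"
UNPROFILED_URL = BASE + "/admin.php?name=Ann"

def decoded_params(url):
    """Query string as percent-decoded (key, value) pairs."""
    pairs = []
    for item in urlsplit(url).query.split("&"):
        if item:
            key, _, value = item.partition("=")
            pairs.append((unquote_plus(key), unquote_plus(value)))
    return pairs

def positive_model_allows(url):
    # Anything not explicitly known-good (unknown path, unknown parameter,
    # value outside the learned shape) is rejected.
    profile = POSITIVE_PROFILE.get(urlsplit(url).path)
    if profile is None:
        return False
    return all(key in profile and profile[key].fullmatch(value) is not None
               for key, value in decoded_params(url))

def negative_model_blocks(url):
    # Decode before matching, or "%3Cscript" slips past a literal signature.
    return any(sig.search(value)
               for _, value in decoded_params(url)
               for sig in NEGATIVE_SIGNATURES)
```

The unprofiled path shows the trade-off the slide implies: the positive model rejects it because it was never learned, while the negative model lets it through because no signature fires.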
Manual Code Reviews and Application Pen Tests

Best defense of websites

Manual tests done by experts

Whitebox testing available

Costs are $300 per 500 lines of code
– Average web application code review costs
$30,000 (50,000 lines of code)
Bluecoat Web Filter Defined

Blue Coat WebFilter is an "on-proxy" web filtering
solution that protects internal users from
– Spyware
– Phishing attacks
– P2P
– IM and streaming traffic
– Adult content (sorry)
– Botnets (yayy)

Appliance starts at $10,000
Bluecoat Web Filter – How it Works

Bluecoat on the Fly Detection (Dynamic Detection)

Magic Quadrant for Secure Web Gateways
Cost/Risk Analysis

Web Application Firewalls
– Costs: open source options available
– Risks: developers should stay on top of it

Manual Code Reviews and Application Pen Tests
– Costs: very high, $300 per 500 lines of code
– Risks: minimal; code is checked by ethical hackers

Bluecoat Web Filter
– Costs: appliance + support costs
– Risks: moderate; claims 98% coverage of malware
Feasibility Analysis

Web Application Firewalls
– Feasible because open source options are available
– Huge community support

Manual Code Reviews and Application Pen Tests
– Not feasible for most organizations; very costly
– PCI accepts a WAF in place of this

Bluecoat Web Filter
– Feasible because of its database + dynamic protection
– Network license needed rather than per client
Business/Legal Consequences

Web Application Firewall (WAF)
– Lessens the risk to web applications significantly
– No legal consequences

Manual Code Review and Application Pen Tests
– Business case not strong; compliance accepts a WAF
– Legal consequences apply: discovered exploits are
documented, and failure to remediate them can be bad

Bluecoat Web Filter
– Strong business case, given web attacks in today's world
– User privacy is a big legal concern
Corporate Context

All three solutions are necessary for all industries
– Government: needless to say
– Education: private student records are at risk
– Healthcare: private health information is at risk
– Private sector: Social Security numbers, credit cards, intellectual
property are at risk

Failure to implement these solutions results in compromises,
which cause a falling share price, dropping consumer
confidence, a bad reputation + high remediation costs
Related Work and Research in This Area

SANS Paper on Web Based Threats
– http://www.sans.org/reading_room/whitepapers/application/web_based_attacks_2053?show=2053.php&cat=application

Symantec's Paper on Web Based Threats
– http://eval.symantec.com/mktginfo/enterprise/white_papers/bwhitepaper_web_based_attacks_03-2009.en-us.pdf

DevShed.com's Cross-Site Scripting Paper
– http://www.devshed.com/c/a/Security/A-Quick-Look-at-Cross-Site-Scripting/1/

Bluecoat WebFilter datasheet
– http://www.bluecoat.com/doc/direct/789

Web Application Firewall
– http://www.owasp.org/index.php/Web_Application_Firewall
Thank You
Jibran Ilyas
Frank LaSota
Paul Lowder
Juan Mendez