Application Firewall Overview

For the latest information, please see http://www.IVOappliance.com/iag/index.htm

Contents

IAG Application Firewall: An Overview ..... 1
Features and Benefits ..... 2
Technical Outline ..... 4
Application Request Filtering ..... 4
Broad Application Attack Prevention and Prevention Capabilities ..... 5

IAG Application Firewall: An Overview

The Intelligent Application Gateway (IAG) 2007 application firewall component is a next-generation positive-logic firewall designed to secure applications from network-layer and application-layer attacks through an easy-to-manage, integrated approach. Recognized by industry analysts as a leading secure application firewall in its own right, the application firewall is a critical element in delivering a complete application access and security solution for the most demanding enterprise customers. The gateway's ability to ensure that only valid resource requests are forwarded to the internal server protects the application infrastructure, and its support for event-driven rules allows dynamic, session-specific variables to be included in those rules so that external access remains fully functional. The IAG application firewall combines Web-based connectivity, flexible authentication and authorization, endpoint compliance and sophisticated application filtering in a single appliance with a unified policy framework.
The IAG application firewall supports a hybrid approach, combining positive-logic and negative-logic filtering (described in the Technical Outline below), to protect against application-layer threats while allowing authenticated users to access critical business applications from any unmanaged endpoint, in conjunction with IAG endpoint compliance enforcement. In a normal, risk-free environment, administrators could assume that, in the context of Web-based connectivity, the user's browser sends only legitimate HTTP requests to the Web server. However, a number of scenarios mandate application filtering. A public browser or other non-corporate machine might be contaminated with a worm "sitting and waiting" for someone to authenticate in order to launch an attack. Legitimate user credentials can be hijacked by an attacker seeking unauthorized access to corporate data. A rogue user exploiting a semi-trusted connection as a partner, or even a non-trusted connection as a customer, may attempt to take control of the application access gateway before or after authentication, essentially creating an open door to the internal network. The impact of application-layer attacks ranges from a small disturbance in network availability to information theft and unauthorized control of back-end application servers. The application firewall's role is to protect the Web application servers and the application access gateway from these exploits while allowing legitimate requests to pass through to the server, enabling the business benefits of browser-based application access. The functionality of the IAG application firewall extends beyond that of other SSL VPNs, which are restricted to protecting their own appliance from attack.
The ability to shield the application servers behind the appliance from attack enables IAG customers to expand the number of unmanaged endpoints that can connect to internal resources while ensuring that the infrastructure is not put at risk.

IAG Application Firewall 1

Features and Benefits

Implementing the IAG application firewall as part of an overall application access deployment provides the following benefits:

Comprehensive security for sensitive applications and data
Streamlined security processes through an integrated application access policy framework
Policy-driven security enforcement
Simplified architecture and minimized need for additional third-party elements
Ability to adhere to corporate policies forbidding the opening of firewall ports
Lower total cost of ownership than custom in-house solutions

The application firewall can be configured to pass through only legitimate server requests, based on a dynamic, event-driven white list of acceptable application transactions. It can be customized through a toolkit that includes a rule set editor, a recorder and a rule set optimization tool, allowing easy policy definition. To reduce the complexity and overhead of protecting application infrastructure exposed by broader access, IAG 2007 provides application-specific rule sets as an integral element of Intelligent Application Optimizers™, which protect servers with out-of-the-box policy configurations. The application firewall's positive logic filtering technology, with support for event-driven variables, shields systems from current and future threats by enforcing the set of acceptable application actions. The IAG component has been proven in large-scale deployments with stringent security requirements, and incorporates rule sets for widely used enterprise applications including Microsoft®, IBM Lotus and SAP environments.
Integration of the application firewall at the product and policy levels lets administrators implement application access in a simple yet secure manner, without the additional expensive and complicated infrastructure otherwise needed to avoid security breaches. Application-level control includes thorough inspection of URLs, methods, parameters and any other incoming data. The inspection rules can be based on the positive logic of the application, indicating a controlled set of legitimate URL, method and parameter combinations to which requests are expected to conform. This prevents application-level attacks based on malformed URLs or HTTP requests. IAG 2007 also supports negative logic rules that use signature identification to block known attacks from reaching internal servers.

In addition to its technical features, the IAG application firewall centralizes and simplifies the process of managing and enforcing security, reducing the likelihood of security breaches caused by human error. Thanks to an integrated approach focused on the session lifecycle, organizations using the IAG application firewall need not worry about conflicts between the various moving parts of their security architecture. Because IAG 2007 can provide native endpoint checking or integrate with third-party software to ensure that only healthy clients connect to the network, assign user rights, and enforce acceptable session parameters through a single policy framework, administrators can upgrade or patch a single component without creating further need for changes elsewhere in the security infrastructure. Of course, the application firewall itself must be impervious to attack if internal servers are to be completely protected. Incorporation of Microsoft Internet Security and Acceleration (ISA) Server 2006 protects the IAG appliance itself from Internet-based attacks.
In addition to the application firewall features, IAG 2007 handles further security functions such as authentication. When a request has passed the security checks, IAG 2007 uses its pre-defined configuration to determine which application server the request must be sent to, builds a TCP/IP connection to that server and relays the request across the internal network. Inappropriate requests are terminated by the appliance as it inspects inbound traffic. Responses are handled in a similar fashion, with IAG 2007 translating and encrypting traffic from the various application servers before transmitting it to the user. IAG 2007 can also be configured to modify application source data on the fly, changing content and adding features as desired or needed. The Host Address Translation feature supplements this capability by publishing encrypted URLs to external browsers: its dynamic URL rewriting enables secure publishing to the Internet through resource cloaking while preserving the integrity of server requests.

Figure: A screenshot of the firewall rule policy definition tool.

Technical Outline

The IAG application firewall's filtering combines negative logic, positive logic and event-driven dynamic rules.

Application Request Filtering

There are several different types of filtering architectures available today.

1. Negative logic based filtering: Negative logic filtering relies on signatures of known attacks, and prevents any request that matches an attack signature from reaching the protected servers. Filters relying on negative logic are quite accurate at preventing known attacks, but cannot shield against exploits for which no signature exists yet. They also require regular updates to their signature sets.

2. Positive logic based filtering: Positive logic filtering allows only requests that match a definition of what the protected servers know how to handle, and prevents any request not known to be valid from reaching them. To minimize the performance overhead of a positive-logic engine, the set of valid requests is normally expressed in an optimized form such as regular expressions. Valid method/URL/parameter combinations can be defined, as can acceptable parameter value ranges (e.g. month must have a value between 1 and 12). Defining the set of valid requests requires some upfront investment, but positive logic engines typically need less ongoing maintenance than negative logic engines: the rule set changes only when the application changes, not each time a new threat emerges, and rule set recording and optimization tools simplify the task further.

3. Dynamic rules based filtering: Some security vendors have proposed scanning each outgoing Web page at the filter and deriving rules from it, so that only the URLs present in the outgoing HTML page may be submitted as requests by the user. This "dynamic rules" concept has several limitations in real-world implementations:

Technical issues – Many Web-based enterprise applications use Java applets, JavaScript, ActiveX®, Flash and other non-HTML elements, all of which prevent the filter from properly analyzing the outgoing data stream and establishing correct rules.

Security – Generating "on the fly" rules that define the lexicon of an application demands absolute accuracy. Any error made by the filter, such as recognizing an invalid link as valid, takes effect immediately in production, because there is no testing or inspection stage. Automatically enabling every link on a Web page is an insecure practice: an internal user may upload a file that, when downloaded through the appliance, contains links leading directly to the application server. Such links become an attacker's path to the internal network, since the appliance will do nothing to block a "legitimate link" that appeared in a page.

Inconvenience – Because only URLs found on the page just served are permitted, this kind of filtering frequently breaks bookmarks that would otherwise offer convenient quick access to a Web page.

Performance – Analyzing every Web page during production use severely impacts the performance of systems relying on dynamic rules.

4. Positive logic based filtering with event-driven dynamic rules: This type of filtering offers the strength of positive logic based filtering together with many of the benefits of dynamic filtering, without most of the drawbacks. Event-driven dynamic filtering uses positive logic rules but allows variables in the rule set whose values are set dynamically during user sessions. For example, a variable called USERNAME may be set to the user's username once he logs in to an application. Variables in positive logic rule sets allow extremely strict rules (and tight security): a user's name can be included in a URL path, and after authentication every request reaching the application firewall is checked to ensure that the username in the URL matches the authenticated user. Only the authenticated user can access the information in the current session, and the user cannot access anyone else's data.
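As an added example (illustrative code written for this page, not the IAG rule engine or any code from the white paper), the following Python script implements the fourth architecture above: a positive-logic rule set expressed as regular expressions over method, URL path and parameters, with a session variable USERNAME that is set by a login event and substituted into the rules before matching. Because any positive-logic filter must canonicalize input before comparing it with the rules, the script also performs the decoding checks that the "Encoded attacks", "Parameter tampering", "Debug options", "Buffer overflows" and "Inappropriate HTTP Methods" items later in this document describe. The rule format, the webmail paths, the size limits and the sample requests are assumptions constructed for the example.

```python
"""Positive-logic request filter with event-driven session variables (added example;
not the IAG rule engine; rules, paths and sample requests are constructed)."""
import re
from dataclasses import dataclass, field
from urllib.parse import unquote_to_bytes

class RejectedRequest(Exception):
    """Raised for any request that does not conform to the rule set."""

@dataclass
class Rule:
    method: str
    path: str     # regex over the canonical path; {NAME} is a session variable
    params: dict  # permitted parameter name -> (value regex, maximum length)

# Constructed rule set for a hypothetical webmail application.
RULES = [
    Rule("GET", r"/calendar", {"month": (r"[1-9]|1[0-2]", 2)}),
    Rule("GET", r"/mail/{USERNAME}/inbox", {}),
    Rule("POST", r"/mail/{USERNAME}/send",
         {"to": (r"[\w.+-]+@[\w.-]+", 64), "body": (r"[^<>]*", 2000)}),
]
MAX_TARGET_LEN = 256  # over-long URLs are the classic buffer-overflow vector
VAR = re.compile(r"\{([A-Z_]+)\}")

@dataclass
class Session:
    vars: dict = field(default_factory=dict)

    def on_login(self, username: str) -> None:
        """Event hook: a successful authentication sets USERNAME for this session."""
        self.vars["USERNAME"] = username

def canonicalize(raw: str) -> str:
    """Percent-decode exactly once and refuse anything that is not a clean encoding:
    strict UTF-8 rejects overlong forms such as %C0%AF, and a '%' surviving one
    decoding pass means the input was double-encoded."""
    if not re.fullmatch(r"(%[0-9A-Fa-f]{2}|[^%])*", raw):
        raise RejectedRequest("malformed percent-encoding")
    try:
        text = unquote_to_bytes(raw).decode("utf-8")
    except UnicodeDecodeError:
        raise RejectedRequest("invalid or overlong UTF-8 sequence") from None
    if "%" in text:
        raise RejectedRequest("double encoding")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in text):
        raise RejectedRequest("control character in request")
    return text

def expand(pattern: str, session: Session):
    """Substitute session variables into a rule; None while a variable is unset."""
    try:
        return VAR.sub(lambda m: re.escape(session.vars[m.group(1)]), pattern)
    except KeyError:
        return None

def filter_request(session: Session, method: str, target: str) -> tuple:
    """Return (method, canonical path, params) if some rule permits the request."""
    if len(target) > MAX_TARGET_LEN:
        raise RejectedRequest("request target too long")
    raw_path, _, raw_query = target.partition("?")  # split first: an encoded '?' stays data
    path = canonicalize(raw_path)
    params = {}
    for pair in filter(None, raw_query.split("&")):
        name, _, value = pair.partition("=")
        name = canonicalize(name)
        if name in params:
            raise RejectedRequest(f"duplicate parameter {name}")
        params[name] = canonicalize(value)
    for rule in RULES:
        pattern = expand(rule.path, session)
        if rule.method != method or pattern is None or not re.fullmatch(pattern, path):
            continue  # wrong method for this URL, unset variable, or a different path
        for name, value in params.items():
            if name not in rule.params:
                raise RejectedRequest(f"unexpected parameter {name}")
            value_re, max_len = rule.params[name]
            if len(value) > max_len or not re.fullmatch(value_re, value):
                raise RejectedRequest(f"parameter {name} out of range")
        return method, path, params
    raise RejectedRequest(f"no rule permits {method} {path}")

def check(session: Session, method: str, target: str) -> str:
    """Return 'ALLOW' or 'BLOCK: <reason>' for one request in the given session."""
    try:
        filter_request(session, method, target)
        return "ALLOW"
    except RejectedRequest as exc:
        return f"BLOCK: {exc}"

if __name__ == "__main__":
    s = Session()
    print(check(s, "GET", "/mail/alice/inbox"))  # blocked: USERNAME is unset before login
    s.on_login("alice")
    for method, target in [("GET", "/mail/alice/inbox"), ("GET", "/mail/bob/inbox"),
                           ("GET", "/mail/alice/..%2Fbob/inbox"), ("GET", "/calendar?month=13"),
                           ("GET", "/calendar?month=3&debug=1"), ("GET", "/calendar?month=%2531"),
                           ("GET", "/calendar?month=%C0%AF"), ("POST", "/calendar")]:
        print(method, target, "->", check(s, method, target))
```

Run the script directly to see each sample request and its verdict. Two design points matter: the query string is split from the path before percent-decoding, so an encoded "?" or "&" cannot restructure the request after the rules have seen it; and a rule that references an unset variable matches nothing, so a URL carrying a username is unreachable until the login event has populated USERNAME, and a logged-in user's requests for anyone else's mailbox fail the fullmatch.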
Before relaying any data to application servers on the internal network, IAG 2007 subjects the incoming application-level data to stringent security checks. Application-level control includes thorough inspection of URLs, methods, parameters and any other incoming data. The inspection rules can be based on the positive logic of the internal applications, using a controlled set of legitimate URL, method and parameter combinations to which requests are expected to conform, and may contain variables that are set when specific events occur. This application-request filtering prevents application-level attacks based on malformed URLs, a common method of exploiting buffer overflows in Web servers. In addition, the application firewall supports negative logic rules to specifically block known attacks from reaching internal servers. IAG 2007 further supplements application-layer negative logic rules with an IP address block list, which prevents users from a particular IP address (or set of addresses) from accessing the application, helping to avoid Denial of Service conditions at the application layer.

Broad Application Attack Prevention and Prevention Capabilities

Some of the attack techniques that the IAG application firewall's filtering engine can mitigate include:

Parameter tampering – The filtering engine inspects all parameters before transmitting requests to back-end Web servers. Only parameters that are expected, and whose names, sizes and values conform to the rules defined in the filter configuration, are accepted. If a user has tampered with a parameter in an effort to attack an internal system, the filtering engine will not let the parameter reach the intended target.

Debug options – The filtering engine can block requests that contain parameters carrying debug options; a parameter that is not in the rule set for that URL is rejected like any other unexpected parameter.
Buffer overflows – Buffer overflow attacks typically use long URLs or long parameter values, which do not conform to the length limits in the filter configuration and are therefore blocked by the engine.

Encoded attacks – The filtering engine is Unicode- and escape-sequence-aware, and blocks Unicode- and escape-sequence-encoded attacks, including double encoding and overlong UTF-8 representations. Canonicalization must precede rule matching: a filter that compared the raw, still-encoded request against its rules could be bypassed by an encoded variant of a blocked request.

Code injection – Code injection is the submission of code to the Web application where plain data is expected. For example, a user might enter a short script instead of his address, in the hope that the system will execute it; alternatively, the script may be supplied as a parameter value in the URL. Because the application firewall inspects requests, parameters and values, such input is blocked when it does not match the permitted pattern for that parameter.

Cross-site scripting – Cross-site scripting is a special form of code injection in which the attacker submits code in a field that the Web application will later display to other users, so that the code executes on those users' machines. For example, an attacker may post code to an online bulletin board in the hope that when other users view the message their browsers execute it instead of displaying it as text. Such attacks are blocked in the same way as other code injection. Note that this protection is only as strong as the parameter rules: a rule that permits arbitrary free text in a field passes a script as readily as an address, so fields should be constrained to the characters the application genuinely needs.

SQL injection – Similar to code injection, this type of attack embeds SQL statements within a data field. As with the general case of code injection, the filtering engine blocks attempts to tunnel SQL.

Tunneling OS shell commands – Similar to code injection, this attack embeds operating system commands within a data field; it is blocked by the application firewall in the same manner as tunneled SQL and other injected code.

Tunneling proprietary protocols – Similar to code injection, this attack embeds commands for some application on the internal network within a data field. Like the other examples of injected code, it is blocked by the application firewall.

Inappropriate HTTP methods – Using a method the application does not expect, such as POSTing where a GET is expected or using WebDAV methods. The filtering engine checks that the method of every request is one permitted for that URL in the rule set.

Unexpected file uploading – Where files are not expected, the filter does not allow files to be uploaded (e.g. through POSTs).

Other application-level attacks – Positive logic based application-request filtering (with event-driven dynamic capabilities) is a powerful tool against known attacks, and also against vulnerabilities not yet discovered or patched, since a request that does not conform to the application's expected lexicon is rejected whether or not a signature exists for it. It reduces the likelihood of a Denial of Service attack against internal systems, as invalid requests are not transmitted to internal servers, and sources issuing large volumes of so-called "valid requests" can be blacklisted as well.

The information contained in this document represents the current view of Whale Communications on the issues discussed as of the date of publication. Because Whale Communications must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Whale Communications, and Whale Communications cannot guarantee the accuracy of any information presented after the date of publication. This White Paper is for informational purposes only. WHALE COMMUNICATIONS MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user.
Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Whale Communications.

Whale Communications may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

© 2007 Whale Communications. All rights reserved. Whale Communications is a wholly owned subsidiary of Microsoft Corporation. Whale Communications®, e-Gap®, Attachment Wiper™ and the Whale logos, Microsoft and ActiveX are either registered trademarks or trademarks of Whale Communications in the United States and/or other countries.

IAG Application Firewall-WP-200702.doc