Slide 1: Project Part III
Double Deuce
Jibran Ilyas, Frank LaSota, Paul Lowder, Juan Mendez

Slide 2: Our Security Problem Is Website Attacks
- Firewalls are common in every network deployment, so attackers use websites to get access to the internal network.
- Every industry, be it an online shop, retail store, educational institution or government sector, has a website for public use, which makes the website problem very common across industries.

Slide 3: SQL Injection Web Attack Example
[Figure: Query Injected by the Attacker]
[Figure: Output from the Query]
Note: Account numbers masked to protect customer identity.

Slide 4: PHP File Inclusion Web Attack Example
[Figure only]

Slide 5: Cross Site Scripting (XSS)
In the code below, you will see that XSS can easily send you to an evil site:
http://www.infotech.northwestern.edu/index.php?name=<script language=javascript>window.location="http://www.veryevilsite.com/toldya.htm";</script>
In the code below, you will see that XSS may cause denial of service with just one line of code:
http://www.avatar.com/ccs1-release-testing/rao.php?name=<script language=javascript>setInterval("window.open('http://www.cs.northwestern.edu/~ychen/','innerName')",10);</script>
• The link above will open a window of Dr. Chen's webpage and request it every 10 milliseconds (changed from every 100 milliseconds).

Slide 6: Other Web Attacks
- Attackers can target vulnerabilities in the browser (Internet Explorer or Firefox, Java console, plugins, etc.).

Slide 7: Our Solution
Criteria for Evaluation
- Cost effective
- Few false positives
- High availability
- Effective for new threats
- Ease of configuration
- Out of the box functionality
Solution
- Web Application Firewall
- Manual Code Reviews and Pen Tests
- Bluecoat Web Filter
- IDS/IPS not ideal for a web solution

Slide 8: Solution Considerations: Web Application Firewalls (WAF)
- Writing secure code is much easier said than done
- A WAF can block a variety of traffic
- High performance and low latency; only looks at Layer 7
- Addresses the PCI 6.6 requirement for web security
- Out of the box web security solution ("Virtual Patch")
- Gartner's Magic Quadrant on WAFs due in Q4 of 2009
- Costs around $35,000 for the appliance
- Common Web Application Firewalls (WAFs) include WebDefend, ModSecurity (open source) and Imperva SecureSphere

Slide 9: WAF Defined
WAF Architecture Choices
- Placed between the firewall and the web application (Inline), e.g. Reverse Proxy Mode and Transparent Mode
- Connected to a network port on the same switch as the web application (Out of Band), e.g. Network Monitor Mode
  – Blocks traffic by using TCP Resets
  – Has no latency and prevents a single point of failure
Security Models
- Allow only "good" traffic (Positive)
- Block only malicious traffic (Negative)

Slide 10: How Does the WAF Do the Job?
- Dynamic Profiling (Automated Application Learning)
- Session Protecting Engine
- SSL Decryption
- Data leakage protection

Slide 11: Manual Code Reviews and Application Pen Tests
- Best defense of websites
- Manual tests done by experts
- Whitebox testing available
- Costs are $300 per 500 lines of code
- Average web application code review costs $30,000 (50,000 lines of code)

Slide 12: Bluecoat Web Filter Defined
Blue Coat WebFilter is an "on-proxy" web filtering solution that protects internal users from:
- Spyware
- Phishing attacks
- P2P
- IM and streaming traffic
- Adult content (sorry)
- Botnets (yayy)
Appliance starts at $10,000

Slide 13: Bluecoat Web Filter – How it Works
[Figure only]

Slide 14: Bluecoat On-the-Fly Detection (Dynamic Detection)
[Figure only]

Slide 15: Magic Quadrant for Secure Web Gateways
[Figure only]

Slide 16: Cost/Risk Analysis
Web Application Firewalls
  – Costs: Open source options available
  – Risks: Developers should stay on top
Manual Code Reviews and Application Pen Tests
  – Costs: Very high; $300 per 500 lines of code
  – Risks: Minimal; code is checked by ethical hackers
Bluecoat Web Filter
  – Costs: Appliance + support costs
  – Risks: Moderate; claims 98% coverage of malware

Slide 17: Feasibility Analysis
Web Application Firewalls
  – Feasible because open source options are available
  – Huge community support
Manual Code Reviews and Application Pen Tests
  – Not feasible for most organizations; very costly
  – PCI accepts a WAF in place of this
Bluecoat Web Filter
  – Feasible because of its database + dynamic protection
  – Network license needed rather than per client

Slide 18: Business/Legal Consequence
Web Application Firewall (WAF)
  – Lessens the risk of web applications significantly
  – No legal consequences
Manual Code Review and Application Pen Tests
  – Business case not strong; compliance accepts a WAF
  – Legal consequences apply, as exploits discovered are documented and failure to remediate can be bad
Bluecoat Web Filter
  – Strong business case, given web attacks in today's world
  – User privacy is a big legal concern

Slide 19: Corporate Context
All three solutions are necessary for all industries:
  – Government: Needless to say
  – Education: Private student records are at risk
  – Healthcare: Private health info at risk
  – Private sector: Social Security numbers, credit cards, intellectual property at risk
Failure to implement these solutions results in compromises, which cause a falling share price, dropping consumer confidence, a bad reputation and high remediation costs.

Slide 20: Related Work and Research in This Area
SANS Paper on Web Based Threats
  – http://www.sans.org/reading_room/whitepapers/application/web_based_attacks_2053?show=2053.php&cat=application
Symantec's Paper on Web Based Threats
  – http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_web_based_attacks_03-2009.en-us.pdf
DevShed.com's Cross Site Scripting Paper
  – http://www.devshed.com/c/a/Security/A-Quick-Look-at-Cross-Site-Scripting/1/
Bluecoat WebFilter datasheet
  – http://www.bluecoat.com/doc/direct/789
Web Application Firewall
  – http://www.owasp.org/index.php/Web_Application_Firewall

Slide 21: Thank You
Jibran Ilyas, Frank LaSota, Paul Lowder, Juan Mendez
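The two WAF security models from the "WAF Defined" slide applied to the XSS requests from the XSS slide, as an added example that is not part of the original deck or any vendor's product: a negative (signature) model, a positive (allow-list) model, and the output encoding a code review would ask for. The request URLs, the allow-list for the `name` field and the "odd_name" value used to show a false positive are assumptions.

```python
import html
import re
from urllib.parse import urlsplit, unquote

# Constructed requests modelled on the deck's XSS slide (not captured traffic);
# "odd_name" is a made-up legitimate value used to show a false positive.
REQUESTS = {
    "benign": "http://www.infotech.northwestern.edu/index.php?name=alice",
    "redirect": ('http://www.infotech.northwestern.edu/index.php?name=<script language=javascript>'
                 'window.location="http://www.veryevilsite.com/toldya.htm";</script>'),
    "dos": ("http://www.avatar.com/ccs1-release-testing/rao.php?name=<script language=javascript>"
            "setInterval(\"window.open('http://www.cs.northwestern.edu/~ychen/','innerName')\",10);</script>"),
    "odd_name": "http://www.infotech.northwestern.edu/index.php?name=Jean-Luc O'Brien",
}

# Negative model: block only traffic matching known-bad signatures.
BAD_SIGNATURES = [re.compile(r"<\s*/?\s*script", re.I)]
# Positive model: allow only what the "name" field is expected to contain
# (an assumed allow-list; too strict and it trips the "few false positives" criterion).
NAME_RE = re.compile(r"[A-Za-z][A-Za-z .-]{0,39}")


def get_param(url, key):
    """Return the decoded value of one query parameter, or None if absent."""
    for pair in urlsplit(url).query.split("&"):
        k, _, v = pair.partition("=")
        if k == key:
            return unquote(v)
    return None


def negative_model(value):
    return "block" if any(s.search(value) for s in BAD_SIGNATURES) else "allow"


def positive_model(value):
    return "allow" if NAME_RE.fullmatch(value) else "block"


def classify(url):
    """Decision each WAF model would make for the request's name parameter."""
    value = get_param(url, "name") or ""
    return {"negative": negative_model(value), "positive": positive_model(value)}


def render_greeting(name):
    """The code-level fix a review would ask for: encode output, whatever the WAF did."""
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)
```

Both models block the deck's two payloads, but only the allow-list rejects the legitimate "Jean-Luc O'Brien", which is the false-positive trade-off behind the positive model.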