Web Application Protection Against Hackers and Vulnerabilities
Barracuda Web Application Controllers
Transcript of a Barracuda Networks Confidential slide deck
Agenda
• Introductions
• Barracuda Networks Company Overview
• Barracuda Web Application Controller
  – Deployment Options
  – Detection / Protection Methods
  – Profiling – Positive vs. Negative Security Model
  – Authentication
  – Traffic Management
  – Logging and Reporting
  – Performance
• Roadmap
• Q&A
Company Information
• Mission
  – Deliver comprehensive mid-market appliance-based solutions
• Leader in Email and Web Security
  – Company started in late 2003
• Headquarters in Campbell, California
  – Sales and support presence in Australia, Brazil, Belgium, Canada, China, France, Germany, India, Japan, Spain, Taiwan, UK and USA
  – 400+ employees worldwide
• Privately Funded
  – Cash flow positive for more than 4 years
  – First outside investment $40 million: Sequoia Capital & Francisco Partners (January 2006)
• Market Leader
  – 70,000 customers worldwide
Barracuda Networks Management Team
• Dean Drako, President & CEO – Velosel, Boldfish, Design Acceleration, 3DO, Apple
• Michael Perone, Executive VP & CMO – Address.com, Spinway, GE, JPL
• Zach Levow, CTO – Affinity Path, Spinway, Sun, Cadence
• David Faugno, CFO – Cisco Systems, AT&T
• Blair Hankins, VP Engineering – Nokia, Intellisync, Lotus
• Stephen Pao, VP Product Management – Cisco Systems, Nuance, Oracle
• Sales Management
  – Ezra Hookano, VP Sales North America – SonicWALL, U4EA
  – José Luis Sanchez, VP Sales Latin America – Netscreen
  – Paul Thackeray, VP & Managing Director EMEA – SonicWALL
  – Peter He, Managing Director China – Pandaguard, PricewaterhouseCoopers
  – Niall King, VP Sales APAC – Neoteris, Cacheflow
Barracuda Networks Company Strategy
• Powerful, easy-to-use hardware solutions
• Simple sales process
• Aggressive price point
  – No per user licensing fees
• Yearly subscription
  – Energize Updates
• Enterprise and SMB market
• Great customer service and technical support
• Streamlined manufacturing and delivery
Barracuda Networks Product Strategy
• Integrated hardware and software solutions
• Comprehensive products
  – Complete problem solutions in a single product
  – No “options” to add extra charges
• Ease of use
  – Flexible deployment options
  – Easy to use interfaces
• Single vendor for service and support
• No per user license fees
• Ongoing security services
Products For All Parts of the Network
• DMZ
  – Barracuda Spam Firewall
  – Barracuda IM Firewall
• Data Center
  – Barracuda Load Balancer
  – Barracuda Web Site Firewall
• Inside the Network
  – Barracuda Web Filter
  – Barracuda Message Archiver
Barracuda Networks Worldwide
• Products in multiple languages
• Offices in more than 10 countries
• Distributors in more than 80 countries
USA Customers (customer logos)
Vertical Customers: Education, Financial, Government, Technology / Internet, Corporate
Worldwide Customers (70,000+): APAC, Latin America, EMEA
Award-Winning Products
“(The Barracuda Web Filter is) an attractive proposition for the enterprise market, designed for simple administration and high throughput.”
– SC Magazine, February 2007
“Despite being heavy on the features, (Barracuda) WebFilter 310 remains easy to use and fully customizable.”
– CRN, June 2007
Barracuda Networks & NetContinuum
• NetContinuum acquired in July 2007
  – Leading provider of Web Application Firewall and Application Gateway appliances
  – Ranked No. 1 in Forrester Research WAVE Report 2006
  – Strategic acquisition puts Barracuda Networks in a strong position to expand the Web Application Firewall market
• Barracuda Networks support and product investment
  – Building upon existing NetContinuum products
  – Additional plans to address needs of smaller customers
  – Increasing investment in the Web Application Firewall product category
Web Application Controllers Major Features
• Comprehensive Web site protection
  – Attacks
  – Unauthorized access
  – Data theft
  – Web site defacement
• Web XML services protection
• Application access control
• Application delivery and acceleration
• Logging, monitoring and reporting
Web Application Controllers Detailed Features
• Application access control
  – SSO portal
  – LDAP and RADIUS integration
  – PKI support
  – Web access management
    • CA Siteminder
    • RSA Access Manager
• Application delivery and acceleration
  – Caching
  – Compression
  – Connection pooling
  – Load balancing
  – SSL acceleration
  – High availability
• Plus much, much more...
• Web site protection
  – HTTP protocol compliance
  – SQL injection blocking
  – OS command injection protection
  – XSS protection
  – Form/cookie tampering defense
  – Online form field validation
  – Denial of Service Protection
  – Outbound packet scanning
  – Web site cloaking
  – Anti-crawling
  – Advanced learning modes
• XML services security
  – XML attack prevention
  – Validation of XML schema, SOAP envelopes and XML content
  – WS-I profile validation
  – Web services cloaking
  – XML DoS attack protection

Integrates easily into existing systems
• Authentication
  – LDAP
  – RADIUS
  – X509 / CRL – for two factor authentication with client certificates
• Logging
  – Syslog
  – FTP – standardized transport for log storage
  – W3C Extended logging – standardized log format to integrate with generic access log parsers
Barracuda Web Site Firewall Product Line
(Listed from 1 Gbps at the top of the range down to 25 Mbps at the bottom)
• NC2000 AG
• NC1100 AG
• Barracuda Application Gateway NC500 AG
• Barracuda Web Site Firewall 660
• Barracuda Web Site Firewall 460
• Barracuda Web Site Firewall 360
Barracuda Web Application Controllers Satisfy Major PCI DSS Requirements
• Credit card companies increase pressure on merchants
  – Must be PCI compliant by June 30, 2008
• Acts as both network firewall and Web Application Firewall
• Proxies Web traffic and insulates Web servers from direct attacks
• Provides SSL encryption
• Blocks top 10 most common application vulnerabilities
• Provides role-based administration
• LDAP integration and unique ID support
• Provides application access logging and interacts with AAA systems
Web Application Controllers Architecture
• Single point of protection for inbound and outbound Web traffic
(Diagram: Users → Terminate, Secure, Accelerate → Web Applications, under Centralized Control)

Session Control
• TCP Session Termination
• SSL Termination
• HTTP Protocol Normalization & Compliance
• FTP Compliance
• HTTP Header Re-Write
• URL Translation
• URL Rate Control

Security Assurance
• Application Cloaking
• AAA
• White List
• Forms Protection
• Cookie Protection
• Data Theft Protection
• Dynamic Learning
• SQL & OS CMD Injection
• XSS Attack Protection
• Custom Black List: REGEX

Availability Assurance
• Caching
• GZIP Compression
• TCP Connection Pooling
• SSL Cryptographic Offload, Backend Encryption
• Layer 7 Content Switching
• Load Balancing
• Server & App Health Checking with Failover
Deployment Options
• Full reverse proxy
• One-armed proxy
• Normal bridged
• Fail open bridged
Proxy vs. Non-proxy: Fundamental Difference in Security Capabilities
• Non-proxy WAFs expose server operating systems and TCP stacks directly to the Internet
• You need a proxy-based WAF for:
  – Web Address Translation – non-proxies cannot re-write URLs
  – Cloaking – non-proxies do not cloak
  – SSL – non-proxies' SSL is VERY slow
  – Cookie security – non-proxies do not protect against ID theft
  – L7 Rate Control – non-proxies do not protect against DoS
  – Authentication and Authorization – non-proxies cannot do AAA
  – Data Theft Protection – non-proxies cannot mask outbound data
  – Response time acceleration – non-proxies cannot accelerate
Flexible HTTP / HTTPS Deployments
• Front end SSL (offload SSL)
• Front and back end SSL
• Enforced SSL: automatic redirect of HTTP to HTTPS
Client SSL Certificates Support
The WAC can support client certificates for authentication to an application/VIP. In addition, the WAC can support client certificates for backend communication.
Security: Web Site Cloaking
An attacker's first task is reconnaissance of the network for weaknesses: what Web, database and application servers are being used? What versions, patches or known vulnerabilities are there?
Cloaking makes enterprise Web resources invisible to hackers and worms
• Hides all error codes, HTTP headers, IP addresses
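The slide lists what cloaking hides but not how a reverse proxy does it. The following is an added illustration, not Barracuda code: a response filter that drops fingerprinting headers, replaces error pages with a generic one, collapses every 5xx to a plain 500 and redacts private addresses from successful bodies. The header list, the neutral banner, the generic error page, the 5xx-collapsing policy and the sample responses are all constructed for this example.

```python
"""Response cloaking as a reverse proxy would apply it.

Added illustration of "hides all error codes, HTTP headers, IP addresses";
not Barracuda code. The header list, the neutral banner, the generic
error page and the sample responses are constructed.
"""
import re

# Response headers that fingerprint the back-end stack (constructed list).
FINGERPRINT_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "via"}

# Neutral banner and generic error page returned instead (constructed).
NEUTRAL_SERVER_BANNER = "web"
GENERIC_ERROR_BODY = (b"<html><body><h1>Error</h1>"
                      b"<p>The request could not be processed.</p></body></html>")

# RFC 1918 and loopback addresses: internal topology that must not leak.
_PRIVATE_IP = re.compile(
    rb"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    rb"|192\.168\.\d{1,3}\.\d{1,3}"
    rb"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
    rb"|127\.\d{1,3}\.\d{1,3}\.\d{1,3})\b"
)


def cloak_response(status, headers, body):
    """Return (status, headers, body) with stack details removed.

    - fingerprinting headers are dropped and Server is set to a neutral value
    - any 4xx/5xx body is replaced by a generic page, and every 5xx is
      collapsed to 500 so a client cannot tell a 502 from a 503
    - private IP addresses in successful bodies are redacted
    """
    cleaned = {k: v for k, v in headers.items()
               if k.lower() not in FINGERPRINT_HEADERS}
    cleaned["Server"] = NEUTRAL_SERVER_BANNER
    if status >= 400:
        if status >= 500:
            status = 500
        body = GENERIC_ERROR_BODY
        cleaned["Content-Type"] = "text/html"
    else:
        body = _PRIVATE_IP.sub(b"[redacted]", body)
    # Body length may have changed in either branch.
    cleaned["Content-Length"] = str(len(body))
    return status, cleaned, body


if __name__ == "__main__":
    # Constructed back-end error response leaking stack and path details.
    print(cloak_response(502,
                         {"Server": "Apache/2.2.3 (CentOS)",
                          "X-Powered-By": "PHP/5.1.6",
                          "Content-Type": "text/html"},
                         b"<pre>Fatal error in /var/www/app/db.php on line 42</pre>"))
```

The error branch discards the body entirely rather than trying to scrub it, because stack traces and version strings take too many forms to pattern-match reliably; the success branch keeps the body and only redacts addresses.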
Security: Inbound
(Diagram: port 80/443 traffic to the Web applications passes through the controller)
Attacks:
• Injection – SQL, OS commands
• Scripting – XSS, CSRF
• Cookie/session poisoning
• Parameter/form tampering
Controller checks:
• Protocol sanitization
• Validation
• Request limit checks
• Zero-day attacks via Web site profiles
Cookie and Session Protection
• Cookie Protection
• Session ID Tracking
Security: Outbound
(Diagram: responses from the Web applications pass back through the controller)
• Deep inspection of outgoing content blocks
  – Credit cards
  – Social security numbers
  – Custom patterns
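An added illustration of the outbound inspection described above, not Barracuda code: a response-body filter that masks payment card numbers (only after a Luhn check, so order numbers that merely look like a card are left alone), masks US Social Security numbers, and fully masks site-specific custom patterns. The regular expressions, the masking style (keep the last four digits) and the sample response body are constructed for this example.

```python
"""Outbound content inspection: mask card numbers, SSNs and custom patterns.

Added illustration of outbound deep inspection; not Barracuda code. The
regular expressions, the masking style and the sample body are constructed.
"""
import re

# Candidate primary account number: 13-19 digits, optionally separated by
# single spaces or dashes. Luhn is checked before masking to avoid false hits.
_CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in the common 3-2-4 form, excluding groups that are never issued.
_SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _mask_keep_last4(text):
    """Replace every digit except the last four, keeping separators."""
    n_digits = sum(ch.isdigit() for ch in text)
    seen, out = 0, []
    for ch in text:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > n_digits - 4 else "X")
        else:
            out.append(ch)
    return "".join(out)


def filter_outbound(body, custom_patterns=()):
    """Return (masked_body, counts) for one response body.

    custom_patterns is a sequence of (name, regex_string) pairs; their
    matches are masked entirely, the way a site-specific pattern such as
    an internal account id would be.
    """
    counts = {"card": 0, "ssn": 0}

    def card_sub(m):
        if not luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            return m.group(0)  # looks like a PAN but fails Luhn: leave it
        counts["card"] += 1
        return _mask_keep_last4(m.group(0))

    def ssn_sub(m):
        counts["ssn"] += 1
        return _mask_keep_last4(m.group(0))

    body = _CARD_RE.sub(card_sub, body)
    body = _SSN_RE.sub(ssn_sub, body)
    for name, pattern in custom_patterns:
        rx = re.compile(pattern)
        hits = rx.findall(body)
        if hits:
            counts[name] = counts.get(name, 0) + len(hits)
            body = rx.sub(lambda m: "X" * len(m.group(0)), body)
    return body, counts


if __name__ == "__main__":
    # Constructed response body mixing a valid card, a look-alike number,
    # an SSN and a site-specific account id.
    SAMPLE = ("Card 4111 1111 1111 1111 exp 12/09; order 1234 5678 9012 3456; "
              "SSN 123-45-6789; ref ACCT-004512")
    print(filter_outbound(SAMPLE, [("acct", r"\bACCT-\d{6}\b")]))
```

The returned counts are what a WAF would write to its data-theft log; in a deployment the filter would also need to run on decompressed bodies and on chunked responses, which this example leaves out.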
Brute Force Prevention & Rate Control
• Brute force prevention
• Slow down attackers via rate control
Top 10 Threats … (threat – protection mechanism)
1. Un-validated Input – Learns accepted application logic to validate incoming and outgoing session content for legitimate application behavior
2. Broken Access Control – Sets up and enforces authorization and access control policies to authenticate user access
3. Broken Authentication and Session Management – Automatically encrypts session cookies and assigns unique session IDs to ensure secure user sessions
4. Cross-Site Scripting (XSS) Attacks – Validates user input by terminating the session and inspecting incoming requests
5. Buffer Overflows – Rejects any file from an invalid Web page and limits total Web request length across applications
6. Injection Flaws – Inspects each request to the Web application for malicious code and blocks the request prior to reaching
7. Improper Error Handling – Cloaks details of Web application infrastructure
8. Insecure Storage – Filters and intercepts outbound traffic and also blocks or masks attempts to access sensitive information
9. Application Denial of Service (DoS) – Monitors and controls the number of queries to the same URL from a single user and queues the requests while allowing legitimate Web site access
10. Insecure Configuration Management – Acts as the DMZ to proxy inbound and outbound Web traffic to neutralize any configuration vulnerabilities
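Row 9 describes per-URL rate control with queueing rather than outright rejection. The following is an added illustration of that mechanism and of the earlier "slow down attackers via rate control" slide, not Barracuda code: a sliding-window limiter keyed by (client, URL) that allows requests within the limit, delays requests over the limit until a slot frees, and drops only those whose wait would exceed a bound. The window parameters, the address values and the request sequence are constructed, and time is passed in explicitly so the behaviour is deterministic.

```python
"""Per-URL rate control with bounded queueing, keyed by (client, URL).

Added illustration of threat 9 and of "slow down attackers via rate
control"; not Barracuda code. Window sizes, client addresses and the
request sequence are constructed.
"""
from collections import deque


class UrlRateControl:
    """At most max_hits requests per window_s seconds to one URL from one
    client. Requests over the limit are delayed until a slot frees unless
    the wait would exceed max_delay_s, in which case they are dropped.
    Other clients and other URLs are unaffected."""

    def __init__(self, max_hits, window_s, max_delay_s):
        self.max_hits = max_hits
        self.window_s = window_s
        self.max_delay_s = max_delay_s
        # (client, url) -> sorted deque of slot timestamps; a delayed
        # request reserves a slot at its future release time.
        self._slots = {}

    def decide(self, client, url, now):
        """Return ("allow", 0.0), ("delay", seconds_to_hold) or ("drop", 0.0)."""
        q = self._slots.setdefault((client, url), deque())
        # Slots older than one window no longer count against the client.
        while q and q[0] <= now - self.window_s:
            q.popleft()
        if len(q) < self.max_hits:
            q.append(now)
            return "allow", 0.0
        # Over the limit: the request can be forwarded once enough of the
        # oldest slots (including ones reserved for requests already being
        # held) have aged out of the window.
        release = q[len(q) - self.max_hits] + self.window_s
        wait = release - now
        if wait > self.max_delay_s:
            return "drop", 0.0
        q.append(release)
        return "delay", wait


if __name__ == "__main__":
    # Constructed burst from one client against the login URL: 3 per 10 s,
    # hold at most 5 s.
    rc = UrlRateControl(max_hits=3, window_s=10, max_delay_s=5)
    for t in (0, 1, 2, 3, 6, 6, 6, 10):
        print(t, rc.decide("198.51.100.7", "/login", t))
    print("other client", rc.decide("203.0.113.9", "/login", 6))
```

Delaying rather than dropping is what lets a legitimate user who happens to reload quickly still get through, while a scripted burst against one URL is throttled to the configured rate; only traffic that cannot be served within the hold bound is discarded.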
Web Address Translation
• URL Translations
• Request Rewrites
• Response Rewrites
• Response Body Rewrites
Real-World WAF Deployment Experience …
• Multiple geographically distributed deployments
• Multiple customers with over 5 years of experience using reverse proxy protection
• Multiple customers with over 15 Web Application Controllers
• Customers protecting THOUSANDS of Web applications
• Wide variety of applications – enterprise, government, telecom, energy, e-commerce providers
WAC Customers (customer logos, including a bank)

Proven WAF Success Model
• Default Security Policy with Exceptions
• Application Templates (OWA, SharePoint, etc.)
• Hand Coded Protection
Negative Security Model
• Broad based protection
Positive Security Model
• Targeted applications

Best Practice – Mix Security Models
• Positive versus Negative security models
  – Positive: Define the “good” behavior and assume all other traffic is attack traffic
  – Negative: Insulate against “bad” behavior
• Don’t over-apply the positive security model
  – Difficult to understand and maintain profiles
  – Applications change frequently
  – Only provides cost/benefit for certain applications
• Target specific applications for the positive security model
• Most companies aim for broad protection through the negative security model
Is This Madness? NO!
• Most “real world” security is “negative security model”
  – Spam filters profile spam and viruses and let other email traffic flow
  – Web filters categorize bad sites and let unknown sites pass
• The same should apply to Web application security
• Why?
  – Most bad traffic is usually easy to identify
  – False positives are costly and defeat the purpose of security
  – Good traffic changes frequently with new business partners, new business trends, and new applications
Most Bad Traffic Is Easy to Identify
Do not need a detailed application profile to:
• Cloak the Web site to hide known areas of vulnerability
• Digitally sign or encrypt cookies to prevent cookie and session tampering
• Identify or block common attack types
  – SQL injections, OS command injections
  – Cross-Site Scripting attacks
  – Remote file inclusions
  – Directory traversals
• Filter outbound content for credit card, SSN, etc.
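Signing cookies at the proxy is what lets a WAF protect an application's session without changing the application, which is the point of the "digitally sign or encrypt cookies" bullet above and of row 3 of the top-10 table. The following is an added illustration, not Barracuda code: an HMAC-SHA256 signed cookie that carries the original value and an expiry, verified with a constant-time comparison, plus a CSPRNG session-id generator. The key, the cookie layout (three base64 fields joined by dots) and the sample values are constructed for this example.

```python
"""Signed session cookies with expiry, as a proxy can add them in front of
an application it cannot modify.

Added illustration of "digitally sign or encrypt cookies to prevent
cookie and session tampering"; not Barracuda code. The key, the cookie
layout and the sample values are constructed.
"""
import base64
import binascii
import hashlib
import hmac
import secrets


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def new_session_id():
    """Unpredictable session id: 256 bits from the OS CSPRNG."""
    return secrets.token_urlsafe(32)


def sign_cookie(value, key, now, ttl_s):
    """Return a tamper-evident cookie string: b64(value).b64(expiry).b64(tag).

    The tag covers both the value and the expiry so neither can be altered
    independently; the expiry is in the clear so the proxy can read it
    without decrypting anything.
    """
    v = value.encode()
    exp = str(now + ttl_s).encode()
    tag = hmac.new(key, v + b"." + exp, hashlib.sha256).digest()
    return ".".join((_b64(v), _b64(exp), _b64(tag)))


def verify_cookie(cookie, key, now):
    """Return the original value, or None if the cookie is malformed, was
    altered, was signed with a different key, or has expired."""
    try:
        v_b64, exp_b64, tag_b64 = cookie.split(".")
        v, exp, tag = _unb64(v_b64), _unb64(exp_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, v + b"." + exp, hashlib.sha256).digest()
    # Constant-time comparison: a byte-by-byte compare would leak how many
    # leading tag bytes a forged cookie got right.
    if not hmac.compare_digest(expected, tag):
        return None
    if not exp.isdigit() or now >= int(exp):
        return None
    return v.decode()


if __name__ == "__main__":
    KEY = b"constructed-demo-key-not-for-production"
    c = sign_cookie("sid=" + new_session_id() + ";role=user", KEY, now=1000, ttl_s=600)
    print(c)
    print(verify_cookie(c, KEY, now=1300))   # value back
    print(verify_cookie(c, KEY, now=1600))   # None: expired
```

Signing alone makes tampering detectable but leaves the value readable by the client; where the cookie carries data the user must not see, the proxy encrypts the value before signing it, which this example does not do.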
Defining Policy Exceptions
• Start with conservative policies to provide protection
• Can optionally start with passive monitoring
• Interactive log view differentiates attacks from potential policy problems
• In many cases, can mitigate issues with a single click
• Then, enable active protection
Priority should be on providing broad-based protection to avoid the majority of attack types upfront and early
Fine Grained Control …
The Barracuda Web Application Controller can be deployed in either active or passive mode for each application/VIP (virtual IP).
In addition, the following can individually be set to passive mode for further granularity:
• Header ACLs
• URL Policies
• URL Profiles
• Parameter Profiles
Easy to Use Feedback Loop
Policy Tuning wizard to make it simple to relax rules and accept false positives.
Full Flexibility for Power Users …
The Barracuda Web Application Controller allows a user to create custom signatures via a regular expression wizard.
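The three preceding slides describe one workflow: regex signatures, a per-VIP active or passive mode, and a tuning step that accepts a reviewed false positive as an exception. The following is an added illustration of that workflow, not Barracuda code and not its signature set: a small request inspector that URL-decodes the path and parameters, matches them against constructed regex signatures, logs instead of blocking on a passive VIP, and skips a signature for one (path, parameter) pair when an exception has been defined. The signatures, the policy format and the sample requests are all constructed for this example.

```python
"""Negative-model request inspection: regex signatures, per-VIP active or
passive mode, and per-parameter exceptions for accepted false positives.

Added illustration of the custom-signature and policy-tuning slides; not
Barracuda code. Signatures, policy format and sample requests are constructed.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed signature set. Values are matched after URL decoding so that
# percent-encoded variants are seen in the same form as plain ones.
SIGNATURES = {
    "sqli": re.compile(r"(?i)['\"]\s*(?:or|and)\s+[\w']+\s*=\s*[\w']+"),
    "xss": re.compile(r"(?i)<\s*script\b|\bon\w+\s*=\s*[\"']?\s*javascript:"),
    "traversal": re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)"),
    "os-cmd": re.compile(r"(?i)[;&|`]\s*(?:cat|ls|id|wget|curl|nc)\b"),
}


def inspect_request(policy, url, body=""):
    """Inspect one request against a per-VIP policy.

    policy = {"mode": "active" or "passive",
              "exceptions": {(path, parameter, signature), ...}}
    Returns {"action": "allow" | "log" | "block",
             "matches": [(path, parameter, signature), ...],
             "excepted": [...]}.
    A passive VIP only logs, which is how a new policy is tuned before it is
    enforced; an exception turns a reviewed false positive into an allow for
    that one path and parameter without disabling the signature elsewhere.
    """
    parts = urlsplit(url)
    path = unquote(parts.path)
    # parse_qsl URL-decodes parameter values itself.
    fields = [("<path>", path)]
    fields += parse_qsl(parts.query, keep_blank_values=True)
    fields += parse_qsl(body, keep_blank_values=True)

    matches, excepted = [], []
    for param, value in fields:
        for name, rx in SIGNATURES.items():
            if rx.search(value):
                hit = (path, param, name)
                (excepted if hit in policy["exceptions"] else matches).append(hit)
    if not matches:
        return {"action": "allow", "matches": [], "excepted": excepted}
    return {"action": "block" if policy["mode"] == "active" else "log",
            "matches": matches, "excepted": excepted}


if __name__ == "__main__":
    # Constructed policies: one enforcing VIP, one still in tuning, and one
    # where the traversal signature was accepted as a false positive for the
    # "ref" parameter of /docs (a breadcrumb that legitimately contains "../").
    active = {"mode": "active", "exceptions": set()}
    passive = {"mode": "passive", "exceptions": set()}
    tuned = {"mode": "active", "exceptions": {("/docs", "ref", "traversal")}}
    print(inspect_request(active, "/search?q=shoes"))
    print(inspect_request(active, "/login?user=admin%27+OR+%271%27%3D%271"))
    print(inspect_request(passive, "/login?user=admin%27+OR+%271%27%3D%271"))
    print(inspect_request(tuned, "/docs?ref=../index.html"))
```

Exceptions are deliberately keyed on the full (path, parameter, signature) triple: relaxing a rule for the one field that produced the false positive is the "single click" the policy-tuning slide describes, and it leaves the signature active for every other field.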
SharePoint 2007 Deployment with Barracuda Web Application Controller
• Deployment
• Website Cloaking
• Request Lengths
• URL Normalization
• URL Protection
• Enhanced Application Profiles
• Session protection
• Data/Identity Theft
• Deployment Scenarios
• SSL
• Load balancing and Application monitoring
• Authentication and Access Control
• Compression and caching
• Content Routing
• Other Ongoing Efforts
  – Virus Protection for uploaded files
  – Enhanced URL protection in the path itself
Learning Mode
Ease of configuring the learning mode

Learning Mode: Flexible Deployment …
Can deploy in Active OR Passive mode while learning
Avoid Common Pitfalls
• Take care not to over-apply the positive security model
• Be wary of relying heavily on automated “learning”
  – Learning technology has some “sizzle” with new customers
  – Useful in certain cases (particularly response-based learning on very simple applications)
  – Experienced WAF users prefer implementing broad-based protections early and hand coding targeted application areas
• Problems
  – Hard to generate complete test traffic cases
  – Can “learn” bad behavior if used against real-world traffic
  – Automated profiles are hard to maintain
• Analogy: think about automated HTML generators
  – Does not learn “structure” from a human point of view
  – Hard to go “half way” – usually not worth waiting for
Authentication, Authorization & Single Sign On
(Diagram: the controller sits between users and the Web applications and consults an authentication server)
• Provides front-end authentication for Web applications
• Integrates with popular authentication servers
• Supports two-factor authentication schemes
Authentication Service Support
Authentication support:
• Basic
• Digest Authentication
• Client Certificate Authentication
Integration with the following authentication services:
• Internal
• LDAP
• RADIUS
• CA SiteMinder
• RSA Access Manager
Traffic Management
• Load Balancing
  – Server Health monitoring
  – Layer 7 persistence
  – Fall back servers
• Content Switching
• Caching
• Compression

Content Switching (diagram): requests for one site are routed by URL to different back ends, with a cache in front:
• www.estore.com/images/banner.jpg → Image Server
• www.estore.com/hr/leaveform.html → HR Server
• www.estore.com/partner/order.jsp → Partner Portal
Application Delivery and Acceleration
(Diagram: Internet clients → controller → application servers)
• TCP Pooling – multiple requests use the same connection, for improved performance
• SSL Offloading/Acceleration, Backend Encryption
• Application Health Monitoring ensures optimal Load Balancing
• High Availability minimizes downtime of critical business Apps
Extensive Logging Capabilities
• Audit logs, Web firewall logs, Web logs, System logs, and Network Firewall logs

Comprehensive Reporting and Scheduling
Performance

Performance Metric | NC-1100 (proven through testing) | NC-2000 (proven through testing)
L2–L4
Maximum Concurrent TCP Connections | 400,000 conns | 1,400,000 conns
Maximum Throughput | 1 Gbps | 1 Gbps
Maximum TCP Connections/sec | 6,000 cps | 23,000 cps
TCP Multiplexing Ratio | 7:1 | 10:1
L7 HTTP
HTTP 1.1 Transactions/Requests/sec | 12,000 tps | 44,000 tps
HTTP 1.1 Trans/sec – Security Features Turned ON | 6,000 tps | 30,000 tps
HTTP 1.1 Trans/sec – Security + Acceleration Features Turned ON | 5,000 tps | 28,000 tps
Latency during HTTP 1.1 testing | <1 ms | <1 ms

Legend: conns = total simultaneous connections; cps = new L4 connections per second; tps = new L7 transactions per second; Mbps = Megabits per second; Gbps = Gigabits per second; kbps = kilobits per second; ms = milliseconds; s = seconds
* Transaction Rate tests measured using 1024 byte objects, except for TCP and SSL Bulk Throughput test using 1Mb object.
* Latency testing performed against 5 popular websites (Yahoo.com, Amazon.com, BBC.com, UCLA.edu, Whitehouse.gov), totaling 1,262,608 bytes of data, sustaining 2048 transactions/second unless otherwise stated.
Performance (continued)

Performance Metric | NC-1100 | NC-2000
L7 HTTPS
HTTPS 1.1 Transactions/Requests/sec | 9,000 tps | 16,000 tps
HTTPS 1.1 Trans/sec – Security Features Turned ON | 6,000 tps | 15,000 tps
HTTPS 1.1 Trans/sec – Security + Acceleration Features Turned ON | 4,000 tps | 10,000 tps
Latency during HTTPS 1.1 testing | <5 ms | <10 ms
SSL
Maximum Concurrent SSL Connections | 100,000 conns | 100,000 conns
Maximum SSL Throughput – Bulk Transfer of 1Mb File | 1 Gbps | 1 Gbps
Maximum SSL Transaction Rate with No Session Re-Use | 4,000 tps | 8,000 tps
Road Ahead: Barracuda Control Center
(Diagram: a Barracuda Control Center managing appliances in the London, Mumbai, New York and California data centers)
Barracuda Control Center: Features
• Status
  – See all the devices
  – Check on:
    • Hardware
    • Connectivity
    • Subscription
    • Traffic
    • Firmware
• Reporting
  – Aggregated reporting
  – Restrict data based on user groups
• Configurations
  – Standardize configuration of multiple appliances
  – Create exceptions for individual appliances
• Multiple administrators
  – Provide access to a subset of appliances
  – Set permissions
Other Roadmap Items
• Security
  – Virus checking for file uploads
  – Automated attack definitions
• Authentication
  – Built-in single sign-on across Web applications
  – SAML
• Performance
  – Caching improvements
  – Improved caching / content optimization
• Scalability
  – Global server load balancing for N-way clustering
  – Larger hardware platform – model 1060 based on model 1000 hardware