© 2009 Cisco Systems, Inc. All rights reserved. BRKAPP-2014 Cisco Public
Deploying the Cisco ACE XML Gateway
BRKAPP-2014
Chris O’Brien, Cisco
Housekeeping
• We value your feedback: don't forget to complete your online session evaluations after each session and complete the Overall Conference Evaluation, which will be available online from Thursday
• Visit the World of Solutions
• Please remember this is a 'non-smoking' venue!
• Please switch off your mobile phones
• Please make use of the recycling bins provided
• Please remember to wear your badge at all times, including the Party
Cisco Application Delivery Networks
WAN Acceleration
• Data redundancy elimination
• Window scaling
• LZ compression
• Adaptive congestion avoidance
Application Acceleration
• Latency mitigation
• Application data cache
• Meta data cache
• Local services
Application Optimization
• Delta encoding
• FlashForward optimization
• Application security
• Server offload
Application Networking
• Message transformation
• Protocol transformation
• Message-based security
• Application visibility
Application Scalability
• Server load-balancing
• Site selection
• SSL termination and offload
• Video delivery
Network Classification
• Quality of service
• Network-based app recognition
• Queuing, policing, shaping
• Visibility, monitoring, control
Other Cisco Live Breakout Sessions that You May Want to Attend
BRKAPP-2002 Server Load Balancing Design
BRKAPP-3003 Troubleshooting ACE
BRKAPP-1004 Introduction WAAS
BRKAPP-2005 Deploying WAAS
BRKAPP-3006 Troubleshooting WAAS
BRKAPP-1008 What can Cisco IOS do for my application?
BRKAPP-1009 Introduction to Web Application Security
BRKAPP-2010 How to build and deploy a scalable video communication solution for your organization
BRKAPP-2011 Scaling Applications in a Clustered Environment
BRKAPP-2013 Best Practices for Application Optimization illustrated with SAP, Siebel and Exchange
BRKAPP-2014 Deploying AXG
BRKAPP-1015 Web 2.0, AJAX, XML, Web Services for Network Engineers
BRKAPP-1016 Running Applications on the Branch Router
BRKAPP-2017 Optimizing Application Delivery
BRKAPP-2018 Optimizing Oracle Deployments in Distributed Data Centers
Data Center Evolution Affects Security
Full circle for Securing your Applications: Reputation, Regulatory Compliance, Efficient Business Operations, Limiting Liability
The “Accidental Architecture”
• Siloed
• Complex, heterogeneous infrastructure
• New developments and applications
• Fragmented Security
(diagram of data center silos: Email, File & Print; Web/Application Server Farm; Blade Servers; Departmental Servers; IBM Mainframe with OSA; Storage & Backup; Point Appliances)
Introducing Cisco ACE AXG
• Builds on top of industry-leading Cisco ACE XML Gateway platform
• Can be software upgraded to full ACE XML Gateway solution
• Protects your custom HTTP and HTML applications from high-impact Web-borne attacks
SOA, Web Services, and XML Threat Defense
• Secures and offloads web services transactions
Web Application Firewall
Extensive HTML and XML Application Security
Platform Specifications
• 1 rack unit
• Four 10/100/1000 Gigabit Ethernet ports
• 4-GB RAM
• High-performance dual-core, dual-processor architecture
• High-performance cryptography acceleration
• Full FIPS 140-2 Level 3 compliance (optional)
• Hot-swappable dual SAS HDD, fan, and power supplies
• Full reverse proxy
• Deployable either as firewall, manager, or 2-in-1
WAF and AXG XML Feature Comparison
Features                                               | ACE Web Application Firewall | ACE Web Application Firewall w/AXG
Web Application Security                               | ●                            | ●
Privacy                                                | ●                            | ●
Encryption & Signature Support                         | ●                            | ●
Hardware SSL Acceleration (optional FIPS)              | ●                            | ●
Centralized Management, Monitoring, Logging, and Audit | ●                            | ●
Policy-based provisioning and versioning               | ●                            | ●
Protocol, Data and Security Mediation                  |                              | ●
XML Acceleration & Offload                             |                              | ●
Extensibility SDK                                      |                              | ●
Content Based Routing                                  |                              | ●
Introduction to Web Services
Applications Transition to SOA & Web 2.0
• Web 1.0: Siloed Applications
  Making each app work on its own is challenging enough
  Limited data sharing between applications
  Challenges with Scalability, Security and Control
• Web 2.0 & SOA: Collaborative personalized User Experience
  Inherently Internet/Web Services based
  Dynamic Content, Rich Media
Why XML Web Services?
• XML is plain ASCII: introduces non-binary messaging
• XML messaging rides on top of existing application protocols
• XML over HTTP solves the problem of distributed applications across firewalls
• Guess what the ‘Web’ in Web Services is for? The communications can run over HTTP. SOAP is XML over HTTP; more on this topic in a few slides …
Loosely-coupled apps that use open standards to describe an interface for accessing them and a messaging format for communication
XML in 10 seconds
• HTML = a set of tags to format data (e.g. bold <b>, tables <td><tr>, colors <font>, etc.), entirely focused on formatting rather than data
• XML = focuses on content rather than format. XML does not have any predefined tags. No such thing as <b>, <h1> etc.
XML:
<customer><name><title>Mr.</title><first-name>John</first-name><last-name>Doe</last-name></name><street>123 ABC Street</street><city>Anytown</city><state>Ca</state><zipcode>95134</zipcode></customer>
HTML:
<pre><h1>Customer</h1><h2>Title</h2>Mr.<h2>Name</h2>John Doe<h2>Address</h2>123 ABC Street Anytown Ca 95134
Giving XML meaning: XML Schemas
• Schemas are rules that an XML document must abide by
• Popular ways to define schemas include Document Type Definition (DTD) or W3C XML Schema
• W3C XML Schema is far more prevalent for data-oriented documents (e.g. restricting content, explicit data types)
• Provides a very convenient way to inform clients about the data types and ranges accepted by my exposed services
Exchanging data in a WS world: SOAP
• Simple Object Access Protocol
• XML-based messaging format
• Rides on top of HTTP
• SOAP = XML over HTTP
http://172.25.89.140/WS/soapheaders.php?ARG=req
Web Services – Extend the protocol stack
Frame: Preamble | Dest Addr | Src Addr | Type | Data | CRC
IP Datagram: IP Hdr | Src IP Addr | Dest IP Addr | Data
TCP Packet: Src Port | Dest Port | Seq # | Ack # | Data
HTTP Request: Dest Addr | [Src Addr] | Data
SOAP Msg: WS-Addr | Timestamp | XML-Sig | Kerberos | SOAP Data
Web Services In Action
(diagram: Web Service Consumers exchange SOAP messages with Web Services, which front the Databases)
Another Approach: REST
• REpresentational State Transfer: a reaction to the complexity of SOAP
• Leverages existing properties of HTTP to build application protocols
  URLs name resources
  HTTP methods (GET, POST, PUT, DELETE) name operations
  XML encodes data
• Simpler to implement but limited to HTTP, no general message meta-data mechanism (SOAP Header)
• Increasingly popular with public web services: Amazon, eBay, Google, etc.
SOA: it’s happening today!
SOA: capitalizing on the enterprise’s core competency
Some numbers
• Salesforce.com: reports on their blog that over 40% of all of Salesforce.com traffic comes from their API.
• Amazon: 140,000 registered developers. Information Week article reported 3rd party sellers generated 28% of Amazon’s Q2 unit sales, or $490 million.
• eBay: Over 25,000 developers with 1,900 certified applications. A TechWeb story notes that during Q4CY05, eBay handled more than 8 billion Web service requests, up from less than 1 billion for the entire CY02.
XML usage is increasing
“XML accounted for 15% of internet traffic in 2005. By 2008, it is expected to account for 50%” – 451 Group
http://blog.programmableweb.com/?p=277
What is the ACE XML Gateway
How can the ACE XML Gateway Help!!
• Proxy server that understands how to process XML and SOAP-based web services
• Provides functions for
  Threat Defense
  Authentication and Authorization
  Server Optimization and Offload
  Protocol Mediation
Threat Defense: Structural XML analysis
• XML has a concept of being well-formed, that is, in compliance with all the syntax rules of XML. AXG can enforce that only well-formed documents are accepted
Not well-formed (rejected: <title> and <street> are never closed, and <first-name> is closed by </last-name>):
<customer><name><title>Mr.<first-name>John</last-name><last-name>Doe</last-name></name><street>123 ABC Street<city>Anytown<state>Ca</state><zipcode>95134</zipcode></customer>
Well-formed (accepted):
<customer><name><title>Mr.</title><first-name>John</first-name><last-name>Doe</last-name></name><street>123 ABC Street</street><city>Anytown</city><state>Ca</state><zipcode>95134</zipcode></customer>
Threat Defense: DoS Protection
• AXG provides detection and blocking based on several DoS indicators:
  Overall rate
  Authentication failures
  Per-message AXG CPU usage
  Invalid messages
  Backend latency
  Backend errors
• Recommend deploying in warn-only mode first in order to tune thresholds.
Threat Defense: Content Screening
• Signature-based protection against malicious content or content policy violations
• SQL Injection attack prevention
• Cross-site scripting protection
• Masking of national ID numbers (Social Security in US), email addresses, phone numbers
Authentication and Authorization
• Threat Defense is all about what you want to keep out
• Authentication and Authorization are all about who you want to let in
• Wider variety of credentials for web services
• SOA architectures often assume identity is attached to the message at the edge
AuthC/AuthZ: Credential Types
• Vary by level of IP stack
• TCP/IP: IP address
• SSL: Client X.509 certificate
• HTTP: Basic Auth, NTLM/SPNEGO
• XML: Embedded username/password
• SOAP: WS-Security usernames and passwords, X.509 certificates
AuthC/AuthZ: Verification Methods
• Sometimes hard-coded on AXG:
  Internal or external IP addresses
  Client cert from trusted CA
• More frequently, AXG must consult an identity management system
  – LDAP (various brands)
  – Microsoft Active Directory
  – CA SiteMinder
  – Tivoli Access Manager
  – Oracle CoreID
  – Many others
Offload and Optimization
Move Web Services tasks off the server and into the network
• XSLT
• Schema Validation
• WS-Security
• SSL Termination
Offload: XML Schema Validation
• Provides a way to specify the valid structure of an XML document:
  which elements can have children,
  what children they must have,
  how many they can have (zero, one, many),
  what attributes are expected, etc.
• Additional syntactic validation above what well-formedness provides
• Ensures application only sees valid messages
• Also seen as part of threat defense
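The two checks described on the structural analysis slide and here, as an added example (not AXG's engine): a parser pass that rejects the slide's not-well-formed customer document, followed by a schema-style pass over the well-formed one. The element rules are a hand-written stand-in for a W3C XML Schema, and the size cap is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed inputs copied from the slides: one not well-formed, one well-formed.
MALFORMED = ("<customer><name><title>Mr.<first-name>John</last-name><last-name>Doe"
             "</last-name></name><street>123 ABC Street<city>Anytown<state>Ca</state>"
             "<zipcode>95134</zipcode></customer>")
WELL_FORMED = ("<customer><name><title>Mr.</title><first-name>John</first-name>"
               "<last-name>Doe</last-name></name><street>123 ABC Street</street>"
               "<city>Anytown</city><state>Ca</state><zipcode>95134</zipcode></customer>")
# Well-formed, but breaks the structure rules: two zipcodes, the first not numeric.
BAD_SCHEMA = ("<customer><name><first-name>John</first-name><last-name>Doe</last-name>"
              "</name><street>1 Main</street><city>Anytown</city><state>Ca</state>"
              "<zipcode>ABCDE</zipcode><zipcode>95134</zipcode></customer>")

MAX_BYTES = 64 * 1024  # assumed size cap: oversized bodies are refused before parsing

# Hand-written stand-in for a W3C XML Schema. Element-only content lists its children
# in order as (name, min occurrences, max occurrences); leaf content gives a regex
# that the text must match. Attributes are not allowed anywhere in this schema.
SCHEMA = {
    "customer": {"children": [("name", 1, 1), ("street", 1, 1), ("city", 1, 1),
                              ("state", 1, 1), ("zipcode", 1, 1)]},
    "name": {"children": [("title", 0, 1), ("first-name", 1, 1), ("last-name", 1, 1)]},
    "title": {"text": r".+"}, "first-name": {"text": r".+"}, "last-name": {"text": r".+"},
    "street": {"text": r".+"}, "city": {"text": r".+"},
    "state": {"text": r"[A-Za-z]{2}"}, "zipcode": {"text": r"\d{5}"},
}


def validate_element(elem, errors, path=""):
    """Check one element (and recursively its children) against SCHEMA."""
    path = f"{path}/{elem.tag}"
    rule = SCHEMA.get(elem.tag)
    if rule is None:
        errors.append(f"{path}: element not allowed by schema")
        return
    if elem.attrib:
        errors.append(f"{path}: unexpected attributes {sorted(elem.attrib)}")
    if "children" in rule:
        if (elem.text or "").strip():
            errors.append(f"{path}: text not allowed in element-only content")
        actual = [child.tag for child in elem]
        i = 0
        for name, lo, hi in rule["children"]:  # sequence semantics: declared order
            count = 0
            while i < len(actual) and actual[i] == name:
                count += 1
                i += 1
            if count < lo:
                errors.append(f"{path}: missing <{name}> (need at least {lo})")
            if count > hi:
                errors.append(f"{path}: too many <{name}> ({count} > {hi})")
        for tag in actual[i:]:
            errors.append(f"{path}: unexpected child <{tag}>")
        for child in elem:
            validate_element(child, errors, path)
    else:
        if len(elem):
            errors.append(f"{path}: child elements not allowed in a leaf")
        text = (elem.text or "").strip()
        if not re.fullmatch(rule["text"], text):
            errors.append(f"{path}: value {text!r} does not match {rule['text']}")


def screen_document(xml_text):
    """Return (verdict, errors): size cap, then well-formedness, then schema rules."""
    data = xml_text.encode()
    if len(data) > MAX_BYTES:
        return "reject: oversized", [f"{len(data)} bytes > {MAX_BYTES}"]
    try:
        root = ET.fromstring(data)  # stage 1: the parser itself enforces well-formedness
    except ET.ParseError as exc:
        return "reject: not well-formed", [str(exc)]
    errors = []
    validate_element(root, errors)  # stage 2: structure, cardinality and value checks
    if errors:
        return "reject: schema violation", errors
    return "accept", []


if __name__ == "__main__":
    for label, doc in (("malformed", MALFORMED), ("well-formed", WELL_FORMED),
                       ("bad schema", BAD_SCHEMA)):
        print(label, screen_document(doc))
```

A production gateway would also bound entity expansion and nesting depth before handing a body to the parser; this stand-in only caps the raw size.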
Offload: WS-Security
• Describes how to secure SOAP messages
• Defines how to identify the creator of the message
  Carries multiple credential types including usernames & passwords, X509 certificates, SAML statements
• Message Integrity
  Integrity of all or part of a message
  Builds on XML-Signature
  Supports multiple and overlapping signatures
• Message Confidentiality
  Confidentiality of all or part of a message
  Builds on XML-Encryption
XML Gateway implementations significantly faster than typical application server (100x)
Example: WS-Security
<soap:Envelope ..><soap:Header ..>
  <wsse:Security><wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" wsu:Id="RXFIDZQWHJTB">
  MIIENTCCA56gAwIBAgIBEDANBgkqhkiG9w0BAQQFADCBxjELMAkGA1UEBhMCVVMxFjAUBgNVBAgT...</wsse:BinarySecurityToken>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><Reference URI="#RXFIDYQWHJTB">
      <Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>6mkomjZ5OgAyZbzWZi0lUrieH7o=</DigestValue>
    </Reference></SignedInfo><SignatureValue>d9scoCXAAEIiECp...</SignatureValue><KeyInfo>
    <wsse:SecurityTokenReference><wsse:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#RXFIDZQWHJTB"/></wsse:SecurityTokenReference>
    </KeyInfo></Signature>
  </wsse:Security></soap:Header><soap:Body wsu:Id="RXFIDYQWHJTB" ..>
  <retrieveQuoteResponse xmlns="http://oakinsurance.com/order/"><retrieveQuoteResult>
  <quoteId>0</quoteId><quantity>0</quantity>
Offload: SSL Termination
• Offloads Crypto and connection handling from server
• Enables HTTP/1.1 connection re-use, SSL session re-use, client certificate authentication
• Consolidate private keys on AXG device, use same keys for SSL and WS-Security
Note: ACE can also terminate SSL, will cover when to terminate where in Deployment Considerations
(diagram: HTTPS on the client side of the AXG, HTTP to the server)
Protocol Mediation
Bridging between differing protocol expectations for web services consumers and producers
May occur at many levels of the network stack
Examples:
• HTTP Basic Auth to WS-Security
• AJAX to SOAP
• HTTP to MQ
• HTTP to JMS
Introduction to Web Application Security
The Evolution of Intent: A Shift to Financial Gain
Threats Are Becoming Increasingly Difficult to Detect and Mitigate; Applications Are the Primary Targets
(chart: Threat Severity against time, 1990, 1995, 2000, 2005, 2007 and “What’s Next?”; stages: Vandalism: Basic Intrusions and Viruses; Notoriety: Viruses and Malware; Financial: Theft and Damage)
PCI DSS: Six Sections and Twelve Requirements
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data and sensitive information across open public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Section 6.5: Develop secure web apps, cover prevention of OWASP vulnerabilities
Section 6.6: Ensure all web-facing apps are protected against known attacks using either of the following methods:
• secure coding practices
• installing a Web App FW*
*This becomes a requirement by June 2008
OWASP—2007 Top Ten Attack List
Source: WhiteHat Security
OWASP = Open Web Application Security Project
Traditional Network Firewalls Are Blind to Web Application Attacks
(diagram: Web Client → Firewall with ports 80 and 443 open → unfiltered HTTP traffic → Web Server → Application → Database Server)
Attacks!
• Unvalidated Input
• Cross-Site Scripting
• SQL Injection
• Cross-Site Request Forgery
• Cookie Tampering
Attack #1—Unvalidated Input
What Is It?
• Web apps use parameters to obtain information from the client
How Is This Vulnerable?
• Developers focus on the legal values of parameters and how they should be utilized
• Too much credit given to client-side browser validation
• Little if any attention is given to the effect of incorrect values
Result
• The application acts according to the changed information, potentially giving access to other users’ accounts, confidential info, or anything else on the computer—vector for 90% of web-based attacks!
Defense: Signature Rules Engine
• Blacklist approach: look for known and possible attacks in request content
• Signatures detect particular attack vectors using pattern matching, regular expressions
• Rules combine signatures to detect and block different types of attacks
• Profiles combine rules and other features and apply them to particular web applications
• Extensible via signature language—customer or partners
Input Normalization: Example
• HTTP provides many ways to encode the same information. Input normalization “undoes” encodings to produce a canonical form of the request
http://foo.com/query?bar=<script
http://foo.com/query?bar=%3c%73%63%72%69%70%74
Signatures
Each Signature Has:
• User-readable name
• Signature ID
• Pattern used for initial match
• Regular expression used to confirm match
Rules
• Rules apply signatures to places in the message
  REQUEST_PARAMS sig SQLInject
• Severity level allows user to control strictness of enforcement, likelihood of false positives
• Rules can be written very specifically
  REQUEST_PARAMS[’name’].normalize(html) re ^foo.*
Expression Language
• Variables make any part of the request message or its connection properties available
  HTTP headers
  HTTP body
  Request parameters
  Source and destination IP address
  SSL properties (version, cipher, etc.)
• Operators allow applying checks to the selected part of the message
Attack #2—Cross Site Scripting
What Is It?
• User feeds data to the web application
• Web application doesn’t sanitize input and echoes back the query
• The unvalidated data contains a piece of JavaScript that is executed in the context of the user’s browser session
• A carefully formed link sent to a victim (usually by mail) results in the JavaScript code being run in the victim’s browser, sending information to the hacker
Why Does Cross Site Scripting Happen?
• Unvalidated input—example: HTML is permitted into query parameter
• Application blindly echoes request back to browser
Result
• “Virtual hijacking” of the session by stealing cookies
• Any information flowing between the legitimate user and site can be manipulated or transmitted to a third party
Cross Site Scripting Applications
• The second a hacker realizes a query parameter accepts HTML, he can trick your browser into doing virtually anything:
  Build hidden forms that submit your cookies
  Check your browsing history
  Scan your subnet for certain hosts
  etc.
• Commonly used in Phishing emails
• Experts estimate 80% of web sites are vulnerable (http://www.whitehatsec.com/downloads/WHXSSThreats.pdf)
Defense: Cross Site Scripting signature set
• Looks for HTML in input stream
• Input decoding shrinks signature set
• But... What if I want to allow image tags?
False Positives – Human Assisted Learning
• Cisco’s Human Assisted Learning lets you place a site in monitor mode
• When in monitor mode, security alerts are reported but traffic isn’t blocked
• You can click on each security incident and instruct the WAF to block traffic matching the pattern that caused the alert, or ignore it (false positive). The exception can be configured either at the profile level, or on a per web form parameter basis!
• HaL integrates the benefit of dynamic learning but removes the guesswork from the equation: you ultimately control what is acceptable or not for your applications
HaL Walkthrough
• Consider a web form with two input boxes. Both accept HTML and display it back to the user (fertile ground for XSS!) but suppose the “name” parameter can be exempted from XSS pattern checks
• This is what the site profile looks like before HaL intervenes:
Modifiers Represent Exceptions to the Classification Process
An XSS Attack Is Detected
• Inside the event log, a “Create Modifier” option appears
Create Modifier Is at the Heart of HaL
Options HaL Provides
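As an added example covering the signature engine slides above and this HaL walkthrough (it is not the WAF's engine or its signature language): normalization that undoes URL and HTML encoding, including double encoding; signatures with a cheap pre-match pattern and a confirming regex; rules that bind them to REQUEST_PARAMS with a severity; a profile in monitor or block mode; and a HaL-style modifier that exempts the 'name' parameter from the XSS signature. The signature regexes, rule ids and sample URLs are constructed.

```python
import html
import re
from urllib.parse import unquote, urlsplit

SEVERITY = {"low": 0, "medium": 1, "high": 2}

# Signatures: readable name, id (the dict key), cheap pre-match pattern,
# and the regular expression that confirms the match. Both regexes are constructed.
SIGNATURES = {
    "XSS-HTML-TAG": {"name": "HTML tag in input", "pattern": "<",
                     "regex": re.compile(r"<\s*/?\s*[a-z][a-z0-9]*", re.I)},
    "SQLInject": {"name": "SQL tautology or comment", "pattern": "'",
                  "regex": re.compile(r"'\s*or\s+\d+\s*=\s*\d+|--", re.I)},
}

# Rules bind a signature to a place in the message at a severity (only REQUEST_PARAMS here).
RULES = [
    {"id": "R-XSS-1", "location": "REQUEST_PARAMS", "sig": "XSS-HTML-TAG", "severity": "high"},
    {"id": "R-SQL-1", "location": "REQUEST_PARAMS", "sig": "SQLInject", "severity": "high"},
]


def make_profile(mode="monitor", min_severity="medium"):
    """A profile applies rules to one web application; mode is 'monitor' or 'block'."""
    return {"mode": mode, "min_severity": min_severity, "rules": list(RULES), "modifiers": []}


def create_modifier(profile, param, sig_id):
    """HaL 'Create Modifier': record a per-parameter exception for one signature."""
    profile["modifiers"].append({"param": param, "sig": sig_id})


def normalize(value):
    """Undo URL and HTML encodings until the value stops changing (covers double encoding)."""
    previous = None
    while previous != value:
        previous = value
        value = html.unescape(unquote(value))
    return value


def request_params(url):
    """Split the query string into (name, raw value) pairs; values are decoded later."""
    pairs = []
    for item in urlsplit(url).query.split("&"):
        if item:
            name, _, raw = item.partition("=")
            pairs.append((unquote(name), raw))
    return pairs


def inspect_request(url, profile):
    """Run the profile's rules over REQUEST_PARAMS; return the action and any alerts."""
    alerts = []
    for name, raw in request_params(url):
        canonical = normalize(raw)
        for rule in profile["rules"]:
            if rule["location"] != "REQUEST_PARAMS":
                continue
            if SEVERITY[rule["severity"]] < SEVERITY[profile["min_severity"]]:
                continue  # below the strictness the profile enforces
            if any(m["param"] == name and m["sig"] == rule["sig"] for m in profile["modifiers"]):
                continue  # exception created from the event log
            sig = SIGNATURES[rule["sig"]]
            if sig["pattern"] not in canonical or not sig["regex"].search(canonical):
                continue
            alerts.append({"rule": rule["id"], "sig": rule["sig"], "name": sig["name"],
                           "param": name, "severity": rule["severity"], "value": canonical})
    if not alerts:
        action = "allow"
    elif profile["mode"] == "monitor":
        action = "alert"  # reported, not blocked
    else:
        action = "block"
    return {"action": action, "alerts": alerts}


if __name__ == "__main__":
    profile = make_profile("monitor")
    print(inspect_request("http://foo.com/query?bar=%3c%73%63%72%69%70%74", profile))
    profile["mode"] = "block"
    create_modifier(profile, "name", "XSS-HTML-TAG")
    print(inspect_request("http://foo.com/form?name=%3Cb%3EJohn%3C%2Fb%3E&comment=hi", profile))
```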
Attack #3—SQL Injection
• SQL stands for Structured Query Language
• Allows applications to access a database
• SQL can:
  Execute queries against a database
  Retrieve data from a database
  Insert new records in a database
  Delete records from a database
  Update records in a database
• Many applications take user input and blindly send it directly to the SQL API!
Anatomy of a SQL Injection Attack: Basic SQL Query for Payment Info
• Typical SQL query
  SELECT cc_number FROM users
  WHERE username = 'victor'
  AND password = '123'
• Typical ASP/MS SQL Server login syntax
  var sql = "SELECT cc_number FROM users WHERE username = '" + form_user + "' AND password = '" + form_pwd + "'";
Anatomy of a SQL Injection Attack: SQL Injection—Bypass Login
• Attacker injects the following:
  form_user = ' or 1=1 --
  form_pwd = anything
• Final query would look like this:
  SELECT * FROM users
  WHERE username = ' ' or 1=1      (always true!)
  -- AND password = 'anything'     (SQL comment)
• Attacker gains access to the application!
• Not just logins – alter database, dump payment card information…
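As an added example (not from the slides), the slide's concatenated login query and a parameterized version of it, both run against an in-memory SQLite table holding one constructed row, with the same legitimate and injected inputs given to each.

```python
import sqlite3


def setup_db():
    """In-memory table shaped like the slide's query; the single row is constructed.
    (Plaintext passwords only mirror the slide; a real schema would store a hash.)"""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, cc_number TEXT)")
    conn.execute("INSERT INTO users VALUES ('victor', '123', '4111-0000-0000-0000')")
    conn.commit()
    return conn


def lookup_concat(conn, form_user, form_pwd):
    """Vulnerable: builds SQL by string concatenation exactly as the slide's ASP snippet
    does, so a quote character in the input becomes part of the query text."""
    sql = ("SELECT cc_number FROM users WHERE username = '" + form_user +
           "' AND password = '" + form_pwd + "'")
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, form_user, form_pwd):
    """Hardened: the query text is fixed and the form values travel as bound parameters,
    so they are compared as data and cannot change the query's structure."""
    sql = "SELECT cc_number FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (form_user, form_pwd))]


if __name__ == "__main__":
    db = setup_db()
    print("legit, concat: ", lookup_concat(db, "victor", "123"))
    print("legit, param:  ", lookup_param(db, "victor", "123"))
    print("bypass, concat:", lookup_concat(db, "' or 1=1 --", "anything"))
    print("bypass, param: ", lookup_param(db, "' or 1=1 --", "anything"))
```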
Defense: SQL Injection signature set
• Detect SQL in input parameters
Defense: Response Message Rewrite
• Search for and replace questionable content in responses from server
Attack #4—CSRF
• “Whereas cross-site scripting exploits the trust a user has in a website, a cross-site request forgery exploits the trust a Web site has in a user by forging a request from a trusted user.” (source: Wikipedia)
• How does it work:
  Bob is logged into his bank’s website
  Bob is also chatting/reading a blog at the same time
  Hacker posts a comment in the blog inviting Bob to click a link
  The link performs an action on Bob’s bank
  As Bob is logged in, the action has the potential to succeed
• Simple example: http://www.google.com/setprefs?hl=ga
• Note that Bob doesn’t even have to click a link – a simple <img src="http://example.org/buy.php?item=PS3&qty=500"> on a web page could suffice!
Defense: CSRF
• Not trivial, no simple one-stop solution
• Several server-side solutions:
  Generate random tokens for forms or actions so a hacker can’t guess
  Make sure the site isn’t XSS-vulnerable
  Use CAPTCHAs
Defense: Referrer enforcement
• The browser/client populates the ‘Referer’* header to indicate the address (URI) of the resource from which the Request-URI was obtained
• WAF can require that the header be a link on the same web site
• Not foolproof – spoofing has been demonstrated!
* (sic) – it’s misspelled in the specification
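As an added example (not from the slides or the product), the two defenses just described working together: a per-session random token tied to the session with an HMAC, plus Referer enforcement of the kind the WAF performs. The site host, the secret key and the request shapes are constructed.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SITE_HOST = "bank.example"            # constructed protected site
SERVER_KEY = secrets.token_bytes(32)  # assumed per-deployment secret, never sent to clients


def issue_csrf_token(session_id):
    """Random nonce plus an HMAC that ties it to the session: a third-party page
    can neither read the token nor forge one for this session."""
    nonce = secrets.token_hex(16)
    tag = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{tag}"


def verify_csrf_token(session_id, token):
    """Recompute the tag for this session and compare in constant time."""
    nonce, sep, tag = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)


def referer_ok(headers):
    """WAF-style rule: the Referer must be an https link on the protected site itself.
    A missing header fails the check; as the slide says, this alone is not foolproof."""
    ref = headers.get("Referer")
    if not ref:
        return False
    parts = urlsplit(ref)
    return parts.scheme == "https" and parts.hostname == SITE_HOST


def authorize_state_change(method, session_id, headers, form):
    """Allow a state-changing action only if every check passes. Refusing GET is what
    defeats the <img src=...> trick on the previous slide, since an image load is a GET."""
    if method != "POST":
        return False
    if not referer_ok(headers):
        return False
    return verify_csrf_token(session_id, form.get("csrf_token", ""))


if __name__ == "__main__":
    session = "sess-42"
    token = issue_csrf_token(session)
    same_site = {"Referer": "https://bank.example/transfer"}
    print("legit:", authorize_state_change("POST", session, same_site, {"csrf_token": token}))
    print("forged:", authorize_state_change("POST", session,
                                            {"Referer": "https://blog.example/post"}, {}))
```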
Attack #5—Broken Authentication and Session Management Using Cookie Tampering
What Is It?
• A cookie that has had its value changed by the user
• Cookie storage is managed and controlled by the user
• Cookies can be viewed and modified by the user
• Cookies transferred in the open can be captured and modified by a third party
Why Does It Happen?
• Cookie information is weakly encrypted or hashed
• Web application developers are unaware of the threat or lack the cryptographic expertise to prevent tampering
• The cookie is assumed to contain a certain format of content, an assumption that isn’t verified
Result
• Identity theft or impersonation by a third party altering the session id or authorization information stored in the cookie
• DoS or even remote command execution due to buffer overflows
Defense: Cookie Tampering
• No need to reinvent the wheel—existing proven encryption algorithms available to web application developers
• Use modern development frameworks for session maintenance
• Cisco’s WAF can encrypt cookies, only sending an MD5 hash of the actual cookie
  Immune to tampering
  Be aware that replay attacks are still possible
Cookie Security: Signing and Encryption
Web Server sets: sess1=1800; expires=Mon, 15-Dec-2006 1:03:00 GMT; path=/; domain=.google.com; secure
Client sees, after encryption: CP_EN7a989b1f1b9e966e47d629eec63302d3571d1677b27fe1bebba48df648b2edc=expires=Mon, 15-Dec-2006 1:03:00 GMT; path=/; domain=.cisco.com; secure
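As an added example of the idea on this slide (not the product's mechanism, and using HMAC-SHA256 rather than the MD5 the previous slide mentions), a gateway-side cookie vault: the server's real cookie value stays on the gateway and the client only ever holds an opaque token, so a modified token fails verification, while a captured token still replays until its vault entry expires. The cookie format, key and TTL are constructed.

```python
import hashlib
import hmac
import secrets

PREFIX = "CP_EN"  # marker for an opaque client-side value, echoing the slide's naming


class CookieProxy:
    """Rewrites Set-Cookie values on the way out and translates them back on the way in."""

    def __init__(self, key, ttl_seconds):
        self.key = key          # assumed gateway secret
        self.ttl = ttl_seconds  # assumed lifetime of a vault entry
        self.vault = {}         # opaque token -> (cookie name, real value, expiry time)

    def _tag(self, token):
        return hmac.new(self.key, token.encode(), hashlib.sha256).hexdigest()[:32]

    def outbound(self, set_cookie, now):
        """Server -> client: replace the real value with a random token plus its HMAC tag;
        the cookie's own attributes (expires, path, domain, secure) are passed through."""
        name, _, rest = set_cookie.partition("=")
        value, _, attrs = rest.partition(";")
        token = secrets.token_hex(16)
        opaque = PREFIX + token + self._tag(token)
        self.vault[opaque] = (name, value, now + self.ttl)
        return f"{name}={opaque};{attrs}"

    def inbound(self, cookie, now):
        """Client -> server: return the original 'name=value', or None to reject."""
        name, _, opaque = cookie.partition("=")
        if not opaque.startswith(PREFIX) or len(opaque) != len(PREFIX) + 64:
            return None
        token = opaque[len(PREFIX):len(PREFIX) + 32]
        tag = opaque[len(PREFIX) + 32:]
        if not hmac.compare_digest(tag, self._tag(token)):
            return None                   # tampered: the tag no longer matches
        entry = self.vault.get(opaque)
        if entry is None or entry[0] != name:
            return None                   # unknown token, or token moved to another cookie
        real_name, real_value, expires_at = entry
        if now > expires_at:
            del self.vault[opaque]
            return None                   # expired: bounds the replay window
        # A captured token is accepted again here: replay is not prevented, only bounded.
        return f"{real_name}={real_value}"


if __name__ == "__main__":
    proxy = CookieProxy(secrets.token_bytes(32), ttl_seconds=1800)
    sent = proxy.outbound("sess1=1800; path=/; domain=.google.com; secure", now=0)
    print("client sees:", sent)
    opaque = sent.partition("=")[2].partition(";")[0]
    print("server gets:", proxy.inbound(f"sess1={opaque}", now=10))
```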
Exception Mapping
• Replace server errors with WAF-generated content
HTTP Header Processing
Server Header Cloaking
Data Overflow Defense
Centralized Management and Deployment
Clustering: Stand-Alone ACE WAF
• Gateway and manager running on same appliance
• Used for demo and proof-of-concept situations or development environments
Clustering: Separate Manager
• Two or more appliances running gateway component
• One appliance running manager component
(diagram: Manager; Gateway; Gateway)
Clustering: Integrated Manager
• One appliance running both gateway and manager components
• One or more appliances running only gateway component
(diagram: Manager and Gateway; Gateway)
Deployment Modes
• One-armed: single NIC handles all traffic
  Same VLAN for pre- and post-Gateway traffic
  Simplest mode for configuration
• Multi-arm: multiple NICs for traffic
  Different VLAN on each NIC
  Static routes needed in most environments
  Single routing table/default route for entire system
  Decision as to which NIC to use made by Linux kernel based on Layer 3 destination address
  Firewall policy has no concept of internal/external addresses!
• In either case, multiple IPs per VLAN possible for virtual hosting
Perimeter Security: One-Armed Proxy
• Traffic passes through ACE twice
• Easy to insert into existing ACE deployment
• Allows for fail-open or fail-closed configuration
Perimeter Security: Two-Armed Proxy
• Different contexts on same physical ACE can be used on both sides
• Best practice when backend is multiple hops from ACE WAF, need DMZ separation
(diagram: Web Application Consumers on the Public Internet → ACE Application Switch (VIP 63.90.156.60) → ACE WAFs → ACE Application Switch (VIP 10.20.1.200) → Web Application Providers; internal addresses shown: 10.10.1.1, 10.10.1.10, 10.10.1.11, 10.10.1.12, 10.20.1.1, 10.20.1.151, 10.20.1.152, 10.30.1.1, 10.30.1.151, 10.30.1.152)
One-Armed: Terminate SSL at ACE
• Consolidate keys on load balancer
• Use L7 classmap to direct traffic at ACE
One-Armed: Terminate SSL at ACE WAF
• Optionally perform end-to-end SSL to application
Deployment Example
Deployment Example
Steps to Deploy:
• Configure WAF network and cluster settings
• Define web application and apply profile
• Deploy in monitor mode and tune
• Re-deploy in enforcement mode
Network Diagram Before: No WAF
• Standard ACE L7 configuration with SSL termination, TCP reuse
Network Diagram After: with WAF
• Deployment mode: one-armed proxy, terminate SSL at ACE
• Two WAF devices, one acting as firewall, other as joint firewall and manager
Cable Devices
• Four RJ45 Gigabit Ethernet network interfaces
• One LOM NIC (see HP DL360 docs)
• Serial console
• VGA/keyboard video console
• Dual power supplies
• nCipher card reader (only on FIPS model)
(rear-panel labels: LOM NIC; eth0, eth1; eth2, eth3; RS232; VGA; PS/2 keyboard; dual power supplies; nCipher)
Configure Network Settings
• Connect KVM or Serial Console
• Log in as “root”
• Set standard IP settings
  IP address
  Hostname
  DNS server
  NTP server
• Set as Gateway, Manager, or both
Log in to Manager
• Point browser at the machine selected to be Manager, HTTPS, port 8243
  https://172.25.91.151:8243/
• Log in as “administrator”, password “swordfish”
Configure as Cluster
Getting Started with the Cisco ACE WAF
1. A Wizard Helps You Define the Websites You Want to Protect
Specify the IP Address or Name of the Backend Server
Call the WAF Wizard
Monitor Means the WAF Alerts but Doesn’t Block—Extremely Convenient If You’re Leery of Deploying Inline
Getting Started with the Cisco ACE WAF
You Can Use Regular Expressions to Define the Site.
You Can Use Additional Parameters for Classification.
2. If (host + URL) Classification Isn’t Sufficient, an Expert Mode Is Available
Getting Started with the Cisco ACE WAF
Full Classification Customization
3. You Can, for Instance, Require the Presence of a Given HTTP Header
Getting Started with the Cisco ACE WAF
Website Protected by the WAF
Factory-Shipped PCI Profile Applied
4. We Have Defined Our First Protected Web Server (Http://172.25.89.140/)
Protecting the Website from XSS
XSS Protection
5. The WAF Ships with Predefined Profiles That You Can Clone and Edit
Fine-Tuning a Security Profile
XSS Rules Level
Action to Take When an XSS Is Detected
6. Inside a Profile You Find Groups of Rules (Rule = Signature)—Each Group Contains Rules Ranked by Security Level
7. The XSS Group Contains Rules That Are Cisco® Verified Signatures
Fine-Tuning a Security Profile
Hundreds of XSS Rules Are Shipped from the Factory.
Each Rule Has a Unique ID and a Security Level (basic, moderate, and strict).
Profile Ready to Be Deployed
XSS Protection Enabled with Level Strict
8. Here Is What Our Custom Test Profile Looks Like—XSS Protection Is Enabled
Associate the Profile to the Website
Profile “Test” Mapped to Our Website
9. Map the Profile to the Website
Deploy the Policy to the WAF Firewalls
Deltas Between Current Applied Policy and Proposed One Are Highlighted.
10. Cisco ACE WAF Ships with Strong Change Control and Audit Log Capabilities
11. Cisco ACE WAF Alerts You of Risks Associated with Certain Configuration Options
Proactive Notification of Potential Problems
Proactive Performance Warnings
12. Multiunit Deployment + Timestamp and Rollback of Policies
Verification of Successful Deployment
Policies Can Be Deployed to N Gateways
Timestamps
The Website Is Under Attack
Immediate Incident Report View
13. We Are Launching an XSS Attack Against the Website
Let’s Drill Down
The Name of the Attack Vector Is Provided
ID of the Rule that Caused the Alert
14. Let’s See What the Attack Looks Like
Detailed Security Event Drill-Down
Full Dump of Incoming Request
15. Detailed Forensics Are Available for Each Attack
What the User, Hacker, and Victim See
• The error message and HTTP return code are fully customizable; you can return your own HTML code and, for example, redirect the attacker to the main page
16. Default Error Text Is Returned to Browser (Fully Customizable)
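The walkthrough above (steps 2 and 3: classifying a site by host and URL regex plus a required header; steps 5 to 8: a profile made of rule groups whose rules carry an ID and a basic/moderate/strict level, with an action per group; the monitor-versus-enforcement distinction from the wizard; steps 13 to 16: an alert that names the vector and the rule ID, keeps the full request dump, and returns a customizable block response) can be modelled in a few dozen lines. The following is an added example written for this page, not Cisco code and not the ACE WAF's real policy format; the three XSS patterns, the site names and the rule IDs are constructed sample values.

```python
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import unquote_plus

# Security levels as the deck names them; a group set to "moderate"
# activates its basic and moderate rules, "strict" activates all three.
LEVELS = {"basic": 0, "moderate": 1, "strict": 2}

@dataclass
class Rule:
    rule_id: int        # unique ID reported in the alert
    level: str          # level at which the rule becomes active
    pattern: str        # constructed sample signature, not a Cisco signature

@dataclass
class RuleGroup:
    vector: str         # attack vector name, e.g. "XSS"
    rules: list
    level: str = "strict"
    action: str = "block"   # what to do when a rule fires: "block" or "alert"

    def active_rules(self):
        return [r for r in self.rules if LEVELS[r.level] <= LEVELS[self.level]]

@dataclass
class Profile:
    name: str
    groups: list

@dataclass
class Request:
    host: str
    path: str                       # path with optional query string
    headers: dict = field(default_factory=dict)
    body: str = ""

    def inspected_text(self):
        # Decode once so URL-encoded payloads are matched in decoded form.
        query = self.path.partition("?")[2]
        return unquote_plus(query) + "\n" + unquote_plus(self.body)

@dataclass
class Website:
    name: str
    host_re: str                    # regular expressions, as in expert mode
    path_re: str
    required_headers: tuple = ()    # extra classification parameter
    profile: Optional[Profile] = None

    def matches(self, req):
        present = {h.lower() for h in req.headers}
        return (re.fullmatch(self.host_re, req.host) is not None
                and re.match(self.path_re, req.path) is not None
                and all(h.lower() in present for h in self.required_headers))

@dataclass
class Event:
    site: str
    vector: str         # name of the attack vector shown in the drill-down
    rule_id: int        # ID of the rule that caused the alert
    action: str
    request: Request    # full dump of the incoming request for forensics

class Waf:
    def __init__(self, sites, mode="monitor", block_status=403,
                 block_headers=None, block_body="<html>Request blocked</html>"):
        self.sites, self.mode = sites, mode
        self.block_status, self.block_body = block_status, block_body
        self.block_headers = block_headers or {}
        self.incidents = []     # incident report view

    def inspect(self, req):
        """Return ("forward", events) or ("block", events) for one request."""
        site = next((s for s in self.sites if s.matches(req)), None)
        if site is None or site.profile is None:
            return "forward", []       # unclassified traffic is not inspected
        text = req.inspected_text()
        events = [Event(site.name, g.vector, r.rule_id, g.action, req)
                  for g in site.profile.groups for r in g.active_rules()
                  if re.search(r.pattern, text, re.IGNORECASE)]
        self.incidents.extend(events)
        # Monitor mode only alerts; enforcement mode honours the group action.
        blocked = self.mode == "enforce" and any(e.action == "block" for e in events)
        return ("block" if blocked else "forward"), events

    def block_response(self):
        # Status, headers and body are operator-defined, e.g. a redirect.
        return self.block_status, dict(self.block_headers), self.block_body

def build_demo_waf(mode="monitor", xss_level="strict"):
    # Constructed sample XSS group: one rule per security level.
    xss = RuleGroup("XSS", [Rule(1001, "basic", r"<\s*script"),
                            Rule(1002, "moderate", r"javascript\s*:"),
                            Rule(1003, "strict", r"\bon[a-z]+\s*=")], level=xss_level)
    site = Website("shop", r"shop\.example\.com", r"/", profile=Profile("Test", [xss]))
    # Block response redirects to the main page, as the deck suggests.
    return Waf([site], mode=mode, block_status=302,
               block_headers={"Location": "/"}, block_body="")
```

Running `build_demo_waf()` in monitor mode forwards a request whose query carries `<script>` but records an event naming rule 1001 and the XSS vector; the same request through `build_demo_waf(mode="enforce")` is blocked with the 302 redirect. Lowering the group to `basic` silences the strict-level rule, which is the tuning loop the deployment steps describe: watch the incident view in monitor mode, adjust levels and actions, then switch to enforcement.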
Q and A
Source: Cisco Press
Recommended Reading
BRKAPP-3003
Meet The Expert
To make the most of your time at Cisco Networkers 2009, schedule a Face-to-Face Meeting with a top Cisco Expert.
Designed to provide a "big picture" perspective as well as "in-depth" technology discussions, these face-to-face meetings will provide fascinating dialogue and a wealth of valuable insights and ideas.
Visit the Meeting Centre reception desk located in the Meeting Centre in World of Solutions