Securing Legacy Software SoBeNet User group meeting 25/06/2004.
Objectives
• Existing applications are enabled to operate in a networked environment
• Adapter Suites
• Application Platform Suites (J2EE, .NET, …)
• Application Servers
• Enterprise Portals
• Integration Suites
• Message-Oriented Middleware
• Object-Request Brokers
• Transaction Processing Monitors
• Preserve Security Level
• Compliance with Security Standards and regulations
• Manageable
Ubizen – trusted partner in IT Security
• Ubizen has a vast experience in Application Security
  • Via a highly qualified consultancy team
    • Risk Management, Security Policies, Procedures and Standards
    • Architecture Review and Infrastructure design
    • Penetration testing
    • Application Vulnerability Assessment
    • Implementation of best of breed security products
  • Via product development
    • AAA products
    • Web Shielding (DMZ/Shield™)
• Proven Track record in IT Security
  • Top-3 Managed Security Service Provider World-wide
  • Number 1 in Europe
  • > 3200 devices under management
  • Incident Response
  • Forensics Investigation
Three research tracks for securing existing applications
• Protect all access paths to and from the application
  • Interception and validation of the communication between components, modules and systems
  • Shielding components, modules and systems from malicious traffic
• Apply automatic protocol security
  • Moving to a more formal model for protocol description and automatic application of protocol security at different layers of the stack
• Monitoring and managing
  • Introduction of security infrastructure is only the first step… Keeping it properly configured and monitored 24 by 7 by experienced security experts is the second.
MULTI LAYER approach to Application Security
• Deep Packet Inspection
  • Protection at the network layer
  • Protection at the transport layer
  • Protection at the application layer
• Defense in depth
  • Perimeter
  • Demilitarized Zone
  • Transactional Zone
• Multi-tier architecture
  • Coordination of Security Information between the different tiers (e.g. SAML)
• Protection of end points
  • Not all layers on the different tiers are under control (e.g. OS, Language execution environment, App Server)
  • Introduction of HIDS, Policy Compliance Modules, …
2 dimensional multi layer approach
[Figure: a grid of the application tiers (GUI, Presentation Logic, Business Logic, Data Access, Data Layer) against a layer scale 1 to 7, with Deep Packet Inspection applied at every tier; labelled "Security Context and Coordination" and "Defense In Depth"]
In practice …
[Figure: the same tier/layer grid as above]
Interception and Shielding in SoBeNet
[Figure: the same tier/layer grid as above]
Interception Techniques
• Centralized applications
  • Interception of method invocations/library calls/system calls
  → System based interception and shielding
• Distributed or multi-tier applications
  • Interception of traffic using standard internet protocols
  • Interception of Remote Method Invocations
  → Network based interception and shielding
System based interception
• Interception at the Operating System Level
  • Pluggable services of the OS (e.g. network or file I/O)
  • Host Intrusion Detection and Prevention Systems work at this level
• Library Level
  • Dynamically loaded libraries can be replaced with more secure versions
• Language Runtime Support
  • E.g. load-time modification of binary code
  • Validation of pre- and post-conditions
  • Auditability and forensics
• Application Platform Suite
  • J2EE container services and components
  • Microsoft .NET services and components
Network based interception
• Proxy Architectures …
  • Asymmetric Proxy (protocol encapsulates proxy support), no modification of client software
  • Reverse Proxy
  • Symmetric Proxy (generally applicable, but has influence on client software)
• Transparency
  • Link, network, transport level
  • Application Protocol level (e.g. HTTP, …)
  • User Application level
Fall back on industry-adopted standards
Scope definition for maximum valorization of the results?
• Target is “Protecting” Legacy Applications …
• … but these are built on evolving components
• Web Application: HTTP Firewalls
• Service Oriented Architectures: XML Firewalls
• Application Platform Suites: J2EE, .NET
Internet Application Protocols …
• The most important internet protocols were never designed with security in mind
• The RFCs describing the protocols often allow ambiguous interpretation; vendors choose interoperability over security
• Most applications use only a small part of the protocol definition … and vulnerabilities are often in the unused protocol functionality
User Application Protocols …
• Communication protocols at application level are rarely specified, let alone formalized
• User Application protocols get less attention because they are typically used only once, for a specific application
• User Application protocols are more complex because of their dependency on a (huge) internal state: combinatorial explosion of cases
Automatic protocol security
Protocol = set of rules between communicating parties
• Form and content: Formalization (Strong Typing, XML Schema, …)
• Sequence: Formalization (State Charts, Sequence and Collaboration Diagrams, …)
SANITY Checking
Shields 4 of the Top 10 Vulnerabilities in applications
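The shield the slide describes, as an added example that is not code from the SoBeNet or Ubizen projects: a per-session interceptor that formalizes a user-application protocol on both axes (form and content as strongly typed fields, sequence as a state chart) and applies default deny; the message types, field formats and sample session are constructed assumptions.

```python
# Added example, not code from the SoBeNet/Ubizen slides: a shield in front of a legacy
# application enforcing a formalized protocol on both axes the slide names, form/content
# (typed fields) and sequence (state chart), default deny. Everything below is constructed.
import re
# Form and content: per message type the exact field set and each value's type as an
# anchored regular expression (re.fullmatch), so "1234-5678" is not an account number.
FORM = {
    "LOGIN":    {"user": r"[a-z][a-z0-9_]{2,15}", "pin": r"[0-9]{4,8}"},
    "QUERY":    {"account": r"[0-9]{8,12}"},
    "TRANSFER": {"account": r"[0-9]{8,12}", "to": r"[0-9]{8,12}", "amount": r"[1-9][0-9]{0,6}"},
}
# Sequence: state chart as (state, message type) -> next state. Unlisted transitions
# are denied, so a well-formed message arriving in the wrong order is blocked as well.
SEQUENCE = {("START", "LOGIN"): "AUTHENTICATED",
            ("AUTHENTICATED", "QUERY"): "AUTHENTICATED",
            ("AUTHENTICATED", "TRANSFER"): "AUTHENTICATED"}

class ProtocolShield:
    """One instance per client session; keeps that session's protocol state and alerts."""
    def __init__(self):
        self.state, self.alerts = "START", []

    def check(self, msg):
        """True if msg may be forwarded to the application, else False plus an alert."""
        kind = msg.get("type")
        spec = FORM.get(kind)
        if spec is None:
            return self._deny(f"unknown message type {kind!r}")
        payload = {k: v for k, v in msg.items() if k != "type"}
        if set(payload) != set(spec):                      # no missing, no extra fields
            return self._deny(f"{kind}: fields {sorted(payload)} != {sorted(spec)}")
        for name, pattern in spec.items():                 # every value has its type
            if not isinstance(payload[name], str) or not re.fullmatch(pattern, payload[name]):
                return self._deny(f"{kind}: field {name!r} fails type check")
        nxt = SEQUENCE.get((self.state, kind))             # allowed in the current state?
        if nxt is None:
            return self._deny(f"{kind} not allowed in state {self.state}")
        self.state = nxt
        return True
    def _deny(self, reason):
        self.alerts.append(reason)
        return False
def run_session(messages):  # returns (verdict per message, alerts) for one session
    shield = ProtocolShield()
    return [shield.check(m) for m in messages], shield.alerts
# Constructed session: two legitimate messages, then two the shield must stop.
SESSION = [{"type": "LOGIN", "user": "alice", "pin": "4711"},
           {"type": "QUERY", "account": "12345678"},
           {"type": "TRANSFER", "account": "12345678", "to": "87654321", "amount": "250", "debug": "1"},
           {"type": "QUERY", "account": "1234-5678"}]
```

The alerts list is what the monitoring side of the architecture would consume; a denied message leaves the session state unchanged, so one bad message does not desynchronize the shield from the application.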
Manageability and Monitoring
• Keeping the configuration up to date
  • Default Deny Policy
  • Automatic Learning of normal behavior
  • Configuration automation: policy proposals
• Monitoring of all the alerts triggered by the devices
  • Correlation of events from security components
  • Coordination and exchange of security state between devices reduces the false positives
  • Anomaly detection
• Audit Trail
  • What information is required for Forensics
• Performance Management
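The "automatic learning of normal behavior" and "configuration automation" items above, as an added example that is not code from the slides: a learning mode that turns observed normal traffic into a default-deny policy proposal for an operator to review, followed by the enforcement step; the request format, the value types and the sample traffic are constructed assumptions.

```python
# Added example, not code from the slides: a "learning mode" that turns observed normal
# behaviour into a default-deny policy proposal (configuration automation) for an
# operator to review, plus the enforcement step. The request format, the value types and
# the sample traffic are constructed assumptions; field values are assumed to be strings.
import re
from collections import defaultdict

# Candidate value types, narrowest first; a field is proposed the narrowest type that fits
# every value observed for it. The last entry is the catch-all so learning never fails.
TYPES = [("digits", re.compile(r"[0-9]+")),
         ("word",   re.compile(r"[A-Za-z0-9_]+")),
         ("token",  re.compile(r"[A-Za-z0-9_.@-]+")),
         ("any",    re.compile(r".*", re.S))]
TYPE_RX = dict(TYPES)

def learn(samples):
    """Return a policy proposal {request type: {field: (type, min_len, max_len)}}."""
    seen = defaultdict(lambda: defaultdict(list))
    for req in samples:
        for name, value in req.items():
            if name != "type":
                seen[req["type"]][name].append(value)
    policy = {}
    for kind, fields in seen.items():
        policy[kind] = {}
        for name, values in fields.items():
            narrowest = next(t for t, rx in TYPES if all(rx.fullmatch(v) for v in values))
            policy[kind][name] = (narrowest, min(map(len, values)), max(map(len, values)))
    return policy

def enforce(policy, req):
    """Default deny: unknown request type, missing or extra field, type or length breach."""
    spec = policy.get(req.get("type"))
    if spec is None or set(req) - {"type"} != set(spec):
        return False
    return all(isinstance(req[f], str) and lo <= len(req[f]) <= hi and TYPE_RX[t].fullmatch(req[f])
               for f, (t, lo, hi) in spec.items())

# Constructed "normal behaviour" captured during the learning period.
NORMAL = [{"type": "LOGIN", "user": "alice", "pin": "4711"},
          {"type": "LOGIN", "user": "bob_2", "pin": "987654"},
          {"type": "QUERY", "account": "12345678"},
          {"type": "QUERY", "account": "87654321"}]
```

A proposal learned from too little traffic is over-tight (here every account number must be exactly 8 digits), which is why the slide puts an operator review between the proposal and the enforced configuration.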