ACE Web Application Firewall - Cisco


Slide 1: ACE Web Application Firewall
Ong Poh Seng, ongps@cisco.com
31st Oct 2008, Rev 1.5 (Jun 08)
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Slide 2: Topics
- Secure Data Center Transformation
- Application Security Trends and Concerns
- Web Application Attack
- Introducing Cisco Web Application Firewall (WAF)
- Q&A

Slide 3: Secure Data Center Transformation

Slide 4: Cisco: Transforming Data Centers
Four pillars: Data Center Assurance Program; Application Networking; Secure DC Infrastructure; Unified Network Fabric.
Themes called out on the slide:
- Edge-to-disk data center systems testing and validation
- DC automated provisioning
- Empowering applications through the network: WAN optimization, application switching, XML security/offload
- Broad portfolio of application networking technologies
- Link LAN, SAN, AFE and security together with compute and storage
- Visibility to business process execution
- Purpose-built infrastructure and transport systems designed for tomorrow's data centers
- Evolution of the data link to allow a single network in the data center for all traffic types

Slide 5: SDN Secured Data Center: big picture and where does ACE WAF play?
Figure: security functions by layer, with the Cisco product placed at each one.
- Data Center Edge: Firewall & IPS, DoS Protection, App Protocol Inspection, Web Services Security, VPN termination, Email & Web Access control
- Web Access / Web Security: Application Security, Application Isolation, Content Inspection, SSL Encryption/Offload, Server Hardening
- Apps and Database: XML, SOAP, AJAX Security, XDoS Prevention, App to App Security, Server Hardening
- Storage Mgmt: Data Encryption In Motion and At Rest, Stored Data Access Control
- Segmentation: Tiered Access, Monitoring & Analysis, Role-Based Access, AAA Access Control
Products on the diagram: ASA, ACS, WAAS, ACE, ACE WAF (Web App Firewall), IronPort E-Mail Security, IronPort Web Security, CSA, Cat6K FWSM, MDS w/ SME. Tiers shown: Web Servers, Database Servers, Tape/Off-site Backup.

Slide 6: Typical Web Application Architecture
Web server receives input -> App server parses input -> DB receives the query created and sent by the App server

Slide 7: Application Security Trends and Concerns

Slide 8: Off the press
"... more than 45 million credit and debit card numbers have been stolen from its IT systems"

Slide 9: Traditional Network Firewalls Ill-Equipped to Protect Web Applications
Diagram: Web Client -> IP Firewall -> Web Server -> Application -> Database Server
Ports 80 & 443 are open to both good and malicious HTTP traffic, so unfiltered HTTP traffic reaches the web server.

Slide 10: Focus of Today's Attacks
- 75% of attacks are focused on custom web applications: customized packaged apps, internal and 3rd party code, business logic. At this layer there are no signatures and no patches.
- Operating systems and the network are the layers where IDS and IPS apply.
No magic signatures or patches for your custom PHP script.

Slide 11: What sort of attacks are we talking about?
OWASP Top 10 (http://www.owasp.org)
Chart: how widespread these attacks are (Source: WhiteHat Security, 2007)

Slide 12: Industry Response
- Visa, American Express, MasterCard and others (the Payment Card Industry) created a Data Security Standard (PCI DSS)
- Section 6.6: must conduct code reviews or install a Web Application Firewall
- Every company that processes credit cards must comply or face fines
- Compliance deadline is June 30 2008
- The April 15 revision added XML security to the list of requirements; it recommends a WAF and secure coding practices

Slide 13: Why Not Fix Current Applications?
- Every 1000 lines of code averages 15 critical security defects (US Dept of Defense)
- The average business app has 150,000-250,000 lines of code (Software Magazine)
- The average security defect takes 75 minutes to diagnose and 6 hours to fix (5-year Pentagon Study)
Even if you consider those figures exaggerated (positively or negatively), the cost of fixing applications is prohibitive. A WAF is always a very financially sound option!

Slide 14: Web Attacks

Slide 15: Cross-Site Scripting (XSS) Attacks
What is it?
- A malicious script is echoed back into HTML returned from a trusted web site. The script executes locally on the client.
- Extremely widespread: some experts estimate 70%-80% of websites are vulnerable
What are the implications?
- Web site defacement
- Session IDs stolen (cookies exported to the hacker's site)
- Browser security compromised: control given to the hacker
- All data sent between client and server potentially hijacked

Slide 16: The XSS Attack Process (diagram)

Slide 17: SQL Injection
- SQL stands for Structured Query Language
- Allows applications to access a database
- SQL can: execute queries against a database; retrieve data from a database; insert new records in a database; delete records from a database; update records in a database
- Many applications take user input and blindly send it directly to the SQL API!
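The last bullet is the whole defect. As an added example (not from the Cisco deck), here is that pattern against an in-memory SQLite table of constructed rows, next to the parameterized query that removes it; the table, rows and the tautology input are constructed for the demo.

```python
# Added example, not from the Cisco deck: the slide's "blindly send user input
# to the SQL API" defect against an in-memory SQLite table of constructed rows,
# next to the parameterized query that removes it.
import sqlite3

def make_db():
    """Constructed sample data: three users, so that a leak is observable."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "alice@example.invalid"),
        ("bob", "bob@example.invalid"),
        ("carol", "carol@example.invalid"),
    ])
    return conn

def lookup_unsafe(conn, name):
    """The anti-pattern: the user-supplied name is spliced into the statement,
    so a quote character in it changes the structure of the query."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name):
    """Parameterized query: the name is bound as a value and can only ever be
    compared as a literal string, whatever characters it contains."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

if __name__ == "__main__":
    conn = make_db()
    tainted = "nobody' OR '1'='1"        # constructed tautology input
    print(lookup_unsafe(conn, tainted))  # all three rows come back
    print(lookup_safe(conn, tainted))    # []
```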

Slide 18: Response Message Rewrite
Search for and replace questionable content in responses from the server
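One concrete use of response rewriting is the data-theft case from slide 8: masking card numbers before a response leaves the server. As an added example (not the ACE WAF's own code), the pass below runs over a constructed HTTP response body and masks 13-19 digit runs only when they pass the Luhn check, so order and phone numbers are left alone; the sample body and the masking format are constructed.

```python
# Added example, not the ACE WAF's own code: an egress rewrite pass of the kind
# the slide describes, run over a constructed HTTP response body. Runs of 13-19
# digits are masked only when they pass the Luhn check, so order and phone
# numbers survive while a leaked card number does not.
import re

CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(match):
    raw = match.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_ok(digits):
        return raw               # not a card number: leave it untouched
    return "*" * (len(digits) - 4) + digits[-4:]   # keep the usual last four

def rewrite_response(body):
    """Returns (rewritten body, number of values masked) for the event log."""
    count = 0
    def repl(m):
        nonlocal count
        out = mask_pan(m)
        count += out != m.group(0)
        return out
    return CANDIDATE.sub(repl, body), count

SAMPLE_BODY = (  # constructed response fragment
    "<p>Order 4000123456789010 confirmed.</p>\n"
    "<p>Card on file: 4111 1111 1111 1111</p>\n"
    "<p>Support: 1800123456789</p>\n"
)

if __name__ == "__main__":
    print(rewrite_response(SAMPLE_BODY)[0])
```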

Slide 19: Cross Site Request Forgery
"Whereas cross-site scripting exploits the trust a user has in a website, a cross-site request forgery exploits the trust a Web site has in a user by forging a request from a trusted user." (source: Wikipedia)
How does it work?
- Bob is logged into his bank's website
- Bob is also chatting/reading a blog at the same time
- Hacker posts a comment in the blog inviting Bob to click a link
- The link performs an action on Bob's bank
- As Bob is logged in, the action has the potential to succeed
Simple example: http://www.google.com/setprefs?hl=ga
Note that Bob doesn't even have to click a link: a simple <img src="http://example.org/buy.php?item=PS3&qty=500"> on a web page could suffice!
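The server-side defence that breaks this scenario is a per-session token that the browser will not attach on its own. As an added example (not from the deck), the check below mints the token as an HMAC of the session id under a server secret and expects it in the form body, never in a cookie, so a request triggered by the blog comment or the img tag carries Bob's cookie but not a valid token; the request shape, the secret and the endpoint are constructed.

```python
# Added example, not from the deck: a synchronizer-token check, the standard
# defence against the scenario above. The token is an HMAC of the session id
# under a server secret and travels in the form body, never in a cookie, so a
# request that a blog comment or <img src=...> triggers in Bob's browser carries
# his cookie but cannot carry a valid token. Request shape and secret are constructed.
import hmac
import hashlib

SERVER_SECRET = b"demo-secret-rotate-me"   # constructed; load from config in practice

def csrf_token(session_id):
    """Token bound to one session; embed it as a hidden form field."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def authorize(request, changes_state=True):
    """request: dict with 'method', 'cookies' and 'form'. Returns (allowed, reason)."""
    session_id = request["cookies"].get("session")
    if session_id is None:
        return False, "no session"
    if not changes_state:
        return True, "read-only endpoint"
    if request["method"].upper() != "POST":
        # a link or <img src=...> can only issue a GET: never act on one
        return False, "state change requires POST"
    supplied = request["form"].get("csrf_token", "")
    # constant-time compare so the check cannot be timed byte by byte
    if not hmac.compare_digest(supplied, csrf_token(session_id)):
        return False, "missing or wrong CSRF token"
    return True, "token ok"

def buy_endpoint(request):
    """The slide's buy.php, guarded: 403 on every forged variant."""
    ok, reason = authorize(request)
    return (200 if ok else 403), reason

if __name__ == "__main__":
    bob = {"session": "bob-session"}
    forged = {"method": "GET", "cookies": bob, "form": {}}           # <img src=...>
    genuine = {"method": "POST", "cookies": bob,
               "form": {"item": "PS3", "qty": "1", "csrf_token": csrf_token("bob-session")}}
    print(buy_endpoint(forged), buy_endpoint(genuine))   # (403, ...) (200, 'token ok')
```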

Slide 20: Introducing the ACE Web Application Firewall

Slide 21: Introducing the ACE Web Application Firewall (WAF)
Drop-in solution for PCI compliance, virtual app patching and data loss prevention
- Secure: deep packet protection against the most common vulnerabilities
- Fast: processes 3,000 TPS and 10,000 concurrent connections
- Drop-in: does not require recoding applications, deployable in under an hour
- PCI 6.5/6.6 compliance is just a few clicks away

Slide 22: Key Release 6.0 Features
Threat Protection (addresses all key PCI requirements):
- Extensive threat signatures
- HTTP input normalization
- Application cloaking
- Encrypted & tamperproof cookies
- SSL client and server decryption
- Data overflow protection
- Data theft prevention
- Custom error remapping
- Egress content rewrite
Usability:
- Powerful yet simple GUI
- Seamless signature updates
- Human-assisted site learning
- MIB & statistics
- Instant alerting and reporting
- Change control and audit log
- Extensive security logging

Slide 23: Hardware and Software Part Numbers
- HW, FIPS: ACE-XML-K9 (FIPS)
- HW, Non FIPS: ACE-XML-NF-K9
- SW licenses for WAF only: F-MGT-LICFX
There is also a "full" license which contains both the XML/Web Services and WAF feature sets

Slide 24: Alternative Network Deployment Model
Diagram: external HTTP and XML Web Services consumers on the Internet -> AXG Web Application Firewall (full reverse proxy) -> WWW1, WWW2, WWW3, WWW Portal. DNS points to the AXG WAF when asked for WWWx.
- The ACE Web Application Firewall is a full reverse proxy
- In other words, you can have the DNS server point to the IP address of the WAF to represent the actual Web server
- At that point, the WAF accepts all requests destined to the Web server, filters them, and sends them out; the response comes back to the WAF as well, for total control of the session

Slide 25: Typical Network Deployment
Diagram: Internet -> WAF 1 / WAF 2 -> www1 ... www4
- Clients resolve www.site.com to a VIP residing on the ACE
- The ACE picks a WAF and sticks the session to it
- The WAF chooses a policy based on the Host header
- When done with the inspection, the WAF sends the packet out to an internal VIP
- That internal VIP represents the actual www servers; the ACE performs the LB decision and sticks the WAF session to one real server

Slide 26: The Website Is Under Attack
13. We are launching an XSS attack against the website
Callout: immediate incident report view

Slide 27: Let's Drill Down
14. Let's see what the attack looks like
Callouts: the ID of the rule that caused the alert; the name of the attack vector is provided

Slide 28: Detailed Security Event Drill-Down
15. Detailed forensics are available for each attack
Callout: full dump of the incoming request
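Slides 22 and 26-28 describe the inspection path in outline: normalize the HTTP input, match it against signatures, and record the rule ID, the attack vector name and the full request for the incident view. As an added example (not the ACE WAF's implementation), the code below does exactly that over constructed request lines; the rule IDs, the patterns and the sample traffic are all constructed for the demo.

```python
# Added example, not the ACE WAF's implementation: the inspection pipeline the
# feature list and the drill-down slides describe in outline, HTTP input
# normalization followed by signature matching, run over constructed request
# lines. A hit yields what the event views show: rule id, attack vector name
# and the full incoming request. Rule ids and patterns are constructed.
import re
from urllib.parse import unquote_plus

SIGNATURES = [  # (rule id, attack vector, pattern applied to normalized input)
    ("XSS-001", "Cross-Site Scripting",
     re.compile(r"<\s*script\b|javascript:|\bon\w+\s*=")),
    ("SQLI-001", "SQL Injection",
     re.compile(r"['\"]\s*(?:or|and)\s+['\"\d]|\bunion\s+select\b")),
]

def normalize(value):
    """Undo the encodings used to slip past naive matching: bounded repeated
    URL decoding (catches double encoding), NUL stripping, lower-casing."""
    for _ in range(3):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\x00", "").lower()

def inspect(request_line):
    """None for a clean request line, else an incident record for the log."""
    method, target, _version = request_line.split(" ", 2)
    text = normalize(target)
    for rule_id, vector, pattern in SIGNATURES:
        if pattern.search(text):
            return {"rule_id": rule_id, "vector": vector, "method": method,
                    "normalized": text, "request": request_line}
    return None

SAMPLE_REQUESTS = [  # constructed traffic: one clean line and three attacks
    "GET /search?q=ace+waf HTTP/1.1",
    "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1",
    "GET /search?q=%253Cscript%253E HTTP/1.1",       # double URL-encoded
    "GET /login?user=admin'%20OR%20'1'='1 HTTP/1.1",
]

def incident_report(requests):
    return [inc for inc in map(inspect, requests) if inc is not None]

if __name__ == "__main__":
    for inc in incident_report(SAMPLE_REQUESTS):
        print(inc["rule_id"], inc["vector"], inc["request"])
```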

Slide 29: ACE Web Application Firewall Summary
- Future-proof application security: full-featured Web Application Firewall with integrated XML Firewall. Extends protection for traditional HTML-based web applications to modern XML-enabled Web services applications.
- Access enforcement: AAA enforcement mechanism to secure applications from unauthorized access
- Positive and negative security enforcement: best of both worlds by keeping bad traffic patterns out and allowing only good traffic through
- Human-assisted learning: deploy policies and profiles in monitoring mode to prevent application downtime due to the false positives typical of an automated learning environment
- Policy-based provisioning: increases developer productivity and ease of deployment with a sophisticated GUI, rollback and versioning capabilities
Defense-in-depth should include a web application firewall that can quickly, effectively and cost-effectively block attacks at layers 5-7
