Enterprise-wide Web Security
Res. Assistant Enis Karaarslan
Ege Univ. Campus Network Manager
ULAK-CSIRT http://csirt.ulakbim.gov.tr/eng
CONTENT
1. Why web security?
2. Network / web system awareness
3. Secure coding
4. Enterprise web security model
  • Standardization
  • Awareness
  • Training/Testing
  • Detection
  • Prevention
  • Coordination Centre

CONTENT (cont.)
• 4. Implementation
• 5. Conclusion
1. Why do we need web security?
• Web (server) usage increases
  • information systems, devices, etc.
• Web incidents increase
  • Zone-H: 400,000 incidents (36% increase) in 2004
  • CSI-FBI “Computer Crime and Security Survey”: 95% of the respondents experienced more than 10 web site incidents in 2005
Why do we need web security? (contd.)
• Incidents can cause:
  • Loss of privacy of customer data
  • Many further consequences of private data loss
  • Damage to the enterprise’s/vendor’s reputation
  • Reaching network devices and ...
  • Etc.
Major Problems in Web Security
• Not enough importance is given to web security
• Traditional security measures are not sufficient
• Insufficient web server security
• Lack of secure coding
“We wouldn’t need so much network security, if we didn’t have such bad software security.” – Bruce Schneier
2. Network / Web System Awareness
• Know your enemy (?)
• Know yourself, know your assets, know what to protect
• Know your systems better than the attacker does
Network / Web System Awareness (contd.)
• Network awareness: the ability to know what is happening on the network
• Web system awareness: a specialized form of network awareness
• Web system awareness consists of:
  • Vulnerability analysis
  • System monitoring
Web System Awareness
• Web infrastructure awareness: collect and keep current system information
• Vulnerability testing: know your visible weaknesses
• Monitoring the system: see the current status of the system
Web Infrastructure Awareness
• Web server IP addresses
• Protocols used (https, http)
• Site domain names (ex. socrates.ege.edu.tr)
• Web server ports (80, 8080, etc.)
• Operating system (Linux, Windows, etc.)
• Web server software types and versions (Apache 2.0, IIS 6.0, etc.)
Web Infrastructure Awareness (contd.)
• Content Management Systems (CMS), portals, wikis, bulletin boards, discussion forums
• Web frameworks (PHP, .NET, J2EE, Ruby on Rails, ColdFusion, Perl, etc.) and all types of web applications
• Application file names
• Paths to the applications, the directory structures
• Application parameters and their types
3. Secure Coding
• Secure coding and vulnerability testing in the Software Development Life Cycle (SDLC)
• Assurance models, ex. OWASP CLASP, Microsoft SDL
• OWASP tutorials: http://www.owasp.org
Secure Coding (contd.)
Cannot be implemented perfectly because of:
• Project deadlines
• Programmers’ lack of security awareness
But it should still be focused on. Network-based measures must also be considered.
4. Enterprise-Wide Web Security Model
The model consists of sub-modules:
• Standardization
• Awareness
• Training/Testing
• Detection
• Prevention
• Coordination Centre
Standardization
• Policy based: define what is permitted and what is not
• Define the preferred system: supply templates, best practices
• Secure coding
• Documentation
Training / Testing
• Workshop: show secure coding examples, attack scenarios
• Training portal
  • Related secure coding best practices
  • Guidelines, standards
• Test server
  • Black box testing
  • Source code analysis
Intrusion Detection
• Intrusion detection systems, ex. Snort, ModSecurity
• Log control
• Honeypot, honeynet
Prevention
• Access control, ex. network firewall, router ACL
• Server local security, ex. ModSecurity
• Reverse proxy / web application firewall, ex. ModSecurity with mod_rewrite
5. Implementation
• Web security model in progress at Ege University, Turkey
• Web Security Group in ULAK-CSIRT
• Focus on web system awareness and training
• Open source tools
• Results are presented
5.1. Active/Passive System Awareness
• The aim is to collect and keep the current view of the web system
• Active scan
  • NMAP, AMAP
  • Perl code for the analysis
  • Open source search engine (future work)
• Passive scan
  • Snort
  • ModSecurity
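The active-scan analysis step above (and the "track the changes on the systems" goal of the awareness portal) as an added Python illustration; this is not the authors' Perl code. It assumes nmap was run with -sV and XML output; the XML below is a constructed sample with non-real hosts, and the baseline/diff format is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap -sV XML output for two web servers (not real hosts).
NMAP_XML = """<nmaprun>
  <host><address addr="10.0.0.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.0.52"/></port>
      <port protocol="tcp" portid="443"><state state="open"/>
        <service name="https" product="Apache httpd" version="2.0.52"/></port>
    </ports>
  </host>
  <host><address addr="10.0.0.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="8080"><state state="open"/>
        <service name="http" product="Microsoft IIS httpd" version="6.0"/></port>
      <port protocol="tcp" portid="22"><state state="closed"/></port>
    </ports>
  </host>
</nmaprun>"""

def parse_inventory(xml_text):
    """Return {ip: {port: "product version"}} built from open ports only."""
    inventory = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        services = {}
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are not part of the web surface
            svc = port.find("service")
            parts = [svc.get("product"), svc.get("version")] if svc is not None else []
            services[int(port.get("portid"))] = " ".join(p for p in parts if p) or "unknown"
        inventory[addr] = services
    return inventory

def diff_inventory(baseline, current):
    """Describe what changed since the last scan: hosts, ports and software versions."""
    changes = []
    for ip in sorted(set(baseline) | set(current)):
        if ip not in baseline:
            changes.append(f"new host {ip}")
        elif ip not in current:
            changes.append(f"host {ip} gone")
        else:
            for port in sorted(set(baseline[ip]) | set(current[ip])):
                old, new = baseline[ip].get(port), current[ip].get(port)
                if old != new:
                    changes.append(f"{ip}:{port} {old} -> {new}")
    return changes
```

Running parse_inventory on each scan and diff_inventory against the stored previous result gives the change list that a portal can show to the server's administrator.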
Test Deployment Schema
• IDS configured for web security
  • WEBIDS
  • TWEBIDS: knows the web system infrastructure
Statistical Results
• Alerts collected over a one-month period
• TWEBIDS, which knows the system, produces more specific alerts and fewer false alarms
• More statistics in the paper
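How an infrastructure-aware sensor such as TWEBIDS can drop false alarms, as an added Python illustration that is not the authors' code: an alert is checked against the known inventory of the target before it is raised. The inventory, the signature-class-to-product mapping and the Snort-style alert lines are all constructed; sids and addresses are illustrative.

```python
import re

# Constructed web inventory, i.e. what an infrastructure-aware sensor knows: {ip: {port: product}}.
INVENTORY = {
    "10.0.0.10": {80: "Apache httpd", 443: "Apache httpd"},
    "10.0.0.11": {8080: "Microsoft IIS httpd"},
}

# Assumed mapping from a signature's class prefix to the server product it is relevant for.
CLASS_TO_PRODUCT = {"WEB-IIS": "IIS", "WEB-APACHE": "Apache"}

# Snort "fast" alert format: ... [**] [gid:sid:rev] message [**] ... src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\] \[[\d:]+\] (?P<msg>.+?) \[\*\*\] .*?(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed alert lines; sids and addresses are illustrative, not captured traffic.
ALERTS = [
    "08/12-10:01:02.000001 [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Priority: 2] {TCP} 192.0.2.7:4021 -> 10.0.0.10:80",
    "08/12-10:01:03.000002 [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Priority: 2] {TCP} 192.0.2.7:4022 -> 10.0.0.11:8080",
    "08/12-10:01:04.000003 [**] [1:1122:5] WEB-MISC /etc/passwd [**] [Priority: 2] {TCP} 192.0.2.7:4023 -> 10.0.0.10:443",
    "08/12-10:01:05.000004 [**] [1:1122:5] WEB-MISC /etc/passwd [**] [Priority: 2] {TCP} 192.0.2.7:4024 -> 10.0.0.50:80",
]

def triage(alert, inventory=INVENTORY):
    """Classify one alert as 'alert', 'suppress' or 'review' using the known infrastructure."""
    m = ALERT_RE.search(alert)
    if not m:
        return ("review", "unparsed alert line")
    dst, dport, msg = m["dst"], int(m["dport"]), m["msg"]
    product = inventory.get(dst, {}).get(dport)
    if product is None:
        # Unknown target: either noise or a stale inventory, so ask for a rescan rather than drop it.
        return ("review", f"{dst}:{dport} not in web inventory; rescan")
    sig_class = msg.split(" ", 1)[0]
    required = CLASS_TO_PRODUCT.get(sig_class)
    if required and required not in product:
        return ("suppress", f"{sig_class} signature but {dst}:{dport} runs {product}")
    return ("alert", f"{msg} against {dst}:{dport} ({product})")

def triage_all(alerts=ALERTS, inventory=INVENTORY):
    """Return the verdicts for a batch of alerts, in order."""
    return [triage(a, inventory) for a in alerts]
```

In the constructed batch the IIS signature against the Apache host is suppressed, the same signature against the IIS host is kept, and the hit on an address missing from the inventory is flagged for a rescan instead of being silently dropped.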
Awareness Portal
A web portal for web server administrators and security professionals:
• Detailed reports about their web systems
• Summarized information about the vulnerabilities
• Recommended actions to solve the problems
• Track the changes on the systems
• Plan to expand this implementation to control the critical web servers of the universities in the Turkish Academic Network ULAKNET
5.2. Training
• Workshops, meetings, live demos for web server administrators and web application developers
  • Habits can’t change easily
  • Education is a must!
• Documentation
  • Turkish documents, translations: http://websecurity.ege.edu.tr, http://csirt.ulakbim.gov.tr/dokumanlar
  • İTU-Ninova web security e-learning content: http://ninova.itu.edu.tr
6. Conclusion
• For enterprise web security, implement the modules of the Web Security Model
  • Complexity versus protection
  • Select the modules which suit your enterprise
• Primary objectives for enterprise-wide web security should be:
  • Web system awareness
  • Training web server administrators and web programmers
Conclusion (contd.)
• Systems should be monitored for intrusion detection
• Web security firewall implementation if possible
• Future plans:
  • Fully integrate this model
  • Continue to increase web security awareness
  • Continue to participate in documentation projects and translations
Thanks for your interest ....
• Any questions?
• Contact:
  • csirt@ulakbim.gov.tr
  • info@karaarslan.net
  • ULAK-CSIRT http://csirt.ulakbim.gov.tr/eng