210 likes | 231 Views
Learn about common website attacks and the importance of web application firewalls (WAFs) in protecting against SQL injection, PHP file inclusion, and cross-site scripting. Explore cost-effective security solutions, such as manual code reviews, Blue Coat WebFilter, and WAFs, to safeguard your online presence.
E N D
Project Part III Double Deuce Jibran Ilyas, Frank LaSota, Paul Lowder, Juan Mendez
Our Security Problem Is Website Attacks Firewall are common in every network deployment, so attackers use websites to get access to internal network Every industry, be it online hop, retail stores, educational institution or government sector has a website for public use, which makes the website problem very common in multiple industries.
SQL Injection Web Attack Example Query Injected by the Attacker Output from the Query Note: Account Numbers masked to protect customer identity
Cross Side Scripting (XSS) • In the code below, you will see that XSS can easily send you to an evil site • http://www.infotech.northwestern.edu/index.php? name=<script language=javascript>window.location=“http://www.veryevilsite.com/toldya.htm”;</script> • In the code below, you will see that XSS may cause denial of service with just one line of code • http://www.avatar.com/ccs1-release-testing/rao.php?name=<script language=javascript>setInterval("window.open('http://www.cs.northwestern.edu/~ychen/','innerName')",10);</script> • The link above will open a window of Dr. Chen’s webpage and request it every 10 milliseconds. (changed from every 100 milliseconds )
Other Web Attacks • Attackers can target vulnerabilities in browser (Internet Explorer or Firefox, java console, plugins, etc
Criteria for Evaluation Cost Effective Few False Positives High Availability Effective for new threats Ease of Configuration Out of the box functionality Solution Web Application Firewall Manual Code Reviews and Pen Tests Bluecoat Web Filter IDS/IPS not ideal for web solution Our Solution
Solution Considerations • Web Application Firewalls (WAF) • Writing Secure Code is much easier said than done • WAF can block variety of traffic • High Performance and low latency; only looks at Layer 7 • Addresses PCI 6.6 requirement for web security • Out of the box Web Security Solution - “Virtual Patch” • Gartner’s Magic Quadrant on WAFs due in Q4 of 2009 • Costs around $35,000 for the appliance • Common Web Application Firewalls (WAFs) include WebDefend, ModSecurity (open source) and ImpervaSecureSphere
WAF Defined • WAF Architecture Choices • Placed between Firewall and Web Application (Inline) • E.g. Reverse Proxy Mode and Transparent Mode • Connected to Network Port on same switch as Web Application (Out of Band) • E.g. Network Monitor Mode • Blocks traffic by using TCP Resets • Has no latency and prevents single point of failure • Security Models • Allow only “Good” Traffic (Positive) • Block only Malicious Traffic (Negative)
How WAF does the job? • Dynamic Profiling (Automated Application Learning) • Session Protecting Engine • SSL Decryption • Data leakage protection
Manual Code Reviews and Application Pen Tests • Best Defense of Websites • Manual tests done by experts • Whitebox testing available • Costs are $300 per 500 lines of code • Average Web Application Code Review costs $30,000 (50,000 lines of code)
Bluecoat Web Filter Defined • Blue Coat WebFilter is an “on-proxy” web filtering solution that protects internal users from • Spyware • Phishing attacks • P2P • IM and streaming traffic • Adult content (sorry) • Botnets (yayy) • Appliance starts at $10,000
Cost/Risk Analysis • Web Application Firewalls • Costs: Open Source Options available • Risks: Developers should stay on top • Manual Code Reviews and Application Pen Test • Costs: Very High Costs $300 per 500 lines of code • Risks: Minimal; code is checked by ethical hackers • Bluecoat Web Filter • Costs: Appliance + Support Costs • Risks: Moderate; claims 98% coverage of malware
Feasibility Analysis • Web Application Firewalls • Feasible because open source options available. • Huge Community Support • Manual Code Reviews and Application Pen Tests • Not feasible for most organizations; very costly • PCI accepts WAF in place of this • Bluecoat Web Filter • Feasible because of its database + Dynamic Protection • Network license needed rather than per client
Business/Legal Consequence • Web Application Firewall (WAF) • Lessens the risk of web applications significantly • No legal consequences • Manual Code Review and Application Pen Tests • Business case not strong; compliance accepts WAF • Legal consequences applicable as exploits discovered are documented and failure to remediation can be bad • Bluecoat Web Filter • Strong Business case, given web attacks in today’s world • User privacy is a big legal concern
Corporate Context • All three solutions are necessary for all the Industries • Government: Needless to say • Education: Private student records are at risk • Healthcare: Private health info at risk • Private: Social Security, Credit cards, Intellectual Property at Risk • Failure to implement these solutions result in compromises which causes falling share price, dropping consumer confidence, bad reputation + high remediation costs
Related Work and Research in This Area SANS Paper on Web Based Threats http://www.sans.org/reading_room/whitepapers/application/web_based_attacks_2053?show=2053.php&cat=application Symantec’s Paper on Web Based Threats http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_web_based_attacks_03-2009.en-us.pdf DevShed.com’s Cross Side Scripting Paper http://www.devshed.com/c/a/Security/A-Quick-Look-at-Cross-Site-Scripting/1/ Bluecoat Webfilter datasheet http://www.bluecoat.com/doc/direct/789 Web Application Firewall http://www.owasp.org/index.php/Web_Application_Firewall
Thank You Thank You! Jibran Ilyas Frank LaSota Paul Lowder Juan Mendez