Date posted: 08-Nov-2014
Protect your online assets today, Hackers Don’t Wait!
Barracuda Web Application Firewall Jumpstart Training
Mohd Fadhly Mohd [email protected]
Barracuda Networks Technical Conference 2012
Barracuda Web Application Firewall Features and Benefits
Architecture
Barracuda Web Application Firewall vs IPS/IDS
Attack                                             IPS/IDS   BWAF
1. Injection attack protection (XSS, SQL)          Limited   Yes
2. Normalize encoded traffic                       No        Yes
3. Inspect HTTPS traffic                           Limited   Yes
4. Session tampering/hijacking/riding protection   No        Yes
5. Forceful browsing prevention                    No        Yes
6. Data theft protection, cloaking                 No        Yes
7. Brute-force protection                          No        Yes
8. Web services protection                         No        Yes
9. Application layer DoS protection                No        Yes
10. Rate control protection                        No        Yes
Barracuda WAF Features Overview
• Comprehensive Website Protection
  – Proxies all Website traffic to provide complete protection for Websites
• Identity and Access Management
  – Application authentication and authorization
• Application Delivery and Acceleration
  – Additional non-security capabilities and features such as High-Availability clustering, load balancing and content compression and caching
• Logging, Monitoring and Reporting
Securing against injection attacks
• Every web application has a form
• Forms have input fields
• Hackers can inject bad data into these fields
• Types of possible attacks
  – Cross Site Scripting attacks
  – SQL injection attacks
  – OS Command injection
  – Malware injection
Login form shown on the slide, with “admin” in one field and the injection string in the other:
' OR username IS NOT NULL OR username = '
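An added example (not from the deck) that runs the injection string from the slide against a constructed sqlite3 login check, showing the string-concatenated query it bypasses beside the parameterized query that treats it as data. The table, the password and which field carries the string are assumptions.

```python
import sqlite3

# Constructed sample database, not from the deck: one account.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('admin', 'S3cret!')")

# The injection string shown on the slide's login form; assumed here to be
# typed into the password field with 'admin' as the username.
INJECTED = "' OR username IS NOT NULL OR username = '"


def login_concatenated(username, password):
    """Vulnerable: input is spliced into the SQL text. The leading quote
    closes the password literal, so the query becomes
    ... AND password = '' OR username IS NOT NULL OR username = ''
    and the always-true middle clause matches every row."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(username, password):
    """Hardened: bound parameters keep the input as data, so the same
    string is compared literally against the stored password."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    print(login_concatenated("admin", INJECTED))    # True: login bypassed
    print(login_parameterized("admin", INJECTED))   # False: rejected
    print(login_parameterized("admin", "S3cret!"))  # True: real credentials
```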
Inbound and Outbound Inspection
Diagram: inbound inspection for Layer 7 attacks; outbound inspection to protect against data theft via blocking or data masking.
Barracuda Web Application Firewall
• Based on reverse proxy technology
• Has bi-directional content inspection and security
• As a reverse proxy, it can load balance and accelerate application delivery
Securing web transactions
• HTTP is a stateless protocol
• Transaction boundaries are maintained using
  – Cookies
  – Read-only parameters
  – Session-bound enumerations
• Types of attacks against these
  – Tampering attacks
  – Hijacking attacks
  – Replay attacks
  – Cross site request forgery
Diagram: request and response between the browser and the web server.
Securing against rate based attacks
• Hackers can perform legitimate operations repeatedly to create problems
• Operations can result in
  – Creation of a session
  – Download of big files
  – Big database transactions
  – Slow downloads or uploads
• Types of attacks against these
  – Guessing of passwords
  – Excessive session creation rates
  – Resource choking
Securing outbound data
• Responses may contain
  – Sensitive information
    • Credit card numbers
    • Social Security Numbers
  – Errors
    • Server errors
• Useful to the hacker
  – Steal information
  – Fine tune the attack
Securing Against Distributed Denial of Service
Where it fits in
OSI layer         DoS attack
7 Application     Slowloris – incomplete HTTP requests
6 Presentation
5 Session
4 Transport       SYN flood – incomplete TCP handshakes
3 Network
2 Data Link
1 Physical        Cut a cable
DDoS Prevention Setting in Barracuda WAF
How the WAF protects against slow client attacks
DDoS Security: Geo Filter
• Geo Filter enables you to associate a geo pool with a Service to block incoming traffic originating from the geographical regions specified in the geo pool.
HTTP Parameter Pollution
• How does your web application respond if it receives multiple parameters all with the same name?
HPP prevention in the WAF
• The maximum number of instances of a parameter can be configured, for wildcard parameter names as well
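An added example (mine, not the deck's or Barracuda's code) of the question above and of a max-instances check: two ways a back end might resolve a repeated parameter, and a per-parameter cap that also accepts wildcard names. The policy format and the sample query string are assumptions.

```python
import fnmatch
from urllib.parse import parse_qsl

# Constructed request for illustration: 'id' and 'item_a' are repeated,
# the classic HTTP Parameter Pollution shape.
QUERY = "id=1&id=2&item_a=x&item_a=y"

# Assumed policy (my own format, not the WAF's configuration): maximum
# instances per parameter name, with wildcard names as the slide mentions.
MAX_INSTANCES = {"id": 1, "item_*": 3}
DEFAULT_MAX = 1


def first_wins(query):
    """Some back ends keep the first occurrence of a repeated parameter..."""
    seen = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        seen.setdefault(name, value)
    return seen


def last_wins(query):
    """...others keep the last; dict() over the pairs keeps the last value."""
    return dict(parse_qsl(query, keep_blank_values=True))


def limit_for(name):
    """Exact name first, then wildcard patterns, then the default cap."""
    if name in MAX_INSTANCES:
        return MAX_INSTANCES[name]
    for pattern, limit in MAX_INSTANCES.items():
        if fnmatch.fnmatchcase(name, pattern):
            return limit
    return DEFAULT_MAX


def hpp_violations(query):
    """Count instances per parameter and return (name, count, limit) for
    every parameter over its cap; a non-empty result means block."""
    counts = {}
    for name, _ in parse_qsl(query, keep_blank_values=True):
        counts[name] = counts.get(name, 0) + 1
    return [(n, c, limit_for(n)) for n, c in counts.items() if c > limit_for(n)]


if __name__ == "__main__":
    print(first_wins(QUERY)["id"], last_wins(QUERY)["id"])  # 1 2: ambiguous
    print(hpp_violations(QUERY))                            # [('id', 2, 1)]
```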
Cross site request forgery-example
1. A valid user, Alice, logs in to bank.example.com with her credentials. A trust relationship is established between Alice and bank.example.com at this point.
2. The attacker sends Alice a link (social engineering). The HTML code for the web page behind that link has an image tag pointing to bank.example.com that references an action, for example: <img src="http://bank.example.com/transfer?account=alice&amount=1000000&to=attacker">
3. Alice visits the attacker-controlled web page; Alice’s web browser parses the HTML content and thereby initiates an unintentional request to bank.example.com, requesting the action referenced in the HTML code.
4. bank.example.com completes the action since it trusts Alice as a valid user for that action.
WAF prevents CSRF
• CSRF prevention was configured per Website Profile, under URL Profiles
What’s new in Firmware v7.7:
• CSRF prevention is enhanced and supported as a global setting under Security Policies -> URL Protection
Threat Control Manager
• Barracuda’s approach to mitigating website vulnerabilities using vulnerability scanners
• Currently, the Barracuda Web Application Firewall supports only
  – IBM AppScan (version 7.9) and
  – Cenzic Hailstorm (version 6.6)
  – The exported assessment report should be in .xml format
How CSRF prevention works
• Users click on a link or go to the web page that has the HTML form
• The WAF detects the form in the response body and appends a hidden parameter with a hashed token value to the response page.
• The subsequent HTTP request that submits the form for that user is checked for the previously generated hidden parameter and token hash. If there is no match, the request is blocked as a CSRF violation.
• The same check is applied to URLs in case “Forms and URLs” is selected for CSRF prevention.
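The token mechanism described above as an added Python example (mine, not Barracuda's implementation): a hidden token is injected before each </form> on the way out and checked on the inbound submission. The field name csrf_token, the HMAC-based token derivation and the sample page are my assumptions.

```python
import hashlib
import hmac
import re
import secrets
from urllib.parse import parse_qs

# Assumed names (mine, not the product's): the hidden field name and the
# secret used to derive tokens. A real deployment ties tokens to the session.
TOKEN_FIELD = "csrf_token"
SECRET = secrets.token_bytes(32)

# Constructed response body from a protected site, modelled on the slide's
# bank.example.com transfer action.
SAMPLE_HTML = (
    '<html><body><form method="POST" action="/transfer">'
    '<input name="account"><input name="amount"><input name="to">'
    '<input type="submit"></form></body></html>'
)

FORM_RE = re.compile(
    r'(<form\b[^>]*\baction="([^"]*)"[^>]*>)(.*?)(</form>)', re.I | re.S)


def make_token(session_id, form_action):
    """Token bound to the user's session and the form's action via HMAC."""
    msg = (session_id + "|" + form_action).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def inject_tokens(html, session_id):
    """Outbound: append a hidden token input to every form in the response."""
    def add_hidden(m):
        hidden = '<input type="hidden" name="%s" value="%s">' % (
            TOKEN_FIELD, make_token(session_id, m.group(2)))
        return m.group(1) + m.group(3) + hidden + m.group(4)
    return FORM_RE.sub(add_hidden, html)


def check_request(session_id, path, body):
    """Inbound: allow the submission only if it carries the token issued for
    this session and this action; a forged cross-site request has none."""
    sent = parse_qs(body).get(TOKEN_FIELD, [""])[0]
    return hmac.compare_digest(sent, make_token(session_id, path))


if __name__ == "__main__":
    page = inject_tokens(SAMPLE_HTML, "sess-alice")
    tok = re.search(r'name="%s" value="(\w+)"' % TOKEN_FIELD, page).group(1)
    print(check_request("sess-alice", "/transfer", "to=bob&%s=%s" % (TOKEN_FIELD, tok)))  # True
    print(check_request("sess-alice", "/transfer", "amount=1000000&to=attacker"))        # False
```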
Identity and Access Management
• LDAP and RADIUS integration
  – Including Active Directory
• Simple Single Sign-On (SSO)
• Two-Factor Authentication
  – Certificate-based authentication
  – RSA token IDs
  – SMS Passcode integration
• Access Control
  – Granular policies governing what areas or which resources users can access
User Authentication
• User DB
  – Internal: stored user database
  – Or external: LDAP, RADIUS
• Client Certificates
  – Digital certificate authentication can also be used
Diagram (sign-on flow through the WAF, with LDAP, RADIUS or another external authentication system):
  1. Initial access
  2. Prompt: “Please supply User-ID / Password”
  3. User supplies credentials
  4. DB verification
  5. Access to the start page after successful sign-on
Multi Domain SSO
• User needs to log in only once across multiple domains
• Master domain and slave domains are defined
  – Ex. slave: abc.com and master: xyz.com
• If the request comes directly to the slave domain (www.abc.com) before the master, it is redirected to the master.
• Master domain issues the authentication cookie
Diagram: a request for http://www.abc.com/protected.html should have gone straight to the slave domain (www.abc.com), but the BWAF redirects the request to the master domain (www.xyz.com).
Application Delivery and Acceleration
• High Availability Cluster
• Load balancing
• SSL offloading
• Content Caching
• Compression
• Connection pooling
Evolution of DMZ Architecture
Diagram: the Barracuda Web Application Firewalls sit at the perimeter in front of the servers and consolidate what used to be separate devices:
• SSL Accelerators
• Security (Web & XML)
• Caching
• Load Balancing
• Access Control
Further labels on the diagram: IPv6/IPv4 on either side of the WAF (IPv6 to IPv6, IPv6 to IPv4, IPv4 to IPv6), Vulnerability Scanner Integration, Role Based Administration.
Backed by Barracuda Central
• Attack updates
• Anti Virus updates
• Definition updates
• Geo Location updates
• IP Reputation updates
VLAN Trunking
• The 7.7 firmware release adds support for VLAN Trunking
• One Vsite per VLAN; the Vsite hosts the Services that belong to that VLAN
• The WAN IP and WAN default gateway should be on the default VLAN
Active-Active HA
Automatic Failover-Failback
Manual Mode
VSite concept example 1 – Standalone setup
• Vsite “test” is created and one service is part of the vsite
• A vsite-level route is configured to route all traffic through 192.168.30.2, which is different from the WAN GW, 192.168.20.2
• Possible: to create ACLs specific to the vsite
VSite concept example 2 – HA setup
WAF Load Balancing
SSL Offloading
• The Barracuda WAF does SSL encryption and decryption
  – Offloads the job of encryption from the servers to the Barracuda
  – Requires only 1 certificate instead of 1 certificate for each server
  – Back-end SSL between the WAF and the servers is also available
Diagram: HTTPS from clients to the WAF, HTTP from the WAF to the servers.
Caching and Compression
• Caching
  – Docs, PDFs, images and other file types can be cached locally instead of being repeatedly pulled from the application server
• Compression
  – Text can be compressed using gzip or deflate
  – Compression should be done by the WAF and not the application server
Connection pooling
• Setting up TCP sessions can be resource intensive
• WAF automatically pools multiple front-end connections into a single back-end connection
• This reduces connection overhead and improves server performance
Configuration, Logging, Monitoring & Reporting
• Web-based UI
• Role-Based Access Control
• Comprehensive logging
• Syslog support
• Extensive reports
Gain Visibility
Diagram: the DMZ architecture again, with the Barracuda Web Application Firewalls backed by Barracuda Central (the same attack, anti-virus, definition, geo-location and IP reputation update feeds as listed above).
Barracuda WAF Web Interface
• Easy
• Intuitive
• Consistent
• Multiple Languages
• Configure and Forget
Role-Based Access Control
• Each admin user has unique login credentials, privileges and permissions
• Admins can be defined and authenticated with LDAP
• Compliant with PCI DSS Section 7.1
Log Types
• Access Logs
• Web Firewall Logs
• Audit Logs
Deployment Options
WAF in the Network
• Modes of Operation
  – Bridge Mode
    • With Ethernet Fail Open
  – Proxy Mode
    • Inline or One-Arm
Diagram: Clients – Internet – Switch / Router – N/w Firewall – Web Application Firewall – Switch – application servers (Application 1: 223.216.5.9, Application 2: 223.216.5.10, Application 3).
The WAF should be between the network firewall and the switch to the backend application servers.
Bridge and Proxy Mode
• Bridge Mode
  – Operates as a Layer 2 bridge
  – Traffic meeting the specified definitions is inspected and then passed to the app server
  – The rest of the traffic is bridged
• Proxy Mode
  – Operates as a Layer 3 router
  – Client sessions terminate at the WAF
  – The WAF initiates the session to the app server
  – Traffic meeting the specified definitions is inspected
  – The rest of the traffic is blocked
Bridge Mode Deployment
• Bridge mode deployment uses the same IP for the VIP as the IP addresses of the Web servers
Diagram: Clients – Internet – Switch / Router – N/w Firewall – Barracuda Web Application Firewall – Switch – Application 1 (223.216.5.9), Application 2 (223.216.5.10). The IP addresses of the Web servers (Application 1: 223.216.5.9, Application 2: 223.216.5.10) are configured on the Web Application Firewall.
The WAN and LAN must be on two different logical switches.
Bridge Mode
• Advantages
  – No addressing changes needed on firewall or app servers
  – No NAT required
  – Ethernet Fail Open available
• Disadvantages
  – No TCP Connection Pooling available
  – No Load Balancing available
  – Not as secure as Proxy mode
Hardware Bypass Feature
Diagram: three states of the Barracuda Web Application Firewall sitting between the Wide Area Network (WAN) and the Local Area Network (LAN), each showing the System Health Monitor and the firewall component:
• Normal operation: traffic passes through the firewall component
• Fail safe, component failure: the firewall component is marked failed (!!!) and the hardware bypass keeps WAN and LAN connected
• Fail safe, power failure: the hardware bypass keeps WAN and LAN connected
Inline Proxy Mode
Diagram: Clients – Internet – Switch / Router – N/w Firewall – Web Application Firewall (VIP 1: 223.216.5.9, VIP 2: 223.216.5.10) – Switch – Application 1 (10.0.0.1), Application 2 (10.0.0.2).
• Server IPs change to private addresses
• Also called “Full Reverse Proxy Mode”
One-Armed Configuration
Diagram: the WAF hangs off the Switch / Router in the DMZ on one arm. Client traffic from the Internet continues to the server at its advertised IP for the website (10.10.10.101:80, no changes), while test traffic goes to the VIP on the WAF (10.10.10.202:80).
• Testers can use the internally published VIP
• Once the evaluation of the Barracuda WAF is complete, it can be moved inline into production, either coexisting with the load balancer or replacing it
Review: Deployment Modes
Criteria compared across the Reverse Proxy, Bridge and One-Armed modes:
• Maximize network bandwidth (use both ports)
• Create a secure path to Web servers
• Load Balancing and Layer 7 features (e.g. Instant SSL)
• Minimize change to existing network infrastructure
• Integrate with existing enterprise load balancers
• Establish multiple paths to servers for testing
• Cannot change existing server IP addresses
Sizing and Product Selection
• https://www.barracudanetworks.com/products/webapplicationfirewall/models
Model Comparison By Capacity
Proper WAF Sizing
Barracuda Web Application Firewall Product Line (SMB to Enterprise):
• Barracuda Web App Firewall 360
• Barracuda Web App Firewall 460
• Barracuda Web App Firewall 660
• Barracuda Web App Firewall 860
• Barracuda Web App Firewall 960
• Vx
Summary : What does Barracuda WAF do ?
• Attack protection
  – SQL injection, Cross Site Scripting, Command injection, CSRF ….
  – DoS, Brute Force, Session Hijacking, XML attacks, Anti Virus protection
• Data Theft Protection – Credit Cards, SSN, Custom patterns
• Website Cloaking
• Access Control – Form and Basic Authentication and Single Sign On with integrations into LDAP, RADIUS, CA SiteMinder, RSA SecurID
• Application Delivery – Load Balancing, Caching, Compression, SSL Offloading, Rate Control
Thank You