Page 1: Development of a Web 2.0 Firewall - genua · Development of a Web 2.0 Firewall Parallel Application Recognition in Overlay Networks Author: Alexander von Gernler, genua mbh ... it

Development of a Web 2.0 Firewall

Parallel Application Recognition in Overlay Networks

Author: Alexander von Gernler, genua mbh

Abstract:

Nowadays it is hardly possible to envisage modern web sites without Web 2.0 and its protocols and frameworks such as JavaScript, AJAX, JSON, XML-RPC, and the Google API. Web 2.0 technology provides web sites with powerful toolsets for graphic design and the delivery of database-driven content management but at the same time it is almost impossible to keep a check on this technology.

PADIOFIRE is a joint research project started in July 2011 as part of a security research program funded by the Federal German Ministry of Education and Research and is concerned with securing and inspecting Web 2.0 traffic through firewalls.

Project Aims

Whereas in the 90s web sites were static objects for the presentation of information, it has become the norm that today’s Web 2.0 landscape of colorful and interactive web presences encourages the provision of information by their users, either in the form of comments or uploads.

And this change in environment doesn’t stop short of the typical workstation in the public sector: even though the majority of working time spent using a browser may be spent mainly with applications running within the organizational Intranet, a quick enquiry on one of the Google pages to gather more information has now become standard.

At the same time, personnel departments have made checks into candidates’ backgrounds using Facebook and other social networks a routine part of their work. Not to speak of the use of Web 2.0 sites during the lunch hour or for quick private excursions in between times.

Access to Web 2.0 content at the workplace has become the norm today, when it is not blocked by a company firewall filter.

Page 1


Facebook: now available as a business application for social marketing and personnel management

However, the difficulties do not lie in the primary contents of the pages being accessed. With companies making ever-increasing use of blogs, Twitter and YouTube channels to attract attention to themselves, it is desirable, for example, that in addition to their normal activities employees further the recruitment of new colleagues through networking.

The danger here lies in the misuse of the powerful frameworks that are used to realize these platforms: While everything in the “old” web was static, the new networks thriving under the diffuse title of “Web 2.0” rely upon program logic being executed on the client side – i.e. in the browser.

In combination with the ability to establish rapid communication between browser and server and to download content without a page being fully reloaded, this means that a variety of powerful tools are available to attackers. And these tools can be used for a wide range of tasks: spying out information from the local browser cache, monitoring sessions or using the client as an unknowing platform for further attacks: creativity knows no boundaries in this field.

This has become possible because nowadays the activation of active content in browsers – starting with JavaScript – has become unavoidable, with the majority of pages otherwise remaining “empty”.


Message: “Your browser does not support JavaScript”

In the security field – that is not only in companies with security needs or in official organizations but also in firms that want to avoid an all-too-simple flow of information out of their internal network – there was only one solution for this problem: JavaScript and other active content is filtered out as far as possible. This can either result from a directive requiring all browsers in the company to be configured to do this or from a centrally configured firewall, which is the better method. This 99 percent solution would normally be sufficient but can be circumvented through one of those subtle channels that appear from time to time: different encoding procedures, differences in implementation, changes in standards, etc. This solution also means that the network can be used safely but not very comfortably, because important sites function either minimally or not at all.

An Ideal Solution

It would be desirable not only to be able to “throw a big switch” here and completely ban Web 2.0 technology, but also to set up a fine-grained set of guidelines.

This would mean that an administrator could, for example, determine that in general Web 2.0 pages cannot be opened but that the interactive view of Google Maps should be allowed to be used for planning company business trips – even in an otherwise tightly safeguarded internal company network.

However, it is not enough for this project to simply carry out standard URL filtering from the standpoint that all content that comes from maps.google.de may pass the firewall. First of all, one may perhaps want to allow only one of the many pages on a particular host. Secondly, as recently demonstrated by security experts such as Dan Kaminsky, DNS impersonations are possible through attacks targeted at the Internet name system, so that it is theoretically possible for an attacker to appear to come from a company address such as maps.google.de – at least for long enough to place malicious code. And thirdly, even SSL security certificates that are supposed to guarantee that content comes from a particular Internet domain have fallen into disrepute after recent analysis by experts such as Moxie Marlinspike and others.

Firewall GUI: Prohibited JavaScript with exception list

Towards a Solution

It should be clear that in the security field one cannot rely on “repackaging” and instead would like to analyze not only the content being transported but also the Web 2.0 logic itself. The logic being transported is seen within the project as overlays or additional transport layers that are created through the conversion of the application layers (so called overlaying).

The hypertext transport protocol (HTTP), for example, is being used nowadays for purposes beyond the straightforward transport of text in a markup language such as HTML. In particular HTTP 1.1 and its persistent connections, together with HTML5 and its WebSocket extension, present a very wide field to be covered.

Overlaying – a protocol within a protocol within a protocol

To be able to gain knowledge of the real contents being transported despite this complexity it is necessary to first unravel the many layers of the transport protocol. It is only possible to carry out a semantic analysis of the content actually being transported after this separation of the transport layers has been carried out. Help for the classification of the content rushing by is drawn from a related field: network based intrusion detection systems (NIDS), which basically spend their time listening to the traffic in, for example, a whole network segment. These systems attempt to extract from the traffic those content patterns that may indicate anomalies (variations from the normal state) and, in particular, whether an attack on the system may be in progress.

In order to be able to easily adapt NIDS to the problems in question, a language is to be developed as part of the PADIOFIRE project, in which the content of the Web 2.0 communication that is to be recognized by the detection system is to be described in rule sets. The adaptation of the NIDS technology for overlay analysis fulfils the first phase of the PADIOFIRE project: the overlay and application protocol analysis by an IDS based rule language.
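As an added illustration of the layer unravelling and rule-based classification described in the two paragraphs above (this is example code, not PADIOFIRE's rule language or any partner's implementation), the following Python peels a constructed HTTP response in the order a detection system needs: chunked framing, then gzip, then the JSON overlay, and only then matches content rules against the JavaScript carried inside. The sample response, the rule names and the `script` member are all constructed for this example.

```python
import gzip
import json
import re

# Constructed sample: a JSON (AJAX-style) payload whose "script" member carries
# JavaScript. This is not captured traffic.
INNER_JSON = json.dumps({"status": "ok", "script": "var c = document.cookie; eval(c);"}).encode()

def build_chunked_gzip_response(payload: bytes) -> bytes:
    """Test-input builder: gzip the payload, then frame it with HTTP chunked encoding."""
    gz = gzip.compress(payload)
    body = b"%x\r\n%s\r\n0\r\n\r\n" % (len(gz), gz)
    return (b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
            b"Content-Encoding: gzip\r\nTransfer-Encoding: chunked\r\n\r\n" + body)

def dechunk(body: bytes) -> bytes:
    """Remove HTTP/1.1 chunked transfer encoding (hex size line, data, CRLF, ..., 0 chunk)."""
    out, pos = bytearray(), 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)   # chunk extensions are ignored
        if size == 0:
            return bytes(out)
        out += body[end + 2:end + 2 + size]
        pos = end + 2 + size + 2                       # skip the data and its trailing CRLF

def unwrap_layers(raw: bytes):
    """Peel the transport layers in order: HTTP framing -> chunking -> gzip -> JSON."""
    head, body = raw.split(b"\r\n\r\n", 1)
    headers = {}
    for line in head.split(b"\r\n")[1:]:              # skip the status line
        name, value = line.decode().split(":", 1)
        headers[name.strip().lower()] = value.strip().lower()
    if headers.get("transfer-encoding") == "chunked":
        body = dechunk(body)
    if headers.get("content-encoding") == "gzip":
        body = gzip.decompress(body)
    return headers, json.loads(body)

# Constructed content rules, standing in for a rule set written in an IDS rule language.
RULES = {
    "cookie_read": re.compile(r"document\.cookie"),
    "dynamic_eval": re.compile(r"\beval\s*\("),
}

def classify(raw: bytes) -> list:
    """Return the names of the rules that match the JavaScript inside the JSON overlay."""
    _, doc = unwrap_layers(raw)
    return [name for name, rx in RULES.items() if rx.search(doc.get("script", ""))]
```

Matching only after the outer layers are removed is the point: the same rules run directly against the chunked, compressed bytes on the wire would see nothing.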

The problem now remaining is to make the performance of the whole system acceptable: modern network connections work in the region between 1 and 10 GBit/s. A meaningful analysis of the data flow must be scalable against the number of computer systems in use, or at least against the number of processor cores within a system, otherwise the undertaking will rapidly become unworkable with increasing bandwidth.

A flow-based approach is recommended in order to be able to distribute the workload over a number of systems or cores. This approach means that all data packets that belong to a logical connection have to be processed by the same analysis system – otherwise an important context for the analysis will be missing.

The division of the network traffic into separate streams according to the communication relationships should be carried out using the already existing “Vermont” toolkit, developed as part of the HISTORY research project. This means that a further part of the project, the efficient monitoring and parallel detection on multicore systems, will also have been completed.
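An added example of the flow-based distribution described above (written for this page, not code from Vermont or PADIOFIRE): a direction-independent flow key is hashed onto a worker index, so that both halves of a connection reach the same analysis core, and a checker verifies that invariant over constructed sample traffic. The packet format, the address ranges and the naive per-packet key shown for contrast are assumptions of this example.

```python
import hashlib
import ipaddress
from collections import defaultdict

def flow_key(pkt):
    """Direction-independent 5-tuple: request and response of one connection share a key."""
    a = (int(ipaddress.ip_address(pkt["src"])), pkt["sport"])
    b = (int(ipaddress.ip_address(pkt["dst"])), pkt["dport"])
    lo, hi = sorted((a, b))                 # order the endpoints, not the wire direction
    return (pkt["proto"], lo, hi)

def naive_key(pkt):
    """Per-packet key in wire order; the two directions of one flow get different keys."""
    return (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])

def worker_for(key, n_workers):
    """Stable hash of a key onto a worker index (identical on every node and every run)."""
    digest = hashlib.blake2b(repr(key).encode(), digest_size=8).digest()
    return int.from_bytes(digest, "big") % n_workers

def dispatch(packets, n_workers, keyfn=flow_key):
    """Assign packets to worker queues; with flow_key a whole connection lands on one worker."""
    queues = defaultdict(list)
    for pkt in packets:
        queues[worker_for(keyfn(pkt), n_workers)].append(pkt)
    return dict(queues)

def flows_are_intact(queues):
    """Invariant check: no connection (by flow_key) is spread over more than one worker."""
    owner = {}
    for worker, pkts in queues.items():
        for pkt in pkts:
            if owner.setdefault(flow_key(pkt), worker) != worker:
                return False
    return True

def _pkt(src, sport, dst, dport, proto):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto}

# Constructed sample traffic using documentation address ranges: two TCP (HTTP/HTTPS)
# connections and one UDP DNS exchange, each with both directions present.
PACKETS = [
    _pkt("192.0.2.5", 51000, "203.0.113.10", 80, 6),  _pkt("203.0.113.10", 80, "192.0.2.5", 51000, 6),
    _pkt("192.0.2.7", 51001, "203.0.113.10", 443, 6), _pkt("203.0.113.10", 443, "192.0.2.7", 51001, 6),
    _pkt("192.0.2.5", 40000, "192.0.2.53", 53, 17),   _pkt("192.0.2.53", 53, "192.0.2.5", 40000, 17),
]
```

Using `naive_key` in `dispatch` reproduces the failure mode the text warns about: the reply direction can be hashed to a different core than the request, and that core then analyses half a conversation.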

Schematic structure of the PADIOFIRE project

However, there is more to be done than detection: a reaction has to take place once the parallelized application recognition has detected a suspicious data flow. A signal has to be sent to the firewall, which in turn has to react appropriately. This is where the second part of the project comes into play: the development of a firewall architecture with asynchronously coupled overlay detection.


Funding and Participating Partners

The PADIOFIRE project is supported by the Federal German Ministry of Education and Research.

The coordinating partner of this joint venture is the Brandenburg Technical University in Cottbus, Germany. The Friedrich-Alexander University of Erlangen in Nuremberg, Germany (FAU) and the Gesellschaft für Netzwerk- und Unix-Administration genua mbh from Kirchheim by Munich, Germany continue as cooperating partners. The University of Innsbruck in Austria and Ixia Technologies Europe, represented through their German subsidiary in Gilching by Munich, Germany are associate partners.

Project Summary: A Short Description of the Partners

BTU (Brandenburg University of Technology), Cottbus: Lehrstuhl Rechnernetze und Kommunikationssysteme (Chair of Computer Networks and Communications Systems)

• Key research areas:

Host and network based signature recognition, signature engineering, intrusion detection

• Project roles:

Project coordination, work on the IDS component and rule based policy language (key areas: SGML integration, signatures for JavaScript applications)


FAU Erlangen, Lehrstuhl für Sicherheitsinfrastrukturen (Chair of Security Infrastructure)

• Key research areas:

Expertise in practical computer security: cold boot attacks, malware, timing and side channel attacks, models of attack on wireless networks

• Project roles:

Development of a system for estimating the danger from known JavaScript code; Work on the compromise between security and performance for the project demonstrator

genua Gesellschaft für Netzwerk- und Unix-Administration mbH

• Key research areas:

Long term practical experience in the implementation of specific application proxies on the application level gateway of the two-stage genugate high security firewall; Experience with security requirements through numerous certification and approval procedures for their own products

• Project roles:

HTTP integration of the intrusion detection system (key areas: compression, dechunking); asynchronous coupling of an in-house firewall in the system


University of Innsbruck, Austria, Lehrstuhl Technische Informatik (Chair for Technical Computer Studies)

• Key research areas:

Relevant preparatory work through a series of master’s theses in the faculty

• Project roles:

Activation of the intrusion detection system based on anomaly detection, performance optimization with the Vermont monitoring toolkit, possibly extended detection of HTTP sessions

Ixia Technologies Europe Limited

• Key research areas:

Cutting edge practical experience as test equipment manufacturer and service provider for high performance IT infrastructure components

• Project roles:

Provision of test equipment for the demonstrator, adaptation of test scenarios for the project

About the author

Dipl.-Inf. (Diploma in Computer Science) Alexander von Gernler is responsible for research projects at genua mbh and is always on the lookout for new and interesting fields of activity around computer and network security. Before this he worked at genua as a software and system developer and as scrum master. He has thereby acquired a great deal of practical experience, which he is able to profit from in his current position.
