Page 1: Securing Modern Web Apps · 2018-04-19 · Attacker launches web-application attack. Detect where you can. Mitigate where it’s right. Client / Attacker Perimeter Data Center DefensePro

Securing Modern Web Apps

Thomas Gobet

Architect, WAF & Application Protection EMEA / CALA

19/04/2018

Page 2: Agenda

• WAF introduction

• Machine learning algorithms

• Deployment options

• Authentication gateway

• Bot detection

Page 4: OWASP A6: Security misconfiguration

• Security misconfiguration is the most commonly seen issue

• Insecure default configurations

• Incomplete or ad-hoc configurations

• Error messages exposing sensitive data

• …

• Migrating to cloud environments requires more knowledge and time to secure

• Fully automatic policy generation is now a must

Page 5: OWASP A10: Insufficient logging & monitoring

• Most breach studies show time to detect a breach is over 200 days

• "Insufficient Logging & Monitoring" refers to the ability of organizations to quickly detect and respond to a security incident.

• Logging all relevant information, such as HTTP request/response, username and security violation, is mandatory.

• GDPR requires logs, authenticity and confidentiality.

Page 6: GDPR Recitals 39 and 49

Recital 39: personal data should be processed in a manner that ensures appropriate security and confidentiality, including preventing unauthorized access to or use of personal data and the equipment used for the processing.

Recital 49: the ability of a network or an information system to resist accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems. This could, for example, include preventing unauthorized access to electronic communications networks and malicious code distribution and stopping 'denial of service' attacks and damage to computer and electronic communication systems.

Page 7: AppWall overview

Page 8: Introducing: AppWall

The Background: WAFs help enterprises block attacks targeting their web applications and achieve compliance (e.g. PCI).

The Challenge: difficult & costly to deploy & maintain; long time to security; high total cost of ownership.

The Solution: AppWall is the best performing application security solution for attack mitigation, PCI compliance and web security.

Page 9: Complete Web Application Protection

Terminate TCP, parse HTTP, then apply the following protections:

• Evasions: HTTP response splitting (HRS); signatures applied on normalized traffic; URL / Base64 / UTF-8 encoded injections

• Signature & Rule Protection: cross site scripting (XSS); SQL injection, LDAP injection, OS commanding

• Data Leak Prevention: credit card number (CCN); Social Security number (SSN); regular expression
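The "signatures applied on normalized traffic" row is the part of this list that most often goes wrong in practice: a rule that matches `' OR 1=1` sees nothing if it runs before the second layer of percent-encoding or a base64 wrapper has been removed. The block below is an added illustration of that decode-then-match order; it is not AppWall code, and the three signatures, the decode-round bound and the sample parameter values are constructed for the demo.

```python
import base64
import re
import urllib.parse

# Constructed demo signatures, matched only after normalization. A real WAF
# ships far more rules; the point here is the decode-then-match order.
SIGNATURES = {
    "sqli": re.compile(r"(?i)(['\"]\s*(?:or|and)\s+\d+\s*=\s*\d+|union\s+select|;\s*drop\s+table)"),
    "xss": re.compile(r"(?i)(<script\b|javascript:|on(?:load|error|click)\s*=)"),
    "os_cmd": re.compile(r"(?:;|\||&&)\s*(?:cat|ls|id|whoami|wget|curl)\b"),
}
MAX_DECODE_ROUNDS = 4  # bound on nested %-encoding; reaching it is itself reported
_B64 = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def percent_decode_fully(value):
    """Repeatedly %-decode until the value stops changing; returns (decoded, rounds).

    A single pass turns %2527 into %27 and leaves the quote hidden; iterating
    (with a bound) is what defeats double and triple encoding.
    """
    rounds, current = 0, value
    while rounds < MAX_DECODE_ROUNDS:
        decoded = urllib.parse.unquote_plus(current)
        if decoded == current:
            break
        current, rounds = decoded, rounds + 1
    return current, rounds


def maybe_base64_decode(value):
    """Unwrap a value that is valid base64 of printable text; otherwise leave it.

    Percent-decoding runs first, as the query-string layer does, so a base64
    value carrying a literal '+' must have been sent as %2B. Short alphanumeric
    values that happen to decode to printable text are a known false-unwrap risk.
    """
    if len(value) % 4 or not _B64.match(value):
        return value
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return value
    return text if text.isprintable() else value


def normalize(value):
    """Canonical form the signatures are run against, plus the decode depth seen."""
    decoded, rounds = percent_decode_fully(value)
    decoded = maybe_base64_decode(decoded)
    # Collapse whitespace so "OR  1 = 1" and "OR 1=1" hit the same rule.
    return re.sub(r"\s+", " ", decoded).strip(), rounds


def inspect_param(name, raw_value):
    """Return one violation record per rule that fires on the normalized value."""
    normalized, rounds = normalize(raw_value)
    hits = []
    if rounds >= MAX_DECODE_ROUNDS:
        hits.append({"param": name, "rule": "excessive_encoding",
                     "normalized": normalized, "decode_rounds": rounds})
    for rule, rx in SIGNATURES.items():
        if rx.search(normalized):
            hits.append({"param": name, "rule": rule,
                         "normalized": normalized, "decode_rounds": rounds})
    return hits
```

The violation record carries the normalized value and the decode depth so that the log entry (page 5's "logging all relevant information") shows what the rule actually matched, not the opaque wire form.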

Page 10: Complete Web Application Protection (continued)

• Parameters Inspection: buffer overflow (BO); zero-day attacks

• User Behavior: cross site request forgery; cookie poisoning, session hijacking

• Layer 7 ACL: application / folder / file / param level access control; white listing or black listing

• XML, JSON & Web Services: XML & JSON validity and schema enforcement

• Role Based Policy: authentication; user tracking

Page 11: Uniquely Employing Positive Security Model

Positive Security Model

• Learns and defines what actions are legitimate traffic

• Blocks unauthorized access or actions that are not permitted

• Uniquely protects from 0-day attacks and unknown vulnerabilities

• Higher layer of protection: FULL OWASP TOP-10 protection, minimum false-positives

Negative Security Model

• Standard across most cloud WAF services and WAF technologies

• Blocks known attacks via known signatures and rules

• Cannot provide FULL protection against OWASP TOP-10

• Cannot protect from unknown vulnerabilities: 0-day attacks

Page 12: Automation through Auto Policy and API

Diagram labels: Multiple Policies, User, Alteon NG, Int vADC, Ext vADC, Automation & Orchestration Infrastructure.

Flow 1, scaling out:

• Step #1.1 Growing traffic volume to the web application

• Step #1.2 High AppWall resource utilization

• Step #1.3 Add AppWall instance

• Step #1.4 Reduced resource utilization

Flow 2, onboarding:

• Step #2.1 New tenant application added

• Step #2.2 New policy assigned

Page 13: Automation Flows – REST APIs

Network team (a new AppWall: new data center, scale): add a new service IP, protected web server and tunnel.

Application teams (a new web app): add a new web app from a custom template; policy distribution with a custom policy templates menu.

Page 14: Machine learning algorithms

Page 15: Going Beyond Static Signature Protection: Machine-learning Algorithms to Automatically Generate Policies

Continuously detect changes in the application and acceptable user behavior to keep protection current:

• App Mapping to detect new web applications and changes in existing ones

• Auto Threat Analysis covering ALL OWASP Top-10 and 150+ attack vectors

• Policy Generation with auto-optimization of out-of-the-box rules to minimize false positives

• Auto Policy Activation adding tailored app rules and optimizing for best accuracy
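The positive security model of page 11 and the learn-then-activate pipeline above come down to one mechanism: record which URLs, methods and parameter shapes legitimate traffic actually uses, then treat anything outside that profile as a violation. The block below is an added sketch of that mechanism, not Radware's algorithm; the value classes, the 1.5x length margin and the sample traffic for www.reservations.com are constructed, and a production learner would add a confidence threshold before trusting a profile and a re-learn step when the application changes (page 36).

```python
import math
import re
from collections import defaultdict

# Constructed value classes, ordered from most to least restrictive. A learned
# parameter is widened to the loosest class seen during learning; at enforce
# time a value in a looser class than that is a violation.
VALUE_CLASSES = [
    ("digits", re.compile(r"^\d+$")),
    ("alpha", re.compile(r"^[A-Za-z]+$")),
    ("alnum", re.compile(r"^[A-Za-z0-9_-]+$")),
    ("email", re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")),
    ("text", re.compile(r"^[\w\s.,'-]*$")),
]
RANK = {name: i for i, (name, _) in enumerate(VALUE_CLASSES)}
RANK["any"] = len(VALUE_CLASSES)  # quotes, '<', '=', ';' etc. land here


def classify(value):
    for name, rx in VALUE_CLASSES:
        if rx.match(value):
            return name
    return "any"


class PositivePolicy:
    """Per-URL allow-list of methods and parameter profiles learned from traffic."""

    def __init__(self, length_margin=1.5):
        self.margin = length_margin          # headroom over the longest learned value
        self.methods = defaultdict(set)      # path -> {methods}
        self.params = defaultdict(dict)      # path -> {param: {"class", "max_len"}}

    def learn(self, request):
        path = request["path"]
        self.methods[path].add(request["method"])
        for name, value in request["params"].items():
            prof = self.params[path].setdefault(name, {"class": "digits", "max_len": 0})
            seen = classify(value)
            if RANK[seen] > RANK[prof["class"]]:
                prof["class"] = seen
            prof["max_len"] = max(prof["max_len"], len(value))

    def enforce(self, request):
        """Return the list of violations; an empty list means the request fits the profile."""
        path = request["path"]
        if path not in self.methods:
            return [f"unknown URL {path}"]          # never seen in learning, e.g. /admin/
        violations = []
        if request["method"] not in self.methods[path]:
            violations.append(f"method {request['method']} not learned for {path}")
        for name, value in request["params"].items():
            prof = self.params[path].get(name)
            if prof is None:
                violations.append(f"unknown parameter {name} on {path}")
                continue
            seen = classify(value)
            if RANK[seen] > RANK[prof["class"]]:
                violations.append(f"{name}: value class {seen} outside learned class {prof['class']}")
            limit = math.ceil(prof["max_len"] * self.margin)
            if len(value) > limit:               # the buffer-overflow bucket of page 10
                violations.append(f"{name}: length {len(value)} exceeds learned limit {limit}")
        return violations


# Constructed sample of legitimate traffic observed during the learning phase.
SAMPLE_TRAFFIC = [
    {"method": "GET", "path": "/hotels/", "params": {"city": "Paris", "stars": "4"}},
    {"method": "GET", "path": "/hotels/", "params": {"city": "Marseille", "stars": "3"}},
    {"method": "GET", "path": "/info/", "params": {}},
    {"method": "POST", "path": "/reserve/",
     "params": {"hotel_id": "123", "nights": "2", "email": "alice@example.com"}},
    {"method": "POST", "path": "/register/",
     "params": {"name": "Alice Martin", "email": "alice@example.com"}},
]


def build_demo_policy():
    policy = PositivePolicy()
    for request in SAMPLE_TRAFFIC:
        policy.learn(request)
    return policy
```

Note what the profile gives you for free: `/admin/` and `/config/` are blocked not because a rule names them but because no legitimate user ever reached them during learning, which is the "prevent access to sensitive app sections" outcome of page 18.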

Page 16: App Mapping

App Mapping of www.reservations.com discovers the application sections: /config/, /hotels/, /info/, /reserve/, /admin/, /register/

Page 17: App Mapping, Threat Analysis

Threat Analysis for www.reservations.com (sections /config/, /hotels/, /info/, /reserve/, /admin/, /register/) identifies the threats per section:

• SQL Injection

• CCN breach

• Directory Traversal

• Buffer Overflow

Impacts shown on the slide: spoof identity, steal user information, data tampering; information leakage; unexpected application behavior, system crash, full system compromise; gain root access control.

Page 18: App Mapping, Threat Analysis, Policy Generation

Policy Generation for www.reservations.com (/config/, /hotels/, /info/, /reserve/, /admin/, /register/) turns the identified threats (SQL Injection, CCN breach, Directory Traversal, Buffer Overflow) into countermeasures:

• Prevent access to sensitive app sections

• Mask CCN, SSN, etc. in responses

• Parameters inspection

• Traffic normalization & HTTP RFC validation
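"Mask CCN, SSN, etc. in responses" (and the Data Leak Prevention row of page 9) is a response-side control, so it has to be cheap, and its main failure mode is masking things that merely look like card numbers. The block below is an added example of such a filter, not AppWall's implementation; the candidate patterns and the sample response body are constructed, and a Luhn check is used so that 16-digit order or tracking numbers survive untouched.

```python
import re

# Candidate 13-19 digit runs with optional space/dash separators (constructed pattern).
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN shape, excluding area/group/serial values that are never issued.
SSN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits):
    """Luhn checksum; separates real PANs from numbers that only look like them."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_card(raw):
    """Mask all but the last four digits, keeping the original separators in place."""
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_ok(digits):
        return raw                      # order number, not a card: leave it alone
    keep_from = len(digits) - 4
    out, seen = [], 0
    for ch in raw:
        if ch.isdigit():
            out.append(ch if seen >= keep_from else "*")
            seen += 1
        else:
            out.append(ch)
    return "".join(out)


def mask_response(body):
    """Return (masked_body, counts) for a response body on its way to the client."""
    counts = {"ccn": 0, "ssn": 0}

    def ssn_sub(m):
        counts["ssn"] += 1
        return "***-**-" + m.group(0)[-4:]

    def card_sub(m):
        masked = mask_card(m.group(0))
        if masked != m.group(0):
            counts["ccn"] += 1
        return masked

    body = SSN.sub(ssn_sub, body)
    body = CARD_CANDIDATE.sub(card_sub, body)
    return body, counts
```

The counts are what you log and alert on: a single masked PAN in a page that should never carry one is an application bug worth a ticket, not just a masked byte.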

Page 19: App Mapping, Threat Analysis, Policy Generation, Policy Activation

Policy Activation for www.reservations.com (same sections and threats as on the previous pages):

• Time to protect

• Add tailored application rules

• Optimize rules for best accuracy

• Virtually zero false positives

Page 20: Shortest Time to Security

App Mapping, Threat Analysis, Policy Generation, Policy Activation

Page 21: Deployment options

Page 22: Deployment Options

Standalone:

• Reverse Proxy / Bridge

• Virtual / Physical

• Cluster support

• Defense Messaging with DefensePro

Fast. Reliable. Secure.

All-in-One Application Delivery & Security:

• Out-of-path or inline deployment

• Supporting up to 10 Gbps

• Multiple vADC with Fault Isolation

Page 23: Integrated Hybrid Solution

Attacks along the path (Internet pipe, firewall, load balancer/ADC, server under attack, SQL server):

• Large volume network flood attacks

• SYN floods

• "Low & Slow" DoS attacks (e.g. Sockstress)

• Network scan

• HTTP floods

• SSL floods

• App misuse

• Brute force

• XSS, CSRF, SQL injections

Protection layers: cloud DDoS protection, DoS protection, behavioral analysis, IPS/IDS, WAF, SSL protection.

Page 24: Multi Layer Detection and Mitigation

Detecting and blocking:

• Attacks on web apps behind CDNs

• Advanced HTTP attacks (slowloris, HTTP dynamic floods)

• Brute force attacks on login pages

• SSL attacks

Line speed mitigation: 160 Gbps, 25M DDoS pps, 60 microseconds latency.

Scalable, line speed availability attack mitigation.

Page 25: New Technologies – New Opportunities: Next Generation Virtualization

Page 26: Detect where you can. Mitigate where it's right.

AppWall is implemented out-of-path on a span port.

• Attacker launches web-application attack (client / attacker, perimeter, data center).

• AppWall detects the web-application attack.

• AppWall signals attack information to DefensePro (Defense Messaging).

• DefensePro mitigates the attack at the perimeter.

No performance impact. No risk.

Page 27: Out-of-Path Deployment: Scalable Deployment

Client / attacker, perimeter (Attack Mitigation Device), LAN (Alteon, WAFs). Defense Messaging from the WAFs to the Attack Mitigation Device gives unlimited detection and mitigation scalability.

Page 28: DefenseFlow Messaging – Control Plane

AppWall is implemented out-of-path on a span port.

• Attacker launches web-application attack (client / attacker, perimeter, data center).

• AppWall detects the web-application attack and signals attack information to DefenseFlow (Defense Messaging).

• DefenseFlow sends an alert to DefensePro and a BGP diversion to the router.

• DefensePro mitigates the attack at the perimeter.

No performance impact. Transparent integration.

Page 29: Authentication Gateway

Page 30: Use Cases

• Microsoft UAG / TMG replacements

• Strong authentication associated with role based security policy

• Single Sign-on

• Web access management for cloud and premise based apps

Page 31: Multi-Vector Role Based Security Policy

CONTEXT: web role; IP & geo location

SECURITY POLICY: application access control; data access and visibility; web security (XSS, SQL injection)

ACTION: block; report

Authentication Gateway: authorization and access control; web based Single Sign On; 2 factor authentication (RSA SecurID, SMS Passcode); segregation of duties

Page 32: Authentication Gateway: User Authentication and SSO

Authentication schemes (backend servers):

• Form-based Authentication (FBA)

• Kerberos Constrained Delegation (KCD)

• NTLM

• SAML SP

User data stores:

• Active Directory

• LDAP

• RADIUS

Page 33: Authentication Gateway Flow

• A user from outside the domain (un-authenticated) attempts to access an enterprise application on the customer premise.

• AppWall redirects to the login page; the user logs in with 2 factor authentication.

• AppWall validates the credentials against Active Directory and receives a Kerberos ticket.

• AppWall applies the user/role based security policy.

• AppWall resubmits the credential or Kerberos ticket to the backend application (KCD, NTLM or FBA).
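The step "AppWall applies the user/role based security policy" is where page 31's three vectors meet: a web role derived from the directory (page 47 maps roles to LDAP organizational units or attributes), the request's IP/geo context, and the resource being asked for, producing an allow/block decision and a data-visibility constraint. The block below is an added, constructed illustration of that evaluation, not Radware's policy engine; the OU-to-role mapping, the prefix-based geo table and the rules are all assumptions made for the demo.

```python
import ipaddress

# Constructed: OU component of the user's LDAP DN -> web role. Unknown OUs map to "guest".
OU_TO_ROLE = {"OU=Finance": "finance", "OU=IT": "admin", "OU=Contractors": "external"}

# Constructed context table; a real gateway consults a GeoIP database instead.
GEO_PREFIXES = {"10.0.0.0/8": "corp", "203.0.113.0/24": "CH", "198.51.100.0/24": "US"}

# Constructed policy, evaluated first-match-wins. A rule without "roles" or "geo"
# matches any role or location; "mask_fields" expresses a data-visibility limit
# that the response filter enforces after access has been granted.
RULES = [
    {"path_prefix": "/admin/", "roles": {"admin"}, "geo": {"corp"}, "action": "allow"},
    {"path_prefix": "/admin/", "action": "block"},          # admins only from the corp net
    {"path_prefix": "/reports/payroll", "roles": {"finance"}, "action": "allow",
     "mask_fields": {"ssn", "salary"}},
    {"path_prefix": "/reports/", "roles": {"finance", "admin"}, "action": "allow"},
    {"path_prefix": "/reports/", "action": "block"},        # segregation of duties
    {"path_prefix": "/", "roles": {"finance", "admin", "external"}, "action": "allow"},
]
DEFAULT = {"action": "block", "report": True}               # deny by default, and say so


def role_from_dn(dn):
    """Derive the web role from the first OU= component of an LDAP DN."""
    for part in dn.split(","):
        part = part.strip()
        if part.upper().startswith("OU="):
            return OU_TO_ROLE.get(part, "guest")
    return "guest"


def geo_for_ip(ip):
    addr = ipaddress.ip_address(ip)
    for prefix, label in GEO_PREFIXES.items():
        if addr in ipaddress.ip_network(prefix):
            return label
    return "unknown"


def evaluate(dn, ip, path):
    """Combine role, context and resource into a decision the gateway can act on."""
    role, geo = role_from_dn(dn), geo_for_ip(ip)
    for index, rule in enumerate(RULES):
        if not path.startswith(rule["path_prefix"]):
            continue
        if "roles" in rule and role not in rule["roles"]:
            continue
        if "geo" in rule and geo not in rule["geo"]:
            continue
        return {"action": rule["action"], "role": role, "geo": geo, "rule": index,
                "mask_fields": rule.get("mask_fields", set()),
                "report": rule["action"] == "block"}
    return {**DEFAULT, "role": role, "geo": geo, "rule": None, "mask_fields": set()}
```

The explicit block rules ahead of the catch-all are the part people forget: without them, "finance and admin may read reports" silently becomes "everyone with a valid login may read reports" once a permissive base rule exists.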

Page 34: Low and Slow Detection

Page 35: Behavioral Layer 7 Low&Slow Attack Detection

Modeling the TCP connection lifecycle: a TCP connection is established; HTTP request sent; server think time; HTTP response sent; client think time; subsequent request sent.

• Seconds to detect and block Low&Slow attacks

• Works both in out-of-path and inline modes

• Mitigation by AppWall, or by Defense Messaging to DefensePro or DefenseFlow
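Modeling the lifecycle above means timing each phase per connection and asking whether the client side of it is plausible: a browser finishes sending a request in milliseconds, while a slowloris-style client keeps the request open for minutes by trickling a few bytes at a time over many connections. The detector below is an added example of that model, not AppWall's; the thresholds, the event format and the constructed event stream (one normal keep-alive client, one source holding four never-completed requests) are assumptions for the demo. It works equally on a span-port copy of the traffic, since it only needs timestamps and byte counts.

```python
HEADER_DEADLINE = 15.0        # seconds a client gets to finish sending one request (constructed)
MIN_BYTES_PER_SEC = 50.0      # slower than this while still incomplete is a trickle
MIN_AGE_FOR_RATE = 5.0        # do not judge the rate on the first few seconds
MAX_PENDING_PER_SOURCE = 3    # more simultaneous incomplete requests than this from one source


class LowSlowDetector:
    """Tracks the request phase of every connection and flags clients that never leave it."""

    def __init__(self):
        self.conns = {}

    def feed(self, t, conn_id, kind, src=None, nbytes=0):
        """kind is one of open, data, request_end, response_end, close."""
        if kind == "open":
            self.conns[conn_id] = {"src": src, "req_start": t, "bytes": 0,
                                   "complete": False, "closed": False}
            return
        c = self.conns[conn_id]
        if kind == "data":
            if c["complete"]:                       # next request on a kept-alive connection
                c["req_start"], c["bytes"], c["complete"] = t, 0, False
            c["bytes"] += nbytes
        elif kind == "request_end":
            c["complete"] = True                    # server think time begins
        elif kind == "close":
            c["closed"] = True
        # response_end needs no state change here: only the client's sending phase is modeled

    def sweep(self, now):
        """Return (flagged connections -> reason, sources exceeding the pending limit)."""
        flagged, pending = {}, {}
        for cid, c in self.conns.items():
            if c["closed"] or c["complete"]:
                continue
            pending[c["src"]] = pending.get(c["src"], 0) + 1
            age = now - c["req_start"]
            if age > HEADER_DEADLINE:
                flagged[cid] = f"request still incomplete after {age:.0f}s"
            elif age > MIN_AGE_FOR_RATE and c["bytes"] / age < MIN_BYTES_PER_SEC:
                flagged[cid] = f"sending at {c['bytes'] / age:.1f} B/s"
        sources = sorted(s for s, n in pending.items() if n > MAX_PENDING_PER_SOURCE)
        return flagged, sources


def run_demo():
    """Constructed event stream: a normal client a1 and four trickling connections s1..s4."""
    det = LowSlowDetector()
    events = [
        (0.00, "a1", "open", "10.0.0.5", 0),
        (0.05, "a1", "data", None, 412),
        (0.05, "a1", "request_end", None, 0),
        (0.30, "a1", "response_end", None, 0),
        (2.00, "a1", "data", None, 380),            # subsequent request after client think time
        (2.00, "a1", "request_end", None, 0),
        (2.20, "a1", "response_end", None, 0),
        (2.50, "a1", "close", None, 0),
    ]
    for i in range(4):                              # one source, 20 bytes every 5 s, never finishing
        cid = f"s{i + 1}"
        events.append((0.1 * i, cid, "open", "198.51.100.7", 0))
        for k in range(4):
            events.append((0.1 * i + 5.0 * k, cid, "data", None, 20))
    for t, cid, kind, src, n in sorted(events, key=lambda e: e[0]):
        det.feed(t, cid, kind, src=src, nbytes=n)
    return det.sweep(now=20.0)
```

The per-source count is the behavioral half: a single slow mobile client can legitimately miss the deadline, but one address holding many half-sent requests is the signature worth passing on as a block of that source, which is what the Defense Messaging to DefensePro or DefenseFlow above carries.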

Page 36: Continuous Security Delivery – Protect & Learn

Modeling the application security lifecycle: immediate protection through auto policy generation, then apply the tailored learned policy. Each app change from continuous delivery restarts the cycle (continuous security delivery).

Page 37: IP Agnostic Bot Detection

Page 38: Good Bots vs. Bad Bots

Simple bots are not much of a challenge to block.

Headless browsers such as PhantomJS complicate the detection process by:

– Mimicking user behavior

– Passing challenges

– Serving up dynamic IP addresses

To be sure, not all bots are bad:

– Search engine bots

– Computer generated API calls

We need to differentiate good bots from bad bots.

Page 39: Unique IP-Agnostic Fingerprinting Protection

Device reputation for bot detection and blocking

• Beyond IP address blacklisting: detailed device fingerprinting through multiple parameters (system fonts, screen resolution, browser plug-ins, local IPs, operating system)

• Enables precise activity tracking over time & development of IP-agnostic device reputation

• Provides advanced protection from: website scraping, brute force attacks, HTTP dynamic floods, dynamic IP attacks

Page 40: Fingerprint result

Page 41: Device Fingerprinting

A JavaScript fingerprint of the app / OS identifies the device even behind a CDN or carrier NAT.

Device fingerprint enables:

– Precise activity tracking over time

– Device reputation

Provides advanced protection from:

– Website scraping

– Brute force attacks

– HTTP dynamic floods

Page 42: Activity Tracking

• Rate limiting: TPS / TPM per domain / folder / URL

• Behavioral analysis

Page 43: Attack Correlation and Source Blocking

Track record and attack correlation:

• IP-based or fingerprint-based tracking

• Configurable violation scores

• Correlation of activity and violations over time

• Blocking the attack source once it reaches a threshold
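Pages 39 to 43 describe one pipeline: hash a set of client attributes into a device identifier, key rate limits and violation scores by that identifier rather than by IP, and block when the windowed score crosses a threshold. The block below is an added illustration of why the key matters, not Radware's implementation; the attribute set, the scores, the window, the rate limit and the six login failures spread over three addresses are constructed. It runs the same violations through an IP-keyed and a fingerprint-keyed tracker so the difference is visible. Collecting the attributes in the browser is a separate JavaScript step that the slide only names; here they arrive as a dictionary.

```python
import hashlib
import json
from collections import defaultdict, deque

VIOLATION_SCORES = {"auth_failure": 20, "signature_hit": 50, "rate_limit": 30}  # constructed
BLOCK_THRESHOLD = 100          # score within the window that triggers source blocking
WINDOW_SECONDS = 300.0         # correlation window over which violations are summed


def device_fingerprint(attrs):
    """Stable identifier from client-reported attributes; key order must not matter."""
    canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:16]


class RateLimiter:
    """Sliding-window TPS/TPM limit per (source key, URL), as on page 42."""

    def __init__(self, limit, per_seconds):
        self.limit, self.per = limit, per_seconds
        self.hits = defaultdict(deque)

    def hit(self, key, url, t):
        q = self.hits[(key, url)]
        q.append(t)
        while q and t - q[0] > self.per:
            q.popleft()
        return len(q) > self.limit


class SourceTracker:
    """Windowed violation score per source; key_by is 'ip' or 'fingerprint'."""

    def __init__(self, key_by):
        self.key_by = key_by
        self.events = defaultdict(deque)     # key -> deque of (t, score)
        self.blocked = {}                    # key -> time the threshold was crossed

    def key(self, ip, device):
        return device if self.key_by == "fingerprint" else ip

    def record(self, t, ip, device, violation):
        k = self.key(ip, device)
        q = self.events[k]
        q.append((t, VIOLATION_SCORES[violation]))
        while q and t - q[0][0] > WINDOW_SECONDS:
            q.popleft()
        score = sum(s for _, s in q)
        if score >= BLOCK_THRESHOLD:
            self.blocked.setdefault(k, t)
        return score

    def is_blocked(self, ip, device):
        return self.key(ip, device) in self.blocked


def run_demo():
    """Constructed: one device, three rotating IPs, six failed logins ten seconds apart."""
    attacker = device_fingerprint({
        "fonts": ["Arial", "Helvetica", "Noto Sans"], "screen": "1920x1080",
        "plugins": [], "os": "Linux x86_64", "local_ips": ["192.168.1.20"],
        "user_agent": "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome",
    })
    ips = ["198.51.100.7", "198.51.100.23", "203.0.113.9"]
    by_ip, by_fp = SourceTracker("ip"), SourceTracker("fingerprint")
    limiter = RateLimiter(limit=5, per_seconds=60)
    for i in range(6):
        t, ip = i * 10.0, ips[i % 3]
        by_ip.record(t, ip, attacker, "auth_failure")
        by_fp.record(t, ip, attacker, "auth_failure")
        if limiter.hit(attacker, "/login", t):          # the 6th attempt in 60 s
            by_fp.record(t, ip, attacker, "rate_limit")
    return {
        "blocked_by_fingerprint": by_fp.is_blocked(ips[0], attacker),
        "blocked_by_ip": any(by_ip.is_blocked(ip, attacker) for ip in ips),
        "ip_scores": {ip: sum(s for _, s in by_ip.events[ip]) for ip in ips},
        "fingerprint_score": sum(s for _, s in by_fp.events[attacker]),
    }
```

Each IP ends at two failures, far below the threshold, while the device reaches it on the fifth attempt; that gap is the "dynamic IP attack" case of page 39 and the banking example of page 44. A real fingerprint also needs handling for collisions (identical corporate builds behind one NAT share most attributes), which is why fingerprint-based blocking should be correlated with behavior rather than applied alone.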

Page 44: Banking customer – Dynamic IP Address attack

Page 45: Providing Protection Beyond the Perimeter

Cloud WAF Service (Radware Security Cloud POP):

• Full coverage of OWASP Top-10

• ICSA Labs Certification

• Auto generated policy

• Negative & positive security models

Hybrid, single technology solution to protect both on-premise and cloud-based applications: Cloud WAF, Attack Mitigation Device, and best-of-breed WAF (physical or virtual appliance).

Page 46: Summary

Page 47: Why Radware's WAF?

Attack Mitigation: mitigating attacks on web applications behind CDNs; blocking the attack source at the perimeter; multi-layer detection and mitigation

Application Security & Delivery: AppWall out-of-path and inline deployment modes; delivered on platforms supporting up to 80 Gbps

Compliance: action plan for compliance; advanced security graphical reports

Web Security: short time to protection; low false positive and false negative rates; auto-detection of web application changes

Segregation of Duties: mapping security web roles to LDAP organizational units or attributes; multi vector security policies (application access, data visibility etc.)

Page 48: Summary – More Than Just a WAF

Fastest to deploy, easiest to maintain, best security coverage:

• Multi layered attack detection and mitigation

• Out-of-path deployment with no performance impact or risk

• Fast, reliable, and secure delivery of mission-critical web applications

• Low maintenance costs and post deployment peace of mind

• Audit ready and visibility into application security

Page 49: Thank You