1 Project Part III Double Deuce Jibran Ilyas, Frank LaSota, Paul Lowder, Juan Mendez

2 Our Security Problem Is Website Attacks  Firewall are common in every network deployment, so attackers use websites to get access to internal network  Every industry, be it online hop, retail stores, educational institution or government sector has a website for public use, which makes the website problem very common in multiple industries.

3 SQL Injection Web Attack Example Query Injected by the Attacker Output from the Query Note: Account Numbers masked to protect customer identity

4 PHP File Inclusion Web Attack Example

5  In the code below, you will see that XSS can easily send you to an evil site name= window.location= “  In the code below, you will see that XSS may cause denial of service with just one line of code name= setInterval ("window.open(' The link above will open a window of Dr. Chen’s webpage and request it every 10 milliseconds. (changed from every 100 milliseconds ) Cross Side Scripting (XSS)

6  Attackers can target vulnerabilities in browser (Internet Explorer or Firefox, java console, plugins, etc Other Web Attacks

7 Our Solution Criteria for Evaluation  Cost Effective  Few False Positives  High Availability  Effective for new threats  Ease of Configuration  Out of the box functionality Solution  Web Application Firewall  Manual Code Reviews and Pen Tests  Bluecoat Web Filter  IDS/IPS not ideal for web solution

8 Solution Considerations Web Application Firewalls (WAF)  Writing Secure Code is much easier said than done  WAF can block variety of traffic  High Performance and low latency; only looks at Layer 7  Addresses PCI 6.6 requirement for web security  Out of the box Web Security Solution - “Virtual Patch”  Gartner’s Magic Quadrant on WAFs due in Q4 of 2009  Costs around $35,000 for the appliance  Common Web Application Firewalls (WAFs) include WebDefend, ModSecurity (open source) and Imperva SecureSphere

9 WAF Defined WAF Architecture Choices  Placed between Firewall and Web Application (Inline)  E.g. Reverse Proxy Mode and Transparent Mode  Connected to Network Port on same switch as Web Application (Out of Band)  E.g. Network Monitor Mode  Blocks traffic by using TCP Resets  Has no latency and prevents single point of failure Security Models  Allow only “Good” Traffic (Positive)  Block only Malicious Traffic (Negative)

10 How WAF does the job?  Dynamic Profiling (Automated Application Learning)  Session Protecting Engine  SSL Decryption  Data leakage protection

11 Manual Code Reviews and Application Pen Tests  Best Defense of Websites  Manual tests done by experts  Whitebox testing available  Costs are $300 per 500 lines of code  Average Web Application Code Review costs $30,000 (50,000 lines of code)

12 Bluecoat Web Filter Defined  Blue Coat WebFilter is an “on-proxy” web filtering solution that protects internal users from  Spyware  Phishing attacks  P2P  IM and streaming traffic  Adult content (sorry)  Botnets (yayy)  Appliance starts at $10,000

13 Bluecoat Web Filter – How it Works

14 Bluecoat on the Fly detection (Dynamic Detection)

15 Magic Quadrant for Secure Web Gateways

16 Cost/Risk Analysis  Web Application Firewalls –Costs: Open Source Options available –Risks: Developers should stay on top  Manual Code Reviews and Application Pen Test –Costs: Very High Costs $300 per 500 lines of code –Risks: Minimal; code is checked by ethical hackers  Bluecoat Web Filter –Costs: Appliance + Support Costs –Risks: Moderate; claims 98% coverage of malware

17 Feasibility Analysis  Web Application Firewalls –Feasible because open source options available. –Huge Community Support  Manual Code Reviews and Application Pen Tests –Not feasible for most organizations; very costly –PCI accepts WAF in place of this  Bluecoat Web Filter –Feasible because of its database + Dynamic Protection –Network license needed rather than per client

18 Business/Legal Consequence  Web Application Firewall (WAF) –Lessens the risk of web applications significantly –No legal consequences  Manual Code Review and Application Pen Tests –Business case not strong; compliance accepts WAF –Legal consequences applicable as exploits discovered are documented and failure to remediation can be bad  Bluecoat Web Filter –Strong Business case, given web attacks in today’s world –User privacy is a big legal concern

19 Corporate Context  All three solutions are necessary for all the Industries –Government: Needless to say –Education: Private student records are at risk –Healthcare: Private health info at risk –Private: Social Security, Credit cards, Intellectual Property at Risk  Failure to implement these solutions result in compromises which causes falling share price, dropping consumer confidence, bad reputation + high remediation costs

20 Related Work and Research in This Area  SANS Paper on Web Based Threats – s_2053?show=2053.php&cat=applicationhttp:// s_2053?show=2053.php&cat=application  Symantec’s Paper on Web Based Threats – whitepaper_web_based_attacks_ en-us.pdfhttp://eval.symantec.com/mktginfo/enterprise/white_papers/b- whitepaper_web_based_attacks_ en-us.pdf  DevShed.com’s Cross Side Scripting Paper –  Bluecoat Webfilter datasheet –  Web Application Firewall –

21 Thank You Jibran Ilyas Frank LaSota Paul Lowder Juan Mendez