Global Systems Division (GSD) Information and Technology Services Web Services Gateway Implementation Michael Doney Bobby Kelley Peter Lannigan John Parker.

Slides:

Advertisements

Similar presentations

Enabling Secure Internet Access with ISA Server

Advertisements

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

Highly Available Central Services An Intelligent Router Approach Thomas Finnern Thorsten Witt DESY/IT.

1 June 1, 2015 Secure access to project budget information for OAR Principal Investigators Eugene F Burger Sylvia Scott Tracey Nakamura John L Forbes PMEL.

Barracuda Web Application Firewall

Firewall Configuration Strategies

System and Network Security Practices COEN 351 E-Commerce Security.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

Lesson 1: Configuring Network Load Balancing

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

Client-Server Processing and Distributed Databases

1 Enabling Secure Internet Access with ISA Server.

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

Installing Samba Vicki Insixiengmay Jonathan Krieger.

Norman SecureSurf Protect your users when surfing the Internet.

Course 201 – Administration, Content Inspection and SSL VPN

Additional SugarCRM details for complete, functional, and portable deployment.

Brad Baker CS526 May 7 th, /7/ Project goals 2. Test Environment 3. The Problem 4. Some Solutions 5. ModSecurity Overview 6. ModSecurity.

Distributed IDS The implementation of a Distributed Intrusion Detection System over a medium scale open network where the focus is availability of services.

Ladd Van Tol Senior Software Engineer Security on the Web Part One - Vulnerabilities.

Csci5233 Computer Security1 Bishop: Chapter 27 System Security.

Implementing ISA Server Publishing. Introduction What Are Web Publishing Rules? ISA Server uses Web publishing rules to make Web sites on protected networks.

1 Chapter 6: Proxy Server in Internet and Intranet Designs Designs That Include Proxy Server Essential Proxy Server Design Concepts Data Protection in.

11/16/2012ISC329 Isabelle Bichindaritz1 Web Database Application Development.

©2008 Gotham Digital Science Secure Parameter Filter (SPF) (AKA Protecting Vulnerable Applications with IIS7) Justin Clarke, Andrew Carey Nairn.

Objectives Configure routing in Windows Server 2008 Configure Routing and Remote Access Services in Windows Server 2008 Network Address Translation 1.

Web Application Firewall (WAF) RSA ® Conference 2013.

1 Apache. 2 Module - Apache ♦ Overview This module focuses on configuring and customizing Apache web server. Apache is a commonly used Hypertext Transfer.

Module 10: Monitoring ISA Server Overview Monitoring Overview Configuring Alerts Configuring Session Monitoring Configuring Logging Configuring.

FIREWALLS Vivek Srinivasan. Contents Introduction Need for firewalls Different types of firewalls Conclusion.

Deploying XenApp and XenDesktop with BIG-IP Brent Imhoff – Field Systems Engineer Gary Zaleski – Solutions Architect Michael Koyfman – Solutions Architect.

Online Translation Service Capstone Design Eunyoung Ku Jason Roberts Jennifer Pitts Gregory Woodburn Kim Tran.

Module 11: Implementing ISA Server 2004 Enterprise Edition.

Network and Perimeter Security Paula Kiernan Senior Consultant Ward Solutions.

Chapter 6 Server-side Programming: Java Servlets

1 Topic 2: Lesson 3 Intro to Firewalls Summary. 2 Basic questions What is a firewall? What is a firewall? What can a firewall do? What can a firewall.

Fundamentals of Proxying. Proxy Server Fundamentals  Proxy simply means acting on someone other’s behalf  A Proxy acts on behalf of the client or user.

Network Security. 2 SECURITY REQUIREMENTS Privacy (Confidentiality) Data only be accessible by authorized parties Authenticity A host or service be able.

Overview Managing a DHCP Database Monitoring DHCP

® IBM Software Group © 2007 IBM Corporation Best Practices for Session Management

Integrating and Troubleshooting Citrix Access Gateway.

1 HoneyNets. 2 Introduction Definition of a Honeynet Concept of Data Capture and Data Control Generation I vs. Generation II Honeynets Description of.

Firewall Policies. Module Objectives By the end of this module participants will be able to: Identify the components used in a firewall policy Create.

Module 7: Advanced Application and Web Filtering.

Web Security Group 5 Adam Swett Brian Marco. Why Web Security? Web sites and web applications constantly growing Complex business applications are now.

Lesson 19-E-Commerce Security Needs. Overview Understand e-commerce services. Understand the importance of availability. Implement client-side security.

Security fundamentals Topic 10 Securing the network perimeter.

Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®

ITGS Network Architecture. ITGS Network architecture –The way computers are logically organized on a network, and the role each takes. Client/server network.

WEB SERVER SOFTWARE FEATURE SETS

Unit 2 Personal Cyber Security and Social Engineering Part 2.

Firewalls. Overview of Firewalls As the name implies, a firewall acts to provide secured access between two networks A firewall may be implemented as.

Security fundamentals

Lab A: Planning an Installation

Fortinet NSE8 Exam Do You Want To Pass In First Attempt.

TMG Client Protection 6NPS – Session 7.

Module 3: Enabling Access to Internet Resources

Web Application Protection Against Hackers and Vulnerabilities

Chapter 7: Identifying Advanced Attacks

Enabling Secure Internet Access with TMG

Affinity Depending on the application and client requirements of your Network Load Balancing cluster, you can be required to select an Affinity setting.

F5 BIGIP V 9 Training.

Ad-blocker circumvention System

Securing the Network Perimeter with ISA 2004

Security mechanisms and vulnerabilities in .NET

AbbottLink™ - IP Address Overview

Designing IIS Security (IIS – Internet Information Service)

Presentation transcript:

Global Systems Division (GSD) Information and Technology Services Web Services Gateway Implementation Michael Doney Bobby Kelley Peter Lannigan John Parker Robin Paschall Gregory Phillips Jennifer Valdez NOAATECH 2006 November 2, 2005

Global Systems Division (GSD) Information and Technology Services Purpose Provide information on the Web Services Gateway implementation at ESRL/GSD

Global Systems Division (GSD) Information and Technology Services Topics Problems to Address Resolution Objectives Options Considered Solution Implemented Some of the Threats Mitigated Example Web Application Conclusion

Global Systems Division (GSD) Information and Technology Services Problems to Address Growing threat of malicious web application attacks 43 externally visible web applications on 22 servers Web applications written by many different developers Server configurations done by distributed systems administrators No centralized point of control for web application security

Global Systems Division (GSD) Information and Technology Services Resolution Objectives Ensure system & information security for web services Establish centralized point of control for web application security Minimize the number of directly accessible servers Minimize the effort for web application developers Maintain distributed systems administration Keep the effort as transparent as possible to customers Enable seamless addition of web applications for new projects

Global Systems Division (GSD) Information and Technology Services Options Considered 1.All branch servers located in the public access area –Not practical High cost to duplicate servers and storage –Not completely secure 2.High-availability pair of servers in the public access area to host all web applications –Large effort to port branch web applications to new servers Differing operating systems and library requirements Simply porting would not be adequate –Secure programming required Rewrite existing web applications Significant amount of time for all web application developers Additional training expense for every web application developer Requires frequent code reviews, a time consuming effort 3.Web Services Gateway –Dynamic information served from branch servers

Global Systems Division (GSD) Information and Technology Services Solution Implemented GSD Web Services Gateway A single GSD web services access point in the public access area –Load balancers –AppShield servers –Web/Proxy servers Branch servers maintained behind the GSD firewall Does not negate other IT security methods and practices Does not negate the need for secure coding in web applications Staffing: Initial work began in 2003 Ranged from 1 to 10 people over 2.5 years (approximately 1.7 staff years of effort) Plus assistance to and support from approximately 15 web application developers

Global Systems Division (GSD) Information and Technology Services Implementation Load balancers, high-availability pair –Creates multiple virtual servers that map to multiple real servers –Multiple content switching options URL, cookie, XML, http header, and SSL session ID –Multiple load balancing options Least connections, response time, round robin, … –Supports 1,000,000 concurrent sessions –4.4 Gbps throughput AppShield servers & software, high-availability pair –Provides application level system & information security –Protects web applications from exploitation –Provides security policy tuning per requirements of each web application Web/Proxy servers, high-availability pair –Some GSD web applications hosted on these servers –Proxy server provides connectivity to all web servers behind the firewall Existing branch servers –Located behind the GSD firewall –Fewest changes for web masters and continued access to existing data stores –In some cases, coordination for customer changes were necessary Customer network or firewall access from new GSD Web/Proxy servers Needed to eliminate hard-coded IP addresses on customer systems if any existed

Global Systems Division (GSD) Information and Technology Services High Level View Internet AppShield Web/Proxy Server Web/Proxy Server Firewall GSD Servers Load Balancer Public Access Area High-availability Pairs Load Balancer Firewall GSD Intranet

Global Systems Division (GSD) Information and Technology Services Hardware and Software High-availability pairs: –Foundry ServerIronXL load balancing network switches$ 33,084 –Foundry ServerIronXL annual support (one year to date)$ 1,740 –SunFire V120 Servers$ 8,232 –AppShield 4.0$ 27,000 –AppShield annual support(three years to date)$ 22,500 –Dell 2650 servers$ 11,296 –On-site AppShield training$ 11,450 TOTAL$115,302

Global Systems Division (GSD) Information and Technology Services AppShield Details AppShield is a stateful reverse proxy application firewall Most established product at the time of GSD’s implementation Did not require complete redesign of existing web applications The default configuration is the most secure Three pre-defined security levels available: –Strict (starting point for GSD’s implementation) –Intermediate –Basic Uses a positive security model –Enforces intended behavior versus watching for unintended behavior Custom security levels can be defined Customization rules (exceptions) can be written as necessary

Global Systems Division (GSD) Information and Technology Services AppShield in Operation Functions as a reverse proxy for requests and responses Learns on-the-fly for each page –As HTML requests and responses are processed Automatic generation of security policies Automatic determination of acceptable responses Forces HTTP requests from clients to conform to security policies Maintains logs for denied requests –Logs can be viewed through the AppShield console –Exception rules can be generated to prevent blocking valid requests Rule usage is logged to allow fine tuning AppShield acts as the SSL termination point for encrypted traffic –Ensures that AppShield has visibility of all HTTP traffic

Global Systems Division (GSD) Information and Technology Services AppShield Session Source: Sanctum, Inc. 1.Verifies that request contains a legal entry URL to the site 2.Creates an application session token –Stored in an encrypted and signed cookie for subsequent transactions 3.Analyzes each HTML page as they are forwarded to the client –Patented Policy Recognition Engine –Searches for CGI parameters, hidden field values, etc. 4.Determines the security policy of the web application –Checks any exception rules for sites and web applications requested –Additional legal requests used to adjust the security policy for the session –Accomplished with Adaptive Reduction Technology Reducer: Translates requests to simple & secure language Expander: Rebuilds requests to ensure only legal information In case of a hacking attempt, the reduction/expansion phase will fail »AppShield invokes a customizable error CGI with attack origin and type

Global Systems Division (GSD) Information and Technology Services Implementation Workflow Configure proxy server for web sites Create URL mappings in AppShield Test web sites through AppShield Create exception rules IF NECESSARY Retest through AppShield Developers test through AppShield Update DNS and go live Monitor AppShield logs

Global Systems Division (GSD) Information and Technology Services Web Application Example Load Balancer AppShield Web/Proxy Data Processing Cluster database Storage.gif files / static content SQL NFS read only Server Public Access Area Web Services Gateway HTTP Data Ingest

Global Systems Division (GSD) Information and Technology Services Some of the Threats Mitigated Parameter tampering Cookie poisoning HTTP request smuggling Forceful browsing Cross-site scripting Buffer overflows SQL injection Third-party misconfiguration

Global Systems Division (GSD) Information and Technology Services Conclusion Implementing a Web Services Gateway at GSD added a significant additional layer of IT Security Problems addressed and resolution objectives met Achieved a single GSD web services access point in the public access area Existing web sites and web applications were supported without requiring complete redesign does notThis implementation does not negate other IT Security methods and practices Secure coding practices should be followed for web application development GSD’s implementation is extensible, expandable, and adaptable

Global Systems Division (GSD) Information and Technology Services Questions (303)