Presentation is loading. Please wait.

Presentation is loading. Please wait.

Double Deuce Jibran Ilyas, Frank LaSota, Paul Lowder, Juan Mendez

Published byEgbert Hodge Modified over 6 years ago

Similar presentations

Presentation on theme: "Double Deuce Jibran Ilyas, Frank LaSota, Paul Lowder, Juan Mendez"— Presentation transcript:

1 Double Deuce Jibran Ilyas, Frank LaSota, Paul Lowder, Juan Mendez
Project Part III Double Deuce Jibran Ilyas, Frank LaSota, Paul Lowder, Juan Mendez

2 Our Security Problem Is Website Attacks
Firewall are common in every network deployment, so attackers use websites to get access to internal network Every industry, be it online hop, retail stores, educational institution or government sector has a website for public use, which makes the website problem very common in multiple industries.

3 SQL Injection Web Attack Example
Query Injected by the Attacker Output from the Query Note: Account Numbers masked to protect customer identity

4 PHP File Inclusion Web Attack Example

5 Cross Side Scripting (XSS)
In the code below, you will see that XSS can easily send you to an evil site name=<script language=javascript>window.location= “ In the code below, you will see that XSS may cause denial of service with just one line of code name=<script language=javascript>setInterval ("window.open(' The link above will open a window of Dr. Chen’s webpage and request it every 10 milliseconds. (changed from every 100 milliseconds  )

6 Other Web Attacks Attackers can target vulnerabilities in browser (Internet Explorer or Firefox, java console, plugins, etc

7 Our Solution Criteria for Evaluation Cost Effective
Few False Positives High Availability Effective for new threats Ease of Configuration Out of the box functionality Solution Web Application Firewall Manual Code Reviews and Pen Tests Bluecoat Web Filter IDS/IPS not ideal for web solution

8 Solution Considerations
Web Application Firewalls (WAF) Writing Secure Code is much easier said than done WAF can block variety of traffic High Performance and low latency; only looks at Layer 7 Addresses PCI 6.6 requirement for web security Out of the box Web Security Solution - “Virtual Patch” Gartner’s Magic Quadrant on WAFs due in Q4 of 2009 Costs around $35,000 for the appliance Common Web Application Firewalls (WAFs) include WebDefend, ModSecurity (open source) and Imperva SecureSphere

9 WAF Architecture Choices
WAF Defined WAF Architecture Choices Placed between Firewall and Web Application (Inline) E.g. Reverse Proxy Mode and Transparent Mode Connected to Network Port on same switch as Web Application (Out of Band) E.g. Network Monitor Mode Blocks traffic by using TCP Resets Has no latency and prevents single point of failure Security Models Allow only “Good” Traffic (Positive) Block only Malicious Traffic (Negative)

10 Dynamic Profiling (Automated Application Learning)
How WAF does the job? Dynamic Profiling (Automated Application Learning) Session Protecting Engine SSL Decryption Data leakage protection

11 Manual Code Reviews and Application Pen Tests
Best Defense of Websites Manual tests done by experts Whitebox testing available Costs are $300 per 500 lines of code Average Web Application Code Review costs $30,000 (50,000 lines of code)

12 Bluecoat Web Filter Defined
Blue Coat WebFilter is an “on-proxy” web filtering solution that protects internal users from Spyware Phishing attacks P2P IM and streaming traffic Adult content (sorry) Botnets (yayy) Appliance starts at $10,000

13 Bluecoat Web Filter – How it Works
Refer to whitepaper to explain this

14 Bluecoat on the Fly detection (Dynamic Detection)
Refer to whitepaper to explain this

15 Magic Quadrant for Secure Web Gateways

16 Web Application Firewalls
Cost/Risk Analysis Web Application Firewalls Costs: Open Source Options available Risks: Developers should stay on top Manual Code Reviews and Application Pen Test Costs: Very High Costs $300 per 500 lines of code Risks: Minimal; code is checked by ethical hackers Bluecoat Web Filter Costs: Appliance + Support Costs Risks: Moderate; claims 98% coverage of malware

17 Web Application Firewalls
Feasibility Analysis Web Application Firewalls Feasible because open source options available. Huge Community Support Manual Code Reviews and Application Pen Tests Not feasible for most organizations; very costly PCI accepts WAF in place of this Bluecoat Web Filter Feasible because of its database + Dynamic Protection Network license needed rather than per client

18 Business/Legal Consequence
Web Application Firewall (WAF) Lessens the risk of web applications significantly No legal consequences Manual Code Review and Application Pen Tests Business case not strong; compliance accepts WAF Legal consequences applicable as exploits discovered are documented and failure to remediation can be bad Bluecoat Web Filter Strong Business case, given web attacks in today’s world User privacy is a big legal concern

19 Corporate Context All three solutions are necessary for all the Industries Government: Needless to say Education: Private student records are at risk Healthcare: Private health info at risk Private: Social Security, Credit cards, Intellectual Property at Risk Failure to implement these solutions result in compromises which causes falling share price, dropping consumer confidence, bad reputation + high remediation costs

20 Related Work and Research in This Area
SANS Paper on Web Based Threats Symantec’s Paper on Web Based Threats DevShed.com’s Cross Side Scripting Paper Bluecoat Webfilter datasheet Web Application Firewall 20

21 Thank You! Jibran Ilyas Frank LaSota Paul Lowder Juan Mendez Thank You
21

Download ppt "Double Deuce Jibran Ilyas, Frank LaSota, Paul Lowder, Juan Mendez"

Similar presentations

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Lisa Farmer, Cedo Vicente, Eric Ahlm

Lisa Farmer, Cedo Vicente, Eric Ahlm
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
1 Project Part II Double Deuce Jibran Ilyas, Frank LaSota, Paul Lowder, Juan Mendez.

1 Project Part II Double Deuce Jibran Ilyas, Frank LaSota, Paul Lowder, Juan Mendez.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
1 Project Part III Double Deuce Jibran Ilyas, Frank LaSota, Paul Lowder, Juan Mendez.

1 Project Part III Double Deuce Jibran Ilyas, Frank LaSota, Paul Lowder, Juan Mendez.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
SiteLock Internet Security: Big Threats for Small Business.

SiteLock Internet Security: Big Threats for Small Business.
CAP6135: Malware and Software Vulnerability Analysis Examples of Term Projects Cliff Zou Spring 2012.

CAP6135: Malware and Software Vulnerability Analysis Examples of Term Projects Cliff Zou Spring 2012.
1 E LECTRICAL E NGINEERING AND C OMPUTER S CIENCES U NIVERSITY OF C ALIFORNIA Berkeley Combating Stealth Malware and Botnets in Higher Education Educause.

1 E LECTRICAL E NGINEERING AND C OMPUTER S CIENCES U NIVERSITY OF C ALIFORNIA Berkeley Combating Stealth Malware and Botnets in Higher Education Educause.
Norman SecureTide Powerful cloud solution to stop spam and threats before it reaches your network.

Norman SecureTide Powerful cloud solution to stop spam and threats before it reaches your network.
Norman SecureSurf Protect your users when surfing the Internet.

Norman SecureSurf Protect your users when surfing the Internet.
Lecture 11 Electronic Business (MGT-485). Recap – Lecture 10 Transaction costs Network Externalities Switching costs Critical mass of customers Pricing.

Lecture 11 Electronic Business (MGT-485). Recap – Lecture 10 Transaction costs Network Externalities Switching costs Critical mass of customers Pricing.
Protecting Customer Websites and Web Applications Web Application Security.

Protecting Customer Websites and Web Applications Web Application Security.
Securing Information Systems

Securing Information Systems
Application Data Security Stallion Winter Seminar 2009 Otepää, March 06th 2009.

Application Data Security Stallion Winter Seminar 2009 Otepää, March 06th 2009.
Computer Security Fundamentals Chuck Easttom Chapter 1 Introduction to to Computer Security.

Computer Security Fundamentals Chuck Easttom Chapter 1 Introduction to to Computer Security.
Brad Baker CS526 May 7 th, 2008 5/7/2008 1. 1. Project goals 2. Test Environment 3. The Problem 4. Some Solutions 5. ModSecurity Overview 6. ModSecurity.

Brad Baker CS526 May 7 th, /7/ Project goals 2. Test Environment 3. The Problem 4. Some Solutions 5. ModSecurity Overview 6. ModSecurity.

Similar presentations

Ads by Google