Download presentation
Presentation is loading. Please wait.
1
By Ben Pratt and Clint Forseth
2
Ben Pratt ◦ Primary Role: Course Mgmt. Sys. Admin ◦ Secondary Roles: Printer Server Admin, Web Application Firewall Admin, “Other Duties as Assigned” Clint Forseth ◦ Primary Role: Active Directory Accounts Admin ◦ Secondary Roles: Web Server Admin, Database Admin, Applications Developer, DNS/DHCP Admin, “Jack of All Trades, …”
3
“Largest” University in MnSCU Located in Central Minnesota ◦ About 70 miles NW of Minneapolis Enrollment: ~1600 students Web Environment ◦ Primarily Microsoft (Windows 2003/2008 and IIS) ◦ Classic ASP Web Apps with some PHP, Java, etc. ◦ Most new development in.NET
4
SQL Injection ◦ Allows an attacker to run unwanted SQL queries against your database ◦ Can result in data loss or data manipulation ◦ SQL Inject Me (Firefox Add-on), sqlmap, etc. http://xkcd.com/327/
5
Cross Site Scripting (XSS) ◦ Allows an attacker to modify your web site ◦ Can result in unwanted HTML or scripts being run as your web site ◦ XSS Me (Firefox Add-on), XSS-Proxy, etc. Many Others ◦ Information gathering ◦ Forceful browsing ◦ Buffer overflow ◦ Cookie tampering
6
Samurai Web Testing Framework (WTF) ◦ http://samurai.inguardians.com/ W3af ◦ http://w3af.sourceforge.net/ OWASP WebScarab ◦ http://www.owasp.org/ Others ◦ http://www.cs.washington.edu/homes/mernst/ pubs/create-attacks-tr054-abstract.html ◦ http://www.google.com
7
A System or Application that Limits Data Sent Between a Web Browser and a Web Server ◦ Inspects traffic at layer 7 of the OSI Model Runs Traffic Through Rules to Detect Attacks Against Web Applications ◦ Rules can check for SQL Injection Attempts, Cross Site Scripting (XSS) Attempts, invalid cookies, manipulated form data, other invalid user submitted data
8
http://isc.sans.org/diary.html?storyid=4393 SQL Injection Worm on the Loose ◦ “…a SQL Injection worm that is on the loose. From a quick google [sic] search it shows that there are about 4,000 websites infected and that this worm started at least mid- April if not earlier. …but what they are doing is putting in some scripts and iframes to take over visitors to the websites.” http://www.net-security.org/secworld.php?id=6124 Winzipices.cn SQL injection attack ◦ “According to Microsoft, there's no patch to fix the issue -- the vulnerability lies in custom ASP code that fails to follow well-established security practices for handling database input.”
9
Write More Secure Web Applications ◦ Getting easier with more secure development tools ◦ Requires rewrite/updating of old/insecure apps ◦ Depends on trusting 3 rd party applications ◦ Depends on attacker methods not evolving Use Web Application Firewall ◦ Allows for separation of web application security responsibilities from development team ◦ Can be implemented with almost any web application ◦ Single/reduced points of updates for new attacks
10
dotDefender from AppliCure ◦ ISAPI filter for IIS (Available for Apache too) Installs Directly on Web Server Quick to Install and Secure Web Sites Requires Less Network Knowledge to Configure Lower Cost for Individual Servers Ability to Protect All SSL Traffic Higher Impact on Server Performance All Attacks Reach Web Server
11
Citrix NetScaler Application Firewall ◦ Integrated into NetScaler Load Balancers ◦ Positive Security Model (Default Deny) ◦ Use of RegEx to minimize rules Takes Application Firewall Processing Load Off of Web Servers May Require Re-architecture of Datacenter Network and ACLs ◦ May require code modification for applications Higher Cost for Individual Servers
12
Required Immediate Response to Active Web Application Attacks with Ability to Grow dotDefender Installed for Quick Response to Common Web Application Attacks Determined Long Term Response Would Utilize Citrix Network Load Balancers Already in Environment
13
Initial Focus on Public, Unauthenticated Sites April 2008 ◦ dotDefender installed with (mostly) default settings June 2008 ◦ Citrix Application Firewall training July & August 2008 ◦ Updated sites not routing traffic through the Citrix network load balancer (nlb) to do so ◦ A majority of our public facing web sites were put into Learning Mode
14
September 2008 ◦ The sites that had been in Learning Mode were switched into Blocking Mode October 2008 ◦ Most popular/open sites were felt to be secure Ongoing ◦ As new issues arise or applications come online the app firewall rules are adjusted ◦ A plan is being developed for securing further, “tricky” applications Dynamic URLs, applications reading IP headers, etc.
15
Focusing on.NET Development for New Apps ◦ Increased data input validation Project Plans and Change Management ◦ Project plans include security and privacy section ◦ More Formalized Change Management Procedures Increasing Developer Awareness of Common Web Application Attacks ◦ Increased training and tools ◦ Peer reviews of code
16
Payment Card Industry Data Security Standard (PCI-DSS) version 1.2 ◦ Required as of June 30, 2008 Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes Installing a web-application firewall in front of public-facing web applications Forces someone other than your developers to understand the functionality of your site
17
Contact Info ◦ Ben Pratt bepratt@stcloudstate.edu Evaluations ◦ http://www.resnetsymposium.org/rspm/evaluation/ Questions?
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.