Securing Internet Applications SoBeNet User group meeting 08/10/2004.


1 Securing Internet Applications SoBeNet User group meeting 08/10/2004

2 Recent trends in Internet Security
Key findings for Q1-Q2 2004:
- Increased threats to e-commerce
- Attacks against web application technologies are increasingly popular
- Short time between vulnerability and exploit
- Rise in bot networks
- Increase in severe, easy-to-exploit vulnerabilities: end-user systems are compromised and used to attack the application/server platforms

3 Attack life cycle
- Step 1: Reconnaissance scanning: port scans, vulnerability scans, asset discovery scans
- Step 2: Exploiting vulnerabilities: buffer overflows, backdoors, e-mail attachments, active content, ...
- Step 3: Installing backdoors, trojans: create new and modify existing files, weaken security settings
- Step 4: Go forth and multiply: mail, web, IRC, FTP, file shares
- Step 5: Distributed attack: delete files, DoS, ...

4 Beyond network attacks ...
Interception at the network layer doesn't allow enough protection against application-level attacks such as:
- hidden field manipulation
- cookie poisoning
- backdoor and debug options
- stealth commanding
- parameter tampering
- SQL injection
- session hijacking
- buffer overflow
- cross-site scripting
- forceful browsing
- denial of service
- data theft
- forged transactions
- ...

5 Rooting out flaws ...
Discovering vulnerabilities before applications reach production status.
No absolute security: secure for how long? from whom?
Source: Infosecurity Magazine

6 MULTI LAYER approach to Application Security
Coarse-grain interception techniques:
- Network based interception
- System based interception
Deep packet inspection, security context and coordination: defense in depth.
[Figure: deep packet inspection drawn at every tier of the application (GUI, Presentation Logic, Business Logic, Data Access, Data Layer), each over protocol layers 1-7]

7 Network based Interception
Perimeter security:
- Packet filter -> circuit-level gateway -> application gateway
- General trend to incorporate application-level security in the perimeter firewalls
- Concentration of security logic, but performance?
Connection security:
- Mutually authenticated connection: confidentiality, integrity
- Symmetric proxy configuration (client-side component): IPsec tunnel, SSH tunnel, SSL tunnel
- (Semi-)transparent solution, hence generally applicable in production environments

8 Network based Interception (cont'd)
Application security:
- Detection vs. prevention techniques
- Network transparent proxy and reverse proxy: a separate system intercepting all requests/responses between client and server
- Isolation of the systems running the application in a secure zone
- Authentication and coarse-grain authorization, SSO
- Implement application-level sanitizing and shielding
- Application-specific approach

9 Example 1: Web Application Shielding
Network-level filtering: the firewall allows HTTP through to the server.
Application-level filtering: an application firewall filters the traffic that the network firewall must allow.
[Figure: Regular Users -> Firewall (HTTP allowed) -> Application Shield (HTTP validation) -> Server]

10 Example 1: Web Application Shielding (cont'd)
Zero latency! An application firewall filters the traffic that the network firewall must allow.
[Figure: same path as slide 9, now with a Hacker among the clients; the firewall still passes HTTP, the application shield performs the HTTP validation]

11 How does it work?
The Security Shield blocks all traffic that an application does not expect, using a three-layer validation:
1. Sanity check: is the request well-formed? e.g. buffer overflow, cookie poisoning
2. Policy check: is the request expected? e.g. forceful browsing, stealth commanding
3. Content check: is the content expected? e.g. parameter tampering, forged transactions

12 Sanity check
Translation of URI into canonical form:
- Empty URI
- Starting /
- Hex decoding
- ASCII control characters (e.g. < 32)
- Reserved characters (RFC) -> %xy
- Remove "." and ".." dirs
Protocol check: e.g. HTTP/1.0, HTTP/1.1
Method check: e.g. HEAD/POST/GET/...

13 Sanity check (cont'd)
Path sanity check:
- URI length
- Path depth
- Determination of the file part in a URL
- Hidden files, e.g. /site/dir/malicious_script.asp/pathinfo/goodlooking.html: the file part is malicious_script.asp, the rest is path info. Compare /site/version2.1/good.html, where the dot belongs to a directory name and good.html is the file part.
Request and response header check:
- Application-defined headers
- RFC-defined headers
- Other non-standard headers
- Protect against fingerprinting

14 Policy check
Default deny policy: if the URI doesn't match a known pattern, reject the request.
Attack patterns: predefined list of well-known attack patterns.
Filtering patterns:
- file name pattern
- directory string, and a flag indicating whether the pattern is valid for all subdirectories of that directory as well
- set of allowed request methods for the pattern
- switch indicating whether parameters are allowed, and whether a maximum length is specified

15 Content check
Parameter check:
- Name
- Maximum length
- Type: "nocheck", "alpha", "numeric", "alphanumeric", "ip", "enumeration", "pattern", "empty", "novalue"
- Allowed/required
- Encoding (multi-part, URL-encoding)
- Maximum occurrences
Parameter groups:
- Manageable configuration
- Contains a list of individual parameter check definitions
- If the exhaustive switch is set, no other parameters are allowed

16 Other checks
Cookie protection:
- Integrity check for detecting cookie poisoning and tampering
- Confidentiality for cookies in transit or for persistent cookies
- Introduces security state into the application session
Hidden field protection:
- Mapping of the server's response to the client's next request
- Requires a stateful system
Request-response mapping:
- Validation of response codes
- Validation that the MIME type of the response corresponds to the original request
- Pattern matching in response content
Audit log:
- Secure trace of all traffic for forensic analysis
- Logs are stored on a secure system
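Cookie integrity and hidden field protection from the slide above, as an added example that is not part of the original presentation or of Ubizen's product. The shield keys the cookie tag on a secret the client never sees (the key, cookie names and the order form are constructed here), and the hidden field guard is the "stateful system" the slide calls for: it records the hidden inputs it served to a session and compares them with the values that come back. Confidentiality for cookies (encrypting the value) is mentioned on the slide but not shown here.

```python
import base64
import hashlib
import hmac
import re
import secrets

SHIELD_KEY = secrets.token_bytes(32)  # per-deployment secret held by the shield, never sent to the client


def protect_cookie(name, value, key=SHIELD_KEY):
    """Response side: append an HMAC over cookie name and value so poisoning or tampering is detectable."""
    tag = hmac.new(key, ("%s=%s" % (name, value)).encode(), hashlib.sha256).digest()
    return "%s.%s" % (value, base64.urlsafe_b64encode(tag).decode().rstrip("="))


def verify_cookie(name, protected, key=SHIELD_KEY):
    """Request side: return the original value, or None if the cookie does not carry a valid tag.
    Binding the name into the tag stops a valid tag from being reused under another cookie name."""
    value, sep, tag = protected.rpartition(".")
    if not sep:
        return None
    expected = protect_cookie(name, value, key).rpartition(".")[2]
    return value if hmac.compare_digest(tag, expected) else None


# Hidden inputs in the form the constructed sample HTML uses (attribute order type, name, value).
HIDDEN_INPUT = re.compile(r'<input\b[^>]*\btype="hidden"[^>]*\bname="([^"]+)"[^>]*\bvalue="([^"]*)"', re.I)


class HiddenFieldGuard:
    """Stateful request-response mapping: remembers the hidden fields served to a session and
    rejects a submission that changes them."""

    def __init__(self):
        self.served = {}  # (session id, form action) -> {field name: value}

    def record_response(self, session_id, action, html):
        self.served[(session_id, action)] = dict(HIDDEN_INPUT.findall(html))

    def check_request(self, session_id, action, submitted):
        # One-shot: a served form is good for exactly one submission, which also blocks replays.
        expected = self.served.pop((session_id, action), None)
        if expected is None:
            return False, "no form with hidden fields was served for this action"
        for field, value in expected.items():
            if submitted.get(field) != value:
                return False, "hidden field %r was tampered with" % field
        return True, "ok"
```

A form served with `<input type="hidden" name="price" value="49.99">` is accepted only if `price=49.99` comes back in the same session for the same action; a cookie `role=user` whose tag is moved onto the value `admin` verifies as `None` and is dropped. The state the guard keeps is per session, so the shield needs either its own session identifier or the application's session cookie to key it.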

17 Problems related to the HTTP reverse proxy architecture
E.g. the HTTP protocol contains references to information of lower-level layers:
- Relocation stage: request header Host:, response headers Location: and Content-Location: need a reverse mapping
- Forwarder stage: SSL authentication bridging
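The relocation and forwarder stages from the slide, as an added example (not code from the presentation). The external and internal addresses and the `X-Client-DN` header name are assumptions: the request Host is rewritten on the way in, absolute Location and Content-Location URLs that name the internal server are mapped back on the way out, and for SSL authentication bridging the identity the proxy verified is forwarded in a header after any client-supplied copy of that header is dropped.

```python
from urllib.parse import urlsplit, urlunsplit

EXTERNAL = ("https", "www.example.com")     # what the client sees (assumed)
INTERNAL = ("http", "app1.internal:8080")   # where the proxy forwards to (assumed)
CLIENT_DN_HEADER = "X-Client-DN"            # header name for the bridged client identity (assumed)


def forward_request_headers(headers):
    """Forwarder stage: rewrite Host so the back end builds URLs and virtual-host matches it recognizes."""
    out = dict(headers)
    if out.get("Host", "").lower() == EXTERNAL[1]:
        out["Host"] = INTERNAL[1]
    return out


def rewrite_location(url):
    """Reverse mapping: an absolute URL naming the internal server becomes the external URL;
    relative URLs and URLs for other hosts are left alone."""
    parts = urlsplit(url)
    if (parts.scheme.lower(), parts.netloc.lower()) == INTERNAL:
        return urlunsplit((EXTERNAL[0], EXTERNAL[1], parts.path, parts.query, parts.fragment))
    return url


def relocate_response_headers(headers):
    """Relocation stage: Location and Content-Location must not expose the internal address."""
    out = dict(headers)
    for name in ("Location", "Content-Location"):
        if name in out:
            out[name] = rewrite_location(out[name])
    return out


def bridge_ssl_authentication(headers, client_dn):
    """SSL authentication bridging: TLS ends at the proxy, so the verified client identity travels to
    the back end in a header.  The client's own copy is removed first so it cannot spoof an identity."""
    out = {k: v for k, v in headers.items() if k.lower() != CLIENT_DN_HEADER.lower()}
    if client_dn:
        out[CLIENT_DN_HEADER] = client_dn
    return out
```

Header names are matched exactly here for brevity; a real proxy treats them case-insensitively, and the bridged identity header is only trustworthy if the back end accepts connections from the proxy alone, since anyone who can reach the back end directly can set it.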

18 Pros and cons of the HTTP reverse proxy architecture
Pros:
- Centrally managed, secured and accelerated SSL
- Ideal place for web caching and content compression
Cons:
- Inline point of failure
- Increased latency

19 System based Interception
Operating system level:
- Pluggable services of the OS (e.g. network or file I/O)
- Loadable kernel modules for system call interception have been well known in the research community for more than 5 years
- Very effective technique for protection against steps 3, 4 and 5 of the attack life cycle
- Only recently generally applicable in production environments: considerable effort is spent on tools for defining a system baseline for common platforms and on making the technology manageable
Library level, on an invasiveness scale:
- Not invasive: dynamic linking against other libraries
- Medium invasive: recompilation with e.g. a compiler that supports adding code to dynamically check stack frames
- Highly invasive: modifying program code to interact with new APIs
- See a.o. the work of DistriNet in the context of the SoBeNet project

20 System based Interception (cont'd)
Data privacy:
- Encrypted file systems
- Encrypted databases: generic interception technique via views and triggers to transparently add encrypted information in tables; key management
Language runtime support:
- E.g. load-time modification of binary code
- Techniques are well known and promising for supporting composition and component frameworks, but not generally applicable to legacy software: they allow very fine-grained modifications and as such are too intrusive to apply to production applications
Application platform suite:
- J2EE container services and components
- Microsoft .NET services and components
- Under investigation

21 Example 2: Securing System Endpoints
A host intrusion prevention system filters all access to the system.
- Network traffic interceptor -> network shield (FW):
  - IP level: SYN flood, malicious IP headers, ICMP requests, ...
  - Service level: IP ranges (in/out), services
- System call interceptor -> LKM: file I/O, process execution, memory access, registry access, COM object access
[Figure: Network -> Host Operating System -> Application, with the network shield in front of the host, the LKM between the applications and the operating system, and the disk system below]

22 How does it work?
- Policy based on access rules
- Policy based on heuristic rules
- Correlation of system call events
- Cross-correlation of events of different systems
Rule: Resource, Operation, Application -> Allow/Disallow

23 Example rules
File Access Control Rule
  Action:     Deny, Allow, Query
  App Class:  $MS_Office
  Files:      C:\winnt\*.exe
  Operation:  Read, Write

Network Access Control Rule
  Action:               Deny, Allow, Query
  App Class:            $MS_Office
  Network Address:      128.66.2.10-20
  Network Service:      tcp/80
  Connection Direction: Client, Server
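A first-match evaluator for rules of the two shapes on this slide, as an added example that is not the product's rule engine. The application classes, the rule set and the `Query` default are constructed; the `$MS_Office` class, the `C:\winnt\*.exe` file pattern, the `128.66.2.10-20` address range and `tcp/80` are taken from the slide. The point worth seeing is that the application class is part of the match, so the same executable in the same path is treated differently depending on which program is doing the access.

```python
import fnmatch
import ipaddress

# Application classes: class name -> executable path patterns (constructed).
APP_CLASSES = {
    "$MS_Office": ["C:\\Program Files\\Microsoft Office\\*"],
    "$Browsers": ["C:\\Program Files\\Internet Explorer\\iexplore.exe"],
}

# File access control rules: (action, app class, file pattern, operations).  First match wins.
FILE_RULES = [
    ("Deny", "$MS_Office", "C:\\winnt\\*.exe", {"Write"}),
    ("Allow", "$MS_Office", "C:\\winnt\\*.exe", {"Read"}),
    ("Query", "$MS_Office", "C:\\winnt\\*", {"Write"}),
]
# Network access control rules: (action, app class, address range, service, directions).
NET_RULES = [
    ("Allow", "$MS_Office", "128.66.2.10-20", "tcp/80", {"Client"}),
    ("Deny", "$MS_Office", "*", "*", {"Client", "Server"}),
]
DEFAULT_ACTION = "Query"  # what happens when no rule matches: ask the user (constructed choice)


def app_in_class(exe_path, app_class):
    """Does the executable performing the access belong to the class named in the rule?"""
    return any(fnmatch.fnmatch(exe_path.lower(), p.lower()) for p in APP_CLASSES.get(app_class, []))


def in_range(addr, spec):
    """Address spec as on the slide: '128.66.2.10-20' (range over the last octet) or '*'."""
    if spec == "*":
        return True
    base, _, end = spec.partition("-")
    lo = ipaddress.ip_address(base)
    hi = ipaddress.ip_address(base.rsplit(".", 1)[0] + "." + end) if end else lo
    return lo <= ipaddress.ip_address(addr) <= hi


def check_file_access(exe_path, file_path, operation):
    """File access control: Deny, Allow or Query for one (application, file, operation) event."""
    for action, cls, pattern, ops in FILE_RULES:
        if app_in_class(exe_path, cls) and operation in ops and fnmatch.fnmatch(file_path.lower(), pattern.lower()):
            return action
    return DEFAULT_ACTION


def check_network_access(exe_path, addr, service, direction):
    """Network access control: Deny, Allow or Query for one connection attempt."""
    for action, cls, addrs, svc, dirs in NET_RULES:
        if app_in_class(exe_path, cls) and direction in dirs and in_range(addr, addrs) and svc in ("*", service):
            return action
    return DEFAULT_ACTION
```

With these rules an Office application may read but not write executables under `C:\winnt\`, writing anything else there prompts the user, and it may only talk as a client to tcp/80 on the 128.66.2.10-20 range; an executable outside any class falls through to the default, which is why the predefined baselines on the next slide matter for keeping the number of prompts manageable.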

24 Predefined system baselines
- Network applications
- Processes created by network apps
- Processes that read downloaded content
- Processes created by servers (TCP and UDP)
- Remote clients
- Microsoft Office applications
- Web browser applications
- E-mail applications
- ...

25 Current and future work
- Study and evaluation of point solutions
- Additional research on the interaction of interceptors:
  - for exchanging information not accessible at a particular interception point (e.g. authentication information for an access control module or for database access)
  - for attack correlation: reduction of false positives while preserving the security level
- Applying the interception framework to case studies using industry technology (J2EE, .NET)

26 www.ubizen.com

