
Project Part III

Project Part III. Double Deuce: Jibran Ilyas, Frank LaSota, Paul Lowder, Juan Mendez. Our Security Problem Is Website Attacks. Firewalls are common in every network deployment, so attackers use websites to get access to the internal network.





Presentation Transcript


  1. Project Part III Double Deuce Jibran Ilyas, Frank LaSota, Paul Lowder, Juan Mendez

  2. Our Security Problem Is Website Attacks • Firewalls are common in every network deployment, so attackers use websites to get access to the internal network • Every industry, be it an online shop, retail stores, educational institutions or the government sector, has a website for public use, which makes the website problem very common across multiple industries.

  3. SQL Injection Web Attack Example • Query Injected by the Attacker • Output from the Query • Note: Account numbers masked to protect customer identity
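The slide only shows screenshots of the injected query and its output. The following added example (not part of the deck) reproduces the mechanism it illustrates on a constructed in-memory table: the same lookup written with string concatenation, where the input becomes part of the SQL grammar, beside the parameterized form, where the input can only ever be a value. The table, account numbers and the `mask` helper are constructed for this example; the masking mirrors the slide's note about protecting customer identity.

```python
import sqlite3

# Constructed sample data, not taken from the slides.
ACCOUNTS = [
    ("alice", "1001-2233"),
    ("bob",   "1001-9988"),
]


def setup_db():
    """Create an in-memory SQLite database with a small accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, account_no TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", ACCOUNTS)
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable form: user input is concatenated into the SQL text."""
    sql = "SELECT account_no FROM accounts WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """Hardened form: the input is bound as a parameter, never parsed as SQL."""
    sql = "SELECT account_no FROM accounts WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def mask(account_no):
    """Mask all but the last four characters before displaying or logging."""
    return "*" * (len(account_no) - 4) + account_no[-4:]


def demo():
    """Run both lookups with a benign name and a constructed tautology input."""
    conn = setup_db()
    benign = "alice"
    injected = "' OR '1'='1"  # constructed input that turns the WHERE clause into a tautology
    return {
        "vulnerable_benign": [mask(a) for a in lookup_vulnerable(conn, benign)],
        "vulnerable_injected": [mask(a) for a in lookup_vulnerable(conn, injected)],
        "param_benign": [mask(a) for a in lookup_parameterized(conn, benign)],
        "param_injected": [mask(a) for a in lookup_parameterized(conn, injected)],
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

With concatenation the tautology returns every account; with a bound parameter the same input matches no row, because the database never interprets it as SQL. This is the fix a code review (slide 11) would ask for, and the pattern a negative-model WAF (slide 9) tries to recognise in transit.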

  4. PHP File Inclusion Web Attack Example

  5. Cross-Site Scripting (XSS) • In the code below, you will see that XSS can easily send you to an evil site • http://www.infotech.northwestern.edu/index.php?name=<script language=javascript>window.location="http://www.veryevilsite.com/toldya.htm";</script> • In the code below, you will see that XSS may cause denial of service with just one line of code • http://www.avatar.com/ccs1-release-testing/rao.php?name=<script language=javascript>setInterval("window.open('http://www.cs.northwestern.edu/~ychen/','innerName')",10);</script> • The link above will open a window of Dr. Chen's webpage and request it every 10 milliseconds (changed from every 100 milliseconds)
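Both slide examples work because the `name` query parameter is written straight back into the page. The added example below (it is not code from the deck or from the sites it names) shows the server-side side of that: a reflected parameter rendered unescaped beside the same rendering with HTML output encoding, checked against a constructed URL with an example-domain payload. `render_vulnerable`, `render_escaped`, `name_from_url` and `contains_active_markup` are names chosen for this example.

```python
import html
from urllib.parse import parse_qs, urlsplit


def name_from_url(url):
    """Extract the 'name' query parameter as the PHP page in the slide would."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("name", [""])[0]


def render_vulnerable(name):
    """Reflect the parameter into HTML with no encoding (the flaw on the slide)."""
    return "<h1>Hello, " + name + "</h1>"


def render_escaped(name):
    """Reflect the parameter with HTML entity encoding: tags become inert text."""
    return "<h1>Hello, " + html.escape(name, quote=True) + "</h1>"


def contains_active_markup(rendered):
    """Crude check for this demo only: is a <script tag still present after rendering?"""
    return "<script" in rendered.lower()


# Constructed URL on example domains, shaped like the slide's redirect payload.
SAMPLE_URL = ("http://app.example/index.php?"
              "name=<script>window.location='http://attacker.example/'</script>")


def demo():
    """Render the constructed payload both ways and report whether markup survives."""
    name = name_from_url(SAMPLE_URL)
    return {
        "vulnerable": contains_active_markup(render_vulnerable(name)),
        "escaped": contains_active_markup(render_escaped(name)),
        "escaped_html": render_escaped(name),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

`html.escape` turns `<`, `>`, `&`, `"` and `'` into entities, so the browser displays the payload as text instead of executing it; a name such as `Bob` renders unchanged. Encoding must match the context the value lands in (HTML body here; attribute, URL and JavaScript contexts need their own encoders), which is why a WAF's generic filter is described later in the deck as a "virtual patch" rather than a replacement for fixing the code.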

  6. Other Web Attacks • Attackers can target vulnerabilities in the browser (Internet Explorer or Firefox, Java console, plugins, etc.)

  7. Criteria for Evaluation • Criteria: Cost Effective; Few False Positives; High Availability; Effective for new threats; Ease of Configuration; Out of the box functionality • Solutions compared: Web Application Firewall; Manual Code Reviews and Pen Tests; Bluecoat Web Filter • IDS/IPS not ideal for web solution • Our Solution

  8. Solution Considerations • Web Application Firewalls (WAF) • Writing secure code is much easier said than done • WAF can block a variety of traffic • High performance and low latency; only looks at Layer 7 • Addresses the PCI 6.6 requirement for web security • Out of the box web security solution - "Virtual Patch" • Gartner's Magic Quadrant on WAFs due in Q4 of 2009 • Costs around $35,000 for the appliance • Common Web Application Firewalls (WAFs) include WebDefend, ModSecurity (open source) and Imperva SecureSphere

  9. WAF Defined • WAF Architecture Choices • Placed between Firewall and Web Application (Inline) • E.g. Reverse Proxy Mode and Transparent Mode • Connected to a network port on the same switch as the Web Application (Out of Band) • E.g. Network Monitor Mode • Blocks traffic by using TCP Resets • Adds no latency and avoids a single point of failure • Security Models • Allow only "Good" Traffic (Positive) • Block only Malicious Traffic (Negative)
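The two security models on this slide behave very differently on traffic nobody has written a signature for, which is the "Effective for new threats" criterion from slide 7. The added example below (not the deck's code and not how any named product is implemented) is a toy request filter with both models side by side: a negative model with a few constructed signatures, and a positive model with a per-parameter allowlist profile of the kind "Dynamic Profiling" on the next slide would learn. Paths, parameter names, signatures and sample requests are all constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote

# Negative model: a handful of constructed known-bad signatures (real rule
# sets are far larger, but the principle is the same).
NEGATIVE_SIGNATURES = [
    re.compile(r"<\s*script", re.I),   # script tag, as in the slide's XSS examples
    re.compile(r"'\s*or\s*'", re.I),   # ' OR ' tautology fragment
    re.compile(r"\.\./"),              # directory traversal in an include path
]

# Positive model: an allowlist profile per path and parameter. Here
# /index.php accepts only a 'name' parameter that looks like a person's name.
POSITIVE_PROFILE = {
    "/index.php": {"name": re.compile(r"^[A-Za-z][A-Za-z .'-]{0,39}$")},
}


def negative_model(path, query):
    """Allow everything except requests that match a known-bad signature."""
    decoded = unquote(query)  # decode exactly once; double-decoding is a classic WAF bypass
    for sig in NEGATIVE_SIGNATURES:
        if sig.search(decoded):
            return ("block", sig.pattern)
    return ("allow", None)


def positive_model(path, query):
    """Allow only paths and parameters that match the learned profile."""
    profile = POSITIVE_PROFILE.get(path)
    if profile is None:
        return ("block", "unknown path")
    params = parse_qs(query, keep_blank_values=True)  # parse_qs percent-decodes values
    for key, values in params.items():
        rule = profile.get(key)
        if rule is None:
            return ("block", "unknown parameter " + key)
        for value in values:
            if not rule.match(value):
                return ("block", "parameter " + key + " outside profile")
    return ("allow", None)


def evaluate(path, query):
    """Return the decision of each model for one request line."""
    return {
        "negative": negative_model(path, query)[0],
        "positive": positive_model(path, query)[0],
    }


# Constructed sample requests: benign, a signatured attack, a novel payload
# with no signature, and an undocumented parameter.
SAMPLE_REQUESTS = [
    ("/index.php", "name=Alice"),
    ("/index.php", "name=%3Cscript%3Ealert(1)%3C/script%3E"),
    ("/index.php", "name=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E"),
    ("/index.php", "name=Alice&debug=1"),
]


if __name__ == "__main__":
    for path, query in SAMPLE_REQUESTS:
        print(path, query, evaluate(path, query))
```

The third request carries no `<script` tag, so the negative model passes it while the positive model rejects it because the value is not a name; the fourth is harmless but fails the positive model on an unexpected parameter. That is the trade-off in one run: negative models are easy to deploy and produce few false positives, positive models catch new attack variants but need an accurate profile and can break when the application changes, which is what "Developers should stay on top" on slide 16 is about.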

  10. How a WAF Does the Job • Dynamic Profiling (Automated Application Learning) • Session Protection Engine • SSL Decryption • Data Leakage Protection

  11. Manual Code Reviews and Application Pen Tests • Best Defense of Websites • Manual tests done by experts • Whitebox testing available • Costs are $300 per 500 lines of code • Average Web Application Code Review costs $30,000 (50,000 lines of code)

  12. Bluecoat Web Filter Defined • Blue Coat WebFilter is an "on-proxy" web filtering solution that protects internal users from: • Spyware • Phishing attacks • P2P • IM and streaming traffic • Adult content (sorry) • Botnets (yayy) • Appliance starts at $10,000

  13. Bluecoat Web Filter – How it Works

  14. Bluecoat on the Fly detection (Dynamic Detection)

  15. Magic Quadrant for Secure Web Gateways

  16. Cost/Risk Analysis • Web Application Firewalls • Costs: Open source options available • Risks: Developers should stay on top • Manual Code Reviews and Application Pen Tests • Costs: Very high; $300 per 500 lines of code • Risks: Minimal; code is checked by ethical hackers • Bluecoat Web Filter • Costs: Appliance + support costs • Risks: Moderate; claims 98% coverage of malware

  17. Feasibility Analysis • Web Application Firewalls • Feasible because open source options available. • Huge Community Support • Manual Code Reviews and Application Pen Tests • Not feasible for most organizations; very costly • PCI accepts WAF in place of this • Bluecoat Web Filter • Feasible because of its database + Dynamic Protection • Network license needed rather than per client

  18. Business/Legal Consequences • Web Application Firewall (WAF) • Lessens the risk to web applications significantly • No legal consequences • Manual Code Reviews and Application Pen Tests • Business case not strong; compliance accepts a WAF instead • Legal consequences applicable, as the exploits discovered are documented and failure to remediate them can be bad • Bluecoat Web Filter • Strong business case, given web attacks in today's world • User privacy is a big legal concern

  19. Corporate Context • All three solutions are necessary for all industries • Government: Needless to say • Education: Private student records are at risk • Healthcare: Private health info at risk • Private sector: Social Security numbers, credit cards and intellectual property at risk • Failure to implement these solutions results in compromises, which cause a falling share price, dropping consumer confidence, a bad reputation and high remediation costs

  20. Related Work and Research in This Area
  • SANS Paper on Web Based Threats: http://www.sans.org/reading_room/whitepapers/application/web_based_attacks_2053?show=2053.php&cat=application
  • Symantec's Paper on Web Based Threats: http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_web_based_attacks_03-2009.en-us.pdf
  • DevShed.com's Cross-Site Scripting Paper: http://www.devshed.com/c/a/Security/A-Quick-Look-at-Cross-Site-Scripting/1/
  • Bluecoat WebFilter datasheet: http://www.bluecoat.com/doc/direct/789
  • Web Application Firewall (OWASP): http://www.owasp.org/index.php/Web_Application_Firewall

  21. Thank You! Jibran Ilyas, Frank LaSota, Paul Lowder, Juan Mendez
