Securing Legacy Software SoBeNet User group meeting 25/06/2004 PowerPoint Presentation
Presentation Transcript

  1. Securing Legacy Software. SoBeNet User group meeting, 25/06/2004

  2. Objectives
     • Existing applications are enabled to operate in a networked environment
       • Adapter Suites
       • Application Platform Suites (J2EE, .NET, …)
       • Application Servers
       • Enterprise Portals
       • Integration Suites
       • Message-Oriented Middleware
       • Object-Request Brokers
       • Transaction Processing Monitors
     → Preserve Security Level
     → Compliance with Security Standards and regulations
     → Manageable

  3. Ubizen – trusted partner in IT Security
     • Ubizen has vast experience in Application Security
       • Via a highly qualified consultancy team
         • Risk Management, Security Policies, Procedures and Standards
         • Architecture Review and Infrastructure design
         • Penetration testing
         • Application Vulnerability Assessment
         • Implementation of best-of-breed security products
       • Via product development
         • AAA products
         • Web Shielding (DMZ/Shield™)
     • Proven track record in IT Security
       • Top-3 Managed Security Service Provider worldwide
       • Number 1 in Europe
       • > 3200 devices under management
       • Incident Response
       • Forensics Investigation

  4. Three research tracks for securing existing applications
     • Protect all access paths to and from the application
       • Interception and validation of the communication between components, modules and systems
       • Shielding components, modules and systems from malicious traffic
     • Apply automatic protocol security
       • Moving to a more formal model for protocol description and automatic application of protocol security at different layers of the stack
     • Monitoring and managing
       • Introduction of security infrastructure is only the first step… keeping it properly configured and monitored 24 by 7 by experienced security experts is the second.

  5. MULTI LAYER approach to Application Security
     • Deep Packet Inspection
       • Protection at the network layer
       • Protection at the transport layer
       • Protection at the application layer
     • Defense in depth
       • Perimeter
       • Demilitarized Zone → Transactional Zone
     • Multi-tier architecture
       • Coordination of Security Information between the different tiers (e.g. SAML)
     • Protection of end points
       • Not all layers on the different tiers are under control (e.g. OS, Language execution environment, App Server): introduction of HIDS, Policy Compliance Modules, …

  6. 2-dimensional multi layer approach
     [Diagram: five tiers (GUI, Presentation Logic, Business Logic, Data Access, Data Layer) side by side along the horizontal axis "Security Context and Coordination"; each tier is a stack of layers 1 to 7, with Deep Packet Inspection at layer 7, along the vertical axis "Defense In Depth".]

  7. In practice …
     [Same diagram: tiers GUI, Presentation Logic, Business Logic, Data Access and Data Layer across "Security Context and Coordination"; layers 1 to 7 per tier, Deep Packet Inspection at layer 7, along "Defense In Depth".]

  8. Interception and Shielding in SoBeNet
     [Same diagram: tiers GUI, Presentation Logic, Business Logic, Data Access and Data Layer across "Security Context and Coordination"; layers 1 to 7 per tier, Deep Packet Inspection at layer 7, along "Defense In Depth".]

  9. Interception Techniques
     • Centralized applications
       • Interception of method invocations / library calls / system calls
       → System based interception and shielding
     • Distributed or multi-tier applications
       • Interception of traffic using standard internet protocols
       • Interception of Remote Method Invocations
       → Network based interception and shielding

  10. System based interception
     • Interception at the Operating System level
       • Pluggable services of the OS (e.g. network or file I/O)
       • Host Intrusion Detection and Prevention Systems work at this level
     • Library level
       • Dynamically loaded libraries can be replaced with more secure versions
     • Language runtime support
       • E.g. load-time modification of binary code
       • Validation of pre- and post-conditions
       • Auditability and forensics
     • Application Platform Suite
       • J2EE container services and components
       • Microsoft .NET services and components

  11. Network based interception
     • Proxy architectures…
       • Asymmetric proxy (the protocol encapsulates proxy support): no modification of client software
       • Reverse proxy
       • Symmetric proxy (generally applicable, but has an influence on client software)
     • Transparency
       • Link, network, transport level
       • Application protocol level (e.g. HTTP, …)
       • User application level

  12. Scope definition for maximum valorization of the results?
     • Target is “protecting” legacy applications …
     • … but these are built on evolving components
       • Web Applications → HTTP Firewalls
       • Service Oriented Architectures → XML Firewalls
       • Application Platform Suites → J2EE, .NET
     → Fall back on industry-adopted standards

  13. Internet Application Protocols …
     • The most important internet protocols were never designed with security in mind
     • The RFCs describing the protocols often allow ambiguous interpretation → vendors choose interoperability over security
     • Most applications use only a small part of the protocol definition … and vulnerabilities are often in the unused protocol functionality

  14. User Application Protocols …
     • Communication protocols at the application level are rarely specified, let alone formalized
     • User application protocols get less attention because they are typically used once, for a specific application
     • User application protocols are more complex because of their dependency on a (huge) internal state → combinatorial explosion of cases

  15. Automatic protocol security
     • Protocol = set of rules between communicating parties
       • Form and content → Formalization (Strong Typing, XML Schema, …)
       • Sequence → Formalization (State Charts, Sequence and Collaboration Diagrams, …)
     • SANITY Checking shields 4 of the Top 10 vulnerabilities in applications
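As an added illustration of the two formalizations on this slide (example code written for this page, not Ubizen's or SoBeNet's software): a tiny sanity-checking shield for a constructed "VERB key=value" protocol, where FORM gives every field a strong type and SEQUENCE is the state chart of one session; a message that fails either check is denied by default and recorded for forensics. The protocol, its verbs and the field types are assumptions made up for the example.

```python
import re
# Constructed toy protocol (an assumption, not from the slides): a session must run
# LOGIN -> QUERY* -> LOGOUT and each message is "VERB key=value ...".
# FORM: strong typing of every field per verb (the slide's "form and content").
FORM = {
    "LOGIN": {"user": re.compile(r"[a-z][a-z0-9_]{2,15}")},
    "QUERY": {"id": re.compile(r"[0-9]{1,9}")},
    "LOGOUT": {},
}
# SEQUENCE: state chart (state, verb) -> next state; unlisted transitions are denied.
SEQUENCE = {
    ("start", "LOGIN"): "authenticated",
    ("authenticated", "QUERY"): "authenticated",
    ("authenticated", "LOGOUT"): "closed",
}
def new_session():
    return {"state": "start", "audit": []}  # denied messages are kept for forensics

def parse(raw):
    """Split 'VERB k=v k=v' into (verb, fields); return None if malformed."""
    parts = raw.strip().split()
    if not parts or not re.fullmatch(r"[A-Z]{3,8}", parts[0]):
        return None
    fields = {}
    for item in parts[1:]:
        key, sep, value = item.partition("=")
        if not sep or not re.fullmatch(r"[a-z]{1,16}", key) or key in fields:
            return None
        fields[key] = value
    return parts[0], fields

def check_form(verb, fields):
    """Unknown verb, missing or extra field, or badly typed value -> deny."""
    spec = FORM.get(verb)
    return spec is not None and set(fields) == set(spec) and all(
        spec[k].fullmatch(v) for k, v in fields.items())

def shield(session, raw):
    """Default deny: forward to the legacy app only if form AND sequence pass."""
    parsed = parse(raw)
    if parsed is None or not check_form(*parsed):
        session["audit"].append(("DENY-FORM", raw))
        return False
    nxt = SEQUENCE.get((session["state"], parsed[0]))
    if nxt is None:
        session["audit"].append(("DENY-SEQUENCE", session["state"], parsed[0]))
        return False
    session["state"] = nxt
    return True
```

The two checks are independent: a well-formed QUERY is still denied before LOGIN, and a LOGIN with an extra field is denied even in the right state.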

  16. Manageability and Monitoring
     • Keeping the configuration up to date
       • Default Deny Policy
       • Automatic learning of normal behavior
       • Configuration automation: policy proposals
     • Monitoring of all the alerts triggered by the devices
       • Correlation of events from security components
       • Coordination and exchange of security state between devices reduces the false positives
       • Anomaly detection
     • Audit Trail
       • What information is required for forensics?
     • Performance Management
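An added example (not from the slides or from Ubizen) of the "learning of normal behavior" and "policy proposal" steps above: a shield in learning mode records field values from constructed normal traffic, derives a default-deny policy proposal (character class and length range per field, widened by a small slack) for an operator to review, and then enforces it. The traffic sample, the verbs and the character classes are assumptions made up for the example.

```python
import re
from collections import defaultdict

# Constructed learning-phase traffic: (verb, field, value) per observed request.
OBSERVED = [
    ("QUERY", "id", "42"), ("QUERY", "id", "7"), ("QUERY", "id", "1003"),
    ("LOGIN", "user", "alice"), ("LOGIN", "user", "bob_7"),
]

def character_class(values):
    """Narrowest of a few fixed classes that covers every observed value."""
    for name, pattern in (("digits", r"[0-9]+"), ("word", r"[a-z0-9_]+"),
                          ("printable", r"[\x20-\x7e]+")):
        if all(re.fullmatch(pattern, v) for v in values):
            return name, pattern
    return "any", r".*"

def propose_policy(observed, slack=2):
    """Per (verb, field): learned character class and length range with slack.
    Returns {(verb, field): {"class", "pattern", "min", "max"}} for review."""
    by_field = defaultdict(list)
    for verb, fld, value in observed:
        by_field[(verb, fld)].append(value)
    policy = {}
    for key, values in by_field.items():
        cls, pattern = character_class(values)
        lengths = [len(v) for v in values]
        policy[key] = {"class": cls, "pattern": pattern,
                       "min": max(1, min(lengths) - slack),
                       "max": max(lengths) + slack}
    return policy

def enforce(policy, verb, fields):
    """Default deny: the verb and every field must be known and within the proposal."""
    expected = {f for v, f in policy if v == verb}
    if not expected or set(fields) != expected:
        return False
    for fld, value in fields.items():
        rule = policy[(verb, fld)]
        if not (rule["min"] <= len(value) <= rule["max"]
                and re.fullmatch(rule["pattern"], value)):
            return False
    return True
```

Because the proposal is derived from traffic, it should be reviewed before enforcement: a verb or field that simply never appeared during learning is denied, which is the intended default-deny behaviour but also a source of false positives.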

  17. www.ubizen.com