GIS Risk Mitigation - PowerPoint PPT Presentation

About This Presentation
Title:

GIS Risk Mitigation

Description:

Discuss differences and purpose of Application Firewalls. Web ... Ounce Labs (Source Code Scanning) SPI Dynamics (Application Scanning) 28. Resources ... – PowerPoint PPT presentation


Transcript and Presenter's Notes

1
Application Firewalls
11th Annual New York State Cyber Security Conference, June 5th, 2008
2
Session Objectives
  • Discuss differences and purpose of Application
    Firewalls
  • Web Application Firewalls
  • Database Application Firewalls
  • XML Application Firewalls
  • Deployment and Management
  • Considerations

3
Overview
  • What are Application Firewalls?
  • Why do you need one when you already have a
    firewall?
  • Where do you deploy an application firewall?
  • What does it take to operate and maintain?

4
Who is Your Speaker?
Scott Sattler, Scott_at_SecureLabs.Net, 22 years in the IT field
  • Certifications
  • CISA, CISSP, CISM
  • CCNP, CCDP, CBCP
  • CFE, NSA IAM

Today's Job: Deploying and managing 30 Application Firewalls globally
5
Some Basics: Where do Application Firewalls fit?
  • Networking 101
  • OSI Model Layer 1 - 10
  • Your Applications
  • Your Organization

6
History of TCP/IP Filtering
  • Layer 3 Packet Filters
  • Router Security Enhancements
  • Stateful Firewalls
  • IDS/IPS With Firewalls
  • Host Based IDS With DMZs
  • Heuristics Based Attack Pattern Recognition

7
Attack Vector Changes Course
  • Attack Focus has changed over time
  • Networks and Network Protocols
  • Host Operating System
  • Standard Host Applications
  • Web and Business Applications
  • Database and Business Logic

Gartner now suggests that about 75 percent of the
attacks on the Internet are now focused on
applications
8
Security Problems: It's about Source Code
  • Let's Fix it Before it's a Problem
  • (Not going to happen)
  • Poor coding practices
  • Cost to remediate source code
  • Time to market
  • Lack of qualified talent
  • Lack of resources

9
Availability of Tools: Maturity and Ease of Access
  • Most commercial tools are available pirated on
    p2p sites
  • Freeware tools are easily accessible
  • Hacking Frameworks are prolific
  • Automated Scanning Engines with automatic
    signature updates

10
What is an Application Firewall?
  • Wikipedia (old): An application layer firewall
    is a firewall software operating at the
    application layer of a protocol stack. Generally
    it is a host using various forms of proxy servers
    to proxy traffic instead of routing it. As it
    works on the application layer, it may inspect
    the contents of the traffic, blocking what the
    firewall administrator views as inappropriate
    content, such as certain websites, viruses,
    attempts to exploit known logical flaws in client
    software, and so forth. An application layer
    firewall does not route traffic on the network
    layer, but from the application to the OS.
  • Webappsec.org (new): An intermediary device,
    sitting between a web-client and a web server,
    analyzing OSI Layer-7 messages for violations in
    the programmed security policy. A web application
    firewall is used as a security device protecting
    the web server from attack.

11
Application Firewalls: It's really Deep Packet Inspection
  • Deep packet inspection (DPI) (or sometimes
    complete packet inspection) is a form of computer
    network packet filtering that examines the data
    and/or header part of a packet as it passes an
    inspection point, searching for non-protocol
    compliance, viruses, spam, intrusions or
    predefined criteria to decide if the packet can
    pass or if it needs to be routed to a different
    destination, or for the purpose of collecting
    statistical information. This is in contrast to
    shallow packet inspection (usually called just
    packet inspection) which just checks the header
    portion of a packet.

12
Application Firewalls: Very Focused Technology
  • Web Application Firewalls
  • Database Application Firewalls
  • XML Based Application Firewalls
  • How Deep Do You Go?

13
Web Application Security Consortium
Web application firewalls (WAF) are a new breed
of information security technologies
designed to protect web sites from attack.
  • WAF solutions are capable of preventing attacks
    that network firewalls and intrusion detection
    systems can't, and they do not require
    modification of application source code.

14
Web Application Firewalls
  • Web Application Firewalls are often called 'Deep
    Packet Inspection Firewalls' because they look at
    every request and response within the
    HTTP/HTTPS/SOAP/XML-RPC/Web Service layers. Some
    Web Application Firewalls look for certain
    'attack signatures' to try to identify a specific
    attack that an intruder may be sending, while
    others look for abnormal behavior that doesn't
    fit the website's normal traffic patterns. Web
    Application Firewalls can be either software, or
    hardware appliance based and are installed in
    front of a web server in an effort to try and
    shield it from incoming attacks.

15
Web Application Protection
  • Input Validation
  • Cookie Protection
  • Content Validation
  • What it's not
  • Logic issues, access control issues
  • End All Be All?
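The shallow-versus-deep distinction of slide 11 and the request-level protections of slides 14 and 15 (signature matching on every parameter, cookie protection, content validation on the response) can be shown in a few dozen lines. The following is an added example written for this transcript, not code from the presentation or from any vendor named in it; the signature set, the cookie key and the request builder are constructed for the demonstration, and a product WAF would carry far larger signature sets and a per-deployment secret.

```python
import hmac
import hashlib
import re
from urllib.parse import parse_qs

# Constructed policy for this example; a production WAF carries far larger signature sets.
ALLOWED_METHODS = {"GET", "POST", "HEAD"}
SIGNATURES = {
    "sqli_tautology": re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I),
    "sqli_union": re.compile(r"\bunion\b.+\bselect\b", re.I),
    "xss_script_tag": re.compile(r"<\s*script\b", re.I),
    "path_traversal": re.compile(r"\.\./"),
}
RESPONSE_LEAKS = re.compile(
    r"ORA-\d{5}|You have an error in your SQL syntax|Traceback \(most recent call last\)")
COOKIE_KEY = b"constructed-demo-key"  # assumption: per-deployment secret held only by the WAF


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body.decode("latin-1")}


def shallow_checks(req: dict) -> list:
    """Header-only ("shallow") checks: protocol compliance the headers alone can decide."""
    findings = []
    if req["method"] not in ALLOWED_METHODS:
        findings.append("method-not-allowed")
    if req["version"] not in ("HTTP/1.0", "HTTP/1.1"):
        findings.append("bad-version")
    try:
        if int(req["headers"].get("content-length", "0")) != len(req["body"]):
            findings.append("content-length-mismatch")
    except ValueError:
        findings.append("bad-content-length")
    return findings


def sign_cookie(value: str) -> str:
    """Cookie protection: the WAF appends an HMAC so that client-side edits are detectable."""
    mac = hmac.new(COOKIE_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def cookie_is_intact(signed: str) -> bool:
    value, _, mac = signed.rpartition(".")
    expected = hmac.new(COOKIE_KEY, value.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def deep_checks(req: dict) -> list:
    """Parameter-level ("deep") checks: every query and form value meets the signature set."""
    findings = []
    params = parse_qs(req["target"].partition("?")[2], keep_blank_values=True)
    if req["headers"].get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for name, values in parse_qs(req["body"], keep_blank_values=True).items():
            params.setdefault(name, []).extend(values)
    for name, values in params.items():
        for value in values:
            for sig_name, pattern in SIGNATURES.items():
                if pattern.search(value):
                    findings.append(f"{sig_name}:{name}")
    for part in req["headers"].get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session" and not cookie_is_intact(value):
            findings.append("cookie-tampered")
    return findings


def inspect_request(raw: bytes) -> dict:
    req = parse_request(raw)
    findings = shallow_checks(req) + deep_checks(req)
    return {"verdict": "block" if findings else "allow", "findings": findings}


def inspect_response(body: str) -> list:
    """Content validation on the way out: back-end error text in a response is a finding."""
    return ["error-disclosure"] if RESPONSE_LEAKS.search(body) else []


def build_request(method: str, target: str, body: str = "", cookie: str = "") -> bytes:
    """Constructed request builder so the samples carry a correct Content-Length."""
    headers = [f"{method} {target} HTTP/1.1", "Host: app.example"]
    if body:
        headers += ["Content-Type: application/x-www-form-urlencoded",
                    f"Content-Length: {len(body)}"]
    if cookie:
        headers.append(f"Cookie: {cookie}")
    return ("\r\n".join(headers) + "\r\n\r\n" + body).encode("latin-1")


if __name__ == "__main__":
    good = build_request("GET", "/search?q=application+firewalls",
                         cookie="session=" + sign_cookie("alice"))
    print(inspect_request(good))
    print(inspect_request(build_request("POST", "/login", body="user=x' or '1'='1&pass=x")))
```

The split into `shallow_checks` and `deep_checks` is the point of slide 11: a packet filter or stateful firewall can only ever run the first function, because it never reassembles the HTTP body or decodes the parameters that the second one inspects.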

16
Example Interface
17
Example Input Validation
18
Upcoming Application Firewalls
  • An XML firewall is an application layer firewall
    that specifically defends XML-based applications
    against a wide variety of XML message and parser
    level attacks. XML firewalls are generally
    implemented as proxies due to the requirement
    that incoming and outgoing messages must be
    inspected for vulnerabilities before being passed
    to the application or client.
  • XML firewalls are designed to address familiar
    Web-based attacks that can be transported via
    XML, such as SQL injection and cross-site
    scripting (XSS). They are primarily geared toward
    detecting and preventing XML specific attacks
    such as extremely large messages, highly nested
    elements, coercive parsing, recursive parsing,
    schema and WSDL poisoning, and routing based
    attacks.
  • AJAX, .NET and Java Application Firewalls are just
    beginning to emerge

19
Database Firewalls
  • Traditional firewalls, used for protecting the
    database, only prevent attacks searching for
    vulnerabilities. Database firewalls take defense
    deep into the organization by providing full
    syntax control and audit of the SQL API stream
    before it reaches the database, and enforcing
    content-driven access to the database.

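"Full syntax control of the SQL API stream" in practice means reducing each statement to its syntactic shape and comparing that shape against what the application was observed to send while the firewall was learning. The following is an added example for this transcript, not code from the presentation or from any vendor it names; the tokenizer, the fingerprint format and the sample statements are constructed for the demonstration. It generalizes the slide's point slightly by showing that comment and whitespace changes do not alter the fingerprint while a changed statement structure does.

```python
import re

# Tokenizer: literals, comments, whitespace, words and punctuation, in that order of precedence.
TOKEN_RE = re.compile(r"""
      (?P<string>'(?:[^']|'')*')             # single-quoted literal; '' is an escaped quote
    | (?P<number>\b\d+(?:\.\d+)?\b)          # numeric literal
    | (?P<comment>--[^\n]*|/\*.*?\*/)        # line or block comment
    | (?P<space>\s+)
    | (?P<word>[A-Za-z_][A-Za-z0-9_.]*)      # keyword or identifier; dotted names kept whole
    | (?P<punct>[^\sA-Za-z0-9_])             # any other single character, e.g. a dangling quote
""", re.X | re.S)


def fingerprint(sql: str) -> str:
    """Reduce a statement to its shape: literals become '?', comments vanish, words are
    upper-cased and punctuation is space-separated, so only structure remains."""
    out = []
    for match in TOKEN_RE.finditer(sql):
        kind, tok = match.lastgroup, match.group(0)
        if kind in ("string", "number"):
            out.append(" ? ")
        elif kind in ("comment", "space"):
            out.append(" ")
        elif kind == "word":
            out.append(tok.upper())
        else:
            out.append(f" {tok} ")
    return re.sub(r"\s+", " ", "".join(out)).strip()


class DatabaseFirewall:
    """Learning mode records statement shapes; enforcement mode blocks any shape not recorded."""

    def __init__(self):
        self.allowed = {}  # fingerprint -> times seen while learning

    def learn(self, sql: str) -> str:
        fp = fingerprint(sql)
        self.allowed[fp] = self.allowed.get(fp, 0) + 1
        return fp

    def enforce(self, sql: str) -> dict:
        fp = fingerprint(sql)
        if fp in self.allowed:
            return {"verdict": "allow", "fingerprint": fp}
        return {"verdict": "block", "fingerprint": fp,
                "reason": "statement shape not in learned profile"}


# Constructed statements as the application would issue them during the learning period.
LEARNED = [
    "SELECT id, name FROM users WHERE name = 'alice'",
    "SELECT id, name FROM users WHERE name = 'bob'",
    "UPDATE users SET last_login = 1212660000 WHERE id = 42",
]

if __name__ == "__main__":
    fw = DatabaseFirewall()
    for stmt in LEARNED:
        fw.learn(stmt)
    print(fw.allowed)
    print(fw.enforce("SELECT id, name FROM users WHERE name = 'carol'"))
    print(fw.enforce("SELECT id, name FROM users WHERE name = '' OR '1'='1'"))
```

Because the profile is keyed on shape rather than text, a statement with a new literal value passes, while an injected tautology or an extra UNION clause produces a fingerprint the profile has never seen and is blocked. The learning counts are kept so that a shape seen once in weeks of traffic can be reviewed before the profile is trusted.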
20
Correlation of Events
  • Who did what to Whom, When, Where
  • The Front End and The Back End
  • Where is IDS in this picture?
  • Log correlation Systems
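Answering "who did what to whom, when, where" needs the front-end record (a user and source address seen by the web application firewall) joined to the back-end record (a statement seen by the database firewall), and the join is rarely on a shared key because the application talks to the database through a pooled service account. The following is an added example for this transcript, not code from the presentation or from any log-correlation product; both log formats and all log lines are constructed, and the join is a simple time window, which is an assumption about how close the two events are in practice.

```python
import re
from datetime import datetime, timedelta

# Constructed front-end (WAF) and back-end (database firewall) log lines.
FRONT_LOG = """\
2008-06-05T10:15:02Z waf src=203.0.113.7 user=alice url=/report?id=42 verdict=allow
2008-06-05T10:15:09Z waf src=198.51.100.9 user=bob url=/report?id=42 verdict=allow
"""
BACK_LOG = """\
2008-06-05T10:15:02Z dbfw dbuser=app_svc stmt="SELECT body FROM reports WHERE id = 42"
2008-06-05T10:15:10Z dbfw dbuser=app_svc stmt="UPDATE reports SET body = 'x' WHERE id = 42"
2008-06-05T10:31:45Z dbfw dbuser=app_svc stmt="SELECT * FROM users"
"""

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
TABLE_RE = re.compile(r"\b(?:from|into|update|join)\s+([A-Za-z_][\w.]*)", re.I)


def parse_line(line: str) -> dict:
    """Split '<timestamp> <source> k=v k="v with spaces"' into a dict with a datetime."""
    ts_str, source, rest = line.split(" ", 2)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    fields["source"] = source
    return fields


def correlate(front_log: str, back_log: str, window: timedelta = timedelta(seconds=2)) -> list:
    """Attribute each back-end statement to the most recent front-end request within
    `window` before it; a statement with no candidate is reported as unattributed."""
    front = [parse_line(l) for l in front_log.splitlines() if l.strip()]
    events = []
    for db in (parse_line(l) for l in back_log.splitlines() if l.strip()):
        candidates = [f for f in front if timedelta(0) <= db["ts"] - f["ts"] <= window]
        table = TABLE_RE.search(db["stmt"])
        event = {"when": db["ts"].isoformat(), "what": db["stmt"],
                 "whom": table.group(1) if table else None, "dbuser": db["dbuser"]}
        if candidates:
            f = max(candidates, key=lambda f: f["ts"])
            event.update(who=f["user"], where=f"{f['src']} {f['url']}", note=None)
        else:
            # The web tier saw nothing: either a batch job or direct database access.
            event.update(who=None, where=None,
                         note="no front-end request within window; possible direct database access")
        events.append(event)
    return events


if __name__ == "__main__":
    for ev in correlate(FRONT_LOG, BACK_LOG):
        print(ev)
```

The unattributed case is the one worth alerting on: a statement that reached the database with no corresponding web request is exactly the traffic that neither a web application firewall nor an IDS in front of the web tier would ever see, which is the slide's "where is IDS in this picture?" question.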

21
Do you really need an Application Firewall?
  • Traditional L3 firewalls are now beginning to
    have application logic integrated, however...
  • IDS/IPS is now beginning to incorporate
    application awareness, however...
  • Compliance Drivers: PCI
  • Legal Liability

22
Deployment Considerations
  • Money, Politics and Religion
  • The skill set is unique; it is not a network skill
  • Manual Configuring or Automation
  • Testing and Validation of the AF
  • Automatic Relearning
  • Network Deployment Impacts
  • What Latency?

23
Skill set
  • Can you afford them?
  • Network Engineer
  • Software Developer
  • Web Application Specialist

24
How Much Automation?
  • 80/20 Rule or 90/10?
  • Automatic Application Learning
  • Automatic Application Relearning
  • Configuration Sanity Checking
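Automatic application learning builds a positive model from observed traffic (which parameters each page takes, what characters they contain, how long they get), enforcement then flags anything outside that model, and relearning is needed when the application changes underneath the model. The following is an added example for this transcript, not code from the presentation or from any vendor it names; the character classes, the relearn threshold and the sample URLs are constructed, and `sanity_check` implements one reading of the slide's "configuration sanity checking": catching learned rules so loose that enforcing them would block nothing.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Ordered from strictest to loosest; learning only ever widens a parameter's class.
CHAR_CLASSES = [
    ("digits", re.compile(r"\A\d+\Z")),
    ("alnum", re.compile(r"\A[A-Za-z0-9_-]+\Z")),
    ("text", re.compile(r"\A[\w .,'-]+\Z")),
    ("any", re.compile(r".*", re.S)),
]


def classify(value: str) -> int:
    """Index of the strictest character class the value fits; empty values fit everything."""
    if value == "":
        return 0
    for idx, (_, pattern) in enumerate(CHAR_CLASSES):
        if pattern.match(value):
            return idx
    return len(CHAR_CLASSES) - 1


class PositiveModel:
    def __init__(self):
        self.params = {}  # (path, parameter name) -> {"class": int, "max_len": int}

    def learn(self, url: str) -> None:
        """Learning mode: widen the class and length bound for every parameter observed."""
        parts = urlsplit(url)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            entry = self.params.setdefault((parts.path, name), {"class": 0, "max_len": 0})
            entry["class"] = max(entry["class"], classify(value))
            entry["max_len"] = max(entry["max_len"], len(value))

    def check(self, url: str) -> list:
        """Enforcement mode: report every way a request falls outside the learned model."""
        parts = urlsplit(url)
        violations = []
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            entry = self.params.get((parts.path, name))
            if entry is None:
                violations.append(f"unknown-param:{name}")
                continue
            if classify(value) > entry["class"]:
                violations.append(f"class:{name} expected {CHAR_CLASSES[entry['class']][0]}")
            if len(value) > entry["max_len"]:
                violations.append(f"length:{name} > {entry['max_len']}")
        return violations

    def sanity_check(self) -> list:
        """Flag learned rules that are too loose to be worth enforcing."""
        warnings = []
        for (path, name), entry in self.params.items():
            if CHAR_CLASSES[entry["class"]][0] == "any":
                warnings.append(f"{path}?{name}: learned class 'any' blocks nothing")
            if entry["max_len"] > 1024:
                warnings.append(f"{path}?{name}: learned length {entry['max_len']} is too wide")
        return warnings


def needs_relearn(violation_lists: list, threshold: float = 0.3) -> bool:
    """Many requests tripping on the same unknown parameter is an application change, not an
    attack: recommend a relearning pass once that share of recent requests crosses `threshold`."""
    if not violation_lists:
        return False
    counts = {}
    for violations in violation_lists:
        for item in violations:
            if item.startswith("unknown-param:"):
                counts[item] = counts.get(item, 0) + 1
    return max(counts.values(), default=0) / len(violation_lists) >= threshold


if __name__ == "__main__":
    model = PositiveModel()
    for url in ("/report?id=42", "/report?id=7", "/search?q=web+firewalls"):  # constructed
        model.learn(url)
    print(model.params)
    print(model.check("/report?id=42abc"))
    print(model.sanity_check())
```

The 80/20 question on the slide is visible in the numbers: the learned bound `max_len` for `id` is whatever the longest observed value was, so a model learned from too little traffic over-blocks, while one learned from traffic that already contained attacks learns the class `any` and under-blocks; `sanity_check` catches the second case, and `needs_relearn` catches the drift that follows an application release.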

25
Deployment in the Enterprise
26
Validating Your Application Security
  • Scan your Source Code
  • Scan your Run Time Code
  • Scan your Operating Environment
  • Part of your SDLC and Operations Lifecycle
  • Not just for Public facing applications!
  • Do it Often and Do it in Depth

27
Sample Vendors
  • Imperva (Web/DB Application Firewall)
  • NetContinuum (Web Application Firewall)
  • Citrix (Web Application Firewall)
  • Guardium (Database Firewall)
  • Ounce Labs (Source Code Scanning)
  • SPI Dynamics (Application Scanning)

28
Resources
  • Web Application Security Consortium
  • http://www.webappsec.org/
  • Open Web Application Security Project
  • http://www.owasp.org
  • http://www.cgisecurity.com/

29
Closing Thoughts
  • Cost
  • Need
  • Risk
  • Ongoing Support
  • Management
  • Future Technology Directions

30
Questions
  • Scott_at_SecureLabs.net