
Deploying the Cisco ACE

Web Application Firewall

BRKAPP-2014

14618_05_2008_c2

2008 Cisco Systems, Inc. All rights reserved.

2006, Cisco Systems, Inc. All rights reserved.


Presentation_ID.scr

Cisco Public

What You'll Learn

Refresh on HTTP and Web Application Security
For HTTP intro, see BRKAPP-1015
For Web App Security, see BRKAPP-1009

The main features and functional benefits of the ACE Web Application Firewall product
Typical use cases and deployment architectures
A step-by-step description of how to deploy ACE Web Application Firewall for a perimeter security use case


Cisco Application Delivery Networks

Network Classification (Quality of service):
Network-based app recognition
Queuing, policing, shaping
Visibility, monitoring, control

Application Scalability:
Server load-balancing
Site selection
SSL termination and offload
Video delivery

Application Networking:
Message transformation
Protocol transformation
Message-based security
Application visibility

WAN Acceleration:
Data redundancy elimination
Window scaling
LZ compression
Adaptive congestion avoidance

Application Acceleration:
Delta encoding
FlashForward optimization
Application security
Server offload

Application Optimization:
Latency mitigation
Application data cache
Meta data cache
Local services

Other Cisco Live Breakout Sessions that You May Want to Attend

(Relevancy matrix columns: GSS, ISR, WAAS, ACNS, ACE, AXG, Applications)

BRKAPP-2002 Server Load Balancing Design
BRKAPP-3003 Troubleshooting ACE
BRKAPP-1004 Introduction WAAS
BRKAPP-2005 Deploying WAAS
BRKAPP-3006 Troubleshooting WAAS
BRKAPP-1008 What can Cisco IOS do for my application?
BRKAPP-1009 Introduction to Web Application Security
BRKAPP-2010 How to build and deploy a scalable video communication solution for your organization
BRKAPP-2011 Scaling Applications in a Clustered Environment
BRKAPP-2013 Best Practices for Application Optimization illustrated with SAP, Siebel and Exchange
BRKAPP-2014 Deploying AXG
BRKAPP-1015 Web 2.0, AJAX, XML, Web Services for Network Engineers
BRKAPP-1016 Running Applications on the Branch Router
BRKAPP-2017 Optimizing Application Delivery
BRKAPP-2018 Optimizing Oracle Deployments in Distributed Data Centers

Application Security
Trends and
Concerns


The Evolution of Intent

A Shift to Financial Gain
Threats Are Becoming Increasingly Difficult to Detect and Mitigate
Applications Are the Primary Targets

(Timeline of threat severity: 1990, 1995, 2000, 2005, 2007, What's Next?)
Vandalism: Basic Intrusions and Viruses
Notoriety: Viruses and Malware
Financial: Theft and Damage

PCI DSS: Six Sections and Twelve Requirements

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data and sensitive information across open public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Section 6.5: Develop secure web apps, cover prevention of OWASP vulnerabilities
Section 6.6: Ensure all web-facing apps are protected against known attacks using either of the following methods: secure coding practices, or installing a Web App FW*
*This becomes a requirement by June 2008

Traditional Network Firewalls Are Blind to Web Application Attacks

(Diagram: Web Client -> Firewall with ports 80 and 443 open, passing unfiltered HTTP traffic -> Web Server -> Application -> Database Server)

HTTP Refresher

For More In-Depth, See BRKAPP-1015


HTTP: An Application-Level Protocol

HTTP 1.0 (RFC 1945)
Informational
Performance and functional limits

HTTP 1.1 (RFC 2616)
Draft Standard
Persistent connections, caching
More stringent requirements

HTTP is always stateless; many tricks make it behave as session-oriented (cookies, session IDs)
Useful links:
http://www.w3.org/Protocols/
http://www.rfc-editor.org/rfcxx00.html

HTTP Request Elements
Three important elements of an HTTP request:
Method
URI
Headers


HTTP Request Methods
HTTP 1.1 Methods
OPTIONS: Ask server for available methods
GET: Request a resource from server
HEAD: Request resource and view response headers only
POST: Send data to the server
PUT: Send a file to the server
DELETE: Delete a file from the server
TRACE: Allows client to trace route via proxies to web server
CONNECT: Used by proxies for tunneling requests to web server

All methods expect an HTTP response from the server

In practice, both GET and POST send data to web applications

HTTP Query Parameters
The URL portion after the ?
http://www.google.com/search?q=cisco

Passed to the application (and vector to several attacks when improperly parsed)
Content returned dynamically based on query parameters
Overall page layout similar while data differs
For an example of how query parameters are used see Google's API description
http://www.google.com/apis/reference.html#2_2


HTTP Cookies
Cookies are pieces of information generated by a Web server and stored in the user's computer, ready for future access. Cookies Are Not Programs, and They Cannot Run Like Programs Do.

www.cookiecentral.com

Server sends cookie to client

Set-Cookie:NAME=VALUE;expires=DATE;path=PATH; domain=DOMAIN_NAME; secure=YES

Client sends cookie back to server on subsequent visits to domain

GET / HTTP/1.1\r\n
Host: DOMAIN_NAME\r\n
Cookie: NAME=VALUE;

HTTP Uniform Resource Identifiers

A URI Identifies and Locates a Network Resource

"http:" "//" host [":"port] [abs_path["?"query]]

(Diagram labels: Scheme; DNS Resolution (host); TCP Port; Path and File Name)
Additional Information

Typical Web Application Architecture

(Diagram: Web server receives input -> App server parses input -> DB receives query created and sent by App server)


Cisco ACE Web Application Firewall: Features and Functionality


Introducing Cisco ACE Web Application Firewall
Builds on top of industry-leading Cisco ACE XML Gateway platform
Can be software upgraded to full ACE XML Gateway solution

Web Application Firewall
Protects your custom HTTP and HTML applications from high-impact Web-borne attacks

SOA, Web Services, and XML Threat Defense
Secures and offloads web services transactions

Extensive HTML and XML Application Security



Platform Specifications

Specifications
1 rack unit
Four 10/100/1000 Gigabit Ethernet ports
4-GB RAM
High-performance dual-core, dual-processor architecture
High-performance cryptography acceleration
Full FIPS 140-2 Level 3 compliance (optional)
Hot-swappable dual SAS HDD, fan, and power supplies

Full reverse proxy
Deployable either as firewall, manager, or 2-in-1

WAF and AXG Feature Comparison

Features compared (columns: ACE Web Application Firewall; ACE Web Application Firewall w/AXG):
Web Application Security
Privacy
Encryption & Signature Support
Hardware SSL Acceleration (optional FIPS)
Centralized Management, Monitoring, Logging, and Audit
Policy-based provisioning and versioning
Protocol, Data and Security Mediation
XML Acceleration & Offload
Extensibility SDK
Content Based Routing

Typical Deployment

(Diagram labels: ACE XML Manager; Internet; External Web Application Consumers; ACE; ACE Web Application Firewall; DMZ; Web Servers; Network Firewall; Portal; Customer's Data Center)

Attacks!*

*(and how to defend against them)



Attacks!
Unvalidated Input
Cross-Site Scripting
SQL Injection
Cross-Site Request Forgery
Cookie Tampering


Attack #1: Unvalidated Input

What Is It?
Web apps use parameters to obtain information from the client

How Is This Vulnerable?
Developers focus on the legal values of parameters and how they should be utilized
Too much credit given to client-side browser validation
Little if any attention is given to the effect of incorrect values

Result
The application acts according to the changed information, potentially giving access to other users' accounts, confidential info, or anything else on the computer; vector for 90% of web-based attacks!

Defense: Signature Rules Engine

Blacklist approach: look for known and possible attacks in request content
Signatures detect particular attack vectors using pattern matching, regular expressions
Rules combine signatures to detect and block different types of attacks
Profiles combine rules and other features and apply them to particular web applications
Extensible via signature language (customer or partners)


Automatic Input Normalization

Input Is Normalized to Thwart Obfuscation Attacks That Use Encodings to Disguise Malicious Patterns

(Diagram: encrypted traffic -> Terminate and Decrypt SSL -> Normalize -> Apply Security Policy)
Normalization examples shown on the slide:
%2E%2E%2Fhome%2Fuser -> ../home/user
%2F%7Eroot%2Fetc%2Fpas -> /~root/etc/p
%2Fhomepage%2Findex%2 -> /homepage/index/pictures/thumbs.html

Input Normalization: Example

HTTP provides many ways to encode the same information. Input normalization undoes encodings to produce a canonical form of the request
http://foo.com/query?bar=%3c%73%63%72%69%70%74

http://foo.com/query?bar=<script

Many more, depending on scripting language, SQL, Unicode, etc.

Signatures
Each Signature Has:
User-readable name
Signature ID
Pattern used for initial match
Regular expression used to confirm match


Rules
Rules apply signatures to places in the message
REQUEST_PARAMS sig SQLInject

Severity level allows user to control strictness of enforcement, likelihood of false positives
Rules can be written very specifically
REQUEST_PARAMS[name].normalize(html) re ^foo.*


Expression Language
Variables make any part of the request message or its connection properties available
HTTP headers
HTTP body
Request parameters
Source and dest IP address
SSL properties (version, cipher, etc)

Operators allow applying checks to the selected part of the message


Attack #2: Cross Site Scripting

What Is It?
User feeds data to the web application
Web application doesn't sanitize input and echoes back the query
The unvalidated data contains a piece of JavaScript that is executed in the context of the user's browser session
A carefully formed link sent to a victim (usually by mail) results in the JavaScript code being run in the victim's browser, sending information to the hacker

Why Does Cross Site Scripting Happen?
Unvalidated input; example: HTML is permitted into query parameter
Application blindly echoes request back to browser

Result
Virtual hijacking of the session by stealing cookies
Any information flowing between the legitimate user and site can be manipulated or transmitted to a third party

Cross Site Scripting Applications

The second a hacker realizes a query parameter accepts HTTP, he can trick your browser into doing virtually anything:
Build hidden forms that submit your cookies
Check your browsing history
Scan your subnet for certain hosts
etc.

Commonly used in Phishing emails

Experts estimate 80% of web sites are vulnerable
(http://www.whitehatsec.com/downloads/WHXSSThreats.pdf)

Defense: Cross Site Scripting signature set


Looks for HTML in input stream
Input decoding shrinks signature set

But... What if I want to allow image tags?


False Positives: Human Assisted Learning

Cisco's Human Assisted Learning lets you place a site in monitor mode
When in monitor mode, security alerts are reported but traffic isn't blocked
You can click on each security incident and instruct the WAF to block traffic matching the pattern that caused the alert, or ignore it (false positive). The exception can be configured either at the profile level, or on a per web form parameter basis!
HaL integrates the benefit of dynamic learning but removes the guesswork from the equation: you ultimately control what is acceptable or not for your applications

HaL Walkthrough
Consider a web form with two input boxes. Both accept HTML and display it back to the user (fertile ground for XSS!) but suppose the name parameter can be exempted from XSS pattern checks
This is what the site profile looks like before HaL intervenes:

Modifiers Represent Exceptions to the Classification Process

An XSS Attack Is Detected

Inside the event log, a Create Modifier option appears

Create Modifier Is at the Heart of HaL


Options HaL Provides


The Rule Set Is Modified on a Per-Param Basis!

Ignore Signature 52 for Param Name

New Modifier Automatically Added
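The request-inspection pipeline the last few slides describe (normalize, cheap pattern match, regex confirmation, rules ranked by level inside a profile, monitor versus enforce, and the per-parameter modifier HaL creates), as an added Python example. This is not Cisco's code or the WAF's signature language; the signature IDs other than 52, the regexes and the request values are constructed for the example, and only request parameters are modelled.

```python
import html
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

LEVELS = {"basic": 1, "moderate": 2, "strict": 3}   # the deck's rule security levels


def normalize(value: str, max_rounds: int = 3) -> str:
    """Undo layered encodings so every signature sees one canonical form.
    Percent-decoding repeats until the text stops changing, which also unwraps
    double encoding (%253c -> %3c -> <); HTML entities are decoded last."""
    cur = value
    for _ in range(max_rounds):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return html.unescape(cur)


@dataclass(frozen=True)
class Signature:
    sig_id: int
    name: str
    pattern: str          # cheap substring used for the initial match
    confirm: re.Pattern   # regular expression that confirms the hit

    def matches(self, text: str) -> bool:
        # Two stages, as on the slide: a substring prefilter, then the precise regex.
        return self.pattern in text.lower() and self.confirm.search(text) is not None


# Constructed signature set. Only ID 52 is taken from the deck (the signature the HaL
# walkthrough exempts for the "name" parameter); the other IDs are invented here.
SIGNATURES = {
    52: Signature(52, "XSS: HTML tag in input", "<", re.compile(r"<\s*/?[a-z]", re.I)),
    201: Signature(201, "SQLInject: quoted OR tautology", "or",
                   re.compile(r"'\s*or\s+['\w]+\s*=\s*['\w]+", re.I)),
    301: Signature(301, "Path traversal: dot-dot segment", "..",
                   re.compile(r"(^|[\\/])\.\.([\\/]|$)")),
}


@dataclass(frozen=True)
class Rule:
    sig_id: int
    level: str                          # "basic", "moderate" or "strict"
    location: str = "REQUEST_PARAMS"    # the only message part modelled here


@dataclass
class Profile:
    name: str
    rules: list
    mode: str = "monitor"       # "monitor" reports only; "enforce" blocks
    level: str = "moderate"     # rules ranked above this level are not applied
    modifiers: set = field(default_factory=set)   # {(sig_id, param)} exceptions


@dataclass(frozen=True)
class Alert:
    sig_id: int
    name: str
    param: str
    action: str     # "alert" in monitor mode, "block" in enforce mode


def inspect_params(params: dict, profile: Profile) -> list:
    """Run every enabled rule of the profile over each (normalized) request parameter."""
    alerts = []
    for rule in profile.rules:
        if LEVELS[rule.level] > LEVELS[profile.level]:
            continue                        # stricter than the profile asks for
        sig = SIGNATURES[rule.sig_id]
        for param, raw in params.items():
            if (rule.sig_id, param) in profile.modifiers:
                continue                    # per-parameter exception created via HaL
            if sig.matches(normalize(raw)):
                action = "block" if profile.mode == "enforce" else "alert"
                alerts.append(Alert(rule.sig_id, sig.name, param, action))
    return alerts


def demo():
    """The deck's workflow: monitor, exempt the false positive, then enforce."""
    profile = Profile("pci-clone", rules=[Rule(52, "basic"), Rule(201, "basic"),
                                          Rule(301, "moderate")])
    params = {                                   # constructed request parameters
        "name": "<b>Victor</b>",                 # legitimate rich text: a false positive
        "comment": "%3c%73%63%72%69%70%74%3e",    # the deck's encoded <script>
        "id": "' or 1=1",                         # the deck's login-bypass value
        "file": "%252E%252E%2Fetc",               # double-encoded ../etc
    }
    monitored = inspect_params(params, profile)  # 4 alerts, nothing blocked
    profile.modifiers.add((52, "name"))          # "Ignore Signature 52 for param name"
    profile.mode = "enforce"
    enforced = inspect_params(params, profile)   # 3 blocks; "name" now passes
    return monitored, enforced
```

Note that "Victor" contains the substring "or", so the cheap prefilter fires for the SQL signature and only the regex stage clears it; that is why each signature carries both.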


Attack #3: SQL Injection

SQL stands for Structured Query Language
Allows applications to access a database
SQL can:
Execute queries against a database
Retrieve data from a database
Insert new records in a database
Delete records from a database
Update records in a database

Many applications take user input and blindly send it directly to SQL API!

Anatomy of a SQL Injection Attack: Basic SQL Query for Payment Info
Typical SQL query
SELECT cc_number FROM users
WHERE username = 'victor'
AND password = '123'

Typical ASP/MS SQL Server login syntax
// form input is concatenated straight into the SQL text
var sql = "SELECT cc_number FROM users WHERE username = '" + form_user + "' AND password = '" + form_pwd + "'";


Anatomy of a SQL Injection Attack: SQL Injection, Bypass Login
Attacker injects the following:
SQL comment
form_user = ' or 1=1
form_pwd = anything

Final query would look like this:

SELECT * FROM users
WHERE username = ' ' or 1=1    (always true!)
AND password = 'anything'

Attacker gains access to the application!
Not just logins: alter database, dump payment card information
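The concatenation pattern from the previous slides next to its parameterized form, as an added Python example (not from the deck) on an in-memory SQLite table; the table row and the card number in it are constructed and not real.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory users table with one constructed row (not real card data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT, cc_number TEXT)")
    con.execute("INSERT INTO users VALUES ('victor', '123', '4111-1111-1111-1111')")
    return con


def build_concat_sql(form_user: str, form_pwd: str) -> str:
    """The deck's ASP pattern: form input is spliced into the SQL text, so a quote
    in the input ends the string literal and whatever follows is parsed as SQL."""
    return ("SELECT cc_number FROM users WHERE username = '" + form_user
            + "' AND password = '" + form_pwd + "'")


def login_concat(con: sqlite3.Connection, form_user: str, form_pwd: str) -> list:
    """Vulnerable lookup: executes the concatenated string as-is."""
    return [row[0] for row in con.execute(build_concat_sql(form_user, form_pwd))]


def login_param(con: sqlite3.Connection, form_user: str, form_pwd: str) -> list:
    """Hardened lookup: placeholders hand the values to the driver separately, so
    quotes, OR and comment markers in the input never become SQL syntax."""
    sql = "SELECT cc_number FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in con.execute(sql, (form_user, form_pwd))]


def demo() -> tuple:
    con = make_db()
    ok_concat = login_concat(con, "victor", "123")   # legitimate login works either way
    ok_param = login_param(con, "victor", "123")
    # The deck's injected values handed to the hardened query are treated as the
    # literal username "' or 1=1", which matches no row.
    injected_param = login_param(con, "' or 1=1", "anything")
    # The text the vulnerable version would execute for the same values: the
    # tautology has become live SQL inside the WHERE clause.
    injected_sql = build_concat_sql("' or 1=1", "anything")
    return ok_concat, ok_param, injected_param, injected_sql
```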

Defense: SQL Injection signature set


Detect SQL in input parameters


Defense: Response Message Rewrite


Search for and replace questionable content in
responses from server


Attack #4: CSRF
Whereas cross-site scripting exploits the trust a user has in a website, a cross-site request forgery exploits the trust a Web site has in a user by forging a request from a trusted user. (source: Wikipedia)
How does it work:
Bob is logged into his bank's website
Bob is also chatting/reading a blog at the same time
Hacker posts a comment in the blog inviting Bob to click a link
The link performs an action on Bob's bank
As Bob is logged in, the action has the potential to succeed

Simple example: http://www.google.com/setprefs?hl=ga

Note that Bob doesn't even have to click a link; a simple
<img src="http://example.org/buy.php?item=PS3&qty=500"> on a web page could suffice!

Defense: CSRF
Not trivial, no simple one-stop-solution
Several server-side solutions:
Generate random tokens for forms or actions so a hacker can't guess
Make sure the site isn't XSS-vulnerable
Use CAPTCHAs


Defense: Referrer Enforcement

The browser/client populates the Referer* header to indicate the address (URI) of the resource from which the Request-URI was obtained
WAF can require that the header be a link on the same web site
Not foolproof: spoofing has been demonstrated!

* (sic): it's misspelled in the specification
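Added example (not the deck's or Cisco's code) of the two defences from the last two slides applied together to the deck's buy.php scenario: a per-session token that cannot be guessed, plus the same-site Referer check the WAF can enforce. The host bank.example, the key, the session id and the requests are constructed.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SITE_KEY = b"constructed-demo-key-not-for-production"   # server secret (constructed)
SITE_HOST = "bank.example"                               # protected site (constructed)


def issue_csrf_token(session_id: str, key: bytes = SITE_KEY) -> str:
    """Per-session token to embed in every state-changing form: an HMAC of the
    session id, so it cannot be guessed and is worthless for any other session."""
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_ok(session_id: str, token: str, key: bytes = SITE_KEY) -> bool:
    expected = issue_csrf_token(session_id, key)
    return bool(token) and hmac.compare_digest(expected.encode(), token.encode())


def referer_ok(headers: dict, site_host: str = SITE_HOST) -> bool:
    """The deck's WAF check: the Referer must point at the same web site. Header
    names are matched case-insensitively; a missing Referer is rejected (a policy
    choice made for this example)."""
    ref = next((v for k, v in headers.items() if k.lower() == "referer"), "")
    return bool(ref) and urlsplit(ref).hostname == site_host


def decide(headers: dict, params: dict, session_id: str) -> str:
    """Gate for a state-changing endpoint such as /buy.php: both defences must pass.
    Returns the decision with its reason, which is what the WAF would log."""
    if not referer_ok(headers):
        return "deny: referer not same-site"
    if not csrf_token_ok(session_id, params.get("csrf", "")):
        return "deny: missing or wrong csrf token"
    return "allow"


def demo() -> tuple:
    sid = secrets.token_hex(16)                  # Bob's session id, issued at login
    token = issue_csrf_token(sid)
    # Bob submits the site's own form: same-site Referer and his session's token.
    legit = decide({"Referer": "https://bank.example/cart"},
                   {"item": "PS3", "qty": "1", "csrf": token}, sid)
    # The deck's <img src=...buy.php?item=PS3&qty=500> on a blog page: Bob's browser
    # attaches his session cookie, but the Referer is the blog and no token is present.
    forged = decide({"Referer": "https://blog.example/post/42"},
                    {"item": "PS3", "qty": "500"}, sid)
    # A same-site Referer alone is not enough (it can be spoofed or stripped), so the
    # token is still required.
    referer_only = decide({"referer": "https://bank.example/cart"},
                          {"item": "PS3", "qty": "500"}, sid)
    return legit, forged, referer_only
```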



Attack #5: Broken Authentication and Session Management Using Cookie Tampering
What Is It?

A cookie that has had its value changed by the user

Cookie storage is managed and controlled by the user
Cookies can be viewed and modified by the user
Cookies transferred in the open can be captured and modified by a third party

Why Does It Happen?

Cookie information is weakly encrypted or hashed
Web application developers are unaware of the threat or lack the cryptographic expertise to prevent tampering
The cookie is assumed to contain a certain format of content, an assumption that isn't verified

Result
Identity theft or impersonation by a third party altering the session id or authorization information stored in the cookie
DoS or even remote command execution due to buffer overflows

Defense: Cookie Tampering

No need to reinvent the wheel: existing proven encryption algorithms available to web application developers
Use modern development frameworks for session maintenance
Cisco's WAF can encrypt cookies, only sending an MD5 hash of the actual cookie
Immune to tampering
Be aware that replay attacks are still possible


Cookie Security: Signing and Encryption

(Diagram: Clients on one side, Web Server on the other)

Cookie as set by the Web Server:
sess1=1800; expires=Mon, 15-Dec-2006 1:03:00 GMT; path=/; domain=.google.com; secure

After Encryption (as sent to Clients):
CP_EN7a989b1f1b9e966e47d629eec63302d3571d1677b27fe1bebba48df648b2edc=; expires=Mon, 15-Dec-2006 1:03:00 GMT; path=/; domain=.cisco.com; secure
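Added Python example of the signing half of the slide above: a WAF-style rewrite of the server's cookie into an opaque, keyed-MAC value that is verified and restored on the way back. It is not Cisco's implementation; it uses HMAC-SHA256 in place of the MD5 hash the deck mentions, the key and cookies are constructed, and it does not encrypt the value (the standard library has no cipher), so it demonstrates tamper evidence only.

```python
import base64
import hashlib
import hmac

WAF_KEY = b"constructed-waf-cookie-key"   # constructed; the appliance keeps its own key
MAC_LEN = hashlib.sha256().digest_size    # 32 bytes appended to every protected value


def _mac(name: str, value: str, key: bytes) -> bytes:
    # Keyed HMAC-SHA256 over "name=value" (binding the name stops a MAC being moved
    # to another cookie). HMAC-SHA256 is swapped in for the MD5 the deck mentions.
    return hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).digest()


def protect_set_cookie(set_cookie: str, key: bytes = WAF_KEY) -> str:
    """Outbound (server -> client): replace the cookie value with an opaque,
    tamper-evident blob; expires/path/domain/secure attributes are kept as-is."""
    first, _, attrs = set_cookie.partition(";")
    name, _, value = first.strip().partition("=")
    blob = base64.urlsafe_b64encode(value.encode() + _mac(name, value, key)).decode()
    return f"{name}={blob}" + (";" + attrs if attrs else "")


def unprotect_cookie(cookie_header: str, key: bytes = WAF_KEY) -> dict:
    """Inbound (client -> server): verify every cookie and restore the original
    value for the server. Cookies that fail verification are dropped and listed
    under "rejected", never forwarded. A captured valid blob still verifies:
    signing stops tampering, not replay (the deck's caveat)."""
    restored, rejected = {}, []
    for pair in cookie_header.split(";"):
        name, _, blob = pair.strip().partition("=")
        if not name:
            continue
        try:
            raw = base64.urlsafe_b64decode(blob.encode())
        except ValueError:             # not base64 at all (binascii.Error is one)
            rejected.append(name)
            continue
        if len(raw) <= MAC_LEN:        # too short to even carry a MAC
            rejected.append(name)
            continue
        value, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
        text = value.decode("utf-8", "replace")
        if hmac.compare_digest(mac, _mac(name, text, key)):
            restored[name] = text
        else:
            rejected.append(name)
    return {"restored": restored, "rejected": rejected}


def demo() -> dict:
    # The deck's "before" cookie, constructed here with the attributes on the slide.
    set_cookie = ("sess1=1800; expires=Mon, 15-Dec-2006 1:03:00 GMT; path=/; "
                  "domain=.google.com; secure")
    wire = protect_set_cookie(set_cookie)            # what the client stores
    opaque = wire.split(";", 1)[0].split("=", 1)[1]  # the value the client echoes back
    good = unprotect_cookie(f"sess1={opaque}")
    # A client that edits the value (here: claims session 9999) cannot produce the MAC.
    forged_blob = base64.urlsafe_b64encode(b"9999" + bytes(MAC_LEN)).decode()
    forged = unprotect_cookie(f"sess1={forged_blob}; other=1")
    plain = unprotect_cookie("sess1=1800")           # the raw server value is refused too
    return {"wire": wire, "good": good, "forged": forged, "plain": plain}
```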

Additional Security
Features


Exception Mapping
Servers can expose too much data in error messages: stack traces, SQL schemas


Exception Mapping
Replace server errors with WAF-generated content


HTTP Header Processing: Server Header Cloaking
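Added example (not the WAF's own logic) that ties together the response message rewrite, exception mapping and server header cloaking slides: a response filter that strips fingerprinting headers, replaces error pages that leak internals with WAF-generated content, and masks card numbers in bodies. The header names, leak patterns, reference ids and sample responses are constructed.

```python
import re

# Constructed policy for this example: headers that fingerprint the server software,
# body patterns that betray internals, and one rewrite rule that masks card numbers
# (the deck's PCI context). Adjust all three to the application being protected.
CLOAKED_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}
LEAK_RE = re.compile(
    r"Traceback \(most recent call last\)|Stack Trace:|\bat [\w.$<>]+\([\w.]+:\d+\)"
    r"|ORA-\d{5}|SQLSTATE\[|You have an error in your SQL syntax", re.I)
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
GENERIC_ERROR = ("<html><body><h1>Service unavailable</h1>"
                 "<p>Reference {ref}</p></body></html>")


def luhn_ok(digits: str) -> bool:
    """Luhn check so only plausible card numbers are masked; long order ids or
    timestamps that happen to have 13+ digits are left alone."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _mask_pan(m: re.Match) -> str:
    digits = re.sub(r"\D", "", m.group(0))
    if not luhn_ok(digits):
        return m.group(0)
    return "*" * (len(digits) - 4) + digits[-4:]


def filter_response(status: int, headers: dict, body: str, ref: str) -> tuple:
    """WAF-side response processing: cloak server headers, map leaky errors to a
    generic page carrying a reference the operator can look up in the WAF log, and
    rewrite questionable content. Returns (status, headers, body, events)."""
    events, out = [], {}
    for k, v in headers.items():
        if k.lower() in CLOAKED_HEADERS:
            events.append(f"cloaked header {k}")
        else:
            out[k] = v
    if status >= 500 or LEAK_RE.search(body):
        events.append(f"exception mapped (server status {status})")
        status, body = 500, GENERIC_ERROR.format(ref=ref)   # policy: always a plain 500
    else:
        masked = PAN_RE.sub(_mask_pan, body)
        if masked != body:
            events.append("masked card number(s) in body")
            body = masked
    for k in list(out):                       # the body changed, so fix the length
        if k.lower() == "content-length":
            out[k] = str(len(body.encode()))
    return status, out, body, events


def demo() -> tuple:
    # Constructed server responses: an ASP.NET-style error page and a receipt.
    leaky = filter_response(
        500,
        {"Server": "Microsoft-IIS/6.0", "X-Powered-By": "ASP.NET",
         "Content-Type": "text/html"},
        "Server Error in '/' Application.\nStack Trace:\n"
        "   at Shop.Checkout.Pay(String cc) in c:\\inetpub\\shop\\pay.aspx.cs:line 42",
        ref="REQ-0001")
    receipt = filter_response(
        200,
        {"Content-Type": "text/plain", "Content-Length": "80"},
        "Order 17 for victor: card 4111-1111-1111-1111 charged; order id 1234567890123456",
        ref="REQ-0002")
    return leaky, receipt
```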


Data Overflow Defense


SSL Termination
Offloads crypto and connection handling from server
Enables HTTP/1.1 connection re-use, SSL session reuse, client certificate authentication
Consolidate private keys on WAF device
Decrypt and re-encrypt for end-to-end SSL

(Diagram: HTTPS on the client side of the WAF, HTTP towards the server)

Note: ACE can also terminate SSL; when to terminate where is covered in Deployment Considerations

Upgrading to ACE XML Gateway


Web Services and Web Applications

ACE Web Application Firewall provides a high level of protection for HTML-based applications.
For XML-based web services, ACE XML Gateway can provide security, mediation, and offload
Software upgrade to move from WAF to AXG; can run both sets of functionality on same device


Deployment
Considerations


Clustering
There are two software components: the manager and the firewall; each has a separate software license
Both components run on the AXG appliance hardware; you can run either or both components on the same appliance
ACE WAF achieves high availability via an external HTTP load balancer such as the ACE application switch
The manager is not a runtime component, so a typical deployment uses cold standby for redundancy


Clustering: Stand-Alone ACE WAF


Firewall and manager running on same appliance
Used for PoC situations or development environments


Clustering: Separate Manager

Two or more appliances running firewall component
One appliance running manager component

(Diagram: Firewall, Firewall, Manager)

Clustering: Integrated Manager

One appliance running both firewall and manager components
One or more appliances running only firewall component

(Diagram: Manager and Firewall, Firewall)

Deployment Modes
Layers 2-3: One-armed or multi-arm
One-armed: single NIC handles all traffic (e.g. 128.32.65.37)
Same VLAN for pre- and post-Gateway traffic
Simplest mode for configuration

Multi-arm: Multiple NICs for traffic (e.g. 128.32.65.37 and 10.7.83.12)
Different VLAN on each NIC
Static routes needed in most environments
Single routing table/default route for entire system
Decision as to which NIC to use made by Linux kernel based on Layer 3 destination address
Firewall policy has no concept of internal/external addresses!

In either case, multiple IPs per VLAN possible for virtual hosting


Use Case: Perimeter Security

(Diagram labels: ACE XML Manager; Internet; External Web Application Consumers; ACE; ACE Web Application Firewall; Portal; DMZ; Web Servers; Network Firewall; Customer's Data Center)

Perimeter Security: One-Armed Proxy

Traffic passes through ACE twice
Easy to insert into existing ACE deployment
Allows for fail-open or fail-closed configuration


Perimeter Security: Two-Armed Proxy

(Diagram: Public Internet / Web Application Consumers -> ACE Application Switch (VIP: 63.90.156.60; 10.30.1.1) -> ACE WAFs (10.30.1.151, 10.30.1.152 on the outer side; 10.20.1.151, 10.20.1.152 on the inner side) -> ACE Application Switch (VIP: 10.20.1.200; 10.20.1.1; 10.10.1.1) -> Web Application Providers (10.10.1.10, 10.10.1.11, 10.10.1.12))

Different contexts on same physical ACE can be used on both sides
Best practice when backend is multiple hops from ACE WAF, need DMZ separation

One-Armed: Terminate SSL at ACE

Consolidate keys on load balancer
Use L7 classmap to direct traffic at ACE


One-Armed: Terminate SSL at ACE WAF

Optionally perform end-to-end SSL to application


Alternative Network Deployment Model

(Diagram: External HTTP and XML Web Services Consumers on the Internet -> AXG Web Application Firewall (Full Reverse Proxy) -> HTTP -> WWW Portal: WWW1, WWW2, WWW3; DNS Points to AXG WAF when Asked for WWWx)

The ACE Web Application Firewall is a full reverse proxy
In other words, you can have the DNS server point to the IP address of the WAF to represent the actual Web server
At that point, the WAF accepts all requests destined to the Web server, filters them, and sends them out; the response comes back to the WAF as well for total control of the session


Deployment
Example


Deployment Example
Steps to Deploy:
Configure WAF network and cluster settings
Define web application and apply profile
Deploy in monitor mode and tune
Re-deploy in enforcement mode


Network Diagram Before: No WAF

Standard ACE L7 configuration with SSL termination, TCP reuse


Network Diagram After: With WAF

Deployment mode: one-armed proxy, terminate SSL at ACE
Two WAF devices, one acting as firewall, other as joint firewall and manager

Cable Devices
Four RJ45 Gigabit Ethernet network interfaces (eth0, eth1, eth2, eth3)
One LOM NIC
See HP DL360 docs

Serial console (RS232)
VGA/keyboard video console (VGA, PS/2 keyboard)
Dual power supplies
nCipher card reader (only on FIPS model)

Configure Network Settings

Connect KVM or Serial Console
Log in as root
Set standard IP settings
IP address
Hostname
DNS server
NTP server

Set as Gateway, Manager, or both

Log in to Manager
Point browser at machine selected to be Manager, HTTPS port 8243
https://172.25.91.151:8243/

Log in as administrator, password swordfish


Configure as Cluster


Getting Started with the Cisco ACE WAF

1. A Wizard Helps You Define the Websites You Want to Protect

Specify the IP Address or Name of the Backend Server

Monitor Means the WAF Alerts but Doesn't Block; Extremely Convenient If You're Leery of Deploying Inline

Call the WAF Wizard
Getting Started with the Cisco ACE WAF
2. If (Host + URL) Classification Isn't Sufficient, an Expert Mode Is Available
You can use regular expressions to define the site.
You can use additional parameters for classification.
Getting Started with the Cisco ACE WAF
3. You Can, for Instance, Require the Presence of a Given HTTP Header
Full classification customization.

Getting Started with the Cisco ACE WAF
4. We Have Defined Our First Protected Web Server (http://172.25.89.140/)
Website protected by the WAF.
Factory-shipped PCI profile applied.

Protecting the Website from XSS
5. The WAF Ships with Predefined Profiles That You Can Clone and Edit
XSS protection.

Fine-Tuning a Security Profile
6. Inside a Profile You Find Groups of Rules (Rule = Signature). Each Group Contains Rules Ranked by Security Level
XSS rules level.
Action to take when an XSS is detected.

Fine-Tuning a Security Profile
7. The XSS Group Contains Rules That Are Cisco Verified Signatures
Hundreds of XSS rules are shipped from the factory.
Each rule has a unique ID and a security level (basic, moderate, and strict).
Profile Ready to Be Deployed
8. Here Is What Our Custom Test Profile Looks Like: XSS Protection Is Enabled
XSS protection enabled with level strict.

Associate the Profile to the Website
9. Map the Profile to the Website
Profile Test mapped to our website.

Deploy the Policy to the WAF Firewalls
10. Cisco ACE WAF Ships with Strong Change Control and Audit Log Capabilities
Deltas between the currently applied policy and the proposed one are highlighted.
Proactive Notification of Potential Problems
11. Cisco ACE WAF Alerts You of Risks Associated with Certain Configuration Options
Proactive performance warnings.

Verification of Successful Deployment
12. Multiunit Deployment + Timestamp and Rollback of Policies
Timestamps.
Policies can be deployed to N gateways.
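The change-control workflow of steps 10 to 12 (highlighted deltas between the applied and proposed policy, timestamped deployment to N gateways, rollback to an earlier version) modelled as an added Python example. This is not the ACE WAF manager's own code: policies are plain dicts of profile settings, and the setting names and gateway names used with it are constructed for illustration.

```python
"""Versioned policy store with deltas, timestamped multi-gateway deploys and rollback.

Added example modelling the manager's change-control workflow; not Cisco code.
"""
from datetime import datetime, timezone


def policy_delta(current: dict, proposed: dict) -> dict:
    """Differences between the applied policy and the proposed one.

    Returns {'added': {...}, 'removed': {...}, 'changed': {key: (old, new)}},
    i.e. what the manager highlights before you confirm a deploy."""
    added = {k: proposed[k] for k in proposed if k not in current}
    removed = {k: current[k] for k in current if k not in proposed}
    changed = {k: (current[k], proposed[k]) for k in current
               if k in proposed and current[k] != proposed[k]}
    return {"added": added, "removed": removed, "changed": changed}


class PolicyManager:
    """One manager driving N gateways; every deploy becomes an audited version."""

    def __init__(self, gateways):
        self.gateways = list(gateways)
        self.history = []                                   # (version, timestamp, policy)
        self.applied = {gw: None for gw in self.gateways}   # version running per gateway

    @property
    def current(self) -> dict:
        """The policy currently applied (empty before the first deploy)."""
        return self.history[-1][2] if self.history else {}

    def deploy(self, proposed: dict, now=None):
        """Record a new version and push it to every gateway.

        Returns the audit record (version, timestamp, delta, gateways),
        or None when the proposed policy is identical to the applied one."""
        delta = policy_delta(self.current, proposed)
        if not any(delta.values()):
            return None
        version = len(self.history) + 1
        stamp = (now or datetime.now(timezone.utc)).isoformat()
        self.history.append((version, stamp, dict(proposed)))
        for gw in self.gateways:
            self.applied[gw] = version   # multiunit deployment: all gateways move together
        return {"version": version, "timestamp": stamp, "delta": delta,
                "gateways": list(self.gateways)}

    def rollback(self, version: int, now=None):
        """Re-deploy an earlier snapshot as a new version so the audit trail stays linear."""
        for v, _, policy in self.history:
            if v == version:
                return self.deploy(policy, now)
        raise ValueError(f"no such policy version: {version}")

    def audit_log(self):
        """Timestamped list of (version, timestamp), oldest first."""
        return [(v, ts) for v, ts, _ in self.history]
```

Rollback deliberately creates a new version rather than truncating history, so the audit log still shows that the stricter policy was applied and later withdrawn.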

The Website Is Under Attack
13. We Are Launching an XSS Attack Against the Website
Immediate incident report view.

Let's Drill Down
14. Let's See What the Attack Looks Like
ID of the rule that caused the alert.
The name of the attack vector is provided.
Detailed Security Event Drill-Down
15. Detailed Forensics Are Available for Each Attack
Full dump of incoming request.

What the User, Hacker, and Victim See
16. Default Error Text Is Returned to Browser (Fully Customizable)
The error message and HTTP return code are fully customizable; you can return your own HTML code and, for example, redirect the hacker to the main page.
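The walk-through above (steps 1 to 9 and 13 to 16) condensed into an added Python example that is not Cisco's code: a protected website classified by host/URL regular expressions plus optional required headers, a profile made of rule groups whose rules carry a unique ID and a security level, a monitor-versus-block mode, the incident record the manager shows (rule ID, attack vector name, full dump of the incoming request) and the customizable error response or redirect. The ordering of levels (a group at "moderate" enables its basic and moderate rules but not its strict ones), the three signature patterns and their IDs, the hostname shop.example.test and the sample requests are all constructed for this illustration; the backend address is the one from step 4.

```python
"""Toy website classifier and signature engine modelling the ACE WAF workflow.

Added example, not Cisco code. Rule patterns, IDs, names and hostnames are
constructed; they are not the shipped Cisco signatures.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import unquote_plus

# Assumption of this model: levels are ordered and a group configured at a level
# enables every rule at that level or below.
LEVELS = {"basic": 0, "moderate": 1, "strict": 2}


@dataclass
class Rule:
    rule_id: str          # unique ID shown in the incident report
    level: str            # basic | moderate | strict
    name: str             # attack vector name shown in the incident report
    pattern: re.Pattern   # the signature itself


@dataclass
class RuleGroup:
    name: str
    rules: list
    level: str = "strict"    # enable rules up to and including this level
    action: str = "block"    # action when a rule in this group fires


@dataclass
class Website:
    name: str
    backend: str                          # backend server the WAF proxies to
    host_re: re.Pattern                   # expert-mode classification by regex
    url_re: re.Pattern
    required_headers: dict = field(default_factory=dict)   # step 3
    mode: str = "block"                   # "monitor": alert only, never block
    groups: list = field(default_factory=list)
    error_status: int = 403               # customizable error response (step 16)
    error_body: str = "<html><body>Request blocked</body></html>"
    redirect_to: str = None               # when set, blocked clients get a 302 here


@dataclass
class Request:
    method: str
    host: str
    path: str
    headers: dict
    body: str = ""

    def dump(self) -> str:
        """Full dump of the incoming request, stored with the incident (step 15)."""
        lines = [f"{self.method} {self.path} HTTP/1.1", f"Host: {self.host}"]
        lines += [f"{k}: {v}" for k, v in self.headers.items()]
        return "\r\n".join(lines) + "\r\n\r\n" + self.body


def classify(req, websites):
    """First website whose host/URL regexes and required headers all match."""
    for site in websites:
        if site.host_re.search(req.host) and site.url_re.search(req.path) \
                and all(req.headers.get(h) == v for h, v in site.required_headers.items()):
            return site
    return None


def inspect(req, site):
    """Run the site's enabled rules over the decoded URL, decoded body and header values.

    Returns (decision, incident); decision is 'allow', 'alert' or 'block'."""
    surfaces = [unquote_plus(req.path), unquote_plus(req.body)] + list(req.headers.values())
    for group in site.groups:
        for rule in group.rules:
            if LEVELS[rule.level] > LEVELS[group.level]:
                continue   # rule is stricter than the group's configured level
            if any(rule.pattern.search(text) for text in surfaces):
                incident = {"rule_id": rule.rule_id, "attack": rule.name, "group": group.name,
                            "site": site.name, "request": req.dump()}
                blocking = site.mode == "block" and group.action == "block"
                return ("block" if blocking else "alert"), incident
    return "allow", None


def handle(req, websites):
    """What the client sees, plus the incident (if any) the manager would list."""
    site = classify(req, websites)
    if site is None:
        return {"status": 404, "headers": {}, "body": "no protected website matches", "incident": None}
    decision, incident = inspect(req, site)
    if decision == "block":
        if site.redirect_to:
            return {"status": 302, "headers": {"Location": site.redirect_to}, "body": "", "incident": incident}
        return {"status": site.error_status, "headers": {"Content-Type": "text/html"},
                "body": site.error_body, "incident": incident}
    # allowed, or monitor mode (alert only): forwarded to the backend, simulated here
    return {"status": 200, "headers": {"X-Backend": site.backend},
            "body": f"forwarded to {site.backend}", "incident": incident}


# Constructed XSS signatures for illustration only.
XSS_GROUP = RuleGroup("XSS", [
    Rule("XSS-0001", "basic", "Script tag injection", re.compile(r"<\s*script\b", re.I)),
    Rule("XSS-0002", "moderate", "Event handler injection", re.compile(r"\bon\w+\s*=", re.I)),
    Rule("XSS-0003", "strict", "javascript: URI", re.compile(r"javascript\s*:", re.I)),
])

# The website from step 4; the hostname is constructed. Blocked clients are sent to "/".
SHOP = Website("shop", "http://172.25.89.140/",
               host_re=re.compile(r"^shop\.example\.test$"), url_re=re.compile(r"^/"),
               groups=[XSS_GROUP], redirect_to="/")
```

Running the same request against a copy of SHOP with mode="monitor" returns 200 but still produces the incident, which is the "alert but don't block" behaviour from step 1; lowering XSS_GROUP.level to "basic" disables XSS-0002 and XSS-0003, which is the level ranking from steps 6 to 8.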

Q and A

Recommended Reading
Continue your Cisco Live learning experience with further reading from Cisco Press.
Check the Recommended Reading flyer for suggested books.
Available onsite at the Cisco Company Store.


Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes. Winners announced daily.
Receive 20 Passport points for each session evaluation you complete.
Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
Don't forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008.
Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com.
