BRKAPP-2014
14618_05_2008_c2
Cisco Public
Application Scalability (overview diagram)
Application Networking: quality of service; network-based app recognition; queuing, policing, shaping; visibility, monitoring, control; server load-balancing; site selection; SSL termination and offload; video delivery; message transformation; protocol transformation; message-based security; application visibility
WAN
Application Acceleration / WAN Acceleration / Application Optimization: latency mitigation; application data cache; meta data cache; local services; delta encoding; FlashForward optimization; application security; server offload
Platforms shown: ISR, WAAS, ACNS, ACE, AXG, Applications
Application Security Trends and Concerns
Threat severity over time (timeline: 1990, 1995, 2000, 2005, 2007, what's next?):
Vandalism: basic intrusions and viruses
Notoriety
Financial: theft and damage
PCI DSS: Six Sections and Twelve Requirements
Build and Maintain a Secure Network
Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data and sensitive information across open public networks
Section 6.5: Develop secure web apps, covering prevention of OWASP vulnerabilities
Section 6.6: Ensure all web-facing apps are protected against known attacks using either of the following methods: secure coding practices, or installing a Web App FW*
*This becomes a requirement by June 2008
Unfiltered HTTP traffic path (diagram): Web Client -> Web Server -> Application Server -> Database, with ports 80 and 443 open on the network firewall
HTTP Refresher
HTTP Request Elements
Three important elements of an HTTP request:
Method
URI
Headers
HTTP Request Methods
HTTP 1.1 Methods
OPTIONS: Ask server for available methods
GET: Request a resource from server
HEAD: Request resource and view response headers only
POST: Send data to the server
PUT: Send a file to the server
DELETE: Delete a file from the server
TRACE: Allows client to trace route via proxies to web server
CONNECT: Used by proxies for tunneling requests to web server
HTTP Query Parameters
The URL portion after the ?
http://www.google.com/search?q=cisco
HTTP Cookies
Cookies are pieces of information generated by a Web server and stored in the user's computer, ready for future access.
"Cookies are not programs, and they cannot run like programs do." (www.cookiecentral.com)
Additional Information
Request handling (diagram): the app server parses input; the DB receives the query created and sent by the app server
Protects your custom HTTP and HTML applications from high-impact Web-borne attacks
Platform Specifications
1 rack unit
Four 10/100/1000 Gigabit Ethernet ports
4-GB RAM
High-performance dual-core, dual-processor architecture
High-performance cryptography acceleration
Full FIPS 140-2 Level 3 compliance optional
ACE Web Application Firewall w/AXG Privacy
Features: Centralized Management, Monitoring, Logging, and Audit; Extensibility SDK
Typical Deployment (diagram): External Web Application Consumers -> Internet -> Network Firewall -> DMZ containing ACE, ACE Web Application Firewall and ACE XML Manager -> Portal and Web Servers
Attacks!
Unvalidated Input
Cross-Site Scripting
SQL Injection
Cross-Site Request Forgery
Cookie Tampering
Result
The application acts according to the changed information, potentially giving access to other users' accounts, confidential info, or anything else on the computer. This is the vector for 90% of web-based attacks!
Request processing pipeline (diagram): Terminate and Decrypt SSL -> Normalize -> Apply Security Policy
Normalization examples from the diagram: %2E%2E%2Fhome%2Fuser decodes to ../home/user; %2F%7Eroot%2Fetc%2Fpas decodes to /~root/etc/p; %2Fhomepage%2Findex%2 decodes to /homepage/index/pictures/thumbs.html
Example request seen by the policy: http://foo.com/query?bar=<script
Signatures
Each Signature Has:
User-readable name
Signature ID
Pattern used for initial match
Regular expression used to confirm match
Rules
Rules apply signatures to places in the message, for example:
REQUEST_PARAMS sig SQLInject
(apply the SQLInject signature to the request parameters)
Expression Language
Variables make any part of the request message or its connection properties available:
HTTP headers
HTTP body
Request parameters
Source and destination IP address
SSL properties (version, cipher, etc.)
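The normalize-then-apply-policy pipeline, signatures (cheap pattern plus confirming regex) and rules that bind a signature to a message location, as an added toy example written for this page (not the ACE WAF's code); signature names, IDs, rule tuples and the sample URLs are constructed, except the two taken from the slides.

```python
"""Added example: a toy WAF pipeline, Normalize -> apply rules, in the shape the
slides describe. Signature names/IDs, the rule list and the sample requests are
constructed for this example, not taken from the product."""
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# A signature has a user-readable name, an ID, a cheap pattern for the
# initial match and a regular expression that confirms the match.
SIGNATURES = {
    "SQLInject": {"id": 1001, "pattern": "'",
                  "regex": re.compile(r"'\s*(or|and)\s+\d+\s*=\s*\d+", re.I)},
    "PathTraversal": {"id": 1002, "pattern": "..",
                      "regex": re.compile(r"(^|/)\.\.(/|$)")},
    "XSSTag": {"id": 1003, "pattern": "<",
               "regex": re.compile(r"<\s*script\b", re.I)},
}

# Rules apply signatures to places in the message ("REQUEST_PARAMS sig SQLInject").
RULES = [
    ("REQUEST_PARAMS", "SQLInject"),
    ("REQUEST_PARAMS", "XSSTag"),
    ("REQUEST_URI", "PathTraversal"),
]

def normalize(url):
    """Percent-decode the path twice (catches %252E-style double encoding) and
    decode the query values, so policy matches what the server would see."""
    parts = urlsplit(url)
    path = unquote(unquote(parts.path))
    # parse_qsl already decoded once; decode again for double-encoded values.
    params = {k: unquote(v) for k, v in parse_qsl(parts.query, keep_blank_values=True)}
    return {"REQUEST_URI": path, "REQUEST_PARAMS": params}

def apply_policy(url):
    """Return a list of (signature name, id, location) hits for one request."""
    msg = normalize(url)
    hits = []
    for location, sig_name in RULES:
        sig = SIGNATURES[sig_name]
        values = msg[location].values() if location == "REQUEST_PARAMS" else [msg[location]]
        for v in values:
            # Two-stage match: cheap substring test first, regex only to confirm.
            if sig["pattern"] in v and sig["regex"].search(v):
                hits.append((sig_name, sig["id"], location))
                break
    return hits
```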
Result
Virtual hijacking of the session by stealing cookies
Any information flowing between the legitimate user and site can be
manipulated or transmitted to a third party
HaL Walkthrough
Consider a web form with two input boxes. Both accept HTML and display it back to the user (fertile ground for XSS!), but suppose the name parameter can be exempted from XSS pattern checks.
This is what the site profile looks like before HaL intervenes:
Modifiers represent exceptions to the classification process.
Create Modifier is at the heart of HaL
New modifier automatically added
always true!
Attack #4: CSRF
"Whereas cross-site scripting exploits the trust a user has in a website, a cross-site request forgery exploits the trust a Web site has in a user by forging a request from a trusted user." (source: Wikipedia)
How does it work:
Bob is logged into his bank's website
Bob is also chatting/reading a blog at the same time
Hacker posts a comment in the blog inviting Bob to click a link
The link performs an action on Bob's bank
As Bob is logged in, the action has the potential to succeed
Defense: CSRF
Not trivial, no simple one-stop solution
Several server-side solutions:
Generate random tokens for forms or actions so a hacker can't guess them
Make sure the site isn't XSS-vulnerable
Use CAPTCHAs
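The first server-side defense above, unguessable per-session tokens that every state-changing request must echo back, as an added example written for this page (not code from the deck or the product); the in-memory session store, the /transfer form and the sample requests are constructed.

```python
"""Added example: per-session CSRF tokens. The session store, form and
request shapes are constructed for the example."""
import secrets
import hmac

SESSIONS = {}  # session id -> session state (constructed in-memory store)

def new_session():
    """Create a logged-in session and mint a 256-bit random CSRF token for it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": "bob", "csrf": secrets.token_urlsafe(32)}
    return sid

def render_transfer_form(sid):
    """Server-rendered form carrying the session's token as a hidden field."""
    token = SESSIONS[sid]["csrf"]
    return ('<form method="post" action="/transfer">'
            f'<input type="hidden" name="csrf" value="{token}">'
            '<input name="to"><input name="amount"><button>Send</button></form>')

def handle_transfer(cookies, form):
    """Accept the action only if the session cookie is valid AND the form
    carries that session's token. A link or form planted on another site
    is sent with Bob's cookie but cannot read his token, so it fails here."""
    session = SESSIONS.get(cookies.get("sid"))
    if session is None:
        return 401, "not logged in"
    submitted = form.get("csrf", "")
    # Constant-time comparison so the check leaks nothing about the token.
    if not hmac.compare_digest(submitted, session["csrf"]):
        return 403, "missing or invalid CSRF token"
    return 200, f"transferred {form['amount']} to {form['to']} for {session['user']}"
```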
Result
Identity theft or impersonation by a third party altering the session id or
authorization information stored in the cookie
DoS or even remote command execution due to buffer overflows
Cookie Security: Signing and Encryption
Cookie as set by the web server:
sess1=1800; expires=Mon, 15-Dec-2006 1:03:00 GMT; path=/; domain=.google.com; secure
After encryption (as delivered to clients):
CP_EN7a989b1f1b9e966e47d629eec63302d3571d1677b27fe1bebba48df648b2edc=; expires=Mon, 15-Dec-2006 1:03:00 GMT; path=/; domain=.cisco.com; secure
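The signing half of the slide above, as an added example written for this page (not the ACE WAF's own code): on the response path an HMAC tag is appended to each cookie value, and on the request path the tag is verified and stripped, or the request is rejected on any change. The key, the CP_SG prefix and the sample Set-Cookie header are constructed; encryption is not shown.

```python
"""Added example: WAF-side cookie signing. WAF_KEY, the CP_SG prefix and the
sample headers are constructed for the example."""
import hmac
import hashlib

WAF_KEY = b"constructed-demo-key-rotate-in-production"
PREFIX = "CP_SG"  # constructed marker for a cookie the WAF has signed

def _tag(name, value):
    # Bind the tag to name AND value so a tag cannot be moved to another cookie.
    return hmac.new(WAF_KEY, f"{name}={value}".encode(), hashlib.sha256).hexdigest()

def sign_set_cookie(header):
    """Rewrite 'sess1=1800; expires=...; path=/; secure' on its way to the client."""
    first, sep, attrs = header.partition(";")
    name, _, value = first.strip().partition("=")
    signed = f"{PREFIX}{name}={value}.{_tag(name, value)}"
    return signed + sep + attrs

def verify_cookie(cookie_header):
    """Check every signed cookie in a request's Cookie header.
    Returns the header to forward to the server with tags stripped, or None
    if any signed cookie was altered, lost its tag, or was forged."""
    forwarded = []
    for item in cookie_header.split(";"):
        name, _, value = item.strip().partition("=")
        if not name.startswith(PREFIX):
            forwarded.append(f"{name}={value}")  # not WAF-protected: pass through
            continue
        orig_name = name[len(PREFIX):]
        orig_value, _, tag = value.rpartition(".")
        if not tag or not hmac.compare_digest(tag, _tag(orig_name, orig_value)):
            return None
        forwarded.append(f"{orig_name}={orig_value}")
    return "; ".join(forwarded)
```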
Additional Security Features
Exception Mapping
Servers can expose too much data in error messages: stack traces, SQL schemas
Exception Mapping
Replace server errors with WAF-generated content
Server Header Cloaking
SSL Termination
Offloads crypto and connection handling from the server
Enables HTTP/1.1 connection re-use, SSL session reuse, client certificate authentication
Consolidate private keys on the WAF device
Decrypt and re-encrypt for end-to-end SSL
(Diagram: HTTPS between clients and the WAF, HTTP between the WAF and the servers)
Upgrading to ACE XML Gateway
Deployment Considerations
Clustering
There are two software components: the manager and the firewall; each has a separate software license.
Both components run on the AXG appliance hardware; you can run either or both components on the same appliance.
ACE WAF achieves high availability via an external HTTP load balancer such as the ACE application switch.
The manager is not a runtime component, so a typical deployment uses cold standby for redundancy.
Cluster layouts (diagram): a dedicated manager appliance with separate firewall appliances, or a combined manager-and-firewall appliance alongside additional firewall appliances.
Deployment Modes
Layers 2-3: One-armed or multi-arm
One-armed: a single NIC handles all traffic (diagram addresses: 128.32.65.37, 10.7.83.12)
Two-tier deployment, ACE WAFs between two ACE Application Switch tiers (diagram):
Public Internet -> ACE Application Switch (VIP 63.90.156.60; inside 10.30.1.1) -> ACE WAFs (10.30.1.151 and 10.30.1.152 towards the outer switch, 10.20.1.151 and 10.20.1.152 towards the inner switch) -> ACE Application Switch (10.20.1.1; VIP 10.20.1.200; 10.10.1.1) -> Web Application Providers (10.10.1.10, 10.10.1.11, 10.10.1.12)
Different contexts on the same physical ACE can be used on both sides.
Consolidate keys on the load balancer
Use an L7 classmap to direct traffic at ACE
Full Reverse Proxy (diagram): External HTTP and XML Web Services Consumers -> Internet -> Full Reverse Proxy -> HTTP to WWW Portal, WWW1, WWW2, WWW3
Deployment Example
Deployment Example
Steps to Deploy:
Configure WAF network and cluster settings
Define web application and apply profile
Deploy in monitor mode and tune
Re-deploy in enforcement mode
Cable Devices
Four RJ45 Gigabit Ethernet network interfaces (eth0, eth1, eth2, eth3)
One LOM NIC (see HP DL360 docs)
Serial console (RS232)
VGA/keyboard video console (VGA, PS/2 keyboard)
Dual power supplies
nCipher card reader (only on FIPS model)
Log in to Manager
Point browser at the machine selected to be Manager, HTTPS port 8243, e.g. https://172.25.91.151:8243/
Log in as administrator, password swordfish
Configure as Cluster
Specify the IP address or name of the backend server
Full Classification Customization
Website protected by the WAF: factory-shipped PCI profile applied
XSS Protection
Hundreds of XSS rules are shipped from the factory.
XSS protection enabled with level Strict
Deltas between the current applied policy and the proposed one are highlighted.
Proactive performance warnings
Timestamps
Policies can be deployed to N gateways
Immediate incident report view
Full dump of incoming request
Q and A
Recommended Reading
Continue your Cisco Live learning experience with further reading from Cisco Press.
Check the Recommended Reading flyer for suggested books.