Web Application Firewalls

This talk from Gartner covered WAFs, their functionality, whether they are required, and possible alternatives;

Software security is improving but hasn’t caught up with the threat landscape.

Attackers have motivation, time, expertise and many targets.

Software security can be improved by better education, QA, SDLC, Frameworks and tools.

  • This helps close the gap, but it still remains
  • Many legacy applications or components will exist for a long time

A defence in depth approach is required to protect applications;

  • Firewall – allows or blocks traffic based on IP and port – positive security model; deny all traffic unless explicitly allowed
  • NIPS (Network based Intrusion Prevention System) – negative security model: signatures and protocol validation
  • WAF – identifies and blocks application layer attacks
    • Negative security model – fixed rules, blacklist known bad, expert deployment
    • Positive security model – automatic application behaviour learning, whitelist known good, straightforward deployment model
    • Passively block or actively modify traffic to prevent specific attacks

Additional functionality over other network security tools found in many WAFs;

  • Authentication and authorisation
  • ADC functionality
  • SSL termination
  • Anti-scraping
  • Threat intelligence
  • Content inspection, data masking, and DLP

 Differentiators;

  • All have basic signatures and filtering
  • Differ in;
    • Level of granularity
      • policies per application
      • policies per url
      • fully scriptable rule engine vs. high level settings
    • Positive model capabilities
    • Additional functionality
    • Deployment methods

Interest in WAF from a business risk perspective is increasing: 

  • Protects against identified vulnerabilities: Buys time as a quick fix, and provides long-term mitigation for legacy Web applications.
  • Protects against generic classes of attacks, such as SQL injection and brute force.
  • Protects against attacks targeted at your application: Requires active response and granular policy settings.

Also, do not underestimate the benefits of the extras such as performance, caching and authentication.

What are the latest developments in WAF technology?

  • Evolution in data interchange and protocol standard support, such as JSON, XML, GWT, HTML5, SPDY, IPv6
  • User and device validation and integration with Web fraud prevention:
    • True source/real IP identification proxies
    • Geolocation and reputation services
    • Injection/Execution of code for user validation and rudimentary fraud detection
  • Increasing support for Web vulnerability scanners (DAST): “Virtual patching”
  • Support for virtualisation and SaaS Web applications, and cloud delivery options for WAF
  • Improved layer 7 DDoS protection
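The negative and positive security models described under the defence in depth list above, and the "virtual patching" bullet in the list just ended, are easier to reason about with a concrete request filter in front of you. The following is an added example written for this post, not code from any WAF product or from the talk: a toy WAF with a signature blacklist (negative model), a per-path profile learned from clean traffic (positive model), and a virtual patch for one constructed DAST finding. The paths, parameters, signatures and sample requests are all constructed for the illustration.

```python
"""Toy WAF showing the negative (blacklist) and positive (learned whitelist)
security models, plus a virtual patch for one reported finding.
Added illustration, not code from any WAF product."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    method: str
    path: str
    params: tuple  # ((name, value), ...) - decoded query/body parameters

# --- Negative model: expert-written signatures for known-bad input ------------
NEGATIVE_RULES = [
    ("sqli-union", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("sqli-or-tautology", re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+", re.I)),
    ("xss-script-tag", re.compile(r"<\s*script\b", re.I)),
]

def negative_decide(req):
    """Allow everything except parameter values that match a signature."""
    for name, value in req.params:
        for rule, pattern in NEGATIVE_RULES:
            if pattern.search(value):
                return False, f"{rule} in parameter {name}"
    return True, "no signature matched"

# --- Positive model: per-path profile learned from known-good traffic --------
CLASSES = ["int", "token", "text"]  # widening order; learning keeps the widest
CLASS_PATTERNS = {
    "int": re.compile(r"\d{1,10}"),
    "token": re.compile(r"[\w.@-]{1,64}"),
    "text": re.compile(r"[^<>]{1,256}"),
}

def classify(value):
    """Narrowest class whose pattern fully matches the observed value."""
    for cls in CLASSES:
        if CLASS_PATTERNS[cls].fullmatch(value):
            return cls
    return "text"

def learn(samples):
    """Build {path: {"methods": set, "params": {name: class}}} from clean traffic."""
    profile = {}
    for req in samples:
        entry = profile.setdefault(req.path, {"methods": set(), "params": {}})
        entry["methods"].add(req.method)
        for name, value in req.params:
            old, new = entry["params"].get(name), classify(value)
            if old is None or CLASSES.index(new) > CLASSES.index(old):
                entry["params"][name] = new
    return profile

def positive_decide(req, profile):
    """Allow only what the learned profile describes; anything unknown is blocked."""
    entry = profile.get(req.path)
    if entry is None:
        return False, f"unknown path {req.path}"
    if req.method not in entry["methods"]:
        return False, f"method {req.method} not learned for {req.path}"
    for name, value in req.params:
        cls = entry["params"].get(name)
        if cls is None:
            return False, f"unknown parameter {name}"
        if not CLASS_PATTERNS[cls].fullmatch(value):
            return False, f"parameter {name} is not a valid {cls}"
    return True, "matches learned profile"

# --- Virtual patch: a narrow rule for one identified vulnerability ------------
# Constructed finding: a DAST scan reports SQL injection via the 'id'
# parameter of /report.  Until the code is fixed, enforce the intended type.
VIRTUAL_PATCHES = [("/report", "id", re.compile(r"\d{1,10}"))]

def patched_negative_decide(req):
    """Negative model plus the virtual patches, which are checked first."""
    for path, pname, pattern in VIRTUAL_PATCHES:
        if req.path != path:
            continue
        for name, value in req.params:
            if name == pname and not pattern.fullmatch(value):
                return False, f"virtual patch: {pname} on {path} must be numeric"
    return negative_decide(req)

# Constructed traffic for the demonstration
CLEAN = [
    Request("GET", "/report", (("id", "42"),)),
    Request("GET", "/report", (("id", "7"), ("format", "pdf"))),
    Request("POST", "/login", (("user", "alice@example.com"), ("password", "Tr0ub4dor&3"))),
]
PROFILE = learn(CLEAN)
TEXTBOOK = Request("GET", "/report", (("id", "1' or '1'='1"),))  # matches a signature
VARIANT = Request("GET", "/report", (("id", "1' || 1=1 --"),))  # same attack, no 'or'

if __name__ == "__main__":
    for label, req in (("textbook", TEXTBOOK), ("variant", VARIANT)):
        print(label, "negative:", negative_decide(req),
              "positive:", positive_decide(req, PROFILE),
              "patched:", patched_negative_decide(req))
```

The textbook tautology is caught by the signature, but the `||` variant sails through the negative model because no signature describes it; the positive model blocks it without knowing anything about SQL, simply because `id` was only ever seen as an integer. The same toy also shows the positive model's cost: a legitimate request carrying a parameter that was not present during learning (say a new `page` parameter on `/report`) is blocked as unknown, which is the false positive problem the recommendations below warn about. The virtual patch is the "buys time" case from the business risk list: one narrow rule for one reported parameter, deployable long before a learned profile exists.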

WAFs, are they viable for the future?

Yes..

  • They provide application layer functionality largely unavailable in other network based defences, and should be considered part of your defence in depth profile for any web application.
  • Cloud based solutions may become more viable
  • Detection quality will improve as they better understand your applications and also the browsers capabilities
  • Detection engine improvements will be required in order to keep up with evolving threats
    • But must not impact performance!
  • Must scale with the web applications.
    • Virtualisation support is critical

What alternatives are there?

  • Secure coding is the main alternative.  This sounds simple, however…
    • History shows that this fails
      • Bad scalability
      • Much insecure legacy code
      • No control over code – software from vendors, third party code etc.
  • Some functionality may be subsumed into other technology such as ADCs (Application Delivery Controllers) and CDNs (Content Delivery Networks) – so watch these spaces.
  • NGFW (Next Generation Firewall) and NGIPS (Next Generation Intrusion Prevention System) are becoming more application aware, but do not, and are unlikely to ever, deliver full WAF functionality

Recommendations;

  • Determine use case;
    • Compliance – buy “anything”…
    • Security – Buy a leader with low false positives and simple management
    • Application security – buy as part of an application initiative, ensure advanced policies are supported
  • If you have ADCs – assess the capabilities of these
  • Track CDN WAF capabilities
  • Complement with comprehensive monitoring and alerting capabilities

This was a very interesting, vendor neutral talk that provides a good intro to WAFs, and some useful thoughts on implementing them and possible future enhancements.  Recommended.

K

Gartner Security and Risk Management conference – Software Defined Networking

This was an introductory talk around Software Defined Networking (SDN) and some of its security implications.

What is it?

  • Decoupling the control plane from the data plane and centralising logical control
  • Communication between network devices and SDN controllers currently uses both open and proprietary protocols – no single standard.
  • The SDN controller supports an open interface to allow external programmability of the environment

– The controller tells each node how to forward traffic, vs. the current model where each node makes its own routing decisions.

 How do I enforce network security in an SDN environment?

  • Switch as the Policy enforcement point
    • The switch tells the controller it has seen traffic with certain flow characteristics, the flow controller tells it what to do with the flow, and this decision is cached in the local flow table for a specified time.  When another flow arrives that is not permitted, the controller tells the switch to simply drop the packets – the switch effectively becomes a stateful firewall.
    • Existing controls such as DLP, Firewalls, Proxy servers etc. can all be used with SDN –
      • e.g. someone tries to connect to the internet – flow controller instructs switch to send traffic to the firewall / IPS / DLP server etc.
      • e.g. sending email – no matter where it’s going flow says first point is DLP, then firewall, then onto destination
      • This means devices no longer need to be inline – they can be anywhere on the network.  Flow controller just needs to know where to send certain traffic types!
    • Incoming flows can be treated in the same way
      • Something changes – such that it looks like DDoS – traffic can be routed to the DDoS protection device(s)
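The flow-miss / cache / service-chain behaviour in the list above is worth seeing as a small simulation, because it also exposes the risk that follows from it: a cached flow entry keeps enforcing the old policy until the controller removes it. The following is an added example for this post, not code from the talk or from any SDN controller or switch vendor; it is a plain Python model of a controller holding prioritised rules and a switch holding a flow table with an idle timeout. The address plan (10.0.0.0/8 as internal), the hop names (`dlp`, `fw`, `ips`, `scrubber`) and the sample flows are constructed.

```python
"""Toy SDN split: a switch caches per-flow decisions from a central controller.
Added illustration, not code from any controller or switch product."""
import ipaddress
import time
from dataclasses import dataclass

@dataclass(frozen=True)
class FlowKey:
    src: str
    dst: str
    dport: int

DROP = "drop"  # action when no rule matches: default deny
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # constructed address plan

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL

class Controller:
    """Centralised control plane: maps a flow to an ordered list of hops."""
    def __init__(self):
        self.rules = []  # (priority, predicate, path_fn), highest priority first

    def add_rule(self, predicate, path_fn, priority=0):
        # Explicit priorities settle "who gets precedence" between, say, a
        # security chain and a plain forwarding rule that both match a flow.
        self.rules.append((priority, predicate, path_fn))
        self.rules.sort(key=lambda r: r[0], reverse=True)

    def decide(self, key):
        for _, predicate, path_fn in self.rules:
            if predicate(key):
                return path_fn(key)
        return DROP

class Switch:
    """Data plane: the policy enforcement point, caching controller decisions."""
    def __init__(self, name, controller, idle_timeout=5.0):
        self.name = name
        self.controller = controller
        self.idle_timeout = idle_timeout
        self.flow_table = {}  # FlowKey -> (action, expiry time)
        self.packet_ins = 0   # how often the switch had to ask the controller

    def handle(self, key, now=None):
        now = time.monotonic() if now is None else now
        cached = self.flow_table.get(key)
        if cached is not None and cached[1] > now:
            action = cached[0]                      # flow table hit
        else:
            self.packet_ins += 1                    # flow miss: packet-in
            action = self.controller.decide(key)
        self.flow_table[key] = (action, now + self.idle_timeout)  # refresh idle timer
        return action

    def invalidate(self, predicate):
        """Controller-driven removal of cached entries after a policy change."""
        for key in [k for k in self.flow_table if predicate(k)]:
            del self.flow_table[key]

def build_policy():
    ctl = Controller()
    # Email always goes DLP first, then firewall, wherever it is headed.
    ctl.add_rule(lambda k: k.dport == 25, lambda k: ["dlp", "fw", k.dst], priority=10)
    # Internet-bound traffic is steered through the firewall and IPS.
    ctl.add_rule(lambda k: not is_internal(k.dst), lambda k: ["fw", "ips", k.dst], priority=5)
    # Internal web traffic forwards directly; everything else hits default deny.
    ctl.add_rule(lambda k: is_internal(k.dst) and k.dport in (80, 443),
                 lambda k: [k.dst], priority=1)
    return ctl

def demo():
    ctl = build_policy()
    sw = Switch("edge-1", ctl, idle_timeout=5.0)
    web = FlowKey("10.1.1.5", "203.0.113.9", 443)
    results = {
        "internet_web": sw.handle(web, now=0.0),
        "internet_web_cached": sw.handle(web, now=1.0),
        "email": sw.handle(FlowKey("10.1.1.5", "10.2.2.2", 25), now=1.0),
        "internal_ssh": sw.handle(FlowKey("10.1.1.5", "10.2.2.2", 22), now=1.0),
    }
    results["packet_ins_before_expiry"] = sw.packet_ins
    sw.handle(web, now=10.0)                       # idle timer expired: re-ask controller
    results["packet_ins_after_expiry"] = sw.packet_ins
    # Traffic to 10.9.9.9 now looks like a DDoS, so steer it to the scrubber.
    # The already-cached flow keeps its old path until the controller invalidates it.
    victim = FlowKey("10.3.3.3", "10.9.9.9", 80)
    results["victim_before"] = sw.handle(victim, now=10.0)
    ctl.add_rule(lambda k: k.dst == "10.9.9.9", lambda k: ["scrubber", k.dst], priority=100)
    results["victim_stale_cache"] = sw.handle(victim, now=11.0)
    sw.invalidate(lambda k: k.dst == "10.9.9.9")
    results["victim_after_invalidate"] = sw.handle(victim, now=11.0)
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:28} {value}")
```

Two things in the run map directly onto the risks in the next list. First, no rule means `drop`: the switch really is a default-deny stateful firewall, which is exactly why a bad rule push from the controller removes protection everywhere at once. Second, the `victim_stale_cache` result shows that adding a rule at the controller is not enough; the flow table entries already installed on the switch keep forwarding the old way until they expire or are explicitly invalidated, so flow table integrity and controller-driven management of the switches are not optional extras.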

What risks does SDN introduce?

  • Risk is aggregated in the controller
    • Malicious or accidental changes could remove some or all of the security protections
  • Integrity of the flow tables must be maintained
    • Switches etc must be managed from controller, not locally
  • Input from applications must be managed and prioritised
    • Application APIs are non standard
    • Who gets precedence?
      • Load balancer vs. security tools when defining traffic flows?

SDN products do exist now.

  • Standards do exist
    • OpenFlow – maintained by Open Networking Foundation
  • Network devices (early days)
    • Open vSwitch
    • Some products from Brocade, Cisco, HP, IBM
  • Controllers (limited maturity)
    • Floodlight (open source)
    • Products from Big Switch Networks, Cisco, HP, NEC, NTT Data, VMware
  • Applications (often tied to specific controllers)
    • Radware and HP produce some security applications

Recommendations;

  • Do not overreact to SDN hype
  • Combine IT disciplines when implementing SDN
    • Don’t forget security!!
  • Determine how existing control requirements can be met with SDN
  • Examine how SDN impacts separation of duties
    • Some similar issues to virtualisation
  • Discuss SDN with your existing security vendors
  • Deploy SDN in a lab or test environment
    • PoC and understand fully before deploying


Overall this was an informative and fast paced talk.  As per the speaker's recommendations, SDN is a very interesting technology, although it is still in the emerging phase with the majority of deployments currently being in testing or academia.  I wouldn't yet recommend it for production datacentre deployments, but I would recommend you become familiar with it, especially if you work in the networking or security fields.


K

Gartner Security and Risk Management conference – Continuous Application Security Monitoring

This was a talk from Whitehat Security covering the increasing need for continuous application security monitoring and how this should be integrated with the SDLC;

– Attacks becoming targeted to specific companies / industries

– Risk of severe brand damage

– Security risks becoming key concern at board level

Effective web application security programs must comprise;

  • Continuous, concurrent assessments
    • Continuous process – restart on completion of assessment, automatic, no need for manual intervention
    • Assess multiple applications / code bases concurrently, not serially – minimises vulnerability window
  • Manage Security posture
    • ongoing metrics and measurement
    • Real-time risk modelling
      • Understand exposure to high value business applications
      • Accurate prioritisation
      • Analytics and trend reporting
      • Benchmark with industry peers
      • Dashboards and in-depth vulnerability reports
  • Implement across SDLC
    • From requirements and design through development to deployment and production monitoring
      •  Production assessments (immediate response)
      • Pre-production (reduce cost)
      • Source code analysis (faster remediation)

The talk was very brief and didn't go into any real detail about what you should do, when to do it, or how the SDLC might actually look; the process of finding issues – verify – plan – resolve – test was not covered.  The basic points that were covered do make sense though, but I'd have liked the full session to be used and a lot more detail to be covered.

I completely agree however that continuous monitoring of application and code security should be high on the security agenda – remember that the vast majority of vulnerabilities and successful attacks are against applications.  Secure development should be a key foundation of any business's SDLC.

K

Updates and what’s coming up..

As mentioned in my McAfee post, I’d meant to produce a quick update post covering recent goings on and what’s coming up as my blog updates have been a little erratic over the last few months..

Life has been pretty busy, on top of work, getting married and a couple of honeymoons I now officially have my Masters in ‘Distributed Systems and Networks’!  This has been a long while coming as I have been working on my part time MSc for the last 2.5-3 years outside of office hours.  Getting a ‘commended’ result was very pleasing as I expected just a standard ‘pass’.  OK so it’s not a distinction, but still good.

This has also meant my work with the Cloud Security Alliance has slid somewhat this year due to a lack of time.  I’m hoping to get back more involved with that now things will hopefully be slowing down slightly, well apart from the impending house move of course!

Regarding work, I’m still getting to work with some very interesting projects and great technologies some of which I’ll be writing about in upcoming posts.

Talking of upcoming posts, I am at the Gartner Security and Risk Management conference this week, and the Information Security Forum world annual congress in November, both of which should provide some interesting material to share.  I’ll likely try to follow a similar approach to previous conferences and mainly ‘live-blog’ from the talks as they happen.

K

Data breaches visualisation

Came across this recently and think its a pretty decent demonstration of the continuing frequency and severity of data breaches;

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

You can hover over any of the circles then click for more information about that breach.

This also shows how companies never seem to learn and we are seeing more breaches of a very similar nature to those we were seeing several years ago.

It’s time to learn from our mistakes and actually design and build secure systems, not just tick compliance boxes!  This is definitely one of my personal bug-bears.  As an example, many companies that must maintain PCI compliance care about this for obvious reasons, but too often projects and system owners only care about this and not about actually being secure or making systems and ‘non PCI’ data secure.  This is despite the payment card industry being very clear that PCI-DSS is the bare minimum standard you must achieve to be permitted to handle card transactions, not the standard you should aim for to be a secure business and keep your customers’ data secure.

It’s time to get better at communicating the risks to the business and working to ensure secure design and implementation is at the forefront of any solution.

K

An ode to McAfee.. Purveyors of the finest scamware

So I was getting ready to post about various things that have been keeping me busy recently and some upcoming plans, but a recent interaction with McAfee prompted me to write about their excellent service first..

Last week my father in law’s computer became infected with a trojan.  Not the biggest issue you’d think and a fairly common occurrence.  However he was running fully up-to-date McAfee protection that he actually pays the princely sum of about £55 per year for.

This is failure one, a pensioner who only uses the internet for running a motorcycle club, booking holidays and general browsing becomes infected with a Trojan despite having fully up to date and paid for anti-malware installed.

Then we go through the process of this exceptional anti-malware software trying to remove the trojan that goes something like this;

– McAfee needs to reboot your computer to remove the malware

– Reboot

– McAfee needs to reboot your computer to remove the malware

.. and so on

This failure is issue two.

The next is perhaps the worst failure of all, as a paying customer, my father in law then decided to contact McAfee customer support.  After a long winded conversation with someone who could barely understand him, he was finally put through to technical support.  At last someone who could help.  Well, they did understand the problem and were able to tell him his software that he subscribes to from them was likely disabled by the trojan, and that his firewall was also likely turned off.  Their next statement was that they would require a further £56 in order to provide any assistance.

So – pay a yearly subscription for McAfee anti malware, it doesn’t work..  Then when you call them for assistance they want more money to help resolve the issue caused by their solution not working!

When asked point blank what the subscription fee gets you over and above using a free anti-malware solution the response was “well, erm, nothing sir”.

So my advice to you and to anyone you know who may ask you advice on which anti-malware solution to use is;

– Don’t use McAfee

– Don’t pay for it if you are comfortable using one of the many excellent free products such as AVG free

– If you do pay for it, make sure you have a clear understanding of just what your investment will get you

– Oh and don’t use McAfee.

I have no idea if the other paid for solutions offer a service this bad, but it seems to put them on par with the scamware type vendors – here install this, when it doesn’t work pay us more to help.  The only difference is McAfee put a legal and friendly face on their scam, which probably makes them worse.

And to top it off, guess who is probably going to have to go and clean the infected machine now..

Apologies for the slightly ranty post, but this was massively poor on McAfee’s part.

A more balanced post about general IT stuff, my Masters and some upcoming plans will follow shortly 🙂

K

Training update 1..

Well I’ll obviously have to think of some more catchy titles for training related posts than 1..2..3.. but that will do for now. (ideas welcome!)

So I said I’d be posting these under the training page, however it seems WordPress doesn’t really like that idea and wants to just dump everything on the home page so we’ll just use category tags for now. There do appear to be some ways to change this by adding code to the pages / posts so I will probably look into this at some point, although it’s not exactly high on my agenda of interesting things to be getting on with!

Recent progress includes completing the foundation course at Crossfit Antaeus (http://crossfitantaeus.com/) and beginning to work more on cleans and false grip. False grip is a gymnastics inspired way of holding rings / the bar that makes the transition from chin up to dip more feasible in order to do muscle ups – they will be next on the list once I have mastered the grip.

Double unders continue to elude me in any real form – I can do one, then a few singles, then one and so on. I’ll no doubt get there soon.

Motivation is currently very high, and progress is in reality good although it is easy to get frustrated as I know where I want to get to and want to get there now. I have to keep reminding myself I have an 18 month to 2 year plan, not a 3 month plan!

In terms of gym, I can’t speak highly enough of Antaeus and Matt the head coach – he is an excellent coach and annoyingly good at all the technical movements.

This week has included, power and squat cleans, thrusters, skipping, rowing, kettle bells, push press, false grip chins, ring dips and squats amongst other things. In terms of strength I have dropped in a lot more low rep work so much of my squatting is 5 rep sets, and we also tend to do one or two 1 rep max sessions a week as well. This is great and a real departure from the approximately 10 reps per set for everything rut I was in before.

Tonight’s WOD was Elizabeth, first time I have done that one, and second set of cleans this week.. Took 11.32 which is pretty poor, but lots of room to improve once I get my clean act together. Luckily dips are easy so provided some respite! (Elizabeth = 21, 15, 9 reps of 60kg squat clean and ring dips. Shredded hands are an added bonus!)

I want to cover of diet in some detail as well, but I’m at the gym again in the morning so it’s time for bed!

Read this today which amused me;
On Being An Asshole
Basically work hard and don’t be lazy 🙂

K