Fortinet®, FortiGate®, and FortiGuard® are registered trademarks of Fortinet, Inc. in the U.S. and other
jurisdictions, and other Fortinet names herein may also be trademarks, registered or otherwise, of
Fortinet. All other product or company names may be trademarks of their respective owners. Copyright
© 2002 - 2016 Fortinet, Inc. All rights reserved. Contents and terms are subject to change by Fortinet
without prior notice. No part of this publication may be reproduced in any form or by any means or
used to make any derivative such as translation, transformation, or adaptation without permission from
Fortinet, Inc., as stipulated by the United States Copyright Act of 1976.
Table of Contents
Glossary
References
Application Security
Threats are constantly evolving, so network security technologies and methods must evolve too. Threats
to application security—including bots, ransomware, Advanced Persistent Threats (APTs), viruses, and
spam—have a heavy content component and are not focused only on the physical and data layers. In
this context, content refers to analysis of the packet payload and of how that payload is transported, in
particular at layers 3-7 of the Open Systems Interconnection (OSI) Model. Table 1 [1] compares the
models for layers and protocols.
Table 1. Comparative models for layers and protocols.
These threats focus on the application content component and transport, rather than on the link and
physical components. Therefore, firewalls designed to protect, load balance, and accelerate content
between web servers are necessary. The Web Application Firewall (WAF) is designed to provide
protection for web applications and related database content [2]. In order to better understand the type of
threats that the WAF faces in protecting networks, we will examine the vulnerable areas that are targeted
by application threats.
known as the Application Layers, when translated into the broader TCP/IP Model.
SSL traffic poses a challenge because legacy servers and load balancers cannot manage the increased
load that growing SSL traffic causes. To detect potentially malicious code attempting to sneak into the
network inside encrypted data packets, the SSL traffic must be decrypted, scanned, and then re-encrypted.
Scalability is the concept of enabling a system, network, or application to handle a growing volume of
work in an efficient manner. Scalability may be accomplished by using hardware, software, or a
combination of both, to improve availability and reliability by:
Managing data flow and workload across multiple servers to increase capacity
Improving application response times by either hardware upgrades or software solutions
Reducing costs by optimizing resources through improved allocation
Allocating data across multiple data centers to facilitate redundancy and recovery
Applications allow users to accomplish tasks using computer systems and networks. Common
applications include word processing, spreadsheets, graphic design programs, email clients, games, and
media. Many applications run across platforms, from wired desktop systems to smartphones and other
devices. Many are now delivered as web-based services such as Infrastructure as a Service (IaaS),
Platform as a Service (PaaS), and Software as a Service (SaaS).
Application Vulnerabilities
Applications are widely used by both business users and private consumers. If application threats infect
the systems of multiple private users who connect to organizational networks, the same threat can be
introduced repeatedly. These threats can arrive through innocuous sources such as customers, clients,
or BYOD users who fail to perform regular security screening of their equipment. They can also come
from an outside competitor, a malcontent, or a hacker.
OWASP
Fortunately, there is a global project that assists application developers and system and network security
administrators in identifying and understanding prevalent and emerging application security threats. This
project is the Open Web Application Security Project (OWASP) and is supported by an OWASP
Foundation in the United States.
OWASP is an open community dedicated to enabling organizations to conceive, develop,
acquire, operate, and maintain applications that can be trusted. All of the OWASP tools,
documents, forums, and chapters are free and open to anyone interested in improving
application security… Our freedom from commercial pressures allows us to provide
unbiased, practical, cost-effective information about application security. OWASP is not
affiliated with any technology company, although we support the informed use of
commercial security technology. [3]
One of OWASP's primary activities is the cataloging and ranking of the most prevalent threats in web
applications. A comparison of the 2010 and 2013 findings appears in Table 4.
Table 4. OWASP top 10 2010 vs. 2013 comparison.
The OWASP analysis shows a consistent top four application threats to system and network security,
described below. The analysis also indicates which threats have risen and which have declined, revealing
trends that may help security administrators determine the most effective system and network
configurations.
SQL Injection. Insertion or injection of an SQL query through data input from the client to the application.
This type of attack may allow attackers to spoof identities, tamper with or delete data, change or void
transactions, enable complete disclosure of the system’s database—or destroy it or make it unavailable,
or even become a new database server administrator. It is common with PHP and ASP applications, less
likely with J2EE and ASP.NET applications. Severity depends on the attacker’s creativity and computer
skills, but has the potential to be devastating. SQL Injection is a high impact threat.
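As an added illustration that is not part of the Fortinet paper, the user lookup below is written twice against a constructed in-memory SQLite table: once by pasting the client's input into the query text, where a quote in the input ends the string literal and the remainder is parsed as SQL, and once with a bound parameter, where the input can only ever be matched as data. The table rows and names are constructed for the example.

```python
# Added example (not from the paper): the same user lookup written first with
# string concatenation (injectable) and then with a bound parameter (safe).
# The rows and names below are constructed for the demonstration.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Throwaway in-memory database with two constructed user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_concatenated(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the client value is pasted into the SQL text, so any quote
    in it ends the string literal and the rest is parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Fixed: the value is bound as a parameter, so the database engine never
    interprets it as SQL; it can only match a username literally."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username: str) -> tuple:
    """Run both variants on the same input; returns (concatenated, bound)."""
    conn = make_db()
    try:
        return lookup_concatenated(conn, username), lookup_parameterized(conn, username)
    finally:
        conn.close()


if __name__ == "__main__":
    # A legitimate name and the classic tautology from OWASP's own explanation
    # of the flaw: the concatenated variant returns every row for the latter.
    for name in ("alice", "' OR '1'='1"):
        vuln, safe = compare(name)
        print(f"{name!r}: concatenated -> {len(vuln)} rows, bound -> {len(safe)} rows")
```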
Cross-site Scripting (XSS). Also referred to as XSS Injection, malicious scripts are injected into
otherwise benign and trusted web sites, generally in the form of browser side scripts to be transmitted to
end users. Because the end user’s browser regards the site as trusted, it will execute the script, allowing
access to any cookies, session tokens, or other information retained by the browser and used with the
site. Some of these scripts are even capable of rewriting content on HTML pages.
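As an added example that is not from the paper, the template below is rendered once with user strings inserted verbatim and once with output encoding applied. Two escaping helpers are used because a text node and a quoted attribute value need different characters neutralized; the two regex checks, the `data-user` attribute and the inputs are constructed for the demonstration.

```python
# Added example (not from the paper): why raw user text in HTML becomes a
# browser-side script, and output encoding as the fix. A text node and a
# quoted attribute need different escaping, hence the two helpers.
import re


def escape_text(s: str) -> str:
    """Escape for an HTML text node: characters that can start a tag or entity."""
    return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def escape_attr(s: str) -> str:
    """Escape for a double-quoted attribute value: a quote can close the
    attribute and let the input append new ones, such as event handlers."""
    return escape_text(s).replace('"', "&quot;").replace("'", "&#x27;")


def render_unsafe(display_name: str, comment: str) -> str:
    """Vulnerable template: user-controlled strings inserted verbatim."""
    return f'<div data-user="{display_name}"><p>{comment}</p></div>'


def render_safe(display_name: str, comment: str) -> str:
    """Fixed template: each value encoded for the context it lands in."""
    return f'<div data-user="{escape_attr(display_name)}"><p>{escape_text(comment)}</p></div>'


TEMPLATE_TAGS = {"div", "/div", "p", "/p"}


def injected_tags(rendered: str) -> list:
    """Tags present in the output that the template itself did not emit."""
    found = re.findall(r"<\s*(/?[a-zA-Z][^\s>/]*)", rendered)
    return [t for t in found if t.lower() not in TEMPLATE_TAGS]


def injected_attributes(rendered: str) -> list:
    """Attributes in the output other than the data-user one the template emits."""
    attrs = re.findall(r'\s([a-zA-Z-]+)="', rendered)
    return [a for a in attrs if a.lower() != "data-user"]


if __name__ == "__main__":
    # Constructed inputs: a script in the comment body and an attribute
    # breakout in the display name (both harmless alert() demonstrations).
    name = 'guest" onmouseover="alert(1)'
    comment = "<script>alert(1)</script>"
    for label, fn in (("unsafe", render_unsafe), ("safe", render_safe)):
        out = fn(name, comment)
        print(label, injected_tags(out), injected_attributes(out))
```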
Broken Authentication & Session Management. This area includes all aspects of user
authentication and active session management handling. Even robust authentication protocols may be
undermined by flawed credential management functions, such as password changing, “forgot my
password” and “remember my password” options, account update options, and other functions. The
complexity of this issue comes from the fact that many developers prefer to create their own session
tokens. These tokens may not be properly protected, or steps may not be in place to protect them
throughout the application’s life cycle. If they are not protected with SSL and against other flaws (such
as XSS) an attacker can hijack the user’s session and assume their identity.
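As an added example that is not from the paper, the code below contrasts the kind of token a developer might invent with one drawn from the operating system's CSPRNG, stores only a hash of it server-side, and issues it with the cookie flags that keep it on SSL and out of reach of an injected script. The in-memory store, the `session` cookie name and the user names are constructed for the demonstration.

```python
# Added example (not from the paper): a home-grown session token beside one
# from the OS CSPRNG, stored only as a hash, issued with Secure/HttpOnly/
# SameSite flags. The in-memory store and names are constructed.
import hashlib
import secrets
import time

_SESSIONS: dict = {}  # sha256(token) -> username


def weak_token(user_id: int) -> str:
    """The kind of token a developer might invent: derived from the user id and
    the clock, so it is guessable and repeats within the same second."""
    return f"{user_id}-{int(time.time())}"


def _fingerprint(token: str) -> str:
    """Store a hash, not the token: a leaked session table cannot be replayed."""
    return hashlib.sha256(token.encode()).hexdigest()


def issue_session(username: str) -> str:
    """256 bits from the OS CSPRNG; nothing about the user is encoded in it."""
    token = secrets.token_urlsafe(32)
    _SESSIONS[_fingerprint(token)] = username
    return token


def session_cookie(token: str) -> str:
    """Set-Cookie value: Secure keeps it on TLS (the SSL requirement in the
    text), HttpOnly keeps document.cookie from reading it after an XSS,
    SameSite limits cross-site sending."""
    return f"session={token}; Secure; HttpOnly; SameSite=Lax; Path=/"


def user_for(token: str):
    """Resolve a presented token, or None when unknown or revoked."""
    return _SESSIONS.get(_fingerprint(token))


def revoke_session(token: str) -> None:
    """Logout and password change should invalidate the token server-side."""
    _SESSIONS.pop(_fingerprint(token), None)


if __name__ == "__main__":
    print("weak:", weak_token(42), "again:", weak_token(42))
    tok = issue_session("alice")
    print(session_cookie(tok))
    print("resolves to:", user_for(tok))
    revoke_session(tok)
    print("after revoke:", user_for(tok))
```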
Insecure Direct Object References. When an application provides direct access to objects because of
user-based inputs, attackers can bypass authorization and access resources in the system directly.
These resources may include valuable data such as databases and organizational files. Insecure Direct
Object References allow attackers to bypass authorization and gain access to resources by modifying the
parameter values used to point directly to objects. These resources may be any type of information stored
on the system. This method simply takes the user’s supplied input and uses it to retrieve data as though
the attacker were the authorized user.
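As an added example that is not from the paper, the handler below is written first as a direct lookup of whatever invoice id the client supplies, and then with an ownership check against the authenticated user. The invoice records, ids and user names are constructed; the third function only compares what the two variants return for one request.

```python
# Added example (not from the paper): an invoice lookup that trusts the id in
# the request (insecure direct object reference) beside one that checks the
# object's owner against the authenticated user. Records are constructed.
INVOICES = {
    1001: {"owner": "alice", "total": 120.0},
    1002: {"owner": "bob", "total": 75.5},
}


def get_invoice_direct(invoice_id: int) -> dict:
    """Vulnerable: whatever id the client supplies is looked up and returned.
    Changing 1001 to 1002 in the request yields another customer's record."""
    return INVOICES[invoice_id]


def get_invoice_checked(current_user: str, invoice_id: int) -> dict:
    """Fixed: resolve the object, then enforce that the caller owns it. A
    missing invoice and a foreign one look the same to the caller, so the
    response does not confirm which ids exist."""
    record = INVOICES.get(invoice_id)
    if record is None or record["owner"] != current_user:
        raise PermissionError("invoice not found or not yours")
    return record


def access_audit(current_user: str, invoice_id: int) -> dict:
    """Owner returned by each variant for one request (None when refused)."""
    result = {"direct": None, "checked": None}
    try:
        result["direct"] = get_invoice_direct(invoice_id)["owner"]
    except KeyError:
        pass
    try:
        result["checked"] = get_invoice_checked(current_user, invoice_id)["owner"]
    except PermissionError:
        pass
    return result


if __name__ == "__main__":
    for invoice_id in (1001, 1002, 1003):
        print("bob requests", invoice_id, "->", access_audit("bob", invoice_id))
```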
Individual, targeted attacks are often manageable and, in many cases, traceable. Increasingly, these
attacks aim at denying use of a network to outside users; such attacks are known as Denial of Service
(DoS) attacks. The prospect of coordinated network attacks from multiple sources presents an even more
critical challenge to continued secure and uninterrupted network operation. These simultaneous,
coordinated attacks target a network from a number of outside systems and are referred to as
Distributed Denial of Service (DDoS) attacks.
Attacks that target the content components of systems and networks focus on ISO/OSI Model layers 3, 4,
and 7 (application services). Although layers 3, 4, and 7 are all at risk from DDoS attacks, an attack
against layer 7 is often detected through its effect on the associated port at layer 4, which the attack
uses as a way to slip undetected into layer 7 and carry out its malicious task. As an analogy, the layer 7
attack rides like a signal on a carrier wave through layer 4. As a result, most recommended parameter
adjustments focus on layers 3 and 4, while the events to watch span a broader range of indicators.
Even with the global trend toward increasing IPv6 traffic, DDoS attacks above the 50 Mbps benchmark
are rare. South Korea's average network speed leads the world at 24.6 Mbps, with Hong Kong a
distant second at 15.7 Mbps. The US ranks 14th at 11.4 Mbps. As the shift from IPv4 to IPv6 traffic
moves forward, the incidence of DDoS attacks appears to be inversely proportional to IPv6 network
growth [5]. This may be an indicator that the average network speeds available through IPv6 are making
the cost and coordination of DDoS more difficult—or prohibitively costly, in some cases.
An important tool in protecting the network is an Intrusion Prevention System (IPS), which looks beyond
port and protocol to examine the signature—or actual content—of network traffic to identify and stop
threats. FortiGate NGFW and UTM appliances, using enhanced capabilities such as Advanced Threat
Protection (ATP), protect the layer 3 and layer 4 regions of the network against DDoS attacks by
combining hardware and programmable software solutions. In addition to protection against layer 3 and
layer 4 threats, the enhanced NGFW and UTM capabilities include layer 4 routing and load balancing to
increase the efficiency and availability of application traffic in the network.
Using NGFW and UTM in concert with other network security capabilities presents additional end-to-end
protection that is both scalable and future ready. The capabilities discussed in the following sections add
critical security solutions to protect against DDoS attacks and protect layer 3, 4, and 7 functions.
elements performs functions that enable user access to applications (Figure 6).
Server Load Balancing. The ADC allows the use of software-based intelligent load balancing to
enhance performance over hardware-based simple load balancing. This not only provides a path-to-open
server capability, but also matches the best server for the incoming traffic based on programmed
policies and application-layer knowledge that supports business requirements (Figure 7).
Benefits. Because the ADC conducts continuous health checks of network servers, only routes
traffic to online devices, and routes to the best performing devices using intelligent load balancing
capability, server load balancing provides a 25% increase in capacity and reduces server
hardware requirements by 25% over traditional DNS round-robin configurations.
Connection Persistence. This capability is critical to transaction-based applications. For example, if you
begin a transaction, add an item to your virtual shopping cart, and are then load balanced to a different
server for checkout without a persistent connection back to the original server, your cart will be empty at
checkout. The ADC uses session state with HTTP headers and cookies to ensure that users and servers
remain persistent throughout the transaction.
Benefits. By maintaining a persistent connection to the original server that started the
transaction, the transaction may be completed without loss of data or loss of connection.
SSL Offloading/Acceleration. SSL traffic can overload servers, reducing capacity to the range of
hundreds of TPS. By offloading SSL encryption, decryption, and certificate management from the servers
and accelerating them, the ADC lets web and application servers devote CPU and memory resources to
delivering application content, responding more quickly to user requests. This offloading boosts capacity
to tens of thousands of TPS, pushes HTTPS to servers, and HTTPS to users (Figure 8).
Benefits. SSL offloading and acceleration provide a 100X increase in traffic flow, reducing the
need for additional servers to accommodate data volume.
HTTP Compression. As the number of network users grows, application programming becomes more
complex and data sets become larger, so bandwidth becomes a limiting factor. One way that an ADC
reduces bandwidth constraints is by using HTTP compression to keep non-essential data from traversing
network links between servers and web browsers (Figure 8).
In addition to the ADC, the ADN includes a firewall component that provides security for traffic flowing
between the server side and outer perimeter. To accomplish this function in a content-focused,
application-level environment, the WAF is used.
Heuristics
One of the key features that enables WAFs to counter DDoS threats is heuristic—or behavior-based—
analysis. Behavior-based DDoS protection measures require different mitigating parameters than
content-based protections. Some of these protection measures include configuring systems to identify
potential threats based on source volume (intent vs. content), ping rates (hardcoded vs. custom), packet
dimensions (coarse vs. granular), and trend-matching (fixed vs. adaptive). When using these behavior-
based DDoS protection measures—focusing on traffic characteristics rather than content—policies do not
require threat signature updates like content-based measures do.
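As an added example that is not from the paper, the check below is of the source-volume kind the text describes: it keys on traffic behaviour rather than payload content and needs no signature. It counts requests per source inside a sliding window over constructed access-log lines and flags a source whose peak rate exceeds either a fixed ceiling or an adaptive one derived from the other sources' rates (the fixed vs. adaptive distinction above). The log format, addresses and thresholds are constructed for the demonstration.

```python
# Added example (not from the paper): behaviour-based flagging keyed on source
# volume, with a fixed ceiling and an adaptive one relative to peer sources.
# Log lines, addresses and thresholds are constructed for the demonstration.
from collections import defaultdict, deque
from statistics import median

# Constructed sample: "<epoch_seconds> <source_ip> <request>"
SAMPLE_LOG = """\
1700000000 203.0.113.5 GET /
1700000000 198.51.100.7 GET /
1700000001 203.0.113.5 GET /
1700000002 203.0.113.5 GET /
1700000003 203.0.113.5 GET /
1700000004 198.51.100.7 GET /login
1700000005 203.0.113.5 GET /
1700000006 203.0.113.5 GET /
1700000007 203.0.113.5 GET /
1700000008 192.0.2.9 GET /
1700000009 203.0.113.5 GET /
"""


def parse_log(text: str):
    """Yield (timestamp, source) pairs; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].isdigit():
            yield int(parts[0]), parts[1]


def flag_sources(text: str, window: int = 10, fixed_max: int = 8,
                 adaptive_factor: float = 4.0) -> dict:
    """Return {source: peak requests within any window} for sources that trip
    the fixed ceiling or an adaptive ceiling relative to the other sources."""
    recent = defaultdict(deque)  # source -> timestamps inside the window
    peak = defaultdict(int)
    for ts, src in sorted(parse_log(text)):
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] >= window:   # slide the window forward
            q.popleft()
        peak[src] = max(peak[src], len(q))
    flagged = {}
    for src, rate in peak.items():
        others = [r for s, r in peak.items() if s != src] or [rate]
        adaptive_max = adaptive_factor * median(others)
        if rate > fixed_max or rate > adaptive_max:
            flagged[src] = rate
    return flagged


if __name__ == "__main__":
    print(flag_sources(SAMPLE_LOG))
```

With the sample above the busiest source peaks at 8 requests in a 10-second window, under the fixed ceiling but far above four times its peers' median, so only the adaptive rule flags it.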
Quality of Service (QoS). One of the challenges posed by the seemingly constant increase in data traffic
is identifying and prioritizing important traffic over routine or less important traffic. QoS is managed by
configuring rules and policies for traffic policing, traffic shaping, and queuing that ensure the most
important traffic for the organization is prioritized above other data.
Benefits. QoS results in higher quality data flow for the most critical traffic based on organization
priorities, whether it be VoIP for sales and customer support, eCommerce transactions, or
corporate file transfers. By setting the appropriate rules and policies in the ADC, organization and
user quality of service—and efficiency and satisfaction—may be enhanced.
Link Load Balancing (LLB). LLB addresses the issues of bandwidth and redundancy by using multiple
WAN links. A link load balancer connects many WAN links to the network, and routes inbound and
outbound traffic based on criteria like availability, performance, or business rules to use lowest-cost links.
If a link should fail, traffic is routed to others to ensure your application remains available to users.
Benefits. LLB provides redundancy to maintain application availability by rerouting traffic to users
through another available link. By selectively routing traffic over the most available and
appropriate links based on programmed rules and policies, LLB optimizes bandwidth use,
reducing bandwidth needs. These two features both improve application response times to users.
Key Acronyms
AAA  Authentication, Authorization, and Accounting
AD  Active Directory
ADC  Application Delivery Controller
ADN  Application Delivery Network
ADOM  Administrative Domain
AM  Antimalware
API  Application Programming Interface
APT  Advanced Persistent Threat
ASIC  Application-Specific Integrated Circuit
ASP  Analog Signal Processing
ATP  Advanced Threat Protection
AV  Antivirus
AV/AM  Antivirus/Antimalware
BYOD  Bring Your Own Device
CPU  Central Processing Unit
DDoS  Distributed Denial of Service
DLP  Data Leak Prevention
DNS  Domain Name System
DoS  Denial of Service
DPI  Deep Packet Inspection
DSL  Digital Subscriber Line
FTP  File Transfer Protocol
FW  Firewall
Gb  Gigabyte
GbE  Gigabit Ethernet
Gbps  Gigabits per second
GSLB  Global Server Load Balancing
GUI  Graphical User Interface
HTML  Hypertext Markup Language
HTTP  Hypertext Transfer Protocol
HTTPS  Hypertext Transfer Protocol Secure
IaaS  Infrastructure as a Service
ICMP  Internet Control Message Protocol
ICSA  International Computer Security Association
ID  Identification
IDC  International Data Corporation
IDS  Intrusion Detection System
IM  Instant Messaging
IMAP  Internet Message Access Protocol
IMAPS  Internet Message Access Protocol Secure
IoT  Internet of Things
IP  Internet Protocol
IPS  Intrusion Prevention System
IPSec  Internet Protocol Security
IPTV  Internet Protocol Television
IT  Information Technology
J2EE  Java Platform Enterprise Edition
LAN  Local Area Network
LDAP  Lightweight Directory Access Protocol
LLB  Link Load Balancing
LOIC  Low Orbit Ion Cannon
MSP  Managed Service Provider
MSSP  Managed Security Service Provider
NGFW  Next Generation Firewall
NSS  NSS Labs
OSI  Open Systems Interconnection
OTS  Off the Shelf
PaaS  Platform as a Service
PC  Personal Computer
PCI DSS  Payment Card Industry Data Security Standard
PHP  PHP Hypertext Protocol
Glossary
ADC. An Application Delivery Controller (ADC) is a network device that manages client connections to
complex Web and enterprise applications. An ADC essentially functions as a load balancer, optimizing
end-user performance, reliability, data center resource use and security for enterprise applications. An
ADC can be physical (hardware appliance) or virtual (software program).
ADN. An Application Delivery Network (ADN) is a suite of technologies that together provide application
availability, security, visibility, and acceleration. Gartner defines Application Delivery Networking as the
combination of WAN Optimization Controllers (WOCs) and Application Delivery Controllers (ADCs) [8]. At
the data center end of an ADN is the Application Delivery Controller (ADC). In the branch office portion of
an ADN is the WAN optimization controller (WOC), which shapes TCP traffic using prioritization and other
optimization techniques.
APT. An Advanced Persistent Threat is a network attack in which an unauthorized person gains access
to a network and stays there undetected for a long period of time. The intention of an APT attack is to
steal data rather than to cause damage to the network or organization. APT attacks target organizations
in sectors with high-value information, such as national defense, manufacturing and the financial industry.
Bot. An Internet bot, also known as web robot, WWW robot or simply bot, is a software application that
runs automated tasks over the Internet. Typically, bots perform tasks that are both simple and structurally
repetitive, at a much higher rate than would be possible for a human alone. The largest use of bots is
in web spidering, in which an automated script fetches, analyses, and files information from web servers
at many times the speed of a human.
DoS. Denial of Service (DoS) attacks aim increasingly at denying use of a network to outside users by
flooding it with useless traffic, often exploiting limitations in the TCP/IP protocols. For all known DoS
attacks, there are software fixes that system administrators can install to limit the damage caused by the
attacks; however, like viruses new DoS attacks are constantly being developed.
DDoS. Distributed Denial of Service (DDoS) attacks are a type of DoS attack where multiple
compromised systems, which are often infected with a Trojan, are used to target a single system, causing
a Denial of Service (DoS) attack. Victims of a DDoS attack consist of both the end targeted system and all
systems maliciously used and controlled by the hacker in the distributed attack.
NGFW. Next Generation Firewall provides multi-layered capabilities in a single firewall appliance instead
of a basic firewall and numerous add-on appliances. NGFW integrates the capabilities of a traditional
firewall with advanced features including:
Intrusion Prevention (IPS)
Deep Packet Inspection (DPI)
Network App ID & Control
OWASP. The Open Web Application Security Project (OWASP) is an open community dedicated to
enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be
trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone
interested in improving application security.
Ransomware. Ransomware is a form of malware in which rogue software code effectively holds a user's
computer hostage until a "ransom" fee is paid. Ransomware often infiltrates a PC as a computer worm or
Trojan that takes advantage of open security vulnerabilities. Upon compromising a computer,
ransomware will typically either lock a user's system or encrypt files on the computer and then demand
payment before the system or files will be restored.
Spam. Spam is usually considered to be electronic junk mail or junk newsgroup postings. Some people
define spam even more generally as any unsolicited email. Spam is generally email advertising for some
product sent to a mailing list or newsgroup.
Virus. A computer virus is a program or piece of code that is loaded onto your computer without your
knowledge and runs against your wishes. Viruses can also replicate themselves. All computer viruses are
man-made. A simple virus that can make a copy of itself over and over again is relatively easy to
produce. Even such a simple virus is dangerous because it will quickly use all available memory and
bring the system to a halt. An even more dangerous type of virus is one capable of transmitting itself
across networks and bypassing security systems.
VPN. Virtual Private Network (VPN) is a network that is constructed by using public wires — usually the
Internet — to connect to a private network, such as a company's internal network. VPNs use
encryption and other security mechanisms to ensure that only authorized users can access the network
and that the data cannot be intercepted.
Web Application Firewall (WAF). A WAF is designed to provide protection for web applications and
related database content.
UTM. Unified Threat Management (UTM) provides administrators the ability to monitor and manage
multiple, complex security-related applications and infrastructure components through a single
management console. The advantage to UTM is that it goes beyond the NGFW focus of high
performance protection of data centers by incorporating a broader range of security capabilities as either
cloud services or network appliances, integrating:
Identity-based Application Control
References
1. Rischbeck, T. XML Appliances for Service-Oriented Architectures. SOA Magazine, 2010.
2. Tam, K., et al. UTM Security with Fortinet: Mastering FortiOS. Waltham, MA: Elsevier, 2013.
3. OWASP. About the Open Web Application Security Project. 2014 [cited 2014 October 31]. Available from: https://www.owasp.org/index.php/About_OWASP.
4. Maiwald, E. Network Security: A Beginner's Guide. 3rd ed. New York, NY: McGraw-Hill, 2013.
5. Nichols, S. Peak IPv4? Global IPv6 traffic is growing, DDoS dying, says Akamai. The Register, 2014.
6. Rouse, M. Application Delivery Controller. Essential Guide, 2013 [cited 2014 October 15]. Available from: http://searchnetworking.techtarget.com/definition/Application-delivery-controller.
8. Gartner. Gartner Says Worldwide Application Acceleration Market Will Reach $3.7 Billion in 2008. Stamford, CT: Gartner, 2006.