Piotr Oleszkiewicz
Zbigniew Skurczynski
zbig@f5.com
Agenda
Traditional defences:
- Firewall
- Host IDS & Secure OS
- Antivirus
- Network IDS/IPS

64% of the 10 million security incidents tracked targeted port 80. (Information Week magazine)
A2 Injection Flaws: Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.

A3 Insecure Remote File Include: Code vulnerable to remote file inclusion allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise.

A4 Insecure Direct Object Reference: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.

A5 Cross Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker.

A6 Information Leakage and Improper Error Handling: Applications can unintentionally leak information about their configuration, internal workings, or violate privacy through a variety of application problems. Attackers use this weakness to violate privacy, or conduct further attacks.

A7 Broken Authentication and Session Management: Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users' identities.

A8 Insecure Cryptographic Storage: Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud.

A9 Insecure Communications: Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.

A10 Failure to Restrict URL Access: Frequently, the only protection for sensitive areas of an application is that links or URLs are not presented to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations.
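The A2 entry above describes how injection works; the following added example (not code from the slides or from F5) shows the mechanism in miniature. It builds the same login query twice against a constructed in-memory SQLite table: once by pasting user input into the SQL text, so the input is parsed as SQL, and once with bound parameters, so quotes in the input never reach the parser. The table contents and the hostile input are constructed for this example.

```python
"""SQL injection (OWASP 2007 A2): a login query built by string concatenation
next to the same query with bound parameters. All data is constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample users table in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """User-supplied data becomes part of the SQL text, so the interpreter
    executes whatever the data says."""
    query = (
        "SELECT 1 FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Bound parameters: values travel separately from the statement, so a
    quote in the input is just a character in a string, never SQL syntax."""
    query = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone() is not None


def demo() -> dict:
    """Run a legitimate login and a tautology attack through both versions."""
    conn = make_db()
    payload = "' OR '1'='1"  # constructed hostile input; turns the WHERE clause true
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "s3cret"),
        "legit_safe": login_safe(conn, "alice", "s3cret"),
        "attack_vulnerable": login_vulnerable(conn, "nobody", payload),
        "attack_safe": login_safe(conn, "nobody", payload),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

With the payload the concatenated query reads `... AND password = '' OR '1'='1'`, and because AND binds tighter than OR the final clause is always true, so a non-existent user logs in. The parameterised version returns false for the same input. A WAF such as ASM can block known injection patterns at the edge, but the parameterised query is the fix that does not depend on recognising the payload.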
Practical demonstration:
Perimeter security is strong, but it is open to web traffic: ports 80 and 443 pass through the firewall.
Attackers exploit application vulnerabilities over those ports:
- Buffer Overflow
- Cross-Site Scripting
- SQL/OS Injection
- Cookie Poisoning
- Hidden-Field Manipulation
- Parameter Tampering
- Forced Access to Information

The results: unauthorised access, non-compliant information leaving the application, and disclosure of infrastructural intelligence.
High information density = high value attack.
12
! !
Stops bad
requests /
Unauthorised
responses Non-
Access
compliant
Information
! !
ASM allows
Browser legitimate requests
Unauthorised Infrastructural
Access Intelligence
12
Definition of good and bad behaviour, and its enforcement between the browser and the application.
Positive security model: actions not known to be legal (for example a request carrying `<script>`) can now be blocked:
- Wrong page order
- Invalid parameter
- Invalid value
- etc.
Example: a money-transfer application with a login form (Username, Password) and a transfer form (From Acc., To Acc., $ Amount, Transfer). Requests that match the known forms and flow are ALLOWED; anything else is a VIOLATION.
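The positive security model and the transfer-form example above can be made concrete with a small allow-list policy engine. This is an added illustration written for this page, not ASM code or configuration: the policy (hypothetical `/login` and `/transfer` pages with their parameters and value patterns), the session and every request are constructed here. It flags exactly the three classes of violation the slides list: wrong page order, a parameter the policy does not know, and a value that does not match the parameter's pattern.

```python
"""A toy positive-security (allow-list) policy of the kind a web application
firewall enforces: each URL has a set of known parameters, each parameter a
value pattern, and pages must be visited in a legal order. Anything not known
to be legal is a violation. Policy, session and requests are constructed."""
import re
from dataclasses import dataclass, field

# Hypothetical policy for a two-step money transfer: /login, then /transfer.
POLICY = {
    "/login": {
        "params": {
            "username": r"[A-Za-z0-9_]{1,32}",
            "password": r".{8,64}",
        },
        "requires": None,
    },
    "/transfer": {
        "params": {
            "from_acc": r"\d{8}",
            "to_acc": r"\d{8}",
            "amount": r"\d{1,7}(\.\d{2})?",
        },
        "requires": "/login",  # legal page order: transfer only after login
    },
}


@dataclass
class Session:
    """Pages this client has legitimately completed, in order."""
    visited: list = field(default_factory=list)


def check_request(session: Session, url: str, params: dict) -> list:
    """Return the violations for one request; an empty list means ALLOWED.

    Checks, in order: known URL, legal page order, every parameter is in the
    allow-list, every value matches its pattern. Only an allowed request
    advances the session's page flow.
    """
    entry = POLICY.get(url)
    if entry is None:
        return [f"unknown URL {url}"]
    violations = []
    required = entry["requires"]
    if required and required not in session.visited:
        violations.append(f"wrong page order: {url} before {required}")
    for name, value in params.items():
        pattern = entry["params"].get(name)
        if pattern is None:
            violations.append(f"invalid parameter {name}")
        elif re.fullmatch(pattern, value) is None:
            violations.append(f"invalid value for {name}: {value!r}")
    if not violations:
        session.visited.append(url)
    return violations


def demo() -> dict:
    """Walk one constructed session through allowed and violating requests."""
    s = Session()
    good_transfer = {"from_acc": "12345678", "to_acc": "87654321", "amount": "100.00"}
    return {
        "transfer_before_login": check_request(s, "/transfer", good_transfer),
        "login_ok": check_request(s, "/login", {"username": "alice", "password": "correct horse"}),
        "transfer_ok": check_request(s, "/transfer", good_transfer),
        "xss_in_username": check_request(
            s, "/login", {"username": "<script>alert(1)</script>", "password": "correct horse"}),
        "unknown_param": check_request(s, "/transfer", dict(good_transfer, admin="1")),
        "tampered_amount": check_request(s, "/transfer", dict(good_transfer, amount="100 OR 1=1")),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'ALLOWED' if not result else 'VIOLATION ' + '; '.join(result)}")
```

The point of the allow-list is that the `<script>` and `OR 1=1` payloads are rejected without any signature for them: the username and amount simply do not match what a legitimate value looks like. A production WAF builds this policy by learning from observed traffic and running it in a staging mode first, because a policy that is too tight blocks real users just as readily as attackers.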
OBJECT TYPES
Application Delivery: users at home, in the office and on the road reach applications (Oracle, Siebel, SAP) across the network and co-location sites.
F5 product family, all built on the TMOS platform:
- BIG-IP Global Traffic Manager
- BIG-IP Local Traffic Manager
- BIG-IP Link Controller
- WANJet
- FirePass
- BIG-IP Application Security Manager
- BIG-IP Web Accelerator

Deployed from the data center out to international sites, in front of applications from Microsoft, SAP, Oracle, IBM and BEA.
TMOS architecture:
- Modules: ASM / TrafficShield, Web Accelerator, 3rd party
- Microkernel services: TCP Proxy, Rate Shaping, Compression, TCP Express (client side and server side), OneConnect, Caching, XML, SSL
- Programmability: iRules, iControl API
- Runs on high-performance hardware
Advanced Client Authentication Module: protects against unauthorised access.
F5 Customers in EMEA (1 of 2): Banking, Financial Investments, Insurance, Telco, Service Providers, Mobile
F5 Customers in EMEA (2 of 2): Transport, Travel, Media, Online, Technology, Energy, Manufacturing, Government, Health, Consumer, Other
Summary
Protecting web applications is a challenge within many organizations, yet attacks against web applications are the hackers' favourites.
Evaluation
The best way to see how it will perform is in your environment, with your applications.
Backup Slides
Company Snapshot
Facts
Position
References
F5 ensures applications running over the network are always secure, fast, and available.
- Headquartered in Seattle, WA
- Founded 1996 / Public 1999
- Over 10,000 customers and 30,000 systems installed
- Over 1100 employees
- NASDAQ: FFIV