
Page 1: Application Defense

Saeed Rajput

Object Oriented Modeling 1

Copyright Cerebit, Inc. © 2003

Application Defense: An emerging Security Concept

Basit Hussain, Ph.D., CTO, Cerebit, Inc., www.cerebit.com

Order of presentation

• Problem space and need
• Conventional wisdom
• Limitations and issues
• Application security solution

The need for application security

• 75% of attacks are initiated by insiders. (Source: CSI/FBI 2002)
• A single security infraction costs $6.5M for theft of proprietary information and $4.4M for financial fraud. (Source: CSI/FBI 2002)
• The aggregate loss reported by 223 organizations was $456 million. (Source: CSI/FBI 2002)
• Threats to mission critical applications are not stopped by firewalls.

The need for application security

• “Enterprises will spend large amounts of money and time on building firewalls to cope with threats that can make the front page of a newspaper, but they will allow their users to gain deep access into company networks and applications with simple user IDs and passwords.” (Source: Gartner, Oct 2002)

The need (a case study)

• Fact: In the case of U.S. vs. Osowski, November 2001, two employees participated in a scheme to defraud Cisco Systems to obtain unauthorized Cisco stock. As part of the scheme, they exceeded their authorized access to computer systems at Cisco on three occasions in order to access a computer system used to manage stock option disbursals. The total value of the Cisco stock pilfered on these occasions was approximately $7,868,637.
• What went wrong? Inadequate authentication and authorization mechanisms led to monetary loss.
• How could it be prevented? Access control, audit activity and incident response would have pinpointed suspicious behavior well in time to avoid the loss.

Information Security Pyramid (diagram, top to bottom): Policy; Application Security; Operating System Security; Infrastructure Security

Typical physical network setup (diagram labels): Public Network; Remote Branch; VPN, Dedicated Link, Frame relay, T1 etc.; Partner’s Network; Internal Resources; Internal Users; Partner’s Users; Remote Branch Users; Dial-up; Remote User

Logical Corporate Network (diagram labels): Critical Servers; Public Servers (SMTP Server, DNS Server, Web Server); Public Network; Employee Network; Users

Typical Firewalls Setup (diagram labels): Critical Servers; Employee Network; Users; Public Servers (SMTP Server, DNS Server, Web Server); Public Network

Typical NIDS Setup (diagram labels): Critical Servers; Employee Network; Users; Public Servers (SMTP Server, DNS Server, Web Server); Public Network; NIDS sensors

Using NIDS and HIDS (diagram labels): Critical Servers; Employee Network; Users; Public Servers (SMTP Server, DNS Server, Web Server); Public Network; NIDS sensors; HIDS Agents

Critical Resources: Authorization (diagram labels): ACL = Access Control List (who is permitted to use this App), one per application; Application 1: Securities Trading Service; Application 2: Stock Quote Feed; Application N: Market reports; Corporate Authentication System; NIDS

Critical Resources: Details (diagram labels): Application 1: Securities Trading Service; Application 2: Stock Quote Feed; Application N: Market Reports; Corporate Authentication System; NIDS; App. 1’s ACL, App. 2’s ACL, App. N’s ACL; App. 1’s Log, App. 2’s Log, App. N’s Log

Issues

• Logs are distributed and difficult to analyze
  – different conventions and formats
• Access Control is distributed.
  – Have to add/delete users on each system
  – Error prone
• Firewalls do not protect against attacks from within or from partners
• Application level threats can traverse firewalls
• IDS is not very effective and may not signal in time
• SSL does not enforce “strong” authentication for users
  – Does not provide non-repudiation on transactions.

Issues

• User roles are not well defined
• Access control cannot be fine tuned to emulate the business processes
• Applications do not usually provide good access control
• Applications may rely on crude access control built into the operating system

IDS and Firewalls

• Gartner:
  – IDS do not add an additional security layer as promised.
  – IDS are costly (why?) and an ineffective investment.
  – Recommends that enterprises focus on integrated network-level and application-level firewall.
  – What is that product? How complex is it? Another hype?

IDS Systems, and Firewalls

• Problems associated with IDSs are:
  – False positives and negatives
  – An increased burden on the IS organization by requiring full-time monitoring (24 hours a day, seven days a week, 365 days a year)
  – A taxing incident-response process
  – An inability to monitor traffic at transmission rates greater than 600 megabits per second
• Scalability
  – An organization should build an infrastructure that allows easy scalability as traffic increases and as more security rules are applied.
  – Too many events to be monitored manually by Managers.

Firewalls

• Network Security Managers are torn between two needs:
  • Need to block intruders
  • Need to allow traffic
    – Remote Branches not on network (cheaper)
    – Connections with partners --- Web-services
• Firewalls block access, web-services allow access.
• What is done by one is undone by the other.
• Too much security management needed.

How to Translate Business Rules to Security Policies?

• Firewalls and IDS are infrastructure (lower level) products.
• It is HARD to translate business rules to Firewall policies and IDS rules.
• The rules have to be distributed over the entire organization over multiple devices.
• Little central control.
• Problem is “Inherent” in the way things are handled, not in a particular product.

An Analogy

• Software Development:
  – What is the most critical phase to catch defects?
    • Implementation?
    • Design?
    • Specifications?
  – Ans: Specifications. A defect at Specification phase is MOST expensive to fix.
• What is the best place to provide security?

Analogy

• What is the most critical level to detect intrusions?
  – Hardware level
  – Software level
  – Network level
  – Infrastructure level
  – Application level
  – Business Level

Common Criteria (functional points, diagram): Proxy Access; Application Integration and Communications; Systems Configuration Parameters; Storage of Security Data; Entitlement Management; Resource Management; User Management; Access Mediation

Common Criteria (functional points, diagram): Guidance; Security Administration; System Integrity; Data Disposal; Audit

Common Criteria (functional points, diagram): Data Integrity; Confidentiality; Authorization; Authentication; Non-Repudiation; Identification

Risks Associated with Online Registrations (diagram labels): Mr. User; Mr. Cracker; Public Network; Firewall; Corporate Authentication System. Captions: “Let’s get to know Mr. User. Or let’s register as Mr. User” (Mr. Cracker); “Is it really Mr. User?”; “Is my identity safe?” (Mr. User)

Risks with Online Transactions (diagram labels): Mr. User; Public Network; Firewall; Corporate Authentication System; Impersonator; Interceptor. Captions: “Is it really Mr. User using his password?”; “Pay day!” (Impersonator, Interceptor)

Issues and Solutions

• Solution requirements
  – Ease of use
  – Simplified administration
  – Validity of user through strong authentication
  – Non-repudiation of critical actions
  – Seamless integration into technology and business processes
  – Comprehensive audit trails
  – Incident response to anomalous activity

Enterprise Security Policy

• Understand Business Processes
• Identify the critical enterprise resources
• Conduct security audits
• Identify the leakage points
• Identify user types
• Identify user roles
  – Employees, Administrators, Partners, Guests
• Define access needs of each role

Unified Application Defense (diagram labels): Corporate Authentication System; NIDS; Application 1: Securities Trading Service; Application 2: Stock Quote Feed; Application N: Market Reports; Application Defense with Central ACLs, Central Logging and an optional Certification Authority (CA)

Simplified Security Management (diagram labels): Security Manager; Audit; Access Control; Central ACLs; Central Logging; an Access Control Point in front of each of Application 1: Securities Trading Service, Application 2: Stock Quote Feed and Application N: Market Reports

Features of Application Security

• Authentication. Verify if users are who they claim to be.
• Authorization. Users can only access what the security policy allows.
• Role-based access control. Grant access based on the user’s role in the organization.
• Data privacy. Data integrity. Data reliability.
• Data validation. Process only if data is within pre-defined limits.

Features of Application Security

• Non-repudiation on Transactions. Important user actions carry proof of execution to prevent denial.
• Session security. User sessions are uniquely identifiable and not subject to masquerading.
• Audit logs. All actions are logged for audit use.
• Single sign-on. Usage of multiple systems or services does not require additional credentials.
• Session time-out. Session inactivity leads to session termination.
• Incident response. Anomalous activity leads to immediate alarms to curtail damage.
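The central access control point sketched in the Unified Application Defense and Simplified Security Management diagrams, combined with the feature list above, as an added Python example (not Cerebit's code): one mediation point in front of Application 1..N with a shared role-based ACL, one audit-log format instead of per-application logs, session time-out and an alarm on repeated denials. Application and role names are taken from the slides; the permitted actions, time-out, alarm threshold and log line format are assumptions.

```python
from dataclasses import dataclass, field

# Central ACL shared by every application: app -> {role: allowed actions}.
# Application and role names are the deck's; the action sets are assumed.
CENTRAL_ACL = {
    "Securities Trading Service": {"Employees": {"trade", "view"},
                                   "Administrators": {"view"}},
    "Stock Quote Feed": {"Employees": {"view"}, "Partners": {"view"},
                         "Guests": {"view"}},
    "Market Reports": {"Employees": {"view"}, "Partners": {"view"}},
}
SESSION_TIMEOUT = 900   # seconds of inactivity before termination (assumed)
ALARM_THRESHOLD = 3     # denials inside ALARM_WINDOW that raise an alarm
ALARM_WINDOW = 60       # seconds (assumed)

@dataclass
class Session:
    user: str
    role: str
    last_active: float

@dataclass
class AccessControlPoint:
    """One mediation point in front of all apps (hypothetical example)."""
    audit_log: list = field(default_factory=list)   # single log format
    sessions: dict = field(default_factory=dict)    # session id -> Session
    denials: dict = field(default_factory=dict)     # user -> denial times
    alarms: list = field(default_factory=list)      # incident alarms raised

    def login(self, sid, user, role, now):
        # Assumes the corporate authentication system already verified user.
        self.sessions[sid] = Session(user, role, now)

    def _log(self, now, app, user, action, outcome):
        # Consolidated line: IDS rules can be run over this one stream.
        self.audit_log.append(
            f"{now:.0f} app={app!r} user={user} action={action} result={outcome}")

    def request(self, sid, app, action, now):
        """Mediate one call to `app`; returns 'allow', 'deny' or 'expired'."""
        sess = self.sessions.get(sid)
        if sess is None:
            self._log(now, app, "-", action, "deny")
            return "deny"
        if now - sess.last_active > SESSION_TIMEOUT:
            del self.sessions[sid]              # session time-out
            self._log(now, app, sess.user, action, "expired")
            return "expired"
        sess.last_active = now
        allowed = action in CENTRAL_ACL.get(app, {}).get(sess.role, set())
        outcome = "allow" if allowed else "deny"
        self._log(now, app, sess.user, action, outcome)
        if not allowed:
            self._track_denial(sess.user, now)
        return outcome

    def _track_denial(self, user, now):
        # Incident response: repeated denials in the window raise an alarm.
        recent = [t for t in self.denials.get(user, []) if now - t <= ALARM_WINDOW]
        recent.append(now)
        self.denials[user] = recent
        if len(recent) >= ALARM_THRESHOLD:
            self.alarms.append(f"{now:.0f} repeated denials for user={user}")
```

Adding a user or changing a role is done once in CENTRAL_ACL rather than on each system, and every application's access decisions land in the same audit_log list.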

Advantages of Application Defense

• All features of application security PLUS …
  – Consolidated logs
    • Run IDS rules at one place
  – Single point of policy control
  – Granular access control
  – Secure legacy systems
  – Interfaces with HTTP, SOAP, EJB, CORBA, RMI
  – Supports most authentication systems
  – Modular and expandable
  – Signed transactions
    • Non-repudiation per transaction

Benefits of Application Defense

• Reduced management
• Improved security
  – Secure what was not possible before
• Reduce risk and errors
• Comprehensive monitoring
• Incident response
• Forensic analysis

Contact information

Cerebit, Inc
12000 28th Street North, Second Floor
St. Petersburg, Florida 33716 USA

• basit@cerebit.com