Saeed Rajput
Object Oriented Modeling
Copyright Cerebit, Inc. © 2003
Application Defense: An emerging Security Concept
Basit Hussain, Ph.D., CTO, Cerebit, Inc., www.cerebit.com
Order of presentation
• Problem space and need
• Conventional wisdom
• Limitations and issues
• Application security solution
The need for application security
• 75% of attacks are initiated by insiders. (Source: CSI/FBI 2002)
• A single security infraction costs $6.5M for theft of proprietary information and $4.4M for financial fraud. (Source: CSI/FBI 2002)
• The aggregate loss reported by 223 organizations was $456 million. (Source: CSI/FBI 2002)
• Threats to mission critical applications are not stopped by firewalls
The need for application security
• "Enterprises will spend large amounts of money and time on building firewalls to cope with threats that can make the front page of a newspaper, but they will allow their users to gain deep access into company networks and applications with simple user IDs and passwords." (Source: Gartner, Oct 2002)
The need (a case study)
• Fact: In the case of U.S. vs. Osowski, November 2001, two employees participated in a scheme to defraud Cisco Systems to obtain unauthorized Cisco stock. As part of the scheme, they exceeded their authorized access to computer systems at Cisco on three occasions in order to access a computer system used to manage stock option disbursals. The total value of the Cisco stock pilfered on these occasions was approximately $7,868,637.
• What went wrong? Inadequate authentication and authorization mechanisms led to monetary loss.
• How could it be prevented? Access control, audit activity and incident response would have pinpointed suspicious behavior well in time to avoid the loss.
Information Security Pyramid
(Figure: pyramid with the layers Policy, Application Security, Operating System Security, Infrastructure Security)
Typical physical network setup
(Figure: a Public Network linking Internal Resources and Internal Users; a Remote Branch and its Users reached by VPN, Dedicated Link, Frame relay, T1 etc.; a Partner's Network and Partner's Users; a Remote User on Dial-up)
Logical Corporate Network
(Figure: Public Network; Public Servers: SMTP Server, DNS Server, Web Server; Critical Servers; Employee Network with Users)
Typical Firewalls Setup
(Figure: the same logical network, with firewalls separating the Public Network, the Public Servers (SMTP Server, DNS Server, Web Server), the Critical Servers and the Employee Network with Users)
Typical NIDS Setup
(Figure: the firewall setup above with NIDS sensors placed on the segments for the Public Servers, the Critical Servers and the Employee Network)
Using NIDS and HIDS
(Figure: the NIDS setup above with HIDS Agents added on the Public Servers and Critical Servers)
Critical Resources: Authorization
(Figure: Application 1: Securities Trading Service, Application 2: Stock Quote Feed, ..., Application N: Market reports; each application keeps its own Access Control List (who is permitted to use this App); a Corporate Authentication System and NIDS sit in front of them)
Critical Resources: Details
(Figure: Application 1: Securities Trading Service, Application 2: Stock Quote Feed, ..., Application N: Market Reports, with a Corporate Authentication System and NIDS; each application has its own ACL (App. 1's ACL, App. 2's ACL, App. N's ACL) and its own Log (App. 1's Log, App. 2's Log, App. N's Log))
Issues
• Logs are distributed and difficult to analyze
  – different conventions and formats
• Access Control is distributed.
  – Have to add/delete users on each system
  – Error prone
• Firewalls do not protect against attacks from within or from partners
• Application level threats can traverse firewalls
• IDS is not very effective and may not signal in time
• SSL does not enforce "strong" authentication for users
  – Does not provide non-repudiation on transactions.
Issues
• User roles are not well defined
• Access control cannot be fine tuned to emulate the business processes
• Applications do not usually provide good access control
• Applications may rely on crude access control built into the operating system
IDS and Firewalls
• Gartner:
  – IDS do not add an additional security layer as promised.
  – IDS are costly (why?) and an ineffective investment.
  – Recommends that enterprises focus on integrated network-level and application-level firewall.
  – What is that product? How complex is it? Another Hype?
IDS Systems, and Firewalls
• Problems associated with IDSs are:
  – False positives and negatives
  – An increased burden on the IS organization by requiring full-time monitoring (24 hours a day, seven days a week, 365 days a year)
  – A taxing incident-response process
  – An inability to monitor traffic at transmission rates greater than 600 megabits per second
• Scalability
  – An organization should build an infrastructure that allows easy scalability as traffic increases and as more security rules are applied.
  – Too many events to be monitored manually by Managers.
Firewalls
• Network Security Managers are torn apart:
• Need to block intruders
• Need to allow traffic
  – Remote Branches not on network (cheaper)
  – Connections with partners --- Web-services
• Firewalls block access, web-services allow access.
• What is done by one is undone by the other.
• Too much security management needed.
How to Translate Business Rules to Security Policies?
• Firewalls and IDS are infrastructure (lower level) products.
• It is HARD to translate business rules to Firewall policies and IDS rules.
• The rules have to be distributed over the entire organization over multiple devices.
• Little central control.
• Problem is "Inherent" in the way things are handled, not in a particular product.
An Analogy
• Software Development:
  – What is the most critical phase to catch defects?
    • Implementation?
    • Design?
    • Specifications?
  – Ans: Specifications. A defect at the Specification phase is the MOST expensive to fix.
• What is the best level at which to provide security?
Analogy
• What is the most critical level to detect intrusions?
  – Hardware level
  – Software level
  – Network level
  – Infrastructure level
  – Application level
  – Business Level
Common Criteria
(Figure: functional points)
• Proxy Access
• Application Integration and Communications
• Systems Configuration Parameters
• Storage of Security Data
• Entitlement Management
• Resource Management
• User Management
• Access Mediation
Common Criteria
(Figure: functional points)
• Guidance
• Security Administration
• System Integrity
• Data Disposal
• Audit
Common Criteria
(Figure: functional points)
• Data Integrity
• Confidentiality
• Authorization
• Authentication
• Non-Repudiation
• Identification
Risks Associated with Online Registrations
(Figure: Mr. User and Mr. Cracker both reach the Corporate Authentication System across the Public Network and the Firewall. Callouts: "Let's get to know Mr. User. Or let's register as Mr. User"; "Is it really Mr. User?"; "Is my identity safe?")
Risks with Online Transactions
(Figure: Mr. User, an Impersonator and an Interceptor on the Public Network, with the Firewall and the Corporate Authentication System behind it. Callouts: "Is it really Mr. User using his password?"; "Pay day!" at both the Impersonator and the Interceptor)
Issues and Solutions
• Solution requirements
  – Ease of use
  – Simplified administration
  – Validity of user thru strong authentication
  – Non-repudiation of critical actions
  – Seamless integration into technology and business processes
  – Comprehensive audit trails
  – Incident response of anomalous activity
Enterprise Security Policy
• Understand Business Processes
• Identify the critical enterprise resources
• Conduct security audits
• Identify the leakage points
• Identify user types
• Identify user roles
  – Employees, Administrators, Partners, Guests
• Define access needs of each role
Unified Application Defense
(Figure: an Application Defense layer sits in front of Application 1: Securities Trading Service, Application 2: Stock Quote Feed, ..., Application N: Market Reports, and holds Central ACLs and Central Logging, with an optional Certification Authority (CA); the Corporate Authentication System and NIDS remain in place)
Simplified Security Management
(Figure: a Security Manager handles Audit and Access Control through the Central ACLs and Central Logging; each of Application 1: Securities Trading Service, Application 2: Stock Quote Feed, ..., Application N: Market Reports is reached through its own Access Control Point)
Features of Application Security
• Authentication. Verify if users are who they claim to be.
• Authorization. Users can only access what the security policy allows.
• Role-based access control. Grant access based on the user's role in the organization.
• Data privacy. Data integrity. Data reliability.
• Data validation. Process only if data is within pre-defined limits.
Features of Application Security
• Non-repudiation on Transactions. Important user actions carry proof of execution to prevent denial.
• Session security. User sessions are uniquely identifiable and not subject to masquerading.
• Audit logs. All actions are logged for audit use.
• Single sign-on. Usage of multiple systems or services does not require additional credentials.
• Session time-out. Session inactivity leads to session termination.
• Incident response. Anomalous activity leads to immediate alarms to curtail damage.
Advantages of Application Defense
• All features of application security PLUS …
  – Consolidated logs
    • Run IDS rules at one place
  – Single point of policy control
  – Granular access control
  – Secure legacy systems
  – Interfaces with HTTP, SOAP, EJB, CORBA, RMI
  – Supports most authentication systems
  – Modular and expandable
  – Signed transactions
    • Non-repudiation per transaction
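As an added illustration of the central access control point, central ACLs and consolidated logging described in the Unified Application Defense and Simplified Security Management slides (example code, not Cerebit's product), the Python below mediates requests for several applications against one role-based ACL, writes every decision to one log in one record format, enforces session time-out, and runs one IDS-style rule over the consolidated log. Application, action and role names are constructed for the demo.

```python
"""Added example (not Cerebit's code): one access control point mediating
requests for several applications against a central role-based ACL,
logging every decision to a central log in one format, and terminating
idle sessions. All names and the policy below are constructed."""
import time
from dataclasses import dataclass, field

# Central ACL: application -> action -> roles permitted (constructed policy).
# Changing a user's role here takes effect for every application at once,
# instead of editing each application's own ACL.
CENTRAL_ACL = {
    "trading": {"place_order": {"trader"},
                "view_positions": {"trader", "auditor"}},
    "quotes":  {"read_feed": {"trader", "analyst", "auditor"}},
    "reports": {"read_report": {"analyst", "auditor"}},
}

IDLE_TIMEOUT_SECS = 900  # inactivity beyond this terminates the session


@dataclass
class Session:
    user: str
    roles: set
    last_active: float
    active: bool = True


@dataclass
class AccessControlPoint:
    acl: dict
    timeout: int = IDLE_TIMEOUT_SECS
    log: list = field(default_factory=list)  # central log, one record format

    def decide(self, session, app, action, now=None):
        """Return True if the request is allowed; every outcome is logged."""
        now = time.time() if now is None else now
        if not session.active or now - session.last_active > self.timeout:
            session.active = False  # timed-out sessions stay terminated
            return self._record(session.user, app, action, "DENY", "session timed out")
        session.last_active = now
        permitted = self.acl.get(app, {}).get(action, set())
        if session.roles & permitted:
            return self._record(session.user, app, action, "ALLOW", "role permitted")
        return self._record(session.user, app, action, "DENY", "no permitted role")

    def _record(self, user, app, action, decision, reason):
        self.log.append({"user": user, "app": app, "action": action,
                         "decision": decision, "reason": reason})
        return decision == "ALLOW"


def denials_by_user(log, user):
    """IDS-style rule run once over the consolidated log: count denials for
    a user across all applications (a spike is a signal for incident response)."""
    return sum(1 for r in log if r["user"] == user and r["decision"] == "DENY")
```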
Benefits of Application Defense
• Reduced management
• Improved security
  – Secure what was not possible before
• Reduce risk and errors
• Comprehensive monitoring
• Incident response
• Forensic analysis
Contact information
Cerebit, Inc.
12000 28th Street North, Second Floor
St. Petersburg, Florida 33716 USA
• basit@cerebit.com