
Cyberoam White paper

Are you fighting new threats with old weapons? Secure your Web applications with Web Application Firewalls.

Cover feature list: Web Application Firewall, Intrusion Prevention System, Anti-Virus & Anti-Spyware, On-Appliance Reporting, Bandwidth Management, Application Visibility and Control, Anti-Spam, Firewall, VPN, Web Filtering.


Introduction

Web applications have increased the speed of and accessibility to business information for an organization’s customers, partners and employees, while at the same time delivering tangible savings. Business applications for accounting, collaboration, Customer Relationship Management (CRM), Enterprise Resource Management (ERP), content management, online banking, E-commerce, and many more, are all available on the Web…and all of them house valuable, sensitive data! Unfortunately, hackers realized this much before organizations could.

Today, Web applications are the most common target for attack by hackers because they are ubiquitous and provide easy entry to virtually any organization’s lucrative data. SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), OS command injection, session hijacking and buffer overflows are the most commonly used attacks targeting Web applications hosted within an organization’s local network or in private data centers.

A study done by Ponemon Institute in 2011 reveals that 73 percent of organizations have been hacked in the last 24 months as a result of weaknesses in their web applications! Sadly, 69% of organizations surveyed relied on the security of their traditional network firewalls to protect web applications. This whitepaper will examine the variety of web application attacks hitting organizations today and discuss why traditional network firewalls are not capable of defending against them. A new breed of Web Application Firewalls is the solution that lets organizations protect corporate data, observe regulatory compliance like the PCI DSS, and safeguard their brand, reputation and customers.

Web Applications

Risks:
  • Theft of intellectual property
  • Identity and information theft
  • Loss of revenue, brand, customers
  • Fines and lawsuits from failure in regulatory compliance
  • Threat to national security

Benefits:
  • E-commerce
  • Information delivery vehicle for partners, employees, customers
  • Accelerated pace of business
  • Reduced business costs

www.cyberoam.com I [email protected]


Web Application Security should not be ignored!

Montana-based broker-dealer D.A. Davidson & Co. had to cough up $375,000 after the Financial Industry Regulatory Agency (FINRA) found it to be neglectful in protecting the personal data of 192,000 of its clients. The data, which resided in a database on a Web server, was compromised as the result of a SQL Injection attack launched by Latvian cyber criminals. The company’s web-facing applications were left wide open, to the point that the database was never encrypted nor was the default password changed, leaving it blank.

Vulnerabilities in Web Applications Rising with their Numbers

Organizations continuously develop new web-based applications to meet their product or service promotional needs. The high-pressure environment this creates for programmers is less than ideal for developing never-ending enhancements and new functionality securely. Without rigid secure software development practices, inserting even the smallest piece of code on the website can lead to serious vulnerabilities. Besides, logic flaws, forgotten backup files, debug code, and other production-related vulnerabilities are a regular challenge to the security of websites and other Web applications in organizations.

Securing the bigger picture around Web Applications

There are many Web application attacks that have nothing to do with developers and coding errors. Many times the threat comes from the language, protocol or the platform that supports the delivery of these applications; in other words, the environment surrounding the web applications. The main reason the majority of Web application attacks are successful today is that the attackers come in the same way any legitimate user would, all without disturbing the sanctity of RFCs or W3C standards.

Web applications reside at the top of the OSI stack and are practically cut off from the rest of the network and application layers in the stack. They have no control or visibility in the layers underneath them. When attackers exploit HTTP/TCP behavior, as in the case of a Layer 7 DoS attack, neither the Web application nor the developer has any knowledge of the exploit. This is where Web Application Firewalls help to add an extra layer of security to secure Web applications. Web Application Firewalls have the ability to understand the bigger picture surrounding the applications. They look at every request and response within the HTTP/HTTPS/Web Service layers and understand the context in which to evaluate the behavior of requests, thereby blocking Web application attacks.

Figure: where Web applications sit in the OSI stack
  OSI Layer 5-7: Web application data / Application (HTTP)
  OSI Layer 4: Transport (TCP/UDP)
  OSI Layer 3: Network (IP)
  OSI Layer 1-2: Hardware


Common Web Application Attacks

SQL Injection
In an SQL injection attack, the attacker gains access to the entire contents of a backend database, including identity information, by bypassing authentication to gain unauthorized access. Here, input validation vulnerabilities in the application code are exploited to send unauthorized SQL commands to a back-end database.

Cross-site Scripting
Cross-site scripting attacks the application code by exploiting script injection vulnerabilities, where malicious HTML tags or client-side scripting code are injected into HTML form fields and a customer’s login credentials are redirected to an attacker.

Worms
Worms take advantage of vulnerabilities in commercial software platforms and operating systems. Code Red, Nimda, and MSBlaster are some examples of worm infections that spread at an astounding rate, sometimes affecting hundreds of thousands of servers within minutes.

URL Parameter Tampering
This type of attack involves manipulation of parameters exchanged between client and server. The attacker alters the URL query string parameter values in the browser’s address bar to change application data such as user credentials, permissions, and other information.

Cross-site Request Forgery (CSRF)
CSRF forces the authenticated user of an application to send an HTTP request to a target destination chosen by the attacker, without the user’s knowledge or intent. This results in data theft and, in the case of a full-blown attack, can compromise the entire web application.

OS Command Injection
OS command injection exploits vulnerabilities that occur during the design and development of applications. Here, the attacker takes advantage of an application vulnerability that results in the execution of system-level commands.

Session Hijacking
Session hijacking exploits a valid computer session by stealing or predicting a valid session token to gain unauthorized access to information or services on the Web server.


Traditional Network Security Solutions Prove Inadequate for Securing Web Applications

Effective web application security requires an understanding of a user’s interaction with web applications: session IDs, cookies, URLs, HTTP methods, and more. Many organizations rely on their network firewalls and intrusion prevention system to overcome web application threats. But this is how traditional security solutions fall short:

Network Firewalls
Part of the reason why we need Web Application Firewalls today is the network firewalls! Although network firewalls protect against network layer attacks, they must allow HTTP and HTTPS traffic to the Web servers. Hackers have been using this fact to embed attacks like SQL injection and Cross-Site Scripting (XSS) into Web traffic using allowed application protocols, which are ignored by network firewalls and pass through them uninterrupted. Besides, network firewalls work at the third and fourth of the seven layers of the OSI network model and do not understand protocols and languages like HTML and XML, have no means of controlling/filtering sensitive data included in server responses, lack ways to detect tampering of parameters in a URL request, cannot validate user inputs to an HTML application and, most importantly, lack awareness of session data, limiting their effectiveness against web application attacks.

Intrusion Prevention System
An Intrusion Prevention System can look into a packet’s payload and compare it with a list of known signatures/attacks. Hence, it is effective against worms and other attacks based on known software vulnerabilities, but largely ineffective against web application attacks targeting unknown vulnerabilities in application code or vulnerabilities arising out of poor coding.

Web Application Firewalls – the only Answer to Web Application Security
Web Application Firewalls sit between the web client and a web server to analyze OSI Layer 7 messages for violations of the programmed security policy, protecting websites and web applications from attacks. They function bi-directionally, intercepting incoming Layer 7 attacks before they reach the Web server. In addition, they also analyze Web server responses to protect against potential risks of information leakage in organizations. Placed right in front of the Web server, the WAF becomes the first and last stop both for information requests to be entertained and for the information delivery process.

PCI-DSS and Web Application Security

Web applications have been declared the initial point of attack on cardholder data. Requirement 6.6 of the Payment Card Industry Data Security Standard requires organizations to ensure that web-facing applications are protected by installing an application-layer firewall in front of them, or by having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security. With the code review technique turning out to be expensive and tedious, a Web application firewall comes out to be the only option left for organizations. Web application firewalls perform a deep packet inspection of incoming traffic to detect threats, thereby creating a security layer in front of the application itself that ensures the security of the web server holding credit card and other sensitive data, which needs to be protected under the PCI DSS requirements.

Many organizations rely on their network firewalls and intrusion prevention system to overcome web application threats. But traditional security solutions fall short of protecting against Web application attacks.

Figure: Cyberoam Web Application Firewall Protection against Web-based Application Attacks

HTTP/HTTPS requests from the Internet, whether from a Web user, a client/partner, or a hacker sending SQL injection, cookie poisoning, XSS and similar attacks, pass through the Cyberoam Web Application Firewall before they can reach the Web & Application Server and the Database Server behind it. Each request is checked in three validation steps:

1. Conforms to HTTP specification? (HTTP protocol specification)
2. Matches a user-defined policy? (user-defined policies)
3. Adheres to the Intuitive Website Flow Detector?

A legitimate request adheres to the Intuitive Website Flow Detector’s “self-learning” from the past, when such a request was last made to the Web server, and is forwarded. A request for www.abcretaillogin.com that is not found valid under the Intuitive Website Flow Detector’s knowledge from the past (the requested URL cannot be the entry point) fails the three validation steps and is blocked from reaching the Web server; the browser receives an HTTP 403 Forbidden response code and no other information is exposed, as decided under the user-defined policy. The Web server is thus protected from present and future URL-based HTTP attacks.
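The three validation steps in the figure, worked through as an added example that is not Cyberoam’s code: a toy positive-model request filter that checks HTTP conformance, a user-defined policy and a learned website flow in order, and answers a bare 403 on any deviation. It goes a step beyond the figure’s single “URL is not an entry point” case by also treating unknown or out-of-shape query parameters as deviations (the URL parameter tampering discussed earlier). The learned pages, entry points, page transitions and blocked address are constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed "self-learned" model: what a flow detector would build from
# observed legitimate traffic.  Per path: parameter name -> regex of the
# value shapes seen so far.  Nothing here describes a real site.
LEARNED_PAGES = {
    "/":        {},
    "/login":   {"user": r"[A-Za-z0-9_]{1,32}", "pw": r".{1,64}"},
    "/account": {"id": r"\d{1,8}"},
}
ENTRY_POINTS = {"/", "/login"}                      # pages a visit may start on
TRANSITIONS = {"/": {"/login"}, "/login": {"/account"}, "/account": {"/account"}}

# Constructed user-defined policy
BLOCKED_IPS = {"203.0.113.9"}
ALLOWED_METHODS = {"GET", "POST"}
MAX_URL_LEN = 2048


def conforms_to_http(method, url):
    """Step 1: known method, no control characters, absolute path without '..'."""
    if method not in ALLOWED_METHODS or re.search(r"[\x00-\x1f\x7f]", url):
        return False
    path = urlsplit(url).path
    return path.startswith("/") and ".." not in path


def matches_policy(src_ip, url):
    """Step 2: administrator policy: blocked sources and an overall URL length cap."""
    return src_ip not in BLOCKED_IPS and len(url) <= MAX_URL_LEN


def adheres_to_flow(url, referer):
    """Step 3: positive model: page, parameters and page order must match what was learned."""
    parts = urlsplit(url)
    allowed = LEARNED_PAGES.get(parts.path)
    if allowed is None:                              # never-seen URL
        return False
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        pattern = allowed.get(name)
        if pattern is None or not re.fullmatch(pattern, value):
            return False                             # unknown parameter or odd value
    if referer is None:                              # first request of a visit
        return parts.path in ENTRY_POINTS
    previous = urlsplit(referer).path
    return parts.path in TRANSITIONS.get(previous, set())


def filter_request(method, url, src_ip, referer=None):
    """Run the three steps in order; any failure yields a bare 403 so nothing leaks."""
    ok = (conforms_to_http(method, url)
          and matches_policy(src_ip, url)
          and adheres_to_flow(url, referer))
    return (200, "forwarded to web server") if ok else (403, "Forbidden")
```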

Cyberoam Web Application Firewall

Cyberoam Web Application Firewall is available as a subscription on Cyberoam Network Security appliances (UTM, NGFW). It follows the positive security model based on its Intuitive Website Flow Detector to secure websites and Web-based applications against attacks like SQL injection, cross-site scripting (XSS), URL parameter tampering, session hijacking, buffer overflows, and more, including the OWASP Top 10 Web application vulnerabilities.

Cyberoam Web Application Firewall is deployed to intercept the traffic to and from the Web servers to provide an added layer of security against attacks before they can reach the Web applications. Its Intuitive Website Flow Detector intelligently “self-learns” the legitimate behavior and response of Web applications. Based on the Intuitive Website Flow Detector, the Web Application Firewall ensures the sanctity of Web applications in response to server requests, protecting them against Web application attacks.

Cyberoam Web Application Firewall looks at every request and response within the HTTP/HTTPS/Web Service layers. It is effective at repelling attacks from a wide range of commercial and open-source automated vulnerability scanners (e.g. Nessus, WebInspect), as well as hand-crafted attacks.

Features:

Positive protection model without Signature Tables
The Cyberoam Web Application Firewall enforces a positive security model through its Intuitive Website Flow Detector to automatically identify and block all application-layer attacks without relying on signature tables or pattern-matching techniques. The Web Application Firewall considers defined Web application behavior as “good”. Any deviation is considered “bad”, or malicious, and is blocked accordingly. This provides security against zero-day attacks and eliminates the need to manually populate and update signature tables. The Intuitive Website Flow Detector automatically adapts to changes in the website.

Comprehensive business logic protection
The Cyberoam WAF protects against attacks like SQL injection, cross-site scripting (XSS), and cookie poisoning that seek to exploit the business logic behind Web applications, ensuring they are used exactly as intended.

HTTPS (SSL) encryption Offloading
Attackers cannot bypass the Cyberoam WAF protection measures through an HTTPS (SSL) connection, which is mostly used in the financial services, healthcare, e-commerce, and other industries that process sensitive data. The WAF not only secures encrypted connections, but also reduces the latency of SSL traffic with its SSL offloading capabilities.

Instant Web server hardening
The Cyberoam WAF instantly shields any Web environment (IIS, Apache, WebSphere®, etc.) against the more than 14,000 common server mis-configurations and an ever-expanding universe of known 3rd-party software vulnerabilities.

Reverse proxy for incoming HTTP/HTTPS traffic
The Cyberoam WAF follows a reverse proxy model for all incoming HTTP and HTTPS traffic, which provides an added level of security by virtualizing the application infrastructure. All incoming Web application requests from the Web client terminate at the WAF. Valid requests are submitted to the back-end Web server, hiding the existence and characteristics of the originating servers.

URL, Cookie, and Form hardening
Application-defined URL query string parameters, cookies, and HTML form field values (including hidden fields, radio buttons, checkboxes, and select options) are protected by the Cyberoam WAF. Attempts to escalate user privileges through cookie poisoning, gain access to other accounts through URL query string parameter tampering, and other types of browser data manipulation are automatically identified and blocked.

Monitoring and reporting
Cyberoam Web Application Firewall provides alerts and logs that give organizations information on the types of attacks, the source of attacks, the action taken on them, and more, helping them comply with the PCI DSS requirements.

Additional Features:
  • Block/alert known bad IP addresses
  • Customizable user messages for blocked requests
  • Rate-based connection safeguards

Business Benefits
  • Offers instant protection without requiring changes to existing Web applications when deployed.
  • Prevents intruders from manipulating web content.
  • Protects data inside the organization from being hacked by exploiting Web application vulnerabilities.
  • Secures corporate brands, trade secrets, and Intellectual Property.
  • Maintains customer confidence in your website’s security, especially for banks, e-commerce, and more.
  • Ensures sensitive information about the environment doesn’t go out to hackers, by sending customizable error messages to users.
  • Easy to use, with no special training required for administrators.
  • Low maintenance, as it automatically adapts to website / web-application changes.
  • Promotes integrity and availability of Web applications.
  • Helps comply with mandatory PCI requirements.


Toll Free Numbers

USA : +1-877-777-0368 | India : 1-800-301-00013

APAC/MEA : +1-877-777-0368 | Europe : +44-808-120-3958

Cyberoam Awards & Certifications

[Logo strip: Checkmark certified (www.check-mark.com); VPNC certified for Basic Interop, AES Interop, SSL Advanced Network Extension, SSL Basic Network Extension, SSL JavaScript, SSL Firefox, SSL Exchange and SSL Portal; PC Pro Recommended; Best Buy; IT Pro Editor’s Choice (www.itpro.co.uk)]

Copyright © 1999-2014 Cyberoam Technologies Pvt. Ltd. All Rights Reserved. Cyberoam & Cyberoam logo are registered trademarks of Cyberoam Technologies Pvt. Ltd. ®/TM: Registered trademarks of Cyberoam Technologies Pvt. Ltd. or of the owners of the respective Products/Technologies.

Although Cyberoam attempted to provide accurate information, Cyberoam assumes no responsibility for the accuracy or completeness of the information, nor is this a legally binding representation. Cyberoam has the right to change, modify, transfer or otherwise revise the publication without notice.