Upload
lokesh-sharma
View
388
Download
0
Embed Size (px)
Citation preview
STUDY AND IMPLEMENTATION OF UNIFIED THREAT MANAGEMENT AND WEB
APPLICATION FIREWALL
UNDERTAKEN AT Defence Research and Development Organisation (DRDO)
By: Lokesh SharmaECE (1222531042)
1
Internal threats Identity theft Data loss Data deletion Data modification
External threats Worms Malicious code Virus Malware
Social Engineeringthreats Spam Phishing Pharming
Data theft DoS attacks Hacking
USER
Attack on Organization
User – The Weakest Security Link
2
Why is this an issue? Traditional firewalls cannot detect these new applications they rely on port
numbers or protocol identifiers to recognize and categorize network traffic and to enforce policies related to such traffic
Apps that use specific port numbers or protocols make it easy for network administrators to block unwanted traffic, but browser-based applications often use only two port numbers, each associated with a protocol vital to user productivity and responsible for the bulk of Internet traffic today
This means that all traffic from browser-based apps looks exactly the same to traditional firewalls; they can’t differentiate between applications, so there is no easy way to block bad, unwanted, or inappropriate programs whilst permitting desirable or necessary apps to proceed unhindered
3
Unified Threat Management (UTM) Unified threat management (UTM) is an approach to security management that allows an administrator to monitor and manage a wide variety of security-related applications and infrastructure components through a single management console.
•UTM delivers a flexible, future-ready solution to meet the challenges of today’s networking environments.
•UTMs represent all-in-one security appliances that carry a variety of security capabilities including firewall, VPN, gateway anti-virus, gateway anti-spam, intrusion prevention, content filtering, bandwidth management, application control and centralized reporting as basic features.
•The UTM has a customized OS holding all the security features at one place.
4
UTM
The best UTM solutions include the following core security functions:Network firewalls perform stateful packet inspectionIPS detects and blocks intrusions and certain attacksApplication control provides visibility and control of application behaviour and contentVPN enables secure remote access to networksWeb filtering halts access to malicious, inappropriate, or questionable websites and online contentIPv6 support in all network security functions protects networks as they migrate from IPv4 to IPv6Support for virtualized environments, both virtual domains and virtual appliances
5
Servers
Firewalls
IPS (Intrusion Protection System)
Switches Routers
Modem
Applications
Desktop systems
Logs & Events
Identity
Logging Reporting
ComplianceManagement
ForensicAnalysis
Data Protection
Security Management
6
UTM vs. NGFW
The difference between UTMs and NGFWs is actually minimal. The only tangible difference that may be found involves their respective throughput ratings; devices marketed as UTMs typically have a lower throughput rating and are marketed to small and medium-sized businesses, while devices that maintain a higher throughput rating are typically marketed as NGFWs. In terms of functionality, the two devices are almost carbon copies.
NGFWNGFWs were designed to perform intrusion prevention and deep packet inspection while many of the other features mentioned above were offloaded to other devices to conserve network throughput and thereby better serve an enterprise network. More recently, NGFWs added application firewall features, a dynamic new capability that in many cases has allowed enterprises to consolidate and use a single device to protect their applications and core networks. At present, however, multi-Gigabit LAN speeds are commonplace, and the need for a device that only performs certain NGFW functions has become obsolete.
7
Key Features & Capabilities of UTM
The standard and Next-Generation Network Firewall (NGFS) functions include:
•The ability to track and maintain state information for communications to determine the source and purpose of network communications.
•The ability to allow or block traffic based on configured policy (which can be integrated with the state information).
•The ability to perform Network Address Translation (NAT) and Port Address Translation(PAT).
•The ability to perform application aware network traffic scanning, tracking and control.
•The ability to optimize a network connection (i.e. using TCP optimization).
8
Advantages of Using a Unified Threat Management
• Less Complexity- The all-in-one approach simplifies several things, such as
product integration, product selection and ongoing support.
• Ease of Deployment- As lesser human intervention is required, it is easy to install and maintain. One can get the product installed by finding a reputed vendor online.
• The Black Box Approach- Users have a habit of playing with things. Here, the black box approach puts a restriction on the damage that users can cause. This diminishes trouble and enhances network security.
• Integration Capabilities- The appliances can be distributed easily at remote sites. In such a scenario, a plug and play device can be set up and handled remotely. This type of management is interactive with firewalls that are software- based.
9
Disadvantages of Unified Threat Management
Lower performance
Single point of failure.
Vendor lock-in.
Difficult to scale in large environments.
Limited feature set compared to point product alternatives.
10
11
WEB APPLICATION FIREWALL
A web application firewall (WAF) is an appliance, server plug-in, or filter that applies a set of rules to an HTTP conversation. The effort to perform this customization can be significant and needs to be maintained as the application is modified.
Web application firewall is a computer networking firewall operating at the application layer of a protocol stack and is also known as a proxy-based or reverse-proxy firewall.
WAF solutions are capable of preventing attacks that network firewalls and intrusion detection systems can't, and they do not require modification of application source code.
12
13
Problem WAF Countermeasure
Cookie protection ++
Cookies can be signed Cookies can be encrypted.
Information leakage + Cloaking filter, outgoing pages can be cleaned (error messages, comments, undesirable information).
Session fixation = Can be prevented if the WAF manages the sessions itself
File upload + Virus check (generally via external systems)
SSL + SSL connection possible from WAF to application.
Cross-site tracing + Restriction of the HTTP method
HTTP request smuggling + Is prevented via strict testing of the conformity to standards of each request.
ATTACKS PREVENTED BY WEB APPLICATION FIREWALL
SQL INJECTION CROSS-SITE SCRIPTING (XSS) DOS ATTACKS AND DDOS ATTACKS SESSION HIJACKING ATTACKS
14
SQL INJECTION
A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application.
A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS).
SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system
SQL Injection is very common with PHP and ASP applications due to the prevalence of older functional interfaces
15
CROSS-SITE SCRIPTING (XSS)
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites.
XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.
Cross-Site Scripting (XSS) attacks occur whenData enters a Web application through an untrusted source, most frequently a web request.The data is included in dynamic content that is sent to a web user without being validated for malicious content.
16
CROSS-SITE SCRIPT ATTACK Example
17
DOS ATTACKS AND DDOS ATTACKS
The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed.
Sometimes the attacker can inject and execute arbitrary code while performing a DoS attack in order to access critical information or execute commands on the server.
Denial-of-service attacks significantly degrade the service quality experienced by legitimate users. These attacks introduce large response delays, excessive losses, and service interruptions, resulting in direct impact on availability.
18
HOW DOS ATTACKS PERPETRATED?
A DoS attack can be perpetrated in a number of ways:
Consumption of computational resources, such as bandwidth, memory, disk space, or processor time.
Disruption of configuration information, such as routing information.
Disruption of state information, such as unsolicited resetting of TCP sessions.
Obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately.
19
SESSION HIJACKING ATTACKS
The Session Hijacking attack consists of the exploitation of the web session control mechanism, which is normally managed for a session token. Because http communication uses many different TCP connections, the web server needs a method to recognize every user’s connections.
The Session Hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server.
The session token could be compromised in different ways :
Predictable session tokenSession SniffingClient-side attacks (XSS, malicious JavaScript Codes, Trojans, etc)Man-in-the-middle attackMan-in-the-browser attack
20
21
THREE PROTECTION STRATEGIES
1. External patching Also known as "just-in-time patching" or "virtual patching").
2. Negative security model Looking for bad stuff. Typically used for Web Intrusion Detection. Easy to start with but difficult to get right.
3. Positive security model Verifying input is correct. Usually automated, but very difficult to get right with applications that change. It's very good but you need to set your expectations accordingly.
Thank you!Download this presentation from
Questions?
22