
UTM Unified Threat Management


Page 1: UTM Unified Threat Management

STUDY AND IMPLEMENTATION OF UNIFIED THREAT MANAGEMENT AND WEB APPLICATION FIREWALL

UNDERTAKEN AT Defence Research and Development Organisation (DRDO)

By: Lokesh Sharma, ECE (1222531042)

Page 2: UTM Unified Threat Management

User – The Weakest Security Link

Diagram: the user sits between the threat groups below and the attack on the organization.

• Internal threats: identity theft, data loss, data deletion, data modification

• External threats: worms, malicious code, viruses, malware

• Social engineering threats: spam, phishing, pharming

• Data theft, DoS attacks, hacking

Page 3: UTM Unified Threat Management

Why is this an issue? Traditional firewalls cannot detect these new applications, because they rely on port numbers or protocol identifiers to recognize and categorize network traffic and to enforce policies related to such traffic.

Apps that use specific port numbers or protocols make it easy for network administrators to block unwanted traffic, but browser-based applications often use only two port numbers, each associated with a protocol vital to user productivity and responsible for the bulk of Internet traffic today.

This means that all traffic from browser-based apps looks exactly the same to traditional firewalls; they can't differentiate between applications, so there is no easy way to block bad, unwanted, or inappropriate programs whilst permitting desirable or necessary apps to proceed unhindered.
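To make the port-only limitation concrete, here is an added example in Python (not part of the original presentation): it runs a port-based policy and an application-aware policy over a handful of constructed flows. It assumes the browser traffic arrives on ports 80 and 443 and uses the HTTP Host header as a stand-in for a vendor's application signature; the hostnames and the category map are hypothetical.

```python
import re

# Constructed sample flows (client, destination port, first bytes of the request).
# Hostnames are hypothetical; no real traffic is used.
SAMPLE_FLOWS = [
    ("10.0.0.5", 80, b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    ("10.0.0.6", 80, b"GET /watch HTTP/1.1\r\nHost: video.example-streaming.test\r\n\r\n"),
    ("10.0.0.7", 443, b""),            # TLS payload is opaque to this demo
    ("10.0.0.8", 25, b"EHLO client\r\n"),
]

# Traditional (port-based) policy: one verdict per destination port.
PORT_POLICY = {80: "allow", 443: "allow", 25: "deny"}

# Application-aware policy: a verdict per application category. The
# hostname-to-category map is an assumption standing in for a vendor's
# application signature database.
APP_CATEGORIES = {
    "intranet.example": "business",
    "video.example-streaming.test": "streaming",
}
APP_POLICY = {"business": "allow", "streaming": "deny", "unknown": "allow"}

HOST_RE = re.compile(rb"^Host:[ \t]*([^\r\n]+)", re.IGNORECASE | re.MULTILINE)


def port_based_decision(dst_port):
    """What a port-based firewall sees: only the destination port."""
    return PORT_POLICY.get(dst_port, "deny")


def extract_host(payload):
    """Pull the Host header out of a plaintext HTTP request, if present."""
    match = HOST_RE.search(payload)
    if match is None:
        return None
    return match.group(1).decode("ascii", "replace").strip().lower()


def app_aware_decision(dst_port, payload):
    """Port check first, then classify the application behind the port.

    Returns (verdict, reason) so a log line can explain the decision.
    """
    if port_based_decision(dst_port) == "deny":
        return "deny", "port"
    category = APP_CATEGORIES.get(extract_host(payload), "unknown")
    return APP_POLICY[category], category


def compare_policies(flows):
    """Run both engines over the flows; returns (client, port verdict, app verdict)."""
    return [(client, port_based_decision(port), app_aware_decision(port, payload)[0])
            for client, port, payload in flows]


if __name__ == "__main__":
    for client, by_port, by_app in compare_policies(SAMPLE_FLOWS):
        print(f"{client:10} port-based={by_port:5} app-aware={by_app}")
```

The two port-80 flows are identical to the port-based engine and differ only once the application behind the port is identified. The TLS flow shows the caveat: with an encrypted payload the Host header is not visible, which is why application control in a UTM or NGFW relies on other signals (such as the TLS handshake or decryption at the gateway) rather than on this simple header match.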

Page 4: UTM Unified Threat Management

Unified Threat Management (UTM)

Unified threat management (UTM) is an approach to security management that allows an administrator to monitor and manage a wide variety of security-related applications and infrastructure components through a single management console.

• UTM delivers a flexible, future-ready solution to meet the challenges of today's networking environments.

• UTMs represent all-in-one security appliances that carry a variety of security capabilities including firewall, VPN, gateway anti-virus, gateway anti-spam, intrusion prevention, content filtering, bandwidth management, application control and centralized reporting as basic features.

• The UTM has a customized OS holding all the security features in one place.

Page 5: UTM Unified Threat Management

UTM

The best UTM solutions include the following core security functions:

• Network firewalls perform stateful packet inspection

• IPS detects and blocks intrusions and certain attacks

• Application control provides visibility and control of application behaviour and content

• VPN enables secure remote access to networks

• Web filtering halts access to malicious, inappropriate, or questionable websites and online content

• IPv6 support in all network security functions protects networks as they migrate from IPv4 to IPv6

• Support for virtualized environments, both virtual domains and virtual appliances

Page 6: UTM Unified Threat Management

Security Management

Diagram: a single security management layer sits over the whole estate.

• Managed components: servers, firewalls, IPS (Intrusion Protection System), switches, routers, modem, applications, desktop systems

• Inputs gathered from them: logs & events, identity

• Functions built on those inputs: logging and reporting, compliance management, forensic analysis, data protection

Page 7: UTM Unified Threat Management

UTM vs. NGFW

The difference between UTMs and NGFWs is actually minimal. The only tangible difference that may be found involves their respective throughput ratings; devices marketed as UTMs typically have a lower throughput rating and are marketed to small and medium-sized businesses, while devices that maintain a higher throughput rating are typically marketed as NGFWs. In terms of functionality, the two devices are almost carbon copies.

NGFW

NGFWs were designed to perform intrusion prevention and deep packet inspection while many of the other features mentioned above were offloaded to other devices to conserve network throughput and thereby better serve an enterprise network. More recently, NGFWs added application firewall features, a dynamic new capability that in many cases has allowed enterprises to consolidate and use a single device to protect their applications and core networks. At present, however, multi-Gigabit LAN speeds are commonplace, and the need for a device that only performs certain NGFW functions has become obsolete.

Page 8: UTM Unified Threat Management

Key Features & Capabilities of UTM

The standard and Next-Generation Firewall (NGFW) functions include:

• The ability to track and maintain state information for communications to determine the source and purpose of network communications.

• The ability to allow or block traffic based on configured policy (which can be integrated with the state information).

• The ability to perform Network Address Translation (NAT) and Port Address Translation (PAT).

• The ability to perform application-aware network traffic scanning, tracking and control.

• The ability to optimize a network connection (e.g. using TCP optimization).

Page 9: UTM Unified Threat Management

Advantages of Using a Unified Threat Management

• Less Complexity: the all-in-one approach simplifies several things, such as product integration, product selection and ongoing support.

• Ease of Deployment: as less human intervention is required, it is easy to install and maintain. One can get the product installed by finding a reputed vendor online.

• The Black Box Approach: users have a habit of playing with things. Here, the black box approach puts a restriction on the damage that users can cause. This diminishes trouble and enhances network security.

• Integration Capabilities: the appliances can be distributed easily at remote sites. In such a scenario, a plug-and-play device can be set up and handled remotely. This type of management is interactive with software-based firewalls.

Page 10: UTM Unified Threat Management

Disadvantages of Unified Threat Management

Lower performance

Single point of failure.

Vendor lock-in.

Difficult to scale in large environments.

Limited feature set compared to point product alternatives.


Page 11: UTM Unified Threat Management


Page 12: UTM Unified Threat Management

WEB APPLICATION FIREWALL

A web application firewall (WAF) is an appliance, server plug-in, or filter that applies a set of rules to an HTTP conversation. Customizing those rules to a particular application can take significant effort, and they need to be maintained as the application is modified.

A web application firewall is a computer networking firewall operating at the application layer of a protocol stack and is also known as a proxy-based or reverse-proxy firewall.

WAF solutions are capable of preventing attacks that network firewalls and intrusion detection systems can't, and they do not require modification of application source code.

Page 13: UTM Unified Threat Management

Problem                 Rating  WAF countermeasure
Cookie protection       ++      Cookies can be signed; cookies can be encrypted.
Information leakage     +       Cloaking filter: outgoing pages can be cleaned (error messages, comments, undesirable information).
Session fixation        =       Can be prevented if the WAF manages the sessions itself.
File upload             +       Virus check (generally via external systems).
SSL                     +       SSL connection possible from WAF to application.
Cross-site tracing      +       Restriction of the HTTP method.
HTTP request smuggling  +       Prevented via strict testing of each request's conformity to standards.
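Two rows of the table, cookie signing and restriction of the HTTP method, as an added Python example (not from the presentation): an HMAC-signed session cookie that is verified in front of the application, and a method allowlist that rejects anything outside the methods the application needs, such as TRACE. The key, cookie names and values are constructed for the demo.

```python
import base64
import hashlib
import hmac

# Assumption: in a deployment the key comes from configuration; this constant is
# a constructed demo value.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"

# Cross-site tracing row: only the methods the application actually needs.
ALLOWED_METHODS = {"GET", "POST", "HEAD"}


def sign_cookie(value):
    """Append an HMAC-SHA256 tag so the client cannot alter the value unnoticed."""
    tag = hmac.new(SECRET_KEY, value.encode("utf-8"), hashlib.sha256).digest()
    return value + "." + base64.urlsafe_b64encode(tag).decode("ascii").rstrip("=")


def verify_cookie(cookie):
    """Return the original value if the tag is valid, otherwise None."""
    value, sep, _tag = cookie.rpartition(".")
    if not sep:
        return None
    # Recompute over the untrusted value and compare in constant time.
    if hmac.compare_digest(sign_cookie(value), cookie):
        return value
    return None


def parse_cookies(header):
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in header.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep:
            cookies[name] = val
    return cookies


def filter_request(method, headers):
    """WAF-style gate in front of the application.

    Returns (status, session_value): 405 for a disallowed method, 401 when no
    session cookie is present, 403 when the tag does not verify, 200 otherwise.
    """
    if method.upper() not in ALLOWED_METHODS:
        return 405, None
    session = parse_cookies(headers.get("Cookie", "")).get("session")
    if session is None:
        return 401, None
    value = verify_cookie(session)
    if value is None:
        return 403, None
    return 200, value


if __name__ == "__main__":
    good = sign_cookie("uid=42")
    print(filter_request("GET", {"Cookie": "session=" + good}))
    print(filter_request("GET", {"Cookie": "session=" + good.replace("uid=42", "uid=1")}))
    print(filter_request("TRACE", {"Cookie": "session=" + good}))
```

Signing gives integrity only: the client can still read the value, which is why the table lists encryption as the second option for cookies whose contents must stay private. The constant-time comparison matters because a plain string comparison would leak, byte by byte, how much of a forged tag was correct.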

Page 14: UTM Unified Threat Management

ATTACKS PREVENTED BY WEB APPLICATION FIREWALL

• SQL INJECTION

• CROSS-SITE SCRIPTING (XSS)

• DOS ATTACKS AND DDOS ATTACKS

• SESSION HIJACKING ATTACKS

Page 15: UTM Unified Threat Management

SQL INJECTION

A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application.

A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), and execute administration operations on the database (such as shutting down the DBMS).

SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, and allow the complete disclosure of all data on the system.

SQL injection is very common with PHP and ASP applications due to the prevalence of older functional interfaces.
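The slide's first sentence, shown in code: an added Python example (not from the presentation) using an in-memory SQLite table with constructed rows. The vulnerable lookup builds the query by string concatenation, so client input becomes part of the SQL text; the hardened lookup passes the same input as a bound parameter, which the driver never parses as SQL.

```python
import sqlite3


def build_demo_db():
    """Constructed in-memory table with two demo rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, api_key TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "key-a"), ("bob", "key-b")])
    return conn


def find_user_vulnerable(conn, name):
    """The pattern the slide describes: input is pasted into the SQL text."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def find_user_parameterized(conn, name):
    """Hardened form: the value travels separately from the query text."""
    rows = conn.execute("SELECT name FROM users WHERE name = ? ORDER BY name", (name,))
    return [row[0] for row in rows]


def compare(conn, name):
    """Run both lookups on the same input; returns (vulnerable, parameterized)."""
    return find_user_vulnerable(conn, name), find_user_parameterized(conn, name)


if __name__ == "__main__":
    db = build_demo_db()
    print(compare(db, "alice"))
    print(compare(db, "nobody' OR '1'='1"))
```

With a normal username both lookups agree. With an input that closes the quoted string and appends a condition that is always true, the concatenated query returns every row while the parameterized query looks for a user whose name is literally that string and finds nothing. A WAF in front of the application adds a second layer of defence, but parameterized queries are the fix that removes the defect itself.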

Page 16: UTM Unified Threat Management

CROSS-SITE SCRIPTING (XSS)

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites.

XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.

Cross-Site Scripting (XSS) attacks occur when:

• Data enters a Web application through an untrusted source, most frequently a web request.

• The data is included in dynamic content that is sent to a web user without being validated for malicious content.

Page 17: UTM Unified Threat Management

CROSS-SITE SCRIPT ATTACK Example

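Since the example slide survives only as an image, here is an added Python illustration (mine, not the presentation's) of the two bullets on the previous slide: the same untrusted comment rendered with and without output encoding, for the HTML body context and for an attribute context. The comments are constructed inputs.

```python
import html

# Constructed inputs: one benign comment and one carrying markup.
COMMENTS = [
    "Great talk, thanks!",
    "<script>alert(document.cookie)</script>",
]


def render_vulnerable(comment):
    """Untrusted data placed straight into the page: the browser parses it as HTML."""
    return '<p class="comment">' + comment + "</p>"


def render_safe(comment):
    """Escape for the HTML body context so markup is displayed as text, not executed."""
    return '<p class="comment">' + html.escape(comment, quote=False) + "</p>"


def render_attribute_safe(value):
    """Attribute context: the quote characters must be escaped as well, or the
    value could close the attribute and start a new one."""
    return '<input name="q" value="' + html.escape(value, quote=True) + '">'


def render_page(comments):
    """Assemble the comment list the safe way."""
    return "\n".join(render_safe(c) for c in comments)


if __name__ == "__main__":
    for c in COMMENTS:
        print("vulnerable:", render_vulnerable(c))
        print("safe:      ", render_safe(c))
    print(render_attribute_safe('x" onfocus="alert(1)'))
```

Encoding must match the context the data lands in: the body and attribute helpers differ only in whether quotes are escaped, and data placed inside a script block or a URL would need different treatment again.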

Page 18: UTM Unified Threat Management

DOS ATTACKS AND DDOS ATTACKS

The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose for which it was designed.

Sometimes the attacker can inject and execute arbitrary code while performing a DoS attack in order to access critical information or execute commands on the server.

Denial-of-service attacks significantly degrade the service quality experienced by legitimate users. These attacks introduce large response delays, excessive losses, and service interruptions, resulting in direct impact on availability.

Page 19: UTM Unified Threat Management

HOW ARE DOS ATTACKS PERPETRATED?

A DoS attack can be perpetrated in a number of ways:

• Consumption of computational resources, such as bandwidth, memory, disk space, or processor time.

• Disruption of configuration information, such as routing information.

• Disruption of state information, such as unsolicited resetting of TCP sessions.

• Obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately.
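The first item, resource consumption, is the one a WAF or UTM can meaningfully throttle at the edge. As an added example, not from the presentation, here is a per-client token-bucket limiter in Python replayed over a constructed request log; the rate and burst values are arbitrary, and timestamps are passed in explicitly so the run is reproducible.

```python
from collections import defaultdict


class TokenBucket:
    """Refills at `rate` tokens per second up to `burst`; each request costs one."""

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = float(burst)
        self.last = None

    def allow(self, now):
        if self.last is None:
            self.last = now
        # Credit the time elapsed since the last request, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class PerClientLimiter:
    """One bucket per client address, so one noisy source cannot starve the rest."""

    def __init__(self, rate, burst):
        self.buckets = defaultdict(lambda: TokenBucket(rate, burst))

    def check(self, client, now):
        return self.buckets[client].allow(now)


def replay(limiter, requests):
    """requests: iterable of (timestamp, client). Returns (timestamp, client, allowed)."""
    return [(ts, client, limiter.check(client, ts)) for ts, client in requests]


# Constructed request log: one client bursts five requests at once, another
# sends a single request, then the first client returns two seconds later.
SAMPLE_REQUESTS = [(0.0, "10.0.0.9")] * 5 + [(0.0, "10.0.0.10"), (2.0, "10.0.0.9")]


def summarize(rate=1.0, burst=3):
    """Count allowed and denied requests per client for the sample log."""
    counts = defaultdict(lambda: {"allowed": 0, "denied": 0})
    for _ts, client, ok in replay(PerClientLimiter(rate, burst), SAMPLE_REQUESTS):
        counts[client]["allowed" if ok else "denied"] += 1
    return dict(counts)


if __name__ == "__main__":
    for ts, client, ok in replay(PerClientLimiter(1.0, 3), SAMPLE_REQUESTS):
        print(f"t={ts:4.1f} {client:10} {'allow' if ok else 'DENY'}")
    print(summarize())
```

Keying the buckets by client address is the simplest choice and the one a distributed attack defeats by spreading load across many sources; production gateways therefore combine per-client limits with global limits and with upstream filtering.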

Page 20: UTM Unified Threat Management

SESSION HIJACKING ATTACKS

The Session Hijacking attack consists of the exploitation of the web session control mechanism, which is normally managed by a session token. Because HTTP communication uses many different TCP connections, the web server needs a method to recognize every user's connections.

The Session Hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server.

The session token could be compromised in different ways:

• Predictable session token

• Session sniffing

• Client-side attacks (XSS, malicious JavaScript code, Trojans, etc.)

• Man-in-the-middle attack

• Man-in-the-browser attack
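An added Python example (not from the presentation) of the server-side countermeasures to the first item in the list above and to the session fixation row of the WAF table: tokens drawn from the operating system's random source, rotation of the token at login, expiry, and the Set-Cookie attributes that limit sniffing and client-side theft. Timestamps are passed in explicitly so the behaviour is reproducible; all values are constructed.

```python
import secrets


class SessionStore:
    """Server-side session table keyed by an unguessable token."""

    def __init__(self, ttl_seconds=1800):
        self.ttl = ttl_seconds
        self.sessions = {}  # token -> {"user": str or None, "expires": float}

    def _issue(self, user, now):
        # 32 random bytes from the OS CSPRNG; a counter or timestamp would be predictable.
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "expires": now + self.ttl}
        return token

    def start_anonymous(self, now):
        """Pre-login session, e.g. for a shopping basket."""
        return self._issue(None, now)

    def login(self, presented_token, user, now):
        """Rotate the identifier when privilege changes: a token planted or
        captured before login stops working (session fixation countermeasure)."""
        self.sessions.pop(presented_token, None)
        return self._issue(user, now)

    def resolve(self, token, now):
        """Return the session record, or None for unknown, expired or revoked tokens."""
        record = self.sessions.get(token)
        if record is None:
            return None
        if now >= record["expires"]:
            del self.sessions[token]
            return None
        return record

    def logout(self, token):
        """Revoke server-side so a copied token is useless after logout."""
        self.sessions.pop(token, None)


def set_cookie_header(token):
    """Transport flags: TLS only, not readable by scripts, not sent cross-site."""
    return f"session={token}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore(ttl_seconds=600)
    anon = store.start_anonymous(now=0)
    auth = store.login(anon, "alice", now=10)
    print(set_cookie_header(auth))
    print("old token after login:", store.resolve(anon, now=11))
    print("new token after login:", store.resolve(auth, now=11))
```

Each flag maps to an item in the list: Secure removes the token from plaintext connections that can be sniffed, HttpOnly keeps it away from injected scripts, and SameSite limits cross-site requests that would otherwise carry it automatically. None of them helps against a man-in-the-browser, which operates inside the already-authenticated session; that case needs server-side anomaly checks rather than cookie attributes.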

Page 21: UTM Unified Threat Management

THREE PROTECTION STRATEGIES

1. External patching: also known as "just-in-time patching" or "virtual patching".

2. Negative security model: looking for bad stuff. Typically used for Web Intrusion Detection. Easy to start with but difficult to get right.

3. Positive security model: verifying input is correct. Usually automated, but very difficult to get right with applications that change. It's very good but you need to set your expectations accordingly.
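To show how the negative and positive models differ in practice, an added Python example (mine, not the presentation's): a two-signature blocklist next to a per-endpoint allowlist schema for a hypothetical /login form. The signatures and the schema are constructed, not a vendor ruleset.

```python
import re

# Negative model: a small blocklist of known-bad patterns (constructed for the demo).
NEGATIVE_SIGNATURES = {
    "xss-script-tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "sqli-tautology": re.compile(r"'\s*or\s*'[^']*'\s*=\s*'", re.IGNORECASE),
}

# Positive model: for each endpoint, the only parameters allowed and their shapes.
POSITIVE_SCHEMA = {
    "/login": {
        "username": re.compile(r"[a-z0-9_]{3,32}"),
        "password": re.compile(r".{8,128}", re.DOTALL),
    },
}


def negative_model_check(params):
    """Block only what matches a signature; everything else passes."""
    for name, value in params.items():
        for sig_name, pattern in NEGATIVE_SIGNATURES.items():
            if pattern.search(value):
                return False, f"{sig_name} in {name}"
    return True, "no signature matched"


def positive_model_check(path, params):
    """Allow only what the application is known to expect; everything else is rejected."""
    schema = POSITIVE_SCHEMA.get(path)
    if schema is None:
        return False, f"unknown path {path}"
    for name in params:
        if name not in schema:
            return False, f"unexpected parameter {name}"
    for name, pattern in schema.items():
        value = params.get(name)
        if value is None:
            return False, f"missing parameter {name}"
        if not pattern.fullmatch(value):
            return False, f"malformed parameter {name}"
    return True, "matches schema"


def evaluate(path, params):
    """Run both models side by side; returns (negative verdict, positive verdict)."""
    return negative_model_check(params)[0], positive_model_check(path, params)[0]


if __name__ == "__main__":
    normal = {"username": "alice", "password": "correct horse battery"}
    print("normal login      ", evaluate("/login", normal))
    print("extra parameter   ", evaluate("/login", dict(normal, debug="1")))
    print("markup in username", evaluate("/login", dict(normal, username="<script>x</script>")))
```

The extra-parameter case is the point of slide 21: nothing in the blocklist matches, so the negative model lets it through, while the positive model rejects it simply because the form never declared it. The price is visible in the schema itself: every time the application adds a field, the schema must change with it, which is why the slide calls the positive model difficult to get right for applications that change.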

Page 22: UTM Unified Threat Management

Thank you!

Download this presentation from

Questions?