web application firewall
There are 49 entries for the tag web application firewall
#infosec A recently discovered 0-day Apache exploit is no problem for BIG-IP. Here’s a couple of different options using F5 solutions to secure your site against it.
It’s called “Apache Killer” and it’s yet another example of exploiting not a vulnerability, but a protocol’s behavior.
UPDATE (8/26/2011) We're hearing that other Range-* HTTP headers are also vulnerable. Take care to secure against these potential attack vectors as well!
In this case, the target is Apache and the “vulnerability” is in the way multiple ranges are handled by the Apache HTTPD server. The RANGE HTTP header is used to request one...
#v11 AJAX, JSON and an ever increasing web application spread increase the odds of succumbing to a breach. BIG-IP ASM v11 reduces those odds, making it more likely you’ll win at the security table
When we use analogy often enough it becomes pervasive, to the point of becoming an idiom. One such idiom is the expression of unlikelihood of an event by comparing it to being hit by lightning. The irony is that the odds of being hit by lightning are actually fairly significant – about 1:576,000. Too many organizations view their risk of a breach as bring akin to...
Don’t get so focused on the trebuchets, mangonels and siege towers that you forget about the sappers. We often compare data center security to castles and medieval defenses. If we’re going to do that, we ought to also consider the nature of attacks in light of the military tactics used to perpetrate such attacks, namely siege warfare. It’s likely more apropos today than it was when the analogy was first made because today organizations are definitely under siege from a variety of attack methods. Most of them are obvious if you have someone on the walls...
Sometimes vulnerabilities are simply the result of a protocol design decision, but that doesn’t make it any less a vulnerability
An article discussing a new attack on social networking applications that effectively provides an opening through which personal data can be leaked was passed around the Internets recently.
If you haven’t read “Abusing HTTP Status Codes to Expose Private Information” yet please do, it’s a good read and exposes, if you’ll pardon the pun, yet another “vulnerability by design” flaw that exists in many of the protocols that make the web go today.
We, as an industry, spend a lot...
Detecting attacks is good, being able to do something about it is better. F5 and Oracle take their collaborative relationship even further into the data center, integrating web application and database firewall solutions to improve protection against web and database-focused attacks.
It is often the case that organizations heavily invested in security solutions designed to protect critical application infrastructure, such as the database, are unwilling to replace those solutions in favor of yet another solution. This is not necessarily a matter of functionality or trust, but a decision based on reliance on existing auditing and management solutions that are...
Use network-side scripting, of course!
While just about every developer and information security professional knows that a buffer-overflow exploit can result in the execution of malicious code not many truly grok the “why”. Fortunately, it’s not really necessary for either one to be able to walk through the execution stack and trace the byte-code as it overwrites registers and then jumps to execute it. They know it’s A Very Bad Thing™ and perhaps more importantly they know how to stop it.
SECONDARY and TERTIARY DEFENSE REQUIRED
The best place to prevent a buffer-overflow vulnerability is in the application code. Never...
Modern DoS attacks are distributed, diverse and cross the chasm that divides network components from application infrastructure. A unified application delivery platform with multi-layer visibility is the best way to detect and mitigate multi-layer attacks.
The WikiLeaks attacks have taught us that information security strategies must evolve to keep up with the ever-changing attack vectors leveraged against web applications and web sites across the Internet. It’s no longer enough to protect against attack X or Y; it’s now necessary to protect against both – simultaneously.
Because of the role F5 BIG-IP solutions play in application delivery...
It’s not just that attacks are distributed, but that attacks are also diverse in nature – up and down the stack, at the same time.
If Anonymous has taught us anything it’s that the future of information security is in fending off attacks across the breadth and depth of the network stack – and the data center architecture – at the same time. Traditionally DDoS attacks are so-named because the clients are distributed; that is they take advantage of appearing to come from a variety of locations as a means to prevent detection and easy prevention. It’s about the...
That’s “Improvise. Adapt. Overcome.” and it should be if it isn’t. The right tools can help you live up to that motto.
If you Google “Zeus Trojan” you’ll find a wealth of information. Unfortunately all that wealth appears to be draining into the bank accounts of miscreants leveraging the tenacious trojan to steal funds from organizations. Despite attempts by just about everyone to detect and prevent this nasty piece of software from infecting data centers around the world, it continues to mutate and wreak havoc across the globe.
September 28, 2010: Fake...
Catching bees with honey(pots) means they’re preoccupied with something other than stinging you.
Pop quiz time…pencils ready? Go.
Is it good or bad to block malicious requests?
If your answer was “that depends on a lot of different factors” then pat yourself on the back. You done good.
It may seem counterintuitive to answer “it’s bad block malicious requests” but depending on the attacker and his goals it may very well be just that.
MISSION IMPOSSIBLE
No security solution is a 100% guaranteed to prevent a breach (unless we’re talking about scissors) and most are simply designed to...
If you’re going to test performance of anything make sure it’s actually doing what it’s designed to do. Race cars go really fast too – but they don’t get you anywhere but around and around in a big circle.
Speed is important, especially in application delivery. We all know that the web monsters like Google and Amazon have studied and researched using real applications and users the impact of even a fraction of a second reduction in response time. It costs them money. Your users may not be quite so sensitive, but you’d rather not take the risk.
At...
Web 2.0 is about sharing content – user generated content. How do you enable that kind of collaboration without opening yourself up to the risk of infection? Turns out developers and administrators have a couple options…
The goal of many a miscreant is to get files onto your boxen. The second step after that is often remote execution or merely the hopes that someone else will look at/execute the file and spread chaos (and viruses) across your internal network. It’s a malicious intent, to be sure, and makes developing/deploying Web 2.0 applications a risky proposition. After all, Web 2.0...
The fallacy of security is that simplicity or availability of the solution has anything to do with time to resolution The announcement of the discovery of a way in which an old vulnerability might be exploited gained a lot of attention because of the potential impact on Web 2.0 and social networking sites that rely upon OAuth and OpenId, both of which use affected libraries. What was more interesting to me, however, was the admission by developers that the “fix” for this vulnerability would take only “six lines of code”, essentially implying a “quick fix.” ...
Defeating modern attacks – even distributed ones – isn’t the problem. The problem is detecting them in the first place. Last week researchers claimed they’ve discovered a way to exploit a basic security flaw that’s used in software that’s in high use by Web 2.0 applications to essentially support if not single-sign on then the next best thing – a single source of online identity. The prevalence of OAuth and OpenID across the Web 2.0 application realm could potentially be impacted (and not in a good way) if the flaw were to be exploited. Apparently a similar...
Exorcising your digital demons
Most people are familiar with Shakespeare’s The Tragedy of Macbeth. Of particularly common usage is the famous line uttered repeatedly by Lady Macbeth, “Out, damn’d spot! Out, I say” as she tries to wash imaginary bloodstains from her hands, wracked with the guilt of the many murders of innocent men, women, and children she and her husband have committed.
It might be no surprise to find a similar situation in the datacenter, late at night. With the background of humming servers and cozily blinking lights shedding a soft glow upon the floor, you might hear...
Never never trust content from a user, even if that user is another application.
Web 2.0 is as much about integration as it is interactivity. Thus it’s no surprise that an increasing number of organizations are including a feed of their recent Twitter activity on their site. But like any user generated content, and it is user generated after all, there’s a potential risk to the organization and its visitors from integrating such content without validation.
A recent political effort in the UK included launching a web site that integrated a live Twitter stream based on a particular hashtag....
Being an efficient developer often means abstracting functionality such that a single function can be applied to a variety of uses across an application. Even as this decreases risk of errors, time to develop, and the attack surface necessary to secure the application it also makes implementing security more difficult. Over the holidays I had the opportunity to do some coding on my latest web application project. I won’t bore you with the details of what it is because it’s to support a hobby of Don and mine except to say that it’s running on a LAMP stack...
Using Anonymous Human Authentication to prevent illegitimate access to sites, services, and applications. In the “real world” there are generally accepted standards set for access to a business and its services. One of the most common standards is “No shirt, no shoes, no service.” Folks not meeting this criteria are typically not allowed past the doors of a business. But on the web, access to services is implicit in the fact that the business is offering the service. If the HTTP service is accessible, it’s implicitly allowing connections and providing service without any standard criteria...
The long, lost application delivery spell compendium has been found! Its once hidden, arcane knowledge is slowly being translated for the good of all web applications. Luckily, you don’t have to be Elminster or Gandalf or <insert powerful wizard you know here> to cast this spell over your infrastructure Detect Invisible (Application) Stalkers School of Magic: Abjuration (Protective Spells) Components: Somatic (requires gestures), Material (requires physical component) Casting Time: special Range: Layers 3-7 Area: global Duration: Until discharged ...
While you spend your time arguing over where application security belongs, miscreants are taking advantage of vulnerabilities. By the time you address the problem, they’ve moved on to the next one. Dmitry Evteev @ Positive Technologies Research has discovered (yet) another method of exploitation that allows for the injection of malicious SQL into sites and databases. A method that I discovered today in MySQL documentation struck me with its simplicity and the fact that I haven’t noticed it before. Let me describe this method of bypassing WAF. ...
Brute force attacks by spammers seeking easy access causing frustration for users with no resolution in sight At least once a day I see someone on Twitter broadcast that they have been “locked out of their Twitter account, temporarily.” A search for “locked out” returns thousands of tweets with a good mixture of some folks who’ve (amusingly) been locked out of apartments/houses/buildings and many that have been temporarily locked out of Twitter. The more technically savvy tweeters like Ray Valdes often mention that it is most likely the result of spammers and miscreants attempting to brute force their...
There are few things in reality that can match The Gazebo in its ability to evoke fear and suspicion amongst gamers. The links on your web site may be one of them. In the history of Dungeons and Dragons there exists the urban legend known to all as “The Gazebo.” The Gazebo, over the years, has become a gaming euphemism for a situation in which people over analyze and overestimate the risk involved with interacting with some “thing”. In the case of The Gazebo the “thing” was, as you might guess, a gazebo. Yes, a simple wooden...
If one of the drivers for moving to cloud-based applications is reducing costs, you should think twice about the placement of application security solutions. There’s almost no way to avoid an argument on this subject so I won’t tiptoe around it: web application security in the cloud is better accomplished at the edge, with a web application firewall or similar solution, than it is inside the cloud in the application. This is true regardless of whether the cloud model is public or private; basically if you’re being charged on a per-usage basis then placement of web application security...
Logs are for auditing, accountability, and tracking down offenders – not for providing real-time security A new law signed into effect in February 2009 requires that health care providers and organizations subject to HIPAA notify affected customers in the event of a breach affecting more than 500 records. There was very little discussion of this new requirement in the blogosphere which was surprising given this statement hidden amongst one of the few articles on the subject. Dominique Levin, executive vice president of marketing and strategy for log management vendor LogLogic, told SCMagazineUS.com...
The “replace” in “rip and replace” essentially means getting rid of old security problems and replacing them with new ones. Twittergate is (thankfully) behind us but it’s almost assuredly going to be the case that we’ll be rehashing this one for a while. This certainly isn’t the first time Twitter and security issues have clashed, and as in the past Twitter (and really any very public application in a similar situation) is the clear loser. And of course there comes the unsolicited advice offered regarding what Twitter needs to do to address its security issues. I am, of...
If you haven’t got your (applications’) health, then you haven’t got anything If you happen to be unlucky enough to suffer from Celiac disease - gluten intolerance (wheat, barley, oats, rye) - then you know how important it is to keep gluten out of your diet. If you don’t know let’s just say that you have to keep even trace amounts of gluten out of your diet lest you suffer the consequences, which can be different from person to person, but none are pleasant. You feed off food; applications feed off requests and responses. Like those who...
How to defeat the ancient Jedi mind trick known as HTTP Request Smuggling. HTTP Request Smuggling (HRS) is not a new technique; it's been around since 2005. It takes advantage of architectures where one or more intermediaries (proxies) are deployed between the client and the server. HRS is can be used to poison web-caches and bypass security solutions such as web application firewalls as well as for the delivery of malicious payloads such as worms, viruses, and those used to exploit known vulnerabilities in web and application servers. The good news is that to exploit HRS,...
Collaborating automatically via Web 2.0 APIs is a beautiful thing. I can update status on Twitter and it will automagically propagate to any number of social networking sites: Facebook. FriendFeed. MySpace. LinkedIn. If I had to do it all manually, I wouldn’t. But the automation of sharing, i.e. collaboration, between Web 2.0 social networking sites made possible by open APIs is just too easy to pass up.
The danger is, of course, that a single malicious message can just as quickly propagate through that same social network. The power of the API can quickly be turned against us.
A...
Those who cannot remember the past are condemned to repeat it. George Santayana, The Life of Reason, Volume 1, 1905 US (Spanish-born) philosopher (1863 - 1952) This oft repeated quote needs to be tweaked just a bit to be more applicable to web application security: Those who choose to ignore the past in favor of convenience are condemned to repeat it. Just how many times do developers have to “hack” a protocol that eventually becomes a wide-open hole through which even a blind miscreant...
Keep in mind that the time it takes a human being to blink is an average of 300 – 400 milliseconds. I just got back from Houston where I helped present on F5’s integration with web application security vendor White Hat, a.k.a. virtual patching. As almost always happens whenever anyone mentions the term web application firewall the question of performance degradation was raised. To be precise: How much will a web application firewall degrade performance? Not will it, but how much will it, degrade performance. My question back to those of you with the same...
Mike Fratto loves to tweak my nose about web application security. He’s been doing it for years, so it’s (d)evolved to a pretty standard set of arguments. But after he tweaked the debate again in a tweet, I got to thinking that part of the problem is the definition of web application security itself. Web application security is almost always about the application (I know, duh! but bear with me) and therefore about the developer and secure coding. Most of the programmatic errors that lead to vulnerabilities and subsequently exploitation can be traced to a lack of secure...
You're standing in line at the bank when someone walks in. You instinctively look around and notice the newcomer is wearing sunglasses, and a hooded sweatshirt. His hands are both inside the pockets of his sweatshirt, even though it's warm inside. He chooses a line, and dances nervously from foot to foot, craning his neck to see to the front of the line. After a few minutes he leaves the line and chooses a new one, growing increasingly agitated at the wait. He keeps looking from the clock to the line to the tellers, and appears to be wringing his...
Yesterday I was privileged to co-host a webinar with WhiteHat Security's Jeremiah Grossman on preventing SQL injection and Cross-Site scripting using a technique called "virtual patching". While I was familiar with F5's partnership with WhiteHat and our integrated solution, I wasn't familiar with the term. Virtual patching should put an end to the endless religious warring that goes on between the secure coding and web application firewall camps whenever the topic of web application security is raised. The premise of virtual patching is that a web application firewall is not, I repeat is not a replacement for secure...
Everyone is buzzing and tweeting about the SANS Institute CWE/SANS Top 25 Most Dangerous Programming Errors, many heralding its release as the dawning of a new age in secure software. Indeed, it's already changing purchasing requirements. Byron Acohido reports that the Department of Defense is leading the way by "accepting only software tested and certified against the Top 25 flaws."
Some have begun speculating that this list obviates the need for web application firewalls (WAF). After all, if applications are secured against these vulnerabilities, there's no need for an additional layer of security.
Or is there?
Web application firewalls, while certainly...
In the face of a recession everyone, individuals and organizations alike, begin scaling back spending. The first thing to go is luxury items; after all, you probably didn't need that big screen TV for Christmas, and the kids will likely be just as happy with used video games as they would with new ones. IT departments quickly scale back as well, putting off larger, more costly projects that aren't critical to the core business and re-evaluating much of their infrastructure in an attempt to cut costs and reduce the impact of the hardware and software costs of running...
I was reading an interesting article on the return on investment for WAN Optimization solutions as discussed by analyst research firm Aberdeen and decided to download the complimentary copy of the report. Reports are generally offered as PDF downloads, not displayed in Macromedia FlashPaper, so it was not easily obtainable for sharing with friends. However, there's a nice "e-mail to a friend" link so I clicked on it, thinking of many folks I know who might be interested in this report. The next thing I know my screen is screaming at me with a warning about malicious content...
One of the arguments against the deployment of web application firewalls (WAF) is that it takes time to configure these devices to fit each individual environment. This is allegedly one of the reasons that secure coding is preferred over security devices. But it takes time to code solutions and deploy them, too. In fact, depending on the lifecycle management at any given organization, it can take more time to code a solution and get it moved through a phased environment into production. One of the benefits of an application delivery platform and web application security deployed at...
Yesterday it was reported that BusinessWeek had been infected with malware via an SQL injection attack. [begin Mom lecture] Remember when we talked about PCI DSS being a good idea for everyone, even though it's just a requirement for the payment card industry? If I've told you once, I've told you a million times: safer is better, more protection never hurts. ...
During the debate of WAF versus, well, just about everything, I heard an interesting thing.
See, I was taking the view that the duplication of security code across all services/applications lays the groundwork for the introduction of errors, accidental omission, and the degradation of performance. I argued that a WAF addressed all these problems and was therefore a better option.
The person with whom I was discussing the subject declared that security code did not necessarily need to be included in the application, it could be a service that, in the spirit of SOA, could be reused and that this...
An ant named Archimedes is in a hole 6' deep. He climbs half the distance to the top every hour. How long does it take for him to escape the hole? Trick question. He can never, mathematically, escape. Realistically, we know that when Archimedes gets close to the top he will escape because he is actually longer than the amount of hole he has left to go. But what if every hour that Archimedes climbed the hole expanded 6" and thus changed the equation? He'd be one frustrated ant, that's what he'd be. That's how...
An application delivery controller (ADC) essentially acts a reverse proxy. That means that client requests interact with the ADC, and the ADC interacts with web and application servers on the client's behalf. This mediation offers the chance to implement acceleration, availability, and security features without requiring changes to existing applications. There are many, many more features in an ADC that provide significant value. These eight capabilities are the most commonly employed features in reverse-proxy application delivery solutions that provide immediate benefits to web applications, and all can be used without modifying applications or the servers on...
Apache is a great web server if for no other reason than it offers more flexibility through modules than just about any other web server. You can plug-in all sorts of modules to enhance the functionality of Apache.
But as I often say, just because you can doesn't mean you should.
One of the modules you can install is mod_security. If you aren't familiar with mod_security, essentially it's a "roll your own" web application firewall plug-in for the Apache web server.
Some of the security functions you can implement via mod_security are:
Simple filtering
...
Via Hacker News and Peteris Kumins' blog on programming, hacking, software reuse and stuff comes the latest Google tech talk, this one on web application vulnerabilities and "how cybercriminals steal money". While Peteris and Google are targeting web developers with this informative video talk, it's a great resource as well for security folks as well as network administrators tasked with understanding how to thwart web application attacks. Even if you've deployed a web application firewall to protect you from these kinds of vulnerabilities, it's still a great idea to watch this one and get a better...
Andre Gironda (Dre) has declared war on WAF (Web Application Firewalls). I found his attack on WAFs a bit amusing because the belief that secure coding will take care of all web application vulnerabilities is quite utopian, and thus more compatible with a more passive-aggressive strategy and not a frontal assault with a war-declaring-gut-stomping-heated list of reasons to discount a technological solution to the problem of web application threat defense. Today I'm going to focus on reason #2, because I don't believe it's peculiar to WAFs at all. The "number 2" reason to wait on WAFs, according...
The good folks at Verizon Business who recently released their 2008 Data Breach Investigations Report sounded almost surprised by the discovery that "Intrusion attempts targeted the application layer more than the operating system and less than a quarter of attacks exploited vulnerabilities. Ninety percent of known vulnerabilities exploited by these attacks had patches available for at least six months prior to the breach." This led the researchers to conclude that "For the overwhelming majority of attacks exploiting known vulnerabilities, the patch had been available for months prior to the breach. [...] Also worthy of mention is that no...
Verizon Business recently released its 2008 Data Breach Investigations Report, covering more than 500 different security breach incidents occurring in the past four years. It's a fascinating read and should be mandatory for business and IT professionals alike. The report should be of assistance to those attempting to decide whether to comply with requirement 6.6 of PCI DSS by deploying an application firewall or engaging in code reviews. The answer? Both are necessary; not because the standard requires both, but because employing both will provide the best coverage across a varied set of attacks. Verizon's report indicates that...
With the deadline of June 2008 quickly approaching for retailers who need to be compliant with PCI DSS (Payment Card Industry Data Security Standard) there's a lot of focus in IT shops on requirement 6.6, the somewhat hotly debated requirement which states organizations must implement either a web application firewall or perform code reviews (and address vulnerabilities discovered) in order to be compliant with the standard and continue accepting credit cards. So much focus is on this standard and online retailers that it seems like the "bad guys" might consider other avenues of attack. Malicious code (malware) and...
According to a recent ComputerWorld article, most retailers aren't ready for the forthcoming June deadline for PCI DSS compliance.
From ComputerWorld :: Few expected to make June 30 PCI deadline for Web application security
Most retailers will not meet the June 30 deadline for complying with new Payment Card Industry Data Security Standard (PCI-DSS) requirements for securing web applications. Companies can achieve compliance with either a specialized firewall or web application software code review, which entails finding vulnerabilities and fixing them. Many retailers appear to be opting for firewalls, which are "quick fixes," according to Gartner analyst Aviva Litan. "Application firewalls...
This is an interesting article from Network World about how CIOs in Australia and New Zealand perceive security as being easier than reducing costs. The IDC Annual Forecast for Management report surveyed 363 IT executives from Australia (254 respondents) and New Zealand (109 respondents) across industries including finance, distribution, leisure and the public sector. CIO Challenges ...
