Lori MacVittie - Two Different Socks

posted on Monday, December 07, 2009 3:37 AM

The long-lost application delivery spell compendium has been found! Its once hidden, arcane knowledge is slowly being translated for the good of all web applications. Luckily, you don’t have to be Elminster or Gandalf or <insert powerful wizard you know here> to cast this spell over your infrastructure.

Contingency

   School of Magic: Evocation

   Components: Somatic (requires gestures), Material (requires physical component)

   Saving Throw: None

   Spell Resistance: No

Through the use of the contingency spell, application delivery professionals can dictate the conditions of the execution of another spell. The contingency spell and the companion spell(s) are cast at the same time, but the companion spell fires only when the conditions specified by the contingency spell are met.

The material component for this spell is a network-side scripting capable application delivery controller. The somatic component requires the caster to complete a series of mouse clicks and keyboard strokes that deploy a network-side script that fires when the specified event occurs. A verbal component is not necessary, but some casters find it satisfying to complete the invocation of contingency with some sort of joyful noise (defensive casters belonging to the InfoSec Guild tend to call out “Huzzah! Beat that!” for some reason).

The spell to be brought into effect by the contingency can be one that affects layers 2 through 7 and can either be narrow or broad in its targeting. For example, the contingency can be based upon specified triggers such as: HTTP_REQUEST, HTTP_RESPONSE, CLIENT_DATA, ASM_REQUEST_VIOLATION, SIP_RESPONSE, DNS_REQUEST, and ASM_RESPONSE_VIOLATION. Consult your player’s handbook for a complete list of possible triggers. You can use multiple contingency spells at a time, but each will fire according to the order of events specified in the player’s handbook. 

Like many illusionist spells, the effects of the companion spell(s) are heavily dependent upon your imagination. Existing spells that have been cast along with contingency, and that have been made available by their casters, can be explored in the companion spell compendium.


EVENT-BASED APPLICATION DELIVERY

Network-side scripting capabilities in application delivery controllers offer a unique method of extending a wide variety of IT-related functions “into the network”. When we talk about Infrastructure 2.0 we tend to focus on control-plane APIs that enable management and dynamism in the infrastructure, but network-side scripting can be as integral to enabling an agile and extensible infrastructure as its control-plane API cousins.

“I wish it would do this when that happens” is an utterance I’m sure most of you have heard – if not muttered/exclaimed yourself. No solution is 100% perfect for your environment and needs; there’s always something you wish it could/would do that it doesn’t. In most cases there’s nothing you can do about it; it’s take it or leave it.

Network-side scripting provides the means by which you can probably make that happen when this happens. The number of “that happens” events supported by network-side scripting capable solutions varies, but in some cases the list is quite lengthy and spans a wide variety of infrastructure concerns. Network-side scripting enables you to say WHEN THAT_HAPPENS do THIS. It provides a framework in which you can tailor application delivery functions – security, authentication, acceleration, optimization, load balancing, routing, transformation – to your unique environment in a way that’s just not possible in a turn-key solution.


EXAMPLE: IMPROVING SECURITY-RELATED RESPONSES

One of the downsides to web application firewalls has been that the range of actions you can perform has always been somewhat limited. You can block, quarantine, log, or ignore policy violations but it’s difficult to enable custom functionality. “Contingency”, a.k.a. network-side scripting, changes that and allows developers and architects to respond to application security policy violations specifically tailored to suit organizational needs. Both inbound (request) and outbound (response) violations can be used to trigger custom responses.

Just a few of the attack types you can respond to are:

  • ATTACK_TYPE_TROJAN_BACKDOOR_SPYWARE
    Trojan/Backdoor/Spyware
  • ATTACK_TYPE_DETECTION_EVASION
    Detection Evasion
  • ATTACK_TYPE_VULNERABILITY_SCAN
    Vulnerability Scan
  • ATTACK_TYPE_ABUSE_OF_FUNCTIONALITY
    Abuse of Functionality
  • ATTACK_TYPE_AUTHENTICATION_AUTHORIZATION_ATTACKS
    Authentication/Authorization Attacks
  • ATTACK_TYPE_BUFFER_OVERFLOW
    Buffer Overflow
  • ATTACK_TYPE_PREDICTABLE_RESOURCE_LOCATION
    Predictable Resource Location
  • ATTACK_TYPE_INFORMATION_LEAKAGE
    Information Leakage
  • ATTACK_TYPE_DIRECTORY_INDEXING
    Directory Indexing
  • ATTACK_TYPE_PATH_TRAVERSAL
    Path Traversal
  • ATTACK_TYPE_XPATH_INJECTION
    XPath Injection

The ability to act on specific policy violations combined with the proper context provides the means by which a web application firewall can be leveraged to enhance business value – by providing helpful information to legitimate users that can assist in resolving the problem without involving the help/support desk – as well as the overall security posture of the applications being defended. Perhaps it’s nothing more than a custom blocking page on which you emphatically inform the violator that you know what they’re doing, or a redirection to a self-service site for users you know, because you have the proper context, are simply having a bad day and need some help.

Ultimately the purpose of this kind of flexibility is to enable a more agile infrastructure and increase visibility into application delivery. Visibility comes from information, and it is a wealth of information that can be provided by examining application security policy violation events. Even if the response is nothing more than to log the details information security pros deem important, it’s improving the visibility into the application environment that can aid IT in improving web application security and related processes.
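As an added example (not from the original post, and not iRule or vendor code), here is a small Python model of the WHEN THAT_HAPPENS do THIS pattern applied to policy-violation events, choosing between the logging, self-service redirect and custom blocking page responses described above. The event fields, the strike threshold and the `/self-service` URL are assumptions made for illustration; only the event and attack-type names come from the post.

```python
import json

# Attack-type names come from the list in the post. The event fields, URL and
# "known user" context are constructed assumptions, not an ADC vendor API.
USER_ERROR = {"ATTACK_TYPE_AUTHENTICATION_AUTHORIZATION_ATTACKS",
              "ATTACK_TYPE_ABUSE_OF_FUNCTIONALITY"}
HOSTILE = {"ATTACK_TYPE_VULNERABILITY_SCAN", "ATTACK_TYPE_DETECTION_EVASION",
           "ATTACK_TYPE_PATH_TRAVERSAL", "ATTACK_TYPE_XPATH_INJECTION"}
HANDLERS = {}  # event name -> handlers, run in registration order


def when(event):
    """Decorator form of 'WHEN THAT_HAPPENS do THIS'."""
    def register(fn):
        HANDLERS.setdefault(event, []).append(fn)
        return fn
    return register


@when("ASM_REQUEST_VIOLATION")
def log_details(v, ctx):
    # json.dumps escapes CR/LF, so attacker-controlled fields cannot forge log lines.
    fields = ("support_id", "attack_type", "client_ip", "user", "uri")
    ctx["log"].append(json.dumps({k: v.get(k) for k in fields}))


@when("ASM_REQUEST_VIOLATION")
def respond(v, ctx):
    ip = v["client_ip"]
    strikes = ctx["strikes"].get(ip, 0) + 1
    ctx["strikes"][ip] = strikes
    if v.get("user") and v["attack_type"] in USER_ERROR and strikes <= 2:
        # Known user having a bad day: point them at self-service, not a dead end.
        return {"status": 302, "location": "/self-service?ref=" + v["support_id"]}
    if v["attack_type"] in HOSTILE or strikes > 2:
        # Custom block page carries only the support ID, never request content.
        return {"status": 403, "body": "Request blocked. Reference " + v["support_id"]}
    return None  # fall through to the firewall's default action


def fire(event, violation, ctx):
    """Run every handler for the event; the first non-None result is the response."""
    response = None
    for handler in HANDLERS.get(event, []):
        result = handler(violation, ctx)
        if response is None:
            response = result
    return response
```

Every handler still runs after a response has been chosen, so the violation is logged regardless of which action wins.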


Feedback

1/21/2010 4:19 AM
If you need an all in one solution then I would look at something like unified threat management also known as a UTM. Cyberoam firewall is the only UTM firewall that...
Rapid Share
12/10/2009 3:56 AM
JSON versus XML: Your Choice Matters More Than You Think
Lori MacVittie
2/20/2010 4:07 PM
Range of firewalls really limited. Most can say. That it is insufficient for the existing threats. This problem may be considered more carefully.
Ben S
2/23/2010 3:56 AM
Thanks for help! This is just what I was looking for!
Alex
3/11/2010 10:12 PM
application security policy violation events. Even if the response is nothing more than to log the details information security pros deem important it’s improving the visibility into the application environment that can aid IT in improving web application security and related processes.
pamphlets design
4/22/2010 3:24 PM
Ok, sounds nice. On the caching location couldn't/wouldn't it be not as hard to map a network drive to the S3 location and have that as a cache directory in ArcGIS Server versus converting and copying the information, hence the reason I mentioned VPC? Not sure if you can do it otherwise.
Car Rental Nice Airport
5/17/2010 11:20 PM
Perhaps it’s nothing more than a custom blocking page on which you emphatically inform the violator that you know what they’re doing or a redirection to a self-service site for users you know, because you have the proper context, are simply having a bad day and need some help.
randi420
5/28/2010 1:46 AM
Perhaps look into something like spyware removal online, it might help with the attacks and problems you're having.
Jake
