1. STUDY AND IMPLEMENTATION OF UNIFIED
THREAT MANAGEMENT AND WEB
APPLICATION FIREWALL
UNDERTAKEN AT
Defence Research and Development Organisation (DRDO)
By: Lokesh Sharma
ECE (1222531042)
1
2. Internal threats
Identity theft
Data loss
Data deletion
Data modification
External threats
Worms
Malicious code
Virus
Malware
Social Engineering
threats
Spam
Phishing
Pharming
Data theft
DoS attacks
Hacking
USER
Attack on
Organization
User – The Weakest Security Link
2
3. Why is this an issue?
Traditional firewalls cannot detect these new applications they rely on port numbers or protocol
identifiers to recognize and categorize network traffic and to enforce policies related to such
traffic
Apps that use specific port numbers or protocols make it easy for network administrators to
block unwanted traffic, but browser-based applications often use only two port numbers, each
associated with a protocol vital to user productivity and responsible for the bulk of Internet
traffic today
This means that all traffic from browser-based apps looks exactly the same to traditional
firewalls; they can’t differentiate between applications, so there is no easy way to block bad,
unwanted, or inappropriate programs whilst permitting desirable or necessary apps to proceed
unhindered
3
4. Unified Threat Management (UTM)
Unified threat management (UTM) is an approach to security management that allows an administrator to
monitor and manage a wide variety of security-related applications and infrastructure components through a
single management console.
•
UTM delivers a flexible, future-ready solution to meet the challenges of today’s networking
environments.
•
UTMs represent all-in-one security appliances that carry a variety of security capabilities including
firewall, VPN, gateway anti-virus, gateway anti-spam, intrusion prevention, content filtering, bandwidth
management, application control and centralized reporting as basic features.
•
The UTM has a customized OS holding all the security features at one place.
4
5. UTM
The best UTM solutions include the following core security functions:
Network firewalls perform stateful packet inspection
IPS detects and blocks intrusions and certain attacks
Application control provides visibility and control of application behaviour and content
VPN enables secure remote access to networks
Web filtering halts access to malicious, inappropriate, or questionable websites and online
content
IPv6 support in all network security functions protects networks as they migrate from IPv4 to IPv6
Support for virtualized environments, both virtual domains and virtual appliances
5
7. UTM vs. NGFW
The difference between UTMs and NGFWs is actually minimal. The only tangible difference that
may be found involves their respective throughput ratings; devices marketed as UTMs typically
have a lower throughput rating and are marketed to small and medium-sized businesses, while
devices that maintain a higher throughput rating are typically marketed as NGFWs. In terms of
functionality, the two devices are almost carbon copies.
NGFW
NGFWs were designed to perform intrusion prevention and deep packet inspection while many
of the other features mentioned above were offloaded to other devices to conserve network
throughput and thereby better serve an enterprise network. More recently, NGFWs added
application firewall features, a dynamic new capability that in many cases has allowed enterprises
to consolidate and use a single device to protect their applications and core networks. At present,
however, multi-Gigabit LAN speeds are commonplace, and the need for a device that only
performs certain NGFW functions has become obsolete.
7
8. Key Features & Capabilities of UTM
The standard and Next-Generation Network Firewall (NGFS) functions include:
•
The ability to track and maintain state information for communications to determine the source
and purpose of network communications.
•
The ability to allow or block traffic based on configured policy (which can be integrated with the
state information).
•
The ability to perform Network Address Translation (NAT) and Port Address Translation(PAT).
•
The ability to perform application aware network traffic scanning, tracking and control.
•
The ability to optimize a network connection (i.e. using TCP optimization).
8
9. Advantages of Using a Unified Threat Management
•
Less Complexity- The all-in-one approach simplifies several things, such as product integration,
product selection and ongoing support.
•
Ease of Deployment- As lesser human intervention is required, it is easy to install and
maintain. One can get the product installed by finding a reputed vendor online.
•
The Black Box Approach- Users have a habit of playing with things. Here, the black box
approach puts a restriction on the damage that users can cause. This diminishes trouble and
enhances network security.
•
Integration Capabilities- The appliances can be distributed easily at remote sites. In such a
scenario, a plug and play device can be set up and handled remotely. This type of management
is interactive with firewalls that are software- based.
9
10. Disadvantages of Unified Threat Management
Lower performance
Single point of failure.
Vendor lock-in.
Difficult to scale in large environments.
Limited feature set compared to point product alternatives.
10
12. WEB APPLICATION FIREWALL
A web application firewall (WAF) is an appliance, server plug-in, or filter that applies a set of
rules to an HTTP conversation. The effort to perform this customization can be significant and
needs to be maintained as the application is modified.
Web application firewall is a computer networking firewall operating at the application layer of a
protocol stack and is also known as a proxy-based or reverse-proxy firewall.
WAF solutions are capable of preventing attacks that network firewalls and intrusion detection
systems can't, and they do not require modification of application source code.
12
13. 13
Problem WAF Countermeasure
Cookie protection +
+
Cookies can be signed
Cookies can be encrypted.
Information leakage + Cloaking filter, outgoing pages can
be cleaned (error messages,
comments, undesirable information).
Session fixation = Can be prevented if the WAF
manages the sessions itself
File upload + Virus check (generally via external
systems)
SSL + SSL connection possible from WAF
to application.
Cross-site tracing + Restriction of the HTTP method
HTTP request smuggling + Is prevented via strict testing of the
conformity to standards of each
request.
14. ATTACKS PREVENTED BY WEB APPLICATION FIREWALL
SQL INJECTION
CROSS-SITE SCRIPTING (XSS)
DOS ATTACKS AND DDOS ATTACKS
SESSION HIJACKING ATTACKS
14
15. SQL INJECTION
A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from
the client to the application.
A successful SQL injection exploit can read sensitive data from the database, modify database
data (Insert/Update/Delete), execute administration operations on the database (such as
shutdown the DBMS).
SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause
repudiation issues such as voiding transactions or changing balances, allow the complete
disclosure of all data on the system
SQL Injection is very common with PHP and ASP applications due to the prevalence of older
functional interfaces
15
16. CROSS-SITE SCRIPTING (XSS)
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected
into otherwise benign and trusted web sites.
XSS attacks occur when an attacker uses a web application to send malicious code, generally in
the form of a browser side script, to a different end user.
Cross-Site Scripting (XSS) attacks occur when
Data enters a Web application through an untrusted source, most frequently a web request.
The data is included in dynamic content that is sent to a web user without being validated for
malicious content.
16
18. DOS ATTACKS AND DDOS ATTACKS
The Denial of Service (DoS) attack is focused on making a resource (site, application, server)
unavailable for the purpose it was designed.
Sometimes the attacker can inject and execute arbitrary code while performing a DoS attack in
order to access critical information or execute commands on the server.
Denial-of-service attacks significantly degrade the service quality experienced by legitimate users.
These attacks introduce large response delays, excessive losses, and service interruptions,
resulting in direct impact on availability.
18
19. HOW DOS ATTACKS PERPETRATED?
A DoS attack can be perpetrated in a number of ways:
Consumption of computational resources, such as bandwidth, memory, disk space, or
processor time.
Disruption of configuration information, such as routing information.
Disruption of state information, such as unsolicited resetting of TCP sessions.
Obstructing the communication media between the intended users and the victim so that they
can no longer communicate adequately.
19
20. SESSION HIJACKING ATTACKS
The Session Hijacking attack consists of the exploitation of the web session control mechanism,
which is normally managed for a session token. Because http communication uses many different
TCP connections, the web server needs a method to recognize every user’s connections.
The Session Hijacking attack compromises the session token by stealing or predicting a valid
session token to gain unauthorized access to the Web Server.
The session token could be compromised in different ways :
Predictable session token
Session Sniffing
Client-side attacks (XSS, malicious JavaScript Codes, Trojans, etc)
Man-in-the-middle attack
Man-in-the-browser attack
20
21. 21
THREE PROTECTION STRATEGIES
1. External patching
Also known as "just-in-time patching" or "virtual patching").
1. Negative security model
Looking for bad stuff.
Typically used for Web Intrusion Detection.
Easy to start with but difficult to get right.
1. Positive security model
Verifying input is correct.
Usually automated, but very difficult to get right with applications that change.
It's very good but you need to set your expectations accordingly.