Advanced Protection for Web Services - OSSIR
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
RealSentryTM SSL overview
Advanced Protection
for Web Services
ü SSL Accelerator
ü Intrusion Detection System
ü Reverse Proxy
ü Application-Firewall
RealSentry & RealSentry SSL Overview – v1.1 – © Copyright 2002 - AXILIANCEWeb services deployment
The principal reasons which delay the deployment of web technologies
Technology with a poor level of security
43 %
Insufficient XML knowledge
37,8 %
Immaturity of standards
31,9 %
Not in adequation with company’s needs
31,1 %
No vendor leader clearly identified This survey was carried
30,4 % out in november 2001
Not enough tools with 135 french
24,4 % companies
Young and unstable technology (Source: 01 Informatique)
22,2 %
RealSentry & RealSentry SSL Overview – v1.1 – © Copyright 2002 - AXILIANCEHow to protect Web Servers today ?
WEB Servers
Vulnerability
Scanner
(ASP service)
NIDS
DMZ
NIDS
Internet FIREWALL
with IDS agent
Today, the best solution uses three components :
4 Firewall : To forward only HTTP(S) packets to Web servers
4 Network-based Intrusion Detection System (NIDS) : To prevent from malicious packets
4 Vulnerability scanner : To detect known vulnerabilities on systems
RealSentry & RealSentry SSL Overview – v1.1 – © Copyright 2002 - AXILIANCEVulnerabilities : A worrying progression
3000
2500
Vulnerabilities reported 2437
Source : CERT Coordination Center
+ 123%
2000
1500
1090
1000
+ 161%
500 417
262
+ 59 %
0
1998 1999 2000 2001
i Code Red : 2,6 billion US dollars of damage
Nimda : 590 million US dollars of damage
RealSentry & RealSentry SSL Overview – v1.1 – © Copyright 2002 - AXILIANCEWhy are Firewalls insufficient ?
n Security Policy based only on type of protocols (not on
content)
n Unable to analyse encrypted network traffic like HTTPS
n Unable to process a finer-grained analysis of the application
activities
n Usually protects only from external network
n Network device managed by a security administrator
(in opposition with a Web server managed by a webmaster)
RealSentry & RealSentry SSL Overview – v1.1 – © Copyright 2002 - AXILIANCEWhy are NIDS insufficient ?
n Protect only against known vulnerabilities (pattern matching)
n Cannot scan content if network traffic is encrypted
n Difficult to deploy on switched networks
n Cannot handle high-speed networks
n Critical setup : Bad configuration generates many false alarms
n Unable to process a finer-grained analysis of the application
activities
RealSentry & RealSentry SSL Overview – v1.1 – © Copyright 2002 - AXILIANCEA new approach against HTTP attacks
Real--time virus detection
Real Real--time HTTP traffic control
Real
Firewall
Firewall
Corporate Corporate
Internet Internet
X
Virus X
Attack RealSentry
Anti-virus
Web server
The Antivirus detects and blocks viruses RealSentry detects and protects against
known or unknown vulnerabilities
RealSentry & RealSentry SSL Overview – v1.1 – © Copyright 2002 - AXILIANCERealSentry concept
4
2 3
User
1
SSL Full HTTP InspectionTM
Engine Technology
7 6 5
Web Server
(1) HTTP request send by a user
(2) Hardware (RealSentry SSL) or software (RealSentry) decryption
(3) Check HTTP packet with Full Http Inspectiontm Technology
(4) If validated by security policy, safe HTTP packet is forwarded to Web Server
(5) Check HTTP packet with Full Http Inspectiontm Technology
(6) Hardware (RealSentry SSL) or software (RealSentry) encryption
(7) HTTP answer is sent back to the user
RealSentry & RealSentry SSL Overview – v1.1 – © Copyright 2002 - AXILIANCERealSentry provides the ultimate
protection
More than 200 new More than 20 new No vulnerability
vulnerabilities each vulnerabilities can reach your
month each month Web Server
FTP
DNS
HTTP
HTTP
HTTP
HTTPS
HTTPS
RealSentry SSL
Hacker SMTP
Firewall
ICMP Web Servers
…
Full connectivity Restricted connectivity High Secure connectivity
RealSentry & RealSentry SSL Overview – v1.1 – © Copyright 2002 - AXILIANCEFour technologies in a single box
Reverse Proxy NIDS
Like reverse Proxy : Like IDS Probe :
• RealSentry breaks direct connection • RealSentry is a network-based protection
between browser and Web server. and runs in stealth mode.
But unlike Reverse Proxy : But unlike IDS Probe :
• RealSentry includes filter capabilty to • RealSentry protects against unknown
exclude malicious HTTP packets. vulnerabilities.
• RealSentry keeps original IP address • RealSentry protection is effective even on
when operates in stealth mode. encrypted packets (HTTPS).
Application Firewall SSL Accelerator
Like Application Firewall : Like SSL Accelerator :
• RealSentry allows to implement a • RealSentry handles decryption and
security Policy to accept or deny packets. encryption tasks for SSL transactions.
But unlike Application Firewall : But unlike SSL Accelerator :
• RealSentry performs a detailed protocol • RealSentry incorporates built-in security
analysis to prevent against malicious mechanism to protect your web site from
HTTP requests. fraudulent activities.
RealSentry & RealSentry SSL Overview – v1.1 – © Copyright 2002 - AXILIANCERealSentry Technology
u Black List Detection (IDS technology)
n Concept
» Signature-based method
» Requires regular updates
» Protects only against known vulnerabilities
n RealSentry Implementation
» Automatic updates
» Multiple rules to prevent IDS evasion
» Very easy to setup : Protect your Web server in a few minutes
n RealSentry Benefits
» Detects more than 600 HTTP vulnerabilities
» Effective protection including on encrypted traffic (HTTPS)
» No need to monitor vulnerabilities or patch your Web server
» Plug and Protect solution
RealSentry & RealSentry SSL Overview – v1.1 – © Copyright 2002 - AXILIANCERealSentry Technology
u White List Filtering (Exclusive Axiliance technology)
n Concept
» All HTTP requests that are not expressly authorized are prohibited
» Non signature-based method
» Protection against known or unknown vulnerabilities
n RealSentry Implementation
» Security Policy define by URL groups, directories or single URL
» Security Policy includes syntax, URL length, Variables, cookies, …
» Setup assistants with learning, tracking and protecting modes
n RealSentry Benefits
» Identify and prevent both known and unknown vulnerabilities
» Effective protection including on encrypted traffic (HTTPS)
» Represents the most secure solution for Web services currently available in the world
RealSentry & RealSentry SSL Overview – v1.1 – © Copyright 2002 - AXILIANCENormal Life Cycle of a vulnerability …
Security Vendor Customer
Level reactivity reactivity
Time
Vulnerabilty Exploit Hotfix provided Hotfix
discovered publication by vendor applied
Minimum delay generally observed : 10 -15 days
RealSentry & RealSentry SSL Overview – v1.1 – © Copyright 2002 - AXILIANCERealSentry with only Black List Protection
Security Vendor Customer
Level reactivity reactivity
Time
Update
attack
signature
Vulnerabilty Exploit Hotfix provided Hotfix
discovered publication by vendor applied
Maximum delay generally observed : 24 hours
RealSentry & RealSentry SSL Overview – v1.1 – © Copyright 2002 - AXILIANCERealSentry with White List Protection
Security Vendor Customer
Level reactivity reactivity
Time
Insensitive
to new
vulnerabilities
Update
attack
signature
Vulnerabilty Exploit Hotfix provided Hotfix
discovered publication by vendor applied
RealSentry & RealSentry SSL Overview – v1.1 – © Copyright 2002 - AXILIANCEThe 4 solutions to prevent vulnerabilities
Manual
Vulnerability
Assessment (Vulnerability scanner used manually)
Automated
Vulnerability
Assessment (Vulnerability scanner used automatically)
RealSentry
(minimum secure
configuration) (RealSentry in non- stealth mode with only Black List Protection)
RealSentry
(full secure
configuration) (RealSentry in stealth mode with integral White List
Protection)
RealSentry & RealSentry SSL Overview – v1.1 – © Copyright 2002 - AXILIANCEBlack List Mode
RFC conformity check KO
(HTTP Header Fields)
Logs
SNMP
OK Reject + SMTP
HTTP IDS SMS
(Black List Protection) KO
OK
RealSentry & RealSentry SSL Overview – v1.1 – © Copyright 2002 - AXILIANCECounter measures with HTTP IDS
Buffer overflow
Cross Site Scripting
Requête HTTP
contenant un pattern Remote Command
réputé vulnérable
Black List
SQL injection
Path Transversal
Meta Caracters
Null Bytes
Toute requête …
(pour compatibilité Predefined Pattern
ancienne version)
RealSentry & RealSentry SSL Overview – v1.1 – © Copyright 2002 - AXILIANCEWhite List + Black List
Client
RFC conformity check KO
HTTP Headers Management
Alerts
OK OK
Logs
HTTP Firewall HTTP Firewall KO Reject SNMP
OK + SMTP
(Partial White List) (Full White List)
SMS
OK OK
HTTP IDS KO
(Black List Protection)
OK
Web Server
RealSentry & RealSentry SSL Overview – v1.1 – © Copyright 2002 - AXILIANCECounter measures with IDS et FW HTTP
Application vulnerabilities
White List
Requête dynamique Brute Force
avec politique de
sécurité …
Buffer overflow
Cross Site Scripting
Requête HTTP
contenant un pattern Remote Command
réputé vulnérable SQL injection
Black List
Path Transversal
Meta Caracters
Null Bytes
Toute requête
…
(pour compatibilité
Predefined Pattern
ancienne version)
RealSentry & RealSentry SSL Overview – v1.1 – © Copyright 2002 - AXILIANCERealSentry Security Level
High
RealSentry with a maximum security policy
RealSentry with a strong security policy Protection against
unknown attacks
Security Level White List Filtering or vulnerabilities
(URL syntax, variables and cookies
supervised by security policies)
RealSentry with a minimum security policy
Default Security Policy
(RFC conformity, URL Length, Authorized char, …)
Protection against
Black List Protection known attacks
(pattern matching)
Low or vulnerabilities
Easy Setup and management Difficult
RealSentry & RealSentry SSL Overview – v1.1 – © Copyright 2002 - AXILIANCEHigh Availability : Normal operation
NORMAL OPERATION
Out-of-band monitoring with RS-MONITOR & RS-FAILOVER
unsafe HTTP(S) safe HTTP
Master Slave
Electronic bypass Electronic bypass
Master : Active – Monitoring HTTP(S) Traffic
Slave : Passive - Monitoring Master activities
RealSentry & RealSentry SSL Overview – v1.1 – © Copyright 2002 - AXILIANCEHigh Availability : Fault operation
DEFAULT OPERATION
unsafe HTTP – unsafe HTTPS Slave safe HTTP
X
Master
Electronic bypass Electronic bypass
Master : Fail – Ethernet IN/OUT in Bypass mode
Slave : Active – Monitoring HTTP(S) Traffic
RealSentry & RealSentry SSL Overview – v1.1 – © Copyright 2002 - AXILIANCERealSentry SSL v1.0 Features
APPLIANCE Integrated solution (hard and soft)
SSL ACCELERATION Boosted and secure encrypted traffic
INTRUSION DETECTION Exclusive technology from Axiliance
STEALTH MODE « Plug and Protect » solution
FAULT TOLERANCE High availability - 24/7
RealSentry & RealSentry SSL Overview – v1.1 – © Copyright 2002 - AXILIANCECompetitive Comparisons
Company Product
Kavado Interdo No No Yes Yes
Sanctum Inc AppShield No Yes compliant Option
with 3rd party
Deny-All Rweb No No compliant No
with 3rd party
Ubizen dmz/shield No No compliant Option
with 3rd party
Stratum 8 APS No No No Yes
Axiliance RealSentry Yes Yes No Yes
Axiliance RealSentry SSL Yes Yes Yes Yes
RealSentry & RealSentry SSL Overview – v1.1 – © Copyright 2002 - AXILIANCERealSentry : Setup and management
Full out-of-band management by
serial or ethernet interface
Administration Web
HTTP Packets Database
SSH Ethernet
Inspection modules
Restricted Shell
Configuration
Security policies
APACHE Ethernet HTTPS
Reverse Proxy Logs
Stealth Modules
TELNET Serial
LINUX Kernel
RealSentry & RealSentry SSL Overview – v1.1 – © Copyright 2002 - AXILIANCERealSentry : Setup and management
ADMIN or Webmaster DMZ
HTTPS
Firewall
Internet
WEB Servers
u Network Installation Serial console
n First setup by serial console
n Access restricted to a special account (ADMIN)
u Management of services and security policies
n Network Interface card dedicated to management operations
n Intuitive and secure Web-based administration (HTTPS)
n Command line based administration via restricted and secure shell
n Service creation is only allowed to an administrator account (ADMIN)
n Each service is associated to one or several Webmaster
n Services Management is only allowed to the Webmaster
RealSentry & RealSentry SSL Overview – v1.1 – © Copyright 2002 - AXILIANCEBlack List Mode
Initial Setup RS232 Console
Create Services HTTPS via dedicated interface
Connect to network Web servers protected
RealSentry & RealSentry SSL Overview – v1.1 – © Copyright 2002 - AXILIANCEWhite List Mode
Initial Setup RS232 Console
Create Services HTTPS via dedicated interface
Bypass Mode Open network trafic
Learning Mode Generate White List
Tracking Mode Check White List
Protected Mode Web servers are protected
RealSentry & RealSentry SSL Overview – v1.1 – © Copyright 2002 - AXILIANCECase Studies
u Case Study 1 : RealSentry SSL protects Intranet Web Servers
u Case Study 2 : RealSentry dedicated for hosting in ISP architecture
u Case Study 3 : RealSentry mutualized for hosting in ISP architecture
u Case Study 4 : DMZ Protection with non transparent mode
u Case Study 5 : DMZ Protection with stealth mode
u Case Study 6 : Multiple DMZ Protection with non transparent mode
u Case Study 7 : Multiple DMZ Protection with stealth mode
RealSentry & RealSentry SSL Overview – v1.1 – © Copyright 2002 - AXILIANCECS1 : Intranet Web Servers Protection
Before After
Critical web-based
4Stealth mode intranet applications
Critical web-based 4Firewall mode
intranet applications 4Full White List
4SSL acceleration
RealSentry
Private Network
Private Network
u Customer benefits :
n Forward only HTTP(S) packets to Web Server (Firewall mode)
n Protect Web server against known or unknown HTTP Attacks
n Non restrictive SSL usage without need to upgrade server hardware
n Installation without any network modification
n Native simple fault tolerance by electronic bypass
RealSentry & RealSentry SSL Overview – v1.1 – © Copyright 2002 - AXILIANCECS2 : RealSentry dedicated for ISP
Secure Web Server
Web Servers
RealSentry
Internet
DMZ
RealSentry & RealSentry SSL Overview – v1.1 – © Copyright 2002 - AXILIANCECS3 : RealSentry mutualized for ISP
Secure Web Servers
Web Servers
RealSentry
Internet
DMZ
RealSentry & RealSentry SSL Overview – v1.1 – © Copyright 2002 - AXILIANCECS4 : Non Transparent Mode
Secure Web Servers
RealSentry
Internet
DMZ
RealSentry & RealSentry SSL Overview – v1.1 – © Copyright 2002 - AXILIANCECS5 : Stealth Mode
Secure Web Servers
DMZ
RealSentry
Internet
RealSentry & RealSentry SSL Overview – v1.1 – © Copyright 2002 - AXILIANCECS6 : Multiple DMZs – Non Transparent
Secure Web Servers
DMZ 1
RealSentry
Internet
Secure Web Servers
DMZ 2
RealSentry & RealSentry SSL Overview – v1.1 – © Copyright 2002 - AXILIANCECS7 : Multiple DMZs – Stealth Mode
Secure Web Servers
DMZ 1
Internet
RealSentry
Secure Web Servers
DMZ 2
RealSentry & RealSentry SSL Overview – v1.1 – © Copyright 2002 - AXILIANCEThank you for your attention
Boris MOTYLEWSKI
e-mail : bm@axiliance.com
AXILIANCE S.A.
Société Anonyme au capital de 120 000 Euros
Siège social : Montpellier - FRANCE
TEL : +33 (0)4 67 79 79 31
FAX : +33 (0)4 67 79 79 32
WEB : http://www.axiliance.com
MAIL : info@axiliance.com
RealSentry & RealSentry SSL Overview – v1.1 – © Copyright 2002 - AXILIANCEYou can also read
