Application firewalls in a defence-in-depth design

Paul Byrne, Senior Security Consultant, NGS Software

Network Security, September 2006

It is well known and accepted by most security professionals that defence-in-depth is an important security principle: the age-old saying of “don’t put all your eggs in one basket” applies just as much here as elsewhere. The wise assume that any part of an IT system can fail at any time and consequently look for ways to configure or introduce new components to limit the effects of such failures.
Recently, there has been a renewed interest in Cross Site Scripting (XSS) attacks, as evidenced by the first paper on an XSS virus [1] and two of the recent presentations at the BlackHat security conference, “Six Degrees of XSSploitation” [2] and “Hacking Intranet Websites from the Outside: ‘JavaScript malware just got a lot more dangerous’” [3]. Consequently, the importance of an in-depth review of web applications and databases becomes ever more apparent. An online presence is essential to most companies, and databases are key to the operation of many online services; the defence of these assets therefore becomes critical in any defence-in-depth security design.

Issues can arise when companies find that they have inherited legacy software that is essential to business operations and that must now be made accessible online in this new global environment. Such software may have been developed long ago and is often not easy to rewrite retrospectively to include modern security principles. In these cases alternative solutions are needed to adequately enforce the layered security required by the defence-in-depth paradigm of today’s environment.

In recent years, new types of security devices have appeared to fill this gap, one of these being application firewalls. These products are designed to add an additional layer of sanitization to provide vital protection to those otherwise vulnerable applications.

Defence-in-depth in theory

The idea behind defence-in-depth is to allow risk to be managed with a variety of strategies and to minimize reliance on any one particular device or strategy; where one layer of defence turns out to be insufficient, another layer will prevent a full breach. Most perimeter firewalls are only effective against attacks that are targeted at services which are not traditionally offered outside of the network.


Where access to some applications on an internal network must be restricted to specific parts of an organization, or where some services are not intended to be reachable from outside the organization, a traditional firewall is insufficient. The problem shows itself when users are to be allowed to connect to a service, but only with specific requests, or with certain functionality disallowed or disabled. Perimeter firewalls lack the granularity to specify which types of request are valid for a particular application running on a service and which are not.

Howard and LeBlanc [4] wrote: “Defense-in-depth is a straightforward principle: imagine your application is the last component standing and every defensive mechanism protecting you has been destroyed. Now you must protect yourself. For example, if you expect a firewall to protect you, build the system as though the firewall has been compromised.”

This is where layering security defences ensures a more in-depth approach to security, which in turn reduces the chance of a successful attack. Through redundant security measures, you force a malicious user to circumvent every mechanism before being able to compromise the assets being protected.

The NSA produced a detailed paper on defence-in-depth and how it enables organizations to provide Information Assurance of their digital assets [http://www.nsa.gov/snac/support/defenseindepth.pdf].

Types of application firewalls

We are going to examine some of the devices that can be used in the defence-in-depth strategy and what their particular role is. An application firewall’s role is to improve application security by integrating knowledge about an application’s specific security needs into elements of the IT security infrastructure. It does this by providing content filtering – of both input and output – between the various application components, for example the user and presentation servers, or an application server and its backend database. The majority of such firewalls are designed to work with web based applications.

There are many variations of these, marketed under a variety of names such as: Adaptive Firewall, Adaptive Proxy, Application Firewall, Web Application Firewall, Database Firewall, Patch Proxy, and Web Shield [5].

In this article we will look at three of these and what their roles are within a security architecture.

Web Application Firewalls

Firstly, we will discuss Web Application Firewalls (WAF), as they are the most popular application firewall product currently on the market. These are capable of preventing attacks that network firewalls and intrusion detection systems cannot, and in most cases they do not require modification of application source code. A WAF attempts to protect against a number of different web application attacks by filtering the data passing from users to the web server. It is positioned between the user-side client and the application server, thereby intercepting all data passed between the application server and the user. This traffic is examined against various rules in an attempt to determine which data is valid and which is considered invalid.

A WAF has full support for HTTP and access to the individual fields within HTTP headers; it monitors the entire transaction between a user and the server, including any files being uploaded. It has a number of anti-evasion features, such as normalisation or transformation of requests, to detect stealth attacks. A WAF will also provide additional protection to cookies through signing, together with session management to prevent session hijacking attacks. The WAF not only detects and logs attacks but also provides blocking at various granularities, such as by IP address, session or user.

Data entered by a user can be analysed by the WAF and checked against a list of potentially dangerous characters, such as SQL syntax that would allow an SQL injection attack. When attacks are detected, the application firewall can take whatever remedial or evasive action its owner deems appropriate, ranging from simply disconnecting the current application session to a more sophisticated response such as redirecting the session to a “honeypot” system created to gather details of the attack techniques used. Protection of the applications and data is also increased because the application firewall runs on a separate machine from the web application.

In the example above the WAF attempts to stop the SQL injection attack before it reaches the web application; this is normally achieved by looking for the escape character ' which is known to close a quoted parameter and so allows an attacker to insert SQL queries. A problem occurs when the SQL attack does not use a simple quoted injection into the back-end database but instead relies on logic flaws or numeric attacks (see “Strings without Quotes” [6]); in this case the WAF may not detect the attack.

Database Firewall

Another device which can complement a WAF, and also provide a much greater degree of granularity, is a Database Firewall (DF). These are another form of application firewall; however, they reside in a different part of the network, between the application server and the database server. This allows the DF to be trained to understand the normal SQL queries that an application uses. In some cases this can be learnt by the device from normal traffic and can be highly specific, allowing only the queries that the web application developers intended.

Another advantage of a DF is the ability to put it between client applications and databases. This can be a huge advantage for large organizations that have internal legacy applications that cannot easily be rewritten to include proper filtering. This is especially the case when an organization wishes to allow external access to these resources through technologies such as Citrix. The ability to add a highly specialized DF in front of the backend database is very beneficial.

Patching Proxy

The third type of application firewall is the Patching Proxy (PP). The PP works in a similar way to the DF in that it is much more specific in its focus, but rather than providing a white-list of allowable content it creates virtual patches for known issues. The interesting part here is that many organizations are reluctant to stay on the leading edge of patching, because most patches are released in response to an exploit and have not necessarily had extensive testing against all variations of server state, and as such have the potential to disrupt server operations.

This usually means that there is a delay between a patch being released and an organization deploying it on their live network, as they will first test the implications of the patch on a test network. This leaves their critical infrastructure exposed to the vulnerability until testing is completed. The patching proxy attempts to fill this gap by introducing the security measures of the various operating system and major software patches.

Andreas M. Antonopoulos says in his paper “Securing Critical Applications and Databases: A Layered Approach” [7]: “…A patchproxy device changes the network traffic, applying a transformation to the packets that is functionally equivalent to a patch. For example, if a vulnerability is found in a piece of code that does not properly limit the length of a string or memory access call (aka a ‘buffer overrun’), the patch proxy can truncate the equivalent string in all packets…. The patching proxy thereby patches the packets in the network so IT doesn’t have to patch the servers.”

Detection methods

Industry is moving away from static analysis methods, which are unable to keep up with constantly evolving attacks, towards a more dynamic approach. Traditionally, in IDS applications and firewalls, a blacklist of known attacks is created and the IDS or IPS logs or blocks those attacks. The difficulty with this approach is that the IDS is constantly behind the attackers, as a new attack must be identified before it can be blocked.

Another approach is to create a white-list of acceptable requests. This also has drawbacks: if a request changes or a new request is added, the IDS/IPS needs to have its list updated.

Recently, application firewall products have been introducing a more dynamic approach to these problems, bringing in techniques from the world of machine learning [8]. By analysing the normal behaviour of the system being protected, these devices can create a dynamic white-list that better matches what the application does while still allowing changes to the system. Rather than holding a hard list of specific requests, these systems hold criteria for what normal traffic looks like and can detect requests that break them, thus detecting modified requests.
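As an added illustration (not code from the article or from any product it mentions), the following Python sketch contrasts the two detection models discussed above: the quote-seeking blacklist rule from the Web Application Firewalls section, which misses quote-less numeric input, and a per-parameter profile learnt from normal traffic in the manner described in this section, which also shows the “new request added” drawback of a white-list. The parameter names, sample requests and profile thresholds are constructed for the demo.

```python
import re
from urllib.parse import parse_qsl

# Negative (blacklist) rule in the style of the quote-seeking WAF signature the
# article describes: flag the escape character that closes a quoted SQL literal.
QUOTE_RULE = re.compile(r"['\"]")

def blacklist_flags(query):
    """Names of query-string parameters whose value matches the quote rule."""
    return sorted(k for k, v in parse_qsl(query, keep_blank_values=True)
                  if QUOTE_RULE.search(v))

class ParamProfile:
    """What 'normal' looks like for one parameter, learnt from clean traffic."""
    def __init__(self):
        self.numeric = True   # stays True only while every sample is all digits
        self.max_len = 0
        self.chars = set()

    def learn(self, value):
        self.numeric = self.numeric and value.isdigit()
        self.max_len = max(self.max_len, len(value))
        self.chars.update(value)

    def violations(self, value):
        """Reasons this value breaks the learnt profile (empty if it fits)."""
        reasons = []
        if self.numeric and not value.isdigit():
            reasons.append("not numeric")
        if len(value) > 2 * self.max_len:   # constructed tolerance for growth
            reasons.append("too long")
        if not set(value) <= self.chars:
            reasons.append("unexpected characters")
        return reasons

def learn_profiles(training_queries):
    """Learning mode: build one profile per parameter seen in normal traffic."""
    profiles = {}
    for q in training_queries:
        for k, v in parse_qsl(q, keep_blank_values=True):
            profiles.setdefault(k, ParamProfile()).learn(v)
    return profiles

def whitelist_flags(profiles, query):
    """Positive model: {param: reasons} for anything outside the learnt norm."""
    flags = {}
    for k, v in parse_qsl(query, keep_blank_values=True):
        if k not in profiles:
            flags[k] = ["unknown parameter"]   # the 'new request added' drawback
        else:
            reasons = profiles[k].violations(v)
            if reasons:
                flags[k] = reasons
    return flags

# Constructed sample traffic (not from the article): a numeric id and a sort key.
NORMAL_TRAFFIC = ["id=1042&sort=name", "id=7&sort=date", "id=31337&sort=name"]
PROFILES = learn_profiles(NORMAL_TRAFFIC)

if __name__ == "__main__":
    for q in ["id=42&sort=name", "id=42'&sort=name",              # benign / quoted probe
              "id=42 OR 1=1&sort=name", "id=42&sort=name&debug=1"]:  # quote-less / new param
        print(f"{q!r:30} blacklist={blacklist_flags(q)} "
              f"whitelist={whitelist_flags(PROFILES, q)}")
```

The quoted probe is caught by both models, the quote-less one only by the learnt profile, and the unseen `debug` parameter is flagged until the profile is retrained, which is exactly the maintenance cost the text attributes to white-lists.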

Conclusion

The defence-in-depth strategy is becoming increasingly important with the growing desire to permeate the perimeter and allow access to internal applications. The ever-present emphasis on providing a web presence capable of supplying customers with as much information and resource as possible means that businesses are exposing more of their networks and digital assets to the world at large. This increased access demands additional mechanisms to provide a level of protection appropriate both to protecting an organization’s assets and to providing the level of service demanded by the business.

Application firewalls allow companies to retrospectively add layers of protection to their current network security strategy without requiring a significant redesign of the network topology. They are quickly becoming an essential component of an overall security implementation, and every organization should be reviewing their applicability to its own environment.

References

[1] Wade Alcorn, NGSSoftware Ltd, http://www.bindshell.net/papers/xssv

[2] Dan Moniz and H D Moore, “Six Degrees of XSSploitation”, August 2006, http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#Moniz

[3] Jeremiah Grossman and T.C. Niedzialkowski, “Hacking Intranet Websites from the Outside: ‘JavaScript malware just got a lot more dangerous’”, August 2006, http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#Grossman

[4] Howard, Michael & LeBlanc, David. Writing Secure Code. 2nd ed. Redmond, WA: Microsoft Press, 2002, pages 59–60.

[5] Ivan Ristic, Thinking Stone, “Web Application Firewalls – When they are useful”, http://www.thinkingstone.com/talks/Web_Application_Firewalls__When_Are_They_Useful.pdf

[6] Chris Anley, NGSSoftware Ltd, “Advanced SQL Injection In SQL Server Applications”, January 2002, http://www.ngssoftware.com/papers/advanced_sql_injection.pdf

[7] Andreas M. Antonopoulos, SVP and Founding Partner, Nemertes Research Inc., “Securing Critical Applications and Databases: A Layered Approach”, 2006, http://www.bluelane.com/lib/pdfs/Nemertes_SecureCriticalApps.pdf

[8] Dr Steve Moyle, “An Intelligent Approach to Application Security”, March 2006, http://www.secerno.com/download_files/secerno_whitepaper.pdf

About the author

Paul Byrne is a Senior Security Consultant for NGS Software. He has experience in computer security research, working for the Australian Defence Science Technology Organization for four years and two years in the commercial UK security industry as a Senior Security Consultant.

Securing IP telephony systems – best practices

Peter Titmus, Managing Director, Networks First

By definition VoIP traffic is vulnerable to the same threats as data traversing the IP network. The most common threats are from DoS attacks, malware and deliberate intrusion. We continue our VoIP series exploring how best to tackle them.

When defining threats, it is imperative that there is a holistic approach to IT security, so that the voice system is included in the overall security risk analysis and best practices are applied as deemed appropriate. These are aligned to data system security measures as a minimum. In practical terms this would typically include the implementation of the following security measures:

• Use deep packet inspection techniques – IDS/IPS or firewall systems at WAN/Internet ingress points to prevent multi-layered attacks breaching the core network.

• Implement robust wireless security mechanisms such as strong authentication, strong encryption and rogue access point detection.

• Deploy endpoint security on servers and hosts to enforce network attached devices to conform to defined enterprise and desktop security policy.

However, organizations should also be aware of the potential need to harden specific IP telephony components to protect the integrity and availability of voice services in particular.

Securing network infrastructure

There are several recommended techniques for securing the network infrastructure:

Employ separate voice and data VLANs – mandatory

Keeping the voice and data traffic separate through the use of 802.1Q VLANs has several advantages. The inherent isolation provided by VLANs ensures that inter-VLAN traffic is under management control and that network attached PCs cannot initiate a direct attack on voice components.

This does not mean that there should be no interaction between Voice and Data VLANs – for example Unified