Intelligent WAPPLES: New Approach to Web Application Security
2009. 7. 21
TRANSCRIPT
Characteristics of Application-layer Attacks
• Not all abnormal behaviors are attacks.
• Application attacks are usually unknown.
• A security policy cannot keep up with the complexity and frequent updates of an application.
• Attacks are highly sophisticated and intelligent, and can be widely varied (e.g. SQL Injection, Cross-Site Scripting, Cookie Poisoning).
• A new approach is needed for application security.
• Only intelligent security software can detect and block application-layer attacks.
WAPPLES is the most advanced Web Application Firewall in terms of intelligence
• Products are designed from an understanding of application-layer attacks and research into methods of judging them.
• Not a reuse of the attack detection and defense methods of firewalls and IPSs, but a new development.
• Intelligent COCEP (Contents Classification and Evaluation Processing) Engine: the WAPPLES engine performs logical analysis and tests to judge application-layer attacks.
Only Intelligent S/W Can Protect Web Applications!
Key: Positive Security Model to protect from Application-layer Attacks
Basic idea: protect from unknown attacks by allowing defined applications and blocking everything else.
The Positive Security Model is accomplished using White List Access Control.
Conventional Web Application Firewall (WAF): White & Black List Layered Architecture
• Most WAFs use a pattern matching engine to accomplish black list / white list access control.
• Black list access control uses signatures to detect and block existing, known attacks.
• White list access control uses the pattern matching engine to accomplish the positive security model by registering the trusted web application.
[Diagram: Conventional WAF Architecture. The Web Application Firewall Engine layers White List Access Control (positive security: protection from unknown threats and vulnerabilities) over Black List Access Control (negative security: protection from known threats and vulnerabilities, using signatures from the Pattern DB via the Pattern Matching Engine).]
White List & Black List Access Control
Characteristics of White List Access Control
Allow services whose information is in the White List; block the exceptions.
• Web services can be blocked when the White List does not hold a matching entry.
• The list should be updated frequently to reflect changes in the web application.
• It is important to create a White List that reflects the web application correctly and rapidly.
Characteristics of Black List Access Control
Block connection types whose information is included in the Black List.
• The main method of accomplishing Black List Access Control is to test the patterns registered in the Pattern DB using the Pattern Matching Engine.
• Black Lists for detecting attacks are made of forms called patterns; a pattern for detecting an attack is called a Signature.
• A pattern registered to detect an attack should detect that attack correctly.
• A pattern is a string, as in the example below.
• Errors (False Positives) occur when the system regards a data packet as an attack when it is not.
Example of a pattern (regular expression): "[^\d]531\d[-\.\s\\\/=]?\d{4}[-\.\s\\\/=]?\d{4}[-\.\s\\\/=]?\d{4}[^\d]{1}"
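As an added illustration (not part of the original slides and not Penta Security's product code), the signature quoted on the slide is wrapped here in a small Python black-list checker and run over a constructed sample set, so that both a true positive and the false positive the slide warns about can be seen. The second signature in the miniature Pattern DB and every sample payload are constructed for this example.

```python
import re

# The signature quoted on the slide: a 16-digit number beginning with 531, with an
# optional separator between each group of four digits and a non-digit on either side.
CARD_531_SIGNATURE = re.compile(
    r"[^\d]531\d[-\.\s\\\/=]?\d{4}[-\.\s\\\/=]?\d{4}[-\.\s\\\/=]?\d{4}[^\d]{1}"
)

# A Pattern DB in miniature: signature name -> compiled pattern. The second entry is a
# constructed, deliberately crude second signature, not one taken from the slides.
PATTERN_DB = {
    "card-number-531": CARD_531_SIGNATURE,
    "sql-union-select": re.compile(r"(?i)\bunion\s+select\b"),
}


def check_black_list(payload, pattern_db=PATTERN_DB):
    """Negative security: return the names of every signature that matches the payload.

    The slide's signature demands a non-digit before and after the number, so the payload
    is padded with one space on each side; otherwise a number that begins or ends the
    string could never match.
    """
    padded = f" {payload} "
    return [name for name, pattern in pattern_db.items() if pattern.search(padded)]


def evaluate(samples, pattern_db=PATTERN_DB):
    """Count true/false positives and negatives over (payload, should_block) samples."""
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for payload, should_block in samples:
        hit = bool(check_black_list(payload, pattern_db))
        if hit:
            counts["tp" if should_block else "fp"] += 1
        else:
            counts["fn" if should_block else "tn"] += 1
    return counts


# Constructed sample traffic, each paired with the verdict an administrator would want.
SAMPLES = [
    ("card=5312-3456-7890-1234", True),    # card-like number leaking: matched
    ("order 5311 2233 4455 6677", False),  # a 16-digit order number: FALSE POSITIVE
    ("name=Alice&city=Seoul", False),      # ordinary form data: no match
    ("q=1 union select 1", True),          # crude injection probe: matched
    ("card=4111111111111111", True),       # a number the 531 signature does not cover: missed
]

if __name__ == "__main__":
    for payload, _ in SAMPLES:
        print(f"{payload!r:40} -> {check_black_list(payload)}")
    print(evaluate(SAMPLES))  # {'tp': 2, 'fp': 1, 'tn': 1, 'fn': 1}
```

The two misjudged samples are the point of the slide: the 16-digit order number is a false positive because the signature encodes only the shape of the data, and the card number beginning with 4111 is missed because a signature can only catch what was written into it. Both are what the administrator of a 1st Generation WAF is expected to tune away by hand, and every signature added to PATTERN_DB costs one more regular-expression search per request.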
1st Generation WAF "Web Application Firewall"
WAF detection depends on the administrator's ability: the administrator registers the information for the White List to accomplish access control.
• Patterns for the white list increase the administrator's management burden, as the patterns must be managed with high skill and frequency to ensure accuracy.
• Frequently, white list access control cannot be used effectively because it is out of date.
To avoid false positives with a black list, administrators have to optimize the patterns before registering them.
• Administrators have to carry out the pattern optimization themselves; only an expert can do it.
• Alternatively, administrators can purchase specialized pattern information and use it, which increases operating costs: 1) signature optimization and consulting services for tuning; 2) connecting to the update server provided by the manufacturer.
• Generally, more than 3000 patterns place a load on system performance.
[Diagram: 1st Generation Web Application Firewall. The Admin registers application information into the Application List (White List Access Control, Learning, Matching Engine) and registers patterns into the Pattern DB (Black List Access Control, Pattern Matching Engine, Updating Signatures).]
2nd Generation WAF "Web Application Firewall"
Adopts a module for creating the White List: an automatic module designed to reduce the operational burden of White List updating.
• The administrator decides the White List, because the module uses the Auto-Mining concept, not Auto-Learning: if the White List were created fully automatically, it could disrupt running services.
• For a daily-updated web application the Auto-Mining data is incorrect, as there is a chance that changes in the application cannot be applied immediately. Auto-Learning needs at least 2 weeks or more to create a usable white list, and the administrator needs to modify the automatically mined White List.
• The Black List function is similar to that of 1st Generation WAFs.
• Cannot overcome the limitations of the 1st Generation WAF.
[Diagram: 2nd Generation Web Application Firewall. Application information is mined into the Application List (White List Access Control, Automation, Confirmation Learning, Matching Engine) and the Admin registers patterns into the Pattern DB (Black List Access Control, Pattern Matching Engine, Updating Signatures).]
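An added example, written for this transcript rather than taken from the slides or from the vendor, of the positive security model described earlier (White List Access Control) together with the Auto-Mining and administrator-confirmation steps of the 2nd Generation slide. It assumes a request-line format of "METHOD /path?query", invents a simple per-parameter profile (numeric-only flag and longest value seen) and a length tolerance factor, and uses constructed sample traffic throughout.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed sample of legitimate traffic seen during the mining period
# (assumed request-line format: "METHOD /path?query").
OBSERVED = [
    "GET /login?user=alice&lang=en",
    "POST /login?user=bob",
    "GET /search?q=shoes&page=2",
    "GET /search?q=hats&page=10",
]

LENGTH_SLACK = 2  # assumed tolerance: allow values up to twice the longest mined value


def _split(target):
    """Return (path, [(name, value), ...]) for a request target."""
    parts = urlsplit(target)
    return parts.path, parse_qsl(parts.query, keep_blank_values=True)


def mine_white_list(requests):
    """Auto-Mining: for every path record the methods used and, for every parameter,
    whether all observed values were digits and the longest value seen."""
    white = {}
    for line in requests:
        method, _, target = line.partition(" ")
        path, pairs = _split(target)
        entry = white.setdefault(path, {"methods": set(), "params": {}})
        entry["methods"].add(method)
        for name, value in pairs:
            prof = entry["params"].setdefault(name, {"digits_only": True, "max_len": 0})
            prof["digits_only"] = prof["digits_only"] and value.isdigit()
            prof["max_len"] = max(prof["max_len"], len(value))
    return white


def confirm(mined, approved_paths):
    """The administrator's confirmation step: only approved paths enter the live list."""
    return {path: entry for path, entry in mined.items() if path in approved_paths}


def build_live_list(requests, approved_paths):
    """Mine the observed traffic and apply the administrator's confirmation."""
    return confirm(mine_white_list(requests), approved_paths)


def check_white_list(white, request):
    """Positive security model: allow only a registered path, method, parameter names and
    value shapes; everything else is blocked. Returns (allowed, reason)."""
    method, _, target = request.partition(" ")
    path, pairs = _split(target)
    entry = white.get(path)
    if entry is None:
        return False, f"unregistered path {path}"
    if method not in entry["methods"]:
        return False, f"unregistered method {method} for {path}"
    for name, value in pairs:
        prof = entry["params"].get(name)
        if prof is None:
            return False, f"unregistered parameter {name}"
        if prof["digits_only"] and not value.isdigit():
            return False, f"non-numeric value for numeric parameter {name}"
        if len(value) > prof["max_len"] * LENGTH_SLACK:
            return False, f"value of {name} longer than mined profile allows"
    return True, "allowed"


if __name__ == "__main__":
    live = build_live_list(OBSERVED, {"/login", "/search"})
    for req in [
        "GET /search?q=boots&page=3",            # allowed
        "GET /search?q=x&debug=1",               # unknown parameter: blocked
        "GET /search?q=x&page=abc",              # wrong value shape: blocked
        "GET /search?q=winter+running+shoes",    # legitimate but longer than mined: blocked
        "GET /checkout?cart=7",                  # page added after an update: blocked
    ]:
        print(f"{req:40} -> {check_white_list(live, req)}")
    # After re-mining with the new page and confirming it, /checkout is served again.
    updated = build_live_list(OBSERVED + ["GET /checkout?cart=7"], {"/login", "/search", "/checkout"})
    print(check_white_list(updated, "GET /checkout?cart=12"))  # (True, 'allowed')
```

The last two requests show the two failure modes the slides name: a page added after an application update is blocked until the list is mined again and confirmed by the administrator, and a mining period too short to see realistic values produces a profile that blocks a legitimate long search, which is the false positive behind the slide's remark that auto-learning needs at least two weeks. Nothing in this model inspects what an attack looks like; it only knows what the application looks like, which is why unregistered input is refused without a signature for it.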
3rd Generation WAF "Intelligent WAPPLES"
The COCEP Engine, made up of Intelligent Rules, provides intelligence: 26 predefined rules that have already been optimized to detect and block web attacks. Our security engineers designed these rules by analyzing the characteristics of web attacks.
• Only web traffic that successfully passes all 26 rules is delivered to the web server.
• Provides consistent performance in both the test environment and the real operating environment, unlike existing WAFs, whose performance changes with the number of registered patterns.
• Logical Analysis Processing can detect all sorts of altered attacks, so the rules can identify and detect attacks even when the type or pattern of the attack has been changed or varied.
• The administrator only sets the security level for each rule, which greatly enhances the ease of operation.
[Diagram: WAPPLES. The Admin sets a long-term policy and adjusts the security level; the engine makes the decision.]
The Intelligent Engine is similar to the human brain!
No!!! - Coping with each attack
No!!! - Recognizing each attack's patterns
Yes!!! - Protects the vulnerabilities of the web application
Yes!!! - Blocks the core mechanism of the attack using the logical analysis engine
Yes!!! - Distinguishes not only the type of attack, but also the attacker's characteristics
WAPPLES Rules (1/2)
[Diagram comparing 1st/2nd Generation WAFs with WAPPLES, each in front of a web application program facing Attacks #1 to #8 and an attacker.]
1st/2nd Generation WAFs: cope with each attack; need to renew attack patterns; weak in recognizing new attacks; the white list needs to be regularly updated.
WAPPLES: protects the web application's weak points; blocks the core mechanism of the attack; can recognize and block new attacks; distinguishes attackers and blocks attacks.
WAPPLES Rules (2/2)
• Each rule has been optimized to detect and block one form of web attack.
• Each rule is composed as a union of logic with filters/tests to accurately detect web attacks.
• Each logic is formed as a fusion of white lists and black lists.
• To satisfy a user's configuration needs, additional patterns can be registered to each rule.
• The Security Level is controlled by adjusting each rule's parameters.
Intelligent WAPPLES Features
Higher Security
• Extremely low possibility of false positives: applies a very accurate attack detection process for the web application.
• Includes the ability to detect/recognize modified attacks.
Higher Performance
• No additional system load from inputting new patterns.
• No difference in performance between the test environment and the actual production environment.
Ease of Use and Less Maintenance
• Typically installed with zero or few changes to the server and network settings.
• Comparatively small management/support burden for the administrator.
• Low operation/support cost: no signature update service is needed, only periodic software updates.
Summary
Conventional WAFs: a WAF is a kind of container in which the administrator stores intelligence and later uses it. The administrator has to register the patterns and the White List that represent that intelligence.
Intelligent WAF, WAPPLES: the WAPPLES engine is intelligent by itself.