FortiWeb 4.0 Jacob Chen April 2005

複雜的網頁應用軟體安全 什麼是網頁應用軟體? Web server data center 網頁應用軟體是公開，且能夠在網際網路上使用的應用軟體 經由標準的瀏覽器來存取，提供電子郵件、線上消費商店、拍賣網站、佈落格及其他所有功能。 主要應用在提供電子商務及商業應用工作的組織單位使用 網頁應用軟體通常以最有效率的方法提供資訊以供訪問者瀏覽。 可能會留下應用軟體的漏洞 潛在的資訊洩漏危機 攻擊者能夠以一些變形的資訊來企圖偷取信用卡資料及其他個人資料 Web server data center Data Center Perimeter Front End Web Servers Web applications are exposed and open for access to anyone on the internet. This exposure increases the risks of attack and exploitation by hackers. Database Servers 2

為什麼需要 Web Application Firewalls? 隨時隨地都需要使用網頁應用軟體 可是… 49% 的網路應用軟體包含高風險的漏洞，而大部份皆為自動的程式碼產生的* 80%-96% 的軟體可以手動的被入侵 99% 的網頁應用軟體是未經過 PCI 組織的測試承認 大部份的網頁應用軟體的弱點是無法被防火牆發現的 Cross-site scripting SQL injection Information Leakage HTTP Response Splitting 面臨攻擊的商業行為: 收益的損失– 300$ per stolen record 沒有通過法規驗證的罰金 公司形象及品牌受損 The implications of attacks include lost revenue, brand erosion, and fines and penalties. With web application attacks appearing on the news practically on a weekly basis security measures need to be taken. *Source – Web Application Security Consortium (WASC)

Payment Card Industry Security Standards Council Imperva PCI Compliance Presentation Script 9/22/2018 Payment Card Industry Security Standards Council Formed December 2004 by top 5 credit card companies Aligned each company’s individual policies and released the PCI DSS A standard that ensures merchants meet minimum levels of security when they store, process and transmit cardholder data Merchants that process credit cards must comply with the new PCI standard In October 2008 version 1.2 was introduced Prevention of common coding vulnerabilities such as those defined by OWASP Code reviews or - Verify that a web-application firewall is in place in front of public-facing web applications to detect and prevent web- based attacks Compliance enhances reputation and lowers risk Non-compliance can result in fines and sanctions Fortinet is a part of the PCI Security Standard Council (oct 6th, 2009) The PCI SSC was formed in 2004 by the top 5 credit card companies in order to create a standard across the board. PCI DSS aligned each of the companies own policies and in 2008 version 1.2 introduced new mandates requiring merchants to prevent vulnerabilities such as those defined by OWASP and run periodic code reviews or deploy a WAF. Imperva Confidential

What is ‘Application Security’ ? 應用軟體的生命週期專注於: (長期控制) 設計-Design 研發-Development 配置-Deployment 升級-Upgrade 維護-Maintenance 應用軟體控制專注於: (補償控制) 減低攻擊威脅 (技術及功能面) 網頁應用軟體安全策略的實行 Analysis from a life cycle perspective. ie quality by design, introducing the minimum vulnerabilities through development and deployment Unfortunately, most of the above hasn’t and isn’t really done too effectively …. We need to live with what we’ve got !! We are under time pressures to get our application environment under control today without having to rework the entire applications estate. So we take a controls oriented approach. – To do this, we must look at threats. Fortinet Confidential 5

只有 Web Application Firewalls 能夠完整辨視、偵測及阻斷攻擊! 現有的資安解決方案已不夠完備 傳統的防火牆能夠偵測網路型攻擊 監控 IP 及 Port; 有限的應用軟體辨視功能 IPS 產品儘能夠監控已知的攻擊特徵 特徵值能夠輕易的被重新編碼或阻斷，無法偵測SSL加密流量，無應用軟體辨別功能 無法辨別使用者，高誤判率 只有 Web Application Firewalls 能夠完整辨視、偵測及阻斷攻擊! Application Layer Web Application Firewall FortiWeb Protocols (OSI Layer 4 – 7) When looking into the current security approach we understand that what we have today is not enough. IPS and firewalls simply lack the understanding of how web applications work. They rely on signatures and have no user awareness. Only web application firewalls can truly protect your applications! IPS and Deep Packet Inspection Firewalls Network Layer Network Firewall Network Access (OSI Layer 1 – 3)

Web Application Firewall Hardware overview

FortiWeb 網頁應用防火牆 Web Application Firewall – 保護網頁應用軟體並幫助客戶達成符合法規要求 保護網頁應用程式不受攻擊 維持網頁服務安全 維持應用軟體的可用性 Web Application 平台 Web Application Firewall – 保護網頁應用軟體並幫助客戶達成符合法規要求 XML Firewall – 預防及保護XML應用 Application Acceleration – 使用 Fortinet ASIC 科技加速應用程式運作功能 FortiWeb requires no changes to applications and can be deployed in several ways that do not require any network changes. It provides security for web applications, web services and additional acceleration and load balancing capabilities

FortiWeb-1000B Hardware Information Front Back FortiModule Ports 3 and 4 Onboard Ports 1 and 2 Hardware 4 x 10/100/1000 ports 2 USB ports 1 x 1TB SATA hard drive – For log archiving (2 x 1TB Optional) 1 RU height rack mount unit FortiModule (Ports 3 and 4) – integrated CP6 ASIC Throughput 500 Mbps HTTP 22,000 New sessions/second ICSA Labs Certificate Web Application Firewall

FortiModule – CP6 RJ45 Hardware PCIe accelerator card (Ethernet ports 3 and 4) CP6 for accelerated SSL processing Onboard Flash storage also used to embed the system serial number and digital certificates

FortiWeb-400B Hardware Information 4 x 10/100/1000 ports 1 USB ports 500GB SATA hard drive 1 RU height rack mount unit Integrated CP6 ASIC Latency – Sub Milisecond Throughput 100 Mbps HTTP 10,000 New sessions/second ICSA Labs Certificate Web Application Firewall

HTTP Transactions / sec FortiWeb Product Line Model Form Factor HTTP Transactions / sec Throughput Storage Capacity FortiWeb-400B 1U Rack mountable 10,000 100Mb/sec 0.5 TB Standard FortiWeb-1000B 22,000 500Mb/sec 1 TB Standard New 12

FortiGuard™ 資安訂閱服務 確保客戶能夠得到完整 Fortinet 產品資安更新訂閱服務 FDS CANADA FDS UNITED STATES FDS UNITED KINGDOM FDS FRANCE FDS JAPAN FDS CHINA FDS MALAYSIA New FortiWeb FortiGuard updates! 24 x 7 Global Threat Research Team Intrusion Prevention System (IPS) FortiWeb Security Update Service AntiSpam (AS) Antivirus (AV) (Includes Anti-Spyware) Web Filtering (WF) Worldwide Presence 100% Fortinet Technology Automatic Updates

What Customers Want Deployment and Management Compliance Accurate Protection and Monitoring Compliance When we talk to customers about what are the top requirements in general when deploying a web application firewall they consistently mention the following: Deployment and Management – ease of deployment and management of the product The product must be accurate with minimal false positives It must help me get PCI compliant

FortiWeb 可彈性化的配置模式選擇 透通模式 - Transparent Inline bridge 容易配置- 不需要更改原有整體網路架構，不需要更改 IP配置，完全透明的配置。 支援完整的防禦功能 可選購Bypass單元。 反向代理伺服器模式 - Reverse Proxy 支援完整的內文置換功能，同時可置換來源要求及伺服器回應封包。 進階的URL重新撰寫功能 HTTPS 加速及卸載功能。 進階負載平衡功能 離線、旁聽模式-Non Inline Deployment – SPAN port 零網路延遲 使用 TCP Reset 來阻斷攻擊以及異常流量 適合使用在產品測試及無法被更改的網路配置。 FortiWeb Web Application Servers FortiWeb FortiWeb provides multiple deployment modes, to fit into every environment 15

High Availability Active / Passive 完整設定故障復原功能。 HA Interface Configuration synchronization and availability heartbeat FortiWeb FortiWeb HA Server Farm

What Customers Want Deployment and Management Compliance Accurate Protection and Monitoring Compliance

早期的網站設計防護功能 管理者必須手動的定義: 每一筆 URL,目錄, 參數, 欄位長度和類別 使用正規表示式來判斷動態 物件內文，JavaScript, XML, etc 經常需要更新白名單 誤判率高 – 只要不是在白名單上 的流量就會被阻斷 Before installing FortiWeb customers that require application security to the level FortiWeb provides would need to manually define every element within their environment and constantly maintain this list. This would be very time consuming.

準確的保護必須要… 非常了解被保護的應用軟體。 了解駭客行為 整個應用軟體的架構 (URLs, parameters, methods) 可疑的存取以及正常的存取 了解駭客行為 普通的攻擊方法, 工具, 和應用軟體的弱點 了解在網頁應用軟體元件的組成, 人因錯誤、真實世界的攻擊。 Providing real application security requires understanding the application structure but also understand how hackers work.

FortiWeb Auto Learn 自動學習功能 了解網頁應用軟體的整體架構 從真實的網路流量來學習物件模型 建築基本的URL目錄，參數，及HTTP methods 全自動了解真實要求及行為 可形成參數、欄位以及客戶可改變的欄位 欄位長度及欄位可能的類別 可以接受的字元 (min, max, average)? 是否為必填欄位? 產生建議設定及圖表。 FortiWeb automates manual rule creation by monitoring real user access to the application. By monitoring access over and over to the application based on acceptable behavior FortiWeb can provide recommendation on how to set up rules.

FortiWeb Auto Learn 自動學習到保護應用軟體的架構 分析: 自動產生規則 可匯出為 PDF 格式 URLs Parameters Expected behavior 分析: 訪問 攻擊 自動產生規則 可匯出為 PDF 格式

FortiWeb 提供更多層次的保護 Validates Users Detects Information Disclosure, CC, PII Deviations from Normal User Behavior Detects Known Application Attacks (FortiGuard Updated) Validates HTTP RFC compliance Authentication Policy Data Leak Prevention Auto Learn and Validation Rules Application Attack Signatures FortiWeb provides multiple layers of protection starting from protocol validation (HTTP RFS compliance) through application signatures, validation rules DLP and authentication policy. Protocol Validation

使用者可自訂規則 產生自訂策略 基本規則 (Input validation rules) 自訂機器人 HTTP Protocol 限制 Regular expression statements 產生自訂策略 基本規則 (Input validation rules) 自訂機器人 HTTP Protocol 限制 來源 IP (Black list, White list) And much more… FortiWeb extends protection by providing an easy way to create Validation rules that take protection to the URL and parameter level. Administrators can use the Auto-Learn feature to automate rule creation. 23

資料外洩防護 - Data Leak Prevention FortiWeb 監看所有流出的流量以保護使用者個資: 個人資料外洩 信用卡資料偷竊及誤用 Extensive Data Leak Prevention makes sure application are protected from credit card theft/misuse and different information disclosure and leakage.

依設定時間間隔監看應用軟體檔案的更改時間。 網站防竄改控制 - Web Site Anti-Defacement 依設定時間間隔監看應用軟體檔案的更改時間。 FortiWeb一旦偵測到更改成，可進行動作： 警告 自動回復 FortiWeb Anti Defacement feature allows customers to protect themselves from defacement attacks. FortiWeb can alert on applcation changes and also automatically restore applications to their previous state

網站弱點掃描- Web Application Scanner 容易上手使用。 知己知彼，了解自己的網站弱點進行防護 常見弱點掃描 SQL Injection, XSS, 異常外部連結掃描 Reports Complements WAF for PCI DSS 6.6 As part of PCI 1.2 section 6.6 – deploy a web application firewall an alternative is to address new vulnerabilities by running ongoing vulnerability assessments (annually, after changes, correct vulnerabilities and rescan). FortiWeb helps organization by providing both – a web application firewall and a web application scanner.

負載平衡及加速功能 XML 網站服務負載平衡Web Services balancing 網頁應用軟體負載平衡 應用軟體加速 WSDL or Content routing statements 網頁應用軟體負載平衡 持續連線逾期機制 設定權值輪詢Weighted Round Robin (3.1) 實體伺服器監控 ，支援 HTTPS, HTTP, TCP, Ping 應用軟體加速 結合 ASIC 晶片加速功能 SSL 卸載 TCP 多工 Multiplexing FortiWeb FortiWeb provides additional features such as load balancing and acceleration. 27

及時系統資訊監控 FortiWeb 提供及時資訊監控台 流量監看 攻擊歷史記錄 最新的警告 設備及時狀態 Administrators can monitor HTTP activity to their applications and view real time events using the dashboard.

事件記錄 / 攻擊 / 警示告警 攻擊告警功能 流量監看 事件告警 完整HTTP 要求內容資料 任何存取資料 任何FortiWeb動作 Using the Alerts screen administrators can view different types of activity – Attacks, Traffic and FortiWeb Events

攻擊行為報表 豐富的報表種類及圖形式報表 自訂報表項目 定期產生報表–每日、每週、每月或者依須要產生 支援多種格式 PDF, HTML, Word, TXT, MHT formats FortiWeb provides rich reporting capabilities providing ability to report on any activity – attack, traffic and FortiWeb events. Reports can be scheduled on daily, weekly and monthly basis and exported in different formats

流量報表 Reports – Traffic and Events 儲存任何存取網站流量記錄 Application Hits Service type usage (HTTP/HTTPS) Top sources FortiWeb 更入，更改稽核記錄

Fortinet Addresses PCI DSS FortiWeb addresses PCI 6.6 Web Application Firewall Web Application Scanner FortiDB addresses PCI requirements with Data Activity Monitoring and Vulnerability Assessment for Databases Requirement 2 : No vendor supplied defaults for system passwords Requirement 3 : Stored cardholder data must be protected Requirement 6 : Develop and maintain secure systems Requirement 7 : Access to data restricted on a need-to-know basis Requirement 10 : Track and monitor access to cardholder data Requirement 11 : Regular systems testing Requirement 12 : Maintaining an information security policy Fortinet addresses PCI DSS with FortiWeb web app firewall and scanner and extends compliance coverage to Database Activity Monitoring with FortiDB

FortiWeb 帶給您的益處 顯著的降低風險及資料外洩風險. 容易配置在任何環境之中 使用自動學習進行自動管理 協助達成 PCI 法規 精確的防護功能、進行多層次的防護 內建網站弱點掃描功能 容易配置在任何環境之中 多種配置模式選項 使用自動學習進行自動管理 協助達成 PCI 法規 Fortinet Confidential

FORTIWEB WVS - SCAN 網頁弱點掃描

FortiWeb Vulnerability Scan 網頁弱點掃描 Scan for Commmon Vulnerability, Cross-Site Scripting, SQL Injection, Source Disclosure, OS Commands

網頁弱點掃描- Summary Cross-Site Scripting (70) SQL Injection (1) 網站應用程式漏洞 網站一般性問題 Information (1) 網站伺服器資訊 網站Web伺服器 找到的URL/網頁 內含可輸入參數的URL 外部連結

網站Web伺服器資訊

關於 XSS (Cross Site Scripting) 由於這一則 XSS 為一處 GET，若是直接將 URI貼在 Firefox 上……

真實的 XSS Case.

Cross Script Result – 使用 FortiWeb 可將此類攻擊阻擋在外 將此 URL 貼在瀏灠器上會得到以下結果! http://*****.edu.tw/2009programarea/pgArea_info.html?amp;year=99&attrib=D%3E%22%3E%3CScRiPt%20%0A%0D%3Ealert%28%22Your%20PC%20has%20been%20HACKed%22%29%3B%3C/ScRiPt%3E

SQL Injection 植入漏洞 經由FortiWeb 弱點掃描的目前已知可能的漏洞

SQL Injection Result 正常的觀看只有 19 門或 60 門

SQL Injection 使用 FortiWeb 可將此類攻擊阻擋在外 使用此特別的URL,可一次看到 386 門 http://*****.edu.tw/2009programarea/pgArea_info.html?attrib=C&year=99%27+or+%271%27%3D%271&查詢=%E6%9F%A5%E8%A9%A2

網頁弱點掃描 – 其餘功能 找到的URL/網頁 可經由首頁進入掃描到的網站連結 內含可輸入參數的URL 可知道有多少網頁具備 Post 或者 GET 傳入作為參考 外部連結 可用來掃描是否被植入異常連結 可疑連結 – 釣魚網站

FORTIWEB 報表及自動學習功能

自動學習功能 經由自動學習功能，可得到整體網站連結架構，進而使用 參數白名單保護功能。

Auto-Learn Report Enhancement

偵測異常 PHP Information Leakage 使用 FortiWeb 可將此類攻擊阻擋在外

PHP 洩漏了資料庫的帳號密碼以及資料庫名稱 偵測異常 PHP Information Leakage 使用 FortiWeb 可將此類攻擊阻擋在外 PHP 洩漏了資料庫的帳號密碼以及資料庫名稱

從 Log 中看到 SQL Injection 的 POST 資料內容

SQL Injection 封包內容

已經可能存在 SQL Injection 檔案列表

FORTIWEB 實機功能簡介

FortiWeb – 攻擊偵測 Fortinet 特徵值資料庫 特徵值由 FortiGuard 全球團隊進行維護，7x24 線上更新 可進行手動更新 特徵值為進行第一層防護 54

Web Site with Anti-Defacement 網站防竄改控制 防止網站伺服器因為系統漏洞或者是惡意使用者從內部更改網站內容 FortiWeb 會將整個網站備份到本身的硬碟中，並定時連入網站伺服器作比對網頁的動作，若發現有任何檔案被更改的話，將會發出告警。 可啟動全自動恢復，將會從FortiWeb的備份檔案覆蓋回去。

Restore Changed File Automatically 網站防竄改控制設定 Email Alert Restore Changed File Automatically

偵測到網站原始碼改變 點選 Acknowledge 進行改變確認程序 選擇確認改變

支援網站外掛認證功能

正體中文版介面

每小時的異常流覽 建議將PHP錯誤訊息隱藏 Apache 錯誤訊息隱藏

攻擊來源 Yahoo 的快取攻擊佔了 19.76%

攻擊分佈

攻擊類別分佈

Only Fortinet Offers a Full Security Product Family Cisco IBM Imperva F5 Citrix Barracuda Web Application Firewall Yes Yes (DataPower) UTM Partial No Dedicated appliance for each security function Database security Vulnerability Assessment (DB only) End point Security 64

Questions

OWASP Top 10 2007 Vulnerability Description A1 - Cross Site Scripting (XSS) XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser which can hijack user sessions, deface web sites, possibly introduce worms, etc A2 - Injection Flaws Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data. A3 - Malicious File Execution Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise. Malicious file execution attacks affect PHP, XML and any framework which accepts filenames or files from users. A4 - Insecure Direct Object Reference A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization A5 - Cross Site Request Forgery (CSRF) A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker. CSRF can be as powerful as the web application that it attacks.

OWASP Top 10 2007 Vulnerability Description A6 - Information Leakage and Improper Error Handling Applications can unintentionally leak information about their configuration, internal workings, or violate privacy through a variety of application problems. Attackers use this weakness to steal sensitive data, or conduct more serious attacks. A7 - Broken Authentication and Session Management Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users' identities. A8 - Insecure Cryptographic Storage Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud. A9 - Insecure Communications Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications. A10 - Failure to Restrict URL Access Frequently, an application only protects sensitive functionality by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by accessing those URLs directly.

Reference Site FWB1000Bx2 , Electricity Authority of Cyprus’ FWB1000Bx2 , University of Szczecin , 6th the biggest university in Poland FWB1000Bx4 , South African National Roads Agency Ltd (SANRAL) FWB1000Bx2 , Paynova, online payment company FWB1000Bx5 , Kabel Deutschland (KDG), Biggest Cable Net Provider In Germany FWB1000Bx2 , Wind Telecomunicazioni fixed-mobile-Internet communications services operator in It FWB1000B, Kuwait Finance House - Middle East - Finance FWB1000B, French Connection - UK - Fashion & Clothing FWB1000B, GRASCC is the Italian defense department FWB1000Bx2, China MinSheng Bank FWB1000B , 立德大學 FWB1000B , 高雄醫大附設中和醫院