Wednesday, September 28, 2011

IPS or WAF Dilemma

As they endeavor to secure their systems from malicious intrusion attempts, many companies face the same decision: whether to use a web application firewall (WAF) or an intrusion detection or prevention system (IDS/IPS).  But this notion that only one or the other is the solution is faulty.  Attacks occur at different layers of the OSI model and they often penetrate multiple layers of either the stack or the actual system infrastructure.  Attacks are also evolving—what once was only a network layer attack has shifted into a multi-layer network and application attack.  For example, malicious intruders may start with a network-based attack, like denial of service (DoS), and once that takes hold, quickly launch another wave of attacks targeted at layer 7 (the application).
Ultimately, this should not be an either/or discussion.  Sound security means not only providing the best security at one layer, but at all layers.  Otherwise organizations have a closed gate with no fence around it.
Often, IDS and IPS devices are deployed as perimeter defense mechanisms, with an IPS placed in line to monitor network traffic as packets pass through. The IPS tries to match data in the packets to data in a signature database, and it may look for anomalies in the traffic. IPSs can also take action based on what they have detected, for instance by blocking or stopping the traffic. IPSs are designed to block the types of traffic that they identify as threatening, but they do not understand web application protocol logic and cannot decipher whether a web application request is normal or malicious. So if the IPS does not have a signature for a new attack type, it could let that attack through without detection or prevention. With millions of websites and innumerable exploitable vulnerabilities available to attackers, IPSs fail when web application protection is required. They may generate false positives, which can delay response to actual attacks. And actual attacks might also be accepted as normal traffic if they happen frequently enough, since an analyst may not be able to review every anomaly.
WAFs have greatly matured since the early days. They can create a highly customized security policy for a specific web application. WAFs can not only reference signature databases but also combine rules that describe what good traffic should look like with generic attack signatures, giving web application firewalls the strongest mitigation possible. WAFs are designed to protect web applications and block the majority of the most common and dangerous web application attacks. They are deployed inline as a proxy or bridge, or out of band on a mirror port, and can even be deployed on the web server itself, where they can audit traffic to and from the web servers and applications and analyze web application logic. They can also manipulate responses and requests and hide the TCP stack of the web server. Instead of only matching traffic against a signature or anomaly file, they watch the behavior of the web requests and responses. IPSs and WAFs are similar in that they analyze traffic, but WAFs can protect against web-based threats like SQL injection, session hijacking, XSS, parameter tampering, and other threats identified in the OWASP Top 10. Some WAFs may contain signatures to block well-known attacks, but they also understand the web application logic. In addition to protecting the web application from known attacks, WAFs can also detect and potentially prevent unknown attacks. For instance, a WAF may observe an unusually large amount of traffic coming from the web application. The WAF can flag it as unusual or unexpected traffic and can block that data.
A signature-based IPS has very little understanding of the underlying application. It cannot protect URLs or parameters. It does not know if an attacker is web-scraping, and it cannot mask sensitive information like credit card and Social Security numbers. It could protect against specific SQL injections, but it would have to match the signatures perfectly to trigger a response, and it does not normalize or decode obfuscated traffic. One advantage of IPSs is that they can protect the most commonly used Internet protocols, such as DNS, SMTP, SSH, Telnet, and FTP. The best security implementation will likely involve both an IPS and a WAF, but organizations should also consider which attack vectors are getting traction in the malicious hacking community. An IDS or IPS has only one solution to those problems: signatures. Signatures alone can’t protect against zero-day attacks, for example; proactive protection of URLs, parameters, and allowed methods, together with deep application knowledge, is essential to this task. And if a zero-day attack does occur, an IPS’s signatures can’t offer any protection. However, if a zero-day attack occurs that a WAF doesn’t detect, it can still be virtually patched using F5’s iRules until there’s a permanent fix.
A security conversation should be about how to provide the best layered defense. Web application firewalls like BIG-IP ASM protect traffic at multiple levels, using several techniques and mechanisms. An IPS just reads the stream of data, hoping that traffic matches its one technique: signatures.
Web application firewalls are unique in that they can detect and prevent attacks against a web application.  They provide an in-depth inspection of web traffic and can protect against many of the same vulnerabilities that IPSs look for.  They are not designed, however, to purely inspect network traffic like an IPS.  If an organization already has an IPS as part of the infrastructure, the ideal secure infrastructure would include a WAF to enhance the capabilities offered with an IPS.  This is a best practice of layered defenses. The WAF provides yet another layer of protection within an organization’s infrastructure and can protect against many attacks that would sail through an IPS.  If an organization has neither, the WAF would provide the best application protection overall.
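The contrast the post draws, a signature match on the raw request versus a WAF that normalizes the request and enforces a positive policy of allowed URLs, methods and parameter formats, as an added Python sketch (not F5 or BIG-IP ASM code); the signature list, the policy and the sample requests are all constructed for illustration.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed signature list: the only thing a signature-only IPS consults.
SIGNATURES = ["' or 1=1", "<script>", "union select"]

# Constructed positive policy for a hypothetical app: allowed URLs, methods and
# the format each parameter may take (the WAF's model of what good traffic looks like).
POLICY = {
    "/login": {"methods": {"POST"}, "params": {"user": r"[a-z0-9_]{1,32}"}},
    "/search": {"methods": {"GET"}, "params": {"q": r"[\w ]{1,64}"}},
}

def ips_check(request_line):
    """Signature-only: literal substring match on the raw request line, no decoding."""
    lowered = request_line.lower()
    return any(sig in lowered for sig in SIGNATURES)

def normalize(value, max_rounds=3):
    """Undo percent-encoding (bounded, so double encoding is caught) and collapse whitespace."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return " ".join(value.split()).lower()

def waf_check(method, target):
    """Enforce the positive policy, then run signatures on normalized values; returns (blocked, reason)."""
    parts = urlsplit(target)
    rule = POLICY.get(parts.path)
    if rule is None:
        return True, "URL not in policy"
    if method not in rule["methods"]:
        return True, "method not allowed for URL"
    for pair in filter(None, parts.query.split("&")):
        raw_name, _, raw_value = pair.partition("=")
        name, value = normalize(raw_name), normalize(raw_value)
        pattern = rule["params"].get(name)
        if pattern is None:
            return True, f"unexpected parameter {name!r}"
        if any(sig in value for sig in SIGNATURES):
            return True, f"attack signature in parameter {name!r}"
        if not re.fullmatch(pattern, value):
            return True, f"parameter {name!r} violates allowed format"
    return False, "allowed"

def compare(method, target):
    """Run both checks on one request; returns (ips_blocked, waf_blocked)."""
    return ips_check(f"{method} {target} HTTP/1.1"), waf_check(method, target)[0]

if __name__ == "__main__":
    # Constructed samples: normal search, percent-encoded and double-encoded
    # signature (invisible to the raw match), wrong method, and a stray parameter.
    for method, target in [
        ("GET", "/search?q=waterpark+tickets"),
        ("GET", "/search?q=%27%20OR%201%3D1"),
        ("GET", "/search?q=%2527%2520OR%25201%253D1"),
        ("GET", "/login?user=bob"),
        ("GET", "/search?q=x&debug=1"),
    ]:
        print(f"{method} {target:40} blocked by IPS/WAF: {compare(method, target)}")
```

The last three samples are blocked by the policy alone, without any signature, which is what lets the positive model catch a request the signature database has never seen.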


ps



Tuesday, September 27, 2011

VMworld 2011: F5 BIG-IP v11 iApps for Citrix

The bonus VMworld2011 video - like the special features of a DVD! This was shot by our good friends at Dell and originally posted to the Dell TechCenter home page and Dell TechCenter YouTube channel. I interview F5 Solution Architect, Michael Koyfman who gives a demo of the F5 BIG-IP v11 iApp Template for Citrix load balancing and remote access.  Special thanks to Jeffrey Sullivan, Dell TechCenter Community Manager and Lee Burnette, Social Media & Community Technologist for Dell TechCenter.

ps


Monday, September 26, 2011

F5 Case Study: WhiteHat Security

Founder & CTO of WhiteHat Security, Jeremiah Grossman talks about the F5/WhiteHat partnership, the benefits of the WhiteHat Sentinel & BIG-IP ASM integration, the sophistication level of some of the recent attacks/breaches reported in the media, blocking SQL Injections and why organizations should consider an integrated WAF and Scanner like the WhiteHat/F5 solution.

ps


Tuesday, September 20, 2011

Cloud Computing Making Waves

Every once in a while, I’ll do a news search for ‘cloud computing.’ Yesterday was one of those days and while there are always a few stories about ‘the cloud,’ I was somewhat amazed by the number and range of topics that appeared. Also, the most recent issue (Oct 2011) of Consumer Reports had an article about ‘what’s the cloud.’ It was fairly elementary, but for some reason when something is covered in Consumer Reports, I tend to think it’s finally reaching the masses. I’m glad they included, ‘Use caution when signing up for any cloud service. Make sure your information is well protected against cyber thieves. The company you're using should encrypt sensitive data and have state-of-the art privacy safeguards. And use strong passwords—a combination of letters, numbers, and symbols in a minimum of six characters.’ Yes, we love encryption.

And to the search results.

With the economy still sputtering along, Forbes had an article talking about how Cloud Computing May be a Shot in the Arm our Economy Needs. On-demand applications, pay-as-you-go and agility were common themes, as they have been for a couple of years. The author talks about the fear of ‘hollow corporations,’ or those that do not produce any goods or services but simply act as middlemen – brokers of services. However, these services are coming from the cloud, delivered via technology from the provider to the consumer. They are not really ‘hollow’ but what is called ‘loosely coupled’ corporations: a system or entity can do fine on its own, but when coupled with other systems, that’s when the fireworks fly. These providers would simply be the aggregation point of various third-party services which are made available to the consumer on demand. He talks about how cloud computing can blur the lines between IT consumers and providers, how traditional non-IT companies, like online retailer Amazon, are also cloud providers, and how corporations could build their own private cloud and offer those services to partners and customers. He also looks into how the cloud can get a startup going very inexpensively; how small application shops can survive by selling their innovative software in app stores; and how ‘micro-outsourcing,’ not the entire bundle but pieces of IT resources, is becoming more common. He really talks about the business angle rather than cloud technology.

When the cloud first started making headlines, there was a notion, due to costs and even technical knowledge, that the cloud would be perfect for small businesses. While some SMBs took advantage, the big growth came when large enterprises began tinkering with cloud services, albeit with small portions of their infrastructure. Over at SmallBusinessComputing.com, an article called Cloud Computing Tips for Small Business gives small businesses some areas of focus when looking into cloud services: things like software management, data storage and IaaS as potential areas for investigation for those with equipment like servers that may be nearing end of life. Avoid that onsite upgrade, especially for storage. Security is certainly another area, not only for small business but for all companies that consider cloud. The cloud can give small businesses (and their customers) that round-the-clock feeling of a large enterprise. Of course, plan and budget wisely, according to the article.

We knew it was happening, and CIO has an article about How Cloud Computing Is Changing Data Center Designs and Costs. It is an interesting look at how cloud computing is driving data center design. Formerly, the cloud advantage relied on efficient use of current data center design patterns; now the cost basis of data centers is being transformed by the creation of new data center designs focused on scale, efficiency and commodity components. They are becoming mass-scale computing environments rather than raised-floor cages housing individual company servers. Cost is a big topic of this article.

Of all the IT services that could benefit from cloud computing, email was always considered a great contender. Jumping on a Gartner report which says Gmail Now Credible Rival to Microsoft Exchange, a bunch of folks wrote about the implications of cloud email. While still only around 4% of the total enterprise email market, Gartner expects it to grow to 20% by 2016 and 55% market share by 2020. Still a way off and lots can happen, but certainly a trend to follow. Financial institutions, which may require greater security and other features, may not be so quick to adopt, but others are signing up rapidly. One way to transition is to have a hybrid of cloud and on-premise inboxes.

Public?  Private?  Oh, no…it’s Hybrid Cloud to the rescue.  Yes Public is growing fast; yes, companies feel more comfortable with Private; but Hybrid might be the best of both worlds.  The ability to balance workloads, move peak traffic, outsource less critical apps, adhere to SLAs and overall agility is making Hybrids very attractive to those looking to cloud computing.

On any given day a ‘cloud computing’ search can give varying results depending on the hot topics; this time it seemed to return a cornucopia of stories covering a wide section of topics. And now I’m caught up…until tomorrow.

ps


Wednesday, September 14, 2011

Hackers Hit Vacation Spots

Just when you were having all that fun running around the waterpark and playing those arcade games comes news that the card processing system of Vacationland Vendors Inc., a Wisconsin Dells firm that supplies arcade games and installs vending machines, was breached. From the notice on their website, they say, ‘Vacationland Vendors recently discovered that an unauthorized person wrongfully accessed certain parts of the point of sales systems that Vacationland Vendors uses to process credit and debit transactions at the Wilderness Resorts.’ Up to 40,000 debit or credit cards that were used in the arcades any time between December 2008 and May 2011 at the Wilderness Waterpark Resort near Wisconsin Dells and a companion resort in Tennessee are potentially compromised. The hackers, according to Vacationland Vendors, improperly acquired credit card and debit information, and around 20 accounts have shown irregular activity. Reservation and restaurant transactions were not involved in the breach, only the point-of-sale devices. Malware was the apparent culprit.

Point-of-sale devices and the networks they are connected to are often the target of malicious hackers. These ‘kiosks’ are typically unattended and might be in locations where observation is limited. A couple of years ago, Target’s breach was the result of hackers gaining access via the customer service kiosks, and the huge hit at Heartland Payment Systems, resulting in tens of millions of exposed credit and debit cards, was from a breach of the company's point-of-sale network. After successful installation of malicious software, thieves are able to sniff and intercept payment card data as the information is transmitted within the internal network or to the bank for authorization. It might not even be encrypted as it travels. If it was, then the crooks wouldn’t have the info. Many people may think these kiosk point-of-sale devices are safe since they take credit card data and merchants need to be PCI compliant. While the overall deadline for PCI 1.2 compliance was a couple of years ago (and PCI 2.0 at the end of this year), the deadline for unattended point-of-sale devices was July 2010, a little over a year ago. That’s why you’ve seen a whole slew of new gas station pumps at your favorite fueling stations, and just like regular compliance, it’s going to take time to update all the point-of-sale devices. Now, I’m not insinuating that the arcade devices were not PCI compliant, since nothing has been reported about that, but what I am saying is be careful with those, since you may not know whether a device is compliant or not. If it looks a few years old, then most likely it is not.

With this and other similar point-of-sale breaches, many security experts (and even the Heartland CEO) believe end-to-end encryption is necessary, even if transmitting on the internal network, from the time the card is swiped all the way until the data reaches the processor or bank. Many credit card swipe terminal vendors are building encryption into the hardware itself, and F5 can help keep that information encrypted while it’s travelling the great unknown. Our BIG-IP APM and BIG-IP Edge Gateway (voted Best Secure Remote Access Product by TechTarget Readers) can easily encrypt any traffic, internal or external. Heck, even a couple of BIG-IP LTMs running our latest v11 code can initiate a secure tunnel between them, creating an instant, secure WAN connection.

With the advent of credit card swiping capabilities on mobile phones now in full force, I’m not sure if this is going to get better or worse.  The terminal might be fine but if you install a hacked mobile payment app, then you can skim credit card info like the pros.  Remember, humans will often trade privacy for convenience.

ps


Friday, September 9, 2011

From the Greenroom

If you even glanced at my blog last week you probably noticed a slew of videos from VMworld 2011. What was a simple idea a couple of years ago – give people a taste of what we were up to at the various trade shows & highlight partners – has turned into a fun and exciting part of my job. I do hope they give you a flavor of what is happening on the show floor. While I try to schedule some interviews and topics prior to the show(s), many of the ‘on the spot’ videos truly are situations where I’m like, ‘ohhh, let's shoot that – ready?’ We do a little prep work, especially for the whiteboard discussions, but most of the time we just briefly chat about it and go live. Many times we nail it but sometimes a hiccup happens, mostly mine, which is why I also post the video outtakes at the end. I’ve always loved bloopers, even back when Dick Clark was pretending to laugh at all the flubs of 80’s TV. We’ll be shooting again in a few weeks at Oracle OpenWorld, so if you’re around, stop by and say hi. I’ll even interview you if you like.

Over the next couple of months, we’ll be posting a number of videos covering some v11 features like iApps and DNS Express, along with a series focusing on the many security solutions F5 offers. I also have a few ‘In 5 Minutes’ videos in the queue. Video has certainly exploded over the last couple of years and is an impactful way to communicate. Retailers are using video more on their ecommerce sites to help consumers make informed purchasing decisions. According to Forbes, video has graduated from a novelty to a mainstream method for execs in the C-Suite to get business information. According to comScore, in December 2010, the average American spent more than 14 hours watching online video, a 12-percent increase from the prior year, and streamed a record 201 videos, an 8-percent increase. And according to Nielsen, on a year-to-year basis, the number of people watching mobile video increased more than 43%, while the amount of time spent doing so was up almost 7%, and over 180 million (86%) of the U.S. Internet audience viewed online video during July 2011. Viewers watched online video for an average of 18.5 hours per viewer and engaged in 6.9 billion viewing sessions. Obviously, this trend will continue as more people turn to their mobile devices for entertainment and information.

I sometimes find it a little difficult to get into the writing groove again after a week of shooting so I’ll just end it here but thanks for watching and stay tuned for more.

ps
