Slide 1

Transcription:

PENTASEC 2011 Penta Security Systems, Inc. October, 2011 김덕수, dskim@pentasecurity.com

Penta Security Systems - Products
No. 1 Web Application Firewall vendor in Korea (WAPPLES). No. 1 database encryption solution vendor in Korea (D'Amo).
- Intelligent Web Application Firewall, WAPPLES: Leading WAF product in Korea with 50%+ market share. Unique logic-based detection engine. Near 0 false positive detection and immunity to unknown attacks. Security Compatibility Certification from the National Intelligence Service.
- Integrated DB Security, D'Amo: No. 1 database encryption software in Korea since 2004, with 650 customers in all sectors. Runs on Oracle (Enterprise/Standard), MS SQL Server, DB2, ALTIBASE, Tibero and MySQL. Supports various security configurations through D'Amo SG and D'Amo SCP. Realization of strong, comprehensive DB security.
- PKI Security Solution, ISSAC: The first PKI in Korea to apply international standard technology. User authentication is provided through the NPKI and GPKI systems. Supports web session encryption and user authentication.
- PKI Development Toolkit, SCP / Cryptographic Module, CIS: Cryptographic function and security service development tool. Supports embedded environments. Supports platforms from PC to mainframe.
- SSO & EAM Solution, ISign: The first SSO solution in Korea. Single Sign On (SSO) solution for enterprise security since 2001. Extranet Access Management based on RBAC (Role Based Access Control).
Integrated application security solution roadmap

Penta Security Systems - Products
Diagram labels: User, Web Server, DB; Web Application Security.
- Web-based Security: Application Development Toolkit (Data Encryption, Transaction Protection, Entity Authentication, Single Sign On)
- Web Application Security: Web Application Firewall (Prevent Web Attacks, Privacy Protection)
- DBMS Security: Integrated DBMS Encryption Solution (Data Encryption, Access Control & Audit)

IT System Architecture
Layers: Applications / Systems / Networks

Technologies in each layer
- Applications: email applications, web-based applications, host-based applications, client-server applications, network management applications, security applications
- Systems: application servers, operating system servers, file servers, web servers, network operating systems, middleware systems
- Networks: ATM, WAN, routers, switches, hubs

Technologies in each layer (same diagram, with a representative technology per layer)
- Applications: Business Application
- Systems: OS, DBMS
- Networks: L2, L3, L4 switches

Secure IT System!
Security is attached to each layer: Applications, Systems, Networks.

Application Security (Applications / Systems / Networks)
ISSAC = Integrated Security System based on Advanced Cryptography
Security cannot avoid integration! Integration is the destiny of security!

Application Security (Applications / Systems / Networks; diagram label: DBMS)
Security cannot avoid integration! Integration is the destiny of security!

Application Security (Applications / Systems / Networks; diagram label: Network Connected to Web Servers)
Security cannot avoid integration! Integration is the destiny of security!

Security Trio: Applications / Systems / Networks

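DB encryption methods
DB encryption is broadly classified into three methods: API, Plug-In, and In-Place.
- API: Encryption and decryption are performed in the application. No restriction on which DBs it can be applied to. Every query related to the data to be encrypted must be modified. No access control or audit functions.
- Plug-In: The encryption/decryption module is installed in the DBMS as a plug-in. Independent of the application, so query modification is minimized. Supports indexes on encrypted columns. Provides integrated security functions: encryption, access control, and audit.
- In-Place: The encryption/decryption function is included in the DB engine. In this case, a separate package is needed to support access control and audit functions. Some products encrypt at the level of the OS disk driver. Integrated security management is difficult and less intuitive.
Diagram labels: Application, Database, Encryption Agent, Select, Insert, Database Engine, Encryption Engine (API / Plug-In / In-Place).
Complete data protection requires not only encryption but also integrated security management through access control and audit.

Three elements of DB encryption from a performance perspective
Installation, normal operation, successful deployment. Real-time processing (OLTP); initial encryption; batch (DW, OLAP).

DB encryption - API method
A method that provides a kind of cryptographic module.
Diagram labels: Application, DBMS, encryption/decryption API, key management API, key management server.
- Key management must be implemented.
- Integration with the application must be implemented.
- For legacy systems, who performs the initial encryption?

DB encryption - Plug-In method
A method that does not modify the application.
Diagram labels: Application, DBMS, encryption/decryption API, Interface Objects, key management API, key management server.
- Package installation
- Consulting on the mode of operation
- Support for initial data encryption

DB encryption - Plug-In method
Is the application really not modified?
Diagram labels: Application, DBMS, Developer, Code, Queries, encryption/decryption API, Interface Objects, key management API, key management server.
- Queries are also considered part of the application.
- Limitation: queries that already perform a full scan.
- Limitation of the Interface Objects.

Recent DB encryption products
Offered as an integrated product.
- API method: encryption/decryption API, key management API
- Plug-In method: API for the DBMS, encryption/decryption API, Interface Objects, key management API
- Key management server
The product must be applied in a way that fits the customer's system environment.

D'Amo Product Line-up
API / Plug-In / In-Place
Diagram labels: Application, Database, Select, Insert, Database Engine, Encryption Agent, Encryption Engine.
Complete data protection requires not only encryption but also integrated security management through access control and audit.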

D'Amo Analyzer
- Searching for columns storing privacy information
- Searching for important encryption target columns, e.g. credit card number, social identification number, etc.
- Searching for DB objects involved in query optimization after encryption
- Analyzing traffic characteristics of queries accessing encryption columns

D'Amo Analyzer
- Analysis report on encryption before/after
- Performance expectation report
- Recommending optimized queries related to encryption columns

Application Security
Application Security Is A Totally Different World
- Network Security: Part of IT; Networking Experts; Product Focused; 1000's of Copies; Signature Based; Patch Management
- Application Security: Part of Business Units; Software Experts; Custom Code Focused; 1 Copy of Software; No Signatures; Prevent infinite variant attacks and unknown attacks
Don't let anyone rely on network security techniques to gain application security.

Traditional Network Firewalls, IDS/IPS, and Anti-Virus systems do NOT protect the Layer-7 Applications (OSI Network). Gartner

70% of ALL threats are at the Web application layer Gartner

93% of organizations hacked in the past two years through insecure Web Applications. Gartner

88% of companies spend more on coffee than Web app security. Ponemon Institute

Why Web Application Firewall
Web Application Security: thought Solid but Vulnerable
- Hackers steal e-commerce customer credit card numbers.
- Hackers breached the company's network even though patches were up-to-date and defenses were in place.
- Patches were up-to-date and defenses were in place.
- A coordinated and sophisticated group of hackers broke in and stole customers' credit card information.

Web Application Attack: SQL Injection
- A method of entering specific commands into the login box of a web page to extract the names, resident registration numbers, and other data that members have entered.
- It is regarded as a rudimentary method.
- Sites must be designed with security in mind.
Source: http://www.asiae.co.kr/news/view.htm?idxno=2011052310523881295

Web Application Attack

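Conventional Approach
Key: Block application-layer attacks by implementing a Positive Security Model!
- Basic idea: to stop unknown attacks, pass only application access that is defined as not being an attack, and block all other access.
- The Positive Security Model is implemented through White List Access Control.
Conventional Web Application Firewall (WAF): White & Black List Layered Architecture
- Implemented as a combination of Black List Access Control and White List Access Control.
- Black List Access Control uses signatures to defend against existing, known attacks.
- White List Access Control is used to implement Positive Security by registering trusted web applications.
Conventional WAF Architecture (diagram labels)
- Positive Security: protection from unknown threats and vulnerabilities (White List Access Control)
- Negative Security: protection from known threats and vulnerabilities (Signatures, Black List Access Control)
- Web Application Firewall Engine, Pattern Matching Engine, Pattern DB

White List & Black List Access Control
Characteristics of White List Access Control
- If the access type is included in the registered information (white list), service is allowed; every other type is blocked.
- If the white list for the web application is not accurate, the web service may be blocked.
- It must be managed so that an accurate white list is collected as the web application changes.
- The key is to produce a white list that reflects the web application accurately and quickly.
Characteristics of Black List Access Control
- If the access type is included in the registered information (black list), it is judged to be an attack and blocked.
- The typical way to implement Black List Access Control is to use a Pattern Matching Engine to check the patterns registered in a Pattern DB.
- The black list for attacks is written in the form of patterns; a pattern for attack detection is called a signature.
- Patterns must be written and registered precisely so that they detect attacks accurately.
- Patterns are written in a string format like the one below, so they often flag non-attacks as attacks (false positives).
Example of a pattern regular expression: "[^\d]531\d[-\.\s\\\/=]?\d{4}[-\.\s\\\/=]?\d{4}[-\.\s\\\/=]?\d{4}[^\d]{1}"

The 1st Generation WAF
The WAF's detection accuracy depends on the administrator's ability.
- The administrator registers the white list information by hand to perform access control.
  - Because web applications change continuously, the administrator's operational burden increases.
  - In practice, many WAFs are operated without using White List Access Control.
- Black list patterns need highly optimized registration and management so that they do not generate false positives.
  - The administrator performs the pattern optimization work by hand.
  - Only skilled engineers can operate the WAF.
  - Some invest additional operating cost to purchase specialized pattern information: 1) subscribing to a consulting service for signature optimization and management, or 2) connecting to an update server provided by the manufacturer. Operating cost increases.
  - With a typical Pattern Matching Engine, performance load appears once the number of patterns exceeds 3000~5000.
Diagram labels (1st Generation Web Application Firewall): White List Access Control (Matching Engine, Application List, Learning, Register App. Info.); Black List Access Control (Pattern Matching Engine, Pattern DB, Updating Signatures, Register patterns); Admin.

The 2nd Generation WAF
Adopts an automated module for white list generation.
- An automation module is added to reduce the administrator's burden of managing the white list.
  - Because the concept is Auto-Mining rather than Auto-Learning, the white list is in practice finalized through the administrator's intervention.
  - This is because, by the nature of a white list, automatic generation can cause problems in service operation.
- For a web application that is updated daily, the Auto-Mining data is not accurate.
  - Changes to the application are sometimes not reflected immediately.
  - At least two weeks of Auto-Mining are needed to produce a usable white list.
  - The administrator must correct the Auto-Mined white list.
- The black list management functions differ little from the 1st Generation WAF.
  - The limitations of the 1st Generation WAF are not overcome.
Diagram labels (2nd Generation Web Application Firewall): White List Access Control (Mining App. Info., Automation, Matching Engine, Application List, Learning, Confirmation); Black List Access Control (Pattern Matching Engine, Pattern DB, Updating Signatures, Register patterns); Admin.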

WAPPLES Detection Rules
The WAPPLES COCEP Engine is composed of 26 detection rules and 1 function. Each rule analyzes and responds to various types of attacks. WAPPLES rules provide easy security policy set-up by just selecting a detection level and a countermeasure option.
1 Buffer Overflow
2 Cookie Poisoning
3 Cross Site Script
4 Directory Listing
5 Error Handling
6 Extension Filtering
7 File Upload
8 Include Injection
9 Input Contents Filtering
10 Invalid HTTP
11 Invalid URI
12 IP Filtering
13 Parameter Tampering
14 Privacy File Filtering
15 Privacy Input Filtering
16 Privacy Output Filtering
17 Request Header Filtering
18 Request Method Filtering
19 Response Header Filtering
20 SQL Injection
21 Stealth Commanding
22 Suspicious Access
23 Unicode Directory Traversal
24 URI Access Control
25 User Defined
26 Web Site Defacement
27 IP Block
IP Block is the function that blocks IP connections according to a condition the user sets. For example, if a certain attack is detected for a given period, IP Block will be triggered for the source IP address.

Detection Engine's 3 mechanisms
The WAPPLES Detection Engine uses 3 evaluation mechanisms. "Logical analytic engine" means a detection engine that carries out application-layer interpretation and verification based on the 3 mechanisms below.
- Evaluation based on Heuristic analysis
- Evaluation based on Semantic analysis
- Evaluation based on Pattern Matching
The WAPPLES 26 detection rules and 1 function (IP Block) can be classified as follows.
Table columns: Evaluation based on Heuristic Analysis | Evaluation based on Semantic Analysis | Evaluation based on Pattern Matching
Table cells as extracted: Cross Site Scripting Include Injection Buffer Overflow Directory Listing Cookie Poisoning Invalid HTTP Error Handling IP Block Invalid URI Extension Filtering Parameter Tampering Parameter Tampering File Upload Suspicious Access Privacy File Filtering Input Content Filtering URI Access Control Privacy Input Filtering IP Filtering Privacy Output Filtering Request Header Filtering SQL Injection Stealth Commanding Request Method Filtering Response Header Filtering User Defined Pattern Web Site Defacement Unicode Directory Traversal

Rule Example: SQL Injection
Example of how WAPPLES's SQL parser works.
Assume that the SQL injection string is (name='penta' or name='security') and keyword='pentasec'. WAPPLES's SQL parser processes it as below to decide whether or not the string has an intention of attack.
Parse tree (from the slide diagram):
- Parse() calls Expression().
- Expression() is queryterm() and queryterm(): Emit Intersect.
- The first queryterm() is ( Expression() ): Emit ( Emit ). The inner Expression() is queryterm() or queryterm(): Emit Union.
  - queryterm() name = 'penta': Emit equal condition SQL.
  - queryterm() name = 'security': Emit equal condition SQL.
- The second queryterm() is keyword = 'pentasec': Emit equal condition SQL.
If all the final results of each end node are part of a SQL command, then the WAPPLES SQL parser recognizes the original string as a SQL command.

Example of False-Positive and Misdetection (1/4)
Misdetection example of a signature-based engine. Consider a WAF that has the signatures below.
Example of SQL Injection signatures
- "part" is the target of a substring search. "rgxp" is a regular expression.
- After a string matching "part" is found, "rgxp" is applied.
Signature | Signature Name
part="or 'a' = 'a" | SQL Injection WHERE Statement Manipulation
part="or 'a'= 'a" | SQL Injection WHERE Statement Manipulation 1
part="or 'a'= 'a" | SQL Injection WHERE Statement Manipulation 2
part="or 'a'='a" | SQL Injection WHERE Statement Manipulation 3
part="or 'a' ='a" | SQL Injection WHERE Statement Manipulation 4
part="or 'a'='a" | SQL Injection WHERE Statement Manipulation 5
part="or 'a' ='a" | SQL Injection WHERE Statement Manipulation 6
part="or a=a" | SQL Injection WHERE Statement Override
part="or 1=1" | SQL Injection WHERE Statement Override 1
If the SQL injection source is modified from a = a to b = b, the regular expression cannot detect the modified SQL injection attack.

Example of False-Positive and Misdetection (2/4)
False-positive example of a signature-based engine. Consider a WAF that has the signatures below.
Example of SQL Injection signatures
Signature | Signature Name
part="waitfor", rgxp="[^a-za-z]waitfor\s*delay" | SQL Injection - Waitfor
part="having", rgxp="[^a-za-z]having[^\&]{0,20}=[^\&]{0,20}" | SQL Injection - "having" statement injection attempt
part="opendatasource", rgxp="select.*from.*opendatasource" | SQL Injection - opendatasource
If an HTTP message includes a string such as "having a good time ==", a signature-based WAF produces a false positive.
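The contrast drawn on the SQL-parser slide and the two signature slides above, as an added example that is not WAPPLES code and not part of the original deck: a small recursive-descent recogniser for the Expression()/queryterm() structure, run beside three of the signatures quoted on the slides. The token rules, the simplified grammar and the two constructed sample strings are assumptions made for illustration.

```python
import re

# Signatures quoted on the slides: (name, substring "part", optional "rgxp").
SIGNATURES = [
    ("SQL Injection WHERE Statement Manipulation 3", "or 'a'='a", None),
    ("SQL Injection WHERE Statement Override 1", "or 1=1", None),
    ('SQL Injection - "having" statement injection attempt', "having",
     r"[^a-za-z]having[^\&]{0,20}=[^\&]{0,20}"),
]

def signature_hits(text):
    """Signature engine: substring pre-filter first, then the regex."""
    low = text.lower()
    return [name for name, part, rgxp in SIGNATURES
            if part in low and (rgxp is None or re.search(rgxp, low))]

# Assumed token set for this sketch: parentheses, "=", quoted strings,
# numbers and bare words ("and" / "or" become keyword tokens).
TOKEN = re.compile(r"\s*(?:(?P<lp>\()|(?P<rp>\))|(?P<eq>=)|(?P<str>'[^']*')"
                   r"|(?P<num>\d+)|(?P<word>[A-Za-z_]\w*))")
OPERAND = ("word", "str", "num")

def tokenize(text):
    """Return [(kind, value)], or None if a character fits no token."""
    text, pos, out = text.strip(), 0, []
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            return None
        kind, val = m.lastgroup, m.group(m.lastgroup)
        if kind == "word" and val.lower() in ("and", "or"):
            kind = val.lower()
        out.append((kind, val))
        pos = m.end()
    return out

class Parser:
    def __init__(self, tokens):
        self.toks, self.i, self.emitted = tokens, 0, []

    def peek(self):
        return self.toks[self.i][0] if self.i < len(self.toks) else None

    def take(self, *kinds):
        if self.peek() in kinds:
            self.i += 1
            return True
        return False

    def expression(self):
        # Expression := queryterm (("and" | "or") queryterm)*
        if not self.queryterm():
            return False
        while self.peek() in ("and", "or"):
            op = self.peek()
            self.i += 1
            if not self.queryterm():
                return False
            self.emitted.append("Intersect" if op == "and" else "Union")
        return True

    def queryterm(self):
        # queryterm := "(" Expression ")" | operand "=" operand
        if self.take("lp"):
            return self.expression() and self.take("rp")
        if self.take(*OPERAND) and self.take("eq") and self.take(*OPERAND):
            self.emitted.append("equal condition")
            return True
        return False

def parse_as_sql(text):
    """Emitted node list if the whole string is a SQL condition, else None."""
    toks = tokenize(text)
    if not toks:
        return None
    p = Parser(toks)
    return p.emitted if p.expression() and p.i == len(toks) else None

SLIDE = "(name='penta' or name='security') and keyword='pentasec'"
VARIANT = "name='x' or 'b'='b'"                      # constructed sample
CHAT = "we are having a good time == see you soon"   # constructed sample
```

The signatures miss VARIANT and fire on CHAT, while the parser accepts VARIANT and rejects CHAT because the sentence never forms an operand = operand term.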

Example of False-Positive and Misdetection (3/4)
Signature sample related to privacy (credit card number) filtering.
Ex) For the credit card number 4254361480110015:
- 4254361480110016: detected in spite of being an invalid card number (false positive)
- 4254-3614-8011-0015-1234-5678: detected in spite of not being a credit card number (false positive)
- 4254_3614_8011_0015: a credit card number, but not in the pattern (misdetection)
Limitation
- Even when a number is an invalid credit card number, or not a credit card number at all, the regular expression filters it.
- If the credit card number's format is changed, it cannot be detected at all.
Signature | Signature Name
part="349", rgxp="[^\d]349\d[-\.\s\\\/=]?\d{4}[-\.\s\\\/=]?\d{4}[-\.\s\\\/=]?\d{3}[^\d]{1}" | Data Leakage: credit card number extraction - 213 - American Express
part="422", rgxp="[^\d]422\d[-\.\s\\\/=]?\d{4}[-\.\s\\\/=]?\d{4}[-\.\s\\\/=]?\d{4}[^\d]{1}" | Data Leakage: credit card number extraction - 24 - Visa
part="423", rgxp="[^\d]423\d[-\.\s\\\/=]?\d{4}[-\.\s\\\/=]?\d{4}[-\.\s\\\/=]?\d{4}[^\d]{1}" | Data Leakage: credit card number extraction - 25 - Visa
part="424", rgxp="[^\d]424\d[-\.\s\\\/=]?\d{4}[-\.\s\\\/=]?\d{4}[-\.\s\\\/=]?\d{4}[^\d]{1}" | Data Leakage: credit card number extraction - 26 - Visa
part="425", rgxp="[^\d]425\d[-\.\s\\\/=]?\d{4}[-\.\s\\\/=]?\d{4}[-\.\s\\\/=]?\d{4}[^\d]{1}" | Data Leakage: credit card number extraction - 27 - Visa
part="299", rgxp="[^\d]299\d[-\.\s\\\/=]?\d{4}[-\.\s\\\/=]?\d{4}[-\.\s\\\/=]?\d{2}[^\d]{1}" | Data Leakage: credit card number extraction - 276 - Diner's Club / Carte Blanche
part="300", rgxp="[^\d]300\d[-\.\s\\\/=]?\d{4}[-\.\s\\\/=]?\d{4}[-\.\s\\\/=]?\d{2}[^\d]{1}" | Data Leakage: credit card number extraction - 277 - Diner's Club / Carte Blanche
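The three cases on the credit card slide above, reproduced as an added example (not WAPPLES code and not part of the original deck): the slide's "425" Visa signature is run beside a content check that normalises separators and applies the Luhn checksum. The candidate-extraction rule, the 16-digit/leading-4 test and the surrounding "memo:" text are assumptions made for illustration.

```python
import re

# Visa "425" signature as quoted on the slide: substring "part" + "rgxp".
PART = "425"
RGXP = re.compile(r"[^\d]425\d[-\.\s\\\/=]?\d{4}[-\.\s\\\/=]?\d{4}"
                  r"[-\.\s\\\/=]?\d{4}[^\d]{1}")

def signature_detects(text):
    """Signature engine: substring pre-filter, then the regular expression."""
    return PART in text and RGXP.search(text) is not None

def luhn_ok(digits):
    """Luhn checksum: double every second digit counted from the right."""
    total = 0
    for idx, ch in enumerate(reversed(digits)):
        d = int(ch)
        if idx % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# Assumption of this sketch: a candidate is a maximal run of digit groups
# joined by any single non-alphanumeric separator ("-", "_", space, ...).
CANDIDATE = re.compile(r"\d+(?:[^0-9A-Za-z]\d+)*")

def semantic_detects(text):
    """True if a whole digit run is a 16-digit, Luhn-valid number starting 4."""
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if len(digits) == 16 and digits.startswith("4") and luhn_ok(digits):
            return True
    return False

def classify(value):
    """(signature result, content-check result) for one sample value."""
    line = f"memo: {value} end"          # constructed surrounding text
    return signature_detects(line), semantic_detects(line)

# Sample values taken from the slide.
SAMPLES = [
    "4254361480110015",                  # the valid card number
    "4254361480110016",                  # invalid checksum
    "4254-3614-8011-0015-1234-5678",     # 24 digits, not a card number
    "4254_3614_8011_0015",               # valid number, unlisted separator
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, classify(s))
```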

Example of False-Positive and Misdetection (4/4) Signature Sample of Buffer Overflow Attack Attempt If the Buffer Overflow Attack is modified like abcdabcd abcd, the regular expression cannot detect it. Signature is made to cope with some scanners and robots. So, it leads to many misdetection. Limitation It is very difficult to express an infinite number of cases as one pattern. To add many single patterns gives additional system load to web application firewall. Signature Signature Name part="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa Buffer Overflow Attack Attempt aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaa" part="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Buffer Overflow Attack Attempt 1 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA" part="bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB Buffer Overflow Attack Attempt 2 BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB" part="cccccccccccccccccccccccccccccccccccccccccc CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC Buffer Overflow Attack Attempt 3 CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCC" part="ddddddddddddddddddddddddddddddddddddd DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD Buffer Overflow Attack Attempt 4 DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD" part="eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE Buffer Overflow Attack Attempt 5 EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE EEEEEEEEEEEEEEEEEEEEEEEEE"

Detection Engine's Advantages
Advantages of the evaluation mechanisms
- Heuristic Analysis enables proactive detection of unknown attacks by using multi-criteria analysis and testing and verification processes. By adopting Heuristic Analysis, WAPPLES minimizes false negatives.
- Semantic Analysis enables detection of modified attacks with a low possibility of false positives by using application-layer parsers to verify protocol and syntax.
WAPPLES Advantages
- Higher Security: Extremely low possibility of false positives. Accurate detection of modified attacks.
- Higher Performance: No additional system load such as inputting new patterns. Generally, more than five thousand (5K) patterns lead to low system performance. No difference in performance between test and production environments.
- Ease of Use and Less Maintenance: Extremely low management support by the administrator and low operation cost. Does not need a signature update service.

Cloud Computing Definition
Cloud computing is Web-based processing, whereby shared resources, software, and information are provided to computers and other devices (such as smartphones) on demand over the Internet. (Wikipedia)
- Heterogeneous devices
- Diverse services
- Standardized communication protocol: HTTP
- Device-independent interface: web browser

Cloud Computing
Cloud Computing Security Is A No. 1 Issue
Cloud computing issues: Security. There are lots of issues related to newly rising cloud computing: performance, availability, integration, etc. Despite the existence of many issues, the security sector is the most highlighted one.
Chart: The challenges/issues ascribed to the cloud/on-demand model (Source: IDC Enterprise Panel, August 2008)
- Security: 74.6%
- Performance: 63.1%
- Availability: 63.1%
- Hard to integrate with in-house IT: 61.1%
- Not enough ability to customize: 55.8%

Virtual WAPPLES
Must-have for Trend: Cloud Computing Security
Web-based cloud computing
- All businesses (services) based on cloud computing are provided via the web, whether in the form of IaaS, PaaS, or SaaS.
- The service that satisfies the essential characteristics of cloud computing is the web (Visual Model of NIST Working Definition).
- The web is the most appropriate and optimized interface to provide cloud computing services.
It's Web! Cloud Computing Security is Web Application Security
- Since cloud computing is web-based, its security issues have a lot in common with web application security.

WAPPLES for Cloud



Penta Security Systems - Products
Diagram labels: User, Web Server, DB; Web Application Security.
- Web-based Security: Application Development Toolkit (Data Encryption, Transaction Protection, Entity Authentication, Single Sign On)
- Web Application Security: Web Application Firewall, Security-as-a-Service (Prevent Web Attacks, Privacy Protection)
- Cloud
- DBMS Security: Integrated DBMS Encryption Solution (Data Encryption, Access Control & Audit)

Thank you Korea(Headquarter) www.pentasecurity.com 20Fl. Hanjin Shipping Bldg., 25-11 Yoido-Dong, Youngdeungpo-Gu, Seoul, Korea Tel: 82-2-780-7728 Fax: 82-2-786-5281 Japan(Branch) www.pentasecurity.co.jp Ascend Akasaka Bldg., 3F. 3-2-8 Akasaka, Minato-ku, Tokyo 107-0052 Japan Tel: 81-3-5573-8191 Fax: 81-3-5573-8193 Copyright 1997-2011 PentaSecurity Systems, Inc. All rights reserved