
Study Guide for NSE 1: Application Security 2016

February 1, 2016

This Study Guide is designed to provide information for the Fortinet Network Security Expert Program – Level 1 curriculum. The study guide presents discussions on concepts and equipment necessary as a foundational understanding for modern network security prior to taking more advanced and focused NSE program levels.

Fortinet Network Security Solutions

Contents
Figures
Tables
Application Security
    Application Challenges to Meeting User Needs
    Application Layers: The OSI Model
Application Vulnerabilities
    OWASP
    Distributed Denial of Service (DDoS)
Application Security Solutions
    Application Delivery Controllers (ADC)
    Application Delivery Network (ADN)
    ADC: Solutions and Benefits Part I
Web Application Firewall (WAF) Characteristics
    Heuristics
    WAFs and PCI DSS Compliance
    ADC: Solutions and Benefits Part II
Summary
Key Acronyms
Glossary
References


Figures
Figure 1. DDoS architecture.
Figure 2. SYN Flood DDoS attack.
Figure 3. ICMP Flood DDoS attack.
Figure 4. Zombie DDoS attack.
Figure 5. Application Delivery Controller (ADC).
Figure 6. Typical Application Delivery Network (ADN) infrastructure.
Figure 7. Intelligent Load Balancing.
Figure 8. SSL offloading and HTTP compression.
Figure 9. Web Application Firewall (WAF).
Figure 10. Global Server Load Balancing (GSLB).
Figure 11. Server ID masking with ADC.


Tables
Table 1. Comparative models for layers and protocols.
Table 2. Translation of ISO/OSI layers to TCP/IP model.
Table 3. Function of network layers in OSI model.
Table 4. OWASP top 10 2010 vs. 2013 comparison.
Table 5. Web Application Firewall (WAF) application-level security measures.
Table 6. Payment Card Industry Data Security Standards (PCI DSS).


Application Security
Because threats are constantly evolving, network security technologies and methods must evolve also.
One of the most important points about application security is that threats—including such evils as Bots,
Ransomware, Advanced Persistent Threats (APT), Viruses, and Spam, to name some recent prevalent
threats—have a heavy content component and are not focused only on the physical and data link layers. In this
context, content refers to analysis of packet payloads and how they are transported, in particular layers 3 to
7 of the OSI Model (Table 1) [1].

Table 1. Comparative models for layers and protocols.

Because of the focus of these threats on the application content component and transport rather than
link and physical components, firewalls designed to protect, load balance, and accelerate content
between web servers are necessary. This type of appliance is the Web Application Firewall (WAF),
designed to provide protection for web applications and related database content [2]. In order to
understand better the type of threats that the WAF faces in protecting networks, an examination of the
vulnerable areas targeted by application threats provides the necessary context.

Application Challenges to Meeting User Needs


With increased reliance of businesses on cloud-based applications, focus on the vulnerabilities of web-
based applications is essential to system and network security. These applications reside deep in layer 7
of the OSI Model, which will be discussed further in this module, but remain vulnerable to targeted
attacks. Of these attacks, Denial of Service (DoS)—or more importantly, Distributed Denial of Service
(DDoS)—attacks designed to inhibit use of such applications have evolved as technology evolved,
becoming much more sophisticated than early hacker methods.

The mobility of modern business, combined with distributed enterprise networking, demands VPNs with
secure access to resources. SSL VPNs establish connectivity at L4 & L5; information is encapsulated at L6
& L7. So these VPNs, and other forms of remote access to network resources, function in the top tiers
of the OSI Model, known as the Application Layers when translated into the broader TCP/IP Model.

Table 2. Translation of ISO/OSI layers to TCP/IP model.

Secure Socket Layer (SSL) traffic poses a challenge because legacy servers and load balancers cannot
manage the increased loads caused by increased SSL traffic, which requires decryption, scanning, and re-encryption in
order to detect potentially malicious code attempting to sneak into the network in encrypted data
packets.

Scalability is the concept of enabling a system, network, or application to handle a growing volume of
work in an efficient manner or, if necessary, to be enlarged to accommodate growth. Scalability may be
accomplished through the use of hardware, software, or a combination of both, in order to improve
availability and reliability by:

• Managing data flow and workload across multiple servers to increase capacity
• Improving application response times through either hardware upgrades or software solutions
• Reducing costs by optimizing resources through improved allocation
• Allocating data across multiple data centers to facilitate redundancy and recovery

Application Layers: The OSI Model


The Open Systems Interconnection (OSI) model defines computer networks by functional levels. As the
level increases, so does the complexity and critical nature of the data contained therein. A
description of the OSI layers and their functions appears in Table 3.

Table 3. Function of network layers in OSI model.

Applications are what allow users to accomplish tasks using computer systems and networks without
having to learn programming languages and write their own code. Common applications include
word processing, spreadsheet, and graphics design programs, email applications, games, and media, and
may apply across platforms from wired desktop systems to smartphones and myriad others. Many of
these applications are now web-based, as discussed in the Module 1 section on Application Services
such as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).

Application Vulnerabilities
Because threats are constantly evolving, network security technologies and methods must evolve also.
An important point about modern and emerging threats is that they have a heavy content component
focused beyond the physical and data link layers (L1 & L2). These content-focused threats include such
current challenges as:

• Bots
• Ransomware
• Advanced Persistent Threats (APT)
• Viruses
• Spam
• …and others…

In this context, “content” refers to analysis of packet payloads and how they are transported, particularly
focusing on layers 3, 4, & 7 of the OSI Model.

Widespread use of applications provides commonality between business users and private consumers,
making application threats a problem with the potential for repeated instances if such a threat infects
the systems of multiple private users who interface with organizational networks. This may occur from
innocuous sources such as customers, clients, or those using a BYOD model who fail to perform
regular security screenings on their equipment. It may also occur as a dedicated effort to adversely
affect the success of the organization by an outside competitor, malcontent, or hacker.

OWASP
Fortunately, a global project exists that assists application developers and system/network security
administrators in identifying and understanding the prevalent and emerging application security threats.
This project is the Open Web Application Security Project (OWASP) and is also supported by an OWASP
Foundation in the United States.

OWASP is an open community dedicated to enabling organizations to conceive, develop,
acquire, operate, and maintain applications that can be trusted. All of the OWASP tools,
documents, forums, and chapters are free and open to anyone interested in improving
application security… Our freedom from commercial pressures allows us to provide
unbiased, practical, cost-effective information about application security. OWASP is not
affiliated with any technology company, although we support the informed use of
commercial security technology. [3]

One of the primary studies accomplished by OWASP is cataloging and ranking of the most prevalent
threats in web applications. A comparative analysis between the 2010 and 2013 findings appears in
Table 4.

Table 4. OWASP top 10 2010 vs. 2013 comparison.

Over the prior four years, OWASP found consistency among the top four application threats to system
and network security:

• SQL Injection
• Cross-site Scripting (XSS)
• Broken Authentication & Session Management
• Insecure Direct Object References
Of note, the OWASP analysis also provides information on which threats have increased and declined,
indicating trends that may assist security administrators in determining the most effective system and
network configurations.

SQL Injection. Insertion or injection of an SQL query via input data from the client to the application.
This type of attack may allow attackers to spoof identities, tamper with or delete data, change or void
transactions of various types, enable complete disclosure of the system’s database—or destroy it or
make it unavailable—or even become a new database server administrator. It is common with PHP and ASP
applications and less likely with J2EE and ASP.NET applications. Severity depends on the attacker’s creativity
and computer skills, but the attack has the potential to be devastating. SQL Injection is a high impact threat.
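To make the mechanism concrete, the following added example (not from the study guide) shows the same user lookup written twice against a constructed in-memory SQLite table: once by concatenating client input into the query text, and once with a bound parameter, which is the standard defence. The table, its rows and the crafted input value are all constructed for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for the application's user table.
SAMPLE_USERS = [
    (1, "alice", "alice@example.test", "user"),
    (2, "bob", "bob@example.test", "user"),
    (3, "carol", "carol@example.test", "admin"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, role TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: client input is pasted straight into the query text.

    The input becomes part of the SQL grammar, so a value containing a quote
    can change the query from "find this user" into "return every user".
    """
    query = f"SELECT id, name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the same lookup with a bound parameter.

    The driver passes the input as data, never as SQL, so the identical
    crafted value is simply compared against the name column and matches
    nothing.
    """
    query = "SELECT id, name, role FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def demo() -> dict:
    """Run both lookups with a benign and a crafted value; return row counts."""
    conn = make_db()
    benign = "alice"
    # Constructed input: closes the string literal and appends an always-true clause.
    crafted = "x' OR '1'='1"
    return {
        "vulnerable_benign": len(lookup_vulnerable(conn, benign)),
        "vulnerable_crafted": len(lookup_vulnerable(conn, crafted)),
        "parameterized_benign": len(lookup_parameterized(conn, benign)),
        "parameterized_crafted": len(lookup_parameterized(conn, crafted)),
    }


if __name__ == "__main__":
    for label, count in demo().items():
        print(f"{label}: {count} row(s)")
```

The vulnerable lookup returns the whole table for the crafted value while the parameterized one returns nothing, which is exactly the "complete disclosure of the system's database" outcome the text describes and the reason a WAF looks for such input patterns in addition to the fix at the code level.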

Cross-site Scripting (XSS). Also referred to as XSS Injection, malicious scripts are injected into otherwise
benign and trusted web sites, generally used in the form of browser side scripts to be transmitted to end
users. Because the end user’s browser regards the site as trusted, it will execute the script, allowing
access to any cookies, session tokens, or other information retained by the browser and used with the
site. Some of these scripts are even capable of rewriting content on HTML pages.

Broken Authentication & Session Management. This area includes all aspects of user authentication
and active session management. Even robust authentication protocols may be undermined by
flawed credential management functions, such as password changing, “forgot my password” and
“remember my password” options, account update options, and other functions. The issue is complicated
by the fact that many developers prefer to create their own session tokens. These tokens may
not be properly protected, depending on the skill of the creator; steps may not be in place to protect
them throughout the application’s life cycle; and if they are not protected with SSL and against other flaws (such
as XSS), an attacker may hijack the user’s session and assume the user’s identity.

Insecure Direct Object References. When an application provides direct access to objects based on
user-supplied input, attackers may bypass authorization and access resources in the system directly.
These resources may include valuable data such as databases and organizational files, or any other type
of information stored on the system. By modifying the parameter values that point directly to objects,
an attacker bypasses authorization and gains access to those resources: the application simply takes the
supplied input and uses it to retrieve data as though the attacker were the authorized user.

Individual, targeted attacks are often manageable and, in many cases, traceable. These attacks aim
increasingly at denying outside users the use of a network, which is known as Denial of Service (DoS). However,
with the continued evolution of networking for both productive purposes and malicious intentions,
the prospect of coordinated network attacks from multiple sources presents an even more critical
challenge for continued secure and uninterrupted network operations. These simultaneous, coordinated
attacks target a network from a number of outside systems and are referred to as a Distributed Denial of Service
(DDoS), which is addressed in the following section.

Distributed Denial of Service (DDoS)
A malicious act designed to deny a legitimate user access to a system, network, application, or information
is called Denial-of-Service (DoS). In a Distributed Denial-of-Service (DDoS) attack, the malicious act
originates from a large number of systems. DDoS attacks are most often launched from a single system that uses a
large remote network to actually conduct the attack [4]. A basic DDoS method is called the Smurf Attack,
in which the hacker sends a ping packet to a large network while spoofing the target system’s address as the
source in order to overload the target system. A more sophisticated DDoS method is the Low-Orbit Ion Cannon
(LOIC), which lets hackers volunteer their own systems temporarily as slaves in a DDoS attack run by others.
A more detailed discussion of DDoS attacks follows the notional DDoS architecture
illustration in Figure 1.

Referring back to the classifications illustrated in Table 3, attacks on the content
components of systems and networks focus on ISO/OSI Model layers 3, 4, and 7 application services.
Although layers 3, 4, and 7 are all at risk from DDoS attacks, an attack against layer 7 is often detected
through its effect on the associated port at layer 4, because the attack uses that port as the way to sneak undetected into
layer 7 and accomplish its malicious task. As an analogy, one may think of the attack on layer 7 riding
into layer 4 like a signal on a carrier wave. As a result, most recommended parameter adjustments
focus on layers 3 and 4, while the events to watch include a broader range of indicators.

Figure 1. DDoS architecture.

DDoS attacks have a wide range of methods, from simple to complex, from a single hacker using a single
system to a network of hackers coordinating multiple systems. Common types of DDoS attacks include
the SYN flood, ICMP flood, and Zombie attack. In each case, the DDoS relies on overloading network
capability to process seemingly valid traffic, resulting in denial of service. These attacks are referred to
as volumetric attacks because of their focus on overloading the network in order to deny service.


SYN Flood. This attack consists of an excessive number of packets directed to a specific TCP port. In most
cases, the source address is spoofed (Figure 2).

Figure 2. SYN Flood DDoS attack.

ICMP Flood. This attack results from an excessive number of ICMP packets targeting the network (Figure 3).

Figure 3. ICMP Flood DDoS attack.


Zombie Attack. This attack results when too many legitimate IP sources send valid TCP packets to the
network (Figure 4).

Figure 4. Zombie DDoS attack.

The common thread in each of these DDoS attacks is the flooding of the network with seemingly valid
inputs in a way that slows, stalls, or shuts down the network’s ability to operate. For each of these
attacks, threshold monitoring and adjustments for layer 3 and 4 protocols, ports, and SYN rates may allow
network administrators to detect and counter DDoS efforts against layers 3, 4, and 7 and keep the
network from extended down times.

Even with the global trend toward increasing IPv6 traffic, DDoS attacks above the 50 Mbps benchmark
are rare. South Korea’s average network speed leads the world with 24.6 Mbps, with Hong Kong a
distant second at 15.7 Mbps. The US ranks 14th at 11.4 Mbps. As the shift from IPv4 to IPv6 traffic moves
forward, the incidences of DDoS attacks appear to be inversely proportional to IPv6 network growth [5].
This may be an indicator that average network speeds available through IPv6 are making the cost and
coordination of DDoS more difficult—or prohibitively costly, in some cases.

Application Security Solutions


The Next Generation Firewall (NGFW) [Module 2] and Unified Threat Management (UTM) [Module 3]
brought enhanced capabilities to network security.

An important tool in protecting the network is the Intrusion Prevention System (IPS), which looks beyond
port and protocol to examine the signature—the actual content—of network traffic to identify and stop
threats. FortiGate NGFW and UTM appliances, using enhanced capabilities such as Advanced Threat
Protection (ATP), protect the L3 & L4 regions of the network against DDoS attacks by combining
hardware and programmable software solutions to target modern and emerging threats. In addition to
protection against L3 & L4 threats, the enhanced NGFW and UTM capabilities also include L4 routing
and load balancing to increase the efficiency and availability of application traffic in the network.

Beyond NGFW and UTM as stand-alone capabilities, using these appliances in concert with other
network security capabilities presents additional end-to-end protection that is both scalable and future-
ready. The capabilities discussed in the following sections add critical security solutions to protect
against DDoS attacks and protect L3, L4, and L7 functions.

Application Delivery Controllers (ADC)


Application Delivery Controllers (ADC) are network devices that manage client interfaces to complex
Web and enterprise applications—beyond the scope of SMB and home office applications. An ADC
functions primarily as a server load balancer, optimizing end-user system performance and
reliability through increased Gbps of L4 throughput, accessibility to data center resources, and enterprise
application security. ADCs are deployed in data centers, strategically placed behind the
firewall and in front of the application server(s), acting as the point of control for application security and
providing authentication, authorization, and accounting (AAA) [6].

Figure 5. Application Delivery Controller (ADC).

The ADC is part of a larger process that makes applications available, responsive, and secure for users.
This end-to-end model is called the Application Delivery Network (ADN), consisting of an application
delivery controller, firewall, and link load balancer. Figure 6 illustrates a typical ADN infrastructure.

Application Delivery Network (ADN)
The ADN is divided into three elements—a server side, security, and an outer perimeter. Each of these
elements performs functions that enable user access to applications (Figure 6):

Figure 6. Typical Application Delivery Network (ADN) infrastructure.

Server Side. When applications outgrow a single server, an ADC manages multiple servers to enable
applications beyond a single server—essentially creating a single virtual server. Once the ADC selects the
best server for the application, the ADC uses Connection Persistence to maintain a connection back to
the original server where the transaction began. The ADC routes traffic to the best available server
based on configurable rules, as well as providing options to offload encrypted traffic and conduct HTTP
compression for bandwidth reduction. SSL offloading does not protect against DDoS attacks; however,
the ADC may reduce the need for additional servers by as much as 25%.

Security Core. This element is where the tools and services to defend applications from threats reside.
Capabilities include a strong firewall, VPN, AV/antimalware scanning, and other security features, which
may include NGFW with IPS and deep packet scanning, application control, and user access policies to
enhance protection.

Outer Perimeter. Basic Link Load Balancing (LLB) manages bandwidth and redundancy using multiple
WAN links. If application use includes multiple data center access for operations such as disaster
recovery, Global Server Load Balancing (GSLB) uses a DNS-based resolution platform to route traffic
between multiple data centers, allowing either automatic or programmable data center routing based
on infrastructure performance needs.

ADC: Solutions and Benefits Part I
An advanced, modern ADC provides enhanced capabilities that provide both security and efficiency to
networks. The capabilities brought by ADCs to the Server Side of the ADN include:

Server Load Balancing. The ADC allows the use of software-based intelligent load balancing to enhance
performance over hardware-based simple load balancing. This not only provides a path to open server
capability, but also matches the best server for the incoming traffic based on programmed policies and
application-layer knowledge that supports business requirements (Figure 7).

Benefits. Because the ADC conducts continuous health checks of network servers, only routes
traffic to online devices, and routes to the best performing devices using intelligent load
balancing capability, Server Load Balancing provides a 25% increase in capacity and reduces
server hardware requirements by 25% over traditional DNS round-robin configurations.

Figure 7. Intelligent Load Balancing.

L7 Content Routing. By designating different servers for different types of data functions, the ADC may
be configured to route traffic to the server(s) best configured to process applications based on their
specific needs (Figure 7).

Benefits. By using L7 content routing, the ADC can optimize data center resources while
protecting the network and applications from security threats.

Connection Persistence. This capability is critical to transaction-based applications. For example, if you
begin a transaction, add an item to your virtual shopping cart, and are then load balanced to a different
server for checkout without a persistent connection back to the original server, your cart will be empty
at checkout. The ADC uses session state with HTTP headers and cookies to ensure that users and servers
remain persistent throughout the transaction.

Benefits. By maintaining a persistent connection to the original server that started the
transaction, the transaction may be completed without loss of data or loss of connection.
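The Server Load Balancing and Connection Persistence behaviour described above, as an added example that is not the study guide's or any Fortinet product's code: a minimal ADC model that routes only to health-checked backends, prefers the least-loaded one, and issues a signed persistence cookie so that a client returns to the server holding its transaction. The backend names, latencies, cookie name and HMAC signing scheme are assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Backend:
    """One real server behind the ADC's single virtual server (assumed model)."""
    name: str
    latency_ms: float
    healthy: bool = True
    active_connections: int = 0


@dataclass
class Adc:
    backends: list
    cookie_name: str = "ADC_SRV"  # assumed persistence cookie name
    # Assumed: the ADC signs the cookie so a client cannot forge one to steer
    # itself onto an arbitrary backend.
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))

    def apply_health_checks(self, probe_results: dict) -> None:
        """Record the latest health-check results ({backend name: is_up})."""
        for b in self.backends:
            if b.name in probe_results:
                b.healthy = probe_results[b.name]

    def _select(self) -> Optional[Backend]:
        """Intelligent load balancing: only healthy backends, fewest active
        connections first, lowest measured latency as the tie-breaker."""
        live = [b for b in self.backends if b.healthy]
        if not live:
            return None
        return min(live, key=lambda b: (b.active_connections, b.latency_ms))

    def _sign(self, name: str) -> str:
        mac = hmac.new(self.secret, name.encode(), hashlib.sha256).hexdigest()[:16]
        return f"{name}.{mac}"

    def _verify(self, cookie: str) -> Optional[str]:
        """Return the backend named in a valid cookie, or None if absent or forged."""
        name, sep, mac = cookie.rpartition(".")
        if not sep:
            return None
        expected = self._sign(name).rpartition(".")[2]
        return name if hmac.compare_digest(mac, expected) else None

    def route(self, request_cookies: dict) -> tuple:
        """Pick the backend for one request. Returns (backend name, Set-Cookie
        value or None). A valid cookie naming a healthy backend wins
        (Connection Persistence); otherwise load-balance and issue a cookie."""
        wanted = self._verify(request_cookies.get(self.cookie_name, ""))
        if wanted is not None:
            for b in self.backends:
                if b.name == wanted and b.healthy:
                    b.active_connections += 1
                    return b.name, None
        chosen = self._select()
        if chosen is None:
            raise RuntimeError("no healthy backends")
        chosen.active_connections += 1
        return chosen.name, self._sign(chosen.name)


def demo() -> dict:
    """Walk a shopping-cart style session through the ADC (constructed scenario)."""
    adc = Adc([Backend("web-1", 12.0), Backend("web-2", 8.0), Backend("web-3", 20.0)])
    routes, issued = [], []

    def step(cookies):
        name, cookie = adc.route(cookies)
        routes.append(name)
        issued.append(cookie is not None)
        return cookie

    cookie = step({})                                   # first request: lowest latency wins
    step({adc.cookie_name: cookie})                     # same cart, same server
    step({adc.cookie_name: "web-3.0000deadbeef0000"})   # forged cookie is ignored
    adc.apply_health_checks({"web-2": False})           # web-2 fails its health check
    step({adc.cookie_name: cookie})                     # persistence yields to health
    return {"routes": routes, "cookie_issued": issued}


if __name__ == "__main__":
    print(demo())
```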

SSL Offloading/Acceleration. SSL traffic may overload servers, reducing capacity to a range in the
hundreds of transactions per second (TPS). By offloading and accelerating SSL encryption, decryption, and certificate management
from servers, the ADC enables web and application servers to focus CPU and memory resources on
delivering application content, responding more quickly to user requests. This offloading boosts capacity up
to tens of thousands of TPS, pushes HTTPS to servers, and HTTPS to users (Figure 8).

Benefits. SSL offloading and acceleration provides a 100X increase in traffic flow, reducing the
need for additional servers in order to accommodate data volume.

Figure 8. SSL offloading and HTTP compression.

HTTP Compression. As the number of network users grows, application programming becomes more
complex, and data sets become larger, one of the resulting challenges is concern over bandwidth
limitations. One way that an ADC reduces bandwidth constraints is HTTP compression, which
removes non-essential data from the traffic traversing network links from servers to user web browsers (Figure 8).

Benefits. By reducing bandwidth demands, HTTP compression creates increased throughput
capability, increasing data flow efficiency to the user.

In addition to the ADC, the ADN includes a firewall component that provides security for traffic flowing
between the server side and the outer perimeter. In a content-focused, application-level environment,
this function is accomplished by the Web Application Firewall (WAF).

Web Application Firewall (WAF) Characteristics


Essential for businesses that host web-based applications, Web Application Firewalls (WAFs) deployed in
the data center provide protection, load balancing, and content acceleration to and from web servers.
The primary use of WAFs is to protect web-based applications from attacks that attempt to exploit
vulnerabilities (Figure 9). They protect web applications and associated database content through WAF vulnerability
scanning, mitigating prevalent threats such as cross-site scripting (XSS), buffer overflows, denial of
service (DoS), SQL injection, and cookie poisoning, and focusing on the OWASP Top 10 web
application vulnerabilities [2].

Figure 9. Web Application Firewall (WAF).

The question may be asked why the NGFW or IPS cannot mitigate these threats. As discussed in Modules
2 and 3, IPS signatures only detect known problems, may produce false positives, do not protect against
threats embedded in SSL traffic, and have no application or user awareness. Basic firewalls look for
network-based attacks, not application-based attacks. For these reasons, the Web Application
Firewall (WAF) adds critical protections to the network security arsenal (Table 5).

Table 5. Web Application Firewall (WAF) application-level security measures.

Heuristics
One of the key features that enables WAFs to counter DDoS threats is heuristic—or behavior-based—
analysis. Behavior-based DDoS protection measures, however, require different mitigating parameters
than content-based protections. Some of these protection measures include configuring systems to
identify potential threats based on source volume (intent vs. content), ping rates (hardcoded vs.
custom), packet dimensions (coarse vs. granular), and trend-matching (fixed vs. adaptive). When using
these behavior-based DDoS protection measures—focusing on traffic characteristics rather than
content—policies do not require threat signature updates like content-based measures do.
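As an added example (not from the study guide) of the two approaches just contrasted, the following code runs a fixed L3/L4 threshold (SYNs per destination port and ICMP packets per window, matching the SYN and ICMP floods described in the DDoS section) and an adaptive, behaviour-based volume baseline over a constructed packet trace. The Packet record layout, the traffic values, the thresholds and the smoothing factor are all assumptions for the demonstration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal L3/L4 view of one packet (assumed record layout)."""
    ts: float          # arrival time in seconds
    src: str           # source IP address
    dst_port: int      # destination port (0 for ICMP)
    proto: str         # "tcp" or "icmp"
    syn: bool = False  # TCP SYN without ACK, i.e. a new-connection attempt


def bucket(packets, window=1.0):
    """Group packets into consecutive windows of `window` seconds."""
    buckets = defaultdict(list)
    for p in packets:
        buckets[int(p.ts // window)].append(p)
    return buckets


def fixed_threshold_alerts(packets, window=1.0, syn_threshold=50, icmp_threshold=100):
    """Content-independent L4 checks with hardcoded limits: per window, count
    TCP SYNs per destination port (SYN flood) and ICMP packets overall (ICMP
    flood). Returns (kind, window, port, count) tuples."""
    alerts = []
    for w, pkts in sorted(bucket(packets, window).items()):
        per_port = Counter(p.dst_port for p in pkts if p.proto == "tcp" and p.syn)
        for port, n in sorted(per_port.items()):
            if n > syn_threshold:
                alerts.append(("syn_flood", w, port, n))
        icmp = sum(1 for p in pkts if p.proto == "icmp")
        if icmp > icmp_threshold:
            alerts.append(("icmp_flood", w, 0, icmp))
    return alerts


def adaptive_volume_alerts(packets, window=1.0, alpha=0.3, factor=4.0, warmup=3):
    """Behaviour-based check: compare each window's packet volume with an
    exponentially weighted moving average of earlier windows, so the baseline
    learns the normal rate instead of relying on a fixed value.
    Returns (window, count, baseline, distinct_sources); the distinct-source
    count separates one noisy host from a distributed or spoofed flood."""
    buckets = bucket(packets, window)
    if not buckets:
        return []
    first, last = min(buckets), max(buckets)
    baseline = None
    alerts = []
    for w in range(first, last + 1):
        pkts = buckets.get(w, [])
        count = len(pkts)
        if baseline is None:
            baseline = float(count)      # seed the baseline from the first window
            continue
        if w - first >= warmup and count > factor * baseline:
            alerts.append((w, count, round(baseline, 1), len({p.src for p in pkts})))
            continue                     # an anomaly must not raise the baseline
        baseline = alpha * count + (1 - alpha) * baseline
    return alerts


def constructed_traffic():
    """Constructed trace: 5 s of normal traffic (10 clients, 2 SYNs/s each to
    port 443), a spoofed 200-packet SYN flood in second 5 and a 150-packet
    ICMP flood from a single host in second 7."""
    pkts = []
    for sec in range(5):
        for c in range(10):
            for k in range(2):
                pkts.append(Packet(sec + k * 0.4, f"192.0.2.{c + 1}", 443, "tcp", True))
    for i in range(200):
        pkts.append(Packet(5 + i / 200, f"203.0.113.{i % 250 + 1}", 443, "tcp", True))
    for i in range(150):
        pkts.append(Packet(7 + i / 150, "198.51.100.9", 0, "icmp"))
    return pkts


if __name__ == "__main__":
    trace = constructed_traffic()
    print("fixed:", fixed_threshold_alerts(trace))
    print("adaptive:", adaptive_volume_alerts(trace))
```

Both detectors flag the same two windows, but the adaptive one does so without any tuned limit, and its distinct-source count shows the SYN flood coming from 200 addresses versus the ICMP flood from one, which is the kind of behavioural indicator the text means by source volume and trend matching.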

WAFs and PCI DSS Compliance


In the increasingly technology-driven and mobile lifestyle of the 21st Century, the ability to provide
secure data transactions is not limited to considerations of data and program corruption, throughput
limitations, or network operational parameters in the strict sense of providing digital pathways and
storage. Additional considerations regarding Personally Identifiable Information (PII), credit security, and
other personal account and data safety are regulated from outside the technology sector. The Payment Card
Industry Data Security Standards (PCI DSS) set requirements for security practices that apply to any
vendors or organizations that process, store, or transmit cardholder data. Regulated also by government
agencies and enforced with fines of up to $10,000 per breach, the PCI DSS program is a necessary
consideration for most of the technology industry.

PCI Data Security Standard consists of 12 requirements covering 6 common sense goals that reflect
security best practices. Table 6 depicts the current standards for PCI data security compliance [7]. Of the
6 goals listed, goal number 3 most closely influences the ability of the network to maintain secure
operations and effective monitoring against DDoS and other malicious threats to network security. Of
course, all appliances, software, policy and processes within control of the network administrator should
be regularly monitored and updated against modern, advanced, and emerging complex threats.

Table 6: Payment Card Industry Data Security Standards (PCI DSS).

ADC: Solutions and Benefits Part II


While the modern ADC enhances the server side of the ADN, it also provides capabilities at the outer
perimeter of the ADN, which include:

Disaster Recovery. This capability of the ADC provides redundancy while scaling applications across
multiple data centers. It is a DNS-based function: Global Server Load Balancing (GSLB) answers name
queries with the address of the data center chosen by configurable business rules (health, load, client
location), and automatically switches its answers to a surviving data center when a data center or
connectivity link becomes unavailable (Figure 10).

Benefits. Disaster recovery and GSLB provide important availability capabilities. Automatic
switching lets the application survive a data center or transmission link outage while users
continue to reach a working site; because the choice is made intelligently, users are rerouted to
the next best data center for their needs and the process is seamless to the end user. Note that
GSLB only redirects traffic: keeping application data consistent between sites is a separate
replication problem, and the DNS time-to-live (TTL) on GSLB answers bounds how quickly clients
learn about a switch.


Figure 10. Global Server Load Balancing (GSLB).

Mask Server IPs. Part of keeping individual servers secure is preventing unauthorized users from
reaching, or even identifying, them. One method is to publish a single virtual IP address on the ADC and
rewrite content that would otherwise identify a backend (response headers, redirect locations, cookies,
and embedded addresses) before data is transmitted outside the internal network (Figure 11).

Benefits. With individual server addresses hidden behind the address of the ADC that routes
traffic to them, all data flows through the ADC, reducing the chance that an external threat
reaches an individual server without passing through the network's security inspections. It also
denies an attacker the reconnaissance value of server software versions and internal addressing.
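The rewriting step described above, as an added example that is not part of the original study guide and not Fortinet's implementation. The public origin, the backend addresses, the header list, and the sample response are all constructed for illustration; a production ADC would do the same work on the wire, with compiled rules rather than Python.

```python
import re
from typing import List, Tuple

# Assumed topology for this example (constructed values): the ADC publishes
# one origin and forwards to private backends that must never be exposed.
PUBLIC_ORIGIN = "https://www.example.com"
BACKEND_ORIGINS = [
    "http://10.0.1.11:8080",
    "http://10.0.1.12:8080",
    "http://10.0.1.13:8080",
]

# Response headers that reveal which server or software stack answered.
IDENTIFYING_HEADERS = {
    "server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version",
    "x-backend-server", "x-served-by",
}
# Headers whose values may carry an absolute URL pointing at a backend.
URL_HEADERS = {"location", "content-location", "link"}

_backend_re = re.compile("|".join(re.escape(o) for o in BACKEND_ORIGINS))


def mask_response_headers(headers: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Rewrite a backend's response headers so the client only ever sees the
    ADC's public identity. Header order is preserved except for the single
    generic Server header appended at the end."""
    out: List[Tuple[str, str]] = []
    for name, value in headers:
        key = name.lower()
        if key in IDENTIFYING_HEADERS:
            continue                      # drop software/version fingerprints
        if key in URL_HEADERS:
            value = _backend_re.sub(PUBLIC_ORIGIN, value)   # fix internal redirects
        if key == "set-cookie":
            # A Domain attribute naming a backend both leaks it and makes the
            # browser reject the cookie; a host-only cookie is what we want.
            value = re.sub(r";\s*Domain=[^;]+", "", value, flags=re.IGNORECASE)
        out.append((name, value))
    out.append(("Server", "ADC"))         # one deliberately generic identity
    return out


def mask_response_body(body: str, content_type: str) -> str:
    """Rewrite backend origins embedded in text-like bodies (links, API
    responses); binary bodies are passed through untouched."""
    media_type = content_type.split(";")[0].strip().lower()
    if media_type in {"text/html", "text/plain", "application/json"}:
        return _backend_re.sub(PUBLIC_ORIGIN, body)
    return body


if __name__ == "__main__":
    # Constructed backend response, as a real server might emit it.
    sample = [
        ("Server", "Apache/2.4.7 (Ubuntu)"),
        ("X-Powered-By", "PHP/5.5.9"),
        ("Location", "http://10.0.1.12:8080/account/login"),
        ("Set-Cookie", "sid=abc123; Domain=10.0.1.12; Path=/; HttpOnly"),
        ("Content-Type", "text/html; charset=utf-8"),
    ]
    for name, value in mask_response_headers(sample):
        print(f"{name}: {value}")
```

Rewriting the Location header matters as much as stripping the Server banner: a backend that builds redirects from its own hostname will otherwise send the client straight to an internal address, which both leaks the topology and breaks the redirect.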

Figure 11. Server ID masking with ADC.

Quality of Service (QoS). One challenge posed by the seemingly constant increase in data traffic, as
society becomes more mobile and more web- and application-enabled, is identifying and prioritizing
important traffic over routine or less important traffic. QoS is managed by configuring rules and policies
for traffic policing (dropping or marking traffic that exceeds a rate), traffic shaping (delaying it to smooth
bursts), and queuing (serving higher-priority classes first) so that the traffic most important to the
organization is prioritized above other data.

Benefits. QoS results in higher quality data flow for the most critical traffic based on
organization priorities, whether it be VoIP for sales and customer support, eCommerce
transactions, or corporate file transfers. By setting the appropriate rules and policies in the ADC,
organization and user quality of service—and efficiency and satisfaction—may be enhanced.
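The three QoS mechanisms named above, as an added example that is not part of the original study guide and not Fortinet's code: a token-bucket policer per traffic class, priority queues, and a strict-priority scheduler that sends what fits in each interval and leaves the rest queued (which is what shaping looks like from the outside). The port-to-class mapping, the rates, and the sample burst are constructed for the example; the classification key in a real ADC would be a richer match (application signature, VLAN, DSCP mark) than a destination port.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Tuple


@dataclass
class TokenBucket:
    """Token-bucket policer: `rate` bytes/s sustained, up to `burst` bytes of
    accumulated credit. A packet conforms if enough tokens are present."""
    rate: float
    burst: float
    tokens: float = field(init=False)
    last: float = 0.0

    def __post_init__(self) -> None:
        self.tokens = self.burst

    def allow(self, size: int, now: float) -> bool:
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False                      # out of profile: the policer drops it


@dataclass
class Packet:
    ts: float
    dst_port: int
    size: int


# Constructed classification policy (assumed): destination port -> class.
# Lower priority number is served first. Rates are bytes per second.
def make_policy() -> Dict[int, Tuple[str, int, TokenBucket]]:
    return {
        5060: ("voip-signaling", 0, TokenBucket(rate=50_000, burst=20_000)),
        443:  ("ecommerce",      1, TokenBucket(rate=500_000, burst=100_000)),
        21:   ("bulk-ftp",       2, TokenBucket(rate=100_000, burst=50_000)),
    }


DEFAULT_CLASS = ("best-effort", 3)


class QosScheduler:
    """Classify -> police -> queue per priority -> strict-priority dequeue."""

    def __init__(self, link_rate: float) -> None:
        self.link_rate = link_rate                        # egress bytes/s
        self.policy = make_policy()
        self.default_bucket = TokenBucket(rate=100_000, burst=20_000)
        self.queues: Dict[int, Deque[Tuple[str, Packet]]] = {}
        self.dropped: List[Tuple[str, Packet]] = []

    def enqueue(self, pkt: Packet) -> bool:
        if pkt.dst_port in self.policy:
            name, prio, bucket = self.policy[pkt.dst_port]
        else:
            name, prio = DEFAULT_CLASS
            bucket = self.default_bucket
        if not bucket.allow(pkt.size, pkt.ts):
            self.dropped.append((name, pkt))
            return False
        self.queues.setdefault(prio, deque()).append((name, pkt))
        return True

    def drain(self, interval: float) -> List[str]:
        """Send what fits in one scheduling interval, highest priority first.
        Returns class names in transmission order. Traffic that does not fit
        stays queued for the next interval, i.e. it is shaped, not dropped."""
        budget = interval * self.link_rate
        sent: List[str] = []
        for prio in sorted(self.queues):
            q = self.queues[prio]
            while q and q[0][1].size <= budget:
                name, pkt = q.popleft()
                budget -= pkt.size
                sent.append(name)
        return sent


if __name__ == "__main__":
    s = QosScheduler(link_rate=100_000)
    # Constructed burst: bulk FTP arrives first, then voice and checkout traffic.
    for _ in range(10):
        s.enqueue(Packet(0.0, 21, 1500))
    for _ in range(5):
        s.enqueue(Packet(0.0, 5060, 200))
    for _ in range(5):
        s.enqueue(Packet(0.0, 443, 1000))
    print(s.drain(0.1))   # voice and checkout go first, bulk gets the leftover
```

Even though the bulk transfer arrived first, the scheduler sends the voice signaling and eCommerce packets ahead of it, and the bulk packets that do not fit in the interval wait rather than being lost. Strict priority is the simplest discipline; production devices usually add a weighted scheme so a misbehaving high-priority class cannot starve everything below it, and the policer is what bounds that class in the first place.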

Link Load Balancing (LLB). LLB addresses bandwidth and redundancy by using multiple WAN links. A link
load balancer connects several WAN links to the network and routes inbound and outbound traffic based
on criteria such as availability, performance, or business rules (for example, preferring the lowest-cost
link). If a link fails, traffic is routed over the others so the application remains available to users.

Benefits. LLB provides redundancy to maintain application availability by rerouting traffic to
users via another available link. By selectively routing traffic over the most available and
appropriate links according to configured rules and policies, LLB optimizes bandwidth use and
reduces the bandwidth that must be purchased. Both features help improve application response
times for users.
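The GSLB disaster-recovery decision described earlier in this section and the LLB link choice described just above come down to the same shape of logic: discard candidates that failed their health check, then apply ordered business rules to the rest. The following is an added example covering both, not part of the original study guide and not Fortinet's code. The sites, links, addresses, TTL, and the specific rules (prefer a local non-saturated data center; real-time traffic takes the lowest-latency link, everything else the cheapest link with headroom) are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class DataCenter:
    name: str
    vip: str        # public address handed to clients in the DNS answer
    region: str
    healthy: bool   # latest health-check result (constructed here)
    load: float     # utilisation, 0.0 to 1.0


@dataclass
class WanLink:
    name: str
    up: bool
    latency_ms: float
    cost_per_gb: float
    utilisation: float


GSLB_TTL = 30  # seconds; kept short so clients re-query soon after a switch


def gslb_answer(client_region: str, dcs: List[DataCenter]) -> Optional[Tuple[str, int]]:
    """DNS-side decision for one query. Business rule (assumed): prefer a
    healthy, non-saturated data center in the client's region; otherwise the
    least-loaded healthy one anywhere; answer nothing only if every site is
    down. Returns (address, ttl) or None."""
    healthy = [d for d in dcs if d.healthy]
    if not healthy:
        return None
    local = [d for d in healthy if d.region == client_region and d.load < 0.8]
    chosen = min(local or healthy, key=lambda d: d.load)
    return chosen.vip, GSLB_TTL


def llb_select(links: List[WanLink], app_class: str) -> Optional[str]:
    """Outbound link choice for one flow. Business rule (assumed): real-time
    traffic takes the lowest-latency live link; everything else takes the
    cheapest live link that still has headroom. A down link is never chosen,
    which is the failover behaviour."""
    live = [l for l in links if l.up]
    if not live:
        return None
    if app_class == "realtime":
        return min(live, key=lambda l: l.latency_ms).name
    spare = [l for l in live if l.utilisation < 0.9] or live
    return min(spare, key=lambda l: (l.cost_per_gb, l.latency_ms)).name


def constructed_sites() -> List[DataCenter]:
    """Constructed inventory for the example (documentation addresses)."""
    return [
        DataCenter("us-east", "203.0.113.10", "us", True, 0.30),
        DataCenter("us-west", "203.0.113.20", "us", True, 0.50),
        DataCenter("eu-central", "203.0.113.30", "eu", True, 0.20),
    ]


def constructed_links() -> List[WanLink]:
    """Constructed WAN links for the example."""
    return [
        WanLink("mpls", True, 20.0, 5.0, 0.40),
        WanLink("broadband", True, 45.0, 0.5, 0.30),
        WanLink("lte", True, 60.0, 4.0, 0.10),
    ]


if __name__ == "__main__":
    sites = constructed_sites()
    print(gslb_answer("us", sites))          # us-east while it is healthy
    sites[0].healthy = False
    print(gslb_answer("us", sites))          # automatic switch to us-west
    links = constructed_links()
    print(llb_select(links, "realtime"), llb_select(links, "bulk"))
    links[1].up = False
    print(llb_select(links, "bulk"))         # broadband down: next cheapest live link
```

Two practical points the code makes visible: the health check is the only thing that decides whether a site or link is eligible at all, so its probe must exercise the real application path rather than just ping the address; and the TTL returned with every GSLB answer is the upper bound on how long clients keep using a dead site after a failover.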

Summary
Because applications are a primary method by which users of all types create, access, transmit, and
store data, application security is a critical concern for modern and future technology—from personal to
corporate use, handheld to mainframes, and small to multinational global scopes. Application threats
evolve along with applications and technology. Complex threats—such as Distributed Denial of Service
(DDoS) attacks—require new and robust protections and countermeasures. Developments like IPv6,
Web Application Firewalls (WAF), and use of Application Delivery Controllers (ADC) in integrated
Application Delivery Networks (ADN) provide layered defenses to protect the integrity and operability of
application functions in OSI layers 3-7. Building on these protections and those discussed in previous
modules, the final module will focus on management of security apparatus and the importance of
analytics in network management.


Key Acronyms
AAA  Authentication, Authorization, and Accounting
AD  Active Directory
ADC  Application Delivery Controller
ADN  Application Delivery Network
ADOM  Administrative Domain
AM  Antimalware
API  Application Programming Interface
APT  Advanced Persistent Threat
ASIC  Application-Specific Integrated Circuit
ASP  Active Server Pages
ATP  Advanced Threat Protection
AV  Antivirus
AV/AM  Antivirus/Antimalware
BYOD  Bring Your Own Device
CPU  Central Processing Unit
DDoS  Distributed Denial of Service
DLP  Data Leak Prevention
DNS  Domain Name System
DoS  Denial of Service
DPI  Deep Packet Inspection
DSL  Digital Subscriber Line
FTP  File Transfer Protocol
FW  Firewall
Gb  Gigabit
GbE  Gigabit Ethernet
Gbps  Gigabits per second
GSLB  Global Server Load Balancing
GUI  Graphical User Interface
HTML  Hypertext Markup Language
HTTP  Hypertext Transfer Protocol
HTTPS  Hypertext Transfer Protocol Secure
IaaS  Infrastructure as a Service
ICMP  Internet Control Message Protocol
ICSA  International Computer Security Association
ID  Identification
IDC  International Data Corporation
IDS  Intrusion Detection System
IM  Instant Messaging
IMAP  Internet Message Access Protocol
IMAPS  Internet Message Access Protocol Secure
IoT  Internet of Things
IP  Internet Protocol
IPS  Intrusion Prevention System
IPSec  Internet Protocol Security
IPTV  Internet Protocol Television
IT  Information Technology
J2EE  Java 2 Platform, Enterprise Edition
LAN  Local Area Network
LDAP  Lightweight Directory Access Protocol
LLB  Link Load Balancing
LOIC  Low Orbit Ion Cannon
MSP  Managed Service Provider
MSSP  Managed Security Service Provider
NGFW  Next Generation Firewall
NSS  NSS Labs
OSI  Open Systems Interconnection
OTS  Off the Shelf
PaaS  Platform as a Service
PC  Personal Computer
PCI DSS  Payment Card Industry Data Security Standard
PHP  PHP: Hypertext Preprocessor
PoE  Power over Ethernet
POP3  Post Office Protocol (version 3)
POP3S  Post Office Protocol (version 3) Secure
QoS  Quality of Service
RADIUS  Remote Authentication Dial-In User Service
RDP  Remote Desktop Protocol
SaaS  Software as a Service
SDN  Software-Defined Network
SEG  Secure Email Gateway
SFP  Small Form-Factor Pluggable
SFTP  SSH File Transfer Protocol
SIEM  Security Information and Event Management
SLA  Service Level Agreement
SM  Security Management
SMB  Small and Medium Business
SMS  Short Message Service
SMTP  Simple Mail Transfer Protocol
SMTPS  Simple Mail Transfer Protocol Secure
SNMP  Simple Network Management Protocol
SPoF  Single Point of Failure
SQL  Structured Query Language
SSL  Secure Sockets Layer
SWG  Secure Web Gateway
SYN  Synchronize flag (first segment of the TCP three-way handshake)
Syslog  System logging protocol (the standard for computer message logging)
TCP  Transmission Control Protocol
TCP/IP  Transmission Control Protocol/Internet Protocol (the basic Internet protocol suite)
TLS  Transport Layer Security
TLS/SSL  Transport Layer Security/Secure Sockets Layer
UDP  User Datagram Protocol
URL  Uniform Resource Locator
USB  Universal Serial Bus
UTM  Unified Threat Management
VDOM  Virtual Domain
VM  Virtual Machine
VoIP  Voice over Internet Protocol
VPN  Virtual Private Network
WAF  Web Application Firewall
WAN  Wide Area Network
WANOpt  Wide Area Network Optimization
WLAN  Wireless Local Area Network
XSS  Cross-site Scripting


Glossary
ADC. An Application Delivery Controller (ADC) is a network device that manages client connections to
complex Web and enterprise applications. An ADC essentially functions as a load balancer, optimizing
end-user performance, reliability, data center resource use and security for enterprise applications. An
ADC can be physical (hardware appliance) or virtual (software program).

ADN. An Application Delivery Network (ADN) is a suite of technologies that together provide application
availability, security, visibility, and acceleration. Gartner defines Application Delivery Networking as the
combination of WAN Optimization Controllers (WOCs) and Application Delivery Controllers (ADCs) [8]. At
the data center end of an ADN is the Application Delivery Controller (ADC). In the branch office portion
of an ADN is the WAN optimization controller (WOC), which shapes TCP traffic using prioritization and
other optimization techniques.

APT. An Advanced Persistent Threat is a network attack in which an unauthorized person gains access to
a network and stays there undetected for a long period of time. The intention of an APT attack is to steal
data rather than to cause damage to the network or organization. APT attacks target organizations in
sectors with high-value information, such as national defense, manufacturing and the financial industry.

Bot. An Internet bot, also known as web robot, WWW robot or simply bot, is a software application that
runs automated tasks over the Internet. Typically, bots perform tasks that are both simple and
structurally repetitive, at a much higher rate than would be possible for a human alone. The largest use
of bots is in web spidering, in which an automated script fetches, analyses and files information from
web servers at many times the speed of a human.

DoS. Denial of Service (DoS) attacks aim to deny use of a network or service to its legitimate users by
flooding it with useless traffic, often exploiting limitations in the TCP/IP protocols. For many known DoS
techniques there are software fixes and configuration changes that system administrators can apply to
limit the damage; however, like viruses, new DoS attacks are constantly being developed.

DDoS. Distributed Denial of Service (DDoS) attacks are a type of DoS attack in which multiple
compromised systems, often infected with a Trojan, are used to target a single system, causing a Denial
of Service (DoS) condition. The victims of a DDoS attack include both the targeted system and all of the
systems maliciously used and controlled by the attacker in the distributed attack.

NGFW. A Next Generation Firewall provides multi-layered capabilities in a single firewall appliance instead
of a basic firewall and numerous add-on appliances. An NGFW integrates the capabilities of a traditional
firewall with advanced features including:

• Intrusion Prevention (IPS)
• Deep Packet Inspection (DPI)
• Network App ID & Control
• Access Enforcement
• Distributed Enterprise Capability
• "Extra Firewall" Intelligence
• Third Party Management Compatibility
• VPN
• Application Awareness

OWASP. The Open Web Application Security Project (OWASP) is an open community dedicated to
enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be
trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone
interested in improving application security.

Ransomware. Ransomware is a form of malware in which rogue software code effectively holds a user's
computer hostage until a "ransom" fee is paid. Ransomware often infiltrates a PC as a computer worm
or Trojan that takes advantage of open security vulnerabilities. Upon compromising a computer,
ransomware will typically either lock a user's system or encrypt files on the computer and then demand
payment before the system or files will be restored.

Spam. Spam is usually considered to be electronic junk mail or junk newsgroup postings. Some people
define spam even more generally as any unsolicited email. Spam is generally email advertising for some
product sent to a mailing list or newsgroup.

Virus. A computer virus is a program or piece of code that is loaded onto your computer without your
knowledge and runs against your wishes. Viruses can also replicate themselves, and all of them are
man-made. A simple virus that makes copies of itself over and over is relatively easy to produce, and even
such a simple virus is dangerous because it can quickly consume available memory or disk space and
bring the system to a halt. A more dangerous type of virus is one capable of transmitting itself across
networks and bypassing security systems (self-propagation of this kind is what distinguishes a worm).

VPN. A Virtual Private Network (VPN) is a network constructed over public infrastructure, usually the
Internet, to connect to a private network such as a company's internal network. VPNs use encryption
and authentication mechanisms to ensure that only authorized users can access the network and that
data in transit cannot be read or tampered with by anyone who intercepts it.

Web Application Firewall (WAF). A WAF is designed to protect web applications and the database
content behind them. Unlike a network firewall, which decides based on addresses and ports, a WAF
inspects HTTP and HTTPS requests and responses at the application layer (OSI layer 7) and blocks
attacks such as SQL injection and cross-site scripting (XSS) before they reach the application.

UTM. Unified Threat Management (UTM) gives administrators the ability to monitor and manage
multiple, complex security-related applications and infrastructure components through a single
management console. The advantage of UTM is that it goes beyond the NGFW focus of high-performance
protection of data centers by incorporating a broader range of security capabilities as either cloud
services or network appliances, integrating:

• Intrusion Prevention (IPS)
• Content Filtering
• Quality of Service (QoS)
• Anti-Malware
• VPN Capabilities
• SSL/SSH Inspection
• Anti-Spam
• Load Balancing
• Application Awareness
• Identity-based Access Control


References
1. Rischbeck, T. XML Appliances for Service-Oriented Architectures. SOA Magazine, 2010.
2. Tam, K., et al. UTM Security with Fortinet: Mastering FortiOS. Waltham, MA: Elsevier, 2013.
3. OWASP. About the Open Web Application Security Project. 2014 [cited 2014 October 31].
   Available from: https://www.owasp.org/index.php/About_OWASP.
4. Maiwald, E. Network Security: A Beginner's Guide, 3rd ed. New York, NY: McGraw-Hill, 2013.
5. Nichols, S. Peak IPv4? Global IPv6 traffic is growing, DDoS dying, says Akamai. The Register, 2014.
6. Rouse, M. Application Delivery Controller. TechTarget Essential Guide, 2013 [cited 2014 October 15].
   Available from: http://searchnetworking.techtarget.com/definition/Application-delivery-controller.
7. PCI Security Standards Council. PCI Quick Reference Guide. 2008.
8. Gartner. Gartner Says Worldwide Application Acceleration Market Will Reach $3.7 Billion in 2008.
   Stamford, CT: Gartner, 2006.
