
Securing Legacy Software SoBeNet User group meeting 25/06/2004




  1. Securing Legacy Software, SoBeNet User group meeting, 25/06/2004

  2. Objectives
     • Existing applications are enabled to operate in a networked environment
       • Adapter Suites
       • Application Platform Suites (J2EE, .NET,…)
       • Application Servers
       • Enterprise Portals
       • Integration Suites
       • Message-Oriented Middleware
       • Object-Request Brokers
       • Transaction Processing Monitors
     → Preserve Security Level
     → Compliance with Security Standards and regulations
     → Manageable

  3. Ubizen – trusted partner in IT Security
     • Ubizen has a vast experience in Application Security
       • Via a highly qualified consultancy team
         • Risk Management, Security Policies, Procedures and Standards
         • Architecture Review and Infrastructure design
         • Penetration testing
         • Application Vulnerability Assessment
         • Implementation of best of breed security products
       • Via product development
         • AAA products
         • Web Shielding (DMZ/Shield™)
     • Proven Track record in IT Security
       • Top-3 Managed Security Service Provider World-wide
       • Number 1 in Europe
       • > 3200 devices under management
       • Incident Response
       • Forensics Investigation

  4. Three research tracks for securing existing applications
     • Protect all access paths to and from the application
       • Interception and validation of the communication between components, modules and systems
       • Shielding components, modules and systems from malicious traffic
     • Apply automatic protocol security
       • Moving to a more formal model for protocol description and automatic application of protocol security at different layers of the stack.
     • Monitoring and managing
       • Introduction of security infrastructure is only the first step… Keeping it properly configured and monitored 24 by 7 by experienced security experts is the second.

  5. MULTI LAYER approach to Application Security
     • Deep Packet Inspection
       • Protection at the network layer
       • Protection at the transport layer
       • Protection at the application layer
     • Defense in depth
       • Perimeter
       • Demilitarized Zone → Transactional Zone
     • Multi-tier architecture
       • Coordination of Security Information between # tiers (e.g. SAML)
     • Protection of end points
       • Not all layers on the #tiers are under control (e.g. OS, Language execution environment, App Server)
       Introduction of HIDS, Policy Compliance Modules,…

  6. 2 dimensional multi layer approach
     [Figure: five tiers (GUI, Presentation Logic, Business Logic, Data Access, Data Layer), each drawn as a stack of layers 7 to 1 labelled "Deep Packet Inspection"; the two dimensions are labelled "Security Context and Coordination" and "Defense In Depth"]

  7. In practice …
     [Figure: same diagram as slide 6]

  8. Interception and Shielding in SoBeNet
     [Figure: same diagram as slide 6]

  9. Interception Techniques
     • Centralized applications
       • Interception of method invocations/library calls/system calls
       System based interception and shielding
     • Distributed or multi-tier applications
       • Interception of traffic using standard internet protocols
       • Interception of Remote Method Invocations
       Network based interception and shielding

  10. System based interception
      • Interception at the Operating System Level
        • Pluggable services of the OS (e.g. network or file I/O)
        • Host Intrusion Detection and Prevention Systems work at this level
      • Library Level
        • Dynamically loaded libraries can be replaced with more secure versions
      • Language Runtime Support
        • E.g. load-time modification of binary code
        • Validation of pre and post conditions
        • Auditability and forensics
      • Application Platform Suite
        • J2EE container services and components
        • Microsoft .NET services and components

  11. Network based interception
      • Proxy Architectures…
        • Asymmetric Proxy (protocol encapsulates proxy support), no modification of client software
        • Reverse Proxy
        • Symmetric Proxy (generally applicable but has influence on client software)
      • Transparency
        • Link, network, transport level
        • Application Protocol level (e.g. HTTP,…)
        • User Application level

  12. Scope definition for maximum valorization of the results?
      • Target is “Protecting” Legacy Applications …
      • … but these are built on evolving components
        • Web Application → HTTP Firewalls
        • Service Oriented Architectures → XML Firewalls
        • Application Platform Suites → J2EE, .NET
      Fall back on industry adapted standards

  13. Internet Application Protocols …
      • The most important internet protocols were never designed with security in mind
      • RFCs describing the protocols often allow ambiguous interpretation → Vendors choose interoperability instead of security
      • Most applications use only a small part of the protocol definition … and vulnerabilities are often in the unused protocol functionality

  14. User Application Protocols …
      • Communication protocols at application level are rarely specified or formalized
      • User Application protocols get less attention because they are typically used once for a specific application
      • User Application protocols are more complex because of their dependency on a (huge) internal state → combinatorial explosion of cases

  15. Automatic protocol security
      • Protocol = set of rules between communicating parties
        • Form and content: Formalization (Strong Typing, XML Schema,…)
        • Sequence: Formalization (State Charts, Sequence and Collaboration Diagrams, …)
      • SANITY Checking
      • Shields 4 of the Top 10 Vulnerabilities in application

  16. Manageability and Monitoring
      • Keeping the configuration up to date
        • Default Deny Policy
        • Automatic Learning of normal behavior
        • Configuration automation policy proposals
      • Monitoring of all the alerts triggered by the devices
        • Correlation of events from security components
        • Coordination and exchange of security state between devices reduces the false positives
        • Anomaly detection
      • Audit Trail
        • What information is required for Forensics
      • Performance Management

  17. www.ubizen.com
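
Added example, not part of the original presentation: a sketch of the sanity checking on slide 15 combined with the default deny policy and audit trail on slide 16. Message form and content are checked against a strongly typed schema and message sequence against a state chart; the protocol, message types, field names and patterns are hypothetical.

```python
import re
# Form and content (strong typing) for a hypothetical protocol; all names are assumptions.
ACCOUNT = re.compile(r"\d{10}")
SCHEMA = {
    "LOGIN": {"user": re.compile(r"[a-z0-9_]{1,16}"), "pin": re.compile(r"\d{4,8}")},
    "BALANCE": {"account": ACCOUNT},
    "TRANSFER": {"src": ACCOUNT, "dst": ACCOUNT, "amount": re.compile(r"\d{1,7}\.\d{2}")},
    "LOGOUT": {},
}
# Sequence (state chart): (state, message) -> next state. Absent pairs are denied.
TRANSITIONS = {
    ("START", "LOGIN"): "AUTHENTICATED",
    ("AUTHENTICATED", "BALANCE"): "AUTHENTICATED",
    ("AUTHENTICATED", "TRANSFER"): "AUTHENTICATED",
    ("AUTHENTICATED", "LOGOUT"): "START",
}
# Constructed sample session, not captured traffic.
SAMPLE = [
    ("BALANCE", {"account": "1234567890"}),  # valid form, wrong point in the sequence
    ("LOGIN", {"user": "alice", "pin": "1234"}),
    ("TRANSFER", {"src": "1234567890", "dst": "0987654321", "amount": "-5.00"}),
    ("DEBUG", {}),  # protocol functionality the application never uses
    ("LOGOUT", {}),
]

def verdict(state, msg_type, fields):
    spec = SCHEMA.get(msg_type)
    if spec is None:  # default deny: only listed message types pass
        return "DENY: unknown message type"
    if set(fields) != set(spec):
        return "DENY: unexpected or missing field"
    for name, pattern in spec.items():
        if not isinstance(fields[name], str) or not pattern.fullmatch(fields[name]):
            return f"DENY: malformed field {name}"
    if (state, msg_type) not in TRANSITIONS:
        return f"DENY: {msg_type} not allowed in state {state}"
    return "ALLOW"

def run(session):
    state, audit = "START", []
    for msg_type, fields in session:
        v = verdict(state, msg_type, fields)
        audit.append((state, msg_type, v))
        if v == "ALLOW":
            state = TRANSITIONS[(state, msg_type)]
    return audit  # audit trail: (state before the message, type, verdict)

if __name__ == "__main__":
    print(*run(SAMPLE), sep="\n")
```

Denied messages leave the session state unchanged, so a rejected request cannot advance the state chart.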
