Assignment No. 04 SEMESTER Fall 2010 CS507- Information Systems
Total Marks: 10
Due Date: 24/1/2011
Instructions: Please read the following instructions carefully before solving and submitting the assignment.
It should be clear that your assignment will get zero marks if:
o The assignment is submitted after due date.
o The submitted assignment does not open or file is corrupt.
o The assignment is copied (from other student or ditto copy from handouts or internet).
o Student ID is not mentioned in the assignment File or name of file is other than student ID.
Note: Your answer must follow the specifications given below. You will be assigned zero marks if you do not follow these instructions.
• Font style: "Times New Roman"
• Font color: "Black"
• Font size: "12"
• Bold for heading only.
• Font in Italic is not allowed at all.
Do not post any query about this assignment on the MDB; if you have any query, contact cs507@vu.edu.pk.
Deadline: Your assignment must be uploaded/submitted at or before Monday, January 24, 2011.
Marks: 10
Dear Student,
You have learned in this course about system security risks and vulnerabilities: when any system goes online, it is more likely to be attacked by hackers.
Hackers try to attack at the application layer of the network system in order to get into the system's database, as the application layer is the bottom layer through which any computer can be accessed and data traffic let in.
You have learned about the various technical controls that ensure security like:
• Firewall
• Antivirus software
• Network security scanners etc
From the figure, it is clear that network firewalls do not protect a web application; they are designed only for network-level security. A firewall blocks unwanted traffic and activity and allows legitimate traffic in.
Antivirus software detects system-level issues, not browser-level ones.
Network security scanners, on the other hand, are a good choice for securing network services, but they do not run any security checks for vulnerabilities in web applications.
Hackers can easily hack web application firewalls, as WAFs do not fix the security holes in web applications and are not themselves immune to attack. Common attacks are:
1) Cross site scripting (XSS)
2) Cross site request forgery (CSRF)
3) SQL injection (SQLi)
4) Buffer overflow etc
Question: What are the challenges faced by WAFs (Web Application Firewalls) in securing web applications? Write only five challenges. [10 marks]
Note: Write only precise answer and avoid giving extra details.
[Figure: network diagram showing Internet, Hacker, Firewall, Web application server and Database server]
Solution:
1. Injection
2. Cross-site scripting (XSS)
3. Broken authentication and session management
4. Insecure direct object references
5. Cross-site request forgery (CSRF)
6. Security misconfiguration
7. Insecure cryptographic storage
8. Failure to restrict URL access
9. Insufficient transport layer protection
10. Unvalidated redirects and forwards
Why is this of interest to the WAF community? The naive answer would be that scanners and WAFs are alternatives. While they do not perform the same function, they compete for the same budget and are offered as alternatives by PCI DSS. If scanners are not as good as expected, a WAF might be the right solution after all. This is especially important as WAFs are usually under more fire than scanners, because it is much simpler to find a fault in a WAF: just find the right evasion vector. For a scanner, a full analysis such as the one done by Suto is required.
However, the paper has other, more far-reaching conclusions on the state of security products in general, and therefore of WAFs:
No single security solution is sufficient. Only combining multiple defense mechanisms provides adequate security, and even that does not imply 100% security.
Security products do differ in the security functionality they provide. Many times customers select security products according to every feature other than security, assuming that the security aspects of the product are performed adequately by all of them. However, Suto's paper shows that this may not be the case.
The lack of scrutiny of the security features drives security vendors to neglect security and focus on other areas such as GUI, reporting or manageability. This is shown in its extreme by the inability of some scanners to find existing vulnerabilities in sites provided for testing by the vendor itself.
All this is true for the WAF market as much as it is true for the scanner market. The WAF market is eagerly expecting its Larry Suto. Some vendors may bleed, but finally gold and iron would be differentiable.
Obstacles for WAFs:
Web application firewalls (WAFs) take a different approach. WAFs inspect inbound and outbound traffic to an application and enforce a security policy meant to prevent attackers from compromising the site. Security techniques implemented by WAFs vary, but most WAFs will include positive security (allow only that which is known to be good usage) and negative security (block usage that is known to be malicious).
Advanced WAFs combine these two types of security rules as well as correlate multiple user behaviors to increase accuracy. Proponents of WAFs (and I am one of them) will argue that WAFs provide the most effective mechanism to immediately address security issues, as the security rule set can be adjusted to prevent new attack types without the time required to change application code. The common objections to WAF technology are:
• Some issues can only be corrected in code. The most commonly cited example is logical flaws in the application, meaning that if the application was intentionally built to do something insecure, only rewriting the application can fix this issue. This is true to some extent, but a good WAF will provide ongoing monitoring information that helps to identify when logical flaws are being exploited.
• WAFs can’t understand enough about the application to be effective and accurate. The answer to this is that some WAFs indeed can’t. As with any technology product, it’s important to pick a good one.
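The positive and negative security models described above, plus the cross-request correlation the text mentions, as an added example written for this page (not code from the original page or from any WAF product); the paths, parameter patterns, signatures and violation threshold are constructed assumptions:

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Positive model (assumed policy): for each known path, the parameters that are
# expected and the pattern each one must match. Anything else is not "known good".
POSITIVE_POLICY = {
    "/login": {"user": re.compile(r"^[A-Za-z0-9_.@-]{1,64}$"),
               "pass": re.compile(r"^.{1,128}$")},
    "/search": {"q": re.compile(r"^[\w\s-]{0,100}$")},
}

# Negative model (illustrative signatures only, not a complete rule set): input
# that is known to be malicious is blocked regardless of the positive policy.
NEGATIVE_SIGNATURES = [
    ("sqli", re.compile(r"('|\")\s*(or|and)\s+\S+\s*=\s*\S+|union\s+select", re.I)),
    ("xss", re.compile(r"<\s*script|javascript:|on\w+\s*=", re.I)),
]


@dataclass
class Waf:
    threshold: int = 3  # violations per client before it is blocked outright
    violations: dict = field(default_factory=lambda: defaultdict(int))

    def evaluate(self, client, path, params):
        """Return (verdict, reason); verdict is 'allow' or 'block'."""
        if self.violations[client] >= self.threshold:
            return "block", "client exceeded violation threshold"
        # Negative security first: known attack patterns in any parameter value.
        for name, sig in NEGATIVE_SIGNATURES:
            for value in params.values():
                if sig.search(value):
                    return self._deny(client, f"negative: {name} signature in input")
        # Positive security: path must be known, every parameter expected and well-formed.
        allowed = POSITIVE_POLICY.get(path)
        if allowed is None:
            return self._deny(client, "positive: unknown path")
        for key, value in params.items():
            pattern = allowed.get(key)
            if pattern is None:
                return self._deny(client, f"positive: unexpected parameter {key}")
            if not pattern.fullmatch(value):
                return self._deny(client, f"positive: malformed parameter {key}")
        return "allow", "matches positive policy"

    def _deny(self, client, reason):
        # Correlation across requests: repeated violations from one client add up.
        self.violations[client] += 1
        return "block", reason
```

Once a client crosses the threshold, even requests that would pass both rule sets are blocked, which is the behavioural correlation that distinguishes an advanced WAF from a plain signature filter.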
What to Do?
Given these differences, how is someone faced with PCI’s dilemma, false or not, to choose?
For those only concerned with compliance, the answer is simple: WAF. Because a WAF can be deployed without affecting the application and without engaging outside consultants to review application code, WAF is a faster and more cost-effective approach to meeting the letter of the law.
For those concerned with actually doing the right thing and asking “which first?” rather than “which?” the answer is actually the same: WAF. That’s because a WAF can be deployed to provide immediate protection, and a WAF can be quickly configured to adjust as applications and application attacks change. WAFs not only provide the most cost-effective first step, but a sound building block for the second step. Once a WAF is in place, code review projects can proceed at a controlled pace, reducing the risk of errors. WAFs also provide critical information on usage patterns and changes in usage patterns that can guide code review teams and point out obvious problems.
An instructive analogy can be found in application performance tuning. Re-coding slow parts of an application is a great way to improve system performance. However, finding those slow parts requires a performance measurement tool, and sometimes a little extra help, in the form of content acceleration techniques like caching and compression, is warranted. WAFs serve a similar function for application vulnerability assessment by providing a roadmap that code reviewers can follow to find and fix underlying logical issues.
WAF concept (understanding):
Hackers attack web servers through the HTTP (port 80) and HTTPS (port 443) channels, and web servers were never designed with security in mind. Thus we often see web server requests carrying strange SQL, authorization or cookie injection attacks, and many cross-site attacks. As a result, a new field has emerged in the security industry under the name Web Application Firewalls (WAF). Unlike more traditional network firewalls, which just look at HTTP or HTTPS traffic but do not really understand its purpose and content, a WAF understands web applications and HTTP/HTTPS traffic in depth, and learns how the web application should respond to a request.
WAFs are not easy to implement, and the implementation plan needs thought; it involves third-party developers, security engineers, network engineers, managers and business owners.
Here are some problems web application firewalls face:
1. Providing comprehensive network security.
2. Informing about and improving security flaws.
3. The right speed, reliability, integrity, delivery and redundancy.
4. Management capacity of the ports.
5. The best investment in data and sealing deals.
6. The intrusion detection system (IDS) searching the protected area should keep working.
7. Preventing data theft and hacking, including during holiday settings.
8. Effectively maintaining a high balance of cash and spirit.
9. Effectively protecting the network from XSS, CSRF, SQL injection and buffer overflows.
10. Continuously monitoring the network.