A Behavior-Based Web Application Firewall Total Solution to Detect Various Web Application Service Attacks

Shih-Jen Chen, Shao-Wei Lan, Hui-Lan Chi, Chien-Ting Kuo
Smart Network System Institute, Institute for Information Industry, Taipei 105, Taiwan, R.O.C.
{sjchen, shao-wei, huilan, ctkuo}@nmi.iii.org.tw

Abstract. In this paper, we focus on defending against the web application service attacks that have caused many well-known websites enormous losses in recent years. We propose a behavior-based web application firewall total solution that analyzes incoming requests to distinguish malicious requests from normal ones. To evaluate the effectiveness of this solution, we use the network hardware stress testing tool Avalanche to measure its performance. The proposed behavior-based Web Application Firewall total solution not only defends effectively against malicious requests crafted by crackers with various techniques, but also forwards normal requests with high performance. Furthermore, our experiments show that this Web Application Firewall detects and blocks various types of web application attacks with high quality.

Keywords: Web application attacks, web application firewall, web vulnerability

1 Introduction

With the vigorous development of network applications and the growing use of the Internet, threats and network vulnerabilities have become more and more diverse, and network attack techniques evolve faster and faster [1-2]. In past years, network security relied on the traditional network firewall, the intrusion detection system (IDS), and cryptography. Nowadays, crackers focus mainly on vulnerabilities in network application services. Some well-known types of network application attacks, such as SQL injection and cross site scripting (XSS), cause a great deal of damage to industries all over the world. According to the OWASP Top 10 report [3], the list of the ten most critical threats published by the Open Web Application Security Project, network application attacks increase year by year. One of the reasons is poor source code writing habits. Because of those vulnerabilities, crackers can trick a web server into returning sensitive information or can gain privileges on the system. This is a serious problem for network application services around the world, since crackers may use injection techniques (e.g. SQL injection) to access web pages, retrieve users' information, or even modify database values. To detect and prevent such vulnerabilities, we implement a behavior-based web application firewall total solution that focuses on monitoring packet behavior at the application layer. In this paper, we introduce not only the main modules of this WAF, but also the experimental environment used to test the availability and performance of the WAF, and we present the experimental results at the end.

2 Related Study

To prevent network application attacks, one may adopt methods such as firewalls [4-8] or intrusion detection systems (IDS), which are effective at the network layer. Traditional firewalls mostly use packet filtering technology, which works at the network layer and transport layer of the OSI model. The filter analyzes information in the incoming packets such as source IP, destination IP, header, or protocol. In recent years, more and more network attackers tend to exploit application layer vulnerabilities. Some well-known security risks such as cross site scripting (XSS) and SQL injection exploit vulnerabilities on the web servers, while their packets look like normal packets at the network layer and transport layer. Unfortunately, the traditional firewall cannot detect these network application attacks. For this reason the web application firewall has become an increasingly important and popular technology for identifying and blocking attacks. In this paper, we focus on web application service attacks and aim to categorize HTTP requests into normal requests and illegal requests. We analyze the behavior of the incoming requests and use web attack signatures to identify the illegal requests. The illegal requests are pushed into the block module and receive no service from the web servers.

3 Structure of the Web Application Firewall Total Solution

We design the structure of the behavior-based Web Application Firewall (WAF) total solution system to detect intrusions. A number of design goals must be addressed when implementing the WAF system:

1. It needs a block and forward module to separate malicious requests from normal requests before they reach the web service servers.
2. It needs an attack signature database to determine the signature of a malicious request.
3. It needs a filter module acting as a classifier to differentiate among the diverse kinds of malicious requests.
4. It needs an access list configured by the administrator.

Fig. 1 shows the structure of the behavior-based Web Application Firewall total solution that follows the four design goals above. There are five components in this structure: the positive behavior filter, the negative behavior filter, the positive profiles, the web attack signature database, and the block/forward module.

[Figure 1: HTTP Request -> Positive Behavior Filter (Start/Deny URLs Validation, URL Closure Module, Data Consistency Checker, backed by Positive Profiles; an illegal URL against positive behavior is answered with a user-defined error message) -> Negative Behavior Filter (Buffer Overflow Checker, Command Injection Filter, XPath Injection Filter, Blind SQL/SQL Injection Filter, Custom Pattern Filter, LDAP Injection Filter, Cross Site Script Filter, Malicious File Filter, Path/Directory Traversal Filter, Header Analysis Filter, backed by the Web Attack Signature Database) -> Block / Forward Module -> Web Service Server]

Figure 1. The structure of the Web Application Firewall total solution.

The positive behavior filter checks the HTTP request with three functions: start and deny URL validation, the URL closure module, and the data consistency checker. The positive behavior filter uses a black list and a white list to examine whether the HTTP request exhibits illegal URL behavior. If the positive behavior filter finds that the incoming HTTP request is an illegal URL, it sends the request to the block/forward module for further processing. If the positive behavior filter judges the incoming HTTP request to be normal, the request proceeds to the negative behavior filter. The negative behavior filter checks the request against the web attack signatures in the signature database, inspecting every request with a signature pattern matching technique. After positive and negative behavior filtering, the request is logged by the block/forward module, which also contains the log alert mechanism. When an attack occurs, the alert mechanism sends an email to warn the administrator.
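As an added illustration (not code from the paper), the following Python sketch walks one HTTP request target through the three stages described above: the positive behavior filter (start/deny URL validation, URL closure, data consistency check against a positive profile), the negative behavior filter (signature matching against a small per-category pattern set), and the block/forward decision with its log line. The URLs, profiles and signatures are constructed for the example, and the email alert is represented only by the returned log line.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Positive profile (constructed for this example): start URLs, the URL closure reachable
# from them, explicitly denied URLs, and a regex each request parameter must fully match.
START_URLS = {"/", "/login"}
URL_CLOSURE = START_URLS | {"/search", "/account"}   # pages linked from the start pages
DENY_URLS = {"/account/export"}
POSITIVE_PROFILES = {                                # path -> {param: value rule}
    "/login": {"user": r"[A-Za-z0-9_]{1,32}", "pw": r".{1,64}"},
    "/search": {"q": r"[\w \-]{1,64}"},
    "/account": {"id": r"\d{1,9}"},
}
# Negative behaviour filter: a few constructed signatures per attack category (cf. Table 1).
SIGNATURES = {
    "SQL Injection": [r"(?i)\bunion\b.*\bselect\b", r"(?i)'\s*or\s*'?\d+'?\s*=\s*'?\d+"],
    "Cross Site Script": [r"(?i)<\s*script\b", r"(?i)\bon\w+\s*=\s*\S"],
    "Dir/Path Traversal": [r"\.\./", r"\.\.\\"],
    "Command Injection": [r";\s*(?:cat|ls|id|wget)\b"],
}

def positive_filter(path, params):
    """Return None if the request fits the positive profile, else the violation found."""
    if path in DENY_URLS:
        return "deny-list URL"
    if path not in URL_CLOSURE:                      # URL closure module
        return "URL outside closure"
    profile = POSITIVE_PROFILES.get(path, {})
    for name, value in params:                       # data consistency checker
        rule = profile.get(name)
        if rule is None or not re.fullmatch(rule, value):
            return f"inconsistent parameter {name!r}"
    return None

def negative_filter(raw_target):
    """Return the first attack category whose signature matches, or None."""
    decoded = unquote(unquote(raw_target))           # undo up to two layers of URL encoding
    for category, patterns in SIGNATURES.items():
        if any(re.search(p, decoded) for p in patterns):
            return category
    return None

def inspect(request_target):
    """Block/forward decision for one request target: (action, reason, log line)."""
    parts = urlsplit(request_target)
    params = parse_qsl(parts.query, keep_blank_values=True)
    reason = positive_filter(parts.path, params)
    if reason is None:                               # only normal URL behaviour reaches here
        reason = negative_filter(request_target)
    action = "forward" if reason is None else "block"
    return action, reason, f"{action.upper()} {request_target} {reason or ''}".strip()
```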

4 Experiment Environment

In this paper, we deploy an experimental environment on a physical network. We use Avalanche [10], a hardware stress testing tool, to test the performance of the behavior-based WAF. The network topology is shown in Fig. 2. Three web servers are protected by the behavior-based WAF. One DNS server resolves domain names to network addresses, and one mail server verifies and sends the e-mail alerts from the WAF. We also have three clients, which act as attacker, administrator, and normal user in our scenario. In this environment, we examine availability by having the attacker generate the seven types of web application attacks listed in Table 1. From the alert mail, we can validate whether these attacks have been detected. Under the same environment, we measure the maximum new connection rate, the maximum concurrent connection rate, and the maximum network throughput.

[Figure 2: Avalanche stress test server; DNS_SERVER; Mail_SERVER; WebApp_SERVER1, WebApp_SERVER2 and WebApp_SERVER3 behind the CWAF; TEST_CLIENT1 (attacker), TEST_CLIENT2 (administrator), TEST_CLIENT3 (normal user)]

Figure 2. Experiment environment structure.

5 Experiment Results

Table 1 shows the number of patterns for each attack type. In the experiment, all of the attack signatures listed in Table 1 were detected and blocked. These attack patterns have been collected from several security organizations and third-party corporations in recent years. The number of patterns for each attack signature type is still growing and is updated from several important security news sources.

Table 1. The number of patterns for each attack type

Type                  Total Number
Blind SQL Injection   80
SQL Injection         141
Command Injection     67
Cross Site Script     41
Dir/Path Traversal    38
LDAP Injection        18
XPath Injection       16

Fig. 3 shows the maximum new connection rate when using the behavior-based Web Application Firewall. The maximum new connection rate in the stable state is near 400 (connections/sec). This means the behavior-based Web Application Firewall can accept 400 new connections per minute. Fig. 4 shows the concurrent connection rate when using the behavior-based Web Application Firewall. The maximum concurrent connection rate in the stable state is near 1800 (connections/sec). This means the behavior-based Web Application Firewall can accept 1800 concurrent connections. Fig. 5 shows the network throughput when using the behavior-based Web Application Firewall. The maximum network throughput in the stable state is near 600 Mbps. This means the behavior-based Web Application Firewall can sustain a network load of around 600 Mbps when requesting web pages of 3M content size. We conclude that our behavior-based Web Application Firewall performs effectively even under heavy network load.

6 Discussion

In this paper, we propose a structure for implementing a behavior-based web application firewall system. We implement the concept of the behavior-based web application firewall to protect web services effectively from attacks and web application threats. The experimental results show that our behavior-based web application firewall achieves its implementation goals: it successfully and efficiently detects and blocks web application service attacks. In the future, we plan to deliver this structure into the cloud as a service and to enhance its performance for the cloud service environment. Besides, we keep updating the attack signature database for the various types of web applications to strengthen the attack-defense ability.

Fig. 3. The number of max new connection rate (Conn./sec.)

Fig. 4. The number of max concurrent connection rate

Fig. 5. The number of max network throughput

References

1. T. Holz, S. Marechal, and F. Raynal, "New threats and attacks on the World Wide Web," IEEE Security & Privacy, vol. 4, no. 2, March-April 2006, pp. 72-75.
2. L. A. Gordon, M. P. Loeb, W. Lucyshyn, and R. Richardson, "CSI/FBI Computer Crime and Security Survey," 2005. Available at http://www.cpppe.umd.edu/Bookstore/Documents/2005CSISurvey.pdf
3. Open Web Application Security Project (OWASP), http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
4. C.-H. Lin, J.-C. Liu, C.-T. Kuo, M.-C. Chou, and T.-C. Yang, "Safeguard Intranet Using Embedded and Distributed Firewall System," International Journal of Future Generation Communication and Networking (IJFGCN), vol. 2, no. 1, March 2009.
5. C.-H. Lin, J.-C. Liu, C.-T. Kuo, M.-C. Chou, and T.-C. Yang, "Safeguard Intranet Using Embedded and Distributed Firewall System," in 2008 Second International Conference on Future Generation Communication and Networking (FGCN 2008), IEEE Press, 2008, pp. 489-492.
6. R. W. Cheswick and S. M. Bellovin, "Firewalls and Internet Security: Repelling the Wily Hacker," Addison-Wesley, 1994.
7. M. R. Lyu and L. K. Y. Lau, "Firewall Security: Policies, Testing and Performance Evaluation," in The 24th Annual International Computer Software and Applications Conference (COMPSAC 2000), pp. 116-121.
8. R. Zalenski, "Firewall technologies," IEEE Potentials, vol. 21, no. 1, 2002, pp. 24-29.
9. Linux Firewall Project. Available at http://www.linuxfirewall.org
10. Spirent Avalanche. http://www.spirent.com/Solutions-Directory/Avalanche.aspx