configuring webapp secure to protect against credential attacks · 2014-09-22 · application note...
TRANSCRIPT
APPLICATION NOTE
Copyright © 2014, Juniper Networks, Inc. 1
CONFIGURING WEBAPP SECURE TO PROTECT AGAINST CREDENTIAL ATTACKS
Protect your Web Applications from Brute Force Credential Attacks Using WebApp Secure and Intrusion Deception Technology
Table of Contents
Introduction
Scope
Design Considerations
Description and Deployment Scenario
  Description
  Prerequisites
  Analyzing a “Failed” Login
  Analyzing a “Successful” Login
Deployment and Configuration Scenario
Summary
About Juniper Networks
Introduction
Given the common reuse of login credentials across Web applications, your company’s Web applications face imminent risk
of attack whenever usernames, e-mail addresses, and passwords are lost in a data breach. Attackers will use a large set of
stolen credentials, distribute them to a botnet, and then use the botnet to launch automated attacks that attempt to find a
small set of “valid credentials” for another Web application.
Juniper Networks® WebApp Secure can add a layer of protection for your Web applications with innovative Intrusion
Deception™ technology. By default, WebApp Secure will provide protection from credential attacks by breaking the
automated attacks with a captcha and causing them to error out. But in these cases, the attacker will just try again.
WebApp Secure detects the brute force credential attack, whether the attack originates from a distributed botnet or
whether the attack is cycling through a list of usernames (trying each username only once, which is harder for most Web
applications to detect). This application note takes the protection one step further, by showing how WebApp Secure allows
the automation to continue, but deceives attackers, causing their attacks to be unsuccessful (all the stolen credentials will
be invalid). In these cases, attacks are completely unsuccessful and the attacker will not try again.
Scope
This document describes only one of the Intrusion Deception technologies used by WebApp Secure. The features covered
include the WebApp Secure security processor called “Login Processor,” a preconfigured WebApp Secure counterresponse
called “Break Authentication,” and a manually created “Auto Response.” The “Login Processor” needs to be configured so
that WebApp Secure understands successful and failed login attempts, based on the customer’s Web application. The
manually created “Auto Response” needs to be modified based on the customer environment and the frequency of attacks.
This document does not cover the ways that WebApp Secure can be deployed within each customer’s specific network.
Design Considerations
In order for the WebApp Secure Login Processor to be configured correctly, the security administrator must understand the
customer’s Web applications and login process, and must be able to analyze each Web application’s HTTP response codes
and headers. The response codes and headers will be used as part of the WebApp Secure configuration, which requires the
settings for properties that make up a “failed login” and a “successful login.”
Hardware Requirements: All WebApp Secure form factors, including hardware and virtual machines
Software Requirements: Juniper Networks WebApp Secure version 5.0 or later
Description and Deployment Scenario
Description
Before configuring WebApp Secure to detect invalid login attempts and credential attacks, the security administrator must
first use an HTTP debugger to analyze and compare the properties of a successful and failed login. For example, successful
logins usually return a specific HTTP status code or HTTP header, while failed logins return a different code or header. The
three high-level steps are:
1. Edit the “Login Processor” and create a “Protected Login Page.”
2. Under “Response Rules,” create a new “Autoresponse.”
3. Test the new Autoresponse.
Prerequisites
Before configuration of WebApp Secure, analysis must be performed that clearly details how the Web application responds
to a failed login and a successful login. The example in Figure 1 shows one way to perform this analysis, using information
that is displayed by an HTTP debugger called Live HTTP Headers, which is an add-on available for Firefox. Other HTTP
debuggers that can be used include Charles Proxy, Fiddler, and Firebug. To view the debugging information, you need
to enable the tool, then use the browser to unsuccessfully log into the Web application (on the left of Figure 1), then
successfully log into the Web application (on the right of Figure 1).
Analyzing a “Failed” Login
Unsuccessful login:
1. Login URL: wp-login.php
2. Type of login: POST
3. Parameter for the “username”: log=
4. Parameter for the “password”: pwd=
5. Response code: 200 OK
Analyzing a “Successful” Login
Successful login:
1. Login URL: not shown, but same as before
2. Type of login: POST
3. Parameter for the “username”: log=
4. Parameter for the “password”: pwd=
5. Response code: 302 Moved Temporarily
Figure 1. Analyzing failed and successful logins (the HTTP debugger screenshots from the original figure are not reproduced here; the values read from them are listed above)
The information highlighted above is needed to configure WebApp Secure, and these steps are described in
detail below.
Note: Your information may be different, depending on your Web application.
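To make the analysis above concrete, here is an added example (not code from this note or from WebApp Secure) that models how a “Protected Login Page” entry classifies a request/response pair: the URL pattern, the username and password POST parameters, and the failure/success status patterns are the values read from Figure 1, and the “Require Captcha After” counter is modelled per session. The property names mirror the configuration screen; the classification rules, the treatment of a success as resetting the failure count, and the sample exchanges are assumptions and constructed data.

```javascript
// Added example, not WebApp Secure code: a model of a "Protected Login Page"
// classification using the Figure 1 values. Exchanges below are constructed samples.

const protectedLoginPage = {
  name: "WP-login",
  urlPattern: "wp-login.php",
  usernameField: { type: "POST Parameter", namePattern: "log", valuePattern: ".*" },
  passwordField: { type: "POST Parameter", namePattern: "pwd", valuePattern: ".*" },
  failure: { target: "Status", pattern: "200", condition: "Failure On Match" },
  success: { target: "Status", pattern: "302", condition: "Success On Match" },
  requireCaptchaAfter: 3,
};

// Parse an application/x-www-form-urlencoded body into a key/value map.
function parseForm(body) {
  const out = {};
  for (const pair of body.split("&")) {
    if (!pair) continue;
    const [k, v = ""] = pair.split("=");
    out[decodeURIComponent(k.replace(/\+/g, " "))] = decodeURIComponent(v.replace(/\+/g, " "));
  }
  return out;
}

// Locate a configured field in the request; only POST parameters are modelled here (assumption).
function findField(fieldCfg, request) {
  if (fieldCfg.type !== "POST Parameter") return null;
  const form = parseForm(request.body || "");
  const nameRe = new RegExp("^" + fieldCfg.namePattern + "$");
  const valueRe = new RegExp("^" + fieldCfg.valuePattern + "$");
  for (const [name, value] of Object.entries(form)) {
    if (nameRe.test(name) && valueRe.test(value)) return value;
  }
  return null;
}

// Evaluate a Failure/Success pattern against the response; only the "Status" target is modelled.
function patternMatches(patternCfg, response) {
  const subject = patternCfg.target === "Status" ? String(response.status) : "";
  return new RegExp(patternCfg.pattern).test(subject);
}

// Returns "not-a-login", "failure", "success" or "undetermined".
// A condition other than "... On Match" is assumed to invert the test.
function classifyLogin(cfg, request, response) {
  if (request.method !== "POST" || !request.url.includes(cfg.urlPattern)) return "not-a-login";
  const user = findField(cfg.usernameField, request);
  const pwd = findField(cfg.passwordField, request);
  if (user === null || pwd === null) return "not-a-login";
  const failMatch = patternMatches(cfg.failure, response);
  const okMatch = patternMatches(cfg.success, response);
  if (cfg.failure.condition === "Failure On Match" ? failMatch : !failMatch) return "failure";
  if (cfg.success.condition === "Success On Match" ? okMatch : !okMatch) return "success";
  return "undetermined";
}

// Per-session failure counter; captchaRequired means the session has reached
// the "Require Captcha After" threshold (modelling assumption, not the product's counter).
class SessionLoginTracker {
  constructor(cfg) { this.cfg = cfg; this.failures = new Map(); }
  observe(sessionId, request, response) {
    const verdict = classifyLogin(this.cfg, request, response);
    if (verdict === "failure") {
      const n = (this.failures.get(sessionId) || 0) + 1;
      this.failures.set(sessionId, n);
      return { verdict, failures: n, captchaRequired: n >= this.cfg.requireCaptchaAfter };
    }
    if (verdict === "success") this.failures.set(sessionId, 0);
    return { verdict, failures: this.failures.get(sessionId) || 0, captchaRequired: false };
  }
}

// Constructed sample traffic: three failed logins in one session, an unrelated GET, one success elsewhere.
const sampleExchanges = [
  { session: "s1", request: { method: "POST", url: "/wp-login.php", body: "log=admin&pwd=wrong1" }, response: { status: 200 } },
  { session: "s1", request: { method: "POST", url: "/wp-login.php", body: "log=admin&pwd=wrong2" }, response: { status: 200 } },
  { session: "s1", request: { method: "POST", url: "/wp-login.php", body: "log=admin&pwd=wrong3" }, response: { status: 200 } },
  { session: "s1", request: { method: "GET", url: "/index.php", body: "" }, response: { status: 200 } },
  { session: "s2", request: { method: "POST", url: "/wp-login.php", body: "log=editor&pwd=correct" }, response: { status: 302 } },
];

function runSamples() {
  const tracker = new SessionLoginTracker(protectedLoginPage);
  return sampleExchanges.map((e) => tracker.observe(e.session, e.request, e.response));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of runSamples()) console.log(JSON.stringify(r));
}
```

Running the block prints one verdict per sample exchange; the third failed login in session s1 is the one that reaches the threshold of 3, while the GET and the successful login never count as failures. A response matching neither pattern (for example a 500) is reported as undetermined, which is the case to watch for when your application returns something other than the codes seen in Figure 1.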
Deployment and Configuration Scenario
Log into the WebApp Secure graphical interface and perform the following:
1. Edit the “Login Processor” and create a “Protected Login Page.”
- Under the Configuration Panel, click on “Processors”
- Scroll down and find “Login Processor,” then click on “Edit Settings”
- Scroll down and find “PROTECTED LOGIN PAGES” and click “Add”
- Configure the login page as described below:
› Name: Enter a name for the login page, e.g., “WP-login”
› URL Pattern: Type “wp-login.php” (this could be different for your Web application)
- Configure information about the username and password fields. Set the following:
› Username Field Type: Select “POST Parameter”
› Username Field Name Pattern: Type “log”
› Username Field Value Pattern: Type “.*”
› Username Field Encoding: Select “Ascii”
› Password Field Type: Select “POST Parameter”
› Password Field Name Pattern: Type “pwd”
› Password Field Value Pattern: Type “.*”
› Password Field Encoding: Select “Ascii”
- Configure information describing a failed login and a successful login by setting the values below:
› Failure Pattern Target: Select “Status”
› Failure Pattern: Type “200”
› Failure Pattern Condition: Select “Failure On Match”
› Success Pattern Target: Select “Status”
› Success Pattern: Type “302”
› Success Pattern Condition: Select “Success On Match”
› Require Captcha After: Leave at “3”
› Click Save
2. Under “Response Rules,” create a new autoresponse.
- Under the Configuration Panel, click on “Response Rules”
- In the “Autoresponse” screen, click on “Add Autoresponse”
- In the Basic tab, do the following:
› In the name field, type “Break Authentication”
› In the description field, type: “Triggers when a brute force credential attack is detected. The autoresponse will
deceive the attacker into thinking all their stolen credentials are invalid, even if there is a valid set.”
› Check the “Enabled” checkbox
› Uncheck the “Safe mode” checkbox
› Click Save
- In the Code tab, do the following:
› Paste the following code:
    if ( profile.getIncidentTypes("isCode('23008') && isCount('>=','1')").length > 0   // at least one "Site Login Username scan" incident
         && profile.getSessions("isRequestCount('>','50')").length > 0                // a session with more than 50 login requests
         && profile.getResponses("isCode('BA') && isActive()").length == 0 )         // make sure we did not already trigger Break Authentication
    {
        mykonos.activateResponseCfg("BA", "<config message='Stop the Credential Attack!' />");
        console.log('data');
    }
› Note: If you want to be less aggressive, change the comparison checks listed below:
• isCount('>=','1') checks for the number of “Site Login Username scan” incidents.
• isRequestCount('>','50') checks for the number of login requests for that session.
› Then click Save
- In the Events tab, do the following:
› Enable the “Run analyzer on profile when it observes a new incident (newincident)” checkbox
› Enable the “Run analyzer on profile when it observes any new traffic (newtraffic)” checkbox
› Then click Save
3. Test the new Autoresponse by using an attack tool like w3af, or manually enter invalid credentials through a
browser.
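The autoresponse code in step 2 is evaluated by WebApp Secure against a live profile, which makes it hard to reason about the thresholds before deploying it. The following added example (not code from this note or from Juniper) supplies stand-ins for the profile and mykonos objects so the same decision logic can be exercised offline: a minimal evaluator for the filter strings (supporting only the isCode, isCount, isRequestCount and isActive terms that appear on the page; its grammar is an assumption), a profile snapshot built from constructed data, and an activateResponseCfg that marks the response active so the “did not already trigger” guard can be observed. The console.log('data') call from the original is replaced by a return value so the outcome can be checked.

```javascript
// Added example, not WebApp Secure code: offline stand-ins for "profile" and "mykonos"
// so the Break Authentication decision logic can be run against constructed data.

function compare(actual, op, expected) {
  const n = Number(expected);
  switch (op) {
    case ">": return actual > n;
    case ">=": return actual >= n;
    case "<": return actual < n;
    case "<=": return actual <= n;
    case "==": return actual === n;
    default: throw new Error("unsupported operator " + op);
  }
}

// Predicates named as in the filter strings, applied to plain snapshot objects (assumed semantics).
const predicates = {
  isCode: (obj, code) => obj.code === code,
  isCount: (obj, op, n) => compare(obj.count, op, n),
  isRequestCount: (obj, op, n) => compare(obj.requestCount, op, n),
  isActive: (obj) => obj.active === true,
};

// Turn "isCode('23008') && isCount('>=','1')" into a function obj => boolean.
function compileFilter(filter) {
  const terms = filter.split("&&").map((term) => {
    const m = /^\s*(\w+)\((.*)\)\s*$/.exec(term);
    if (!m || !predicates[m[1]]) throw new Error("unsupported filter term: " + term);
    const raw = m[2].trim();
    const args = raw === "" ? [] : raw.split(",").map((a) => a.trim().replace(/^'(.*)'$/, "$1"));
    return (obj) => predicates[m[1]](obj, ...args);
  });
  return (obj) => terms.every((t) => t(obj));
}

// Profile stand-in backed by a snapshot { incidentTypes, sessions, responses }.
function makeProfile(snapshot) {
  return {
    getIncidentTypes: (f) => snapshot.incidentTypes.filter(compileFilter(f)),
    getSessions: (f) => snapshot.sessions.filter(compileFilter(f)),
    getResponses: (f) => snapshot.responses.filter(compileFilter(f)),
  };
}

// mykonos stand-in: activating a response marks it active on the snapshot and records the call.
function makeMykonos(snapshot, activations) {
  return {
    activateResponseCfg: (code, configXml) => {
      snapshot.responses.push({ code, active: true });
      activations.push({ code, configXml });
    },
  };
}

// The Code-tab logic, with the two thresholds from the note exposed as parameters.
function breakAuthenticationAnalyzer(profile, mykonos, minIncidents = 1, minRequests = 50) {
  if (profile.getIncidentTypes("isCode('23008') && isCount('>=','" + minIncidents + "')").length > 0
      && profile.getSessions("isRequestCount('>','" + minRequests + "')").length > 0
      && profile.getResponses("isCode('BA') && isActive()").length == 0) {
    mykonos.activateResponseCfg("BA", "<config message='Stop the Credential Attack!' />");
    return true;
  }
  return false;
}

// Run the analyzer repeatedly (as the newincident/newtraffic events would) against one profile.
function simulate(snapshot, runs) {
  const activations = [];
  const profile = makeProfile(snapshot);
  const mykonos = makeMykonos(snapshot, activations);
  const fired = [];
  for (let i = 0; i < runs; i++) fired.push(breakAuthenticationAnalyzer(profile, mykonos));
  return { fired, activations: activations.length };
}

// Constructed profile: one username-scan incident and a session with 120 login requests.
const attackerSnapshot = () => ({
  incidentTypes: [{ code: "23008", name: "Site Login Username scan", count: 1 }],
  sessions: [{ id: "sess-1", requestCount: 120 }],
  responses: [],
});

// Constructed profile below the request threshold: the response must not be activated.
const quietSnapshot = () => ({
  incidentTypes: [{ code: "23008", name: "Site Login Username scan", count: 1 }],
  sessions: [{ id: "sess-2", requestCount: 12 }],
  responses: [],
});

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(simulate(attackerSnapshot(), 3)));
  console.log(JSON.stringify(simulate(quietSnapshot(), 3)));
}
```

With the attacker snapshot the analyzer fires on the first run only; on later runs the active “BA” response makes the third condition false, which is exactly what the guard in the original code is for. Changing the minIncidents or minRequests arguments is the offline equivalent of editing the isCount and isRequestCount checks described in the note.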
Summary
The steps described in this application note can be used to configure WebApp Secure to protect your Web applications
from brute force credential attacks. After configuration of the Login Processor, WebApp Secure will cause automated
credential attacks to fail with errors by responding with a captcha by default. By taking an additional step to configure the
“Break Authentication Autoresponse,” WebApp Secure will apply Intrusion Deception that allows the automated attack to
continue and finish, but the attack will not be successful since all of the attacker’s credentials will be marked “invalid.”
3500217-001-EN Jan 2014
About Juniper Networks
Juniper Networks is in the business of network innovation. From devices to data centers, from consumers to cloud
providers, Juniper Networks delivers the software, silicon and systems that transform the experience and economics of
networking. The company serves customers and partners worldwide. Additional information can be found at
www.juniper.net.