
Page 1: Deploying the Cisco ACE XML Gateway · X509 certificates SAML statements Message Integrity Integrity of all or part of a message Builds on XML-Signature Supports multiple and overlapping

© 2009 Cisco Systems, Inc. All rights reserved. 1BRKAPP-2014 Cisco Public

Deploying the Cisco ACE XML Gateway

BRKAPP-2014

Chris O’Brien, Cisco

Page 2

Housekeeping

• We value your feedback: don't forget to complete your online session evaluations after each session and complete the Overall Conference Evaluation, which will be available online from Thursday
• Visit the World of Solutions
• Please remember this is a 'non-smoking' venue!
• Please switch off your mobile phones
• Please make use of the recycling bins provided
• Please remember to wear your badge at all times, including the Party

Page 3

Cisco Application Delivery Networks

WAN Acceleration
• Data redundancy elimination
• Window scaling
• LZ compression
• Adaptive congestion avoidance

Application Acceleration
• Latency mitigation
• Application data cache
• Meta data cache
• Local services

Application Optimization
• Delta encoding
• FlashForward optimization
• Application security
• Server offload

Application Networking
• Message transformation
• Protocol transformation
• Message-based security
• Application visibility

Application Scalability
• Server load-balancing
• Site selection
• SSL termination and offload
• Video delivery

Network Classification
• Quality of service
• Network-based app recognition
• Queuing, policing, shaping
• Visibility, monitoring, control

Page 4

Other Cisco Live Breakout Sessions that You May Want to Attend

BRKAPP-2002 Server Load Balancing Design

BRKAPP-3003 Troubleshooting ACE

BRKAPP-1004 Introduction WAAS

BRKAPP-2005 Deploying WAAS

BRKAPP-3006 Troubleshooting WAAS

BRKAPP-1008 What can Cisco IOS do for my application?

BRKAPP-1009 Introduction to Web Application Security

BRKAPP-2010 How to build and deploy a scalable video communication solution for your organization

BRKAPP-2011 Scaling Applications in a Clustered Environment

BRKAPP-2013 Best Practices for Application Optimization illustrated with SAP, Siebel and Exchange

BRKAPP-2014 Deploying AXG

BRKAPP-1015 Web 2.0, AJAX, XML, Web Services for Network Engineers

BRKAPP-1016 Running Applications on the Branch Router

BRKAPP-2017 Optimizing Application Delivery

BRKAPP-2018 Optimizing Oracle Deployments in Distributed Data Centers

Figure: relevancy of each session to Applications, ISR, GSS, WAAS, ACE, AXG and ACNS (chart not reproduced)

Page 5

Data Center Evolution Affects Security

Full circle for Securing your Applications: Reputation, Regulatory Compliance, Efficient Business Operations, Limiting Liability

Page 6

The “Accidental Architecture”
• Siloed
• Complex, heterogeneous infrastructure
• New developments and applications
• Fragmented Security

Figure: Email, File & Print; Web/Application Server Farm; Blade Servers; Departmental Servers; IBM Mainframe with OSA; Storage & Backup; Point Appliances

Page 7

Introducing Cisco ACE AXG
• Builds on top of industry-leading Cisco ACE XML Gateway platform
• Can be software upgraded to full ACE XML Gateway solution
• Web Application Firewall: protects your custom HTTP and HTML applications from high-impact Web-borne attacks
• SOA, Web Services, and XML Threat Defense: secures and offloads web services transactions

Extensive HTML and XML Application Security

Page 8

Platform Specifications
• 1 rack unit
• Four 10/100/1000 Gigabit Ethernet ports
• 4-GB RAM
• High-performance dual-core, dual-processor architecture
• High-performance cryptography acceleration
• Full FIPS 140-2 Level 3 compliance (optional)
• Hot-swappable dual SAS HDD, fan, and power supplies
• Full reverse proxy
• Deployable either as firewall, manager, or 2-in-1

Page 9

WAF and AXG XML Feature Comparison

Features                                               | ACE Web Application Firewall | ACE Web Application Firewall w/AXG
-------------------------------------------------------|------------------------------|-----------------------------------
Web Application Security                               | ●                            | ●
Privacy                                                | ●                            | ●
Encryption & Signature Support                         | ●                            | ●
Hardware SSL Acceleration (optional FIPS)              | ●                            | ●
Centralized Management, Monitoring, Logging, and Audit | ●                            | ●
Policy-based provisioning and versioning               | ●                            | ●
Protocol, Data and Security Mediation                  |                              | ●
XML Acceleration & Offload                             |                              | ●
Extensibility SDK                                      |                              | ●
Content Based Routing                                  |                              | ●

Page 10

Introduction to Web Services

Page 11

Applications Transition to SOA & Web 2.0
• Web 1.0: Siloed Applications
  – Making each app work on its own is challenging enough
  – Limited data sharing between applications
  – Challenges with Scalability, Security and Control
• Web 2.0 & SOA: Collaborative personalized User Experience
  – Inherently Internet/Web Services based
  – Dynamic Content, Rich Media

Figure: Siloed to Collaborative

Page 12

Why XML Web Services?
• XML is plain ASCII
• Introduces non-binary messaging
• XML messaging rides on top of existing application protocols
• XML over HTTP solves the problem of distributed applications across firewalls
• Guess what the ‘Web’ in Web Services is for? The communications can run over HTTP. SOAP is XML over HTTP – more on this topic in a few slides …

Loosely-coupled apps that use open standards to describe an interface for accessing them and a messaging format for communication

Page 13

XML in 10 seconds
• HTML = a set of tags to format data (eg: bold <b>, tables <td><tr>, colors <font>, etc.) – entirely focused on formatting rather than data
• XML = focuses on content rather than format. XML does not have any predefined tags. No such thing as <b>, <h1> etc.

XML:
  <customer>
    <name>
      <title>Mr.</title>
      <first-name>John</first-name>
      <last-name>Doe</last-name>
    </name>
    <street>123 ABC Street</street>
    <city>Anytown</city>
    <state>Ca</state>
    <zipcode>95134</zipcode>
  </customer>

HTML:
  <pre>
  <h1>Customer</h1>
  <h2>Title</h2>Mr.
  <h2>Name</h2>John Doe
  <h2>Address</h2>123 ABC Street Anytown Ca 95134
  </pre>

Page 14

Giving XML meaning: XML Schemas
• Schemas are rules that an XML document must abide by
• Popular ways to define schemas include Document Type Definition (DTD) or W3C XML Schema
• W3C XML Schema is far more prevalent for data-oriented style documents (e.g. restricting content, explicit data types)
• Provides a very convenient way to inform clients about the data types and ranges accepted by my exposed services

Page 15

Exchanging data in a WS world: SOAP
• Simple Object Access Protocol
• XML-based messaging format
• Rides on top of HTTP
• SOAP = XML over HTTP

http://172.25.89.140/WS/soapheaders.php?ARG=req

Page 16

Web Services – Extend the protocol stack

Frame:        Preamble | Dest Addr | Src Addr | Type | Data | CRC
IP Datagram:  IP Hdr | Src IP Addr | Dest IP Addr | Data
TCP Packet:   Src Port | Dest Port | Seq # | Ack # | Data
HTTP Request: Dest Addr | [Src Addr] | Data
SOAP Msg:     WS-Addr | Timestamp | Kerberos | XML-Sig | SOAP Data

Page 17

Web Services In Action

Figure: Web Service Consumers exchange SOAP messages with Web Services, which in turn front Databases

Page 18

Another Approach: REST
• REpresentational State Transfer: a reaction to the complexity of SOAP
• Leverages existing properties of HTTP to build application protocols
  – URLs name resources
  – HTTP methods (GET, POST, PUT, DELETE) name operations
  – XML encodes data
• Simpler to implement but limited to HTTP, no general message meta-data mechanism (SOAP Header)
• Increasingly popular with public web services: Amazon, eBay, Google, etc.

Page 19

SOA: it’s happening today!
• Salesforce.com: reports on their blog that over 40% of all of Salesforce.com traffic comes from their API.
• Amazon: 140,000 registered developers. Information Week article reported 3rd party sellers generated 28% of Amazon’s Q2 unit sales, or $490 million.
• eBay: Over 25,000 developers with 1,900 certified applications. A TechWeb story notes that during Q4CY05, eBay handled more than 8 billion Web service requests, up from less than 1 billion for the entire CY02.

SOA: capitalizing on the enterprise’s core competency

Some numbers: “XML accounted for 15% of internet traffic in 2005. By 2008, it is expected to account for 50%” – 451 Group

XML usage is increasing

http://blog.programmableweb.com/?p=277

Page 20

What is the ACE XML Gateway

Page 21

How can the ACE XML Gateway Help!!
• Proxy server that understands how to process XML and SOAP-based web services
• Provides functions for
  – Threat Defense
  – Authentication and Authorization
  – Server Optimization and Offload
  – Protocol Mediation

Page 22

Threat Defense: Structural XML analysis
• XML has a concept of being well-formed, that is, in compliance with all the syntax rules of XML. AXG can enforce that only well-formed documents are accepted

Not well-formed (rejected; note the unclosed and mismatched tags):
  <customer><name><title>Mr.<first-name>John</last-name><last-name>Doe</last-name></name><street>123 ABC Street<city>Anytown<state>Ca</state><zipcode>95134</zipcode></customer>

Well-formed (accepted):
  <customer><name><title>Mr.</title><first-name>John</first-name><last-name>Doe</last-name></name><street>123 ABC Street</street><city>Anytown</city><state>Ca</state><zipcode>95134</zipcode></customer>

Page 23

Threat Defense: DoS Protection
• AXG provides detection and blocking based on several DoS indicators:
  – Overall rate
  – Authentication failures
  – Per-message AXG CPU usage
  – Invalid messages
  – Backend latency
  – Backend errors
• Recommend deploying in warn-only mode first in order to tune thresholds.
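The indicator list and the warn-only recommendation above, as an added Python example that is not from the deck and not Cisco's code: a sliding-window threshold monitor that records per-indicator events and either warns or blocks once a threshold is crossed. The names (Indicator, DosMonitor, run_sample), the thresholds and the event stream are constructed for this illustration and bear no relation to AXG's own configuration model.

```python
"""Per-indicator DoS threshold monitor with a warn-only tuning mode (illustrative)."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Indicator:
    """One DoS indicator: fires when `threshold` events fall inside `window_s` seconds."""
    name: str
    threshold: int
    window_s: float
    events: deque = field(default_factory=deque)

    def record(self, ts: float) -> int:
        """Record an occurrence at time ts and return the count inside the window."""
        self.events.append(ts)
        while self.events and ts - self.events[0] > self.window_s:
            self.events.popleft()
        return len(self.events)


class DosMonitor:
    """Routes events to indicators; in warn-only mode alerts are logged but nothing is blocked."""

    def __init__(self, indicators, warn_only=True):
        self.indicators = {i.name: i for i in indicators}
        self.warn_only = warn_only
        self.alerts = []  # (timestamp, indicator name, count in window)

    def observe(self, ts, name):
        """Return 'ok', 'warn' (warn-only mode) or 'block' for one event."""
        count = self.indicators[name].record(ts)
        if count < self.indicators[name].threshold:
            return "ok"
        self.alerts.append((ts, name, count))
        return "warn" if self.warn_only else "block"


# Constructed sample stream: six authentication failures inside two seconds,
# one invalid message, then a lone failure long after the window has expired.
SAMPLE_EVENTS = [
    (0.0, "auth_failures"), (0.5, "auth_failures"), (1.0, "invalid_messages"),
    (1.2, "auth_failures"), (1.4, "auth_failures"), (1.6, "auth_failures"),
    (1.8, "auth_failures"), (20.0, "auth_failures"),
]


def run_sample(warn_only=True):
    """Run the sample stream; return (verdict per event, alerts raised)."""
    monitor = DosMonitor(
        [Indicator("auth_failures", threshold=5, window_s=10.0),
         Indicator("invalid_messages", threshold=3, window_s=10.0)],
        warn_only=warn_only,
    )
    verdicts = [monitor.observe(ts, name) for ts, name in SAMPLE_EVENTS]
    return verdicts, monitor.alerts


if __name__ == "__main__":
    for mode in (True, False):
        verdicts, alerts = run_sample(warn_only=mode)
        print("warn_only" if mode else "blocking", verdicts, len(alerts), "alerts")
```

Running the same stream in both modes shows why the slide recommends warn-only first: the alerts are identical, so the thresholds can be tuned on real traffic before any request is dropped.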

Page 24

Threat Defense: Content Screening
• Signature-based protection against malicious content or content policy violations
• SQL Injection attack prevention
• Cross-site scripting protection
• Masking of national ID numbers (Social Security in US), email addresses, phone numbers
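The masking bullet above, as an added Python example (not Cisco's implementation): ordered regular expressions replace US Social Security numbers, e-mail addresses and phone numbers in message text and report how many of each were masked. The rule names, the patterns and the sample customer record are constructed for this illustration; the patterns are deliberately simple and would be tuned per country and applied to element text rather than raw markup in a real gateway.

```python
"""Regex-based masking of national IDs, e-mail addresses and phone numbers (illustrative)."""
import re

# Ordered rules: SSN runs first so that its digit groups are never partially
# consumed by the looser phone-number pattern. Constructed, not AXG signatures.
MASK_RULES = [
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "***-**-****"),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), "[email masked]"),
    # US-style numbers: optional +1, optional parentheses, digit groups 3-3-4.
    ("phone", re.compile(r"(?<!\d)(?:\+?1[ .-])?\(?\d{3}\)?[ .-]\d{3}[ .-]\d{4}(?!\d)"),
     "[phone masked]"),
]


def mask_sensitive(text):
    """Return (masked_text, counts) with counts mapping rule name -> substitutions made."""
    counts = {}
    for name, pattern, replacement in MASK_RULES:
        text, n = pattern.subn(replacement, text)
        if n:
            counts[name] = n
    return text, counts


# Constructed sample response body containing all three data classes.
SAMPLE_BODY = (
    "<customer><ssn>123-45-6789</ssn><email>john.doe@example.com</email>"
    "<phone>(408) 555-0199</phone><alt>+1 408-555-0123</alt></customer>"
)

if __name__ == "__main__":
    masked, counts = mask_sensitive(SAMPLE_BODY)
    print(masked)
    print(counts)
```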

Page 25

Authentication and Authorization
• Threat Defense is all about what you want to keep out
• Authentication and Authorization is all about who you want to let in
• Wider variety of credentials for web services
• SOA architectures often assume identity is attached to the message at the edge

Page 26

AuthC/AuthZ: Credential Types
• Vary by level of IP stack
• TCP/IP: IP address
• SSL: Client X.509 certificate
• HTTP: Basic Auth, NTLM/SPNEGO
• XML: Embedded username/password
• SOAP: WS-Security usernames and passwords, X.509 certificates

Page 27

AuthC/AuthZ: Verification Methods
• Sometimes hard-coded on AXG:
  – Internal or external IP addresses
  – Client cert from trusted CA
• More frequently, AXG must consult an identity management system
  – LDAP (various brands)
  – Microsoft Active Directory
  – CA SiteMinder
  – Tivoli Access Manager
  – Oracle CoreID
  – Many Others

Page 28

Offload and Optimization

Move Web Services tasks off the server and into the network
• XSLT
• Schema Validation
• WS-Security
• SSL Termination

Page 29

Offload: XML Schema Validation
• Provides a way to specify the valid structure of an XML document
  – which elements can have children,
  – what children they must have,
  – how many they can have (zero, one, many),
  – what attributes are expected, etc.
• Additional syntactic validation above what well-formedness provides
• Ensures application only sees valid messages
• Also seen as part of threat defense
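The two gate stages the deck describes, structural (well-formedness) analysis on page 22 and schema validation here, as one added Python example that is not from the deck and not Cisco's code. Stage one rejects anything the parser cannot accept as well-formed XML; stage two checks the element tree against a small declarative description of which children each element may have and how many. That mini-schema format (a dict of element to child cardinalities) is an illustration invented here, not W3C XML Schema, and the function names (parse_well_formed, validate_structure, gate) are constructed; the two customer documents are the ones shown on page 22, the third is a constructed well-formed-but-invalid record.

```python
"""Two-stage XML gate: well-formedness check, then structural validation (illustrative)."""
import xml.etree.ElementTree as ET
from xml.etree.ElementTree import ParseError

# Constructed mini-schema: element -> {child tag: (min, max)}; max None = unbounded.
# Elements missing from the table must be leaves (text only, no children).
CUSTOMER_SCHEMA = {
    "customer": {"name": (1, 1), "street": (1, 1), "city": (1, 1),
                 "state": (1, 1), "zipcode": (1, 1)},
    "name": {"title": (0, 1), "first-name": (1, 1), "last-name": (1, 1)},
}


def parse_well_formed(doc):
    """Stage 1: return the root element, or None if the document is not well-formed XML.

    A production gate would also cap message size and nesting depth and refuse DTDs
    and entity expansion (e.g. via the defusedxml package); plain ElementTree is used
    here to stay dependency-free.
    """
    try:
        return ET.fromstring(doc)
    except ParseError:
        return None


def validate_structure(elem, schema, path=""):
    """Stage 2: return a list of violations; an empty list means the tree conforms."""
    here = f"{path}/{elem.tag}"
    errors = []
    rules = schema.get(elem.tag)
    children = list(elem)
    if rules is None:                      # leaf element: children are not allowed
        if children:
            errors.append(f"{here}: unexpected children {[c.tag for c in children]}")
        return errors
    for child in children:                 # only declared children may appear
        if child.tag not in rules:
            errors.append(f"{here}: unexpected element {child.tag}")
    for child_tag, (lo, hi) in rules.items():   # cardinality: zero, one, many
        n = sum(1 for c in children if c.tag == child_tag)
        if n < lo or (hi is not None and n > hi):
            upper = "*" if hi is None else hi
            errors.append(f"{here}: {child_tag} occurs {n} time(s), expected {lo}..{upper}")
    for child in children:                 # recurse into declared children
        if child.tag in rules:
            errors.extend(validate_structure(child, schema, here))
    return errors


def gate(doc, schema=CUSTOMER_SCHEMA):
    """Decision the gateway would make for one inbound document."""
    root = parse_well_formed(doc)
    if root is None:
        return "reject: not well-formed"
    if validate_structure(root, schema):
        return "reject: schema"
    return "accept"


# The two documents from the slide on structural analysis.
MALFORMED = ("<customer><name><title>Mr.<first-name>John</last-name><last-name>Doe</last-name></name>"
             "<street>123 ABC Street<city>Anytown<state>Ca</state><zipcode>95134</zipcode></customer>")
WELL_FORMED = ("<customer><name><title>Mr.</title><first-name>John</first-name><last-name>Doe</last-name></name>"
               "<street>123 ABC Street</street><city>Anytown</city><state>Ca</state><zipcode>95134</zipcode></customer>")
# Constructed: well-formed, but a duplicated zipcode and an undeclared element.
UNEXPECTED = ("<customer><name><first-name>John</first-name><last-name>Doe</last-name></name>"
              "<street>S</street><city>C</city><state>Ca</state><zipcode>1</zipcode><zipcode>2</zipcode>"
              "<extra>x</extra></customer>")

if __name__ == "__main__":
    for label, doc in (("malformed", MALFORMED), ("well-formed", WELL_FORMED), ("unexpected", UNEXPECTED)):
        print(label, "->", gate(doc))
```

The third document is the case the slide's last bullet is about: it passes the parser, so only the structural stage turns it away before the application ever sees it.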

Page 30

Offload: WS-Security
• Describes how to secure SOAP messages
• Defines how to identify the creator of the message
  – Carries multiple credential types including usernames & passwords, X509 certificates, SAML statements
• Message Integrity
  – Integrity of all or part of a message
  – Builds on XML-Signature
  – Supports multiple and overlapping signatures
• Message Confidentiality
  – Confidentiality of all or part of a message
  – Builds on XML-Encryption

XML Gateway implementations are significantly faster than typical application servers (100x)

Page 31

Example: WS-Security

  <soap:Envelope ..>
    <soap:Header ..>
      <wsse:Security>
        <wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
            EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" wsu:Id="RXFIDZQWHJTB">
          MIIENTCCA56gAwIBAgIBEDANBgkqhkiG9w0BAQQFADCBxjELMAkGA1UEBhMCVVMxFjAUBgNVBAgT...
        </wsse:BinarySecurityToken>
        <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
          <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <Reference URI="#RXFIDYQWHJTB">
              <Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms>
              <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
              <DigestValue>6mkomjZ5OgAyZbzWZi0lUrieH7o=</DigestValue>
            </Reference>
          </SignedInfo>
          <SignatureValue>d9scoCXAAEIiECp...</SignatureValue>
          <KeyInfo>
            <wsse:SecurityTokenReference>
              <wsse:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#RXFIDZQWHJTB"/>
            </wsse:SecurityTokenReference>
          </KeyInfo>
        </Signature>
      </wsse:Security>
    </soap:Header>
    <soap:Body wsu:Id="RXFIDYQWHJTB" ..>
      <retrieveQuoteResponse xmlns="http://oakinsurance.com/order/">
        <retrieveQuoteResult>
          <quoteId>0</quoteId><quantity>0</quantity>
          ...

The Reference URI (#RXFIDYQWHJTB) names the wsu:Id of the signed Body, and the SecurityTokenReference URI (#RXFIDZQWHJTB) names the BinarySecurityToken that carries the signer’s X.509 certificate.

Page 32

Offload: SSL Termination
• Offloads Crypto and connection handling from server
• Enables HTTP/1.1 connection re-use, SSL session re-use, client certificate authentication
• Consolidate private keys on AXG device, use same keys for SSL and WS-Security

Note: ACE can also terminate SSL; when to terminate where will be covered in Deployment Considerations

Figure: HTTPS on the client side of AXG, HTTP on the server side

Page 33

Protocol Mediation

Bridging between differing protocol expectations for web services consumers and producers

May occur at many levels of the network stack

Examples:
• HTTP Basic Auth to WS-Security
• AJAX to SOAP
• HTTP to MQ
• HTTP to JMS
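The first example in the list, HTTP Basic Auth to WS-Security, as an added Python illustration that is not Cisco's code: the gateway parses the client's Authorization header and inserts a WS-Security UsernameToken, in the password-digest form of the OASIS UsernameToken Profile 1.0, into the outbound SOAP header. The function names (parse_basic_auth, password_digest, add_username_token, mediate, username_token_fields), the sample credentials and the sample envelope are constructed here; the namespace and type URIs are the OASIS WS-Security 2004 ones. The client leg still relies on SSL termination in front of the gateway, since Basic Auth carries the password in the clear.

```python
"""Protocol mediation: HTTP Basic Auth -> WS-Security UsernameToken (illustrative)."""
import base64
import hashlib
import os
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

# OASIS WS-Security 2004 namespaces and UsernameToken Profile 1.0 type URIs.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PW_DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
for _prefix, _uri in (("soap", SOAP), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(_prefix, _uri)


def parse_basic_auth(header_value):
    """Return (username, password) from an 'Authorization: Basic ...' value, or None if malformed."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):      # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def password_digest(nonce, created, password):
    """UsernameToken profile: Base64(SHA-1(nonce || created || password)), nonce as raw bytes."""
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()


def add_username_token(envelope_xml, username, password, nonce=None, created=None):
    """Insert wsse:Security/UsernameToken into the SOAP Header (created if absent); return XML text."""
    nonce = os.urandom(16) if nonce is None else nonce
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    root = ET.fromstring(envelope_xml)
    header = root.find(f"{{{SOAP}}}Header")
    if header is None:
        header = ET.Element(f"{{{SOAP}}}Header")
        root.insert(0, header)
    security = ET.SubElement(header, f"{{{WSSE}}}Security")
    token = ET.SubElement(security, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE}}}Username").text = username      # ElementTree escapes text
    ET.SubElement(token, f"{{{WSSE}}}Password", Type=PW_DIGEST).text = password_digest(nonce, created, password)
    ET.SubElement(token, f"{{{WSSE}}}Nonce", EncodingType=B64).text = base64.b64encode(nonce).decode()
    ET.SubElement(token, f"{{{WSU}}}Created").text = created
    return ET.tostring(root, encoding="unicode")


def mediate(authorization_header, envelope_xml, nonce=None, created=None):
    """Gateway step: reject a bad header (None) or emit the envelope with a UsernameToken."""
    creds = parse_basic_auth(authorization_header)
    if creds is None:
        return None
    return add_username_token(envelope_xml, creds[0], creds[1], nonce, created)


def username_token_fields(xml_text):
    """Read back Username/Password/Nonce/Created from a mediated envelope (for checking)."""
    token = ET.fromstring(xml_text).find(f".//{{{WSSE}}}UsernameToken")
    return {
        "username": token.findtext(f"{{{WSSE}}}Username"),
        "password": token.findtext(f"{{{WSSE}}}Password"),
        "nonce": token.findtext(f"{{{WSSE}}}Nonce"),
        "created": token.findtext(f"{{{WSU}}}Created"),
    }


# Constructed sample request: Basic credentials and a minimal SOAP envelope.
SAMPLE_AUTH = "Basic " + base64.b64encode(b"alice:s3cret").decode()
SAMPLE_ENVELOPE = f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Body><getQuote/></soap:Body></soap:Envelope>'

if __name__ == "__main__":
    print(mediate(SAMPLE_AUTH, SAMPLE_ENVELOPE))
```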

Page 34

Introduction to Web Application Security

Page 35

The Evolution of Intent: A Shift to Financial Gain

Threats Are Becoming Increasingly Difficult to Detect and Mitigate; Applications Are the Primary Targets

Figure: Threat Severity plotted against time (1990, 1995, 2000, 2005, 2007, What’s Next?); Vandalism: Basic Intrusions and Viruses; Notoriety: Viruses and Malware; Financial: Theft and Damage

Page 36

PCI DSS: Six Sections and Twelve Requirements

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data and sensitive information across open public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Section 6.5: Develop secure web apps, cover prevention of OWASP vulnerabilities

Section 6.6: Ensure all web-facing apps are protected against known attacks using either of the following methods
• secure coding practices
• installing a Web App FW*

*This becomes a requirement by June 2008

Page 37

OWASP—2007 Top Ten Attack List

Source: WhiteHat Security

OWASP = Open Web Application Security Project

Page 38

Traditional Network Firewalls Are Blind to Web Application Attacks

Figure: Web Client → Firewall (ports 80 and 443 open, unfiltered HTTP traffic) → Web Server → Application → Database Server

Page 39

Attacks!
• Unvalidated Input
• Cross-Site Scripting
• SQL Injection
• Cross-Site Request Forgery
• Cookie Tampering

Page 40

Attack #1—Unvalidated Input

What Is It?
• Web apps use parameters to obtain information from the client

How Is This Vulnerable?
• Developers focus on the legal values of parameters and how they should be utilized
• Too much credit given to client-side browser validation
• Little if any attention is given to the effect of incorrect values

Result
• The application acts according to the changed information, potentially giving access to other users’ accounts, confidential info, or anything else on the computer—vector for 90% of web-based attacks!

Page 41

Defense: Signature Rules Engine
• Blacklist approach: look for known and possible attacks in request content
• Signatures detect particular attack vectors using pattern matching, regular expressions
• Rules combine signatures to detect and block different types of attacks
• Profiles combine rules and other features and apply them to particular web applications
• Extensible via signature language—customer or partners

Page 42

Input Normalization: Example
• HTTP provides many ways to encode the same information. Input normalization “undoes” encodings to produce a canonical form of the request

  http://foo.com/query?bar=<script
  http://foo.com/query?bar=%3c%73%63%72%69%70%74

Both requests carry the same value for bar; the second is simply percent-encoded, so a signature that only matched the literal form would miss it without normalization.

Page 43

Signatures

Each Signature Has:
• User-readable name
• Signature ID
• Pattern used for initial match
• Regular expression used to confirm match

Page 44

Rules
• Rules apply signatures to places in the message
    REQUEST_PARAMS sig SQLInject
• Severity level allows user to control strictness of enforcement, likelihood of false positives
• Rules can be written very specifically
    REQUEST_PARAMS['name'].normalize(html) re ^foo.*

Page 45

Expression Language
• Variables make any part of the request message or its connection properties available
  – HTTP headers
  – HTTP body
  – Request parameters
  – Source and destination IP address
  – SSL properties (version, cipher, etc)
• Operators allow applying checks to the selected part of the message

Page 46

Attack #2—Cross Site Scripting

What Is It?
• User feeds data to the web application
• Web application doesn’t sanitize input and echoes back the query
• The unvalidated data contains a piece of JavaScript that is executed in the context of the user’s browser session
• A carefully formed link sent to a victim (usually by mail) results in the JavaScript code being run in the victim’s browser, sending information to the hacker

Why Does Cross Site Scripting Happen?
• Unvalidated input—example: HTML is permitted into a query parameter
• Application blindly echoes request back to browser

Result
• “Virtual hijacking” of the session by stealing cookies
• Any information flowing between the legitimate user and site can be manipulated or transmitted to a third party

Page 47

Cross Site Scripting Applications
• The second a hacker realizes a query parameter accepts HTML, he can trick your browser into doing virtually anything:
  – Build hidden forms that submit your cookies
  – Check your browsing history
  – Scan your subnet for certain hosts
  – etc.
• Commonly used in Phishing emails
• Experts estimate 80% of web sites are vulnerable (http://www.whitehatsec.com/downloads/WHXSSThreats.pdf)

Page 48

Defense: Cross Site Scripting signature set
• Looks for HTML in input stream
• Input decoding shrinks signature set
• But... What if I want to allow image tags?

Page 49

False Positives – Human Assisted Learning
• Cisco’s Human Assisted Learning lets you place a site in monitor mode
• When in monitor mode, security alerts are reported but traffic isn’t blocked
• You can click on each security incident and instruct the WAF to block traffic matching the pattern that caused the alert, or ignore it (false positive). The exception can be configured either at the profile level, or on a per web form parameter basis!
• HaL integrates the benefit of dynamic learning but removes the guesswork from the equation: you ultimately control what is acceptable or not for your applications


HaL Walkthrough

• Consider a web form with two input boxes. Both accept HTML and display it back to the user (fertile ground for XSS!), but suppose the “name” parameter can be exempted from XSS pattern checks

• This is what the site profile looks like before HaL intervenes:

Modifiers Represent Exceptions to the Classification Process
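As an added illustration (not part of the deck and not the ACE WAF’s rule set), the following Python shows why input decoding shrinks the signature set, how an allow-list can admit image tags without admitting event handlers, and how a per-parameter exemption like the one HaL creates for “name” is applied. The signature patterns and sample inputs are constructed for this example:

```python
import html
import re
from urllib.parse import unquote

# Constructed signature set (not the ACE WAF's rules). Because every parameter
# is canonicalised first, one pattern per construct suffices; without decoding,
# each URL- or entity-encoded variant would need its own signature.
XSS_SIGNATURES = [
    re.compile(r"<\s*script\b", re.I),                     # script element
    re.compile(r"<\s*[a-z][\w-]*[^>]*\son\w+\s*=", re.I),  # inline event handler
    re.compile(r"javascript\s*:", re.I),                   # script URL scheme
]
TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][\w-]*)")


def canonicalize(value, rounds=3):
    """Undo the encodings a client can layer on a parameter (URL encoding, then
    HTML entities). Repeated because decoders can be nested; stops early once a
    round changes nothing."""
    prev = None
    for _ in range(rounds):
        if value == prev:
            break
        prev = value
        value = html.unescape(unquote(value))
    return value


def find_tags(value):
    """Tag names present in the decoded value, lower-cased."""
    return [m.group(1).lower() for m in TAG_RE.finditer(value)]


def inspect_parameter(name, raw, allowed_tags=frozenset(), exempt=frozenset()):
    """Decide whether a form parameter should be blocked.

    allowed_tags: tag names tolerated in this parameter (the "allow image
                  tags" case); event handlers are still rejected.
    exempt:       parameters excluded from XSS checks entirely, the
                  per-parameter modifier of the HaL walkthrough.
    Returns a dict with the decoded value and the verdict.
    """
    decoded = canonicalize(raw)
    verdict = {"param": name, "decoded": decoded, "block": False, "reason": "clean"}
    if name in exempt:
        verdict["reason"] = "exempt"
        return verdict
    for sig in XSS_SIGNATURES:
        if sig.search(decoded):
            verdict.update(block=True, reason="signature:" + sig.pattern)
            return verdict
    disallowed = sorted({t for t in find_tags(decoded) if t not in allowed_tags})
    if disallowed:
        verdict.update(block=True, reason="html-tag:" + ",".join(disallowed))
    return verdict


if __name__ == "__main__":
    # Constructed sample inputs: (parameter, raw value, allowed tags, exempt set)
    samples = [
        ("q", "%3Cscript%3Ealert(1)%3C%2Fscript%3E", frozenset(), frozenset()),
        ("comment", "&lt;img src=&quot;/logo.png&quot;&gt;", frozenset(), frozenset()),
        ("comment", "&lt;img src=&quot;/logo.png&quot;&gt;", frozenset({"img"}), frozenset()),
        ("comment", "<img src=x onerror=alert(1)>", frozenset({"img"}), frozenset()),
        ("name", "<b>Bob</b>", frozenset(), frozenset({"name"})),
    ]
    for n, raw, allowed, ex in samples:
        v = inspect_parameter(n, raw, allowed, ex)
        print(f"{n:8} {'BLOCK' if v['block'] else 'allow':5} {v['reason']:45} {v['decoded']}")
```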


An XSS Attack Is Detected

• Inside the event log, a “Create Modifier” option appears

Create Modifier Is at the Heart of HaL


Options HaL Provides

Create Modifier Is at the Heart of HaL


Attack #3—SQL Injection

• SQL stands for Structured Query Language

• Allows applications to access a database

• SQL can:

Execute queries against a database

Retrieve data from a database

Insert new records in a database

Delete records from a database

Update records in a database

• Many applications take user input and blindly send it directly to the SQL API!


Anatomy of a SQL Injection Attack: Basic SQL Query for Payment Info

• Typical SQL query

SELECT cc_number FROM users
WHERE username = 'victor'
AND password = '123'

• Typical ASP/MS SQL Server login syntax (user input concatenated straight into the statement)

var sql = "SELECT cc_number FROM users" +
          " WHERE username = '" + form_user +
          "' AND password = '" + form_pwd + "'";


Anatomy of a SQL Injection Attack: SQL Injection—Bypass Login

• Attacker injects the following:

form_user = ' or 1=1 --
form_pwd = anything

• Final query would look like this:

SELECT * FROM users
WHERE username = '' or 1=1
-- AND password = 'anything'

(1=1 is always true; -- starts a SQL comment, so the password check is never evaluated)

• Attacker gains access to the application!

• Not just logins – alter database, dump payment card information…


Defense: SQL Injection signature set

• Detect SQL in input parameters
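Added example, not from the deck: the slide’s concatenated login query beside a parameterised one, both run against a constructed SQLite table with the slide’s injected input, plus a constructed signature check of the kind “detect SQL in input parameters” describes. The table contents, the signature patterns and the use of SQLite are assumptions of this example:

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory table matching the slide's query. Passwords are
    kept in clear only to mirror the slide; real systems store salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, cc_number TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("victor", "123", "4111-1111-1111-1111"), ("alice", "s3cret", "5500-0000-0000-0004")],
    )
    return conn


def lookup_concat(conn, form_user, form_pwd):
    """Vulnerable: the slide's ASP pattern, user input spliced into the SQL text."""
    sql = ("SELECT cc_number FROM users WHERE username = '" + form_user
           + "' AND password = '" + form_pwd + "'")
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, form_user, form_pwd):
    """Hardened: placeholders; the driver sends the values separately from the
    statement, so quotes and comment markers in them are just characters."""
    sql = "SELECT cc_number FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (form_user, form_pwd))]


# Constructed signatures (not Cisco's rule set): a quote followed by a
# tautology, or a comment marker / stacked statement.
SQLI_SIGNATURES = [
    re.compile(r"'\s*(or|and)\s+\S+\s*=\s*\S+", re.I),
    re.compile(r"--|/\*|;\s*(drop|delete|update|insert)\b", re.I),
]


def flag_sql_in_parameter(value):
    """True when a parameter value matches one of the signatures."""
    return any(s.search(value) for s in SQLI_SIGNATURES)


def demo():
    """Run the legitimate login and the slide's injected one through both lookups."""
    conn = make_db()
    legit = ("victor", "123")
    injected = ("' or 1=1 --", "anything")
    return {
        "concat_legit": lookup_concat(conn, *legit),
        "concat_injected": lookup_concat(conn, *injected),      # every row leaks
        "param_legit": lookup_param(conn, *legit),
        "param_injected": lookup_param(conn, *injected),        # no match
        "waf_flags_injected": flag_sql_in_parameter(injected[0]),
        "waf_flags_obrien": flag_sql_in_parameter("O'Brien"),   # apostrophe alone is fine
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:20} {v}")
```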


Defense: Response Message Rewrite

• Search for and replace questionable content in responses from server


Attack #4—CSRF

• “Whereas cross-site scripting exploits the trust a user has in a website, a cross-site request forgery exploits the trust a Web site has in a user by forging a request from a trusted user.” (source: Wikipedia)

• How does it work:

Bob is logged into his bank’s website

Bob is also chatting/reading a blog at the same time

Hacker posts a comment in the blog inviting Bob to click a link

The link performs an action on Bob’s bank

As Bob is logged in, the action has the potential to succeed

• Simple example: http://www.google.com/setprefs?hl=ga

• Note that Bob doesn’t even have to click a link – a simple <img src="http://example.org/buy.php?item=PS3&qty=500"> on a web page could suffice!


Defense: CSRF

• Not trivial, no simple one-stop solution

• Several server-side solutions:

Generate random tokens for forms or actions so a hacker can’t guess them

Make sure the site isn’t XSS-vulnerable

Use CAPTCHAs


Defense: Referrer enforcement

• The browser/client populates the ‘Referer’* header to indicate the address (URI) of the resource from which the Request-URI was obtained

• WAF can require that the header be a link on the same web site

• Not foolproof – spoofing has been demonstrated!

* (sic) – it’s misspelled in the specification
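Added example (not the deck’s or Cisco’s code) of the two server-side defenses just listed: a per-session random token checked on every state-changing request, with the Referer check as a backstop rather than the primary control. The origin https://bank.example, the session store and the scenario values are constructed for this example:

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://bank.example"   # assumption: origin of the protected site


class SessionStore:
    """Constructed stand-in for server-side session state, keyed by session id."""

    def __init__(self):
        self._sessions = {}

    def new_session(self):
        sid = secrets.token_urlsafe(32)
        # One unguessable token per session; it is rendered into every form as
        # a hidden field and is never readable from a third-party page.
        self._sessions[sid] = {"csrf": secrets.token_urlsafe(32)}
        return sid

    def has(self, sid):
        return sid in self._sessions

    def csrf_token(self, sid):
        return self._sessions[sid]["csrf"]


def referer_is_same_site(headers):
    """The Referer (sic) header must point at our own origin. A missing header
    is rejected here. Non-browser clients can send any value, so this only
    backs up the token check."""
    ref = headers.get("Referer")
    if not ref:
        return False
    parts = urlsplit(ref)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def authorize_state_change(store, sid, headers, form):
    """Gate a state-changing request (transfer, purchase, preference change).
    Returns (allowed, reason)."""
    if not store.has(sid):
        return False, "no valid session"
    expected = store.csrf_token(sid)
    supplied = form.get("csrf_token", "")
    # Constant-time comparison. An <img>-triggered GET or a form forged on
    # another site cannot supply the token because it never saw it.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "csrf token missing or wrong"
    if not referer_is_same_site(headers):
        return False, "cross-site referer"
    return True, "ok"


def demo():
    """Constructed scenario: Bob's bank session, a request from the bank's own
    page, and requests arriving from a blog page."""
    store = SessionStore()
    sid = store.new_session()
    token = store.csrf_token(sid)
    own_page = {"Referer": "https://bank.example/transfer"}
    blog_page = {"Referer": "https://blog.example/post"}
    return {
        "legit": authorize_state_change(store, sid, own_page, {"csrf_token": token}),
        "img_tag": authorize_state_change(store, sid, blog_page, {}),  # no token possible
        "guessed": authorize_state_change(store, sid, own_page, {"csrf_token": "guess"}),
        "token_ok_cross_site": authorize_state_change(store, sid, blog_page, {"csrf_token": token}),
        "no_session": authorize_state_change(store, "bogus", own_page, {}),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:20} {v}")
```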


Attack #5—Broken Authentication and Session Management Using Cookie Tampering

What Is It?

• A cookie that has had its value changed by the user

• Cookie storage is managed and controlled by the user

• Cookies can be viewed and modified by the user

• Cookies transferred in the open can be captured and modified by a third party

Why Does It Happen?

• Cookie information is weakly encrypted or hashed

• Web application developers are unaware of the threat or lack the cryptographic expertise to prevent tampering

• The cookie is assumed to contain a certain format of content – an assumption that isn’t verified

Result

• Identity theft or impersonation by a third party altering the session id or authorization information stored in the cookie

• DoS or even remote command execution due to buffer overflows


Defense: Cookie Tampering

• No need to reinvent the wheel—existing proven encryption algorithms are available to web application developers

• Use modern development frameworks for session maintenance

• Cisco’s WAF can encrypt cookies, only sending an MD5 hash of the actual cookie

Immune to tampering

Be aware that replay attacks are still possible


Cookie Security: Signing and Encryption

[Diagram: cookie exchanged between clients and the web server, before and after encryption]

Original cookie:
sess1=1800; expires=Mon, 15-Dec-2006 1:03:00 GMT; path=/; domain=.google.com; secure

After encryption:
CP_EN7a989b1f1b9e966e47d629eec63302d3571d1677b27fe1bebba48df648b2edc=expires=Mon, 15-Dec-2006 1:03:00 GMT; path=/; domain=.cisco.com; secure
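Added example, not the WAF’s implementation: the slides describe cookie encryption with an MD5 hash of the cookie; this uses HMAC-SHA256 signing over the cookie name, value and an expiry instead (a swapped-in technique), so that a client-side edit is detected and a captured copy is only replayable until it expires. The key and the cookie values are constructed:

```python
import base64
import binascii
import hashlib
import hmac
import time

# Assumption: a server-side key that never reaches the client.
SERVER_KEY = b"constructed-example-key-replace-and-rotate"


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def seal_cookie(name, value, ttl_seconds, now=None, key=SERVER_KEY):
    """Produce a tamper-evident cookie value.

    Layout: base64(name|expiry|value) '.' base64(HMAC-SHA256(key, payload)).
    The name is inside the payload so a sealed value cannot be moved to a
    different cookie; the expiry bounds how long a captured copy is usable."""
    now = int(time.time()) if now is None else now
    payload = f"{name}|{now + ttl_seconds}|{value}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def open_cookie(name, sealed, now=None, key=SERVER_KEY):
    """Return the original value, or None if the cookie is malformed, carries a
    bad tag, belongs to another cookie name, or has expired."""
    now = int(time.time()) if now is None else now
    try:
        p64, t64 = sealed.split(".", 1)
        payload, tag = _unb64(p64), _unb64(t64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time, checked before parsing
        return None
    try:
        cname, expiry, value = payload.decode().split("|", 2)
        expiry = int(expiry)
    except (UnicodeDecodeError, ValueError):
        return None
    if cname != name or now >= expiry:
        return None
    return value


def tamper_value(sealed, old, new):
    """What a client editing its own cookie jar does: change the payload and
    keep the tag. Used here only to show that verification then fails."""
    p64, t64 = sealed.split(".", 1)
    payload = _unb64(p64).decode().replace(old, new).encode()
    return f"{_b64(payload)}.{t64}"


if __name__ == "__main__":
    sealed = seal_cookie("sess1", "1800", ttl_seconds=3600, now=1000)
    print("sealed:  ", sealed)
    print("valid:   ", open_cookie("sess1", sealed, now=2000))
    print("tampered:", open_cookie("sess1", tamper_value(sealed, "1800", "9999"), now=2000))
    print("expired: ", open_cookie("sess1", sealed, now=5000))
```

Replay within the expiry window is still possible, as the previous slide warns; binding the cookie to the session or the TLS channel is outside this example.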


Exception Mapping

• Replace server errors with WAF-generated content


HTTP Header Processing

Server Header Cloaking


Data Overflow Defense


Centralized Management and Deployment


Clustering: Stand-Alone ACE WAF

• Gateway and manager running on same appliance

• Used for demo and proof-of-concept situations or development environments


Clustering: Separate Manager

• Two or more appliances running gateway component

• One appliance running manager component

[Diagram: one Manager appliance and two Gateway appliances]


Clustering: Integrated Manager

• One appliance running both gateway and manager components

• One or more appliances running only gateway component

[Diagram: one Manager and Gateway appliance plus a Gateway-only appliance]


Deployment Modes

• One-armed: single NIC handles all traffic

Same VLAN for pre- and post-Gateway traffic

Simplest mode for configuration

• Multi-arm: multiple NICs for traffic

Different VLAN on each NIC

Static routes needed in most environments

Single routing table/default route for entire system

Decision as to which NIC to use made by Linux kernel based on Layer 3 destination address

Firewall policy has no concept of internal/external addresses!

• In either case, multiple IPs per VLAN possible for virtual hosting

[Diagram: example addressing for the two modes, 128.32.65.37 and 10.7.83.12]


Perimeter Security: One-Armed Proxy

• Traffic passes through ACE twice

• Easy to insert into existing ACE deployment

• Allows for fail-open or fail-closed configuration


Perimeter Security: Two-Armed Proxy

[Diagram: Web Application Consumers on the Public Internet, ACE Application Switch (public VIP 63.90.156.60), ACE WAFs, ACE Application Switch (internal VIP 10.20.1.200), Web Application Providers; internal interfaces in the 10.10.1.x, 10.20.1.x and 10.30.1.x ranges]

• Different contexts on same physical ACE can be used on both sides

• Best practice when backend is multiple hops from ACE WAF, need DMZ separation


One-Armed: Terminate SSL at ACE

• Consolidate keys on load balancer

• Use L7 classmap to direct traffic at ACE


One-Armed: Terminate SSL at ACE WAF

• Optionally perform end-to-end SSL to application


Deployment Example


Deployment Example

Steps to Deploy:

• Configure WAF network and cluster settings

• Define web application and apply profile

• Deploy in monitor mode and tune

• Re-deploy in enforcement mode


Network Diagram Before: No WAF

• Standard ACE L7 configuration with SSL termination, TCP reuse


Network Diagram After: with WAF

• Deployment mode: one-armed proxy, terminate SSL at ACE

• Two WAF devices, one acting as firewall, other as joint firewall and manager


Cable Devices

• Four RJ45 Gigabit Ethernet network interfaces

• One LOM NIC (see HP DL360 docs)

• Serial console

• VGA/keyboard video console

• Dual power supplies

• nCipher card reader (only on FIPS model)

[Rear-panel photo labels: LOM NIC; eth0, eth1; eth2, eth3; RS232; VGA; PS/2 keyboard; dual power supplies; nCipher]


Configure Network Settings

• Connect KVM or serial console

• Log in as “root”

• Set standard IP settings

IP address

Hostname

DNS server

NTP server

• Set as Gateway, Manager, or both


Log in to Manager

• Point browser at machine selected to be Manager, HTTPS, port 8243

https://172.25.91.151:8243/

• Log in as “administrator”, password “swordfish”


Configure as Cluster


Getting Started with the Cisco ACE WAF

1. A Wizard Helps You Define the Websites You Want to Protect

Call the WAF Wizard

Specify the IP Address or Name of the Backend Server

Monitor Means the WAF Alerts but Doesn’t Block—Extremely Convenient If You’re Leery of Deploying Inline


Getting Started with the Cisco ACE WAF

2. If (Host + URL) Classification Isn’t Sufficient, an Expert Mode Is Available

You Can Use Regular Expressions to Define the Site.

You Can Use Additional Parameters for Classification.


Getting Started with the Cisco ACE WAF

Full Classification Customization

3. You Can, for Instance, Require the Presence of a Given HTTP Header


Getting Started with the Cisco ACE WAF

Website Protected by the WAF

Factory-Shipped PCI Profile Applied

4. We Have Defined Our First Protected Web Server (http://172.25.89.140/)


Protecting the Website from XSS

XSS Protection

5. The WAF Ships with Predefined Profiles That You Can Clone and Edit


Fine-Tuning a Security Profile

XSS Rules Level

Action to Take When an XSS Is Detected

6. Inside a Profile You Find Groups of Rules (Rule = Signature)—Each Group Contains Rules Ranked by Security Level


7. The XSS Group Contains Rules That Are Cisco® Verified Signatures

Fine-Tuning a Security Profile

Hundreds of XSS Rules Are Shipped from the Factory.

Each Rule Has a Unique ID and a Security Level (basic, moderate, and strict).


Profile Ready to Be Deployed

XSS Protection Enabled with Level Strict

8. Here Is What Our Custom Test Profile Looks Like—XSS Protection Is Enabled


Associate the Profile to the Website

Profile “Test” Mapped to Our Website

9. Map the Profile to the Website


Deploy the Policy to the WAF Firewalls

Deltas Between Current Applied Policy and Proposed One Are Highlighted.

10. Cisco ACE WAF Ships with Strong Change Control and Audit Log Capabilities


11. Cisco ACE WAF Alerts You of Risks Associated with Certain Configuration Options

Proactive Notification of Potential Problems

Proactive Performance Warnings


12. Multiunit Deployment + Timestamp and Rollback of Policies

Verification of Successful Deployment

Policies Can Be Deployed to N Gateways

Timestamps


The Website Is Under Attack

Immediate Incident Report View

13. We Are Launching an XSS Attack Against the Website


Let’s Drill Down

The Name of the Attack Vector Is Provided

ID of the Rule that Caused the Alert

14. Let’s See What the Attack Looks Like


Detailed Security Event Drill-Down

Full Dump of Incoming Request

15. Detailed Forensics Are Available for Each Attack


What the User, Hacker, and Victim See

• The error message and HTTP return code are fully customizable; you can return your own HTML code and, for example, redirect the hacker to the main page

16. Default Error Text Is Returned to Browser (Fully Customizable)


Q and A


Recommended Reading: BRKAPP-3003 (source: Cisco Press)


Meet The Expert

To make the most of your time at Cisco Networkers 2009, schedule a Face-to-Face Meeting with a top Cisco Expert.

Designed to provide a "big picture" perspective as well as "in-depth" technology discussions, these face-to-face meetings will provide fascinating dialogue and a wealth of valuable insights and ideas.

Visit the Meeting Centre reception desk located in the Meeting Centre in World of Solutions
