Upload
marc-andre-heroux
View
499
Download
2
Tags:
Embed Size (px)
DESCRIPTION
In this article we explain how to increase your security posture against online spoofing.
Citation preview
Marc-Andre Heroux, CGEIT, CISA, CRMA, CRMP, ABCP, CISSP, NSA-IAM, NSA-IEMLinkedIn: http://ca.linkedin.com/in/herouxmaTwitter: @herouxma | IRC: herouxma on irc.freenode.net
There are many types of spoofing attacks onlineIn this article we explain how to increase your security posture against online spoofingDate: May 16th, 2014Draft Version
1
5/1
7/2
01
4M
arc
-An
dre
Hero
ux,
Dra
ft V
ers
ion
Online AuthenticationFederated information technology systems
Prerequisites• In this presentation, the clients and servers were not compromised;
• for critical Web applications, all communications must be in a tunnel (ex.: VPN);
• for critical activities accessing sensitive information, using a RSA Secure ID is strongly suggested;
• all exchanges must be done with the corrected SSL if not in a tunnel.
2
5/1
7/2
01
4M
arc
-An
dre
Hero
ux,
Dra
ft V
ers
ion
Validating against a server, a nonce at layer 5 can prevent: CSRF and spoofing (ex.: SAML).
Web servers cluster
Identity Provider (IdP)
Deliver nonce (a secret)
If authentication successful (receive secret)
Receive requests based on a secret
Verify and validate Secret (ex.: SAML ID)
Use Web ApplicationVerify and
validate
credentials
Directory (ex.: secure LDAP)
State
-full
packet
firewall
WAF/IDS/IP
S
INTERNET
1
2
3
4
Trusted?
Trusted?
Deliver authorized content 6
Server validation (SAML)
Threat Agent
Sends email with malicious codes and conduct various external attacks from layer 3 to 7.
3
5/1
7/2
01
4M
arc
-An
dre
Hero
ux,
Dra
ft V
ers
ion
JavaScript/Ajax Authentication
Hijacking
5
<script>malicious codes</script>
● Comparing server generated nonce vs nonce submitted in hidden HTML form field value is also considered a good practice;
● then we have Web authentication as follow: something you receive from web server (nonce) and something you send to web server as a client (nonce).
Server validation (CSRF)
ThreatThreat
Web ServerWeb Server
SAML TTLSAML TTL
Web ServerWeb Server
Read cookieRead cookie
SAML IDSAML ID
Cookie in browser
Cookie in browser
Web BrowerWeb
Brower
Nonce hidden field
Nonce hidden field
Malicious code sent in custom form and post to Web server
1. The attacker doesn’t know the nonce;
2. The attacker can’t guess the nonce;
3. The attacker cannot send the nonce in a hidden field;
4. Server or WAF reject the post.Confidentiality, integrity and accessibility of
the SAML ID1. The IdP must always be available so well
protected (hardened, monitored, etc.);2. The ID can be retrieve in header by a
Man-in-the-middle attack (VPN and correct SSL can protect);
3. The ID must be long enough and not be guessable;
4. The ID must be compared between Web server and IdP before authorizing access.
Likelihood of the attackIf the SAML ID is compromised:1. The attacker will gain access to your Web
application for the time-to-live of the SAML ID;
2. If the IdP or the LDAP server are compromised, the overall solution is compromised;
3. To prevent a complete take over of your infrastructure by an attacker, never use a critical account without a RSA Secure ID.
Compare nonce post vs set by
server
Compare nonce post vs set by
server
Success
4
CookieCookie
5/1
7/2
01
4M
arc
-An
dre
Hero
ux,
Dra
ft V
ers
ion
Subject and object: always make sure to identify and authenticate your subject or your object and provide proper authorization to reduce potential false negative results and security incidents;
JavaScript/AJAX: can be easily injected and you cannot rely on it without server validation (ex: IdP);
The cookie: name and values must not be guessable or stealable;
The maximum cookie size: about 4K.
Few basics principles
Marc
-An
dre
Hero
ux,
Dra
ft V
ers
ion
5
5/1
7/2
01
4
Among others, when using cookies its important to follow these principles:
• Limit the amount of sensitive information stored in the cookie;
• Limit the subdomains and paths to prevent interception by another application;
• Enforce SSL so the cookie isn’t sent in cleartext;
• Use values hard to guess (name, IDs, etc.) and set expiration value (the more critical, the shorter);
• Make the cookie HttpOnly so its not accessible to javascript. 6
Who stole my cookies? 5/1
7/2
01
4M
arc
-An
dre
Hero
ux,
Dra
ft V
ers
ion
If form hidden nonce value different than server nonce set for current client session, it's a threat;
if SAML ID in header is different than server xml http request result of ID stored @identity server provider, a threat tried to forged the SAML ID;
else, the context can be considered acceptable.
Exemple of a SAML ID:
<saml:Assertion ID="_b07b205c-7c29-gr16-4300-5f3e6f7923vc " IssueInstant="2014-18-05T18:35:10.728Z" Version="2.0"> <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"> https://saml.oracle.com </saml:Issuer>
Pseudocode
7
5/1
7/2
01
4M
arc
-An
dre
Hero
ux,
Dra
ft V
ers
ion
Also and not new: most common IP spoofing can usually be dropped and logged by a basic packet layer 3 firewall.
# netfilter/iptablesRule 0 (eth0)# # anti spoofing rule# $IPTABLES -N In_RULE_0$IPTABLES -A INPUT -i eth0 -s 192.0.2.1 -j In_RULE0 $IPTABLES -A INPUT -i eth0 -s 192.168.1.1 -j In_RULE_0 $IPTABLES -A INPUT -i eth0 -s 192.168.1.0/24 -j In_RULE_0 $IPTABLES -A FORWARD -i eth0 -s 192.0.2.1 -j In_RULE_0 $IPTABLES -A FORWARD -i eth0 -s 192.168.1.1 -j In_RULE_0 $IPTABLES -A FORWARD -i eth0 -s 192.168.1.0/24 -j In_RULE_0 $IPTABLES -A In_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY "$IPTABLES -A In_RULE_0 -j DROP
! Cisco Rule 0 (Ethernet1/0)! anti-spoofing rule! access-list outside_acl_in remark 0 (Ethernet1/0)access-list outside_acl_in remark anti-spoofing ruleaccess-list outside_acl_in deny ip host 192.0.2.1 any access-list outside_acl_in deny ip host 192.168.2.1 any access-list outside_acl_in deny ip host 192.168.1.1 any access-list outside_acl_in deny ip 192.168.1.0 255.255.255.0 any
access-group outside_acl_in in interface outside
Here is an example of iptables and cisco rules for internal network (match all addresses of the firewall (192.168.1.1, 192.0.2.1) and network behind it (192.168.1.0/24):
State-full Packet firewall
8
5/1
7/2
01
4M
arc
-An
dre
Hero
ux,
Dra
ft V
ers
ion
Integrity and confidentiality are very important in the authentication process and avoid the use of cookies is suggested, especially for critical applications;
In order to support the authentication, authentication systems must be available at all time (ex: IdP server);
The likelihood of an attack in this scenario is considered the duration of the session SAML ID key, little bit similar to the likelihood of a RSA secure ID token;
Restrict POST from legitimate and acceptable source only and use nonce;
While using an RSA Secure ID device for critical activities, we increase the security posture to a very interesting level;
Many security appliances are using the same CA private key across all devices. This is particularly dangerous, since the universal CA private key can be extracted from any single device by an attacker. With the private key, the attacker can be seen as trustable by all devices using the public key to secure transport as well as payload.
Conclusion
9
5/1
7/2
01
4M
arc
-An
dre
Hero
ux,
Dra
ft V
ers
ion
Carnegie Mellon University, Analyzing Forged SSL Certificates in the Wild,Lin-Shung Huang, Alex Rice, Erling Ellingsen, Collin Jackson
Oracle, Developing Security Providers for WebLogic Server, Identity Assertion Providers,http://docs.oracle.com/cd/E15051_01/wls/docs103/dvspisec/ia.html
Robert Hafner, How to Create Totally Secure Cookies,http://blog.teamtreehouse.com/how-to-create-totally-secure-cookies
FirewallBuilder, Anti-spoofing rule,http://www.fwbuilder.org/4.0/docs/users_guide5/anti-spoofing-rules.shtml
IBM Research - India, Security Analysis of Web-based Identity Federation,Apurva Kumar
Cisco, SAML SSO Deployment Guide for Cisco Unified Communications,Applications, Release 10.0(1), First Published: December 06, 2013,Last Modified: May 08, 2014
OASIS, Assertions and Protocols for the OASIS, Security Assertion Markup Language, (SAML) V2.0, OASIS Standard, 15 March 2005
I want to thanks the following sources and authors:
10
References 5/1
7/2
01
4M
arc
-An
dre
Hero
ux,
Dra
ft V
ers
ion