[OWASP Poland Day] Web App Security Architectures
2 likes•460 views
The document discusses web application security architectures and their components. It provides an example of a practical web application security architecture that includes: network firewalls separating different zones, web applications and services located in a DMZ zone, a web application firewall, centralized user identities stored in Active Directory, single sign-on authentication, and identity federation components. It also discusses managed security services and a security operations center.
[OWASP Poland Day] Web App Security Architectures
- 1. Teammeeting Application Security Oktober 2016 Michael Schläpfer Web App Security Architectures Cracow, October 2017 Michael Schläpfer
- 2. Seite 2 The Need for a Web Application Security Architecture
- 3. Office Home En Route Apps are usually embedded into a larger system Seite 3 Workstation Notebook Mobile Tablet Email Time Schedulie Intranet Applications Users Devices Entry Points Services Employees Field Worker Externals Specialists Guests Threat Agents
- 4. Web Application Security Architecture Components Seite 4 Cloud Services Internal Network Web Applications Web Applications Service Provider Employees / Customers / Partners (External) Central Identity Store Employees (Internal) Intranet 2FA Provider Internet IdM Solution WAF Auth IdP
- 5. United Security Providers’ Products and Services Firewall Wide Area Network Remote Access Mail Gateway Network Access Web Proxy Web Application Firewall Web Authenti- cation 600 world wide customer locations 850’000 end users 7x24h security operations
- 6. www.bluesec.pl BLUEsec is a team of professionals working in the field of information security. Our goal is to provide the highest possible level of cybernetic security for organization assets. We provide a wide range of high-quality services and products to build an adequate to needs security model. Our values are knowledge, responsibility and trust. We always seek to be the best. We perform projects in the areas of critical infrastructure and in the field of systems and special purpose infrastructure. We worked for organizations from the energy, finance, public administration, government, health and construction sectors. We are a part of BLUE energy, a Polish consulting company operating in the fields of management, organization, security, strategy and development. The mission of BLUE energy is to develop Polish entrepreneurship by providing efficient and innovative business, organizational and IT solutions and by improve efficiency of communication between business and the public sector. BLUE energy – polish consulting company| BLUEsec – cybernetic security
- 8. www.bluesec.pl SELECTED PROJECTS IN THE AREA OF IT SECURITY
- 9. Web Application Security Architecture Components Seite 9 Cloud Services Internal Network Web Applications Web Applications Service Provider Employees / Customers / Partners (External) Central Identity Store Employees (Internal) Intranet 2FA Provider Internet IdM Solution WAF Auth IdP
- 10. Goals 1 You know how a (typical) Web Application Security Architecture looks like and what components it (usually) consists of. 2 You know how to integrate your applications into such an environment.
- 11. Agenda 1. Web Application Security Architecture Components 2. Integration Tips & Tricks
- 12. A Practical Example of a Web Application Security Architecture Seite 12 Field Workers DMZ (Dual-Homed) Server Zone USP Client Zone SMS-Provider / YubiCloud / … OWA Portal App AD (LDAPS) Customer’s trusted devices (EMM), in a «trusted» IP- Subnet DMZ IP (shared) Internal IP 1 Internal IP 2 Public IP / Port- Forwarding (80/443) SaaS App 1 SaaS App 2 SAML SPs SAML IdP BYOD, in an «untrusted» IP-Subnet portal.customer.com => WAF’s Public IP portal.customer.com => WAF’s DMZ IP Mgmt-Access SOC Internet active passiveAccessWAF Managed VPN Remote Access Federate
- 13. A Practical Example – Network Firewalls / Network Zones Seite 13 Field Workers DMZ (Dual-Homed) Server Zone USP Client Zone SMS-Provider / YubiCloud / … OWA Portal App AD (LDAPS) Customer’s trusted devices (EMM), in a «trusted» IP- Subnet DMZ IP (shared) Internal IP 1 Internal IP 2 Public IP / Port- Forwarding (80/443) SaaS App 1 SaaS App 2 SAML SPs SAML IdP BYOD, in an «untrusted» IP-Subnet portal.customer.com => WAF’s Public IP portal.customer.com => WAF’s DMZ IP Mgmt-Access SOC Internet active passiveAccessWAF Managed VPN Remote Access Federate
- 14. A Practical Example – Web Applications and Services Seite 14 Field Workers DMZ (Dual-Homed) Server Zone USP Client Zone SMS-Provider / YubiCloud / … Customer’s trusted devices (EMM), in a «trusted» IP- Subnet DMZ IP (shared) Internal IP 1 Internal IP 2 Public IP / Port- Forwarding (80/443) SaaS App 1 SaaS App 2 SAML SPs SAML IdP BYOD, in an «untrusted» IP-Subnet portal.customer.com => WAF’s Public IP portal.customer.com => WAF’s DMZ IP Mgmt-Access SOC Internet AD (LDAPS) OWA Portal App active passiveAccessWAF Managed VPN Remote Access Federate
- 15. A Practical Example – Web Application Firewall Seite 15 Field Workers DMZ (Dual-Homed) Server Zone USP Client Zone SMS-Provider / YubiCloud / … Customer’s trusted devices (EMM), in a «trusted» IP- Subnet DMZ IP (shared) Internal IP 1 Internal IP 2 Public IP / Port- Forwarding (80/443) SaaS App 1 SaaS App 2 SAML SPs SAML IdP BYOD, in an «untrusted» IP-Subnet portal.customer.com => WAF’s Public IP portal.customer.com => WAF’s DMZ IP Mgmt-Access SOC Internet AD (LDAPS) OWA Portal App active passiveAccessWAF Managed VPN Remote Access Federate
- 16. A Practical Example – Users and Devices Seite 16 DMZ (Dual-Homed) Server Zone USP Client Zone SMS-Provider / YubiCloud / … OWA Portal AppDMZ IP (shared) Internal IP 1 Internal IP 2 Public IP / Port- Forwarding (80/443) SaaS App 1 SaaS App 2 SAML SPs SAML IdP portal.customer.com => WAF’s Public IP portal.customer.com => WAF’s DMZ IP Mgmt-Access SOC Internet AD (LDAPS) Field Workers BYOD, in an «untrusted» IP-Subnet Customer’s trusted devices (EMM), in a «trusted» IP- Subnet active passiveAccessWAF Managed VPN Remote Access Federate
- 17. A Practical Example – User Identities Seite 17 Field Workers DMZ (Dual-Homed) Server Zone USP Client Zone SMS-Provider / YubiCloud / … OWA Portal App Customer’s trusted devices (EMM), in a «trusted» IP- Subnet DMZ IP (shared) Internal IP 1 Internal IP 2 Public IP / Port- Forwarding (80/443) SaaS App 1 SaaS App 2 SAML SPs SAML IdP BYOD, in an «untrusted» IP-Subnet portal.customer.com => WAF’s Public IP portal.customer.com => WAF’s DMZ IP Mgmt-Access SOC Internet AD (LDAPS) active passiveAccessWAF Managed VPN Remote Access Federate
- 18. A Practical Example – Authentication Systems (SSO) Seite 18 Field Workers DMZ (Dual-Homed) Server Zone USP Client Zone OWA Portal App Customer’s trusted devices (EMM), in a «trusted» IP- Subnet DMZ IP (shared) Internal IP 1 Internal IP 2 Public IP / Port- Forwarding (80/443) SaaS App 1 SaaS App 2 SAML SPs SAML IdP BYOD, in an «untrusted» IP-Subnet portal.customer.com => WAF’s Public IP portal.customer.com => WAF’s DMZ IP Mgmt-Access SOC Internet SMS-Provider / YubiCloud / … AD (LDAPS) active passiveAccessWAF Managed VPN Remote Access Federate
- 19. A Practical Example – Identity Federation Components (CDSSO) Seite 19 Field Workers DMZ (Dual-Homed) Server Zone USP Client Zone SMS-Provider / YubiCloud / … OWA Portal App Customer’s trusted devices (EMM), in a «trusted» IP- Subnet DMZ IP (shared) Internal IP 1 Internal IP 2 Public IP / Port- Forwarding (80/443) BYOD, in an «untrusted» IP-Subnet portal.customer.com => WAF’s Public IP portal.customer.com => WAF’s DMZ IP Mgmt-Access SOC Internet SaaS App 1 SaaS App 2 SAML SPs SAML IdP AD (LDAPS) active passiveAccessWAF Managed VPN Remote Access Federate
- 20. A Practical Example – Managed Services and SOC Seite 20 Field Workers DMZ (Dual-Homed) Server Zone Client Zone SMS-Provider / YubiCloud / … OWA Portal App Customer’s trusted devices (EMM), in a «trusted» IP- Subnet DMZ IP (shared) Internal IP 1 Internal IP 2 Public IP / Port- Forwarding (80/443) SaaS App 1 SaaS App 2 SAML SPs SAML IdP BYOD, in an «untrusted» IP-Subnet portal.customer.com => WAF’s Public IP portal.customer.com => WAF’s DMZ IP Internet AD (LDAPS) USP Mgmt-Access SOC active passiveAccessWAF Managed VPN Remote Access Federate
- 21. A Practical Example of a Web Application Security Architecture Seite 21 Field Workers DMZ (Dual-Homed) Server Zone USP Client Zone SMS-Provider / YubiCloud / … OWA Portal App AD (LDAPS) Customer’s trusted devices (EMM), in a «trusted» IP- Subnet DMZ IP (shared) Internal IP 1 Internal IP 2 Public IP / Port- Forwarding (80/443) SaaS App 1 SaaS App 2 SAML SPs SAML IdP BYOD, in an «untrusted» IP-Subnet portal.customer.com => WAF’s Public IP portal.customer.com => WAF’s DMZ IP Mgmt-Access SOC Internet active passiveAccessWAF Managed VPN Remote Access Federate
- 22. Agenda 1. Web Application Security Architecture Components 2. Integration Tips & Tricks
- 23. Secure Gateway in the Middle Seite 23 ApplicationSecure Entry Server POST /web/a/start?action=login HTTP/1.1 Host: www.u-s-p.ch User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/ 20100101 Firefox/35.0 Accept-Language: en-US,en;q=0.5 Cookie: SCDID_S=2YNIgcWege5AjuNFo3jXf7W8... Connection: keep-alive EvilHeader: <script>attack</script> Content-Type: application/x-www-form-urlencoded Content-Length: 81 userid=user&password=pass&evilparam=evilvalue HTTP/1.1 200 OK Date: Fri, 13 Mar 2015 14:53:54 GMT Server: Secure Entry Server Cache-Control: no-cache,no-store,max-age=0 Content-Type: text/html;charset=UTF-8 Keep-Alive: timeout=10, max=300 Connection: Keep-Alive <html> <head></head> <body>…. <a href=https://www.u-s-p.ch/test>Click me</a> ...</body> </html> POST /web/a/start?action=login HTTP/1.1 Host: internal.host.ch User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/ 20100101 Firefox/35.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/ *;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: Username=user Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 81 userid=user&password=pass HTTP/1.1 200 OK Date: Fri, 13 Mar 2015 14:53:54 GMT Server: Apache/2.0.55 (Debian) PHP/5.1.2-1+b1 mod_ssl/2.0.55 OpenSSL/0.9.8b Cache-Control: no-cache,no-store,max-age=0 Content-Type: text/html;charset=UTF-8 Keep-Alive: timeout=10, max=300 Connection: Keep-Alive <html> <head></head> <body>… <a href=http://internal.host.ch/test>Click me</a> ….</body> </html> 1 Follow standard HTTP specs (RFC)
- 24. Secure Gateway in the Middle Seite 24 ApplicationSecure Entry Server POST /web/a/start?action=login HTTP/1.1 Host: www.u-s-p.ch User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/ 20100101 Firefox/35.0 Accept-Language: en-US,en;q=0.5 Cookie: SCDID_S=2YNIgcWege5AjuNFo3jXf7W8... Connection: keep-alive EvilHeader: <script>attack</script> Content-Type: application/x-www-form-urlencoded Content-Length: 81 userid=user&password=pass&evilparam=evilvalue HTTP/1.1 200 OK Date: Fri, 13 Mar 2015 14:53:54 GMT Server: Secure Entry Server Cache-Control: no-cache,no-store,max-age=0 Content-Type: text/html;charset=UTF-8 Keep-Alive: timeout=10, max=300 Connection: Keep-Alive <html> <head></head> <body>…. <a href=https://www.u-s-p.ch/test>Click me</a> ...</body> </html> POST /web/a/start?action=login HTTP/1.1 Host: internal.host.ch User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/ 20100101 Firefox/35.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/ *;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: Username=user Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 81 userid=user&password=pass HTTP/1.1 200 OK Date: Fri, 13 Mar 2015 14:53:54 GMT Server: Apache/2.0.55 (Debian) PHP/5.1.2-1+b1 mod_ssl/2.0.55 OpenSSL/0.9.8b Cache-Control: no-cache,no-store,max-age=0 Content-Type: text/html;charset=UTF-8 Keep-Alive: timeout=10, max=300 Connection: Keep-Alive <html> <head></head> <body>… <a href=http://internal.host.ch/test>Click me</a> ….</body> </html> 1 Follow standard HTTP specs (RFC) 2 Don’t create links or cookies in the browser
- 25. Secure Gateway in the Middle Seite 25 ApplicationSecure Entry Server POST /web/a/start?action=login HTTP/1.1 Host: www.u-s-p.ch User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/ 20100101 Firefox/35.0 Accept-Language: en-US,en;q=0.5 Cookie: SCDID_S=2YNIgcWege5AjuNFo3jXf7W8... Connection: keep-alive EvilHeader: <script>attack</script> Content-Type: application/x-www-form-urlencoded Content-Length: 81 userid=user&password=pass&evilparam=evilvalue HTTP/1.1 200 OK Date: Fri, 13 Mar 2015 14:53:54 GMT Server: Secure Entry Server Cache-Control: no-cache,no-store,max-age=0 Content-Type: text/html;charset=UTF-8 Keep-Alive: timeout=10, max=300 Connection: Keep-Alive <html> <head></head> <body>…. <a href=https://www.u-s-p.ch/test>Click me</a> ...</body> </html> POST /web/a/start?action=login HTTP/1.1 Host: internal.host.ch User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/ 20100101 Firefox/35.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/ *;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: Username=user Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 81 userid=user&password=pass HTTP/1.1 200 OK Date: Fri, 13 Mar 2015 14:53:54 GMT Server: Apache/2.0.55 (Debian) PHP/5.1.2-1+b1 mod_ssl/2.0.55 OpenSSL/0.9.8b Cache-Control: no-cache,no-store,max-age=0 Content-Type: text/html;charset=UTF-8 Keep-Alive: timeout=10, max=300 Connection: Keep-Alive <html> <head></head> <body>… <a href=http://internal.host.ch/test>Click me</a> ….</body> </html> 1 Follow standard HTTP specs (RFC) 2 Don’t create links or cookies in the browser 3 Ensure ways for identity propagation: e.g., header, NTLM, Kerberos
- 26. Secure Gateway in the Middle Seite 26 ApplicationSecure Entry Server POST /web/a/start?action=login HTTP/1.1 Host: www.u-s-p.ch User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/ 20100101 Firefox/35.0 Accept-Language: en-US,en;q=0.5 Cookie: SCDID_S=2YNIgcWege5AjuNFo3jXf7W8... Connection: keep-alive EvilHeader: <script>attack</script> Content-Type: application/x-www-form-urlencoded Content-Length: 81 userid=user&password=pass&evilparam=evilvalue HTTP/1.1 200 OK Date: Fri, 13 Mar 2015 14:53:54 GMT Server: Secure Entry Server Cache-Control: no-cache,no-store,max-age=0 Content-Type: text/html;charset=UTF-8 Keep-Alive: timeout=10, max=300 Connection: Keep-Alive <html> <head></head> <body>…. <a href=https://www.u-s-p.ch/test>Click me</a> ...</body> </html> POST /web/a/start?action=login HTTP/1.1 Host: internal.host.ch User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/ 20100101 Firefox/35.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/ *;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: Username=user Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 81 userid=user&password=pass HTTP/1.1 200 OK Date: Fri, 13 Mar 2015 14:53:54 GMT Server: Apache/2.0.55 (Debian) PHP/5.1.2-1+b1 mod_ssl/2.0.55 OpenSSL/0.9.8b Cache-Control: no-cache,no-store,max-age=0 Content-Type: text/html;charset=UTF-8 Keep-Alive: timeout=10, max=300 Connection: Keep-Alive <html> <head></head> <body>… <a href=http://internal.host.ch/test>Click me</a> ….</body> </html> 4 Separate sensitive from public data
- 27. Secure Gateway in the Middle Seite 27 ApplicationSecure Entry Server POST /web/a/start?action=login HTTP/1.1 Host: www.u-s-p.ch User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/ 20100101 Firefox/35.0 Accept-Language: en-US,en;q=0.5 Cookie: SCDID_S=2YNIgcWege5AjuNFo3jXf7W8... Connection: keep-alive EvilHeader: <script>attack</script> Content-Type: application/x-www-form-urlencoded Content-Length: 81 userid=user&password=pass&evilparam=evilvalue HTTP/1.1 200 OK Date: Fri, 13 Mar 2015 14:53:54 GMT Server: Secure Entry Server Cache-Control: no-cache,no-store,max-age=0 Content-Type: text/html;charset=UTF-8 Keep-Alive: timeout=10, max=300 Connection: Keep-Alive <html> <head></head> <body>…. <a href=https://www.u-s-p.ch/test>Click me</a> ...</body> </html> POST /web/a/start?action=login HTTP/1.1 Host: internal.host.ch User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/ 20100101 Firefox/35.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/ *;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: Username=user Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 81 userid=user&password=pass HTTP/1.1 200 OK Date: Fri, 13 Mar 2015 14:53:54 GMT Server: Apache/2.0.55 (Debian) PHP/5.1.2-1+b1 mod_ssl/2.0.55 OpenSSL/0.9.8b Cache-Control: no-cache,no-store,max-age=0 Content-Type: text/html;charset=UTF-8 Keep-Alive: timeout=10, max=300 Connection: Keep-Alive <html> <head></head> <body>… <a href=http://internal.host.ch/test>Click me</a> ….</body> </html> 5 Use correct MIME type headers 4 Separate sensitive from public data
- 28. Secure Gateway in the Middle Seite 28 ApplicationSecure Entry Server POST /web/a/start?action=login HTTP/1.1 Host: www.u-s-p.ch User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/ 20100101 Firefox/35.0 Accept-Language: en-US,en;q=0.5 Cookie: SCDID_S=2YNIgcWege5AjuNFo3jXf7W8... Connection: keep-alive EvilHeader: <script>attack</script> Content-Type: application/x-www-form-urlencoded Content-Length: 81 userid=user&password=pass&evilparam=evilvalue HTTP/1.1 200 OK Date: Fri, 13 Mar 2015 14:53:54 GMT Server: Secure Entry Server Cache-Control: no-cache,no-store,max-age=0 Content-Type: text/html;charset=UTF-8 Keep-Alive: timeout=10, max=300 Connection: Keep-Alive <html> <head></head> <body>…. <a href=https://www.u-s-p.ch/test>Click me</a> ...</body> </html> POST /web/a/start?action=login HTTP/1.1 Host: internal.host.ch User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/ 20100101 Firefox/35.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/ *;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: Username=user Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 81 userid=user&password=pass HTTP/1.1 200 OK Date: Fri, 13 Mar 2015 14:53:54 GMT Server: Apache/2.0.55 (Debian) PHP/5.1.2-1+b1 mod_ssl/2.0.55 OpenSSL/0.9.8b Cache-Control: no-cache,no-store,max-age=0 Content-Type: text/html;charset=UTF-8 Keep-Alive: timeout=10, max=300 Connection: Keep-Alive <html> <head></head> <body>… <a href=http://internal.host.ch/test>Click me</a> ….</body> </html> 6 Use relative paths 7 Don’t use <base href= …> tags 5 Use correct MIME type headers 4 Separate sensitive from public data
- 29. Secure Gateway in the Middle Seite 29 ApplicationSecure Entry Server POST /web/a/start?action=login HTTP/1.1 Host: www.u-s-p.ch User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/ 20100101 Firefox/35.0 Accept-Language: en-US,en;q=0.5 Cookie: SCDID_S=2YNIgcWege5AjuNFo3jXf7W8... Connection: keep-alive EvilHeader: <script>attack</script> Content-Type: application/x-www-form-urlencoded Content-Length: 81 userid=user&password=pass&evilparam=evilvalue HTTP/1.1 200 OK Date: Fri, 13 Mar 2015 14:53:54 GMT Server: Secure Entry Server Cache-Control: no-cache,no-store,max-age=0 Content-Type: text/html;charset=UTF-8 Keep-Alive: timeout=10, max=300 Connection: Keep-Alive <html> <head></head> <body>…. <a href=https://www.u-s-p.ch/test>Click me</a> ...</body> </html> POST /web/a/start?action=login HTTP/1.1 Host: internal.host.ch User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/ 20100101 Firefox/35.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/ *;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: Username=user Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 81 userid=user&password=pass HTTP/1.1 200 OK Date: Fri, 13 Mar 2015 14:53:54 GMT Server: Apache/2.0.55 (Debian) PHP/5.1.2-1+b1 mod_ssl/2.0.55 OpenSSL/0.9.8b Cache-Control: no-cache,no-store,max-age=0 Content-Type: text/html;charset=UTF-8 Keep-Alive: timeout=10, max=300 Connection: Keep-Alive <html> <head></head> <body>… <a href=http://internal.host.ch/test>Click me</a> ….</body> </html> 8 Return proper HTTP error codes 9 Trigger proper relogin for asynchronous requests
- 30. Seite 30 Happy Coding within a Web Application Security Architecture!
- 31. Teammeeting Application Security Oktober 2016 Michael Schläpfer phone: 61/ 643 51 98 ul. Towarowa 35 61-896 Poznań Michael Schläpfer Senior Manager Application Security Dr. sc. ETH Zürich United Security Providers AG Förrlibuckstrasse 70 CH-8005 Zürich Fon: +41 44 496 61 37 Mobile: +41 79 305 57 12 eMail: [email protected] Web: www.united-security-providers.ch