akamai kona WAF Help Manual
Transcript of akamai kona WAF Help Manual
Web Application Firewall
©2012 Akamai. FASTER FORWARD™. Web Application Firewall | Compliance | Payment Tokenization | Web Application Firewall | Website Defense
What We’re Seeing Attacks Are Happening On Multiple Levels
Target of Traditional DDoS Attacks
Network Layer
(Layers 3/4)
Application Layer
(Layer 7)
Where increasing number of attacks are focused
Web Attacks Are Getting More Sophisticated (e.g. multi-vector): Layers 3&4, Layer 7, DNS, Direct-to-Origin, Large, Small & Stealthy
What Attack Methods do Hackers Use?
§ Unreported 37%
§ SQL Injection (SQLi) 27%
§ Denial of Service 23%
§ Banking Trojan 3%
§ Brute Force 3%
§ Cross-Site Request Forgery 2%
§ Predictable Resource Location 2%
§ Stolen Credentials 2%
§ Clickjacking 1%
Source: TrustWave Spider Labs - 2011 - Web Hacking Incident Database
Web Applications (Layer 7) Are Increasingly Targeted: ~10,000,000 more attacks in 1H2011 over 1H2010 (~45% increase)
[Bar chart: Total # Web Application Attacks at Mid-Year 2009–2011; x-axis 2009, 2010, 1H2011; y-axis 0 to 35,000,000]
Source: HP CyberSecurity Risks Report 1H2011
[Pie chart: Layer 3/4 Attacks versus non-Web Layer 7 Attacks, 1H2011; a 63% / 37% split between Layer 3/4 Attacks and Layer 7 Attacks]
On the Web, the Application is the Perimeter
[Diagram: Traditional Data Center Security: Firewall, Hardware WAF, Web server, App server, DB; contrasted with In-The-Cloud Security]
The threats are distributed, your response needs to be distributed!
Akamai Intelligent Platform™: Deflecting Network Layer Attacks at the Edge
Network Layer attack mitigation
§ Built-in protection is “always on”
§ Only Port 80 (HTTP) or Port 443 (HTTPS) traffic allowed on Platform
  o All other traffic dropped at the Akamai Edge
    • Attack traffic never makes it onto Platform
    • Customer not charged for traffic dropped at Edge
  o Absorbs attack requests without requiring identification
  o Requires CNAME onto Akamai Intelligent Platform
Absorbs attacks through massive scale
§ ~5.5 Tbps average throughput; up to 8 Tbps
§ Distribution of HTTP request traffic across 100,000+ servers; 1,100+ networks
§ No re-routing, added latency, or point of failure
Examples of attack types dropped at Akamai Edge
§ UDP Fragments
§ ICMP Floods
§ SYN Floods
§ ACK Floods
§ RESET Floods
§ UDP Floods
Web Application Protection: Web Application Firewall
Application-layer controls
§ Does deep packet inspection to protect against attacks such as SQL Injection & Cross-Site Scripting
Custom Rules
§ Create policy-based rules that are enforced before or after execution of the application-layer controls
§ Serve as “Virtual Patches” for new website vulnerabilities
Network Layer Controls
§ Allow or restrict requests from specific IP addresses
  • Protect customer Origin from application-layer attacks
§ Implements IP Blacklists & Whitelists
§ Geo blocking
§ 10,000 CIDR entries supported
  • Named lists — e.g., Tor exit nodes
  • 30 — 45 minute deployment
Custom Rules: Web Application Firewall
Description
§ WAF Custom Rules implemented in Akamai metadata written by Akamai Professional Services
§ Rules are created and managed in customer portal
§ Rules are then associated with firewall policies and deployed with WAF in 45 minutes
The Result
§ New rule logic can be built to handle specific use cases for the customer
§ Rules can be built that execute when one or more baseline rules or rate control rules match
§ Output of application vulnerability products can be implemented as “virtual patches”
§ Advanced piping to user validation actions can be achieved (prioritization)
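The two slides above describe a layered policy: network-layer list controls, custom rules that run before or after the application-layer (baseline) controls, and custom rules that key off baseline matches. The following is an added illustration of that ordering, not Akamai's code or configuration format: a small policy evaluator in which the rule ids, regular expressions, IP ranges, the `/legacy/export.php` "virtual patch" path and the whitelist-first ordering are all constructed assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Hypothetical WAF policy evaluator written for illustration. Rule ids, patterns,
# IP ranges, paths and the evaluation order are constructed assumptions, not Akamai's.


@dataclass
class Request:
    client_ip: str
    path: str
    query: str = ""
    country: str = "US"   # assumed to come from a geo lookup upstream of the WAF


@dataclass
class Verdict:
    action: str                                   # "allow" or "deny"
    matched: list = field(default_factory=list)   # ids of every control that fired


def _nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


# Network-layer controls (constructed sample ranges from documentation address space).
WHITELIST = _nets("10.0.0.0/8")                      # trusted monitoring range
BLACKLIST = _nets("203.0.113.0/24")                  # known-bad range
NAMED_LISTS = {"tor-exit-nodes": _nets("198.51.100.0/25")}
GEO_BLOCK = {"XX"}                                   # placeholder country code

# Baseline application-layer controls: (constructed rule id, tag, deliberately simple pattern).
BASELINE_RULES = [
    ("950001", "SQLi", re.compile(r"('|%27)\s*(or|and)\s+\d+\s*=\s*\d+", re.I)),
    ("973300", "XSS", re.compile(r"<\s*script\b", re.I)),
]


def _in(ip, nets):
    return any(ip in n for n in nets)


def network_controls(req):
    """Assumption: whitelist is consulted first, then blacklist, named lists, geo block."""
    ip = ipaddress.ip_address(req.client_ip)
    if _in(ip, WHITELIST):
        return Verdict("allow", ["whitelist"])
    if _in(ip, BLACKLIST):
        return Verdict("deny", ["blacklist"])
    for name, nets in NAMED_LISTS.items():
        if _in(ip, nets):
            return Verdict("deny", [f"named-list:{name}"])
    if req.country in GEO_BLOCK:
        return Verdict("deny", [f"geo:{req.country}"])
    return None


def custom_rules_pre(req):
    """Runs before the baseline controls. Here: a 'virtual patch' closing a
    hypothetical vulnerable endpoint until the application itself is fixed."""
    if req.path == "/legacy/export.php":
        return ["custom:virtual-patch-legacy-export"]
    return []


def baseline_controls(req):
    """Report every baseline rule matching the query string (alert mode, no action)."""
    return [rid for rid, _tag, pat in BASELINE_RULES if pat.search(req.query)]


def custom_rules_post(baseline_matches):
    """Runs after the baseline controls and executes when one or more of them matched:
    it turns the alert-only baseline result into a deny."""
    return ["custom:deny-on-baseline"] if baseline_matches else []


def evaluate(req):
    verdict = network_controls(req)
    if verdict is not None:
        return verdict                        # list decisions short-circuit the pipeline
    pre = custom_rules_pre(req)
    if pre:
        return Verdict("deny", pre)
    baseline = baseline_controls(req)
    matched = baseline + custom_rules_post(baseline)
    action = "deny" if any(m.startswith("custom:") for m in matched) else "allow"
    return Verdict(action, matched)


if __name__ == "__main__":
    print(evaluate(Request("192.0.2.1", "/search", "q=1' or 1=1")))
```

The ordering mirrors the slide's description: list controls decide first, a pre-execution custom rule can act as a virtual patch before any baseline inspection, and a post-execution custom rule sees which baseline rules fired and can escalate. The `matched` list is what a security monitor would report as "requests by WAF rule ID".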
Adaptive Rate Controls: Malicious Behavior Detection
§ Specify number of requests per second against a given URL
  o Controls requests based on behavior pattern — not request structure
    • Use client IP address, session ID, cookies, etc.
§ Configure rate categories to control request rates against digital properties
  • Mitigate rate-based DDoS attacks
§ Statistics collected for 3 request phases
  o Client Request — Client to Akamai Server
  o Forward Request — Akamai Server to Origin
  o Forward Response — Origin to Akamai Server
§ Statistics collected allow us to ignore large proxies and pick out a malicious user hiding behind a proxy
§ Statistics collected allow for detection of pathological behavior by a client
  o Request rate is excessive for any stage
  o Requests causing too many Origin errors
Rate Controls Use Case: Blocking IPs Causing Origin Errors
1. Count the number of Forward Responses that return a 404 error code
2. Block any IP address that exceeds 5 errors per second
[Diagram: Client Request → Akamai Edge Server → Forward Request → Customer Origin → Response code 404; final build: the offending client's request is stopped (X) and served a Custom Error page]
Automatic Origin Abuse Mitigation!
Use Case 2: Validate IPs Causing High Origin Load
1. Count the number of Forward Requests
2. Validate any IP address that exceeds 20 Forward Requests per second
[Diagram: Client Request → Akamai Edge Server → Forward Request → Customer Origin → Forward Response; final build: the offending client's request is stopped (X) and served a Custom Error page]
Automatic Origin Overload Prevention!
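The two use cases are instances of one mechanism described on the Adaptive Rate Controls slide: count events of a given request phase per client in a sliding window and act once the count exceeds a threshold. The following added example (not Akamai's code; class names, the one-second window and the sample traffic are constructed) implements both categories with the slide's thresholds, keyed on client IP only, and ranks "block" above "validate" when a client trips both. Keying on session ID or cookies, which the slide also mentions, would only change the key function.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Hypothetical rate-control engine written for illustration. Phase names and thresholds
# follow the slides; class names, the window length and the sample traffic are constructed.


@dataclass(frozen=True)
class Event:
    ts: float          # seconds (constructed timestamps below)
    client_ip: str
    phase: str         # "client_request", "forward_request" or "forward_response"
    status: int = 0    # origin status code; meaningful for forward_response only


class RateCategory:
    """Counts matching events per client IP inside a sliding window and returns an
    action once the count exceeds the threshold."""

    def __init__(self, name, phase, threshold, action, window=1.0, predicate=lambda e: True):
        self.name = name
        self.phase = phase
        self.threshold = threshold
        self.action = action
        self.window = window                # seconds
        self.predicate = predicate          # extra filter, e.g. "status == 404"
        self.hits = defaultdict(deque)      # client_ip -> timestamps still inside the window

    def observe(self, ev):
        if ev.phase != self.phase or not self.predicate(ev):
            return None
        q = self.hits[ev.client_ip]
        q.append(ev.ts)
        while q and ev.ts - q[0] >= self.window:   # evict hits that fell out of the window
            q.popleft()
        return self.action if len(q) > self.threshold else None


# Use case 1: block IPs causing origin errors (more than 5 forward responses with 404 per second).
ORIGIN_ERRORS = RateCategory("origin-404s", "forward_response", threshold=5,
                             action="block", predicate=lambda e: e.status == 404)
# Use case 2: validate IPs causing high origin load (more than 20 forward requests per second).
ORIGIN_LOAD = RateCategory("origin-load", "forward_request", threshold=20, action="validate")

ACTION_RANK = {"allow": 0, "validate": 1, "block": 2}


class RateController:
    """Runs every category over each event and keeps the strongest action per client."""

    def __init__(self, categories):
        self.categories = categories
        self.decisions = {}   # client_ip -> strongest action so far

    def observe(self, ev):
        for cat in self.categories:
            action = cat.observe(ev)
            current = self.decisions.get(ev.client_ip, "allow")
            if action and ACTION_RANK[action] > ACTION_RANK[current]:
                self.decisions[ev.client_ip] = action
        return self.decisions.get(ev.client_ip, "allow")


def run_sample():
    """Feed constructed traffic through both categories and return the per-IP decisions."""
    ctrl = RateController([ORIGIN_ERRORS, ORIGIN_LOAD])
    # Constructed: a client probing for missing pages, 7 origin 404s inside one second.
    for i in range(7):
        ctrl.observe(Event(100.0 + i * 0.1, "198.51.100.7", "forward_response", status=404))
    # Constructed: a client hammering uncacheable content, 25 forward requests inside one second.
    for i in range(25):
        ctrl.observe(Event(200.0 + i * 0.03, "203.0.113.5", "forward_request"))
    # Constructed: a legitimate client that also hits 404s, but only one every 1.5 seconds.
    for i in range(6):
        ctrl.observe(Event(300.0 + i * 1.5, "192.0.2.1", "forward_response", status=404))
    return ctrl.decisions


if __name__ == "__main__":
    print(run_sample())   # {'198.51.100.7': 'block', '203.0.113.5': 'validate'}
```

The third client in the sample shows why the window matters: six 404s in total would exceed the threshold if counted cumulatively, but spread over nine seconds they never exceed five in any one second, so the client is left alone. The same structure extends to the client-request phase by adding a category with `phase="client_request"`.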
Security Monitor (1 of 3)
§ Timeline of Requests by Hour
§ Visual Display of Requests by Geography
§ Requests by WAF Rule ID
§ Requests by WAF Message
§ Requests by WAF Tag
Security Monitor (2 of 3)
§ Multiple ways to display request statistics
Security Monitor (3 of 3)
§ Requests by City
§ Requests by Client IP address
§ ARLs being attacked
Any experience. Any device. Anywhere.