Imperva waf


  • Date posted: 16-Jun-2015
  • Category: Technology


Description

Presentation of the Web Application Firewall (WAF) product from one of the "pioneers" and the current leader* of the industry (*according to the 2014 Gartner Magic Quadrant for WAF). Russian-language presentation of the WAF solution from the market leader (*according to the Gartner MQ from 2014).

Transcript of Imperva waf

  • 1. Imperva WAF. Alexandr.Shakhlevich@imperva.com, RSD Russia. 2014 Imperva, Inc. All rights reserved. Confidential
  • 2. ?
  • 3. Industrialization of Hacking: Fraud, Hacktivism, DDoS
  • 4. Verizon DBIR 2014
  • 5. … (%)
  • 6. … (%)
  • 7. Web …
  • 8. …
  • 9. CISO Survey 2013: the CISOs see more than 50% of their security risks coming from application security (https://owasp.org/index.php/CISO_Survey_2013:_Threats_and_risks). External threats are on the rise: more than 70% of CISOs noted that internal threats are staying pretty much on the same level, while over 80% can see external threats clearly on the rise. When reviewing which areas are the main areas of risk for their organizations, CISOs were very clear that application security concerns are now taking center stage in their risk management. CISOs could in fact clearly confirm that these threats are having negative impacts for their companies.
  • 10. Imperva SecureSphere WAF
  • 11. Verizon DBIR 2013
  • 12. …!
  • 13. Diagram. Internal: Employees, Malicious Insiders, Compromised Insiders. Data Center: Systems and Admins. External: Customers, Staff, Partners, Hackers. Controls: Auditing and Reporting, Attack Protection, Usage Audit, User Rights Management, Access Control, Tech. Attack Protection, Logic Attack Protection, Fraud Prevention, Assessment & Risk Management.
  • 14. Imperva SecureSphere … 17, 21
  • 15. Imperva SecureSphere Web Application Firewall: Dynamic Profiling …
  • 16. Web security features: Dynamic Profiling, Attack Signatures, HTTP Protocol Validation, Cookie Protection, IP Reputation, Anti-Scraping Policies, Bot Mitigation Policies, Web Fraud Detection, Correlated Attack Validation, IP Geolocation (grouped under Technical Attack Protection, Business Logic Attack Protection and Fraud Prevention).
  • 17. Imperva ADC (Imperva Application Defense Center) diagram: Internet, SecureSphere, Web Servers, Internal Users.
  • 18. SecureSphere blocks SQL injection and XSS. Example: a hacker sends /login.php?ID=5 or 1=1 to the WAF; SQL Injection Engine; SQL Injection Engine with Profile Analysis; Signature, Protocol Violations; Web Server.
  • 19. SecureSphere learns …: Directories, URLs, …
  • 20. [Chart: daily counts from 1-Jun to 26-Jun on a 0 to 700 scale; the labels 5-15 and 5-30 survive.]
  • 21. Imperva SecureSphere WAF: Vulnerable Legacy Application
  • 22. IPS & NG Firewall web security features: Dynamic Profiling, Attack Signatures, HTTP Protocol Validation, Cookie Protection, IP Reputation, Anti-Scraping Policies, Bot Mitigation Policies, Web Fraud Detection, IP Geolocation, Correlation (Web Profile Correlation), grouped under Technical Attack Protection, Business Logic Attack Protection and Fraud Prevention.
  • 23. Imperva WAF: Gartner
  • 24. Gartner MQ for Web Application Firewalls 2014. Imperva SecureSphere WAF web-*
  • 25. WAF Testing Framework (WTF). IPS, NGFW, WAF: False Positives, False Negatives!
  • 26. OWASP Top 10, 2013
  • 27. OWASP Top 10?
  • 28. OWASP 2013 List. https://owasp.org/index.php/CISO_Survey_2013:_Threats_and_risks
  • 29. A1 Injection. OWASP Top 10 definition: Injection flaws, such as SQL, OS, and LDAP injection, occur when an application sends untrusted data to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Injection flaws are very prevalent, particularly in legacy code. The impact is usually very severe, as the entire database can be read or modified.
  • 30. A1 Web Correlation Policy. The SQL injection defense algorithm developed by the ADC combines information from the Web Application Profile (positive security model) and matches this information with Attack Signatures (negative security model) using SecureSphere's Correlated Attack Validation engine. Using pre-defined signatures, SecureSphere blocks additional injection attacks such as LDAP, XPath, and OS injection. Examples of anomalies detected by the Web application profile security rules include:
    - If an attacker attempts to change the values of parameters that were fixed by the Web application and should not be changed, SecureSphere will alert and block the request.
    - If a parameter length exceeds the expected maximum length, SecureSphere will alert and block such an evasion attempt.
    - If a parameter includes unexpected characters, such as quotation marks, angle brackets, and asterisks, that do not fit the application profile, SecureSphere will alert and block the request.
  • 31. A2 Broken Authentication and Session Management. OWASP Top 10 definition: Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities. Developers frequently build custom authentication and session management schemes, but building these correctly is hard. Authentication flaws may allow some or even all accounts to be attacked. Once successful, the attacker can do anything the victim could do. Privileged accounts are frequently targeted.
  • 32. A2 Broken Authentication and Session Management (cont.). Web Correlation Policy: Session Attribute Changes, Source IP set to Exact Source IP. Cookie Signing Policy: set Encrypt Cookie Value; Cookie set to sessionid. SecureSphere stops session attacks such as session hijacking, session fixation and session tampering. Web Profile Policy: Cookie Injection enabled; Cookie Tampering enabled; sessionid set to protect, and injection selected. SecureSphere tracks and enforces session variables. It learns cookies and monitors cookie tampering and injection. Application User Tracking attaches a user to a session and associates the user with subsequent activity. In reverse proxy mode, SecureSphere can sign and encrypt cookies.
  • 33. A3 Cross-Site Scripting (XSS). OWASP Top 10 definition: Cross-Site Scripting (XSS) is the most prevalent Web application security flaw. XSS flaws occur whenever an application takes untrusted data and sends it to a Web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface Web sites, or redirect the user to malicious sites. Detection of most XSS flaws is fairly easy via testing or code analysis.
  • 34. A3 Web Correlation Policy. SecureSphere mitigation summary: utilizing positive (white list) and negative (black list) detection techniques; accurate detection of suspicious XSS keywords, patterns and signatures; Dynamic Profiling builds an accurate parameter usage baseline; input is normalized to detect different evasion attempts (HTML, hex and Unicode encoding); out-of-the-box Web Correlation XSS policy.
  • 35. ? www.imperva.com, Alexandr.shakhlevich@imperva.com
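The A2 slides above list cookie signing, cookie-tampering detection and session attribute tracking (a session bound to its exact source IP). The Python below is an added example of how a reverse proxy can implement those two checks; it is not Imperva's code or algorithm. The key, cookie name, IP addresses and request sequence are constructed for the demo, and cookie encryption (also on the slide) is left out because the standard library has no authenticated cipher.

```python
"""Cookie signing and session-to-source-IP binding at a reverse proxy (added example).

The key, cookie name, addresses and request sequence below are constructed for the demo."""
import base64
import hashlib
import hmac

SECRET_KEY = b"constructed-demo-key-do-not-reuse"   # constructed; load from a secret store in practice
COOKIE_NAME = "sessionid"                            # the cookie the A2 slide protects


def _tag(value: str, key: bytes) -> str:
    """HMAC-SHA256 over the cookie value, base64url without padding."""
    mac = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode("ascii").rstrip("=")


def sign_cookie(value: str, key: bytes = SECRET_KEY) -> str:
    """Outbound: append an authentication tag so the client cannot alter the value unnoticed."""
    return f"{value}.{_tag(value, key)}"


def verify_cookie(signed: str, key: bytes = SECRET_KEY):
    """Inbound: return the original value if the tag verifies, otherwise None."""
    value, sep, tag = signed.rpartition(".")
    if not sep or not value:
        return None
    # Constant-time comparison so timing does not reveal how many tag bytes matched.
    return value if hmac.compare_digest(_tag(value, key), tag) else None


class SessionTracker:
    """Session attribute tracking: each session id is bound to its first source IP."""

    def __init__(self):
        self._source_ip = {}

    def inspect(self, session_id: str, source_ip: str) -> str:
        first_ip = self._source_ip.setdefault(session_id, source_ip)
        return "ok" if first_ip == source_ip else "session-attribute-change"


def parse_cookies(header: str) -> dict:
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def inspect_request(cookie_header: str, source_ip: str, tracker: SessionTracker) -> str:
    """Verdict for one inbound request: no-session, cookie-tampering, session-attribute-change or ok."""
    signed = parse_cookies(cookie_header).get(COOKIE_NAME)
    if signed is None:
        return "no-session"
    session_id = verify_cookie(signed)
    if session_id is None:
        return "cookie-tampering"
    return tracker.inspect(session_id, source_ip)


def run_demo():
    """Verdicts for a constructed request sequence, in order."""
    tracker = SessionTracker()
    issued = sign_cookie("a1b2c3")                           # what the proxy handed out
    forged = issued.replace("a1b2c3", "admin", 1)            # client edited the value, kept the tag
    requests = [                                             # (Cookie header, client source IP)
        (f"{COOKIE_NAME}={issued}; theme=dark", "203.0.113.10"),
        (f"{COOKIE_NAME}={issued}", "203.0.113.10"),
        (f"{COOKIE_NAME}={forged}", "203.0.113.10"),
        (f"{COOKIE_NAME}={issued}", "198.51.100.7"),         # same session, different source IP
        ("theme=dark", "203.0.113.10"),
    ]
    return [inspect_request(header, ip, tracker) for header, ip in requests]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

Signing only proves the value left the proxy unchanged; it does not hide the session id, which is what the slide's encrypt-cookie-value option adds. Binding a session to its first source IP is the tracking half, and the verdict names are this example's own.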
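The A1 slide above describes matching a learned Web application profile (positive model: fixed parameter values, expected lengths, allowed characters) against attack signatures (negative model), and the A3 slide adds that input is normalized (HTML, hex and Unicode encodings) before matching. The Python below is an added example of that combination and is not Imperva's code or rules: the profile for /login.php, the six signatures, the request list (which includes the slide-18 request /login.php?ID=5 or 1=1) and the block/alert/allow correlation rule are all constructed for the demo.

```python
"""Positive profile plus negative signatures over normalized input (added example).

The profile and signatures below are constructed stand-ins, not Imperva's rules."""
import html
import re
import unicodedata
from urllib.parse import unquote

# Constructed "learned" profile for one URL: per-parameter limits the app expects.
PROFILE = {
    "/login.php": {
        "ID":   {"max_len": 6,  "charset": r"[0-9]",            "fixed": None},
        "lang": {"max_len": 2,  "charset": r"[a-z]",            "fixed": {"en", "ru"}},
        "q":    {"max_len": 64, "charset": r"[A-Za-z0-9 .,_-]", "fixed": None},
    }
}

# Constructed negative model: a few SQL injection and XSS signatures.
SIGNATURES = {
    "sqli-tautology": re.compile(r"(?i)\b(or|and)\b\s+\S+\s*=\s*\S+"),
    "sqli-union":     re.compile(r"(?i)\bunion\b\s+(all\s+)?select\b"),
    "sqli-comment":   re.compile(r"(--|/\*)"),
    "xss-script-tag": re.compile(r"(?i)<\s*script\b"),
    "xss-event":      re.compile(r"(?i)\bon[a-z]+\s*="),
    "xss-js-uri":     re.compile(r"(?i)javascript\s*:"),
}

_UNICODE_ESC = re.compile(r"%u([0-9a-fA-F]{4})")


def normalize(value: str, max_rounds: int = 3) -> str:
    """Decode %xx, %uXXXX, HTML entities and compatibility Unicode until stable."""
    for _ in range(max_rounds):
        before = value
        value = _UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), value)
        value = unquote(value)                        # hex (percent) encoding
        value = html.unescape(value)                  # HTML entities such as &lt;
        value = unicodedata.normalize("NFKC", value)  # e.g. fullwidth '＜' becomes '<'
        if value == before:
            break
    return value


def parse_query(query: str) -> dict:
    """Split a raw query string and normalize every value ('+' is a space)."""
    params = {}
    for pair in query.split("&"):
        if pair:
            name, _, raw = pair.partition("=")
            params[unquote(name)] = normalize(raw.replace("+", " "))
    return params


def inspect(url: str, query: str) -> dict:
    """Return profile anomalies, signature hits and a verdict for one request."""
    profile = PROFILE.get(url, {})
    profile_hits, signature_hits = [], []
    for name, value in parse_query(query).items():
        rule = profile.get(name)
        if rule is None:
            profile_hits.append(f"{name}: parameter not in profile")
        else:
            if len(value) > rule["max_len"]:
                profile_hits.append(f"{name}: length {len(value)} > {rule['max_len']}")
            if rule["fixed"] is not None and value not in rule["fixed"]:
                profile_hits.append(f"{name}: fixed value changed")
            if re.fullmatch(rule["charset"] + "*", value) is None:
                profile_hits.append(f"{name}: unexpected characters")
        for sig_name, pattern in SIGNATURES.items():
            if pattern.search(value):
                signature_hits.append(f"{name}: {sig_name}")
    # Correlation rule of this example: both models agree -> block, only one -> alert.
    if profile_hits and signature_hits:
        verdict = "block"
    elif profile_hits or signature_hits:
        verdict = "alert"
    else:
        verdict = "allow"
    return {"verdict": verdict, "profile": profile_hits, "signatures": signature_hits}


# Constructed requests: clean, the slide-18 injection, double-encoded XSS,
# a changed fixed value without any signature, and benign free text.
REQUESTS = [
    ("/login.php", "ID=5&lang=en"),
    ("/login.php", "ID=5%20or%201%3D1&lang=en"),
    ("/login.php", "q=%253Cscript%253Ealert(1)%253C/script%253E"),
    ("/login.php", "lang=de"),
    ("/login.php", "q=report+for+june"),
]


def run_demo():
    """Verdict per constructed request, in REQUESTS order."""
    return [inspect(url, query)["verdict"] for url, query in REQUESTS]


if __name__ == "__main__":
    for (url, query), verdict in zip(REQUESTS, run_demo()):
        print(f"{verdict:5}  {url}?{query}")
```

The fourth request is the interesting one for the A1 bullets: changing a fixed value trips the profile with no signature at all, so a signature-only engine would let it through. The third shows why decoding runs to a fixed point: a single percent-decode leaves `%3Cscript%3E`, which matches no signature.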