Radware - WAF (Web Application Firewall)

Deivid Toledo, Product Manager at WTR Services. Radware Web Application Protection Offerings. 10/25/22

Transcript of Radware - WAF (Web Application Firewall)

Page 1: Radware - WAF (Web Application Firewall)

Radware Web Application Protection Offerings

Deivid Toledo, Product Manager at WTR Services

May 3, 2023

Page 2: Radware - WAF (Web Application Firewall)

About Radware

Page 3: Radware - WAF (Web Application Firewall)

Our Track Record

Global Technology Partners

Over 10,000 Customers

Company Growth (revenue in USD millions, with the year-over-year growth labels as read from the slide's chart)

Year | Revenue (USD M) | YoY growth
2002 | 43.7 | 1%
2003 | 54.8 | 25%
2004 | 68.4 | 25%
2005 | 77.6 | 13%
2006 | 81.4 | 5%
2007 | 88.6 | 9%
2008 | 94.6 | 7%
2009 | 108.9 | 15%
2010 | 144.1 | 32%
2011 | 167.0 | 16%
2012 | 189.2 | 13%
2013 | 193.0 | 2%
2014 | 221.9 | 15%

Page 4: Radware - WAF (Web Application Firewall)

Market Leading WAF Offering

Banking & Finance

Gov’t & Enterprise

Telco & Cloud Service Providers

Retail/eCommerce

Page 5: Radware - WAF (Web Application Firewall)

Current Trends

Page 6: Radware - WAF (Web Application Firewall)

Migration to the Cloud Continues

Attackers can now target premise- and cloud-based applications

Almost half (48%) anticipate migrating up to 20% of their applications to the cloud. About one in ten (12%) plan to migrate more than half of their applications to the cloud. Complexity in managing security policies is the #1 security challenge.

Q: In the next 12-14 months, what percentage of your applications do you envision migrating to the cloud? (2015, n=311)

0%: 23%
1-20%: 48%
21-50%: 18%
51-75%: 6%
76-99%: 2%
100%: 4%

Page 7: Radware - WAF (Web Application Firewall)

Rise in Popularity of Web Based Attacks

Web attacks - most common attack vector

Top 10 Web Attack Methods (share of incidents, in the order shown on the slide; legend: OWASP Top 10 attacks, Availability based attacks)

Denial of Service: 25%
SQL Injection: 24%
Cross Site Scripting (XSS): 8.9%
Brute Force: 4.8%
Predictable Resource Location: 3.8%
Stolen Credentials: 3.7%
Unintentional Information Disclosure: 3%
Banking Trojan: 2.8%
Credential/Session Prediction: 2.1%
Cross Site Request Forgery (CSRF): 1.9%

Source: Web Hacking Incident Database (WHID), Feb. 2013

Page 8: Radware - WAF (Web Application Firewall)

Complexity of Attacks Continues to Grow

Multi-vector attacks target all layers of the infrastructure

Infrastructure path (left to right): Internet Pipe, Firewall, IPS/IDS, Load Balancer/ADC, Server Under Attack, SQL Server

Attack vectors along the path: Large volume network flood attacks, Syn Floods, Network Scan, HTTP Floods, SSL Floods, App Misuse, Brute Force, “Low & Slow” DoS attacks (e.g. Slowloris), XSS, CSRF, SQL Injections

Protection layers: On-Demand Cloud DDoS, DoS protection, Behavioral analysis, IPS, WAF, SSL protection

Page 9: Radware - WAF (Web Application Firewall)

Existing Solutions Still Mostly Manual

Over 80% of solutions require a medium to high degree of manual tuning

Less than 20% require a low degree and are considered mostly automatic

Q.22: What degree of manual tuning or configuration does your current solution require? (2015, n=311)

High degree: 24%
Medium degree: 58%
Low degree: 17%

Page 11: Radware - WAF (Web Application Firewall)

Radware’s Web Application Firewall Offering


Page 12: Radware - WAF (Web Application Firewall)

Radware’s Hybrid Attack Mitigation Solution

Components: On-Demand Cloud DDoS, SSL protection, DoS protection, Behavioral analysis, IPS, WAF

Radware provides complete hybrid protection

In-the-Cloud: On-Demand

On-Premise: Always-On

Always-On DDoS and WAF on-premise with DDoS in-the-cloud activated on-demand

Page 13: Radware - WAF (Web Application Firewall)

Unmatched Web Application Protection

Best-of-breed WAF (Physical or Virtual Appliance) and Cloud WAF Service (Radware Cloud WAF)

Full coverage of OWASP Top-10

ICSA Labs Certification

Auto Generated Policy

Negative & Positive security models

Hybrid, single technology solution to protect both on-premise and cloud-based applications

Page 14: Radware - WAF (Web Application Firewall)

Best-of-Breed WAF


Page 15: Radware - WAF (Web Application Firewall)

Radware’s Web Application Firewall (WAF): AppWall

Complete web application protection

Line speed availability attack mitigation

All-in-one application delivery & security

Shortest time to security

Compliance and auditing

Multi-vector role-based security policy

Page 16: Radware - WAF (Web Application Firewall)

Complete Web Application Protection

Full coverage of OWASP Top-10 by negative & positive security models

Protection against dozens of attack vectors listed on WASC Threat Classification

Efficient, accurate and difficult to evade out-of-the-box negative security:

• Terminating TCP connections

• Normalizing client encoded traffic

• Blocking various evasion techniques

Page 17: Radware - WAF (Web Application Firewall)

Complete Web Application Protection

Terminate TCP, Normalize, HTTP RFC

Evasions: HTTP response splitting (HRS); signatures applied on normalized traffic; URL / Base64 / UTF-8 encoded injections

Signature & Rule Protection: Cross site scripting (XSS); SQL injection, LDAP injection, OS commanding

Data Leak Prevention: Credit card number (CCN); Social Security (SSN); Regular Expression
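As an added example (not Radware's code and not taken from the slides), the following Python sketch shows why the signatures have to be applied to normalized traffic rather than to the raw field: the value is percent-decoded repeatedly (double encoding), overlong UTF-8 sequences are folded, base64-wrapped values are unwrapped, and only then are the patterns matched. The signature patterns, the decode bound and the sample inputs are constructed for illustration.

```python
import base64
import re
from urllib.parse import unquote_to_bytes

# Constructed illustrative signatures, written once against the decoded form.
SIGNATURES = {
    "sqli": re.compile(r"(?i)\bor\b\s+\d+\s*=\s*\d+|union\s+select"),
    "xss": re.compile(r"(?i)<\s*script\b|javascript:"),
}
MAX_DECODE_ROUNDS = 3  # bound repeated %-decoding (double encoding) so it terminates
B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")

def fold_overlong(data: bytes) -> bytes:
    """Map 2-byte overlong UTF-8 forms (lead byte C0/C1) onto the ASCII byte they
    encode, e.g. C0 A7 -> 0x27 ('). Strict decoders reject these; a lenient backend
    may not, so the WAF must see the same character the backend will."""
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)

def normalize(value: str) -> str:
    """Canonicalise one request field: repeated percent-decoding, overlong UTF-8
    folding, base64 unwrapping and whitespace collapsing, in that order."""
    cur = value
    for _ in range(MAX_DECODE_ROUNDS):
        nxt = fold_overlong(unquote_to_bytes(cur)).decode("utf-8", errors="replace")
        if nxt == cur:
            break
        cur = nxt
    if B64_SHAPE.match(cur):
        try:
            cur = base64.b64decode(cur, validate=True).decode("utf-8", errors="replace")
        except (ValueError, UnicodeDecodeError):
            pass  # looked like base64 but was not; keep the literal value
    return re.sub(r"\s+", " ", cur).strip()

def match_signatures(value: str) -> list[str]:
    """Names of signatures that fire on the given (raw or normalized) value."""
    return [name for name, rx in SIGNATURES.items() if rx.search(value)]

def inspect_field(value: str) -> dict:
    """Show why signatures must run on normalized traffic: raw vs. decoded hits."""
    norm = normalize(value)
    return {"normalized": norm, "raw_hits": match_signatures(value),
            "normalized_hits": match_signatures(norm)}
```

Running `inspect_field` on a double-encoded, an overlong-UTF-8-encoded and a base64-wrapped field returns no raw hits in each case but the expected signature after normalization, which is the evasion class the slide refers to.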

Page 18: Radware - WAF (Web Application Firewall)

Complete Web Application Protection

Parameters Inspection: Buffer overflow (BO); Zero-day attacks

User Behavior: Cross site request forgery; Cookie poisoning, session hijacking

Layer 7 ACL: Application / folder / file / param level access control; White listing or black listing

XML, JSON & Web Services: XML & JSON validity and schema enforcement

Role Based Policy: Authentication; User Tracking

Page 19: Radware - WAF (Web Application Firewall)

Line Speed Availability Attack Mitigation

Detecting and Blocking: Attacks on web apps behind CDNs; Advanced HTTP attacks; Slowloris; HTTP dynamic floods; Brute force attacks on login pages; SSL attacks

Line Speed Mitigation: Up to 300 Gbps; Up to 230M DDoS PPS; 60 microseconds latency

Multi Layer Detection and Mitigation

Page 20: Radware - WAF (Web Application Firewall)

Out-of-Path Deployment: Protection Against DDoS Attacks

Topology: Cloud, Perimeter (Attack Mitigation Device), LAN (WAF). Radware’s WAF is implemented out-of-path on a SPAN port.

Attacker launches web-application attack.

Radware’s WAF detects the web-application attack.

Radware’s WAF signals attack information to the perimeter Attack Mitigation Device (Defense Messaging).

Radware’s Attack Mitigation Device mitigates the attack at the Perimeter.

No Performance Impact. No Risk.

Page 21: Radware - WAF (Web Application Firewall)

All-in-One Application Delivery and Security

Out-of-path or inline deployment

Deployed on multiple platforms

Delivered on platforms supporting up to 80 Gbps

Fault Isolation

SLA Assurance

High Platform Density

Fast, Reliable, Secure

Page 22: Radware - WAF (Web Application Firewall)

Shortest Time to Security

Process: App Mapping, Threat Analysis, Policy Generation, Policy Activation

SHORTEST TIME TO PROTECTION: only 1 week for known attacks; 50% faster than other leading WAFs

BEST SECURITY COVERAGE: auto threat analysis with no admin intervention; over 150 attack vectors covered

LOWEST FALSE-POSITIVES: through auto-optimization of out-of-box rules

SECURITY ASSURANCE: automatic detection of web application changes assuring security

POST-DEVELOPMENT PEACE OF MIND THROUGHOUT THE APPLICATION’S DEVELOPMENT LIFECYCLE

Page 23: Radware - WAF (Web Application Firewall)

Multi-Vector Role Based Security Policy

Authentication and login detection; Authorization and access control; Accounting and Auditing; Web based Single Sign On; Segregation of duties

CONTEXT: Web Role; IP & Geo Location

SECURITY POLICY: Application Access Control; Data Access and Visibility; Web Security (XSS, SQL Inj.)

ACTION: Block; Report

Page 24: Radware - WAF (Web Application Firewall)

IP-Agnostic Device Fingerprinting & Tracking

IP address based identification and blocking has become obsolete: attackers dynamically change IPs (DHCP, anonymous proxies, CDN, NAT).

AppWall goes beyond IP address and uses a detailed device fingerprint from over 2 dozen parameters, for example: Operating System, System Fonts, Browser Plug-ins, Screen Resolution, Local IPs.

Device fingerprint enables precise activity tracking over time and development of Device Reputation.

Provides advanced protection from: Website Scraping; Brute Force Attacks; HTTP Dynamic Floods.

Improved Bot Detection and Blocking
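Added example, not AppWall's implementation: a Python sketch of the idea behind IP-agnostic tracking. A device identifier is derived from client-side attributes only (the attribute names are assumed stand-ins for a few of the slide's parameters), reputation is kept per identifier across IP changes, and the resulting verdict is compared with a naive per-IP failure counter; the login samples and threshold are constructed.

```python
import hashlib
import json
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical attribute names standing in for a few of the "over 2 dozen
# parameters" the slide mentions; the real AppWall parameter list is not on the page.
FINGERPRINT_KEYS = ("os", "fonts", "plugins", "screen", "local_ips")

def device_id(attrs: dict) -> str:
    """Stable identifier built only from client-side attributes, never the source
    IP, so it survives DHCP churn, anonymous proxies, NAT and CDN fronting."""
    canonical = {}
    for key in FINGERPRINT_KEYS:
        val = attrs.get(key)
        canonical[key] = sorted(val) if isinstance(val, list) else val  # order-independent
    blob = json.dumps(canonical, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()[:16]

@dataclass
class DeviceReputation:
    failed_logins: int = 0
    ips_seen: set = field(default_factory=set)

class FingerprintTracker:
    """Keeps a reputation per device fingerprint and, for contrast, a naive
    per-IP failure count, so the two blocking decisions can be compared."""
    def __init__(self, max_failures: int = 5):
        self.max_failures = max_failures
        self.devices = defaultdict(DeviceReputation)
        self.per_ip = defaultdict(int)

    def observe_login(self, ip: str, attrs: dict, success: bool) -> dict:
        """Record one login attempt and return the verdict each method would give."""
        did = device_id(attrs)
        rep = self.devices[did]
        rep.ips_seen.add(ip)
        if not success:
            rep.failed_logins += 1
            self.per_ip[ip] += 1
        return {
            "device": "block" if rep.failed_logins >= self.max_failures else "allow",
            "ip_only": "block" if self.per_ip[ip] >= self.max_failures else "allow",
        }

    def ip_rotation(self, attrs: dict) -> int:
        """How many distinct source IPs this device has been seen from."""
        return len(self.devices[device_id(attrs)].ips_seen)
```

When the same fingerprint fails to log in from a fresh IP each time, the per-IP counter never reaches its threshold while the per-device reputation does, which is the gap the slide describes.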

Page 25: Radware - WAF (Web Application Firewall)

Compliance and Auditing

PCI DSS section 6.6 requirements

- Audit ready environment for PCI DSS compliance

- Security policies analysis

- Action plan for compliance

Advanced security graphical reports

Enhanced visibility into the application security and the detected attacks


Page 26: Radware - WAF (Web Application Firewall)

Why Radware’s WAF?

Attack Mitigation: Mitigating attacks on web applications behind CDNs; Blocking the attack source at the perimeter; Multi-layer detection and mitigation

Application Security & Delivery: AppWall out-of-path and inline deployment modes; Delivered on platforms supporting up to 80 Gbps

Compliance: Action plan for compliance; Advanced security graphical reports

Web Security: Short time to protection; Low false positive and false negative rates; Auto-detection of web application changes

Segregation of Duties: Mapping security web roles to LDAP organizational units or attributes; Multi vector security policies (application access, data visibility, etc.)

Page 27: Radware - WAF (Web Application Firewall)

Summary – More Than Just a WAF

Multi layered attack detection and mitigation

Out-of-path deployment with no performance impact or risk

Fast, reliable, and secure delivery of mission-critical web applications

Low maintenance costs and post deployment peace of mind

Audit ready and visibility into application security

Fastest to Deploy. Easiest to Maintain. Best Security Coverage.

Page 28: Radware - WAF (Web Application Firewall)

Radware Cloud WAF Service


Page 29: Radware - WAF (Web Application Firewall)

Radware Cloud WAF Service: Unmatched Web Security Protection

Based on Radware’s ICSA Labs certified WAF

Auto policy generation engine for 0-day attack protection

Fully managed security service, beyond 24x7

Easy, flexible model

Integrated CPE and Cloud WAF Technologies

Always-on Behavioral-based DDoS protection

Page 30: Radware - WAF (Web Application Firewall)

Radware Cloud WAF

Web-based attack is launched and detected by Radware’s Cloud WAF. Attack is mitigated and clean traffic is relayed to the customer’s cloud and premise.

Diagram elements: Radware Cloud WAF Service; Public Cloud (Organization’s Cloud Applications); Organization’s Premise (Data Center)

Page 31: Radware - WAF (Web Application Firewall)

Unmatched Web Security Protection

Full coverage of ALL OWASP Top-10

ICSA Labs certification

Auto-policy generation

Supports negative & positive security models

Attack Categories Covered

TCP Termination & Normalization: HTTP Protocol attack (e.g. HRS); Path traversal; Base64 and encoded attacks; JSON and XML attacks

Login Protection: Password cracking – Brute Force

Attack Signature and Rules: Cross site scripting (XSS); Injections: SQL, LDAP; OS commanding; Server Side Includes (SSI)

LFI/RFI Protection: Local File Inclusion; Remote File Inclusion

Session Protection: Cookie Poisoning; Session Hijacking

Data Leak Prevention: Credit card number (CCN); Social Security (SSN); Regular Expression

Access Control: Predictable Resource Location; Backdoor and debug resources; File Upload attacks

DDoS Protection: Behavioral Network DDoS; Behavioral Application DDoS; Network Challenge Response; HTTP Challenge Response; Access List; Volumetric DDoS (add-on)

Page 32: Radware - WAF (Web Application Firewall)

0-Day Attack Protection: Shortest Time to Security

(This slide repeats the content of Page 22 under the heading above.)

Page 33: Radware - WAF (Web Application Firewall)

Fully Managed Security Service, Beyond 24x7

24x7 support

System monitoring and auto policy generation

Proactive analysis including policy optimization and logs review

Backed by Radware's Emergency Response Team (ERT)

Page 34: Radware - WAF (Web Application Firewall)

Easy, Flexible Model

Simple setup - nothing to download or install

Phased and risk free onboarding – 3 step process: Out-of-path / Auto Policy, then Inline passive mode, then Inline protective mode

– Every new policy is initially introduced in Span Port

– 7 days for new policy activation

OPEX-based model

3 levels of service offering (Silver, Gold & Platinum)

Flexibility in growth options

Page 35: Radware - WAF (Web Application Firewall)

Integrated CPE and Cloud WAF Technologies

Only solution to integrate with on-premise security devices

Increased visibility and control in disaggregated application-delivery environments

Cloud-to-premise attack messaging to further secure data centers

Allow for ease and speed of security policy orchestration & automation

Unified, hybrid solution supporting your cloud migration path

Page 36: Radware - WAF (Web Application Firewall)

Always-On Behavioral-Based DDoS Protection

Based on Radware's attack mitigation device (DefensePro)

Includes Anti DDoS, NBA and IPS protection

Adaptive behavioral analysis and challenge response technologies

Page 37: Radware - WAF (Web Application Firewall)

Volumetric DDoS Attack Protection

Volumetric attack is launched on the customer environment. Attack is detected by Radware’s attack mitigation device in the Radware Cloud POP. Attack baseline is synchronized to Radware’s Scrubbing Center (Defense Messaging) and traffic is redirected. Traffic is cleaned by the Scrubbing Center and sent to the customer cloud and premise.

Diagram elements: Radware Cloud WAF; Radware Cloud Scrubbing; Public Cloud (Organization’s Cloud Applications); Organization’s Premise (Data Center)

Page 38: Radware - WAF (Web Application Firewall)

Scalability and Availability

Service Monitoring: Traffic Volume Monitoring, HTTP Health-checks

Redundancy: for all network components – No single point of failure

Failover: Auto failover based on Active – standby

Disaster Recovery: DNS redirection to secondary site; Tier 1 DNS

Page 39: Radware - WAF (Web Application Firewall)

Offering Sets

Service available in three packages:

Silver

• Single shared policy for multiple web applications

• Basic security offering to secure against common web attacks

Gold

• Dedicated policy for each web application

• PCI Compliance ready policy

• Added protection from data and access centric attacks

Platinum

• OWASP Top 10 coverage

• Extended security policy

• Zero-day attack protection

• Advanced attack protection

DDoS protection of up to 1 Gbps of attack traffic is included in all packages. Volumetric DDoS-attack protection is available at additional cost.

Page 40: Radware - WAF (Web Application Firewall)

Why Radware Cloud WAF?

Integrated CPE and Cloud WAF Technologies: Only solution with the same technology to protect both cloud-based and on-premise applications

Unmatched Web Application Protection: Full OWASP Top 10 coverage; Auto policy generation; ICSA Labs certification

Fully Managed Security Service: 24x7 Support; Backed by Radware’s ERT security experts

Easy, Flexible Model: Simple, no setup; OPEX based with 3 offerings to choose from

Always-On Behavioral-Based DDoS Protection: Based on Radware’s attack mitigation device; Minimal false positives; no impact on legitimate traffic

Page 41: Radware - WAF (Web Application Firewall)

Page 42: Radware - WAF (Web Application Firewall)

Radware Cloud WAF Service Full SLA

Security Offerings – DDoS Features | Silver | Gold | Platinum
Behavioral Network Layer DDoS Protection | Yes | Yes | Yes
Behavioral Application Layer DDoS Protection | Yes | Yes | Yes
Network Challenge Response | Yes | Yes | Yes
HTTP Challenge Response | Yes | Yes | Yes
Access List – on demand up to 1 list per month | Up to 100 entries | Up to 100 entries | Up to 100 entries
Weekly Security Update Subscription | Yes | Yes | Yes
Attack volume supported | Up to 1G | Up to 1G | Up to 1G

Security Offerings – WAF Features | Silver | Gold | Platinum
HTTP Protocol Manipulation | Yes | Yes | Yes
Error info leakage & fingerprinting | Yes | Yes | Yes
Known Vulnerabilities & Custom Rules | Yes | Yes | Yes
SQL, OS and LDAP Injection | Yes | Yes | Yes
Cross Site Scripting (XSS) | Yes | Yes | Yes
SSL (including custom certificate) | Yes | Yes | Yes
Geo Location, Anonymous proxies | Yes | Yes | Yes
Credit Card Number Leakage | No | Yes | Yes
CSRF | No | Yes | Yes
Access Control (White & Black list) | No | Yes | Yes
Brute Force | No | Yes | Yes
Session attacks (hijacking, cookie poisoning) | No | No | Yes
Zero Day Protection; Parameter policy | No | No | Yes
XML and Web Service | No | No | Yes

Page 43: Radware - WAF (Web Application Firewall)

Radware Cloud WAF Service Full SLA

Service Offerings – Service | Silver | Gold | Platinum
24 x 7 support | Yes | Yes | Yes
Managed Security Service | Yes | Yes | Yes
Logs review and system monitoring | Yes | Yes | Yes
Customized Weekly Scheduled Reports | Yes | Yes | Yes
Tenant-based Policy (shared policy for multiple apps) | Yes | No | No
Application Based policy | No | Yes | Yes
Auto Policy Generation | Yes | Yes | Yes
Dedicated WAF instance | No | No | Yes
At least once a month Proactive Security Policy Review and optimization | No | No | Yes
2 Forensics Reports per year | No | No | Yes
Emergency Response Attack Mitigation | Yes | Yes | Yes
Pre-attack high risk alerts | Yes | Yes | Yes
Post attack report and recommendations | Yes | Yes | Yes
Time to Security Expert response SLA | Best Effort | Best Effort | Best Effort
Number of DDoS Protection policy changes per calendar month (non-cumulative) | 1 | 1 | 1