Radware - WAF (Web Application Firewall)
Transcript of Radware - WAF (Web Application Firewall)
Radware Web Application Protection Offerings
Deivid Toledo, Product Manager at WTR Services
May 3, 2023
About Radware
Our Track Record
- Global Technology Partners
- Over 10,000 Customers
Company Growth (chart: annual revenue in USD millions, 2002 to 2014)
Market Leading WAF Offering
- Banking & Finance
- Gov’t & Enterprise
- Telco & Cloud Service Providers
- Retail/eCommerce
Current Trends
Migration to the Cloud Continues
Attackers can now target premise- and cloud-based applications.
Q: In the next 12-14 months, what percentage of your applications do you envision migrating to the cloud? (2015, n=311)
- 0%: 23%
- 1-20%: 48%
- 21-50%: 18%
- 51-75%: 6%
- 76-99%: 2%
- 100%: 4%
Almost half (48%) anticipate migrating up to 20% of their applications to the cloud. About one in ten (12%) plan to migrate more than half of their applications to the cloud. Complexity in managing security policies is the #1 security challenge.
Rise in Popularity of Web Based Attacks
Web attacks - most common attack vector (legend: OWASP Top 10 attacks; availability based attacks)
Top 10 Web Attack Methods
- Denial of Service: 25%
- SQL Injection: 24%
- Cross Site Scripting (XSS): 8.9%
- Brute Force: 4.8%
- Predictable Resource Location: 3.8%
- Stolen Credentials: 3.7%
- Unintentional Information Disclosure: 3%
- Banking Trojan: 2.8%
- Credential/Session Prediction: 2.1%
- Cross Site Request Forgery (CSRF): 1.9%
Source: Web Hacking Incident Database (WHID), Feb. 2013
Complexity of Attacks Continues to Grow
Multi-vector attacks target all layers of the infrastructure:
- Large volume network flood attacks
- Syn Floods
- Network Scan
- HTTP Floods
- SSL Floods
- App Misuse
- Brute Force
- “Low & Slow” DoS attacks (e.g. Slowloris)
- XSS, CSRF, SQL Injections
Infrastructure under attack: Internet Pipe, Firewall, IPS/IDS, Load Balancer/ADC, Server, SQL Server
Mitigation layers: On-Demand Cloud DDoS, DoS protection, Behavioral analysis, IPS, WAF, SSL protection
Existing Solutions Still Mostly Manual
Over 80% of solutions require a medium to high degree of manual tuning; less than 20% require a low degree and are considered mostly automatic.
Q.22: What degree of manual tuning or configuration does your current solution require? (2015, n=311)
- High degree: 24%
- Medium degree: 58%
- Low degree: 17%
The Web Security Challenge
- Growing number of web applications to protect
- More sophisticated web attacks and “bad” bots
- More disaggregated networks lead to less control
- Most solutions are still very manual
Need for Adaptive & Automated Web Security Protection
Radware’s Web Application Firewall Offering
Radware’s Hybrid Attack Mitigation Solution
Radware provides complete hybrid protection: always-on DDoS and WAF on-premise, with DDoS in-the-cloud activated on-demand.
- On-Premise (Always-On): DoS protection, behavioral analysis, IPS, WAF, SSL protection
- In-the-Cloud (On-Demand): cloud DDoS
Unmatched Web Application Protection
- Best-of-breed WAF (physical or virtual appliance)
- Radware Cloud WAF service
- Full coverage of OWASP Top-10
- ICSA Labs certification
- Auto generated policy
- Negative & positive security models
Hybrid, single technology solution to protect both on-premise and cloud-based applications
Radware’s Web Application Firewall (WAF): AppWall
- Complete web application protection
- Line speed availability attack mitigation
- All-in-one application delivery & security
- Shortest time to security
- Compliance and auditing
- Multi-vector role-based security policy
Complete Web Application Protection
- Full coverage of OWASP Top-10 by negative & positive security models
- Protection against dozens of attack vectors listed on the WASC Threat Classification
- Efficient, accurate and difficult-to-evade out-of-the-box negative security:
  • Terminating TCP connections
  • Normalizing client-encoded traffic
  • Blocking various evasion techniques
Complete Web Application Protection
Terminate TCP, Normalize, HTTP RFC
- Evasions: HTTP response splitting (HRS); URL / Base64 / UTF-8 encoded injections
- Signatures applied on normalized traffic
Signature & Rule Protection
- Cross site scripting (XSS)
- SQL injection, LDAP injection, OS commanding
Data Leak Prevention
- Credit card number (CCN)
- Social Security number (SSN)
- Regular expression
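As an added illustration of the "signatures applied on normalized traffic" idea from this slide (not Radware's code; the signatures, parameter names and sample values are constructed for this example), the following Python inspects each request parameter in its raw, percent-decoded and Base64-decoded forms before matching, so an encoded payload is judged by what it decodes to:

```python
import base64
import re
import urllib.parse

# Constructed negative-security signatures for illustration; a real WAF rule set is far larger.
SIGNATURES = {
    "sql_injection": re.compile(r"(?i)\bunion\s+select\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+"),
    "xss": re.compile(r"(?i)<\s*script\b|javascript:|\bon[a-z]+\s*="),
    "os_commanding": re.compile(r"(?:;|\|\||&&)\s*(?:cat|ls|id|wget|curl)\b"),
}


def try_base64(text: str):
    """Return the decoded text if `text` is valid Base64 for printable UTF-8, else None."""
    candidate = text.strip()
    if len(candidate) < 8 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", candidate):
        return None
    try:
        decoded = base64.b64decode(candidate, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError subclass
        return None
    return decoded if decoded.isprintable() else None


def normalized_forms(value: str, max_rounds: int = 3) -> list:
    """Raw value, each percent-decoding round (catches double encoding), then a Base64 decode."""
    forms = [value]
    current = value
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(current)  # unquote, not unquote_plus: keep '+' for Base64
        if decoded == current:
            break
        current = decoded
        forms.append(current)
    b64 = try_base64(current)
    if b64 is not None:
        forms.append(b64)
    return forms


def inspect(params: dict) -> list:
    """Match every signature against every normalized form; return (param, signature) hits."""
    findings = []
    for name, value in params.items():
        forms = normalized_forms(value)
        for sig_name, pattern in SIGNATURES.items():
            if any(pattern.search(form) for form in forms):
                findings.append((name, sig_name))
    return findings
```

Matching only the raw parameter misses both the double-URL-encoded and the Base64-encoded samples in the test; matching the normalized forms catches them.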
Complete Web Application Protection
Parameters Inspection
- Buffer overflow (BO)
- Zero-day attacks
User Behavior
- Cross site request forgery
- Cookie poisoning, session hijacking
Layer 7 ACL
- Application / folder / file / parameter level access control
- White listing or black listing
XML, JSON & Web Services
- XML & JSON validity and schema enforcement
Role Based Policy
- Authentication
- User tracking
Line Speed Availability Attack Mitigation
Detecting and blocking:
- Attacks on web apps behind CDNs
- Advanced HTTP attacks
- Slowloris
- HTTP dynamic floods
- Brute force attacks on login pages
- SSL attacks
Line speed mitigation:
- Up to 300 Gbps
- Up to 230M DDoS PPS
- 60 microseconds latency
Multi-layer detection and mitigation
Out-of-Path Deployment: Protection Against DDoS Attacks
Radware’s WAF is implemented out-of-path on a span port (Cloud / Perimeter / LAN, with the Attack Mitigation Device at the perimeter):
1. Attacker launches a web-application attack.
2. Radware’s WAF detects the web-application attack.
3. Radware’s WAF signals attack information to the perimeter Attack Mitigation Device (Defense Messaging).
4. Radware’s Attack Mitigation Device mitigates the attack at the perimeter.
No performance impact. No risk.
All-in-One Application Delivery and Security
- Out-of-path or inline deployment
- Deployed on multiple platforms
- Delivered on platforms supporting up to 80 Gbps
- Fault isolation
- SLA assurance
- High platform density
Fast, Reliable, Secure
Shortest Time to Security
App Mapping → Threat Analysis → Policy Generation → Policy Activation
- Shortest time to protection: only 1 week for known attacks, 50% faster than other leading WAFs
- Best security coverage: auto threat analysis with no admin intervention; over 150 attack vectors covered
- Lowest false positives: through auto-optimization of out-of-the-box rules
- Security assurance: automatic detection of web application changes, assuring security and post-development peace of mind throughout the application’s development lifecycle
Multi-Vector Role Based Security Policy
- Authentication and login detection
- Authorization and access control
- Accounting and auditing
- Web based Single Sign On
- Segregation of duties
Context: web role; IP & geo location
Security policy: application access control; data access and visibility; web security (XSS, SQL injection)
Action: block; report
IP-Agnostic Device Fingerprinting & Tracking
IP address based identification and blocking has become obsolete:
- Attackers dynamically change IPs
- DHCP, anonymous proxies, CDN, NAT
AppWall goes beyond the IP address and uses a detailed device fingerprint built from over two dozen parameters (e.g. operating system, system fonts, browser plug-ins, screen resolution, local IPs). The device fingerprint enables precise activity tracking over time and the development of device reputation. It provides advanced protection from:
- Website scraping
- Brute force attacks
- HTTP dynamic floods
Improved bot detection and blocking
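To show why tracking by device fingerprint instead of source IP matters for the brute-force case on this slide, here is an added Python example (not Radware's code; the attribute names, threshold and sample events are constructed for this illustration). The same failed-login events are counted per IP and per fingerprint; a client rotating through several addresses stays under the per-IP threshold but is caught per device:

```python
import hashlib
import json

# Fingerprint attributes in the spirit of the slide (OS, fonts, plug-ins, screen, local IP);
# the attribute names are constructed for this example.
FINGERPRINT_FIELDS = ("os", "fonts", "plugins", "screen", "local_ip")


def device_id(event: dict) -> str:
    """Stable identifier derived from the device attributes alone, independent of source IP."""
    material = json.dumps({k: event[k] for k in FINGERPRINT_FIELDS}, sort_keys=True)
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def failed_logins(events: list, key_fn) -> dict:
    """Count failed /login requests grouped by whatever key_fn extracts (IP or device id)."""
    counts = {}
    for e in events:
        if e["path"] == "/login" and e["status"] == 401:
            key = key_fn(e)
            counts[key] = counts.get(key, 0) + 1
    return counts


def over_threshold(counts: dict, threshold: int) -> dict:
    """Keys whose failed-login count reached the threshold."""
    return {k: n for k, n in counts.items() if n >= threshold}


# Constructed sample traffic (RFC 5737 documentation addresses): one device cycles through
# four source IPs with three failed logins from each; a legitimate user mistypes once, then succeeds.
ATTACKER = {"os": "Windows 10", "fonts": "Arial;Calibri;Consolas", "plugins": "PDF Viewer",
            "screen": "1920x1080", "local_ip": "192.168.1.23"}
USER = {"os": "macOS 13", "fonts": "Helvetica;Menlo", "plugins": "", "screen": "2560x1600",
        "local_ip": "10.0.0.5"}
EVENTS = [dict(ATTACKER, ip=f"203.0.113.{i}", path="/login", status=401)
          for i in range(1, 5) for _ in range(3)]
EVENTS += [dict(USER, ip="198.51.100.7", path="/login", status=401),
           dict(USER, ip="198.51.100.7", path="/login", status=200)]

if __name__ == "__main__":
    print("per IP:", over_threshold(failed_logins(EVENTS, lambda e: e["ip"]), 5))
    print("per device:", over_threshold(failed_logins(EVENTS, device_id), 5))
```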
Compliance and Auditing
PCI DSS section 6.6 requirements:
- Audit ready environment for PCI DSS compliance
- Security policies analysis
- Action plan for compliance
Advanced security graphical reports: enhanced visibility into application security and the detected attacks
Why Radware’s WAF?
- Attack Mitigation: mitigating attacks on web applications behind CDNs; blocking the attack source at the perimeter; multi-layer detection and mitigation
- Application Security & Delivery: AppWall out-of-path and inline deployment modes; delivered on platforms supporting up to 80 Gbps
- Compliance: action plan for compliance; advanced security graphical reports
- Web Security: short time to protection; low false positive and false negative rates; auto-detection of web application changes
- Segregation of Duties: mapping security web roles to LDAP organizational units or attributes; multi-vector security policies (application access, data visibility, etc.)
Summary – More Than Just a WAF
- Multi-layered attack detection and mitigation
- Out-of-path deployment with no performance impact or risk
- Fast, reliable, and secure delivery of mission-critical web applications
- Low maintenance costs and post-deployment peace of mind
- Audit ready and visibility into application security
Fastest to deploy. Easiest to maintain. Best security coverage.
Radware Cloud WAF Service
Unmatched Web Security Protection:
- Based on Radware’s ICSA Labs certified WAF
- Auto policy generation engine for 0-day attack protection
- Fully managed security service, beyond 24x7
- Easy, flexible model
- Integrated CPE and Cloud WAF technologies
- Always-on behavioral-based DDoS protection
Radware Cloud WAF
A web-based attack is launched and detected by Radware’s Cloud WAF; the attack is mitigated and clean traffic is relayed to the customer’s cloud (the organization’s cloud applications in the public cloud) and premise (the organization’s data center).
Unmatched Web Security Protection
- Full coverage of ALL OWASP Top-10
- ICSA Labs certification
- Auto-policy generation
- Supports negative & positive security models
Attack Categories Covered
- TCP Termination & Normalization: HTTP protocol attacks (e.g. HRS); path traversal; Base64 and encoded attacks; JSON and XML attacks
- Login Protection: password cracking (brute force)
- Attack Signature and Rules: cross site scripting (XSS); injections (SQL, LDAP, OS commanding); Server Side Includes (SSI)
- LFI/RFI Protection: local file inclusion; remote file inclusion
- Session Protection: cookie poisoning; session hijacking
- Data Leak Prevention: credit card number (CCN); Social Security number (SSN); regular expression
- Access Control: predictable resource location; backdoor and debug resources; file upload attacks
- DDoS Protection: behavioral network DDoS; behavioral application DDoS; network challenge response; HTTP challenge response; access list; volumetric DDoS (add-on)
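The Data Leak Prevention category above (CCN, SSN, regular expression) is the kind of check applied to response bodies. As an added example that is not Radware's code (the patterns, Luhn filter and sample response are constructed for this illustration), the Python below flags probable card and SSN values, uses a Luhn check so that 16-digit order numbers are not reported as cards, and masks what it finds:

```python
import re

# Constructed patterns in the spirit of the slide's CCN / SSN / regular-expression DLP rules.
CCN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")              # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(number: str) -> bool:
    """Luhn check over the digits only; cuts false positives from order and tracking numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_leaks(body: str) -> list:
    """Return (kind, matched_text) for every probable CCN or SSN in a response body."""
    leaks = [("ccn", m.group(0)) for m in CCN_RE.finditer(body) if luhn_ok(m.group(0))]
    leaks += [("ssn", m.group(0)) for m in SSN_RE.finditer(body)]
    return leaks


def mask(body: str) -> str:
    """Replace each detected value so the response can be served without the sensitive data."""
    for kind, value in find_leaks(body):
        body = body.replace(value, f"[REDACTED-{kind.upper()}]")
    return body


# Constructed sample response body: a 16-digit order number (fails Luhn), a test card
# number that passes Luhn, and a well-known non-issued example SSN.
SAMPLE = "Order 1234 5678 9012 3456 paid with card 4111 1111 1111 1111; SSN 078-05-1120."

if __name__ == "__main__":
    print(find_leaks(SAMPLE))
    print(mask(SAMPLE))
```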
0-Day Attack Protection: Shortest Time to Security
App Mapping → Threat Analysis → Policy Generation → Policy Activation
Fully Managed Security Service, Beyond 24x7
- 24x7 support
- System monitoring and auto policy generation
- Proactive analysis including policy optimization and logs review
- Backed by Radware's Emergency Response Team (ERT)
Easy, Flexible Model
- Simple setup: nothing to download or install
- Phased and risk-free onboarding, a 3-step process: out-of-path (auto policy), then inline passive mode, then inline protective mode
  – Every new policy is initially introduced in span port
  – 7 days for new policy activation
- OPEX-based model
- 3 levels of service offering (Silver, Gold & Platinum)
- Flexibility in growth options
Integrated CPE and Cloud WAF Technologies
- Only solution to integrate with on-premise security devices
- Increased visibility and control in disaggregated application-delivery environments
- Cloud-to-premise attack messaging to further secure data centers
- Allows for ease and speed of security policy orchestration & automation
Unified, hybrid solution supporting your cloud migration path
Always-On Behavioral-Based DDoS Protection
- Based on Radware's attack mitigation device (DefensePro)
- Includes anti-DDoS, NBA and IPS protection
- Adaptive behavioral analysis and challenge response technologies
Volumetric DDoS Attack Protection
1. A volumetric attack is launched on the customer environment.
2. The attack is detected by Radware’s attack mitigation device in the Radware Cloud POP.
3. The attack baseline is synchronized to Radware’s Scrubbing Center (Defense Messaging) and traffic is redirected.
4. Traffic is cleaned by the Scrubbing Center and sent to the customer’s cloud (the organization’s cloud applications in the public cloud) and premise (data center).
Scalability and Availability
- Service monitoring: traffic volume monitoring, HTTP health-checks
- Redundancy: for all network components, no single point of failure
- Failover: auto failover based on active-standby
- Disaster recovery: DNS redirection to secondary site; Tier 1 DNS
Offering Sets
Service available in three packages. DDoS protection of up to 1 Gbps of attack traffic is included in all packages; volumetric DDoS-attack protection is available at additional cost.
Silver
• Single shared policy for multiple web applications
• Basic security offering to secure against common web attacks
Gold
• Dedicated policy for each web application
• PCI Compliance ready policy
• Added protection from data and access centric attacks
Platinum
• OWASP Top 10 coverage
• Extended security policy
• Zero-day attack protection
• Advanced attack protection
Why Radware Cloud WAF?
- Integrated CPE and Cloud WAF Technologies: only solution with the same technology to protect both cloud-based and on-premise applications
- Unmatched Web Application Protection: full OWASP Top 10 coverage; auto policy generation; ICSA Labs certification
- Fully Managed Security Service: 24x7 support; backed by Radware’s ERT security experts
- Easy, Flexible Model: simple, no setup; OPEX based with 3 offerings to choose from
- Always-On Behavioral-Based DDoS Protection: based on Radware’s attack mitigation device; minimal false positives; no impact on legitimate traffic
Radware Cloud WAF Service Full SLA

Security Offerings – DDoS Features              Silver             Gold               Platinum
Behavioral Network Layer DDoS Protection        Yes                Yes                Yes
Behavioral Application Layer DDoS Protection    Yes                Yes                Yes
Network Challenge Response                      Yes                Yes                Yes
HTTP Challenge Response                         Yes                Yes                Yes
Access List – on demand, up to 1 list per month Up to 100 entries  Up to 100 entries  Up to 100 entries
Weekly Security Update Subscription             Yes                Yes                Yes
Attack volume supported                         Up to 1G           Up to 1G           Up to 1G

Security Offerings – WAF Features               Silver  Gold  Platinum
HTTP Protocol Manipulation                      Yes     Yes   Yes
Error info leakage & fingerprinting             Yes     Yes   Yes
Known Vulnerabilities & Custom Rules            Yes     Yes   Yes
SQL, OS and LDAP Injection                      Yes     Yes   Yes
Cross Site Scripting (XSS)                      Yes     Yes   Yes
SSL (including custom certificate)              Yes     Yes   Yes
Geo Location, Anonymous proxies                 Yes     Yes   Yes
Credit Card Number Leakage                      No      Yes   Yes
CSRF                                            No      Yes   Yes
Access Control (White & Black list)             No      Yes   Yes
Brute Force                                     No      Yes   Yes
Session attacks (hijacking, cookie poisoning)   No      No    Yes
Zero Day Protection; Parameter policy           No      No    Yes
XML and Web Service                             No      No    Yes

Service Offerings – Service                                                Silver       Gold         Platinum
24 X 7 support                                                             Yes          Yes          Yes
Managed Security Service                                                   Yes          Yes          Yes
Logs review and system monitoring                                          Yes          Yes          Yes
Customized Weekly Scheduled Reports                                        Yes          Yes          Yes
Tenant-based Policy (shared policy for multiple apps)                      Yes          No           No
Application Based policy                                                   No           Yes          Yes
Auto Policy Generation                                                     Yes          Yes          Yes
Dedicated WAF instance                                                     No           No           Yes
At least once a month Proactive Security Policy Review and optimization    No           No           Yes
2 Forensics Reports per year                                               No           No           Yes
Emergency Response Attack Mitigation                                       Yes          Yes          Yes
Pre-attack high risk alerts                                                Yes          Yes          Yes
Post attack report and recommendations                                     Yes          Yes          Yes
Time to Security Expert response SLA                                       Best Effort  Best Effort  Best Effort
Number of DDoS Protection policy changes per calendar month (non-cumulative) 1          1            1