WAF(Web Application Firewall) Cloud Computing Service Duk Soo Kim, dskim@pentasecurity.com 2010.06.01

Page 1: WAF(Web Application Firewall) Cloud Computing Service Duk Soo Kim, dskim@pentasecurity.com 2010.06.01.

WAF(Web Application Firewall) Cloud Computing Service

Duk Soo Kim, dskim@pentasecurity.com

Page 2:

Cloud Computing

Definition

Cloud computing is a general term for anything that involves delivering hosted services over the Internet. These services are broadly divided into three categories: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS).

Visual Model of NIST Working Definition

WAF Cloud Computing Service

Source: http://csrc.nist.gov/groups/SNS/cloud-computing/index.html

Page 3:

Security as a Service (1/2)

Why turn to Security as a Service (or Security SaaS)?

Source: Enterprise Management Associates (EMA), “Security as a Service” survey, Q1 2010

Page 4:

Security as a Service (2/2)

Why turn to Security as a Service (or Security SaaS)?

Source: Enterprise Management Associates (EMA), “Security as a Service” survey, Q1 2010

Page 5:

Present Web Security SaaS (1/2)

There exists only end-user protection, but no web application protection.

Websense and Webroot provide web security services for enterprises. Their protection is focused on ‘end-user protection’.

Outbound security: enforcing web filtering policies
Inbound security: blocking viruses, spyware and other web-based threats

They adopted a ‘hybrid deployment model’.

Platforms: Security-as-a-Service, Dedicated Appliance

For fast and easy deployment, Security SaaS is offered; for high performance, an appliance is offered with a management service.

The appliance offering can be considered a cloud computing service in a broad sense. However, it is closer to a ‘Managed Security Service’ that is charged monthly (‘pay-as-you-go’ model).

[Diagram labels: User, Web server, Inbound Protection, Outbound Control]

Page 6:

Present Web Security SaaS (2/2)

Security-as-a-Service

When a user accesses the provider’s service web site, software is installed that shifts all web traffic from the customer’s location to available datacenters ‘in the cloud.’ The provider’s web site provides the management process, including policy settings.

Dedicated Appliance

A dedicated appliance is installed in the customer’s network, and the provider offers a ‘Managed Security Service’ over the Internet.

[Diagram labels, Security-as-a-Service: User, Web server, Provider’s cloud, Security Solution]

[Diagram labels, Dedicated Appliance: User, Web server, Appliance, Customer Enterprise Network, Provider’s cloud, Management Solution, Managed remotely]

Page 7:

WAF SaaS

There exist only appliance-based WAF services. A few companies claimed that they provided WAF SaaS, but it was an appliance-based service.

Savvis introduced WAF as an ‘IT infrastructure-as-a-service’. However, it was closer to a ‘Managed Security Service’, which is a little far from cloud computing characteristics.
Ref.) http://www.imperva.com/docs/Savvis_WebApplicationFirewallService.pdf

Art of defence allegedly announced the industry's first cloud-based SaaS solution. However, it was a WAF software image for the GoGrid cloud. Only GoGrid users can use it.
Ref.) http://www.darkreading.com/securityservices/security/perimeter/showArticle.jhtml?articleID=223400027

[Diagram labels: User, Web server, Appliance (WAF), Customer Enterprise Network, Provider’s cloud, Management Solution, Managed remotely]

Page 8:

Our Approach (1/2)

Hybrid deployment model

We adopt the hybrid deployment model, like web security SaaS companies such as Websense and Webroot.

Security-as-a-Service

To shift web traffic to our cloud, we change the URI-IP mapping entry registered in DNS. After the DNS change, all traffic for the target web server is forwarded to the WAPPLES cloud.

Dedicated Appliance

WAPPLES is offered to the customer as a dedicated appliance, and WAPPLES MS is installed in the cloud as a management solution.

[Diagram labels: User, Web server, Provider’s cloud, WAF, Original path before changing DNS, New path after changing DNS]

Page 9:

Our Approach (2/2)

Challenges

How do we control DNS changes?

How much time does it take for DNS changes to be reflected in the end-user environment?

Usually within 1~24 hours, but 24~72 hours for global propagation.

Can we provide automated DNS changes?

How can we eliminate concerns about traffic latency and increased bandwidth?

For very small web sites this is not an issue; however, for medium and large sites it should be considered seriously. We need verification in (or close to) a real environment. Another option is to offer the dedicated appliance service model.

To Do

Building a web site for the user interaction interface
Implementing a provisioning tool for DNS control
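The DNS-based redirection on page 8 and the propagation question above can be modelled with resolver caching, as an added example that is not part of the original slides: while a resolver still holds the old address, its users reach the web server directly and bypass the WAF. The addresses, TTL values and resolver names are constructed, and the model assumes resolvers honour the TTL they receive.

```python
from dataclasses import dataclass

# Constructed sample values (documentation address ranges), not from the slides.
ORIGIN_IP = "192.0.2.10"     # web server's own address (original path)
WAF_IP = "198.51.100.20"     # address of the WAF cloud (new path)


@dataclass
class CachedAnswer:
    resolver: str     # label of a recursive resolver used by end users
    address: str      # A record it currently holds
    fetched_at: int   # seconds on the plan's clock
    ttl: int          # TTL the record carried when it was fetched

    def expires_at(self) -> int:
        return self.fetched_at + self.ttl


def plan_cutover(old_ttl: int, staged_ttl: int, lower_ttl_at: int = 0) -> dict:
    """Two-step DNS change: publish a short TTL first, then switch the address
    once every cached copy that still carries the old TTL has expired."""
    switch_at = lower_ttl_at + old_ttl
    return {
        "switch_at": switch_at,
        # After the switch, a stale answer lives at most staged_ttl seconds.
        "mixed_path_window": staged_ttl,
        "all_via_waf_by": switch_at + staged_ttl,
        # Switching without staging leaves stale answers for up to old_ttl.
        "unstaged_mixed_path_window": old_ttl,
    }


def still_bypassing(caches, waf_ip: str, now: int) -> list:
    """Resolvers whose unexpired cached answer still sends users straight to
    the web server, i.e. around the WAF."""
    return [c.resolver for c in caches
            if c.address != waf_ip and c.expires_at() > now]


if __name__ == "__main__":
    plan = plan_cutover(old_ttl=86400, staged_ttl=300)
    t0 = plan["switch_at"]
    caches = [  # constructed resolver states at the moment of the switch
        CachedAnswer("resolver-a", ORIGIN_IP, t0 - 100, 300),
        CachedAnswer("resolver-b", ORIGIN_IP, t0 - 200, 300),
        CachedAnswer("resolver-c", WAF_IP, t0, 300),
    ]
    print(plan)
    for dt in (0, 150, 300):
        print(dt, still_bypassing(caches, WAF_IP, t0 + dt))
```

A provisioning tool can run the same check against live resolver answers and treat a non-empty bypass list after `all_via_waf_by` as a sign that some resolver is not honouring the TTL.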


Page 10:

Penta Security Systems Inc.

Korea Headquarters

20F Hanjin Shipping Bldg., 25-11 Yeouido, Yeongdeungpo-gu, Seoul, Korea

TEL: 82-2-780-7728 FAX: 82-2-786-5281

www.pentasecurity.com

Japan Headquarters

KOTRA Tokyo, 18F Shin-Kasumigaseki Bldg., 3-3-2 Kasumigaseki, Chiyoda-ku, Tokyo

TEL: 81-3-5511-1093 FAX: 81-3-5511-1092

www.pentasecurity.co.jp