WebApp Security in the Digital Age - Cisco · F5 Networks Positioned as a Leader in 2017 Gartner...
• Introduction
• Who needs WAF anyway?
• The Death of WAF?
• Advanced WAF
• Why F5?
https://laurent22.github.io/so-injections/
• 13 major airlines
• flight information
• credit card data
• personal data
• undetected for 1.5 years
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/tech-briefs/paloaltonetworks-vs-waf.pdf
BIG-IP ASM extends protection to more than application vulnerabilities:
• Automatic Policy Building (dynamic configuration)
• Protect Web/API from L7 attack
• Prevent bot attack (DDoS, VA tools, web scraping, brute force, etc.)
• Stop bad users (Device ID)
• Data leak protection
• Attack visibility & logging
1. Automatic Policy Building
Entities the policy builder learns from legitimate traffic:
• URLs & file types: /images/banner.jpg, /login.php, /css/design.css, /app/app.php, /js/jquery.js
• Parameters: name={alphanumeric, len=16}; address={any char, len=100}; file={multipart/form-data, maxSize=10MB}; price={numeric, tampering protection=on, len=10}
• Cookies: Cookie: name=value; Cookie: JSESSIONID=1A5306372...; Cookie: price=399;total=1399
• Server technologies
Requests that fall outside the learned policy are blocked, for example: a .exe file type, /admin/wp-admin, /login.php?name=jerrick; ls /etc/
(+) security model: enforcing legitimate traffic only
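The positive model described on this slide, as an added example that is not part of the deck or of F5's product code. It enforces a policy built from the slide's own entities (the URL list, file types, and the name/address/price parameters) against a request URL; the `server_values` argument, the regular expressions for the types, and the assumption that a tamper-protected parameter must come back with the exact value the application sent are all simplifications introduced for the example.

```python
# Added example, not from the slide deck or F5 code: enforce a learned
# positive-security policy (URLs, file types, parameter types and lengths,
# a tamper-protected parameter) against a GET request.
import re
from urllib.parse import urlsplit, unquote_plus

# Learned entities, constructed from the slide's example policy.
ALLOWED_URLS = {"/images/banner.jpg", "/login.php", "/css/design.css",
                "/app/app.php", "/js/jquery.js"}
ALLOWED_FILE_TYPES = {"jpg", "php", "css", "js"}
PARAMETERS = {
    "name":    {"type": "alphanumeric", "max_len": 16},
    "address": {"type": "any",          "max_len": 100},
    "price":   {"type": "numeric",      "max_len": 10, "tamper_protect": True},
}
TYPE_PATTERNS = {  # assumption: how the three slide types are interpreted
    "alphanumeric": re.compile(r"^[A-Za-z0-9]*$"),
    "numeric":      re.compile(r"^[0-9]+$"),
    "any":          re.compile(r"^[^\x00-\x1f\x7f]*$"),   # no control characters
}

def parse_query(query):
    """Split a query string on '&' only, so a ';' stays inside the value
    (the slide's 'name=jerrick; ls /etc/' must reach the type check)."""
    pairs = []
    for item in query.split("&"):
        if item:
            key, _, value = item.partition("=")
            pairs.append((unquote_plus(key), unquote_plus(value)))
    return pairs

def check_request(url, server_values=None):
    """Return the list of policy violations for a request URL; [] means the
    request conforms to the learned policy.

    server_values models the values the application itself emitted to the
    client (e.g. the price rendered into the order form). A tamper-protected
    parameter must come back unchanged; this is a simplified stand-in for
    the WAF's own dynamic-parameter tracking, introduced for the example.
    """
    server_values = server_values or {}
    violations = []
    parts = urlsplit(url)
    path = parts.path
    last = path.rsplit("/", 1)[-1]
    ext = last.rsplit(".", 1)[-1].lower() if "." in last else ""
    if ext and ext not in ALLOWED_FILE_TYPES:
        violations.append(f"illegal file type .{ext}")
    if path not in ALLOWED_URLS:
        violations.append(f"illegal URL {path}")
    for key, value in parse_query(parts.query):
        spec = PARAMETERS.get(key)
        if spec is None:
            violations.append(f"illegal parameter {key}")
            continue
        if len(value) > spec["max_len"]:
            violations.append(f"parameter {key} exceeds length {spec['max_len']}")
        if not TYPE_PATTERNS[spec["type"]].match(value):
            violations.append(f"parameter {key} violates type {spec['type']}")
        if spec.get("tamper_protect") and value != server_values.get(key):
            violations.append(f"parameter {key} was tampered with")
    return violations

if __name__ == "__main__":
    for u in ["/images/banner.jpg", "/admin/wp-admin",
              "/login.php?name=jerrick; ls /etc/"]:
        print(u, "->", check_request(u) or "allowed")
```

Everything not learned is a violation, which is why a positive policy needs a learning period and a staging mode before it is switched to blocking: a new URL or parameter the application legitimately added is indistinguishable from forceful browsing until the policy is updated.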
2. Protect Web/API from Known Attack
Attack signature examples: /etc/passwd, ' OR 1=1 --;
• OWASP Top 10
• Buffer overflows
• Parser attacks
• Zero-day attacks
• CSRF
• Parameter tampering
• Cross-site scripting
• Evasion techniques
• Forceful browsing
• Information leakage
• Malformed headers
• RFI
• Session hijacking
• SQL injection
• Command injection
• Many more …
(-) security model: protecting against known attacks
Evasion example: the double-URL-encoded payload %2527%2BOR%2B1%253D1%2B%2523; contains no quote or equals sign as sent, so a signature for ' OR 1=1 --; only catches it if the WAF decodes the request (twice) before matching.
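The evasion case above, as an added example that is not part of the deck or of F5's signature engine. The three signatures are constructed stand-ins for the SQL injection, path traversal and command injection classes listed on the slide; `normalise` is the step that defeats the double encoding.

```python
# Added example, not from the slide deck or F5 code: a negative-security
# check that normalises (repeatedly URL-decodes) a request value before
# matching attack signatures, so double encoding does not evade it.
import re
from urllib.parse import unquote_plus

# Constructed signatures for three of the attack classes on the slide.
SIGNATURES = {
    "sql_injection":  re.compile(r"['\"]\s*or\s+\d+\s*=\s*\d+", re.I),
    "path_traversal": re.compile(r"(\.\./)+|/etc/passwd"),
    "cmd_injection":  re.compile(r"[;|`]\s*(ls|cat|id|wget|curl)\b"),
}

def normalise(value, max_passes=3):
    """URL-decode until the value stops changing or max_passes is reached.
    %2527 -> %27 -> ' needs two passes; the cap keeps a hostile client from
    making the WAF spin on deeply nested encodings."""
    for _ in range(max_passes):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def match_signatures(value, normalise_first=True):
    """Return the sorted names of the signatures the value triggers."""
    probe = normalise(value) if normalise_first else value
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(probe))

if __name__ == "__main__":
    evasive = "%2527%2BOR%2B1%253D1%2B%2523;"
    print("raw:       ", match_signatures(evasive, normalise_first=False))
    print("normalised:", match_signatures(evasive))
```

The number of decode passes must match what the back end actually does: decoding more times than the application means blocking harmless values (an application that decodes once receives %2527 as the literal text %27), decoding fewer means the evasion works. This is one reason negative-model signatures are tuned per application rather than shipped as a fixed list.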
Share of web traffic by source (Incapsula Bot Traffic Report 2016):
• Humans: 48% (traffic generated by humans)
• Good bots: 23% (traffic generated by good bots such as Bing and Googlebot)
• Bad bots: 29% (traffic generated by bad bots such as scanners and password guessing)
3. Prevent Bot Attack
Good bot / Human / Bad bot
• Validate bot or human on initial site access
• Differentiate good bots from bad bots
• Real-time challenge (JavaScript and CAPTCHA)
• Scraping and brute-force protection
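One way to implement the first two bullets, as an added example that is not part of the deck or of F5's bot-defense code. A User-Agent claiming to be a search-engine crawler is only trusted after reverse-DNS plus forward-DNS confirmation, which is the verification method the major search engines publish for their crawlers; a client without a crawler claim is treated as human only once it has passed the JavaScript challenge, modelled here as a cookie. The DNS tables, the `js_challenge` cookie name and the scanner User-Agent list are constructed for the example.

```python
# Added example, not from the slide deck or F5 code: classify a request as
# good bot, bad bot, human, or "challenge" (send the JS challenge first).
import re

# Constructed DNS data standing in for socket.gethostbyaddr() and
# socket.gethostbyname(), so the example runs offline.
PTR = {"66.249.66.1": "crawl-66-249-66-1.googlebot.com",
       "40.77.167.1": "msnbot-40-77-167-1.search.msn.com",
       "203.0.113.7": "scanner.example.net",
       "198.51.100.5": "fake.googlebot.com"}          # forged PTR record
A   = {"crawl-66-249-66-1.googlebot.com": "66.249.66.1",
       "msnbot-40-77-167-1.search.msn.com": "40.77.167.1",
       "scanner.example.net": "203.0.113.7",
       "fake.googlebot.com": "66.249.66.1"}           # does not point back

GOOD_BOTS = {  # User-Agent token -> domains the PTR record must end with
    "Googlebot": ("googlebot.com", "google.com"),
    "bingbot":   ("search.msn.com",),
}
SCANNER_UA = re.compile(r"sqlmap|nikto|nmap|masscan|python-requests", re.I)
CHALLENGE_COOKIE = "js_challenge"   # assumption: set after the JS challenge

def verified_crawler(ip, ua):
    """True if a claimed crawler verifies by rDNS + forward DNS, False if it
    claims to be one but does not verify, None if it makes no claim."""
    for token, domains in GOOD_BOTS.items():
        if token.lower() in ua.lower():
            host = PTR.get(ip, "")
            suffixes = tuple("." + d for d in domains)
            return host.endswith(suffixes) and A.get(host) == ip
    return None

def classify(ip, ua, cookies):
    crawler = verified_crawler(ip, ua)
    if crawler is True:
        return "good bot"
    if crawler is False or SCANNER_UA.search(ua):
        return "bad bot"
    if cookies.get(CHALLENGE_COOKIE) == "passed":
        return "human"
    return "challenge"

if __name__ == "__main__":
    print(classify("66.249.66.1", "Mozilla/5.0 (compatible; Googlebot/2.1)", {}))
    print(classify("198.51.100.5", "Mozilla/5.0 (compatible; Googlebot/2.1)", {}))
```

The forward lookup is what matters: anyone controlling the reverse zone for their own address block can publish a PTR record ending in googlebot.com, but they cannot make Google's zone resolve that name back to their IP.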
4. Stop Bad Users
• Stop users from a specific country/region (geolocation)
• Stop users/sessions that trigger violations (session tracking)
• Stop users with bad IP reputation (persistent attacker, anonymous proxy, vulnerability scanner)
• Stop access from a unique device/browser (browser fingerprinting)
5. Mask Sensitive Data
Cc=4012 8888 9999 1881 becomes Cc=#### #### #### ####
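The masking shown on this slide, as an added example that is not part of the deck or of F5's Data Guard implementation. It masks card-number-shaped digit runs in a response body and can additionally require a valid Luhn check digit to avoid masking order numbers and other 13- to 19-digit values; the sample strings and the `keep_last` option are constructed for the example.

```python
# Added example, not from the slide deck or F5 code: mask card numbers in
# an outbound response body, optionally only when the Luhn digit checks.
import re

# 13 to 19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits):
    """Luhn check over a string of digits (no separators)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_cards(text, require_luhn=False, keep_last=0):
    """Replace each digit of a matched card number with '#', keeping the
    separators and, optionally, the last keep_last digits."""
    def repl(match):
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if require_luhn and not luhn_ok(digits):
            return raw                       # not a card number, leave it
        remaining = len(digits)
        out = []
        for ch in raw:
            if ch.isdigit():
                out.append(ch if remaining <= keep_last else "#")
                remaining -= 1
            else:
                out.append(ch)
        return "".join(out)
    return CARD_RE.sub(repl, text)

if __name__ == "__main__":
    body = "Cc=4012 8888 9999 1881\nOrder 1234567890123456"   # constructed
    print(mask_cards(body))
    print(mask_cards(body, require_luhn=True))
```

The slide's own sample number happens to fail the Luhn check, so with `require_luhn=True` it is left alone while the Visa test number 4111 1111 1111 1111 is masked. Whether to enforce Luhn is a trade-off: it removes false positives on order and tracking numbers, but a leak of malformed or test card data then passes through unmasked.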
6. See Hostile Traffic
Figure: a network firewall in front of the web server, app server and DB server; its policy allows TCP/80 and TCP/443 from a regular user, so whatever is carried inside that HTTP/HTTPS traffic passes.
80/20 RULE
Three vulnerability classes are responsible for 78% of all vulnerabilities:
• Cross-Site Scripting
• Information Leakage
• Injection
WHY F5?
F5 is the only vendor that uses the same product for cloud-based and on-premises deployment, which enables simple policy sharing and improved security effectiveness.
• Virtual Edition: secures applications deployed in virtualized and IaaS environments
• Datacenter Appliance: protects business-critical applications in the datacenter
• WAF as a Service: immediately turn on new services or scale existing protections without capital investment and resource requirements
Gartner Magic Quadrant for WAF
F5 is highest in execution within the Leaders Quadrant.
F5 Networks Positioned as a Leader in 2017 Gartner Magic Quadrant for Web Application Firewalls*
This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from F5 Networks. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
* Gartner, Magic Quadrant for Web Application Firewalls, Jeremy D'Hoinne, Adam Hils, Claudio Neiva, 7 August 2017
Gartner Magic Quadrant for ADC+WAF?
Figure 1. Magic Quadrant for Application Delivery Controllers. Source: Gartner (August 2016)
Tzoori Tamam
F5 WAF Product Manager
DevCentral https://devcentral.f5.com/
AskF5/Support https://ask.f5.com/
iHealth https://ihealth.f5.com/
University https://university.f5.com/