dss itsec conference 2012 - radware waf tech
DESCRIPTION
Presentation from Riga, Latvia. "Data Security Solutions" Ltd. ITSEC Conference.
TRANSCRIPT
Mitigating Attacks on your Applications & Data
With
AppWall
Igor Kontsevoy
November, 2012
Agenda
• The Solution: AppWall Web Application Firewall
– Product overview
– Security
– Auto Policy Generation
– Security & Compliance Reporting
– Role Based Policy
• Summary
Slide 2
The Solution:
AppWall
Introducing AppWall
• AppWall™ is a WAF that secures Web applications and enables PCI compliance by:
– Blocking attacks on Web applications
– Preventing data theft and manipulation of sensitive data
• Available either as Physical or Virtual Appliance.
Slide 4
AppWall Overview (with APSolute Vision and SIEM integration)
Complete Web App Protection
• Full coverage of OWASP Top-10
• Negative & positive security models
Risk Management
• Unified and correlated reporting across the network
• Security reporting
Fast Implementation
• Simple initial deployment
• Best in class Auto-Policy Generation
Scalability
• Cluster deployment
• Centralized policy management
• Scalable by device
Out-of-the-Box PCI Compliance
• WAF + IPS (PCI 6.6 & 11.4)
• PCI Compliance Reporting
Complete Web Application Protection
Signature & Rule Protection
• Cross site scripting (XSS)
• SQL injection, LDAP injection, OS commanding
Terminate TCP, Normalize, HTTP RFC
• Evasions
• HTTP response splitting (HRS)
Data Leak Prevention
• Credit card number (CCN) / Social Security number (SSN)
• Regular expression
Parameters Inspection
• Buffer overflow (BO)
• Zero-day attacks
User Behavior
• Cross site request forgery
• Cookie poisoning, session hijacking
Layer 7 ACL
• Folder / file level access control
• White listing or black listing
XML & Web Services
• XML validity and schema enforcement
Role Based Policy
• Authentication
• User tracking
Flexible Deployment Strategies
• Transparent bridge mode – No network topology changes required
– Transparent to non-HTTP traffic
– Fail-open interfaces
• Transparent Reverse proxy – HTTP Proxy for maximum security
– Preserves Original Client IP address
• Reverse proxy – HTTP Proxy for maximum security
• Cluster deployment – ADC farm deployment
– Auto policy synchronization within the farm
[Deployment diagram: Internet → Access Router → Firewall → AppWall Array / ADC → Web Servers; labels: Public IP, Virtual IP, AppWall IP]
Slide 9
Multi-Tenancy
• AppWall defines a web application by any combination of:
– Secured Web Server IP/Port
– Secured Host name
– Secured Application Tree (Folder)
• AppWall enables complete multi-tenancy with:
– Policy separation per Web Application
– RBAC per Web Application
– Reporting per Web Application
Slide 10
Patent Protected “App Path” Technology
[Diagram comparing the AppWall policy with other WAFs, by application scope and policy:]
• Lightweight policy, negative security policy only
• Negative + positive, intensive security inspection
• Fully restricted access for others than the App Admin
Slide 11
AppWall’s Adaptive Auto Policy Generation and Application Visibility
Adaptive Auto Policy Generation (1 of 4): App Mapping
[Application tree for Reservations.com: /config/, /hotels/, /register/, /info/, /reserve/, /admin/]
Slide 13
Adaptive Auto Policy Generation (2 of 4): Threat Analysis
Risk analysis per “application-path”
[Application tree for Reservations.com: /config/, /hotels/, /register/, /info/, /reserve/, /admin/]
Threats identified: SQL Injection, CCN breach, Buffer Overflow, Directory Traversal
Impacts: information leakage; gain root access control; unexpected application behavior, system crash, full system compromise; spoof identity, steal user information, data tampering
Slide 14
Adaptive Auto Policy Generation (3 of 4): Policy Generation
[Application tree for Reservations.com: /config/, /hotels/, /admin/, /register/, /info/, /reserve/; threats: SQL Injection, CCN breach, Buffer Overflow, Directory Traversal; masked card number shown as ***********9459]
Generated policy:
• Prevent access to sensitive app sections
• Mask CCN, SSN, etc. in responses
• Parameters inspection
• Traffic normalization & HTTP RFC validation
Slide 15
Adaptive Auto Policy Generation (4 of 4): Policy Activation
[Same application tree and threats; masked card number shown as ***********9459]
• Add tailored application rules
• Optimize rules for best accuracy
• Time to protect
• Virtually zero false positives
• Best security coverage
Slide 16
Application Visibility – Application Tree View
Slide 17
Application Visibility – Parameters View (parameter types: Query Parameter, Cookie, Path Parameter)
Slide 18
Role Based Policy: Authentication, Single Sign-On
Slide 19
AppWall Role Based Policy
Enables defining different security policies for different users, to provide flexible access to the web application while properly securing it.
Slide 20
Role Based Policy Delivers:
Authentication and login detection
Authorization and access control
Accounting and Auditing
Web based Single Sign On
Separation of duties
Application Content Control
Slide 21
Role Based Policy
• Defining a web app role based security policy
• Retrieving the users’ group association from LDAP
• Configuring different policies for different roles:
– Admin
– Employee
– Partner
– Customer
– Public
Slide 22
Radware.com - Employee
Slide 23
Radware.com – admin user
Slide 24
Slide 25
Role Based Policy
Slide 26
Sharing Policy Among Roles
Slide 27
Shared Policy Across Roles (new)
Different Policies (old):
• Customer – Access prohibited
• Partner – Access allowed but CCN masked
• Employee – Access allowed and CCN visible
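The per-role outcomes above (deny, allow with CCN masked, allow) together with the “Mask CCN, SSN, etc. in responses” rule from the policy generation step, written out as an added Python example that is not AppWall code: the LDAP group names, the role mapping and the response bodies are constructed for illustration, and the Luhn check is the usual way to keep a digit-run regex from masking order numbers.

```python
import re

# Constructed role policy, after the slide's three roles (not AppWall's own configuration format).
ROLE_POLICY = {
    "customer": "deny",   # Access prohibited
    "partner": "mask",    # Access allowed but CCN masked in responses
    "employee": "allow",  # Access allowed and CCN visible
}

# Assumed mapping from LDAP group DN to application role (constructed, no real directory behind it).
LDAP_GROUP_TO_ROLE = {
    "cn=staff,ou=groups,dc=example,dc=com": "employee",
    "cn=partners,ou=groups,dc=example,dc=com": "partner",
    "cn=customers,ou=groups,dc=example,dc=com": "customer",
}

# Candidate card numbers: 13-19 digits, optionally separated by single spaces or dashes.
CCN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects plain digit runs (order ids, phone numbers) the regex also hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask_ccn(body: str) -> str:
    """Replace each Luhn-valid card number with asterisks, keeping only the last 4 digits."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)           # not a card number: leave untouched
        return "*" * (len(digits) - 4) + digits[-4:]
    return CCN_RE.sub(repl, body)

def role_for(groups) -> str:
    """Most privileged role among the user's LDAP groups; unknown users are 'public'."""
    roles = {LDAP_GROUP_TO_ROLE.get(g) for g in groups}
    for r in ("employee", "partner", "customer"):
        if r in roles:
            return r
    return "public"

def enforce(groups, body: str):
    """Apply the role policy to a response: (HTTP status, body the client may see)."""
    action = ROLE_POLICY.get(role_for(groups), "deny")  # public and unknown roles: deny
    if action == "deny":
        return 403, ""
    return 200, mask_ccn(body) if action == "mask" else body
```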
Security & Compliance Reporting
Best Security & Compliance Reports
• Network and application security correlation reports
• Dozens of predefined security reports
• Learning reports detailing learned app resources
• Audit and access reports
• PCI Compliance reports
Slide 29
AppWall & DefensePro Correlation
[Correlation diagram: attacks blocked by AppWall alongside attacks blocked by DefensePro]
Slide 30
The Reporting Dashboard
Slide 31
Top Attacks by Source
Slide 32
PCI Compliance Summary Report
[Report columns: PCI Requirement, Analysis Info, Action Plan, Compliance Status]
Slide 33
Summary
The Cost of Insecurity
Slide 35
AppWall Distinctive Competence
• Cloud Ready Complete ADC solution
• Unique Network & Application Attack mitigation
• Adaptive Auto Policy Generation
• Best security & compliance reports
• Reduced Cost of Ownership
Slide 36
The End