Watch on-demand here https://info.avinetworks.com/webinars/intelligent-waf
Web application attacks are becoming #1 in terms of breaches. It’s critical to deploy web application firewall (WAF) to secure your applications. However, 90% of organizations find it complex. Why?
Avi Networks, now part of VMware, offers advanced load balancing and intelligent WAF to address three top challenges: policy complexity, lack of visibility and low performance. You will learn about:
- An optimized security pipeline composed of whitelist, positive security and signature engines
- An analytics-driven close loop that allows automatic application learning to create policies
- A comprehensive security stack from L4/L7 firewall and DDoS protection to rate limiting and WAF
- An elastic fabric to autoscale or burst capacity into cloud in case of unpredictable traffic loads
Hardly a week goes by without another big data breach. It is as common as rain in todays hyperconnected world.
Many companies in the security industry are keeping score of these breaches. One well known source is the Verizon data breach report.
Again in their 2019 report most breaches (ca 30%) result from attacks on web applications. They claim the top spot.
Furthermore the cost of a databreach can quickly go into the tens or hundrets of millions of dollars and will damage a companies reputation and customer trust.
And since Web Applications are responsible for such a high rate of breaches deploying a Web Application Firewall in front of them is a critical part to the security best practices of application owners.
Discovery with customer: Using or looking on-prem or cloud WAF?
Talking points
Why arent WAFs deployed everywhere? The reasons are diverse, but boil down to these 3 main issues.
General:
Policy complexity
Lack of visibility
Poor scalability
On-prem
Appliance vendors have added more and more knobs to their policies and made them really complex. -> usually only a minimal policy set is used.
Complex to create new rules (essentially go back to the vendor), which is true for Avi as well, but Avi has taken steps reduce that burden.
Black Box visibility, not enough compute to run best in class analytics. CPU for handling traffic conflicts with CPU needs for analytics.
Usually scalability in WAF meant that if you have a 10Gig box and enable WAF performance goes down drastically. -> The answer was usually buy a bigger box. That does not always work and is not cost effective.
Highlight F5 / Imperva
Cloud based
On the other hand cloud vendors have maybe addresses the issue of scalability but reduced the complexity at the cost of security. the common solution in cloud WAFs to mitigate a false positive is to disable that rule. Or even completely ignoring security functionality like response filtering.
Highlight Akamai / Imperva / Cloud Flare - Signal Sciences – what to say about them
Why have we built iWAF with these Core Design Principles?
Focusing on the demands on modern web application builders and operators.
As we discussed in the challenges "why WAFs are not deployed everywhere", we focused on these 3 core design principles.
First, we wanted to address the complexity of WAFs. WAF admins perceive it as complex and experience frustration with their work on legacy WAFs. Therefore we focused on a simplified, but comprehensive security with automatic application learning, app specific policies and easy to tune signatures.
Second because we understood that visibility and insights is crucial for the admins to be able to assess the security stance of their application and make good security decisions quickly, we made sure that iWAF has real time intelligence, attack pattern analysis, fine grained logging and log correlation built in.
Third since admins are used to having huge issues with scaling of WAFs, iWAF uses the horizontal scaling of the platform and we then focused on making performance optimizations in all parts of the WAF workload.
With these corner stones we are addressing the most common objections against WAFs and give admins a tool that can fully support their needs for modern application protection.
So lets start by looking at the intelligent Web Application Firewall.
Preface: If people have already seen that, skip this slide.
Key talking points
Software defined (single point of control vs. hundreds of LB pairs)
Elastic fabric (on-demand capacity scaling up and down)
Multi-cloud (on-prem and cloud, bare metal / VM / container)
Intelligence (real-time analytics, rich logging and fast troubleshooting)
Automation (full lifecycle automation, 100% REST APIs)
Transcription
So what Avi's done is Avi's really gone back to the drawing board a bit and we really wiped things out. Let's start over from scratch and say no where the load bouncing space has been 25 years ago, but it look at it where it is today and where it's going and take advantage of a lot of technologies that are being adopted throughout the industry, but not necessarily in the load balancing space.
So where the first thing that we've done is we are software. We don't sell any hardware, but the software part isn't necessarily the value. It's what you can do with software that becomes interesting. Now that Avi's all software, this enables us to do a couple of things. First off, we separated the control plane from the data plane. This means that you can manage all of Avi out the Avi controller and then the Avi controller will then proxy that management and then they will be the one that's managing the service engines.
The service engines are the ones that are doing the data plane, the load balancing, the web application firewalling, but you just need to manage the controller and the controller will manage the service tensions for you. By doing this, this enables us to elastically scale up capacity, so having one load balancer versus a hundred load balancers. It is exactly the same amount of complexity, same amount of time that it would take you, which means going from one load balancer to a hundred it doesn't necessarily change anything for you. You just simply have a larger fabric.
What this also means is that if you have a hundred load balancers in your environment and one of them fails, you lost 1% of the capacity in your environment. This is a fully active fabric, so you've lost 1% capacity. The control will see that. It will self-heal, spin up a new load balancer, and a moment later, you're right back to the capacity that you needed before. So, if capacity increases, decreases, the service engine fabric will increase and decrease automatically based upon the controller managing this for you.
What this also allows us to do is this allows us to deploy these service engines in whatever environment that they need to deploy in, on premise and virtualized environments or in container environments. It could also be in public clouds and virtual and container, et cetera. The point is, though, that you are just managing one load bouncing fabric. Regardless of the fact that these are in different data centers, these are in different environments, the controller knows how to talk to the APIs of those environments and proxy those APIs and proxy those management requests for you, which means you just simply say, how are my applications doing? And if they're not doing good, let me go and resolve what's going on with them. Each of these individual service engines are grabbing a lot of metadata from the client connections that are flowing through them, their full application proxy, a full load balancer.
They're then taking that metadata back to the controller and the controller can now sit out of bound and really be able to understand the health of the applications, the health of the client interaction with these applications, and tell you if there's an issue, what it is, and potentially how to solve that. So it has very, very rich metrics, very rich analytics, and very, very rich logging. That's really unprecedented in this industry. This allows us to do much faster troubleshooting.This also allows us and enables us to then take this intelligence and roll this into automation. Avi is built on top of a REST API. And then with that, we're now able to take this and tie this back into automation against the environments that we sit in. If that's something that vCenter, if that's AWS or Azure, that could also be the automation by talking to environments such as Terraform, maybe Python or other environments like this where you can build something custom. So what's really interesting about this as the level of automation that Avi already has natively big baked into product is really quite unprecedented as well.
It's really important to go through this architecture a bit because once we get into the demo, the demo really masks a lot of the complexity, so it's nice to be able to see up front what's actually happening when we do go through the demo.
Finishing up this section we look at an overview of the security stack built into the NSX Advanced Load Balancer.
Transcription
Another use case here is around application security. This is going to be web application firewall. This could be around SSL termination and visibility. This could be run under other elements of this if they have something customer proprietary. Avi can absolutely play in this and these use cases. So if you want to get into things like web application firewall, it's definitely not for the faint of heart. Application security means you need to have a pretty rich understanding of the applications, generally HTTP and it can get pretty complex pretty fast. But the point is Avi can absolutely play in these use cases and absolutely play a role.
TODO news new transcription
Key talking points
This is the optimized iWAF pipeline.
Consists of 3 building blocks. Combination provides security, false positive reduction, elastic WAF. Each of those parts will be looking at separately.
For constant threat updates the Avi Pulse Cloud service is available to push the latest threat databases directly to the Controller. This includes IP Reputation, Bot Detection and Signatures.
Lets dive into each one and then how they all play together.
Key talking points
1st step of the pipeline
Consists of filters to allow known good traffic and subsequently bypass it from the other WAF handling.
Known good traffic is handled very fast.
A few use-cases mentioned:
Bypass static content sources -> Static get requests do not have an attack vector. They can be bypassed to save performance. Example: Bypass all css files in path /css
Bypass upload directory -> Sending gigabytes through a WAF will not yield good results. The WAF will try to cache the upload for checking, but then probably hit the max file upload limits. It makes more sense to bypass using a whitelist entry.
Security (DAST) scanner is supposed to scan the actual application and not the WAF protection. Therefore it is allowed that this IP address(es) can bypass the WAF via a Whitelist rule.
dKey talking points
This is the full pipeline. It has been designed to be most efficient and provide the best security.
Positive Security with Learning input should check a high percentage of all parameters and therefore reduce the impact of the signature checking.
All learned and enforced traffic by the positive security engine is much faster in operation than signature checks, which are the most expensive.
Since generic signatures are the most common cause for false positives, they get also reduced by not running the signature engine on all request parameters.
Customer take aways:
0 day attacks blocked
Automatic false positive reduction through auto programmed rules
High performance implementation
In case anybody asks:
Standard WAF checks include.
HTTP checks (enforcing the HTTP standard)
Encoding bypass checks (multiple encoding attempts)
Restricted files / extensions (in case the developer forgot to delete the .bak files for example)
The Demo will walk through the Pipeline explaining the individual steps.
Key talking points
Summary slide. WAF challenges have been addressed.
Demo has shown the simplicity and visibility.
iWAF focuses on Simplicity, Visibility and Scalability.
It makes it easy to deploy iWAF with confidence.
https://info.avinetworks.com/hubfs/Avi_Website_Resource_Center/swissloss-and-intelligent-web-appliation-firewall-case-study.pdf