Advanced Web Application Security with an Intelligent WAF
•Download as PPTX, PDF•
0 likes•298 views
Watch on-demand here https://info.avinetworks.com/webinars/intelligent-waf Web application attacks are becoming #1 in terms of breaches. It’s critical to deploy web application firewall (WAF) to secure your applications. However, 90% of organizations find it complex. Why? Avi Networks, now part of VMware, offers advanced load balancing and intelligent WAF to address three top challenges: policy complexity, lack of visibility and low performance. You will learn about: - An optimized security pipeline composed of whitelist, positive security and signature engines - An analytics-driven close loop that allows automatic application learning to create policies - A comprehensive security stack from L4/L7 firewall and DDoS protection to rate limiting and WAF - An elastic fabric to autoscale or burst capacity into cloud in case of unpredictable traffic loads
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Advanced Web Application Security with an Intelligent WAF
Similar to Advanced Web Application Security with an Intelligent WAF (20)
More from Avi Networks
More from Avi Networks (20)
Recently uploaded
Recently uploaded (20)
Advanced Web Application Security with an Intelligent WAF
- 1. Confidential │ ©2020 VMware, Inc. Advanced Web App Security with an Intelligent WAF Lei Yang Sr. Product Marketing Manager Feb 19, 2020 Ashutosh Gupta Lead, Analytics & Security
- 2. Confidential │ ©2020 VMware, Inc. 2 Web Application Breaches and Cost Source: Verizon Data Breach Investigations Report (DBIR) 2019 Web application attacks have risen to #1 in terms of breaches. WAF is a critical part of security best- practices to defend against web application attacks.
- 3. Confidential │ ©2020 VMware, Inc. 3 iWAF – a modern application security solution Why are WAFs not pervasively deployed? of all organizations state that WAFs are complex. 90% Lack of visibility Poor performance and scalability Policy complexity ? Survey result:
- 4. Confidential │ ©2020 VMware, Inc. 4 iWAF - Core Design Principles Simplified & Comprehensive Security Automatic App Learning App-Specific Policy OWASP Top 10 Signatures Rich Visibility and Insights Real-time intelligence on attack patterns Accurate modeling of attacker behaviors Fast response and fine-grained logging Elastic Scale & High Performance Platform scales horizontally High-performance engines Optimized security pipeline Policy Complexity Lack of Visibility Poor performance and scalability Unvalidated traffic Validated traffic
- 5. 5Confidential │ ©2020 VMware, Inc. Intelligent WAF (iWAF) Technology overview
- 6. Confidential │ ©2020 VMware, Inc. 6 BARE METAL VIRTUALIZED CONTAINERSON PREMISES PUBLIC CLOUDVIRTUALIZED CONTAINERS INTELLIGENCE ELASTICITY AUTOMATIONMULTI-CLOUD SEPARATE CONTROL & DATA PLANE Modern, Scalable, Multi-Cloud Architecture CONTROLLER SERVICE ENGINE
- 7. Confidential │ ©2020 VMware, Inc. 7 Application Security and Web Application Firewall Comprehensive Security Stack SSL / TLS Auth / Encryption L3 / 4 Firewall / DDoS Protection L7 Firewall / DDoS Protection Application Rate Limiting Visibility and Security Insights Security score Attack insights SSL Insights WAF analytics Web Application Firewall Centralized Management Multi-Cloud Elastic Fabric Automation & Programmability Real Time Visibility REST API Data Center Private Cloud Public Cloud User Authentication / Authorization
- 8. Confidential │ ©2020 VMware, Inc. 8 Logs & Analytics iWAF Security Engines Avi Pulse Services IP Reputation* * Currently under development Whitelist Positive Security Signatures IP Reputation* Bot Detection* Signatures LIVE FEED
- 9. Confidential │ ©2020 VMware, Inc. 9 Whitelist Positive Security Signatures Logs & Analytics Whitelist Engine Analytics-driven Security Operations • Allow request filters • Traffic sampling * • Change WAF mode to Detection Examples • Bypass static content sources • Bypass upload paths • DAST Scanner IP addresses Avi Pulse Services IP Reputation* * Currently under development LIVE FEED
- 10. Confidential │ ©2020 VMware, Inc. 10 Learning Engine Logs & Analytics Positive Security Engine Analytics-driven Security Whitelist Positive Security Signatures DAST Admin Manual Policy Scanning Output IP Reputation* Bot Detection* Learned Data Avi Pulse Services * Currently under development LIVE FEED App Analytics Learned App Rules
- 11. Confidential │ ©2020 VMware, Inc. 11 Logs & Analytics Signature Engine Analytics-driven Security IP Reputation* Bot Detection* Signatures Whitelist Positive Security Signatures App 1 Rules App 2 Rules App 3 Rules App-specific Rule Sets Core Rule Set Avi Pulse Services * Currently under development UPDATES
- 12. Confidential │ ©2020 VMware, Inc. 12 iWAF Security Pipeline Whitelist Positive Security Signatures Validated traffic Rejectedtraffic Rejectedtraffic Unvalidated traffic Unvalidated traffic Unvalidated traffic Validated traffic Validated traffic Scales with High Performance Reduces False Positives Blocks Zero-Day Attacks
- 13. 13Confidential │ ©2020 VMware, Inc. Demo Part 1: WAF autoscaling (DDoS) Part 2: PSM with learning mode
- 14. Confidential │ ©2020 VMware, Inc. 14 Avi iWAF – Modern Application Security Deploy WAF with confidence ScalabilitySimplicity Visibility We saved over 50% to 60% in application troubleshooting time and effort. We quickly ran into performance issues with our appliance-based load balancer and WAF solutions. “ “
- 15. Confidential │ ©2020 VMware, Inc. 15 How to Engage Sep 1, 2019 VMware Price List Oct 1, 2019 Partner Price List Nov 1, 2019 Partner Central LEARN HOL TRAIN avinetworks.com/ docs | webinars vmware.com/go/try-avi- networks avinetworks.com/wo rkshops
- 16. Confidential │ ©2020 VMware, Inc. Thank You
Editor's Notes
- Hardly a week goes by without another big data breach. It is as common as rain in todays hyperconnected world. Many companies in the security industry are keeping score of these breaches. One well known source is the Verizon data breach report. Again in their 2019 report most breaches (ca 30%) result from attacks on web applications. They claim the top spot. Furthermore the cost of a databreach can quickly go into the tens or hundrets of millions of dollars and will damage a companies reputation and customer trust. And since Web Applications are responsible for such a high rate of breaches deploying a Web Application Firewall in front of them is a critical part to the security best practices of application owners.
- Discovery with customer: Using or looking on-prem or cloud WAF? Talking points Why arent WAFs deployed everywhere? The reasons are diverse, but boil down to these 3 main issues. General: Policy complexity Lack of visibility Poor scalability On-prem Appliance vendors have added more and more knobs to their policies and made them really complex. -> usually only a minimal policy set is used. Complex to create new rules (essentially go back to the vendor), which is true for Avi as well, but Avi has taken steps reduce that burden. Black Box visibility, not enough compute to run best in class analytics. CPU for handling traffic conflicts with CPU needs for analytics. Usually scalability in WAF meant that if you have a 10Gig box and enable WAF performance goes down drastically. -> The answer was usually buy a bigger box. That does not always work and is not cost effective. Highlight F5 / Imperva Cloud based On the other hand cloud vendors have maybe addresses the issue of scalability but reduced the complexity at the cost of security. the common solution in cloud WAFs to mitigate a false positive is to disable that rule. Or even completely ignoring security functionality like response filtering. Highlight Akamai / Imperva / Cloud Flare - Signal Sciences – what to say about them
- Why have we built iWAF with these Core Design Principles? Focusing on the demands on modern web application builders and operators. As we discussed in the challenges "why WAFs are not deployed everywhere", we focused on these 3 core design principles. First, we wanted to address the complexity of WAFs. WAF admins perceive it as complex and experience frustration with their work on legacy WAFs. Therefore we focused on a simplified, but comprehensive security with automatic application learning, app specific policies and easy to tune signatures. Second because we understood that visibility and insights is crucial for the admins to be able to assess the security stance of their application and make good security decisions quickly, we made sure that iWAF has real time intelligence, attack pattern analysis, fine grained logging and log correlation built in. Third since admins are used to having huge issues with scaling of WAFs, iWAF uses the horizontal scaling of the platform and we then focused on making performance optimizations in all parts of the WAF workload. With these corner stones we are addressing the most common objections against WAFs and give admins a tool that can fully support their needs for modern application protection.
- So lets start by looking at the intelligent Web Application Firewall.
- Preface: If people have already seen that, skip this slide. Key talking points Software defined (single point of control vs. hundreds of LB pairs) Elastic fabric (on-demand capacity scaling up and down) Multi-cloud (on-prem and cloud, bare metal / VM / container) Intelligence (real-time analytics, rich logging and fast troubleshooting) Automation (full lifecycle automation, 100% REST APIs) Transcription So what Avi's done is Avi's really gone back to the drawing board a bit and we really wiped things out. Let's start over from scratch and say no where the load bouncing space has been 25 years ago, but it look at it where it is today and where it's going and take advantage of a lot of technologies that are being adopted throughout the industry, but not necessarily in the load balancing space. So where the first thing that we've done is we are software. We don't sell any hardware, but the software part isn't necessarily the value. It's what you can do with software that becomes interesting. Now that Avi's all software, this enables us to do a couple of things. First off, we separated the control plane from the data plane. This means that you can manage all of Avi out the Avi controller and then the Avi controller will then proxy that management and then they will be the one that's managing the service engines. The service engines are the ones that are doing the data plane, the load balancing, the web application firewalling, but you just need to manage the controller and the controller will manage the service tensions for you. By doing this, this enables us to elastically scale up capacity, so having one load balancer versus a hundred load balancers. It is exactly the same amount of complexity, same amount of time that it would take you, which means going from one load balancer to a hundred it doesn't necessarily change anything for you. You just simply have a larger fabric. What this also means is that if you have a hundred load balancers in your environment and one of them fails, you lost 1% of the capacity in your environment. This is a fully active fabric, so you've lost 1% capacity. The control will see that. It will self-heal, spin up a new load balancer, and a moment later, you're right back to the capacity that you needed before. So, if capacity increases, decreases, the service engine fabric will increase and decrease automatically based upon the controller managing this for you. What this also allows us to do is this allows us to deploy these service engines in whatever environment that they need to deploy in, on premise and virtualized environments or in container environments. It could also be in public clouds and virtual and container, et cetera. The point is, though, that you are just managing one load bouncing fabric. Regardless of the fact that these are in different data centers, these are in different environments, the controller knows how to talk to the APIs of those environments and proxy those APIs and proxy those management requests for you, which means you just simply say, how are my applications doing? And if they're not doing good, let me go and resolve what's going on with them. Each of these individual service engines are grabbing a lot of metadata from the client connections that are flowing through them, their full application proxy, a full load balancer. They're then taking that metadata back to the controller and the controller can now sit out of bound and really be able to understand the health of the applications, the health of the client interaction with these applications, and tell you if there's an issue, what it is, and potentially how to solve that. So it has very, very rich metrics, very rich analytics, and very, very rich logging. That's really unprecedented in this industry. This allows us to do much faster troubleshooting. This also allows us and enables us to then take this intelligence and roll this into automation. Avi is built on top of a REST API. And then with that, we're now able to take this and tie this back into automation against the environments that we sit in. If that's something that vCenter, if that's AWS or Azure, that could also be the automation by talking to environments such as Terraform, maybe Python or other environments like this where you can build something custom. So what's really interesting about this as the level of automation that Avi already has natively big baked into product is really quite unprecedented as well. It's really important to go through this architecture a bit because once we get into the demo, the demo really masks a lot of the complexity, so it's nice to be able to see up front what's actually happening when we do go through the demo.
- Finishing up this section we look at an overview of the security stack built into the NSX Advanced Load Balancer. Transcription Another use case here is around application security. This is going to be web application firewall. This could be around SSL termination and visibility. This could be run under other elements of this if they have something customer proprietary. Avi can absolutely play in this and these use cases. So if you want to get into things like web application firewall, it's definitely not for the faint of heart. Application security means you need to have a pretty rich understanding of the applications, generally HTTP and it can get pretty complex pretty fast. But the point is Avi can absolutely play in these use cases and absolutely play a role. TODO news new transcription
- Key talking points This is the optimized iWAF pipeline. Consists of 3 building blocks. Combination provides security, false positive reduction, elastic WAF. Each of those parts will be looking at separately. For constant threat updates the Avi Pulse Cloud service is available to push the latest threat databases directly to the Controller. This includes IP Reputation, Bot Detection and Signatures. Lets dive into each one and then how they all play together.
- Key talking points 1st step of the pipeline Consists of filters to allow known good traffic and subsequently bypass it from the other WAF handling. Known good traffic is handled very fast. A few use-cases mentioned: Bypass static content sources -> Static get requests do not have an attack vector. They can be bypassed to save performance. Example: Bypass all css files in path /css Bypass upload directory -> Sending gigabytes through a WAF will not yield good results. The WAF will try to cache the upload for checking, but then probably hit the max file upload limits. It makes more sense to bypass using a whitelist entry. Security (DAST) scanner is supposed to scan the actual application and not the WAF protection. Therefore it is allowed that this IP address(es) can bypass the WAF via a Whitelist rule.
- dKey talking points This is the full pipeline. It has been designed to be most efficient and provide the best security. Positive Security with Learning input should check a high percentage of all parameters and therefore reduce the impact of the signature checking. All learned and enforced traffic by the positive security engine is much faster in operation than signature checks, which are the most expensive. Since generic signatures are the most common cause for false positives, they get also reduced by not running the signature engine on all request parameters. Customer take aways: 0 day attacks blocked Automatic false positive reduction through auto programmed rules High performance implementation In case anybody asks: Standard WAF checks include. HTTP checks (enforcing the HTTP standard) Encoding bypass checks (multiple encoding attempts) Restricted files / extensions (in case the developer forgot to delete the .bak files for example)
- The Demo will walk through the Pipeline explaining the individual steps.
- Key talking points Summary slide. WAF challenges have been addressed. Demo has shown the simplicity and visibility. iWAF focuses on Simplicity, Visibility and Scalability. It makes it easy to deploy iWAF with confidence. https://info.avinetworks.com/hubfs/Avi_Website_Resource_Center/swissloss-and-intelligent-web-appliation-firewall-case-study.pdf