
QualysGuard InfoDay 2013 - Web Application Firewall



  1. Web Application Firewall as-a-service
     Qualys GmbH, September 2013
  2. Web Applications
     • Are everywhere: webmail, CMS, CRM, corporate WWW, etc.
     • HTTP powers all new applications, using new data formats like XML and JSON
     • Organisations publish data for B2B through APIs using HTTP with XML/JSON or SOAP
     • Mobile applications usually connect to APIs or web applications over HTTP
  3. New security issues
     • Network firewalls are of no use here: they cannot inspect the HTTP protocol
     • Web applications can be developed in-house or supplied by a software vendor, with closed or open source code
     • Each web application is different, depending on its business logic, development framework and the data it uses and stores
     • To secure web applications, a WAF (Web Application Firewall) must be deployed in addition to the network firewall
  4. Existing solutions
     • From network security, application delivery and compliance vendors
       – Fortinet, SonicWall, DenyAll, Imperva
       – F5, Citrix NetScaler, Radware, BeeWare
       – mod_security
       Hard to maintain and operate: security, development and infrastructure teams are all involved, and policies are unique to each customer rather than shared
     • SaaS vendors
       – CloudFlare, Incapsula
       – Art of Defence
       – Trend Micro
       – Akamai Kona
       Few-click deployment, no expertise needed, security is compiled from the knowledge of all protected websites, but traffic MUST be processed in the cloud
  5. Technical challenge
     • Web application security policies are complex
       – They need regular expressions
       – They require understanding how the application works
     • Today, WAFs are too complex to maintain and operate; vendors keep adding other features to make them a must-have product
     • Qualys stays focused on WAF security features but dramatically reduces the TCO of this kind of protection by providing a distributed solution
  6. Qualys alternative
     • Qualys Distributed WAF
       – Security ruleset built from the feedback of all Qualys WAFs
       – Virtual appliance deployment: you keep managing your own traffic
     • Available as
       – Amazon EC2 AMI (beta)
       – VMware image (beta)
       – GA planned for early December
       – A hardware WAF appliance is under development for 2014
     • Manage security events and rules from a single UI
     • With Qualys WAF you don't spend time managing rules; you can stay focused on managing security events
  7. Qualys Web Application Firewall (beta available)
     The WAF provides protection against known and emerging web application threats, and helps increase website performance through caching, compression and content optimization, with no equipment needed.
     Benefits
     • Zero-footprint, low-cost deployment
     • Ease of use, ease of maintenance
     • Real-time attack prevention
     • Virtual patching and application hardening
  8. Qualys Web Application Firewall (beta available)
  9. Qualys security intelligence
     • A team of dedicated security researchers writing rules for industry-standard web applications
     • Blocking attacks according to the OWASP Top 10 and WASC TCv2
     • Correlating security events across Qualys sensors all around the world
     • Detecting and researching 0-days
  10. Qualys distributed WAF
  11. Security features
     • Always up-to-date WAF
       – Qualys directly manages the security engine and ruleset; they are updated in less than 5 minutes when a security or maintenance fix is available
     • Qualys Security Ruleset
       – Provided by the Qualys Security Researcher Team, this ruleset is the default security policy available on all WAFs. It blocks injection attacks such as command, SQL, JavaScript and file injection
     • Custom security rules
       – Provided by the customer or partner, these rules are adapted to the website's specific design and can be set up on any HTTP request field
     • Integration with QualysGuard WAS*
       – No need to set up your web applications twice in these security tools; they are provisioned automatically, and WAF deployment is made easy from what the Web Application Scanner found
     • HTTP security
       – The HTTP protocol can be implemented in different ways depending on the web server and browser. To avoid attacks based on bad implementations, the Qualys WAF verifies that the protocol is used correctly
     • IP/country blacklist
       – Depending on your activity, you may not want requests from specific countries or IPs. The Qualys WAF can increase or decrease the request score, or block outright, depending on the source IP or country
     • Information leakage
       – By web cloaking, the Qualys WAF hides all critical information sent by the web server, application server or development framework used to build the web application
     • Reporting
       – Build your own report containing the key indicators you need when speaking with managers
     • Session tracking
  12. Deployment
     • Virtual appliance available
       – On EC2 as an AMI you can instantiate
       – On VMware vCenter as an image you can run
     • Modes of operation
       – Reverse proxy: terminating the TCP connection
       – Out-of-band*: sniffing traffic (passive device)
     • Available as open source
       – IronBee project
  13. Qualys advantage
     • Always up to date and always at maximum efficiency
       – Get the latest security rules and engine on your WAF
     • Prevention with WAS and protection with WAF available in the same UI and security suite
     • Available as a subscription (pay per year): OPEX vs. CAPEX
     • All the SaaS advantages on a virtual appliance product
  14. Release schedule 2013
     • August 1st: Amazon EC2 Beta 1, limited to the first 10 subscribers
     • September 1st: VMware Beta 1, limited to the first 10 subscribers
     • October 1st: Amazon EC2 Beta 2, limited to the first 100 subscribers
     • November 1st: VMware Beta 2, limited to the first 100 subscribers
     • December 1st: WAF GA*, VMware and EC2
     *: can be delayed until we reach 100% quality and availability
  15. Next releases
     • Advanced reporting
     • SSL support
     • Integration between WAF and WAS
     • Qualys WAF Microsoft Edition for Exchange and SharePoint
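To make the feature list on slide 11 concrete, here is a small, constructed scoring engine that is not Qualys code and does not reflect how the Qualys WAF is implemented. It shows the shape of the ideas the slide names: a vendor-style default ruleset, customer rules bound to a specific request field, a per-source (IP/country) score adjustment or hard block, cheap HTTP conformance checks, and response-header cloaking. The rule patterns, scores, threshold, addresses and country codes are all placeholders chosen for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

BLOCK_THRESHOLD = 5  # constructed: a request scoring at or above this is blocked

# Constructed stand-in for a vendor-maintained default ruleset: (name, pattern, score).
# Real rulesets are far larger; these are illustrative signatures only.
DEFAULT_RULES = [
    ("sql_injection", re.compile(r"(?i)\bunion\s+select\b|'\s*or\s+1\s*=\s*1"), 5),
    ("js_injection", re.compile(r"(?i)<\s*script\b|javascript:"), 5),
    ("path_traversal", re.compile(r"\.\./"), 3),
]

# Constructed source policy: hard blocks versus score adjustments (slide: "increase/decrease
# the request score, or directly block"). Addresses are documentation ranges, codes are fake.
IP_BLACKLIST = {"203.0.113.7"}
COUNTRY_BLOCK = {"XX"}
COUNTRY_SCORE = {"YY": 2}

PROTOCOL_VIOLATION_SCORE = 3
LEAKY_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}

# Constructed customer rule: (name, field prefix, pattern, score). This one requires a
# hypothetical admin token header to be lowercase hex and scores anything else.
EXAMPLE_CUSTOM_RULES = [
    ("admin_token_format", "header.x-admin-token", re.compile(r"[^0-9a-f]"), 5),
]


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    query: Dict[str, str] = field(default_factory=dict)
    body: str = ""
    src_ip: str = ""
    src_country: str = ""

    def fields(self):
        """Yield (field_name, value) pairs that rules may inspect."""
        yield "path", self.path
        for k, v in self.query.items():
            yield f"query.{k}", v
        for k, v in self.headers.items():
            yield f"header.{k.lower()}", v
        yield "body", self.body


def protocol_violations(req: Request) -> List[str]:
    """Cheap HTTP conformance checks (the slide's 'HTTP security' idea)."""
    found = []
    if req.method not in {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"}:
        found.append("unknown_method")
    if not any(k.lower() == "host" for k in req.headers):
        found.append("missing_host_header")
    if req.method in {"GET", "HEAD"} and req.body:
        found.append("body_on_safe_method")
    return found


def evaluate(req: Request, custom_rules=()) -> Tuple[str, int, List[str]]:
    """Score one request and return (decision, score, reasons)."""
    # Source policy first: a blacklisted IP or country short-circuits everything else.
    if req.src_ip in IP_BLACKLIST or req.src_country in COUNTRY_BLOCK:
        return "block", BLOCK_THRESHOLD, ["source_blacklist"]
    score = COUNTRY_SCORE.get(req.src_country, 0)
    reasons = [f"country_adjust:{req.src_country}"] if score else []
    for v in protocol_violations(req):
        score += PROTOCOL_VIOLATION_SCORE
        reasons.append(v)
    # Default ruleset runs over every field; custom rules only over their bound field.
    for fname, value in req.fields():
        for name, pattern, pts in DEFAULT_RULES:
            if pattern.search(value):
                score += pts
                reasons.append(f"{name}@{fname}")
        for name, prefix, pattern, pts in custom_rules:
            if fname.startswith(prefix) and pattern.search(value):
                score += pts
                reasons.append(f"{name}@{fname}")
    return ("block" if score >= BLOCK_THRESHOLD else "allow"), score, reasons


def cloak_response_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Web cloaking: drop server/framework fingerprints before the response leaves."""
    cleaned = {k: v for k, v in headers.items() if k.lower() not in LEAKY_HEADERS}
    cleaned["Server"] = "web"  # generic value instead of product/version
    return cleaned
```

The point of the score (rather than a plain match/no-match) is visible in the traversal case: a single low-severity signature from a normal country stays below the threshold and is only logged, while the same request from a country the operator has marked as higher risk crosses it and is blocked, which is the "increase/decrease the request score" behaviour the slide describes.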