Radware - WAF (Web Application Firewall)
WAF with zero latency.

Published in: Technology

  1. Product Manager at WTR Services. Radware Web Application Protection Offerings. Deivid Toledo, January 8, 2016
  2. About Radware
  3. Our Track Record: Global Technology Partners; Over 10,000 Customers. [Chart: Company Growth, USD Millions, 2002-2014. Values: 43.7, 54.8, 68.4, 77.6, 81.4, 88.6, 94.6, 108.9, 144.1, 167.0, 189.2, 193.0, 221.9. Percentage labels: 1%, 25%, 25%, 13%, 5%, 9%, 7%, 15%, 32%, 16%, 13%, 2%, 15%]
  4. Market Leading WAF Offering: Banking & Finance; Gov’t & Enterprise; Telco & Cloud Service Providers; Retail/eCommerce
  5. Current Trends
  6. Migration to the Cloud Continues. Almost half (48%) anticipate migrating up to 20% of their applications to the cloud. About one in ten (12%) plan to migrate more than half of their applications to the cloud. Complexity in managing security policies is the #1 security challenge. Attackers can now target premise- and cloud-based applications. [Chart, 2015 (n=311). Q: In the next 12-14 months, what percentage of your applications do you envision migrating to the cloud? 0%: 23%; 1-20%: 48%; 21-50%: 18%; 51-75%: 6%; 76-99%: 2%; 100%: 4%]
  7. Rise in Popularity of Web Based Attacks. Web attacks - most common attack vector. [Chart: Top 10 Web Attack Methods. Labeled shares: Denial of Service 25%; SQL Injection 24%; Cross Site Scripting (XSS) 8.9%. Remaining slices: 4.8%, 3.8%, 3.7%, 3%, 2.8%, 2.1%, 1.9%. Legend: Denial of Service; SQL Injection; Cross Site Scripting (XSS); Brute Force; Predictable Resource Location; Stolen Credentials; Unintentional Information Disclosure; Banking Trojan; Credential/Session Prediction; Cross Site Request Forgery (CSRF). Callouts: OWASP Top 10 attacks; Availability based attacks] Source: Web Hacking Incident Database (WHID), Feb. 2013
  8. Complexity of Attacks Continues to Grow. Multi-vector attacks target all layers of the infrastructure. [Diagram labels: “Low & Slow” DoS attacks (e.g. Slowloris); IPS/IDS; Large volume network flood attacks; Syn Floods; Network Scan; HTTP Floods; SSL Floods; App Misuse; Brute Force; On-Demand Cloud DDoS; DoS protection; Behavioral analysis; IPS; WAF; SSL protection; Internet Pipe; Firewall; Load Balancer/ADC; Server Under Attack; SQL Server; XSS, CSRF; SQL Injections]
  9. Existing Solutions Still Mostly Manual. Over 80% of solutions require a medium to high degree of manual tuning. Less than 20% require a low degree and are considered mostly automatic. [Chart, 2015 (n=311). Q.22: What degree of manual tuning or configuration does your current solution require? High degree: 24%; Medium degree: 58%; Low degree: 17%]
  10. The Web Security Challenge: Growing number of web applications to protect; More sophisticated web attacks and “bad” bots; More disaggregated networks lead to less control; Need for Adaptive & Automated Web Security Protection; Most solutions are still very manual
  11. Radware’s Web Application Firewall Offering
  12. Radware’s Hybrid Attack Mitigation Solution. Radware provides complete hybrid protection: Always-On DDoS and WAF on-premise with DDoS in-the-cloud activated on-demand. [Diagram labels: On-Demand Cloud DDoS; SSL protection; DoS protection; Behavioral analysis; IPS; WAF; In-the-Cloud; On-Demand; Always-On; On-Premise]
  13. Unmatched Web Application Protection: Best-of-breed WAF (Physical or Virtual Appliance); Cloud WAF Service; Full coverage of OWASP Top-10; ICSA Labs Certification; Auto Generated Policy; Negative & Positive security models. Hybrid, single technology solution to protect both on-premise and cloud-based applications. [Diagram label: Radware Cloud WAF]
  14. Best-of-Breed WAF
  15. Radware’s Web Application Firewall (WAF): Complete web application protection; Line speed availability attack mitigation; All-in-one application delivery & security; Shortest time to security; Compliance and auditing; Multi-vector role-based security policy. [Diagram label: AppWall]
  16. Complete Web Application Protection: Full coverage of OWASP Top-10 by negative & positive security models; Protection against dozens of attack vectors listed on WASC Threat Classification; Efficient, accurate and difficult to evade out-of-the-box negative security: • Terminating TCP connections • Normalizing client encoded traffic • Blocking various evasion techniques
  17. Complete Web Application Protection. Terminate TCP, Normalize, HTTP RFC: Evasions; HTTP response splitting (HRS). Signatures applied on Normalized traffic; URL / Base 64 / UTF-8 encoded Injections. Signature & Rule Protection: Cross site scripting (XSS); SQL injection, LDAP injection, OS commanding. Data Leak Prevention: Credit card number (CCN); Social Security (SSN); Regular Expression
  18. Complete Web Application Protection. Parameters Inspection: Buffer overflow (BO); Zero-day attacks. User Behavior: Cross site request forgery; Cookie poisoning, session hijacking. Layer 7 ACL: Application / folder / file / param level access control; White listing or black listing. XML, JSON & Web Services: XML & JSON Validity and schema enforcement. Role Based Policy: Authentication; User Tracking
  19. Line Speed Availability Attack Mitigation. Detecting and Blocking: Attacks on web apps behind CDNs; Advanced HTTP attacks; Slowloris; HTTP dynamic floods; Brute force attacks on login pages; SSL attacks. Line Speed Mitigation: Up to 300 Gbps; Up to 230M DDoS PPS; 60 microseconds latency. Multi Layer Detection and Mitigation
  20. Out-of-Path Deployment: Protection Against DDoS Attacks. Radware’s WAF is implemented out-of-path in span-port. Attacker launches web-application attack. Radware’s WAF detects the web-application attack. Radware’s WAF signals attack information to the perimeter Attack Mitigation Device. Radware’s Attack Mitigation Device mitigates the attack at the Perimeter. No Performance Impact. No Risk. [Diagram labels: Cloud; Perimeter; LAN; Attack Mitigation Device; Defense Messaging; WAF]
  21. All-in-One Application Delivery and Security: Out-of-path or inline deployment; Deployed on multiple platforms; Delivered on platforms supporting up to 80 Gbps; Fault Isolation; SLA Assurance; High Platform Density; Fast; Reliable; Secure
  22. Shortest Time to Security. Stages: App Mapping; Threat Analysis; Policy Generation; Policy Activation. SHORTEST TIME TO PROTECTION: Only 1 week; For known attacks; 50% FASTER than other leading WAFs. BEST SECURITY COVERAGE: Auto threat analysis; No admin intervention; OVER 150 Attack vectors COVERAGE. False positives: LOWEST FALSE-POSITIVES THROUGH Auto-optimization of out-of-box rules. SECURITY ASSURANCE: Automatic detection of web application changes assuring security. POST-DEVELOPMENT PEACE OF MIND THROUGHOUT THE APPLICATION’S DEVELOPMENT LIFECYCLE
  23. Multi-Vector Role Based Security Policy: Authentication and login detection; Authorization and access control; Accounting and Auditing; Web based Single Sign On; Segregation of duties. [Diagram labels: CONTEXT: Web Role; IP & Geo Location. ACTION: Block; Report. SECURITY POLICY: Application Access Control; Data Access and Visibility; Web Security, XSS, SQL Inj.]
  24. IP-Agnostic Device Fingerprinting & Tracking. IP address based identification and blocking has become obsolete: - Attackers dynamically change IPs - DHCP, anonymous proxies, CDN, NAT. AppWall goes beyond IP address, using a detailed device fingerprint from over 2 dozen parameters. Device fingerprint enables precise activity tracking over time and development of Device Reputation. Provides advanced protection from: - Website Scraping - Brute Force Attacks - HTTP Dynamic Floods. Improved Bot Detection and Blocking. [Diagram labels: Operating System; System Fonts; Browser Plug-ins; Screen Resolution; Local IPs]
  25. Compliance and Auditing. PCI DSS section 6.6 requirements: - Audit ready environment for PCI DSS compliance - Security policies analysis - Action plan for compliance. Advanced security graphical reports. Enhanced visibility into the application security and the detected attacks
  26. Why Radware’s WAF? Attack Mitigation: Mitigating attacks on web applications behind CDNs; Blocking the attack source at the perimeter; Multi-layer detection and mitigation. Application Security & Delivery: AppWall out-of-path and inline deployment modes; Delivered on platforms supporting up to 80Gbps. Compliance: Action plan for compliance; Advanced security graphical reports. Web Security: Short time to protection; Low false positive and false negative rates; Auto-detection of web application changes. Segregation of Duties: Mapping security web roles to LDAP organizational units or attributes; Multi vector security policies: application access, data visibility etc.
  27. Summary – More Than Just a WAF: Multi layered attack detection and mitigation; Out-of-path deployment with no performance impact or risk; Fast, reliable, and secure delivery of mission-critical web applications; Low maintenance costs and post deployment peace of mind; Audit ready and visibility into application security. Fastest to Deploy; Easiest to Maintain; Best Security Coverage
  28. Radware Cloud WAF Service
  29. Radware Cloud WAF Service, Unmatched Web Security Protection: Based on Radware’s ICSA Labs certified WAF; Auto policy generation engine for 0-day attack protection; Fully managed security service, beyond 24x7; Easy, flexible model; Integrated CPE and Cloud WAF Technologies; Always-on Behavioral-based DDoS protection. [Diagram label: Radware Cloud WAF]
  30. Radware Cloud WAF Service. Web-based attack is launched and detected by Radware’s Cloud WAF. Attack is mitigated and clean traffic is relayed to the customer’s cloud and premise. [Diagram labels: Radware Cloud WAF; Organization’s Cloud Applications; Organization’s Premise Data Center; Public Cloud]
  31. Unmatched Web Security Protection: Full coverage of ALL OWASP Top-10; ICSA Labs certification; Auto-policy generation; Supports negative & positive security models. Attack Categories Covered:
      • TCP Termination & Normalization: HTTP Protocol attack (e.g. HRS); Path traversal; Base 64 and encoded attacks; JSON and XML attacks
      • Login Protection: Password cracking – Brute Force
      • Attack Signature and Rules: Cross site scripting (XSS); Injections: SQL, LDAP; OS commanding; Server Side Includes (SSI)
      • LFI/RFI Protection: Local File Inclusion; Remote File Inclusion
      • Session Protection: Cookie Poisoning; Session Hijacking
      • Data Leak Prevention: Credit card number (CCN); Social Security (SSN); Regular Expression
      • Access Control: Predictable Resource Location; Backdoor and debug resources; File Upload attacks
      • DDoS Protection: Behavioral Network DDoS; Behavioral Application DDoS; Network Challenge Response; HTTP Challenge Response; Access List; Volumetric DDoS (add-on)
  32. 0-Day Attack Protection: Shortest Time to Security. Stages: App Mapping; Threat Analysis; Policy Generation; Policy Activation. SHORTEST TIME TO PROTECTION: Only 1 week; For known attacks; 50% FASTER than other leading WAFs. BEST SECURITY COVERAGE: Auto threat analysis; No admin intervention; OVER 150 Attack vectors COVERAGE. False positives: LOWEST FALSE-POSITIVES THROUGH Auto-optimization of out-of-box rules. SECURITY ASSURANCE: Automatic detection of web application changes assuring security. POST-DEVELOPMENT PEACE OF MIND THROUGHOUT THE APPLICATION’S DEVELOPMENT LIFECYCLE
  33. Fully Managed Security Service, Beyond 24x7: 24x7 support; System monitoring and auto policy generation; Proactive analysis including policy optimization and logs review; Backed by Radware's Emergency Response Team (ERT)
  34. Easy, Flexible Model: Simple setup - nothing to download or install; Phased and risk free onboarding – 3 step process – Every new policy is initially introduced in Span Port – 7 days for new policy activation; OPEX-based model; 3 levels of service offering (Silver, Gold & Platinum); Flexibility in growth options. [Diagram labels: Out-of-path Auto Policy; Inline passive mode; Inline protective mode]
  35. Integrated CPE and Cloud WAF Technologies: Only solution to integrate with on-premise security devices; Increased visibility and control in disaggregated application-delivery environments; Cloud-to-premise attack messaging to further secure data centers; Allow for ease and speed of security policy orchestration & automation. Unified, hybrid solution supporting your cloud migration path
  36. Always-On Behavioral-Based DDoS Protection: Based on Radware's attack mitigation device (DefensePro); Includes Anti DDoS, NBA and IPS protection; Adaptive behavioral analysis and challenge response technologies
  37. Volumetric DDoS Attack Protection. Volumetric attack is launched on the customer environment. Attack is detected by Radware’s attack mitigation device in the Radware Cloud POP. Attack baseline is synchronized to Radware’s Scrubbing Center and traffic redirected. Traffic is cleaned by Scrubbing Center and sent to customer cloud and premise. [Diagram labels: Radware Cloud WAF; Data Center; Defense Messaging; Radware Cloud Scrubbing; Public Cloud; Organization’s Cloud Applications; Organization’s Premise]
  38. Scalability and Availability. Service Monitoring: Traffic Volume Monitoring, HTTP Health-checks. Redundancy: for all network components – No single point of failure. Failover: Auto failover based on Active – standby. Disaster Recovery: DNS redirection to secondary site; Tier 1 DNS
  39. Offering Sets. Service available in three packages: DDoS protection of up-to 1 Gbps of attack traffic is included in all packages; Volumetric DDoS-attack protection available at additional cost.
      Silver: • Single shared policy for multiple web applications • Basic security offering to secure against common web attacks
      Gold: • Dedicated policy for each web application • PCI Compliance ready policy • Added protection from data and access centric attacks
      Platinum: • OWASP Top 10 coverage • Extended security policy • Zero-day attack protection • Advanced attack protection
  40. Why Radware Cloud WAF? Integrated CPE and Cloud WAF Technologies: Only solution with same technology to protect both cloud-based and on-premise applications. Unmatched Web Application Protection: Full OWASP Top 10 coverage; Auto policy generation; ICSA Labs certification. Fully Managed Security Service: 24x7 Support; Backed by Radware’s ERT security experts. Easy, Flexible Model: Simple, no setup; OPEX based with 3 offerings to choose from. Always-On Behavioral-Based DDoS Protection: Based on Radware’s attack mitigation device; Minimal false positives; no impact on legitimate traffic
  41. Radware Cloud WAF Service Full SLA

      | Security Offerings – DDoS Features | Silver | Gold | Platinum |
      |---|---|---|---|
      | Behavioral Network Layer DDoS Protection | Yes | Yes | Yes |
      | Behavioral Application Layer DDoS Protection | Yes | Yes | Yes |
      | Network Challenge Response | Yes | Yes | Yes |
      | HTTP Challenge Response | Yes | Yes | Yes |
      | Access List – on demand up to 1 list per month | Up to 100 entries | Up to 100 entries | Up to 100 entries |
      | Weekly Security Update Subscription | Yes | Yes | Yes |
      | Attack volume supported | Up to 1G | Up to 1G | Up to 1G |

      | Security Offerings – WAF Features | Silver | Gold | Platinum |
      |---|---|---|---|
      | HTTP Protocol Manipulation | Yes | Yes | Yes |
      | Error info leakage & fingerprinting | Yes | Yes | Yes |
      | Known Vulnerabilities & Custom Rules | Yes | Yes | Yes |
      | SQL, OS and LDAP Injection | Yes | Yes | Yes |
      | Cross Site Scripting (XSS) | Yes | Yes | Yes |
      | SSL (including custom certificate) | Yes | Yes | Yes |
      | Geo Location, Anonymous proxies | Yes | Yes | Yes |
      | Credit Card Number Leakage | No | Yes | Yes |
      | CSRF | No | Yes | Yes |
      | Access Control (White & Black list) | No | Yes | Yes |
      | Brute Force | No | Yes | Yes |
      | Session attacks (hijacking, cookie poisoning) | No | No | Yes |
      | Zero Day Protection; Parameter policy | No | No | Yes |
      | XML and Web Service | No | No | Yes |
  42. Radware Cloud WAF Service Full SLA

      | Service Offerings - Service | Silver | Gold | Platinum |
      |---|---|---|---|
      | 24 X 7 support | Yes | Yes | Yes |
      | Managed Security Service | Yes | Yes | Yes |
      | logs review and system monitoring | Yes | Yes | Yes |
      | Customized Weekly Scheduled Reports | Yes | Yes | Yes |
      | Tenant-based Policy (shared Policy for multiple apps) | Yes | No | No |
      | Application Based policy | No | Yes | Yes |
      | Auto Policy Generation | Yes | Yes | Yes |
      | Dedicated WAF instance | No | No | Yes |
      | At least once a month Proactive Security Policy Review and optimization | No | No | Yes |
      | 2 Forensics Reports per year | No | No | Yes |
      | Emergency Response Attack Mitigation | Yes | Yes | Yes |
      | Pre-attack high risk alerts | Yes | Yes | Yes |
      | Post attack report and recommendations | Yes | Yes | Yes |
      | Time to Security Expert response SLA | Best Effort | Best Effort | Best Effort |
      | Number of DDoS Protection policy changes per calendar month (non-cumulative) | 1 | 1 | 1 |
