Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Partner Webcast – Enhance Security with OCI Web Application Firewall (WAF)

497 views

Published on

Web application & Data security is a growing concern for enterprises. A significant portion of all cyberattacks are directed at web applications, and that rate is increasing. Factors such as the rise of cloud computing, use of open source technologies, the increase in data processing requirements, complexity of web applications, and an increase in the overall sophistication of attackers has led to an extremely challenging environment for IT security leadership.

Read More @ https://blogs.oracle.com/imc/partner-webcast-enhance-security-with-oci-web-application-firewall-waf

Presenter Mihai Dragomir

Published in: Technology
  • If u need a hand in making your writing assignments - visit ⇒ www.HelpWriting.net ⇐ for more detailed information.
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here

Partner Webcast – Enhance Security with OCI Web Application Firewall (WAF)

  1. 1. Mihai Dragomir Cloud Adoption and Implementation Consultant OPN Innovation and Modernization Center, EMEA A&C Alexandru Ciachir Security Solution Engineer Solution Engineering Hub November, 2019 Enhance Security with OCI Web Application Firewall 2 Copyright © 2019 Oracle
  2. 2. Safe harbor statement The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, timing, and pricing of any features or functionality described for Oracle’s products may change and remains at the sole discretion of Oracle Corporation. 3 Copyright © 2019 Oracle
  3. 3. Cybersecurity landscape Program agenda 1 2 3 4 5 Intro to OCI Security Overview of the Web Application Firewall Service Key capabilities of the Web Application Firewall Demo 4 Copyright © 2019 Oracle 6 Summary and Q&A
  4. 4. Cybersecurity landscape Program agenda 1 5 Copyright © 2019 Oracle
  5. 5. Cybersecurity landscape Enhance Security with OCI Web Application Firewall 6 Copyright © 2019 Oracle
  6. 6. Oracle and KMPG Cloud Threat Report 2019 Read the full report here: https://www.oracle.com/cloud/cloud-threat-report/ The Oracle and KMPG Cloud Threat Report 2019 examines emerging cyber security challenges and risks that businesses are facing as they embrace cloud services at an accelerating pace 7 Copyright © 2019 Oracle
  7. 7. Oracle and KPMG CTR 2019 – Executive Summary 8 Confidential – © 2019 Oracle Internal/Restricted/Highly Restricted ▪ Cloud services adoption is enabling improved speed and agility yet brings an expectation of greater security to protect organizations. ▪ Confusion with shared responsibility model causing cloud security failures ▪ Lack of visibility creating unnecessary cloud security risks and threat exposure ▪ Rogue cloud application usage and lacking security controls putting data at risk
  8. 8. Cloud Platform Security: Shared Responsibilities 9 Copyright © 2019 Oracle Identity | Security GRC | Configurations Data Application Runtime Middleware Database OS Virtualization Server Storage Network Datacenter Physical On-Premises Identity | Security GRC | Configurations Data Application Runtime Middleware Database OS Virtualization Server Storage Network Datacenter Physical IaaS Identity | Security GRC | Configurations Data Application Runtime Middleware Database OS Virtualization Server Storage Network Datacenter Physical PaaS Identity | Security GRC |Configurations Data Application Runtime Middleware Database OS Virtualization Server Storage Network Datacenter Physical SaaS Customer Shared Cloud Provider Responsibility SECURITY IN THE CLOUD SECURITY OF THE CLOUD
  9. 9. What is the shared responsibility model for Oracle Cloud Infrastructure WAF? 10 Copyright © 2019 Oracle Responsibility Oracle Customer Onboard/configure the WAF policy for the web application No Yes Configure WAF onboarding dependencies (DNS, ingress rules, network) No Yes Provide high availability (HA) for the WAF Yes No Monitor for distributed denial of service (DDoS) attacks Yes No Keep WAF infrastructure patched and up-to-date Yes No Monitor data-plane logs for abnormal, undesired behavior Yes Yes Construct new rules based on new vulnerabilities and mitigations Yes No Review and accept new recommended rules No Yes Tune the WAF's access rules and bot management strategies for your traffic No Yes https://www.oracle.com/cloud/security/cloud-services/web-application-firewall-faq.html
  10. 10. Edge-based Controls Are Essential Security Technologies 11 Copyright © 2019 Oracle
  11. 11. Our Reality: Why Hackers Target Data and Resources 12 Copyright © 2019 Oracle Exploit Data: Steal personal data, usernames and passwords to get to more important data Hold Data Ransom: Steal records, personal data, usernames and passwords and charge the organization to give it back Steal Infrastructure: Take control of an organization's compute, storage and network resources so not to pay for them Deny Service: Prevent web services from working to impact organization's reputation or bottom line
  12. 12. Factors Contributing to the Rise of Attacks 13 Copyright © 2019 Oracle Cloud Computing Open Source Increased Data Processing Requirements Complex Web Applications Attack Sophistication
  13. 13. Core-to-Edge Verifications 14 Copyright © 2019 Oracle Traffic Steering Application Protection Access Volumetric Attack Protection Data Integrity Access EncryptionCredentials Isolated Network Virtualization Root of Trust Top-down Threats External Threats Bottom-up Threats Internal Threats
  14. 14. External Threats – Threat Profiles 15 Copyright © 2019 Oracle ▪ Distributed Denial of Service Bots flood a website with fake traffic, overloading system resources. This causes outages, blocking legitimate traffic from getting through. ▪ Infiltration Bots constantly probe websites for vulnerabilities like default passwords and out- of-date software ▪ Data Breach When bots discover a vulnerability, they can leverage it to expose data, erase it, or make it unavailable until a ransom is paid.
  15. 15. External Threats – Layers of Security 16 Copyright © 2019 Oracle ▪ DDoS Attack Protection ▪ Bot Management & Mitigation ▪ Web Application Security ▪ Managed DNS ▪ Credentials Controls ▪ Endpoint Device Protection ▪ Identity Management Modern Defense In-Depth: A Briefing on Cybersecurity in the Era of Cloud
  16. 16. Program agenda 2 Intro to OCI Security 17 Copyright © 2019 Oracle
  17. 17. Intro to OCI Security Enhance Security with OCI Web Application Firewall 18 Copyright © 2019 Oracle
  18. 18. Architecture Goals for OCI 19 Copyright © 2019 Oracle ▪ Great for Cloud-Native and Next-Gen Workloads ▪ Great for Traditional Workloads ▪ Security First Approach ▪ Enabling Compliance
  19. 19. Least Trust Design – Assumption of Compromise 20 Copyright © 2019 Oracle Isolated Servers Tenants Hypervisors
  20. 20. A tale of Two Clouds 21 Copyright © 2019 Oracle Isolated Network Virtualization To / From Other Tenants To / From Other Tenants 1st Generation Clouds: Most Prevalent Today 2nd Generation Cloud: Oracle Cloud Infrastructure Wide Host OS/Kernel Network Virtualization Hypervisor Server Virtualization Separates Network and Tenant Environment Server Virtualization Hypervisor Network Virtualization VM/ Guest OS VM/ Guest OS VM/ Guest OS VM/ Guest OS VM/ Guest OS VM/ Guest OS Host OS/Kernel Network Virtualization Host OS/Kernel Hypervisor Container (Optional) VM/ Guest OS VM/ Guest OS VM/ Guest OS VM/ Guest OS VM/ Guest OS VM/ Guest OS
  21. 21. Isolation: Threat Containment & Reduced Risk 22 Copyright © 2019 Oracle Host OS/Kernel Network Virtualization Hypervisor Server Virtualization Server Virtualization Hypervisor Network Virtualization Host OS/Kernel Isolated Network Virtualization Host OS/Kernel Hypervisor Container (Optional) Server Virtualization Hypervisor Network Virtualization Network Virtualization Hypervisor Server Virtualization Server Virtualization Hypervisor Network Virtualization Server Virtualization Hypervisor Network Virtualization 1st Generation Cloud Oracle 2nd Generation Cloud VM/ Guest OS VM/ Guest OS VM/ Guest OS VM/ Guest OS VM/ Guest OS VM/ Guest OS VM/ Guest OS VM/ Guest OS VM/ Guest OS VM/ Guest OS VM/ Guest OS VM/ Guest OS VM/ Guest OS VM/ Guest OS VM/ Guest OS VM/ Guest OS VM/ Guest OS VM/ Guest OS Isolated Network Virtualization Security Prevents Lateral Movement VM/ Guest OS VM/ Guest OS VM/ Guest OS VM/ Guest OS VM/ Guest OS VM/ Guest OSVM/ Guest OS VM/ Guest OS VM/ Guest OS VM/ Guest OS VM/ Guest OS VM/ Guest OS Isolated Network Virtualization Host OS/Kernel Hypervisor Container (Optional) VM/ Guest OS VM/ Guest OS VM/ Guest OS VM/ Guest OS VM/ Guest OS VM/ Guest OS VM/ Guest OS VM/ Guest OS VM/ Guest OS VM/ Guest OS VM/ Guest OS VM/ Guest OS
  22. 22. OCI Security Portfolio 23 Copyright © 2019 Oracle OF THE CLOUD Secure the Cloud Platform ON THE CLOUD Secure Identity, Apps. and Data on the Cloud Platform CROSS CLOUD Protections and Monitoring Between Clouds and Premises
  23. 23. Oracle Security Layered Cyber Defenses Integrated Security and Services Cloud and On-Premises Visibility and Monitoring Identity and Access Management Users Applications Data Infrastructure Data Security Application Security and Resilience Compliance Copyright © 2019 Oracle
  24. 24. OCI Security Capabilities at a Glance 25 Copyright © 2019 Oracle Data Encryption Security Controls Visibility Secure Hybrid Cloud Customer Isolation High Availability Verifiably Secure Infrastructure 1 2 3 4 5 6 7 Default Storage Encryption, KMS, Database Encryption User Authentication, Instance Principals, Authorization, Network Security Controls, Web Application Firewall and Edge Security Controls Audit Logs, CASB-Based Monitoring Identity Federation, Third-Party Security Solutions Security Connectivity using VPN and FastConnect Bare Metal Instances, VM Instances, VCN, IAM Compartments 3 Options for HA: multi-region, multi-AD, multi-fault domain within an AD SLAs Security Operations, Compliance Certifications and Attestations, Customer Penetration and Vulnerability Testing, Secure Software Development
  25. 25. Deeper Customer Isolation 26 Copyright © 2019 Oracle I want to isolate my cloud resources from other tenants, Oracle staff, and external threat actors, so we can meet our security and compliance requirements. I want to isolate different departments from each other, so visibility and access to resources can be compartmentalized. Compute • Bare Metal Instances | VM Instances Network • VCN and Subnets Data • Data-at-rest encryption using customer- controlled keys Back-end Infrastructure • Secure isolation between customer instances and back-end hosts • Isolated Network Virtualization Identity and Access Management • Compartments and IAM policies
  26. 26. Defense in Depth: WAF, API Security, DDoS 27 Copyright © 2019 Oracle
  27. 27. Copyright © 2019 Oracle28 ▪ OCI has rethought security in the cloud ▪ OCI been built based using the least-trust approach ▪ OCI has hardware-powered security isolation and network virtualization ▪ OCI’s security direction is about • security automation • seamless integration with on-premises security solutions • making security truly easy to use Key Takeaways
  28. 28. Program agenda 3 Overview of the Web Application Firewall Service 29 Copyright © 2019 Oracle
  29. 29. Overview of the Web Application Firewall Service Enhance Security with OCI Web Application Firewall 30 Copyright © 2019 Oracle
  30. 30. What is OCI Web Application Firewall? 31 Copyright © 2019 Oracle ▪ Enterprise-grade, cloud-based, globally deployed security solution designed to protect business-critical web applications from malicious cyber-attacks. ▪ Web application security for OCI workloads and more - simultaneously protects web applications located on OCI, on-premises, and/or within multi-cloud environments
  31. 31. Copyright © 2019 Oracle32 WEB APPLICATION FIREWALL POLICY WAF policies encompass the overall configuration of your WAF service, including origin management, protection rule settings, and bot detection features. ORIGIN Your web application's origin host server. An origin must be defined in your WAF policy in order to set up protection rules or other features. PROTECTION RULES Protection rules can be configured to either allow, block, or log network requests when they meet the specified criteria of a protection rule. The WAF will observe traffic to your web application over time and suggest new rules to apply. BOT MANAGEMENT The WAF service includes several features that allow you to detect and either block or allow identified bot traffic to your web applications. Bot management features include: JavaScript Challenge, CAPTCHA Challenge, and GoodBot whitelists. Web Application Firewall Service Components
  32. 32. Oracle Cloud-Based WAF Protects Data Wherever it Resides 33 Copyright © 2019 Oracle Cloud-based Data On-Premises Database OCI Cloud-based Data Bad Bots Hackers Good Visitors Good Bots Spammers Layered approach to protect web applications against cyberattacks
  33. 33. Adding the Oracle WAF to Your Security Strategy 34 Copyright © 2019 Oracle Real-time updates with cloud-based WAF Highly-distributed, cloud-based security platform-as-a-service designed to address today’s web application challenges. High-availability for applications through automated DNS routing Scalable workload resources with on- demand threat detection
  34. 34. How It Works 35 Copyright © 2019 Oracle Customer Applications Oracle Cloud Infrastructure • Hides the origin server • Inspects traffic as it tries to access the server or as it leaves the server • Identifies whether request are from a human or a machine • Controls or blocks non-human suspicious requests • Restrict or control access to critical Web applications, data and service
  35. 35. Stopping Attacks at the Edge: Use Cases 36 Copyright © 2019 Oracle System Integration Machine-to-machine integration with existing back-end systems Cyber-attack Protection Over 250 Rule Sets to protect against cyber-attacks Access Control Restrict access to critical web apps, data and services Bot Management Let necessary good bots in and keep bad bots out Multi-cloud Support WAF for OCI, on- premises and other vendor cloud workloads
  36. 36. Program agenda 4 Key capabilities of the Web Application Firewall 37 Copyright © 2019 Oracle
  37. 37. Key capabilities of the Web Application Firewall Enhance Security with OCI Web Application Firewall 38 Copyright © 2019 Oracle
  38. 38. Oracle Cloud-Based WAF Protects Data Wherever it Resides 39 Copyright © 2019 Oracle WAF and Anti-Bot Protection Cloud-based Data On-Premises Database OCI Cloud-based Data Bad Bots Hackers Good Visitors Good Bots Spammers Access Control Restrict Country, URL, IP, User agent
  39. 39. Oracle Cloud-Based WAF Protects Data Wherever it Resides 40 Copyright © 2019 Oracle WAF and Anti-Bot Protection Cloud-based Data On-Premises Database OCI Cloud-based Data Bad Bots Hackers Good Visitors Good Bots Spammers Access Control Threat intelligence Restrict Country, URL, IP, User agent Block newest threats and vulnerabilities from exploits
  40. 40. Oracle Cloud-Based WAF Protects Data Wherever it Resides 41 Copyright © 2019 Oracle WAF and Anti-Bot Protection Cloud-based Data On-Premises Database OCI Cloud-based Data Bad Bots Hackers Good Visitors Good Bots Spammers Access Control Threat intelligence Bot Challenges Restrict Country, URL, IP, User agent Block newest threats and vulnerabilities from exploits Traffic behavior analysis to block bad bots
  41. 41. Oracle Cloud-Based WAF Protects Data Wherever it Resides 42 Copyright © 2019 Oracle WAF and Anti-Bot Protection Cloud-based Data On-Premises Database OCI Cloud-based Data Bad Bots Hackers Good Visitors Good Bots Spammers Access Control Threat intelligence Bot Challenges WAF OWASP Top 10 Protection Restrict Country, URL, IP, User agent Block newest threats and vulnerabilities from exploits Traffic behavior analysis to block bad bots Data breach and HTTP attack protection
  42. 42. Oracle Cloud-Based WAF Protects Data Wherever it Resides 43 Copyright © 2019 Oracle WAF and Anti-Bot Protection Cloud-based Data On-Premises Database OCI Cloud-based Data Bad Bots Hackers Good Visitors Good Bots Spammers Access Control Threat intelligence Bot Challenges WAF OWASP Top 10 Protection Restrict Country, URL, IP, User agent Block newest threats and vulnerabilities from exploits Traffic behavior analysis to block bad bots Data breach and HTTP attack protection Intelligence Team Experts mobilized for extreme cases
  43. 43. Access Control 44 Copyright © 2019 Oracle ▪ Restrict or control access to your critical web applications, data and services ▪ Restrict access to data from certain geographical regions or specific countries ▪ Meet General Data Protection Regulations (GDPR) compliance requirements
  44. 44. Copyright © 2019 Oracle45 Control access to resources housed in the Oracle Cloud Infrastructure based on location of user. User from non-risky location is able to access assets. Users from risky locations are denied access to assets. Protect Your Web Assets from Risky Traffic
  45. 45. Cyber-Attack Protection 46 Copyright © 2019 Oracle ▪ Over 250 rule sets and Open Web Access Security Project (OWASP) rule sets ▪ Compared against incoming traffic to determine if request contains attack payload ▪ WAF will block and/or alert on the requests: SQL injection, cross-site scripting, HTML injection and many more
  46. 46. Bot Management 47 Copyright © 2019 Oracle ▪ Configurable JavaScript and CAPTCHA challenges help deter non-human entities ▪ Good bot whitelisiting allows users to select which bots have access to assets ▪ Use challenges and whitelisting with WAF rule sets to further detect and block bad bots and let good bots through
  47. 47. How do you catch a bad bot? 48 Copyright © 2019 Oracle Device Fingerprinting Captcha ChallengeGood Bot Whitelisting Human Interaction Challenge IP Rate Limiting/Bot Traffic Shaping JavaScript Challenge
  48. 48. Good bot access web-based resources for business relevant reasons BAD ACTOR USER Bots can be created easily by bad actors and be used for malicious purposes (Bad bots) Utilize Captcha, Javascript and Human Interaction challenges to determine if request is bot or human Block malicious bot traffic with cloud-based web application firewall and bot management while allowing good bot traffic to pass through Bot traffic has surpassed human traffic on the Internet. Use the JavaScript challenge, CAPTCHA challenge, and whitelisting capabilities in conjunction with the WAF rule sets to block bad bots while allowing good bots through. Let the Good Bots In / Keep the Bad Bots Out
  49. 49. System Connectivity 50 Copyright © 2019 Oracle ▪ RESTful API provide machine-to-machine interface ▪ Integrate with existing back-end management systems ▪ Minimize user interface clutter
  50. 50. Multi-Cloud Support 51 Copyright © 2019 Oracle ▪ OCI, on-premises, hybrid cloud and multi- cloud support ▪ Secure applications as they migrate to the cloud ▪ Supports applications as they evolve in the future
  51. 51. Program agenda 5 Demo 52 Copyright © 2019 Oracle
  52. 52. Demo Enhance Security with OCI Web Application Firewall 53 Copyright © 2019 Oracle
  53. 53. Program agenda 54 Copyright © 2019 Oracle 6 Summary and Q&A
  54. 54. Summary and Q&A Enhance Security with OCI Web Application Firewall 55 Copyright © 2019 Oracle
  55. 55. Benefits 56 Copyright © 2019 Oracle Block malicious traffic before it reaches your application and data servers Protection for Oracle Cloud Infrastructure, on-premises, hybrid, and multicloud workloads RESTful APIs, SDK, and Terraform support Lower TCO – ease of deployment and predictable subscription pricing Keep bad actors and threats well away from your web applications – don’t let them in One platform to protect all your web properties Provides flexibility and easy integration with other systems No upfront hardware, software, ongoing maintenance costs or staffing investments
  56. 56. EMEA Innovation & Modernization Center 57 Copyright © 2019 Oracle Partner.IMC@beehiveonline.oracle.com blogs.oracle.com/imc twitter.com/OracleIMC facebook.com/OracleIMC github.com/OracleIMC youtube.com/user/OracleIMCTeam linkedin.com/groups/4535240
  57. 57. Thank you 58 Copyright © 2019 Oracle Mihai Dragomir Alexandru Ciachir

×