Slide 2
Scope/Definition of WAFs
Protects web-based applications from attacks on application code
» SQL injection and other injection types
» Cross-site scripting and cross-site request forgery
» Layer 7 DoS/DDoS attacks
» Cookie/schema poisoning
Protects against application vulnerabilities in custom code and commercial platforms
Understands/learns "normal" behavior and stops anomalies
» URL parameters, HTTP methods, session IDs, cookies, schema, etc.
Dynamic and adaptive, adjusting to new threats
Can't a Firewall or IPS do this?
Firewalls look for network-based (Layer 3/4) attacks, not attacks inside application requests
IPS signatures detect only known problems
» High rate of false positives
» No inspection of SSL traffic unless it is decrypted first
» No application or user awareness
[Diagram: INTERNET -> FortiWeb WAF -> Web Application Servers; SQL injection, XSS and similar attacks are stopped at the WAF]
Web Application Firewalls
Slide 3
WAF Drivers/Challenges
Protect existing and legacy applications from code-level vulnerabilities
Meet PCI DSS compliance (Requirements 6.5 and 6.6) for credit card data, and apply the same protection to healthcare data
Address the OWASP Top 10 application vulnerabilities
Identify and address web application vulnerabilities
Website publishing for Microsoft and other applications
Protect against website defacement
Who Needs It?
Any organization that processes credit cards and/or has PCI requirements
Large internal or external applications
Sensitive/proprietary information
Mission-critical business applications
Who Needs It Most?
MSPs/Hosting Companies
E-commerce/online services
Retail, Food Service, Hospitality
Financial services
Healthcare
Slide 4
Emerging Requirements/Trends
WAFs are converging with other technologies
» High-end products are adding web application firewall (WAF) and traditional firewall technologies
» The low end is quickly adding high-end features (WAF, scripting, etc.)
Business adoption is increasing
» Awareness of the threats and of the benefits of a WAF is increasingly widespread
» 96% of applications were attacked in 2013
» Gartner expects over 80% of organizations to have a WAF by 2018 (60% today)
The WAF market continues to grow
» IDC 2014 market size: $1.0 billion
» 6.9% CAGR through 2017
Slide 5
FortiWeb – Web Application Firewalls
6 models from 25 Mbps to 4 Gbps HTTP throughput
Up to 6x GE and models with 2x 10GE SFP+ ports
Included vulnerability scanning and antivirus
Hardware and VM options (VMware, Hyper-V and AWS)
AWS on-demand pricing
Automatic behavior-based scanning
Auto setup/learning mode
Layer 7 DDoS protection
FortiGuard antivirus/IP reputation
Transparent, reverse-proxy and non-inline deployment options
Central Management/ADOMs
Advanced real-time reporting
SSL offloading/compression
SSO/Authentication
Layer 7 load balancing
NSS Recommended
Complete WAF solution for PCI DSS compliance
Slide 6
FortiWeb Benefits
Protect custom and commercial applications with automatic usage profiling and anomaly scanning
Meet PCI DSS compliance (Requirements 6.5 and 6.6) with behavior-based attack detection and mitigation
Protection against the OWASP Top 10 application vulnerabilities
Identify web application security weaknesses with vulnerability scanning
Website publishing with Single Sign-On/Authentication
Restore website pages after attacks with Anti-Defacement Protection
Block botnets and attacks from known rogue and malicious sources with FortiGuard IP Reputation
Slide 8
FortiWeb Product Matrix

Model                  100D      400C      1000D     3000D     3000DFsx  4000D
WAF Throughput         25 Mbps   100 Mbps  750 Mbps  1.5 Gbps  1.5 Gbps  4.0 Gbps
Latency                Sub-ms    Sub-ms    Sub-ms    Sub-ms    Sub-ms    Sub-ms
SSL Processing         Software  Software  ASIC      ASIC      ASIC      ASIC
L7 Load Balancing      Yes       Yes       Yes       Yes       Yes       Yes
L7 DoS Protection      Yes       Yes       Yes       Yes       Yes       Yes
Site Publishing/SSO    Yes       Yes       Yes       Yes       Yes       Yes
Vulnerability Scanner  Yes       Yes       Yes       Yes       Yes       Yes
Antivirus/Antimalware  Yes       Yes       Yes       Yes       Yes       Yes
Form Factor            Desktop   1U        2U        2U        2U        2U
GE Ports               4         4         6         6         6         8
GE Bypass              0         0         4         2         0         2
GE-SX Bypass           0         0         0         0         0         2
GE SFP                 0         0         2         0         0         0
10GE SFP+ Bypass       0         0         0         0         2         2
ADOMs                  N/A       32        64        64        64        64
Slide 9
FortiWeb Virtual Appliances
Enterprise-grade virtual WAF
Deploy WAFs without extra hardware
Dynamic expansion in VM environments
Resource efficiency with uncompromised WAF functionality
Supported platforms: VMware ESX/ESXi 4.0, 4.1, 5.0, 5.1 and 5.5; Microsoft Hyper-V; Citrix XenServer 6.2; open-source Xen 4.2; AWS (BYOL/On-Demand)

Technical Specifications         FortiWeb VM01  FortiWeb VM02  FortiWeb VM04  FortiWeb VM08
vCPU Support (Max)               1              2              4              8
Memory Support (Max)             Unlimited      Unlimited      Unlimited      Unlimited
Network Interface Support (Max)  4              4              4              4
Storage Support (Min / Max)      40 GB / 1 TB   40 GB / 1 TB   40 GB / 1 TB   40 GB / 1 TB
Slide 10
FortiWeb Protection at all Layers
[Diagram: traffic passes through the following inspection layers in order, each paired with the attacks/threats it addresses]
IP Reputation: botnets, malicious hosts, anonymous proxies, DDoS sources
DDoS Protection: application-level DDoS attacks
Protocol Validation: improper HTTP (RFC violations)
Attack Signatures: known application attack types
Antivirus/DLP: viruses, malware, loss of data
Behavioral Validation: unknown application attacks
Correlation
Slide 11
Auto Setup and Protection
Key Features
» Auto learn
» Completely transparent
» Traffic pattern monitoring
» Models the application based on usage patterns
» Understands real behavior
Benefits
» No application changes
» Traffic anomalies trigger actions
» Protects against unknown vulnerabilities and zero-day attacks whose exploit traffic deviates from the learned profile
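The auto-learn feature on this slide, and the "learns normal behavior" bullet on slide 2, describe a positive security model: the WAF records what each URL normally receives (methods, parameter names, value shapes, lengths) during a learning period and then treats anything outside that profile as an anomaly. The toy below is an added illustration written for this page, not FortiWeb's implementation or any Fortinet code. The value classes, the 2x length tolerance and the baseline traffic are constructed assumptions; a real product also profiles cookies, session IDs and request bodies and tunes thresholds over a much longer learning period.

```python
# Added example (not FortiWeb code): a toy positive-security "auto-learn" model.
# Learning phase: build per-URL profiles from traffic assumed benign.
# Enforcement phase: report anything that falls outside the learned profile.
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlsplit

# Value classes from narrowest to widest; a value gets the first class that
# accepts it. Assumed classification, chosen for illustration only.
VALUE_CLASSES = [
    ("empty", re.compile(r"\A\Z")),
    ("digits", re.compile(r"\A[0-9]+\Z")),
    ("token", re.compile(r"\A[A-Za-z0-9_-]+\Z")),
    ("words", re.compile(r"\A[A-Za-z0-9 _.,-]+\Z")),
    ("any", re.compile(r".*", re.S)),
]


def classify(value: str) -> int:
    """Index of the narrowest class in VALUE_CLASSES that accepts value."""
    for idx, (_, pattern) in enumerate(VALUE_CLASSES):
        if pattern.match(value):
            return idx
    return len(VALUE_CLASSES) - 1


@dataclass
class ParamProfile:
    widest_class: int = 0
    max_len: int = 0


@dataclass
class PathProfile:
    methods: set = field(default_factory=set)
    params: dict = field(default_factory=dict)  # parameter name -> ParamProfile


class LearningWaf:
    """Learns what normal requests to each path look like, then flags deviations."""

    def __init__(self, length_slack: float = 2.0):
        self.profiles: dict[str, PathProfile] = {}
        self.length_slack = length_slack  # assumed tolerance above the learned maximum

    @staticmethod
    def _parse(method: str, url: str):
        parts = urlsplit(url)
        return method.upper(), parts.path, parse_qsl(parts.query, keep_blank_values=True)

    def observe(self, method: str, url: str) -> None:
        """Learning: widen the path's profile so that it covers this request."""
        method, path, params = self._parse(method, url)
        prof = self.profiles.setdefault(path, PathProfile())
        prof.methods.add(method)
        for name, value in params:
            p = prof.params.setdefault(name, ParamProfile())
            p.widest_class = max(p.widest_class, classify(value))
            p.max_len = max(p.max_len, len(value))

    def check(self, method: str, url: str) -> list[str]:
        """Enforcement: list every way the request deviates; an empty list means allowed."""
        method, path, params = self._parse(method, url)
        prof = self.profiles.get(path)
        if prof is None:
            return [f"unknown path {path}"]
        findings = []
        if method not in prof.methods:
            findings.append(f"{path}: method {method} never seen in learning")
        for name, value in params:
            p = prof.params.get(name)
            if p is None:
                findings.append(f"{path}: unknown parameter {name!r}")
                continue
            cls = classify(value)
            if cls > p.widest_class:  # e.g. quotes/spaces where only digits were learned
                findings.append(f"{path}: {name}={value!r} is {VALUE_CLASSES[cls][0]}, "
                                f"learned {VALUE_CLASSES[p.widest_class][0]}")
            if len(value) > p.max_len * self.length_slack:
                findings.append(f"{path}: {name} length {len(value)} > learned max {p.max_len}")
        return findings


# Constructed baseline traffic standing in for the learning period.
BASELINE = [
    ("GET", "/product?id=101"),
    ("GET", "/product?id=2042"),
    ("GET", "/search?q=running+shoes&page=1"),
    ("GET", "/search?q=blue+jacket+xl&page=12"),
    ("POST", "/login"),
]


def build_waf() -> LearningWaf:
    waf = LearningWaf()
    for method, url in BASELINE:
        waf.observe(method, url)
    return waf


if __name__ == "__main__":
    waf = build_waf()
    for method, url in [
        ("GET", "/product?id=77"),
        ("GET", "/product?id=1%27%20OR%20%271%27%3D%271"),  # SQLi where only digits were learned
        ("DELETE", "/product?id=77"),
        ("GET", "/product?id=77&debug=1"),
        ("GET", "/admin"),
    ]:
        print(method, url, "->", waf.check(method, url) or "allowed")
```

The SQL injection attempt is caught without any signature for it: the `id` parameter was only ever numeric during learning, so a value containing quotes and spaces is both the wrong class and too long. The same mechanism is also the source of false positives, which is why a learning period must cover real usage (including rare but legitimate requests) before enforcement is switched on.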
Slide 12
Vulnerability Scanning
Key Features
» Scans all application elements
» Granular crawling capabilities
» Scheduled or on demand
» Recommendation reporting
» FortiGuard updates
Benefits
» Automated vulnerability reporting
» Complements the WAF for PCI DSS compliance
Slide 13
FortiGuard Labs
» Award-winning threat research services
» Dynamic/automated updates for FortiWeb
» Automatic downloads
» Always up-to-date
Subscription Based
» Available per device
» Select the services that are needed
» Annual renewals
FortiGuard Services
Security Service
• Application layer signatures
• Malicious bots
• Suspicious URL patterns
• Web vulnerability scanner updates
IP Reputation
• Protection against automated attacks and malicious sources
• DDoS, phishing, botnet, spam, anonymous proxies and infected sources
Antivirus
• Scan file uploads
• Regular and extended AV databases
Slide 14
FortiWeb Recommended by NSS Labs
SVM published on September 30, 2014
Test Categories
» Security: URL parameter manipulation, form/hidden field manipulation, cookie/session poisoning, cross-site scripting, directory traversal, SQL injection and padding oracle attacks
» Evasions: packet fragmentation reassembly, stream segmentation, URL obfuscation
» Performance: stability, reliability and connections per second
Fortinet FortiWeb-1000D earned a Recommended rating
Strong performance with a 99.85% block rate and 15,865 connections/second
Passed all tests for evasion techniques and for stability and reliability
0.366% false positive rate
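The URL obfuscation evasion category above exists because a signature engine that matches on the request as received can be bypassed by encoding: a pattern looking for `' OR '` never sees it in `%2527%2520OR`, and the attack-signature layer on slide 10 only works if input is canonicalized first. The example below is added for this page; it is not FortiWeb code and not NSS Labs test material. It puts a naive raw matcher beside one that decodes before matching (bounded repeated percent-decoding plus IIS-style `%uXXXX` decoding). The signatures and sample URLs are constructed toys for illustration.

```python
# Added example (not FortiWeb code): canonicalise a URL before matching
# attack signatures so that percent-encoding tricks cannot slip past.
import re
from urllib.parse import parse_qsl, unquote, urlsplit

MAX_DECODE_ROUNDS = 3  # bounded: "%252527" is undone, but decoding cannot loop forever

# Constructed toy signatures, purely for illustration.
SIGNATURES = {
    "sqli-quote-or": re.compile(r"'\s*or\s*'", re.I),
    "sqli-union": re.compile(r"\bunion\b[\s/*]+select\b", re.I),
    "xss-script": re.compile(r"<\s*script", re.I),
    "traversal": re.compile(r"(^|/)\.\.(/|$)"),
}


def decode_percent_u(text: str) -> str:
    """Decode IIS-style %uXXXX sequences, which unquote() leaves untouched."""
    return re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), text)


def canonicalize(text: str, rounds: int = MAX_DECODE_ROUNDS) -> str:
    """Percent-decode repeatedly until the value stops changing (bounded)."""
    for _ in range(rounds):
        decoded = decode_percent_u(unquote(text))
        if decoded == text:
            break
        text = decoded
    return text


def match_raw(url: str) -> list[str]:
    """Naive engine: run the signatures over the request URL exactly as received."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(url))


def inspect(url: str) -> list[str]:
    """Canonicalise the path and every query value, then run the signatures."""
    parts = urlsplit(url)
    fields = [canonicalize(parts.path).replace("\\", "/")]  # backslash-as-separator trick
    fields += [canonicalize(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    return sorted({name for f in fields for name, rx in SIGNATURES.items() if rx.search(f)})


# Constructed sample requests: one benign, the rest obfuscated attacks.
SAMPLES = [
    "/search?q=running+shoes&page=1",
    "/search?q=%2527%2520OR%2520%25271%2527%253D%25271",  # double-encoded ' OR '1'='1
    "/search?q=%u0027%20OR%20%u00271%u0027%3D%u00271",    # %u-encoded quotes
    "/files?name=..%2F..%2Fetc%2Fpasswd",                 # encoded slashes
    "/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E",      # encoded <script>
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{url}\n  raw: {match_raw(url) or 'clean'}\n  canonical: {inspect(url) or 'clean'}")
```

Two caveats a practitioner should keep in mind: the decode loop is bounded so an attacker cannot make the WAF spin on deeply nested encodings, and the canonical form must mirror what the backend itself will decode (a WAF that decodes twice in front of a server that decodes once will both miss attacks and raise false positives on data that legitimately contains `%25`). That decode-consistency problem is exactly what the evasion tests probe.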
Slide 15
Pricing/Licensing
Purchase price includes:
» Hardware: appliance, mounting hardware, etc.
» VM: downloadable software and license
» 90 days of FortiCare 8x5 support
FortiCare (1, 2 and 3 year increments):
» 8x5 Enhanced
» 24x7 Comprehensive
FortiGuard (1 year only)
» IP Reputation
» FortiWeb Security Service (signatures)
» Antivirus
Central Management (separate)
» Up to 10 FortiWeb appliances
» Unlimited option
AWS
» Bring Your Own License (BYOL)
» On-demand licensing through AWS Marketplace
Slide 16
Complementary/Related Products
FortiADC Application Delivery Controllers
» Server load balancing
» Layer 7 content-based routing and SSL offloading
FortiDDoS DDoS Attack Mitigation Appliances
» Full Layer 3, Layer 4 and advanced Layer 7 DDoS attack mitigation
» 100% hardware- and behavior-based detection and mitigation
AscenLink/FortiWAN Link Load Balancers
» Advanced link load balancing up to 50 links
» Patented tunnel routing
Slide 17
Objection Handling
"We regularly review our applications for security flaws; we don't need a WAF."
» A WAF protects applications automatically, without the need to keep patching and re-reviewing older applications; this frees up resources.
"Only our developers know the code well enough to address security issues."
» Even the best programmers cannot account for every possible vulnerability, and they cannot predict unknown problems in advance.
"We've never had a data breach, and our other security measures are good enough."
» 96% of all web-based applications were attacked in 2013. Chances are you have been attacked and did not know about it.
"I've never heard of FortiWeb (Fortinet) for WAF. Why should I look at a FortiWeb WAF?"
» FortiWeb has been in the WAF market for over 5 years. NSS Labs gave it a Recommended rating, with 99.85% security effectiveness against today's web application threats.
Slide 18
Qualifying Questions
How do you protect your mission-critical web-based applications from attacks today?
» Look for opportunities for a WAF to automate manual processes such as application security patches and code changes on older applications.
Do you regularly conduct code security reviews, and if so, how often?
» If they are not doing it, they are most likely at risk. If they are, they are most likely spending a lot of effort on these reviews. A WAF automates much of that protection and covers the gaps between reviews.
Do you need to meet PCI DSS compliance standards? What were the results of your last PCI DSS audit?
» If yes, they most likely need a WAF for PCI DSS 6.6. If not, protecting applications is a harder sell; focus on mission-critical systems and on protecting sensitive user and proprietary data.
Are you concerned about data breaches of sensitive customer or proprietary information through your web-based applications?
» The answer should be "yes". If so, a WAF is the control built to stop application-specific attacks.
Slide 19
Additional Resources
White Papers
» Beyond the Firewall
» WAF or NGFW with IPS to Protect Applications
Solution Guides/Briefs
» Fortinet Virtual Appliance Solutions (AWS)
» Protecting Against Layer 7 DoS Attacks with FortiWeb
» OWASP 2013 and FortiWeb
Deployment Guides:
» Replacing Microsoft TMG with FortiWeb for Publishing
applications
Positioning Guides/Responses:
» NSS Labs WAF SVM Talking Points
» NSS WAF SVM and Product Analysis Report
Slide 20
Lan & Wan Solutions
Innovating your company. Our challenge.
Via dell'Artigianato, 62 - 35010 Saletto di Vigodarzere (PD)
Tel. +39 049 8843198, press 5
E-mail contacts@lanewan.it