© Copyright Fortinet Inc. All rights reserved.
FortiWeb
Web Application Firewalls
Lan & Wan Solutions – IT Solutions for Local & Wide Area Networks
Scope/Definition of WAFs
• Protects web-based applications from code-based attacks
  » SQL Injection or other injection types
  » Cross Site Scripting and Request Forgery
  » Layer 7 DoS/DDoS attacks
  » Cookie/schema poisoning
• Protects against application vulnerabilities in custom code and commercial platforms
• Understands/learns “normal” behaviors and stops anomalies
  » URL parameters, HTTP methods, session IDs, cookies, schema, etc.
• Dynamic and adaptive to adjust to new threats
Can’t a Firewall or IPS do this?
• Firewalls look for network-based attacks
• IPS Signatures detect only known problems
  » High rate of false positives
  » No protection of SSL traffic
  » No application or user awareness
[Diagram: INTERNET – FortiWeb WAF – Web Application Servers; attacks shown: SQL Injection, XSS…]
WAF Drivers/Challenges
• Protect current and existing applications from code-based vulnerabilities
• Meet PCI Compliance (5.5 and 6.6) for credit card and healthcare data
• Address OWASP Top 10 Application Vulnerabilities
• Identify and address web application vulnerabilities
• Website publishing for Microsoft and other applications
• Protect against website defacement
Who Needs it?
• Any organization that processes credit cards and/or has PCI requirements
• Large internal or external applications
• Sensitive/proprietary information
• Mission-critical business applications
Who Needs it Most?
• MSPs/Hosting Companies
• E-commerce/online services
• Retail, Food Service, Hospitality
• Financial services
• Healthcare
Emerging Requirements/Trends
• WAFs are converging with other technologies
  » High-end products adding web application firewall (WAF) and traditional firewall technologies
  » Low end is quickly adding high-end features (WAF, scripting, etc.)
• Business adoption increasing
  » Awareness of threats and benefit of WAF increasingly understood
  » 96% of applications have been attacked in 2013
  » Gartner expects over 80% of organizations will have a WAF by 2018 (60% today)
• WAF market continues to grow
  » IDC 2014 market size: $1.0 billion
  » 6.9% CAGR through 2017
FortiWeb – Web Application Firewalls
• 6 models from 25 Mbps to 4 Gbps HTTP throughput
• Up to 6x GE and models with 2x 10GE SFP+ ports
• Included vulnerability scanning and antivirus
• Hardware and VM options (VMware, Hyper-V and AWS)
• AWS On-demand Pricing
• Automatic behavior-based scanning
• Auto setup/learning mode
• Layer 7 DDoS protection
• FortiGuard antivirus/IP reputation
• Transparent, reverse and non-inline deployment options
• Central Management/ADOMs
• Advanced real-time reporting
• SSL offloading/compression
• SSO/Authentication
• Layer 7 load balancing
• NSS recommended
Complete WAF Solution for PCI DSS Compliance
FortiWeb Benefits
• Protect custom and commercial applications with automatic usage profiling and anomaly scanning
• Meet PCI Compliance (5.5 and 6.6) with behavior-based attack detection and mitigation
• Protection against OWASP Top 10 Application Vulnerabilities
• Identify web application security weaknesses with vulnerability scanning
• Website publishing with Single Sign On/Authentication
• Restore website pages from attacks with Anti-Defacement Protection
• Block botnets and attacks from known rogue and malicious sources with FortiGuard IP Reputation
Performance & Scalability

WAF    | < 1 Gbps | 1 – 2 Gbps | 3+ Gbps
SSL    | Software | ASIC       | ASIC
Ports  | GE       | GE/10GE    | GE/10GE

FortiWeb Product Lineup (lowest to highest throughput): FWB-100D, FWB-400C, FWB-1000D, FWB-3000D, FWB-3000DFsx, FWB-4000D
FortiWeb Product Matrix

Model                  | 100D     | 400C     | 1000D    | 3000D    | 3000DFsx | 4000D
WAF Throughput         | 25 Mbps  | 100 Mbps | 750 Mbps | 1.5 Gbps | 1.5 Gbps | 4.0 Gbps
Latency                | Sub-ms   | Sub-ms   | Sub-ms   | Sub-ms   | Sub-ms   | Sub-ms
SSL                    | Software | Software | ASIC     | ASIC     | ASIC     | ASIC
L7 Load Balancing      | Yes      | Yes      | Yes      | Yes      | Yes      | Yes
L7 DoS Protection      | Yes      | Yes      | Yes      | Yes      | Yes      | Yes
Site Publishing/SSO    | Yes      | Yes      | Yes      | Yes      | Yes      | Yes
Vulnerability Scanner  | Yes      | Yes      | Yes      | Yes      | Yes      | Yes
Antivirus/antimalware  | Yes      | Yes      | Yes      | Yes      | Yes      | Yes
Form Factor            | Desktop  | 1U       | 2U       | 2U       | 2U       | 2U
GE Port                | 4        | 4        | 6        | 6        | 6        | 8
GE Bypass              | 0        | 0        | 4        | 2        | 0        | 2
GE-SX Bypass           | 0        | 0        | 0        | 0        | 0        | 2
GE SFP                 | 0        | 0        | 2        | 0        | 0        | 0
10GE SFP+ Bypass       | 0        | 0        | 0        | 0        | 2        | 2
ADOMs                  | N/A      | 32       | 64       | 64       | 64       | 64
FortiWeb Virtual Appliances
Enterprise-grade virtual WAF
• Deploy WAFs without extra hardware
• Dynamic expansion in VM environments
• Resource efficiency with uncompromised WAF functionality
• VMware ESX / ESXi 4.0 / 4.1 / 5.0 / 5.1 / 5.5, Microsoft Hyper-V, Citrix XenServer 6.2, Open Source Xen 4.2, AWS (BYOL/On-Demand)

Technical Specifications         | FortiWeb VM01 | FortiWeb VM02 | FortiWeb VM04 | FortiWeb VM08
vCPU Support (Max)               | 1             | 2             | 4             | 8
Memory Support (Max)             | Unlimited     | Unlimited     | Unlimited     | Unlimited
Network Interface Support (Max)  | 4             | 4             | 4             | 4
Storage Support (Min / Max)      | 40 GB / 1 TB  | 40 GB / 1 TB  | 40 GB / 1 TB  | 40 GB / 1 TB
FortiWeb Protection at all Layers
[Diagram: attacks/threats pass through the FortiWeb protection layers below before reaching the application]

Protection layer       | Attacks/threats addressed
IP Reputation          | Botnets, malicious hosts, anonymous proxies, DDoS sources
DDoS Protection        | Application level DDoS attacks
Protocol Validation    | Improper HTTP RFC
Attack Signatures      | Known application attack types
Antivirus/DLP          | Viruses, malware, loss of data
Behavioral Validation  | Unknown application attacks
Correlation            |
Auto Setup and Protection
• Key Features
  » Auto learn
  » Completely transparent
  » Traffic pattern monitoring
  » Models application based on usage patterns
  » Understands real behavior
• Benefits
  » No application changes
  » Traffic anomalies trigger actions
  » Protects against unknown vulnerabilities and zero-day attacks
Vulnerability Scanning
• Key Features
  » Scans all application elements
  » Granular crawling capabilities
  » Scheduled or on demand
  » Recommendation reporting
  » FortiGuard updates
• Benefits
  » Automated vulnerability reporting
  » Complements WAF for PCI DSS compliance
FortiGuard Services
• FortiGuard Labs
  » Award-winning threat research services
  » Dynamic/automated updates for FortiWeb
  » Automatic downloads
  » Always up-to-date
• Subscription Based
  » Available per device
  » Select services that are needed
  » Annual renewals
• Security Service
  » Application layer signatures
  » Malicious bots
  » Suspicious URL pattern
  » Web vulnerability scanner updates
• IP Reputation
  » Protection for automated attacks and malicious sources
  » DDoS, Phishing, Botnet, Spam, Anonymous proxies and infected sources
• Antivirus
  » Scan file uploads
  » Regular and extended AV databases
FortiWeb Recommended by NSS Labs
• SVM published on September 30, 2014
• Test Categories
  » Security: URL parameter manipulation, form/hidden field manipulation, cookie/session poisoning, cross-site scripting, directory traversal, SQL injection and padding oracle attacks
  » Evasions: packet fragmentation reassembly, stream segmentation, URL obfuscation
  » Performance: stability, reliability and connections per second
• Fortinet FortiWeb-1000D earned a Recommended rating
• Strong performance with 99.85% block rate and 15,865 connections/second
• Passed all tests for evasion techniques and for stability and reliability
• 0.366% false positive detection rate
Pricing/Licensing
• Purchase price includes:
  » Hardware: appliance, mounting hardware, etc.
  » VM: Downloadable software and license
  » 90 days of FortiCare 8x5 support
• FortiCare (1, 2 and 3 year increments):
  » 8x5 Enhanced
  » 24x7 Comprehensive
• FortiGuard (1 year only)
  » IP reputation
  » FortiWeb Security Service (signatures)
  » Antivirus
• Central Management (separate)
  » Up to 10 FortiWeb appliances
  » Unlimited option
• AWS
  » Bring Your Own License (BYOL)
  » On-demand licensing through AWS marketplace
Complementary/Related Products
• FortiADC Application Delivery Controllers
  » Server load balancing
  » Layer 7 content-based routing and SSL offloading
• FortiDDoS DDoS Attack Mitigation Appliances
  » Full layer 3, 4 and advanced layer 7 DDoS attack mitigation
  » 100% hardware and behavior-based detection and mitigation
• AscenLink/FortiWAN Link Load Balancers
  » Advanced link load balancing up to 50 links
  » Patented tunnel routing
Objection Handling
• “We regularly review our applications for security flaws, so we don’t need a WAF.”
  » A WAF can automatically protect applications without the need to constantly manage existing older applications; this frees up resources.
• “Only our developers know the code well enough to address security issues.”
  » Even the best programmers can’t account for every possible vulnerability, and they can’t predict unknown problems in advance.
• “We’ve never had a data breach and our other security measures are good enough.”
  » Over 96% of all web-based applications were attacked in 2013. Chances are you have been attacked and may not have known about it.
• “I’ve never heard of FortiWeb (Fortinet) for WAF. Why should I look at a FortiWeb WAF?”
  » FortiWeb has been in the WAF market for over 5 years. We’re a leader according to NSS Labs, with over 99.85% security effectiveness against today’s latest web application threats.
Qualifying Questions
• How do you protect your mission-critical web-based applications from attacks today?
  » Look for opportunities to have a WAF automate manual processes like application security patches and code changes on older applications.
• Do you regularly conduct code security reviews and, if so, how often?
  » If they’re not doing it, they’re most likely at risk. If they are, they are most likely spending a lot of effort to conduct these reviews. A WAF can automate this and protect better.
• Do you need to meet PCI DSS compliance standards? What were the results of your last PCI DSS audit?
  » If yes, they most likely need a WAF for PCI DSS 6.6. If not, it’s a harder sell to protect applications; focus instead on mission-critical systems and on protecting sensitive user and proprietary data.
• Are you concerned about data breaches of sensitive customer or proprietary information through your web-based applications?
  » The answer should be “yes”. If so, only a WAF can protect against application-specific attacks.
Additional Resources
• White Papers
  » Beyond the Firewall
  » WAF or NGFW with IPS to Protect Applications
• Solution Guides/Briefs
  » Fortinet Virtual Appliance Solutions (AWS)
  » Protecting Against Layer 7 DoS Attacks with FortiWeb
  » OWASP 2013 and FortiWeb
• Deployment Guides:
  » Replacing Microsoft TMG with FortiWeb for Publishing applications
• Positioning Guides/Responses:
  » NSS Labs WAF SVM Talking Points
  » NSS WAF SVM and Product Analysis Report
Lan & Wan Solutions
Innovating your business. Our challenge
Via dell’Artigianato, 62 - 35010 Saletto di Vigodarzere (PD)
Tel. +39 049 8843198 digit 5
E-mail contacts@lanewan.it