Confidential │ ©2019 VMware, Inc.
Webinar
Christian Treutler
R&D Security Engineer – NSBU, VMware
September 5th 2019
Prevent Threats with Analytics-Driven Web Application Firewall
Agenda
Why Application Security has become Critical
Need for Analytics-driven Application Security
Prevent Threats with Analytics-Driven Web Application Firewall
Live Demos
Customer success story
Summary & Next Steps
We live in a time of data breaches.
Web Application Breaches and Cost
[Chart: correlation of incidents into breaches. Source: Verizon Data Breach Investigations Report (DBIR) 2019]
$3.92M average total cost of a data breach (Cost of a Data Breach Report 2019, Ponemon Institute)
Application Security is part of all of our lives. Breaches affect everybody.
“The biggest threat to security is the hyper-focus on security threats.”
Pat Gelsinger, RSA Conference 2019

• Focus on Applications
• Make security intrinsic
• Invest in Prevention
NSX Advanced Load Balancer & Web Application Firewall
Technology overview
Why is WAF not Pervasively Deployed?
• Rule complexity
• Lack of visibility
• Poor scalability
Modern, Scalable, Multi-Cloud Architecture
[Diagram: Controller and Service Engines deployed on premises (bare metal, virtualized, containers) and in public cloud (virtualized, containers)]
• Separate control and data plane
• Elasticity
• Intelligence
• Automation
• Multi-cloud
Comprehensive Security Stack
NSX Advanced Load Balancer
• Encryption: SSL/TLS
• L3/4 firewall rules: IP/port based security rules
• L7 firewall rules: content (URI) based security rules
• DDoS protection: DDoS detection and mitigation with elastic scaling
• Application rate limiting: control and restrict by application or tenant
• Security insights: security score, attack insights, SSL insights, WAF analytics
• Web Application Firewall: OWASP Top 10, application protection, attack analytics
Platform: centralized management, multi-cloud elastic fabric, automation and programmability, real-time visibility and analytics, REST API
Deployment targets: data center, private cloud, public cloud
NSX Advanced Load Balancer WAF - Core Design Principles
• Automated policy creation: native OWASP Top 10 protection, advanced learning, one-click policy tuning
• Real-time insights: intelligence on attacks, application behavior, and rule matches
• Elasticity and automation: high performance, auto-scaling, API-first platform
Avi’s WAF Capabilities
Application defense in depth
• Application learning and positive security
• OWASP Top 10 protection
• Signatures and app-specific rules
• HTTP protocol enforcement and input validation (XSS, SQLi, etc.)
• Virtual patching using scripting for application logic flaws
• API protection for JSON, XML
• Metrics and statistics about the current application attack surface
• Bot detection
[Diagram: untrusted WAN on one side of the WAF, trusted backend application on the other]
iWAF policy checks
Whitelist
• High performance for trusted traffic
• Match criteria: headers, IP, path and more
• Similar to HTTP policy matching
PSM (Positive Security Model)
• Positive definition of application behavior
• Zero-day attack defence and performance
• Rules: learning, scanners, manual
Signatures
• Scans for common attack patterns
• Rules: OWASP Top 10 protection rules
Automating Application Security using ML
[Diagram: incoming traffic is routed by an ML classifier either to FastPass (allowed without deep inspection) or to deep inspection with negative security, which ends in allow or deny]
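The three policy checks listed above (whitelist, PSM, signatures) and the FastPass / deep-inspection split on the ML slide, as an added example constructed for this page; this is not Avi or NSX Advanced Load Balancer code. It runs each request through the stages in the order listed: a whitelist match is the fast pass and skips everything else, the positive security model learned from clean traffic rejects anything outside the learned parameter profile before any signature is consulted, and the negative signatures run last. In the deck an ML classifier decides who gets the fast pass; here that decision is a static whitelist rule. The IPs, paths, parameters, learning traffic and signature patterns are all assumptions for illustration.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Request:
    client_ip: str
    method: str
    path: str
    params: dict = field(default_factory=dict)  # decoded query/body parameters


# Stage 1: whitelist ("fast pass"). A match skips every further check, which is
# where the high performance for trusted traffic comes from.
# Assumed rule: monitoring probes from the 10.0.0.0/24 management range to /health.
WHITELIST = [{"ip_prefix": "10.0.0.", "path_prefix": "/health"}]


def whitelisted(req):
    return any(req.client_ip.startswith(r["ip_prefix"]) and req.path.startswith(r["path_prefix"])
               for r in WHITELIST)


# Stage 2: positive security model (PSM). Per (method, path) the model records, for
# every parameter seen in clean learning traffic, the widest character class and the
# longest value. Anything outside that profile is a violation, signature match or not.
CLASS_RANK = {"digit": 0, "alnum": 1, "text": 2}


def charclass(value):
    if re.fullmatch(r"\d+", value):
        return "digit"
    if re.fullmatch(r"[A-Za-z0-9_-]+", value):
        return "alnum"
    return "text"


class PositiveModel:
    def __init__(self):
        self.profiles = {}  # (method, path) -> {param: {"cls": str, "max_len": int}}

    def learn(self, req):
        prof = self.profiles.setdefault((req.method, req.path), {})
        for name, value in req.params.items():
            p = prof.setdefault(name, {"cls": "digit", "max_len": 0})
            if CLASS_RANK[charclass(value)] > CLASS_RANK[p["cls"]]:
                p["cls"] = charclass(value)
            p["max_len"] = max(p["max_len"], len(value))

    def check(self, req):
        prof = self.profiles.get((req.method, req.path))
        if prof is None:
            return []  # location never learned: PSM has nothing to enforce here
        violations = []
        for name, value in req.params.items():
            p = prof.get(name)
            if p is None:
                violations.append(f"unknown parameter {name!r}")
                continue
            if CLASS_RANK[charclass(value)] > CLASS_RANK[p["cls"]]:
                violations.append(f"{name!r}: expected {p['cls']}, got {charclass(value)}")
            if len(value) > 2 * p["max_len"]:  # 2x slack over the longest learned value
                violations.append(f"{name!r}: length {len(value)} exceeds {2 * p['max_len']}")
        return violations


# Stage 3: negative security. Assumed illustrative patterns only; a real deployment
# runs a full rule set such as the OWASP Core Rule Set.
SIGNATURES = [
    ("sqli-union-select", re.compile(r"(?i)\bunion\b[\s/*]+(all[\s/*]+)?select\b")),
    ("sqli-tautology", re.compile(r"(?i)'\s*or\s+'?\d+'?\s*=\s*'?\d+")),
    ("xss-script-tag", re.compile(r"(?i)<\s*script\b")),
    ("path-traversal", re.compile(r"\.\.[/\\]")),
]


def match_signatures(req):
    targets = [("path", req.path)] + [(f"param {k!r}", v) for k, v in req.params.items()]
    for where, value in targets:
        for sig_id, pattern in SIGNATURES:
            if pattern.search(value):
                return f"{sig_id} in {where}"
    return None


def evaluate(req, model):
    """Return (decision, stage, reason): whitelist -> PSM -> signatures."""
    if whitelisted(req):
        return ("allow", "whitelist", "trusted source, fast pass")
    violations = model.check(req)
    if violations:
        return ("deny", "psm", violations[0])
    hit = match_signatures(req)
    if hit:
        return ("deny", "signature", hit)
    return ("allow", "inspected", "no rule matched")


def build_model():
    """Learning phase on constructed clean traffic (in practice: sampled production traffic)."""
    model = PositiveModel()
    for user, pw in [("alice", "S3cret!pass"), ("bob_smith", "hunter2")]:
        model.learn(Request("203.0.113.10", "POST", "/login", {"user": user, "pass": pw}))
    for item_id in ["42", "1007"]:
        model.learn(Request("203.0.113.11", "GET", "/item", {"id": item_id}))
    return model


if __name__ == "__main__":
    model = build_model()
    for req in [
        Request("10.0.0.5", "GET", "/health"),
        Request("198.51.100.7", "GET", "/item", {"id": "42 OR 1=1"}),
        Request("198.51.100.7", "POST", "/login", {"user": "alice", "pass": "' OR '1'='1"}),
    ]:
        print(req.method, req.path, req.params, "->", evaluate(req, model))
```

Two things the stage order buys, visible in the sample requests: the `id=42 OR 1=1` probe is stopped by the PSM because a learned numeric parameter suddenly carries text, before any SQLi pattern is consulted, so a novel payload with no signature would be stopped just the same; and a path the model never learned (`/search`) falls through to signatures only, which is why learning coverage, not just the rule set, decides what the positive model can protect.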
Analytics Driven Security
Application defense in depth
[Diagram: client request passes through security (WAF) to the application and back as the response, with every stage feeding the analytics engine]
• All metrics are accessible via API and can be used for policy updates.
• The analytics engine supports over 1k data points.
Application Security Automation
[Diagram: the Controller combines control and analytics]
• Deploy anywhere
• CI/CD-capable, shift-left security
• Scanner integrations
• Metrics engine
• App behavior learning
• Automated app rule updates
• Integrated machine learning
Demo
WAF Introduction
WAF Learning & Protection
Customer success
Swisslos & Avi - A continuing success story
Securing the lottery - The Swisslos story
Location: Basel, Switzerland
Lotteries, sport bets and instant tickets for Switzerland

Products
• Avi Networks ADC
• Avi Networks iWAF

Strategic priorities
• Software defined network and datacenter
• Secure all internet-facing applications

Challenges (2017)
• Modernizing DC to replace legacy HW
• Appliance-based WAF
• Lack of elasticity and poor performance => bad customer experience

Solution (2017)
• Avi: easy to deploy, very user friendly
• Detailed analytics for cost reduction
• API-first model for automation and self-service

Solution (2019)
• Avi has successfully handled all scaling requirements
• Traffic peaks are seasonal; scale-out and scale-in continues to reduce costs

Impact
• 60% operational savings
• Analytics and insights simplify daily operations and troubleshooting
• Easy policy tuning

“The iWAF is so well integrated in the Avi solution that not using it would be a crime. It is not only protecting our applications but giving us loads of insights about threats and attacks thanks to the out of the box analytics.”
Joris Vuffray, Head Network & System Management
Summary
• Focus on Applications
• Make security intrinsic
• Invest in Prevention

• Reducing attack surface by adding WAF protection
• Learning application behavior to auto-tune security policy
• Security built into NSX Advanced Load Balancer by default

“NSX Advanced Load Balancer focuses on the application.”
Thank You