Kona Web Application Firewall Overview - Akamai at RSA Conference 2013
•
4 likes•4,286 views
Application firewalls protect applications at the layer 7 level where most attacks occur. Akamai's application firewall inspects requests and responses for malicious content and patterns to protect against attacks like SQL injections. It can log or block activities against configurable policies and protects organizations against application layer attacks that propagate over HTTP and HTTPS.
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to Kona Web Application Firewall Overview - Akamai at RSA Conference 2013
Similar to Kona Web Application Firewall Overview - Akamai at RSA Conference 2013 (20)
More from Akamai Technologies
More from Akamai Technologies (20)
Recently uploaded
Recently uploaded (20)
Kona Web Application Firewall Overview - Akamai at RSA Conference 2013
- 2. bercrime Landscape in 2013 …and easier t carry ou e re ed...
- 3. From Network to Application Layer Application Layer Where increasing number of a2acks (Layer 7) are focused Target of Network Layer Tradi,onal (Layers 3/4) DDoS A2acks
- 4. pplication Firewall Highlights ates at the network edge – over 100,000 servers cts requests and responses for malicious content and info le cts packets to protect against attacks such as SQL Injections s-Site Scripts gurable to log or block activities against policy cts organizations against application layer attacks propagate P and HTTPS les compliance with PCI DSS 1.2 section 6.6 des advanced rate controls (behavioral based protections) agates quickly (~30 minutes) gured via portal
- 5. ecurity Solutions 2.0 urity Rule Update le Set 2.2.6 CRS support Common Rules n Akamai’s unique view % of internet traffic d Rate Controls ID; Client-IP+User-Agent grade Wizard
- 8. Intelligent Platform™ g Network Layer Attacks at the Edge ayer attack mitigation Examples of attacks types dropped otection is “always on” at Akamai Edge 80 (HTTP) or Port 443 (HTTPS) traffic § UDP Fragments n Platform § ICMP Floods r traffic dropped at the Akamai Edge § SYN Floods k traffic never makes it onto Platform § ACK Floods mer not charged for traffic dropped at Edge s attack requests without requiring identification § RESET Floods s CNAME onto Akamai Intelligent Platform § UDP Floods ttacks through massive scale s average throughput; up to 8Tbps on of HTTP request traffic across 100,000+ ,100+ networks ting, added latency, or point of failure
- 9. Rules plication Firewall tion The Result Custom Rules implemented § New rule logic can be built to mai metadata written by specific use cases for the cus i Professional Services § Rules can be built that execut are created and managed in one or more baseline rules or mer portal control rules match are then associated with § Output of application vulnerab l policies and deployed with products can be implemented n 45 minutes “virtual patches” § Advanced piping to user valid actions can be achieved (prio
- 10. Rules plication Firewall tion The Result Custom Rules implemented § New rule logic can be built to mai metadata written by specific use cases for the cus i Professional Services § Rules can be built that execut are created and managed in one or more baseline rules or mer portal control rules match are then associated with § Output of application vulnerab l policies and deployed with products can be implemented n 45 minutes “virtual patches” § Advanced piping to user valid actions can be achieved (prio
- 11. e Rate Controls s Behavior Detection y number of requests per § Statistics collected for 3 reque d against a given URL o Client Request – Client to Akama ols requests based on behavior o Forward Request – Akamai Serv n – not request structure o Forward Response – Origin to A client IP address, session ID, cookies, etc. § Statistics collected allow us to ure rate categories to large proxies and pick out a m request rates against digital user hiding behind a proxy ties te rate-based DDoS attacks § Statistics collected allow for dete of pathological behavior by a clie o Request rate is excessive for an o Requests causing too many Orig
- 12. e Rate Controls s Behavior Detection y number of requests per § Statistics collected for 3 reque d against a given URL o Client Request – Client to Akama ols requests based on behavior o Forward Request – Akamai Serv n – not request structure o Forward Response – Origin to A client IP address, session ID, cookies, etc. § Statistics collected allow us to ure rate categories to large proxies and pick out a m request rates against digital user hiding behind a proxy ties te rate-based DDoS attacks § Statistics collected allow for dete of pathological behavior by a clie o Request rate is excessive for an o Requests causing too many Orig
- 13. y Monitor (1 of 3) Timeline of Requests by Hour Visual Display of Requests by Geography Requests by WAF Rule ID Requests Requests by WAF Message by WAF Tag
- 14. y Monitor (2 of 3) Multiple ways to display request statistics
- 15. y Monitor (3 of 3) Requests by City Requests by ARLs being Client IP address attacked
Editor's Notes
- NOTE: You can click on the black bars and adjust the length to fit your text. If your main title goes beyond one line, please remember to move the subtitle bar down a bit in order to keep some space between it and the main title bar. If you do not need a subtitle, you can delete that bar entirely.
- Attacks are becoming more sophisticated with multi-vector attacks often hiding the real motivations of attackers. On top of this it has become even easier to carry out different attacks – a quick Google search and anyone with basic tech skills can download these tools and join the fight…
- LOIC basically turns your computer's network connection into a firehose of garbage requests, directed towards a target web server. On its own, one computer rarely generates enough TCP, UDP, or HTTP requests at once to overwhelm a web server—garbage requests can easily ignored while legit requests for web pages are responded to as normal. But when thousands of users run LOIC at once, the wave of requests become overwhelming, often shutting a web server (or one of its connected machines, like a database server) down completely, or preventing legitimate requests from being answered. What is HOIC? - High-speed multi-threaded HTTP Flood - Simultaneously flood up to 256 websites at once - Built in scripting system to allow the deployment of 'boosters', scripts designed to thwart DDoS counter measures and increase DoS output. - Easy to use interface - Can be ported over to Linux/Mac with a few bug fixes (I do not have either systems so I do - Ability to select the number of threads in an ongoing attack - Ability to throttle attacks individually with three settings: LOW, MEDIUM, and HIGH and its written in a language where you can do a bunch of really nifty things just read the RealBasic manual, ;] also no Dependencies (single executable)
- Implemented in 10’000s of Akamai Edge Servers
- We still defend against “old school” DdoS as well as we ever did….distributed networks, offload DNS, caching content. But there are new attacks that we must evolve our defenses to defend. \\These are the things you’ll be able to defend against – stealthier attacks, more advanced attacks: How do we do this, new rules: Slow post, Slow loris, LOIC are now, HOIC Replace RTR with DLR in Security Monitor (is this Channel Partner Foundations – Today there are no tools for partners to implement Kona 2.0. Partner Focused Enhancements. They made some foundational tools.. WAF ModSecurity Core Rule Set 2.2.6 Includes anomaly scoring and migration wizard Anomaly scoring – related to the HTTP request. Adding the ability to score HTTP requests, provides a means to better assess the risk. Configurable policy to deny. WAF common rules sets: we see lots of attacks, create new rules for all of them. With 2.0 (free to 1.0 customers) the rule set is available. Getting the rules probabaly requires PS engagement. Advanced Rate Controls: protect against more sophisticated attacks, helps address malicious behavior --- behavioral controls. For example: (John has details)
- Close on the brand message – you can use the following sample text to speak to this closing brand slide. (Akamai is making your media more mobile, enabling “Any experience, any device, anywhere.” Our goal is to ultimately help you accelerate your business. [Corey]) (Today's best online experiences have been Akamaized . We’re here to help you reach mobile workforces, and 24/7 consumers with any experience on any device, anywhere. And to ultimately help you accelerate your business. [Ravi]) (Akamai’s Application & Cloud Performance Solutions enable you to control your applications, control your costs, and control your cloud, offering you the agility that you need to accelerate your business. [Willie]) (Akamai offers you solutions to revolutionize your media strategy and engage users with any experience, on any device, anywhere, to grow your audience and grow your business. [Bill]) (Mobilize, optimize, and monetize your business, providing a high performance experience to your 24/7 consumers so that you can accelerate your online retail strategies. [Pedro]) (Block threats, not performance, in this ever-evolving hyperconnected world. Securely reach your users on any device, anywhere so you can accelerate your business. [John]) (Akamai helps you connect to users on any device, anywhere, removing the complexities of privacy, security, and rights management, while also allowing businesses to spend advertising dollars more effectively. [Khan])
- Platform provides an additional layer of defense and moves the perimeter of defense out to the Edge of the Internet and then goes into the network layer value of that architecture The Akamai platform automatically (** if you’re buying acceleration…** protects against: SYN flood and other TCP attacks UDP attacks HTTP slow client (“drip feed”) attacks HTTP Request Smuggling attacks HTTP Response Splitting attacks The platform only accepts valid HTTP requests on port 80 and 443!
- Implemented in 10’000s of Akamai Edge Servers Requests causing too many Origin errors (404, 5XX)
- Implemented in 10’000s of Akamai Edge Servers Requests causing too many Origin errors (404, 5XX)
- Close on the brand message – you can use the following sample text to speak to this closing brand slide. (Akamai is making your media more mobile, enabling “Any experience, any device, anywhere.” Our goal is to ultimately help you accelerate your business. [Corey]) (Today's best online experiences have been Akamaized . We’re here to help you reach mobile workforces, and 24/7 consumers with any experience on any device, anywhere. And to ultimately help you accelerate your business. [Ravi]) (Akamai’s Application & Cloud Performance Solutions enable you to control your applications, control your costs, and control your cloud, offering you the agility that you need to accelerate your business. [Willie]) (Akamai offers you solutions to revolutionize your media strategy and engage users with any experience, on any device, anywhere, to grow your audience and grow your business. [Bill]) (Mobilize, optimize, and monetize your business, providing a high performance experience to your 24/7 consumers so that you can accelerate your online retail strategies. [Pedro]) (Block threats, not performance, in this ever-evolving hyperconnected world. Securely reach your users on any device, anywhere so you can accelerate your business. [John]) (Akamai helps you connect to users on any device, anywhere, removing the complexities of privacy, security, and rights management, while also allowing businesses to spend advertising dollars more effectively. [Khan])