imperva securesphere web application firewall · © 2013 imperva, inc. all rights reserved. phase...
Post on 21-Apr-2018
© 2013 Imperva, Inc. All rights reserved.
Imperva SecureSphere
Web Application Firewall
Alessadro Colombelli System Engineering Exclusive-Networks
© Copyright 2012 Imperva, Inc. All rights reserved. Imperva, the Imperva logo and
SecureSphere are trademarks of Imperva, Inc. All other brand or product names are
trademarks or registered trademarks of their respective holders.
Confidential
Imperva’s Mission is to Provide a Complete Solution
Next Generation Threats - New Approach
Internal: Employees, Malicious Insiders, Compromised Insiders
Data Center: Systems and Admins
Usage Audit
User Rights Management
Access Control
Tech. Attack Protection
Logic Attack Protection
Fraud Prevention
External: Customers, Staff, Partners, Hackers
Web Application Security Use Cases
Application Virtual Patching
DDoS Protection
Site Scraping Prevention
Fraud Prevention
Legacy Application Security
Hosted Application Protection
Web Application Protection
IT Operations
Security and Compliance
Line of Business
Web Application Protection Use Case
Anonymous Attack on Customer Site
PHASE I: Scanners such as Nikto
PHASE II: Havij SQL injection tool
PHASE III: LOIC application
Technical Attack, Technical Attack, Business Logic Attack
SecureSphere stopped all phases of attack
The Defenses Required to Protect Web Apps
Dynamic Profiling
Attack Signatures
HTTP Protocol Validation
Cookie Protection
Web Fraud Detection
Fraud Prevention
Technical Attack Protection
IP Geolocation
IP Reputation
Anti-Scraping Policies
Bot Mitigation Policies
Business Logic Attack Protection
Correlated Attack Validation
Phase I: Attack Signatures Detect Recon and Attacks
Diagram: INTERNET; SecureSphere; Web Servers; Internal Users; Imperva Application Defense Center
The Imperva ADC investigates new threats reported around the world
SecureSphere appliances updated with latest defenses
Signatures detect scanner agent & attacks
Phase II: SecureSphere Stops SQL Injection, XSS
Diagram: Hacker; SecureSphere WAF; Web Server
/login.php?ID=5 or 1=1
SQL Injection
Signature, Protocol Violations
Blocks definitive matches, sends suspicious requests to SQL Injection Engine
SQL Injection Engine with Profile Analysis
SQL Injection Engine blocks custom attacks
Advanced analysis drastically reduces false positives and negatives
Phase III: How SecureSphere Stops Application DDoS
Low-Orbit Ion Cannon (LOIC) DDoS Tool
• Creates 200 requests per second per browser window
Custom DDoS policy detects excessive requests in a period, malformed URL, unknown HTTP method
Web Application Protection Use Case
The Impact of Not Having a Web Application Firewall
In 2011, an enterprise:
• Suffered SQL injection by LulzSec
• Had traditional network security, but NO WAF
Example of SQL injection
Impact:
• 101M records breached
• Fines, lawsuits
• Cost: $200M - $1 Billion
IPS & NG Firewall Web Security Features
Dynamic Profiling
Attack Signatures
HTTP Protocol Validation
Cookie Protection
Web Fraud Detection
Fraud Prevention
Technical Attack Protection
Correlated Attack Validation
IP Geolocation
IP Reputation
Anti-Scraping Policies
Bot Mitigation Policies
Business Logic Attack Protection
High rate of false positives and negatives because of lack of app awareness
Easy for hackers to evade via encoding, custom app vulnerabilities
SecureSphere Learns Protected Application
By analyzing traffic, SecureSphere automatically learns…
• Directories
• URLs
• Parameters
• Expected user input
So it can alert on or block abnormal requests
Dynamic Profiling Over Time
Understands the application and usage
Adapts to ongoing application changes
[Chart: Profile Changes by Date, 1-Jun to 26-Jun]
Cuts deployment time from months to days
Eliminates ongoing administration burden
• 5-15 changes per week equals 5-30 man hours of configuration
How ThreatRadar Reputation Works
1. Collects attack data from WAF community & 3rd party providers
2. Distributes feeds to SecureSphere WAF
3. Blocks malicious sources and emerging threats
Diagram: ThreatRadar Servers; Phishing Sites; Malicious IPs, TOR IPs, & Anonymous Proxy; Web Servers; Community Defense
Restrict Access By Country
IP geolocation enables monitoring and blocking by country
• Can be combined with bot rules for granular control
• Reduces unwanted traffic to Website
Geolocation helps with export compliance (EAR, OFAC)
• Banks may be fined for wire transfers to sanctioned countries
Screenshots: Geolocation rules; Geolocation data in security alerts
Site Scraping Use Case
Financial company’s challenges:
• Site scrapers copy and republish the stock picks
• Spammers inject ads into forums
• Existing IPS “just created noise”
SecureSphere WAF:
• Blocks scraping and comment spam
• Accurately stops Web attacks
Diagram: Comment spam in forums; Site scrapers stealing data; SecureSphere WAF
Defenses to Stop Site Scraping
Bot mitigation technology detects scraping bots
Anti-scraping policy detects excessive unique page requests
Custom rules combine multiple defenses
Diagram: Human; Bot; SecureSphere WAF
Virtual Patching Use Case
Challenges for payment processor:
• Costly, time-consuming vulnerability fix cycles
• Target of Web attacks
SecureSphere:
• Reduces window of exposure, cost of manual app fixes
• Offers visibility for developers
Diagram: Company scans site with app scanner; Vulnerabilities imported into WAF
Virtual Patching Through Scanner Integration
SecureSphere can import scan results and instantly create mitigation policies
Eliminated payment processors’ emergency fix and test cycles
Diagram: Customer Site; Scanner finds vulnerabilities; SecureSphere imports scan results; Web applications are protected
Quickly & Cost Effectively Secure Applications
116 Days: average time to fix all vulnerabilities [1]
SecureSphere’s default security policies and virtual patching reduce the window from 116 days to 0-5 days
SecureSphere can mitigate vulnerabilities not found by scanners
Vulnerability found → Code fix developed and tested → System protected
Vulnerability found → Virtual Patch → System protected
[1] WhiteHat Website Security Statistics Report, Winter 2011
Improve Application Development Processes
Software Development Lifecycle: DESIGN & CODE, TEST, DEPLOY
Architect and implement code
Test for vulnerabilities
Fix errors and vulnerabilities
Virtually patch vulnerabilities
Block attacks
Monitor and report exploits
Detect leaks, errors
Legend: Imperva SecureSphere; Manual processes or third party tools
Fraud Prevention Use Case
A bank needed to:
• Stop Man-in-the-Browser attacks & high risk transactions
• Address FFIEC compliance
SecureSphere ThreatRadar Fraud Prevention:
• Detected malware and suspicious devices
• Required no changes to apps for initial rollout or policy changes
Diagram: Client Devices; SecureSphere Tracks Fraud Details
ThreatRadar Fraud Prevention
SecureSphere integrates with Trusteer, ThreatMetrix, and iovation to detect fraud malware and fraudulent devices
1. User accesses Website
2. SecureSphere redirects browser to ThreatRadar Cloud
3. Browser downloads code, checks device
4. Result sent to WAF
Pass / Block
Diagram: ThreatRadar Fraud Prevention Cloud
DDoS Protection Use Case
RV manufacturer:
• Received DDoS that took down Website for 3 days
Imperva Incapsula:
• Stopped SYN Flood in less than 2 hours from phone call
• Stopped follow-on attack
Diagram: DDoS attack traffic is blocked; 2 Gbps; 20 Mbps; Websites
Imperva Incapsula DDoS Protection
Stops all DDoS threats
• Application & network attacks
• Proprietary technology differentiates humans from bots
Analyzes HTTP redirect, cookie, and JavaScript execution capabilities
Scales beyond your Internet connection limit
• Stops multi-gigabit DDoS attacks
Diagram: Incapsula Dashboard; Attacker; Malicious Bot; Search Engine
Hosted Application Protection Use Case
Retailer:
• Had upcoming PCI audit
• Needed to protect Website and meet PCI 6.6
• Hosted apps in the cloud
Imperva Incapsula:
• Helped retailer meet PCI
• Fast, easy deployment
Diagram: Company’s Website; Bots; Hackers; Legitimate Users; Scrapers; Comment Spammers; Imperva Incapsula Dashboard
Deployment and Management
Inline, Non-inline, and Virtual Options
Diagram: Users; Web Application Firewall (three instances); Web Servers (three groups); Management Server (MX)
Broadest Deployment Options in Industry
Transparent inline bridge
• Supports full enforcement
• High performance, low latency
• Fail-open interfaces
Transparent and reverse proxy
• High performance for content modification
• URL rewriting, cookie signing, SSL termination
Non-inline deployment
• Primarily for monitoring, zero network latency
Diagram: Inline Bridge Deployment; Reverse Proxy Deployment; Non-Inline Deployment; INTERNET; Switch; SecureSphere; Data Center
Scalable Centralized Management
MX Management Server
• Centralized management for Web, database and file products
• Integrated alerting and reporting
Granular role-based access
• LDAP, Certificate Auth
SecureSphere Operations Manager
• Manager of Managers
• System-wide health monitoring
Diagram: SecureSphere Operations Manager; MX Server; MX Server
Real-time Dashboard
The configurable live dashboard shows…
• System utilization
• The latest security alerts
• And system events
Graphical Security Reports
Pre-defined reports
Custom reports
Reports created on demand or emailed daily, weekly, or monthly
PDF and CSV (Excel) format
Integration with 3rd party reporting and SIEM tools
Imperva Web Application Security Products
SecureSphere Web Application Firewall: Accurate, automated protection against online threats
ThreatRadar
Reputation Services: Near real-time user reputation data stops bots and automated attacks
Fraud Prevention: Block Man-in-the-Browser attacks and fraudulent devices
Incapsula
• Simple, affordable cloud-based Web application firewall service
• Ironclad DDoS protection
• Website performance acceleration
Imperva SecureSphere Advantages
Accuracy: With multiple layers of defense and correlation
Application Security Knowledge: With security research from the Imperva ADC
Centralized Management: Unified configuration, monitoring, and reporting
Transparent Deployment: Drop-in deployment with bridge, proxy & non-inline
End-to-End Protection: For Web applications, databases and files
Complete Protection Against Web Threats
Known Attackers
Bots
Web Attacks
Undesirable Countries
Web Fraud
App DDoS
Scrapers
Phishing Sites
Comment Spammers
Vulnerabilities
Web Apps
SecureSphere
Q & A
Thank You