
Upload: lyphuc

Post on 04-Jun-2018


Page 1: FortiWeb for ISP - passport.exclusive-networks.itpassport.exclusive-networks.it/.../Presentazione_webinar-120315.pdf · FortiWeb Benefits ! Protect custom and commercial applications

© Copyright Fortinet Inc. All rights reserved.

FortiWeb for ISP Web Application Firewall

Page 2:

Agenda

• Introduction to FortiWeb
• Highlights: Main Features
• Additional FortiWeb Services for the ISP
• FortiWeb Family

Page 3:

Introduction to FortiWeb

Page 4:

Scope/Definition of WAFs

• Protects web-based applications from code-based attacks
  » SQL injection and other injection types
  » Cross-site scripting (XSS) and cross-site request forgery (CSRF)
  » Layer 7 DoS/DDoS attacks
  » Cookie/schema poisoning
• Protects against application vulnerabilities in custom code and commercial platforms
• Understands/learns "normal" behaviour and stops anomalies
  » URL parameters, HTTP methods, session IDs, cookies, schema, etc.

Can't a firewall or IPS do this?
• Firewalls look for network-based attacks
• IPS signatures detect only known problems
  » No inspection of SSL/TLS traffic unless it is decrypted first
  » No application or user awareness

[Diagram: INTERNET → SQL injection, XSS… → FortiWeb WAF → Web Application Servers]

Page 5:

WAF Drivers/Challenges

• Protect current and existing applications from code-based vulnerabilities
• Meet PCI DSS requirements 6.5 and 6.6 for payment card data (and the equivalent controls for healthcare data)
• Address the OWASP Top 10 application vulnerabilities
• Identify and address web application vulnerabilities
• Website publishing (SSO/pre-authentication) for Microsoft and other applications
• Protect against website defacement

Who needs it?
• Any organization that processes credit cards and/or has PCI requirements
• Large internal or external applications
• Sensitive/proprietary information
• Mission-critical business applications

Who needs it most?
• MSPs/hosting companies
• E-commerce/online services
• Retail, food service, hospitality
• Financial services
• Healthcare

Page 6:

FortiWeb – Web Application Firewalls: Complete WAF Solution

• 4 models from 100 Mbps to 4 Gbps HTTP throughput
• Up to 6x GE ports, and models with 2x 10GE SFP+ ports
• Included vulnerability scanning and antivirus
• Hardware and VM options (VMware, Hyper-V)
• Automatic behavior-based scanning
• Auto setup/learning mode
• Layer 7 DDoS protection
• FortiGuard antivirus/IP reputation
• Transparent, reverse-proxy and non-inline deployment options
• Central management/ADOMs
• Advanced real-time reporting
• SSL offloading/compression
• SSO/authentication
• Layer 7 load balancing
• NSS recommended

Page 7:

FortiWeb Benefits

• Protect custom and commercial applications with automatic usage profiling
• Meet PCI DSS requirements 6.5 and 6.6 with behavior-based attack detection and mitigation
• Protection against the OWASP Top 10 application vulnerabilities
• Identify web application security weaknesses with vulnerability scanning
• Website publishing with Single Sign-On/authentication
• Restore website pages after an attack with anti-defacement protection
• Block botnets and attacks from known rogue and malicious sources with FortiGuard IP Reputation

Page 8:

Deployment Options

• Layer 2: transparent inspection and true transparent proxy
  » Easy deployment: no need to re-architect the network, fully transparent to clients and servers
  » Fail-open (bypass) interfaces: if the appliance loses power or stops inspecting, the bypass pair is bridged and traffic keeps flowing, so availability is preserved at the cost of protection until the unit is back in service
• Reverse proxy
  » Supports content modification for both requests and replies from the server
  » Advanced URL rewriting capabilities
  » HTTPS offloading
  » Enhanced load-balancing schemes
• Non-inline deployment (SPAN/mirror port)
  » Zero added network latency
  » Blocking by sending TCP resets; because the appliance only sees a copy of the traffic, the reset arrives after the request has already reached the server, so this mode detects reliably but blocks on a best-effort basis
  » Ideal for initial product evaluations and non-intrusive network deployment

[Diagram: Internet → FortiWeb (inline) → Web Application Servers; a second FortiWeb attached off-path on a SPAN port]

Page 9:

Highlights: Main Features

Page 10:

FortiWeb Application Delivery

Three pillars:
• Secures web applications: the Web Application Firewall (WAF) secures web applications to help customers meet compliance requirements
• Scans and detects web vulnerabilities: the Web Vulnerability Scanner scans, analyzes and detects web application vulnerabilities
• Optimizes application delivery: Application Delivery assures availability and accelerates performance of critical web applications

Page 11:

FortiWeb Application Delivery

Page 12:

SSL Offloading & Acceleration

SSL offloading
• Integrated ASIC-based hardware (FortiASIC CP8 SSL acceleration chip)
• Hardware-based key exchange and bulk encryption
• Purpose-built SSL processing

CA management
• Full certificate management
• Advanced certificate verification and revocation capabilities

TCP connection multiplexing

✓ Offload CPU-intensive SSL computing from the server to FortiWeb

Note that offloading places the servers' private keys on the appliance and, unless the FortiWeb-to-server leg is re-encrypted, that leg is cleartext; keep it on a trusted network segment.

Page 13:

Server Load Balancing

Layer 7 load balancing
• Methods: weighted round robin, round robin, least connection, HTTP session round robin
• Connection persistence with timeout value
• Probes and health checks: TCP, HTTP/HTTPS, PING
• Content-based health checks

✓ Intelligent, application-aware layer 7 load balancing

Page 14:

URL Routing/Rewriting

Advanced routing and rewriting capabilities
• Route traffic based on: IP, Host, URL
• Rewriting and redirection: Host, URL, Referer header

Rewrite reply content
• Rewrite absolute links
• Any required content
• Multiple content types supported
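The reply-rewriting case above, when the WAF offloads HTTPS and fronts the application under a public name while the backend still writes its own internal origin into redirects and absolute links, as an added example that is not FortiWeb code and not part of the original deck. The internal and public origins, the diagnostic `X-Links-Rewritten` header and the sample replies are assumed or constructed for the example:

```python
# Added example (not FortiWeb code): rewriting absolute links and redirects in a backend
# reply when the WAF fronts the application under a different origin.
# INTERNAL_ORIGIN / PUBLIC_ORIGIN are assumed values; sample replies are constructed.
import re

INTERNAL_ORIGIN = "http://app.internal:8080"   # assumed: what the backend writes into links
PUBLIC_ORIGIN = "https://www.example.com"        # assumed: what clients must see

# Only text-like bodies are rewritten; binaries and anything still compressed pass through.
REWRITABLE_TYPES = ("text/html", "text/css", "application/javascript", "application/json")


def rewrite_reply(status, headers, body, internal=INTERNAL_ORIGIN, public=PUBLIC_ORIGIN):
    """Return (status, headers, body) with the internal origin replaced by the public one.

    headers: dict with canonical header names; body: bytes.
    """
    hdrs = dict(headers)
    # 1. Redirects: a leaked internal hostname in Location sends the browser straight past
    #    the WAF to a host that is unreachable, or reachable and unprotected.
    if "Location" in hdrs and hdrs["Location"].startswith(internal):
        hdrs["Location"] = public + hdrs["Location"][len(internal):]

    ctype = hdrs.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype not in REWRITABLE_TYPES or "Content-Encoding" in hdrs:
        return status, hdrs, body   # not text, or compressed: a real proxy would inflate first

    charset = "utf-8"
    m = re.search(r"charset=([\w-]+)", hdrs.get("Content-Type", ""), re.I)
    if m:
        charset = m.group(1)
    text = body.decode(charset, errors="replace")
    # 2. Body: match the origin only at a link boundary (quote, whitespace, "(", "<", end),
    #    so that a longer hostname that merely starts with the same text is left alone.
    pattern = re.compile(r"(?<![\w.-])" + re.escape(internal) + r"""(?=[/"'\s)<]|$)""")
    new_text, count = pattern.subn(public, text)
    new_body = new_text.encode(charset)
    if "Content-Length" in hdrs:
        hdrs["Content-Length"] = str(len(new_body))   # a stale length truncates or hangs the page
    hdrs["X-Links-Rewritten"] = str(count)            # assumed diagnostic header, not a FortiWeb feature
    return status, hdrs, new_body
```

The two checks a practitioner wants are both here: the Content-Length is recomputed after the body changes, and a body with a Content-Encoding is left untouched because rewriting compressed bytes would corrupt it.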

Page 15:

FortiWeb main features

Page 16:

Vulnerability Assessment

Easily scan your web applications
• Common vulnerabilities
• SQL injection
• Cross-site scripting
• Source code disclosure
• OS commanding

Enhanced/Basic mode
• Crawling information
• URLs accepting input
• External links

Authentication options

Scheduled and on-demand scanning from FortiWeb

Page 17:

Vulnerability Assessment

Vulnerability reports
• Scan summary
• Vulnerabilities by severity
• Vulnerabilities by category
• Application vulnerabilities
• Common vulnerabilities

Server information
• Crawling information
• URLs accepting input
• External links

Provides recommendations and graphs

Updates via FortiGuard

Page 18:

FortiWeb main features

Page 19:

FortiWeb Protection at all Layers

[Diagram: concentric protection layers around the application, with correlation across the layers]

Protection layer        | Attacks/threats addressed
IP reputation           | Botnets, malicious hosts, anonymous proxies, DDoS sources
DDoS protection         | Application-level DDoS attacks
Protocol validation     | Improper HTTP (RFC non-compliance)
Attack signatures       | Known application attack types
Antivirus/DLP           | Viruses, malware, loss of data
Behavioral validation   | Unknown application attacks
Application             | The protected target (innermost layer)

Page 20:

FortiGuard IP Reputation

FortiGuard IP Reputation Service: protect against automated attacks and malicious sources

Threats
• DDoS
• Phishing
• Botnets
• Anonymous proxy access
• Infected sources
• Spam hosts

IP Reputation Service
• Daily feed updates
• Automated downloads
• Immediate protection
• Visibility and reporting

FortiGuard techniques
• FortiGuard historical analysis
• Honeypots
• Botnet analysis
• Anonymous proxies
• Third-party sources

Page 21:

Bot Identification and Protection

Enhanced bot identification
• Known search engines
• Bad robots (scanners, crawlers, spiders)

Protection accuracy
• Bypass threshold-based policies (DoS, brute force) for known search engines. A practitioner's check: a User-Agent string is trivially forged, so an exemption of this kind is only safe when the source is verified (for example a reverse DNS lookup of the source IP confirmed by a forward lookup); otherwise an attacker simply claims to be a crawler to escape the thresholds.

Bot analysis
• Bot dashboard provides an overview of all traffic with a breakdown for bad robots and known search engines

✓ Analyze traffic from malicious robots, scanners, crawlers and known search engines

Page 22:

Protection Policies

Application layer
• HTTP request limit per source
• TCP connections using the same cookie
• HTTP requests using the same cookie
• Challenge response: validate whether the user is real or automated

Network layer
• TCP connection limit per source
• SYN cookies: SYN flood protection

✓ Analyze requests originating from different users based on different characteristics such as IP and cookie
✓ Sophisticated mechanism distinguishes real users from automated attacks
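The application-layer policies on this slide (request limit per source, request limit per cookie, challenge response) together with the verified search-engine exemption from the previous slide, as an added example that is not FortiWeb code and not part of the original deck. The thresholds, the window, the cookie name, the HMAC secret, the crawler domain allow-list and the DNS records are assumed or constructed; a stub lookup table stands in for the reverse and forward DNS queries a real implementation would make. SYN cookies are a kernel/TCP-stack feature and are not modelled here.

```python
# Added example (not FortiWeb code): per-source and per-cookie request limits with a
# challenge-response gate, plus forward-confirmed reverse DNS for the crawler exemption.
# All thresholds, names, secrets and DNS records below are assumed/constructed.
import hashlib
import hmac
from collections import defaultdict, deque

WINDOW_SECONDS = 10.0
LIMIT_PER_SOURCE = 5      # requests per source IP per window before a challenge is demanded
LIMIT_PER_COOKIE = 5      # requests per validated session cookie per window before blocking
CHALLENGE_TTL = 3600      # seconds a solved challenge stays valid
COOKIE = "fwb_chal"       # assumed cookie name
SECRET = b"constructed-secret-rotate-me"

# Constructed DNS records standing in for socket.gethostbyaddr()/getaddrinfo().
# 198.51.100.7 is a genuine crawler: its PTR names a host whose A record points back to it.
# 203.0.113.9 is an impostor: its PTR claims the same host, but the forward lookup disagrees.
PTR = {"198.51.100.7": "crawl-7.googlebot.com", "203.0.113.9": "crawl-7.googlebot.com"}
FORWARD = {"crawl-7.googlebot.com": {"198.51.100.7"}}
SEARCH_ENGINE_DOMAINS = ("googlebot.com", "search.msn.com")   # assumed allow-list


def verified_search_engine(ip, ptr=PTR, forward=FORWARD):
    """Forward-confirmed reverse DNS: the only trustworthy basis for a crawler exemption."""
    host = ptr.get(ip)
    if not host:
        return False
    if not any(host == d or host.endswith("." + d) for d in SEARCH_ENGINE_DOMAINS):
        return False
    return ip in forward.get(host, set())


class SlidingWindow:
    """Counts events per key inside a trailing time window."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)

    def hit(self, key, now):
        """Record one event; return True when the key is now over its limit."""
        q = self.events[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        q.append(now)
        return len(q) > self.limit


def _mac(ip, issued):
    return hmac.new(SECRET, f"{ip}|{issued}".encode(), hashlib.sha256).hexdigest()[:32]


def issue_challenge(ip, now):
    """Token set with the challenge page; a client that stores and returns it has passed."""
    issued = int(now)
    return f"{ip}|{issued}|{_mac(ip, issued)}"


def valid_challenge(token, ip, now):
    parts = token.split("|")
    if len(parts) != 3 or parts[0] != ip or not parts[1].isdigit():
        return False
    issued = int(parts[1])
    if not 0 <= now - issued < CHALLENGE_TTL:
        return False
    return hmac.compare_digest(parts[2], _mac(ip, issued))


class DosPolicy:
    def __init__(self):
        self.per_source = SlidingWindow(LIMIT_PER_SOURCE, WINDOW_SECONDS)
        self.per_cookie = SlidingWindow(LIMIT_PER_COOKIE, WINDOW_SECONDS)

    def handle(self, now, ip, cookies):
        """Return (decision, challenge_token_or_None) for one request."""
        if verified_search_engine(ip):
            return "bypass", None                 # threshold policies skipped for verified crawlers
        token = cookies.get(COOKIE)
        has_session = token is not None and valid_challenge(token, ip, now)
        if has_session and self.per_cookie.hit(token, now):
            return "block", None                  # one proven client hammering the site
        if self.per_source.hit(ip, now) and not has_session:
            return "challenge", issue_challenge(ip, now)   # busy source with no proof it is a browser
        return "allow", None
```

The token is bound to the source address, so a cookie captured from one client is useless from another; the price is that clients behind a NAT share one per-source counter and get challenged sooner. A production challenge also requires the client to execute JavaScript before the cookie is set, which this example omits.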

Page 23:

Intrusion Prevention

FortiGuard Labs
• Weekly updates
• Automatic download

Wide coverage
• Various categories
• Thousands of signatures
• Action rules per category
• Information about each signature
• Sample match
• Location where inspected

Exceptions/whitelist
• Create exceptions down to the individual signature
• Use regex to cover more URLs

✓ Flexible and granular signature interface
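The properties this slide lists (signature categories, an action rule per category, a record of where each signature is inspected, and exceptions scoped by URL regex), as an added example that is not FortiGuard's signature set or FortiWeb's engine and not part of the original deck. The four signatures, the category actions, the two exceptions and the request format are all constructed for the example and are far narrower than a real signature database:

```python
# Added example (not FortiGuard/FortiWeb code): a toy signature engine with per-category
# actions, per-signature inspection locations, and URL-regex scoped exceptions.
# Signatures, categories, actions and sample requests are constructed.
import re
from dataclasses import dataclass
from urllib.parse import unquote, unquote_plus


@dataclass(frozen=True)
class Signature:
    sig_id: str
    category: str
    pattern: "re.Pattern"
    locations: tuple       # where this signature is inspected


SIGNATURES = [
    Signature("SQLI-001", "sql_injection",
              re.compile(r"(?i)\bunion\b.+\bselect\b|'\s*or\s+\d+\s*=\s*\d+"), ("url", "args", "body")),
    Signature("XSS-001", "xss",
              re.compile(r"(?i)<script\b|javascript:|\bon(load|error|click|mouseover)\s*="), ("args", "body")),
    Signature("TRAV-001", "traversal", re.compile(r"\.\./"), ("url", "args")),
    Signature("CMD-001", "os_command",
              re.compile(r"(?i)[;|`]\s*(cat|ls|id|wget|curl)\b"), ("args", "body")),
]

# Action rules per category.
CATEGORY_ACTIONS = {"sql_injection": "block", "xss": "block", "traversal": "block", "os_command": "alert"}

# Exceptions: (signature id or category, URL regex). The CMS editor legitimately posts HTML
# and an admin shell endpoint legitimately carries shell syntax; nothing else is exempt.
EXCEPTIONS = [
    ("XSS-001", re.compile(r"^/cms/editor/")),
    ("os_command", re.compile(r"^/admin/shell$")),
]


def _fields(req):
    """Yield (location, text) pairs, decoded once so URL-encoded payloads are inspected in clear."""
    yield "url", unquote(req["path"])
    for k, v in req.get("args", {}).items():
        yield "args", f"{k}={unquote_plus(v)}"
    for k, v in req.get("headers", {}).items():
        yield "headers", f"{k}: {v}"
    if req.get("body"):
        yield "body", req["body"]


def excepted(sig, path):
    """True if an exception for this signature (by id or by category) covers the request URL."""
    return any(key in (sig.sig_id, sig.category) and rx.search(path) for key, rx in EXCEPTIONS)


def matches(req):
    """Return [(signature id, location matched, action), ...] for one request."""
    hits = []
    for sig in SIGNATURES:
        if excepted(sig, req["path"]):
            continue
        for loc, text in _fields(req):
            if loc in sig.locations and sig.pattern.search(text):
                hits.append((sig.sig_id, loc, CATEGORY_ACTIONS.get(sig.category, "alert")))
                break                      # one hit per signature is enough
    return hits


def decide(req):
    """'block' if any matched category blocks, 'alert' if matches only alert, else 'allow'."""
    actions = {action for _, _, action in matches(req)}
    if "block" in actions:
        return "block"
    return "alert" if actions else "allow"
```

Two things the example makes visible that the slide only names: an exception is scoped to a URL, so the CMS editor's HTML passes while the same body on a comment form is blocked; and decoding before matching matters, since `..%2F..%2F` only matches the traversal signature after it is unquoted.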

Page 24:

FortiWeb Auto Learn

[Figure: checklist of learned parameter attributes]

Understand application structure
• Models elements from actual traffic
• Builds a baseline based on URLs, parameters and HTTP methods

Automatically understands real behavior
• Can form fields/parameters be modified by users?
• What are the length and type of each form field?
• What characters are acceptable (min, max, average)?
• Is a form field required or optional?

Provides recommendations and graphs

Page 25:

FortiWeb Auto Learn

• Learns the protected application's structure
  » URLs
  » Parameters
  » Expected behavior
• Analyzes:
  » Visits
  » Attacks
• Provides automatic rules
• Exportable to PDF
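The positive-security idea behind the two Auto Learn slides, learning per-URL methods and per-parameter length, character classes and required/optional status from observed traffic and then flagging requests that deviate, as an added example that is not FortiWeb's Auto Learn implementation and not part of the original deck. The training traffic and the request-line format (`METHOD path?query [body]`) are constructed for the example:

```python
# Added example (not FortiWeb code): a minimal auto-learned baseline and anomaly check.
# TRAINING is constructed "clean" traffic; the request-line format is an assumption.
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# If attacks are present in the learning traffic they become part of the baseline, which is
# why a learner must exclude detected attacks (the slide lists attacks as analysed separately).
TRAINING = [
    "GET /search?q=shoes&page=1",
    "GET /search?q=red+boots&page=2",
    "GET /search?q=sandals",
    "GET /search?q=winter+coat&page=10",
    "POST /login user=alice&pass=S3cret!",
    "POST /login user=bob&pass=hunter2",
    "POST /login user=carol&pass=Tr0ub4dor",
]


def parse(line):
    """Split 'METHOD path?query [body]' into (method, path, {param: value})."""
    parts = line.split(" ", 2)
    method, target = parts[0], parts[1]
    body = parts[2] if len(parts) > 2 else ""
    url = urlsplit(target)
    params = dict(parse_qsl(url.query, keep_blank_values=True) + parse_qsl(body, keep_blank_values=True))
    return method, url.path, params


def char_classes(value):
    """Character classes a value uses; the learned union is what the parameter may contain."""
    classes = set()
    for ch in value:
        if ch.isdigit():
            classes.add("digit")
        elif ch.isalpha():
            classes.add("alpha")
        elif ch.isspace():
            classes.add("space")
        else:
            classes.add("punct")
    return classes


def learn(lines):
    """Build the baseline: per URL, the methods seen, the hit count and a profile per parameter."""
    profile = defaultdict(lambda: {"hits": 0, "methods": set(), "params": {}})
    for line in lines:
        method, path, params = parse(line)
        entry = profile[path]
        entry["hits"] += 1
        entry["methods"].add(method)
        for name, value in params.items():
            p = entry["params"].setdefault(
                name, {"seen": 0, "min_len": len(value), "max_len": len(value), "classes": set()})
            p["seen"] += 1
            p["min_len"] = min(p["min_len"], len(value))
            p["max_len"] = max(p["max_len"], len(value))
            p["classes"] |= char_classes(value)
    return dict(profile)


def check(profile, line):
    """Return the list of deviations from the baseline (empty means the request looks normal)."""
    method, path, params = parse(line)
    entry = profile.get(path)
    if entry is None:
        return [f"unknown URL {path}"]
    violations = []
    if method not in entry["methods"]:
        violations.append(f"method {method} not learned for {path}")
    for name, p in entry["params"].items():
        if p["seen"] == entry["hits"] and name not in params:   # present on every visit: required
            violations.append(f"required parameter {name} missing")
    for name, value in params.items():
        p = entry["params"].get(name)
        if p is None:
            violations.append(f"unknown parameter {name}")
            continue
        if not p["min_len"] <= len(value) <= p["max_len"]:
            violations.append(f"{name}: length {len(value)} outside learned {p['min_len']}-{p['max_len']}")
        extra = char_classes(value) - p["classes"]
        if extra:
            violations.append(f"{name}: unexpected character class {sorted(extra)}")
    return violations
```

With this baseline a search for `' OR 1=1--` is flagged not because it matches a signature but because the `q` parameter was never seen carrying digits or punctuation; that is what lets a learned model catch attacks no signature describes. The length bounds here are the exact observed min and max, which is deliberately strict; a production learner applies a tolerance around the observed distribution (the slide's min/max/average).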

Page 26:

FortiGuard Services

• FortiGuard Labs
  » Award-winning threat research services
  » Dynamic/automated updates for FortiWeb
  » Automatic downloads
  » Always up to date
• Subscription based
  » Available per device
  » Select the services that are needed
  » Annual renewals

Security Service
• Application-layer signatures
• Malicious bots
• Suspicious URL patterns
• Web vulnerability scanner updates

IP Reputation
• Protection against automated attacks and malicious sources
• DDoS, phishing, botnet, spam, anonymous proxies and infected sources

Antivirus
• Scan file uploads
• Regular and extended AV databases

Page 27:

Additional FortiWeb Services for the ISP

Page 28:

On-Premise Web Application

• FortiWeb is configured in reverse proxy mode
• A cloud WAF solution allows customers to have an external device scan their traffic without deploying any software or hardware in their environment
• The end customer changes their application's DNS entry to point at the cloud WAF, which scans the traffic and forwards it to the application
• Because only DNS changes, the origin server stays directly reachable by anyone who learns its address; the origin should therefore accept traffic only from the cloud WAF (a source-address restriction and/or a shared secret the WAF adds to forwarded requests), or the WAF can simply be bypassed
• The solution provides each customer:
  » Application security
  » Performance acceleration (caching, compression, etc.)
  » UI access dashboard: traffic graphs, alerts, minimal configuration

[Diagram: Customer A and Customer B → Cloud WAF → each customer's application]
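What the origin behind a DNS-fronted cloud WAF should check before trusting a request, as an added example that is not FortiWeb code and not part of the original deck: reject anything that did not arrive from the WAF's published egress ranges, reject anything without the shared-secret header the WAF is assumed to add, and recover the real client address from `X-Forwarded-For` without trusting the part of the header the client controls. The egress ranges, the `X-Origin-Token` header, its value and the sample requests are all assumed or constructed:

```python
# Added example (not FortiWeb code): origin-side admission checks behind a cloud WAF.
# WAF_EGRESS, TOKEN_HEADER, ORIGIN_TOKEN and the sample addresses are assumed/constructed.
import hmac
import ipaddress

# Assumed: the egress ranges the cloud WAF forwards from, as published by the provider.
WAF_EGRESS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8:100::/48")]
# Assumed: a secret the WAF injects into every forwarded request, so that a spoofed
# source address alone is not enough to reach the origin.
TOKEN_HEADER = "X-Origin-Token"
ORIGIN_TOKEN = "constructed-shared-secret-rotate-me"


def from_waf(addr):
    """True if addr falls inside one of the WAF's published egress ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in WAF_EGRESS)


def client_ip(remote_addr, xff):
    """Recover the real client from X-Forwarded-For.

    Walk the chain right to left (nearest hop first) and drop every hop that is a trusted
    WAF address; the first address that is not ours is the client. Reading the leftmost
    entry instead would let the client choose its own "source" address.
    """
    hops = [h.strip() for h in xff.split(",") if h.strip()] if xff else []
    hops.append(remote_addr)          # the TCP peer is the last, and only guaranteed, hop
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return None               # garbage in the header: refuse to guess
        if not from_waf(hop):
            return hop
    return None                       # every hop was the WAF itself (e.g. a health check)


def accept(remote_addr, headers):
    """Admission decision for the origin: (accepted, client_ip_or_reason)."""
    if not from_waf(remote_addr):
        return False, "direct-to-origin"      # bypass attempt: DNS moved, the origin address did not
    token = headers.get(TOKEN_HEADER, "")
    if not hmac.compare_digest(token.encode(), ORIGIN_TOKEN.encode()):
        return False, "bad-token"             # from the WAF's range, but not from the WAF
    return True, client_ip(remote_addr, headers.get("X-Forwarded-For", ""))
```

The address check belongs in the network layer too (a firewall rule admitting only the WAF ranges), and everything that rate-limits, logs or bans by client address at the origin should use the address `client_ip` returns rather than the leftmost `X-Forwarded-For` entry.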

Page 29:

Hosted Web Application

• FortiWeb is configured in true transparent proxy mode
• This solution gives the ISP additional revenue by offering WAF services for its hosted applications
• All applications are hosted on the ISP infrastructure
• Managed by the ISP; no UI access for end customers
• The solution provides each customer:
  » Application security
  » Performance acceleration (possibly)
  » Reports via email

[Diagram: customer applications 1-N behind FortiWeb at the MSSP site]

Page 30:

Multi-tenancy

Administrative Domains (ADOMs)
• Control privileges and permissions across the organization
• True role-based access control (RBAC)
• Global and per-ADOM settings
• Per-ADOM logging and reporting

MSSP features
• Protect multiple customers with one FortiWeb appliance
• Allow customers to securely access their own logs and reports
• Per-user read/write permissions

✓ Provides multiple logical entities in a single physical unit
✓ Out-of-the-box multi-tenant solution

[Diagram: customers 1, 2, 3, 4 … N on one appliance]

Page 31:

High Availability

Active/passive failover
• Full configuration synchronization
• Seamless failover
• No downtime

Configuration sync
• Sync FortiWeb devices across networks
• Allows managing policies across multiple devices from a central location
• Seamless integration into existing HA/LB environments
• Support for DR environments

✓ Use active/passive failover, or simply sync policies across multiple data centres regardless of location

[Diagram: FortiWeb pair with a disaster-recovery site]

Page 32:

FortiWeb for Virtual Datacenter

Virtual WAF for VDC
• Deploy WAFs without extra hardware
• Dynamic expansion in VM environments
• Resource efficiency with uncompromised WAF functionality
• Virtualization environments:
  » VMware ESX/ESXi 4.0, 4.1, 5.0, 5.1, 5.5
  » Microsoft Hyper-V
  » Citrix XenServer 6.2
  » Open Source Xen 4.2

[Diagram: virtualized data center with the FortiWeb virtual appliance between the public zone/DMZ and the servers/DMZ and desktops/private zones]

Page 33:

FortiWeb Family

Page 34:

FortiWeb Product Lineup

[Figure: models arranged by performance and scalability]

Tier       | WAF throughput | SSL      | Ports
Entry      | < 1 Gbps       | Software | GE
Mid-range  | 1 – 2 Gbps     | ASIC     | GE/10GE
High-end   | 3+ Gbps        | ASIC     | GE/10GE

Models: FWB-400C, FWB-1000D, FWB-3000D, FWB-3000DFsx, FWB-4000D

Page 35:

FortiWeb Product Matrix

Model                  | 400C     | 1000D    | 3000D    | 3000DFsx | 4000D
WAF throughput         | 100 Mbps | 750 Mbps | 1.5 Gbps | 1.5 Gbps | 4.0 Gbps
Latency                | sub-ms   | sub-ms   | sub-ms   | sub-ms   | sub-ms
SSL                    | Software | ASIC     | ASIC     | ASIC     | ASIC
L7 load balancing      | ✓        | ✓        | ✓        | ✓        | ✓
L7 DoS protection      | ✓        | ✓        | ✓        | ✓        | ✓
Site publishing/SSO    | ✓        | ✓        | ✓        | ✓        | ✓
Vulnerability scanner  | ✓        | ✓        | ✓        | ✓        | ✓
Antivirus/antimalware  | ✓        | ✓        | ✓        | ✓        | ✓
GE ports               | 4        | 6        | 6        | 6        | 8
GE bypass              | 0        | 4        | 2        | 0        | 2
GE-SX bypass           | 0        | 0        | 0        | 0        | 2
GE SFP                 | 0        | 2        | 0        | 0        | 0
10GE SFP+ bypass       | 0        | 0        | 0        | 2        | 2

Page 36:

FortiWeb Virtual Appliances

Virtual WAF
• Deploy WAFs without extra hardware
• Dynamic expansion in VM environments
• Resource efficiency with uncompromised WAF functionality
• VMware ESX/ESXi 4.0, 4.1, 5.0, 5.1, 5.5; Microsoft Hyper-V; Citrix XenServer 6.2; Open Source Xen 4.2

Technical specifications       | FortiWeb VM01 | FortiWeb VM02 | FortiWeb VM04 | FortiWeb VM08
vCPU support (max)             | 1             | 2             | 4             | 8
Memory support (max)           | Unlimited     | Unlimited     | Unlimited     | Unlimited
Network interface support (max)| 4             | 4             | 4             | 4
Storage support (min / max)    | 40 GB / 1 TB  | 40 GB / 1 TB  | 40 GB / 1 TB  | 40 GB / 1 TB

Page 37:

FortiWeb for ISP Web Application Firewall