fortiweb for isp -...
© Copyright Fortinet Inc. All rights reserved.
FortiWeb for ISP Web Application Firewall
Agenda
§ Introduction to FortiWeb
§ Highlights Main Features
§ Additional FortiWEB Services for the ISP
§ FortiWeb Family
Introduction to FortiWeb
Scope/Definition of WAFs
§ Protects web-based applications from code-based attacks
» SQL Injection or other injection types
» Cross Site Scripting and Request Forgery
» Layer 7 DoS/DDoS attacks
» Cookie/schema poisoning
§ Protects against application vulnerabilities in custom code and commercial platforms
§ Understands/learns “normal” behaviors and stops anomalies
» URL parameters, HTTP methods, session IDs, cookies, schema, etc.
Can’t a Firewall or IPS do this?
§ Firewalls look for network-based attacks
§ IPS Signatures detect only known problems
» No protection of SSL traffic
» No application or user awareness
WAF Drivers/Challenges
§ Protect current and existing applications from code-based vulnerabilities
§ Meet PCI Compliance (5.5 and 6.6) for credit card and healthcare data
§ Address OWASP Top 10 Application Vulnerabilities
§ Identify and address web application vulnerabilities
§ Website publishing for Microsoft and other applications
§ Protect against website defacement
Who Needs it?
§ Any organization that processes credit cards and/or has PCI requirements
§ Large internal or external applications
§ Sensitive/proprietary information
§ Mission-critical business applications
Who Needs it Most?
§ MSPs/Hosting Companies
§ E-commerce/online services
§ Retail, Food Service, Hospitality
§ Financial services
§ Healthcare
FortiWeb – Web Application Firewalls
§ 4 models from 100 Mbps to 4 Gbps HTTP throughput
§ Up to 6x GE and models with 2x 10GE SFP+ ports
§ Included vulnerability scanning and antivirus
§ Hardware and VM options (VMware, Hyper-V)
§ Automatic behavior-based scanning
§ Auto setup/learning mode
§ Layer 7 DDoS protection
§ FortiGuard antivirus/IP reputation
§ Transparent, reverse and non-inline deployment options
§ Central Management/ADOMs
§ Advanced real-time reporting
§ SSL offloading/compression
§ SSO/Authentication
§ Layer 7 load balancing
§ NSS recommended
Complete WAF Solution
FortiWeb Benefits
§ Protect custom and commercial applications with automatic usage profiling
§ Meet PCI Compliance (5.5 and 6.6) with behavior-based attack detection and mitigation
§ Protection against OWASP Top 10 Application Vulnerabilities
§ Identify web application security weaknesses with vulnerability scanning
§ Website publishing with Single Sign On/Authentication
§ Restore website pages from attacks with Anti-Defacement Protection
§ Block botnets and attacks from known rogue and malicious sources with FortiGuard IP Reputation
Deployment Options
• Layer II - Transparent Inspection and True Transparent Proxy
» Easy deployment - No need to re-architect network, full transparency
» Fail Open Interface
• Reverse Proxy
» Supports content modification for both requests and replies from the server
» Advanced URL rewriting capabilities
» HTTPS offloading
» Enhanced load balancing schemes
• Non Inline Deployment – SPAN port
» Zero network latency
» Blocking capabilities using TCP resets
» Ideal for initial product evaluations, non-intrusive network deployment
Highlights Main Features
FortiWeb Application Delivery
Web Application Firewall - WAF (Secures Web Applications)
• Secures web applications to help customers meet compliance requirements
Web Vulnerability Scanner (Scans and Detects Web Vulnerabilities)
• Scans, analyzes and detects web application vulnerabilities
Application Delivery (Optimizes Application Delivery)
• Assures availability and accelerates performance of critical web applications
SSL Offloading & Acceleration
SSL Offloading
• Integrated ASIC based hardware
• Hardware-based key exchange and bulk encryption
• Purpose built SSL processing
CA Management
• Full certificate management
• Advanced certification verification and revocation capabilities
TCP Connection Multiplexing
✓ Offload CPU intensive SSL computing from server to FortiWeb
FortiASIC CP8 SSL Acceleration Chip
Server Load Balancing
Layer 7 Load Balancing
• Methods: Weighted Round Robin, Round-Robin, Least Connection, HTTP session round robin
• Connection persistence with timeout value
• Probes & Health Checks: TCP, HTTP/HTTPS, PING.
• Content based health checks
✓ Intelligent, application aware layer 7 load balancing
URL Routing/Rewriting
Advanced Routing and Rewriting capabilities
• Route traffic based on: IP, Host, URL
• Rewriting and Redirection: Host, URL, Referrers
Rewrite Reply Content
• Rewrite absolute links
• Any required content
• Multiple content types supported
FortiWeb main features
Vulnerability Assessment
Easily Scan your web applications
• Common vulnerabilities
• SQL Injection
• Cross Site Scripting
• Source code disclosure
• OS Commanding
Enhanced/Basic Mode
• Crawling information
• URLs accepting input
• External Links
Authentication Options
Scheduled and on Demand Scanning
Vulnerability Assessment
Vulnerability Reports
• Scan summary
• Vulnerability by severity
• Vulnerability by categories
• Application Vulnerabilities
• Common Vulnerabilities
Server Information
• Crawling information
• URLs accepting input
• External Links
Provides Recommendations and Graphs
Updates via FortiGuard
FortiWeb Protection at all Layers
• IP REPUTATION: BOTNETS, MALICIOUS HOSTS, ANONYMOUS PROXIES, DDOS SOURCES
• DDOS PROTECTION: APPLICATION LEVEL DDOS ATTACKS
• PROTOCOL VALIDATION: IMPROPER HTTP RFC
• ATTACK SIGNATURES: KNOWN APPLICATION ATTACK TYPES
• ANTIVIRUS/DLP: VIRUSES, MALWARE, LOSS OF DATA
• BEHAVIORAL VALIDATION: UNKNOWN APPLICATION ATTACKS
[Figure: the layers above sit between ATTACKS/THREATS and the APPLICATION, with CORRELATION across them]
FortiGuard IP Reputation
FortiGuard IP Reputation Service: Protect against automated attacks and malicious sources
Threats
• DDoS
• Phishing
• Botnets
• Anonymous Proxy access
• Infected source
• SPAM hosts
IP Reputation Service
• Daily feed updates
• Automated downloads
• Immediate protection
• Visibility and reporting
FortiGuard Techniques
• FortiGuard historical analysis
• Honeypots
• Botnet analysis
• Anonymous proxies
• Third party sources
Bot Identification and Protection
Enhanced Bot Identification
• Known search engines
• Bad robots (scanners, crawlers, spiders)
Protection Accuracy
• Bypass threshold based policies (DoS, Brute force) for known search engines
Bot Analysis
• Bot dashboard provides overview of all traffic with breakdown for bad robots and known search engines
✓ Analyze traffic from malicious robots, scanners, crawlers and known search engines
Protection Policies
Application Layer
• HTTP request limit per source
• TCP connections using the same cookie
• HTTP requests using the same cookie
• Challenge Response – validate whether the user is real or automated
Network Layer
• TCP connections limit per source
• SYN Cookie – SYN flood protection
✓ Analyze requests originating from different users based on different characteristics such as IP and cookie
✓ Sophisticated mechanism identifies real users from automated attacks
Intrusion Prevention
FortiGuard Labs
• Weekly updates
• Automatic download
Wide coverage
• Various categories
• Thousands of signatures
• Action rules per category
• Information about each signature
• Sample match
• Location where inspected
Exceptions/Whitelist
• Create exceptions down to the signature
• Use regex to cover more URLs
✓ Flexible and granular signature interface
FortiWeb Auto Learn
Understand Application Structure
• Models elements from actual traffic
• Builds baseline based on URLs, parameters, HTTP methods
Automatically Understands Real Behavior
• Can form fields/parameters be modified by users?
• What are the length and type of each form field?
• What characters are acceptable (min, max, average)?
• Is a form field required or optional?
Provides Recommendations and Graphs
FortiWeb Auto Learn
• Learns the protected application's structure
» URLs
» Parameters
» Expected behavior
• Analyzes:
» Visits
» Attacks
• Provides automatic rules
• Exportable to PDF
FortiGuard Services
§ FortiGuard Labs
» Award-winning threat research services
» Dynamic/automated updates for FortiWeb
» Automatic downloads
» Always up-to-date
§ Subscription Based
» Available per device
» Select services that are needed
» Annual renewals
Security Service
• Application layer signatures
• Malicious bots
• Suspicious URL pattern
• Web vulnerability scanner updates
IP Reputation
• Protection for automated attacks and malicious sources
• DDoS, Phishing, Botnet, Spam, Anonymous proxies and infected sources
Antivirus
• Scan file uploads
• Regular and extended AV databases
Additional FortiWEB Services for the ISP
On Premise Web Application
§ FortiWeb is configured in Reverse Proxy mode
§ A cloud WAF solution allows customers to have an external device scan their traffic without the need to deploy any SW/HW in their environment
§ End customers change their application’s DNS entry to point to the cloud WAF, which scans the traffic and forwards it to the application
§ The solution provides each customer:
» Application security
» Performance acceleration (caching, compression, etc.)
» UI access dashboard – Traffic graphs, alerts, minimal configuration
Hosted Web Application
§ FortiWeb is configured in True Transparent Proxy mode
§ This solution gives the ISP additional revenue by offering WAF services to its hosted applications
§ All applications are hosted at the ISP infrastructure
§ Managed by ISP, no UI access for end customers
§ The solution provides each customer:
» Application security
» Performance acceleration (possibly)
» Reports via email
Multi-tenancy
Administrative Domains
• Controls privileges and permissions across the organization
• True role based access control (RBAC)
• Global and per-ADOM settings
• Per ADOM logging and reporting
MSSP Features
• Protect multiple customers with one FortiWeb appliance
• Allow customers to securely access their own logs and reports
• Per user read/write permissions
✓ Provides multiple logical entities in a single physical unit
✓ Out-of-the-box Multi-tenant solution
High Availability
Active/Passive Failover
• Full configuration synchronization
• Seamless failover
• No downtime
Configuration-Sync
• Sync FortiWeb devices across networks
• Allows managing policies across multiple devices from a central location
• Seamless integration into already existing HA/LB environments
• Support for DR environments
✓ Use Active/Passive failover or simply sync policies across multiple data centres, regardless of location
FortiWeb for Virtual Datacenter
Virtual WAF for VDC
§ Deploy WAFs without extra hardware
§ Dynamic expansion in VM environments
§ Resource efficiency with uncompromised WAF functionality
§ Virtualization Environment:
» VMware ESX / ESXi / 4.0 / 4.1 / 5.0 / 5.1 / 5.5
» Microsoft Hyper-V
» Citrix XenServer 6.2
» Open Source Xen 4.2
[Figure: Virtualized Data Center with FortiWeb Virtual Appliance; zones: Public Zone, DMZ, Servers / DMZ, Desktops / Private]
FortiWeb Family
FortiWeb Product Lineup
Performance & Scalability
WAF     < 1 Gbps    1 – 2 Gbps    3+ Gbps
SSL     Software    ASIC          ASIC
Ports   GE          GE/10GE       GE/10GE
Models: FWB-1000D, FWB-400C, FWB-3000DFsx, FWB-3000D, FWB-4000D
FortiWeb Product Matrix
Model                   400C       1000D      3000D      3000DFsx   4000D
WAF Throughput          100 Mbps   750 Mbps   1.5 Gbps   1.5 Gbps   4.0 Gbps
Latency                 Sub-ms     Sub-ms     Sub-ms     Sub-ms     Sub-ms
SSL                     Software   ASIC       ASIC       ASIC       ASIC
L7 Load Balancing       ✓          ✓          ✓          ✓          ✓
L7 DoS Protection       ✓          ✓          ✓          ✓          ✓
Site Publishing/SSO     ✓          ✓          ✓          ✓          ✓
Vulnerability Scanner   ✓          ✓          ✓          ✓          ✓
Antivirus/antimalware   ✓          ✓          ✓          ✓          ✓
GE Port                 4          6          6          6          8
GE Bypass               0          4          2          0          2
GE-SX Bypass            0          0          0          0          2
GE SFP                  0          2          0          0          0
10GE SFP+ Bypass        0          0          0          2          2
FortiWeb Virtual Appliances
Virtual WAF
§ Deploy WAFs without extra hardware
§ Dynamic expansion in VM environments
§ Resource efficiency with uncompromised WAF functionality
§ VMware ESX / ESXi / 4.0 / 4.1 / 5.0 / 5.1 / 5.5, Microsoft Hyper-V, Citrix XenServer 6.2, Open Source Xen 4.2
Technical Specifications          FortiWeb VM01  FortiWeb VM02  FortiWeb VM04  FortiWeb VM08
vCPU Support (Max)                1              2              4              8
Memory Support (Max)              Unlimited      Unlimited      Unlimited      Unlimited
Network Interface Support (Max)   4              4              4              4
Storage Support (Min / Max)       40 GB / 1TB    40 GB / 1TB    40 GB / 1TB    40 GB / 1TB