radware hybrid cloud waf service
TRANSCRIPT
Radware Hybrid Cloud WAF Service
Market Analysis
2
Evolving Threat Landscape
Denial of Service 25%
SQL Injection 24%
Cross Site Scripting (XSS)
8.9%
4.8%
3.8%
3.7%
3% 2.8%
2.1% 1.9%
Top 10 Web Attack Methods
Denial of Service
SQL Injection
Cross Site Scripting (XSS)
Brute Force
Predictable Resource Location
Stolen Credentials
Unintentional InformationDisclosureBanking Trojan
Credential/Session Prediction
Cross Site Request Forgery (CSRF)
No one is immune – more industries are at risk
Web attacks - most common attack vector
– 1 in every 4 web-based attacks are HTTPS
Most common attack vectors:
– SQL Injections
– Cross Site Scripting (XSS)
– Denial of Service (DoS)
Source: Web Hacking Incident Database (WHID), Feb. 2013
3
Multi-Vectors Attacks
IPS/IDS
“Low & Slow” DoS attacks (e.g.Sockstress)
Large volume network flood attacks
Syn Floods
Network Scan
HTTP Floods
SSL Floods App Misuse
Brute Force
Cloud DDoS protection DoS protection Behavioral analysis IPS WAF SSL protection
Internet Pipe Firewall Load Balancer/ADC Server Under Attack SQL Server
4
XSS, CSRF SQL Injections
Enterprise Cloud Migration
Internet Customer Premise
Cloud Service Provider
Data Center
Enterprises expand application resources to the cloud Multi-vector attacks target enterprise applications everywhere
On-premises mitigation tools alone are ineffective against cloud-based attacks
5
Today’s Challenges
6
Evolving Threat Landscape Attacks last longer and include multi-vectors Web application attacks most popular
Enterprise Perimeter Disappearing Infrastructure is spread Mixed environment – cloud and premise based applications
Hosting Across Multiple Vendors Harder to protect & manage multiple instances Varying degree of protection offered by cloud vendors
Need for a hybrid, easy and fully managed solution that provides full protection from web-based attacks
No single vendor exists today with both a CPE & Cloud WAF offering
Multiple challenges with a non-hybrid, multi-vendor WAF solution:
– Limited visibility (detection) and control (mitigation)
– Blind spots between technologies
– Vendor roadmap integration issues
– Vendor (problem) management processes
Why Hybrid?
7
Hybrid Cloud WAF Offering
8
Fully managed & always-on cloud service
Provides WAF and DDoS protection
Based on Radware’s widely adopted Attack Mitigation Solution
Scalable cloud-based configuration
Optimal for detecting and mitigating a vast array of attack vectors
– Common web attacks (e.g. SQL Injections, Cross-Site Scripting)
– Advanced web attacks (e.g. Cookie Poisoning, XML and web services attacks)
– DDoS attacks targeting data center infrastructure
– Volumetric DDoS attacks aiming to saturate the internet link (optional add-on protection)
Radware’s Hybrid Cloud WAF
9
Cloud WAF Attack Mitigation Device
Radware Security Cloud POP
Web-based attack is launched and detected by Radware’s Cloud WAF Attack is mitigated and clean traffic is relayed to the private cloud and premise
Radware’s Hybrid Cloud WAF
Public Cloud
VPC / Private Cloud
Customer Premise
Data Center
10
Why Radware’s Hybrid Cloud WAF?
Integrated CPE and Cloud WAF Technologies
Unmatched Web Application Protection
Fully Managed Security Service
Easy, Flexible Model
Always-On DDoS Protection
11
Only solution to integrate with on-premise security devices
Gain more visibility and control in disaggregated application-delivery environments
Messaging to enable threats detected in the cloud can be mitigated by on-premise attack mitigation devices
Allow for ease and speed of security policy orchestration & automation
Why Radware’s Hybrid Cloud WAF?
Integrated CPE and Cloud WAF Technologies
12
Based on Radware’s WAF - AppWall
The only WAF in the Cloud with:
– Full coverage of ALL OWASP Top-10
– ICSA Labs Certification
– Auto Generated Policy
– Negative & Positive security models
Why Radware’s Hybrid Cloud WAF?
Unmatched Web Application Protection
Attack Categories Covered
TCP Termination & Normalization HTTP Protocol attack (e.g. HRS) Path traversal Base 64 and encoded attacks JSON and XML attacks Login Protection Password cracking – Brute Force
Attack Signature and Rules Cross site scripting (XSS) Injections: SQL, LDAP OS commanding Server Side Includes (SSI)
LFI/RFI Protection Local File Inclusion Remote File Inclusion
Session Protection Cookie Poisoning Session Hijacking
Data Leak Prevention Credit card number (CCN) Social Security (SSN) Regular Expression
Access Control Predictable Resource Location Backdoor and debug resources File Upload attacks
DDoS Protection Behavioral Network DDoS Behavioral Application DDoS Network Challenge Response
HTTP Challenge Response Access List Volumetric DDoS (add-on)
13
24x7 support
System monitoring and auto policy generation
Proactive analysis including policy optimization and logs review
Backed by Radware's Emergency Response Team (ERT)
Why Radware’s Hybrid Cloud WAF?
Fully Managed Security Service
14
Simple setup - nothing to download or install
Phased and risk free onboarding
– 3 step process
– Every new policy is initially introduced in Span Port
– 7 days for new policy activation
OPEX-based model
3 levels of service offering (Silver, Gold & Platinum)
Flexibility in growth options
Why Radware’s Hybrid Cloud WAF?
Easy, Flexible Model
Out-of-path
Auto Policy
Inline passive mode
Inline protective mode
15
Based on Radware's attack mitigation device (DefensePro)
Includes Anti DDoS, NBA and IPS protection
Adaptive behavioral analysis and challenge response technologies
Why Radware’s Hybrid Cloud WAF?
Always-On DDoS Protection
16
Cloud WAF Attack Mitigation Device
Radware Security Cloud POP
VPC / Private Cloud
Customer Premise
Data Center
Volumetric DDoS Attack Protection
Public Cloud
Volumetric attack is launched on the Radware Security Cloud POP Attack is detected by the Radware Cloud IPS
Attack baseline is synchronized to DefensePipe and traffic redirected to scrubbing center
Defense Messaging
Traffic is scrubbed by DefensePipe and relayed clean to the private cloud and premise
Radware Cloud Scrubbing
Service Monitoring: Traffic Volume Monitoring, HTTP Heath-checks
Redundancy: for all network components – No single point of failure
Failover: Auto failover based on Active – standby
Disaster Recovery: DNS redirection to secondary site; Tier 1 DNS
Scalability and Availability
18
Service available in three packages:
DDoS protection of up-to 1 Gbps of attack traffic is included in all packages
Volumetric DDoS-attack protection available at additional cost
Offering Sets
Silver
• Single shared policy for multiple web applications
• Basic security offering to secure against common web attacks
Gold
• Dedicated policy for each web application
• PCI Compliance ready policy
• Added protection from data and access centric attacks
Platinum
• OWASP Top 10 coverage
• Extended security policy
• Zero-day attack protection
• Advanced attack protection
19
Service Full SLA
Security Offerings – DDoS Features Silver Gold Platinum
Behavioral Network Layer DDoS Protection
Yes Yes Yes
Behavioral Application Layer DDoS Protection
Yes Yes Yes
Network Challenge Response Yes Yes Yes
HTTP Challenge Response Yes Yes Yes
Access List – on demand up to 1 list per month
Up to 100 entries
Up to 100 entries
Up to 100 entries
Weekly Security Update Subscription Yes Yes Yes
Attack volume supported Up to 1G Up to 1G Up to 1G
Security Offerings – WAF Features Silver Gold Platinum
HTTP Protocol Manipulation Yes Yes Yes
Error info leakage & fingerprinting Yes Yes Yes
Known Vulnerabilities & Custom Rules Yes Yes Yes
SQL, OS and LDAP Injection Yes Yes Yes
Cross Site Scripting (XSS) Yes Yes Yes
SSL (including custom certificate) Yes Yes Yes
Geo Location, Anonymous proxies Yes Yes Yes
Credit Card Number Leakage No Yes Yes
CSRF No Yes Yes
Access Control (White & Black list) No Yes Yes
Brute Force No Yes Yes
Session attacks (hijacking, cookie poisoning)
No No Yes
Zero Day Protection; Parameter policy No No Yes
XML and Web Service No No Yes
20
Service Full SLA
Service Offerings - Service Silver Gold Platinum
24 X 7 support Yes Yes Yes
Managed Security Service Yes Yes Yes
logs review and system monitoring Yes Yes Yes
Customized Weekly Scheduled Reports Yes Yes Yes
Tenant-based Policy (shared Policy for multiple apps) Yes No No
Application Based policy No Yes Yes
Auto Policy Generation Yes Yes Yes
Dedicated WAF instance No No Yes
At least once a month Proactive Security Policy Review and optimization
No No Yes
2 Forensics Reports per year No No Yes
Emergency Response Attack Mitigation Yes Yes Yes
Pre-attack high risk alerts Yes Yes Yes
Post attack report and recommendations Yes Yes Yes
Time to Security Expert response SLA Best Effort Best Effort Best Effort
Number of DDoS Protection policy changes per calendar month (non-cumulative)
1 1 1
21
Summary
22
Summary
Integrated CPE and Cloud WAF Technologies Only solution with same technology to protect both
cloud-based and on-premise applications
Unmatched Web Application Protection Full OWASP Top 10 coverage
Auto policy generation; ICSA Labs certification
Fully Managed Security Service 24x7 Support
Backed by Radware’s ERT security experts
Easy, Flexibly Model Simple, no setup
OPEX based with 3 offerings to chose from
Always-On DDoS Protection Based on Radware’s attack mitigation device
Minimal false positives; no impact on legitimate traffic