FortiWeb May 2013

Published on May 2019

FortiWeb Web Application Firewall

May 21, 2013

Fortinet Confidential

Agenda

• Web Application Security
• Deployment and Management
• Application Delivery
• Vulnerability Assessment
• Protection and Monitoring
• Compliance

Latest Trends

• Hackers use attack automation to DDoS organizations
• Utilize mass hoards of bots
• Off the shelf attack tool kits make it easy for Hacktivists to join DDoS attacks
• Rise of layer 7 DDoS
• Malware infected sources
• SQL Injection/XSS dominate

Application Security Needs New Approach

Network Firewall
• Network firewalls detect network attacks
• Inspect IP and port
• IPS products detect known signatures only
• Signature evasion is possible
• No protection of SSL traffic
• No real HTTP understanding (headers, parameters, etc)
• No application awareness
• No user awareness
• High rate of false positives

Only Web Application Firewalls can detect and block application attacks!

Diagram labels: Network layer (OSI 1-3) - IPS/Deep Packet Inspection Firewalls; Application layer (OSI 4-7) - FortiWeb Web Application Firewall; Web Application Servers

Introducing - FortiWeb Web Application Firewall

• Web Application Firewall (WAF): Secures web applications to help customers meet compliance requirements
• Web Vulnerability Scanner: Scans, analyzes and detects web application vulnerabilities
• Application Delivery: Assures availability and accelerates performance of critical web applications

Diagram labels: Secures Web Applications; Scans and Detects Web Vulnerabilities; Optimizes Application Delivery

FortiWeb Customers Worldwide

Sectors: Government, Telco, Retail/Technology/Financial/Other


Deployment Options

Layer II - Transparent Inspection and True Transparent Proxy
• Easy deployment - No need to re-architect network, full transparency
• Fail Open Interface

Reverse Proxy
• Supports content modification for both requests and replies from the server
• Advanced URL rewriting capabilities
• HTTPS offloading
• Enhanced load balancing schemes

Non Inline Deployment – SPAN port
• Zero network latency
• Blocking capabilities using TCP resets
• Ideal for initial product evaluations, non-intrusive network deployment

Diagram labels: Web Application Servers; FortiWeb; System Administration

FortiWeb Product Family

FortiWeb-400C - Mid-Enterprise Deployments
• 100 Mbps HTTP throughput
• 10,000 transactions per second

FortiWeb-1000C - Large Enterprise Deployments
• ASIC based Acceleration - FortiModule-CP7
• 500 Mbps HTTP throughput
• 27,000 transactions per second

FortiWeb-3000C/3000CFsx - Large Enterprise/Service Provider Deployments
• ASIC based Acceleration - FortiModule-CP7
• 1 Gbps HTTP throughput
• 40,000 transactions per second
• Hot-swap redundant AC power, 2 x 1 TB storage
• 6 x 10/100/1000 copper (+ 2 x Gbps SFP for 3000CFsx)

FortiWeb-4000C - Large Enterprise/Service Provider Deployments
• ASIC based Acceleration - FortiModule-CP7
• Hardware based DLP acceleration
• 2 Gbps HTTP throughput
• 70,000 transactions per second
• Hot-swap redundant AC power, 2 x 1 TB storage
• 6 x 10/100/1000 copper, 2 x Gbps SFP interfaces

FortiWeb-VM

Virtual Systems - Deploy FortiWeb in a virtualized environment
• Mitigate blind spots
• Protects web applications regardless of connection origin
• Provides visibility to internal connections as well
• Same functionality as appliance

Requirement               Min needed for FortiWeb-VM
Licenses                  2-vCPU, 4-vCPU, 8-vCPU
Hypervisor                VMware ESXi/ESX 3.5/4.0/4.1/5.0/5.1
Memory                    Min. 1024 MB
CPU                       Min. 2 virtual CPUs
10/100/1000 Interfaces    Min. 2, max. 4 virtual NICs
Storage Capacity          Min. 40 GB

Diagram labels: Public Zone; DMZ; Servers / DMZ; Virtualized Data Center; Desktops / Virtual Private Appliance; FortiWeb

FortiGuard Services

FortiGuard® Security Subscription Services deliver dynamic, automated updates for Fortinet products. The Fortinet Global Security Research Team creates these updates to ensure up-to-date protection against sophisticated threats.

Signatures Security Service
• Application layer signatures
• Malicious bots
• Suspicious URL pattern
• Web vulnerability scanner updates

IP Reputation
• Protection for automated attacks and malicious sources
• DDoS, Phishing, Botnet, Spam, Anonymous proxies and infected sources

Antivirus
• Scan file uploads
• Regular and extended AV databases

Data Analytics/Geo IP

Log & Report
• Analyses web app usage based on geographic location and server access
• Dissect traffic based on number of hits, data used and attack type
• Map or list view

Geo IP security
• Easily block access from a country using right click

Provides a graphical interface that helps organizations understand application trends both from a user and server perspective


SSL Offloading & Acceleration

SSL Offloading
• Integrated ASIC based hardware
• Hardware-based key exchange and bulk encryption
• Purpose built SSL processing

CA Management
• Full certificate management
• Advanced certificate verification and revocation capabilities

TCP Connection Multiplexing

FortiASIC CP8 SSL Acceleration Chip

Offload CPU intensive SSL computing from server to FortiWeb

Data Compression

Compression
• Compress files using gzip compression
• Compression rate depends on data type and character redundancy
• Support for multiple content types
• Easily exclude specific URLs

Uncompressing
• Inspect data compressed by server

Compress poorly optimised content to minimise impact on network resources and reduce application delivery latency. Allows efficient bandwidth utilization and response time to users by compressing data retrieved from servers.

Server Load Balancing

Load Balancing
• Methods: Weighted Round Robin, Round Robin, Least Connection, HTTP session round robin
• Connection persistence with timeout value
• Probes & Health Checks: TCP, HTTP/HTTPS, PING. Content based health checks

Intelligent, application aware load balancing

URL Rewriting

Advanced Rewriting capabilities
• Route traffic based on: IP, Host, URL
• Rewriting and Redirection: Host, URL, Referrers

Rewrite Reply Content
• Rewrite absolute links
• Any required content
• Multiple content types supported


Vulnerability Assessment

Easily Scan your web applications
• Common vulnerabilities
• SQL Injection
• Cross Site Scripting
• Source code disclosure
• OS Commanding

Enhanced/Basic Mode
• Crawling information
• URLs accepting input
• External Links

Authentication Options
Granular Crawling Capabilities
Scheduled and on Demand Scanning

Vulnerability Reports

Vulnerability Reports
• Scan summary
• Vulnerability by severity
• Vulnerability by categories
• Application Vulnerabilities
• Common Vulnerabilities

Server Information
• Crawling information
• URLs accepting input
• External Links

Provides Recommendations and Graphs
Updates via FortiGuard
Complements WAF for PCI DSS


Application Profiling

Accurate Protection Requires:

Understanding the Protected Application
• Application structure (URLs, parameters, methods)
• What is expected and what is suspicious

Understanding Hackers
• Popular attack methods, tools, and application vulnerabilities
• Differentiate between application changes, human errors and real attacks

FortiWeb Auto Learn - Application Profiling

Understand Application Structure
• Models elements from actual traffic
• Builds baseline based on URLs, parameters, HTTP methods

Automatically Understands Real Behavior
• Can form fields/parameters be modified by users?
• What are the length and type of each form field?
• What characters are acceptable (min, max, average)?
• Is a form field required or optional?

Provides Recommendations and Graphs
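As an added illustration (my sketch, not FortiWeb code or its profile format), the following Python shows the baseline-and-deviation idea behind Auto Learn: learn each URL's parameters (maximum length, character set, required or optional) from constructed sample traffic, then report how a new request deviates from that baseline. The `slack` factor, the sample traffic and the per-parameter fields are my assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed learning-phase traffic (method, URL), standing in for what the WAF observes.
LEARNING_TRAFFIC = [
    ("GET", "/login?user=alice&remember=1"),
    ("GET", "/login?user=bob"),
    ("GET", "/login?user=carol_92&remember=0"),
    ("GET", "/search?q=firewall"),
    ("GET", "/search?q=web+app+firewall"),
]

def build_baseline(traffic):
    """Learn, per (method, path), each parameter's max length, character set and whether it is required."""
    hits, seen = defaultdict(int), defaultdict(dict)
    for method, url in traffic:
        parts = urlsplit(url)
        key = (method, parts.path)
        hits[key] += 1
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            p = seen[key].setdefault(name, {"count": 0, "max_len": 0, "chars": set()})
            p["count"] += 1
            p["max_len"] = max(p["max_len"], len(value))
            p["chars"].update(value)
    # A parameter is required if every learned request to that URL carried it.
    return {key: {name: {"required": p["count"] == hits[key],
                         "max_len": p["max_len"], "charset": p["chars"]}
                  for name, p in params.items()}
            for key, params in seen.items()}

def check_request(baseline, method, url, slack=2):
    """Return deviations of one request from the baseline; an empty list means it conforms."""
    parts = urlsplit(url)
    key = (method, parts.path)
    if key not in baseline:
        return ["unknown URL or method: %s %s" % key]
    expected = baseline[key]
    present = dict(parse_qsl(parts.query, keep_blank_values=True))
    findings = []
    for name, value in present.items():
        spec = expected.get(name)
        if spec is None:
            findings.append("unexpected parameter %r" % name)
            continue
        if len(value) > spec["max_len"] * slack:  # slack tolerates modest growth before alerting
            findings.append("%s: length %d exceeds learned max %d" % (name, len(value), spec["max_len"]))
        if set(value) - spec["charset"]:
            findings.append("%s: unlearned characters %s" % (name, "".join(sorted(set(value) - spec["charset"]))))
    findings += ["missing required parameter %r" % n for n, s in expected.items() if s["required"] and n not in present]
    return findings
```

A real learning phase needs far more traffic than five requests; with a baseline this small even a legitimate new username can trip the character-set check, which is why Auto Learn is described as producing recommendations rather than rules applied blindly.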

   

Web Based Attacks - Denial of Service

• Application based DDoS is on the increase, accounting for a quarter of all DDoS attacks
• Targeting specific web app/protocol flaws rather than bandwidth consumption
  • CPU intensive SQL queries to backend DB
  • Writing to hard disks
  • Server specific
• Slow based and legitimate request attacks
  • Slowloris - Sends legitimate, but partial, never ending requests
• Using tools that can be easily downloaded from the internet such as HOIC and LOIC
• Using botnets and automatic tools to reach mass
• Sometimes camouflaging real data breach attempts
  • SQL Injection primarily

Diagram labels: Under the radar (bandwidth threshold); Zombie Botnet - Many become one

Protection Policies - Denial of Service

Application Layer
• HTTP request limit per source
• TCP connections using the same cookie
• HTTP requests using the same cookie
• Challenge Response – validate whether the user is real or automated

Network Layer
• TCP connections limit per source
• SYN Cookie – SYN flood protection

Analyze requests originating from different users based on different characteristics such as IP and cookie. Sophisticated mechanism identifies real users from automated attacks (LOIC, HOIC, etc).
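An added illustration (my code, not FortiWeb's implementation) of two of the application-layer policies above, the HTTP request limit per source and the HTTP requests using the same cookie, as sliding-window counters replayed over constructed access-log lines. The window size, the limits and the log line format are assumptions; the point is that counting by cookie catches many sources acting as one session, which a per-IP limit alone misses.

```python
from collections import defaultdict, deque

class HttpRateLimiter:
    """Sliding-window request counters keyed by source IP and by session cookie."""
    def __init__(self, window_s, max_per_ip, max_per_cookie):
        self.window = window_s
        self.limits = {"ip": max_per_ip, "cookie": max_per_cookie}
        self.events = {"ip": defaultdict(deque), "cookie": defaultdict(deque)}

    def _count(self, kind, key, now):
        q = self.events[kind][key]
        q.append(now)
        while q and q[0] <= now - self.window:   # expire timestamps outside the window
            q.popleft()
        return len(q)

    def check(self, now, src_ip, cookie=None):
        """Return None if the request is within policy, else the name of the violated policy."""
        if self._count("ip", src_ip, now) > self.limits["ip"]:
            return "http-request-limit-per-source"
        # Counting by cookie catches many sources sharing one session ("many become one").
        if cookie is not None and self._count("cookie", cookie, now) > self.limits["cookie"]:
            return "http-requests-same-cookie"
        return None

def replay(limiter, log_lines):
    """Feed constructed log lines 'ts src_ip cookie path' through the limiter; return (line, policy) violations."""
    violations = []
    for lineno, line in enumerate(log_lines, 1):
        ts, ip, cookie, _path = line.split()
        policy = limiter.check(float(ts), ip, None if cookie == "-" else cookie)
        if policy:
            violations.append((lineno, policy))
    return violations

# Constructed log: 6 requests from one source within 2 s (per-source limit 5), then 4 different
# sources sharing one session cookie (per-cookie limit 3), then a single well-behaved client.
SAMPLE_LOG = (
    ["%.1f 203.0.113.10 - /index.html" % (1.0 + 0.3 * i) for i in range(6)]
    + ["%.1f 198.51.100.%d sess=abc /login" % (5.0 + 0.1 * i, i + 1) for i in range(4)]
    + ["20.0 192.0.2.7 sess=xyz /index.html"]
)

def demo():
    limiter = HttpRateLimiter(window_s=10, max_per_ip=5, max_per_cookie=3)
    return replay(limiter, SAMPLE_LOG)

if __name__ == "__main__":
    for lineno, policy in demo():
        print("line %d: %s" % (lineno, policy))
```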

FortiGuard IP Reputation

Threats
• DDoS
• Phishing
• Botnets
• Anonymous proxy access
• Infected source
• SPAM hosts

IP Reputation Service
• Daily feed updates
• Automated downloads
• Immediate protection
• Visibility and reporting

FortiGuard Techniques
• FortiGuard historical analysis
• Honeypots
• Botnet analysis
• Anonymous proxies
• Third party sources

FortiGuard IP Reputation Intelligence Service: Protect against automated attacks and malicious sources

FortiWeb provides protection at all layers

IP Reputation – Automated attacks and compromised host protection
• Protection against access from Anonymous proxies, malicious hosts and sources identified in DDoS/Phishing attacks

Antivirus file upload scanning and Data Leak Prevention
• Scans uploaded files for viruses and malware (FortiGuard updates)
• Detects Information Disclosure, credit card and PII leakage

Application and Network Denial of Service Protection (DoS/DDoS protection)
• Detects and aggregates DoS attacks from multiple vectors

Auto Learn and Validation Rules
• Deviations from normal user behavior, automated and customer rules

Application Attack Signatures
• Detects known application attacks
• FortiGuard updates

Protocol Validation
• Validates HTTP RFC compliance


Fortinet Addresses PCI DSS

• FortiWeb addresses PCI 6.6
  • Web Application Firewall - OWASP Top Protection
  • Web Application Scanner
• FortiDB addresses PCI requirements with Data Activity and Vulnerability Assessment for Databases

• Requirement 2: No vendor supplied defaults for system passwords
• Requirement 3: Stored cardholder data must be protected
• Requirement 6: Develop and maintain secure systems
• Requirement 7: Access to data restricted on a need-to-know basis
• Requirement 10: Track and monitor access to cardholder data
• Requirement 11: Regular systems testing
• Requirement 12: Maintaining an information security policy

FortiWeb Value Add

• Accurate protection with multiple layers of defense
• Integrated Web Vulnerability Scanner
• Protects against the OWASP Top 10
• Positive and negative security policies
• Automated management using Auto Learn Baselining
• Sophisticated DoS/DDoS protection
• Layer 7 focus
• Botnet and malicious sources protection
• Easily deploys in any environment
• Multiple deployment options
• Dramatically reduce the risk of corporate data loss
• Data Analytics – Geo IP data analysis and security over the world map
• Accelerates applications
  • Application aware Load Balancing
  • Compression
  • ASIC based SSL Acceleration
• Helps achieve PCI compliance

Diagram labels: Application Security (HTTP Compliance, Application Signatures, Application Profiling, Data Leak Prevention, IP Reputation, DDoS Protection, Antivirus); Application Delivery (SSL Offloading and Acceleration, Authentication, Compression, Load Balancing); Vulnerability Assessment; Monitoring; FortiClient Desktop

Q&A

THIS IS FORTIWEB

FortiWeb: Additional Features

AntiVirus

FortiWeb Antivirus
• Scan file uploads using Fortinet’s antivirus engine
• Restrict file type uploads

Virus Databases
• Regular and extended virus databases

Updates
• Updates via FortiGuard antivirus service

Screenshot: AV Configuration

DLP

DLP Identification
• Credit card theft/misuse
• Information Disclosure
• Server information

Policy Actions
• Rewrite sensitive data with ‘xxxx’
• Alert, Block

Sensitive info in Logs
• Automatically mark with ‘xxxx’ any sensitive data in FortiWeb logs

FortiWeb monitors all outgoing web traffic to identify and erase sensitive customer data
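Added example (my code, not the product's DLP engine) of the credit-card identification and the rewrite, alert and block actions described above: candidate card numbers are located with a regex, only those that pass the Luhn check are treated as sensitive (so order numbers and timestamps are left alone), and the same rewrite serves for a response body or a log line. The regex, the action names and the sample text are my constructions.

```python
import re

# Candidate primary account number: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn checksum: separates real card numbers from other digit runs (order ids, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text):
    """Return the Luhn-valid card numbers found in text, as they appear (with separators)."""
    return [m.group(0) for m in PAN_RE.finditer(text)
            if luhn_ok(re.sub(r"[ -]", "", m.group(0)))]

def mask_pans(text, marker="xxxx"):
    """Rewrite every Luhn-valid card number with the marker; other digit runs stay untouched."""
    def repl(m):
        return marker if luhn_ok(re.sub(r"[ -]", "", m.group(0))) else m.group(0)
    return PAN_RE.sub(repl, text)

def apply_dlp(text, action="rewrite"):
    """Apply one policy action to a response body or log line; return (matches, output text).

    'rewrite' masks the numbers, 'block' drops the whole body, 'alert' only reports the count.
    """
    hits = len(find_pans(text))
    if hits == 0:
        return 0, text
    if action == "block":
        return hits, ""
    if action == "alert":
        return hits, text
    return hits, mask_pans(text)

if __name__ == "__main__":
    # Constructed log line: the PAN is masked, the order number is not.
    print(mask_pans("user=alice pan=5500-0000-0000-0004 order=1234567890123 status=200"))
```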
