6. Migration to the Cloud Continues
Almost half (48%) anticipate migrating up to 20% of their applications to the cloud.
About one in ten (12%) plan to migrate more than half of their applications to the cloud.
Complexity in managing security policies is the #1 security challenge.
Attackers can now target premise- and cloud-based applications.
Q: In the next 12-14 months, what percentage of your applications do you envision migrating to the cloud? (2015, n=311)
  Share of applications   Respondents
  0%                      23%
  1-20%                   48%
  21-50%                  18%
  51-75%                   6%
  76-99%                   2%
  100%                     4%
7. Rise in Popularity of Web Based Attacks
Top 10 Web Attack Methods (Source: Web Hacking Incident Database (WHID), Feb. 2013)
  Denial of Service                     25%
  SQL Injection                         24%
  Cross Site Scripting (XSS)            8.9%
  Brute Force                           4.8%
  Predictable Resource Location         3.8%
  Stolen Credentials                    3.7%
  Unintentional Information Disclosure  3%
  Banking Trojan                        2.8%
  Credential/Session Prediction         2.1%
  Cross Site Request Forgery (CSRF)     1.9%
Web attacks: most common attack vector
OWASP Top 10 attacks
Availability based attacks
8. Complexity of Attacks Continues to Grow
Multi-vector attacks target all layers of the infrastructure
Diagram: attack vectors along the path Internet Pipe, Firewall, Load Balancer/ADC, Server Under Attack, SQL Server, with the matching protection at each stage.
Attack vectors: Large volume network flood attacks; SYN floods; Network scan; “Low & Slow” DoS attacks (e.g. Slowloris); HTTP floods; SSL floods; App misuse; Brute force; XSS, CSRF, SQL injections
Protections: On-Demand Cloud DDoS; DoS protection; Behavioral analysis; IPS/IDS; WAF; SSL protection
9. Existing Solutions Still Mostly Manual
Over 80% of solutions require a medium to high degree of manual tuning.
Less than 20% require a low degree and are considered mostly automatic.
Q.22: What degree of manual tuning or configuration does your current solution require? (2015, n=311)
  High degree     24%
  Medium degree   58%
  Low degree      17%
10. The Web Security Challenge
Growing number of web applications to protect
More sophisticated web attacks and “bad” bots
More disaggregated networks lead to less control
Most solutions are still very manual
Need for Adaptive & Automated Web Security Protection
13. Unmatched Web Application Protection
Best-of-breed WAF (Physical or Virtual Appliance) and Cloud WAF Service:
Full coverage of OWASP Top-10
ICSA Labs Certification
Auto Generated Policy
Negative & Positive security models
Hybrid, single technology solution to protect both on-premise and cloud-based applications
Radware Cloud WAF
15. Radware’s Web Application Firewall (WAF): AppWall
Complete web application protection
Line speed availability attack mitigation
All-in-one application delivery & security
Shortest time to security
Compliance and auditing
Multi-vector role-based security policy
16. Complete Web Application Protection
Full coverage of OWASP Top-10 by negative & positive security models
Protection against dozens of attack vectors listed in the WASC Threat Classification
Efficient, accurate and difficult-to-evade out-of-the-box negative security:
• Terminating TCP connections
• Normalizing client-encoded traffic
• Blocking various evasion techniques
17. Complete Web Application Protection
Terminate TCP, Normalize, HTTP RFC
• Evasions
• HTTP response splitting (HRS)
• Signatures applied on normalized traffic
• URL / Base64 / UTF-8 encoded injections
Signature & Rule Protection
• Cross site scripting (XSS)
• SQL injection, LDAP injection, OS commanding
Data Leak Prevention
• Credit card number (CCN)
• Social Security (SSN)
• Regular Expression
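The point behind "signatures applied on normalized traffic" is that a signature matched against the raw wire bytes is trivially evaded by encoding the payload. The following added example (written for this page, not Radware's or AppWall's code) decodes percent-encoding repeatedly (to catch double encoding), unwraps clean Base64 tokens, and only then applies a small constructed signature set for XSS, SQL injection, OS commanding and CR/LF in a header value (the HRS case); the signature patterns, the decoding limit and the sample inputs are all constructed assumptions for illustration.

```python
"""Added example (not Radware's code): why a WAF applies signatures only after
normalizing the request. Rules, limits and sample inputs are constructed."""
import base64
import binascii
import re
from urllib.parse import unquote

# Constructed, deliberately tiny negative-security signatures; a production
# signature file has thousands of entries.
SIGNATURES = {
    "xss": re.compile(r"<\s*script\b", re.IGNORECASE),
    "sqli": re.compile(r"(?:'|\")\s*(?:or|and)\s+[\w'\"]+\s*=\s*[\w'\"]+", re.IGNORECASE),
    "os_commanding": re.compile(r"[;&|]\s*(?:cat|ls|id|whoami)\b", re.IGNORECASE),
    "hrs": re.compile(r"[\r\n]"),  # CR/LF inside a header value: response splitting
}


def _maybe_base64(text: str) -> str:
    """Decode only clean Base64 tokens (alphabet only, length multiple of 4)
    that yield printable UTF-8; anything else is returned unchanged."""
    if len(text) < 8 or len(text) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+=*", text):
        return text
    try:
        raw = base64.b64decode(text, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return text
    return raw if raw.isprintable() else text


def normalize(value: str, max_rounds: int = 3) -> str:
    """Percent-decode and Base64-unwrap repeatedly (bounded, so a client cannot
    make the WAF loop); stop as soon as a round changes nothing."""
    current = value
    for _ in range(max_rounds):
        decoded = _maybe_base64(unquote(current))
        if decoded == current:
            break
        current = decoded
    return current


def match_signatures(value: str) -> list:
    """Names of all signatures that fire on the given string, sorted."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(value))


def inspect_param(raw_value: str) -> dict:
    """Compare what a naive raw-bytes match and a normalized match each find."""
    normalized = normalize(raw_value)
    return {
        "raw_hits": match_signatures(raw_value),
        "normalized_hits": match_signatures(normalized),
        "normalized": normalized,
    }


# Constructed sample parameter values, each hiding a payload behind an encoding.
SAMPLES = {
    "url_encoded_xss": "%3Cscript%3Ealert(1)%3C/script%3E",
    "double_encoded_sqli": "%2527%2520or%25201%253D1",
    "base64_os_command": base64.b64encode(b";id;whoami").decode(),
    "crlf_in_header": "en-US%0d%0aSet-Cookie:%20admin=1",
    "benign": "hello%20world",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        result = inspect_param(value)
        print(f"{name:22} raw={result['raw_hits']} normalized={result['normalized_hits']}")
```

The raw match finds nothing in the first four samples; every one of them fires after normalization. The Base64 step is the one to watch for false positives: an eight-letter benign value that happens to be valid Base64 is decoded too, which is why the helper refuses anything that does not decode to printable text and why the number of decoding rounds is bounded.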
18. Complete Web Application Protection
Parameters Inspection
• Buffer overflow (BO)
• Zero-day attacks
User Behavior
• Cross site request forgery
• Cookie poisoning, session hijacking
Layer 7 ACL
• Application / folder / file / param level access control
• White listing or black listing
XML, JSON & Web Services
• XML & JSON validity and schema enforcement
Role Based Policy
• Authentication
• User Tracking
19. Line Speed Availability Attack Mitigation
Detecting and Blocking
• Attacks on web apps behind CDNs
• Advanced HTTP attacks: Slowloris, HTTP dynamic floods
• Brute force attacks on login pages
• SSL attacks
Line Speed Mitigation
• Up to 300 Gbps
• Up to 230M DDoS PPS
• 60 microseconds latency
Multi Layer Detection and Mitigation
20. Out-of-Path Deployment: Protection Against DDoS Attacks
Radware’s WAF is implemented out-of-path on a span port.
Attacker launches a web-application attack.
Radware’s WAF detects the web-application attack.
Radware’s WAF signals attack information to the perimeter Attack Mitigation Device (Defense Messaging).
Radware’s Attack Mitigation Device mitigates the attack at the perimeter.
Diagram components: Cloud, Perimeter, LAN; Attack Mitigation Device; WAF.
No Performance Impact. No Risk.
21. All-in-One Application Delivery and Security
Out-of-path or inline deployment
Deployed on multiple platforms
Delivered on platforms supporting up to 80 Gbps
Fault Isolation
SLA Assurance
High Platform Density
Fast, Reliable, Secure
22. Shortest Time to Security
Four-step flow: App Mapping, Threat Analysis, Policy Generation, Policy Activation
SHORTEST TIME TO PROTECTION: only 1 week for known attacks; 50% faster than other leading WAFs
BEST SECURITY COVERAGE: auto threat analysis with no admin intervention; over 150 attack vectors covered
LOWEST FALSE-POSITIVES: through auto-optimization of out-of-box rules
SECURITY ASSURANCE: automatic detection of web application changes, assuring security; post-development peace of mind throughout the application’s development lifecycle
23. Multi-Vector Role Based Security Policy
Authentication and login detection
Authorization and access control
Accounting and Auditing
Web based Single Sign On
Segregation of duties
CONTEXT: Web Role; IP & Geo Location
SECURITY POLICY: Application Access Control; Data Access and Visibility; Web Security (XSS, SQL Inj.)
ACTION: Block; Report
24. IP-Agnostic Device Fingerprinting & Tracking
IP address based identification and blocking has become obsolete:
- Attackers dynamically change IPs
- DHCP, anonymous proxies, CDN, NAT
AppWall goes beyond the IP address and uses a detailed device fingerprint built from over 2 dozen parameters (e.g. Operating System, System Fonts, Browser Plug-ins, Screen Resolution, Local IPs)
Device fingerprint enables precise activity tracking over time and development of Device Reputation
Provides advanced protection from:
- Website Scraping
- Brute Force Attacks
- HTTP Dynamic Floods
Improved Bot Detection and Blocking
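To make the slide's argument concrete (IP-keyed blocking fails when the source IP rotates, and over-blocks users who share one NAT address), here is an added example, not Radware's or AppWall's code, that keys a sliding-window failed-login counter on a device fingerprint instead of on the source IP. The fingerprint fields are a constructed subset of the "over 2 dozen parameters" the slide mentions, and the threshold, window and sample traffic are constructed assumptions.

```python
"""Added example (not Radware's code): brute-force detection keyed on a device
fingerprint rather than the source IP. Fields, threshold and traffic are constructed."""
import hashlib
from collections import defaultdict, deque

# Constructed subset of the fingerprint parameters named on the slide.
FINGERPRINT_FIELDS = ("os", "fonts", "plugins", "screen", "local_ips", "user_agent")


def device_fingerprint(attrs: dict) -> str:
    """Stable hash over the fingerprint fields only (the IP is deliberately not
    part of it); a missing field hashes as empty so omitting data does not
    give a client a fresh identity each request."""
    material = "\x1f".join(str(attrs.get(f, "")) for f in FINGERPRINT_FIELDS)
    return hashlib.sha256(material.encode()).hexdigest()[:16]


class LoginGuard:
    """Sliding-window count of failed logins per key (an IP or a fingerprint)."""

    def __init__(self, max_failures: int = 5, window_seconds: float = 60.0):
        self.max_failures = max_failures
        self.window = window_seconds
        self.failures = defaultdict(deque)

    def record_failure(self, key: str, now: float) -> bool:
        """Record one failed login at time `now`; True means the key is over threshold."""
        q = self.failures[key]
        q.append(now)
        while q and now - q[0] > self.window:   # drop events outside the window
            q.popleft()
        return len(q) > self.max_failures


def replay(events, keyfunc, guard: LoginGuard) -> set:
    """Feed (time, request) failed-login events through a guard; return blocked keys."""
    blocked = set()
    for t, req in events:
        key = keyfunc(req)
        if guard.record_failure(key, t):
            blocked.add(key)
    return blocked


# Constructed traffic: one device rotating through 8 source IPs, eight failures
# in eight seconds, plus three distinct office machines behind one NAT address
# that each fail a single login.
ATTACKER_DEVICE = {"os": "Linux", "fonts": "f1,f2", "plugins": "", "screen": "1024x768",
                   "local_ips": "10.0.0.7", "user_agent": "UA-A"}
EVENTS = []
for i in range(8):
    EVENTS.append((float(i), {"ip": f"203.0.113.{i}", **ATTACKER_DEVICE}))
for i, os_name in enumerate(("Windows", "macOS", "Linux")):
    EVENTS.append((10.0 + i, {"ip": "198.51.100.5", "os": os_name, "fonts": f"set{i}",
                              "plugins": "pdf", "screen": "1920x1080",
                              "local_ips": f"192.168.1.{i + 2}", "user_agent": f"UA-{i}"}))


def compare_keying() -> dict:
    """Same events, two keying strategies: by source IP and by device fingerprint."""
    by_ip = replay(EVENTS, lambda r: r["ip"], LoginGuard())
    by_fp = replay(EVENTS, device_fingerprint, LoginGuard())
    return {"by_ip": by_ip, "by_fingerprint": by_fp}


if __name__ == "__main__":
    result = compare_keying()
    print("blocked by IP:          ", result["by_ip"])
    print("blocked by fingerprint: ", result["by_fingerprint"])
```

Keyed by IP, nothing is blocked (each rotated address shows one failure) while the NAT address accumulates the three legitimate failures; keyed by fingerprint, the rotating device is blocked after its sixth attempt and the office machines stay separate. The fingerprint is only as stable as the attributes behind it, so a bot that randomizes them per request looks like many devices; that is why the slide pairs fingerprinting with reputation built over time rather than treating it as a replacement for every other signal.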
25. Compliance and Auditing
PCI DSS section 6.6 requirements
- Audit ready environment for PCI DSS compliance
- Security policies analysis
- Action plan for compliance
Advanced security graphical reports
Enhanced visibility into the application security and the detected attacks
26. Why Radware’s WAF?
Attack Mitigation
• Mitigating attacks on web applications behind CDNs
• Blocking the attack source at the perimeter
• Multi-layer detection and mitigation
Application Security & Delivery
• AppWall out-of-path and inline deployment modes
• Delivered on platforms supporting up to 80 Gbps
Compliance
• Action plan for compliance
• Advanced security graphical reports
Web Security
• Short time to protection
• Low false positive and false negative rates
• Auto-detection of web application changes
Segregation of Duties
• Mapping security web roles to LDAP organizational units or attributes
• Multi vector security policies: application access, data visibility etc.
27. Summary – More Than Just a WAF
Multi layered attack detection and mitigation
Out-of-path deployment with no performance impact or risk
Fast, reliable, and secure delivery of mission-critical web applications
Low maintenance costs and post deployment peace of mind
Audit ready and visibility into application security
Fastest to Deploy. Easiest to Maintain. Best Security Coverage.
29. Radware Cloud WAF Service: Unmatched Web Security Protection
Based on Radware’s ICSA Labs certified WAF
Auto policy generation engine for 0-day attack protection
Fully managed security service, beyond 24x7
Easy, flexible model
Integrated CPE and Cloud WAF Technologies
Always-on Behavioral-based DDoS protection
Radware Cloud WAF
30. Radware Cloud WAF
A web-based attack is launched and detected by Radware’s Cloud WAF. The attack is mitigated and clean traffic is relayed to the customer’s cloud and premise.
Diagram components: Radware Cloud WAF Service; Public Cloud; Organization’s Cloud Applications; Organization’s Premise Data Center.
31. Unmatched Web Security Protection
Full coverage of ALL OWASP Top-10
ICSA Labs certification
Auto-policy generation
Supports negative & positive security models
Attack Categories Covered
TCP Termination & Normalization
• HTTP Protocol attack (e.g. HRS)
• Path traversal
• Base64 and encoded attacks
• JSON and XML attacks
Login Protection
• Password cracking – Brute Force
Attack Signature and Rules
• Cross site scripting (XSS)
• Injections: SQL, LDAP
• OS commanding
• Server Side Includes (SSI)
LFI/RFI Protection
• Local File Inclusion
• Remote File Inclusion
Session Protection
• Cookie Poisoning
• Session Hijacking
Data Leak Prevention
• Credit card number (CCN)
• Social Security (SSN)
• Regular Expression
Access Control
• Predictable Resource Location
• Backdoor and debug resources
• File Upload attacks
DDoS Protection
• Behavioral Network DDoS
• Behavioral Application DDoS
• Network Challenge Response
• HTTP Challenge Response
• Access List
• Volumetric DDoS (add-on)
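The Data Leak Prevention category (credit card numbers, Social Security numbers, regular expressions) is listed here and on slide 17. The following added example, not Radware's code, shows the response-side check that category implies and why a regular expression alone produces false positives: the card-number candidate regex is followed by a Luhn checksum so that an order number that merely looks like a card is left alone, and matches are masked before the body leaves the WAF. The patterns, the masking format and the sample response are constructed for illustration; the card number is the standard 4111... test number and the SSN is the well-known 078-05-1120 specimen.

```python
"""Added example (not Radware's code): response-side data leak prevention for
CCN and SSN with a Luhn check to cut false positives. Patterns and samples are constructed."""
import re

# 13-19 digits with optional space or dash separators; a candidate only.
CCN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN format with the never-issued area/group/serial values excluded.
SSN_PATTERN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most random digit runs that only look like a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_ccns(text: str) -> list:
    """Card-number candidates that also pass Luhn, as they appear in the text."""
    hits = []
    for m in CCN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(m.group())
    return hits


def find_ssns(text: str) -> list:
    return [m.group() for m in SSN_PATTERN.finditer(text)]


def mask(token: str) -> str:
    """Keep only the last four digits so support staff can still reference the record."""
    digits = re.sub(r"\D", "", token)
    return "*" * (len(digits) - 4) + digits[-4:]


def filter_response(body: str) -> dict:
    """Return the body with leaks masked plus per-category counts for the event log."""
    ccns, ssns = find_ccns(body), find_ssns(body)
    out = body
    for tok in ccns + ssns:
        out = out.replace(tok, mask(tok))
    return {"body": out, "ccn": len(ccns), "ssn": len(ssns)}


# Constructed response body: one real-format card number, one SSN specimen and
# a 16-digit order number that fails Luhn and must be left untouched.
SAMPLE_RESPONSE = "Card 4111 1111 1111 1111 charged; SSN 078-05-1120; order 1234 5678 9012 3456."

if __name__ == "__main__":
    print(filter_response(SAMPLE_RESPONSE))
```

Masking rather than blocking is a design choice: dropping the whole response breaks the application for the user who triggered a legitimate page, while masking keeps the page usable and still produces a countable event. The Luhn step is what keeps the false-positive rate down; the SSN pattern has no checksum, so it relies on the structural exclusions only.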
32. 0-Day Attack Protection: Shortest Time to Security
(Same content as slide 22: the App Mapping, Threat Analysis, Policy Generation, Policy Activation flow with its time-to-protection, coverage, false-positive and security-assurance claims.)
33. Fully Managed Security Service, Beyond 24x7
24x7 support
System monitoring and auto policy generation
Proactive analysis including policy optimization and logs review
Backed by Radware's Emergency Response Team (ERT)
34. Easy, Flexible Model
Simple setup - nothing to download or install
Phased and risk free onboarding
– 3 step process
– Every new policy is initially introduced in Span Port
– 7 days for new policy activation
OPEX-based model
3 levels of service offering (Silver, Gold & Platinum)
Flexibility in growth options
Diagram: Out-of-path; Auto Policy; Inline passive mode; Inline protective mode
35. Integrated CPE and Cloud WAF Technologies
Only solution to integrate with on-premise security devices
Increased visibility and control in disaggregated application-delivery environments
Cloud-to-premise attack messaging to further secure data centers
Allows for ease and speed of security policy orchestration & automation
Unified, hybrid solution supporting your cloud migration path
36. Always-On Behavioral-Based DDoS Protection
Based on Radware's attack mitigation device (DefensePro)
Includes Anti DDoS, NBA and IPS protection
Adaptive behavioral analysis and challenge response technologies
37. Volumetric DDoS Attack Protection
A volumetric attack is launched on the customer environment. The attack is detected by Radware’s attack mitigation device in the Radware Cloud POP. The attack baseline is synchronized to Radware’s Scrubbing Center (Defense Messaging) and traffic is redirected. Traffic is cleaned by the Scrubbing Center and sent to the customer’s cloud and premise.
Diagram components: Radware Cloud WAF; Radware Cloud Scrubbing; Data Center; Public Cloud; Organization’s Cloud Applications; Organization’s Premise.
38. Scalability and Availability
Service Monitoring: Traffic Volume Monitoring, HTTP Health-checks
Redundancy: for all network components – No single point of failure
Failover: Auto failover based on Active – standby
Disaster Recovery: DNS redirection to secondary site; Tier 1 DNS
39. Offering Sets
Service available in three packages:
DDoS protection of up to 1 Gbps of attack traffic is included in all packages
Volumetric DDoS-attack protection available at additional cost
Silver
• Single shared policy for multiple web applications
• Basic security offering to secure against common web attacks
Gold
• Dedicated policy for each web application
• PCI Compliance ready policy
• Added protection from data and access centric attacks
Platinum
• OWASP Top 10 coverage
• Extended security policy
• Zero-day attack protection
• Advanced attack protection
40. Why Radware Cloud WAF?
Integrated CPE and Cloud WAF Technologies
• Only solution with the same technology to protect both cloud-based and on-premise applications
Unmatched Web Application Protection
• Full OWASP Top 10 coverage
• Auto policy generation; ICSA Labs certification
Fully Managed Security Service
• 24x7 Support
• Backed by Radware’s ERT security experts
Easy, Flexible Model
• Simple, no setup
• OPEX based with 3 offerings to choose from
Always-On Behavioral-Based DDoS Protection
• Based on Radware’s attack mitigation device
• Minimal false positives; no impact on legitimate traffic
42. Radware Cloud WAF Service Full SLA
Security Offerings – DDoS Features                Silver             Gold               Platinum
Behavioral Network Layer DDoS Protection          Yes                Yes                Yes
Behavioral Application Layer DDoS Protection      Yes                Yes                Yes
Network Challenge Response                        Yes                Yes                Yes
HTTP Challenge Response                           Yes                Yes                Yes
Access List – on demand, up to 1 list per month   Up to 100 entries  Up to 100 entries  Up to 100 entries
Weekly Security Update Subscription               Yes                Yes                Yes
Attack volume supported                           Up to 1G           Up to 1G           Up to 1G

Security Offerings – WAF Features                 Silver             Gold               Platinum
HTTP Protocol Manipulation                        Yes                Yes                Yes
Error info leakage & fingerprinting               Yes                Yes                Yes
Known Vulnerabilities & Custom Rules              Yes                Yes                Yes
SQL, OS and LDAP Injection                        Yes                Yes                Yes
Cross Site Scripting (XSS)                        Yes                Yes                Yes
SSL (including custom certificate)                Yes                Yes                Yes
Geo Location, Anonymous proxies                   Yes                Yes                Yes
Credit Card Number Leakage                        No                 Yes                Yes
CSRF                                              No                 Yes                Yes
Access Control (White & Black list)               No                 Yes                Yes
Brute Force                                       No                 Yes                Yes
Session attacks (hijacking, cookie poisoning)     No                 No                 Yes
Zero Day Protection; Parameter policy             No                 No                 Yes
XML and Web Service                               No                 No                 Yes
43. Radware Cloud WAF Service Full SLA
Service Offerings – Service                                                    Silver       Gold         Platinum
24 X 7 support                                                                 Yes          Yes          Yes
Managed Security Service                                                       Yes          Yes          Yes
Logs review and system monitoring                                              Yes          Yes          Yes
Customized Weekly Scheduled Reports                                            Yes          Yes          Yes
Tenant-based Policy (shared policy for multiple apps)                          Yes          No           No
Application Based Policy                                                       No           Yes          Yes
Auto Policy Generation                                                         Yes          Yes          Yes
Dedicated WAF instance                                                         No           No           Yes
Proactive Security Policy Review and optimization, at least once a month       No           No           Yes
2 Forensics Reports per year                                                   No           No           Yes
Emergency Response Attack Mitigation                                           Yes          Yes          Yes
Pre-attack high risk alerts                                                    Yes          Yes          Yes
Post attack report and recommendations                                         Yes          Yes          Yes
Time to Security Expert response SLA                                           Best Effort  Best Effort  Best Effort
Number of DDoS Protection policy changes per calendar month (non-cumulative)   1            1            1
Editor's Notes
The Perimeter is disappearing - With the development of private and public clouds, more and more organizations are transitioning towards virtualizing their services.
The hosting of applications is often distributed – while some applications are migrated to the cloud, others are still in transition or will always remain on-premise. Organizations are now faced with needing to protect their applications everywhere – on-premise and in-the-cloud.
As more services are moved outside of the enterprise perimeter and on to the cloud, this opens the door for attackers to target enterprise applications in the cloud where the on-premise attack mitigation tools are ineffective.
Organizations that rely solely on on-premise attack mitigation are leaving their cloud-based applications vulnerable to attacks.
The threat landscape is evolving.
The task of ensuring application availability is becoming more complex.
As attacks are getting longer, larger and more sophisticated, organizations need to be able to protect their applications from a large variety of security threats including:
Web-based attacks
Mostly known through the Open Web Application Security Project (OWASP) Top 10 which lists out the most common web-based threats.
Includes threats such as SQL Injections, Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF), which are typically not covered by traditional firewalls and intrusion detection systems (IDS).
Availability based attacks –
Distributed Denial of Service (DDoS) attacks at both the network and application layers.
Includes the use of automated programs (bots) as well as humans to launch attacks aimed at exhausting application resources.
Attackers are deploying multi-vulnerability attack campaigns by increasing the number of attack vectors they launch in parallel. To target your blind spot, different attack vectors target different layers of the network and data center, for example network DDoS, application DDoS, low & slow, SSL attacks and web attacks. If even one vector goes undetected, the attack is successful and the result is highly destructive.
To effectively mitigate all types of DoS/DDoS attacks you need to use multiple protection tools, such as:
DoS protection to detect and mitigate all types of network DDoS attacks
Behavioral Analysis to protect against application DDoS and misuse attacks. Behavioral-based real-time signatures and a challenge-response mechanism can block the attack traffic accurately without blocking legitimate user traffic.
IPS to block known attack tools and the low and slow attacks
SSL protection to protect against encrypted flood attacks
WAF, web application firewall, to prevent web application vulnerability exploitation
All these protection tools are needed ON PREMISE to detect attacks in real time and mitigate them immediately. But on-premise protection tools are not enough. About 15% of all DDoS attacks are volumetric attacks that threaten to saturate the internet pipe. In these cases, you need to move mitigation to cloud DDoS scrubbing.
You need cloud DDoS protection to mitigate volumetric DDoS attacks.
But that alone is not enough. You also need the other tools and technologies to provide full protection from today’s complex, multi-vector threats, and you need them on premise to provide real-time detection and mitigation.
Radware offers a complete, hybrid solution integrating
on-premises detection & mitigation that is always-on
cloud-based volumetric attack scrubbing on-demand when needed
It’s a single-vendor, real-time solution that includes all the protection tools needed.
Providing protection from web-based attacks is a core part of Radware’s attack mitigation solution.
We offer this protection through our Web Application Firewall – a best of breed WAF that:
Provides full coverage of all the OWASP top-10 threats,
Is ICSA Labs certified
Has the unique ability to auto generate policies
And supports both negative and positive security models
In addition, we also offer a hybrid cloud WAF service – a fully managed cloud service that provides all the protections of a best-of-breed web application firewall but in an easy-to-use way.
Radware is the only vendor to have integrated CPE and Cloud WAF technologies and offers a single-vendor solution to protect both your cloud-based and on-premise applications. It gives you more control and visibility into your on-premise and cloud-based applications and allows for ease and speed of security policy orchestration & automation between on-premise and cloud.
Radware’s Hybrid Cloud WAF Service provides a fully managed and always-on, cloud-based web application firewall service.
It’s the industry's first hybrid-based Cloud WAF service that integrates with Radware's on-premise devices to provide comprehensive coverage.
The service provides full and unparalleled protection from web application-based attacks and is based on Radware’s Attack Mitigation Solution, which is comprised of Radware's AppWall, DefensePro and DefensePipe products.
Easy to set up – no user interaction
Wide coverage of both common and advanced web attacks as well as DDoS attacks.
The Hybrid Cloud WAF Service is based primarily on Radware's web application firewall – AppWall.
Provides FULL coverage from ALL the OWASP top-10 attacks
Is ICSA Labs certified
Supports both negative and positive security models:
Positive security policies are based on behavioral analysis technology. The security technology learns what the possible inputs for each web page are and what the typical values for each input field are. It then locks the policy to the allowed ranges of values. Positive security profiles are a proven protection against zero-day attacks.
Negative security policies are based on static signature detection technology. The WAF module stores a signature file that covers thousands of known application vulnerabilities and exploits that are checked against every user transaction. Once a signature match is found – the session is terminated and the attack is blocked
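The two models described in these notes (and the "Parameters Inspection" and "Zero-day attacks" items on slide 18) complement each other, and the difference is easiest to see in code. The following added example is not Radware's or AppWall's code: a constructed negative model that matches two static signatures sits beside a constructed positive model that, during a learning phase, records the character class and length range seen for each (page, parameter), is then locked (the "policy activation" step), and afterwards rejects any value outside that profile even when no signature fires. The field names, signatures, character classes and sample traffic are all assumptions made for the illustration.

```python
"""Added example (not Radware's code): negative (signature) versus positive
(learned profile) security models on the same parameter values. All rules,
classes and traffic below are constructed."""
import re

# Negative model: static signatures for known-bad input (constructed, tiny set).
NEGATIVE_SIGNATURES = [
    ("sqli", re.compile(r"'\s*or\s+\S+\s*=\s*\S+", re.IGNORECASE)),
    ("xss", re.compile(r"<\s*script\b", re.IGNORECASE)),
]


def negative_check(value: str):
    """Return the name of the first matching signature, or None."""
    for name, rx in NEGATIVE_SIGNATURES:
        if rx.search(value):
            return name
    return None


def char_class(value: str) -> str:
    """Coarse character class of a parameter value (constructed taxonomy)."""
    if re.fullmatch(r"\d+", value):
        return "digits"
    if re.fullmatch(r"[A-Za-z]+", value):
        return "alpha"
    if re.fullmatch(r"[A-Za-z0-9_.@-]+", value):
        return "alnum-safe"
    return "other"


class PositiveProfile:
    """Learns, per (page, parameter), the character classes and length range
    of observed values; once activated the profile is locked and enforced."""

    def __init__(self):
        self.profile = {}
        self.locked = False

    def learn(self, page: str, param: str, value: str) -> None:
        if self.locked:
            raise RuntimeError("policy is active; relearning needs a new learning phase")
        p = self.profile.setdefault((page, param),
                                    {"classes": set(), "min": len(value), "max": len(value)})
        p["classes"].add(char_class(value))
        p["min"] = min(p["min"], len(value))
        p["max"] = max(p["max"], len(value))

    def activate(self) -> None:
        self.locked = True

    def check(self, page: str, param: str, value: str):
        """None when the value fits the learned profile, otherwise the reason."""
        p = self.profile.get((page, param))
        if p is None:
            return "unknown parameter"
        if char_class(value) not in p["classes"]:
            return "character class outside profile"
        if not p["min"] <= len(value) <= p["max"]:
            return "length outside profile"
        return None


# Constructed learning-phase traffic: clean requests to a login page.
LEARNING_TRAFFIC = [
    ("/login", "user", "alice"), ("/login", "user", "bob"), ("/login", "user", "carol_9"),
    ("/login", "pin", "1234"), ("/login", "pin", "9876"),
]


def build_policy() -> PositiveProfile:
    policy = PositiveProfile()
    for page, param, value in LEARNING_TRAFFIC:
        policy.learn(page, param, value)
    policy.activate()   # lock: nothing seen after this point changes the profile
    return policy


def evaluate(policy: PositiveProfile, page: str, param: str, value: str) -> dict:
    """Run both models; either one rejecting is enough to block."""
    neg = negative_check(value)
    pos = policy.check(page, param, value)
    return {"negative": neg, "positive": pos, "verdict": "block" if (neg or pos) else "allow"}


if __name__ == "__main__":
    policy = build_policy()
    for page, param, value in [("/login", "user", "dave"), ("/login", "pin", "12a4"),
                               ("/login", "user", "' or 1=1"), ("/login", "user", "x" * 40)]:
        print(page, param, repr(value), evaluate(policy, page, param, value))
```

Two of the sample values show why the models are combined: the letter in a PIN and the forty-character username match no signature at all yet are blocked by the profile, while the injection string is caught by both. The flip side is visible in the learning phase: a free-text field that legitimately contains spaces and punctuation learns the "other" class and so gets little positive-model protection, and any attack traffic present during learning is baked into the baseline, which is the reason for learning on a clean window and then locking.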
Has the unique ability to generate policies automatically:
Patent-protected technology to create and maintain security policies for the widest security coverage with the lowest false positives and lowest operational effort.
A four step flow to create and maintain security policies – Application Mapping, Threat Analysis, Policy Generation, Policy Activation
No other WAF can do that and it eliminates many of the complexities involved with setting up and configuring existing WAF solutions.
It’s a fully managed service. It gives organizations full support and service before, during and after attacks – so customers don’t have to deal with anything.
This includes 24x7 support, proactive log review and analysis, system monitoring and auto policy generation.
And its supported by Radware's Emergency Response Team (ERT) – a dedicated group of security experts that actively monitor and mitigate attacks in real time.
The service is EASY. This is a very important point. It gives the customer all the protections of a best-of-breed web application firewall but in an easy-to-use way.
The service is offered in a simple, OPEX-based model with 3 packages to choose from (Silver, Gold & Platinum, detailed below).
It is very simple to set up, with no deployment process or download/install of items needed.
And once it’s set up, Radware's security experts have immediate access and require no customer interaction or resources to get started.
First, this is the only solution with integrated CPE and Cloud WAF technologies and offers a single-vendor solution to protect both your cloud-based and on-premise applications.
It’s important that this solution is a hybrid solution. In a non-hybrid solution the burden is on the customer to integrate at minimum two vendor solutions to fully protect their on-premise and cloud applications. So the customer has to deal with managing different vendors, roadmap integrations, blind spots and varying degrees of protection features between the offerings.
It also limits the visibility and control you have on your network - Organizations cannot look at attacks that occur in the cloud and differentiate them from attacks on-premise. Was it the same vulnerability? Was it the same perpetrator in both attacks? These questions simply cannot be answered because your quality of detection is limited.
Additionally – the quality of mitigation is also limited – How does one mitigate a security problem on-premise when discovered in cloud? Vice versa?
So having ONE technology that protects both your CPE and Cloud based applications is important. It allows for worldwide mitigation of threats detected in the cloud via messaging to Radware's on-premise security devices, as well as ease and speed of security policy orchestration & automation.
And it is supported by Radware's attack mitigation device, DefensePro, to provide DDoS protection. That includes all the tools and technologies supported by DefensePro, including anti-DDoS, NBA and IPS protection, to provide comprehensive coverage with minimal false positives and no impact on legitimate traffic.
Employs multiple detection & mitigation modules including adaptive behavioral analysis and challenge response technologies in addition to signature detection
Minimal false positive and no impact on legitimate traffic
Unique messaging maximizes protection against web based attacks
You can see in this scenario how a volumetric attack is detected by the Radware Cloud and traffic is redirected to the scrubbing center for mitigation. This assumes that the customer has purchased the additional cloud scrubbing protection offering.
We build this service with an emphasis on availability. We have lots of checks and redundancies in place to make sure it operates and provides the best SLA to customers.
Radware's Hybrid Cloud WAF offers best of breed, enterprise grade WAF and DDoS protection in a fully-managed cloud solution.