Product Manager at WTR Services
Radware Web Application Protection
Offerings
Deivid Toledo
January 8, 2016
About Radware
Our Track Record
Global Technology Partners
Over 10,000 Customers
Company Growth (chart): revenue in USD millions by year, with year-over-year growth
2002: 43.7 (+1%)
2003: 54.8 (+25%)
2004: 68.4 (+25%)
2005: 77.6 (+13%)
2006: 81.4 (+5%)
2007: 88.6 (+9%)
2008: 94.6 (+7%)
2009: 108.9 (+15%)
2010: 144.1 (+32%)
2011: 167.0 (+16%)
2012: 189.2 (+13%)
2013: 193.0 (+2%)
2014: 221.9 (+15%)
Market Leading WAF Offering
Customer segments: Banking & Finance, Gov't & Enterprise, Telco & Cloud Service Providers, Retail/eCommerce
Current Trends
Migration to the Cloud Continues
Almost half (48%) anticipate migrating up to 20% of their applications to the cloud; about one in ten (12%) plan to migrate more than half of their applications to the cloud.
Complexity in managing security policies is the #1 security challenge.
Attackers can now target premise- and cloud-based applications.
Share of applications expected to migrate (2015, n=311): 0% of apps: 23%; 1-20%: 48%; 21-50%: 18%; 51-75%: 6%; 76-99%: 2%; 100%: 4%
Q: In the next 12-14 months, what percentage of your applications do you envision migrating to the cloud?
Rise in Popularity of Web Based Attacks
Top 10 Web Attack Methods (share of recorded incidents):
- Denial of Service: 25%
- SQL Injection: 24%
- Cross Site Scripting (XSS): 8.9%
- Brute Force: 4.8%
- Predictable Resource Location: 3.8%
- Stolen Credentials: 3.7%
- Unintentional Information Disclosure: 3%
- Banking Trojan: 2.8%
- Credential/Session Prediction: 2.1%
- Cross Site Request Forgery (CSRF): 1.9%
Web attacks are the most common attack vector; the list is dominated by availability-based attacks (DoS) and OWASP Top 10 attacks (SQL injection, XSS, CSRF).
Source: Web Hacking Incident Database (WHID), Feb. 2013
Complexity of Attacks Continues to Grow
Multi-vector attacks target all layers of the infrastructure
Figure (attack vectors along the path Internet pipe > firewall > load balancer/ADC > server under attack > SQL server): large volume network flood attacks; SYN floods; network scan; HTTP floods; SSL floods; "low & slow" DoS attacks (e.g. Slowloris); app misuse; brute force; XSS, CSRF, SQL injections. Matching protection layers: on-demand cloud DDoS, DoS protection, behavioral analysis, IPS/IDS, WAF, SSL protection.
Existing Solutions Still Mostly Manual
Over 80% of solutions require a medium to high degree of manual tuning; less than 20% require a low degree and are considered mostly automatic.
Degree of manual tuning required (2015, n=311): high degree 24%; medium degree 58%; low degree 17%
Q.22: What degree of manual tuning or configuration does your current solution require?
The Web Security Challenge
- Growing number of web applications to protect
- More sophisticated web attacks and "bad" bots
- More disaggregated networks lead to less control
- Most solutions are still very manual
Need for Adaptive & Automated Web Security Protection
Radware's Web Application Firewall Offering
Radware's Hybrid Attack Mitigation Solution
Radware provides complete hybrid protection: always-on DDoS and WAF on-premise (DoS protection, behavioral analysis, IPS, WAF, SSL protection) with DDoS in-the-cloud activated on-demand.
Unmatched Web Application Protection
Best-of-breed WAF (physical or virtual appliance) and Cloud WAF Service:
- Full coverage of OWASP Top-10
- ICSA Labs Certification
- Auto generated policy
- Negative & positive security models
Hybrid, single technology solution to protect both on-premise and cloud-based applications
Radware Cloud WAF
Best-of-Breed WAF
Radware’s Web Application Firewall (WAF)
Complete web application protection
Line speed availability attack mitigation
All-in-one application delivery & security
Shortest time to security
Compliance and auditing
Multi-vector role-based security policy
AppWall
Complete Web Application Protection
- Full coverage of OWASP Top-10 by negative & positive security models
- Protection against dozens of attack vectors listed in the WASC Threat Classification
- Efficient, accurate and difficult-to-evade out-of-the-box negative security:
  • Terminating TCP connections
  • Normalizing client-encoded traffic
  • Blocking various evasion techniques
Complete Web Application Protection
Terminate TCP, normalize, enforce HTTP RFC:
- Evasions
- HTTP response splitting (HRS)
- Signatures applied on normalized traffic
- URL / Base64 / UTF-8 encoded injections
Signature & rule protection:
- Cross site scripting (XSS)
- SQL injection, LDAP injection, OS commanding
Data leak prevention:
- Credit card number (CCN)
- Social Security number (SSN)
- Regular expression
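The two steps above, normalizing a request value before any signature is applied and scanning the response for card numbers, are easy to get wrong, so here is an added example of both written for this page. It is not AppWall code and not Radware's signature set: the decode-pass limit, the handful of regular expressions, the Luhn filter and every sample value are constructed here purely to show why matching must happen after decoding (double percent-encoding, base64-wrapped payloads and fullwidth Unicode each hide the same `' OR 1=1--` or `<script>` from a raw-byte match) and why a card-number regex needs a checksum to keep false positives down.

```python
import base64
import binascii
import re
import unicodedata
from typing import Optional, Tuple
from urllib.parse import unquote_plus

MAX_DECODE_PASSES = 3  # bound on repeated %-decoding; assumed value for this example


def normalize(value: str) -> str:
    """Canonicalise a request value before any signature is applied:
    repeated percent-decoding (bounded, so %2527 -> %27 -> ' is caught),
    '+' to space, and Unicode NFKC so fullwidth forms such as U+FF1C collapse
    to plain ASCII '<'. Matching the raw bytes instead is what evasions exploit."""
    current = value
    for _ in range(MAX_DECODE_PASSES):
        decoded = unquote_plus(current)
        if decoded == current:
            break
        current = decoded
    return unicodedata.normalize("NFKC", current)


def maybe_base64(value: str) -> Optional[str]:
    """Decode value if it is a plausible base64 blob, else None."""
    if len(value) < 8 or len(value) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+=*", value):
        return None
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


# Illustrative negative-security signatures, constructed for this example.
SIGNATURES = [
    ("sqli", re.compile(r"(?i)(\bunion\b\s+(all\s+)?select\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+|;\s*drop\b)")),
    ("xss", re.compile(r"(?i)(<\s*script\b|\bon(load|error|click|mouseover)\s*=|javascript\s*:)")),
    ("os_cmd", re.compile(r"(?i)[;&|`]\s*(cat|ls|id|whoami|nc|curl|wget)\b")),
    ("hrs", re.compile(r"[\r\n]")),  # bare CR/LF in a value reflected into a header = response splitting
]


def inspect_value(raw: str) -> Optional[Tuple[str, str]]:
    """Return (signature_name, normalized_form) for the first hit, else None.
    Base64 is tried on the raw value first because '+' is a base64 symbol but
    becomes a space once the value is treated as form-encoded."""
    candidates = [normalize(raw)]
    decoded = maybe_base64(raw.strip()) or maybe_base64(candidates[0].strip())
    if decoded is not None:
        candidates.append(normalize(decoded))
    for candidate in candidates:
        for name, pattern in SIGNATURES:
            if pattern.search(candidate):
                return name, candidate
    return None


# --- Data leak prevention on the response side --------------------------------
CCN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; separates real PANs from order numbers that merely look like one."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_card_numbers(body: str) -> Tuple[str, int]:
    """Mask every Luhn-valid card number in a response body; return (body, hits)."""
    hits = 0

    def repl(match):
        nonlocal hits
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)  # looks like a PAN, fails the checksum: leave it alone
        hits += 1
        return "*" * (len(digits) - 4) + digits[-4:]

    return CCN_CANDIDATE.sub(repl, body), hits


# Constructed samples: double-encoded, base64-wrapped and fullwidth payloads, plus benign values.
B64_SQLI = base64.b64encode(b"' OR 1=1--").decode()
SAMPLE_VALUES = {
    "double_encoded": "%2527%20OR%201%3D1--",
    "base64_wrapped": B64_SQLI,
    "fullwidth_xss": "\uff1cscript\uff1ealert(1)\uff1c/script\uff1e",
    "response_split": "index.html%0d%0aSet-Cookie:%20admin=1",
    "benign_text": "O'Reilly books",
    "benign_base64": base64.b64encode(b"Hello world").decode(),
}

if __name__ == "__main__":
    for label, value in SAMPLE_VALUES.items():
        print(f"{label:16s} -> {inspect_value(value)}")
    print(mask_card_numbers("card 4111 1111 1111 1111, ref 4111 1111 1111 1112"))
```

Running the module prints each sample with the signature it triggers after normalization; the benign text and the benign base64 blob trigger nothing, and only the Luhn-valid test number in the response is masked. The decode-pass bound matters: an unbounded loop is itself a DoS vector, and a WAF that decodes fewer times than the application behind it can be bypassed by adding one more layer of encoding.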
Complete Web Application Protection
Parameters inspection:
- Buffer overflow (BO)
- Zero-day attacks
User behavior:
- Cross site request forgery
- Cookie poisoning, session hijacking
Layer 7 ACL:
- Application / folder / file / parameter level access control
- White listing or black listing
XML, JSON & Web Services:
- XML & JSON validity and schema enforcement
Role based policy:
- Authentication
- User tracking
Line Speed Availability Attack Mitigation
Detecting and blocking:
- Attacks on web apps behind CDNs
- Advanced HTTP attacks
- Slowloris
- HTTP dynamic floods
- Brute force attacks on login pages
- SSL attacks
Line speed mitigation:
- Up to 300 Gbps
- Up to 230M DDoS PPS
- 60 microseconds latency
Multi layer detection and mitigation
Out-of-Path Deployment: Protection Against DDoS Attacks
Radware's WAF is deployed out-of-path on a SPAN port in the LAN, with the Attack Mitigation Device at the perimeter:
- An attacker launches a web-application attack.
- Radware's WAF detects the web-application attack on the mirrored traffic.
- Radware's WAF signals the attack information to the perimeter Attack Mitigation Device (Defense Messaging).
- Radware's Attack Mitigation Device mitigates the attack at the perimeter.
No performance impact on the production path, no risk.
All-in-One Application Delivery and Security
- Out-of-path or inline deployment
- Deployed on multiple platforms
- Delivered on platforms supporting up to 80 Gbps
- Fault isolation
- SLA assurance
- High platform density
Fast, reliable, secure
Shortest Time to Security
App Mapping > Threat Analysis > Policy Generation > Policy Activation
- Shortest time to protection: only 1 week for known attacks, 50% faster than other leading WAFs
- Best security coverage: auto threat analysis with no admin intervention; over 150 attack vectors covered
- Lowest false positives: through auto-optimization of out-of-box rules
- Security assurance: automatic detection of web application changes assuring security; post-development peace of mind throughout the application's development lifecycle
Multi-Vector Role Based Security Policy
- Authentication and login detection
- Authorization and access control
- Accounting and auditing
- Web based Single Sign On
- Segregation of duties
Policy dimensions: context (web role, IP & geo location); security policy (application access control, data access and visibility, web security such as XSS and SQL injection); action (block, report)
IP-Agnostic Device Fingerprinting & Tracking
IP address based identification and blocking is no longer reliable on its own:
- Attackers dynamically change IPs
- DHCP, anonymous proxies, CDNs and NAT mean one IP address does not map to one client
AppWall goes beyond the IP address and uses a detailed device fingerprint built from over two dozen parameters (e.g. operating system, system fonts, browser plug-ins, screen resolution, local IPs).
The device fingerprint enables precise activity tracking over time and the development of device reputation.
Provides advanced protection from:
- Website scraping
- Brute force attacks
- HTTP dynamic floods
Improved bot detection and blocking
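To make the "IP-agnostic" point concrete, here is an added example (not Radware's implementation): a fingerprint hash over client attributes that exclude the source IP, and a sliding-window failed-login counter keyed on that hash. The attribute names, the threshold and window, the per-IP comparison counter and the whole scenario (an attacker rotating through eight addresses, a legitimate user mistyping twice) are assumptions constructed for this example; what it shows is that a per-IP counter never sees more than one failure per address while the fingerprint counter blocks the device on the fifth attempt.

```python
import hashlib
import json
from collections import defaultdict, deque
from typing import Dict, List, Tuple

# Client attributes that do not depend on the source IP (the slide lists OS, system
# fonts, browser plug-ins, screen resolution and local IPs among its parameters).
# Field names are assumptions for this example.
FINGERPRINT_FIELDS = ("user_agent", "os", "screen", "fonts", "plugins", "timezone", "local_ips")


def device_fingerprint(attrs: Dict) -> str:
    """Stable identifier for a device: a hash over the canonicalised attribute set.
    The source IP is deliberately not part of it, so rotating IPs does not change it;
    list-valued attributes are sorted so that reporting order does not either."""
    canonical = {}
    for key in FINGERPRINT_FIELDS:
        value = attrs.get(key)
        canonical[key] = sorted(value) if isinstance(value, list) else value
    digest = hashlib.sha256(json.dumps(canonical, sort_keys=True).encode()).hexdigest()
    return digest[:16]


class LoginTracker:
    """Sliding-window failed-login counter keyed by device fingerprint.
    Also keeps a naive per-IP counter so the two approaches can be compared."""

    def __init__(self, threshold: int = 5, window: int = 300) -> None:
        self.threshold = threshold
        self.window = window
        self.failures: Dict[str, deque] = defaultdict(deque)   # fp -> failure timestamps
        self.blocked: Dict[str, int] = {}                      # fp -> blocked-until timestamp
        self.failures_by_ip: Dict[str, int] = defaultdict(int)

    def observe(self, event: Dict) -> str:
        fp = device_fingerprint(event["client"])
        now = event["ts"]
        if self.blocked.get(fp, 0) > now:
            return "block"
        if event["login_ok"]:
            return "allow"
        self.failures_by_ip[event["ip"]] += 1
        recent = self.failures[fp]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.threshold:
            self.blocked[fp] = now + self.window   # simple device reputation: block for one window
            return "block"
        return "allow"


def simulate() -> Tuple[List[str], int, List[str]]:
    """Constructed scenario: one attacker rotating through 8 source IPs (one failed
    login each) and one legitimate user mistyping twice before logging in."""
    attacker = {
        "user_agent": "Mozilla/5.0 (Windows NT 10.0) example-client",
        "os": "Windows 10", "screen": "1920x1080", "timezone": "UTC+2",
        "fonts": ["Arial", "Calibri", "Verdana"], "plugins": ["PDF Viewer"],
        "local_ips": ["192.168.1.23"],
    }
    legit_user = dict(attacker, screen="1440x900", fonts=["Arial", "Helvetica"], local_ips=["10.0.0.7"])

    tracker = LoginTracker(threshold=5, window=300)
    attacker_decisions = []
    attacker_ips = [f"203.0.113.{i + 1}" for i in range(8)]
    for i, ip in enumerate(attacker_ips):
        client = dict(attacker)
        # fonts reported in a different order on alternate requests: same fingerprint
        client["fonts"] = list(reversed(attacker["fonts"])) if i % 2 else attacker["fonts"]
        attacker_decisions.append(tracker.observe(
            {"ts": 1_000 + 10 * i, "ip": ip, "client": client, "login_ok": False}))
    legit_decisions = [
        tracker.observe({"ts": 1_100 + 10 * i, "ip": "198.51.100.9", "client": legit_user, "login_ok": ok})
        for i, ok in enumerate((False, False, True))
    ]
    attacker_peak_per_ip = max(tracker.failures_by_ip[ip] for ip in attacker_ips)
    return attacker_decisions, attacker_peak_per_ip, legit_decisions


if __name__ == "__main__":
    print(simulate())
```

The fingerprint here is a plain hash, so any attribute change produces a new identity; a production implementation keeps a similarity score across attributes instead, which is why the slide talks about tracking "over time" rather than exact matching.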
Compliance and Auditing
PCI DSS requirement 6.6:
- Audit ready environment for PCI DSS compliance
- Security policies analysis
- Action plan for compliance
Advanced security graphical reports
Enhanced visibility into the application security and the detected attacks
Why Radware's WAF?
Attack Mitigation: mitigating attacks on web applications behind CDNs; blocking the attack source at the perimeter; multi-layer detection and mitigation
Application Security & Delivery: AppWall out-of-path and inline deployment modes; delivered on platforms supporting up to 80 Gbps
Compliance: action plan for compliance; advanced security graphical reports
Web Security: short time to protection; low false positive and false negative rates; auto-detection of web application changes
Segregation of Duties: mapping security web roles to LDAP organizational units or attributes; multi vector security policies (application access, data visibility etc.)
Summary – More Than Just a WAF
- Multi layered attack detection and mitigation
- Out-of-path deployment with no performance impact or risk
- Fast, reliable, and secure delivery of mission-critical web applications
- Low maintenance costs and post deployment peace of mind
- Audit ready and visibility into application security
Fastest to deploy, easiest to maintain, best security coverage
Radware Cloud WAF Service
Unmatched Web Security Protection
- Based on Radware's ICSA Labs certified WAF
- Auto policy generation engine for 0-day attack protection
- Fully managed security service, beyond 24x7
- Easy, flexible model
- Integrated CPE and Cloud WAF technologies
- Always-on behavioral-based DDoS protection
Radware Cloud WAF
Figure (traffic flow): a web-based attack is launched and detected by Radware's Cloud WAF; the attack is mitigated and clean traffic is relayed to the organization's cloud applications (public cloud) and to the organization's premise data center.
Unmatched Web Security Protection
- Full coverage of ALL OWASP Top-10
- ICSA Labs certification
- Auto-policy generation
- Supports negative & positive security models
Attack categories covered:
- TCP termination & normalization: HTTP protocol attack (e.g. HRS); path traversal; Base64 and encoded attacks; JSON and XML attacks
- Login protection: password cracking (brute force)
- Attack signature and rules: cross site scripting (XSS); injections (SQL, LDAP); OS commanding; Server Side Includes (SSI)
- LFI/RFI protection: local file inclusion; remote file inclusion
- Session protection: cookie poisoning; session hijacking
- Data leak prevention: credit card number (CCN); Social Security number (SSN); regular expression
- Access control: predictable resource location; backdoor and debug resources; file upload attacks
- DDoS protection: behavioral network DDoS; behavioral application DDoS; network challenge response; HTTP challenge response; access list; volumetric DDoS (add-on)
0-Day Attack Protection: Shortest Time to Security
App Mapping > Threat Analysis > Policy Generation > Policy Activation
Fully Managed Security Service, Beyond 24x7
- 24x7 support
- System monitoring and auto policy generation
- Proactive analysis including policy optimization and logs review
- Backed by Radware's Emergency Response Team (ERT)
Easy, Flexible Model
- Simple setup: nothing to download or install
- Phased and risk-free onboarding, a 3-step process: out-of-path (auto policy) > inline passive mode > inline protective mode; every new policy is initially introduced in span port (out-of-path) mode, with 7 days for new policy activation
- OPEX-based model
- 3 levels of service offering (Silver, Gold & Platinum)
- Flexibility in growth options
Only solution to integrate with on-premise security devices
Increased visibility and control in disaggregated application-delivery
environments
Cloud-to-premise attack messaging to further secure data centers
Allow for ease and speed of security policy orchestration & automation
Integrated CPE and Cloud WAF Technologies
Unified, hybrid solution supporting your cloud migration path
Based on Radware's attack mitigation device (DefensePro)
Includes Anti DDoS, NBA and IPS protection
Adaptive behavioral analysis and challenge response technologies
Always-On Behavioral-Based DDoS Protection
Volumetric DDoS Attack Protection
Figure (traffic flow): a volumetric attack is launched on the customer environment; it is detected by Radware's attack mitigation device in the Radware Cloud POP; the attack baseline is synchronized to Radware's Scrubbing Center (Defense Messaging) and traffic is redirected; traffic is cleaned by the Scrubbing Center and sent to the organization's cloud applications (public cloud) and premise data center.
Scalability and Availability
- Service monitoring: traffic volume monitoring, HTTP health-checks
- Redundancy: for all network components, no single point of failure
- Failover: automatic failover based on active-standby
- Disaster recovery: DNS redirection to secondary site; Tier 1 DNS
Offering Sets
Service available in three packages; DDoS protection of up to 1 Gbps of attack traffic is included in all packages, volumetric DDoS-attack protection is available at additional cost.
Silver
• Single shared policy for multiple web applications
• Basic security offering to secure against common web attacks
Gold
• Dedicated policy for each web application
• PCI Compliance ready policy
• Added protection from data and access centric attacks
Platinum
• OWASP Top 10 coverage
• Extended security policy
• Zero-day attack protection
• Advanced attack protection
Why Radware Cloud WAF?
Integrated CPE and Cloud WAF Technologies: only solution with the same technology to protect both cloud-based and on-premise applications
Unmatched Web Application Protection: full OWASP Top 10 coverage; auto policy generation; ICSA Labs certification
Fully Managed Security Service: 24x7 support, backed by Radware's ERT security experts
Easy, Flexible Model: simple, no setup; OPEX based with 3 offerings to choose from
Always-On Behavioral-Based DDoS Protection: based on Radware's attack mitigation device; minimal false positives, no impact on legitimate traffic
Radware - WAF (Web Application Firewall)
Radware Cloud WAF Service Full SLA

Security Offerings – DDoS Features | Silver | Gold | Platinum
Behavioral Network Layer DDoS Protection | Yes | Yes | Yes
Behavioral Application Layer DDoS Protection | Yes | Yes | Yes
Network Challenge Response | Yes | Yes | Yes
HTTP Challenge Response | Yes | Yes | Yes
Access List (on demand, up to 1 list per month) | Up to 100 entries | Up to 100 entries | Up to 100 entries
Weekly Security Update Subscription | Yes | Yes | Yes
Attack volume supported | Up to 1G | Up to 1G | Up to 1G

Security Offerings – WAF Features | Silver | Gold | Platinum
HTTP Protocol Manipulation | Yes | Yes | Yes
Error info leakage & fingerprinting | Yes | Yes | Yes
Known Vulnerabilities & Custom Rules | Yes | Yes | Yes
SQL, OS and LDAP Injection | Yes | Yes | Yes
Cross Site Scripting (XSS) | Yes | Yes | Yes
SSL (including custom certificate) | Yes | Yes | Yes
Geo Location, Anonymous proxies | Yes | Yes | Yes
Credit Card Number Leakage | No | Yes | Yes
CSRF | No | Yes | Yes
Access Control (White & Black list) | No | Yes | Yes
Brute Force | No | Yes | Yes
Session attacks (hijacking, cookie poisoning) | No | No | Yes
Zero Day Protection; Parameter policy | No | No | Yes
XML and Web Service | No | No | Yes
Radware Cloud WAF Service Full SLA

Service Offerings – Service | Silver | Gold | Platinum
24x7 support | Yes | Yes | Yes
Managed Security Service | Yes | Yes | Yes
Logs review and system monitoring | Yes | Yes | Yes
Customized Weekly Scheduled Reports | Yes | Yes | Yes
Tenant-based Policy (shared policy for multiple apps) | Yes | No | No
Application Based Policy | No | Yes | Yes
Auto Policy Generation | Yes | Yes | Yes
Dedicated WAF instance | No | No | Yes
Proactive Security Policy Review and optimization (at least once a month) | No | No | Yes
2 Forensics Reports per year | No | No | Yes
Emergency Response Attack Mitigation | Yes | Yes | Yes
Pre-attack high risk alerts | Yes | Yes | Yes
Post attack report and recommendations | Yes | Yes | Yes
Time to Security Expert response SLA | Best Effort | Best Effort | Best Effort
Number of DDoS Protection policy changes per calendar month (non-cumulative) | 1 | 1 | 1
Oracle Database 23c Security New Features.pptxSatishbabu Gunukula
 
2024.03.12 Cost drivers of cultivated meat production.pdf
2024.03.12 Cost drivers of cultivated meat production.pdf2024.03.12 Cost drivers of cultivated meat production.pdf
2024.03.12 Cost drivers of cultivated meat production.pdfThe Good Food Institute
 
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - TechWebinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - TechProduct School
 
EMEA What is ThousandEyes? Webinar
EMEA What is ThousandEyes? WebinarEMEA What is ThousandEyes? Webinar
EMEA What is ThousandEyes? WebinarThousandEyes
 
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdfQ4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdfTejal81
 
Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)Muhammad Tiham Siddiqui
 
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENTSIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENTxtailishbaloch
 
From the origin to the future of Open Source model and business
From the origin to the future of  Open Source model and businessFrom the origin to the future of  Open Source model and business
From the origin to the future of Open Source model and businessFrancesco Corti
 
Technical SEO for Improved Accessibility WTS FEST
Technical SEO for Improved Accessibility  WTS FESTTechnical SEO for Improved Accessibility  WTS FEST
Technical SEO for Improved Accessibility WTS FESTBillieHyde
 

Último (20)

Patch notes explaining DISARM Version 1.4 update
Patch notes explaining DISARM Version 1.4 updatePatch notes explaining DISARM Version 1.4 update
Patch notes explaining DISARM Version 1.4 update
 
SheDev 2024
SheDev 2024SheDev 2024
SheDev 2024
 
Flow Control | Block Size | ST Min | First Frame
Flow Control | Block Size | ST Min | First FrameFlow Control | Block Size | ST Min | First Frame
Flow Control | Block Size | ST Min | First Frame
 
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptx
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptxEmil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptx
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptx
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
Where developers are challenged, what developers want and where DevEx is going
Where developers are challenged, what developers want and where DevEx is goingWhere developers are challenged, what developers want and where DevEx is going
Where developers are challenged, what developers want and where DevEx is going
 
TrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie WorldTrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie World
 
LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0
 
IT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced ComputingIT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced Computing
 
Extra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdfExtra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdf
 
.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptx.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptx
 
Oracle Database 23c Security New Features.pptx
Oracle Database 23c Security New Features.pptxOracle Database 23c Security New Features.pptx
Oracle Database 23c Security New Features.pptx
 
2024.03.12 Cost drivers of cultivated meat production.pdf
2024.03.12 Cost drivers of cultivated meat production.pdf2024.03.12 Cost drivers of cultivated meat production.pdf
2024.03.12 Cost drivers of cultivated meat production.pdf
 
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - TechWebinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
 
EMEA What is ThousandEyes? Webinar
EMEA What is ThousandEyes? WebinarEMEA What is ThousandEyes? Webinar
EMEA What is ThousandEyes? Webinar
 
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdfQ4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
 
Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)
 
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENTSIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
 
From the origin to the future of Open Source model and business
From the origin to the future of  Open Source model and businessFrom the origin to the future of  Open Source model and business
From the origin to the future of Open Source model and business
 
Technical SEO for Improved Accessibility WTS FEST
Technical SEO for Improved Accessibility  WTS FESTTechnical SEO for Improved Accessibility  WTS FEST
Technical SEO for Improved Accessibility WTS FEST
 

Radware - WAF (Web Application Firewall)

  • 1. Radware Web Application Protection Offerings. Deivid Toledo, Product Manager at WTR Services. January 8, 2016.
  • 3. Our Track Record: global technology partners; over 10,000 customers. Company growth chart, revenue in USD millions with year-over-year growth: 2002: 43.7 (1%); 2003: 54.8 (25%); 2004: 68.4 (25%); 2005: 77.6 (13%); 2006: 81.4 (5%); 2007: 88.6 (9%); 2008: 94.6 (7%); 2009: 108.9 (15%); 2010: 144.1 (32%); 2011: 167.0 (16%); 2012: 189.2 (13%); 2013: 193.0 (2%); 2014: 221.9 (15%).
  • 4. Market Leading WAF Offering, with customers in Banking & Finance, Gov’t & Enterprise, Telco & Cloud Service Providers, and Retail/eCommerce.
  • 6. Migration to the Cloud Continues: attackers can now target premise- and cloud-based applications.
    - Almost half (48%) anticipate migrating up to 20% of their applications to the cloud.
    - About one in ten (12%) plan to migrate more than half of their applications to the cloud.
    - Complexity in managing security policies is the #1 security challenge.
    Survey chart, 2015 (n=311). Q: In the next 12-14 months, what percentage of your applications do you envision migrating to the cloud? 0%: 23%; 1-20%: 48%; 21-50%: 18%; 51-75%: 6%; 76-99%: 2%; 100%: 4%.
  • 7. Rise in Popularity of Web Based Attacks. Web attacks are the most common attack vector: OWASP Top 10 attacks and availability-based attacks. Top 10 Web Attack Methods (source: Web Hacking Incident Database (WHID), Feb. 2013): Denial of Service 25%; SQL Injection 24%; Cross Site Scripting (XSS) 8.9%; Brute Force 4.8%; Predictable Resource Location 3.8%; Stolen Credentials 3.7%; Unintentional Information Disclosure 3%; Banking Trojan 2.8%; Credential/Session Prediction 2.1%; Cross Site Request Forgery (CSRF) 1.9%.
  • 8. Complexity of Attacks Continues to Grow: multi-vector attacks target all layers of the infrastructure. Diagram components: internet pipe, firewall, IPS/IDS, load balancer/ADC, server under attack, SQL server. Attack types shown per layer: large-volume network flood attacks and SYN floods; network scans; “Low & Slow” DoS attacks (e.g. Slowloris); HTTP floods; SSL floods; application misuse and brute force; XSS, CSRF and SQL injections. Matching protections: On-Demand Cloud DDoS, DoS protection, behavioral analysis, IPS, SSL protection, WAF.
  • 9. Existing Solutions Still Mostly Manual. Over 80% of solutions require a medium to high degree of manual tuning; less than 20% require a low degree and are considered mostly automatic. Survey, 2015 (n=311), Q.22: What degree of manual tuning or configuration does your current solution require? High degree: 24%; Medium degree: 58%; Low degree: 17%.
  • 10. The Web Security Challenge: a growing number of web applications to protect; more sophisticated web attacks and “bad” bots; more disaggregated networks lead to less control; most solutions are still very manual. Hence the need for adaptive and automated web security protection.
  • 11. Radware’s Web Application Firewall Offering
  • 12. Radware’s Hybrid Attack Mitigation Solution: Radware provides complete hybrid protection. On-premise, always-on: DoS protection, behavioral analysis, IPS, WAF, SSL protection. In-the-cloud, on-demand: Cloud DDoS. Always-on DDoS and WAF on-premise, with DDoS in-the-cloud activated on-demand.
  • 13. Unmatched Web Application Protection. Best-of-breed WAF (physical or virtual appliance) and Radware Cloud WAF service: full coverage of the OWASP Top-10; ICSA Labs certification; auto-generated policy; negative & positive security models. A hybrid, single-technology solution to protect both on-premise and cloud-based applications.
  • 15. Radware’s Web Application Firewall (WAF), AppWall: complete web application protection; line-speed availability attack mitigation; all-in-one application delivery & security; shortest time to security; compliance and auditing; multi-vector role-based security policy.
  • 16. Complete Web Application Protection: full coverage of the OWASP Top-10 by negative & positive security models; protection against dozens of attack vectors listed in the WASC Threat Classification; efficient, accurate and difficult-to-evade out-of-the-box negative security by terminating TCP connections, normalizing client-encoded traffic, and blocking various evasion techniques.
  • 17. Complete Web Application Protection (continued). Terminate TCP, normalize, HTTP RFC: evasions; HTTP response splitting (HRS); signatures applied on normalized traffic; URL / Base64 / UTF-8 encoded injections. Signature & rule protection: cross-site scripting (XSS); SQL injection, LDAP injection, OS commanding. Data leak prevention: credit card number (CCN); Social Security number (SSN); regular expression.
  • 18. Complete Web Application Protection (continued). Parameter inspection: buffer overflow (BO); zero-day attacks. User behavior: cross-site request forgery; cookie poisoning, session hijacking. Layer 7 ACL: application / folder / file / parameter level access control; white listing or black listing. XML, JSON & web services: XML & JSON validity and schema enforcement. Role-based policy: authentication; user tracking.
  • 19. Line Speed Availability Attack Mitigation. Detecting and blocking attacks on web apps behind CDNs; advanced HTTP attacks (Slowloris, HTTP dynamic floods); brute force attacks on login pages; SSL attacks. Line-speed mitigation: up to 300 Gbps; up to 230M DDoS PPS; 60 microseconds latency. Multi-layer detection and mitigation.
  • 20. Out-of-Path Deployment: Protection Against DDoS Attacks. Radware’s WAF is implemented out-of-path on a SPAN port, with an Attack Mitigation Device at the perimeter between the cloud and the LAN. 1) The attacker launches a web-application attack. 2) Radware’s WAF detects the web-application attack. 3) Radware’s WAF signals attack information to the perimeter Attack Mitigation Device (Defense Messaging). 4) Radware’s Attack Mitigation Device mitigates the attack at the perimeter. No performance impact, no risk.
  • 21. All-in-One Application Delivery and Security: out-of-path or inline deployment; deployed on multiple platforms; delivered on platforms supporting up to 80 Gbps; fault isolation; SLA assurance; high platform density. Fast, reliable, secure.
  • 22. Shortest Time to Security. Four-step flow: app mapping, threat analysis, policy generation, policy activation. Shortest time to protection: only 1 week for known attacks, 50% faster than other leading WAFs. Best security coverage: auto threat analysis, no admin intervention, over 150 attack vectors covered. Lowest false positives through auto-optimization of out-of-box rules. Security assurance: automatic detection of web application changes, assuring security post-development; peace of mind throughout the application’s development lifecycle.
  • 23. Multi-Vector Role Based Security Policy: authentication and login detection; authorization and access control; accounting and auditing; web-based single sign-on; segregation of duties. Context: web role, IP & geo-location. Security policy: application access control; data access and visibility; web security (XSS, SQL injection). Action: block, report.
  • 24. IP-Agnostic Device Fingerprinting & Tracking. IP address based identification and blocking has become obsolete: attackers dynamically change IPs (DHCP, anonymous proxies, CDN, NAT). AppWall goes beyond the IP address and uses a detailed device fingerprint built from over two dozen parameters (e.g. operating system, system fonts, browser plug-ins, screen resolution, local IPs). The device fingerprint enables precise activity tracking over time and the development of device reputation, for improved bot detection and blocking. Provides advanced protection from website scraping, brute force attacks, and HTTP dynamic floods.
  • 25. Compliance and Auditing. PCI DSS section 6.6 requirements: audit-ready environment for PCI DSS compliance; security policies analysis; action plan for compliance. Advanced security graphical reports: enhanced visibility into application security and the detected attacks.
  • 26. Why Radware’s WAF? Attack mitigation: mitigating attacks on web applications behind CDNs; blocking the attack source at the perimeter; multi-layer detection and mitigation. Application security & delivery: AppWall out-of-path and inline deployment modes; delivered on platforms supporting up to 80 Gbps. Compliance: action plan for compliance; advanced security graphical reports. Web security: short time to protection; low false positive and false negative rates; auto-detection of web application changes. Segregation of duties: mapping security web roles to LDAP organizational units or attributes; multi-vector security policies (application access, data visibility, etc.).
  • 27. Summary – More Than Just a WAF: multi-layered attack detection and mitigation; out-of-path deployment with no performance impact or risk; fast, reliable, and secure delivery of mission-critical web applications; low maintenance costs and post-deployment peace of mind; audit-ready, with visibility into application security. Fastest to deploy, easiest to maintain, best security coverage.
  • 28. Radware Cloud WAF Service
  • 29. Radware Cloud WAF Service, unmatched web security protection: based on Radware’s ICSA Labs certified WAF; auto policy generation engine for 0-day attack protection; fully managed security service, beyond 24x7; easy, flexible model; integrated CPE and Cloud WAF technologies; always-on behavioral-based DDoS protection.
  • 30. Radware Cloud WAF. Diagram (Radware Cloud WAF Service, public cloud, organization’s cloud applications, organization’s premise data center): a web-based attack is launched and detected by Radware’s Cloud WAF; the attack is mitigated and clean traffic is relayed to the customer’s cloud and premise.
  • 31. Unmatched Web Security Protection: full coverage of ALL OWASP Top-10; ICSA Labs certification; auto-policy generation; supports negative & positive security models. Attack categories covered:
    - TCP termination & normalization: HTTP protocol attacks (e.g. HRS); path traversal; Base64 and encoded attacks; JSON and XML attacks.
    - Login protection: password cracking (brute force attacks).
    - Signature and rules: cross-site scripting (XSS); injections (SQL, LDAP); OS commanding; Server Side Includes (SSI).
    - LFI/RFI protection: local file inclusion; remote file inclusion.
    - Session protection: cookie poisoning; session hijacking.
    - Data leak prevention: credit card number (CCN); Social Security number (SSN); regular expression.
    - Access control: predictable resource location; backdoor and debug resources; file upload attacks.
    - DDoS protection: behavioral network DDoS; behavioral application DDoS; network challenge response; HTTP challenge response; access list; volumetric DDoS (add-on).
  • 32. 0-Day Attack Protection: Shortest Time to Security. Four-step flow: app mapping, threat analysis, policy generation, policy activation. Shortest time to protection: only 1 week for known attacks, 50% faster than other leading WAFs. Best security coverage: auto threat analysis, no admin intervention, over 150 attack vectors covered. Lowest false positives through auto-optimization of out-of-box rules. Security assurance: automatic detection of web application changes, assuring security post-development; peace of mind throughout the application’s development lifecycle.
  • 33. Fully Managed Security Service, Beyond 24x7: 24x7 support; system monitoring and auto policy generation; proactive analysis including policy optimization and log review; backed by Radware's Emergency Response Team (ERT).
  • 34. Easy, Flexible Model. Simple setup: nothing to download or install. Phased and risk-free onboarding in a 3-step process: out-of-path (auto policy), inline passive mode, inline protective mode; every new policy is initially introduced on a SPAN port, with 7 days for new policy activation. OPEX-based model with 3 levels of service offering (Silver, Gold & Platinum) and flexibility in growth options.
  • 35. Integrated CPE and Cloud WAF Technologies, a unified, hybrid solution supporting your cloud migration path: the only solution to integrate with on-premise security devices; increased visibility and control in disaggregated application-delivery environments; cloud-to-premise attack messaging to further secure data centers; allows for ease and speed of security policy orchestration & automation.
  • 36. Always-On Behavioral-Based DDoS Protection: based on Radware's attack mitigation device (DefensePro); includes anti-DDoS, NBA and IPS protection; adaptive behavioral analysis and challenge-response technologies.
  • 37. Radware Cloud WAF Data Center: Volumetric DDoS Attack Protection. Diagram (public cloud, organization’s cloud applications, organization’s premise, Radware cloud scrubbing): 1) a volumetric attack is launched on the customer environment; 2) the attack is detected by Radware’s attack mitigation device in the Radware Cloud POP; 3) the attack baseline is synchronized to Radware’s scrubbing center (Defense Messaging) and traffic is redirected; 4) traffic is cleaned by the scrubbing center and sent to the customer cloud and premise.
  • 38. Scalability and Availability. Service monitoring: traffic volume monitoring, HTTP health-checks. Redundancy for all network components: no single point of failure. Failover: auto failover based on active/standby. Disaster recovery: DNS redirection to secondary site; Tier 1 DNS.
  • 39. Offering Sets. Service available in three packages; DDoS protection of up to 1 Gbps of attack traffic is included in all packages; volumetric DDoS-attack protection available at additional cost.
    - Silver: single shared policy for multiple web applications; basic security offering to secure against common web attacks.
    - Gold: dedicated policy for each web application; PCI compliance ready policy; added protection from data- and access-centric attacks.
    - Platinum: OWASP Top 10 coverage; extended security policy; zero-day attack protection; advanced attack protection.
  • 40. Why Radware Cloud WAF? Integrated CPE and Cloud WAF technologies: the only solution with the same technology to protect both cloud-based and on-premise applications. Unmatched web application protection: full OWASP Top 10 coverage; auto policy generation; ICSA Labs certification. Fully managed security service: 24x7 support; backed by Radware’s ERT security experts. Easy, flexible model: simple, no setup; OPEX based with 3 offerings to choose from. Always-on behavioral-based DDoS protection: based on Radware’s attack mitigation device; minimal false positives, no impact on legitimate traffic.
  • 42. Radware Cloud WAF Service Full SLA.
    Security Offerings – DDoS Features | Silver | Gold | Platinum
    Behavioral Network Layer DDoS Protection | Yes | Yes | Yes
    Behavioral Application Layer DDoS Protection | Yes | Yes | Yes
    Network Challenge Response | Yes | Yes | Yes
    HTTP Challenge Response | Yes | Yes | Yes
    Access List – on demand, up to 1 list per month | Up to 100 entries | Up to 100 entries | Up to 100 entries
    Weekly Security Update Subscription | Yes | Yes | Yes
    Attack volume supported | Up to 1G | Up to 1G | Up to 1G

    Security Offerings – WAF Features | Silver | Gold | Platinum
    HTTP Protocol Manipulation | Yes | Yes | Yes
    Error info leakage & fingerprinting | Yes | Yes | Yes
    Known Vulnerabilities & Custom Rules | Yes | Yes | Yes
    SQL, OS and LDAP Injection | Yes | Yes | Yes
    Cross Site Scripting (XSS) | Yes | Yes | Yes
    SSL (including custom certificate) | Yes | Yes | Yes
    Geo Location, Anonymous proxies | Yes | Yes | Yes
    Credit Card Number Leakage | No | Yes | Yes
    CSRF | No | Yes | Yes
    Access Control (White & Black list) | No | Yes | Yes
    Brute Force | No | Yes | Yes
    Session attacks (hijacking, cookie poisoning) | No | No | Yes
    Zero Day Protection; Parameter policy | No | No | Yes
    XML and Web Service | No | No | Yes
  • 43. Radware Cloud WAF Service Full SLA.
    Service Offerings – Service | Silver | Gold | Platinum
    24 x 7 support | Yes | Yes | Yes
    Managed Security Service | Yes | Yes | Yes
    Logs review and system monitoring | Yes | Yes | Yes
    Customized Weekly Scheduled Reports | Yes | Yes | Yes
    Tenant-based Policy (shared policy for multiple apps) | Yes | No | No
    Application Based Policy | No | Yes | Yes
    Auto Policy Generation | Yes | Yes | Yes
    Dedicated WAF instance | No | No | Yes
    Proactive Security Policy Review and Optimization, at least once a month | No | No | Yes
    2 Forensics Reports per year | No | No | Yes
    Emergency Response Attack Mitigation | Yes | Yes | Yes
    Pre-attack high risk alerts | Yes | Yes | Yes
    Post attack report and recommendations | Yes | Yes | Yes
    Time to Security Expert response SLA | Best Effort | Best Effort | Best Effort
    Number of DDoS Protection policy changes per calendar month (non-cumulative) | 1 | 1 | 1
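As an added illustration of the IP-agnostic tracking that slide 24 describes (this is not Radware's or AppWall's code), the following Python counts failed logins per source IP and per device fingerprint over constructed login events, showing that a device rotating through IPs is only visible in the fingerprint view. The attribute names, the hashing, the threshold and window, and the sample events are all assumptions made for this example.

```python
import bisect
import hashlib
from collections import defaultdict

# Attributes the fingerprint is built from (names are assumptions; the deck
# says AppWall uses over two dozen such parameters).
FINGERPRINT_FIELDS = ("os", "fonts", "plugins", "screen", "local_ips")

def fingerprint(client: dict) -> str:
    # Canonical, fixed-order rendering of the attributes, hashed so the
    # tracker stores a short stable key instead of raw client details.
    canonical = "|".join(f"{k}={client.get(k, '')}" for k in FINGERPRINT_FIELDS)
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]

def _over_threshold(times: list, threshold: int, window: int) -> bool:
    # True if any sliding window of `window` seconds holds >= threshold events.
    times.sort()
    for j, t in enumerate(times):
        i = bisect.bisect_left(times, t - window)
        if j - i + 1 >= threshold:
            return True
    return False

def brute_force_suspects(events: list, threshold: int = 5, window: int = 60) -> dict:
    # Count failed logins per source IP and per device fingerprint, then report
    # which keys in each view exceed the threshold within the window.
    by_ip, by_fp = defaultdict(list), defaultdict(list)
    for e in events:
        if e["result"] != "fail":
            continue
        by_ip[e["ip"]].append(e["ts"])
        by_fp[fingerprint(e["client"])].append(e["ts"])
    return {
        "by_ip": {k for k, v in by_ip.items() if _over_threshold(v, threshold, window)},
        "by_fingerprint": {k for k, v in by_fp.items() if _over_threshold(v, threshold, window)},
    }

# Constructed login events: one device rotating through six IPs while failing
# to log in, and one legitimate user who mistypes twice. Not real log data.
ROTATING_DEVICE = {"os": "Windows 10", "fonts": "Arial;Calibri;Verdana",
                   "plugins": "pdf", "screen": "1920x1080", "local_ips": "10.0.0.12"}
LEGIT_DEVICE = {"os": "macOS", "fonts": "Helvetica;Menlo",
                "plugins": "", "screen": "2560x1600", "local_ips": "192.168.1.20"}
SAMPLE_EVENTS = [
    {"ts": 1000 + 5 * n, "ip": f"198.51.100.{n + 1}", "client": ROTATING_DEVICE, "result": "fail"}
    for n in range(6)
] + [
    {"ts": 1010, "ip": "203.0.113.7", "client": LEGIT_DEVICE, "result": "fail"},
    {"ts": 1020, "ip": "203.0.113.7", "client": LEGIT_DEVICE, "result": "fail"},
    {"ts": 1030, "ip": "203.0.113.7", "client": LEGIT_DEVICE, "result": "success"},
]
```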

Editor's notes

  1. The Perimeter is disappearing - With the development of private and public clouds, more and more organizations are transitioning towards virtualizing their services. The hosting of applications is often distributed – while some applications are migrated to the cloud, others are still in transition or will always remain on-premise. Organizations are now faced with needing to protect their applications everywhere – on-premise and in-the-cloud. As more services are moved outside of the enterprise perimeter and on to the cloud, this opens the door for attackers to target enterprise applications in the cloud where the on-premise attack mitigation tools are ineffective. Organizations that rely solely on on-premise attack mitigation are leaving their cloud-based applications vulnerable to attacks.
  2. The threat landscape is evolving. The task of ensuring application availability is becoming more complex. As attacks are getting longer, larger and more sophisticated, organizations need to be able to protect their applications from a large variety of security threats including: Web-based attacks Mostly known through the Open Web Application Security Project (OWASP) Top 10 which lists out the most common web-based threats. Includes threats such as SQL Injections, Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF), which are typically not covered by traditional firewalls and intrusion detection systems (IDS). Availability based attacks – Distributed Denial of Service (DDoS) attacks at both the network and application layers. Includes the use of automated programs (bots) as well as humans to launch attacks aimed at exhausting application resources.
  3. Attackers are deploying multi-vulnerability attack campaigns by increasing the number of attack VECTORS they launch in parallel. To target your blind spot, different attack vectors target different layers of the network and data center, for example Net DDoS, App DDoS, Low & slow, SSL attacks and Web attacks. Even If only one vector will go undetected then the attack is successful and the result is highly destructive To effectively mitigate all type of DoS/DDoS attacks you need to use multiple protection tools, such as:  DoS protection to detect and mitigate all type of network DDoS attacks  Behavioral Analysis to protect against application DDoS and misuse attacks. Behavioral-based real-time signatures and challenge-response mechanism can block the attack traffic accurately without blocking legitimate user traffic.  IPS to block known attack tools and the low and slow attacks  SSL protection to protect against encrypted flood attacks  WAF, web application firewall, to prevent web application vulnerability exploitations All these protection tools are needed ON PREMISE to detect attacks in real-time and mitigate them immediately. But on premise protections tools are not enough. About 15% of all DDoS attacks are volumetric attacks that threaten to saturate the internet pipe. In these cases, you need to move mitigation to the CLOUD DDoS scrubbing.
  4. You need cloud DDoS protection to mitigation volumetric DDoS attacks. But that alone is not enough. You also need these other tools & technologies to provide full protection from today’s complex, multi-vector threats – and you need them on premise. To provide real-time detection and mitigation. Radware offers a complete, hybrid solution integrating on-premises detection & mitigation that is always-on cloud-based volumetric attack scrubbing on-demand when needed Its a single-vendor, real time solution that includes all the protection tools needed
  5. Providing protection from web-based attacks is a core part of Radware’s attack mitigation solution. We offer this protection through our Web Application Firewall – a best of breed WAF that: Provides full coverage of all the OWASP top-10 threats, Is ICSA Labs certified Has the unique ability to auto generate policies And supports both negative and positive security models In addition, we also offer a hybrid cloud WAF service – a fully managed cloud service that provides all the protections of a best-of-bread web application firewall but in an easy-to-use way. Radware is the only vendor to have integrated CPE and Cloud WAF technologies and offers a single vendor solution to protect both your cloud-based and on-premise applications. It gives your more control and visibility into your on-premise and cloud-based applications and allows for ease and speed of security policy orchestration & automation between on-premise and cloud.
  6. Radware’s Hybrid Cloud WAF Service provides a fully managed and always-on, cloud-based web application firewall service. It’s the industry's first hybrid-based Cloud WAF service that integrates with Radware's on-premise devices to provide comprehensive coverage. The service provides full and unparalleled protection from web application-based attacks and is based on Radware’s Attack Mitigation Solution that is comprised of Radware's AppWall, DefensePro and DefensePipe products Easy to set up – no user interaction Wide coverage of both common and advanced web attacks as well as DDoS attacks.
  7. The Hybrid Cloud WAF Service is based primarily on Radware's web application firewall – AppWall. Provides FULL coverage from ALL the OWASP top-10 attacks Is ICSA Labs certified Supports both negative and positive security models: Positive security policies are based on behavioral analysis technology. The security technology learns what the possible inputs per each web page are and what the typical values per each input field are. It then locks the policy to the allowed ranges of values. positive security profiles are a proven protection against zero-day attacks. Negative security policies are based on static signature detection technology. The WAF module stores a signature file that covers thousands of known application vulnerabilities and exploits that are checked against every user transaction. Once a signature match is found – the session is terminated and the attack is blocked Has the unique ability to generate policies automatically: Patent-protected technology to create and maintain security policies for the widest security coverage with the lowest false positives and lowest operational effort. A four step flow to create and maintain security policies – Application Mapping, Threat Analysis, Policy Generation, Policy Activation No other WAF can do that and it eliminates many of the complexities involved with setting up and configuring existing WAF solutions.
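As an added illustration of the positive and negative models described in this note, and of the normalize-then-match order from slides 16 and 17, here is a toy Python pipeline written for this page (not Radware's or AppWall's code): it URL- and Base64-decodes each parameter, runs a handful of static signatures, then enforces a learned per-page parameter profile that is locked after the learning phase. The page path, parameter names, training requests and signature patterns are constructed assumptions.

```python
import base64
import re
import urllib.parse
from collections import defaultdict

def normalize(value: str) -> str:
    # Decode what the client encoded so every rule sees one canonical form:
    # repeated URL-decoding (catches double encoding), then a printable
    # Base64 payload if the value is one, then fold to lower case.
    decoded = value
    for _ in range(3):                      # bounded: no endless decode loop
        again = urllib.parse.unquote(decoded)
        if again == decoded:
            break
        decoded = again
    if re.fullmatch(r"[A-Za-z0-9+/]{8,}={0,2}", decoded):
        try:
            text = base64.b64decode(decoded, validate=True).decode("utf-8")
            if text.isprintable():          # accept only a readable payload
                decoded = text
        except (ValueError, UnicodeDecodeError):
            pass
    return decoded.lower()

# Negative model: three static signatures stand in for a real signature file.
SIGNATURES = {
    "sql_injection": re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+|\bunion\b.+\bselect\b"),
    "xss": re.compile(r"<\s*script|javascript:"),
    "path_traversal": re.compile(r"\.\./"),
}

def negative_check(value: str):
    # Return the name of the first signature that fires, or None.
    for name, pattern in SIGNATURES.items():
        if pattern.search(value):
            return name
    return None

CLASSES = (("digits", re.compile(r"\d+")), ("token", re.compile(r"[a-z0-9_.-]+")))
def classify(value: str) -> str:
    for name, pattern in CLASSES:
        if pattern.fullmatch(value):
            return name
    return "free_text"

class PositiveProfile:
    # Learns which parameters each page accepts plus the character class and
    # length range of legitimate values, then locks the policy to those.
    def __init__(self):
        self.seen = defaultdict(lambda: {"classes": set(), "min": 10**9, "max": 0})
        self.locked = False                 # False = still learning (passive)

    def learn(self, page: str, params: dict) -> None:
        for key, value in ((k, normalize(v)) for k, v in params.items()):
            entry, n = self.seen[(page, key)], len(value)
            entry["classes"].add(classify(value))
            entry["min"], entry["max"] = min(entry["min"], n), max(entry["max"], n)

    def violations(self, page: str, params: dict) -> list:
        found = []
        for key, value in params.items():
            entry = self.seen.get((page, key))
            if entry is None:
                found.append(f"{key}: unknown parameter")
            elif classify(value) not in entry["classes"]:
                found.append(f"{key}: unexpected character class")
            elif not entry["min"] <= len(value) <= entry["max"]:
                found.append(f"{key}: length {len(value)} outside learned range")
        return found

def inspect(profile: PositiveProfile, page: str, raw_params: dict) -> tuple:
    # One request through the pipeline -> (verdict, reason). Until the profile
    # is locked only signatures block, like the passive onboarding phase.
    params = {k: normalize(v) for k, v in raw_params.items()}
    for key, value in params.items():
        hit = negative_check(value)
        if hit:
            return ("block", f"signature:{hit} in {key}")
    if profile.locked:
        problems = profile.violations(page, params)
        if problems:
            return ("block", "positive:" + "; ".join(problems))
    return ("allow", "")

# Constructed legitimate traffic for one page (not captured from any site).
LEARNING_TRAFFIC = [
    ("/account", {"id": "1042", "view": "summary"}),
    ("/account", {"id": "7", "view": "orders"}),
    ("/account", {"id": "33918", "view": "summary"}),
]
# Constructed sample: a textbook SQL-injection test string, Base64 wrapped.
B64_SAMPLE = base64.b64encode(b"1042' or '1'='1").decode()

def build_profile() -> PositiveProfile:
    profile = PositiveProfile()
    for page, params in LEARNING_TRAFFIC:
        profile.learn(page, params)
    profile.locked = True
    return profile
```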
  8. It’s a fully managed service. It gives organizations full support and service before, during and after attacks – so customers don’t have to deal with anything. This includes 24x7 support, proactive log review and analysis, system monitoring and auto policy generation. And its supported by Radware's Emergency Response Team (ERT) – a dedicated group of security experts that actively monitor and mitigate attacks in real time.
  9. The service is EASY. This is a very important point. Its gives the customer all the protections of a best-of-bread web application firewall but in an easy-to-use way. The service is offered in a simple, OPEX-based model with 3 packages to choose from (Silver, Gold & Platinum detailed below). It is very simple to setup with no deployment process or download/install of items needed. And once its setup, Radware's security experts have immediate access and require no customer interaction or resources to get started
  10. First, this is the only solution with integrated CPE and cloud WAF technologies, and it offers a single-vendor solution to protect both your cloud-based and on-premise applications. It's important that this solution is a hybrid solution. In a non-hybrid solution the burden is on the customer to integrate at minimum two vendor solutions to fully protect their on-premise and cloud applications. So the customer has to deal with managing different vendors, roadmap integrations, blind spots and varying degrees of protection features between the offerings. It also limits the visibility and control you have over your network: organizations cannot look at attacks that occur in the cloud and differentiate them from attacks on-premise. Was it the same vulnerability? Was it the same perpetrator in both attacks? These questions simply cannot be answered because your quality of detection is limited. Additionally, the quality of mitigation is also limited: how does one mitigate a security problem on-premise when it is discovered in the cloud, or vice versa? So having ONE technology that protects both your CPE and cloud-based applications is important. It allows for worldwide mitigation of threats detected in the cloud via messaging to Radware's on-premise security devices, as well as ease and speed of security policy orchestration and automation.
  11. And it is supported by Radware's attack mitigation device, DefensePro, to provide DDoS protection. That includes all the tools and technologies supported by DefensePro, including anti-DDoS, NBA and IPS protection, to provide comprehensive coverage with minimal false positives and no impact on legitimate traffic. It employs multiple detection and mitigation modules, including adaptive behavioral analysis and challenge-response technologies in addition to signature detection, with minimal false positives and no impact on legitimate traffic. Unique messaging maximizes protection against web-based attacks.
  12. You can see in this scenario how a volumetric attack is detected by the Radware Cloud and traffic is redirected to the scrubbing center for mitigation. This assumes that the customer has purchased the additional cloud scrubbing protection offering.
  13. We built this service with an emphasis on availability. We have many checks and redundancies in place to make sure it stays operational and provides the best SLA to customers.
  14. Radware's Hybrid Cloud WAF offers best-of-breed, enterprise-grade WAF and DDoS protection in a fully managed cloud solution.