The enterprise perimeter is disappearing. Migration to the cloud means a more distributed network infrastructure. Transition of web-based applications to the cloud renders on-premise mitigation tools ineffective against web attacks and requires organizations to protect applications both on-premise and in the cloud.
Introducing Radware's Hybrid Cloud WAF Service - a fully-managed, always on service that integrates cloud-based with on premise protection against a broad range of attack vectors.
Visit here http://www.radware.com/social/hybridcloudwaf/ to read "The Dawn of Hybrid Cloud WAF" and to learn how the industry's first hybrid cloud-based WAF service addresses today's most challenging web-based cyber-attacks.
3. Evolving Threat Landscape
Top 10 Web Attack Methods (chart)
Denial of Service: 25%
SQL Injection: 24%
Cross Site Scripting (XSS): 8.9%
Other slices: 4.8%, 3.8%, 3.7%, 3%, 2.8%, 2.1%, 1.9%
Legend: Denial of Service, SQL Injection, Cross Site Scripting (XSS), Brute Force, Predictable Resource Location, Stolen Credentials, Unintentional Information Disclosure, Banking Trojan, Credential/Session Prediction, Cross Site Request Forgery (CSRF)
No one is immune – more industries are at risk
Web attacks - most common attack vector
– 1 in every 4 web-based attacks are HTTPS
Most common attack vectors:
– SQL Injections
– Cross Site Scripting (XSS)
– Denial of Service (DoS)
Source: Web Hacking Incident Database (WHID), Feb. 2013
4. Multi-Vector Attacks
Diagram, attack types: Large volume network flood attacks, SYN Floods, Network Scan, "Low & Slow" DoS attacks (e.g. Sockstress), HTTP Floods, SSL Floods, App Misuse, Brute Force, XSS, CSRF, SQL Injections
Diagram, protection layers: Cloud DDoS protection, DoS protection, Behavioral analysis, IPS, WAF, SSL protection
Diagram, infrastructure elements: Internet Pipe, Firewall, IPS/IDS, Load Balancer/ADC, Server Under Attack, SQL Server
5. Enterprise Cloud Migration
Diagram labels: Internet, Customer Premise, Cloud Service Provider, Data Center
Enterprises expand application resources to the cloud
Multi-vector attacks target enterprise applications everywhere
On-premises mitigation tools alone are ineffective against cloud-based attacks
6. Today’s Challenges
Evolving Threat Landscape
Attacks last longer and include multi-vectors
Web application attacks most popular
Enterprise Perimeter Disappearing
Infrastructure is spread
Mixed environment – cloud and premise based applications
Hosting Across Multiple Vendors
Harder to protect & manage multiple instances
Varying degree of protection offered by cloud vendors
Need for a hybrid, easy and fully managed solution that provides full protection from web-based attacks
7. No single vendor exists today with both a CPE & Cloud WAF offering
Multiple challenges with a non-hybrid, multi-vendor WAF solution:
– Limited visibility (detection) and control (mitigation)
– Blind spots between technologies
– Vendor roadmap integration issues
– Vendor (problem) management processes
Why Hybrid?
9. Fully managed & always-on cloud service
Provides WAF and DDoS protection
Based on Radware’s widely adopted Attack Mitigation Solution
Scalable cloud-based configuration
Optimal for detecting and mitigating a vast array of attack vectors
– Common web attacks (e.g. SQL Injections, Cross-Site Scripting)
– Advanced web attacks (e.g. Cookie Poisoning, XML and web services attacks)
– DDoS attacks targeting data center infrastructure
– Volumetric DDoS attacks aiming to saturate the internet link (optional add-on protection)
Radware’s Hybrid Cloud WAF
10. Radware's Hybrid Cloud WAF
Web-based attack is launched and detected by Radware's Cloud WAF
Attack is mitigated and clean traffic is relayed to the private cloud and premise
Diagram labels: Cloud WAF, Attack Mitigation Device, Radware Security Cloud POP, Public Cloud, VPC / Private Cloud, Customer Premise, Data Center
11. Why Radware’s Hybrid Cloud WAF?
Integrated CPE and Cloud WAF Technologies
Unmatched Web Application Protection
Fully Managed Security Service
Easy, Flexible Model
Always-On DDoS Protection
12. Only solution to integrate with on-premise security devices
Gain more visibility and control in disaggregated application-delivery environments
Messaging enables threats detected in the cloud to be mitigated by on-premise attack mitigation devices
Allows for ease and speed of security policy orchestration & automation
Why Radware’s Hybrid Cloud WAF?
Integrated CPE and Cloud WAF Technologies
13. Based on Radware’s WAF - AppWall
The only WAF in the Cloud with:
– Full coverage of ALL OWASP Top-10
– ICSA Labs Certification
– Auto Generated Policy
– Negative & Positive security models
Why Radware’s Hybrid Cloud WAF?
Unmatched Web Application Protection
Attack Categories Covered
TCP Termination & Normalization
– HTTP Protocol attack (e.g. HRS)
– Path traversal
– Base 64 and encoded attacks
– JSON and XML attacks
Login Protection
– Password cracking – Brute Force
Attack Signature and Rules
– Cross site scripting (XSS)
– Injections: SQL, LDAP
– OS commanding
– Server Side Includes (SSI)
LFI/RFI Protection
– Local File Inclusion
– Remote File Inclusion
Session Protection
– Cookie Poisoning
– Session Hijacking
Data Leak Prevention
– Credit card number (CCN)
– Social Security (SSN)
– Regular Expression
Access Control
– Predictable Resource Location
– Backdoor and debug resources
– File Upload attacks
DDoS Protection
– Behavioral Network DDoS
– Behavioral Application DDoS
– Network Challenge Response
– HTTP Challenge Response
– Access List
– Volumetric DDoS (add-on)
14. 24x7 support
System monitoring and auto policy generation
Proactive analysis including policy optimization and logs review
Backed by Radware's Emergency Response Team (ERT)
Why Radware’s Hybrid Cloud WAF?
Fully Managed Security Service
15. Simple setup - nothing to download or install
Phased and risk free onboarding
– 3 step process
– Every new policy is initially introduced in Span Port
– 7 days for new policy activation
OPEX-based model
3 levels of service offering (Silver, Gold & Platinum)
Flexibility in growth options
Why Radware’s Hybrid Cloud WAF?
Easy, Flexible Model
Diagram labels: Out-of-path Auto Policy; Inline passive mode; Inline protective mode
16. Based on Radware's attack mitigation device (DefensePro)
Includes Anti DDoS, NBA and IPS protection
Adaptive behavioral analysis and challenge response technologies
Why Radware’s Hybrid Cloud WAF?
Always-On DDoS Protection
17. Volumetric DDoS Attack Protection
Volumetric attack is launched on the Radware Security Cloud POP
Attack is detected by the Radware Cloud IPS
Attack baseline is synchronized to DefensePipe and traffic redirected to scrubbing center
Traffic is scrubbed by DefensePipe and relayed clean to the private cloud and premise
Diagram labels: Cloud WAF, Attack Mitigation Device, Radware Security Cloud POP, Public Cloud, VPC / Private Cloud, Customer Premise, Data Center, Defense Messaging, Radware Cloud Scrubbing
18. Service Monitoring: Traffic Volume Monitoring, HTTP Health-checks
Redundancy: for all network components – No single point of failure
Failover: Auto failover based on Active – standby
Disaster Recovery: DNS redirection to secondary site; Tier 1 DNS
Scalability and Availability
19. Service available in three packages:
DDoS protection of up to 1 Gbps of attack traffic is included in all packages
Volumetric DDoS-attack protection available at additional cost
Offering Sets
Silver
• Single shared policy for multiple web applications
• Basic security offering to secure against common web attacks
Gold
• Dedicated policy for each web application
• PCI Compliance ready policy
• Added protection from data and access centric attacks
Platinum
• OWASP Top 10 coverage
• Extended security policy
• Zero-day attack protection
• Advanced attack protection
20. Service Full SLA
| Security Offerings – DDoS Features | Silver | Gold | Platinum |
|---|---|---|---|
| Behavioral Network Layer DDoS Protection | Yes | Yes | Yes |
| Behavioral Application Layer DDoS Protection | Yes | Yes | Yes |
| Network Challenge Response | Yes | Yes | Yes |
| HTTP Challenge Response | Yes | Yes | Yes |
| Access List – on demand up to 1 list per month | Up to 100 entries | Up to 100 entries | Up to 100 entries |
| Weekly Security Update Subscription | Yes | Yes | Yes |
| Attack volume supported | Up to 1G | Up to 1G | Up to 1G |

| Security Offerings – WAF Features | Silver | Gold | Platinum |
|---|---|---|---|
| HTTP Protocol Manipulation | Yes | Yes | Yes |
| Error info leakage & fingerprinting | Yes | Yes | Yes |
| Known Vulnerabilities & Custom Rules | Yes | Yes | Yes |
| SQL, OS and LDAP Injection | Yes | Yes | Yes |
| Cross Site Scripting (XSS) | Yes | Yes | Yes |
| SSL (including custom certificate) | Yes | Yes | Yes |
| Geo Location, Anonymous proxies | Yes | Yes | Yes |
| Credit Card Number Leakage | No | Yes | Yes |
| CSRF | No | Yes | Yes |
| Access Control (White & Black list) | No | Yes | Yes |
| Brute Force | No | Yes | Yes |
| Session attacks (hijacking, cookie poisoning) | No | No | Yes |
| Zero Day Protection; Parameter policy | No | No | Yes |
| XML and Web Service | No | No | Yes |
21. Service Full SLA
| Service Offerings - Service | Silver | Gold | Platinum |
|---|---|---|---|
| 24 X 7 support | Yes | Yes | Yes |
| Managed Security Service | Yes | Yes | Yes |
| Logs review and system monitoring | Yes | Yes | Yes |
| Customized Weekly Scheduled Reports | Yes | Yes | Yes |
| Tenant-based Policy (shared Policy for multiple apps) | Yes | No | No |
| Application Based policy | No | Yes | Yes |
| Auto Policy Generation | Yes | Yes | Yes |
| Dedicated WAF instance | No | No | Yes |
| At least once a month Proactive Security Policy Review and optimization | No | No | Yes |
| 2 Forensics Reports per year | No | No | Yes |
| Emergency Response Attack Mitigation | Yes | Yes | Yes |
| Pre-attack high risk alerts | Yes | Yes | Yes |
| Post attack report and recommendations | Yes | Yes | Yes |
| Time to Security Expert response SLA | Best Effort | Best Effort | Best Effort |
| Number of DDoS Protection policy changes per calendar month (non-cumulative) | 1 | 1 | 1 |
23. Summary
Integrated CPE and Cloud WAF Technologies
Only solution with same technology to protect both cloud-based and on-premise applications
Unmatched Web Application Protection
Full OWASP Top 10 coverage
Auto policy generation; ICSA Labs certification
Fully Managed Security Service
24x7 Support
Backed by Radware’s ERT security experts
Easy, Flexible Model
Simple, no setup
OPEX based with 3 offerings to choose from
Always-On DDoS Protection
Based on Radware’s attack mitigation device
Minimal false positives; no impact on legitimate traffic