Date posted: 07-Jan-2017
Category: Technology
Uploaded by: brian-a-mchenry
Evolution of WAF
Stop Worrying About Vulnerabilities
Who is this guy?
• Brian A. McHenry, Sr. Security Solutions Architect, F5 Networks
• 9 years at F5, focused on application security solutions
• Regular contributor on DevCentral.f5.com & InformationSecurityBuzz.com
• Follow me on twitter @bamchenry
In the Beginning…
• There were Application Layer Gateways (ALG)
Samples anyone?
© F5 Networks, Inc. CONFIDENTIAL
Then There Was IPS
And NGFW
Change the Way We Deploy WAF
Traditional WAF
• Signatures (OWASP Top 10)
• DAST Integration
• Site Learning
• File/URL/Parameter/Header/Cookie Enforcement
• Protocol Enforcement
• Login Enforcement / Session Tracking
• Data Leak Prevention
• Flow Enforcement
Advanced WAF
• Bot Detection
• Web Scraping Prevention
• Brute Force Mitigation
• L7 DDoS Protection
• Heavy URL Detection & Protection
• Captcha Challenges
• CSRF Token Injection
• Client Fingerprinting
Why Is Bot Detection So Valuable?
Typical Web Traffic
[Chart: Humans, Good Bots, Bad Bots. Source: https://www.incapsula.com/blog/bot-traffic-report-2015.html]
• Roughly 50% of traffic is human
• About 20% is good bots
• Remaining 30% is malicious bots
How do we differentiate?
Deep Thoughts
• Eliminating 30% of web traffic has serious impact
– Capacity and performance improvements are measurable
– Budget is always more available than for a security project
• Bot detection requires less per-application customization
– Increases operational scale for application security
• Reduces threat model by eliminating most opportunistic attackers
– Focus other defenses on vectors for directed attackers
Thank you!
@bamchenry
Appendix
Expanded discussion of this topic:
http://www.informationsecuritybuzz.com/articles/organic-denial-service-dos-isnt-attack/
http://www.informationsecuritybuzz.com/articles/when-a-bot-isnt-a-bot/
http://www.informationsecuritybuzz.com/is-bot-detection-the-best-value-in-infosec/
http://www.informationsecuritybuzz.com/articles/the-death-of-waf-as-we-know-it/
https://www.youtube.com/watch?v=mB_xGSNm8Z0