Posted 03-Jun-2018, uploaded by jose-luis-limon
8/11/2019 FortiWeb May 2013
Fortinet Confidential
Agenda
1. Web Application Security
2. Deployment and Management
3. Application Delivery
4. Vulnerability Assessment
5. Protection and Monitoring
6. Compliance
Latest Trends
- Hackers use attack automation to DDoS organizations, utilizing mass hordes of bots
- Off-the-shelf attack tool kits make it easy for hacktivists to join DDoS attacks
- Rise of layer 7 DDoS
- Malware-infected sources
- SQL Injection/XSS dominate
(Diagram: Web Application Servers)
Introducing FortiWeb Web Application Firewall
- Web Application Firewall (WAF): secures web applications to help customers meet compliance requirements
- Web Vulnerability Scanner: scans, analyzes and detects web application vulnerabilities
- Application Delivery: assures availability and accelerates performance of critical web applications
(Diagram: Secures Web Applications / Scans and Detects Web Vulnerabilities / Optimizes Application Delivery)
Agenda, section 2: Deployment and Management
Deployment Options
- Layer 2 transparent inspection and True Transparent Proxy: easy deployment with no need to re-architect the network, full transparency, fail-open interface
- Reverse proxy: supports content modification for both requests and replies from the server, advanced URL rewriting capabilities, HTTPS offloading, enhanced load balancing schemes
- Non-inline deployment (SPAN port): zero network latency, blocking capabilities using TCP resets, ideal for initial product evaluations and non-intrusive network deployment
(Diagram: Web Application Servers, FortiWeb, System Administration)
FortiWeb Product Family
- FortiWeb-400C (mid-enterprise deployments): 100 Mbps HTTP throughput, 10,000 transactions per second
- FortiWeb-1000C (large enterprise deployments): ASIC-based acceleration (FortiModule-CP7), 500 Mbps HTTP throughput, 27,000 transactions per second
- FortiWeb-3000C/3000CFsx (large enterprise / service provider deployments): ASIC-based acceleration (FortiModule-CP7), 1 Gbps HTTP throughput, 40,000 transactions per second, hot-swap redundant AC power, 2 x 1 TB storage, 6 x 10/100/1000 copper (+ 2 x Gbps SFP for 3000CFsx)
- FortiWeb-4000C (large enterprise / service provider deployments): ASIC-based acceleration (FortiModule-CP7), hardware-based DLP acceleration, 2 Gbps HTTP throughput, 70,000 transactions per second, hot-swap redundant AC power, 2 x 1 TB storage, 6 x 10/100/1000 copper, 2 x Gbps SFP interfaces
FortiWeb-VM
(Diagram: Desktops / Private, Servers / DMZ, Public Zone DMZ, FortiWeb Virtual Appliance in a Virtualized Data Center)
Minimum requirements for FortiWeb-VM:
- Licenses: 2-vCPU, 4-vCPU, 8-vCPU
- Hypervisor: VMware ESXi/ESX 3.5/4.0/4.1/5.0/5.1
- Memory: min. 1024 MB
- CPU: min. 2 virtual CPUs
- 10/100/1000 interfaces: min. 2, max. 4 virtual NICs
- Storage capacity: min. 40 GB
Deploy FortiWeb in a virtualized environment:
- Mitigate blind spots: protects web applications regardless of connection origin and provides visibility to internal connections as well
- Same functionality as the appliance
- Virtual Systems
FortiGuard Services
- Security Service Signatures: application layer signatures, malicious bots, suspicious URL patterns, web vulnerability scanner updates
- IP Reputation: protection for automated attacks and malicious sources (DDoS, phishing, botnet, spam, anonymous proxies and infected sources)
- Antivirus: scans file uploads; regular and extended AV databases
FortiGuard Security Subscription Services deliver dynamic, automated updates for Fortinet products. The Fortinet Global Security Research Team creates these updates to ensure up-to-date protection against sophisticated threats.
Data Analytics / Geo IP
Provides a graphical interface that helps organizations understand application trends from both a user and a server perspective.
- Log & Report: analyses web app usage based on geographic location and server access; dissects traffic based on number of hits, data used and attack type; map or list view
- Geo IP security: easily block access from a country using right click
Agenda, section 3: Application Delivery
SSL Offloading & Acceleration
- SSL Offloading: integrated ASIC-based hardware, hardware-based key exchange and bulk encryption, purpose-built SSL processing (FortiASIC CP8 SSL acceleration chip)
- CA Management: full certificate management, advanced certificate verification and revocation capabilities
- TCP connection multiplexing
Offloads CPU-intensive SSL computing from the server to FortiWeb.
Data Compression
- Compression: compresses files using gzip; the compression rate depends on data type and character redundancy; support for multiple content types; easily exclude specific URLs
- Uncompressing: inspects data compressed by the server
Compresses poorly optimised content to minimise the impact on network resources and reduce application delivery latency. Allows efficient bandwidth utilization and faster response time to users by compressing data retrieved from servers.
Server Load Balancing
Intelligent, application-aware load balancing.
- Methods: weighted round robin, round robin, least connection, HTTP session round robin
- Connection persistence with timeout value
- Probes & health checks: TCP, HTTP/HTTPS, PING; content-based health checks
URL Rewriting
- Advanced rewriting capabilities: route traffic based on IP, host or URL; rewriting and redirection of host, URL and referrers
- Rewrite reply content: rewrite absolute links or any required content; multiple content types supported
Agenda, section 4: Vulnerability Assessment
Vulnerability Assessment
- Easily scan your web applications for common vulnerabilities: SQL injection, cross-site scripting, source code disclosure, OS commanding
- Enhanced/basic mode: crawling information, URLs accepting input, external links
- Authentication options
- Granular crawling capabilities
- Scheduled and on-demand scanning
Vulnerability Assessment (continued)
- Vulnerability reports: scan summary, vulnerabilities by severity, vulnerabilities by category, application vulnerabilities, common vulnerabilities
- Server information: crawling information, URLs accepting input, external links
- Provides recommendations and graphs
- Updates via FortiGuard
- Complements the WAF for PCI DSS
Agenda, section 5: Protection and Monitoring
FortiWeb Auto Learn Application Profiling
- Understand application structure: models elements from actual traffic; builds a baseline based on URLs, parameters and HTTP methods
- Automatically understands real behavior: Can form fields/parameters be modified by users? What are the length and type of each form field? What characters are acceptable (min, max, average)? Is a form field required or optional?
- Provides recommendations and graphs
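The profiling the slide describes can be sketched in code. This is an added example, not FortiWeb's implementation or configuration: from a constructed sample of requests it learns, per (method, URL) pair, which parameters appear, their length range, their character class and whether they are required, and then reports how a new request deviates from that baseline.

```python
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit
RANK = ["digit", "alnum", "any"]  # character classes, narrowest first
# Constructed sample traffic (method, request-target) as seen by the WAF.
TRAFFIC = [
    ("GET", "/search?q=shoes&page=1"),
    ("GET", "/search?q=red+boots&page=2"),
    ("GET", "/search?q=socks"),
    ("POST", "/login?user=alice&pin=1234"),
    ("POST", "/login?user=bob&pin=9876"),
]

def char_class(value):  # narrowest class covering every character of value
    return "digit" if value.isdigit() else "alnum" if value.replace(" ", "").isalnum() else "any"

def learn(traffic):  # returns {(method, path): {param: rule}}
    seen = defaultdict(list)
    for method, target in traffic:
        parts = urlsplit(target)
        seen[(method, parts.path)].append(dict(parse_qsl(parts.query)))
    model = {}
    for key, reqs in seen.items():
        model[key] = {}
        for name in {n for r in reqs for n in r}:
            vals = [r[name] for r in reqs if name in r]
            model[key][name] = {
                "min": min(map(len, vals)), "max": max(map(len, vals)),
                "class": max(map(char_class, vals), key=RANK.index),  # widest seen
                "required": len(vals) == len(reqs),  # present in every request
            }
    return model

def check(model, method, target):  # deviations from the baseline; [] = conforms
    parts = urlsplit(target)
    rules = model.get((method, parts.path))
    if rules is None:
        return ["unknown method/URL"]
    supplied = dict(parse_qsl(parts.query))
    problems = [f"unknown parameter {n}" for n in supplied if n not in rules]
    for name, rule in rules.items():
        value = supplied.get(name)
        if value is None:
            if rule["required"]:
                problems.append(f"missing required parameter {name}")
        elif not rule["min"] <= len(value) <= rule["max"]:
            problems.append(f"{name}: length {len(value)} outside {rule['min']}-{rule['max']}")
        elif RANK.index(char_class(value)) > RANK.index(rule["class"]):
            problems.append(f"{name}: unexpected character class")
    return problems
```

A real profiler would also need a learning period and a confidence threshold before rules are enforced, otherwise a single unusual but legitimate request is enough to widen the baseline.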
Web-Based Attacks: Denial of Service
- Zombie botnets: many become one
- Application-based DDoS is on the increase, accounting for a quarter of all DDoS attacks
- Stays under the radar of bandwidth thresholds: targets specific web app/protocol flaws rather than bandwidth consumption
- Server-specific: CPU-intensive SQL queries to the backend DB, writing to hard disks
- Slow-based and legitimate-request attacks: Slowloris sends legitimate, but partial, never-ending requests
- Using tools that can be easily downloaded from the internet such as HOIC and LOIC
- Using botnets and automated tools to reach mass scale
- Sometimes camouflaging real data breach attempts, SQL injection primarily
Protection Policies: Denial of Service
- Application layer: HTTP request limit per source; TCP connections using the same cookie; HTTP requests using the same cookie; challenge/response to validate whether the user is real or automated
- Network layer: TCP connection limit per source; SYN cookie SYN flood protection
Analyzes requests originating from different users based on different characteristics such as IP and cookie. A sophisticated mechanism identifies real users from automated attacks (LOIC, HOIC, etc.).
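To make the application-layer limits concrete, here is an added example (not FortiWeb's code; the thresholds, the 10-second window and the log format are assumptions) that applies a per-source-IP and a per-session-cookie sliding-window request limit to constructed access-log lines. It shows why the per-cookie limit matters: a botnet replaying one session cookie trips it even though each member stays under the per-IP limit.

```python
from collections import defaultdict, deque

class WindowLimiter:
    """Sliding-window counter: hit() is True once `key` has more than
    `limit` events inside the last `window` seconds."""
    def __init__(self, window, limit):
        self.window, self.limit = window, limit
        self.events = defaultdict(deque)

    def hit(self, key, ts):
        q = self.events[key]
        q.append(ts)
        while q[0] <= ts - self.window:  # expire events that left the window
            q.popleft()
        return len(q) > self.limit

def build_sample_log():
    """Constructed access log, one '<epoch> <client-ip> <cookie> <method> <path>'
    per request: five bots replay one session cookie (each under the per-IP
    limit), one host floods with a fresh cookie per request, one user browses."""
    lines = []
    for t in range(8):
        for bot in range(1, 6):
            lines.append(f"{1000 + t} 10.0.0.{bot} sid=shared GET /login")
    for t in range(25):
        lines.append(f"{1000 + t % 10} 10.0.0.7 sid=r{t} GET /search")
    for t in (1000, 1004, 1009):
        lines.append(f"{t} 10.0.0.9 sid=user GET /index")
    return sorted(lines, key=lambda line: int(line.split()[0]))

def analyse(lines, window=10, per_ip=20, per_cookie=20):
    """Apply the per-source and per-cookie limits; return the keys that tripped them."""
    by_ip = WindowLimiter(window, per_ip)
    by_cookie = WindowLimiter(window, per_cookie)
    flagged = {"ip": set(), "cookie": set()}
    for line in lines:
        ts, ip, cookie, _method, _path = line.split()
        if by_ip.hit(ip, int(ts)):
            flagged["ip"].add(ip)
        if by_cookie.hit(cookie, int(ts)):
            flagged["cookie"].add(cookie)
    return {k: sorted(v) for k, v in flagged.items()}
```

The single-host flood rotates its cookie on every request, so only the per-IP counter catches it; the two limits cover different evasion strategies and are best enabled together.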
FortiGuard IP Reputation
FortiGuard IP Reputation Intelligence Service: protects against automated attacks and malicious sources.
- Threats: DDoS, phishing, botnets, anonymous proxy access, infected sources, spam hosts
- IP Reputation Service: daily feed updates, automated downloads, immediate protection, visibility and reporting
- FortiGuard techniques: FortiGuard historical analysis, honeypots, botnet analysis, anonymous proxies, third-party sources
FortiWeb provides protection at all layers
- IP Reputation: automated attack and compromised host protection; protection against access from anonymous proxies, malicious hosts and sources identified in DDoS/phishing attacks
- Antivirus file upload scanning and Data Leak Prevention: scans uploaded files for viruses and malware (FortiGuard updates); detects information disclosure, credit card and PII leakage
- Auto Learn and validation rules: deviations from normal user behavior, automated and customer rules
- Application attack signatures: detects known application attacks (FortiGuard updates)
- Protocol validation: validates HTTP RFC compliance
- Application and network Denial of Service protection (DoS/DDoS): detects and aggregates DoS attacks from multiple vectors
Agenda, section 6: Compliance
Fortinet Addresses PCI DSS
- FortiWeb addresses PCI 6.6: Web Application Firewall (OWASP Top 10 protection) and web application scanner
- FortiDB addresses PCI requirements with Data Activity Monitoring and vulnerability assessment for databases
- Requirement 2: no vendor-supplied defaults for system passwords
- Requirement 3: stored cardholder data must be protected
- Requirement 6: develop and maintain secure systems
- Requirement 7: access to data restricted on a need-to-know basis
- Requirement 10: track and monitor access to cardholder data
- Requirement 11: regular systems testing
- Requirement 12: maintaining an information security policy
FortiWeb Value Add
(Diagram labels: FortiClient Desktop; Application Security; Application Delivery; Vulnerability Assessment; Authentication; SSL Offloading and Acceleration; HTTP Compliance; Application Signatures; Application Profiling; Data Leak Prevention; Compression; DDoS Protection; Antivirus; IP Reputation; Load Balancing)
- Dramatically reduces the risk of corporate data loss: accurate protection with multiple layers of defense; integrated web vulnerability scanner; protects against the OWASP Top 10; positive and negative security policies; automated management using Auto Learn baselining; sophisticated DoS/DDoS protection with a layer 7 focus; botnet and malicious source protection
- Easily deploys in any environment: multiple deployment options
- Data analytics: Geo IP data analysis and security over the world map
- Accelerates applications: application-aware load balancing, compression, ASIC-based SSL acceleration
- Helps achieve PCI compliance
Q&A
This is FortiWeb
FortiWeb: Additional Features
AntiVirus
- FortiWeb Antivirus: scans file uploads using Fortinet's antivirus engine; restricts file type uploads
- Virus databases: regular and extended virus databases
- Updates: via the FortiGuard antivirus service
(Screenshot: AV configuration)
DLP
- DLP identification: credit card theft/misuse, information disclosure, server information
- Policy actions: rewrite sensitive data with xxxx; alert, block
- Sensitive info in logs: automatically mark with xxxx any sensitive data in FortiWeb logs
FortiWeb monitors all outgoing web traffic to identify and erase sensitive customer data.