Arrow ECS University 2015 Radware Hybrid Cloud WAF Service. 9 Ottobre 2015

Transcription

1 Arrow ECS University 2015 Radware Hybrid Cloud WAF Service 9 Ottobre 2015

2 Get to Know Radware 2

3 Our Track Record Company Growth Over 10,000 Customers USD Millions % % % % 2% % % % % 5% % 7% % Global Technology Partners

4 Market Analysis 4

5 Enterprise Cloud Migration Internet Customer Premise Data Center Cloud Service Provider 5

6 Enterprise Cloud Migration Internet Customer Premise Data Center Cloud Service Provider Enterprises expand application resources to the cloud 6

7 Enterprise Cloud Migration Internet Customer Premise Data Center Cloud Service Provider Multi-vector attacks target enterprise applications everywhere 7

8 Enterprise Cloud Migration Internet Customer Premise Data Center Cloud Service Provider On-premises mitigation tools alone are ineffective against cloud-based attacks 8

9 Increased Dependency on Multiple Vendors Enterprise hybrid cloud adoption: 82% have a hybrid cloud strategy (74% in 2014) 13% expect to use multiple public clouds 14% expect to use multiple private cloud Harder to protect & manage multiple instances Varying degree of protection offered by cloud vendors 9

10 Rise in Popularity of Web Based Attacks Web attacks - most common attack vector OWASP Top 10 attacks Availability based attacks 3.8% 3.7% 3% 2.1% 1.9% 2.8% Top 10 Web Attack Methods Denial of Service 25% Denial of Service SQL Injection Cross Site Scripting (XSS) Brute Force Predictable Resource Location 4.8% Cross Site Scripting (XSS) 8.9% SQL Injection 24% Stolen Credentials Unintentional Information Disclosure Banking Trojan Credential/Session Prediction Cross Site Request Forgery (CSRF) Source: Web Hacking Incident Database (WHID), Feb

11 Complexity of Attacks Continues to Grow Multi-vector attacks target all layers of the infrastructure Low & Slow DoS attacks (e.g.sockstress) SQL Injections XSS, CSRF Large volume network flood attacks Network Scan Syn Floods HTTP Floods SSL Floods Brute Force App Misuse Internet Pipe Firewall IPS/IDS Load Balancer/ADC Server Under Attack SQL Server Cloud DDoS protection DoS protection Behavioral analysis IPS WAF SSL protection 11

12 New Challenges Require New Solutions Protection in a dynamic and moving environment Wide protection coverage for the full range of attacks Ease of use and serviceability Protecting applications regardless of location Single-vendor, hybrid solution for consistency in protection Critical to eliminate any blind spots that attackers can leverage Network and application DDoS attacks (including volumetric) Common (SQL Injections, XSS) and more advanced web attacks (Cookie Poisoning, XML) Solution needs to be easy to set-up and easy to maintain Fully-managed services are required in most cases 12

13 Hybrid Cloud WAF Offering 13

14 Radware s Hybrid Cloud WAF Fully managed & always-on cloud service Provides WAF and DDoS protection Based on Radware s widely adopted Attack Mitigation Solution Scalable cloud-based configuration Optimal for detecting and mitigating a vast array of attack vectors Hybrid Cloud WAF 14

15 Radware s Hybrid Cloud WAF Customer Premise-based Apps Attack Mitigation Device Cloud WAF Data Center Customer Cloud-based Apps Radware Security Cloud POP Web-based attack is launched and detected by Radware s Cloud WAF 15

16 Radware s Hybrid Cloud WAF Customer Premise-based Apps Attack Mitigation Device Cloud WAF Data Center Customer Cloud-based Apps Radware Security Cloud POP Attack is mitigated and clean traffic is relayed to the customer s cloud and premise 16

17 Why Radware s Hybrid Cloud WAF? Integrated CPE and Cloud WAF Technologies Unmatched Web Application Protection Fully Managed Security Service Easy, Flexible Model Always-On DDoS Protection 17

18 Integrated CPE and Cloud WAF Technologies Only solution to integrate with on-premise security devices Gain more visibility and control in disaggregated application-delivery environments Messaging to enable threats detected in the cloud can be mitigated by onpremise attack mitigation devices Allow for ease and speed of security policy orchestration & automation 18

19 Unmatched Web Application Protection Based on Radware s WAF - AppWall Full coverage of ALL OWASP Top-10 ICSA Labs certification Auto-policy generation Supports negative & positive security models TCP Termination & Normalization HTTP Protocol attack (e.g. HRS) Path traversal Base 64 and encoded attacks JSON and XML attacks Login Protection Password cracking Brute Force LFI/RFI Protection Local File Inclusion Remote File Inclusion Data Leak Prevention Credit card number (CCN) Social Security (SSN) Regular Expression Attack Categories Covered Attack Signature and Rules Cross site scripting (XSS) Injections: SQL, LDAP OS commanding Server Side Includes (SSI) Session Protection Cookie Poisoning Session Hijacking Access Control Predictable Resource Location Backdoor and debug resources File Upload attacks DDoS Protection Behavioral Network DDoS Behavioral Application DDoS Network Challenge Response HTTP Challenge Response Access List Volumetric DDoS (add-on) 19

20 Fully Managed Security Service 24x7 support System monitoring and auto policy generation Proactive analysis including policy optimization and logs review Backed by Radware's Emergency Response Team (ERT) 20

21 Easy, Flexible Model Simple setup - nothing to download or install Phased and risk free onboarding Out-of-path Auto Policy 3 step process Every new policy is initially introduced in Span Port 7 days for new policy activation Inline passive mode OPEX-based model 3 levels of service offering (Silver, Gold & Platinum) Flexibility in growth options Inline protective mode 21

22 Always-On DDoS Protection Based on Radware's attack mitigation device (DefensePro) Includes Anti DDoS, NBA and IPS protection Adaptive behavioral analysis and challenge response technologies 22

23 Volumetric DDoS Attack Protection Customer Premise-based Apps Radware Cloud Scrubbing Attack Mitigation Device Cloud WAF Data Center Customer Cloud-based Apps Radware Security Cloud POP Volumetric attack is launched on the customer environment

24 Volumetric DDoS Attack Protection Customer Premise-based Apps Radware Cloud Scrubbing Attack Mitigation Device Cloud WAF Data Center Customer Cloud-based Apps Radware Security Cloud POP Attack is detected by Radware s attack mitigation device in the Radware Cloud POP

25 Volumetric DDoS Attack Protection Customer Premise-based Apps Radware Cloud Scrubbing Defense Messaging Attack Mitigation Device Cloud WAF Data Center Customer Cloud-based Apps Radware Security Cloud POP Attack baseline is synchronized to Radware s Scrubbing Center and traffic redirected

26 Volumetric DDoS Attack Protection Customer Premise-based Apps Radware Cloud Scrubbing Defense Messaging Attack Mitigation Device Cloud WAF Data Center Customer Cloud-based Apps Radware Security Cloud POP Traffic is cleaned by Scrubbing Center and sent to customer cloud and premise

27 Scalability and Availability Service Monitoring: Traffic Volume Monitoring, HTTP Heath-checks Redundancy: for all network components No single point of failure Failover: Auto failover based on Active standby Disaster Recovery: DNS redirection to secondary site; Tier 1 DNS 27

28 Offering Sets Service available in three packages: Silver Gold Platinum Single shared policy for multiple web applications Basic security offering to secure against common web attacks Dedicated policy for each web application PCI Compliance ready policy Added protection from data and access centric attacks OWASP Top 10 coverage Extended security policy Zero-day attack protection Advanced attack protection DDoS protection of up-to 1 Gbps of attack traffic is included in all packages Volumetric DDoS-attack protection available at additional cost 28

29 Service Full SLA Security Offerings WAF Features Silver Gold Platinum HTTP Protocol Manipulation Yes Yes Yes Error info leakage & fingerprinting Yes Yes Yes Known Vulnerabilities & Custom Rules Yes Yes Yes SQL, OS and LDAP Injection Yes Yes Yes Cross Site Scripting (XSS) Yes Yes Yes SSL (including custom certificate) Yes Yes Yes Geo Location, Anonymous proxies Yes Yes Yes Credit Card Number Leakage No Yes Yes CSRF No Yes Yes Access Control (White & Black list) No Yes Yes Brute Force No Yes Yes Session attacks (hijacking, cookie poisoning) No No Yes Zero Day Protection; Parameter policy No No Yes XML and Web Service No No Yes Security Offerings DDoS Features Silver Gold Platinum Behavioral Network Layer DDoS Protection Behavioral Application Layer DDoS Protection Yes Yes Yes Yes Yes Yes Network Challenge Response Yes Yes Yes HTTP Challenge Response Yes Yes Yes Access List on demand up to 1 list per month Up to 100 entries Up to 100 entries Weekly Security Update Subscription Yes Yes Yes Up to 100 entries Attack volume supported Up to 1G Up to 1G Up to 1G 29

30 Service Full SLA Service Offerings - Service Silver Gold Platinum 24 X 7 support Yes Yes Yes Managed Security Service Yes Yes Yes logs review and system monitoring Yes Yes Yes Customized Weekly Scheduled Reports Yes Yes Yes Tenant-based Policy (shared Policy for multiple apps) Yes No No Application Based policy No Yes Yes Auto Policy Generation Yes Yes Yes Dedicated WAF instance No No Yes At least once a month Proactive Security Policy Review and No No Yes optimization 2 Forensics Reports per year No No Yes Emergency Response Attack Mitigation Yes Yes Yes Pre-attack high risk alerts Yes Yes Yes Post attack report and recommendations Yes Yes Yes Time to Security Expert response SLA Best Effort Best Effort Best Effort Number of DDoS Protection policy changes per calendar month (non-cumulative)

31 Global Infrastructure Radware Security Cloud Radware Scrubbing Centers Coming soon 31

32 Summary 32

33 Why Radware s Hybrid Cloud WAF? Integrated CPE and Cloud WAF Technologies Only solution with same technology to protect both cloud-based and on-premise applications Unmatched Web Application Protection Full OWASP Top 10 coverage Auto policy generation; ICSA Labs certification Fully Managed Security Service 24x7 Support Backed by Radware s ERT security experts Easy, Flexible Model Simple, no setup OPEX based with 3 offerings to chose from Always-On DDoS Protection Based on Radware s attack mitigation device Minimal false positives; no impact on legitimate traffic 33

34