The Smartest Way to Secure Websites and Web Applications Against Hackers, Fraud, and Theft

Transcription

1 DATASHEET Junos WebApp Secure The Smartest Way to Secure Websites and Web Applications Against Hackers, Fraud, and Theft Product Overview Traditional signature-based Web application firewalls are flawed because they rely on a library of signatures and are always susceptible to unknown or zero-day Web attacks. Junos WebApp Secure offers a new technology that uses deception to address this problem. Junos WebApp Secure is the first Web intrusion deception system that prevents Web attackers in real time. Unlike legacy signature-based approaches, Junos WebApp Secure uses deceptive techniques and inserts detection points, or tar traps, into the code of outbound Web application traffic to proactively identify attackers before they do damage with no false positives. The First Web Intrusion Deception System No False Positives Juniper Networks Junos WebApp Secure is a Web Intrusion Deception system that does not generate false positives because it uses deceptive tar traps to detect attackers with absolute certainty. Junos WebApp Secure inserts detection points into the code and creates a random and variable minefield all over the Web application. These detection points allow you to detect attackers during the reconnaissance phase of the attack, before they have successfully established an attack vector. Attackers are detected when they manipulate the tar traps inserted into the code. And because attackers are manipulating code that has nothing to do with your website or Web application, you can be absolutely certain that it is a malicious action with no chance of a false positive. IT security professionals know that false positives diminish the effectiveness of any security program. By using this certainty-based approach, Junos WebApp Secure solves this problem for Web attacks. Furthermore, this product works out-of-the-box and improves your Web application security. There are no rules to write, no signatures to update, no learning modes to monitor, and no log files to review just attackers to prevent. Block Attackers, Not IPs Junos WebApp Secure captures the IP address as one data point for tracking the attacker. But it also realizes that making decisions on attackers identified only by an IP address is fundamentally flawed because many legitimate users could be accessing your site from the same IP address. For this reason, Junos WebApp Secure tracks the attackers in significantly more granular ways. For attackers who are using a browser to hack your website, Junos WebApp Secure tracks them by injecting a persistent token into their client. The token persists even if the attacker clears cache and cookies, and it has the capacity to persist in all browsers including those with various privacy control features. As a result of this persistent token, Junos WebApp Secure can prevent a single attacker from attacking your site, while allowing all legitimate users normal access. For attackers who are using software and scripts to hack your website, Junos WebApp Secure tracks them using a fingerprinting technique to identify the machine delivering the script. 1

2 Prevent and Deceive Detection with no false positives and client-level tracking are both vital for launching a countermeasure to prevent an attacker. Only with certainty-based detection can you safely prevent an attacker and know that you are not blocking legitimate users. The Smart Profiling technology profiles the attacker to determine the best response to prevent the attack. Responses can be as simple as a warning or as deceptive as making the site simulate that it is broken for the attacker only. Every detected attacker gets a profile and every profile gets a name. The Smart Profile ultimately creates a threat level for each attacker in order to prevent attackers in real time, at the client level, with no false positives. Smart Profiling provides IT security professionals with more valuable knowledge about attackers and the threat they pose than they have ever seen before. With automated countermeasures, Junos WebApp Secure works around the clock detecting and preventing attackers. It doesn t create log files for you to review. It just tells you how many attackers it detected and what countermeasure response was applied. It s a security device that works as part of your security team even when you sleep. Table 1: Juniper WebApp Secure vs. Web Application Firewall (WAF) Features Comparison Product Features Junos WebApp Secure Traditional Signature-Based WAF Detection Techniques Signatures 3 3 Behavior analysis 3 3 Web intrusion deception 3 Track IP address 3 3 Browsers (cookies across multiple IP addresses) 3 3 Browsers (persistent tokens across multiple IP addresses) 3 Software/script (fingerprinting) 3 Profile IP address (geo-location) 3 3 Attacker (incident history, browsers, software, and scripts) 3 Attacker threat-level analysis 3 Assigns name to attacker (e.g., JoeSmith27) 3 Respond Automated and manual real-time response 3 3 Alerting 3 3 Force logout and reauthentication 3 3 Force CAPTCHA 3 3 Block IP addresses 3 3 Block attacker (browser, software, and scripts) 3 Warn attacker (browser) 3 Deceptive response (slow connection) 3 Deceptive response (simulate broken applications) 3 Web Application Hardening Cross-site request forgery (CSRF) prevention 3 3 Anti-profiling of application 3 3 Session hijacking prevention 3 CAPTCHA inserted into existing workflow Compliance Payment Card Industry (PCI) 6.6 compliant 3 3 2

3 Features and Benefits Junos WebApp Secure doesn t generate false positives. It detects genuine attackers before they have the chance to successfully establish an attack vector and blocks them with client-level tracking that does not impact legitimate users. It works out-ofthe-box, so there are no rules to write, no signatures to update, etc. It continually profiles attackers as they come onto the scene, and it maintains a profile of known application abusers and all of their malicious activity. It is, quite simply, a virtual member of your security team that keeps stopping attacks even when you are asleep. Abuse Detection Processors A library of HTTP processors that implement specific abuse detection points in application code. Detection points identify abusive users who are trying to establish attack vectors such as cross-site request forgery. Some examples of processors include: Authentication Abuse Detection detects abuses against application authentication such as: requests for directory configurations, passwords, and protected resources Login attempts with invalid credentials Attempts to crack authentication Cookie Abuse Detection detects attempts to manipulate the application by changing cookie values Error Code Detection detects suspicious application errors that indicate abuse, including illegal and unexpected response codes Suspicious File Request Detection detects when an attacker is attempting to request files with known suspicious extensions, prefixes, and tokens Header Enforcement enables the policing of HTTP headers from the application to ensure that critical infrastructure information is not exposed; response and request headers can be stripped, mixed, or filtered. Input Parameter Manipulation Detection detects attempts to abuse form inputs and establish vectors for injection and crosssite scripting attacks Link Traversal Detection detects attempts to spider the application for links to hidden and confidential resources Directory Traversal Protection prevents attackers from finding hidden directories Illegal Request Method Detection detects attempts to abuse non-standard HTTP methods such as TRACE Query Parameter Manipulation Detection detects attempts to manipulate application behavior through query parameter abuse Malicious Spider Detection detects attempts to spider and index protected directories and resources Cross-Site Request Forgery detects and prevents cross-site request forgery attacks Custom Authentication allows companies to protect a page or portion of a site, if a vulnerability is found Third-Party Vulnerability Protection detects known attacks IP List Export For Layer 3 firewall integration Automated high volume attack tool protection and blocking via SRX Series integration Abuse Recording Full HTTP Capture captures and displays all HTTP traffic for security incidents Abusive Behavior Analysis Abuse Profiles maintains a profile of known application abusers and all of their malicious activity against the application Tracking and Re-identification enables application administrators to re-identify abusive users and apply persistent responses, over time and across sessions Enhanced tracking capabilities and fingerprinting of detected attackers Abuse Response Abuse Responses enables administrators to respond to application abuse with session-specific warnings, blocks, and additional checks; includes one-click automation of responses during configuration These responses include: Warn user, send a custom message Block connection and return arbitrary HTTP error captcha connection throttling Logout and forced reauthentication Simulated broken application (strip inputs) Policy Expressions simple expression syntax for writing automated, application-wide responses Global Attacker Database Shares and receives attacker information via a cloud service across deployments globally providing enhanced detection and protection Updates Automatically downloaded and available within the management console Platform Security Hardened kernel, locked-down ports, encrypted backups Management Simplified configuration with setup wizards Web-Based Configuration browser-based interface for all deployment options Monitoring Console web-based monitoring and analysis interface Drill into application sessions, security incidents, and abuse profiles Manage and monitor manual and automated responses Deep search and filtering capabilities real-time and historical system monitoring Multiple administrators Multiple applications/domains remote system logging UI Enhanced workflows, unified configuration & monitoring, faster performance and mobile device support Different UI skins available Role based access control Restful API STRM Series Support 3

4 SSL Inspection Passive decryption or termination Alerts, Reporting, Logging Alerts sends alert s when specific incidents or incident patterns occur Command-line interface can be used for custom reporting Reporting Management System includes user interface SNMP system logging Auditing tracks changes to the system made by the administrators in the configuration interface, security monitor, TUI, and report generation Security incidents via system logging Reports country comparisons, top IP addresses, and incidents Performance High availability for hardware version Higher throughput using master/slave clustering Low latency Link aggregation Deployment Reverse proxy with load balancing Available as hardware Available as a VMware or Amazon Machine Image Support for alternate ports (other than 80 and 443) Architecture and Key Components Functions as a reverse proxy Specifications Hardware (MWS1000) CPU Dual Intel Quad Core (2.4GHz) 2 threads / core Memory 48 GB DDR3 Interface 4 x 1GbE (onboard ports) MWS x SFP+ 10GbE (additional data IOCs via Intel Ethernet Controller) Note: All ports are PXE bootable Storage 4 Slots offering hardware RAID Maximum Capacity = 900 TB RAID-1 HDDs used: 450 GB SAS 10,000 rpm Crypto Software Chassis 1U Rack-mountable Chassis Externally accessible hot swappable cooling fans Client Use Case Mid-end performance application User Interface Themes Firewall Load Balancer Junos WebApp Secure Application Server Figure 1: Where does the Junos WebApp Secure live? 4

5 Ordering Information Model Number Description MWS1000 Junos WebApp Secure Hardware Appliance - SW Sold Separately MWS100MB Junos WebApp Secure 100Mbps Licenses MWS-HDD Junos WebApp Secure - Spare HDD MWS-SP Mbps per end customer application, per month MWS-SP-20 20Mbps per end customer application, per month MWS-SL-1 Junos WebApp Secure software - 100Mbps for one geographic site. Including support and updates. One year term. MWS-SL-3 Junos WebApp Secure software - 100Mbps for one geographic site. Including support and updates. Three year term. About Juniper Networks Juniper Networks is in the business of network innovation. From devices to data centers, from consumers to cloud providers, Juniper Networks delivers the software, silicon and systems that transform the experience and economics of networking. The company serves customers and partners worldwide. Additional information can be found at 5

6 Corporate and Sales Headquarters Juniper Networks, Inc North Mathilda Avenue Sunnyvale, CA USA Phone: 888.JUNIPER ( ) or Fax: APAC and EMEA Headquarters Juniper Networks International B.V. Boeing Avenue PZ Schiphol-Rijk Amsterdam, The Netherlands Phone: Fax: To purchase Juniper Networks solutions, please contact your Juniper Networks representative at or authorized reseller. Copyright 2013 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice EN Jun 2013 Printed on recycled paper 6