Cisco ACE Web Application Firewall




Product Overview

The Cisco ACE Web Application Firewall (Figure 1) is the newest component of the Cisco Application Control Engine (ACE) family of products. Many organizations are looking to increase efficiency and profitability through the implementation of new Web-based applications, Web 2.0 and SOA solutions. These new Web-based services provide greater flexibility and interactivity to customers, employees, and partners. At the same time, criminals have seized on exploiting these new, and often poorly secured services for such things as financial fraud, identity and data theft, denial of service attacks, and the spread of malware and remote-controlled agent software. According to privacyrights.org, nearly a quarter of a billion records have been breached since 2005 in the US alone.

In response, new and emerging regulatory requirements, like Sarbanes-Oxley, Gramm-Leach-Bliley, HIPAA, PCI, Basel II, EU Data Privacy Regulation, J-SOX, and PIPEDA, in virtually every country and region in the world, place a special emphasis on protecting the access to, transmission of, and storage of sensitive information, such as the personal and financial information of customers and employees.

Of special interest is the protection of consumer financial and personal information. In response to increased identity theft incidents and security breaches, major credit card companies have collaborated to create the Payment Card Industry (PCI) Data Security Standard (DSS), which is a series of requirements to streamline and standardize how companies store and access credit card information. The Cisco ACE Web Application Firewall helps organizations that store, process, and transmit credit card data to comply with the PCI DSS requirements. Because of its unique blend of HTML and XML security, the Cisco ACE Web Application Firewall provides a full compliance solution for the PCI DSS version 1.1's requirements in sections 6.5 and 6.6.
Section 6.6 in particular mandates that any organization handling, processing, or storing credit card information must install a Web application firewall by June 30, 2008 to protect applications against the OWASP Top 10 attacks (http://www.owasp.org/index.php/top_10_2007). The Cisco ACE Web Application Firewall provides full compliance with the latest PCI requirements by combining deep Web application analysis with high-performance XML inspection and management to truly address the full range of threats associated with all new Web application services. It secures and protects Web applications from common attacks, such as identity theft, data theft, application disruption, fraud and targeted attacks. These attacks may include cross-site scripting (XSS) attacks, SQL and command injection, privilege escalation, cross-site request forgeries (CSRF), buffer overflows, cookie tampering, and Denial of Service (DoS) attacks.

The Cisco ACE Web Application Firewall's integrated Extensible Markup Language (XML) firewall capabilities extend protection for traditional HTML-based Web applications to modern XML-enabled Web services applications. The security for XML data includes XML threat mitigation such as validating XML content to block message processing policy violations in your Web services application traffic.

All contents are Copyright 1992-2008 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.

The Cisco ACE Web Application Firewall is also a full proxy security solution that provides deep message-level inspections for both request and response traffic. This enables it to not only block attacks but also to cloak your Web applications from hackers. It can also enforce privacy policies by filtering outbound traffic to prevent leakage of sensitive data such as credit cards and personal identification numbers, such as passports or social security numbers.

The Cisco ACE Web Application Firewall software license can be upgraded to include the full Cisco ACE XML Gateway software, which provides a robust set of XML performance enhancement and management tools for XML-based software applications. The Cisco ACE XML Gateway helps to ensure that all XML messages are processed without compromising security, interoperability, or reliability. It enables businesses to efficiently secure, accelerate, and integrate XML Web services with the market's most extensive policy control and end-to-end performance, which allows customers to accelerate their time-to-market and gain competitive advantage in their businesses.

Figure 1. Cisco ACE Web Application Firewall

Secure, fast, and reliable HTML and XML applications require the capability to deliver assured throughput, high concurrency, low latency, and support for critical operations such as security and availability.
The Cisco ACE Web Application Firewall offers these benefits by providing:

- Bullet-proof security for your custom applications
- Extensive set of Cisco validated signatures for known malicious patterns
- Understanding of Web applications to filter and allow only legitimate traffic
- Human-assisted learning to remove the guesswork from your security configuration

The Cisco ACE Web Application Firewall offers industry-leading security processing on a high-performance network appliance to accommodate your development and deployment requirements. Whether you are showing proof of concept, securing a small set of Web-enabled applications, or deploying a broad set of Web-enabled applications enterprise wide, Cisco provides the industry-leading Web application firewall solution that scales to meet your application security, availability and performance requirements.

Features and Benefits

- Dramatically reduce exposure to expensive Web-based attacks on mission critical applications
- Deploy secure Web projects in a fraction of the time and cost of competitive solutions
- Simplify ongoing Web security management through the ability to work with SOAP and XML applications

Figure 2 shows a typical deployment, and Table 1 summarizes the features and benefits of the Cisco ACE Web Application Firewall.

Figure 2. Cisco ACE Web Application Firewall Deployment

Table 1. Features and Benefits

Feature:

- Web Application Security
- Privacy
- Encryption and Signing
- Audit and Logging
- Monitoring
- Policy-Based Provisioning and Versioning
- Acceleration and Offloading

Benefit:

- Support for human-assisted learning using monitor mode deployment
- Defends applications against Web-based HTML and XML threats
- Protects against identity theft, data theft, content and format threats, access threats, compliance, transport, and targeted attacks such as denial-of-service (DoS) attacks
- Enables users to create custom rules and signatures
- Offers a set of preconfigured rules that help address PCI DSS 1.1 section 6.5 and 6.6 (OWASP Top 10) requirements
- Exerts comprehensive, enterprise wide, policy control for application access and data privacy
- Prevents cookie tampering and maintains confidentiality of information stored in browser cookies
- Provides full FIPS-compliance, protecting against Secure Sockets Layer (SSL) key hijacking by persistently storing private SSL keys in the platform hardware
- Meets compliance requirements with audit and nonrepudiation capabilities
- Quickly debugs and monitors Web applications using sophisticated GUI
- Comprehensive statistics and reporting capability
- Increases developer productivity and improves deployment flexibility with sophisticated rollback and versioning capabilities
- Quickly eliminates false positives with the ability to turn off firewall rules for specific violations with a single click
- Provides enterprise wide management accessible anywhere on the network through the Web GUI or Secure Shell (SSH) interface
- Enables configuration of security policies in one centralized policy management system, without programming
- Accelerates Web and XML application processing and improves server utilization by offloading computationally intensive operations such as transport security and enabling HTTP or TCP session reuse
- Allows upgrades with future performance enhancements without requiring new hardware

Product Specifications

Table 2 provides software specifications, and Table 3 provides hardware specifications for the Cisco ACE Web Application Firewall.

Table 2. Product Specifications for the Cisco ACE Web Application Firewall

Item:

- Web Application Security
- Transport Security
- Cryptographic Support
- Administration
- Logging, Monitoring, and Auditing

Specification:

- Full reverse proxy
- Monitor mode deployment
- Buffer overflow
- HTTP parameter manipulation
- Protocol compliance
- Null byte blocking
- Input encoding normalization
- Response filtering and rewriting
- Flexible firewall actions
- Cookie and session tampering
- Cross-site scripting (XSS)
- Command injection, SQL injection
- Privacy enforcement by preventing information leak
- Cryptography enforcement
- Application and server error message cloaking
- Referrer enforcement
- Positive and negative security models
- Custom rules and signatures
- PCI compliance profiles
- Full SSL v2/3 support with configurable cipher suites
- FIPS 140-2 Level 3 platforms available
- Cryptographic algorithms including: Advanced Encryption Standard (AES), Data Encryption Standard (DES), Triple DES (3DES), Blowfish, RSA, Diffie-Hellman, Digital Signature Algorithm (DSA), Secure Hash Algorithm 1 (SHA-1) and Message-Digest 5 (MD5)
- Web user interface
- Command-line interface
- SSH
- Simple Network Management Protocol (SNMP)
- Roles-based access control (RBAC)
- Delegated administration
- Central policy management and distributed enforcement
- Import and export of configuration, statistics, and logs
- Syslog and message and event logs
- Traffic and service-level agreement (SLA) monitoring and reporting
- Statistics for monitoring and various alerts and triggers
- Audit trail of administrative operations

Table 3. Product Specifications: Cisco ACE Web Application Firewall Hardware

Item | Specification
Chassis | Dimensions: 1 rack unit (1RU) standard rack mount: 1.70 x 16.78 x 27.75 in. (4.32 x 42.62 x 70.49 cm); Weight: 37 lb (16.8 kg) fully configured (per unit, not including shipping materials)
Processor | 2 Intel dual-core Xeon processors
Hardware Accelerators | One of the following: 1 FIPS 140-2 Level 3 compliant (4,000 SSL TPS); 1 Non-FIPS compliant (14,000 SSL TPS)
Ports | 4 Gigabit Ethernet ports plus a dedicated lights-out management Ethernet port
Memory | 4 GB fixed RAM
Storage | Dual hot-swappable serial-attached Small Computer System Interface (SCSI) hard disk drive (SAS HDD) with RAID (20 GB usable)
Power | Dual redundant; 700 watts (W)

Cisco Service and Support

Cisco takes a lifecycle approach to services and, with its partners, provides a broad portfolio of security services so enterprises can design, implement, operate, and optimize network platforms that defend critical business processes against attack and disruption, protect privacy, and support policy and regulatory compliance controls. Cisco services help you protect your network investment, optimize network operations, and prepare your network for new applications to extend network intelligence and the power of your business.

Cisco services include:

- The Cisco Security Center provides one-stop shopping for early warning threat intelligence, threat and vulnerability analysis, Cisco IPS signatures, and mitigation techniques. Visit and bookmark the Cisco Security Center at www.cisco.com/security.
- The Cisco Security Intellishield Alert Manager Service provides a customizable, Web-based threat and vulnerability alert service that allows organizations to easily access timely, accurate, and credible information about potential vulnerabilities in their environment.
- Cisco Security Optimization Service: Increasingly, the network infrastructure is the foundation of the agile and adaptive business. The Cisco Security Optimization Service supports the continuously evolving security system to meet ever-changing security threats through a combination of planning and assessments, design, performance tuning, and ongoing support for system changes. This service helps integrate security into the core network infrastructure.
- Cisco SMARTnet Service delivers rapid issue resolution by giving businesses direct, anytime access to Cisco engineers, an award-winning online Support Center, machine-to-machine diagnostics on select devices and premium advance hardware replacement options.
- Cisco Software Application Support Services, plus Upgrades [SASU] ensures CSA availability, functionality, and reliability with around-the-clock access to technical support, software updates, and major upgrades.

The services and support programs described in Table 4, Cisco SMARTnet Service and Software Application Support plus Upgrades (SASU), are available as part of the Cisco ACE Web Application Firewall Service and Support solutions.

Table 4. Cisco SMARTnet and Software Application Service and Support Programs

Service and Support (available directly from Cisco or through Cisco Certified Partners):

- Cisco SMARTnet Service
- Cisco SASU

Features:

- 24x7 access to software updates and upgrades
- 24x7 access to Cisco Technical Assistance Center (TAC) via web, phone, email
- Advance replacement of hardware parts (Cisco SMARTnet Service only)

Benefits:

- Supplements existing staff
- Helps ensure that functions meet needs
- Mitigates risk
- Helps enable proactive or expedited problem resolution
- Lowers total cost of ownership (TCO) by using Cisco expertise and knowledge
- Helps minimize network downtime

Ordering Information

Companies can choose between two versions of the Cisco ACE Web Application Firewall, depending on which cryptographic processor meets their needs. One version offers FIPS-compliant SSL acceleration at 4000 transactions per second (TPS); the other can process 14,000 TPS but is not FIPS compliant. Cisco ACE Web Application Firewall will be available for ordering beginning May 1, 2008. Table 5 provides ordering information for the Cisco ACE Web Application Firewall.

Table 5. Ordering Information

Product Options | Product Name | Part Number | Support and Services
Chassis | Firewall Appliance | ACE-XML-K9, ACE-XML-NF-K9 | CON-SNT-ACEXK9, CON-SNT-ACEXNK9
Software | Firewall Software | ACE-XML-SW-6.0 |
Cryptography | FIPS-compliant SSL acceleration | ACE-XML-FIPS | CON-SNT-ACEXFIPS
Cryptography | Non-FIPS-compliant SSL acceleration | ACE-XML-NONFIPS | CON-SNT-ACEXNFIP
Licensing | Firewall license | ACE-WAF-GAT-LICFX | CON-SAU-ACEWGW
Licensing | Firewall Manager license | ACE-WAF-MGT-LICFX | CON-SAU-ACEWMG

*Cisco ACE Web Application Firewall will be available for ordering beginning May 1, 2008.

For More Information

For more information about the Cisco ACE Web Application Firewall, visit http://www.cisco.com/go/ace or contact your local Cisco account representative.

Printed in USA C78-458627-00 03/08