FortiWeb for ISP
Web Application Firewall
Copyright Fortinet Inc. All rights reserved.

Agenda
- Introduction to FortiWeb
- Highlights / Main Features
- Additional FortiWeb Services for the ISP
- FortiWeb Family
Introduction to FortiWeb
Scope/Definition of WAFs
- Protects web-based applications from code-based attacks
  » SQL Injection or other injection types
  » Cross Site Scripting and Request Forgery
  » Layer 7 DoS/DDoS attacks
  » Cookie/schema poisoning
- Protects against application vulnerabilities in custom code and commercial platforms
- Understands/learns normal behaviors and stops anomalies
  » URL parameters, HTTP methods, session IDs, cookies, schema, etc.
[Diagram: FortiWeb WAF placed between the Internet and the web application servers, blocking SQL injection and XSS]
Can't a Firewall or IPS do this?
- Firewalls look for network-based attacks
- IPS signatures detect only known problems
  » No protection of SSL traffic
  » No application or user awareness
WAF Drivers/Challenges
- Protect current and existing applications from code-based vulnerabilities
- Meet PCI Compliance (5.5 and 6.6) for credit card and healthcare data
- Address OWASP Top 10 Application Vulnerabilities
- Identify and address web application vulnerabilities
- Website publishing for Microsoft and other applications
- Protect against website defacement
Who Needs it?
- Any organization that processes credit cards and/or has PCI requirements
- Large internal or external applications
- Sensitive/proprietary information
- Mission-critical business applications
Who Needs it Most?
- MSPs/Hosting Companies
- E-commerce/online services
- Retail, Food Service, Hospitality
- Financial services
- Healthcare
FortiWeb Web Application Firewalls
- 4 models from 100 Mbps to 4 Gbps HTTP throughput
- Up to 6x GE and models with 2x 10GE SFP+ ports
- Included vulnerability scanning and antivirus
- Hardware and VM options (VMware, Hyper-V)
- Automatic behavior-based scanning
- Auto setup/learning mode
- Layer 7 DDoS protection
- FortiGuard antivirus/IP reputation
- Transparent, reverse and non-inline deployment options
- Central Management/ADOMs
- Advanced real-time reporting
- SSL offloading/compression
- SSO/Authentication
- Layer 7 load balancing
- NSS recommended
✓ Complete WAF Solution
FortiWeb Benefits
- Protect custom and commercial applications with automatic usage profiling
- Meet PCI Compliance (5.5 and 6.6) with behavior-based attack detection and mitigation
- Protection against OWASP Top 10 Application Vulnerabilities
- Identify web application security weaknesses with vulnerability scanning
- Website publishing with Single Sign On/Authentication
- Restore website pages after attacks with Anti-Defacement Protection
- Block botnets and attacks from known rogue and malicious sources with FortiGuard IP Reputation
Deployment Options
Layer 2 - Transparent Inspection and True Transparent Proxy
- Easy deployment: no need to re-architect the network, full transparency
- Fail-open interface
Reverse Proxy
- Supports content modification for both requests and replies from the server
- Advanced URL rewriting capabilities
- HTTPS offloading
- Enhanced load balancing schemes
Non-Inline Deployment (SPAN port)
- Zero network latency
- Blocking capabilities using TCP resets
- Ideal for initial product evaluations and non-intrusive network deployment
[Diagram: the three FortiWeb placements in front of the web application servers]
Highlights / Main Features
FortiWeb main features
- Web Application Firewall (WAF): secures web applications to help customers meet compliance requirements
- Web Vulnerability Scanner: scans, analyzes and detects web application vulnerabilities
- Application Delivery: assures availability and accelerates performance of critical web applications
SSL Offloading & Acceleration
SSL Offloading
- Integrated ASIC-based hardware (FortiASIC CP8 SSL acceleration chip)
- Hardware-based key exchange and bulk encryption
- Purpose-built SSL processing
CA Management
- Full certificate management
- Advanced certificate verification and revocation capabilities
TCP Connection Multiplexing
✓ Offload CPU-intensive SSL computing from the server to FortiWeb
Server Load Balancing
- Layer 7 load balancing methods: Weighted Round Robin, Round Robin, Least Connection, HTTP session round robin
- Connection persistence with timeout value
- Probes & health checks: TCP, HTTP/HTTPS, PING; content-based health checks
✓ Intelligent, application-aware layer 7 load balancing
URL Routing/Rewriting
Advanced routing and rewriting capabilities
- Route traffic based on: IP, Host, URL
- Rewriting and redirection: Host, URL, Referrers
Rewrite Reply Content
- Rewrite absolute links
- Any required content
- Multiple content types supported
Vulnerability Assessment
Easily scan your web applications
- Common vulnerabilities: SQL Injection, Cross Site Scripting, source code disclosure, OS Commanding
- Enhanced/Basic mode
- Crawling information: URLs accepting input, external links
- Authentication options
- Scheduled and on-demand scanning
Vulnerability Assessment
Vulnerability Reports
- Scan summary
- Vulnerability by severity
- Vulnerability by categories
  » Application vulnerabilities
  » Common vulnerabilities
  » Server information
- Crawling information: URLs accepting input, external links
- Provides recommendations and graphs
- Updates via FortiGuard
FortiWeb Protection at all Layers

Attacks/Threats                                            Protection layer
Botnets, malicious hosts, anonymous proxies, DDoS sources  IP Reputation
Application-level DDoS attacks                             DDoS Protection
Improper HTTP RFC                                          Protocol Validation
Known application attack types                             Attack Signatures
Viruses, malware, loss of data                             Antivirus/DLP
                                                           Correlation
Unknown application attacks                                Application Behavioral Validation
FortiGuard IP Reputation
Threats
- DDoS
- Phishing
- Botnets
- Anonymous proxy access
- Infected sources
- SPAM hosts
IP Reputation Service
- Daily feed updates
- Automated downloads
- Immediate protection
- Visibility and reporting
FortiGuard Techniques
- FortiGuard historical analysis
- Honeypots
- Botnet analysis
- Anonymous proxies
- Third-party sources
FortiGuard IP Reputation Service: protect against automated attacks and malicious sources
Bot Identification and Protection
Enhanced Bot Identification
- Known search engines
- Bad robots (scanners, crawlers, spiders)
Protection Accuracy
- Bypass threshold-based policies (DoS, brute force) for known search engines
Bot Analysis
- Bot dashboard provides an overview of all traffic with a breakdown for bad robots and known search engines
✓ Analyze traffic from malicious robots, scanners, crawlers and known search engines
Protection Policies
Application Layer
- HTTP request limit per source
- TCP connections using the same cookie
- HTTP requests using the same cookie
- Challenge/Response: validate whether the user is real or automated
Network Layer
- TCP connection limit per source
- SYN Cookie: SYN flood protection
✓ Analyze requests originating from different users based on different characteristics such as IP and cookie
✓ Sophisticated mechanism identifies real users from automated attacks
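To make the per-source and per-cookie limits on this slide concrete, here is an added Python example (written for this page; it is not FortiWeb code and not Fortinet's algorithm) that applies two sliding-window limits to a constructed access log. The log format, the thresholds (5 requests per source and 8 per cookie within 10 seconds) and the client addresses (RFC 5737 documentation ranges) are all assumptions chosen for the example. The second burst in the sample carries one session cookie from rotating source addresses, which a per-source limit alone never sees.

```python
from collections import defaultdict, deque

# Constructed sample access log, one request per line (not real traffic):
#   <epoch-seconds> <client-ip> <session-cookie> <method> <path>
SAMPLE_LOG = """\
100 203.0.113.5 sessA GET /index
100 203.0.113.5 sessA GET /index
101 203.0.113.5 sessA GET /index
101 203.0.113.5 sessA GET /index
101 203.0.113.5 sessA GET /index
102 203.0.113.5 sessA GET /index
100 198.51.100.7 sessB GET /login
101 198.51.100.8 sessB GET /login
102 198.51.100.9 sessB GET /login
103 198.51.100.10 sessB GET /login
104 198.51.100.11 sessB GET /login
105 198.51.100.12 sessB GET /login
106 198.51.100.13 sessB GET /login
107 198.51.100.14 sessB GET /login
108 198.51.100.15 sessB GET /login
120 203.0.113.5 sessA GET /index
"""


class SlidingWindowLimiter:
    """Counts events per key inside a trailing window of `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.events = defaultdict(deque)  # key -> timestamps still inside the window

    def hit(self, key, ts):
        """Record one event for `key` at time `ts`; True if the limit is now exceeded."""
        q = self.events[key]
        while q and ts - q[0] >= self.window:
            q.popleft()  # expire timestamps that fell out of the window
        q.append(ts)
        return len(q) > self.limit


def parse_line(line):
    ts, ip, cookie, method, path = line.split()
    return int(ts), ip, cookie, method, path


def evaluate(log_text, per_source=(5, 10), per_cookie=(8, 10)):
    """Apply the per-source and per-cookie request limits to every request in order.

    Returns a list of (ts, ip, cookie, action, reason) tuples where action is
    "allow" or "block". Blocked requests still count toward the windows, just as
    an automated client's retries would.
    """
    by_source = SlidingWindowLimiter(*per_source)
    by_cookie = SlidingWindowLimiter(*per_cookie)
    verdicts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, cookie, method, path = parse_line(line)
        reason = None
        if by_source.hit(ip, ts):
            reason = f"source {ip} exceeded {per_source[0]} requests in {per_source[1]}s"
        # Always update the cookie window, even when the source limit already fired.
        if by_cookie.hit(cookie, ts) and reason is None:
            reason = f"cookie {cookie} exceeded {per_cookie[0]} requests in {per_cookie[1]}s"
        verdicts.append((ts, ip, cookie, "block" if reason else "allow", reason))
    return verdicts


if __name__ == "__main__":
    for ts, ip, cookie, action, reason in evaluate(SAMPLE_LOG):
        print(f"{ts:>4} {ip:<15} {cookie:<6} {action:<5} {reason or ''}")
```

Running it shows the sixth request from 203.0.113.5 blocked by the source limit and the ninth request carrying sessB blocked by the cookie limit, while the request at t=120 is allowed again because the earlier timestamps have aged out of the window. The challenge/response step the slide lists, which would be the natural next action for a client that trips a limit, is not modelled here.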
Intrusion Prevention
FortiGuard Labs
- Weekly updates
- Automatic download
Wide coverage
- Various categories
- Thousands of signatures
- Action rules per category
- Information about each signature: sample match, location where inspected
Exceptions/Whitelist
- Create exceptions down to the individual signature
- Use regex to cover more URLs
✓ Flexible and granular signature interface
FortiWeb Auto Learn
Understand Application Structure
- Models elements from actual traffic
- Builds a baseline based on URLs, parameters and HTTP methods
Automatically Understands Real Behavior
- Can form fields/parameters be modified by users?
- What are the length and type of each form field?
- What characters are acceptable (min, max, average)?
- Is a form field required or optional?
- Provides recommendations and graphs
FortiWeb Auto Learn
- Learns the protected application's structure: URLs, parameters, expected behavior
- Analyzes visits and attacks
- Provides automatic rules
- Exportable to PDF
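As an added illustration of the learn-then-enforce idea on this slide and the previous one (example code written for this page, not FortiWeb's implementation or any Fortinet code): a small Python model that learns, from constructed trusted traffic, which URLs and HTTP methods exist, which parameters are present in every request, how long their values get and which character classes they use, and then reports how a new request deviates from that baseline. The sample traffic, the 50% length slack and the character-class rules are assumptions chosen for the example; a real product learns from far more traffic and applies its own statistics.

```python
# Constructed learning traffic as (method, path, parameters); it stands in for
# the clean traffic a WAF would observe during its learning period.
BASELINE_TRAFFIC = [
    ("GET",  "/search",  {"q": "laptop",     "page": "1"}),
    ("GET",  "/search",  {"q": "phone case", "page": "2"}),
    ("GET",  "/search",  {"q": "usb hub",    "page": "10"}),
    ("POST", "/login",   {"user": "alice",   "pwd": "s3cret"}),
    ("POST", "/login",   {"user": "bob",     "pwd": "hunter2"}),
    ("GET",  "/product", {"id": "42"}),
    ("GET",  "/product", {"id": "1337"}),
]


class ParamProfile:
    """What learning has observed for one parameter of one URL."""

    def __init__(self):
        self.seen = 0          # requests to the URL that carried this parameter
        self.max_len = 0
        self.classes = set()   # "digit", "alpha", "space", or a literal punctuation character


def char_class(ch):
    """Collapse letters, digits and whitespace; keep punctuation literal so '<' or a quote stands out."""
    if ch.isdigit():
        return "digit"
    if ch.isalpha():
        return "alpha"
    if ch.isspace():
        return "space"
    return ch


def learn(traffic):
    """Build a per-URL model from (method, path, params) tuples of trusted traffic."""
    profile = {}
    for method, path, params in traffic:
        entry = profile.setdefault(path, {"methods": set(), "hits": 0, "params": {}})
        entry["methods"].add(method)
        entry["hits"] += 1
        for name, value in params.items():
            p = entry["params"].setdefault(name, ParamProfile())
            p.seen += 1
            p.max_len = max(p.max_len, len(value))
            p.classes.update(char_class(c) for c in value)
    return profile


def check(profile, method, path, params, slack=0.5):
    """Compare one request against the learned model; return a list of anomaly descriptions."""
    findings = []
    entry = profile.get(path)
    if entry is None:
        return [f"unknown URL {path}"]
    if method not in entry["methods"]:
        findings.append(f"unexpected method {method} for {path}")
    for name, p in entry["params"].items():
        if p.seen == entry["hits"] and name not in params:  # present in every learned request
            findings.append(f"missing required parameter {name}")
    for name, value in params.items():
        p = entry["params"].get(name)
        if p is None:
            findings.append(f"unknown parameter {name}")
            continue
        limit = int(p.max_len * (1 + slack))  # tolerate modest growth beyond the learned maximum
        if len(value) > limit:
            findings.append(f"parameter {name} length {len(value)} exceeds learned limit {limit}")
        unseen = {char_class(c) for c in value} - p.classes
        if unseen:
            findings.append(f"parameter {name} contains unlearned characters {sorted(unseen)}")
    return findings


if __name__ == "__main__":
    model = learn(BASELINE_TRAFFIC)
    for req in [("GET", "/product", {"id": "7"}),
                ("GET", "/product", {"id": "1 OR 1=1"}),
                ("GET", "/search", {"q": "<script>", "page": "1"}),
                ("POST", "/product", {"id": "7"}),
                ("GET", "/admin", {})]:
        print(req, "->", check(model, *req) or "matches learned profile")
```

Note that the numeric `id` parameter is flagged on two independent grounds (a space and an equals sign were never seen in it, and the value is longer than the learned limit allows), which is the point of behavioral validation: it needs no signature for the attack, only a model of what the application normally receives.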
FortiGuard Services
FortiGuard Labs
» Award-winning threat research services
» Dynamic/automated updates for FortiWeb
» Automatic downloads
» Always up-to-date
Subscription Based
» Available per device
» Select the services that are needed
» Annual renewals
Security Service
- Application layer signatures
- Malicious bots
- Suspicious URL patterns
- Web vulnerability scanner updates
IP Reputation
- Protection from automated attacks and malicious sources
- DDoS, phishing, botnet, spam, anonymous proxies and infected sources
Antivirus
- Scan file uploads
- Regular and extended AV databases
Additional FortiWeb Services for the ISP
Cloud WAF for on-premise web applications
- FortiWeb is configured in Reverse Proxy mode
- A cloud WAF solution allows customers to have an external device scan their traffic without deploying any software or hardware in their own environment
- End customers change their application's DNS entry to point to the cloud WAF, which scans the traffic and forwards it to the application
- The solution provides each customer:
  » Application security
  » Performance acceleration (caching, compression, etc.)
  » UI access dashboard: traffic graphs, alerts, minimal configuration
[Diagram: Customer A and Customer B applications behind the cloud WAF]
Hosted Web Applications
- FortiWeb is configured in True Transparent Proxy mode
- This solution gives the ISP additional revenue by offering WAF services for the applications it hosts
- All applications are hosted in the ISP's infrastructure
- Managed by the ISP, no UI access for end customers
- The solution provides each customer:
  » Application security
  » Performance acceleration (possibly)
  » Reports via email
[Diagram: MSSP site with FortiWeb in front of customer applications 1-N]
Multi-tenancy
Administrative Domains
- Control privileges and permissions across the organization
- True role-based access control (RBAC)
- Global and per-ADOM settings
- Per-ADOM logging and reporting
MSSP Features
- Protect multiple customers with one FortiWeb appliance
- Allow customers to securely access their own logs and reports
- Per-user read/write permissions
✓ Provides multiple logical entities in a single physical unit
✓ Out-of-the-box multi-tenant solution
[Diagram: Customers 1, 2, 3, 4 .. N served by one FortiWeb]
High Availability
Active/Passive Failover
- Full configuration synchronization
- Seamless failover
- No downtime
Configuration-Sync
- Sync FortiWeb devices across networks
- Allows managing policies across multiple devices from a central location
- Seamless integration into already existing HA/LB environments
- Support for DR environments
✓ Use Active/Passive failover or simply sync policies across multiple data centres, regardless of location
[Diagram: FortiWeb units synchronized between a primary site and a disaster recovery site]
FortiWeb for Virtual Datacenter
Virtual WAF for VDC
- Deploy WAFs without extra hardware
- Dynamic expansion in VM environments
- Resource efficiency with uncompromised WAF functionality
Virtualization Environment:
» VMware ESX / ESXi 4.0 / 4.1 / 5.0 / 5.1 / 5.5
» Microsoft Hyper-V
» Citrix XenServer 6.2
» Open Source Xen 4.2
[Diagram: virtualized data center with FortiWeb virtual appliances in front of the DMZ servers, public zone and virtual desktops]
FortiWeb Family
FortiWeb Product Lineup (performance & scalability)

WAF throughput   Models                     SSL        Ports
< 1 Gbps         FWB-400C, FWB-1000D        Software   GE
1-2 Gbps         FWB-3000D, FWB-3000DFsx    ASIC       GE/10GE
3+ Gbps          FWB-4000D                  ASIC       GE/10GE
FortiWeb Product Matrix

Model                    400C      1000D     3000D     3000DFsx  4000D
WAF Throughput           100 Mbps  750 Mbps  1.5 Gbps  1.5 Gbps  4.0 Gbps
Latency                  Sub-ms    Sub-ms    Sub-ms    Sub-ms    Sub-ms
SSL                      Software  ASIC      ASIC      ASIC      ASIC
L7 Load Balancing        Yes       Yes       Yes       Yes       Yes
L7 DoS Protection        Yes       Yes       Yes       Yes       Yes
Site Publishing/SSO      Yes       Yes       Yes       Yes       Yes
Vulnerability Scanner    Yes       Yes       Yes       Yes       Yes
Antivirus/antimalware    Yes       Yes       Yes       Yes       Yes
GE Port                  4         6         6         6         8
GE Bypass                0         4         2         0         2
GE-SX Bypass             0         0         0         0         2
GE SFP                   0         2         0         0         0
10GE SFP+ Bypass         0         0         0         2         2
FortiWeb Virtual Appliances
Virtual WAF
- Deploy WAFs without extra hardware
- Dynamic expansion in VM environments
- Resource efficiency with uncompromised WAF functionality
- Supported hypervisors: VMware ESX / ESXi 4.0 / 4.1 / 5.0 / 5.1 / 5.5, Microsoft Hyper-V, Citrix XenServer 6.2, Open Source Xen 4.2

Technical Specifications

                                 FortiWeb VM01   FortiWeb VM02   FortiWeb VM04   FortiWeb VM08
vCPU Support (Max)               1               2               4               8
Memory Support (Max)             Unlimited       Unlimited       Unlimited       Unlimited
Network Interface Support (Max)  4               4               4               4
Storage Support (Min / Max)      40 GB / 1 TB    40 GB / 1 TB    40 GB / 1 TB    40 GB / 1 TB