NSFOCUS Web Application Firewall White Paper
By NSFOCUS
White Paper - 2014 NSFOCUS
NSFOCUS is the trademark of NSFOCUS Information Technology Co., Ltd. NSFOCUS enjoys all copyrights with respect to all textual narrations, document formats, illustrations, photographs, methods, processes and other contents, unless otherwise specified, which shall be governed by relevant property rights and copyright laws. Without written permission of NSFOCUS, any individual or institution shall be prohibited to copy or quote any section herein in any way.
Contents

Overview
Key Features of NSFOCUS WAF
  Adoption of a Customer Asset Perspective
  Optimized Configuration Wizard
  Multiple Rule-Based Inspections
  PCI-DSS Compliance Report
  Layered Security Mechanism
  Effective Auto-Learning and Whitelist Creation
  Transparent, Drop-in Deployment
  Emergency Response through Smart Patching
Typical Deployment
Use Cases
  Website Access Control
  Webpage Defacement Prevention
  Prevention against Sensitive Data Leaks
  Correlated Protection against DDoS
  Virtual Website Protection
Appendix
  Business Assets: Definitions
  WAF Rule Systems: Definitions
Overview

The NSFOCUS Web Application Firewall (WAF) is an asset-focused web security solution. WAF combines blacklist and whitelist mechanisms and integrates multiple web security detection technologies into a complete solution that can be configured for a customer's specific needs. Additionally, NSFOCUS WAF correlates with mature distributed denial-of-service (DDoS) prevention systems. This comprehensive design enables WAF to protect against the OWASP Top Ten and other web security threats in addition to DDoS attacks.

WAF offers transparent in-path deployment, router (out-of-path) deployment, and cloud-based deployment, all with a low operating expense (OPEX). Given its easy deployment and economical yet comprehensive features, NSFOCUS WAF is an excellent solution for safeguarding your applications against current and future security threats.

In the first section of this white paper, we present the key features which differentiate the WAF solution. In sections two and three, we describe typical deployment modes and use cases, followed by an appendix with definitions.
Key Features of NSFOCUS WAF

Adoption of a Customer Asset Perspective

NSFOCUS WAF adopts a website tree (user asset list) method to manage the asset inventory and the attributes of each asset, including its state, protocol type, IP address, and port number. In addition, WAF treats the related security policies, which are collections of security rules, as one of the asset attributes and stores them in the form of templates. Policy templates can easily be reused by websites with different IP addresses and port numbers in similar business environments, making WAF a very adaptable and easy-to-manage system for our clients.

Figure 1: The Asset Perspective of NSFOCUS WAF

Optimized Configuration Wizard

NSFOCUS WAF offers an optimized wizard tool that confirms client information about operating systems (OSs), databases, web servers, and programming languages. WAF also employs the concept of a website group, which categorizes websites (IP address + port number) with the same or similar OS, web servers, or applications into one website group, so that WAF can filter rules specific to the customer environment while building website assets. This achieves a precise utilization of blacklist rules in customer environments, reducing false positives and streamlining configuration operations.

Figure 2: Website Rules Filtered by the Wizard System

Multiple Rule-Based Inspections

Rule-based inspection is a basic method used by web application firewalls to detect and block known attacks. The rule database of NSFOCUS WAF has been highly refined through years of accumulated research on network security. The WAF rule-based protection capabilities include:

- Web server vulnerability protection
- Web plug-in vulnerability protection
- Crawler protection
- Cross-site scripting protection
- SQL injection protection
- LDAP injection protection
- SSL directive protection
- XPATH injection protection
- Command line injection protection
- Path traversal protection
- Remote file inclusion protection

In addition to rule refinement and diversification, NSFOCUS WAF also applies several mechanisms to ensure the precision and effectiveness of its rules.

A. Leading character. Most network traffic is legitimate. A traffic pre-screening mechanism improves detection efficiency by matching the simple character strings of leading codes before the full rule is applied.

B. Diversified detection locations. Supports flexible definitions of the objects to be inspected, including any HTTP header field and HTTP body field, and various detection algorithms.

C. Logical combination of multiple detection conditions. Supports the logical combination of multiple detection conditions, enabling the definition of complex rules.

D. Custom rules. Provides custom rules in a syntax close to natural language, capable of describing complicated scenarios. Custom rules can act on specific URLs, significantly improving the effectiveness and accuracy of the rules.

E. Independent rule update. Within its compiled rule database, NSFOCUS WAF separates rule updates from system updates.

PCI-DSS Compliance Report

Regulatory compliance is an increasingly important measure to constrain exposure and ensure information security for enterprises. The Payment Card Industry Data Security Standard (PCI-DSS) is a globally recognized data security standard for payment cards, used to protect consumers, financial organizations, and other merchants and service providers. PCI-DSS specifies security requirements for storing, processing, and transferring cardholder data. NSFOCUS WAF can determine whether a user's asset environment meets PCI-DSS, taking into account the current security configuration of the protected websites. WAF then provides configuration suggestions for PCI-DSS compliance, and assists merchants and service providers in preparing for PCI-DSS compliance inspections and in conducting security reinforcement of their information systems.

Layered Security Mechanism

Based on the layered structure of user assets, NSFOCUS WAF subdivides the protection layer into default layer(s) and custom layer(s). The default layer applies to website objects, while the custom layer treats specific assets (specific URLs).

Figure 3: Layered Asset Protection (a default protection layer for website objects, with custom protection for Asset 1, Asset 2 and Asset 3, each a URL)

In addition to dedicated protection for web applications, NSFOCUS WAF also defends against bandwidth-consumption DDoS attacks and application-layer DDoS attacks. This defense is powered by NSFOCUS's independent research on anti-DDoS algorithms and on application-layer DDoS mitigation technologies. By blocking attack traffic in real time, NSFOCUS ensures the availability and continuity of web services at the network layer. When the DDoS attack volume overpowers its processing capacity, NSFOCUS WAF can correlate with dedicated NSFOCUS Anti-DDoS Systems (ADS) to divert and clean the attack traffic.

Effective Auto-Learning and Whitelist Creation

A blacklist contains pre-defined and custom rules. It draws on a strong knowledge base to support WAF in protecting against web threats. However, since rule updates are made after an event, the blacklist mechanism is best suited to known security issues. It is not designed to deal with real-time, zero-day exploits. By its nature, a blacklist cannot predict the future business logic of a specific customer environment and thus cannot deter attacks on it with any precision.

To make up for these inherent defects of blacklist-based detection, NSFOCUS WAF adds auto-learning and whitelist mechanisms to enhance detection of zero-day vulnerabilities. Using statistical auto-learning technology, the WAF appliances analyze user behavior and the HTTP request parameters of specified URLs. By doing so, WAF not only gathers an intact picture of the business logic of the target websites, but also helps administrators build whitelist rules around legitimate business traffic.

Figure 4: Effective Auto-Learning and Whitelist Creation

As a comprehensive protection procedure, NSFOCUS WAF first employs blacklist rules to address known security risks, and then uses auto-learning and the whitelist as a complement to mitigate security risks at the business logic layer. This allows NSFOCUS WAF to fit better into customers' business environments, and to pinpoint zero-day vulnerabilities with higher speed and efficacy. The NSFOCUS procedure eliminates the need to learn the business environment over a long span of time, which is typically required when relying solely on a whitelist mechanism. It also frees clients from the need to tune policies frequently as business models change. Installing NSFOCUS WAF is easy: it can be put into operation with drop-in deployment and zero configuration.

Transparent, Drop-in Deployment

NSFOCUS WAF provides flexible deployment modes. The most common one is drop-in transparent deployment, which requires no changes to existing applications or networks. In this mode, WAF also offers default protection policies and default network interface configuration functions, shortening the time to go-live to less than half an hour. Two router (out-of-path) modes, reverse proxy and out-of-path traffic diversion, are also available. The reverse proxy mode reduces the single point of failure (SPOF) and enables WAF to exert its full capabilities, while the out-of-path traffic diversion mode offers flexible deployment locations. Since WAF and web servers can be placed in different security zones, this mode is widely used in cloud-based WAF services worldwide.

Emergency Response through Smart Patching

NSFOCUS WAF can correlate with the cloud-based NSFOCUS WebSafe Services (WSS) or NSFOCUS Web Application Vulnerability Scanning Systems (WVSS), and receive vulnerability scanning reports about the protected websites from them. Based on its existing rules, NSFOCUS WAF then automatically generates a new set of rules, called a Smart Patch, to apply to the protected websites. When the protected websites are remediated with a Smart Patch, previously scanned web application vulnerabilities can never reappear.

Figure 5: Smart Patching

Smart Patch leverages the web vulnerability awareness of NSFOCUS WSS and WVSS, as well as the rule systems of WAF. With no change to the configuration of the protected websites and no additional burden on devices, Smart Patch can effectively minimize the security risks caused by frequent business updates or by a lack of timely patching. It also helps customers satisfy security compliance requirements in real time.
Typical Deployment

NSFOCUS WAF offers flexible deployment options, including transparent, reverse proxy, and out-of-path modes. With in-path deployment, NSFOCUS WAF supports a transparent proxy at the TCP/IP protocol stack in the kernel module, which considerably improves network adaptability. This mode not only ensures drop-in deployment without any change to the network or to server configurations, but also reduces deployment and maintenance costs. For the reverse proxy mode, DNS resolution and a change of server IP addresses are required. The bridge deployment mode uses the IP address of the web server as the virtual IP address (VIP), at the expense of some capabilities, such as SSL.

In network environments with servers deployed in multiple network segments, the NSFOCUS WAF appliance can also be deployed in out-of-path mode to provide logical in-line protection. This deployment has advantages in flexibility and traffic shunting, and has only a minor impact on core systems. The technical principles of this out-of-path mode are:

1. Traffic diversion. Traffic destined for the IP addresses of the target websites is diverted to the WAF appliances. The diverted HTTP traffic is a mixture of web attack traffic and legitimate traffic.
2. Traffic detection and filtering. Web attack traffic is filtered out of the blended traffic through multi-layer identification and purging functions.
3. Traffic reinjection. The filtered legitimate traffic is reinjected into the network and allowed to flow to the destination website.
4. Response traffic inspection. The website's HTTP response traffic is inspected before being returned to the client.
Figure 6: Typical WAF Deployment
Use Cases

Website Access Control

Some website paths may be restricted to certain IP addresses, while others may be open to any IP address. In response to this, NSFOCUS WAF offers HTTP access control functions in in-path, out-of-path, and reverse proxy deployments. Using HTTP access controls, users can control access permissions while also correcting false positives, for example by allowing some URLs to pass without any check.

Most web servers with access control requirements have been configured with certain security policies. However, most of these policies do not perform stringent inspection of host names, which creates a risk of security policy bypass. Through explicit configuration, NSFOCUS WAF allows access only through specified host names. This prevents permission abuse at the security policy configuration layer, ensuring strict implementation of access controls.

Webpage Defacement Prevention

NSFOCUS WAF offers online protection to prevent webpage defacement during an event and to remediate any affected systems after the event. WAF filters defacement traffic (such as SQL injection and XSS) mixed in with HTTP requests. After the event, WAF automatically monitors the integrity of all protected webpages. If webpage defacement is detected, WAF immediately alerts the administrator by SMS, and serves the stored correct version of the webpage so that users continue to see the website intact.

Prevention against Sensitive Data Leaks

NSFOCUS WAF can identify and correct business processes which are using the wrong web applications. WAF can also detect and block leaks of sensitive data to maintain regulatory compliance and meet audit requirements. WAF can:

1. Customize a search for illegal sensitive keywords, and automatically filter these keywords to avoid any related illegal content being published to the public.
2. Provide granular HTTP access controls to prevent unauthorized access to URL links which are not included in the website data directory tree. These could include directories not intended for public access, stealth links which have been publicized without authorization, and web login interfaces.
3. Proactively protect the website by filtering error output from the server side, including error types, absolute paths of invalid scripts, absolute paths to webpage directories, incorrect SQL statements and parameters, software versions, and system configuration information. This prevents such information from being used by attackers as an entry point to customers' assets.
4. Supervise and protect against leakage of sensitive data by filtering and acting upon sensitive data included in server response traffic, including PII numbers and credit card numbers.

Correlated Protection against DDoS

NSFOCUS WAF provides TCP flood mitigation functions. When a DDoS attack occurs and the traffic volume exceeds the threshold value of NSFOCUS WAF, WAF can correlate with the scrubbing center of the dedicated NSFOCUS Anti-DDoS System (ADS) to achieve layered traffic cleaning. The working scenario of NSFOCUS WAF and the DDoS scrubbing center is as follows:

1. NSFOCUS WAF uses its TCP flood prevention module to block DDoS attack traffic below a certain threshold value.
2. When the attack traffic exceeds the threshold value of NSFOCUS WAF, WAF notifies and requests the upstream ADS scrubbing center to divert and clean the attack traffic destined for the WAF-protected websites.
3. When the ADS scrubbing center successfully diverts and cleans the attack traffic, NSFOCUS WAF disables its TCP flood protection function.
4. When WAF detects that the attack traffic remaining after cleaning by the upstream ADS scrubbing center is below its threshold value, WAF calls the upstream ADS to suspend its traffic diversion and cleaning, and enables the WAF TCP flood function again.
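The four-step WAF/ADS hand-off under Correlated Protection against DDoS, modelled as a small state machine. This is an added example, not NSFOCUS code; the threshold, the Mbps unit, the event and action names and the traffic figures are constructed assumptions.

```python
"""Added example (not NSFOCUS code): a state machine for the four-step
WAF/ADS hand-off. Threshold unit and traffic figures are constructed."""
from dataclasses import dataclass, field

LOCAL, AWAITING_ADS, ADS_SCRUBBING = "waf_local", "awaiting_ads", "ads_scrubbing"

@dataclass
class DdosHandoff:
    threshold_mbps: float              # assumed unit: attack volume WAF can absorb alone
    state: str = LOCAL
    tcp_flood_enabled: bool = True     # WAF's own TCP flood module (step 1) is on by default
    log: list = field(default_factory=list)

    def observe(self, attack_mbps: float) -> str:
        """Feed one attack-volume measurement; return the action WAF takes, if any."""
        if self.state == LOCAL and attack_mbps > self.threshold_mbps:
            # Step 2: volume exceeds WAF capacity, ask the upstream ADS to divert and clean.
            # WAF keeps its own module running until ADS confirms (step 3).
            self.state = AWAITING_ADS
            return self._act("request_ads_divert")
        if self.state == ADS_SCRUBBING and attack_mbps < self.threshold_mbps:
            # Step 4: what remains after ADS cleaning is below threshold, hand back to WAF.
            # Re-arm the local module first so there is no gap, then release ADS.
            self.state, self.tcp_flood_enabled = LOCAL, True
            self._act("enable_waf_tcp_flood")
            return self._act("request_ads_suspend")
        return "none"                  # step 1 (local mitigation) or ADS keeps scrubbing

    def ads_diversion_confirmed(self) -> str:
        """Step 3: ADS reports the traffic is diverted and cleaned; WAF stops its module."""
        if self.state != AWAITING_ADS:
            return "none"              # ignore stray or duplicate confirmations
        self.state, self.tcp_flood_enabled = ADS_SCRUBBING, False
        return self._act("disable_waf_tcp_flood")

    def _act(self, action: str) -> str:
        self.log.append(action)
        return action

def run_scenario(threshold_mbps: float, events: list) -> list:
    """Drive the hand-off with ("traffic", mbps) or ("ads_ok", None) events; return the log."""
    h = DdosHandoff(threshold_mbps)
    for kind, value in events:
        if kind == "traffic":
            h.observe(value)
        else:
            h.ads_diversion_confirmed()
    return h.log

if __name__ == "__main__":
    # Constructed scenario: a 1 Gbps flood against a WAF that can absorb 500 Mbps alone
    print(run_scenario(500, [("traffic", 100), ("traffic", 1000), ("ads_ok", None),
                             ("traffic", 900), ("traffic", 50)]))
```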
Figure 7: Correlated Protection by NSFOCUS WAF and NSFOCUS ADS

This correlated protection solution is a critical feature of NSFOCUS's web security solutions. It benefits clients through rational, on-demand use of WAF's anti-DDoS module together with the cleaning resources of the scrubbing center, automatically judging and controlling the cleaning layers based on the actual volume of attack traffic.

Virtual Website Protection

With the expansion of data centers and the diversification of hosted business, hosted websites frequently use one IP address to serve different domain names as virtual websites. For IP+Port defined websites, NSFOCUS WAF can configure different domain names matching the protected IP address and apply different policies to the different domain names of the virtual websites, ensuring that policy configurations fit the client's various business scenarios. In addition to safeguarding the hosted websites, this also gives data centers an additional business opportunity in offering web security services to their customers. NSFOCUS has already been enabling our domestic and overseas clients with this value-added revenue opportunity.
Appendix

Business Assets: Definitions

1. Website: see Figure 8.
   Figure 8: Definition of Website
2. Host Name: the value of the Host header, e.g. www.example.com:8080, consisting of a domain and a port.
   Figure 9: Definition of Host Name
3. URI: in a request line such as GET /index.php?a=1&b=2 HTTP/1.1\r\n, the method is followed by the URI, which consists of the URI-path and the query string; the query string is made up of parameters, each a parameter-name and a parameter-value; the version follows the URI.
   Figure 10: Definition of a URL and Relevant Fields

WAF Rule Systems: Definitions

The rule systems of NSFOCUS WAF are defined as follows:

1. Rule: A character string for the signature detection of specific objects in HTTP traffic.
2. Policy: A set of rules and the actions of the rule set, which can be used to define policy exceptions.
3. Policy exception: Permission for attack signatures on targeted specific objects, or for a specific rule of a policy.
4. Whitelist rules: Descriptions of legitimate traffic to a website, generated by auto-learning the traffic signatures of the protected websites or created by custom.
5. Smart patch rule: A targeted custom rule generated by the smart patch system, based on vulnerability information about the protected websites.
6. Leading character (code): A simple character sub-string of a rule.
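As an added example (not NSFOCUS code), the following toy rule engine ties the definitions above to mechanisms A to C under Multiple Rule-Based Inspections: it splits a request into the fields of Figure 10, applies a leading-code prescreen before any regular expression runs, resolves detection locations, combines conditions with AND or OR, and honours policy exceptions. The rule ids, regexes, location syntax, URL-decoding of query values and the sample requests are all assumptions.

```python
"""Added example (not NSFOCUS code): toy rule engine tying the appendix definitions
to mechanisms A-C. Rules, location syntax, URL decoding and requests are constructed."""
import re
from dataclasses import dataclass
from urllib.parse import unquote_plus

@dataclass
class Rule:
    rule_id: str
    leading_code: str       # cheap substring prescreen (appendix, definition 6)
    conditions: list        # [(detection location, regex), ...]
    match_all: bool = True  # True: AND of the conditions, False: OR

def parse_request(raw: str) -> dict:
    """Split a raw request into Method, URI-path, query parameters, Version, headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, uri, version = request_line.split(" ")
    path, _, query_string = uri.partition("?")
    query = {}
    for pair in query_string.split("&") if query_string else []:
        name, _, value = pair.partition("=")
        query[name] = unquote_plus(value)     # assumption: decode %xx and + before matching
    headers = {k.strip().lower(): v.strip()
               for k, v in (line.split(":", 1) for line in header_lines if ":" in line)}
    return {"method": method, "uri_path": path, "query": query,
            "version": version, "headers": headers, "body": body}

def values_at(req: dict, location: str) -> list:
    """Resolve a detection location ('uri_path', 'query.*', 'query.a', 'header.host', 'body')."""
    kind, _, name = location.partition(".")
    if kind == "query":
        return list(req["query"].values()) if name == "*" else [req["query"].get(name, "")]
    if kind == "header":
        return [req["headers"].get(name.lower(), "")]
    return [req[kind]]

def inspect(raw: str, rules: list, exceptions: frozenset = frozenset()) -> dict:
    """Return matched rule ids and how many regex evaluations the prescreen avoided."""
    req, lowered = parse_request(raw), raw.lower()
    hits, skipped = [], 0
    for rule in rules:
        if rule.leading_code.lower() not in lowered:       # (A) leading-code prescreen
            skipped += len(rule.conditions)
            continue
        if (rule.rule_id, req["uri_path"]) in exceptions:  # policy exception (definition 3)
            continue
        results = [any(re.search(rx, v) for v in values_at(req, loc))   # (B) locations
                   for loc, rx in rule.conditions]
        if (all if rule.match_all else any)(results):      # (C) logical combination
            hits.append(rule.rule_id)
    return {"matched": hits, "regex_skipped": skipped}

RULES = [
    Rule("SQLI-UNION", "union", [("query.*", r"(?i)union\s+(all\s+)?select")]),
    Rule("TRAVERSAL", "..", [("uri_path", r"\.\./"), ("query.*", r"\.\./")], match_all=False),
]
BENIGN = "GET /index.php?a=1&b=2 HTTP/1.1\r\nHost: www.example.com:8080\r\n\r\n"
ATTACK = "GET /index.php?a=1%20UNION%20SELECT%201,2 HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
```

The `regex_skipped` counter makes the benefit of mechanism A visible: on the benign request none of the rule regexes run at all.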
Please contact us to see how NSFOCUS can work for you. For more information about NSFOCUS products and services, contact one of our NSFOCUS sales offices:

NSFOCUS Global
TEL: +1 408 907 6638
EMAIL: info-us@nsfocus.com

NSFOCUS Japan
TEL: +81 3 6206 8156
EMAIL: info-jp@nsfocus.com

Visit NSFOCUS on the Web at: www.nsfocus.com

About NSFOCUS

NSFOCUS is a global leader in active perimeter network security for service providers, data centers, and corporations. Through our network security solutions, including our industry-proven Anti-DDoS System, Web Application Firewall, and Network Intrusion Prevention System, NSFOCUS helps clients to secure their networks and protect critical data and customer information. Learn more at http://www.nsfocus.com.