DATASHEET

JunOs WEbApp SECuRE
The Smartest Way to Secure Websites and Web Applications Against Hackers, Fraud, and Theft

Product Overview
Traditional signature-based Web application firewalls are flawed because they rely on a library of signatures and are always susceptible to unknown or zero-day Web attacks. Junos WebApp Secure offers a new technology that uses deception to address this problem. Junos WebApp Secure is the first Web intrusion deception system that prevents Web attackers in real time. Unlike legacy signature-based approaches, Junos WebApp Secure uses deceptive techniques and inserts detection points, or tar traps, into the code of outbound Web application traffic to proactively identify attackers before they do damage—with no false positives.

The First Web Intrusion Deception System
No False Positives
Juniper Networks® Junos® WebApp Secure is a Web Intrusion Deception system that does not generate false positives because it uses deceptive tar traps to detect attackers with absolute certainty. Junos WebApp Secure inserts detection points into the code and creates a random and variable minefield all over the Web application. These detection points allow you to detect attackers during the reconnaissance phase of the attack, before they have successfully established an attack vector. Attackers are detected when they manipulate the tar traps inserted into the code. And because attackers are manipulating code that has nothing to do with your website or Web application, you can be absolutely certain that it is a malicious action—with no chance of a false positive. IT security professionals know that false positives diminish the effectiveness of any security program. By using this certainty-based approach, Junos WebApp Secure solves this problem for Web attacks. Furthermore, this product works out-of-the-box and improves your Web application security. There are no rules to write, no signatures to update, no learning modes to monitor, and no log files to review—just attackers to prevent.

Block Attackers, Not IPs
Junos WebApp Secure captures the IP address as one data point for tracking the attacker. But it also realizes that making decisions on attackers identified only by an IP address is fundamentally flawed because many legitimate users could be accessing your site from the same IP address. For this reason, Junos WebApp Secure tracks the attackers in significantly more granular ways. For attackers who are using a browser to hack your website, Junos WebApp Secure tracks them by injecting a persistent token into their client. The token persists even if the attacker clears cache and cookies, and it has the capacity to persist in all browsers including those with various privacy control features. As a result of this persistent token, Junos WebApp Secure can prevent a single attacker from attacking your site, while allowing all legitimate users normal access. For attackers who are using software and scripts to hack your website, Junos WebApp Secure tracks them using a fingerprinting technique to identify the machine delivering the script.

1

Smart Profiling provides IT security professionals with more valuable knowledge about attackers and the threat they pose than they have ever seen before.. It just tells you how many attackers it detected and what countermeasure response was applied. at the client level. Responses can be as simple as a warning or as deceptive as making the site simulate that it is broken for the attacker only. Every detected attacker gets a profile and every profile gets a name.g. The Smart Profile ultimately creates a threat level for each attacker in order to prevent attackers in real time. and scripts) Attacker threat-level analysis Assigns name to attacker (e. It’s a security device that works as part of your security team even when you sleep. Web Application Firewall (WAF) Features Comparison Product Features Junos WebApp Secure Traditional Signature-Based WAF Detection Techniques Signatures Behavior analysis Web intrusion deception 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 Track IP address Browsers (cookies across multiple IP addresses) Browsers (persistent tokens across multiple IP addresses) Software/script (fingerprinting) 3 3 Profile IP address (geo-location) Attacker (incident history. Junos WebApp Secure works around the clock detecting and preventing attackers. browsers. JoeSmith27) 3 Respond Automated and manual real-time response Alerting Force logout and reauthentication Force CAPTCHA Block IP addresses Block attacker (browser.6 compliant 3 3 2 . software. with no false positives. Only with certainty-based detection can you safely prevent an attacker and know that you are not blocking legitimate users. software. and scripts) Warn attacker (browser) Deceptive response (slow connection) Deceptive response (simulate broken applications) 3 3 3 3 3 Web Application Hardening Cross-site request forgery (CSRF) prevention Anti-profiling of application Session hijacking prevention CAPTCHA inserted into existing workflow 3 3 Compliance Payment Card Industry (PCI) 6. Table 1: Juniper WebApp Secure vs. The Smart Profiling technology profiles the attacker to determine the best response to prevent the attack.Prevent and Deceive Detection with no false positives and client-level tracking are both vital for launching a countermeasure to prevent an attacker. It doesn’t create log files for you to review. With automated countermeasures.

includes one-click automation of responses during configuration These responses include: -. quite simply. faster performance and mobile device support -. security incidents.Role based access control -.­ Simulated broken application (strip inputs) • Policy Expressions—simple expression syntax for writing automated. It detects genuine attackers before they have the chance to successfully establish an attack vector and blocks them with client-level tracking that does not impact legitimate users. Detection points identify abusive users who are trying to establish attack vectors such as cross-site request forgery. send a custom message -.­ Remote system logging -. Some examples of processors include: • A uthentication Abuse Detection—detects abuses against application authentication such as: -.0 .­ Manage and monitor manual and automated responses -.­ Deep search and filtering capabilities -. over time and across sessions • Enhanced tracking capabilities and fingerprinting of detected attackers Abuse Detection Processors A library of HTTP processors that implement specific abuse detection points in application code. It is. and abuse profiles -.­ Attempts to crack authentication • Cookie Abuse Detection—detects attempts to manipulate the application by changing cookie values • Error Code Detection—detects suspicious application errors that indicate abuse. including illegal and unexpected response codes • S uspicious File Request Detection—detects when an attacker is attempting to request files with known suspicious extensions.UI 2. response and request headers can be stripped.Features and Benefits Junos WebApp Secure doesn’t generate false positives. locked-down ports. and additional checks.Restful API -. blocks.­ Login attempts with invalid credentials -.­ Requests for directory configurations. or filtered.­ Multiple applications/domains -.­ Block connection and return arbitrary HTTP error -.Enhanced workflows. so there are no rules to write.Different UI skins available -. prefixes.­ Multiple administrators -. if a vulnerability is found • Third-Party Vulnerability Protection—detects known attacks • IP List Export – For Layer 3 firewall integration • Automated high volume attack tool protection and blocking via SRX Series integration Abuse Response • Abuse Responses—enables administrators to respond to application abuse with session-specific warnings. It works out-ofthe-box.­ Warn user. no signatures to update.­ CAPTCHA -.STRM Series Support 3 . and it maintains a profile of known application abusers and all of their malicious activity. and protected resources -. etc. mixed. application-wide responses Global Attacker Database • Shares and receives attacker information via a cloud service across deployments globally providing enhanced detection and protection Updates • Automatically downloaded and available within the management console Platform Security • Hardened kernel. a virtual member of your security team that keeps stopping attacks even when you are asleep.­ Connection throttling -. and tokens • Header Enforcement—enables the policing of HTTP headers from the application to ensure that critical infrastructure information is not exposed. passwords. It continually profiles attackers as they come onto the scene.Drill ­ into application sessions. Abuse Recording • Full HTTP Capture—captures and displays all HTTP traffic for security incidents Abusive Behavior Analysis • Abuse Profiles—maintains a profile of known application abusers and all of their malicious activity against the application • Tracking and Re-identification—enables application administrators to re-identify abusive users and apply persistent responses. encrypted backups Management • Simplified configuration with setup wizards • Web-Based Configuration—browser-based interface for all deployment options • Monitoring Console—web-based monitoring and analysis interface -. unified configuration & monitoring.­ Real-time and historical system monitoring -.­ Logout and forced reauthentication -. • Input Parameter Manipulation Detection—detects attempts to abuse form inputs and establish vectors for injection and crosssite scripting attacks • Link Traversal Detection—detects attempts to spider the application for links to hidden and confidential resources • Directory Traversal Protection—prevents attackers from finding hidden directories • Illegal Request Method Detection—detects attempts to abuse non-standard HTTP methods such as TRACE • Query Parameter Manipulation Detection—detects attempts to manipulate application behavior through query parameter abuse • Malicious Spider Detection—detects attempts to spider and index protected directories and resources • Cross-Site Request Forgery—detects and prevents cross-site request forgery attacks • Custom Authentication—allows companies to protect a page or portion of a site.

Reporting. TUI. and incidents MWS1000 Specifications Hardware (MWS1000) CPU • Dual Intel Quad Core (2. and report generation • Security incidents via system logging • Reports—country comparisons.SSL Inspection • Passive decryption or termination Alerts. Logging • E-mail Alerts—sends alert e-mails when specific incidents or incident patterns occur • Command-line interface—can be used for custom reporting • Reporting Management System—includes user interface • SNMP system logging • Auditing—tracks changes to the system made by the administrators in the configuration interface. security monitor.000 rpm Architecture and Key Components • Functions as a reverse proxy Crypto • Software Chassis • 1U Rack-mountable Chassis • Externally accessible hot swappable cooling fans Client Use Case • Mid-end performance application User Interface Themes Firewall Load Balancer Junos WebApp Secure Application Server Figure 1: Where does the Junos WebApp Secure live? 4 .4GHz) • 2 threads / core Performance • High availability for hardware version • Higher throughput using master/slave clustering • Low latency • Link aggregation Memory • 48 GB DDR3 Interface • 4 x 1GbE (onboard ports) • 2 x SFP+ 10GbE (additional data IOCs via Intel 82599 Ethernet Controller) Note: All ports are PXE bootable Deployment • Reverse proxy with load balancing • Available as hardware • Available as a VMware or Amazon Machine Image • Support for alternate ports (other than 80 and 443) Storage • 4 Slots offering hardware RAID • Maximum Capacity = 900 TB RAID-1 • HDDs used: 450 GB SAS 10. top IP addresses.

The company serves customers and partners worldwide. Three year term.juniper. Junos WebApp Secure software . Description Junos WebApp Secure Hardware Appliance SW Sold Separately Junos WebApp Secure 100Mbps Licenses Junos WebApp Secure . per month Junos WebApp Secure software .100Mbps for one geographic site.net . Including support and updates.Ordering Information Model Number MWS1000 MWS100MB MWS-HDD MWS-SP-100 MWS-SP-20 MWS-SL-1 About Juniper Networks Juniper Networks is in the business of network innovation. MWS-SL-3 5 . Additional information can be found at www. Including support and updates. from consumers to cloud providers.100Mbps for one geographic site. From devices to data centers. per month 20Mbps per end customer application. One year term. silicon and systems that transform the experience and economics of networking.Spare HDD 100Mbps per end customer application. Juniper Networks delivers the software.

the Juniper Networks logo.207. please contact your Juniper Networks representative at 1-866-298-6428 or authorized reseller. CA 94089 USA Phone: 888. transfer. 1000401-005-EN Jun 2013 Printed on recycled paper 6 . Juniper Networks.V.125. modify.2000 Fax: 408. The Netherlands Phone: 31. Inc. or otherwise revise this publication without notice. in the United States and other countries. Copyright 2013 Juniper Networks.net APAC and EMEA Headquarters Juniper Networks International B. and ScreenOS are registered trademarks of Juniper Networks.0.701 To purchase Juniper Networks solutions.207. Junos. NetScreen. All rights reserved. 1194 North Mathilda Avenue Sunnyvale.Corporate and Sales Headquarters Juniper Networks. or registered service marks are the property of their respective owners. service marks.4737) or 408. registered marks.586. Boeing Avenue 240 1119 PZ Schiphol-Rijk Amsterdam.745. Inc.700 Fax: 31.juniper.125.0. Juniper Networks assumes no responsibility for any inaccuracies in this document.745. Inc.2100 www. Juniper Networks reserves the right to change. All other trademarks.JUNIPER (888.