
Radware Cloud WAF

In-Depth Training

July 31, 2018


Cloud WAF Overview
NEW CDN Service
Technical Flows
Cloud Portal Walkthrough
What’s New: SIEM Integration, Reporting, more
Technical Tools
Radware Cloud Services

Best Managed Security Service for 2016 (award)

Fully-managed enterprise-grade cloud services that protect from multi-vector threats and optimize application performance:

- Cloud WAF Service
- Cloud DDoS Protection Service
- Cloud Web Acceleration
- Global CDN Service

Hybrid | Always-On | On-Demand service options

Unmatched Protection | Continuously Adaptive | Fully Managed


Radware Cloud WAF Service

Unmatched Web Security Protection

- Fully-managed enterprise-grade WAF service
- Operated by Radware's 'battle-proven' ERT
- Using Radware's ICSA Labs certified WAF technology
- PCI-DSS v3.1 compliant cloud services
- Unique 0-day web-attack protection: positive security model
- Unique continuously adaptive Auto-policy module
- Unique device fingerprinting: IP-agnostic attack protection
- Uniquely provides full coverage for all OWASP Top 10 (OWASP Top 10 - 2013, The Ten Most Critical Web Application Security Risks)

Web application attack categories covered:

TCP Termination & Normalization
- HTTP protocol attacks (e.g. HRS, HTTP request smuggling)
- Base64 and encoded attacks
- JSON and XML attacks

Attack Signatures and Rules
- Path traversal
- Cross-site scripting (XSS)
- Injections: SQL, LDAP
- OS commanding
- Server Side Includes (SSI)

Login Protection
- Password cracking / brute force

LFI/RFI Protection
- Local File Inclusion
- Remote File Inclusion

Session Protection
- Cookie poisoning
- Session hijacking

Data Leak Prevention
- Credit card numbers (CCN)
- Social Security numbers (SSN)
- Regular expression (custom patterns)

Access Control
- Predictable resource location
- Backdoor and debug resources
- File upload attacks


Uniquely Employing Positive Security Model

Negative Security Model
- Standard across most cloud WAF services and WAF technologies
- Blocks known attacks via known signatures and rules
- Cannot provide FULL protection against the OWASP Top 10
- Cannot protect from unknown vulnerabilities: 0-day attacks

Positive Security Model
- Learns and defines what actions constitute legitimate traffic
- Blocks unauthorized access or actions that are not permitted
- Uniquely protects from 0-day attacks and unknown vulnerabilities
- Higher layer of protection: FULL OWASP Top 10 protection, minimum false positives
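To make the difference between the two models concrete, here is an added example; it is not Radware code and does not describe AppWall's internals. A toy negative model holds three signatures, and a toy positive model learns each request parameter's character set and length from a few legitimate requests, then flags anything outside that profile, including parameters it never saw. The parameter names (`user`, `lang`, `debug`), the learning traffic and the signatures are all constructed for the illustration.

```python
import re
from collections import defaultdict

# --- Negative security model: block what matches a known-bad signature ----
# Three deliberately small signatures, constructed for this example.
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I),
    "sqli-union":     re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I),
    "xss-script-tag": re.compile(r"<script\b", re.I),
}

def negative_check(value):
    """Return the names of every signature that matches the value."""
    return [name for name, rx in SIGNATURES.items() if rx.search(value)]

# --- Positive security model: learn what is legitimate, block the rest ----
class ParamProfile:
    """What the engine has seen for one parameter during the learning phase."""
    def __init__(self):
        self.chars = set()     # characters observed in legitimate values
        self.max_len = 0       # longest legitimate value observed

    def learn(self, value):
        self.chars |= set(value)
        self.max_len = max(self.max_len, len(value))

    def violations(self, value):
        found = []
        unexpected = set(value) - self.chars
        if unexpected:
            found.append("unexpected-chars:" + "".join(sorted(unexpected)))
        # Real engines add tolerance so a slightly longer value is not a
        # false positive; a fixed 2x margin stands in for that here.
        if len(value) > 2 * self.max_len:
            found.append(f"too-long:{len(value)}>{2 * self.max_len}")
        return found

class PositivePolicy:
    def __init__(self):
        self.params = defaultdict(ParamProfile)

    def learn(self, request):
        for name, value in request.items():
            self.params[name].learn(value)

    def check(self, request):
        findings = []
        for name, value in request.items():
            if name not in self.params:          # never seen during learning
                findings.append(f"{name}: unknown-parameter")
                continue
            findings.extend(f"{name}: {v}" for v in self.params[name].violations(value))
        return findings

# Constructed learning traffic: three legitimate requests to a login form.
LEARNING_TRAFFIC = [
    {"user": "alice",     "lang": "en"},
    {"user": "bob_smith", "lang": "de"},
    {"user": "carol99",   "lang": "fr"},
]
POLICY = PositivePolicy()
for req in LEARNING_TRAFFIC:
    POLICY.learn(req)

def evaluate(request):
    """Run one request (dict of parameter -> value) through both models."""
    negative = sorted({sig for value in request.values() for sig in negative_check(value)})
    return {"negative": negative, "positive": POLICY.check(request)}

if __name__ == "__main__":
    for req in [
        {"user": "alice", "lang": "en"},                           # legitimate
        {"user": "' or 1=1 --", "lang": "en"},                     # classic: both models catch it
        {"user": "admin'/**/union/**/select/**/1", "lang": "en"},  # comment-obfuscated: signature misses
        {"user": "alice", "lang": "en", "debug": "1"},             # parameter never learned
    ]:
        print(req, "->", evaluate(req))
```

The third request is the point of the slide: the `/**/` comments defeat the whitespace-based signature, but the positive model rejects it anyway because `'`, `/` and `*` never appeared in a legitimate `user` value. The flip side is the caveat the slide's "minimum false positives" claim glosses over: a real user named `o'brien` would be rejected by the same profile, so the learning phase has to cover enough genuine traffic (and the engine has to keep re-learning as the application changes) before enforcement is switched on.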


Protect New Applications with Auto Policy Generation

Pipeline: App Mapping -> Threat Analysis -> Policy Generation -> Policy Activation & Optimization

- BEST SECURITY COVERAGE: over 150 attack vectors covered through automatic threat analysis
- LOWEST FALSE POSITIVES: ~0 false positives through auto-optimization of out-of-the-box rules
- SECURITY ASSURANCE: automatic detection of web application changes
Unique IP-Agnostic Fingerprinting Protection

Device Reputation for bot detection and blocking

- Beyond IP address blacklisting: detailed device fingerprinting through multiple parameters (system fonts, screen resolution, browser plug-ins, operating system, local IPs)
- Enables precise activity tracking over time and development of IP-agnostic device reputation
- Provides advanced protection from:
  - Website scraping
  - Brute force attacks
  - HTTP dynamic floods
  - Dynamic IP attacks
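Why keying reputation on the device rather than the IP matters is easiest to see on a brute-force attempt from rotating addresses. The example below is added here and is not Radware's fingerprinting implementation: it hashes the attribute categories the slide names into a fingerprint, then runs the same sliding-window failed-login counter once per source IP and once per device fingerprint over a constructed event stream. The attribute names, IP ranges, thresholds and events are all assumptions made for the illustration.

```python
import hashlib
from collections import defaultdict

def device_fingerprint(attrs):
    """Hash the device attributes the slide lists into one stable identifier.

    Attribute names are assumed for this example; a real collector gathers
    them client-side (JavaScript) and uses many more signals than these.
    """
    canonical = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:16]

def detect_brute_force(events, key_fn, threshold=5, window=60):
    """Flag every key with >= threshold failed logins inside any `window` seconds.

    key_fn decides what 'one actor' means: the source IP, or the device
    fingerprint. Events are dicts with ts, ip, attrs and ok (login success).
    """
    failures = defaultdict(list)     # key -> timestamps of recent failures
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["ok"]:
            continue
        key = key_fn(ev)
        recent = failures[key]
        recent.append(ev["ts"])
        while recent and recent[0] < ev["ts"] - window:   # slide the window
            recent.pop(0)
        if len(recent) >= threshold:
            flagged.add(key)
    return flagged

# Constructed sample: one attacking device rotating through ten source IPs,
# two failed logins per IP, plus one legitimate user who mistypes twice.
ATTACKER_DEVICE = {"fonts": "Arial,Calibri,Verdana", "screen": "1920x1080",
                   "plugins": "pdf-viewer,flash", "os": "Windows 10",
                   "local_ips": "192.168.1.23"}
LEGIT_DEVICE = {"fonts": "Helvetica,Menlo", "screen": "2560x1600",
                "plugins": "pdf-viewer", "os": "macOS", "local_ips": "10.0.0.5"}

EVENTS = [{"ts": 2 * i, "ip": f"203.0.113.{i % 10 + 1}", "attrs": ATTACKER_DEVICE, "ok": False}
          for i in range(20)]
EVENTS += [
    {"ts": 5,  "ip": "198.51.100.7", "attrs": LEGIT_DEVICE, "ok": False},
    {"ts": 9,  "ip": "198.51.100.7", "attrs": LEGIT_DEVICE, "ok": False},
    {"ts": 12, "ip": "198.51.100.7", "attrs": LEGIT_DEVICE, "ok": True},
]

def by_ip(ev):
    return ev["ip"]

def by_device(ev):
    return device_fingerprint(ev["attrs"])

def ip_based_alerts():
    """Per-IP counting: every attacking IP stays at 2 failures, nothing fires."""
    return detect_brute_force(EVENTS, by_ip)

def device_based_alerts():
    """Per-device counting: the 20 failures collapse onto one fingerprint."""
    return detect_brute_force(EVENTS, by_device)

if __name__ == "__main__":
    print("per-IP alerts:    ", ip_based_alerts())
    print("per-device alerts:", device_based_alerts())
```

With the IP as the key the attacker never exceeds two failures per address and is invisible to a threshold of five; with the fingerprint as the key the same stream trips the threshold on the fifth attempt, while the legitimate user's two mistakes stay below it. The usual caveat applies in the other direction too: a fingerprint is only as stable as the attributes behind it, so a reputation keyed on it needs an expiry and should not be the sole blocking signal.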
OWASP Top Ten: Biggest Threats on Web Apps

Side-by-side testing of Cloud WAF

Extensive testing of Radware Cloud WAF vs. Akamai, Incapsula, CloudFlare, following our Cloud WAF PoC testing guidelines:

- Vulnerable web application hosted in the cloud (on AWS), placed behind each cloud WAF service in turn (e.g. Incapsula Cloud WAF service, Radware Cloud WAF service)
- Penetration testing with Kali Linux pen-test tools (the Kali Linux package of penetration testing attack tools)
- Testing the OWASP Top 10 web vulnerability risks

Side-by-side Testing: Akamai, Incapsula, CloudFlare

[Chart: side-by-side test results; the figures were not preserved in extraction]

High Capacity Global CDN Service

- Strategic cooperation with Verizon EdgeCast CDN services
- Globally available: 95 POPs, 3,000+ interconnections, 20 Tbps capacity
- Robust architecture: global Anycast-based routing, Super POP topology
- PCI-DSS compliant content delivery network
- Best performance: lightning-fast world-class cache engine
- Best flexibility: fast configuration changes, near-instant purging of cached content
- Best scalability: rich request processing rules, TCP/IP/HTTP protocol tuning options

[Map: global POP locations of the CDN service; not preserved in extraction]


[Diagram: Radware Cloud Services architecture; components as labelled in the slide]

- Presentation: Unified Portal (resellers, customers, CloudOps) with statistics presentation, a Cyber Intel. DB tool, and a REST API for statistics retrieval
- Services: WAFaaS, DDoSaaS, CDN, future services (CDN protection, FVaaS, APMaaS)
- Big data: Elasticsearch and PostgreSQL for statistics collection and user-model enrichment
- Collectors: NetFlow / JFlow / SFlow collectors in the collector infrastructure at the CDN (EdgeCast) cache servers, the RDWR POPs (DP/AW/etc.), the scrubbing centers (DP/DF) and 3rd-party tech. partner POPs
- Planes (legend): data plane - attack traffic, data plane - clean traffic, management plane, config plane
- Endpoints: clients, origin servers
New Services

CDN Service – FAQ

• What does the CDN service include?
  • Caching of static content
  • Black/white listing
  • Refresh/purge of content
  • HTTP and HTTPS traffic
• How is the CDN service managed?
  • Onboarding: the customer can specify that CDN is requested
  • The CDN service is fully managed by Cloud Ops
  • Selected statistics and actions (e.g. flush cache, configure cache black/white listing) can be performed via a dedicated page
New Services

CDN Service – Self Service

• Statistics:
  • Bandwidth
  • Hits
• Day-to-day activities:
  • Purge cache
  • Load fresh content on demand
  • White/black URL access lists by country

CDN Competitive Overview

Powered by

Global CDN  (30 locations)  (71 PoPs)  (80+ POPs)


Security oriented CDN, general General Purpose reverse proxies World class CDN
Under the hood
purpose reverse proxies
Market share* Lower than 1% 1% 7%
SMBs Enterprises and SMBs Leading carriers **,
Used by
enterprises and SMBs
Static content caching   
Content compression   
Purge cache   
Black/White Listing   
Price Included Included ~2,000$ Monthly

* - according to http://trends.builtwith.com/cdns
** - http://blog.streamingmedia.com/2014/07/cdnvendors.html
User Flow #1 – Cloud WAF

Customer purchases Radware's Cloud WAF Protection.

Diagram steps (numbering follows the slide's labels):

1. Traffic from the client to the origin server is redirected to the closest RDWR (Radware) CloudWAF POP via DNS/BGP.
2-3. Within the POP, Alteon hands the traffic to the AppWall cluster (inline/OOP); the AppWall cluster mitigates application-level attacks.
4a. Path labelled "WAFaaS disabled": traffic is forwarded from the POP to the customer's border routers and origin server without AppWall inspection.
4b-1, 4b-2. Paths labelled "WAFaaS enabled": inspected traffic is forwarded from the POP to the border routers and origin server; additional Radware CloudWAF POPs are shown for symmetric protection.

With DNS-based redirection the origin remains reachable at its own IP address, so the origin (or its border routers) should accept application traffic only from the Radware CloudWAF POPs; traffic that reaches the origin directly is not inspected by the AppWall cluster.
User Flow #2 – Cloud WAF and CDN

Customer purchases Radware's Cloud WAF Protection, using the CDN.

Diagram steps (numbering follows the slide's labels):

1. Traffic from the client to the origin server is redirected to the closest CDN edge (optional component).
2a. If the data is available on the CDN edge, it is sent immediately to the client.
2b. If the data is not available on the CDN edge, the request is redirected to the closest RDWR CloudWAF POP.
3-4. Within the POP, Alteon hands the request to the AppWall cluster (inline/OOP); the AppWall cluster mitigates application-level attacks.
5a. Path labelled "WAFaaS disabled": the request is forwarded to the border routers and origin server without AppWall inspection.
5b-1, 5b-2. Paths labelled "WAFaaS enabled": inspected traffic is forwarded to the border routers and origin server; additional Radware CloudWAF POPs are shown for symmetric protection.
User Flow #3 – Cloud WAF with DDoS add-on

Customer purchases Radware's Cloud WAF Protection, using the DDoS add-on.

Diagram steps (numbering follows the slide's labels):

1. Traffic to the origin server is redirected to the closest CDN edge (optional) and/or RDWR POP.
2. Always-On DDoS protection for the customer's assets (networks, /24s): DefensePro (x n, according to the capacity purchased) and switches at the CloudWAF POP.
3-4. Alteon hands the traffic to the AppWall cluster (inline/OOP), which mitigates application-level attacks.
5a. Path labelled "WAFaaS disabled": traffic is forwarded to the border routers and origin server without AppWall inspection.
5b-1, 5b-2. Paths labelled "WAFaaS enabled": inspected traffic is forwarded to the border routers and origin server; additional Radware CloudWAF POPs are shown for symmetric protection.
User Flow #4 – Cloud WAF with Volumetric DDoS add-on

Customer purchases Radware's Cloud WAF Protection (using the DDoS add-on) and volumetric DDoS (on-demand?).

Diagram steps (numbering approximates the slide's labels):

1. Traffic to the origin server is redirected to the closest CDN edge (optional) / RDWR POP via DNS/BGP.
2. DefensePro and switches at the CloudWAF POP provide the DDoS add-on protection.
3. A volumetric attack is detected; the DNS CNAME / BGP announcement is updated to point at the SD (SecurityDAM) scrubbing POP (DNS diversion).
4. Volumetric attack traffic is diverted to the SecurityDAM DDoS scrubbing centers (SD SC) for traffic cleansing.
5-7. After volumetric DDoS cleansing, traffic is passed to the RDWR CloudWAF POP, where Alteon hands it to the AppWall cluster (inline/OOP).
6-8. The AppWall cluster mitigates application-level attacks; traffic continues to the origin server.
9a. Path labelled "WAFaaS disabled": traffic is forwarded to the border routers and origin server without AppWall inspection.
9b-1, 9b-2. Paths labelled "WAFaaS enabled": inspected traffic is forwarded to the border routers and origin server; additional Radware CloudWAF POPs are shown for symmetric protection.
Cloud Portal Overview

Access level per user role:
– Account user – access only to his/her specific account data
– Operator (Radware CloudOps) – access to all accounts' data

Dashboard – real-time and historic reporting charts displayed in multiple widgets:
– Cloud WAF widgets
  • Attack Distribution, Attack Type per Source, Security Alerts, HTTP Transactions per Second, Top Attacked Hosts
– Cloud DDoS Protection widgets
  • Top attacks by source/destination/vector, traffic utilization, security alerts

Security Events – detailed information on events generated by the service (WAF and DDoS)
Reports – configure scheduled reports
Service Overview – service-related information
SIEM Integration – security events from the cloud are visible in the customer's existing SIEM system, for complete visibility in one place
Orientation (annotated portal screenshot; labels as in the slide)

- Logged-in user and role
- Navigation tabs
- Customer (WAF+DDoS) dropdown list: CloudOps can change it, a customer cannot
- Application dropdown list (for WAF widgets)
- Network dropdown list (for DDoS widgets)
- Global time filter

Widget pool

Cloud WAF Widgets

- Top Application Attack Sources: displays the top attackers identified by the Cloud WAF protection service by the number and types of attacks. Note: a maximum of 5 sources can be displayed.
- Top Attacked Hosts: displays the top attacked hosts by the number and type of attacks.
- Application Attack Distribution: displays the distribution of attack types identified by the WAF protection service and correlates the action taken (blocked/reported/modified) per attack.
- Application Security Alerts: displays the number of security alerts per severity level (Info / Low / Warning / High / Critical) over time.
- HTTP Transactions per Second: displays the number of HTTP transactions per second by action taken (Blocked / Reported / Legitimate) over time.
- OWASP Top 10 Mapping: displays security alerts per OWASP category.

Cloud DDoS Widgets

- Top DDoS Attack Sources: displays the top attack sources by the volume and rate of attacks.
- Top DDoS Attacked Destinations: displays the top attacked destinations (networks / subnets / IP ranges) by the volume and rate of attacks.
- Top DDoS Attack Vectors: displays the top attack vectors by the volume and rate of attacks.
- DDoS Traffic Utilization: displays the average traffic utilization volume (clean, attack, and dirty, which sums both) over time.
- DDoS Attack Status: displays whether the account is currently under DDoS attack or not.
Reports

Create a Report Entry:
- Set report name
- Set report period (weekly or monthly)
- Set email recipients (up to 10 recipients)

Generated Periodic Reports (list of reports already produced)
Forensics
Security Events

- Toggle between WAF and DDoS events
- Define complex criteria to filter
- Review events by: Severity, Violation Type, Time (range), Targeted Host, Attacker Source IP, Attacker Geolocation, Action Taken, and more
- Sort by any column
- Expand an event to view its full attributes
Service Overview

• Subscription period
• Number of protected applications / networks out of the total purchased
• Throughput usage
• Protected hosts
• Transaction rate
• Onboarding stage
Security

Integration with Customer SIEM Systems

• For security managers to gain full visibility from one management system, Cloud Services events can be exported to an external SIEM system used by the customer
• Exported event types include (based on the customer's service plans):
  • WAF attacks
  • DDoS attacks
• Log data is provided to the customer system in near real-time, in a secured manner
• Architecture overview: the customer deploys a Logstash client, which collects data from a dedicated message queue in the cloud and forwards it to the SIEM system

  Radware Cloud Services: security devices -> event collector -> Amazon SQS
  Customer data center: Logstash -> SIEM system
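The collector the slide describes maps onto a short Logstash pipeline. The fragment below is an added example, not the pipeline from Radware's SIEM Integration Guide: the queue name, region, SIEM host and port are placeholders to be replaced with the values provided at onboarding, and the syslog-over-TLS output stands in for whatever input your SIEM actually accepts.

```conf
# logstash.conf (added example; all names are placeholders)
input {
  sqs {
    queue  => "radware-cloud-events-<account>"   # dedicated queue provisioned for the account (placeholder name)
    region => "us-east-1"                         # placeholder
    # AWS credentials come from the instance role or the environment;
    # access_key_id / secret_access_key can be set here instead.
  }
}

filter {
  # Tag the events so the SIEM can route and correlate them by source
  mutate { add_field => { "log_source" => "radware-cloud-services" } }
}

output {
  syslog {
    host     => "siem.example.internal"   # placeholder
    port     => 6514
    protocol => "ssl-tcp"                 # keep the "secured manner" end to end
  }
}
```

Two operational points follow from the architecture. The SQS input deletes a message from the queue once it has fetched it, so if Logstash dies while the SIEM is unreachable those events are gone; set `queue.type: persisted` in `logstash.yml` so fetched events survive a restart. And because delivery is near real-time only while the collector keeps up, alarm on the queue's `ApproximateAgeOfOldestMessage` CloudWatch metric to notice a stalled collector before the SIEM's gap does.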


Security

Integration with Customer SIEM Systems

Splunk customized dashboard example [screenshot not preserved in extraction]
Visibility
Reporting
• Provides visibility and insights into security threats to your protected applications and networks
• Easy to read graphical display of WAF and DDoS protection provided
• Reports can be generated manually or automatically, according to configured schedule
• Customers can opt-in at onboarding
• Customers select the report period (week or month), and the email recipient list
Manageability
Improved Onboarding Process
• Onboarding was simplified to make the user experience easier and smoother, resulting in faster onboarding:
  • Secure online upload of SSL certificates
  • Support for new Cloud WAF features, including the new CDN service and multi-host applications
  • Simplified and redesigned user interface for a more intuitive user experience
Manageability
Multi Host Applications
• An Application is the entity protected by Cloud WAF
• Until Cloud WAF v1.50, an Application consisted of a single host only (a single domain name)
• Customers may require protection for a very large number of hosts that logically belong to the same application
• Cloud WAF 1.50 provides WAF protection and aggregated reporting for an application that includes many hostnames
• Several hosts can be grouped into a single application as long as they meet the following criteria:
  • Certificate – the hosts use the same certificate (when one is used)
  • IP address – the hosts use the same origin IP address
  • Character set – the same character set is used
  • Protection policy – the same WAF policy is used
Manageability
Multi Host Applications – Cont.
• Reporting & monitoring:
  • The Dashboard presents Application-level entities (the group)
  • Security Events allows drill-down to the specific host level
Manageability
PCI Compliance


• PCI compliance for the Cloud Services offering – approved !
Visibility
OWASP Top 10 Widget
• The OWASP Top 10 project's goal is to raise awareness about application security
• Cloud WAF detects, blocks and reports attacks in these categories, to make sure your web site is protected
• New OWASP Top 10 distribution widget, showing the top web application security risks (2013 edition):
  • A1 – Injection
  • A2 – Broken Authentication and Session Management
  • A3 – Cross-Site Scripting (XSS)
  • A4 – Insecure Direct Object References
  • A5 – Security Misconfiguration
  • A6 – Sensitive Data Exposure
  • A7 – Missing Function Level Access Control
  • A8 – Cross-Site Request Forgery (CSRF)
  • A9 – Using Components with Known Vulnerabilities
  • A10 – Unvalidated Redirects and Forwards
Visibility
OWASP top 10 Widget – Drill Down
• Can drill down by filtering Security Events
Additional Information & Tools

Assets
• Cloud WAF Service Description
• Cloud Data Sheet

Technical Resources
• SIEM Integration Guide
• Cloud Onboarding Guide

Demos & Videos
• Radware Cloud Security Services Video
• Unified Cloud Portal Demo - Cloud WAF & DDoS
• Cloud WAF Demo Guide

Competitive
• Competitive Comparison Slides
• Competitive Brief

Q&A