The SecureSphere Web Application Firewallgovernmentvideosolutionsforum.com/.../Imperva-SecureSphere_WAF0… · The SecureSphere Web Application Firewall: An automated approach to

The SecureSphere Web Application Firewall An Automated Approach to Defending Web Applications

Web applications have lowered costs and increased revenue by

extending the enterprise’s strategic business systems to

customers and partners. However, Web applications also

expose these critical systems to continuous threats from both

internal and external sources.

Defending Web applications is one of the most challenging

aspects of information security. Because Web applications

constantly change to meet business requirements, the security

model must adapt as changes are made to the applications. In

addition, because data centers are highly optimized, deploying

an application security solution must require minimal changes

to the existing infrastructure. Unfortunately, first generation

Web Application Firewalls are too inflexible for most customer

environments, too intrusive to deploy and too costly to

maintain.

This paper provides an overview of the Web application threat

environment and presents Imperva’s SecureSphere Web

Application Firewall – an integrated approach that meets

stringent data center requirements for security, performance,

deployment, operations, and regulatory compliance.

The SecureSphere Web Application Firewall: An automated approach to defending Web applications

Web Application Security Web applications have become the backbone of business in nearly every segment of the economy. They connect employees, customers, and partners to the information they need anywhere and anytime. This universal information accessibility has cut costs and dramatically accelerated the pace of business. Unfortunately, as the information accessibility has grown, so too has risk. Identity theft, data leakage, phishing, SQL injection, worms, denial of service (DoS) attacks, and malicious robots increasingly target Web applications with consequences that impact brand, revenues, and regulatory compliance.

Attack Example - Identity Theft Web application security solutions must provide protection against a range of attacks targeting vulnerabilities in both custom application logic and underlying commercial software platforms. Increasingly, these attacks also target vulnerabilities in Web services (XML, SOAP, etc.) components of application software. As the following example illustrates, a single threat such as identity theft may result from any number of vulnerabilities and associated attacks.

• SQL Injection attacks take advantage of input validation vulnerabilities in custom Web application code to send unauthorized SQL commands to a back-end database. For example, using SQL injection, an attacker may gain access to the entire contents of a backend database including identity information. SQL injection is usually carried out by an external attacker from outside the perimeter firewall.

• Cross–site Scripting attacks take advantage of script injection vulnerabilities in custom Web application code to redirect a customer’s login credentials to an attacker. Often used as part of a larger phishing scheme, cross-site scripting is usually carried out by an external attacker from outside the perimeter firewall.

• Worm Infections take advantage of vulnerabilities in underlying operating systems and commercial software platforms. Code Red, Nimda, and MSBlaster represent just a few widely known worms targeting Web application platform software. In the case of identity theft, platform software vulnerabilities may be exploited by worms (or individual attackers) to install Trojan horse programs to enable back-door access to identify information.

There are many more examples of Web application vulnerabilities and attacks. For more information, see the research by Imperva’s Application Defense Center (ADC) located at http://www.imperva.com/application_defense_center.

Assessing Alternatives for Web Application Security The complexity of the Web application threat environment makes it different from other segments of the IT security landscape. Traditional network firewalls and intrusion prevention capabilities, while necessary, do not have insight into the higher level data layer activity necessary to protect against Web application attacks such as those described in the previous section. Complete Web application security requires detailed understanding of the elements of legitimate user transactions within each Web application – including URLS, HTTP methods, session IDs, cookies, XML/SOAP schema, and more. This level of security can only be provided with advanced Web application firewall capabilities. This section analyzes the strengths and weakness of the individual security capabilities required for complete Web application security.

Network Firewall Network firewalls provide network layer access control and attack protection services. They have been uniformly deployed at the network perimeter and in front of critical internal enterprise resources

Page 2 Imperva, Inc.

http://www.imperva.com/application_defense_center


– such as Web applications. As a component of overall Web application security architecture, network firewalls provide necessary protection against network-layer hacking (network scanning, telnet, etc.). They also provide a barrier against the spread of worms from corporate desktop networks to Web applications via non-essential ports and protocols. While network firewalls prevent network-layer attacks and worm propagation, firewall rulesets must allow essential protocols such as HTTP and HTTPS unrestricted access to Web applications. Over time, the hacking community has learned to use this fact to their advantage by embedding attacks into Web traffic that is perfectly legitimate from a protocol perspective. Code Red and Nimda are examples of Web application worms that easily traverse network firewalls via protocol-compliant Web communications. Similarly, SQL injection and cross-site scripting represent two targeted Web application attacks (among many) that go completely unnoticed by network firewalls since they are similarly implemented via protocol compliant Web traffic. As long as an attack is carried out via commonly allowed application protocols, network firewalls are ineffective.

Intrusion Prevention Systems (IPS) The broader security industry has responded to the need for a deeper understanding of application layer behavior with intrusion prevention systems (IPS). IPSs look at the contents of a packet’s payload and compare it to a list of known attacks (signatures or other defenses) derived from documented vulnerabilities in commercial software. IPS technology may also enforce protocol restrictions to protect against known protocol related vulnerabilities in commercial software. Since virtually all worms are based on known software vulnerabilities, IPS can be an effective worm defense and therefore a useful component of a comprehensive Web application security architecture. Unfortunately, IPSs are ineffective against targeted Web application attacks targeting unknown vulnerabilities in custom code1. Since the vulnerabilities are unknown, no signatures are available.

Web Application and Web Services Firewalls Web application and Web Services parse Web application protocols and enforce a policy over detailed data layer variables such as URLs, URL parameters, session IDs, cookies, etc. Standard Web application firewalls focus on HTTP/HTTPS protocol traffic. Web services firewalls handle XML, SOAP, and WSDL protocols. Some modern applications require both Web and Web services support. Together these products provide critical protection against application attacks targeting vulnerabilities in custom Web applications. The biggest challenge to implementing a Web application firewall is building and maintaining an accurate policy over time. A policy for a single application firewall may contain thousands or even millions of variables (URLs, parameters, cookies, SQL queries, etc.) that are unique to each Web application. To make matters worse, application developers change these variables on a regular basis. Given this degree of complexity and speed of application change, expecting a human administrator (or a team of administrators drawn from application development, operations, and security groups) to manually create and maintain application firewall rules is unrealistic. Any practical Web application firewall must completely automate the creation and ongoing maintenance

1 Although some IPS solutions claim to defeat certain targeted attacks such as SQL injection and cross-site scripting, these claims should be treated with caution. IPS products rely on signatures that are commonly used as part of SQL injection or cross-site scripting attacks. These signatures, however, are words such as “union,” “select” and “script”. They are prone to false positives since they commonly appear in normal Web site content. Therefore, these signatures are usually not enabled, leaving the application open to these attacks. Even if these signatures are enabled, they can be circumvented using well-known evasion techniques.



of an accurate policy. Unfortunately, most application firewalls have not adequately addressed this fundamental challenge. Instead, they force administrators to manually configure and tune rules to an extent that does not scale in real-world application environments.

Point Solutions are Problematic As discussed in the previous section, complete Web application security traditionally requires a combination of network firewall, IPS, Web application firewall and Web services firewall capabilities. However, integration of so many disparate solutions can be problematic. Without integration there is no way to stop sophisticated attacks that can only be identified by correlating information from across the multiple components. Moreover, the combined cost to manage the discrete systems is extremely high. Product selection, purchasing, training, deployment, configuration, ongoing policy management, and audit functions must be duplicated for each solution. To make matters worse, each inline security device introduces an additional point-of-failure and a performance risk that must be managed closely. In short, the operational cost and risks associated with maintaining disparate Web application security solutions are too high to be practical.

Deployment and Operational Challenges The threat environment is not the only area in which Web application security challenges are unique. Web applications must maintain exacting service levels, so they have stringent requirements related to deployment and operations. Specific issues include performance, deployment risk, availability, and centralized management.

• Performance – Web applications are designed to handle high throughput and transaction rates. The performance of Web application security solutions must match or exceed other elements of the application infrastructure or they cannot be deployed without degrading performance.

• Deployment Risk – Web applications are finely tuned and extremely sensitive to change.

Any change to the network, application software, back-end databases, or Web server platforms introduces risk to availability, performance, and security. Mitigating this risk requires costly testing which is a serious barrier to deployment. Therefore, Web application security solutions should be transparent the surrounding infrastructure. In other words, they must require no changes to that infrastructure.

• Availability – Any Web application downtime or poor service levels have a negative impact

on revenues, customer satisfaction and productivity. Therefore, Web application security solutions must incorporate high availability capabilities.

• Centralized Management – Web application infrastructure is often distributed across the

globe. Security managers need to manage devices without connecting to each device separately. Therefore, a centralized management server that automatically aggregates management of distributed devices is a necessity.



SecureSphere Web Application Firewall The SecureSphere® Web Application Firewall is the only solution to provide automated attack protection for Web and Web Services applications. Imperva’s Dynamic Profiling technology builds a model of legitimate application behavior and adapts to application changes over time, keeping SecureSphere’s application protection up to date and accurate. Deployed in minutes with no changes to the data center infrastructure, SecureSphere enables precise attack protection without manual configuration or tuning.

Dynamic Profiling is the foundation of a multi-layer security architecture that provides complete protection for all layers of the application infrastructure, including the network, server and application. Imperva’s Transparent Inspection technology delivers multi-gigabit performance, sub-millisecond latency and options for high availability that meet the most demanding data center requirements. For large scale deployments, the SecureSphere MX Management Server centralizes and streamlines configuration, administration, monitoring and reporting. And because SecureSphere supports a broad range of network deployment options, it can be deployed into any environment without requiring any network changes.

SecureSphere includes both firewall gateway and management server components. Gateway appliances are deployed in the path of Web servers where they can identify and immediately block attacks. The MX

Management Server provides centralized management for multi-gateway deployments.

SecureSphere Provides Automated and Accurate Protection Against …

• Web, HTTPS and XML application attacks

• SQL Injection • Session Hijacking • Cross Site Scripting (XSS) • Form Field Tampering • Known Worms • Zero Day Web Worms • Buffer Overflow • Cookie Poisoning

• Denial of Service • Malicious Robots • Parameter Tampering • Brute Force Login • Malicious Encoding • Directory Traversal • Web Server and Operating

System Attacks • Scanning

• Command Injection • Illegal Encoding • Identity Theft • Data Theft • Patient and Financial Data

Disclosure • Corporate Espionage • Phishing • Data Destruction



Core Technology SecureSphere’s foundation technology meets the unique security, deployment and operational demands of enterprise Web applications. This section provides a detailed explanation of this core technology. The following (and final) section of this document covers key features and benefits that are derived from the core technology.

Security Models and Security Enforcement SecureSphere incorporates both dynamic positive (white list) and dynamic negative (black list) security models. Instant Attack Validation (IAV) immediately validates and blocks any clear violations according to either model. For complex attacks that are neither clearly good nor clearly bad, Imperva’s unique Correlated Attack Validation (CAV) technology correlates violations across multiple layers and over time to separate actual attacks from legitimate user traffic. CAV effectively correlates information from all of SecureSphere security layers to achieve overall accuracy that cannot be matched by several standalone security products.

Dynamic positive and negative security models are combined with SecureSphere’s Instant Attack Validation and Correlated Attack Validation enforcement algorithms.

Dynamic Positive Security Model Dynamic Profiling At the heart of SecureSphere’s automated approach to security is Dynamic Profiling. Dynamic Profiling automatically examines live traffic to create a comprehensive model (profile) of an application’s structure and dynamics. The profile serves as the baseline for a positive security model governing detailed application-layer behavior. By comparing actual traffic to the profile, SecureSphere is able to detect malicious activity of any kind. Valid application changes are automatically recognized and incorporated into the profile over time. SecureSphere employs Dynamic Profiling to create positive security models of legitimate user behaviors for Web and Web Services applications. By comparing profiled elements to actual traffic, SecureSphere is able to detect malicious activity of any kind.

Dynamic Profiling overcomes the biggest drawback of other application firewall solutions – manual rule creation and maintenance. Unlike network firewall solutions where policy may be limited to a few dozen static rules, application firewall policy requires hundreds or thousands of rules governing



thousands of constantly changing variables including URLs, parameters, cookies, XML elements and form fields.

Any application security architecture that relies upon manual rule creation by a security administrator requires constant rule-base tuning to account for changes to the applications. For example, many Web application firewalls require manually created rules to define expected behaviors for client-side scripts. These manual rules specify detailed application variables such as allowed URLs, parameters, parameter types, and parameter constraints. Maintenance of these rules can be a major source of operational overhead as many sites rely on hundreds of scripts. Any script change requires a parallel rule change to avoid false positives. Considering that many operations and security managers are not kept abreast of every application change and some may not have the application expertise to evaluate application changes, manual rule maintenance is an unrealistic expectation2. Dynamic Profiling, on the other hand, delivers completely automated security with no need for manual configuration or tuning3. If desired, administrators can always manually modify the profiles to bridge any differences between actual usage and corporate security policies. Completing the Positive Security Model In addition to application structure and dynamics modeled by Dynamic Profiling, SecureSphere’s positive model security capabilities include network firewall white lists and http protocol checks. Together, these combined capabilities form a complete picture of normal data center behavior that extends from the valid network IP addresses to high-level Web application operations.

Dynamic Negative Security Model SecureSphere’s dynamic negative security model capabilities include network firewall black lists and Intrusion Prevention System (IPS). Network firewall black lists define specific protocol/IP address combinations that are specifically not allowed into the data center. For example, Telnet from corporate desktops might be specifically restricted. Similarly, signatures define patterns that match known attacks targeting commercial software platforms. For more information on SecureSphere’s integrated IPS, see the SecureSphere Features and Benefits section of this document. Custom Policy Definition In addition to the automated policy definition provided by Dynamic Profiling, SecureSphere allows security administrators to define policies regarding specific attributes of Web traffic. Custom policy rules are manually configured and provide the power to perform operations that are not available or convenient to implement via profile and protocol violation rules.

Enforcement Algorithms – Instant and Correlated Attack Validation SecureSphere separates attacks from legitimate interactions using two enforcement algorithms - Instant Attack Validation (IAV) and Correlated Attack Validation (CAV). IAV immediately validates and blocks clear violations of any dynamic positive or negative security model. However, certain suspicious violations cannot be classified as either clearly good or clearly bad. These suspicious

2 Application developers, data center operations and security teams usually operate independently. Any application firewall architecture that relies upon manual administrator rule maintenance requires that application developers work closely with the operations and security teams in advance of all changes. The operations team, security team and developers must then test and deploy changes in parallel to avoid false positives that block legitimate users. 3 In addition to the automated policy definition provided by Dynamic Profiling, SecureSphere allows security administrators to define policies regarding specific attributes of Web traffic. Custom policy rules are manually configured and provide the power to perform operations that are not available or convenient to implement via profile and protocol violation rules.



violations usually result from harmless application changes or user error – but they could represent dangerous attacks or attack reconnaissance. To handle these suspicious violations, CAV validates attack activity by tracking events across multiple detection layers (Web, database, IPS, etc) and over time. Based on Imperva’s deep understanding of attack strategies, information from multiple violations can be correlated to definitively distinguish attacks from harmless user error and application changes. The figure below presents a specific example of CAV in action. The Web application firewall identifies a parameter length violation in a user’s request. While suspicious, this could also be the result of a change in the application (for instance, changing the allowed values of a parameter to include a new product category). Therefore, this single violation alone is not enough to confirm an attack. However, if the user continues to generate parameter length violations in rapid succession, CAV would correlate these actions and correctly conclude that attack reconnaissance (i.e. looking for parameters vulnerable to SQL Injection or buffer overflow) is in progress. By basing security decisions upon multiple events rather than a single event, CAV is able to detect attacks with a degree of accuracy that is not possible via Instant Attack Validation.

SecureSphere's CAV engine tracks and correlates events over time to

accurately identify and block attack activities.

Transparent Inspection SecureSphere can be deployed inline as a transparent bridge, router, or a reverse proxy4. SecureSphere can also be deployed as an offline network monitor (sniffer). Imperva’s Transparent

4 SecureSphere is often deployed as a direct replacement for legacy reverse proxy appliances. In most cases, customers choose to configure SecureSphere as a bridge or a router because it fits into the existing architecture and reduces the deployment and operational burden associated with reverse proxies. However, in some cases, customers must deploy



Inspection technology delivers multi-gigabit performance, sub-millisecond latency, and options for high availability that meet the most demanding Web application requirements. Moreover, Transparent Inspection technology makes it possible for SecureSphere to be deployed in minutes with no changes to the existing data center infrastructure From a security perspective, inspecting the upper layers of the OSI model and beyond is required to deliver protection. From an operational networking perspective, the chief desire is for seamless, transparent operation. As such, from the perspective of how a device functions as a networking node, operating at lower layers is desirable for application security solutions. Transparent Inspection allows SecureSphere to operate as a transparent bridge, a network router or a reverse proxy. SecureSphere intercepts traffic at the kernel level and reconstructs all layers of the application stack in order to inspect application behavior. The benefits of this are as follows.

1. High Performance – SecureSphere performance is an order of magnitude faster than competing approaches. Because SecureSphere security processing is done at the kernel level, it requires far less processing overhead than competing reverse proxy products that must do security processing in user space.

2. No Changes to Applications - Since network traffic passes through SecureSphere without

modification, SecureSphere is transparent to the traffic endpoints (the client and the web servers). This means SecureSphere can easily drop into any enterprise’s data center without changing carefully optimized Web application infrastructure.

By comparison, many competing Web application security devices can only operate as reverse proxies. From a network perspective, this means traffic is terminated at layer 7 of the OSI model. The implications of this are as follows.

1. Diminished Performance - Security processing must take place in the user space, greatly increasing processing overhead. Because traffic is terminated and passed to the user space, the communications of the security device must process the traffic for inspection, but also re-encode and re-construct an independent communication with the server, resulting in low performance, low throughput, and high latency.

2. Changes to Existing Infrastructure - The proxy must modify network traffic. For the network,

this means that existing IP address and routing infrastructure must be changed during deployment. For the application, this means that URLs must be re-written and embedded calls to dynamic objects must be translated. The result is a high level of deployment impact.

3. Weakening of Non-Repudiation - The security device must terminate and decrypt SSL

encrypted traffic, re-package the communications, re-negotiate a new SSL connection to the server, and re-encrypt the information. The result is weak link in the non-repudiation processes as well as significant additional performance reduction.

SecureSphere as a reverse proxy to meet special pre-existing architectural or design requirements. When deployed as a reverse proxy, Transparent Inspection still performs the data inspection and analysis; the proxy functionality is used to provide networking connectivity that maps to pre-existing requirements.



SecureSphere Features and Benefits This section details key SecureSphere features and benefits derived from SecureSphere’s core technology described in the previous section.

SecureSphere Security Complete Web Application Protection SecureSphere integrates four security enforcement components: a Dynamic Profile of the Web application, an IPS, a network firewall, and an optional Database Security Gateway. Web Application Firewall SecureSphere protects custom Web application code against attacks such as SQL injection, cookie poisoning, parameter tampering, directory traversal and more. Dynamic Profiling automatically creates a dynamic positive security model of Web application usage and structure, including URLs, http methods, parameters, hidden fields, cookies, session IDs and response codes. As users interact with the application, SecureSphere closely monitors their activities and compares them to the profile. Any attempted attack is detected and blocked.

SecureSphere identifies web attacks and can generate alerts and/or block the attacks. Web Services Firewall SecureSphere’s Web services firewall protects against attacks targeting XML, SOAP and WSDL applications. Like SecureSphere’s Web application firewall the Web services firewall leverages Dynamic Profiling technology to create a dynamic positive security model of allowed application usage and structure, including XML URLs, SOAP actions, XML elements and XML attributes. Any attempts to tamper with Web services application schemas or variables are identified and blocked.



Custom Policy Enforcement As a supplement to the automated policy definition provided by Dynamic Profiling, SecureSphere allows security administrators to define policies regarding specific attributes of Web traffic. Enforcement of custom policy rules supplements SecureSphere’s enforcement of dynamically generated Web and Web services security policies.

Intrusion Prevention System (IPS) SecureSphere IPS provides broad protection against known infrastructure attacks and zero day worms. These attacks typically target vulnerabilities in commercial web server, application server and operating system software (e.g. IIS, Apache, and Windows 2000).

Protocol Compliance SecureSphere protocol compliance checks ensure that Web traffic meets RFC and expected usage requirements. For example, SecureSphere checks HTTP for malformed URLs, abnormally long URLs, abnormally long header lines, and many other protocol anomalies. By ensuring that the protocols meet guidelines, protocol compliance prevents attacks on vulnerabilities in server platform protocol implementations. Signature Detection for All Protocols SecureSphere supports Snort®-compatible signatures across all protocols. The Application Defense Center, Imperva’s international security research organization, enhances the Snort®-compatible signature database with contextual attributes such as affected systems, risk, accuracy and frequency. SecureSphere administrators can use this information to modify the signature dictionaries or adjust action policies to meet their specific requirements. In addition, the ADC has added advanced HTTP and SQL signatures designed specifically for Web application attack detection. These unique signatures provide critical inputs to SecureSphere’s Correlated Attack Validation (CAV), enabling it to detect sophisticated attacks and even attack reconnaissance. The SecureSphere Security Update Service provides regular updates to ensure the most up to date protection is continuously enforced. Zero-Day Web Worm Profiling SecureSphere’s Web Worm Profile defends against zero day Web Worms and all Web-based worms without relying on signatures or computationally intensive techniques such as inline code simulation. Instead, SecureSphere’s zero day worm profiling technology identifies attacks for which there are no signatures by detecting the specific combinations of attributes that uniquely characterize such attacks.

Network Firewall SecureSphere’s integrated stateful network firewall protects against unauthorized users, dangerous protocols, common network layer attacks and worm infections. Access control policies support both black and white listing of protocol/IP address combinations to eliminate data center exposure to non-essential or dangerous protocols such as Telnet, pcAnywhere, or even SQL. The network firewall plays an important worm defense role by preventing the spread of worms from internal user desktops to Web applications via non-essential ports and protocols.



Extending SecureSphere to Databases The SecureSphere Web Application Firewall can be extended to include database protection for Oracle, MS-SQL Server, DB2 (including mainframe) and Sybase databases. Dynamic Profiling automatically creates a dynamic positive security model of database usage dynamics and structure, including user names, IP addresses, tables, operations, queries, query patterns, privileged commands, and stored procedures. Any interaction that violates the profile triggers an alert and can be blocked depending upon policy for the threat level of the violation. SecureSphere database security protects against external attacks and insider abuse, providing end-to-end defense for the data center.

Unparalleled Accuracy SecureSphere incorporates a multi-layer security architecture that enables precise attack protection without manual configuration or tuning. SecureSphere’s security architecture incorporates both dynamic positive (white list) security models and dynamic negative (black list) security models. Sophisticated enforcement algorithms draw on both security models to identify and block even the most sophisticated attacks. For more information, see the Security Model and Security Enforcement section earlier in this document.

SecureSphere Deployment

Imperva’s Transparent Inspection processing architecture allows SecureSphere to be completely transparent to the surrounding data center. SecureSphere deployment requires no changes to the network or application infrastructure, supports multi-gigabit network performance, and offers a host of high availability options.

No Changes to Existing Network SecureSphere can be flexibly deployed in the network as a transparent inline bridge, an inline proxy, an inline router, or a non-inline network monitor. Because of this flexibility, deployment requires no changes to the existing network architecture, including network routers, load balancers and servers.

No Changes to Application Powered by a unique Transparent Inspection technology, SecureSphere examines Web application traffic for attacks and malicious activity without altering or rewriting Web content. This enables SecureSphere to provide complete and accurate application security without forcing organizations to redesign their Web applications, change authentication schemes or install new SSL certificates.

Multi-Gigabit Performance SecureSphere delivers multi-gigabit throughput and over 16,000 transactions per second while maintaining sub-millisecond packet latency. This level of performance is an order of magnitude better than competing approaches. A single SecureSphere gateway is sufficient for many customers and SecureSphere can scale to meet the requirements of the largest enterprise by deploying multiple gateways managed from a single unified management server. With SecureSphere, security will never impact your data center service level agreements (SLAs).

Performance Metric SecureSphere Throughput 2 Gbps Request/Sec 16,000 Latency <1 millisecond



High Availability SecureSphere supports a broad range of options to ensure maximum uptime and application availability.

• Imperva High Availability (IMPVHA) protocol provides sub-second failover for two or more SecureSphere gateways deployed in bridging mode.

• Virtual Router Redundancy Protocol (VRRP) provides for failover when SecureSphere is configured as a router or proxy.

• Redundant gateways can be deployed in environments with redundant system infrastructures. SecureSphere’s transparent deployment modes support both active-active and active-passive fail-over configurations when using external HA mechanisms.

• Inline fail-open network interfaces ensure availability in the event of software, hardware, or power failures

• Non-inline monitoring configuration offers transparent deployment with no single point of failure.

SecureSphere Active-Active Configuration

Load Balancers

SecureSphere

Switches

Load Balancers

SecureSphere

Switches

Normal Operation Failure / Recovery

Active-Active Fail-over ensures continuous data availability and security



SecureSphere Operations Automated Web Application Security Ongoing tuning of manually created policies is often the most significant component of a Web application firewall’s total cost of ownership. It is not practical to expect multiple organizations (e.g. operations, security, and software development) to jointly tune a security product every time the application changes. Dynamic Profiling eliminates manual tuning by automatically adapting to Web application changes as they are deployed. The result is comprehensive security without burdensome operational processes.

Centralized, Scalable Management SecureSphere G4 and G8 appliances can be deployed in standalone configurations and include all of the administration and reporting capabilities needed to manage a single gateway deployment. Large enterprise security deployments require mature management tools to scale across multi-gateway environments. To meet this requirement, the SecureSphere MX Management Server serves as the focal point of a three-tier management architecture that automates the task of managing multi-gateway deployments. Rather than require each gateway be managed individually, the Management Server provides a single point for aggregating policy, real-time monitoring, logging, and reporting activity across multiple SecureSphere gateways. For example, generating a report analyzing high-priority security alerts across ten distributed gateways requires a few simple clicks with SecureSphere. By comparison, less mature two-tier management infrastructures require that security managers connect to ten separate devices, collect ten alert files, and run ten separate reports using a third-party reporting product.

The MX Management Server automates the task of managing multiple gateways

SecureSphere provides alerts and reporting across the enterprise



Management Capabilities Specific management capabilities for single-gateway and multi-gateway deployments include the following.

• Graphical Reporting - Both pre-configured and customized reporting is supported with a full Crystal Reports™ package and ODBC-compliant database access. Pre-configured reports provide immediate visibility into performance, regulatory compliance, security events, application vulnerabilities, database usage anomalies, and application changes.

• Unified Real-Time Alert Monitoring – Real-time alerts originating from multiple SecureSphere

security layers (Dynamic Profile, IPS, etc.) are collected, prioritized and presented to the administrator within a single unified view. Alerts notifications may be sent via email, phone, pager, SNMP, and syslog messages. There is no need to connect to individual devices distributed throughout the data center. Log data from multiple gateways are also presented in a single view and stored in a single MX Management Server database.

• Alert Auditing – Alerts from multiple gateways are collected and stored in a single MX

Management Server database. To support audit initiatives, alerts can be sorted and searched based upon a variety of parameters with a few clicks. Even specific user violations (identified by session ID or IP address) originating from different SecureSphere security services (network firewall, Web firewall, CAV, etc.) may be instantly traced. Log data from multiple gateway deployments are collected and stored in a single MX Management Server database.

• Intelligent Attack Summaries – Intelligent attack summaries improve administrator

productivity by intelligently aggregating a sequence of events caused by complex attacks into a single actionable alert. For example, thousands of related scanning events extending across multiple gateways are aggregated into a single attack alert. This highly focused information allows administrators to quickly respond to immediate threats. Aggregated alerts preserve underlying component alert information for detailed forensics.

• Centralized Policy Distribution – Dynamic Profile, IPS policy, and system parameters for

multiple gateways are stored centrally on the MX Management Server. Changes are made on the server and automatically distributed to multiple gateways with a single click.



Summary The SecureSphere Web Application Firewall is designed from the ground up to meet the unique security, deployment and operational requirements of enterprise Web Applications. It integrates the capabilities of a traditional Web application firewall, with Web Services firewall, IPS, network firewall, and optional database security capabilities. Imperva’s Dynamic Profiling technology enables a completely automated security model with no need for manual configuration or tuning. Transparent Inspection technology delivers multi-gigabit performance, rapid deployment, and multiple high availability deployment options. Finally, the MX Management Server delivers the multi-gateway management capabilities necessary to support the largest Web application environments.

US Headquarters 950 Tower Lane

Suite 1710 Foster City, CA 94404

Tel: (650) 345-9000 Fax: (650) 345-9004

www.imperva.com

International Headquarters 12 Hachilazon Street

Ramat-Gan 52522 Israel

Tel: +972-3-6120133 Fax: +972-3-7511133

© 2006 Imperva, Inc. All rights reserved. Imperva and SecureSphere are registered trademarks of Imperva, Inc. Dynamic Profiling is a trademark of Imperva, Inc. All other brand or product names are trademarks or registered trademarks of their respective holders.


http://www.imperva.com/

Documents

The SecureSphere Web Application Firewallgovernmentvideosolutionsforum.com/.../Imperva-SecureSphere_WAF0… · The SecureSphere Web Application Firewall: An automated approach to