WAPPLES Introduction & the Future - Penta Security · 2012-05-04

Page 1

March, 2011

Penta Security Systems Inc.

WAPPLES Introduction & the Future

Page 2

Table of Contents

Why a Web Application Firewall?
• Risk on the rise
• Targets of web attacks
• Why should we care about web application attacks?

What Is a Web Application Firewall?
• WAF is for what?
• FW, IDS/IPS, and WAF enabled list

Boasting Top-notch WAF - WAPPLES
• Intelligent Web Application Firewall - WAPPLES
• Key Differences
• WAPPLES logical analytic detection engine
• WAPPLES Major Features

Must-have Trend
• Cloud Computing Security

Page 3

Why a Web Application Firewall?

Risk on the rise!

Expansion of web applications
• B2B, B2C, G2C, etc.
• Used for internal tasks as well as external services

Rapid growth of web vulnerabilities
• 53% of all vulnerabilities disclosed in 2008 were related to web applications [1]
• Only 26% of known vulnerabilities were patched by the end of 2008 [2]

Web applications are the #1 focus of hackers:
• One new infected webpage is discovered every 4.5 seconds [2]
• SQL Injections are the #1 reported vulnerability [3]

[Pie chart: SQL Injection 30%, Others 30%, Unknown 29%, Cross Site Scripting (XSS) 8%, CSRF 3%]

1. IBM Internet Security Systems, 2008 X-Force® Trend & Risk Report
2. Sophos, Security threat report: 2009 - Prepare for this year's new threats
3. WASC: The Web Hacking Incidents Database

Page 4

Why a Web Application Firewall?

Targets of web attacks

[Diagram: request and response path between web client and web server, annotated with the attack targets listed below]

• Sniffing, SSL redirection
• Cross Site Scripting (XSS), Active Contents Execution
• Web Server S/W Vulnerabilities
• Authentication / Authorization, Site Structure, Input Validation, Attack on Application Logic
• Injection Flaws, Command execution by query

Page 5

Why a Web Application Firewall?

Why should we care about web application attacks?

[Chart: Security Spending, % of Dollars vs. % of Attacks - Web Applications: 10% of dollars, 75% of attacks; Network/Servers: 90% of dollars, 25% of attacks]

75% of attacks on Information Security are directed to the Web Application Layer
- Gartner -

Page 6

Why a Web Application Firewall?

Web application firewall has a higher priority

Web applications are the #1 focus of hackers
• 75% of attacks are directed at the Application layer (Gartner)
• SQL Injections are the #1 reported vulnerability (The Web Hacking Incidents DB, 2008)

Most websites are vulnerable
• 90% of websites are vulnerable to application attacks (Watchfire)
• 78% of easily exploitable vulnerabilities affect Web applications (Symantec)
• 80% of organizations will experience an application security incident by 2010 (Gartner)

Web applications are high value targets for hackers
• Customer data, Credit Cards, Social Security Numbers, ID theft, fraud, website defacement, etc.

Compliance requirements
• Payment Card Industry Standards (PCI-DSS), GLBA, HIPAA, and FISMA

Page 7

Why a Web Application Firewall?

Cost Saving

Introducing a WAF is cost-saving for a company's IT resources: much more cost effective than hiring a person to manage application security manually.

| Item | Assumptions | Sum |
|---|---|---|
| Homepage source code lines | 100,000 lines | |
| Number of vulnerabilities per 1,000 source code lines | 10 | 1,000 |
| Time to find and eliminate 1 vulnerability | 6 hr. | 6,000 hr. |
| Average working hours a day | 8 hr. | 750 days |
| Daily payment for engineer | 150 | 112,500 |

<Revenue in U$>

US CERT, DEPT

Page 8

What Is a Web Application Firewall?

Application Security Is A Totally Different World

| Network Security | Application Security |
|---|---|
| Part of IT | Part of Business Units |
| Networking Experts | Software Experts |
| Product Focused | Custom Code Focused |
| 1000s of Copies | 1 Copy of Software |
| Signature Based | No Signatures |
| Patch Management | Prevents Vulnerabilities |

Don't let anyone rely on network security techniques to gain application security.

Page 9

What Is a Web Application Firewall?

WAF Is For What?

Definition
• It performs a security analysis at OSI layer 7 of all messages exchanged between the web server and the web client.
• It protects against attacks aimed at the web application.

Roles
• Protects web servers from external attacks (service in)
• Protects against leakage of the web server's most important information (service out)

[Diagram: Network Firewall, IDS / IPS, and Web Application Firewall in front of the web server]

Page 10

What Is a Web Application Firewall?

WAF Is For What? (Cont'd)

OSI 7 Layers Protection Device

Web Application Firewall
• Based on a white-list signature
• Detects highly sophisticated attacks and encoded traffic
• Detects unknown attacks
• Analyzes not only the protocol but also the context

Intrusion Detection / Prevention System
• Based on black-list signatures
• Detects by comparing patterns of attack signatures with network traffic
• Cannot detect unknown attacks

Network Firewall
• Allows/blocks specific ports for specific IP ranges
• Does not have attack detection ability

Page 11

What Is a Web Application Firewall?

FW, IDS/IPS, and WAF enabled list

| OWASP Top Ten 2010* | FW | IDS / IPS | WAF |
|---|---|---|---|
| A1: Injection | X | △ | O |
| A2: Cross Site Scripting (XSS) | X | △ | O |
| A3: Broken Authentication and Session Management | X | △ | O |
| A4: Insecure Direct Object References | X | X | O |
| A5: Cross Site Request Forgery (CSRF) | X | X | O |
| A6: Security Misconfiguration | X | X | O |
| A7: Insecure Cryptographic Storage | X | X | O |
| A8: Failure to Restrict URL Access | X | X | O |
| A9: Insufficient Transport Layer Protection | X | O | O |
| A10: Unvalidated Redirects and Forwards | X | X | O |

(O = covered, △ = partially covered, X = not covered, as rated on the slide)

* OWASP Top Ten Web Application Security Vulnerabilities (2010)

Page 12

Boasting Top-Notch WAF - WAPPLES

Intelligent Web Application Firewall - WAPPLES

[Diagram: Firewall (PORT 23 Close, PORT 80 Open) -> WAPPLES Web Application Firewall -> Web Server; Protection of Web Applications]

Page 13

Boasting Top-Notch WAF - WAPPLES

Key Differences

WAPPLES' advanced architecture and technology provide the strongest intrusion detection and protection for web applications, with near-zero false positive detection and immunity to unknown attacks.

The unique logic-based detection engine provides automated, best-of-breed detection/protection capability for web applications, overcoming the configuration/operation complexity that had been the biggest barrier to rapid growth of the WAF market in spite of its critical importance.

Commercially proven and tested solution with more than 900 customers, from SMBs to large enterprises.

9+ years of experience in the WAF business

Page 14

Boasting Top-Notch WAF - WAPPLES

WAPPLES logical analytic detection engine is called COCEP

COCEP stands for COntents Classification and Evaluation Processing.

The logic-analysis-based engine is not a signature-based approach: it analyzes and blocks each type of attack.

Page 15

Boasting Top-Notch WAF - WAPPLES

Our Detection Engine uses 3 evaluation mechanisms

"Logical analytic engine" means a detection engine that performs application-layer interpretation and verification based on the following 3 mechanisms:
• Evaluation based on Heuristic analysis
• Evaluation based on Semantic analysis
• Evaluation based on Pattern Matching

WAPPLES' 26 detection rules and 1 function (IP Block) can be classified as follows:

Evaluation based on Heuristic Analysis
• Cookie Poisoning
• IP Block
• Parameter Tampering
• Suspicious Access
• URI Access Control

Evaluation based on Semantic Analysis
• Buffer Overflow
• Cross Site Scripting
• Directory Listing
• Include Injection
• Invalid HTTP
• Invalid URI
• Parameter Tampering
• Privacy File Filtering
• Privacy Input Filtering
• Privacy Output Filtering
• Request Header Filtering
• SQL Injection
• Stealth Commanding
• Unicode Directory Traversal

Evaluation based on Pattern Matching
• Error Handling
• Extension Filtering
• File Upload
• Input Content Filtering
• IP Filtering
• Request Method Filtering
• Response Header Filtering
• User Defined Pattern
• Web Site Defacement
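The three evaluation classes above in toy form, added here as an illustration and not Penta Security's or COCEP's code: a black-list signature (pattern matching), a decode-then-interpret tautology check (semantic analysis), and a scored white-list profile (heuristic analysis) run over one request parameter. The signatures, tokenizer, profile, score weights and sample values are all constructed assumptions.

```python
"""Added illustration of pattern matching, semantic analysis and heuristic
analysis on a request parameter. Not Penta Security code; rules and samples
are constructed for this example."""
import re
from urllib.parse import unquote

# 1. Pattern matching: black-list signatures tested against the raw value.
SIGNATURES = [re.compile(p, re.I) for p in (r"union\s+select", r"<script\b")]

# 2. Semantic analysis: interpret the decoded value as SQL and ask whether it
#    forms an always-true clause (OR 1=1, OR 'a'='a'), however it was encoded.
TOKEN = re.compile(r"\d+|[a-z_]+|--|/\*|[=<>()]")
CONNECTORS = {"or", "and"}

def normalize(value: str) -> str:
    """Undo nested URL encoding and drop quotes so 1=1 and '1'='1' look alike."""
    prev = None
    while prev != value:              # %2527 -> %27 -> '
        prev, value = value, unquote(value)
    return value.lower().replace("'", "").replace('"', "")

def pattern_hit(value: str) -> bool:
    return any(s.search(value) for s in SIGNATURES)

def semantic_hit(value: str) -> bool:
    toks = TOKEN.findall(normalize(value))
    connected = False
    for i, t in enumerate(toks):
        connected = connected or t in CONNECTORS
        if t == "=" and 0 < i < len(toks) - 1 and toks[i - 1] == toks[i + 1]:
            if connected:             # tautology joined to the query by OR/AND
                return True
    return False

# 3. Heuristic analysis: weak signals scored against a white-list profile of
#    what each parameter normally looks like (here "id" is a short integer).
PROFILE = {"id": r"\d{1,9}", "q": r"[\w .-]{0,64}"}

def heuristic_score(name: str, value: str) -> int:
    once, twice = unquote(value), unquote(unquote(value))
    score = 0
    if name in PROFILE and not re.fullmatch(PROFILE[name], once):
        score += 3                    # parameter tampering: outside expected shape
    if twice != once:
        score += 2                    # double encoding is rarely legitimate
    if "--" in normalize(value) or "/*" in normalize(value):
        score += 2                    # SQL comment terminators
    return score

def evaluate(name: str, value: str, threshold: int = 4) -> dict:
    """One verdict per mechanism, so the reader can see which one fired."""
    return {"pattern": pattern_hit(value), "semantic": semantic_hit(value),
            "heuristic": heuristic_score(name, value) >= threshold}
```

With the constructed samples, `evaluate("id", "42")` reports no hits, while `evaluate("id", "1%27%20OR%201%3D1--")` and its double-encoded form `1%2527%2520OR%2520%2527a%2527%253D%2527a` are caught by the semantic and heuristic mechanisms but not by the signatures, which is the gap the slide's "encoded traffic" and "unknown attacks" bullets refer to.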

Page 16

Boasting Top-Notch WAF - WAPPLES

WAPPLES Unique Technology Enables the Following:

Higher Performance
• No additional system load from inputting new patterns. Generally, more than 3000 patterns lead to low system performance.
• No difference in performance between the test environment and the real operation environment.

Ease of Use and Less Maintenance
• Installation without (or with minimal) changes in server and network settings is possible.
• Extremely low management burden for the administrator.
• Low operation cost: no signature update service is needed, only a S/W version update service.

Visualizes Various Information
• Web Traffic, Hit Count, Detection Log summary
• Statistics for hour, day, week, month, and year
• Supports more than 22 visualized charts

Page 17

Boasting Top-Notch WAF - WAPPLES

WAPPLES Major Features

Provides User View using Docking Capability
• Relocation of each window
• Saves User View settings

Supports Quick Configuration
• Supports configuration by levels
• Simplifies complex settings

Page 18

Certifications and Patents

Korea National Intelligence Service CC Evaluation (EAL4)
• Registration No. NISS-2049-2010

PCI-DSS Certification
• Registration No. AK 50170345 0001

Patents
• United States: METHOD OF DETECTING A WEB APPLICATION ATTACK, U.S. Application No. 12/876,820
• China: METHOD OF DETECTING A WEB APPLICATION ATTACK, Chinese Patent Application for Invention No. 201010287262.2
• Japan: METHOD OF DETECTING A WEB APPLICATION ATTACK, Japanese Patent Application No. 2010-178803
• Republic of Korea: 2 patents are registered
  - METHOD FOR DETECTING A WEB APPLICATION ATTACK, 10-2010-0064363
  - METHOD FOR DETECTING A WEB ATTACK BASED ON A SECURITY RULE, 10-2009-0077410

Page 19

Boasting Top-Notch WAF - WAPPLES

| | WAPPLES-50 | WAPPLES-100 eco | WAPPLES-500 | WAPPLES-1000 type2 | WAPPLES-2000 | WAPPLES-5000 |
|---|---|---|---|---|---|---|
| Class | Value | Value | Performance | Performance | High-End | High-End |
| Capacity | | | | | | |
| Maximum Throughput | 100 Mbps | 300 Mbps | 500 Mbps | 2 Gbps | 4 Gbps | 6 Gbps |
| HTTP Transactions/sec | 3,000 | 9,000 | 15,000 | 30,000 | 50,000 | 70,000 |
| SSL Transactions/sec | 2,000 | 5,000 | 8,000 | 15,000 | 24,000 | 33,000 |
| Hardware | | | | | | |
| Form Factor | 1U | 1U | 1U | 2U | 2U | 2U |
| CPU | Intel Dual Core 2.5GHz | Intel Quad Core 2.66GHz | Intel Quad Core Xeon 2.66GHz | Intel Quad Core Xeon 2.33GHz x 2 | Intel Quad Core Xeon 2.66GHz x 2 | Intel Westmere 2.53GHz x 2 |
| Memory | 2 GB | 4 GB | 8 GB | 8 GB | 16 GB | 24 GB |
| HDD | 160GB | 500GB | 500GB | 500GB | 500GB | 1TB |
| Dimensions | 443mm/292mm/44.5mm | 443mm/292mm/44.5mm | 443mm/406mm/44.5mm | 443mm/512mm/88mm | 443mm/512mm/88mm | 431.8mm/580mm/88mm |
| Weight | 8Kg | 8Kg | 11Kg | 18.75Kg | 18.75Kg | 21Kg |
| Power Supply | AC100~240V 50/60Hz 200W | AC100~240V 50/60Hz 200W | AC100~240V 50/60Hz 300W | AC100~240V 50/60Hz 400W Redundant Power Supply | AC100~240V 50/60Hz 400W Redundant Power Supply | AC100~240V 50/60Hz 500W Redundant Power Supply |

NIC configurations listed across the lineup:
• 2 x 10/100/1000 BaseTX
• 4 x 10/100/1000 BaseTX Bypass
• 2 x 10/100/1000 BaseTX
• 8 x 10/100/1000 BaseTX Bypass
• 6 x 10/100/1000 BaseTX Bypass OR 2 x 1000 Base Optical Bypass
• 2 x 10/100/1000 BaseTX Bypass
• 8 x 10/100/1000 BaseTX Bypass
• 2 x 1000 Base SFP (Optional)
• 2 x 1000 Base Optical Bypass
• 2 x 10/100/1000 BaseTX
• 8 x 10/100/1000 BaseTX Bypass
• 4 x 1000 Base SFP (Optional)
• 2 x 1000 Base Optical Bypass
• 2 x 10/100/1000 BaseTX
• 8 x 10/100/1000 BaseTX Bypass
• 4 x 1000 Base SFP
• 2 x 1000 Base Optical Bypass (Optional)
• 4 x 1000 Base Optical Bypass
• 2 x 10G Base Optical Bypass

Page 20

Must-have Trend

Must-have Trend - Cloud Computing Security

Web-based cloud computing
• All businesses (services) based on cloud computing are provided via the web, whether in the form of IaaS, PaaS, or SaaS.
• The service that satisfies the essential characteristics of Cloud Computing is the web (according to the Visual Model of the NIST Working Definition).
• The web is the most appropriate and optimized interface for providing cloud computing services.

Cloud Computing Security is Web Application Security
• Since cloud computing is web-based, its security issues have much in common with web application security.

It's the Web!

Page 21

Must-have Trend

Cloud Computing Security Is A No. 1 Issue

Cloud computing issues: Security
• There are many issues related to newly-rising cloud computing: Performance, Availability, Integration, etc.
• Despite the existence of many issues, the security sector is the most important one.

[Bar chart: The challenges/issues ascribed to the 'cloud'/on-demand model - Security 74.6%, Performance 63.1%, Availability 63.1%, Hard to integrate with in-house IT 61.1%, Not enough ability to customize 55.8%]

Source: IDC Enterprise Panel, August 2008

Page 22

Must-have Trend

WAPPLES Meets the Demands

<2011 Virtual Appliance Lineup>

| | V50 | V500 | V1000 | V2000 | V4000 |
|---|---|---|---|---|---|
| CPU | 1 Core | 2 Cores | 4 Cores | 8 Cores | 16 Cores |
| Performance: CPS (Connections per Second) | 5,000 | 10,000 | 20,000 | 40,000 | 80,000 |

Minimum requirements per physical host
• Hypervisor: Citrix XenServer 5 (update 3 or higher); VMware ESX/ESXi 3.5 or higher
• Processor: Dual core server with Intel® VT-x
• Memory: 2 GB
• Hard drive: 20 GB
• Network Interface: Hypervisor supported network interface card

[Diagram: User -> Virtual appliance (WAF) -> Web service, within a Cloud Computing Environment]

Page 23

Thank you.

Penta Security Systems Inc.
Hanjin Shipping Bldg. 20F, Seoul, Korea
TEL: 82-2-780-7728 FAX: 82-2-786-5281
www.pentasecurity.com

Penta Security Systems K.K.
Ascend Akasaka 3F, 3-2-8 Akasaka, Tokyo, Japan (東京都浜田区赤坂3-2-8アセンド赤坂3階)
TEL: 81-3-5573-8191 FAX: 81-3-5573-8193