Web Application Firewall as-a-service Qualys GmbH September, 2013

QualysGuard InfoDay 2013 - Web Application Firewall


Page 1: QualysGuard InfoDay 2013 - Web Application Firewall

Web Application Firewall as-a-service

Qualys GmbH September, 2013

Page 2

Web Applications

• Are everywhere: webmail, CMS, CRM, corporate WWW, etc.
• HTTP is powering all new applications, using new data formats like XML and JSON
• Organisations publish data for B2B through APIs using HTTP with XML/JSON or SOAP
• Mobile applications usually connect to APIs or web applications using HTTP

Page 3

New security issues

• Network firewalls are useless here: they can't inspect the HTTP protocol
• Web applications can be developed in-house or provided by a software vendor, with closed or open source code
• Each web application is different, depending on the business logic, the development framework, and the data used and stored
• To secure web applications, a WAF (Web Application Firewall) must be deployed in addition to the network firewall

Page 4

Existing solutions

• From network security, application delivery and compliance vendors
  – Fortinet, SonicWall, DenyAll, Imperva
  – F5, Citrix NetScaler, Radware, BeeWare
  – ModSecurity
  Hard to maintain and operate: security, development and infrastructure teams are all involved, and policies are unique to each customer and not shared between customers

• SaaS vendors
  – CloudFlare, Incapsula
  – Art of Defense
  – Trend Micro
  – Akamai Kona
  Few-click deployment, no expertise needed, security is compiled from the knowledge of all protected websites, but traffic MUST be processed in the cloud

Page 5

Technical challenge

• Web application security policies are complex
  – Need to use regular expressions
  – Need to understand how the application works
• Today, WAFs are too complex to maintain and operate. Vendors are adding other features to make them a must-have product
• Qualys stays focused on WAF security features but dramatically reduces the TCO of this kind of protection by providing a distributed solution.

Page 6

Qualys alternative

• Qualys Distributed WAF
  – Security ruleset built from the feedback of all Qualys WAFs
  – Virtual appliance deployment: you keep managing your own traffic
• Available as
  – Amazon EC2 AMI (beta)
  – VMware image (beta)
  – GA planned for early December
  – HW WAF appliance under development for 2014
• Manage security events and rules from a single UI
• With Qualys WAF, you don't spend time managing rules; you can stay focused on managing security events

Page 7

http://www.qualys.com/waf

Qualys Web Application Firewall (WAF), beta available

Provides protection against known and emerging web application threats, and helps increase web site performance through caching, compression and content optimization, with no equipment needed.

Benefits
• Zero-footprint, low-cost deployment
• Ease of use, ease of maintenance
• Real-time attack prevention
• Virtual patching and application hardening

Page 8

Qualys Web Application Firewall, beta available

Page 9

Qualys security intelligence

• A team of dedicated security researchers computing rules for industry-standard web applications
• Blocking attacks according to the OWASP Top 10 and WASC TCv2
• Correlating security events on Qualys sensors all around the world
• Detecting and researching 0-days

Page 10

Qualys distributed WAF

Page 11

Security features

• Always up-to-date WAF
  – Qualys directly manages the security engine and ruleset; they are updated in less than 5 minutes when a security or maintenance fix is available
• Qualys Security Ruleset
  – Provided by the Qualys Security Researcher Team, this ruleset is the default security policy available on all WAFs. It blocks injection attacks such as command, SQL, JavaScript and file injection.
• Custom security rules
  – Provided by the customer or partner, these rules are adapted to the website's specific design and can be set up on any HTTP request field.
• Integration with QualysGuard WAS*
  – No need to set up your web applications twice in these security tools: they are provisioned automatically, and WAF deployment is made easy from what the Web Application Scanner found.
• HTTP security
  – The HTTP protocol can be implemented in different ways depending on the web server and the browser. To avoid attacks based on bad implementations, the Qualys WAF verifies that the protocol is used correctly.
• IP/country blacklist
  – Depending on your activity, you may not want requests from specific countries or IPs. The Qualys WAF can increase/decrease the request score, or block directly, depending on the source IP or country.
• Information leakage
  – By doing web cloaking, the Qualys WAF hides all critical information sent by the web server, application server or development framework used to build the web application
• Reporting
  – Build your own report containing the key indicators you need to speak with managers
• Session tracking
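The request-scoring and web-cloaking behaviour this slide describes (custom rules on HTTP request fields, score adjustment or outright block by source IP or country, stripping of leaky response headers), as an added example that is not Qualys code: the rules, weights, block threshold, the country code "XX", the IP range and the header names are all assumptions, and the sample requests in the test are constructed.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed policy (assumption, not the Qualys ruleset). Each custom rule
# scores exactly one HTTP request field, as the slide describes.
BLOCK_THRESHOLD = 10
CUSTOM_RULES = [
    ("path", re.compile(r"\.\./"), 5, "path traversal pattern"),
    ("query", re.compile(r"(?i)\bunion\b.*\bselect\b"), 10, "SQL keywords in query"),
    ("headers.User-Agent", re.compile(r"^$"), 3, "empty User-Agent"),
]
COUNTRY_SCORE = {"XX": 4}                        # per-country score adjustment (constructed)
IP_BLOCKLIST = [ip_network("198.51.100.0/24")]   # documentation range, constructed
# Response headers a cloaking WAF strips to hide server/framework details.
CLOAKED_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}


def field(request, name):
    """'headers.<Name>' addresses a request header; other names are top-level fields."""
    if name.startswith("headers."):
        return request.get("headers", {}).get(name[len("headers."):], "")
    return request.get(name, "")


def score_request(request):
    """Return (score, reasons, action) for one request dict."""
    score, reasons = 0, []
    src = ip_address(request["src_ip"])
    # Source-IP blocklist: block directly, regardless of score.
    if any(src in net for net in IP_BLOCKLIST):
        return score, ["source IP blocklisted"], "block"
    # Country policy: raise (or lower, with a negative weight) the request score.
    country = request.get("country", "")
    if country in COUNTRY_SCORE:
        score += COUNTRY_SCORE[country]
        reasons.append(f"country {country}")
    # Custom rules: each one inspects a single request field.
    for name, pattern, points, why in CUSTOM_RULES:
        if pattern.search(field(request, name)):
            score += points
            reasons.append(why)
    action = "block" if score >= BLOCK_THRESHOLD else "allow"
    return score, reasons, action


def cloak_response(headers):
    """Web cloaking: drop headers that leak server/framework versions."""
    return {k: v for k, v in headers.items() if k.lower() not in CLOAKED_HEADERS}
```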

Page 12

Deployment

• Virtual appliance available
  – On EC2, as an AMI you can instantiate
  – On VMware vCenter, as an image you can run
• Modes of operation
  – Reverse proxy: terminates the TCP connection
  – Out-of-band*: sniffs traffic (passive device)
• Available as open source
  – IronBee project

Page 13

Qualys advantage

• Always up to date & always at maximum efficiency
  – Get the latest security rules and engine on your WAF
• Prevention with WAS and protection with WAF, available in the same UI and security suite
• Available as a subscription (pay per year): OPEX vs CAPEX
• All the SaaS advantages on a virtual appliance product

Page 14

Release schedule 2013

• August 1st: Amazon EC2 Beta 1, limited to the first 10 subscribers
• September 1st: VMware Beta 1, limited to the first 10 subscribers
• October 1st: Amazon EC2 Beta 2, limited to the first 100 subscribers
• November 1st: VMware Beta 2, limited to the first 100 subscribers
• December 1st: WAF GA*, VMware & EC2

*: can be delayed until we reach 100% quality and availability

Page 15

Next releases

• Advanced reporting
• SSL support
• Integration between WAF and WAS
• Qualys WAF Microsoft Edition for Exchange and SharePoint