Web Application Firewall (WAF)

Download Report

Transcript Web Application Firewall (WAF)

Web Application Firewall (WAF)

RSA ® Conference 2013

The Cybercrime Landscape in 2013

Attacks have become more sophisticated...

…industry agnostic...

Source: hackmageddon.com/

©2013 AKAMAI | FASTER FORWARD

TM

…and easier to carry out

Moving From Network to Application Layer

Application Layer (Layer 7) Network Layer (Layers 3/4)

Where increasing number of attacks are focused Target of Traditional DDoS Attacks

©2013 AKAMAI | FASTER FORWARD

TM

Web Application Firewall Highlights

• • • • • • • • • Operates at the network edge – over 100,000 servers Inspects requests and responses for malicious content and info leakage Inspects packets to protect against attacks such as SQL Injections & Cross-Site Scripts Configurable to log or block activities against policy Protects organizations against application layer attacks propagated via HTTP and HTTPS Enables compliance with PCI DSS 1.2 section 6.6

Provides advanced rate controls (behavioral based protections) Propagates quickly (~30 minutes) Configured via portal

©2013 AKAMAI | FASTER FORWARD

TM

Kona Security Solutions 2.0

ModSecurity Rule Update

• • Core Rule Set 2.2.6

Legacy CRS support •

Akamai Common Rules

• • Based on Akamai’s unique view 20 – 25% of internet traffic •

Advanced Rate Controls

• Session-ID; Client-IP+User-Agent •

Rule Upgrade Wizard

©2013 AKAMAI | FASTER FORWARD

TM

©2013 AKAMAI | FASTER FORWARD

TM

Appendix & Details

©2013 AKAMAI | FASTER FORWARD

TM

Akamai Intelligent Platform™

Deflecting Network Layer Attacks at the Edge

  Network Layer attack mitigation Built in protection is “always on” Only Port 80 (HTTP) or Port 443 (HTTPS) traffic allowed on Platform o • • All other traffic dropped at the Akamai Edge Attack traffic never makes it onto Platform Customer not charged for traffic dropped at Edge o Absorbs attack requests without requiring identification o Requires CNAME onto Akamai Intelligent Platform       Examples of attacks types dropped at Akamai Edge UDP Fragments ICMP Floods SYN Floods ACK Floods RESET Floods UDP Floods Absorbs attacks through massive scale   ~5.5 Tbps average throughput; up to 8Tbps Distribution of HTTP request traffic across 100,000+ servers; 1,100+ networks  No re-routing, added latency, or point of failure

©2013 AKAMAI | FASTER FORWARD

TM

Custom Rules

Web Application Firewall

Description

 WAF Custom Rules implemented in Akamai metadata written by Akamai Professional Services  Rules are created and managed in customer portal  Rules are then associated with firewall policies and deployed with WAF in 45 minutes

The Result

 New rule logic can be built to handle specific use cases for the customer  Rules can be built that execute when one or more baseline rules or rate control rules match  Output of application vulnerability products can be implemented as “virtual patches”  Advanced piping to user validation actions can be achieved (prioritization)

©2013 AKAMAI | FASTER FORWARD

TM

Custom Rules

Web Application Firewall

Description

 WAF Custom Rules implemented in Akamai metadata written by Akamai Professional Services  Rules are created and managed in customer portal  Rules are then associated with firewall policies and deployed with WAF in 45 minutes

The Result

 New rule logic can be built to handle specific use cases for the customer  Rules can be built that execute when one or more baseline rules or rate control rules match  Output of application vulnerability products can be implemented as “virtual patches”  Advanced piping to user validation actions can be achieved (prioritization)

©2013 AKAMAI | FASTER FORWARD

TM

Adaptive Rate Controls

Malicious Behavior Detection

 Specify number of requests per second against a given URL o • Controls requests based on behavior pattern – not request structure Use client IP address, session ID, cookies, etc.

 Configure rate categories to control request rates against digital properties • Mitigate rate-based DDoS attacks  Statistics collected for 3 request phases o Client Request – Client to Akamai Server o Forward Request – Akamai Server to Origin o Forward Response – Origin to Akamai Server  Statistics collected allow us to ignore large proxies and pick out a malicious user hiding behind a proxy  Statistics collected allow for detection of pathological behavior by a client o Request rate is excessive for any stage o Requests causing too many Origin errors

©2013 AKAMAI | FASTER FORWARD

TM

Adaptive Rate Controls

Malicious Behavior Detection

 Specify number of requests per second against a given URL o • Controls requests based on behavior pattern – not request structure Use client IP address, session ID, cookies, etc.

 Configure rate categories to control request rates against digital properties • Mitigate rate-based DDoS attacks  Statistics collected for 3 request phases o Client Request – Client to Akamai Server o Forward Request – Akamai Server to Origin o Forward Response – Origin to Akamai Server  Statistics collected allow us to ignore large proxies and pick out a malicious user hiding behind a proxy  Statistics collected allow for detection of pathological behavior by a client o Request rate is excessive for any stage o Requests causing too many Origin errors

©2013 AKAMAI | FASTER FORWARD

TM

Security Monitor (1 of 3)

Visual Display of Requests by Geography Requests by WAF Message Timeline of Requests by Hour Requests by WAF Rule ID Requests by WAF Tag

©2013 AKAMAI | FASTER FORWARD

TM

Security Monitor (2 of 3)

Multiple ways to display request statistics

©2013 AKAMAI | FASTER FORWARD

TM

Security Monitor (3 of 3)

Requests by Client IP address

©2013 AKAMAI | FASTER FORWARD

TM

Requests by City ARLs being attacked

©2013 AKAMAI | FASTER FORWARD

TM