DenyAll Protect. accelerating. Web Application & Services Firewalls. your applications. DenyAll Protect

Transcription

1 DenyAll Protect DenyAll Protect Web Application & Services Firewalls Securing Sécuring & accelerating your applications Corporate or ecommerce website, , collaborative tools, enterprise application portals, web services and database servers: your applications are central components of your information system, and hackers favorite targets. Deployed in your DMZ, behind your network firewall, DenyAll Protect s web application/services firewalls block application-layer attacks targeting your IT infrastructure. The result of 15 years of innovation, they combine advanced functions to effectively protect you, even against zero-day and the most advanced application-layer attacks. With DenyAll Protect, you can reduce the risk of vandalism, denial of service, intrusion and theft, and minimize their impact on the revenue and reputation of your organization. DenyAll sproxy The plug&protect web application firewall DenyAll rxml The best-of-breed web services firewall DenyAll rweb The next generation web application and services firewall DenyAll rweb + Client Shield The end-to-end application security solution Main benefits Immediate protection, without complex configuration, against known and unknown application-layer attacks (injections, cross-site scripting, etc), Possibility of implementing a more restrictive security policy adapted to the specific needs of your enterprise, Ability to effectively filter Web 2.0 languages and protocols, Unrivaled Web Services security, with no impact on application architecture, Application acceleration with a view to optimizing user experience, Continuity of service thanks to load balancing and high availability mechanisms, Central configuration and monitoring via the DenyAll management console, Compliance with PCI DSS (for ecommerce sites).

2 DenyAll Protect : A WAF complements a network firewall Network firewalls usually authorize incoming Web traffic They cannot guarantee the safety of the data within those connection requests however. A WAF ensures that incoming http/https requests don t contain attacks, such as injections or cross-site scripting. DenyAll sproxy 4.1 : the Plug&Protect Web Application Firewall In a Web 2.0 world, a Web Application Firewall is a vital control for securing your informational assets. Deployed effortlessly at the front end of your servers (Webmail, portal, ERP, etc), a WAF protects your IT against modern, application-layer attacks (SQL injection, cross-site scripting, etc.), and accelerates user access. Whatever the size of your organization, or its activity, you need at least sproxy to tackle vandalism, denial of service attacks, data theft and industrial espionage threats. Quick setup Deploying sproxy only requires a few clicks, thanks to an optimized graphical user interface, No DNS changes required, the Secure Transparent Mode eases deployment while taking advantage of reverse proxy security, Predefined security, acceleration and authentication policies available for common applications (Outlook Web Access, SharePoint, inotes, SAP, etc.), No initial learning phase: immediate protection with no special configuration. Protection against unknown attacks The scoring list is a unique technology, designed to stop tomorrow s attacks. - Unique method for detecting unpublished («0-day») attacks. - No parametering, learning or updating. - Content-agnostic analysis (Ajax, JSON, Javascript, etc.).

3 DenyAll Protect : a proven platform The DenyAll Protect products are all based on a modular, proven platform, resulting from 15 years of application security innovation for demanding customers. Reverse Proxy Reverse Proxy Reverse Proxy High Availability Application Acceleration Standard Web App Security Advanced Web App Security XML Security User Security Distributivity Caching Deep Inspection White List Model Validation Client Certificates Active-Passive Compression Transformation Stateful XML Validation User Authentification Active-Passive TCP Multiplexing Black List User Behavior Tracking Transformation SSO Integration SSL Offloading Scoring List Adv. Detection Engines Black List Cookie Tracking Server Load-Balancing ICAP Support Virtual Patching Stateful Command Injection Engine Client Shield SOAP Attachments JSON security ACL Functions common to all products REVERSE PROXY Analysis of http/https requests to only transmit to your servers those that are non-malicious. The protocol break makes it possible to block attacks that target the vulnerabilities of your internal servers, hides them from the outside. The Secure Transparent Mode eases deployment (no modification of internal IP addresses) without compromising security (integral reverse proxy). STANDARD WEB SECURITY In-depth inspection: canonization (normalization of transferred data), anti-evasion and anomaly detection techniques. Transformation of the content of requests to evade attacks based on URL malformation and header spoofing, and to prevent data theft. Blacklist : over a 1000 filters protect against the various types of known application attacks (cross-site scripting, SQL injection, etc.). The list is updated monthly by the DenyAll Research Center (DARC). Scoring list : determines the potential hazardousness of incoming connections by analyzing the content of requests and applying a weighting system. Protects against unknown (0-day) attacks. The JSON security engine enables efficient filtering of this data structure by all http security engines. The dynamic command injection engine blocks attacks and minimizes false positives. USER SECURITY User authentication via SSLv3 certificates APPLICATIONS ACCELERATION Caching of the most frequently requested pages On the fly compression of data Multiplexing of incoming connections (HTTP/1.1 tunnels) Termination of SSL tunnels Server Load Balancing: balancing of incoming traffic between the servers on your network HIGH AVAILABILITY Clusters, in which several WAFs work together, in active-passive mode or active-active mode, ensure redundancy for your application security. Capacity to increase the load of your applications using the active-active mode automatic synchronization mechanism, configured in just a few minutes. UPGRADABILITY Your application security controls evolve with your business needs. A simple license key is all you need to upgrade from sproxy to rxml (adding Web Services security), or to rweb (and its Advanced Web Application Security), or to enable rweb to also protect Web Services: Web Services Security : - Validation of XML templates - Specific filters for attacks that target Web Services - Protection of UDDI servers, etc. Advanced Web Application Security: - Whitelist (positive security model), - User behavioral tracking, - HTTP session protection (stateful) - Advanced Detection Engines - Optional browser security module (Client Shield)

4 DenyAll rxml 4.1 : best-in-class Web Services Firewall In service-oriented architectures (SOA), application and data security is provided by rxml, which provides effective protection against application-layer attacks on your Web Services, without changing the architecture. It secures XML/SOAP transactions between internal and external components of your applications, avoiding denials of service and data theft. Main benefits Securing existing Web Services with no impact on application architecture. High level of protection against current application-layer attacks and attacks specifically targeting Web Services. No learning phase: your Web Services are protected in just a few clicks. Transparent deployment - rxml is not a Web Service actor, - No modification to the configuration of the components required, - No modification to the encryption or signature key exchange architecture. Unrivaled XML/SOAP security - Black list: filters for Web applications and Web Services - Unique protection against blind xpath injections - Validation of WSDL templates reinforced by a positive/negative security mechanism - Protection of UDDI servers through command analysis - Simple alternative to XML Signature without modifying the Web Service operating mode Example of Web Services Functions specific to DenyAll rxml Template validation: the data transmitted by Web Services are verified and made to conform to XML templates (WSDL, XSD and DTD). Additional rules can be specified to strengthen these templates. XML validation and transformation: to avoid data loss, error messages are deleted, sensitive data are replaced and complexity is verified (maximum size of a document or maximum tree depth) Black list: specific signatures (xpath and XML injections, DoS, etc) combined with generic http filters offer an excellent level of security against attacks that target Web Services. Stateful: monitoring XML elements makes it possible to avoid data alteration, whether involuntarily by a user or by an attacker during transmission SOAP attachments: these can be authorized or not, a maximum size can be set, text attachments are analyzed by the XML black list and the generic HTTP filter, and by a third-party anti-virus program via the ICAP protocol. Access control lists: - Granular control of access to the functions of the various Web Services (by URL and function, by source IP address) - Limitation of UDDI access to registry services, based on the source IP address or the accessed functions

5 DenyAll Protect DenyAll rweb 4.1 : the Next Generation WAF Modern web applications and web services take advantage of new languages and protocols (JSON, AJAX, REST, SOAP, HTML5, etc), in order to deliver a richer user experience. Attacks evolve too, and strive to take advantage of the vulnerabilities found in complex architectures. A new generation of security controls is required to prevent attacks in such a context. DenyAll rweb builds on a proven platform to deliver numerous security innovations, capable of identifying the nature of the requests and of blocking attacks and evasion techniques. The most comprehensive member of the Protect line, DenyAll rweb, includes all the features of DenyAll sproxy and, optionally, the full XML/SOAP Security features of DenyAll rxml. Functions specific to DenyAll rweb Advanced Web Application Security Whitelist : identification of the exact characteristics of data transmitted to Web applications. Three deployment methods ensure rapid activation and protection with no false positives. Stateful : monitoring, signature and encryption of the data associated with HTTP sessions in order to prevent identity spoofing. User Behavior Tracking : the behavioral analysis engine identifies and blocks attacks based on legitimate requests but with a malicious purpose, without disrupting legitimate traffic: denial of service attacks, brute force, password cracking, etc. Advanced Detection Engines: they protect your applications against base64 encrypted attacks, advanced path traversals, http parameter pollution, http request splitting, html tags and attributes, SQL injection grammar and scripting language detection, arithmetic calculations. «End to end» Application Security The browser is the notable weak point in a Web application chain, because it can run on a compromised device. In addition to filtering the server side, rweb can also deliver Client Shield, an optional module which controls the safe execution of browsers connecting to rweb, step-by-step. It blocks malware attempting to leverage an authenticated connection to access the back-end application and steal your data. Client Shield is available by default for Outlook Web Access. It can be configured to protect any browser-based application. The Shield technology, designed by our partner Promon, is also able to secure browser and mobile applications running on ios and Androïd devices. User Security To incorporate the user dimension of server connections, rweb can delegate the authentication process to third-party components such as LDAP or ActiveDirectory servers, CA SiteMinder (SSO), SecurID (strong authentication) or Radius. Integration with DenyAll Detect products rweb can digest Detect vulnerability scan reports and offer ad hoc options for virtually patching the found vulnerabilities. Eventually, this integration will automate the discovery of unprotected applications and deployment of the appropriate security policy. Example of virtual patching with DenyAll Detect

6 DenyAll Protect High Availability & Scalability v v v v Application Acceleration v v v v Manageability (via DAMC) v v v v Standard Web Application Security v v v v XML/SOAP security v v* v* Advanced Web Application Security v v User Security Basic v v Browser Security * Optional Competitive advantages Positive and negative security functions combined for maximum security Blacklist (known attacks). Whitelist, http session protection. Unique Security Features : Advanced Detection Engines are new modules designed to effectively filter new languages and protocols (JSON, HTML5, etc) and deal with the obfuscation and evasion techniques used by hackers. The Scoring list protects your infrastructure against unknown (zero day) application-layer attacks. The User Behavior Tracking function stops automated attacks (denial of service, password cracking, site downloading, etc). The Client Shield option controls the safe execution of browsers connecting to your applications, preventing man-in-the-browser malware from hijacking the session. Integration with the DenyAll Detect products Detect scan reports imported into rweb offer options for virtually patching the found vulnerabilities that match your goals (maximizing security, optimizing performance, reducing false positives) Eventually, this integration will automate the discovery of unprotected applications and deployment of the appropriate security policy. Easy and secure deployment The Secure Transparent Mode provides easy deployment without compromising security (reverse proxy). In pooling mode, no connection is initiated from the DMZ, the LAN queries the DMZ. Form factor choice DenyAll Protect web application/services firewalls are available as virtual appliances, physical appliances or Linux-based software. v Detect Protect Manage DenyAll is an innovative leader in application security. We help organizations identify IT vulnerabilities in their infrastructure, secure and accelerate their Web applications & services. Our reverse-proxy based firewalls protect transactional sites, Web-enabled, SOA and cloud-based applications against known and unknown attacks. Headquartered in France, we sell through partners in Europe, Africa, the Middle East, Asia and Latin America. NEXTSTEP CONSEIL 04/ ter avenue Edouard Vaillant Boulogne-Billancourt FRANCE