DenyAll Protect: Web Application & Services Firewalls. Securing & accelerating your applications


Corporate or ecommerce website, email, collaborative tools, enterprise application portals, web services and database servers: your applications are central components of your information system, and hackers' favorite targets. Deployed in your DMZ, behind your network firewall, DenyAll Protect's web application/services firewalls block application-layer attacks targeting your IT infrastructure. The result of 15 years of innovation, they combine advanced functions to effectively protect you, even against zero-day and the most advanced application-layer attacks. With DenyAll Protect, you can reduce the risk of vandalism, denial of service, intrusion and theft, and minimize their impact on the revenue and reputation of your organization.

Product line:
- DenyAll sproxy: the plug&protect web application firewall
- DenyAll rxml: the best-of-breed web services firewall
- DenyAll rweb: the next generation web application and services firewall
- DenyAll rweb + Client Shield: the end-to-end application security solution

Main benefits:
- Immediate protection, without complex configuration, against known and unknown application-layer attacks (injections, cross-site scripting, etc.)
- Possibility of implementing a more restrictive security policy adapted to the specific needs of your enterprise
- Ability to effectively filter Web 2.0 languages and protocols
- Unrivaled Web Services security, with no impact on application architecture
- Application acceleration with a view to optimizing user experience
- Continuity of service thanks to load balancing and high availability mechanisms
- Central configuration and monitoring via the DenyAll management console
- Compliance with PCI DSS (for ecommerce sites)

www.denyall.com

DenyAll Protect: a WAF complements a network firewall
Network firewalls usually authorize incoming Web traffic. They cannot, however, guarantee the safety of the data within those connection requests. A WAF ensures that incoming http/https requests don't contain attacks, such as injections or cross-site scripting.

DenyAll sproxy 4.1: the Plug&Protect Web Application Firewall
In a Web 2.0 world, a Web Application Firewall is a vital control for securing your informational assets. Deployed effortlessly at the front end of your servers (Webmail, portal, ERP, etc.), a WAF protects your IT against modern, application-layer attacks (SQL injection, cross-site scripting, etc.), and accelerates user access. Whatever the size of your organization, or its activity, you need at least sproxy to tackle vandalism, denial of service attacks, data theft and industrial espionage threats.

Quick setup:
- Deploying sproxy only requires a few clicks, thanks to an optimized graphical user interface
- No DNS changes required: the Secure Transparent Mode eases deployment while taking advantage of reverse proxy security
- Predefined security, acceleration and authentication policies available for common applications (Outlook Web Access, SharePoint, iNotes, SAP, etc.)
- No initial learning phase: immediate protection with no special configuration

Protection against unknown attacks:
The scoring list is a unique technology, designed to stop tomorrow's attacks.
- Unique method for detecting unpublished ("0-day") attacks
- No parameterization, learning or updating
- Content-agnostic analysis (Ajax, JSON, JavaScript, etc.)

DenyAll Protect: a proven platform
The DenyAll Protect products are all based on a modular, proven platform, resulting from 15 years of application security innovation for demanding customers.

Platform capability groups (from the platform diagram):
- Reverse Proxy (common to all products)
- High Availability: Distributivity, Active-Passive, Active-Active
- Application Acceleration: Caching, Compression, TCP Multiplexing, SSL Offloading, Server Load-Balancing
- Standard Web App Security: Deep Inspection, Transformation, Black List, Scoring List, ICAP Support, Command Injection Engine, JSON security
- Advanced Web App Security: White List, Stateful, User Behavior Tracking, Adv. Detection Engines, Virtual Patching, Client Shield
- XML Security: Model Validation, XML Validation, Transformation, Black List, Stateful, SOAP Attachments, ACL
- User Security: Client Certificates, User Authentication, SSO Integration, Cookie Tracking

Functions common to all products

REVERSE PROXY
Analysis of http/https requests so that only those that are non-malicious are transmitted to your servers. The protocol break makes it possible to block attacks that target the vulnerabilities of your internal servers, and hides those servers from the outside. The Secure Transparent Mode eases deployment (no modification of internal IP addresses) without compromising security (full reverse proxy).

STANDARD WEB SECURITY
- In-depth inspection: canonicalization (normalization of transferred data), anti-evasion and anomaly detection techniques.
- Transformation of the content of requests to thwart attacks based on URL malformation and header spoofing, and to prevent data theft.
- Blacklist: over 1,000 filters protect against the various types of known application attacks (cross-site scripting, SQL injection, etc.). The list is updated monthly by the DenyAll Research Center (DARC).
- Scoring list: determines the potential hazardousness of incoming connections by analyzing the content of requests and applying a weighting system. Protects against unknown (0-day) attacks.
- The JSON security engine enables efficient filtering of this data structure by all http security engines.
- The dynamic command injection engine blocks attacks and minimizes false positives.

USER SECURITY
- User authentication via SSLv3 certificates

APPLICATION ACCELERATION
- Caching of the most frequently requested pages
- On-the-fly compression of data
- Multiplexing of incoming connections (HTTP/1.1 tunnels)
- Termination of SSL tunnels
- Server Load Balancing: balancing of incoming traffic between the servers on your network

HIGH AVAILABILITY
Clusters, in which several WAFs work together in active-passive or active-active mode, ensure redundancy for your application security. Capacity to increase the load of your applications using the active-active mode automatic synchronization mechanism, configured in just a few minutes.

UPGRADABILITY
Your application security controls evolve with your business needs. A simple license key is all you need to upgrade from sproxy to rxml (adding Web Services security), or to rweb (and its Advanced Web Application Security), or to enable rweb to also protect Web Services:

Web Services Security:
- Validation of XML templates
- Specific filters for attacks that target Web Services
- Protection of UDDI servers, etc.

Advanced Web Application Security:
- Whitelist (positive security model)
- User behavioral tracking
- HTTP session protection (stateful)
- Advanced Detection Engines
- Optional browser security module (Client Shield)

DenyAll rxml 4.1: best-in-class Web Services Firewall
In service-oriented architectures (SOA), application and data security is provided by rxml, which delivers effective protection against application-layer attacks on your Web Services, without changing the architecture. It secures XML/SOAP transactions between internal and external components of your applications, avoiding denials of service and data theft.

Main benefits:
- Securing existing Web Services with no impact on application architecture
- High level of protection against current application-layer attacks and attacks specifically targeting Web Services
- No learning phase: your Web Services are protected in just a few clicks

Transparent deployment:
- rxml is not a Web Service actor
- No modification to the configuration of the components required
- No modification to the encryption or signature key exchange architecture

Unrivaled XML/SOAP security:
- Black list: filters for Web applications and Web Services
- Unique protection against blind XPath injections
- Validation of WSDL templates reinforced by a positive/negative security mechanism
- Protection of UDDI servers through command analysis
- Simple alternative to XML Signature without modifying the Web Service operating mode

[Figure: Example of Web Services]

Functions specific to DenyAll rxml
- Template validation: the data transmitted by Web Services are verified and made to conform to XML templates (WSDL, XSD and DTD). Additional rules can be specified to strengthen these templates.
- XML validation and transformation: to avoid data loss, error messages are deleted, sensitive data are replaced and complexity is verified (maximum size of a document or maximum tree depth).
- Black list: specific signatures (XPath and XML injections, DoS, etc.) combined with generic http filters offer an excellent level of security against attacks that target Web Services.
- Stateful: monitoring XML elements makes it possible to avoid data alteration, whether involuntary by a user or by an attacker during transmission.
- SOAP attachments: these can be authorized or not, a maximum size can be set, and text attachments are analyzed by the XML black list, by the generic HTTP filter, and by a third-party anti-virus program via the ICAP protocol.
- Access control lists:
  - Granular control of access to the functions of the various Web Services (by URL and function, by source IP address)
  - Limitation of UDDI access to registry services, based on the source IP address or the accessed functions
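The complexity checks listed under "XML validation and transformation" (maximum document size, maximum tree depth) can be illustrated with a small gate of the kind a web services firewall applies before a request reaches the back end. This is an added example and not DenyAll code; the limits, the `check_xml_complexity` function and the constructed SOAP-like sample documents are assumptions for the illustration.

```python
"""Added illustration (not DenyAll code): the XML complexity limits the rxml
section describes, maximum document size and maximum tree depth, enforced
with a streaming parser so the check itself cannot be exhausted."""
import xml.etree.ElementTree as ET
from io import BytesIO

MAX_BYTES = 4096  # constructed limit for the example
MAX_DEPTH = 8     # constructed limit for the example


class XmlPolicyViolation(Exception):
    """Raised when a document breaks one of the configured limits."""


def check_xml_complexity(data: bytes, max_bytes: int = MAX_BYTES,
                         max_depth: int = MAX_DEPTH) -> dict:
    """Check size and nesting depth of an XML document before it is handed
    to the back-end service.  Returns a short report on success and raises
    XmlPolicyViolation otherwise."""
    if len(data) > max_bytes:
        raise XmlPolicyViolation(
            f"document size {len(data)} exceeds {max_bytes} bytes")
    # A DOCTYPE is refused outright: inline entity definitions are how a
    # small document is made to expand into a huge one during parsing.
    if b"<!DOCTYPE" in data:
        raise XmlPolicyViolation("DOCTYPE declarations are not accepted")
    depth = max_seen = elements = 0
    try:
        # Streaming parse: depth is tracked element by element, so an
        # over-deep document is rejected as soon as the limit is crossed
        # rather than after the whole tree has been built in memory.
        for event, _ in ET.iterparse(BytesIO(data), events=("start", "end")):
            if event == "start":
                depth += 1
                elements += 1
                if depth > max_depth:
                    raise XmlPolicyViolation(f"tree depth exceeds {max_depth}")
                max_seen = max(max_seen, depth)
            else:
                depth -= 1
    except ET.ParseError as exc:
        raise XmlPolicyViolation(f"malformed XML: {exc}") from exc
    return {"bytes": len(data), "max_depth": max_seen, "elements": elements}


def is_accepted(data: bytes) -> bool:
    """True if the document passes every limit, False if any check fails."""
    try:
        check_xml_complexity(data)
        return True
    except XmlPolicyViolation:
        return False


def nested_document(levels: int) -> bytes:
    """Constructed SOAP-like body nested `levels` deep, used as sample input."""
    body = "<x>" * levels + "payload" + "</x>" * levels
    return f"<Envelope><Body>{body}</Body></Envelope>".encode()


if __name__ == "__main__":
    print(check_xml_complexity(nested_document(3)))   # max_depth 5, 5 elements
    print(is_accepted(nested_document(10)))           # False: too deep
```

Malformed documents are rejected as well, since a parse error is treated like a policy violation rather than being passed through to the service.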

DenyAll rweb 4.1: the Next Generation WAF
Modern web applications and web services take advantage of new languages and protocols (JSON, AJAX, REST, SOAP, HTML5, etc.) in order to deliver a richer user experience. Attacks evolve too, and strive to take advantage of the vulnerabilities found in complex architectures. A new generation of security controls is required to prevent attacks in such a context. DenyAll rweb builds on a proven platform to deliver numerous security innovations, capable of identifying the nature of the requests and of blocking attacks and evasion techniques. The most comprehensive member of the Protect line, DenyAll rweb includes all the features of DenyAll sproxy and, optionally, the full XML/SOAP Security features of DenyAll rxml.

Functions specific to DenyAll rweb

Advanced Web Application Security
- Whitelist: identification of the exact characteristics of data transmitted to Web applications. Three deployment methods ensure rapid activation and protection with no false positives.
- Stateful: monitoring, signature and encryption of the data associated with HTTP sessions in order to prevent identity spoofing.
- User Behavior Tracking: the behavioral analysis engine identifies and blocks attacks based on legitimate requests but with a malicious purpose, without disrupting legitimate traffic: denial of service attacks, brute force, password cracking, etc.
- Advanced Detection Engines: they protect your applications against base64-encoded attacks, advanced path traversals, http parameter pollution, http request splitting, html tags and attributes, SQL injection grammar and scripting language detection, and arithmetic calculations.

"End-to-end" Application Security
The browser is the notable weak point in a Web application chain, because it can run on a compromised device. In addition to filtering on the server side, rweb can also deliver Client Shield, an optional module which controls the safe execution of browsers connecting to rweb, step by step. It blocks malware attempting to leverage an authenticated connection to access the back-end application and steal your data. Client Shield is available by default for Outlook Web Access. It can be configured to protect any browser-based application. The Shield technology, designed by our partner Promon, is also able to secure browser and mobile applications running on iOS and Android devices.

User Security
To incorporate the user dimension of server connections, rweb can delegate the authentication process to third-party components such as LDAP or Active Directory servers, CA SiteMinder (SSO), SecurID (strong authentication) or RADIUS.

Integration with DenyAll Detect products
rweb can digest Detect vulnerability scan reports and offer ad hoc options for virtually patching the found vulnerabilities. Eventually, this integration will automate the discovery of unprotected applications and the deployment of the appropriate security policy.

[Figure: Example of virtual patching with DenyAll Detect]

Product comparison (* = optional):

Feature                           | sproxy | rxml  | rweb | rweb + Client Shield
High Availability & Scalability   | v      | v     | v    | v
Application Acceleration          | v      | v     | v    | v
Manageability (via DAMC)          | v      | v     | v    | v
Standard Web Application Security | v      | v     | v    | v
XML/SOAP security                 |        | v     | v*   | v*
Advanced Web Application Security |        |       | v    | v
User Security                     | Basic  | Basic | v    | v
Browser Security                  |        |       |      | v

Competitive advantages

Positive and negative security functions combined for maximum security:
- Blacklist (known attacks)
- Whitelist, http session protection

Unique Security Features:
- Advanced Detection Engines are new modules designed to effectively filter new languages and protocols (JSON, HTML5, etc.) and deal with the obfuscation and evasion techniques used by hackers.
- The Scoring list protects your infrastructure against unknown (zero-day) application-layer attacks.
- The User Behavior Tracking function stops automated attacks (denial of service, password cracking, site downloading, etc.).
- The Client Shield option controls the safe execution of browsers connecting to your applications, preventing man-in-the-browser malware from hijacking the session.

Integration with the DenyAll Detect products:
Detect scan reports imported into rweb offer options for virtually patching the found vulnerabilities that match your goals (maximizing security, optimizing performance, reducing false positives). Eventually, this integration will automate the discovery of unprotected applications and the deployment of the appropriate security policy.

Easy and secure deployment:
The Secure Transparent Mode provides easy deployment without compromising security (reverse proxy). In pooling mode, no connection is initiated from the DMZ: the LAN queries the DMZ.

Form factor choice:
DenyAll Protect web application/services firewalls are available as virtual appliances, physical appliances or Linux-based software.

DenyAll is an innovative leader in application security. We help organizations identify IT vulnerabilities in their infrastructure, and secure and accelerate their Web applications & services. Our reverse-proxy based firewalls protect transactional sites, Web-enabled, SOA and cloud-based applications against known and unknown attacks. Headquartered in France, we sell through partners in Europe, Africa, the Middle East, Asia and Latin America.

NEXTSTEP CONSEIL 04/2013. 63ter avenue Edouard Vaillant, 92100 Boulogne-Billancourt, FRANCE. +33 1 46 20 96 00