WAPPLES Introduction & the Future
March, 2011
Penta Security Systems Inc.

Table of Contents
Why a Web Application Firewall?
  - Risk on the rise
  - Targets of web attacks
  - Why should we care about web application attacks?
What Is a Web Application Firewall?
  - WAF is for What?
  - FW, IDS/IPS, and WAF enabled list
Boasting Top-notch WAF - WAPPLES
  - Intelligent Web Application Firewall - WAPPLES
  - Key Differences
  - WAPPLES logical analytic detection engine
  - WAPPLES Major Features
Must-have Trend
  - Cloud Computing Security

Why a Web Application Firewall?
Risk on the rise!
- Expansion of web applications
  - B2B, B2C, G2C, etc.
  - Used for internal tasks as well as external services
- Rapid growth of web vulnerabilities
  - 53% of all vulnerabilities disclosed in 2008 were related to web applications [1]
  - Only 26% of known vulnerabilities were patched by the end of 2008 [2]
- Web applications are the #1 focus of hackers:
  - One new infected webpage is discovered every 4.5 seconds [2]
  - SQL Injections are the #1 reported vulnerability [3]
Chart (shares by category): SQL Injection, 30%; Unknown, 29%; Cross Site Scripting (XSS), 8%; CSRF, 3%; Others, 30%
[1] IBM Internet Security Systems in 2008 X-Force Trend & Risk Report
[2] Sophos, Security threat report: 2009 - Prepare for this year's new threats
[3] WASC: The Web Hacking Incidents Database

Why a Web Application Firewall?
Targets of web attacks
Diagram labels (Request / Response path to the web application):
- Injection Flaws
- Command execution by query
- Sniffing
- SSL redirection
- Web Server S/W Vulnerabilities
- Cross Site Scripting (XSS)
- Active Contents Execution
- Authentication / Authorization
- Site Structure
- Input Validation
- Attack on Application Logic

Why a Web Application Firewall?
Why should we care about web application attacks?
Security Spending

| Target | % of Attacks | % of Dollars |
| --- | --- | --- |
| Web Applications | 75% | 10% |
| Network Servers | 25% | 90% |

75% of attacks on Information Security are directed to the Web Application Layer - Gartner

Why a Web Application Firewall?
Web application firewall has a higher priority
- Web applications are the #1 focus of hackers
  - 75% of attacks are directed at the Application layer (Gartner)
  - SQL Injections are the #1 reported vulnerability (The web hacking incidents DB, 2008)
- Most websites are vulnerable
  - 90% of websites are vulnerable to application attacks (Watchfire)
  - 78% of easily exploitable vulnerabilities affect Web applications (Symantec)
  - 80% of organizations will experience an application security incident by 2010 (Gartner)
- Web applications are high value targets for hackers
  - Customer data, Credit Cards, Social Security Numbers, ID theft, fraud, website defacement, etc.
- Compliance requirements
  - Payment Card Industry Standards (PCI-DSS), GLBA, HIPAA, and FISMA

Why a Web Application Firewall?
Cost Saving
- Introducing a WAF is cost-saving for a company's IT resources
- Much more cost effective than hiring a person to manage application security manually

<Revenue in U$>

| Item | Assumptions | Sum |
| --- | --- | --- |
| Homepage source code lines | 100,000 Lines | |
| Number of vulnerabilities per source code 1,000 lines | 10 | 1,000 |
| Time to find and eliminate 1 vulnerability | 6 hr. | 6,000 hr. |
| Average working hours a day | 8 hr. | 750 days |
| Daily payment for engineer | 150 | 112,500 |

US CERT, DEPT

What Is a Web Application Firewall?
Application Security Is A Totally Different World

| Network Security | Application Security |
| --- | --- |
| Part of IT | Part of Business Units |
| Networking Experts | Software Experts |
| Product Focused | Custom Code Focused |
| 1000s of Copies | 1 Copy of Software |
| Signature Based | No Signatures |
| Patch Management | Prevents Vulnerabilities |

Don't let anyone rely on network security techniques to gain application security

What Is a Web Application Firewall?
WAF Is For What?
- Definition
  - It performs security analysis at OSI layer 7 on all messages exchanged between the web server and the web client.
  - It protects against attacks aimed at the web application.
- Roles
  - Protects web servers from external attacks (service in)
  - Protects against leakage of the web server's most important information (service out)
Diagram labels: Web Application Firewall, IDS / IPS, Network Firewall

What Is a Web Application Firewall?
WAF Is For What? (Cont'd)
Protection devices across the OSI 7 layers:
- Web Application Firewall
  - Based on White-list Signature
  - Detects highly sophisticated attacks and encoded traffic
  - Detects unknown attacks
  - Analyzes not only protocol but also context
- Intrusion Detection / Prevention System
  - Based on Black-list Signature
  - Detects by comparing patterns of attack signatures with network traffic
  - Cannot detect unknown attacks
- Network Firewall
  - Allows/blocks specific ports for specific IP ranges
  - Does not have attack detection ability

What Is a Web Application Firewall?
FW, IDS/IPS, and WAF enabled list

| Top Ten 2010* | FW | IDS / IPS | WAF |
| --- | --- | --- | --- |
| A1: Injection | X | | O |
| A2: Cross Site Scripting (XSS) | X | | O |
| A3: Broken Authentication and Session Management | X | | O |
| A4: Insecure Direct Object References | X | X | O |
| A5: Cross Site Request Forgery (CSRF) | X | X | O |
| A6: Security Misconfiguration | X | X | O |
| A7: Insecure Cryptographic Storage | X | X | O |
| A8: Failure to Restrict URL Access | X | X | O |
| A9: Insufficient Transport Layer Protection | X | O | O |
| A10: Unvalidated Redirects and Forwards | X | X | O |

* OWASP Top Ten Web Application Security Vulnerabilities (2010)

Boasting Top-Notch WAF - WAPPLES
Intelligent Web Application Firewall - WAPPLES
Diagram labels: Firewall (PORT 23 Close, PORT 80 Open); WAPPLES Web Application Firewall; Web Server; Protection of Web Applications

Boasting Top-Notch WAF - WAPPLES
Key Differences
- WAPPLES's advanced architecture and technology provide the strongest intrusion detection and protection for web applications, with near 0 false positive detection and an immunity to unknown attacks.
- The Unique Logic Based Detection Engine provides automated best-of-breed detection/protection capability for web applications, overcoming configuration/operation complexity (which had been the biggest barrier toward rapid growth of the WAF market, in spite of its critical importance).
- Commercially proven and tested solution with more than 900 customers, from SMB to Large Enterprises.
- 9+ years of experience in WAF business

Boasting Top-Notch WAF - WAPPLES
WAPPLES logical analytic detection engine is called COCEP
- COCEP stands for COntents Classification and Evaluation Processing.
- The logic-analysis-based engine is not a signature-based approach.
- It analyzes and blocks each type of attack.

Boasting Top-Notch WAF - WAPPLES
Our Detection Engine uses 3 evaluation mechanisms
A logical analytic engine is a detection engine that performs application-layer interpretation and verification based on the following 3 mechanisms:
- Evaluation based on Heuristic analysis
- Evaluation based on Semantic analysis
- Evaluation based on Pattern Matching
WAPPLES' 26 detection rules and 1 function (IP Block) can be classified as follows:
Classification columns: Evaluation based on Heuristic Analysis; Evaluation based on Semantic Analysis; Evaluation based on Pattern Matching
Rules and function, in the order they appear on the slide: Cross Site Scripting, Include Injection, Buffer Overflow, Directory Listing, Cookie Poisoning, Invalid HTTP, Error Handling, IP Block, Invalid URI, Extension Filtering, Parameter Tampering (listed twice), File Upload, Suspicious Access, Privacy File Filtering, Input Content Filtering, URI Access Control, Privacy Input Filtering, IP Filtering, Privacy Output Filtering, Request Header Filtering, SQL Injection, Stealth Commanding, Request Method Filtering, Response Header Filtering, User Defined Pattern, Web Site Defacement, Unicode Directory Traversal

Boasting Top-Notch WAF - WAPPLES
WAPPLES Unique Technology Enables the Following:
- Higher Performance
  - No additional system load due to the inputting of new patterns. Generally, more than 3000 patterns lead to low system performance.
  - No difference in performance between the test environment and the real operation environment.
- Ease of Use and Less Maintenance
  - Installation without (or with minimal) changes in server and network settings is possible.
  - Extremely low management burden for the administrator.
  - Low operation cost signature update service, but S/W version update service.
- Visualizes Various Information
  - Web Traffic, Hit Count, Detection Log summary
  - Statistics for hour, day, week, month, and year
  - Supports more than 22 visualized charts

Boasting Top-Notch WAF - WAPPLES
WAPPLES Major Features
- Provides User View using Docking Capability
  - Relocation of each window
  - Saves User View settings
- Supports Quick Configuration
  - Supports configuration by levels
  - Simplifies complex settings

Certifications and Patents
- Korea National Intelligence Service CC Evaluation (EAL4)
  - Registration No. NISS-2049-2010
- PCI-DSS Certification
  - Registration No. AK 50170345 0001
- Patents
  - United States: METHOD OF DETECTING A WEB APPLICATION ATTACK, U.S. Application No. 12/876,820
  - China: METHOD OF DETECTING A WEB APPLICATION ATTACK, Chinese Patent Application for Invention No. 201010287262.2
  - Japan: METHOD OF DETECTING A WEB APPLICATION ATTACK, Japanese Patent Application No. 2010-178803
  - Republic of Korea: 2 patents are registered
    - METHOD FOR DETECTING A WEB APPLICATION ATTACK, 10-2010-0064363
    - METHOD FOR DETECTING A WEB ATTACK BASED ON A SECURITY RULE, 10-2009-0077410

Boasting Top-Notch WAF - WAPPLES
Class: Value, Performance, High-End

| Model | WAPPLES-50 | WAPPLES-100 eco | WAPPLES-500 | WAPPLES-1000 type2 | WAPPLES-2000 | WAPPLES-5000 |
| --- | --- | --- | --- | --- | --- | --- |
| Capacity: Maximum Throughput | 100 Mbps | 300 Mbps | 500 Mbps | 2 Gbps | 4 Gbps | 6 Gbps |
| Capacity: HTTP Transactions/sec | 3,000 | 9,000 | 15,000 | 30,000 | 50,000 | 70,000 |
| Capacity: SSL Transactions/sec | 2,000 | 5,000 | 8,000 | 15,000 | 24,000 | 33,000 |
| Hardware: Form Factor | 1U | 1U | 1U | 2U | 2U | 2U |
| Hardware: CPU | Intel Dual Core 2.5GHz | Intel Quad Core 2.66GHz | Intel Quad Core Xeon 2.66GHz | Intel Quad Core Xeon 2.33GHz * 2 | Intel Quad Core Xeon 2.66GHz * 2 | Intel Westmere 2.53GHz * 2 |
| Hardware: Memory | 2 GB | 4 GB | 8 GB | 8 GB | 16 GB | 24 GB |
| Hardware: HDD | 160GB | 500GB | 500GB | 500GB | 500GB | 1TB |
| Dimensions | 443mm/292mm/44.5mm | 443mm/292mm/44.5mm | 443mm/406mm/44.5mm | 443mm/512mm/88mm | 443mm/512mm/88mm | 431.8mm/580mm/88mm |
| Weight | 8Kg | 8Kg | 11Kg | 18.75Kg | 18.75Kg | 21Kg |
| Power Supply | AC100~240V 50/60Hz 200W | AC100~240V 50/60Hz 200W | AC100~240V 50/60Hz 300W | AC100~240V 50/60Hz 400W Redundant Power Supply | AC100~240V 50/60Hz 400W Redundant Power Supply | AC100~240V 50/60Hz 500W Redundant Power Supply |

NIC: 2 x10/100/1000 BaseTX 4 x10/100/1000 BaseTX Bypass 2 x10/100/1000 BaseTX 8 x10/100/1000 BaseTX Bypass 6 x10/100/1000 BaseTX Bypass OR 2 x1000 Base Optical Bypass 2 x10/100/1000 BaseTX Bypass 8 x10/100/1000 BaseTX Bypass 2 x1000 BaseSFP (Optional) 2 x1000 Base Optical Bypass 2 x10/100/1000 BaseTX 8 x10/100/1000 BaseTX Bypass 4 x1000 BaseSFP (Optional) 2 x1000 Base Optical Bypass 2 x10/100/1000 BaseTX 8 x10/100/1000 BaseTX Bypass 4 x1000 BaseSFP 2 x1000 Base Optical Bypass (Optional) 4 x1000 Base Optical Bypass 2 x10g Base Optical Bypass

Must-have Trend
Must-have Trend - Cloud Computing Security
- Web-based cloud computing
  - All businesses (services) based on cloud computing are provided via the web, whether in the form of IaaS, PaaS, or SaaS
  - The service that satisfies the essential characteristics of Cloud Computing is the web (according to the Visual Model of NIST Working Definition)
  - The web is the most appropriate and optimized interface to provide cloud computing service
- It's the Web!
- Cloud Computing Security is Web Application Security
  - Since cloud computing is web-based, its security issues have much in common with web application security.

Must-have Trend
Cloud Computing Security Is A No. 1 Issue
- Cloud computing issues: Security
  - There are many issues related to newly-rising cloud computing: Performance, Availability, Integration, etc.
  - Despite the existence of many issues, the security sector is the most important one.

The challenges/issues ascribed to the cloud/on-demand model (Source: IDC Enterprise Panel, August 2008)

| Challenge/issue | Share |
| --- | --- |
| Security | 74.6% |
| Performance | 63.1% |
| Availability | 63.1% |
| Hard to integrate with in-house IT | 61.1% |
| Not enough ability to customize | 55.8% |

Must-have Trend
WAPPLES Meets the Demands
Diagram labels: Cloud Computing Environment; Web service; User; Virtual appliance (WAF)

<2011 Virtual Appliance Lineup>

| Model | V50 | V500 | V1000 | V2000 | V4000 |
| --- | --- | --- | --- | --- | --- |
| CPU | 1 Cores | 2 Cores | 4 Cores | 8 Cores | 16 Cores |
| Performance: CPS (Connection per Second) | 5,000 | 10,000 | 20,000 | 40,000 | 80,000 |

Minimum requirements per physical host

| Item | Requirement |
| --- | --- |
| Hypervisor | Citrix XenServer 5 (update 3 or higher); VMWare ESX/ESXi 3.5 or higher |
| Processor | Dual core server with Intel VTx |
| Memory | 2 GB |
| Hard drive | 20 GB |
| Network Interface | Hypervisor supported network interface card |

Thank you.

Penta Security Systems Inc.
Hanjin Shipping Bld. 20F, Seoul, Korea
TEL: 82-2-780-7728 FAX: 82-2-786-5281
www.pentasecurity.com

Penta Security Systems K.K.
Ascend Akasaka 3F, 3-2-8 Akasaka, Hamada-ku, Tokyo
TEL: 81-3-5573-8191 FAX: 81-3-5573-8193