Forti web

Apr 15, 2017
Page 1

© Copyright Fortinet Inc. All rights reserved.

FortiWeb Web Application Firewalls
Lan & Wan Solutions – IT Solutions for Local & Wide Area Networks

Page 2

Scope/Definition of WAFs

Protects web-based applications from code-based attacks
» SQL Injection or other injection types
» Cross Site Scripting and Request Forgery
» Layer 7 DoS/DDoS attacks
» Cookie/schema poisoning

Protects against application vulnerabilities in custom code and commercial platforms

Understands/learns “normal” behaviors and stops anomalies
» URL parameters, HTTP methods, session IDs, cookies, schema, etc.

Dynamic and adaptive to adjust to new threats

Can’t a Firewall or IPS do this?
» Firewalls look for network-based attacks
» IPS signatures detect only known problems
» High rate of false positives
» No protection of SSL traffic
» No application or user awareness

[Diagram: INTERNET -> FortiWeb WAF -> Web Application Servers; SQL Injection, XSS… stopped at the WAF]

Web Application Firewalls

Page 3

WAF Drivers/Challenges
» Protect current and existing applications from code-based vulnerabilities
» Meet PCI Compliance (5.5 and 6.6) for credit card and healthcare data
» Address OWASP Top 10 Application Vulnerabilities
» Identify and address web application vulnerabilities
» Website publishing for Microsoft and other applications
» Protect against website defacement

Who Needs it?
» Any organization that processes credit cards and/or has PCI requirements
» Large internal or external applications
» Sensitive/proprietary information
» Mission-critical business applications

Who Needs it Most?
» MSPs/Hosting Companies
» E-commerce/online services
» Retail, Food Service, Hospitality
» Financial services
» Healthcare

Page 4

Emerging Requirements/Trends

WAFs are converging with other technologies
» High-end products adding web application firewall (WAF) and traditional firewall technologies
» Low end is quickly adding high-end features (WAF, scripting, etc.)

Business adoption increasing
» Awareness of threats and benefit of WAF increasingly understood
» 96% of applications have been attacked in 2013
» Gartner expects over 80% of organizations will have a WAF by 2018 (60% today)

WAF market continues to grow
» IDC 2014 market size: $1.0 billion
» 6.9% CAGR through 2017

Page 5

FortiWeb – Web Application Firewalls
» 6 models from 25 Mbps to 4 Gbps HTTP throughput
» Up to 6x GE and models with 2x 10GE SFP+ ports
» Included vulnerability scanning and antivirus
» Hardware and VM options (VMware, Hyper-V and AWS)
» AWS On-demand Pricing
» Automatic behavior-based scanning
» Auto setup/learning mode
» Layer 7 DDoS protection
» FortiGuard antivirus/IP reputation
» Transparent, reverse and non-inline deployment options
» Central Management/ADOMs
» Advanced real-time reporting
» SSL offloading/compression
» SSO/Authentication
» Layer 7 load balancing
» NSS recommended

Complete WAF Solution for PCI DSS Compliance

Page 6

FortiWeb Benefits
» Protect custom and commercial applications with automatic usage profiling and anomaly scanning
» Meet PCI Compliance (5.5 and 6.6) with behavior-based attack detection and mitigation
» Protection against OWASP Top 10 Application Vulnerabilities
» Identify web application security weaknesses with vulnerability scanning
» Website publishing with Single Sign On/Authentication
» Restore website pages from attacks with Anti-Defacement Protection
» Block botnets and attacks from known rogue and malicious sources with FortiGuard IP Reputation

Page 7

FortiWeb Product Lineup

Performance & Scalability

                 < 1 Gbps    1 – 2 Gbps    3+ Gbps
WAF throughput   < 1 Gbps    1 – 2 Gbps    3+ Gbps
SSL              Software    ASIC          ASIC
Ports            GE          GE/10GE       GE/10GE

Models shown: FWB-100D, FWB-400C, FWB-1000D, FWB-3000D, FWB-3000DFsx, FWB-4000D

Page 8

FortiWeb Product Matrix

                        100D      400C      1000D     3000D     3000DFsx  4000D
WAF Throughput          25 Mbps   100 Mbps  750 Mbps  1.5 Gbps  1.5 Gbps  4.0 Gbps
Latency                 Sub-ms    Sub-ms    Sub-ms    Sub-ms    Sub-ms    Sub-ms
SSL                     Software  Software  ASIC      ASIC      ASIC      ASIC
L7 Load Balancing       Yes       Yes       Yes       Yes       Yes       Yes
L7 DoS Protection       Yes       Yes       Yes       Yes       Yes       Yes
Site Publishing/SSO     Yes       Yes       Yes       Yes       Yes       Yes
Vulnerability Scanner   Yes       Yes       Yes       Yes       Yes       Yes
Antivirus/antimalware   Yes       Yes       Yes       Yes       Yes       Yes
Form Factor             Desktop   1U        2U        2U        2U        2U
GE Port                 4         4         6         6         6         8
GE Bypass               0         0         4         2         0         2
GE-SX Bypass            0         0         0         0         0         2
GE SFP                  0         0         2         0         0         0
10GE SFP+ Bypass        0         0         0         0         2         2
ADOMs                   N/a       32        64        64        64        64

(Yes = feature included on that model.)

Page 9

FortiWeb Virtual Appliances
» Enterprise grade virtual WAF
» Deploy WAFs without extra hardware
» Dynamic expansion in VM environments
» Resource efficiency with uncompromised WAF functionality
» VMware ESX / ESXi 4.0 / 4.1 / 5.0 / 5.1 / 5.5, Microsoft Hyper-V, Citrix XenServer 6.2, Open Source Xen 4.2, AWS (BYOL/On-Demand)

Technical Specifications

                                 FortiWeb VM01  FortiWeb VM02  FortiWeb VM04  FortiWeb VM08
vCPU Support (Max)               1              2              4              8
Memory Support (Max)             Unlimited      Unlimited      Unlimited      Unlimited
Network Interface Support (Max)  4              4              4              4
Storage Support (Min / Max)      40 GB / 1TB    40 GB / 1TB    40 GB / 1TB    40 GB / 1TB

Page 10

FortiWeb Protection at all Layers

[Diagram: protection layers sit between Attacks/Threats and the Application, with a Correlation engine spanning all layers]

Layer                    Attacks/threats addressed
IP Reputation            Botnets, malicious hosts, anonymous proxies, DDoS sources
DDoS Protection          Application level DDoS attacks
Protocol Validation      Improper HTTP RFC
Attack Signatures        Known application attack types
Antivirus/DLP            Viruses, malware, loss of data
Behavioral Validation    Unknown application attacks

Page 11

Auto Setup and Protection

Key Features
» Auto learn
» Completely transparent
» Traffic pattern monitoring
» Models application based on usage patterns
» Understands real behavior

Benefits
» No application changes
» Traffic anomalies trigger actions
» Protects against unknown vulnerabilities and zero-day attacks
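The auto-learn idea on this slide, and the "Behavioral Validation" layer on the previous one, can be made concrete with a small Python sketch: a learning phase records, per URL path, the HTTP methods seen and, per query parameter, the longest value and whether every value was numeric; a protection phase compares each request to that model and a policy turns anomalies into an action. This is an added example, not FortiWeb code or Fortinet's algorithm: the profile fields, the min_hits and slack thresholds, the decide() policy and the sample traffic are all assumptions constructed for the illustration.

```python
"""Toy learning-mode WAF profile (added example; not FortiWeb code).

All class names, thresholds and sample traffic are assumptions constructed
for this illustration of behaviour-based (auto-learn) validation.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlsplit


@dataclass
class ParamProfile:
    max_len: int = 0        # longest value observed during learning
    numeric: bool = True    # becomes False once a non-numeric value is seen


@dataclass
class PathProfile:
    hits: int = 0
    methods: set = field(default_factory=set)
    params: dict = field(default_factory=dict)  # parameter name -> ParamProfile


class LearningWaf:
    def __init__(self, min_hits=3, slack=1.5):
        self.min_hits = min_hits  # samples needed before a path is enforced
        self.slack = slack        # tolerated growth over the learned max length
        self.paths = defaultdict(PathProfile)

    def learn(self, method, url):
        """Learning mode: fold one observed request into the model."""
        parts = urlsplit(url)
        prof = self.paths[parts.path]
        prof.hits += 1
        prof.methods.add(method)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            pp = prof.params.setdefault(name, ParamProfile())
            pp.max_len = max(pp.max_len, len(value))
            if not value.isdigit():
                pp.numeric = False

    def check(self, method, url):
        """Protection mode: list anomalies; an empty list means the request fits the model."""
        parts = urlsplit(url)
        prof = self.paths.get(parts.path)
        if prof is None:
            return ["unknown-path"]
        if prof.hits < self.min_hits:
            return ["insufficient-samples"]
        anomalies = []
        if method not in prof.methods:
            anomalies.append("unexpected-method:" + method)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            pp = prof.params.get(name)
            if pp is None:
                anomalies.append("unknown-param:" + name)
                continue
            if len(value) > int(pp.max_len * self.slack):
                anomalies.append("oversize-param:" + name)
            if pp.numeric and not value.isdigit():
                anomalies.append("type-mismatch:" + name)
        return anomalies


def decide(anomalies):
    """Policy: map anomalies to an action ('allow', 'alert' or 'block')."""
    if not anomalies:
        return "allow"
    # Paths the model has not learned yet are reported rather than enforced,
    # to keep false positives down while coverage is still incomplete.
    if all(a in ("unknown-path", "insufficient-samples") for a in anomalies):
        return "alert"
    return "block"


# Constructed learning traffic: what a normal client produces.
LEARNING_TRAFFIC = [
    ("GET", "/search?q=shoes"),
    ("GET", "/search?q=red+boots"),
    ("GET", "/search?q=jacket"),
    ("GET", "/item?id=1042"),
    ("GET", "/item?id=7"),
    ("GET", "/item?id=99321"),
    ("POST", "/login"),
]


def build_model():
    waf = LearningWaf()
    for method, url in LEARNING_TRAFFIC:
        waf.learn(method, url)
    return waf


if __name__ == "__main__":
    waf = build_model()
    for method, url in [
        ("GET", "/item?id=42"),
        ("GET", "/item?id=abc"),
        ("GET", "/search?q=" + "a" * 40),
        ("POST", "/search?q=shoes"),
        ("GET", "/search?q=hat&debug=1"),
        ("GET", "/admin"),
    ]:
        found = waf.check(method, url)
        print(f"{decide(found):5} {method} {url}  {found}")
```

The split between "alert" and "block" in decide() is the part worth tuning in practice: a profile that has too few samples will flag legitimate traffic, so a real deployment keeps such paths in monitoring until the model has converged, which is what the "auto setup/learning mode" on the feature slide refers to.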

Page 12

Vulnerability Scanning

Key Features
» Scans all application elements
» Granular crawling capabilities
» Scheduled or on demand
» Recommendation reporting
» FortiGuard updates

Benefits
» Automated vulnerability reporting
» Complements WAF for PCI DSS compliance

Page 13

FortiGuard Services

FortiGuard Labs
» Award-winning threat research services
» Dynamic/automated updates for FortiWeb
» Automatic downloads
» Always up-to-date

Subscription Based
» Available per device
» Select services that are needed
» Annual renewals

Security Service
• Application layer signatures
• Malicious bots
• Suspicious URL pattern
• Web vulnerability scanner updates

IP Reputation
• Protection for automated attacks and malicious sources
• DDoS, Phishing, Botnet, Spam, Anonymous proxies and infected sources

Antivirus
• Scan file uploads
• Regular and extended AV databases

Page 14

FortiWeb Recommended by NSS Labs

SVM Published on September 30, 2014

Test Categories
» Security: URL parameter manipulation, form/hidden field manipulation, cookie/session poisoning, cross-site scripting, directory traversal, SQL injection and padding oracle attacks
» Evasions: packet fragmentation reassembly, stream segmentation, URL obfuscation
» Performance: stability, reliability and connections per second

» Fortinet FortiWeb-1000D earned a Recommended rating
» Strong performance with 99.85% block rate and 15,865 connections/second
» Passed all tests for evasion techniques and for stability and reliability
» 0.366% false positive detection rate

Page 15

Pricing/Licensing

Purchase price includes:
» Hardware: appliance, mounting hardware, etc.
» VM: Downloadable software and license
» 90 days of FortiCare 8x5 support

FortiCare (1, 2 and 3 year increments):
» 8x5 Enhanced
» 24x7 Comprehensive

FortiGuard (1 year only)
» IP reputation
» FortiWeb Security Service (signatures)
» Antivirus

Central Management (separate)
» Up to 10 FortiWeb appliances
» Unlimited option

AWS
» Bring Your Own License (BYOL)
» On-demand licensing through AWS marketplace

Page 16

Complementary/Related Products

FortiADC Application Delivery Controllers
» Server load balancing
» Layer 7 content-based routing and SSL offloading

FortiDDoS DDoS Attack Mitigation Appliances
» Full layer 3, 4 and advanced layer 7 DDoS attack mitigation
» 100% hardware and behavior-based detection and mitigation

AscenLink/FortiWAN Link Load Balancers
» Advanced link load balancing up to 50 links
» Patented tunnel routing

Page 17

Objection Handling

We regularly review our applications for security flaws; we don’t need a WAF.
» A WAF can automatically protect applications without the need to constantly manage existing older applications; this frees up resources.

Only our developers know the code well enough to address security issues.
» Even the best programmers can’t account for every possible vulnerability, and they can’t predict unknown problems in advance.

We’ve never had a data breach and our other security measures are good enough.
» Over 96% of all web-based applications have been attacked in 2013. Chances are you have been attacked and may not have known about it.

I’ve never heard of FortiWeb (Fortinet) for WAF. Why should I look at a FortiWeb WAF?
» FortiWeb has been in the WAF market for over 5 years. We’re a leader according to NSS Labs, with over 99.85% security effectiveness against today’s latest web application threats.

Page 18

Qualifying Questions

How do you protect your mission critical web-based applications from attacks today?
» Look for opportunities to have a WAF automate manual processes like application security patches and code changes on older applications.

Do you regularly conduct code security reviews and, if so, how often?
» If they’re not doing it, they’re most likely at risk. If they are, they are most likely spending a lot of effort to conduct these reviews. A WAF can automate this and protect better.

Do you need to meet PCI DSS compliance standards? What were the results of your last PCI DSS audit?
» If yes, they most likely need a WAF for PCI DSS 6.6. If not, protecting applications is a harder sell; focus instead on mission critical systems and on protection of sensitive user and proprietary data.

Are you concerned about data breaches of sensitive customer or proprietary information through your web-based applications?
» The answer should be “yes”. If so, only a WAF can protect against application specific attacks.

Page 19

Additional Resources

White Papers
» Beyond the Firewall
» WAF or NGFW with IPS to Protect Applications

Solution Guides/Briefs
» Fortinet Virtual Appliance Solutions (AWS)
» Protecting Against Layer 7 DoS Attacks with FortiWeb
» OWASP 2013 and FortiWeb

Deployment Guides:
» Replacing Microsoft TMG with FortiWeb for Publishing applications

Positioning Guides/Responses:
» NSS Labs WAF SVM Talking Points
» NSS WAF SVM and Product Analysis Report

Page 20

Lan & Wan Solutions
Innovating your company. Our challenge.

Via dell’Artigianato, 62 - 35010 Saletto di Vigodarzere (PD)
Tel. +39 049 8843198 digit 5
E-mail [email protected]