© Copyright Fortinet Inc. All rights reserved.
FortiWeb Web Application Firewalls
Lan & Wan Solutions – IT Solutions for Local & Wide-Area Networks
Scope/Definition of WAFs
Protects web-based applications from code-based attacks
» SQL injection and other injection types
» Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF)
» Layer 7 DoS/DDoS attacks
» Cookie/schema poisoning
Protects against application vulnerabilities in custom code and commercial platforms
Understands/learns “normal” behavior and stops anomalies
» URL parameters, HTTP methods, session IDs, cookies, schema, etc.
Dynamic and adaptive to adjust to new threats
Can’t a firewall or IPS do this?
» Firewalls look for network-based attacks
» IPS signatures detect only known problems
» High rate of false positives
» No inspection of SSL/TLS-encrypted traffic
» No application or user awareness
[Diagram: INTERNET -> FortiWeb WAF -> web application servers; SQL injection, XSS and similar attacks are stopped at the WAF]
WAF Drivers/Challenges
Protect current and existing applications from code-based vulnerabilities
Meet PCI DSS compliance (requirement 6.6) for credit card data, and comparable requirements for healthcare data
Address OWASP Top 10 application vulnerabilities
Identify and address web application vulnerabilities
Website publishing for Microsoft and other applications
Protect against website defacement
Who needs it?
» Any organization that processes credit cards and/or has PCI requirements
» Large internal or external applications
» Sensitive/proprietary information
» Mission-critical business applications
Who needs it most?
» MSPs/hosting companies
» E-commerce/online services
» Retail, food service, hospitality
» Financial services
» Healthcare
Emerging Requirements/Trends
WAFs are converging with other technologies
» High-end products are adding web application firewall (WAF) and traditional firewall technologies
» Low-end products are quickly adding high-end features (WAF, scripting, etc.)
Business adoption increasing
» Awareness of threats and of the benefit of a WAF is increasingly understood
» 96% of applications were attacked in 2013
» Gartner expects over 80% of organizations to have a WAF by 2018 (60% today)
WAF market continues to grow
» IDC 2014 market size: $1.0 billion
» 6.9% CAGR through 2017
FortiWeb – Web Application Firewalls
» 6 models from 25 Mbps to 4 Gbps HTTP throughput
» Up to 6x GE ports, and models with 2x 10GE SFP+ ports
» Included vulnerability scanning and antivirus
» Hardware and VM options (VMware, Hyper-V and AWS)
» AWS on-demand pricing
» Automatic behavior-based scanning
» Auto setup/learning mode
» Layer 7 DDoS protection
» FortiGuard antivirus/IP reputation
» Transparent, reverse-proxy and non-inline deployment options
» Central management/ADOMs
» Advanced real-time reporting
» SSL offloading/compression
» SSO/authentication
» Layer 7 load balancing
» NSS Labs Recommended
Complete WAF solution for PCI DSS compliance
FortiWeb Benefits
» Protect custom and commercial applications with automatic usage profiling and anomaly scanning
» Meet PCI DSS compliance (requirement 6.6) with behavior-based attack detection and mitigation
» Protection against OWASP Top 10 application vulnerabilities
» Identify web application security weaknesses with vulnerability scanning
» Website publishing with Single Sign-On/authentication
» Restore website pages after attacks with anti-defacement protection
» Block botnets and attacks from known rogue and malicious sources with FortiGuard IP Reputation
FortiWeb Product Lineup
Performance & scalability tiers:
WAF throughput | < 1 Gbps | 1 – 2 Gbps | 3+ Gbps
SSL            | Software | ASIC       | ASIC
Ports          | GE       | GE/10GE    | GE/10GE
Models, from lowest to highest throughput: FWB-100D, FWB-400C, FWB-1000D, FWB-3000D, FWB-3000DFsx, FWB-4000D
FortiWeb Product Matrix
Model                 | 100D     | 400C     | 1000D    | 3000D    | 3000DFsx | 4000D
WAF throughput        | 25 Mbps  | 100 Mbps | 750 Mbps | 1.5 Gbps | 1.5 Gbps | 4.0 Gbps
Latency               | Sub-ms   | Sub-ms   | Sub-ms   | Sub-ms   | Sub-ms   | Sub-ms
SSL                   | Software | Software | ASIC     | ASIC     | ASIC     | ASIC
L7 load balancing     | Yes      | Yes      | Yes      | Yes      | Yes      | Yes
L7 DoS protection     | Yes      | Yes      | Yes      | Yes      | Yes      | Yes
Site publishing/SSO   | Yes      | Yes      | Yes      | Yes      | Yes      | Yes
Vulnerability scanner | Yes      | Yes      | Yes      | Yes      | Yes      | Yes
Antivirus/antimalware | Yes      | Yes      | Yes      | Yes      | Yes      | Yes
Form factor           | Desktop  | 1U       | 2U       | 2U       | 2U       | 2U
GE ports              | 4        | 4        | 6        | 6        | 6        | 8
GE bypass             | 0        | 0        | 4        | 2        | 0        | 2
GE-SX bypass          | 0        | 0        | 0        | 0        | 0        | 2
GE SFP                | 0        | 0        | 2        | 0        | 0        | 0
10GE SFP+ bypass      | 0        | 0        | 0        | 0        | 2        | 2
ADOMs                 | N/A      | 32       | 64       | 64       | 64       | 64
FortiWeb Virtual Appliances
» Enterprise-grade virtual WAF
» Deploy WAFs without extra hardware
» Dynamic expansion in VM environments
» Resource efficiency with uncompromised WAF functionality
» Supported platforms: VMware ESX/ESXi 4.0, 4.1, 5.0, 5.1 and 5.5; Microsoft Hyper-V; Citrix XenServer 6.2; open-source Xen 4.2; AWS (BYOL/on-demand)
Technical specifications        | FortiWeb VM01 | FortiWeb VM02 | FortiWeb VM04 | FortiWeb VM08
vCPU support (max)              | 1             | 2             | 4             | 8
Memory support (max)            | Unlimited     | Unlimited     | Unlimited     | Unlimited
Network interface support (max) | 4             | 4             | 4             | 4
Storage support (min / max)     | 40 GB / 1 TB  | 40 GB / 1 TB  | 40 GB / 1 TB  | 40 GB / 1 TB
FortiWeb Protection at all Layers
Each inspection layer maps to the attacks/threats it addresses, and results are correlated across layers:
» IP Reputation: botnets, malicious hosts, anonymous proxies, DDoS sources
» DDoS Protection: application-level DDoS attacks
» Protocol Validation: improper HTTP (RFC violations)
» Attack Signatures: known application attack types
» Antivirus/DLP: viruses, malware, loss of data
» Behavioral Validation: unknown application attacks
» Correlation: findings from all layers are combined
Auto Setup and Protection
Key Features
» Auto learn
» Completely transparent
» Traffic pattern monitoring
» Models the application based on usage patterns
» Understands real behavior
Benefits
» No application changes
» Traffic anomalies trigger actions
» Protects against unknown vulnerabilities and zero-day attacks
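The layered inspection described on the "Protection at all Layers" slide and the learning-mode behavior described on this slide (IP reputation, then protocol validation, then attack signatures, then behavioral validation against a profile learned from normal traffic) can be shown end to end on a handful of requests. The block below is an added illustration written for this page; it is not FortiWeb code and does not reproduce FortiWeb's rule set or learning algorithm. The bad-source addresses, the host name shop.example, the training requests and the test requests are all constructed for the example, and the signature patterns are deliberately minimal.

```python
"""Layered request inspection in the order the slide lists the layers:
IP reputation -> protocol validation -> attack signatures -> behavioral
validation against a learned profile.  Added illustration only; this is
not FortiWeb code, and every address, URL and request below is constructed."""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote, urlsplit

# Layer 1: IP reputation. Constructed "known bad" sources standing in for a feed.
BAD_SOURCES = {"203.0.113.7", "198.51.100.200"}

# Layer 2: protocol validation. Deliberately minimal RFC sanity checks.
ALLOWED_METHODS = {"GET", "POST", "HEAD"}
MAX_URL_LEN = 2048

# Layer 3: attack signatures. A handful of patterns, applied to decoded values.
SIGNATURES = {
    "sqli": re.compile(r"(?i)\bunion\b.+\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+|;\s*drop\b"),
    "xss": re.compile(r"(?i)<script\b|javascript:|on(error|load|mouseover)\s*="),
    "traversal": re.compile(r"(?i)\.\./|%2e%2e[/\\]"),
}


class Request:
    def __init__(self, src, method, url, headers=None, body=""):
        self.src, self.method, self.url = src, method, url
        self.headers = headers or {}
        parts = urlsplit(url)
        self.path = unquote(parts.path)  # decode once so signatures see "../"
        # parse_qsl percent-decodes once as well.
        self.params = parse_qsl(parts.query, keep_blank_values=True)
        if method == "POST":
            self.params += parse_qsl(body, keep_blank_values=True)

    def inspected_values(self):
        """Every string a signature is run against."""
        yield self.path
        for _, value in self.params:
            yield value
        yield self.headers.get("Cookie", "")


class LearnedProfile:
    """Layer 4: per-URL parameter model built during a learning phase."""

    def __init__(self):
        # path -> parameter name -> {"max_len": int, "numeric": bool}
        self.model = defaultdict(dict)

    def learn(self, req):
        for name, value in req.params:
            p = self.model[req.path].setdefault(name, {"max_len": 0, "numeric": True})
            p["max_len"] = max(p["max_len"], len(value))
            p["numeric"] = p["numeric"] and value.isdigit()

    def anomalies(self, req):
        known = self.model.get(req.path)
        if known is None:
            return ["unlearned URL"]
        found = []
        for name, value in req.params:
            p = known.get(name)
            if p is None:
                found.append(f"unknown parameter {name!r}")
            elif len(value) > 2 * p["max_len"]:  # some slack over the training data
                found.append(f"{name!r} length {len(value)} exceeds learned {p['max_len']}")
            elif p["numeric"] and not value.isdigit():
                found.append(f"{name!r} expected numeric")
        return found


def inspect(req, profile):
    """Return (verdict, reason). Cheapest layers run first; the first hit wins."""
    if req.src in BAD_SOURCES:
        return "block", "ip-reputation"
    if (req.method not in ALLOWED_METHODS or len(req.url) > MAX_URL_LEN
            or "Host" not in req.headers):
        return "block", "protocol-violation"
    for name, pattern in SIGNATURES.items():
        if any(pattern.search(v) for v in req.inspected_values()):
            return "block", f"signature:{name}"
    found = profile.anomalies(req)
    if found:
        # Anomalies alert rather than block: a model built from traffic can be
        # incomplete, so the block/alert choice is a policy decision.
        return "alert", "behavior: " + "; ".join(found)
    return "allow", ""


HOST = {"Host": "shop.example"}  # constructed host name

# Constructed "normal" traffic used for the learning phase.
NORMAL_TRAFFIC = [
    Request("192.0.2.10", "GET", "/search?q=laptop&page=1", HOST),
    Request("192.0.2.11", "GET", "/search?q=usb+cable&page=10", HOST),
    Request("192.0.2.12", "POST", "/login", HOST, body="user=alice&pw=hunter2"),
]

# Constructed requests that exercise each layer in turn.
DEMO_TRAFFIC = [
    Request("203.0.113.7", "GET", "/search?q=laptop&page=1", HOST),
    Request("192.0.2.20", "TRACE", "/search?q=laptop", HOST),
    Request("192.0.2.21", "GET", "/search?q=%27+OR+%271%27%3D%271&page=1", HOST),
    Request("192.0.2.22", "GET", "/static/..%2f..%2fetc/passwd", HOST),
    Request("192.0.2.23", "GET", "/search?q=laptop&page=1&debug=1", HOST),
    Request("192.0.2.24", "GET", "/search?q=laptop&page=abc", HOST),
    Request("192.0.2.25", "GET", "/search?q=mouse&page=2", HOST),
]


def run_demo():
    """Learn from NORMAL_TRAFFIC, then return one (verdict, reason) per demo request."""
    profile = LearnedProfile()
    for req in NORMAL_TRAFFIC:
        profile.learn(req)
    return [inspect(req, profile) for req in DEMO_TRAFFIC]


if __name__ == "__main__":
    for req, (verdict, reason) in zip(DEMO_TRAFFIC, run_demo()):
        print(f"{verdict:5s} {req.method} {req.url} {reason}")
```

Run it directly to print one verdict per constructed request. Two design points matter here: signatures are matched after one round of percent-decoding, which is why the `..%2f` traversal is caught while a plain substring match on the raw URL would miss it, and learned-profile anomalies produce an alert rather than a block, because an unknown parameter is as likely to be a new application feature as an attack and the block/alert choice belongs to policy, not to the model.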
Vulnerability Scanning
Key Features
» Scans all application elements
» Granular crawling capabilities
» Scheduled or on demand
» Recommendation reporting
» FortiGuard updates
Benefits
» Automated vulnerability reporting
» Complements the WAF for PCI DSS compliance
FortiGuard Services
FortiGuard Labs
» Award-winning threat research services
» Dynamic/automated updates for FortiWeb
» Automatic downloads
» Always up-to-date
Subscription based
» Available per device
» Select the services that are needed
» Annual renewals
Security Service
• Application-layer signatures
• Malicious bots
• Suspicious URL patterns
• Web vulnerability scanner updates
IP Reputation
• Protection from automated attacks and malicious sources
• DDoS, phishing, botnet, spam, anonymous proxies and infected sources
Antivirus
• Scan file uploads
• Regular and extended AV databases
FortiWeb Recommended by NSS Labs
SVM published on September 30, 2014
Test categories
» Security: URL parameter manipulation, form/hidden field manipulation, cookie/session poisoning, cross-site scripting, directory traversal, SQL injection and padding oracle attacks
» Evasions: packet fragmentation reassembly, stream segmentation, URL obfuscation
» Performance: stability, reliability and connections per second
Fortinet FortiWeb-1000D earned a Recommended rating
» Strong performance with a 99.85% block rate and 15,865 connections/second
» Passed all tests for evasion techniques and for stability and reliability
» 0.366% false positive rate
Pricing/Licensing
Purchase price includes:
» Hardware: appliance, mounting hardware, etc.
» VM: downloadable software and license
» 90 days of FortiCare 8x5 support
FortiCare (1, 2 and 3 year increments):
» 8x5 Enhanced
» 24x7 Comprehensive
FortiGuard (1 year only):
» IP Reputation
» FortiWeb Security Service (signatures)
» Antivirus
Central Management (separate):
» Up to 10 FortiWeb appliances
» Unlimited option
AWS:
» Bring Your Own License (BYOL)
» On-demand licensing through AWS Marketplace
Complementary/Related Products
FortiADC Application Delivery Controllers
» Server load balancing
» Layer 7 content-based routing and SSL offloading
FortiDDoS DDoS Attack Mitigation Appliances
» Full layer 3, 4 and advanced layer 7 DDoS attack mitigation
» 100% hardware- and behavior-based detection and mitigation
AscenLink/FortiWAN Link Load Balancers
» Advanced link load balancing up to 50 links
» Patented tunnel routing
Objection Handling
“We regularly review our applications for security flaws; we don’t need a WAF.”
» A WAF can automatically protect applications without the need to constantly maintain existing older applications, which frees up resources.
“Only our developers know the code well enough to address security issues.”
» Even the best programmers can’t account for every possible vulnerability, and they can’t predict unknown problems in advance.
“We’ve never had a data breach and our other security measures are good enough.”
» Over 96% of all web-based applications were attacked in 2013. Chances are you have been attacked and may not have known about it.
“I’ve never heard of FortiWeb (Fortinet) for WAF. Why should I look at a FortiWeb WAF?”
» FortiWeb has been in the WAF market for over 5 years. NSS Labs rated it Recommended, with a 99.85% block rate against today’s latest web application threats.
Qualifying Questions
How do you protect your mission-critical web-based applications from attacks today?
» Look for opportunities to have a WAF automate manual processes like application security patches and code changes on older applications.
Do you regularly conduct code security reviews and, if so, how often?
» If they’re not doing it, they’re most likely at risk. If they are, they are most likely spending a lot of effort to conduct these reviews. A WAF can automate and protect better.
Do you need to meet PCI DSS compliance standards? What were the results of your last PCI DSS audit?
» If yes, they most likely need a WAF for PCI DSS 6.6. If not, it’s a harder sell to protect applications; focus instead on mission-critical systems and on protecting sensitive user and proprietary data.
Are you concerned about data breaches of sensitive customer or proprietary information through your web-based applications?
» The answer should be “yes”. If so, a WAF protects against application-specific attacks that network firewalls and IPS do not see.
Additional Resources
White Papers
» Beyond the Firewall
» WAF or NGFW with IPS to Protect Applications
Solution Guides/Briefs
» Fortinet Virtual Appliance Solutions (AWS)
» Protecting Against Layer 7 DoS Attacks with FortiWeb
» OWASP 2013 and FortiWeb
Deployment Guides
» Replacing Microsoft TMG with FortiWeb for Publishing Applications
Positioning Guides/Responses
» NSS Labs WAF SVM Talking Points
» NSS WAF SVM and Product Analysis Report
Lan & Wan Solutions – Innovating your company. Our challenge.
Via dell’Artigianato, 62 - 35010 Saletto di Vigodarzere (PD)
Tel. +39 049 8843198 (press 5)
E-mail [email protected]