Web Application Firewall (WAF)
RSA® Conference 2013
The Cybercrime Landscape in 2013
Attacks have become more sophisticated, easier to carry out, and industry agnostic.
Source: hackmageddon.com/
©2013 AKAMAI | FASTER FORWARDTM
Moving From Network to Application Layer
• Application Layer (Layer 7): where an increasing number of attacks are focused
• Network Layer (Layers 3/4): target of traditional DDoS attacks
Web Application Firewall Highlights
• Operates at the network edge – over 100,000 servers
• Inspects requests and responses for malicious content and info leakage
• Inspects packets to protect against attacks such as SQL Injection & Cross-Site Scripting
• Configurable to log or block activities against policy
• Protects organizations against application layer attacks propagated via HTTP and HTTPS
• Enables compliance with PCI DSS 1.2 section 6.6
• Provides advanced rate controls (behavioral based protections)
• Propagates quickly (~30 minutes)
• Configured via portal
Kona Security Solutions 2.0
• ModSecurity Rule Update
  o Core Rule Set 2.2.6
  o Legacy CRS support
• Akamai Common Rules
  o Based on Akamai’s unique view
  o 20 – 25% of internet traffic
• Advanced Rate Controls
  o Session-ID; Client-IP+User-Agent
• Rule Upgrade Wizard
Appendix & Details
Akamai Intelligent Platform™
Deflecting Network Layer Attacks at the Edge
Network Layer attack mitigation
• Built-in protection is “always on”
• Only Port 80 (HTTP) or Port 443 (HTTPS) traffic allowed on Platform
  o All other traffic dropped at the Akamai Edge
    • Attack traffic never makes it onto Platform
    • Customer not charged for traffic dropped at Edge
  o Absorbs attack requests without requiring identification
  o Requires CNAME onto Akamai Intelligent Platform
Examples of attack types dropped at Akamai Edge
• UDP Fragments
• ICMP Floods
• SYN Floods
• ACK Floods
• RESET Floods
• UDP Floods
Absorbs attacks through massive scale
• ~5.5 Tbps average throughput; up to 8 Tbps
• Distribution of HTTP request traffic across 100,000+ servers; 1,100+ networks
• No re-routing, added latency, or point of failure
Custom Rules
Web Application Firewall
Description
• WAF Custom Rules implemented in Akamai metadata written by Akamai Professional Services
• Rules are created and managed in customer portal
• Rules are then associated with firewall policies and deployed with WAF in 45 minutes
The Result
• New rule logic can be built to handle specific use cases for the customer
• Rules can be built that execute when one or more baseline rules or rate control rules match
• Output of application vulnerability products can be implemented as “virtual patches”
• Advanced piping to user validation actions can be achieved (prioritization)
Adaptive Rate Controls
Malicious Behavior Detection
• Specify number of requests per second against a given URL
  o Controls requests based on behavior pattern – not request structure
    • Use client IP address, session ID, cookies, etc.
• Configure rate categories to control request rates against digital properties
  o Mitigate rate-based DDoS attacks
• Statistics collected for 3 request phases
  o Client Request – Client to Akamai Server
  o Forward Request – Akamai Server to Origin
  o Forward Response – Origin to Akamai Server
• Statistics collected allow us to ignore large proxies and pick out a malicious user hiding behind a proxy
• Statistics collected allow for detection of pathological behavior by a client
  o Request rate is excessive for any stage
  o Requests causing too many Origin errors
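Added example (not Akamai's code, not part of the deck): a small Python model of the behavior-based rate control on this slide, using the rate-control keys named on the Kona 2.0 slide (Session-ID; Client-IP+User-Agent). It counts requests per key, per URL and per second for the client-request and forward-request stages, counts origin errors, and shows why keying on session ID or IP+User-Agent lets the proxy's innocent user through while an IP-only key lumps both users together. The log records, thresholds and key-mode names are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample records (not real Akamai logs), one per client request:
# (second, client_ip, user_agent, session_id, url, forwarded_to_origin, origin_status)
# Sessions s1 and s2 sit behind the same proxy IP; only s2 hammers /login and
# draws 5xx responses from the origin.
SAMPLE_LOG = (
    [(0, "203.0.113.10", "UA-A", "s1", "/home", False, None)] * 2
    + [(0, "203.0.113.10", "UA-B", "s2", "/login", True, 500)] * 4
    + [(0, "203.0.113.10", "UA-B", "s2", "/login", True, 200)]
    + [(1, "198.51.100.7", "UA-C", "s3", "/home", True, 200)]
)


def rate_key(ip, ua, session_id, mode):
    """Identity a rate category is keyed on: the slide's Session-ID and
    Client-IP+User-Agent keys, plus a naive IP-only key for comparison."""
    if mode == "session":
        return session_id
    if mode == "ip_ua":
        return f"{ip}|{ua}"
    if mode == "ip":
        return ip
    raise ValueError(f"unknown key mode: {mode}")


def detect(records, mode="session", max_rps=3, max_origin_errors=3):
    """Return {key: [reasons]} for keys whose per-URL rate is excessive at the
    client-request or forward-request stage, or that cause too many origin
    errors. Thresholds are assumed values, not Akamai defaults."""
    per_sec = defaultdict(Counter)  # (key, url, stage) -> {second: requests}
    origin_errors = Counter()       # key -> number of 5xx origin responses
    for sec, ip, ua, sess, url, forwarded, status in records:
        key = rate_key(ip, ua, sess, mode)
        per_sec[(key, url, "client_request")][sec] += 1
        if forwarded:  # only forwarded requests count toward the origin stage
            per_sec[(key, url, "forward_request")][sec] += 1
            if status is not None and status >= 500:
                origin_errors[key] += 1
    flagged = defaultdict(set)
    for (key, url, stage), per_second in per_sec.items():
        if max(per_second.values()) > max_rps:
            flagged[key].add(f"{stage} rate exceeded on {url}")
    for key, n in origin_errors.items():
        if n > max_origin_errors:
            flagged[key].add("too many origin errors")
    return {k: sorted(v) for k, v in flagged.items()}
```

Running detect(SAMPLE_LOG, "ip") flags the whole proxy address, while the "session" and "ip_ua" modes flag only s2 / UA-B and leave s1 / UA-A untouched.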
Security Monitor (1 of 3)
[Dashboard screenshot: timeline of requests by hour; visual display of requests by geography; requests by WAF Rule ID; requests by WAF Message; requests by WAF Tag]
Security Monitor (2 of 3)
[Dashboard screenshot: multiple ways to display request statistics]
Security Monitor (3 of 3)
[Dashboard screenshot: requests by city; requests by client IP address; ARLs being attacked]