View
235
Download
3
Category
Tags:
Preview:
Citation preview
Web Application Firewall (WAF)
RSA® Conference 2013
©2013 AKAMAI | FASTER FORWARDTM
The Cybercrime Landscape in 2013
Attacks have become more sophisticated...
…and easier to carry out
Source: hackmageddon.com/
…industry agnostic...
©2013 AKAMAI | FASTER FORWARDTM
Moving From Network to Application Layer
Target of Traditional DDoS Attacks
Network Layer
(Layers 3/4)
Application Layer
(Layer 7)
Where increasing number of attacks are focused
©2013 AKAMAI | FASTER FORWARDTM
Web Application Firewall Highlights
• Operates at the network edge – over 100,000 servers• Inspects requests and responses for malicious content and info leakage• Inspects packets to protect against attacks such as SQL Injections &
Cross-Site Scripts • Configurable to log or block activities against policy• Protects organizations against application layer attacks propagated via
HTTP and HTTPS• Enables compliance with PCI DSS 1.2 section 6.6• Provides advanced rate controls (behavioral based protections) • Propagates quickly (~30 minutes)• Configured via portal
©2013 AKAMAI | FASTER FORWARDTM
Kona Security Solutions 2.0
•ModSecurity Rule Update• Core Rule Set 2.2.6• Legacy CRS support
•Akamai Common Rules • Based on Akamai’s unique view• 20 – 25% of internet traffic
•Advanced Rate Controls• Session-ID; Client-IP+User-Agent
•Rule Upgrade Wizard
©2013 AKAMAI | FASTER FORWARDTM
©2013 AKAMAI | FASTER FORWARDTM
Appendix & Details
©2013 AKAMAI | FASTER FORWARDTM
Akamai Intelligent Platform™Deflecting Network Layer Attacks at the Edge
Network Layer attack mitigation Built-in protection is “always on” Only Port 80 (HTTP) or Port 443 (HTTPS) traffic
allowed on Platformo All other traffic dropped at the Akamai Edge
• Attack traffic never makes it onto Platform• Customer not charged for traffic dropped at Edge
o Absorbs attack requests without requiring identificationo Requires CNAME onto Akamai Intelligent Platform
Absorbs attacks through massive scale ~5.5 Tbps average throughput; up to 8Tbps Distribution of HTTP request traffic across 100,000+
servers; 1,100+ networks No re-routing, added latency, or point of failure
Examples of attacks types dropped at Akamai Edge UDP Fragments ICMP Floods SYN Floods ACK Floods RESET Floods UDP Floods
©2013 AKAMAI | FASTER FORWARDTM
Custom RulesWeb Application Firewall
Description WAF Custom Rules implemented
in Akamai metadata written by Akamai Professional Services
Rules are created and managed incustomer portal Rules are then associated with firewall policies and deployed with WAF in 45 minutes
The Result New rule logic can be built to handle
specific use cases for the customer Rules can be built that execute when
one or more baseline rules or rate control rules match
Output of application vulnerability products can be implemented as “virtual patches”
Advanced piping to user validation actions can be achieved (prioritization)
©2013 AKAMAI | FASTER FORWARDTM
Custom RulesWeb Application Firewall
Description WAF Custom Rules implemented
in Akamai metadata written by Akamai Professional Services
Rules are created and managed incustomer portal Rules are then associated with firewall policies and deployed with WAF in 45 minutes
The Result New rule logic can be built to handle
specific use cases for the customer Rules can be built that execute when
one or more baseline rules or rate control rules match
Output of application vulnerability products can be implemented as “virtual patches”
Advanced piping to user validation actions can be achieved (prioritization)
©2013 AKAMAI | FASTER FORWARDTM
Adaptive Rate ControlsMalicious Behavior Detection
Specify number of requests per second against a given URLo Controls requests based on behavior
pattern – not request structure• Use client IP address, session ID, cookies, etc.
Configure rate categories to control request rates against digital properties•Mitigate rate-based DDoS attacks
Statistics collected for 3 request phaseso Client Request – Client to Akamai Servero Forward Request – Akamai Server to Origino Forward Response – Origin to Akamai Server
Statistics collected allow us to ignore large proxies and pick out a malicious user hiding behind a proxy
Statistics collected allow for detection of pathological behavior by a cliento Request rate is excessive for any stageo Requests causing too many Origin errors
©2013 AKAMAI | FASTER FORWARDTM
Adaptive Rate ControlsMalicious Behavior Detection
Specify number of requests per second against a given URLo Controls requests based on behavior
pattern – not request structure• Use client IP address, session ID, cookies, etc.
Configure rate categories to control request rates against digital properties•Mitigate rate-based DDoS attacks
Statistics collected for 3 request phaseso Client Request – Client to Akamai Servero Forward Request – Akamai Server to Origino Forward Response – Origin to Akamai Server
Statistics collected allow us to ignore large proxies and pick out a malicious user hiding behind a proxy
Statistics collected allow for detection of pathological behavior by a cliento Request rate is excessive for any stageo Requests causing too many Origin errors
©2013 AKAMAI | FASTER FORWARDTM
Security Monitor (1 of 3)
Timeline of Requests by Hour
Visual Display of Requests by Geography
Requests by WAF Message
Requests by WAF Tag
Requests by WAF Rule ID
©2013 AKAMAI | FASTER FORWARDTM
Security Monitor (2 of 3)
Multiple waysto display
request statistics
©2013 AKAMAI | FASTER FORWARDTM
Security Monitor (3 of 3)
Requests byClient IP address
Requests by City
ARLs beingattacked
©2013 AKAMAI | FASTER FORWARDTM
Recommended