© Copyright Fortinet Inc. All rights reserved.
FortiWeb: Evolve your approach to managing security for Web Applications
24/09/2020
Web Applications are an Easy Target
48% of all data breaches are caused by application vulnerabilities [1]
147.9m US citizens' personal info stolen in a 2017 web application breach
42% of all websites have at least one severe vulnerability [2]
Notes/Sources: 1. Verizon 2018 Data Breach Report. 2. Acunetix Web Application Vulnerability Report 2017.
Web Applications Require Specialized Protection
“The web application firewall (WAF) market is driven by a customer's need to protect public and internal web applications when they are deployed locally (on-premises) or remotely (hosted, cloud-based or as a service).”
“WAFs are deployed in front of web servers to protect web applications against external and internal attacks, to monitor and control access to web applications, and to collect access logs for compliance/auditing and analytics.”
Traditional Vulnerability Patching can take Months
[Diagram: mock web application login form (user ID and password) targeted by an exploit]
• Attackers target known exploits and develop new ones
• Development time to patch can take weeks to months
• Time to issue a patch can take weeks to even months
• Inherited legacy apps may not have development expertise
Possible outcomes: data breach, application outage, spread of malware, theft of credentials
Dynamic Security Patching for Web Applications
[Diagram: FortiWeb Web Application Firewall blocking exploit attempts before they reach the application]
FortiWeb Web Application Firewall
• Protect from known and unknown application exploits
• Temporarily patch exploits until permanent fix
• Can act as permanent patch for inherited or legacy applications
Protects against web application vulnerabilities that can lead to data breaches or shut down mission-critical systems for customers, partners or employees
FortiWeb Typically Deployed in Front of Web Servers
[Diagram: FortiGate at the perimeter, FortiWeb in front of the web servers, with FortiGuard feeds to FortiWeb]
FortiGuard services:
• WAF Signatures
• IP Reputation
• Antivirus
• Credential Stuffing Defense
• FortiSandbox Cloud
FortiWeb Product Line
Appliances
• 7 models
• 25 Mbps to 20 Gbps
• Support for 10GE
Public Cloud
• 4 VM models
• BYOL
• On-demand
Virtual Machines
• 4 VM models
• CPU-based
• Perpetual licensing
SaaS (FortiWeb Cloud)
• Subscription
• Based on throughput and number of sites
FortiWeb – Web Application Firewalls
• 7 HW appliances (25 Mbps to 20 Gbps)
• 4 VMs
• Public Cloud and SaaS versions available
• FortiGate, FortiSandbox, and FortiAnalyzer integration
CORE FEATURES*
Machine Learning Threat Detection
Layer 7 DDoS protection
FortiGuard antivirus, IP reputation, FortiSandbox Cloud, Credential Stuffing Defense, and WAF signatures
Exchange Publishing and Attachment Scanning
Native HTTP/2 WAF protection
Central Management/ADOMs
REST API
Included vulnerability scanner
Virtual Patching/3rd Party support
Advanced False Positive Mitigation
Advanced SQLi detection
SSL offloading/compression
SSO/Authentication
Layer 7 load balancing
* Some features not supported on all platforms/formats
FortiWeb VMs
• VM01 – 25 Mbps
• VM02 – 100 Mbps
• VM04 – 500 Mbps
• VM08 – 2 Gbps
• 1 to 8 CPUs supported
• Unlimited memory support
• Up to 10 network interfaces
• 40 GB to 1 TB storage supported
• VMware, Hyper-V, Citrix XenServer, Open Source Xen, KVM
• Amazon Web Services (AWS), Azure
• MSSP On-Demand
FortiWeb Appliance/VM Product Lines (Performance & Scalability)
[Chart: appliance models positioned by WAF throughput]
WAF throughput: < 1 Gbps | 1 – 10 Gbps | 10+ Gbps
SSL processing: Software | SPU/ASIC | SPU/ASIC
Ports: GE | GE/10GE | GE/10GE
Models below 1 Gbps: FWB-100E, FWB-400E, FWB-600E (50, 250 and 750 Mbps)
Models from 1 to 10 Gbps: FWB-1000E, FWB-2000E, FWB-3000E (1.3, 2.5 and 5.0 Gbps)
Models above 10 Gbps: FWB-4000E (20.0 Gbps)
FortiWeb Cloud – SaaS Web Application Firewall
[Diagram: FortiWeb Cloud in front of the customer's web server]
WAF "Lite" focused on quick setup and minimal day-to-day operations
• Hosted by Fortinet
• Web-based management
• Flexible pricing based on throughput and number of sites
Benefits
• No hardware/software to manage
• Buy only what is needed
• "Set and forget" WAF
• Simplified and fast deployment
Great for SMB Web Applications, Distributed Applications, and Enterprise DevOps Testing Environments
FortiGuard Services for FortiWeb Appliances/VMs
WAF Security Service: Application layer signatures, machine learning threat detection models, malicious bots, suspicious URL patterns, vulnerability scanner updates
IP Reputation: Protection from automated attacks, malicious sources, DDoS, phishing, botnets, spam, anonymous proxies and infected sources
Antivirus: Scan file uploads; regular and extended AV databases
Credential Stuffing Defense: Identifies stolen credentials, provides visibility or can block access; aggregated from numerous sources
FortiCloud Sandbox: FortiSandbox hosted by Fortinet, subscription-based; no separate sandbox required
Standard Bundle: 3 services plus FortiCare
Advanced Bundle: 5 services plus FortiCare
Layered, Correlated, Weighted Protection
[Diagram: attacks/threats pass through correlated protection layers before reaching the application; results feed user/device threat scoring]
• IP Reputation: botnets, malicious hosts, anonymous proxies, DDoS sources
• DDoS Protection: application-level DDoS attacks
• Protocol Validation: improper HTTP (RFC violations)
• Attack Signatures: known application attack types
• Antivirus/DLP: viruses, malware, loss of data
• Behavioral Validation: unknown application attacks, detected with machine learning
• Advanced Protection: scanners, crawlers, scrapers, credential stuffing
• Integration: FortiGate and FortiSandbox APT detection
The Next Generation of Web Application Protection
FW/IPS (FortiGate and competitors): 100% signature-based
Strengths
• Single device
• Known attack detection
• Simplified "1-click" deployment
Weaknesses
• Limited HTTP understanding
• No session awareness
• No application awareness
• No user awareness
• No false positive tuning
• Limited WAF feature sets
WAF (FortiWeb and competitors): Application learning
Strengths
• Signatures + auto scanning
• Aware of application elements
• Knows normal traffic patterns
• Detects anomalies
Weaknesses
• High false positive detections
• Labor intensive to fine tune
• Learning not 100% reliable
• Changes require re-learning
Next step: Machine Learning
Traditional WAF Application Learning Detection
[Diagram: application traffic checked against a whitelist; legend: normal request, benign anomaly, threat]
Threat detection: whitelist matching using observed request traffic during "learning windows". All anomalies are blocked, producing blocked request traffic (with false positives) and allowed request traffic (with false negatives).
Known Issues/Limitations
• Blocking all anomalies leads to high false positives
• Accuracy requires labor-intensive fine tuning
• Unobserved variations trigger anomalies
• Whitelisting characters used in attacks leads to threats evading detection
• Changes to application require relearning
FortiWeb Employs 2 Layers of Machine Learning
[Diagram: two-stage pipeline; legend: normal request, benign anomaly, threat]
Layer 1, Anomaly Detection: statistical probability analysis based on observed application traffic over time. Normal request traffic is allowed; anomalies are passed to the second layer.
Layer 2, Threat Detection: pattern analysis matching based on FortiGuard trained and curated threat models. Threats are blocked; normal and benign traffic is allowed.
How FortiWeb ML Works - Simplified
[Diagram: application traffic sorted into normal traffic, anomalies and attacks]
User sends "Mark Smith" in the application form field for NAME. FortiWeb ML expects letters only in this field and sees this as normal application traffic.
ALLOWED
User accidentally sends "Janette Smit&" in the application form field for NAME. FortiWeb ML predicts that this is an anomaly relative to the normally expected field entries, but not a threat.
ALLOWED
User sends "SELECT *.* FROM CUSTOMER" in the application form field for NAME. FortiWeb ML with the FortiGuard SVM predicts that this is an anomaly AND AN ATTACK.
BLOCKED
FortiWeb ML matches the entry against the characters normally expected for the field and the typical length of field entries. A Support Vector Machine (SVM) separates threats from anomalies using vector patterns from FortiGuard Labs.
https://www.example.com/insert?firstname=Mark&lastname=Smith
https://www.example.com/insert?firstname=Janette&lastname=Smit&
https://www.example.com/insert?firstname=”SELECT *.* FROM CUSTOMER”
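The three NAME values above, run through a toy two-layer check. This is an added illustration of the approach the slide describes, not FortiWeb's code: layer 1 learns the character groups and typical length of the NAME field from a constructed sample of normal values, and layer 2, which here stands in for the FortiGuard-trained SVM with a few hand-written attack patterns (an assumption for the demo), inspects only the anomalies.

```python
import re

# Constructed sample of normal NAME values; layer 1 learns its profile from these.
OBSERVED_NAMES = ["Mark Smith", "Anne Jones", "Sean O'Neil", "Anne-Marie Lee"]
# Layer-2 stand-in for the FortiGuard-trained SVM (assumption for this demo):
# a few attack patterns that a flagged anomaly is checked against.
THREAT_PATTERNS = [
    re.compile(r"\b(select|union|insert|update|delete|drop)\b.*\b(from|into|table|set)\b", re.I | re.S),
    re.compile(r"\bor\b\s*['\"]?\s*\w+\s*=\s*\w+", re.I),  # tautology such as OR 1=1
    re.compile(r"<\s*script\b", re.I),                      # injected script tag
]

def char_class(ch):
    """Coarse character group tracked by the layer-1 profile."""
    if ch.isalpha():
        return "alpha"
    if ch.isdigit():
        return "digit"
    if ch in " -'":
        return "name-punct"
    return "other"

def build_profile(values):
    """Layer 1 learning: allowed character groups and a length bound for the field."""
    groups = {char_class(ch) for v in values for ch in v}
    return {"groups": groups, "max_len": max(len(v) for v in values)}

def is_anomaly(profile, value):
    """Layer 1: unexpected character groups or an unusual length."""
    unexpected = {char_class(ch) for ch in value} - profile["groups"]
    too_long = len(value) > 2 * profile["max_len"]  # slack factor is an assumption
    return bool(unexpected) or too_long

def is_threat(value):
    """Layer 2: only anomalies get here; verify whether they look like an attack."""
    return any(p.search(value) for p in THREAT_PATTERNS)

def classify(profile, value):
    """ALLOWED for normal values, ALLOWED (anomaly) for benign anomalies, BLOCKED for threats."""
    if not is_anomaly(profile, value):
        return "ALLOWED"
    if is_threat(value):
        return "BLOCKED"
    return "ALLOWED (anomaly)"  # flagged but not blocked: no false positive

if __name__ == "__main__":
    profile = build_profile(OBSERVED_NAMES)
    for name in ["Mark Smith", "Janette Smit&", "SELECT *.* FROM CUSTOMER"]:
        print(f"{name!r:30} -> {classify(profile, name)}")
```

An over-long but letters-only value is also flagged by layer 1 and then let through by layer 2, which is the false-positive case the two-layer design is meant to avoid.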
Application Learning vs. Machine Learning
Methodology
• Application Learning: Block on profile violations
• FortiWeb Machine Learning: Block anomalies that are verified as real attacks
Profile Building
• Application Learning: Basic; adds traffic elements to profile; no distinction between 'good' characters and 'dangerous' character groups that are used in attacks
• FortiWeb Machine Learning: Sophisticated; learning done using machine learning algorithms; different threat values for character groups
Attack Detection
• Application Learning: Are characters in the parameter allowed in the profile?
• FortiWeb Machine Learning: What is the attack probability of the request?
Protect Mode Engagement
• Application Learning: Manual, depending on vendor
• FortiWeb Machine Learning: Automatic
Attack Verification
• Application Learning: No
• FortiWeb Machine Learning: Yes, using the second machine learning layer
False Positives
• Application Learning: High (every anomaly that doesn't fit the profile is blocked)
• FortiWeb Machine Learning: Limited (anomalies are flagged, then inspected by the second machine learning layer for threat detection)
Tuning Requirements
• Application Learning: High
• FortiWeb Machine Learning: Minimal
Application Changes
• Application Learning: Limited adaptability (legitimate traffic blocked until profile updated)
• FortiWeb Machine Learning: Automatic (legitimate traffic not blocked, due to the second layer)
Advantages
• Application Learning: Allows reviewing the profile; easy concept to understand
• FortiWeb Machine Learning: Easy to deploy/manage; no manual intervention required; very few false positives; addresses both false positives and false negatives
Benefits of FortiWeb with Machine Learning
• Near 100% application threat detection accuracy
• Virtually no resources required to deploy and fine-tune FortiWeb
• Detects attacks that application learning-based WAFs cannot
• Adjusts automatically as applications change
• Almost a "Set and Forget" WAF
Fortinet Security Fabric Integration
[Diagram: FortiGate (WCCP, external WAF on) forwards HTTP traffic to FortiWeb in front of the web server; quarantined IPs are shared back to FortiGate; files are sent to FortiSandbox for inspection; third-party scanners feed FortiWeb]
FortiGate
» Compromised user sharing with IP polling
» Simplified setup with WCCP protocol
FortiSandbox
» File scanning for unknown threats
» APT protection
» Also available with FortiSandbox Cloud
Third-party Scanners
» IBM AppScan and QRadar
» HP WebInspect
» WhiteHat
» Qualys
» Acunetix
FortiView for FortiWeb
Visual tools that quickly display suspicious activity and provide unique threat insights, including:
» Origin of threats
» Common violations
» Client/device risks
Real-time log and drill-down analytics:
» Server/IP configurations
» Attack and traffic logs
» Attack maps
» User/device activity
Based on FortiOS FortiView; first of its kind in the WAF market
FortiWeb Reviews: Gartner and NSS Labs
Gartner WAF MQ 2019: Challenger
NSS Labs 2017 WAF Testing: Recommended
Quick FortiWeb Tour
And the SaaS Cloud version? Here it is, enjoy the tour!
https://www.fortiweb-cloud.com/root/applications
FortiWeb Leads with Speed and Features
PERFORMANCE: Fastest protected WAF throughput at 20 Gbps
INTEGRATION: Only WAF with firewall and sandbox integration
INNOVATION: Only WAF with true machine learning
LOW TCO: 30% lower TCO compared to direct competitors
FortiWeb – Product Summary
Web Application Firewall: Protects hosted, web-based applications from exploits such as:
» SQL Injection
» Cross Site Scripting
» Improper application authentication
» OWASP Top 10 Threats
Versions/models for virtually any segment or customer (hardware, VM, AWS, Azure, SaaS)
Why FortiWeb?
» Fastest protected WAF throughput at 20 Gbps
» Fortinet Security Fabric and third-party integration
» Security effectiveness as rated by NSS
» Industry-leading machine learning-based protection