
Page 1: Securing & Sécuring & Services Firewalls accelerating · Deployed in your DMZ, behind your network firewall, DenyAll Protect’s web application/services firewalls block application-layer

DenyAll Protect Web Application & Services Firewalls

Securing & accelerating your applications

DenyAll Protect

Corporate or eCommerce website, email, collaborative tools, enterprise application portals, web services and database servers: your applications are central components of your information system, and hackers’ favorite targets.

Deployed in your DMZ, behind your network firewall, DenyAll Protect’s web application/services firewalls block application-layer attacks targeting your IT infrastructure. The result of 15 years of innovation, they combine advanced functions to effectively protect you, even against zero-day and the most advanced application-layer attacks.

With DenyAll Protect, you can reduce the risk of vandalism, denial of service, intrusion and theft, and minimize their impact on the revenue and reputation of your organization.

DenyAll sProxy

The plug&protect web application firewall

DenyAll rXML

The best-of-breed web services firewall

DenyAll rWeb

The next generation web application and services firewall

DenyAll rWeb + Client Shield

The end-to-end application security solution

www.denyall.com

Main benefits

- Immediate protection, without complex configuration, against known and unknown application-layer attacks (injections, cross-site scripting, etc.),
- Possibility of implementing a more restrictive security policy adapted to the specific needs of your enterprise,
- Ability to effectively filter Web 2.0 languages and protocols,
- Unrivaled Web Services security, with no impact on application architecture,
- Application acceleration with a view to optimizing user experience,
- Continuity of service thanks to load balancing and high availability mechanisms,
- Central configuration and monitoring via the DenyAll management console,
- Compliance with PCI DSS (for eCommerce sites).


DenyAll sProxy 4.1: the Plug&Protect Web Application Firewall

In a Web 2.0 world, a Web Application Firewall is a vital control for securing your informational assets. Deployed effortlessly at the front end of your servers (Webmail, portal, ERP, etc.), a WAF protects your IT against modern, application-layer attacks (SQL injection, cross-site scripting, etc.), and accelerates user access. Whatever the size of your organization, or its activity, you need at least sProxy to tackle vandalism, denial of service attacks, data theft and industrial espionage threats.

Quick setup

- Deploying sProxy only requires a few clicks, thanks to an optimized graphical user interface,
- No DNS changes required: the Secure Transparent Mode eases deployment while taking advantage of reverse proxy security,
- Predefined security, acceleration and authentication policies available for common applications (Outlook Web Access, SharePoint, iNotes, SAP, etc.),
- No initial learning phase: immediate protection with no special configuration.

Protection against unknown attacks

The scoring list is a unique technology, designed to stop tomorrow’s attacks.

- Unique method for detecting unpublished (« 0-day ») attacks.
- No parameterization, learning or updating.
- Content-agnostic analysis (Ajax, JSON, JavaScript, etc.).

DenyAll Protect: a WAF complements a network firewall

Network firewalls usually authorize incoming Web traffic. They cannot, however, guarantee the safety of the data within those connection requests. A WAF ensures that incoming http/https requests don’t contain attacks, such as injections or cross-site scripting.


Functions common to all products

REVERSE PROXY
Analysis of http/https requests to only transmit to your servers those that are non-malicious.
The protocol break makes it possible to block attacks that target the vulnerabilities of your internal servers, and hides them from the outside.
The Secure Transparent Mode eases deployment (no modification of internal IP addresses) without compromising security (integral reverse proxy).

STANDARD WEB SECURITY
In-depth inspection: canonicalization (normalization of transferred data), anti-evasion and anomaly detection techniques.
Transformation of the content of requests to evade attacks based on URL malformation and header spoofing, and to prevent data theft.
Blacklist: over 1,000 filters protect against the various types of known application attacks (cross-site scripting, SQL injection, etc.). The list is updated monthly by the DenyAll Research Center (DARC).
Scoring list: determines the potential hazardousness of incoming connections by analyzing the content of requests and applying a weighting system. Protects against unknown (0-day) attacks.
The JSON security engine enables efficient filtering of this data structure by all http security engines.
The dynamic command injection engine blocks attacks and minimizes false positives.
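The inspection pipeline this section describes (canonicalization first, then a blacklist of known signatures, then a weighted scoring list for requests that no signature names) can be sketched in a few dozen lines. The Python below is an added example written for this page, not DenyAll code; the filters, weights, block threshold and sample request targets are all constructed for illustration and are a tiny fraction of what a product rule set contains.

```python
import re
import unicodedata
from urllib.parse import unquote

# Constructed sample request targets (not from the brochure), as a reverse proxy sees them.
SAMPLE_REQUESTS = {
    "benign":   "/search?q=denyall+protect&page=2",
    "encoded":  "/item?id=1%2527%2520OR%25201%253D1--",           # double-URL-encoded ' OR 1=1--
    "script":   "/comment?text=%3Cscript%3Ealert(1)%3C/script%3E",  # reflected XSS probe
    "unlisted": "/api?f=(select%20name)%20--",                      # matches no blacklist filter below
}


def canonicalize(raw: str, max_rounds: int = 3) -> str:
    """Normalize a request before inspection: undo layered URL encoding (bounded), apply
    Unicode NFKC normalization, drop NUL bytes and lower-case, so one filter sees one form."""
    s = raw
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    s = unicodedata.normalize("NFKC", s).replace("\x00", "")
    return s.lower()


# Blacklist (negative model): each filter names one known attack class. Constructed subset.
BLACKLIST = [
    ("sqli_tautology", re.compile(r"'\s*or\s+\d+\s*=\s*\d+")),
    ("xss_script_tag", re.compile(r"<script\b")),
    ("path_traversal", re.compile(r"\.\./")),
]

# Scoring list: constructs that are individually ambiguous carry a weight; the sum decides.
SCORING = [
    ("sql_comment",   re.compile(r"--|/\*"),                         3),
    ("sql_keyword",   re.compile(r"\b(union|select|insert|drop)\b"), 3),
    ("quote",         re.compile(r"'"),                              2),
    ("angle_bracket", re.compile(r"[<>]"),                           2),
    ("parenthesis",   re.compile(r"[()]"),                           1),
]
BLOCK_THRESHOLD = 5  # constructed tuning value


def inspect_request(raw: str) -> dict:
    """Run canonicalization, blacklist and scoring list over one request target."""
    canon = canonicalize(raw)
    hits = [name for name, rx in BLACKLIST if rx.search(canon)]
    matched = [(name, weight) for name, rx, weight in SCORING if rx.search(canon)]
    score = sum(weight for _, weight in matched)
    verdict = "block" if hits or score >= BLOCK_THRESHOLD else "allow"
    return {
        "canonical": canon,
        "blacklist_hits": hits,
        "score": score,
        "score_reasons": [name for name, _ in matched],
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, target in SAMPLE_REQUESTS.items():
        r = inspect_request(target)
        print(f"{label:9} {r['verdict']:5} score={r['score']:2} blacklist={r['blacklist_hits']}")
```

The "unlisted" request is the point of the scoring list: no blacklist filter matches it, but the comment marker, the SQL keyword and the parentheses together exceed the threshold, which is how a weighting system catches a request the signature set has never seen.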

USER SECURITY
User authentication via SSLv3 certificates (client certificates).

Feature overview (figure, reconstructed from the page layout):

Advanced Web App Security: Reverse Proxy, White List, Stateful, User Behavior Tracking, Adv. Detection Engines, Virtual Patching, Client Shield
XML Security: Reverse Proxy, Model Validation, XML Validation, Transformation, Black List, Stateful, SOAP Attachments, ACL
User Security: Reverse Proxy, User Authentication, SSO Integration, Cookie Tracking
High Availability: Distributivity, Active-Passive, Active-Passive
Application Acceleration: Caching, Compression, TCP Multiplexing, SSL Offloading, Server Load-Balancing
Standard Web App Security: Deep Inspection, Transformation, Black List, Scoring List, ICAP Support, Command Injection Engine, JSON security

APPLICATIONS ACCELERATION
- Caching of the most frequently requested pages
- On-the-fly compression of data
- Multiplexing of incoming connections (HTTP/1.1 tunnels)
- Termination of SSL tunnels
- Server Load Balancing: balancing of incoming traffic between the servers on your network

HIGH AVAILABILITY
Clusters, in which several WAFs work together, in active-passive mode or active-active mode, ensure redundancy for your application security. Capacity to increase the load of your applications using the active-active mode automatic synchronization mechanism, configured in just a few minutes.

UPGRADABILITY
Your application security controls evolve with your business needs. A simple license key is all you need to upgrade from sProxy to rXML (adding Web Services security), or to rWeb (and its Advanced Web Application Security), or to enable rWeb to also protect Web Services:

Web Services Security:
- Validation of XML templates
- Specific filters for attacks that target Web Services
- Protection of UDDI servers, etc.

Advanced Web Application Security:
- Whitelist (positive security model)
- User behavioral tracking
- HTTP session protection (stateful)
- Advanced Detection Engines
- Optional browser security module (Client Shield)

DenyAll Protect: a proven platform

The DenyAll Protect products are all based on a modular, proven platform, resulting from 15 years of application security innovation for demanding customers.


DenyAll rXML 4.1: best-in-class Web Services Firewall

In service-oriented architectures (SOA), application and data security is provided by rXML, which provides effective protection against application-layer attacks on your Web Services, without changing the architecture. It secures XML/SOAP transactions between internal and external components of your applications, avoiding denials of service and data theft.

Main benefits
- Securing existing Web Services with no impact on application architecture.
- High level of protection against current application-layer attacks and attacks specifically targeting Web Services.
- No learning phase: your Web Services are protected in just a few clicks.

Transparent deployment
- rXML is not a Web Service actor,
- No modification to the configuration of the components required,
- No modification to the encryption or signature key exchange architecture.

Unrivaled XML/SOAP security
- Black list: filters for Web applications and Web Services
- Unique protection against blind XPath injections
- Validation of WSDL templates reinforced by a positive/negative security mechanism
- Protection of UDDI servers through command analysis
- Simple alternative to XML Signature without modifying the Web Service operating mode

Functions specific to DenyAll rXML

Template validation: the data transmitted by Web Services are verified and made to conform to XML templates (WSDL, XSD and DTD). Additional rules can be specified to strengthen these templates.

XML validation and transformation: to avoid data loss, error messages are deleted, sensitive data are replaced and complexity is verified (maximum size of a document or maximum tree depth).

Black list: specific signatures (XPath and XML injections, DoS, etc.) combined with generic http filters offer an excellent level of security against attacks that target Web Services.

Stateful: monitoring XML elements makes it possible to avoid data alteration, whether involuntarily by a user or by an attacker during transmission.

SOAP attachments: these can be authorized or not, a maximum size can be set, and text attachments are analyzed by the XML black list and the generic HTTP filter, and by a third-party anti-virus program via the ICAP protocol.

Access control lists:
- Granular control of access to the functions of the various Web Services (by URL and function, by source IP address)
- Limitation of UDDI access to registry services, based on the source IP address or the accessed functions
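Three of the rXML functions above (the maximum document size and tree depth checks, error messages that give nothing away, and access control lists keyed by operation and source IP address) map onto a short validation routine in front of a Web Service. The Python below is an added example, not DenyAll code: the `urn:example:orders` namespace, the `GetOrder`/`CancelOrder` operations, the policy values and the sample envelopes are constructed. It covers size, depth and the ACL; WSDL/XSD conformance and entity-expansion limits are outside what it shows.

```python
import io
import ipaddress
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
SVC_NS = "urn:example:orders"                           # constructed service namespace

# Constructed policy: size and depth ceilings plus a per-operation ACL by source network.
POLICY = {
    "max_bytes": 4096,
    "max_depth": 8,
    "acl": {
        "GetOrder":    ["10.0.0.0/8", "192.168.1.0/24"],
        "CancelOrder": ["10.0.0.0/8"],
    },
}

# One generic rejection: parser and policy details are deleted from what the caller sees.
REJECT = {"allowed": False, "reason": "request rejected", "operation": None}


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def check_soap_request(body: bytes, source_ip: str, policy: dict = POLICY) -> dict:
    """Validate one SOAP request body against size, depth and the operation ACL."""
    if len(body) > policy["max_bytes"]:
        return dict(REJECT)
    stack, operation = [], None
    try:
        for event, elem in ET.iterparse(io.BytesIO(body), events=("start", "end")):
            if event == "end":
                stack.pop()
                continue
            if not stack and elem.tag != f"{{{SOAP_NS}}}Envelope":
                return dict(REJECT)                       # root must be a SOAP envelope
            if stack and stack[-1] == f"{{{SOAP_NS}}}Body" and operation is None:
                operation = _local(elem.tag)              # first child of Body is the call
            stack.append(elem.tag)
            if len(stack) > policy["max_depth"]:
                return dict(REJECT)                       # tree too deep: stop parsing now
    except ET.ParseError:
        return dict(REJECT)                               # malformed XML, no detail leaked
    if operation not in policy["acl"]:
        return dict(REJECT)
    src = ipaddress.ip_address(source_ip)
    if not any(src in ipaddress.ip_network(net) for net in policy["acl"][operation]):
        return {"allowed": False, "reason": "request rejected", "operation": operation}
    return {"allowed": True, "reason": "ok", "operation": operation}


def soap(operation_xml: str) -> bytes:
    """Wrap a constructed operation element in a SOAP 1.1 envelope."""
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>{operation_xml}'
            "</soap:Body></soap:Envelope>").encode()


# Constructed sample messages.
GET_ORDER = soap(f'<o:GetOrder xmlns:o="{SVC_NS}"><o:OrderId>42</o:OrderId></o:GetOrder>')
CANCEL = soap(f'<o:CancelOrder xmlns:o="{SVC_NS}"><o:OrderId>42</o:OrderId></o:CancelOrder>')
DEEP = soap(f'<o:GetOrder xmlns:o="{SVC_NS}">' + "<x>" * 20 + "</x>" * 20 + "</o:GetOrder>")
OVERSIZED = soap(f'<o:GetOrder xmlns:o="{SVC_NS}"><o:Note>' + "A" * 5000 + "</o:Note></o:GetOrder>")
MALFORMED = b'<soap:Envelope xmlns:soap="' + SOAP_NS.encode() + b'"><soap:Body>'

if __name__ == "__main__":
    for name, body in [("get", GET_ORDER), ("cancel", CANCEL), ("deep", DEEP),
                       ("oversized", OVERSIZED), ("malformed", MALFORMED)]:
        print(name, check_soap_request(body, "192.168.1.10"))
```

The depth check runs while parsing rather than after, so a deeply nested document is abandoned at the first element past the limit instead of being built in memory first; the size check runs before the parser sees any bytes at all.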

Example of Web Services (figure)


Modern web applications and web services take advantage of new languages and protocols (JSON, AJAX, REST, SOAP, HTML5, etc.), in order to deliver a richer user experience. Attacks evolve too, and strive to take advantage of the vulnerabilities found in complex architectures. A new generation of security controls is required to prevent attacks in such a context. DenyAll rWeb builds on a proven platform to deliver numerous security innovations, capable of identifying the nature of the requests and of blocking attacks and evasion techniques. The most comprehensive member of the Protect line, DenyAll rWeb includes all the features of DenyAll sProxy and, optionally, the full XML/SOAP Security features of DenyAll rXML.

Functions specific to DenyAll rWeb

Advanced Web Application Security

Whitelist: identification of the exact characteristics of data transmitted to Web applications. Three deployment methods ensure rapid activation and protection with no false positives.

Stateful: monitoring, signature and encryption of the data associated with HTTP sessions in order to prevent identity spoofing.

User Behavior Tracking: the behavioral analysis engine identifies and blocks attacks based on legitimate requests but with a malicious purpose, without disrupting legitimate traffic: denial of service attacks, brute force, password cracking, etc.

Advanced Detection Engines: they protect your applications against base64-encoded attacks, advanced path traversals, HTTP parameter pollution, HTTP request splitting, HTML tags and attributes, SQL injection grammar and scripting language detection, arithmetic calculations.
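Two of the functions listed above, stateful HTTP session protection (signing the data tied to a session so it cannot be altered or replayed from another source) and User Behavior Tracking (spotting a flood of individually legitimate login attempts), are illustrated by the added Python example below. It is not DenyAll code: the HMAC-SHA256 token format, the key, the lifetime and the failure thresholds are constructed assumptions, and `rewrite_user` exists only to show that a token whose payload is altered fails verification.

```python
import base64
import hashlib
import hmac
import json
from collections import defaultdict, deque

# Constructed demo key; a real deployment keeps this out of source and rotates it.
SESSION_KEY = b"constructed-demo-key-not-for-production"
SESSION_TTL = 1800.0  # seconds, constructed value


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session(user: str, client_ip: str, issued_at: float) -> str:
    """Bind a session to a user and a source address and sign the binding with HMAC-SHA256."""
    payload = json.dumps({"u": user, "ip": client_ip, "t": issued_at},
                         separators=(",", ":")).encode()
    sig = hmac.new(SESSION_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_session(token: str, client_ip: str, now: float):
    """Return the user for a valid token; None if it is forged, malformed, presented from
    another address, or expired. The signature comparison is constant-time."""
    try:
        p64, s64 = token.split(".")
        payload, sig = _unb64(p64), _unb64(s64)
    except ValueError:            # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(SESSION_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    data = json.loads(payload)
    if data["ip"] != client_ip or now - data["t"] > SESSION_TTL:
        return None
    return data["u"]


def rewrite_user(token: str, new_user: str) -> str:
    """Alter the payload of an existing token while keeping its signature, to demonstrate
    that the altered session is rejected by verify_session."""
    p64, s64 = token.split(".")
    data = json.loads(_unb64(p64))
    data["u"] = new_user
    return f"{_b64(json.dumps(data, separators=(',', ':')).encode())}.{s64}"


class BehaviorTracker:
    """Sliding-window counter per source: more than max_failures failed logins within
    window seconds marks the source as automated (brute force, password cracking)."""

    def __init__(self, max_failures: int = 5, window: float = 60.0):
        self.max_failures, self.window = max_failures, window
        self.failures = defaultdict(deque)

    def record_failure(self, source: str, now: float) -> bool:
        """Record one failed attempt; return True when the source should be blocked."""
        q = self.failures[source]
        q.append(now)
        while q and now - q[0] > self.window:   # drop attempts that fell out of the window
            q.popleft()
        return len(q) > self.max_failures


if __name__ == "__main__":
    tok = issue_session("alice", "10.0.0.7", 1000.0)
    print(verify_session(tok, "10.0.0.7", 1100.0), verify_session(rewrite_user(tok, "admin"), "10.0.0.7", 1100.0))
    tracker = BehaviorTracker()
    print([tracker.record_failure("198.51.100.9", float(i)) for i in range(6)])
```

Binding the token to the source address is what the brochure's "identity spoofing" wording refers to: a valid token copied from one client is useless from another, and any edit to the user or timestamp invalidates the signature. The tracker only counts failures, so a user who types a wrong password twice is never affected; only sustained automated attempts cross the threshold.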

«End to end» Application Security

The browser is the notable weak point in a Web application chain, because it can run on a compromised device. In addition to filtering the server side, rWeb can also deliver Client Shield, an optional module which controls the safe execution of browsers connecting to rWeb, step-by-step. It blocks malware attempting to leverage an authenticated connection to access the back-end application and steal your data. Client Shield is available by default for Outlook Web Access. It can be configured to protect any browser-based application. The Shield technology, designed by our partner Promon, is also able to secure browser and mobile applications running on iOS and Android devices.

User Security

To incorporate the user dimension of server connections, rWeb can delegate the authentication process to third-party components such as LDAP or Active Directory servers, CA SiteMinder (SSO), SecurID (strong authentication) or RADIUS.

Integration with DenyAll Detect products

rWeb can digest Detect vulnerability scan reports and offer ad hoc options for virtually patching the found vulnerabilities. Eventually, this integration will automate the discovery of unprotected applications and deployment of the appropriate security policy.

DenyAll rWeb 4.1: the Next Generation WAF

Example of virtual patching with DenyAll Detect (figure)


DenyAll Protect

Competitive advantages

63ter avenue Edouard Vaillant
92 100 Boulogne-Billancourt FRANCE
+33 1 46 20 96 00

DenyAll is an innovative leader in application security. We help organizations identify IT vulnerabilities in their infrastructure, secure and accelerate their Web applications & services. Our reverse-proxy based firewalls protect transactional sites, Web-enabled, SOA and cloud-based applications against known and unknown attacks. Headquartered in France, we sell through partners in Europe, Africa, the Middle East, Asia and Latin America.

Detect Protect Manage©

NEXTSTEP CONSEIL 04/2013

Positive and negative security functions combined for maximum security
Blacklist (known attacks), whitelist, http session protection.

Unique Security Features:
- Advanced Detection Engines are new modules designed to effectively filter new languages and protocols (JSON, HTML5, etc.) and deal with the obfuscation and evasion techniques used by hackers.
- The Scoring list protects your infrastructure against unknown (zero day) application-layer attacks.
- The User Behavior Tracking function stops automated attacks (denial of service, password cracking, site downloading, etc.).
- The Client Shield option controls the safe execution of browsers connecting to your applications, preventing man-in-the-browser malware from hijacking the session.

Integration with the DenyAll Detect products
Detect scan reports imported into rWeb offer options for virtually patching the found vulnerabilities that match your goals (maximizing security, optimizing performance, reducing false positives). Eventually, this integration will automate the discovery of unprotected applications and deployment of the appropriate security policy.

Easy and secure deployment
The Secure Transparent Mode provides easy deployment without compromising security (reverse proxy). In pooling mode, no connection is initiated from the DMZ; the LAN queries the DMZ.

Form factor choice
DenyAll Protect web application/services firewalls are available as virtual appliances, physical appliances or Linux-based software.
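Virtual patching as described in the "Integration with the DenyAll Detect products" paragraph above and in the rWeb section (scan findings turned into WAF rules, with a choice between maximizing security, optimizing performance and reducing false positives) can be shown with a small rule generator. The Python below is an added example, not DenyAll or Detect code; the scan report format, the signatures, the whitelist shapes and the three goal names are constructed for illustration.

```python
import re

# Constructed scan report (not a real Detect export): one finding per vulnerable parameter.
SCAN_REPORT = [
    {"path": "/item", "param": "id", "type": "sqli"},
    {"path": "/comment", "param": "text", "type": "xss"},
]

# Negative signatures per finding type (constructed, deliberately small).
SIGNATURES = {
    "sqli": re.compile(r"'|--|\b(or|union|select)\b", re.I),
    "xss": re.compile(r"<|>|javascript:", re.I),
}

# Positive shapes: what the parameter is allowed to look like when the goal is maximum security.
SHAPES = {
    "sqli": re.compile(r"^\d{1,10}$"),            # an id is a plain integer
    "xss": re.compile(r"^[\w .,!?'-]{1,200}$"),   # free text without markup
}


def build_virtual_patches(report: list, goal: str) -> list:
    """Turn each finding into one rule scoped to its path and parameter. The goal picks
    the model (whitelist or blacklist) and the action (block or log)."""
    if goal == "maximize_security":
        model, table, action = "whitelist", SHAPES, "block"
    elif goal == "optimize_performance":
        model, table, action = "blacklist", SIGNATURES, "block"
    elif goal == "reduce_false_positives":
        model, table, action = "blacklist", SIGNATURES, "log"
    else:
        raise ValueError(f"unknown goal {goal!r}")
    return [{"path": f["path"], "param": f["param"], "model": model,
             "pattern": table[f["type"]], "action": action} for f in report]


def evaluate(rules: list, path: str, params: dict) -> tuple:
    """Apply the patches to one request (already-decoded parameters).
    Returns (decision, violated rule labels) with decision in {'allow', 'log', 'block'}."""
    decision, violated = "allow", []
    for rule in rules:
        if rule["path"] != path or rule["param"] not in params:
            continue                                  # patch is scoped to the finding
        value = params[rule["param"]]
        if rule["model"] == "whitelist":
            bad = rule["pattern"].search(value) is None   # anything off-shape is a violation
        else:
            bad = rule["pattern"].search(value) is not None
        if bad:
            violated.append(f'{rule["model"]}:{rule["path"]}?{rule["param"]}')
            if rule["action"] == "block":
                decision = "block"
            elif decision != "block":
                decision = "log"
    return decision, violated


if __name__ == "__main__":
    for goal in ("maximize_security", "optimize_performance", "reduce_false_positives"):
        rules = build_virtual_patches(SCAN_REPORT, goal)
        print(goal, evaluate(rules, "/item", {"id": "42abc"}), evaluate(rules, "/item", {"id": "1' OR 1=1"}))
```

The three goals differ in the trade-off they make on the same finding: the whitelist rule rejects any value that is not an integer, including harmless ones a signature would pass; the blacklist rule costs one regex per request and only fires on a known pattern; the log-only rule changes nothing for users and lets an operator review matches before switching it to block.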

Product comparison (columns assumed to be the four Protect products in the order presented on page 1):

Feature                              sProxy   rXML   rWeb   rWeb + Client Shield
High Availability & Scalability      v        v      v      v
Application Acceleration             v        v      v      v
Manageability (via DAMC)             v        v      v      v
Standard Web Application Security    v        v      v      v
XML/SOAP security                             v      v*     v*
Advanced Web Application Security                    v      v
User Security                        Basic           v      v
Browser Security                                            v

* Optional