THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS

70% of ALL threats are at the Web application layer. (Gartner)

INCONVENIENT STATISTICS
Copyright © 2013 Juniper Networks, Inc. www.juniper.net

73% of organizations have been hacked in the past two years through insecure Web apps. (Ponemon Institute)
THE COST OF AN ATTACK
Ponemon Institute: average breach costs $214 per record stolen.

Theft: Sony stolen records: 100M
Revenue: Sony direct costs: $171M
  • 23 day network closure
  • Lost customers
  • Security improvements
Reputation: Sony lawsuits: $1-2B
HACKER THREATS

Scripts, Tools, Exploits: Generic scripts and tools against one site.
Targeted Scan: Targets a specific site for any vulnerability.
IP Scan: Script run against multiple sites seeking a specific vulnerability.
Botnet: Script loaded onto a bot network to carry out the attack.
Human Hacker: Sophisticated, targeted attack (APT). Low and slow to avoid detection.
(Timeline axis: Jan, June, Dec)
WEB APP SECURITY TECHNOLOGY

                                           Web Application   Web Intrusion
                                           Firewall          Prevention System
Detection    Signatures                    Yes               Yes
             Tar Traps                     No                Yes
Tracking     IP address                    Yes               Yes
             Browser, software and scripts No                Yes
Profiling    IP address                    Yes               Yes
             Browser, software and scripts No                Yes
Responses    Block IP                      Yes               Yes
             Block, warn and deceive       No                Yes
PCI Section 6.6                            Yes               Yes
THE JUNOS WEBAPP SECURE ADVANTAGE: DECEPTION-BASED SECURITY

Detect: "Tar Traps" detect threats without false positives.
Track: Track IPs, browsers, software and scripts.
Profile: Understand the attacker's capabilities and intents.
Respond: Adaptive responses, including block, warn and deceive.
THE ANATOMY OF A WEB ATTACK

Phase 1: Reconnaissance (days or weeks)
Phase 2: Attack Vector Establishment (weeks or months)
Phase 3: Implementation (weeks or months)
Phase 4: Automation (months or years)
Phase 5: Maintenance (years)

DETECTION BY DECEPTION
(Diagram labels: Network Perimeter, Web App Firewall)

Tar Traps:
• Query String Parameters
• Hidden Input Fields
(Diagram labels: Client, Firewall, App Server, Database, Server Configuration)

TRACK ATTACKERS BEYOND THE IP

Track IP Address
Track Browser Attacks: Persistent Token
Track Software and Script Attacks: Fingerprinting
Fingerprinting: HTTP communications.
Persistent Token: Capacity to persist in all browsers, including various privacy control features.

RESPOND AND DECEIVE

Junos WebApp Secure Responses, by threat type (Human Hacker, Botnet, Targeted Scan, IP Scan, Scripts & Tools, Exploits):
• Warn attacker
• Block user
• Force CAPTCHA
• Slow connection
• Simulate broken application
• Force log-out
All responses are available for any type of threat. Highlighted responses are most appropriate for each type of threat.
SMART PROFILE OF ATTACKER

• Every attacker assigned a name
• Attacker threat level
• Incident history
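As an added illustration of the detect, track, profile and respond flow in these slides (example code, not Junos WebApp Secure's own), the Python below plants two tar traps, a query-string parameter and a hidden input field that a browser never alters, keys the attacker profile on a persistent token rather than the IP address, and escalates the response with the profile's threat level. The trap names, the cookie name, the severity values and the thresholds are assumptions made for this example.

```python
"""Tar traps, attacker profiles and adaptive responses: an added illustration of
the deception model in these slides, not Junos WebApp Secure code. Trap names,
the token cookie name, severities and thresholds are assumptions for the example."""
from urllib.parse import parse_qs

TRAP_PARAM = "debug"          # query-string tar trap: every real link carries debug=0
TRAP_FIELD = "referral_code"  # hidden-input tar trap: every real form submits it empty
TOKEN_COOKIE = "wasid"        # persistent token, so a profile survives an IP change
SEVERITY = {"query_param_manipulation": 2, "hidden_field_manipulation": 3,
            "suspicious_file_request": 1}
profiles = {}                 # token -> {"name", "level", "incidents"}


def detect(request):
    """Return the incident type a request triggers, or None for normal traffic."""
    qs = parse_qs(request.get("query", ""), keep_blank_values=True)
    if TRAP_PARAM in qs and qs[TRAP_PARAM] != ["0"]:
        return "query_param_manipulation"   # a browser never edits debug=0
    if request.get("form", {}).get(TRAP_FIELD, "") != "":
        return "hidden_field_manipulation"  # a browser submits the field untouched
    if request["path"].endswith((".bak", ".old", "/.git/config")):
        return "suspicious_file_request"    # request for a known suspicious file
    return None

def record(request, incident):
    """Attach the incident to the attacker's profile, keyed by token rather than IP."""
    token = request.get("cookies", {}).get(TOKEN_COOKIE) or request["ip"]
    profile = profiles.setdefault(
        token, {"name": f"attacker-{len(profiles) + 1}", "level": 0, "incidents": []})
    profile["incidents"].append(incident)
    profile["level"] = min(10, profile["level"] + SEVERITY[incident])
    return profile

def respond(profile):
    """Map the profile's threat level to one of the slide's responses."""
    level = profile["level"]
    if level >= 8:
        return "block"
    if level >= 5:
        return "captcha"
    if level >= 3:
        return "slow_connection"
    return "warn"

def handle(request):
    """Full pipeline: detect, then track/profile, then respond (or allow)."""
    incident = detect(request)
    return "allow" if incident is None else respond(record(request, incident))
```

Because the profile is keyed on the token, the second request below comes from a different IP address yet lands on the same profile, which is the "beyond the IP" tracking the slides describe.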
SECURITY ADMINISTRATION
• SMTP alerting
• Reporting (PDF, HTML)
• CLI for exporting data into a SIEM tool
• Web-based console
• Real-time
• On-demand threat information

UNIFIED PROTECTION ACROSS PLATFORMS
(Diagram: App Server and Database deployed Internal, Virtualized and Cloud)
NEXT GENERATION SECURITY SOLUTIONS THAT SPAN PHYSICAL AND VIRTUAL NETWORKS
(Diagram: Physical and Virtual platforms. Management and Security Services: Security Design, Security Threat Response Manager (STRM), Virtual Control. Virtual layer: hypervisor with vGW, vSRX, Mykonos and FireFly VMs. Services: Firewall, IPS, DoS & DDoS Protection, AppSecure.)
WHAT'S NEW IN BAGLEY (NOV 2012)

New Security Features
• Improved Geo-IP targeting – Updated database improves accuracy of IP to location mapping.
• Improved Reporting
  • Country comparison over time
  • Top IP addresses
  • Incidents list
  • Top incident types
• Created empty header incident.

Operational Improvements
• High Availability – Full active-passive option for the hardware appliance.
• Off-line updates – Independently downloads updates, and securely updates Junos WebApp Secure Web Security in a fully closed environment.
• Automatic log uploads to support.
• Configure NTP (timing) server.
• 3rd party logs included in log-rotate configuration.
• User guide available in multiple formats.
• Performance improvements in queue and memcache processing.
• Configuration watchdog process added.
• Improved security monitor for access speed.
• Bug fixes.

Deployment Options
• New hardware appliance version released.

New Pricing
• Hardware pricing.
• Incremental throughput pricing available.
• Incremental throughput pricing for VM and Cloud available.
• Service provider sell-through pricing available.
TECHNICAL SPECIFICATIONS

Abuse Response
Abuse Responses – Enables administrators to respond to application abuse with session-specific warnings, blocks, and additional checks. One-click automation of responses during configuration. The responses include:
• Warn user: send a custom message
• Block connection and return an arbitrary HTTP error
• CAPTCHA
• Connection throttling
• Logout and forced re-authentication
• Simulated broken application (strip inputs)
Policy Expressions – Simple expression syntax for writing automated, application-wide responses.

Abuse Detection Processors
A library of HTTP processors that implement specific abuse detection points in application code. Detection points identify abusive users who are trying to establish attack vectors such as cross-site request forgery. Some examples of processors include:
• Authentication Abuse Detection – Detects abuses against application authentication.
• Cookie Abuse Detection – Detects attempts to manipulate the application by changing cookie values.
• Error Code Detection – Detects suspicious application errors that indicate abuse, including illegal and unexpected response codes.
• Suspicious File Request Detection – Detects when an attacker is attempting to request files with known suspicious extensions, prefixes, and tokens.
• Header Enforcement – Enables the policing of HTTP headers from the application to ensure critical infrastructure information is not exposed. Response and request headers can be stripped, mixed, or filtered.
• Input Parameter Manipulation Detection – Detects attempts to abuse form inputs and establish vectors for injection and cross-site scripting attacks.
• Link Traversal Detection – Detects attempts to spider the application for links to hidden and confidential resources.
• Directory Traversal Protection – Prevents attackers from finding hidden directories.
• Illegal Request Method Detection – Detects attempts to abuse non-standard HTTP methods such as TRACE.
• Query Parameter Manipulation Detection – Detects attempts to manipulate application behavior through query parameter abuse.
• Malicious Spider Detection – Detects attempts to spider and index protected directories and resources.
• Cross Site Request Forgery – Detects and prevents cross site request forgery attacks.
• Custom Authentication – Allows companies to protect a page or portion of a site if a vulnerability is found.
• 3rd Party Vulnerability Protection – Detects known attacks.
• IP List Export – For Layer 3 firewall integration.

Abuse Recording
• Full HTTP Capture – Captures and displays all HTTP traffic for security incidents.

Abusive Behavior Analysis
• Abuse Profiles – Maintains a profile of known application abusers and all of their malicious activity against the application.
• Tracking and Re-identification – Enables application administrators to re-identify abusive users and apply persistent responses, over time and across sessions.

Management
Simplified configuration with set-up wizards.
Web-based Configuration – Browser-based interface for all deployment options.
Monitoring Console – Web-based monitoring and analysis interface.
• Drill into application sessions, security incidents, and abuse profiles
• Manage and monitor manual and automated responses
• Deep search and filtering capabilities
• Real time & historical system monitoring
• Multiple administrators
• Multiple applications/domains
• Remote syslog

SSL Inspection
Passive decryption or termination.

Alerts, Reporting, Logging
• Email Alerts – Sends alert emails when specific incidents or incident patterns occur.
• Command line interface for custom reporting.
• Reporting Management System with user interface.
• SNMP system logging.
• Auditing – Tracks changes to the system made by the administrators in the configuration interface, security monitor, TUI and report generation.
• Security incidents via syslog.
• Reports – country comparisons, top IP addresses and incidents.

Deployment
• Reverse Proxy with Load Balancing
• Available as hardware
• Available as a VMware or AMI image
• Support for alternate ports (other than 80 & 443)

Updates
Automatically downloaded and available within the management console.

Platform Security
Hardened kernel, locked-down ports, encrypted back-ups.

Performance
• High availability for hardware version
• Higher throughput using clustering
• Low latency
• Link aggregation