THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS

THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS …forums.juniper.net/jnet/attachments/jnet/ATJUG/7/3... · 2013-06-07 · THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM


Page 2

INCONVENIENT STATISTICS

70% of ALL threats are at the Web application layer. (Gartner)

73% of organizations have been hacked in the past two years through insecure Web apps. (Ponemon Institute)

Copyright © 2013 Juniper Networks, Inc. www.juniper.net

Page 3

THE COST OF AN ATTACK
Ponemon Institute: average breach costs $214 per record stolen.

Impact categories: Theft, Revenue, Reputation.

Sony stolen records: 100M
Sony direct costs: $171M
  • 23 day network closure
  • Lost customers
  • Security improvements
Sony lawsuits: $1-2B

Page 4

HACKER THREATS

Scripts, Tools, Exploits: Generic scripts and tools against one site.
IP Scan: Script run against multiple sites seeking a specific vulnerability.
Targeted Scan: Targets a specific site for any vulnerability.
Botnet: Script loaded onto a bot network to carry out attack.
Human Hacker: Sophisticated, targeted attack (APT). Low and slow to avoid detection.

Page 5

WEB APP SECURITY TECHNOLOGY

Capability                                  Web Application Firewall   Web Intrusion Prevention System
Detection:  Signatures                      ✓                          ✓
            Tar Traps                                                  ✓
Tracking:   IP address                      ✓                          ✓
            Browser, software and scripts                              ✓
Profiling:  IP address                      ✓                          ✓
            Browser, software and scripts                              ✓
Responses:  Block IP                        ✓                          ✓
            Block, warn and deceive attacker                           ✓
PCI Section 6.6                             ✓                          ✓

Page 6

THE JUNOS WEBAPP SECURE ADVANTAGE: DECEPTION-BASED SECURITY

Detect: "Tar Traps" detect threats without false positives.
Track: Track IPs, browsers, software and scripts.
Profile: Understand attacker's capabilities and intents.
Respond: Adaptive responses, including block, warn and deceive.

Page 7

THE ANATOMY OF A WEB ATTACK

Phase 1: Reconnaissance (days or weeks)
Phase 2: Attack Vector Establishment (weeks or months)
Phase 3: Implementation (weeks or months)
Phase 4: Automation (months or years)
Phase 5: Maintenance (years)

[Timeline diagram across the five phases, carrying the label "Web App Firewall"]

Page 8

DETECTION BY DECEPTION

Tar Traps are placed in:
  • Query String Parameters
  • Hidden Input Fields
  • Server Configuration

[Diagram: Client, Firewall (Network Perimeter), App Server, Database]
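The three tar-trap placements above can be implemented as a small reverse-proxy filter. The Python below is an added example, not Junos WebApp Secure code: it binds each decoy value to the session with an HMAC, injects a hidden form field and a decoy query parameter into served pages, and flags any request that returns a changed value or touches a decoy directory. The `_ref` and `debug` names, the `/admin-backup/` path and the secret are constructed for illustration.

```python
import hmac
import hashlib
from urllib.parse import parse_qs

# Constructed secret for the example only; a deployment would load it from protected config.
SECRET = b"example-tar-trap-secret"

def trap_value(session_id: str) -> str:
    """Decoy value bound to the session, so a copied or edited value is detectable."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()[:16]

def _matches(value: str, expected: str) -> bool:
    # Constant-time compare on bytes, so a non-ASCII attacker value cannot raise TypeError.
    return hmac.compare_digest(value.encode(), expected.encode())

def inject_traps(html: str, session_id: str) -> str:
    """Hidden-input-field trap: append a hidden field to every form.
    Query-string trap: append a decoy parameter to the account link.
    Real browsers echo both back unchanged; only a tampered copy trips a trap."""
    token = trap_value(session_id)
    html = html.replace("</form>", f'<input type="hidden" name="_ref" value="{token}"></form>')
    # "debug" is a constructed decoy name that looks like a switch worth toggling to a scanner.
    return html.replace('href="/account"', f'href="/account?debug={token}"')

def inspect_request(path: str, query: str, form: dict, session_id: str) -> list:
    """Return the tar-trap incidents raised by one request (empty list means clean).
    The application never legitimately changes a decoy, so a mismatch is a definite
    manipulation rather than a heuristic match; that is why the slide claims no false positives."""
    expected = trap_value(session_id)
    incidents = []
    params = parse_qs(query)
    if "debug" in params and not _matches(params["debug"][0], expected):
        incidents.append("query_parameter_trap")
    if "_ref" in form and not _matches(form["_ref"], expected):
        incidents.append("hidden_field_trap")
    # Server-configuration trap: a decoy directory that exists only in configuration
    # (e.g. a robots.txt Disallow line) and is never linked, so any request for it is a probe.
    if path.startswith("/admin-backup/"):
        incidents.append("server_configuration_trap")
    return incidents

if __name__ == "__main__":
    page = inject_traps('<a href="/account">Me</a><form method="post"></form>', "sess-42")
    print(page)
    print(inspect_request("/account", "debug=1", {}, "sess-42"))
```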

Page 9

TRACK ATTACKERS BEYOND THE IP

Track IP Address.
Track Browser Attacks: Persistent Token, with the capacity to persist in all browsers including various privacy control features.
Track Software and Script Attacks: Fingerprinting of HTTP communications.

Page 10

RESPOND AND DECEIVE

Junos WebApp Secure Responses

Threat types (columns): Human Hacker, Botnet, Targeted Scan, IP Scan, Scripts & Tools, Exploits.

Responses (rows), with the number of threat types for which each is highlighted:
  • Warn attacker (1)
  • Block user (5)
  • Force CAPTCHA (5)
  • Slow connection (5)
  • Simulate broken application (5)
  • Force log-out (3)

All responses are available for any type of threat. Highlighted responses are most appropriate for each type of threat.

Page 11

SMART PROFILE OF ATTACKER

  • Every attacker assigned a name
  • Attacker threat level
  • Incident history

Page 12

SECURITY ADMINISTRATION

  • Web-based console
  • Real-time
  • On-demand threat information
  • SMTP alerting
  • Reporting (PDF, HTML)
  • CLI for exporting data into SIEM tool

Page 13

UNIFIED PROTECTION ACROSS PLATFORMS

Internal, Virtualized, Cloud

[Diagram: App Server and Database protected in each of the three environments]

Page 14

NEXT GENERATION SECURITY SOLUTIONS THAT SPAN PHYSICAL AND VIRTUAL NETWORKS

Management and Security Services: Security Design, Security Threat Response Manager (STRM), Virtual Control.

[Diagram: Physical side with Firewall, IPS, DoS & DDoS Protection and AppSecure; Virtual side with a Hypervisor hosting VMs alongside vGW, FireFly and Mykonos (vGW, vSRX, Mykonos)]

Page 15

WHAT’S NEW IN BAGLEY (NOV 2012)

New Security Features
  • Improved Geo-IP targeting: updated database improves accuracy of IP to location mapping.
  • Improved Reporting:
      • Country comparison over time
      • Top IP addresses
      • Incidents list
      • Top incident types
  • Created empty header incident.

Operational Improvements
  • High Availability: full active-passive option for the hardware appliance.
  • Off-line updates: independently downloads updates, and securely updates Junos WebApp Secure Web Security in a fully closed environment.
  • Automatic log uploads to support.
  • Configure NTP (timing) server.
  • 3rd party logs included in log-rotate configuration.
  • User guide available in multiple formats.
  • Performance improvements in queue and memcache processing.
  • Configuration watchdog process added.
  • Improved security monitor for access speed.
  • Bug fixes.

Deployment Options
  • New hardware appliance version released.

New Pricing
  • Hardware pricing.
  • Incremental throughput pricing available.
  • Incremental throughput pricing for VM and Cloud available.
  • Service provider sell-through pricing available.

Page 16

TECHNICAL SPECIFICATIONS

Abuse Response
Abuse Responses: enables administrators to respond to application abuse with session-specific warnings, blocks, and additional checks. One-click automation of responses during configuration. The responses include:
  • Warn user: send a custom message
  • Block connection and return arbitrary HTTP error
  • CAPTCHA
  • Connection throttling
  • Logout and forced re-authentication
  • Simulated broken application (strip inputs)
Policy Expressions: simple expression syntax for writing automated, application-wide responses.

Abuse Detection Processors
A library of HTTP processors that implement specific abuse detection points in application code. Detection points identify abusive users who are trying to establish attack vectors such as cross-site request forgery. Some examples of processors include:
  • Authentication Abuse Detection: detects abuses against application authentication.
  • Cookie Abuse Detection: detects attempts to manipulate the application by changing cookie values.
  • Error Code Detection: detects suspicious application errors that indicate abuse, including illegal and unexpected response codes.
  • Suspicious File Request Detection: detects when an attacker is attempting to request files with known suspicious extensions, prefixes, and tokens.
  • Header Enforcement: enables the policing of HTTP headers from the application to ensure critical infrastructure information is not exposed. Response and request headers can be stripped, mixed, or filtered.
  • Input Parameter Manipulation Detection: detects attempts to abuse form inputs and establish vectors for injection and cross-site scripting attacks.
  • Link Traversal Detection: detects attempts to spider the application for links to hidden and confidential resources.
  • Directory Traversal Protection: prevents attackers finding hidden directories.
  • Illegal Request Method Detection: detects attempts to abuse non-standard HTTP methods such as TRACE.
  • Query Parameter Manipulation Detection: detects attempts to manipulate application behavior through query parameter abuse.
  • Malicious Spider Detection: detects attempts to spider and index protected directories and resources.
  • Cross Site Request Forgery: detects and prevents cross site request forgery attacks.
  • Custom Authentication: allows companies to protect a page or portion of a site if a vulnerability is found.
  • 3rd Party Vulnerability Protection: detects known attacks.
  • IP List Export: for Layer 3 firewall integration.

Abuse Recording
  • Full HTTP Capture: captures and displays all HTTP traffic for security incidents.

Abusive Behavior Analysis
  • Abuse Profiles: maintains a profile of known application abusers and all of their malicious activity against the application.
  • Tracking and Re-identification: enables application administrators to re-identify abusive users and apply persistent responses, over time and across sessions.

Management
Simplified configuration with set-up wizards.
Web-based Configuration: browser-based interface for all deployment options.
Monitoring Console: web-based monitoring and analysis interface.
  • Drill into application sessions, security incidents, and abuse profiles
  • Manage and monitor manual and automated responses
  • Deep search and filtering capabilities
  • Real time & historical system monitoring
  • Multiple administrators
  • Multiple applications/domains
  • Remote syslog

SSL Inspection
Passive decryption or termination.

Alerts, Reporting, Logging
  • Email Alerts: sends alert emails when specific incidents or incident patterns occur
  • Command line interface for custom reporting
  • Reporting Management System with user interface
  • SNMP system logging
  • Auditing: tracks changes to the system made by the administrators in the configuration interface, security monitor, TUI and report generation
  • Security incidents via syslog
  • Reports: country comparisons, top IP addresses and incidents

Deployment
  • Reverse Proxy with Load Balancing
  • Available as hardware
  • Available as a VMware or AMI image
  • Support for alternate ports (other than 80 & 443)

Updates
Automatically downloaded and available within the management console.

Platform Security
Hardened kernel, locked-down ports, encrypted back-ups.

Performance
  • High availability for hardware version
  • Higher throughput using clustering
  • Low latency
  • Link aggregation
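As an added illustration (not Junos WebApp Secure code) of how a few of the processors above feed the attacker profile and threat level from page 11: the Python below runs three processor functions (illegal request method, suspicious file request, error code) over constructed access-log lines and accumulates per-IP incident counts and a weighted threat level. The log lines, the suffix and prefix lists and the weights are constructed for illustration.

```python
import re
from collections import Counter
# Constructed sample access log (Common Log Format); the addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Jun/2013:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.5 - - [07/Jun/2013:10:00:02 +0000] "TRACE / HTTP/1.1" 405 0
203.0.113.5 - - [07/Jun/2013:10:00:03 +0000] "GET /backup.sql HTTP/1.1" 404 0
203.0.113.5 - - [07/Jun/2013:10:00:04 +0000] "GET /.git/config HTTP/1.1" 404 0
198.51.100.7 - - [07/Jun/2013:10:00:05 +0000] "GET /products?id=7 HTTP/1.1" 200 2048
198.51.100.7 - - [07/Jun/2013:10:00:06 +0000] "GET /products?id=7%27 HTTP/1.1" 500 0
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}
SUSPICIOUS_SUFFIXES = (".sql", ".bak", ".old", ".swp", "~")   # constructed list
SUSPICIOUS_PREFIXES = ("/.git/", "/.svn/", "/.env")           # constructed list
WEIGHTS = {"illegal_request_method": 2, "suspicious_file_request": 3, "suspicious_error_code": 1}

def illegal_method(method, path, status):
    """Processor: method outside the allowed set (e.g. TRACE) is an incident."""
    return "illegal_request_method" if method not in ALLOWED_METHODS else None

def suspicious_file(method, path, status):
    """Processor: request for a backup, dot-directory or editor leftover is an incident."""
    p = path.split("?", 1)[0]                                 # ignore the query string
    if p.endswith(SUSPICIOUS_SUFFIXES) or p.startswith(SUSPICIOUS_PREFIXES):
        return "suspicious_file_request"
    return None

def error_code(method, path, status):
    """Processor: a 5xx response is the 'suspicious application error' signal."""
    return "suspicious_error_code" if status >= 500 else None

PROCESSORS = (illegal_method, suspicious_file, error_code)

def build_profiles(log_text):
    """Run every processor over every parsable line; return {ip: Counter(incident -> count)}."""
    profiles = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m.group(1), m.group(2), m.group(3), int(m.group(4))
        for proc in PROCESSORS:
            incident = proc(method, path, status)
            if incident:
                profiles.setdefault(ip, Counter())[incident] += 1
    return profiles

def threat_level(profile):
    """Weighted incident count: the per-attacker score shown on the profile."""
    return sum(WEIGHTS[name] * n for name, n in profile.items())
```

Running `build_profiles(SAMPLE_LOG)` groups the TRACE probe and the two file probes under the first address, and the 500 after the quoted parameter under the second, so the first profile scores higher.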
