
Fortiweb - Introduction

Uploaded by

Marthin King

FortiWeb for ISP

Web Application Firewall

© Copyright Fortinet Inc. All rights reserved.


Agenda

Introduction to FortiWeb
Highlights Main Features
Additional FortiWeb Services for the ISP
FortiWeb Family

Introduction to FortiWeb
Scope/Definition of WAFs

§ Protects web-based applications from code-based attacks
  » SQL Injection or other injection types
  » Cross Site Scripting and Request Forgery
  » Layer 7 DoS/DDoS attacks
  » Cookie/schema poisoning
§ Protects against application vulnerabilities in custom code and commercial platforms
§ Understands/learns “normal” behaviors and stops anomalies
  » URL parameters, HTTP methods, session IDs, cookies, schema, etc.

Can’t a Firewall or IPS do this?
§ Firewalls look for network-based attacks
§ IPS Signatures detect only known problems
  » No protection of SSL traffic
  » No application or user awareness

[Diagram labels: INTERNET, FortiWeb WAF, Web Application Servers, SQL Injection, XSS…]

WAF Drivers/Challenges

§ Protect current and existing applications from code-based vulnerabilities
§ Meet PCI Compliance (5.5 and 6.6) for credit card and healthcare data
§ Address OWASP Top 10 Application Vulnerabilities
§ Identify and address web application vulnerabilities
§ Website publishing for Microsoft and other applications
§ Protect against website defacement

Who Needs it?
§ Any organization that processes credit cards and/or has PCI requirements
§ Large internal or external applications
§ Sensitive/proprietary information
§ Mission-critical business applications

Who Needs it Most?
§ MSPs/Hosting Companies
§ E-commerce/online services
§ Retail, Food Service, Hospitality
§ Financial services
§ Healthcare

FortiWeb – Web Application Firewalls

§ 4 models from 100 Mbps to 4 Gbps HTTP throughput
§ Up to 6x GE and models with 2x 10GE SFP+ ports
§ Included vulnerability scanning and antivirus
§ Hardware and VM options (VMware, Hyper-V)
§ Transparent, reverse and non-inline deployment options
§ Central Management/ADOMs
§ SSL offloading/compression
§ Layer 7 load balancing
§ Automatic behavior-based scanning
§ Auto setup/learning mode
§ Layer 7 DDoS protection
§ FortiGuard antivirus/IP reputation
§ Advanced real-time reporting
§ SSO/Authentication
§ NSS recommended

Complete WAF Solution

FortiWeb Benefits

§ Protect custom and commercial applications with automatic usage profiling
§ Meet PCI Compliance (5.5 and 6.6) with behavior-based attack detection and mitigation
§ Protection against OWASP Top 10 Application Vulnerabilities
§ Identify web application security weaknesses with vulnerability scanning
§ Website publishing with Single Sign On/Authentication
§ Restore website pages from attacks with Anti-Defacement Protection
§ Block botnets and attacks from known rogue and malicious sources with FortiGuard IP Reputation

Deployment Options

• Layer II - Transparent Inspection and True Transparent Proxy
  • Easy deployment - No need to re-architect network, full transparency
  • Fail Open Interface
• Reverse Proxy
  • Supports content modification for both requests and replies from the server
  • Advanced URL rewriting capabilities
  • HTTPS offloading
  • Enhanced load balancing schemes
• Non Inline Deployment – SPAN port
  • Zero network latency
  • Blocking capabilities using TCP resets
  • Ideal for initial product evaluations, non-intrusive network deployment

[Diagram labels: FortiWeb, Web Application Servers]

Highlights Main Features
FortiWeb Application Delivery

Web Application Firewall - WAF
Secures web applications to help customers meet compliance requirements

Web Vulnerability Scanner
Scans, analyzes and detects web application vulnerabilities

Application Delivery
Assures availability and accelerates performance of critical web applications

[Panel captions: Secures Web Applications; Scans and Detects Web Vulnerabilities; Optimizes Application Delivery]

SSL Offloading & Acceleration

SSL Offloading
• Integrated ASIC based hardware
• Hardware-based key exchange and bulk encryption
• Purpose built SSL processing

CA Management
• Full certificate management
• Advanced certification verification and revocation capabilities

TCP Connection Multiplexing

✓ Offload CPU intensive SSL computing from server to FortiWeb

[Image caption: FortiASIC CP8 SSL Acceleration Chip]

Server Load Balancing

Layer 7 Load Balancing
• Methods: Weighted Round Robin, Round-Robin, Least Connection, HTTP session round robin
• Connection persistence with timeout value
• Probes & Health Checks: TCP, HTTP/HTTPS, PING.
• Content based health checks

✓ Intelligent, application aware layer 7 load balancing

URL Routing/Rewriting

Advanced Routing and Rewriting capabilities
• Route traffic based on: IP, Host, URL
• Rewriting and Redirection: Host, URL, Referrers

Rewrite Reply Content
• Rewrite absolute links
• Any required content
• Multiple content types supported

Vulnerability Assessment

Easily Scan your web applications
• Common vulnerabilities
• SQL Injection
• Cross Site Scripting
• Source code disclosure
• OS Commanding

Enhanced/Basic Mode
• Crawling information
• URLs accepting input
• External Links

Authentication Options

Scheduled and on Demand Scanning

Vulnerability Assessment

Vulnerability Reports
• Scan summary
• Vulnerability by severity
• Vulnerability by categories
• Application Vulnerabilities
• Common Vulnerabilities

Server Information
• Crawling information
• URLs accepting input
• External Links

Provides Recommendations and Graphs

Updates via FortiGuard

FortiWeb Protection at all Layers

ATTACKS/THREATS
BOTNETS, MALICIOUS HOSTS, ANONYMOUS PROXIES, DDOS SOURCES → IP REPUTATION
APPLICATION LEVEL DDOS ATTACKS → DDOS PROTECTION
IMPROPER HTTP RFC → PROTOCOL VALIDATION
KNOWN APPLICATION ATTACK TYPES → ATTACK SIGNATURES
VIRUSES, MALWARE, LOSS OF DATA → ANTIVIRUS/DLP
UNKNOWN APPLICATION ATTACKS → BEHAVIORAL VALIDATION

[Diagram labels: CORRELATION, APPLICATION]

FortiGuard IP Reputation

Threats
• DDoS
• Phishing
• Botnets
• Anonymous Proxy access
• Infected source
• SPAM hosts

IP Reputation Service
• Daily feed updates
• Automated downloads
• Immediate protection
• Visibility and reporting

FortiGuard Techniques
• FortiGuard historical analysis
• Honeypots
• Botnet analysis
• Anonymous proxies
• Third party sources

FortiGuard IP Reputation Service:
Protect against automated attacks and malicious source

Bot Identification and Protection

Enhanced Bot Identification
• Known search engines
• Bad robots (scanners, crawlers, spiders)

Protection Accuracy
• Bypass threshold based policies (DoS, Brute force) for known search engines

Bot Analysis
• Bot dashboard provides overview of all traffic with breakdown for bad robots and known search engines

✓ Analyze traffic from malicious robots, scanners, crawlers and known search engines

Protection Policies

Application Layer
• HTTP request limit per source
• TCP connections using the same cookie
• HTTP requests using the same cookie
• Challenge Response – validate whether the user is real or automated

Network Layer
• TCP connections limit per source
• SYN Cookie – SYN flood protection

✓ Analyze requests originating from different users based on different characteristics such as IP and cookie
✓ Sophisticated mechanism identifies real users from automated attacks

Intrusion Prevention

FortiGuard Labs
• Weekly updates
• Automatic download

Wide coverage
• Various categories
• Thousands of signatures
• Action rules per category
• Information about each signature
• Sample match
• Location where inspected

Exceptions/Whitelist
• Create exceptions down to the signature
• User regex to cover more URLs

✓ Flexible and granular signature interface

FortiWeb Auto Learn

Understand Application Structure
• Models elements from actual traffic
• Builds baseline based on URLs, parameters, HTTP methods

Automatically Understands Real Behavior
• Can form fields/parameters be modified by users?
• What are the length and type of each form field?
• What characters are acceptable (min, max, average)?
• Is a form field required or optional?

Provides Recommendations and Graphs

FortiWeb Auto Learn

• Learns the protected applications structure
  • URLs
  • Parameters
  • Expected behavior
• Analyzes:
  • Visits
  • Attacks
• Provides automatic rules
• Exportable to PDF

FortiGuard Services

§ FortiGuard Labs
  » Award-winning threat research services
  » Dynamic/automated updates for FortiWeb
  » Automatic downloads
  » Always up-to-date
§ Subscription Based
  » Available per device
  » Select services that are needed
  » Annual renewals

Security Service
• Application layer signatures
• Malicious bots
• Suspicious URL pattern
• Web vulnerability scanner updates

IP Reputation
• Protection for automated attacks and malicious sources
• DDoS, Phishing, Botnet, Spam, Anonymous proxies and infected sources

Antivirus
• Scan file uploads
• Regular and extended AV databases

Additional FortiWeb Services for the ISP
On Premise Web Application

§ FortiWeb is configured in Reverse Proxy mode
§ A cloud WAF solution allows customers to have an external device scan their traffic without the need to deploy any SW/HW in their environment
§ End customers change their application’s DNS entry to point to the cloud WAF, which scans the traffic and forwards it to the application
§ The solution provides each customer:
  » Application security
  » Performance acceleration (caching, compression, etc.)
  » UI access dashboard – Traffic graphs, alerts, minimal configuration

[Diagram labels: Cloud WAF, Customer A, Customer B]

Hosted Web Application

§ FortiWeb is configured in True Transparent Proxy mode
§ This solution gives the ISP additional revenue by offering WAF services to its hosted applications
§ All applications are hosted at the ISP infrastructure
§ Managed by ISP, no UI access for end customers
§ The solution provides each customer:
  » Application security
  » Performance acceleration (possibly)
  » Reports via email

[Diagram labels: MSSP Site, Customer Applications 1-N]

Multi-tenancy

Administrative Domains
• Controls privileges and permissions across the organization
• True role based access control (RBAC)
• Global and per-ADOM settings
• Per ADOM logging and reporting

MSSP Features
• Protect multiple customers with one FortiWeb appliance
• Allow customers to securely access their own logs and reports
• Per user read/write permissions

✓ Provides multiple logical entities in a single physical unit
✓ Out-of-the box Multi-tenant solution

[Diagram label: Customer 1,2,3,4..N]

High Availability

Active/Passive Failover
• Full configuration synchronization
• Seamless failover
• No downtime

Configuration-Sync
• Sync FortiWeb devices across networks
• Allows managing policies across multiple devices from a central location
• Seamless integration into already existing HA/LB environments
• Support for DR environments

✓ Use Active/Passive failover or simply sync policies across multiple data centres, regardless of location

[Diagram labels: FortiWeb, Disaster Recovery]

FortiWeb for Virtual Datacenter

Virtual WAF for VDC
§ Deploy WAFs without extra hardware
§ Dynamic expansion in VM environments
§ Resource efficiency with uncompromised WAF functionality
§ Virtualization Environment:
  » VMware ESX / ESXi / 4.0 / 4.1 / 5.0 / 5.1 / 5.5,
  » Microsoft Hyper-V,
  » Citrix XenServer 6.2
  » Open Source Xen 4.2

[Diagram labels: Virtualized Data Center, DMZ, Public Zone, Servers / DMZ, Desktops / Private, FortiWeb Virtual Appliance]

FortiWeb Family
FortiWeb Product Lineup

[Chart, axis "Performance & Scalability"; models shown: FWB-4000D, FWB-3000DFsx, FWB-3000D, FWB-1000D, FWB-400C]

WAF     < 1 Gbps   1 – 2 Gbps   3+ Gbps
SSL     Software   ASIC         ASIC
Ports   GE         GE/10GE      GE/10GE

FortiWeb Product Matrix

                        400C       1000D      3000D      3000DFsx   4000D
WAF Throughput          100 Mbps   750 Mbps   1.5 Gbps   1.5 Gbps   4.0 Gbps
Latency                 Sub-ms     Sub-ms     Sub-ms     Sub-ms     Sub-ms
SSL                     Software   ASIC       ASIC       ASIC       ASIC
L7 Load Balancing       ✓          ✓          ✓          ✓          ✓
L7 DoS Protection       ✓          ✓          ✓          ✓          ✓
Site Publishing/SSO     ✓          ✓          ✓          ✓          ✓
Vulnerability Scanner   ✓          ✓          ✓          ✓          ✓
Antivirus/antimalware   ✓          ✓          ✓          ✓          ✓
GE Port                 4          6          6          6          8
GE Bypass               0          4          2          0          2
GE-SX Bypass            0          0          0          0          2
GE SFP                  0          2          0          0          0
10GE SFP+ Bypass        0          0          0          2          2

FortiWeb Virtual Appliances

Virtual WAF
§ Deploy WAFs without extra hardware
§ Dynamic expansion in VM environments
§ Resource efficiency with uncompromised WAF functionality
§ VMware ESX / ESXi / 4.0 / 4.1 / 5.0 / 5.1 / 5.5, Microsoft Hyper-V, Citrix XenServer 6.2, Open Source Xen 4.2

Technical Specifications          FortiWeb VM01   FortiWeb VM02   FortiWeb VM04   FortiWeb VM08
vCPU Support (Max)                1               2               4               8
Memory Support (Max)              Unlimited       Unlimited       Unlimited       Unlimited
Network Interface Support (Max)   4               4               4               4
Storage Support (Min / Max)       40 GB / 1 TB    40 GB / 1 TB    40 GB / 1 TB    40 GB / 1 TB