Venustech WAF Introduction
Beijing Venustech 2016
Avan Middle East Data Processing
Phone: 86085194021 and 8
Website: www.o-1.co
Email: [email protected]
Product technology development road map
• 2007: Nascent stage
  – Venusense WAF product release, Version V6.0
• 2009: Growing stage
  – Release patented algorithm based detection engine (VXID, VSID patent)
  – Web attack and defense function developed to maturity
  – Obtain 20 technical patents
  – Major product version up, new version V7.0
• 2012: Rapid development stage
  – First multi-core 10G high performance WAF platform in China
  – First WAF that obtains OWASP, CVE and IPv6 Gold certificate in China
  – Frost & Sullivan Asia-pacific area WAF market ranking 2nd among all China companies
  – SSL offload function, PCI-DSS compatible. English version of V7.0
• 2015: Asia-pacific market planning
  – Release high performance 10G WAF platform (13G~30Gbps)
  – Release virtualization WAF version (compatible with VMware, KVM)
  – SSL performance architecture optimization, 20% improvement on SSL performance
  – WAF+DAP linkage
• 2016
  – Release first ADC+WAF platform in China
  – WAF+sandbox linkage
  – HSM acceleration card
• 2017
  – Cloud and virtualized WAF
  – WAF+Web sandbox
Product Roadmap
• Venustech, drawing on 20 years of R&D experience in the attack & defense field, launched the Venusense WAF product in 2007;
• In the last 3 years, Venusense WAF has achieved a total revenue of 30 million USD and delivered more than 2800 projects, with average shipment prices ranging from 50,000 to 500,000 RMB. Main customers include ABC head office, Sinopec, China Mobile, China Telecom and China Unicom, etc.
• Venusense WAF's technology and experience in attack & defense is supported by the Venustech post-doctoral station and ADLab (Active Defense Lab).
[Figures: WAF Appliance; WAF Virtualization; WAF Management Interface]
About Venustech Web Application Firewall
• Industry Member of Cloud Security Alliance
• Microsoft MAPP Partner
• CVE Compatible
• OWASP Compatible
• VSID algorithm, SQL detection technical patent (patent number: 200710145398.8)
• VXID algorithm, XSS attack detection technical patent (patent number: 200910085034.4)
• Webpage trojan detection algorithm, technical patent (patent number: 201010532887.0)
• Web malicious scan prevention algorithm, technical patent (patent number: 200910084701.7)
Taking the lead among Chinese vendors, Venusense WAF obtained OWASP certification in May 2012 and CVE certification in July 2012. Venustech currently has 165 OWASP members.
Product Certification
• IPv6 READY
For small and midsize business, 100Mb network
For medium enterprises, Gb network
For large & medium enterprises, Gb network
For large enterprises, 10Gb network
WAF700-S WAF700-M WAF700-A
WAF6000-S WAF6000-M1
WAF6000-A WAF6000-U
WAF10000-M
WAF6000-C-T WAF6000-C-TR
WAF6000-C-P WAF6000-C-PR
WAF10000-A
HTTP:350M~650Mbps
HTTP:2G~5Gbps
HTTP:5G~15Gbps
HTTP:9G~30Gbps
Venusense WAF Product Models
Attack Prevention
• Algorithm based SQL injection detection
• Algorithm based XSS attack detection
• Algorithm based Webpage Trojan detection
• HTTP protocol compliance and self-learning
• CSRF attack prevention and self-learning

Data Leak Prevention
• File download protection
• Sensitive information leak prevention (ID, credit card, social insurance card)
• OS and server information leak prevention
• Error page information protection

SSL based Attack Prevention
• "Heartbleed" vulnerability prevention
• HTTPS encryption offload
• HTTPS encryption/decryption traffic attack detection

Anti-Scanning
• Algorithm based web malicious scan prevention
• Web crawler prevention
• CGI scan prevention
• Web vulnerability scan prevention
• Brute force scan prevention

Webpage Tampering Prevention
• Webpage tampering prevention
• OS support: Windows, Linux, Unix

• Deployment: serial / reverse proxy / bypass / one-arm
• Support IPv6 / IPv4 network environment
• Support Chinese and English system language
Product Core Function
[Diagram: three phases (Early Warning, Attack Prevention, Analysis after the Incident). Labels: Internet, Brute Force Attack, Malicious Scanning, Web Attack Protection, SQL Injection, XSS, WebShell, XML Firewall, cookie protection, Sensitive Info Filtering, Web server info, ID information, Credit card info, personal information detection, Web Compliance, Error Page Shielding, Dynamic Profile, user defined rule, Request Limit Rule, Web Traffic Rule, System Monitoring, Traffic monitoring, Web Monitoring, Web tampering protection.]
Web Application Protection Solution
• According to Frost & Sullivan report, Venusense WAF ranks the 2nd in Greater China market share among all Chinese companies for 3 continuous years.
Market Performance
• Telecom
• Finance
• Enterprise
• Overseas
• Successful use cases such as China Mobile, China Telecom, ICBC head office, CCB head office, ABC head office, National Tax, Sinopec, CNPC.
• Venusense WAF has been serving the government, carrier, finance and energy industries, and we are trying to adopt a lease and service sales model.
• Since 2015 Venustech has been developing its overseas market for WAF products.
Use Cases
Deployment Mode
• Transparent (bridge) mode: Protects the Web servers without changing the network topology or existing network configuration.
• Proxy mode: Shields the real IP addresses of the Web servers. As a result, the operating system and applications of the Web servers are not exposed to the Internet.
Deployment Mode - cont'd
• One-arm proxy mode: Physically bypassed and logically in-line. Shields the real IP addresses of the Web servers. Can be expanded according to service conditions.
• Out of band mode (Bypass): Traffic is mirrored to the WAF interface. The WAF detects external threats to the Web servers.
Venusense WAF Use Case in Financial Industry
Traffic requirement: Network layer throughput 1Gbps, application layer throughput 200Mbps
Deployment: Venusense WAF appliances are deployed in one-arm proxy mode in one of the top 4 state-owned banks in China, protecting the customer's business-critical web applications.
[Network diagram. Labels: Internet, FW, UTM (x2), Cisco 6509 (x2), WAF, Intranet, Web server system, Application system, Central database, Intranet office system.]
Venusense WAF Use Case in Energy Industry
Traffic requirement: Network layer throughput 1.5G, Application layer throughput 500M
Deployment:24 sets of Venusense WAF appliances are deployed in transparent mode in all major business regions in China for company A (one major energy enterprise in China).
[Network diagram. Labels: Internet, ISP1, ISP2, Load balancing, WAF (x2), HA, Extranet zone, DMZ (WEB, Mail, DNS), Core switch zone, Application zone (Application server), Test zone (Testing servers), System interconnection zone (Interface device, Other system), Management zone (Management hosts), Database zone (Database, Fiber switches), IDS engines.]
Venusense WAF Use Case in Telecom Operator
Deployed high performance WAF to the largest telecom operator in China. Demands on WAF:
• 1. Compliance with mobile internet security protection standard.
• 2. Effectively prevent SQL injection, XSS attacks, sensitive information leakage, CSRF attacks and other vulnerabilities.
[Network diagram. Labels: Internet, ISP1, ISP2, User, Router1, Router2, Internet FW1, Internet FW2, Inside FW1, Inside FW2, IDS1, IDS2, WAF1, WAF2, Load balancing, Core switch1, Core switch2, Core zone, SSL VPN1, SSL VPN2, Internet access subnet, Intranet access subnet, Extranet access subnet, Endpoint access subnet, WEB server group, Application servers, Interface server group, External interface business group, business server cluster, DB servers, Disk array, VTL, Management servers, Publishing servers, Unionpay interface, 3rd party interface, HQ junction, Branch offices, Maintenance personnel.]
• Malaysia government website attacked by “Anonymous” hacking group in 2015
• Venustech worked with SEA local distributor Mavisco and provided Website security solution to Malaysia government website hosting provider.
• Venusense WAF won the competition test against Barracuda and other solution providers, and a Venusense WAF 6000-A appliance was successfully deployed in serial mode in the customer's data center.
• Venusense WAF is now running stably and providing security protection for more than 50 Malaysia government websites.
Venusense WAF Use Case in Government
Centralized Management and Control
Centralized management and configuration of multiple WAF engines
[Screenshots: Attack statistics; Traffic monitoring; URL access statistics]
Centralized Management and Control
WAF Control Center provides reports in various types and forms, including analysis report, basic statistics report, advanced statistics report, and detailed event report. Email subscription is available for users.
[Screenshots: Attack event analysis; Attacked URL statistics; Server upstream traffic trend]
HTTPS Compatibility
Venusense WAF supports detection of HTTPS traffic.
• Support encryption mode and encryption offload mode
• Support converting internal http service to outward https service.
• Support a wide range of SSL versions: SSL3.0, TLS1.0, TLS1.1, TLS1.2.
• Support automatic identification.
Mobile App Identification
With the popularity of mobile phones, tablets, and smart mobile devices, the mobile device has become a new kind of Web access client, and the use of mobile apps is increasing.
Due to special development demands or skill gaps of app developers, requests from mobile apps can differ from the RFC standard in packet format or contain new, undefined protocol headers.
Venusense WAF now integrates mobile app identification. It can customize the User-Agent settings and add a given app to a whitelist.
IPv6 Ready
With the shortage of IPv4 address resources, IPv6 will be widely used in the future.
Venusense WAF supports protection of IPv6 Web servers and detection of IPv6 traffic.
Intelligent Deployment
The intelligent deployment feature performs automatic in-depth learning of application servers and generates suitable security policies from what it has learned. When Venusense WAF is deployed to a new network environment with intelligent deployment enabled, the WAF detects the type of the application servers, then automatically creates the corresponding address object and service object, as well as a protection policy according to the website type and visiting conditions.
HTTP self-learning
• Help users to understand the situation of the protected websites, such as HTTP request type, protocol field length range, request parameter type and data value range. The self-learning result can be directly used in compliance check, and then can be adjusted according to user needs.
Cookie self-learning
• Help users to understand the cookie data of the protected websites. The self-learning result can be directly used in cookie data protection, and adjusted according to user needs.
CSRF data form self-learning
• Help users to gather information about the form data of protected websites, such as the source URL and the hosts that access the form. The self-learning result can be directly used in CSRF prevention and adjusted according to user needs. Hence, users can set up targeted CSRF prevention policies according to the self-learning result.
Self-learning Policies
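The HTTP self-learning idea above (learn parameter types and length ranges, then reuse the result for compliance checks), as an added Python example; it is not Venustech's code, and the value classes, the `slack` factor and the sample traffic are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl

RANK = {"digits": 0, "token": 1, "free": 2}  # assumed value classes, narrow to wide

def value_type(v):
    if re.fullmatch(r"\d+", v):
        return "digits"
    if re.fullmatch(r"[A-Za-z0-9_.@-]+", v):
        return "token"
    return "free"

def learn(samples):
    """Build {(method, path): {param: {min, max, type}}} from observed requests."""
    profile = {}
    for method, path, query in samples:
        params = profile.setdefault((method, path), {})
        for name, val in parse_qsl(query, keep_blank_values=True):
            t = value_type(val)
            p = params.setdefault(name, {"min": len(val), "max": len(val), "type": t})
            p["min"], p["max"] = min(p["min"], len(val)), max(p["max"], len(val))
            if RANK[t] > RANK[p["type"]]:
                p["type"] = t  # widen to the loosest class seen while learning
    return profile

def check(profile, method, path, query, slack=2):
    """Return compliance violations for one request; slack widens the learned max length."""
    params = profile.get((method, path))
    if params is None:
        return [f"unlearned endpoint: {method} {path}"]
    violations = []
    for name, val in parse_qsl(query, keep_blank_values=True):
        p = params.get(name)
        if p is None:
            violations.append(f"{name}: parameter not seen during learning")
        elif not p["min"] <= len(val) <= p["max"] * slack:
            violations.append(f"{name}: length {len(val)} outside learned range")
        elif RANK[value_type(val)] > RANK[p["type"]]:
            violations.append(f"{name}: type {value_type(val)} wider than learned {p['type']}")
    return violations

# Constructed learning-phase traffic (method, path, query string)
LEARNING = [
    ("GET", "/item", "id=17&lang=en"),
    ("GET", "/item", "id=20481&lang=fa"),
    ("GET", "/search", "q=web+firewall"),
]
PROFILE = learn(LEARNING)
```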
VSID Algorithm, SQL injection patented technology (Patent NO. 200710145398.8)
• The VSID algorithm is an advanced technology that combines rule analysis with anomaly analysis (comparing with the SQL injection patterns) and establishes a detection pattern from the common behavior of each type of SQL injection. In addition, lightweight virtual machine pre-analysis technology is used to further analyze the submitted URL, Cookies and Post Form, checking whether they contain any SQL injection attack.
SQL Injection Algorithm Detection
VXID Algorithm, XSS attack detection patented technology (Patent No.200910085034.4)
– Obtain the protocol variables (such as URL parameter, Cookie, Hosts, Reference, Post Form) that potentially contain XSS attack information from the submitted HTTP request, and perform decoding, DOM analysis, JS code extraction and syntax detection on these protocol variables. The behavior is then reported as an XSS attack event if it matches a specified association rule or the sum of the anomaly scores reaches the specified threshold.
XSS Algorithm Detection
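A simplified sketch of the decode-then-score flow described above, added here as an example; it is not the patented VXID algorithm and omits the DOM analysis and JS syntax detection steps. The indicator patterns, weights, threshold and the sample request are assumptions.

```python
import html
import re
from urllib.parse import unquote_plus

# Assumed indicator patterns and weights; illustrative values only.
INDICATORS = [
    (re.compile(r"<\s*script\b", re.I), 5),
    (re.compile(r"\bon\w+\s*=", re.I), 3),
    (re.compile(r"javascript\s*:", re.I), 3),
    (re.compile(r"<\s*(iframe|img|svg)\b", re.I), 2),
    (re.compile(r"document\.cookie|eval\s*\(", re.I), 2),
]
THRESHOLD = 5  # assumed anomaly score at which an event is reported

def normalize(value, max_rounds=3):
    """Undo nested URL and HTML-entity encoding until the value stops changing."""
    for _ in range(max_rounds):
        decoded = html.unescape(unquote_plus(value))
        if decoded == value:
            break
        value = decoded
    return value

def score(value):
    """Sum the weights of all indicators found in the decoded value."""
    text = normalize(value)
    return sum(weight for pattern, weight in INDICATORS if pattern.search(text))

def inspect(variables):
    """variables: {name: raw value} from URL parameters, cookies, headers and form fields.
    Returns (name, score) pairs whose score reaches THRESHOLD."""
    return [(n, s) for n, v in variables.items() if (s := score(v)) >= THRESHOLD]

# Constructed request variables; url.ref is double URL-encoded markup.
REQUEST = {
    "url.q": "blue+shoes",
    "url.ref": "%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E",
    "cookie.theme": "dark",
    "form.comment": "I like <b>bold</b> text",
}
```

Scoring the decoded value rather than the raw one is what lets the double-encoded variable be caught while the plain `<b>` markup in the comment field stays below the threshold.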
Algorithm based Webpage Trojan Detection, patented technology (Patent No.201010532887.0)
When the Trojan detection feature is enabled, the WAF adds a segment of JavaScript code to the webpages it returns in responses. The added script makes the client browser automatically send back the necessary HTML tags after the page has loaded. By checking tags such as SCRIPT, IFRAME, LINK, FRAME and IMG, Venusense WAF determines whether the webpage is linked to a Trojan. (The tag extraction is performed by the browser, which can process dynamic tags generated by scripts.)
Algorithm Based Webpage Trojan Detection
Server load balancing is supported when Venusense WAF is working in proxy mode.
Request traffic is distributed between servers, so that the response speed, overall performance, and expansion capability of the application system can be greatly improved.
Venusense WAF supports 3 types of load balancing algorithm: round robin, weighted round robin, and least connection.
Server Load Balancing
To increase bandwidth and reliability, the trunk interface function of Venusense WAF establishes a logical network link by aggregating multiple links.
• More reliable: When one of the physical links fails, the load is reallocated to the other links to keep the business running.
• Bandwidth improvement: Multiple physical links are aggregated into one logical link with load balancing between them, in order to increase bandwidth and save cost.
• Venusense WAF supports both Manual and LACP trunk modes, and two options (L2 and L34) are available when using LACP.
Trunk Interface
Virtual Patching is an active defense function used to prevent web application vulnerabilities from being exposed to attacks.
When Venusense WAF detects intensive probing requests sent to web servers by external scanners with the purpose of discovering web application vulnerabilities, the WAF provides virtual patching for the vulnerable web pages, shielding them from malicious scanning and blocking the probing attack. Meanwhile, Venusense WAF returns an error page and raises an alarm for the scanning attack.
Virtual Patching
Linkage with APT: Venusense WAF sends unknown files to APT for detection and generates a corresponding security policy based on the detection result from APT.
Linkage with IDS: Venusense WAF can mirror the traffic to IDS for detection and analysis.
Linkage with business audit system: Reproduce the attack scenario and help the administrator get more information about the attack process. Ensure system security from both the prevention and audit points of view.
Prevention Linkage