Venustech WAF Introduction

Beijing Venustech 2016

Avan Middle East Data Processing (داده پردازی اوان خاورمیانه). Phone: 021 86085194 and 8. Website: www.o-1.co


Post on 23-Apr-2020


Product technology development road map

2007 - Nascent stage
• Venusense WAF product release, version V6.0

2009 - Growing stage
• Release of the patented algorithm-based detection engine (VXID, VSID patents)
• Web attack and defense functions developed to maturity
• 20 technical patents obtained
• Major product version upgrade, new version V7.0

2012 - Rapid development stage
• First multi-core 10G high performance WAF platform in China
• First WAF in China to obtain OWASP, CVE and IPv6 Gold certificates
• Frost & Sullivan Asia-Pacific WAF market ranking: 2nd among all Chinese companies
• SSL offload function, PCI-DSS compatible; English version of V7.0

2015 - Asia-Pacific market planning
• Release of high performance 10G WAF platform (13G~30Gbps)
• Release of virtualized WAF version (compatible with VMware, KVM)
• SSL performance architecture optimization, 20% improvement in SSL performance
• WAF+DAP linkage

2016
• Release of the first ADC+WAF platform in China
• WAF+sandbox linkage
• HSM acceleration card

2017
• Cloud and virtualized WAF
• WAF+Web sandbox

Product Roadmap

• Venustech, drawing on 20 years of R&D experience in the attack & defense field, launched the Venusense WAF product in 2007.

• In the most recent 3 years, Venusense WAF achieved a total revenue of 30 million USD and conducted more than 2800 projects, with average shipment prices ranging from 50,000 to 500,000 RMB. Main customers include ABC head office, Sinopec, China Mobile, China Telecom and China Unicom.

• Venusense WAF’s technology and experience in attack & defense are supported by the Venustech post-doctoral station and ADLab (Active Defense Lab).

[Images: WAF Appliance; WAF Virtualization; WAF Management Interface]

About Venustech Web Application Firewall

• Industry Member of Cloud Security Alliance

• Microsoft MAPP Partner

• CVE Compatible

• OWASP Compatible

• VSID algorithm, SQL detection technical patent (patent number: 200710145398.8)

• VXID algorithm, XSS attack detection technical patent (patent number: 200910085034.4)

• Webpage trojan detection algorithm, technical patent (patent number: 201010532887.0)

• Web malicious scan prevention algorithm, technical patent (patent number: 200910084701.7)

Taking the lead among Chinese vendors, Venusense WAF obtained OWASP certification in May 2012 and CVE certification in July 2012. Venustech currently has 165 OWASP members.

Product Certification

• IPv6 READY

For small and midsize business, 100Mb network

For medium enterprises, Gb network

For large & medium enterprises, Gb network

For large enterprises, 10Gb network

WAF700-S WAF700-M WAF700-A

WAF6000-S WAF6000-M1

WAF6000-A WAF6000-U

WAF10000-M

WAF6000-C-T WAF6000-C-TR

WAF6000-C-P WAF6000-C-PR

WAF10000-A

HTTP:350M~650Mbps

HTTP:2G~5Gbps

HTTP:5G~15Gbps

HTTP:9G~30Gbps

Venusense WAF Product Models

Attack Prevention

• Algorithm based SQL injection detection
• Algorithm based XSS attack detection
• Algorithm based Webpage Trojan detection
• HTTP protocol compliance and self-learning
• CSRF attack prevention and self-learning

Data Leak Prevention

• File download protection
• Sensitive information leak prevention (ID, credit card, social insurance card)
• OS and server information leak prevention
• Error page information protection

SSL based Attack Prevention

• “Heartbleed” vulnerability prevention
• HTTPS encryption offload
• HTTPS encryption/decryption traffic attack detection

Anti-Scanning

• Algorithm based web malicious scan prevention
• Web crawler prevention
• CGI scan prevention
• Web vulnerability scan prevention
• Brute force scan prevention

Webpage Tampering Prevention

• Webpage tampering prevention
• OS support: Windows, Linux, Unix

• Deployment: serial / reverse proxy / bypass / one-arm

• Support IPv6 / IPv4 network environment

• Support Chinese and English system language

Product Core Function

[Diagram, three phases: Early Warning; Attack Prevention; Analysis after the Incident. Labels: Internet; Brute Force Attack; Malicious Scanning; Web Attack Protection; SQL Injection; XSS; WebShell; XML Firewall; cookie protection; Sensitive Info Filtering; Web server info; ID information; Credit card info; Error Page Shielding; Web Compliance; Dynamic Profile; user defined rule; Request Limit Rule; Web Traffic Rule; Web tampering protection; System Monitoring; Traffic monitoring; Web Monitoring; personal information detection]

Web Application Protection Solution

• According to a Frost & Sullivan report, Venusense WAF has ranked 2nd in Greater China market share among all Chinese companies for 3 consecutive years.

Market Performance

• Telecom

• Finance

• Enterprise

• Overseas

• Successful use cases include China Mobile, China Telecom, ICBC head office, CCB head office, ABC head office, National Tax, Sinopec and CNPC.

• Venusense WAF has been serving the government, carrier, finance and energy industries, and we are trying to adopt lease and service sales models.

• Since 2015 Venustech has been developing its overseas market for WAF products.

Use Cases

Deployment Mode

• Transparent (bridge) mode: Protects the Web servers without changing the network topology or existing network configuration.

• Proxy mode: Shields the real IP addresses of the Web servers. As a result, the operating system and applications of the Web servers are not exposed to the Internet.

Deployment Mode - cont'd

• One-arm proxy mode: Physically bypassed and logically in-line. Shields the real IP addresses of the Web servers. Can be expanded as service conditions require.

• Out of band mode (Bypass): Traffic is mirrored to the WAF interface. The WAF detects external threats to the Web servers.

Venusense WAF Use Case in Financial Industry

Traffic requirement: Network layer throughput 1Gbps, application layer throughput 200Mbps

Deployment: Venusense WAF is deployed in one-arm proxy mode in one of the top 4 state-owned banks in China, protecting the customer’s business-critical web applications.

[Network diagram labels: Internet; FW; UTM (x2); Cisco 6509 (x2); WAF; Intranet; Web server system; Application system; Central database; Intranet office system]

Venusense WAF Use Case in Energy Industry

Traffic requirement: Network layer throughput 1.5G, application layer throughput 500M

Deployment: 24 sets of Venusense WAF appliances are deployed in transparent mode in all major business regions in China for company A (one major energy enterprise in China).

[Network diagram labels: Internet; ISP1; ISP2; Load balancing; WAF (x2); HA; DMZ; WEB; Mail; DNS; Extranet zone; Core switch zone; Application zone; Application server; Database zone; Database; Fiber switch (x2); System interconnection zone; Interface device; Other system; Test zone; Testing server (x2); Management zone; Management hosts; IDS engine (x4)]

Venusense WAF Use Case in Telecom Operator

High performance WAF deployed at the largest telecom operator in China. Demands on the WAF:

• 1. Compliance with the mobile internet security protection standard.

• 2. Effectively prevent SQL injection, XSS attacks, sensitive information leakage, CSRF attacks and other vulnerabilities.

[Network diagram labels: Internet; ISP1; ISP2; User; Router1; Router2; Internet FW1; Internet FW2; Inside FW1; Inside FW2; FW; WAF1; WAF2; IDS1; IDS2; SSL VPN1; SSL VPN2; Load balancing; Core switch1; Core switch2; switch1; switch2; Core zone; Internet access subnet; Intranet access subnet; Extranet access subnet; Endpoint access subnet; HQ junction; Branch offices; Maintenance personnel; Unionpay interface; 3rd party interface; External interface business group; Interface server group; WEB server group; Application server; Business server cluster; DB servers; Disk array; VTL; Management servers; Publishing servers]

• Malaysian government websites were attacked by the “Anonymous” hacking group in 2015.

• Venustech worked with the local SEA distributor Mavisco and provided a website security solution to the hosting provider of the Malaysian government websites.

• Venusense WAF won the competitive test against Barracuda and other solution providers, and a Venusense WAF 6000-A appliance was successfully deployed in serial mode in the customer’s data center.

• Venusense WAF is now running stably and providing security protection for more than 50 Malaysian government websites.

Venusense WAF Use Case in Government

Centralized Management and Control

Centralized management and configuration of multiple WAF engines

[Screenshots: Attack statistics; Traffic monitoring; URL access statistics]

Centralized Management and Control

WAF Control Center provides reports in various types and forms, including analysis report, basic statistics report, advanced statistics report, and detailed event report. Email subscription is available for users.

[Screenshots: Attack event analysis; Attacked URL statistics; Server upstream traffic trend]

HTTPS Compatibility

Venusense WAF supports detection of HTTPS traffic.

• Support encryption mode and encryption offload mode

• Support converting internal http service to outward https service.

• Support a wide range of SSL versions: SSL3.0, TLS1.0, TLS1.1, TLS1.2.

• Support automatic identification.

Mobile App Identification

With the popularity of mobile phones, tablets and other smart mobile devices, the mobile device has become a new kind of Web access client, and the use of mobile apps is increasing.

Due to special development demands or skill gaps among app developers, requests from mobile apps can differ from the RFC standard in packet format or contain new, undefined protocol headers.

Venusense WAF now integrates mobile app identification. It can customize User-Agent settings and define a given app as whitelisted.

IPv6 Ready

With IPv4 address resources running short, IPv6 will be widely used in the future.

Venusense WAF supports IPv6 Web server protection and IPv6 traffic detection.

Intelligent Deployment

The intelligent deployment feature performs automatic in-depth learning of the application servers and generates suitable security policies from what it has learned. When Venusense WAF is deployed to a new network environment with intelligent deployment enabled, the WAF detects the type of the application servers, then automatically creates the corresponding address object and service object, as well as a protection policy based on the website type and visiting conditions.

HTTP self-learning

• Help users to understand the situation of the protected websites, such as HTTP request type, protocol field length range, request parameter type and data value range. The self-learning result can be directly used in compliance check, and then can be adjusted according to user needs.

Cookie self-learning

• Help users to understand the cookie data of the protected websites. The self-learning result can be directly used in cookie data protection, and adjusted according to user needs.

CSRF data form self-learning

• Help users to gather information about the form data of the protected websites, such as the source URL and the hosts that access the form. The self-learning result can be directly used in CSRF prevention and adjusted according to user needs, so users can set up targeted CSRF prevention policies based on it.

Self-learning Policies
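The HTTP self-learning idea above (learn request types, field length ranges, parameter types and value ranges, then reuse the result as a compliance check) can be sketched as follows. This is an added example, not Venusense code; the function names, the profile layout and the sample traffic are assumptions made for illustration.

```python
def infer_type(value):
    """Return 'int' if the value parses as an integer, else 'str'."""
    try:
        int(value)
    except ValueError:
        return "str"
    return "int"

def learn_profile(samples):
    """Learn allowed methods and per-parameter type, length and value ranges."""
    profile = {}
    for method, path, params in samples:
        entry = profile.setdefault(path, {"methods": set(), "params": {}})
        entry["methods"].add(method)
        for name, value in params.items():
            kind, size = infer_type(value), len(value)
            p = entry["params"].setdefault(
                name, {"type": kind, "len": [size, size], "val": None})
            if kind != p["type"]:
                p["type"], p["val"] = "str", None  # widen on conflicting samples
            p["len"] = [min(p["len"][0], size), max(p["len"][1], size)]
            if p["type"] == "int":
                n = int(value)
                lo, hi = p["val"] or (n, n)
                p["val"] = [min(lo, n), max(hi, n)]
    return profile

def check_request(profile, method, path, params):
    """Compliance check: report the first deviation found for each field."""
    entry = profile.get(path)
    if entry is None:
        return [f"{path}: URL not in learned profile"]
    issues = []
    if method not in entry["methods"]:
        issues.append(f"{path}: method {method} not learned")
    for name, value in params.items():
        p = entry["params"].get(name)
        if p is None:
            issues.append(f"{name}: unknown parameter")
        elif not p["len"][0] <= len(value) <= p["len"][1]:
            issues.append(f"{name}: length {len(value)} outside {p['len']}")
        elif p["type"] == "int" and infer_type(value) != "int":
            issues.append(f"{name}: expected int")
        elif p["type"] == "int" and not p["val"][0] <= int(value) <= p["val"][1]:
            issues.append(f"{name}: value {value} outside {p['val']}")
    return issues

# Constructed learning traffic (not from the page): (method, path, parameters)
LEARNING = [("GET", "/item", {"id": "17", "lang": "en"}),
            ("GET", "/item", {"id": "2048", "lang": "fr"})]
```

A learned profile is only as good as the traffic it saw, which is why the slide notes that the result is adjusted afterwards: ranges learned from a short window are usually too tight and need widening before the check is enforced.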

VSID Algorithm, SQL injection patented technology (Patent NO. 200710145398.8)

• The VSID algorithm combines rule analysis with anomaly analysis (comparison against SQL injection patterns) and establishes a detection pattern from the common behavior of each type of SQL injection. In addition, lightweight virtual machine pre-analysis is used to further analyze the submitted URL, cookies and POST form, checking whether they contain any SQL injection attack.

SQL Injection Algorithm Detection

VXID Algorithm, XSS attack detection patented technology (Patent No.200910085034.4)

– Obtain the protocol variables (such as URL parameter, Cookie, Hosts, Reference, Post Form) that potentially contain XSS attack information from the submitted HTTP request, and perform decoding, DOM analysis, JS code extraction and syntax detection on these protocol variables. The behavior is then reported as an XSS attack event if it matches a specified association rule or the sum of the anomaly scores reaches the specified threshold.

XSS Algorithm Detection

Algorithm based Webpage Trojan Detection, patented technology (Patent No.201010532887.0)

When the Trojan detection feature is enabled, the WAF adds a segment of JavaScript code to the response webpages. The added script makes the client browser automatically send back the necessary HTML tags after the page has loaded. By checking tags such as SCRIPT, IFRAME, LINK, FRAME and IMG, Venusense WAF determines whether the webpage is linked to a Trojan. (The tag extraction is performed by the browser, so it can process dynamic tags generated by scripts.)

Algorithm Based Webpage Trojan Detection

Server load balancing is supported when Venusense WAF is working in proxy mode.

Request traffic can be allocated properly between servers. In this way, the response speed, overall performance and expansion capability of the application system can be greatly improved.

Venusense WAF supports 3 types of load balancing algorithm: round robin, weighted round robin, and least connection.

Server Load Balancing

To increase bandwidth and reliability, the trunk interface function of Venusense WAF establishes a logical network link by aggregating multiple links.

• More reliable: When one of the physical links fails, the load is reallocated to the other links to maintain business continuity.

• Bandwidth improvement: Multiple physical links are aggregated into one logical link, with load balancing between them, in order to increase bandwidth and save cost.

• Venusense WAF supports both Manual and LACP trunk modes, and two options (L2 and L34) are available when using LACP.

Trunk Interface

Virtual Patching is an active defense function used to prevent web application vulnerabilities from being exposed to attacks.

When Venusense WAF detects intensive probing requests sent to the web servers by external scanners with the purpose of discovering web application vulnerabilities, the WAF provides virtual patching for the vulnerable web pages, shields them from the malicious scanning and blocks the probing attack. At the same time, Venusense WAF returns an error page and raises an alarm for the scanning attack.

Virtual Patching

Linkage with APT: Venusense WAF sends unknown files to APT for detection and generates a corresponding security policy based on the detection result from APT.

Linkage with IDS: Venusense WAF can mirror the traffic to the IDS for detection and analysis.

Linkage with business audit system: Reproduces the attack scenario and helps the administrator get more information about the attack process, ensuring system security from both the prevention and audit points of view.

Prevention Linkage
