Blue Coat Web Application Firewall (WAF)

1 Blue Coat Web Application Firewall (WAF)
Thank you for joining today’s Blue Coat Customer Support Technical Webcast!
- The Webcast will begin just a minute or so after the top of the hour to allow today’s very large audience sufficient time to join
- You may join the teleconference through the numbers provided in your invite, or listen through your computer speakers
- Audio broadcast will only go live when the Webcast begins; there will be silence until then
- The Presentation will run approximately 60 minutes
- There will be a 30-minute Q/A session thereafter
- Please submit questions using the Webex Q/A feature!

2 Blue Coat Web application firewall
Blue Coat Support Webinar Michael Mauch, EMEA CTO

3 Blue Coat Web application firewall Webinar Agenda
- Journey: Reverse Proxy to Web Application Reverse Proxy and now a complete WAF
- Quick Recap of Blue Coat Reverse Proxy Capabilities
- What’s different about the Blue Coat WAF security model
- WAF Solution Components and versions
- Web Application Protection (WAP) details
- Multi-Tenancy: What and how-to
- Configuration and Workflow for publishing and protecting web applications
- WAF Solution Sizing
- Demonstration: Solution in action
- Logs and Reporting
- Q&A

4 Intro

5 Web evolution Cyber threats and attacks Website vulnerabilities
Business applications are becoming “web-ified”
- Move away from dedicated clients
- Shifting from computer-centered to network-diffused technologies
- Extending organizational boundaries to remote employees, business partners, and customers
- Eliminating desktop install issues
Public websites are getting more sophisticated
- Interactive sites, streaming media
- Transactional and self-service applications

6 WHY WAF? Security User Experience Complexity
Security
- Direct Internet access to web servers
- Application and Server OS vulnerabilities
- DMZ deployment
- Uploaded malicious content
- OWASP Top 10
- Sophisticated and targeted attacks
User Experience
- Overburdened origin servers (offload SSL, web services, cached content)
- Slow remote connections
- Dynamic content
Complexity
- Growing web infrastructures
- Administrative overhead
- Performance demands

7 Blue Coat’s WAF Journey
- Reverse Proxy: Traditional website protection, good at caching, keeping a buffer between the outside world and the inside world
- Web Application Reverse Proxy: In addition to reverse proxy, application aware, including benefits for streaming and video, comprehensive policy and rewrite capabilities, user awareness and tracking, SSL aware and capable, inbound protection and scanning of uploaded files
- Web Application Firewall: Focused on protection around the OWASP Top 10, attacks on websites, firewall capabilities, IPS, IDS
WAF functionality is built upon our Reverse Proxy capabilities

8 Reverse Proxy Capabilities: Recap (SGOS 6.5 and earlier)
Diagram labels: Management, Local, Central, Appliance Monitoring, On-Premise Reporting, GEO Location, Cookie Signing, DoS Protection, DLP, White & Blacklisting, HTTP Compression, Global Intelligence Network, Services, Anti-malware, URL Rewriting, BW MGMT, SQLi, Security Analytics Platform, Object Caching, SSL Offload, Server Load-balancing, SSL Inspection, Authentication, Authorization, Logging, ICAP & E-Tap Integration, Policy, Policy / Enablement, Connectivity (IPv4, IPv6), Transparent (Inline, Load-balanced), Explicit (DNS), Platform, Appliance, Virtual Appliance
Platform: WA-RP can be deployed either as an appliance or as a virtual appliance.
Connectivity: Customers can deploy ProxySG transparent or explicit. We support IPv4, IPv6 or mixed IPv4+IPv6 deployments.
- Transparent: achieved by deploying ProxySG physically inline using bridge interface configurations, or by using traffic redirection from L4-L7 load-balancers
- Explicit: achieved by configuring DNS to resolve the server hostname to an IP address that is configured on the ProxySG
Policy: Policy is the enabler for all services / functionalities on ProxySG. It triggers authentication, authorization, logging, SSL interception and also ICAP and encrypted TAP integration. Policy (Content Policy Language, CPL) is still a great differentiator and provides unmatched flexibility.
Services: WA-RP provides services like GEO IP identification, anti-malware scanning (via ICAP, incl. sandboxing (CAS & MAA or encrypted TAP - FEYE)), denial of service (DoS) protection, OWASP TOP 10 attack protection, DLP (via ICAP), IDS (via encrypted TAP), Security Analytics Platform integration (via encrypted TAP), white and blacklisting (of URLs, IP addresses, applications, etc.), URL rewriting, object caching, SSL server offloading, HTTP compression, server load-balancing, bandwidth management and integration into our Global Intelligence Network (WebPulse).
Management: SWG can be managed locally or using a central management system. Cloud or Central Manager can be used for detailed appliance monitoring. Customers have a choice of using Reporter on-premise or the Cloud for reporting purposes.

9 Blue Coat Web Application Firewall
ProxySG provides scalable performance and security for web content and applications
- Secure proxy architecture
- High-performance, scalable content delivery
- Optimized appliance for a cost-effective, easy-to-manage reverse proxy solution
- Intuitive workflows in Management Center for policy creation and management
- Comprehensive logging and reporting for visibility
- Complete OWASP Top 10 protection
- Next Generation, Advanced Engines protection
Summary: Proven reverse proxy, caching, application visibility, and application control technology since 1996.

10 Solution: Web Application Firewall
PROTECTS Web Servers: OWASP Top 10 Security; Advanced WAF Engine; PCI Compliance; Controls access to web apps; Web malware scanning
ACCELERATES Web Content: Intelligent caching; Compression and bandwidth mgt.; SSL offload
SIMPLIFIES Operations: Multi-tenant, RBAC; Scalable, optimized appliance; Easy policy creation & management; Complete logging & reporting
Diagram labels: Users, Public Internet, Firewall, WAF, Firewall, Internal Network, Web Servers

11 Use-Case: Virtual Patching Verify vulnerability & Action
Scale your Confidentiality, Integrity and Availability! Protect web applications by virtual patching on the Web Application Firewall.
SSL/TLS Vulnerability Examples
- Heartbleed: April 7th Heartbleed goes public; April 8th ProxySG patched
- Poodle: Config change to restrict allowed ciphers and protocols
- Shellshock: ProxySG not vulnerable. Exploit detection: 0-day detection by using the upcoming advanced engines
- Freak: ProxySG: config change to restrict allowed ciphers and protocols
Content Management System Examples (source: Feb-16)
- Drupal: Known vulnerabilities: 290. Vuln: Code execution, DoS, XSS, SQL injection, etc.
- WordPress: Known vulnerabilities: 253
- Joomla: Known vulnerabilities: 321. Vuln: Code execution, SQL injection, XSS, etc.
Major vulnerabilities that had and still have wide implications for the industry. Blue Coat provides assurance that enterprise servers and clients are protected.

12 WA-RP and WAF: Data & Workflow
Diagram labels: GLOBAL INTELLIGENCE NETWORK, IDENTITY PROVIDER, REPORTER, SECURITY ANALYTICS PLATFORM, E-TAP, WAF & Reverse Proxy Services, GEO IP, SIGNATURE & RULE UPDATES, INTERNET, WEB SERVER, USER REQUEST, CONTENT ANALYSIS SYSTEM, PROXYSG, SSL/TLS, ICAP, MALWARE ANALYSIS, DLP. Last Updated: 01-JUL-15
1: User requests a URL
2: ProxySG authenticates and authorizes the user
3.1: ProxySG checks the GEO location of the client via GEO IP database lookup (updated by the Global Intelligence Network)
3.2: ProxySG looks for attacks targeting the application running on the server (OWASP TOP 10, for example XSS, SQL Injection, etc.) using signature-less, advanced engines as well as signature-based engines, where signatures are provided by the Global Intelligence Network
4: If traffic is SSL/TLS encrypted, ProxySG can decrypt it and also send a clear-text copy of the request to the Security Analytics Platform via encrypted TAP
5: File uploads can be sent to the Content Analysis System for malware scanning
5.1: Certain files (not known good and not known bad) can be sent to MAA for deeper analysis via sandboxing. Note that this crosses the real-time border; analysis results will take at least 60 seconds
6: ProxySG receives traffic from the server
7: Data from files downloaded from the web server can be sent to a DLP system using ICAP
8: If traffic is SSL/TLS encrypted, ProxySG can decrypt it and also send a clear-text copy of the response to the Security Analytics Platform via encrypted TAP
9: Content gets served to the client
10: Access log data can be uploaded to Blue Coat Reporter
11: MAA provides feedback to CAS, and if the file was malicious, subsequent requests will be blocked. Scanning results can also be sent to the Global Intelligence Network

13 WA-RP and WAF: Topology
Diagram labels: INTERNET, USERS, GLOBAL INTELLIGENCE NETWORK, LOADBALANCER (optional), LOADBALANCER (optional), PROXYSG, FIREWALL, PROXYSG, ADMIN, MANAGEMENT CENTER, USER DIRECTORY, REPORTER, SWITCH, CONTENT ANALYSIS, MALWARE ANALYSIS. Last Updated: 11-JAN-16
This diagram shows an example deployment.
- WAF: ProxySG is deployed in a DMZ; CAS is integrated via ICAP
- Users are accessing resources on the server farm that is protected by ProxySG
- A load-balancer in front of ProxySG is optional; it depends on throughput and HA requirements
- A load-balancer in front of the server farm is optional; ProxySG has basic server load-balancing capabilities
- The right part of the diagram shows an admin workstation, Management Center, Reporter and a user directory (for example MS Active Directory)

14 Blue Coat WAF Solution
- ProxySG: SGOS 6.6.3+ with Multi-Tenancy
- Management Center: Version 1.5+
- WAP Subscription
- Reporter Version
Management Center and Reporter are optional but recommended

15 Are MC and Reporter mandatory ?
No. With MC you get:
- WAF policy GUI
- WAF-specific workflows
- RBAC
- Reporting integration
- Customizable dashboards
- Support for proprietary WAF log fields (JSON format)
Alternatives
- MGMT: Write WAF CPL manually
- Reporting: third-party tools (SIEM, etc.)

16 WAF protection Challenges
- Canonical paradox: too many representations of the same attack
  - 1=1 syndrome: attack payloads can be represented in a multitude of ways
  - Performance impact of using regular expressions
  - Overhead of maintaining blacklist and whitelist
  - High risk of false positives
- JavaScript that evades detection
  - No alphanumeric characters required
  - Polymorphic JavaScript that evades signatures
- New languages, data formats, evasion techniques
  - Always playing catch-up, which is a losing game
- Whitelisting quickly becomes unmanageable with Enterprise scaling
- Dynamic nature of web applications leads to high False Positive rates

17 Blue Coat WAF Security Model
Negative Security Model
- Advanced engines: understand the nature of the content, no need for traditional regex signatures
- Traditional signature-based engines
Benefits
- Fewer false positives
- Better protection against new attacks
- Scalability: close collaboration between network security and application owners is NOT required
- Less frequent signature updates
- 0-day protection (e.g. Shellshock exploit)

18 Blue Coat WAF Security Features
- Advanced Detection Engines: SQL injection, Command injection, Code injection, HTML injection, Directory traversal, Cross-site scripting
- Multi-Tenancy Support: Per-web application control
- Traditional Detection Features: Blacklist, Analytics Filter, JSON validation, Null byte detection, Invalid encoding detection, Parameter pollution detection, Multiple encoding detection, Per-part threshold controls, Multiple header detection, Fine-grained normalization control
- Advanced Policies: CSP, HSTS, HPKP, Server error message replacement, etc.

19 WAF Advanced Engines
- Understands the nature of the content (SQL, bash/shell grammar, PHP, JavaScript, Java, etc.)
- Provides 0-day protection because it is not blocking specific attacks, but instead understands how the backend will treat the data
- Advanced engines provide excellent attack detection results with greatly reduced false positives / false negatives and less performance impact at the same time
- Example: Shellshock blocked automatically! Cookie: (){:;};ps -aux

20 WAF Advanced Engines: Key takeaways
They do not use specific attack signatures or regular expression matching. The advanced engines use lexical analysis and parsing of request content to perform content nature detection. For example, the code injection engine works similarly to a compiler: it looks at the constructs presented to determine whether they form a valid set of functionality. The engines contain language grammars and fingerprints that require infrequent updates compared with attack signatures. The architecture reduces false positives and ongoing maintenance, and increases breadth of coverage and performance. They provide protection against unknown attacks because they rely on content nature detection rather than specific attack signatures.

21 WAF Blacklists and Analytics Filter Engines
Blacklist
- An extensive database of attack signatures
- Optimized and high-performance regex
- Blacklist ruleset library
- Benefits: Well-known attack patterns are quickly and efficiently caught
Analytics Filter
- Detect attack characteristics and trigger intelligently based on the sum of the anomalies
- Regex matching with weights and thresholds
- Allows smarter fine-tuning that simple blacklisting cannot provide
Blacklist: The Blacklist engine runs regular expressions of attack signatures against specific parts of a request. Each rule is not run against all parts, but is intelligently pruned to optimize the engine by only running rule evaluations against relevant parts. For example, a rule that only applies to query arguments is not evaluated against the request path, headers or body. When a request contains a pattern that matches the Blacklist rule-set, it is likely a malicious request and should be blocked. The Blacklist is the most frequently updated engine. Its content is driven from the Application Protection Subscription database. Blacklist rule updates can be used for quick virtual patching driven by Blue Coat. Where applicable, Blacklist engines contain CVE (Common Vulnerabilities and Exposures) meta-data, which is output as an optional key:value pair in the WAF block and monitor details access log fields. The Blacklist engine supports the Effective Date specifier.
Analytics Filter: The Analytics Filter engine is a rule-based engine that looks for suspicious patterns within groups of attack families. Each anomaly has an associated weight. When enough indicators are identified to cross a threshold, the engine flags the request. Unlike the Blacklist engine, where finding a single known-bad pattern is enough to trigger a detection, the Analytics Filter is based on heuristics. The presence of a single small indicator is usually not sufficient to make an attack determination. Instead, the engine intelligently sums a set of weighted scores that must cross a tipping point for a request to be flagged. As such, the ruleset is highly tuned and very rarely updated. However, the Analytics Filter engine supports the Effective Date specifier so that content updates can be controlled by the WAF Administrator.

22 Web application protection (WAP)
Subscription Service: Enables WAF Protection Features
Geo-IP
- Enables policy based on the geographic location of the end user accessing the enterprise website
- Allows country-specific locations to be used in policy for regulatory, corporate or compliance needs, or for help with troubleshooting policy
- The Geo-IP database is automatically updated to reflect changes in locations of IP addresses
- Geo-IP does require that the real IP address of the client be delivered via an HTTP request header (in NAT environments)
Application Protections
- Signature updates for a number of engines are provided via the Web Application Protection (WAP) subscription
- Protection from these signatures is provided through the ProxySG policy engine, configurable via Management Center. Administrators can have patterns automatically enforced, or manually enforce after administrator review
- An assortment of protection engines scans and validates request data for malicious data patterns and validity. Protection is offered through next generation signature-less engines and signature-based detection engines
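The Geo-IP bullet above notes that behind NAT the WAF only sees the real client address if an upstream device forwards it in a request header. The Python below is an added illustration (not Blue Coat code; the product's actual header handling is not described on the slide) of the check that makes such a header safe to use for location policy: it assumes the header is X-Forwarded-For and that the trusted proxy ranges are constructed values, and it only believes the header when the TCP peer is one of those trusted proxies, walking the hop list from the right so a client-supplied prefix cannot spoof its country.

```python
import ipaddress
from typing import Optional

# Constructed: address ranges of the load-balancers / NAT devices in front of
# the WAF that are allowed to append hops to X-Forwarded-For.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.0/24"),
]


def _is_trusted(addr: str) -> bool:
    """True if addr parses as an IP inside one of the trusted proxy ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer: str, xff: Optional[str]) -> str:
    """Resolve the address a Geo-IP policy should evaluate.

    `peer` is the TCP source address the WAF actually sees. If it is not a
    trusted proxy, the header is untrusted (any client can send one) and the
    peer itself is the client. Otherwise walk X-Forwarded-For from the right,
    skipping trusted hops, and take the first untrusted address: that is the
    last hop a device we trust vouched for. Anything left of it was supplied
    by the client and is ignored.
    """
    if not _is_trusted(peer) or not xff:
        return peer
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if not _is_trusted(hop):
            try:
                return str(ipaddress.ip_address(hop))  # normalises, rejects garbage
            except ValueError:
                return peer  # malformed entry: fall back to the peer address
    return peer  # every hop was internal: treat the request as internal
```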

23 WAF Policy Actions & effective Date
Granular Block / Monitor / Ignore Actions
- Each WAF engine and property can be configured in Block or Monitor mode, providing power and versatility
- Configurable globally, per engine, per rule, per FP exception, etc.
Effective Date
- All signatures have a time stamp
- Block / Monitor / Ignore Actions can be applied based on that time stamp
- E.g. run signatures from 1st of January 2016 and older in block mode and all newer signatures in monitoring mode
- Benefit: Allows customers to test (new) policies and signatures before they turn on policy enforcement, in order to identify false positives and fine-tune policies
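The following Python is an added model (not Blue Coat code, and not the product's rule format) of three mechanisms described on the Blacklist / Analytics Filter slide and on this Policy Actions slide: rules pruned to specific request parts, per-family weighted anomaly scores summed against a threshold, and an Effective Date cutoff that counts older signatures towards a block and newer ones towards monitor-only. The request model, rule patterns, weights, dates, family names and threshold are all constructed for the illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


# Constructed request model: the parts a rule can be scoped to, so a rule that
# only applies to query arguments is never run against path, headers or body.
@dataclass
class Request:
    path: str
    query: Dict[str, str]
    headers: Dict[str, str]
    body: str = ""


@dataclass
class Rule:
    rid: str
    pattern: str          # regex signature (constructed, illustrative only)
    parts: List[str]      # request parts this rule is evaluated against
    family: str           # attack family whose anomaly weights are summed
    weight: int           # 100 = Blacklist-style single-hit detection
    effective: date       # signature time stamp used by the Effective Date control
    cve: Optional[str] = None  # placeholder metadata slot; no real CVE ids here


THRESHOLD = 100            # Analytics Filter tipping point (constructed)
CUTOFF = date(2016, 1, 1)  # signatures dated on/before this run in block mode

RULES = [
    Rule("BL-1", r"\bunion\s+(all\s+)?select\b", ["query", "body"], "sqli", 100, date(2015, 6, 1)),
    Rule("BL-2", r"\(\)\s*\{", ["headers"], "cmdi", 100, date(2014, 9, 25)),
    Rule("AF-1", r"'\s*(or|and)\b", ["query", "body"], "sqli", 40, date(2015, 1, 1)),
    Rule("AF-2", r"(--|#)\s*$", ["query", "body"], "sqli", 40, date(2015, 1, 1)),
    Rule("AF-3", r"\b(\d+)\s*=\s*\1\b", ["query", "body"], "sqli", 40, date(2015, 1, 1)),
    Rule("NEW-1", r"\.\./", ["path"], "traversal", 100, date(2016, 3, 1)),
]


def _values(req: Request, part: str) -> List[str]:
    """Strings that make up one request part."""
    return {
        "path": [req.path],
        "query": list(req.query.values()),
        "headers": list(req.headers.values()),
        "body": [req.body],
    }.get(part, [])


def evaluate(req: Request, rules: List[Rule], cutoff: date) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Return (decision, hits). Hits are (rule id, part, mode) for logging."""
    scores = defaultdict(lambda: {"block": 0, "monitor": 0})
    hits = []
    for rule in rules:
        rx = re.compile(rule.pattern, re.IGNORECASE)
        for part in rule.parts:                    # pruned: only the rule's own parts
            if any(rx.search(v) for v in _values(req, part)):
                mode = "block" if rule.effective <= cutoff else "monitor"
                scores[rule.family][mode] += rule.weight
                hits.append((rule.rid, part, mode))
                break                              # one hit per rule is enough
    decision = "allow"
    for s in scores.values():
        if s["block"] >= THRESHOLD:
            return "block", hits                   # enforced signatures crossed the line
        if s["block"] + s["monitor"] >= THRESHOLD:
            decision = "monitor"                   # would block once enforced; log only
    return decision, hits
```

A single low-weight indicator (a trailing comment marker in a form field) stays below the threshold and is only logged, while several indicators from the same family together cross it.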

24 Multi-Tenancy: One size does not fit all
Allows WAF Administrators to group Web Apps together and specify unique security settings without impacting other apps. Management Center RBAC allows for delegating tenant policy to LOB admins. Security team(s) can ensure a base level of security settings is enforced.
Diagram labels: LOB 1 Admin, App 1, App 2, App 3, App 4, Global, LOB 2, LOB 3, LOB 4, Net Sec, Management Center, MC or LOB Self-Service Portal

25 Multi-Tenancy
Each request passes through a single tenant
Diagram labels: Landlord slot, Default, Tenant 1, Tenant 2, VPM, Local, Forward, Central, LOB 1 Admin, App 1, App 2, App 3, App 4, Global, LOB 2, LOB 3, LOB 4, WAF, Management Center, MC or LOB Self-Service Portal

26 Sizing Blue Coat WAF
WAF and Reverse Proxy function is available on all ProxySG appliances, including:
- ProxySG hardware appliances
- ProxySG virtual appliances
- Advanced Secure Gateway (ASG)
Standard ProxySG sizing guidelines apply. The following is needed to select the most appropriate ProxySG device(s) for your requirements:
- Transactions/s
- Peak concurrent connections
- Internet bandwidth
- Whether SSL/TLS termination is required, and how much of the traffic is SSL/TLS
- Reporting: for how long do you need to keep data in the database?

27 Live Demo

28 How To publish and protect an app: Quick workflow
On ProxySG(s)
- Basic IP configuration
- Install licenses, enable services & download databases
- Set up failover (if applicable)
- Import keyrings from app servers into SG
- Create Services
- Create Forwarding Hosts
- Set up and enable Access Logging for WAF
On MC
- Create a Tenant for each application
- Create a WAF Security Profile for each application
- Create a CPL Fragment for each app (allow and forward traffic for the app URLs)
- Create Tenant Determination File
- Create WAF Application Policy for each app
- Push Policy to the target ProxySG devices

29 WAF Demo Setup
Diagram labels: INTERNET, WEB APP, WAF, USERS; Request to (DNS resolves name to ); Forward to
- Landlord and Tenant policy
- WAF Security Profile
- WAF Application
- False positive mitigation workflow
- Integrated reporting
- RBAC for environments
Reminder: WAF = ProxySG (Proxy Edition) + Management Center + Reporter

30 Policy: Advanced URLs and CLI commands
ProxySG#show policy
ProxySG#show sources policy

31 Functions Summary

32 WA-RP and WAF: Functions Summary
Diagram labels: Management, Local, Central, Multi-Tenancy, RBAC, Appliance Monitoring, On-Premise Reporting, GEO Location, Cookie Signing, DoS Protection, Global Intelligence Network, White & Blacklisting, Advanced Policies (e.g. CSP, HSTS, HPKP, …), WAF Services, Blacklists, Analytics Filter, OWASP TOP 10 Advanced Engines, Normalization, Signature versions per application, Reverse Proxy Services, URL Rewriting, HTTP Compression, Object Caching, SSL/TLS Offloading, Server Load-balancing, BW MGMT, SSO, Anti-malware, DLP, ICAP & E-Tap Integration, SSL/TLS Inspection, Authentication, Authorization, Logging, Policy, Policy / Enablement, Connectivity (IPv4, IPv6), Transparent (Inline, Load-balanced), Explicit (DNS), Platform, Physical Appliance, Virtual Appliance. Last Updated: 11-JAN-16
Platform: ProxySG can be deployed either as an appliance or as a virtual appliance.
Connectivity: Customers can deploy ProxySG transparent or explicit. We support IPv4, IPv6 or mixed IPv4+IPv6 deployments.
- Transparent: achieved by deploying ProxySG physically inline using bridge interface configurations, or by using traffic redirection from L4-L7 load-balancers
- Explicit: achieved by configuring DNS to resolve the server hostname to an IP address that is configured on the ProxySG
Policy: Policy is the enabler for all services / functionalities on ProxySG. It triggers authentication, authorization, logging, SSL/TLS interception and also ICAP and encrypted TAP integration. Policy (Content Policy Language, CPL) is still a great differentiator and provides unmatched flexibility.
Reverse Proxy Services: RP provides services like URL rewriting, HTTP compression, server off-loading capabilities like object caching and SSL/TLS off-loading, server load-balancing, bandwidth management, single sign-on user experience, malware scanning and DLP (via ICAP, incl. sandboxing (CAS & MAA or encrypted TAP - FEYE)).
WAF Services: WAF provides services like GEO IP identification, cookie signing, denial of service (DoS) protection, OWASP TOP 10 attack protection, white and blacklisting (of URLs, IP addresses, applications, etc.), and integration into the Global Intelligence Network for GEO IP, signature and rule updates. Three main WAF engine types are available: Blacklists and Analytics Filter are signature based; the advanced engines do not require traditional signatures and are a key differentiator of our WAF solution. The WAF also provides comprehensive normalization capabilities, and signature version sets (for blacklists and analytics filter) can be specified per application (which is another differentiator).
Management: The solution can be managed locally or using Management Center. Note that the WAF solution GUI is only available on Management Center. Cloud or Management Center can be used for detailed appliance / statistics monitoring. Customers can use Reporter on-premise for detailed WA-RP and WAF reporting.

33 Open Q&A

34 Blue Coat Customer Forums
- Community where you can learn from and share your valuable knowledge and experience with other Blue Coat customers
- Research, post and reply to topics relevant to you at your own convenience
- Blue Coat Moderator Team ready to offer guidance, answer questions, and help get you on the right track
- Access at forums.bluecoat.com and register for an account today!

35 Thank you for Joining Today!
Please provide feedback on this webcast and suggestions for future webcasts to: Webcast replay and slide deck found here within 48 hours: (Requires BTO log-in)

36 Questions for Michael? Quick Survey
We are truly committed to continuous improvement for these Technical Webcasts. At the end of the event you will be re-directed to a very short survey about satisfaction with this Program. Please help us out by taking two minutes to complete it. Thank you! Questions for Michael?

38 Backup slides (MC screenshots)

39 The configuration and reporting interface

50 Demonstration: take a look at the real setup

56 WAF Reporting

57 MC 1.5: WAF Dashboard

58 WAF Reporting Screenshots

59 WAF Reporting Screenshots
