AXG XML Gateway & Web Application Firewall

1 AXG XML Gateway & Web Application Firewall
ADBU Product Management

2 Types of Firewalls: Know your firewalls!

Protocol Enforcing Network Firewall
  Purpose: OSI network model protocol protection
  Mechanisms: Network port blocking; UDP/TCP state awareness
  Scope: Network protocols
  Value proposition: Protocol enforcement

Intrusion Prevention Systems
  Purpose: Signature-based network protection
  Mechanisms: Signature scanning; connection reject
  Scope: Network applications
  Value proposition: Enhanced access control; URL scanning; broad range of signatures

Content Filtering Gateways
  Purpose: Outbound access control
  Mechanisms: URL- and DNS-level access control list; outbound connection reject
  Scope: Outbound web, IM, file applications
  Value proposition: Anti-malware interface

Anti-malware Gateways
  Purpose: Signature-based payload protection
  Mechanisms: Signature payload scanning; attachment removal
  Scope: Payload components
  Value proposition: Advanced heuristics; outbreak protection

Web Application Firewalls
  Purpose: HTTP/HTTPS application protection
  Mechanisms: URL normalization; session state enforcement; application context
  Scope: HTTP/HTTPS applications
  Value proposition: Context-based positive security model; adaptive rule modification/exception

3 What is a WAF?
Web Application Firewalls intercept, inspect and deny/reject/allow Layer-7 traffic.
  WAF devices protect web applications from specific vulnerabilities that IDS/IPS/FW do not see.
  WAF devices intercept all traffic bound for the web server.
  WAF devices are complex devices with sophisticated features: actually, they have to be as complex as the web applications they protect.
(Diagram: Browser, WAF, Web Servers, Application Servers, Database Servers)

4 Why Another Firewall?
Layer-2, deep packet inspection firewalls do not see layer-7 attacks!
  Intent of attacks has shifted to financial gains. It used to be DoS/disruptions.
  The objective of attackers is to steal real-world identity.
  Today's firewalls do not understand L7 protocols.
  90% of security spending prevents only 10% of attacks.
(Chart: % of attacks vs. % of dollars (security spending) for Network/Server vs. Web Applications; values shown: 75%, 25%, 90%, 10%)
Sources: Gartner, OWASP

5 Which WAF?
WAFs should be evaluated on their ability to block attacks at all levels of the OSI stack.
Web Attacks by Category:
  A quarter of the attacks are unknown/unclassified: "WAF device should allow for rich policy based interceptors and extensive logging."
  Half of the attacks are on web sessions with intent of financial gain: "Only Cisco WAF can block attacks across the network from router, switch, load balancer to WAF device."
  A quarter of the attacks aim for unauthorized (broken access) system information: "WAF devices that inspect bi-directional traffic are better."
  Only 6% of the attacks are DoS/crypto attacks: "Majority of security infrastructure is aimed at a small minority of the attacks."
Cisco's security infrastructure integrated with AXG/WAF offers the most comprehensive protection in the industry.

6 Cisco's AXG-WAF Appliance
AXG was first to market with a combination WAF/XML firewall. It will be first to market with Layer 2 to Layer 7, upstream and downstream blocking mechanisms.

Performance & Scalability
  Hardware: 1 RU rack-mountable appliance, Dual Core Xeon with 4MB DDR2
  Clustering support (Active/Active)
Connectivity
  4 GbE ports with NIC teaming for high ingress bandwidth
Blocking Coverage
  Inline at L7
  Upstream at TCP on ACE
  Upstream at L3*
Threat Protection
  Extensive threat signatures
  HTTP input normalization
  Application cloaking
  Encrypted & tamperproof cookies
  SSL client and server decryption
  Data overflow protection
Data Theft Prevention
  Custom error remapping
  Egress content rewrite
Management, Monitoring & Logging
  Powerful yet simple GUI
  Seamless signature upgrade
  Human-assisted site learning
  MIB & statistics
  Instant alerting and reporting
  Change control and audit log
  Extensive security logging, including external hosts
Pricing
  $40K
  ACE-XML-K9, ACE-XML-NF-K9
  FIPS compliance
  XML Firewall included
  Authentication included
  L4-L7 inline deployment
* On roadmap
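Slides 2 and 6 list "URL normalization", "HTTP input normalization" and a "context-based positive security model" as the mechanisms that separate a WAF from a packet firewall. The following is an added illustration of what those mechanisms do on a request, written for this transcript; it is not Cisco code and does not reflect how the AXG appliance is implemented. The route policy, the signature patterns and the sample requests are constructed for the example.

```python
import posixpath
import re
from urllib.parse import parse_qsl, unquote

MAX_DECODE_PASSES = 3  # bound the decode loop so a pathological input cannot spin

# Positive security model (constructed): only these paths, carrying only these
# parameters, each matching its pattern, are allowed.  Anything else is denied.
POLICY = {
    "/account": {"id": re.compile(r"^\d{1,9}$")},
    "/search": {"q": re.compile(r"^[\w ]{1,64}$")},
}

# A few illustrative signatures (constructed), applied only to *normalized* text
# so that percent-encoding does not hide the pattern from the scanner.
SIGNATURES = {
    "sqli-boolean": re.compile(r"\b(or|and)\b\s+\d+\s*=\s*\d+", re.IGNORECASE),
    "xss-script-tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "path-traversal": re.compile(r"(^|/)\.\.(/|$)"),
}


def normalize(text: str) -> str:
    """Percent-decode until the text stops changing (so %2520 -> %20 -> space is
    seen as a space), then fold backslashes to forward slashes."""
    current = text
    for _ in range(MAX_DECODE_PASSES):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/")


def canonical_path(raw_path: str) -> str:
    """Decode the path and resolve './' and '../' segments, so that
    /static/..%2F..%2Fetc/passwd and /etc/passwd compare as the same path."""
    return posixpath.normpath(normalize(raw_path))


def signature_hits(text: str) -> list[str]:
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]


def evaluate(raw_path: str, raw_query: str = "") -> tuple[str, str]:
    """Return ("allow", reason) or ("deny", reason) for one request line.

    The reason string is what a WAF would write to its security log."""
    # Scan the decoded but unresolved path: a traversal attempt is logged even
    # if the resolved path happens to be in policy.
    hits = signature_hits(normalize(raw_path))
    path = canonical_path(raw_path)
    rules = POLICY.get(path)
    if rules is None:
        return "deny", f"path {path!r} not in positive model; signatures {hits}"
    for key, value in parse_qsl(raw_query, keep_blank_values=True):
        key, value = normalize(key), normalize(value)  # second pass catches double encoding
        hits += signature_hits(value)
        pattern = rules.get(key)
        if pattern is None:
            return "deny", f"unexpected parameter {key!r}; signatures {hits}"
        if not pattern.fullmatch(value):
            return "deny", f"parameter {key!r} violates allowed pattern; signatures {hits}"
    return "allow", f"path {path!r} and parameters match policy; signatures {hits}"


if __name__ == "__main__":
    for request in [("/account", "id=42"),
                    ("/search", "q=hello%20world"),
                    ("/account", "id=42%2520OR%25201%3D1"),   # double-encoded
                    ("/account", "id=42&debug=1"),
                    ("/static/..%2F..%2Fetc/passwd", "")]:
        print(request, "->", evaluate(*request))
```

The positive model is what does the blocking; the signatures only enrich the log entry. Running the same signatures on the raw, still-encoded text would miss the double-encoded case entirely, which is why normalization runs first.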

7 Standard Deployment
Typical deployment of AXG-WAF is in one-arm fashion to the ACE load balancer.
(Diagram: Web Client, Internet, Network Firewall, two ACE App Switches, two ACE Web App Firewalls, ACE Web App Manager, Web-enabled Applications, Portal Applications, Identity Mgt Systems; DMZ and DATA CENTER zones)

8 Network Deployment
Customers can leverage existing investments in network infrastructure and simultaneously protect the WAF infrastructure. Leverage Cisco's extensive network infrastructure for directing traffic to the WAF.
  Network performs HA & failover/passthrough
  Network can also offload SSL
  Malicious traffic can be blocked upstream*
(Diagram: External HTTP and XML Web Services Consumers, Internet, Cisco ACE, Web Application Firewall, Web and XML Applications; traffic types HTML, XML, SOAP)

9 Reverse Proxy Deployment
RP deployment is ideal in a trusted VPN B2B scenario. In RP mode, web servers are gatewayed through the WAF. The default route for the RP is the edge router. DNS points to the AXG WAF when asked for WWWx. Leverage Cisco's extensive network infrastructure for directing traffic to the WAF.
(Diagram: External HTTP and XML Web Services Consumers, Internet, AXG Web Application Firewall as full reverse proxy, WWW Portal, WWW1, WWW2, WWW3 over HTTP)

10 Deployment in DC with Virtual Web Tier
Oversubscribed deployment configuration for datacenters with a virtual web tier.

Physical NIC | vSwitch   | VLAN / Purpose
pNIC-1       | vSwitch-0 | Management VLAN 100
None         | vSwitch-1 | Private VMs
pNIC-2/3     | vSwitch-2 | VM Network (Port Groups)
pNIC-4       | vSwitch-3 | VMotion (VMKPort)

Eth0 is the management network for ssh into COS or to run esxtop. vSwitch is the ESX virtual switch.
(Diagram: ESX Host with Eth0 for COS, VMs for IDMS, ACE, WAF and ERPs/AppServers on VLANs 100 and 110; WAN; Physical Application & Data Tier, Virtualized Web Tier, Application Delivery Infrastructure)

11 Release 6.1 Before & After
  1 Before: No support for NIC teaming. After: NIC teaming supported.
  2 Before: Manager able to handle a few hundred policies with simultaneous access. After: Manager able to handle thousands of policies with simultaneous access.
  3 Before: SDK based on Java 1.4. After: SDK based on Java 1.6.
  4 Before: Weblog at origin server recorded the AXG/WAF IP address. After: Weblog at origin server records the client IP address. (Tentative)
(Diagram: Internet, External HTTP and XML Web Services Consumers, Web Application, SDK, Manager, Log)

12 Defender Before & After
  1 Before: Limited integration with load balancer ACE. After: Use WAF Manager to add ACLs to ACE.
  2 Before: Authentication traffic from browser limited in performance. After: Authentication traffic from browser competitive in performance.
  3 Before: Limited support for IDMS. After: Widely adopted IDMS supported on browser-based authentication without loss of performance (with AXG license).
  4 Before: Limited support for WS-* Security standards. After: Considering WS-I Basic Profile compliance. (Tentative)
(Diagram: Internet, ACE, ACE-WSG, External HTTP and XML Web Services Consumers, Identity Mgt Systems; traffic types HTML/HTTP, SOAP/HTTP, XML/HTTP)

13 Protect Browser-initiated Traffic: AXG-WAF Competitive
AXG-WAF is the only WAF device with the potential of blocking malicious traffic end to end in the network.
(Chart: vendors positioned by blocking scope, device-level vs. network-level traffic blocking, and by coverage, browser-initiated traffic only vs. XML/Web services plus browser-initiated traffic)
  Citrix NetScaler (v9.0)
  IBM DataPower XS40**
  Cisco AXG/WAF*
  Protegrity
  F5 ASM
  Imperva
  Barracuda
  Breach WebDefend
* Through integration with Cisco ACE load balancer in the 6.1 release
** DataPower appliance is XML only

14 AXG-WAF Competitive Side by Side
Columns: Value Factor | Barracuda NC1100 | BeeWare IS200 | Breach WebDefend | Citrix NS-9 | F5 Big-IP 8800 with ASM | Imperva SS WAF | Cisco
(Competitor cells survive only as the scattered values "Limited", "No", "Yes", "Limited to device" and "Yes on device only"; the Cisco column is recoverable.)
  Traffic Management
  Load Balancing: YES with ACE integration
  High Availability: YES with ACE and Catalyst integration
  SSL Acceleration: YES with FIPS
  Cache & Compression: YES with WAAS, ACE-Module integration
  Policy Templates
  Traffic Blocking Coverage: Across datacenter with integration (competitors: limited to device)
  Administration GUI
  Monitoring, Alerts, Audit & Reporting: Yes on device and upstream with integration (competitors: yes on device only)

15 AXG-WAF Direction
  2009: Release 6.1 (Q4CY09); unified upgrade path from Rel 5.2 and 6.0.x; release (1/28/09) on CCO
  2010: "Defender" release (Q1CY10); ACE integration; integration with Nexus/Catalyst
  2011-2012: AXG on CA

16 Questions?

17 OWASP Top 10
A1 - Cross Site Scripting (XSS): XSS flaws occur whenever an application takes user-supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser, which can hijack user sessions, deface web sites, etc.
A2 - Injection Flaws: Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.
A3 - Insecure Remote File Include: Code vulnerable to remote file inclusion allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise.
A4 - Insecure Direct Object Reference: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.
A5 - Cross Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker.
A6 - Information Leakage and Improper Error Handling: Applications can unintentionally leak information about their configuration or internal workings, or violate privacy, through a variety of application problems. Attackers use this weakness to violate privacy or conduct further attacks.
A7 - Broken Authentication and Session Management: Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users' identities.
A8 - Insecure Cryptographic Storage: Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud.
A9 - Insecure Communications: Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.
A10 - Failure to Restrict URL Access: Frequently, the only protection for sensitive areas of an application is that links or URLs are not presented to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations.
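A7 above (session tokens "not properly protected") is the weakness the "Encrypted & tamperproof cookies" feature on slide 6 addresses. The following added example, written for this transcript and not Cisco's implementation, shows the tamperproof half of that idea: a session cookie whose claims carry an HMAC-SHA256 tag, so a client that edits the cookie body is detected on the next request. It covers integrity and expiry only; confidentiality of the claims would need an additional encryption layer. The key, claims and timestamps are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a deployment would load this from a secret store and rotate it.
SESSION_KEY = b"example-only-32-byte-secret-key!!"
COOKIE_LIFETIME_SECONDS = 900


def _b64e(raw: bytes) -> str:
    """URL-safe base64 without padding, so the value is cookie-safe."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _tag(body: str, key: bytes) -> bytes:
    return hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()


def sign_cookie(claims: dict, key: bytes, now: int) -> str:
    """Serialize the claims plus an expiry and append an HMAC-SHA256 tag.
    The body stays readable by the client but cannot be altered without the key."""
    payload = dict(claims, exp=now + COOKIE_LIFETIME_SECONDS)
    body = _b64e(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8"))
    return f"{body}.{_b64e(_tag(body, key))}"


def verify_cookie(cookie: str, key: bytes, now: int):
    """Return the claims if the tag matches and the cookie is unexpired, else None."""
    body, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    try:
        presented = _b64d(tag)
        expected = _tag(body, key)
    except ValueError:  # bad base64 or non-ASCII body: malformed, reject
        return None
    # Constant-time comparison, and the tag is checked before any untrusted JSON is parsed.
    if not hmac.compare_digest(presented, expected):
        return None
    claims = json.loads(_b64d(body))
    if claims.get("exp", 0) <= now:
        return None
    return claims


def tamper_with_cookie(cookie: str, field: str, value) -> str:
    """Model the failure mode A7 describes: the body is edited client-side without
    the key, so the original tag no longer matches and verification must fail."""
    body, _, tag = cookie.rpartition(".")
    claims = json.loads(_b64d(body))
    claims[field] = value
    new_body = _b64e(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode("utf-8"))
    return f"{new_body}.{tag}"


if __name__ == "__main__":
    issued_at = 1_000_000  # constructed epoch seconds
    cookie = sign_cookie({"uid": 42, "role": "user"}, SESSION_KEY, issued_at)
    print("valid   :", verify_cookie(cookie, SESSION_KEY, issued_at + 100))
    print("tampered:", verify_cookie(tamper_with_cookie(cookie, "role", "admin"), SESSION_KEY, issued_at + 100))
    print("expired :", verify_cookie(cookie, SESSION_KEY, issued_at + COOKIE_LIFETIME_SECONDS))
```

The check order matters: the tag is verified in constant time before the body is parsed, so malformed or forged cookies never reach the JSON parser or the application, and the expiry bound limits how long a stolen cookie stays usable.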

