AIWAF - Solution Brief - EN
WAF
2. WAF INTRODUCTION
3. WAF FEATURES
Changes in IT Environment
• Smart devices allow individuals to bring their work wherever they go
• Because the web is accessible and easy to use, central data and information are concentrated on the web
• Increase in various web services such as finance, shopping, and medical care
• Increased IT compliance needs
• Need for ISMS certification
• Strict Personal Information Protection Act
• The majority of web services require basic personal information
• Increase in data breach attacks
• Brand image and financial loss in the event of a breach
• Ports for web services must be open at all times
• An IPS is not capable of defending SSL communication (excessive system load when it is used) and does not provide detailed policy settings
WAF vs IPS / NG FW
(Comparison figure; criteria compared: Multiprotocol Security, IP Reputation, Web Vulnerability Signatures, Automatic Policy Learning. Source: Gartner)
OWASP Top 10: 2013 vs 2017 (excerpt)
2013                                                      | 2017
A1-Injection                                              | A1:2017-Injection
A4-Insecure Direct Object References [merged with A7]     | A4:2017-XML External Entities (XXE) [NEW]
A7-Missing Function Level Access Control [merged with A4] | A7:2017-Cross-Site Scripting (XSS)
A9-Using Components with Known Vulnerabilities            | A9:2017-Using Components with Known Vulnerabilities
Source: https://www.owasp.org
Key Points
• In order to provide services, web servers are always open to the public
• Because of this exposure, 80% of hacking incidents happen on the web or use the web as an entry point
• Vulnerabilities in the application source code are the root problem, and it takes an average of 100 days to fix even 50% of the issues
• Attackers find new vulnerabilities with new technologies and improved skills; unresolved web security vulnerabilities can cause serious information leakage, as happened with SONY and AT&T
Appearance and Specifications (seven appliance models, listed left to right from smallest to largest)

Item                          | #1            | #2              | #3              | #4                | #5                | #6                | #7
RAM                           | 4GB           | 8GB (max 128GB) | 16GB (max 128GB) | 32GB (max 2TB)   | 32GB (max 2TB)    | 64GB (max 2TB)    | 64GB (max 2TB)
MGMT / HA                     | Mgmt 1 UTP port, HA 1 UTP port (all models)
Network (default)             | 1G UTP x 2    | 1G UTP x 4      | 1G UTP x 4      | -                 | -                 | -                 | -
CPS (connections/s) HTTP/HTTPS| 5,000/1,500   | 30,000/10,000   | 55,000/15,000   | 130,000/35,000    | 200,000/50,000    | 250,000/70,000    | 350,000/100,000
TPS (transactions/s) HTTP/HTTPS| 9,000/5,000  | 55,000/35,000   | 80,000/55,000   | 250,000/100,000   | 300,000/150,000   | 400,000/200,000   | 550,000/300,000
Throughput HTTP/HTTPS         | 400M/200M     | 2G/1G           | 4G/2G           | 10G/5G            | 14G/8G            | 15G/9G            | 16G/10G

• NIC modules can be selected and combined in the slot, and an SSL accelerator card can be installed as an option.
• Specifications of this product are subject to change without prior notice for performance improvement.
• Performance figures may differ depending on the measurement profile and environment. Please refer to the APPLIANCE SHEET for the measurement environment.
Transparent Proxy
■ Proxy-based full transparent mode: patented technology (Korea, Patent No. 10-0695489)

■ Proactive response to threats that cannot be addressed by security rules alone
- Real-time response to web attack threats through linkage with a cyber threat intelligence platform
- Comprehensive response for proxy IPs, black client IPs, C&C IPs and malicious code link insertion
- Reputation information about the attacking IP

Machine Learning
■ Efficient response to new web vulnerabilities for which no detection pattern exists yet
- Synchronization with machine learning technology (cloud center) to detect anomalies and threats
- Protects web-based applications from known and unknown threats

■ Detection up, false positives down
- Some web services (pages) exchange data in various encodings as needed
- When an attack string is placed inside an encoded query or payload value, a gap in the security policy occurs
- Data encoded by various methods is decoded and then inspected after normalization
- URL, HEX, Unicode and Base64 encodings are supported
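The gap described above is easy to reproduce: a signature that matches `<script` never sees it when the client sends `%253Cscript` or `PHNjcmlwdD4=`. The following is an added example, not code from the product or this brief, of a normalizer that strips URL, `%uXXXX` Unicode, `\xHH`/`0xHH` hex and Base64 layers repeatedly (bounded by a depth limit) before signature matching. The two signatures, the decoder heuristics and the sample values are all constructed for illustration and are not the product's rule set.

```python
import base64
import binascii
import re
import urllib.parse

# Constructed sample signatures (not the product's rule set): a bare '<script' tag
# for XSS and a classic "' or 1=1" tautology for SQL injection.
SIGNATURES = {
    "XSS": re.compile(r"<\s*script\b", re.IGNORECASE),
    "SQLI": re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE),
}

_B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")   # whole-token Base64 only
_UNICODE_RE = re.compile(r"%u([0-9a-fA-F]{4})")        # IIS-style %uXXXX escapes
_HEX_RE = re.compile(r"(?:\\x|0x)([0-9a-fA-F]{2})")    # \xHH / 0xHH byte escapes

MAX_DEPTH = 5  # bound nested decoding so deeply nested input cannot burn CPU


def decode_once(value: str) -> str:
    """Strip one layer of encoding; returns the input unchanged if none applies."""
    # Base64 is tried first on the whole token: its alphabet contains '+' and '/',
    # which the URL decoder below would otherwise turn into a space.
    if len(value) % 4 == 0 and _B64_RE.match(value):
        try:
            text = base64.b64decode(value, validate=True).decode("utf-8")
            if text.isprintable():
                return text
        except (binascii.Error, UnicodeDecodeError):
            pass  # not real Base64 (or a binary payload): fall through
    out = _UNICODE_RE.sub(lambda m: chr(int(m.group(1), 16)), value)
    out = _HEX_RE.sub(lambda m: chr(int(m.group(1), 16)), out)
    return urllib.parse.unquote_plus(out)  # %HH escapes, and '+' becomes a space


def normalize(value: str, max_depth: int = MAX_DEPTH) -> str:
    """Decode repeatedly until the value stops changing or the depth limit is hit."""
    for _ in range(max_depth):
        decoded = decode_once(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_value(value: str, normalize_first: bool = True) -> list:
    """Names of the signatures that match, optionally after normalization."""
    target = normalize(value) if normalize_first else value
    return [name for name, rx in SIGNATURES.items() if rx.search(target)]


if __name__ == "__main__":
    # Constructed request values: the same attack hidden behind different encodings.
    samples = [
        "%253Cscript%253Ealert(1)",  # double URL-encoded
        "%u003Cscript%u003E",        # %u Unicode escapes
        r"\x3cscript\x3e",           # hex escapes
        "PHNjcmlwdD4=",              # Base64 of '<script>'
        "1'+or+1%3D1--",             # URL-encoded SQL tautology
        "user%40example.com",        # benign value
    ]
    for s in samples:
        print(f"{s:28} raw={inspect_value(s, normalize_first=False)} "
              f"normalized={inspect_value(s)}")
```

Two design points matter in practice: the decoded copy is used only for inspection and never forwarded (so an over-eager decoder, for example one that turns a legitimate `0x1f` into a control character, cannot corrupt the request), and the depth limit turns a nested-encoding flood into a bounded amount of work per request.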
(Figure: per-domain policy control. A master admin and a domain admin ("A Domain admin") switch individual rules such as SQL Injection, XSS, CSRF and Web Shell ON or OFF per domain.)
■ Security gap down: granular policy control
- In case of a false positive, service is not interrupted and the security gap is minimized through exception handling for each individual rule
- Applied IP/URL and exception IP/URL settings
- Customizable block page
- Customizable disabled-pattern setting
- Schedule setting
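How per-rule exceptions keep a false positive from forcing a whole rule off can be shown with a small policy evaluator. The code below is an added example, not the product's configuration model: the `Rule` shape (applied URL globs, exception URL globs, exception client CIDRs, an active-hours schedule and a block/detect action) and the three sample rules are assumptions made for illustration.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    """Assumed shape of one protection rule together with its own exceptions."""
    name: str
    enabled: bool = True
    applied_urls: list = field(default_factory=lambda: ["*"])  # URL globs the rule covers
    exception_urls: list = field(default_factory=list)         # URL globs exempt from the rule
    exception_ips: list = field(default_factory=list)          # client CIDRs exempt from the rule
    schedule: Optional[tuple] = None  # (start_hour, end_hour) when active; None = always
    action: str = "block"             # "block", or "detect" to log only


def _ip_in(client_ip: str, cidrs: list) -> bool:
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def _in_schedule(hour: int, schedule: Optional[tuple]) -> bool:
    if schedule is None:
        return True
    start, end = schedule
    if start <= end:                       # e.g. (9, 18): office hours
        return start <= hour < end
    return hour >= start or hour < end     # wraps midnight, e.g. (22, 6)


def rule_applies(rule: Rule, path: str, client_ip: str, hour: int) -> bool:
    """True when the rule should be evaluated for this request at all."""
    if not rule.enabled or not _in_schedule(hour, rule.schedule):
        return False
    if not any(fnmatch.fnmatch(path, g) for g in rule.applied_urls):
        return False
    if any(fnmatch.fnmatch(path, g) for g in rule.exception_urls):
        return False                       # URL-level exception for a known false positive
    return not _ip_in(client_ip, rule.exception_ips)


def decide(rules: list, matched: set, path: str, client_ip: str, hour: int) -> str:
    """'matched' holds the names of signatures that fired on the request.
    Returns the strongest applicable action: 'block' > 'detect' > 'allow'."""
    outcome = "allow"
    for rule in rules:
        if rule.name in matched and rule_applies(rule, path, client_ip, hour):
            if rule.action == "block":
                return "block"
            outcome = "detect"
    return outcome


# Constructed policy: SQLi is blocked everywhere except a reporting endpoint that
# legitimately accepts SQL-like text; the internal scanner 10.10.0.0/24 is exempt
# from the XSS rule; the web shell rule only guards /upload/ during the night shift.
RULES = [
    Rule("SQLI", exception_urls=["/api/report/*"]),
    Rule("XSS", exception_ips=["10.10.0.0/24"], action="detect"),
    Rule("WEBSHELL", applied_urls=["/upload/*"], schedule=(22, 6)),
]

if __name__ == "__main__":
    print(decide(RULES, {"SQLI"}, "/login", "203.0.113.5", 12))             # block
    print(decide(RULES, {"SQLI"}, "/api/report/export", "203.0.113.5", 12))  # allow
    print(decide(RULES, {"XSS"}, "/search", "10.10.0.7", 12))               # allow
    print(decide(RULES, {"WEBSHELL"}, "/upload/a.php", "203.0.113.5", 23))  # block
```

The exception is scoped to one rule and one URL or network, so the SQL injection rule keeps protecting every other endpoint while the reporting endpoint stops raising false positives, which is the "service uninterrupted, gap minimized" trade-off the bullets describe.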
Category | Feature | Description
DoS Policy | DoS Policy | Detect and block by TCP session limiting; detect and block slow DoS attacks
Domain Management | Domain Registration | Domain registration and maintenance, QoS setting by domain, origin IP header detection, admin by domain
Threshold-Based Security Policy | Threshold-Based Policy | Forced browsing, HTTP request flooding, click fraud, login fraud, attacker IP auto-detection. When the number of attempts from a source IP exceeds the threshold, the source IP is added to a blacklist and detected or blocked for the configured time
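The threshold policy row describes a sliding-window counter per source IP with a time-limited blacklist. The following is an added example of that mechanism, written for this page and not taken from the product: the `ThresholdPolicy` fields (counted method and URL, threshold, window, block time, action) and the access log it is replayed against are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class ThresholdPolicy:
    """Assumed policy shape: more than 'threshold' counted requests from one source IP
    inside 'window' seconds puts that IP on the blacklist for 'block_time' seconds."""
    path: str          # URL the counter applies to (e.g. the login endpoint)
    method: str
    threshold: int
    window: float
    block_time: float
    action: str = "block"   # "block", or "detect" to only log while blacklisted


class ThresholdEnforcer:
    def __init__(self, policy: ThresholdPolicy):
        self.policy = policy
        self._events = {}     # source IP -> deque of request timestamps inside the window
        self._blacklist = {}  # source IP -> time at which its blacklist entry expires

    def is_blacklisted(self, ip: str, now: float) -> bool:
        expiry = self._blacklist.get(ip)
        if expiry is None:
            return False
        if now >= expiry:          # configured block time elapsed: release the IP
            del self._blacklist[ip]
            return False
        return True

    def handle(self, ip: str, method: str, path: str, now: float) -> str:
        """Decision for one request: 'allow', or the policy action once the IP is listed."""
        if self.is_blacklisted(ip, now):
            return self.policy.action    # the blacklist covers every URL, not only the counted one
        if method != self.policy.method or path != self.policy.path:
            return "allow"               # not a counted request
        q = self._events.setdefault(ip, deque())
        q.append(now)
        while q and now - q[0] > self.policy.window:   # drop events older than the window
            q.popleft()
        if len(q) > self.policy.threshold:
            self._blacklist[ip] = now + self.policy.block_time
            q.clear()
            return self.policy.action
        return "allow"


def replay(policy: ThresholdPolicy, log: list) -> list:
    """Run (timestamp, ip, method, path) records through the policy; returns the decisions."""
    enforcer = ThresholdEnforcer(policy)
    return [enforcer.handle(ip, method, path, ts) for ts, ip, method, path in log]


# Constructed access log: 203.0.113.9 hammers the login form (login fraud),
# 198.51.100.4 logs in once like a normal user.
LOGIN_FRAUD = ThresholdPolicy("/login", "POST", threshold=5, window=10.0, block_time=60.0)
SAMPLE_LOG = [(float(t), "203.0.113.9", "POST", "/login") for t in range(6)] + [
    (5.5, "198.51.100.4", "POST", "/login"),
    (30.0, "203.0.113.9", "GET", "/index.html"),  # still blacklisted: blocked on any URL
    (70.0, "203.0.113.9", "POST", "/login"),      # block time elapsed: counting starts again
]

if __name__ == "__main__":
    for record, decision in zip(SAMPLE_LOG, replay(LOGIN_FRAUD, SAMPLE_LOG)):
        print(record, "->", decision)
```

The per-IP deque keeps only events inside the window, so a slow trickle of attempts below the rate never accumulates, while the blacklist expiry implements the "within the configured time" part of the row: the IP is released automatically once the block time has passed.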
Vulnerability Detection | OWASP Top 10 Detection | SQL injection, XSS, cookie forgery, CSRF, forced browsing, malicious file upload, command injection, directory access and other vulnerabilities: detect and block
Vulnerability Detection | Other Vulnerability Detection | Application vulnerabilities, scanner/proxy/spambot and other vulnerabilities: detect and block
Abnormal Request/Response | HTTP Header Detection | Abnormal HTTP requests, HTTP method restriction, buffer overflow, unvalidated redirects; HTTP headers, payloads and queries are checked and detected or blocked according to the policy setting
Abnormal Request/Response | Application Profiling | Learn users' access information for a specified period and build a profile; detect and block access attempts that violate the policy
Abnormal Request/Response | URL Extension Access Control | Define the extensions clients are allowed to request; detect and block requests for undefined extensions
Abnormal Request/Response | Honeypot URL | Block users that access the honeypot URL with a tool (crawler, scraper, etc.)
Abnormal Request/Response | Script Authentication | Bot detection based on analysis of the client's script execution after inserting JavaScript into the response data
Server/Data Protection | Page Forgery Detection | Detect URL page forgery and restore the original page
Server/Data Protection | Header Cloaking | Remove the HTTP response headers that contain sensitive information about the web server before the response is sent to the user
Server/Data Protection | Error Page Cloaking | If the web server's response code is an error code (or a DBMS error), a block page is shown instead of the error page
Server/Data Protection | Directory Listing | Detect and block leakage of the server's directory and file information caused by erroneous settings
Server/Data Protection | Malware Distribution Detection | Detect and block when the web server is infected with malicious code and has malicious data embedded in the response page
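Header cloaking, error page cloaking and directory listing detection all act on the server's response before it reaches the client. The block below is an added example of that response-side filtering written for this page, not the product's implementation: the header list, the DBMS error fingerprints, the directory-listing marker and the block page are constructed assumptions (a real deployment carries far longer fingerprint lists), and a `Content-Length` header is dropped whenever the body is replaced so the client does not receive a mismatched length.

```python
import re

# Response headers that disclose the server stack and are removed (header cloaking).
SENSITIVE_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}

# Constructed DBMS error fingerprints; a real deployment would carry a much longer list.
DB_ERROR_PATTERNS = [
    re.compile(r"You have an error in your SQL syntax", re.I),                # MySQL
    re.compile(r"ORA-\d{5}", re.I),                                            # Oracle
    re.compile(r"Unclosed quotation mark after the character string", re.I),  # MSSQL
    re.compile(r"PostgreSQL.*ERROR|pg_query\(\)", re.I),                      # PostgreSQL
]
DIR_LISTING_PATTERN = re.compile(r"<title>\s*Index of /", re.I)   # Apache-style auto-index page

BLOCK_PAGE = "<html><body><h1>Access denied</h1></body></html>"


def cloak_headers(headers: dict) -> dict:
    """Drop headers that disclose server software or version; keep everything else."""
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


def classify_body(body: str):
    """Reason the body must not be shown, or None if it looks like normal content."""
    if DIR_LISTING_PATTERN.search(body):
        return "directory_listing"
    if any(p.search(body) for p in DB_ERROR_PATTERNS):
        return "dbms_error"
    return None


def protect_response(status: int, headers: dict, body: str,
                     cloak_statuses=(500, 501, 502, 503)) -> tuple:
    """Return (status, headers, body, reason) as the client should see them.
    reason is None when the response passed through unchanged apart from header cloaking."""
    headers = cloak_headers(headers)
    reason = classify_body(body)
    if reason is None and status in cloak_statuses:
        reason = f"http_{status}"          # server error page: never expose it as-is
    if reason is None:
        return status, headers, body, None
    # Body is replaced: the original Content-Length would now be wrong.
    headers = {k: v for k, v in headers.items() if k.lower() != "content-length"}
    headers["Content-Type"] = "text/html"
    return 403, headers, BLOCK_PAGE, reason


if __name__ == "__main__":
    # Constructed responses: a healthy page, a 500 error, a leaked MySQL error and a listing.
    cases = [
        (200, {"Server": "Apache/2.4.29 (Ubuntu)", "X-Powered-By": "PHP/7.2",
               "Content-Type": "text/html"}, "<html>ok</html>"),
        (500, {"Server": "nginx"}, "<html>Internal Server Error</html>"),
        (200, {"Content-Length": "87"},
         "Warning: mysql_fetch_array(): You have an error in your SQL syntax near ''' at line 1"),
        (200, {}, "<html><head><title>Index of /backup</title></head></html>"),
    ]
    for status, headers, body in cases:
        print(protect_response(status, headers, body))
```

Note that the DBMS error check runs even on a 200 response: applications frequently return a leaked database error with a success status, which is exactly what an injection attacker reads to map the schema.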
User-Defined Detection | URL Access Rule | Detect and block access to a specified URL based on the client's IP
User-Defined Detection | Keyword Filtering Rule | Detect and block profanity or advertisement keyword input
User-Defined Detection | User-Defined Rule | Create custom patterns that combine methods, URL paths, headers, cookies, queries and payloads
User-Defined Detection | Error Page Cloaking | Check the web server's error code and, for a specified error code, send a customized response to the client
WebSocket Detection | WebSocket | Detect and block WebSocket attack traffic that is not normal HTTP(S)
Web Accelerator | Web Accelerator Policy | Web server settings per URL when the web acceleration function is activated
Vulnerability Attack
• SQL injection
• LDAP injection
• XSS
• CSRF
• Cookie forgery detection
• Malicious file upload
• Malicious file access
• Command injection
• Directory access
• Vulnerable page access
• System file access
• Web server/application vulnerability
• Header vulnerability
• Scanner/proxy/spambot
Abnormal Request/Response
Server/Data Protection
User-defined Detection
WebSocket
Trouble Shooting
Sniffing (In-Line)
• Port trunk, tagged VLAN and LACP configuration support
• No configuration changes to the network or the web server's IP
• Provides fail-open for each segment
Mirroring (Out-of-Path)
• Supports N segments (depending on the number of interfaces)
• No configuration changes to the network or the web server's IP
Reverse Proxy (Out-of-Path)
Active-Standby
• Checks the health status between the firewalls
• Provides HA (fail-over) in case of a system error
Asynchronous
• Asynchronous traffic forwarding between the firewalls
Deployment case 1
Effectiveness
• Maintains the entire configuration of the existing network (no need to change environment settings)
• Efficient defense for external and internal services
• Provides a security policy configuration environment for each web server administrator

Deployment case 2
Deployment
• L4 switch port redirection setting: HTTP / HTTPS
• Two-way traffic filter (service port)
• Suitable for handling web traffic that is low in volume relative to overall network capacity
Effectiveness
• Detection rate improved by 19.4% compared to the IPS (measured by the number of attacks the IPS failed to detect)
• Defends against zero-day attacks before the web server is patched
• Accessible web services can be separated according to the user's IP
Main Policy
• URL access rules, header vulnerability detection, and web server vulnerability detection

Deployment case 3
Effectiveness
• Asynchronous traffic processing using the session forwarding function
• 98% defense rate during the customer's own mock hacking exercise (2% false positives)
• Malicious file upload rate decreased by 22.8%
MONITORAPP INC. | Address: 3162 S Colonial Ave. Ontario, CA 91761 | Tel : 951-800-0012 | Web : www.monitorapp.com
E-mail : sales@monitorapp.com | Copyright 2018 MONITORAPP Co.,Ltd. All rights reserved.