Web Application Attacks Adapting Quickly
CVEs Compromised
Within 1 year from publish date,
with 20% within 2 weeks.
Impacts:
Systems and applications
vulnerable until patched
Patches can take time from
developers
IT resources must react quickly
and be pulled off other projects
Verizon DBIR 2015
100% Will Have WAFs
Most businesses will have WAFs
by 2018; up from 60% in 2014.
Impacts:
Need to protect all systems and
not just meet compliance
Need to reduce complexity in
managing deployments
Need high-performance WAF
to protect increased traffic
Gartner WAF Magic Quadrant 2014
80% Activist Led Attacks
Web applications more at risk
from activists than criminals.
Impacts:
Payment-related systems less
at risk due to PCI compliance
Other systems now at more
risk and most not protected
Criminals now focusing more
on obtaining credentials
Verizon DBIR 2015
Scope/Definition of WAFs
Protects web-based applications
from code-based attacks
» SQL Injection or other injection types
» Cross Site Scripting and Request Forgery
» Layer 7 DoS/DDoS attacks
» Cookie/schema poisoning
Protects against application
vulnerabilities in custom code
and commercial platforms
Understands/learns “normal”
behaviors and stops anomalies
» URL parameters, HTTP methods,
session IDs, cookies, schema, etc.
Dynamic and adaptive to adjust
to new threats
Can’t a Firewall or IPS do this?
Firewalls look for network-based attacks
IPS signatures detect only known problems
» High rate of false positives
» No inspection of encrypted SSL/TLS traffic
» No application or user awareness
[Diagram: Internet -> FortiWeb WAF -> web application servers; attacks such as SQL injection and XSS are stopped at the WAF]
Web Application Firewalls
WAF Drivers/Challenges
Protect current and existing
applications from code-based
vulnerabilities
Meet PCI DSS Requirement 6.6 for cardholder
data (and comparable requirements for healthcare data)
Address OWASP Top 10 Application
Vulnerabilities
Identify and address web application
vulnerabilities
Website publishing for Microsoft and
other applications
Protect against website defacement
Who Needs it?
Any organization that processes
credit cards and/or has PCI
requirements
Large internal or external
applications
Sensitive/proprietary information
Mission-critical business applications
Who Needs it Most?
MSPs/Hosting Companies
E-commerce/online services
Retail, Food Service, Hospitality
Financial services
Healthcare
Introducing - FortiWeb (Web Application Firewall)
Three functions in one platform:
Web Application Firewall (WAF): secures web applications to help customers meet compliance requirements
Web Vulnerability Scanner: scans, analyzes and detects web application vulnerabilities
Application Delivery: assures availability and accelerates performance of critical web applications
FortiWeb – Web Application Firewalls
6 models from 25 Mbps to 20 Gbps HTTP throughput
Up to 8x GE and models with 4x 10GE SFP+ ports
Included vulnerability scanning and antivirus
Hardware and VM options
FortiSandbox Integration
Automatic behavior-based scanning
Auto setup/learning mode
Layer 7 DDoS protection
FortiGuard antivirus, IP reputation
and signatures
Transparent, reverse and non-inline
deployment options
Central Management/ADOMs
REST API
Virtual Patching/Third-Party support
Advanced real-time reporting
SSL offloading/compression
SSO/Authentication
Layer 7 load balancing
Fastest Web Application Firewall in the Industry
Dual Stack Support IPv4/IPv6
IPv6 Networking & Protection
• Out of the box dual stack support
• VIP can listen on both IPv4 and IPv6 addresses
• Mixed server farm support
• IPv4 to IPv6 and IPv6 to IPv4 communication
• Enabled by default
Adopts IPv6-ready networks quickly and easily
Comprehensive protection for IPv6 traffic
Virtual Server configuration: a Virtual Server can listen on both IPv4 and IPv6 addresses
Flexible Deployment Options
Layer 2 - Transparent Inspection and True Transparent Proxy
» Easy deployment - no need to re-architect the network, full transparency
» Fail-open interface
Reverse Proxy
» Supports content modification for both requests and replies from the server
» Advanced URL rewriting capabilities
» HTTPS offloading
» Enhanced load balancing schemes
Non-Inline Deployment - SPAN port, zero network latency
» Blocking capabilities using TCP resets (out-of-band: the reset races a request that is already in flight, so treat this mode as detection rather than enforcement)
» Ideal for initial product evaluations, non-intrusive network deployment
[Diagram: FortiWeb placed inline or on a SPAN port in front of the web application servers]
Auto Setup and Protection
Key Features
» Auto learn
» Completely transparent
» Traffic pattern monitoring
» Models application based
on usage patterns
» Understands real behavior
Benefits
» No application changes
» Traffic anomalies
trigger actions
» Protects against unknown
vulnerabilities and
zero-day attacks
FortiWeb Protection at all Layers
Inspection layers, each mapped to the attacks/threats it addresses (correlation runs across all of them):
IP Reputation: botnets, malicious hosts, anonymous proxies, DDoS sources
DDoS Protection: application-level DDoS attacks
Protocol Validation: improper HTTP RFC usage
Attack Signatures: known application attack types
Antivirus/DLP: viruses, malware, loss of data
Behavioral Validation: unknown application attacks
Application: the protected web application behind all layers
Standard Rules and Policies
Easy to use predefined or custom rules
» Baseline rules (input validation rules)
» Application layer signatures
» HTTP protocol constraints
» Custom robots
» Threshold-based limits for application DoS
» Brute force, page access rules
» And much more…
Regular expression statements
Granular Controls
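The rule families on this slide (input validation, HTTP protocol constraints, threshold limits for application DoS and brute force, regular expressions), together with the "learns normal behavior and stops anomalies" description of a WAF on slide 3 and the auto-learn mode on slide 9, can be shown in one small policy engine. The following is an added example written for this page, not FortiWeb code or any Fortinet implementation: the request shape, the tiny signature set, the threshold of five login requests per minute per source and all of the traffic are constructed assumptions.

```python
"""Mini WAF policy engine (hypothetical illustration, not FortiWeb code): HTTP
protocol constraints, input-validation signatures, threshold limits for brute
force / L7 DoS, and an auto-learned per-parameter baseline flagging anomalies."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from urllib.parse import parse_qs, unquote, urlsplit

@dataclass
class Request:
    src_ip: str
    method: str
    url: str    # path plus query, e.g. "/item?id=42"
    ts: float   # arrival time in seconds

ALLOWED_METHODS = {"GET", "POST", "HEAD"}   # protocol constraints (assumed values)
MAX_URL_LEN = 2048
SIGNATURES = {   # deliberately tiny signature set; real feeds are far larger
    "sqli": re.compile(r"(?i)(\bunion\b.+\bselect\b|'\s*or\s*'?\d|--\s|;\s*drop\b)"),
    "xss": re.compile(r"(?i)(<script\b|javascript:|\bon\w+\s*=)"),
    "traversal": re.compile(r"\.\.[/\\]"),
}
THRESHOLDS = {"/login": (60, 5)}   # path -> (window seconds, max requests per source IP)
TYPE_RANK = {"int": 0, "token": 1, "text": 2}   # learned value classes, strictest first

def value_class(v):
    if re.fullmatch(r"-?\d+", v):
        return "int"
    return "token" if re.fullmatch(r"[\w@.\-]+", v) else "text"

def split_url(url):
    parts = urlsplit(url)
    # parse_qs percent-decodes values once, as the application server would
    return unquote(parts.path), parse_qs(parts.query, keep_blank_values=True)

class MiniWaf:
    def __init__(self):
        self.baseline = defaultdict(dict)   # path -> {param: (class, max_len)}
        self.history = defaultdict(deque)   # (src_ip, path) -> recent timestamps

    def learn(self, req):
        """Learning mode: widen each parameter's profile with observed traffic."""
        path, params = split_url(req.url)
        profile = self.baseline[path]
        for name, values in params.items():
            cls, max_len = profile.get(name, ("int", 0))
            for v in values:
                if TYPE_RANK[value_class(v)] > TYPE_RANK[cls]:
                    cls = value_class(v)
                max_len = max(max_len, len(v))
            profile[name] = (cls, max_len)

    def inspect(self, req):
        """Protection mode: ("allow", "") or ("block", reason); first hit wins."""
        if req.method not in ALLOWED_METHODS:
            return "block", "protocol:method"
        if len(req.url) > MAX_URL_LEN:
            return "block", "protocol:url-length"
        path, params = split_url(req.url)
        fields = [path] + [v for vs in params.values() for v in vs]
        for name, rx in SIGNATURES.items():
            if any(rx.search(f) for f in fields):
                return "block", f"signature:{name}"
        if path in THRESHOLDS:
            window, limit = THRESHOLDS[path]
            seen = self.history[(req.src_ip, path)]
            seen.append(req.ts)
            while seen and seen[0] <= req.ts - window:
                seen.popleft()
            if len(seen) > limit:
                return "block", "threshold:rate"
        profile = self.baseline.get(path)   # only paths seen in learning are modelled
        if profile is not None:
            for name, values in params.items():
                if name not in profile:
                    return "block", f"anomaly:unknown-param:{name}"
                cls, max_len = profile[name]
                if any(TYPE_RANK[value_class(v)] > TYPE_RANK[cls] or len(v) > 2 * max_len + 8
                       for v in values):
                    return "block", f"anomaly:param:{name}"
        return "allow", ""

def run_demo():
    """Learn from constructed clean traffic, then inspect constructed probes."""
    waf = MiniWaf()
    for i, item in enumerate((42, 7, 1234)):
        waf.learn(Request("10.0.0.5", "GET", f"/item?id={item}", float(i)))
    probes = {
        "clean": Request("10.0.0.9", "GET", "/item?id=99", 10.0),
        "sqli": Request("10.0.0.9", "GET", "/item?id=42'%20or%20'1'='1", 11.0),
        "type_anomaly": Request("10.0.0.9", "GET", "/item?id=abc", 12.0),
        "unknown_param": Request("10.0.0.9", "GET", "/item?id=5&debug=1", 13.0),
        "xss_unlearned": Request("10.0.0.9", "GET", "/search?q=<script>alert(1)</script>", 14.0),
        "traversal": Request("10.0.0.9", "GET", "/static/..%2f..%2fetc/passwd", 15.0),
        "bad_method": Request("10.0.0.9", "TRACE", "/", 16.0),
    }
    verdicts = {name: waf.inspect(r) for name, r in probes.items()}
    # brute force: six POSTs to /login from one source inside one minute
    verdicts["login_burst"] = [waf.inspect(Request("10.0.0.7", "POST", "/login", 20.0 + n))[0]
                               for n in range(6)]
    return verdicts
```

The check order mirrors the layered picture on the previous slide: cheap protocol constraints first, then signatures, then rate thresholds, then the learned baseline. The baseline only ever widens during learning, so once the engine is switched to protection a parameter that suddenly carries a different value class or a much longer value is an anomaly even though no signature matches it; `/search` was never learned, so only signatures apply there. A real engine also needs profiles for headers, cookies and session identifiers, per-server input normalization, and a tuning period to keep the false-positive rate down.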
Advanced Rules - Advanced Protection
New predefined content scraper rule to protect against abusive scrapers stealing content and data
New filter types for maximum flexibility
New Filter Types
• Percentage (Occurrence)
• Content-types
• Custom Signature support
Content Scraper
• Predefined rule
• Auto Learn rule generation
Advanced Rules
Custom Access Rules
Block only and exactly what is required by matching multiple filters in
a single rule!
Exceptional Granular Controls
Vulnerability Scanning
Key Features
» Scans all application elements
» Granular crawling capabilities
» Scheduled or on demand
» Recommendation reporting
» FortiGuard updates
Benefits
» Automated vulnerability reporting
» Complements WAF for PCI DSS compliance
FortiSandbox Integration
Direct integration for advanced threat detection
Web application file uploads cleared by FortiWeb’s AV scanner are sent to FortiSandbox for analysis
FortiWeb notified if threat detected
If determined to be a threat, FortiWeb blocks all future instances
Flow for a web server upload:
(1) File sent to FortiSandbox
(2) File analyzed in the sandbox environment
(3) If malicious, FortiWeb notified to block in future
Note that the upload that triggers the analysis has already passed the AV check and is not held for the sandbox verdict; only later copies of the file are blocked.
FortiGuard Services
FortiGuard Labs
» Award-winning threat research services
» Dynamic/automated updates for FortiWeb
» Automatic downloads
» Always up-to-date
Subscription Based
» Available per device
» Select services that are needed
» Annual renewals
Security Service
• Application layer signatures
• Malicious bots
• Suspicious URL patterns
• Web vulnerability scanner updates
IP Reputation
• Protection from automated attacks and malicious sources
• DDoS, phishing, botnet, spam, anonymous proxies and infected sources
Antivirus
• Scan file uploads
• Regular and extended AV databases
FortiWeb Recommended by NSS Labs
Security Value Map (SVM) published September 30, 2014
Test Categories
» Security: URL parameter manipulation,
form/hidden field manipulation, cookie/session
poisoning, cross-site scripting, directory traversal,
SQL injection and padding oracle attacks
» Evasions: packet fragmentation reassembly,
stream segmentation, URL obfuscation
» Performance: stability, reliability and
connections per second
Fortinet FortiWeb-1000D earned a
Recommended rating
Strong performance with 99.85% block
rate and 15,865 connections/second
Passed all tests for evasion techniques
and for stability and reliability
0.366% false positive detection rate
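The evasion category in the test above (URL obfuscation in particular) comes down to whether the inspection engine normalizes a request the same way the back-end server will before it matches signatures; a rule applied to the raw path is defeated by percent-encoding the dots or slashes. The following is an added example written for this page, not FortiWeb code or any Fortinet implementation: the decode bound, the rule and every probe are constructed assumptions.

```python
"""URL canonicalization before signature matching (hypothetical illustration, not
FortiWeb code): the obfuscations a raw-path regex misses, and why decoding has
to be bounded and aligned with what the back-end server will do."""
import re
from urllib.parse import unquote

RAW_TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")   # what a naive rule on the raw path sees
MAX_DECODE_PASSES = 3   # assumed bound; decode until stable or the bound is hit

def canonicalize(raw_path):
    """Return (decoded_path, escapes_root).

    decoded_path: percent-decoding applied repeatedly so %2e, %2E and the
    double-encoded %252e all become '.', backslashes mapped to '/', and
    anything after a NUL byte dropped (as a C back end would truncate).
    escapes_root: True when resolving the dot segments climbs above '/'.
    """
    s = raw_path
    for _ in range(MAX_DECODE_PASSES):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    s = s.replace("\\", "/").split("\x00", 1)[0]
    depth, escapes = 0, False
    for seg in s.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            escapes = escapes or depth < 0
        else:
            depth += 1
    return s, escapes

def naive_blocks(raw_path):
    """Signature applied to the raw, undecoded path."""
    return bool(RAW_TRAVERSAL.search(raw_path))

def hardened_blocks(raw_path):
    """Decision on the canonical form: block only paths that really escape the root."""
    return canonicalize(raw_path)[1]

# Constructed probes: six traversal attempts (five obfuscated) and one benign relative path
PROBES = {
    "plain":      "/static/../../etc/passwd",
    "enc_slash":  "/static/..%2f..%2fetc/passwd",
    "enc_dots":   "/static/%2e%2e/%2E%2E/etc/passwd",
    "double_enc": "/static/%252e%252e%252f%252e%252e%252fetc/passwd",
    "backslash":  "/static/..%5c..%5cetc/passwd",
    "nul_suffix": "/static/../../etc/passwd%00.png",
    "benign":     "/static/css/../img/logo.png",
}

def compare():
    """name -> (naive verdict, hardened verdict); True means blocked."""
    return {name: (naive_blocks(p), hardened_blocks(p)) for name, p in PROBES.items()}
```

The naive rule misses four of the six attacks and blocks the benign `css/../img` path, which is the false-positive side of the same coin. The decode bound matters in both directions: decoding more passes than the server does creates false positives, fewer creates bypasses, so the number of passes and the separator handling have to be set per back end (historically IIS double-decoded, most other servers decode once). Overlong UTF-8 sequences such as `%c0%ae` are not handled here, because `unquote` turns them into U+FFFD; a production engine needs per-server normalization profiles for those. The packet fragmentation and stream segmentation evasions in the same test category are handled at TCP reassembly and are not shown.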
FortiWeb Competitive Advantages
FortiWeb offers products that compete in mid-market to enterprise
FortiWeb proven in NSS Labs WAF testing
Only WAF with vulnerability scanner and antivirus built-in
Low TCO compared to F5 and Imperva
Product Comparisons
                          FortiWeb       Barracuda    Imperva     F5              Citrix
Throughput (Gbps)         0.025 – 20.0   0.25 – 4.0   0.1 – 10    Not Available   0.5 – 5.0
SSL Offloading            Yes            Yes          Yes         Options         Options
Security Effectiveness*   99.85%         99.97%       99.82%      99.89%          99.77%
TCO/Protected Mbps*       $2.77          $4.88        $15.85      $3.38           $1.93
Vulnerability Scanner     Included       Separate     Separate    Separate        Separate
Antivirus                 Included       Separate     Separate    Separate        Separate
IP Reputation             Yes            Yes          Yes         Yes             Yes
L7 Load Balancing         Yes            Yes          Yes         Yes             Yes
* From NSS Labs 2014 Web Application Firewall Security Value Map
Pricing/Licensing
Purchase price includes:
» Hardware: appliance, mounting hardware, etc.
» VM: downloadable software and license
FortiCare (1, 2 and 3 year increments):
» 8x5 Enhanced
» 24x7 Comprehensive
FortiGuard:
» IP reputation
» FortiWeb Security Service (signatures)
» Antivirus
Central Management (separate):
» Up to 10 FortiWeb appliances
» Unlimited option
Azure:
» Bring Your Own License (BYOL)
AWS:
» Bring Your Own License (BYOL)
» On-demand licensing through AWS Marketplace
FortiWeb Product Lineup
Performance & Scalability
           < 1 Gbps    1 – 5 Gbps    5+ Gbps
WAF        yes         yes           yes
SSL        Software    ASIC          ASIC
Ports      GE          GE/10GE       GE/10GE
Models (ascending throughput): FWB-100D, FWB-400C, FWB-1000D, FWB-3000E, FWB-4000E
FortiWeb Product Matrix
                        100D       400C       1000D     3000E     4000E
WAF Throughput          25 Mbps    100 Mbps   1 Gbps    5 Gbps    20 Gbps
Latency                 Sub-ms     Sub-ms     Sub-ms    Sub-ms    Sub-ms
SSL                     Software   Software   ASIC      ASIC      ASIC
L7 Load Balancing       Yes        Yes        Yes       Yes       Yes
L7 DoS Protection       Yes        Yes        Yes       Yes       Yes
Site Publishing/SSO     Yes        Yes        Yes       Yes       Yes
Vulnerability Scanner   Yes        Yes        Yes       Yes       Yes
Antivirus/antimalware   Yes        Yes        Yes       Yes       Yes
Form Factor             Desktop    1U         2U        2U        2U
GE Port                 4          4          6         8         8
GE Bypass               0          0          4         4         4
GE SFP                  0          0          2         4         4
10GE SFP+ Bypass        0          0          0         4         4
ADOMs                   N/a        32         64        64        64
FortiWeb Virtual Appliances
Enterprise grade virtual WAF
Deploy WAFs without extra hardware
Dynamic expansion in VM environments
Resource efficiency with uncompromised WAF functionality
VMware ESX / ESXi / 4.0 / 4.1 / 5.0 / 5.1 / 5.5, Microsoft Hyper-V,
Citrix XenServer 6.2, Open Source Xen 4.2,
AWS (BYOL/On-Demand), KVM
Technical Specifications          FortiWeb VM01   FortiWeb VM02   FortiWeb VM04   FortiWeb VM08
vCPU Support (Max)                1               2               4               8
Memory Support (Max)              Unlimited*      Unlimited*      Unlimited*      Unlimited*
Network Interface Support (Max)   4               4               4               4
Storage Support (Min / Max)       40 GB / 1 TB    40 GB / 1 TB    40 GB / 1 TB    40 GB / 1 TB
* 4 GB minimum memory recommended.
Complementary/Related Products
FortiSandbox
» APT behavioral analysis of files
FortiADC Application Delivery Controllers
» L2 to L7 Server load balancing
» Layer 7 content-based routing and SSL offloading
» Global Server Load Balancing and Link Load Balancing
FortiDDoS DDoS Attack Mitigation Appliances
» Full layer 3, 4 and advanced layer 7 DDoS attack mitigation
» 100% hardware and behavior-based detection and mitigation
FortiWAN Link Load Balancers
» Advanced link load balancing up to 50 links
» Patented tunnel routing
FortiWeb Benefits
Protect custom and commercial applications with automatic usage
profiling and anomaly scanning
Meet PCI Compliance (5.5 and 6.6) with behavior-based attack detection
and mitigation
Protection against OWASP Top 10 Application Vulnerabilities
FortiSandbox Integration to protect against APTs that target web apps
Identify web application security weaknesses with vulnerability scanning
Website publishing with Single Sign On/Authentication
Restore website pages from attacks with Anti-Defacement Protection
Block botnets and attacks from known rogue and malicious sources with
FortiGuard IP Reputation
Virtual application patching with Third-party Scanner Integration