FortiWeb Web Application Firewall
Secures web applications to help customers meet compliance requirements. Only web application firewalls can detect and block application attacks!
Fortinet Confidential

Agenda
1. Web Application Security
2. Deployment and Management
3. Application Delivery
4. Vulnerability Assessment
5. Protection and Monitoring
6. Compliance

Latest Trends
- Hackers use attack automation to DDoS organizations
- Utilize massive hordes of bots
- Off-the-shelf attack toolkits make it easy for hacktivists to join DDoS attacks
- Rise of layer 7 DDoS
- Malware-infected sources
- SQL Injection/XSS dominate
(Diagram: Web Application Servers)
Application Security Needs a New Approach
Network layer (OSI 1-3)
- Network firewalls detect network attacks: they inspect IP and port only
Application layer (OSI 4-7)
- IPS/Deep Packet Inspection firewalls detect known signatures only: signature evasion is possible; no protection of SSL traffic; no real HTTP understanding (headers, parameters, etc.); no application awareness; no user awareness; high rate of false positives
- FortiWeb Web Application Firewall: only web application firewalls can detect and block application attacks!
Introducing FortiWeb Web Application Firewall
Web Application Firewall (WAF): secures web applications to help customers meet compliance requirements.
- Secures web applications (WAF)
- Scans and detects web vulnerabilities: the Web Vulnerability Scanner scans, analyzes and detects web application vulnerabilities
- Optimizes application delivery: assures availability and accelerates performance of critical web applications

FortiWeb Customers Worldwide
- Government
- Telco
- Retail/Technology/Financial/Other

Deployment Options
Layer II - Transparent Inspection and True Transparent Proxy
- Easy deployment: no need to re-architect the network, full transparency
- Fail-open interface
Reverse Proxy
- Supports content modification for both requests and replies from the server
- Advanced URL rewriting capabilities
- HTTPS offloading
- Enhanced load balancing schemes
Non-Inline Deployment (SPAN port)
- Zero network latency
- Blocking capabilities using TCP resets
- Ideal for initial product evaluations, non-intrusive network deployment
(Diagram: Web Application Servers, FortiWeb, FortiWeb System Administration)

FortiWeb Product Family
- FortiWeb-400C: Mid-Enterprise Deployments; 100 Mbps HTTP throughput; 10,000 transactions per second
- FortiWeb-1000C: Large Enterprise Deployments; ASIC-based acceleration (FortiModule-CP7); 500 Mbps HTTP throughput; 27,000 transactions per second
- FortiWeb-3000C/3000CFsx: Large Enterprise/Service Provider Deployments; ASIC-based acceleration (FortiModule-CP7); 1 Gbps HTTP throughput; 40,000 transactions per second; hot-swap redundant AC power, 2 x 1 TB storage; 6 x 10/100/1000 copper (+ 2 x Gbps SFP for 3000CFsx)
- FortiWeb-4000C: Large Enterprise/Service Provider Deployments; ASIC-based acceleration (FortiModule-CP7); hardware-based DLP acceleration; 2 Gbps HTTP throughput; 70,000 transactions per second; hot-swap redundant AC power, 2 x 1 TB storage; 6 x 10/100/1000 copper, 2 x Gbps SFP interfaces

FortiWeb-VM (Virtual Appliance)
- Deploy FortiWeb in a virtualized environment: desktops / private servers / DMZ, virtualized data center, public zone
- Mitigate blind spots: protects web applications regardless of connection origin; provides visibility into internal connections as well
- Same functionality as the appliance
- Virtual Systems
Minimum requirements for FortiWeb-VM:
- Licenses: 2-vCPU, 4-vCPU, 8-vCPU
- Hypervisor: VMware ESXi/ESX 3.5/4.0/4.1/5.0/5.1
- Memory: min. 1024 MB
- CPU: min. 2 virtual CPUs
- 10/100/1000 interfaces: min. 2, max. 4 virtual NICs
- Storage capacity: min. 40 GB

FortiGuard Services
FortiGuard Security Subscription Services deliver dynamic, automated updates for Fortinet products. The Fortinet Global Security Research Team creates these updates to ensure up-to-date protection against sophisticated threats.
- Signatures Security Service: application layer signatures; malicious bots; suspicious URL patterns; web vulnerability scanner updates
- IP Reputation: protection against automated attacks and malicious sources (DDoS, phishing, botnet, spam, anonymous proxies and infected sources)
- Antivirus: scans file uploads; regular and extended AV databases

Data Analytics / Geo IP
Provides a graphical interface that helps organizations understand application trends from both a user and a server perspective.
Log & Report
- Analyzes web app usage based on geographic location and server access
- Dissects traffic based on number of hits, data used and attack type
- Map or list view
Geo IP security
- Easily block access from a country using right click

SSL Offloading & Acceleration
Overview
- SSL offloading: integrated ASIC-based hardware (FortiASIC CP8 SSL acceleration chip)
- Hardware-based key exchange and bulk encryption
- Purpose-built SSL processing
- Offloads CPU-intensive SSL computing from the server to FortiWeb
CA Management
- Full certificate management
- Advanced certificate verification and revocation capabilities
TCP Connection Multiplexing

Data Compression
Compression
- Compress files using gzip compression
- Compression rate depends on data type and character redundancy
- Support for multiple content types
- Easily exclude specific URLs
Uncompressing
- Inspect data compressed by the server
Overview
- Compress poorly optimised content to minimise the impact on network resources and reduce application delivery latency
- Allows efficient bandwidth utilization and response time to users by compressing data retrieved from servers

Server Load Balancing
Overview: intelligent, application-aware load balancing
- Methods: Weighted Round Robin, Round Robin, Least Connection, HTTP session round robin
- Connection persistence with timeout value
- Probes & health checks: TCP, HTTP/HTTPS, PING; content-based health checks

URL Rewriting
Overview: advanced rewriting capabilities
- Route traffic based on: IP, Host, URL
- Rewriting and redirection: Host, URL, Referrers
- Rewrite reply content: rewrite absolute links and any required content; multiple content types supported

Vulnerability Assessment
Overview: easily scan your web applications
- Common vulnerabilities: SQL Injection, Cross Site Scripting, source code disclosure, OS Commanding
- Enhanced/Basic mode
- Crawling information: URLs accepting input, external links
- Authentication options
- Granular crawling capabilities
- Scheduled and on-demand scanning
Vulnerability Reports
- Scan summary: vulnerability by severity, vulnerability by category
- Application vulnerabilities: common vulnerabilities, server information
- Crawling information: URLs accepting input, external links
- Provides recommendations and graphs
- Updates via FortiGuard
- Complements the WAF for PCI DSS

Application Profiling
Accurate Protection Requires:
Understanding the Protected Application
- Application structure (URLs, parameters, methods)
- What is expected and what is suspicious
Understanding Hackers
- Popular attack methods, tools, and application vulnerabilities
- Differentiating between application changes, human errors and real attacks
FortiWeb Auto Learn Application Profiling
Understand Application Structure
- Models elements from actual traffic
- Builds a baseline based on URLs, parameters and HTTP methods
Automatically Understands Real Behavior
- Can form fields/parameters be modified by users?
- What are the length and type of each form field?
- What characters are acceptable (min, max, average)?
- Is a form field required or optional?
- Provides recommendations and graphs
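As an added illustration of the Auto Learn idea described above (illustrative code written for this page, not FortiWeb's implementation or a description of its internals): a learning pass builds a per-URL baseline of parameter presence, length and character class, and a check pass reports how a new request deviates from it. The sample traffic, URLs and parameter names are constructed for the example.

```python
# Added example (not FortiWeb's code): a minimal Auto Learn-style profiler that
# learns a per-URL parameter baseline from observed traffic and reports deviations.
from collections import defaultdict
# Constructed sample traffic for the learning phase: (method, path, params).
BASELINE_TRAFFIC = [
    ("POST", "/login", {"user": "alice", "pw": "s3cret!"}),
    ("POST", "/login", {"user": "bob", "pw": "hunter22"}),
    ("GET", "/item", {"id": "1042"}),
    ("GET", "/item", {"id": "7", "ref": "promo"}),
    ("GET", "/item", {"id": "99821"}),
]
# Character classes from most to least restrictive; a learned class only ever widens.
CLASS_RANK = {"digits": 0, "alpha": 1, "alnum": 2, "any": 3}

def char_class(v):
    return "digits" if v.isdigit() else "alpha" if v.isalpha() else "alnum" if v.isalnum() else "any"

def learn(traffic):
    """Baseline: (method, path) -> {param: {seen, min, max, class, required}}."""
    profile, hits = {}, defaultdict(int)
    for method, path, params in traffic:
        key = (method, path)
        hits[key] += 1
        entry = profile.setdefault(key, {})
        for name, v in params.items():
            p = entry.setdefault(name, {"seen": 0, "min": len(v), "max": len(v), "class": "digits"})
            p["seen"] += 1
            p["min"], p["max"] = min(p["min"], len(v)), max(p["max"], len(v))
            if CLASS_RANK[char_class(v)] > CLASS_RANK[p["class"]]:
                p["class"] = char_class(v)
    for key, entry in profile.items():  # required = present in every request to that URL
        for p in entry.values():
            p["required"] = p["seen"] == hits[key]
    return profile

def check(profile, method, path, params):
    """Return how one request deviates from the baseline (empty list = conforms)."""
    entry = profile.get((method, path))
    if entry is None:
        return [f"unknown URL {method} {path}"]
    findings = [f"missing required parameter {n}" for n, p in entry.items() if p["required"] and n not in params]
    for name, v in params.items():
        p = entry.get(name)
        if p is None:
            findings.append(f"unknown parameter {name}")
            continue
        if len(v) > p["max"]:
            findings.append(f"{name}: length {len(v)} exceeds learned max {p['max']}")
        if CLASS_RANK[char_class(v)] > CLASS_RANK[p["class"]]:
            findings.append(f"{name}: characters outside learned class {p['class']}")
    return findings
```

Call `learn(BASELINE_TRAFFIC)` once, then `check(profile, ...)` per request; in practice the learning window must be long enough that optional parameters are seen at least once, or they are reported as unknown.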
Web-Based Attacks: Denial of Service
- Zombie botnet: many become one
- Application-based DDoS is on the increase, accounting for a quarter of all DDoS attacks
- Under the radar: stays below bandwidth thresholds
- Targets specific web app/protocol flaws rather than bandwidth consumption: CPU-intensive SQL queries to the backend DB, writing to hard disks, server-specific weaknesses
- Slow-based and legitimate-request attacks: Slowloris sends legitimate, but partial, never-ending requests
- Uses tools that can be easily downloaded from the internet, such as HOIC and LOIC
- Uses botnets and automatic tools to reach mass
- Sometimes camouflages real data breach attempts, SQL Injection primarily
Protection Policies: Denial of Service
Application Layer
- HTTP request limit per source
- TCP connections using the same cookie
- HTTP requests using the same cookie
- Challenge response: validates whether the user is real or automated
Network Layer
- TCP connection limit per source
- SYN cookie: SYN flood protection
Requests originating from different users are analyzed based on different characteristics such as IP and cookie; a sophisticated mechanism distinguishes real users from automated attacks (LOIC, HOIC, etc.).

FortiGuard IP Reputation
Threats: DDoS, phishing, botnets, anonymous proxy access, infected sources, SPAM hosts
IP Reputation Service
- Daily feed updates
- Automated downloads
- Immediate protection
- Visibility and reporting
FortiGuard Techniques
- FortiGuard historical analysis
- Honeypots
- Botnet analysis
- Third-party sources
FortiGuard IP Reputation Intelligence Service: protects against automated attacks, malicious sources and anonymous proxies.

FortiWeb Provides Protection at All Layers
- IP Reputation: automated attack and compromised host protection; protection against access from anonymous proxies, malicious hosts and sources identified in DDoS/phishing attacks
- Antivirus file upload scanning and Data Leak Prevention: scans uploaded files for viruses and malware (FortiGuard updates); detects information disclosure, credit card and PII leakage
- Auto Learn and Validation Rules: deviations from normal user behavior, automated and customer rules
- Application Attack Signatures: detects known application attacks (FortiGuard updates)
- Protocol Validation: validates HTTP RFC compliance
- Application and Network Denial of Service Protection (DoS/DDoS protection): detects and aggregates DoS attacks from multiple vectors
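The two application-layer limits from the Protection Policies slide above, "HTTP request limit per source" and "HTTP requests using the same cookie", applied to a constructed access log as an added example. This is illustrative code written for this page, not FortiWeb's implementation; the log format, addresses, cookie names and thresholds are all assumed.

```python
# Added example (not FortiWeb's code): applying the application-layer DoS limits from the
# slide (HTTP requests per source IP and per session cookie) to a constructed access log.
from collections import defaultdict, deque

# Constructed log lines: "<epoch seconds> <client ip> <session cookie or -> <request line>".
ACCESS_LOG = """\
100 203.0.113.10 sess-aaa GET /search?q=shoes
100 203.0.113.10 sess-aaa GET /search?q=shoes
101 203.0.113.10 sess-aaa GET /search?q=shoes
101 203.0.113.10 sess-aaa GET /search?q=shoes
102 203.0.113.10 sess-aaa GET /search?q=shoes
103 198.51.100.7 sess-bbb GET /index.html
104 198.51.100.8 sess-bbb GET /index.html
105 198.51.100.9 sess-bbb GET /index.html
106 198.51.100.10 sess-bbb GET /index.html
107 192.0.2.5 sess-ccc GET /item?id=7
"""

class RequestLimiter:
    """Sliding-window counter: a key (IP or cookie) may make at most `limit` requests per `window` seconds."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)

    def hit(self, key, ts):
        """Record one request at time ts; return True if the key is now over its limit."""
        q = self.events[key]
        while q and ts - q[0] >= self.window:  # drop requests that fell out of the window
            q.popleft()
        q.append(ts)
        return len(q) > self.limit

def evaluate(log, per_ip=4, per_cookie=3, window=10):
    """Return [(ts, ip, cookie, reason)] for every request that exceeds a limit."""
    ip_limiter = RequestLimiter(per_ip, window)
    cookie_limiter = RequestLimiter(per_cookie, window)
    flagged = []
    for line in log.splitlines():
        ts, ip, cookie, _ = line.split(" ", 3)
        ts = int(ts)
        if ip_limiter.hit(ip, ts):
            flagged.append((ts, ip, cookie, "per-source request limit"))
        # one cookie replayed from many IPs is the slide's "HTTP requests using the same cookie" case
        if cookie != "-" and cookie_limiter.hit(cookie, ts):
            flagged.append((ts, ip, cookie, "per-cookie request limit"))
    return flagged
```

In the constructed log, sess-aaa trips both limits from a single source, while sess-bbb trips only the per-cookie limit because the four requests come from four different addresses.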
Fortinet Addresses PCI DSS
- FortiWeb addresses PCI 6.6: Web Application Firewall (OWASP Top 10 protection) and Web Application Scanner
- FortiDB addresses PCI requirements with Data Activity Monitoring and Vulnerability Assessment for Databases:
  - Requirement 2: No vendor-supplied defaults for system passwords
  - Requirement 3: Stored cardholder data must be protected
  - Requirement 6: Develop and maintain secure systems
  - Requirement 7: Access to data restricted on a need-to-know basis
  - Requirement 10: Track and monitor access to cardholder data
  - Requirement 11: Regular systems testing
  - Requirement 12: Maintaining an information security policy

FortiWeb Value Add
(Diagram of feature areas: Application Security, Application Delivery, Vulnerability Assessment, FortiClient Desktop; Authentication, SSL Offloading and Acceleration, HTTP Compliance, Application Signatures, Application Profiling, Data Leak Prevention, Compression, DDoS Protection, Antivirus, IP Reputation, Load Balancing)
- Dramatically reduces the risk of corporate data loss: accurate protection with multiple layers of defense; integrated web vulnerability scanner; protects against the OWASP Top 10; positive and negative security policies; automated management using Auto Learn baselining
- Sophisticated DoS/DDoS protection: layer 7 focus; botnet and malicious source protection
- Easily deploys in any environment: multiple deployment options
- Data Analytics: Geo IP data analysis and security over the world map
- Accelerates applications: application-aware load balancing, compression, ASIC-based SSL acceleration
- Helps achieve PCI compliance
Q&A

THIS IS FORTIWEB
FortiWeb: Additional Features

AntiVirus
- Scans file uploads using Fortinet's antivirus engine
- Restricts file type uploads
- Virus databases: regular and extended virus databases
- Updates via the FortiGuard antivirus service
(Diagram: AV configuration)

DLP
Identification
- Credit card theft/misuse
- Information disclosure: server information
Policy Actions
- Rewrite sensitive data with xxxx
- Alert, block
Sensitive info in logs
- Automatically masks any sensitive data in FortiWeb logs with xxxx
FortiWeb monitors all outgoing web traffic to identify and erase sensitive customer data.

Web Defacement Protection
- Monitors application files at specified time intervals
- Upon file change detection: automatically restore; alert
Protects and monitors applications for any defacement and quickly and automatically reverts to the stored version.
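An added example of the interval check the defacement slide describes (illustrative code written for this page, not FortiWeb's implementation): a hash baseline of the web root, a stored copy, and a check that reports and reverts modified or deleted files while reporting files that were not in the baseline. All paths and file contents are constructed in a temporary directory.

```python
# Added example (not FortiWeb's code): a file-integrity monitor in the spirit of the Web
# Defacement Protection slide: hash the web root, keep a stored copy, and on each check
# restore any modified or deleted file and report it (files added outside the baseline are reported only).
import hashlib, os, shutil, tempfile
def _digest(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def _walk(root):
    for dirpath, _, files in os.walk(root):
        for name in files:
            yield os.path.relpath(os.path.join(dirpath, name), root)

def snapshot(web_root, store):
    """Copy web_root into `store` and return {relative path: sha256} as the baseline."""
    if os.path.exists(store):
        shutil.rmtree(store)
    shutil.copytree(web_root, store)
    return {rel: _digest(os.path.join(web_root, rel)) for rel in _walk(web_root)}

def check_and_restore(web_root, store, baseline):
    """One monitoring interval: return [(rel_path, change)], reverting changed files from `store`."""
    events = []
    for rel, expected in baseline.items():
        live = os.path.join(web_root, rel)
        change = "deleted" if not os.path.exists(live) else "modified" if _digest(live) != expected else None
        if change is None:
            continue
        events.append((rel, change))
        os.makedirs(os.path.dirname(live), exist_ok=True)
        shutil.copy2(os.path.join(store, rel), live)  # revert to the stored version
    events += [(rel, "added") for rel in _walk(web_root) if rel not in baseline]
    return events

def demo():
    """Constructed end-to-end run in a temp dir: deface index.html, add a file, detect, restore."""
    root = tempfile.mkdtemp()
    web_root, store = os.path.join(root, "www"), os.path.join(root, "store")
    os.makedirs(web_root)
    with open(os.path.join(web_root, "index.html"), "w") as f:
        f.write("<h1>Welcome</h1>")
    baseline = snapshot(web_root, store)
    with open(os.path.join(web_root, "index.html"), "w") as f:  # simulated defacement
        f.write("<h1>Defaced</h1>")
    with open(os.path.join(web_root, "banner.html"), "w") as f:  # file not in the baseline
        f.write("<p>added</p>")
    events = check_and_restore(web_root, store, baseline)
    restored = open(os.path.join(web_root, "index.html")).read()
    shutil.rmtree(root)
    return sorted(events), restored
```

Run `check_and_restore` on a timer to get the "specified time intervals" behaviour; the events list is what an alert would be raised from.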