Web Application Firewall (WAF)

1
Web Application Firewall (WAF)

• RSA Conference 2013

2
The Cybercrime Landscape in 2013
Source hackmageddon.com/
3
Moving From Network to Application Layer
Target of Traditional DDoS Attacks
Network Layer (Layers 3/4)
4
Web Application Firewall Highlights

• Operates at the network edge over 100,000
  servers
• Inspects requests and responses for malicious
  content and info leakage
• Inspects packets to protect against attacks such
  as SQL Injections Cross-Site Scripts 
• Configurable to log or block activities against
  policy
• Protects organizations against application layer
  attacks propagated via HTTP and HTTPS
• Enables compliance with PCI DSS 1.2 section 6.6
• Provides advanced rate controls (behavioral based
  protections)
• Propagates quickly (30 minutes)
• Configured via portal

5
Kona Security Solutions 2.0

• ModSecurity Rule Update
• Core Rule Set 2.2.6
• Legacy CRS support
• Akamai Common Rules
• Based on Akamais unique view
• 20 25 of internet traffic
• Advanced Rate Controls
• Session-ID Client-IPUser-Agent
• Rule Upgrade Wizard

6
(No Transcript)
7

• Appendix Details

8
Akamai Intelligent PlatformDeflecting Network
Layer Attacks at the Edge

• Network Layer attack mitigation
• Built-in protection is always on
• Only Port 80 (HTTP) or Port 443 (HTTPS) traffic
  allowed on Platform
• All other traffic dropped at the Akamai Edge
• Attack traffic never makes it onto Platform
• Customer not charged for traffic dropped at Edge
• Absorbs attack requests without requiring
  identification
• Requires CNAME onto Akamai Intelligent Platform
• Absorbs attacks through massive scale
• 5.5 Tbps average throughput up to 8Tbps
• Distribution of HTTP request traffic across
  100,000 servers 1,100 networks
• No re-routing, added latency, or point of failure

• Examples of attacks types dropped at Akamai Edge
• UDP Fragments
• ICMP Floods
• SYN Floods
• ACK Floods
• RESET Floods
• UDP Floods

9
Custom RulesWeb Application Firewall

• Description
• WAF Custom Rules implemented in Akamai metadata
  written by Akamai Professional Services
• Rules are created and managed incustomer portal
• Rules are then associated with firewall
  policies and deployed with WAF in 45 minutes

• The Result
• New rule logic can be built to handle specific
  use cases for the customer
• Rules can be built that execute whenone or more
  baseline rules or rate control rules match
• Output of application vulnerability products
  can be implemented as virtual patches
• Advanced piping to user validation actions can
  be achieved (prioritization)

10
Custom RulesWeb Application Firewall

• Description
• WAF Custom Rules implemented in Akamai metadata
  written by Akamai Professional Services
• Rules are created and managed incustomer portal
• Rules are then associated with firewall
  policies and deployed with WAF in 45 minutes

• The Result
• New rule logic can be built to handle specific
  use cases for the customer
• Rules can be built that execute whenone or more
  baseline rules or rate control rules match
• Output of application vulnerability products
  can be implemented as virtual patches
• Advanced piping to user validation actions can
  be achieved (prioritization)

11
Adaptive Rate ControlsMalicious Behavior
Detection

• Specify number of requests per second against a
  given URL
• Controls requests based on behavior pattern not
  request structure
• Use client IP address, session ID, cookies, etc.
• Configure rate categories to control request
  rates against digital properties
• Mitigate rate-based DDoS attacks

• Statistics collected for 3 request phases
• Client Request Client to Akamai Server
• Forward Request Akamai Server to Origin
• Forward Response Origin to Akamai Server
• Statistics collected allow us to ignore large
  proxies and pick out a malicious user hiding
  behind a proxy
• Statistics collected allow for detection of
  pathological behavior by a client
• Request rate is excessive for any stage
• Requests causing too many Origin errors

12
Adaptive Rate ControlsMalicious Behavior
Detection

• Specify number of requests per second against a
  given URL
• Controls requests based on behavior pattern not
  request structure
• Use client IP address, session ID, cookies, etc.
• Configure rate categories to control request
  rates against digital properties
• Mitigate rate-based DDoS attacks

• Statistics collected for 3 request phases
• Client Request Client to Akamai Server
• Forward Request Akamai Server to Origin
• Forward Response Origin to Akamai Server
• Statistics collected allow us to ignore large
  proxies and pick out a malicious user hiding
  behind a proxy
• Statistics collected allow for detection of
  pathological behavior by a client
• Request rate is excessive for any stage
• Requests causing too many Origin errors

13
Security Monitor (1 of 3)
Timeline of Requests by Hour
Visual Display of Requests by Geography
Requests by WAF Rule ID
Requests by WAF Message
Requests by WAF Tag
14
Security Monitor (2 of 3)
Multiple ways to display request statistics
15
Security Monitor (3 of 3)
Requests by City
Requests by Client IP address
ARLs being attacked
16
(No Transcript)