Intelligent Web Application Firewall WEB INSIGHT SG Product Introduction

Intelligent Web Application FirewallWEB INSIGHT SG

Product Introduction

June – 2008MONITORAPP Co.,Ltd.

Contents

about MONITORAPP

Web Security Overview


WEB INSIGHT SG Characteristics

WEB INSIGHT SG Features

about MONITORAPP

Company name : MONITORAPP Co.,Ltd.

Established Date : 2005-2-22

CEO : Young KwangHoo Lee

Business RegionsApplication Delivery Technology Research & DevelopmentWeb Application Security product supplyWeb Application Acceleration product supplyDatabase Security product supplyWeb Application Security Service supply

Address306, Ace Techno Tower 1, 197-17, Guro 3-Dong, Guro-Gu, Seoul, KoreaTel.)+82-2-749-0799 / Fax.)+82-2-749-0798

Vision

Mission

• We leverage E-business by securing the entire web environment.

• Be a leading application delivery

Solution provider in the world.

Strategy Business Model

Secure & FastApplication Delivery

Solution Provider

Increase of web hacking Leakage of personal information

Secure Web Application

Fast Web Application

IT Compliance Increase of Database security

Secure Database

Web Vulnerability Analysis Web service quality Analysis

Reliable Web Application

Web response latency Web server load

Products & Technologies

ProductsFor Web Application

WEB INSIGHT SG – Web Application FirewallWEB INSIGHT AG – Web Application Accelerator

For Database ApplicationDB INSIGHT SG – Database Security & Audit

Service BusinessKT Bizmeka ServiceCollaboration with MSSP

TechnologiesAPPLICATION INSIGHT™ TechnologyAdaptive Profiling™ TechnologyInnovative Web Acceleration Technology


Change of the hacking trend

Hacker’s attack techniques

Attack Sophistication

1980 1985 1990 1995 2000

HIGH

LOW

Hacker’s technique

Intruder Knowledge

Tools

Attackers

Password speculation

Sniffing

Session Hijacking

Password cracking

Web hacking

Service denial

Scann

* reference : John Pescatore, Security Analyst, Gartner Group

System hacking

Network hacking

Web hacking

WAF

IPS

Server SecurityFirewall


Critical dangers against web service are increasing.

80 port should be opened for web service, so that has been threatened by hackers.

Important information like DB can be drained due to web application hacking.

By the limitation of the existing security product like IDS and IPS, Web attacking danger are increasing.

The existing web vulnerabilities opened to the public can always be the attacking targets.

“70~80% of hacking is targeting web!”


The limitation of the traditional security productFirewall

can not control web protocls(80,443 Port).The main target is to protect the whole network infra structure.

IDS(Intrusion Detection System)False Positive exists, it can not defend roundabout attack and protect SSL packet.

IPS(Intrusion Prevention System)Protected area is the whole network, so can only perform packet filtering for web security, so not focusing on for professional web security.Signature based, so regular update is needed.

L7 switchThe main function is load balancing and network bandwidth management.can block harmful traffic on the network level, so professional HTTP and HTTPS security is not guaranteed.


WEB INSIGHT SGIntelligent Web Application Firewall

WEB INSIGHT SG enables more easier and cost effective web communication to user.

Positive Security Model + Negative Security ModelProfile based positive security policyUser defined positive security policyNegative security policy against OWASP Top 10 attack

High Performance Network applianceSupport Gigabit Performance

Physical Independent ImpactSimple DeploymentFail open (LAN Bypass)Fail over (Active – Standby High Availability)


WEB INSIGHT SG ArchitectureNetwork Firewall and Session QoSBi-directional web application inspection

Protocol

Validation

Positive

Security

Negative

Security

Web

Server

Cloaking

Adaptive

Profiling

Engine

Content

Filtering

HTTP Request Inspection

HTTP Response Inspection

Network

Firewall

Web

Client

Web

Server


Key FunctionsPolicy Functions Details

Positive

Request Limit

Restrict all components of HTTP request Automatic policy by learning the HTTP requests Manual policy by user-defied rules.

URL Profile Allow the request to only pre-learned URLs, web pages

Form Profile

Automatic security policy by self learning engine based on Profile HTTP Response based Profile

Negative WEB INSIGHT Rule Pre-defined Signature based Rules User Defined Rule User-defined Signature based Rules about all HTTP components

CloakingError page cloaking Alter the web server error page to block attack.

Header cloaking Remove the server information included to response header

Cookie Encryption & Signature

Block cookie injection & poisoning by cookie encryption or cookie signature

DataTheft

Personal Information& Credit card number

Block or mask the important personal information (Personal Social number, Credit card number.Can block text in Office document, PDF and zipped file.

Management

Central management for a several Analyzing the database traffic & network traffic Monitoring system usage


WEB INSIGHT SG Looks

WISG-530 WISG-1030 WISG-2030 WISG-4060

View

Spec.

1U Rack mountableCore 2 Duo CPU2GB Memory 1GB CFM Single Power Supply 10/100/1000M x 8 (3pairs GBE Bypass)

2U Rack mountableXeon 3.6GHz * 22GB Memory1GB CFM10/100/1000M x 4 (2Pairs GBE Bypass)Fiber 1G x 4 (1Pair Fiber Bypass)10/100M * 1Redundant Power Supply

2U Rack mountableDual Core CPU x 2 2GB Memory 1GB CFM 10/100/1000 x 6 (2Pairs GBE Bypass) Fiber 1G x 2 (1Pair Fiber Bypass)Redundant Power Supply

2U Rack mountableQuad Core CPU x 2 4GB Memory 1GB CFM 10/100/1000 x 10 (4Pairs GBE Bypass) Fiber 1G x 4 (2 Pairs Fiber Bypass)Redundant Power Supply

WISG-100 WISG-500 WISG-1000

View

Spec.

1U Rack mountableIntel C2.0 GHz1GB Memory 10/100 x 4

1U Rack mountableIntel P4 2.8GHz1GB Memory10/100/1000M x 4 10/100M x 4

2U Rack mountableXeon 3.2GHz x 2 2GB Memory 10/100/1000 x 4 Fiber 1G x 4 Redundant Power Supply

’08 New


Adaptive Profiling Technology

•By self learning engine, profileDB based on the valid response from web server is constructed.

•After matching the client request with profile DB, abnormal request is totally blocked.

•Extra update is not needed and the ultimate defensible model against unknown attacks.



Request : GET / HTTP/1.1

Response<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" ><HTML>……<body MS_POSITIONING="FlowLayout" bottomMargin="0" leftMargin="0" topMargin="0" rightMargin="0"><form name="Form1" method="post" action="login.aspx" id="Form1"><TD><input name="TextBoxLogin" type="text" maxlength="32" id="TextBoxLogin" tabindex="1" style="width:256px;" /></TD><TD><input name="TextBoxPasswd" type="password" maxlength="32" id="TextBoxPasswd" tabindex="2" style="width:256px;" /></TD><TD><input type="submit" name="ButtonOk" value=“login" id="ButtonOk" /></TD></font>……

login.aspxMethod : POSTParameter : TextBoxLogin, TextBoxPasswd

Learning Response data Create profile

DB by learning data



Normal RequestPOST http://test.com/login.aspx? HTTP/1.1TextBoxLogin=wiadmin&TextBoxPasswd=1234qwer

login.aspxMethod : POSTParameter1 : TextBoxLoginParameter2 : TextBoxPasswd

Abnormal RequestPOST http://test.com/login.aspx? HTTP/1.1TextBoxLogin=wiadmin&TextBoxPasswd=1234qwer&auth=admin

Diff request andProfile EB

Pass

Diff request andProfile DB

login.aspxMethod : POSTParameter1 : TextBoxLoginParameter2 : TextBoxPasswd

Block


Simple DeploymentProxy Gateway Network Deployment

Proxy Gateway In-line or One armed mode No changes to existing infrastructure Full functions support

Sniffing Gateway

Mirror based In-line or One-armed mode No changes to existing infrastructure Block by session reset. Limited functions (not support cloaking, data theft) Cannot support HTTP response data control

Difference

Proxy Mode Sniffing Mode

Strong security Low performance than sniffing

mode

Limited security High performance than Proxy mo

de about 3 times

In the physical configuration,WEB INSIGHT SG is deployment-easy WAF appliance without FOD (Fail open device).

<In-line mode> <One armed mode>

Bridge L4 redirect


Various Deployment

Bridge Mode A-S HA Mode` One_Armed Mode

In-line on network No changes to existing

infrastructure Support LAN bypass on failure

Active – Standby HA Mode Health Check (Daemon, NIC, Link,

System) Support Fail-over on failure

By L4 switch supporting port redirection, one-armed mode configuration (Proxy & sniffing mode) can be used.

www

L2

www

www

L4 redirect


Positive Policy - Form Profile

After learning mode, normal traffic (which does not contain any danger factor) is profiled and abnormal requests are regarded as the potential danger and blocked

do not need any extra update process.

Ultimate security model against the unknown attacks.

Learning Mode

Passive Mode

Active Mode


do not need any extra update process.


Learning Mode

Passive Mode

Active Mode


Positive Policy – Request Limit


can configure manually.


Learning Mode

Passive Mode

Active Mode


can configure manually.


Learning Mode

Passive Mode

Active Mode


Negative Policy – WEB INSIGHT Rule & User Defined Rule

Can block all web attacks defined by OWASP

By the powerful inspection engine of the Web Insight, set the rule which can detect and block web attacks

can add user defined rule besides the existing attacks

Can block all web attacks defined by OWASP

By the powerful inspection engine of the Web Insight, set the rule which can detect and block web attacks

can add user defined rule besides the existing attacks


Additional Policy – Fraud Click & Page Forgery

Fraud Click functions block connection during a time(Block time) when connect to over the count(Access count) during a time(Detection Time).

Fraud Click functions block connection during a time(Block time) when connect to over the count(Access count) during a time(Detection Time).

Original page is register on policy by client’s first connection to Web server. This original page is created to prevent clients from path traversal or other types of unwanted entry to sensitive sections of the Web site.

Original page is register on policy by client’s first connection to Web server. This original page is created to prevent clients from path traversal or other types of unwanted entry to sensitive sections of the Web site.


Central Management

Central Management manage multiple WEB INSIGHT SG

Log & System monitoring - Detect log - Network / WEB traffic - System usage

Central Management manage multiple WEB INSIGHT SG

Log & System monitoring - Detect log - Network / WEB traffic - System usage


Log view

Search detect/block logs - 14 options for filtering - detail / simple view

Chart Analysis - Top 5 or 10 view - Chart type : 11 categories

Search detect/block logs - 14 options for filtering - detail / simple view

Chart Analysis - Top 5 or 10 view - Chart type : 11 categories

Thank You

MONITORAPP Co.,Ltd.

306, Ace Techno Tower1, 197-17, Guro3-Dong, Guro-Gu, Seoul, Korea

Tel : +82-2-749-0799, Fax) +82-2-749-0798

E-Mail : [email protected]

Website : www.monitorapp.com

mailto:[email protected]

http://www.monitorapp.com/

Documents

Intelligent Web Application Firewall WEB INSIGHT SG Product Introduction