Akamai Kona WAF Help Manual


Web Application Firewall

2012 Akamai FASTER FORWARD™
Web Application Firewall | Compliance | Payment Tokenization | Web Application Firewall | Website Defense

What We're Seeing
Attacks Are Happening On Multiple Levels
  • Network Layer (Layers 3/4): target of traditional DDoS attacks
  • Application Layer (Layer 7): where an increasing number of attacks are focused

Web Attacks Are Getting More Sophisticated (e.g. multi-vector)
Layers 3&4, Layer 7, DNS, Direct-to-Origin, Large, Small & Stealthy

What Attack Methods do Hackers Use?
  Unreported                       37%
  SQL Injection (SQLi)             27%
  Denial of Service                23%
  Banking Trojan                    3%
  Brute Force                       3%
  Cross-Site Request Forgery        2%
  Predictable Resource Location     2%
  Stolen Credentials                2%
  Clickjacking                      1%
Source: TrustWave Spider Labs - 2011 - Web Hacking Incident Database

Web Applications (Layer 7) Are Increasingly Targeted
~10,000,000 More Attacks in 1H2011 over 1H2010 (~45% increase)
[Pie chart: Layer 3/4 Attacks versus non-Web Layer 7 Attacks, 1H2011. Segments: 63%, 37%. Legend: Layer 3/4 Attacks, Layer 7 Attacks]
[Bar chart: Total # Web Application Attacks at Mid-Year 2009-2011. X-axis: 2009, 2010, 1H2011. Y-axis: 0 to 35,000,000]
Source: HP CyberSecurity Risks Report 1H2011

On the Web, the Application is the Perimeter
The threats are distributed, your response needs to be distributed!
[Diagram labels: In-The-Cloud Security; Traditional Data Center Security: Firewall, Hardware WAF, App server, DB, Web server]

Akamai Intelligent Platform
Deflecting Network Layer Attacks at the Edge

Network Layer attack mitigation
  • Built-in protection is always on
  • Only Port 80 (HTTP) or Port 443 (HTTPS) traffic allowed on Platform
      o All other traffic dropped at the Akamai Edge
          - Attack traffic never makes it onto Platform
          - Customer not charged for traffic dropped at Edge
      o Absorbs attack requests without requiring identification
      o Requires CNAME onto Akamai Intelligent Platform

Absorbs attacks through massive scale
  • ~5.5 Tbps average throughput; up to 8 Tbps
  • Distribution of HTTP request traffic across 100,000+ servers; 1,100+ networks
  • No re-routing, added latency, or point of failure

Examples of attack types dropped at Akamai Edge
  • UDP Fragments
  • ICMP Floods
  • SYN Floods
  • ACK Floods
  • RESET Floods
  • UDP Floods

Web Application Protection
Web Application Firewall

Application-layer controls
  • Does deep packet inspection to protect against attacks such as SQL Injections & Cross-Site Scripts

Custom Rules
  • Create policy-based rules that are enforced before or after execution of the application layer controls
  • Serve as Virtual Patches for new website vulnerabilities

Network Layer Controls
  • Allow or restrict requests from specific IP addresses
      - Protect customer Origin from application layer attacks
  • Implements IP Blacklists & Whitelist
  • Geo blocking
  • 10,000 CIDR entries supported
      - Named lists e.g., Tor exit nodes
      - 30-45 minute deployment

Custom Rules
Web Application Firewall

Description
  • WAF Custom Rules implemented in Akamai metadata written by Akamai Professional Services
  • Rules are created and managed in customer portal
  • Rules are then associated with firewall policies and deployed with WAF in 45 minutes

The Result
  • New rule logic can be built to handle specific use cases for the customer
  • Rules can be built that execute when one or more baseline rules or rate control rules match
  • Output of application vulnerability products can be implemented as virtual patches
  • Advanced piping to user validation actions can be achieved (prioritization)

Adaptive Rate Controls
Malicious Behavior Detection
  • Specify number of requests per second against a given URL
      o Controls requests based on behavior pattern, not request structure
          - Use client IP address, session ID, cookies, etc.
  • Configure rate categories to control request rates against digital properties
      - Mitigate rate-based DDoS attacks
  • Statistics collected for 3 request phases
      o Client Request: Client to Akamai Server
      o Forward Request: Akamai Server to Origin
      o Forward Response: Origin to Akamai Server
  • Statistics collected allow us to ignore large proxies and pick out a malicious user hiding behind a proxy
  • Statistics collected allow for detection of pathological behavior by a client
      o Request rate is excessive for any stage
      o Requests causing too many Origin errors

Rate Controls Use Case: Blocking IPs Causing Origin Errors
1. Count the number of Forward Responses that return a 404 error code
2. Block any IP address that exceeds 5 errors per second
[Diagram labels: Client Request; Akamai Edge Server; Forward Request; Customer Origin; Response code 404; X; Custom Error page]
Automatic Origin Abuse Mitigation!

Use Case 2: Validate IPs Causing High Origin Load
1. Count the number of Forward Requests
2. Validate any IP address that exceeds 20 Forward Requests per second
[Diagram labels: Client Request; Akamai Edge Server; Customer Origin; X; Custom Error page]
Automatic Origin Overload Prevention!
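
The two rate-control use cases above (404 Forward Responses and Forward Request load), sketched as an added example that is not Akamai's implementation or configuration syntax: a per-client-IP one-second sliding counter keyed on request phase. The category names, the event tuple layout and the sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class RateCategory:
    name: str
    phase: str                # client_request | forward_request | forward_response
    status: Optional[int]     # count only this status code (None = any)
    max_per_second: int       # action fires when the count exceeds this
    action: str               # "block" or "validate"

# Thresholds and actions are the two use cases on the slides; names are assumed.
CATEGORIES = [
    RateCategory("origin-404-errors", "forward_response", 404, 5, "block"),
    RateCategory("origin-load", "forward_request", None, 20, "validate"),
]

def evaluate(events, categories=CATEGORIES, window=1.0):
    """Return {client_ip: action} for each IP that exceeded a rate category.

    events: (timestamp_seconds, client_ip, phase, status) tuples in time order.
    """
    recent = defaultdict(deque)   # (category, ip) -> timestamps inside the window
    decisions = {}
    for ts, ip, phase, status in events:
        for cat in categories:
            if phase != cat.phase:
                continue
            if cat.status is not None and status != cat.status:
                continue
            hits = recent[(cat.name, ip)]
            hits.append(ts)
            while ts - hits[0] >= window:      # expire hits older than the window
                hits.popleft()
            if len(hits) > cat.max_per_second and decisions.get(ip) != "block":
                decisions[ip] = cat.action     # a block is never downgraded
    return decisions

def sample_events():
    """Constructed traffic using documentation IP ranges, not real log data."""
    ev = [(10.0 + i * 0.1, "198.51.100.7", "forward_response", 404) for i in range(6)]
    ev += [(20.0 + i * 0.04, "203.0.113.9", "forward_request", None) for i in range(21)]
    # Same number of 404s as the first client, but one per second: under threshold.
    ev += [(30.0 + i, "192.0.2.5", "forward_response", 404) for i in range(6)]
    return sorted(ev, key=lambda e: e[0])

if __name__ == "__main__":
    print(evaluate(sample_events()))
```

Because the counter is keyed on the phase, a client whose requests never reach the origin does not accumulate Forward Request or Forward Response hits.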

Security Monitor (1 of 3)
  • Timeline of Requests by Hour
  • Visual Display of Requests by Geography
  • Requests by WAF Rule ID
  • Requests by WAF Message
  • Requests by WAF Tag

Security Monitor (2 of 3)
  • Multiple ways to display request statistics

Security Monitor (3 of 3)
  • Requests by City
  • Requests by Client IP address
  • ARLs being attacked

Any experience. Any device. Anywhere.
