Securing Web Applications with FortiWeb and FortiSandbox

© Copyright Fortinet Inc. All rights reserved. Securing Web Applications with FortiWeb and FortiSandbox Shaun Carriveau Channel Systems Engineer 4/19/2017

Transcript of Securing Web Applications with FortiWeb and FortiSandbox

Page 1:

© Copyright Fortinet Inc. All rights reserved.

Securing Web Applications with FortiWeb and FortiSandbox

Shaun Carriveau Channel Systems Engineer

4/19/2017

Page 2:

Agenda

Fortinet
» Who we are and what we do

FortiGuard Labs
» The “Secret Sauce”

Threat Landscape
» Understanding Security Challenges

FortiSandbox
» Identifying the unknown

FortiWeb
» Protecting the web based applications

Page 3:

Fortinet

Company Overview

Page 4:

Fortinet Facts

#1 unit share worldwide in network security (IDC)
$1.3B revenue
Founded 2000
Over 3 million devices shipped
30%+ growth
4,650+ employees
300,000+ customers
Market leading technology: 358+ patents, 292+ pending
100+ offices worldwide
HQ: Sunnyvale, CA
IPO: 2009

Page 5:

Fortinet: Global Network Security Leader

7 of the top 10 Fortune companies in America
8 of the top 10 Fortune companies in EMEA
9 of the top 10 Fortune companies in APAC
10 of the top 10 Fortune telecommunications companies
9 of the top 10 Fortune retail and commercial banks
7 of the top 10 aerospace and defense companies

Page 6:

FortiGuard Labs

The “Secret Sauce”

Page 7:

FortiGuard Threat Map

Page 8:

The FortiGuard Minute

Per Minute

21,000 Spam emails intercepted

470,000 Network Intrusion Attempts resisted

95,000 Malware programs neutralized

160,000 Malicious Website accesses blocked

32,000 Botnet C&C attempts thwarted

43 million Website categorization requests

Per Week

46 million New & updated spam rules

1,000 Intrusion prevention rules

108 million New & updated AV definitions

1.4 million New URL ratings

8,000 Hours of threat research globally

Total Database

326 Terabytes of threat samples

19,000 Intrusion Prevention rules

5,800 Application Control rules

250 million Rated websites in 78 categories

375 Zero-day threats discovered

Based on Q2 2016 data

Image: threatmap.FortiGuard.com

Page 9:

FortiGuard by the numbers

Page 10:

Threat Landscape

Understanding Security Challenges

Page 11:

Infrastructure. Constant Change.

Green: Google’s 13 data centers use 0.01% of global power
SDN/NFV: Software-defined everything. SD WAN
SaaS: On average, companies have 10+ applications running via the Cloud
IaaS: Security still the No.1 inhibitor
IoT: 35B devices, mostly headless, attaching to the network
Virtualization: 80% of data center apps are virtualized
Mobile: No control of endpoints (BYOD)
Social: Bandwidth ever increasing
Bandwidth: Wi-Fi speeds rival LANs. 100G networks here
Analytics: Big Data
Internet 2: 100 Gbps and UHDTV
5G Wireless

(Timeline graphic: TODAY to FUTURE, 100G)

Page 12:

Security is borderless.

(Diagram: Branch Office, Campus, Data Center, Remote Office, Mobile, IoT, PoS, EndPoint, Mobile; 0-Day)

1. The attack surface has increased
2. Strategy changes bring new security challenges
3. There are security holes in existing infrastructure (ATP, unsecured wireless, no dedicated security...)

=> Security is Borderless

Page 13:

FortiSandbox

Identifying the Unknown

Page 14:

Introducing FortiSandbox

Advanced Threat Protection solution designed to identify and thwart highly targeted and tailored attacks.

Advanced Threat Protection
• Multi-layered filtering with Code Emulator, AV engine, Cloud query and Virtual OS sandbox
• Handles multiple file types, including files that are encrypted or obfuscated
• Examines files from various protocols, including those that use SSL encryption

Flexible Operation Modes
• Receives file samples using integration with FortiGate/FortiMail, sniffer mode and manual file uploads
• Captures files from remote locations using deployed FortiGates

Monitoring and Reporting
• Detailed analysis reports and real-time monitoring and alerting

(Diagram: 1 Centralized File Analysis; 2 File Submission; 3 Analysis output (Malicious); 4 Latest AV Signature Update)

Page 15:

Key Sandbox Components

AV Prefilter
• Apply top-rated anti-malware engine

Cloud File Query
• Check FortiSandbox community intelligence & file reputation

Code Emulation
• Quickly simulate intended activity
• OS independent and immune to evasion/obfuscation

Full Virtual Sandbox
• Examine real-time, full lifecycle activity to get the threat to expose itself

Call Back Detection
• Identify the ultimate aim, call back & exfiltration
• Mitigate w/FortiGuard updates

Intelligence Sharing
• Distribute real-time updates
• Feed global systems

Page 16:

Life of a Sample

1 Advanced Malware Threat Protection

1. Code Emulation engine is focusing on encrypted and/or packed malware. No code evasion possible as this code is not run.
2. Realtime AV Engine decrypts, decodes then tracks behaviors of polymorphic code.
3. CPRL (patented) is used to detect suspicious code and behavior of a virus and all variants.

CPRL signature excerpt shown on the slide (truncated):

CPRLSIG
TYPE(pe)
H(IS_NOTDLL)
SZ(GT,8000)
setIP(PE_HEADER)
W(0x5c) chk(word & 2, 2) //check subsystem version
getSecNum()
setIP(SECTION_HEADER)
W(8) getD($m1) // last section VS
W(4) getD($m2) // last section RS
cmp($m2 >= 0x2300) cmp($m1 >= 0x2300) // min
W(0x10) chk(dword & 0xE0000060, 0xE0000060) // last section char
S(1,END) op($m1 = $IP) op($m1 -= 0x2000)
S(0x2a00,END)
CheckEncVirut:
I(L(0x100,81 e3 00 f0 ff ff),CHECK_NOTENCRYPTED_VIRUT)
// Implement X-ray detection
I(getKey(XOR_B, E8 00 00 00 00), POS_XOR)
TRY_SUB: I(getKey(SUB_B, E8 00 00 00 00), POS_SUB)
TRY_SUBADD: I(getKey(SUB_B, ADD_B, E8 00 00 00 00), POS_SUB_ADD)
TRY_XORADD: I(getKey(XOR_B, ADD_B, E8 00 00 00 00), POS_XOR_ADD)
TRY_NEXT_EP:
// brute force?.... hehehehe
I(cmp($m6 == 1),SrchAgn1)
op($m6 = 1) // set flag
R(-1) G(CheckEncVirut)
SrchAgn1:
I(L(0x1000,00 00 00 00),Cont1)
I(cmp($m5 == 3),ExitSig)
I(cmp($m5 == 1),Vir10)
I(cmp($m5 == 2),Vir11)
cmp($m5 == 0)
getSecNum()
setIP(SECTION_HEADER)
W(8) getD($m1) // last section VS
W(4) getD($
S(0x2c00, END)

Page 17:

Life of a Sample

2 FortiGuard Services

1. FortiGuard Cloud File Query #1: a hash of the file is sent to the FortiGuard Service and checked against our intelligence database. It is the last chance to detect malware before the sandbox analysis (step 3).
2. FortiGuard URL Rating: during sandbox analysis, all connection attempts to any web URL are checked against the FortiGuard Webfiltering database.
3. FortiGuard IP Rating: during sandbox analysis, it detects connection attempts to C2 servers.
4. FortiGuard Cloud File Query #2: all files generated during the sandbox analysis are sent to the intelligence database.
5. FortiGuard File Submission: if the sandbox analysis verdict is suspicious, the entire file is submitted to Threat Intelligence Sharing with the FortiGuard Community.

Page 18:

Life of a Sample

3 Sandbox Analysis

(Diagram: Alert VIRUS)

Page 19:

Life of a Sample

3 Sandbox Analysis

1. Execution of the file in an emulated environment. All major Windows & Android releases supported.
2. Anti-evasion techniques.
3. Analysis performed by a sophisticated tracer engine.
4. Complete reporting: network activity is captured, all processes are detailed and listed, all changes are tracked, logs and original files are available for download.

Windows XP, Windows 7, Windows 8, Windows 10

Page 20:

Life of a Sample

4 Rating Engine

1. Clean / Unknown: not detected as suspicious / malicious, or the file could not be processed. It might be re-processed later.
2. Suspicious: low means the sample is riskware; medium represents downloaders, adware or greyware; high risk is usually an infector, a dropper or a hijacker…
3. Malicious: the sample is a virus detected by the extended AV techniques and engines.

Inputs: Static Analysis, FortiGuard Intelligence
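The "Life of a Sample" slides describe a staged pipeline: an AV prefilter, a hash-only Cloud File Query, sandbox execution whose network trace is checked against URL and IP ratings, a second Cloud File Query on files dropped during execution, and finally a Clean / Suspicious (low, medium, high) / Malicious rating with full-file submission for suspicious verdicts. The Python below models that flow as an added example; it is not FortiSandbox code and nothing in it comes from the deck beyond the stage order and the rating descriptions. The signature table, hash database, URL ratings, C2 address, indicator names and sample traces are constructed stand-ins, and the mapping of indicators to low/medium/high is this example's reading of the slide's riskware / downloader-adware-greyware / infector-dropper-hijacker wording.

```python
"""Staged sample analysis in the spirit of the 'Life of a Sample' slides.
Added illustration, not FortiSandbox code: every signature, hash, URL rating, C2
address and behaviour trace below is constructed for the example."""
import hashlib
from dataclasses import dataclass, field


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the FortiGuard services on the slides.
AV_SIGNATURES = {b"CONSTRUCTED-AV-MARKER": "W32/Constructed.Test"}
KNOWN_HASHES = {sha256(b"constructed known-bad bytes"): "malicious",
                sha256(b"constructed known-good bytes"): "clean"}
URL_RATINGS = {"cdn.example.test": "information-technology",
               "drop.example.test": "malicious-websites"}
C2_ADDRESSES = {"198.51.100.23"}          # RFC 5737 documentation range, constructed
SUPPORTED_TYPES = {"pe", "pdf", "doc", "apk"}
# Rating-engine mapping from the slide: low = riskware, medium = downloaders /
# adware / greyware, high = infector / dropper / hijacker. Indicator names are ours.
HIGH = {"c2_callback", "writes_system_exe", "autorun_persistence", "hijacks_browser"}
MEDIUM = {"malicious_url", "downloads_payload", "injects_ads"}
LOW = {"riskware_tooling"}


@dataclass
class Sample:
    name: str
    file_type: str
    data: bytes
    # Behaviour trace a sandbox tracer would record; constructed here, nothing is executed.
    urls: list = field(default_factory=list)
    ips: list = field(default_factory=list)
    dropped: list = field(default_factory=list)   # bytes of files written at run time
    behaviors: set = field(default_factory=set)


def av_prefilter(data: bytes):
    """Step 1: static signature scan; returns the detection name or None."""
    return next((name for sig, name in AV_SIGNATURES.items() if sig in data), None)


def cloud_file_query(data: bytes):
    """Cloud File Query: only the hash leaves the box; returns a known verdict or None."""
    return KNOWN_HASHES.get(sha256(data))


def risk_level(indicators: set):
    for level, names in (("high", HIGH), ("medium", MEDIUM), ("low", LOW)):
        if indicators & names:
            return level
    return None


def rate(sample: Sample, submission_queue: list):
    """Run the stages in order with early exit; returns (verdict, risk, reason).
    Suspicious samples are queued for full-file submission (step 5 on the slide)."""
    if sample.file_type not in SUPPORTED_TYPES:
        return ("Unknown", None, "unsupported type, may be re-processed later")
    hit = av_prefilter(sample.data)
    if hit:
        return ("Malicious", None, f"AV prefilter: {hit}")
    known = cloud_file_query(sample.data)            # Cloud File Query #1
    if known == "malicious":
        return ("Malicious", None, "hash known malicious")
    if known == "clean":
        return ("Clean", None, "hash known clean")
    # Sandbox analysis: correlate the recorded trace with URL and IP ratings.
    indicators = set(sample.behaviors)
    if any(ip in C2_ADDRESSES for ip in sample.ips):
        indicators.add("c2_callback")                # IP Rating: C2 contact
    if any(URL_RATINGS.get(host) == "malicious-websites" for host in sample.urls):
        indicators.add("malicious_url")              # URL Rating: web filter category
    for blob in sample.dropped:                      # Cloud File Query #2 on dropped files
        if av_prefilter(blob) or cloud_file_query(blob) == "malicious":
            return ("Malicious", None, "dropped file detected")
    risk = risk_level(indicators)
    if risk is None:
        return ("Clean", None, "no suspicious behaviour observed")
    submission_queue.append(sample.name)             # step 5: whole file to FortiGuard
    return ("Suspicious", risk, ", ".join(sorted(indicators)))


SAMPLES = [  # constructed samples, one per exit path
    Sample("report.doc", "doc", b"quarterly figures"),
    Sample("tool.pe", "pe", b"header CONSTRUCTED-AV-MARKER tail"),
    Sample("known.pe", "pe", b"constructed known-bad bytes"),
    Sample("invoice.pe", "pe", b"unknown bytes", ips=["198.51.100.23"],
           behaviors={"writes_system_exe"}),
    Sample("setup.pe", "pe", b"other unknown bytes", urls=["drop.example.test"]),
    Sample("archive.zip", "zip", b"not a supported type"),
]


def run_demo():
    queue = []
    return {s.name: rate(s, queue) for s in SAMPLES}, queue


if __name__ == "__main__":
    verdicts, queued = run_demo()
    for name, (verdict, risk, reason) in verdicts.items():
        print(f"{name:12} {verdict:10} {risk or '-':7} {reason}")
    print("queued for FortiGuard submission:", queued)
```

The early exits matter for cost: a known hash or a signature hit never reaches the sandbox, and only the two samples with unrated hashes and suspicious behaviour end up in the submission queue, which is the behaviour step 5 of the slide describes.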

Page 21:

FortiSandbox Series

FSA-1000D: VM Sandboxing 160 files/hour; AV Scanning 6,000 files/hour; 8 VMs (WinXP, 32-bit); Interfaces: 6x GE RJ45 ports, 2x GE SFP slots
FSA-3000D: VM Sandboxing 560 files/hour; AV Scanning 15,000 files/hour; 28 VMs; Interfaces: 4x GE RJ45 ports, 2x GE SFP, 2x 10GE SFP+ slots
FSA-3000E: VM Sandboxing 1,120 files/hour; AV Scanning 15,000 files/hour; 8 + 48 optional VMs; Interfaces: 4x GE RJ45 ports, 2x 10GE SFP+ slots
FSA-3500D: VM Sandboxing 720* files/hour (Upgradable** to 1,200; 160 per node); AV Scanning 30,000* files/hour (Upgradable** to 48,000; 6,000 per node); 36* VMs (Upgradable** to 60; 8 per node); Interfaces: 20x GE RJ45 ports, 10x 10 GE SFP+ slots (4x GE RJ45 ports, 2x 10 GE SFP+ slots per node)
FSA-VM: VM Sandboxing and AV Scanning hardware dependent; VMs: total 2 to 54; Interfaces: hardware dependent

FSA-3500D: comes with default 5 nodes, up to 8 maximum
* Based on the assumption that 1 blade will be used as master in HA-cluster mode.
** By adding 3 more SAM-3500D nodes to the same chassis.

Page 22:

FortiSandbox Series

VM Sandboxing (Files/Hour): FSA-1000D 160; FSA-3000D 560; FSA-VM hardware dependent; FSA-CLOUD unrestricted
AV Scanning (Files/Hour): FSA-1000D 6,000; FSA-3000D 15,000; FSA-VM hardware dependent; FSA-CLOUD unrestricted
Number of VMs: FSA-1000D 8; FSA-3000D 28; FSA-VM 4 to 54; FSA-CLOUD not applicable
Interfaces: FSA-1000D 6x GE RJ45 ports, 2x GE SFP slots; FSA-3000D 4x GE RJ45 ports, 2x GE SFP, 2x 10GE SFP+ slots; FSA-VM hardware dependent; FSA-CLOUD not applicable
Scan Engines: Similar scan engines across all platforms (release dates may vary)
Input methods: Appliances/VM: FortiGate, FortiMail Integration, Sniffer mode, manual on-demand file upload, submission API, network file share inspection. FSA-CLOUD: FortiGate, FortiWeb, FortiMail Integration
Status & Analysis Visibility: Appliances/VM: Full (rating, source, destination, MD5/SHA, observed behaviors, full logs, pcap, etc) on-box, statistics overview on FGT only. FSA-CLOUD: FortiGate, FortiWeb, FortiMail; detailed reports on FG only.
Info submission to FortiGuard Labs: Appliances/VM: None or all information related to analysis of “low/medium/high risk” objects, based on customer configuration. FSA-CLOUD: All info if rated with risk levels
File Quarantine: Appliances/VM: On-box file quarantine for network file share scanning. FortiMail submits and queues mails for suspicious content. FSA-CLOUD: NIL
Protection: Appliances/VM: Manual policy configuration, FortiGuard AV signature update, requires FortiGuard premium service for SLA. FSA-CLOUD: Source Quarantine on FGT (*V5.2.3+)

*roadmap, may be subject to changes

Page 23:

Advanced Threat Protection in Action

FortiGate, FortiMail, FortiWeb, FortiClient
» Block as many threats as possible
» Submit at-risk objects for additional analysis
» Mitigate previously unknown threats

Sandbox for Payload Analysis
» Accept at-risk objects for additional analysis
» Execute objects to assess and rate risk
» Provide intelligence and generate updates for prevention products

Identify more, previously unknown, threats
Minimize the cost of comprehensive coverage
Speed and simplify response

(Diagram: Network (FortiGate, FortiMail, FortiWeb) and FortiClient submit to FortiSandbox: Callback Detection, Cloud File Query, AV Prefilter, Code Emulation, Full Sandbox)

Page 24:

FortiWeb

Protecting Web Based Applications

Page 25:

Web Application Security Trends

Web application vulnerabilities are a top source of breaches
IPS alone can not protect against zero-day threats
PCI compliance needed to accept/process credit cards
Non-compliance needs growing
Strong awareness and top 5 investment priority with CIOs
11.6% of web sites use HTTP/2

100%↑ published critical vulnerabilities exploited in 1 year [1]
40% of data breaches caused by application vulnerabilities [1]
80% of enterprises to have Web Application Firewalls by 2018 [2]
$1.5B+ market size with a CAGR of 6% expected through 2020 [3]

Notes/Sources:
1. Verizon 2016 Data Breach Report.
2. Gartner Magic Quadrant for Web Application Firewalls 2016.
3. IDC Research WAF market size and growth estimates for 2016 to 2020; includes hardware and hosted WAF services.

Page 26:

Acunetix Web Application Vulnerability Report 2016

Annual report by Acunetix
Based on a random sample of 5,700 of their customers
Web application vulnerabilities increasing YoY 2015-2016
55% susceptible to high priority vulnerabilities
Full report at acunetix.com

SOURCE: Acunetix Web Application Vulnerability Report 2016, published on August 30, 2016.

Page 27:

Scope/Definition of WAFs

Protects web-based applications from code-based attacks
» SQL Injection or other injection types
» Cross Site Scripting and Request Forgery
» Layer 7 DoS/DDoS attacks
» Cookie poisoning

Protects against application vulnerabilities in custom code and commercial platforms

Understands/learns “normal” behaviors and stops anomalies
» URL parameters, HTTP methods, session IDs, cookies, etc.

Dynamic and adaptive to adjust to new threats

Can’t a Firewall or IPS do this?
Firewalls look for network-based attacks
IPS signatures detect only known problems
» High rate of false positives
» No protection of SSL traffic
» No application or user awareness

(Diagram: INTERNET, FortiWeb WAF, Web Application Servers; SQL Injection, XSS…)

Page 28:

WAF Drivers/Challenges

Protect current and existing applications from code-based vulnerabilities
Meet PCI 6.6 Compliance for credit card and healthcare data
Address OWASP Top 10 Application Vulnerabilities
Identify and address web application vulnerabilities
Website publishing for Microsoft and other applications
Protect against website defacement

Who Needs it?
Any organization that processes credit cards and/or has PCI requirements
Large internal or external applications
Sensitive/proprietary information
Mission-critical business applications

Who Needs it Most?
MSPs/Hosting Companies
E-commerce/online services
Retail, Food Service, Hospitality
Financial services
Healthcare

Page 29:

FortiWeb – Web Application Firewalls

7 models from 25 Mbps to 20 Gbps throughput
Up to 8x GE and models with 4x 10GE SFP+ ports
Native HTTP/2 WAF protection
Hardware and VM options
FortiGate, FortiSandbox, and FortiAnalyzer Integration
Automatic behavior-based scanning
Auto setup/learning mode
Layer 7 DDoS protection
FortiGuard antivirus, IP reputation, FortiSandbox Cloud, and WAF signatures
Transparent, reverse and non-inline deployment
Central Management/ADOMs
REST API
Included vulnerability scanner
Virtual Patching/3rd Party support
Advanced False Positive Mitigation
Advanced real-time reporting
SSL offloading/compression
SSO/Authentication
Layer 7 load balancing

Fastest Web Application Firewall in the Industry

Page 30:

FortiWeb Product Line

FortiWeb VMs
• VM01, VM02, VM04, VM08
• 1 to 8 CPUs supported
• Unlimited memory support
• Up to 10 network interfaces
• 40 GB to 1 TB storage supported
• VMware, Hyper-V, Citrix XenServer, Open Source Xen, KVM, Amazon Web Services (AWS), Azure

Performance & Scalability

WAF throughput < 1 Gbps: SSL in software; GE ports; models FWB-100D (25 Mbps), FWB-400D (100 Mbps), FWB-600D (250 Mbps)
WAF throughput 1 – 10 Gbps: SSL on SPU/ASIC; GE/10GE ports; models FWB-1000E (1.0 Gbps), FWB-2000E (2.5 Gbps), FWB-3000E (5.0 Gbps)
WAF throughput 10+ Gbps: SSL on SPU/ASIC; GE/10GE ports; model FWB-4000E (20.0 Gbps)

Page 31:

FortiWeb Benefits

Protect applications with automatic usage profiling and anomaly scanning
Meet PCI 6.6 Compliance with behavior-based attack detection and mitigation
Full protection against OWASP Top 10 Application Vulnerabilities
ATP Integration with FortiSandbox and FortiGate Quarantined IP Polling
Identify weaknesses with built-in vulnerability scanning
Protect enterprise applications with 3rd party scanner Virtual Patching
Advanced False Positive Mitigation with Syntax-based Detection, User Scoring and Session Tracking
Simplified deployment with FortiGate using WCCP Integration

Page 32:

FortiWeb Multi-layer WAF Protection

Protection layer, and the attacks/threats it addresses (application correlation runs across all layers):

IP Reputation: botnets, malicious hosts, anonymous proxies, DDoS sources
DDoS Protection: application level DDoS attacks
Protocol Validation: improper HTTP RFC
Attack Signatures: known application attack types
Antivirus/DLP: viruses, malware, loss of data
Behavioral Validation: unknown application attacks
Advanced Protection: scanners, crawlers, scrapers
Integration: FortiGate and FortiSandbox APT detection

Page 33:

Auto Setup and Protection

Key Features
» Auto learn
» Completely transparent
» Traffic pattern monitoring
» Models application based on usage patterns
» Understands real behavior

Benefits
» No application changes
» Traffic anomalies trigger actions
» Protects against unknown vulnerabilities and zero-day attacks

Page 34:

Vulnerability Scanning

Key Features
» Scans all application elements
» Granular crawling capabilities
» Scheduled or on demand
» Recommendation reporting
» FortiGuard updates

Benefits
» Automated vulnerability reporting
» Complements WAF for PCI DSS compliance

Page 35:

Integration

(Diagram: FortiGate with WCCP and External WAF ON exchanges HTTP Traffic and Quarantined IPs with FortiWeb; FortiWeb fronts the Web Server, sends Files for Inspection to FortiSandbox, and receives input from Third Party Scanners)

FortiGate
» IP Polling
» WCCP Protocol

FortiSandbox
» File scanning
» APT protection
» Cloud integration Aug 2016

Third-party Scanners
» IBM AppScan and QRadar
» HP WebInspect
» WhiteHat
» Qualys
» Acunetix

Page 36:

FortiWeb Threat Scoring

First ever user scoring system on a WAF
Trigger events can be set to thresholds
If thresholds are met, then the attacker is blocked
Can use multiple combinations of triggers and attack types
Minimizes false positive detections
Tracks users throughout session lifetime

(Diagram: RULE 1, RULE 2, RULE 3, RULE 4, RULE 5… feed FortiWeb Threat Scoring. User 1: Threat Score 18. User 2: Threat Score 22. User 3: Threat Score 78, BLOCKED.)

Page 37:

FortiWeb User Tracking

Automatic recognition of user logins
Users tracked throughout entire session by binding user name to session ID
Suspicious activity can be traced back to user account
All activity tracked, ‘good’ and ‘bad’
Login pages set up by Admin
Aids in attack forensics and identifying malicious/compromised users

Joe – Active, Session ID: 3450001AB: Login Page, Account Page, Admin Page
Mark – Active, Session ID: 5499459DE: Login Page, Product Pages, Shopping Cart
John – Logged Out, Session ID: 9984578C2: Login Page, Product Pages, Shopping Cart (activity stored in logs)
Jessica – Not Active, Session ID: N/a: will be tracked once logged into application
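The scoring and tracking described on the last two slides (rule hits correlated into one score per session, a block once the threshold is reached, and the user name bound to the session ID at an admin-configured login page so that later activity can be traced back to an account) fit together in one short Python program. This is an added example and not FortiWeb code: the rule names and weights, the threshold of 50, the /login form configuration and the request log are constructed, while the session IDs, user names and resulting scores (18, 22, and 78 blocked) are the ones on the slides.

```python
"""Session-bound user tracking with cumulative threat scoring, in the spirit of the
FortiWeb Threat Scoring and User Tracking slides. Added illustration, not FortiWeb code:
rule weights, threshold, login-page configuration and the request log are constructed;
the session IDs and user names are the ones on the slide."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed weights: a single hit stays below the threshold, so one noisy rule does
# not block a user, while several correlated hits in one session do.
RULE_WEIGHTS = {"suspicious_url_pattern": 18, "unusual_http_method": 22,
                "sqli_signature": 30, "xss_signature": 30}
BLOCK_THRESHOLD = 50
# Admin-configured login pages: path -> form field carrying the user name.
LOGIN_PAGES = {"/login": "username"}


@dataclass
class Request:
    session_id: str
    path: str
    method: str = "GET"
    form: dict = field(default_factory=dict)
    triggered: tuple = ()        # rule names the detection layers matched (constructed)


@dataclass
class SessionState:
    user: Optional[str] = None
    score: int = 0
    blocked: bool = False
    history: list = field(default_factory=list)


class Tracker:
    def __init__(self):
        self.sessions = {}       # session ID -> SessionState

    def handle(self, req: Request) -> str:
        state = self.sessions.setdefault(req.session_id, SessionState())
        if state.blocked:
            state.history.append((req.path, "dropped"))
            return "BLOCKED"
        # Bind the user name to the session ID when a configured login form is posted.
        field_name = LOGIN_PAGES.get(req.path)
        if field_name and req.method == "POST" and field_name in req.form:
            state.user = req.form[field_name]
        # Correlate rule hits into one score per session instead of blocking per hit.
        state.score += sum(RULE_WEIGHTS.get(rule, 0) for rule in req.triggered)
        state.history.append((req.path, list(req.triggered)))   # 'good' and 'bad' alike
        if state.score >= BLOCK_THRESHOLD:
            state.blocked = True
            return "BLOCKED"
        return "ALLOWED"

    def report(self):
        """Forensics view: (user, score, blocked) per session, traceable to an account."""
        return {sid: (s.user, s.score, s.blocked) for sid, s in self.sessions.items()}


# Constructed request log for the sessions shown on the slide.
REQUEST_LOG = [
    Request("3450001AB", "/login", "POST", {"username": "Joe"}),
    Request("3450001AB", "/account", triggered=("suspicious_url_pattern",)),
    Request("3450001AB", "/admin"),
    Request("5499459DE", "/login", "POST", {"username": "Mark"}),
    Request("5499459DE", "/products", "TRACE", triggered=("unusual_http_method",)),
    Request("5499459DE", "/cart"),
    Request("9984578C2", "/login", "POST", {"username": "John"}),
    Request("9984578C2", "/products", triggered=("suspicious_url_pattern",)),
    Request("9984578C2", "/products", triggered=("sqli_signature",)),
    Request("9984578C2", "/cart", triggered=("xss_signature",)),
    Request("9984578C2", "/cart"),   # dropped: the session is already blocked
]


def run_demo():
    tracker = Tracker()
    decisions = [tracker.handle(r) for r in REQUEST_LOG]
    return tracker, decisions


if __name__ == "__main__":
    tracker, decisions = run_demo()
    for sid, (user, score, blocked) in tracker.report().items():
        print(f"{user or '-':5} session {sid}: score {score:3} {'BLOCKED' if blocked else ''}")
```

Joe and Mark each trip one rule and stay under the threshold, so they are never blocked; John's third hit takes his session from 48 to 78 and every later request in that session is dropped, and the report ties the score to the account name captured at login rather than only to a session cookie.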

Page 38:

False Positive/Negative Mitigation

Alert Tuning
» Granular exception/whitelist creation
» Automatic Auto Learn exceptions

Correlation
» Threat Scoring

Additional filtering layers
» Code-based Syntax Analysis and SQL Injection Validation

Page 39:

SQL Injection Validation

SQL injection protection accuracy is difficult and causes many false positives
SQL commands use common English words
Signatures are limited to pattern matching of SQL commands
They will falsely trigger blocking in many cases: too many SQL words are used, special characters are used (', --, "), etc.
Validation reviews suspected events for proper SQL usage to determine if an attack is real
Dramatically reduces false positives

Form field that could trigger a SQL Injection attack signature (ALLOWED after validation):
I need to SELECT a party location for my GROUP at work WHERE it's close to the station for those that are coming BY train FROM the city.

Form field that is validated as an attack by FortiWeb (BLOCKED):
SELECT * FROM customer_records WHERE credit_card IS NOT NULL GROUP BY state

Page 40:

Syntax-based SQL Injection Detection

New sophisticated method to prevent SQL Injection attacks
Engine uses true SQL context; no signatures required
SQL statements are inspected at “key points” of injection as identified by top security researchers
If an attempt is made to attack through a SQL statement key point, the attack is blocked
Virtually eliminates all false positive and negative detections

www.example.com/test.asp?id=7 (valid SQL usage, key point is normal): ALLOWED
www.example.com/test.asp?id=1' OR 1=1 (attempt made to manipulate a key point): BLOCKED
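The two slides above describe a layered approach: a keyword signature flags anything that looks like SQL, a validation pass checks whether the flagged text actually parses as SQL, and the syntax-based engine checks whether a parameter still occupies a single literal "key point" in the query. The Python below is an added example that is not FortiWeb code and claims nothing about how FortiWeb's engine is built; the lexer, the small SELECT-only grammar and the integer/string key-point rules are this example's own constructions, and the sample strings are the two form fields and two URL parameter values from the slides (with the slide's typographic apostrophe written as a plain '). It generalises the slide's integer example to a quoted-string slot, where the doubled-quote escape passes and an unescaped quote fails.

```python
"""Signature alert, SQL validation and key-point checking, in the spirit of the
'SQL Injection Validation' and 'Syntax-based SQL Injection Detection' slides.
Added illustration, not FortiWeb code: the lexer, the small SELECT grammar and the
key-point rules are this example's own; the sample strings are the slides'."""
import re

KEYWORDS = {"SELECT", "FROM", "WHERE", "GROUP", "BY", "ORDER", "AND", "OR", "NOT",
            "IS", "NULL", "IN", "LIKE", "UNION"}
COMPARISONS = {"=", "<>", "!=", "<", ">", "<=", ">="}
TOKEN_RE = re.compile(r"""
    (?P<STRING>'(?:[^']|'')*')        |  # complete quoted literal; '' escapes a quote
    (?P<COMMENT>--[^\n]*|/\*.*?\*/)   |
    (?P<NUMBER>\d+(?:\.\d+)?)         |
    (?P<WORD>[A-Za-z_][A-Za-z0-9_]*)  |
    (?P<OP><>|<=|>=|!=|[*=<>,;().])   |
    (?P<QUOTE>')                      |  # unterminated quote: a literal was broken out of
    (?P<SPACE>\s+)""", re.VERBOSE | re.DOTALL)


def tokenize(text):
    """Lex into (kind, value) pairs; characters the lexer does not know become OTHER."""
    tokens, pos = [], 0
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            tokens.append(("OTHER", text[pos]))
            pos += 1
            continue
        pos, kind, value = m.end(), m.lastgroup, m.group()
        if kind == "WORD":
            kind = "KEYWORD" if value.upper() in KEYWORDS else "IDENT"
            value = value.upper() if kind == "KEYWORD" else value
        if kind != "SPACE":
            tokens.append((kind, value))
    return tokens


def signature_alert(text):
    """Signature view: any SQL keyword is an alert, so plain English trips it too."""
    return [v for k, v in tokenize(text) if k == "KEYWORD"]


class SelectParser:
    """Recursive descent for: SELECT (* | idents) FROM ident [WHERE preds] [GROUP BY idents]."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else ("END", None)

    def accept(self, kind, value=None):
        k, v = self.peek()
        if k == kind and (value is None or v == value):
            self.i += 1
            return True
        return False

    def expect(self, kind, value=None):
        if not self.accept(kind, value):
            raise SyntaxError(f"expected {value or kind} at token {self.i}")

    def ident_list(self):
        self.expect("IDENT")
        while self.accept("OP", ","):
            self.expect("IDENT")

    def operand(self):
        if not (self.accept("IDENT") or self.accept("NUMBER") or self.accept("STRING")):
            raise SyntaxError("operand expected")

    def predicate(self):
        self.operand()
        if self.accept("KEYWORD", "IS"):          # x IS [NOT] NULL
            self.accept("KEYWORD", "NOT")
            self.expect("KEYWORD", "NULL")
        elif self.peek()[0] == "OP" and self.peek()[1] in COMPARISONS:
            self.i += 1
            self.operand()
        else:
            raise SyntaxError("comparison expected")

    def statement(self):
        self.expect("KEYWORD", "SELECT")
        if not self.accept("OP", "*"):
            self.ident_list()
        self.expect("KEYWORD", "FROM")
        self.expect("IDENT")
        if self.accept("KEYWORD", "WHERE"):
            self.predicate()
            while self.accept("KEYWORD", "AND") or self.accept("KEYWORD", "OR"):
                self.predicate()
        if self.accept("KEYWORD", "GROUP"):
            self.expect("KEYWORD", "BY")
            self.ident_list()
        if self.peek()[0] != "END":
            raise SyntaxError("trailing tokens")


def is_valid_sql(text):
    """Validation step: does the suspected text really parse as a SQL statement?"""
    try:
        SelectParser(tokenize(text)).statement()
        return True
    except SyntaxError:
        return False


def classify_form_field(text):
    """Block only when a signature fired AND the text validates as real SQL."""
    return "BLOCKED" if signature_alert(text) and is_valid_sql(text) else "ALLOWED"


def key_point_ok(value, kind="integer"):
    """Syntax-based check: the parameter must fill exactly one literal slot.
    'integer': lexes to a single number. 'string': after the application wraps it in
    quotes it lexes to a single string; an unescaped quote ends the literal early and fails."""
    kinds = [k for k, _ in tokenize(value if kind == "integer" else f"'{value}'")]
    return kinds == (["NUMBER"] if kind == "integer" else ["STRING"])


# Strings from the slides (the slide's typographic quote rendered as a plain ').
ENGLISH_FIELD = ("I need to SELECT a party location for my GROUP at work WHERE it's close "
                 "to the station for those that are coming BY train FROM the city.")
SQL_FIELD = "SELECT * FROM customer_records WHERE credit_card IS NOT NULL GROUP BY state"

if __name__ == "__main__":
    print(signature_alert(ENGLISH_FIELD), classify_form_field(ENGLISH_FIELD))
    print(classify_form_field(SQL_FIELD))
    print("id=7 ->", key_point_ok("7"), "| id=1' OR 1=1 ->", key_point_ok("1' OR 1=1"))
```

The English sentence trips five keyword signatures yet fails to parse, so the validation pass lets it through; the real statement parses and is blocked. The key-point check never looks at keywords at all: `7` is one number token, while `1' OR 1=1` lexes into six tokens, the second of which is an unterminated quote, which is exactly the break-out the slide calls manipulating a key point.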

Page 41:

FortiGuard Services

FortiGuard Labs
» Award-winning threat research services
» Dynamic/automated updates for FortiWeb
» Automatic downloads
» Always up-to-date

Subscription Based
» Available per device
» Select services that are needed
» Annual renewals
» Bundle options available

Security Service
• Application layer signatures
• Malicious bots
• Suspicious URL pattern
• Web vulnerability scanner updates

IP Reputation
• Protection for automated attacks and malicious sources
• DDoS, Phishing, Botnet, Spam, Anonymous proxies and infected sources

Antivirus
• Scan file uploads
• Regular and extended AV databases

FSX Cloud
• FortiSandbox hosted by Fortinet
• Subscription-based
• No separate sandbox required

Page 42:

Fortinet Recognized by Gartner for Enterprise WAF

FortiWeb positioned as “Challenger” in 2016 Magic Quadrant for Web Application Firewalls

FortiWeb moves from “Niche Player” to “Challenger” in Gartner’s assessment of the WAF marketplace in 2016. Feature enhancements, high-performance models, and Fortinet Fabric integration were seen as key contributing factors.

Strengths:
• Brand reputation, competitive prices, and integration
• Solid hardware product line with accelerated SSL decryption
• FortiSandbox integration for enhanced AV and malware protection
• Enterprise-focused enhancements (20 Gbps appliance, HSM and third-party AST support)
• Broad feature set, includes IP reputation (FortiGuard), cookie signing, SSL acceleration, and web application caching

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Fortinet. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Gartner, Magic Quadrant for Web Application Firewalls, July, 2016

Page 43:

FortiWeb Recommended by NSS Labs

NSS Labs Web Application Firewall (WAF) Comparative Report — SVM

Overview (from the NSS Labs report): Empirical data from individual Test Reports and Comparative Reports is used to create NSS Labs’ unique Security Value Map™ (SVM). The SVM illustrates the relative value of security investment by mapping the Security Effectiveness and the Total Cost of Ownership (TCO) per Protected Connections per Second (CPS) (or Value) of tested product configurations. The terms TCO per Protected CPS and Value are used interchangeably throughout the Comparative Reports.

The SVM provides an aggregated view of the detailed findings from NSS’ group tests. Individual Test Reports are available for each product tested and can be found at www.nsslabs.com. Comparative Reports provide detailed comparisons across all tested products in the following areas: Security, TCO, Performance.

Figure 1 – NSS Labs’ 2017 Security Value Map (SVM) for Web Application Firewall (WAF)

WAF Security Value Map published on April 11, 2017 (current version)

Test Categories
» OWASP Threats; 10 categories (Security Effectiveness)
» Evasions/Stability/Reliability
» Performance

Fortinet FortiWeb 3000E earned a Recommended rating
Strong performance with 98% block rate and 41,120 connections/second
Passed all tests for evasion techniques and for stability and reliability

Page 44:

46

FortiWeb Competitive Advantages

FortiWeb is the fastest WAF on the market today

Only WAF with FortiGate NGFW and Sandbox integration

Only WAF with vulnerability scanner and antivirus built-in

Industry-first WAF features (Scoring/Tracking, Syntax Analysis)

Low TCO compared to F5 and Imperva

Product Comparisons

                         FortiWeb        Barracuda     Imperva      F5               Citrix
Throughput (Gbps)        0.025 – 20.0    0.25 – 4.0    0.1 – 10     Not Available    0.5 – 5.0
SSL Offloading           Yes             Yes           Yes          Options          Options
Security Effectiveness*  99.85%          99.97%        99.82%       99.89%           99.77%
TCO/Protected Mbps*      $2.77           $4.88         $15.85       $3.38            $1.93
Vulnerability Scanner    Included        Separate      Separate     Separate         Separate
Antivirus                Included        Separate      Separate     Separate         Separate
IP Reputation            Yes             Yes           Yes          Yes              Yes
L7 Load Balancing        Yes             Yes           Yes          Yes              Yes
SSL Offloading           Yes             Yes           Yes          Yes              Yes

* From NSS Labs 2014 Web Application Firewall Security Value Map

Page 45:

47

Pricing/Licensing

Purchase price includes:

» Hardware: appliance, mounting hardware, etc.
» VM: Downloadable software and license
» 90 days of FortiCare 8x5 support

FortiCare (1, 2 and 3 year increments):

» 8x5 Enhanced
» 24x7 Comprehensive

FortiGuard

» IP reputation
» FortiWeb Security Service
» Antivirus
» FortiSandbox Cloud

Central Management (separate)

» Up to 10 FortiWeb appliances
» Unlimited option

AWS

» Bring Your Own License (BYOL)
» On-demand licensing through AWS marketplace

Microsoft Azure

» Bring Your Own License (BYOL)
» VM04 and VM08 only

Page 46:

48

Objection Handling

We regularly review our applications for security flaws; we don't need a WAF

» A WAF can automatically protect applications without the need to constantly manage existing older applications, which frees up resources.

Only our developers know the code well enough to address security issues

» Even the best programmers can't account for every possible vulnerability, and they can't predict unknown problems in advance.

We've never had a data breach and our other security measures are good enough

» Over 96% of all web-based applications were attacked in 2013. Chances are you have been attacked and may not have known about it.

Why do I need a standalone WAF instead of a module on an ADC?

» A dedicated WAF appliance will not decrease performance, and an appliance like FortiWeb has the processing power to perform behavior-based detection of application attacks. Most WAF modules on ADCs are very limited.

I've never heard of Fortinet for WAF. Why should I look at FortiWeb?

» FortiWeb has been in the WAF market for over 5 years. We're a leader according to NSS Labs, with over 99.85% security effectiveness against today's latest web application threats.

Page 47:

49

Qualifying Questions

How do you protect your web-based applications from attacks?

» Look for opportunities to have a WAF automate manual processes such as application security patches and code changes on older applications.

Do you regularly conduct code security reviews and, if so, how often?

» If they're not doing it, they're most likely at risk. If they are, they are most likely spending a lot of effort to conduct these reviews. A WAF can automate this and protect better.

Do you need to meet PCI DSS compliance standards? What were the results of your last PCI DSS audit?

» If yes, they most likely need a WAF for PCI DSS 6.6. If not, it's a harder sell to protect applications; focus instead on mission-critical systems and on protecting sensitive user and proprietary data.

Are you concerned about data breaches of sensitive customer or proprietary information through your web-based applications?

» The answer should be "yes". If so, only a WAF can protect against application-specific attacks.

Page 48:

50

Additional Resources

White Papers

» Beyond the Firewall

» WAF or NGFW with IPS to Protect Applications

Solution Guides/Briefs

» Fortinet Virtual Appliance Solutions (AWS)

» Protecting Against Layer 7 DoS Attacks with FortiWeb

» OWASP 2013 and FortiWeb

Deployment Guides:

» Replacing Microsoft TMG with FortiWeb for Publishing applications

Positioning Guides/Responses:

» NSS Labs WAF SVM Talking Points

» NSS WAF SVM and Product Analysis Report

Page 49: