Why WAPPLES?

2009. 7. 21

Originality (1/3)

WAPPLES versus other Web Application Firewalls (WAFs)

WAPPLES
  • Strong point: a fundamentally unique concept. In Korea, WAPPLES holds the #1 WAF market share, over 60%!!
  • Higher security level, ex) can detect altered/unknown attacks: the COCEP Engine performs logic analysis + positive/negative security by rules.
  • Ease of use, ex) no need for manual updates.
  • Misdetection to 0%.

Other WAFs
  • Cannot detect altered/unknown attacks: pattern matching based on an IPS/network engine.
  • High cost to maintain, ex) the security level is in proportion to the number of patterns.
  • Possibility of misdetection: misdetection can cause service suspension.

Originality (2/3)

WAPPLES is FUNDAMENTALLY DIFFERENT!

  • After gaining extensive experience in developing IDS, Penta found some critical weak points in the pattern matching method:
    • Misdetection and impossible deployments
    • Management difficulties
  • In order to overcome these weak points, a whole new architecture with a higher security level, lower management cost, and no misdetection was developed.
  • WAPPLES has a unique Logic Analysis Engine (the COCEP engine) to detect web attacks. (WAPPLES also supports pattern methods alongside the COCEP engine in order to meet customers’ demands.)
Originality (3/3)

COCEP Engine (Logic Analysis Engine) Diagram

Features

Strong points of Logic Analysis against Pattern Matching

  • Higher Security
    • Extremely low possibility of false positives
    • Accurate detection of modified attacks
  • Higher Performance
    • No additional system load from adding new patterns.
    • Generally, more than 3000 patterns lead to low system performance.
    • No difference in performance between the test environment and the real operation environment.
  • Ease of Use and Less Maintenance
    • Installation is possible without (or with minimal) changes to server and network settings.
    • Extremely little management burden on the administrator.
    • Low operation cost: customers receive a S/W update service rather than a signature update service.
COCEP Engine Process – SQL Injection Rule
  • WAPPLES’s SQL Injection Rule acts as below.
    • (1) Inspect whether there is any SQL reserved word
    • (2) Check whether the SQL phrase including the reserved word found in step (1) conforms to SQL grammar
    • (3) Evaluate whether the SQL phrase is effective as an attack

Ex) An SQL phrase including meaningless bypass code like [aaa’ or ‘1’=’1]

Ex) An SQL phrase accessing vulnerable procedures or functions

  • Positive Effects
    • WAPPLES can detect an infinite number of modified SQL injections.
    • WAPPLES does not need a new pattern as long as the attack is of the same type.
    • WAPPLES does not judge an SQL phrase an attack just because it includes a few SQL reserved words.

→ Extremely low possibility of false positives

COCEP Engine Process – Suspicious Access Rule
  • WAPPLES’s Suspicious Access Rule acts as below.
    • Send a validation request (HTTP request) back to a suspicious client accessing the web server
    • Deny the client’s access when it replies with an abnormal response.

The validation request is needed to check the client’s capability for HTTP manipulation:

- Whether it can understand an HTTP request header or not

- Whether it can process (create, update, and so on) a cookie or not

- Whether it can send a response to an HTTP status request

  • Positive Effects
    • WAPPLES can detect an unknown robot or scanner without adding new patterns.
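The validation request above, as an added example written for this page (it is not WAPPLES code and says nothing about how the product implements the check): the WAF answers a suspicious client with a 302 and a signed cookie, then accepts only a follow-up that followed the status code, carried the cookie back and is bound to the same client address. The key, the cookie name, the 60-second lifetime and the two simulated clients are constructed assumptions.

```python
import hashlib
import hmac
import re

SECRET = b"constructed-demo-key-change-me"   # assumption: per-deployment secret
MAX_AGE = 60                                  # assumption: seconds a challenge stays valid

def _token(client_ip, issued):
    """HMAC binds the challenge to one client address and one issue time."""
    msg = f"{client_ip}:{issued}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def make_challenge(client_ip, now):
    """Validation request: redirect the client and hand it a signed cookie to bring back."""
    return {"status": 302,
            "headers": {"Location": f"/?wv={now}",
                        "Set-Cookie": f"wv={now}.{_token(client_ip, now)}"}}

def validate(client_ip, followup, now):
    """True only if the follow-up request shows the client handled status, header and cookie."""
    cookie = followup.get("headers", {}).get("Cookie", "")
    m = re.fullmatch(r"wv=(\d+)\.([0-9a-f]{64})", cookie)
    if not m:
        return False                                   # no cookie processing at all
    issued, token = int(m.group(1)), m.group(2)
    if not 0 <= now - issued <= MAX_AGE:
        return False                                   # stale or replayed challenge
    if followup.get("path") != f"/?wv={issued}":
        return False                                   # did not act on the 302 Location header
    return hmac.compare_digest(token, _token(client_ip, issued))   # cookie bound to this client

# Two constructed clients for the demonstration
def browser_like(challenge):
    """Stores the cookie and follows the redirect, as a real browser would."""
    h = challenge["headers"]
    return {"method": "GET", "path": h["Location"], "headers": {"Cookie": h["Set-Cookie"]}}

def naive_scanner(challenge):
    """Ignores status code, Location and Set-Cookie and simply repeats its request."""
    return {"method": "GET", "path": "/", "headers": {}}
```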
COCEP Engine Process – 3 Contents Filtering Rules
  • WAPPLES has 3 contents filtering rules against privacy leakage:
    • Privacy input filtering
    • Privacy output filtering
    • Privacy file filtering

These rules inspect the HTTP message not by simple pattern matching, but by evaluating the message data.

They can identify credit card numbers, e-mail addresses, mobile numbers, bank account numbers, addresses and so on.

Ex) For a credit card number, validate the checksum with the Luhn algorithm (ISO/IEC 7812-1:2006).

  • Positive Effects
    • Accurate detection and control of privacy data
    • WAPPLES can detect various types of privacy data (high extensibility)
Example of False-Positive and Misdetection (1/5)
  • Signature (pattern) sample related to SQL Injection
    • Ex) In case an HTTP message includes the string “… having a good time. Seoul ==> Tokyo …”
    • Limitation
      • The use of ‘having‘ is common on a website. A regular expression that detects “having” results in too many false positives.
  • This is a selection of signatures from Product ‘S’ of Company ‘I’.
  • Below, ‘part’ means the substring-search target and ‘rgxp’ means a regular expression describing a certain amount of text.
  • After finding the ‘part’ string, ‘rgxp’ is applied.
Example of False-Positive and Misdetection (2/5)
  • Signature sample of ‘SQL Injection WHERE Statement Manipulation’
    • Ex) In case an HTTP message includes the string “or ‘b’=‘b”
    • Limitation
      • If the SQL Injection source is modified from ‘a’=‘a’ to ‘b’=‘b’, the regular expression cannot detect the modified SQL Injection attack.
Example of False-Positive and Misdetection (3/5)
  • Signature sample related to DDoS attacks
    • Ex) In case an HTTP URI includes “yahoo.co.jp/movie/deadoralive/default.jsp”
    • Limitation
      • The use of ‘alive‘ is common on a website. When the DDoS signatures are turned on, a regular expression that just detects ‘alive’ results in too many false positives.
Example of False-Positive and Misdetection (4/5)
  • Signature sample related to Privacy (Credit Card Number) Filtering
    • Ex) For the credit card number “4254361480110015”
      • 4254361480110016: detected in spite of being an invalid card number → False-Positive
      • 4254-3614-8011-0015-1234-5678: detected in spite of not being a credit card number → False-Positive
      • 4254_3614_8011_0015: a credit card number, but not in the pattern → Misdetection
    • Limitation
      • Even when the credit card number is invalid, or is not a credit card number at all, the regular expression filters it.
      • If the credit card number’s format is changed, it cannot detect it at all.
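Evaluation instead of a fixed pattern, as an added example covering both the contents filtering slide (Luhn check, ISO/IEC 7812-1) and the four sample numbers above; this is my own code, not WAPPLES' filter. It treats any maximal run of digits joined by space, hyphen or underscore as one candidate (the separator set and the 13 to 19 digit PAN length are assumptions), so the valid 16-digit number is found whatever its formatting, the 24-digit string is rejected as a whole, and the number with a bad check digit is ignored.

```python
import re

RUN_RE = re.compile(r"\d(?:[ _-]?\d)*")      # a maximal run of digits with optional separators
PAN_LENGTHS = range(13, 20)                  # accepted PAN lengths (assumption)

def luhn_valid(digits):
    """ISO/IEC 7812-1 check digit: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2   # 10..18 fold to 1..9
        total += d
    return total % 10 == 0

def as_pan(run):
    """Normalised PAN for a digit run, or None when the run is not a plausible card number."""
    digits = re.sub(r"\D", "", run)
    if len(digits) in PAN_LENGTHS and luhn_valid(digits):
        return digits
    return None

def find_card_numbers(text):
    """Privacy input filtering: every validated PAN in an HTTP message, separators removed."""
    return [pan for pan in (as_pan(m.group()) for m in RUN_RE.finditer(text)) if pan]

def mask_card_numbers(text):
    """Privacy output filtering: redact validated PANs, keeping only the last four digits."""
    def redact(m):
        pan = as_pan(m.group())
        return m.group() if pan is None else "*" * (len(pan) - 4) + pan[-4:]
    return RUN_RE.sub(redact, text)
```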
Example of False-Positive and Misdetection (5/5)
  • Signature sample of ‘Buffer Overflow Attack Attempt’
    • If the buffer overflow attack is modified like “abcdabcd…abcd”, the regular expression cannot detect it.
    • The signature is made to cope with some scanners and robots, so it leads to many misdetections.
    • Limitation
      • It is very difficult to express an infinite number of cases as one pattern.
      • Adding many single patterns puts additional system load on the web application firewall.