DATA SHEET

Brocade Virtual Web Application

Highlights
• Maximizes deployment flexibility with a software-based (WAF), ideal for Network Functions Virtualization (NFV)
• Provides massive scalability so organizations can secure the largest online applications, clustering both within data centers and across global cloud platforms
• Helps meet compliance requirements such as PCI DSS

The Ongoing Story of
Every year, thousands of new vulnerabilities are reported in Web applications. With so many new vulnerabilities, many enterprises find it difficult to secure, maintain, and enhance applications due to the complexities of security analysis and testing.

The Brocade Virtual Web Application Firewall (Brocade vWAF) is a scalable solution for application-level security, both for off-the-shelf solutions and for more complex custom applications including third-party frameworks. It can be used to apply business rules to online traffic, inspecting and blocking attacks such as SQL injection and cross-site scripting (XSS), while filtering outgoing traffic to mask credit card data, and help achieve compliance with PCI-DSS requirements by filtering outgoing data.

Defense in Depth
Enterprise security has traditionally been focused on network firewalls and content filtering solutions. However, more recently the primary target for attacks has shifted from the network layer to the application layer, because the operating systems and service interfaces of modern IT infrastructure have been hardened to expose a reduced risk profile. As a result, it is now much easier to target the application logic or application framework than the actual server or network behind the hardened network perimeter. Although many applications are created in-house, security is not always fully developed, which potentially leads to security problems throughout the application lifecycle.
KEY FEATURES
• Massive scale for global applications
• Delegated security model for security professionals
• Wide range of proactive security measures
• Protection against key vulnerabilities such as SQL injection and Cross-Site Scripting
• Integration with external security scanners and workflow tools such as Denim Group’s ThreadFix
• Dual-mode “detect and protect” operation
• Security automation using REST API
• Available as an NFV-ready virtual appliance

Figure 1: Brocade Virtual Web Application Firewall provides multiple layers of protection.

As a result, network and servers may be secure, but not applications. They must be protected with proactive Layer 7 security. Brocade vWAF brings defense in depth to applications with real-time policy enforcement, including transparent secure session management and form-field virtualisation, in a scalable Web Application Firewall (WAF) solution.

Application Security for the New IP
As enterprise networks evolve, their business requires more flexible and open architectures to support the demand for richer services and customer-focused applications, and to meet the challenges of cloud, mobile, social, and big data. The New IP is based on open standards, with automated provisioning and customer self-service management, to reduce costs and improve the speed of innovation.

Dynamic networks and applications need a new approach to manage the security of applications that are developed and launched for the New IP. Rapid application development methodologies mean that a strong security layer is essential for any complex Web application that handles sensitive data. No matter how carefully developed and audited application code may be, it is not possible to verify that no vulnerabilities exist in the application and the underlying developer frameworks. The Brocade vWAF provides an additional barrier of protection, and can be compatible with existing security processes and network architectures.

RELIABLE SUPPORT OPTIONS
Brocade Essential Support
• Provides 24×7 access to Brocade Technical Support expertise, reducing time to resolution
• Provides unmatched expertise in data center networking to optimize network performance
• Simplifies management through online technical support tools

Figure 2: Brocade and the New IP.

Massive Scalability
Organizations must scale dynamically to meet the needs of the largest global applications. Brocade vWAF can extend seamlessly across CPU, computer, server rack, and data center boundaries. Organizations can use a combination of public and private cloud technologies, and be assured of a common application security platform and centralized policies, even when clustering between data centers or across different cloud providers.

Cross Platform Portability
As IT architectures deploy more applications, they must also ensure that they are secure. The Brocade vWAF can extend security policies to all corners of the data center, and as the network transforms to enable the New IP. It can deploy common security policies across a mixture of cloud, software, virtual appliance, Web server plug-in, or even as a bare-metal server, integrating with existing systems with minimal disruption to the existing network.

Integration with Existing Technology
Organizations can avoid vendor lock-in for both networking and application security. The Brocade vWAF connects with organizations’ existing technology and business processes, and can integrate with Security Incident and Event Management systems (SIEMs).

Distributed and Delegated Management
The Brocade vWAF includes a Web-based user interface to give security professionals full distributed access to centralized policy management and reporting. Organizations can now manage policies centrally and also delegate access to business partners to manage the security configurations of specific applications or domains, tailoring access rights with granular settings for individual client applications.

Dual-Mode Detection and Protection
Organizations can refine security policies with the dual-mode “detect and protect” operation. Brocade vWAF allows layered rulesets, maintaining a live ruleset to enforce policies which have been approved for production, and simultaneously operating a detection-only ruleset which can include watch lists and trial policies. This enables new rulesets to be tested in a detection-only mode, ensuring that new policies are not activated without approval from security administrators. With this feature, new layered rulesets can be tested without compromising existing policy enforcement, which helps to avoid false positives or weakened defenses, particularly in large-scale cloud applications.

Automated Learning
The Brocade vWAF’s security is adaptive through automated learning and can make policy recommendations by learning about application behavior, which can make it easier for security teams to manage policies. Administrators retain full control over the activation and deactivation of each ruleset, with the opportunity to screen for false positives before committing to production.

Rapid Response
Brocade vWAF can close application vulnerabilities faster by importing ruleset recommendations from third-party vulnerability scanners and workflow tools such as Denim Group’s ThreadFix. Automated learning is available to help security teams manage policies. With full control over the activation of individual policies, organizations can maximize application security, while reducing the number of false positives.

Comprehensive Reporting and Logging
Brocade vWAF includes a range of reporting options for threat analysis and data retention. This not only helps security professionals to see potential attacks developing, but also where policies are too restrictive. In addition, data retention can help with local compliance requirements for record-keeping, and also for auditing policy changes.

PCI DSS Compliance
Brocade vWAF helps compliance with PCI DSS, which is a key standard for organizations which manage credit card payments. Failure to meet the requirements of PCI DSS exposes a merchant to higher risk of fraud, potential liability for costs resulting from leakage of cardholder data, and incurs higher processing fees from credit providers. The PCI DSS standard defines a pragmatic set of security procedures: Section 6.6 of the standard mandates that a merchant must either perform regular security reviews of the source of all public-facing applications or deploy and configure an appropriate Web application firewall. Brocade vWAF not only helps meet the requirements of PCI DSS 6.6, but it also helps to observe other parts of the PCI DSS standard. Brocade vWAF can easily be configured with additional security policies to detect and prevent attacks specific to all applications.
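The layered "detect and protect" operation described above, as an added illustration in Python (not the product's own engine): rules in the live ruleset reject a matching request, rules in the detection-only ruleset are only counted and logged, and a trial rule enters enforcement only when an administrator promotes it. All rule names, patterns and sample requests are constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Added illustration of dual-mode "detect and protect", not the product's own engine:
# an "enforce" rule (live ruleset) rejects a matching request, a "detect" rule
# (detection-only ruleset: trial policies, watch lists) is logged but never blocks,
# so new policies can be evaluated against real traffic before being approved.


@dataclass
class Rule:
    name: str
    pattern: str   # regex applied to the request line (path plus query string)
    mode: str      # "enforce" = live ruleset, "detect" = detection-only ruleset

    def matches(self, request: str) -> bool:
        return re.search(self.pattern, request, re.IGNORECASE) is not None


@dataclass
class Verdict:
    action: str = "permit"                         # "permit" or "reject"
    enforced: list = field(default_factory=list)   # live rules that fired
    detected: list = field(default_factory=list)   # detect-only rules that fired


def default_rules() -> list:
    """A fresh copy of the constructed ruleset used in this example."""
    return [
        Rule("sqli-union", r"union\s+select", "enforce"),   # approved, live
        Rule("trial-traversal", r"\.\./", "detect"),        # trial policy under test
        Rule("watch-export", r"^/export\b", "detect"),      # watch-list entry
    ]


def evaluate(request: str, rules: list) -> Verdict:
    """Run both layers over one request; only enforce-mode matches change the action."""
    verdict = Verdict()
    for rule in rules:
        if not rule.matches(request):
            continue
        if rule.mode == "enforce":
            verdict.enforced.append(rule.name)
            verdict.action = "reject"
        else:
            verdict.detected.append(rule.name)   # logged for review, never blocks
    return verdict


def trial_summary(requests: list, rules: list) -> dict:
    """Count how often each detection-only rule fired: the data an administrator
    reviews for false positives before approving the rule for production."""
    counts = {r.name: 0 for r in rules if r.mode == "detect"}
    for req in requests:
        for name in evaluate(req, rules).detected:
            counts[name] += 1
    return counts


def promote(rules: list, name: str) -> bool:
    """Administrator approval: move a trial rule into the live ruleset."""
    for rule in rules:
        if rule.name == name and rule.mode == "detect":
            rule.mode = "enforce"
            return True
    return False


# Constructed sample traffic for the demonstration.
SAMPLE_REQUESTS = [
    "/index.html",
    "/search?q=shoes",
    "/search?q=1 UNION SELECT 1,2,3",
    "/export?file=../reports.csv",
    "/export?file=q1.csv",
]

if __name__ == "__main__":
    rules = default_rules()
    print(trial_summary(SAMPLE_REQUESTS, rules))   # detect-only hits; nothing blocked
    promote(rules, "trial-traversal")
    print(evaluate("/export?file=../reports.csv", rules))
```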

How the Brocade Virtual Web Application Firewall Works
The Brocade vWAF is a pure software Web application firewall designed to support best practices for application security. Due to its modular construction, organizations can deploy applications very easily in a cloud-computing environment, making it a scalable solution for application-level security. Brocade vWAF can apply business rules to online traffic, inspecting and blocking attacks such as SQL injection and cross-site scripting, while filtering outgoing traffic to mask credit card data.

Request Analysis
When activated, the Brocade vWAF receives and analyzes each request against the ruleset assigned to the application, and determines which of the following actions to take:
• Permitted requests are passed to the application
• Requests which are identified as known attacks are rejected, and logged with information to help trace the attacker
• Requests which cannot immediately be categorized can be rejected locally or passed on to the application, depending on the security policy in force; they are logged and used to help classify future requests of this type

Response Analysis
The Brocade vWAF also monitors outgoing responses as they are returned to the client. Security-sensitive information can be filtered out from responses to ensure that data leakage is captured, even if the initial malformed request is successful. As a result, customer information such as credit card data, social security numbers, or healthcare-related content can be screened out by using comprehensive security policies. The Brocade vWAF can monitor the behavior of the application and traffic patterns to help optimize protection and recommend additional policies.
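The response-side filtering described under Response Analysis, as an added Python illustration rather than the product's own filter: an outgoing body is scanned for payment card numbers (a Luhn check keeps card-like order numbers from being masked) and social security numbers, and each hit is masked down to its last four digits while the finding is recorded for logging. The patterns and the sample response are constructed for this example.

```python
import re

# Added illustration of active response filtering, not the product's own policy:
# scan an outgoing body for payment card numbers and US social security numbers,
# mask them before the response reaches the client, and record what was masked.

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer run
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN_PATTERN = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_digits(text: str, keep_last: int = 4) -> str:
    """Replace every digit except the trailing keep_last with '*', keeping separators."""
    digits_total = sum(ch.isdigit() for ch in text)
    out, seen = [], 0
    for ch in text:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > digits_total - keep_last else "*")
        else:
            out.append(ch)
    return "".join(out)


def filter_response(body: str):
    """Return (masked_body, findings); findings lists (kind, last4) for each masked value."""
    findings = []

    def pan_repl(match):
        raw = match.group(0)
        digits = re.sub(r"\D", "", raw)
        # The Luhn check rejects most order numbers and timestamps that merely look card-like.
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append(("pan", digits[-4:]))
            return mask_digits(raw)
        return raw

    def ssn_repl(match):
        findings.append(("ssn", match.group(3)))
        return "***-**-" + match.group(3)

    body = PAN_CANDIDATE.sub(pan_repl, body)
    body = SSN_PATTERN.sub(ssn_repl, body)
    return body, findings


# Constructed sample response body for the demonstration.
SAMPLE_BODY = (
    "<p>Card: 4111 1111 1111 1111, order 1234 5678 9012 3456, SSN 123-45-6789</p>"
)

if __name__ == "__main__":
    masked, found = filter_response(SAMPLE_BODY)
    print(masked)    # card and SSN masked; the Luhn-invalid order number is left alone
    print(found)     # what the filter would write to the log
```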

Figure 3: Brocade vWAF provides comprehensive reporting and logging.

Unique Scalable Architecture
The software consists of three scalable components:
• The Enforcer
• The Decider
• The Administration Interface

These can be configured either as a pre-packaged WAF solution, such as an add-on module for the Brocade Virtual Traffic Manager (Brocade vTM) to manage a cluster of applications, or as a fully distributed solution across hundreds of Web servers and multiple data centers for maximum scalability and performance. The same distributed management interface can be used to protect both types of deployment, or even in a shared services environment.

Enforcer
The Enforcer is an adapter for the Web application firewall to analyze the data to enforce the policy. The Enforcer sends request and response data to a component called the Decider, and modifies requests and responses as needed.

Decider
The policy engine checks the data from the Enforcer module and decides how to manage each request/response. The unique architecture allows scaling across multiple CPU cores, and is also capable of scaling horizontally. The Decider is the compute-intensive part of the solution, and the workload on the Decider depends on the load of the Web infrastructure behind it. As users and applications generate more traffic, the Decider will utilize greater CPU resources.

Administration Interface
Organizations can choose to deploy the administration system either as a single server, or fully decentralized. This decentralized architecture is resilient against node failures, and allows groups of security administrators to work on individual application policies while providing detailed central monitoring and alerting functions.

Integrated ADC Implementation
In integrated ADC deployments, the Brocade vWAF is licensed as an add-on for the Brocade vTM, and can be deployed either on a server appliance or on a VM in virtual or cloud infrastructure. Enforcers and Deciders are co-resident inside the Brocade vTM package and are administered as a single platform. The Admin GUI is accessed through the standard Brocade vTM console.

Figure 4: The Brocade vWAF is available as an optional add-on for the Brocade Virtual Traffic Manager.

Feature Summary

Baseline Protection
The Brocade vWAF includes a Baseline Protection Wizard, which makes it easy to update policies. The baseline policies are a blacklist and regex-pattern match of known vulnerabilities and attacks: when Brocade vWAF detects a suspicious pattern which matches the baseline policies, the request is rejected without exposing the application. Brocade publishes regular baseline updates, and the Brocade vWAF dashboard highlights the recommended updates. Note that the new baseline policies are NOT applied automatically: the new rules should be reviewed by the security team and activated through the management console.

Injection Flaws
Injection is a common way for attackers to compromise an application. It attempts to force an application to execute malicious code in a database or script, when the application was only expecting to find user data such as login credentials or an online form. For example, SQL Injection can be used to attack databases, but other forms include LDAP injection or Shell injection, which can be equally damaging. The Brocade vWAF Baseline Protection Wizard automatically configures standard rules to perform additional validation of user input, in order to detect and drop traffic that contains suspected injection flaw payloads. Alternatively, custom rules can be set to look for application-specific patterns.

Secure Session Management
While many applications use secure passwords and , it is possible for user and session data to be exposed through weak links such as session cookies and tokens. Attackers can use these weak links to create or modify sessions and access live data. The Brocade vWAF Secure Session Wizard can help to secure vulnerable sessions, using two important tools: the Session Handler can impose additional controls on user session timeouts and session limits, while the Cookie Jar Handler can be used to preserve vulnerable information by exchanging weak session cookies for more secure session management. With Brocade vWAF, organizations can add an additional authentication layer in front of their applications.

Secure Entry Points
Similarly, many applications enforce authentication when a session is opened, but do not perform access control verification at each step or intermediate function. Attackers can manipulate workflow flaws to access data or bypass session authentication. The Brocade vWAF offers an Entry Point Handler that can provide additional security by ensuring that new user sessions always start at a pre-determined entry point. This prevents attackers from deep linking into applications, bypassing entry points and authentication steps.

Cross Site Scripting (XSS)
Applications which accept user-generated input, including simple online forms or social media sites, need to ensure that the content has been validated and is safe to be re-posted and viewed by a client Web browser. A Cross-Site Scripting attack (XSS) attempts to insert scripts into the user data, which are executed by the client Web browser when the content is viewed by another user, which can result in hijacked user sessions, defaced Web sites, or uploaded . The Brocade vWAF Baseline Protection Wizard includes policies that validate all user input and exclude traffic that contains suspected XSS payloads. Alternatively, custom rules can be set to trigger on specific XSS patterns.

Cross Site Request Forgery (CSRF)
A CSRF attack sends a request to the target Web application, and relies on the user already being logged into the target application, for example when a user remains logged in to an application using a cookie or other session token, to avoid having to re-authenticate each time. The CSRF attack hijacks the client browser to send a request to the target application, which is pre-authenticated by the existing session token. Because the target application recognises the request as authenticated, the CSRF attack can send commands or queries to any form in the target application, potentially leaking or corrupting data. Brocade vWAF provides additional protection against CSRF attacks using the Form Protection Handler, which authenticates online forms with a session-based key to ensure that they are only accessed directly, and not through a cross-site linkage.

Masking Sensitive Data
Attackers may attempt a variety of exploits to extract sensitive data, including payment card information, social security information, and security credentials. This kind of sensitive data requires additional layers of protection beyond the of stored data: for example, data in transit should be encrypted using secure transport, and active response filtering can mask out sensitive data which leaks through other defenses.

Redirection and Forwarding Attacks
Many Web applications use redirections and forwarding to transfer control within online services, and may be vulnerable when they use untrusted data or URL parameters to select the target Web page. Attackers may use weak validation of redirection criteria to trigger malware or attacks by forwarding to unauthorised targets. The Brocade vWAF Baseline Protection Wizard includes policies that check for fully-qualified URL references to protect against unwanted redirection. Security professionals can also define preferred redirection targets for when an invalid redirection target is detected.

Resolving Third-Party Vulnerabilities
Modern online applications often include third-party libraries and tools, which may be vulnerable to zero-day attacks. Third-party software providers may be unable to resolve flaws quickly, so attackers may be able to exploit these vulnerabilities before they are corrected. Known vulnerabilities within application components can be mitigated with the Brocade vWAF. Standard application attacks like SQL Injection or XSS can be mitigated using the Baseline Protection or the Whitelist Learning Capability. Similarly, the pro-active features of the Brocade vWAF can be used to identify and protect against vulnerabilities in the application logic of applications.

Flexible Deployment Options
The Brocade vWAF supports a full range of deployment options, enabling organizations to choose the best fit for their architecture and application risk profile. The Brocade vWAF can be deployed as a plug-in on the Web server, installed as software on bare-metal servers, or as a virtual appliance in a customer data center or cloud provider, or even installed as an integrated package with the Brocade vTM for enhanced security and control of complex applications. In addition, the Brocade vWAF is also available as a stand-alone proxy, designed to be used with existing load-balancers and ADCs, and is particularly suitable for cloud deployment to add application-level security to a cloud application without changing the application architecture.

Summary of Deployment Options

Brocade vWAF for the Brocade Virtual Traffic Manager: This optional module may be licensed for the Brocade vTM, and allows the traffic manager to enforce application-level security on HTTP traffic.

Brocade vWAF Proxy: This WAF proxy solution is available as either a software or virtual appliance, and is typically deployed alongside an existing ADC or load balancer device. The existing ADC routes traffic through the proxy so that the Web Application Firewall can apply deep application-level security.

Brocade vWAF Bare-Metal Appliance: For networks that need to deploy a WAF as a hardware appliance, Brocade vWAF can be installed on standard Intel x86 servers, and managed as a stand-alone device.

Brocade vWAF Web-Server Plug-in: For maximum scalability in custom applications, Brocade vWAF can be implemented as Web-server plug-ins to provide fully distributed application security with optimum flexibility.

Brocade Virtual Web Application Firewall System Requirements—Standard Deployment

Brocade Virtual Web Application Firewall Software and Virtual Appliances (when deployed with the Brocade Virtual Traffic Manager or as a proxy)

Supported OS (Traffic Manager): x86_64: Kernel 2.6.8 – 3.13 (2.6.22+ for IPv6), glibc 2.5+; Solaris 10 (x86_64)

Virtual Environment (Virtual Appliance): VMware vSphere 5.0, 5.1, 5.5; XenServer 6.1, 6.2; OracleVM for x86 2.1, 2.2, 3.2, 3.3; Microsoft Hyper-V Server 2012 & 2012 R2, Microsoft Hyper-V under Windows Server 2012 and 2012 R2; QEMU/KVM (RHEL/CentOS 6.x, 7.x, Ubuntu 12.04, 14.04)

Recommended CPU: Intel Xeon / AMD Opteron

Recommended Minimum Memory: 2 GB

Recommended Minimum Disk Space: 10 GB (Software), 16 GB (Virtual Appliance)

Brocade Virtual Web Application Firewall System Requirements—Distributed Deployment

Brocade Virtual Web Application Firewall Software’s three independently scalable components (when deployed as a distributed service)

Decider modules: Decider modules apply security policy to traffic bidirectionally. They are deployed on a cluster of one or more multicore servers. Platforms: Linux 2.6+ (x86_32 and x86_64), Solaris 10 (x86_64), Microsoft Windows 2012 Server R2. Memory: 1 GB RAM per core.

Enforcer plug-ins: Enforcer plug-ins are deployed on origin Web servers or proxies. They forward selected traffic to the Decider cluster and enforce the decision returned. Platforms: Apache 2.0, 2.2 or 2.4 on Linux 2.6+ (x86_32 and x86_64), Solaris 10 (x86_64); J2EE servers running Java 1.2 and later and Servlet API 2.3 and later (e.g. Apache Tomcat); Nginx (1.9.7+, Lua module required); IIS 8. CPU utilization of the Web server should not exceed 60% before deployment of the Enforcer plug-in.

Administration Server: The Administration Server manages and deploys security policies to the Decider cluster and reports on security status. Platforms: Linux 2.6+ (x86_32 and x86_64), Solaris 10 (x86_64), or Microsoft Windows 2012 Server R2. Memory: 2 GB RAM for the Admin Server.

Brocade Global Services
Brocade Global Services has the expertise to help organizations build scalable, efficient cloud infrastructures. Leveraging 20 years of expertise in storage, networking, and virtualization, Brocade Global Services delivers world-class professional services, technical support, and education services, enabling organizations to maximize their Brocade investments, accelerate new technology deployments, and optimize the performance of networking infrastructures.

Affordable Acquisition Options
Brocade Capital Solutions helps organizations easily address their IT requirements by offering flexible acquisition and support alternatives. Organizations can select from purchase, lease, Brocade Network Subscription, and Brocade Subscription Plus options to align network acquisition with their unique capital requirements and risk profiles. To learn more, visit www.Brocade.com/Capital.

Maximizing Investments
To help optimize technology investments, Brocade and its partners offer complete solutions that include professional services, technical support, and education. For more information, contact a Brocade sales partner or visit www.brocade.com.

Corporate Headquarters
San Jose, CA USA
T: +1-408-333-8000
[email protected]

European Headquarters
Geneva, Switzerland
T: +41-22-799-56-40
[email protected]

Asia Pacific Headquarters
Singapore
T: +65-6538-4700
[email protected]

© 2016 Brocade Communications Systems, Inc. All Rights Reserved. 04/16 GA-DS-5287-00

Brocade, Brocade Assurance, the B-wing symbol, ClearLink, DCX, Fabric OS, HyperEdge, ICX, MLX, MyBrocade, OpenScript, VCS, VDX, Vplane, and are registered trademarks, and Fabric Vision is a trademark of Brocade Communications Systems, Inc., in the United States and/or in other countries. Other brands, products, or service names mentioned may be trademarks of others.

Notice: This document is for informational purposes only and does not set forth any warranty, expressed or implied, concerning any equipment, equipment features, or service offered or to be offered by Brocade. Brocade reserves the right to make changes to this document at any time, without notice, and assumes no responsibility for its use. This information document describes features that may not be currently available. Contact a Brocade sales office for information on feature and product availability. Export of technical data contained in this document may require an export license from the United States government.