Hillstone Web Application Firewall (WAF)
Business Problem
Introduction of Hillstone WAF
Model Selection & Ordering Information
Deployment Modes
© 2021 Hillstone Networks All Rights Reserved | 2
Business Problem
Key Problems: More Threats From Web Applications
• Invasion Threat: high-risk applications bring more intrusion threats.
• Information Leakage: use of unauthorized applications can easily lead to data leakage.
• Rising Cost: bandwidth abuse leads to rising operating costs.
• Productivity Decline: uncontrolled application usage reduces employee productivity.
DDoS attack, CC attack, SQL injection…
Nowadays, more than 75% of threats occur in web applications.
What Can WAF Provide?
Web Application Firewalls are the fastest and most cost-effective way to address application vulnerabilities in production.
App Protection
• Coverage for OWASP Top 10: XSS, Injection, Bot Mitigation, Malware, …
Network Protection
• Protection of DoS attacks
• Protection of Flood attacks
• Protection of IP/port scanning and spoofing
• Protection of TCP anomalies
• Protection of Malicious IP
• Protection over other unknown threats
API Protection
• Brute Force mitigation
• L7 DoS
• API schema validation
• Security policy updates
When Do You Use WAF In A Security Solution
Product positioning in a security solution: NGFW vs IPS vs WAF
                      FW            IPS           WAF
Analogy               The Gate      The Guard     The Bodyguard
Technique             Policy        Signatures    Proxy
Service               All traffic   All traffic   HTTP/HTTPS
Size of the purchase  8             4             1
Introduction of Hillstone WAF
Hillstone Web Application Firewall Overview
One-Stop Web Application Security:
01. Web Asset Auto Discovery: help admins find and manage their web sites.
02. Signature Based plus Semantic Analysis Detection: manage OWASP Top 10 security risks.
03. Intelligent Self-learning Security: help to find unknown attacks.
04. SSL Offloading: high performance HTTPS protection.
05. API Protection: protect the increasingly used API applications.
06. IPv6 Proxy, Dual Stack Security: fast IPv6 transformation.
07. Scalable Performance: expand performance with Hillstone ADC.
08. Multi-dimension Threat Analysis: effective website security O&M.
Simplify Operations through Automatic Website Asset Discovery
Before: 24 hours or days. Now: 20 min.
[Diagram: WAF in front of dozens of web services (Web 1# to Web 8#, OA, ERP, CRM, DNS, DB, Mail, Market, R&D) that need to be sorted out]
• How to sort out hundreds of Web services that need protection?
• Automatically detect web traffic in the network through asset self-discovery; discover and define web services and assets.
• Fill the form: IP/port/domain name statistics, etc.
Complete OWASP Risk Mitigation and Resolution
Hillstone WAF uses dual detection engines (Regular Expression and Semantic Analysis) to find attacks like SQL injection and XSS with higher precision than a regular-expression-only WAF, and thus helps customers mitigate the OWASP Top 10 web application risks.
OWASP Top 10 Security Risks (2017):
A1 Injection
A2 Broken Authentication
A3 Sensitive Data Exposure
A4 XML External Entities (XXE)
A5 Broken Access Control
A6 Security Misconfigurations
A7 Cross Site Scripting (XSS)
A8 Insecure Deserialization
A9 Using Components with Known Vulnerabilities
A10 Insufficient Logging and Monitoring
*The Open Web Application Security Project (OWASP) is a non-profit foundation dedicated to improving the security of software. OWASP Top 10 is an online document on OWASP’s website that provides a ranking of, and remediation guidance for, the top 10 most critical web application security risks.
Dual Detection Engine - Semantic Analysis + Rule Matching
30% decrease in false positives.
Option 01: Semantic Analysis
• XSS Semantics Detection
• SQL Injection Detection
• Recursive Decoding
Option 02: Rule Matching
• Regular Expression
• False Positive Remediation
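As an added example (not Hillstone's code) of the two stages this slide names, the block below runs recursive decoding before rule matching and then applies a simplified semantic check that drops SQL keyword hits lacking any SQL structure. The rule set, the structure-token list and the sample inputs are constructed for the example.

```python
import html
import re
from urllib.parse import unquote

# Constructed rule set standing in for the regular-expression engine
# (example rules, not Hillstone's signatures).
RULES = {
    "xss-1001": re.compile(r"<\s*script\b", re.IGNORECASE),
    "sqli-2001": re.compile(r"\bunion\s+select\b", re.IGNORECASE),
}
# Tokens that give a keyword match SQL structure; plain prose has none of them.
SQL_STRUCTURE = re.compile(r"['\";()]|--|/\*|\bfrom\b", re.IGNORECASE)


def recursive_decode(value: str, max_rounds: int = 5) -> str:
    """Undo URL and HTML-entity encoding until the value stops changing.
    Bounding the rounds keeps adversarial input from costing unbounded work."""
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value


def rule_matches(value: str) -> list:
    """Stage 1, rule matching: ids of every rule that fires on the decoded value."""
    decoded = recursive_decode(value)
    return sorted(rid for rid, rx in RULES.items() if rx.search(decoded))


def inspect_value(value: str) -> dict:
    """Stage 2, a simplified semantic check: a SQL keyword hit is kept only if
    the value also carries SQL structure, so a sentence that happens to contain
    the words 'union select' does not become a false positive."""
    decoded = recursive_decode(value)
    hits = rule_matches(value)
    confirmed = [rid for rid in hits
                 if not rid.startswith("sqli") or SQL_STRUCTURE.search(decoded)]
    return {"decoded": decoded, "rule_hits": hits, "confirmed": confirmed}
```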
Comprehensive Defense Against Injection Attacks
• In addition to the most common SQL injection, Hillstone WAF can detect and defend against various other injection attacks.
• 10+ injection attacks, 200+ injection detection rules.
Covered injection types: SQL Injection, LDAP Injection, PHP Code Injection, XML Injection, Email Injection, Remote File Inclusion (RFI), Local File Inclusion (LFI), XPath Injection, JavaScript Injection, Command Injection, Other Injections…
Machine Learning Based Customized Protection
Customized protection based on traffic auto-learning, on top of general protection based on rules and scripts.
Learn
• Parameter length, type
• Cookie
• HTTP operation method
• Client IP distribution
Revision
• Administrator optimization
• Learning result correction
Protection
• Dynamic URL tree
• Generate an exclusive protection strategy
• Detect the unknown attacks
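As an added example (not Hillstone's code) of the Learn, Revision and Protection phases, the block below learns a per-URL profile of parameter length and type, HTTP method and client IP distribution from constructed traffic, lets an administrator correct a learned limit, and then reports deviations. The profile structure and the sample requests are assumptions of the example.

```python
from collections import Counter

# Constructed learning traffic as (method, url, params, client_ip); not real data.
LEARN_SET = [
    ("GET", "/shop/item", {"id": "1023", "q": "mug"}, "10.0.0.5"),
    ("GET", "/shop/item", {"id": "77", "q": "lamp"}, "10.0.0.6"),
    ("GET", "/shop/item", {"id": "5081", "q": "chair"}, "10.0.0.5"),
    ("POST", "/login", {"user": "alice", "pw": "s3cret!"}, "10.0.0.7"),
]


def value_type(v):
    """Coarse parameter type, the 'type' dimension that is learned."""
    return "digit" if v.isdigit() else "alpha" if v.isalpha() else "alnum" if v.isalnum() else "text"


def learn(samples):
    """Learn phase: per URL, the methods seen, each parameter's length range and
    types, and the client IP distribution (kept for administrator review)."""
    profiles = {}
    for method, url, params, ip in samples:
        p = profiles.setdefault(url, {"methods": set(), "params": {}, "ips": Counter()})
        p["methods"].add(method)
        p["ips"][ip] += 1
        for name, val in params.items():
            q = p["params"].setdefault(name, {"min": len(val), "max": len(val), "types": set()})
            q["min"], q["max"] = min(q["min"], len(val)), max(q["max"], len(val))
            q["types"].add(value_type(val))
    return profiles


def revise(profiles, url, param, max_len):
    """Revision phase: an administrator corrects a learned limit."""
    profiles[url]["params"][param]["max"] = max_len
    return profiles


def check(profiles, method, url, params):
    """Protection phase: every deviation from the exclusive profile of this URL."""
    p = profiles.get(url)
    if p is None:
        return ["url not in learned URL tree"]
    findings = [f"unexpected method {method}"] if method not in p["methods"] else []
    for name, val in params.items():
        q = p["params"].get(name)
        if q is None:
            findings.append(f"unknown parameter {name}")
        elif not q["min"] <= len(val) <= q["max"]:
            findings.append(f"{name}: length {len(val)} outside {q['min']}-{q['max']}")
        elif value_type(val) not in q["types"]:
            findings.append(f"{name}: type {value_type(val)} not learned")
    return findings
```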
Anti-Defacement For Dynamic & Static Contents
Safe & Reliable: Kernel Driver Level Protection
• Driver-level filtering of web server file access (stack: Application, I/O Management, Driver Filtering, File System, File Storage)
Incremental Static & Dynamic Contents Synchronization
• Encrypted File Transfer
• Fast Sync Channel
• Add, Delete, Update, Publish (Compress)
• Integrity Check
[Diagram: anti-defacement software server synchronizing content to the web server]
Sensitive Information Protection (Web)
• Hide personal information & sensitive words (with *)
• No impact to normal business
Personal Information: cell phone, email, ID card, bank card number leakage
Sensitive Words: sensitive political tendency, violent tendency, unhealthy content
[Figure: page content before desensitization and after desensitization through the WAF]
Detect Attacks in Encrypted Traffic
• 95% of the traffic across Google has been encrypted.
• Google marks HTTP web as unsafe.
• Seamlessly upgrade the website to HTTPS and provide comprehensive protection using Hillstone WAF, in SSL Offload or SSL Proxy mode.
[Figure: encrypted traffic across Google, 95%; 48%; HTTPS flows through the WAF in SSL Offload and SSL Proxy modes]
API Protections
API Scenarios
• APIs are software intermediaries that allow two applications to talk to each other, and are now widely used in modern apps.
• Online shopping, booking, weather, map, stock…
Risks
• Excessive data exposure via API
• Injection and XSS attacks among API calls
• Refer to OWASP Top 10 API Security
Hillstone Provides
• Detect attacks in API
• Schema Validation according to OpenAPI file.
API Protection - Compliance
Typical Scenario:
• Online Shopping
• Financial Transactions
• Hospital Registration
• Smart City
• Others
Risk:
• API exposes a lot of information to the public and raises more potential risks
Solution: API Protection - Compliance
• Schema Validation: import the OpenAPI file (API Specification in json, yaml or yml)
• User Definition: customized configuration with customized rules on HTTP host and URI
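As an added example (not Hillstone's code) of schema validation against an imported OpenAPI file, the block below checks a request's path, method, path parameters and JSON body against a constructed OpenAPI 3 document for an online-shopping API. The specification, the supported subset of the schema language and the error strings are assumptions of the example.

```python
# Constructed minimal OpenAPI 3 document for an online-shopping API (the WAF
# would import it from a json/yaml file; it is embedded here to run offline).
SPEC = {"paths": {
    "/orders/{id}": {"get": {"parameters": [
        {"name": "id", "in": "path", "schema": {"type": "integer"}}]}},
    "/orders": {"post": {"requestBody": {"content": {"application/json": {"schema": {
        "type": "object", "required": ["sku", "qty"], "additionalProperties": False,
        "properties": {"sku": {"type": "string"}, "qty": {"type": "integer"}}}}}}}},
}}
TYPES = {"integer": int, "string": str, "boolean": bool, "object": dict, "array": list}


def type_ok(value, schema, from_text=False):
    """Check a JSON value, or a path value that arrives as text, against a schema type."""
    py = TYPES.get(schema.get("type"))
    if from_text and py is int:
        return isinstance(value, str) and value.lstrip("-").isdigit()
    return py is None or (isinstance(value, py) and not (py is int and isinstance(value, bool)))


def match_path(path):
    """Find the path template matching a concrete path; return (template, path params)."""
    segs = path.strip("/").split("/")
    for template in SPEC["paths"]:
        tsegs = template.strip("/").split("/")
        if len(tsegs) == len(segs) and all(t.startswith("{") or t == s for t, s in zip(tsegs, segs)):
            return template, {t[1:-1]: s for t, s in zip(tsegs, segs) if t.startswith("{")}
    return None, {}


def validate(method, path, body=None):
    """Return the schema violations for one request; an empty list means it is allowed."""
    template, path_params = match_path(path)
    if template is None:
        return ["path not in API specification"]
    op = SPEC["paths"][template].get(method.lower())
    if op is None:
        return [f"method {method} not defined for {template}"]
    errors = [f"parameter {p['name']} is not {p['schema']['type']}" for p in op.get("parameters", [])
              if not type_ok(path_params.get(p["name"]), p["schema"], from_text=True)]
    schema = op.get("requestBody", {}).get("content", {}).get("application/json", {}).get("schema")
    if schema is None:
        return errors
    if not isinstance(body, dict):
        return errors + ["JSON object body required"]
    errors += [f"missing body field {n}" for n in schema.get("required", []) if n not in body]
    for name, val in body.items():
        if name not in schema["properties"]:
            if schema.get("additionalProperties", True) is False:
                errors.append(f"unexpected body field {name}")
        elif not type_ok(val, schema["properties"][name]):
            errors.append(f"body field {name} is not {schema['properties'][name]['type']}")
    return errors
```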
IPv6 Protection and Fast IPv6 Transformation
Value: support IPv6 transformation (IPv4 to IPv6).
Scenario: limited budget; IPv6 transformation of IPv4 websites with external links.
01 Support IPv4/IPv6 dual-stack proxy deployment.
02 Support IPv6 access without upgrading the application server; IPv4 access is not affected.
03 Provide IPv6 services.
Multi-dimensional Visibility for Efficient O&M
• Threat Analysis
• Traffic Analysis
• Attack Breakdown
• Threat Control
Aggregated Logs Help to Eliminate False Positives
How to find false positives among the massive logs?
Hillstone WAF supports multi-dimensional log aggregation and helps admins review logs, find false positives, and tune the policy.
Review flow: Original log -> Aggregated log according to attack type (Attack Name, Attack Frequency) -> Aggregated log according to rule id (Attack Distribution) -> Payload Analysis -> Following Actions…
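As an added example (not Hillstone's code) of the review flow on this slide, the block below parses constructed WAF log lines and aggregates them by attack type, by rule id and by payload, then applies a review heuristic that queues rules whose hits look like legitimate business input. The log layout and the heuristic are assumptions of the example.

```python
import re
from collections import Counter, defaultdict

# Constructed log lines in an invented key=value layout (not Hillstone's real log format).
LOG_LINES = """\
2021-06-01T10:00:01 src=10.1.1.5 url=/search attack="SQL Injection" rule=2001 param=q payload="credit union select committee"
2021-06-01T10:00:03 src=10.1.1.6 url=/search attack="SQL Injection" rule=2001 param=q payload="credit union select committee"
2021-06-01T10:00:07 src=10.1.1.9 url=/search attack="SQL Injection" rule=2001 param=q payload="credit union select committee"
2021-06-01T10:01:02 src=203.0.113.7 url=/login attack="SQL Injection" rule=2005 param=user payload="1 or 1=1"
2021-06-01T10:01:09 src=203.0.113.7 url=/login attack="XSS" rule=3001 param=user payload="<script>"
2021-06-01T10:02:11 src=203.0.113.7 url=/item attack="XSS" rule=3001 param=name payload="<script src=x>"
""".splitlines()

LINE_RE = re.compile(r'src=(?P<src>\S+) url=(?P<url>\S+) attack="(?P<attack>[^"]+)" '
                     r'rule=(?P<rule>\d+) param=(?P<param>\S+) payload="(?P<payload>[^"]*)"')


def parse(lines):
    """Turn raw lines into event dicts; lines that do not match the layout are skipped."""
    return [m.groupdict() for m in (LINE_RE.search(line) for line in lines) if m]


def by_attack(events):
    """Aggregation level 1: attack name -> frequency."""
    return Counter(e["attack"] for e in events)


def by_rule(events):
    """Aggregation level 2: rule id -> frequency (attack distribution)."""
    return Counter(e["rule"] for e in events)


def payload_analysis(events):
    """Aggregation level 3, per rule: distinct payloads, distinct sources, url/param hit."""
    out = defaultdict(lambda: {"payloads": set(), "sources": set(), "targets": set()})
    for e in events:
        out[e["rule"]]["payloads"].add(e["payload"])
        out[e["rule"]]["sources"].add(e["src"])
        out[e["rule"]]["targets"].add((e["url"], e["param"]))
    return dict(out)


def false_positive_candidates(events, min_sources=3):
    """Review heuristic: one payload on one url/parameter from many different clients
    looks like legitimate business input tripping a rule, so it is queued for the admin."""
    return sorted(rule for rule, a in payload_analysis(events).items()
                  if len(a["payloads"]) == 1 and len(a["targets"]) == 1
                  and len(a["sources"]) >= min_sources)
```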
Model Selection & Ordering Information
Hillstone W-Series WAF Portfolio
• For ISP & Datacenter: vWAF08/vWAF12, HTTP Throughput: 3-10G
• For Education & Enterprise: vWAF04, HTTP Throughput: 2-3G
• For SMB: vWAF02, HTTP Throughput: 500M-1G
Hillstone vWAF Specifications
Specifications                                        SG-6000-WV02        SG-6000-WV04        SG-6000-WV08        SG-6000-WV12
Hardware
  • CPU                                               2 Core              4 Core              8 Core              12 Core
  • Hard Disk (min, max)                              100GB, 1TB          100GB, 1TB          100GB, 1TB          100GB, 1TB
  • Memory                                            4GB                 8GB                 16GB                24GB
Interface
  • Interface (max)                                   10                  10                  10                  10
Sites
  • Protection Sites Numbers                          16                  32                  128                 256
  • IP/PORT Pair Can Be Protected                     32                  64                  1024                1024
Network Performance (Without WAF)
  • Throughput (1518 Bytes) (SR-IOV)                  5G                  10G                 20G                 40G
  • Concurrent Sessions                               0.4M                1.2M                2.5M                4M
HTTP Protection Performance (using "Medium policy")
  • HTTP Throughput (HTTP GET 512KByte file)          1200M               2500M               5500M               8000M
  • HTTP Concurrent Sessions (HTTP GET 64Byte file)   100K                300K                1.5M                2.5M
  • HTTP Connection/s (HTTP GET 1Byte file)           2,800               5,800               14,000              20,000
  • HTTP Transaction/s (TPS)                          3,000               6,500               16,000              22,000
  • HTTP Model Selection Suggestion                   250M HTTP Traffic   650M HTTP Traffic   1.6G HTTP Traffic   2G HTTP Traffic
HTTPS Protection Performance (using "Medium policy", TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 2K RSA)
  • HTTPS Throughput                                  200M                400M                900M                1500M
  • HTTPS New Connection                              400                 900                 2200                3300
  • HTTPS Transaction/s (TPS)                         3000                6000                15000               24000
  • HTTPS Model Selection Suggestion                  50M HTTPS Traffic   80M HTTPS Traffic   200M HTTPS Traffic  300M HTTPS Traffic
Ordering Guide – Perpetual Mode
Category SKU Definition
Base System SG-6000-WV02-BP-IN vWAF-02 Base System
SG-6000-WV04-BP-IN vWAF-04 Base System
SG-6000-WV08-BP-IN vWAF-08 Base System
SG-6000-WV12-BP-IN vWAF-12 Base System
Maintenance Service SG-6000-WV02-SP-IN12/24/36/48/60 vWAF-02 Maintenance Service for 1/ 2/ 3/ 4/ 5 year(s)
SG-6000-WV04-SP-IN12/24/36/48/60 vWAF-04 Maintenance Service for 1/ 2/ 3/ 4/ 5 year(s)
SG-6000-WV08-SP-IN12/24/36/48/60 vWAF-08 Maintenance Service for 1/ 2/ 3/ 4/ 5 year(s)
SG-6000-WV12-SP-IN12/24/36/48/60 vWAF-12 Maintenance Service for 1/ 2/ 3/ 4/ 5 year(s)
IP Reputation License IPR-WV02-SP-IN12/24/36/48/60 vWAF-02 IP Reputation Subscription
IPR-WV04-SP-IN12/24/36/48/60 vWAF-04 IP Reputation Subscription
IPR-WV08-SP-IN12/24/36/48/60 vWAF-08 IP Reputation Subscription
IPR-WV12-SP-IN12/24/36/48/60 vWAF-12 IP Reputation Subscription
Ordering Guide – Subscription Mode
Category SKU Definition
Base System SG-6000-WV02-BS-IN1 vWAF-02 Subscription Package for 1 month
SG-6000-WV04-BS-IN1 vWAF-04 Subscription Package for 1 month
SG-6000-WV08-BS-IN1 vWAF-08 Subscription Package for 1 month
SG-6000-WV12-BS-IN1 vWAF-12 Subscription Package for 1 month
Maintenance Service SG-6000-WV02-BS-IN12 vWAF-02 Subscription Package for 1 year
SG-6000-WV04-BS-IN12 vWAF-04 Subscription Package for 1 year
SG-6000-WV08-BS-IN12 vWAF-08 Subscription Package for 1 year
SG-6000-WV12-BS-IN12 vWAF-12 Subscription Package for 1 year
IP Reputation License IPR-WV02-SS-IN1 vWAF-02 IP Reputation Subscription for 1 month
IPR-WV04-SS-IN1 vWAF-04 IP Reputation Subscription for 1 month
IPR-WV08-SS-IN1 vWAF-08 IP Reputation Subscription for 1 month
IPR-WV12-SS-IN1 vWAF-12 IP Reputation Subscription for 1 month
IPR-WV02-SS-IN12 vWAF-02 IP Reputation Subscription for 1 year
IPR-WV04-SS-IN12 vWAF-04 IP Reputation Subscription for 1 year
IPR-WV08-SS-IN12 vWAF-08 IP Reputation Subscription for 1 year
IPR-WV12-SS-IN12 vWAF-12 IP Reputation Subscription for 1 year
Deployment Modes
One-arm Reverse Proxy Mode
Deployment
• Layer 3 deployment
• Single interface for traffic in and out
Pros
• Support server load balancing
• Server IPs are not exposed to clients
• No impact to existing network deployment
[Diagram: router 192.168.2.1; WAF eth0/1 192.186.2.2; server gateway 10.180.11.1; web servers 10.180.11.11, 10.180.11.22, 10.180.11.33]
Reverse Proxy Mode
Deployment
• Layer 3 deployment
• Deployed inline between clients and servers
Pros
• Support server load balancing
• Server IPs are not exposed to clients
[Diagram: WAN side 192.168.2.1; WAF eth0/1 192.186.2.2 and eth0/2 192.168.3.2; LAN side 192.186.3.1; server gateway 10.180.11.1; web server 10.180.11.11]
Traction Proxy Mode
Deployment
• Layer 3 deployment
• Requires two interfaces: one in and one out
• Requires the router to redirect the traffic from clients to the WAF and then from the WAF back to the servers.
Pros
• Auto failover without bypass
[Diagram: router 192.168.2.1 / 192.168.3.1 / 10.180.11.1; WAF WAN: eth0/3 192.186.2.2, LAN: eth0/2 192.168.3.2; web server 10.180.11.22]
TAP Mode
Deployment
• Layer 2 deployment
• Traffic is mirrored to the WAF
• The WAF analyzes the behavior of the traffic for detection.
• The WAF does NOT forward traffic back to the network.
• The WAF updates the block list on the NGFW if it finds the source IP of an attack.
Pros
• No impact to existing network deployment
[Diagram: Firewall 192.186.4.1; WAF eth0/2 192.186.4.2, TAP: eth0/1; web server 10.180.11.22]
Hillstone ADC Provides Scalability for WAF
Challenge
• The performance of a single WAF appliance may not be enough for heavy traffic
• WAFaaS
Solutions
• With the help of Hillstone ADC, the WAF can expand its protection performance for high-traffic web protection scenarios.
• Service pool with multiple vWAF.
[Diagram: Internet -> Hillstone ADC -> WAF Service Pool -> Web Service Pool]
+1 408 508 6750
[email protected]
5201 Great America Pkwy, #420
Santa Clara, CA 95054
www.hillstonenet.com