1. Web Application Firewall
as-a-service
Qualys GmbH September, 2013

2. Web Applications
• Are everywhere: Webmail, CMS, CRM, Corporate WWW
etc.
• HTTP is powering all new applications using new data
format like XML and JSON
• Organisations are publishing data for B2B through APIs
using HTTP and XML/JSON or SOAP
• Mobile applications usually connect to APIs or Web
Applications using HTTP

3. New security issues
• Network firewalls are useless, they can’t inspect HTTP
Protocol
• Web Applications can be developed in-house or
provided by software editor, with closed or open source
code
• Each web applications is different, depending on the
business logic, development framework and data used
and stored
• To secure Web applications, a WAF (Web Application
Firewal) Must be deployed additionnaly to network
firewall

4. Existing solutions
• From network security,
application delivery and
compliance
– Fortinet, SonicWall,
Deny All, imperva
– F5, Citrix Netscaler,
Radware, BeeWare
– Mod_security
• Saas vendors
– Cloudflare, incapsula,
– Art of defense
– Trend Micro
– Akamai Kona
Hard to maintain and operate,
security, development,
infrastructure team are involved,
policies are unique and not shared
between customers
Few clic deployment, no expertise
needed, security is compiled from
all website knowledge, but traffic
MUST be processed in the cloud

5. Technical Challenge
• Web application security policies are complex
– Need to use regular expression
– Need to understand how the application works
• Today, WAF are too complex to maintain and operate.
Vendors are adding others feature to make it a must
have product
• Qualys stay focused on WAF security features but
dramaticaly reduce TCO of this kind of protection by
providing a distributed solution.

6. Qualys alternative
• Qualys Distributed WAF
– Security ruleset provided from all Qualys WAF feedback
– Virtual Appliance deployment, you keep managing your traffic
• Available as
– Amazon EC2 AMI (beta)
– VMware image (beta)
– GA Planned to early december
– HW WAF Appliance is under development for 2014
• Manage security events and rules from a single UI
• With Qualys WAF, you don’t spend time on managing rules, you can
stay focused on managing security events

7. http://www.qualys.com/waf
Qualys Web Application Firewall
Beta available
WAF
Provides protection against known
and emerging web application threats,
and helps increase web site
performance through caching,
compression and content
optimization, with no equipment
needed.
Benefits
Zero-footprint, low cost deployment
Ease of use, ease of maintenance
Real-time attack prevention
Virtual patching and application
hardening

8. Qualys Web Application Firewall
Beta available

9. Qualys Security intelligence
• A team of dedicated security researchers computing
rules for industry standard web applications
• Blocking attacks according to OWASP TOP10 and WASC
TCv2
• Correlating security events on Qualys sensors all around
the world
• Detecting and researching 0-days

10. Qualys distributed WAF

11. Security Features
• Always up-to-date WAF
– Qualys is directly managing the security
engine and ruleset, they are updated in less
than 5 minutes when a security or
maintenance fix is avaible
• Qualys Security Ruleset
– Provided by Qualys Security Researcher Team,
this ruleset is the default security policy
avalaible on all WAF. It’s blocking injection
attacks like command, SQL, Javascript, Files
etc.
• Custom Security rules
– Provided by the customer or partner, these
rules are adapted to the website specific
design and can be setup depending on each
HTTP Request field.
• Integration with QualysGuard WAS*
– No need to setup twice your web applications
in these security tools, it’s automaticaly
provisionned and the WAF deployment made
easy from what the Web Application Scanner
found.
• HTTP Security
– HTTP protocol can be implemented in
different ways depending on web server and
browsers. To avoid some attack based on bad
implementation, the Qualys WAF will verify the
protocol is correctly used.
• IP/Country Blacklist
– Depending on your activity, you may not want
some request from specific countries or IP.
The Qualys WAF is able to increase/decrease
the request score, or directly block depending
of source IP or country.
• Information leakage
– By doing Web Cloaking, the Qualys WAF is
able to shadow all critical informations sent by
the Web Server, Application server or
development framwork used to develop the
web application
• Reporting
– Build your own report containing key indicators
you need to speak with managers
• Session tracking

12. Deployment
• Virtual appliance available
– On EC2 as an AMI you can instanciate
– On VMWare vCenter as an image you can run
• Mode of operation
– Reverse-Proxy:Terminating TCP connection
– Out-of-Band*: Sniffing traffic (Passive device)
• Available as OpenSource
– IronBee project

13. Qualys advantage
• Always uptodate & Always at maximum efficiency
– Get the latest security rules and engine on your WAF
• Prevention with WAS and Protection with WAF
available in the same UI and security suite
• Available as subscription (Pay per year) OPEX vs
CAPEX
• All the SaaS advantage on a virtual appliance product

14. Release schedule 2013
Amazon EC2 Beta 1
Limited to first 10 subscribers
August 1st
Amazon EC2 Beta 2
Limited to first 100 subscribers
October 1st
WAF GA*
VMWare & EC2
December 1st
November 1st
VMWare Beta 2
Limited to first 100 subscribers
September 1st
VMWare beta 1
Limited to first 10 subscribers
*: can be delayed until we reach 100% quality and availibility

15. Next releases
• Advanced reporting
• SSL Support
• Integration between WAF and WAS
• Qualys WAF Microsoft Edition for Exchange and
Sharepoint