Presentation from the webinar “How to really protect your web applications”, which introduced Imperva's Incapsula product
5. How it works
[Diagram labels: Hackers, Bots, DDoS, Spammers, Legitimate traffic; Incapsula cloud (WAF, Load balancing, Performance, DDoS Mitigation); Your servers]
6. Web servers have many vulnerabilities
96% of web applications have vulnerabilities
More than 61% of traffic is non-human. Half of that is malicious
[Chart: 61.5% non-human traffic, of which 1/2 is malicious; 38.5% human traffic]
7. Incapsula protects against all web threats
• Detects and blocks automated and malicious traffic such as:
> Malicious scanners
> Spam bots
> Content scraping
• Enterprise-grade Web Application Firewall
> Protects against SQL injection, XSS, and the OWASP Top 10 threats
> Application-specific virtual patching
> Robust custom rule and policy engine
8. Protects web servers beyond attacks
• Ensures that lost or stolen administrator passwords do not lead to data loss
> Two-factor authentication included
> 1-click protection of administrative areas
> Deployed and managed from a central console
• Defends against malware on protected systems
> Automatic identification and quarantine of backdoors on web servers
9. The Incapsula security model
Access control
Bot mitigation
WAF
Custom rule and policy engine
Additional protection: two-factor authentication, backdoor detection
10. Incapsula security advantages
• Built to take advantage of the cloud
> Redundant and scalable architecture
> Big Data analytics platform and large volumes of attack samples improve detection and accuracy
> Crowdsourced attack and reputation data improve network security
• Effortless web server security as a service
> No hardware or software deployment required
> Simple deployment based on DNS changes
> No WAF-trained technical staff needed
> Immediate response to zero-day threats
11. Distributed denial-of-service (DDoS) attacks
[Chart: Primitive bots 69%; Accept cookies 30%; Execute JavaScript 1%]
The number of visits by DDoS bots has increased by more than 240% in the last 12 months
Bots are getting smarter: 30% can already pass a Cookie Challenge
The average DDoS attack is 42% larger than last year
13. Incapsula DDoS technology
[Diagram labels: Volumetric, Protocol, Application, 24x7 SOC]
• Volumetric attacks
> Network of scrubbing centers
> Dedicated hardware and software
> Scalable architecture
• Protocol DDoS attacks
> Layer 7 proxy / DNS proxy
> Connection management
• Application DDoS attacks
> Virtual patching
> Client classification
> Application awareness
> WAF platform
> Progressive challenges
• Security Operations Center
> 24x7 support
14. Incapsula DDoS advantages
• Global network of scrubbing centers blocks DDoS attacks of any size
> Mitigation capacity of more than 1.5 Tbps
> Blocks attacks close to their source
• Protects any service from any type of DDoS attack
> Mitigates network, application and protocol DDoS attacks
> Protects infrastructure from DDoS attacks (e.g., email, FTP, VoIP, etc.)
> Prevents web and DNS servers from becoming DDoS attack vectors
15. Incapsula DDoS advantages
• Advanced mitigation of application-layer DDoS
> Automatic attack detection and mitigation
> Real-time monitoring that helps build effective custom rules
> New rules propagate across the entire network in under 60 seconds
> Non-intrusive “progressive challenge” technology
• Rapid response with a 24x7 SOC
> Continuous monitoring and assistance
> Control of the balance between false positives and false negatives
16. Slow-loading websites hurt online revenue
Poorer page response times lead to increased abandonment
[Chart: increase in page abandonment (percent) versus page load time (seconds)]
According to Aberdeen Group, a 1-second delay in page load equates to:
11% fewer page views
16% decrease in customer satisfaction
7% loss in conversions
17. Content acceleration and delivery
Incapsula is built on a global Content Delivery Network (CDN)
Caching, optimizing and delivering content locally through the CDN gives visitors a fast browsing experience.
20. Bringing web servers closer to visitors
• Without a CDN, data must travel from the web server to the visitors
• With Incapsula, the web server's origin content is cached by the CDN network
• Cached content is served locally to visitors, increasing the website's response speed
Caching, optimizing and delivering content locally through the CDN gives visitors a fast browsing experience
21. Web server optimization for acceleration
• Advanced caching algorithms for static and dynamic content
• Granular cache control that allows per-resource policies
• Content optimization increases delivery speed (compression, minification, etc.)
• Network optimization and smart connection and session management speed up traffic delivery
Faster-loading web pages
Lower bandwidth consumption
Better web server utilization
22. Incapsula acceleration advantages
• The global CDN serves content locally to improve response time
• Dynamic profiling for cached content
> Caches static and dynamic content
> Automatically determines what can be cached and for how long
• Frequency analysis enables optimized content delivery
> The most accessed resources are served directly from physical memory
> Ensures the fastest possible delivery speeds
23. Downtime costs money
On average, the per-minute cost of an unplanned outage can exceed $8,000 per incident
[Chart: total cost per minute of unplanned outages (Minimum, Median, Mean, Maximum), FY 2010 (n=41) versus FY 2013 (n=67)]
Companies with their own disaster recovery (DR) recover from an outage 3 times slower than those that use DR services.
[Chart: time spent recovering from a disaster, DR services versus in-house DR]
24. Incapsula load balancing and high availability
Applying the versatility of the cloud to load balancing
25. Intra-datacenter load balancing
• Cost-effective intelligent load balancing between web servers
• Load balancing as a service
> No physical or virtual appliances required
26. Data center high availability (DR scenarios)
• Ensures high availability
> Automatically switches between primary and secondary sites
• Real-time monitoring of website health to speed up disaster recovery
> Monitors primary servers to detect datacenter outages
> Brings standby servers online
> Switches traffic to the new active datacenter
27. Global server load balancing (GSLB)
• Ensures high availability and consistent performance for applications that use multiple data centers
• Leverages the global CDN to provide several types of GSLB
> Performance-based GSLB
- Users are assigned to a data center based on response times
> Location-based GSLB
- Users are assigned to a data center based on their location
28. Advantages of load balancing and high availability
• Cost-efficient scaling, with no physical or virtual appliance
• Flexible load balancing algorithms
> Least pending requests, least open connections, source IP hash
• Supports any type of web environment or equipment
> Physical, virtual, in-house, cloud, etc.
• Real-time monitoring of website health
• Full end-to-end layer 7 visibility
29. Why choose Incapsula?
Market-leading products
More than 100,000 customers
Global network of 1.5Tbps across 26 datacenters
Highly qualified development team
Magic Quadrant Leader
Best DDoS mitigation service, Top Ten Reviews 2013 – 2014
Best web security and performance service, Top Ten Reviews 2012 – 2014
30. Why choose Ingenia?
Security experts
More than 23 years of experience.
More than 1,300 customers
Multinational, with offices in Spain, Chile and Peru
Technical team specialized in Incapsula
Keeping websites and cloud applications available, fast and secure are the fundamental concerns of operations teams. Users expect websites to be available and get annoyed when they are down or when the site won’t load within a few seconds. And customers find somewhere else to shop when an ecommerce site is breached and private customer data is exposed.
Keeping sites fast, secure and available has until now required a complex and expensive mix of hardware and software from several vendors.
Incapsula has changed that by building a cloud service on a global network that provides the security, DDoS Protection, Performance and Availability that ops teams need.
With the move of more applications to the cloud and the increased usage of Platform as a Service (PaaS) capabilities, Incapsula is migrating more and more of what used to be on-premise software and appliances onto a comprehensive cloud-based service platform.
This includes: Web Application Firewall (WAF), Distributed Denial of Service (DDoS) mitigation, Global and Local Load balancing, Caching, Content Acceleration and even Two-Factor Authentication services.
Incapsula is activated through a DNS change, without installing on-premise software or hardware and without making any changes to the site or application.
Once traffic is routed through the Incapsula network, incoming traffic is inspected and filtered with only legitimate traffic forwarded to the origin servers and the malicious traffic blocked.
Outgoing traffic is accelerated through the content delivery network that caches and optimizes the application’s content across the globe.
At the same time, Incapsula can act as a global and local load balancer to allow for application scaling, traffic geo-optimization and disaster recovery.
The fact of the matter is that websites typically have vulnerabilities. The problem is so widespread that – according to a report by Cenzic, a leading vulnerability scanner – 96% of today’s web apps have vulnerabilities. These vulnerabilities leave websites susceptible to attack.
To further compound the web security problem, an increasing amount of website traffic is automated. These automated clients now make up over 60% of web traffic and of that, roughly 50% is malicious.
http://www.darkreading.com/vulnerabilities---threats/websites-harbor-fewer-flaws-but-most-have-at-least-one-serious-vulnerability/d/d-id/1139670?
Luckily, Incapsula addresses these website security threats. To deal with the problem of automated attackers, Incapsula detects and blocks all types of bad bots including malicious scanners, spam bots, and content scrapers.
To deal with hackers, Incapsula also includes an enterprise grade WAF which protects against web application layer threats. In addition to out of the box protection for all common attacks, Incapsula has automatic application specific virtual patching and a robust custom rule and policy engine which ensure that web threats can be met head-on and defeated.
The Incapsula system includes two additional modules which provide protection for specific use cases. The first is Login Protect, a two factor authentication solution, which helps ensure that lost or stolen passwords don’t compromise the security of a website or lead to data breach. This feature protects admin areas and can be enabled with a single click.
The second solution is Incapsula’s “Backdoor Protection” feature which automatically identifies and quarantines backdoors on protected systems. This feature was developed as a sort of “sanitization mechanism” ensuring that customers who newly join the Incapsula service are not breach-able via backdoors or malware which they were injected with prior to using Incapsula.
All of the capabilities we just talked about come together to create the Incapsula Website security module. Incapsula uses a layered approach to security on all web traffic. As traffic passes through Incapsula, it is subject to:
Access control, which blocks traffic from unwanted regions, IPs, or client types
Bot mitigation, which sorts human users from automated users, leaving helper bots, search engine bots, and humans unhindered while blocking bad bots like comment spammers, site scrapers, and DDoS attack bots
A Web Application Firewall, which analyzes web traffic for hacking attempts and blocks them from reaching protected systems
Custom rules and policies, which can be used to further harden the system against attacks
Alongside these layers of security are two additional services, two-factor authentication and backdoor detection, which prevent data breaches through lost or stolen passwords and malware-infected systems.
Incapsula was built from the ground up for the cloud. Its architecture is naturally scalable and redundant, and it uses crowdsourcing techniques alongside a big data analysis engine on enormous volumes of attack samples from across the entire network to improve the detection and accuracy of the system and better protect all customers.
Incapsula is offered as a service, with no need for hardware or software installation and no requirement for WAF expertise. Simply by sending website traffic through Incapsula, websites are immediately protected from web threats including zero-day attacks. On top of this, Incapsula provides a robust custom rule and policy engine to fine-tune security and performance.
In the last 12 months, we have seen a 240% increase in visits by DDoS bots. These bots are not only becoming more common but the attacks which they perform are steadily growing. According to the 2014 Verizon breach report, the average DDoS attack size has grown 42% over the last year, from 7.4Gbps in 2012 to 10Gbps in 2013 and there is no sign that this trend will change.
To further compound the issue, these bots are getting smarter. Around 30% of these DDoS bots can now accept cookies, making them harder for solutions to detect and block.
http://www.darkreading.com/vulnerabilities---threats/websites-harbor-fewer-flaws-but-most-have-at-least-one-serious-vulnerability/d/d-id/1139670?
Incapsula offers a complete approach to DDoS mitigation. Our DDoS protection services can span an organization's entire infrastructure:
Web applications are protected through Incapsula's global network of HTTP proxies that fend off Layer 3, 4 and 7 attacks.
DNS servers are shielded through Incapsula’s DNS proxy service.
Other network areas and services are defended through Incapsula’s BGP/GRE infrastructure protection.
For each type of DDoS attack, Incapsula has an appropriate mitigation technique which best handles this type of attack.
For Volumetric attacks, those which seek to “plug up the pipe to a website” we have our global network of scrubbing centers. This is basically a pipe that’s un-cloggable. DDoS attacks are then dealt with using dedicated hardware and software at each scrubbing center. As needed, we have the ability to transparently scale up our system by adding additional POPs to increase our aggregate capacity.
To deal with Protocol attacks, we use layer 7 proxies and DNS proxies as well as connection management.
To deal with Application layer DDoS attacks, we have application awareness and virtual patching, which help the system understand the “soft spots” in a website and automatically protect them. We have a client classification engine which identifies and blocks DDoS bots. We also use a WAF to analyze web traffic for other attacks which may be mixed in with DDoS traffic. Finally, we have progressive challenges such as CAPTCHA, cookie, and JavaScript challenges.
On top of this we have our SOC, which provides 24x7 support to our customers.
In terms of advantages, we have one of the largest scrubbing networks available for DDoS mitigation. It’s currently at 1.05+ Gbps of capacity with plans to increase to 1.5Tbps by the end of Q1 2015.
Additionally, Incapsula can protect any type of website or service against any type of DDoS attack. This includes websites, network infrastructure, and DNS servers.
Another key advantage for us lies in our prowess in handling application layer attacks. Application DDoS attacks are much more sophisticated than network layer attacks, and vendors which rely on signatures or 3rd party DDoS mitigation appliances have a harder time defending against them. Incapsula, on the other hand, can automatically detect and mitigate them, with the ability to craft and propagate custom rules every 60 seconds should out-of-the-box protection not mitigate the attack.
Incapsula customers have access to our Security Operations Center, which can help customers craft custom rules and, in the case of advanced attacks, help control the balance between false positives and negatives so that attacks won’t impact user experience.
No one likes slow websites. In fact, research has shown a very real correlation between website loading times and page abandonment. After about 4 seconds of waiting, around 25% of visitors will leave.
Another study has pointed out that a 1 second delay in page load results in 11% fewer page views, 16% decrease in customer satisfaction, and 7% loss in conversions.
http://www.tagman.com/mdp-blog/2012/03/just-one-second-delay-in-page-load-can-cause-7-loss-in-customer-conversions/
How does Incapsula help combat this problem? It starts with our Content delivery network or CDN.
Our CDN makes up the backbone of our system. It is globally distributed, with Datacenters all over the world. Incapsula currently has 16 datacenters adding up to an aggregate capacity of 700+ Gbps.
By the end of 2014, those numbers are expected to grow to 30 datacenters and 1.5Tbps of capacity.
Now let’s talk about how this CDN speeds up websites. Without a CDN, data must travel all the way to website visitors.
With Incapsula, origin website content is cached by the Incapsula network.
Cached content is then served to website visitors locally. Caching, optimizing, and locally serving content provides visitors with a fast-loading website viewing experience.
The Incapsula solution includes several technologies which help optimize websites. The first is Content Caching. Out of the box, Incapsula automatically identifies content which is cacheable and determines the length of time that resource can be cached; more static assets will be cached longer than dynamic assets. This algorithm allows website owners to easily optimize their website without the need for specialized staff experienced with caching techniques. For power users, we also provide tools to allow them to dive deep into the product and define custom settings for their caching.
In addition to this, cached content is optimized using compression and minification in order to speed up delivery by reducing the amount of data needing to be sent to the user.
Finally, Incapsula also includes networking optimization and smart session handling.
All of these things come together to help our customers optimize their website, resulting in faster loading webpages, less bandwidth consumption, and lower web server utilization.
The Incapsula solution provides 3 main advantages for our customers. The first is that it is built on top of a global CDN, resulting in a highly resilient network which accelerates web traffic. The Incapsula solution is able to profile website content and dynamically determine what assets can be cached, and for how long. It also performs frequency analysis on the content to ensure that frequently accessed content is cached in memory for the fastest possible delivery speeds.
Downtime costs businesses money. A recent study by Ponemon Institute has found that every minute of unplanned outage is likely to exceed $8,000. If it’s this costly to have downtime, it is important to minimize outages by keeping websites available, and also to bring them back online as fast as possible. For this reason companies typically have some sort of disaster recovery plan. Another study, this time by the Aberdeen Group, compared businesses who use homegrown DR solutions with those who use 3rd party DR services and found that companies who use DR as a service typically have 50% fewer outages and recover from them 3 times faster.
How does Incapsula help prevent downtime? By using our Load balancing and Failover service. This service helps business owners maintain website availability and further enhances website performance.
Incapsula offers three types of load balancing:
Intra Datacenter load balancing
Datacenter Failover
Global Server Load balancing
Intra datacenter load balancing is the balancing of traffic between multiple web servers within a single datacenter. This service helps companies make the best use of their existing servers and to cost effectively scale their operations as web server counts grow. The solution is provided as a service and there is no need for physical or virtual load balancing appliances.
The second type of load balancing Incapsula offers is Data center Failover. This could be thought of as “DR in a box” as it provides an easy way to create disaster recovery scenarios that use an active / passive configuration.
When using this service, Incapsula monitors primary servers to detect when they go offline. If a primary server does go offline, Incapsula can automatically kick-start the standby server and fail over traffic to this server so the web application can continue business as usual.
Global Server Load Balancing is the final Incapsula load balancing mode. It allows our customers to intelligently balance traffic to multiple datacenters and to multiple web servers within those datacenters. Incapsula has several different load balancing algorithms, including performance-based and geography-based GSLB.
Why choose Incapsula?
We have a huge global network footprint made up of 16 datacenters, with an aggregate capacity of 1.05Tbps. This forms the backbone of our system and enables us to mitigate enormous DDoS attacks.
Incapsula has over 100,000 customers. These customers are of every size and come from every vertical.
The Incapsula products are market leading in their field. We are a Magic Quadrant leader in the WAF space (Incapsula is part of the Imperva submission) and have been repeatedly recognized as a leader in the DDoS mitigation and website security and performance space by companies like Top Ten Review.
Our research team is on the cutting edge in terms of innovation. They are frequently cited by mainstream media such as the NYT, WSJ, CNN, BBC, NPR, etc.