DATASHEET

JunOs WEbApp SECuRE

The Smartest Way to Secure Websites and Web Applications Against Hackers, Fraud, and Theft

Product Overview
Traditional signature-based Web application rewalls are awed because they rely on a library of signatures and are always susceptible to unknown or zero-day Web attacks. Junos WebApp Secure offers a new technology that uses deception to address this problem. Junos WebApp Secure is the rst Web intrusion deception system that prevents Web attackers in real time. Unlike legacy signature-based approaches, Junos WebApp Secure uses deceptive techniques and inserts detection points, or tar traps, into the code of outbound Web application traffic to proactively identify attackers before they do damagewith no false positives.

The First Web Intrusion Deception System

No False Positives
Juniper Networks Junos WebApp Secure is a Web Intrusion Deception system that does not generate false positives because it uses deceptive tar traps to detect attackers with absolute certainty. Junos WebApp Secure inserts detection points into the code and creates a random and variable minefield all over the Web application. These detection points allow you to detect attackers during the reconnaissance phase of the attack, before they have successfully established an attack vector. Attackers are detected when they manipulate the tar traps inserted into the code. And because attackers are manipulating code that has nothing to do with your website or Web application, you can be absolutely certain that it is a malicious actionwith no chance of a false positive. IT security professionals know that false positives diminish the effectiveness of any security program. By using this certainty-based approach, Junos WebApp Secure solves this problem for Web attacks. Furthermore, this product works out-of-the-box and improves your Web application security. There are no rules to write, no signatures to update, no learning modes to monitor, and no log files to reviewjust attackers to prevent.

Block Attackers, Not IPs

Junos WebApp Secure captures the IP address as one data point for tracking the attacker. But it also realizes that making decisions on attackers identified only by an IP address is fundamentally flawed because many legitimate users could be accessing your site from the same IP address. For this reason, Junos WebApp Secure tracks the attackers in significantly more granular ways. For attackers who are using a browser to hack your website, Junos WebApp Secure tracks them by injecting a persistent token into their client. The token persists even if the attacker clears cache and cookies, and it has the capacity to persist in all browsers including those with various privacy control features. As a result of this persistent token, Junos WebApp Secure can prevent a single attacker from attacking your site, while allowing all legitimate users normal access. For attackers who are using software and scripts to hack your website, Junos WebApp Secure tracks them using a fingerprinting technique to identify the machine delivering the script.

Prevent and Deceive

Detection with no false positives and client-level tracking are both vital for launching a countermeasure to prevent an attacker. Only with certainty-based detection can you safely prevent an attacker and know that you are not blocking legitimate users. The Smart Profiling technology profiles the attacker to determine the best response to prevent the attack. Responses can be as simple as a warning or as deceptive as making the site simulate that it is broken for the attacker only. Every detected attacker gets a profile and every profile gets a name. The Smart Profile ultimately creates a threat level for each attacker in order to prevent attackers in real time, at the client level, with no false positives. Smart Profiling provides IT security professionals with more valuable knowledge about attackers and the threat they pose than they have ever seen before. With automated countermeasures, Junos WebApp Secure works around the clock detecting and preventing attackers. It doesnt create log files for you to review. It just tells you how many attackers it detected and what countermeasure response was applied. Its a security device that works as part of your security team even when you sleep.

Table 1: Juniper WebApp Secure vs. Web Application Firewall (WAF) Features Comparison
Product Features Junos WebApp Secure Traditional Signature-Based WAF

Detection Techniques
Signatures Behavior analysis Web intrusion deception

3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3

3 3

Track
IP address Browsers (cookies across multiple IP addresses) Browsers (persistent tokens across multiple IP addresses) Software/script (ngerprinting)

3 3

Prole
IP address (geo-location) Attacker (incident history, browsers, software, and scripts) Attacker threat-level analysis Assigns name to attacker (e.g., JoeSmith27)

Respond
Automated and manual real-time response Alerting Force logout and reauthentication Force CAPTCHA Block IP addresses Block attacker (browser, software, and scripts) Warn attacker (browser) Deceptive response (slow connection) Deceptive response (simulate broken applications)

3 3 3 3 3

Web Application Hardening

Cross-site request forgery (CSRF) prevention Anti-proling of application Session hijacking prevention CAPTCHA inserted into existing workow

3 3

Compliance
Payment Card Industry (PCI) 6.6 compliant

Features and Benets

Junos WebApp Secure doesnt generate false positives. It detects genuine attackers before they have the chance to successfully establish an attack vector and blocks them with client-level tracking that does not impact legitimate users. It works out-ofthe-box, so there are no rules to write, no signatures to update, etc. It continually profiles attackers as they come onto the scene, and it maintains a profile of known application abusers and all of their malicious activity. It is, quite simply, a virtual member of your security team that keeps stopping attacks even when you are asleep.

Abuse Recording
Full HTTP Capturecaptures and displays all HTTP traffic for security incidents

Abusive Behavior Analysis

Abuse Prolesmaintains a prole of known application abusers and all of their malicious activity against the application Tracking and Re-identicationenables application administrators to re-identify abusive users and apply persistent responses, over time and across sessions Enhanced tracking capabilities and ngerprinting of detected attackers

Abuse Detection Processors

A library of HTTP processors that implement specific abuse detection points in application code. Detection points identify abusive users who are trying to establish attack vectors such as cross-site request forgery. Some examples of processors include: A uthentication Abuse Detectiondetects abuses against application authentication such as: -- Requests for directory congurations, passwords, and protected resources -- Login attempts with invalid credentials -- Attempts to crack authentication Cookie Abuse Detectiondetects attempts to manipulate the application by changing cookie values Error Code Detectiondetects suspicious application errors that indicate abuse, including illegal and unexpected response codes S uspicious File Request Detectiondetects when an attacker is attempting to request les with known suspicious extensions, prexes, and tokens Header Enforcementenables the policing of HTTP headers from the application to ensure that critical infrastructure information is not exposed; response and request headers can be stripped, mixed, or ltered. Input Parameter Manipulation Detectiondetects attempts to abuse form inputs and establish vectors for injection and crosssite scripting attacks Link Traversal Detectiondetects attempts to spider the application for links to hidden and condential resources Directory Traversal Protectionprevents attackers from nding hidden directories Illegal Request Method Detectiondetects attempts to abuse non-standard HTTP methods such as TRACE Query Parameter Manipulation Detectiondetects attempts to manipulate application behavior through query parameter abuse Malicious Spider Detectiondetects attempts to spider and index protected directories and resources Cross-Site Request Forgerydetects and prevents cross-site request forgery attacks Custom Authenticationallows companies to protect a page or portion of a site, if a vulnerability is found Third-Party Vulnerability Protectiondetects known attacks IP List Export For Layer 3 rewall integration Automated high volume attack tool protection and blocking via SRX Series integration

Abuse Response
Abuse Responsesenables administrators to respond to application abuse with session-specic warnings, blocks, and additional checks; includes one-click automation of responses during conguration These responses include: -- Warn user, send a custom message -- Block connection and return arbitrary HTTP error -- CAPTCHA -- Connection throttling -- Logout and forced reauthentication -- Simulated broken application (strip inputs) Policy Expressionssimple expression syntax for writing automated, application-wide responses

Global Attacker Database

Shares and receives attacker information via a cloud service across deployments globally providing enhanced detection and protection

Updates
Automatically downloaded and available within the management console

Platform Security
Hardened kernel, locked-down ports, encrypted backups

Management
Simplied conguration with setup wizards Web-Based Congurationbrowser-based interface for all deployment options Monitoring Consoleweb-based monitoring and analysis interface -- Drill into application sessions, security incidents, and abuse proles -- Manage and monitor manual and automated responses -- Deep search and ltering capabilities -- Real-time and historical system monitoring -- Multiple administrators -- Multiple applications/domains -- Remote system logging -- UI 2.0 - Enhanced workows, unied conguration & monitoring, faster performance and mobile device support -- Different UI skins available -- Role based access control -- Restful API -- STRM Series Support

SSL Inspection
Passive decryption or termination

Alerts, Reporting, Logging

E-mail Alertssends alert e-mails when specic incidents or incident patterns occur Command-line interfacecan be used for custom reporting Reporting Management Systemincludes user interface SNMP system logging Auditingtracks changes to the system made by the administrators in the conguration interface, security monitor, TUI, and report generation Security incidents via system logging Reportscountry comparisons, top IP addresses, and incidents

MWS1000

Specications
Hardware (MWS1000)
CPU
Dual Intel Quad Core (2.4GHz) 2 threads / core

Performance
High availability for hardware version Higher throughput using master/slave clustering Low latency Link aggregation

Memory
48 GB DDR3

Interface
4 x 1GbE (onboard ports) 2 x SFP+ 10GbE (additional data IOCs via Intel 82599 Ethernet Controller) Note: All ports are PXE bootable

Deployment
Reverse proxy with load balancing Available as hardware Available as a VMware or Amazon Machine Image Support for alternate ports (other than 80 and 443)

Storage
4 Slots offering hardware RAID Maximum Capacity = 900 TB RAID-1 HDDs used: 450 GB SAS 10,000 rpm

Architecture and Key Components

Functions as a reverse proxy

Crypto
Software

Chassis
1U Rack-mountable Chassis Externally accessible hot swappable cooling fans

Client

Use Case
Mid-end performance application

User Interface Themes

Firewall

Load Balancer

Junos WebApp Secure

Application Server
Figure 1: Where does the Junos WebApp Secure live?

Ordering Information
Model Number
MWS1000 MWS100MB MWS-HDD MWS-SP-100 MWS-SP-20 MWS-SL-1

About Juniper Networks

Juniper Networks is in the business of network innovation. From devices to data centers, from consumers to cloud providers, Juniper Networks delivers the software, silicon and systems that transform the experience and economics of networking. The company serves customers and partners worldwide. Additional information can be found at www.juniper.net .

Description
Junos WebApp Secure Hardware Appliance SW Sold Separately Junos WebApp Secure 100Mbps Licenses Junos WebApp Secure - Spare HDD 100Mbps per end customer application, per month 20Mbps per end customer application, per month Junos WebApp Secure software - 100Mbps for one geographic site. Including support and updates. One year term. Junos WebApp Secure software - 100Mbps for one geographic site. Including support and updates. Three year term.

MWS-SL-3

Corporate and Sales Headquarters Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 USA Phone: 888.JUNIPER (888.586.4737) or 408.745.2000 Fax: 408.745.2100 www.juniper.net

APAC and EMEA Headquarters Juniper Networks International B.V. Boeing Avenue 240 1119 PZ Schiphol-Rijk Amsterdam, The Netherlands Phone: 31.0.207.125.700 Fax: 31.0.207.125.701

To purchase Juniper Networks solutions, please contact your Juniper Networks representative at 1-866-298-6428 or authorized reseller.

Copyright 2013 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

1000401-005-EN Jun 2013

Printed on recycled paper