Developers: | Positive Technologies |
Date of the premiere of the system: | 2014 |
Last Release Date: | 2020/04/28 |
Technology: | IS - Firewalls |
PT Application Firewall protects applications from all common OWASP and WASC threats, complex client attacks (DOM-based XSS), application-level DDoS attacks, and can block zero-day attacks using machine learning algorithms. The product is able to automatically correlate events, which makes it possible to detect attacks in the early stages. The virtual patch mechanism allows you to instantly respond to threats without waiting for the vulnerabilities to be fixed. Currently, PT Application Firewall provides security for web services of banks, telecommunications companies, oil and gas enterprises, government organizations, online stores and television channels.
2020: Release of PT Application Firewall 4.0
On April 28, 2020, Positive Technologies announced the release of the next version of PT Application Firewall, a web application firewall (WAF) designed to protect web resources from attacks from the OWASP Top 10 list, application-layer DDoS attacks and malicious bots. PT Application Firewall 4.0 received an updated architecture, the ability to be installed in a distributed infrastructure with flexible scaling for any load, deep machine learning tools, and a mechanism for integrating with the Nginx web server.
The microservice architecture of PT Application Firewall makes the system components loosely coupled and allows the product to be scaled to any load. This ensures high availability of web applications, up to 99.999% uptime (no more than 5.5 minutes of downtime per year), and the new version of PT AF works only in active attack prevention mode.
There is an ambiguous understanding of the purpose of the WAF solution class on the Russian market. When working with high-load systems, companies often use WAF in monitoring mode, fearing to put the solution "in the gap" with active blocking of attacks, or use tools that are essentially responsible not for protection, but for application delivery and traffic balancing. We are actively changing this paradigm and offering a product that is able to protect the web resources of an organization of any scale and effectively identify and block the most modern attacks on web applications, their users and the infrastructure for hosting web applications. - comments Maxim Lungu, Head of Application Protection Systems at Positive Technologies |
Another difference between PT Application Firewall 4.0 and the previous version is the built-in deep machine learning algorithms, which, unlike traditional machine learning, are most applicable in conditions of simultaneous work with dozens of web applications, since they do not require fine-tuning by the user.
PT Application Firewall 4.0 is suitable for installation in a distributed infrastructure. This allows you to quickly integrate the product with applications hosted at remote sites without redirecting traffic to a single data collection point. An additional innovation is the integration mechanism with the Nginx web server: now it is enough to install a lightweight module for the web server.
The infrastructures in which applications "live" today can be different: the company's own capacity, service provider resources, private or public clouds. The services themselves are also heterogeneous: for example, the company's website and remote banking service (RBS) imply two disjoint logics of user interaction. All this requires WAF class products to be flexible and transparently scaled. It is with an eye to solving these problems and taking into account the popular requests of our customers that PT Application Firewall 4.0 was created, - comments Viktor Ryzhkov, Product Marketing Manager for Application Security at Positive Technologies |
PT Application Firewall 4.0 received an updated user interface. Now the start page provides only top-level data on current threats - by sources of activity, attacked URLs, attack names and levels of danger. At the same time, it remains possible to go to a more detailed consideration of each threat separately - the class and description of the threat, the headers of requests and responses. To simplify product configuration, the interface has a configuration scheme that allows you to view all current product settings on one page and add, delete, change protected applications, policies, profiles, and establish links between them in two clicks.
Statistical data confirm the demand for web application firewall solutions. WAF class products are in the top 3 of the mandatory list of technologies used by large enterprises, medium-sized companies and small businesses. The number of Positive Technologies clients using PT Application Firewall has reached 250 over the past two years. PT Application Firewall accounts for about 10% of the company's overall financial result, with the total number of product license sales doubling compared to 2018.
- PT Application Firewall is a web application firewall (WAF) solution from Positive Technologies, the product was first introduced in 2014. In 2015, PT Application Firewall entered the Magic Quadrant for Web Application Firewalls rating of the analytical agency Gartner and for several years in a row confirmed the status of a visionary.
- Microservice architecture is a variant of the software architecture aimed at dividing the program into small, loosely connected, easily variable and scalable modules (microservices) and their interaction with each other. This approach is opposed to a monolithic architecture and, unlike the latter, allows you to design, update, configure and scale components independently of each other (as much as possible).
2018
ICSA Labs Certification
On June 6, 2018, it became known that PT Application Firewall (PT AF) received certification from ICSA Labs, an independent division of Verizon that tests and certifies developer and service provider products.
At the request of Positive Technologies, ICSA Labs supplemented its baseline validation criteria with testing of specialized PT AF capabilities that significantly improve operational efficiency. In particular, the firewall's malware detection functions, virtual patching, incident investigation, application-level DDoS detection, built-in vulnerability scanners and content security policies were analyzed. PT AF successfully passed all tests and remains deployed at ICSA Labs, where it can be further tested at any time against ICSA certification criteria to determine its security level, compliance with standards and performance.
PT AF is a comprehensive firewall for web applications that combines machine learning, real-time user behavior analysis, deviation detection, event correlation technology. The solution can be integrated with the PT Application Inspector and other security systems. All this helps to provide proactive and continuous protection against both known and unknown attacks.
Inspection control of FSTEC
On May 31, 2018, it became known that PT Application Firewall, a firewall designed to protect web applications from cyber attacks, successfully passed inspection control by FSTEC of Russia. The FSTEC certificate of conformity allows the product to be used in state information systems up to and including security class 1, as well as in personal data information systems up to and including protection level 1. Certificate of conformity No. 3455 has been extended until October 27, 2021. The certificate confirms compliance with the declared specifications and with the requirements of the documents "Requirements for firewalls" and "Protection profile of firewalls of type D of the fourth protection class. IT.ME.G4.PZ" (FSTEC, 2016).
The certificate was issued on the basis of the results of tests conducted by the laboratory of the Institute of Engineering Physics (technical conclusion dated 17.06.2015), an expert opinion of the certification body of the Echelon scientific and production association dated 25.08.2015, and the results of inspection control conducted by the laboratory of the Institute of Engineering Physics (technical conclusions dated 07.04.2017 and 09.04.2018).
In 2015, PT Application Firewall was certified as a solution in the web application firewall class, confirming compliance with the requirements of technical specifications and guidance documents for the 4th level of control over the absence of undeclared capabilities.
As of May 31, 2018, PT Application Firewall provides security for web services of banks, telecommunications companies, government organizations, oil and gas enterprises, online stores and television channels.
2017
June update
Ready-made security policy templates have appeared in the product, and the initial configuration can be performed quickly and easily through the system configuration wizard. Security mechanisms have also been improved: along with the ability to quickly and finely customize the product for individual scenarios for more effective protection, you can now mask bank card numbers and other sensitive data so that even the product administrator cannot see them.
Key changes to PT Application Firewall:
- Install on one, two, three - Now organizations will be able to connect PT Application Firewall to their IP networks without making changes to their configuration. This is possible thanks to new deployment models - the L2 network bridge and a transparent proxy server. The L2 network bridge model identifies intrusion attempts and administrators can monitor them in a timely manner. Transparent proxy mode allows administrators to either simply detect malicious traffic or immediately block suspicious activity. Separately, it should be noted that it is possible to instantly switch between models directly in the web interface.
- Fine-grained configuration - For even more convenience and greater security, PT Application Firewall introduces a new approach to working with security policies. Based on research, Positive Technologies experts have developed security policy templates that are now available in the product by default. The administrator can select and easily configure them in a variety of modifications: by security level, for one or more applications or their individual parts. Templates created can be saved and used for new sites.
- Quick Start - Now, instead of executing numerous commands, you can first configure deployment settings through the System Configuration Wizard. Thanks to the automatic discovery of protected applications, relevant for transparent proxy, L2 network bridge and SPAN modes, you no longer have to keep all servers and IP addresses in mind. These and other automated features save administrators significant time without requiring deep technical training.
In addition:
- Support for application availability in case of problems. Security is important, but at the same time, it is no less important for many organizations to ensure application continuity. Now, if minor defects are found in the application, the PT Application Firewall can maintain its normal operation while the defects are fixed on the server side.
- Protect applications in the public cloud. Business is increasingly relying on clouds and using them, among other things, to host its web services. It should be remembered that "in the cloud" the application is subject not only to all the same threats as on the company's own servers, but also to cloud-specific threats. PT Application Firewall is now available in the Microsoft Azure public cloud and allows you to protect applications from both cloud and traditional on-premises threats.
- Enhanced integration with Check Point. As part of the integration solution of PT Application Firewall and the Check Point firewall, it is now possible to send incident and attack data from PT Application Firewall to Check Point SmartCenter. This allows security events from both products to be matched effectively, providing more accurate detection of attacks.
- Maximum privacy of end-user data. The administrator can create rules for determining sensitive user data, such as passport data or bank card numbers. These rules can be applied, for example, to mask such information from third parties or even from PT Application Firewall administrators. In future versions, data masking rules will be pre-configured for instant deployment.
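As an added illustration that is not PT Application Firewall's own masking rule (the page does not describe the rule format), the following Python shows what such a rule for bank card numbers has to get right: find card-like digit runs in request data, apply the Luhn check so that order numbers of similar length are not masked, and optionally replace the value with a masked form plus a keyed fingerprint so that events involving the same card can still be correlated without the number being visible to an administrator. The sample request body, the key and the helper names are constructed.

```python
import hashlib
import hmac
import re

# Constructed sample request body as a WAF might store it; no real card data.
SAMPLE_BODY = "card=4111 1111 1111 1111&order=1234567890123456&name=Ivan"
# Constructed key; in practice it is held outside the WAF administrator's reach.
FINGERPRINT_KEY = b"example-key-not-for-production"

# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most non-card digit runs of card-like length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def fingerprint(digits: str, key: bytes = FINGERPRINT_KEY) -> str:
    """Short keyed hash so that two events with the same card can be linked
    without storing the number; the key, not the hash, is the secret."""
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()[:8]


def mask_pans(text: str, keep_last: int = 4, key: bytes = None) -> str:
    """Replace every Luhn-valid card number in text with a masked form,
    appending '#<fingerprint>' when a key is supplied."""
    def repl(m):
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw  # card-like length but fails Luhn: leave untouched
        masked = "*" * (len(digits) - keep_last) + digits[-keep_last:]
        if key is not None:
            masked += "#" + fingerprint(digits, key)
        return masked
    return PAN_RE.sub(repl, text)
```

The Luhn check is what keeps the order number in the sample unmasked; a rule that relies on digit count alone would hide it too.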
Certification according to new FSTEC requirements
Positive Technologies announced on June 1 that PT Application Firewall [1] had passed certification tests for compliance with the new requirements of the FSTEC of Russia for firewalls, which entered into force on December 1, 2016. The product, designed to protect ERP systems, Internet banking and public services portals from hacking, was the first to receive a certificate in the fourth protection class for web server-level firewalls (type "D").
Certificate No. 3455 is valid until 27 October 2018. It certifies that PT Application Firewall complies with the requirements of the documents "Requirements for Firewalls" (FSTEC of Russia, 2016) and "Protection profile of a firewall of type D of the fourth protection class. IT.ME.G4.PZ" (FSTEC of Russia, 2016).
Software Protection in Microsoft Azure
On May 3, 2017, Positive Technologies announced a partnership with Microsoft in the field of cloud technology. PT Application Firewall is now available for installation from Microsoft Azure Marketplace.
The joint efforts of the vendors will protect applications in the Azure cloud environment from hacking and application-level DDoS attacks. The companies are targeting applications with heightened requirements for security, flexibility and resiliency.
With cloud platforms, almost any company can optimize IT infrastructure costs and ensure the continuity of critical business processes. Today, customers of one of the world's largest cloud services will be able to take advantage of the advanced security features of the PT Application Firewall application-layer firewall in the same ecosystem in which their web applications are deployed. Mikhail Chernomordikov, Director of the Department of Strategic Technologies at Microsoft |
Web applications hosted in the cloud are susceptible not only to attacks typical of this class, but also to a number of specific threats. In particular, the IP address ranges of all data centers of cloud providers are well known and are constantly analyzed by scanners for the emergence of new nodes with vulnerable services. Therefore, less than five minutes after deployment, such a service may be attacked. In addition, the elasticity of cloud services risks unexpected costs for the user in the event of an application-level DDoS attack, exploitation of an XML external entity (XXE) vulnerability, or remote code execution. PT Application Firewall can detect such actions and prevent wasted computing power. |
The product blocks all common OWASP and WASC classification attacks, including SQLi, XSS and XXE, HTTP Request Splitting, Clickjacking, and complex client attacks.
PT Application Firewall Cloud DDoS Protection
On March 28, 2017, Positive Technologies announced the creation of an Internet attack protection service that combines anti-DDoS from the network to the application layer and anti-hacking technology.
The technology is based on a platform of machine learning algorithms implemented in PT Application Firewall to protect against application-level DDoS attacks and Qrator Labs' DDoS filtering cloud infrastructure. The service blocks multi-vector attacks, stores sensitive information within the organization, and opposes any bots that simulate user behavior.
Protection is based on mutual communication and control commands between the client-side Positive Technologies Application Firewall and the Qrator filtering cloud, which covers the Internet infrastructure.
By using cross-over models for detecting anomalies in user actions, PT Application Firewall Cloud DDoS Protection more effectively protects against combined attacks (DDoS application, network layer and hacks) and attacks adapted to heuristic countermeasures. Thanks to the behavioral analysis technologies implemented in the products of both vendors, PT Application Firewall Cloud DDoS Protection distinguishes legitimate users from robots and detects IP addresses involved in the attack.
In organizations with increased privacy requirements, the service allows protection against any attacks to be configured so that all important information stays inside the organization's perimeter. PT Application Firewall is delivered as a software and hardware appliance (on-premises software), which allows passwords, financial, medical and other restricted-access information to be processed on the customer's side while any network attack is being filtered.
With the development of the Internet of Things, DDoS attacks got a second wind. Increasingly, critical infrastructure with strict requirements for data availability and privacy is under attack:
- websites of public services,
- hospital sites,
- sites of enterprises,
- bank sites,
- online shopping sites.
In addition to increasing the power of attacks, we note a sharp increase in combined DDoS incidents, and often DDoS is a "smokescreen" for penetrating the organization's network. All these factors require a comprehensive solution that combines technologies to block DDoS attacks at all levels with the indispensable protection of web resources from hacking. Maxim Filippov, Business Development Director of Positive Technologies in Russia |
We are extremely pleased to see a strong technology company like Positive Technologies in our partners, and I hope that our partnership will allow both companies to further strengthen their position in the enterprise segment. |
This service is an extension of PT Application Firewall and, in addition to blocking DDoS attacks, provides automatic protection of applications from attacks related to penetration into the corporate network, fraud, and interception of information. PT Application Firewall meets the requirements of Russian regulatory organizations and is included in the unified register of Russian programs for computers and databases.
Added filters by user and geolocation
On January 16, 2017, Positive Technologies announced the release of a new version of PT Application Firewall. The product gained functions for blocking based on geolocation data and for tracking the authentication of users of the protected application, and allows you to respond to password guessing (brute force) attacks.
The release extends the product's protection configuration options:
- a function that associates requests to an application with the specific account from which they are made,
- tracking of successful and unsuccessful logins.
The firewall analyzes requests based on session data, in particular geolocation information and the user account from which the protected application is accessed. This allows the PT Application Firewall operator to add blocking rules based on a specific user or group of users and, in case of suspicious actions, to create a security incident.
There are many cases where account information helps provide better protection and timely detection of attacks. One of the popular scenarios is account theft. For example, a visitor to the site is located in Moscow, and a login on his behalf comes from Singapore. The new version of PT Application Firewall has tools that allow you to detect theft of a session or account and quickly take measures: to block the possibility of using a protected application for a specific user or for groups of users from certain regions. Or another situation: a visitor to the site logged in under his own credentials but shows activity atypical for him, for example, trying to enter the admin panel; PT Application Firewall will record this event. Dmitry Nagibin, Head of Application Protection Development at Positive Technologies |
The technology tracks unsuccessful login attempts and associates this event with a password guessing (brute force) attack, which helps block it.
This release has improved the Rule Engine custom rule creation mechanism: an administrator working with the system can configure request blocking rules based on geolocation attributes. Because of this, during massive attacks on web servers, you can block illegitimate requests from a region, country or city from which there is a sudden increase in load. The mechanism can be used to respond quickly to DDoS attacks.
Integrating the system with the organization's other security systems has become easier. Internal security systems can automatically transfer IP addresses involved in an attack directly to PT Application Firewall through the REST API for subsequent blocking. This raises the security level of the organization's infrastructure and reduces labor costs, because previously the data was transferred manually by the administrator.
Supported formats for exporting reports now include an HTML view, so all report information can be viewed in the browser, including pivot tables, graphs and charts.
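The account-aware detections described above (a login on the same account from two countries in quick succession, a series of failed logins as a brute-force signal, and activity atypical for an account such as reaching for the admin panel), as an added Python example that is not PT Application Firewall's own code: it runs over a constructed stream of events already tied to an account (timestamp, account, source IP, country, path, outcome) and emits one alert per scenario. The thresholds, the admin account list and the event field layout are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds; a real deployment tunes them per application.
FAIL_THRESHOLD = 5                  # failures per account within FAIL_WINDOW
FAIL_WINDOW = timedelta(minutes=5)
TRAVEL_WINDOW = timedelta(hours=1)  # same account from two countries inside this window
ADMIN_ACCOUNTS = {"admin"}          # accounts expected to use /admin (assumption)

# Constructed events: (timestamp, account, source IP, country, path, outcome).
EVENTS = [
    ("2017-01-16T10:00:00", "ivanov", "198.51.100.7", "RU", "/login", "success"),
    ("2017-01-16T10:02:00", "ivanov", "203.0.113.9", "SG", "/login", "success"),
    ("2017-01-16T10:07:00", "sidorov", "192.0.2.11", "RU", "/admin/users", "success"),
]
# Six failed logins for one account from one address inside a minute.
EVENTS += [(f"2017-01-16T10:05:{10 * i:02d}", "petrov", "192.0.2.10", "RU", "/login", "fail")
           for i in range(6)]


def detect(events):
    """Return (alert_type, account, source_ip) tuples in chronological order."""
    alerts = []
    fails = defaultdict(deque)   # account -> timestamps of recent failed logins
    last_seen = {}               # account -> (time, country) of last authenticated request
    for ts, account, ip, country, path, outcome in sorted(events):
        t = datetime.fromisoformat(ts)
        if outcome == "fail":
            q = fails[account]
            q.append(t)
            while t - q[0] > FAIL_WINDOW:    # drop failures that fell out of the window
                q.popleft()
            if len(q) == FAIL_THRESHOLD:     # fire once, when the threshold is first reached
                alerts.append(("brute_force", account, ip))
            continue
        # Authenticated request: compare its country with the account's previous one.
        prev = last_seen.get(account)
        if prev and prev[1] != country and t - prev[0] <= TRAVEL_WINDOW:
            alerts.append(("geo_anomaly", account, ip))
        last_seen[account] = (t, country)
        # Activity atypical for the account: admin area reached by a non-admin user.
        if path.startswith("/admin") and account not in ADMIN_ACCOUNTS:
            alerts.append(("admin_anomaly", account, ip))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Each alert carries the account and source address, which is the pair an operator needs to turn it into a user- or region-based blocking rule or an incident.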
2016
PT Application Firewall 3.4
On October 27, 2016, Positive Technologies announced the release of a new release of the PT Application Firewall. Key changes to version 3.4 include support for the most popular virtualization platform VMware vSphere, improved mechanisms for detecting malicious bots (simple and advanced), visualization, and scheduling reports.
The new version of PT Application Firewall more accurately detects threats against web applications and has become more convenient for users. For example, Remote Assistance allows you to request help from Positive Technologies technical support when configuring or resolving other issues. Integration with Check Point security gateways allows you to transfer information about the intruder from the PT Application Firewall to the Check Point firewall and block the attacker from accessing all network resources. As of release 3.4, the product supports automatic updates and the installation of special extensions, including SAP and VMware security profiles. Oleg Matykov, Head of Product Development for Protection of Applications and Industrial Networks, Positive Technologies |
In 2016, the Positive Technologies Research Center discovered a number of critically dangerous flaws in a dedicated web client designed to administer VMware vSphere. The release of PT Application Firewall 3.4 blocks attacks using discovered vulnerabilities (now they are being fixed by the manufacturer's specialists) and protects against other security holes published on the official VMware website.
By gaining administrator privileges in an unsecured version of VMware vCenter Server Web Client, an intruder can seize control of the entire virtual enterprise environment. To intercept access to virtual machines, it is enough to perform cross-site scripting, using social engineering, luring the web client administrator to a malicious web page and intercepting session identifiers. From the corporate network, a web client can be attacked while exploiting server vulnerabilities such as XXE (an attack on applications with an insecure XML parser). |
According to the developers, the capabilities of PT Application Firewall 3.4 are necessary for companies using versions of the web client based on Flash and AMF technologies. The security profile for VMware will be kept up-to-date and automatically updated by the Positive Technologies Research Center.
This version of PT Application Firewall helps to detect and block almost all known tools for scanning and copying site content.
Simple bots do not execute JavaScript code, do not move the mouse when navigating between pages, and do not issue requests in the browser the way users do. This allows them to be detected and neutralized. For more advanced bots that emulate human actions in a browser, PT Application Firewall has added validation mechanisms that analyze mouse behavior. For example, if the mouse does not move before a link is clicked (and the client is not a mobile device), the application-layer firewall will consider both the activity and the user suspicious. |
This version of the firewall has improved reporting and enhanced visualization mechanisms. Reports can now be generated:
- on schedule,
- adapted for management or IT professionals,
- with graphs showing the distribution of attacks:
  - by time,
  - by type,
  - by hazard level,
  - by source,
  - by other parameters.
Positive Technologies Joins the Check Point OPSEC Program
Positive Technologies and Check Point Software announced in September 2016 a technology alliance aimed at creating an integrated approach to protecting the organization's network perimeter and web resources. As part of this partnership, the companies launched a joint solution based on the integration of PT Application Firewall and Check Point network devices [1]
"According to Positive Research, 71% of web applications surveyed contain critical vulnerabilities. The vector of attacks for intruders to penetrate the company's internal network is mainly based on the exploitation of vulnerabilities in the code of web applications. This does not allow traditional information security systems to fully implement countermeasures, since the classic means of perimeter control are powerless here," says Maxim Filippov, director of business development at Positive Technologies in Russia. "Therefore, it is especially important not only to use security tools such as Web Application Firewall and Network Firewall separately, but to have a technological tandem of tools that exchange information online. This will ensure the protection of companies' resources at a fundamentally new level: fully covering the network and application layers."
As part of the integration, the rules for the exchange of information between the products of both manufacturers were implemented and the corresponding connectors were developed. The interaction of the two technologies is carried out in a machine-to-machine format and allows for comprehensive protection of web resources: PT Application Firewall detects and blocks attacks, transmits information about the attacker's IP address and lock timeout to Check Point devices, which, in turn, block requests from a suspicious source at the network level.
The joint solution for protecting an organization's perimeter (including its web resources) provides protection against zero-day attacks (thanks to the machine learning mechanisms built into PT Application Firewall) and application-level DDoS attacks, detects anomalies, significantly expands the ability of information security services to investigate incidents, and scales flexibly.
PT Application Firewall complies with the security requirements of the Republic of Belarus
The self-learning application-level firewall from Positive Technologies (PT Application Firewall) has been certified against the security requirements of the Republic of Belarus. The compliance of the system with the regulations of TR 2013/027/BY (STB 34.101.1-2014, STB 34.101.2-2014 and STB 34.101.3-2014) was confirmed by the Operational Analytical Center (OAC) under the President of the Republic of Belarus.
The certificate was issued to Axoftbel, the exclusive distributor of Positive Technologies solutions in the Republic of Belarus, and is valid until June 2020. In accordance with it, PT Application Firewall can be used to protect information systems that process or contain open information, information whose distribution and/or provision is restricted, and information protected in accordance with the legislation of the Republic of Belarus.
PT Application Firewall is the second Positive Technologies product approved for use in Belarus at informatization facilities of classes A2, B2, V2, A3, B3 and V3. The first was MaxPatrol 8.0, certified in June 2016.
Positive Technologies and S-Terra CSP Joint Solution
On August 2, 2016, Positive Technologies and S-Terra CSP reported testing a joint solution to protect enterprise web applications.
The companies have completed testing of the PT Application Firewall and the C-Terra Gateway appliance on a single platform. Tests have demonstrated that there is no impact of a secure tunnel on firewall performance and functionality. This allows the use of a comprehensive solution in organizations with strict requirements for protecting web applications.
Large companies and government organizations are actively using VPNs to provide secure access to their information systems, which are built primarily on web technologies. Using PT Application Firewall solves two problems at once. Firstly, it protects applications from intruders from public networks in cases where certain groups of users are given access without a VPN tunnel. Secondly, PT AF detects and blocks attacks on applications by internal intruders and provides protection when the user loses control over the automated workstation (AWS). |
According to Positive Technologies statistics, in 60% of cases the vector of penetration into the internal network targets vulnerabilities in the code of web applications. For example, in 2013 the connection between the Target retail chain and the company servicing its air conditioning systems was compromised in the United States: having gained access to an internal Target web application, the attackers discovered a vulnerability in it and uploaded a backdoor, which led to a data leak affecting 70 million customers of the sixth largest US retailer and damage of $162 million.
At the stage of testing the collaboration of Positive Technologies and S-Terra CSP products, the basic functionality of PT Application Firewall, the operation of security mechanisms and the correctness of attack logging were checked. During testing, a connection was made from an external network through the C-Terra Gateway, and then through the PT Application Firewall to a web application on the internal network. Control tests showed the same performance of PT Application Firewall both using the C-Terra Gateway and without it.
"The use of certified C-Terra VPN products ensures the confidentiality and integrity of the transmitted information using standard IPsec protocols. In combination with an application-level firewall, this allows the user to ensure full protection of information whose security is regulated by law, for example personal data, the storage of which has recently been increasingly organized on the basis of web technologies," said Vladimir Zalogin, director of special projects at S-Terra CSP.
Technological cooperation between the two companies continues in the framework of other projects. In the course of joint work with S-Terra CSP specialists, support was added for collecting S-Terra Gateway events in MaxPatrol SIEM version 2.0. MaxPatrol SIEM currently supports security products from most domestic developers.
Integration with Group-IB products
On July 14, 2016, Positive Technologies and Group-IB announced the integration of online payment protection technologies and web portals on the PT Application Firewall platform.
Positive Technologies has integrated the Group-IB Bot-Trek Secure Bank and Bot-Trek Secure Portal services with PT Application Firewall. Now users of Bot-Trek services can control the risks that arise on the side of their customers without making changes to the code of their web applications.
Bot-Trek Secure Bank and Bot-Trek Secure Portal early fraud detection systems are part of the cyber threat monitoring, detection and prevention ecosystem. The principle of their operation is based on the collection of data from client devices at the time of their access to the web application. When using Bot-Trek SB and Bot-Trek SP, a special script is introduced into the responses of the web application server, which collects and transmits information to the Bot-Trek server infrastructure for analyzing data of various types, including identification, web injection facts or signs of suspicious plugins.
The implementation of a custom module for customers involves making changes to the code of the web application, which is not always feasible. For example, many organizations use third-party applications to solve their business problems and do not have access to the source code. In addition, the human factor cannot be discounted: any erroneous change in an already running web application threatens with serious consequences, up to the failure of the service, which is especially important when it comes to state portals, e-commerce or online stores. |
The solution to the problem was the integration of Group-IB Bot-Trek SB and Bot-Trek SP services with PT Application Firewall. Combining technologies required minor improvements in the PT Application Firewall: the Bot-Trek SB and Bot-Trek SP modules are integrated with client modules and embedded in the application-level firewall used in reverse proxy mode.
Thus, when a user accesses the PT web portal, the Application Firewall automatically inserts the combined script into the application responses and sends all the data collected by the module to the Bot-Trek SB and Bot-Trek SP server infrastructure. The entire process does not require additional interventions in the source code of the web application and does not affect the page loading speed in any way. |
Added P-Code Module
In 2016, additional modules were added to the product. These include the P-Code module, which supports analysis of source code security and the creation of virtual patches, as well as special modules designed to protect critical business applications in depth (ERP, CRM, SRM and big data client applications, including SAP HANA). Combining PT Application Inspector SSDL Edition, released in 2016 to build a secure software development process, with PT Application Firewall allows application security to be ensured at all stages of the life cycle, from development to operation.
To the register of Russian programs
The MaxPatrol SIEM information security event monitoring system and the PT Application Firewall application-level firewall were entered in the unified register of Russian programs for electronic computers and databases in early June 2016 by order of the Ministry of Telecom and Mass Communications of the Russian Federation. In accordance with the decision of the authorized body, since June 14, 2016, PT Application Firewall has been included in the software class covering enterprise information security tools. MaxPatrol SIEM is also included in the class of monitoring and management systems and in the class of systems for collecting, storing, processing, analyzing, modeling and visualizing data arrays.
Since May 2016, the unified register of domestic software also includes the XSpider vulnerability scanner (in the class of information security tools) and the flagship solution of Positive Technologies - MaxPatrol 8.0 (in the class of enterprise information security monitoring and management systems).
PT Application Firewall 3.3
In May 2016, Positive Technologies introduced version 3.3 of PT Application Firewall, designed to detect and block cyber attacks on web portals, mobile and cloud applications, RBS and ERP systems. PT Application Firewall now offers finer-grained tuning, protects against client-side attacks and application-level DDoS attacks, monitors visitors via GeoIP, identifies hacker tools, and simplifies incident investigation.
Protection against application-level DDoS attacks
Application-level DDoS attacks do not require significant resources from the attacker, yet they are increasingly difficult to counter. Bots increasingly support web protocols fully and emulate browsers, which makes traditional countermeasures hard to apply.
This version of PT AF implements a mechanism for protecting against application-level DDoS attacks using machine learning technologies. Processing is divided into two stages: detecting signs of denial of service and identifying the attacker.
Version 3.3 supports integration with Arbor Peakflow, a specialized anti-DDoS solution. The list of suspicious visitors is sent to the Arbor system, whose administrator can block specific IP addresses for a certain period of time.
Rule Creation Engine
An extensive set of rules in the new version of PT AF allows attacks to be detected by the presence of several atomic conditions in traffic. For example, the rules for SAP NetWeaver cover many known vulnerabilities, provide data leakage control, and protect against scanners. The engine also supports detection of attacks on SAP ICM, SAP Management Console and SAP SOAP RFC.
The main distinguishing feature of the Rule Engine is the ability to create rules yourself, including for any known vulnerability from the CVE dictionary. Any HTTP request can be automatically turned into a set of rules, edited and tested with various parameters. This functionality allows many problems to be solved without contacting the firewall vendor.
A unique characteristic of PT AF 3.3 is the ability not only to analyze traffic with regular expressions, but also to compare the parameters of a request with those of its response. This reduces the number of false positives and improves the accuracy of attack detection.
Event Grouping
The grouping tool allows the most important information to be seen in the overall stream of alerts. This considerably simplifies incident investigation and will be in demand in security monitoring centers. To isolate, for example, scanning attempts from certain addresses over a certain period of time, a specialist only needs to sort by event type and IP address. One can select an IP address and see all attacks from that host, which helps block the most active bots. When a user has multiple web applications, they can sort by profile and incident type or other categories to see which attacks pose a threat to a particular type of web application.
Advanced protection against client attacks
Attacks on users such as XSS, CSRF and clickjacking are among the most important security issues for web applications. In 2014, 54% of the RBS systems studied by Positive Technologies were affected by cross-site scripting (XSS), and in 2015 - 30%. Using XSS, an attacker can intercept credit card details entered on the page (along with the CVC code), steal a session, and change bank transfer details.
In this version of PT Application Firewall it became possible to block (not only detect) DOM-based XSS attacks, which are considered the most difficult for automated protection tools to detect. For this and other client-side attacks, a JavaScript client protection module (waf.js) was added; it runs in the user's browser after the first visit to the protected site. Other waf.js features include detecting bots capable of rendering pages and identifying clients that use web application security testing tools (Burp Suite, ZAP Proxy, Acunetix, Netsparker, etc.). In addition, the waf.js module extends CSRF protection by inserting tokens into dynamically generated forms on the client side.
Configuration
The REST-based API makes it easy to deploy as many PT Application Firewall systems as needed and to configure their network settings and basic security policies. Given a username and password, PT Application Firewall can be configured from the customer's own automated deployment system.
Recording Actions and Analyzing GeoIP Changes
The functionality for tracking suspicious visitors continues to develop. If someone has attempted to attack your web application, PT AF can record their subsequent actions, including legitimate ones, for later incident investigation.
PT Application Firewall also introduced a mechanism for reporting changes in geolocation. A dramatic change in geographical location - city, region or country - triggers the creation of a security incident. Trust gradations are flexibly configured to the user's needs.
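A minimal version of the geolocation-change check described above, as an added example that is not PT Application Firewall code: each session's requests are compared with the previous one, and a change of city, region or country raises an incident whose severity is filtered by a configurable trust threshold. The GeoIP table, the addresses and the three-level severity scale are all constructed assumptions.

```python
"""Added example: detect abrupt geolocation changes within one session.
Not PT AF code; GeoIP data below is a constructed stand-in for a real database."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed GeoIP table: ip -> (country, region, city). Documentation ranges only.
GEOIP: Dict[str, Tuple[str, str, str]] = {
    "203.0.113.5": ("RU", "Moscow Oblast", "Moscow"),
    "203.0.113.9": ("RU", "Moscow Oblast", "Zelenograd"),
    "198.51.100.7": ("RU", "Leningrad Oblast", "Saint Petersburg"),
    "192.0.2.44": ("DE", "Hesse", "Frankfurt"),
}

# Assumed trust gradation: the wider the jump, the higher the severity.
SEVERITY = {"city": 1, "region": 2, "country": 3}


@dataclass
class Incident:
    session: str
    scope: str      # "city", "region" or "country"
    severity: int
    from_ip: str
    to_ip: str


@dataclass
class GeoChangeDetector:
    # Minimum severity that creates an incident; 2 ignores moves within a region.
    min_severity: int = 2
    last_seen: Dict[str, Tuple[str, Tuple[str, str, str]]] = field(default_factory=dict)

    def observe(self, session: str, ip: str) -> Optional[Incident]:
        loc = GEOIP.get(ip)
        if loc is None:
            return None                     # unknown address: nothing to compare against
        prev = self.last_seen.get(session)
        self.last_seen[session] = (ip, loc)  # always advance to the latest location
        if prev is None:
            return None                     # first request of the session
        prev_ip, prev_loc = prev
        if prev_loc[0] != loc[0]:
            scope = "country"
        elif prev_loc[1] != loc[1]:
            scope = "region"
        elif prev_loc[2] != loc[2]:
            scope = "city"
        else:
            return None                     # same city: no change
        if SEVERITY[scope] < self.min_severity:
            return None                     # below the configured trust threshold
        return Incident(session, scope, SEVERITY[scope], prev_ip, ip)


def run(events: List[Tuple[str, str]], min_severity: int = 2) -> List[Incident]:
    """Feed (session, ip) pairs in arrival order and collect the incidents raised."""
    detector = GeoChangeDetector(min_severity)
    incidents = []
    for session, ip in events:
        incident = detector.observe(session, ip)
        if incident is not None:
            incidents.append(incident)
    return incidents


# Constructed request log: one session hopping across city, region and country.
SAMPLE_EVENTS = [
    ("sess-A", "203.0.113.5"),
    ("sess-A", "203.0.113.9"),    # Moscow -> Zelenograd: same region
    ("sess-B", "198.51.100.7"),   # unrelated session
    ("sess-A", "198.51.100.7"),   # region change
    ("sess-A", "192.0.2.44"),     # country change
]

if __name__ == "__main__":
    for inc in run(SAMPLE_EVENTS):
        print(f"{inc.session}: {inc.scope} change (severity {inc.severity}) {inc.from_ip} -> {inc.to_ip}")
```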
Other changes to version 3.3 include integration with PT MultiScanner to detect viruses in files uploaded to the web portal.
2015
Promotion of PT Application Firewall to the Russian market
On December 22, 2015, Cisco, Positive Technologies and OCS announced the start of promotion of the joint PT Application Firewall product.
Positive Technologies and Cisco are launching a joint product, PT Cisco UCS AF. The solution is a hardware and software appliance: PT Application Firewall installed on a Cisco UCS C-series or E-series server platform.
Adapting PT Application Firewall to Cisco UCS hardware improves the security of enterprise and public web applications and reduces maintenance costs. An agreement was reached for OCS to promote PT Cisco UCS AF on the market starting in 2016.
PT Application Firewall has a certificate of FSTEC of Russia (certificate of conformity No. 3455 dated October 27, 2015).
The technologies used in Cisco UCS, including in UCS C-series servers, optimize IT infrastructure and reduce acquisition, deployment and maintenance costs. Cisco UCS Director software provides centralized collection of information about physical and virtual resources and helps keep complexity in check as the system expands. With Cisco UCS Manager and Cisco SingleConnect technology, hardware can be configured automatically using predefined policies.
With the Cisco UCS E-Series hardware solution, customers receive a router and a network- and application-layer firewall in one device, reducing network and application security costs. PT Cisco UCS AF on the Cisco UCS E-Series platform is suitable for large distributed organizations.
OCS will act as a distributor - since 1997, the company has been promoting all Cisco technologies in the Russian market.
Mikhail Kader, Honored Systems Engineer, Cisco: "The Russian market is one of the key ones for us. That is why we are very careful in choosing our technology partners. Of particular interest to us are companies offering high-tech and effective solutions. Our cooperation with Positive Technologies and OCS has continued for many years; we have great respect for what these companies are doing to develop the information security market, and we know firsthand about the high competence of their experts, as well as the quality of Positive Technologies products and OCS Distribution partner services."
Ruslan Chinyakov, Vice President of OCS Distribution: "We are pleased to replenish our product portfolio with a new product that is not only high-tech but also in demand on the market. This is a good example of the distributor's cross-competencies in the field of networks, data centers and information security being of interest both to the two vendors and to a wide range of partners. In this difficult time for the market, this is a great - and absolutely real - example of the synergy of technologies, products and services of different market players. Our role in this is to 'deliver' benefits to partners. We are confident in the successful future of this area and will actively develop it."
Maxim Filippov, Director of Positive Technologies for Business Development in Russia: "Cisco is our longtime technology partner. Our experts are very familiar with Cisco technologies, which tend to become de facto industry standards. We work together to ensure that your business applications function efficiently and securely. This applies not only to vulnerability research or support in MaxPatrol for Cisco's network security recommendations in the form of compliance checks. A separate area of collaboration is the organic inclusion of Positive Technologies products in the Cisco solution architecture. The support of Cisco UCS C- and E-series servers as a hardware platform for Positive Technologies Application Firewall was a significant step in this direction. A partnership with OCS opens up opportunities to interact with companies that design IT infrastructure based on Cisco solutions. This is especially true in the context of the awareness of the problem of protecting web applications by employees of IT and information security departments of our customers."
PT Application Firewall 3.2
On November 10, 2015, Positive Technologies announced the release of version 3.2 of the PT Application Firewall (PT AF) web application firewall.
Release 3.2 contains a mechanism for detecting connections from suspicious sources, the ability to integrate with reputation services, and an improved tool for filtering false positives. The product includes reporting, notification, archiving, and other useful features. The new shell reduces the time for initial network configuration when integrating into an existing network infrastructure by a factor of tens.
Product Interaction Chart (2015)
Phishing Protection
Connecting to the largest reputation services allows redirects from phishing sites to legitimate resources to be tracked and blocked more effectively. PT AF version 3.2 detects and blocks both arrivals from unsafe sites (identified by the HTTP Referer header) and transitions to compromised pages within protected resources.
Countering attacks from anonymous networks
In addition to accessing reputation services, the product can build lists of blocked IP addresses and DNS names to block attacks originating from Tor exit nodes, anonymous proxies (for example, SOCKS proxies) and other suspicious sources. The database of such sources is built from information provided by specialized services, reputation services or honeypots.
Reduction of false positives
False positives are one of the main problems of modern web application firewalls (WAF). PT AF addresses this problem effectively through correlation analysis and its built-in dynamic vulnerability scanner, and in version 3.2 the filtering mechanism makes it even easier to screen out irrelevant events.
Set up in a few minutes
A Linux-like shell for initial network configuration removes the need to work with configuration files or with ifconfig, ip, route and similar tools. The shell provides a set of simple, short commands for configuring basic parameters, so the user need not enter standard Linux console commands, whose syntax can be complex. At the same time, access to the fine-grained settings of all components available in Linux is preserved.
The utility helps the customer independently configure any of the supported topologies, and hints, auto-completion and input validation help avoid errors during the initial stage of PT AF configuration.
Interface
The user interface has also changed. All the necessary information about the network configuration can now be viewed in it, so there is no need to open the console to look up IP addresses, routes, gateways, interface roles, application server groups, etc. All this data is now conveniently arranged in tabs.
Reports, Notifications, and Archiving
Version 3.2 adds an archiving schedule that allows incidents for a specific period, the configuration database, and individual user actions to be saved. There is also a new reporting system with all the information security specialists may need. PT AF users can export their own lists in CSV format for automated loading into blocking tools. The notification system is also worth noting: SMTP allows the administrator to be informed by regular e-mail, and support for the secure SNMPv3 protocol makes it possible to send notifications to various monitoring systems, as well as to integrate with border gateways and send them the IP addresses of attackers so that those gateways block them directly, if necessary.
"The high competition in the web application protection market and getting into the Visionaries sector of the Gartner quadrant oblige us to work daily to improve PT Application Firewall," said Mikhail Bashlykov, Deputy General Director for Product Development at Positive Technologies. "Today, the capabilities of PT Application Firewall have already been evaluated by almost 50 companies, including such giants as Megafon and VGTRK. In addition, dozens of companies participate in our open pilot testing program (af.ptsecurity.ru). Customer feedback is one of the main sources of our knowledge: this is how the functionality of the new version was developed, and how decisions were made about the need for 24/7 technical support and about improving the XML traffic protection module. The product continues to develop actively: in the following releases, new capabilities will be improved and added to repel DDoS attacks at the application level and track users based on machine learning methods."
PT Application Firewall XML Extension
The PT Application Firewall XML Extension is a solution for protecting the information interaction of business applications; it extends the capabilities of PT Application Firewall when working with disparate customer systems.
On August 4, 2015, Positive Technologies announced the launch of a domestic solution to protect the information interaction of business applications, expanding the capabilities of PT Application Firewall when working with disparate customer systems. The advanced components of the XML Traffic Protection Module improve the security of internal and external business processes, a significant part of which is carried out using XML.
Interaction Scheme, 2014
Protocols based on XML (SOAP, HTTP and others) are used today for interaction between applications in a variety of industries - energy, public administration, telecommunications, education, banking, healthcare and transport. Thanks to the versatility and flexibility of XML, service-oriented platforms help link heterogeneous applications and services together, solving intra- and cross-enterprise integration problems.
The prevalence of XML in critical infrastructure nodes (ERP, APCS, ABS, public service portals, interagency systems) makes the vulnerabilities of this language especially dangerous. For example, in 2014, according to Positive Technologies statistics, the critical vulnerability "XML external entity injection" (XXE) was found in almost half of RBS systems (46%). Using such a flaw, an attacker can obtain the contents of files on the attacked server by injecting arbitrary XML code.
The XML protection module in PT Application Firewall counters such attacks on web services. It detects unauthorized and malicious inclusions in the content of XML messages, and validates and profiles SOA calls and XML messages. XML analysis uses automatic self-learning mechanisms, which significantly reduces the likelihood of vulnerabilities being exploited.
The second important feature of the new solution is the ability to control user access and analyze user behavior. The system administrator can differentiate the access rights of internal or external users in accordance with the organization's policy and block illegitimate or erroneous requests on their part.
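One way to screen XML request bodies for the external-entity inclusions discussed above, as an added example that is not PT Application Firewall code: the parser's DTD callbacks are used to reject any document that declares a DOCTYPE (strict policy) or, under a lenient policy, any external or parameter entity, before the body reaches the web service. The policy names, the sample messages and the placeholder `file:///placeholder` URI are constructed for the example.

```python
"""Added example: WAF-style pre-filter for XML request bodies (not PT AF code).
Uses the standard-library expat parser; a DTD construct stops parsing immediately."""
import xml.parsers.expat
from dataclasses import dataclass


@dataclass
class Verdict:
    allowed: bool
    reason: str


class _DtdFound(Exception):
    """Raised from an expat handler as soon as a disallowed DTD construct is seen."""


def inspect_xml_body(body: bytes, strict: bool = True) -> Verdict:
    """strict=True: any DOCTYPE is rejected (recommended; the services we assume need none).
    strict=False: an internal DTD subset is tolerated, but external entities (SYSTEM/PUBLIC)
    and parameter entities are rejected, since those are what XXE payloads rely on."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if strict or system_id or public_id:
            raise _DtdFound(f"DOCTYPE '{name}' not permitted")

    def on_entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        if system_id or public_id:
            raise _DtdFound(f"external entity '{name}' declared")
        if is_parameter:
            raise _DtdFound(f"parameter entity '{name}' declared")

    def on_external_ref(context, base, system_id, public_id):
        # Defence in depth: never resolve anything external, whatever the DTD said.
        raise _DtdFound(f"external reference to {system_id!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(body, True)
    except _DtdFound as exc:
        return Verdict(False, str(exc))
    except xml.parsers.expat.ExpatError as exc:
        return Verdict(False, f"malformed XML: {exc}")
    return Verdict(True, "well-formed, no disallowed DTD constructs")


# Constructed sample messages; the SYSTEM URI is a placeholder, not a real target.
CLEAN_MSG = b'<?xml version="1.0"?><order><id>7</id><qty>2</qty></order>'
INTERNAL_DTD_MSG = b'<?xml version="1.0"?><!DOCTYPE d [<!ENTITY greet "hi">]><d>&greet;</d>'
EXTERNAL_ENTITY_MSG = (b'<?xml version="1.0"?>'
                       b'<!DOCTYPE d [<!ENTITY ext SYSTEM "file:///placeholder">]>'
                       b'<d>&ext;</d>')
BROKEN_MSG = b'<order><id>7</order>'

if __name__ == "__main__":
    for label, msg in [("clean", CLEAN_MSG), ("internal DTD", INTERNAL_DTD_MSG),
                       ("external entity", EXTERNAL_ENTITY_MSG), ("broken", BROKEN_MSG)]:
        print(label, "strict:", inspect_xml_body(msg), "lenient:", inspect_xml_body(msg, strict=False))
```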
Oleg Matykov, head of design solutions at Positive Technologies, noted: "Integrating applications with both internal and external systems is the most important task for any enterprise. Service buses and SOA platforms today are a kind of bridge between disparate 'islands': insurance services interact with banking, industrial management systems - with enterprise management systems, central divisions of the organization automate work with branches, etc. In information exchange between different services, XML transport has taken one of the dominant roles, which makes you pay close attention to specific security problems. The solution that we offer will protect the information interaction of distributed services of any level of complexity both within the organization and beyond."
PT Application Firewall integrated with Zecurion Zgate
On April 13, 2015, the mutual integration of the PT Application Firewall application-level firewall and the Zecurion Zgate DLP traffic control system from Zecurion was announced.
Interaction
Joint use of PT Application Firewall and Zecurion Zgate gives the firewall a data feed from the Zgate system about the presence of confidential data in forwarded messages and files. The DLP system analyzes the received information according to the specified filtering rules and identifies violations of security policies using more than 10 specialized threat detection technologies. After analysis, Zgate generates a special message for PT Application Firewall with information about the user, the secret data and the rule that fired.
If a message that violates security policies is detected, the PT AF Firewall blocks the transfer of information, preventing the leakage of secret data.
Through an anomaly analysis based attack detection mechanism, the PT Application Firewall provides protection against all common OWASP and WASC vulnerabilities, including SQLi, XSS and XXE, as well as popular HTTP Request Splitting, Clickjacking and complex client attacks (DOM-based XSS).
Application Firewall identifies zero-day vulnerabilities, including bugs like Heartbleed, Shellshock and GHOST, and blocks related attacks even without updating signatures. The virtual patching function allows you to quickly configure protection while the development team of the vulnerable application is working to create an update.
The integration of the two analytical tools, Zecurion Zgate and PT Application Firewall, supports a number of use cases:
- spam filtering in client applications,
- control of access to confidential documents,
- verification of content on various corporate platforms.
PT Application Firewall in Gartner Visionaries Quadrant
Positive Technologies was included by the analyst firm Gartner in its "Magic Quadrant" of the world's vendors of web application protection solutions (2015 Magic Quadrant for Web Application Firewalls). The Russian product PT Application Firewall was placed in the Visionaries quadrant. According to Gartner's methodology, such products have innovative functions and solutions that shape the development of the market.
2014: Description
PT Application Inspector and PT Application Firewall are security solutions for RBS and ABS systems, as well as corporate applications and e-government portals. The products are used to protect web applications and the online services they provide not only in Russia, but also in India, Italy and Korea. Companies such as Megafon and Postel (a division of the Italian state postal service) are already using the Application Security products.
One of the most significant examples is the deployment of PT Application Firewall to ensure uninterrupted broadcasts of the most significant event for Russia last year - the Sochi 2014 Olympic Games. Despite the huge number of attempts to attack the resources of the All-Russian State Television and Radio Broadcasting Company, the broadcast was maintained at the highest level.
As practice shows, the main target of cybercriminals today is application services, which have become an integral part of the IT systems of large and medium-sized businesses. Web technologies are used ever more widely: Internet banking, mobile services for customers, portal ERP solutions for interaction with suppliers, online services of telecom operators, remote terminals, APCS. However, they not only make business processes more efficient, but also give new opportunities to attackers.
According to a study by Positive Technologies, in 2014 over half of information security incidents in large Russian companies were related to the Internet, and most of them led to serious problems, including financial and reputational losses. Traditional firewalls and intrusion prevention systems do not change this situation. Attackers successfully bypass classic signature-based protection by exploiting zero-day vulnerabilities. Fixing detected errors and vulnerabilities in business applications and installing updates in ERP, APCS and RBS systems can take months, and sometimes more than a year, and all this time the vulnerability remains open.
What distinguishes the self-learning PT AF firewall is its ability to eliminate threats without updating the software of the protected application. The virtual patch engine blocks attacks through known vulnerabilities before the unsafe code is fixed. Together with the PT AI source code analysis system, this function provides a continuous process of identifying and blocking vulnerabilities. Instead of the classic signature method, PT AF analyzes network traffic and system logs to build an up-to-date model of the application's normal behaviour and, based on it, detects abnormal system behavior. In combination with other protective mechanisms, this allows 80% of zero-day attacks to be blocked out of the box, without special configuration or adaptation to the protected application system.
The PT Application Firewall and PT Application Inspector communicate efficiently with each other and can be used on equipment from different manufacturers. For example, the PT AF firewall is fully compatible with the Cisco Unified Computing System Express platform.
When systems are shared, the PT AF firewall can receive information about the presence of vulnerabilities in the application directly from the PT AI source code analysis and vulnerability detection system, which implements a unique hybrid approach that combines the advantages of static, dynamic and interactive analysis, as well as using a huge vulnerability knowledge base accumulated by Positive Technologies experts.
The number of applications used by modern companies (mobile, ERP and web) is steadily growing, and with it the number of critical vulnerabilities that attackers can exploit. Modern firewalls and intrusion prevention systems (IPS) do not provide the necessary level of protection for web applications: attack vectors that exploit web application vulnerabilities in corporate networks are still the ones attackers use most often and most effectively. PT Application Firewall is the answer to this challenge: experience in web application security research, the use of innovative machine learning and behavioral analysis technologies, and the latest security methods (for example, virtual patching and attack chain construction) allowed Positive Technologies to create a product whose effectiveness is confirmed in practice - and by a leading global analyst firm.
PT AF automatically sorts and ranks identified attacks, visualizes threats in such a way as to highlight really important ones - using a unique technology for building attack chains. Its functions (such as automatic incident correlation) allow organizations to detect and stop attacks early in their development, weeding out irrelevant events and focusing on truly dangerous attacks, as well as significantly reducing their detection time. Thanks to the machine self-learning mechanism, PT AF also detects previously unknown attacks (zero-day attacks).