Imperva

Imperva WAF gateway (formerly SecureSphere)

web application security

Imperva WAF gateway has a strong track record and a reputation for reliability in the WAF market, and has been deployed by a wide range of organizations, including financial institutions and government agencies. In addition, with the recent rise of cloud computing, Imperva has also released appliances that can be deployed in AWS and Azure environments and can guarantee the same security as on-premises.

Deployment modes that require no changes to the existing network

  • Transparent bridge (inline)
    • Fail open/close support
  • Sniffing (non-inline) installation
    • Packet copy from switch mirror port

Various attack defense methods

  • Blacklist by signature
    • Provided by ADC on a regular basis (on average twice a month)
    • Block Recommended Signatures, Detect Recommended Signatures
  • Whitelist (dynamic profiling feature)
    • Automatically generate web communication whitelist (profile) from communication content
  • Correlation attack verification
    • Detect complex attacks by judging from multiple anomalies
  • Reputation defense (THREAT INTELLIGENCE feature)
    • Detect malicious source IP, anonymous proxy, phishing site URL

WAF Operation Example: Strengthening Security

  • Operational issue
    • A threshold-based custom policy was created as a countermeasure against list-type attacks, but it produces many false positives and false blocks
  • Countermeasure options
    • Adjust the threshold to match actual traffic (high operational load)
    • Weight policies and alerts using Threat Intelligence bot detection (low operational load)
  • Example of a threat intelligence countermeasure:
    Create custom policies based on Threat Intelligence information
    • Blocking is limited to highly malicious access only, while other access that shows malicious behavior still raises an alert and is recorded
      1. "Access to the login page from the same source IP address 5 times per minute" → Not blocked, but logged with a Low alert
      2. "Access to the login page from the same source IP address 5 times per minute" and "Access by a malicious bot" → Blocked with a High alert, logged, and the logs inspected
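
The two rules above expressed as decision logic, as an added example (not Imperva configuration and not code from this page). The login path, the sample requests and the set of bot-flagged source IPs, which stands in for the Threat Intelligence verdict, are constructed assumptions.

```python
from collections import defaultdict, deque

LOGIN_PATH = "/login"   # assumed path of the login page
WINDOW_SECONDS = 60     # "per minute"
THRESHOLD = 5           # "5 times"

def evaluate(events, malicious_bot_ips):
    """Apply the two rules to time-ordered (epoch_seconds, src_ip, path) requests.

    Returns (timestamp, src_ip, action, alert) for each request at or over the threshold.
    """
    recent = defaultdict(deque)  # src_ip -> login request times inside the window
    decisions = []
    for ts, ip, path in events:
        if path != LOGIN_PATH:
            continue
        window = recent[ip]
        window.append(ts)
        # Drop requests that are a full window old or older.
        while window[0] <= ts - WINDOW_SECONDS:
            window.popleft()
        if len(window) < THRESHOLD:
            continue
        if ip in malicious_bot_ips:
            decisions.append((ts, ip, "block", "high"))  # rule 2: rate AND bot
        else:
            decisions.append((ts, ip, "log", "low"))     # rule 1: rate only
    return decisions

# Constructed sample data (documentation address ranges), not real traffic.
SAMPLE_BOT_IPS = {"198.51.100.7", "198.51.100.99"}
SAMPLE_EVENTS = sorted(
    [(t, "198.51.100.7", "/login") for t in (0, 10, 20, 30, 40, 50)]    # fast, flagged bot
    + [(t, "203.0.113.20", "/login") for t in (5, 15, 25, 35, 45)]      # fast, not flagged
    + [(t, "192.0.2.9", "/login") for t in (0, 60, 120, 180, 240)]      # slow, not flagged
    + [(t, "198.51.100.99", "/login") for t in (12, 22)]                # flagged bot, below threshold
    + [(t, "203.0.113.20", "/index.html") for t in (6, 7, 8)]           # not the login page
)

if __name__ == "__main__":
    for decision in evaluate(SAMPLE_EVENTS, SAMPLE_BOT_IPS):
        print(decision)
```

The unflagged source that exceeds the rate is only logged, which is how the policy avoids false blocks while keeping a record for later inspection.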

Frequently Asked Questions

  • What is the schedule leading up to deployment?
    • It takes about 1 to 2 months from configuration to service launch. Implementation support, including tuning, is available on request.
  • Can it be used in an AWS or Azure environment?
    • Yes.

Inquiry/Document request

In charge of Macnica Imperva Co., Ltd.

Mon-Fri 8:45-17:30