Hackers are worse than painting, or how to protect web applications
In recent years, government and commercial organizations have begun to use web applications more and more. But with the growing number of web applications, cyber threats aimed at them have grown. Companies began to pay more attention to information security.
Indeed, hacker attacks are becoming more widespread, and therefore - bring more damage. According to a Forrester research company report , three industries are the most vulnerable: government, retail, and technology.
Companies working in these areas are very attractive to scammers because they operate with a lot of data about users' personal information.
Major international initiatives are aimed at protecting personal data. For all companies that work with European users, this is, for example, GDPR . Significant fines are imposed for violating the rules established by the GDPR; therefore, companies are doubly interested in the high reliability of data protection for their customers in order to avoid costs.
The scale of information security threats
A few facts about the situation in the field of information security:
- Hacker attacks happen every 39 seconds .
- DDoS attacks on average increased in size by more than 500% .
More than $ 1 trillion a year is expected to be spent on cybersecurity worldwide by 2021. The cost of cybercrime by this time will grow to 6 trillion a year!
Most likely, many people remember the massive spread of Petya and WannaCry, which encrypted all files on the computer and demanded a ransom with the threat of file destruction. Some experts came to the conclusion that the ultimate goal of these viruses was not so much getting a ransom as a massive system failure, because as a result of the failure the company suffers much more losses, which plays into the hands of competitors.
The lack of common standards in web programming leads to the fact that software development introduces errors and vulnerabilities that the hacker will not fail to take advantage of for personal gain. And this, in turn, leads to the costs of the company: the leak of confidential data, theft of intellectual property, delayed business processes and reputation losses.
WAF - Protecting Web Applications from Cybercriminals
However, with the action, opposition also grows. It is necessary to approach attack prevention comprehensively - throughout the entire life cycle of a web application. During development, special attention should be paid to testing and ethical hacking, which helps to identify and eliminate key vulnerabilities. During operation, the application will be guarded by special protective equipment. And here the installed antivirus and firewall will not save the application.
Typically, the shield and sword of applications is the next generation firewall (NGFW) to prevent intrusions and filtering traffic for applications (WAF - web application firewall). The difference between them is that NGFW controls the access of external applications to enterprise data, while WAF protects user applications on internal servers by analyzing data transmitted via HTTP and HTTPS. It is WAF that can provide in-depth analysis of the content of packet data and take into account the features of the structure of web applications, which provides real-time protection and monitoring of applications, and also has the functionality to block both already known attacks and zero-day attacks.
Features of WAF Technology
- Maximizes detection and detection rate for known and unknown threats;
- Minimizes false alerts (false positives) and adapts to constantly evolving web applications;
- Distinguishes automated traffic from real users and applies appropriate controls for both categories of traffic;
- Provides deeper analysis and implementation due to ease of use and minimal impact on performance;
- Automates incident response workflow to help web application security analysts;
- Protects both mass-open and internally used web applications and APIs.
Compare 7 WAF Gartner Magic Quadrant Leaders by Characteristics
There are many WAF solutions on the market for every taste. To choose a product that will be ideally suited specifically for your company, you should pay attention to the functionality - different vendors have slightly different services. The following is an overview of the WAF market leader in software solutions, devices, and cloud services as defined by Magic Quadrant for Web Application Firewall in 2018. More information about them can be found in the WAF comparison table on the ROI4CIO , where you can compare 28 WAF for 32 characteristics.
And in this review we will try to highlight the basic properties and advantages of the 7 most popular of them.
Akamai Kona Web Application Firewall
Akamai's Kona Web Application Firewall (a cheaper, stripped-down version of the Kona Site Defender) is suitable for customers who need the WAF cloud service, especially when customers are already using Akamai as a CDN. A relatively expensive product, but developed by a company (Cambridge, 7,500 people), whose development team deals exclusively with web application security issues.
Akamai provides a managed SOC that can track incidents. The manufacturer uses automatic analytics and sorting of all traffic that it processes, so that customers configure their signatures and collect information about threats to create new security features.
Since WAF Akamai is only available as a cloud service, for organizations that simply do not like cloud security solutions, or when potential customer ratings determine that compliance and regulatory restrictions limit its use, Akamai will not work.
Kona Web Application Firewall by Akamai on the vendor's website
Barracuda web application firewall
Barracuda Web Application Firewall is a comprehensive system designed to ensure the security of web applications and sites for medium-sized enterprises. Barracuda WAF gives a powerful rebuff to attackers who exploit weaknesses in protocols and applications for data theft, disruption of services or website deface. The WAF line is a vendor for physical or virtual devices, and is also available on Microsoft Azure, AWS, and the Google Cloud Platform (GCP). With the release of the WAF 1060, Barracuda now supports bandwidth up to 10 Gb / s.
Barracuda remains one of the best WAFs in Microsoft Azure. Barracuda Cloud WAF as a service includes DDoS protection at no extra charge. Technical support is highly appreciated by customers.
The user interface is rated by customers as user-friendly. And here is good news for Russian speakers - the solution from Barracuda WAF has not only English, but also a Russian interface.
The product from Barracuda is able to provide protection against the following attacks: SQL code injection, cross-site scripting (XSS), session falsification and buffer overflows, and also prevents information theft by monitoring all outgoing data for any leakage of sensitive information (bank account numbers) , personal user information, passwords, etc.).
The system administrator will be able to detect DoS and DDoS attacks on time thanks to a special function that controls the data transfer rate. A powerful built-in antivirus allows you to check any data and files imported into the system for various malicious code.
Barracuda Web Application Firewall is fully compatible with most common authentication systems (Active Directory, eDirectory) that support LDAP RADIUS. In addition, there is a two-factor authentication function: the system supports user authenticators and tokens (RSASecureID) to guarantee reliable protection of client authentication.
Barracuda Web Application Firewall on the vendor's website
Barracuda Web Application Firewall cost calculator on ROI4CIO
Cloudflare WAF
Enterprise-class Cloudflare web application firewall (WAF) protects web applications from common vulnerabilities such as SQL injection attacks, crossite scripting and crossite fakes, without changing the existing infrastructure. Relatively inexpensive service plans are convenient for small companies. There are more expensive individual plans for large companies - Enterprise. The self-service model used by the company allows customers to quickly and easily configure configurations using wizards. Therefore, customers value ease of use.
Cloudflare (San Francisco, 700 employees) is developing DDoS protection and CDN offerings. Cloudflare is a provider with a bandwidth of 15 Tbps and 152 data centers around the world. This infrastructure not only supports high-performance applications, but also provides the most advanced security features.
The recent addition of Cloudflare Workers allows customers to host web applications on the Cloudflare infrastructure, which should be attractive to small organizations. The provider also provides an easily accessible “I'm under attack” button. This automatically includes a set of defenses and is convenient for emergency response.
Cloudflare only offers WAF as a cloud service. For organizations with restrictions on cloud services and organizations that require local physical or virtual devices, the product is not suitable.
Cloudflare WAF at the vendor's site
Citrix NetScaler Application Firewall
The Citrix NetScaler AppFirewall is a good choice for Citrix customers who value WAF high performance devices. NetScaler Web App Firewall is designed for the government segment, large and medium-sized businesses in view of the ability of NetScaler to scale calls for large organizations. NetScaler Web App Firewall comes as a virtual machine, as well as a hardware complex, as well as a cloud service.
NetScaler TLS decryption capabilities and integration with Thales and SafeNet hardware security modules (HSMs) are often key features in benchmarking when the organization plans to grow further.
Citrix (CTXS, Santa Clara, California, over 9,600 people) is developing the NetScaler ADC portfolio, which includes hardware (MPX), software (VPX), containerized (CPX) and multi-instance (SDX). All of these ADC options offer WAF (NetScaler AppFirewall) and Secure Sockets Layer (SSL) virtual private network (VPN) as modules. WAF is also available as a standalone product.
Citrix mainly sells AppFirewall as a complement to customers who are primarily interested in its ADC functions or in high-performance environments. The bandwidth of Citrix Web Application Firewall ranges from 500 Mbps to 44 Gbps.
Customers appreciate the support they receive from system integrators and service providers. They also appreciate the improvements in manageability through the API. Most Citrix clients use NetScaler AppFirewall as a software option on top of the physical ADC device.
Citrix NetScaler Application Firewall protects against attacks such as SQL injection, XSS, from changing hidden form parameters (read-only (hidden) parameters) and other attacks. There is a function of preventing data leaks, which provides prevention of theft of credit card data and other confidential data, filters and blocks, if necessary, the transmitted information.
Citrix NetScaler AppFirewall on the vendor's site
F5 Networks Silverline Web Application Firewall
F5 WAF is mainly used as a software option, Application Security Manager (ASM), which is integrated into the F5 Big-IP platform. F5 (Seattle, WA, 4,300 employees) is known for its ADC product lines (Big-IP and Viprion). The hardware line of Big-IP F5 hardware devices can also use the full software version with a limited (but updatable) version that will act as a standalone security solution (for example, standalone WAF).
Under the Silverline F5 brand, it provides cloud-based protection against WAF and DDoS. Two service options are available: Silverline Managed WAF and WAF Express self-service with a Silverline Threat Intelligence add-on. All Silverline services rely on Big-IP technology.
Silverline WAF protects applications from attacks based on SQL injection, zero-day attacks, JSON, OWASP Top Ten, and other attachments. An important advantage of Silverline WAF is its self-learning function that employs iRules and iApps technologies for online reconfiguration according to with the specifics of new threats.
F5 supports AWS, Azure, Google Cloud, OpenStack, and VMware Cloud. Unified management multicloud support addresses organizations building a hybrid architecture.
Silverline WAF offers 24x7 support from security experts. The product provides the opportunity to reduce operating costs through the use of special resources of the F5 Networks Security Center to manage WAF policies. F5 Networks' built-in proactive monitoring feature employs external specialized solutions to protect applications from new attacks. The solution generates access reports through the customer portal.
F5 Networks Silverline Web Application Firewall on the vendor's website
Fortinet fortiweb
Fortinet FortiWeb - a firewall for web applications from Fortinet (Sunnyvale, California, 5000 employees, about 1000 people in the field of research and development) is focused on medium and large businesses, as well as Internet service providers.
The product comes in the form of a hardware or virtual device, as well as a cloud service (starting from 2017). With FortiGuard Labs security services, FortiWeb provides robust threat analysis and protection against the latest vulnerabilities in applications, bots, and suspicious URLs. In addition, due to two threat detection mechanisms based on AI-based machine learning technology and statistical probabilities for detecting anomalies and individual threats, web applications are protected from complex cyber risks: SQL injection, cross-site scripting, buffer overflow, malicious cookie changes, sources of threats and DoS attacks.
FortiWeb is available as a physical or virtual (FortiWeb-VM) device (eight models, from 25 Mbps to 20 Gbps), as well as FortiWeb Cloud on AWS and Azure IaaS platforms, which made the product affordable for medium-sized enterprises.
FortiWeb subscriptions include IP reputation, antivirus, security updates (signatures and machine learning models), credential protection, and a cloud-based sandbox (FortiSandbox). FortiWeb is a good choice for protecting file-sharing services, as it offers extensive capabilities and integration for malware detection, and can also integrate with Fortinet sandbox solutions.
The complete compatibility of all Fortinet products with each other makes it possible to quickly and easily scale the system. The high degree of automation of operations and the simplicity of their support reduces the number of errors caused by the human factor. In addition, this characteristic allows you to reduce the number of employees of the information security department.
Fortinet FortiWeb on the vendor's site
Imperva SecureSphere Web Application Firewall
Imperva WAF solutions are designed for use in the public sector, as well as in large and medium-sized businesses. SecureSphere can be supplied with both physical and virtual devices. It is also available as a cloud service and a cloud service - WAF Incapsula on AWS and Microsoft Azure. Imperva (Redwood Shores, CA) also offers managed rule sets for AWS WAF.
The maximum supported bandwidth of the older model reaches 10 Gb / s. In addition to HTTP / HTTPS, there is support for web standards WebSockets, XMS and JSON. The products are interesting for the simultaneous use of several cyber protection technologies at once: monitoring protocols for abnormal behavior, dynamic profiling, analysis through signatures, tracking sessions. All Imperva products provide quality customer-rated support.
The firewall for web applications from Imperva consists of two main modules:
SecureSphere Web Application Firewall - protection of web applications from cyber attacks;
ThreatRadar - a reputation database (ThreatRadar allows you to quickly block traffic coming from suspicious sources, even before the implementation of any harmful effects).
Imperva offers flexible licensing for organizations using both on-premises and cloud applications. This allows the manufacturer to focus on a wider range of use cases and organizations, as well as better manage the transition from a WAF device to a WAF cloud service.
SecureSphere customers report that the management console remains complex when using more advanced features, and deployment often requires professional services for effective implementation.
For effective protection, mechanisms are used based on the signatures of the free open-source Snort intrusion prevention system, as well as proprietary SQL signatures generated by the ADC (Application Defense Center) research center. In terms of fault tolerance, there is support for clustering Active-Active and Active-Passive.
SecureSphere WAF is equipped with a non-embedded sniffer, a transparent proxy server and a reverse proxy server, it has excellent SSL support. So the product provides passive SSL decryption, support for sessions installed on client certificates, termination and determination (that is, SSL traffic analysis without termination). It is also important that the development contains hardware modules that speed up SSL processing.
To create a reference security model, a method for classifying rules and applying detailed signatures (using firewall rules, creating signatures, and processing protocol violations) is used here. To adapt WAF to a modified application, it is possible to change the profile of web applications created in machine learning mode. At the same time, there is a manual setting of the profile of web applications.
The report generator implemented in SecureSphere WAF provides reports to system administrators in accordance with the requirements of information security standards. There is also the opportunity to generate your own customized reports (including those scheduled) and export to various formats.
Imperva SecureSphere Web Application Firewall on the vendor's website
Imperva SecureSphere Web Application Firewall cost calculator on ROI4CIO
conclusions
There is an opinion that in the future the statistics of cybercrime will exceed the statistics of crimes outside the network. And now it’s not worth neglecting protection against attacks, these investments pay off in full. The WAF solution is a small but important brick in your line of defense against intruders.
Authors: Natalia Zorba, Victoria Sholoyko, for ROI4CIO