One of the mantras for today’s enterprise could be, “living on the edge.” With the proliferation of the cloud and the digital services and mobile apps that it hosts, today’s enterprise is all about the edge. Chances are your company or organization has a web presence on the Internet thanks to Web 2.0, which gives your customers the ability to interact with your web sites and their integrated web applications that service requests. Unfortunately, it also gives hackers the ability to interact as well. According to the 2016 Verizon Data Breach Investigation Report, 40% of all data breaches involved web application attacks.
It happens every day, and many IT managers are initially baffled as to how their web servers were compromised behind the firewall. The fact is however, a traditional firewall does very little to protect a multitier web application.
“A traditional firewall does very little to protect a multitier web application.”
This is because a perimeter firewall opens the common ports such as 80 and 443 that are required so that users can access and interact with the hosted sites. Hackers use these same ports as well. Thus, a traditional firewall cannot stop a SQL injection or DDOS attack. A web application based security system must be able to do more than open and close ports. It must be able to discern incoming traffic.
In order to properly shield your web applications, you need a Web Application Firewall (WAF). Unlike a traditional firewall, a WAF does not provide perimeter protection for the entire enterprise. It is a highly specialized security tool specifically designed to protect web applications, not the servers. A WAF actually resides at the outer edge of your network in front of the public side of a web application and analyzes incoming traffic. That is all it does and it does it very well. Unlike traditional security devices that focus on layers 3 and 4 of the OSI Model, a WAF focuses on the application layer (layer 7). Because a WAF is so specialized, many network managers make the mistake of not justifying the investment in one. In today’s hyper connected environment however, this is a major oversight as web applications interact directly with the backend database servers that hold the precious data of the enterprise such as the personal information of online retail customers that hackers so covet.
Sometimes there is a misconception that an Intrusion Protection System can supplement a firewall enough to protect web applications. While an IPS can monitor incoming network traffic, it is not equipped to interpret the complex nature of HTTP traffic. Like a perimeter firewall, an IPS is designed to protect a network at large, not a dedicated edge based application. It can be deployed as a hardware appliance, inline web server or server plugin.
Just as an online retail customer can interact with an online retail site, hackers can conduct malicious interactions as well. These attacks predominantly occur as SQL injections, cross-site scripting and malicious file executions. A modern day WAF is designed to protect against these and other OWASP Top Ten application risks. WAFs are able to discern fraudulent interactions from legitimate traffic. This is a highly complex task as hackers today weave their attack code within safe-looking website traffic. A WAF accomplishes this by intercepting and analyzing each and every HTTP request before they reach the web application.
“WAFs are able to discern fraudulent interactions from legitimate traffic. This is a highly complex task as hackers today weave their attack code within safe-looking website traffic.”
WAFs are also designed to perform SSL termination. Much of today’s web traffic is encrypted in order to protect the data being transferred within the web session. HTTPS works both ways however, in that it also protects malicious hacking code from being scrutinized as well. Many hackers take advantage of this, using HTTPS as a camouflage to avoid detection.
Because a WAF stands between the public and the web application, it is able to decouple the traffic between the web server and the internet. SSL certificates are hosted on the WAF, thus terminating the encrypted connection. Traffic is then forwarded to the web application in HTTP and analyzed. In a sense, the WAF is working as an inbound or reverse proxy. Response traffic is then sent back to the WAF where it is then encrypted and forwarded to the user using the HTTPS protocol.
Just because you do not host your own web applications does not mean you do not need a WAF. Many large cloud vendors offer WAF subscription services, but if they don’t, you can count on Total Uptime. Our WAF can protect your infrastructure no matter where it resides: in the cloud, on-premise, and anywhere in between.
For the same reason that today’s web applications demand layer seven security protection, they also demand layer seven load balancing and failover protection as well. Security and fault tolerance are vital to ensure that your web applications are not compromised or disrupted.
With GoDaddy’s unfortunate DNS outage on September 10th, we received an enormous number of inquiries about our DNS services. A frequently asked question was whether or not Total Uptime could provide secondary or backup DNS services for disaster recovery. The quick answer is “yes”, we can definitely provide this commonly implemented DNS backup solution, but we thought […]
IT managers are faced with many difficult decisions today. The demands of performance, security, and economics are difficult to reconcile, and are only getting more challenging with the increasing number and complexity of internet attacks. Another challenge that we are dealing with is the explosive growth of Web 2.0 applications, such as social media, blogs, […]
Total Uptime’s DNS Service along with our DNS Failover solution are often compared to Amazon Route 53, and for good reason. Organizations are increasingly looking for a reliable DNS provider in light of frequent outages at various Domain Registrars like Network Solutions. IT experts understand that because DNS is the first link in the chain, it must be the […]
Your plaintext internet traffic is subject to attack. You already knew this. And it probably won’t surprise you to learn that your encrypted internet traffic is also vulnerable. It’s an unfortunate situation. Carl Herberger, Radware’s VP for Security Solutions, says that the prospect of SSL-based attacks “makes a folly of our existing security infrastructure”. The […]