
Hackers are more terrible than they are painted, or how to protect web applications





In recent years, government agencies and commercial organizations have increasingly been using web applications. But as the number of web applications has grown, so have the cyber threats aimed at them. Companies have begun to pay more and more attention to information security.



Indeed, hacker attacks are becoming more ambitious and therefore cause more damage. According to a report from research firm Forrester, three sectors are most vulnerable: government agencies, retail and technology.



Companies operating in these areas are very attractive to fraudsters because they handle large amounts of users' personal information.


Large international initiatives are aimed at protecting personal data. For all companies that work with European users, one example is the GDPR. Significant fines have been established for violating the GDPR's rules, so companies are doubly interested in reliably protecting their clients' data in order to avoid those costs.



The scale of information security threats



Some facts about the situation in the field of information security:





Worldwide spending on cybersecurity is expected to exceed 1 trillion dollars a year by 2021. The cost of cybercrime by that time will rise to 6 trillion per year!



Many people probably remember the large-scale spread of Petya and WannaCry, which encrypted all the files on a computer and demanded a ransom under threat of deleting the files. Some experts concluded that the ultimate goal of these viruses was not so much the ransom as massive system failure, because a company loses far more from such a failure, which plays into the hands of competitors.



The lack of uniform standards in web programming means that software is developed with errors and vulnerabilities that a hacker will not fail to exploit for gain. This, in turn, leads to costs for the company: leakage of confidential data, theft of intellectual property, delayed business processes and reputational losses.



WAF - protection of web applications from cybercriminals



However, as attacks grow, so do the countermeasures. The approach to preventing attacks must be comprehensive, covering the entire life cycle of the web application. During development, special attention should be paid to testing and ethical hacking, which help to identify and eliminate key vulnerabilities. During operation, the application is guarded by dedicated protection tools. Here an installed antivirus and firewall will not save the application.



Usually, a next-generation firewall (NGFW) for intrusion prevention and a web application firewall (WAF) for filtering application traffic serve as the application's shield and sword. The difference between them is that an NGFW controls the access of external applications to enterprise data, while a WAF protects user applications on internal servers by analyzing data transmitted over the HTTP and HTTPS protocols. It is the WAF that can analyze packet content in depth and take the structure of web applications into account, which provides real-time protection and monitoring of applications, as well as the ability to block both known attacks and zero-day attacks.



Features of WAF technology





Comparing 7 WAF leaders of the Gartner Magic Quadrant by characteristics



There are many WAF solutions on the market, for every taste. To choose the product that suits your company, pay attention to functionality: different vendors offer slightly different services. Below is an overview of the market leaders among WAF software solutions, devices and cloud services, as defined by the 2018 Magic Quadrant for Web Application Firewalls. More detailed information about them can be found in the WAF comparison table on ROI4CIO, where you can compare 28 WAFs on 32 characteristics.





In this review we will try to highlight the main properties and advantages of the 7 most popular of them.



Akamai Kona Web Application Firewall



Akamai's Kona Web Application Firewall (a cheaper, trimmed-down version of Kona Site Defender) is suitable for customers who need a cloud WAF service, especially those already using Akamai as a CDN. It is a relatively expensive product, but it is developed by a company (Cambridge, 7500 people) whose development team deals exclusively with the security of web applications.



Akamai provides a managed SOC that can track incidents. The vendor applies automatic analytics and sorting to all the traffic it processes, so that customers can set up their signatures and collect threat information to create new means of protection.



Since Akamai's WAF is available only as a cloud service, it will not suit organizations that simply do not like cloud security solutions, or potential customers whose evaluations find that compliance and regulatory restrictions limit its use.



Akamai's Kona Web Application Firewall on the vendor's site







Barracuda Web Application Firewall



Barracuda Web Application Firewall is a comprehensive system designed to secure web applications and sites for medium-sized businesses. Barracuda WAF repels attackers who exploit weaknesses in protocols and applications for data theft, service disruption, or website defacement. The vendor supplies the WAF line as physical or virtual devices, and it is also available on the Microsoft Azure, AWS and Google Cloud Platform (GCP) platforms. With the release of the WAF 1060, Barracuda now supports bandwidths of up to 10 Gbps.



Barracuda remains one of the best WAFs in Microsoft Azure. Barracuda Cloud WAF as a service includes DDoS protection at no extra charge. Customers value its technical support.



Users rate the interface as user-friendly. And here is good news for Russian speakers: Barracuda WAF has not only an English but also a Russian interface.



The Barracuda product protects against the following attacks: SQL injection, cross-site scripting (XSS), session forgery and buffer overflow. It also prevents information theft by monitoring all outgoing data for leaks of sensitive information (bank account numbers, personal user information, passwords and so on).



The system administrator can detect DoS and DDoS attacks in time thanks to a special function that monitors the data transfer rate. A powerful built-in antivirus checks any data and files imported into the system for malicious code.



Barracuda Web Application Firewall is fully compatible with the most common authentication systems (Active Directory, eDirectory) that support LDAP/RADIUS. In addition, there is a two-factor authentication function: the system supports user authenticators and tokens (RSA SecurID) to ensure reliable protection of client authentication.



Barracuda Web Application Firewall on the vendor site



Barracuda Web Application Firewall Cost Calculator on ROI4CIO







Cloudflare WAF



Cloudflare's cloud web application firewall (WAF) protects web applications from common vulnerabilities, such as SQL injection attacks, cross-site scripting and cross-site request forgery, without changes to the existing infrastructure. Relatively inexpensive plans are convenient for small companies. There are more expensive custom plans for large companies (Enterprise). The company's self-service model lets customers quickly and easily customize configurations using wizards, so customers appreciate the ease of maintenance.



Cloudflare (San Francisco, 700 employees) develops DDoS protection and CDN offerings. Cloudflare is a provider with a bandwidth of 15 Tbps and 152 data centers around the world. This infrastructure not only supports high-performance applications, but also provides the most advanced protection.



The recent addition of Cloudflare Workers allows customers to host web applications in Cloudflare's infrastructure, which should be attractive for small organizations. The provider also offers an easily accessible “I'm under attack” button. It automatically enables a set of protections and is convenient for emergency response.



Cloudflare offers WAF only as a cloud service. For organizations with restrictions on cloud services and organizations that require local physical or virtual devices, the product is not suitable.



Cloudflare WAF on the vendor site







Citrix NetScaler Application Firewall



Citrix NetScaler AppFirewall is a good choice for Citrix customers who value high-performance WAF devices. NetScaler Web App Firewall is designed for the public sector and for large and medium-sized businesses, thanks to NetScaler's ability to scale applications for large organizations. It comes as a virtual machine, as a hardware appliance and as a cloud service.



NetScaler's TLS decryption capabilities and its integration with Thales and SafeNet hardware security modules (HSMs) are often key features in evaluations made with the future in mind, when an organization plans further growth.



Citrix (CTXS, Santa Clara, Calif., more than 9,600 people) develops the NetScaler ADC portfolio, which includes hardware (MPX), software (VPX), container (CPX) and multi-instance (SDX) options. All of these ADC options offer WAF (NetScaler AppFirewall) and Secure Sockets Layer (SSL) virtual private network (VPN) modules. The WAF is also available as a standalone product.



Citrix mainly sells AppFirewall as an add-on to customers who are primarily interested in its ADC features or high-performance environments. The bandwidth of the Citrix Web Application Firewall ranges from 500 Mbps to 44 Gbps.



Customers appreciate the support they receive from system integrators and service providers. They also appreciate the improvements in manageability through the API. Most Citrix clients use NetScaler AppFirewall as a software option on top of their physical ADC device.



Citrix NetScaler Application Firewall protects against SQL injection, XSS, tampering with read-only (hidden) form parameters and other attacks. A data leak prevention function guards against theft of credit card data and other confidential data, filtering and, if necessary, blocking the transmitted information.



Citrix NetScaler AppFirewall on the vendor site







F5 Networks Silverline Web Application Firewall



F5 WAF is mainly used as a software option, Application Security Manager (ASM), which is integrated into the F5 Big-IP platform. F5 (Seattle, WA, 4,300 employees) is known for its ADC product lines (Big-IP and Viprion). F5's Big-IP line of hardware devices can also run a limited (but upgradeable) version of the full software that acts as a standalone security solution (for example, a standalone WAF).



Under the Silverline brand, F5 provides cloud WAF and DDoS protection. Two service options are available: Silverline Managed WAF and self-service WAF Express with a threat intelligence add-on. All Silverline services rely on Big-IP technology.



Silverline WAF protects applications from attacks based on SQL injection, zero-day attacks, JSON attachments, the OWASP Top Ten, and others. An important advantage of Silverline WAF is an automated learning function that uses iRules and iApps technologies for real-time reconfiguration to match the specifics of new threats.



F5 supports AWS, Azure, Google Cloud, OpenStack and VMware Cloud. Multicloud support with unified management appeals to organizations building hybrid architectures.



Silverline WAF offers 24x7 support from security experts. The product provides an opportunity to reduce operating costs by using the special resources of the F5 Networks Security Center while managing WAF policies. The integrated proactive monitoring feature from F5 Networks employs external, specialized solutions to protect applications from new attacks. The solution generates access reports through the customer portal.



F5 Networks Silverline Web Application Firewall on the vendor site







Fortinet FortiWeb



FortiWeb, the web application firewall from Fortinet (Sunnyvale, California, 5,000 employees, about 1,000 people in R&D), is aimed at medium and large businesses, as well as Internet service providers.



The product comes as a hardware or virtual device, and also as a cloud service (starting in 2017). With support from FortiGuard Labs security services, FortiWeb provides robust threat analysis and protection against the latest application vulnerabilities, bots, and suspicious URLs. In addition, thanks to two threat detection mechanisms built on AI-based machine learning and statistical probabilities for detecting anomalies and individual threats, web applications are protected from complex cyber risks: SQL injection, cross-site scripting, buffer overflow, malicious changes to cookies, sources of threats and DoS attacks.



FortiWeb is available as a physical or virtual (FortiWeb-VM) device (eight models, from 25 Mbit/s to 20 Gbit/s), as well as FortiWeb Cloud on the AWS and Azure IaaS platforms, which made the product accessible to medium-sized businesses.



FortiWeb subscriptions include IP address reputation, antivirus, security updates (signatures and machine learning models), credential protection and cloud-based sandbox software (FortiSandbox). FortiWeb is a good choice for protecting file-sharing services, as it offers extensive capabilities and integration for malware detection, and can also integrate with Fortinet sandbox solutions.



Full compatibility of all Fortinet products with each other makes it possible to scale the system quickly and easily. The high degree of automation of operations and the simplicity of their maintenance reduce the number of errors caused by human factors. In addition, this allows you to reduce the number of employees in the information security department.



Fortinet FortiWeb vendor site





Imperva SecureSphere Web Application Firewall



Imperva WAF solutions are designed for use in the public sector, as well as in large and medium businesses. SecureSphere is supplied as both physical and virtual devices. It is also available as a cloud service (WAF Incapsula) on AWS and Microsoft Azure. Imperva (Redwood Shores, California) also offers managed rulesets for AWS WAF.



The maximum supported bandwidth of the top model reaches 10 Gb/s. In addition to HTTP/HTTPS, there is support for the WebSockets, XML and JSON web standards. The products stand out for applying several cyber defense technologies simultaneously: protocol monitoring for abnormal behavior, dynamic profiling, signature-based analysis and session tracking. All Imperva products come with quality support, as rated by customers.



The Imperva web application firewall consists of two main modules:

SecureSphere Web Application Firewall - protection of web applications from cyber attacks;

ThreatRadar - a reputation database (ThreatRadar allows you to quickly block traffic coming from suspicious sources before it can do any harm).



Imperva offers flexible licensing for organizations using both local and cloud applications. This allows the manufacturer to focus on a wider range of use cases and organizations, as well as better manage the transition from the WAF device to the WAF cloud service.



SecureSphere customers report that the management console's more advanced features remain difficult to use, and that professional services are often required for deployment.



For effective protection, it uses mechanisms based on the signatures of the free open-source Snort intrusion prevention system, as well as its own SQL signatures generated by the ADC (Application Defense Center) research center. For fault tolerance, Active-Active and Active-Passive clustering is supported.



SecureSphere WAF supports non-inline sniffer, transparent proxy and reverse proxy modes, and has excellent SSL support: passive SSL decryption, support for sessions established with client certificates, and operation both with termination and without it (that is, SSL traffic analysis without termination). Importantly, the product includes hardware modules that accelerate SSL processing.



A reference security model is formed by classifying rules and applying detailed signatures (using firewall rules, creating signatures and handling protocol violations). To adapt the WAF to a changing application, the web application profile created in machine learning mode can be modified. Manual configuration of the web application profile is also available.



The report generator built into SecureSphere WAF provides system administrators with reports that meet the requirements of information security standards. You can also generate your own customized reports (including on a schedule) and export them to various formats.



Imperva SecureSphere Web Application Firewall on the vendor site



Imperva SecureSphere Web Application Firewall Cost Calculator on ROI4CIO







Conclusions



There is an opinion that in the future cybercrime statistics will exceed those of offline crime. Even now, protection against attacks should not be neglected; these investments pay off completely. A WAF solution is a small but important brick in your line of defense against intruders.



Authors: Natalia Zorba, Victoria Sholoyko, for ROI4CIO

Source: https://habr.com/ru/post/442016/


