Security, security, security
As covered in our recent blog, online security is more important than ever. When running a bricks and mortar shop you would know never to leave the shop unattended, to lock the door, drop the shutters at night and set the alarm. Online shops are the same: although the forms of security are different (patches, firewalls), they have the same purpose, to protect your business. One of the more advanced means of securing your website is a Web Application Firewall (WAF). This is a solution whose function is to monitor, filter and, if necessary, block HTTP/HTTPS traffic to and from the end user's server. Essentially, your network firewall prevents non-HTTP/HTTPS attacks, while the WAF also stops malicious or unwanted HTTP/HTTPS data, allowing only safe traffic through to your server.
Essentially the WAF helps prevent vulnerabilities in web applications from being exploited by outside threats. As examples of WAF providers we will now outline the individual offerings from Foregenix, Sucuri and Cloudflare.
Foregenix
Foregenix was founded in 2009 as a team originally specialising in forensics; from this the company developed extensively into compliance and risk services. Specifically, they have a history of helping payment organisations with security solutions that secure customers' information.
They offer a wide range of bespoke security solutions, from which we will look at their FGX-Web Business package, which is ‘designed for 95% of small to medium sized eCommerce websites’. No prices are given on Foregenix's website.
The Business package includes:
Advanced WAF
OWASP Threat Protection
SQL Injection Protection
Cross Site Scripting (XSS) Protection
Shopping Cart Protection
Remote File Inclusion Protection
SSL Support
DDOS Protection
Custom Event Management
Custom WAF Rules and Management
Dedicated Elastic Load Balancer
Site Accelerator – rapid content delivery
Granular customised WAF
Use your own SSL Certificate
PCI DSS Website Security Monitoring
All FGX-Web Alert features (Foregenix's first step offering in security)
Foregenix Secure Seal
Daily Malware Scanning
File Change Monitoring
Payment Card Data Scans
Backdoor/Webshell Scanning
Web Log Monitoring
Experienced Security Support
Website Reputation Management
Search Engine Blacklist Monitoring
SSL Verification
SPAM Verification
Domain Verification
Their solution is ‘scalable and effective – protects your website through multiple growth stages’. As can be seen the WAF is complemented by a suite of monitoring and scanning features to help protect your site against malicious attacks and ensure you are fully PCI compliant.
Below is Foregenix's diagram of how their WAF solution works.
Foregenix's layer 7 (Application Layer) firewall acts as a reverse HTTP proxy, controlling input and output and/or access to an application or service. Any input, output or system calls that do not meet the configured policies of the firewall can be blocked.
Your original site domain name is configured to pass HTTP(S) requests to the WAF first by having the domain name resolve to the WAF's IP. The target site is then configured to accept incoming traffic only from the WAF's IP.
After inspection the request is:
Forwarded to the target site (legitimate traffic)
Forwarded to target site but with an alert attached (a ‘warning mode’)
Blocked as undesirable traffic
As your server sits behind the WAF it effectively becomes the back end, and that back-end server is no longer exposed to the internet. Once set up, your site accepts traffic only from the WAF, ensuring that all traffic is assessed before reaching your server.
As Foregenix explains, “The actual rules determining what is desirable, what should be ignored, what should be blocked etc. are configurable through the FGX-Web Web UI.” Foregenix FGX-Web Protect offers additional layer 3 and 4 protection, completely blocking all non-HTTP/HTTPS traffic. In addition to this they offer a £50,000 warranty against a PCI forensic investigation.
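As an added example (not Foregenix's code), a small Python model of the inspection step described above: each request receives one of the three verdicts (forwarded, forwarded with an alert in warning mode, or blocked), and the origin-side check enforces that the back-end server accepts connections only from the WAF's IP range. The rule set and the WAF IP range are constructed placeholders, not the provider's real rules or addresses.

```python
import ipaddress
import re
from dataclasses import dataclass, field

FORWARD, WARN, BLOCK = "forward", "warn", "block"

@dataclass
class Rule:
    name: str
    pattern: re.Pattern
    action: str  # BLOCK, or WARN ("warning mode": forward but attach an alert)

# Constructed rule set for illustration only; a production WAF carries hundreds of rules.
RULES = [
    Rule("sqli-union-select", re.compile(r"\bunion\b.*\bselect\b", re.I), BLOCK),
    Rule("xss-script-tag", re.compile(r"<script\b", re.I), BLOCK),
    Rule("rfi-remote-url", re.compile(r"=(https?|ftp)://", re.I), WARN),
]

@dataclass
class Request:
    method: str
    path: str
    query: str = ""
    body: str = ""
    headers: dict = field(default_factory=dict)

def inspect(req: Request, rules=RULES):
    """Classify one request as FORWARD, WARN or BLOCK and list the rules that fired.
    Rules run over path, query, body and header values; one BLOCK rule overrides
    any WARN rule, and a WARN rule only downgrades a FORWARD verdict."""
    verdict, hits = FORWARD, []
    for text in (req.path, req.query, req.body, *req.headers.values()):
        for rule in rules:
            if rule.pattern.search(text):
                hits.append(rule.name)
                if rule.action == BLOCK:
                    verdict = BLOCK
                elif verdict == FORWARD:
                    verdict = WARN
    return verdict, sorted(set(hits))

# Placeholder WAF egress range (TEST-NET-3); a real deployment uses the provider's published IPs.
WAF_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]

def origin_accepts(client_ip: str, allowed=WAF_EGRESS) -> bool:
    """Origin-side check: the back-end server accepts connections only from the WAF."""
    return any(ipaddress.ip_address(client_ip) in net for net in allowed)
```

In warning mode the WAF still forwards the request, so the alert list returned alongside the verdict is what would be attached for the site owner to review.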
Cloudflare
Cloudflare was created in 2009 and launched in 2010. It has since acquired StopTheHacker (malware detection, automatic malware removal, and reputation and blacklist monitoring) in 2014, followed by Eager in December 2016.
As an example of Cloudflare’s packages we will look at their Business Plan model ($200/month per website*) which includes:
Web Application Firewall (WAF) with 25 custom rulesets
Inc. Protection from top 10 OWASP vulnerabilities
Injection
Broken Authentication and Session Management
Sensitive Data Exposure
XML External Entities (XXE)
Broken Access Control
Security Misconfiguration
Cross-Site Scripting (XSS)
Insecure Deserialization
Using Components with Known Vulnerabilities
Insufficient Logging & Monitoring
Custom SSL certificate upload
PCI compliance thanks to Modern TLS Only mode and WAF
Access to account Audit Logs
Plus these features
Global Content Delivery Network (CDN)
Image optimizations with Polish™
Mobile optimizations with Mirage™
Prioritized email Support
Accelerate delivery of dynamic content with Railgun™
50 page rules
Bypass Cache on Cookie
*It is worth noting that Cloudflare also offer a Pro package at $20/month per website which includes a WAF but does not offer PCI compliance and is not targeted at eCommerce websites.
The plan is advertised “For small eCommerce websites and businesses requiring advanced security and performance, PCI compliance, and prioritized email support.” Cloudflare's WAF works on collective intelligence: out of roughly 2.9 million requests every second, their WAF continually identifies threats which, if relevant to your own domain, are immediately applied.
This is in addition to the top 10 OWASP rules plus the 25 custom rule-sets that are offered with the Business Plan, and the 148 built-in rules which can be applied at the click of a button. Cloudflare's WAF runs on the same extensive network as their Content Delivery Network (CDN, covered below) and is said to add latency of less than 1 millisecond.
As mentioned Cloudflare also offer their Content Delivery Network as part of their Business Plan. The aim of this service is to speed up your content to end users by the use of 137+ data centres which cache static content across Cloudflare’s global content delivery network.
Sucuri
Founded in 2010, Sucuri originally provided webmasters with a tool that gave them visibility into the security status of their websites. In 2010 Sucuri became an LLC and now has over 100 employees in 27 different countries.
Now a look at Sucuri's most popular WAF offering, the Pro plan at $19.98 per month. Sucuri's Firewall is a cloud based, software as a service WAF and Intrusion Prevention System (IPS) developed exclusively for websites. It acts as a reverse proxy where the WAF intercepts and inspects all incoming HTTP/HTTPS requests. All malicious requests are stripped at the Sucuri network edge before they reach your server.
As it provides virtual patching and virtual Hardening engines the Firewall mitigates threats as they happen. They claim that this not only doesn’t impact your website negatively, it can make it up to 75% faster due to their own CDN.
All dynamic and static content is cached across their CDN, which uses Anycast to ensure your customers connect to the nearest Point of Presence (PoP). This results in improved availability, resilience and failover capability for any website. As an SSL certificate is included in conjunction with the use of the CDN, two recognised factors in Google ranking, your SEO can also be improved.
Sucuri’s WAF:
Mitigates Distributed Denial of Service (DDoS) Attacks
Prevents Vulnerability Exploit Attempts
SQL injections
cross-site scripting (XSS)
remote file inclusion (RFI)
local file inclusion (LFI)
Protects Against the OWASP Top 10 (and more)
Protects Against Zero-Day Exploits
Protects Against Access Control Attacks, such as Brute Force attempts
Offers Performance Optimization with its CDN
Sucuri’s WAF is aimed at additional security in conjunction with a performance boost and improved SEO.
WAF – A worthwhile addition to your site's security?
A WAF is the best available preventive security control for web applications, significantly reducing the risk of web vulnerabilities being exploited. It is however important to ensure that your WAF is properly configured, allowing it to prevent simple vectors of the most common web vulnerabilities (XSS and SQL injection), even in very dynamic and complicated environments. In particular, virtual patching is especially useful for the security of your site.
The most prevalent issue in cyber security is attacks against web servers. From gaining control of your server to spread malware, to stealing data such as customer details including anything from email addresses to payment details, your server is a target for cyber criminals. A WAF is one more layer of security that could well save you from a very expensive attack.
Each of the above offerings will help in protecting your server, but as with any important decision it is always recommended that you contact the providers, talk to them, and see what they can provide for your own specific needs, the cost options available and what you require from them. When you buy into their WAF you also need to look at their other services, for example Cloudflare's extensive CDN (not required if your intended market is regionally based), Foregenix's wealth of knowledge in PCI compliance and Sucuri's price per feature.