
WEB APPLICATION FIREWALL

Security, security, security

As covered in our recent blog, online security is more important than ever. When running a bricks and mortar shop you know never to leave the shop unattended, to lock the door and drop the shutters at night, and to set the alarm. Online shops are the same: although the forms of security are different (patches, firewalls), they have the same purpose, to protect your business. One of the more advanced means of securing your website is a Web Application Firewall (WAF). Its function is to monitor, filter and, if necessary, block HTTP/HTTPS traffic to and from the end user's server. Essentially your network firewall prevents non-HTTP/HTTPS attacks, while the WAF also blocks malicious or unwanted HTTP/HTTPS requests, allowing only safe traffic through to your server.

Basic WAF

Essentially a WAF helps prevent vulnerabilities in web applications from being exploited by outside attackers. As examples of WAF providers we will now outline the individual offerings from Foregenix, Sucuri and Cloudflare.

Foregenix

Foregenix was founded in 2009 by a team originally specialising in forensics; from there the company expanded extensively into compliance and risk services. In particular they have a history of helping payment organisations with security solutions that protect customer information.

They offer a wide range of bespoke security solutions, from which we will look at their FGX-Web Business package, which is ‘designed for 95% of small to medium sized eCommerce websites’. No prices are given on Foregenix's website.

The Business package includes:

Advanced WAF

OWASP Threat Protection

SQL Injection Protection

Cross Site Scripting (XSS) Protection

Shopping Cart Protection

Remote File Inclusion Protection

SSL Support

DDOS Protection

Custom Event Management

Custom WAF Rules and Management

Dedicated Elastic Load Balancer

Site Accelerator – rapid content delivery

Granular customised WAF

Use your own SSL Certificate

PCI DSS Website Security Monitoring

All FGX-Web Alert features (Foregenix's first step offering in security)

Foregenix Secure Seal

Daily Malware Scanning

File Change Monitoring

Payment Card Data Scans

Backdoor/Webshell Scanning

Web Log Monitoring

Experienced Security Support

Website Reputation Management

Search Engine Blacklist Monitoring

SSL Verification

SPAM Verification

Domain Verification

Their solution is ‘scalable and effective – protects your website through multiple growth stages’. As can be seen, the WAF is complemented by a suite of monitoring and scanning features to help protect your site against malicious attacks and to keep you PCI compliant.

Below is Foregenix's diagram of how their WAF solution works.

Foregenix WAF

Foregenix's layer 7 (application layer) firewall acts as a reverse HTTP proxy, controlling input to and output from an application or service, and access to it. Any input, output or system call that does not meet the firewall's configured policies can be blocked.

Your original site domain name is configured to pass HTTP(S) requests to the WAF first by having the domain name resolve to the WAF's IP address. The target site is then simply configured to accept incoming traffic only from the WAF's IP address.

After inspection the request is:

Forwarded to the target site (legitimate traffic)

Forwarded to target site but with an alert attached (a ‘warning mode’)

Blocked as undesirable traffic

With your server sitting behind the WAF it effectively becomes the back end, and the actual back-end server is no longer exposed directly to the internet. Once set up, your site accepts connections only from the WAF, ensuring that all traffic is assessed before it reaches your server.
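The three outcomes above (forwarded, forwarded with an alert in warning mode, or blocked), together with the origin's check that only the WAF may connect to it, as a small Python model. This is an added illustration, not Foregenix's code or their product's rules; the rule patterns, header names and the 203.0.113.10 address are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote_plus

# Constructed address for the WAF proxy (TEST-NET-3 range); the origin accepts
# direct connections only from here, as the set-up described above requires.
WAF_ADDRESSES = [ipaddress.ip_network("203.0.113.10/32")]

# Illustrative rules: (name, pattern, action). "block" rejects the request,
# "warn" forwards it with an alert attached (the warning mode).
RULES = [
    ("sqli-union-select", re.compile(r"union\s+select", re.I), "block"),
    ("xss-script-tag", re.compile(r"<script\b", re.I), "block"),
    ("rfi-remote-url", re.compile(r"=(https?|ftp)://", re.I), "warn"),
]

@dataclass
class Decision:
    action: str                  # "forward", "warn" or "block"
    rule: Optional[str] = None   # name of the rule that fired, if any

def inspect_request(path: str, query: str, body: str = "") -> Decision:
    """Classify one request into the three outcomes described above."""
    # Percent-decode first so an encoded payload is matched on its plain form.
    parts = [unquote_plus(path), unquote_plus(query), unquote_plus(body)]
    verdict = Decision("forward")
    for name, pattern, action in RULES:
        if any(pattern.search(p) for p in parts):
            if action == "block":
                return Decision("block", name)   # a block rule always wins
            verdict = Decision("warn", name)     # keep scanning for a block rule
    return verdict

def forward_headers(decision: Decision) -> dict:
    """Headers the proxy adds when forwarding; warn mode attaches the alert."""
    headers = {"X-Forwarded-By": "waf-example"}
    if decision.action == "warn":
        headers["X-WAF-Alert"] = decision.rule
    return headers

def origin_accepts(client_ip: str) -> bool:
    """Origin-side check: only the WAF's own address may connect directly."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in WAF_ADDRESSES)
```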

As Foregenix explains, “The actual rules determining what is desirable, what should be ignored, what should be blocked etc. are configurable through the FGX-Web Web UI.” Foregenix FGX-Web Protect offers additional layer 3 and 4 protection, completely blocking all non-HTTP/HTTPS traffic. In addition they offer a £50,000 warranty against a PCI forensic investigation.

Cloudflare

Cloudflare was created in 2009 and launched in 2010. It has since acquired StopTheHacker in 2014, a malware detection, automatic malware removal, reputation and blacklist monitoring service, followed by Eager in December 2016.

As an example of Cloudflare’s packages we will look at their Business Plan model ($200/month per website*) which includes:

Web Application Firewall (WAF) with 25 custom rulesets

Including protection from the OWASP Top 10 vulnerabilities:

Injection

Broken Authentication and Session Management

Sensitive Data Exposure

XML External Entities (XXE)

Broken Access Control

Security Misconfiguration

Cross-Site Scripting (XSS)

Insecure Deserialization

Using Components with Known Vulnerabilities

Insufficient Logging & Monitoring

Custom SSL certificate upload

PCI compliance thanks to Modern TLS Only mode and WAF

Access to account Audit Logs

Plus these features:

Global Content Delivery Network (CDN)

Image optimizations with Polish™

Mobile optimizations with Mirage™

Prioritized email Support

Accelerate delivery of dynamic content with Railgun™

I’m Under Attack™ mode

50 page rules

Bypass Cache on Cookie

*It is worth noting that Cloudflare offer a Pro package at $20/month per website which includes a WAF but does not offer PCI compliance and is not targeted at eCommerce websites.

The plan is advertised “For small eCommerce websites and businesses requiring advanced security and performance, PCI compliance, and prioritized email support.” Cloudflare’s WAF works on collective intelligence: out of roughly 2.9 million requests every second across their network, the WAF continually identifies new threats and, where relevant to your own domain, the corresponding protections are applied immediately.

Cloudflare WAF

This is in addition to the OWASP Top 10 protection and the 25 custom rule-sets offered with the Business Plan, and the 148 built-in rules which can be applied at the click of a button. Cloudflare’s WAF runs on the same extensive network as their Content Delivery Network (CDN, covered below) and is said to add latency of less than 1 millisecond.

As mentioned, Cloudflare also offer their Content Delivery Network as part of their Business Plan. The aim of this service is to speed up delivery of your content to end users by using 137+ data centres that cache static content across Cloudflare’s global network.

Sucuri

Founded in 2010, Sucuri originally provided webmasters with a tool that gave them visibility into the security status of their websites. In 2010 Sucuri became an LLC, and it now has over 100 employees in 27 different countries.

Now a look at Sucuri’s most popular WAF offering, the Pro plan at $19.98 per month. Sucuri’s Firewall is a cloud-based, software-as-a-service WAF and Intrusion Prevention System (IPS) developed exclusively for websites. It acts as a reverse proxy: the WAF intercepts and inspects all incoming HTTP/HTTPS requests, and malicious requests are stripped out at the Sucuri network edge before they reach your server.

Because it provides virtual patching and virtual hardening engines, the Firewall mitigates threats as they happen. Sucuri claim that this not only has no negative impact on your website, it can make it up to 75% faster thanks to their own CDN.

Sucuri WAF

All dynamic and static content is cached across their CDN, which uses Anycast to ensure your customers connect to the nearest Point of Presence (PoP). This gives your website improved availability, resilience and failover capability. As an SSL certificate is included alongside the CDN, two recognised factors in Google ranking, your SEO can also be improved.

Sucuri’s WAF:

Mitigates Distributed Denial of Service (DDoS) Attacks

Prevents Vulnerability Exploit Attempts

SQL injections

cross-site scripting (XSS)

remote file inclusion (RFI)

local file inclusion (LFI)

Protects Against the OWASP Top 10 (and more)

Including protection from the OWASP Top 10 vulnerabilities:

Injection

Broken Authentication and Session Management

Sensitive Data Exposure

XML External Entities (XXE)

Broken Access Control

Security Misconfiguration

Cross-Site Scripting (XSS)

Insecure Deserialization

Using Components with Known Vulnerabilities

Insufficient Logging & Monitoring

Custom SSL certificate upload

Protects Against Zero-Day Exploits

Protects Against Access Control Attacks, such as Brute Force attempts

Offers Performance Optimization with its CDN

Sucuri’s WAF is aimed at providing additional security together with a performance boost and improved SEO.

WAF – A worthwhile addition to your site's security?

A WAF is the best available preventive security control for web applications, significantly reducing the risk of web vulnerabilities being exploited. It is, however, important to ensure that your WAF is properly configured so that it prevents the simple vectors of the most common web vulnerabilities (XSS and SQL injection), even in very dynamic and complicated environments. Virtual patching in particular is especially useful for the security of your site.

The most prevalent issue in cyber security is attacks against web servers. From gaining control of your server to spread malware, to stealing data such as customer details (anything from email addresses to payment details), your server is a target for cyber criminals. A WAF is one more layer of security that could well save you from a very expensive attack.

Each of the above offerings will help in protecting your server, but as with any important decision it is always recommended that you contact the providers, talk to them and find out what they can provide for your specific needs, the cost options available and what you require from them. When you buy into their WAF you also need to look at their other services, for example Cloudflare’s extensive CDN (not required if your intended market is regionally based), Foregenix's wealth of knowledge in PCI compliance and Sucuri’s price per feature.