Secure Application Deployments with KEMP’s Web Application Firewall (WAF)
KEMP’s Application Firewall Pack (AFP)* combines Layer 7 Web Application Firewall protection with other application delivery services including intelligent load balancing, intrusion detection, intrusion prevention as well as edge security and authentication. KEMP WAF provides continuous protection against vulnerabilities with daily rule updates based on threat intelligence and research from information security provider, Trustwave.
What does a Web Application Firewall (WAF) protect against?
| Vulnerability | Protection provided by WAF |
|---|---|
| Injection of untrusted data | Identify and block requests that contain untrusted data or code |
| Broken authentication and session management | Protect against exploitation of weak Session ID management |
| Cross site scripting | Protect against dynamically adding malicious code to a web page |
| Flawed access control | Enforce access controls on what resources are accessible |
| Misconfigured security | Ongoing protection for resources that are misconfigured or vulnerable |
| Sensitive data exposure | Protect against leakage of information such as credit card numbers |
| Attack protection | Adds a layer of protection via constantly updated rules |
| Cross site request forgery | Protect authenticated users against forged requests |

Table 1 - What protection is provided by a WAF
With a targeted focus on application-specific exploits missed by traditional firewalling techniques, AFP plays a key part in a defense-in-depth strategy that mitigates risk and optimizes applications.
Comprehensive Security Services
LoadMaster provides integrated security capabilities including Web Application Firewall (WAF) protection, edge security, L7 IPS/IDS, DDoS mitigation, application publishing and authentication services as standard features on all platforms, including select hardware appliances.
Protecting web applications is of critical importance for all organizations, especially those which process payments. In order to help customers with PCI-DSS requirements, AFP reduces the need for extensive code reviews with industry proven rule sets that are regularly and automatically updated.
Ease of Deployment and Use
With KEMP’s focus on simplicity and shortening time to production for application deployment, LoadMaster with Application Firewall Pack (AFP) enables secure, scalable, and always-on workload delivery in one fully integrated, easy to use and deploy load balancing solution.
Key Threats Mitigated by the KEMP Application Firewall Pack
Cookies are small pieces of text transmitted to web clients by a server or proxy with the intent to eventually be sent back to the server or proxy, unchanged. These are used in authentication and authorization processes as well as to track and maintain state across HTTP sessions. They can also be used to accomplish a number of attacks (SQL injection, XSS, buffer overflow, integer overflow) by injecting malicious values into the cookie.
Cross Site Request Forgery
Cross-site request forgery (CSRF or XSRF) attacks execute unwanted commands on a web application by using an end user's authentication without their knowledge. These exploits inherit the privilege level of the user and appear legitimate to the application to which the user is authenticated. By checking referrer headers, Application Firewall Pack blocks attempts at leveraging CSRF against application infrastructures.
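The referrer-based check described above, written out as an added illustrative example (not KEMP's implementation): state-changing requests must carry an Origin or Referer header whose host is on the application's allow-list, and the `strict` flag decides whether a request with neither header fails closed. The header names, host list and sample requests are assumptions.

```python
"""Added example: simplified referrer/origin check for CSRF, not KEMP's code."""
from urllib.parse import urlsplit

# Only methods that change server state need a source check.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def _host_of(url):
    """Return the lowercase host[:port] of an absolute URL, or None."""
    if not url:
        return None
    return urlsplit(url).netloc.lower() or None


def csrf_check(method, headers, allowed_hosts, strict=True):
    """Return (allowed, reason) for one request.

    Origin is preferred over Referer because browsers send it on
    cross-origin POSTs even when a policy strips Referer. With
    strict=True a state-changing request carrying neither header is
    rejected (fail closed); strict=False lets it through.
    """
    if method.upper() not in STATE_CHANGING:
        return True, "safe method"
    hdrs = {k.lower(): v for k, v in headers.items()}
    allowed = {h.lower() for h in allowed_hosts}
    if hdrs.get("origin", "").strip().lower() == "null":
        return False, "opaque (null) origin"   # sandboxed frame or redirect chain
    host = _host_of(hdrs.get("origin") or hdrs.get("referer"))
    if host is None:
        return (not strict), "no Origin/Referer header"
    if host in allowed:
        return True, "source host allowed"
    return False, "cross-site request from %s" % host


if __name__ == "__main__":
    # Constructed sample requests against a hypothetical app.example host.
    samples = [
        ("GET", {}),
        ("POST", {"Origin": "https://app.example"}),
        ("POST", {"Referer": "https://evil.example/form.html"}),
        ("POST", {}),
        ("POST", {"Origin": "null"}),
    ]
    for method, hdrs in samples:
        print(method, hdrs, "->", csrf_check(method, hdrs, ["app.example"]))
```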
Cross-site scripting (XSS) attacks exploit web-based applications by sending scripts that are transparently activated by clients when read, allowing for user identity theft, cookie poisoning and malicious redirection. KEMP's Application Firewall Pack mitigates this attack by disallowing the malicious injection of untrusted data into values that are passed.
Data Loss Prevention (DLP)
The unauthorized transfer of sensitive information out of a network is accomplished through both malicious and legitimate means, including File Transfer Protocol (FTP), web applications, Windows Management Instrumentation (WMI) and messaging clients. By inspecting and denying egress traffic containing unauthorized data, KEMP's Web Application Firewall Pack prevents the exfiltration of sensitive content out of application infrastructures based on business policies.
Injection attacks leverage client sessions to insert input data into a traffic stream that can be used to read privileged data, modify content and execute administrative operations. KEMP’s Web Application Firewall Pack mitigates such attacks by dynamically monitoring client traffic flows for malicious injection patterns and preventing unauthorized execution.
Payment Card Industry Data Security Standards (PCI-DSS) Requirements Supported by KEMP’s Web Application Firewall Pack
PCI-DSS Section 1.2: Deny traffic from untrusted networks and hosts
The integrated security features of LoadMaster with AFP limit access to only explicitly allowed entities, using only the protocols that are dictated as allowable.
PCI-DSS Section 3.3: Mask account numbers when displayed
Application Firewall Pack can be configured to prevent the leakage of sensitive PII (personally identifiable information), which is often targeted through a variety of application vectors.
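An added example of the egress inspection the DLP section describes and of the account-number masking PCI-DSS 3.3 requires (illustrative code, not KEMP's rule set): response bodies are scanned for candidate card numbers, each candidate is confirmed with the Luhn checksum so that order IDs and timestamps are not mangled, and confirmed numbers are masked down to the last four digits. The sample response body and the 13-19 digit candidate pattern are assumptions.

```python
"""Added example: egress DLP scan that masks card numbers, not KEMP's code."""
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces/dashes,
# not embedded in a longer digit run.
_PAN_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_ok(digits):
    """Luhn checksum over a digit string; true for a structurally valid PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(raw):
    """Return (masked, True) for a Luhn-valid PAN, else (raw, False).

    Separators are kept in place; only the last four digits survive, which
    is within the first-six/last-four maximum PCI-DSS 3.3 allows.
    """
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_ok(digits):
        return raw, False
    keep_from = len(digits) - 4
    out, seen = [], 0
    for ch in raw:
        if ch.isdigit():
            out.append(ch if seen >= keep_from else "X")
            seen += 1
        else:
            out.append(ch)
    return "".join(out), True


def inspect_egress(body):
    """Scan one response body; return (sanitised_body, number_of_pans_masked)."""
    found = 0

    def repl(m):
        nonlocal found
        masked, hit = mask_pan(m.group(0))
        found += hit
        return masked

    return _PAN_RE.sub(repl, body), found


if __name__ == "__main__":
    # Constructed response: one order number (fails Luhn) and two test PANs.
    sample = '{"order":"1234567890123456","card":"4111 1111 1111 1111","alt":"5500-0000-0000-0004"}'
    print(inspect_egress(sample))
```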
PCI-DSS Section 3.5: Protect encryption keys against disclosure and misuse
By supporting FIPS 140-2 Level 2 compliance, the LoadMaster 5305-FIPS protects encryption keys while delivering application firewalling.
PCI-DSS Section 4.1: Use strong cryptography and security protocols
LoadMaster with AFP provides an overlay for applications that may not have been originally developed to use SSL and TLS sessions, improving environment security.
PCI-DSS Section 6.6: Audit and correct application code vulnerabilities or institute an application firewall
AFP enables ongoing real-time protection against the latest application threats to prevent the exploitation of potential application code vulnerabilities.
KEMP AFP and daily rule updates are available on all platforms (cloud, virtual, bare metal and dedicated hardware) with an Enterprise Plus Subscription. KEMP customer support for custom rule implementation and troubleshooting requires an add-on service engagement.