Adding Layered Security to Cloud Applications

Posted on

The internet is a dangerous place, with many bad actors using automated tools to attack organizations of all sizes, 24 hours a day, seven days a week. Regardless of your business size, hackers will attack your network to extort, steal data, or use your enterprise as a launchpad for subsequent attacks.  

In this blog, we will look at how hackers attack and how to mitigate these attacks and preserve the security and availability of applications in the cloud. Maintaining secure applications and high availability requires layered security. In this blog, we will focus our attention on layered security as it relates to cloud applications, and how layered security can help with prevention and mitigation of cyberthreats. 

 Here is a preview of the topics discussed in this article:  

  • Why layered application protection is needed 
  • How to deploy layered security for cloud applications and deployment best practices 
  • How layered security defends against attacks and emerging cyberthreats  

Denial of Service Attacks: What are they and how do I protect my web applications from them? 

First, let’s kick this off by looking at the all-to-common denial of service attacks. Denial of service attacks are generally malicious or vindictive. They seldom actually attempt to break into your network, but instead swamp your website with traffic, impacting normal service.  

Denial of service attacks can result in serious financial costs from lost business transactions. Reputational costs will also cause a disruption to normal service and impact day-to-day business. 

Attacks can be based around network layer protocols and use well-known attack techniques, such as UDP reflection and sending floods. Other attacks can be focused on the application layer — usually the HTTP protocol, where the web server is swamped with requests.   

The first line of protection against denial-of-service attacks is your cloud service provider. All cloud service providers have protections in place to mitigate against large-scale attacks, also known as distributed denial of service attacks, or DDoS.  

The DDoS protection layer from your cloud service provider will work well against attacks that happen at the network layer. However, if the attack is more targeted, yields lower traffic volumes and operates at the application layer, the DDoS protection from your service provider may not detect the attack.  

A DDoS attack at the application layer attempts to overload the application servers with a request that may not be detectable by the network and the bandwidth-focused DDoS protection from your cloud service provider. Insert a load balancer, like the Progress Kemp LoadMaster load balancer, to provide an additional layer of protection to augment the cloud-native DDoS services.  

Adding DDoS Protection to Cloud Applications with LoadMaster 

Let’s look at adding DDoS protection with LoadMaster. The first layer of protection against DDoS attacks is to block traffic from known malicious sources based on their IP address. LoadMaster maintains a list of malicious IP addresses that is updated regularly and will drop connection requests from these IP addresses before they reach the application servers.  

As newly compromised endpoints are constantly appearing, this list will not catch all traffic, but can be amended by administrators to further reduce malicious traffic. LoadMaster can also block all known IP addresses from specific countries, further minimizing the attack risk. The IP reputation controls, which is what we call IP blocking, can be applied to LoadMaster’s global server load balancing feature, or GSLB, where DNS requests from malicious/bad actors are ignored.  

To further reduce the potential impact of denial-of-service attacks, LoadMaster can apply rate limits to traffic, preventing bad actors from swamping the application servers. Rate-limiting can be applied on the absolute bandwidth amount, the number of connections per second, the number of open connections at any one time, or the number of requests per second. Rate limiting can be applied selectively or across all services, and to all sources based on expected normal traffic patterns. It can also be tailored to specific sources based on IP or network address.  

Rate limiting and IP reputation controls may be updated in real-time, providing a means to quickly shut down an in-progress attack, leading to quicker restoration of normal service levels to the business. So, with IP reputation and rate limiting, we can enhance the cloud platform’s DDoS protection to further reduce the volume of malicious traffic getting through to application servers.  

Vulnerability Exploits: Protecting Against OWASP Top 10 and Emerging Attacks 

Let’s look at vulnerability exploits, where hackers exploit common weaknesses and web application to gain access to systems. New exploits against web applications are constantly emerging, whether against the tool sets or libraries used to build the applications, or against inherent weaknesses in how the application was developed or how it was deployed. As proven by industry research, not only do many applications have these vulnerabilities, but the detection and fixing of these problems is also a major challenge.  

Many of these attacks are bot-based and focus on well-known vulnerabilities, which are monitoring and classified by the non-profit organization OWASP, or the Open Web Application Security Project. The independent industry-supported group focused on application security produces an annual list of the top 10 exploits; a list referred to as the OWASP Top 10.  

The vulnerabilities being exploited change over the years, but some have remained constant in the OWASP Top 10 list for years. Issues such as injection or data components and server-side forgery are perennials on the list.  

So, what can you do to protect your applications from common vulnerabilities and new exploits? The load balancer web application firewall, or WAF, provides protection against known and emerging web attacks. The LoadMaster WAF applies a set of rules that not only include defense against the OWASP Top 10, but also many other vulnerabilities.  

While the base set of rules offers comprehensive protection, they may require some fine-tuning to remove false positives. Administrators can also create custom rule sets to address application- or business-specific requirements. LoadMaster WAF is totally integrated on the load balancing appliance and supports things like per application WAF configuration.  

Hacking Credentials: How Hackers Use Bots to Exploit Weaknesses 

Now, let’s explore how hackers use bots to exploit weaknesses around user credentials. A brute-force attack is a crude approach to trying to gain access. Generally, the bot will use a common username such as “admin” or accounts to make multiple login attempts using passwords from a dictionary of commonly used passwords. These types of attacks are not successful, generally, but can impact performance if generating a lot of login requests.  

Credential stuffing is another attack approach, and one that is generally more successful. The vulnerability stems from the fact that people will often register on third-party websites with their carpet email address and reuse their carpet password. If this third-party site gets compromised and the username and password list is stolen, hackers will then attempt to log in with these compromised credentials. These login attempts are highly automated, with successful logins being retained and then reused in focused hacking attempts against the business.  

LoadMaster authentication protects credentials with a client authentication service that integrates at the back end with all major identify providers, such as active directory, RADIUS LDAP, also including cloud-based services such as Azure Active Directory. Before access is granted to any load-balanced resource, clients must successfully authenticate with the LoadMaster and optionally be authorized by a method such as group membership or a LoadMaster zero trust network access policy.  

If load-balanced applications are also integrated with the identity provider, LoadMaster can perform single sign-on, reducing the number of logins a user must perform. Even if the application has no concept of authentication or users, you can use pre-authentication to control access to that app, although it knows nothing about users or authentication.  

One of the simplest ways to stop a bot-based credential attack is use of CAPTCHA. LoadMaster supports the creation of custom login screens with embedded CAPTCHA challenges to create the first hurdle for any bot-based credential attack.  

Some of the more advanced CAPTCHA services, such as reCAPTCHA from Google, have a high rate of bot detection and will use previous browsing history — even metrics such as mouse movements — to decide whether it serves a simple “I’m not a robot” tick box or a more complex challenge.  

Using advanced CAPTCHA services will offer protection against brute-force and credential stuffing attacks. As an aside, many organizations have policies and rule sets to not use email addresses as usernames for corporate applications, specifically to prevent opportunity for credential stuffing attacks.  

Two-Factor Authentication and its Role in Attack Prevention 

Implementing a form of two-factor authentication, whether using a one-time password token or SMS, is also effective in preventing attacks. You could consider using a two-step verification service, such as Microsoft Authenticator, to add this additional layer of security.  

Using two-factor authentication is effective against bots, as bots simply cannot satisfy the secondary challenge. LoadMaster has native support for all major two-factor authentication providers, making integration very, very simple. You can also further lock down access by enforcing the use of client certificates on client devices.  

Zero Trust: Application Access that Implicitly ‘Trusts Nobody’ 

Zero Trust Network Access, or ZTNA, is an approach to application and resource access that trusts no client entity and only grants access when explicitly defined by policies. Zero Trust takes a “trust nobody” stance and only grants access after the client has successfully authenticated.  

Zero Trust first considers the identity of the client and the context of the access request, such as what device or network a user is coming from. Is the request from a corporate-managed device? Are they working from home? All these elements are brought into the fold.  

Once authenticated, clients are then authorized based on the policy with just enough access to allow them to connect to the resources. LoadMaster can act as a Zero Trust Network Access gateway with easy definition of policies via an API, simplifying the integration with other security and policy tool sets.  

Case and Point: Load Balancing is a Critical Network Security Layer

LoadMaster can and will add significantly to your cloud security as an integrated security enforcement point. LoadMaster augments your cloud platform security services to deliver a multi-layered approach to application security and availability.  

LoadMaster is available on all major cloud platforms, and as a virtual appliance — should you want an on-premises deployment. Depending on the cloud platform, you can up for an early pay-as-you-go subscription, an annual subscription, or a perpetual license.  

Take the first step and talk with a technical expert to learn how to secure your applications with layered security using the top-rated load balancing appliance on the market.  

Posted on

Maurice McMullin

Maurice McMullin is a Principal Product Marketing Manager in Kemp with too many years of experience in the development and marketing of networking and security products. He has worked in organizations of all sizes ranging from two person startups through to multinationals in roles as varied as programmer and CTO.