WAF & MELA

Kemp delivers application security at scale with Metered Licensing and Web Application Firewall (WAF).

A WAF sits in front of web applications and inspects all traffic to block any requests that are identified as potentially dangerous. Malicious traffic can take many forms, but all of them attempt to exploit some vulnerability in the web application. A WAF focuses on application-specific exploits missed by traditional firewalling techniques and is a key part of a considered ‘defense in depth’ strategy.

Kemp WAF is available for customers on Metered Licensing (MELA) subscriptions. MELA is a more flexible way to enable web security across the Application Delivery Fabric. It combines Layer 7 Web Application Firewall protection with other application delivery services including intelligent load balancing, intrusion detection, intrusion prevention as well as edge security and authentication. Kemp WAF is built on ModSecurity, the world’s most deployed web application firewall engine.

  • mitigation of the OWASP Top 10 Common Vulnerabilities
  • real-time threat protection for packaged & custom applications
  • support for organizational PCI DSS compliance requirements

Scalable Security

Modern approaches to security dictate an assumed distrust. Services and applications are segmented so that they communicate only when actually needed. Limiting services and applications in this way requires deploying a mini application security stack per application or even per service. Application security stacks can be expensive, impractical to deploy and manage, or require the implementation of an entirely new network overlay solution. Kemp combines WAF with Metered Licensing (MELA), giving organizations the flexibility to place a WAF instance in front of each of their applications rather than being forced to choose when and where they should deploy WAF services for their applications. A WAF instance per application also reduces challenges around application placement in a hybrid or multi-cloud environment, given that organizations will not have to trombone their customers through a single place where WAF services are deployed. Instead, Kemp provides the flexibility to deploy WAF services on demand, wherever they are needed.

Zero Downtime

Most security threats today are created to attack the application directly rather than the lower layers of the network, and they are the cause of the majority of attack-related outages. Organizations using WAF with MELA mitigate the application attacks that can cause a major breach. Enterprises and Service Providers can now do what’s best for their applications to prevent security-related outages without the constraint of traditional approaches to planning and procuring data center infrastructure.

Key Benefits of WAF

Comprehensive Security Services

Web Application Firewall protection (WAF), edge security, L7 IPS/IDS, DDoS mitigation, application publishing and authentication services.

PCI DSS Compliance

Supports PCI DSS compliance for customers who process payments, reducing the need for extensive code reviews.

Ease of Deployment and Use

LoadMaster with WAF enables secure, scalable, and always-on workload delivery in one fully integrated, easy to use and deploy load balancing solution.

Cookie Tampering

Cookies are small pieces of text transmitted to web clients by a server or proxy with the intent to eventually be sent back to the server or proxy, unchanged. These are used in authentication and authorization processes as well as to track and maintain state across HTTP sessions. They can also be used to accomplish a number of attacks (SQL injection, XSS, buffer overflow, integer overflow) by injecting malicious values into the cookie.

Cross Site Request Forgery

Cross-site request forgery (CSRF or XSRF) attacks execute unwanted commands on a web application by using an end user's authentication without the user's knowledge. These exploits inherit the privilege level of the user and appear legitimate to the application to which the user is authenticated. By checking referrer headers, WAF blocks attempts at leveraging CSRF against application infrastructures.

Cross-Site Scripting

Cross-site scripting (XSS) attacks exploit web-based applications by sending scripts that are transparently activated by clients when read, allowing for user identity theft, cookie poisoning and malicious redirection. Kemp’s WAF mitigates this attack by disallowing the malicious injection of untrusted data into values that are passed.

Data Loss Prevention (DLP)

The unauthorized transfer of sensitive information from a network can be accomplished through both malicious and legitimate means, including File Transfer Protocol (FTP), web applications, Windows Management Instrumentation (WMI) and messaging clients. By inspecting and denying egress traffic containing unauthorized data, Kemp’s WAF prevents the exfiltration of sensitive content out of application infrastructures based on business policies.

Injection

Injection attacks leverage client sessions to insert input data into a traffic stream that can be used to read privileged data, modify content and execute administrative operations. Kemp’s WAF mitigates such attacks by dynamically monitoring client traffic flows for malicious injection patterns and preventing unauthorized execution.

Payment Card Industry Data Security Standards (PCI DSS) Requirements Supported by Kemp WAF

PCI-DSS Section 1.2: Deny traffic from untrusted networks and hosts

The integrated security features of Kemp's WAF limit access to explicitly allowed entities, using only the protocols that are designated as allowable.

PCI-DSS Section 3.3: Mask account numbers when displayed

Kemp's WAF can be configured to prevent the leakage of sensitive PII (personally identifiable information), which is often exploited through a variety of application vectors.

PCI-DSS Section 3.5: Protect encryption keys against disclosure and misuse

By supporting FIPS 140-2 Level 2 compliance, the LoadMaster 5305-FIPS protects encryption keys while delivering application firewalling.

PCI-DSS Section 4.1: Use strong cryptography and security protocols

Kemp's WAF provides an overlay for applications that may not have been originally developed to leverage SSL and TLS sessions, improving environment security.

PCI-DSS Section 6.6: Audit and correct application code vulnerabilities or institute an application firewall

Kemp’s WAF is available on all platforms (cloud, virtual, bare metal and dedicated hardware). Kemp Customer Support for custom rules implementation and troubleshooting requires add-on service engagement.

Metered Licensing (MELA)

MELA offers Enterprises and Service Providers a flexible and elastic way to license their application delivery resources. Rather than licensing individual appliances, a metered license measures the aggregate throughput of all load balancers. Customers subscribe on a monthly basis to a capacity tier and can deploy as many load balancer instances as needed with no additional per-instance charges. Pay-As-You-Grow with an application delivery infrastructure that is flexible, cost-effective, scalable and always right-sized.

How WAF with MELA works

MELA is a monthly capacity license for Kemp Virtual LoadMaster where the peak throughput of each LoadMaster ADC instance during the month is the metric used for metering. Individual peak throughputs are totaled to give the overall monthly usage for MELA. Kemp 360 Central is used to license load balancer instances, and WAF can be enabled on all of these instances. Kemp 360 Central also provides a single WAF logging and analysis point for all load balancers. The metering of usage is based on throughput. The number of WAF-enabled instances or virtual services does not impact the metering, as WAF is included by default for all instances with Metered Licensing. Metered Licensing also includes daily updates of reputation data, which help ensure maximum protection and are applied to all instances.

Solving Application Delivery Challenges

Today’s application and service delivery environments are complex and dynamic. Metered Licensing offers the flexibility to address challenges easily and cost-effectively.

| Challenge | The MELA solution |
| --- | --- |
| I need multi-tenancy so I can isolate for security and compliance | Traditional multi-tenancy requires large appliances that are expensive to scale and focused on a limited number of large tenants. With Metered Licensing, individual application instances, departments and organizations can have dedicated and isolated load balancers of any capacity. |
| I need to be able to scale on demand | Hardware based solutions do not fit well in dynamic environments as they need to be over-provisioned to meet anticipated demand. In contrast, Metered Licensing is always right-sized and can instantly scale to meet unpredicted demands. |
| I need to load balance in the Cloud | Metered licensing fits perfectly with cloud consumption models as you only pay for what you use and have the flexibility to scale within a single load balancer instance or to scale using multiple instances. |
| I need to react quickly to business demands | Metered licensing simplifies the process of provisioning LoadMaster instances as services can be easily deployed, licensed and configured for service using the LoadMaster API and platform auto-provisioning tools. |
| I need to meet business demands without incurring infrastructure costs | Metered licensing leverages existing infrastructure as LoadMaster instances are virtual and execute on a wide range of hypervisor and cloud platforms. This optimizes use of existing resources and minimizes operational costs by using existing tools and processes. |
| I need to deliver security across all web applications | MELA includes the option to enable a Web Application Firewall (WAF) on all ADCs and provide updated reputation data daily. |

MELA Features

| Feature | Benefit |
| --- | --- |
| Monthly subscription | No up-front investment and flexibility to grow as demands change. |
| Based on aggregate usage | Always right-sized with no over-provisioning |
| Unlimited number of load balancer instances | Simplify delivery in dynamic environments such as cloud and simplify ADC lifecycle management |
| 24x7 Support | Access the skills and resources of the Kemp team whenever needed |
| Cross Platform | Use the same MELA license for all load balancing instances regardless of deployment location (e.g. public cloud, private cloud, hybrid cloud) |
| Web Application Firewall | Provide application level security to all applications regardless of size with updated reputation data daily for ongoing protection |
| IPS | Identify potential security threats and respond to them swiftly with intrusion prevention, a preemptive approach to security |
| Access Management | Secure and manage your environment with Authentication, Authorization, and Accounting for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing information necessary to bill for services. |

MELA Subscriptions

MELA Subscriptions include an entry-level month-to-month subscription where usage is charged per Gbit of throughput and there is no long-term commitment. The annual subscriptions provide defined costs within a capacity band, with any overage charged at the monthly MELA-1Gb rate. All LoadMaster instances are licensed for WAF via the new MELA-WAF license on Kemp 360 Central.

| Subscription | Minimum Term | Capacity | Max. Instances | SSL TPS | LoadMaster Features | Support |
| --- | --- | --- | --- | --- | --- | --- |
| MELA-1Gb | 1 Month | Pay per Gbit | Unlimited | Unlimited | ESP GEO | 24x7 |
| MELA-10 | 1 Year | Up to 10Gbit | Unlimited | Unlimited | ESP GEO | 24x7 |
| MELA-25 | 1 Year | Up to 20Gbit | Unlimited | Unlimited | ESP GEO | 24x7 |
| MELA-50 | 1 Year | Up to 50Gbit | Unlimited | Unlimited | ESP GEO | 24x7 |
| MELA-100 | 1 Year | Up to 100Gbit | Unlimited | Unlimited | ESP GEO | 24x7 |
| MELA-SCH | 1 Year | Custom | Unlimited | Unlimited | ESP GEO | 24x7 |

The MELA-SCH subscription allows for the creation of custom subscriptions to allow scenarios such as service ramp-up and known peaks.
