WAF & MELA

KEMP delivers application security at scale with Metered Licensing and Web Application Firewall (WAF).

A WAF sits in front of web applications and inspects all traffic to block any requests that are identified as being potentially dangerous. Malicious traffic can take many forms but all can attempt to exploit some vulnerability in the web application. To ensure protection against emerging vulnerabilities, WAF rules are updated daily. This provides ongoing protection against emerging threats and protection while applications are being patched or rebuilt. WAF has a targeted focus on application-specific exploits missed by traditional firewalling techniques and is a key part of a considered ‘defense in depth’ strategy.

KEMP WAF is available for customers on Metered Licensing (MELA) subscriptions. MELA is a more flexible way to enable web security across the Application Delivery Fabric. It combines Layer 7 Web Application Firewall protection with other application delivery services including intelligent load balancing, intrusion detection, intrusion prevention as well as edge security and authentication. KEMP WAF is built on ModSecurity, the world’s most deployed web application firewall engine. It is augmented by constantly updated threat intelligence from Trustwave and protects applications from known and emerging threats by providing:

  • data loss prevention (DLP)
  • mitigation of the OWASP Top Ten Common Vulnerabilities
  • real-time threat protection for packaged & custom applications
  • support for organizational PCI DSS compliance requirement

Scalable Security

Modern approaches to security dictate an assumed distrust. Services and applications are segmented to only communicate when actually needed. Limiting services and applications in this way requires deploying a mini application security stack per application or even service. Application security stacks can be expensive, impractical to deploy and manage or require the implementation of an entirely new network overlay solution. KEMP combine WAF with Metered Licensing (MELA) giving organizations the flexibility to place a WAF instance on front of each of their applications rather than being forced to choose when and where they should deploy WAF services for their applications. A WAF instance per application also reduces challenges around application placement in a hybrid or multi-cloud environment given that organizations will not have to trombone their customers through a single place where WAF services are deployed. Instead KEMP provides the flexibility to deploy WAF services on-demand, wherever they are needed.

Zero Downtime

Most security threats today are created to directly attack the application rather than the lower layers of the network and are the cause of the majority of attack-related outage. Organizations using WAF with MELA mitigate the application attacks that can cause a major breach. Enterprises and Service Providers can now do what’s best for their applications to prevent security-related outages without the constraint of traditional approaches to planning and procuring data center infrastructure.

Key Benefits of WAF

Comprehensive Security Services

Web Application Firewall protection (WAF), edge security, L7 IPS/IDS, DDos Mitigation, application publishing and authentication services.

PCI DSS Compliance

For customers who process payments, industry proven WAF rule sets are regularly and automatically updated, reducing the need for extensive code reviews.

Ease of Deployment and Use

LoadMaster with WAF enables secure, scalable, and always-on workload delivery in one fully integrated, easy to use and deploy load balancing solution.

Cookie Tampering

Cookies are small pieces of text transmitted to web clients by a server or proxy with the intent to eventually be sent back to the server or proxy, unchanged. These are used in authentication and authorization processes as well as to track and maintain state across HTTP sessions. They can also be used to accomplish a number of attacks (SQL injection, XSS, buffer overflow, integer overflow) by injecting malicious values into the cookie.

Cross Site Request Forgery

Cross-site request forgery (CSRF or XSRF) attacks execute unwanted commands on a web application by unknowingly using an end users authentication. These exploits inherit the privilege level of the user and appear legitimate to the application which the user is authenticated to. By checking referrer headers, Application Firewall Pack blocks attempts at leveraging CSRF against application infrastructures.

Cross-Site Scripting

Cross-site scripting (XSS) attacks exploit web-based applications by sending scripts that are transparently activated by clients when read allowing for user identity theft, cookie poisoning and malicious redirection. KEMP’s Application Firewall Pack mitigates this attack by disallowing the malicious injection of untrusted data into values that are passed.

Data Loss Prevention (DLP)

The unauthorized transfer of sensitive information from a network via accomplished both through malicious and legitimate means including File transfer protocol (FTP), web applications, Windows Management Instrumentation (WMI) and messaging clients. By inspecting and denying egress traffic containing unauthorized data, KEMP’s Web Application Firewall Pack prevents the exfiltration of sensitive content out of application infrastructures based on business policies.

Injection

Injection attacks leverage client sessions to insert input data into a traffic stream that can be used to read privileged data, modify content and execute administrative operations. KEMP’s Web Application Firewall Pack mitigates such attacks by dynamically monitoring client traffic flows for malicious injection patterns and preventing unauthorized execution.

Payment Card Industry Data Security Standards (PCI DSS) Requirements Supported by KEMP WAF

PCI-DSS Section 1.2: Deny traffic from untrusted networks and hosts

The integrated security features of LoadMaster with AFP limit access to only explicitly allowed entities using only the protocols that are dictated as allowable

PCI-DSS Section 3.3: Mask account numbers when displayed

Application Firewall Pack can be configured to prevent the leakage of sensitive PII (Personally identifiable information) data as often exploited through a variety of application vectors.

PCI-DSS Section 3.5: Protect encryption keys against disclosure and misuse

By supporting FIPS 140-2 Level 2 compliance, the LoadMaster 5305-FIPS, protects encryption keys while delivering application firewalling

PCI-DSS Section 4.1: Use strong cryptography and security protocols

LoadMaster with AFP provides an overlay for applications that may have not been originally developed to leverage SSL and TLS sessions to improve environment security.

PCI-DSS Section 6.6: Audit and correct application code vulnerabilities or institute an application firewall

AFP enables ongoing real-time protection against the latest application threats to prevent the exploitation of potential application code vulnerabilities.

 

KEMP’s WAF and daily rule updates are available on all platforms (cloud, virtual, bare metal and dedicated hardware). KEMP Customer Support for custom rules implementation and troubleshooting requires add-on service engagement.

Metered Licensing (MELA)

MELA offers Enterprises and Service Providers a flexible and elastic way to license their application delivery resources. Rather than licensing individual appliances, a metered license measures the aggregate throughput of all load balancers. Customers subscribe on a monthly basis to a capacity tier and can deploy as many load balancer instances as needed with no additional per-instance charges. Pay-As-You-Grow with an application delivery infrastructure that is flexible, cost-effective, scalable and always right-sized.

How WAF with MELA works

MELA is a monthly capacity license for KEMP Virtual LoadMaster where the peak throughput during the month of each LoadMaster ADC instance is the metric used for metering. Individual peak throughputs are totaled to give the overall monthly usage for MELA. KEMP 360 Central is used to license load balancer instances and WAF can be enabled on all of these instances. KEMP 360 Central also provides a single WAF logging and analysis point for all load balancers. The metering of usage is based on throughput. The number of WAF enabled instances or virtual services does not impact the metering as WAF is included by default for all instances with Metered Licensing. Metered Licensing also includes the important daily rule updates that ensure maximum protection and these updates are applied to all instances.

Solving Application Delivery Challenges

Today’s application and service delivery environments are complex and dynamic. Metered Licensing offers the flexibility to address challenges easily and cost-effectively.

Challenge The MELA solution
I need multi-tenancy so I can isolate for security and compliance Traditional multi-tenancy requires large appliances that are expensive to scale and focused on a limited number of large tenants. With Metered Licensing, individual application instances, departments and organizations can have dedicated and isolated load balancers of any capacity.
I need to be able to scale on demand Hardware based solutions do not fit well in dynamic environments as they need to be over-provisioned to meet anticipated demand. In contrast, Metered Licensing is always right-sized and can instantly scale to meet unpredicted demands.
I need to load balance in the Cloud Metered licensing fits perfectly with cloud consumption models as you only pay for what you use and have the flexibility to scale within a single load balancer instance or to scale using multiple instances.
I need to react quickly to business demands Metered licensing simplifies the process of provisioning LoadMaster instances as services can be easily deployed, licensed and configured for service using the LoadMaster API and platform auto-provisioning tools.
I need to meet business demands without incurring infrastructure costs Metered licensing leverages existing infrastructure as LoadMaster instances are virtual and execute on a wide range of hypervisor and cloud platforms. This optimizes use of existing resources and minimizes operational costs by using existing tools and processes.
I need to deliver security across all web applications MELA includes the option to enable a Web Application Firewall (WAF) on all ADCs and provide daily rule updates.

MELA Features

Feature Benefit
Monthly subscription No up-front investment and flexibility to grow as demands change.
Based on aggregate usage Always right-sized with no over-provisioning
Unlimited number of load balancer instances Simplify delivery in dynamic environments such as cloud and simplify ADC lifecycle management
24x7 Support Access the skills and resources of the KEMP team whenever needed
Cross Platform Use the same MELA license for all load balancing instances regardless of deployment location (e.g. public cloud, private cloud, hybrid cloud)
Web Application Firewall Provide application level security to all applications regardless of size with daily rule updates for ongoing protection
IPS Identify potential security threats and respond to them swiftly with intrusion prevention, a preemptive approach to security
Edge Security Pack Deliver Reverse Proxy, End Point Authentication, Active Directory integration, RADIUS authentication, Single Sign On across virtual services, RSA SecurID dual factor authentication, and Persistent Logging and Reporting
AAA Secure and manage your environment with Authentication, Authorization, and Accounting for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing information necessary to bill for services.

MELA Subscriptions

MELA Subscriptions include an entry level month-to-month subscription where usage is charged per Gbit of throughput and there is no long-term commitment. The annual subscriptions provide defined costs within a capacity band and any overage being charged at monthly MELA-1Gb rate.

Subscription Minimum Term Capacity Max. Instances SSL TPS LoadMaster Features Support
MELA-1Gb 1 Month Pay per Gbit Unlimited Unlimited ESP GEO 24x7
MELA-10 1 Year Up to 10Gbit Unlimited Unlimited ESP GEO 24x7
MELA-25 1 Year Up to 20Gbit Unlimited Unlimited ESP GEO 24x7
MELA-50 1 Year Up to 50Gbit Unlimited Unlimited ESP GEO 24x7
MELA-100 1 Year Up to 100Gbit Unlimited Unlimited ESP GEO 24x7
MELA-SCH 1 Year Custom Unlimited Unlimited ESP GEO 24x7

The MELA-SCH subscription allows for the creation of custom subscriptions to allow scenarios such as service ramp-up and known peaks. All LoadMaster instances are licensed for WAF and WAF rule updates via new MELA-WAF license on KEMP 360 Central.