The Web Application Firewall (WAF) solution from LoadMaster helps to protect your custom and off-the-shelf applications from common vulnerabilities, such as SQL injection and cross-site scripting (XSS). LoadMaster WAF lets you create per-application security profiles, enforce source location-level filtering, adopt pre-integrated rulesets for common attack vectors, and add custom security rules of your own.
Using a combination of rule types, you can protect all your applications from within Progress Kemp LoadMaster. The protection covers known web attacks and prevents specific traffic patterns from reaching your applications, without changing your application or infrastructure. LoadMaster's WAF solution can also help meet PCI-DSS compliance and data loss prevention (DLP) requirements. With granular per-application event logging, in-UI statistics visualization, and false-positive analysis with rich telemetry to third-party SIEMs, Kemp LoadMaster provides comprehensive visibility of running applications.
As part of your network infrastructure, the Web Application Firewall helps deliver defense in depth for your web servers, websites, and applications against an ever-changing threat landscape. LoadMaster combines the WAF with an Intrusion Detection System (IDS)/Intrusion Prevention System (IPS), rate limiting, SSL/TLS encryption, authentication, and Single Sign-On (SSO) in a package that simplifies customization and scales across any environment.
Updated reputation data is available daily to provide ongoing protection for a wide range of applications, with the option to supplement it with custom rules for local use cases.
Avoid the complexity of integrating multiple services by adopting a fully integrated solution that provides a single point of management for application security.
Help meet PCI-DSS requirements and avoid unneeded expense and complexity by implementing a WAF to deliver on the relevant controls.
A web application firewall complements and enhances traditional firewall protection. Traditional network firewalls cannot inspect the content of encrypted HTTPS traffic, so attacks carried inside it pass through them unseen.
A web application firewall operates at Layer 7 of the network stack, between the network firewall and the web servers. It terminates TLS, so it can decrypt HTTPS traffic and inspect the requests and responses it carries. Using lists of known attack methods plus anomaly detection, the web application firewall can deny access to web servers when it detects malicious activity.
LoadMaster supplies a WAF based on the industry-leading ModSecurity engine, backed by open-source rule sets. This web application firewall solution deploys on the award-winning LoadMaster load balancer. It is a fully supported component of the Progress software stack and backed by our industry-leading consulting team, security experts, and support staff who take all issues from initial contact to resolution without passing support tickets up a helpdesk hierarchy.
The WAF takes advantage of all the benefits of the available and flexible Progress licensing models. Deploying via LoadMaster instances with a metered license allows WAF placement that fully meets an organization’s unique application delivery and security needs.
The Open Web Application Security Project (OWASP) Top 10 lists the most common and important security risks to web applications. With pre-defined rulesets to counter the vulnerabilities highlighted in the OWASP Top 10 and many other attack types, the WAF provides out-of-the-box protection without any application modifications.
Examples of the delivered protections include:
Cookies are used in authentication and authorization and to track and maintain state across HTTP sessions. They are also a common injection vector: attackers place malicious values in cookies to carry out SQL injection, XSS, buffer overflow, and integer overflow attacks.
Cross-site request forgery (CSRF or XSRF) attacks execute unwanted commands on a web application. These exploits inherit the user's authorization level and appear legitimate to the application to which the user is authenticated. By checking that Referer headers match the protected application's origin, WAF blocks cross-site CSRF attempts; this perimeter check complements, rather than replaces, anti-CSRF tokens in the application itself.
Attackers hijack client sessions to insert input data into a traffic stream, which they can then use to read privileged data, modify that data, and execute administrative operations. WAF mitigates such attacks by dynamically monitoring client traffic flows for malicious injection patterns and preventing unauthorized execution.
XSS attacks exploit web applications by injecting scripts that clients transparently execute when a page loads. These attacks enable user identity theft, cookie poisoning, and malicious redirection. The WAF mitigates them by blocking untrusted data injected into request values before it reaches the application.
The unauthorized transfer of sensitive information out of a network may happen through malicious or accidental means. By inspecting egress traffic and denying responses that contain unauthorized data, WAF prevents the malicious or unintentional transfer of sensitive content out of application infrastructures, in alignment with business practices.
Prevent user-invoked buffer overflow attacks.
Enforcement of proper access controls on application resources to prevent unauthorized use.
Continuous protection monitoring to detect and block access that misconfigured security settings would otherwise allow.
Continuous monitoring for known and emerging threats via rules updates.
Detect HTTP traffic patterns that indicate a Denial of Service (DoS) attack.
Detect patterns from distributed botnet-based DDoS attacks and prevent them from overloading application servers.
Detect and block malware attacks that use web-based attack methods.
Malicious activity detection and blocking. Because the rules match generic attack patterns rather than individual CVEs, WAF can block exploitation attempts against zero-day vulnerabilities before a specific signature for them is added to the available rulesets of known attacks.
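Two of the protections listed above, the Referer check for CSRF and the egress inspection for data loss prevention, are simple enough to show in code. The following is an added example written for this page, not LoadMaster's implementation. The protected application's origin, the sample requests, and the response bodies are constructed; the card number is the well-known 4111 1111 1111 1111 test number and the order id is a Luhn-invalid look-alike. The CSRF check prefers the browser-set Origin header, falls back to Referer, and fails closed when a state-changing request carries neither.

```python
import re
from urllib.parse import urlsplit

APP_ORIGIN = "https://shop.example"                 # assumed origin of the protected app
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}  # methods that need a CSRF check


def _headers(headers):
    """HTTP header names are case-insensitive; normalise before lookup."""
    return {k.lower(): v for k, v in headers.items()}


def csrf_check(method, headers):
    """Request-side CSRF check. Origin is preferred, Referer is the fallback, and a
    state-changing request with neither is refused rather than waved through."""
    if method.upper() not in STATE_CHANGING:
        return True, "safe method, no check"
    h = _headers(headers)
    for name in ("origin", "referer"):
        value = h.get(name)
        if value:
            p = urlsplit(value)
            # Compare scheme and host only: a Referer such as
            # https://evil.example/?next=https://shop.example must not pass.
            ok = f"{p.scheme}://{p.netloc}" == APP_ORIGIN
            return ok, f"{name} {'matches' if ok else 'mismatch'}"
    return False, "state-changing request without Origin or Referer"


PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, spaces/dashes allowed


def luhn_valid(digits):
    """Luhn checksum; true for real card numbers, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_numbers_in(text):
    """Luhn-valid candidates only; the checksum keeps order ids and phone numbers
    from being reported as leaks (a false positive the page's DLP tuning would address)."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def egress_check(response_body):
    """Response-side DLP check: deny a body that leaks a card number and report it
    masked, so the WAF log itself does not become a second leak."""
    hits = card_numbers_in(response_body)
    return (not hits), ["*" * (len(h) - 4) + h[-4:] for h in hits]


# Constructed samples, not captured traffic.
CSRF_SAMPLES = {
    "same_origin_post": ("POST", {"Origin": APP_ORIGIN}),
    "cross_site_referer": ("POST", {"Referer": "https://evil.example/form?next=https://shop.example"}),
    "stripped_headers": ("POST", {}),
    "plain_get": ("GET", {}),
}
EGRESS_SAMPLES = {
    "leaks_pan": "Receipt: paid with card 4111 1111 1111 1111, thank you.",
    "order_id_only": "Order 1234 5678 9012 3456 has shipped.",
}


def run_samples():
    return {
        "csrf": {k: csrf_check(*v) for k, v in CSRF_SAMPLES.items()},
        "egress": {k: egress_check(v) for k, v in EGRESS_SAMPLES.items()},
    }


if __name__ == "__main__":
    for kind, results in run_samples().items():
        for name, verdict in results.items():
            print(kind, name, verdict)
```

Failing closed on a missing Referer is the design choice worth noting: privacy extensions and some proxies strip the header, so the block is a real cost that has to be weighed per application, which is exactly what per-application profiles are for.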
A web application firewall is an additional network security protection that does not replace traditional network firewalls. The WAF operates at the application layer of the network stack and inspects application traffic and its content to detect malicious requests and responses. LoadMaster WAF also terminates SSL/TLS so that it can inspect encrypted web traffic.
The web application firewall acts as a reverse proxy server and handles all session communication with clients. It is common practice to have LoadMaster load balancers working as both reverse proxy servers and WAFs. This hides application servers from the clients to enhance protection.
Using rule sets for known attack methods and looking for suspicious activity that might indicate an attack via new techniques, a WAF filters network traffic and only passes on requests and data it judges safe.
The protections provided by a web application firewall are implemented via rules and policies. System admins can load rules from sets supplied by industry-leading security providers. Each organization has a unique application landscape, so each deployment can have custom rules for individual applications.
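The following is an added illustration, not LoadMaster or ModSecurity code, of how the rule-based, anomaly-scoring inspection described on this page works: the Layer 7 inspection of decoded requests, a shared set of attack-pattern rules, and a per-application profile that adds custom rules and sets its own blocking threshold. The rule ids, the two application profiles, the thresholds, the regular expressions, and the sample requests are all constructed for the example; the ids sit in the 1-99,999 range ModSecurity reserves for local rules and are not OWASP Core Rule Set ids.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit


@dataclass(frozen=True)
class Rule:
    rule_id: int            # illustrative id in ModSecurity's local range, not a CRS id
    description: str
    targets: tuple          # request fields to inspect: "args", "cookies", "body", "path"
    pattern: re.Pattern
    score: int              # severity weight added to the request's anomaly score


@dataclass(frozen=True)
class Profile:
    name: str
    threshold: int          # block when the summed anomaly score reaches this value
    rules: tuple


SHARED_RULES = (
    Rule(10001, "SQLi: quoted boolean tautology or trailing comment",
         ("args", "cookies", "body"),
         re.compile(r"""['"]\s*(?:or|and)\s+[\w'"]+\s*=\s*[\w'"]+|--\s*$|/\*.*?\*/""", re.I), 5),
    Rule(10002, "SQLi: UNION ... SELECT", ("args", "cookies", "body"),
         re.compile(r"\bunion\b.+?\bselect\b", re.I), 5),
    Rule(10003, "XSS: script tag", ("args", "body"),
         re.compile(r"<\s*script\b", re.I), 5),
    Rule(10004, "XSS: inline event handler", ("args", "body"),
         re.compile(r"\bon[a-z]+\s*=", re.I), 3),
)

PROFILES = {
    # Shop app: shared ruleset plus one custom rule fencing off an internal path.
    "shop": Profile("shop", threshold=5, rules=SHARED_RULES + (
        Rule(20001, "custom: /internal/ is not reachable from the internet",
             ("path",), re.compile(r"^/internal/"), 10),)),
    # Legacy app still being tuned: same rules, higher threshold while false positives
    # are analysed, so single-rule hits are logged but not yet blocked.
    "legacy": Profile("legacy", threshold=10, rules=SHARED_RULES),
}


def request_fields(url, headers, body=""):
    """Split a request into the fields a rule can target. parse_qsl percent-decodes,
    so id=1%27 is inspected as 1' (the normalised form an attacker cannot hide behind)."""
    parts = urlsplit(url)
    hdrs = {k.lower(): v for k, v in headers.items()}
    cookies = [c.split("=", 1)[1].strip() for c in hdrs.get("cookie", "").split(";") if "=" in c]
    return {
        "path": [parts.path],
        "args": [v for _, v in parse_qsl(parts.query, keep_blank_values=True)],
        "cookies": cookies,
        "body": [v for _, v in parse_qsl(body, keep_blank_values=True)],
    }


def evaluate(profile, url, headers=None, body=""):
    """Anomaly scoring: each matching rule adds its score once; the request is blocked
    only when the total reaches the profile's threshold, otherwise it passes but is logged."""
    fields = request_fields(url, headers or {}, body)
    score, matched = 0, []
    for rule in profile.rules:
        if any(rule.pattern.search(v) for t in rule.targets for v in fields[t]):
            score += rule.score
            matched.append(rule.rule_id)
    return {"score": score, "matched": matched,
            "action": "block" if score >= profile.threshold else "pass"}


SAMPLES = {  # constructed requests, not captured traffic: (url, headers, body)
    "benign": ("/search?q=shoes", {}, ""),
    "sqli_arg": ("/search?q=%27%20OR%201%3D1%20--", {}, ""),
    "sqli_union": ("/item?id=1%27%20UNION%20SELECT%20password%20FROM%20users--", {}, ""),
    "sqli_cookie": ("/account", {"Cookie": "session=abc123; pref=1' OR '1'='1"}, ""),
    "xss_body": ("/comment", {}, "text=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
    "internal_path": ("/internal/metrics", {}, ""),
}


def run_samples():
    """Evaluate every sample against every profile: {profile: {sample: verdict}}."""
    return {app: {name: evaluate(PROFILES[app], *req) for name, req in SAMPLES.items()}
            for app in PROFILES}


if __name__ == "__main__":
    for app, verdicts in run_samples().items():
        for name, v in verdicts.items():
            print(f"{app:7s} {name:14s} score={v['score']:2d} {v['action']:5s} rules={v['matched']}")
```

The same tautology rule fires whether the payload arrives in a query argument or in a cookie, which is the point made above about cookies as an injection vector, and the UNION request accumulates two rule hits and is blocked under both profiles while a single hit is only logged for the legacy application. The custom path rule shows why profiles are per application: it belongs to the shop profile and is never evaluated for the legacy one.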
Watch the Web Application Firewall (WAF) 101 webinar video on securing modern applications to learn what a WAF does, what threats it protects against, and how to secure your applications from changing vulnerabilities with Progress Kemp.
You have several options when deploying the LoadMaster web application firewall. They mirror the network and cloud options available for other network and security infrastructures.
Organizations can deploy a network-based web application firewall either as a dedicated instance or as a component alongside other LoadMaster functionality such as load balancing. Virtual machine-based network WAF deployment is becoming the norm, but hardware-based options are available if required. A network-based web application firewall has the advantage of lower latency for protected applications because of its proximity to the back-end servers. However, there is management overhead from deploying another device or virtual machine instance.
Cloud-based web application firewall deployment allows all the benefits of public cloud deployment. Capacity can flex up and down as required. IT teams can eliminate the management overhead burden of hosting infrastructure on-premise.