KEMP Web Application Firewall Pack (AFP)

Secure Application Deployments with KEMP’s Web Application Firewall (WAF)

KEMP’s Application Firewall Pack (AFP)* combines Layer 7 Web Application Firewall protection with other application delivery services including intelligent load balancing, intrusion detection, intrusion prevention as well as edge security and authentication. KEMP WAF provides continuous protection against vulnerabilities with daily rule updates based on threat intelligence and research from information security provider, Trustwave.

What does a Web Application Firewall (WAF) protect against?

Vulnerability Protection provided by WAF
Injection of untrusted data Identify and block requests that contain untrusted data or code
Broken authentication and session management Protect against exploitation of weak Session ID management
Cross site scripting Protect against dynamically adding malicious code to a web page
Flawed access control Enforce access controls on what resources are accessible
Misconfigured security Ongoing protection for resources that are misconfigured or vulnerable
Sensitive data exposure Protect agains leakage of information such as credit card numbers
Attack Protection Adds a layer of protection via constantly updated rules
Cross site forgery Protect authenticated users against forged requests

Table 1 - What protection is provided by a WAF

With a targeted focus on application-specific exploits missed by traditional firewalling techniques, AFP plays a key part in a defense-in-depth strategy that mitigates risk and optimizes applications.

Key Benefits

Comprehensive Security Services

LoadMaster provides integrated security capabilities including Web Application Firewall protection (WAF), edge security, L7 IPS/IDS, DDos Mitigation, application publishing and authentication services as standard features on all platforms including select hardware appliances.

PCI-DSS Compliance

Protecting web applications is of critical importance for all organizations, especially those which process payments. In order to help customers with PCI-DSS requirements, AFP reduces the need for extensive code reviews with industry proven rule sets that are regularly and automatically updated.

Ease of Deployment and Use

With KEMP’s focus on simplicity and shortening time to production for application deployment, LoadMaster with Application Firewall Pack (AFP) enables secure, scalable, and always-on workload delivery in one fully integrated, easy to use and deploy load balancing solution.

Key Threats Mitigated by the KEMP Application Firewall Pack

Cookie Tampering

Cookies are small pieces of text transmitted to web clients by a server or proxy with the intent to eventually be sent back to the server or proxy, unchanged. These are used in authentication and authorization processes as well as to track and maintain state across HTTP sessions. They can also be used to accomplish a number of attacks (SQL injection, XSS, buffer overflow, integer overflow) by injecting malicious values into the cookie.

Cross Site Request Forgery

Cross-site request forgery (CSRF or XSRF) attacks execute unwanted commands on a web application by unknowingly using an end users authentication. These exploits inherit the privilege level of the user and appear legitimate to the application which the user is authenticated to. By checking referrer headers, Application Firewall Pack blocks attempts at leveraging CSRF against application infrastructures.

Cross-Site Scripting

Cross-site scripting (XSS) attacks exploit web-based applications by sending scripts that are transparently activated by clients when read allowing for user identity theft, cookie poisoning and malicious redirection. KEMP’s Application Firewall Pack mitigates this attack by disallowing the malicious injection of untrusted data into values that are passed.

Data Loss Prevention (DLP)

The unauthorized transfer of sensitive information from a network via accomplished both through malicious and legitimate means including File transfer protocol (FTP), web applications, Windows Management Instrumentation (WMI) and messaging clients. By inspecting and denying egress traffic containing unauthorized data, KEMP’s Web Application Firewall Pack prevents the exfiltration of sensitive content out of application infrastructures based on business policies.


Injection attacks leverage client sessions to insert input data into a traffic stream that can be used to read privileged data, modify content and execute administrative operations. KEMP’s Web Application Firewall Pack mitigates such attacks by dynamically monitoring client traffic flows for malicious injection patterns and preventing unauthorized execution.

Payment Card Industry Data Security Standards (PCI-DSS) Requirements Supported by KEMP’s Web Application Firewall Pack

PCI-DSS Section 1.2: Deny traffic from untrusted networks and hosts

The integrated security features of LoadMaster with AFP limit access to only explicitly allowed entities using only the protocols that are dictated as allowable

PCI-DSS Section 3.3: Mask account numbers when displayed

Application Firewall Pack can be configured to prevent the leakage of sensitive PII (Personally identifiable information) data as often exploited through a variety of application vectors.

PCI-DSS Section 3.5: Protect encryption keys against disclosure and misuse

By supporting FIPS 140-2 Level 2 compliance, the LoadMaster 5305-FIPS, protects encryption keys while delivering application firewalling

PCI-DSS Section 4.1: Use strong cryptography and security protocols

LoadMaster with AFP provides an overlay for applications that may have not been originally developed to leverage SSL and TLS sessions to improve environment security.

PCI-DSS Section 6.6: Audit and correct application code vulnerabilities or institute an application firewall

AFP enables ongoing real-time protection against the latest application threats to prevent the exploitation of potential application code vulnerabilities.

KEMP AFP and daily rule updates are available on all platforms (cloud, virtual, bare metal and dedicated hardware) with Enterprise Plus Subscription. KEMP customer support for custom rules implementation and troubleshooting requires add-on service engagement

LoadMaster Subscriptions simplify application delivery choices