KEMP Web Application Firewall Pack (AFP)

Secure Application Deployments with KEMP’s Web Application Firewall (WAF)

KEMP’s Application Firewall Pack (AFP)* combines Layer 7 Web Application Firewall protection with other application delivery services, including intelligent load balancing, intrusion detection and intrusion prevention, as well as edge security and authentication. By integrating the world’s most deployed web application firewall engine, ModSecurity, augmented by threat intelligence and research from the information security provider Trustwave, AFP provides:

  • Data loss prevention (DLP)
  • Mitigation of the OWASP Top Ten common vulnerabilities
  • Real-time threat protection for packaged & custom applications
  • Support for organizational PCI-DSS compliance requirements

With a targeted focus on application-specific exploits missed by traditional firewalling techniques, AFP plays a key part in a defense-in-depth strategy that mitigates risk and optimizes applications.

Intelligent Web Application Firewalling


Key Benefits

Comprehensive Security Services

LoadMaster provides integrated security capabilities including Web Application Firewall (WAF) protection, edge security, L7 IPS/IDS, DDoS mitigation, application publishing and authentication services as standard features on all platforms, including select hardware appliances.

PCI-DSS Compliance

Protecting web applications is of critical importance for all organizations, especially those that process payments. To help customers with PCI-DSS requirements, AFP reduces the need for extensive code reviews with industry-proven rule sets that are regularly and automatically updated.

Ease of Deployment and Use

With KEMP’s focus on simplicity and shortening time to production for application deployment, LoadMaster with Application Firewall Pack (AFP) enables secure, scalable, and always-on workload delivery in one fully integrated, easy to use and deploy load balancing solution.


Key Threats Mitigated by the KEMP Application Firewall Pack

Cookie Tampering

Cookies are small pieces of text transmitted to web clients by a server or proxy with the intent to eventually be sent back to the server or proxy, unchanged. These are used in authentication and authorization processes as well as to track and maintain state across HTTP sessions. They can also be used to accomplish a number of attacks (SQL injection, XSS, buffer overflow, integer overflow) by injecting malicious values into the cookie.

Cross Site Request Forgery

Cross-site request forgery (CSRF or XSRF) attacks execute unwanted commands on a web application by using an end user's authentication without the user's knowledge. These exploits inherit the privilege level of the user and appear legitimate to the application to which the user is authenticated. By checking referrer headers, Application Firewall Pack blocks attempts at leveraging CSRF against application infrastructures.
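The referrer-header check described above can be sketched as follows. This is an added example, not KEMP's or ModSecurity's rule code; the host `app.example.test`, the function names and the `allow_missing` switch are assumptions made for illustration.

```python
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}        # treated as not state-changing
ALLOWED = {("https", "app.example.test", 443)}   # assumed published application
DEFAULT_PORTS = {"http": 80, "https": 443}

def origin_of(url):
    """Return (scheme, host, port) of an absolute URL, or None if unusable."""
    try:
        parts = urlsplit(url)
        port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    except ValueError:                           # malformed port or IPv6 literal
        return None
    if not parts.hostname or port is None:
        return None
    return (parts.scheme, parts.hostname.lower(), port)

def referer_check(method, headers, allow_missing=False):
    """Return (allowed, reason) for one request seen at the proxy."""
    if method.upper() in SAFE_METHODS:
        return (True, "safe method")
    hdrs = {k.lower(): v for k, v in headers.items()}
    referer = hdrs.get("referer", "").strip()
    if not referer:
        # Privacy tools and Referrer-Policy can strip the header, so this
        # branch is a policy decision; failing closed is the stricter choice.
        return (allow_missing, "missing Referer")
    # Compare the parsed origin, never a substring or prefix of the raw value:
    # look-alike hosts and userinfo tricks defeat string matching.
    if origin_of(referer) in ALLOWED:
        return (True, "same-origin Referer")
    return (False, "cross-origin or malformed Referer")
```

Comparing the parsed scheme, host and port is what makes the check hold up against look-alike hosts; a prefix or substring match on the raw header value does not.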

Cross-Site Scripting

Cross-site scripting (XSS) attacks exploit web-based applications by sending scripts that are transparently activated by clients when read, allowing for user identity theft, cookie poisoning and malicious redirection. KEMP’s Application Firewall Pack mitigates this attack by disallowing the malicious injection of untrusted data into values that are passed.

Data Loss Prevention (DLP)

The unauthorized transfer of sensitive information from a network is accomplished through both malicious and legitimate means, including File Transfer Protocol (FTP), web applications, Windows Management Instrumentation (WMI) and messaging clients. By inspecting and denying egress traffic containing unauthorized data, KEMP’s Web Application Firewall Pack prevents the exfiltration of sensitive content out of application infrastructures based on business policies.

Injection

Injection attacks leverage client sessions to insert input data into a traffic stream that can be used to read privileged data, modify content and execute administrative operations. KEMP’s Web Application Firewall Pack mitigates such attacks by dynamically monitoring client traffic flows for malicious injection patterns and preventing unauthorized execution.


Payment Card Industry Data Security Standards (PCI-DSS) Requirements Supported by KEMP’s Web Application Firewall Pack

PCI-DSS Section 1.2: Deny traffic from untrusted networks and hosts

The integrated security features of LoadMaster with AFP limit access to only explicitly allowed entities using only the protocols that are dictated as allowable.

PCI-DSS Section 3.3: Mask account numbers when displayed

Application Firewall Pack can be configured to prevent the leakage of sensitive personally identifiable information (PII), which is often exploited through a variety of application vectors.
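The egress inspection described under Data Loss Prevention and the account-number masking in this requirement can be illustrated together. This is an added example, not KEMP's or ModSecurity's implementation; the function names, the `policy` values and the sample bodies (built around a constructed test card number) are assumptions.

```python
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits):
    """Luhn checksum: separates card numbers from most other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def inspect_egress(body, policy="mask"):
    """Return (action, body_out, hits) for one outbound response body."""
    hits = []

    def mask(match):
        digits = re.sub(r"\D", "", match.group())
        if not luhn_ok(digits):
            return match.group()  # order ids and the like stay untouched
        hits.append(len(digits))
        return "*" * (len(digits) - 4) + digits[-4:]

    masked = PAN_CANDIDATE.sub(mask, body)
    if hits and policy == "deny":
        return ("deny", "", len(hits))       # drop the response entirely
    return ("mask" if hits else "pass", masked, len(hits))

# Constructed sample response: one Luhn-valid test number, one invalid look-alike.
SAMPLE = '{"order": "4111111111111112", "card": "4111-1111-1111-1111"}'
```

Validating candidates with the Luhn checksum before acting keeps ordinary 16-digit identifiers from being masked or from triggering a block.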

PCI-DSS Section 3.5: Protect encryption keys against disclosure and misuse

By supporting FIPS 140-2 Level 2 compliance, the LoadMaster 5305-FIPS protects encryption keys while delivering application firewalling.

PCI-DSS Section 4.1: Use strong cryptography and security protocols

LoadMaster with AFP provides an overlay for applications that may not have been originally developed to leverage SSL and TLS sessions to improve environment security.

PCI-DSS Section 6.6: Audit and correct application code vulnerabilities or institute an application firewall

AFP enables ongoing real-time protection against the latest application threats to prevent the exploitation of potential application code vulnerabilities.


* KEMP AFP and daily rule updates are available on all platforms (cloud, virtual, bare metal and dedicated hardware) with Enterprise Plus Subscription. KEMP customer support for custom rules implementation and troubleshooting requires an add-on service engagement.