By Cliff Turner
By Cliff Turner, Sales Engineer, Alert Logic
bfw Advertising is a full service advertising agency with expertise in building websites. However, bfw Advertising does not have expertise in cloud or Web Application Firewall (WAF) technologies. In order to focus on its business, bfw Advertising turned to Rackspace Managed Cloud and Alert Logic.
The south Florida-based agency boasts a strong client list that spans industries from aerospace to healthcare to travel and more. It also has a strong interactive department that offers website design and development; and in-house Microsoft certified web developers to build websites, intranets, extranets, applications and more for multiple clients.
A Rackspace customer for years, bfw Advertising recently moved its infrastructure to the Rackspace Managed Cloud, to take advantage of new functionality and to reduce costs, while also remaining in a fully managed environment. Moving to the managed cloud gave bfw Advertising an opportunity to take a fresh look at security technology that could further protect its customers’ websites and applications.
Web Application Firewall (WAF) Basics
Since bfw Advertising hosts many of the websites and web applications it develops for clients, one of the first technologies that Rackspace suggested bfw Advertising evaluate to protect its clients was a Web Application Firewall (WAF). A WAF examines web traffic, looking for suspicious activity and filtering out bad traffic, based on rules set by the user or by the WAF itself, which learns normal website behavior over time and blocks abnormal behavior.
WAF Example SQL Injection
To better understand how a WAF works, let’s look at a quick example. While there are countless ways to try to breach websites, according to the Open Web Application Security Project (OWASP), the most popular method is SQL injection. In a SQL injection attack, malicious SQL statements are inserted into an entry field to do something like dump the database contents if the attacker is looking to access the data or erase the data if the attacker is simply out to cause trouble.
Here’s an example where someone is using a shopping cart application to buy a new winter coat. In the entry boxes, the buyer selects their category and item and the web application would translate their selections into SQL code and make a database request.
The SQL code would go to the database looking something like this:
In a SQL injection, an attacker adds some malicious SQL code to the URL in hopes of finding a vulnerability that enables them to do some damage, like the example here of dropping a table from the database which would remove some information.
A WAF would stop that from happening by examining the URL request, and if it contains anything malicious (like the example above), the WAF would simply not pass the request on to the website.
Alert Logic Web Security Manager at bfw Advertising
A well-documented challenge with WAFs is tuning them. WAFs require expert tuning and management to be effective; otherwise, they can impact site availability by blocking legitimate traffic or are tuned down to a level where they are no longer effective. And to be a WAF tuning expert, you typically have to be an expert in web application, security and WAFs. So, to protect their clients’ web applications, bfw Advertising chose to work with Alert Logic Web Security Manager. Web Security Manager offered the WAF capabilities they needed, but even more important to bfw Advertising is that the Alert Logic WAF comes fully managed, so it could get the benefits of a WAF without having to become WAF experts themselves.0