By Cliff Turner, Sales Engineer, Alert Logic
bfw Advertising is a full-service advertising agency with expertise in building websites. However, bfw Advertising does not have expertise in cloud or Web Application Firewall (WAF) technologies. In order to focus on its business, bfw Advertising turned to Rackspace Managed Cloud and Alert Logic.
The south Florida-based agency boasts a strong client list that spans industries from aerospace to healthcare to travel and more. It also has a strong interactive department that offers website design and development, with in-house Microsoft-certified web developers who build websites, intranets, extranets, applications and more for multiple clients.
A Rackspace customer for years, bfw Advertising recently moved its infrastructure to the Rackspace Managed Cloud, to take advantage of new functionality and to reduce costs, while also remaining in a fully managed environment. Moving to the managed cloud gave bfw Advertising an opportunity to take a fresh look at security technology that could further protect its customers’ websites and applications.
Web Application Firewall (WAF) Basics
Since bfw Advertising hosts many of the websites and web applications it develops for clients, one of the first technologies that Rackspace suggested bfw Advertising evaluate to protect its clients was a Web Application Firewall (WAF). A WAF examines web traffic, looking for suspicious activity and filtering out bad traffic, based on rules set by the user or by the WAF itself, which learns normal website behavior over time and blocks abnormal behavior.
WAF Example: SQL Injection
To better understand how a WAF works, let’s look at a quick example. While there are countless ways to try to breach websites, according to the Open Web Application Security Project (OWASP), the most popular method is SQL injection. In a SQL injection attack, malicious SQL statements are inserted into an entry field, for example to dump the database contents if the attacker wants access to the data, or to erase the data if the attacker is simply out to cause trouble.
Here’s an example where someone is using a shopping cart application to buy a new winter coat. In the entry boxes, the buyer selects a category and item, and the web application translates those selections into SQL code and makes a database request.
The SQL code would go to the database looking something like this:
In a SQL injection, an attacker adds some malicious SQL code to the URL in hopes of finding a vulnerability that enables them to do some damage, like the example here of dropping a table from the database which would remove some information.
A WAF would stop that from happening by examining the URL request, and if it contains anything malicious (like the example above), the WAF would simply not pass the request on to the website.
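The URL inspection described above, sketched as an added example (not Alert Logic or Rackspace code): each query parameter is decoded and matched against a few signature rules, and the request is passed or blocked. The `shop.example` endpoint, the parameter names and the rule set are assumptions, and the sample URLs are constructed; the third sample is a harmless value that a naive rule still blocks.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Illustrative signatures only (assumed for this example); a production
# WAF rule set is far larger and is tuned per application.
RULES = [
    ("stacked-statement",
     re.compile(r";\s*(drop|delete|insert|update|alter)\b", re.I)),
    ("sql-comment", re.compile(r"--|/\*")),
    ("union-select", re.compile(r"\bunion\b.+\bselect\b", re.I)),
]


def inspect(url):
    """Return (verdict, hits); hits is a list of (parameter, rule) pairs."""
    hits = []
    # parse_qsl percent-decodes each value, so encoded input is
    # inspected in the form the application would actually see.
    query = urlsplit(url).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        for rule, pattern in RULES:
            if pattern.search(value):
                hits.append((name, rule))
    return ("block" if hits else "pass", hits)


# Constructed sample requests for a hypothetical shopping cart endpoint.
SAMPLES = {
    # Ordinary selection of a category and an item.
    "normal": "https://shop.example/items?category=coats&item=winter",
    # Item value carrying an appended statement that drops a table.
    "drop_table": ("https://shop.example/items?category=coats"
                   "&item=winter%27%3B%20DROP%20TABLE%20items%3B--"),
    # Harmless free-text value that happens to contain a double dash.
    "legit_but_flagged": ("https://shop.example/items?category=coats"
                          "&item=parka%20--%20navy"),
}

if __name__ == "__main__":
    for label, url in SAMPLES.items():
        verdict, hits = inspect(url)
        print(f"{label:18} {verdict:5} {hits}")
```

The false positive on the third request is why signature rules need per-site tuning: loosening the `sql-comment` rule lets that shopper through but also weakens detection of the second request.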
Alert Logic Web Security Manager at bfw Advertising
A well-documented challenge with WAFs is tuning them. WAFs require expert tuning and management to be effective; otherwise, they can impact site availability by blocking legitimate traffic or are tuned down to a level where they are no longer effective. And to be a WAF tuning expert, you typically have to be an expert in web applications, security and WAFs. So, to protect their clients’ web applications, bfw Advertising chose to work with Alert Logic Web Security Manager. Web Security Manager offered the WAF capabilities they needed, but even more important to bfw Advertising is that the Alert Logic WAF comes fully managed, so it could get the benefits of a WAF without having to become WAF experts themselves.
Let’s make one thing absolutely clear at the outset: the time to think about the best options for cyber-threat mitigation is NOT when your network is being attacked. In the best-case scenario you will already have a mitigation strategy in place for defending against both network-layer and application-layer attacks. The most important thing to know when you are building a multi-layered approach to securing web applications is that security solutions aren’t one-size-fits-all. You have several options to mix and match. Akamai’s free eBook, “Threats and Mitigations: A Guide to Multi-Layered Web Security”, gives you options for making the choices that best fit both your business and IT infrastructure requirements.
These days it’s not enough to have a web-application firewall (WAF). The key to using hardware devices in a mitigation strategy is understanding what these devices can and cannot do. Defending against today’s increasingly sophisticated application-layer attacks can be resource-intensive. WAFs require large amounts of computing resources and processing, which can degrade performance. The fact is that most devices represent a single point of failure. Moreover, by definition on-premises hardware attempts to stop an attack only after it’s entered the data center – when it’s simply too late.
Enter the new era of cloud-based mitigation services that reside outside of your data center and stop malicious traffic before it can penetrate your company’s infrastructure. You have choices to make here, too. You can go with always-on mitigation that acts like a shock absorber that protects your network by taking the first big hit of a cyber-attack. Or you can choose an on-demand solution that you can engage once an attack is suspected to intercept your incoming traffic using mitigation services where legitimate traffic is forwarded on and malicious attack traffic is scrubbed.
Yet another option is Website Protection Service providers who utilize CDNs to provide network- and application-layer security for Web sites and applications. As a cloud-based proxy, these networks sit in front of your IT infrastructure and deliver traffic from your end users to your Web sites and applications. The cloud platform examines network traffic for known threats and passes only legitimate traffic to the Web application. Chapter 3 in “Threats and Mitigations: A Guide to Multi-Layered Web Security” discusses the advantages and caveats of using each of these solutions, or blending them in a multi-layer mitigation strategy.
Don’t wait until your business is targeted by a cyber-attack. Download our free eBook, “Threats and Mitigations: A Guide to Multi-Layered Web Security,” which covers everything you need to know about the types of cyber threats, how to secure websites, how to protect applications against data theft, how to choose a web security solution, and how to make your network less vulnerable to attack.
The data center perimeter is dead – web assets cannot be protected by a fortress wall – but a historical view of web protection lives on in the way many IT departments continue to defend their infrastructures. Websites and web applications increasingly live outside the data center. Cloud-based applications and websites are at constant risk from web threats that are becoming more damaging and sophisticated by the day.
Akamai advises organizations to avoid becoming the next cyber-attack victim in the headlines by making a critical evaluation of cybersecurity practices and then taking steps to extend multi-layered security controls to the cloud. Of course, before you can even start to build a multi-layered web defense, you must understand your enemy and its weapons.
Generally, attacks fall into two categories: Distributed denial of service (DDoS), which is also called denial of service (DoS), and hacks against web applications that steal data, such as SQL injection and other command injection attacks.
Akamai predicts that by 2020, the average distributed denial of service (DDoS) attack will generate 1.5 Tbps of network traffic, but even today’s large and sophisticated denial of service attacks can easily overwhelm available IT resources. The more you understand the nuances of different types of DDoS attacks and web threats, the better you can determine how they will affect your network.
A mind-boggling array of DoS and DDoS attacks occur at the network layer. These can be grouped into two broad categories: simple flooding and amplification attacks. Several tools are readily available to attackers to automate the process of creating both types of attacks, allowing malicious actors with no technical background to quickly and easily threaten their choice of website.
Attacks at the application layer are also common and often very sophisticated. They consist of high-bandwidth and low-bandwidth denial of service attacks, Domain Name System (DNS) attacks, and attacks that steal data. Attempts to steal data are most likely to take the form of command injection attacks where a hacker injects commands into a vulnerable application. The attacker can then execute these commands to view data, wipe out data, or take over the machine.
Akamai advises practicing good web-application hygiene by using a secure software development lifecycle that includes secure configuration, updates, patches, and secure validation. In addition, a web application firewall (WAF) with anti-DoS capabilities provides a strong line of defense against application-layer attacks such as SQL injection commonly used to cover data theft. The eBook goes into greater detail on how to ensure good web-application hygiene and what to look for in a WAF.
With knowledge you can identify and close network vulnerabilities before your company is harmed. And the reality is that it is when, not if, your network will be threatened by cyber-attackers.
To that end, Akamai has released a free eBook, Threats and Mitigations: A Guide to Multi-Layered Web Security that covers important information that you need to know about the types of cyber threats, how to secure your sites, how to protect web applications from data theft, the different types of cybersecurity solutions, and how to make your network less vulnerable to attack.
There is no one solution to cybersecurity. Before you sign on the dotted line, know the key differences between on-premises hardware and cloud-based services; learn about the strengths of Security Operations Centers (SOCs) and Content Delivery Networks (CDNs) and of always-on services versus on-demand services. The eBook includes a guide to asking the right questions when seeking a web security services provider.
The fortress can no longer be defended by traditional methods, but it can be defended. The cyber battlefield keeps changing with powerful attacks that can down the websites and web applications of global brands, but you don’t have to become a victim. Learn how to defend your web and cloud resources – and win. The free Akamai eBook “Threats and Mitigations: A Guide to Multi-Layered Web Security” explains how. Download it today and learn how to build the strongest defense to protect all of your network assets and web applications.