Web applications are attractive targets for hackers because they are often public-facing, provide major e-commerce or business-driving tools, and are connected to back-end database repositories holding customer (credit card) data, company data and other sensitive information. The question may be asked: "Why do I need a Web Application Firewall (WAF) when I already have a Next Generation Firewall (NGFW)?" After all, NGFWs include Intrusion Prevention Systems (IPS). However, IPS functionality is focused more on securing and restricting internal clients and end users when they access the internet than on securing internal (or hosted) web applications from external threats. IPS engines work at the network layer and have no knowledge of application state.
WAFs, designed from the ground up with Web applications in mind, understand Web traffic constructs and keep track of application states and client sessions. This is increasingly important for protecting custom applications built on Web 2.0 technology such as Web Services, SOAP, AJAX, JSON, RIA and RSS/Atom, which have generated additional attack vectors that are being increasingly exploited by hackers.
Our WAF-as-a-Service Features
- Included Protections: OWASP Top 10 risks • Brute force attacks • Parameter tampering • Cookie/form manipulation • Forceful browsing • XML attacks • Application tampering • Zero-day attacks • SQL Injection • Cross-site scripting (XSS) • Form field meta-data validation • Website cloaking • Response control • Web scraping prevention • Granular policies to HTML elements • Protocol limit checks • File upload control • IP whitelisting/blacklisting
- Other Advanced Security Features: IP reputation protection, including IP geolocation and reputation feeds based on sensors in the field and other inputs • Heuristic fingerprinting • CAPTCHA challenges • Slow client protection • Tor exit nodes • Unmetered L3-L7 DDoS protection
- Supported protocols: HTTP/S/0.9/1.0/1.1/2.0 • WebSocket • IPv4