Resources
Secure Application Deployments with KEMP’s Web Application Firewall (WAF)
KEMP’s Application Firewall Pack (AFP)* combines Layer 7 Web Application Firewall protection with other application delivery services including intelligent load balancing, intrusion detection, intrusion prevention as well as edge security and authentication. By integrating the world’s most deployed web application firewall engine, ModSecurity, augmented by threat intelligence and research from information security provider, Trustwave, AFP provides
- data loss prevention (DLP)
- mitigation of the OWASP Top Ten common vulnerabilities
- real-time threat protection for packaged & custom applications
- support for organizational PCI-DSS compliance requirement
With a targeted focus on application-specific exploits missed by traditional firewalling techniques, AFP plays a key part in a defense-in-depth strategy that mitigates risk and optimizes applications.
Intelligent Web Application Firewalling
Key Benefits
Comprehensive Security Services
LoadMaster provides integrated security capabilities including Web Application Firewall protection (WAF), edge security, L7 IPS/IDS, DDos Mitigation, application publishing and authentication services as standard features on all platforms including select hardware appliances.
PCS-DSS Compliance
Protecting web applications is of critical importance for all organizations, especially those which process payments. In order to help customers with PCI-DSS requirements, AFP reduces the need for extensive code reviews with industry proven rule sets that are regularly and automatically updated.
Ease of Deployment and Use
With KEMP’s focus on simplicity and shortening time to production for application deployment, LoadMaster with Application Firewall Pack (AFP) enables secure, scalable, and always-on workload delivery in one fully integrated, easy to use and deploy load balancing solution.
Key Threats Mitigated by the KEMP Application Firewall Pack
Cookie Tampering
Cookies are small pieces of text transmitted to web clients by a server or proxy with the intent to eventually be sent back to the server or proxy, unchanged. These are used in authentication and authorization processes as well as to track and maintain state across HTTP sessions. They can also be used to accomplish a number of attacks (SQL injection, XSS, buffer overflow, integer overflow) by injecting malicious values into the cookie.
Cross Site Request Forgery
Cross-site request forgery (CSRF or XSRF) attacks execute unwanted commands on a web application by unknowingly using an end users authentication. These exploits inherit the privilege level of the user and appear legitimate to the application which the user is authenticated to. By checking referrer headers, Application Firewall Pack blocks attempts at leveraging CSRF against application infrastructures.
Cross-Site Scripting
Cross-site scripting (XSS) attacks exploit web-based applications by sending scripts that are transparently activated by clients when read allowing for user identity theft, cookie poisoning and malicious redirection. KEMP’s Application Firewall Pack mitigates this attack by disallowing the malicious injection of untrusted data into values that are passed.
Data Loss Prevention (DLP)
The unauthorized transfer of sensitive information from a network via accomplished both through malicious and legitimate means including File transfer protocol (FTP), web applications, Windows Management Instrumentation (WMI) and messaging clients. By inspecting and denying egress traffic containing unauthorized data, KEMP’s Web Application Firewall Pack prevents the exfiltration of sensitive content out of application infrastructures based on business policies.
Injection
Injection attacks leverage client sessions to insert input data into a traffic stream that can be used to read privileged data, modify content and execute administrative operations. KEMP’s Web Application Firewall Pack mitigates such attacks by dynamically monitoring client traffic flows for malicious injection patterns and preventing unauthorized execution.
Payment Card Industry Data Security Standards (PCI-DSS) Requirements Supported by KEMP’s Web Application Firewall Pack
PCI-DSS Section 1.2: Deny traffic from untrusted networks and hosts
The integrated security features of LoadMaster with AFP limit access to only explicitly allowed entities using only the protocols that are dictated as allowable
PCI-DSS Section 3.3: Mask account numbers when displayed
Application Firewall Pack can be configured to prevent the leakage of sensitive PII (Personally identifiable information) data as often exploited through a variety of application vectors.
PCI-DSS Section 3.5: Protect encryption keys against disclosure and misuse
By supporting FIPS 140-2 Level 2 compliance, the LoadMaster 5305-FIPS, protects encryption keys while delivering application firewalling
PCI-DSS Section 4.1: Use strong cryptography and security protocols
LoadMaster with AFP provides an overlay for applications that may have not been originally developed to leverage SSL and TLS sessions to improve environment security.
PCI-DSS Section 6.6: Audit and correct application code vulnerabilities or institute an application firewall
AFP enables ongoing real-time protection against the latest application threats to prevent the exploitation of potential application code vulnerabilities.
*KEMP AFP is available on all cloud, virtual and bare metal LoadMasters and the following hardware appliances: LM-R320, LM-3600, LM-5300, LM-5305-FIPS, LM-5400. The AFP engine with custom rule capabilities is included without cost on all supported products. KEMP customer support for custom rules implementation and troubleshooting requires add-on service engagement. Subscriptions for daily commercial rules updates provided by KEMP are also available. Contact sales for additional details on subscription and support options. General Availability for AFP will be November 25th 2014.