main

Application DeliveryWAF

Application Delivery and Application Security Should be Combined

January 17, 2018 — by Frank Yue0

waf-adc-960x579.jpg

Most businesses have multi-function printers that can fax, scan, and copy.  In our roles, we are multi-functional as well.  A network architect is often the operational troubleshooter because of his/her knowledge and expertise.  The financial expert can take on the role of the supply logistics because of their understanding of the parts and processes involved in the day to day business.

SecurityWAF

Taking Stock of Application-Layer Security Threats

January 11, 2018 — by Radware0

waf-finance-960x720.jpg

The financial services industry is, by its very nature, inherently risk adverse. The sheer volume of transactional data moving through networks can be staggering and protecting that data from cyberthreats is strategically and fiscally critical. To understand how financial service executives keep their most prized applications secure, Radware surveyed over 600 chief information security officers (CISOs) and other security leaders across financial services, retail and healthcare industries. This article provides an overview of key findings from Radware’s web application security report: Web Application Security in a Digitally Connected World.

SecurityWAF

Retail & Web Application Security: What Application-Layer Security Threats Are in Store for Retailers

January 10, 2018 — by Radware0

waf-retail-960x720.jpg

The retail industry is undergoing a transformative period as the “empowered” consumer, driven by technological advances and breakthroughs, impacts how retailers market, communicate and sell. Retailers continue to erode the barrier to purchase via a myriad of new technologies, such as mobile apps, social media transactions and AI that converse with consumers. They leverage AI to analyze buyer behavior and optimize buyer preferences. Even “traditional” retailers have invested in technologies that track both offline and in-store behaviors to further reduce the barrier to sale regardless of location.

SecurityWAF

Healthcare & Web Application Security: A Prescriptive Look at Application-Layer Security Risks

December 7, 2017 — by Radware0

waf-healthcare-960x640.jpg

The healthcare sector consists of a wide number of segments: payers, such as insurance companies; providers such as hospitals and doctors; and manufacturers, both pharmaceutical as well as medical device and equipment. Because the industry deals with quality of life issues across the spectrum, access to real-time data, especially sensitive data such as patient records, requires both the security and availability of in-house, Web, mobile, or cloud applications.

SecurityWAF

Web Application Security in a Digitally Connected World

November 14, 2017 — by Ben Zilberman0

web-application-security-research-960x608.jpg

Apps control our lives today. We pay our bills, do our shopping, communicate with our doctors, buy our groceries, order a taxi, and even order our lunch through ‘apps.’  If you can think of it, there is an app for it. And these apps live on our phones, our desktops, in web portals and even in our internal networks. However, all these apps create new and different types of security challenges for an organization’s network. The speed and complexity inherent in these technological advances expose application vulnerabilities, security risks and skills deficiencies that can compromise sensitive data, devalue the brand, and affect financial performance.

Application DeliverySSLWAF

Outbound SSL Solutions Protect Assets in the Wild

August 22, 2017 — by Frank Yue0

outbound-ssl-inspection-blog-2-960x576.jpg

Businesses need to protect their assets when they are within their protective infrastructure AND when they are actively exposed or placed within the unprotected external world. The tools and procedures needed to protect the internal assets are different from the ones that protect the assets when they leave the confines of the secured network.

Application DeliverySecurityWAF

Cloud WAF: Why a Checkbox Isn’t Enough

May 10, 2017 — by Daniel Lakier4

cloud-WAF-960x540.jpg

I remember when I first learned about Web application firewall technology. It seemed like magic to me: A device that could compensate for bad coding or unexpected/unintended web application functionality. It could do this by learning expected application behavior and then enforcing said behavior, even if the application itself was capable of allowing the unwanted behavior. The business case for such a technology is easily recognizable even more so today than it was in the mid- to early 2000’s when it first came out: the ability to have a device compensate for human error.

DDoSSecurityWAF

CDN Security is NOT Enough for Today

March 8, 2017 — by David Hobbs0

cdn-security-960x709.jpg

 

Today, many organizations are now realizing that DDoS defense is critical to maintaining an exceptional customer experience. Why? Because nothing diminishes load times or impacts the end users’ experience more than a cyber-attack, which is the silent killer of application performance.

As high-availability and high performance distributors of content to end-users, CDNs can serve as a lynchpin in the customer experience. Yet new vulnerabilities in CDN networks have left many wondering if the CDNs themselves are vulnerable to a wide variety of cyber-attacks, such as forward loop assaults.

So what types of attacks are CDNs vulnerable too? Here are top 5 cyber threats that threaten CDNs so you can safeguard against them.

Blind Spot #1: Dynamic Content Attacks

Attackers have learned that a significant blind spot in CDN services are the treatment of dynamic content requests. Since the dynamic content is not stored on CDN servers, all the requests for dynamic content are sent to the origin’s servers. Attackers are taking advantage of this behavior and they generate attack traffic that contains random parameters in the HTTP GET requests. CDN servers immediately redirect this attack traffic to the origin, expecting the origin’s server to handle the requests. But, in many cases, the origin’s servers do not have the capacity to handle all those attack requests and they fail to provide online services to legitimate users, creating a denial-of-service situation.

Many CDNs have the ability to limit the number of dynamic requests to the server under attack. This means that they cannot distinguish attackers from legitimate users and the rate limit will result in legitimate users being blocked.

Blind Spot #2: SSL-based attacks

SSL-based DDoS attacks target the secured online services of the victim. These attacks are easy to launch and difficult to mitigate, making them attackers’ favorites. In order to detect and mitigate DDoS SSL attacks, CDN servers must first decrypt the traffic using the customer’s SSL keys. If the customer is not willing to provide the SSL keys to its CDN provider, then the SSL attack traffic is redirected to the customer’s origin, leaving the customer vulnerable to SSL attacks. SSL attacks that hit the customer’s origin can easily take down the secured online service.

During DDoS attacks when WAF technologies are involved, CDN networks also have a significant weakness in terms of the number of SSL connections per second from a scalability capability, and serious latency issues can arise.

[You might also like: WAF and DDoS – Perfect Bedfellows: Every Business Owner Must Read.]

PCI and other security compliance issues are also a problem as sometimes this limits the data centers that are able to be used to service the customer, as not all CDN providers are PCI compliant across all datacenters. This can again increase latency and cause audit issues.

Blind Spot #3: Attacks on non-CDN services

CDN services are often offered only for HTTP/S and DNS applications. Other online services and applications in the customer’s data center such as VoIP, mail, FTP and proprietary protocols are not served by the CDN and therefore traffic to those applications is not routed through the CDN. In addition, many web-based applications are also not served by CDNs. Attackers are taking advantage of this blind spot and launch attacks on applications that are not routed through the CDN, hitting the customer origin with largescale attacks that threaten to saturate the Internet pipe of the customer. Once the Internet pipe is saturated, all the applications at the customer’s origin become unavailable to legitimate users, including the ones that are served by the CDN.

Blind Spot #4: Direct IP Attacks

Even applications that are serviced by a CDN can be attacked once the attackers launch a direct attack on the IP address of the web servers at the customer origin. These can be network based floods such as UDP floods or ICMP floods that will not be routed through CDN services, and will directly hit the servers of the customer at the origin. Such volumetric network attacks can saturate the internet pipe, resulting in taking down all the applications and the online services of the origin, including the ones that are served by the CDN. Often misconfiguration of “shielding” the data center can leave the applications directly vulnerable to attack.

Blind Spot #5: Web Application Attacks

CDN protection for web applications threats is limited and exposes the web applications of the customer to data leakage, data thefts and other threats that are common with web applications. Most CDN-based web application firewall capabilities are minimal, covering only a basic set of predefined signatures and rules. Many of the CDN-based WAFs do not learn HTTP parameters, do not create positive security rules and therefore it cannot protect from zero day attacks and known threats. For the companies that DO provide tuning for the web applications in their WAF, the cost is extremely high to get this level of protection.

In addition to the significant blind spots identified earlier, most CDN security services are not responsive enough, resulting in security configurations that take hours to manually deploy and to spread across all its network servers. The security services are using outdated technology such as rate limit that was proven to be inefficient during the last attack campaigns, and it lacks capabilities such as network behavioral analysis, challenge – response mechanisms and more.

 

DDoS_Handbook_glow

Download Radware’s DDoS Handbook to get expert advice, actionable tools and tips to help detect and stop DDoS attacks.

Download Now